1 /* $Id: ikev1.c,v 1.34 2008/07/07 09:36:08 fukumoto Exp $ */
2
3 /*
4 * Copyright (C) 2004 WIDE Project.
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the project nor the names of its contributors
16 * may be used to endorse or promote products derived from this software
17 * without specific prior written permission.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * SUCH DAMAGE.
30 */
31
32 #include <config.h>
33
34 #include <assert.h>
35 #include <string.h>
36 #include <sys/types.h>
37 #if TIME_WITH_SYS_TIME
38 # include <sys/time.h>
39 # include <time.h>
40 #else
41 # if HAVE_SYS_TIME_H
42 # include <sys/time.h>
43 # else
44 # include <time.h>
45 # endif
46 #endif
47 #include <sys/socket.h>
48 #include <sys/errno.h>
49
50 #include <netinet/in.h>
51 #include <netdb.h>
52
53 #ifdef HAVE_NETINET6_IPSEC_H
54 # include <netinet6/ipsec.h>
55 #else
56 # ifdef HAVE_NETIPSEC_IPSEC_H
57 # include <netipsec/ipsec.h>
58 # else
59 # ifndef sun /* XXX KEBE SAYS OpenSolaris */
60 # include <linux/ipsec.h>
61 # endif
62 # endif
63 #endif
64
65 #ifdef sun /* XXX KEBE SAYS OpenSolaris */
66 #define IPSEC_ULPROTO_ANY 0
67 #endif
68
69 #include "racoon.h"
70
71 #include "isakmp.h"
72 #include "ikev2.h"
73 #include "keyed_hash.h"
74 #include "isakmp_impl.h"
75 #include "ikev1_impl.h"
76 #include "ipsec_doi.h"
77 #include "isakmp_ident.h"
78 /* #include "isakmp_agg.h" */
79 /* #include "isakmp_base.h" */
80 #include "isakmp_quick.h"
81 #include "isakmp_inf.h"
82 #include "vendorid.h"
83 #include "pfkey.h"
84 #ifdef ENABLE_NATT
85 # include "ikev1_natt.h"
86 #endif
87
88 #include "var.h"
89
90 #include "algorithm.h"
91 #include "dhgroup.h"
92 #include "oakley.h" /* for prototypes */
93 #include "crypto_impl.h"
94 #include "ike_conf.h"
95 #include "script.h"
96 #include "handler.h"
97 #include "remoteconf.h"
98 #include "strnames.h"
99 #include "sockmisc.h"
100
101 #include "debug.h"
102
/*
 * Forward declarations.  nostate1/nostate2 fill every table slot below
 * that has no real handler, so a packet arriving in an unexpected state
 * hits a defined function instead of a NULL pointer.
 */
static int nostate1 (struct ph1handle *, rc_vchar_t *);
static int nostate2 (struct ph2handle *, rc_vchar_t *);

extern caddr_t val2str(const char *, size_t);

static int ph1_main (struct ph1handle *, rc_vchar_t *);
static int quick_main (struct ph2handle *, rc_vchar_t *);
static int isakmp_ph1begin_r (rc_vchar_t *,
			      struct sockaddr *, struct sockaddr *,
			      uint8_t);
static void isakmp_ph2begin_i (struct ph1handle *, struct ph2handle *);
static int isakmp_ph2begin_r (struct ph1handle *, rc_vchar_t *);
static void isakmp_fail_initiate_ph2(struct ph2handle *);

/* scheduler callback used once a phase 1 SA reaches its lifetime */
static void isakmp_ph1expire_stub(void *);

static struct isakmpsa * create_isakmpsa(int, int,
					 struct rc_alglist *,
					 struct rc_alglist *,
					 struct rc_alglist *,
					 struct rc_alglist *,
					 struct rcf_remote *,
					 rc_vchar_t *);

/* external linkage; not declared in any header included above -- presumably defined in another unit, confirm */
int getsockmyaddr(struct sockaddr *addr);
128
typedef int (*PH1EXCHG) (struct ph1handle *, rc_vchar_t *);

/*
 * Phase 1 dispatch table, indexed as
 *   ph1exchange[etypesw1(etype)][side][status]
 * (see ph1_main and isakmp_ph1begin_{i,r} below).
 *
 * Row 0 is the "error" row: only the first element is written explicitly,
 * the rest are zero-initialised, so every slot is NULL and ph1_main
 * refuses to dispatch through it.  Aggressive and Base exchanges are
 * compiled out (#if 0) and every one of their slots is nostate1, i.e. a
 * peer asking for those modes is rejected in a defined way.
 */
PH1EXCHG ph1exchange[][2][PHASE1ST_MAX] = {
	/* error */
	{{NULL}, {NULL},},
	/* Identity Protection exchange */
	{
		/* initiator: status index alternates recv/send */
		{nostate1, ident_i1send, nostate1, ident_i2recv, ident_i2send,
		 ident_i3recv, ident_i3send, ident_i4recv, ident_i4send, nostate1,},
		/* responder */
		{nostate1, ident_r1recv, ident_r1send, ident_r2recv, ident_r2send,
		 ident_r3recv, ident_r3send, nostate1, nostate1, nostate1,},
	},
	/* Aggressive exchange */
	{
#if 0
		{nostate1, agg_i1send, nostate1, agg_i2recv, agg_i2send, nostate1,
		 nostate1, nostate1, nostate1, nostate1,},
		{nostate1, agg_r1recv, agg_r1send, agg_r2recv, agg_r2send, nostate1,
		 nostate1, nostate1, nostate1, nostate1,},
#else
		{nostate1, nostate1, nostate1, nostate1, nostate1, nostate1,
		 nostate1, nostate1, nostate1, nostate1, },
		{nostate1, nostate1, nostate1, nostate1, nostate1, nostate1,
		 nostate1, nostate1, nostate1, nostate1, },
#endif
	},
	/* Base exchange */
	{
#if 0
		{nostate1, base_i1send, nostate1, base_i2recv, base_i2send,
		 base_i3recv, base_i3send, nostate1, nostate1, nostate1,},
		{nostate1, base_r1recv, base_r1send, base_r2recv, base_r2send,
		 nostate1, nostate1, nostate1, nostate1, nostate1,},
#else
		{nostate1, nostate1, nostate1, nostate1, nostate1, nostate1,
		 nostate1, nostate1, nostate1, nostate1, },
		{nostate1, nostate1, nostate1, nostate1, nostate1, nostate1,
		 nostate1, nostate1, nostate1, nostate1, },
#endif
	},
};
170
typedef int (*PH2EXCHG) (struct ph2handle *, rc_vchar_t *);

/*
 * Phase 2 (Quick mode) dispatch table, indexed as
 *   ph2exchange[etypesw2(etype)][side][status]
 * by quick_main, isakmp_post_getspi and isakmp_ph2begin_i.
 * Row 0 is the all-NULL "error" row, as in ph1exchange.
 */
PH2EXCHG ph2exchange[][2][PHASE2ST_MAX] = {
	/* error */
	{{NULL}, {NULL},},
	/* Quick mode for IKE */
	{
		/* initiator */
		{nostate2, nostate2, quick_i1prep, nostate2, quick_i1send,
		 quick_i2recv, quick_i2send, quick_i3recv, nostate2, nostate2,},
		/* responder */
		{nostate2, quick_r1recv, quick_r1prep, nostate2, quick_r2send,
		 quick_r3recv, quick_r3prep, quick_r3send, nostate2, nostate2,},
	},
};
184
/* map an ISAKMP exchange type to a row of ph1exchange / ph2exchange */
static int etypesw1 (int);
static int etypesw2 (int);

/*
 * Disabled DH group table.  Kept for reference only; note that the first
 * entry names `dh_mopd768` while every other entry uses the `dh_modpNNNN`
 * spelling, which looks like a typo that would surface if this block were
 * ever re-enabled.
 */
#if 0
struct dh_def ikev1_dhdef = {
	{algtype_dhg_modp768, OAKLEY_ATTR_GRP_DESC_MODP768, &dh_mopd768},
	{algtype_dhg_modp1024, OAKLEY_ATTR_GRP_DESC_MODP1024, &dh_modp1024},
	/* { algtype_dhg_ec2n155, OAKLEY_ATTR_GRP_DESC_EC2N155, .... }, */
	/* { algtype_dhg_ec2n185, OAKLEY_ATTR_GRP_DESC_EC2N185, .... }, */
	{algtype_dhg_modp1536, OAKLEY_ATTR_GRP_DESC_MODP1536, &dh_modp1536},
	/* ec2n_163_a */
	/* ec2n_163_b */
	/* ec2n_283_a */
	/* ec2n_283_b */
	/* ec2n_409_a */
	/* ec2n_409_b */
	/* ec2n_571_a */
	/* ec2n_571_b */
	{algtype_dhg_modp2048, OAKLEY_ATTR_GRP_DESC_MODP2048, &dh_modp2048},
	{algtype_dhg_modp3072, OAKLEY_ATTR_GRP_DESC_MODP3072, &dh_modp3072},
	{algtype_dhg_modp4096, OAKLEY_ATTR_GRP_DESC_MODP4096, &dh_modp4096},
	{algtype_dhg_modp6144, OAKLEY_ATTR_GRP_DESC_MODP6144, &dh_modp6144},
	{algtype_dhg_modp8192, OAKLEY_ATTR_GRP_DESC_MODP8192, &dh_modp8192},
	{0}
};
#endif
211
212 /*
213 * main processing to handle isakmp payload
214 */
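/*
 * Main entry point for a received IKEv1 (ISAKMP) datagram.
 *
 * msg     raw packet; msg->v is interpreted as a struct isakmp header
 * remote  sender address
 * local   address the packet arrived on
 *
 * Returns 0 when the packet was processed or deliberately ignored
 * (retransmission, packet on an already established phase 1) and -1
 * when it was rejected.  Every rejection logs and increments one
 * isakmpstat counter.  The header checks run before any handle lookup,
 * so a malformed header is cheap to discard.  The phase 1 handle is
 * located by the cookie pair alone, which means everything below runs
 * on unauthenticated input until the exchange handlers have verified
 * the peer (see the XXX notes, which are the original author's).
 */
int
ikev1_main(rc_vchar_t *msg, struct sockaddr *remote, struct sockaddr *local)
{
	struct isakmp *isakmp;
	isakmp_index_t *index;
	uint32_t msgid;
	struct ph1handle *iph1;
	static isakmp_cookie_t r_ck0 = { 0, 0, 0, 0, 0, 0, 0, 0 };

	++isakmpstat.v1input;

	/*
	 * Never read header fields out of a datagram shorter than the fixed
	 * ISAKMP header.  The caller may already guarantee this, but the
	 * check is cheap and keeps this function self-contained.
	 */
	if (msg == NULL || msg->l < sizeof(struct isakmp)) {
		plog(PLOG_PROTOERR, PLOGLOC, 0,
		     "packet shorter than the ISAKMP header, ignore it.\n");
		return -1;
	}
	isakmp = (struct isakmp *)msg->v;
	index = (isakmp_index_t *)isakmp;
	msgid = isakmp->msgid;

#ifdef HAVE_PRINT_ISAKMP_C
	isakmp_printpacket(msg, remote, local, 0);
#endif

	/* XXX: check sender whether to be allowed or not to accept */

	/* XXX: I don't know how to check isakmp half connection attack. */

	/* simply reply if the packet was processed. */
	if (check_recvdpkt((struct sockaddr *)remote,
			   (struct sockaddr *)local, msg)) {
		plog(PLOG_INFO, PLOGLOC, 0,
		     "the packet is retransmitted by %s.\n",
		     rcs_sa2str((struct sockaddr *)remote));
		/* ++isakmpstat.duplicate; */
		return 0;
	}

	/* (RFC2408)
	 * Implementations SHOULD never accept packets with a minor
	 * version number larger than its own, given the major version
	 * numbers are identical.
	 *
	 * NOTE(review): only the minor version is compared here; the major
	 * version is read for the log line but never checked against the
	 * version this implementation speaks -- confirm whether the caller
	 * already filters on it.
	 */
	if (ISAKMP_GETMINORV(isakmp->v) > ISAKMP_MINOR_VERSION) {
		plog(PLOG_PROTOERR, PLOGLOC, 0,
		     "unsupported isakmp version %d.%03d.\n",
		     ISAKMP_GETMAJORV(isakmp->v), ISAKMP_GETMINORV(isakmp->v));
		/* XXX should send notification */
		++isakmpstat.unsupported_version;
		return -1;
	}

	/* the initiator's cookie must not be zero */
	if (memcmp(&isakmp->i_ck, r_ck0, sizeof(isakmp_cookie_t)) == 0) {
		plog(PLOG_PROTOERR, PLOGLOC, 0,
		     "malformed cookie received.\n");
		++isakmpstat.invalid_ike_spi;
		return -1;
	}

	/* check the Flags field: anything but E, C and A is rejected. */
	/* XXX How is the exclusive check, E and A ? */
	if (isakmp->flags & ~(ISAKMP_FLAG_E | ISAKMP_FLAG_C | ISAKMP_FLAG_A)) {
		plog(PLOG_PROTOERR, PLOGLOC, 0,
		     "invalid flag 0x%02x.\n", isakmp->flags);
		++isakmpstat.invalid_flag;
		return -1;
	}

	/* commit bit is only meaningful in phase 2 (msgid != 0). */
	if (ISSET(isakmp->flags, ISAKMP_FLAG_C)) {
		if (isakmp->msgid == 0) {
			isakmp_info_send_nx(isakmp, remote, local,
					    ISAKMP_NTYPE_INVALID_FLAGS, NULL);
			plog(PLOG_PROTOERR, PLOGLOC, 0,
			     "Commit bit on phase1 forbidden.\n");
			++isakmpstat.invalid_flag;
			return -1;
		}
	}

	iph1 = getph1byindex(index);
	if (iph1 != NULL) {
		/*
		 * validity check: an initiator-side handle found by the full
		 * cookie pair cannot have an all-zero responder cookie.
		 */
		if (memcmp(&isakmp->r_ck, r_ck0, sizeof(isakmp_cookie_t)) == 0
		    && iph1->side == INITIATOR) {
			plog(PLOG_DEBUG, PLOGLOC, 0,
			     "malformed cookie received or "
			     "the initiator's cookies collide.\n");
			++isakmpstat.invalid_ike_spi;
			return -1;
		}

#ifdef ENABLE_NATT
		/*
		 * Floating ports for NAT-T.  This rewrites the handle's
		 * addresses on the strength of a cookie match only, so the
		 * NATT_AVAILABLE / NAT_PORTS_CHANGED gating is what keeps a
		 * spoofed packet from redirecting an SA -- keep that in mind
		 * if the "allow floating again" FIXME below is ever acted on.
		 */
		if (NATT_AVAILABLE(iph1) &&
		    !(iph1->natt_flags & NAT_PORTS_CHANGED) &&
		    ((rcs_cmpsa(iph1->remote, remote) != 0) ||
		     (rcs_cmpsa(iph1->local, local) != 0))) {
			/* prevent memory leak */
			racoon_free(iph1->remote);
			racoon_free(iph1->local);

			/* copy-in new addresses */
			iph1->remote = rcs_sadup(remote);
			iph1->local = rcs_sadup(local);

			/*
			 * set the flag to prevent further port floating.
			 * (FIXME: should we allow it? E.g. when the NAT gw
			 * is rebooted?)
			 */
#ifdef sun
			iph1->natt_flags |= NAT_PORTS_CHANGED;
#else
			iph1->natt_flags |= NAT_PORTS_CHANGED | NAT_ADD_NON_ESP_MARKER;
#endif
		}
#endif

		/* must be same addresses in one stream of a phase at least. */
		if (rcs_cmpsa(iph1->remote, remote) != 0) {
			char *saddr_db, *saddr_act;

			/*
			 * rcs_sa2str() is needed twice in one log line, so the
			 * first result is copied out (presumably it returns a
			 * shared buffer).  strdup() can fail; %s must never be
			 * handed a NULL pointer.  racoon_free() is assumed to
			 * pair with the allocator strdup() uses -- confirm.
			 */
			saddr_db = strdup(rcs_sa2str(iph1->remote));
			saddr_act = strdup(rcs_sa2str(remote));

			plog(PLOG_PROTOWARN, PLOGLOC, 0,
			     "remote address mismatched. db=%s, act=%s\n",
			     saddr_db != NULL ? saddr_db : "(unknown)",
			     saddr_act != NULL ? saddr_act : "(unknown)");

			racoon_free(saddr_db);
			racoon_free(saddr_act);
		}
		/*
		 * don't check of exchange type here because other type will be
		 * with same index, for example, informational exchange.
		 */

		/* XXX more acceptable check */
	}

	switch (isakmp->etype) {
	case ISAKMP_ETYPE_IDENT:	/* == oakley main mode */
	case ISAKMP_ETYPE_AGG:
	case ISAKMP_ETYPE_BASE:
		/* phase 1 validity check */
		if (isakmp->msgid != 0) {
			plog(PLOG_PROTOERR, PLOGLOC, 0,
			     "message id should be zero in phase1.\n");
			++isakmpstat.invalid_message_id;
			return -1;
		}

		/* search for isakmp status record of phase 1 */
		if (iph1 == NULL) {
			/*
			 * the packet must be the 1st message from a initiator
			 * or the 2nd message from the responder.
			 */

			/* search for phase1 handle by index without r_ck */
			iph1 = getph1byindex0(index);
			if (iph1 == NULL) {
				/* it must be the 1st message from a initiator. */
				if (memcmp(&isakmp->r_ck, r_ck0,
					   sizeof(isakmp_cookie_t)) != 0) {

					plog(PLOG_DEBUG, PLOGLOC, 0,
					     "malformed cookie received "
					     "or the spi expired.\n");
					++isakmpstat.unknown_cookie;
					return -1;
				}

				/* it must be responder's 1st exchange. */
				if (isakmp_ph1begin_r(msg, remote, local,
						      isakmp->etype) < 0)
					return -1;
				break;
				/* NOTREACHED */
			}

			/* it must be the 2nd message from the responder. */
			if (iph1->side != INITIATOR) {
				plog(PLOG_DEBUG, PLOGLOC, 0,
				     "malformed cookie received. "
				     "it has to be as the initiator. %s\n",
				     isakmp_pindex(&iph1->index, 0));
				++isakmpstat.invalid_message_id;
				return -1;
			}
		}

		/*
		 * Don't delete phase 1 handler when the exchange type
		 * in handler is not equal to packet's one because of no
		 * authencication completed.
		 */
		if (iph1->etype != isakmp->etype) {
			plog(PLOG_PROTOERR, PLOGLOC, 0,
			     "exchange type is mismatched: "
			     "db=%s packet=%s, ignore it.\n",
			     s_isakmp_etype(iph1->etype),
			     s_isakmp_etype(isakmp->etype));
			++isakmpstat.unexpected_packet;
			return -1;
		}

		/* call main process of phase 1 */
		if (ph1_main(iph1, msg) < 0) {
			plog(PLOG_PROTOERR, PLOGLOC, 0,
			     "phase1 negotiation failed.\n");
			remph1(iph1);
			delph1(iph1);
			return -1;
		}
		break;

#if 0
	case ISAKMP_ETYPE_AUTH:
		plog(PLOG_INFO, PLOGLOC, 0,
		     "unsupported exchange %d received.\n", isakmp->etype);
		++isakmpstat.unsupported_exchange_type;
		break;
#endif

	case ISAKMP_ETYPE_INFO:
	case ISAKMP_ETYPE_ACKINFO:
		/*
		 * iph1 must be present for Information message.
		 * if iph1 is null then trying to get the phase1 status
		 * as the packet from responder againt initiator's 1st
		 * exchange in phase 1.
		 * NOTE: We think such informational exchange should be ignored.
		 */
		if (iph1 == NULL) {
			iph1 = getph1byindex0(index);
			if (iph1 == NULL) {
				plog(PLOG_PROTOERR, PLOGLOC, 0,
				     "unknown Informational "
				     "exchange received.\n");
				/* ++isakmpstat.infoexch_unknown_peer; */
				return -1;
			}
			if (rcs_cmpsa(iph1->remote, remote) != 0) {
				plog(PLOG_PROTOWARN, PLOGLOC, 0,
				     "remote address mismatched. "
				     "db=%s\n", rcs_sa2str(iph1->remote));
				/* ++isakmpstat.infoexch_unknown_remote_addr; */
			}
		}

		if (isakmp_info_recv(iph1, msg) < 0)
			return -1;
		break;

	case ISAKMP_ETYPE_QUICK:
	{
		struct ph2handle *iph2;

		if (iph1 == NULL) {
			isakmp_info_send_nx(isakmp, remote, local,
					    ISAKMP_NTYPE_INVALID_COOKIE,
					    NULL);
			plog(PLOG_PROTOERR, PLOGLOC, 0,
			     "can't start the quick mode, "
			     "there is no ISAKMP-SA, %s\n",
			     isakmp_pindex((isakmp_index_t *)&isakmp->
					   i_ck, isakmp->msgid));
			++isakmpstat.invalid_ike_spi;
			return -1;
		}

		/* check status of phase 1 whether negotiated or not. */
		if (iph1->status != PHASE1ST_ESTABLISHED) {
			plog(PLOG_PROTOERR, PLOGLOC, 0,
			     "can't start the quick mode, "
			     "there is no valid ISAKMP-SA, %s\n",
			     isakmp_pindex(&iph1->index, iph1->msgid));
			++isakmpstat.premature;
			return -1;
		}

		/* search isakmp phase 2 status record. */
		iph2 = getph2bymsgid(iph1, msgid);
		if (iph2 == NULL) {
			/* it must be new negotiation as responder */
			if (isakmp_ph2begin_r(iph1, msg) < 0)
				return -1;
			return 0;
			/* NOTREACHED */
		}

		/* commit bit. */
		/* XXX
		 * we keep to set commit bit during negotiation.
		 * When SA is configured, bit will be reset.
		 * XXX
		 * don't initiate commit bit. should be fixed in the future.
		 */
		if (ISSET(isakmp->flags, ISAKMP_FLAG_C))
			iph2->flags |= ISAKMP_FLAG_C;

		/* call main process of quick mode */
		if (quick_main(iph2, msg) < 0) {
			plog(PLOG_PROTOERR, PLOGLOC, 0,
			     "phase2 negotiation failed.\n");
			unbindph12(iph2);
			remph2(iph2);
			delph2(iph2);
			return -1;
		}
	}
		break;

	case ISAKMP_ETYPE_NEWGRP:
		if (iph1 == NULL) {
			plog(PLOG_PROTOERR, PLOGLOC, 0,
			     "Unknown new group mode exchange, "
			     "there is no ISAKMP-SA.\n");
			++isakmpstat.unknown_cookie;
			return -1;
		}
#ifdef notyet
		isakmp_newgroup_r(iph1, msg);
		break;
#else
		/* FALLTHROUGH */
#endif
	case ISAKMP_ETYPE_NONE:
	default:
		plog(PLOG_PROTOERR, PLOGLOC, 0,
		     "Invalid exchange type %d from %s.\n",
		     isakmp->etype, rcs_sa2str(remote));
		/* ++isakmpstat.unsupported_exchange_type; */
		return -1;
	}

	return 0;
}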
546
547
548 /*
549 * process ACQUIRE for IKEv1
550 */
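/*
 * Process a kernel ACQUIRE for IKEv1: create a phase 2 handle for the
 * requested selector and hand it to ikev1_post_acquire().
 *
 * req       acquire request (src/dst, optional src2, sequence, callback)
 * policy    policy matched by the kernel request
 * selector  selector owned by this function: it is either attached to
 *           the new phase 2 handle or released with rcf_free_selector()
 * rm_info   remote configuration for the peer
 *
 * Returns nothing; every failure is logged and the request dropped.
 * The peer address built from peers_ipaddr / req->dst is only validated
 * (address family, port) and then freed -- it is not stored anywhere
 * visible here, so it appears to act purely as a sanity check.
 */
void
ikev1_initiate(struct isakmp_acquire_request *req,
	       struct rcf_policy *policy,
	       struct rcf_selector *selector,
	       struct rcf_remote *rm_info)
{
	struct ph2handle *iph2;
	struct sockaddr *peer = 0;
	extern struct sadb_response_method ikev1_sadb_callback;
	/* old-style declarations: the real prototypes live elsewhere */
	extern struct ph2handle *getph2byselector();
	extern int set_proposal_from_policy();

	TRACE((PLOGLOC, "processing acquire for IKEv1\n"));
	if (ikev1_passive(rm_info) == RCT_BOOL_ON) {
		isakmp_log(0, req->src, req->dst, 0, PLOG_INFO, PLOGLOC,	/* ??? */
			   "remote %s passive mode specified for IKEv1, dropping acquire request\n",
			   (rm_info->rm_index ?
			    rc_vmem2str(rm_info->rm_index) : "(default)"));
		goto fail;
	}

	/*
	 * The responder path (isakmp_ph1begin_r) refuses a remote without
	 * an ikev1 section; do the same here rather than dereference it.
	 */
	if (rm_info->ikev1 == NULL) {
		isakmp_log(0, req->src, req->dst, 0, PLOG_INTERR, PLOGLOC,
			   "no IKEv1 configuration for remote %s, dropping acquire request\n",
			   (rm_info->rm_index ?
			    rc_vmem2str(rm_info->rm_index) : "(default)"));
		goto fail;
	}

	if (rm_info->ikev1->peers_ipaddr) {
		if (rm_info->ikev1->peers_ipaddr->type != RCT_ADDR_INET) {
			isakmp_log(0, req->src, req->dst, 0,
				   PLOG_INTERR, PLOGLOC,
				   "unsupported peers_ipaddr format in policy %.*s\n",
				   (int)policy->pl_index->l,
				   policy->pl_index->v);
			goto fail;
		}
		peer = rcs_sadup(rm_info->ikev1->peers_ipaddr->a.ipaddr);
	} else {
		/* no configured peer address: use the kernel's destination */
		peer = rcs_sadup(req->dst);
		switch (SOCKADDR_FAMILY(peer)) {
		case AF_INET:
			((struct sockaddr_in *)peer)->sin_port =
				htons(isakmp_port);
			break;
#ifdef INET6
		case AF_INET6:
			((struct sockaddr_in6 *)peer)->sin6_port =
				htons(isakmp_port);
			break;
#endif
		default:
			isakmp_log(0, req->src, req->dst, 0,
				   PLOG_INTERR, PLOGLOC,
				   "unsupported address family (%d) for peer address\n",
				   SOCKADDR_FAMILY(peer));
			goto fail;
		}
	}

	/* a negotiation already in flight for this selector wins */
	iph2 = getph2byselector(req->src, req->dst, selector);
	if (iph2) {
		if (iph2->status < PHASE2ST_ESTABLISHED) {
			isakmp_log(0, req->src, req->dst, 0, PLOG_DEBUG, PLOGLOC,
				   "ignoring acquire request since there's ph2 already\n");
			goto fail;
		}
		/* no effect: iph2 is overwritten by newph2() just below */
		if (iph2->status == PHASE2ST_EXPIRED)
			iph2 = 0;
	}

	iph2 = newph2();
	if (!iph2) {
		plog(PLOG_INTERR, PLOGLOC, 0,
		     "failed to allocate phase 2 entry\n");
		goto fail;
	}
	iph2->side = INITIATOR;
	/* ownership of selector moves to the handle; delph2() releases it */
	iph2->selector = selector;
	selector = 0;
	iph2->satype = RCT_SATYPE_ESP;	/* ??? */
	iph2->status = PHASE2ST_STATUS2;

	iph2->dst = rcs_sadup(req->dst);
	if (req->src2)
		iph2->src = rcs_sadup(req->src2);
	else
		iph2->src = rcs_sadup(req->src);
	if (!iph2->dst || !iph2->src) {
		delph2(iph2);
		goto fail_nomem;
	}
	iph2->seq = req->request_msg_seq;

	sadb_request_initialize(&iph2->sadb_request,
				req->callback_method,
				&ikev1_sadb_callback,
				req->request_msg_seq,
				iph2);

	if (set_proposal_from_policy(iph2, rm_info, policy)) {
		plog(PLOG_INTERR, PLOGLOC, 0,
		     "failed to create saprop\n");
		delph2(iph2);
		goto fail;
	}

	TRACE((PLOGLOC, "new acquire ph2 %p\n", iph2));

	insph2(iph2);

	ikev1_post_acquire(rm_info, iph2);
	goto done;

fail_nomem:
	isakmp_log(0, req->src, req->dst, 0,
		   PLOG_INTERR, PLOGLOC, "failed allocating memory\n");
	/* FALLTHROUGH */
fail:
done:
	/* selector is still ours only if it was never attached to a handle */
	if (selector)
		rcf_free_selector(selector);
	if (peer)
		racoon_free(peer);
}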
670
671
672 /*
673 * main function of phase 1.
674 */
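/*
 * Drive one step of the phase 1 state machine for a received packet.
 *
 * iph1  phase 1 handle the packet was matched to
 * msg   the received packet
 *
 * Runs the "receive" handler for the current state, then -- the receive
 * handler is expected to advance iph1->status -- the "send" handler for
 * the new state.  On reaching PHASE1ST_ESTABLISHED it records the
 * creation time, schedules expiry, optionally sends INITIAL-CONTACT and
 * runs the phase1-up script hook.
 *
 * Returns 0 when the packet was consumed (including when the receive
 * handler rejected it: the handle is deliberately kept) and -1 when the
 * send step failed; the caller tears the handle down on -1.
 */
static int
ph1_main(struct ph1handle *iph1, rc_vchar_t *msg)
{
	PH1EXCHG handler;
	int error;
#ifdef ENABLE_STATS
	struct timeval start, end;
#endif

	/* ignore a packet on an already established ISAKMP-SA */
	if (iph1->status == PHASE1ST_ESTABLISHED) {
		/* ++isakmpstat.ignore; */
		return 0;
	}
#ifdef ENABLE_STATS
	gettimeofday(&start, NULL);
#endif
	/* receive */
	handler = ph1exchange[etypesw1(iph1->etype)][iph1->side][iph1->status];
	if (handler == NULL) {
		plog(PLOG_INTERR, PLOGLOC, 0,
		     "why isn't the function defined.\n");
		/* ++isakmpstat.ignore; */
		return -1;
	}
	error = handler(iph1, msg);
	if (error != 0) {
		/*
		 * XXX
		 * When an invalid packet is received on phase1, one of two
		 * policies has to be chosen: respond with a notify and delete
		 * the phase 1 handler, or stay silent and keep it.  The
		 * current choice is to ignore the error and keep the handler,
		 * so an unauthenticated garbage packet cannot tear down a
		 * negotiation in progress.
		 */
		return 0;
	}

	/* free resend buffer */
	if (iph1->sendbuf == NULL) {
		plog(PLOG_INTERR, PLOGLOC, 0, "no buffer found as sendbuf\n");
		return -1;
	}
	VPTRINIT(iph1->sendbuf);

	/* turn off schedule */
	if (iph1->scr)
		SCHED_KILL(iph1->scr);

	/* send: look the handler up again, iph1->status has moved on */
	plog(PLOG_DEBUG, PLOGLOC, 0, "===\n");
	handler = ph1exchange[etypesw1(iph1->etype)][iph1->side][iph1->status];
	if (handler == NULL) {
		plog(PLOG_INTERR, PLOGLOC, 0,
		     "why isn't the function defined.\n");
		return -1;
	}
	if (handler(iph1, msg) != 0) {
		plog(PLOG_PROTOERR, PLOGLOC, 0,
		     "failed to process packet.\n");
		return -1;
	}
#ifdef ENABLE_STATS
	gettimeofday(&end, NULL);
	syslog(LOG_NOTICE, "%s(%s): %8.6f",
	       "phase1", s_isakmp_state(iph1->etype, iph1->side, iph1->status),
	       timedelta(&start, &end));
#endif
	if (iph1->status == PHASE1ST_ESTABLISHED) {
		/* ++isakmpstat.ph1established; */
#ifdef ENABLE_STATS
		gettimeofday(&iph1->end, NULL);
		syslog(LOG_NOTICE, "%s(%s): %8.6f",
		       "phase1", s_isakmp_etype(iph1->etype),
		       timedelta(&iph1->start, &iph1->end));
#endif

		/* save created date. */
		(void)time(&iph1->created);

		/*
		 * add to the schedule to expire, and save back pointer.
		 * iph1->approval is presumably set by the handler that moved
		 * the state to ESTABLISHED -- confirm it is never NULL here.
		 */
		iph1->sce = sched_new(iph1->approval->lifetime,
				      isakmp_ph1expire_stub, iph1);

		/* INITIAL-CONTACT processing, once per remote address */
		if (iph1->rmconf->ikev1
		    && iph1->rmconf->ikev1->initial_contact
		    && !getcontacted(iph1->remote)) {
			/*++isakmpstat.initial_contact; */
			/* insert a node into contacted list. */
			if (inscontacted(iph1->remote) == -1) {
				plog(PLOG_INTERR, PLOGLOC, 0,
				     "failed to add contacted list.\n");
				/* ignore */
			} else {
				/* send INITIAL-CONTACT */
				isakmp_info_send_n1(iph1,
						    ISAKMP_NTYPE_INITIAL_CONTACT,
						    NULL);
			}
		}

		log_ph1established(iph1);
		ikev1_script_hook(iph1, SCRIPT_PHASE1_UP);
		plog(PLOG_DEBUG, PLOGLOC, NULL, "===\n");
	}

	return 0;
}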
791
792 /*
793 * main function of quick mode.
794 */
/*
 * Drive one step of Quick mode for a received packet: run the receive
 * handler for the current state, then the send handler for the state it
 * moved to.
 *
 * iph2  phase 2 handle matched by message id
 * msg   the received packet (its header selects the dispatch row)
 *
 * Returns 0 when the packet was consumed or deliberately ignored
 * (established / GETSPI pending / ADDSA reached / internal error in the
 * receive step) and -1 on a protocol failure; on a non-internal receive
 * error the error code is sent to the peer as a notification first.
 */
static int
quick_main(struct ph2handle *iph2, rc_vchar_t *msg)
{
	struct isakmp *hdr = (struct isakmp *)msg->v;
	int row = etypesw2(hdr->etype);
	PH2EXCHG handler;
	int rc;
#ifdef ENABLE_STATS
	struct timeval start, end;
#endif

	/* nothing to do for a finished or kernel-blocked negotiation */
	if (iph2->status == PHASE2ST_ESTABLISHED)
		return 0;
	if (iph2->status == PHASE2ST_GETSPISENT)
		return 0;

#ifdef ENABLE_STATS
	gettimeofday(&start, NULL);
#endif

	/* receive */
	handler = ph2exchange[row][iph2->side][iph2->status];
	if (handler == NULL) {
		plog(PLOG_INTERR, PLOGLOC, 0,
		     "why isn't the function defined.\n");
		return -1;
	}
	rc = handler(iph2, msg);
	if (rc != 0) {
		plog(PLOG_INTERR, PLOGLOC, 0,
		     "failed to pre-process packet.\n");
		/* internal failures are not reported to the peer */
		if (rc == ISAKMP_INTERNAL_ERROR)
			return 0;
		isakmp_info_send_n1(iph2->ph1, rc, NULL);
		return -1;
	}

	/* when using commit bit, status will be reached here. */
	if (iph2->status == PHASE2ST_ADDSA)
		return 0;

	/* free resend buffer */
	if (iph2->sendbuf == NULL) {
		plog(PLOG_INTERR, PLOGLOC, NULL, "no buffer found as sendbuf\n");
		return -1;
	}
	VPTRINIT(iph2->sendbuf);

	/* turn off schedule */
	if (iph2->scr)
		SCHED_KILL(iph2->scr);

#ifdef sun
	/* Bail now to await inverse-ACQUIRE response. */
	if (iph2->status == PHASE2ST_START && iph2->side == RESPONDER)
		return (0);
#endif /* sun/OpenSolaris */

	/* send: the status has advanced, so re-select the handler */
	plog(PLOG_DEBUG, PLOGLOC, NULL, "===\n");
	handler = ph2exchange[row][iph2->side][iph2->status];
	if (handler(iph2, msg) != 0) {
		plog(PLOG_PROTOERR, PLOGLOC, 0,
		     "failed to process packet.\n");
		return -1;
	}
#ifdef ENABLE_STATS
	gettimeofday(&end, NULL);
	syslog(LOG_NOTICE, "%s(%s): %8.6f",
	       "phase2",
	       s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status),
	       timedelta(&start, &end));
#endif

	return 0;
}
873
874 /* new negotiation of phase 1 for initiator */
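/*
 * Start a new phase 1 negotiation as initiator.
 *
 * rmconf  remote configuration (exchange mode, proposals)
 * remote  peer address; local  our address
 *
 * Allocates a phase 1 handle, registers it and fires the first "send"
 * handler.  Returns 0 on success, -1 on failure; on every failure path
 * the handle allocated here is released again, so nothing is leaked
 * (delph1() is assumed to accept a handle that was never inserted with
 * insph1() -- confirm).
 */
int
isakmp_ph1begin_i(struct rcf_remote *rmconf,
		  struct sockaddr *remote, struct sockaddr *local)
{
	struct ph1handle *iph1;
	char *a;
#ifdef ENABLE_STATS
	struct timeval start, end;
#endif

	/* get new entry to isakmp status table. */
	iph1 = newph1();
	if (iph1 == NULL)
		return -1;

	iph1->status = PHASE1ST_START;
	iph1->rmconf = rmconf;
	iph1->side = INITIATOR;
	iph1->version = ISAKMP_VERSION_NUMBER;
	iph1->msgid = 0;
	iph1->flags = 0;
	iph1->ph2cnt = 0;
#ifdef HAVE_GSSAPI
	iph1->gssapi_state = NULL;
#endif
	iph1->approval = NULL;
	/* NOTE(review): result is not checked here; presumably the exchange handlers cope with NULL -- confirm */
	iph1->proposal = ikev1_conf_to_isakmpsa(rmconf);

	/* XXX copy remote address */
	if (copy_ph1addresses(iph1, rmconf, remote, local) < 0) {
		/* not yet inserted, so no remph1() */
		delph1(iph1);
		return -1;
	}

	(void)insph1(iph1);

	/* start phase 1 exchange */
	iph1->etype = ikev1_conf_exmode_to_isakmp(rmconf);

	plog(PLOG_DEBUG, PLOGLOC, NULL, "===\n");
	/* rcs_sa2str() is used twice in one line; copy the first result out */
	a = strdup(rcs_sa2str(iph1->local));
	plog(PLOG_INFO, PLOGLOC, NULL,
	     "initiate new phase 1 negotiation: %s<=>%s\n",
	     a != NULL ? a : "(unknown)", rcs_sa2str(iph1->remote));
	racoon_free(a);
	plog(PLOG_INFO, PLOGLOC, NULL,
	     "begin %s mode.\n", s_isakmp_etype(iph1->etype));

#ifdef ENABLE_STATS
	gettimeofday(&iph1->start, NULL);
	gettimeofday(&start, NULL);
#endif
	/* start exchange */
	if ((ph1exchange[etypesw1(iph1->etype)]
	     [iph1->side]
	     [iph1->status]) (iph1, NULL) != 0) {
		/* failed to start phase 1 negotiation */
		remph1(iph1);
		delph1(iph1);

		return -1;
	}
#ifdef ENABLE_STATS
	gettimeofday(&end, NULL);
	syslog(LOG_NOTICE, "%s(%s): %8.6f",
	       "phase1",
	       s_isakmp_state(iph1->etype, iph1->side, iph1->status),
	       timedelta(&start, &end));
#endif

	return 0;
}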
948
949 /* new negotiation of phase 1 for responder */
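/*
 * Start a new phase 1 negotiation as responder, triggered by the first
 * packet from an initiator (no handle yet, zero responder cookie).
 *
 * msg     the received packet (header already size-checked by the caller)
 * remote  peer address; local  our address
 * etype   exchange type taken from the packet header
 *
 * The remote must have an ikev1 section and the packet's exchange type
 * must match the configured mode, otherwise nothing is allocated.  Note
 * that state is created here for a peer that has not authenticated
 * yet; the expiry scheduled once phase 1 completes is the only bound on
 * it, so the cost of half-open negotiations is the handle itself.
 *
 * Returns 0 on success, -1 on failure; the handle allocated here is
 * released on every failure path (delph1() is assumed to accept a
 * handle that was never inserted with insph1() -- confirm).
 */
static int
isakmp_ph1begin_r(rc_vchar_t *msg, struct sockaddr *remote,
		  struct sockaddr *local, uint8_t etype)
{
	struct isakmp *isakmp = (struct isakmp *)msg->v;
	struct rcf_remote *rmconf;
	struct ph1handle *iph1;
	char *a;
	/* struct etypes *etypeok; */
#ifdef ENABLE_STATS
	struct timeval start, end;
#endif

	/* look for my configuration */
	rmconf = getrmconf(remote);
	if (rmconf == NULL) {
		plog(PLOG_PROTOERR, PLOGLOC, 0,
		     "couldn't find configuration.\n");
		return -1;
	}
	if (rmconf->ikev1 == NULL) {
		plog(PLOG_PROTOERR, PLOGLOC, 0,
		     "received IKEv1 request but no IKEv1 configuration for peer %s\n",
		     rc_vmem2str(rmconf->rm_index));
		return -1;
	}

	/* check to be acceptable exchange type */
	if (etype != ikev1_conf_exmode_to_isakmp(rmconf)) {
		plog(PLOG_PROTOERR, PLOGLOC, 0,
		     "not acceptable %s mode\n", s_isakmp_etype(etype));
		return -1;
	}

	/* get new entry to isakmp status table. */
	iph1 = newph1();
	if (iph1 == NULL)
		return -1;

	/* the initiator cookie is the peer's; ours is assigned by the handlers */
	memcpy(&iph1->index.i_ck, &isakmp->i_ck, sizeof(iph1->index.i_ck));
	iph1->status = PHASE1ST_START;
	iph1->rmconf = rmconf;
	iph1->flags = 0;
	iph1->side = RESPONDER;
	iph1->etype = etype;
	/* the peer's version byte as received; ikev1_main already rejected minor > ours */
	iph1->version = isakmp->v;
	iph1->msgid = 0;
#ifdef HAVE_GSSAPI
	iph1->gssapi_state = NULL;
#endif
	iph1->approval = NULL;
	/* NOTE(review): result is not checked here; presumably the exchange handlers cope with NULL -- confirm */
	iph1->proposal = ikev1_conf_to_isakmpsa(rmconf);

	/* copy remote address */
	if (copy_ph1addresses(iph1, rmconf, remote, local) < 0) {
		/* not yet inserted, so no remph1() */
		delph1(iph1);
		return -1;
	}

	(void)insph1(iph1);

	plog(PLOG_DEBUG, PLOGLOC, NULL, "===\n");
	/* rcs_sa2str() is used twice in one line; copy the first result out */
	a = strdup(rcs_sa2str(iph1->local));
	plog(PLOG_INFO, PLOGLOC, NULL,
	     "respond new phase 1 negotiation: %s<=>%s\n",
	     a != NULL ? a : "(unknown)", rcs_sa2str(iph1->remote));
	racoon_free(a);
	plog(PLOG_INFO, PLOGLOC, NULL,
	     "begin %s mode.\n", s_isakmp_etype(etype));

#ifdef ENABLE_STATS
	gettimeofday(&iph1->start, NULL);
	gettimeofday(&start, NULL);
#endif
	/*
	 * start exchange: the first call is the receive step for the
	 * packet in hand, the second (after the status advanced) the send
	 * step.  Both are looked up anew because the status changes.
	 */
	if ((ph1exchange[etypesw1(iph1->etype)]
	     [iph1->side]
	     [iph1->status]) (iph1, msg) < 0
	    || (ph1exchange[etypesw1(iph1->etype)]
		[iph1->side]
		[iph1->status]) (iph1, msg) < 0) {
		plog(PLOG_PROTOERR, PLOGLOC, 0,
		     "failed to process packet.\n");
		remph1(iph1);
		delph1(iph1);
		return -1;
	}
#ifdef ENABLE_STATS
	gettimeofday(&end, NULL);
	syslog(LOG_NOTICE, "%s(%s): %8.6f",
	       "phase1",
	       s_isakmp_state(iph1->etype, iph1->side, iph1->status),
	       timedelta(&start, &end));
#endif

	return 0;
}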
1048
1049
1050
1051 /*
1052 * make strings containing i_cookie + r_cookie + msgid
1053 */
/*
 * Render an ISAKMP index as "i_cookie:r_cookie" in hex, followed by
 * ":msgid" (network byte order printed as host-order hex) when msgid is
 * non-zero.
 *
 * index  cookie pair to print (read as raw bytes)
 * msgid  message id; 0 suppresses the suffix
 *
 * Returns a pointer to a static buffer: the result is overwritten by the
 * next call, so two results cannot be used in one printf()-style call.
 */
const char *
isakmp_pindex(const isakmp_index_t *index, const uint32_t msgid)
{
	static char buf[64];
	const unsigned char *raw = (const unsigned char *)index;
	size_t pos = 0;
	size_t k;

	memset(buf, 0, sizeof(buf));

	/* hex-dump the index, with a ':' after the 8th byte */
	for (k = 0; k < sizeof(isakmp_index_t); k++) {
		snprintf(&buf[pos], sizeof(buf) - pos, "%02x", raw[k]);
		pos += 2;
		if (k == 7)
			buf[pos++] = ':';
	}

	if (msgid != 0)
		snprintf(&buf[pos], sizeof(buf) - pos, ":%08x", ntohl(msgid));

	return buf;
}
1082
1083 /*
1084 * receive GETSPI from kernel.
1085 */
/*
 * Continue a Quick mode negotiation once the kernel has answered GETSPI.
 *
 * iph2  phase 2 handle whose status selects the next handler
 *
 * Returns 0 on success, -1 when the handler fails or when the phase 1
 * SA the handle is bound to has already expired.  iph2->ph1 is
 * dereferenced without a check; presumably a handle reaching this point
 * is always bound -- confirm.
 */
int
isakmp_post_getspi(struct ph2handle *iph2)
{
	PH2EXCHG handler;
#ifdef ENABLE_STATS
	struct timeval start, end;
#endif

	/* don't process it because there is no suitable phase1-sa. */
	if (iph2->ph1->status == PHASE1ST_EXPIRED) {
		plog(PLOG_INTERR, PLOGLOC, 0,
		     "the negotiation is stopped, "
		     "because there is no suitable ISAKMP-SA.\n");
		return -1;
	}

#ifdef ENABLE_STATS
	gettimeofday(&start, NULL);
#endif
	handler = ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)][iph2->side][iph2->status];
	if (handler(iph2, NULL) != 0)
		return -1;
#ifdef ENABLE_STATS
	gettimeofday(&end, NULL);
	syslog(LOG_NOTICE, "%s(%s): %8.6f",
	       "phase2",
	       s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status),
	       timedelta(&start, &end));
#endif

	return 0;
}
1118
1119 /* new negotiation of phase 2 for initiator */
/*
 * Start a new Quick mode negotiation as initiator on an existing
 * ISAKMP-SA.
 *
 * iph1  established phase 1 handle to bind the negotiation to
 * iph2  prepared phase 2 handle (src/dst already set)
 *
 * Binds iph2 to iph1, sets the status to PHASE2ST_STATUS2 and runs the
 * first handler; on failure the handle is handed to
 * isakmp_fail_initiate_ph2() for release.  No return value.
 */
static void
isakmp_ph2begin_i(struct ph1handle *iph1, struct ph2handle *iph2)
{
	char *src_str;
	PH2EXCHG handler;

	/* found ISAKMP-SA. */
	plog(PLOG_DEBUG, PLOGLOC, NULL, "===\n");
	plog(PLOG_DEBUG, PLOGLOC, NULL, "begin QUICK mode.\n");

	/* rcs_sa2str() is used twice in one line; copy the first result out */
	src_str = strdup(rcs_sa2str(iph2->src));
	plog(PLOG_INFO, PLOGLOC, NULL,
	     "initiate new phase 2 negotiation: %s<=>%s\n",
	     src_str, rcs_sa2str(iph2->dst));
	racoon_free(src_str);

#ifdef ENABLE_STATS
	gettimeofday(&iph2->start, NULL);
#endif
	/* found isakmp-sa */
	bindph12(iph1, iph2);
	iph2->status = PHASE2ST_STATUS2;

	handler = ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)][iph2->side][iph2->status];
	if (handler(iph2, NULL) < 0) {
		/* release ipsecsa handler due to internal error. */
		plog(PLOG_INTERR, PLOGLOC, 0,
		     "failed to initiate phase 2 negotiation for %s\n",
		     rcs_sa2str_wop(iph2->dst));
		isakmp_fail_initiate_ph2(iph2);
	}
}
1154
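#ifdef sun
/*
 * Completion callback for the inverse-ACQUIRE that isakmp_ph2begin_r()
 * issues on Solaris: fill the responder's selector and proposal from the
 * kernel's answer, then run the quick-mode reply state handler on the
 * stored first message (iph2->msg1).
 *
 * invacq: request record allocated in isakmp_ph2begin_r(); everything
 *         needed from it is copied out and it is released here.
 * Returns 0 on success, -1 on any failure.  The phase 2 handle is kept
 * on failure ("don't release handler" below).
 *
 * NOTE(review): this path is still unfinished upstream (see the KEBE
 * comments); the error paths do not tear down iph2 — confirm against
 * the caller's expectations once it is completed.
 */
static int
isakmp_ph2_inv_acquire(invacq_t *invacq)
{
	struct ph2handle *iph2 = invacq->iph2;
	struct rcpfk_msg *param = invacq->answer;
	struct isakmp *isakmp = (struct isakmp *)iph2->msg1->v;
#ifdef ENABLE_STATS
	/* both were previously undeclared here and start was never set */
	struct timeval start, end;
#endif

	sadb_request_finish(&invacq->request);
	free(invacq);

	/*
	 * Initialize iph2->selector and iph2->proposal with the results of
	 * the inverse-ACQUIRE.
	 *
	 * XXX KEBE SAYS -- We need a way to figure out a p2_pfs equivalent
	 * for racoon2. We store this in Phase I/PAD state in in.iked.
	 */

	/* Then send the Quick Mode reply. */
	/* assert(iph2->status == PHASE2ST_STATUS2); */

	/* change status of isakmp status entry */
	iph2->status = PHASE2ST_STATUS2;

	if (extract_extended_acquire(param, &iph2->selector, NULL) != 0) {
		/* XXX KEBE SAYS MORE ERROR HANDLING? */
		return (-1);
	}

	/* XXX KEBE SAYS FILL ME IN XXX */

	if (set_proposal_from_policy(iph2, iph2->ph1->rmconf,
	    iph2->selector->pl) != 0) {
		/* XXX KEBE SAYS MORE ERROR HANDLING? */
		return (-1);
	}

	if (ipsecdoi_selectph2proposal(iph2) < 0) {
		/* XXX KEBE SAYS MORE ERROR HANDLING? PROPER RETURN? */
		isakmp_info_send_n1(iph2->ph1, ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN,
		    NULL);
		return (-1);
	}

	/* The following was moved here from quick_main(). */
	plog(PLOG_DEBUG, PLOGLOC, NULL, "===\n");
#ifdef ENABLE_STATS
	gettimeofday(&start, NULL);
#endif
	if ((ph2exchange[etypesw2(isakmp->etype)]
	    [iph2->side]
	    [iph2->status]) (iph2, iph2->msg1) < 0) {
		plog(PLOG_PROTOERR, PLOGLOC, 0,
		    "failed to process packet.\n");
		/* don't release handler */
		return -1;
	}
#ifdef ENABLE_STATS
	gettimeofday(&end, NULL);
	syslog(LOG_NOTICE, "%s(%s): %8.6f",
	    "phase2",
	    s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status),
	    timedelta(&start, &end));
#endif

	/* the success path previously fell off the end without a value */
	return 0;
}
#endif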
1219
/* new negotiation of phase 2 for responder */
/*
 * Create a responder-side phase 2 handle for a quick-mode message received
 * on the established ISAKMP-SA iph1 and run its first state handler.
 *
 * iph1: phase 1 handle the message arrived on.
 * msg:  the received quick-mode message.  Its header supplies the flags
 *       and msgid stored in iph2 (later reused in reply headers by
 *       set_isakmp_header2()); msg itself is handed to the state handlers.
 * Returns 0 on success, -1 on failure.  If the pre-processing handler
 * fails, the new handle is unbound, removed and freed and a notification
 * is sent unless the error is ISAKMP_INTERNAL_ERROR; after that point a
 * failure keeps the handle ("don't release handler").
 *
 * The #ifdef sun path is unfinished upstream: it defers the reply to
 * isakmp_ph2_inv_acquire() through an inverse-ACQUIRE and still passes
 * NULL request/response methods (see the KEBE comments).
 */
static int
isakmp_ph2begin_r(struct ph1handle *iph1, rc_vchar_t *msg)
{
	struct isakmp *isakmp = (struct isakmp *)msg->v;
	struct ph2handle *iph2 = 0;
	int error;
#ifdef ENABLE_STATS
	/* start is only consumed by the non-sun branch below */
	struct timeval start, end;
#endif
	extern struct sadb_response_method ikev1_sadb_callback;

	iph2 = newph2();
	if (iph2 == NULL) {
		plog(PLOG_INTERR, PLOGLOC, NULL,
		    "failed to allocate phase2 entry.\n");
		return -1;
	}

	/* flags and msgid are taken verbatim from the peer's header */
	iph2->ph1 = iph1;
	iph2->side = RESPONDER;
	iph2->status = PHASE2ST_START;
	iph2->flags = isakmp->flags;
	iph2->msgid = isakmp->msgid;
	iph2->seq = sadb_new_seq(); /* pk_getseq(); */
	iph2->ivm = oakley_newiv2(iph1, iph2->msgid);
	if (iph2->ivm == NULL) {
		delph2(iph2);
		return -1;
	}

	/* endpoints come from the phase 1 handle, not from the packet */
	iph2->dst = rcs_sadup(iph1->remote); /* XXX should be considered */
	if (iph2->dst == NULL) {
		delph2(iph2);
		return -1;
	}

	iph2->src = rcs_sadup(iph1->local); /* XXX should be considered */
	if (iph2->src == NULL) {
		delph2(iph2);
		return -1;
	}

	iph2->selector = 0;

	sadb_request_initialize(&iph2->sadb_request,
	    debug_pfkey ? &sadb_debug_method : &sadb_responder_request_method,
	    &ikev1_sadb_callback,
	    iph2->seq,
	    iph2);

	/* add new entry to isakmp status table */
	insph2(iph2);
	bindph12(iph1, iph2);

	plog(PLOG_DEBUG, PLOGLOC, NULL, "===\n");
	{
		char *a;

		/*
		 * the first rcs_sa2str() result is copied before the second
		 * call; the strdup() result is not checked, so on allocation
		 * failure a NULL reaches the %s conversion
		 */
		a = strdup(rcs_sa2str(iph2->src));
		plog(PLOG_INFO, PLOGLOC, NULL,
		    "respond new phase 2 negotiation: %s<=>%s\n",
		    a, rcs_sa2str(iph2->dst));
		racoon_free(a);
	}

#ifdef ENABLE_STATS
	gettimeofday(&start, NULL);
#endif


	/* pre-process (validate) the received message in state PHASE2ST_START */
	error = (ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)]
	    [iph2->side]
	    [iph2->status]) (iph2, msg);
	if (error != 0) {
		plog(PLOG_INTERR, PLOGLOC, 0,
		    "failed to pre-process packet.\n");
		/* a protocol error code is reported to the peer; internal ones are not */
		if (error != ISAKMP_INTERNAL_ERROR)
			isakmp_info_send_n1(iph2->ph1, error, NULL);
		/*
		 * release handler because it's wrong that ph2handle is kept
		 * after failed to check message for responder's.
		 */
		unbindph12(iph2);
		remph2(iph2);
		delph2(iph2);
		return -1;
	}

#ifdef sun
	/* XXX KEBE ASKS - how do you insert inverse-ACQUIRE here? */

	/* Assume iph2->msg1 contains a copy of "msg" we passed-in. */
	{
		invacq_t *invacq = malloc(sizeof (*invacq));
		uint32_t newseq = sadb_new_seq();

		/*
		 * Use newseq to avoid using iph2's, which already has a
		 * record via a previous sadb_request_initalize() call.
		 */

		/*
		 * NOTE(review): this early return keeps iph2 inserted and
		 * bound, unlike the pre-processing failure path above —
		 * confirm that is intended once this path is finished.
		 */
		if (invacq == NULL)
			return (-1);

		invacq->iph2 = iph2;
		sadb_request_initialize(&invacq->request,
		    NULL /* KEBE - reqmethod */, NULL /* KEBE - respmethod */,
		    newseq, invacq);
		invacq->receiver = isakmp_ph2_inv_acquire;

		/* Okay, now we send the inverse-ACQUIRE itself. */
		/* XXX KEBE SAYS CODE ME */
		ikev1_send_inverse_acquire(iph2, newseq);
	}
#else
	/* send */
	plog(PLOG_DEBUG, PLOGLOC, NULL, "===\n");
	if ((ph2exchange[etypesw2(isakmp->etype)]
	    [iph2->side]
	    [iph2->status]) (iph2, msg) < 0) {
		plog(PLOG_PROTOERR, PLOGLOC, 0,
		    "failed to process packet.\n");
		/* don't release handler */
		return -1;
	}
#ifdef ENABLE_STATS
	gettimeofday(&end, NULL);
	syslog(LOG_NOTICE, "%s(%s): %8.6f",
	    "phase2",
	    s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status),
	    timedelta(&start, &end));
#endif
#endif /* sun/OpenSolaris */

	return 0;
}
1357
/* called from scheduler */
/* Scheduler trampoline: recover the phase 1 handle and retransmit. */
static void
isakmp_ph1resend_stub(void *p)
{
	struct ph1handle *iph1 = p;

	(void)isakmp_ph1resend(iph1);
}
1364
/*
 * Retransmit the last phase 1 packet, or give up once the retry budget
 * is exhausted.
 *
 * iph1: phase 1 handle; iph1->sendbuf holds the packet to resend.
 * Returns 0 after a successful send (the resend timer is re-armed and
 * retry_counter decremented), -1 when the retries ran out (the handle
 * is removed and freed) or when isakmp_send() failed (no timer is
 * re-armed in that case).
 */
int
isakmp_ph1resend(struct ph1handle *iph1)
{
	if (iph1->retry_counter >= 0) {
		if (isakmp_send(iph1, iph1->sendbuf) < 0)
			return -1;

		plog(PLOG_DEBUG, PLOGLOC, NULL,
		    "resend phase1 packet %s\n",
		    isakmp_pindex(&iph1->index, iph1->msgid));

		iph1->retry_counter--;
		iph1->scr = sched_new(ikev1_interval_to_send(iph1->rmconf),
		    isakmp_ph1resend_stub, iph1);
		return 0;
	}

	plog(PLOG_PROTOERR, PLOGLOC, NULL,
	    "phase1 negotiation failed due to time up (index %s).\n",
	    isakmp_pindex(&iph1->index, iph1->msgid));

	remph1(iph1);
	delph1(iph1);
	return -1;
}
1392
/* called from scheduler */
/* Scheduler trampoline: recover the phase 2 handle and retransmit. */
static void
isakmp_ph2resend_stub(void *p)
{
	struct ph2handle *iph2 = p;

	(void)isakmp_ph2resend(iph2);
}
1400
/*
 * Retransmit the last phase 2 packet, or give up once the retry budget
 * is exhausted.
 *
 * iph2: phase 2 handle; the packet is sent on its parent ISAKMP-SA.
 * Returns 0 after a successful send (timer re-armed, retry_counter
 * decremented), -1 when the retries ran out (the handle is unbound,
 * removed and freed) or when isakmp_send() failed.
 */
int
isakmp_ph2resend(struct ph2handle *iph2)
{
	struct ph1handle *iph1 = iph2->ph1;

	if (iph2->retry_counter >= 0) {
		if (isakmp_send(iph1, iph2->sendbuf) < 0)
			return -1;

		plog(PLOG_DEBUG, PLOGLOC, NULL,
		    "resend phase2 packet %s\n",
		    isakmp_pindex(&iph1->index, iph2->msgid));

		iph2->retry_counter--;
		iph2->scr = sched_new(ikev1_interval_to_send(iph1->rmconf),
		    isakmp_ph2resend_stub, iph2);
		return 0;
	}

	plog(PLOG_PROTOERR, PLOGLOC, NULL,
	    "phase2 negotiation failed due to time up. %s\n",
	    isakmp_pindex(&iph1->index, iph2->msgid));
	unbindph12(iph2);
	remph2(iph2);
	delph2(iph2);
	return -1;
}
1428
/* called from scheduler */
/* Scheduler trampoline for the phase 1 lifetime timer. */
static void
isakmp_ph1expire_stub(void *p)
{
	struct ph1handle *iph1 = p;

	isakmp_ph1expire(iph1);
}
1436
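/*
 * Mark the ISAKMP-SA iph1 as expired and schedule its deletion.
 *
 * Called from the scheduler when the SA lifetime ends.  The handle is
 * not freed here: while phase 2 handles are still bound to it this
 * function re-arms itself every second; once the ph2 list is empty,
 * isakmp_ph1delete_stub() is scheduled instead.
 */
void
isakmp_ph1expire(struct ph1handle *iph1)
{
	char *src, *dst;

	/*
	 * The first rcs_sa2str() result is copied before the second call
	 * (presumably it reuses a static buffer — confirm).  Guard both
	 * copies so an allocation failure never hands NULL to %s.
	 */
	src = strdup(rcs_sa2str(iph1->local));
	dst = strdup(rcs_sa2str(iph1->remote));
	plog(PLOG_INFO, PLOGLOC, NULL,
	    "ISAKMP-SA expired %s-%s spi:%s\n",
	    src != NULL ? src : "(unknown)",
	    dst != NULL ? dst : "(unknown)",
	    isakmp_pindex(&iph1->index, 0));
	racoon_free(src);
	racoon_free(dst);

	SCHED_KILL(iph1->sce);

	iph1->status = PHASE1ST_EXPIRED;

	/* the phase1 deletion is postponed until there is no phase2. */
	if (LIST_FIRST(&iph1->ph2tree) != NULL) {
		iph1->sce = sched_new(1, isakmp_ph1expire_stub, iph1);
		return;
	}

	iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1);
}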
1464
/* called from scheduler */
/* Scheduler trampoline for the deferred phase 1 deletion. */
void
isakmp_ph1delete_stub(void *p)
{
	struct ph1handle *iph1 = p;

	isakmp_ph1delete(iph1);
}
1472
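/*
 * Delete the ISAKMP-SA iph1 once nothing depends on it.
 *
 * Called from the scheduler (isakmp_ph1delete_stub) after expiry.  While
 * phase 2 handles are still bound to iph1 the deletion is retried every
 * second; otherwise the SA is logged, removed from the table and freed.
 * No re-negotiation is started when the phase 1 SA expires.
 */
void
isakmp_ph1delete(struct ph1handle *iph1)
{
	char *src, *dst;

	SCHED_KILL(iph1->sce);

	if (LIST_FIRST(&iph1->ph2tree) != NULL) {
		iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1);
		return;
	}

	/*
	 * The first rcs_sa2str() result is copied before the second call
	 * (presumably it reuses a static buffer — confirm).  Guard both
	 * copies so an allocation failure never hands NULL to %s.
	 */
	src = strdup(rcs_sa2str(iph1->local));
	dst = strdup(rcs_sa2str(iph1->remote));
	plog(PLOG_INFO, PLOGLOC, NULL,
	    "ISAKMP-SA deleted %s-%s spi:%s\n",
	    src != NULL ? src : "(unknown)",
	    dst != NULL ? dst : "(unknown)",
	    isakmp_pindex(&iph1->index, 0));
	racoon_free(src);
	racoon_free(dst);

	remph1(iph1);
	delph1(iph1);
}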
1500
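/*
 * Mark the IPsec-SA pair of iph2 as expired and schedule its deletion
 * one second later via isakmp_ph2delete_stub().
 */
void
isakmp_ph2expire(struct ph2handle *iph2)
{
	char *src, *dst;

	SCHED_KILL(iph2->sce);

	/*
	 * The first rcs_sa2str_wop() result is copied before the second
	 * call (presumably it reuses a static buffer — confirm).  Guard
	 * both copies so an allocation failure never hands NULL to %s.
	 */
	src = strdup(rcs_sa2str_wop(iph2->src));
	dst = strdup(rcs_sa2str_wop(iph2->dst));
	plog(PLOG_INFO, PLOGLOC, NULL, "phase2 sa expired %s-%s\n",
	    src != NULL ? src : "(unknown)",
	    dst != NULL ? dst : "(unknown)");
	racoon_free(src);
	racoon_free(dst);

	iph2->status = PHASE2ST_EXPIRED;

	iph2->sce = sched_new(1, isakmp_ph2delete_stub, iph2);
}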
1520
/* called from scheduler */
/* Scheduler trampoline for the deferred phase 2 deletion. */
void
isakmp_ph2delete_stub(void *p)
{
	struct ph2handle *iph2 = p;

	isakmp_ph2delete(iph2);
}
1528
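/*
 * Delete the phase 2 handle iph2: log it, unbind it from its phase 1,
 * remove it from the status table and free it.
 */
void
isakmp_ph2delete(struct ph2handle *iph2)
{
	char *src, *dst;

	SCHED_KILL(iph2->sce);

	/*
	 * The first rcs_sa2str_wop() result is copied before the second
	 * call (presumably it reuses a static buffer — confirm).  Guard
	 * both copies so an allocation failure never hands NULL to %s.
	 */
	src = strdup(rcs_sa2str_wop(iph2->src));
	dst = strdup(rcs_sa2str_wop(iph2->dst));
	plog(PLOG_INFO, PLOGLOC, NULL, "phase2 sa deleted %s-%s\n",
	    src != NULL ? src : "(unknown)",
	    dst != NULL ? dst : "(unknown)");
	racoon_free(src);
	racoon_free(dst);

	unbindph12(iph2);
	remph2(iph2);
	delph2(iph2);
}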
1548
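#define IKEV1_DEFAULT_RETRY_CHECKPH1 30

/*
 * Kernel ACQUIRE handler for IKEv1: find (or start) the ISAKMP-SA for
 * the endpoints of iph2 and begin quick mode once it is established.
 *
 * rm_info: remote configuration used when a new phase 1 must be started.
 * iph2:    phase 2 handle built from the ACQUIRE.  Under NAT-T, zero
 *          ports in src/dst are wildcards and are filled in from the
 *          matching phase 1.
 * If phase 1 is absent or not yet established, a one-second poll via
 * isakmp_chkph1there_stub() is scheduled with IKEV1_DEFAULT_RETRY_CHECKPH1
 * retries.  If phase 1 cannot be initiated, iph2 is torn down with
 * isakmp_fail_initiate_ph2(), which also reports the failure to the kernel.
 */
void
ikev1_post_acquire(struct rcf_remote *rm_info, struct ph2handle *iph2)
{
	struct ph1handle *iph1;

#ifdef ENABLE_NATT
	if (!extract_port(iph2->src) && !extract_port(iph2->dst)) {
		iph1 = getph1byaddrwop(iph2->src, iph2->dst);
		if (iph1 != NULL) {
			set_port(iph2->src, extract_port(iph1->local));
			set_port(iph2->dst, extract_port(iph1->remote));
		}
	} else {
		iph1 = getph1byaddr(iph2->src, iph2->dst);
	}
#else
	iph1 = getph1byaddr(iph2->src, iph2->dst);
#endif

	if (iph1 == NULL) {
		if (isakmp_ph1begin_i(rm_info, iph2->dst, iph2->src) < 0) {
			plog(PLOG_INTERR, PLOGLOC, 0,
			    "failed to initiate phase 1 negotiation for %s\n",
			    rcs_sa2str_wop(iph2->dst));
			isakmp_fail_initiate_ph2(iph2);
			return;
		}
		iph2->retry_checkph1 = IKEV1_DEFAULT_RETRY_CHECKPH1;
		/*
		 * NOTE(review): the scheduler handle is not stored in iph2
		 * (unlike iph2->scr for resends) — confirm the poll is
		 * cancelled if iph2 is deleted before it fires.
		 */
		sched_new(1, isakmp_chkph1there_stub, iph2);
		plog(PLOG_INFO, PLOGLOC, 0,
		    "IPsec-SA request for %s queued "
		    "since no phase1 found\n",
		    rcs_sa2str_wop(iph2->dst));
		return;
	}

	if (iph1->status != PHASE1ST_ESTABLISHED) {
		iph2->retry_checkph1 = IKEV1_DEFAULT_RETRY_CHECKPH1;
		sched_new(1, isakmp_chkph1there_stub, iph2);
		plog(PLOG_INFO, PLOGLOC, 0,
		    "request for establishing IPsec-SA was queued "
		    "since phase1 is not mature\n");
		return;
	}

	/* iph1->status == PHASE1ST_ESTABLISHED */
	TRACE((PLOGLOC, "begin QUICK mode\n"));
	isakmp_ph2begin_i(iph1, iph2);
}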
1600
/* called by scheduler */
/* Scheduler trampoline for the "is phase 1 there yet" poll. */
void
isakmp_chkph1there_stub(void *p)
{
	struct ph2handle *iph2 = p;

	isakmp_chkph1there(iph2);
}
1607
/*
 * Abandon a phase 2 that could not be initiated: report the failure to
 * the kernel as an error ACQUIRE, then unbind the handle from its phase 1,
 * drop it from the status table and free it.
 */
static void
isakmp_fail_initiate_ph2(struct ph2handle *iph2)
{
	pk_sendeacquire(iph2);	/* kernel first, while iph2 is still intact */

	unbindph12(iph2);
	remph2(iph2);
	delph2(iph2);
}
1619
/*
 * Scheduler poll (via isakmp_chkph1there_stub) that waits for the phase 1
 * SA needed by iph2 to become established, then starts quick mode.
 *
 * iph2->retry_checkph1 is decremented on every call; once it goes negative
 * the phase 2 is abandoned with isakmp_fail_initiate_ph2().  Otherwise the
 * phase 1 lookup of ikev1_post_acquire() is repeated (with the same NAT-T
 * wildcard-port handling) and, if no established SA is found yet, another
 * one-second poll is scheduled.
 */
void
isakmp_chkph1there(struct ph2handle *iph2)
{
	struct ph1handle *iph1 = NULL;

	if (--iph2->retry_checkph1 < 0) {
		plog(PLOG_INTERR, PLOGLOC, 0,
		    "phase2 negotiation failed "
		    "due to time up waiting for phase1. %s\n",
		    sadbsecas2str(iph2->dst, iph2->src,
		    iph2->satype, 0, 0));
		plog(PLOG_INFO, PLOGLOC, 0,
		    "delete phase 2 handler.\n");
		isakmp_fail_initiate_ph2(iph2);
		return;
	}

	/*
	 * Search isakmp status table by address and port
	 * If NAT-T is in use, consider null ports as a
	 * wildcard and use IKE ports instead.
	 */
#ifdef ENABLE_NATT
	if (extract_port(iph2->src) || extract_port(iph2->dst)) {
		iph1 = getph1byaddr(iph2->src, iph2->dst);
	} else {
		iph1 = getph1byaddrwop(iph2->src, iph2->dst);
		if (iph1 != NULL) {
			set_port(iph2->src, extract_port(iph1->local));
			set_port(iph2->dst, extract_port(iph1->remote));
		}
	}
#else
	iph1 = getph1byaddr(iph2->src, iph2->dst);
#endif

	/* XXX Even if ph1 as responder is there, should we not start
	 * phase 2 negotiation ? */
	if (iph1 == NULL || iph1->status != PHASE1ST_ESTABLISHED) {
		/* no isakmp-sa found (yet): poll again */
		sched_new(1, isakmp_chkph1there_stub, iph2);
		return;
	}

	/* found isakmp-sa: begin quick mode */
	isakmp_ph2begin_i(iph1, iph2);
}
1671
1672 /*
1673 * Payload attribute handling
1674 */
/* copy variable data into ALLOCATED buffer. */
/*
 * Write a TLV (type/length/value) attribute at buf: a struct isakmp_data
 * header with the TLV bit set in type and len in lorv, followed by len
 * bytes of val.  buf must already have room for sizeof(*data) + len.
 * Returns the position just past the attribute.
 */
caddr_t
isakmp_set_attr_v(caddr_t buf, int type, caddr_t val, int len)
{
	struct isakmp_data *data = (struct isakmp_data *)buf;
	caddr_t value = (caddr_t)(data + 1);

	put_uint16(&data->type, type | ISAKMP_GEN_TLV);
	put_uint16(&data->lorv, len);
	memcpy(value, val, len);

	return value + len;
}
1688
/* copy fixed length data into ALLOCATED buffer. */
/*
 * Write a TV (type/value) attribute at buf: a struct isakmp_data header
 * with the TV bit set in type and the 16-bit value in lorv.  buf must
 * already have room for sizeof(*data).  Returns the position just past
 * the attribute.
 */
caddr_t
isakmp_set_attr_l(caddr_t buf, int type, uint32_t val)
{
	struct isakmp_data *data = (struct isakmp_data *)buf;

	put_uint16(&data->type, type | ISAKMP_GEN_TV);
	put_uint16(&data->lorv, val);	/* only the low 16 bits are stored */

	return (caddr_t)(data + 1);
}
1701
/* add a variable data attribute to the buffer by reallocating it. */
/*
 * Append a TLV attribute (see isakmp_set_attr_v) to buf0, growing it with
 * rc_vrealloc(), or allocate a new buffer when buf0 is NULL.
 * Returns the (possibly moved) buffer, or NULL when allocation fails.
 *
 * NOTE(review): whether rc_vrealloc() releases buf0 on failure is not
 * visible here — confirm before relying on buf0 after a NULL return.
 */
rc_vchar_t *
isakmp_add_attr_v(rc_vchar_t *buf0, int type, caddr_t val, int len)
{
	rc_vchar_t *buf;
	struct isakmp_data *data;
	int oldlen = buf0 != NULL ? buf0->l : 0;
	int tlen = sizeof(*data) + len;

	buf = buf0 != NULL ? rc_vrealloc(buf0, oldlen + tlen) : rc_vmalloc(tlen);
	if (buf == NULL) {
		plog(PLOG_INTERR, PLOGLOC, NULL,
		    "failed to get a attribute buffer.\n");
		return NULL;
	}

	/* the new attribute starts where the old contents ended */
	data = (struct isakmp_data *)(buf->v + oldlen);
	put_uint16(&data->type, type | ISAKMP_GEN_TLV);
	put_uint16(&data->lorv, len);
	memcpy(data + 1, val, len);

	return buf;
}
1731
/* add a fixed data attribute to the buffer by reallocating it. */
/*
 * Append a TV attribute (see isakmp_set_attr_l) to buf0, growing it with
 * rc_vrealloc(), or allocate a new buffer when buf0 is NULL.
 * Returns the (possibly moved) buffer, or NULL when allocation fails.
 *
 * NOTE(review): whether rc_vrealloc() releases buf0 on failure is not
 * visible here — confirm before relying on buf0 after a NULL return.
 */
rc_vchar_t *
isakmp_add_attr_l(rc_vchar_t *buf0, int type, uint32_t val)
{
	rc_vchar_t *buf;
	struct isakmp_data *data;
	int oldlen = buf0 != NULL ? buf0->l : 0;
	int tlen = sizeof(*data);

	buf = buf0 != NULL ? rc_vrealloc(buf0, oldlen + tlen) : rc_vmalloc(tlen);
	if (buf == NULL) {
		plog(PLOG_INTERR, PLOGLOC, NULL,
		    "failed to get a attribute buffer.\n");
		return NULL;
	}

	/* the new attribute starts where the old contents ended */
	data = (struct isakmp_data *)(buf->v + oldlen);
	put_uint16(&data->type, type | ISAKMP_GEN_TV);
	put_uint16(&data->lorv, val);	/* only the low 16 bits are stored */

	return buf;
}
1760
/*
 * set values into allocated buffer of isakmp header.
 *
 * Fill the ISAKMP header at the start of vbuf from the phase 1 cookies
 * and version plus the supplied next-payload type, exchange type, flags
 * and message id.  The length field is set to the whole buffer length
 * vbuf->l, so vbuf must already be sized for the complete message.
 * msgid is stored as passed (no byte-order conversion here).
 * Returns a pointer just past the header, or NULL if vbuf is too short
 * to hold one.
 */
static caddr_t
set_isakmp_header(rc_vchar_t *vbuf, struct ph1handle *iph1,
    int nptype, uint8_t etype, uint8_t flags, uint32_t msgid)
{
	struct isakmp *hdr = (struct isakmp *)vbuf->v;

	if (vbuf->l < sizeof(*hdr))
		return NULL;

	memcpy(&hdr->i_ck, &iph1->index.i_ck, sizeof(isakmp_cookie_t));
	memcpy(&hdr->r_ck, &iph1->index.r_ck, sizeof(isakmp_cookie_t));
	hdr->np = nptype;
	hdr->v = iph1->version;
	hdr->etype = etype;
	hdr->flags = flags;
	hdr->msgid = msgid;
	put_uint32(&hdr->len, vbuf->l);

	return (caddr_t)(hdr + 1);
}
1786
/*
 * set values into allocated buffer of isakmp header for phase 1.
 *
 * Exchange type, flags and message id all come from the phase 1 handle.
 * Returns what set_isakmp_header() returns (NULL if vbuf is too short).
 */
caddr_t
set_isakmp_header1(rc_vchar_t *vbuf, struct ph1handle *iph1, int nptype)
{
	uint8_t etype = iph1->etype;
	uint8_t flags = iph1->flags;
	uint32_t msgid = iph1->msgid;

	return set_isakmp_header(vbuf, iph1, nptype, etype, flags, msgid);
}
1795
/*
 * set values into allocated buffer of isakmp header for phase 2.
 *
 * The exchange type is always ISAKMP_ETYPE_QUICK; flags and message id
 * come from the phase 2 handle, cookies and version from its phase 1.
 * Returns what set_isakmp_header() returns (NULL if vbuf is too short).
 */
caddr_t
set_isakmp_header2(rc_vchar_t *vbuf, struct ph2handle *iph2, int nptype)
{
	struct ph1handle *iph1 = iph2->ph1;

	return set_isakmp_header(vbuf, iph1, nptype, ISAKMP_ETYPE_QUICK,
	    iph2->flags, iph2->msgid);
}
1804
#if 0
/*
 * Dead code, disabled with #if 0: older K&R-style variants of
 * set_isakmp_header1()/set_isakmp_header2(), superseded by the
 * set_isakmp_header() wrappers above.  Note that this variant of
 * set_isakmp_header1() is declared caddr_t but returns a
 * struct isakmp_construct, so it would not compile if re-enabled as is.
 */
/*
 * set values into allocated buffer of isakmp header for phase 1
 */
caddr_t
set_isakmp_header1(vbuf, iph1, nptype)
	rc_vchar_t *vbuf;
	struct ph1handle *iph1;
{
	struct isakmp *isakmp;
	struct isakmp_construct res;

	res.buff = NULL;
	res.np = NULL;

	if (vbuf->l < sizeof(*isakmp))
		return res;

	isakmp = (struct isakmp *)vbuf->v;
	memcpy(&isakmp->i_ck, &iph1->index.i_ck, sizeof(isakmp_cookie_t));
	memcpy(&isakmp->r_ck, &iph1->index.r_ck, sizeof(isakmp_cookie_t));
	isakmp->np = nptype;
	isakmp->v = iph1->version;
	isakmp->etype = iph1->etype;
	isakmp->flags = iph1->flags;
	isakmp->msgid = iph1->msgid;
	put_uint32(&isakmp->len, vbuf->l);

	res.np = &(isakmp->np);
	res.buff = vbuf->v + sizeof(*isakmp);

	return res;
}

/*
 * set values into allocated buffer of isakmp header for phase 2
 */
caddr_t
set_isakmp_header2(vbuf, iph2, nptype)
	rc_vchar_t *vbuf;
	struct ph2handle *iph2;
	int nptype;
{
	struct isakmp *isakmp;

	if (vbuf->l < sizeof(*isakmp))
		return NULL;

	isakmp = (struct isakmp *)vbuf->v;
	memcpy(&isakmp->i_ck, &iph2->ph1->index.i_ck, sizeof(isakmp_cookie_t));
	memcpy(&isakmp->r_ck, &iph2->ph1->index.r_ck, sizeof(isakmp_cookie_t));
	isakmp->np = nptype;
	isakmp->v = iph2->ph1->version;
	isakmp->etype = ISAKMP_ETYPE_QUICK;
	isakmp->flags = iph2->flags;
	memcpy(&isakmp->msgid, &iph2->msgid, sizeof(isakmp->msgid));
	put_uint32(&isakmp->len, vbuf->l);

	return vbuf->v + sizeof(*isakmp);
}
#endif
1866
/*
 * set values into allocated buffer of isakmp payload.
 *
 * Chained variant: link the new payload from the previous header's
 * next-payload field (*constr.np), write a generic header plus the
 * contents of src at constr.buff, and return an updated constructor
 * whose np points at the new header's next-payload byte (set to NONE
 * for now) and whose buff points just past the copied data.
 * The destination must already have room for sizeof(*gen) + src->l.
 */
struct isakmp_construct
set_isakmp_payload_c(struct isakmp_construct constr, rc_vchar_t *src, int nptype)
{
	struct isakmp_gen *gen = (struct isakmp_gen *)constr.buff;
	caddr_t body = (caddr_t)(gen + 1);

	plog(PLOG_DEBUG, PLOGLOC, NULL, "add payload of len %lu, next type %d\n",
	    (unsigned long)src->l, nptype);

	*constr.np = nptype;
	gen->np = ISAKMP_NPTYPE_NONE;
	put_uint16(&gen->len, sizeof(*gen) + src->l);
	memcpy(body, src->v, src->l);

	constr.np = &gen->np;
	constr.buff = body + src->l;

	return constr;
}
1892
/*
 * set values into allocated buffer of isakmp payload.
 *
 * Write a generic payload header (next-payload nptype, length covering
 * header and data) followed by the contents of src at buf, and return
 * the position just past the copied data.  buf must already have room
 * for sizeof(*gen) + src->l.
 */
caddr_t
set_isakmp_payload(caddr_t buf, rc_vchar_t *src, int nptype)
{
	struct isakmp_gen *gen = (struct isakmp_gen *)buf;
	caddr_t body = (caddr_t)(gen + 1);

	plog(PLOG_DEBUG, PLOGLOC, NULL, "add payload of len %lu, next type %d\n",
	    (unsigned long)src->l, nptype);

	gen->np = nptype;
	put_uint16(&gen->len, sizeof(*gen) + src->l);
	memcpy(body, src->v, src->l);

	return body + src->l;
}
1914
/*
 * conversion routine for use with dispatch tables
 *
 * Map a phase 1 exchange type to its row in the phase 1 dispatch table:
 * identity 1, aggressive 2, base 3; anything else selects row 0.
 */
static int
etypesw1(int etype)
{
	if (etype == ISAKMP_ETYPE_IDENT)
		return 1;
	if (etype == ISAKMP_ETYPE_AGG)
		return 2;
	if (etype == ISAKMP_ETYPE_BASE)
		return 3;
	return 0;
}
1932
/*
 * Map a phase 2 exchange type to its row in the phase 2 dispatch table:
 * quick mode selects row 1, anything else row 0.
 */
static int
etypesw2(int etype)
{
	return etype == ISAKMP_ETYPE_QUICK ? 1 : 0;
}
1943
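/*
 * Fill iph1->remote and iph1->local for a new phase 1.
 *
 * remote: the peer address.  If it carries no port (initiator, address
 *         from an ACQUIRE), the port from remote.conf is used and, failing
 *         that, isakmp_port; a port already present (responder, address
 *         from recvfrom(2)) is kept as is.
 * local:  hint for the local address, resolved with getlocaladdr(); a
 *         zero local port is replaced by isakmp_port.
 * Returns 0 on success.  On any failure the handle is released with
 * delph1() and -1 is returned, so the caller must not touch iph1 again.
 *
 * NOTE(review): rmconf->ikev1->peers_ipaddr->a.ipaddr is dereferenced
 * without a NULL check and is cast according to iph1->remote's family
 * rather than its own — confirm the configuration parser guarantees both.
 */
int
copy_ph1addresses(struct ph1handle *iph1, struct rcf_remote *rmconf,
    struct sockaddr *remote, struct sockaddr *local)
{
	uint16_t *port = NULL;

	/* address portion must be grabbed from real remote address "remote" */
	iph1->remote = rcs_sadup(remote);
	if (iph1->remote == NULL) {
		delph1(iph1);
		return -1;
	}

	/*
	 * if remote has no port # (in case of initiator - from ACQUIRE msg)
	 * - if remote.conf specifies port #, use that
	 * - if remote.conf does not, use isakmp_port
	 * if remote has port # (in case of responder - from recvfrom(2))
	 * respect content of "remote".
	 */
	switch (iph1->remote->sa_family) {
	case AF_INET:
		port = &((struct sockaddr_in *)iph1->remote)->sin_port;
		if (*port == 0)
			*port = ((struct sockaddr_in *)rmconf->ikev1->peers_ipaddr->a.ipaddr)->sin_port;
		break;
#ifdef INET6
	case AF_INET6:
		port = &((struct sockaddr_in6 *)iph1->remote)->sin6_port;
		if (*port == 0)
			*port = ((struct sockaddr_in6 *)rmconf->ikev1->peers_ipaddr->a.ipaddr)->sin6_port;
		break;
#endif
	default:
		plog(PLOG_PROTOERR, PLOGLOC, NULL,
		    "invalid family: %d\n", iph1->remote->sa_family);
		delph1(iph1);
		return -1;
	}
	/* neither "remote" nor remote.conf supplied a port */
	if (*port == 0)
		*port = htons(isakmp_port);

	iph1->local = getlocaladdr(iph1->remote, local, isakmp_port);
	if (iph1->local == NULL) {
		delph1(iph1);
		return -1;
	}

	switch (iph1->local->sa_family) {
	case AF_INET:
		port = &((struct sockaddr_in *)iph1->local)->sin_port;
		break;
#ifdef INET6
	case AF_INET6:
		port = &((struct sockaddr_in6 *)iph1->local)->sin6_port;
		break;
#endif
	default:
		/* the local family is what was rejected, so report that one */
		plog(PLOG_PROTOERR, PLOGLOC, NULL,
		    "invalid family: %d\n", iph1->local->sa_family);
		delph1(iph1);
		return -1;
	}
	if (*port == 0)
		*port = htons(isakmp_port);

	return 0;
}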
2018
/*
 * Phase 1 dispatch-table entry for (side, state) combinations that must
 * never receive a message: log the current state and fail.
 * msg is ignored; it is only present to match the table's signature.
 */
static int
nostate1(struct ph1handle *iph1, rc_vchar_t *msg)
{
	(void)msg;

	plog(PLOG_PROTOERR, PLOGLOC, 0, "wrong state %u.\n", iph1->status);
	return -1;
}
2026
/*
 * Phase 2 dispatch-table entry for (side, state) combinations that must
 * never receive a message: log the current state and fail.
 * msg is ignored; it is only present to match the table's signature.
 */
static int
nostate2(struct ph2handle *iph2, rc_vchar_t *msg)
{
	(void)msg;

	plog(PLOG_PROTOERR, PLOGLOC, 0, "wrong state %u.\n", iph2->status);
	return -1;
}
2034
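/*
 * Log the establishment of the ISAKMP-SA iph1 (local-remote and its
 * cookie pair as printed by isakmp_pindex()).
 */
void
log_ph1established(const struct ph1handle *iph1)
{
	char *src, *dst;

	/*
	 * The first rcs_sa2str() result is copied before the second call
	 * (presumably it reuses a static buffer — confirm).  Guard both
	 * copies so an allocation failure never hands NULL to %s.
	 */
	src = strdup(rcs_sa2str(iph1->local));
	dst = strdup(rcs_sa2str(iph1->remote));
	plog(PLOG_INFO, PLOGLOC, NULL,
	    "ISAKMP-SA established %s-%s spi:%s\n",
	    src != NULL ? src : "(unknown)",
	    dst != NULL ? dst : "(unknown)",
	    isakmp_pindex(&iph1->index, 0));
	racoon_free(src);
	racoon_free(dst);
}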
2050
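/*
 * calculate cookie and set.
 *
 * Generate an ISAKMP cookie into `place` (sizeof(isakmp_cookie_t) bytes)
 * as the leading bytes of SHA-1 over: remote address, remote port, local
 * address, local port, the current time and 16 fresh random bytes.  The
 * random secret is what keeps the value unpredictable to a peer that
 * knows the addresses.
 *
 * place:  destination for the cookie bytes.
 * remote: peer address; local: own address.  Both must share one family.
 * Returns 0 on success, -1 on family mismatch, unsupported family, or
 * allocation / randomness / digest failure.
 */
int
isakmp_newcookie(caddr_t place, struct sockaddr *remote, struct sockaddr *local)
{
	rc_vchar_t *buf = NULL, *buf2 = NULL;
	char *p;
	size_t blen;
	size_t alen;
	caddr_t sa1, sa2;
	time_t t;
	int error = -1;
	uint16_t rport, lport;
	const size_t secret_size = 16;

	if (remote->sa_family != local->sa_family) {
		plog(PLOG_PROTOERR, PLOGLOC, NULL,
		    "address family mismatch, remote:%d local:%d\n",
		    remote->sa_family, local->sa_family);
		goto end;
	}
	/* ports are read through the family's own sockaddr type */
	switch (remote->sa_family) {
	case AF_INET:
		alen = sizeof(struct in_addr);
		sa1 = (caddr_t)&((struct sockaddr_in *)remote)->sin_addr;
		sa2 = (caddr_t)&((struct sockaddr_in *)local)->sin_addr;
		rport = ((struct sockaddr_in *)remote)->sin_port;
		lport = ((struct sockaddr_in *)local)->sin_port;
		break;
#ifdef INET6
	case AF_INET6:
		alen = sizeof(struct in6_addr);
		sa1 = (caddr_t)&((struct sockaddr_in6 *)remote)->sin6_addr;
		sa2 = (caddr_t)&((struct sockaddr_in6 *)local)->sin6_addr;
		rport = ((struct sockaddr_in6 *)remote)->sin6_port;
		lport = ((struct sockaddr_in6 *)local)->sin6_port;
		break;
#endif
	default:
		plog(PLOG_PROTOERR, PLOGLOC, NULL,
		    "invalid family: %d\n", remote->sa_family);
		goto end;
	}
	blen = (alen + sizeof(uint16_t)) * 2
	    + sizeof(time_t) + secret_size;
	buf = rc_vmalloc(blen);
	if (buf == NULL) {
		plog(PLOG_INTERR, PLOGLOC, NULL, "failed to get a cookie.\n");
		goto end;
	}
	p = buf->v;

	/* remote address and port */
	memcpy(p, sa1, alen);
	p += alen;
	memcpy(p, &rport, sizeof(rport));
	p += sizeof(rport);

	/* local address and port */
	memcpy(p, sa2, alen);
	p += alen;
	memcpy(p, &lport, sizeof(lport));
	p += sizeof(lport);

	/* current time */
	t = time(NULL);
	memcpy(p, &t, sizeof(t));
	p += sizeof(t);

	/* random secret */
	buf2 = eay_set_random(secret_size);
	if (buf2 == NULL || buf2->l < secret_size) {
		plog(PLOG_INTERR, PLOGLOC, NULL, "failed to get a cookie.\n");
		goto end;
	}
	memcpy(p, buf2->v, secret_size);
	p += secret_size;
	rc_vfree(buf2);
	buf2 = NULL;

	/* digest; the result was previously used without a NULL check */
	buf2 = eay_sha1_one(buf);
	if (buf2 == NULL || buf2->l < sizeof(isakmp_cookie_t)) {
		plog(PLOG_INTERR, PLOGLOC, NULL, "failed to get a cookie.\n");
		goto end;
	}
	memcpy(place, buf2->v, sizeof(isakmp_cookie_t));

	/* the cookie travels in clear on the wire, so debug-logging it is fine */
	sa1 = val2str(place, sizeof(isakmp_cookie_t));
	plog(PLOG_DEBUG, PLOGLOC, NULL, "new cookie:\n%s\n",
	    sa1 != NULL ? sa1 : "(unknown)");
	racoon_free(sa1);

	error = 0;
end:
	if (buf != NULL)
		rc_vfree(buf);
	if (buf2 != NULL)
		rc_vfree(buf2);
	return error;
}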
2142
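/*
 * save partner's(payload) data into phhandle.
 *
 * Copy the body of the payload at gen (everything after the generic
 * header) into a freshly allocated buffer stored at *buf.
 * Returns 0 on success, -1 if *buf is already set (duplicate payload
 * type, which is ignored), if the peer-supplied length is shorter than
 * the generic header, or if allocation fails.
 */
int
isakmp_p2ph(rc_vchar_t **buf, struct isakmp_gen *gen)
{
	size_t len;

	/* XXX to be checked in each functions for logging. */
	if (*buf) {
		plog(PLOG_PROTOWARN, PLOGLOC, NULL,
		    "ignore this payload, same payload type exist.\n");
		return -1;
	}

	/*
	 * gen->len comes from the peer.  isakmp_parsewoh() rejects payloads
	 * shorter than the generic header, but not every caller necessarily
	 * goes through it, and without this guard the subtraction below
	 * would wrap to a huge allocation size.
	 */
	len = get_uint16(&gen->len);
	if (len < sizeof(*gen)) {
		plog(PLOG_PROTOERR, PLOGLOC, NULL,
		    "invalid length of payload\n");
		return -1;
	}

	*buf = rc_vmalloc(len - sizeof(*gen));
	if (*buf == NULL) {
		plog(PLOG_INTERR, PLOGLOC, NULL, "failed to get buffer.\n");
		return -1;
	}
	memcpy((*buf)->v, gen + 1, (*buf)->l);

	return 0;
}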
2165
#if 0
/*
 * Dead code, disabled with #if 0 and not referenced by the live code in
 * this file: validates the SPI size of a proposal per DOI protocol id.
 */
static int
check_spi_size(proto_id, size)
	int proto_id, size;
{
	switch (proto_id) {
	case IPSECDOI_PROTO_ISAKMP:
		if (size != 0) {
			/* WARNING */
			plog(PLOG_DEBUG, PLOGLOC, NULL,
			    "SPI size isn't zero, but IKE proposal.\n");
		}
		return 0;

	case IPSECDOI_PROTO_IPSEC_AH:
	case IPSECDOI_PROTO_IPSEC_ESP:
		if (size != 4) {
			plog(PLOG_PROTOERR, PLOGLOC, NULL,
			    "invalid SPI size=%d for IPSEC proposal.\n", size);
			return -1;
		}
		return 0;

	case IPSECDOI_PROTO_IPCOMP:
		if (size != 2 && size != 4) {
			plog(PLOG_INTERR, PLOGLOC, NULL,
			    "invalid SPI size=%d for IPCOMP proposal.\n",
			    size);
			return -1;
		}
		return 0;

	default:
		/* ??? */
		return -1;
	}
	/* NOT REACHED */
}
#endif
2205
2206
/*
 * parse ISAKMP payloads, without ISAKMP base header.
 *
 * Walk the chain of generic payload headers starting at gen and build an
 * array of struct isakmp_parse_t {type, len, ptr}, terminated by an entry
 * whose type is ISAKMP_NPTYPE_NONE.
 *
 * np0: next-payload type taken from the preceding header (only the low
 *      8 bits are used).
 * gen: first generic payload header.
 * len: number of bytes available from gen to the end of the message.
 * Returns the array in a freshly allocated rc_vchar_t owned by the
 * caller, or NULL on allocation failure or malformed input.
 *
 * Every length comes from the peer: each payload's len field is checked
 * to be at least sizeof(struct isakmp_gen) (so the walk always advances)
 * and at most the bytes remaining, before it is used to step gen.
 */
rc_vchar_t *
isakmp_parsewoh(int np0, struct isakmp_gen *gen, int len)
{
	unsigned char np = np0 & 0xff;
	int tlen, plen;
	rc_vchar_t *result;
	struct isakmp_parse_t *p, *ep;

	plog(PLOG_DEBUG, PLOGLOC, NULL, "begin.\n");

	/*
	 * 5 is a magic number, but any value larger than 2 should be fine
	 * as we do rc_vrealloc() in the following loop.
	 */
	result = rc_vmalloc(sizeof(struct isakmp_parse_t) * 5);
	if (result == NULL) {
		plog(PLOG_INTERR, PLOGLOC, 0,
		    "failed to get buffer.\n");
		return NULL;
	}
	p = (struct isakmp_parse_t *)result->v;
	/* ep is the last slot; it is reserved for the terminator entry */
	ep = (struct isakmp_parse_t *)(result->v + result->l - sizeof(*ep));

	tlen = len;

	/* parse through general headers */
	while (0 < tlen && np != ISAKMP_NPTYPE_NONE) {
		/* a complete generic header must be present before gen->len is read */
		if (tlen <= sizeof(struct isakmp_gen)) {
			/* don't send information, see isakmp_ident_r1() */
			plog(PLOG_PROTOERR, PLOGLOC, 0,
			    "invalid length of payload\n");
			rc_vfree(result);
			return NULL;
		}

		plog(PLOG_DEBUG, PLOGLOC, NULL,
		    "seen nptype=%u(%s)\n", np, s_isakmp_nptype(np));

		p->type = np;
		p->len = get_uint16(&gen->len);
		/* bound the peer-supplied length on both sides before using it */
		if (p->len < sizeof(struct isakmp_gen) || p->len > tlen) {
			plog(PLOG_DEBUG, PLOGLOC, NULL,
			    "invalid length of payload\n");
			rc_vfree(result);
			return NULL;
		}
		p->ptr = gen;
		p++;
		if (ep <= p) {
			/* grow geometrically; p is re-derived from its offset since v may move */
			int off;

			off = p - (struct isakmp_parse_t *)result->v;
			result = rc_vrealloc(result, result->l * 2);
			if (result == NULL) {
				/*
				 * NOTE(review): result is NULL here, so this
				 * rc_vfree() releases nothing; whether
				 * rc_vrealloc() frees the old buffer on
				 * failure is not visible in this file —
				 * confirm (otherwise it leaks).
				 */
				plog(PLOG_DEBUG, PLOGLOC, NULL,
				    "failed to realloc buffer.\n");
				rc_vfree(result);
				return NULL;
			}
			ep = (struct isakmp_parse_t *)
			    (result->v + result->l - sizeof(*ep));
			p = (struct isakmp_parse_t *)result->v;
			p += off;
		}

		np = gen->np;
		plen = get_uint16(&gen->len);
		gen = (struct isakmp_gen *)((caddr_t)gen + plen);
		tlen -= plen;
	}
	/* p < ep holds on loop exit, so the terminator always fits */
	p->type = ISAKMP_NPTYPE_NONE;
	p->len = 0;
	p->ptr = NULL;

	plog(PLOG_DEBUG, PLOGLOC, NULL, "succeed.\n");

	return result;
}
2288
2289
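/*
 * parse ISAKMP payloads, including ISAKMP base header.
 *
 * buf holds a raw datagram from the peer.  The base header is skipped and
 * the payload chain is handed to isakmp_parsewoh(); the result (an array
 * of struct isakmp_parse_t owned by the caller) or NULL on error is
 * returned.
 */
rc_vchar_t *
isakmp_parse(rc_vchar_t *buf)
{
	struct isakmp *isakmp;
	struct isakmp_gen *gen;
	int tlen;

	/*
	 * Without this check a packet shorter than the base header would
	 * be read out of bounds, and the size_t subtraction below would
	 * wrap before being narrowed to int.
	 */
	if (buf->l < sizeof(*isakmp)) {
		plog(PLOG_PROTOERR, PLOGLOC, 0,
		    "invalid length of isakmp header\n");
		return NULL;
	}

	isakmp = (struct isakmp *)buf->v;
	gen = (struct isakmp_gen *)(buf->v + sizeof(*isakmp));
	tlen = buf->l - sizeof(*isakmp);

	return isakmp_parsewoh(isakmp->np, gen, tlen);
}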
2309
2310
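/*
 * Send one ISAKMP message to the peer of iph1.
 *
 * iph1: phase 1 handle supplying the local/remote addresses and rmconf.
 * sbuf: the message to send; it is neither modified nor freed here.
 * Returns 0 on success, -1 on failure.
 *
 * With NAT-T port floating a four-byte zero "non-ESP marker" (RFC 3948)
 * is prepended so the receiver can tell IKE from UDP-encapsulated ESP on
 * the same port.  That needs a temporary copy, which every exit path
 * releases through the single cleanup label.  A message that will be
 * fragmented gets no marker here: each fragment carries its own.
 */
int
isakmp_send(struct ph1handle *iph1, rc_vchar_t *sbuf)
{
	int rc = -1;
	int s;
	rc_vchar_t *vbuf = NULL;

#ifdef ENABLE_NATT
	size_t extralen = NON_ESP_MARKER_USE(iph1) ? NON_ESP_MARKER_LEN : 0;

#ifdef ENABLE_FRAG
	/*
	 * Do not add the non ESP marker for a packet that will
	 * be fragmented. The non ESP marker should appear in
	 * all fragment's packets, but not in the fragmented packet
	 */
	if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN)
		extralen = 0;
#endif
	if (extralen) {
		plog(PLOG_DEBUG, PLOGLOC, NULL, "Adding NON-ESP marker\n");

		vbuf = rc_vmalloc(sbuf->l + extralen);
		if (vbuf == NULL) {
			plog(PLOG_INTERR, PLOGLOC, NULL,
			    "vbuf allocation failed\n");
			return -1;
		}
		/* memset instead of a uint32_t store: v need not be aligned */
		memset(vbuf->v, 0, extralen);
		memcpy(vbuf->v + extralen, sbuf->v, sbuf->l);
		sbuf = vbuf;
	}
#endif

	/* select the socket to be sent */
	s = getsockmyaddr(iph1->local);
	if (s == -1)
		goto out;

	plog(PLOG_DEBUG, PLOGLOC, NULL, "%zu bytes from %s to %s\n",
	    sbuf->l, rcs_sa2str(iph1->local), rcs_sa2str(iph1->remote));

#ifdef ENABLE_FRAG
	if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN) {
		if (isakmp_sendfrags(iph1, sbuf) == -1) {
			plog(PLOG_INTERR, PLOGLOC, NULL,
			    "isakmp_sendfrags failed\n");
			goto out;
		}
	} else
#endif
	{
		if (sendfromto(s, sbuf->v, sbuf->l,
		    iph1->local, iph1->remote,
		    ikev1_times_per_send(iph1->rmconf)) == -1) {
			plog(PLOG_INTERR, PLOGLOC, NULL, "sendfromto failed\n");
			goto out;
		}
	}

	rc = 0;
out:
	if (vbuf != NULL)
		rc_vfree(vbuf);
	return rc;
}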
2387
/*
 * Attach remote configuration conf to phase-1 handle iph1, releasing
 * whatever configuration the handle held before.  iph1 takes ownership
 * of conf; conf may be NULL to just drop the current one.
 */
void
ikev1_set_rmconf(struct ph1handle *iph1, struct rcf_remote *conf)
{
	struct rcf_remote *previous = iph1->rmconf;

	iph1->rmconf = conf;
	if (previous != NULL)
		rcf_free_remote(previous);
}
2396
/*
 * Whether the peer's certificate must be verified for conf.
 * Only an explicit RCT_BOOL_OFF disables verification; any other
 * setting (including "not set") keeps it on.
 */
int
ikev1_verify_cert(struct rcf_remote *conf)
{
	if (ikev1_verify_pubkey(conf) == RCT_BOOL_OFF)
		return 0;
	return 1;
}
2402
2403
/*
 * How certificates are obtained for conf.  Only the local-file method
 * is supported; conf is accepted for interface compatibility and ignored.
 */
int
ikev1_getcert_method(struct rcf_remote *conf)
{
	(void)conf;
	return ISAKMP_GETCERT_LOCALFILE;
}
2409
/*
 * Certificate type announced for conf: always X.509 signature
 * certificates (plain RSA keys are not selected here).
 * conf is unused.
 */
int
ikev1_certtype(struct rcf_remote *conf)
{
	const int type = ISAKMP_CERT_X509SIGN;

	(void)conf;
	return type;
}
2416
2417 /*remoteconf.c*/
/*
 * Look up the remote configuration for peer address remote.
 *
 * A remote block matching the address wins.  When there is none, the
 * default ("anonymous") remote block is deep-copied and returned, so an
 * unknown peer is still accepted under the default policy; the copy is
 * a fresh allocation that the caller ends up owning.  Returns NULL when
 * neither a specific nor a default configuration exists.
 */
struct rcf_remote *
getrmconf(struct sockaddr *remote)
{
	extern struct rcf_default *rcf_default_head;
	extern struct rcf_remote *rcf_deepcopy_remote(struct rcf_remote *);
	struct rcf_remote *found = ikev1_conf_find(remote);

	if (found != NULL)
		return found;

	/* no config for this address: fall back to the default block, if any */
	if (rcf_default_head == NULL || rcf_default_head->remote == NULL)
		return NULL;

	plog(PLOG_DEBUG, PLOGLOC, 0,
	     "anonymous configuration selected for %s.\n",
	     rcs_sa2str(remote));
	return rcf_deepcopy_remote(rcf_default_head->remote);
}
2437
2438
2439 /*isakmp.c*/
/*
 * Pick a fresh phase-2 message ID under iph1: draw random 32-bit values
 * until one is found that no existing phase-2 handle of iph1 uses.
 */
uint32_t
isakmp_newmsgid2(struct ph1handle *iph1)
{
	uint32_t candidate = eay_random_uint32();

	/* collision with a live phase-2 handle: draw again */
	while (getph2bymsgid(iph1, candidate))
		candidate = eay_random_uint32();

	return candidate;
}
2451
2452
2453 /**/
/*
 * DOI used for conf.  Fixed to IPSEC_DOI; the original author left a
 * "???" here, so whether this should ever depend on conf is open.
 * conf is unused.
 */
int
ikev1_doitype(struct rcf_remote *conf)
{
	(void)conf;
	return IPSEC_DOI;
}
2459
2460 /**/
/*
 * Situation type for conf: always identity-only.  conf is unused.
 */
int
ikev1_sittype(struct rcf_remote *conf)
{
	const int situation = IPSECDOI_SIT_IDENTITY_ONLY;

	(void)conf;
	return situation;
}
2466
2467
2468 /*??*/
/*
 * Length in bytes of the socket address a, as the platform's SA_LEN
 * macro determines it.
 */
size_t
sysdep_sa_len(struct sockaddr *a)
{
	size_t len = SA_LEN(a);

	return len;
}
2474
2475
/*
 * Whether weak phase-1 checking is enabled for conf.  Not configurable:
 * always reports 0 (off).  conf is unused.
 */
int
ikev1_weak_phase1_check(struct rcf_remote *conf)
{
	const int enabled = 0;

	(void)conf;
	return enabled;
}
2481
2482
2483 /*remoteconf.c*/
2484 /*%%%*/
/*
 * Allocate a zeroed ISAKMP SA proposal entry.
 *
 * Returns the new entry, or NULL when racoon_calloc() fails.  The
 * vendor id is set to VENDORID_UNKNOWN until the proposal is actually
 * configured; the list link, rmconf (and gssid with GSS-API) start out
 * NULL.
 */
struct isakmpsa *
newisakmpsa(void)
{
	struct isakmpsa *sa = racoon_calloc(1, sizeof(*sa));

	if (sa == NULL)
		return NULL;

	/* placeholder until the real vendor id is known */
	sa->vendorid = VENDORID_UNKNOWN;
	sa->next = NULL;
	sa->rmconf = NULL;
#ifdef HAVE_GSSAPI
	sa->gssid = NULL;
#endif
	return sa;
}
2508
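/*
 * Duplicate a single ISAKMP SA proposal entry (not the list it is on).
 *
 * Every field is copied, the copy is detached from sa's list, and the
 * DH group is re-created through oakley_setdhgroup() so the copy owns
 * its own dhgrp.  Returns NULL for a NULL sa or when allocation fails.
 */
struct isakmpsa *
dupisakmpsa(struct isakmpsa *sa)
{
	struct isakmpsa *res;

	if (sa == NULL)
		return NULL;

	res = newisakmpsa();
	if (res == NULL)
		return NULL;

	/* field-wise copy, then detach from the source list */
	*res = *sa;
	res->next = NULL;
#ifdef HAVE_GSSAPI
	/*
	 * XXX gssid: the copy still points at sa->gssid, so both entries
	 * share one buffer that delisakmpsa() releases for each of them.
	 */
#endif

	/*
	 * Clear the aliased dhgrp before asking for a fresh one.  Should
	 * oakley_setdhgroup() fail without writing its out-parameter, the
	 * copy must not keep sa's pointer, or delisakmpsa() on both lists
	 * would free the same group twice.  (Its return value is not
	 * checked here, as before; whether it leaves the out-parameter
	 * untouched on failure is not visible in this file.)
	 */
	res->dhgrp = NULL;
	if (sa->dhgrp != NULL)
		oakley_setdhgroup(sa->dh_group, &(res->dhgrp));

	return res;
}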
2535
2536 /*
2537 * insert into tail of list.
2538 */
/*
 * Append new (together with whatever already hangs off new->next) to the
 * tail of list.  Returns the list head: list itself, or new when list is
 * empty.
 */
struct isakmpsa *
insisakmpsa(struct isakmpsa *new, struct isakmpsa *list)
{
	struct isakmpsa **tail;

	if (list == NULL)
		return new;

	/* walk the link pointers to the one that is still NULL */
	for (tail = &list->next; *tail != NULL; tail = &(*tail)->next)
		;
	*tail = new;

	return list;
}
2553
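/*
 * Release an entire ISAKMP SA proposal list starting at sa, including
 * each entry's DH group and (with GSS-API) its gssid buffer.
 *
 * Walks the list iteratively rather than recursing once per entry, so
 * stack depth no longer grows with the list length, and tolerates a
 * NULL sa (a no-op).
 */
void
delisakmpsa(struct isakmpsa *sa)
{
	struct isakmpsa *next;

	while (sa != NULL) {
		next = sa->next;	/* read before the node is freed */
		if (sa->dhgrp)
			oakley_dhgrp_free(sa->dhgrp);
#ifdef HAVE_GSSAPI
		if (sa->gssid)
			rc_vfree(sa->gssid);
#endif
		racoon_free(sa);
		sa = next;
	}
}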
2567
2568
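/*
 * Expand the phase-1 algorithm configuration of rmconf into an ISAKMP
 * proposal list: one entry per (auth method, DH group, encryption,
 * hash) combination, all under proposal number 1 with transform
 * numbers counting up in that nesting order.
 *
 * Returns the list head (NULL when the configuration yields no
 * combination), or NULL after logging when an entry cannot be created;
 * in that case the entries built so far are released instead of leaked.
 */
struct isakmpsa *
ikev1_conf_to_isakmpsa(struct rcf_remote *rmconf)
{
	const int prop_no = 1;
	int trns_no = 1;
	struct rc_alglist *auth, *dh, *enc, *hash;
	struct isakmpsa *sa;
	struct isakmpsa *result = 0;

	for (auth = ikev1_kmp_auth_method(rmconf); auth; auth = auth->next) {
	for (dh = ikev1_kmp_dh_group(rmconf); dh; dh = dh->next) {
	for (enc = ikev1_kmp_enc_alg(rmconf); enc; enc = enc->next) {
	for (hash = ikev1_kmp_hash_alg(rmconf); hash; hash = hash->next) {
		sa = create_isakmpsa(prop_no, trns_no, auth, dh, enc, hash,
				     rmconf, ikev1_my_gssapi_id(rmconf));
		++trns_no;
		if (!sa) {
			plog(PLOG_INTERR, PLOGLOC, 0,
			     "failed to create isakmp proposal\n");
			/* do not leak the partial list on the error path */
			if (result != NULL)
				delisakmpsa(result);
			return NULL;
		}
		/* O(n) tail append; the list is a small config product */
		result = insisakmpsa(sa, result);
	}
	}
	}
	}

	return result;
}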
2604
2605
/*
 * Effective key length in bits for encryption algorithm algtype.
 * The AES-CBC variants carry their key size in the algorithm identity,
 * so the configured keylen is overridden for them; every other
 * algorithm uses keylen as given.
 */
static int
enc_keylen(rc_type algtype, int keylen)
{
	if (algtype == RCT_ALG_AES128_CBC)
		return 128;
	if (algtype == RCT_ALG_AES192_CBC)
		return 192;
	if (algtype == RCT_ALG_AES256_CBC)
		return 256;
	return keylen;
}
2620
2621
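/*
 * Build one ISAKMP proposal entry from the chosen auth/dh/enc/hash
 * algorithms and the lifetimes configured in rmconf.
 *
 * prop_no/trns_no are the proposal and transform numbers to stamp on
 * the entry.  gssid is only consulted with GSS-API when the auth method
 * is GSSAPI_KRB: a non-NULL gssid is copied into the entry and the
 * passed buffer released, otherwise the default GSS id is used.
 * Returns the entry, or 0 after logging when allocation fails.
 */
static struct isakmpsa *
create_isakmpsa(int prop_no, int trns_no,
		struct rc_alglist *auth,
		struct rc_alglist *dh,
		struct rc_alglist *enc,
		struct rc_alglist *hash,
		struct rcf_remote *rmconf, rc_vchar_t *gssid)
{
	struct isakmpsa *new;

	new = newisakmpsa();
	if (new == NULL) {
		plog(PLOG_INTERR, PLOGLOC, 0,
		     "failed allocating memory for isakmp proposal\n");
		return 0;
	}
	new->prop_no = prop_no;
	new->trns_no = trns_no;
	new->lifetime = ikev1_kmp_sa_lifetime_time(rmconf);
	new->lifebyte = ikev1_kmp_sa_lifetime_byte(rmconf);
	/* byte lifetime is carried in kilobytes, rounded up */
	new->lifebyte = (new->lifebyte + 1023) >> 10;
	new->enctype = alg_oakley_encdef_doi(enc->algtype);
	new->encklen = enc_keylen(enc->algtype, enc->keylen);
	new->authmethod = alg_oakley_authdef_doi(auth->algtype);
	new->hashtype = alg_oakley_hashdef_doi(hash->algtype);
	new->dh_group = alg_oakley_dhdef_doi(dh->algtype);
	new->vendorid = VENDORID_UNKNOWN; /*vendorid;*/
	new->rmconf = rmconf;
#ifdef HAVE_GSSAPI
	if (new->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) {
		if (gssid != NULL) {
			/*
			 * gssid is an rc_vchar_t, not a C string: size and
			 * copy by its recorded length.  The previous code
			 * ran strlen() on the struct pointer and copied from
			 * the struct itself, and never checked the allocation.
			 */
			new->gssid = rc_vmalloc(gssid->l);
			if (new->gssid == NULL) {
				plog(PLOG_INTERR, PLOGLOC, 0,
				     "failed allocating memory for gss id\n");
				racoon_free(new);
				return 0;
			}
			memcpy(new->gssid->v, gssid->v, gssid->l);
			/*
			 * Release the caller's buffer with the rc_vchar_t
			 * deallocator (it used to go through racoon_free(),
			 * which leaks the ->v part).  NOTE(review): this
			 * assumes ikev1_my_gssapi_id() hands over ownership
			 * of the buffer — confirm.
			 */
			rc_vfree(gssid);
		} else {
			/*
			 * Allocate the default ID so that it gets put
			 * into a GSS ID attribute during the Phase 1
			 * exchange.
			 */
			new->gssid = gssapi_get_default_gss_id();
		}
	}
#endif

	return new;
}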
2669
2670 /*policy.c */
/*
 * Delete the SP pair for p in both directions.  Not implemented in this
 * port: only logs an internal error, p is untouched.
 */
void
delsp_bothdir(struct policyindex *p)
{
	(void)p;
	plog(PLOG_INTERR, PLOGLOC, 0, "unimplemented\n");
}
2676
2677
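/*
 * Socket descriptor bound to local address addr, via isakmp_find_socket()
 * from the socket code.  Passes its result through unchanged; callers in
 * this file treat -1 as "no socket".
 */
int
getsockmyaddr(struct sockaddr *addr)
{
	/*
	 * Declared with the argument type actually passed, instead of an
	 * empty (unprototyped) parameter list that disables type checking.
	 */
	extern int isakmp_find_socket(struct sockaddr *);

	return isakmp_find_socket(addr);
}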
2685
2686
/*
 * CA certificate type for conf: always X.509 signature certificates.
 * conf is unused.
 */
int
ikev1_cacerttype(struct rcf_remote *conf)
{
	(void)conf;
	return ISAKMP_CERT_X509SIGN;
}
2692
2693
/*
 * Whether phase-2 identification type is one this implementation can
 * match against a selector: single IPv4/IPv6 addresses and subnets.
 * Address ranges (and anything else) are rejected.
 */
static int
check_ph2_id_type(int type)
{
	int supported = (type == IPSECDOI_ID_IPV4_ADDR
			 || type == IPSECDOI_ID_IPV4_ADDR_SUBNET
			 || type == IPSECDOI_ID_IPV6_ADDR
			 || type == IPSECDOI_ID_IPV6_ADDR_SUBNET);

	return supported ? TRUE : FALSE;
}
2710
2711
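/*
 * Whether the phase-2 identification payload id matches the first entry
 * of address list addr under upper_layer_protocol.
 *
 * Only addr itself (the head of the list) is compared, and only the
 * address part of the ID: the prefix length ipsecdoi_id2sockaddr()
 * reports is discarded, so a subnet ID is matched on its address alone.
 * A RC_PROTO_ANY selector protocol is treated as IPSEC_ULPROTO_ANY for
 * the comparison with the ID's protocol.  Returns TRUE/FALSE.
 */
static int
id_is_matching(struct rc_addrlist *addr, int upper_layer_protocol,
	       rc_vchar_t *id)
{
	int error;
	uint8_t plen;
	uint16_t ulproto;
	struct ipsecdoi_id_b *idb;
	struct sockaddr_storage ss;

	/*
	 * An empty address list cannot match, and the ID (peer-supplied)
	 * must at least hold its fixed header before ->type is read.
	 */
	if (addr == NULL || id == NULL || id->l < sizeof(*idb))
		return FALSE;

	idb = (struct ipsecdoi_id_b *)id->v;
	switch (idb->type) {
	case IPSECDOI_ID_IPV4_ADDR:
	case IPSECDOI_ID_IPV4_ADDR_SUBNET:
	case IPSECDOI_ID_IPV6_ADDR:
	case IPSECDOI_ID_IPV6_ADDR_SUBNET:
		if (addr->type != RCT_ADDR_INET)
			return FALSE;

		/* get a source address of inbound SA */
		error = ipsecdoi_id2sockaddr(id,
					     (struct sockaddr *)&ss,
					     &plen,
					     &ulproto);
		if (error)
			return FALSE;

#ifdef INET6
		/* scope? */
#endif
		break;

	default:
		return FALSE;
	}

	if (rcs_cmpsa(addr->a.ipaddr, (struct sockaddr *)&ss) != 0)
		return FALSE;

	if (upper_layer_protocol == RC_PROTO_ANY)
		upper_layer_protocol = IPSEC_ULPROTO_ANY;

	if (upper_layer_protocol != ulproto)
		return FALSE;

	return TRUE;
}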
2759
2760
/*
 * Release every selector on the list starting at s (s may be NULL).
 */
static void
free_selectorlist(struct rcf_selector *s)
{
	while (s != NULL) {
		struct rcf_selector *following = s->next;	/* saved before free */

		rcf_free_selector(s);
		s = following;
	}
}
2771
2772
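/*
 * Find the outbound selector whose src/dst addresses match the phase-2
 * IDs id_local / id_remote received from the peer.
 *
 * Only address and subnet ID types are accepted (check_ph2_id_type());
 * other types are logged as protocol errors.  The selector list from
 * rcf_get_selectorlist() is owned here: each selector is released as
 * the loop moves past it, and on a match the remaining tail is released
 * before the matching selector is returned, which the caller then owns.
 * Returns 0 when nothing matches or on any error.
 */
struct rcf_selector *
ike_conf_find_ikev1sel_by_id(rc_vchar_t *id_local, rc_vchar_t *id_remote)
{
	int upper_layer_protocol;
	int err;
	struct ipsecdoi_id_b *id_l;
	struct ipsecdoi_id_b *id_r;
	struct rcf_selector *s;
	struct rcf_selector *s_next;
	struct rc_addrlist *srclist;
	struct rc_addrlist *dstlist;

	/*
	 * Both IDs are peer-supplied: the fixed ID header must be present
	 * before ->type is read through the struct pointer.
	 */
	if (id_local == NULL || id_local->l < sizeof(*id_l)
	    || id_remote == NULL || id_remote->l < sizeof(*id_r)) {
		isakmp_log(0, 0, 0, 0,
			   PLOG_PROTOERR, PLOGLOC,
			   "received phase-2 ID payload is too short\n");
		return 0;
	}

	id_l = (struct ipsecdoi_id_b *)id_local->v;
	id_r = (struct ipsecdoi_id_b *)id_remote->v;

	if (!check_ph2_id_type(id_l->type)) {
		isakmp_log(0, 0, 0, 0,
			   PLOG_PROTOERR, PLOGLOC,
			   "received ID for localside (type %s) is not supported ID type\n",
			   s_ipsecdoi_ident(id_l->type));
		return 0;
	}
	if (!check_ph2_id_type(id_r->type)) {
		isakmp_log(0, 0, 0, 0,
			   PLOG_PROTOERR, PLOGLOC,
			   "received ID for remoteside (type %s) is not supported ID type\n",
			   s_ipsecdoi_ident(id_r->type));
		return 0;
	}

	if (rcf_get_selectorlist(&s)) {
		TRACE((PLOGLOC, "rcf_get_selectorlist() failed\n"));
		return 0;
	}

	/* the increment expression frees the selector just examined */
	for (; s; s_next = s->next, rcf_free_selector(s), s = s_next) {
		if (s->direction != RCT_DIR_OUTBOUND)
			continue;
		srclist = dstlist = 0;
		err = rcs_extend_addrlist(s->src, &srclist);
		if (err != 0) {
			isakmp_log(0, 0, 0, 0,
				   PLOG_INTWARN, PLOGLOC,
				   "expanding src address of selector %s: %s\n",
				   rc_vmem2str(s->sl_index), gai_strerror(err));
			goto next_selector;
		}
		err = rcs_extend_addrlist(s->dst, &dstlist);
		if (err != 0) {
			isakmp_log(0, 0, 0, 0,
				   PLOG_INTWARN, PLOGLOC,
				   "expanding dst address of selector %s: %s\n",
				   rc_vmem2str(s->sl_index), gai_strerror(err));
			goto next_selector;
		}

		/*
		 * Only the first expanded src/dst address is compared
		 * (an earlier, disabled loop over all of them noted that
		 * spmd uses only the first).  An empty expansion cannot
		 * match and must not be dereferenced.
		 */
		upper_layer_protocol = s->upper_layer_protocol;
		if (srclist != NULL && dstlist != NULL
		    && id_is_matching(srclist, upper_layer_protocol, id_local)
		    && id_is_matching(dstlist, upper_layer_protocol, id_remote)) {
			rcs_free_addrlist(srclist);
			rcs_free_addrlist(dstlist);
			free_selectorlist(s->next);
			return s;
		}

	next_selector:
		if (srclist)
			rcs_free_addrlist(srclist);
		if (dstlist)
			rcs_free_addrlist(dstlist);
	}

	return 0;
}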
2869
2870
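/*
 * Append a payload to a doubly-linked payload list.
 *
 * plist is the current tail (NULL starts a new list); the new node is
 * linked after it and returned as the new tail, so callers chain
 * `plist = isakmp_plist_append(plist, ...)`.  payload is referenced, not
 * copied.  Returns NULL when allocation fails, leaving plist unchanged —
 * a caller that assigns the result straight back loses its handle on
 * the list in that case, so the result has to be checked.
 */
struct payload_list *
isakmp_plist_append(struct payload_list *plist, rc_vchar_t *payload, int payload_type)
{
	struct payload_list *node = racoon_malloc(sizeof(*node));

	/* the previous code dereferenced the result without checking it */
	if (node == NULL) {
		plog(PLOG_INTERR, PLOGLOC, NULL,
		     "failed to allocate payload list entry\n");
		return NULL;
	}

	node->prev = plist;	/* NULL for the first entry */
	node->next = NULL;
	node->payload = payload;
	node->payload_type = payload_type;

	if (plist != NULL)
		plist->next = node;

	return node;
}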
2890
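/*
 * Serialise the payload list *plist (any node of it) into one ISAKMP
 * message for iph1: base header, then every payload with its generic
 * header, each chained to the next one's type and the last to
 * ISAKMP_NPTYPE_NONE.
 *
 * On success the list nodes are freed, *plist is set to NULL and the
 * message buffer is returned (caller owns it).  On failure NULL is
 * returned and the list is left intact — the caller still owns the
 * nodes.  The payload buffers referenced by the nodes are never freed
 * here.
 */
rc_vchar_t *
isakmp_plist_set_all(struct payload_list **plist, struct ph1handle *iph1)
{
	struct payload_list *ptr, *first, *next;
	size_t tlen = sizeof(struct isakmp);
	rc_vchar_t *buf;
	char *p;

	if (plist == NULL) {
		plog(PLOG_INTERR, PLOGLOC, NULL,
		     "in isakmp_plist_set_all: plist == NULL\n");
		return NULL;
	}
	if (*plist == NULL) {
		plog(PLOG_INTERR, PLOGLOC, NULL,
		     "in isakmp_plist_set_all: empty payload list\n");
		return NULL;
	}

	/* Seek to the first item. */
	for (ptr = *plist; ptr->prev; ptr = ptr->prev)
		;
	first = ptr;

	/* Compute the whole length. */
	for (; ptr; ptr = ptr->next)
		tlen += ptr->payload->l + sizeof(struct isakmp_gen);

	buf = rc_vmalloc(tlen);
	if (buf == NULL) {
		plog(PLOG_INTERR, PLOGLOC, NULL,
		     "failed to get buffer to send.\n");
		return NULL;
	}

	p = set_isakmp_header1(buf, iph1, first->payload_type);
	if (p == NULL) {
		rc_vfree(buf);	/* this path used to leak buf */
		return NULL;
	}

	/* write each payload, freeing its node as we go */
	for (ptr = first; ptr; ptr = next) {
		p = set_isakmp_payload(p, ptr->payload,
				       ptr->next ? ptr->next->payload_type
						 : ISAKMP_NPTYPE_NONE);
		next = ptr->next;
		racoon_free(ptr);
	}

	*plist = NULL;

	return buf;
}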
2946
2947
/*
 * Last IPsec library error as text.  This port keeps no error state,
 * so the result is always the empty string.
 */
const char *
ipsec_strerror(void)
{
	static const char no_error[] = "";

	return no_error;
}
2953
/*
 * Remove the SPD entries belonging to phase-2 handle ph2.  Not
 * implemented in this port: only logs a warning, ph2 is untouched.
 */
void
delete_spd(struct ph2handle *ph2)
{
	(void)ph2;
	plog(PLOG_INTWARN, PLOGLOC, 0, "unimplemented\n");
}