Current snapshot of OpenSolaris port.
Checkpoint
Checkpoint
Merge from parent.
Merge with WIDE update.
Pull from WIDE.
Pull from WIDE.
Checkpoint
Re-update.
blah
WIDE update
Update from WIDE.
--- old/iked/ikev1/ikev1.c
+++ new/iked/ikev1/ikev1.c
1 1 /* $Id: ikev1.c,v 1.34 2008/07/07 09:36:08 fukumoto Exp $ */
2 2
3 3 /*
4 4 * Copyright (C) 2004 WIDE Project.
5 5 * All rights reserved.
6 6 *
7 7 * Redistribution and use in source and binary forms, with or without
8 8 * modification, are permitted provided that the following conditions
9 9 * are met:
10 10 * 1. Redistributions of source code must retain the above copyright
11 11 * notice, this list of conditions and the following disclaimer.
12 12 * 2. Redistributions in binary form must reproduce the above copyright
13 13 * notice, this list of conditions and the following disclaimer in the
14 14 * documentation and/or other materials provided with the distribution.
15 15 * 3. Neither the name of the project nor the names of its contributors
16 16 * may be used to endorse or promote products derived from this software
17 17 * without specific prior written permission.
18 18 *
19 19 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
20 20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 22 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
23 23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 29 * SUCH DAMAGE.
30 30 */
31 31
32 32 #include <config.h>
33 33
34 34 #include <assert.h>
35 35 #include <string.h>
36 36 #include <sys/types.h>
37 37 #if TIME_WITH_SYS_TIME
38 38 # include <sys/time.h>
39 39 # include <time.h>
40 40 #else
41 41 # if HAVE_SYS_TIME_H
42 42 # include <sys/time.h>
43 43 # else
44 44 # include <time.h>
45 45 # endif
46 46 #endif
47 47 #include <sys/socket.h>
48 48 #include <sys/errno.h>
49 49
50 50 #include <netinet/in.h>
51 51 #include <netdb.h>
52 52
53 53 #ifdef HAVE_NETINET6_IPSEC_H
54 54 # include <netinet6/ipsec.h>
55 55 #else
56 56 # ifdef HAVE_NETIPSEC_IPSEC_H
57 57 # include <netipsec/ipsec.h>
58 58 # else
59 -# include <linux/ipsec.h>
59 +# ifndef sun /* XXX KEBE SAYS OpenSolaris */
60 +# include <linux/ipsec.h>
61 +# endif
60 62 # endif
61 63 #endif
62 64
65 +#ifdef sun /* XXX KEBE SAYS OpenSolaris */
66 +#define IPSEC_ULPROTO_ANY 0
67 +#endif
68 +
63 69 #include "racoon.h"
64 70
65 71 #include "isakmp.h"
66 72 #include "ikev2.h"
67 73 #include "keyed_hash.h"
68 74 #include "isakmp_impl.h"
69 75 #include "ikev1_impl.h"
70 76 #include "ipsec_doi.h"
71 77 #include "isakmp_ident.h"
72 78 /* #include "isakmp_agg.h" */
73 79 /* #include "isakmp_base.h" */
74 80 #include "isakmp_quick.h"
75 81 #include "isakmp_inf.h"
76 82 #include "vendorid.h"
77 83 #include "pfkey.h"
78 84 #ifdef ENABLE_NATT
79 85 # include "ikev1_natt.h"
80 86 #endif
81 87
82 88 #include "var.h"
83 89
84 90 #include "algorithm.h"
85 91 #include "dhgroup.h"
86 92 #include "oakley.h" /* for prototypes */
87 93 #include "crypto_impl.h"
88 94 #include "ike_conf.h"
89 95 #include "script.h"
90 96 #include "handler.h"
91 97 #include "remoteconf.h"
92 98 #include "strnames.h"
93 99 #include "sockmisc.h"
94 100
95 101 #include "debug.h"
96 102
97 103 static int nostate1 (struct ph1handle *, rc_vchar_t *);
98 104 static int nostate2 (struct ph2handle *, rc_vchar_t *);
99 105
100 106 extern caddr_t val2str(const char *, size_t);
101 107
102 108 static int ph1_main (struct ph1handle *, rc_vchar_t *);
103 109 static int quick_main (struct ph2handle *, rc_vchar_t *);
104 110 static int isakmp_ph1begin_r (rc_vchar_t *,
105 111 struct sockaddr *, struct sockaddr *,
106 112 uint8_t);
107 113 static void isakmp_ph2begin_i (struct ph1handle *, struct ph2handle *);
108 114 static int isakmp_ph2begin_r (struct ph1handle *, rc_vchar_t *);
109 115 static void isakmp_fail_initiate_ph2(struct ph2handle *);
110 116
111 117 static void isakmp_ph1expire_stub(void *);
112 118
113 119 static struct isakmpsa * create_isakmpsa(int, int,
114 120 struct rc_alglist *,
115 121 struct rc_alglist *,
116 122 struct rc_alglist *,
117 123 struct rc_alglist *,
118 124 struct rcf_remote *,
119 125 rc_vchar_t *);
120 126
121 127 int getsockmyaddr(struct sockaddr *addr);
122 128
123 129 typedef int (*PH1EXCHG) (struct ph1handle *, rc_vchar_t *);
124 130
125 131 PH1EXCHG ph1exchange[][2][PHASE1ST_MAX] = {
126 132 /* error */
127 133 {{NULL}, {NULL},},
128 134 /* Identity Protection exchange */
129 135 {
130 136 {nostate1, ident_i1send, nostate1, ident_i2recv, ident_i2send,
131 137 ident_i3recv, ident_i3send, ident_i4recv, ident_i4send, nostate1,},
132 138 {nostate1, ident_r1recv, ident_r1send, ident_r2recv, ident_r2send,
133 139 ident_r3recv, ident_r3send, nostate1, nostate1, nostate1,},
134 140 },
135 141 /* Aggressive exchange */
136 142 {
137 143 #if 0
138 144 {nostate1, agg_i1send, nostate1, agg_i2recv, agg_i2send, nostate1,
139 145 nostate1, nostate1, nostate1, nostate1,},
140 146 {nostate1, agg_r1recv, agg_r1send, agg_r2recv, agg_r2send, nostate1,
141 147 nostate1, nostate1, nostate1, nostate1,},
142 148 #else
143 149 {nostate1, nostate1, nostate1, nostate1, nostate1, nostate1,
144 150 nostate1, nostate1, nostate1, nostate1, },
145 151 {nostate1, nostate1, nostate1, nostate1, nostate1, nostate1,
146 152 nostate1, nostate1, nostate1, nostate1, },
147 153 #endif
148 154 },
149 155 /* Base exchange */
150 156 {
151 157 #if 0
152 158 {nostate1, base_i1send, nostate1, base_i2recv, base_i2send,
153 159 base_i3recv, base_i3send, nostate1, nostate1, nostate1,},
154 160 {nostate1, base_r1recv, base_r1send, base_r2recv, base_r2send,
155 161 nostate1, nostate1, nostate1, nostate1, nostate1,},
156 162 #else
157 163 {nostate1, nostate1, nostate1, nostate1, nostate1, nostate1,
158 164 nostate1, nostate1, nostate1, nostate1, },
159 165 {nostate1, nostate1, nostate1, nostate1, nostate1, nostate1,
160 166 nostate1, nostate1, nostate1, nostate1, },
161 167 #endif
162 168 },
163 169 };
164 170
165 171 typedef int (*PH2EXCHG) (struct ph2handle *, rc_vchar_t *);
166 172
167 173 PH2EXCHG ph2exchange[][2][PHASE2ST_MAX] = {
168 174 /* error */
169 175 {{NULL}, {NULL},},
170 176 /* Quick mode for IKE */
171 177 {
172 178 {nostate2, nostate2, quick_i1prep, nostate2, quick_i1send,
173 179 quick_i2recv, quick_i2send, quick_i3recv, nostate2, nostate2,},
174 180 {nostate2, quick_r1recv, quick_r1prep, nostate2, quick_r2send,
175 181 quick_r3recv, quick_r3prep, quick_r3send, nostate2, nostate2,},
176 182 },
177 183 };
178 184
179 185 static int etypesw1 (int);
180 186 static int etypesw2 (int);
181 187
182 188 #if 0
183 189 struct dh_def ikev1_dhdef = {
184 190 {algtype_dhg_modp768, OAKLEY_ATTR_GRP_DESC_MODP768, &dh_mopd768},
185 191 {algtype_dhg_modp1024, OAKLEY_ATTR_GRP_DESC_MODP1024, &dh_modp1024},
186 192 /* { algtype_dhg_ec2n155, OAKLEY_ATTR_GRP_DESC_EC2N155, .... }, */
187 193 /* { algtype_dhg_ec2n185, OAKLEY_ATTR_GRP_DESC_EC2N185, .... }, */
188 194 {algtype_dhg_modp1536, OAKLEY_ATTR_GRP_DESC_MODP1536, &dh_modp1536},
189 195 /* ec2n_163_a */
190 196 /* ec2n_163_b */
191 197 /* ec2n_283_a */
192 198 /* ec2n_283_b */
193 199 /* ec2n_409_a */
194 200 /* ec2n_409_b */
195 201 /* ec2n_571_a */
196 202 /* ec2n_571_b */
197 203 {algtype_dhg_modp2048, OAKLEY_ATTR_GRP_DESC_MODP2048, &dh_modp2048},
198 204 {algtype_dhg_modp3072, OAKLEY_ATTR_GRP_DESC_MODP3072, &dh_modp3072},
199 205 {algtype_dhg_modp4096, OAKLEY_ATTR_GRP_DESC_MODP4096, &dh_modp4096},
200 206 {algtype_dhg_modp6144, OAKLEY_ATTR_GRP_DESC_MODP6144, &dh_modp6144},
201 207 {algtype_dhg_modp8192, OAKLEY_ATTR_GRP_DESC_MODP8192, &dh_modp8192},
202 208 {0}
203 209 };
204 210 #endif
205 211
206 212 /*
207 213 * main processing to handle isakmp payload
208 214 */
209 215 int
210 216 ikev1_main(rc_vchar_t *msg, struct sockaddr *remote, struct sockaddr *local)
211 217 {
212 218 struct isakmp *isakmp = (struct isakmp *)msg->v;
213 219 isakmp_index_t *index = (isakmp_index_t *)isakmp;
214 220 uint32_t msgid = isakmp->msgid;
215 221 struct ph1handle *iph1;
216 222 static isakmp_cookie_t r_ck0 = { 0, 0, 0, 0, 0, 0, 0, 0 };
217 223
218 224 ++isakmpstat.v1input;
219 225
220 226 #ifdef HAVE_PRINT_ISAKMP_C
221 227 isakmp_printpacket(msg, remote, local, 0);
222 228 #endif
223 229
224 230 /* XXX: check sender whether to be allowed or not to accept */
225 231
226 232 /* XXX: I don't know how to check isakmp half connection attack. */
227 233
228 234 /* simply reply if the packet was processed. */
229 235 if (check_recvdpkt((struct sockaddr *)remote,
230 236 (struct sockaddr *)local, msg)) {
231 237 plog(PLOG_INFO, PLOGLOC, 0,
232 238 "the packet is retransmitted by %s.\n",
233 239 rcs_sa2str((struct sockaddr *)remote));
234 240 /* ++isakmpstat.duplicate; */
235 241 return 0;
236 242 }
237 243
238 244 /* (RFC2408)
239 245 * Implementations SHOULD never accept packets with a minor
240 246 * version number larger than its own, given the major version
241 247 * numbers are identical.
242 248 */
243 249 if (ISAKMP_GETMINORV(isakmp->v) > ISAKMP_MINOR_VERSION) {
244 250 plog(PLOG_PROTOERR, PLOGLOC, 0,
245 251 "unsupported isakmp version %d.%03d.\n",
246 252 ISAKMP_GETMAJORV(isakmp->v), ISAKMP_GETMINORV(isakmp->v));
247 253 /* XXX should send notification */
248 254 ++isakmpstat.unsupported_version;
249 255 return -1;
250 256 }
251 257
252 258 /* the initiator's cookie must not be zero */
253 259 if (memcmp(&isakmp->i_ck, r_ck0, sizeof(isakmp_cookie_t)) == 0) {
254 260 plog(PLOG_PROTOERR, PLOGLOC, 0,
255 261 "malformed cookie received.\n");
256 262 ++isakmpstat.invalid_ike_spi;
257 263 return -1;
258 264 }
259 265
260 266 /* check the Flags field. */
261 267 /* XXX How is the exclusive check, E and A ? */
262 268 if (isakmp->flags & ~(ISAKMP_FLAG_E | ISAKMP_FLAG_C | ISAKMP_FLAG_A)) {
263 269 plog(PLOG_PROTOERR, PLOGLOC, 0,
264 270 "invalid flag 0x%02x.\n", isakmp->flags);
265 271 ++isakmpstat.invalid_flag;
266 272 return -1;
267 273 }
268 274
269 275 /* ignore commit bit. */
270 276 if (ISSET(isakmp->flags, ISAKMP_FLAG_C)) {
271 277 if (isakmp->msgid == 0) {
272 278 isakmp_info_send_nx(isakmp, remote, local,
273 279 ISAKMP_NTYPE_INVALID_FLAGS, NULL);
274 280 plog(PLOG_PROTOERR, PLOGLOC, 0,
275 281 "Commit bit on phase1 forbidden.\n");
276 282 ++isakmpstat.invalid_flag;
277 283 return -1;
278 284 }
279 285 }
280 286
281 287 iph1 = getph1byindex(index);
282 288 if (iph1 != NULL) {
283 289 /* validity check */
284 290 if (memcmp(&isakmp->r_ck, r_ck0, sizeof(isakmp_cookie_t)) == 0
285 291 && iph1->side == INITIATOR) {
286 292 plog(PLOG_DEBUG, PLOGLOC, 0,
287 293 "malformed cookie received or "
288 294 "the initiator's cookies collide.\n");
289 295 ++isakmpstat.invalid_ike_spi;
290 296 return -1;
291 297 }
292 298
293 299 #ifdef ENABLE_NATT
294 300 /* Floating ports for NAT-T */
295 301 if (NATT_AVAILABLE(iph1) &&
296 302 !(iph1->natt_flags & NAT_PORTS_CHANGED) &&
297 303 ((rcs_cmpsa(iph1->remote, remote) != 0) ||
298 304 (rcs_cmpsa(iph1->local, local) != 0))) {
299 305 /* prevent memory leak */
300 306 racoon_free(iph1->remote);
301 307 racoon_free(iph1->local);
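Review bot: The new OpenSolaris guards at new-side lines 59–61 and 65–67 test the unreserved macro `sun`, which Solaris compilers (GCC and Sun Studio) stop predefining in strict ISO modes such as `-std=c99` or `-Xc`, whereas `__sun` is always defined; with `#ifdef __sun` / `#ifndef __sun` the port cannot silently fall back to the `linux/ipsec.h` include and lose the IPSEC_ULPROTO_ANY definition depending on compiler flags. The same `sun` test appears in the NAT-T hunk at new line 318 and the quick_main hunk at new line 848, so all three should change together. Separately, `#define IPSEC_ULPROTO_ANY 0` is unconditional inside its guard; wrapping it as `#ifndef IPSEC_ULPROTO_ANY` / `#define IPSEC_ULPROTO_ANY 0` / `#endif` avoids a redefinition error if a system header already in the include chain provides it. The `XXX KEBE SAYS` markers read as draft notes; a comment stating why the Linux header is skipped on OpenSolaris would serve the next reader better.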
302 308
303 309 /* copy-in new addresses */
304 310 iph1->remote = rcs_sadup(remote);
305 311 iph1->local = rcs_sadup(local);
306 312
307 313 /*
308 314 * set the flag to prevent further port floating.
309 315 * (FIXME: should we allow it? E.g. when the NAT gw
310 316 * is rebooted?)
311 317 */
318 +#ifdef sun
319 + iph1->natt_flags |= NAT_PORTS_CHANGED;
320 +#else
312 321 iph1->natt_flags |= NAT_PORTS_CHANGED | NAT_ADD_NON_ESP_MARKER;
322 +#endif
313 323 }
314 324 #endif
315 325
316 326 /* must be same addresses in one stream of a phase at least. */
317 327 if (rcs_cmpsa(iph1->remote, remote) != 0) {
318 328 char *saddr_db, *saddr_act;
319 329
320 330 saddr_db = strdup(rcs_sa2str(iph1->remote));
321 331 saddr_act = strdup(rcs_sa2str(remote));
322 332
323 333 plog(PLOG_PROTOWARN, PLOGLOC, 0,
324 334 "remote address mismatched. db=%s, act=%s\n",
325 335 saddr_db, saddr_act);
326 336
327 337 racoon_free(saddr_db);
328 338 racoon_free(saddr_act);
329 339 }
330 340 /*
331 341 * don't check of exchange type here because other type will be
332 342 * with same index, for example, informational exchange.
333 343 */
334 344
335 345 /* XXX more acceptable check */
336 346 }
337 347
338 348 switch (isakmp->etype) {
339 349 case ISAKMP_ETYPE_IDENT: /* == oakley main mode */
340 350 case ISAKMP_ETYPE_AGG:
341 351 case ISAKMP_ETYPE_BASE:
342 352 /* phase 1 validity check */
343 353 if (isakmp->msgid != 0) {
344 354 plog(PLOG_PROTOERR, PLOGLOC, 0,
345 355 "message id should be zero in phase1.\n");
346 356 ++isakmpstat.invalid_message_id;
347 357 return -1;
348 358 }
349 359
350 360 /* search for isakmp status record of phase 1 */
351 361 if (iph1 == NULL) {
352 362 /*
353 363 * the packet must be the 1st message from a initiator
354 364 * or the 2nd message from the responder.
355 365 */
356 366
357 367 /* search for phase1 handle by index without r_ck */
358 368 iph1 = getph1byindex0(index);
359 369 if (iph1 == NULL) {
360 370 /*it must be the 1st message from a initiator. */
361 371 if (memcmp(&isakmp->r_ck, r_ck0,
362 372 sizeof(isakmp_cookie_t)) != 0) {
363 373
364 374 plog(PLOG_DEBUG, PLOGLOC, 0,
365 375 "malformed cookie received "
366 376 "or the spi expired.\n");
367 377 ++isakmpstat.unknown_cookie;
368 378 return -1;
369 379 }
370 380
371 381 /* it must be responder's 1st exchange. */
372 382 if (isakmp_ph1begin_r(msg, remote, local,
373 383 isakmp->etype) < 0)
374 384 return -1;
375 385 break;
376 386
377 387 /*NOTREACHED*/}
378 388
379 389 /* it must be the 2nd message from the responder. */
380 390 if (iph1->side != INITIATOR) {
381 391 plog(PLOG_DEBUG, PLOGLOC, 0,
382 392 "malformed cookie received. "
383 393 "it has to be as the initiator. %s\n",
384 394 isakmp_pindex(&iph1->index, 0));
385 395 ++isakmpstat.invalid_message_id;
386 396 return -1;
387 397 }
388 398 }
389 399
390 400 /*
391 401 * Don't delete phase 1 handler when the exchange type
392 402 * in handler is not equal to packet's one because of no
393 403 * authencication completed.
394 404 */
395 405 if (iph1->etype != isakmp->etype) {
396 406 plog(PLOG_PROTOERR, PLOGLOC, 0,
397 407 "exchange type is mismatched: "
398 408 "db=%s packet=%s, ignore it.\n",
399 409 s_isakmp_etype(iph1->etype),
400 410 s_isakmp_etype(isakmp->etype));
401 411 ++isakmpstat.unexpected_packet;
402 412 return -1;
403 413 }
404 414
405 415 /* call main process of phase 1 */
406 416 if (ph1_main(iph1, msg) < 0) {
407 417 plog(PLOG_PROTOERR, PLOGLOC, 0,
408 418 "phase1 negotiation failed.\n");
409 419 remph1(iph1);
410 420 delph1(iph1);
411 421 return -1;
412 422 }
413 423 break;
414 424
415 425 #if 0
416 426 case ISAKMP_ETYPE_AUTH:
417 427 plog(PLOG_INFO, PLOGLOC, 0,
418 428 "unsupported exchange %d received.\n", isakmp->etype);
419 429 ++isakmpstat.unsupported_exchange_type;
420 430 break;
421 431 #endif
422 432
423 433 case ISAKMP_ETYPE_INFO:
424 434 case ISAKMP_ETYPE_ACKINFO:
425 435 /*
426 436 * iph1 must be present for Information message.
427 437 * if iph1 is null then trying to get the phase1 status
428 438 * as the packet from responder againt initiator's 1st
429 439 * exchange in phase 1.
430 440 * NOTE: We think such informational exchange should be ignored.
431 441 */
432 442 if (iph1 == NULL) {
433 443 iph1 = getph1byindex0(index);
434 444 if (iph1 == NULL) {
435 445 plog(PLOG_PROTOERR, PLOGLOC, 0,
436 446 "unknown Informational "
437 447 "exchange received.\n");
438 448 /* ++isakmpstat.infoexch_unknown_peer; */
439 449 return -1;
440 450 }
441 451 if (rcs_cmpsa(iph1->remote, remote) != 0) {
442 452 plog(PLOG_PROTOWARN, PLOGLOC, 0,
443 453 "remote address mismatched. "
444 454 "db=%s\n", rcs_sa2str(iph1->remote));
445 455 /* ++isakmpstat.infoexch_unknown_remote_addr; */
446 456 }
447 457 }
448 458
449 459 if (isakmp_info_recv(iph1, msg) < 0)
450 460 return -1;
451 461 break;
452 462
453 463 case ISAKMP_ETYPE_QUICK:
454 464 {
455 465 struct ph2handle *iph2;
456 466
457 467 if (iph1 == NULL) {
458 468 isakmp_info_send_nx(isakmp, remote, local,
459 469 ISAKMP_NTYPE_INVALID_COOKIE,
460 470 NULL);
461 471 plog(PLOG_PROTOERR, PLOGLOC, 0,
462 472 "can't start the quick mode, "
463 473 "there is no ISAKMP-SA, %s\n",
464 474 isakmp_pindex((isakmp_index_t *)&isakmp->
465 475 i_ck, isakmp->msgid));
466 476 ++isakmpstat.invalid_ike_spi;
467 477 return -1;
468 478 }
469 479
470 480 /* check status of phase 1 whether negotiated or not. */
471 481 if (iph1->status != PHASE1ST_ESTABLISHED) {
472 482 plog(PLOG_PROTOERR, PLOGLOC, 0,
473 483 "can't start the quick mode, "
474 484 "there is no valid ISAKMP-SA, %s\n",
475 485 isakmp_pindex(&iph1->index, iph1->msgid));
476 486 ++isakmpstat.premature;
477 487 return -1;
478 488 }
479 489
480 490 /* search isakmp phase 2 stauts record. */
481 491 iph2 = getph2bymsgid(iph1, msgid);
482 492 if (iph2 == NULL) {
483 493 /* it must be new negotiation as responder */
484 494 if (isakmp_ph2begin_r(iph1, msg) < 0)
485 495 return -1;
486 496 return 0;
487 497 /*NOTREACHED*/}
488 498
489 499 /* commit bit. */
490 500 /* XXX
491 501 * we keep to set commit bit during negotiation.
492 502 * When SA is configured, bit will be reset.
493 503 * XXX
494 504 * don't initiate commit bit. should be fixed in the future.
495 505 */
496 506 if (ISSET(isakmp->flags, ISAKMP_FLAG_C))
497 507 iph2->flags |= ISAKMP_FLAG_C;
498 508
499 509 /* call main process of quick mode */
500 510 if (quick_main(iph2, msg) < 0) {
501 511 plog(PLOG_PROTOERR, PLOGLOC, 0,
502 512 "phase2 negotiation failed.\n");
503 513 unbindph12(iph2);
504 514 remph2(iph2);
505 515 delph2(iph2);
506 516 return -1;
507 517 }
508 518 }
509 519 break;
510 520
511 521 case ISAKMP_ETYPE_NEWGRP:
512 522 if (iph1 == NULL) {
513 523 plog(PLOG_PROTOERR, PLOGLOC, 0,
514 524 "Unknown new group mode exchange, "
515 525 "there is no ISAKMP-SA.\n");
516 526 ++isakmpstat.unknown_cookie;
517 527 return -1;
518 528 }
519 529 #ifdef notyet
520 530 isakmp_newgroup_r(iph1, msg);
521 531 break;
522 532 #else
523 533 /*FALLTHROUGH*/
524 534 #endif
525 535 case ISAKMP_ETYPE_NONE:
526 536 default:
527 537 plog(PLOG_PROTOERR, PLOGLOC, 0,
528 538 "Invalid exchange type %d from %s.\n",
529 539 isakmp->etype, rcs_sa2str(remote));
530 540 /* ++isakmpstat.unsupported_exchange_type; */
531 541 return -1;
532 542 }
533 543
534 544 return 0;
535 545 }
536 546
537 547
538 548 /*
539 549 * process ACQUIRE for IKEv1
540 550 */
541 551 void
542 552 ikev1_initiate(struct isakmp_acquire_request *req,
543 553 struct rcf_policy *policy,
544 554 struct rcf_selector *selector,
545 555 struct rcf_remote *rm_info)
546 556 {
547 557 struct ph2handle *iph2;
548 558 struct sockaddr *peer = 0;
549 559 extern struct sadb_response_method ikev1_sadb_callback;
550 560 extern struct ph2handle *getph2byselector();
551 561 extern int set_proposal_from_policy();
552 562
553 563 TRACE((PLOGLOC, "processing acquire for IKEv1\n"));
554 564 if (ikev1_passive(rm_info) == RCT_BOOL_ON) {
555 565 isakmp_log(0, req->src, req->dst, 0, PLOG_INFO, PLOGLOC, /* ??? */
556 566 "remote %s passive mode specified for IKEv1, dropping acquire request\n",
557 567 (rm_info->rm_index ?
558 568 rc_vmem2str(rm_info->rm_index) : "(default)"));
559 569 goto fail;
560 570 }
561 571
562 572 if (rm_info->ikev1->peers_ipaddr) {
563 573 if (rm_info->ikev1->peers_ipaddr->type != RCT_ADDR_INET) {
564 574 isakmp_log(0, req->src, req->dst, 0,
565 575 PLOG_INTERR, PLOGLOC,
566 576 "unsupported peers_ipaddr format in policy %.*s\n",
567 577 (int)policy->pl_index->l,
568 578 policy->pl_index->v);
569 579 goto fail;
570 580 }
571 581 peer = rcs_sadup(rm_info->ikev1->peers_ipaddr->a.ipaddr);
572 582 } else {
573 583 peer = rcs_sadup(req->dst);
574 584 switch (SOCKADDR_FAMILY(peer)) {
575 585 case AF_INET:
576 586 ((struct sockaddr_in *)peer)->sin_port =
577 587 htons(isakmp_port);
578 588 break;
579 589 #ifdef INET6
580 590 case AF_INET6:
581 591 ((struct sockaddr_in6 *)peer)->sin6_port =
582 592 htons(isakmp_port);
583 593 break;
584 594 #endif
585 595 default:
586 596 isakmp_log(0, req->src, req->dst, 0,
587 597 PLOG_INTERR, PLOGLOC,
588 598 "unsupported address family (%d) for peer address\n",
589 599 SOCKADDR_FAMILY(peer));
590 600 goto fail;
591 601 }
592 602 }
593 603
594 604 iph2 = getph2byselector(req->src, req->dst, selector);
595 605 if (iph2) {
596 606 if (iph2->status < PHASE2ST_ESTABLISHED) {
597 607 isakmp_log(0, req->src, req->dst, 0, PLOG_DEBUG, PLOGLOC,
598 608 "ignoring acquire request since there's ph2 already\n");
599 609 goto fail;
600 610 }
601 611 if (iph2->status == PHASE2ST_EXPIRED)
602 612 iph2 = 0;
603 613 }
604 614
605 615 iph2 = newph2();
606 616 if (!iph2) {
607 617 plog(PLOG_INTERR, PLOGLOC, 0,
608 618 "failed to allocate phase 2 entry\n");
609 619 goto fail;
610 620 }
611 621 iph2->side = INITIATOR;
612 622 iph2->selector = selector;
613 623 selector = 0;
614 624 iph2->satype = RCT_SATYPE_ESP; /* ??? */
615 625 iph2->status = PHASE2ST_STATUS2;
616 626
617 627 iph2->dst = rcs_sadup(req->dst);
618 628 if (req->src2)
619 629 iph2->src = rcs_sadup(req->src2);
620 630 else
621 631 iph2->src = rcs_sadup(req->src);
622 632 if (!iph2->dst || !iph2->src) {
623 633 delph2(iph2);
624 634 goto fail_nomem;
625 635 }
626 636 iph2->seq = req->request_msg_seq;
627 637
628 638 sadb_request_initialize(&iph2->sadb_request,
629 639 req->callback_method,
630 640 &ikev1_sadb_callback,
631 641 req->request_msg_seq,
632 642 iph2);
633 643
634 644 if (set_proposal_from_policy(iph2, rm_info, policy)) {
635 645 plog(PLOG_INTERR, PLOGLOC, 0,
636 646 "failed to create saprop\n");
637 647 delph2(iph2);
638 648 goto fail;
639 649 }
640 650
641 651 TRACE((PLOGLOC, "new acquire ph2 %p\n", iph2));
642 652
643 653 insph2(iph2);
644 654
645 655 ikev1_post_acquire(rm_info, iph2);
646 656
647 657 done:
648 658 if (selector)
649 659 rcf_free_selector(selector);
650 660 if (peer)
651 661 racoon_free(peer);
652 662 return;
653 663
654 664 fail_nomem:
655 665 isakmp_log(0, req->src, req->dst, 0,
656 666 PLOG_INTERR, PLOGLOC, "failed allocating memory\n");
657 667 fail:
658 668 goto done;
659 669 }
660 670
661 671
662 672 /*
663 673 * main function of phase 1.
664 674 */
665 675 static int
666 676 ph1_main(iph1, msg)
667 677 struct ph1handle *iph1;
668 678 rc_vchar_t *msg;
669 679 {
670 680 int error;
671 681 #ifdef ENABLE_STATS
672 682 struct timeval start, end;
673 683 #endif
674 684
675 685 /* ignore a packet */
676 686 if (iph1->status == PHASE1ST_ESTABLISHED) {
677 687 /* ++isakmpstat.ignore; */
678 688 return 0;
679 689 }
680 690 #ifdef ENABLE_STATS
681 691 gettimeofday(&start, NULL);
682 692 #endif
683 693 /* receive */
684 694 if (ph1exchange[etypesw1(iph1->etype)]
685 695 [iph1->side]
686 696 [iph1->status] == NULL) {
687 697 plog(PLOG_INTERR, PLOGLOC, 0,
688 698 "why isn't the function defined.\n");
689 699 /* ++isakmpstat.ignore; */
690 700 return -1;
691 701 }
692 702 error = (ph1exchange[etypesw1(iph1->etype)]
693 703 [iph1->side]
694 704 [iph1->status]) (iph1, msg);
695 705 if (error != 0) {
696 706 #if 0
697 707 /* XXX
698 708 * When an invalid packet is received on phase1, it should
699 709 * be selected to process this packet. That is to respond
700 710 * with a notify and delete phase 1 handler, OR not to respond
701 711 * and keep phase 1 handler.
702 712 */
703 713 plog(PLOG_INTERR, PLOGLOC, 0,
704 714 "failed to pre-process packet.\n");
705 715 return -1;
706 716 #else
707 717 /* ignore the error and keep phase 1 handler */
708 718 return 0;
709 719 #endif
710 720 }
711 721
712 722 /* free resend buffer */
713 723 if (iph1->sendbuf == NULL) {
714 724 plog(PLOG_INTERR, PLOGLOC, 0, "no buffer found as sendbuf\n");
715 725 return -1;
716 726 }
717 727 VPTRINIT(iph1->sendbuf);
718 728
719 729 /* turn off schedule */
720 730 if (iph1->scr)
721 731 SCHED_KILL(iph1->scr);
722 732
723 733 /* send */
724 734 plog(PLOG_DEBUG, PLOGLOC, 0, "===\n");
725 735 if ((ph1exchange[etypesw1(iph1->etype)]
726 736 [iph1->side]
727 737 [iph1->status]) (iph1, msg) != 0) {
728 738 plog(PLOG_PROTOERR, PLOGLOC, 0,
729 739 "failed to process packet.\n");
730 740 return -1;
731 741 }
732 742 #ifdef ENABLE_STATS
733 743 gettimeofday(&end, NULL);
734 744 syslog(LOG_NOTICE, "%s(%s): %8.6f",
735 745 "phase1", s_isakmp_state(iph1->etype, iph1->side, iph1->status),
736 746 timedelta(&start, &end));
737 747 #endif
738 748 if (iph1->status == PHASE1ST_ESTABLISHED) {
739 749 /* ++isakmpstat.ph1established; */
740 750 #ifdef ENABLE_STATS
741 751 gettimeofday(&iph1->end, NULL);
742 752 syslog(LOG_NOTICE, "%s(%s): %8.6f",
743 753 "phase1", s_isakmp_etype(iph1->etype),
744 754 timedelta(&iph1->start, &iph1->end));
745 755 #endif
746 756
747 757 /* save created date. */
748 758 (void)time(&iph1->created);
749 759
750 760 /* add to the schedule to expire, and seve back pointer. */
751 761 iph1->sce = sched_new(iph1->approval->lifetime,
752 762 isakmp_ph1expire_stub, iph1);
753 763
754 764 /* INITIAL-CONTACT processing */
755 765 /* don't anything if local test mode. */
756 766 if (/*!opt_local */ 1
757 767 && iph1->rmconf->ikev1
758 768 && iph1->rmconf->ikev1->initial_contact
759 769 && !getcontacted(iph1->remote)) {
760 770 /*++isakmpstat.initial_contact; */
761 771 /* insert a node into contacted list. */
762 772 if (inscontacted(iph1->remote) == -1) {
763 773 plog(PLOG_INTERR, PLOGLOC, 0,
764 774 "failed to add contacted list.\n");
765 775 /* ignore */
766 776 } else {
767 777 /* send INITIAL-CONTACT */
768 778 isakmp_info_send_n1(iph1,
769 779 ISAKMP_NTYPE_INITIAL_CONTACT,
770 780 NULL);
771 781 }
772 782 }
773 783
774 784 log_ph1established(iph1);
775 785 ikev1_script_hook(iph1, SCRIPT_PHASE1_UP);
776 786 plog(PLOG_DEBUG, PLOGLOC, NULL, "===\n");
777 787 }
778 788
779 789 return 0;
780 790 }
781 791
782 792 /*
783 793 * main function of quick mode.
784 794 */
785 795 static int
786 796 quick_main(struct ph2handle *iph2, rc_vchar_t *msg)
787 797 {
788 798 struct isakmp *isakmp = (struct isakmp *)msg->v;
789 799 int error;
790 800 #ifdef ENABLE_STATS
791 801 struct timeval start, end;
792 802 #endif
793 803
794 804 /* ignore a packet */
795 805 if (iph2->status == PHASE2ST_ESTABLISHED
796 806 || iph2->status == PHASE2ST_GETSPISENT)
797 807 return 0;
798 808
799 809 #ifdef ENABLE_STATS
800 810 gettimeofday(&start, NULL);
801 811 #endif
802 812
803 813 /* receive */
804 814 if (ph2exchange[etypesw2(isakmp->etype)]
805 815 [iph2->side]
806 816 [iph2->status] == NULL) {
807 817 plog(PLOG_INTERR, PLOGLOC, 0,
808 818 "why isn't the function defined.\n");
809 819 return -1;
810 820 }
811 821 error = (ph2exchange[etypesw2(isakmp->etype)]
812 822 [iph2->side]
813 823 [iph2->status]) (iph2, msg);
814 824 if (error != 0) {
815 825 plog(PLOG_INTERR, PLOGLOC, 0,
816 826 "failed to pre-process packet.\n");
817 827 if (error == ISAKMP_INTERNAL_ERROR)
818 828 return 0;
819 829 isakmp_info_send_n1(iph2->ph1, error, NULL);
820 830 return -1;
821 831 }
822 832
823 833 /* when using commit bit, status will be reached here. */
824 834 if (iph2->status == PHASE2ST_ADDSA)
825 835 return 0;
826 836
827 837 /* free resend buffer */
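Review bot: The `#ifdef sun` branch at new-side lines 318–322 drops NAT_ADD_NON_ESP_MARKER from the port-float update but records no reason, so a reader cannot tell whether the non-ESP marker is unnecessary on OpenSolaris or simply not yet ported. A one-line comment above the `#ifdef`, such as `/* OpenSolaris: the non-ESP marker is not added here -- TODO confirm the kernel UDP-encapsulation path supplies it */`, would capture the intent, and the hedge should stay until the responsible code is identified. ikev1_main and the enclosing `#ifdef ENABLE_NATT` block begin before the collapse marker above this chunk.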
828 838 if (iph2->sendbuf == NULL) {
829 839 plog(PLOG_INTERR, PLOGLOC, NULL, "no buffer found as sendbuf\n");
830 840 return -1;
831 841 }
832 842 VPTRINIT(iph2->sendbuf);
833 843
834 844 /* turn off schedule */
835 845 if (iph2->scr)
836 846 SCHED_KILL(iph2->scr);
837 847
848 +#ifdef sun
849 + /* Bail now to await inverse-ACQUIRE response. */
850 + if (iph2->status == PHASE2ST_START && iph2->side == RESPONDER)
851 + return (0);
852 +#endif /* sun/OpenSolaris */
853 +
838 854 /* send */
839 855 plog(PLOG_DEBUG, PLOGLOC, NULL, "===\n");
840 856 if ((ph2exchange[etypesw2(isakmp->etype)]
841 857 [iph2->side]
842 858 [iph2->status]) (iph2, msg) != 0) {
843 859 plog(PLOG_PROTOERR, PLOGLOC, 0,
844 860 "failed to process packet.\n");
845 861 return -1;
846 862 }
847 863 #ifdef ENABLE_STATS
848 864 gettimeofday(&end, NULL);
849 865 syslog(LOG_NOTICE, "%s(%s): %8.6f",
850 866 "phase2",
851 867 s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status),
852 868 timedelta(&start, &end));
853 869 #endif
854 870
855 871 return 0;
856 872 }
857 873
858 874 /* new negotiation of phase 1 for initiator */
859 875 int
860 876 isakmp_ph1begin_i(struct rcf_remote *rmconf,
861 877 struct sockaddr *remote, struct sockaddr *local)
862 878 {
863 879 struct ph1handle *iph1;
864 880 #ifdef ENABLE_STATS
865 881 struct timeval start, end;
866 882 #endif
867 883
868 884 /* get new entry to isakmp status table. */
869 885 iph1 = newph1();
870 886 if (iph1 == NULL)
871 887 return -1;
872 888
873 889 iph1->status = PHASE1ST_START;
874 890 iph1->rmconf = rmconf;
875 891 iph1->side = INITIATOR;
876 892 iph1->version = ISAKMP_VERSION_NUMBER;
877 893 iph1->msgid = 0;
878 894 iph1->flags = 0;
879 895 iph1->ph2cnt = 0;
880 896 #ifdef HAVE_GSSAPI
881 897 iph1->gssapi_state = NULL;
882 898 #endif
883 899 iph1->approval = NULL;
884 900 iph1->proposal = ikev1_conf_to_isakmpsa(rmconf);
885 901
886 902 /* XXX copy remote address */
887 903 if (copy_ph1addresses(iph1, rmconf, remote, local) < 0)
888 904 return -1;
889 905
890 906 (void)insph1(iph1);
891 907
892 908 /* start phase 1 exchange */
893 909 iph1->etype = ikev1_conf_exmode_to_isakmp(rmconf);
894 910
895 911 plog(PLOG_DEBUG, PLOGLOC, NULL, "===\n");
896 912 {
897 913 char *a;
898 914
899 915 a = strdup(rcs_sa2str(iph1->local));
900 916 plog(PLOG_INFO, PLOGLOC, NULL,
901 917 "initiate new phase 1 negotiation: %s<=>%s\n",
902 918 a, rcs_sa2str(iph1->remote));
903 919 racoon_free(a);
904 920 }
905 921 plog(PLOG_INFO, PLOGLOC, NULL,
906 922 "begin %s mode.\n", s_isakmp_etype(iph1->etype));
907 923
908 924 #ifdef ENABLE_STATS
909 925 gettimeofday(&iph1->start, NULL);
910 926 gettimeofday(&start, NULL);
911 927 #endif
912 928 /* start exchange */
913 929 if ((ph1exchange[etypesw1(iph1->etype)]
914 930 [iph1->side]
915 931 [iph1->status]) (iph1, NULL) != 0) {
916 932 /* failed to start phase 1 negotiation */
917 933 remph1(iph1);
918 934 delph1(iph1);
919 935
920 936 return -1;
921 937 }
922 938 #ifdef ENABLE_STATS
923 939 gettimeofday(&end, NULL);
924 940 syslog(LOG_NOTICE, "%s(%s): %8.6f",
925 941 "phase1",
926 942 s_isakmp_state(iph1->etype, iph1->side, iph1->status),
927 943 timedelta(&start, &end));
928 944 #endif
929 945
930 946 return 0;
931 947 }
932 948
933 949 /* new negotiation of phase 1 for responder */
934 950 static int
935 951 isakmp_ph1begin_r(rc_vchar_t *msg, struct sockaddr *remote,
936 952 struct sockaddr *local, uint8_t etype)
937 953 {
938 954 struct isakmp *isakmp = (struct isakmp *)msg->v;
939 955 struct rcf_remote *rmconf;
940 956 struct ph1handle *iph1;
941 957 /* struct etypes *etypeok; */
942 958 #ifdef ENABLE_STATS
943 959 struct timeval start, end;
944 960 #endif
945 961
946 962 /* look for my configuration */
947 963 rmconf = getrmconf(remote);
948 964 if (rmconf == NULL) {
949 965 plog(PLOG_PROTOERR, PLOGLOC, 0,
950 966 "couldn't find " "configuration.\n");
951 967 return -1;
952 968 }
953 969 if (rmconf->ikev1 == NULL) {
954 970 plog(PLOG_PROTOERR, PLOGLOC, 0,
955 971 "received IKEv1 request but no IKEv1 configuration for peer %s\n",
956 972 rc_vmem2str(rmconf->rm_index));
957 973 return -1;
958 974 }
959 975
960 976 /* check to be acceptable exchange type */
961 977 if (etype != ikev1_conf_exmode_to_isakmp(rmconf)) {
962 978 plog(PLOG_PROTOERR, PLOGLOC, 0,
963 979 "not acceptable %s mode\n", s_isakmp_etype(etype));
964 980 return -1;
965 981 }
966 982
967 983 /* get new entry to isakmp status table. */
968 984 iph1 = newph1();
969 985 if (iph1 == NULL)
970 986 return -1;
971 987
972 988 memcpy(&iph1->index.i_ck, &isakmp->i_ck, sizeof(iph1->index.i_ck));
973 989 iph1->status = PHASE1ST_START;
974 990 iph1->rmconf = rmconf;
975 991 iph1->flags = 0;
976 992 iph1->side = RESPONDER;
977 993 iph1->etype = etype;
978 994 iph1->version = isakmp->v;
979 995 iph1->msgid = 0;
980 996 #ifdef HAVE_GSSAPI
981 997 iph1->gssapi_state = NULL;
982 998 #endif
983 999 iph1->approval = NULL;
984 1000 iph1->proposal = ikev1_conf_to_isakmpsa(rmconf);
985 1001
986 1002 /* copy remote address */
987 1003 if (copy_ph1addresses(iph1, rmconf, remote, local) < 0)
988 1004 return -1;
989 1005
990 1006 (void)insph1(iph1);
991 1007
992 1008 plog(PLOG_DEBUG, PLOGLOC, NULL, "===\n");
993 1009 {
994 1010 char *a;
995 1011
996 1012 a = strdup(rcs_sa2str(iph1->local));
997 1013 plog(PLOG_INFO, PLOGLOC, NULL,
998 1014 "respond new phase 1 negotiation: %s<=>%s\n",
999 1015 a, rcs_sa2str(iph1->remote));
1000 1016 racoon_free(a);
1001 1017 }
1002 1018 plog(PLOG_INFO, PLOGLOC, NULL,
1003 1019 "begin %s mode.\n", s_isakmp_etype(etype));
1004 1020
1005 1021 #ifdef ENABLE_STATS
1006 1022 gettimeofday(&iph1->start, NULL);
1007 1023 gettimeofday(&start, NULL);
1008 1024 #endif
1009 1025 /* start exchange */
1010 1026 if ((ph1exchange[etypesw1(iph1->etype)]
1011 1027 [iph1->side]
1012 1028 [iph1->status]) (iph1, msg) < 0
1013 1029 || (ph1exchange[etypesw1(iph1->etype)]
1014 1030 [iph1->side]
1015 1031 [iph1->status]) (iph1, msg) < 0) {
1016 1032 plog(PLOG_PROTOERR, PLOGLOC, 0,
1017 1033 "failed to process packet.\n");
1018 1034 remph1(iph1);
1019 1035 delph1(iph1);
1020 1036 return -1;
1021 1037 }
1022 1038 #ifdef ENABLE_STATS
1023 1039 gettimeofday(&end, NULL);
1024 1040 syslog(LOG_NOTICE, "%s(%s): %8.6f",
1025 1041 "phase1",
1026 1042 s_isakmp_state(iph1->etype, iph1->side, iph1->status),
1027 1043 timedelta(&start, &end));
1028 1044 #endif
1029 1045
1030 1046 return 0;
1031 1047 }
1032 1048
1033 1049
1034 1050
1035 1051 /*
1036 1052 * make strings containing i_cookie + r_cookie + msgid
1037 1053 */
1038 1054 const char *
1039 1055 isakmp_pindex(const isakmp_index_t *index, const uint32_t msgid)
1040 1056 {
1041 1057 static char buf[64];
1042 1058 const unsigned char *p;
1043 1059 int i, j;
1044 1060
1045 1061 memset(buf, 0, sizeof(buf));
1046 1062
1047 1063 /* copy index */
1048 1064 p = (const unsigned char *)index;
1049 1065 for (j = 0, i = 0; (size_t)i < sizeof(isakmp_index_t); i++) {
1050 1066 snprintf((char *)&buf[j], sizeof(buf) - j, "%02x", p[i]);
1051 1067 j += 2;
1052 1068 switch (i) {
1053 1069 case 7:
1054 1070 buf[j++] = ':';
1055 1071 }
1056 1072 }
1057 1073
1058 1074 if (msgid == 0)
1059 1075 return buf;
1060 1076
1061 1077 /* copy msgid */
1062 1078 snprintf((char *)&buf[j], sizeof(buf) - j, ":%08x", ntohl(msgid));
1063 1079
1064 1080 return buf;
1065 1081 }
1066 1082
1067 1083 /*
1068 1084 * receive GETSPI from kernel.
1069 1085 */
1070 1086 int
1071 1087 isakmp_post_getspi(struct ph2handle *iph2)
1072 1088 {
1073 1089 #ifdef ENABLE_STATS
1074 1090 struct timeval start, end;
1075 1091 #endif
1076 1092
1077 1093 /* don't process it because there is no suitable phase1-sa. */
1078 1094 if (iph2->ph1->status == PHASE1ST_EXPIRED) {
1079 1095 plog(PLOG_INTERR, PLOGLOC, 0,
1080 1096 "the negotiation is stopped, "
1081 1097 "because there is no suitable ISAKMP-SA.\n");
1082 1098 return -1;
1083 1099 }
1084 1100
1085 1101 #ifdef ENABLE_STATS
1086 1102 gettimeofday(&start, NULL);
1087 1103 #endif
1088 1104 if ((ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)]
1089 1105 [iph2->side]
1090 1106 [iph2->status])(iph2, NULL) != 0)
1091 1107 return -1;
1092 1108 #ifdef ENABLE_STATS
1093 1109 gettimeofday(&end, NULL);
1094 1110 syslog(LOG_NOTICE, "%s(%s): %8.6f",
1095 1111 "phase2",
1096 1112 s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status),
1097 1113 timedelta(&start, &end));
1098 1114 #endif
1099 1115
1100 1116 return 0;
1101 1117 }
1102 1118
1103 1119 /* new negotiation of phase 2 for initiator */
1104 1120 static void
1105 1121 isakmp_ph2begin_i(struct ph1handle *iph1, struct ph2handle *iph2)
1106 1122 {
1107 1123 /* found ISAKMP-SA. */
1108 1124 plog(PLOG_DEBUG, PLOGLOC, NULL, "===\n");
1109 1125 plog(PLOG_DEBUG, PLOGLOC, NULL, "begin QUICK mode.\n");
1110 1126 {
1111 1127 char *a;
1112 1128 a = strdup(rcs_sa2str(iph2->src));
1113 1129 plog(PLOG_INFO, PLOGLOC, NULL,
1114 1130 "initiate new phase 2 negotiation: %s<=>%s\n",
1115 1131 a, rcs_sa2str(iph2->dst));
1116 1132 racoon_free(a);
1117 1133 }
1118 1134
1119 1135 #ifdef ENABLE_STATS
1120 1136 gettimeofday(&iph2->start, NULL);
1121 1137 #endif
1122 1138 /* found isakmp-sa */
1123 1139 bindph12(iph1, iph2);
1124 1140 iph2->status = PHASE2ST_STATUS2;
1125 1141
1126 1142 if ((ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)]
1127 1143 [iph2->side]
1128 1144 [iph2->status]) (iph2, NULL) < 0) {
1129 1145 /* release ipsecsa handler due to internal error. */
1130 1146 plog(PLOG_INTERR, PLOGLOC, 0,
1131 1147 "failed to initiate phase 2 negotiation for %s\n",
1132 1148 rcs_sa2str_wop(iph2->dst));
1133 1149 isakmp_fail_initiate_ph2(iph2);
1134 1150 return;
1135 1151 }
1136 1152 return;
1137 1153 }
1138 1154
1155 +#ifdef sun
1156 +static int
1157 +isakmp_ph2_inv_acquire(invacq_t *invacq)
1158 +{
1159 + struct ph2handle *iph2 = invacq->iph2;
1160 + struct rcpfk_msg *param = invacq->answer;
1161 + struct isakmp *isakmp = (struct isakmp *)iph2->msg1->v;
1162 +
1163 + sadb_request_finish(&invacq->request);
1164 + free(invacq);
1165 +
1166 + /*
1167 + * Initialize iph2->selector, iph2->proposal, and iph2-> with the results of an
1168 + * inverse-ACQUIRE.
1169 + *
1170 + * XXX KEBE SAYS -- We need a way to figure out a p2_pfs equivalent
1171 + * for racoon2. We store this in Phase I/PAD state in in.iked.
1172 + */
1173 +
1174 + /* Then send the Quick Mode reply. */
1175 + /* assert(iph2->status == PHASE2ST_STATUS2); */
1176 +
1177 + /* change status of isakmp status entry */
1178 + iph2->status = PHASE2ST_STATUS2;
1179 +
1180 + if (extract_extended_acquire(param, &iph2->selector, NULL) != 0) {
1181 + /* XXX KEBE SAYS MORE ERROR HANDLING? */
1182 + return (-1);
1183 + }
1184 +
1185 + /* XXX KEBE SAYS FILL ME IN XXX */
1186 +
1187 + if (set_proposal_from_policy(iph2, iph2->ph1->rmconf,
1188 + iph2->selector->pl) != 0) {
1189 + /* XXX KEBE SAYS MORE ERROR HANDLING? */
1190 + return (-1);
1191 + }
1192 +
1193 + if (ipsecdoi_selectph2proposal(iph2) < 0) {
1194 + /* XXX KEBE SAYS MORE ERROR HANDLING? PROPER RETURN? */
1195 + isakmp_info_send_n1(iph2->ph1, ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN,
1196 + NULL);
1197 + return (-1);
1198 + }
1199 +
1200 + /* The following was moved here from quick_main(). */
1201 + plog(PLOG_DEBUG, PLOGLOC, NULL, "===\n");
1202 + if ((ph2exchange[etypesw2(isakmp->etype)]
1203 + [iph2->side]
1204 + [iph2->status]) (iph2, iph2->msg1) < 0) {
1205 + plog(PLOG_PROTOERR, PLOGLOC, 0,
1206 + "failed to process packet.\n");
1207 + /* don't release handler */
1208 + return -1;
1209 + }
1210 +#ifdef ENABLE_STATS
1211 + gettimeofday(&end, NULL);
1212 + syslog(LOG_NOTICE, "%s(%s): %8.6f",
1213 + "phase2",
1214 + s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status),
1215 + timedelta(&start, &end));
1216 +#endif
1217 +}
1218 +#endif
1219 +
1139 1220 /* new negotiation of phase 2 for responder */
1140 1221 static int
1141 1222 isakmp_ph2begin_r(struct ph1handle *iph1, rc_vchar_t *msg)
1142 1223 {
1143 1224 struct isakmp *isakmp = (struct isakmp *)msg->v;
1144 1225 struct ph2handle *iph2 = 0;
1145 1226 int error;
1146 1227 #ifdef ENABLE_STATS
1147 1228 struct timeval start, end;
1148 1229 #endif
1149 1230 extern struct sadb_response_method ikev1_sadb_callback;
1150 1231
1151 1232 iph2 = newph2();
1152 1233 if (iph2 == NULL) {
1153 1234 plog(PLOG_INTERR, PLOGLOC, NULL,
1154 1235 "failed to allocate phase2 entry.\n");
1155 1236 return -1;
1156 1237 }
1157 1238
1158 1239 iph2->ph1 = iph1;
1159 1240 iph2->side = RESPONDER;
1160 1241 iph2->status = PHASE2ST_START;
1161 1242 iph2->flags = isakmp->flags;
1162 1243 iph2->msgid = isakmp->msgid;
1163 1244 iph2->seq = sadb_new_seq(); /* pk_getseq(); */
1164 1245 iph2->ivm = oakley_newiv2(iph1, iph2->msgid);
1165 1246 if (iph2->ivm == NULL) {
1166 1247 delph2(iph2);
1167 1248 return -1;
1168 1249 }
1169 1250
1170 1251 iph2->dst = rcs_sadup(iph1->remote); /* XXX should be considered */
1171 1252 if (iph2->dst == NULL) {
1172 1253 delph2(iph2);
1173 1254 return -1;
1174 1255 }
1175 1256
1176 1257 iph2->src = rcs_sadup(iph1->local); /* XXX should be considered */
1177 1258 if (iph2->src == NULL) {
1178 1259 delph2(iph2);
1179 1260 return -1;
1180 1261 }
1181 1262
1182 1263 iph2->selector = 0;
1183 1264
1184 1265 sadb_request_initialize(&iph2->sadb_request,
1185 1266 debug_pfkey ? &sadb_debug_method : &sadb_responder_request_method,
1186 1267 &ikev1_sadb_callback,
1187 1268 iph2->seq,
1188 1269 iph2);
1189 1270
1190 1271 /* add new entry to isakmp status table */
1191 1272 insph2(iph2);
1192 1273 bindph12(iph1, iph2);
1193 1274
1194 1275 plog(PLOG_DEBUG, PLOGLOC, NULL, "===\n");
1195 1276 {
1196 1277 char *a;
1197 1278
1198 1279 a = strdup(rcs_sa2str(iph2->src));
1199 1280 plog(PLOG_INFO, PLOGLOC, NULL,
1200 1281 "respond new phase 2 negotiation: %s<=>%s\n",
1201 1282 a, rcs_sa2str(iph2->dst));
1202 1283 racoon_free(a);
1203 1284 }
1204 1285
1205 1286 #ifdef ENABLE_STATS
1206 1287 gettimeofday(&start, NULL);
1207 1288 #endif
1208 1289
1290 +
1209 1291 error = (ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)]
1210 1292 [iph2->side]
1211 1293 [iph2->status]) (iph2, msg);
1212 1294 if (error != 0) {
1213 1295 plog(PLOG_INTERR, PLOGLOC, 0,
1214 1296 "failed to pre-process packet.\n");
1215 1297 if (error != ISAKMP_INTERNAL_ERROR)
1216 1298 isakmp_info_send_n1(iph2->ph1, error, NULL);
1217 1299 /*
1218 1300 * release handler because it's wrong that ph2handle is kept
1219 1301 * after failed to check message for responder's.
1220 1302 */
1221 1303 unbindph12(iph2);
1222 1304 remph2(iph2);
1223 1305 delph2(iph2);
1224 1306 return -1;
1225 1307 }
1226 1308
1309 +#ifdef sun
1310 + /* XXX KEBE ASKS - how do you insert inverse-ACQUIRE here? */
1311 +
1312 + /* Assume iph2->msg1 contains a copy of "msg" we passed-in. */
1313 + {
1314 + invacq_t *invacq = malloc(sizeof (*invacq));
1315 + uint32_t newseq = sadb_new_seq();
1316 +
1317 + /*
1318 + * Use newseq to avoid using iph2's, which already has a
1319 + * record via a previous sadb_request_initalize() call.
1320 + */
1321 +
1322 + if (invacq == NULL)
1323 + return (-1);
1324 +
1325 + invacq->iph2 = iph2;
1326 + sadb_request_initialize(&invacq->request,
1327 + NULL /* KEBE - reqmethod */, NULL /* KEBE - respmethod */,
1328 + newseq, invacq);
1329 + invacq->receiver = isakmp_ph2_inv_acquire;
1330 +
1331 + /* Okay, now we send the inverse-ACQUIRE itself. */
1332 + /* XXX KEBE SAYS CODE ME */
1333 + ikev1_send_inverse_acquire(iph2, newseq);
1334 + }
1335 +#else
1227 1336 /* send */
1228 1337 plog(PLOG_DEBUG, PLOGLOC, NULL, "===\n");
1229 1338 if ((ph2exchange[etypesw2(isakmp->etype)]
1230 1339 [iph2->side]
1231 1340 [iph2->status]) (iph2, msg) < 0) {
1232 1341 plog(PLOG_PROTOERR, PLOGLOC, 0,
1233 1342 "failed to process packet.\n");
1234 1343 /* don't release handler */
1235 1344 return -1;
1236 1345 }
1237 1346 #ifdef ENABLE_STATS
1238 1347 gettimeofday(&end, NULL);
1239 1348 syslog(LOG_NOTICE, "%s(%s): %8.6f",
1240 1349 "phase2",
1241 1350 s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status),
1242 1351 timedelta(&start, &end));
1243 1352 #endif
1353 +#endif /* sun/OpenSolaris */
1244 1354
1245 1355 return 0;
1246 1356 }
1247 1357
1248 1358 /* called from scheduler */
1249 1359 static void
1250 1360 isakmp_ph1resend_stub(void *p)
1251 1361 {
1252 1362 (void)isakmp_ph1resend((struct ph1handle *)p);
1253 1363 }
1254 1364
1255 1365 int
1256 1366 isakmp_ph1resend(struct ph1handle *iph1)
1257 1367 {
1258 1368 if (iph1->retry_counter < 0) {
1259 1369 plog(PLOG_PROTOERR, PLOGLOC, NULL,
1260 1370 "phase1 negotiation failed due to time up (index %s).\n",
1261 1371 isakmp_pindex(&iph1->index, iph1->msgid));
1262 1372
1263 1373 remph1(iph1);
1264 1374 delph1(iph1);
1265 1375 return -1;
1266 1376 }
1267 1377
1268 1378 if (isakmp_send(iph1, iph1->sendbuf) < 0)
1269 1379 return -1;
1270 1380
1271 1381 plog(PLOG_DEBUG, PLOGLOC, NULL,
1272 1382 "resend phase1 packet %s\n",
1273 1383 isakmp_pindex(&iph1->index, iph1->msgid));
1274 1384
1275 1385 iph1->retry_counter--;
1276 1386
1277 1387 iph1->scr = sched_new(ikev1_interval_to_send(iph1->rmconf),
1278 1388 isakmp_ph1resend_stub, iph1);
1279 1389
1280 1390 return 0;
1281 1391 }
1282 1392
1283 1393 /* called from scheduler */
1284 1394 static void
1285 1395 isakmp_ph2resend_stub(void *p)
1286 1396 {
1287 1397
1288 1398 (void)isakmp_ph2resend((struct ph2handle *)p);
1289 1399 }
1290 1400
1291 1401 int
1292 1402 isakmp_ph2resend(struct ph2handle *iph2)
1293 1403 {
1294 1404 if (iph2->retry_counter < 0) {
1295 1405 plog(PLOG_PROTOERR, PLOGLOC, NULL,
1296 1406 "phase2 negotiation failed due to time up. %s\n",
1297 1407 isakmp_pindex(&iph2->ph1->index, iph2->msgid));
1298 1408 unbindph12(iph2);
1299 1409 remph2(iph2);
1300 1410 delph2(iph2);
1301 1411 return -1;
1302 1412 }
1303 1413
1304 1414 if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0)
1305 1415 return -1;
1306 1416
1307 1417 plog(PLOG_DEBUG, PLOGLOC, NULL,
1308 1418 "resend phase2 packet %s\n",
1309 1419 isakmp_pindex(&iph2->ph1->index, iph2->msgid));
1310 1420
1311 1421 iph2->retry_counter--;
1312 1422
1313 1423 iph2->scr = sched_new(ikev1_interval_to_send(iph2->ph1->rmconf),
1314 1424 isakmp_ph2resend_stub, iph2);
1315 1425
1316 1426 return 0;
1317 1427 }
1318 1428
1319 1429 /* called from scheduler */
1320 1430 static void
1321 1431 isakmp_ph1expire_stub(void *p)
1322 1432 {
1323 1433
1324 1434 isakmp_ph1expire((struct ph1handle *)p);
1325 1435 }
1326 1436
1327 1437 void
1328 1438 isakmp_ph1expire(struct ph1handle *iph1)
1329 1439 {
1330 1440 char *src, *dst;
1331 1441
1332 1442 src = strdup(rcs_sa2str(iph1->local));
1333 1443 dst = strdup(rcs_sa2str(iph1->remote));
1334 1444 plog(PLOG_INFO, PLOGLOC, NULL,
1335 1445 "ISAKMP-SA expired %s-%s spi:%s\n",
1336 1446 src, dst, isakmp_pindex(&iph1->index, 0));
1337 1447 racoon_free(src);
1338 1448 racoon_free(dst);
1339 1449
1340 1450 SCHED_KILL(iph1->sce);
1341 1451
1342 1452 iph1->status = PHASE1ST_EXPIRED;
1343 1453
1344 1454 /*
1345 1455 * the phase1 deletion is postponed until there is no phase2.
1346 1456 */
1347 1457 if (LIST_FIRST(&iph1->ph2tree) != NULL) {
1348 1458 iph1->sce = sched_new(1, isakmp_ph1expire_stub, iph1);
1349 1459 return;
1350 1460 }
1351 1461
1352 1462 iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1);
1353 1463 }
1354 1464
1355 1465 /* called from scheduler */
1356 1466 void
1357 1467 isakmp_ph1delete_stub(void *p)
1358 1468 {
1359 1469
1360 1470 isakmp_ph1delete((struct ph1handle *)p);
1361 1471 }
1362 1472
1363 1473 void
1364 1474 isakmp_ph1delete(struct ph1handle *iph1)
1365 1475 {
1366 1476 char *src, *dst;
1367 1477
1368 1478 SCHED_KILL(iph1->sce);
1369 1479
1370 1480 if (LIST_FIRST(&iph1->ph2tree) != NULL) {
1371 1481 iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1);
1372 1482 return;
1373 1483 }
1374 1484
1375 1485 /* don't re-negosiation when the phase 1 SA expires. */
1376 1486
1377 1487 src = strdup(rcs_sa2str(iph1->local));
1378 1488 dst = strdup(rcs_sa2str(iph1->remote));
1379 1489 plog(PLOG_INFO, PLOGLOC, NULL,
1380 1490 "ISAKMP-SA deleted %s-%s spi:%s\n",
1381 1491 src, dst, isakmp_pindex(&iph1->index, 0));
1382 1492 racoon_free(src);
1383 1493 racoon_free(dst);
1384 1494
1385 1495 remph1(iph1);
1386 1496 delph1(iph1);
1387 1497
1388 1498 return;
1389 1499 }
1390 1500
1391 1501 void
1392 1502 isakmp_ph2expire(struct ph2handle *iph2)
1393 1503 {
1394 1504 char *src, *dst;
1395 1505
1396 1506 SCHED_KILL(iph2->sce);
1397 1507
1398 1508 src = strdup(rcs_sa2str_wop(iph2->src));
1399 1509 dst = strdup(rcs_sa2str_wop(iph2->dst));
1400 1510 plog(PLOG_INFO, PLOGLOC, NULL, "phase2 sa expired %s-%s\n", src, dst);
1401 1511 racoon_free(src);
1402 1512 racoon_free(dst);
1403 1513
1404 1514 iph2->status = PHASE2ST_EXPIRED;
1405 1515
1406 1516 iph2->sce = sched_new(1, isakmp_ph2delete_stub, iph2);
1407 1517
1408 1518 return;
1409 1519 }
1410 1520
1411 1521 /* called from scheduler */
1412 1522 void
1413 1523 isakmp_ph2delete_stub(void *p)
1414 1524 {
1415 1525
1416 1526 isakmp_ph2delete((struct ph2handle *)p);
1417 1527 }
1418 1528
1419 1529 void
1420 1530 isakmp_ph2delete(struct ph2handle *iph2)
1421 1531 {
1422 1532 char *src, *dst;
1423 1533
1424 1534 SCHED_KILL(iph2->sce);
1425 1535
1426 1536 src = strdup(rcs_sa2str_wop(iph2->src));
1427 1537 dst = strdup(rcs_sa2str_wop(iph2->dst));
1428 1538 plog(PLOG_INFO, PLOGLOC, NULL, "phase2 sa deleted %s-%s\n", src, dst);
1429 1539 racoon_free(src);
1430 1540 racoon_free(dst);
1431 1541
1432 1542 unbindph12(iph2);
1433 1543 remph2(iph2);
1434 1544 delph2(iph2);
1435 1545
1436 1546 return;
1437 1547 }
1438 1548
1439 1549 void
1440 1550 ikev1_post_acquire(struct rcf_remote *rm_info, struct ph2handle *iph2)
1441 1551 {
1442 1552 struct ph1handle *iph1;
1443 1553
1444 1554 #ifdef ENABLE_NATT
1445 1555 if (!extract_port(iph2->src) && !extract_port(iph2->dst)) {
1446 1556 if ((iph1 = getph1byaddrwop(iph2->src, iph2->dst)) != NULL) {
1447 1557 set_port(iph2->src, extract_port(iph1->local));
1448 1558 set_port(iph2->dst, extract_port(iph1->remote));
1449 1559 }
1450 1560 } else {
1451 1561 iph1 = getph1byaddr(iph2->src, iph2->dst);
1452 1562 }
1453 1563 #else
1454 1564 iph1 = getph1byaddr(iph2->src, iph2->dst);
1455 1565 #endif
1456 1566
1457 1567 #define IKEV1_DEFAULT_RETRY_CHECKPH1 30
1458 1568
1459 1569 if (!iph1) {
1460 1570 struct sched *sc;
1461 1571
1462 1572 if (isakmp_ph1begin_i(rm_info, iph2->dst, iph2->src) < 0) {
1463 1573 plog(PLOG_INTERR, PLOGLOC, 0,
1464 1574 "failed to initiate phase 1 negotiation for %s\n",
1465 1575 rcs_sa2str_wop(iph2->dst));
1466 1576 isakmp_fail_initiate_ph2(iph2);
1467 1577 goto fail;
1468 1578 }
1469 1579 iph2->retry_checkph1 = IKEV1_DEFAULT_RETRY_CHECKPH1;
1470 1580 sc = sched_new(1, isakmp_chkph1there_stub, iph2);
1471 1581 plog(PLOG_INFO, PLOGLOC, 0,
1472 1582 "IPsec-SA request for %s queued "
1473 1583 "since no phase1 found\n",
1474 1584 rcs_sa2str_wop(iph2->dst));
1475 1585
1476 1586 } else if (iph1->status != PHASE1ST_ESTABLISHED) {
1477 1587 iph2->retry_checkph1 = IKEV1_DEFAULT_RETRY_CHECKPH1;
1478 1588 sched_new(1, isakmp_chkph1there_stub, iph2);
1479 1589 plog(PLOG_INFO, PLOGLOC, 0,
1480 1590 "request for establishing IPsec-SA was queued "
1481 1591 "since phase1 is not mature\n");
1482 1592 } else {
1483 1593 /* iph1->status == PHASE1ST_ESTABLISHED */
1484 1594 TRACE((PLOGLOC, "begin QUICK mode\n"));
1485 1595 isakmp_ph2begin_i(iph1, iph2);
1486 1596 }
1487 1597 fail:
1488 1598 return;
1489 1599 }
1490 1600
1491 1601 /* called by scheduler */
1492 1602 void
1493 1603 isakmp_chkph1there_stub(void *p)
1494 1604 {
1495 1605 isakmp_chkph1there((struct ph2handle *)p);
1496 1606 }
1497 1607
1498 1608 static void
1499 1609 isakmp_fail_initiate_ph2(struct ph2handle *iph2)
1500 1610 {
1501 1611 /* send acquire to kernel as error */
1502 1612 pk_sendeacquire(iph2);
1503 1613
1504 1614 /* then remove ph2 */
1505 1615 unbindph12(iph2);
1506 1616 remph2(iph2);
1507 1617 delph2(iph2);
1508 1618 }
1509 1619
1510 1620 void
1511 1621 isakmp_chkph1there(struct ph2handle *iph2)
1512 1622 {
1513 1623 struct ph1handle *iph1;
1514 1624
1515 1625 iph2->retry_checkph1--;
1516 1626 if (iph2->retry_checkph1 < 0) {
1517 1627 plog(PLOG_INTERR, PLOGLOC, 0,
1518 1628 "phase2 negotiation failed "
1519 1629 "due to time up waiting for phase1. %s\n",
1520 1630 sadbsecas2str(iph2->dst, iph2->src,
1521 1631 iph2->satype, 0, 0));
1522 1632 plog(PLOG_INFO, PLOGLOC, 0,
1523 1633 "delete phase 2 handler.\n");
1524 1634 isakmp_fail_initiate_ph2(iph2);
1525 1635 return;
1526 1636 }
1527 1637
1528 1638 /*
1529 1639 * Search isakmp status table by address and port
1530 1640 * If NAT-T is in use, consider null ports as a
1531 1641 * wildcard and use IKE ports instead.
1532 1642 */
1533 1643 #ifdef ENABLE_NATT
1534 1644 if (!extract_port(iph2->src) && !extract_port(iph2->dst)) {
1535 1645 if ((iph1 = getph1byaddrwop(iph2->src, iph2->dst)) != NULL) {
1536 1646 set_port(iph2->src, extract_port(iph1->local));
1537 1647 set_port(iph2->dst, extract_port(iph1->remote));
1538 1648 }
1539 1649 } else {
1540 1650 iph1 = getph1byaddr(iph2->src, iph2->dst);
1541 1651 }
1542 1652 #else
1543 1653 iph1 = getph1byaddr(iph2->src, iph2->dst);
1544 1654 #endif
1545 1655
1546 1656 /* XXX Even if ph1 as responder is there, should we not start
1547 1657 * phase 2 negotiation ? */
1548 1658 if (iph1 != NULL
1549 1659 && iph1->status == PHASE1ST_ESTABLISHED) {
1550 1660 /* found isakmp-sa */
1551 1661 /* begin quick mode */
1552 1662 isakmp_ph2begin_i(iph1, iph2);
1553 1663 return;
1554 1664 }
1555 1665
1556 1666 /* no isakmp-sa found */
1557 1667 sched_new(1, isakmp_chkph1there_stub, iph2);
1558 1668
1559 1669 return;
1560 1670 }
1561 1671
1562 1672 /*
1563 1673 * Payload attribute handling
1564 1674 */
1565 1675 /* copy variable data into ALLOCATED buffer. */
1566 1676 caddr_t
1567 1677 isakmp_set_attr_v(caddr_t buf, int type, caddr_t val, int len)
1568 1678 {
1569 1679 struct isakmp_data *data;
1570 1680
1571 1681 data = (struct isakmp_data *)buf;
1572 1682 put_uint16(&data->type, type | ISAKMP_GEN_TLV);
1573 1683 put_uint16(&data->lorv, len);
1574 1684 memcpy(data + 1, val, len);
1575 1685
1576 1686 return buf + sizeof(*data) + len;
1577 1687 }
1578 1688
1579 1689 /* copy fixed length data into ALLOCATED buffer. */
1580 1690 caddr_t
1581 1691 isakmp_set_attr_l(caddr_t buf, int type, uint32_t val)
1582 1692 {
1583 1693 struct isakmp_data *data;
1584 1694
1585 1695 data = (struct isakmp_data *)buf;
1586 1696 put_uint16(&data->type, type | ISAKMP_GEN_TV);
1587 1697 put_uint16(&data->lorv, val);
1588 1698
1589 1699 return buf + sizeof(*data);
1590 1700 }
1591 1701
1592 1702 /* add a variable data attribute to the buffer by reallocating it. */
1593 1703 rc_vchar_t *
1594 1704 isakmp_add_attr_v(rc_vchar_t *buf0, int type, caddr_t val, int len)
1595 1705 {
1596 1706 rc_vchar_t *buf = NULL;
1597 1707 struct isakmp_data *data;
1598 1708 int tlen;
1599 1709 int oldlen = 0;
1600 1710
1601 1711 tlen = sizeof(*data) + len;
1602 1712
1603 1713 if (buf0) {
1604 1714 oldlen = buf0->l;
1605 1715 buf = rc_vrealloc(buf0, oldlen + tlen);
1606 1716 } else
1607 1717 buf = rc_vmalloc(tlen);
1608 1718 if (!buf) {
1609 1719 plog(PLOG_INTERR, PLOGLOC, NULL,
1610 1720 "failed to get a attribute buffer.\n");
1611 1721 return NULL;
1612 1722 }
1613 1723
1614 1724 data = (struct isakmp_data *)(buf->v + oldlen);
1615 1725 put_uint16(&data->type, type | ISAKMP_GEN_TLV);
1616 1726 put_uint16(&data->lorv, len);
1617 1727 memcpy(data + 1, val, len);
1618 1728
1619 1729 return buf;
1620 1730 }
1621 1731
1622 1732 /* add a fixed data attribute to the buffer by reallocating it. */
1623 1733 rc_vchar_t *
1624 1734 isakmp_add_attr_l(rc_vchar_t *buf0, int type, uint32_t val)
1625 1735 {
1626 1736 rc_vchar_t *buf = NULL;
1627 1737 struct isakmp_data *data;
1628 1738 int tlen;
1629 1739 int oldlen = 0;
1630 1740
1631 1741 tlen = sizeof(*data);
1632 1742
1633 1743 if (buf0) {
1634 1744 oldlen = buf0->l;
1635 1745 buf = rc_vrealloc(buf0, oldlen + tlen);
1636 1746 } else
1637 1747 buf = rc_vmalloc(tlen);
1638 1748 if (!buf) {
1639 1749 plog(PLOG_INTERR, PLOGLOC, NULL,
1640 1750 "failed to get a attribute buffer.\n");
1641 1751 return NULL;
1642 1752 }
1643 1753
1644 1754 data = (struct isakmp_data *)(buf->v + oldlen);
1645 1755 put_uint16(&data->type, type | ISAKMP_GEN_TV);
1646 1756 put_uint16(&data->lorv, val);
1647 1757
1648 1758 return buf;
1649 1759 }
1650 1760
1651 1761 /*
1652 1762 * set values into allocated buffer of isakmp header for phase 1
1653 1763 */
1654 1764 static caddr_t
1655 1765 set_isakmp_header(rc_vchar_t *vbuf, struct ph1handle *iph1,
1656 1766 int nptype, uint8_t etype, uint8_t flags, uint32_t msgid)
1657 1767 {
1658 1768 struct isakmp *isakmp;
1659 1769
1660 1770 if (vbuf->l < sizeof(*isakmp))
1661 1771 return NULL;
1662 1772
1663 1773 isakmp = (struct isakmp *)vbuf->v;
1664 1774
1665 1775 memcpy(&isakmp->i_ck, &iph1->index.i_ck, sizeof(isakmp_cookie_t));
1666 1776 memcpy(&isakmp->r_ck, &iph1->index.r_ck, sizeof(isakmp_cookie_t));
1667 1777 isakmp->np = nptype;
1668 1778 isakmp->v = iph1->version;
1669 1779 isakmp->etype = etype;
1670 1780 isakmp->flags = flags;
1671 1781 isakmp->msgid = msgid;
1672 1782 put_uint32(&isakmp->len, vbuf->l);
1673 1783
1674 1784 return vbuf->v + sizeof(*isakmp);
1675 1785 }
1676 1786
1677 1787 /*
1678 1788 * set values into allocated buffer of isakmp header for phase 1
1679 1789 */
1680 1790 caddr_t
1681 1791 set_isakmp_header1(rc_vchar_t *vbuf, struct ph1handle *iph1, int nptype)
1682 1792 {
1683 1793 return set_isakmp_header (vbuf, iph1, nptype, iph1->etype, iph1->flags, iph1->msgid);
1684 1794 }
1685 1795
1686 1796 /*
1687 1797 * set values into allocated buffer of isakmp header for phase 2
1688 1798 */
1689 1799 caddr_t
1690 1800 set_isakmp_header2(rc_vchar_t *vbuf, struct ph2handle *iph2, int nptype)
1691 1801 {
1692 1802 return set_isakmp_header (vbuf, iph2->ph1, nptype, ISAKMP_ETYPE_QUICK, iph2->flags, iph2->msgid);
1693 1803 }
1694 1804
1695 1805 #if 0
1696 1806 /*
1697 1807 * set values into allocated buffer of isakmp header for phase 1
1698 1808 */
1699 1809 caddr_t
1700 1810 set_isakmp_header1(vbuf, iph1, nptype)
1701 1811 rc_vchar_t *vbuf;
1702 1812 struct ph1handle *iph1;
1703 1813 {
1704 1814 struct isakmp *isakmp;
1705 1815 struct isakmp_construct res;
1706 1816
1707 1817 res.buff = NULL;
1708 1818 res.np = NULL;
1709 1819
1710 1820 if (vbuf->l < sizeof(*isakmp))
1711 1821 return res;
1712 1822
1713 1823 isakmp = (struct isakmp *)vbuf->v;
1714 1824 memcpy(&isakmp->i_ck, &iph1->index.i_ck, sizeof(isakmp_cookie_t));
1715 1825 memcpy(&isakmp->r_ck, &iph1->index.r_ck, sizeof(isakmp_cookie_t));
1716 1826 isakmp->np = nptype;
1717 1827 isakmp->v = iph1->version;
1718 1828 isakmp->etype = iph1->etype;
1719 1829 isakmp->flags = iph1->flags;
1720 1830 isakmp->msgid = iph1->msgid;
1721 1831 put_uint32(&isakmp->len, vbuf->l);
1722 1832
1723 1833 res.np = &(isakmp->np);
1724 1834 res.buff = vbuf->v + sizeof(*isakmp);
1725 1835
1726 1836 return res;
1727 1837 }
1728 1838
1729 1839 /*
1730 1840 * set values into allocated buffer of isakmp header for phase 2
1731 1841 */
1732 1842 caddr_t
1733 1843 set_isakmp_header2(vbuf, iph2, nptype)
1734 1844 rc_vchar_t *vbuf;
1735 1845 struct ph2handle *iph2;
1736 1846 int nptype;
1737 1847 {
1738 1848 struct isakmp *isakmp;
1739 1849
1740 1850 if (vbuf->l < sizeof(*isakmp))
1741 1851 return NULL;
1742 1852
1743 1853 isakmp = (struct isakmp *)vbuf->v;
1744 1854 memcpy(&isakmp->i_ck, &iph2->ph1->index.i_ck, sizeof(isakmp_cookie_t));
1745 1855 memcpy(&isakmp->r_ck, &iph2->ph1->index.r_ck, sizeof(isakmp_cookie_t));
1746 1856 isakmp->np = nptype;
1747 1857 isakmp->v = iph2->ph1->version;
1748 1858 isakmp->etype = ISAKMP_ETYPE_QUICK;
1749 1859 isakmp->flags = iph2->flags;
1750 1860 memcpy(&isakmp->msgid, &iph2->msgid, sizeof(isakmp->msgid));
1751 1861 put_uint32(&isakmp->len, vbuf->l);
1752 1862
1753 1863 return vbuf->v + sizeof(*isakmp);
1754 1864 }
1755 1865 #endif
1756 1866
1757 1867 /*
1758 1868 * set values into allocated buffer of isakmp payload.
1759 1869 */
1760 1870 struct isakmp_construct
1761 1871 set_isakmp_payload_c(struct isakmp_construct constr, rc_vchar_t *src, int nptype)
1762 1872 {
1763 1873 struct isakmp_gen *gen;
1764 1874 caddr_t p = constr.buff;
1765 1875
1766 1876 plog(PLOG_DEBUG, PLOGLOC, NULL, "add payload of len %lu, next type %d\n",
1767 1877 (unsigned long)src->l, nptype);
1768 1878
1769 1879 *constr.np = nptype;
1770 1880 gen = (struct isakmp_gen *)p;
1771 1881 gen->np = ISAKMP_NPTYPE_NONE;
1772 1882 put_uint16(&gen->len, sizeof(*gen) + src->l);
1773 1883 p += sizeof(*gen);
1774 1884 memcpy(p, src->v, src->l);
1775 1885 p += src->l;
1776 1886
1777 1887 constr.np = &(gen->np);
1778 1888 constr.buff = p;
1779 1889
1780 1890 return constr;
1781 1891 }
1782 1892
1783 1893 /*
1784 1894 * set values into allocated buffer of isakmp payload.
1785 1895 */
1786 1896 caddr_t
1787 1897 set_isakmp_payload(caddr_t buf, rc_vchar_t *src, int nptype)
1788 1898 {
1789 1899 struct isakmp_gen *gen;
1790 1900 caddr_t p = buf;
1791 1901
1792 1902 plog(PLOG_DEBUG, PLOGLOC, NULL, "add payload of len %lu, next type %d\n",
1793 1903 (unsigned long)src->l, nptype);
1794 1904
1795 1905 gen = (struct isakmp_gen *)p;
1796 1906 gen->np = nptype;
1797 1907 put_uint16(&gen->len, sizeof(*gen) + src->l);
1798 1908 p += sizeof(*gen);
1799 1909 memcpy(p, src->v, src->l);
1800 1910 p += src->l;
1801 1911
1802 1912 return p;
1803 1913 }
1804 1914
1805 1915 /*
1806 1916 * conversion routine for use with dispatch tables
1807 1917 */
1808 1918 static int
1809 1919 etypesw1(int etype)
1810 1920 {
1811 1921 switch (etype) {
1812 1922 case ISAKMP_ETYPE_IDENT:
1813 1923 return 1;
1814 1924 case ISAKMP_ETYPE_AGG:
1815 1925 return 2;
1816 1926 case ISAKMP_ETYPE_BASE:
1817 1927 return 3;
1818 1928 default:
1819 1929 return 0;
1820 1930 }
1821 1931 /*NOTREACHED*/}
1822 1932
1823 1933 static int
1824 1934 etypesw2(int etype)
1825 1935 {
1826 1936 switch (etype) {
1827 1937 case ISAKMP_ETYPE_QUICK:
1828 1938 return 1;
1829 1939 default:
1830 1940 return 0;
1831 1941 }
1832 1942 /*NOTREACHED*/}
1833 1943
1834 1944 int
1835 1945 copy_ph1addresses(struct ph1handle *iph1, struct rcf_remote *rmconf,
1836 1946 struct sockaddr *remote, struct sockaddr *local)
1837 1947 {
1838 1948 uint16_t *port = NULL;
1839 1949
1840 1950 /* address portion must be grabbed from real remote address "remote" */
1841 1951 iph1->remote = rcs_sadup(remote);
1842 1952 if (iph1->remote == NULL) {
1843 1953 delph1(iph1);
1844 1954 return -1;
1845 1955 }
1846 1956
1847 1957 /*
1848 1958 * if remote has no port # (in case of initiator - from ACQUIRE msg)
1849 1959 * - if remote.conf specifies port #, use that
1850 1960 * - if remote.conf does not, use 500
1851 1961 * if remote has port # (in case of responder - from recvfrom(2))
1852 1962 * respect content of "remote".
1853 1963 */
1854 1964 switch (iph1->remote->sa_family) {
1855 1965 case AF_INET:
1856 1966 port = &((struct sockaddr_in *)iph1->remote)->sin_port;
1857 1967 if (*port)
1858 1968 break;
1859 1969 *port = ((struct sockaddr_in *)rmconf->ikev1->peers_ipaddr->a.ipaddr)->sin_port;
1860 1970 if (*port)
1861 1971 break;
1862 1972 *port = htons(isakmp_port);
1863 1973 break;
1864 1974 #ifdef INET6
1865 1975 case AF_INET6:
1866 1976 port = &((struct sockaddr_in6 *)iph1->remote)->sin6_port;
1867 1977 if (*port)
1868 1978 break;
1869 1979 *port = ((struct sockaddr_in6 *)rmconf->ikev1->peers_ipaddr->a.ipaddr)->sin6_port;
1870 1980 if (*port)
1871 1981 break;
1872 1982 *port = htons(isakmp_port);
1873 1983 break;
1874 1984 #endif
1875 1985 default:
1876 1986 plog(PLOG_PROTOERR, PLOGLOC, NULL,
1877 1987 "invalid family: %d\n", iph1->remote->sa_family);
1878 1988 delph1(iph1);
1879 1989 return -1;
1880 1990 }
1881 1991
1882 1992 iph1->local = getlocaladdr(iph1->remote, local, isakmp_port);
1883 1993 if (iph1->local == NULL) {
1884 1994 delph1(iph1);
1885 1995 return -1;
1886 1996 }
1887 1997
1888 1998 switch (iph1->local->sa_family) {
1889 1999 case AF_INET:
1890 2000 port = &((struct sockaddr_in *)iph1->local)->sin_port;
1891 2001 break;
1892 2002 #ifdef INET6
1893 2003 case AF_INET6:
1894 2004 port = &((struct sockaddr_in6 *)iph1->local)->sin6_port;
1895 2005 break;
1896 2006 #endif
1897 2007 default:
1898 2008 plog(PLOG_PROTOERR, PLOGLOC, NULL,
1899 2009 "invalid family: %d\n", iph1->remote->sa_family);
1900 2010 delph1(iph1);
1901 2011 return -1;
1902 2012 }
1903 2013 if (*port == 0)
1904 2014 *port = htons(isakmp_port);
1905 2015
1906 2016 return 0;
1907 2017 }
1908 2018
1909 2019 static int
1910 2020 nostate1(struct ph1handle *iph1, rc_vchar_t *msg)
1911 2021 {
1912 2022 plog(PLOG_PROTOERR, PLOGLOC, 0, "wrong state %u.\n",
1913 2023 iph1->status);
1914 2024 return -1;
1915 2025 }
1916 2026
1917 2027 static int
1918 2028 nostate2(struct ph2handle *iph2, rc_vchar_t *msg)
1919 2029 {
1920 2030 plog(PLOG_PROTOERR, PLOGLOC, 0, "wrong state %u.\n",
1921 2031 iph2->status);
1922 2032 return -1;
1923 2033 }
1924 2034
1925 2035 void
1926 2036 log_ph1established(const struct ph1handle *iph1)
1927 2037 {
1928 2038 char *src, *dst;
1929 2039
1930 2040 src = strdup(rcs_sa2str(iph1->local));
1931 2041 dst = strdup(rcs_sa2str(iph1->remote));
1932 2042 plog(PLOG_INFO, PLOGLOC, NULL,
1933 2043 "ISAKMP-SA established %s-%s spi:%s\n",
1934 2044 src, dst, isakmp_pindex(&iph1->index, 0));
1935 2045 racoon_free(src);
1936 2046 racoon_free(dst);
1937 2047
1938 2048 return;
1939 2049 }
1940 2050
1941 2051 /*
1942 2052 * calculate cookie and set.
1943 2053 */
1944 2054 int
1945 2055 isakmp_newcookie(caddr_t place, struct sockaddr *remote, struct sockaddr *local)
1946 2056 {
1947 2057 rc_vchar_t *buf = NULL, *buf2 = NULL;
1948 2058 char *p;
1949 2059 int blen;
1950 2060 int alen;
1951 2061 caddr_t sa1, sa2;
1952 2062 time_t t;
1953 2063 int error = -1;
1954 2064 uint16_t port;
1955 2065 const int secret_size = 16;
1956 2066
1957 2067 if (remote->sa_family != local->sa_family) {
1958 2068 plog(PLOG_PROTOERR, PLOGLOC, NULL,
1959 2069 "address family mismatch, remote:%d local:%d\n",
1960 2070 remote->sa_family, local->sa_family);
1961 2071 goto end;
1962 2072 }
1963 2073 switch (remote->sa_family) {
1964 2074 case AF_INET:
1965 2075 alen = sizeof(struct in_addr);
1966 2076 sa1 = (caddr_t)&((struct sockaddr_in *)remote)->sin_addr;
1967 2077 sa2 = (caddr_t)&((struct sockaddr_in *)local)->sin_addr;
1968 2078 break;
1969 2079 #ifdef INET6
1970 2080 case AF_INET6:
1971 2081 alen = sizeof(struct in6_addr);
1972 2082 sa1 = (caddr_t)&((struct sockaddr_in6 *)remote)->sin6_addr;
1973 2083 sa2 = (caddr_t)&((struct sockaddr_in6 *)local)->sin6_addr;
1974 2084 break;
1975 2085 #endif
1976 2086 default:
1977 2087 plog(PLOG_PROTOERR, PLOGLOC, NULL,
1978 2088 "invalid family: %d\n", remote->sa_family);
1979 2089 goto end;
1980 2090 }
1981 2091 blen = (alen + sizeof(uint16_t)) * 2
1982 2092 + sizeof(time_t) + secret_size;
1983 2093 buf = rc_vmalloc(blen);
1984 2094 if (buf == NULL) {
1985 2095 plog(PLOG_INTERR, PLOGLOC, NULL, "failed to get a cookie.\n");
1986 2096 goto end;
1987 2097 }
1988 2098 p = buf->v;
1989 2099
1990 2100 /* copy my address */
1991 2101 memcpy(p, sa1, alen);
1992 2102 p += alen;
1993 2103 port = ((struct sockaddr_in *)remote)->sin_port;
1994 2104 memcpy(p, &port, sizeof(uint16_t));
1995 2105 p += sizeof(uint16_t);
1996 2106
1997 2107 /* copy target address */
1998 2108 memcpy(p, sa2, alen);
1999 2109 p += alen;
2000 2110 port = ((struct sockaddr_in *)local)->sin_port;
2001 2111 memcpy(p, &port, sizeof(uint16_t));
2002 2112 p += sizeof(uint16_t);
2003 2113
2004 2114 /* copy time */
2005 2115 t = time(0);
2006 2116 memcpy(p, (caddr_t)&t, sizeof(t));
2007 2117 p += sizeof(t);
2008 2118
2009 2119 /* copy random value */
2010 2120 buf2 = eay_set_random(secret_size);
2011 2121 if (buf2 == NULL)
2012 2122 goto end;
2013 2123 memcpy(p, buf2->v, secret_size);
2014 2124 p += secret_size;
2015 2125 rc_vfree(buf2);
2016 2126
2017 2127 buf2 = eay_sha1_one(buf);
2018 2128 memcpy(place, buf2->v, sizeof(isakmp_cookie_t));
2019 2129
2020 2130 sa1 = val2str(place, sizeof(isakmp_cookie_t));
2021 2131 plog(PLOG_DEBUG, PLOGLOC, NULL, "new cookie:\n%s\n", sa1);
2022 2132 racoon_free(sa1);
2023 2133
2024 2134 error = 0;
2025 2135 end:
2026 2136 if (buf != NULL)
2027 2137 rc_vfree(buf);
2028 2138 if (buf2 != NULL)
2029 2139 rc_vfree(buf2);
2030 2140 return error;
2031 2141 }
2032 2142
2033 2143 /*
2034 2144 * save partner's(payload) data into phhandle.
2035 2145 */
2036 2146 int
2037 2147 isakmp_p2ph(rc_vchar_t **buf, struct isakmp_gen *gen)
2038 2148 {
2039 2149 /* XXX to be checked in each functions for logging. */
2040 2150 if (*buf) {
2041 2151 plog(PLOG_PROTOWARN, PLOGLOC, NULL,
2042 2152 "ignore this payload, same payload type exist.\n");
2043 2153 return -1;
2044 2154 }
2045 2155
2046 2156 *buf = rc_vmalloc(get_uint16(&gen->len) - sizeof(*gen));
2047 2157 if (*buf == NULL) {
2048 2158 plog(PLOG_INTERR, PLOGLOC, NULL, "failed to get buffer.\n");
2049 2159 return -1;
2050 2160 }
2051 2161 memcpy((*buf)->v, gen + 1, (*buf)->l);
2052 2162
2053 2163 return 0;
2054 2164 }
2055 2165
2056 2166 #if 0
2057 2167 static int
2058 2168 check_spi_size(proto_id, size)
2059 2169 int proto_id, size;
2060 2170 {
2061 2171 switch (proto_id) {
2062 2172 case IPSECDOI_PROTO_ISAKMP:
2063 2173 if (size != 0) {
2064 2174 /* WARNING */
2065 2175 plog(PLOG_DEBUG, PLOGLOC, NULL,
2066 2176 "SPI size isn't zero, but IKE proposal.\n");
2067 2177 }
2068 2178 return 0;
2069 2179
2070 2180 case IPSECDOI_PROTO_IPSEC_AH:
2071 2181 case IPSECDOI_PROTO_IPSEC_ESP:
2072 2182 if (size != 4) {
2073 2183 plog(PLOG_PROTOERR, PLOGLOC, NULL,
2074 2184 "invalid SPI size=%d for IPSEC proposal.\n", size);
2075 2185 return -1;
2076 2186 }
2077 2187 return 0;
2078 2188
2079 2189 case IPSECDOI_PROTO_IPCOMP:
2080 2190 if (size != 2 && size != 4) {
2081 2191 plog(PLOG_INTERR, PLOGLOC, NULL,
2082 2192 "invalid SPI size=%d for IPCOMP proposal.\n",
2083 2193 size);
2084 2194 return -1;
2085 2195 }
2086 2196 return 0;
2087 2197
2088 2198 default:
2089 2199 /* ??? */
2090 2200 return -1;
2091 2201 }
2092 2202 /* NOT REACHED */
2093 2203 }
2094 2204 #endif
2095 2205
2096 2206
2097 2207 /*
2098 2208 * parse ISAKMP payloads, without ISAKMP base header.
2099 2209 */
2100 2210 rc_vchar_t *
2101 2211 isakmp_parsewoh(int np0, struct isakmp_gen *gen, int len)
2102 2212 {
2103 2213 unsigned char np = np0 & 0xff;
2104 2214 int tlen, plen;
2105 2215 rc_vchar_t *result;
2106 2216 struct isakmp_parse_t *p, *ep;
2107 2217
2108 2218 plog(PLOG_DEBUG, PLOGLOC, NULL, "begin.\n");
2109 2219
2110 2220 /*
2111 2221 * 5 is a magic number, but any value larger than 2 should be fine
2112 2222 * as we do rc_vrealloc() in the following loop.
2113 2223 */
2114 2224 result = rc_vmalloc(sizeof(struct isakmp_parse_t) * 5);
2115 2225 if (result == NULL) {
2116 2226 plog(PLOG_INTERR, PLOGLOC, 0,
2117 2227 "failed to get buffer.\n");
2118 2228 return NULL;
2119 2229 }
2120 2230 p = (struct isakmp_parse_t *)result->v;
2121 2231 ep = (struct isakmp_parse_t *)(result->v + result->l - sizeof(*ep));
2122 2232
2123 2233 tlen = len;
2124 2234
2125 2235 /* parse through general headers */
2126 2236 while (0 < tlen && np != ISAKMP_NPTYPE_NONE) {
2127 2237 if (tlen <= sizeof(struct isakmp_gen)) {
2128 2238 /* don't send information, see isakmp_ident_r1() */
2129 2239 plog(PLOG_PROTOERR, PLOGLOC, 0,
2130 2240 "invalid length of payload\n");
2131 2241 rc_vfree(result);
2132 2242 return NULL;
2133 2243 }
2134 2244
2135 2245 plog(PLOG_DEBUG, PLOGLOC, NULL,
2136 2246 "seen nptype=%u(%s)\n", np, s_isakmp_nptype(np));
2137 2247
2138 2248 p->type = np;
2139 2249 p->len = get_uint16(&gen->len);
2140 2250 if (p->len < sizeof(struct isakmp_gen) || p->len > tlen) {
2141 2251 plog(PLOG_DEBUG, PLOGLOC, NULL,
2142 2252 "invalid length of payload\n");
2143 2253 rc_vfree(result);
2144 2254 return NULL;
2145 2255 }
2146 2256 p->ptr = gen;
2147 2257 p++;
2148 2258 if (ep <= p) {
2149 2259 int off;
2150 2260
2151 2261 off = p - (struct isakmp_parse_t *)result->v;
2152 2262 result = rc_vrealloc(result, result->l * 2);
2153 2263 if (result == NULL) {
2154 2264 plog(PLOG_DEBUG, PLOGLOC, NULL,
2155 2265 "failed to realloc buffer.\n");
2156 2266 rc_vfree(result);
2157 2267 return NULL;
2158 2268 }
2159 2269 ep = (struct isakmp_parse_t *)
2160 2270 (result->v + result->l - sizeof(*ep));
2161 2271 p = (struct isakmp_parse_t *)result->v;
2162 2272 p += off;
2163 2273 }
2164 2274
2165 2275 np = gen->np;
2166 2276 plen = get_uint16(&gen->len);
2167 2277 gen = (struct isakmp_gen *)((caddr_t)gen + plen);
2168 2278 tlen -= plen;
2169 2279 }
2170 2280 p->type = ISAKMP_NPTYPE_NONE;
2171 2281 p->len = 0;
2172 2282 p->ptr = NULL;
2173 2283
2174 2284 plog(PLOG_DEBUG, PLOGLOC, NULL, "succeed.\n");
2175 2285
2176 2286 return result;
2177 2287 }
2178 2288
2179 2289
2180 2290 /*
2181 2291 * parse ISAKMP payloads, including ISAKMP base header.
2182 2292 */
2183 2293 rc_vchar_t *
2184 2294 isakmp_parse(rc_vchar_t *buf)
2185 2295 {
2186 2296 struct isakmp *isakmp = (struct isakmp *)buf->v;
2187 2297 struct isakmp_gen *gen;
2188 2298 int tlen;
2189 2299 rc_vchar_t *result;
2190 2300 unsigned char np;
2191 2301
2192 2302 np = isakmp->np;
2193 2303 gen = (struct isakmp_gen *)(buf->v + sizeof(*isakmp));
2194 2304 tlen = buf->l - sizeof(struct isakmp);
2195 2305 result = isakmp_parsewoh(np, gen, tlen);
2196 2306
2197 2307 return result;
2198 2308 }
2199 2309
2200 2310
2201 2311 int
2202 2312 isakmp_send(struct ph1handle *iph1, rc_vchar_t *sbuf)
2203 2313 {
2204 2314 int len = 0;
2205 2315 int s;
2206 2316 rc_vchar_t *vbuf = NULL;
2207 2317
2208 2318 #ifdef ENABLE_NATT
2209 2319 size_t extralen = NON_ESP_MARKER_USE(iph1) ? NON_ESP_MARKER_LEN : 0;
2210 2320
2211 2321 #ifdef ENABLE_FRAG
2212 2322 /*
2213 2323 * Do not add the non ESP marker for a packet that will
2214 2324 * be fragmented. The non ESP marker should appear in
2215 2325 * all fragment's packets, but not in the fragmented packet
2216 2326 */
2217 2327 if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN)
2218 2328 extralen = 0;
2219 2329 #endif
2220 2330 if (extralen)
2221 2331 plog (PLOG_DEBUG, PLOGLOC, NULL, "Adding NON-ESP marker\n");
2222 2332
2223 2333 /* If NAT-T port floating is in use, 4 zero bytes (non-ESP marker)
2224 2334 must added just before the packet itself. For this we must
2225 2335 allocate a new buffer and release it at the end. */
2226 2336 if (extralen) {
2227 2337 if ((vbuf = rc_vmalloc (sbuf->l + extralen)) == NULL) {
2228 2338 plog(PLOG_INTERR, PLOGLOC, NULL,
2229 2339 "vbuf allocation failed\n");
2230 2340 return -1;
2231 2341 }
2232 2342 *(uint32_t *)vbuf->v = 0;
2233 2343 memcpy (vbuf->v + extralen, sbuf->v, sbuf->l);
2234 2344 sbuf = vbuf;
2235 2345 }
2236 2346 #endif
2237 2347
2238 2348 /* select the socket to be sent */
2239 2349 s = getsockmyaddr(iph1->local);
2240 2350 if (s == -1){
2241 2351 if ( vbuf != NULL )
2242 2352 rc_vfree(vbuf);
2243 2353 return -1;
2244 2354 }
2245 2355
2246 2356 plog(PLOG_DEBUG, PLOGLOC, NULL, "%zu bytes from %s to %s\n",
2247 2357 sbuf->l, rcs_sa2str(iph1->local), rcs_sa2str(iph1->remote));
2248 2358
2249 2359 #ifdef ENABLE_FRAG
2250 2360 if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN) {
2251 2361 if (isakmp_sendfrags(iph1, sbuf) == -1) {
2252 2362 plog(PLOG_INTERR, PLOGLOC, NULL,
2253 2363 "isakmp_sendfrags failed\n");
2254 2364 if ( vbuf != NULL )
2255 2365 rc_vfree(vbuf);
2256 2366 return -1;
2257 2367 }
2258 2368 } else
2259 2369 #endif
2260 2370 {
2261 2371 len = sendfromto(s, sbuf->v, sbuf->l,
2262 2372 iph1->local, iph1->remote, ikev1_times_per_send(iph1->rmconf));
2263 2373
2264 2374 if (len == -1) {
2265 2375 plog(PLOG_INTERR, PLOGLOC, NULL, "sendfromto failed\n");
2266 2376 if ( vbuf != NULL )
2267 2377 rc_vfree(vbuf);
2268 2378 return -1;
2269 2379 }
2270 2380 }
2271 2381
2272 2382 if ( vbuf != NULL )
2273 2383 rc_vfree(vbuf);
2274 2384
2275 2385 return 0;
2276 2386 }
2277 2387
2278 2388 void
2279 2389 ikev1_set_rmconf(struct ph1handle *iph1, struct rcf_remote *conf)
2280 2390 {
2281 2391 if (iph1->rmconf)
2282 2392 rcf_free_remote(iph1->rmconf);
2283 2393
2284 2394 iph1->rmconf = conf;
2285 2395 }
2286 2396
2287 2397 int
2288 2398 ikev1_verify_cert(struct rcf_remote *conf)
2289 2399 {
2290 2400 return ikev1_verify_pubkey(conf) != RCT_BOOL_OFF;
2291 2401 }
2292 2402
2293 2403
2294 2404 int
2295 2405 ikev1_getcert_method(struct rcf_remote *conf)
2296 2406 {
2297 2407 return ISAKMP_GETCERT_LOCALFILE;
2298 2408 }
2299 2409
2300 2410 int
2301 2411 ikev1_certtype(struct rcf_remote *conf)
2302 2412 {
2303 2413 return ISAKMP_CERT_X509SIGN;
2304 2414 /* ISAKMP_CERT_PLAINRSA; */
2305 2415 }
2306 2416
2307 2417 /*remoteconf.c*/
2308 2418 struct rcf_remote *
2309 2419 getrmconf(struct sockaddr *remote)
2310 2420 {
2311 2421 struct rcf_remote *conf;
2312 2422
2313 2423 conf = ikev1_conf_find(remote);
2314 2424 if (!conf) {
2315 2425 /* if no config with src addr, use default */
2316 2426 extern struct rcf_default *rcf_default_head;
2317 2427 extern struct rcf_remote *rcf_deepcopy_remote(struct rcf_remote *);
2318 2428 if (rcf_default_head && rcf_default_head->remote) {
2319 2429 plog(PLOG_DEBUG, PLOGLOC, 0,
2320 2430 "anonymous configuration selected for %s.\n",
2321 2431 rcs_sa2str(remote));
2322 2432 conf = rcf_deepcopy_remote(rcf_default_head->remote);
2323 2433 }
2324 2434 }
2325 2435 return conf;
2326 2436 }
2327 2437
2328 2438
2329 2439 /*isakmp.c*/
2330 2440 uint32_t
2331 2441 isakmp_newmsgid2(struct ph1handle *iph1)
2332 2442 {
2333 2443 uint32_t msgid2;
2334 2444
2335 2445 do {
2336 2446 msgid2 = eay_random_uint32();
2337 2447 } while (getph2bymsgid(iph1, msgid2));
2338 2448
2339 2449 return msgid2;
2340 2450 }
2341 2451
2342 2452
2343 2453 /**/
2344 2454 int
2345 2455 ikev1_doitype(struct rcf_remote *conf)
2346 2456 {
2347 2457 return IPSEC_DOI; /* ??? */
2348 2458 }
2349 2459
2350 2460 /**/
2351 2461 int
2352 2462 ikev1_sittype(struct rcf_remote *conf)
2353 2463 {
2354 2464 return IPSECDOI_SIT_IDENTITY_ONLY;
2355 2465 }
2356 2466
2357 2467
2358 2468 /*??*/
2359 2469 size_t
2360 2470 sysdep_sa_len(struct sockaddr *a)
2361 2471 {
2362 2472 return SA_LEN(a);
2363 2473 }
2364 2474
2365 2475
2366 2476 int
2367 2477 ikev1_weak_phase1_check(struct rcf_remote *conf)
2368 2478 {
2369 2479 return 0;
2370 2480 }
2371 2481
2372 2482
2373 2483 /*remoteconf.c*/
2374 2484 /*%%%*/
2375 2485 struct isakmpsa *
2376 2486 newisakmpsa(void)
2377 2487 {
2378 2488 struct isakmpsa *new;
2379 2489
2380 2490 new = racoon_calloc(1, sizeof(*new));
2381 2491 if (new == NULL)
2382 2492 return NULL;
2383 2493
2384 2494 /*
2385 2495 * Just for sanity, make sure this is initialized. This is
2386 2496 * filled in for real when the ISAKMP proposal is configured.
2387 2497 */
2388 2498 new->vendorid = VENDORID_UNKNOWN;
2389 2499
2390 2500 new->next = NULL;
2391 2501 new->rmconf = NULL;
2392 2502 #ifdef HAVE_GSSAPI
2393 2503 new->gssid = NULL;
2394 2504 #endif
2395 2505
2396 2506 return new;
2397 2507 }
2398 2508
2399 2509 struct isakmpsa *
2400 2510 dupisakmpsa(struct isakmpsa *sa)
2401 2511 {
2402 2512 struct isakmpsa *res = NULL;
2403 2513
2404 2514 if (sa == NULL)
2405 2515 return NULL;
2406 2516
2407 2517 res = newisakmpsa();
2408 2518 if(res == NULL)
2409 2519 return NULL;
2410 2520
2411 2521 *res = *sa;
2412 2522 #ifdef HAVE_GSSAPI
2413 2523 /*
2414 2524 * XXX gssid
2415 2525 */
2416 2526 #endif
2417 2527 res->next=NULL;
2418 2528
2419 2529 if (sa->dhgrp != NULL)
2420 2530 oakley_setdhgroup(sa->dh_group, &(res->dhgrp));
2421 2531
2422 2532 return res;
2423 2533
2424 2534 }
2425 2535
2426 2536 /*
2427 2537 * insert into tail of list.
2428 2538 */
2429 2539 struct isakmpsa *
2430 2540 insisakmpsa(struct isakmpsa *new, struct isakmpsa *list)
2431 2541 {
2432 2542 struct isakmpsa *p;
2433 2543
2434 2544 if (list == NULL) {
2435 2545 return new;
2436 2546 } else {
2437 2547 for (p = list; p->next != NULL; p = p->next)
2438 2548 ;
2439 2549 p->next = new;
2440 2550 return list;
2441 2551 }
2442 2552 }
2443 2553
2444 2554 void
2445 2555 delisakmpsa(struct isakmpsa *sa)
2446 2556 {
2447 2557 if (sa->dhgrp)
2448 2558 oakley_dhgrp_free(sa->dhgrp);
2449 2559 if (sa->next)
2450 2560 delisakmpsa(sa->next);
2451 2561 #ifdef HAVE_GSSAPI
2452 2562 if (sa->gssid)
2453 2563 rc_vfree(sa->gssid);
2454 2564 #endif
2455 2565 racoon_free(sa);
2456 2566 }
2457 2567
2458 2568
2459 2569 struct isakmpsa *
2460 2570 ikev1_conf_to_isakmpsa(struct rcf_remote *rmconf)
2461 2571 {
2462 2572 const int prop_no = 1;
2463 2573 int trns_no = 1;
2464 2574 struct rc_alglist *auth, *dh, *enc, *hash;
2465 2575 struct isakmpsa *sa;
2466 2576 struct isakmpsa *result = 0;
2467 2577
2468 2578 for (auth = ikev1_kmp_auth_method(rmconf); auth; auth = auth->next) {
2469 2579 for (dh = ikev1_kmp_dh_group(rmconf); dh; dh = dh->next) {
2470 2580 for (enc = ikev1_kmp_enc_alg(rmconf); enc; enc = enc->next) {
2471 2581 for (hash = ikev1_kmp_hash_alg(rmconf); hash; hash = hash->next) {
2472 2582 sa = create_isakmpsa(prop_no,
2473 2583 trns_no,
2474 2584 auth,
2475 2585 dh,
2476 2586 enc,
2477 2587 hash,
2478 2588 rmconf,
2479 2589 ikev1_my_gssapi_id(rmconf));
2480 2590 ++trns_no;
2481 2591 if (! sa) {
2482 2592 plog(PLOG_INTERR, PLOGLOC, 0,
2483 2593 "failed to create isakmp proposal\n");
2484 2594 return NULL;
2485 2595 }
2486 2596 result = insisakmpsa(sa, result);
2487 2597 }
2488 2598 }
2489 2599 }
2490 2600 }
2491 2601
2492 2602 return result;
2493 2603 }
2494 2604
2495 2605
2496 2606 static int
2497 2607 enc_keylen(rc_type algtype, int keylen)
2498 2608 {
2499 2609 switch (algtype) {
2500 2610 case RCT_ALG_AES128_CBC:
2501 2611 return 128;
2502 2612 case RCT_ALG_AES192_CBC:
2503 2613 return 192;
2504 2614 case RCT_ALG_AES256_CBC:
2505 2615 return 256;
2506 2616 default:
2507 2617 return keylen;
2508 2618 }
2509 2619 }
2510 2620
2511 2621
2512 2622 static struct isakmpsa *
2513 2623 create_isakmpsa(int prop_no, int trns_no,
2514 2624 struct rc_alglist *auth,
2515 2625 struct rc_alglist *dh,
2516 2626 struct rc_alglist *enc,
2517 2627 struct rc_alglist *hash,
2518 2628 struct rcf_remote *rmconf, rc_vchar_t *gssid)
2519 2629 {
2520 2630 struct isakmpsa *new;
2521 2631
2522 2632 new = newisakmpsa();
2523 2633 if (new == NULL) {
2524 2634 plog(PLOG_INTERR, PLOGLOC, 0,
2525 2635 "failed allocating memory for isakmp proposal\n");
2526 2636 return 0;
2527 2637 }
2528 2638 new->prop_no = prop_no;
2529 2639 new->trns_no = trns_no;
2530 2640 new->lifetime = ikev1_kmp_sa_lifetime_time(rmconf);
2531 2641 new->lifebyte = ikev1_kmp_sa_lifetime_byte(rmconf);
2532 2642 new->lifebyte = (new->lifebyte + 1023) >> 10;
2533 2643 new->enctype = alg_oakley_encdef_doi(enc->algtype);
2534 2644 new->encklen = enc_keylen(enc->algtype, enc->keylen);
2535 2645 new->authmethod = alg_oakley_authdef_doi(auth->algtype);
2536 2646 new->hashtype = alg_oakley_hashdef_doi(hash->algtype);
2537 2647 new->dh_group = alg_oakley_dhdef_doi(dh->algtype);
2538 2648 new->vendorid = VENDORID_UNKNOWN; /*vendorid;*/
2539 2649 new->rmconf = rmconf;
2540 2650 #ifdef HAVE_GSSAPI
2541 2651 if (new->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) {
2542 2652 if (gssid != NULL) {
2543 2653 new->gssid = rc_vmalloc(strlen(gssid));
2544 2654 memcpy(new->gssid->v, gssid, new->gssid->l);
2545 2655 racoon_free(gssid);
2546 2656 } else {
2547 2657 /*
2548 2658 * Allocate the default ID so that it gets put
2549 2659 * into a GSS ID attribute during the Phase 1
2550 2660 * exchange.
2551 2661 */
2552 2662 new->gssid = gssapi_get_default_gss_id();
2553 2663 }
2554 2664 }
2555 2665 #endif
2556 2666
2557 2667 return new;
2558 2668 }
2559 2669
2560 2670 /*policy.c */
2561 2671 void
2562 2672 delsp_bothdir(struct policyindex *p)
2563 2673 {
2564 2674 plog(PLOG_INTERR, PLOGLOC, 0, "unimplemented\n");
2565 2675 }
2566 2676
2567 2677
2568 2678 int
2569 2679 getsockmyaddr(struct sockaddr *addr)
2570 2680 {
2571 2681 extern int isakmp_find_socket();
2572 2682
2573 2683 return isakmp_find_socket(addr);
2574 2684 }
2575 2685
2576 2686
2577 2687 int
2578 2688 ikev1_cacerttype(struct rcf_remote *conf)
2579 2689 {
2580 2690 return ISAKMP_CERT_X509SIGN;
2581 2691 }
2582 2692
2583 2693
2584 2694 static int
2585 2695 check_ph2_id_type(int type)
2586 2696 {
2587 2697 switch (type) {
2588 2698 case IPSECDOI_ID_IPV4_ADDR:
2589 2699 case IPSECDOI_ID_IPV4_ADDR_SUBNET:
2590 2700 case IPSECDOI_ID_IPV6_ADDR:
2591 2701 case IPSECDOI_ID_IPV6_ADDR_SUBNET:
2592 2702 return TRUE;
2593 2703 break;
2594 2704 case IPSECDOI_ID_IPV4_ADDR_RANGE:
2595 2705 case IPSECDOI_ID_IPV6_ADDR_RANGE:
2596 2706 default:
2597 2707 return FALSE;
2598 2708 }
2599 2709 }
2600 2710
2601 2711
2602 2712 static int
2603 2713 id_is_matching(struct rc_addrlist *addr, int upper_layer_protocol,
2604 2714 rc_vchar_t *id)
2605 2715 {
2606 2716 int error;
2607 2717 uint8_t plen;
2608 2718 uint16_t ulproto;
2609 2719 struct ipsecdoi_id_b *idb;
2610 2720 struct sockaddr_storage ss;
2611 2721
2612 2722 idb = (struct ipsecdoi_id_b *)id->v;
2613 2723 switch (idb->type) {
2614 2724 case IPSECDOI_ID_IPV4_ADDR:
2615 2725 case IPSECDOI_ID_IPV4_ADDR_SUBNET:
2616 2726 case IPSECDOI_ID_IPV6_ADDR:
2617 2727 case IPSECDOI_ID_IPV6_ADDR_SUBNET:
2618 2728 if (addr->type != RCT_ADDR_INET)
2619 2729 return FALSE;
2620 2730
2621 2731 /* get a source address of inbound SA */
2622 2732 error = ipsecdoi_id2sockaddr(id,
2623 2733 (struct sockaddr *)&ss,
2624 2734 &plen,
2625 2735 &ulproto);
2626 2736 if (error)
2627 2737 return FALSE;
2628 2738
2629 2739 #ifdef INET6
2630 2740 /* scope? */
2631 2741 #endif
2632 2742 break;
2633 2743
2634 2744 default:
2635 2745 return FALSE;
2636 2746 }
2637 2747
2638 2748 if (rcs_cmpsa(addr->a.ipaddr, (struct sockaddr *)&ss) != 0)
2639 2749 return FALSE;
2640 2750
2641 2751 if (upper_layer_protocol == RC_PROTO_ANY)
2642 2752 upper_layer_protocol = IPSEC_ULPROTO_ANY;
2643 2753
2644 2754 if (upper_layer_protocol != ulproto)
2645 2755 return FALSE;
2646 2756
2647 2757 return TRUE;
2648 2758 }
2649 2759
2650 2760
2651 2761 static void
2652 2762 free_selectorlist(struct rcf_selector *s)
2653 2763 {
2654 2764 struct rcf_selector *s_next;
2655 2765
2656 2766 for (; s; s = s_next) {
2657 2767 s_next = s->next;
2658 2768 rcf_free_selector(s);
2659 2769 }
2660 2770 }
2661 2771
2662 2772
2663 2773 struct rcf_selector *
2664 2774 ike_conf_find_ikev1sel_by_id(rc_vchar_t *id_local, rc_vchar_t *id_remote)
2665 2775 {
2666 2776 int upper_layer_protocol;
2667 2777 int err;
2668 2778 struct ipsecdoi_id_b *id_l;
2669 2779 struct ipsecdoi_id_b *id_r;
2670 2780 struct rcf_selector *s;
2671 2781 struct rcf_selector *s_next;
2672 2782 struct rc_addrlist *srclist;
2673 2783 struct rc_addrlist *dstlist;
2674 2784
2675 2785 id_l = (struct ipsecdoi_id_b *)id_local->v;
2676 2786 id_r = (struct ipsecdoi_id_b *)id_remote->v;
2677 2787
2678 2788 if (!check_ph2_id_type(id_l->type)) {
2679 2789 isakmp_log(0, 0, 0, 0,
2680 2790 PLOG_PROTOERR, PLOGLOC,
2681 2791 "received ID for localside (type %s) is not supported ID type\n",
2682 2792 s_ipsecdoi_ident(id_l->type));
2683 2793 return 0;
2684 2794 }
2685 2795 if (!check_ph2_id_type(id_r->type)) {
2686 2796 isakmp_log(0, 0, 0, 0,
2687 2797 PLOG_PROTOERR, PLOGLOC,
2688 2798 "received ID for remoteside (type %s) is not supported ID type\n",
2689 2799 s_ipsecdoi_ident(id_r->type));
2690 2800 return 0;
2691 2801 }
2692 2802
2693 2803 if (rcf_get_selectorlist(&s)) {
2694 2804 TRACE((PLOGLOC, "rcf_get_selectorlist() failed\n"));
2695 2805 return 0;
2696 2806 }
2697 2807
2698 2808 for (; s; s_next = s->next, rcf_free_selector(s), s = s_next) {
2699 2809 if (s->direction != RCT_DIR_OUTBOUND)
2700 2810 continue;
2701 2811 srclist = dstlist = 0;
2702 2812 err = rcs_extend_addrlist(s->src, &srclist);
2703 2813 if (err != 0) {
2704 2814 isakmp_log(0, 0, 0, 0,
2705 2815 PLOG_INTWARN, PLOGLOC,
2706 2816 "expanding src address of selector %s: %s\n",
2707 2817 rc_vmem2str(s->sl_index), gai_strerror(err));
2708 2818 goto next_selector;
2709 2819 }
2710 2820 err = rcs_extend_addrlist(s->dst, &dstlist);
2711 2821 if (err != 0) {
2712 2822 isakmp_log(0, 0, 0, 0,
2713 2823 PLOG_INTWARN, PLOGLOC,
2714 2824 "expanding dst address of selector %s: %s\n",
2715 2825 rc_vmem2str(s->sl_index), gai_strerror(err));
2716 2826 goto next_selector;
2717 2827 }
2718 2828 #if 0 /* it looks like spmd uses only the first address of expanded addresses */
2719 2829 for (src = srclist; src; src = src->next) {
2720 2830 if (ts_payload_is_matching(ts_r,
2721 2831 upper_layer_protocol,
2722 2832 src->a.ipaddr,
2723 2833 src->prefixlen)) {
2724 2834 for (dst = dstlist; dst; dst = dst->next) {
2725 2835 if (ts_payload_is_matching(ts_i,
2726 2836 upper_layer_protocol,
2727 2837 dst->a.ipaddr,
2728 2838 dst->prefixlen)) {
2729 2839 goto found;
2730 2840 }
2731 2841 }
2732 2842 }
2733 2843 }
2734 2844
2735 2845 continue;
2736 2846
2737 2847 found:
2738 2848 ...;
2739 2849 #endif
2740 2850
2741 2851 upper_layer_protocol = s->upper_layer_protocol;
2742 2852 if (id_is_matching(srclist, upper_layer_protocol, id_local)
2743 2853 && id_is_matching(dstlist, upper_layer_protocol, id_remote)) {
2744 2854 rcs_free_addrlist(srclist);
2745 2855 rcs_free_addrlist(dstlist);
2746 2856 free_selectorlist(s->next);
2747 2857 return s;
2748 2858 }
2749 2859
2750 2860 next_selector:
2751 2861 if (srclist)
2752 2862 rcs_free_addrlist(srclist);
2753 2863 if (dstlist)
2754 2864 rcs_free_addrlist(dstlist);
2755 2865 }
2756 2866
2757 2867 return 0;
2758 2868 }
2759 2869
2760 2870
2761 2871 struct payload_list *
2762 2872 isakmp_plist_append (struct payload_list *plist, rc_vchar_t *payload, int payload_type)
2763 2873 {
2764 2874 if (! plist) {
2765 2875 plist = racoon_malloc (sizeof (struct payload_list));
2766 2876 plist->prev = NULL;
2767 2877 }
2768 2878 else {
2769 2879 plist->next = racoon_malloc (sizeof (struct payload_list));
2770 2880 plist->next->prev = plist;
2771 2881 plist = plist->next;
2772 2882 }
2773 2883
2774 2884 plist->next = NULL;
2775 2885 plist->payload = payload;
2776 2886 plist->payload_type = payload_type;
2777 2887
2778 2888 return plist;
2779 2889 }
2780 2890
2781 2891 rc_vchar_t *
2782 2892 isakmp_plist_set_all (struct payload_list **plist, struct ph1handle *iph1)
2783 2893 {
2784 2894 struct payload_list *ptr, *first;
2785 2895 size_t tlen = sizeof (struct isakmp), n = 0;
2786 2896 rc_vchar_t *buf;
2787 2897 char *p;
2788 2898
2789 2899 if (plist == NULL) {
2790 2900 plog(PLOG_INTERR, PLOGLOC, NULL,
2791 2901 "in isakmp_plist_set_all: plist == NULL\n");
2792 2902 return NULL;
2793 2903 }
2794 2904
2795 2905 /* Seek to the first item. */
2796 2906 ptr = *plist;
2797 2907 while (ptr->prev)
2798 2908 ptr = ptr->prev;
2799 2909 first = ptr;
2800 2910
2801 2911 /* Compute the whole length. */
2802 2912 while (ptr) {
2803 2913 tlen += ptr->payload->l + sizeof (struct isakmp_gen);
2804 2914 ptr = ptr->next;
2805 2915 }
2806 2916
2807 2917 buf = rc_vmalloc(tlen);
2808 2918 if (buf == NULL) {
2809 2919 plog(PLOG_INTERR, PLOGLOC, NULL,
2810 2920 "failed to get buffer to send.\n");
2811 2921 goto end;
2812 2922 }
2813 2923
2814 2924 ptr = first;
2815 2925
2816 2926 p = set_isakmp_header1(buf, iph1, ptr->payload_type);
2817 2927 if (p == NULL)
2818 2928 goto end;
2819 2929
2820 2930 while (ptr)
2821 2931 {
2822 2932 p = set_isakmp_payload (p, ptr->payload, ptr->next ? ptr->next->payload_type : ISAKMP_NPTYPE_NONE);
2823 2933 first = ptr;
2824 2934 ptr = ptr->next;
2825 2935 racoon_free (first);
2826 2936 /* ptr->prev = NULL; first = NULL; ... omitted. */
2827 2937 n++;
2828 2938 }
2829 2939
2830 2940 *plist = NULL;
2831 2941
2832 2942 return buf;
2833 2943 end:
2834 2944 return NULL;
2835 2945 }
2836 2946
2837 2947
2838 2948 const char *
2839 2949 ipsec_strerror(void)
2840 2950 {
2841 2951 return "";
2842 2952 }
2843 2953
2844 2954 void
2845 2955 delete_spd(struct ph2handle *ph2)
2846 2956 {
2847 2957 plog(PLOG_INTWARN, PLOGLOC, 0, "unimplemented\n");
2848 2958 }