Context Navigation

isakmp.c @ ff36f5e

55-freebsd-126-freebsd-12

Last change on this file since ff36f5e was ff36f5e, checked in by Christian Mauderer <christian.mauderer@…>, on 05/30/18 at 12:27:35

Import ipsec-tools 0.8.2.

Import unchanged ipsec-tools sources in the release version 0.8.2. The
homepage of ipsec-tools is http://ipsec-tools.sourceforge.net/. The
sources can be obtained from there.

Property mode set to 100644

File size: 85.7 KB

Line
1	/* $NetBSD: isakmp.c,v 1.71.2.2 2012/08/29 08:55:26 tteras Exp $ */
2
3	/* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */
4
5	/*
6	* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7	* All rights reserved.
8	*
9	* Redistribution and use in source and binary forms, with or without
10	* modification, are permitted provided that the following conditions
11	* are met:
12	* 1. Redistributions of source code must retain the above copyright
13	* notice, this list of conditions and the following disclaimer.
14	* 2. Redistributions in binary form must reproduce the above copyright
15	* notice, this list of conditions and the following disclaimer in the
16	* documentation and/or other materials provided with the distribution.
17	* 3. Neither the name of the project nor the names of its contributors
18	* may be used to endorse or promote products derived from this software
19	* without specific prior written permission.
20	*
21	* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24	* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31	* SUCH DAMAGE.
32	*/
33
34	#include "config.h"
35
36	#include <sys/types.h>
37	#include <sys/param.h>
38	#include <sys/socket.h>
39	#include <sys/queue.h>
40
41	#include <netinet/in.h>
42	#include <arpa/inet.h>
43
44	#include PATH_IPSEC_H
45
46	#include <stdlib.h>
47	#include <stdio.h>
48	#include <string.h>
49	#include <errno.h>
50	#if TIME_WITH_SYS_TIME
51	# include <sys/time.h>
52	# include <time.h>
53	#else
54	# if HAVE_SYS_TIME_H
55	# include <sys/time.h>
56	# else
57	# include <time.h>
58	# endif
59	#endif
60	#include <netdb.h>
61	#ifdef HAVE_UNISTD_H
62	#include <unistd.h>
63	#endif
64	#include <ctype.h>
65	#ifdef ENABLE_HYBRID
66	#include <resolv.h>
67	#endif
68
69	#include "var.h"
70	#include "misc.h"
71	#include "vmbuf.h"
72	#include "plog.h"
73	#include "sockmisc.h"
74	#include "schedule.h"
75	#include "session.h"
76	#include "debug.h"
77
78	#include "remoteconf.h"
79	#include "localconf.h"
80	#include "grabmyaddr.h"
81	#include "admin.h"
82	#include "privsep.h"
83	#include "isakmp_var.h"
84	#include "isakmp.h"
85	#include "oakley.h"
86	#include "evt.h"
87	#include "handler.h"
88	#include "ipsec_doi.h"
89	#include "pfkey.h"
90	#include "crypto_openssl.h"
91	#include "policy.h"
92	#include "algorithm.h"
93	#include "proposal.h"
94	#include "sainfo.h"
95	#include "isakmp_ident.h"
96	#include "isakmp_agg.h"
97	#include "isakmp_base.h"
98	#include "isakmp_quick.h"
99	#include "isakmp_inf.h"
100	#include "isakmp_newg.h"
101	#ifdef ENABLE_HYBRID
102	#include "vendorid.h"
103	#include "isakmp_xauth.h"
104	#include "isakmp_unity.h"
105	#include "isakmp_cfg.h"
106	#endif
107	#ifdef ENABLE_FRAG
108	#include "isakmp_frag.h"
109	#endif
110	#include "strnames.h"
111
112	#include <fcntl.h>
113
114	#ifdef ENABLE_NATT
115	# include "nattraversal.h"
116	#endif
117	# ifdef __linux__
118	# include <linux/udp.h>
119	# include <linux/ip.h>
120	# ifndef SOL_UDP
121	# define SOL_UDP 17
122	# endif
123	# endif /* __linux__ */
124	# if defined(__NetBSD__) \|\| defined(__FreeBSD__) \|\| \
125	(defined(__APPLE__) && defined(__MACH__))
126	# include <netinet/in.h>
127	# include <netinet/udp.h>
128	# include <netinet/in_systm.h>
129	# include <netinet/ip.h>
130	# define SOL_UDP IPPROTO_UDP
131	# endif /* __NetBSD__ / __FreeBSD__ */
132
133	static int nostate1 __P((struct ph1handle , vchar_t ));
134	static int nostate2 __P((struct ph2handle , vchar_t ));
135
136	extern caddr_t val2str(const char *, size_t);
137
138	static int (*ph1exchange[][2][PHASE1ST_MAX])
139	__P((struct ph1handle , vchar_t )) = {
140	/* error */
141	{ { 0 }, { 0 }, },
142	/* Identity Protection exchange */
143	{
144	{ nostate1, ident_i1send, nostate1, ident_i2recv, ident_i2send,
145	ident_i3recv, ident_i3send, ident_i4recv, ident_i4send, nostate1, nostate1,},
146	{ nostate1, ident_r1recv, ident_r1send, ident_r2recv, ident_r2send,
147	ident_r3recv, ident_r3send, nostate1, nostate1, nostate1, nostate1, },
148	},
149	/* Aggressive exchange */
150	{
151	{ nostate1, agg_i1send, nostate1, agg_i2recv, agg_i2send,
152	nostate1, nostate1, nostate1, nostate1, nostate1, nostate1, },
153	{ nostate1, agg_r1recv, agg_r1send, agg_r2recv, agg_r2send,
154	nostate1, nostate1, nostate1, nostate1, nostate1, nostate1, },
155	},
156	/* Base exchange */
157	{
158	{ nostate1, base_i1send, nostate1, base_i2recv, base_i2send,
159	base_i3recv, base_i3send, nostate1, nostate1, nostate1, nostate1, },
160	{ nostate1, base_r1recv, base_r1send, base_r2recv, base_r2send,
161	nostate1, nostate1, nostate1, nostate1, nostate1, nostate1, },
162	},
163	};
164
165	static int (*ph2exchange[][2][PHASE2ST_MAX])
166	__P((struct ph2handle , vchar_t )) = {
167	/* error */
168	{ { 0 }, { 0 }, },
169	/* Quick mode for IKE */
170	{
171	{ nostate2, nostate2, quick_i1prep, nostate2, quick_i1send,
172	quick_i2recv, quick_i2send, quick_i3recv, nostate2, nostate2, },
173	{ nostate2, quick_r1recv, quick_r1prep, nostate2, quick_r2send,
174	quick_r3recv, quick_r3prep, quick_r3send, nostate2, nostate2, }
175	},
176	};
177
178	static u_char r_ck0[] = { 0,0,0,0,0,0,0,0 }; /* used to verify the r_ck. */
179
180	static int isakmp_main __P((vchar_t , struct sockaddr , struct sockaddr *));
181	static int ph1_main __P((struct ph1handle , vchar_t ));
182	static int quick_main __P((struct ph2handle , vchar_t ));
183	static int isakmp_ph1begin_r __P((vchar_t *,
184	struct sockaddr , struct sockaddr , u_int8_t));
185	static int isakmp_ph2begin_i __P((struct ph1handle , struct ph2handle ));
186	static int isakmp_ph2begin_r __P((struct ph1handle , vchar_t ));
187	static int etypesw1 __P((int));
188	static int etypesw2 __P((int));
189	static int isakmp_ph1resend __P((struct ph1handle *));
190	static int isakmp_ph2resend __P((struct ph2handle *));
191
192	#ifdef ENABLE_FRAG
193	static int frag_handler(struct ph1handle *,
194	vchar_t , struct sockaddr , struct sockaddr *);
195	#endif
196
197	/*
198	* isakmp packet handler
199	*/
200	static int
201	isakmp_handler(ctx, so_isakmp)
202	void *ctx;
203	int so_isakmp;
204	{
205	struct isakmp isakmp;
206	union {
207	char buf[sizeof (isakmp) + 4];
208	u_int32_t non_esp[2];
209	struct {
210	struct udphdr udp;
211	#ifdef __linux
212	struct iphdr ip;
213	#else
214	struct ip ip;
215	#endif
216	char buf[sizeof(isakmp) + 4];
217	} lbuf;
218	} x;
219	struct sockaddr_storage remote;
220	struct sockaddr_storage local;
221	unsigned int remote_len = sizeof(remote);
222	unsigned int local_len = sizeof(local);
223	int len = 0, extralen = 0;
224	vchar_t buf = NULL, tmpbuf = NULL;
225	int error = -1, res;
226
227	/* read message by MSG_PEEK */
228	while ((len = recvfromto(so_isakmp, x.buf, sizeof(x),
229	MSG_PEEK, (struct sockaddr *)&remote, &remote_len,
230	(struct sockaddr *)&local, &local_len)) < 0) {
231	if (errno == EINTR)
232	continue;
233	plog(LLV_ERROR, LOCATION, NULL,
234	"failed to receive isakmp packet: %s\n",
235	strerror (errno));
236	goto end;
237	}
238
239	/* keep-alive packet - ignore */
240	if (len == 1 && (x.buf[0]&0xff) == 0xff) {
241	/* Pull the keep-alive packet */
242	if ((len = recvfrom(so_isakmp, (char *)x.buf, 1,
243	0, (struct sockaddr *)&remote, &remote_len)) != 1) {
244	plog(LLV_ERROR, LOCATION, NULL,
245	"failed to receive keep alive packet: %s\n",
246	strerror (errno));
247	}
248	goto end;
249	}
250
251	/* Lucent IKE in UDP encapsulation */
252	{
253	#ifdef __linux__
254	if (ntohs(x.lbuf.udp.dest) == 501) {
255	extralen += sizeof(x.lbuf.udp) + x.lbuf.ip.ihl;
256	}
257	#else
258	if (ntohs(x.lbuf.udp.uh_dport) == 501) {
259	extralen += sizeof(x.lbuf.udp) + x.lbuf.ip.ip_hl;
260	}
261	#endif
262	}
263
264	#ifdef ENABLE_NATT
265	/* we don't know about portchange yet,
266	look for non-esp marker instead */
267	if (x.non_esp[0] == 0 && x.non_esp[1] != 0)
268	extralen = NON_ESP_MARKER_LEN;
269	#endif
270
271	/* now we know if there is an extra non-esp
272	marker at the beginning or not */
273	memcpy ((char *)&isakmp, x.buf + extralen, sizeof (isakmp));
274
275	/* check isakmp header length, as well as sanity of header length */
276	if (len < sizeof(isakmp) \|\| ntohl(isakmp.len) < sizeof(isakmp)) {
277	plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
278	"packet shorter than isakmp header size (%u, %u, %zu)\n",
279	len, ntohl(isakmp.len), sizeof(isakmp));
280	/* dummy receive */
281	if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp),
282	0, (struct sockaddr *)&remote, &remote_len)) < 0) {
283	plog(LLV_ERROR, LOCATION, NULL,
284	"failed to receive isakmp packet: %s\n",
285	strerror (errno));
286	}
287	goto end;
288	}
289
290	/* reject it if the size is tooooo big. */
291	if (ntohl(isakmp.len) > 0xffff) {
292	plog(LLV_ERROR, LOCATION, NULL,
293	"the length in the isakmp header is too big.\n");
294	if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp),
295	0, (struct sockaddr *)&remote, &remote_len)) < 0) {
296	plog(LLV_ERROR, LOCATION, NULL,
297	"failed to receive isakmp packet: %s\n",
298	strerror (errno));
299	}
300	goto end;
301	}
302
303	/* read real message */
304	if ((tmpbuf = vmalloc(ntohl(isakmp.len) + extralen)) == NULL) {
305	plog(LLV_ERROR, LOCATION, NULL,
306	"failed to allocate reading buffer (%u Bytes)\n",
307	ntohl(isakmp.len) + extralen);
308	/* dummy receive */
309	if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp),
310	0, (struct sockaddr *)&remote, &remote_len)) < 0) {
311	plog(LLV_ERROR, LOCATION, NULL,
312	"failed to receive isakmp packet: %s\n",
313	strerror (errno));
314	}
315	goto end;
316	}
317
318	while ((len = recvfromto(so_isakmp, (char *)tmpbuf->v, tmpbuf->l,
319	0, (struct sockaddr *)&remote, &remote_len,
320	(struct sockaddr *)&local, &local_len)) < 0) {
321	if (errno == EINTR)
322	continue;
323	plog(LLV_ERROR, LOCATION, NULL,
324	"failed to receive isakmp packet: %s\n",
325	strerror (errno));
326	goto end;
327	}
328
329	if ((buf = vmalloc(len - extralen)) == NULL) {
330	plog(LLV_ERROR, LOCATION, NULL,
331	"failed to allocate reading buffer (%u Bytes)\n",
332	(len - extralen));
333	goto end;
334	}
335
336	memcpy (buf->v, tmpbuf->v + extralen, buf->l);
337
338	len -= extralen;
339
340	if (len != buf->l) {
341	plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
342	"received invalid length (%d != %zu), why ?\n",
343	len, buf->l);
344	goto end;
345	}
346
347	plog(LLV_DEBUG, LOCATION, NULL, "===\n");
348	plog(LLV_DEBUG, LOCATION, NULL,
349	"%d bytes message received %s\n",
350	len, saddr2str_fromto("from %s to %s",
351	(struct sockaddr *)&remote,
352	(struct sockaddr *)&local));
353	plogdump(LLV_DEBUG, buf->v, buf->l);
354
355	/* avoid packets with malicious port/address */
356	if (extract_port((struct sockaddr *)&remote) == 0) {
357	plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
358	"src port == 0 (valid as UDP but not with IKE)\n");
359	goto end;
360	}
361
362	/* XXX: check sender whether to be allowed or not to accept */
363
364	/* XXX: I don't know how to check isakmp half connection attack. */
365
366	/* simply reply if the packet was processed. */
367	res=check_recvdpkt((struct sockaddr )&remote,(struct sockaddr )&local, buf);
368	if (res) {
369	plog(LLV_NOTIFY, LOCATION, NULL,
370	"the packet is retransmitted by %s (%d).\n",
371	saddr2str((struct sockaddr *)&remote), res);
372	error = 0;
373	goto end;
374	}
375
376	/* isakmp main routine */
377	if (isakmp_main(buf, (struct sockaddr *)&remote,
378	(struct sockaddr *)&local) != 0) goto end;
379
380	error = 0;
381
382	end:
383	if (tmpbuf != NULL)
384	vfree(tmpbuf);
385	if (buf != NULL)
386	vfree(buf);
387	return error;
388	}
389
390	/*
391	* main processing to handle isakmp payload
392	*/
393	static int
394	isakmp_main(msg, remote, local)
395	vchar_t *msg;
396	struct sockaddr remote, local;
397	{
398	struct isakmp isakmp = (struct isakmp )msg->v;
399	isakmp_index index = (isakmp_index )isakmp;
400	u_int32_t msgid = isakmp->msgid;
401	struct ph1handle *iph1;
402
403	#ifdef HAVE_PRINT_ISAKMP_C
404	isakmp_printpacket(msg, remote, local, 0);
405	#endif
406
407	/* the initiator's cookie must not be zero */
408	if (memcmp(&isakmp->i_ck, r_ck0, sizeof(cookie_t)) == 0) {
409	plog(LLV_ERROR, LOCATION, remote,
410	"malformed cookie received.\n");
411	return -1;
412	}
413
414	/* Check the Major and Minor Version fields. */
415	/*
416	* XXX Is is right to check version here ?
417	* I think it may no be here because the version depends
418	* on exchange status.
419	*/
420	if (isakmp->v < ISAKMP_VERSION_NUMBER) {
421	if (ISAKMP_GETMAJORV(isakmp->v) < ISAKMP_MAJOR_VERSION) {
422	plog(LLV_ERROR, LOCATION, remote,
423	"invalid major version %d.\n",
424	ISAKMP_GETMAJORV(isakmp->v));
425	return -1;
426	}
427	#if ISAKMP_MINOR_VERSION > 0
428	if (ISAKMP_GETMINORV(isakmp->v) < ISAKMP_MINOR_VERSION) {
429	plog(LLV_ERROR, LOCATION, remote,
430	"invalid minor version %d.\n",
431	ISAKMP_GETMINORV(isakmp->v));
432	return -1;
433	}
434	#endif
435	}
436
437	/* check the Flags field. */
438	/* XXX How is the exclusive check, E and A ? */
439	if (isakmp->flags & ~(ISAKMP_FLAG_E \| ISAKMP_FLAG_C \| ISAKMP_FLAG_A)) {
440	plog(LLV_ERROR, LOCATION, remote,
441	"invalid flag 0x%02x.\n", isakmp->flags);
442	return -1;
443	}
444
445	/* ignore commit bit. */
446	if (ISSET(isakmp->flags, ISAKMP_FLAG_C)) {
447	if (isakmp->msgid == 0) {
448	isakmp_info_send_nx(isakmp, remote, local,
449	ISAKMP_NTYPE_INVALID_FLAGS, NULL);
450	plog(LLV_ERROR, LOCATION, remote,
451	"Commit bit on phase1 forbidden.\n");
452	return -1;
453	}
454	}
455
456	iph1 = getph1byindex(index);
457	if (iph1 != NULL) {
458	/* validity check */
459	if (memcmp(&isakmp->r_ck, r_ck0, sizeof(cookie_t)) == 0 &&
460	iph1->side == INITIATOR) {
461	plog(LLV_DEBUG, LOCATION, remote,
462	"malformed cookie received or "
463	"the initiator's cookies collide.\n");
464	return -1;
465	}
466
467	#ifdef ENABLE_NATT
468	/* Floating ports for NAT-T */
469	if (NATT_AVAILABLE(iph1) &&
470	! (iph1->natt_flags & NAT_PORTS_CHANGED) &&
471	((cmpsaddr(iph1->remote, remote) != CMPSADDR_MATCH) \|\|
472	(cmpsaddr(iph1->local, local) != CMPSADDR_MATCH)))
473	{
474	/* prevent memory leak */
475	racoon_free(iph1->remote);
476	racoon_free(iph1->local);
477	iph1->remote = NULL;
478	iph1->local = NULL;
479
480	/* copy-in new addresses */
481	iph1->remote = dupsaddr(remote);
482	if (iph1->remote == NULL) {
483	plog(LLV_ERROR, LOCATION, iph1->remote,
484	"phase1 failed: dupsaddr failed.\n");
485	remph1(iph1);
486	delph1(iph1);
487	return -1;
488	}
489	iph1->local = dupsaddr(local);
490	if (iph1->local == NULL) {
491	plog(LLV_ERROR, LOCATION, iph1->remote,
492	"phase1 failed: dupsaddr failed.\n");
493	remph1(iph1);
494	delph1(iph1);
495	return -1;
496	}
497
498	/* set the flag to prevent further port floating
499	(FIXME: should we allow it? E.g. when the NAT gw
500	is rebooted?) */
501	iph1->natt_flags \|= NAT_PORTS_CHANGED \| NAT_ADD_NON_ESP_MARKER;
502
503	/* print some neat info */
504	plog (LLV_INFO, LOCATION, NULL,
505	"NAT-T: ports changed to: %s\n",
506	saddr2str_fromto ("%s<->%s", iph1->remote, iph1->local));
507
508	natt_keepalive_add_ph1 (iph1);
509	}
510	#endif
511
512	/* must be same addresses in one stream of a phase at least. */
513	if (cmpsaddr(iph1->remote, remote) != CMPSADDR_MATCH) {
514	char saddr_db, saddr_act;
515
516	saddr_db = racoon_strdup(saddr2str(iph1->remote));
517	saddr_act = racoon_strdup(saddr2str(remote));
518	STRDUP_FATAL(saddr_db);
519	STRDUP_FATAL(saddr_act);
520
521	plog(LLV_WARNING, LOCATION, remote,
522	"remote address mismatched. db=%s, act=%s\n",
523	saddr_db, saddr_act);
524
525	racoon_free(saddr_db);
526	racoon_free(saddr_act);
527	}
528
529	/*
530	* don't check of exchange type here because other type will be
531	* with same index, for example, informational exchange.
532	*/
533
534	/* XXX more acceptable check */
535	}
536
537	switch (isakmp->etype) {
538	case ISAKMP_ETYPE_IDENT:
539	case ISAKMP_ETYPE_AGG:
540	case ISAKMP_ETYPE_BASE:
541	/* phase 1 validity check */
542	if (isakmp->msgid != 0) {
543	plog(LLV_ERROR, LOCATION, remote,
544	"message id should be zero in phase1.\n");
545	return -1;
546	}
547
548	/* search for isakmp status record of phase 1 */
549	if (iph1 == NULL) {
550	/*
551	* the packet must be the 1st message from a initiator
552	* or the 2nd message from the responder.
553	*/
554
555	/* search for phase1 handle by index without r_ck */
556	iph1 = getph1byindex0(index);
557	if (iph1 == NULL) {
558	/it must be the 1st message from a initiator./
559	if (memcmp(&isakmp->r_ck, r_ck0,
560	sizeof(cookie_t)) != 0) {
561
562	plog(LLV_DEBUG, LOCATION, remote,
563	"malformed cookie received "
564	"or the spi expired.\n");
565	return -1;
566	}
567
568	/* it must be responder's 1st exchange. */
569	if (isakmp_ph1begin_r(msg, remote, local,
570	isakmp->etype) < 0)
571	return -1;
572	break;
573
574	/NOTREACHED/
575	}
576
577	/* it must be the 2nd message from the responder. */
578	if (iph1->side != INITIATOR) {
579	plog(LLV_DEBUG, LOCATION, remote,
580	"malformed cookie received. "
581	"it has to be as the initiator. %s\n",
582	isakmp_pindex(&iph1->index, 0));
583	return -1;
584	}
585	}
586
587	/*
588	* Don't delete phase 1 handler when the exchange type
589	* in handler is not equal to packet's one because of no
590	* authencication completed.
591	*/
592	if (iph1->etype != isakmp->etype) {
593	plog(LLV_ERROR, LOCATION, iph1->remote,
594	"exchange type is mismatched: "
595	"db=%s packet=%s, ignore it.\n",
596	s_isakmp_etype(iph1->etype),
597	s_isakmp_etype(isakmp->etype));
598	return -1;
599	}
600
601	#ifdef ENABLE_FRAG
602	if (isakmp->np == ISAKMP_NPTYPE_FRAG)
603	return frag_handler(iph1, msg, remote, local);
604	#endif
605
606	/* call main process of phase 1 */
607	if (ph1_main(iph1, msg) < 0) {
608	plog(LLV_ERROR, LOCATION, iph1->remote,
609	"phase1 negotiation failed.\n");
610	remph1(iph1);
611	delph1(iph1);
612	return -1;
613	}
614	break;
615
616	case ISAKMP_ETYPE_AUTH:
617	plog(LLV_INFO, LOCATION, remote,
618	"unsupported exchange %d received.\n",
619	isakmp->etype);
620	break;
621
622	case ISAKMP_ETYPE_INFO:
623	case ISAKMP_ETYPE_ACKINFO:
624	/*
625	* iph1 must be present for Information message.
626	* if iph1 is null then trying to get the phase1 status
627	* as the packet from responder againt initiator's 1st
628	* exchange in phase 1.
629	* NOTE: We think such informational exchange should be ignored.
630	*/
631	if (iph1 == NULL) {
632	iph1 = getph1byindex0(index);
633	if (iph1 == NULL) {
634	plog(LLV_ERROR, LOCATION, remote,
635	"unknown Informational "
636	"exchange received.\n");
637	return -1;
638	}
639	if (cmpsaddr(iph1->remote, remote) != CMPSADDR_MATCH) {
640	plog(LLV_WARNING, LOCATION, remote,
641	"remote address mismatched. "
642	"db=%s\n",
643	saddr2str(iph1->remote));
644	}
645	}
646
647	#ifdef ENABLE_FRAG
648	if (isakmp->np == ISAKMP_NPTYPE_FRAG)
649	return frag_handler(iph1, msg, remote, local);
650	#endif
651
652	if (isakmp_info_recv(iph1, msg) < 0)
653	return -1;
654	break;
655
656	case ISAKMP_ETYPE_QUICK:
657	{
658	struct ph2handle *iph2;
659
660	if (iph1 == NULL) {
661	isakmp_info_send_nx(isakmp, remote, local,
662	ISAKMP_NTYPE_INVALID_COOKIE, NULL);
663	plog(LLV_ERROR, LOCATION, remote,
664	"can't start the quick mode, "
665	"there is no ISAKMP-SA, %s\n",
666	isakmp_pindex((isakmp_index *)&isakmp->i_ck,
667	isakmp->msgid));
668	return -1;
669	}
670	#ifdef ENABLE_HYBRID
671	/* Reinit the IVM if it's still there */
672	if (iph1->mode_cfg && iph1->mode_cfg->ivm) {
673	oakley_delivm(iph1->mode_cfg->ivm);
674	iph1->mode_cfg->ivm = NULL;
675	}
676	#endif
677	#ifdef ENABLE_FRAG
678	if (isakmp->np == ISAKMP_NPTYPE_FRAG)
679	return frag_handler(iph1, msg, remote, local);
680	#endif
681
682	/* check status of phase 1 whether negotiated or not. */
683	if (iph1->status != PHASE1ST_ESTABLISHED &&
684	iph1->status != PHASE1ST_DYING) {
685	plog(LLV_ERROR, LOCATION, remote,
686	"can't start the quick mode, "
687	"there is no valid ISAKMP-SA, %s\n",
688	isakmp_pindex(&iph1->index, iph1->msgid));
689	return -1;
690	}
691
692	/* search isakmp phase 2 stauts record. */
693	iph2 = getph2bymsgid(iph1, msgid);
694	if (iph2 == NULL) {
695	/* it must be new negotiation as responder */
696	if (isakmp_ph2begin_r(iph1, msg) < 0)
697	return -1;
698	return 0;
699	/NOTREACHED/
700	}
701
702	/* commit bit. */
703	/* XXX
704	* we keep to set commit bit during negotiation.
705	* When SA is configured, bit will be reset.
706	* XXX
707	* don't initiate commit bit. should be fixed in the future.
708	*/
709	if (ISSET(isakmp->flags, ISAKMP_FLAG_C))
710	iph2->flags \|= ISAKMP_FLAG_C;
711
712	/* call main process of quick mode */
713	if (quick_main(iph2, msg) < 0) {
714	plog(LLV_ERROR, LOCATION, iph1->remote,
715	"phase2 negotiation failed.\n");
716	remph2(iph2);
717	delph2(iph2);
718	return -1;
719	}
720	}
721	break;
722
723	case ISAKMP_ETYPE_NEWGRP:
724	if (iph1 == NULL) {
725	plog(LLV_ERROR, LOCATION, remote,
726	"Unknown new group mode exchange, "
727	"there is no ISAKMP-SA.\n");
728	return -1;
729	}
730
731	#ifdef ENABLE_FRAG
732	if (isakmp->np == ISAKMP_NPTYPE_FRAG)
733	return frag_handler(iph1, msg, remote, local);
734	#endif
735
736	isakmp_newgroup_r(iph1, msg);
737	break;
738
739	#ifdef ENABLE_HYBRID
740	case ISAKMP_ETYPE_CFG:
741	if (iph1 == NULL) {
742	plog(LLV_ERROR, LOCATION, NULL,
743	"mode config %d from %s, "
744	"but we have no ISAKMP-SA.\n",
745	isakmp->etype, saddr2str(remote));
746	return -1;
747	}
748
749	#ifdef ENABLE_FRAG
750	if (isakmp->np == ISAKMP_NPTYPE_FRAG)
751	return frag_handler(iph1, msg, remote, local);
752	#endif
753
754	isakmp_cfg_r(iph1, msg);
755	break;
756	#endif
757
758	case ISAKMP_ETYPE_NONE:
759	default:
760	plog(LLV_ERROR, LOCATION, NULL,
761	"Invalid exchange type %d from %s.\n",
762	isakmp->etype, saddr2str(remote));
763	return -1;
764	}
765
766	return 0;
767	}
768
769	/*
770	* main function of phase 1.
771	*/
772	static int
773	ph1_main(iph1, msg)
774	struct ph1handle *iph1;
775	vchar_t *msg;
776	{
777	int error;
778	#ifdef ENABLE_STATS
779	struct timeval start, end;
780	#endif
781
782	/* ignore a packet */
783	if (iph1->status >= PHASE1ST_ESTABLISHED)
784	return 0;
785
786	#ifdef ENABLE_STATS
787	gettimeofday(&start, NULL);
788	#endif
789	/* receive */
790	if (ph1exchange[etypesw1(iph1->etype)]
791	[iph1->side]
792	[iph1->status] == NULL) {
793	plog(LLV_ERROR, LOCATION, iph1->remote,
794	"why isn't the function defined.\n");
795	return -1;
796	}
797	error = (ph1exchange[etypesw1(iph1->etype)]
798	[iph1->side]
799	[iph1->status])(iph1, msg);
800	if (error != 0) {
801
802	/* XXX
803	* When an invalid packet is received on phase1, it should
804	* be selected to process this packet. That is to respond
805	* with a notify and delete phase 1 handler, OR not to respond
806	* and keep phase 1 handler. However, in PHASE1ST_START when
807	* acting as RESPONDER we must not keep phase 1 handler or else
808	* it will stay forever.
809	*/
810
811	if (iph1->side == RESPONDER && iph1->status == PHASE1ST_START) {
812	plog(LLV_ERROR, LOCATION, iph1->remote,
813	"failed to pre-process ph1 packet (side: %d, status %d).\n",
814	iph1->side, iph1->status);
815	return -1;
816	} else {
817	/* ignore the error and keep phase 1 handler */
818	return 0;
819	}
820	}
821
822	#ifndef ENABLE_FRAG
823	/* free resend buffer */
824	if (iph1->sendbuf == NULL) {
825	plog(LLV_ERROR, LOCATION, NULL,
826	"no buffer found as sendbuf\n");
827	return -1;
828	}
829	#endif
830
831	VPTRINIT(iph1->sendbuf);
832
833	/* turn off schedule */
834	sched_cancel(&iph1->scr);
835
836	/* send */
837	plog(LLV_DEBUG, LOCATION, NULL, "===\n");
838	if ((ph1exchange[etypesw1(iph1->etype)]
839	[iph1->side]
840	[iph1->status])(iph1, msg) != 0) {
841	plog(LLV_ERROR, LOCATION, iph1->remote,
842	"failed to process ph1 packet (side: %d, status: %d).\n",
843	iph1->side, iph1->status);
844	return -1;
845	}
846
847	#ifdef ENABLE_STATS
848	gettimeofday(&end, NULL);
849	syslog(LOG_NOTICE, "%s(%s): %8.6f",
850	"phase1", s_isakmp_state(iph1->etype, iph1->side, iph1->status),
851	timedelta(&start, &end));
852	#endif
853	if (iph1->status == PHASE1ST_ESTABLISHED) {
854
855	#ifdef ENABLE_STATS
856	gettimeofday(&iph1->end, NULL);
857	syslog(LOG_NOTICE, "%s(%s): %8.6f",
858	"phase1", s_isakmp_etype(iph1->etype),
859	timedelta(&iph1->start, &iph1->end));
860	#endif
861
862	/* save created date. */
863	(void)time(&iph1->created);
864
865	/* migrate ph2s from dying ph1s */
866	migrate_dying_ph12(iph1);
867
868	/* add to the schedule to expire, and seve back pointer. */
869	if (ph1_rekey_enabled(iph1)) {
870	sched_schedule(&iph1->sce,
871	iph1->approval->lifetime *
872	PFKEY_SOFT_LIFETIME_RATE / 100,
873	isakmp_ph1dying_stub);
874	} else {
875	sched_schedule(&iph1->sce, iph1->approval->lifetime,
876	isakmp_ph1expire_stub);
877	}
878
879	#ifdef ENABLE_HYBRID
880	if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) {
881	switch (iph1->approval->authmethod) {
882	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
883	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
884	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
885	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
886	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
887	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
888	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
889	xauth_sendreq(iph1);
890	/* XXX Don't process INITIAL_CONTACT */
891	iph1->rmconf->ini_contact = 0;
892	break;
893	default:
894	break;
895	}
896	}
897	#endif
898	#ifdef ENABLE_DPD
899	/* Schedule the r_u_there.... */
900	if(iph1->dpd_support && iph1->rmconf->dpd_interval)
901	isakmp_sched_r_u(iph1, 0);
902	#endif
903
904	/* INITIAL-CONTACT processing */
905	/* don't anything if local test mode. */
906	if (!f_local
907	&& iph1->rmconf->ini_contact && !getcontacted(iph1->remote)) {
908	/* send INITIAL-CONTACT */
909	isakmp_info_send_n1(iph1,
910	ISAKMP_NTYPE_INITIAL_CONTACT, NULL);
911	/* insert a node into contacted list. */
912	if (inscontacted(iph1->remote) == -1) {
913	plog(LLV_ERROR, LOCATION, iph1->remote,
914	"failed to add contacted list.\n");
915	/* ignore */
916	}
917	}
918	if (iph1->initial_contact_received)
919	isakmp_info_recv_initialcontact(iph1, NULL);
920
921	log_ph1established(iph1);
922	plog(LLV_DEBUG, LOCATION, NULL, "===\n");
923
924	/*
925	* SA up shell script hook: do it now,except if
926	* ISAKMP mode config was requested. In the later
927	* case it is done when we receive the configuration.
928	*/
929	if ((iph1->status == PHASE1ST_ESTABLISHED) &&
930	!iph1->rmconf->mode_cfg) {
931	switch (iph1->approval->authmethod) {
932	#ifdef ENABLE_HYBRID
933	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
934	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
935	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
936	/* Unimplemeted... */
937	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
938	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
939	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
940	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
941	break;
942	#endif
943	default:
944	script_hook(iph1, SCRIPT_PHASE1_UP);
945	break;
946	}
947	}
948	}
949
950	return 0;
951	}
952
953	/*
954	* main function of quick mode.
955	*/
956	static int
957	quick_main(iph2, msg)
958	struct ph2handle *iph2;
959	vchar_t *msg;
960	{
961	struct isakmp isakmp = (struct isakmp )msg->v;
962	int error;
963	#ifdef ENABLE_STATS
964	struct timeval start, end;
965	#endif
966
967	/* ignore a packet */
968	if (iph2->status == PHASE2ST_ESTABLISHED
969	\|\| iph2->status == PHASE2ST_GETSPISENT)
970	return 0;
971
972	#ifdef ENABLE_STATS
973	gettimeofday(&start, NULL);
974	#endif
975
976	/* receive */
977	if (ph2exchange[etypesw2(isakmp->etype)]
978	[iph2->side]
979	[iph2->status] == NULL) {
980	plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
981	"why isn't the function defined.\n");
982	return -1;
983	}
984	error = (ph2exchange[etypesw2(isakmp->etype)]
985	[iph2->side]
986	[iph2->status])(iph2, msg);
987	if (error != 0) {
988	plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
989	"failed to pre-process ph2 packet (side: %d, status %d).\n",
990	iph2->side, iph2->status);
991	if (error == ISAKMP_INTERNAL_ERROR)
992	return 0;
993	isakmp_info_send_n1(iph2->ph1, error, NULL);
994	return -1;
995	}
996
997	/* when using commit bit, status will be reached here. */
998	if (iph2->status == PHASE2ST_ADDSA)
999	return 0;
1000
1001	/* free resend buffer */
1002	if (iph2->sendbuf == NULL) {
1003	plog(LLV_ERROR, LOCATION, NULL,
1004	"no buffer found as sendbuf\n");
1005	return -1;
1006	}
1007	VPTRINIT(iph2->sendbuf);
1008
1009	/* turn off schedule */
1010	sched_cancel(&iph2->scr);
1011
1012	/* send */
1013	plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1014	if ((ph2exchange[etypesw2(isakmp->etype)]
1015	[iph2->side]
1016	[iph2->status])(iph2, msg) != 0) {
1017	plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1018	"failed to process ph2 packet (side: %d, status: %d).\n",
1019	iph2->side, iph2->status);
1020	return -1;
1021	}
1022
1023	#ifdef ENABLE_STATS
1024	gettimeofday(&end, NULL);
1025	syslog(LOG_NOTICE, "%s(%s): %8.6f",
1026	"phase2",
1027	s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status),
1028	timedelta(&start, &end));
1029	#endif
1030
1031	return 0;
1032	}
1033
1034	/* new negotiation of phase 1 for initiator */
1035	struct ph1handle *
1036	isakmp_ph1begin_i(rmconf, remote, local)
1037	struct remoteconf *rmconf;
1038	struct sockaddr remote, local;
1039	{
1040	struct ph1handle *iph1;
1041	#ifdef ENABLE_STATS
1042	struct timeval start, end;
1043	#endif
1044
1045	/* get new entry to isakmp status table. */
1046	iph1 = newph1();
1047	if (iph1 == NULL)
1048	return NULL;
1049
1050	iph1->status = PHASE1ST_START;
1051	iph1->rmconf = rmconf;
1052	iph1->side = INITIATOR;
1053	iph1->version = ISAKMP_VERSION_NUMBER;
1054	iph1->msgid = 0;
1055	iph1->flags = 0;
1056	iph1->ph2cnt = 0;
1057	#ifdef HAVE_GSSAPI
1058	iph1->gssapi_state = NULL;
1059	#endif
1060	#ifdef ENABLE_HYBRID
1061	if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL) {
1062	delph1(iph1);
1063	return NULL;
1064	}
1065	#endif
1066	#ifdef ENABLE_FRAG
1067
1068	if(rmconf->ike_frag == ISAKMP_FRAG_FORCE)
1069	iph1->frag = 1;
1070	else
1071	iph1->frag = 0;
1072	iph1->frag_chain = NULL;
1073	#endif
1074	iph1->approval = NULL;
1075
1076	/* XXX copy remote address */
1077	if (copy_ph1addresses(iph1, rmconf, remote, local) < 0) {
1078	delph1(iph1);
1079	return NULL;
1080	}
1081
1082	(void)insph1(iph1);
1083
1084	/* start phase 1 exchange */
1085	iph1->etype = rmconf->etypes->type;
1086
1087	plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1088	{
1089	char *a;
1090
1091	a = racoon_strdup(saddr2str(iph1->local));
1092	STRDUP_FATAL(a);
1093
1094	plog(LLV_INFO, LOCATION, NULL,
1095	"initiate new phase 1 negotiation: %s<=>%s\n",
1096	a, saddr2str(iph1->remote));
1097	racoon_free(a);
1098	}
1099	plog(LLV_INFO, LOCATION, NULL,
1100	"begin %s mode.\n",
1101	s_isakmp_etype(iph1->etype));
1102
1103	#ifdef ENABLE_STATS
1104	gettimeofday(&iph1->start, NULL);
1105	gettimeofday(&start, NULL);
1106	#endif
1107	/* start exchange */
1108	if ((ph1exchange[etypesw1(iph1->etype)]
1109	[iph1->side]
1110	[iph1->status])(iph1, NULL) != 0) {
1111	/* failed to start phase 1 negotiation */
1112	remph1(iph1);
1113	delph1(iph1);
1114
1115	return NULL;
1116	}
1117
1118	#ifdef ENABLE_STATS
1119	gettimeofday(&end, NULL);
1120	syslog(LOG_NOTICE, "%s(%s): %8.6f",
1121	"phase1",
1122	s_isakmp_state(iph1->etype, iph1->side, iph1->status),
1123	timedelta(&start, &end));
1124	#endif
1125
1126	return iph1;
1127	}
1128
1129	/* new negotiation of phase 1 for responder */
1130	static int
1131	isakmp_ph1begin_r(msg, remote, local, etype)
1132	vchar_t *msg;
1133	struct sockaddr remote, local;
1134	u_int8_t etype;
1135	{
1136	struct isakmp isakmp = (struct isakmp )msg->v;
1137	struct ph1handle *iph1;
1138	struct rmconfselector rmsel;
1139	#ifdef ENABLE_STATS
1140	struct timeval start, end;
1141	#endif
1142
1143	/* check if this etype is allowed */
1144	memset(&rmsel, 0, sizeof(rmsel));
1145	rmsel.remote = remote;
1146	if (enumrmconf(&rmsel, check_etypeok, (void *) (intptr_t) etype) == 0) {
1147	plog(LLV_ERROR, LOCATION, remote,
1148	"exchange %s not allowed in any applicable rmconf.\n",
1149	s_isakmp_etype(etype));
1150	return -1;
1151	}
1152
1153	/* get new entry to isakmp status table. */
1154	iph1 = newph1();
1155	if (iph1 == NULL)
1156	return -1;
1157
1158	memcpy(&iph1->index.i_ck, &isakmp->i_ck, sizeof(iph1->index.i_ck));
1159	iph1->status = PHASE1ST_START;
1160	iph1->flags = 0;
1161	iph1->side = RESPONDER;
1162	iph1->etype = etype;
1163	iph1->version = isakmp->v;
1164	iph1->msgid = 0;
1165	#ifdef HAVE_GSSAPI
1166	iph1->gssapi_state = NULL;
1167	#endif
1168	#ifdef ENABLE_HYBRID
1169	if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL) {
1170	delph1(iph1);
1171	return -1;
1172	}
1173	#endif
1174	#ifdef ENABLE_FRAG
1175	iph1->frag = 0;
1176	iph1->frag_chain = NULL;
1177	#endif
1178	iph1->approval = NULL;
1179
1180	#ifdef ENABLE_NATT
1181	/* RFC3947 says that we MUST accept new phases1 on NAT-T floated port.
1182	* We have to setup this flag now to correctly generate the first reply.
1183	* Don't know if a better check could be done for that ?
1184	*/
1185	if(extract_port(local) == lcconf->port_isakmp_natt)
1186	iph1->natt_flags \|= (NAT_PORTS_CHANGED);
1187	#endif
1188
1189	/* copy remote address; remote and local always contain
1190	* port numbers so rmconf is not needed */
1191	if (copy_ph1addresses(iph1, NULL, remote, local) < 0) {
1192	delph1(iph1);
1193	return -1;
1194	}
1195	(void)insph1(iph1);
1196
1197	plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1198	{
1199	char *a;
1200
1201	a = racoon_strdup(saddr2str(iph1->local));
1202	STRDUP_FATAL(a);
1203
1204	plog(LLV_INFO, LOCATION, NULL,
1205	"respond new phase 1 negotiation: %s<=>%s\n",
1206	a, saddr2str(iph1->remote));
1207	racoon_free(a);
1208	}
1209	plog(LLV_INFO, LOCATION, NULL,
1210	"begin %s mode.\n", s_isakmp_etype(etype));
1211
1212	#ifdef ENABLE_STATS
1213	gettimeofday(&iph1->start, NULL);
1214	gettimeofday(&start, NULL);
1215	#endif
1216
1217	#ifndef ENABLE_FRAG
1218
1219	/* start exchange */
1220	if ((ph1exchange[etypesw1(iph1->etype)]
1221	[iph1->side]
1222	[iph1->status])(iph1, msg) < 0
1223	\|\| (ph1exchange[etypesw1(iph1->etype)]
1224	[iph1->side]
1225	[iph1->status])(iph1, msg) < 0) {
1226	plog(LLV_ERROR, LOCATION, remote,
1227	"failed to process ph1 packet (side: %d, status: %d).\n",
1228	iph1->side, iph1->status);
1229	remph1(iph1);
1230	delph1(iph1);
1231	return -1;
1232	}
1233
1234	#ifdef ENABLE_STATS
1235	gettimeofday(&end, NULL);
1236	syslog(LOG_NOTICE, "%s(%s): %8.6f",
1237	"phase1",
1238	s_isakmp_state(iph1->etype, iph1->side, iph1->status),
1239	timedelta(&start, &end));
1240	#endif
1241
1242	return 0;
1243
1244	#else /* ENABLE_FRAG */
1245
1246	/* now that we have a phase1 handle, feed back into our
1247	* main receive function to catch fragmented packets
1248	*/
1249
1250	return isakmp_main(msg, remote, local);
1251
1252	#endif /* ENABLE_FRAG */
1253
1254	}
1255
1256	/* new negotiation of phase 2 for initiator */
1257	static int
1258	isakmp_ph2begin_i(iph1, iph2)
1259	struct ph1handle *iph1;
1260	struct ph2handle *iph2;
1261	{
1262	#ifdef ENABLE_HYBRID
1263	if (xauth_check(iph1) != 0) {
1264	plog(LLV_ERROR, LOCATION, NULL,
1265	"Attempt to start phase 2 whereas Xauth failed\n");
1266	return -1;
1267	}
1268	#endif
1269
1270	/* fixup ph2 ports for this ph1 */
1271	if (extract_port(iph2->src) == 0)
1272	set_port(iph2->src, extract_port(iph1->local));
1273	if (extract_port(iph2->dst) == 0)
1274	set_port(iph2->dst, extract_port(iph1->remote));
1275
1276	/* found ISAKMP-SA. */
1277	plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1278	plog(LLV_DEBUG, LOCATION, NULL, "begin QUICK mode.\n");
1279	{
1280	char *a;
1281	a = racoon_strdup(saddr2str(iph2->src));
1282	STRDUP_FATAL(a);
1283
1284	plog(LLV_INFO, LOCATION, NULL,
1285	"initiate new phase 2 negotiation: %s<=>%s\n",
1286	a, saddr2str(iph2->dst));
1287	racoon_free(a);
1288	}
1289
1290	#ifdef ENABLE_STATS
1291	gettimeofday(&iph2->start, NULL);
1292	#endif
1293	if (iph2->status != PHASE2ST_EXPIRED) /* Phase 1 is already bound (ongoing rekeying) */
1294	bindph12(iph1, iph2);
1295	iph2->status = PHASE2ST_STATUS2;
1296
1297	if ((ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)]
1298	[iph2->side]
1299	[iph2->status])(iph2, NULL) < 0) {
1300	/* release ipsecsa handler due to internal error. */
1301	remph2(iph2);
1302	return -1;
1303	}
1304	return 0;
1305	}
1306
1307	/* new negotiation of phase 2 for responder */
1308	static int
1309	isakmp_ph2begin_r(iph1, msg)
1310	struct ph1handle *iph1;
1311	vchar_t *msg;
1312	{
1313	struct isakmp isakmp = (struct isakmp )msg->v;
1314	struct ph2handle *iph2 = 0;
1315	int error;
1316	#ifdef ENABLE_STATS
1317	struct timeval start, end;
1318	#endif
1319	#ifdef ENABLE_HYBRID
1320	if (xauth_check(iph1) != 0) {
1321	plog(LLV_ERROR, LOCATION, NULL,
1322	"Attempt to start phase 2 whereas Xauth failed\n");
1323	return -1;
1324	}
1325	#endif
1326
1327	iph2 = newph2();
1328	if (iph2 == NULL) {
1329	plog(LLV_ERROR, LOCATION, NULL,
1330	"failed to allocate phase2 entry.\n");
1331	return -1;
1332	}
1333
1334	iph2->side = RESPONDER;
1335	iph2->status = PHASE2ST_START;
1336	iph2->flags = isakmp->flags;
1337	iph2->msgid = isakmp->msgid;
1338	iph2->seq = pk_getseq();
1339	iph2->ivm = oakley_newiv2(iph1, iph2->msgid);
1340	if (iph2->ivm == NULL) {
1341	delph2(iph2);
1342	return -1;
1343	}
1344	iph2->dst = dupsaddr(iph1->remote); /* XXX should be considered */
1345	if (iph2->dst == NULL) {
1346	delph2(iph2);
1347	return -1;
1348	}
1349	iph2->src = dupsaddr(iph1->local); /* XXX should be considered */
1350	if (iph2->src == NULL) {
1351	delph2(iph2);
1352	return -1;
1353	}
1354
1355	/* add new entry to isakmp status table */
1356	insph2(iph2);
1357	bindph12(iph1, iph2);
1358
1359	plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1360	{
1361	char *a;
1362
1363	a = racoon_strdup(saddr2str(iph2->src));
1364	STRDUP_FATAL(a);
1365
1366	plog(LLV_INFO, LOCATION, NULL,
1367	"respond new phase 2 negotiation: %s<=>%s\n",
1368	a, saddr2str(iph2->dst));
1369	racoon_free(a);
1370	}
1371
1372	#ifdef ENABLE_STATS
1373	gettimeofday(&start, NULL);
1374	#endif
1375
1376	error = (ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)]
1377	[iph2->side]
1378	[iph2->status])(iph2, msg);
1379	if (error != 0) {
1380	plog(LLV_ERROR, LOCATION, iph1->remote,
1381	"failed to pre-process ph2 packet (side: %d, status: %d).\n",
1382	iph2->side, iph2->status);
1383	if (error != ISAKMP_INTERNAL_ERROR)
1384	isakmp_info_send_n1(iph2->ph1, error, NULL);
1385	/*
1386	* release handler because it's wrong that ph2handle is kept
1387	* after failed to check message for responder's.
1388	*/
1389	remph2(iph2);
1390	delph2(iph2);
1391	return -1;
1392	}
1393
1394	/* send */
1395	plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1396	if ((ph2exchange[etypesw2(isakmp->etype)]
1397	[iph2->side]
1398	[iph2->status])(iph2, msg) < 0) {
1399	plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1400	"failed to process ph2 packet (side: %d, status: %d).\n",
1401	iph2->side, iph2->status);
1402	/* don't release handler */
1403	return -1;
1404	}
1405	#ifdef ENABLE_STATS
1406	gettimeofday(&end, NULL);
1407	syslog(LOG_NOTICE, "%s(%s): %8.6f",
1408	"phase2",
1409	s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status),
1410	timedelta(&start, &end));
1411	#endif
1412
1413	return 0;
1414	}
1415
1416	/*
1417	* parse ISAKMP payloads, without ISAKMP base header.
1418	*/
1419	vchar_t *
1420	isakmp_parsewoh(np0, gen, len)
1421	int np0;
1422	struct isakmp_gen *gen;
1423	int len;
1424	{
1425	u_char np = np0 & 0xff;
1426	int tlen, plen;
1427	vchar_t *result;
1428	struct isakmp_parse_t p, ep;
1429
1430	plog(LLV_DEBUG, LOCATION, NULL, "begin.\n");
1431
1432	/*
1433	* 5 is a magic number, but any value larger than 2 should be fine
1434	* as we do vrealloc() in the following loop.
1435	*/
1436	result = vmalloc(sizeof(struct isakmp_parse_t) * 5);
1437	if (result == NULL) {
1438	plog(LLV_ERROR, LOCATION, NULL,
1439	"failed to get buffer.\n");
1440	return NULL;
1441	}
1442	p = (struct isakmp_parse_t *)result->v;
1443	ep = (struct isakmp_parse_t )(result->v + result->l - sizeof(ep));
1444
1445	tlen = len;
1446
1447	/* parse through general headers */
1448	while (0 < tlen && np != ISAKMP_NPTYPE_NONE) {
1449	if (tlen <= sizeof(struct isakmp_gen)) {
1450	/* don't send information, see isakmp_ident_r1() */
1451	plog(LLV_ERROR, LOCATION, NULL,
1452	"invalid length of payload\n");
1453	vfree(result);
1454	return NULL;
1455	}
1456
1457	plog(LLV_DEBUG, LOCATION, NULL,
1458	"seen nptype=%u(%s)\n", np, s_isakmp_nptype(np));
1459
1460	p->type = np;
1461	p->len = ntohs(gen->len);
1462	if (p->len < sizeof(struct isakmp_gen) \|\| p->len > tlen) {
1463	plog(LLV_DEBUG, LOCATION, NULL,
1464	"invalid length of payload\n");
1465	vfree(result);
1466	return NULL;
1467	}
1468	p->ptr = gen;
1469	p++;
1470	if (ep <= p) {
1471	int off;
1472
1473	off = p - (struct isakmp_parse_t *)result->v;
1474	result = vrealloc(result, result->l * 2);
1475	if (result == NULL) {
1476	plog(LLV_DEBUG, LOCATION, NULL,
1477	"failed to realloc buffer.\n");
1478	vfree(result);
1479	return NULL;
1480	}
1481	ep = (struct isakmp_parse_t *)
1482	(result->v + result->l - sizeof(*ep));
1483	p = (struct isakmp_parse_t *)result->v;
1484	p += off;
1485	}
1486
1487	np = gen->np;
1488	plen = ntohs(gen->len);
1489	gen = (struct isakmp_gen *)((caddr_t)gen + plen);
1490	tlen -= plen;
1491	}
1492	p->type = ISAKMP_NPTYPE_NONE;
1493	p->len = 0;
1494	p->ptr = NULL;
1495
1496	plog(LLV_DEBUG, LOCATION, NULL, "succeed.\n");
1497
1498	return result;
1499	}
1500
1501	/*
1502	* parse ISAKMP payloads, including ISAKMP base header.
1503	*/
1504	vchar_t *
1505	isakmp_parse(buf)
1506	vchar_t *buf;
1507	{
1508	struct isakmp isakmp = (struct isakmp )buf->v;
1509	struct isakmp_gen *gen;
1510	int tlen;
1511	vchar_t *result;
1512	u_char np;
1513
1514	np = isakmp->np;
1515	gen = (struct isakmp_gen )(buf->v + sizeof(isakmp));
1516	tlen = buf->l - sizeof(struct isakmp);
1517	result = isakmp_parsewoh(np, gen, tlen);
1518
1519	return result;
1520	}
1521
1522	/* %%% */
1523	int
1524	isakmp_init()
1525	{
1526	/* initialize a isakmp status table */
1527	initph1tree();
1528	initph2tree();
1529	initctdtree();
1530	init_recvdpkt();
1531
1532	return 0;
1533	}
1534
1535	/*
1536	* make strings containing i_cookie + r_cookie + msgid
1537	*/
1538	const char *
1539	isakmp_pindex(index, msgid)
1540	const isakmp_index *index;
1541	const u_int32_t msgid;
1542	{
1543	static char buf[64];
1544	const u_char *p;
1545	int i, j;
1546
1547	memset(buf, 0, sizeof(buf));
1548
1549	/* copy index */
1550	p = (const u_char *)index;
1551	for (j = 0, i = 0; i < sizeof(isakmp_index); i++) {
1552	snprintf((char *)&buf[j], sizeof(buf) - j, "%02x", p[i]);
1553	j += 2;
1554	switch (i) {
1555	case 7:
1556	buf[j++] = ':';
1557	}
1558	}
1559
1560	if (msgid == 0)
1561	return buf;
1562
1563	/* copy msgid */
1564	snprintf((char *)&buf[j], sizeof(buf) - j, ":%08x", ntohs(msgid));
1565
1566	return buf;
1567	}
1568
1569	/* open ISAKMP sockets. */
1570	int
1571	isakmp_open(struct sockaddr *addr, int udp_encap)
1572	{
1573	const int yes = 1;
1574	int ifnum = 0, encap_ifnum = 0, fd;
1575	struct sockaddr_in sin = (struct sockaddr_in ) addr;
1576	#ifdef INET6
1577	struct sockaddr_in6 sin6 = (struct sockaddr_in6 ) addr;
1578	int pktinfo;
1579	#endif
1580	#ifdef ENABLE_NATT
1581	int option = -1;
1582	#endif
1583
1584	/* warn if wildcard address - should we forbid this? */
1585	switch (addr->sa_family) {
1586	case AF_INET:
1587	if (sin->sin_addr.s_addr == 0)
1588	plog(LLV_WARNING, LOCATION, NULL,
1589	"listening to wildcard address,"
1590	"broadcast IKE packet may kill you\n");
1591	break;
1592	#ifdef INET6
1593	case AF_INET6:
1594	if (IN6_IS_ADDR_MULTICAST(&sin6->sin6_addr)) {
1595	plog(LLV_DEBUG, LOCATION, NULL,
1596	"ignoring multicast address %s\n",
1597	saddr2str(addr));
1598	return -1;
1599	}
1600
1601	if (IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr))
1602	plog(LLV_WARNING, LOCATION, NULL,
1603	"listening to wildcard address, "
1604	"broadcast IKE packet may kill you\n");
1605	break;
1606	#endif
1607	default:
1608	plog(LLV_ERROR, LOCATION, NULL,
1609	"unsupported address family %d\n",
1610	addr->sa_family);
1611	return -1;
1612	}
1613
1614	if ((fd = privsep_socket(addr->sa_family, SOCK_DGRAM, 0)) < 0) {
1615	plog(LLV_ERROR, LOCATION, NULL,
1616	"socket(%s)\n", strerror(errno));
1617	return -1;
1618	}
1619	close_on_exec(fd);
1620	if (fcntl(fd, F_SETFL, O_NONBLOCK) == -1)
1621	plog(LLV_WARNING, LOCATION, NULL,
1622	"failed to put socket in non-blocking mode\n");
1623
1624	/* receive my interface address on inbound packets. */
1625	switch (addr->sa_family) {
1626	case AF_INET:
1627	if (setsockopt(fd, IPPROTO_IP,
1628	#ifdef __linux__
1629	IP_PKTINFO,
1630	#else
1631	IP_RECVDSTADDR,
1632	#endif
1633	(const void *) &yes, sizeof(yes)) < 0) {
1634	plog(LLV_ERROR, LOCATION, NULL,
1635	"setsockopt IP_RECVDSTADDR (%s)\n",
1636	strerror(errno));
1637	goto err;
1638	}
1639
1640	#ifdef ENABLE_NATT
1641	if (udp_encap)
1642	option = UDP_ENCAP_ESPINUDP;
1643	#if defined(ENABLE_NATT_00) \|\| defined(ENABLE_NATT_01)
1644	else
1645	option = UDP_ENCAP_ESPINUDP_NON_IKE;
1646	#endif
1647	if (option == -1)
1648	break;
1649
1650	if (setsockopt(fd, SOL_UDP,
1651	UDP_ENCAP, &option,
1652	sizeof(option)) < 0) {
1653	plog(LLV_WARNING, LOCATION, NULL,
1654	"setsockopt(%s): UDP_ENCAP %s\n",
1655	option == UDP_ENCAP_ESPINUDP ? "UDP_ENCAP_ESPINUDP" : "UDP_ENCAP_ESPINUDP_NON_IKE",
1656	strerror(errno));
1657	} else {
1658	plog(LLV_INFO, LOCATION, NULL,
1659	"%s used for NAT-T\n",
1660	saddr2str(addr));
1661	}
1662	#endif
1663	break;
1664
1665	#ifdef INET6
1666	case AF_INET6:
1667	#if defined(INET6_ADVAPI)
1668	#ifdef IPV6_RECVPKTINFO
1669	pktinfo = IPV6_RECVPKTINFO;
1670	#else /* old adv. API */
1671	pktinfo = IPV6_PKTINFO;
1672	#endif /* IPV6_RECVPKTINFO */
1673	#else
1674	pktinfo = IPV6_RECVDSTADDR;
1675	#endif
1676	if (setsockopt(fd, IPPROTO_IPV6, pktinfo,
1677	(const void *) &yes, sizeof(yes)) < 0) {
1678	plog(LLV_ERROR, LOCATION, NULL,
1679	"setsockopt IPV6_RECVDSTADDR (%d):%s\n",
1680	pktinfo, strerror(errno));
1681	goto err;
1682	}
1683
1684	#ifdef IPV6_USE_MIN_MTU
1685	if (setsockopt(fd, IPPROTO_IPV6, IPV6_USE_MIN_MTU,
1686	(void *) &yes, sizeof(yes)) < 0) {
1687	plog(LLV_ERROR, LOCATION, NULL,
1688	"setsockopt IPV6_USE_MIN_MTU (%s)\n",
1689	strerror(errno));
1690	goto err;
1691	}
1692	#endif
1693	break;
1694	#endif
1695	}
1696
1697	if (setsockopt(fd, SOL_SOCKET,
1698	#ifdef __linux__
1699	SO_REUSEADDR,
1700	#else
1701	SO_REUSEPORT,
1702	#endif
1703	(void *) &yes, sizeof(yes)) < 0) {
1704	plog(LLV_ERROR, LOCATION, NULL,
1705	"failed to set REUSE flag on %s (%s).\n",
1706	saddr2str(addr), strerror(errno));
1707	goto err;
1708	}
1709
1710	if (setsockopt_bypass(fd, addr->sa_family) < 0)
1711	goto err;
1712
1713	if (privsep_bind(fd, addr, sysdep_sa_len(addr)) < 0) {
1714	plog(LLV_ERROR, LOCATION, addr,
1715	"failed to bind to address %s (%s).\n",
1716	saddr2str(addr), strerror(errno));
1717	goto err;
1718	}
1719
1720	plog(LLV_INFO, LOCATION, NULL,
1721	"%s used as isakmp port (fd=%d)\n",
1722	saddr2str(addr), fd);
1723
1724	monitor_fd(fd, isakmp_handler, NULL, 1);
1725	return fd;
1726
1727	err:
1728	close(fd);
1729	return -1;
1730	}
1731
1732	void
1733	isakmp_close(int fd)
1734	{
1735	unmonitor_fd(fd);
1736	close(fd);
1737	}
1738
1739	int
1740	isakmp_send(iph1, sbuf)
1741	struct ph1handle *iph1;
1742	vchar_t *sbuf;
1743	{
1744	int len = 0;
1745	int s;
1746	vchar_t *vbuf = NULL, swap;
1747
1748	#ifdef ENABLE_NATT
1749	size_t extralen = NON_ESP_MARKER_USE(iph1) ? NON_ESP_MARKER_LEN : 0;
1750
1751	/* Check if NON_ESP_MARKER_LEN is already there (happens when resending packets)
1752	*/
1753	if(extralen == NON_ESP_MARKER_LEN &&
1754	(u_int32_t )sbuf->v == 0)
1755	extralen = 0;
1756
1757	#ifdef ENABLE_FRAG
1758	/*
1759	* Do not add the non ESP marker for a packet that will
1760	* be fragmented. The non ESP marker should appear in
1761	* all fragment's packets, but not in the fragmented packet
1762	*/
1763	if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN)
1764	extralen = 0;
1765	#endif
1766	if (extralen)
1767	plog (LLV_DEBUG, LOCATION, NULL, "Adding NON-ESP marker\n");
1768
1769	/* If NAT-T port floating is in use, 4 zero bytes (non-ESP marker)
1770	must added just before the packet itself. For this we must
1771	allocate a new buffer and release it at the end. */
1772	if (extralen) {
1773	if ((vbuf = vmalloc (sbuf->l + extralen)) == NULL) {
1774	plog(LLV_ERROR, LOCATION, NULL,
1775	"vbuf allocation failed\n");
1776	return -1;
1777	}
1778	(u_int32_t )vbuf->v = 0;
1779	memcpy (vbuf->v + extralen, sbuf->v, sbuf->l);
1780	/* ensures that the modified buffer will be sent back to the caller, so
1781	* add_recvdpkt() will add the correct buffer
1782	*/
1783	swap = *sbuf;
1784	sbuf = vbuf;
1785	*vbuf = swap;
1786	vfree(vbuf);
1787	}
1788	#endif
1789
1790	/* select the socket to be sent */
1791	s = myaddr_getfd(iph1->local);
1792	if (s == -1)
1793	return -1;
1794
1795	plog (LLV_DEBUG, LOCATION, NULL, "%zu bytes %s\n", sbuf->l,
1796	saddr2str_fromto("from %s to %s", iph1->local, iph1->remote));
1797
1798	#ifdef ENABLE_FRAG
1799	if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN) {
1800	if (isakmp_sendfrags(iph1, sbuf) == -1) {
1801	plog(LLV_ERROR, LOCATION, NULL,
1802	"isakmp_sendfrags failed\n");
1803	return -1;
1804	}
1805	} else
1806	#endif
1807	{
1808	len = sendfromto(s, sbuf->v, sbuf->l,
1809	iph1->local, iph1->remote, lcconf->count_persend);
1810
1811	if (len == -1) {
1812	plog(LLV_ERROR, LOCATION, NULL, "sendfromto failed\n");
1813	return -1;
1814	}
1815	}
1816
1817	return 0;
1818	}
1819
1820	/* called from scheduler */
1821	static void
1822	isakmp_ph1resend_stub(p)
1823	struct sched *p;
1824	{
1825	struct ph1handle *iph1 = container_of(p, struct ph1handle, scr);
1826
1827	if (isakmp_ph1resend(iph1) < 0) {
1828	remph1(iph1);
1829	delph1(iph1);
1830	}
1831	}
1832
1833	static int
1834	isakmp_ph1resend(iph1)
1835	struct ph1handle *iph1;
1836	{
1837	/* Note: NEVER do the rem/del here, it will be done by the caller or by the _stub function
1838	*/
1839	if (iph1->retry_counter <= 0) {
1840	plog(LLV_ERROR, LOCATION, NULL,
1841	"phase1 negotiation failed due to time up. %s\n",
1842	isakmp_pindex(&iph1->index, iph1->msgid));
1843	/* XXX is the peer really "dead" here ??? */
1844	script_hook(iph1, SCRIPT_PHASE1_DEAD);
1845	evt_phase1(iph1, EVT_PHASE1_NO_RESPONSE, NULL);
1846
1847	return -1;
1848	}
1849
1850	if (isakmp_send(iph1, iph1->sendbuf) < 0){
1851	plog(LLV_ERROR, LOCATION, NULL,
1852	"phase1 negotiation failed due to send error. %s\n",
1853	isakmp_pindex(&iph1->index, iph1->msgid));
1854	evt_phase1(iph1, EVT_PHASE1_NO_RESPONSE, NULL);
1855	return -1;
1856	}
1857
1858	plog(LLV_DEBUG, LOCATION, NULL,
1859	"resend phase1 packet %s\n",
1860	isakmp_pindex(&iph1->index, iph1->msgid));
1861
1862	iph1->retry_counter--;
1863
1864	sched_schedule(&iph1->scr, lcconf->retry_interval,
1865	isakmp_ph1resend_stub);
1866
1867	return 0;
1868	}
1869
1870	int
1871	isakmp_ph1send(iph1)
1872	struct ph1handle *iph1;
1873	{
1874	iph1->retry_counter = lcconf->retry_counter;
1875	return isakmp_ph1resend(iph1);
1876	}
1877
1878	/* called from scheduler */
1879	static void
1880	isakmp_ph2resend_stub(p)
1881	struct sched *p;
1882	{
1883	struct ph2handle *iph2 = container_of(p, struct ph2handle, scr);
1884
1885	if (isakmp_ph2resend(iph2) < 0) {
1886	remph2(iph2);
1887	delph2(iph2);
1888	}
1889	}
1890
1891	static int
1892	isakmp_ph2resend(iph2)
1893	struct ph2handle *iph2;
1894	{
1895	/* Note: NEVER do the unbind/rem/del here, it will be done by the caller or by the _stub function
1896	*/
1897	if (iph2->ph1->status >= PHASE1ST_EXPIRED) {
1898	plog(LLV_ERROR, LOCATION, NULL,
1899	"phase2 negotiation failed due to phase1 expired. %s\n",
1900	isakmp_pindex(&iph2->ph1->index, iph2->msgid));
1901	return -1;
1902	}
1903
1904	if (iph2->retry_counter <= 0) {
1905	plog(LLV_ERROR, LOCATION, NULL,
1906	"phase2 negotiation failed due to time up. %s\n",
1907	isakmp_pindex(&iph2->ph1->index, iph2->msgid));
1908	evt_phase2(iph2, EVT_PHASE2_NO_RESPONSE, NULL);
1909	unbindph12(iph2);
1910	return -1;
1911	}
1912
1913	if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0){
1914	plog(LLV_ERROR, LOCATION, NULL,
1915	"phase2 negotiation failed due to send error. %s\n",
1916	isakmp_pindex(&iph2->ph1->index, iph2->msgid));
1917	evt_phase2(iph2, EVT_PHASE2_NO_RESPONSE, NULL);
1918	return -1;
1919	}
1920
1921	plog(LLV_DEBUG, LOCATION, NULL,
1922	"resend phase2 packet %s\n",
1923	isakmp_pindex(&iph2->ph1->index, iph2->msgid));
1924
1925	iph2->retry_counter--;
1926
1927	sched_schedule(&iph2->scr, lcconf->retry_interval,
1928	isakmp_ph2resend_stub);
1929
1930	return 0;
1931	}
1932
1933	int
1934	isakmp_ph2send(iph2)
1935	struct ph2handle *iph2;
1936	{
1937	iph2->retry_counter = lcconf->retry_counter;
1938	return isakmp_ph2resend(iph2);
1939	}
1940
1941	/* called from scheduler */
1942	void
1943	isakmp_ph1dying_stub(p)
1944	struct sched *p;
1945	{
1946
1947	isakmp_ph1dying(container_of(p, struct ph1handle, sce));
1948	}
1949
1950	void
1951	isakmp_ph1dying(iph1)
1952	struct ph1handle *iph1;
1953	{
1954	struct ph1handle *new_iph1;
1955	struct ph2handle *p;
1956	struct remoteconf *rmconf;
1957
1958	if (iph1->status >= PHASE1ST_DYING)
1959	return;
1960
1961	/* Going away in after a while... */
1962	iph1->status = PHASE1ST_DYING;
1963
1964	/* Any fresh phase1s? */
1965	new_iph1 = getph1(iph1, iph1->local, iph1->remote, 1);
1966	if (new_iph1 == NULL) {
1967	LIST_FOREACH(p, &iph1->ph2tree, ph1bind) {
1968	if (p->status != PHASE2ST_ESTABLISHED)
1969	continue;
1970
1971	plog(LLV_INFO, LOCATION, NULL,
1972	"renegotiating phase1 to %s due to "
1973	"active phase2\n",
1974	saddrwop2str(iph1->remote));
1975
1976	if (iph1->side == INITIATOR)
1977	isakmp_ph1begin_i(iph1->rmconf, iph1->remote,
1978	iph1->local);
1979
1980	break;
1981	}
1982	} else {
1983	migrate_ph12(iph1, new_iph1);
1984	}
1985
1986	/* Schedule for expiration */
1987	sched_schedule(&iph1->sce, iph1->approval->lifetime *
1988	(100 - PFKEY_SOFT_LIFETIME_RATE) / 100,
1989	isakmp_ph1expire_stub);
1990	}
1991
1992	/* called from scheduler */
1993	void
1994	isakmp_ph1expire_stub(p)
1995	struct sched *p;
1996	{
1997	isakmp_ph1expire(container_of(p, struct ph1handle, sce));
1998	}
1999
2000	void
2001	isakmp_ph1expire(iph1)
2002	struct ph1handle *iph1;
2003	{
2004	char src, dst;
2005
2006	if (iph1->status < PHASE1ST_EXPIRED) {
2007	src = racoon_strdup(saddr2str(iph1->local));
2008	dst = racoon_strdup(saddr2str(iph1->remote));
2009	STRDUP_FATAL(src);
2010	STRDUP_FATAL(dst);
2011
2012	plog(LLV_INFO, LOCATION, NULL,
2013	"ISAKMP-SA expired %s-%s spi:%s\n",
2014	src, dst,
2015	isakmp_pindex(&iph1->index, 0));
2016	racoon_free(src);
2017	racoon_free(dst);
2018	iph1->status = PHASE1ST_EXPIRED;
2019	}
2020
2021	isakmp_ph1delete(iph1);
2022	}
2023
2024	/* called from scheduler */
2025	void
2026	isakmp_ph1delete_stub(p)
2027	struct sched *p;
2028	{
2029
2030	isakmp_ph1delete(container_of(p, struct ph1handle, sce));
2031	}
2032
2033	void
2034	isakmp_ph1delete(iph1)
2035	struct ph1handle *iph1;
2036	{
2037	struct ph2handle p, next;
2038	struct ph1handle *new_iph1;
2039	char src, dst;
2040
2041	/* Migrate established phase2s. Any fresh phase1s? */
2042	new_iph1 = getph1(iph1, iph1->local, iph1->remote, 1);
2043	if (new_iph1 != NULL)
2044	migrate_ph12(iph1, new_iph1);
2045
2046	/* Discard any left phase2s */
2047	for (p = LIST_FIRST(&iph1->ph2tree); p; p = next) {
2048	next = LIST_NEXT(p, ph1bind);
2049	if (p->status == PHASE2ST_ESTABLISHED)
2050	isakmp_info_send_d2(p);
2051	/* remove all ph2 handles,
2052	* as ph1handle will be expired soon
2053	*/
2054	delete_spd(p, 1);
2055	remph2(p);
2056	delph2(p);
2057	}
2058
2059	src = racoon_strdup(saddr2str(iph1->local));
2060	dst = racoon_strdup(saddr2str(iph1->remote));
2061	STRDUP_FATAL(src);
2062	STRDUP_FATAL(dst);
2063
2064	plog(LLV_INFO, LOCATION, NULL,
2065	"ISAKMP-SA deleted %s-%s spi:%s\n",
2066	src, dst, isakmp_pindex(&iph1->index, 0));
2067
2068	evt_phase1(iph1, EVT_PHASE1_DOWN, NULL);
2069	if (new_iph1 == NULL && ph1_rekey_enabled(iph1))
2070	script_hook(iph1, SCRIPT_PHASE1_DEAD);
2071
2072	racoon_free(src);
2073	racoon_free(dst);
2074
2075	remph1(iph1);
2076	delph1(iph1);
2077	}
2078
2079	/* called from scheduler.
2080	* this function will call only isakmp_ph2delete().
2081	* phase 2 handler remain forever if kernel doesn't cry a expire of phase 2 SA
2082	* by something cause. That's why this function is called after phase 2 SA
2083	* expires in the userland.
2084	*/
2085	void
2086	isakmp_ph2expire_stub(p)
2087	struct sched *p;
2088	{
2089
2090	isakmp_ph2expire(container_of(p, struct ph2handle, sce));
2091	}
2092
2093	void
2094	isakmp_ph2expire(iph2)
2095	struct ph2handle *iph2;
2096	{
2097	char src, dst;
2098
2099	src = racoon_strdup(saddrwop2str(iph2->src));
2100	dst = racoon_strdup(saddrwop2str(iph2->dst));
2101	STRDUP_FATAL(src);
2102	STRDUP_FATAL(dst);
2103
2104	plog(LLV_INFO, LOCATION, NULL,
2105	"phase2 sa expired %s-%s\n", src, dst);
2106	racoon_free(src);
2107	racoon_free(dst);
2108
2109	iph2->status = PHASE2ST_EXPIRED;
2110	sched_schedule(&iph2->sce, 1, isakmp_ph2delete_stub);
2111	}
2112
2113	/* called from scheduler */
2114	void
2115	isakmp_ph2delete_stub(p)
2116	struct sched *p;
2117	{
2118
2119	isakmp_ph2delete(container_of(p, struct ph2handle, sce));
2120	}
2121
2122	void
2123	isakmp_ph2delete(iph2)
2124	struct ph2handle *iph2;
2125	{
2126	char src, dst;
2127
2128	src = racoon_strdup(saddrwop2str(iph2->src));
2129	dst = racoon_strdup(saddrwop2str(iph2->dst));
2130	STRDUP_FATAL(src);
2131	STRDUP_FATAL(dst);
2132
2133	plog(LLV_INFO, LOCATION, NULL,
2134	"phase2 sa deleted %s-%s\n", src, dst);
2135	racoon_free(src);
2136	racoon_free(dst);
2137
2138	remph2(iph2);
2139	delph2(iph2);
2140
2141	return;
2142	}
2143
2144	/* %%%
2145	* Interface between PF_KEYv2 and ISAKMP
2146	*/
2147	/*
2148	* receive ACQUIRE from kernel, and begin either phase1 or phase2.
2149	* if phase1 has been finished, begin phase2.
2150	*/
2151	int
2152	isakmp_post_acquire(iph2, iph1hint, nopassive)
2153	struct ph2handle *iph2;
2154	struct ph1handle *iph1hint;
2155	int nopassive;
2156	{
2157	struct remoteconf *rmconf;
2158	struct ph1handle *iph1 = NULL;
2159
2160	plog(LLV_DEBUG, LOCATION, NULL, "in post_acquire\n");
2161
2162	/* Search appropriate configuration with masking port. Note that
2163	* we always use iph2->dst, and not iph2->sa_dst.
2164	*
2165	* XXX One possible need for using iph2->sa_dst if not NULL would
2166	* be for selecting a remote configuration based on a stable
2167	* address of a mobile node (not a CoA provided by MIGRATE/KMADDRESS
2168	* as iph2->dst hint). This scenario would require additional changes,
2169	* so no need to bother yet. --arno */
2170
2171	if (iph1hint == NULL \|\| iph1hint->rmconf == NULL) {
2172	rmconf = getrmconf(iph2->dst, nopassive ? GETRMCONF_F_NO_PASSIVE : 0);
2173	if (rmconf == NULL) {
2174	plog(LLV_ERROR, LOCATION, NULL,
2175	"no configuration found for %s.\n",
2176	saddrwop2str(iph2->dst));
2177	return -1;
2178	}
2179	} else {
2180	rmconf = iph1hint->rmconf;
2181	}
2182
2183	/* if passive mode, ignore the acquire message */
2184	if (nopassive && rmconf->passive) {
2185	plog(LLV_DEBUG, LOCATION, NULL,
2186	"because of passive mode, "
2187	"ignore the acquire message for %s.\n",
2188	saddrwop2str(iph2->dst));
2189	return -1;
2190	}
2191
2192	/*
2193	* XXX Searching by IP addresses + ports might fail on
2194	* some cases, we should use the ISAKMP identity to search
2195	* matching ISAKMP.
2196	*/
2197	iph1 = getph1(iph1hint, iph2->src, iph2->dst, 0);
2198
2199	/* no ISAKMP-SA found. */
2200	if (iph1 == NULL) {
2201	iph2->retry_checkph1 = lcconf->retry_checkph1;
2202	sched_schedule(&iph2->sce, 1, isakmp_chkph1there_stub);
2203	plog(LLV_INFO, LOCATION, NULL,
2204	"IPsec-SA request for %s queued "
2205	"due to no phase1 found.\n",
2206	saddrwop2str(iph2->dst));
2207
2208	/* start phase 1 negotiation as a initiator. */
2209	if (isakmp_ph1begin_i(rmconf, iph2->dst, iph2->src) == NULL) {
2210	sched_cancel(&iph2->sce);
2211	return -1;
2212	}
2213
2214	return 0;
2215	/NOTREACHED/
2216	}
2217
2218	/* found ISAKMP-SA, but on negotiation. */
2219	if (iph1->status < PHASE1ST_ESTABLISHED) {
2220	iph2->retry_checkph1 = lcconf->retry_checkph1;
2221	sched_schedule(&iph2->sce, 1, isakmp_chkph1there_stub);
2222	plog(LLV_INFO, LOCATION, iph2->dst,
2223	"request for establishing IPsec-SA was queued "
2224	"due to no phase1 found.\n");
2225	return 0;
2226	/NOTREACHED/
2227	}
2228
2229	/* found established ISAKMP-SA */
2230	/* i.e. iph1->status == PHASE1ST_ESTABLISHED */
2231
2232	/* found ISAKMP-SA. */
2233	plog(LLV_DEBUG, LOCATION, NULL, "begin QUICK mode.\n");
2234
2235	/* begin quick mode */
2236	if (isakmp_ph2begin_i(iph1, iph2))
2237	return -1;
2238
2239	return 0;
2240	}
2241
2242	int
2243	isakmp_get_sainfo(iph2, sp_out, sp_in)
2244	struct ph2handle *iph2;
2245	struct secpolicy sp_out, sp_in;
2246	{
2247	struct remoteconf *conf;
2248	uint32_t remoteid = 0;
2249
2250	plog(LLV_DEBUG, LOCATION, NULL,
2251	"new acquire %s\n", spidx2str(&sp_out->spidx));
2252
2253	/* get sainfo */
2254	{
2255	vchar_t idsrc, iddst;
2256
2257	idsrc = ipsecdoi_sockaddr2id((struct sockaddr *)&sp_out->spidx.src,
2258	sp_out->spidx.prefs, sp_out->spidx.ul_proto);
2259	if (idsrc == NULL) {
2260	plog(LLV_ERROR, LOCATION, NULL,
2261	"failed to get ID for %s\n",
2262	spidx2str(&sp_out->spidx));
2263	return -1;
2264	}
2265	iddst = ipsecdoi_sockaddr2id((struct sockaddr *)&sp_out->spidx.dst,
2266	sp_out->spidx.prefd, sp_out->spidx.ul_proto);
2267	if (iddst == NULL) {
2268	plog(LLV_ERROR, LOCATION, NULL,
2269	"failed to get ID for %s\n",
2270	spidx2str(&sp_out->spidx));
2271	vfree(idsrc);
2272	return -1;
2273	}
2274
2275	conf = getrmconf(iph2->dst, 0);
2276	if (conf != NULL)
2277	remoteid = conf->ph1id;
2278	else
2279	plog(LLV_DEBUG, LOCATION, NULL, "Warning: no valid rmconf !\n");
2280
2281	iph2->sainfo = getsainfo(idsrc, iddst, NULL, NULL, remoteid);
2282	vfree(idsrc);
2283	vfree(iddst);
2284	if (iph2->sainfo == NULL) {
2285	plog(LLV_ERROR, LOCATION, NULL,
2286	"failed to get sainfo.\n");
2287	return -1;
2288	/* XXX should use the algorithm list from register message */
2289	}
2290
2291	plog(LLV_DEBUG, LOCATION, NULL,
2292	"selected sainfo: %s\n", sainfo2str(iph2->sainfo));
2293	}
2294
2295	if (set_proposal_from_policy(iph2, sp_out, sp_in) < 0) {
2296	plog(LLV_ERROR, LOCATION, NULL,
2297	"failed to create saprop.\n");
2298	return -1;
2299	}
2300
2301	return 0;
2302	}
2303
2304
2305	/*
2306	* receive GETSPI from kernel.
2307	*/
2308	int
2309	isakmp_post_getspi(iph2)
2310	struct ph2handle *iph2;
2311	{
2312	#ifdef ENABLE_STATS
2313	struct timeval start, end;
2314	#endif
2315
2316	/* don't process it because there is no suitable phase1-sa. */
2317	if (iph2->ph1->status >= PHASE1ST_EXPIRED) {
2318	plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
2319	"the negotiation is stopped, "
2320	"because there is no suitable ISAKMP-SA.\n");
2321	return -1;
2322	}
2323
2324	#ifdef ENABLE_STATS
2325	gettimeofday(&start, NULL);
2326	#endif
2327	if ((ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)]
2328	[iph2->side]
2329	[iph2->status])(iph2, NULL) != 0)
2330	return -1;
2331	#ifdef ENABLE_STATS
2332	gettimeofday(&end, NULL);
2333	syslog(LOG_NOTICE, "%s(%s): %8.6f",
2334	"phase2",
2335	s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status),
2336	timedelta(&start, &end));
2337	#endif
2338
2339	return 0;
2340	}
2341
2342	/* called by scheduler */
2343	void
2344	isakmp_chkph1there_stub(p)
2345	struct sched *p;
2346	{
2347	isakmp_chkph1there(container_of(p, struct ph2handle, sce));
2348	}
2349
2350	void
2351	isakmp_chkph1there(iph2)
2352	struct ph2handle *iph2;
2353	{
2354	struct ph1handle *iph1;
2355
2356	iph2->retry_checkph1--;
2357	if (iph2->retry_checkph1 < 0) {
2358	plog(LLV_ERROR, LOCATION, iph2->dst,
2359	"phase2 negotiation failed "
2360	"due to time up waiting for phase1. %s\n",
2361	sadbsecas2str(iph2->dst, iph2->src,
2362	iph2->satype, 0, 0));
2363	plog(LLV_INFO, LOCATION, NULL,
2364	"delete phase 2 handler.\n");
2365
2366	/* send acquire to kernel as error */
2367	pk_sendeacquire(iph2);
2368
2369	remph2(iph2);
2370	delph2(iph2);
2371
2372	return;
2373	}
2374
2375	/* Search isakmp status table by address and port */
2376	iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
2377
2378	/* XXX Even if ph1 as responder is there, should we not start
2379	* phase 2 negotiation ? */
2380	if (iph1 != NULL
2381	&& iph1->status == PHASE1ST_ESTABLISHED) {
2382	/* found isakmp-sa */
2383
2384	plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: got a ph1 handler, setting ports.\n");
2385	plog(LLV_DEBUG2, LOCATION, NULL, "iph1->local: %s\n", saddr2str(iph1->local));
2386	plog(LLV_DEBUG2, LOCATION, NULL, "iph1->remote: %s\n", saddr2str(iph1->remote));
2387	plog(LLV_DEBUG2, LOCATION, NULL, "before:\n");
2388	plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str(iph2->src));
2389	plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str(iph2->dst));
2390	set_port(iph2->src, extract_port(iph1->local));
2391	set_port(iph2->dst, extract_port(iph1->remote));
2392	plog(LLV_DEBUG2, LOCATION, NULL, "After:\n");
2393	plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str(iph2->src));
2394	plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str(iph2->dst));
2395
2396	/* begin quick mode */
2397	(void)isakmp_ph2begin_i(iph1, iph2);
2398	return;
2399	}
2400
2401	plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: no established ph1 handler found\n");
2402
2403	/* no isakmp-sa found */
2404	sched_schedule(&iph2->sce, 1, isakmp_chkph1there_stub);
2405
2406	return;
2407	}
2408
2409	/* copy variable data into ALLOCATED buffer. */
2410	caddr_t
2411	isakmp_set_attr_v(buf, type, val, len)
2412	caddr_t buf;
2413	int type;
2414	caddr_t val;
2415	int len;
2416	{
2417	struct isakmp_data *data;
2418
2419	data = (struct isakmp_data *)buf;
2420	data->type = htons((u_int16_t)type \| ISAKMP_GEN_TLV);
2421	data->lorv = htons((u_int16_t)len);
2422	memcpy(data + 1, val, len);
2423
2424	return buf + sizeof(*data) + len;
2425	}
2426
2427	/* copy fixed length data into ALLOCATED buffer. */
2428	caddr_t
2429	isakmp_set_attr_l(buf, type, val)
2430	caddr_t buf;
2431	int type;
2432	u_int32_t val;
2433	{
2434	struct isakmp_data *data;
2435
2436	data = (struct isakmp_data *)buf;
2437	data->type = htons((u_int16_t)type \| ISAKMP_GEN_TV);
2438	data->lorv = htons((u_int16_t)val);
2439
2440	return buf + sizeof(*data);
2441	}
2442
2443	/* add a variable data attribute to the buffer by reallocating it. */
2444	vchar_t *
2445	isakmp_add_attr_v(buf0, type, val, len)
2446	vchar_t *buf0;
2447	int type;
2448	caddr_t val;
2449	int len;
2450	{
2451	vchar_t *buf = NULL;
2452	struct isakmp_data *data;
2453	int tlen;
2454	int oldlen = 0;
2455
2456	tlen = sizeof(*data) + len;
2457
2458	if (buf0) {
2459	oldlen = buf0->l;
2460	buf = vrealloc(buf0, oldlen + tlen);
2461	} else
2462	buf = vmalloc(tlen);
2463	if (!buf) {
2464	plog(LLV_ERROR, LOCATION, NULL,
2465	"failed to get a attribute buffer.\n");
2466	return NULL;
2467	}
2468
2469	data = (struct isakmp_data *)(buf->v + oldlen);
2470	data->type = htons((u_int16_t)type \| ISAKMP_GEN_TLV);
2471	data->lorv = htons((u_int16_t)len);
2472	memcpy(data + 1, val, len);
2473
2474	return buf;
2475	}
2476
2477	/* add a fixed data attribute to the buffer by reallocating it. */
2478	vchar_t *
2479	isakmp_add_attr_l(buf0, type, val)
2480	vchar_t *buf0;
2481	int type;
2482	u_int32_t val;
2483	{
2484	vchar_t *buf = NULL;
2485	struct isakmp_data *data;
2486	int tlen;
2487	int oldlen = 0;
2488
2489	tlen = sizeof(*data);
2490
2491	if (buf0) {
2492	oldlen = buf0->l;
2493	buf = vrealloc(buf0, oldlen + tlen);
2494	} else
2495	buf = vmalloc(tlen);
2496	if (!buf) {
2497	plog(LLV_ERROR, LOCATION, NULL,
2498	"failed to get a attribute buffer.\n");
2499	return NULL;
2500	}
2501
2502	data = (struct isakmp_data *)(buf->v + oldlen);
2503	data->type = htons((u_int16_t)type \| ISAKMP_GEN_TV);
2504	data->lorv = htons((u_int16_t)val);
2505
2506	return buf;
2507	}
2508
2509	/*
2510	* calculate cookie and set.
2511	*/
2512	int
2513	isakmp_newcookie(place, remote, local)
2514	caddr_t place;
2515	struct sockaddr *remote;
2516	struct sockaddr *local;
2517	{
2518	vchar_t buf = NULL, buf2 = NULL;
2519	char *p;
2520	int blen;
2521	int alen;
2522	caddr_t sa1, sa2;
2523	time_t t;
2524	int error = -1;
2525	u_short port;
2526
2527
2528	if (remote->sa_family != local->sa_family) {
2529	plog(LLV_ERROR, LOCATION, NULL,
2530	"address family mismatch, remote:%d local:%d\n",
2531	remote->sa_family, local->sa_family);
2532	goto end;
2533	}
2534	switch (remote->sa_family) {
2535	case AF_INET:
2536	alen = sizeof(struct in_addr);
2537	sa1 = (caddr_t)&((struct sockaddr_in *)remote)->sin_addr;
2538	sa2 = (caddr_t)&((struct sockaddr_in *)local)->sin_addr;
2539	break;
2540	#ifdef INET6
2541	case AF_INET6:
2542	alen = sizeof(struct in6_addr);
2543	sa1 = (caddr_t)&((struct sockaddr_in6 *)remote)->sin6_addr;
2544	sa2 = (caddr_t)&((struct sockaddr_in6 *)local)->sin6_addr;
2545	break;
2546	#endif
2547	default:
2548	plog(LLV_ERROR, LOCATION, NULL,
2549	"invalid family: %d\n", remote->sa_family);
2550	goto end;
2551	}
2552	blen = (alen + sizeof(u_short)) * 2
2553	+ sizeof(time_t) + lcconf->secret_size;
2554	buf = vmalloc(blen);
2555	if (buf == NULL) {
2556	plog(LLV_ERROR, LOCATION, NULL,
2557	"failed to get a cookie.\n");
2558	goto end;
2559	}
2560	p = buf->v;
2561
2562	/* copy my address */
2563	memcpy(p, sa1, alen);
2564	p += alen;
2565	port = ((struct sockaddr_in *)remote)->sin_port;
2566	memcpy(p, &port, sizeof(u_short));
2567	p += sizeof(u_short);
2568
2569	/* copy target address */
2570	memcpy(p, sa2, alen);
2571	p += alen;
2572	port = ((struct sockaddr_in *)local)->sin_port;
2573	memcpy(p, &port, sizeof(u_short));
2574	p += sizeof(u_short);
2575
2576	/* copy time */
2577	t = time(0);
2578	memcpy(p, (caddr_t)&t, sizeof(t));
2579	p += sizeof(t);
2580
2581	/* copy random value */
2582	buf2 = eay_set_random(lcconf->secret_size);
2583	if (buf2 == NULL)
2584	goto end;
2585	memcpy(p, buf2->v, lcconf->secret_size);
2586	p += lcconf->secret_size;
2587	vfree(buf2);
2588
2589	buf2 = eay_sha1_one(buf);
2590	memcpy(place, buf2->v, sizeof(cookie_t));
2591
2592	sa1 = val2str(place, sizeof (cookie_t));
2593	plog(LLV_DEBUG, LOCATION, NULL, "new cookie:\n%s\n", sa1);
2594	racoon_free(sa1);
2595
2596	error = 0;
2597	end:
2598	if (buf != NULL)
2599	vfree(buf);
2600	if (buf2 != NULL)
2601	vfree(buf2);
2602	return error;
2603	}
2604
2605	/*
2606	* save partner's(payload) data into phhandle.
2607	*/
2608	int
2609	isakmp_p2ph(buf, gen)
2610	vchar_t **buf;
2611	struct isakmp_gen *gen;
2612	{
2613	/* XXX to be checked in each functions for logging. */
2614	if (*buf) {
2615	plog(LLV_WARNING, LOCATION, NULL,
2616	"ignore this payload, same payload type exist.\n");
2617	return -1;
2618	}
2619
2620	buf = vmalloc(ntohs(gen->len) - sizeof(gen));
2621	if (*buf == NULL) {
2622	plog(LLV_ERROR, LOCATION, NULL,
2623	"failed to get buffer.\n");
2624	return -1;
2625	}
2626	memcpy((buf)->v, gen + 1, (buf)->l);
2627
2628	return 0;
2629	}
2630
2631	u_int32_t
2632	isakmp_newmsgid2(iph1)
2633	struct ph1handle *iph1;
2634	{
2635	u_int32_t msgid2;
2636
2637	do {
2638	msgid2 = eay_random();
2639	} while (getph2bymsgid(iph1, msgid2));
2640
2641	return msgid2;
2642	}
2643
2644	/*
2645	* set values into allocated buffer of isakmp header for phase 1
2646	*/
2647	static caddr_t
2648	set_isakmp_header(vbuf, iph1, nptype, etype, flags, msgid)
2649	vchar_t *vbuf;
2650	struct ph1handle *iph1;
2651	int nptype;
2652	u_int8_t etype;
2653	u_int8_t flags;
2654	u_int32_t msgid;
2655	{
2656	struct isakmp *isakmp;
2657
2658	if (vbuf->l < sizeof(*isakmp))
2659	return NULL;
2660
2661	isakmp = (struct isakmp *)vbuf->v;
2662
2663	memcpy(&isakmp->i_ck, &iph1->index.i_ck, sizeof(cookie_t));
2664	memcpy(&isakmp->r_ck, &iph1->index.r_ck, sizeof(cookie_t));
2665	isakmp->np = nptype;
2666	isakmp->v = iph1->version;
2667	isakmp->etype = etype;
2668	isakmp->flags = flags;
2669	isakmp->msgid = msgid;
2670	isakmp->len = htonl(vbuf->l);
2671
2672	return vbuf->v + sizeof(*isakmp);
2673	}
2674
2675	/*
2676	* set values into allocated buffer of isakmp header for phase 1
2677	*/
2678	caddr_t
2679	set_isakmp_header1(vbuf, iph1, nptype)
2680	vchar_t *vbuf;
2681	struct ph1handle *iph1;
2682	int nptype;
2683	{
2684	return set_isakmp_header (vbuf, iph1, nptype, iph1->etype, iph1->flags, iph1->msgid);
2685	}
2686
2687	/*
2688	* set values into allocated buffer of isakmp header for phase 2
2689	*/
2690	caddr_t
2691	set_isakmp_header2(vbuf, iph2, nptype)
2692	vchar_t *vbuf;
2693	struct ph2handle *iph2;
2694	int nptype;
2695	{
2696	return set_isakmp_header (vbuf, iph2->ph1, nptype, ISAKMP_ETYPE_QUICK, iph2->flags, iph2->msgid);
2697	}
2698
2699	/*
2700	* set values into allocated buffer of isakmp payload.
2701	*/
2702	caddr_t
2703	set_isakmp_payload(buf, src, nptype)
2704	caddr_t buf;
2705	vchar_t *src;
2706	int nptype;
2707	{
2708	struct isakmp_gen *gen;
2709	caddr_t p = buf;
2710
2711	plog(LLV_DEBUG, LOCATION, NULL, "add payload of len %zu, next type %d\n",
2712	src->l, nptype);
2713
2714	gen = (struct isakmp_gen *)p;
2715	gen->np = nptype;
2716	gen->len = htons(sizeof(*gen) + src->l);
2717	p += sizeof(*gen);
2718	memcpy(p, src->v, src->l);
2719	p += src->l;
2720
2721	return p;
2722	}
2723
2724	static int
2725	etypesw1(etype)
2726	int etype;
2727	{
2728	switch (etype) {
2729	case ISAKMP_ETYPE_IDENT:
2730	return 1;
2731	case ISAKMP_ETYPE_AGG:
2732	return 2;
2733	case ISAKMP_ETYPE_BASE:
2734	return 3;
2735	default:
2736	return 0;
2737	}
2738	/NOTREACHED/
2739	}
2740
2741	static int
2742	etypesw2(etype)
2743	int etype;
2744	{
2745	switch (etype) {
2746	case ISAKMP_ETYPE_QUICK:
2747	return 1;
2748	default:
2749	return 0;
2750	}
2751	/NOTREACHED/
2752	}
2753
2754	#ifdef HAVE_PRINT_ISAKMP_C
2755	/* for print-isakmp.c */
2756	char *snapend;
2757	extern void isakmp_print __P((const u_char , u_int, const u_char ));
2758
2759	char getname __P((const u_char ));
2760	#ifdef INET6
2761	char getname6 __P((const u_char ));
2762	#endif
2763	int safeputchar __P((int));
2764
2765	/*
2766	* Return a name for the IP address pointed to by ap. This address
2767	* is assumed to be in network byte order.
2768	*/
2769	char *
2770	getname(ap)
2771	const u_char *ap;
2772	{
2773	struct sockaddr_in addr;
2774	static char ntop_buf[NI_MAXHOST];
2775
2776	memset(&addr, 0, sizeof(addr));
2777	#ifndef __linux__
2778	addr.sin_len = sizeof(struct sockaddr_in);
2779	#endif
2780	addr.sin_family = AF_INET;
2781	memcpy(&addr.sin_addr, ap, sizeof(addr.sin_addr));
2782	if (getnameinfo((struct sockaddr *)&addr, sizeof(addr),
2783	ntop_buf, sizeof(ntop_buf), NULL, 0,
2784	NI_NUMERICHOST \| niflags))
2785	strlcpy(ntop_buf, "?", sizeof(ntop_buf));
2786
2787	return ntop_buf;
2788	}
2789
2790	#ifdef INET6
2791	/*
2792	* Return a name for the IP6 address pointed to by ap. This address
2793	* is assumed to be in network byte order.
2794	*/
2795	char *
2796	getname6(ap)
2797	const u_char *ap;
2798	{
2799	struct sockaddr_in6 addr;
2800	static char ntop_buf[NI_MAXHOST];
2801
2802	memset(&addr, 0, sizeof(addr));
2803	addr.sin6_len = sizeof(struct sockaddr_in6);
2804	addr.sin6_family = AF_INET6;
2805	memcpy(&addr.sin6_addr, ap, sizeof(addr.sin6_addr));
2806	if (getnameinfo((struct sockaddr *)&addr, addr.sin6_len,
2807	ntop_buf, sizeof(ntop_buf), NULL, 0,
2808	NI_NUMERICHOST \| niflags))
2809	strlcpy(ntop_buf, "?", sizeof(ntop_buf));
2810
2811	return ntop_buf;
2812	}
2813	#endif /* INET6 */
2814
2815	int
2816	safeputchar(c)
2817	int c;
2818	{
2819	unsigned char ch;
2820
2821	ch = (unsigned char)(c & 0xff);
2822	if (c < 0x80 && isprint(c))
2823	return printf("%c", c & 0xff);
2824	else
2825	return printf("\\%03o", c & 0xff);
2826	}
2827
2828	void
2829	isakmp_printpacket(msg, from, my, decoded)
2830	vchar_t *msg;
2831	struct sockaddr *from;
2832	struct sockaddr *my;
2833	int decoded;
2834	{
2835	#ifdef YIPS_DEBUG
2836	struct timeval tv;
2837	int s;
2838	char hostbuf[NI_MAXHOST];
2839	char portbuf[NI_MAXSERV];
2840	struct isakmp *isakmp;
2841	vchar_t *buf;
2842	#endif
2843
2844	if (loglevel < LLV_DEBUG)
2845	return;
2846
2847	#ifdef YIPS_DEBUG
2848	plog(LLV_DEBUG, LOCATION, NULL, "begin.\n");
2849
2850	gettimeofday(&tv, NULL);
2851	s = tv.tv_sec % 3600;
2852	printf("%02d:%02d.%06u ", s / 60, s % 60, (u_int32_t)tv.tv_usec);
2853
2854	if (from) {
2855	if (getnameinfo(from, sysdep_sa_len(from), hostbuf, sizeof(hostbuf),
2856	portbuf, sizeof(portbuf),
2857	NI_NUMERICHOST \| NI_NUMERICSERV \| niflags)) {
2858	strlcpy(hostbuf, "?", sizeof(hostbuf));
2859	strlcpy(portbuf, "?", sizeof(portbuf));
2860	}
2861	printf("%s:%s", hostbuf, portbuf);
2862	} else
2863	printf("?");
2864	printf(" -> ");
2865	if (my) {
2866	if (getnameinfo(my, sysdep_sa_len(my), hostbuf, sizeof(hostbuf),
2867	portbuf, sizeof(portbuf),
2868	NI_NUMERICHOST \| NI_NUMERICSERV \| niflags)) {
2869	strlcpy(hostbuf, "?", sizeof(hostbuf));
2870	strlcpy(portbuf, "?", sizeof(portbuf));
2871	}
2872	printf("%s:%s", hostbuf, portbuf);
2873	} else
2874	printf("?");
2875	printf(": ");
2876
2877	buf = vdup(msg);
2878	if (!buf) {
2879	printf("(malloc fail)\n");
2880	return;
2881	}
2882	if (decoded) {
2883	isakmp = (struct isakmp *)buf->v;
2884	if (isakmp->flags & ISAKMP_FLAG_E) {
2885	#if 0
2886	int pad;
2887	pad = (u_char )(buf->v + buf->l - 1);
2888	if (buf->l < pad && 2 < vflag)
2889	printf("(wrong padding)");
2890	#endif
2891	isakmp->flags &= ~ISAKMP_FLAG_E;
2892	}
2893	}
2894
2895	snapend = buf->v + buf->l;
2896	isakmp_print(buf->v, buf->l, NULL);
2897	vfree(buf);
2898	printf("\n");
2899	fflush(stdout);
2900
2901	return;
2902	#endif
2903	}
2904	#endif /HAVE_PRINT_ISAKMP_C/
2905
2906	int
2907	copy_ph1addresses(iph1, rmconf, remote, local)
2908	struct ph1handle *iph1;
2909	struct remoteconf *rmconf;
2910	struct sockaddr remote, local;
2911	{
2912	u_int16_t port;
2913
2914	/* address portion must be grabbed from real remote address "remote" */
2915	iph1->remote = dupsaddr(remote);
2916	if (iph1->remote == NULL)
2917	return -1;
2918
2919	/*
2920	* if remote has no port # (in case of initiator - from ACQUIRE msg)
2921	* - if remote.conf specifies port #, use that
2922	* - if remote.conf does not, use 500
2923	* if remote has port # (in case of responder - from recvfrom(2))
2924	* respect content of "remote".
2925	*/
2926	if (extract_port(iph1->remote) == 0) {
2927	port = 0;
2928	if (rmconf != NULL)
2929	port = extract_port(rmconf->remote);
2930	if (port == 0)
2931	port = PORT_ISAKMP;
2932	set_port(iph1->remote, port);
2933	}
2934
2935	if (local == NULL)
2936	iph1->local = getlocaladdr(iph1->remote);
2937	else
2938	iph1->local = dupsaddr(local);
2939	if (iph1->local == NULL)
2940	return -1;
2941
2942	if (extract_port(iph1->local) == 0) {
2943	port = myaddr_getsport(iph1->local);
2944	if (port == 0)
2945	port = PORT_ISAKMP;
2946	set_port(iph1->local, port);
2947	}
2948
2949	#ifdef ENABLE_NATT
2950	if (extract_port(iph1->local) == lcconf->port_isakmp_natt) {
2951	plog(LLV_DEBUG, LOCATION, NULL, "Marking ports as changed\n");
2952	iph1->natt_flags \|= NAT_ADD_NON_ESP_MARKER;
2953	}
2954	#endif
2955
2956	return 0;
2957	}
2958
2959	static int
2960	nostate1(iph1, msg)
2961	struct ph1handle *iph1;
2962	vchar_t *msg;
2963	{
2964	plog(LLV_ERROR, LOCATION, iph1->remote, "wrong state %u.\n",
2965	iph1->status);
2966	return -1;
2967	}
2968
2969	static int
2970	nostate2(iph2, msg)
2971	struct ph2handle *iph2;
2972	vchar_t *msg;
2973	{
2974	plog(LLV_ERROR, LOCATION, iph2->ph1->remote, "wrong state %u.\n",
2975	iph2->status);
2976	return -1;
2977	}
2978
2979	void
2980	log_ph1established(iph1)
2981	const struct ph1handle *iph1;
2982	{
2983	char src, dst;
2984
2985	src = racoon_strdup(saddr2str(iph1->local));
2986	dst = racoon_strdup(saddr2str(iph1->remote));
2987	STRDUP_FATAL(src);
2988	STRDUP_FATAL(dst);
2989
2990	plog(LLV_INFO, LOCATION, NULL,
2991	"ISAKMP-SA established %s-%s spi:%s\n",
2992	src, dst,
2993	isakmp_pindex(&iph1->index, 0));
2994
2995	evt_phase1(iph1, EVT_PHASE1_UP, NULL);
2996	if(!iph1->rmconf->mode_cfg)
2997	evt_phase1(iph1, EVT_PHASE1_MODE_CFG, NULL);
2998
2999	racoon_free(src);
3000	racoon_free(dst);
3001
3002	return;
3003	}
3004
3005	struct payload_list *
3006	isakmp_plist_append_full (struct payload_list plist, vchar_t payload,
3007	u_int8_t payload_type, u_int8_t free_payload)
3008	{
3009	if (! plist) {
3010	plist = racoon_malloc (sizeof (struct payload_list));
3011	plist->prev = NULL;
3012	}
3013	else {
3014	plist->next = racoon_malloc (sizeof (struct payload_list));
3015	plist->next->prev = plist;
3016	plist = plist->next;
3017	}
3018
3019	plist->next = NULL;
3020	plist->payload = payload;
3021	plist->payload_type = payload_type;
3022	plist->free_payload = free_payload;
3023
3024	return plist;
3025	}
3026
3027	vchar_t *
3028	isakmp_plist_set_all (struct payload_list *plist, struct ph1handle iph1)
3029	{
3030	struct payload_list ptr = plist, *first;
3031	size_t tlen = sizeof (struct isakmp), n = 0;
3032	vchar_t *buf = NULL;
3033	char *p;
3034
3035	/* Seek to the first item. */
3036	while (ptr->prev) ptr = ptr->prev;
3037	first = ptr;
3038
3039	/* Compute the whole length. */
3040	while (ptr) {
3041	tlen += ptr->payload->l + sizeof (struct isakmp_gen);
3042	ptr = ptr->next;
3043	}
3044
3045	buf = vmalloc(tlen);
3046	if (buf == NULL) {
3047	plog(LLV_ERROR, LOCATION, NULL,
3048	"failed to get buffer to send.\n");
3049	goto end;
3050	}
3051
3052	ptr = first;
3053
3054	p = set_isakmp_header1(buf, iph1, ptr->payload_type);
3055	if (p == NULL)
3056	goto end;
3057
3058	while (ptr)
3059	{
3060	p = set_isakmp_payload (p, ptr->payload, ptr->next ? ptr->next->payload_type : ISAKMP_NPTYPE_NONE);
3061	first = ptr;
3062	ptr = ptr->next;
3063	if (first->free_payload)
3064	vfree(first->payload);
3065	racoon_free (first);
3066	/* ptr->prev = NULL; first = NULL; ... omitted. */
3067	n++;
3068	}
3069
3070	*plist = NULL;
3071
3072	return buf;
3073	end:
3074	if (buf != NULL)
3075	vfree(buf);
3076	return NULL;
3077	}
3078
3079	#ifdef ENABLE_FRAG
3080	int
3081	frag_handler(iph1, msg, remote, local)
3082	struct ph1handle *iph1;
3083	vchar_t *msg;
3084	struct sockaddr *remote;
3085	struct sockaddr *local;
3086	{
3087	vchar_t *newmsg;
3088
3089	if (isakmp_frag_extract(iph1, msg) == 1) {
3090	if ((newmsg = isakmp_frag_reassembly(iph1)) == NULL) {
3091	plog(LLV_ERROR, LOCATION, remote,
3092	"Packet reassembly failed\n");
3093	return -1;
3094	}
3095	return isakmp_main(newmsg, remote, local);
3096	}
3097
3098	return 0;
3099	}
3100	#endif
3101
3102	void
3103	script_hook(iph1, script)
3104	struct ph1handle *iph1;
3105	int script;
3106	{
3107	#define IP_MAX 40
3108	#define PORT_MAX 6
3109	char addrstr[IP_MAX];
3110	char portstr[PORT_MAX];
3111	char **envp = NULL;
3112	int envc = 1;
3113	char **c;
3114
3115	if (iph1 == NULL \|\|
3116	iph1->rmconf == NULL \|\|
3117	iph1->rmconf->script[script] == NULL)
3118	return;
3119
3120	#ifdef ENABLE_HYBRID
3121	(void)isakmp_cfg_setenv(iph1, &envp, &envc);
3122	#endif
3123
3124	/* local address */
3125	GETNAMEINFO(iph1->local, addrstr, portstr);
3126
3127	if (script_env_append(&envp, &envc, "LOCAL_ADDR", addrstr) != 0) {
3128	plog(LLV_ERROR, LOCATION, NULL, "Cannot set LOCAL_ADDR\n");
3129	goto out;
3130	}
3131
3132	if (script_env_append(&envp, &envc, "LOCAL_PORT", portstr) != 0) {
3133	plog(LLV_ERROR, LOCATION, NULL, "Cannot set LOCAL_PORT\n");
3134	goto out;
3135	}
3136
3137	/* Peer address */
3138	if (iph1->remote != NULL) {
3139	GETNAMEINFO(iph1->remote, addrstr, portstr);
3140
3141	if (script_env_append(&envp, &envc,
3142	"REMOTE_ADDR", addrstr) != 0) {
3143	plog(LLV_ERROR, LOCATION, NULL,
3144	"Cannot set REMOTE_ADDR\n");
3145	goto out;
3146	}
3147
3148	if (script_env_append(&envp, &envc,
3149	"REMOTE_PORT", portstr) != 0) {
3150	plog(LLV_ERROR, LOCATION, NULL,
3151	"Cannot set REMOTEL_PORT\n");
3152	goto out;
3153	}
3154	}
3155
3156	/* Peer identity. */
3157	if (iph1->id_p != NULL) {
3158	if (script_env_append(&envp, &envc, "REMOTE_ID",
3159	ipsecdoi_id2str(iph1->id_p)) != 0) {
3160	plog(LLV_ERROR, LOCATION, NULL,
3161	"Cannot set REMOTE_ID\n");
3162	goto out;
3163	}
3164	}
3165
3166	if (privsep_script_exec(iph1->rmconf->script[script]->v,
3167	script, envp) != 0)
3168	plog(LLV_ERROR, LOCATION, NULL,
3169	"Script %s execution failed\n", script_names[script]);
3170
3171	out:
3172	for (c = envp; *c; c++)
3173	racoon_free(*c);
3174
3175	racoon_free(envp);
3176
3177	return;
3178	}
3179
3180	int
3181	script_env_append(envp, envc, name, value)
3182	char ***envp;
3183	int *envc;
3184	char *name;
3185	char *value;
3186	{
3187	char *envitem;
3188	char **newenvp;
3189	int newenvc;
3190
3191	envitem = racoon_malloc(strlen(name) + 1 + strlen(value) + 1);
3192	if (envitem == NULL) {
3193	plog(LLV_ERROR, LOCATION, NULL,
3194	"Cannot allocate memory: %s\n", strerror(errno));
3195	return -1;
3196	}
3197	sprintf(envitem, "%s=%s", name, value);
3198
3199	newenvc = (*envc) + 1;
3200	newenvp = racoon_realloc(envp, newenvc sizeof(char *));
3201	if (newenvp == NULL) {
3202	plog(LLV_ERROR, LOCATION, NULL,
3203	"Cannot allocate memory: %s\n", strerror(errno));
3204	racoon_free(envitem);
3205	return -1;
3206	}
3207
3208	newenvp[newenvc - 2] = envitem;
3209	newenvp[newenvc - 1] = NULL;
3210
3211	*envp = newenvp;
3212	*envc = newenvc;
3213	return 0;
3214	}
3215
3216	int
3217	script_exec(script, name, envp)
3218	char *script;
3219	int name;
3220	char *const envp[];
3221	{
3222	char *argv[] = { NULL, NULL, NULL };
3223
3224	argv[0] = script;
3225	argv[1] = script_names[name];
3226	argv[2] = NULL;
3227
3228	switch (fork()) {
3229	case 0:
3230	execve(argv[0], argv, envp);
3231	plog(LLV_ERROR, LOCATION, NULL,
3232	"execve(\"%s\") failed: %s\n",
3233	argv[0], strerror(errno));
3234	_exit(1);
3235	break;
3236	case -1:
3237	plog(LLV_ERROR, LOCATION, NULL,
3238	"Cannot fork: %s\n", strerror(errno));
3239	return -1;
3240	break;
3241	default:
3242	break;
3243	}
3244	return 0;
3245
3246	}
3247
3248	void
3249	purge_remote(iph1)
3250	struct ph1handle *iph1;
3251	{
3252	vchar_t *buf = NULL;
3253	struct sadb_msg msg, next, *end;
3254	struct sadb_sa *sa;
3255	struct sockaddr src, dst;
3256	caddr_t mhp[SADB_EXT_MAX + 1];
3257	u_int proto_id;
3258	struct ph2handle *iph2;
3259	struct ph1handle *new_iph1;
3260
3261	plog(LLV_INFO, LOCATION, NULL,
3262	"purging ISAKMP-SA spi=%s.\n",
3263	isakmp_pindex(&(iph1->index), iph1->msgid));
3264
3265	/* Mark as expired. */
3266	iph1->status = PHASE1ST_EXPIRED;
3267
3268	/* Check if we have another, still valid, phase1 SA. */
3269	new_iph1 = getph1(iph1, iph1->local, iph1->remote, GETPH1_F_ESTABLISHED);
3270
3271	/*
3272	* Delete all orphaned or binded to the deleting ph1handle phase2 SAs.
3273	* Keep all others phase2 SAs.
3274	*/
3275	buf = pfkey_dump_sadb(SADB_SATYPE_UNSPEC);
3276	if (buf == NULL) {
3277	plog(LLV_DEBUG, LOCATION, NULL,
3278	"pfkey_dump_sadb returned nothing.\n");
3279	return;
3280	}
3281
3282	msg = (struct sadb_msg *)buf->v;
3283	end = (struct sadb_msg *)(buf->v + buf->l);
3284
3285	while (msg < end) {
3286	if ((msg->sadb_msg_len << 3) < sizeof(*msg))
3287	break;
3288	next = (struct sadb_msg *)((caddr_t)msg + (msg->sadb_msg_len << 3));
3289	if (msg->sadb_msg_type != SADB_DUMP) {
3290	msg = next;
3291	continue;
3292	}
3293
3294	if (pfkey_align(msg, mhp) \|\| pfkey_check(mhp)) {
3295	plog(LLV_ERROR, LOCATION, NULL,
3296	"pfkey_check (%s)\n", ipsec_strerror());
3297	msg = next;
3298	continue;
3299	}
3300
3301	sa = (struct sadb_sa *)(mhp[SADB_EXT_SA]);
3302	if (!sa \|\|
3303	!mhp[SADB_EXT_ADDRESS_SRC] \|\|
3304	!mhp[SADB_EXT_ADDRESS_DST]) {
3305	msg = next;
3306	continue;
3307	}
3308	pk_fixup_sa_addresses(mhp);
3309	src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
3310	dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
3311
3312	if (sa->sadb_sa_state != SADB_SASTATE_LARVAL &&
3313	sa->sadb_sa_state != SADB_SASTATE_MATURE &&
3314	sa->sadb_sa_state != SADB_SASTATE_DYING) {
3315	msg = next;
3316	continue;
3317	}
3318
3319	/*
3320	* check in/outbound SAs.
3321	* Select only SAs where src == local and dst == remote (outgoing)
3322	* or src == remote and dst == local (incoming).
3323	*/
3324	if ((cmpsaddr(iph1->local, src) != CMPSADDR_MATCH \|\|
3325	cmpsaddr(iph1->remote, dst) != CMPSADDR_MATCH) &&
3326	(cmpsaddr(iph1->local, dst) != CMPSADDR_MATCH \|\|
3327	cmpsaddr(iph1->remote, src) != CMPSADDR_MATCH)) {
3328	msg = next;
3329	continue;
3330	}
3331
3332	proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype);
3333	iph2 = getph2bysaidx(src, dst, proto_id, sa->sadb_sa_spi);
3334
3335	/* Check if there is another valid ISAKMP-SA */
3336	if (new_iph1 != NULL) {
3337
3338	if (iph2 == NULL) {
3339	/* No handler... still send a pfkey_delete message, but log this !*/
3340	plog(LLV_INFO, LOCATION, NULL,
3341	"Unknown IPsec-SA spi=%u, hmmmm?\n",
3342	ntohl(sa->sadb_sa_spi));
3343	}else{
3344
3345	/*
3346	* If we have a new ph1, do not purge IPsec-SAs binded
3347	* to a different ISAKMP-SA
3348	*/
3349	if (iph2->ph1 != NULL && iph2->ph1 != iph1){
3350	msg = next;
3351	continue;
3352	}
3353
3354	/* If the ph2handle is established, do not purge IPsec-SA */
3355	if (iph2->status == PHASE2ST_ESTABLISHED \|\|
3356	iph2->status == PHASE2ST_EXPIRED) {
3357
3358	plog(LLV_INFO, LOCATION, NULL,
3359	"keeping IPsec-SA spi=%u - found valid ISAKMP-SA spi=%s.\n",
3360	ntohl(sa->sadb_sa_spi),
3361	isakmp_pindex(&(new_iph1->index), new_iph1->msgid));
3362	msg = next;
3363	continue;
3364	}
3365	}
3366	}
3367
3368
3369	pfkey_send_delete(lcconf->sock_pfkey,
3370	msg->sadb_msg_satype,
3371	IPSEC_MODE_ANY,
3372	src, dst, sa->sadb_sa_spi);
3373
3374	/* delete a relative phase 2 handle. */
3375	if (iph2 != NULL) {
3376	delete_spd(iph2, 0);
3377	remph2(iph2);
3378	delph2(iph2);
3379	}
3380
3381	plog(LLV_INFO, LOCATION, NULL,
3382	"purged IPsec-SA spi=%u.\n",
3383	ntohl(sa->sadb_sa_spi));
3384
3385	msg = next;
3386	}
3387
3388	if (buf)
3389	vfree(buf);
3390
3391	/* Mark the phase1 handler as EXPIRED */
3392	plog(LLV_INFO, LOCATION, NULL,
3393	"purged ISAKMP-SA spi=%s.\n",
3394	isakmp_pindex(&(iph1->index), iph1->msgid));
3395
3396	isakmp_ph1delete(iph1);
3397	}
3398
3399	void
3400	delete_spd(iph2, created)
3401	struct ph2handle *iph2;
3402	u_int64_t created;
3403	{
3404	struct policyindex spidx;
3405	struct sockaddr_storage addr;
3406	u_int8_t pref;
3407	struct sockaddr *src;
3408	struct sockaddr *dst;
3409	int error;
3410	int idi2type = 0;/* switch whether copy IDs into id[src,dst]. */
3411
3412	if (iph2 == NULL)
3413	return;
3414
3415	/* Delete the SPD entry if we generated it
3416	*/
3417	if (! iph2->generated_spidx )
3418	return;
3419
3420	src = iph2->src;
3421	dst = iph2->dst;
3422
3423	plog(LLV_INFO, LOCATION, NULL,
3424	"deleting a generated policy.\n");
3425
3426	memset(&spidx, 0, sizeof(spidx));
3427	iph2->spidx_gen = (caddr_t )&spidx;
3428
3429	/* make inbound policy */
3430	iph2->src = dst;
3431	iph2->dst = src;
3432	spidx.dir = IPSEC_DIR_INBOUND;
3433	spidx.ul_proto = 0;
3434
3435	/*
3436	* Note: code from get_proposal_r
3437	*/
3438
3439	#define _XIDT(d) ((struct ipsecdoi_id_b *)(d)->v)->type
3440
3441	/*
3442	* make destination address in spidx from either ID payload
3443	* or phase 1 address into a address in spidx.
3444	*/
3445	if (iph2->id != NULL
3446	&& (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR
3447	\|\| _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR
3448	\|\| _XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR_SUBNET
3449	\|\| _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
3450	/* get a destination address of a policy */
3451	error = ipsecdoi_id2sockaddr(iph2->id,
3452	(struct sockaddr *)&spidx.dst,
3453	&spidx.prefd, &spidx.ul_proto);
3454	if (error)
3455	goto purge;
3456
3457	#ifdef INET6
3458	/*
3459	* get scopeid from the SA address.
3460	* note that the phase 1 source address is used as
3461	* a destination address to search for a inbound
3462	* policy entry because rcoon is responder.
3463	*/
3464	if (_XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) {
3465	if ((error =
3466	setscopeid((struct sockaddr *)&spidx.dst,
3467	iph2->src)) != 0)
3468	goto purge;
3469	}
3470	#endif
3471
3472	if (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR
3473	\|\| _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR)
3474	idi2type = _XIDT(iph2->id);
3475
3476	} else {
3477
3478	plog(LLV_DEBUG, LOCATION, NULL,
3479	"get a destination address of SP index "
3480	"from phase1 address "
3481	"due to no ID payloads found "
3482	"OR because ID type is not address.\n");
3483
3484	/*
3485	* copy the SOURCE address of IKE into the
3486	* DESTINATION address of the key to search the
3487	* SPD because the direction of policy is inbound.
3488	*/
3489	memcpy(&spidx.dst, iph2->src, sysdep_sa_len(iph2->src));
3490	switch (spidx.dst.ss_family) {
3491	case AF_INET:
3492	spidx.prefd =
3493	sizeof(struct in_addr) << 3;
3494	break;
3495	#ifdef INET6
3496	case AF_INET6:
3497	spidx.prefd =
3498	sizeof(struct in6_addr) << 3;
3499	break;
3500	#endif
3501	default:
3502	spidx.prefd = 0;
3503	break;
3504	}
3505	}
3506
3507	/* make source address in spidx */
3508	if (iph2->id_p != NULL
3509	&& (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR
3510	\|\| _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR
3511	\|\| _XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR_SUBNET
3512	\|\| _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
3513	/* get a source address of inbound SA */
3514	error = ipsecdoi_id2sockaddr(iph2->id_p,
3515	(struct sockaddr *)&spidx.src,
3516	&spidx.prefs, &spidx.ul_proto);
3517	if (error)
3518	goto purge;
3519
3520	#ifdef INET6
3521	/*
3522	* get scopeid from the SA address.
3523	* for more detail, see above of this function.
3524	*/
3525	if (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR) {
3526	error =
3527	setscopeid((struct sockaddr *)&spidx.src,
3528	iph2->dst);
3529	if (error)
3530	goto purge;
3531	}
3532	#endif
3533
3534	/* make sa_[src,dst] if both ID types are IP address and same */
3535	if (_XIDT(iph2->id_p) == idi2type
3536	&& spidx.dst.ss_family == spidx.src.ss_family) {
3537	iph2->sa_src =
3538	dupsaddr((struct sockaddr *)&spidx.dst);
3539	if (iph2->sa_src == NULL) {
3540	plog(LLV_ERROR, LOCATION, NULL,
3541	"allocation failed\n");
3542	goto purge;
3543	}
3544	iph2->sa_dst =
3545	dupsaddr((struct sockaddr *)&spidx.src);
3546	if (iph2->sa_dst == NULL) {
3547	plog(LLV_ERROR, LOCATION, NULL,
3548	"allocation failed\n");
3549	goto purge;
3550	}
3551	}
3552
3553	} else {
3554	plog(LLV_DEBUG, LOCATION, NULL,
3555	"get a source address of SP index "
3556	"from phase1 address "
3557	"due to no ID payloads found "
3558	"OR because ID type is not address.\n");
3559
3560	/* see above comment. */
3561	memcpy(&spidx.src, iph2->dst, sysdep_sa_len(iph2->dst));
3562	switch (spidx.src.ss_family) {
3563	case AF_INET:
3564	spidx.prefs =
3565	sizeof(struct in_addr) << 3;
3566	break;
3567	#ifdef INET6
3568	case AF_INET6:
3569	spidx.prefs =
3570	sizeof(struct in6_addr) << 3;
3571	break;
3572	#endif
3573	default:
3574	spidx.prefs = 0;
3575	break;
3576	}
3577	}
3578
3579	#undef _XIDT
3580
3581	plog(LLV_DEBUG, LOCATION, NULL,
3582	"get a src address from ID payload "
3583	"%s prefixlen=%u ul_proto=%u\n",
3584	saddr2str((struct sockaddr *)&spidx.src),
3585	spidx.prefs, spidx.ul_proto);
3586	plog(LLV_DEBUG, LOCATION, NULL,
3587	"get dst address from ID payload "
3588	"%s prefixlen=%u ul_proto=%u\n",
3589	saddr2str((struct sockaddr *)&spidx.dst),
3590	spidx.prefd, spidx.ul_proto);
3591
3592	/*
3593	* convert the ul_proto if it is 0
3594	* because 0 in ID payload means a wild card.
3595	*/
3596	if (spidx.ul_proto == 0)
3597	spidx.ul_proto = IPSEC_ULPROTO_ANY;
3598
3599	#undef _XIDT
3600
3601	/* Check if the generated SPD has the same timestamp as the SA.
3602	* If timestamps are different, this means that the SPD entry has been
3603	* refreshed by another SA, and should NOT be deleted with the current SA.
3604	*/
3605	if( created ){
3606	struct secpolicy *p;
3607
3608	p = getsp(&spidx);
3609	if(p != NULL){
3610	/* just do no test if p is NULL, because this probably just means
3611	* that the policy has already be deleted for some reason.
3612	*/
3613	if(p->spidx.created != created)
3614	goto purge;
3615	}
3616	}
3617
3618	/* End of code from get_proposal_r
3619	*/
3620
3621	if (pk_sendspddelete(iph2) < 0) {
3622	plog(LLV_ERROR, LOCATION, NULL,
3623	"pfkey spddelete(inbound) failed.\n");
3624	}else{
3625	plog(LLV_DEBUG, LOCATION, NULL,
3626	"pfkey spddelete(inbound) sent.\n");
3627	}
3628
3629	#ifdef HAVE_POLICY_FWD
3630	/* make forward policy if required */
3631	if (tunnel_mode_prop(iph2->approval)) {
3632	spidx.dir = IPSEC_DIR_FWD;
3633	if (pk_sendspddelete(iph2) < 0) {
3634	plog(LLV_ERROR, LOCATION, NULL,
3635	"pfkey spddelete(forward) failed.\n");
3636	}else{
3637	plog(LLV_DEBUG, LOCATION, NULL,
3638	"pfkey spddelete(forward) sent.\n");
3639	}
3640	}
3641	#endif
3642
3643	/* make outbound policy */
3644	iph2->src = src;
3645	iph2->dst = dst;
3646	spidx.dir = IPSEC_DIR_OUTBOUND;
3647	addr = spidx.src;
3648	spidx.src = spidx.dst;
3649	spidx.dst = addr;
3650	pref = spidx.prefs;
3651	spidx.prefs = spidx.prefd;
3652	spidx.prefd = pref;
3653
3654	if (pk_sendspddelete(iph2) < 0) {
3655	plog(LLV_ERROR, LOCATION, NULL,
3656	"pfkey spddelete(outbound) failed.\n");
3657	}else{
3658	plog(LLV_DEBUG, LOCATION, NULL,
3659	"pfkey spddelete(outbound) sent.\n");
3660	}
3661	purge:
3662	iph2->spidx_gen=NULL;
3663	}
3664
3665
3666	#ifdef INET6
3667	u_int32_t
3668	setscopeid(sp_addr0, sa_addr0)
3669	struct sockaddr sp_addr0, sa_addr0;
3670	{
3671	struct sockaddr_in6 sp_addr, sa_addr;
3672
3673	sp_addr = (struct sockaddr_in6 *)sp_addr0;
3674	sa_addr = (struct sockaddr_in6 *)sa_addr0;
3675
3676	if (!IN6_IS_ADDR_LINKLOCAL(&sp_addr->sin6_addr)
3677	&& !IN6_IS_ADDR_SITELOCAL(&sp_addr->sin6_addr)
3678	&& !IN6_IS_ADDR_MULTICAST(&sp_addr->sin6_addr))
3679	return 0;
3680
3681	/* this check should not be here ? */
3682	if (sa_addr->sin6_family != AF_INET6) {
3683	plog(LLV_ERROR, LOCATION, NULL,
3684	"can't get scope ID: family mismatch\n");
3685	return -1;
3686	}
3687
3688	if (!IN6_IS_ADDR_LINKLOCAL(&sa_addr->sin6_addr)) {
3689	plog(LLV_ERROR, LOCATION, NULL,
3690	"scope ID is not supported except of lladdr.\n");
3691	return -1;
3692	}
3693
3694	sp_addr->sin6_scope_id = sa_addr->sin6_scope_id;
3695
3696	return 0;
3697	}
3698	#endif

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: rtems-libbsd/ipsec-tools/src/racoon/isakmp.c @ ff36f5e

Download in other formats: