Lines Matching defs:sa
238 struct iked_sa *sa, *satmp;
258 RB_FOREACH_SAFE(sa, iked_sas, &env->sc_sas, satmp) {
259 if (sa->sa_state != IKEV2_STATE_ESTABLISHED) {
260 sa_state(env, sa, IKEV2_STATE_CLOSING);
261 ikev2_ike_sa_setreason(sa, "reload");
262 sa_free(env, sa);
266 old = sa->sa_policy;
267 if (policy_lookup_sa(env, sa) == -1) {
269 SPI_SA(sa, __func__));
270 ikev2_ike_sa_setreason(sa, "Policy no longer exists");
271 ikev2_ikesa_delete(env, sa, sa->sa_hdr.sh_initiator);
273 if (old != sa->sa_policy) {
275 TAILQ_REMOVE(&old->pol_sapeers, sa, sa_peer_entry);
277 policy_ref(env, sa->sa_policy);
278 TAILQ_INSERT_TAIL(&sa->sa_policy->pol_sapeers, sa, sa_peer_entry);
327 struct iked_sa *sa;
356 if ((sa = ikev2_getimsgdata(env, imsg,
358 sa->sa_state < IKEV2_STATE_EAP)
362 id = &sa->sa_rcert;
364 id = &sa->sa_icert;
378 if (sa->sa_peerauth.id_type && ikev2_auth_verify(env, sa))
382 sa_stateflags(sa, IKED_REQ_CERTVALID);
384 if (ikev2_ike_auth(env, sa) != 0)
388 SPI_SA(sa, __func__));
389 ikev2_send_auth_failed(env, sa);
393 if ((sa = ikev2_getimsgdata(env, imsg,
403 if (sa->sa_stateflags & IKED_REQ_CERT ||
415 id = &sa->sa_icert;
417 id = &sa->sa_rcert;
430 sa_stateflags(sa, IKED_REQ_CERT);
432 if (ikev2_ike_auth(env, sa) != 0)
436 if ((sa = ikev2_getimsgdata(env, imsg,
443 if (sa->sa_stateflags & IKED_REQ_CERT ||
456 id = &sa->sa_scert[i];
481 if ((sa = ikev2_getimsgdata(env, imsg,
486 if (sa_stateok(sa, IKEV2_STATE_VALID)) {
488 SPI_SA(sa, __func__),
489 print_map(sa->sa_state, ikev2_state_map));
495 id = &sa->sa_localauth;
510 sa_stateflags(sa, IKED_REQ_AUTH);
512 if (ikev2_ike_auth(env, sa) != 0)
546 ikev2_ike_sa_delete(struct iked *env, struct iked_sa *sa)
548 if (sa->sa_state != IKEV2_STATE_ESTABLISHED)
550 if (sa->sa_stateflags & (IKED_REQ_CHILDSA|IKED_REQ_INF))
552 ikev2_disable_timer(env, sa);
553 ikev2_ike_sa_setreason(sa, "reset sa control message");
554 ikev2_ikesa_delete(env, sa, 1);
555 timer_add(env, &sa->sa_timer, 0);
562 struct iked_sa *sa;
570 RB_FOREACH(sa, iked_sas, &env->sc_sas) {
571 if (ikev2_print_id(IKESA_DSTID(sa), sa_id, sizeof(sa_id)) == -1)
575 if (sa->sa_state == IKEV2_STATE_CLOSED)
577 if (sa->sa_state == IKEV2_STATE_ESTABLISHED)
578 ikev2_disable_timer(env, sa);
580 sa, sa_id,
581 print_spi(sa->sa_hdr.sh_ispi, 8),
582 print_spi(sa->sa_hdr.sh_rspi, 8));
583 ikev2_ike_sa_setreason(sa, "reset control message");
584 ikev2_ikesa_delete(env, sa, 1);
586 timer_add(env, &sa->sa_timer, 3 * IKED_RETRANSMIT_TIMEOUT);
611 struct iked_sa *sa;
626 sa = sa_lookup(env, sh->sh_ispi, sh->sh_rspi, sh->sh_initiator);
628 log_debug("%s: imsg %d rspi %s ispi %s initiator %d sa %s"
634 sa == NULL ? "invalid" : "valid", *type, len);
636 if (sa == NULL)
642 return (sa);
657 struct iked_sa *sa;
698 if ((sa = msg->msg_sa) == NULL)
701 sa->sa_last_recvd = gettime();
716 if (msg->msg_msgid > sa->sa_reqid) {
720 mr = ikev2_msg_lookup(env, &sa->sa_requests, msg,
723 mr == NULL && sa->sa_fragments.frag_count == 0) {
728 if ((sa->sa_stateflags & flag) == 0) {
742 ikev2_msg_dispose(env, &sa->sa_requests, mr);
751 if (sa->sa_state == IKEV2_STATE_CLOSED && sa->sa_1stmsg &&
754 (ibuf_size(msg->msg_data) != ibuf_size(sa->sa_1stmsg) ||
755 memcmp(ibuf_data(msg->msg_data), ibuf_data(sa->sa_1stmsg),
756 ibuf_size(sa->sa_1stmsg)) != 0)) {
757 ikev2_ike_sa_setreason(sa, NULL);
758 sa_free(env, sa);
759 msg->msg_sa = sa = NULL;
762 if (msg->msg_msgid < sa->sa_msgid) {
772 if ((r = ikev2_msg_retransmit_response(env, sa, msg, hdr))
777 ikev2_ike_sa_setreason(sa,
779 sa_free(env, sa);
782 } else if (sa->sa_msgid_set && msg->msg_msgid == sa->sa_msgid) {
790 sa->sa_msgid_current = msg->msg_msgid;
793 if (sa_address(sa, &sa->sa_peer, (struct sockaddr *)&msg->msg_peer)
795 sa_address(sa, &sa->sa_local, (struct sockaddr *)&msg->msg_local)
801 sa->sa_fd = msg->msg_fd;
804 print_addr(&sa->sa_peer.addr), print_addr(&sa->sa_local.addr));
812 if (sa != NULL && !msg->msg_response && msg->msg_valid) {
819 sa->sa_msgid = sa->sa_msgid_current;
820 sa->sa_msgid_set = 1;
821 ikev2_msg_prevail(env, &sa->sa_responses, msg);
824 if (sa != NULL && sa->sa_state == IKEV2_STATE_CLOSED) {
826 ikev2_ike_sa_setreason(sa, "closed");
827 sa_free(env, sa);
832 ikev2_ike_auth_compatible(struct iked_sa *sa, uint8_t policy, uint8_t wire)
860 if (sa->sa_sigsha2)
869 ikev2_auth_verify(struct iked *env, struct iked_sa *sa)
875 memcpy(&ikeauth, &sa->sa_policy->pol_auth,
878 if (sa->sa_policy->pol_auth.auth_eap &&
879 sa->sa_eapmsk != NULL) {
888 ibuf_data(sa->sa_eapmsk),
889 ibuf_size(sa->sa_eapmsk));
890 ikeauth.auth_length = ibuf_size(sa->sa_eapmsk);
893 if (ikev2_ike_auth_compatible(sa,
894 ikeauth.auth_method, sa->sa_peerauth.id_type) < 0) {
896 "expecting %s", SPI_SA(sa, __func__),
897 print_map(sa->sa_peerauth.id_type,
901 ikev2_send_auth_failed(env, sa);
905 ikeauth.auth_method = sa->sa_peerauth.id_type;
907 if ((authmsg = ikev2_msg_auth(env, sa,
908 sa->sa_hdr.sh_initiator)) == NULL) {
911 ikev2_send_auth_failed(env, sa);
916 ret = ikev2_msg_authverify(env, sa, &ikeauth,
917 ibuf_data(sa->sa_peerauth.id_buf),
918 ibuf_size(sa->sa_peerauth.id_buf),
923 SPI_SA(sa, __func__));
924 ikev2_send_auth_failed(env, sa);
928 if (sa->sa_eapmsk != NULL) {
929 if ((authmsg = ikev2_msg_auth(env, sa,
930 !sa->sa_hdr.sh_initiator)) == NULL) {
938 ret = ikev2_msg_authsign(env, sa, &ikeauth, authmsg);
941 ikev2_send_auth_failed(env, sa);
947 sa_stateflags(sa, IKED_REQ_AUTHVALID);
948 sa_stateflags(sa, IKED_REQ_EAPVALID);
949 sa_state(env, sa, IKEV2_STATE_EAP_SUCCESS);
957 ikev2_ike_auth_recv(struct iked *env, struct iked_sa *sa,
970 !sa_stateok(sa, IKEV2_STATE_EAP))
971 sa_state(env, sa, IKEV2_STATE_AUTH_REQUEST);
973 if (!sa->sa_hdr.sh_initiator &&
974 !sa_stateok(sa, IKEV2_STATE_AUTH_REQUEST) &&
975 sa->sa_policy->pol_auth.auth_eap)
976 sa_state(env, sa, IKEV2_STATE_EAP);
978 if (sa->sa_hdr.sh_initiator)
979 id = &sa->sa_rid;
981 id = &sa->sa_iid;
984 if (msg->msg_peerid.id_type && !sa->sa_hdr.sh_initiator) {
985 old = sa->sa_policy;
987 sa->sa_policy = NULL;
988 if (policy_lookup(env, msg, &sa->sa_proposals, NULL, 0) != 0 ||
991 SPI_SA(sa, __func__));
992 ikev2_send_auth_failed(env, sa);
993 TAILQ_REMOVE(&old->pol_sapeers, sa, sa_peer_entry);
999 TAILQ_REMOVE(&old->pol_sapeers, sa, sa_peer_entry);
1003 if (sa_new(env, sa->sa_hdr.sh_ispi,
1004 sa->sa_hdr.sh_rspi, 0, msg->msg_policy) != sa) {
1006 SPI_SA(sa, __func__));
1007 ikev2_send_auth_failed(env, sa);
1012 msg->msg_policy = sa->sa_policy = old;
1016 } else if (sa->sa_hdr.sh_initiator) {
1017 old = sa->sa_policy;
1020 sa->sa_policy = NULL;
1021 if (policy_lookup(env, msg, &sa->sa_proposals, &old->pol_flows,
1029 log_warnx("%s: policy mismatch", SPI_SA(sa, __func__));
1030 ikev2_send_auth_failed(env, sa);
1031 TAILQ_REMOVE(&old->pol_sapeers, sa, sa_peer_entry);
1036 msg->msg_policy = sa->sa_policy = old;
1041 !sa->sa_policy->pol_auth.auth_eap) {
1047 log_debug("%s: missing auth payload", SPI_SA(sa, __func__));
1048 ikev2_send_auth_failed(env, sa);
1056 if (!sa->sa_hdr.sh_initiator) {
1057 if ((authmsg = ikev2_msg_auth(env, sa,
1058 !sa->sa_hdr.sh_initiator)) == NULL) {
1064 ca_setauth(env, sa, authmsg, PROC_CERT);
1094 if (proposals_negotiate(&sa->sa_proposals,
1095 &sa->sa_policy->pol_proposals, &msg->msg_proposals,
1102 sa_stateflags(sa, IKED_REQ_SA);
1106 memcpy(&sa->sa_peerauth, &msg->msg_auth, sizeof(sa->sa_peerauth));
1112 sa->sa_cp_addr = msg->msg_cp_addr;
1116 sa->sa_cp_addr6 = msg->msg_cp_addr6;
1120 sa->sa_cp_dns = msg->msg_cp_dns;
1123 sa->sa_cp = msg->msg_cp;
1127 if ((sa->sa_policy->pol_auth.auth_eap &&
1128 sa->sa_eapmsk != NULL) ||
1129 sa->sa_policy->pol_auth.auth_method == IKEV2_AUTH_SHARED_KEY_MIC)
1130 ikev2_auth_verify(env, sa);
1132 else if (sa->sa_peerauth.id_type) {
1138 sa->sa_stateflags &= ~IKED_REQ_CERTVALID;
1139 if (ca_setcert(env, &sa->sa_hdr, id, certtype, cert, certlen, PROC_CERT) == -1)
1143 if (sa->sa_cp == IKEV2_CP_REPLY) {
1144 if (sa->sa_cp_addr)
1145 log_info("%s: obtained lease: %s", SPI_SA(sa, __func__),
1146 print_addr(&sa->sa_cp_addr->addr));
1147 if (sa->sa_cp_addr6)
1148 log_info("%s: obtained lease: %s", SPI_SA(sa, __func__),
1149 print_addr(&sa->sa_cp_addr6->addr));
1150 if (sa->sa_cp_dns)
1151 log_info("%s: obtained DNS: %s", SPI_SA(sa, __func__),
1152 print_addr(&sa->sa_cp_dns->addr));
1155 return ikev2_ike_auth(env, sa);
1159 ikev2_ike_auth(struct iked *env, struct iked_sa *sa)
1162 if (sa->sa_state == IKEV2_STATE_EAP_SUCCESS)
1163 sa_state(env, sa, IKEV2_STATE_EAP_VALID);
1164 else if (sa->sa_state == IKEV2_STATE_AUTH_SUCCESS)
1165 sa_state(env, sa, IKEV2_STATE_VALID);
1167 if (sa->sa_hdr.sh_initiator) {
1168 if (sa_stateok(sa, IKEV2_STATE_AUTH_SUCCESS))
1169 return (ikev2_init_done(env, sa));
1171 else if (sa_stateok(sa, IKEV2_STATE_AUTH_REQUEST))
1174 return (ikev2_init_ike_auth(env, sa));
1176 return (ikev2_resp_ike_auth(env, sa));
1183 struct iked_sa *sa;
1190 sa = msg->msg_sa;
1195 if ((sa = sa_new(env,
1197 NULL)) == NULL || sa != msg->msg_sa) {
1199 if (sa) {
1200 ikev2_ike_sa_setreason(sa, "invalid new SA");
1201 sa_free(env, sa);
1221 if (sa->sa_fragments.frag_count != 0)
1230 if (msg->msg_nat_detected && sa->sa_natt == 0)
1231 ikev2_enable_natt(env, sa, msg, 1);
1236 pol = sa->sa_policy;
1240 "IKE_SA_INIT exchange", SPI_SA(sa,
1246 SPI_SA(sa, __func__));
1247 ikev2_ike_sa_setreason(sa, "no proposal chosen");
1248 sa_state(env, sa, IKEV2_STATE_CLOSED);
1256 ikev2_ike_sa_setreason(sa,
1258 sa_state(env, sa, IKEV2_STATE_CLOSED);
1267 ikev2_log_cert_info(SPI_SA(sa, __func__),
1268 sa->sa_hdr.sh_initiator ? &sa->sa_rcert
1269 : &sa->sa_icert);
1270 ikev2_ike_sa_setreason(sa,
1272 sa_state(env, sa, IKEV2_STATE_CLOSED);
1278 SPI_SA(sa, __func__));
1279 ikev2_ike_sa_setreason(sa, "no proposal chosen (IKE SA)");
1280 sa_state(env, sa, IKEV2_STATE_CLOSED);
1285 (void)ikev2_ike_auth_recv(env, sa, msg);
1290 SPI_SA(sa, __func__));
1291 ikev2_ike_sa_setreason(sa, "no proposal chosen (CHILD SA)");
1292 sa_state(env, sa, IKEV2_STATE_CLOSED);
1299 sa->sa_stateflags &= ~IKED_REQ_INF;
1309 ikev2_enable_natt(struct iked *env, struct iked_sa *sa,
1315 sock = ikev2_msg_getsocket(env, sa->sa_local.addr_af, 1);
1325 sa->sa_local.addr_port = port;
1326 sa->sa_peer.addr_port = port;
1327 (void)socket_af((struct sockaddr *)&sa->sa_local.addr, port);
1328 (void)socket_af((struct sockaddr *)&sa->sa_peer.addr, port);
1330 msg->msg_fd = sa->sa_fd = sock->sock_fd;
1332 sa->sa_natt = 1;
1334 sa->sa_udpencap = 1;
1338 print_addr(&sa->sa_peer.addr), print_addr(&sa->sa_local.addr));
1369 struct iked_sa *sa = arg;
1372 print_spi(sa->sa_hdr.sh_ispi, 8),
1373 print_spi(sa->sa_hdr.sh_rspi, 8));
1375 ikev2_ike_sa_setreason(sa, "SA_INIT timeout");
1376 sa_free(env, sa);
1389 struct iked_sa *sa = NULL;
1401 sa = retry->msg_sa;
1403 sa_state(env, sa, IKEV2_STATE_INIT);
1407 if (sa == NULL &&
1408 (sa = sa_new(env, 0, 0, 1, pol)) == NULL)
1412 if (pol->pol_peerdh > 0 && sa->sa_dhgroup == NULL &&
1413 (sa->sa_dhgroup = group_get(pol->pol_peerdh)) == NULL) {
1414 log_warnx("%s: invalid peer DH group %u", SPI_SA(sa, __func__),
1418 sa->sa_reqid = 0;
1420 if (ikev2_sa_initiator(env, sa, NULL, NULL) == -1)
1439 req.msg_sa = sa;
1441 req.msg_msgid = ikev2_msg_id(env, sa);
1444 if ((hdr = ikev2_add_header(buf, sa, req.msg_msgid,
1473 if ((len = ikev2_add_proposals(env, sa, buf, &pol->pol_proposals,
1474 IKEV2_SAPROTO_IKE, sa->sa_hdr.sh_initiator, 0, 0)) == -1)
1485 if ((group = sa->sa_dhgroup) == NULL) {
1490 if (ikev2_add_buf(buf, sa->sa_dhiexchange) == -1)
1492 len = sizeof(*ke) + ibuf_size(sa->sa_dhiexchange);
1500 if (ikev2_add_buf(buf, sa->sa_inonce) == -1)
1502 len = ibuf_size(sa->sa_inonce);
1523 req.msg_natt = sa->sa_natt = sa->sa_udpencap = 1;
1541 ibuf_free(sa->sa_1stmsg);
1542 if ((sa->sa_1stmsg = ibuf_dup(buf)) == NULL) {
1548 sa_state(env, sa, IKEV2_STATE_SA_INIT);
1551 timer_set(env, &sa->sa_timer, ikev2_init_ike_sa_timeout, sa);
1552 timer_add(env, &sa->sa_timer, IKED_IKE_SA_EXCHANGE_TIMEOUT);
1559 ikev2_ike_sa_setreason(sa, "failed to send SA_INIT");
1560 sa_free(env, sa);
1570 struct iked_sa *sa = msg->msg_sa;
1573 if (sa == NULL)
1576 if (ikev2_sa_initiator(env, sa, NULL, msg) == -1) {
1577 log_info("%s: failed to get IKE keys", SPI_SA(sa, __func__));
1581 if ((authmsg = ikev2_msg_auth(env, sa,
1582 !sa->sa_hdr.sh_initiator)) == NULL) {
1583 log_info("%s: failed to get auth data", SPI_SA(sa, __func__));
1587 if (ca_setauth(env, sa, authmsg, PROC_CERT) == -1) {
1588 log_info("%s: failed to get cert", SPI_SA(sa, __func__));
1594 return (ikev2_init_ike_auth(env, sa));
1598 ikev2_init_ike_auth(struct iked *env, struct iked_sa *sa)
1600 struct iked_policy *pol = sa->sa_policy;
1611 if (!sa_stateok(sa, IKEV2_STATE_SA_INIT))
1614 if (!sa->sa_localauth.id_type) {
1623 id = &sa->sa_iid;
1624 certid = &sa->sa_icert;
1650 if ((sa->sa_stateinit & IKED_REQ_CERT) &&
1665 if (sa->sa_scert[i].id_type == IKEV2_CERT_NONE)
1674 cert->cert_type = sa->sa_scert[i].id_type;
1675 if (ibuf_add_ibuf(e, sa->sa_scert[i].id_buf) != 0)
1677 len = ibuf_size(sa->sa_scert[i].id_buf) + sizeof(*cert);
1699 auth->auth_method = sa->sa_localauth.id_type;
1700 if (ibuf_add_ibuf(e, sa->sa_localauth.id_buf) != 0)
1702 len = ibuf_size(sa->sa_localauth.id_buf) + sizeof(*auth);
1705 if (ikev2_cp_request_configured(sa)) {
1710 if ((len = ikev2_init_add_cp(env, sa, e)) == -1)
1715 (len = ikev2_add_ipcompnotify(env, e, &pld, len, sa, 1)) == -1)
1718 (len = ikev2_add_transport_mode(env, e, &pld, len, sa)) == -1)
1727 if ((len = ikev2_add_proposals(env, sa, e, &pol->pol_proposals, 0,
1728 sa->sa_hdr.sh_initiator, 0, 1)) == -1)
1731 if ((len = ikev2_add_ts(e, &pld, len, sa, 0)) == -1)
1737 ret = ikev2_msg_send_encrypt(env, sa, &e,
1747 ikev2_enable_timer(struct iked *env, struct iked_sa *sa)
1749 sa->sa_last_recvd = gettime();
1750 timer_set(env, &sa->sa_timer, ikev2_ike_sa_alive, sa);
1752 timer_add(env, &sa->sa_timer, env->sc_alive_timeout);
1753 timer_set(env, &sa->sa_keepalive, ikev2_ike_sa_keepalive, sa);
1754 if (sa->sa_usekeepalive)
1755 timer_add(env, &sa->sa_keepalive,
1757 timer_set(env, &sa->sa_rekey, ikev2_ike_sa_rekey, sa);
1758 if (sa->sa_policy->pol_rekey)
1759 ikev2_ike_sa_rekey_schedule(env, sa);
1765 struct iked_sa *sa;
1767 RB_FOREACH(sa, iked_sas, &env->sc_sas) {
1768 if (sa->sa_state != IKEV2_STATE_ESTABLISHED)
1770 timer_del(env, &sa->sa_timer);
1772 timer_add(env, &sa->sa_timer, env->sc_alive_timeout);
1777 ikev2_disable_timer(struct iked *env, struct iked_sa *sa)
1779 timer_del(env, &sa->sa_timer);
1780 timer_del(env, &sa->sa_keepalive);
1781 timer_del(env, &sa->sa_rekey);
1785 ikev2_init_done(struct iked *env, struct iked_sa *sa)
1789 if (!sa_stateok(sa, IKEV2_STATE_VALID))
1792 ret = ikev2_childsa_negotiate(env, sa, &sa->sa_kex, &sa->sa_proposals,
1793 sa->sa_hdr.sh_initiator, 0);
1795 ret = ikev2_childsa_enable(env, sa);
1797 sa_state(env, sa, IKEV2_STATE_ESTABLISHED);
1798 iked_radius_acct_start(env, sa);
1800 timer_del(env, &sa->sa_timer);
1801 ikev2_enable_timer(env, sa);
1802 ikev2_log_established(sa);
1803 ikev2_record_dstid(env, sa);
1804 sa_configure_iface(env, sa, 1);
1808 ikev2_childsa_delete(env, sa, 0, 0, NULL, 1);
1903 ikev2_add_header(struct ibuf *buf, struct iked_sa *sa,
1914 hdr->ike_ispi = htobe64(sa->sa_hdr.sh_ispi);
1915 hdr->ike_rspi = htobe64(sa->sa_hdr.sh_rspi);
1923 if (sa->sa_hdr.sh_initiator)
1961 ikev2_add_ts_payload(struct ibuf *buf, unsigned int type, struct iked_sa *sa)
1963 struct iked_policy *pol = sa->sa_policy;
1983 if (sa->sa_hdr.sh_initiator) {
1991 if (sa->sa_hdr.sh_initiator) {
2008 if ((type == IKEV2_PAYLOAD_TSi && !sa->sa_hdr.sh_initiator) ||
2009 (type == IKEV2_PAYLOAD_TSr && sa->sa_hdr.sh_initiator)) {
2010 if (ikev2_cp_fixaddr(sa, addr, &pooladdr) == 0)
2081 struct iked_sa *sa, int reverse)
2090 IKEV2_PAYLOAD_TSi, sa)) == -1)
2100 IKEV2_PAYLOAD_TSr, sa)) == -1)
2143 struct ikev2_payload **pld, ssize_t len, struct iked_sa *sa,
2156 ic = initiator ? &sa->sa_ipcompi : &sa->sa_ipcompr;
2161 csa.csa_ikesa = sa;
2162 csa.csa_local = &sa->sa_peer;
2163 csa.csa_peer = &sa->sa_local;
2295 struct ikev2_payload **pld, ssize_t len, struct iked_sa *sa)
2328 struct iked_sa *sa = msg->msg_sa;
2350 ispi = htobe64(sa->sa_hdr.sh_ispi);
2351 rspi = htobe64(sa->sa_hdr.sh_rspi);
2475 ikev2_add_cp(struct iked *env, struct iked_sa *sa, int type, struct ibuf *buf)
2477 struct iked_policy *pol = sa->sa_policy;
2504 if (sa->sa_radreq != NULL)
2505 rad_ncfg = sa->sa_radreq->rr_ncfg;
2511 ikecfg = &sa->sa_radreq->rr_cfg[i - pol->pol_ncfg];
2545 sa->sa_addrpool &&
2546 sa->sa_addrpool->addr_af == AF_INET) ?
2547 (struct sockaddr_in *)&sa->sa_addrpool->addr :
2559 if (sa->sa_addrpool &&
2560 sa->sa_addrpool->addr_af == AF_INET &&
2561 sa->sa_addrpool->addr_mask != 0)
2594 sa->sa_addrpool6 &&
2595 sa->sa_addrpool6->addr_af == AF_INET6) ?
2596 (struct sockaddr_in6 *)&sa->sa_addrpool6->addr :
2628 mask4 = prefixlen2mask(sa->sa_addrpool->addr_mask);
2639 ikev2_init_add_cp(struct iked *env, struct iked_sa *sa, struct ibuf *buf)
2641 return (ikev2_add_cp(env, sa, IKEV2_CP_REQUEST, buf));
2645 ikev2_resp_add_cp(struct iked *env, struct iked_sa *sa, struct ibuf *buf)
2649 switch (sa->sa_cp) {
2651 ret = ikev2_add_cp(env, sa, IKEV2_CP_REPLY, buf);
2664 ikev2_add_proposals(struct iked *env, struct iked_sa *sa, struct ibuf *buf,
2688 csa.csa_ikesa = sa;
2690 csa.csa_local = &sa->sa_peer;
2691 csa.csa_peer = &sa->sa_local;
2710 sa->sa_hdr.sh_ispi : sa->sa_hdr.sh_rspi;
2859 ikev2_resp_informational(struct iked *env, struct iked_sa *sa,
2869 if (!sa_stateok(sa, IKEV2_STATE_AUTH_REQUEST) ||
2884 if (sa->sa_mobike &&
2917 ret = ikev2_msg_send_encrypt(env, sa, &buf,
2924 ikev2_log_cert_info(SPI_SA(sa, __func__),
2925 sa->sa_hdr.sh_initiator ? &sa->sa_rcert : &sa->sa_icert);
2926 ikev2_ike_sa_setreason(sa,
2928 sa_state(env, sa, IKEV2_STATE_CLOSED);
2939 struct iked_sa *sa;
2990 if ((sa = msg->msg_sa) == NULL)
2993 if (sa->sa_fragments.frag_count != 0)
2998 if (msg->msg_natt && sa->sa_natt == 0) {
3000 sa->sa_natt = 1;
3005 if (ikev2_sa_responder(env, sa, NULL, msg) != 0) {
3007 SPI_SA(sa, __func__));
3011 ikev2_ike_sa_setreason(sa, "no proposal chosen");
3012 sa_state(env, sa, IKEV2_STATE_CLOSED);
3017 ikev2_ike_sa_setreason(sa, "SA_INIT response failed");
3018 sa_state(env, sa, IKEV2_STATE_CLOSED);
3023 if (!sa_stateok(sa, IKEV2_STATE_SA_INIT)) {
3025 ikev2_ike_sa_setreason(sa, "state mismatch IKE_AUTH");
3026 sa_state(env, sa, IKEV2_STATE_CLOSED);
3032 if (ikev2_resp_ike_eap(env, sa, msg)) {
3034 SPI_SA(sa, __func__));
3035 ikev2_ike_sa_setreason(sa, "EAP failed");
3036 sa_state(env, sa, IKEV2_STATE_CLOSED);
3042 if (ikev2_ike_auth_recv(env, sa, msg) != 0) {
3044 ikev2_send_error(env, sa, msg, hdr->ike_exchange);
3045 ikev2_ike_sa_setreason(sa, "IKE_AUTH failed");
3046 sa_state(env, sa, IKEV2_STATE_CLOSED);
3054 ikev2_send_error(env, sa, msg, hdr->ike_exchange);
3059 ikev2_update_sa_addresses(env, sa);
3060 (void)ikev2_resp_informational(env, sa, msg);
3072 struct iked_sa *sa = msg->msg_sa;
3103 ikev2_ikesa_recv_delete(env, sa);
3140 if (peersas == NULL || sa == NULL)
3143 if ((peersas[i] = childsa_lookup(sa, spi,
3146 SPI_SA(sa, __func__),
3151 if (ikev2_childsa_delete(env, sa, msg->msg_del_protoid, spi,
3206 SPI_SA(sa, NULL), found, found == 1 ? "" : "s",
3227 struct iked_sa *sa;
3233 if ((sa = msg->msg_sa) == NULL)
3237 sa->sa_stateflags &= ~IKED_REQ_CHILDSA;
3241 sa->sa_frag = 1;
3246 sa->sa_mobike = 1;
3248 if (sa->sa_natt == 0 && sa->sa_udpencap == 0)
3249 ikev2_enable_natt(env, sa, msg, 0);
3253 && sa->sa_stateflags & IKED_REQ_CHILDSA) {
3255 ikev2_disable_rekeying(env, sa);
3256 sa->sa_stateflags &= ~IKED_REQ_CHILDSA;
3264 ikev2_ike_sa_setreason(sa,
3266 sa_state(env, sa, IKEV2_STATE_CLOSED);
3275 if (!sa->sa_hdr.sh_initiator) {
3277 ikev2_ike_sa_setreason(sa,
3279 sa_state(env, sa, IKEV2_STATE_CLOSED);
3287 ikev2_ike_sa_setreason(sa,
3289 sa_state(env, sa, IKEV2_STATE_CLOSED);
3293 ikev2_ike_sa_setreason(sa,
3295 sa_state(env, sa, IKEV2_STATE_CLOSED);
3302 if (!(sa->sa_stateflags & IKED_REQ_CHILDSA)) {
3307 sa->sa_stateflags &= ~IKED_REQ_CHILDSA;
3308 protoid = sa->sa_rekeyspi ?
3314 ikev2_ike_sa_setreason(sa,
3316 sa_state(env, sa, IKEV2_STATE_CLOSED);
3322 rekey.spi = sa->sa_rekeyspi;
3325 (void)ikev2_send_create_child_sa(env, sa,
3331 group_free(sa->sa_dhgroup);
3332 sa->sa_dhgroup = group;
3333 timer_set(env, &sa->sa_rekey,
3334 ikev2_ike_sa_rekey, sa);
3335 timer_add(env, &sa->sa_rekey, 0);
3346 &sa->sa_ipcompi :
3347 &sa->sa_ipcompr;
3355 sa->sa_usekeepalive = 1;
3360 sa->sa_sigsha2 = 1;
3363 sa->sa_use_transport_mode = 1;
3366 && sa->sa_nexti != NULL)
3367 sa->sa_tmpfail = 1;
3379 struct iked_sa *sa = msg->msg_sa;
3386 if (sa->sa_hdr.sh_initiator) {
3390 if (msg->msg_nat_detected && sa->sa_udpencap == 0) {
3393 sa->sa_udpencap = 1;
3401 resp.msg_sa = sa;
3405 resp.msg_policy = sa->sa_policy;
3408 if ((hdr = ikev2_add_header(buf, sa, resp.msg_msgid,
3416 if ((len = ikev2_add_proposals(env, sa, buf, &sa->sa_proposals,
3417 IKEV2_SAPROTO_IKE, sa->sa_hdr.sh_initiator, 0, 0)) == -1)
3428 if ((group = sa->sa_dhgroup) == NULL) {
3433 if (ikev2_add_buf(buf, sa->sa_dhrexchange) == -1)
3435 len = sizeof(*ke) + ibuf_size(sa->sa_dhrexchange);
3443 if (ikev2_add_buf(buf, sa->sa_rnonce) == -1)
3445 len = ibuf_size(sa->sa_rnonce);
3456 if (sa->sa_frag) {
3468 if (sa->sa_statevalid & IKED_REQ_CERT) {
3474 if (env->sc_certreqtype != sa->sa_policy->pol_certreqtype &&
3476 len, NULL, sa->sa_policy->pol_certreqtype)) == -1)
3480 if (sa->sa_sigsha2 &&
3492 ibuf_free(sa->sa_2ndmsg);
3493 if ((sa->sa_2ndmsg = ibuf_dup(buf)) == NULL) {
3508 ikev2_send_auth_failed(struct iked *env, struct iked_sa *sa)
3515 if (ikev2_print_id(IKESA_DSTID(sa), dstid, sizeof(dstid)) == -1)
3518 SPI_SA(sa, __func__), dstid);
3521 ikev2_log_cert_info(SPI_SA(sa, __func__),
3522 sa->sa_hdr.sh_initiator ? &sa->sa_rcert : &sa->sa_icert);
3532 if (sa->sa_hdr.sh_initiator) {
3539 ret = ikev2_send_ike_e(env, sa, buf, IKEV2_PAYLOAD_NOTIFY,
3542 sa->sa_stateflags |= IKED_REQ_INF;
3547 sa_state(env, sa, IKEV2_STATE_CLOSING);
3548 timer_del(env, &sa->sa_timer);
3549 timer_set(env, &sa->sa_timer, ikev2_ike_sa_timeout, sa);
3550 timer_add(env, &sa->sa_timer, IKED_IKE_SA_DELETE_TIMEOUT);
3551 config_free_fragments(&sa->sa_fragments);
3552 ikev2_ike_sa_setreason(sa, "authentication failed");
3629 ikev2_record_dstid(struct iked *env, struct iked_sa *sa)
3633 osa = sa_dstid_lookup(env, sa);
3634 if (osa == sa)
3642 print_spi(sa->sa_hdr.sh_ispi, 8));
3645 ikev2_ike_sa_setreason(osa, "sa replaced");
3651 osa = sa_dstid_insert(env, sa);
3655 SPI_SA(sa, __func__),
3663 ikev2_send_error(struct iked *env, struct iked_sa *sa,
3675 ret = ikev2_send_ike_e(env, sa, buf, IKEV2_PAYLOAD_NOTIFY,
3692 struct iked_sa *sa = msg->msg_sa;
3697 if (sa->sa_hdr.sh_initiator) {
3709 resp.msg_sa = sa;
3713 resp.msg_policy = sa->sa_policy;
3716 if ((hdr = ikev2_add_header(buf, sa, resp.msg_msgid,
3744 struct iked_sa *sa;
3748 if ((sa = msg->msg_sa) == NULL)
3752 if (sa->sa_policy->pol_auth.auth_method == IKEV2_AUTH_SHARED_KEY_MIC)
3755 if (sa->sa_hdr.sh_initiator)
3756 sa->sa_stateinit |= IKED_REQ_CERT;
3758 sa->sa_statevalid |= IKED_REQ_CERT;
3767 if (sa->sa_policy->pol_certreqtype)
3768 crtype = sa->sa_policy->pol_certreqtype;
3771 ca_setreq(env, sa, &sa->sa_policy->pol_localid,
3781 ca_setreq(env, sa, &sa->sa_policy->pol_localid,
3796 ikev2_resp_ike_eap_mschap(struct iked *env, struct iked_sa *sa,
3810 sa->sa_eapid = eap->eam_identity;
3811 return (eap_challenge_request(env, sa, eap->eam_id));
3815 } else if (sa->sa_eapid) {
3816 name = sa->sa_eapid;
3820 SPI_SA(sa, __func__));
3824 log_info("%s: unknown user '%s'", SPI_SA(sa, __func__),
3832 mschap_nt_response(ibuf_data(sa->sa_eap.id_buf),
3839 SPI_SA(sa, __func__), usr->usr_name);
3849 ntresponse, ibuf_data(sa->sa_eap.id_buf),
3852 if ((sa->sa_eapmsk = ibuf_new(NULL, MSCHAP_MSK_SZ)) == NULL) {
3853 log_info("%s: failed to get MSK", SPI_SA(sa, __func__));
3858 ibuf_data(sa->sa_eapmsk));
3863 ret = eap_mschap_challenge(env, sa, eap->eam_id, eap->eam_msrid,
3866 sa_state(env, sa, IKEV2_STATE_AUTH_SUCCESS);
3869 return (eap_mschap_success(env, sa, eap->eam_id));
3871 if (!sa_stateok(sa, IKEV2_STATE_AUTH_SUCCESS))
3873 return (eap_success(env, sa, msg->msg_eap.eam_id));
3882 ikev2_resp_ike_eap(struct iked *env, struct iked_sa *sa,
3885 if (!sa_stateok(sa, IKEV2_STATE_EAP))
3888 switch (sa->sa_policy->pol_auth.auth_eap) {
3890 return ikev2_resp_ike_eap_mschap(env, sa, msg);
3892 return iked_radius_request(env, sa, msg);
3898 ikev2_resp_ike_auth(struct iked *env, struct iked_sa *sa)
3910 if (sa == NULL)
3913 if (sa->sa_state == IKEV2_STATE_EAP)
3914 return (eap_identity_request(env, sa));
3916 if (!sa_stateok(sa, IKEV2_STATE_VALID))
3919 if (ikev2_cp_setaddr(env, sa, AF_INET) < 0 ||
3920 ikev2_cp_setaddr(env, sa, AF_INET6) < 0)
3923 if (ikev2_childsa_negotiate(env, sa, &sa->sa_kex, &sa->sa_proposals,
3924 sa->sa_hdr.sh_initiator, 0) < 0)
3931 if (!sa->sa_localauth.id_type) {
3933 sa_state(env, sa, IKEV2_STATE_AUTH_SUCCESS);
3936 if (sa->sa_hdr.sh_initiator) {
3937 id = &sa->sa_iid;
3938 certid = &sa->sa_icert;
3940 id = &sa->sa_rid;
3941 certid = &sa->sa_rcert;
3944 if (sa->sa_state != IKEV2_STATE_EAP_VALID) {
3954 if ((sa->sa_statevalid & IKED_REQ_CERT) &&
3970 if (sa->sa_scert[i].id_type == IKEV2_CERT_NONE)
3980 cert->cert_type = sa->sa_scert[i].id_type;
3981 if (ibuf_add_ibuf(e, sa->sa_scert[i].id_buf) !=
3984 len = ibuf_size(sa->sa_scert[i].id_buf)
3999 auth->auth_method = sa->sa_localauth.id_type;
4000 if (ibuf_add_ibuf(e, sa->sa_localauth.id_buf) != 0)
4002 len = ibuf_size(sa->sa_localauth.id_buf) + sizeof(*auth);
4005 if (sa->sa_cp) {
4010 if ((len = ikev2_resp_add_cp(env, sa, e)) == -1)
4014 if (sa->sa_ipcompr.ic_transform &&
4015 (len = ikev2_add_ipcompnotify(env, e, &pld, len, sa, 0)) == -1)
4017 if (sa->sa_used_transport_mode &&
4018 (len = ikev2_add_transport_mode(env, e, &pld, len, sa)) == -1)
4022 if (sa->sa_mobike &&
4032 if ((len = ikev2_add_proposals(env, sa, e, &sa->sa_proposals, 0,
4033 sa->sa_hdr.sh_initiator, 0, 1)) == -1)
4036 if ((len = ikev2_add_ts(e, &pld, len, sa, 0)) == -1)
4042 ret = ikev2_msg_send_encrypt(env, sa, &e,
4045 ret = ikev2_childsa_enable(env, sa);
4047 sa_state(env, sa, IKEV2_STATE_ESTABLISHED);
4048 iked_radius_acct_start(env, sa);
4050 timer_del(env, &sa->sa_timer);
4051 ikev2_enable_timer(env, sa);
4052 ikev2_log_established(sa);
4053 ikev2_record_dstid(env, sa);
4058 ikev2_childsa_delete(env, sa, 0, 0, NULL, 1);
4064 ikev2_send_ike_e(struct iked *env, struct iked_sa *sa, struct ibuf *buf,
4087 ret = ikev2_msg_send_encrypt(env, sa, &e, exchange, firstpayload,
4097 ikev2_set_sa_proposal(struct iked_sa *sa, struct iked_policy *pol,
4105 config_free_proposals(&sa->sa_proposals, proto);
4109 if ((copy = config_add_proposal(&sa->sa_proposals,
4124 ikev2_send_create_child_sa(struct iked *env, struct iked_sa *sa,
4127 struct iked_policy *pol = sa->sa_policy;
4149 if (sa->sa_stateflags & (IKED_REQ_CHILDSA|IKED_REQ_INF)) {
4155 ibuf_free(sa->sa_simult);
4156 sa->sa_simult = NULL;
4157 sa->sa_rekeyspi = 0; /* clear rekey spi */
4158 initiator = sa->sa_hdr.sh_initiator ? 1 : 0;
4161 ((csa = childsa_lookup(sa, rekey->spi,
4174 ibuf_free(sa->sa_inonce);
4175 sa->sa_inonce = nonce;
4181 (len = ikev2_add_ipcompnotify(env, e, &pld, 0, sa, 1)) == -1)
4184 (len = ikev2_add_transport_mode(env, e, &pld, len, sa)) == -1)
4203 if (ikev2_set_sa_proposal(sa, pol, protoid) < 0) {
4208 if ((len = ikev2_add_proposals(env, sa, e, &sa->sa_proposals,
4225 ikev2_sa_cleanup_dh(sa);
4227 if ((sa->sa_dhgroup =
4233 if (ikev2_sa_initiator_dh(sa, NULL, protoid, NULL) < 0) {
4245 if ((group = sa->sa_dhgroup) == NULL) {
4250 if (ikev2_add_buf(e, sa->sa_dhiexchange) == -1)
4252 len = sizeof(*ke) + ibuf_size(sa->sa_dhiexchange);
4255 if ((len = ikev2_add_ts(e, &pld, len, sa, !initiator)) == -1)
4281 ret = ikev2_msg_send_encrypt(env, sa, &e,
4291 sa->sa_rekeyspi = csa->csa_peerspi;
4293 sa->sa_stateflags |= IKED_REQ_CHILDSA;
4304 struct iked_sa *sa = arg;
4313 log_debug("%s: IKE SA %p ispi %s rspi %s", __func__, sa,
4314 print_spi(sa->sa_hdr.sh_ispi, 8),
4315 print_spi(sa->sa_hdr.sh_rspi, 8));
4317 if (sa->sa_nexti) {
4322 if (sa->sa_stateflags & (IKED_REQ_CHILDSA|IKED_REQ_INF)) {
4327 log_info("%s: busy, delaying rekey", SPI_SA(sa, __func__));
4328 ikev2_ike_sa_rekey_schedule_fast(env, sa);
4333 timer_set(env, &sa->sa_rekey, ikev2_ike_sa_rekey_timeout, sa);
4334 timer_add(env, &sa->sa_rekey, IKED_IKE_SA_REKEY_TIMEOUT);
4336 if ((nsa = sa_new(env, 0, 0, 1, sa->sa_policy)) == NULL) {
4341 if (ikev2_sa_initiator(env, nsa, sa, NULL)) {
4356 if ((len = ikev2_add_proposals(env, nsa, e, &sa->sa_proposals,
4390 ret = ikev2_msg_send_encrypt(env, sa, &e,
4393 sa->sa_stateflags |= IKED_REQ_CHILDSA;
4394 sa->sa_nexti = nsa;
4395 nsa->sa_previ = sa;
4396 sa->sa_tmpfail = 0;
4433 struct iked_sa *sa = msg->msg_sa;
4443 (sa->sa_stateflags & (IKED_REQ_CHILDSA|IKED_REQ_INF)) == 0)
4446 if (sa->sa_nexti != NULL && sa->sa_tmpfail) {
4447 sa->sa_stateflags &= ~IKED_REQ_CHILDSA;
4448 ikev2_ike_sa_setreason(sa->sa_nexti, "tmpfail");
4449 sa_free(env, sa->sa_nexti);
4450 sa->sa_nexti = NULL;
4451 timer_set(env, &sa->sa_rekey, ikev2_ike_sa_rekey, sa);
4452 ikev2_ike_sa_rekey_schedule_fast(env, sa);
4453 log_info("%s: IKESA rekey delayed", SPI_SA(sa, __func__));
4459 log_info("%s: no proposal specified", SPI_SA(sa, __func__));
4463 if (proposals_negotiate(&sa->sa_proposals, &sa->sa_proposals,
4465 log_info("%s: no proposal chosen", SPI_SA(sa, __func__));
4470 TAILQ_FOREACH(prop, &sa->sa_proposals, prop_entry) {
4475 log_info("%s: failed to find %s proposals", SPI_SA(sa, __func__),
4482 if (sa->sa_nexti == NULL) {
4484 SPI_SA(sa, __func__));
4488 /* XXX sa_new() is just a lookup, so nsa == sa->sa_nexti */
4490 if ((nsa = sa_new(env, sa->sa_nexti->sa_hdr.sh_ispi,
4491 spi->spi, 1, NULL)) == NULL || nsa != sa->sa_nexti) {
4492 log_info("%s: invalid rekey SA", SPI_SA(sa, __func__));
4498 ikev2_ike_sa_setreason(sa->sa_nexti, "invalid SA nexti");
4499 sa_free(env, sa->sa_nexti);
4500 sa->sa_nexti = NULL; /* reset by sa_free */
4503 if (ikev2_sa_initiator(env, nsa, sa, msg) == -1) {
4505 SPI_SA(sa, __func__));
4508 sa->sa_stateflags &= ~IKED_REQ_CHILDSA;
4509 if (sa->sa_nextr) {
4515 SPI_SA(sa, __func__));
4517 if (ikev2_nonce_cmp(sa->sa_nexti->sa_inonce,
4518 sa->sa_nexti->sa_rnonce) < 0)
4519 ni = sa->sa_nexti->sa_inonce;
4521 ni = sa->sa_nexti->sa_rnonce;
4523 if (ikev2_nonce_cmp(sa->sa_nextr->sa_inonce,
4524 sa->sa_nextr->sa_rnonce) < 0)
4525 nr = sa->sa_nextr->sa_inonce;
4527 nr = sa->sa_nextr->sa_rnonce;
4530 dsa = sa->sa_nexti;
4531 nsa = sa->sa_nextr;
4533 dsa = sa->sa_nextr;
4534 nsa = sa->sa_nexti;
4537 sa->sa_nextr->sa_prevr = NULL;
4538 sa->sa_nextr = NULL;
4541 (struct sockaddr *)&sa->sa_peer.addr);
4543 (struct sockaddr *)&sa->sa_local.addr);
4544 dsa->sa_fd = sa->sa_fd;
4545 dsa->sa_natt = sa->sa_natt;
4546 dsa->sa_udpencap = sa->sa_udpencap;
4552 sa->sa_nexti->sa_previ = NULL;
4553 sa->sa_nexti = NULL;
4554 return (ikev2_ikesa_enable(env, sa, nsa));
4558 if (sa->sa_rekeyspi &&
4559 (csa = childsa_lookup(sa, sa->sa_rekeyspi, prop->prop_protoid))
4562 SPI_SA(sa, __func__),
4571 if (ikev2_sa_initiator_dh(sa, msg, prop->prop_protoid, NULL) < 0) {
4573 SPI_SA(sa, __func__));
4576 if (sa->sa_dhpeer == NULL) {
4577 log_info("%s: no peer DH", SPI_SA(sa, __func__));
4588 SPI_SA(sa, __func__));
4591 ibuf_free(sa->sa_rnonce);
4592 sa->sa_rnonce = msg->msg_nonce;
4595 if (csa && (nr = sa->sa_simult) != NULL) {
4597 SPI_SA(sa, __func__));
4599 if (ikev2_nonce_cmp(sa->sa_inonce, sa->sa_rnonce) < 0)
4600 ni = sa->sa_inonce;
4602 ni = sa->sa_rnonce;
4608 ret = ikev2_childsa_delete_proposed(env, sa,
4609 &sa->sa_proposals);
4614 if (ikev2_childsa_negotiate(env, sa, &sa->sa_kex, &sa->sa_proposals, 1,
4616 log_info("%s: failed to get CHILD SAs", SPI_SA(sa, __func__));
4637 if (ikev2_send_ike_e(env, sa, buf, IKEV2_PAYLOAD_DELETE,
4641 sa->sa_stateflags |= IKED_REQ_INF;
4644 ret = ikev2_childsa_enable(env, sa);
4647 sa->sa_stateflags &= ~IKED_REQ_CHILDSA;
4650 ikev2_childsa_delete(env, sa, 0, 0, NULL, 1);
4653 ikev2_childsa_delete(env, sa, csa->csa_saproto,
4661 ikev2_ikesa_enable(struct iked *env, struct iked_sa *sa, struct iked_sa *nsa)
4670 __func__, sa,
4671 print_spi(sa->sa_hdr.sh_ispi, 8),
4672 print_spi(sa->sa_hdr.sh_rspi, 8),
4678 nsa->sa_fd = sa->sa_fd;
4679 nsa->sa_natt = sa->sa_natt;
4680 nsa->sa_udpencap = sa->sa_udpencap;
4681 nsa->sa_usekeepalive = sa->sa_usekeepalive;
4682 nsa->sa_mobike = sa->sa_mobike;
4683 nsa->sa_frag = sa->sa_frag;
4686 memcpy(&nsa->sa_local, &sa->sa_local, sizeof(nsa->sa_local));
4687 memcpy(&nsa->sa_peer, &sa->sa_peer, sizeof(nsa->sa_peer));
4688 memcpy(&nsa->sa_peer_loaded, &sa->sa_peer_loaded,
4692 TAILQ_FOREACH_SAFE(flow, &sa->sa_flows, flow_entry, flowtmp) {
4693 TAILQ_REMOVE(&sa->sa_flows, flow, flow_entry);
4700 TAILQ_FOREACH_SAFE(csa, &sa->sa_childsas, csa_entry, csatmp) {
4701 TAILQ_REMOVE(&sa->sa_childsas, csa, csa_entry);
4719 TAILQ_FOREACH_SAFE(prop, &sa->sa_proposals, prop_entry, proptmp) {
4722 TAILQ_REMOVE(&sa->sa_proposals, prop, prop_entry);
4732 if (sa->sa_hdr.sh_initiator == nsa->sa_hdr.sh_initiator) {
4733 nsa->sa_iid = sa->sa_iid;
4734 nsa->sa_rid = sa->sa_rid;
4735 nsa->sa_icert = sa->sa_icert;
4736 nsa->sa_rcert = sa->sa_rcert;
4739 nsa->sa_iid = sa->sa_rid;
4740 nsa->sa_rid = sa->sa_iid;
4741 nsa->sa_icert = sa->sa_rcert;
4742 nsa->sa_rcert = sa->sa_icert;
4745 nsa->sa_scert[i] = sa->sa_scert[i];
4755 if (sa->sa_addrpool) {
4756 RB_REMOVE(iked_addrpool, &env->sc_addrpool, sa);
4757 nsa->sa_addrpool = sa->sa_addrpool;
4758 sa->sa_addrpool = NULL;
4761 if (sa->sa_addrpool6) {
4762 RB_REMOVE(iked_addrpool6, &env->sc_addrpool6, sa);
4763 nsa->sa_addrpool6 = sa->sa_addrpool6;
4764 sa->sa_addrpool6 = NULL;
4767 nsa->sa_cp = sa->sa_cp;
4768 nsa->sa_cp_addr = sa->sa_cp_addr;
4769 sa->sa_cp_addr = NULL;
4770 nsa->sa_cp_addr6 = sa->sa_cp_addr6;
4771 sa->sa_cp_addr6 = NULL;
4772 nsa->sa_cp_dns = sa->sa_cp_dns;
4773 sa->sa_cp_dns = NULL;
4775 if (sa->sa_dstid_entry_valid) {
4776 sa_dstid_remove(env, sa);
4779 if (sa->sa_tag) {
4780 nsa->sa_tag = sa->sa_tag;
4781 sa->sa_tag = NULL;
4784 if (sa->sa_eapid)
4785 nsa->sa_eapid = strdup(sa->sa_eapid);
4786 if (sa->sa_eapclass)
4787 nsa->sa_eapclass = ibuf_dup(sa->sa_eapclass);
4790 SPI_SA(sa, NULL), print_spi(nsa->sa_hdr.sh_ispi, 8),
4797 print_xf(nsa->sa_prf->hash_id, hash_keylength(sa->sa_prf), prfxfs));
4808 if (sa->sa_state == IKEV2_STATE_ESTABLISHED)
4809 ikev2_disable_timer(env, sa);
4811 ikev2_ike_sa_setreason(sa, "SA rekeyed");
4812 ikev2_ikesa_delete(env, sa, nsa->sa_hdr.sh_initiator);
4817 ikev2_ikesa_delete(struct iked *env, struct iked_sa *sa, int initiator)
4824 if (sa->sa_stateflags & IKED_REQ_INF)
4834 if (ikev2_send_ike_e(env, sa, buf, IKEV2_PAYLOAD_DELETE,
4837 sa->sa_stateflags |= IKED_REQ_INF;
4838 log_info("%s: sent delete, closing SA", SPI_SA(sa, __func__));
4841 sa_state(env, sa, IKEV2_STATE_CLOSED);
4843 sa_state(env, sa, IKEV2_STATE_CLOSING);
4847 timer_set(env, &sa->sa_timer, ikev2_ike_sa_timeout, sa);
4848 timer_add(env, &sa->sa_timer, IKED_IKE_SA_DELETE_TIMEOUT);
4849 ikev2_ike_sa_setreason(sa, "deleting SA");
4853 ikev2_ikesa_recv_delete(struct iked *env, struct iked_sa *sa)
4855 log_info("%s: received delete", SPI_SA(sa, __func__));
4856 if (sa->sa_nexti) {
4863 if (sa->sa_nextr) {
4865 SPI_SA(sa, __func__));
4866 ikev2_ikesa_enable(env, sa, sa->sa_nextr);
4868 sa->sa_nextr->sa_prevr = NULL;
4869 sa->sa_nextr = NULL;
4871 ikev2_ike_sa_setreason(sa->sa_nexti,
4873 sa_free(env, sa->sa_nexti);
4874 sa->sa_nexti = NULL; /* reset by sa_free */
4876 ikev2_ike_sa_setreason(sa, "received delete");
4879 sa_state(env, sa, IKEV2_STATE_CLOSING);
4880 timer_del(env, &sa->sa_timer);
4881 timer_set(env, &sa->sa_timer, ikev2_ike_sa_timeout, sa);
4882 timer_add(env, &sa->sa_timer, 3 * IKED_RETRANSMIT_TIMEOUT);
4884 sa_state(env, sa, IKEV2_STATE_CLOSED);
4895 struct iked_sa *nsa = NULL, *sa = msg->msg_sa;
4907 initiator = sa->sa_hdr.sh_initiator ? 1 : 0;
4922 if (sa->sa_hdr.sh_initiator)
4923 rekey->spi = sa->sa_hdr.sh_rspi;
4925 rekey->spi = sa->sa_hdr.sh_ispi;
4942 if ((sa->sa_stateflags & IKED_REQ_CHILDSA)
4943 && !(sa->sa_nexti)) {
4960 if (ikev2_sa_responder(env, nsa, sa, msg)) {
4978 &sa->sa_policy->pol_proposals, &msg->msg_proposals,
5015 if ((csa = childsa_lookup(sa, rekey->spi,
5018 SPI_SA(sa, __func__),
5026 " or no peer SA", SPI_SA(sa, __func__),
5052 if (ikev2_childsa_negotiate(env, sa, kex, &proposals, 0, pfs)) {
5057 if (rekeying && (sa->sa_stateflags & IKED_REQ_CHILDSA) &&
5058 csa && (sa->sa_rekeyspi == csa->csa_peerspi)) {
5060 SPI_SA(sa, __func__),
5062 print_spi(sa->sa_rekeyspi, rekey->spi_size));
5063 ibuf_free(sa->sa_simult);
5065 sa->sa_simult = ibuf_dup(kex->kex_inonce);
5067 sa->sa_simult = ibuf_dup(nonce);
5074 if (!nsa && sa->sa_ipcompr.ic_transform &&
5075 (len = ikev2_add_ipcompnotify(env, e, &pld, 0, sa, 0)) == -1)
5077 if (!nsa && sa->sa_used_transport_mode &&
5078 (len = ikev2_add_transport_mode(env, e, &pld, len, sa)) == -1)
5092 if ((len = ikev2_add_proposals(env, nsa ? nsa : sa, e,
5128 if ((len = ikev2_add_ts(e, &pld, len, sa, initiator)) == -1)
5134 if ((ret = ikev2_msg_send_encrypt(env, sa, &e,
5146 if (sa->sa_nexti) {
5148 SPI_SA(sa, __func__));
5149 sa->sa_nextr = nsa;
5150 nsa->sa_prevr = sa; /* backpointer */
5153 ret = ikev2_ikesa_enable(env, sa, nsa);
5155 ret = ikev2_childsa_enable(env, sa);
5159 ikev2_childsa_delete(env, sa, 0, 0, NULL, 1);
5172 ikev2_ike_sa_setreason(struct iked_sa *sa, char *reason)
5175 if (reason == NULL || sa->sa_reason == NULL)
5176 sa->sa_reason = reason;
5182 struct iked_sa *sa = arg;
5185 ikev2_ike_sa_setreason(sa, "timeout");
5186 sa_free(env, sa);
5192 struct iked_sa *sa = arg;
5195 ikev2_ike_sa_setreason(sa, "rekey timeout");
5196 sa_free(env, sa);
5200 ikev2_ike_sa_rekey_schedule(struct iked *env, struct iked_sa *sa)
5202 timer_add(env, &sa->sa_rekey, (sa->sa_policy->pol_rekey * 850 +
5208 ikev2_ike_sa_rekey_schedule_fast(struct iked *env, struct iked_sa *sa)
5210 int timeout = sa->sa_policy->pol_rekey / 100; /* 1% */
5216 timer_add(env, &sa->sa_rekey, timeout);
5222 struct iked_sa *sa = arg;
5232 TAILQ_FOREACH(csa, &sa->sa_childsas, csa_entry) {
5252 diff = (uint32_t)(gettime() - sa->sa_last_recvd);
5256 " second(s) ago", __func__, sa,
5257 print_spi(sa->sa_hdr.sh_ispi, 8),
5258 print_spi(sa->sa_hdr.sh_rspi, 8), diff);
5267 (sa->sa_stateflags & (IKED_REQ_CHILDSA|IKED_REQ_INF)) == 0) {
5269 ikev2_send_ike_e(env, sa, NULL, IKEV2_PAYLOAD_NONE,
5271 sa->sa_stateflags |= IKED_REQ_INF;
5276 timer_add(env, &sa->sa_timer, env->sc_alive_timeout);
5282 struct iked_sa *sa = arg;
5285 if (sendtofrom(sa->sa_fd, &marker, sizeof(marker), 0,
5286 (struct sockaddr *)&sa->sa_peer.addr, sa->sa_peer.addr.ss_len,
5287 (struct sockaddr *)&sa->sa_local.addr, sa->sa_local.addr.ss_len)
5290 print_addr(&sa->sa_peer.addr),
5291 print_addr(&sa->sa_local.addr));
5294 print_addr(&sa->sa_peer.addr),
5295 print_addr(&sa->sa_local.addr));
5297 timer_add(env, &sa->sa_keepalive, IKED_IKE_SA_KEEPALIVE_TIMEOUT);
5307 struct iked_sa *sa = msg->msg_sa, sah;
5340 log_warnx("%s: unsupported notification %s", SPI_SA(sa,
5344 log_info("%s: %s", SPI_SA(sa, __func__),
5350 if (sa != NULL && msg->msg_e) {
5351 resp.msg_msgid = ikev2_msg_id(env, sa);
5354 if ((hdr = ikev2_add_header(buf, sa, resp.msg_msgid,
5363 if ((e = ikev2_msg_encrypt(env, sa, e, buf)) == NULL) {
5377 if (ikev2_msg_integr(env, sa, buf) != 0) {
5418 ikev2_psk(struct iked_sa *sa, uint8_t *data, size_t length,
5424 if (hash_setkey(sa->sa_prf, data, length) == NULL)
5427 if ((psk = calloc(1, hash_keylength(sa->sa_prf))) == NULL)
5430 hash_init(sa->sa_prf);
5431 hash_update(sa->sa_prf, IKEV2_KEYPAD, strlen(IKEV2_KEYPAD));
5432 hash_final(sa->sa_prf, psk, &psklen);
5439 ikev2_sa_initiator_dh(struct iked_sa *sa, struct iked_message *msg,
5442 struct iked_policy *pol = sa->sa_policy;
5448 if (sa->sa_dhgroup == NULL) {
5454 if ((sa->sa_dhgroup =
5462 if (!ibuf_length(sa->sa_dhiexchange)) {
5463 if (dh_create_exchange(sa->sa_dhgroup,
5464 &sa->sa_dhiexchange, NULL) == -1) {
5474 if (!ibuf_length(sa->sa_dhrexchange)) {
5479 sa->sa_dhrexchange = msg->msg_ke;
5484 sa->sa_dhpeer = sa->sa_dhrexchange;
5489 ikev2_sa_negotiate_common(struct iked *env, struct iked_sa *sa,
5495 if (proposals_negotiate(&sa->sa_proposals,
5501 if (sa_stateok(sa, IKEV2_STATE_SA_INIT))
5502 sa_stateflags(sa, IKED_REQ_SA);
5504 if (sa->sa_encr == NULL) {
5505 if ((xform = config_findtransform(&sa->sa_proposals,
5508 SPI_SA(sa, __func__));
5511 if ((sa->sa_encr = cipher_new(xform->xform_type,
5514 SPI_SA(sa, __func__));
5520 if (sa->sa_encr->encr_authid && sa->sa_integr == NULL) {
5521 if ((sa->sa_integr = hash_new(IKEV2_XFORMTYPE_INTEGR,
5522 sa->sa_encr->encr_authid)) == NULL) {
5524 SPI_SA(sa, __func__));
5529 if (sa->sa_prf == NULL) {
5530 if ((xform = config_findtransform(&sa->sa_proposals,
5533 SPI_SA(sa, __func__));
5536 if ((sa->sa_prf =
5538 log_info("%s: failed to get prf", SPI_SA(sa, __func__));
5543 if (sa->sa_integr == NULL) {
5544 if ((xform = config_findtransform(&sa->sa_proposals,
5547 SPI_SA(sa, __func__));
5550 if ((sa->sa_integr =
5553 SPI_SA(sa, __func__));
5562 ikev2_sa_initiator(struct iked *env, struct iked_sa *sa,
5565 if (ikev2_sa_initiator_dh(sa, msg, 0, osa) < 0)
5568 if (!ibuf_length(sa->sa_inonce)) {
5569 if ((sa->sa_inonce = ibuf_random(IKED_NONCE_SIZE)) == NULL) {
5571 SPI_SA(sa, __func__));
5580 if (!ibuf_length(sa->sa_rnonce)) {
5583 SPI_SA(sa, __func__));
5586 sa->sa_rnonce = msg->msg_nonce;
5590 if (ikev2_sa_negotiate_common(env, sa, msg, -1) != 0)
5593 ibuf_free(sa->sa_2ndmsg);
5594 if ((sa->sa_2ndmsg = ibuf_dup(msg->msg_data)) == NULL) {
5596 SPI_SA(sa, __func__));
5600 return (ikev2_sa_keys(env, sa, osa ? osa->sa_key_d : NULL));
5655 ikev2_sa_responder(struct iked *env, struct iked_sa *sa, struct iked_sa *osa,
5662 old = sa->sa_policy;
5663 sa->sa_policy = NULL;
5666 sa->sa_policy = old;
5671 /* move sa to new policy */
5672 sa->sa_policy = msg->msg_policy;
5673 TAILQ_REMOVE(&old->pol_sapeers, sa, sa_peer_entry);
5674 TAILQ_INSERT_TAIL(&sa->sa_policy->pol_sapeers,
5675 sa, sa_peer_entry);
5677 policy_ref(env, sa->sa_policy);
5680 sa_state(env, sa, IKEV2_STATE_SA_INIT);
5682 ibuf_free(sa->sa_1stmsg);
5683 if ((sa->sa_1stmsg = ibuf_dup(msg->msg_data)) == NULL) {
5688 if (sa->sa_rnonce == NULL &&
5689 (sa->sa_rnonce = ibuf_random(IKED_NONCE_SIZE)) == NULL) {
5694 if (!ibuf_length(sa->sa_inonce) &&
5699 sa->sa_inonce = msg->msg_nonce;
5702 if (ikev2_sa_negotiate_common(env, sa, msg, msg->msg_dhgroup) != 0)
5705 if (ikev2_sa_responder_dh(&sa->sa_kex, &sa->sa_proposals, msg, 0) < 0)
5708 return (ikev2_sa_keys(env, sa, osa ? osa->sa_key_d : NULL));
5712 ikev2_sa_keys(struct iked *env, struct iked_sa *sa, struct ibuf *key)
5725 if ((encr = sa->sa_encr) == NULL ||
5726 (prf = sa->sa_prf) == NULL ||
5727 (integr = sa->sa_integr) == NULL ||
5728 (group = sa->sa_dhgroup) == NULL) {
5730 SPI_SA(sa, __func__));
5743 if (ibuf_length(sa->sa_inonce) < nonceminlen ||
5744 (ibuf_length(sa->sa_inonce) % 2) != 0 ||
5745 ibuf_length(sa->sa_rnonce) < nonceminlen ||
5746 (ibuf_length(sa->sa_rnonce) % 2) != 0) {
5747 log_info("%s: invalid nonces", SPI_SA(sa, __func__));
5757 ilen = ibuf_length(sa->sa_inonce);
5758 rlen = ibuf_length(sa->sa_rnonce);
5774 if (dh_create_shared(group, &dhsecret, sa->sa_dhpeer) == -1) {
5777 SPI_SA(sa, __func__),
5779 ibuf_length(sa->sa_dhpeer));
5783 log_debug("%s: DHSECRET with %zu bytes", SPI_SA(sa, __func__),
5791 if ((ninr = ibuf_new(ibuf_data(sa->sa_inonce), ilen)) == NULL ||
5792 ibuf_add(ninr, ibuf_data(sa->sa_rnonce), rlen) != 0) {
5794 SPI_SA(sa, __func__));
5802 if (ibuf_add(dhsecret, ibuf_data(sa->sa_inonce), ilen) != 0 ||
5803 ibuf_add(dhsecret, ibuf_data(sa->sa_rnonce), rlen) != 0) {
5805 SPI_SA(sa, __func__));
5811 log_info("%s: failed to set prf key", SPI_SA(sa, __func__));
5817 SPI_SA(sa, __func__));
5831 SPI_SA(sa, __func__));
5842 ilen = ibuf_length(sa->sa_inonce);
5843 rlen = ibuf_length(sa->sa_rnonce);
5844 ispi = htobe64(sa->sa_hdr.sh_ispi);
5845 rspi = htobe64(sa->sa_hdr.sh_rspi);
5847 if ((s = ibuf_new(ibuf_data(sa->sa_inonce), ilen)) == NULL ||
5848 ibuf_add(s, ibuf_data(sa->sa_rnonce), rlen) != 0 ||
5852 SPI_SA(sa, __func__));
5856 log_debug("%s: S with %zu bytes", SPI_SA(sa, __func__), ibuf_size(s));
5873 SPI_SA(sa, __func__));
5878 if ((sa->sa_key_d = ibuf_getdata(t, hash_length(prf))) == NULL ||
5880 (sa->sa_key_iauth = ibuf_getdata(t, hash_keylength(integr))) ==
5883 (sa->sa_key_rauth = ibuf_getdata(t, hash_keylength(integr))) ==
5885 (sa->sa_key_iencr = ibuf_getdata(t, cipher_keylength(encr))) ==
5887 (sa->sa_key_rencr = ibuf_getdata(t, cipher_keylength(encr))) ==
5889 (sa->sa_key_iprf = ibuf_getdata(t, hash_length(prf))) == NULL ||
5890 (sa->sa_key_rprf = ibuf_getdata(t, hash_length(prf))) == NULL) {
5891 log_debug("%s: failed to get SA keys", SPI_SA(sa, __func__));
5895 log_debug("%s: SK_d with %zu bytes", __func__, ibuf_size(sa->sa_key_d));
5896 print_hexbuf(sa->sa_key_d);
5899 ibuf_size(sa->sa_key_iauth));
5900 print_hexbuf(sa->sa_key_iauth);
5902 ibuf_size(sa->sa_key_rauth));
5903 print_hexbuf(sa->sa_key_rauth);
5906 ibuf_size(sa->sa_key_iencr));
5907 print_hexbuf(sa->sa_key_iencr);
5909 ibuf_size(sa->sa_key_rencr));
5910 print_hexbuf(sa->sa_key_rencr);
5912 ibuf_size(sa->sa_key_iprf));
5913 print_hexbuf(sa->sa_key_iprf);
5915 ibuf_size(sa->sa_key_rprf));
5916 print_hexbuf(sa->sa_key_rprf);
5931 ikev2_sa_cleanup_dh(struct iked_sa *sa)
5933 ibuf_free(sa->sa_dhiexchange);
5934 ibuf_free(sa->sa_dhrexchange);
5935 group_free(sa->sa_dhgroup);
5936 sa->sa_dhiexchange = NULL;
5937 sa->sa_dhrexchange = NULL;
5938 sa->sa_dhgroup = NULL;
6013 ikev2_sa_tag(struct iked_sa *sa, struct iked_id *id)
6020 free(sa->sa_tag);
6021 sa->sa_tag = NULL;
6022 format = sa->sa_policy->pol_tag;
6025 if ((sa->sa_tag = calloc(1, len)) == NULL) {
6029 if (strlcpy(sa->sa_tag, format, len) >= len) {
6048 if (expand_string(sa->sa_tag, len, "$id", idrepl) != 0) {
6054 if (strstr(format, "$eapid") != NULL && sa->sa_eapid != NULL) {
6055 if (expand_string(sa->sa_tag, len, "$eapid",
6056 sa->sa_eapid) != 0) {
6063 if (expand_string(sa->sa_tag, len, "$name",
6064 sa->sa_policy->pol_name) != 0) {
6085 if (expand_string(sa->sa_tag, len, "$domain", domain) != 0) {
6091 log_debug("%s: %s (%zu)", __func__, sa->sa_tag, strlen(sa->sa_tag));
6096 free(sa->sa_tag);
6097 sa->sa_tag = NULL;
6104 ikev2_childsa_delete_proposed(struct iked *env, struct iked_sa *sa,
6114 if (!sa_stateok(sa, IKEV2_STATE_VALID))
6143 if (ikev2_send_ike_e(env, sa, buf, IKEV2_PAYLOAD_DELETE,
6146 sa->sa_stateflags |= IKED_REQ_INF;
6155 ikev2_childsa_negotiate(struct iked *env, struct iked_sa *sa,
6172 if (!sa_stateok(sa, IKEV2_STATE_VALID))
6175 if (ikev2_sa_tag(sa, IKESA_DSTID(sa)) == -1)
6178 ic = initiator ? &sa->sa_ipcompi : &sa->sa_ipcompr;
6184 sa->sa_used_transport_mode = 0;
6243 (keymat = ikev2_prfplus(sa->sa_prf,
6244 sa->sa_key_d, seed, ilen)) == NULL) {
6254 RB_FOREACH(flow, iked_flows, &sa->sa_policy->pol_flows) {
6265 flowa->flow_rdomain = sa->sa_policy->pol_rdomain;
6266 flowa->flow_local = &sa->sa_local;
6267 flowa->flow_peer = &sa->sa_peer;
6268 flowa->flow_ikesa = sa;
6269 if (ikev2_cp_fixflow(sa, flow, flowa) == -1) {
6275 TAILQ_FOREACH(saflow, &sa->sa_flows, flow_entry) {
6299 if (ikev2_cp_fixflow(sa, flow, flowb) == -1) {
6305 TAILQ_INSERT_TAIL(&sa->sa_flows, flowa, flow_entry);
6306 TAILQ_INSERT_TAIL(&sa->sa_flows, flowb, flow_entry);
6323 csa->csa_ikesa = sa;
6326 csa->csa_transport = sa->sa_use_transport_mode;
6327 sa->sa_used_transport_mode = sa->sa_use_transport_mode;
6335 csa->csa_local = &sa->sa_local;
6336 csa->csa_peer = &sa->sa_peer;
6342 csa->csa_local = &sa->sa_peer;
6343 csa->csa_peer = &sa->sa_local;
6457 TAILQ_INSERT_TAIL(&sa->sa_childsas, csa, csa_entry);
6458 TAILQ_INSERT_TAIL(&sa->sa_childsas, csb, csa_entry);
6469 sa->sa_use_transport_mode = 0; /* reset state after use */
6482 ikev2_childsa_enable(struct iked *env, struct iked_sa *sa)
6507 TAILQ_FOREACH(csa, &sa->sa_childsas, csa_entry) {
6575 peer_changed = (memcmp(&sa->sa_peer_loaded, &sa->sa_peer,
6576 sizeof(sa->sa_peer_loaded)) != 0);
6578 if (!(sa->sa_policy->pol_flags & IKED_POLICY_ROUTING)) {
6579 TAILQ_FOREACH(flow, &sa->sa_flows, flow_entry) {
6642 memcpy(&sa->sa_peer_loaded, &sa->sa_peer,
6643 sizeof(sa->sa_peer_loaded));
6645 print_addr(&sa->sa_peer_loaded.addr));
6651 SPI_SA(sa, __func__), spibuf,
6661 log_info("%s: loaded flows: %s", SPI_SA(sa, __func__), flowbuf);
6674 ikev2_childsa_delete(struct iked *env, struct iked_sa *sa, uint8_t saproto,
6681 TAILQ_FOREACH_SAFE(csa, &sa->sa_childsas, csa_entry, csatmp) {
6693 SPI_SA(sa, __func__), print_spi(csa->csa_spi.spi,
6697 SPI_SA(sa, __func__), print_spi(csa->csa_spi.spi,
6709 " SA spi %s", SPI_SA(sa, __func__),
6714 SPI_SA(sa, __func__),
6720 TAILQ_REMOVE(&sa->sa_childsas, csa, csa_entry);
6784 struct iked_sa *sa;
6819 if ((sa = flow->flow_ikesa) == NULL) {
6823 if (sa->sa_stateflags & (IKED_REQ_CHILDSA|IKED_REQ_INF))
6825 if (ikev2_send_create_child_sa(env, sa, NULL,
6828 "CREATE_CHILD_SA exchange", SPI_SA(sa, __func__));
6834 ikev2_disable_rekeying(struct iked *env, struct iked_sa *sa)
6838 TAILQ_FOREACH(csa, &sa->sa_childsas, csa_entry) {
6843 (void)ikev2_childsa_delete(env, sa, 0, 0, NULL, 1);
6851 struct iked_sa *sa;
6860 if ((sa = csa->csa_ikesa) == NULL) {
6865 if (!sa_stateok(sa, IKEV2_STATE_ESTABLISHED)) {
6866 log_warnx("%s: not established, SPI %s", SPI_SA(sa, __func__),
6870 if (sa->sa_stateflags & (IKED_REQ_CHILDSA|IKED_REQ_INF)) {
6871 log_info("%s: busy, retrying, SPI %s", SPI_SA(sa, __func__),
6875 if (sa->sa_tmpfail) {
6876 log_info("%s: peer busy, retrying, SPI %s", SPI_SA(sa, __func__),
6882 if (ikev2_send_create_child_sa(env, sa, rekey, rekey->spi_protoid, 0))
6884 SPI_SA(sa, __func__));
6894 struct iked_sa *sa;
6903 sa = csa->csa_ikesa;
6904 if (sa && (sa->sa_stateflags & (IKED_REQ_CHILDSA|IKED_REQ_INF))) {
6913 if (sa == NULL) {
6923 if (ikev2_childsa_delete(env, sa, csa->csa_saproto,
6940 if (ikev2_send_ike_e(env, sa, buf, IKEV2_PAYLOAD_DELETE,
6944 sa->sa_stateflags |= IKED_REQ_INF;
7062 ikev2_cp_setaddr(struct iked *env, struct iked_sa *sa, sa_family_t family)
7064 struct iked_policy *pol = sa->sa_policy;
7073 if (sa->sa_addrpool)
7077 if (sa->sa_addrpool6)
7089 if (sa->sa_rad_addr != NULL) {
7090 in4 = (struct sockaddr_in *)&sa->sa_rad_addr->addr;
7096 free(sa->sa_cp_addr);
7097 sa->sa_cp_addr = NULL;
7102 passes = (sa->sa_cp_addr != NULL || sa->sa_cp_addr6 != NULL ||
7103 sa->sa_rad_addr != NULL || sa->sa_rad_addr6 != NULL) ? 2 : 1;
7114 if ((ret = ikev2_cp_setaddr_pool(env, sa,
7120 free(sa->sa_cp_addr);
7121 sa->sa_cp_addr = NULL;
7122 free(sa->sa_rad_addr);
7123 sa->sa_rad_addr = NULL;
7125 free(sa->sa_cp_addr6);
7126 sa->sa_cp_addr6 = NULL;
7127 free(sa->sa_rad_addr6);
7128 sa->sa_rad_addr6 = NULL;
7133 log_warnx("%s: %s", SPI_SA(sa, __func__), errstr);
7138 ikev2_cp_setaddr_pool(struct iked *env, struct iked_sa *sa,
7155 if (sa->sa_cp != IKEV2_CP_REQUEST) {
7165 (osa = sa_dstid_lookup(env, sa)) != NULL &&
7186 sa->sa_addrpool = osa->sa_addrpool;
7188 sa->sa_addrpool6 = osa->sa_addrpool6;
7199 if (sa->sa_addrpool) {
7200 RB_INSERT(iked_addrpool, &env->sc_addrpool, sa);
7204 print_addr(&sa->sa_addrpool->addr),
7205 print_spi(sa->sa_hdr.sh_ispi, 8));
7207 if (sa->sa_addrpool6) {
7208 RB_INSERT(iked_addrpool6, &env->sc_addrpool6, sa);
7212 print_addr(&sa->sa_addrpool6->addr),
7213 print_spi(sa->sa_hdr.sh_ispi, 8));
7215 if (family == AF_INET && sa->sa_addrpool != NULL)
7216 memcpy(&addr, sa->sa_addrpool, sizeof(addr));
7217 else if (family == AF_INET6 && sa->sa_addrpool6 != NULL)
7218 memcpy(&addr, sa->sa_addrpool6, sizeof(addr));
7225 if (sa->sa_cp_addr != NULL || sa->sa_rad_addr != NULL) {
7226 if (sa->sa_rad_addr != NULL) {
7228 memcpy(&addr, sa->sa_rad_addr, sizeof(addr));
7231 memcpy(&addr, sa->sa_cp_addr, sizeof(addr));
7245 if (sa->sa_rad_addr != NULL) {
7246 sa->sa_addrpool = sa->sa_rad_addr;
7247 sa->sa_rad_addr = NULL;
7249 sa->sa_addrpool = sa->sa_cp_addr;
7250 sa->sa_cp_addr = NULL;
7252 free(sa->sa_cp_addr);
7253 free(sa->sa_rad_addr);
7254 RB_INSERT(iked_addrpool, &env->sc_addrpool, sa);
7266 if (sa->sa_cp_addr6 != NULL || sa->sa_rad_addr6 != NULL) {
7333 if ((sa->sa_addrpool = calloc(1, sizeof(addr))) == NULL)
7335 memcpy(sa->sa_addrpool, &addr, sizeof(addr));
7336 RB_INSERT(iked_addrpool, &env->sc_addrpool, sa);
7341 if ((sa->sa_addrpool6 = calloc(1, sizeof(addr))) == NULL)
7343 memcpy(sa->sa_addrpool6, &addr, sizeof(addr));
7344 RB_INSERT(iked_addrpool6, &env->sc_addrpool6, sa);
7350 if (ikev2_print_id(IKESA_DSTID(sa), idstr, sizeof(idstr)) == -1)
7352 log_info("%sassigned address %s to %s%s%s", SPI_SA(sa, NULL),
7360 ikev2_cp_request_configured(struct iked_sa *sa)
7362 struct iked_policy *pol = sa->sa_policy;
7369 log_debug("%s: yes", SPI_SA(sa, __func__));
7373 log_debug("%s: no", SPI_SA(sa, __func__));
7383 ikev2_cp_fixaddr(struct iked_sa *sa, struct iked_addr *addr,
7392 if (sa->sa_cp == 0)
7399 naddr = (sa->sa_cp == IKEV2_CP_REQUEST) ?
7400 sa->sa_addrpool : sa->sa_cp_addr;
7411 naddr = (sa->sa_cp == IKEV2_CP_REQUEST) ?
7412 sa->sa_addrpool6 : sa->sa_cp_addr6;
7425 ikev2_cp_fixflow(struct iked_sa *sa, struct iked_flow *flow,
7428 switch (sa->sa_cp) {
7431 return (ikev2_cp_fixaddr(sa, &flow->flow_dst,
7434 return (ikev2_cp_fixaddr(sa, &flow->flow_dst,
7438 return (ikev2_cp_fixaddr(sa, &flow->flow_src,
7441 return (ikev2_cp_fixaddr(sa, &flow->flow_src,
7449 ikev2_update_sa_addresses(struct iked *env, struct iked_sa *sa)
7456 if (!sa_stateok(sa, IKEV2_STATE_ESTABLISHED))
7459 log_info("%s: old %s new %s", SPI_SA(sa, __func__),
7460 print_addr(&sa->sa_peer_loaded.addr),
7461 print_addr(&sa->sa_peer.addr));
7463 TAILQ_FOREACH(csa, &sa->sa_childsas, csa_entry) {
7467 log_debug("%s: failed to update sa", __func__);
7472 log_debug("%s: failed to update sa", __func__);
7476 TAILQ_FOREACH(flow, &sa->sa_flows, flow_entry) {
7497 TAILQ_FOREACH(mr, &sa->sa_requests, mrt_entry) {
7499 msg->msg_local = sa->sa_local.addr;
7500 msg->msg_locallen = sa->sa_local.addr.ss_len;
7501 msg->msg_peer = sa->sa_peer.addr;
7502 msg->msg_peerlen = sa->sa_peer.addr.ss_len;
7505 TAILQ_FOREACH(mr, &sa->sa_responses, mrt_entry) {
7507 msg->msg_local = sa->sa_local.addr;
7508 msg->msg_locallen = sa->sa_local.addr.ss_len;
7509 msg->msg_peer = sa->sa_peer.addr;
7510 msg->msg_peerlen = sa->sa_peer.addr.ss_len;
7515 memcpy(&sa->sa_peer_loaded, &sa->sa_peer, sizeof(sa->sa_peer_loaded));
7522 struct iked_sa *sa)
7528 if (ikev2_print_id(IKESA_DSTID(sa), idstr, sizeof(idstr)) == -1)
7533 msg, sa,
7534 print_spi(sa->sa_hdr.sh_rspi, 8),
7535 print_spi(sa->sa_hdr.sh_ispi, 8),
7536 print_addr(&sa->sa_local.addr),
7537 print_addr(&sa->sa_peer.addr),
7539 sa->sa_addrpool ? print_addr(&sa->sa_addrpool->addr) : "",
7540 print_map(sa->sa_state, ikev2_state_map),
7541 sa->sa_hdr.sh_initiator ? 'i' : 'r',
7542 sa->sa_natt ? " natt" : "",
7543 sa->sa_udpencap ? " udpecap" : "",
7544 sa->sa_nexti, sa->sa_policy);
7646 struct iked_sa *sa;
7652 RB_FOREACH(sa, iked_sas, &env->sc_sas) {
7653 ikev2_info_sa(env, imsg, dolog, "iked_sas", sa);
7654 TAILQ_FOREACH(csa, &sa->sa_childsas, csa_entry) {
7660 TAILQ_FOREACH(flow, &sa->sa_flows, flow_entry) {
7672 RB_FOREACH(sa, iked_dstid_sas, &env->sc_dstid_sas) {
7673 ikev2_info_sa(env, imsg, dolog, "iked_dstid_sas", sa);
7697 ikev2_log_established(struct iked_sa *sa)
7701 clock_gettime(CLOCK_MONOTONIC, &sa->sa_starttime);
7703 if (ikev2_print_id(IKESA_DSTID(sa), dstid, sizeof(dstid)) == -1)
7705 if (ikev2_print_id(IKESA_SRCID(sa), srcid, sizeof(srcid)) == -1)
7709 " (enc %s%s%s group %s prf %s)", SPI_SA(sa, NULL),
7710 print_addr(&sa->sa_peer.addr), dstid,
7711 print_addr(&sa->sa_local.addr), srcid,
7712 sa->sa_addrpool ? " assigned " : "",
7713 sa->sa_addrpool ? print_addr(&sa->sa_addrpool->addr) : "",
7714 sa->sa_addrpool6 ? " assigned " : "",
7715 sa->sa_addrpool6 ? print_addr(&sa->sa_addrpool6->addr) : "",
7716 sa->sa_policy ? sa->sa_policy->pol_name : "",
7717 sa->sa_hdr.sh_initiator ? " as initiator" : " as responder",
7718 print_xf(sa->sa_encr->encr_id, cipher_keylength(sa->sa_encr) -
7719 sa->sa_encr->encr_saltlength, ikeencxfs),
7720 sa->sa_encr->encr_authid ? "" : " auth ",
7721 sa->sa_encr->encr_authid ? "" : print_xf(sa->sa_integr->hash_id,
7722 hash_keylength(sa->sa_integr), authxfs),
7723 print_xf(sa->sa_dhgroup->id, 0, groupxfs),
7724 print_xf(sa->sa_prf->hash_id, hash_keylength(sa->sa_prf), prfxfs));
7749 ikev2_log_proposal(struct iked_sa *sa, struct iked_proposals *proposals)
7765 sa ? SPI_SA(sa, __func__) : __func__,