1 /* $NetBSD: isakmp_quick.c,v 1.19 2008/07/14 05:45:15 tteras Exp $ */
2
3 /* Id: isakmp_quick.c,v 1.29 2006/08/22 18:17:17 manubsd Exp */
4
5 /*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "config.h"
35
36 #include <sys/types.h>
37 #include <sys/param.h>
38 #include <sys/socket.h>
39
40 #include <netinet/in.h>
41
42 #include <stdlib.h>
43 #include <stdio.h>
44 #include <string.h>
45 #include <errno.h>
46 #if TIME_WITH_SYS_TIME
47 # include <sys/time.h>
48 # include <time.h>
49 #else
50 # if HAVE_SYS_TIME_H
51 # include <sys/time.h>
52 # else
53 # include <time.h>
54 # endif
55 #endif
56
57 #include PATH_IPSEC_H
58
59 #include "var.h"
60 #include "vmbuf.h"
61 #include "schedule.h"
62 #include "misc.h"
63 #include "plog.h"
64 #include "debug.h"
65
66 #include "localconf.h"
67 #include "remoteconf.h"
68 #include "handler.h"
69 #include "policy.h"
70 #include "proposal.h"
71 #include "isakmp_var.h"
72 #include "isakmp.h"
73 #include "isakmp_inf.h"
74 #include "isakmp_quick.h"
75 #include "oakley.h"
76 #include "ipsec_doi.h"
77 #include "crypto_openssl.h"
78 #include "pfkey.h"
79 #include "policy.h"
80 #include "algorithm.h"
81 #include "sockmisc.h"
82 #include "proposal.h"
83 #include "sainfo.h"
84 #include "admin.h"
85 #include "strnames.h"
86
87 #ifdef ENABLE_HYBRID
88 #include <resolv.h>
89 #include "isakmp_xauth.h"
90 #include "isakmp_cfg.h"
91 #endif
92
93 #ifdef ENABLE_NATT
94 #include "nattraversal.h"
95 #endif
96
97 /* quick mode */
98 static vchar_t *quick_ir1mx __P((struct ph2handle *, vchar_t *, vchar_t *));
99 static int get_sainfo_r __P((struct ph2handle *));
100 static int get_proposal_r __P((struct ph2handle *));
101 static int ph2_recv_n __P((struct ph2handle *, struct isakmp_gen *));
102
103 /* �%%%
104 * Quick Mode
105 */
106 /*
107 * begin Quick Mode as initiator. send pfkey getspi message to kernel.
108 */
109 int
110 quick_i1prep(iph2, msg)
111 struct ph2handle *iph2;
112 vchar_t *msg; /* must be null pointer */
113 {
114 int error = ISAKMP_INTERNAL_ERROR;
115
116 /* validity check */
117 if (iph2->status != PHASE2ST_STATUS2) {
118 plog(LLV_ERROR, LOCATION, NULL,
119 "status mismatched %d.\n", iph2->status);
120 goto end;
121 }
122
123 iph2->msgid = isakmp_newmsgid2(iph2->ph1);
124 iph2->ivm = oakley_newiv2(iph2->ph1, iph2->msgid);
125 if (iph2->ivm == NULL)
126 return 0;
127
128 iph2->status = PHASE2ST_GETSPISENT;
129
130 /* don't anything if local test mode. */
131 if (f_local) {
132 error = 0;
133 goto end;
134 }
135
136 /* send getspi message */
137 if (pk_sendgetspi(iph2) < 0)
138 goto end;
139
140 plog(LLV_DEBUG, LOCATION, NULL, "pfkey getspi sent.\n");
141
142 iph2->sce = sched_new(lcconf->wait_ph2complete,
143 pfkey_timeover_stub, iph2);
144
145 error = 0;
146
147 end:
148 return error;
149 }
150
151 /*
152 * send to responder
153 * HDR*, HASH(1), SA, Ni [, KE ] [, IDi2, IDr2 ] [, NAT-OAi, NAT-OAr ]
154 */
155 int
156 quick_i1send(iph2, msg)
157 struct ph2handle *iph2;
158 vchar_t *msg; /* must be null pointer */
159 {
160 vchar_t *body = NULL;
161 vchar_t *hash = NULL;
162 struct isakmp_gen *gen;
163 char *p;
164 int tlen;
165 int error = ISAKMP_INTERNAL_ERROR;
166 int natoa = ISAKMP_NPTYPE_NONE;
167 int pfsgroup, idci, idcr;
168 int np;
169 struct ipsecdoi_id_b *id, *id_p;
170 #ifdef ENABLE_NATT
171 vchar_t *nat_oai = NULL;
172 vchar_t *nat_oar = NULL;
173 #endif
174
175 /* validity check */
176 if (msg != NULL) {
177 plog(LLV_ERROR, LOCATION, NULL,
178 "msg has to be NULL in this function.\n");
179 goto end;
180 }
181 if (iph2->status != PHASE2ST_GETSPIDONE) {
182 plog(LLV_ERROR, LOCATION, NULL,
183 "status mismatched %d.\n", iph2->status);
184 goto end;
185 }
186
187 /* create SA payload for my proposal */
188 if (ipsecdoi_setph2proposal(iph2) < 0)
189 goto end;
190
191 /* generate NONCE value */
192 iph2->nonce = eay_set_random(iph2->ph1->rmconf->nonce_size);
193 if (iph2->nonce == NULL)
194 goto end;
195
196 /*
197 * DH value calculation is kicked out into cfparse.y.
198 * because pfs group can not be negotiated, it's only to be checked
199 * acceptable.
200 */
201 /* generate KE value if need */
202 pfsgroup = iph2->proposal->pfs_group;
203 if (pfsgroup) {
204 /* DH group settting if PFS is required. */
205 if (oakley_setdhgroup(pfsgroup, &iph2->pfsgrp) < 0) {
206 plog(LLV_ERROR, LOCATION, NULL,
207 "failed to set DH value.\n");
208 goto end;
209 }
210 if (oakley_dh_generate(iph2->pfsgrp,
211 &iph2->dhpub, &iph2->dhpriv) < 0) {
212 goto end;
213 }
214 }
215
216 /* generate ID value */
217 if (ipsecdoi_setid2(iph2) < 0) {
218 plog(LLV_ERROR, LOCATION, NULL,
219 "failed to get ID.\n");
220 goto end;
221 }
222 plog(LLV_DEBUG, LOCATION, NULL, "IDci:\n");
223 plogdump(LLV_DEBUG, iph2->id->v, iph2->id->l);
224 plog(LLV_DEBUG, LOCATION, NULL, "IDcr:\n");
225 plogdump(LLV_DEBUG, iph2->id_p->v, iph2->id_p->l);
226
227 /*
228 * we do not attach IDci nor IDcr, under the following condition:
229 * - all proposals are transport mode
230 * - no MIP6 or proxy
231 * - id payload suggests to encrypt all the traffic (no specific
232 * protocol type)
233 */
234 id = (struct ipsecdoi_id_b *)iph2->id->v;
235 id_p = (struct ipsecdoi_id_b *)iph2->id_p->v;
236 if (id->proto_id == 0
237 && id_p->proto_id == 0
238 && iph2->ph1->rmconf->support_proxy == 0
239 && ipsecdoi_transportmode(iph2->proposal)) {
240 idci = idcr = 0;
241 } else
242 idci = idcr = 1;
243
244 #ifdef ENABLE_NATT
245 /*
246 * RFC3947 5.2. if we propose UDP-Encapsulated-Transport
247 * we should send NAT-OA
248 */
249 if (ipsecdoi_transportmode(iph2->proposal)
250 && (iph2->ph1->natt_flags & NAT_DETECTED)) {
251 natoa = iph2->ph1->natt_options->payload_nat_oa;
252
253 nat_oai = ipsecdoi_sockaddr2id(iph2->src,
254 IPSECDOI_PREFIX_HOST, IPSEC_ULPROTO_ANY);
255 nat_oar = ipsecdoi_sockaddr2id(iph2->dst,
256 IPSECDOI_PREFIX_HOST, IPSEC_ULPROTO_ANY);
257
258 if (nat_oai == NULL || nat_oar == NULL) {
259 plog(LLV_ERROR, LOCATION, NULL,
260 "failed to generate NAT-OA payload.\n");
261 goto end;
262 }
263
264 plog(LLV_DEBUG, LOCATION, NULL, "NAT-OAi:\n");
265 plogdump(LLV_DEBUG, nat_oai->v, nat_oai->l);
266 plog(LLV_DEBUG, LOCATION, NULL, "NAT-OAr:\n");
267 plogdump(LLV_DEBUG, nat_oar->v, nat_oar->l);
268 } else {
269 natoa = ISAKMP_NPTYPE_NONE;
270 }
271 #endif
272
273 /* create SA;NONCE payload, and KE if need, and IDii, IDir. */
274 tlen = + sizeof(*gen) + iph2->sa->l
275 + sizeof(*gen) + iph2->nonce->l;
276 if (pfsgroup)
277 tlen += (sizeof(*gen) + iph2->dhpub->l);
278 if (idci)
279 tlen += sizeof(*gen) + iph2->id->l;
280 if (idcr)
281 tlen += sizeof(*gen) + iph2->id_p->l;
282 #ifdef ENABLE_NATT
283 if (natoa != ISAKMP_NPTYPE_NONE)
284 tlen += 2 * sizeof(*gen) + nat_oai->l + nat_oar->l;
285 #endif
286
287 body = vmalloc(tlen);
288 if (body == NULL) {
289 plog(LLV_ERROR, LOCATION, NULL,
290 "failed to get buffer to send.\n");
291 goto end;
292 }
293
294 p = body->v;
295
296 /* add SA payload */
297 p = set_isakmp_payload(p, iph2->sa, ISAKMP_NPTYPE_NONCE);
298
299 /* add NONCE payload */
300 if (pfsgroup)
301 np = ISAKMP_NPTYPE_KE;
302 else if (idci || idcr)
303 np = ISAKMP_NPTYPE_ID;
304 else
305 np = natoa;
306 p = set_isakmp_payload(p, iph2->nonce, np);
307
308 /* add KE payload if need. */
309 np = (idci || idcr) ? ISAKMP_NPTYPE_ID : natoa;
310 if (pfsgroup)
311 p = set_isakmp_payload(p, iph2->dhpub, np);
312
313 /* IDci */
314 np = (idcr) ? ISAKMP_NPTYPE_ID : natoa;
315 if (idci)
316 p = set_isakmp_payload(p, iph2->id, np);
317
318 /* IDcr */
319 if (idcr)
320 p = set_isakmp_payload(p, iph2->id_p, natoa);
321
322 #ifdef ENABLE_NATT
323 /* NAT-OA */
324 if (natoa != ISAKMP_NPTYPE_NONE) {
325 p = set_isakmp_payload(p, nat_oai, natoa);
326 p = set_isakmp_payload(p, nat_oar, ISAKMP_NPTYPE_NONE);
327 }
328 #endif
329
330 /* generate HASH(1) */
331 hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, body);
332 if (hash == NULL)
333 goto end;
334
335 /* send isakmp payload */
336 iph2->sendbuf = quick_ir1mx(iph2, body, hash);
337 if (iph2->sendbuf == NULL)
338 goto end;
339
340 /* send the packet, add to the schedule to resend */
341 iph2->retry_counter = iph2->ph1->rmconf->retry_counter;
342 if (isakmp_ph2resend(iph2) == -1)
343 goto end;
344
345 /* change status of isakmp status entry */
346 iph2->status = PHASE2ST_MSG1SENT;
347
348 error = 0;
349
350 end:
351 if (body != NULL)
352 vfree(body);
353 if (hash != NULL)
354 vfree(hash);
355 #ifdef ENABLE_NATT
356 if (nat_oai != NULL)
357 vfree(nat_oai);
358 if (nat_oar != NULL)
359 vfree(nat_oar);
360 #endif
361
362 return error;
363 }
364
365 /*
366 * receive from responder
367 * HDR*, HASH(2), SA, Nr [, KE ] [, IDi2, IDr2 ] [, NAT-OAi, NAT-OAr ]
368 */
369 int
370 quick_i2recv(iph2, msg0)
371 struct ph2handle *iph2;
372 vchar_t *msg0;
373 {
374 vchar_t *msg = NULL;
375 vchar_t *hbuf = NULL; /* for hash computing. */
376 vchar_t *pbuf = NULL; /* for payload parsing */
377 vchar_t *idci = NULL;
378 vchar_t *idcr = NULL;
379 struct isakmp_parse_t *pa;
380 struct isakmp *isakmp = (struct isakmp *)msg0->v;
381 struct isakmp_pl_hash *hash = NULL;
382 char *p;
383 int tlen;
384 int error = ISAKMP_INTERNAL_ERROR;
385
386 /* validity check */
387 if (iph2->status != PHASE2ST_MSG1SENT) {
388 plog(LLV_ERROR, LOCATION, NULL,
389 "status mismatched %d.\n", iph2->status);
390 goto end;
391 }
392
393 /* decrypt packet */
394 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
395 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
396 "Packet wasn't encrypted.\n");
397 goto end;
398 }
399 msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
400 if (msg == NULL)
401 goto end;
402
403 /* create buffer for validating HASH(2) */
404 /*
405 * ordering rule:
406 * 1. the first one must be HASH
407 * 2. the second one must be SA (added in isakmp-oakley-05!)
408 * 3. two IDs must be considered as IDci, then IDcr
409 */
410 pbuf = isakmp_parse(msg);
411 if (pbuf == NULL)
412 goto end;
413 pa = (struct isakmp_parse_t *)pbuf->v;
414
415 /* HASH payload is fixed postion */
416 if (pa->type != ISAKMP_NPTYPE_HASH) {
417 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
418 "received invalid next payload type %d, "
419 "expecting %d.\n",
420 pa->type, ISAKMP_NPTYPE_HASH);
421 goto end;
422 }
423 hash = (struct isakmp_pl_hash *)pa->ptr;
424 pa++;
425
426 /*
427 * this restriction was introduced in isakmp-oakley-05.
428 * we do not check this for backward compatibility.
429 * TODO: command line/config file option to enable/disable this code
430 */
431 /* HASH payload is fixed postion */
432 if (pa->type != ISAKMP_NPTYPE_SA) {
433 plog(LLV_WARNING, LOCATION, iph2->ph1->remote,
434 "received invalid next payload type %d, "
435 "expecting %d.\n",
436 pa->type, ISAKMP_NPTYPE_HASH);
437 }
438
439 /* allocate buffer for computing HASH(2) */
440 tlen = iph2->nonce->l
441 + ntohl(isakmp->len) - sizeof(*isakmp);
442 hbuf = vmalloc(tlen);
443 if (hbuf == NULL) {
444 plog(LLV_ERROR, LOCATION, NULL,
445 "failed to get hash buffer.\n");
446 goto end;
447 }
448 p = hbuf->v + iph2->nonce->l; /* retain the space for Ni_b */
449
450 /*
451 * parse the payloads.
452 * copy non-HASH payloads into hbuf, so that we can validate HASH.
453 */
454 iph2->sa_ret = NULL;
455 tlen = 0; /* count payload length except of HASH payload. */
456 for (; pa->type; pa++) {
457
458 /* copy to buffer for HASH */
459 /* Don't modify the payload */
460 memcpy(p, pa->ptr, pa->len);
461
462 switch (pa->type) {
463 case ISAKMP_NPTYPE_SA:
464 if (iph2->sa_ret != NULL) {
465 plog(LLV_ERROR, LOCATION, NULL,
466 "Ignored, multiple SA "
467 "isn't supported.\n");
468 break;
469 }
470 if (isakmp_p2ph(&iph2->sa_ret, pa->ptr) < 0)
471 goto end;
472 break;
473
474 case ISAKMP_NPTYPE_NONCE:
475 if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0)
476 goto end;
477 break;
478
479 case ISAKMP_NPTYPE_KE:
480 if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0)
481 goto end;
482 break;
483
484 case ISAKMP_NPTYPE_ID:
485 if (idci == NULL) {
486 if (isakmp_p2ph(&idci, pa->ptr) < 0)
487 goto end;
488 } else if (idcr == NULL) {
489 if (isakmp_p2ph(&idcr, pa->ptr) < 0)
490 goto end;
491 } else {
492 goto end;
493 }
494 break;
495
496 case ISAKMP_NPTYPE_N:
497 ph2_recv_n(iph2, pa->ptr);
498 break;
499
500 #ifdef ENABLE_NATT
501 case ISAKMP_NPTYPE_NATOA_DRAFT:
502 case ISAKMP_NPTYPE_NATOA_RFC:
503 {
504 struct sockaddr_storage addr;
505 struct sockaddr *daddr;
506 u_int8_t prefix;
507 u_int16_t ul_proto;
508 vchar_t *vp = NULL;
509
510 if (isakmp_p2ph(&vp, pa->ptr) < 0)
511 goto end;
512
513 error = ipsecdoi_id2sockaddr(vp,
514 (struct sockaddr *) &addr,
515 &prefix, &ul_proto);
516
517 vfree(vp);
518
519 if (error)
520 goto end;
521
522 daddr = dupsaddr((struct sockaddr *) &addr);
523 if (daddr == NULL)
524 goto end;
525
526 if (iph2->natoa_src == NULL)
527 iph2->natoa_src = daddr;
528 else if (iph2->natoa_dst == NULL)
529 iph2->natoa_dst = daddr;
530 else {
531 racoon_free(daddr);
532 goto end;
533 }
534 }
535 break;
536 #endif
537
538 default:
539 /* don't send information, see ident_r1recv() */
540 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
541 "ignore the packet, "
542 "received unexpecting payload type %d.\n",
543 pa->type);
544 goto end;
545 }
546
547 p += pa->len;
548
549 /* compute true length of payload. */
550 tlen += pa->len;
551 }
552
553 /* payload existency check */
554 if (hash == NULL || iph2->sa_ret == NULL || iph2->nonce_p == NULL) {
555 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
556 "few isakmp message received.\n");
557 goto end;
558 }
559
560 /* identity check */
561 if (idci != NULL) {
562 struct sockaddr_storage proposed_addr, got_addr;
563 u_int8_t proposed_prefix, got_prefix;
564 u_int16_t proposed_ulproto, got_ulproto;
565
566 error = ipsecdoi_id2sockaddr(iph2->id,
567 (struct sockaddr *) &proposed_addr,
568 &proposed_prefix, &proposed_ulproto);
569 if (error)
570 goto end;
571
572 error = ipsecdoi_id2sockaddr(idci,
573 (struct sockaddr *) &got_addr,
574 &got_prefix, &got_ulproto);
575 if (error)
576 goto end;
577
578 if (proposed_prefix != got_prefix
579 || proposed_ulproto != got_ulproto) {
580 plog(LLV_DEBUG, LOCATION, NULL,
581 "IDci prefix/ulproto does not match proposal.\n");
582 error = ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED;
583 goto end;
584 }
585
586 if (cmpsaddrstrict((struct sockaddr *) &proposed_addr,
587 (struct sockaddr *) &got_addr) == 0) {
588 plog(LLV_DEBUG, LOCATION, NULL,
589 "IDci matches proposal.\n");
590 #ifdef ENABLE_NATT
591 } else if (iph2->natoa_src != NULL
592 && cmpsaddrwop(iph2->natoa_src,
593 (struct sockaddr *) &got_addr) == 0
594 && extract_port((struct sockaddr *) &proposed_addr) ==
595 extract_port((struct sockaddr *) &got_addr)) {
596 plog(LLV_DEBUG, LOCATION, NULL,
597 "IDci matches NAT-OAi.\n");
598 #endif
599 } else {
600 plog(LLV_ERROR, LOCATION, NULL,
601 "mismatched IDci was returned.\n");
602 error = ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED;
603 goto end;
604 }
605 }
606 if (idcr != NULL) {
607 struct sockaddr_storage proposed_addr, got_addr;
608 u_int8_t proposed_prefix, got_prefix;
609 u_int16_t proposed_ulproto, got_ulproto;
610
611 error = ipsecdoi_id2sockaddr(iph2->id_p,
612 (struct sockaddr *) &proposed_addr,
613 &proposed_prefix, &proposed_ulproto);
614 if (error)
615 goto end;
616
617 error = ipsecdoi_id2sockaddr(idcr,
618 (struct sockaddr *) &got_addr,
619 &got_prefix, &got_ulproto);
620 if (error)
621 goto end;
622
623 if (proposed_prefix != got_prefix
624 || proposed_ulproto != got_ulproto) {
625 plog(LLV_DEBUG, LOCATION, NULL,
626 "IDcr prefix/ulproto does not match proposal.\n");
627 error = ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED;
628 goto end;
629 }
630
631 if (cmpsaddrstrict((struct sockaddr *) &proposed_addr,
632 (struct sockaddr *) &got_addr) == 0) {
633 plog(LLV_DEBUG, LOCATION, NULL,
634 "IDcr matches proposal.\n");
635 #ifdef ENABLE_NATT
636 } else if (iph2->natoa_dst != NULL
637 && cmpsaddrwop(iph2->natoa_dst,
638 (struct sockaddr *) &got_addr) == 0
639 && extract_port((struct sockaddr *) &proposed_addr) ==
640 extract_port((struct sockaddr *) &got_addr)) {
641 plog(LLV_DEBUG, LOCATION, NULL,
642 "IDcr matches NAT-OAr.\n");
643 #endif
644 } else {
645 plog(LLV_ERROR, LOCATION, NULL,
646 "mismatched IDcr was returned.\n");
647 error = ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED;
648 goto end;
649 }
650 }
651
652 /* Fixed buffer for calculating HASH */
653 memcpy(hbuf->v, iph2->nonce->v, iph2->nonce->l);
654 plog(LLV_DEBUG, LOCATION, NULL,
655 "HASH allocated:hbuf->l=%zu actual:tlen=%zu\n",
656 hbuf->l, tlen + iph2->nonce->l);
657 /* adjust buffer length for HASH */
658 hbuf->l = iph2->nonce->l + tlen;
659
660 /* validate HASH(2) */
661 {
662 char *r_hash;
663 vchar_t *my_hash = NULL;
664 int result;
665
666 r_hash = (char *)hash + sizeof(*hash);
667
668 plog(LLV_DEBUG, LOCATION, NULL, "HASH(2) received:");
669 plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash));
670
671 my_hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, hbuf);
672 if (my_hash == NULL)
673 goto end;
674
675 result = memcmp(my_hash->v, r_hash, my_hash->l);
676 vfree(my_hash);
677
678 if (result) {
679 plog(LLV_DEBUG, LOCATION, iph2->ph1->remote,
680 "HASH(2) mismatch.\n");
681 error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
682 goto end;
683 }
684 }
685
686 /* validity check SA payload sent from responder */
687 if (ipsecdoi_checkph2proposal(iph2) < 0) {
688 error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
689 goto end;
690 }
691
692 /* change status of isakmp status entry */
693 iph2->status = PHASE2ST_STATUS6;
694
695 error = 0;
696
697 end:
698 if (hbuf)
699 vfree(hbuf);
700 if (pbuf)
701 vfree(pbuf);
702 if (msg)
703 vfree(msg);
704 if (idci)
705 vfree(idci);
706 if (idcr)
707 vfree(idcr);
708
709 if (error) {
710 VPTRINIT(iph2->sa_ret);
711 VPTRINIT(iph2->nonce_p);
712 VPTRINIT(iph2->dhpub_p);
713 VPTRINIT(iph2->id);
714 VPTRINIT(iph2->id_p);
715 #ifdef ENABLE_NATT
716 if (iph2->natoa_src) {
717 racoon_free(iph2->natoa_src);
718 iph2->natoa_src = NULL;
719 }
720 if (iph2->natoa_dst) {
721 racoon_free(iph2->natoa_dst);
722 iph2->natoa_dst = NULL;
723 }
724 #endif
725 }
726
727 return error;
728 }
729
730 /*
731 * send to responder
732 * HDR*, HASH(3)
733 */
734 int
735 quick_i2send(iph2, msg0)
736 struct ph2handle *iph2;
737 vchar_t *msg0;
738 {
739 vchar_t *msg = NULL;
740 vchar_t *buf = NULL;
741 vchar_t *hash = NULL;
742 char *p = NULL;
743 int tlen;
744 int error = ISAKMP_INTERNAL_ERROR;
745
746 /* validity check */
747 if (iph2->status != PHASE2ST_STATUS6) {
748 plog(LLV_ERROR, LOCATION, NULL,
749 "status mismatched %d.\n", iph2->status);
750 goto end;
751 }
752
753 /* generate HASH(3) */
754 {
755 vchar_t *tmp = NULL;
756
757 plog(LLV_DEBUG, LOCATION, NULL, "HASH(3) generate\n");
758
759 tmp = vmalloc(iph2->nonce->l + iph2->nonce_p->l);
760 if (tmp == NULL) {
761 plog(LLV_ERROR, LOCATION, NULL,
762 "failed to get hash buffer.\n");
763 goto end;
764 }
765 memcpy(tmp->v, iph2->nonce->v, iph2->nonce->l);
766 memcpy(tmp->v + iph2->nonce->l, iph2->nonce_p->v, iph2->nonce_p->l);
767
768 hash = oakley_compute_hash3(iph2->ph1, iph2->msgid, tmp);
769 vfree(tmp);
770
771 if (hash == NULL)
772 goto end;
773 }
774
775 /* create buffer for isakmp payload */
776 tlen = sizeof(struct isakmp)
777 + sizeof(struct isakmp_gen) + hash->l;
778 buf = vmalloc(tlen);
779 if (buf == NULL) {
780 plog(LLV_ERROR, LOCATION, NULL,
781 "failed to get buffer to send.\n");
782 goto end;
783 }
784
785 /* create isakmp header */
786 p = set_isakmp_header2(buf, iph2, ISAKMP_NPTYPE_HASH);
787 if (p == NULL)
788 goto end;
789
790 /* add HASH(3) payload */
791 p = set_isakmp_payload(p, hash, ISAKMP_NPTYPE_NONE);
792
793 #ifdef HAVE_PRINT_ISAKMP_C
794 isakmp_printpacket(buf, iph2->ph1->local, iph2->ph1->remote, 1);
795 #endif
796
797 /* encoding */
798 iph2->sendbuf = oakley_do_encrypt(iph2->ph1, buf, iph2->ivm->ive, iph2->ivm->iv);
799 if (iph2->sendbuf == NULL)
800 goto end;
801
802 /* if there is commit bit, need resending */
803 if (ISSET(iph2->flags, ISAKMP_FLAG_C)) {
804 /* send the packet, add to the schedule to resend */
805 iph2->retry_counter = iph2->ph1->rmconf->retry_counter;
806 if (isakmp_ph2resend(iph2) == -1)
807 goto end;
808 } else {
809 /* send the packet */
810 if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0)
811 goto end;
812 }
813
814 /* the sending message is added to the received-list. */
815 if (add_recvdpkt(iph2->ph1->remote, iph2->ph1->local,
816 iph2->sendbuf, msg0) == -1) {
817 plog(LLV_ERROR , LOCATION, NULL,
818 "failed to add a response packet to the tree.\n");
819 goto end;
820 }
821
822 /* compute both of KEYMATs */
823 if (oakley_compute_keymat(iph2, INITIATOR) < 0)
824 goto end;
825
826 iph2->status = PHASE2ST_ADDSA;
827
828 /* don't anything if local test mode. */
829 if (f_local) {
830 error = 0;
831 goto end;
832 }
833
834 /* if there is commit bit don't set up SA now. */
835 if (ISSET(iph2->flags, ISAKMP_FLAG_C)) {
836 iph2->status = PHASE2ST_COMMIT;
837 error = 0;
838 goto end;
839 }
840
841 /* Do UPDATE for initiator */
842 plog(LLV_DEBUG, LOCATION, NULL, "call pk_sendupdate\n");
843 if (pk_sendupdate(iph2) < 0) {
844 plog(LLV_ERROR, LOCATION, NULL, "pfkey update failed.\n");
845 goto end;
846 }
847 plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n");
848
849 /* Do ADD for responder */
850 if (pk_sendadd(iph2) < 0) {
851 plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n");
852 goto end;
853 }
854 plog(LLV_DEBUG, LOCATION, NULL, "pfkey add sent.\n");
855
856 error = 0;
857
858 end:
859 if (buf != NULL)
860 vfree(buf);
861 if (msg != NULL)
862 vfree(msg);
863 if (hash != NULL)
864 vfree(hash);
865
866 return error;
867 }
868
869 /*
870 * receive from responder
871 * HDR#*, HASH(4), notify
872 */
873 int
874 quick_i3recv(iph2, msg0)
875 struct ph2handle *iph2;
876 vchar_t *msg0;
877 {
878 vchar_t *msg = NULL;
879 vchar_t *pbuf = NULL; /* for payload parsing */
880 struct isakmp_parse_t *pa;
881 struct isakmp_pl_hash *hash = NULL;
882 vchar_t *notify = NULL;
883 int error = ISAKMP_INTERNAL_ERROR;
884
885 /* validity check */
886 if (iph2->status != PHASE2ST_COMMIT) {
887 plog(LLV_ERROR, LOCATION, NULL,
888 "status mismatched %d.\n", iph2->status);
889 goto end;
890 }
891
892 /* decrypt packet */
893 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
894 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
895 "Packet wasn't encrypted.\n");
896 goto end;
897 }
898 msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
899 if (msg == NULL)
900 goto end;
901
902 /* validate the type of next payload */
903 pbuf = isakmp_parse(msg);
904 if (pbuf == NULL)
905 goto end;
906
907 for (pa = (struct isakmp_parse_t *)pbuf->v;
908 pa->type != ISAKMP_NPTYPE_NONE;
909 pa++) {
910
911 switch (pa->type) {
912 case ISAKMP_NPTYPE_HASH:
913 hash = (struct isakmp_pl_hash *)pa->ptr;
914 break;
915 case ISAKMP_NPTYPE_N:
916 if (notify != NULL) {
917 plog(LLV_WARNING, LOCATION, NULL,
918 "Ignoring multiples notifications\n");
919 break;
920 }
921 ph2_recv_n(iph2, pa->ptr);
922 notify = vmalloc(pa->len);
923 if (notify == NULL) {
924 plog(LLV_ERROR, LOCATION, NULL,
925 "failed to get notify buffer.\n");
926 goto end;
927 }
928 memcpy(notify->v, pa->ptr, notify->l);
929 break;
930 default:
931 /* don't send information, see ident_r1recv() */
932 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
933 "ignore the packet, "
934 "received unexpecting payload type %d.\n",
935 pa->type);
936 goto end;
937 }
938 }
939
940 /* payload existency check */
941 if (hash == NULL) {
942 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
943 "few isakmp message received.\n");
944 goto end;
945 }
946
947 /* validate HASH(4) */
948 {
949 char *r_hash;
950 vchar_t *my_hash = NULL;
951 vchar_t *tmp = NULL;
952 int result;
953
954 r_hash = (char *)hash + sizeof(*hash);
955
956 plog(LLV_DEBUG, LOCATION, NULL, "HASH(4) validate:");
957 plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash));
958
959 my_hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, notify);
960 vfree(tmp);
961 if (my_hash == NULL)
962 goto end;
963
964 result = memcmp(my_hash->v, r_hash, my_hash->l);
965 vfree(my_hash);
966
967 if (result) {
968 plog(LLV_DEBUG, LOCATION, iph2->ph1->remote,
969 "HASH(4) mismatch.\n");
970 error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
971 goto end;
972 }
973 }
974
975 iph2->status = PHASE2ST_ADDSA;
976 iph2->flags ^= ISAKMP_FLAG_C; /* reset bit */
977
978 /* don't anything if local test mode. */
979 if (f_local) {
980 error = 0;
981 goto end;
982 }
983
984 /* Do UPDATE for initiator */
985 plog(LLV_DEBUG, LOCATION, NULL, "call pk_sendupdate\n");
986 if (pk_sendupdate(iph2) < 0) {
987 plog(LLV_ERROR, LOCATION, NULL, "pfkey update failed.\n");
988 goto end;
989 }
990 plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n");
991
992 /* Do ADD for responder */
993 if (pk_sendadd(iph2) < 0) {
994 plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n");
995 goto end;
996 }
997 plog(LLV_DEBUG, LOCATION, NULL, "pfkey add sent.\n");
998
999 error = 0;
1000
1001 end:
1002 if (msg != NULL)
1003 vfree(msg);
1004 if (pbuf != NULL)
1005 vfree(pbuf);
1006 if (notify != NULL)
1007 vfree(notify);
1008
1009 return error;
1010 }
1011
1012 /*
1013 * receive from initiator
1014 * HDR*, HASH(1), SA, Ni [, KE ] [, IDi2, IDr2 ] [, NAT-OAi, NAT-OAr ]
1015 */
1016 int
1017 quick_r1recv(iph2, msg0)
1018 struct ph2handle *iph2;
1019 vchar_t *msg0;
1020 {
1021 vchar_t *msg = NULL;
1022 vchar_t *hbuf = NULL; /* for hash computing. */
1023 vchar_t *pbuf = NULL; /* for payload parsing */
1024 struct isakmp_parse_t *pa;
1025 struct isakmp *isakmp = (struct isakmp *)msg0->v;
1026 struct isakmp_pl_hash *hash = NULL;
1027 char *p;
1028 int tlen;
1029 int f_id_order; /* for ID payload detection */
1030 int error = ISAKMP_INTERNAL_ERROR;
1031
1032 /* validity check */
1033 if (iph2->status != PHASE2ST_START) {
1034 plog(LLV_ERROR, LOCATION, NULL,
1035 "status mismatched %d.\n", iph2->status);
1036 goto end;
1037 }
1038
1039 /* decrypting */
1040 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
1041 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1042 "Packet wasn't encrypted.\n");
1043 error = ISAKMP_NTYPE_PAYLOAD_MALFORMED;
1044 goto end;
1045 }
1046 /* decrypt packet */
1047 msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
1048 if (msg == NULL)
1049 goto end;
1050
1051 /* create buffer for using to validate HASH(1) */
1052 /*
1053 * ordering rule:
1054 * 1. the first one must be HASH
1055 * 2. the second one must be SA (added in isakmp-oakley-05!)
1056 * 3. two IDs must be considered as IDci, then IDcr
1057 */
1058 pbuf = isakmp_parse(msg);
1059 if (pbuf == NULL)
1060 goto end;
1061 pa = (struct isakmp_parse_t *)pbuf->v;
1062
1063 /* HASH payload is fixed postion */
1064 if (pa->type != ISAKMP_NPTYPE_HASH) {
1065 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1066 "received invalid next payload type %d, "
1067 "expecting %d.\n",
1068 pa->type, ISAKMP_NPTYPE_HASH);
1069 error = ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX;
1070 goto end;
1071 }
1072 hash = (struct isakmp_pl_hash *)pa->ptr;
1073 pa++;
1074
1075 /*
1076 * this restriction was introduced in isakmp-oakley-05.
1077 * we do not check this for backward compatibility.
1078 * TODO: command line/config file option to enable/disable this code
1079 */
1080 /* HASH payload is fixed postion */
1081 if (pa->type != ISAKMP_NPTYPE_SA) {
1082 plog(LLV_WARNING, LOCATION, iph2->ph1->remote,
1083 "received invalid next payload type %d, "
1084 "expecting %d.\n",
1085 pa->type, ISAKMP_NPTYPE_SA);
1086 error = ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX;
1087 }
1088
1089 /* allocate buffer for computing HASH(1) */
1090 tlen = ntohl(isakmp->len) - sizeof(*isakmp);
1091 hbuf = vmalloc(tlen);
1092 if (hbuf == NULL) {
1093 plog(LLV_ERROR, LOCATION, NULL,
1094 "failed to get hash buffer.\n");
1095 goto end;
1096 }
1097 p = hbuf->v;
1098
1099 /*
1100 * parse the payloads.
1101 * copy non-HASH payloads into hbuf, so that we can validate HASH.
1102 */
1103 iph2->sa = NULL; /* we don't support multi SAs. */
1104 iph2->nonce_p = NULL;
1105 iph2->dhpub_p = NULL;
1106 iph2->id_p = NULL;
1107 iph2->id = NULL;
1108 tlen = 0; /* count payload length except of HASH payload. */
1109
1110 /*
1111 * IDi2 MUST be immediatelly followed by IDr2. We allowed the
1112 * illegal case, but logged. First ID payload is to be IDi2.
1113 * And next ID payload is to be IDr2.
1114 */
1115 f_id_order = 0;
1116
1117 for (; pa->type; pa++) {
1118
1119 /* copy to buffer for HASH */
1120 /* Don't modify the payload */
1121 memcpy(p, pa->ptr, pa->len);
1122
1123 if (pa->type != ISAKMP_NPTYPE_ID)
1124 f_id_order = 0;
1125
1126 switch (pa->type) {
1127 case ISAKMP_NPTYPE_SA:
1128 if (iph2->sa != NULL) {
1129 plog(LLV_ERROR, LOCATION, NULL,
1130 "Multi SAs isn't supported.\n");
1131 goto end;
1132 }
1133 if (isakmp_p2ph(&iph2->sa, pa->ptr) < 0)
1134 goto end;
1135 break;
1136
1137 case ISAKMP_NPTYPE_NONCE:
1138 if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0)
1139 goto end;
1140 break;
1141
1142 case ISAKMP_NPTYPE_KE:
1143 if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0)
1144 goto end;
1145 break;
1146
1147 case ISAKMP_NPTYPE_ID:
1148 if (iph2->id_p == NULL) {
1149 /* for IDci */
1150 f_id_order++;
1151
1152 if (isakmp_p2ph(&iph2->id_p, pa->ptr) < 0)
1153 goto end;
1154
1155 } else if (iph2->id == NULL) {
1156 /* for IDcr */
1157 if (f_id_order == 0) {
1158 plog(LLV_ERROR, LOCATION, NULL,
1159 "IDr2 payload is not "
1160 "immediatelly followed "
1161 "by IDi2. We allowed.\n");
1162 /* XXX we allowed in this case. */
1163 }
1164
1165 if (isakmp_p2ph(&iph2->id, pa->ptr) < 0)
1166 goto end;
1167 } else {
1168 plog(LLV_ERROR, LOCATION, NULL,
1169 "received too many ID payloads.\n");
1170 plogdump(LLV_ERROR, iph2->id->v, iph2->id->l);
1171 error = ISAKMP_NTYPE_INVALID_ID_INFORMATION;
1172 goto end;
1173 }
1174 break;
1175
1176 case ISAKMP_NPTYPE_N:
1177 ph2_recv_n(iph2, pa->ptr);
1178 break;
1179
1180 #ifdef ENABLE_NATT
1181 case ISAKMP_NPTYPE_NATOA_DRAFT:
1182 case ISAKMP_NPTYPE_NATOA_RFC:
1183 {
1184 struct sockaddr_storage addr;
1185 struct sockaddr *daddr;
1186 u_int8_t prefix;
1187 u_int16_t ul_proto;
1188 vchar_t *vp = NULL;
1189
1190 if (isakmp_p2ph(&vp, pa->ptr) < 0)
1191 goto end;
1192
1193 error = ipsecdoi_id2sockaddr(vp,
1194 (struct sockaddr *) &addr,
1195 &prefix, &ul_proto);
1196
1197 vfree(vp);
1198
1199 if (error)
1200 goto end;
1201
1202 daddr = dupsaddr((struct sockaddr *) &addr);
1203 if (daddr == NULL)
1204 goto end;
1205
1206 if (iph2->natoa_dst == NULL)
1207 iph2->natoa_dst = daddr;
1208 else if (iph2->natoa_src == NULL)
1209 iph2->natoa_src = daddr;
1210 else {
1211 racoon_free(daddr);
1212 goto end;
1213 }
1214 }
1215 break;
1216 #endif
1217
1218 default:
1219 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1220 "ignore the packet, "
1221 "received unexpecting payload type %d.\n",
1222 pa->type);
1223 error = ISAKMP_NTYPE_PAYLOAD_MALFORMED;
1224 goto end;
1225 }
1226
1227 p += pa->len;
1228
1229 /* compute true length of payload. */
1230 tlen += pa->len;
1231 }
1232
1233 /* payload existency check */
1234 if (hash == NULL || iph2->sa == NULL || iph2->nonce_p == NULL) {
1235 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1236 "few isakmp message received.\n");
1237 error = ISAKMP_NTYPE_PAYLOAD_MALFORMED;
1238 goto end;
1239 }
1240
1241 if (iph2->id_p) {
1242 plog(LLV_DEBUG, LOCATION, NULL, "received IDci2:");
1243 plogdump(LLV_DEBUG, iph2->id_p->v, iph2->id_p->l);
1244 }
1245 if (iph2->id) {
1246 plog(LLV_DEBUG, LOCATION, NULL, "received IDcr2:");
1247 plogdump(LLV_DEBUG, iph2->id->v, iph2->id->l);
1248 }
1249
1250 /* adjust buffer length for HASH */
1251 hbuf->l = tlen;
1252
1253 /* validate HASH(1) */
1254 {
1255 char *r_hash;
1256 vchar_t *my_hash = NULL;
1257 int result;
1258
1259 r_hash = (caddr_t)hash + sizeof(*hash);
1260
1261 plog(LLV_DEBUG, LOCATION, NULL, "HASH(1) validate:");
1262 plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash));
1263
1264 my_hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, hbuf);
1265 if (my_hash == NULL)
1266 goto end;
1267
1268 result = memcmp(my_hash->v, r_hash, my_hash->l);
1269 vfree(my_hash);
1270
1271 if (result) {
1272 plog(LLV_DEBUG, LOCATION, iph2->ph1->remote,
1273 "HASH(1) mismatch.\n");
1274 error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
1275 goto end;
1276 }
1277 }
1278
1279 /* get sainfo */
1280 error = get_sainfo_r(iph2);
1281 if (error) {
1282 plog(LLV_ERROR, LOCATION, NULL,
1283 "failed to get sainfo.\n");
1284 goto end;
1285 }
1286
1287
1288 /* check the existence of ID payload and create responder's proposal */
1289 error = get_proposal_r(iph2);
1290 switch (error) {
1291 case -2:
1292 /* generate a policy template from peer's proposal */
1293 if (set_proposal_from_proposal(iph2)) {
1294 plog(LLV_ERROR, LOCATION, NULL,
1295 "failed to generate a proposal template "
1296 "from client's proposal.\n");
1297 error = ISAKMP_INTERNAL_ERROR;
1298 goto end;
1299 }
1300 /*FALLTHROUGH*/
1301 case 0:
1302 /* select single proposal or reject it. */
1303 if (ipsecdoi_selectph2proposal(iph2) < 0) {
1304 error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
1305 goto end;
1306 }
1307 break;
1308 default:
1309 plog(LLV_ERROR, LOCATION, NULL,
1310 "failed to get proposal for responder.\n");
1311 goto end;
1312 }
1313
1314 /* check KE and attribute of PFS */
1315 if (iph2->dhpub_p != NULL && iph2->approval->pfs_group == 0) {
1316 plog(LLV_ERROR, LOCATION, NULL,
1317 "no PFS is specified, but peer sends KE.\n");
1318 error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
1319 goto end;
1320 }
1321 if (iph2->dhpub_p == NULL && iph2->approval->pfs_group != 0) {
1322 plog(LLV_ERROR, LOCATION, NULL,
1323 "PFS is specified, but peer doesn't sends KE.\n");
1324 error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
1325 goto end;
1326 }
1327
1328 /*
1329 * save the packet from the initiator in order to resend the
1330 * responder's first packet against this packet.
1331 */
1332 iph2->msg1 = vdup(msg0);
1333
1334 /* change status of isakmp status entry */
1335 iph2->status = PHASE2ST_STATUS2;
1336
1337 error = 0;
1338
1339 end:
1340 if (hbuf)
1341 vfree(hbuf);
1342 if (msg)
1343 vfree(msg);
1344 if (pbuf)
1345 vfree(pbuf);
1346
1347 if (error) {
1348 VPTRINIT(iph2->sa);
1349 VPTRINIT(iph2->nonce_p);
1350 VPTRINIT(iph2->dhpub_p);
1351 VPTRINIT(iph2->id);
1352 VPTRINIT(iph2->id_p);
1353 #ifdef ENABLE_NATT
1354 if (iph2->natoa_src) {
1355 racoon_free(iph2->natoa_src);
1356 iph2->natoa_src = NULL;
1357 }
1358 if (iph2->natoa_dst) {
1359 racoon_free(iph2->natoa_dst);
1360 iph2->natoa_dst = NULL;
1361 }
1362 #endif
1363 }
1364
1365 return error;
1366 }
1367
1368 /*
1369 * call pfkey_getspi.
1370 */
1371 int
1372 quick_r1prep(iph2, msg)
1373 struct ph2handle *iph2;
1374 vchar_t *msg;
1375 {
1376 int error = ISAKMP_INTERNAL_ERROR;
1377
1378 /* validity check */
1379 if (iph2->status != PHASE2ST_STATUS2) {
1380 plog(LLV_ERROR, LOCATION, NULL,
1381 "status mismatched %d.\n", iph2->status);
1382 goto end;
1383 }
1384
1385 iph2->status = PHASE2ST_GETSPISENT;
1386
1387 /* send getspi message */
1388 if (pk_sendgetspi(iph2) < 0)
1389 goto end;
1390
1391 plog(LLV_DEBUG, LOCATION, NULL, "pfkey getspi sent.\n");
1392
1393 iph2->sce = sched_new(lcconf->wait_ph2complete,
1394 pfkey_timeover_stub, iph2);
1395
1396 error = 0;
1397
1398 end:
1399 return error;
1400 }
1401
1402 /*
1403 * send to initiator
1404 * HDR*, HASH(2), SA, Nr [, KE ] [, IDi2, IDr2 ] [, NAT-OAi, NAT-OAr ]
1405 */
1406 int
1407 quick_r2send(iph2, msg)
1408 struct ph2handle *iph2;
1409 vchar_t *msg;
1410 {
1411 vchar_t *body = NULL;
1412 vchar_t *hash = NULL;
1413 struct isakmp_gen *gen;
1414 char *p;
1415 int tlen;
1416 int error = ISAKMP_INTERNAL_ERROR;
1417 int natoa = ISAKMP_NPTYPE_NONE;
1418 int pfsgroup;
1419 u_int8_t *np_p = NULL;
1420 #ifdef ENABLE_NATT
1421 vchar_t *nat_oai = NULL;
1422 vchar_t *nat_oar = NULL;
1423 #endif
1424
1425 /* validity check */
1426 if (msg != NULL) {
1427 plog(LLV_ERROR, LOCATION, NULL,
1428 "msg has to be NULL in this function.\n");
1429 goto end;
1430 }
1431 if (iph2->status != PHASE2ST_GETSPIDONE) {
1432 plog(LLV_ERROR, LOCATION, NULL,
1433 "status mismatched %d.\n", iph2->status);
1434 goto end;
1435 }
1436
1437 /* update responders SPI */
1438 if (ipsecdoi_updatespi(iph2) < 0) {
1439 plog(LLV_ERROR, LOCATION, NULL, "failed to update spi.\n");
1440 goto end;
1441 }
1442
1443 /* generate NONCE value */
1444 iph2->nonce = eay_set_random(iph2->ph1->rmconf->nonce_size);
1445 if (iph2->nonce == NULL)
1446 goto end;
1447
1448 /* generate KE value if need */
1449 pfsgroup = iph2->approval->pfs_group;
1450 if (iph2->dhpub_p != NULL && pfsgroup != 0) {
1451 /* DH group settting if PFS is required. */
1452 if (oakley_setdhgroup(pfsgroup, &iph2->pfsgrp) < 0) {
1453 plog(LLV_ERROR, LOCATION, NULL,
1454 "failed to set DH value.\n");
1455 goto end;
1456 }
1457 /* generate DH public value */
1458 if (oakley_dh_generate(iph2->pfsgrp,
1459 &iph2->dhpub, &iph2->dhpriv) < 0) {
1460 goto end;
1461 }
1462 }
1463
1464 #ifdef ENABLE_NATT
1465 /*
1466 * RFC3947 5.2. if we chose UDP-Encapsulated-Transport
1467 * we should send NAT-OA
1468 */
1469 if (ipsecdoi_transportmode(iph2->proposal)
1470 && (iph2->ph1->natt_flags & NAT_DETECTED)) {
1471 natoa = iph2->ph1->natt_options->payload_nat_oa;
1472
1473 nat_oai = ipsecdoi_sockaddr2id(iph2->dst,
1474 IPSECDOI_PREFIX_HOST, IPSEC_ULPROTO_ANY);
1475 nat_oar = ipsecdoi_sockaddr2id(iph2->src,
1476 IPSECDOI_PREFIX_HOST, IPSEC_ULPROTO_ANY);
1477
1478 if (nat_oai == NULL || nat_oar == NULL) {
1479 plog(LLV_ERROR, LOCATION, NULL,
1480 "failed to generate NAT-OA payload.\n");
1481 goto end;
1482 }
1483
1484 plog(LLV_DEBUG, LOCATION, NULL, "NAT-OAi:\n");
1485 plogdump(LLV_DEBUG, nat_oai->v, nat_oai->l);
1486 plog(LLV_DEBUG, LOCATION, NULL, "NAT-OAr:\n");
1487 plogdump(LLV_DEBUG, nat_oar->v, nat_oar->l);
1488 }
1489 #endif
1490
1491 /* create SA;NONCE payload, and KE and ID if need */
1492 tlen = sizeof(*gen) + iph2->sa_ret->l
1493 + sizeof(*gen) + iph2->nonce->l;
1494 if (iph2->dhpub_p != NULL && pfsgroup != 0)
1495 tlen += (sizeof(*gen) + iph2->dhpub->l);
1496 if (iph2->id_p != NULL)
1497 tlen += (sizeof(*gen) + iph2->id_p->l
1498 + sizeof(*gen) + iph2->id->l);
1499 #ifdef ENABLE_NATT
1500 if (natoa != ISAKMP_NPTYPE_NONE)
1501 tlen += 2 * sizeof(*gen) + nat_oai->l + nat_oar->l;
1502 #endif
1503
1504 body = vmalloc(tlen);
1505 if (body == NULL) {
1506 plog(LLV_ERROR, LOCATION, NULL,
1507 "failed to get buffer to send.\n");
1508 goto end;
1509 }
1510 p = body->v;
1511
1512 /* make SA payload */
1513 p = set_isakmp_payload(body->v, iph2->sa_ret, ISAKMP_NPTYPE_NONCE);
1514
1515 /* add NONCE payload */
1516 np_p = &((struct isakmp_gen *)p)->np; /* XXX */
1517 p = set_isakmp_payload(p, iph2->nonce,
1518 (iph2->dhpub_p != NULL && pfsgroup != 0)
1519 ? ISAKMP_NPTYPE_KE
1520 : (iph2->id_p != NULL
1521 ? ISAKMP_NPTYPE_ID
1522 : natoa));
1523
1524 /* add KE payload if need. */
1525 if (iph2->dhpub_p != NULL && pfsgroup != 0) {
1526 np_p = &((struct isakmp_gen *)p)->np; /* XXX */
1527 p = set_isakmp_payload(p, iph2->dhpub,
1528 (iph2->id_p == NULL)
1529 ? natoa
1530 : ISAKMP_NPTYPE_ID);
1531 }
1532
1533 /* add ID payloads received. */
1534 if (iph2->id_p != NULL) {
1535 /* IDci */
1536 p = set_isakmp_payload(p, iph2->id_p, ISAKMP_NPTYPE_ID);
1537 /* IDcr */
1538 np_p = &((struct isakmp_gen *)p)->np; /* XXX */
1539 p = set_isakmp_payload(p, iph2->id, natoa);
1540 }
1541
1542 #ifdef ENABLE_NATT
1543 /* NAT-OA */
1544 if (natoa != ISAKMP_NPTYPE_NONE) {
1545 p = set_isakmp_payload(p, nat_oai, natoa);
1546 p = set_isakmp_payload(p, nat_oar, ISAKMP_NPTYPE_NONE);
1547 }
1548 #endif
1549
1550 /* add a RESPONDER-LIFETIME notify payload if needed */
1551 {
1552 vchar_t *data = NULL;
1553 struct saprop *pp = iph2->approval;
1554 struct saproto *pr;
1555
1556 if (pp->claim & IPSECDOI_ATTR_SA_LD_TYPE_SEC) {
1557 u_int32_t v = htonl((u_int32_t)pp->lifetime);
1558 data = isakmp_add_attr_l(data, IPSECDOI_ATTR_SA_LD_TYPE,
1559 IPSECDOI_ATTR_SA_LD_TYPE_SEC);
1560 if (!data)
1561 goto end;
1562 data = isakmp_add_attr_v(data, IPSECDOI_ATTR_SA_LD,
1563 (caddr_t)&v, sizeof(v));
1564 if (!data)
1565 goto end;
1566 }
1567 if (pp->claim & IPSECDOI_ATTR_SA_LD_TYPE_KB) {
1568 u_int32_t v = htonl((u_int32_t)pp->lifebyte);
1569 data = isakmp_add_attr_l(data, IPSECDOI_ATTR_SA_LD_TYPE,
1570 IPSECDOI_ATTR_SA_LD_TYPE_KB);
1571 if (!data)
1572 goto end;
1573 data = isakmp_add_attr_v(data, IPSECDOI_ATTR_SA_LD,
1574 (caddr_t)&v, sizeof(v));
1575 if (!data)
1576 goto end;
1577 }
1578
1579 /*
1580 * XXX Is there only single RESPONDER-LIFETIME payload in a IKE message
1581 * in the case of SA bundle ?
1582 */
1583 if (data) {
1584 for (pr = pp->head; pr; pr = pr->next) {
1585 body = isakmp_add_pl_n(body, &np_p,
1586 ISAKMP_NTYPE_RESPONDER_LIFETIME, pr, data);
1587 if (!body) {
1588 vfree(data);
1589 return error; /* XXX */
1590 }
1591 }
1592 vfree(data);
1593 }
1594 }
1595
1596 /* generate HASH(2) */
1597 {
1598 vchar_t *tmp;
1599
1600 tmp = vmalloc(iph2->nonce_p->l + body->l);
1601 if (tmp == NULL) {
1602 plog(LLV_ERROR, LOCATION, NULL,
1603 "failed to get hash buffer.\n");
1604 goto end;
1605 }
1606 memcpy(tmp->v, iph2->nonce_p->v, iph2->nonce_p->l);
1607 memcpy(tmp->v + iph2->nonce_p->l, body->v, body->l);
1608
1609 hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, tmp);
1610 vfree(tmp);
1611
1612 if (hash == NULL)
1613 goto end;
1614 }
1615
1616 /* send isakmp payload */
1617 iph2->sendbuf = quick_ir1mx(iph2, body, hash);
1618 if (iph2->sendbuf == NULL)
1619 goto end;
1620
1621 /* send the packet, add to the schedule to resend */
1622 iph2->retry_counter = iph2->ph1->rmconf->retry_counter;
1623 if (isakmp_ph2resend(iph2) == -1)
1624 goto end;
1625
1626 /* the sending message is added to the received-list. */
1627 if (add_recvdpkt(iph2->ph1->remote, iph2->ph1->local, iph2->sendbuf, iph2->msg1) == -1) {
1628 plog(LLV_ERROR , LOCATION, NULL,
1629 "failed to add a response packet to the tree.\n");
1630 goto end;
1631 }
1632
1633 /* change status of isakmp status entry */
1634 iph2->status = PHASE2ST_MSG1SENT;
1635
1636 error = 0;
1637
1638 end:
1639 if (body != NULL)
1640 vfree(body);
1641 if (hash != NULL)
1642 vfree(hash);
1643 #ifdef ENABLE_NATT
1644 if (nat_oai != NULL)
1645 vfree(nat_oai);
1646 if (nat_oar != NULL)
1647 vfree(nat_oar);
1648 #endif
1649
1650 return error;
1651 }
1652
1653 /*
1654 * receive from initiator
1655 * HDR*, HASH(3)
1656
1657 */
1658 int
1659 quick_r3recv(iph2, msg0)
1660 struct ph2handle *iph2;
1661 vchar_t *msg0;
1662 {
1663 vchar_t *msg = NULL;
1664 vchar_t *pbuf = NULL; /* for payload parsing */
1665 struct isakmp_parse_t *pa;
1666 struct isakmp_pl_hash *hash = NULL;
1667 int error = ISAKMP_INTERNAL_ERROR;
1668
1669 /* validity check */
1670 if (iph2->status != PHASE2ST_MSG1SENT) {
1671 plog(LLV_ERROR, LOCATION, NULL,
1672 "status mismatched %d.\n", iph2->status);
1673 goto end;
1674 }
1675
1676 /* decrypt packet */
1677 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
1678 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1679 "Packet wasn't encrypted.\n");
1680 goto end;
1681 }
1682 msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
1683 if (msg == NULL)
1684 goto end;
1685
1686 /* validate the type of next payload */
1687 pbuf = isakmp_parse(msg);
1688 if (pbuf == NULL)
1689 goto end;
1690
1691 for (pa = (struct isakmp_parse_t *)pbuf->v;
1692 pa->type != ISAKMP_NPTYPE_NONE;
1693 pa++) {
1694
1695 switch (pa->type) {
1696 case ISAKMP_NPTYPE_HASH:
1697 hash = (struct isakmp_pl_hash *)pa->ptr;
1698 break;
1699 case ISAKMP_NPTYPE_N:
1700 ph2_recv_n(iph2, pa->ptr);
1701 break;
1702 default:
1703 /* don't send information, see ident_r1recv() */
1704 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1705 "ignore the packet, "
1706 "received unexpecting payload type %d.\n",
1707 pa->type);
1708 goto end;
1709 }
1710 }
1711
1712 /* payload existency check */
1713 if (hash == NULL) {
1714 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1715 "few isakmp message received.\n");
1716 goto end;
1717 }
1718
1719 /* validate HASH(3) */
1720 /* HASH(3) = prf(SKEYID_a, 0 | M-ID | Ni_b | Nr_b) */
1721 {
1722 char *r_hash;
1723 vchar_t *my_hash = NULL;
1724 vchar_t *tmp = NULL;
1725 int result;
1726
1727 r_hash = (char *)hash + sizeof(*hash);
1728
1729 plog(LLV_DEBUG, LOCATION, NULL, "HASH(3) validate:");
1730 plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash));
1731
1732 tmp = vmalloc(iph2->nonce_p->l + iph2->nonce->l);
1733 if (tmp == NULL) {
1734 plog(LLV_ERROR, LOCATION, NULL,
1735 "failed to get hash buffer.\n");
1736 goto end;
1737 }
1738 memcpy(tmp->v, iph2->nonce_p->v, iph2->nonce_p->l);
1739 memcpy(tmp->v + iph2->nonce_p->l, iph2->nonce->v, iph2->nonce->l);
1740
1741 my_hash = oakley_compute_hash3(iph2->ph1, iph2->msgid, tmp);
1742 vfree(tmp);
1743 if (my_hash == NULL)
1744 goto end;
1745
1746 result = memcmp(my_hash->v, r_hash, my_hash->l);
1747 vfree(my_hash);
1748
1749 if (result) {
1750 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1751 "HASH(3) mismatch.\n");
1752 error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
1753 goto end;
1754 }
1755 }
1756
1757 /* if there is commit bit, don't set up SA now. */
1758 if (ISSET(iph2->flags, ISAKMP_FLAG_C)) {
1759 iph2->status = PHASE2ST_COMMIT;
1760 } else
1761 iph2->status = PHASE2ST_STATUS6;
1762
1763 error = 0;
1764
1765 end:
1766 if (pbuf != NULL)
1767 vfree(pbuf);
1768 if (msg != NULL)
1769 vfree(msg);
1770
1771 return error;
1772 }
1773
1774 /*
1775 * send to initiator
1776 * HDR#*, HASH(4), notify
1777 */
1778 int
1779 quick_r3send(iph2, msg0)
1780 struct ph2handle *iph2;
1781 vchar_t *msg0;
1782 {
1783 vchar_t *buf = NULL;
1784 vchar_t *myhash = NULL;
1785 struct isakmp_pl_n *n;
1786 vchar_t *notify = NULL;
1787 char *p;
1788 int tlen;
1789 int error = ISAKMP_INTERNAL_ERROR;
1790
1791 /* validity check */
1792 if (iph2->status != PHASE2ST_COMMIT) {
1793 plog(LLV_ERROR, LOCATION, NULL,
1794 "status mismatched %d.\n", iph2->status);
1795 goto end;
1796 }
1797
1798 /* generate HASH(4) */
1799 /* XXX What can I do in the case of multiple different SA */
1800 plog(LLV_DEBUG, LOCATION, NULL, "HASH(4) generate\n");
1801
1802 /* XXX What should I do if there are multiple SAs ? */
1803 tlen = sizeof(struct isakmp_pl_n) + iph2->approval->head->spisize;
1804 notify = vmalloc(tlen);
1805 if (notify == NULL) {
1806 plog(LLV_ERROR, LOCATION, NULL,
1807 "failed to get notify buffer.\n");
1808 goto end;
1809 }
1810 n = (struct isakmp_pl_n *)notify->v;
1811 n->h.np = ISAKMP_NPTYPE_NONE;
1812 n->h.len = htons(tlen);
1813 n->doi = htonl(IPSEC_DOI);
1814 n->proto_id = iph2->approval->head->proto_id;
1815 n->spi_size = sizeof(iph2->approval->head->spisize);
1816 n->type = htons(ISAKMP_NTYPE_CONNECTED);
1817 memcpy(n + 1, &iph2->approval->head->spi, iph2->approval->head->spisize);
1818
1819 myhash = oakley_compute_hash1(iph2->ph1, iph2->msgid, notify);
1820 if (myhash == NULL)
1821 goto end;
1822
1823 /* create buffer for isakmp payload */
1824 tlen = sizeof(struct isakmp)
1825 + sizeof(struct isakmp_gen) + myhash->l
1826 + notify->l;
1827 buf = vmalloc(tlen);
1828 if (buf == NULL) {
1829 plog(LLV_ERROR, LOCATION, NULL,
1830 "failed to get buffer to send.\n");
1831 goto end;
1832 }
1833
1834 /* create isakmp header */
1835 p = set_isakmp_header2(buf, iph2, ISAKMP_NPTYPE_HASH);
1836 if (p == NULL)
1837 goto end;
1838
1839 /* add HASH(4) payload */
1840 p = set_isakmp_payload(p, myhash, ISAKMP_NPTYPE_N);
1841
1842 /* add notify payload */
1843 memcpy(p, notify->v, notify->l);
1844
1845 #ifdef HAVE_PRINT_ISAKMP_C
1846 isakmp_printpacket(buf, iph2->ph1->local, iph2->ph1->remote, 1);
1847 #endif
1848
1849 /* encoding */
1850 iph2->sendbuf = oakley_do_encrypt(iph2->ph1, buf, iph2->ivm->ive, iph2->ivm->iv);
1851 if (iph2->sendbuf == NULL)
1852 goto end;
1853
1854 /* send the packet */
1855 if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0)
1856 goto end;
1857
1858 /* the sending message is added to the received-list. */
1859 if (add_recvdpkt(iph2->ph1->remote, iph2->ph1->local, iph2->sendbuf, msg0) == -1) {
1860 plog(LLV_ERROR , LOCATION, NULL,
1861 "failed to add a response packet to the tree.\n");
1862 goto end;
1863 }
1864
1865 iph2->status = PHASE2ST_COMMIT;
1866
1867 error = 0;
1868
1869 end:
1870 if (buf != NULL)
1871 vfree(buf);
1872 if (myhash != NULL)
1873 vfree(myhash);
1874 if (notify != NULL)
1875 vfree(notify);
1876
1877 return error;
1878 }
1879
1880 int
1881 tunnel_mode_prop(p)
1882 struct saprop *p;
1883 {
1884 struct saproto *pr;
1885
1886 for (pr = p->head; pr; pr = pr->next)
1887 if (pr->encmode == IPSECDOI_ATTR_ENC_MODE_TUNNEL)
1888 return 1;
1889 return 0;
1890 }
1891
1892 /*
1893 * set SA to kernel.
1894 */
1895 int
1896 quick_r3prep(iph2, msg0)
1897 struct ph2handle *iph2;
1898 vchar_t *msg0;
1899 {
1900 int error = ISAKMP_INTERNAL_ERROR;
1901
1902 /* validity check */
1903 if (iph2->status != PHASE2ST_STATUS6) {
1904 plog(LLV_ERROR, LOCATION, NULL,
1905 "status mismatched %d.\n", iph2->status);
1906 goto end;
1907 }
1908
1909 /* compute both of KEYMATs */
1910 if (oakley_compute_keymat(iph2, RESPONDER) < 0)
1911 goto end;
1912
1913 iph2->status = PHASE2ST_ADDSA;
1914 iph2->flags ^= ISAKMP_FLAG_C; /* reset bit */
1915
1916 /* don't anything if local test mode. */
1917 if (f_local) {
1918 error = 0;
1919 goto end;
1920 }
1921
1922 /* Do UPDATE as responder */
1923 plog(LLV_DEBUG, LOCATION, NULL, "call pk_sendupdate\n");
1924 if (pk_sendupdate(iph2) < 0) {
1925 plog(LLV_ERROR, LOCATION, NULL, "pfkey update failed.\n");
1926 goto end;
1927 }
1928 plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n");
1929
1930 /* Do ADD for responder */
1931 if (pk_sendadd(iph2) < 0) {
1932 plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n");
1933 goto end;
1934 }
1935 plog(LLV_DEBUG, LOCATION, NULL, "pfkey add sent.\n");
1936
1937 /*
1938 * set policies into SPD if the policy is generated
1939 * from peer's policy.
1940 */
1941 if (iph2->spidx_gen) {
1942
1943 struct policyindex *spidx;
1944 struct sockaddr_storage addr;
1945 u_int8_t pref;
1946 struct sockaddr *src = iph2->src;
1947 struct sockaddr *dst = iph2->dst;
1948
1949 /* make inbound policy */
1950 iph2->src = dst;
1951 iph2->dst = src;
1952 if (pk_sendspdupdate2(iph2) < 0) {
1953 plog(LLV_ERROR, LOCATION, NULL,
1954 "pfkey spdupdate2(inbound) failed.\n");
1955 goto end;
1956 }
1957 plog(LLV_DEBUG, LOCATION, NULL,
1958 "pfkey spdupdate2(inbound) sent.\n");
1959
1960 spidx = (struct policyindex *)iph2->spidx_gen;
1961 #ifdef HAVE_POLICY_FWD
1962 /* make forward policy if required */
1963 if (tunnel_mode_prop(iph2->approval)) {
1964 spidx->dir = IPSEC_DIR_FWD;
1965 if (pk_sendspdupdate2(iph2) < 0) {
1966 plog(LLV_ERROR, LOCATION, NULL,
1967 "pfkey spdupdate2(forward) failed.\n");
1968 goto end;
1969 }
1970 plog(LLV_DEBUG, LOCATION, NULL,
1971 "pfkey spdupdate2(forward) sent.\n");
1972 }
1973 #endif
1974
1975 /* make outbound policy */
1976 iph2->src = src;
1977 iph2->dst = dst;
1978 spidx->dir = IPSEC_DIR_OUTBOUND;
1979 addr = spidx->src;
1980 spidx->src = spidx->dst;
1981 spidx->dst = addr;
1982 pref = spidx->prefs;
1983 spidx->prefs = spidx->prefd;
1984 spidx->prefd = pref;
1985
1986 if (pk_sendspdupdate2(iph2) < 0) {
1987 plog(LLV_ERROR, LOCATION, NULL,
1988 "pfkey spdupdate2(outbound) failed.\n");
1989 goto end;
1990 }
1991 plog(LLV_DEBUG, LOCATION, NULL,
1992 "pfkey spdupdate2(outbound) sent.\n");
1993
1994 /* spidx_gen is unnecessary any more */
1995 delsp_bothdir((struct policyindex *)iph2->spidx_gen);
1996 racoon_free(iph2->spidx_gen);
1997 iph2->spidx_gen = NULL;
1998 iph2->generated_spidx=1;
1999 }
2000
2001 error = 0;
2002
2003 end:
2004 return error;
2005 }
2006
2007 /*
2008 * create HASH, body (SA, NONCE) payload with isakmp header.
2009 */
2010 static vchar_t *
2011 quick_ir1mx(iph2, body, hash)
2012 struct ph2handle *iph2;
2013 vchar_t *body, *hash;
2014 {
2015 struct isakmp *isakmp;
2016 vchar_t *buf = NULL, *new = NULL;
2017 char *p;
2018 int tlen;
2019 struct isakmp_gen *gen;
2020 int error = ISAKMP_INTERNAL_ERROR;
2021
2022 /* create buffer for isakmp payload */
2023 tlen = sizeof(*isakmp)
2024 + sizeof(*gen) + hash->l
2025 + body->l;
2026 buf = vmalloc(tlen);
2027 if (buf == NULL) {
2028 plog(LLV_ERROR, LOCATION, NULL,
2029 "failed to get buffer to send.\n");
2030 goto end;
2031 }
2032
2033 /* re-set encryption flag, for serurity. */
2034 iph2->flags |= ISAKMP_FLAG_E;
2035
2036 /* set isakmp header */
2037 p = set_isakmp_header2(buf, iph2, ISAKMP_NPTYPE_HASH);
2038 if (p == NULL)
2039 goto end;
2040
2041 /* add HASH payload */
2042 /* XXX is next type always SA ? */
2043 p = set_isakmp_payload(p, hash, ISAKMP_NPTYPE_SA);
2044
2045 /* add body payload */
2046 memcpy(p, body->v, body->l);
2047
2048 #ifdef HAVE_PRINT_ISAKMP_C
2049 isakmp_printpacket(buf, iph2->ph1->local, iph2->ph1->remote, 1);
2050 #endif
2051
2052 /* encoding */
2053 new = oakley_do_encrypt(iph2->ph1, buf, iph2->ivm->ive, iph2->ivm->iv);
2054
2055 if (new == NULL)
2056 goto end;
2057
2058 vfree(buf);
2059
2060 buf = new;
2061
2062 error = 0;
2063
2064 end:
2065 if (error && buf != NULL) {
2066 vfree(buf);
2067 buf = NULL;
2068 }
2069
2070 return buf;
2071 }
2072
2073 /*
2074 * get remote's sainfo.
2075 * NOTE: this function is for responder.
2076 */
2077 static int
2078 get_sainfo_r(iph2)
2079 struct ph2handle *iph2;
2080 {
2081 vchar_t *idsrc = NULL, *iddst = NULL, *client = NULL;
2082 int error = ISAKMP_INTERNAL_ERROR;
2083 int remoteid = 0;
2084
2085 if (iph2->id == NULL) {
2086 idsrc = ipsecdoi_sockaddr2id(iph2->src, IPSECDOI_PREFIX_HOST,
2087 IPSEC_ULPROTO_ANY);
2088 } else {
2089 idsrc = vdup(iph2->id);
2090 }
2091 if (idsrc == NULL) {
2092 plog(LLV_ERROR, LOCATION, NULL,
2093 "failed to set ID for source.\n");
2094 goto end;
2095 }
2096
2097 if (iph2->id_p == NULL) {
2098 iddst = ipsecdoi_sockaddr2id(iph2->dst, IPSECDOI_PREFIX_HOST,
2099 IPSEC_ULPROTO_ANY);
2100 } else {
2101 iddst = vdup(iph2->id_p);
2102 }
2103 if (iddst == NULL) {
2104 plog(LLV_ERROR, LOCATION, NULL,
2105 "failed to set ID for destination.\n");
2106 goto end;
2107 }
2108
2109 {
2110 struct remoteconf *conf;
2111 conf = getrmconf(iph2->dst);
2112 if (conf != NULL)
2113 remoteid=conf->ph1id;
2114 else{
2115 plog(LLV_DEBUG, LOCATION, NULL, "Warning: no valid rmconf !\n");
2116 remoteid=0;
2117 }
2118
2119 }
2120
2121 #ifdef ENABLE_HYBRID
2122
2123 /* clientaddr check : obtain modecfg address */
2124 if (iph2->ph1->mode_cfg != NULL) {
2125 if ((iph2->ph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_EXTERN) ||
2126 (iph2->ph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_LOCAL)){
2127 struct sockaddr saddr;
2128 saddr.sa_family = AF_INET;
2129 #ifndef __linux__
2130 saddr.sa_len = sizeof(struct sockaddr_in);
2131 #endif
2132 ((struct sockaddr_in *)&saddr)->sin_port = IPSEC_PORT_ANY;
2133 memcpy(&((struct sockaddr_in *)&saddr)->sin_addr,
2134 &iph2->ph1->mode_cfg->addr4, sizeof(struct in_addr));
2135 client = ipsecdoi_sockaddr2id(&saddr, 32, IPSEC_ULPROTO_ANY);
2136 }
2137 }
2138
2139 /* clientaddr check, fallback to peer address */
2140 if (client == NULL)
2141 {
2142 client = ipsecdoi_sockaddr2id(iph2->dst, IPSECDOI_PREFIX_HOST,
2143 IPSEC_ULPROTO_ANY);
2144 }
2145 #endif
2146
2147 /* obtain a matching sainfo section */
2148 iph2->sainfo = getsainfo(idsrc, iddst, iph2->ph1->id_p, client, remoteid);
2149 if (iph2->sainfo == NULL) {
2150 plog(LLV_ERROR, LOCATION, NULL,
2151 "failed to get sainfo.\n");
2152 goto end;
2153 }
2154
2155 #ifdef ENABLE_HYBRID
2156 /* xauth group inclusion check */
2157 if (iph2->sainfo->group != NULL)
2158 if(group_check(iph2->ph1,&iph2->sainfo->group->v,1))
2159 goto end;
2160 #endif
2161
2162 plog(LLV_DEBUG, LOCATION, NULL,
2163 "selected sainfo: %s\n", sainfo2str(iph2->sainfo));
2164
2165 error = 0;
2166 end:
2167 if (idsrc)
2168 vfree(idsrc);
2169 if (iddst)
2170 vfree(iddst);
2171 if (client)
2172 vfree(client);
2173
2174 return error;
2175 }
2176
2177 /*
2178 * Copy both IP addresses in ID payloads into [src,dst]_id if both ID types
2179 * are IP address and same address family.
2180 * Then get remote's policy from SPD copied from kernel.
2181 * If the type of ID payload is address or subnet type, then the index is
2182 * made from the payload. If there is no ID payload, or the type of ID
2183 * payload is NOT address type, then the index is made from the address
2184 * pair of phase 1.
2185 * NOTE: This function is only for responder.
2186 */
2187 static int
2188 get_proposal_r(iph2)
2189 struct ph2handle *iph2;
2190 {
2191 struct policyindex spidx;
2192 struct secpolicy *sp_in, *sp_out;
2193 int idi2type = 0; /* switch whether copy IDs into id[src,dst]. */
2194 int error = ISAKMP_INTERNAL_ERROR;
2195
2196 /* check the existence of ID payload */
2197 if ((iph2->id_p != NULL && iph2->id == NULL)
2198 || (iph2->id_p == NULL && iph2->id != NULL)) {
2199 plog(LLV_ERROR, LOCATION, NULL,
2200 "Both IDs wasn't found in payload.\n");
2201 return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
2202 }
2203
2204 /* make sure if id[src,dst] is null. */
2205 if (iph2->src_id || iph2->dst_id) {
2206 plog(LLV_ERROR, LOCATION, NULL,
2207 "Why do ID[src,dst] exist already.\n");
2208 return ISAKMP_INTERNAL_ERROR;
2209 }
2210
2211 memset(&spidx, 0, sizeof(spidx));
2212
2213 #define _XIDT(d) ((struct ipsecdoi_id_b *)(d)->v)->type
2214
2215 /* make a spidx; a key to search SPD */
2216 spidx.dir = IPSEC_DIR_INBOUND;
2217 spidx.ul_proto = 0;
2218
2219 /*
2220 * make destination address in spidx from either ID payload
2221 * or phase 1 address into a address in spidx.
2222 */
2223 if (iph2->id != NULL
2224 && (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR
2225 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR
2226 || _XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR_SUBNET
2227 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
2228 /* get a destination address of a policy */
2229 error = ipsecdoi_id2sockaddr(iph2->id,
2230 (struct sockaddr *)&spidx.dst,
2231 &spidx.prefd, &spidx.ul_proto);
2232 if (error)
2233 return error;
2234
2235 #ifdef INET6
2236 /*
2237 * get scopeid from the SA address.
2238 * note that the phase 1 source address is used as
2239 * a destination address to search for a inbound policy entry
2240 * because rcoon is responder.
2241 */
2242 if (_XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) {
2243 error = setscopeid((struct sockaddr *)&spidx.dst,
2244 iph2->src);
2245 if (error)
2246 return error;
2247 }
2248 #endif
2249
2250 if (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR
2251 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR)
2252 idi2type = _XIDT(iph2->id);
2253
2254 } else {
2255
2256 plog(LLV_DEBUG, LOCATION, NULL,
2257 "get a destination address of SP index "
2258 "from phase1 address "
2259 "due to no ID payloads found "
2260 "OR because ID type is not address.\n");
2261
2262 /*
2263 * copy the SOURCE address of IKE into the DESTINATION address
2264 * of the key to search the SPD because the direction of policy
2265 * is inbound.
2266 */
2267 memcpy(&spidx.dst, iph2->src, sysdep_sa_len(iph2->src));
2268 switch (spidx.dst.ss_family) {
2269 case AF_INET:
2270 spidx.prefd = sizeof(struct in_addr) << 3;
2271 break;
2272 #ifdef INET6
2273 case AF_INET6:
2274 spidx.prefd = sizeof(struct in6_addr) << 3;
2275 break;
2276 #endif
2277 default:
2278 spidx.prefd = 0;
2279 break;
2280 }
2281 }
2282
2283 /* make source address in spidx */
2284 if (iph2->id_p != NULL
2285 && (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR
2286 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR
2287 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR_SUBNET
2288 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
2289 /* get a source address of inbound SA */
2290 error = ipsecdoi_id2sockaddr(iph2->id_p,
2291 (struct sockaddr *)&spidx.src,
2292 &spidx.prefs, &spidx.ul_proto);
2293 if (error)
2294 return error;
2295
2296 #ifdef INET6
2297 /*
2298 * get scopeid from the SA address.
2299 * for more detail, see above of this function.
2300 */
2301 if (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR) {
2302 error = setscopeid((struct sockaddr *)&spidx.src,
2303 iph2->dst);
2304 if (error)
2305 return error;
2306 }
2307 #endif
2308
2309 /* make id[src,dst] if both ID types are IP address and same */
2310 if (_XIDT(iph2->id_p) == idi2type
2311 && spidx.dst.ss_family == spidx.src.ss_family) {
2312 iph2->src_id = dupsaddr((struct sockaddr *)&spidx.dst);
2313 if (iph2->src_id == NULL) {
2314 plog(LLV_ERROR, LOCATION, NULL,
2315 "buffer allocation failed.\n");
2316 return ISAKMP_INTERNAL_ERROR;
2317 }
2318 iph2->dst_id = dupsaddr((struct sockaddr *)&spidx.src);
2319 if (iph2->dst_id == NULL) {
2320 plog(LLV_ERROR, LOCATION, NULL,
2321 "buffer allocation failed.\n");
2322 return ISAKMP_INTERNAL_ERROR;
2323 }
2324 } else {
2325 plog(LLV_DEBUG, LOCATION, NULL,
2326 "Family (%d - %d) or types (%d - %d) of ID"
2327 "from initiator differ.\n",
2328 spidx.src.ss_family, spidx.dst.ss_family,
2329 _XIDT(iph2->id_p),idi2type);
2330 }
2331 } else {
2332 plog(LLV_DEBUG, LOCATION, NULL,
2333 "get a source address of SP index "
2334 "from phase1 address "
2335 "due to no ID payloads found "
2336 "OR because ID type is not address.\n");
2337
2338 /* see above comment. */
2339 memcpy(&spidx.src, iph2->dst, sysdep_sa_len(iph2->dst));
2340 switch (spidx.src.ss_family) {
2341 case AF_INET:
2342 spidx.prefs = sizeof(struct in_addr) << 3;
2343 break;
2344 #ifdef INET6
2345 case AF_INET6:
2346 spidx.prefs = sizeof(struct in6_addr) << 3;
2347 break;
2348 #endif
2349 default:
2350 spidx.prefs = 0;
2351 break;
2352 }
2353 }
2354
2355 #undef _XIDT
2356
2357 plog(LLV_DEBUG, LOCATION, NULL,
2358 "get a src address from ID payload "
2359 "%s prefixlen=%u ul_proto=%u\n",
2360 saddr2str((struct sockaddr *)&spidx.src),
2361 spidx.prefs, spidx.ul_proto);
2362 plog(LLV_DEBUG, LOCATION, NULL,
2363 "get dst address from ID payload "
2364 "%s prefixlen=%u ul_proto=%u\n",
2365 saddr2str((struct sockaddr *)&spidx.dst),
2366 spidx.prefd, spidx.ul_proto);
2367
2368 /*
2369 * convert the ul_proto if it is 0
2370 * because 0 in ID payload means a wild card.
2371 */
2372 if (spidx.ul_proto == 0)
2373 spidx.ul_proto = IPSEC_ULPROTO_ANY;
2374
2375 #ifdef HAVE_SECCTX
2376 /*
2377 * Need to use security context in spidx to ensure the correct
2378 * policy is selected. The only way to get the security context
2379 * is to look into the proposal sent by peer ahead of time.
2380 */
2381 if (get_security_context(iph2->sa, &spidx)) {
2382 plog(LLV_ERROR, LOCATION, NULL,
2383 "error occurred trying to get security context.\n");
2384 return ISAKMP_INTERNAL_ERROR;
2385 }
2386 #endif /* HAVE_SECCTX */
2387
2388 /* get inbound policy */
2389 sp_in = getsp_r(&spidx);
2390 if (sp_in == NULL) {
2391 if (iph2->ph1->rmconf->gen_policy) {
2392 plog(LLV_INFO, LOCATION, NULL,
2393 "no policy found, "
2394 "try to generate the policy : %s\n",
2395 spidx2str(&spidx));
2396 iph2->spidx_gen = racoon_malloc(sizeof(spidx));
2397 if (!iph2->spidx_gen) {
2398 plog(LLV_ERROR, LOCATION, NULL,
2399 "buffer allocation failed.\n");
2400 return ISAKMP_INTERNAL_ERROR;
2401 }
2402 memcpy(iph2->spidx_gen, &spidx, sizeof(spidx));
2403 return -2; /* special value */
2404 }
2405 plog(LLV_ERROR, LOCATION, NULL,
2406 "no policy found: %s\n", spidx2str(&spidx));
2407 return ISAKMP_INTERNAL_ERROR;
2408 }
2409 /* Refresh existing generated policies
2410 */
2411 if (iph2->ph1->rmconf->gen_policy) {
2412 plog(LLV_INFO, LOCATION, NULL,
2413 "Update the generated policy : %s\n",
2414 spidx2str(&spidx));
2415 iph2->spidx_gen = racoon_malloc(sizeof(spidx));
2416 if (!iph2->spidx_gen) {
2417 plog(LLV_ERROR, LOCATION, NULL,
2418 "buffer allocation failed.\n");
2419 return ISAKMP_INTERNAL_ERROR;
2420 }
2421 memcpy(iph2->spidx_gen, &spidx, sizeof(spidx));
2422 }
2423
2424 /* get outbound policy */
2425 {
2426 struct sockaddr_storage addr;
2427 u_int8_t pref;
2428
2429 spidx.dir = IPSEC_DIR_OUTBOUND;
2430 addr = spidx.src;
2431 spidx.src = spidx.dst;
2432 spidx.dst = addr;
2433 pref = spidx.prefs;
2434 spidx.prefs = spidx.prefd;
2435 spidx.prefd = pref;
2436
2437 sp_out = getsp_r(&spidx);
2438 if (!sp_out) {
2439 plog(LLV_WARNING, LOCATION, NULL,
2440 "no outbound policy found: %s\n",
2441 spidx2str(&spidx));
2442 }
2443 }
2444
2445 plog(LLV_DEBUG, LOCATION, NULL,
2446 "suitable SP found:%s\n", spidx2str(&spidx));
2447
2448 /*
2449 * In the responder side, the inbound policy should be using IPsec.
2450 * outbound policy is not checked currently.
2451 */
2452 if (sp_in->policy != IPSEC_POLICY_IPSEC) {
2453 plog(LLV_ERROR, LOCATION, NULL,
2454 "policy found, but no IPsec required: %s\n",
2455 spidx2str(&spidx));
2456 return ISAKMP_INTERNAL_ERROR;
2457 }
2458
2459 /* set new proposal derived from a policy into the iph2->proposal. */
2460 if (set_proposal_from_policy(iph2, sp_in, sp_out) < 0) {
2461 plog(LLV_ERROR, LOCATION, NULL,
2462 "failed to create saprop.\n");
2463 return ISAKMP_INTERNAL_ERROR;
2464 }
2465
2466 #ifdef HAVE_SECCTX
2467 if (spidx.sec_ctx.ctx_str) {
2468 set_secctx_in_proposal(iph2, spidx);
2469 }
2470 #endif /* HAVE_SECCTX */
2471
2472 return 0;
2473 }
2474
2475 /*
2476 * handle a notification payload inside phase2 exchange.
2477 * phase2 is always encrypted, so it does not need to be checked
2478 * for explicitely.
2479 */
2480 static int
2481 ph2_recv_n(iph2, gen)
2482 struct ph2handle *iph2;
2483 struct isakmp_gen *gen;
2484 {
2485 struct ph1handle *iph1 = iph2->ph1;
2486 struct isakmp_pl_n *notify = (struct isakmp_pl_n *) gen;
2487 u_int type;
2488 int check_level;
2489
2490 type = ntohs(notify->type);
2491 switch (type) {
2492 case ISAKMP_NTYPE_CONNECTED:
2493 break;
2494 case ISAKMP_NTYPE_INITIAL_CONTACT:
2495 return isakmp_info_recv_initialcontact(iph1, iph2);
2496 case ISAKMP_NTYPE_RESPONDER_LIFETIME:
2497 ipsecdoi_parse_responder_lifetime(notify,
2498 &iph2->lifetime_secs, &iph2->lifetime_kb);
2499
2500 if (iph1 != NULL && iph1->rmconf != NULL) {
2501 check_level = iph1->rmconf->pcheck_level;
2502 } else {
2503 if (iph1 != NULL)
2504 plog(LLV_DEBUG, LOCATION, NULL,
2505 "No phase1 rmconf found !\n");
2506 else
2507 plog(LLV_DEBUG, LOCATION, NULL,
2508 "No phase1 found !\n");
2509 check_level = PROP_CHECK_EXACT;
2510 }
2511
2512 switch (check_level) {
2513 case PROP_CHECK_OBEY:
2514 break;
2515 case PROP_CHECK_STRICT:
2516 case PROP_CHECK_CLAIM:
2517 if (iph2->sainfo == NULL
2518 || iph2->sainfo->lifetime <= iph2->lifetime_secs) {
2519 plog(LLV_WARNING, LOCATION, NULL,
2520 "RESPONDER-LIFETIME: lifetime mismatch\n");
2521 iph2->lifetime_secs = 0;
2522 }
2523 break;
2524 case PROP_CHECK_EXACT:
2525 if (iph2->sainfo == NULL
2526 || iph2->sainfo->lifetime != iph2->lifetime_secs) {
2527 plog(LLV_WARNING, LOCATION, NULL,
2528 "RESPONDER-LIFETIME: lifetime mismatch\n");
2529 iph2->lifetime_secs = 0;
2530 }
2531 break;
2532 }
2533 break;
2534 default:
2535 isakmp_log_notify(iph2->ph1, notify, "phase2 exchange");
2536 isakmp_info_send_n2(iph2, ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE,
2537 NULL);
2538 break;
2539 }
2540 return 0;
2541 }
2542
2543