1 /* $NetBSD: isakmp_quick.c,v 1.22 2008/10/09 15:53:12 tteras Exp $ */
2
3 /* Id: isakmp_quick.c,v 1.29 2006/08/22 18:17:17 manubsd Exp */
4
5 /*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "config.h"
35
36 #include <sys/types.h>
37 #include <sys/param.h>
38 #include <sys/socket.h>
39
40 #include <netinet/in.h>
41
42 #include <stdlib.h>
43 #include <stdio.h>
44 #include <string.h>
45 #include <errno.h>
46 #if TIME_WITH_SYS_TIME
47 # include <sys/time.h>
48 # include <time.h>
49 #else
50 # if HAVE_SYS_TIME_H
51 # include <sys/time.h>
52 # else
53 # include <time.h>
54 # endif
55 #endif
56
57 #include PATH_IPSEC_H
58
59 #include "var.h"
60 #include "vmbuf.h"
61 #include "schedule.h"
62 #include "misc.h"
63 #include "plog.h"
64 #include "debug.h"
65
66 #include "localconf.h"
67 #include "remoteconf.h"
68 #include "handler.h"
69 #include "policy.h"
70 #include "proposal.h"
71 #include "isakmp_var.h"
72 #include "isakmp.h"
73 #include "isakmp_inf.h"
74 #include "isakmp_quick.h"
75 #include "oakley.h"
76 #include "ipsec_doi.h"
77 #include "crypto_openssl.h"
78 #include "pfkey.h"
79 #include "policy.h"
80 #include "algorithm.h"
81 #include "sockmisc.h"
82 #include "proposal.h"
83 #include "sainfo.h"
84 #include "admin.h"
85 #include "strnames.h"
86
87 #ifdef ENABLE_HYBRID
88 #include <resolv.h>
89 #include "isakmp_xauth.h"
90 #include "isakmp_cfg.h"
91 #endif
92
93 #ifdef ENABLE_NATT
94 #include "nattraversal.h"
95 #endif
96
97 /* quick mode */
98 static vchar_t *quick_ir1mx __P((struct ph2handle *, vchar_t *, vchar_t *));
99 static int get_sainfo_r __P((struct ph2handle *));
100 static int get_proposal_r __P((struct ph2handle *));
101 static int ph2_recv_n __P((struct ph2handle *, struct isakmp_gen *));
102 static void quick_timeover_stub __P((struct sched *));
103 static void quick_timeover __P((struct ph2handle *));
104
105 /* called from scheduler */
106 static void
107 quick_timeover_stub(p)
108 struct sched *p;
109 {
110 quick_timeover(container_of(p, struct ph2handle, sce));
111 }
112
113 static void
114 quick_timeover(iph2)
115 struct ph2handle *iph2;
116 {
117 plog(LLV_ERROR, LOCATION, NULL,
118 "%s give up to get IPsec-SA due to time up to wait.\n",
119 saddrwop2str(iph2->dst));
120
121 /* If initiator side, send error to kernel by SADB_ACQUIRE. */
122 if (iph2->side == INITIATOR)
123 pk_sendeacquire(iph2);
124
125 remph2(iph2);
126 delph2(iph2);
127 }
128
129 /* �%%%
130 * Quick Mode
131 */
132 /*
133 * begin Quick Mode as initiator. send pfkey getspi message to kernel.
134 */
135 int
136 quick_i1prep(iph2, msg)
137 struct ph2handle *iph2;
138 vchar_t *msg; /* must be null pointer */
139 {
140 int error = ISAKMP_INTERNAL_ERROR;
141
142 /* validity check */
143 if (iph2->status != PHASE2ST_STATUS2) {
144 plog(LLV_ERROR, LOCATION, NULL,
145 "status mismatched %d.\n", iph2->status);
146 goto end;
147 }
148
149 iph2->msgid = isakmp_newmsgid2(iph2->ph1);
150 iph2->ivm = oakley_newiv2(iph2->ph1, iph2->msgid);
151 if (iph2->ivm == NULL)
152 return 0;
153
154 iph2->status = PHASE2ST_GETSPISENT;
155
156 /* don't anything if local test mode. */
157 if (f_local) {
158 error = 0;
159 goto end;
160 }
161
162 /* send getspi message */
163 if (pk_sendgetspi(iph2) < 0)
164 goto end;
165
166 plog(LLV_DEBUG, LOCATION, NULL, "pfkey getspi sent.\n");
167
168 sched_schedule(&iph2->sce, lcconf->wait_ph2complete,
169 quick_timeover_stub);
170
171 error = 0;
172
173 end:
174 return error;
175 }
176
177 /*
178 * send to responder
179 * HDR*, HASH(1), SA, Ni [, KE ] [, IDi2, IDr2 ] [, NAT-OAi, NAT-OAr ]
180 */
181 int
182 quick_i1send(iph2, msg)
183 struct ph2handle *iph2;
184 vchar_t *msg; /* must be null pointer */
185 {
186 vchar_t *body = NULL;
187 vchar_t *hash = NULL;
188 struct isakmp_gen *gen;
189 char *p;
190 int tlen;
191 int error = ISAKMP_INTERNAL_ERROR;
192 int natoa = ISAKMP_NPTYPE_NONE;
193 int pfsgroup, idci, idcr;
194 int np;
195 struct ipsecdoi_id_b *id, *id_p;
196 #ifdef ENABLE_NATT
197 vchar_t *nat_oai = NULL;
198 vchar_t *nat_oar = NULL;
199 #endif
200
201 /* validity check */
202 if (msg != NULL) {
203 plog(LLV_ERROR, LOCATION, NULL,
204 "msg has to be NULL in this function.\n");
205 goto end;
206 }
207 if (iph2->status != PHASE2ST_GETSPIDONE) {
208 plog(LLV_ERROR, LOCATION, NULL,
209 "status mismatched %d.\n", iph2->status);
210 goto end;
211 }
212
213 /* create SA payload for my proposal */
214 if (ipsecdoi_setph2proposal(iph2) < 0)
215 goto end;
216
217 /* generate NONCE value */
218 iph2->nonce = eay_set_random(iph2->ph1->rmconf->nonce_size);
219 if (iph2->nonce == NULL)
220 goto end;
221
222 /*
223 * DH value calculation is kicked out into cfparse.y.
224 * because pfs group can not be negotiated, it's only to be checked
225 * acceptable.
226 */
227 /* generate KE value if need */
228 pfsgroup = iph2->proposal->pfs_group;
229 if (pfsgroup) {
230 /* DH group settting if PFS is required. */
231 if (oakley_setdhgroup(pfsgroup, &iph2->pfsgrp) < 0) {
232 plog(LLV_ERROR, LOCATION, NULL,
233 "failed to set DH value.\n");
234 goto end;
235 }
236 if (oakley_dh_generate(iph2->pfsgrp,
237 &iph2->dhpub, &iph2->dhpriv) < 0) {
238 goto end;
239 }
240 }
241
242 /* generate ID value */
243 if (ipsecdoi_setid2(iph2) < 0) {
244 plog(LLV_ERROR, LOCATION, NULL,
245 "failed to get ID.\n");
246 goto end;
247 }
248 plog(LLV_DEBUG, LOCATION, NULL, "IDci:\n");
249 plogdump(LLV_DEBUG, iph2->id->v, iph2->id->l);
250 plog(LLV_DEBUG, LOCATION, NULL, "IDcr:\n");
251 plogdump(LLV_DEBUG, iph2->id_p->v, iph2->id_p->l);
252
253 /*
254 * we do not attach IDci nor IDcr, under the following condition:
255 * - all proposals are transport mode
256 * - no MIP6 or proxy
257 * - id payload suggests to encrypt all the traffic (no specific
258 * protocol type)
259 */
260 id = (struct ipsecdoi_id_b *)iph2->id->v;
261 id_p = (struct ipsecdoi_id_b *)iph2->id_p->v;
262 if (id->proto_id == 0
263 && id_p->proto_id == 0
264 && iph2->ph1->rmconf->support_proxy == 0
265 && ipsecdoi_transportmode(iph2->proposal)) {
266 idci = idcr = 0;
267 } else
268 idci = idcr = 1;
269
270 #ifdef ENABLE_NATT
271 /*
272 * RFC3947 5.2. if we propose UDP-Encapsulated-Transport
273 * we should send NAT-OA
274 */
275 if (ipsecdoi_transportmode(iph2->proposal)
276 && (iph2->ph1->natt_flags & NAT_DETECTED)) {
277 natoa = iph2->ph1->natt_options->payload_nat_oa;
278
279 nat_oai = ipsecdoi_sockaddr2id(iph2->src,
280 IPSECDOI_PREFIX_HOST, IPSEC_ULPROTO_ANY);
281 nat_oar = ipsecdoi_sockaddr2id(iph2->dst,
282 IPSECDOI_PREFIX_HOST, IPSEC_ULPROTO_ANY);
283
284 if (nat_oai == NULL || nat_oar == NULL) {
285 plog(LLV_ERROR, LOCATION, NULL,
286 "failed to generate NAT-OA payload.\n");
287 goto end;
288 }
289
290 plog(LLV_DEBUG, LOCATION, NULL, "NAT-OAi:\n");
291 plogdump(LLV_DEBUG, nat_oai->v, nat_oai->l);
292 plog(LLV_DEBUG, LOCATION, NULL, "NAT-OAr:\n");
293 plogdump(LLV_DEBUG, nat_oar->v, nat_oar->l);
294 } else {
295 natoa = ISAKMP_NPTYPE_NONE;
296 }
297 #endif
298
299 /* create SA;NONCE payload, and KE if need, and IDii, IDir. */
300 tlen = + sizeof(*gen) + iph2->sa->l
301 + sizeof(*gen) + iph2->nonce->l;
302 if (pfsgroup)
303 tlen += (sizeof(*gen) + iph2->dhpub->l);
304 if (idci)
305 tlen += sizeof(*gen) + iph2->id->l;
306 if (idcr)
307 tlen += sizeof(*gen) + iph2->id_p->l;
308 #ifdef ENABLE_NATT
309 if (natoa != ISAKMP_NPTYPE_NONE)
310 tlen += 2 * sizeof(*gen) + nat_oai->l + nat_oar->l;
311 #endif
312
313 body = vmalloc(tlen);
314 if (body == NULL) {
315 plog(LLV_ERROR, LOCATION, NULL,
316 "failed to get buffer to send.\n");
317 goto end;
318 }
319
320 p = body->v;
321
322 /* add SA payload */
323 p = set_isakmp_payload(p, iph2->sa, ISAKMP_NPTYPE_NONCE);
324
325 /* add NONCE payload */
326 if (pfsgroup)
327 np = ISAKMP_NPTYPE_KE;
328 else if (idci || idcr)
329 np = ISAKMP_NPTYPE_ID;
330 else
331 np = natoa;
332 p = set_isakmp_payload(p, iph2->nonce, np);
333
334 /* add KE payload if need. */
335 np = (idci || idcr) ? ISAKMP_NPTYPE_ID : natoa;
336 if (pfsgroup)
337 p = set_isakmp_payload(p, iph2->dhpub, np);
338
339 /* IDci */
340 np = (idcr) ? ISAKMP_NPTYPE_ID : natoa;
341 if (idci)
342 p = set_isakmp_payload(p, iph2->id, np);
343
344 /* IDcr */
345 if (idcr)
346 p = set_isakmp_payload(p, iph2->id_p, natoa);
347
348 #ifdef ENABLE_NATT
349 /* NAT-OA */
350 if (natoa != ISAKMP_NPTYPE_NONE) {
351 p = set_isakmp_payload(p, nat_oai, natoa);
352 p = set_isakmp_payload(p, nat_oar, ISAKMP_NPTYPE_NONE);
353 }
354 #endif
355
356 /* generate HASH(1) */
357 hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, body);
358 if (hash == NULL)
359 goto end;
360
361 /* send isakmp payload */
362 iph2->sendbuf = quick_ir1mx(iph2, body, hash);
363 if (iph2->sendbuf == NULL)
364 goto end;
365
366 /* send the packet, add to the schedule to resend */
367 iph2->retry_counter = iph2->ph1->rmconf->retry_counter;
368 if (isakmp_ph2resend(iph2) == -1)
369 goto end;
370
371 /* change status of isakmp status entry */
372 iph2->status = PHASE2ST_MSG1SENT;
373
374 error = 0;
375
376 end:
377 if (body != NULL)
378 vfree(body);
379 if (hash != NULL)
380 vfree(hash);
381 #ifdef ENABLE_NATT
382 if (nat_oai != NULL)
383 vfree(nat_oai);
384 if (nat_oar != NULL)
385 vfree(nat_oar);
386 #endif
387
388 return error;
389 }
390
391 /*
392 * receive from responder
393 * HDR*, HASH(2), SA, Nr [, KE ] [, IDi2, IDr2 ] [, NAT-OAi, NAT-OAr ]
394 */
395 int
396 quick_i2recv(iph2, msg0)
397 struct ph2handle *iph2;
398 vchar_t *msg0;
399 {
400 vchar_t *msg = NULL;
401 vchar_t *hbuf = NULL; /* for hash computing. */
402 vchar_t *pbuf = NULL; /* for payload parsing */
403 vchar_t *idci = NULL;
404 vchar_t *idcr = NULL;
405 struct isakmp_parse_t *pa;
406 struct isakmp *isakmp = (struct isakmp *)msg0->v;
407 struct isakmp_pl_hash *hash = NULL;
408 char *p;
409 int tlen;
410 int error = ISAKMP_INTERNAL_ERROR;
411
412 /* validity check */
413 if (iph2->status != PHASE2ST_MSG1SENT) {
414 plog(LLV_ERROR, LOCATION, NULL,
415 "status mismatched %d.\n", iph2->status);
416 goto end;
417 }
418
419 /* decrypt packet */
420 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
421 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
422 "Packet wasn't encrypted.\n");
423 goto end;
424 }
425 msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
426 if (msg == NULL)
427 goto end;
428
429 /* create buffer for validating HASH(2) */
430 /*
431 * ordering rule:
432 * 1. the first one must be HASH
433 * 2. the second one must be SA (added in isakmp-oakley-05!)
434 * 3. two IDs must be considered as IDci, then IDcr
435 */
436 pbuf = isakmp_parse(msg);
437 if (pbuf == NULL)
438 goto end;
439 pa = (struct isakmp_parse_t *)pbuf->v;
440
441 /* HASH payload is fixed postion */
442 if (pa->type != ISAKMP_NPTYPE_HASH) {
443 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
444 "received invalid next payload type %d, "
445 "expecting %d.\n",
446 pa->type, ISAKMP_NPTYPE_HASH);
447 goto end;
448 }
449 hash = (struct isakmp_pl_hash *)pa->ptr;
450 pa++;
451
452 /*
453 * this restriction was introduced in isakmp-oakley-05.
454 * we do not check this for backward compatibility.
455 * TODO: command line/config file option to enable/disable this code
456 */
457 /* HASH payload is fixed postion */
458 if (pa->type != ISAKMP_NPTYPE_SA) {
459 plog(LLV_WARNING, LOCATION, iph2->ph1->remote,
460 "received invalid next payload type %d, "
461 "expecting %d.\n",
462 pa->type, ISAKMP_NPTYPE_HASH);
463 }
464
465 /* allocate buffer for computing HASH(2) */
466 tlen = iph2->nonce->l
467 + ntohl(isakmp->len) - sizeof(*isakmp);
468 hbuf = vmalloc(tlen);
469 if (hbuf == NULL) {
470 plog(LLV_ERROR, LOCATION, NULL,
471 "failed to get hash buffer.\n");
472 goto end;
473 }
474 p = hbuf->v + iph2->nonce->l; /* retain the space for Ni_b */
475
476 /*
477 * parse the payloads.
478 * copy non-HASH payloads into hbuf, so that we can validate HASH.
479 */
480 iph2->sa_ret = NULL;
481 tlen = 0; /* count payload length except of HASH payload. */
482 for (; pa->type; pa++) {
483
484 /* copy to buffer for HASH */
485 /* Don't modify the payload */
486 memcpy(p, pa->ptr, pa->len);
487
488 switch (pa->type) {
489 case ISAKMP_NPTYPE_SA:
490 if (iph2->sa_ret != NULL) {
491 plog(LLV_ERROR, LOCATION, NULL,
492 "Ignored, multiple SA "
493 "isn't supported.\n");
494 break;
495 }
496 if (isakmp_p2ph(&iph2->sa_ret, pa->ptr) < 0)
497 goto end;
498 break;
499
500 case ISAKMP_NPTYPE_NONCE:
501 if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0)
502 goto end;
503 break;
504
505 case ISAKMP_NPTYPE_KE:
506 if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0)
507 goto end;
508 break;
509
510 case ISAKMP_NPTYPE_ID:
511 if (idci == NULL) {
512 if (isakmp_p2ph(&idci, pa->ptr) < 0)
513 goto end;
514 } else if (idcr == NULL) {
515 if (isakmp_p2ph(&idcr, pa->ptr) < 0)
516 goto end;
517 } else {
518 goto end;
519 }
520 break;
521
522 case ISAKMP_NPTYPE_N:
523 ph2_recv_n(iph2, pa->ptr);
524 break;
525
526 #ifdef ENABLE_NATT
527 case ISAKMP_NPTYPE_NATOA_DRAFT:
528 case ISAKMP_NPTYPE_NATOA_RFC:
529 {
530 struct sockaddr_storage addr;
531 struct sockaddr *daddr;
532 u_int8_t prefix;
533 u_int16_t ul_proto;
534 vchar_t *vp = NULL;
535
536 if (isakmp_p2ph(&vp, pa->ptr) < 0)
537 goto end;
538
539 error = ipsecdoi_id2sockaddr(vp,
540 (struct sockaddr *) &addr,
541 &prefix, &ul_proto);
542
543 vfree(vp);
544
545 if (error)
546 goto end;
547
548 daddr = dupsaddr((struct sockaddr *) &addr);
549 if (daddr == NULL)
550 goto end;
551
552 if (iph2->natoa_src == NULL)
553 iph2->natoa_src = daddr;
554 else if (iph2->natoa_dst == NULL)
555 iph2->natoa_dst = daddr;
556 else {
557 racoon_free(daddr);
558 goto end;
559 }
560 }
561 break;
562 #endif
563
564 default:
565 /* don't send information, see ident_r1recv() */
566 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
567 "ignore the packet, "
568 "received unexpecting payload type %d.\n",
569 pa->type);
570 goto end;
571 }
572
573 p += pa->len;
574
575 /* compute true length of payload. */
576 tlen += pa->len;
577 }
578
579 /* payload existency check */
580 if (hash == NULL || iph2->sa_ret == NULL || iph2->nonce_p == NULL) {
581 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
582 "few isakmp message received.\n");
583 goto end;
584 }
585
586 /* identity check */
587 if (idci != NULL) {
588 struct sockaddr_storage proposed_addr, got_addr;
589 u_int8_t proposed_prefix, got_prefix;
590 u_int16_t proposed_ulproto, got_ulproto;
591
592 error = ipsecdoi_id2sockaddr(iph2->id,
593 (struct sockaddr *) &proposed_addr,
594 &proposed_prefix, &proposed_ulproto);
595 if (error)
596 goto end;
597
598 error = ipsecdoi_id2sockaddr(idci,
599 (struct sockaddr *) &got_addr,
600 &got_prefix, &got_ulproto);
601 if (error)
602 goto end;
603
604 if (proposed_prefix != got_prefix
605 || proposed_ulproto != got_ulproto) {
606 plog(LLV_DEBUG, LOCATION, NULL,
607 "IDci prefix/ulproto does not match proposal.\n");
608 error = ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED;
609 goto end;
610 }
611
612 if (cmpsaddrstrict((struct sockaddr *) &proposed_addr,
613 (struct sockaddr *) &got_addr) == 0) {
614 plog(LLV_DEBUG, LOCATION, NULL,
615 "IDci matches proposal.\n");
616 #ifdef ENABLE_NATT
617 } else if (iph2->natoa_src != NULL
618 && cmpsaddrwop(iph2->natoa_src,
619 (struct sockaddr *) &got_addr) == 0
620 && extract_port((struct sockaddr *) &proposed_addr) ==
621 extract_port((struct sockaddr *) &got_addr)) {
622 plog(LLV_DEBUG, LOCATION, NULL,
623 "IDci matches NAT-OAi.\n");
624 #endif
625 } else {
626 plog(LLV_ERROR, LOCATION, NULL,
627 "mismatched IDci was returned.\n");
628 error = ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED;
629 goto end;
630 }
631 }
632 if (idcr != NULL) {
633 struct sockaddr_storage proposed_addr, got_addr;
634 u_int8_t proposed_prefix, got_prefix;
635 u_int16_t proposed_ulproto, got_ulproto;
636
637 error = ipsecdoi_id2sockaddr(iph2->id_p,
638 (struct sockaddr *) &proposed_addr,
639 &proposed_prefix, &proposed_ulproto);
640 if (error)
641 goto end;
642
643 error = ipsecdoi_id2sockaddr(idcr,
644 (struct sockaddr *) &got_addr,
645 &got_prefix, &got_ulproto);
646 if (error)
647 goto end;
648
649 if (proposed_prefix != got_prefix
650 || proposed_ulproto != got_ulproto) {
651 plog(LLV_DEBUG, LOCATION, NULL,
652 "IDcr prefix/ulproto does not match proposal.\n");
653 error = ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED;
654 goto end;
655 }
656
657 if (cmpsaddrstrict((struct sockaddr *) &proposed_addr,
658 (struct sockaddr *) &got_addr) == 0) {
659 plog(LLV_DEBUG, LOCATION, NULL,
660 "IDcr matches proposal.\n");
661 #ifdef ENABLE_NATT
662 } else if (iph2->natoa_dst != NULL
663 && cmpsaddrwop(iph2->natoa_dst,
664 (struct sockaddr *) &got_addr) == 0
665 && extract_port((struct sockaddr *) &proposed_addr) ==
666 extract_port((struct sockaddr *) &got_addr)) {
667 plog(LLV_DEBUG, LOCATION, NULL,
668 "IDcr matches NAT-OAr.\n");
669 #endif
670 } else {
671 plog(LLV_ERROR, LOCATION, NULL,
672 "mismatched IDcr was returned.\n");
673 error = ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED;
674 goto end;
675 }
676 }
677
678 /* Fixed buffer for calculating HASH */
679 memcpy(hbuf->v, iph2->nonce->v, iph2->nonce->l);
680 plog(LLV_DEBUG, LOCATION, NULL,
681 "HASH allocated:hbuf->l=%zu actual:tlen=%zu\n",
682 hbuf->l, tlen + iph2->nonce->l);
683 /* adjust buffer length for HASH */
684 hbuf->l = iph2->nonce->l + tlen;
685
686 /* validate HASH(2) */
687 {
688 char *r_hash;
689 vchar_t *my_hash = NULL;
690 int result;
691
692 r_hash = (char *)hash + sizeof(*hash);
693
694 plog(LLV_DEBUG, LOCATION, NULL, "HASH(2) received:");
695 plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash));
696
697 my_hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, hbuf);
698 if (my_hash == NULL)
699 goto end;
700
701 result = memcmp(my_hash->v, r_hash, my_hash->l);
702 vfree(my_hash);
703
704 if (result) {
705 plog(LLV_DEBUG, LOCATION, iph2->ph1->remote,
706 "HASH(2) mismatch.\n");
707 error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
708 goto end;
709 }
710 }
711
712 /* validity check SA payload sent from responder */
713 if (ipsecdoi_checkph2proposal(iph2) < 0) {
714 error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
715 goto end;
716 }
717
718 /* change status of isakmp status entry */
719 iph2->status = PHASE2ST_STATUS6;
720
721 error = 0;
722
723 end:
724 if (hbuf)
725 vfree(hbuf);
726 if (pbuf)
727 vfree(pbuf);
728 if (msg)
729 vfree(msg);
730 if (idci)
731 vfree(idci);
732 if (idcr)
733 vfree(idcr);
734
735 if (error) {
736 VPTRINIT(iph2->sa_ret);
737 VPTRINIT(iph2->nonce_p);
738 VPTRINIT(iph2->dhpub_p);
739 VPTRINIT(iph2->id);
740 VPTRINIT(iph2->id_p);
741 #ifdef ENABLE_NATT
742 if (iph2->natoa_src) {
743 racoon_free(iph2->natoa_src);
744 iph2->natoa_src = NULL;
745 }
746 if (iph2->natoa_dst) {
747 racoon_free(iph2->natoa_dst);
748 iph2->natoa_dst = NULL;
749 }
750 #endif
751 }
752
753 return error;
754 }
755
756 /*
757 * send to responder
758 * HDR*, HASH(3)
759 */
760 int
761 quick_i2send(iph2, msg0)
762 struct ph2handle *iph2;
763 vchar_t *msg0;
764 {
765 vchar_t *msg = NULL;
766 vchar_t *buf = NULL;
767 vchar_t *hash = NULL;
768 char *p = NULL;
769 int tlen;
770 int error = ISAKMP_INTERNAL_ERROR;
771
772 /* validity check */
773 if (iph2->status != PHASE2ST_STATUS6) {
774 plog(LLV_ERROR, LOCATION, NULL,
775 "status mismatched %d.\n", iph2->status);
776 goto end;
777 }
778
779 /* generate HASH(3) */
780 {
781 vchar_t *tmp = NULL;
782
783 plog(LLV_DEBUG, LOCATION, NULL, "HASH(3) generate\n");
784
785 tmp = vmalloc(iph2->nonce->l + iph2->nonce_p->l);
786 if (tmp == NULL) {
787 plog(LLV_ERROR, LOCATION, NULL,
788 "failed to get hash buffer.\n");
789 goto end;
790 }
791 memcpy(tmp->v, iph2->nonce->v, iph2->nonce->l);
792 memcpy(tmp->v + iph2->nonce->l, iph2->nonce_p->v, iph2->nonce_p->l);
793
794 hash = oakley_compute_hash3(iph2->ph1, iph2->msgid, tmp);
795 vfree(tmp);
796
797 if (hash == NULL)
798 goto end;
799 }
800
801 /* create buffer for isakmp payload */
802 tlen = sizeof(struct isakmp)
803 + sizeof(struct isakmp_gen) + hash->l;
804 buf = vmalloc(tlen);
805 if (buf == NULL) {
806 plog(LLV_ERROR, LOCATION, NULL,
807 "failed to get buffer to send.\n");
808 goto end;
809 }
810
811 /* create isakmp header */
812 p = set_isakmp_header2(buf, iph2, ISAKMP_NPTYPE_HASH);
813 if (p == NULL)
814 goto end;
815
816 /* add HASH(3) payload */
817 p = set_isakmp_payload(p, hash, ISAKMP_NPTYPE_NONE);
818
819 #ifdef HAVE_PRINT_ISAKMP_C
820 isakmp_printpacket(buf, iph2->ph1->local, iph2->ph1->remote, 1);
821 #endif
822
823 /* encoding */
824 iph2->sendbuf = oakley_do_encrypt(iph2->ph1, buf, iph2->ivm->ive, iph2->ivm->iv);
825 if (iph2->sendbuf == NULL)
826 goto end;
827
828 /* if there is commit bit, need resending */
829 if (ISSET(iph2->flags, ISAKMP_FLAG_C)) {
830 /* send the packet, add to the schedule to resend */
831 iph2->retry_counter = iph2->ph1->rmconf->retry_counter;
832 if (isakmp_ph2resend(iph2) == -1)
833 goto end;
834 } else {
835 /* send the packet */
836 if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0)
837 goto end;
838 }
839
840 /* the sending message is added to the received-list. */
841 if (add_recvdpkt(iph2->ph1->remote, iph2->ph1->local,
842 iph2->sendbuf, msg0) == -1) {
843 plog(LLV_ERROR , LOCATION, NULL,
844 "failed to add a response packet to the tree.\n");
845 goto end;
846 }
847
848 /* compute both of KEYMATs */
849 if (oakley_compute_keymat(iph2, INITIATOR) < 0)
850 goto end;
851
852 iph2->status = PHASE2ST_ADDSA;
853
854 /* don't anything if local test mode. */
855 if (f_local) {
856 error = 0;
857 goto end;
858 }
859
860 /* if there is commit bit don't set up SA now. */
861 if (ISSET(iph2->flags, ISAKMP_FLAG_C)) {
862 iph2->status = PHASE2ST_COMMIT;
863 error = 0;
864 goto end;
865 }
866
867 /* Do UPDATE for initiator */
868 plog(LLV_DEBUG, LOCATION, NULL, "call pk_sendupdate\n");
869 if (pk_sendupdate(iph2) < 0) {
870 plog(LLV_ERROR, LOCATION, NULL, "pfkey update failed.\n");
871 goto end;
872 }
873 plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n");
874
875 /* Do ADD for responder */
876 if (pk_sendadd(iph2) < 0) {
877 plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n");
878 goto end;
879 }
880 plog(LLV_DEBUG, LOCATION, NULL, "pfkey add sent.\n");
881
882 error = 0;
883
884 end:
885 if (buf != NULL)
886 vfree(buf);
887 if (msg != NULL)
888 vfree(msg);
889 if (hash != NULL)
890 vfree(hash);
891
892 return error;
893 }
894
895 /*
896 * receive from responder
897 * HDR#*, HASH(4), notify
898 */
899 int
900 quick_i3recv(iph2, msg0)
901 struct ph2handle *iph2;
902 vchar_t *msg0;
903 {
904 vchar_t *msg = NULL;
905 vchar_t *pbuf = NULL; /* for payload parsing */
906 struct isakmp_parse_t *pa;
907 struct isakmp_pl_hash *hash = NULL;
908 vchar_t *notify = NULL;
909 int error = ISAKMP_INTERNAL_ERROR;
910
911 /* validity check */
912 if (iph2->status != PHASE2ST_COMMIT) {
913 plog(LLV_ERROR, LOCATION, NULL,
914 "status mismatched %d.\n", iph2->status);
915 goto end;
916 }
917
918 /* decrypt packet */
919 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
920 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
921 "Packet wasn't encrypted.\n");
922 goto end;
923 }
924 msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
925 if (msg == NULL)
926 goto end;
927
928 /* validate the type of next payload */
929 pbuf = isakmp_parse(msg);
930 if (pbuf == NULL)
931 goto end;
932
933 for (pa = (struct isakmp_parse_t *)pbuf->v;
934 pa->type != ISAKMP_NPTYPE_NONE;
935 pa++) {
936
937 switch (pa->type) {
938 case ISAKMP_NPTYPE_HASH:
939 hash = (struct isakmp_pl_hash *)pa->ptr;
940 break;
941 case ISAKMP_NPTYPE_N:
942 if (notify != NULL) {
943 plog(LLV_WARNING, LOCATION, NULL,
944 "Ignoring multiples notifications\n");
945 break;
946 }
947 ph2_recv_n(iph2, pa->ptr);
948 notify = vmalloc(pa->len);
949 if (notify == NULL) {
950 plog(LLV_ERROR, LOCATION, NULL,
951 "failed to get notify buffer.\n");
952 goto end;
953 }
954 memcpy(notify->v, pa->ptr, notify->l);
955 break;
956 default:
957 /* don't send information, see ident_r1recv() */
958 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
959 "ignore the packet, "
960 "received unexpecting payload type %d.\n",
961 pa->type);
962 goto end;
963 }
964 }
965
966 /* payload existency check */
967 if (hash == NULL) {
968 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
969 "few isakmp message received.\n");
970 goto end;
971 }
972
973 /* validate HASH(4) */
974 {
975 char *r_hash;
976 vchar_t *my_hash = NULL;
977 vchar_t *tmp = NULL;
978 int result;
979
980 r_hash = (char *)hash + sizeof(*hash);
981
982 plog(LLV_DEBUG, LOCATION, NULL, "HASH(4) validate:");
983 plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash));
984
985 my_hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, notify);
986 vfree(tmp);
987 if (my_hash == NULL)
988 goto end;
989
990 result = memcmp(my_hash->v, r_hash, my_hash->l);
991 vfree(my_hash);
992
993 if (result) {
994 plog(LLV_DEBUG, LOCATION, iph2->ph1->remote,
995 "HASH(4) mismatch.\n");
996 error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
997 goto end;
998 }
999 }
1000
1001 iph2->status = PHASE2ST_ADDSA;
1002 iph2->flags ^= ISAKMP_FLAG_C; /* reset bit */
1003
1004 /* don't anything if local test mode. */
1005 if (f_local) {
1006 error = 0;
1007 goto end;
1008 }
1009
1010 /* Do UPDATE for initiator */
1011 plog(LLV_DEBUG, LOCATION, NULL, "call pk_sendupdate\n");
1012 if (pk_sendupdate(iph2) < 0) {
1013 plog(LLV_ERROR, LOCATION, NULL, "pfkey update failed.\n");
1014 goto end;
1015 }
1016 plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n");
1017
1018 /* Do ADD for responder */
1019 if (pk_sendadd(iph2) < 0) {
1020 plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n");
1021 goto end;
1022 }
1023 plog(LLV_DEBUG, LOCATION, NULL, "pfkey add sent.\n");
1024
1025 error = 0;
1026
1027 end:
1028 if (msg != NULL)
1029 vfree(msg);
1030 if (pbuf != NULL)
1031 vfree(pbuf);
1032 if (notify != NULL)
1033 vfree(notify);
1034
1035 return error;
1036 }
1037
1038 /*
1039 * receive from initiator
1040 * HDR*, HASH(1), SA, Ni [, KE ] [, IDi2, IDr2 ] [, NAT-OAi, NAT-OAr ]
1041 */
1042 int
1043 quick_r1recv(iph2, msg0)
1044 struct ph2handle *iph2;
1045 vchar_t *msg0;
1046 {
1047 vchar_t *msg = NULL;
1048 vchar_t *hbuf = NULL; /* for hash computing. */
1049 vchar_t *pbuf = NULL; /* for payload parsing */
1050 struct isakmp_parse_t *pa;
1051 struct isakmp *isakmp = (struct isakmp *)msg0->v;
1052 struct isakmp_pl_hash *hash = NULL;
1053 char *p;
1054 int tlen;
1055 int f_id_order; /* for ID payload detection */
1056 int error = ISAKMP_INTERNAL_ERROR;
1057
1058 /* validity check */
1059 if (iph2->status != PHASE2ST_START) {
1060 plog(LLV_ERROR, LOCATION, NULL,
1061 "status mismatched %d.\n", iph2->status);
1062 goto end;
1063 }
1064
1065 /* decrypting */
1066 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
1067 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1068 "Packet wasn't encrypted.\n");
1069 error = ISAKMP_NTYPE_PAYLOAD_MALFORMED;
1070 goto end;
1071 }
1072 /* decrypt packet */
1073 msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
1074 if (msg == NULL)
1075 goto end;
1076
1077 /* create buffer for using to validate HASH(1) */
1078 /*
1079 * ordering rule:
1080 * 1. the first one must be HASH
1081 * 2. the second one must be SA (added in isakmp-oakley-05!)
1082 * 3. two IDs must be considered as IDci, then IDcr
1083 */
1084 pbuf = isakmp_parse(msg);
1085 if (pbuf == NULL)
1086 goto end;
1087 pa = (struct isakmp_parse_t *)pbuf->v;
1088
1089 /* HASH payload is fixed postion */
1090 if (pa->type != ISAKMP_NPTYPE_HASH) {
1091 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1092 "received invalid next payload type %d, "
1093 "expecting %d.\n",
1094 pa->type, ISAKMP_NPTYPE_HASH);
1095 error = ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX;
1096 goto end;
1097 }
1098 hash = (struct isakmp_pl_hash *)pa->ptr;
1099 pa++;
1100
1101 /*
1102 * this restriction was introduced in isakmp-oakley-05.
1103 * we do not check this for backward compatibility.
1104 * TODO: command line/config file option to enable/disable this code
1105 */
1106 /* HASH payload is fixed postion */
1107 if (pa->type != ISAKMP_NPTYPE_SA) {
1108 plog(LLV_WARNING, LOCATION, iph2->ph1->remote,
1109 "received invalid next payload type %d, "
1110 "expecting %d.\n",
1111 pa->type, ISAKMP_NPTYPE_SA);
1112 error = ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX;
1113 }
1114
1115 /* allocate buffer for computing HASH(1) */
1116 tlen = ntohl(isakmp->len) - sizeof(*isakmp);
1117 hbuf = vmalloc(tlen);
1118 if (hbuf == NULL) {
1119 plog(LLV_ERROR, LOCATION, NULL,
1120 "failed to get hash buffer.\n");
1121 goto end;
1122 }
1123 p = hbuf->v;
1124
1125 /*
1126 * parse the payloads.
1127 * copy non-HASH payloads into hbuf, so that we can validate HASH.
1128 */
1129 iph2->sa = NULL; /* we don't support multi SAs. */
1130 iph2->nonce_p = NULL;
1131 iph2->dhpub_p = NULL;
1132 iph2->id_p = NULL;
1133 iph2->id = NULL;
1134 tlen = 0; /* count payload length except of HASH payload. */
1135
1136 /*
1137 * IDi2 MUST be immediatelly followed by IDr2. We allowed the
1138 * illegal case, but logged. First ID payload is to be IDi2.
1139 * And next ID payload is to be IDr2.
1140 */
1141 f_id_order = 0;
1142
1143 for (; pa->type; pa++) {
1144
1145 /* copy to buffer for HASH */
1146 /* Don't modify the payload */
1147 memcpy(p, pa->ptr, pa->len);
1148
1149 if (pa->type != ISAKMP_NPTYPE_ID)
1150 f_id_order = 0;
1151
1152 switch (pa->type) {
1153 case ISAKMP_NPTYPE_SA:
1154 if (iph2->sa != NULL) {
1155 plog(LLV_ERROR, LOCATION, NULL,
1156 "Multi SAs isn't supported.\n");
1157 goto end;
1158 }
1159 if (isakmp_p2ph(&iph2->sa, pa->ptr) < 0)
1160 goto end;
1161 break;
1162
1163 case ISAKMP_NPTYPE_NONCE:
1164 if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0)
1165 goto end;
1166 break;
1167
1168 case ISAKMP_NPTYPE_KE:
1169 if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0)
1170 goto end;
1171 break;
1172
1173 case ISAKMP_NPTYPE_ID:
1174 if (iph2->id_p == NULL) {
1175 /* for IDci */
1176 f_id_order++;
1177
1178 if (isakmp_p2ph(&iph2->id_p, pa->ptr) < 0)
1179 goto end;
1180
1181 } else if (iph2->id == NULL) {
1182 /* for IDcr */
1183 if (f_id_order == 0) {
1184 plog(LLV_ERROR, LOCATION, NULL,
1185 "IDr2 payload is not "
1186 "immediatelly followed "
1187 "by IDi2. We allowed.\n");
1188 /* XXX we allowed in this case. */
1189 }
1190
1191 if (isakmp_p2ph(&iph2->id, pa->ptr) < 0)
1192 goto end;
1193 } else {
1194 plog(LLV_ERROR, LOCATION, NULL,
1195 "received too many ID payloads.\n");
1196 plogdump(LLV_ERROR, iph2->id->v, iph2->id->l);
1197 error = ISAKMP_NTYPE_INVALID_ID_INFORMATION;
1198 goto end;
1199 }
1200 break;
1201
1202 case ISAKMP_NPTYPE_N:
1203 ph2_recv_n(iph2, pa->ptr);
1204 break;
1205
1206 #ifdef ENABLE_NATT
1207 case ISAKMP_NPTYPE_NATOA_DRAFT:
1208 case ISAKMP_NPTYPE_NATOA_RFC:
1209 {
1210 struct sockaddr_storage addr;
1211 struct sockaddr *daddr;
1212 u_int8_t prefix;
1213 u_int16_t ul_proto;
1214 vchar_t *vp = NULL;
1215
1216 if (isakmp_p2ph(&vp, pa->ptr) < 0)
1217 goto end;
1218
1219 error = ipsecdoi_id2sockaddr(vp,
1220 (struct sockaddr *) &addr,
1221 &prefix, &ul_proto);
1222
1223 vfree(vp);
1224
1225 if (error)
1226 goto end;
1227
1228 daddr = dupsaddr((struct sockaddr *) &addr);
1229 if (daddr == NULL)
1230 goto end;
1231
1232 if (iph2->natoa_dst == NULL)
1233 iph2->natoa_dst = daddr;
1234 else if (iph2->natoa_src == NULL)
1235 iph2->natoa_src = daddr;
1236 else {
1237 racoon_free(daddr);
1238 goto end;
1239 }
1240 }
1241 break;
1242 #endif
1243
1244 default:
1245 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1246 "ignore the packet, "
1247 "received unexpecting payload type %d.\n",
1248 pa->type);
1249 error = ISAKMP_NTYPE_PAYLOAD_MALFORMED;
1250 goto end;
1251 }
1252
1253 p += pa->len;
1254
1255 /* compute true length of payload. */
1256 tlen += pa->len;
1257 }
1258
1259 /* payload existency check */
1260 if (hash == NULL || iph2->sa == NULL || iph2->nonce_p == NULL) {
1261 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1262 "few isakmp message received.\n");
1263 error = ISAKMP_NTYPE_PAYLOAD_MALFORMED;
1264 goto end;
1265 }
1266
1267 if (iph2->id_p) {
1268 plog(LLV_DEBUG, LOCATION, NULL, "received IDci2:");
1269 plogdump(LLV_DEBUG, iph2->id_p->v, iph2->id_p->l);
1270 }
1271 if (iph2->id) {
1272 plog(LLV_DEBUG, LOCATION, NULL, "received IDcr2:");
1273 plogdump(LLV_DEBUG, iph2->id->v, iph2->id->l);
1274 }
1275
1276 /* adjust buffer length for HASH */
1277 hbuf->l = tlen;
1278
1279 /* validate HASH(1) */
1280 {
1281 char *r_hash;
1282 vchar_t *my_hash = NULL;
1283 int result;
1284
1285 r_hash = (caddr_t)hash + sizeof(*hash);
1286
1287 plog(LLV_DEBUG, LOCATION, NULL, "HASH(1) validate:");
1288 plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash));
1289
1290 my_hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, hbuf);
1291 if (my_hash == NULL)
1292 goto end;
1293
1294 result = memcmp(my_hash->v, r_hash, my_hash->l);
1295 vfree(my_hash);
1296
1297 if (result) {
1298 plog(LLV_DEBUG, LOCATION, iph2->ph1->remote,
1299 "HASH(1) mismatch.\n");
1300 error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
1301 goto end;
1302 }
1303 }
1304
1305 /* get sainfo */
1306 error = get_sainfo_r(iph2);
1307 if (error) {
1308 plog(LLV_ERROR, LOCATION, NULL,
1309 "failed to get sainfo.\n");
1310 goto end;
1311 }
1312
1313
1314 /* check the existence of ID payload and create responder's proposal */
1315 error = get_proposal_r(iph2);
1316 switch (error) {
1317 case -2:
1318 /* generate a policy template from peer's proposal */
1319 if (set_proposal_from_proposal(iph2)) {
1320 plog(LLV_ERROR, LOCATION, NULL,
1321 "failed to generate a proposal template "
1322 "from client's proposal.\n");
1323 error = ISAKMP_INTERNAL_ERROR;
1324 goto end;
1325 }
1326 /*FALLTHROUGH*/
1327 case 0:
1328 /* select single proposal or reject it. */
1329 if (ipsecdoi_selectph2proposal(iph2) < 0) {
1330 error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
1331 goto end;
1332 }
1333 break;
1334 default:
1335 plog(LLV_ERROR, LOCATION, NULL,
1336 "failed to get proposal for responder.\n");
1337 goto end;
1338 }
1339
1340 /* check KE and attribute of PFS */
1341 if (iph2->dhpub_p != NULL && iph2->approval->pfs_group == 0) {
1342 plog(LLV_ERROR, LOCATION, NULL,
1343 "no PFS is specified, but peer sends KE.\n");
1344 error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
1345 goto end;
1346 }
1347 if (iph2->dhpub_p == NULL && iph2->approval->pfs_group != 0) {
1348 plog(LLV_ERROR, LOCATION, NULL,
1349 "PFS is specified, but peer doesn't sends KE.\n");
1350 error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
1351 goto end;
1352 }
1353
1354 /*
1355 * save the packet from the initiator in order to resend the
1356 * responder's first packet against this packet.
1357 */
1358 iph2->msg1 = vdup(msg0);
1359
1360 /* change status of isakmp status entry */
1361 iph2->status = PHASE2ST_STATUS2;
1362
1363 error = 0;
1364
1365 end:
1366 if (hbuf)
1367 vfree(hbuf);
1368 if (msg)
1369 vfree(msg);
1370 if (pbuf)
1371 vfree(pbuf);
1372
1373 if (error) {
1374 VPTRINIT(iph2->sa);
1375 VPTRINIT(iph2->nonce_p);
1376 VPTRINIT(iph2->dhpub_p);
1377 VPTRINIT(iph2->id);
1378 VPTRINIT(iph2->id_p);
1379 #ifdef ENABLE_NATT
1380 if (iph2->natoa_src) {
1381 racoon_free(iph2->natoa_src);
1382 iph2->natoa_src = NULL;
1383 }
1384 if (iph2->natoa_dst) {
1385 racoon_free(iph2->natoa_dst);
1386 iph2->natoa_dst = NULL;
1387 }
1388 #endif
1389 }
1390
1391 return error;
1392 }
1393
1394 /*
1395 * call pfkey_getspi.
1396 */
1397 int
1398 quick_r1prep(iph2, msg)
1399 struct ph2handle *iph2;
1400 vchar_t *msg;
1401 {
1402 int error = ISAKMP_INTERNAL_ERROR;
1403
1404 /* validity check */
1405 if (iph2->status != PHASE2ST_STATUS2) {
1406 plog(LLV_ERROR, LOCATION, NULL,
1407 "status mismatched %d.\n", iph2->status);
1408 goto end;
1409 }
1410
1411 iph2->status = PHASE2ST_GETSPISENT;
1412
1413 /* send getspi message */
1414 if (pk_sendgetspi(iph2) < 0)
1415 goto end;
1416
1417 plog(LLV_DEBUG, LOCATION, NULL, "pfkey getspi sent.\n");
1418
1419 sched_schedule(&iph2->sce, lcconf->wait_ph2complete,
1420 quick_timeover_stub);
1421
1422 error = 0;
1423
1424 end:
1425 return error;
1426 }
1427
1428 /*
1429 * send to initiator
1430 * HDR*, HASH(2), SA, Nr [, KE ] [, IDi2, IDr2 ] [, NAT-OAi, NAT-OAr ]
1431 */
1432 int
1433 quick_r2send(iph2, msg)
1434 struct ph2handle *iph2;
1435 vchar_t *msg;
1436 {
1437 vchar_t *body = NULL;
1438 vchar_t *hash = NULL;
1439 struct isakmp_gen *gen;
1440 char *p;
1441 int tlen;
1442 int error = ISAKMP_INTERNAL_ERROR;
1443 int natoa = ISAKMP_NPTYPE_NONE;
1444 int pfsgroup;
1445 u_int8_t *np_p = NULL;
1446 #ifdef ENABLE_NATT
1447 vchar_t *nat_oai = NULL;
1448 vchar_t *nat_oar = NULL;
1449 #endif
1450
1451 /* validity check */
1452 if (msg != NULL) {
1453 plog(LLV_ERROR, LOCATION, NULL,
1454 "msg has to be NULL in this function.\n");
1455 goto end;
1456 }
1457 if (iph2->status != PHASE2ST_GETSPIDONE) {
1458 plog(LLV_ERROR, LOCATION, NULL,
1459 "status mismatched %d.\n", iph2->status);
1460 goto end;
1461 }
1462
1463 /* update responders SPI */
1464 if (ipsecdoi_updatespi(iph2) < 0) {
1465 plog(LLV_ERROR, LOCATION, NULL, "failed to update spi.\n");
1466 goto end;
1467 }
1468
1469 /* generate NONCE value */
1470 iph2->nonce = eay_set_random(iph2->ph1->rmconf->nonce_size);
1471 if (iph2->nonce == NULL)
1472 goto end;
1473
1474 /* generate KE value if need */
1475 pfsgroup = iph2->approval->pfs_group;
1476 if (iph2->dhpub_p != NULL && pfsgroup != 0) {
1477 /* DH group settting if PFS is required. */
1478 if (oakley_setdhgroup(pfsgroup, &iph2->pfsgrp) < 0) {
1479 plog(LLV_ERROR, LOCATION, NULL,
1480 "failed to set DH value.\n");
1481 goto end;
1482 }
1483 /* generate DH public value */
1484 if (oakley_dh_generate(iph2->pfsgrp,
1485 &iph2->dhpub, &iph2->dhpriv) < 0) {
1486 goto end;
1487 }
1488 }
1489
1490 #ifdef ENABLE_NATT
1491 /*
1492 * RFC3947 5.2. if we chose UDP-Encapsulated-Transport
1493 * we should send NAT-OA
1494 */
1495 if (ipsecdoi_transportmode(iph2->proposal)
1496 && (iph2->ph1->natt_flags & NAT_DETECTED)) {
1497 natoa = iph2->ph1->natt_options->payload_nat_oa;
1498
1499 nat_oai = ipsecdoi_sockaddr2id(iph2->dst,
1500 IPSECDOI_PREFIX_HOST, IPSEC_ULPROTO_ANY);
1501 nat_oar = ipsecdoi_sockaddr2id(iph2->src,
1502 IPSECDOI_PREFIX_HOST, IPSEC_ULPROTO_ANY);
1503
1504 if (nat_oai == NULL || nat_oar == NULL) {
1505 plog(LLV_ERROR, LOCATION, NULL,
1506 "failed to generate NAT-OA payload.\n");
1507 goto end;
1508 }
1509
1510 plog(LLV_DEBUG, LOCATION, NULL, "NAT-OAi:\n");
1511 plogdump(LLV_DEBUG, nat_oai->v, nat_oai->l);
1512 plog(LLV_DEBUG, LOCATION, NULL, "NAT-OAr:\n");
1513 plogdump(LLV_DEBUG, nat_oar->v, nat_oar->l);
1514 }
1515 #endif
1516
1517 /* create SA;NONCE payload, and KE and ID if need */
1518 tlen = sizeof(*gen) + iph2->sa_ret->l
1519 + sizeof(*gen) + iph2->nonce->l;
1520 if (iph2->dhpub_p != NULL && pfsgroup != 0)
1521 tlen += (sizeof(*gen) + iph2->dhpub->l);
1522 if (iph2->id_p != NULL)
1523 tlen += (sizeof(*gen) + iph2->id_p->l
1524 + sizeof(*gen) + iph2->id->l);
1525 #ifdef ENABLE_NATT
1526 if (natoa != ISAKMP_NPTYPE_NONE)
1527 tlen += 2 * sizeof(*gen) + nat_oai->l + nat_oar->l;
1528 #endif
1529
1530 body = vmalloc(tlen);
1531 if (body == NULL) {
1532 plog(LLV_ERROR, LOCATION, NULL,
1533 "failed to get buffer to send.\n");
1534 goto end;
1535 }
1536 p = body->v;
1537
1538 /* make SA payload */
1539 p = set_isakmp_payload(body->v, iph2->sa_ret, ISAKMP_NPTYPE_NONCE);
1540
1541 /* add NONCE payload */
1542 np_p = &((struct isakmp_gen *)p)->np; /* XXX */
1543 p = set_isakmp_payload(p, iph2->nonce,
1544 (iph2->dhpub_p != NULL && pfsgroup != 0)
1545 ? ISAKMP_NPTYPE_KE
1546 : (iph2->id_p != NULL
1547 ? ISAKMP_NPTYPE_ID
1548 : natoa));
1549
1550 /* add KE payload if need. */
1551 if (iph2->dhpub_p != NULL && pfsgroup != 0) {
1552 np_p = &((struct isakmp_gen *)p)->np; /* XXX */
1553 p = set_isakmp_payload(p, iph2->dhpub,
1554 (iph2->id_p == NULL)
1555 ? natoa
1556 : ISAKMP_NPTYPE_ID);
1557 }
1558
1559 /* add ID payloads received. */
1560 if (iph2->id_p != NULL) {
1561 /* IDci */
1562 p = set_isakmp_payload(p, iph2->id_p, ISAKMP_NPTYPE_ID);
1563 /* IDcr */
1564 np_p = &((struct isakmp_gen *)p)->np; /* XXX */
1565 p = set_isakmp_payload(p, iph2->id, natoa);
1566 }
1567
1568 #ifdef ENABLE_NATT
1569 /* NAT-OA */
1570 if (natoa != ISAKMP_NPTYPE_NONE) {
1571 p = set_isakmp_payload(p, nat_oai, natoa);
1572 p = set_isakmp_payload(p, nat_oar, ISAKMP_NPTYPE_NONE);
1573 }
1574 #endif
1575
1576 /* add a RESPONDER-LIFETIME notify payload if needed */
1577 {
1578 vchar_t *data = NULL;
1579 struct saprop *pp = iph2->approval;
1580 struct saproto *pr;
1581
1582 if (pp->claim & IPSECDOI_ATTR_SA_LD_TYPE_SEC) {
1583 u_int32_t v = htonl((u_int32_t)pp->lifetime);
1584 data = isakmp_add_attr_l(data, IPSECDOI_ATTR_SA_LD_TYPE,
1585 IPSECDOI_ATTR_SA_LD_TYPE_SEC);
1586 if (!data)
1587 goto end;
1588 data = isakmp_add_attr_v(data, IPSECDOI_ATTR_SA_LD,
1589 (caddr_t)&v, sizeof(v));
1590 if (!data)
1591 goto end;
1592 }
1593 if (pp->claim & IPSECDOI_ATTR_SA_LD_TYPE_KB) {
1594 u_int32_t v = htonl((u_int32_t)pp->lifebyte);
1595 data = isakmp_add_attr_l(data, IPSECDOI_ATTR_SA_LD_TYPE,
1596 IPSECDOI_ATTR_SA_LD_TYPE_KB);
1597 if (!data)
1598 goto end;
1599 data = isakmp_add_attr_v(data, IPSECDOI_ATTR_SA_LD,
1600 (caddr_t)&v, sizeof(v));
1601 if (!data)
1602 goto end;
1603 }
1604
1605 /*
1606 * XXX Is there only single RESPONDER-LIFETIME payload in a IKE message
1607 * in the case of SA bundle ?
1608 */
1609 if (data) {
1610 for (pr = pp->head; pr; pr = pr->next) {
1611 body = isakmp_add_pl_n(body, &np_p,
1612 ISAKMP_NTYPE_RESPONDER_LIFETIME, pr, data);
1613 if (!body) {
1614 vfree(data);
1615 return error; /* XXX */
1616 }
1617 }
1618 vfree(data);
1619 }
1620 }
1621
1622 /* generate HASH(2) */
1623 {
1624 vchar_t *tmp;
1625
1626 tmp = vmalloc(iph2->nonce_p->l + body->l);
1627 if (tmp == NULL) {
1628 plog(LLV_ERROR, LOCATION, NULL,
1629 "failed to get hash buffer.\n");
1630 goto end;
1631 }
1632 memcpy(tmp->v, iph2->nonce_p->v, iph2->nonce_p->l);
1633 memcpy(tmp->v + iph2->nonce_p->l, body->v, body->l);
1634
1635 hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, tmp);
1636 vfree(tmp);
1637
1638 if (hash == NULL)
1639 goto end;
1640 }
1641
1642 /* send isakmp payload */
1643 iph2->sendbuf = quick_ir1mx(iph2, body, hash);
1644 if (iph2->sendbuf == NULL)
1645 goto end;
1646
1647 /* send the packet, add to the schedule to resend */
1648 iph2->retry_counter = iph2->ph1->rmconf->retry_counter;
1649 if (isakmp_ph2resend(iph2) == -1)
1650 goto end;
1651
1652 /* the sending message is added to the received-list. */
1653 if (add_recvdpkt(iph2->ph1->remote, iph2->ph1->local, iph2->sendbuf, iph2->msg1) == -1) {
1654 plog(LLV_ERROR , LOCATION, NULL,
1655 "failed to add a response packet to the tree.\n");
1656 goto end;
1657 }
1658
1659 /* change status of isakmp status entry */
1660 iph2->status = PHASE2ST_MSG1SENT;
1661
1662 error = 0;
1663
1664 end:
1665 if (body != NULL)
1666 vfree(body);
1667 if (hash != NULL)
1668 vfree(hash);
1669 #ifdef ENABLE_NATT
1670 if (nat_oai != NULL)
1671 vfree(nat_oai);
1672 if (nat_oar != NULL)
1673 vfree(nat_oar);
1674 #endif
1675
1676 return error;
1677 }
1678
1679 /*
1680 * receive from initiator
1681 * HDR*, HASH(3)
1682
1683 */
1684 int
1685 quick_r3recv(iph2, msg0)
1686 struct ph2handle *iph2;
1687 vchar_t *msg0;
1688 {
1689 vchar_t *msg = NULL;
1690 vchar_t *pbuf = NULL; /* for payload parsing */
1691 struct isakmp_parse_t *pa;
1692 struct isakmp_pl_hash *hash = NULL;
1693 int error = ISAKMP_INTERNAL_ERROR;
1694
1695 /* validity check */
1696 if (iph2->status != PHASE2ST_MSG1SENT) {
1697 plog(LLV_ERROR, LOCATION, NULL,
1698 "status mismatched %d.\n", iph2->status);
1699 goto end;
1700 }
1701
1702 /* decrypt packet */
1703 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
1704 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1705 "Packet wasn't encrypted.\n");
1706 goto end;
1707 }
1708 msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
1709 if (msg == NULL)
1710 goto end;
1711
1712 /* validate the type of next payload */
1713 pbuf = isakmp_parse(msg);
1714 if (pbuf == NULL)
1715 goto end;
1716
1717 for (pa = (struct isakmp_parse_t *)pbuf->v;
1718 pa->type != ISAKMP_NPTYPE_NONE;
1719 pa++) {
1720
1721 switch (pa->type) {
1722 case ISAKMP_NPTYPE_HASH:
1723 hash = (struct isakmp_pl_hash *)pa->ptr;
1724 break;
1725 case ISAKMP_NPTYPE_N:
1726 ph2_recv_n(iph2, pa->ptr);
1727 break;
1728 default:
1729 /* don't send information, see ident_r1recv() */
1730 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1731 "ignore the packet, "
1732 "received unexpecting payload type %d.\n",
1733 pa->type);
1734 goto end;
1735 }
1736 }
1737
1738 /* payload existency check */
1739 if (hash == NULL) {
1740 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1741 "few isakmp message received.\n");
1742 goto end;
1743 }
1744
1745 /* validate HASH(3) */
1746 /* HASH(3) = prf(SKEYID_a, 0 | M-ID | Ni_b | Nr_b) */
1747 {
1748 char *r_hash;
1749 vchar_t *my_hash = NULL;
1750 vchar_t *tmp = NULL;
1751 int result;
1752
1753 r_hash = (char *)hash + sizeof(*hash);
1754
1755 plog(LLV_DEBUG, LOCATION, NULL, "HASH(3) validate:");
1756 plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash));
1757
1758 tmp = vmalloc(iph2->nonce_p->l + iph2->nonce->l);
1759 if (tmp == NULL) {
1760 plog(LLV_ERROR, LOCATION, NULL,
1761 "failed to get hash buffer.\n");
1762 goto end;
1763 }
1764 memcpy(tmp->v, iph2->nonce_p->v, iph2->nonce_p->l);
1765 memcpy(tmp->v + iph2->nonce_p->l, iph2->nonce->v, iph2->nonce->l);
1766
1767 my_hash = oakley_compute_hash3(iph2->ph1, iph2->msgid, tmp);
1768 vfree(tmp);
1769 if (my_hash == NULL)
1770 goto end;
1771
1772 result = memcmp(my_hash->v, r_hash, my_hash->l);
1773 vfree(my_hash);
1774
1775 if (result) {
1776 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1777 "HASH(3) mismatch.\n");
1778 error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
1779 goto end;
1780 }
1781 }
1782
1783 /* if there is commit bit, don't set up SA now. */
1784 if (ISSET(iph2->flags, ISAKMP_FLAG_C)) {
1785 iph2->status = PHASE2ST_COMMIT;
1786 } else
1787 iph2->status = PHASE2ST_STATUS6;
1788
1789 error = 0;
1790
1791 end:
1792 if (pbuf != NULL)
1793 vfree(pbuf);
1794 if (msg != NULL)
1795 vfree(msg);
1796
1797 return error;
1798 }
1799
1800 /*
1801 * send to initiator
1802 * HDR#*, HASH(4), notify
1803 */
1804 int
1805 quick_r3send(iph2, msg0)
1806 struct ph2handle *iph2;
1807 vchar_t *msg0;
1808 {
1809 vchar_t *buf = NULL;
1810 vchar_t *myhash = NULL;
1811 struct isakmp_pl_n *n;
1812 vchar_t *notify = NULL;
1813 char *p;
1814 int tlen;
1815 int error = ISAKMP_INTERNAL_ERROR;
1816
1817 /* validity check */
1818 if (iph2->status != PHASE2ST_COMMIT) {
1819 plog(LLV_ERROR, LOCATION, NULL,
1820 "status mismatched %d.\n", iph2->status);
1821 goto end;
1822 }
1823
1824 /* generate HASH(4) */
1825 /* XXX What can I do in the case of multiple different SA */
1826 plog(LLV_DEBUG, LOCATION, NULL, "HASH(4) generate\n");
1827
1828 /* XXX What should I do if there are multiple SAs ? */
1829 tlen = sizeof(struct isakmp_pl_n) + iph2->approval->head->spisize;
1830 notify = vmalloc(tlen);
1831 if (notify == NULL) {
1832 plog(LLV_ERROR, LOCATION, NULL,
1833 "failed to get notify buffer.\n");
1834 goto end;
1835 }
1836 n = (struct isakmp_pl_n *)notify->v;
1837 n->h.np = ISAKMP_NPTYPE_NONE;
1838 n->h.len = htons(tlen);
1839 n->doi = htonl(IPSEC_DOI);
1840 n->proto_id = iph2->approval->head->proto_id;
1841 n->spi_size = sizeof(iph2->approval->head->spisize);
1842 n->type = htons(ISAKMP_NTYPE_CONNECTED);
1843 memcpy(n + 1, &iph2->approval->head->spi, iph2->approval->head->spisize);
1844
1845 myhash = oakley_compute_hash1(iph2->ph1, iph2->msgid, notify);
1846 if (myhash == NULL)
1847 goto end;
1848
1849 /* create buffer for isakmp payload */
1850 tlen = sizeof(struct isakmp)
1851 + sizeof(struct isakmp_gen) + myhash->l
1852 + notify->l;
1853 buf = vmalloc(tlen);
1854 if (buf == NULL) {
1855 plog(LLV_ERROR, LOCATION, NULL,
1856 "failed to get buffer to send.\n");
1857 goto end;
1858 }
1859
1860 /* create isakmp header */
1861 p = set_isakmp_header2(buf, iph2, ISAKMP_NPTYPE_HASH);
1862 if (p == NULL)
1863 goto end;
1864
1865 /* add HASH(4) payload */
1866 p = set_isakmp_payload(p, myhash, ISAKMP_NPTYPE_N);
1867
1868 /* add notify payload */
1869 memcpy(p, notify->v, notify->l);
1870
1871 #ifdef HAVE_PRINT_ISAKMP_C
1872 isakmp_printpacket(buf, iph2->ph1->local, iph2->ph1->remote, 1);
1873 #endif
1874
1875 /* encoding */
1876 iph2->sendbuf = oakley_do_encrypt(iph2->ph1, buf, iph2->ivm->ive, iph2->ivm->iv);
1877 if (iph2->sendbuf == NULL)
1878 goto end;
1879
1880 /* send the packet */
1881 if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0)
1882 goto end;
1883
1884 /* the sending message is added to the received-list. */
1885 if (add_recvdpkt(iph2->ph1->remote, iph2->ph1->local, iph2->sendbuf, msg0) == -1) {
1886 plog(LLV_ERROR , LOCATION, NULL,
1887 "failed to add a response packet to the tree.\n");
1888 goto end;
1889 }
1890
1891 iph2->status = PHASE2ST_COMMIT;
1892
1893 error = 0;
1894
1895 end:
1896 if (buf != NULL)
1897 vfree(buf);
1898 if (myhash != NULL)
1899 vfree(myhash);
1900 if (notify != NULL)
1901 vfree(notify);
1902
1903 return error;
1904 }
1905
1906 int
1907 tunnel_mode_prop(p)
1908 struct saprop *p;
1909 {
1910 struct saproto *pr;
1911
1912 for (pr = p->head; pr; pr = pr->next)
1913 if (pr->encmode == IPSECDOI_ATTR_ENC_MODE_TUNNEL)
1914 return 1;
1915 return 0;
1916 }
1917
1918 /*
1919 * set SA to kernel.
1920 */
1921 int
1922 quick_r3prep(iph2, msg0)
1923 struct ph2handle *iph2;
1924 vchar_t *msg0;
1925 {
1926 int error = ISAKMP_INTERNAL_ERROR;
1927
1928 /* validity check */
1929 if (iph2->status != PHASE2ST_STATUS6) {
1930 plog(LLV_ERROR, LOCATION, NULL,
1931 "status mismatched %d.\n", iph2->status);
1932 goto end;
1933 }
1934
1935 /* compute both of KEYMATs */
1936 if (oakley_compute_keymat(iph2, RESPONDER) < 0)
1937 goto end;
1938
1939 iph2->status = PHASE2ST_ADDSA;
1940 iph2->flags ^= ISAKMP_FLAG_C; /* reset bit */
1941
1942 /* don't anything if local test mode. */
1943 if (f_local) {
1944 error = 0;
1945 goto end;
1946 }
1947
1948 /* Do UPDATE as responder */
1949 plog(LLV_DEBUG, LOCATION, NULL, "call pk_sendupdate\n");
1950 if (pk_sendupdate(iph2) < 0) {
1951 plog(LLV_ERROR, LOCATION, NULL, "pfkey update failed.\n");
1952 goto end;
1953 }
1954 plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n");
1955
1956 /* Do ADD for responder */
1957 if (pk_sendadd(iph2) < 0) {
1958 plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n");
1959 goto end;
1960 }
1961 plog(LLV_DEBUG, LOCATION, NULL, "pfkey add sent.\n");
1962
1963 /*
1964 * set policies into SPD if the policy is generated
1965 * from peer's policy.
1966 */
1967 if (iph2->spidx_gen) {
1968
1969 struct policyindex *spidx;
1970 struct sockaddr_storage addr;
1971 u_int8_t pref;
1972 struct sockaddr *src = iph2->src;
1973 struct sockaddr *dst = iph2->dst;
1974
1975 /* make inbound policy */
1976 iph2->src = dst;
1977 iph2->dst = src;
1978 if (pk_sendspdupdate2(iph2) < 0) {
1979 plog(LLV_ERROR, LOCATION, NULL,
1980 "pfkey spdupdate2(inbound) failed.\n");
1981 goto end;
1982 }
1983 plog(LLV_DEBUG, LOCATION, NULL,
1984 "pfkey spdupdate2(inbound) sent.\n");
1985
1986 spidx = (struct policyindex *)iph2->spidx_gen;
1987 #ifdef HAVE_POLICY_FWD
1988 /* make forward policy if required */
1989 if (tunnel_mode_prop(iph2->approval)) {
1990 spidx->dir = IPSEC_DIR_FWD;
1991 if (pk_sendspdupdate2(iph2) < 0) {
1992 plog(LLV_ERROR, LOCATION, NULL,
1993 "pfkey spdupdate2(forward) failed.\n");
1994 goto end;
1995 }
1996 plog(LLV_DEBUG, LOCATION, NULL,
1997 "pfkey spdupdate2(forward) sent.\n");
1998 }
1999 #endif
2000
2001 /* make outbound policy */
2002 iph2->src = src;
2003 iph2->dst = dst;
2004 spidx->dir = IPSEC_DIR_OUTBOUND;
2005 addr = spidx->src;
2006 spidx->src = spidx->dst;
2007 spidx->dst = addr;
2008 pref = spidx->prefs;
2009 spidx->prefs = spidx->prefd;
2010 spidx->prefd = pref;
2011
2012 if (pk_sendspdupdate2(iph2) < 0) {
2013 plog(LLV_ERROR, LOCATION, NULL,
2014 "pfkey spdupdate2(outbound) failed.\n");
2015 goto end;
2016 }
2017 plog(LLV_DEBUG, LOCATION, NULL,
2018 "pfkey spdupdate2(outbound) sent.\n");
2019
2020 /* spidx_gen is unnecessary any more */
2021 delsp_bothdir((struct policyindex *)iph2->spidx_gen);
2022 racoon_free(iph2->spidx_gen);
2023 iph2->spidx_gen = NULL;
2024 iph2->generated_spidx=1;
2025 }
2026
2027 error = 0;
2028
2029 end:
2030 return error;
2031 }
2032
2033 /*
2034 * create HASH, body (SA, NONCE) payload with isakmp header.
2035 */
2036 static vchar_t *
2037 quick_ir1mx(iph2, body, hash)
2038 struct ph2handle *iph2;
2039 vchar_t *body, *hash;
2040 {
2041 struct isakmp *isakmp;
2042 vchar_t *buf = NULL, *new = NULL;
2043 char *p;
2044 int tlen;
2045 struct isakmp_gen *gen;
2046 int error = ISAKMP_INTERNAL_ERROR;
2047
2048 /* create buffer for isakmp payload */
2049 tlen = sizeof(*isakmp)
2050 + sizeof(*gen) + hash->l
2051 + body->l;
2052 buf = vmalloc(tlen);
2053 if (buf == NULL) {
2054 plog(LLV_ERROR, LOCATION, NULL,
2055 "failed to get buffer to send.\n");
2056 goto end;
2057 }
2058
2059 /* re-set encryption flag, for serurity. */
2060 iph2->flags |= ISAKMP_FLAG_E;
2061
2062 /* set isakmp header */
2063 p = set_isakmp_header2(buf, iph2, ISAKMP_NPTYPE_HASH);
2064 if (p == NULL)
2065 goto end;
2066
2067 /* add HASH payload */
2068 /* XXX is next type always SA ? */
2069 p = set_isakmp_payload(p, hash, ISAKMP_NPTYPE_SA);
2070
2071 /* add body payload */
2072 memcpy(p, body->v, body->l);
2073
2074 #ifdef HAVE_PRINT_ISAKMP_C
2075 isakmp_printpacket(buf, iph2->ph1->local, iph2->ph1->remote, 1);
2076 #endif
2077
2078 /* encoding */
2079 new = oakley_do_encrypt(iph2->ph1, buf, iph2->ivm->ive, iph2->ivm->iv);
2080
2081 if (new == NULL)
2082 goto end;
2083
2084 vfree(buf);
2085
2086 buf = new;
2087
2088 error = 0;
2089
2090 end:
2091 if (error && buf != NULL) {
2092 vfree(buf);
2093 buf = NULL;
2094 }
2095
2096 return buf;
2097 }
2098
2099 /*
2100 * get remote's sainfo.
2101 * NOTE: this function is for responder.
2102 */
2103 static int
2104 get_sainfo_r(iph2)
2105 struct ph2handle *iph2;
2106 {
2107 vchar_t *idsrc = NULL, *iddst = NULL, *client = NULL;
2108 int error = ISAKMP_INTERNAL_ERROR;
2109
2110 if (iph2->id == NULL) {
2111 idsrc = ipsecdoi_sockaddr2id(iph2->src, IPSECDOI_PREFIX_HOST,
2112 IPSEC_ULPROTO_ANY);
2113 } else {
2114 idsrc = vdup(iph2->id);
2115 }
2116 if (idsrc == NULL) {
2117 plog(LLV_ERROR, LOCATION, NULL,
2118 "failed to set ID for source.\n");
2119 goto end;
2120 }
2121
2122 if (iph2->id_p == NULL) {
2123 iddst = ipsecdoi_sockaddr2id(iph2->dst, IPSECDOI_PREFIX_HOST,
2124 IPSEC_ULPROTO_ANY);
2125 } else {
2126 iddst = vdup(iph2->id_p);
2127 }
2128 if (iddst == NULL) {
2129 plog(LLV_ERROR, LOCATION, NULL,
2130 "failed to set ID for destination.\n");
2131 goto end;
2132 }
2133
2134 #ifdef ENABLE_HYBRID
2135
2136 /* clientaddr check : obtain modecfg address */
2137 if (iph2->ph1->mode_cfg != NULL) {
2138 if ((iph2->ph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_EXTERN) ||
2139 (iph2->ph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_LOCAL)){
2140 struct sockaddr saddr;
2141 saddr.sa_family = AF_INET;
2142 #ifndef __linux__
2143 saddr.sa_len = sizeof(struct sockaddr_in);
2144 #endif
2145 ((struct sockaddr_in *)&saddr)->sin_port = IPSEC_PORT_ANY;
2146 memcpy(&((struct sockaddr_in *)&saddr)->sin_addr,
2147 &iph2->ph1->mode_cfg->addr4, sizeof(struct in_addr));
2148 client = ipsecdoi_sockaddr2id(&saddr, 32, IPSEC_ULPROTO_ANY);
2149 }
2150 }
2151
2152 /* clientaddr check, fallback to peer address */
2153 if (client == NULL)
2154 {
2155 client = ipsecdoi_sockaddr2id(iph2->dst, IPSECDOI_PREFIX_HOST,
2156 IPSEC_ULPROTO_ANY);
2157 }
2158 #endif
2159
2160 /* obtain a matching sainfo section */
2161 iph2->sainfo = getsainfo(idsrc, iddst, iph2->ph1->id_p, client, iph2->ph1->rmconf->ph1id);
2162 if (iph2->sainfo == NULL) {
2163 plog(LLV_ERROR, LOCATION, NULL,
2164 "failed to get sainfo.\n");
2165 goto end;
2166 }
2167
2168 #ifdef ENABLE_HYBRID
2169 /* xauth group inclusion check */
2170 if (iph2->sainfo->group != NULL)
2171 if(group_check(iph2->ph1,&iph2->sainfo->group->v,1))
2172 goto end;
2173 #endif
2174
2175 plog(LLV_DEBUG, LOCATION, NULL,
2176 "selected sainfo: %s\n", sainfo2str(iph2->sainfo));
2177
2178 error = 0;
2179 end:
2180 if (idsrc)
2181 vfree(idsrc);
2182 if (iddst)
2183 vfree(iddst);
2184 if (client)
2185 vfree(client);
2186
2187 return error;
2188 }
2189
2190 /*
2191 * Copy both IP addresses in ID payloads into [src,dst]_id if both ID types
2192 * are IP address and same address family.
2193 * Then get remote's policy from SPD copied from kernel.
2194 * If the type of ID payload is address or subnet type, then the index is
2195 * made from the payload. If there is no ID payload, or the type of ID
2196 * payload is NOT address type, then the index is made from the address
2197 * pair of phase 1.
2198 * NOTE: This function is only for responder.
2199 */
2200 static int
2201 get_proposal_r(iph2)
2202 struct ph2handle *iph2;
2203 {
2204 struct policyindex spidx;
2205 struct secpolicy *sp_in, *sp_out;
2206 int idi2type = 0; /* switch whether copy IDs into id[src,dst]. */
2207 int error = ISAKMP_INTERNAL_ERROR;
2208
2209 /* check the existence of ID payload */
2210 if ((iph2->id_p != NULL && iph2->id == NULL)
2211 || (iph2->id_p == NULL && iph2->id != NULL)) {
2212 plog(LLV_ERROR, LOCATION, NULL,
2213 "Both IDs wasn't found in payload.\n");
2214 return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
2215 }
2216
2217 /* make sure if id[src,dst] is null. */
2218 if (iph2->src_id || iph2->dst_id) {
2219 plog(LLV_ERROR, LOCATION, NULL,
2220 "Why do ID[src,dst] exist already.\n");
2221 return ISAKMP_INTERNAL_ERROR;
2222 }
2223
2224 memset(&spidx, 0, sizeof(spidx));
2225
2226 #define _XIDT(d) ((struct ipsecdoi_id_b *)(d)->v)->type
2227
2228 /* make a spidx; a key to search SPD */
2229 spidx.dir = IPSEC_DIR_INBOUND;
2230 spidx.ul_proto = 0;
2231
2232 /*
2233 * make destination address in spidx from either ID payload
2234 * or phase 1 address into a address in spidx.
2235 */
2236 if (iph2->id != NULL
2237 && (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR
2238 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR
2239 || _XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR_SUBNET
2240 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
2241 /* get a destination address of a policy */
2242 error = ipsecdoi_id2sockaddr(iph2->id,
2243 (struct sockaddr *)&spidx.dst,
2244 &spidx.prefd, &spidx.ul_proto);
2245 if (error)
2246 return error;
2247
2248 #ifdef INET6
2249 /*
2250 * get scopeid from the SA address.
2251 * note that the phase 1 source address is used as
2252 * a destination address to search for a inbound policy entry
2253 * because rcoon is responder.
2254 */
2255 if (_XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) {
2256 error = setscopeid((struct sockaddr *)&spidx.dst,
2257 iph2->src);
2258 if (error)
2259 return error;
2260 }
2261 #endif
2262
2263 if (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR
2264 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR)
2265 idi2type = _XIDT(iph2->id);
2266
2267 } else {
2268
2269 plog(LLV_DEBUG, LOCATION, NULL,
2270 "get a destination address of SP index "
2271 "from phase1 address "
2272 "due to no ID payloads found "
2273 "OR because ID type is not address.\n");
2274
2275 /*
2276 * copy the SOURCE address of IKE into the DESTINATION address
2277 * of the key to search the SPD because the direction of policy
2278 * is inbound.
2279 */
2280 memcpy(&spidx.dst, iph2->src, sysdep_sa_len(iph2->src));
2281 switch (spidx.dst.ss_family) {
2282 case AF_INET:
2283 spidx.prefd = sizeof(struct in_addr) << 3;
2284 break;
2285 #ifdef INET6
2286 case AF_INET6:
2287 spidx.prefd = sizeof(struct in6_addr) << 3;
2288 break;
2289 #endif
2290 default:
2291 spidx.prefd = 0;
2292 break;
2293 }
2294 }
2295
2296 /* make source address in spidx */
2297 if (iph2->id_p != NULL
2298 && (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR
2299 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR
2300 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR_SUBNET
2301 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
2302 /* get a source address of inbound SA */
2303 error = ipsecdoi_id2sockaddr(iph2->id_p,
2304 (struct sockaddr *)&spidx.src,
2305 &spidx.prefs, &spidx.ul_proto);
2306 if (error)
2307 return error;
2308
2309 #ifdef INET6
2310 /*
2311 * get scopeid from the SA address.
2312 * for more detail, see above of this function.
2313 */
2314 if (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR) {
2315 error = setscopeid((struct sockaddr *)&spidx.src,
2316 iph2->dst);
2317 if (error)
2318 return error;
2319 }
2320 #endif
2321
2322 /* make id[src,dst] if both ID types are IP address and same */
2323 if (_XIDT(iph2->id_p) == idi2type
2324 && spidx.dst.ss_family == spidx.src.ss_family) {
2325 iph2->src_id = dupsaddr((struct sockaddr *)&spidx.dst);
2326 if (iph2->src_id == NULL) {
2327 plog(LLV_ERROR, LOCATION, NULL,
2328 "buffer allocation failed.\n");
2329 return ISAKMP_INTERNAL_ERROR;
2330 }
2331 iph2->dst_id = dupsaddr((struct sockaddr *)&spidx.src);
2332 if (iph2->dst_id == NULL) {
2333 plog(LLV_ERROR, LOCATION, NULL,
2334 "buffer allocation failed.\n");
2335 return ISAKMP_INTERNAL_ERROR;
2336 }
2337 } else {
2338 plog(LLV_DEBUG, LOCATION, NULL,
2339 "Family (%d - %d) or types (%d - %d) of ID"
2340 "from initiator differ.\n",
2341 spidx.src.ss_family, spidx.dst.ss_family,
2342 _XIDT(iph2->id_p),idi2type);
2343 }
2344 } else {
2345 plog(LLV_DEBUG, LOCATION, NULL,
2346 "get a source address of SP index "
2347 "from phase1 address "
2348 "due to no ID payloads found "
2349 "OR because ID type is not address.\n");
2350
2351 /* see above comment. */
2352 memcpy(&spidx.src, iph2->dst, sysdep_sa_len(iph2->dst));
2353 switch (spidx.src.ss_family) {
2354 case AF_INET:
2355 spidx.prefs = sizeof(struct in_addr) << 3;
2356 break;
2357 #ifdef INET6
2358 case AF_INET6:
2359 spidx.prefs = sizeof(struct in6_addr) << 3;
2360 break;
2361 #endif
2362 default:
2363 spidx.prefs = 0;
2364 break;
2365 }
2366 }
2367
2368 #undef _XIDT
2369
2370 plog(LLV_DEBUG, LOCATION, NULL,
2371 "get a src address from ID payload "
2372 "%s prefixlen=%u ul_proto=%u\n",
2373 saddr2str((struct sockaddr *)&spidx.src),
2374 spidx.prefs, spidx.ul_proto);
2375 plog(LLV_DEBUG, LOCATION, NULL,
2376 "get dst address from ID payload "
2377 "%s prefixlen=%u ul_proto=%u\n",
2378 saddr2str((struct sockaddr *)&spidx.dst),
2379 spidx.prefd, spidx.ul_proto);
2380
2381 /*
2382 * convert the ul_proto if it is 0
2383 * because 0 in ID payload means a wild card.
2384 */
2385 if (spidx.ul_proto == 0)
2386 spidx.ul_proto = IPSEC_ULPROTO_ANY;
2387
2388 #ifdef HAVE_SECCTX
2389 /*
2390 * Need to use security context in spidx to ensure the correct
2391 * policy is selected. The only way to get the security context
2392 * is to look into the proposal sent by peer ahead of time.
2393 */
2394 if (get_security_context(iph2->sa, &spidx)) {
2395 plog(LLV_ERROR, LOCATION, NULL,
2396 "error occurred trying to get security context.\n");
2397 return ISAKMP_INTERNAL_ERROR;
2398 }
2399 #endif /* HAVE_SECCTX */
2400
2401 /* get inbound policy */
2402 sp_in = getsp_r(&spidx);
2403 if (sp_in == NULL) {
2404 if (iph2->ph1->rmconf->gen_policy) {
2405 plog(LLV_INFO, LOCATION, NULL,
2406 "no policy found, "
2407 "try to generate the policy : %s\n",
2408 spidx2str(&spidx));
2409 iph2->spidx_gen = racoon_malloc(sizeof(spidx));
2410 if (!iph2->spidx_gen) {
2411 plog(LLV_ERROR, LOCATION, NULL,
2412 "buffer allocation failed.\n");
2413 return ISAKMP_INTERNAL_ERROR;
2414 }
2415 memcpy(iph2->spidx_gen, &spidx, sizeof(spidx));
2416 return -2; /* special value */
2417 }
2418 plog(LLV_ERROR, LOCATION, NULL,
2419 "no policy found: %s\n", spidx2str(&spidx));
2420 return ISAKMP_INTERNAL_ERROR;
2421 }
2422 /* Refresh existing generated policies
2423 */
2424 if (iph2->ph1->rmconf->gen_policy) {
2425 plog(LLV_INFO, LOCATION, NULL,
2426 "Update the generated policy : %s\n",
2427 spidx2str(&spidx));
2428 iph2->spidx_gen = racoon_malloc(sizeof(spidx));
2429 if (!iph2->spidx_gen) {
2430 plog(LLV_ERROR, LOCATION, NULL,
2431 "buffer allocation failed.\n");
2432 return ISAKMP_INTERNAL_ERROR;
2433 }
2434 memcpy(iph2->spidx_gen, &spidx, sizeof(spidx));
2435 }
2436
2437 /* get outbound policy */
2438 {
2439 struct sockaddr_storage addr;
2440 u_int8_t pref;
2441
2442 spidx.dir = IPSEC_DIR_OUTBOUND;
2443 addr = spidx.src;
2444 spidx.src = spidx.dst;
2445 spidx.dst = addr;
2446 pref = spidx.prefs;
2447 spidx.prefs = spidx.prefd;
2448 spidx.prefd = pref;
2449
2450 sp_out = getsp_r(&spidx);
2451 if (!sp_out) {
2452 plog(LLV_WARNING, LOCATION, NULL,
2453 "no outbound policy found: %s\n",
2454 spidx2str(&spidx));
2455 }
2456 }
2457
2458 plog(LLV_DEBUG, LOCATION, NULL,
2459 "suitable SP found:%s\n", spidx2str(&spidx));
2460
2461 /*
2462 * In the responder side, the inbound policy should be using IPsec.
2463 * outbound policy is not checked currently.
2464 */
2465 if (sp_in->policy != IPSEC_POLICY_IPSEC) {
2466 plog(LLV_ERROR, LOCATION, NULL,
2467 "policy found, but no IPsec required: %s\n",
2468 spidx2str(&spidx));
2469 return ISAKMP_INTERNAL_ERROR;
2470 }
2471
2472 /* set new proposal derived from a policy into the iph2->proposal. */
2473 if (set_proposal_from_policy(iph2, sp_in, sp_out) < 0) {
2474 plog(LLV_ERROR, LOCATION, NULL,
2475 "failed to create saprop.\n");
2476 return ISAKMP_INTERNAL_ERROR;
2477 }
2478
2479 #ifdef HAVE_SECCTX
2480 if (spidx.sec_ctx.ctx_str) {
2481 set_secctx_in_proposal(iph2, spidx);
2482 }
2483 #endif /* HAVE_SECCTX */
2484
2485 return 0;
2486 }
2487
2488 /*
2489 * handle a notification payload inside phase2 exchange.
2490 * phase2 is always encrypted, so it does not need to be checked
2491 * for explicitely.
2492 */
2493 static int
2494 ph2_recv_n(iph2, gen)
2495 struct ph2handle *iph2;
2496 struct isakmp_gen *gen;
2497 {
2498 struct ph1handle *iph1 = iph2->ph1;
2499 struct isakmp_pl_n *notify = (struct isakmp_pl_n *) gen;
2500 u_int type;
2501 int check_level;
2502
2503 type = ntohs(notify->type);
2504 switch (type) {
2505 case ISAKMP_NTYPE_CONNECTED:
2506 break;
2507 case ISAKMP_NTYPE_INITIAL_CONTACT:
2508 return isakmp_info_recv_initialcontact(iph1, iph2);
2509 case ISAKMP_NTYPE_RESPONDER_LIFETIME:
2510 ipsecdoi_parse_responder_lifetime(notify,
2511 &iph2->lifetime_secs, &iph2->lifetime_kb);
2512
2513 if (iph1 != NULL && iph1->rmconf != NULL) {
2514 check_level = iph1->rmconf->pcheck_level;
2515 } else {
2516 if (iph1 != NULL)
2517 plog(LLV_DEBUG, LOCATION, NULL,
2518 "No phase1 rmconf found !\n");
2519 else
2520 plog(LLV_DEBUG, LOCATION, NULL,
2521 "No phase1 found !\n");
2522 check_level = PROP_CHECK_EXACT;
2523 }
2524
2525 switch (check_level) {
2526 case PROP_CHECK_OBEY:
2527 break;
2528 case PROP_CHECK_STRICT:
2529 case PROP_CHECK_CLAIM:
2530 if (iph2->sainfo == NULL
2531 || iph2->sainfo->lifetime <= iph2->lifetime_secs) {
2532 plog(LLV_WARNING, LOCATION, NULL,
2533 "RESPONDER-LIFETIME: lifetime mismatch\n");
2534 iph2->lifetime_secs = 0;
2535 }
2536 break;
2537 case PROP_CHECK_EXACT:
2538 if (iph2->sainfo == NULL
2539 || iph2->sainfo->lifetime != iph2->lifetime_secs) {
2540 plog(LLV_WARNING, LOCATION, NULL,
2541 "RESPONDER-LIFETIME: lifetime mismatch\n");
2542 iph2->lifetime_secs = 0;
2543 }
2544 break;
2545 }
2546 break;
2547 default:
2548 isakmp_log_notify(iph2->ph1, notify, "phase2 exchange");
2549 isakmp_info_send_n2(iph2, ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE,
2550 NULL);
2551 break;
2552 }
2553 return 0;
2554 }
2555
2556