1/* $NetBSD: isakmp.c,v 1.20.6.7 2007/08/01 11:52:20 vanhu Exp $ */ 2 3/* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */ 4 5/* 6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of the project nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33#define __APPLE_API_PRIVATE 34 35#include "config.h" 36 37#include <sys/types.h> 38#include <sys/param.h> 39#include <sys/socket.h> 40#include <sys/ioctl.h> 41#include <sys/queue.h> 42 43#include <netinet/in.h> 44#include <net/if_var.h> 45#include <netinet6/in6_var.h> 46#include <arpa/inet.h> 47 48#ifndef HAVE_NETINET6_IPSEC 49#include <netinet/ipsec.h> 50#else 51#include <netinet6/ipsec.h> 52#endif 53 54#include <stdlib.h> 55#include <stdio.h> 56#include <string.h> 57#include <errno.h> 58#if TIME_WITH_SYS_TIME 59# include <sys/time.h> 60# include <time.h> 61#else 62# if HAVE_SYS_TIME_H 63# include <sys/time.h> 64# else 65# include <time.h> 66# endif 67#endif 68#include <netdb.h> 69#ifdef HAVE_UNISTD_H 70#include <unistd.h> 71#endif 72#include <ctype.h> 73#ifdef ENABLE_HYBRID 74#include <resolv.h> 75#endif 76 77#include "var.h" 78#include "misc.h" 79#include "vmbuf.h" 80#include "plog.h" 81#include "sockmisc.h" 82#include "schedule.h" 83#include "debug.h" 84#include "session.h" 85#include "fsm.h" 86 87#include "remoteconf.h" 88#include "localconf.h" 89#include "grabmyaddr.h" 90#include "isakmp_var.h" 91#include "isakmp.h" 92#include "oakley.h" 93#include "handler.h" 94#include "proposal.h" 95#include "ipsec_doi.h" 96#include "pfkey.h" 97#include "crypto_openssl.h" 98#include "policy.h" 99#include "isakmp_ident.h" 100#include "isakmp_agg.h" 101#include "isakmp_quick.h" 102#include "isakmp_inf.h" 103#include "vpn_control.h" 104#include "vpn_control_var.h" 105#ifdef ENABLE_HYBRID 106#include "vendorid.h" 107#include "isakmp_xauth.h" 108#include "isakmp_unity.h" 109#include "isakmp_cfg.h" 110#endif 111#ifdef ENABLE_FRAG 112#include "isakmp_frag.h" 113#endif 114#include "strnames.h" 115 116#include <fcntl.h> 117 118#ifdef ENABLE_NATT 119# include "nattraversal.h" 120#endif 121#include "ike_session.h" 122# include <netinet/in.h> 123# include <netinet/udp.h> 124# include <netinet/in_systm.h> 125# include <netinet/ip.h> 126# define SOL_UDP IPPROTO_UDP 127#include "ipsecSessionTracer.h" 128#include "ipsecMessageTracer.h" 129#include "power_mgmt.h" 130 131extern caddr_t val2str (const char *, size_t); 132u_char i_ck0[] = { 0,0,0,0,0,0,0,0 }; /* used to verify the i_ck. */ 133u_char r_ck0[] = { 0,0,0,0,0,0,0,0 }; /* used to verify the r_ck. */ 134 135 136static void isakmp_main (vchar_t *, struct sockaddr_storage *, struct sockaddr_storage *); 137static void ikev1_received_packet(vchar_t *, struct sockaddr_storage *, struct sockaddr_storage *); 138static int ikev1_ph1begin_r (ike_session_t *session, vchar_t *, struct sockaddr_storage *, struct sockaddr_storage *, u_int8_t); 139static int ikev1_ph2begin_i (phase1_handle_t *, phase2_handle_t *); 140static int ikev1_ph2begin_r (phase1_handle_t *, vchar_t *); 141 142 143#ifdef ENABLE_FRAG 144static void frag_handler (phase1_handle_t *, vchar_t *, struct sockaddr_storage *, struct sockaddr_storage *); 145#endif 146 147/* 148 * isakmp packet handler 149 */ 150void 151isakmp_handler(int so_isakmp) 152{ 153 struct isakmp isakmp; 154 union { 155 u_int64_t force_align; // Wcast-align fix - force alignment 156 char buf[sizeof (isakmp) + 4]; 157 u_int32_t non_esp[2]; 158 char lbuf[sizeof(struct udphdr) + 159 sizeof(struct ip) + 160 sizeof(isakmp) + 4]; 161 } x; 162 struct sockaddr_storage remote; 163 struct sockaddr_storage local; 164 unsigned int remote_len = sizeof(remote); 165 unsigned int local_len = sizeof(local); 166 ssize_t len = 0; 167 int extralen = 0; 168 u_short port; 169 vchar_t *buf = NULL, *tmpbuf = NULL; 170 int error = -1; 171 172 if (slept_at || woke_at) { 173 plog(ASL_LEVEL_DEBUG, 174 "ignoring isakmp port until power-mgmt event is handled.\n"); 175 return; 176 } 177 178 /* read message by MSG_PEEK */ 179 while ((len = recvfromto(so_isakmp, x.buf, sizeof(x), 180 MSG_PEEK, &remote, &remote_len, &local, &local_len)) < 0) { 181 if (errno == EINTR) 182 continue; 183 plog(ASL_LEVEL_ERR, 184 "failed to receive isakmp packet: %s\n", 185 strerror (errno)); 186 goto end; 187 } 188 189 /* keep-alive packet - ignore */ 190 if (len == 1 && (x.buf[0]&0xff) == 0xff) { 191 /* Pull the keep-alive packet */ 192 if ((len = recvfrom(so_isakmp, (char *)x.buf, 1, 193 0, (struct sockaddr *)&remote, &remote_len)) != 1) { 194 plog(ASL_LEVEL_ERR, 195 "failed to receive keep alive packet: %s\n", 196 strerror (errno)); 197 } 198 goto end; 199 } 200 201 202 /* we don't know about portchange yet, 203 look for non-esp marker instead */ 204 if (x.non_esp[0] == 0 && x.non_esp[1] != 0) 205 extralen = NON_ESP_MARKER_LEN; 206 207 /* now we know if there is an extra non-esp 208 marker at the beginning or not */ 209 memcpy ((char *)&isakmp, x.buf + extralen, sizeof (isakmp)); 210 211 /* check isakmp header length, as well as sanity of header length */ 212 if (len < sizeof(isakmp) || ntohl(isakmp.len) < sizeof(isakmp)) { 213 plog(ASL_LEVEL_ERR, 214 "packet shorter than isakmp header size (size: %zu, minimum expected: %zu)\n", len, sizeof(isakmp)); 215 /* dummy receive */ 216 if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp), 217 0, (struct sockaddr *)&remote, &remote_len)) < 0) { 218 plog(ASL_LEVEL_ERR, 219 "failed to receive isakmp packet: %s\n", 220 strerror (errno)); 221 } 222 goto end; 223 } 224 225 /* reject it if the size is tooooo big. */ 226 if (ntohl(isakmp.len) > 0xffff) { 227 plog(ASL_LEVEL_ERR, 228 "the length in the isakmp header is too big.\n"); 229 if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp), 230 0, (struct sockaddr *)&remote, &remote_len)) < 0) { 231 plog(ASL_LEVEL_ERR, 232 "failed to receive isakmp packet: %s\n", 233 strerror (errno)); 234 } 235 goto end; 236 } 237 238 /* read real message */ 239 if ((tmpbuf = vmalloc(ntohl(isakmp.len) + extralen)) == NULL) { 240 plog(ASL_LEVEL_ERR, 241 "failed to allocate reading buffer (%u Bytes)\n", 242 ntohl(isakmp.len) + extralen); 243 /* dummy receive */ 244 if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp), 245 0, (struct sockaddr *)&remote, &remote_len)) < 0) { 246 plog(ASL_LEVEL_ERR, 247 "failed to receive isakmp packet: %s\n", 248 strerror (errno)); 249 error = -2; /* serious problem with socket */ 250 } 251 goto end; 252 } 253 254 while ((len = recvfromto(so_isakmp, (char *)tmpbuf->v, tmpbuf->l, 255 0, &remote, &remote_len, &local, &local_len)) < 0) { 256 if (errno == EINTR) 257 continue; 258 plog(ASL_LEVEL_ERR, 259 "failed to receive isakmp packet: %s\n", 260 strerror (errno)); 261 goto end; 262 } 263 264 if (len < extralen) { 265 plog(ASL_LEVEL_ERR, 266 "invalid len (%zd Bytes) & extralen (%d Bytes)\n", 267 len, extralen); 268 goto end; 269 } 270 271 if ((buf = vmalloc(len - extralen)) == NULL) { 272 plog(ASL_LEVEL_ERR, 273 "failed to allocate reading buffer (%lu Bytes)\n", 274 (len - extralen)); 275 goto end; 276 } 277 278 memcpy (buf->v, tmpbuf->v + extralen, buf->l); 279 280 len -= extralen; 281 282 if (len != buf->l) { 283 plog(ASL_LEVEL_ERR, "received invalid length (%zd != %zu), why ?\n", 284 len, buf->l); 285 goto end; 286 } 287 288 plog(ASL_LEVEL_DEBUG, "%zd bytes message received %s\n", 289 len, saddr2str_fromto("from %s to %s", 290 (struct sockaddr *)&remote, 291 (struct sockaddr *)&local)); 292 293 /* avoid packets with malicious port/address */ 294 switch (remote.ss_family) { 295 case AF_INET: 296 port = ((struct sockaddr_in *)&remote)->sin_port; 297 break; 298#ifdef INET6 299 case AF_INET6: 300 port = ((struct sockaddr_in6 *)&remote)->sin6_port; 301 break; 302#endif 303 default: 304 plog(ASL_LEVEL_ERR, 305 "invalid family: %d\n", remote.ss_family); 306 goto end; 307 } 308 if (port == 0) { 309 plog(ASL_LEVEL_ERR, 310 "src port == 0 (valid as UDP but not with IKE)\n"); 311 goto end; 312 } 313 314 /* XXX: check sender whether to be allowed or not to accept */ 315 316 /* XXX: I don't know how to check isakmp half connection attack. */ 317 318 /* simply reply if the packet was processed. */ 319 320 if (ike_session_check_recvdpkt(&remote, &local, buf)) { 321 IPSECLOGASLMSG("Received retransmitted packet from %s.\n", 322 saddr2str((struct sockaddr *)&remote)); 323 324 plog(ASL_LEVEL_NOTICE, 325 "the packet is retransmitted by %s.\n", 326 saddr2str((struct sockaddr *)&remote)); 327 error = 0; 328 goto end; 329 } 330 331 /* isakmp main routine */ 332 isakmp_main(buf, &remote, &local); 333 334end: 335 if (tmpbuf != NULL) 336 vfree(tmpbuf); 337 if (buf != NULL) 338 vfree(buf); 339 340 return; 341} 342 343/* 344 * main processing to handle isakmp payload 345 */ 346static void 347isakmp_main(vchar_t *msg, struct sockaddr_storage *remote, struct sockaddr_storage *local) 348{ 349 struct isakmp *isakmp = (struct isakmp *)msg->v; 350 u_int8_t isakmp_version = isakmp->v; 351 352#ifdef HAVE_PRINT_ISAKMP_C 353 isakmp_printpacket(msg, remote, local, 0); 354#endif 355 356 /* the initiator's cookie must not be zero */ 357 if (memcmp(&isakmp->i_ck, r_ck0, sizeof(cookie_t)) == 0) { 358 plog(ASL_LEVEL_ERR, 359 "malformed cookie received.\n"); 360 return; 361 } 362 363 /* Check the Major and Minor Version fields. */ 364 /* 365 * XXX Is is right to check version here ? 366 * I think it may no be here because the version depends 367 * on exchange status. 368 */ 369 if (ISAKMP_GETMAJORV(isakmp_version) != ISAKMP_MAJOR_VERSION_IKEV1) { 370 plog(ASL_LEVEL_ERR, "invalid major version %d.\n", isakmp_version); 371 return; 372 } 373 374#if 0 375#if ISAKMP_MINOR_VERSION > 0 //%%%%%%%% fix this 376 if (ISAKMP_GETMINORV(isakmp->v) < ISAKMP_MINOR_VERSION) { //%%%%%%%%%%%%%%% ?????? 377 plog(ASL_LEVEL_ERR, 378 "invalid minor version %d.\n", 379 ISAKMP_GETMINORV(isakmp->v)); 380 return; 381 } 382#endif 383#endif 384 385 if (isakmp_version == ISAKMP_VERSION_NUMBER_IKEV1) { 386 /* check the Flags field. */ 387 /* XXX How is the exclusive check, E and A ? */ 388 if (isakmp->flags & ~(ISAKMP_FLAG_E | ISAKMP_FLAG_C | ISAKMP_FLAG_A)) { 389 plog(ASL_LEVEL_ERR, "invalid flag 0x%02x.\n", isakmp->flags); 390 return; 391 } 392 393 /* ignore commit bit. */ 394 if (ISSET(isakmp->flags, ISAKMP_FLAG_C)) { 395 if (isakmp->msgid == 0) { 396 isakmp_info_send_nx(isakmp, remote, local, 397 ISAKMP_NTYPE_INVALID_FLAGS, NULL); 398 plog(ASL_LEVEL_ERR, "Commit bit on Phase 1 forbidden.\n"); 399 return; 400 } 401 } 402 403 ikev1_received_packet(msg, local, remote); 404 } 405 return; 406} 407 408/* 409 * ikev1_received_packet 410 * Handler for received IKEv1 Packets 411 */ 412static void 413ikev1_received_packet(vchar_t *msg, struct sockaddr_storage *local, struct sockaddr_storage *remote) 414{ 415 ike_session_t *session; 416 phase1_handle_t *iph1; 417 418 struct isakmp *isakmp = (struct isakmp *)msg->v; 419 isakmp_index *index = (isakmp_index *)isakmp; 420 421 session = ike_session_get_session(local, remote, 0, index); 422 if (!session) { 423 session = ike_session_get_session(local, remote, 1, NULL); 424 } 425 if (!session) { 426 plog (ASL_LEVEL_INFO, "failed to allocate or find ike session.\n"); 427 fatal_error(-1); 428 } 429 430 iph1 = ike_session_getph1byindex(session, index); 431 if (iph1 != NULL) { 432 /* validity check */ 433 if (memcmp(&isakmp->r_ck, r_ck0, sizeof(cookie_t)) == 0 && 434 iph1->side == INITIATOR) { 435 IPSECSESSIONTRACEREVENT(iph1->parent_session, 436 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL, 437 CONSTSTR("Malformed or unexpected cookie"), 438 CONSTSTR("Failed to process packet (malformed/unexpected cookie)")); 439 plog(ASL_LEVEL_DEBUG, 440 "Malformed cookie received or " 441 "the initiator's cookies collide.\n"); 442 return; 443 } 444 445 446 /* Floating ports for NAT-T */ 447 if (NATT_AVAILABLE(iph1) && 448 ! (iph1->natt_flags & NAT_PORTS_CHANGED) && 449 ((cmpsaddrstrict(iph1->remote, remote) != 0) || 450 (cmpsaddrstrict(iph1->local, local) != 0))) 451 { 452 /* prevent memory leak */ 453 racoon_free(iph1->remote); 454 racoon_free(iph1->local); 455 iph1->remote = NULL; 456 iph1->local = NULL; 457 458 /* copy-in new addresses */ 459 iph1->remote = dupsaddr(remote); 460 if (iph1->remote == NULL) { 461 IPSECSESSIONTRACEREVENT(iph1->parent_session, 462 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL, 463 CONSTSTR("Failed to duplicate remote address"), 464 CONSTSTR("Failed to process Phase 1 message (can't duplicate remote address")); 465 plog(ASL_LEVEL_ERR, 466 "Phase 1 failed: dupsaddr failed.\n"); 467 fatal_error(-1); 468 } 469 iph1->local = dupsaddr(local); 470 if (iph1->local == NULL) { 471 IPSECSESSIONTRACEREVENT(iph1->parent_session, 472 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL, 473 CONSTSTR("Failed to duplicate local address"), 474 CONSTSTR("Failed to process Phase 1 message (can't duplicate local address")); 475 plog(ASL_LEVEL_ERR, 476 "Phase 1 failed: dupsaddr failed.\n"); 477 fatal_error(-1); 478 } 479 480 /* set the flag to prevent further port floating 481 (FIXME: should we allow it? E.g. when the NAT gw 482 is rebooted?) */ 483 iph1->natt_flags |= NAT_PORTS_CHANGED | NAT_ADD_NON_ESP_MARKER; 484 485 /* print some neat info */ 486 plog (ASL_LEVEL_INFO, 487 "NAT-T: ports changed to: %s\n", 488 saddr2str_fromto("%s<->%s", (struct sockaddr *)iph1->remote, (struct sockaddr *)iph1->local)); 489 } 490 491 /* must be same addresses in one stream of a phase at least. */ 492 if (cmpsaddrstrict(iph1->remote, remote) != 0) { 493 char *saddr_db, *saddr_act; 494 495 saddr_db = racoon_strdup(saddr2str((struct sockaddr *)iph1->remote)); 496 saddr_act = racoon_strdup(saddr2str((struct sockaddr *)remote)); 497 STRDUP_FATAL(saddr_db); 498 STRDUP_FATAL(saddr_act); 499 500 plog(ASL_LEVEL_WARNING, 501 "Remote address mismatched. db=%s, act=%s\n", 502 saddr_db, saddr_act); 503 504 racoon_free(saddr_db); 505 racoon_free(saddr_act); 506 } 507 508 /* 509 * don't check of exchange type here because other type will have 510 * the same index, for example, informational exchange. 511 */ 512 513 // received ike packets: update dpd checks 514 isakmp_reschedule_info_monitor_if_pending(iph1, "IKE packet received from peer"); 515 516 } 517 518 // 519 // Check exchange type and process accordingly 520 // 521 switch (isakmp->etype) { 522 523 case ISAKMP_ETYPE_IDENT: 524 case ISAKMP_ETYPE_AGG: 525 { 526 /* phase 1 validity check */ 527 if (isakmp->msgid != 0) { 528 plog(ASL_LEVEL_ERR, "Message id should be zero in Phase 1.\n"); 529 return; 530 } 531 532 /* search for isakmp status record of phase 1 */ 533 if (iph1 == NULL) { 534 /* 535 * the packet must be the 1st message from a initiator 536 * or the 2nd message from the responder. 537 */ 538 539 /* search for phase1 handle by index without r_ck */ 540 iph1 = ike_session_getph1byindex0(session, index); 541 if (iph1 == NULL) { 542 /*it must be the 1st message from a initiator.*/ 543 if (memcmp(&isakmp->r_ck, r_ck0, 544 sizeof(cookie_t)) != 0) { 545 546 plog(ASL_LEVEL_DEBUG, "Malformed cookie received " 547 "or the spi expired.\n"); 548 return; 549 } 550 551 /* Initiation of new exchange */ 552 ikev1_ph1begin_r(session, msg, remote, local, isakmp->etype); 553 return; 554 } 555 } 556 557 /* 558 * Don't delete phase 1 handler for mismatch 559 * because of no authentication has been completed. 560 */ 561 if (iph1->etype != isakmp->etype) { 562 IPSECSESSIONTRACEREVENT(iph1->parent_session, 563 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL, 564 CONSTSTR("Mismatched exchange type"), 565 CONSTSTR("Failed to process Phase 1 message (mismatched exchange type)")); 566 plog(ASL_LEVEL_ERR, 567 "Exchange type is mismatched: " 568 "db=%s packet=%s, ignore it.\n", 569 s_isakmp_etype(iph1->etype), 570 s_isakmp_etype(isakmp->etype)); 571 return; 572 } 573 574 if (isakmp->np == ISAKMP_NPTYPE_FRAG) { 575 frag_handler(iph1, msg, remote, local); 576 return; 577 } 578 fsm_ikev1_phase1_process_payloads(iph1, msg); 579 } 580 break; 581 582 case ISAKMP_ETYPE_INFO: 583 case ISAKMP_ETYPE_ACKINFO: 584 { 585 /* 586 * iph1 must be present for Information message. 587 * if iph1 is null then trying to get the phase1 status 588 * as the packet from responder againt initiator's 1st 589 * exchange in phase 1. 590 * NOTE: We think such informational exchange should be ignored. 591 */ 592 if (iph1 == NULL) { 593 iph1 = ike_session_getph1byindex0(session, index); 594 if (iph1 == NULL) { 595 plog(ASL_LEVEL_ERR, "Unknown Informational exchange received.\n"); 596 return; 597 } 598 if (cmpsaddrstrict(iph1->remote, remote) != 0) { 599 plog(ASL_LEVEL_WARNING, 600 "Remote address mismatched. " 601 "db=%s\n", 602 saddr2str((struct sockaddr *)iph1->remote)); 603 } 604 } 605 if (isakmp->np == ISAKMP_NPTYPE_FRAG) 606 return frag_handler(iph1, msg, remote, local); 607 608 if (isakmp_info_recv(iph1, msg) < 0) 609 return; 610 } 611 break; 612 613 case ISAKMP_ETYPE_QUICK: 614 { 615 u_int32_t msgid = isakmp->msgid; 616 phase2_handle_t *iph2; 617 618 if (iph1 == NULL) { 619 isakmp_info_send_nx(isakmp, remote, local, 620 ISAKMP_NTYPE_INVALID_COOKIE, NULL); 621 plog(ASL_LEVEL_ERR, "Can't start the quick mode, " 622 "there is no ISAKMP-SA, %s\n", isakmp_pindex((isakmp_index *)&isakmp->i_ck, 623 isakmp->msgid)); 624 return; 625 } 626 #ifdef ENABLE_HYBRID 627 /* Reinit the IVM if it's still there */ 628 if (iph1->mode_cfg && iph1->mode_cfg->ivm) { 629 oakley_delivm(iph1->mode_cfg->ivm); 630 iph1->mode_cfg->ivm = NULL; 631 } 632 #endif 633 if (isakmp->np == ISAKMP_NPTYPE_FRAG) { 634 frag_handler(iph1, msg, remote, local); 635 return; 636 } 637 638 /* check status of phase 1 whether negotiated or not. */ 639 if (!FSM_STATE_IS_ESTABLISHED(iph1->status)) { 640 IPSECSESSIONTRACEREVENT(iph1->parent_session, 641 IPSECSESSIONEVENTCODE_IKEV1_PH2_INIT_DROP, 642 CONSTSTR("Can't start Phase 2 without valid Phase 1"), 643 CONSTSTR("Failed to start Phase 2 responder (no established Phase 1")); 644 plog(ASL_LEVEL_ERR, "can't start the quick mode, " 645 "there is no valid ISAKMP-SA, %s\n", isakmp_pindex(&iph1->index, iph1->msgid)); 646 return; 647 } 648 649 /* search isakmp phase 2 stauts record. */ 650 iph2 = ike_session_getph2bymsgid(iph1, msgid); 651 if (iph2 == NULL) { 652 /* it must be new negotiation as responder */ 653 ikev1_ph2begin_r(iph1, msg); 654 return; 655 } 656 657 /* commit bit. */ 658 /* XXX 659 * we keep to set commit bit during negotiation. 660 * When SA is configured, bit will be reset. 661 * XXX 662 * don't initiate commit bit. should be fixed in the future. 663 */ 664 if (ISSET(isakmp->flags, ISAKMP_FLAG_C)) 665 iph2->flags |= ISAKMP_FLAG_C; 666 667 if (ISSET(isakmp->flags, ISAKMP_FLAG_E) && 668 (iph2->ph1 == NULL || iph2->ph1->approval == NULL)) { 669 IPSECSESSIONTRACEREVENT(iph2->parent_session, 670 IPSECSESSIONEVENTCODE_IKEV1_PH2_INIT_DROP, 671 CONSTSTR("Can't continue Phase 2 without valid Phase 1"), 672 CONSTSTR("Failed to continue Phase 2 resonder (invalid linked Phase 1")); 673 plog(ASL_LEVEL_ERR, "can't start the quick mode, " 674 "invalid linked ISAKMP-SA\n"); 675 return; 676 } 677 fsm_ikev1_phase2_process_payloads(iph2, msg); 678 } 679 break; 680 681 case ISAKMP_ETYPE_CFG: 682 { 683 if (iph1 == NULL) { 684 plog(ASL_LEVEL_ERR, 685 "mode config %d from %s, " 686 "but we have no ISAKMP-SA.\n", 687 isakmp->etype, saddr2str((struct sockaddr *)remote)); 688 return; 689 } 690 if (!FSM_STATE_IS_ESTABLISHED(iph1->status)) { 691 plog(ASL_LEVEL_ERR, 692 "mode config %d from %s, " 693 "but ISAKMP-SA %s isn't established.\n", 694 isakmp->etype, saddr2str((struct sockaddr *)remote), 695 isakmp_pindex(&iph1->index, iph1->msgid)); 696 return; 697 } 698 if (isakmp->np == ISAKMP_NPTYPE_FRAG) 699 return frag_handler(iph1, msg, remote, local); 700 isakmp_cfg_r(iph1, msg); 701 } 702 break; 703 704 case ISAKMP_ETYPE_NEWGRP: 705 case ISAKMP_ETYPE_AUTH: 706 case ISAKMP_ETYPE_NONE: 707 default: 708 plog(ASL_LEVEL_ERR, 709 "Invalid exchange type %d from %s.\n", 710 isakmp->etype, saddr2str((struct sockaddr *)remote)); 711 break; 712 } 713} 714 715/* new negotiation of phase 1 for initiator */ 716int 717ikev1_ph1begin_i(ike_session_t *session, struct remoteconf *rmconf, struct sockaddr_storage *remote, 718 struct sockaddr_storage *local, int started_by_api) 719{ 720 721 phase1_handle_t *iph1; 722#ifdef ENABLE_STATS 723 struct timeval start, end; 724#endif 725 726 if (session == NULL) { 727 session = ike_session_get_session(local, remote, 1, NULL); 728 if (!session) { 729 plog (ASL_LEVEL_INFO, "failed to allocate or find ike session.\n"); 730 fatal_error(-1); 731 } 732 } 733 734 /* get new entry to isakmp status table. */ 735 iph1 = ike_session_newph1(ISAKMP_VERSION_NUMBER_IKEV1); 736 if (iph1 == NULL) 737 return -1; 738 739 iph1->rmconf = rmconf; 740 retain_rmconf(iph1->rmconf); 741 iph1->side = INITIATOR; 742 iph1->started_by_api = started_by_api; 743 iph1->version = ISAKMP_VERSION_NUMBER_IKEV1; 744 iph1->msgid = 0; 745 iph1->flags = 0; 746 iph1->ph2cnt = 0; 747 748#ifdef ENABLE_HYBRID 749 if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL) { 750 /* don't call remph1(iph1) until after insph1(iph1) is called */ 751 ike_session_delph1(iph1); 752 return -1; 753 } 754#endif 755 756 if(rmconf->ike_frag == ISAKMP_FRAG_FORCE) 757 iph1->frag = 1; 758 else 759 iph1->frag = 0; 760 iph1->frag_chain = NULL; 761 iph1->approval = NULL; 762 763 /* XXX copy remote address */ 764 if (copy_ph1addresses(iph1, rmconf, remote, local) < 0) { 765 /* don't call remph1(iph1) until after insph1(iph1) is called */ 766 iph1 = NULL; /* deleted in copy_ph1addresses */ 767 return -1; 768 } 769 770 if (ike_session_link_phase1(session, iph1) != 0) { 771 plog(ASL_LEVEL_DEBUG, "Failed to link ph1 to session\n"); 772 ike_session_delph1(iph1); 773 return -1; 774 } 775 // HACK!!! to track rekeys across SIGHUPs 776 if (started_by_api == VPN_RESTARTED_BY_API && 777 !iph1->is_rekey) { 778 iph1->parent_session->established = 1; 779 iph1->parent_session->ikev1_state.ph2cnt++; 780 iph1->is_rekey = 1; 781 } 782 783 /* start phase 1 exchange */ 784 iph1->etype = rmconf->etypes->type; 785 if (iph1->etype == ISAKMP_ETYPE_IDENT) 786 fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_I_START); 787 else if (iph1->etype == ISAKMP_ETYPE_AGG) 788 fsm_set_state(&iph1->status, IKEV1_STATE_AGG_I_START); 789 else 790 return -1; 791 792 plog(ASL_LEVEL_DEBUG, "===\n"); 793 { 794 char *a; 795 796 a = racoon_strdup(saddr2str((struct sockaddr *)iph1->local)); 797 STRDUP_FATAL(a); 798 799 plog(ASL_LEVEL_INFO, 800 "initiate new phase 1 negotiation: %s<=>%s\n", 801 a, saddr2str((struct sockaddr *)iph1->remote)); 802 racoon_free(a); 803 } 804 plog(ASL_LEVEL_INFO, 805 "begin %s mode.\n", 806 s_isakmp_etype(iph1->etype)); 807 808#ifdef ENABLE_STATS 809 gettimeofday(&iph1->start, NULL); 810 gettimeofday(&start, NULL); 811#endif 812 813 IPSECLOGASLMSG("IPSec Phase 1 started (Initiated by me).\n"); 814 815 if (fsm_ikev1_phase1_send_response(iph1, NULL)) { 816 ike_session_unlink_phase1(iph1); 817 return -1; 818 } 819 820#ifdef ENABLE_STATS 821 gettimeofday(&end, NULL); 822 syslog(LOG_NOTICE, "%s(%s): %8.6f", 823 "Phase 1", 824 s_isakmp_state(iph1->etype, iph1->side, iph1->status), 825 timedelta(&start, &end)); 826#endif 827 828#ifdef ENABLE_VPNCONTROL_PORT 829 vpncontrol_notify_phase_change(1, FROM_LOCAL, iph1, NULL); 830#endif 831 832 return 0; 833} 834 835/* new negotiation of phase 1 for responder */ 836static int 837ikev1_ph1begin_r(ike_session_t *session, vchar_t *msg, struct sockaddr_storage *remote, 838 struct sockaddr_storage *local, u_int8_t etype) 839{ 840 841 struct isakmp *isakmp = (struct isakmp *)msg->v; 842 struct remoteconf *rmconf; 843 phase1_handle_t *iph1; 844 struct etypes *etypeok; 845#ifdef ENABLE_STATS 846 struct timeval start, end; 847#endif 848 849 /* look for my configuration */ 850 rmconf = getrmconf(remote); 851 if (rmconf == NULL) { 852 plog(ASL_LEVEL_ERR, 853 "couldn't find " 854 "configuration.\n"); 855 return -1; 856 } 857 858 /* check to be acceptable exchange type */ 859 etypeok = check_etypeok(rmconf, etype); 860 if (etypeok == NULL) { 861 plog(ASL_LEVEL_ERR, 862 "not acceptable %s mode\n", s_isakmp_etype(etype)); 863 return -1; 864 } 865 866 /* get new entry to isakmp status table. */ 867 iph1 = ike_session_newph1(ISAKMP_VERSION_NUMBER_IKEV1); 868 if (iph1 == NULL) 869 return -1; 870 871 memcpy(&iph1->index.i_ck, &isakmp->i_ck, sizeof(iph1->index.i_ck)); 872 iph1->rmconf = rmconf; 873 retain_rmconf(iph1->rmconf); 874 iph1->flags = 0; 875 iph1->side = RESPONDER; 876 iph1->started_by_api = 0; 877 iph1->etype = etypeok->type; 878 iph1->version = isakmp->v; 879 iph1->msgid = 0; 880 881 if (iph1->etype == ISAKMP_ETYPE_IDENT) 882 fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_R_START); 883 else if (iph1->etype == ISAKMP_ETYPE_AGG) 884 fsm_set_state(&iph1->status, IKEV1_STATE_AGG_R_START); 885 else 886 return -1; 887 888 889#ifdef ENABLE_HYBRID 890 if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL) { 891 /* don't call remph1(iph1) until after insph1(iph1) is called */ 892 ike_session_delph1(iph1); 893 return -1; 894 } 895#endif 896 897 iph1->frag = 0; 898 iph1->frag_chain = NULL; 899 iph1->approval = NULL; 900 901 /* RFC3947 says that we MUST accept new phases1 on NAT-T floated port. 902 * We have to setup this flag now to correctly generate the first reply. 903 * Don't know if a better check could be done for that ? 904 */ 905 if(extract_port(local) == lcconf->port_isakmp_natt) 906 iph1->natt_flags |= (NAT_PORTS_CHANGED); 907 908 /* copy remote address */ 909 if (copy_ph1addresses(iph1, rmconf, remote, local) < 0) { 910 /* don't call remph1(iph1) until after insph1(iph1) is called */ 911 iph1 = NULL; /* deleted in copy_ph1addresses */ 912 return -1; 913 } 914 915 if (ike_session_link_phase1(session, iph1) != 0) { 916 ike_session_delph1(iph1); 917 return -1; 918 } 919 920 plog(ASL_LEVEL_DEBUG, "===\n"); 921 { 922 char *a; 923 924 a = racoon_strdup(saddr2str((struct sockaddr *)iph1->local)); 925 STRDUP_FATAL(a); 926 927 plog(ASL_LEVEL_INFO, 928 "respond new phase 1 negotiation: %s<=>%s\n", 929 a, saddr2str((struct sockaddr *)iph1->remote)); 930 racoon_free(a); 931 } 932 plog(ASL_LEVEL_INFO, 933 "begin %s mode.\n", s_isakmp_etype(etype)); 934 935#ifdef ENABLE_STATS 936 gettimeofday(&iph1->start, NULL); 937 gettimeofday(&start, NULL); 938#endif 939 940 IPSECLOGASLMSG("IPSec Phase 1 started (Initiated by peer).\n"); 941 942 /* now that we have a phase1 handle, feed back into our 943 * main receive function to catch fragmented packets 944 */ 945 isakmp_main(msg, remote, local); 946 return 0; 947} 948 949/* new negotiation of phase 2 for initiator */ 950static int 951ikev1_ph2begin_i(phase1_handle_t *iph1, phase2_handle_t *iph2) 952{ 953 954#ifdef ENABLE_HYBRID 955 if (xauth_check(iph1) != 0) { 956 plog(ASL_LEVEL_ERR, 957 "Attempt to start phase 2 whereas Xauth failed\n"); 958 return -1; 959 } 960#endif 961 962 /* found ISAKMP-SA. */ 963 plog(ASL_LEVEL_DEBUG, "===\n"); 964 plog(ASL_LEVEL_DEBUG, "begin QUICK mode.\n"); 965 { 966 char *a; 967 a = racoon_strdup(saddr2str((struct sockaddr *)iph2->src)); 968 STRDUP_FATAL(a); 969 970 plog(ASL_LEVEL_INFO, 971 "initiate new phase 2 negotiation: %s<=>%s\n", 972 a, saddr2str((struct sockaddr *)iph2->dst)); 973 racoon_free(a); 974 } 975 976#ifdef ENABLE_STATS 977 gettimeofday(&iph2->start, NULL); 978#endif 979 980 iph2->is_dying = 0; 981 fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_I_START); 982 983 IPSECLOGASLMSG("IPSec Phase 2 started (Initiated by me).\n"); 984 if (quick_iprep(iph2, NULL)) 985 return -1; 986 987#ifdef ENABLE_VPNCONTROL_PORT 988 vpncontrol_notify_phase_change(1, FROM_LOCAL, NULL, iph2); 989#endif 990 991 return 0; 992} 993 994/* new negotiation of phase 2 for responder */ 995static int 996ikev1_ph2begin_r(phase1_handle_t *iph1, vchar_t *msg) 997{ 998 struct isakmp *isakmp = (struct isakmp *)msg->v; 999 phase2_handle_t *iph2 = 0; 1000 int error; 1001#ifdef ENABLE_STATS 1002 struct timeval start, end; 1003#endif 1004#ifdef ENABLE_HYBRID 1005 if (xauth_check(iph1) != 0) { 1006 plog(ASL_LEVEL_ERR, 1007 "Attempt to start Phase 2 whereas Xauth failed\n"); 1008 return -1; 1009 } 1010#endif 1011 1012 iph2 = ike_session_newph2(ISAKMP_VERSION_NUMBER_IKEV1, PHASE2_TYPE_SA); 1013 if (iph2 == NULL) { 1014 plog(ASL_LEVEL_ERR, 1015 "failed to allocate Phase 2 entry.\n"); 1016 return -1; 1017 } 1018 1019 iph2->side = RESPONDER; 1020 iph2->version = ISAKMP_VERSION_NUMBER_IKEV1; 1021 fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_R_START); 1022 iph2->flags = isakmp->flags; 1023 iph2->msgid = isakmp->msgid; 1024 iph2->seq = pk_getseq(); 1025 iph2->ivm = oakley_newiv2(iph1, iph2->msgid); 1026 if (iph2->ivm == NULL) { 1027 ike_session_delph2(iph2); 1028 return -1; 1029 } 1030 iph2->dst = dupsaddr(iph1->remote); /* XXX should be considered */ 1031 if (iph2->dst == NULL) { 1032 ike_session_delph2(iph2); 1033 return -1; 1034 } 1035 switch (iph2->dst->ss_family) { 1036 case AF_INET: 1037#ifndef ENABLE_NATT 1038 ((struct sockaddr_in *)iph2->dst)->sin_port = 0; 1039#endif 1040 break; 1041#ifdef INET6 1042 case AF_INET6: 1043#ifndef ENABLE_NATT 1044 ((struct sockaddr_in6 *)iph2->dst)->sin6_port = 0; 1045#endif 1046 break; 1047#endif 1048 default: 1049 plog(ASL_LEVEL_ERR, 1050 "invalid family: %d\n", iph2->dst->ss_family); 1051 ike_session_delph2(iph2); 1052 return -1; 1053 } 1054 1055 iph2->src = dupsaddr(iph1->local); /* XXX should be considered */ 1056 if (iph2->src == NULL) { 1057 ike_session_delph2(iph2); 1058 return -1; 1059 } 1060 switch (iph2->src->ss_family) { 1061 case AF_INET: 1062#ifndef ENABLE_NATT 1063 ((struct sockaddr_in *)iph2->src)->sin_port = 0; 1064#endif 1065 break; 1066#ifdef INET6 1067 case AF_INET6: 1068#ifndef ENABLE_NATT 1069 ((struct sockaddr_in6 *)iph2->src)->sin6_port = 0; 1070#endif 1071 break; 1072#endif 1073 default: 1074 plog(ASL_LEVEL_ERR, 1075 "invalid family: %d\n", iph2->src->ss_family); 1076 ike_session_delph2(iph2); 1077 return -1; 1078 } 1079 1080 if (ike_session_link_ph2_to_ph1(iph1, iph2)) 1081 return -1; 1082 iph2->is_dying = 0; 1083 1084 plog(ASL_LEVEL_DEBUG, "===\n"); 1085 { 1086 char *a; 1087 1088 a = racoon_strdup(saddr2str((struct sockaddr *)iph2->src)); 1089 STRDUP_FATAL(a); 1090 1091 plog(ASL_LEVEL_INFO, 1092 "respond new phase 2 negotiation: %s<=>%s\n", 1093 a, saddr2str((struct sockaddr *)iph2->dst)); 1094 racoon_free(a); 1095 } 1096 1097#ifdef ENABLE_STATS 1098 gettimeofday(&start, NULL); 1099#endif 1100 1101 IPSECLOGASLMSG("IPSec Phase 2 started (Initiated by peer).\n"); 1102 1103 error = fsm_ikev1_phase2_process_payloads(iph2, msg); 1104 if (error) 1105 return error; 1106 1107#ifdef ENABLE_VPNCONTROL_PORT 1108 vpncontrol_notify_phase_change(1, FROM_REMOTE, NULL, iph2); 1109#endif 1110 1111 return 0; 1112} 1113 1114int 1115ikev1_phase1_established(phase1_handle_t *iph1) 1116{ 1117 int spi_cmp; 1118 u_int rekey_lifetime; 1119 int ini_contact = iph1->rmconf->ini_contact; 1120 1121#ifdef ENABLE_STATS 1122 gettimeofday(&iph1->end, NULL); 1123 syslog(LOG_NOTICE, "%s(%s): %8.6f", 1124 "Phase 1", s_isakmp_etype(iph1->etype), 1125 timedelta(&iph1->start, &iph1->end)); 1126#endif 1127 1128#ifdef ENABLE_VPNCONTROL_PORT 1129 1130 if (iph1->side == RESPONDER && 1131 iph1->local->ss_family == AF_INET) { 1132 1133 struct redirect *addr; 1134 1135 LIST_FOREACH(addr, &lcconf->redirect_addresses, chain) { 1136 if (((struct sockaddr_in *)iph1->local)->sin_addr.s_addr == addr->cluster_address) { 1137 vchar_t *raddr = vmalloc(sizeof(u_int32_t)); 1138 1139 if (raddr == NULL) { 1140 plog(ASL_LEVEL_ERR, 1141 "failed to send redirect message - memory error.\n"); 1142 } else { 1143 memcpy(raddr->v, &addr->redirect_address, sizeof(u_int32_t)); 1144 (void)isakmp_info_send_n1(iph1, ISAKMP_NTYPE_LOAD_BALANCE, raddr); 1145 plog(ASL_LEVEL_DEBUG, "sent redirect notification - address = %x.\n", ntohl(addr->redirect_address)); 1146 vfree(raddr); 1147 if (addr->force) { 1148 (void)ike_session_update_ph1_ph2tree(iph1); 1149 isakmp_ph1expire(iph1); 1150 } 1151 } 1152 } 1153 return 0; 1154 } 1155 } 1156#endif 1157 /* save created date. */ 1158 (void)time(&iph1->created); 1159 1160 /* add to the schedule to expire, and save back pointer. */ 1161 iph1->sce = sched_new(iph1->approval->lifetime, 1162 isakmp_ph1expire_stub, iph1); 1163 1164 if (iph1->rmconf->initiate_ph1rekey) { 1165 if (iph1->side == INITIATOR) { 1166 spi_cmp = memcmp(&iph1->index.i_ck, &iph1->index.r_ck, sizeof(iph1->index.i_ck)); 1167 if (spi_cmp == 0) 1168 spi_cmp = 1; 1169 } else { 1170 spi_cmp = memcmp(&iph1->index.r_ck, &iph1->index.i_ck, sizeof(iph1->index.r_ck)); 1171 if (spi_cmp == 0) 1172 spi_cmp = -1; 1173 } 1174 rekey_lifetime = ike_session_get_rekey_lifetime((spi_cmp > 0), 1175 iph1->approval->lifetime); 1176 if (rekey_lifetime) { 1177 iph1->sce_rekey = sched_new(rekey_lifetime, 1178 isakmp_ph1rekeyexpire_stub, 1179 iph1); 1180 } else { 1181 /* iph1->approval->lifetime is too small (e.g. 1) so why bother? 1182 * LOG ERROR 1183 */ 1184 plog(ASL_LEVEL_ERR, 1185 "failed to get rekey timer - lifetime is too small... probably.\n"); 1186 } 1187 } 1188 1189#ifdef ENABLE_HYBRID 1190 /* ignore xauth if it is a rekey */ 1191 if (!iph1->is_rekey && 1192 iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) { 1193 switch(AUTHMETHOD(iph1)) { 1194 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R: 1195 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R: 1196 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: 1197 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R: 1198 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: 1199 xauth_sendreq(iph1); 1200 /* XXX Don't process INITIAL_CONTACT */ 1201 ini_contact = 0; 1202 break; 1203 default: 1204 break; 1205 } 1206 } 1207#endif 1208#ifdef ENABLE_DPD 1209 /* Schedule the r_u_there.... */ 1210 if(iph1->dpd_support && iph1->rmconf->dpd_interval) 1211 isakmp_sched_r_u(iph1, 0); 1212#endif 1213 1214 /* INITIAL-CONTACT processing */ 1215 /* ignore initial-contact if it is a rekey */ 1216 /* don't send anything if local test mode. */ 1217 if (!iph1->is_rekey && !f_local && ini_contact && !ike_session_getcontacted(iph1->remote)) { 1218 /* send INITIAL-CONTACT */ 1219 isakmp_info_send_n1(iph1, 1220 ISAKMP_NTYPE_INITIAL_CONTACT, NULL); 1221 /* insert a node into contacted list. */ 1222 if (ike_session_inscontacted(iph1->remote) == -1) { 1223 plog(ASL_LEVEL_ERR, 1224 "failed to add contacted list.\n"); 1225 /* ignore */ 1226 } 1227 } 1228 1229 log_ph1established(iph1); 1230 plog(ASL_LEVEL_DEBUG, "===\n"); 1231 1232 ike_session_cleanup_other_established_ph1s(iph1->parent_session, iph1); 1233 1234#ifdef ENABLE_VPNCONTROL_PORT 1235 vpncontrol_notify_phase_change(0, FROM_LOCAL, iph1, NULL); 1236 vpncontrol_notify_peer_resp_ph1(1, iph1); 1237#endif 1238 1239 return 0; 1240} 1241 1242/* 1243 * parse ISAKMP payloads, without ISAKMP base header. 1244 */ 1245vchar_t * 1246isakmp_parsewoh(np0, gen, len) 1247 int np0; 1248 struct isakmp_gen *gen; 1249 int len; 1250{ 1251 u_char np = np0 & 0xff; 1252 int tlen, plen; 1253 vchar_t *result; 1254 struct isakmp_parse_t *p, *ep; 1255 1256 plog(ASL_LEVEL_DEBUG, "begin.\n"); 1257 1258 /* 1259 * 5 is a magic number, but any value larger than 2 should be fine 1260 * as we do vrealloc() in the following loop. 1261 */ 1262 result = vmalloc(sizeof(struct isakmp_parse_t) * 5); 1263 if (result == NULL) { 1264 plog(ASL_LEVEL_ERR, 1265 "failed to get buffer.\n"); 1266 return NULL; 1267 } 1268 // Wcast-align fix (void*) - result = aligned buffer of struct isakmp_parse_t 1269 p = ALIGNED_CAST(struct isakmp_parse_t *)result->v; 1270 ep = ALIGNED_CAST(struct isakmp_parse_t *)(result->v + result->l - sizeof(*ep)); 1271 1272 tlen = len; 1273 1274 /* parse through general headers */ 1275 while (0 < tlen && np != ISAKMP_NPTYPE_NONE) { 1276 if (tlen <= sizeof(struct isakmp_gen)) { 1277 /* don't send information, see isakmp_ident_r1() */ 1278 plog(ASL_LEVEL_ERR, 1279 "invalid length of payload\n"); 1280 vfree(result); 1281 return NULL; 1282 } 1283 1284 plog(ASL_LEVEL_DEBUG, 1285 "seen nptype=%u(%s)\n", np, s_isakmp_nptype(np)); 1286 1287 p->type = np; 1288 p->len = ntohs(gen->len); 1289 if (p->len < sizeof(struct isakmp_gen) || p->len > tlen) { 1290 plog(ASL_LEVEL_DEBUG, 1291 "invalid length of payload\n"); 1292 vfree(result); 1293 return NULL; 1294 } 1295 p->ptr = gen; 1296 p++; 1297 if (ep <= p) { 1298 int off; 1299 1300 off = p - ALIGNED_CAST(struct isakmp_parse_t *)result->v; 1301 result = vrealloc(result, result->l * 2); 1302 if (result == NULL) { 1303 plog(ASL_LEVEL_DEBUG, 1304 "failed to realloc buffer.\n"); 1305 vfree(result); 1306 return NULL; 1307 } 1308 ep = ALIGNED_CAST(struct isakmp_parse_t *) 1309 (result->v + result->l - sizeof(*ep)); 1310 p = ALIGNED_CAST(struct isakmp_parse_t *)result->v; 1311 p += off; 1312 } 1313 1314 np = gen->np; 1315 plen = ntohs(gen->len); 1316 gen = (struct isakmp_gen *)((caddr_t)gen + plen); 1317 tlen -= plen; 1318 } 1319 p->type = ISAKMP_NPTYPE_NONE; 1320 p->len = 0; 1321 p->ptr = NULL; 1322 1323 plog(ASL_LEVEL_DEBUG, "succeed.\n"); 1324 1325 return result; 1326} 1327 1328/* 1329 * parse ISAKMP payloads, including ISAKMP base header. 1330 */ 1331vchar_t * 1332isakmp_parse(buf) 1333 vchar_t *buf; 1334{ 1335 struct isakmp *isakmp = (struct isakmp *)buf->v; 1336 struct isakmp_gen *gen; 1337 int tlen; 1338 vchar_t *result; 1339 u_char np; 1340 1341 np = isakmp->np; 1342 gen = (struct isakmp_gen *)(buf->v + sizeof(*isakmp)); 1343 tlen = buf->l - sizeof(struct isakmp); 1344 result = isakmp_parsewoh(np, gen, tlen); 1345 1346 return result; 1347} 1348 1349int 1350isakmp_init(void) 1351{ 1352 1353 ike_session_initctdtree(); 1354 ike_session_init_recvdpkt(); 1355 1356 if (isakmp_open() < 0) 1357 goto err; 1358 1359 return(0); 1360 1361err: 1362 isakmp_close(); 1363 return(-1); 1364} 1365 1366void 1367isakmp_cleanup() 1368{ 1369 ike_session_clear_recvdpkt(); 1370 ike_session_clear_contacted(); 1371} 1372 1373/* 1374 * make strings containing i_cookie + r_cookie + msgid 1375 */ 1376const char * 1377isakmp_pindex(index, msgid) 1378 const isakmp_index *index; 1379 const u_int32_t msgid; 1380{ 1381 static char buf[64]; 1382 const u_char *p; 1383 int i, j; 1384 1385 memset(buf, 0, sizeof(buf)); 1386 1387 /* copy index */ 1388 p = (const u_char *)index; 1389 for (j = 0, i = 0; i < sizeof(isakmp_index); i++) { 1390 snprintf((char *)&buf[j], sizeof(buf) - j, "%02x", p[i]); 1391 j += 2; 1392 switch (i) { 1393 case 7: 1394 buf[j++] = ':'; 1395 } 1396 } 1397 1398 if (msgid == 0) 1399 return buf; 1400 1401 /* copy msgid */ 1402 snprintf((char *)&buf[j], sizeof(buf) - j, ":%08x", ntohs(msgid)); 1403 1404 return buf; 1405} 1406 1407 1408/* open ISAKMP sockets. */ 1409int 1410isakmp_open(void) 1411{ 1412 const int yes = 1; 1413 int ifnum = 0, encap_ifnum = 0; 1414#ifdef INET6 1415 int pktinfo; 1416#endif 1417 struct myaddrs *p; 1418 int tentative_failures = 0; 1419 int s; 1420 1421 for (p = lcconf->myaddrs; p; p = p->next) { 1422 if (!p->addr) 1423 continue; 1424 if (p->sock != -1) { 1425 ifnum++; 1426 if (p->udp_encap) 1427 encap_ifnum++; 1428 continue; // socket already open 1429 } 1430 1431 /* warn if wildcard address - should we forbid this? */ 1432 switch (p->addr->ss_family) { 1433 case AF_INET: 1434 if (((struct sockaddr_in *)p->addr)->sin_addr.s_addr == 0) 1435 plog(ASL_LEVEL_WARNING, 1436 "listening to wildcard address," 1437 "broadcast IKE packet may kill you\n"); 1438 break; 1439#ifdef INET6 1440 case AF_INET6: 1441 if (IN6_IS_ADDR_UNSPECIFIED(&((struct sockaddr_in6 *)p->addr)->sin6_addr)) 1442 plog(ASL_LEVEL_WARNING, 1443 "listening to wildcard address, " 1444 "broadcast IKE packet may kill you\n"); 1445 break; 1446#endif 1447 default: 1448 plog(ASL_LEVEL_ERR, 1449 "unsupported address family %d\n", 1450 lcconf->default_af); 1451 goto err_and_next; 1452 } 1453 1454#ifdef INET6 1455 if (p->addr->ss_family == AF_INET6 && 1456 IN6_IS_ADDR_MULTICAST(&((struct sockaddr_in6 *) 1457 p->addr)->sin6_addr)) 1458 { 1459 plog(ASL_LEVEL_DEBUG, 1460 "Ignoring multicast address %s\n", 1461 saddr2str((struct sockaddr *)p->addr)); 1462 racoon_free(p->addr); 1463 p->addr = NULL; 1464 continue; 1465 } 1466#endif 1467 1468 if ((p->sock = socket(p->addr->ss_family, SOCK_DGRAM, 0)) < 0) { 1469 plog(ASL_LEVEL_ERR, 1470 "socket (%s)\n", strerror(errno)); 1471 goto err_and_next; 1472 } 1473 1474 if (fcntl(p->sock, F_SETFL, O_NONBLOCK) == -1) 1475 plog(ASL_LEVEL_ERR, "failed to put socket in non-blocking mode\n"); 1476 1477 /* receive my interface address on inbound packets. */ 1478 switch (p->addr->ss_family) { 1479 case AF_INET: 1480 if (setsockopt(p->sock, IPPROTO_IP, 1481 IP_RECVDSTADDR, 1482 (const void *)&yes, sizeof(yes)) < 0) { 1483 plog(ASL_LEVEL_ERR, 1484 "setsockopt IP_RECVDSTADDR (%s)\n", 1485 strerror(errno)); 1486 goto err_and_next; 1487 } 1488 break; 1489#ifdef INET6 1490 case AF_INET6: 1491#ifdef INET6_ADVAPI 1492 pktinfo = IPV6_RECVPKTINFO; 1493#else 1494 pktinfo = IPV6_RECVDSTADDR; 1495#endif 1496 if (setsockopt(p->sock, IPPROTO_IPV6, pktinfo, 1497 (const void *)&yes, sizeof(yes)) < 0) 1498 { 1499 plog(ASL_LEVEL_ERR, 1500 "setsockopt IPV6_RECVDSTADDR (%d):%s\n", 1501 pktinfo, strerror(errno)); 1502 goto err_and_next; 1503 } 1504 break; 1505#endif 1506 } 1507 1508#ifdef IPV6_USE_MIN_MTU 1509 if (p->addr->ss_family == AF_INET6 && 1510 setsockopt(p->sock, IPPROTO_IPV6, IPV6_USE_MIN_MTU, 1511 (void *)&yes, sizeof(yes)) < 0) { 1512 plog(ASL_LEVEL_ERR, 1513 "setsockopt IPV6_USE_MIN_MTU (%s)\n", 1514 strerror(errno)); 1515 return -1; 1516 } 1517#endif 1518 1519 if (setsockopt_bypass(p->sock, p->addr->ss_family) < 0) 1520 goto err_and_next; 1521 1522 if (setsockopt(p->sock, SOL_SOCKET, SO_REUSEADDR, (const void *)&yes, sizeof(yes)) < 0) { 1523 plog(ASL_LEVEL_ERR, "setsockopt SO_REUSEADDR (%s)\n", strerror(errno)); 1524 goto err_and_next; 1525 } 1526 1527 if (setsockopt(p->sock, SOL_SOCKET, SO_REUSEPORT, (const void *)&yes, sizeof(yes)) < 0) { 1528 plog(ASL_LEVEL_ERR, "setsockopt SO_REUSEPORT (%s)\n", strerror(errno)); 1529 goto err_and_next; 1530 } 1531 1532 if (extract_port(p->addr) == PORT_ISAKMP) { 1533 if (setsockopt(p->sock, SOL_SOCKET, SO_NOTIFYCONFLICT, 1534 (void *)&yes, sizeof(yes)) < 0) { 1535 plog(ASL_LEVEL_ERR, 1536 "setsockopt (%s)\n", strerror(errno)); 1537 goto err_and_next; 1538 } 1539 } 1540 1541 if (bind(p->sock, (struct sockaddr *)p->addr, sysdep_sa_len((struct sockaddr *)p->addr)) < 0) { 1542 int tmp_errno = errno; 1543 plog(ASL_LEVEL_ERR, 1544 "failed to bind to address %s (%s).\n", 1545 saddr2str((struct sockaddr *)p->addr), strerror(tmp_errno)); 1546#ifdef INET6 1547 // if bind failed b/c of a tentative v6 address, try again later 1548 if (tmp_errno == EADDRNOTAVAIL && p->addr->ss_family == AF_INET6) { 1549 struct in6_ifreq ifr6; 1550 1551 bzero(&ifr6, sizeof(ifr6)); 1552 strlcpy(ifr6.ifr_name, p->ifname, sizeof(ifr6.ifr_name)); 1553 memcpy(&ifr6.ifr_addr, p->addr, sizeof(ifr6.ifr_addr)); 1554 if (ioctl(p->sock, SIOCGIFAFLAG_IN6, &ifr6) >= 0) { 1555 /* 1556 * the tentative flag may have cleared between the bind() and ioctl() calls (i.e due to timing), so 1557 * try infering that it was tentative from ensuring the absense other cases of EADDRNOTAVAIL. 1558 */ 1559 if ((ifr6.ifr_ifru.ifru_flags6 & (IN6_IFF_ANYCAST | IN6_IFF_DUPLICATED | IN6_IFF_DETACHED | IN6_IFF_DEPRECATED)) == 0) { 1560 // address may have been tentantive... invalidate sock but leave address around for another try later 1561 plog(ASL_LEVEL_ERR, 1562 "failed to bind to address %s: because interface address is/was not ready (flags %x).\n", 1563 saddr2str((struct sockaddr *)p->addr), ifr6.ifr_ifru.ifru_flags6); 1564 close(p->sock); 1565 p->sock = -1; 1566 tentative_failures = 1; 1567 continue; 1568 } else { 1569 plog(ASL_LEVEL_ERR, 1570 "failed to bind to address %s: because of interface address error, flags %x.\n", 1571 saddr2str((struct sockaddr *)p->addr), ifr6.ifr_ifru.ifru_flags6); 1572 } 1573 } else { 1574 plog(ASL_LEVEL_ERR, 1575 "failed to bind to address %s: can't read interface address flags.\n", 1576 saddr2str((struct sockaddr *)p->addr)); 1577 } 1578 } 1579#endif 1580 close(p->sock); 1581 p->sock = -1; 1582 goto err_and_next; 1583 } 1584 1585 ifnum++; 1586 if (p->udp_encap) 1587 encap_ifnum++; 1588 1589 s = p->sock; 1590 1591 if (p->source != NULL) { 1592 dispatch_source_cancel(p->source); 1593 p->source = NULL; 1594 } 1595 p->source = dispatch_source_create(DISPATCH_SOURCE_TYPE_READ, p->sock, 0, dispatch_get_main_queue()); 1596 if (p->source == NULL) { 1597 plog(ASL_LEVEL_ERR, "could not create isakmp socket source."); 1598 return -1; 1599 } 1600 dispatch_source_set_event_handler(p->source, 1601 ^{ 1602 isakmp_handler(s); 1603 }); 1604 dispatch_source_t the_source = p->source; 1605 dispatch_source_set_cancel_handler(p->source, 1606 ^{ 1607 close(s); 1608 dispatch_release(the_source); 1609 }); dispatch_resume(p->source); 1610 1611 plog(ASL_LEVEL_INFO, 1612 "%s used as isakmp port (fd=%d)\n", 1613 saddr2str((struct sockaddr *)p->addr), p->sock); 1614 continue; 1615 1616 err_and_next: 1617 racoon_free(p->addr); 1618 p->addr = NULL; 1619 p->sock = -1; 1620 if (! lcconf->autograbaddr && lcconf->strict_address) { 1621 return -1; 1622 } 1623 1624 continue; 1625 } 1626 1627 if (!ifnum) { 1628 plog(ASL_LEVEL_ERR, 1629 "no address could be bound.\n"); 1630 1631 return -1; 1632 } 1633 1634#ifdef ENABLE_NATT 1635 if (natt_enabled_in_rmconf() && !encap_ifnum) { 1636 plog(ASL_LEVEL_WARNING, 1637 "NAT-T is enabled in at least one remote{} section,\n"); 1638 plog(ASL_LEVEL_WARNING, 1639 "but no 'isakmp_natt' address was specified!\n"); 1640 } 1641#endif 1642 1643 if (tentative_failures) 1644 sched_new(5, update_myaddrs, NULL); 1645 1646 return 0; 1647} 1648 1649void 1650isakmp_suspend_sockets() 1651{ 1652 struct myaddrs *p; 1653 1654 for (p = lcconf->myaddrs; p; p = p->next) { 1655 if (p->source) 1656 dispatch_suspend(p->source); 1657 } 1658} 1659 1660void 1661isakmp_close() 1662{ 1663 isakmp_close_sockets(); 1664 clear_myaddr(); 1665} 1666 1667void 1668isakmp_close_sockets() 1669{ 1670 struct myaddrs *p; 1671 1672 for (p = lcconf->myaddrs; p; p = p->next) { 1673 1674 if (!p->addr) 1675 continue; 1676 1677 if (p->source) { 1678 dispatch_source_cancel(p->source); 1679 p->source = NULL; 1680 p->in_use = 0; 1681 p->sock = -1; 1682 } 1683 } 1684} 1685 1686 1687// close sockets for addresses that have gone away 1688void 1689isakmp_close_unused() 1690{ 1691 struct myaddrs *p, *next, **prev; 1692 1693 prev = &(lcconf->myaddrs); 1694 for (p = lcconf->myaddrs; p; p = next) { 1695 next = p->next; 1696 if (p->in_use == 0) { // not in use ? 1697 if (p->source) { 1698 dispatch_source_cancel(p->source); 1699 p->source = NULL; 1700 } 1701 *prev = p->next; 1702 delmyaddr(p); 1703 } else 1704 prev = &(p->next); 1705 } 1706} 1707 1708int 1709isakmp_send(iph1, sbuf) 1710 phase1_handle_t *iph1; 1711 vchar_t *sbuf; 1712{ 1713 int len = 0; 1714 int s; 1715 vchar_t *vbuf = NULL; 1716 1717#ifdef ENABLE_NATT 1718 size_t extralen = NON_ESP_MARKER_USE(iph1) ? NON_ESP_MARKER_LEN : 0; 1719 1720#ifdef ENABLE_FRAG 1721 /* 1722 * Do not add the non ESP marker for a packet that will 1723 * be fragmented. The non ESP marker should appear in 1724 * all fragment's packets, but not in the fragmented packet 1725 */ 1726 if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN) 1727 extralen = 0; 1728#endif 1729 if (extralen) 1730 plog (ASL_LEVEL_DEBUG, "Adding NON-ESP marker\n"); 1731 1732 /* If NAT-T port floating is in use, 4 zero bytes (non-ESP marker) 1733 must added just before the packet itself. For this we must 1734 allocate a new buffer and release it at the end. */ 1735 if (extralen) { 1736 if ((vbuf = vmalloc (sbuf->l + extralen)) == NULL) { 1737 plog(ASL_LEVEL_ERR, 1738 "vbuf allocation failed\n"); 1739 return -1; 1740 } 1741 *ALIGNED_CAST(u_int32_t *)vbuf->v = 0; 1742 memcpy (vbuf->v + extralen, sbuf->v, sbuf->l); 1743 sbuf = vbuf; 1744 } 1745#endif 1746 1747 /* select the socket to be sent */ 1748 s = getsockmyaddr((struct sockaddr *)iph1->local); 1749 if (s == -1){ 1750 if ( vbuf != NULL ) 1751 vfree(vbuf); 1752 return -1; 1753 } 1754 1755 plog (ASL_LEVEL_DEBUG, "%zu bytes %s\n", sbuf->l, 1756 saddr2str_fromto("from %s to %s", (struct sockaddr *)iph1->local, (struct sockaddr *)iph1->remote)); 1757 1758#ifdef ENABLE_FRAG 1759 if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN) { 1760 if (isakmp_sendfrags(iph1, sbuf) == -1) { 1761 plog(ASL_LEVEL_ERR, 1762 "isakmp_sendfrags failed\n"); 1763 if ( vbuf != NULL ) 1764 vfree(vbuf); 1765 return -1; 1766 } 1767 } else 1768#endif 1769 { 1770 len = sendfromto(s, sbuf->v, sbuf->l, 1771 iph1->local, iph1->remote, lcconf->count_persend); 1772 if (len == -1) { 1773 plog(ASL_LEVEL_ERR, "sendfromto failed\n"); 1774 if ( vbuf != NULL ) 1775 vfree(vbuf); 1776 return -1; 1777 } 1778 } 1779 1780 if ( vbuf != NULL ) 1781 vfree(vbuf); 1782 1783 return 0; 1784} 1785 1786/* called from scheduler */ 1787void 1788isakmp_ph1resend_stub(p) 1789 void *p; 1790{ 1791 phase1_handle_t *iph1; 1792 1793 iph1=(phase1_handle_t *)p; 1794 if(isakmp_ph1resend(iph1) < 0){ 1795 if(iph1->scr != 0){ 1796 /* Should not happen... 1797 */ 1798 SCHED_KILL(iph1->scr); 1799 } 1800 1801 ike_session_unlink_phase1(iph1); 1802 } 1803} 1804 1805int 1806isakmp_ph1resend(iph1) 1807 phase1_handle_t *iph1; 1808{ 1809 time_t retry_interval; 1810 1811 // make sure there is a buffer to send 1812 // isakmp_plist_set_all() could have returned NULL 1813 if (iph1->sendbuf == NULL) 1814 return -1; 1815 1816 /* Note: NEVER do the rem/del here, it will be done by the caller or by the _stub function 1817 */ 1818 if (iph1->retry_counter <= 0) { 1819 IPSECSESSIONTRACEREVENT(iph1->parent_session, 1820 IPSECSESSIONEVENTCODE_IKEV1_PH1_MAX_RETRANSMIT, 1821 CONSTSTR("Phase 1 Maximum Retransmits"), 1822 CONSTSTR("Phase 1 negotiation failed (Maximum retransmits)")); 1823 1824 plog(ASL_LEVEL_ERR, 1825 "Phase 1 negotiation failed due to time up. %s\n", 1826 isakmp_pindex(&iph1->index, iph1->msgid)); 1827 if (iph1->side == INITIATOR && iph1->is_rekey && iph1->parent_session && iph1->parent_session->is_client) { 1828 /* to get around a bug on the peer, in which rekeys to port 4500 are dropped */ 1829 if (isakmp_ph1rekeyretry(iph1) == 0) 1830 return 0; 1831 } 1832 return -1; 1833 } else { 1834 ike_session_ph1_retransmits(iph1); 1835 } 1836 1837 if (isakmp_send(iph1, iph1->sendbuf) < 0){ 1838 if (iph1->rmconf->retry_counter != iph1->retry_counter) { 1839 IPSECSESSIONTRACEREVENT(iph1->parent_session, 1840 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL, 1841 CONSTSTR("Phase 1 Retransmit"), 1842 CONSTSTR("Failed to retrasmit Phase1")); 1843 } 1844 plog(ASL_LEVEL_ERR, 1845 "Phase 1 negotiation failed due to send error. %s\n", 1846 isakmp_pindex(&iph1->index, iph1->msgid)); 1847 return -1; 1848 } 1849 1850 if (iph1->rmconf->retry_counter != iph1->retry_counter) { 1851 IPSECSESSIONTRACEREVENT(iph1->parent_session, 1852 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC, 1853 CONSTSTR("Phase 1 Retransmit"), 1854 CONSTSTR(NULL)); 1855 } 1856 1857 plog(ASL_LEVEL_DEBUG, 1858 "Resend Phase 1 packet %s\n", 1859 isakmp_pindex(&iph1->index, iph1->msgid)); 1860 1861 iph1->retry_counter--; 1862 retry_interval = ike_session_get_exp_retx_interval((iph1->rmconf->retry_counter - iph1->retry_counter), 1863 iph1->rmconf->retry_interval); 1864 iph1->scr = sched_new(retry_interval, 1865 isakmp_ph1resend_stub, iph1); 1866 1867 return 0; 1868} 1869 1870/* called from scheduler */ 1871void 1872isakmp_ph2resend_stub(p) 1873 void *p; 1874{ 1875 phase2_handle_t *iph2; 1876 1877 iph2=(phase2_handle_t *)p; 1878 1879 if(isakmp_ph2resend(iph2) < 0){ 1880 ike_session_unlink_phase2(iph2); 1881 } 1882} 1883 1884int 1885isakmp_ph2resend(iph2) 1886 phase2_handle_t *iph2; 1887{ 1888 time_t retry_interval; 1889 1890 /* Note: NEVER do the unbind/rem/del here, it will be done by the caller or by the _stub function 1891 */ 1892 //%%% BUG FIX - related to commit bit usage - crash happened here 1893 if (iph2->ph1 == 0) { 1894 plog(ASL_LEVEL_ERR, 1895 "Internal error - attempt to re-send Phase 2 with no Phase 1 bound.\n"); 1896 return -1; 1897 } 1898 1899 if (FSM_STATE_IS_EXPIRED(iph2->ph1->status)){ 1900 IPSECSESSIONTRACEREVENT(iph2->ph1->parent_session, 1901 IPSECSESSIONEVENTCODE_IKEV1_PH2_MAX_RETRANSMIT, 1902 CONSTSTR("Underlying Phase 1 expired"), 1903 CONSTSTR("Failed to retransmit Phase 2 (underlying Phase 1 expired)")); 1904 plog(ASL_LEVEL_ERR, 1905 "Phase 2 negotiation failed due to Phase 1 expired. %s\n", 1906 isakmp_pindex(&iph2->ph1->index, iph2->msgid)); 1907 return -1; 1908 } 1909 1910 if (iph2->retry_counter <= 0) { 1911 IPSECSESSIONTRACEREVENT(iph2->ph1->parent_session, 1912 IPSECSESSIONEVENTCODE_IKEV1_PH2_MAX_RETRANSMIT, 1913 CONSTSTR("Phase 2 maximum retransmits"), 1914 CONSTSTR("Phase 2 negotiation failed (maximum retransmits)")); 1915 plog(ASL_LEVEL_ERR, 1916 "Phase 2 negotiation failed due to time up. %s\n", 1917 isakmp_pindex(&iph2->ph1->index, iph2->msgid)); 1918 return -1; 1919 } else { 1920 ike_session_ph2_retransmits(iph2); 1921 } 1922 1923 if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0){ 1924 if (iph2->ph1->rmconf->retry_counter != iph2->retry_counter) { 1925 IPSECSESSIONTRACEREVENT(iph2->ph1->parent_session, 1926 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL, 1927 CONSTSTR("Phase 2 Retransmit"), 1928 CONSTSTR("Failed to retransmit Phase2 message")); 1929 } 1930 plog(ASL_LEVEL_ERR, 1931 "Phase 2 negotiation failed due to send error. %s\n", 1932 isakmp_pindex(&iph2->ph1->index, iph2->msgid)); 1933 1934 return -1; 1935 } 1936 if (iph2->ph1->rmconf->retry_counter != iph2->retry_counter) { 1937 IPSECSESSIONTRACEREVENT(iph2->ph1->parent_session, 1938 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC, 1939 CONSTSTR("Phase 2 Retransmit"), 1940 CONSTSTR(NULL)); 1941 } 1942 1943 plog(ASL_LEVEL_DEBUG, 1944 "Resend Phase 2 packet %s\n", 1945 isakmp_pindex(&iph2->ph1->index, iph2->msgid)); 1946 1947 iph2->retry_counter--; 1948 retry_interval = ike_session_get_exp_retx_interval((iph2->ph1->rmconf->retry_counter - iph2->ph1->retry_counter), 1949 iph2->ph1->rmconf->retry_interval); 1950 iph2->scr = sched_new(retry_interval, 1951 isakmp_ph2resend_stub, iph2); 1952 1953#ifdef ENABLE_DPD 1954 if (iph2->scr) { 1955 isakmp_reschedule_info_monitor_if_pending(iph2->ph1, 1956 "Phase 2 packets sent to peer: retransmit timer armed"); 1957 } 1958#endif /* DPD */ 1959 1960 return 0; 1961} 1962 1963/* called from scheduler */ 1964void 1965isakmp_ph1expire_stub(p) 1966 void *p; 1967{ 1968 1969 isakmp_ph1expire((phase1_handle_t *)p); 1970} 1971 1972void 1973isakmp_ph1expire(iph1) 1974 phase1_handle_t *iph1; 1975{ 1976 char *src, *dst; 1977 phase1_handle_t *new_iph1; 1978 1979 SCHED_KILL(iph1->sce); 1980#ifdef ENABLE_DPD 1981 SCHED_KILL(iph1->dpd_r_u); 1982#endif 1983 1984 if(!FSM_STATE_IS_EXPIRED(iph1->status)){ 1985 src = racoon_strdup(saddr2str((struct sockaddr *)iph1->local)); 1986 dst = racoon_strdup(saddr2str((struct sockaddr *)iph1->remote)); 1987 STRDUP_FATAL(src); 1988 STRDUP_FATAL(dst); 1989 1990 plog(ASL_LEVEL_INFO, 1991 "ISAKMP-SA expired %s-%s spi:%s\n", 1992 src, dst, 1993 isakmp_pindex(&iph1->index, 0)); 1994 racoon_free(src); 1995 racoon_free(dst); 1996 fsm_set_state(&iph1->status, IKEV1_STATE_PHASE1_EXPIRED); 1997 new_iph1 = ike_session_update_ph1_ph2tree(iph1); 1998 } 1999 2000 /* 2001 * the phase1 deletion is postponed until there is no phase2. 2002 */ 2003 if (LIST_FIRST(&iph1->bound_ph2tree) != NULL) { 2004 iph1->sce = sched_new(1, isakmp_ph1expire_stub, iph1); 2005 return; 2006 } 2007 2008 iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1); 2009} 2010 2011/* called from scheduler */ 2012void 2013isakmp_ph1rekeyexpire_stub(p) 2014void *p; 2015{ 2016 2017 isakmp_ph1rekeyexpire((phase1_handle_t *)p, FALSE); 2018} 2019 2020void 2021isakmp_ph1rekeyexpire(iph1, ignore_sess_drop_policy) 2022phase1_handle_t *iph1; 2023int ignore_sess_drop_policy; 2024{ 2025 char *src, *dst; 2026 struct remoteconf *rmconf; 2027 2028 SCHED_KILL(iph1->sce_rekey); 2029 2030 // We are going to start the rekey. Let's fire off the 2031 // phase1 expiration timer if it is not done yet. 2032 if (!iph1->sce && iph1->approval->lifetimegap) { 2033 iph1->sce = sched_new(iph1->approval->lifetimegap, 2034 isakmp_ph1expire_stub, iph1); 2035 } 2036 2037 // early exit if iph2->sce == NULL, iph2 isn't established or if entire session is going down 2038 if (iph1->sce == 0 || 2039 !FSM_STATE_IS_ESTABLISHED(iph1->status) || 2040 iph1->is_dying) { 2041 return; 2042 } 2043 2044 src = racoon_strdup(saddr2str((struct sockaddr *)iph1->local)); 2045 dst = racoon_strdup(saddr2str((struct sockaddr *)iph1->remote)); 2046 STRDUP_FATAL(src); 2047 STRDUP_FATAL(dst); 2048 2049 plog(ASL_LEVEL_INFO, 2050 "ISAKMP-SA rekey-timer expired %s-%s spi:%s\n", 2051 src, dst, 2052 isakmp_pindex(&iph1->index, 0)); 2053 racoon_free(src); 2054 racoon_free(dst); 2055 2056 if (!ignore_sess_drop_policy && ike_session_drop_rekey(iph1->parent_session, IKE_SESSION_REKEY_TYPE_PH1)) { 2057 return; 2058 } 2059 2060 // exit if there is another ph1 that is established (with a pending rekey timer) 2061 if (ike_session_has_other_established_ph1(iph1->parent_session, iph1)) { 2062 plog(ASL_LEVEL_INFO, 2063 "Request for ISAKMP-SA rekey was ignored " 2064 "due to another established ph1.\n"); 2065 return; 2066 } 2067 2068 // if there is another ph1 that is negotiating, postpone this rekey for a few seconds later 2069 if (ike_session_has_other_negoing_ph1(iph1->parent_session, iph1)) { 2070 plog(ASL_LEVEL_DEBUG, "Reschedule Phase 1 rekey.\n"); 2071 iph1->sce_rekey = sched_new(1, 2072 isakmp_ph1rekeyexpire_stub, 2073 iph1); 2074 return; 2075 } 2076 2077 // get rmconf to initiate rekey with 2078 rmconf = iph1->rmconf; 2079 if (!rmconf) 2080 rmconf = getrmconf(iph1->remote); 2081 2082 if (rmconf) { 2083 /* begin quick mode */ 2084 plog(ASL_LEVEL_DEBUG, "Begin Phase 1 rekey.\n"); 2085 2086 /* start phase 1 negotiation as a initiator. */ 2087 if (ikev1_ph1begin_i(iph1->parent_session, rmconf, iph1->remote, iph1->local, 0) < 0) { 2088 plog(ASL_LEVEL_DEBUG, "Phase 1 rekey Failed.\n"); 2089 } 2090 iph1->is_rekey = TRUE; 2091 } else { 2092 plog(ASL_LEVEL_ERR, 2093 "Phase1 rekey failed: no configuration found for %s.\n", 2094 saddrwop2str((struct sockaddr *)iph1->remote)); 2095 } 2096} 2097 2098int 2099isakmp_ph1rekeyretry(iph1) 2100phase1_handle_t *iph1; 2101{ 2102 char *src, *dst; 2103 struct remoteconf *rmconf; 2104 2105 // this code path is meant for floated ph1 rekeys that are failing on the first message 2106 if (iph1->sce != 0 || 2107 iph1->sce_rekey != 0 || 2108 ((iph1->status != IKEV1_STATE_IDENT_I_MSG1SENT && 2109 iph1->status != IKEV1_STATE_AGG_I_MSG1SENT) 2110 || ((iph1->natt_flags & NAT_PORTS_CHANGED) == 0)) 2111 || (extract_port(iph1->local) != PORT_ISAKMP_NATT && extract_port(iph1->remote) != PORT_ISAKMP_NATT) 2112 || iph1->is_dying) { 2113 return -1; 2114 } 2115 2116 src = racoon_strdup(saddr2str((struct sockaddr *)iph1->local)); 2117 dst = racoon_strdup(saddr2str((struct sockaddr *)iph1->remote)); 2118 STRDUP_FATAL(src); 2119 STRDUP_FATAL(dst); 2120 2121 plog(ASL_LEVEL_INFO, 2122 "ISAKMP-SA rekey failed... retrying %s-%s spi:%s\n", 2123 src, dst, 2124 isakmp_pindex(&iph1->index, 0)); 2125 racoon_free(src); 2126 racoon_free(dst); 2127 2128 if (ike_session_drop_rekey(iph1->parent_session, IKE_SESSION_REKEY_TYPE_PH1)) { 2129 plog(ASL_LEVEL_INFO, 2130 "request for ISAKMP-SA rekey was ignored " 2131 "due to idleness.\n"); 2132 return 0; 2133 } 2134 2135 // exit if there is another ph1 that is established (with a pending rekey timer) 2136 if (ike_session_has_other_established_ph1(iph1->parent_session, iph1)) { 2137 plog(ASL_LEVEL_INFO, 2138 "request to retry ISAKMP-SA rekey was ignored " 2139 "due to another established ph1.\n"); 2140 return -1; 2141 } 2142 2143 // some servers don't like respond to 4500 for rekeys... try accomodate them 2144 if (extract_port(iph1->local) == PORT_ISAKMP_NATT) { 2145 set_port(iph1->local, PORT_ISAKMP); 2146 } 2147 if (extract_port(iph1->remote) == PORT_ISAKMP_NATT) { 2148 set_port(iph1->remote, PORT_ISAKMP); 2149 } 2150 iph1->natt_flags &= ~NAT_PORTS_CHANGED; 2151 rmconf = getrmconf(iph1->remote); 2152 if (rmconf) { 2153 /* begin quick mode */ 2154 plog(ASL_LEVEL_DEBUG, "begin Phase 1 rekey retry.\n"); 2155 2156 /* start phase 1 negotiation as a initiator. */ 2157 if (ikev1_ph1begin_i(iph1->parent_session, rmconf, iph1->remote, iph1->local, 0) < 0) { 2158 plog(ASL_LEVEL_DEBUG, "Phase 1 rekey retry Failed.\n"); 2159 return -1; 2160 } 2161 iph1->is_rekey = TRUE; 2162 } else { 2163 plog(ASL_LEVEL_ERR, 2164 "Phase 1 rekey retry failed: no configuration found for %s.\n", 2165 saddrwop2str((struct sockaddr *)iph1->remote)); 2166 return -1; 2167 } 2168 return 0; 2169} 2170 2171/* called from scheduler */ 2172void 2173isakmp_ph1delete_stub(p) 2174 void *p; 2175{ 2176 2177 isakmp_ph1delete((phase1_handle_t *)p); 2178} 2179 2180void 2181isakmp_ph1delete(iph1) 2182 phase1_handle_t *iph1; 2183{ 2184 char *src, *dst; 2185 2186 SCHED_KILL(iph1->sce); 2187 SCHED_KILL(iph1->sce_rekey); 2188#ifdef ENABLE_DPD 2189 SCHED_KILL(iph1->dpd_r_u); 2190#endif 2191 2192 if (LIST_FIRST(&iph1->bound_ph2tree) != NULL) { 2193 iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1); 2194 return; 2195 } 2196 2197 isakmp_info_send_d1(iph1); 2198 2199 /* don't re-negosiation when the phase 1 SA expires. */ 2200 2201 src = racoon_strdup(saddr2str((struct sockaddr *)iph1->local)); 2202 dst = racoon_strdup(saddr2str((struct sockaddr *)iph1->remote)); 2203 STRDUP_FATAL(src); 2204 STRDUP_FATAL(dst); 2205 2206 plog(ASL_LEVEL_INFO, 2207 "ISAKMP-SA deleted %s-%s spi:%s\n", 2208 src, dst, isakmp_pindex(&iph1->index, 0)); 2209 racoon_free(src); 2210 racoon_free(dst); 2211 2212 ike_session_unlink_phase1(iph1); 2213 2214 return; 2215} 2216 2217/* called from scheduler. 2218 * this function will call only isakmp_ph2delete(). 2219 * phase 2 handler remain forever if kernel doesn't cry a expire of phase 2 SA 2220 * by something cause. That's why this function is called after phase 2 SA 2221 * expires in the userland. 2222 */ 2223void 2224isakmp_ph2expire_stub(p) 2225 void *p; 2226{ 2227 2228 isakmp_ph2expire((phase2_handle_t *)p); 2229} 2230 2231void 2232isakmp_ph2expire(iph2) 2233 phase2_handle_t *iph2; 2234{ 2235 char *src, *dst; 2236 2237 if (FSM_STATE_IS_EXPIRED(iph2->status)) { 2238 return; 2239 } 2240 2241 SCHED_KILL(iph2->sce); 2242 2243 src = racoon_strdup(saddrwop2str((struct sockaddr *)iph2->src)); 2244 dst = racoon_strdup(saddrwop2str((struct sockaddr *)iph2->dst)); 2245 STRDUP_FATAL(src); 2246 STRDUP_FATAL(dst); 2247 2248 plog(ASL_LEVEL_INFO, 2249 "Phase 2 sa expired %s-%s\n", src, dst); 2250 racoon_free(src); 2251 racoon_free(dst); 2252 2253 // delete outgoing SAs 2254 if (FSM_STATE_IS_ESTABLISHED(iph2->status) && iph2->approval) { 2255 struct saproto *pr; 2256 2257 for (pr = iph2->approval->head; pr != NULL; pr = pr->next) { 2258 if (pr->ok) { 2259 pfkey_send_delete(lcconf->sock_pfkey, 2260 ipsecdoi2pfkey_proto(pr->proto_id), 2261 IPSEC_MODE_ANY, 2262 iph2->src, iph2->dst, pr->spi_p /* pr->reqid_out */); 2263 } 2264 } 2265 } 2266 if (iph2->version == ISAKMP_VERSION_NUMBER_IKEV1) 2267 fsm_set_state(&iph2->status, IKEV1_STATE_PHASE2_EXPIRED); 2268 iph2->sce = sched_new(1, isakmp_ph2delete_stub, iph2); 2269 2270 return; 2271} 2272 2273/* called from scheduler */ 2274void 2275isakmp_ph2delete_stub(p) 2276 void *p; 2277{ 2278 2279 isakmp_ph2delete((phase2_handle_t *)p); 2280} 2281 2282void 2283isakmp_ph2delete(iph2) 2284 phase2_handle_t *iph2; 2285{ 2286 char *src, *dst; 2287 2288 SCHED_KILL(iph2->sce); 2289 2290 src = racoon_strdup(saddrwop2str((struct sockaddr *)iph2->src)); 2291 dst = racoon_strdup(saddrwop2str((struct sockaddr *)iph2->dst)); 2292 STRDUP_FATAL(src); 2293 STRDUP_FATAL(dst); 2294 2295 plog(ASL_LEVEL_INFO, 2296 "Phase 2 sa deleted %s-%s\n", src, dst); 2297 racoon_free(src); 2298 racoon_free(dst); 2299 2300 ike_session_unlink_phase2(iph2); 2301 2302 return; 2303} 2304 2305/* %%% 2306 * Interface between PF_KEYv2 and ISAKMP 2307 */ 2308/* 2309 * receive ACQUIRE from kernel, and begin either phase1 or phase2. 2310 * if phase1 has been finished, begin phase2. 2311 */ 2312int 2313isakmp_post_acquire(phase2_handle_t *iph2) 2314{ 2315 struct remoteconf *rmconf; 2316 phase1_handle_t *iph1 = NULL; 2317 2318 plog(ASL_LEVEL_DEBUG, "In post_acquire\n"); 2319 2320 /* search appropreate configuration with masking port. */ 2321 rmconf = getrmconf(iph2->dst); 2322 if (rmconf == NULL) { 2323 plog(ASL_LEVEL_ERR, 2324 "No configuration found for %s.\n", 2325 saddrwop2str((struct sockaddr *)iph2->dst)); 2326 return -1; 2327 } 2328 /* if passive mode, ignore the acquire message */ 2329 if (rmconf->passive) { 2330 plog(ASL_LEVEL_DEBUG, 2331 "Because of passive mode, ignore the acquire message for %s.\n", 2332 saddrwop2str((struct sockaddr *)iph2->dst)); 2333 return 0; 2334 } 2335 2336 2337 // what if there is another ph2 that is negotiating 2338 if (ike_session_has_other_negoing_ph2(iph2->parent_session, iph2)) { 2339 // TODO: postpone this rekey for a second later 2340 plog(ASL_LEVEL_INFO, 2341 "Request for establishing IPsec-SA was ignored due to another negoing ph2.\n"); 2342 return -1; 2343 } 2344 2345 // if this is a phase2 rekeys (the policy may not have the current port number). 2346 // so, use the appropriate ports. 2347 if (iph2->is_rekey) { 2348 ike_session_update_ph2_ports(iph2); 2349 } 2350 if (iph2->version == ISAKMP_VERSION_NUMBER_IKEV1) 2351 iph1 = ike_session_update_ph2_ph1bind(iph2); 2352 2353 /* no IKE-SA found. */ 2354 if (iph1 == NULL) { 2355 iph2->retry_checkph1 = lcconf->retry_checkph1; 2356 2357 /* start phase 1 negotiation as a initiator. */ 2358 sched_new(1, isakmp_chkph1there_stub, iph2); 2359 2360 plog(ASL_LEVEL_INFO, 2361 "IPsec-SA request for %s queued due to no Phase 1 found.\n", 2362 saddrwop2str((struct sockaddr *)iph2->dst)); 2363 2364 // exit if there is another ph1 that is established (with a pending rekey timer) 2365 if (ike_session_has_negoing_ph1(iph2->parent_session)) { 2366 plog(ASL_LEVEL_INFO, 2367 "Request for Phase 1 was ignored due to another negotiating Phase 1.\n"); 2368 return 0; 2369 } 2370 2371 if (ikev1_ph1begin_i(iph2->parent_session, rmconf, iph2->dst, iph2->src, 0) < 0) { 2372 plog(ASL_LEVEL_INFO, 2373 "Request for Phase 1 failed. Will try later.\n"); 2374 } 2375 return 0; 2376 /*NOTREACHED*/ 2377 } 2378 2379 /* found ISAKMP-SA, but on negotiation. */ 2380 if (!FSM_STATE_IS_ESTABLISHED(iph1->status)) { 2381 iph2->retry_checkph1 = lcconf->retry_checkph1; 2382 sched_new(1, isakmp_chkph1there_stub, iph2); 2383 plog(ASL_LEVEL_INFO, 2384 "Request for establishing IPsec-SA was queued due to no phase1 found.\n"); 2385 return 0; 2386 /*NOTREACHED*/ 2387 } 2388 2389 /* found established ISAKMP-SA */ 2390 2391 /* found ISAKMP-SA. */ 2392 2393 /* begin quick mode */ 2394 plog(ASL_LEVEL_DEBUG, "Begin QUICK mode.\n"); 2395 if (ikev1_ph2begin_i(iph1, iph2)) 2396 return -1; 2397 return 0; 2398} 2399 2400/* 2401 * receive GETSPI from kernel. 2402 */ 2403int 2404isakmp_post_getspi(phase2_handle_t *iph2) 2405{ 2406#ifdef ENABLE_STATS 2407 struct timeval start, end; 2408#endif 2409 int error = 0; 2410 2411 /* don't process it because there is no suitable phase1-sa. */ 2412 if (FSM_STATE_IS_EXPIRED(iph2->ph1->status)) { 2413 plog(ASL_LEVEL_ERR, 2414 "the negotiation is stopped, " 2415 "because there is no suitable ISAKMP-SA.\n"); 2416 return -1; 2417 } 2418 fsm_set_state(&iph2->status, iph2->side == INITIATOR ? 2419 IKEV1_STATE_QUICK_I_GETSPIDONE : IKEV1_STATE_QUICK_R_GETSPIDONE); 2420 2421#ifdef ENABLE_STATS 2422 gettimeofday(&start, NULL); 2423#endif 2424 switch (iph2->side) { 2425 case INITIATOR: 2426 error = quick_i1send(iph2, NULL); 2427 break; 2428 case RESPONDER: 2429 error = quick_r2send(iph2, NULL); 2430 break; 2431 } 2432 2433 if (error) //%%%%%%%% log something ??? 2434 return -1; 2435#ifdef ENABLE_STATS 2436 gettimeofday(&end, NULL); 2437 plog(ASL_LEVEL_NOTICE, "%s(%s): %8.6f", 2438 "Phase 2", 2439 s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status), 2440 timedelta(&start, &end)); 2441#endif 2442 2443 return 0; 2444} 2445 2446/* called by scheduler */ 2447void 2448isakmp_chkph1there_stub(p) 2449 void *p; 2450{ 2451 isakmp_chkph1there((phase2_handle_t *)p); 2452} 2453 2454void 2455isakmp_chkph1there(iph2) 2456 phase2_handle_t *iph2; 2457{ 2458 phase1_handle_t *iph1; 2459 2460 if ((iph2->version == ISAKMP_VERSION_NUMBER_IKEV1 && iph2->status != IKEV1_STATE_QUICK_I_START) || 2461 iph2->is_dying) { 2462 plog(ASL_LEVEL_DEBUG, "CHKPH1THERE: ph2 handle has advanced too far (status %d, START %d, dying %d)... ignoring\n", iph2->status, IKEV1_STATE_QUICK_I_START, iph2->is_dying); 2463 return; 2464 } 2465 2466 iph2->retry_checkph1--; 2467 2468 if (iph2->retry_checkph1 < 0 /* %%%%|| 2469 ike_session_verify_ph2_parent_session(iph2) */) { 2470 if (iph2->retry_checkph1 < 0) { 2471 plog(ASL_LEVEL_ERR, 2472 "Phase 2 negotiation failed " 2473 "due to time up waiting for Phase 1. %s\n", 2474 sadbsecas2str(iph2->dst, iph2->src, 2475 iph2->satype, 0, 0)); 2476 } else { 2477 plog(ASL_LEVEL_ERR, 2478 "Phase 2 negotiation failed " 2479 "due to invalid parent session. %s\n", 2480 sadbsecas2str(iph2->dst, iph2->src, 2481 iph2->satype, 0, 0)); 2482 } 2483 plog(ASL_LEVEL_INFO, 2484 "delete Phase 2 handler.\n"); 2485 2486 /* send acquire to kernel as error */ 2487 pk_sendeacquire(iph2); 2488 ike_session_unlink_phase2(iph2); 2489 return; 2490 } 2491 2492 iph1 = ike_session_update_ph2_ph1bind(iph2); 2493 2494 /* XXX Even if ph1 as responder is there, should we not start 2495 * phase 2 negotiation ? */ 2496 if (iph1 != NULL 2497 && FSM_STATE_IS_ESTABLISHED(iph1->status)) { 2498 /* found isakmp-sa */ 2499 2500 plog(ASL_LEVEL_DEBUG, "CHKPH1THERE: got a ph1 handler, setting ports.\n"); 2501 plog(ASL_LEVEL_DEBUG, "iph1->local: %s\n", saddr2str((struct sockaddr *)iph1->local)); 2502 plog(ASL_LEVEL_DEBUG, "iph1->remote: %s\n", saddr2str((struct sockaddr *)iph1->remote)); 2503 plog(ASL_LEVEL_DEBUG, "before:\n"); 2504 plog(ASL_LEVEL_DEBUG, "src: %s\n", saddr2str((struct sockaddr *)iph2->src)); 2505 plog(ASL_LEVEL_DEBUG, "dst: %s\n", saddr2str((struct sockaddr *)iph2->dst)); 2506 set_port(iph2->src, extract_port(iph1->local)); 2507 set_port(iph2->dst, extract_port(iph1->remote)); 2508 plog(ASL_LEVEL_DEBUG, "After:\n"); 2509 plog(ASL_LEVEL_DEBUG, "src: %s\n", saddr2str((struct sockaddr *)iph2->src)); 2510 plog(ASL_LEVEL_DEBUG, "dst: %s\n", saddr2str((struct sockaddr *)iph2->dst)); 2511 2512 /* begin quick mode */ 2513 if (ikev1_ph2begin_i(iph1, iph2)) { 2514 ike_session_unlink_phase2(iph2); 2515 } 2516 return; 2517 } 2518 if (!ike_session_has_negoing_ph1(iph2->parent_session)) { 2519 struct remoteconf *rmconf = getrmconf(iph2->dst); 2520 /* start phase 1 negotiation as a initiator. */ 2521 if (rmconf) { 2522 if (ikev1_ph1begin_i(iph2->parent_session, rmconf, iph2->dst, iph2->src, 0) < 0) { 2523 plog(ASL_LEVEL_DEBUG, "CHKPH1THERE: no established/negoing ph1 handler found... failed to initiate new one\n"); 2524 } 2525 } else if (rmconf == NULL) { 2526 plog(ASL_LEVEL_DEBUG, "CHKPH1THERE: no remoteconf found... failed to initiate new one\n"); 2527 } 2528 } 2529 2530 plog(ASL_LEVEL_DEBUG, "CHKPH1THERE: no established ph1 handler found\n"); 2531 2532 /* no isakmp-sa found */ 2533 sched_new(1, isakmp_chkph1there_stub, iph2); 2534 2535 return; 2536} 2537 2538/* copy variable data into ALLOCATED buffer. */ 2539caddr_t 2540isakmp_set_attr_v(buf, type, val, len) 2541 caddr_t buf; 2542 int type; 2543 caddr_t val; 2544 int len; 2545{ 2546 struct isakmp_data *data; 2547 2548 data = (struct isakmp_data *)buf; 2549 data->type = htons((u_int16_t)type | ISAKMP_GEN_TLV); 2550 data->lorv = htons((u_int16_t)len); 2551 memcpy(data + 1, val, len); 2552 2553 return buf + sizeof(*data) + len; 2554} 2555 2556/* copy fixed length data into ALLOCATED buffer. */ 2557caddr_t 2558isakmp_set_attr_l(buf, type, val) 2559 caddr_t buf; 2560 int type; 2561 u_int32_t val; 2562{ 2563 struct isakmp_data *data; 2564 2565 data = (struct isakmp_data *)buf; 2566 data->type = htons((u_int16_t)type | ISAKMP_GEN_TV); 2567 data->lorv = htons((u_int16_t)val); 2568 2569 return buf + sizeof(*data); 2570} 2571 2572/* add a variable data attribute to the buffer by reallocating it. */ 2573vchar_t * 2574isakmp_add_attr_v(buf0, type, val, len) 2575 vchar_t *buf0; 2576 int type; 2577 caddr_t val; 2578 int len; 2579{ 2580 vchar_t *buf = NULL; 2581 struct isakmp_data *data; 2582 int tlen; 2583 int oldlen = 0; 2584 2585 tlen = sizeof(*data) + len; 2586 2587 if (buf0) { 2588 oldlen = buf0->l; 2589 buf = vrealloc(buf0, oldlen + tlen); 2590 } else 2591 buf = vmalloc(tlen); 2592 if (!buf) { 2593 plog(ASL_LEVEL_ERR, 2594 "failed to get a attribute buffer.\n"); 2595 return NULL; 2596 } 2597 2598 data = (struct isakmp_data *)(buf->v + oldlen); 2599 data->type = htons((u_int16_t)type | ISAKMP_GEN_TLV); 2600 data->lorv = htons((u_int16_t)len); 2601 memcpy(data + 1, val, len); 2602 2603 return buf; 2604} 2605 2606/* add a fixed data attribute to the buffer by reallocating it. */ 2607vchar_t * 2608isakmp_add_attr_l(buf0, type, val) 2609 vchar_t *buf0; 2610 int type; 2611 u_int32_t val; 2612{ 2613 vchar_t *buf = NULL; 2614 struct isakmp_data *data; 2615 int tlen; 2616 int oldlen = 0; 2617 2618 tlen = sizeof(*data); 2619 2620 if (buf0) { 2621 oldlen = buf0->l; 2622 buf = vrealloc(buf0, oldlen + tlen); 2623 } else 2624 buf = vmalloc(tlen); 2625 if (!buf) { 2626 plog(ASL_LEVEL_ERR, 2627 "failed to get a attribute buffer.\n"); 2628 return NULL; 2629 } 2630 2631 data = (struct isakmp_data *)(buf->v + oldlen); 2632 data->type = htons((u_int16_t)type | ISAKMP_GEN_TV); 2633 data->lorv = htons((u_int16_t)val); 2634 2635 return buf; 2636} 2637 2638/* 2639 * calculate cookie and set. 2640 */ 2641int 2642isakmp_newcookie(place, remote, local) 2643 caddr_t place; 2644 struct sockaddr_storage *remote; 2645 struct sockaddr_storage *local; 2646{ 2647 vchar_t *buf = NULL, *buf2 = NULL; 2648 char *p; 2649 int blen; 2650 int alen; 2651 caddr_t sa1, sa2; 2652 time_t t; 2653 int error = -1; 2654 u_short port; 2655 2656 2657 if (remote->ss_family != local->ss_family) { 2658 plog(ASL_LEVEL_ERR, 2659 "address family mismatch, remote:%d local:%d\n", 2660 remote->ss_family, local->ss_family); 2661 goto end; 2662 } 2663 switch (remote->ss_family) { 2664 case AF_INET: 2665 alen = sizeof(struct in_addr); 2666 sa1 = (caddr_t)&((struct sockaddr_in *)remote)->sin_addr; 2667 sa2 = (caddr_t)&((struct sockaddr_in *)local)->sin_addr; 2668 break; 2669#ifdef INET6 2670 case AF_INET6: 2671 alen = sizeof(struct in_addr); 2672 sa1 = (caddr_t)&((struct sockaddr_in6 *)remote)->sin6_addr; 2673 sa2 = (caddr_t)&((struct sockaddr_in6 *)local)->sin6_addr; 2674 break; 2675#endif 2676 default: 2677 plog(ASL_LEVEL_ERR, 2678 "invalid family: %d\n", remote->ss_family); 2679 goto end; 2680 } 2681 blen = (alen + sizeof(u_short)) * 2 2682 + sizeof(time_t) + lcconf->secret_size; 2683 buf = vmalloc(blen); 2684 if (buf == NULL) { 2685 plog(ASL_LEVEL_ERR, 2686 "failed to get a cookie.\n"); 2687 goto end; 2688 } 2689 p = buf->v; 2690 2691 /* copy my address */ 2692 memcpy(p, sa1, alen); 2693 p += alen; 2694 port = ((struct sockaddr_in *)remote)->sin_port; 2695 memcpy(p, &port, sizeof(u_short)); 2696 p += sizeof(u_short); 2697 2698 /* copy target address */ 2699 memcpy(p, sa2, alen); 2700 p += alen; 2701 port = ((struct sockaddr_in *)local)->sin_port; 2702 memcpy(p, &port, sizeof(u_short)); 2703 p += sizeof(u_short); 2704 2705 /* copy time */ 2706 t = time(0); 2707 memcpy(p, (caddr_t)&t, sizeof(t)); 2708 p += sizeof(t); 2709 2710 /* copy random value */ 2711 buf2 = eay_set_random(lcconf->secret_size); 2712 if (buf2 == NULL) 2713 goto end; 2714 memcpy(p, buf2->v, lcconf->secret_size); 2715 p += lcconf->secret_size; 2716 vfree(buf2); 2717 2718 buf2 = eay_sha1_one(buf); 2719 memcpy(place, buf2->v, sizeof(cookie_t)); 2720 2721 sa1 = val2str(place, sizeof (cookie_t)); 2722 plog(ASL_LEVEL_DEBUG, "new cookie:\n%s\n", sa1); 2723 racoon_free(sa1); 2724 2725 error = 0; 2726end: 2727 if (buf != NULL) 2728 vfree(buf); 2729 if (buf2 != NULL) 2730 vfree(buf2); 2731 return error; 2732} 2733 2734/* 2735 * save partner's(payload) data into phhandle. 2736 */ 2737int 2738isakmp_p2ph(buf, gen) 2739 vchar_t **buf; 2740 struct isakmp_gen *gen; 2741{ 2742 /* XXX to be checked in each functions for logging. */ 2743 if (*buf) { 2744 plog(ASL_LEVEL_WARNING, 2745 "ignore this payload, same payload type exist.\n"); 2746 return -1; 2747 } 2748 2749 if (ntohs(gen->len) < sizeof(*gen)) { 2750 plog(ASL_LEVEL_ERR, 2751 "ignore this payload, invalid payload len %d.\n", 2752 ntohs(gen->len)); 2753 return -1; 2754 } 2755 2756 *buf = vmalloc(ntohs(gen->len) - sizeof(*gen)); 2757 if (*buf == NULL) { 2758 plog(ASL_LEVEL_ERR, 2759 "failed to get buffer.\n"); 2760 return -1; 2761 } 2762 memcpy((*buf)->v, gen + 1, (*buf)->l); 2763 2764 return 0; 2765} 2766 2767u_int32_t 2768isakmp_newmsgid2(iph1) 2769 phase1_handle_t *iph1; 2770{ 2771 u_int32_t msgid2; 2772 2773 do { 2774 msgid2 = eay_random(); 2775 } while (ike_session_getph2bymsgid(iph1, msgid2)); 2776 2777 return msgid2; 2778} 2779 2780/* 2781 * set values into allocated buffer of isakmp header for phase 1 2782 */ 2783static caddr_t 2784set_isakmp_header(vbuf, iph1, nptype, etype, flags, msgid) 2785 vchar_t *vbuf; 2786 phase1_handle_t *iph1; 2787 int nptype; 2788 u_int8_t etype; 2789 u_int8_t flags; 2790 u_int32_t msgid; 2791{ 2792 struct isakmp *isakmp; 2793 2794 if (vbuf->l < sizeof(*isakmp)) 2795 return NULL; 2796 2797 isakmp = (struct isakmp *)vbuf->v; 2798 2799 memcpy(&isakmp->i_ck, &iph1->index.i_ck, sizeof(cookie_t)); 2800 memcpy(&isakmp->r_ck, &iph1->index.r_ck, sizeof(cookie_t)); 2801 isakmp->np = nptype; 2802 isakmp->v = iph1->version; 2803 isakmp->etype = etype; 2804 isakmp->flags = flags; 2805 isakmp->msgid = msgid; 2806 isakmp->len = htonl(vbuf->l); 2807 2808 return vbuf->v + sizeof(*isakmp); 2809} 2810 2811/* 2812 * set values into allocated buffer of isakmp header for phase 1 2813 */ 2814caddr_t 2815set_isakmp_header1(vbuf, iph1, nptype) 2816 vchar_t *vbuf; 2817 phase1_handle_t *iph1; 2818 int nptype; 2819{ 2820 return set_isakmp_header (vbuf, iph1, nptype, iph1->etype, iph1->flags, iph1->msgid); 2821} 2822 2823/* 2824 * set values into allocated buffer of isakmp header for phase 2 2825 */ 2826caddr_t 2827set_isakmp_header2(vbuf, iph2, nptype) 2828 vchar_t *vbuf; 2829 phase2_handle_t *iph2; 2830 int nptype; 2831{ 2832 return set_isakmp_header (vbuf, iph2->ph1, nptype, ISAKMP_ETYPE_QUICK, iph2->flags, iph2->msgid); 2833} 2834 2835/* 2836 * set values into allocated buffer of isakmp payload. 2837 */ 2838caddr_t 2839set_isakmp_payload(buf, src, nptype) 2840 caddr_t buf; 2841 vchar_t *src; 2842 int nptype; 2843{ 2844 struct isakmp_gen *gen; 2845 caddr_t p = buf; 2846 2847 plog(ASL_LEVEL_DEBUG, "add payload of len %zu, next type %d\n", 2848 src->l, nptype); 2849 2850 gen = (struct isakmp_gen *)p; 2851 gen->np = nptype; 2852 gen->len = htons(sizeof(*gen) + src->l); 2853 p += sizeof(*gen); 2854 memcpy(p, src->v, src->l); 2855 p += src->l; 2856 2857 return p; 2858} 2859 2860 2861#ifdef HAVE_PRINT_ISAKMP_C 2862/* for print-isakmp.c */ 2863char *snapend; 2864extern void isakmp_print(const u_char *, u_int, const u_char *); 2865 2866char *getname(const u_char *); 2867#ifdef INET6 2868char *getname6(const u_char *); 2869#endif 2870int safeputchar(int); 2871 2872/* 2873 * Return a name for the IP address pointed to by ap. This address 2874 * is assumed to be in network byte order. 2875 */ 2876char * 2877getname(ap) 2878 const u_char *ap; 2879{ 2880 struct sockaddr_in addr; 2881 static char ntop_buf[NI_MAXHOST]; 2882 2883 memset(&addr, 0, sizeof(addr)); 2884 addr.sin_len = sizeof(struct sockaddr_in); 2885 addr.sin_family = AF_INET; 2886 memcpy(&addr.sin_addr, ap, sizeof(addr.sin_addr)); 2887 if (getnameinfo(&addr, sizeof(addr), 2888 ntop_buf, sizeof(ntop_buf), NULL, 0, 2889 NI_NUMERICHOST | niflags)) 2890 strlcpy(ntop_buf, "?", sizeof(ntop_buf)); 2891 2892 return ntop_buf; 2893} 2894 2895#ifdef INET6 2896/* 2897 * Return a name for the IP6 address pointed to by ap. This address 2898 * is assumed to be in network byte order. 2899 */ 2900char * 2901getname6(ap) 2902 const u_char *ap; 2903{ 2904 struct sockaddr_in6 addr; 2905 static char ntop_buf[NI_MAXHOST]; 2906 2907 memset(&addr, 0, sizeof(addr)); 2908 addr.sin6_len = sizeof(struct sockaddr_in6); 2909 addr.sin6_family = AF_INET6; 2910 memcpy(&addr.sin6_addr, ap, sizeof(addr.sin6_addr)); 2911 if (getnameinfo(&addr, addr.sin6_len, 2912 ntop_buf, sizeof(ntop_buf), NULL, 0, 2913 NI_NUMERICHOST | niflags)) 2914 strlcpy(ntop_buf, "?", sizeof(ntop_buf)); 2915 2916 return ntop_buf; 2917} 2918#endif /* INET6 */ 2919 2920int 2921safeputchar(c) 2922 int c; 2923{ 2924 unsigned char ch; 2925 2926 ch = (unsigned char)(c & 0xff); 2927 if (c < 0x80 && isprint(c)) 2928 return printf("%c", c & 0xff); 2929 else 2930 return printf("\\%03o", c & 0xff); 2931} 2932 2933void 2934isakmp_printpacket(msg, from, my, decoded) 2935 vchar_t *msg; 2936 struct sockaddr_storage *from; 2937 struct sockaddr_storage *my; 2938 int decoded; 2939{ 2940#ifdef YIPS_DEBUG 2941 struct timeval tv; 2942 int s; 2943 char hostbuf[NI_MAXHOST]; 2944 char portbuf[NI_MAXSERV]; 2945 struct isakmp *isakmp; 2946 vchar_t *buf; 2947#endif 2948 2949 if (loglevel < ASL_LEVEL_DEBUG) 2950 return; 2951 2952#ifdef YIPS_DEBUG 2953 plog(ASL_LEVEL_DEBUG, "begin.\n"); 2954 2955 gettimeofday(&tv, NULL); 2956 s = tv.tv_sec % 3600; 2957 printf("%02d:%02d.%06u ", s / 60, s % 60, (u_int32_t)tv.tv_usec); 2958 2959 if (from) { 2960 if (getnameinfo(from, sysdep_sa_len((struct sockaddr *)from), hostbuf, sizeof(hostbuf), 2961 portbuf, sizeof(portbuf), 2962 NI_NUMERICHOST | NI_NUMERICSERV | niflags)) { 2963 strlcpy(hostbuf, "?", sizeof(hostbuf)); 2964 strlcpy(portbuf, "?", sizeof(portbuf)); 2965 } 2966 printf("%s:%s", hostbuf, portbuf); 2967 } else 2968 printf("?"); 2969 printf(" -> "); 2970 if (my) { 2971 if (getnameinfo(my, sysdep_sa_len((struct sockaddr *)my), hostbuf, sizeof(hostbuf), 2972 portbuf, sizeof(portbuf), 2973 NI_NUMERICHOST | NI_NUMERICSERV | niflags)) { 2974 strlcpy(hostbuf, "?", sizeof(hostbuf)); 2975 strlcpy(portbuf, "?", sizeof(portbuf)); 2976 } 2977 printf("%s:%s", hostbuf, portbuf); 2978 } else 2979 printf("?"); 2980 printf(": "); 2981 2982 buf = vdup(msg); 2983 if (!buf) { 2984 printf("(malloc fail)\n"); 2985 return; 2986 } 2987 if (decoded) { 2988 isakmp = (struct isakmp *)buf->v; 2989 if (isakmp->flags & ISAKMP_FLAG_E) { 2990#if 0 2991 int pad; 2992 pad = *(u_char *)(buf->v + buf->l - 1); 2993 if (buf->l < pad && 2 < vflag) 2994 printf("(wrong padding)"); 2995#endif 2996 isakmp->flags &= ~ISAKMP_FLAG_E; 2997 } 2998 } 2999 3000 snapend = buf->v + buf->l; 3001 isakmp_print(buf->v, buf->l, NULL); 3002 vfree(buf); 3003 printf("\n"); 3004 fflush(stdout); 3005 3006 return; 3007#endif 3008} 3009#endif /*HAVE_PRINT_ISAKMP_C*/ 3010 3011int 3012copy_ph1addresses(iph1, rmconf, remote, local) 3013 phase1_handle_t *iph1; 3014 struct remoteconf *rmconf; 3015 struct sockaddr_storage *remote, *local; 3016{ 3017 u_short *port = NULL; 3018 3019 /* address portion must be grabbed from real remote address "remote" */ 3020 iph1->remote = dupsaddr(remote); 3021 if (iph1->remote == NULL) { 3022 ike_session_delph1(iph1); 3023 return -1; 3024 } 3025 3026 /* 3027 * if remote has no port # (in case of initiator - from ACQUIRE msg) 3028 * - if remote.conf specifies port #, use that 3029 * - if remote.conf does not, use 500 3030 * if remote has port # (in case of responder - from recvfrom(2)) 3031 * respect content of "remote". 3032 */ 3033 switch (iph1->remote->ss_family) { 3034 case AF_INET: 3035 port = &((struct sockaddr_in *)iph1->remote)->sin_port; 3036 if (*port) 3037 break; 3038 *port = ((struct sockaddr_in *)rmconf->remote)->sin_port; 3039 if (*port) 3040 break; 3041 *port = htons(PORT_ISAKMP); 3042 break; 3043#ifdef INET6 3044 case AF_INET6: 3045 port = &((struct sockaddr_in6 *)iph1->remote)->sin6_port; 3046 if (*port) 3047 break; 3048 *port = ((struct sockaddr_in6 *)rmconf->remote)->sin6_port; 3049 if (*port) 3050 break; 3051 *port = htons(PORT_ISAKMP); 3052 break; 3053#endif 3054 default: 3055 plog(ASL_LEVEL_ERR, 3056 "invalid family: %d\n", iph1->remote->ss_family); 3057 ike_session_delph1(iph1); 3058 return -1; 3059 } 3060 3061 if (local == NULL) 3062 iph1->local = getlocaladdr((struct sockaddr *)iph1->remote); 3063 else 3064 iph1->local = dupsaddr(local); 3065 if (iph1->local == NULL) { 3066 ike_session_delph1(iph1); 3067 return -1; 3068 } 3069 port = NULL; 3070 switch (iph1->local->ss_family) { 3071 case AF_INET: 3072 port = &((struct sockaddr_in *)iph1->local)->sin_port; 3073 if (*port) 3074 break; 3075 *port = ((struct sockaddr_in *)iph1->local)->sin_port; 3076 if (*port) 3077 break; 3078 *port = getmyaddrsport(iph1->local); 3079 break; 3080#ifdef INET6 3081 case AF_INET6: 3082 port = &((struct sockaddr_in6 *)iph1->local)->sin6_port; 3083 if (*port) 3084 break; 3085 *port = ((struct sockaddr_in6 *)iph1->local)->sin6_port; 3086 if (*port) 3087 break; 3088 *port = getmyaddrsport(iph1->local); 3089 break; 3090#endif 3091 default: 3092 plog(ASL_LEVEL_ERR, 3093 "invalid family: %d\n", iph1->local->ss_family); 3094 ike_session_delph1(iph1); 3095 return -1; 3096 } 3097#ifdef ENABLE_NATT 3098 if ( port != NULL && *port == htons(lcconf->port_isakmp_natt) ) { 3099 plog (ASL_LEVEL_DEBUG, "Marking ports as changed\n"); 3100 iph1->natt_flags |= NAT_ADD_NON_ESP_MARKER; 3101 } 3102#endif 3103 3104 return 0; 3105} 3106 3107void 3108log_ph1established(iph1) 3109 const phase1_handle_t *iph1; 3110{ 3111 char *src, *dst; 3112 3113 src = racoon_strdup(saddr2str((struct sockaddr *)iph1->local)); 3114 dst = racoon_strdup(saddr2str((struct sockaddr *)iph1->remote)); 3115 STRDUP_FATAL(src); 3116 STRDUP_FATAL(dst); 3117 3118 plog(ASL_LEVEL_INFO, 3119 "ISAKMP-SA established %s-%s spi:%s\n", 3120 src, dst, 3121 isakmp_pindex(&iph1->index, 0)); 3122 3123 racoon_free(src); 3124 racoon_free(dst); 3125 3126 IPSECLOGASLMSG("IPSec Phase 1 established (Initiated by %s).\n", 3127 (iph1->side == INITIATOR)? "me" : "peer"); 3128 3129 return; 3130} 3131 3132struct payload_list * 3133isakmp_plist_append (struct payload_list *plist, vchar_t *payload, int payload_type) 3134{ 3135 if (! plist) { 3136 plist = racoon_malloc (sizeof (struct payload_list)); 3137 plist->prev = NULL; 3138 } 3139 else { 3140 plist->next = racoon_malloc (sizeof (struct payload_list)); 3141 plist->next->prev = plist; 3142 plist = plist->next; 3143 } 3144 3145 plist->next = NULL; 3146 plist->payload = payload; 3147 plist->payload_type = payload_type; 3148 3149 return plist; 3150} 3151 3152vchar_t * 3153isakmp_plist_set_all (struct payload_list **plist, phase1_handle_t *iph1) 3154{ 3155 struct payload_list *ptr = *plist, *first; 3156 size_t tlen = sizeof (struct isakmp), n = 0; 3157 vchar_t *buf = NULL; 3158 char *p; 3159 3160 /* Seek to the first item. */ 3161 while (ptr->prev) ptr = ptr->prev; 3162 first = ptr; 3163 3164 /* Compute the whole length. */ 3165 while (ptr) { 3166 tlen += ptr->payload->l + sizeof (struct isakmp_gen); 3167 ptr = ptr->next; 3168 } 3169 3170 buf = vmalloc(tlen); 3171 if (buf == NULL) { 3172 plog(ASL_LEVEL_ERR, 3173 "failed to get buffer to send.\n"); 3174 goto end; 3175 } 3176 3177 ptr = first; 3178 3179 p = set_isakmp_header1(buf, iph1, ptr->payload_type); 3180 if (p == NULL) 3181 goto end; 3182 3183 while (ptr) 3184 { 3185 p = set_isakmp_payload (p, ptr->payload, ptr->next ? ptr->next->payload_type : ISAKMP_NPTYPE_NONE); 3186 first = ptr; 3187 ptr = ptr->next; 3188 racoon_free (first); 3189 /* ptr->prev = NULL; first = NULL; ... omitted. */ 3190 n++; 3191 } 3192 3193 *plist = NULL; 3194 3195 return buf; 3196end: 3197 if (buf != NULL) 3198 vfree(buf); 3199 return NULL; 3200} 3201 3202#ifdef ENABLE_FRAG 3203void 3204frag_handler(iph1, msg, remote, local) 3205 phase1_handle_t *iph1; 3206 vchar_t *msg; 3207 struct sockaddr_storage *remote; 3208 struct sockaddr_storage *local; 3209{ 3210 vchar_t *newmsg; 3211 3212 if (isakmp_frag_extract(iph1, msg) == 1) { 3213 if ((newmsg = isakmp_frag_reassembly(iph1)) == NULL) { 3214 plog(ASL_LEVEL_ERR, 3215 "Packet reassembly failed\n"); 3216 return; 3217 } 3218 3219 /* simply reply if the packet was processed. */ 3220 if (ike_session_check_recvdpkt(remote, local, newmsg) > 0) { 3221 IPSECLOGASLMSG("Received (reassembled) retransmitted packet from %s.\n", 3222 saddr2str((struct sockaddr *)remote)); 3223 3224 plog(ASL_LEVEL_NOTICE, 3225 "the reassembled packet is retransmitted by %s.\n", 3226 saddr2str((struct sockaddr *)remote)); 3227 vfree(newmsg); 3228 return; 3229 } 3230 3231 isakmp_main(newmsg, remote, local); 3232 vfree(newmsg); 3233 } 3234 3235 return; 3236} 3237#endif 3238 3239void 3240purge_remote(iph1) 3241 phase1_handle_t *iph1; 3242{ 3243 vchar_t *buf = NULL; 3244 struct sadb_msg *msg, *next, *end; 3245 struct sadb_sa *sa; 3246 struct sockaddr_storage *src, *dst; 3247 caddr_t mhp[SADB_EXT_MAX + 1]; 3248 u_int proto_id; 3249 phase2_handle_t *iph2; 3250 phase1_handle_t *new_iph1; 3251 3252 plog(ASL_LEVEL_INFO, 3253 "purging ISAKMP-SA spi=%s.\n", 3254 isakmp_pindex(&(iph1->index), iph1->msgid)); 3255 3256 /* Mark as expired. */ 3257 fsm_set_state(&iph1->status, IKEV1_STATE_PHASE1_EXPIRED); 3258 3259 new_iph1 = ike_session_update_ph1_ph2tree(iph1); 3260 3261 /* 3262 * Delete all orphaned or binded to the deleting ph1handle phase2 SAs. 3263 * Keep all others phase2 SAs. 3264 */ 3265 buf = pfkey_dump_sadb(SADB_SATYPE_UNSPEC); 3266 if (buf == NULL) { 3267 plog(ASL_LEVEL_DEBUG, 3268 "pfkey_dump_sadb returned nothing.\n"); 3269 return; 3270 } 3271 3272 msg = ALIGNED_CAST(struct sadb_msg *)buf->v; 3273 end = ALIGNED_CAST(struct sadb_msg *)(buf->v + buf->l); 3274 3275 while (msg < end) { 3276 if ((msg->sadb_msg_len << 3) < sizeof(*msg)) 3277 break; 3278 next = ALIGNED_CAST(struct sadb_msg *)((caddr_t)msg + (msg->sadb_msg_len << 3)); 3279 if (msg->sadb_msg_type != SADB_DUMP) { 3280 msg = next; 3281 continue; 3282 } 3283 3284 if (pfkey_align(msg, mhp) || pfkey_check(mhp)) { 3285 plog(ASL_LEVEL_ERR, 3286 "pfkey_check (%s)\n", ipsec_strerror()); 3287 msg = next; 3288 continue; 3289 } 3290 3291 sa = ALIGNED_CAST(struct sadb_sa *)(mhp[SADB_EXT_SA]); 3292 if (!sa || 3293 !mhp[SADB_EXT_ADDRESS_SRC] || 3294 !mhp[SADB_EXT_ADDRESS_DST]) { 3295 msg = next; 3296 continue; 3297 } 3298 src = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); 3299 dst = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]); 3300 3301 if (sa->sadb_sa_state != SADB_SASTATE_LARVAL && 3302 sa->sadb_sa_state != SADB_SASTATE_MATURE && 3303 sa->sadb_sa_state != SADB_SASTATE_DYING) { 3304 msg = next; 3305 continue; 3306 } 3307 3308 /* 3309 * check in/outbound SAs. 3310 * Select only SAs where src == local and dst == remote (outgoing) 3311 * or src == remote and dst == local (incoming). 3312 */ 3313 if ((CMPSADDR(iph1->local, src) || CMPSADDR(iph1->remote, dst)) && 3314 (CMPSADDR(iph1->local, dst) || CMPSADDR(iph1->remote, src))) { 3315 msg = next; 3316 continue; 3317 } 3318 3319 proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype); 3320 iph2 = ike_session_getph2bysaidx(src, dst, proto_id, sa->sadb_sa_spi); 3321 3322 /* Check if there is another valid ISAKMP-SA */ 3323 if (new_iph1 != NULL) { 3324 3325 if (iph2 == NULL) { 3326 /* No handler... still send a pfkey_delete message, but log this !*/ 3327 plog(ASL_LEVEL_INFO, 3328 "Unknown IPsec-SA spi=%u, hmmmm?\n", 3329 ntohl(sa->sadb_sa_spi)); 3330 }else{ 3331 3332 /* 3333 * If we have a new ph1, do not purge IPsec-SAs binded 3334 * to a different ISAKMP-SA 3335 */ 3336 if (iph2->ph1 != NULL && iph2->ph1 != iph1){ 3337 msg = next; 3338 continue; 3339 } 3340 3341 /* If the ph2handle is established, do not purge IPsec-SA */ 3342 if (FSM_STATE_IS_ESTABLISHED_OR_EXPIRED(iph2->status)) { 3343 3344 plog(ASL_LEVEL_INFO, 3345 "keeping IPsec-SA spi=%u - found valid ISAKMP-SA spi=%s.\n", 3346 ntohl(sa->sadb_sa_spi), 3347 isakmp_pindex(&(new_iph1->index), new_iph1->msgid)); 3348 msg = next; 3349 continue; 3350 } 3351 } 3352 } 3353 3354 3355 pfkey_send_delete(lcconf->sock_pfkey, 3356 msg->sadb_msg_satype, 3357 IPSEC_MODE_ANY, 3358 src, dst, sa->sadb_sa_spi); 3359 3360 /* delete a relative phase 2 handle. */ 3361 if (iph2 != NULL) { 3362 delete_spd(iph2); 3363 ike_session_unlink_phase2(iph2); 3364 } 3365 3366 plog(ASL_LEVEL_INFO, 3367 "purged IPsec-SA spi=%u.\n", 3368 ntohl(sa->sadb_sa_spi)); 3369 3370 msg = next; 3371 } 3372 3373 if (buf) 3374 vfree(buf); 3375 3376 /* Mark the phase1 handler as EXPIRED */ 3377 plog(ASL_LEVEL_INFO, 3378 "purged ISAKMP-SA spi=%s.\n", 3379 isakmp_pindex(&(iph1->index), iph1->msgid)); 3380 3381 SCHED_KILL(iph1->sce); 3382 3383 iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1); 3384} 3385 3386void 3387delete_spd(iph2) 3388 phase2_handle_t *iph2; 3389{ 3390 if (iph2 == NULL) 3391 return; 3392 3393 /* Delete the SPD entry if we generated it 3394 */ 3395 if (iph2->generated_spidx) { 3396 union { 3397 u_int64_t force_align; // Wcast-align fix - force alignment 3398 struct policyindex spidx; 3399 } u; 3400 struct sockaddr_storage addr; 3401 u_int8_t pref; 3402 struct sockaddr_storage *src = iph2->src; 3403 struct sockaddr_storage *dst = iph2->dst; 3404 int error; 3405 int idi2type = 0;/* switch whether copy IDs into id[src,dst]. */ 3406 3407 plog(ASL_LEVEL_INFO, 3408 "generated policy, deleting it.\n"); 3409 3410 memset(&u.spidx, 0, sizeof(u.spidx)); 3411 iph2->spidx_gen = &u.spidx; 3412 3413 /* make inbound policy */ 3414 iph2->src = dst; 3415 iph2->dst = src; 3416 u.spidx.dir = IPSEC_DIR_INBOUND; 3417 u.spidx.ul_proto = 0; 3418 3419 /* 3420 * Note: code from get_proposal_r 3421 */ 3422 3423#define _XIDT(d) (ALIGNED_CAST(struct ipsecdoi_id_b *)((d)->v))->type 3424 3425 /* 3426 * make destination address in spidx from either ID payload 3427 * or phase 1 address into a address in spidx. 3428 */ 3429 if (iph2->id != NULL 3430 && (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR 3431 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR 3432 || _XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR_SUBNET 3433 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) { 3434 /* get a destination address of a policy */ 3435 error = ipsecdoi_id2sockaddr(iph2->id, &u.spidx.dst, 3436 &u.spidx.prefd, &u.spidx.ul_proto, iph2->version); 3437 if (error) 3438 goto purge; 3439 3440#ifdef INET6 3441 /* 3442 * get scopeid from the SA address. 3443 * note that the phase 1 source address is used as 3444 * a destination address to search for a inbound 3445 * policy entry because rcoon is responder. 3446 */ 3447 if (_XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) { 3448 if ((error = 3449 setscopeid(&u.spidx.dst, iph2->src)) != 0) 3450 goto purge; 3451 } 3452#endif 3453 3454 if (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR 3455 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) 3456 idi2type = _XIDT(iph2->id); 3457 3458 } else { 3459 3460 plog(ASL_LEVEL_DEBUG, 3461 "Get a destination address of SP index " 3462 "from Phase 1 address " 3463 "due to no ID payloads found " 3464 "OR because ID type is not address.\n"); 3465 3466 /* 3467 * copy the SOURCE address of IKE into the 3468 * DESTINATION address of the key to search the 3469 * SPD because the direction of policy is inbound. 3470 */ 3471 memcpy(&u.spidx.dst, iph2->src, sysdep_sa_len((struct sockaddr *)iph2->src)); 3472 switch (u.spidx.dst.ss_family) { 3473 case AF_INET: 3474 u.spidx.prefd = 3475 sizeof(struct in_addr) << 3; 3476 break; 3477#ifdef INET6 3478 case AF_INET6: 3479 u.spidx.prefd = 3480 sizeof(struct in6_addr) << 3; 3481 break; 3482#endif 3483 default: 3484 u.spidx.prefd = 0; 3485 break; 3486 } 3487 } 3488 3489 /* make source address in spidx */ 3490 if (iph2->id_p != NULL 3491 && (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR 3492 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR 3493 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR_SUBNET 3494 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) { 3495 /* get a source address of inbound SA */ 3496 error = ipsecdoi_id2sockaddr(iph2->id_p, &u.spidx.src, 3497 &u.spidx.prefs, &u.spidx.ul_proto, iph2->version); 3498 if (error) 3499 goto purge; 3500 3501#ifdef INET6 3502 /* 3503 * get scopeid from the SA address. 3504 * for more detail, see above of this function. 3505 */ 3506 if (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR) { 3507 error = 3508 setscopeid(&u.spidx.src, iph2->dst); 3509 if (error) 3510 goto purge; 3511 } 3512#endif 3513 3514 /* make id[src,dst] if both ID types are IP address and same */ 3515 if (_XIDT(iph2->id_p) == idi2type 3516 && u.spidx.dst.ss_family == u.spidx.src.ss_family) { 3517 iph2->src_id = 3518 dupsaddr(&u.spidx.dst); 3519 iph2->dst_id = 3520 dupsaddr(&u.spidx.src); 3521 } 3522 3523 } else { 3524 plog(ASL_LEVEL_DEBUG, 3525 "Get a source address of SP index " 3526 "from Phase 1 address " 3527 "due to no ID payloads found " 3528 "OR because ID type is not address.\n"); 3529 3530 /* see above comment. */ 3531 memcpy(&u.spidx.src, iph2->dst, sysdep_sa_len((struct sockaddr *)iph2->dst)); 3532 switch (u.spidx.src.ss_family) { 3533 case AF_INET: 3534 u.spidx.prefs = 3535 sizeof(struct in_addr) << 3; 3536 break; 3537#ifdef INET6 3538 case AF_INET6: 3539 u.spidx.prefs = 3540 sizeof(struct in6_addr) << 3; 3541 break; 3542#endif 3543 default: 3544 u.spidx.prefs = 0; 3545 break; 3546 } 3547 } 3548 3549#undef _XIDT 3550 3551 plog(ASL_LEVEL_DEBUG, 3552 "get a src address from ID payload " 3553 "%s prefixlen=%u ul_proto=%u\n", 3554 saddr2str((struct sockaddr *)&u.spidx.src), 3555 u.spidx.prefs, u.spidx.ul_proto); 3556 plog(ASL_LEVEL_DEBUG, 3557 "get dst address from ID payload " 3558 "%s prefixlen=%u ul_proto=%u\n", 3559 saddr2str((struct sockaddr *)&u.spidx.dst), 3560 u.spidx.prefd, u.spidx.ul_proto); 3561 3562 /* 3563 * convert the ul_proto if it is 0 3564 * because 0 in ID payload means a wild card. 3565 */ 3566 if (u.spidx.ul_proto == 0) 3567 u.spidx.ul_proto = IPSEC_ULPROTO_ANY; 3568 3569#undef _XIDT 3570 3571 /* End of code from get_proposal_r 3572 */ 3573 3574 if (pk_sendspddelete(iph2) < 0) { 3575 plog(ASL_LEVEL_ERR, 3576 "pfkey spddelete(inbound) failed.\n"); 3577 }else{ 3578 plog(ASL_LEVEL_DEBUG, 3579 "pfkey spddelete(inbound) sent.\n"); 3580 } 3581 3582#ifdef HAVE_POLICY_FWD 3583 /* make forward policy if required */ 3584 if (tunnel_mode_prop(iph2->approval)) { 3585 u.spidx.dir = IPSEC_DIR_FWD; 3586 if (pk_sendspddelete(iph2) < 0) { 3587 plog(ASL_LEVEL_ERR, 3588 "pfkey spddelete(forward) failed.\n"); 3589 }else{ 3590 plog(ASL_LEVEL_DEBUG, 3591 "pfkey spddelete(forward) sent.\n"); 3592 } 3593 } 3594#endif 3595 3596 /* make outbound policy */ 3597 iph2->src = src; 3598 iph2->dst = dst; 3599 u.spidx.dir = IPSEC_DIR_OUTBOUND; 3600 addr = u.spidx.src; 3601 u.spidx.src = u.spidx.dst; 3602 u.spidx.dst = addr; 3603 pref = u.spidx.prefs; 3604 u.spidx.prefs = u.spidx.prefd; 3605 u.spidx.prefd = pref; 3606 3607 if (pk_sendspddelete(iph2) < 0) { 3608 plog(ASL_LEVEL_ERR, 3609 "pfkey spddelete(outbound) failed.\n"); 3610 }else{ 3611 plog(ASL_LEVEL_DEBUG, 3612 "pfkey spddelete(outbound) sent.\n"); 3613 } 3614purge: 3615 iph2->spidx_gen=NULL; 3616 } 3617} 3618 3619#ifdef INET6 3620u_int32_t 3621setscopeid(sp_addr0, sa_addr0) 3622 struct sockaddr_storage *sp_addr0, *sa_addr0; 3623{ 3624 struct sockaddr_in6 *sp_addr, *sa_addr; 3625 3626 sp_addr = (struct sockaddr_in6 *)sp_addr0; 3627 sa_addr = (struct sockaddr_in6 *)sa_addr0; 3628 3629 if (!IN6_IS_ADDR_LINKLOCAL(&sp_addr->sin6_addr) 3630 && !IN6_IS_ADDR_SITELOCAL(&sp_addr->sin6_addr) 3631 && !IN6_IS_ADDR_MULTICAST(&sp_addr->sin6_addr)) 3632 return 0; 3633 3634 /* this check should not be here ? */ 3635 if (sa_addr->sin6_family != AF_INET6) { 3636 plog(ASL_LEVEL_ERR, 3637 "can't get scope ID: family mismatch\n"); 3638 return -1; 3639 } 3640 3641 if (!IN6_IS_ADDR_LINKLOCAL(&sa_addr->sin6_addr)) { 3642 plog(ASL_LEVEL_ERR, 3643 "scope ID is not supported except of lladdr.\n"); 3644 return -1; 3645 } 3646 3647 sp_addr->sin6_scope_id = sa_addr->sin6_scope_id; 3648 3649 return 0; 3650} 3651#endif 3652 3653vchar_t * 3654isakmp_plist_append_initial_contact (iph1, plist) 3655 phase1_handle_t *iph1; 3656 struct payload_list *plist; 3657{ 3658 if (!iph1->is_rekey && iph1->rmconf->ini_contact && !ike_session_getcontacted(iph1->remote)) { 3659 vchar_t *notp_ini = NULL; 3660 struct isakmp_pl_n np, *nptr; 3661 char *cptr; 3662 3663 np.doi = htonl(iph1->rmconf->doitype); 3664 np.proto_id = IPSECDOI_PROTO_ISAKMP; 3665 np.spi_size = sizeof(isakmp_index); 3666 np.type = htons(ISAKMP_NTYPE_INITIAL_CONTACT); 3667 if ((notp_ini = vmalloc(sizeof(struct isakmp_pl_n) - sizeof(struct isakmp_gen) 3668 + sizeof(isakmp_index)))) { 3669 nptr = &np; 3670 memcpy(notp_ini->v, &nptr->doi, sizeof(struct isakmp_pl_n) - sizeof(struct isakmp_gen)); 3671 cptr = notp_ini->v + sizeof(struct isakmp_pl_n) - sizeof(struct isakmp_gen); 3672 memcpy(cptr, &iph1->index, sizeof(isakmp_index)); 3673 plist = isakmp_plist_append(plist, notp_ini, ISAKMP_NPTYPE_N); 3674 plog(ASL_LEVEL_DEBUG, 3675 "added initial-contact payload.\n"); 3676 3677 /* insert a node into contacted list. */ 3678 if (ike_session_inscontacted(iph1->remote) == -1) { 3679 plog(ASL_LEVEL_ERR, 3680 "failed to add contacted list.\n"); 3681 /* ignore */ 3682 } 3683 return notp_ini; 3684 } else { 3685 plog(ASL_LEVEL_ERR, 3686 "failed to allocate notification payload.\n"); 3687 return NULL; 3688 } 3689 } else { 3690 plog(ASL_LEVEL_DEBUG, "failed to add initial-contact payload: rekey %d, ini-contact %d, contacted %d.\n", 3691 iph1->is_rekey? 1:0, iph1->rmconf->ini_contact, ike_session_getcontacted(iph1->remote)? 1:0); 3692 } 3693 return NULL; 3694} 3695