isakmp_inf.c revision 1.41
1/* $NetBSD: isakmp_inf.c,v 1.41 2009/07/03 06:41:46 tteras Exp $ */ 2 3/* Id: isakmp_inf.c,v 1.44 2006/05/06 20:45:52 manubsd Exp */ 4 5/* 6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of the project nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34#include "config.h" 35 36#include <sys/types.h> 37#include <sys/param.h> 38#include <sys/socket.h> 39 40#include <net/pfkeyv2.h> 41#include <netinet/in.h> 42#include <sys/queue.h> 43#include PATH_IPSEC_H 44 45#include <stdlib.h> 46#include <stdio.h> 47#include <string.h> 48#include <errno.h> 49#if TIME_WITH_SYS_TIME 50# include <sys/time.h> 51# include <time.h> 52#else 53# if HAVE_SYS_TIME_H 54# include <sys/time.h> 55# else 56# include <time.h> 57# endif 58#endif 59#ifdef ENABLE_HYBRID 60#include <resolv.h> 61#endif 62 63#include "libpfkey.h" 64 65#include "var.h" 66#include "vmbuf.h" 67#include "schedule.h" 68#include "str2val.h" 69#include "misc.h" 70#include "plog.h" 71#include "debug.h" 72 73#include "localconf.h" 74#include "remoteconf.h" 75#include "sockmisc.h" 76#include "handler.h" 77#include "policy.h" 78#include "proposal.h" 79#include "isakmp_var.h" 80#include "evt.h" 81#include "isakmp.h" 82#ifdef ENABLE_HYBRID 83#include "isakmp_xauth.h" 84#include "isakmp_unity.h" 85#include "isakmp_cfg.h" 86#endif 87#include "isakmp_inf.h" 88#include "oakley.h" 89#include "ipsec_doi.h" 90#include "crypto_openssl.h" 91#include "pfkey.h" 92#include "policy.h" 93#include "algorithm.h" 94#include "proposal.h" 95#include "admin.h" 96#include "strnames.h" 97#ifdef ENABLE_NATT 98#include "nattraversal.h" 99#endif 100 101/* information exchange */ 102static int isakmp_info_recv_n (struct ph1handle *, struct isakmp_pl_n *, u_int32_t, int); 103static int isakmp_info_recv_d (struct ph1handle *, struct isakmp_pl_d *, u_int32_t, int); 104 105#ifdef ENABLE_DPD 106static int isakmp_info_recv_r_u __P((struct ph1handle *, 107 struct isakmp_pl_ru *, u_int32_t)); 108static int isakmp_info_recv_r_u_ack __P((struct ph1handle *, 109 struct isakmp_pl_ru *, u_int32_t)); 110static void isakmp_info_send_r_u __P((struct sched *)); 111#endif 112 113static void purge_isakmp_spi __P((int, isakmp_index *, size_t)); 114 115/* %%% 116 * Information Exchange 117 */ 118/* 119 * receive Information 120 */ 121int 122isakmp_info_recv(iph1, msg0) 123 struct ph1handle *iph1; 124 vchar_t *msg0; 125{ 126 vchar_t *msg = NULL; 127 vchar_t *pbuf = NULL; 128 u_int32_t msgid = 0; 129 int error = -1; 130 struct isakmp *isakmp; 131 struct isakmp_gen *gen; 132 struct isakmp_parse_t *pa, *pap; 133 void *p; 134 vchar_t *hash, *payload; 135 struct isakmp_gen *nd; 136 u_int8_t np; 137 int encrypted; 138 139 plog(LLV_DEBUG, LOCATION, NULL, "receive Information.\n"); 140 141 encrypted = ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E); 142 msgid = ((struct isakmp *)msg0->v)->msgid; 143 144 /* Use new IV to decrypt Informational message. */ 145 if (encrypted) { 146 struct isakmp_ivm *ivm; 147 148 if (iph1->ivm == NULL) { 149 plog(LLV_ERROR, LOCATION, NULL, "iph1->ivm == NULL\n"); 150 return -1; 151 } 152 153 /* compute IV */ 154 ivm = oakley_newiv2(iph1, ((struct isakmp *)msg0->v)->msgid); 155 if (ivm == NULL) 156 return -1; 157 158 msg = oakley_do_decrypt(iph1, msg0, ivm->iv, ivm->ive); 159 oakley_delivm(ivm); 160 if (msg == NULL) 161 return -1; 162 163 } else 164 msg = vdup(msg0); 165 166 /* Safety check */ 167 if (msg->l < sizeof(*isakmp) + sizeof(*gen)) { 168 plog(LLV_ERROR, LOCATION, NULL, 169 "ignore information because the " 170 "message is way too short - %zu byte(s).\n", 171 msg->l); 172 goto end; 173 } 174 175 isakmp = (struct isakmp *)msg->v; 176 gen = (struct isakmp_gen *)((caddr_t)isakmp + sizeof(struct isakmp)); 177 np = gen->np; 178 179 if (encrypted) { 180 if (isakmp->np != ISAKMP_NPTYPE_HASH) { 181 plog(LLV_ERROR, LOCATION, NULL, 182 "ignore information because the " 183 "message has no hash payload.\n"); 184 goto end; 185 } 186 187 if (iph1->status != PHASE1ST_ESTABLISHED && 188 iph1->status != PHASE1ST_DYING) { 189 plog(LLV_ERROR, LOCATION, NULL, 190 "ignore information because ISAKMP-SA " 191 "has not been established yet.\n"); 192 goto end; 193 } 194 195 /* Safety check */ 196 if (msg->l < sizeof(*isakmp) + ntohs(gen->len) + sizeof(*nd)) { 197 plog(LLV_ERROR, LOCATION, NULL, 198 "ignore information because the " 199 "message is too short - %zu byte(s).\n", 200 msg->l); 201 goto end; 202 } 203 204 p = (caddr_t) gen + sizeof(struct isakmp_gen); 205 nd = (struct isakmp_gen *) ((caddr_t) gen + ntohs(gen->len)); 206 207 /* nd length check */ 208 if (ntohs(nd->len) > msg->l - (sizeof(struct isakmp) + 209 ntohs(gen->len))) { 210 plog(LLV_ERROR, LOCATION, NULL, 211 "too long payload length (broken message?)\n"); 212 goto end; 213 } 214 215 if (ntohs(nd->len) < sizeof(*nd)) { 216 plog(LLV_ERROR, LOCATION, NULL, 217 "too short payload length (broken message?)\n"); 218 goto end; 219 } 220 221 payload = vmalloc(ntohs(nd->len)); 222 if (payload == NULL) { 223 plog(LLV_ERROR, LOCATION, NULL, 224 "cannot allocate memory\n"); 225 goto end; 226 } 227 228 memcpy(payload->v, (caddr_t) nd, ntohs(nd->len)); 229 230 /* compute HASH */ 231 hash = oakley_compute_hash1(iph1, isakmp->msgid, payload); 232 if (hash == NULL) { 233 plog(LLV_ERROR, LOCATION, NULL, 234 "cannot compute hash\n"); 235 236 vfree(payload); 237 goto end; 238 } 239 240 if (ntohs(gen->len) - sizeof(struct isakmp_gen) != hash->l) { 241 plog(LLV_ERROR, LOCATION, NULL, 242 "ignore information due to hash length mismatch\n"); 243 244 vfree(hash); 245 vfree(payload); 246 goto end; 247 } 248 249 if (memcmp(p, hash->v, hash->l) != 0) { 250 plog(LLV_ERROR, LOCATION, NULL, 251 "ignore information due to hash mismatch\n"); 252 253 vfree(hash); 254 vfree(payload); 255 goto end; 256 } 257 258 plog(LLV_DEBUG, LOCATION, NULL, "hash validated.\n"); 259 260 vfree(hash); 261 vfree(payload); 262 } else { 263 /* make sure the packet was encrypted after the beginning of phase 1. */ 264 switch (iph1->etype) { 265 case ISAKMP_ETYPE_AGG: 266 case ISAKMP_ETYPE_BASE: 267 case ISAKMP_ETYPE_IDENT: 268 if ((iph1->side == INITIATOR && iph1->status < PHASE1ST_MSG3SENT) 269 || (iph1->side == RESPONDER && iph1->status < PHASE1ST_MSG2SENT)) { 270 break; 271 } 272 /*FALLTHRU*/ 273 default: 274 plog(LLV_ERROR, LOCATION, iph1->remote, 275 "%s message must be encrypted\n", 276 s_isakmp_nptype(np)); 277 error = 0; 278 goto end; 279 } 280 } 281 282 if (!(pbuf = isakmp_parse(msg))) { 283 error = -1; 284 goto end; 285 } 286 287 error = 0; 288 for (pa = (struct isakmp_parse_t *)pbuf->v; pa->type; pa++) { 289 switch (pa->type) { 290 case ISAKMP_NPTYPE_HASH: 291 /* Handled above */ 292 break; 293 case ISAKMP_NPTYPE_N: 294 error = isakmp_info_recv_n(iph1, 295 (struct isakmp_pl_n *)pa->ptr, 296 msgid, encrypted); 297 break; 298 case ISAKMP_NPTYPE_D: 299 error = isakmp_info_recv_d(iph1, 300 (struct isakmp_pl_d *)pa->ptr, 301 msgid, encrypted); 302 break; 303 case ISAKMP_NPTYPE_NONCE: 304 /* XXX to be 6.4.2 ike-01.txt */ 305 /* XXX IV is to be synchronized. */ 306 plog(LLV_ERROR, LOCATION, iph1->remote, 307 "ignore Acknowledged Informational\n"); 308 break; 309 default: 310 /* don't send information, see isakmp_ident_r1() */ 311 error = 0; 312 plog(LLV_ERROR, LOCATION, iph1->remote, 313 "reject the packet, " 314 "received unexpected payload type %s.\n", 315 s_isakmp_nptype(gen->np)); 316 } 317 if (error < 0) 318 break; 319 } 320 end: 321 if (msg != NULL) 322 vfree(msg); 323 if (pbuf != NULL) 324 vfree(pbuf); 325 return error; 326} 327 328 329/* 330 * log unhandled / unallowed Notification payload 331 */ 332int 333isakmp_log_notify(iph1, notify, exchange) 334 struct ph1handle *iph1; 335 struct isakmp_pl_n *notify; 336 const char *exchange; 337{ 338 u_int type; 339 char *nraw, *ndata, *nhex; 340 size_t l; 341 342 type = ntohs(notify->type); 343 if (ntohs(notify->h.len) < sizeof(*notify) + notify->spi_size) { 344 plog(LLV_ERROR, LOCATION, iph1->remote, 345 "invalid spi_size in %s notification in %s.\n", 346 s_isakmp_notify_msg(type), exchange); 347 return -1; 348 } 349 350 plog(LLV_ERROR, LOCATION, iph1->remote, 351 "notification %s received in %s.\n", 352 s_isakmp_notify_msg(type), exchange); 353 354 nraw = ((char*) notify) + sizeof(*notify) + notify->spi_size; 355 l = ntohs(notify->h.len) - sizeof(*notify) - notify->spi_size; 356 if (l > 0) { 357 if (type >= ISAKMP_NTYPE_MINERROR && 358 type <= ISAKMP_NTYPE_MAXERROR) { 359 ndata = binsanitize(nraw, l); 360 if (ndata != NULL) { 361 plog(LLV_ERROR, LOCATION, iph1->remote, 362 "error message: '%s'.\n", 363 ndata); 364 racoon_free(ndata); 365 } else { 366 plog(LLV_ERROR, LOCATION, iph1->remote, 367 "Cannot allocate memory\n"); 368 } 369 } else { 370 nhex = val2str(nraw, l); 371 if (nhex != NULL) { 372 plog(LLV_ERROR, LOCATION, iph1->remote, 373 "notification payload: %s.\n", 374 nhex); 375 racoon_free(nhex); 376 } else { 377 plog(LLV_ERROR, LOCATION, iph1->remote, 378 "Cannot allocate memory\n"); 379 } 380 } 381 } 382 383 return 0; 384} 385 386 387/* 388 * handling of Notification payload 389 */ 390static int 391isakmp_info_recv_n(iph1, notify, msgid, encrypted) 392 struct ph1handle *iph1; 393 struct isakmp_pl_n *notify; 394 u_int32_t msgid; 395 int encrypted; 396{ 397 u_int type; 398 399 type = ntohs(notify->type); 400 switch (type) { 401 case ISAKMP_NTYPE_CONNECTED: 402 case ISAKMP_NTYPE_RESPONDER_LIFETIME: 403 case ISAKMP_NTYPE_REPLAY_STATUS: 404#ifdef ENABLE_HYBRID 405 case ISAKMP_NTYPE_UNITY_HEARTBEAT: 406#endif 407 /* do something */ 408 break; 409 case ISAKMP_NTYPE_INITIAL_CONTACT: 410 if (encrypted) 411 return isakmp_info_recv_initialcontact(iph1, NULL); 412 break; 413#ifdef ENABLE_DPD 414 case ISAKMP_NTYPE_R_U_THERE: 415 if (encrypted) 416 return isakmp_info_recv_r_u(iph1, 417 (struct isakmp_pl_ru *)notify, msgid); 418 break; 419 case ISAKMP_NTYPE_R_U_THERE_ACK: 420 if (encrypted) 421 return isakmp_info_recv_r_u_ack(iph1, 422 (struct isakmp_pl_ru *)notify, msgid); 423 break; 424#endif 425 } 426 427 /* If we receive a error notification we should delete the related 428 * phase1 / phase2 handle, and send an event to racoonctl. 429 * However, since phase1 error notifications are not encrypted and 430 * can not be authenticated, it would allow a DoS attack possibility 431 * to handle them. 432 * Phase2 error notifications should be encrypted, so we could handle 433 * those, but it needs implementing (the old code didn't implement 434 * that either). 435 * So we are good to just log the messages here. 436 */ 437 if (encrypted) 438 isakmp_log_notify(iph1, notify, "informational exchange"); 439 else 440 isakmp_log_notify(iph1, notify, "unencrypted informational exchange"); 441 442 return 0; 443} 444 445/* 446 * handling of Deletion payload 447 */ 448static int 449isakmp_info_recv_d(iph1, delete, msgid, encrypted) 450 struct ph1handle *iph1; 451 struct isakmp_pl_d *delete; 452 u_int32_t msgid; 453 int encrypted; 454{ 455 int tlen, num_spi; 456 vchar_t *pbuf; 457 int protected = 0; 458 struct ph1handle *del_ph1; 459 struct ph2handle *iph2; 460 union { 461 u_int32_t spi32; 462 u_int16_t spi16[2]; 463 } spi; 464 465 if (ntohl(delete->doi) != IPSEC_DOI) { 466 plog(LLV_ERROR, LOCATION, iph1->remote, 467 "delete payload with invalid doi:%d.\n", 468 ntohl(delete->doi)); 469#ifdef ENABLE_HYBRID 470 /* 471 * At deconnexion time, Cisco VPN client does this 472 * with a zero DOI. Don't give up in that situation. 473 */ 474 if (((iph1->mode_cfg->flags & 475 ISAKMP_CFG_VENDORID_UNITY) == 0) || (delete->doi != 0)) 476 return 0; 477#else 478 return 0; 479#endif 480 } 481 482 num_spi = ntohs(delete->num_spi); 483 tlen = ntohs(delete->h.len) - sizeof(struct isakmp_pl_d); 484 485 if (tlen != num_spi * delete->spi_size) { 486 plog(LLV_ERROR, LOCATION, iph1->remote, 487 "deletion payload with invalid length.\n"); 488 return 0; 489 } 490 491 plog(LLV_DEBUG, LOCATION, iph1->remote, 492 "delete payload for protocol %s\n", 493 s_ipsecdoi_proto(delete->proto_id)); 494 495 if(!iph1->rmconf->weak_phase1_check && !encrypted) { 496 plog(LLV_WARNING, LOCATION, iph1->remote, 497 "Ignoring unencrypted delete payload " 498 "(check the weak_phase1_check option)\n"); 499 return 0; 500 } 501 502 switch (delete->proto_id) { 503 case IPSECDOI_PROTO_ISAKMP: 504 if (delete->spi_size != sizeof(isakmp_index)) { 505 plog(LLV_ERROR, LOCATION, iph1->remote, 506 "delete payload with strange spi " 507 "size %d(proto_id:%d)\n", 508 delete->spi_size, delete->proto_id); 509 return 0; 510 } 511 512 del_ph1=getph1byindex((isakmp_index *)(delete + 1)); 513 if(del_ph1 != NULL){ 514 515 evt_phase1(iph1, EVT_PHASE1_PEER_DELETED, NULL); 516 sched_cancel(&del_ph1->scr); 517 518 /* 519 * Do not delete IPsec SAs when receiving an IKE delete notification. 520 * Just delete the IKE SA. 521 */ 522 isakmp_ph1expire(del_ph1); 523 } 524 break; 525 526 case IPSECDOI_PROTO_IPSEC_AH: 527 case IPSECDOI_PROTO_IPSEC_ESP: 528 if (delete->spi_size != sizeof(u_int32_t)) { 529 plog(LLV_ERROR, LOCATION, iph1->remote, 530 "delete payload with strange spi " 531 "size %d(proto_id:%d)\n", 532 delete->spi_size, delete->proto_id); 533 return 0; 534 } 535 purge_ipsec_spi(iph1->remote, delete->proto_id, 536 (u_int32_t *)(delete + 1), num_spi); 537 break; 538 539 case IPSECDOI_PROTO_IPCOMP: 540 /* need to handle both 16bit/32bit SPI */ 541 memset(&spi, 0, sizeof(spi)); 542 if (delete->spi_size == sizeof(spi.spi16[1])) { 543 memcpy(&spi.spi16[1], delete + 1, 544 sizeof(spi.spi16[1])); 545 } else if (delete->spi_size == sizeof(spi.spi32)) 546 memcpy(&spi.spi32, delete + 1, sizeof(spi.spi32)); 547 else { 548 plog(LLV_ERROR, LOCATION, iph1->remote, 549 "delete payload with strange spi " 550 "size %d(proto_id:%d)\n", 551 delete->spi_size, delete->proto_id); 552 return 0; 553 } 554 purge_ipsec_spi(iph1->remote, delete->proto_id, 555 &spi.spi32, num_spi); 556 break; 557 558 default: 559 plog(LLV_ERROR, LOCATION, iph1->remote, 560 "deletion message received, " 561 "invalid proto_id: %d\n", 562 delete->proto_id); 563 return 0; 564 } 565 566 plog(LLV_DEBUG, LOCATION, NULL, "purged SAs.\n"); 567 568 return 0; 569} 570 571/* 572 * send Delete payload (for ISAKMP SA) in Informational exchange. 573 */ 574int 575isakmp_info_send_d1(iph1) 576 struct ph1handle *iph1; 577{ 578 struct isakmp_pl_d *d; 579 vchar_t *payload = NULL; 580 int tlen; 581 int error = 0; 582 583 if (iph1->status != PHASE2ST_ESTABLISHED) 584 return 0; 585 586 /* create delete payload */ 587 588 /* send SPIs of inbound SAs. */ 589 /* XXX should send outbound SAs's ? */ 590 tlen = sizeof(*d) + sizeof(isakmp_index); 591 payload = vmalloc(tlen); 592 if (payload == NULL) { 593 plog(LLV_ERROR, LOCATION, NULL, 594 "failed to get buffer for payload.\n"); 595 return errno; 596 } 597 598 d = (struct isakmp_pl_d *)payload->v; 599 d->h.np = ISAKMP_NPTYPE_NONE; 600 d->h.len = htons(tlen); 601 d->doi = htonl(IPSEC_DOI); 602 d->proto_id = IPSECDOI_PROTO_ISAKMP; 603 d->spi_size = sizeof(isakmp_index); 604 d->num_spi = htons(1); 605 memcpy(d + 1, &iph1->index, sizeof(isakmp_index)); 606 607 error = isakmp_info_send_common(iph1, payload, 608 ISAKMP_NPTYPE_D, 0); 609 vfree(payload); 610 611 return error; 612} 613 614/* 615 * send Delete payload (for IPsec SA) in Informational exchange, based on 616 * pfkey msg. It sends always single SPI. 617 */ 618int 619isakmp_info_send_d2(iph2) 620 struct ph2handle *iph2; 621{ 622 struct ph1handle *iph1; 623 struct saproto *pr; 624 struct isakmp_pl_d *d; 625 vchar_t *payload = NULL; 626 int tlen; 627 int error = 0; 628 u_int8_t *spi; 629 630 if (iph2->status != PHASE2ST_ESTABLISHED) 631 return 0; 632 633 /* 634 * don't send delete information if there is no phase 1 handler. 635 * It's nonsensical to negotiate phase 1 to send the information. 636 */ 637 iph1 = getph1byaddr(iph2->src, iph2->dst, 0); 638 if (iph1 == NULL){ 639 plog(LLV_DEBUG2, LOCATION, NULL, 640 "No ph1 handler found, could not send DELETE_SA\n"); 641 return 0; 642 } 643 644 /* create delete payload */ 645 for (pr = iph2->approval->head; pr != NULL; pr = pr->next) { 646 647 /* send SPIs of inbound SAs. */ 648 /* 649 * XXX should I send outbound SAs's ? 650 * I send inbound SAs's SPI only at the moment because I can't 651 * decode any more if peer send encoded packet without aware of 652 * deletion of SA. Outbound SAs don't come under the situation. 653 */ 654 tlen = sizeof(*d) + pr->spisize; 655 payload = vmalloc(tlen); 656 if (payload == NULL) { 657 plog(LLV_ERROR, LOCATION, NULL, 658 "failed to get buffer for payload.\n"); 659 return errno; 660 } 661 662 d = (struct isakmp_pl_d *)payload->v; 663 d->h.np = ISAKMP_NPTYPE_NONE; 664 d->h.len = htons(tlen); 665 d->doi = htonl(IPSEC_DOI); 666 d->proto_id = pr->proto_id; 667 d->spi_size = pr->spisize; 668 d->num_spi = htons(1); 669 /* 670 * XXX SPI bits are left-filled, for use with IPComp. 671 * we should be switching to variable-length spi field... 672 */ 673 spi = (u_int8_t *)&pr->spi; 674 spi += sizeof(pr->spi); 675 spi -= pr->spisize; 676 memcpy(d + 1, spi, pr->spisize); 677 678 error = isakmp_info_send_common(iph1, payload, 679 ISAKMP_NPTYPE_D, 0); 680 vfree(payload); 681 } 682 683 return error; 684} 685 686/* 687 * send Notification payload (for without ISAKMP SA) in Informational exchange 688 */ 689int 690isakmp_info_send_nx(isakmp, remote, local, type, data) 691 struct isakmp *isakmp; 692 struct sockaddr *remote, *local; 693 int type; 694 vchar_t *data; 695{ 696 struct ph1handle *iph1 = NULL; 697 vchar_t *payload = NULL; 698 int tlen; 699 int error = -1; 700 struct isakmp_pl_n *n; 701 int spisiz = 0; /* see below */ 702 703 /* add new entry to isakmp status table. */ 704 iph1 = newph1(); 705 if (iph1 == NULL) 706 return -1; 707 708 memcpy(&iph1->index.i_ck, &isakmp->i_ck, sizeof(cookie_t)); 709 isakmp_newcookie((char *)&iph1->index.r_ck, remote, local); 710 iph1->status = PHASE1ST_START; 711 iph1->side = INITIATOR; 712 iph1->version = isakmp->v; 713 iph1->flags = 0; 714 iph1->msgid = 0; /* XXX */ 715#ifdef ENABLE_HYBRID 716 if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL) 717 goto end; 718#endif 719#ifdef ENABLE_FRAG 720 iph1->frag = 0; 721 iph1->frag_chain = NULL; 722#endif 723 724 /* copy remote address */ 725 if (copy_ph1addresses(iph1, NULL, remote, local) < 0) 726 goto end; 727 728 tlen = sizeof(*n) + spisiz; 729 if (data) 730 tlen += data->l; 731 payload = vmalloc(tlen); 732 if (payload == NULL) { 733 plog(LLV_ERROR, LOCATION, NULL, 734 "failed to get buffer to send.\n"); 735 goto end; 736 } 737 738 n = (struct isakmp_pl_n *)payload->v; 739 n->h.np = ISAKMP_NPTYPE_NONE; 740 n->h.len = htons(tlen); 741 n->doi = htonl(IPSEC_DOI); 742 n->proto_id = IPSECDOI_KEY_IKE; 743 n->spi_size = spisiz; 744 n->type = htons(type); 745 if (spisiz) 746 memset(n + 1, 0, spisiz); /* XXX spisiz is always 0 */ 747 if (data) 748 memcpy((caddr_t)(n + 1) + spisiz, data->v, data->l); 749 750 error = isakmp_info_send_common(iph1, payload, ISAKMP_NPTYPE_N, 0); 751 vfree(payload); 752 753 end: 754 if (iph1 != NULL) 755 delph1(iph1); 756 757 return error; 758} 759 760/* 761 * send Notification payload (for ISAKMP SA) in Informational exchange 762 */ 763int 764isakmp_info_send_n1(iph1, type, data) 765 struct ph1handle *iph1; 766 int type; 767 vchar_t *data; 768{ 769 vchar_t *payload = NULL; 770 int tlen; 771 int error = 0; 772 struct isakmp_pl_n *n; 773 int spisiz; 774 775 /* 776 * note on SPI size: which description is correct? I have chosen 777 * this to be 0. 778 * 779 * RFC2408 3.1, 2nd paragraph says: ISAKMP SA is identified by 780 * Initiator/Responder cookie and SPI has no meaning, SPI size = 0. 781 * RFC2408 3.1, first paragraph on page 40: ISAKMP SA is identified 782 * by cookie and SPI has no meaning, 0 <= SPI size <= 16. 783 * RFC2407 4.6.3.3, INITIAL-CONTACT is required to set to 16. 784 */ 785 if (type == ISAKMP_NTYPE_INITIAL_CONTACT) 786 spisiz = sizeof(isakmp_index); 787 else 788 spisiz = 0; 789 790 tlen = sizeof(*n) + spisiz; 791 if (data) 792 tlen += data->l; 793 payload = vmalloc(tlen); 794 if (payload == NULL) { 795 plog(LLV_ERROR, LOCATION, NULL, 796 "failed to get buffer to send.\n"); 797 return errno; 798 } 799 800 n = (struct isakmp_pl_n *)payload->v; 801 n->h.np = ISAKMP_NPTYPE_NONE; 802 n->h.len = htons(tlen); 803 n->doi = htonl(iph1->rmconf->doitype); 804 n->proto_id = IPSECDOI_PROTO_ISAKMP; /* XXX to be configurable ? */ 805 n->spi_size = spisiz; 806 n->type = htons(type); 807 if (spisiz) 808 memcpy(n + 1, &iph1->index, sizeof(isakmp_index)); 809 if (data) 810 memcpy((caddr_t)(n + 1) + spisiz, data->v, data->l); 811 812 error = isakmp_info_send_common(iph1, payload, ISAKMP_NPTYPE_N, iph1->flags); 813 vfree(payload); 814 815 return error; 816} 817 818/* 819 * send Notification payload (for IPsec SA) in Informational exchange 820 */ 821int 822isakmp_info_send_n2(iph2, type, data) 823 struct ph2handle *iph2; 824 int type; 825 vchar_t *data; 826{ 827 struct ph1handle *iph1 = iph2->ph1; 828 vchar_t *payload = NULL; 829 int tlen; 830 int error = 0; 831 struct isakmp_pl_n *n; 832 struct saproto *pr; 833 834 if (!iph2->approval) 835 return EINVAL; 836 837 pr = iph2->approval->head; 838 839 /* XXX must be get proper spi */ 840 tlen = sizeof(*n) + pr->spisize; 841 if (data) 842 tlen += data->l; 843 payload = vmalloc(tlen); 844 if (payload == NULL) { 845 plog(LLV_ERROR, LOCATION, NULL, 846 "failed to get buffer to send.\n"); 847 return errno; 848 } 849 850 n = (struct isakmp_pl_n *)payload->v; 851 n->h.np = ISAKMP_NPTYPE_NONE; 852 n->h.len = htons(tlen); 853 n->doi = htonl(IPSEC_DOI); /* IPSEC DOI (1) */ 854 n->proto_id = pr->proto_id; /* IPSEC AH/ESP/whatever*/ 855 n->spi_size = pr->spisize; 856 n->type = htons(type); 857 *(u_int32_t *)(n + 1) = pr->spi; 858 if (data) 859 memcpy((caddr_t)(n + 1) + pr->spisize, data->v, data->l); 860 861 iph2->flags |= ISAKMP_FLAG_E; /* XXX Should we do FLAG_A ? */ 862 error = isakmp_info_send_common(iph1, payload, ISAKMP_NPTYPE_N, iph2->flags); 863 vfree(payload); 864 865 return error; 866} 867 868/* 869 * send Information 870 * When ph1->skeyid_a == NULL, send message without encoding. 871 */ 872int 873isakmp_info_send_common(iph1, payload, np, flags) 874 struct ph1handle *iph1; 875 vchar_t *payload; 876 u_int32_t np; 877 int flags; 878{ 879 struct ph2handle *iph2 = NULL; 880 vchar_t *hash = NULL; 881 struct isakmp *isakmp; 882 struct isakmp_gen *gen; 883 char *p; 884 int tlen; 885 int error = -1; 886 887 /* add new entry to isakmp status table */ 888 iph2 = newph2(); 889 if (iph2 == NULL) 890 goto end; 891 892 iph2->dst = dupsaddr(iph1->remote); 893 if (iph2->dst == NULL) { 894 delph2(iph2); 895 goto end; 896 } 897 iph2->src = dupsaddr(iph1->local); 898 if (iph2->src == NULL) { 899 delph2(iph2); 900 goto end; 901 } 902 iph2->side = INITIATOR; 903 iph2->status = PHASE2ST_START; 904 iph2->msgid = isakmp_newmsgid2(iph1); 905 906 /* get IV and HASH(1) if skeyid_a was generated. */ 907 if (iph1->skeyid_a != NULL) { 908 iph2->ivm = oakley_newiv2(iph1, iph2->msgid); 909 if (iph2->ivm == NULL) { 910 delph2(iph2); 911 goto end; 912 } 913 914 /* generate HASH(1) */ 915 hash = oakley_compute_hash1(iph1, iph2->msgid, payload); 916 if (hash == NULL) { 917 delph2(iph2); 918 goto end; 919 } 920 921 /* initialized total buffer length */ 922 tlen = hash->l; 923 tlen += sizeof(*gen); 924 } else { 925 /* IKE-SA is not established */ 926 hash = NULL; 927 928 /* initialized total buffer length */ 929 tlen = 0; 930 } 931 if ((flags & ISAKMP_FLAG_A) == 0) 932 iph2->flags = (hash == NULL ? 0 : ISAKMP_FLAG_E); 933 else 934 iph2->flags = (hash == NULL ? 0 : ISAKMP_FLAG_A); 935 936 insph2(iph2); 937 bindph12(iph1, iph2); 938 939 tlen += sizeof(*isakmp) + payload->l; 940 941 /* create buffer for isakmp payload */ 942 iph2->sendbuf = vmalloc(tlen); 943 if (iph2->sendbuf == NULL) { 944 plog(LLV_ERROR, LOCATION, NULL, 945 "failed to get buffer to send.\n"); 946 goto err; 947 } 948 949 /* create isakmp header */ 950 isakmp = (struct isakmp *)iph2->sendbuf->v; 951 memcpy(&isakmp->i_ck, &iph1->index.i_ck, sizeof(cookie_t)); 952 memcpy(&isakmp->r_ck, &iph1->index.r_ck, sizeof(cookie_t)); 953 isakmp->np = hash == NULL ? (np & 0xff) : ISAKMP_NPTYPE_HASH; 954 isakmp->v = iph1->version; 955 isakmp->etype = ISAKMP_ETYPE_INFO; 956 isakmp->flags = iph2->flags; 957 memcpy(&isakmp->msgid, &iph2->msgid, sizeof(isakmp->msgid)); 958 isakmp->len = htonl(tlen); 959 p = (char *)(isakmp + 1); 960 961 /* create HASH payload */ 962 if (hash != NULL) { 963 gen = (struct isakmp_gen *)p; 964 gen->np = np & 0xff; 965 gen->len = htons(sizeof(*gen) + hash->l); 966 p += sizeof(*gen); 967 memcpy(p, hash->v, hash->l); 968 p += hash->l; 969 } 970 971 /* add payload */ 972 memcpy(p, payload->v, payload->l); 973 p += payload->l; 974 975#ifdef HAVE_PRINT_ISAKMP_C 976 isakmp_printpacket(iph2->sendbuf, iph1->local, iph1->remote, 1); 977#endif 978 979 /* encoding */ 980 if (ISSET(isakmp->flags, ISAKMP_FLAG_E)) { 981 vchar_t *tmp; 982 983 tmp = oakley_do_encrypt(iph2->ph1, iph2->sendbuf, iph2->ivm->ive, 984 iph2->ivm->iv); 985 VPTRINIT(iph2->sendbuf); 986 if (tmp == NULL) 987 goto err; 988 iph2->sendbuf = tmp; 989 } 990 991 /* HDR*, HASH(1), N */ 992 if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0) { 993 VPTRINIT(iph2->sendbuf); 994 goto err; 995 } 996 997 plog(LLV_DEBUG, LOCATION, NULL, 998 "sendto Information %s.\n", s_isakmp_nptype(np)); 999 1000 /* 1001 * don't resend notify message because peer can use Acknowledged 1002 * Informational if peer requires the reply of the notify message. 1003 */ 1004 1005 /* XXX If Acknowledged Informational required, don't delete ph2handle */ 1006 error = 0; 1007 VPTRINIT(iph2->sendbuf); 1008 goto err; /* XXX */ 1009 1010end: 1011 if (hash) 1012 vfree(hash); 1013 return error; 1014 1015err: 1016 remph2(iph2); 1017 delph2(iph2); 1018 goto end; 1019} 1020 1021/* 1022 * add a notify payload to buffer by reallocating buffer. 1023 * If buf == NULL, the function only create a notify payload. 1024 * 1025 * XXX Which is SPI to be included, inbound or outbound ? 1026 */ 1027vchar_t * 1028isakmp_add_pl_n(buf0, np_p, type, pr, data) 1029 vchar_t *buf0; 1030 u_int8_t **np_p; 1031 int type; 1032 struct saproto *pr; 1033 vchar_t *data; 1034{ 1035 vchar_t *buf = NULL; 1036 struct isakmp_pl_n *n; 1037 int tlen; 1038 int oldlen = 0; 1039 1040 if (*np_p) 1041 **np_p = ISAKMP_NPTYPE_N; 1042 1043 tlen = sizeof(*n) + pr->spisize; 1044 1045 if (data) 1046 tlen += data->l; 1047 if (buf0) { 1048 oldlen = buf0->l; 1049 buf = vrealloc(buf0, buf0->l + tlen); 1050 } else 1051 buf = vmalloc(tlen); 1052 if (!buf) { 1053 plog(LLV_ERROR, LOCATION, NULL, 1054 "failed to get a payload buffer.\n"); 1055 return NULL; 1056 } 1057 1058 n = (struct isakmp_pl_n *)(buf->v + oldlen); 1059 n->h.np = ISAKMP_NPTYPE_NONE; 1060 n->h.len = htons(tlen); 1061 n->doi = htonl(IPSEC_DOI); /* IPSEC DOI (1) */ 1062 n->proto_id = pr->proto_id; /* IPSEC AH/ESP/whatever*/ 1063 n->spi_size = pr->spisize; 1064 n->type = htons(type); 1065 *(u_int32_t *)(n + 1) = pr->spi; /* XXX */ 1066 if (data) 1067 memcpy((caddr_t)(n + 1) + pr->spisize, data->v, data->l); 1068 1069 /* save the pointer of next payload type */ 1070 *np_p = &n->h.np; 1071 1072 return buf; 1073} 1074 1075static void 1076purge_isakmp_spi(proto, spi, n) 1077 int proto; 1078 isakmp_index *spi; /*network byteorder*/ 1079 size_t n; 1080{ 1081 struct ph1handle *iph1; 1082 size_t i; 1083 1084 for (i = 0; i < n; i++) { 1085 iph1 = getph1byindex(&spi[i]); 1086 if (!iph1) 1087 continue; 1088 1089 plog(LLV_INFO, LOCATION, NULL, 1090 "purged ISAKMP-SA proto_id=%s spi=%s.\n", 1091 s_ipsecdoi_proto(proto), 1092 isakmp_pindex(&spi[i], 0)); 1093 1094 iph1->status = PHASE1ST_EXPIRED; 1095 sched_schedule(&iph1->sce, 1, isakmp_ph1delete_stub); 1096 } 1097} 1098 1099 1100 1101void 1102purge_ipsec_spi(dst0, proto, spi, n) 1103 struct sockaddr *dst0; 1104 int proto; 1105 u_int32_t *spi; /*network byteorder*/ 1106 size_t n; 1107{ 1108 vchar_t *buf = NULL; 1109 struct sadb_msg *msg, *next, *end; 1110 struct sadb_sa *sa; 1111 struct sadb_lifetime *lt; 1112 struct sockaddr *src, *dst; 1113 struct ph2handle *iph2; 1114 u_int64_t created; 1115 size_t i; 1116 caddr_t mhp[SADB_EXT_MAX + 1]; 1117 1118 plog(LLV_DEBUG2, LOCATION, NULL, 1119 "purge_ipsec_spi:\n"); 1120 plog(LLV_DEBUG2, LOCATION, NULL, "dst0: %s\n", saddr2str(dst0)); 1121 plog(LLV_DEBUG2, LOCATION, NULL, "SPI: %08X\n", ntohl(spi[0])); 1122 1123 buf = pfkey_dump_sadb(ipsecdoi2pfkey_proto(proto)); 1124 if (buf == NULL) { 1125 plog(LLV_DEBUG, LOCATION, NULL, 1126 "pfkey_dump_sadb returned nothing.\n"); 1127 return; 1128 } 1129 1130 msg = (struct sadb_msg *)buf->v; 1131 end = (struct sadb_msg *)(buf->v + buf->l); 1132 1133 while (msg < end) { 1134 if ((msg->sadb_msg_len << 3) < sizeof(*msg)) 1135 break; 1136 next = (struct sadb_msg *)((caddr_t)msg + (msg->sadb_msg_len << 3)); 1137 if (msg->sadb_msg_type != SADB_DUMP) { 1138 msg = next; 1139 continue; 1140 } 1141 1142 if (pfkey_align(msg, mhp) || pfkey_check(mhp)) { 1143 plog(LLV_ERROR, LOCATION, NULL, 1144 "pfkey_check (%s)\n", ipsec_strerror()); 1145 msg = next; 1146 continue; 1147 } 1148 1149 sa = (struct sadb_sa *)(mhp[SADB_EXT_SA]); 1150 if (!sa 1151 || !mhp[SADB_EXT_ADDRESS_SRC] 1152 || !mhp[SADB_EXT_ADDRESS_DST]) { 1153 msg = next; 1154 continue; 1155 } 1156 pk_fixup_sa_addresses(mhp); 1157 src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); 1158 dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]); 1159 lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD]; 1160 if(lt != NULL) 1161 created = lt->sadb_lifetime_addtime; 1162 else 1163 created = 0; 1164 1165 if (sa->sadb_sa_state != SADB_SASTATE_MATURE 1166 && sa->sadb_sa_state != SADB_SASTATE_DYING) { 1167 msg = next; 1168 continue; 1169 } 1170 1171 plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str(src)); 1172 plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str(dst)); 1173 1174 /* XXX n^2 algorithm, inefficient */ 1175 1176 /* don't delete inbound SAs at the moment */ 1177 /* XXX should we remove SAs with opposite direction as well? */ 1178 if (cmpsaddr(dst0, dst)) { 1179 msg = next; 1180 continue; 1181 } 1182 1183 for (i = 0; i < n; i++) { 1184 plog(LLV_DEBUG, LOCATION, NULL, 1185 "check spi(packet)=%u spi(db)=%u.\n", 1186 ntohl(spi[i]), ntohl(sa->sadb_sa_spi)); 1187 if (spi[i] != sa->sadb_sa_spi) 1188 continue; 1189 1190 pfkey_send_delete(lcconf->sock_pfkey, 1191 msg->sadb_msg_satype, 1192 IPSEC_MODE_ANY, 1193 src, dst, sa->sadb_sa_spi); 1194 1195 /* 1196 * delete a relative phase 2 handler. 1197 * continue to process if no relative phase 2 handler 1198 * exists. 1199 */ 1200 iph2 = getph2bysaidx(src, dst, proto, spi[i]); 1201 if(iph2 != NULL){ 1202 delete_spd(iph2, created); 1203 remph2(iph2); 1204 delph2(iph2); 1205 } 1206 1207 plog(LLV_INFO, LOCATION, NULL, 1208 "purged IPsec-SA proto_id=%s spi=%u.\n", 1209 s_ipsecdoi_proto(proto), 1210 ntohl(spi[i])); 1211 } 1212 1213 msg = next; 1214 } 1215 1216 if (buf) 1217 vfree(buf); 1218} 1219 1220/* 1221 * delete all phase2 sa relatived to the destination address 1222 * (except the phase2 within which the INITIAL-CONTACT was received). 1223 * Don't delete Phase 1 handlers on INITIAL-CONTACT, and don't ignore 1224 * an INITIAL-CONTACT if we have contacted the peer. This matches the 1225 * Sun IKE behavior, and makes rekeying work much better when the peer 1226 * restarts. 1227 */ 1228int 1229isakmp_info_recv_initialcontact(iph1, protectedph2) 1230 struct ph1handle *iph1; 1231 struct ph2handle *protectedph2; 1232{ 1233 vchar_t *buf = NULL; 1234 struct sadb_msg *msg, *next, *end; 1235 struct sadb_sa *sa; 1236 struct sockaddr *src, *dst; 1237 caddr_t mhp[SADB_EXT_MAX + 1]; 1238 int proto_id, i; 1239 struct ph2handle *iph2; 1240#if 0 1241 char *loc, *rem; 1242#endif 1243 1244 plog(LLV_INFO, LOCATION, iph1->remote, "received INITIAL-CONTACT\n"); 1245 1246 if (f_local) 1247 return 0; 1248 1249#if 0 1250 loc = racoon_strdup(saddrwop2str(iph1->local)); 1251 rem = racoon_strdup(saddrwop2str(iph1->remote)); 1252 STRDUP_FATAL(loc); 1253 STRDUP_FATAL(rem); 1254 1255 /* 1256 * Purge all IPSEC-SAs for the peer. We can do this 1257 * the easy way (using a PF_KEY SADB_DELETE extension) 1258 * or we can do it the hard way. 1259 */ 1260 for (i = 0; i < pfkey_nsatypes; i++) { 1261 proto_id = pfkey2ipsecdoi_proto(pfkey_satypes[i].ps_satype); 1262 1263 plog(LLV_INFO, LOCATION, NULL, 1264 "purging %s SAs for %s -> %s\n", 1265 pfkey_satypes[i].ps_name, loc, rem); 1266 if (pfkey_send_delete_all(lcconf->sock_pfkey, 1267 pfkey_satypes[i].ps_satype, IPSEC_MODE_ANY, 1268 iph1->local, iph1->remote) == -1) { 1269 plog(LLV_ERROR, LOCATION, NULL, 1270 "delete_all %s -> %s failed for %s (%s)\n", 1271 loc, rem, 1272 pfkey_satypes[i].ps_name, ipsec_strerror()); 1273 goto the_hard_way; 1274 } 1275 1276 deleteallph2(iph1->local, iph1->remote, proto_id); 1277 1278 plog(LLV_INFO, LOCATION, NULL, 1279 "purging %s SAs for %s -> %s\n", 1280 pfkey_satypes[i].ps_name, rem, loc); 1281 if (pfkey_send_delete_all(lcconf->sock_pfkey, 1282 pfkey_satypes[i].ps_satype, IPSEC_MODE_ANY, 1283 iph1->remote, iph1->local) == -1) { 1284 plog(LLV_ERROR, LOCATION, NULL, 1285 "delete_all %s -> %s failed for %s (%s)\n", 1286 rem, loc, 1287 pfkey_satypes[i].ps_name, ipsec_strerror()); 1288 goto the_hard_way; 1289 } 1290 1291 deleteallph2(iph1->remote, iph1->local, proto_id); 1292 } 1293 1294 racoon_free(loc); 1295 racoon_free(rem); 1296 return 0; 1297 1298 the_hard_way: 1299 racoon_free(loc); 1300 racoon_free(rem); 1301#endif 1302 1303 buf = pfkey_dump_sadb(SADB_SATYPE_UNSPEC); 1304 if (buf == NULL) { 1305 plog(LLV_DEBUG, LOCATION, NULL, 1306 "pfkey_dump_sadb returned nothing.\n"); 1307 return 0; 1308 } 1309 1310 msg = (struct sadb_msg *)buf->v; 1311 end = (struct sadb_msg *)(buf->v + buf->l); 1312 1313 for (; msg < end; msg = next) { 1314 if ((msg->sadb_msg_len << 3) < sizeof(*msg)) 1315 break; 1316 1317 next = (struct sadb_msg *)((caddr_t)msg + (msg->sadb_msg_len << 3)); 1318 if (msg->sadb_msg_type != SADB_DUMP) 1319 continue; 1320 1321 if (pfkey_align(msg, mhp) || pfkey_check(mhp)) { 1322 plog(LLV_ERROR, LOCATION, NULL, 1323 "pfkey_check (%s)\n", ipsec_strerror()); 1324 continue; 1325 } 1326 1327 if (mhp[SADB_EXT_SA] == NULL 1328 || mhp[SADB_EXT_ADDRESS_SRC] == NULL 1329 || mhp[SADB_EXT_ADDRESS_DST] == NULL) 1330 continue; 1331 1332 sa = (struct sadb_sa *)mhp[SADB_EXT_SA]; 1333 pk_fixup_sa_addresses(mhp); 1334 src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); 1335 dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]); 1336 1337 if (sa->sadb_sa_state != SADB_SASTATE_MATURE 1338 && sa->sadb_sa_state != SADB_SASTATE_DYING) 1339 continue; 1340 1341 /* 1342 * RFC2407 4.6.3.3 INITIAL-CONTACT is the message that 1343 * announces the sender of the message was rebooted. 1344 * it is interpreted to delete all SAs which source address 1345 * is the sender of the message. 1346 * racoon only deletes SA which is matched both the 1347 * source address and the destination accress. 1348 */ 1349 1350 /* 1351 * Check that the IP and port match. But this is not optimal, 1352 * since NAT-T can make the peer have multiple different 1353 * ports. Correct thing to do is delete all entries with 1354 * same identity. -TT 1355 */ 1356 if ((cmpsaddr(iph1->local, src) != 0 || 1357 cmpsaddr(iph1->remote, dst) != 0) && 1358 (cmpsaddr(iph1->local, dst) != 0 || 1359 cmpsaddr(iph1->remote, src) != 0)) 1360 continue; 1361 1362 /* 1363 * Make sure this is an SATYPE that we manage. 1364 * This is gross; too bad we couldn't do it the 1365 * easy way. 1366 */ 1367 for (i = 0; i < pfkey_nsatypes; i++) { 1368 if (pfkey_satypes[i].ps_satype == 1369 msg->sadb_msg_satype) 1370 break; 1371 } 1372 if (i == pfkey_nsatypes) 1373 continue; 1374 1375 plog(LLV_INFO, LOCATION, NULL, 1376 "purging spi=%u.\n", ntohl(sa->sadb_sa_spi)); 1377 pfkey_send_delete(lcconf->sock_pfkey, 1378 msg->sadb_msg_satype, 1379 IPSEC_MODE_ANY, src, dst, sa->sadb_sa_spi); 1380 1381 /* 1382 * delete a relative phase 2 handler. 1383 * continue to process if no relative phase 2 handler 1384 * exists. 1385 */ 1386 proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype); 1387 iph2 = getph2bysaidx(src, dst, proto_id, sa->sadb_sa_spi); 1388 if (iph2 && iph2 != protectedph2) { 1389 delete_spd(iph2, 0); 1390 remph2(iph2); 1391 delph2(iph2); 1392 } 1393 } 1394 1395 vfree(buf); 1396 return 0; 1397} 1398 1399 1400#ifdef ENABLE_DPD 1401static int 1402isakmp_info_recv_r_u (iph1, ru, msgid) 1403 struct ph1handle *iph1; 1404 struct isakmp_pl_ru *ru; 1405 u_int32_t msgid; 1406{ 1407 struct isakmp_pl_ru *ru_ack; 1408 vchar_t *payload = NULL; 1409 int tlen; 1410 int error = 0; 1411 1412 plog(LLV_DEBUG, LOCATION, iph1->remote, 1413 "DPD R-U-There received\n"); 1414 1415 /* XXX should compare cookies with iph1->index? 1416 Or is this already done by calling function? */ 1417 tlen = sizeof(*ru_ack); 1418 payload = vmalloc(tlen); 1419 if (payload == NULL) { 1420 plog(LLV_ERROR, LOCATION, NULL, 1421 "failed to get buffer to send.\n"); 1422 return errno; 1423 } 1424 1425 ru_ack = (struct isakmp_pl_ru *)payload->v; 1426 ru_ack->h.np = ISAKMP_NPTYPE_NONE; 1427 ru_ack->h.len = htons(tlen); 1428 ru_ack->doi = htonl(IPSEC_DOI); 1429 ru_ack->type = htons(ISAKMP_NTYPE_R_U_THERE_ACK); 1430 ru_ack->proto_id = IPSECDOI_PROTO_ISAKMP; /* XXX ? */ 1431 ru_ack->spi_size = sizeof(isakmp_index); 1432 memcpy(ru_ack->i_ck, ru->i_ck, sizeof(cookie_t)); 1433 memcpy(ru_ack->r_ck, ru->r_ck, sizeof(cookie_t)); 1434 ru_ack->data = ru->data; 1435 1436 /* XXX Should we do FLAG_A ? */ 1437 error = isakmp_info_send_common(iph1, payload, ISAKMP_NPTYPE_N, 1438 ISAKMP_FLAG_E); 1439 vfree(payload); 1440 1441 plog(LLV_DEBUG, LOCATION, NULL, "received a valid R-U-THERE, ACK sent\n"); 1442 1443 /* Should we mark tunnel as active ? */ 1444 return error; 1445} 1446 1447static int 1448isakmp_info_recv_r_u_ack (iph1, ru, msgid) 1449 struct ph1handle *iph1; 1450 struct isakmp_pl_ru *ru; 1451 u_int32_t msgid; 1452{ 1453 1454 plog(LLV_DEBUG, LOCATION, iph1->remote, 1455 "DPD R-U-There-Ack received\n"); 1456 1457 /* XXX Maintain window of acceptable sequence numbers ? 1458 * => ru->data <= iph2->dpd_seq && 1459 * ru->data >= iph2->dpd_seq - iph2->dpd_fails ? */ 1460 if (ntohl(ru->data) != iph1->dpd_seq-1) { 1461 plog(LLV_ERROR, LOCATION, iph1->remote, 1462 "Wrong DPD sequence number (%d, %d expected).\n", 1463 ntohl(ru->data), iph1->dpd_seq-1); 1464 return 0; 1465 } 1466 1467 if (memcmp(ru->i_ck, iph1->index.i_ck, sizeof(cookie_t)) || 1468 memcmp(ru->r_ck, iph1->index.r_ck, sizeof(cookie_t))) { 1469 plog(LLV_ERROR, LOCATION, iph1->remote, 1470 "Cookie mismatch in DPD ACK!.\n"); 1471 return 0; 1472 } 1473 1474 iph1->dpd_fails = 0; 1475 sched_cancel(&iph1->dpd_r_u); 1476 isakmp_sched_r_u(iph1, 0); 1477 1478 plog(LLV_DEBUG, LOCATION, NULL, "received an R-U-THERE-ACK\n"); 1479 1480 return 0; 1481} 1482 1483 1484 1485 1486/* 1487 * send DPD R-U-THERE payload in Informational exchange. 1488 */ 1489static void 1490isakmp_info_send_r_u(sc) 1491 struct sched *sc; 1492{ 1493 struct ph1handle *iph1 = container_of(sc, struct ph1handle, dpd_r_u); 1494 1495 /* create R-U-THERE payload */ 1496 struct isakmp_pl_ru *ru; 1497 vchar_t *payload = NULL; 1498 int tlen; 1499 int error = 0; 1500 1501 plog(LLV_DEBUG, LOCATION, iph1->remote, "DPD monitoring....\n"); 1502 1503 if (iph1->dpd_fails >= iph1->rmconf->dpd_maxfails) { 1504 1505 plog(LLV_INFO, LOCATION, iph1->remote, 1506 "DPD: remote (ISAKMP-SA spi=%s) seems to be dead.\n", 1507 isakmp_pindex(&iph1->index, 0)); 1508 1509 evt_phase1(iph1, EVT_PHASE1_DPD_TIMEOUT, NULL); 1510 purge_remote(iph1); 1511 1512 /* Do not reschedule here: phase1 is deleted, 1513 * DPD will be reactivated when a new ph1 will be negociated 1514 */ 1515 return; 1516 } 1517 1518 /* TODO: check recent activity to avoid useless sends... */ 1519 1520 tlen = sizeof(*ru); 1521 payload = vmalloc(tlen); 1522 if (payload == NULL) { 1523 plog(LLV_ERROR, LOCATION, NULL, 1524 "failed to get buffer for payload.\n"); 1525 return; 1526 } 1527 ru = (struct isakmp_pl_ru *)payload->v; 1528 ru->h.np = ISAKMP_NPTYPE_NONE; 1529 ru->h.len = htons(tlen); 1530 ru->doi = htonl(IPSEC_DOI); 1531 ru->type = htons(ISAKMP_NTYPE_R_U_THERE); 1532 ru->proto_id = IPSECDOI_PROTO_ISAKMP; /* XXX ?*/ 1533 ru->spi_size = sizeof(isakmp_index); 1534 1535 memcpy(ru->i_ck, iph1->index.i_ck, sizeof(cookie_t)); 1536 memcpy(ru->r_ck, iph1->index.r_ck, sizeof(cookie_t)); 1537 1538 if (iph1->dpd_seq == 0){ 1539 /* generate a random seq which is not too big */ 1540 srand(time(NULL)); 1541 iph1->dpd_seq = rand() & 0x0fff; 1542 } 1543 1544 ru->data = htonl(iph1->dpd_seq); 1545 1546 error = isakmp_info_send_common(iph1, payload, ISAKMP_NPTYPE_N, 0); 1547 vfree(payload); 1548 1549 plog(LLV_DEBUG, LOCATION, iph1->remote, 1550 "DPD R-U-There sent (%d)\n", error); 1551 1552 /* will be decreased if ACK received... */ 1553 iph1->dpd_fails++; 1554 1555 /* XXX should be increased only when ACKed ? */ 1556 iph1->dpd_seq++; 1557 1558 /* Reschedule the r_u_there with a short delay, 1559 * will be deleted/rescheduled if ACK received before */ 1560 isakmp_sched_r_u(iph1, 1); 1561 1562 plog(LLV_DEBUG, LOCATION, iph1->remote, 1563 "rescheduling send_r_u (%d).\n", iph1->rmconf->dpd_retry); 1564} 1565 1566/* Schedule a new R-U-THERE */ 1567int 1568isakmp_sched_r_u(iph1, retry) 1569 struct ph1handle *iph1; 1570 int retry; 1571{ 1572 if(iph1 == NULL || 1573 iph1->rmconf == NULL) 1574 return 1; 1575 1576 1577 if(iph1->dpd_support == 0 || 1578 iph1->rmconf->dpd_interval == 0) 1579 return 0; 1580 1581 if(retry) 1582 sched_schedule(&iph1->dpd_r_u, iph1->rmconf->dpd_retry, 1583 isakmp_info_send_r_u); 1584 else 1585 sched_schedule(&iph1->dpd_r_u, iph1->rmconf->dpd_interval, 1586 isakmp_info_send_r_u); 1587 1588 return 0; 1589} 1590#endif 1591