1/* $KAME: isakmp.c,v 1.172 2002/01/02 09:06:53 jinmei Exp $ */
2
3/*
4 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the project nor the names of its contributors
16 * may be used to endorse or promote products derived from this software
17 * without specific prior written permission.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * SUCH DAMAGE.
30 */
31
32#include <sys/types.h>
33#include <sys/param.h>
34#include <sys/socket.h>
35#include <sys/queue.h>
36
37#include <netinet/in.h>
38
39#include <stdlib.h>
40#include <stdio.h>
41#include <string.h>
42#include <errno.h>
43#if TIME_WITH_SYS_TIME
44# include <sys/time.h>
45# include <time.h>
46#else
47# if HAVE_SYS_TIME_H
48# include <sys/time.h>
49# else
50# include <time.h>
51# endif
52#endif
53#include <netdb.h>
54#ifdef HAVE_UNISTD_H
55#include <unistd.h>
56#endif
57#include <ctype.h>
58
59#if !defined(HAVE_GETADDRINFO) || !defined(HAVE_GETNAMEINFO)
60#include "addrinfo.h"
61#endif
62
63#include "var.h"
64#include "misc.h"
65#include "vmbuf.h"
66#include "plog.h"
67#include "sockmisc.h"
68#include "schedule.h"
69#include "debug.h"
70
71#include "remoteconf.h"
72#include "localconf.h"
73#include "grabmyaddr.h"
74#include "isakmp_var.h"
75#include "isakmp.h"
76#include "oakley.h"
77#include "handler.h"
78#include "ipsec_doi.h"
79#include "pfkey.h"
80#include "crypto_openssl.h"
81#include "policy.h"
82#include "isakmp_ident.h"
83#include "isakmp_agg.h"
84#include "isakmp_base.h"
85#include "isakmp_quick.h"
86#include "isakmp_inf.h"
87#include "isakmp_newg.h"
88#include "strnames.h"
89
90static int nostate1 __P((struct ph1handle *, vchar_t *));
91static int nostate2 __P((struct ph2handle *, vchar_t *));
92
93extern caddr_t val2str(const char *, size_t);
94
95static int (*ph1exchange[][2][PHASE1ST_MAX])
96 __P((struct ph1handle *, vchar_t *)) = {
97 /* error */
98 { {}, {}, },
99 /* Identity Protection exchange */
100 {
101 { nostate1, ident_i1send, nostate1, ident_i2recv, ident_i2send,
102 ident_i3recv, ident_i3send, ident_i4recv, ident_i4send, nostate1, },
103 { nostate1, ident_r1recv, ident_r1send, ident_r2recv, ident_r2send,
104 ident_r3recv, ident_r3send, nostate1, nostate1, nostate1, },
105 },
106 /* Aggressive exchange */
107 {
108 { nostate1, agg_i1send, nostate1, agg_i2recv, agg_i2send,
109 nostate1, nostate1, nostate1, nostate1, nostate1, },
110 { nostate1, agg_r1recv, agg_r1send, agg_r2recv, agg_r2send,
111 nostate1, nostate1, nostate1, nostate1, nostate1, },
112 },
113 /* Base exchange */
114 {
115 { nostate1, base_i1send, nostate1, base_i2recv, base_i2send,
116 base_i3recv, base_i3send, nostate1, nostate1, nostate1, },
117 { nostate1, base_r1recv, base_r1send, base_r2recv, base_r2send,
118 nostate1, nostate1, nostate1, nostate1, nostate1, },
119 },
120};
121
122static int (*ph2exchange[][2][PHASE2ST_MAX])
123 __P((struct ph2handle *, vchar_t *)) = {
124 /* error */
125 { {}, {}, },
126 /* Quick mode for IKE*/
127 {
128 { nostate2, nostate2, quick_i1prep, nostate2, quick_i1send,
129 quick_i2recv, quick_i2send, quick_i3recv, nostate2, nostate2, },
130 { nostate2, quick_r1recv, quick_r1prep, nostate2, quick_r2send,
131 quick_r3recv, quick_r3prep, quick_r3send, nostate2, nostate2, }
132 },
133};
134
135static u_char r_ck0[] = { 0,0,0,0,0,0,0,0 }; /* used to verify the r_ck. */
136
137static int isakmp_main __P((vchar_t *, struct sockaddr *, struct sockaddr *));
138static int ph1_main __P((struct ph1handle *, vchar_t *));
139static int quick_main __P((struct ph2handle *, vchar_t *));
140static int isakmp_ph1begin_r __P((vchar_t *,
141 struct sockaddr *, struct sockaddr *, u_int8_t));
142static int isakmp_ph2begin_i __P((struct ph1handle *, struct ph2handle *));
143static int isakmp_ph2begin_r __P((struct ph1handle *, vchar_t *));
144static int etypesw1 __P((int));
145static int etypesw2 __P((int));
146
147/*
148 * isakmp packet handler
149 */
150int
151isakmp_handler(so_isakmp)
152 int so_isakmp;
153{
154 struct isakmp isakmp;
155 struct sockaddr_storage remote;
156 struct sockaddr_storage local;
157 int remote_len = sizeof(remote);
158 int local_len = sizeof(local);
159 int len;
160 u_short port;
161 vchar_t *buf = NULL;
162 int error = -1;
163
164 /* read message by MSG_PEEK */
165 while ((len = recvfromto(so_isakmp, (char *)&isakmp, sizeof(isakmp),
166 MSG_PEEK, (struct sockaddr *)&remote, &remote_len,
167 (struct sockaddr *)&local, &local_len)) < 0) {
168 if (errno == EINTR)
169 continue;
170 plog(LLV_ERROR, LOCATION, NULL,
171 "failed to receive isakmp packet\n");
172 goto end;
173 }
174
175 /* check isakmp header length */
176 if (len < sizeof(isakmp)) {
177 plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
178 "packet shorter than isakmp header size.\n");
179 /* dummy receive */
180 if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp),
181 0, (struct sockaddr *)&remote, &remote_len)) < 0) {
182 plog(LLV_ERROR, LOCATION, NULL,
183 "failed to receive isakmp packet\n");
184 }
185 goto end;
186 }
187
188 /* read real message */
189 if ((buf = vmalloc(ntohl(isakmp.len))) == NULL) {
190 plog(LLV_ERROR, LOCATION, NULL,
191 "failed to allocate reading buffer\n");
192 /* dummy receive */
193 if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp),
194 0, (struct sockaddr *)&remote, &remote_len)) < 0) {
195 plog(LLV_ERROR, LOCATION, NULL,
196 "failed to receive isakmp packet\n");
197 }
198 goto end;
199 }
200
201 while ((len = recvfromto(so_isakmp, buf->v, buf->l,
202 0, (struct sockaddr *)&remote, &remote_len,
203 (struct sockaddr *)&local, &local_len)) < 0) {
204 if (errno == EINTR)
205 continue;
206 plog(LLV_ERROR, LOCATION, NULL,
207 "failed to receive isakmp packet\n");
208 goto end;
209 }
210
211 if (len != buf->l) {
212 plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
213 "received invalid length, why ?\n");
214 goto end;
215 }
216
217 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
218 plog(LLV_DEBUG, LOCATION, (struct sockaddr *)&local,
219 "%d bytes message received from %s\n",
220 len, saddr2str((struct sockaddr *)&remote));
221 plogdump(LLV_DEBUG, buf->v, buf->l);
222
223 /* avoid packets with malicious port/address */
224 switch (remote.ss_family) {
225 case AF_INET:
226 port = ((struct sockaddr_in *)&remote)->sin_port;
227 break;
228#ifdef INET6
229 case AF_INET6:
230 port = ((struct sockaddr_in6 *)&remote)->sin6_port;
231 break;
232#endif
233 default:
234 plog(LLV_ERROR, LOCATION, NULL,
235 "invalid family: %d\n", remote.ss_family);
236 goto end;
237 }
238 if (port == 0) {
239 plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
240 "src port == 0 (valid as UDP but not with IKE)\n");
241 goto end;
242 }
243
244
245
246 /* simply reply if the packet was processed. */
247 if (check_recvdpkt((struct sockaddr *)&remote,
248 (struct sockaddr *)&local, buf)) {
249 plog(LLV_NOTIFY, LOCATION, NULL,
250 "the packet is retransmitted by %s.\n",
251 saddr2str((struct sockaddr *)&remote));
252 error = 0;
253 goto end;
254 }
255
256 /* isakmp main routine */
257 if (isakmp_main(buf, (struct sockaddr *)&remote,
258 (struct sockaddr *)&local) != 0) goto end;
259
260 error = 0;
261
262end:
263 if (buf != NULL)
264 vfree(buf);
265
266 return(error);
267}
268
269/*
270 * main processing to handle isakmp payload
271 */
272static int
273isakmp_main(msg, remote, local)
274 vchar_t *msg;
275 struct sockaddr *remote, *local;
276{
277 struct isakmp *isakmp = (struct isakmp *)msg->v;
278 isakmp_index *index = (isakmp_index *)isakmp;
279 u_int32_t msgid = isakmp->msgid;
280 struct ph1handle *iph1;
281
282#ifdef HAVE_PRINT_ISAKMP_C
283 isakmp_printpacket(msg, remote, local, 0);
284#endif
285
286 /* the initiator's cookie must not be zero */
287 if (memcmp(&isakmp->i_ck, r_ck0, sizeof(cookie_t)) == 0) {
288 plog(LLV_ERROR, LOCATION, remote,
289 "malformed cookie received.\n");
290 return -1;
291 }
292
293 /* Check the Major and Minor Version fields. */
294 if (isakmp->v < ISAKMP_VERSION_NUMBER) {
295 if (ISAKMP_GETMAJORV(isakmp->v) < ISAKMP_MAJOR_VERSION) {
296 plog(LLV_ERROR, LOCATION, remote,
297 "invalid major version %d.\n",
298 ISAKMP_GETMAJORV(isakmp->v));
299 return -1;
300 }
301#if ISAKMP_MINOR_VERSION > 0
302 if (ISAKMP_GETMINORV(isakmp->v) < ISAKMP_MINOR_VERSION) {
303 plog(LLV_ERROR, LOCATION, remote,
304 "invalid minor version %d.\n",
305 ISAKMP_GETMINORV(isakmp->v));
306 return -1;
307 }
308#endif
309 }
310
311 /* check the Flags field. */
312 if (isakmp->flags & ~(ISAKMP_FLAG_E | ISAKMP_FLAG_C | ISAKMP_FLAG_A)) {
313 plog(LLV_ERROR, LOCATION, remote,
314 "invalid flag 0x%02x.\n", isakmp->flags);
315 return -1;
316 }
317
318 /* ignore commit bit. */
319 if (ISSET(isakmp->flags, ISAKMP_FLAG_C)) {
320 if (isakmp->msgid == 0) {
321 isakmp_info_send_nx(isakmp, remote, local,
322 ISAKMP_NTYPE_INVALID_FLAGS, NULL);
323 plog(LLV_ERROR, LOCATION, remote,
324 "Commit bit on phase1 forbidden.\n");
325 return -1;
326 }
327 }
328
329 iph1 = getph1byindex(index);
330 if (iph1 != NULL) {
331 /* validity check */
332 if (memcmp(&isakmp->r_ck, r_ck0, sizeof(cookie_t)) == 0 &&
333 iph1->side == INITIATOR) {
334 plog(LLV_DEBUG, LOCATION, remote,
335 "malformed cookie received or "
336 "the initiator's cookies collide.\n");
337//LLL return -1;
338 }
339
340 /* must be same addresses in one stream of a phase at least. */
341 if (cmpsaddrstrict(iph1->remote, remote) != 0) {
342 char *saddr_db, *saddr_act;
343
344 saddr_db = strdup(saddr2str(iph1->remote));
345 saddr_act = strdup(saddr2str(remote));
346
347 plog(LLV_WARNING, LOCATION, remote,
348 "remote address mismatched. db=%s, act=%s\n",
349 saddr_db, saddr_act);
350
351 racoon_free(saddr_db);
352 racoon_free(saddr_act);
353 }
354 /*
355 * don't check of exchange type here because other type will be
356 * with same index, for example, informational exchange.
357 */
358
359 }
360
361 switch (isakmp->etype) {
362 case ISAKMP_ETYPE_IDENT:
363 case ISAKMP_ETYPE_AGG:
364 case ISAKMP_ETYPE_BASE:
365 /* phase 1 validity check */
366 if (isakmp->msgid != 0) {
367 plog(LLV_ERROR, LOCATION, remote,
368 "message id should be zero in phase1.\n");
369 return -1;
370 }
371
372 /* search for isakmp status record of phase 1 */
373 if (iph1 == NULL) {
374 /*
375 * the packet must be the 1st message from a initiator
376 * or the 2nd message from the responder.
377 */
378
379 /* search for phase1 handle by index without r_ck */
380 iph1 = getph1byindex0(index);
381 if (iph1 == NULL) {
382 /*it must be the 1st message from a initiator.*/
383 if (memcmp(&isakmp->r_ck, r_ck0,
384 sizeof(cookie_t)) != 0) {
385
386 plog(LLV_DEBUG, LOCATION, remote,
387 "malformed cookie received "
388 "or the spi expired.\n");
389 return -1;
390 }
391
392 /* it must be responder's 1st exchange. */
393 if (isakmp_ph1begin_r(msg, remote, local,
394 isakmp->etype) < 0)
395 return -1;
396 break;
397
398 /*NOTREACHED*/
399 }
400
401 /* it must be the 2nd message from the responder. */
402 if (iph1->side != INITIATOR) {
403 plog(LLV_DEBUG, LOCATION, remote,
404 "malformed cookie received. "
405 "it has to be as the initiator. %s\n",
406 isakmp_pindex(&iph1->index, 0));
407 return -1;
408 }
409 }
410
411 /*
412 * Don't delete phase 1 handler when the exchange type
413 * in handler is not equal to packet's one because of no
414 * authencication completed.
415 */
416 if (iph1->etype != isakmp->etype) {
417 plog(LLV_ERROR, LOCATION, iph1->remote,
418 "exchange type is mismatched: "
419 "db=%s packet=%s, ignore it.\n",
420 s_isakmp_etype(iph1->etype),
421 s_isakmp_etype(isakmp->etype));
422 return -1;
423 }
424
425 /* call main process of phase 1 */
426 if (ph1_main(iph1, msg) < 0) {
427 plog(LLV_ERROR, LOCATION, iph1->remote,
428 "phase1 negotiation failed.\n");
429 remph1(iph1);
430 delph1(iph1);
431 return -1;
432 }
433 break;
434
435 case ISAKMP_ETYPE_AUTH:
436 plog(LLV_INFO, LOCATION, remote,
437 "unsupported exchange %d received.\n",
438 isakmp->etype);
439 break;
440
441 case ISAKMP_ETYPE_INFO:
442 case ISAKMP_ETYPE_ACKINFO:
443 /*
444 * iph1 must be present for Information message.
445 * if iph1 is null then trying to get the phase1 status
446 * as the packet from responder againt initiator's 1st
447 * exchange in phase 1.
448 * NOTE: We think such informational exchange should be ignored.
449 */
450 if (iph1 == NULL) {
451 iph1 = getph1byindex0(index);
452 if (iph1 == NULL) {
453 plog(LLV_ERROR, LOCATION, remote,
454 "unknown Informational "
455 "exchange received.\n");
456 return -1;
457 }
458 if (cmpsaddrstrict(iph1->remote, remote) != 0) {
459 plog(LLV_WARNING, LOCATION, remote,
460 "remote address mismatched. "
461 "db=%s\n",
462 saddr2str(iph1->remote));
463 }
464 }
465
466 if (isakmp_info_recv(iph1, msg) < 0)
467 return -1;
468 break;
469
470 case ISAKMP_ETYPE_QUICK:
471 {
472 struct ph2handle *iph2;
473
474 if (iph1 == NULL) {
475 isakmp_info_send_nx(isakmp, remote, local,
476 ISAKMP_NTYPE_INVALID_COOKIE, NULL);
477 plog(LLV_ERROR, LOCATION, remote,
478 "can't start the quick mode, "
479 "there is no ISAKMP-SA, %s\n",
480 isakmp_pindex((isakmp_index *)&isakmp->i_ck,
481 isakmp->msgid));
482 return -1;
483 }
484
485 /* check status of phase 1 whether negotiated or not. */
486 if (iph1->status != PHASE1ST_ESTABLISHED) {
487 plog(LLV_ERROR, LOCATION, remote,
488 "can't start the quick mode, "
489 "there is no valid ISAKMP-SA, %s\n",
490 isakmp_pindex(&iph1->index, iph1->msgid));
491 return -1;
492 }
493
494 /* search isakmp phase 2 stauts record. */
495 iph2 = getph2bymsgid(iph1, msgid);
496 if (iph2 == NULL) {
497 /* it must be new negotiation as responder */
498 if (isakmp_ph2begin_r(iph1, msg) < 0)
499 return -1;
500 return 0;
501 /*NOTREACHED*/
502 }
503
504 /* commit bit. */
505 if (ISSET(isakmp->flags, ISAKMP_FLAG_C))
506 iph2->flags |= ISAKMP_FLAG_C;
507
508 /* call main process of quick mode */
509 if (quick_main(iph2, msg) < 0) {
510 plog(LLV_ERROR, LOCATION, iph1->remote,
511 "phase2 negotiation failed.\n");
512 unbindph12(iph2);
513 remph2(iph2);
514 delph2(iph2);
515 return -1;
516 }
517 }
518 break;
519
520 case ISAKMP_ETYPE_NEWGRP:
521 if (iph1 == NULL) {
522 plog(LLV_ERROR, LOCATION, remote,
523 "Unknown new group mode exchange, "
524 "there is no ISAKMP-SA.\n");
525 return -1;
526 }
527 isakmp_newgroup_r(iph1, msg);
528 break;
529
530 case ISAKMP_ETYPE_NONE:
531 default:
532 plog(LLV_ERROR, LOCATION, NULL,
533 "Invalid exchange type %d from %s.\n",
534 isakmp->etype, saddr2str(remote));
535 return -1;
536 }
537
538 return 0;
539}
540
541/*
542 * main function of phase 1.
543 */
544static int
545ph1_main(iph1, msg)
546 struct ph1handle *iph1;
547 vchar_t *msg;
548{
549 int error;
550#ifdef ENABLE_STATS
551 struct timeval start, end;
552#endif
553
554 /* ignore a packet */
555 if (iph1->status == PHASE1ST_ESTABLISHED)
556 return 0;
557
558#ifdef ENABLE_STATS
559 gettimeofday(&start, NULL);
560#endif
561 /* receive */
562 if (ph1exchange[etypesw1(iph1->etype)]
563 [iph1->side]
564 [iph1->status] == NULL) {
565 plog(LLV_ERROR, LOCATION, iph1->remote,
566 "why isn't the function defined.\n");
567 return -1;
568 }
569 error = (ph1exchange[etypesw1(iph1->etype)]
570 [iph1->side]
571 [iph1->status])(iph1, msg);
572 if (error != 0) {
573 /* ignore the error and keep phase 1 handler */
574 return 0;
575 }
576
577 /* free resend buffer */
578 if (iph1->sendbuf == NULL) {
579 plog(LLV_ERROR, LOCATION, NULL,
580 "no buffer found as sendbuf\n");
581 return -1;
582 }
583 vfree(iph1->sendbuf);
584 iph1->sendbuf = NULL;
585
586 /* turn off schedule */
587 if (iph1->scr)
588 SCHED_KILL(iph1->scr);
589
590 /* send */
591 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
592 if ((ph1exchange[etypesw1(iph1->etype)]
593 [iph1->side]
594 [iph1->status])(iph1, msg) != 0) {
595 plog(LLV_ERROR, LOCATION, iph1->remote,
596 "failed to process packet.\n");
597 return -1;
598 }
599
600#ifdef ENABLE_STATS
601 gettimeofday(&end, NULL);
602 syslog(LOG_NOTICE, "%s(%s): %8.6f",
603 "phase1", s_isakmp_state(iph1->etype, iph1->side, iph1->status),
604 timedelta(&start, &end));
605#endif
606 if (iph1->status == PHASE1ST_ESTABLISHED) {
607
608#ifdef ENABLE_STATS
609 gettimeofday(&iph1->end, NULL);
610 syslog(LOG_NOTICE, "%s(%s): %8.6f",
611 "phase1", s_isakmp_etype(iph1->etype),
612 timedelta(&iph1->start, &iph1->end));
613#endif
614
615 /* save created date. */
616 (void)time(&iph1->created);
617
618 /* add to the schedule to expire, and seve back pointer. */
619 iph1->sce = sched_new(iph1->approval->lifetime,
620 isakmp_ph1expire_stub, iph1);
621
622 /* INITIAL-CONTACT processing */
623 /* don't anything if local test mode. */
624 if (!f_local
625 && iph1->rmconf->ini_contact && !getcontacted(iph1->remote)) {
626 /* send INITIAL-CONTACT */
627 isakmp_info_send_n1(iph1,
628 ISAKMP_NTYPE_INITIAL_CONTACT, NULL);
629 /* insert a node into contacted list. */
630 if (inscontacted(iph1->remote) == -1) {
631 plog(LLV_ERROR, LOCATION, iph1->remote,
632 "failed to add contacted list.\n");
633 /* ignore */
634 }
635 }
636
637 log_ph1established(iph1);
638 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
639 }
640
641 return 0;
642}
643
644/*
645 * main function of quick mode.
646 */
647static int
648quick_main(iph2, msg)
649 struct ph2handle *iph2;
650 vchar_t *msg;
651{
652 struct isakmp *isakmp = (struct isakmp *)msg->v;
653 int error;
654#ifdef ENABLE_STATS
655 struct timeval start, end;
656#endif
657
658 /* ignore a packet */
659 if (iph2->status == PHASE2ST_ESTABLISHED
660 || iph2->status == PHASE2ST_GETSPISENT)
661 return 0;
662
663#ifdef ENABLE_STATS
664 gettimeofday(&start, NULL);
665#endif
666
667 /* receive */
668 if (ph2exchange[etypesw2(isakmp->etype)]
669 [iph2->side]
670 [iph2->status] == NULL) {
671 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
672 "why isn't the function defined.\n");
673 return -1;
674 }
675 error = (ph2exchange[etypesw2(isakmp->etype)]
676 [iph2->side]
677 [iph2->status])(iph2, msg);
678 if (error != 0) {
679 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
680 "failed to pre-process packet.\n");
681 if (error == ISAKMP_INTERNAL_ERROR)
682 return 0;
683 isakmp_info_send_n1(iph2->ph1, error, NULL);
684 return -1;
685 }
686
687 /* when using commit bit, status will be reached here. */
688 if (iph2->status == PHASE2ST_ADDSA)
689 return 0;
690
691 /* free resend buffer */
692 if (iph2->sendbuf == NULL) {
693 plog(LLV_ERROR, LOCATION, NULL,
694 "no buffer found as sendbuf\n");
695 return -1;
696 }
697 vfree(iph2->sendbuf);
698 iph2->sendbuf = NULL;
699
700 /* turn off schedule */
701 if (iph2->scr)
702 SCHED_KILL(iph2->scr);
703
704 /* send */
705 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
706 if ((ph2exchange[etypesw2(isakmp->etype)]
707 [iph2->side]
708 [iph2->status])(iph2, msg) != 0) {
709 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
710 "failed to process packet.\n");
711 return -1;
712 }
713
714#ifdef ENABLE_STATS
715 gettimeofday(&end, NULL);
716 syslog(LOG_NOTICE, "%s(%s): %8.6f",
717 "phase2",
718 s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status),
719 timedelta(&start, &end));
720#endif
721
722 return 0;
723}
724
725/* new negotiation of phase 1 for initiator */
726int
727isakmp_ph1begin_i(rmconf, remote)
728 struct remoteconf *rmconf;
729 struct sockaddr *remote;
730{
731 struct ph1handle *iph1;
732#ifdef ENABLE_STATS
733 struct timeval start, end;
734#endif
735
736 /* get new entry to isakmp status table. */
737 iph1 = newph1();
738 if (iph1 == NULL)
739 return -1;
740
741 iph1->status = PHASE1ST_START;
742 iph1->rmconf = rmconf;
743 iph1->side = INITIATOR;
744 iph1->version = ISAKMP_VERSION_NUMBER;
745 iph1->msgid = 0;
746 iph1->flags = 0;
747 iph1->ph2cnt = 0;
748#ifdef HAVE_GSSAPI
749 iph1->gssapi_state = NULL;
750#endif
751 iph1->approval = NULL;
752
753 if (copy_ph1addresses(iph1, rmconf, remote, NULL) < 0)
754 return -1;
755
756 (void)insph1(iph1);
757
758 /* start phase 1 exchange */
759 iph1->etype = rmconf->etypes->type;
760
761 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
762 {
763 char *a;
764
765 a = strdup(saddr2str(iph1->local));
766 plog(LLV_INFO, LOCATION, NULL,
767 "initiate new phase 1 negotiation: %s<=>%s\n",
768 a, saddr2str(iph1->remote));
769 racoon_free(a);
770 }
771 plog(LLV_INFO, LOCATION, NULL,
772 "begin %s mode.\n",
773 s_isakmp_etype(iph1->etype));
774
775#ifdef ENABLE_STATS
776 gettimeofday(&iph1->start, NULL);
777 gettimeofday(&start, NULL);
778#endif
779 /* start exchange */
780 if ((ph1exchange[etypesw1(iph1->etype)]
781 [iph1->side]
782 [iph1->status])(iph1, NULL) != 0) {
783 /* failed to start phase 1 negotiation */
784 remph1(iph1);
785 delph1(iph1);
786
787 return -1;
788 }
789
790#ifdef ENABLE_STATS
791 gettimeofday(&end, NULL);
792 syslog(LOG_NOTICE, "%s(%s): %8.6f",
793 "phase1",
794 s_isakmp_state(iph1->etype, iph1->side, iph1->status),
795 timedelta(&start, &end));
796#endif
797
798 return 0;
799}
800
801/* new negotiation of phase 1 for responder */
802static int
803isakmp_ph1begin_r(msg, remote, local, etype)
804 vchar_t *msg;
805 struct sockaddr *remote, *local;
806 u_int8_t etype;
807{
808 struct isakmp *isakmp = (struct isakmp *)msg->v;
809 struct remoteconf *rmconf;
810 struct ph1handle *iph1;
811 struct etypes *etypeok;
812#ifdef ENABLE_STATS
813 struct timeval start, end;
814#endif
815
816 /* look for my configuration */
817 rmconf = getrmconf(remote);
818 if (rmconf == NULL) {
819 plog(LLV_ERROR, LOCATION, remote,
820 "couldn't find "
821 "configuration.\n");
822 return -1;
823 }
824
825 /* check to be acceptable exchange type */
826 etypeok = check_etypeok(rmconf, etype);
827 if (etypeok == NULL) {
828 plog(LLV_ERROR, LOCATION, remote,
829 "not acceptable %s mode\n", s_isakmp_etype(etype));
830 return -1;
831 }
832
833 /* get new entry to isakmp status table. */
834 iph1 = newph1();
835 if (iph1 == NULL)
836 return -1;
837
838 memcpy(&iph1->index.i_ck, &isakmp->i_ck, sizeof(iph1->index.i_ck));
839 iph1->status = PHASE1ST_START;
840 iph1->rmconf = rmconf;
841 iph1->flags = 0;
842 iph1->side = RESPONDER;
843 iph1->etype = etypeok->type;
844 iph1->version = isakmp->v;
845 iph1->msgid = 0;
846#ifdef HAVE_GSSAPI
847 iph1->gssapi_state = NULL;
848#endif
849 iph1->approval = NULL;
850
851 /* copy remote address */
852 if (copy_ph1addresses(iph1, rmconf, remote, local) < 0)
853 return -1;
854
855 (void)insph1(iph1);
856
857 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
858 {
859 char *a;
860
861 a = strdup(saddr2str(iph1->local));
862 plog(LLV_INFO, LOCATION, NULL,
863 "respond new phase 1 negotiation: %s<=>%s\n",
864 a, saddr2str(iph1->remote));
865 racoon_free(a);
866 }
867 plog(LLV_INFO, LOCATION, NULL,
868 "begin %s mode.\n", s_isakmp_etype(etype));
869
870#ifdef ENABLE_STATS
871 gettimeofday(&iph1->start, NULL);
872 gettimeofday(&start, NULL);
873#endif
874 /* start exchange */
875 if ((ph1exchange[etypesw1(iph1->etype)]
876 [iph1->side]
877 [iph1->status])(iph1, msg) < 0
878 || (ph1exchange[etypesw1(iph1->etype)]
879 [iph1->side]
880 [iph1->status])(iph1, msg) < 0) {
881 plog(LLV_ERROR, LOCATION, remote,
882 "failed to process packet.\n");
883 remph1(iph1);
884 delph1(iph1);
885 return -1;
886 }
887#ifdef ENABLE_STATS
888 gettimeofday(&end, NULL);
889 syslog(LOG_NOTICE, "%s(%s): %8.6f",
890 "phase1",
891 s_isakmp_state(iph1->etype, iph1->side, iph1->status),
892 timedelta(&start, &end));
893#endif
894
895 return 0;
896}
897
898/* new negotiation of phase 2 for initiator */
899static int
900isakmp_ph2begin_i(iph1, iph2)
901 struct ph1handle *iph1;
902 struct ph2handle *iph2;
903{
904 /* found ISAKMP-SA. */
905 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
906 plog(LLV_DEBUG, LOCATION, NULL, "begin QUICK mode.\n");
907 {
908 char *a;
909 a = strdup(saddr2str(iph2->src));
910 plog(LLV_INFO, LOCATION, NULL,
911 "initiate new phase 2 negotiation: %s<=>%s\n",
912 a, saddr2str(iph2->dst));
913 racoon_free(a);
914 }
915
916#ifdef ENABLE_STATS
917 gettimeofday(&iph2->start, NULL);
918#endif
919 /* found isakmp-sa */
920 bindph12(iph1, iph2);
921 iph2->status = PHASE2ST_STATUS2;
922
923 if ((ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)]
924 [iph2->side]
925 [iph2->status])(iph2, NULL) < 0) {
926 unbindph12(iph2);
927 /* release ipsecsa handler due to internal error. */
928 remph2(iph2);
929 delph2(iph2);
930 return -1;
931 }
932 return 0;
933}
934
935/* new negotiation of phase 2 for responder */
936static int
937isakmp_ph2begin_r(iph1, msg)
938 struct ph1handle *iph1;
939 vchar_t *msg;
940{
941 struct isakmp *isakmp = (struct isakmp *)msg->v;
942 struct ph2handle *iph2 = 0;
943 int error;
944#ifdef ENABLE_STATS
945 struct timeval start, end;
946#endif
947
948 iph2 = newph2();
949 if (iph2 == NULL) {
950 plog(LLV_ERROR, LOCATION, NULL,
951 "failed to allocate phase2 entry.\n");
952 return -1;
953 }
954
955 iph2->ph1 = iph1;
956 iph2->side = RESPONDER;
957 iph2->status = PHASE2ST_START;
958 iph2->flags = isakmp->flags;
959 iph2->msgid = isakmp->msgid;
960 iph2->seq = pk_getseq();
961 iph2->ivm = oakley_newiv2(iph1, iph2->msgid);
962 if (iph2->ivm == NULL) {
963 delph2(iph2);
964 return -1;
965 }
966 iph2->dst = dupsaddr(iph1->remote);
967 if (iph2->dst == NULL) {
968 delph2(iph2);
969 return -1;
970 }
971 switch (iph2->dst->sa_family) {
972 case AF_INET:
973 ((struct sockaddr_in *)iph2->dst)->sin_port = 0;
974 break;
975#ifdef INET6
976 case AF_INET6:
977 ((struct sockaddr_in6 *)iph2->dst)->sin6_port = 0;
978 break;
979#endif
980 default:
981 plog(LLV_ERROR, LOCATION, NULL,
982 "invalid family: %d\n", iph2->dst->sa_family);
983 delph2(iph2);
984 return -1;
985 }
986
987 iph2->src = dupsaddr(iph1->local);
988 if (iph2->src == NULL) {
989 delph2(iph2);
990 return -1;
991 }
992 switch (iph2->src->sa_family) {
993 case AF_INET:
994 ((struct sockaddr_in *)iph2->src)->sin_port = 0;
995 break;
996#ifdef INET6
997 case AF_INET6:
998 ((struct sockaddr_in6 *)iph2->src)->sin6_port = 0;
999 break;
1000#endif
1001 default:
1002 plog(LLV_ERROR, LOCATION, NULL,
1003 "invalid family: %d\n", iph2->src->sa_family);
1004 delph2(iph2);
1005 return -1;
1006 }
1007
1008 /* add new entry to isakmp status table */
1009 insph2(iph2);
1010 bindph12(iph1, iph2);
1011
1012 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1013 {
1014 char *a;
1015
1016 a = strdup(saddr2str(iph2->src));
1017 plog(LLV_INFO, LOCATION, NULL,
1018 "respond new phase 2 negotiation: %s<=>%s\n",
1019 a, saddr2str(iph2->dst));
1020 racoon_free(a);
1021 }
1022
1023#ifdef ENABLE_STATS
1024 gettimeofday(&start, NULL);
1025#endif
1026
1027 error = (ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)]
1028 [iph2->side]
1029 [iph2->status])(iph2, msg);
1030 if (error != 0) {
1031 plog(LLV_ERROR, LOCATION, iph1->remote,
1032 "failed to pre-process packet.\n");
1033 if (error != ISAKMP_INTERNAL_ERROR)
1034 isakmp_info_send_n1(iph2->ph1, error, NULL);
1035 /*
1036 * release handler because it's wrong that ph2handle is kept
1037 * after failed to check message for responder's.
1038 */
1039 unbindph12(iph2);
1040 remph2(iph2);
1041 delph2(iph2);
1042 return -1;
1043 }
1044
1045 /* send */
1046 plog(LLV_DEBUG, LOCATION, NULL, "===\n");
1047 if ((ph2exchange[etypesw2(isakmp->etype)]
1048 [iph2->side]
1049 [iph2->status])(iph2, msg) < 0) {
1050 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1051 "failed to process packet.\n");
1052 /* don't release handler */
1053 return -1;
1054 }
1055#ifdef ENABLE_STATS
1056 gettimeofday(&end, NULL);
1057 syslog(LOG_NOTICE, "%s(%s): %8.6f",
1058 "phase2",
1059 s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status),
1060 timedelta(&start, &end));
1061#endif
1062
1063 return 0;
1064}
1065
1066/*
1067 * parse ISAKMP payloads, without ISAKMP base header.
1068 */
1069vchar_t *
1070isakmp_parsewoh(np0, gen, len)
1071 int np0;
1072 struct isakmp_gen *gen;
1073 int len;
1074{
1075 u_char np = np0 & 0xff;
1076 int tlen, plen;
1077 vchar_t *result;
1078 struct isakmp_parse_t *p, *ep;
1079
1080 plog(LLV_DEBUG, LOCATION, NULL, "begin.\n");
1081
1082 /*
1083 * 5 is a magic number, but any value larger than 2 should be fine
1084 * as we do vrealloc() in the following loop.
1085 */
1086 result = vmalloc(sizeof(struct isakmp_parse_t) * 5);
1087 if (result == NULL) {
1088 plog(LLV_ERROR, LOCATION, NULL,
1089 "failed to get buffer.\n");
1090 return NULL;
1091 }
1092 p = (struct isakmp_parse_t *)result->v;
1093 ep = (struct isakmp_parse_t *)(result->v + result->l - sizeof(*ep));
1094
1095 tlen = len;
1096
1097 /* parse through general headers */
1098 while (0 < tlen && np != ISAKMP_NPTYPE_NONE) {
1099 if (tlen <= sizeof(struct isakmp_gen)) {
1100 /* don't send information, see isakmp_ident_r1() */
1101 plog(LLV_ERROR, LOCATION, NULL,
1102 "invalid length of payload\n");
1103 vfree(result);
1104 return NULL;
1105 }
1106
1107 plog(LLV_DEBUG, LOCATION, NULL,
1108 "seen nptype=%u(%s)\n", np, s_isakmp_nptype(np));
1109
1110 p->type = np;
1111 p->len = ntohs(gen->len);
1112 if (p->len == 0 || p->len > tlen) {
1113 plog(LLV_DEBUG, LOCATION, NULL,
1114 "invalid length of payload\n");
1115 vfree(result);
1116 return NULL;
1117 }
1118 p->ptr = gen;
1119 p++;
1120 if (ep <= p) {
1121 int off;
1122
1123 off = p - (struct isakmp_parse_t *)result->v;
1124 result = vrealloc(result, result->l * 2);
1125 if (result == NULL) {
1126 plog(LLV_DEBUG, LOCATION, NULL,
1127 "failed to realloc buffer.\n");
1128 vfree(result);
1129 return NULL;
1130 }
1131 ep = (struct isakmp_parse_t *)
1132 (result->v + result->l - sizeof(*ep));
1133 p = (struct isakmp_parse_t *)result->v;
1134 p += off;
1135 }
1136
1137 np = gen->np;
1138 plen = ntohs(gen->len);
1139 gen = (struct isakmp_gen *)((caddr_t)gen + plen);
1140 tlen -= plen;
1141 }
1142 p->type = ISAKMP_NPTYPE_NONE;
1143 p->len = 0;
1144 p->ptr = NULL;
1145
1146 plog(LLV_DEBUG, LOCATION, NULL, "succeed.\n");
1147
1148 return result;
1149}
1150
1151/*
1152 * parse ISAKMP payloads, including ISAKMP base header.
1153 */
1154vchar_t *
1155isakmp_parse(buf)
1156 vchar_t *buf;
1157{
1158 struct isakmp *isakmp = (struct isakmp *)buf->v;
1159 struct isakmp_gen *gen;
1160 int tlen;
1161 vchar_t *result;
1162 u_char np;
1163
1164 np = isakmp->np;
1165 gen = (struct isakmp_gen *)(buf->v + sizeof(*isakmp));
1166 tlen = buf->l - sizeof(struct isakmp);
1167 result = isakmp_parsewoh(np, gen, tlen);
1168
1169 return result;
1170}
1171
1172/* %%% */
1173int
1174isakmp_init()
1175{
1176 /* initialize a isakmp status table */
1177 initph1tree();
1178 initph2tree();
1179 initctdtree();
1180 init_recvdpkt();
1181
1182 srandom(time(0));
1183
1184 if (isakmp_open() < 0)
1185 goto err;
1186
1187 return(0);
1188
1189err:
1190 isakmp_close();
1191 return(-1);
1192}
1193
1194/*
1195 * make strings containing i_cookie + r_cookie + msgid
1196 */
1197const char *
1198isakmp_pindex(index, msgid)
1199 const isakmp_index *index;
1200 const u_int32_t msgid;
1201{
1202 static char buf[64];
1203 const u_char *p;
1204 int i, j;
1205
1206 memset(buf, 0, sizeof(buf));
1207
1208 /* copy index */
1209 p = (const u_char *)index;
1210 for (j = 0, i = 0; i < sizeof(isakmp_index); i++) {
1211 snprintf((char *)&buf[j], sizeof(buf) - j, "%02x", p[i]);
1212 j += 2;
1213 switch (i) {
1214 case 7:
1215 buf[j++] = ':';
1216 }
1217 }
1218
1219 if (msgid == 0)
1220 return buf;
1221
1222 /* copy msgid */
1223 snprintf((char *)&buf[j], sizeof(buf) - j, ":%08x", ntohs(msgid));
1224
1225 return buf;
1226}
1227
1228/* open ISAKMP sockets. */
1229int
1230isakmp_open()
1231{
1232 const int yes = 1;
1233 int ifnum;
1234#ifdef INET6
1235 int pktinfo;
1236#endif
1237 struct myaddrs *p;
1238
1239 ifnum = 0;
1240 for (p = lcconf->myaddrs; p; p = p->next) {
1241 if (!p->addr)
1242 continue;
1243
1244 /* warn if wildcard address - should we forbid this? */
1245 switch (p->addr->sa_family) {
1246 case AF_INET:
1247 if (((struct sockaddr_in *)p->addr)->sin_addr.s_addr == 0)
1248 plog(LLV_WARNING, LOCATION, NULL,
1249 "listening to wildcard address,"
1250 "broadcast IKE packet may kill you\n");
1251 break;
1252#ifdef INET6
1253 case AF_INET6:
1254 if (IN6_IS_ADDR_UNSPECIFIED(&((struct sockaddr_in6 *)p->addr)->sin6_addr))
1255 plog(LLV_WARNING, LOCATION, NULL,
1256 "listening to wildcard address, "
1257 "broadcast IKE packet may kill you\n");
1258 break;
1259#endif
1260 default:
1261 plog(LLV_ERROR, LOCATION, NULL,
1262 "unsupported address family %d\n",
1263 lcconf->default_af);
1264 goto err_and_next;
1265 }
1266
1267 if ((p->sock = socket(p->addr->sa_family, SOCK_DGRAM, 0)) < 0) {
1268 plog(LLV_ERROR, LOCATION, NULL,
1269 "socket (%s)\n", strerror(errno));
1270 goto err_and_next;
1271 }
1272
1273 /* receive my interface address on inbound packets. */
1274 switch (p->addr->sa_family) {
1275 case AF_INET:
1276#ifndef __linux__
1277 if (setsockopt(p->sock, IPPROTO_IP, IP_RECVDSTADDR,
1278 (const void *)&yes, sizeof(yes)) < 0) {
1279 plog(LLV_ERROR, LOCATION, NULL,
1280 "setsockopt (%s)\n", strerror(errno));
1281 goto err_and_next;
1282 }
1283#else
1284 if (setsockopt(p->sock, IPPROTO_IP, IP_PKTINFO,
1285 (const void *)&yes, sizeof(yes)) < 0) {
1286 plog(LLV_ERROR, LOCATION, NULL,
1287 "setsockopt (%s)\n", strerror(errno));
1288 goto err_and_next;
1289 }
1290#endif
1291 break;
1292#ifdef INET6
1293 case AF_INET6:
1294#ifdef ADVAPI
1295#ifdef IPV6_RECVPKTINFO
1296 pktinfo = IPV6_RECVPKTINFO;
1297#else /* old adv. API */
1298 pktinfo = IPV6_PKTINFO;
1299#endif /* IPV6_RECVPKTINFO */
1300#else
1301 pktinfo = IPV6_RECVDSTADDR;
1302#endif
1303 if (setsockopt(p->sock, IPPROTO_IPV6, pktinfo,
1304 (const void *)&yes, sizeof(yes)) < 0)
1305 {
1306 plog(LLV_ERROR, LOCATION, NULL,
1307 "setsockopt(%d): %s\n",
1308 pktinfo, strerror(errno));
1309 goto err_and_next;
1310 }
1311 break;
1312#endif
1313 }
1314
1315#ifdef IPV6_USE_MIN_MTU
1316 if (p->addr->sa_family == AF_INET6 &&
1317 setsockopt(p->sock, IPPROTO_IPV6, IPV6_USE_MIN_MTU,
1318 (void *)&yes, sizeof(yes)) < 0) {
1319 plog(LLV_ERROR, LOCATION, NULL,
1320 "setsockopt (%s)\n", strerror(errno));
1321 return -1;
1322 }
1323#endif
1324
1325 if (setsockopt_bypass(p->sock, p->addr->sa_family) < 0)
1326 goto err_and_next;
1327
1328 if (bind(p->sock, p->addr, sysdep_sa_len(p->addr)) < 0) {
1329 plog(LLV_ERROR, LOCATION, p->addr,
1330 "failed to bind (%s).\n", strerror(errno));
1331 close(p->sock);
1332 goto err_and_next;
1333 }
1334
1335 ifnum++;
1336
1337 plog(LLV_INFO, LOCATION, NULL,
1338 "%s used as isakmp port (fd=%d)\n",
1339 saddr2str(p->addr), p->sock);
1340
1341 continue;
1342
1343 err_and_next:
1344 racoon_free(p->addr);
1345 p->addr = NULL;
1346 if (! lcconf->autograbaddr && lcconf->strict_address)
1347 return -1;
1348 continue;
1349 }
1350
1351 if (!ifnum) {
1352 plog(LLV_ERROR, LOCATION, NULL,
1353 "no address could be bound.\n");
1354 return -1;
1355 }
1356
1357 return 0;
1358}
1359
1360void
1361isakmp_close()
1362{
1363 struct myaddrs *p, *next;
1364
1365 for (p = lcconf->myaddrs; p; p = next) {
1366 next = p->next;
1367
1368 if (!p->addr)
1369 continue;
1370 close(p->sock);
1371 racoon_free(p->addr);
1372 racoon_free(p);
1373 }
1374
1375 lcconf->myaddrs = NULL;
1376}
1377
1378int
1379isakmp_send(iph1, sbuf)
1380 struct ph1handle *iph1;
1381 vchar_t *sbuf;
1382{
1383 int len = 0;
1384 int s;
1385
1386 /* select the socket to be sent */
1387 s = getsockmyaddr(iph1->local);
1388 if (s == -1)
1389 return -1;
1390
1391 len = sendfromto(s, sbuf->v, sbuf->l,
1392 iph1->local, iph1->remote, lcconf->count_persend);
1393 if (len == -1) {
1394 plog(LLV_ERROR, LOCATION, NULL, "sendfromto failed\n");
1395 return -1;
1396 }
1397
1398 return 0;
1399}
1400
1401/* called from scheduler */
1402void
1403isakmp_ph1resend_stub(p)
1404 void *p;
1405{
1406 (void)isakmp_ph1resend((struct ph1handle *)p);
1407}
1408
1409int
1410isakmp_ph1resend(iph1)
1411 struct ph1handle *iph1;
1412{
1413 if (iph1->retry_counter < 0) {
1414 plog(LLV_ERROR, LOCATION, NULL,
1415 "phase1 negotiation failed due to time up. %s\n",
1416 isakmp_pindex(&iph1->index, iph1->msgid));
1417
1418 remph1(iph1);
1419 delph1(iph1);
1420 return -1;
1421 }
1422
1423 if (isakmp_send(iph1, iph1->sendbuf) < 0)
1424 return -1;
1425
1426 plog(LLV_DEBUG, LOCATION, NULL,
1427 "resend phase1 packet %s\n",
1428 isakmp_pindex(&iph1->index, iph1->msgid));
1429
1430 iph1->retry_counter--;
1431
1432 iph1->scr = sched_new(iph1->rmconf->retry_interval,
1433 isakmp_ph1resend_stub, iph1);
1434
1435 return 0;
1436}
1437
1438/* called from scheduler */
1439void
1440isakmp_ph2resend_stub(p)
1441 void *p;
1442{
1443
1444 (void)isakmp_ph2resend((struct ph2handle *)p);
1445}
1446
1447int
1448isakmp_ph2resend(iph2)
1449 struct ph2handle *iph2;
1450{
1451 if (iph2->retry_counter < 0) {
1452 plog(LLV_ERROR, LOCATION, NULL,
1453 "phase2 negotiation failed due to time up. %s\n",
1454 isakmp_pindex(&iph2->ph1->index, iph2->msgid));
1455 unbindph12(iph2);
1456 remph2(iph2);
1457 delph2(iph2);
1458 return -1;
1459 }
1460
1461 if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0)
1462 return -1;
1463
1464 plog(LLV_DEBUG, LOCATION, NULL,
1465 "resend phase2 packet %s\n",
1466 isakmp_pindex(&iph2->ph1->index, iph2->msgid));
1467
1468 iph2->retry_counter--;
1469
1470 iph2->scr = sched_new(iph2->ph1->rmconf->retry_interval,
1471 isakmp_ph2resend_stub, iph2);
1472
1473 return 0;
1474}
1475
1476/* called from scheduler */
1477void
1478isakmp_ph1expire_stub(p)
1479 void *p;
1480{
1481
1482 isakmp_ph1expire((struct ph1handle *)p);
1483}
1484
1485void
1486isakmp_ph1expire(iph1)
1487 struct ph1handle *iph1;
1488{
1489 char *src, *dst;
1490
1491 src = strdup(saddr2str(iph1->local));
1492 dst = strdup(saddr2str(iph1->remote));
1493 plog(LLV_INFO, LOCATION, NULL,
1494 "ISAKMP-SA expired %s-%s spi:%s\n",
1495 src, dst,
1496 isakmp_pindex(&iph1->index, 0));
1497 racoon_free(src);
1498 racoon_free(dst);
1499
1500 SCHED_KILL(iph1->sce);
1501
1502 iph1->status = PHASE1ST_EXPIRED;
1503
1504 /*
1505 * the phase1 deletion is postponed until there is no phase2.
1506 */
1507 if (LIST_FIRST(&iph1->ph2tree) != NULL) {
1508 iph1->sce = sched_new(1, isakmp_ph1expire_stub, iph1);
1509 return;
1510 }
1511
1512 iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1);
1513}
1514
1515/* called from scheduler */
1516void
1517isakmp_ph1delete_stub(p)
1518 void *p;
1519{
1520
1521 isakmp_ph1delete((struct ph1handle *)p);
1522}
1523
1524void
1525isakmp_ph1delete(iph1)
1526 struct ph1handle *iph1;
1527{
1528 char *src, *dst;
1529
1530 SCHED_KILL(iph1->sce);
1531
1532 if (LIST_FIRST(&iph1->ph2tree) != NULL) {
1533 iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1);
1534 return;
1535 }
1536
1537 /* don't re-negosiation when the phase 1 SA expires. */
1538
1539 src = strdup(saddr2str(iph1->local));
1540 dst = strdup(saddr2str(iph1->remote));
1541 plog(LLV_INFO, LOCATION, NULL,
1542 "ISAKMP-SA deleted %s-%s spi:%s\n",
1543 src, dst, isakmp_pindex(&iph1->index, 0));
1544 racoon_free(src);
1545 racoon_free(dst);
1546
1547 remph1(iph1);
1548 delph1(iph1);
1549
1550 return;
1551}
1552
1553/* called from scheduler.
1554 * this function will call only isakmp_ph2delete().
1555 * phase 2 handler remain forever if kernel doesn't cry a expire of phase 2 SA
1556 * by something cause. That's why this function is called after phase 2 SA
1557 * expires in the userland.
1558 */
1559void
1560isakmp_ph2expire_stub(p)
1561 void *p;
1562{
1563
1564 isakmp_ph2expire((struct ph2handle *)p);
1565}
1566
1567void
1568isakmp_ph2expire(iph2)
1569 struct ph2handle *iph2;
1570{
1571 char *src, *dst;
1572
1573 SCHED_KILL(iph2->sce);
1574
1575 src = strdup(saddrwop2str(iph2->src));
1576 dst = strdup(saddrwop2str(iph2->dst));
1577 plog(LLV_INFO, LOCATION, NULL,
1578 "phase2 sa expired %s-%s\n", src, dst);
1579 racoon_free(src);
1580 racoon_free(dst);
1581
1582 iph2->status = PHASE2ST_EXPIRED;
1583
1584 iph2->sce = sched_new(1, isakmp_ph2delete_stub, iph2);
1585
1586 return;
1587}
1588
1589/* called from scheduler */
1590void
1591isakmp_ph2delete_stub(p)
1592 void *p;
1593{
1594
1595 isakmp_ph2delete((struct ph2handle *)p);
1596}
1597
1598void
1599isakmp_ph2delete(iph2)
1600 struct ph2handle *iph2;
1601{
1602 char *src, *dst;
1603
1604 SCHED_KILL(iph2->sce);
1605
1606 src = strdup(saddrwop2str(iph2->src));
1607 dst = strdup(saddrwop2str(iph2->dst));
1608 plog(LLV_INFO, LOCATION, NULL,
1609 "phase2 sa deleted %s-%s\n", src, dst);
1610 racoon_free(src);
1611 racoon_free(dst);
1612
1613 unbindph12(iph2);
1614 remph2(iph2);
1615 delph2(iph2);
1616
1617 return;
1618}
1619
1620/* �%%%
1621 * Interface between PF_KEYv2 and ISAKMP
1622 */
1623/*
1624 * receive ACQUIRE from kernel, and begin either phase1 or phase2.
1625 * if phase1 has been finished, begin phase2.
1626 */
1627int
1628isakmp_post_acquire(iph2)
1629 struct ph2handle *iph2;
1630{
1631 struct remoteconf *rmconf;
1632 struct ph1handle *iph1 = NULL;
1633
1634 /* search appropreate configuration with masking port. */
1635 rmconf = getrmconf(iph2->dst);
1636 if (rmconf == NULL) {
1637 plog(LLV_ERROR, LOCATION, NULL,
1638 "no configuration found for %s.\n",
1639 saddrwop2str(iph2->dst));
1640 return -1;
1641 }
1642
1643 /* if passive mode, ignore the acquire message */
1644 if (rmconf->passive) {
1645 plog(LLV_DEBUG, LOCATION, NULL,
1646 "because of passive mode, "
1647 "ignore the acquire message for %s.\n",
1648 saddrwop2str(iph2->dst));
1649 return 0;
1650 }
1651
1652 /* search isakmp status table by address with masking port */
1653 iph1 = getph1byaddr(iph2->src, iph2->dst);
1654
1655 /* no ISAKMP-SA found. */
1656 if (iph1 == NULL) {
1657 struct sched *sc;
1658
1659 iph2->retry_checkph1 = lcconf->retry_checkph1;
1660 sc = sched_new(1, isakmp_chkph1there_stub, iph2);
1661 plog(LLV_INFO, LOCATION, NULL,
1662 "IPsec-SA request for %s queued "
1663 "due to no phase1 found.\n",
1664 saddrwop2str(iph2->dst));
1665
1666 /* start phase 1 negotiation as a initiator. */
1667 if (isakmp_ph1begin_i(rmconf, iph2->dst) < 0) {
1668 SCHED_KILL(sc);
1669 return -1;
1670 }
1671
1672 return 0;
1673 /*NOTREACHED*/
1674 }
1675
1676 /* found ISAKMP-SA, but on negotiation. */
1677 if (iph1->status != PHASE1ST_ESTABLISHED) {
1678 iph2->retry_checkph1 = lcconf->retry_checkph1;
1679 sched_new(1, isakmp_chkph1there_stub, iph2);
1680 plog(LLV_INFO, LOCATION, iph2->dst,
1681 "request for establishing IPsec-SA was queued "
1682 "due to no phase1 found.\n");
1683 return 0;
1684 /*NOTREACHED*/
1685 }
1686
1687 /* found established ISAKMP-SA */
1688 /* i.e. iph1->status == PHASE1ST_ESTABLISHED */
1689
1690 /* found ISAKMP-SA. */
1691 plog(LLV_DEBUG, LOCATION, NULL, "begin QUICK mode.\n");
1692
1693 /* begin quick mode */
1694 if (isakmp_ph2begin_i(iph1, iph2))
1695 return -1;
1696
1697 return 0;
1698}
1699
1700/*
1701 * receive GETSPI from kernel.
1702 */
1703int
1704isakmp_post_getspi(iph2)
1705 struct ph2handle *iph2;
1706{
1707#ifdef ENABLE_STATS
1708 struct timeval start, end;
1709#endif
1710
1711 /* don't process it because there is no suitable phase1-sa. */
1712 if (iph2->ph1->status == PHASE2ST_EXPIRED) {
1713 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1714 "the negotiation is stopped, "
1715 "because there is no suitable ISAKMP-SA.\n");
1716 return -1;
1717 }
1718
1719#ifdef ENABLE_STATS
1720 gettimeofday(&start, NULL);
1721#endif
1722 if ((ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)]
1723 [iph2->side]
1724 [iph2->status])(iph2, NULL) != 0)
1725 return -1;
1726#ifdef ENABLE_STATS
1727 gettimeofday(&end, NULL);
1728 syslog(LOG_NOTICE, "%s(%s): %8.6f",
1729 "phase2",
1730 s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status),
1731 timedelta(&start, &end));
1732#endif
1733
1734 return 0;
1735}
1736
1737/* called by scheduler */
1738void
1739isakmp_chkph1there_stub(p)
1740 void *p;
1741{
1742 isakmp_chkph1there((struct ph2handle *)p);
1743}
1744
1745void
1746isakmp_chkph1there(iph2)
1747 struct ph2handle *iph2;
1748{
1749 struct ph1handle *iph1;
1750
1751 iph2->retry_checkph1--;
1752 if (iph2->retry_checkph1 < 0) {
1753 plog(LLV_ERROR, LOCATION, iph2->dst,
1754 "phase2 negotiation failed "
1755 "due to time up waiting for phase1. %s\n",
1756 sadbsecas2str(iph2->dst, iph2->src,
1757 iph2->satype, 0, 0));
1758 plog(LLV_INFO, LOCATION, NULL,
1759 "delete phase 2 handler.\n");
1760
1761 /* send acquire to kernel as error */
1762 pk_sendeacquire(iph2);
1763
1764 unbindph12(iph2);
1765 remph2(iph2);
1766 delph2(iph2);
1767
1768 return;
1769 }
1770
1771 iph1 = getph1byaddr(iph2->src, iph2->dst);
1772
1773 if (iph1 != NULL
1774 && iph1->status == PHASE1ST_ESTABLISHED) {
1775 /* found isakmp-sa */
1776 /* begin quick mode */
1777 (void)isakmp_ph2begin_i(iph1, iph2);
1778 return;
1779 }
1780
1781 /* no isakmp-sa found */
1782 sched_new(1, isakmp_chkph1there_stub, iph2);
1783
1784 return;
1785}
1786
1787/* copy variable data into ALLOCATED buffer. */
1788caddr_t
1789isakmp_set_attr_v(buf, type, val, len)
1790 caddr_t buf;
1791 int type;
1792 caddr_t val;
1793 int len;
1794{
1795 struct isakmp_data *data;
1796
1797 data = (struct isakmp_data *)buf;
1798 data->type = htons((u_int16_t)type | ISAKMP_GEN_TLV);
1799 data->lorv = htons((u_int16_t)len);
1800 memcpy(data + 1, val, len);
1801
1802 return buf + sizeof(*data) + len;
1803}
1804
1805/* copy fixed length data into ALLOCATED buffer. */
1806caddr_t
1807isakmp_set_attr_l(buf, type, val)
1808 caddr_t buf;
1809 int type;
1810 u_int32_t val;
1811{
1812 struct isakmp_data *data;
1813
1814 data = (struct isakmp_data *)buf;
1815 data->type = htons((u_int16_t)type | ISAKMP_GEN_TV);
1816 data->lorv = htons((u_int16_t)val);
1817
1818 return buf + sizeof(*data);
1819}
1820
1821/* add a variable data attribute to the buffer by reallocating it. */
1822vchar_t *
1823isakmp_add_attr_v(buf0, type, val, len)
1824 vchar_t *buf0;
1825 int type;
1826 caddr_t val;
1827 int len;
1828{
1829 vchar_t *buf = NULL;
1830 struct isakmp_data *data;
1831 int tlen;
1832 int oldlen = 0;
1833
1834 tlen = sizeof(*data) + len;
1835
1836 if (buf0) {
1837 oldlen = buf0->l;
1838 buf = vrealloc(buf0, oldlen + tlen);
1839 } else
1840 buf = vmalloc(tlen);
1841 if (!buf) {
1842 plog(LLV_ERROR, LOCATION, NULL,
1843 "failed to get a attribute buffer.\n");
1844 return NULL;
1845 }
1846
1847 data = (struct isakmp_data *)(buf->v + oldlen);
1848 data->type = htons((u_int16_t)type | ISAKMP_GEN_TLV);
1849 data->lorv = htons((u_int16_t)len);
1850 memcpy(data + 1, val, len);
1851
1852 return buf;
1853}
1854
1855/* add a fixed data attribute to the buffer by reallocating it. */
1856vchar_t *
1857isakmp_add_attr_l(buf0, type, val)
1858 vchar_t *buf0;
1859 int type;
1860 u_int32_t val;
1861{
1862 vchar_t *buf = NULL;
1863 struct isakmp_data *data;
1864 int tlen;
1865 int oldlen = 0;
1866
1867 tlen = sizeof(*data);
1868
1869 if (buf0) {
1870 oldlen = buf0->l;
1871 buf = vrealloc(buf0, oldlen + tlen);
1872 } else
1873 buf = vmalloc(tlen);
1874 if (!buf) {
1875 plog(LLV_ERROR, LOCATION, NULL,
1876 "failed to get a attribute buffer.\n");
1877 return NULL;
1878 }
1879
1880 data = (struct isakmp_data *)(buf->v + oldlen);
1881 data->type = htons((u_int16_t)type | ISAKMP_GEN_TV);
1882 data->lorv = htons((u_int16_t)val);
1883
1884 return buf;
1885}
1886
1887/*
1888 * calculate cookie and set.
1889 */
1890int
1891isakmp_newcookie(place, remote, local)
1892 caddr_t place;
1893 struct sockaddr *remote;
1894 struct sockaddr *local;
1895{
1896 vchar_t *buf = NULL, *buf2 = NULL;
1897 char *p;
1898 int blen;
1899 int alen;
1900 caddr_t sa1, sa2;
1901 time_t t;
1902 int error = -1;
1903 u_short port;
1904
1905
1906 if (remote->sa_family != local->sa_family) {
1907 plog(LLV_ERROR, LOCATION, NULL,
1908 "address family mismatch, remote:%d local:%d\n",
1909 remote->sa_family, local->sa_family);
1910 goto end;
1911 }
1912 switch (remote->sa_family) {
1913 case AF_INET:
1914 alen = sizeof(struct in_addr);
1915 sa1 = (caddr_t)&((struct sockaddr_in *)remote)->sin_addr;
1916 sa2 = (caddr_t)&((struct sockaddr_in *)local)->sin_addr;
1917 break;
1918#ifdef INET6
1919 case AF_INET6:
1920 alen = sizeof(struct in_addr);
1921 sa1 = (caddr_t)&((struct sockaddr_in6 *)remote)->sin6_addr;
1922 sa2 = (caddr_t)&((struct sockaddr_in6 *)local)->sin6_addr;
1923 break;
1924#endif
1925 default:
1926 plog(LLV_ERROR, LOCATION, NULL,
1927 "invalid family: %d\n", remote->sa_family);
1928 goto end;
1929 }
1930 blen = (alen + sizeof(u_short)) * 2
1931 + sizeof(time_t) + lcconf->secret_size;
1932 buf = vmalloc(blen);
1933 if (buf == NULL) {
1934 plog(LLV_ERROR, LOCATION, NULL,
1935 "failed to get a cookie.\n");
1936 goto end;
1937 }
1938 p = buf->v;
1939
1940 /* copy my address */
1941 memcpy(p, sa1, alen);
1942 p += alen;
1943 port = ((struct sockaddr_in *)remote)->sin_port;
1944 memcpy(p, &port, sizeof(u_short));
1945 p += sizeof(u_short);
1946
1947 /* copy target address */
1948 memcpy(p, sa2, alen);
1949 p += alen;
1950 port = ((struct sockaddr_in *)local)->sin_port;
1951 memcpy(p, &port, sizeof(u_short));
1952 p += sizeof(u_short);
1953
1954 /* copy time */
1955 t = time(0);
1956 memcpy(p, (caddr_t)&t, sizeof(t));
1957 p += sizeof(t);
1958
1959 /* copy random value */
1960 buf2 = eay_set_random(lcconf->secret_size);
1961 if (buf2 == NULL)
1962 goto end;
1963 memcpy(p, buf2->v, lcconf->secret_size);
1964 p += lcconf->secret_size;
1965 vfree(buf2);
1966
1967 buf2 = eay_sha1_one(buf);
1968 memcpy(place, buf2->v, sizeof(cookie_t));
1969
1970 sa1 = val2str(place, sizeof (cookie_t));
1971 plog(LLV_DEBUG, LOCATION, NULL, "new cookie:\n%s\n", sa1);
1972 racoon_free(sa1);
1973
1974 error = 0;
1975end:
1976 if (buf != NULL)
1977 vfree(buf);
1978 if (buf2 != NULL)
1979 vfree(buf2);
1980 return error;
1981}
1982
1983/*
1984 * save partner's(payload) data into phhandle.
1985 */
1986int
1987isakmp_p2ph(buf, gen)
1988 vchar_t **buf;
1989 struct isakmp_gen *gen;
1990{
1991 if (*buf) {
1992 plog(LLV_WARNING, LOCATION, NULL,
1993 "ignore this payload, same payload type exist.\n");
1994 return -1;
1995 }
1996
1997 *buf = vmalloc(ntohs(gen->len) - sizeof(*gen));
1998 if (*buf == NULL) {
1999 plog(LLV_ERROR, LOCATION, NULL,
2000 "failed to get buffer.\n");
2001 return -1;
2002 }
2003 memcpy((*buf)->v, gen + 1, (*buf)->l);
2004
2005 return 0;
2006}
2007
2008u_int32_t
2009isakmp_newmsgid2(iph1)
2010 struct ph1handle *iph1;
2011{
2012 u_int32_t msgid2;
2013
2014 do {
2015 msgid2 = random();
2016 } while (getph2bymsgid(iph1, msgid2));
2017
2018 return msgid2;
2019}
2020
2021/*
2022 * set values into allocated buffer of isakmp header for phase 1
2023 */
2024caddr_t
2025set_isakmp_header(vbuf, iph1, nptype)
2026 vchar_t *vbuf;
2027 struct ph1handle *iph1;
2028 int nptype;
2029{
2030 struct isakmp *isakmp;
2031
2032 if (vbuf->l < sizeof(*isakmp))
2033 return NULL;
2034
2035 isakmp = (struct isakmp *)vbuf->v;
2036 memcpy(&isakmp->i_ck, &iph1->index.i_ck, sizeof(cookie_t));
2037 memcpy(&isakmp->r_ck, &iph1->index.r_ck, sizeof(cookie_t));
2038 isakmp->np = nptype;
2039 isakmp->v = iph1->version;
2040 isakmp->etype = iph1->etype;
2041 isakmp->flags = iph1->flags;
2042 isakmp->msgid = iph1->msgid;
2043 isakmp->len = htonl(vbuf->l);
2044
2045 return vbuf->v + sizeof(*isakmp);
2046}
2047
2048/*
2049 * set values into allocated buffer of isakmp header for phase 2
2050 */
2051caddr_t
2052set_isakmp_header2(vbuf, iph2, nptype)
2053 vchar_t *vbuf;
2054 struct ph2handle *iph2;
2055 int nptype;
2056{
2057 struct isakmp *isakmp;
2058
2059 if (vbuf->l < sizeof(*isakmp))
2060 return NULL;
2061
2062 isakmp = (struct isakmp *)vbuf->v;
2063 memcpy(&isakmp->i_ck, &iph2->ph1->index.i_ck, sizeof(cookie_t));
2064 memcpy(&isakmp->r_ck, &iph2->ph1->index.r_ck, sizeof(cookie_t));
2065 isakmp->np = nptype;
2066 isakmp->v = iph2->ph1->version;
2067 isakmp->etype = ISAKMP_ETYPE_QUICK;
2068 isakmp->flags = iph2->flags;
2069 memcpy(&isakmp->msgid, &iph2->msgid, sizeof(isakmp->msgid));
2070 isakmp->len = htonl(vbuf->l);
2071
2072 return vbuf->v + sizeof(*isakmp);
2073}
2074
2075/*
2076 * set values into allocated buffer of isakmp payload.
2077 */
2078caddr_t
2079set_isakmp_payload(buf, src, nptype)
2080 caddr_t buf;
2081 vchar_t *src;
2082 int nptype;
2083{
2084 struct isakmp_gen *gen;
2085 caddr_t p = buf;
2086
2087 plog(LLV_DEBUG, LOCATION, NULL, "add payload of len %d, next type %d\n",
2088 src->l, nptype);
2089
2090 gen = (struct isakmp_gen *)p;
2091 gen->np = nptype;
2092 gen->len = htons(sizeof(*gen) + src->l);
2093 p += sizeof(*gen);
2094 memcpy(p, src->v, src->l);
2095 p += src->l;
2096
2097 return p;
2098}
2099
2100static int
2101etypesw1(etype)
2102 int etype;
2103{
2104 switch (etype) {
2105 case ISAKMP_ETYPE_IDENT:
2106 return 1;
2107 case ISAKMP_ETYPE_AGG:
2108 return 2;
2109 case ISAKMP_ETYPE_BASE:
2110 return 3;
2111 default:
2112 return 0;
2113 }
2114 /*NOTREACHED*/
2115}
2116
2117static int
2118etypesw2(etype)
2119 int etype;
2120{
2121 switch (etype) {
2122 case ISAKMP_ETYPE_QUICK:
2123 return 1;
2124 default:
2125 return 0;
2126 }
2127 /*NOTREACHED*/
2128}
2129
2130#ifdef HAVE_PRINT_ISAKMP_C
2131/* for print-isakmp.c */
2132char *snapend;
2133extern void isakmp_print __P((const u_char *, u_int, const u_char *));
2134
2135char *getname __P((const u_char *));
2136#ifdef INET6
2137char *getname6 __P((const u_char *));
2138#endif
2139int safeputchar __P((int));
2140
2141/*
2142 * Return a name for the IP address pointed to by ap. This address
2143 * is assumed to be in network byte order.
2144 */
2145char *
2146getname(ap)
2147 const u_char *ap;
2148{
2149 struct sockaddr_in addr;
2150 static char ntop_buf[NI_MAXHOST];
2151
2152 memset(&addr, 0, sizeof(addr));
2153 //addr.sin_len = sizeof(struct sockaddr_in);
2154 addr.sin_family = AF_INET;
2155 memcpy(&addr.sin_addr, ap, sizeof(addr.sin_addr));
2156 if (getnameinfo((struct sockaddr *)&addr, sizeof(addr),
2157 ntop_buf, sizeof(ntop_buf), NULL, 0,
2158 NI_NUMERICHOST | niflags))
2159 strncpy(ntop_buf, "?", sizeof(ntop_buf));
2160
2161 return ntop_buf;
2162}
2163
2164#ifdef INET6
2165/*
2166 * Return a name for the IP6 address pointed to by ap. This address
2167 * is assumed to be in network byte order.
2168 */
2169char *
2170getname6(ap)
2171 const u_char *ap;
2172{
2173 struct sockaddr_in6 addr;
2174 static char ntop_buf[NI_MAXHOST];
2175
2176 memset(&addr, 0, sizeof(addr));
2177 addr.sin6_len = sizeof(struct sockaddr_in6);
2178 addr.sin6_family = AF_INET6;
2179 memcpy(&addr.sin6_addr, ap, sizeof(addr.sin6_addr));
2180 if (getnameinfo((struct sockaddr *)&addr, addr.sin6_len,
2181 ntop_buf, sizeof(ntop_buf), NULL, 0,
2182 NI_NUMERICHOST | niflags))
2183 strncpy(ntop_buf, "?", sizeof(ntop_buf));
2184
2185 return ntop_buf;
2186}
2187#endif /* INET6 */
2188
2189int
2190safeputchar(c)
2191 int c;
2192{
2193 unsigned char ch;
2194
2195 ch = (unsigned char)(c & 0xff);
2196 if (c < 0x80 && isprint(c))
2197 return printf("%c", c & 0xff);
2198 else
2199 return printf("\\%03o", c & 0xff);
2200}
2201
2202void
2203isakmp_printpacket(msg, from, my, decoded)
2204 vchar_t *msg;
2205 struct sockaddr *from;
2206 struct sockaddr *my;
2207 int decoded;
2208{
2209#ifdef YIPS_DEBUG
2210 struct timeval tv;
2211 int s;
2212 char hostbuf[NI_MAXHOST];
2213 char portbuf[NI_MAXSERV];
2214 struct isakmp *isakmp;
2215 vchar_t *buf;
2216#endif
2217
2218 if (loglevel < LLV_DEBUG)
2219 return;
2220
2221#ifdef YIPS_DEBUG
2222 plog(LLV_DEBUG, LOCATION, NULL, "begin.\n");
2223
2224 gettimeofday(&tv, NULL);
2225 s = tv.tv_sec % 3600;
2226 printf("%02d:%02d.%06u ", s / 60, s % 60, (u_int32_t)tv.tv_usec);
2227
2228 if (from) {
2229 if (getnameinfo(from, sysdep_sa_len(from), hostbuf, sizeof(hostbuf),
2230 portbuf, sizeof(portbuf),
2231 NI_NUMERICHOST | NI_NUMERICSERV | niflags)) {
2232 strncpy(hostbuf, "?", sizeof(hostbuf));
2233 strncpy(portbuf, "?", sizeof(portbuf));
2234 }
2235 printf("%s:%s", hostbuf, portbuf);
2236 } else
2237 printf("?");
2238 printf(" -> ");
2239 if (my) {
2240 if (getnameinfo(my, sysdep_sa_len(my), hostbuf, sizeof(hostbuf),
2241 portbuf, sizeof(portbuf),
2242 NI_NUMERICHOST | NI_NUMERICSERV | niflags)) {
2243 strncpy(hostbuf, "?", sizeof(hostbuf));
2244 strncpy(portbuf, "?", sizeof(portbuf));
2245 }
2246 printf("%s:%s", hostbuf, portbuf);
2247 } else
2248 printf("?");
2249 printf(": ");
2250
2251 buf = vdup(msg);
2252 if (!buf) {
2253 printf("(malloc fail)\n");
2254 return;
2255 }
2256 if (decoded) {
2257 isakmp = (struct isakmp *)buf->v;
2258 if (isakmp->flags & ISAKMP_FLAG_E) {
2259 isakmp->flags &= ~ISAKMP_FLAG_E;
2260 }
2261 }
2262
2263 snapend = buf->v + buf->l;
2264 isakmp_print(buf->v, buf->l, NULL);
2265 vfree(buf);
2266 printf("\n");
2267 fflush(stdout);
2268
2269 return;
2270#endif
2271}
2272#endif /*HAVE_PRINT_ISAKMP_C*/
2273
2274int
2275copy_ph1addresses(iph1, rmconf, remote, local)
2276 struct ph1handle *iph1;
2277 struct remoteconf *rmconf;
2278 struct sockaddr *remote, *local;
2279{
2280 u_short *port = NULL;
2281
2282 /* address portion must be grabbed from real remote address "remote" */
2283 iph1->remote = dupsaddr(remote);
2284 if (iph1->remote == NULL) {
2285 delph1(iph1);
2286 return -1;
2287 }
2288
2289 /*
2290 * if remote has no port # (in case of initiator - from ACQUIRE msg)
2291 * - if remote.conf specifies port #, use that
2292 * - if remote.conf does not, use 500
2293 * if remote has port # (in case of responder - from recvfrom(2))
2294 * respect content of "remote".
2295 */
2296 switch (iph1->remote->sa_family) {
2297 case AF_INET:
2298 port = &((struct sockaddr_in *)iph1->remote)->sin_port;
2299 if (*port)
2300 break;
2301 *port = ((struct sockaddr_in *)rmconf->remote)->sin_port;
2302 if (*port)
2303 break;
2304 *port = htons(PORT_ISAKMP);
2305 break;
2306#ifdef INET6
2307 case AF_INET6:
2308 port = &((struct sockaddr_in6 *)iph1->remote)->sin6_port;
2309 if (*port)
2310 break;
2311 *port = ((struct sockaddr_in6 *)rmconf->remote)->sin6_port;
2312 if (*port)
2313 break;
2314 *port = htons(PORT_ISAKMP);
2315 break;
2316#endif
2317 default:
2318 plog(LLV_ERROR, LOCATION, NULL,
2319 "invalid family: %d\n", iph1->remote->sa_family);
2320 return -1;
2321 }
2322
2323 if (local == NULL)
2324 iph1->local = getlocaladdr(iph1->remote);
2325 else
2326 iph1->local = dupsaddr(local);
2327 if (iph1->local == NULL) {
2328 delph1(iph1);
2329 return -1;
2330 }
2331 switch (AF_INET) {
2332 case AF_INET:
2333 ((struct sockaddr_in *)iph1->local)->sin_port
2334 = getmyaddrsport(iph1->local);
2335 break;
2336#ifdef INET6
2337 case AF_INET6:
2338 ((struct sockaddr_in6 *)iph1->local)->sin6_port
2339 = getmyaddrsport(iph1->local);
2340 break;
2341#endif
2342 default:
2343 plog(LLV_ERROR, LOCATION, NULL,
2344 "invalid family: %d\n", iph1->local->sa_family);
2345 delph1(iph1);
2346 return -1;
2347 }
2348
2349 return 0;
2350}
2351
2352static int
2353nostate1(iph1, msg)
2354 struct ph1handle *iph1;
2355 vchar_t *msg;
2356{
2357 plog(LLV_ERROR, LOCATION, iph1->remote, "wrong state %u.\n",
2358 iph1->status);
2359 return -1;
2360}
2361
2362static int
2363nostate2(iph2, msg)
2364 struct ph2handle *iph2;
2365 vchar_t *msg;
2366{
2367 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, "wrong state %u.\n",
2368 iph2->status);
2369 return -1;
2370}
2371
2372void
2373log_ph1established(iph1)
2374 const struct ph1handle *iph1;
2375{
2376 char *src, *dst;
2377
2378 src = strdup(saddr2str(iph1->local));
2379 dst = strdup(saddr2str(iph1->remote));
2380 plog(LLV_INFO, LOCATION, NULL,
2381 "ISAKMP-SA established %s-%s spi:%s\n",
2382 src, dst,
2383 isakmp_pindex(&iph1->index, 0));
2384 racoon_free(src);
2385 racoon_free(dst);
2386
2387 return;
2388}
2389