#include "config.h"
#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>
#if TIME_WITH_SYS_TIME
# include <sys/time.h>
# include <time.h>
#else
# if HAVE_SYS_TIME_H
# include <sys/time.h>
# else
# include <time.h>
# endif
#endif
#ifndef HAVE_NETINET6_IPSEC
#include <netinet/ipsec.h>
#else
#include <netinet6/ipsec.h>
#endif
#include "var.h"
#include "vmbuf.h"
#include "schedule.h"
#include "misc.h"
#include "plog.h"
#include "debug.h"
#include "fsm.h"
#include "localconf.h"
#include "remoteconf.h"
#include "handler.h"
#include "policy.h"
#include "proposal.h"
#include "isakmp_var.h"
#include "isakmp.h"
#include "isakmp_inf.h"
#include "isakmp_quick.h"
#include "oakley.h"
#include "ipsec_doi.h"
#include "crypto_openssl.h"
#include "pfkey.h"
#include "policy.h"
#include "algorithm.h"
#include "sockmisc.h"
#include "proposal.h"
#include "sainfo.h"
#include "strnames.h"
#include "nattraversal.h"
#include "ipsecSessionTracer.h"
#include "ipsecMessageTracer.h"
#ifndef HAVE_OPENSSL
#include <Security/SecDH.h>
#endif
/* Assembles iph2->sendbuf for Quick-Mode message 1/2 from the payload body
 * and its HASH payload (definition not in this part of the file); callers
 * treat a NULL return as failure. */
static vchar_t *quick_ir1mx (phase2_handle_t *, vchar_t *, vchar_t *);
/* Responder-side proposal lookup helper; not referenced in this part of the file. */
static int get_proposal_r_remote (phase2_handle_t *, int);
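/*
 * Initiator, Quick-Mode preparation: allocate a fresh message id and IV
 * for the Phase 2 exchange, advance the state machine and, unless f_local
 * is set, ask the kernel for an SPI (pfkey GETSPI) with a completion timer.
 *
 * iph2: Phase 2 handle; must be in IKEV1_STATE_QUICK_I_START.
 * msg:  unused (kept for the common exchange-function signature).
 *
 * Returns 0 on success, ISAKMP_INTERNAL_ERROR otherwise.  Failure to
 * allocate the IV is reported as an error like every other failure here,
 * so the caller never proceeds with iph2->ivm == NULL.
 */
int
quick_iprep(iph2, msg)
	phase2_handle_t *iph2;
	vchar_t *msg;
{
	int error = ISAKMP_INTERNAL_ERROR;

	if (iph2->status != IKEV1_STATE_QUICK_I_START) {
		plog(ASL_LEVEL_ERR,
			"status mismatched %d.\n", iph2->status);
		goto end;
	}

	iph2->msgid = isakmp_newmsgid2(iph2->ph1);

	/* Release any IV left from an earlier attempt before replacing it. */
	if (iph2->ivm != NULL)
		oakley_delivm(iph2->ivm);
	iph2->ivm = oakley_newiv2(iph2->ph1, iph2->msgid);
	if (iph2->ivm == NULL) {
		plog(ASL_LEVEL_ERR,
			"failed to generate IV for Quick-Mode.\n");
		goto end;
	}

	fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_I_GETSPISENT);

	/* With f_local set no pfkey round trip is made. */
	if (f_local) {
		error = 0;
		goto end;
	}

	if (pk_sendgetspi(iph2) < 0) {
		plog(ASL_LEVEL_ERR,
			"failed to send getspi message");
		goto end;
	}
	plog(ASL_LEVEL_DEBUG, "pfkey getspi sent.\n");

	/* Bound the wait for the kernel's GETSPI reply. */
	iph2->sce = sched_new(lcconf->wait_ph2complete,
		pfkey_timeover_stub, iph2);

	error = 0;
end:
	return error;
}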
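/*
 * Initiator, Quick-Mode message 1: build the payload body
 * (SA, NONCE, [KE], [IDci, IDcr], [NAT-OAi, NAT-OAr]), compute HASH(1)
 * over the message id and the body, assemble the packet via quick_ir1mx()
 * and transmit it with retransmission.
 *
 * iph2: Phase 2 handle; must be in IKEV1_STATE_QUICK_I_GETSPIDONE.
 * msg:  must be NULL (nothing is received at this step).
 *
 * Returns 0 on success, ISAKMP_INTERNAL_ERROR otherwise.  On success
 * iph2->sendbuf holds the packet and the state advances to
 * IKEV1_STATE_QUICK_I_MSG1SENT.
 */
int
quick_i1send(iph2, msg)
	phase2_handle_t *iph2;
	vchar_t *msg;
{
	vchar_t *body = NULL;
	vchar_t *hash = NULL;
	/*
	 * Declared unconditionally (as in quick_r2send) so that the NAT-OA
	 * emission and cleanup below compile with or without ENABLE_NATT;
	 * without it natoa_type stays 0 and the buffers are never touched.
	 */
	vchar_t *natoa_i = NULL;
	vchar_t *natoa_r = NULL;
	int natoa_type = 0;
	struct isakmp_gen *gen;
	char *p;
	int tlen;
	int error = ISAKMP_INTERNAL_ERROR;
	int pfsgroup, idci, idcr;
	int np;
	struct ipsecdoi_id_b *id, *id_p;

	if (msg != NULL) {
		plog(ASL_LEVEL_ERR,
			"msg has to be NULL in this function.\n");
		goto end;
	}
	if (iph2->status != IKEV1_STATE_QUICK_I_GETSPIDONE) {
		plog(ASL_LEVEL_ERR,
			"status mismatched %d.\n", iph2->status);
		goto end;
	}

	/* SA payload: our proposal for the Phase 2 SA. */
	if (ipsecdoi_setph2proposal(iph2, FALSE) < 0) {
		plog(ASL_LEVEL_ERR,
			"failed to set proposal");
		goto end;
	}

	/* Fresh nonce; its size comes from the remote configuration. */
	iph2->nonce = eay_set_random(iph2->ph1->rmconf->nonce_size);
	if (iph2->nonce == NULL) {
		plog(ASL_LEVEL_ERR,
			"failed to generate NONCE");
		goto end;
	}

	/* KE payload only when PFS was configured for this proposal. */
	pfsgroup = iph2->proposal->pfs_group;
	if (pfsgroup) {
		if (oakley_setdhgroup(pfsgroup, &iph2->pfsgrp) < 0) {
			plog(ASL_LEVEL_ERR,
				"failed to set DH value.\n");
			goto end;
		}
#ifdef HAVE_OPENSSL
		if (oakley_dh_generate(iph2->pfsgrp,
				&iph2->dhpub, &iph2->dhpriv) < 0) {
#else
		if (oakley_dh_generate(iph2->pfsgrp,
				&iph2->dhpub, &iph2->publicKeySize, &iph2->dhC) < 0) {
#endif
			plog(ASL_LEVEL_ERR,
				"failed to generate DH");
			goto end;
		}
	}

	/* IDci / IDcr describing the traffic selectors. */
	if (ipsecdoi_setid2(iph2) < 0) {
		plog(ASL_LEVEL_ERR,
			"failed to get ID.\n");
		goto end;
	}
	plogdump(ASL_LEVEL_DEBUG, iph2->id->v, iph2->id->l, "IDci:\n");
	plogdump(ASL_LEVEL_DEBUG, iph2->id_p->v, iph2->id_p->l, "IDcr:\n");

	/*
	 * The ID payloads are omitted only for plain transport mode with no
	 * protocol restriction and proxy support disabled; the two flags are
	 * always set together.
	 */
	id = ALIGNED_CAST(struct ipsecdoi_id_b *)iph2->id->v;
	id_p = ALIGNED_CAST(struct ipsecdoi_id_b *)iph2->id_p->v;
	if (id->proto_id == 0
	    && id_p->proto_id == 0
	    && iph2->ph1->rmconf->support_proxy == 0
	    && ipsecdoi_transportmode(iph2->proposal)) {
		idci = idcr = 0;
	} else {
		idci = idcr = 1;
	}

	/* Total body length: one generic header per payload plus its data. */
	tlen = sizeof(*gen) + iph2->sa->l
		+ sizeof(*gen) + iph2->nonce->l;
	if (pfsgroup)
		tlen += (sizeof(*gen) + iph2->dhpub->l);
	if (idci)
		tlen += sizeof(*gen) + iph2->id->l;
	if (idcr)
		tlen += sizeof(*gen) + iph2->id_p->l;

#ifdef ENABLE_NATT
	/* NAT-OA payloads are added for transport mode when a NAT was detected. */
	if (ipsecdoi_any_transportmode(iph2->proposal)
	    && (iph2->ph1->natt_flags & NAT_DETECTED)) {
		natoa_type = create_natoa_payloads(iph2, &natoa_i, &natoa_r);
		if (natoa_type == -1) {
			plog(ASL_LEVEL_ERR,
				"failed to generate NAT-OA payload.\n");
			goto end;
		} else if (natoa_type != 0) {
			tlen += sizeof(*gen) + natoa_i->l;
			tlen += sizeof(*gen) + natoa_r->l;
		}
	}
#endif

	body = vmalloc(tlen);
	if (body == NULL) {
		plog(ASL_LEVEL_ERR,
			"failed to get buffer to send.\n");
		goto end;
	}
	p = body->v;

	/*
	 * Emit the payloads in order.  Each payload's "next payload" field
	 * must name whatever actually follows it, hence the conditionals.
	 */
	p = set_isakmp_payload(p, iph2->sa, ISAKMP_NPTYPE_NONCE);

	if (pfsgroup)
		np = ISAKMP_NPTYPE_KE;
	else if (idci || idcr)
		np = ISAKMP_NPTYPE_ID;
	else
		np = (natoa_type ? natoa_type : ISAKMP_NPTYPE_NONE);
	p = set_isakmp_payload(p, iph2->nonce, np);

	np = (idci || idcr) ? ISAKMP_NPTYPE_ID : (natoa_type ? natoa_type : ISAKMP_NPTYPE_NONE);
	if (pfsgroup)
		p = set_isakmp_payload(p, iph2->dhpub, np);

	np = (idcr) ? ISAKMP_NPTYPE_ID : (natoa_type ? natoa_type : ISAKMP_NPTYPE_NONE);
	if (idci)
		p = set_isakmp_payload(p, iph2->id, np);
	if (idcr)
		p = set_isakmp_payload(p, iph2->id_p, natoa_type ? natoa_type : ISAKMP_NPTYPE_NONE);

	/* natoa_type is non-zero only when ENABLE_NATT built the payloads above. */
	if (natoa_type) {
		p = set_isakmp_payload(p, natoa_i, natoa_type);
		p = set_isakmp_payload(p, natoa_r, ISAKMP_NPTYPE_NONE);
	}

	/* HASH(1) over the message id and the body just built. */
	hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, body);
	if (hash == NULL) {
		plog(ASL_LEVEL_ERR,
			"failed to compute HASH");
		goto end;
	}

	/* Assemble the full packet (HASH payload + body) into iph2->sendbuf. */
	iph2->sendbuf = quick_ir1mx(iph2, body, hash);
	if (iph2->sendbuf == NULL) {
		plog(ASL_LEVEL_ERR,
			"failed to get send buffer");
		goto end;
	}

	/* Send with retransmission; message 2 is expected in reply. */
	iph2->retry_counter = iph2->ph1->rmconf->retry_counter;
	if (isakmp_ph2resend(iph2) == -1) {
		plog(ASL_LEVEL_ERR,
			"failed to send packet");
		goto end;
	}

	fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_I_MSG1SENT);
	error = 0;
	IPSECSESSIONTRACEREVENT(iph2->parent_session,
		IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
		CONSTSTR("Initiator, Quick-Mode message 1"),
		CONSTSTR(NULL));

end:
	if (error) {
		IPSECSESSIONTRACEREVENT(iph2->parent_session,
			IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
			CONSTSTR("Initiator, Quick-Mode Message 1"),
			CONSTSTR("Failed to transmit Quick-Mode Message 1"));
	}
	if (body != NULL)
		vfree(body);
	if (hash != NULL)
		vfree(hash);
	if (natoa_i)
		vfree(natoa_i);
	if (natoa_r)
		vfree(natoa_r);

	return error;
}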
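/*
 * Initiator, Quick-Mode message 2: decrypt, parse and authenticate the
 * responder's reply (HASH(2), SA, NONCE, [KE], [IDci, IDcr], [N],
 * [NAT-OA]).  SA/NONCE/KE are stored in iph2 (sa_ret, nonce_p, dhpub_p)
 * for the KEYMAT computation that follows; the returned IDs are compared
 * with the ones we sent, and a mismatch is tolerated - and recorded as the
 * external NAT id - only while NAT traversal is in use.
 *
 * iph2: Phase 2 handle; must be in IKEV1_STATE_QUICK_I_MSG1SENT.
 * msg0: the received, still encrypted packet.
 *
 * Returns 0 on success; ISAKMP_INTERNAL_ERROR or the ISAKMP notify type
 * describing the problem otherwise.  On error the payloads stored in iph2
 * (sa_ret, nonce_p, dhpub_p) are released again.
 */
int
quick_i2recv(iph2, msg0)
	phase2_handle_t *iph2;
	vchar_t *msg0;
{
	vchar_t *msg = NULL;
	vchar_t *hbuf = NULL;
	vchar_t *pbuf = NULL;
	struct isakmp_parse_t *pa;
	struct isakmp *isakmp = (struct isakmp *)msg0->v;
	struct isakmp_pl_hash *hash = NULL;
	int hash_len = 0;	/* whole HASH payload length, header included */
	int f_id;
	char *p;
	int tlen;
	int error = ISAKMP_INTERNAL_ERROR;
	struct sockaddr_storage *natoa_i = NULL;
	struct sockaddr_storage *natoa_r = NULL;

	if (iph2->status != IKEV1_STATE_QUICK_I_MSG1SENT) {
		plog(ASL_LEVEL_ERR,
			"status mismatched %d.\n", iph2->status);
		goto end;
	}

	/* Quick-Mode messages must carry the encryption flag. */
	if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
		plog(ASL_LEVEL_ERR,
			"Packet wasn't encrypted.\n");
		goto end;
	}

	msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
	if (msg == NULL) {
		plog(ASL_LEVEL_ERR,
			"failed to decrypt");
		goto end;
	}

	pbuf = isakmp_parse(msg);
	if (pbuf == NULL) {
		plog(ASL_LEVEL_ERR,
			"failed to parse msg");
		goto end;
	}
	pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;

	/* HASH(2) must come first; SA is expected right after it. */
	if (pa->type != ISAKMP_NPTYPE_HASH) {
		plog(ASL_LEVEL_ERR,
			"received invalid next payload type %d, "
			"expecting %d.\n",
			pa->type, ISAKMP_NPTYPE_HASH);
		goto end;
	}
	hash = (struct isakmp_pl_hash *)pa->ptr;
	hash_len = pa->len;
	pa++;

	if (pa->type != ISAKMP_NPTYPE_SA) {
		/* Warning only, as on the responder side; the log names the
		 * payload actually expected here (SA). */
		plog(ASL_LEVEL_WARNING,
			"received invalid next payload type %d, "
			"expecting %d.\n",
			pa->type, ISAKMP_NPTYPE_SA);
	}

	/*
	 * Buffer for the HASH(2) input: Ni_b followed by every payload after
	 * HASH.  It is sized from the ISAKMP header's length field; a header
	 * claiming less than its own size is rejected before the subtraction
	 * could wrap.
	 */
	if (ntohl(isakmp->len) < sizeof(*isakmp)) {
		plog(ASL_LEVEL_ERR,
			"invalid length (%zu,%u) while getting hash buffer.\n",
			iph2->nonce->l, ntohl(isakmp->len));
		goto end;
	}
	tlen = iph2->nonce->l
		+ ntohl(isakmp->len) - sizeof(*isakmp);
	hbuf = vmalloc(tlen);
	if (hbuf == NULL) {
		plog(ASL_LEVEL_ERR,
			"failed to get hash buffer.\n");
		goto end;
	}
	p = hbuf->v + iph2->nonce->l;	/* Ni_b is copied in front afterwards */

	iph2->sa_ret = NULL;
	f_id = 0;
	tlen = 0;
	for (; pa->type; pa++) {
		/* Every payload after HASH, header included, is hashed. */
		memcpy(p, pa->ptr, pa->len);

		switch (pa->type) {
		case ISAKMP_NPTYPE_SA:
			if (iph2->sa_ret != NULL) {
				plog(ASL_LEVEL_ERR,
					"Ignored, multiple SA "
					"isn't supported.\n");
				break;
			}
			if (isakmp_p2ph(&iph2->sa_ret, pa->ptr) < 0) {
				plog(ASL_LEVEL_ERR,
					"failed to process SA payload");
				goto end;
			}
			break;

		case ISAKMP_NPTYPE_NONCE:
			if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0) {
				plog(ASL_LEVEL_ERR,
					"failed to process NONCE payload");
				goto end;
			}
			break;

		case ISAKMP_NPTYPE_KE:
			if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0) {
				plog(ASL_LEVEL_ERR,
					"failed to process KE payload");
				goto end;
			}
			break;

		case ISAKMP_NPTYPE_ID:
		{
			vchar_t *vp;
			struct ipsecdoi_id_b *id_ptr;
			struct ipsecdoi_pl_id *idp_ptr;
			int mismatch;

			if (iph2->id == NULL || iph2->id_p == NULL) {
				plog(ASL_LEVEL_ERR,
					"local ID is missing while checking the returned ID.\n");
				error = ISAKMP_INTERNAL_ERROR;
				goto end;
			}
			/* The first ID payload is IDci, the second one IDcr. */
			vp = (f_id == 0) ? iph2->id : iph2->id_p;
			if (vp->l < sizeof(struct ipsecdoi_id_b)) {
				plog(ASL_LEVEL_ERR,
					"local ID is too short (%zu).\n", vp->l);
				error = ISAKMP_INTERNAL_ERROR;
				goto end;
			}
			id_ptr = ALIGNED_CAST(struct ipsecdoi_id_b *)vp->v;
			idp_ptr = (struct ipsecdoi_pl_id *)pa->ptr;

			/*
			 * The returned ID must equal the one we sent.  pa->len is
			 * the whole payload including its generic header (it is
			 * what the memcpy above copied), so comparing the data
			 * lengths first keeps memcmp inside the received payload;
			 * a length difference is an ID mismatch like any other.
			 */
			mismatch = (size_t)pa->len != sizeof(struct ipsecdoi_pl_id)
					+ (vp->l - sizeof(struct ipsecdoi_id_b))
			    || id_ptr->type != idp_ptr->b.type
			    || (idp_ptr->b.proto_id != 0 && idp_ptr->b.proto_id != id_ptr->proto_id)
			    || (idp_ptr->b.port != 0 && idp_ptr->b.port != id_ptr->port)
			    || memcmp(vp->v + sizeof(struct ipsecdoi_id_b),
				    (caddr_t)pa->ptr + sizeof(struct ipsecdoi_pl_id),
				    vp->l - sizeof(struct ipsecdoi_id_b));

			if (mismatch) {
				if (iph2->ph1->natt_flags & NAT_DETECTED) {
					plog(ASL_LEVEL_WARNING,
						"mismatched ID was returned - ignored because nat traversal is being used.\n");
					/*
					 * Behind a NAT the peer sees translated addresses;
					 * keep the ID it returned as the external NAT id.
					 * The length is checked before the old buffer is
					 * released so a bad payload cannot leave a freed
					 * pointer behind in lcconf.
					 */
					if (f_id == 0 && (iph2->ph1->natt_flags & NAT_DETECTED_ME)) {
						if ((size_t)pa->len < sizeof(struct isakmp_gen)) {
							plog(ASL_LEVEL_ERR, "invalid length (%d) while allocating external nat id.\n", pa->len);
							goto end;
						}
						if (lcconf->ext_nat_id)
							vfree(lcconf->ext_nat_id);
						lcconf->ext_nat_id = vmalloc(pa->len - sizeof(struct isakmp_gen));
						if (lcconf->ext_nat_id == NULL) {
							plog(ASL_LEVEL_ERR, "memory error while allocating external nat id.\n");
							goto end;
						}
						memcpy(lcconf->ext_nat_id->v, &(idp_ptr->b), lcconf->ext_nat_id->l);
						if (iph2->ext_nat_id)
							vfree(iph2->ext_nat_id);
						iph2->ext_nat_id = vdup(lcconf->ext_nat_id);
						if (iph2->ext_nat_id == NULL) {
							plog(ASL_LEVEL_ERR, "memory error while allocating ph2's external nat id.\n");
							goto end;
						}
						plogdump(ASL_LEVEL_DEBUG, iph2->ext_nat_id->v, iph2->ext_nat_id->l, "external nat address saved.\n");
					} else if (f_id && (iph2->ph1->natt_flags & NAT_DETECTED_PEER)) {
						if ((size_t)pa->len < sizeof(struct isakmp_gen)) {
							plog(ASL_LEVEL_ERR, "invalid length (%d) while allocating peers external nat id.\n", pa->len);
							goto end;
						}
						if (iph2->ext_nat_id_p)
							vfree(iph2->ext_nat_id_p);
						iph2->ext_nat_id_p = vmalloc(pa->len - sizeof(struct isakmp_gen));
						if (iph2->ext_nat_id_p == NULL) {
							plog(ASL_LEVEL_ERR, "memory error while allocating peers ph2's external nat id.\n");
							goto end;
						}
						memcpy(iph2->ext_nat_id_p->v, &(idp_ptr->b), iph2->ext_nat_id_p->l);
						plogdump(ASL_LEVEL_DEBUG, iph2->ext_nat_id_p->v, iph2->ext_nat_id_p->l, "peer's external nat address saved.\n");
					}
				} else {
					plog(ASL_LEVEL_ERR, "mismatched ID was returned.\n");
					error = ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED;
					goto end;
				}
			}
			if (f_id == 0)
				f_id = 1;
		}
			break;

		case ISAKMP_NPTYPE_N:
			isakmp_check_ph2_notify(pa->ptr, iph2);
			break;

#ifdef ENABLE_NATT
		case ISAKMP_NPTYPE_NATOA_DRAFT:
		case ISAKMP_NPTYPE_NATOA_BADDRAFT:
		case ISAKMP_NPTYPE_NATOA_RFC:
		{
			vchar_t *vp = NULL;
			struct sockaddr_storage *daddr;

			/* First NAT-OA is the initiator's, second the responder's;
			 * any further ones are dropped. */
			isakmp_p2ph(&vp, pa->ptr);
			if (vp) {
				daddr = process_natoa_payload(vp);
				if (daddr) {
					if (natoa_i == NULL) {
						natoa_i = daddr;
						plog(ASL_LEVEL_DEBUG, "initiaor rcvd NAT-OA i: %s\n",
							saddr2str((struct sockaddr *)natoa_i));
					} else if (natoa_r == NULL) {
						natoa_r = daddr;
						plog(ASL_LEVEL_DEBUG, "initiator rcvd NAT-OA r: %s\n",
							saddr2str((struct sockaddr *)natoa_r));
					} else {
						racoon_free(daddr);
					}
				}
				vfree(vp);
			}
		}
			break;
#endif

		default:
			plog(ASL_LEVEL_ERR,
				"ignore the packet, "
				"received unexpecting payload type %d.\n",
				pa->type);
			goto end;
		}

		p += pa->len;
		tlen += pa->len;
	}

	/* HASH(2), SA and NONCE are mandatory. */
	if (hash == NULL || iph2->sa_ret == NULL || iph2->nonce_p == NULL) {
		plog(ASL_LEVEL_ERR,
			"few isakmp message received.\n");
		goto end;
	}

	/* Ni_b goes in front of the copied payloads; trim to what was copied. */
	memcpy(hbuf->v, iph2->nonce->v, iph2->nonce->l);
	plog(ASL_LEVEL_DEBUG,
		"HASH allocated:hbuf->l=%zu actual:tlen=%zu\n",
		hbuf->l, tlen + iph2->nonce->l);
	hbuf->l = iph2->nonce->l + tlen;

	/* Verify HASH(2) in constant time before acting on any payload. */
	{
		char *r_hash;
		vchar_t *my_hash = NULL;
		int result;

		r_hash = (char *)hash + sizeof(*hash);
		my_hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, hbuf);
		if (my_hash == NULL) {
			plog(ASL_LEVEL_ERR,
				"failed to compute HASH");
			goto end;
		}

		/* The received HASH payload must carry exactly one hash; a
		 * shorter one would make the compare read past the payload. */
		if ((size_t)hash_len != sizeof(*hash) + my_hash->l) {
			plog(ASL_LEVEL_ERR,
				"HASH(2) payload length mismatch (%d).\n", hash_len);
			vfree(my_hash);
			error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
			goto end;
		}

		result = timingsafe_bcmp(my_hash->v, r_hash, my_hash->l);
		vfree(my_hash);
		if (result) {
			plog(ASL_LEVEL_DEBUG,
				"HASH(2) mismatch.\n");
			error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
			goto end;
		}
	}

	/*
	 * We sent KE because PFS is configured, so the responder's KE is
	 * needed for the PFS key derivation; mirror the check quick_r1recv
	 * makes on the responder side.
	 */
	if (iph2->proposal->pfs_group != 0 && iph2->dhpub_p == NULL) {
		plog(ASL_LEVEL_ERR,
			"PFS is specified, but peer doesn't send KE.\n");
		error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
		goto end;
	}

	/* The returned SA must be one of the proposals we offered. */
	if (ipsecdoi_checkph2proposal(iph2) < 0) {
		plog(ASL_LEVEL_ERR,
			"failed to validate SA proposal");
		error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
		goto end;
	}

	fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_I_MSG2RCVD);
	error = 0;
	IPSECSESSIONTRACEREVENT(iph2->parent_session,
		IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
		CONSTSTR("Initiator, Quick-Mode message 2"),
		CONSTSTR(NULL));

end:
	if (error) {
		IPSECSESSIONTRACEREVENT(iph2->parent_session,
			IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
			CONSTSTR("Initiator, Quick-Mode Message 2"),
			CONSTSTR("Failed to process Quick-Mode Message 2 "));
	}
	if (hbuf)
		vfree(hbuf);
	if (pbuf)
		vfree(pbuf);
	if (msg)
		vfree(msg);
#ifdef ENABLE_NATT
	if (natoa_i) {
		racoon_free(natoa_i);
	}
	if (natoa_r) {
		racoon_free(natoa_r);
	}
#endif

	/* Do not keep half-processed peer material around after a failure. */
	if (error) {
		VPTRINIT(iph2->sa_ret);
		VPTRINIT(iph2->nonce_p);
		VPTRINIT(iph2->dhpub_p);
	}

	return error;
}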
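/*
 * Initiator, Quick-Mode message 3: send HASH(3), computed over Ni_b | Nr_b,
 * then derive KEYMAT and - unless the commit bit is set, in which case
 * message 4 is awaited first - install the SAs via pfkey.
 *
 * iph2: Phase 2 handle; must be in IKEV1_STATE_QUICK_I_MSG2RCVD.
 * msg0: the message 2 packet this answers; paired with the sent packet by
 *       ike_session_add_recvdpkt().
 *
 * Returns 0 on success, ISAKMP_INTERNAL_ERROR otherwise.  packet_error is
 * tracked separately from error so that only transmit failures are traced
 * as TX_FAIL, not failures after the packet has already left.
 */
int
quick_i3send(iph2, msg0)
	phase2_handle_t *iph2;
	vchar_t *msg0;
{
	vchar_t *buf = NULL;
	vchar_t *hash = NULL;
	char *p = NULL;
	int tlen;
	int error = ISAKMP_INTERNAL_ERROR;
	int packet_error = -1;

	if (iph2->status != IKEV1_STATE_QUICK_I_MSG2RCVD) {
		plog(ASL_LEVEL_ERR,
			"status mismatched %d.\n", iph2->status);
		goto end;
	}

	/* HASH(3) input is the two nonces concatenated, ours first. */
	{
		vchar_t *tmp = NULL;

		plog(ASL_LEVEL_DEBUG, "HASH(3) generate\n");

		tmp = vmalloc(iph2->nonce->l + iph2->nonce_p->l);
		if (tmp == NULL) {
			plog(ASL_LEVEL_ERR,
				"failed to get hash buffer.\n");
			goto end;
		}
		memcpy(tmp->v, iph2->nonce->v, iph2->nonce->l);
		memcpy(tmp->v + iph2->nonce->l, iph2->nonce_p->v, iph2->nonce_p->l);

		hash = oakley_compute_hash3(iph2->ph1, iph2->msgid, tmp);
		vfree(tmp);

		if (hash == NULL) {
			plog(ASL_LEVEL_ERR,
				"failed to compute HASH");
			goto end;
		}
	}

	/* The packet is just the ISAKMP header plus a single HASH payload. */
	tlen = sizeof(struct isakmp)
		+ sizeof(struct isakmp_gen) + hash->l;
	buf = vmalloc(tlen);
	if (buf == NULL) {
		plog(ASL_LEVEL_ERR,
			"failed to get buffer to send.\n");
		goto end;
	}

	p = set_isakmp_header2(buf, iph2, ISAKMP_NPTYPE_HASH);
	if (p == NULL) {
		plog(ASL_LEVEL_ERR,
			"failed to create ISAKMP header");
		goto end;
	}
	p = set_isakmp_payload(p, hash, ISAKMP_NPTYPE_NONE);

#ifdef HAVE_PRINT_ISAKMP_C
	isakmp_printpacket(buf, iph2->ph1->local, iph2->ph1->remote, 1);
#endif

	iph2->sendbuf = oakley_do_encrypt(iph2->ph1, buf, iph2->ivm->ive, iph2->ivm->iv);
	if (iph2->sendbuf == NULL) {
		plog(ASL_LEVEL_ERR,
			"failed to encrypt packet");
		goto end;
	}

	/*
	 * With the commit bit set a reply (message 4) is expected, so send
	 * with retransmission; otherwise a single send finishes the exchange.
	 */
	if (ISSET(iph2->flags, ISAKMP_FLAG_C)) {
		iph2->retry_counter = iph2->ph1->rmconf->retry_counter;
		if (isakmp_ph2resend(iph2) == -1) {
			plog(ASL_LEVEL_ERR,
				"failed to send packet, commit-bit");
			goto end;
		}
	} else {
		if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0) {
			plog(ASL_LEVEL_ERR,
				"failed to send packet");
			goto end;
		}
	}

	/* Record the sent packet against the one it answers. */
	if (ike_session_add_recvdpkt(iph2->ph1->remote, iph2->ph1->local,
			iph2->sendbuf, msg0,
			PH2_NON_ESP_EXTRA_LEN(iph2, iph2->sendbuf), PH2_FRAG_FLAGS(iph2)) == -1) {
		plog(ASL_LEVEL_ERR ,
			"failed to add a response packet to the tree.\n");
		goto end;
	}

	IPSECSESSIONTRACEREVENT(iph2->parent_session,
		IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
		CONSTSTR("Initiator, Quick-Mode message 3"),
		CONSTSTR(NULL));
	packet_error = 0;

	/* Both sides now hold everything needed for the keying material. */
	if (oakley_compute_keymat(iph2, INITIATOR) < 0) {
		plog(ASL_LEVEL_ERR,
			"failed to compute KEYMAT");
		goto end;
	}

	/* Commit bit: SAs are installed only after message 4 arrives. */
	if (ISSET(iph2->flags, ISAKMP_FLAG_C)) {
		fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_I_MSG3SENT);
		error = 0;
		goto end;
	}

	fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_I_ADDSA);

	/* Install the SAs: UPDATE for the SPIs we reserved, ADD for the peer's. */
	plog(ASL_LEVEL_DEBUG, "call pk_sendupdate\n");
	if (pk_sendupdate(iph2) < 0) {
		plog(ASL_LEVEL_ERR, "pfkey update failed.\n");
		goto end;
	}
	plog(ASL_LEVEL_DEBUG, "pfkey update sent.\n");

	if (pk_sendadd(iph2) < 0) {
		plog(ASL_LEVEL_ERR, "pfkey add failed.\n");
		goto end;
	}
	plog(ASL_LEVEL_DEBUG, "pfkey add sent.\n");

	error = 0;

end:
	if (packet_error) {
		IPSECSESSIONTRACEREVENT(iph2->parent_session,
			IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
			CONSTSTR("Initiator, Quick-Mode Message 3"),
			CONSTSTR("Failed to transmit Quick-Mode Message 3"));
	}
	if (buf != NULL)
		vfree(buf);
	if (hash != NULL)
		vfree(hash);

	return error;
}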
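/*
 * Initiator, Quick-Mode message 4 (commit bit only): the responder's
 * HASH(4) plus its notify.  HASH(4) is verified over the notify payload,
 * the commit flag is cleared and the SAs are installed via pfkey.
 *
 * iph2: Phase 2 handle; must be in IKEV1_STATE_QUICK_I_MSG3SENT.
 * msg0: the received, still encrypted packet.
 *
 * Returns 0 on success; ISAKMP_INTERNAL_ERROR or
 * ISAKMP_NTYPE_INVALID_HASH_INFORMATION otherwise.  packet_error is
 * tracked separately so only rejected packets are traced as RX_FAIL.
 */
int
quick_i4recv(iph2, msg0)
	phase2_handle_t *iph2;
	vchar_t *msg0;
{
	vchar_t *msg = NULL;
	vchar_t *pbuf = NULL;
	struct isakmp_parse_t *pa;
	struct isakmp_pl_hash *hash = NULL;
	int hash_len = 0;	/* whole HASH payload length, header included */
	vchar_t *notify = NULL;
	int error = ISAKMP_INTERNAL_ERROR;
	int packet_error = -1;

	if (iph2->status != IKEV1_STATE_QUICK_I_MSG3SENT) {
		plog(ASL_LEVEL_ERR,
			"status mismatched %d.\n", iph2->status);
		goto end;
	}

	/* Quick-Mode messages must carry the encryption flag. */
	if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
		plog(ASL_LEVEL_ERR,
			"Packet wasn't encrypted.\n");
		goto end;
	}

	msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
	if (msg == NULL) {
		plog(ASL_LEVEL_ERR,
			"failed to decrypt packet\n");
		goto end;
	}

	pbuf = isakmp_parse(msg);
	if (pbuf == NULL) {
		plog(ASL_LEVEL_ERR,
			"failed to parse msg\n");
		goto end;
	}

	for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
	     pa->type != ISAKMP_NPTYPE_NONE;
	     pa++) {
		switch (pa->type) {
		case ISAKMP_NPTYPE_HASH:
			hash = (struct isakmp_pl_hash *)pa->ptr;
			hash_len = pa->len;
			break;
		case ISAKMP_NPTYPE_N:
			if (notify != NULL) {
				plog(ASL_LEVEL_WARNING,
					"Ignoring multiple notifications\n");
				break;
			}
			isakmp_check_ph2_notify(pa->ptr, iph2);
			/* Keep a copy: the notify payload is the HASH(4) input. */
			notify = vmalloc(pa->len);
			if (notify == NULL) {
				plog(ASL_LEVEL_ERR,
					"failed to get notify buffer.\n");
				goto end;
			}
			memcpy(notify->v, pa->ptr, notify->l);
			break;
		default:
			plog(ASL_LEVEL_ERR,
				"ignore the packet, "
				"received unexpecting payload type %d.\n",
				pa->type);
			goto end;
		}
	}

	/*
	 * HASH(4) is computed over the notify, so both payloads are required;
	 * without the notify there is nothing to authenticate the message with.
	 */
	if (hash == NULL || notify == NULL) {
		plog(ASL_LEVEL_ERR,
			"few isakmp message received.\n");
		goto end;
	}

	/* Verify HASH(4) in constant time. */
	{
		char *r_hash;
		vchar_t *my_hash = NULL;
		int result;

		r_hash = (char *)hash + sizeof(*hash);
		my_hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, notify);
		if (my_hash == NULL) {
			plog(ASL_LEVEL_ERR,
				"failed to compute HASH\n");
			goto end;
		}

		/* The received HASH payload must carry exactly one hash; a
		 * shorter one would make the compare read past the payload. */
		if ((size_t)hash_len != sizeof(*hash) + my_hash->l) {
			plog(ASL_LEVEL_ERR,
				"HASH(4) payload length mismatch (%d).\n", hash_len);
			vfree(my_hash);
			error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
			goto end;
		}

		result = timingsafe_bcmp(my_hash->v, r_hash, my_hash->l);
		vfree(my_hash);
		if (result) {
			plog(ASL_LEVEL_DEBUG,
				"HASH(4) mismatch.\n");
			error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
			goto end;
		}
	}

	IPSECSESSIONTRACEREVENT(iph2->parent_session,
		IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
		CONSTSTR("Initiator, Quick-Mode message 4"),
		CONSTSTR(NULL));
	packet_error = 0;

	fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_I_ADDSA);

	/* The commit-bit handshake is done; this state is only reached with
	 * the flag set (see quick_i3send), so the toggle clears it. */
	iph2->flags ^= ISAKMP_FLAG_C;

	/* With f_local set no pfkey round trip is made. */
	if (f_local) {
		error = 0;
		goto end;
	}

	/* Install the SAs: UPDATE for the SPIs we reserved, ADD for the peer's. */
	plog(ASL_LEVEL_DEBUG, "call pk_sendupdate\n");
	if (pk_sendupdate(iph2) < 0) {
		plog(ASL_LEVEL_ERR, "pfkey update failed.\n");
		goto end;
	}
	plog(ASL_LEVEL_DEBUG, "pfkey update sent.\n");

	if (pk_sendadd(iph2) < 0) {
		plog(ASL_LEVEL_ERR, "pfkey add failed.\n");
		goto end;
	}
	plog(ASL_LEVEL_DEBUG, "pfkey add sent.\n");

	error = 0;

end:
	if (packet_error) {
		IPSECSESSIONTRACEREVENT(iph2->parent_session,
			IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
			CONSTSTR("Initiator, Quick-Mode Message 4"),
			CONSTSTR("Failed to process Quick-Mode Message 4"));
	}
	if (msg != NULL)
		vfree(msg);
	if (pbuf != NULL)
		vfree(pbuf);
	if (notify != NULL)
		vfree(notify);

	return error;
}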
/*
 * Responder, Quick-Mode message 1: decrypt, parse and authenticate the
 * initiator's HASH(1), SA, NONCE, [KE], [IDci2, IDcr2], [N], [NAT-OA],
 * then pick the SA info and proposal to answer with.
 *
 * iph2: Phase 2 handle; must be in IKEV1_STATE_QUICK_R_START.
 * msg0: the received, still encrypted packet; a copy is kept in iph2->msg1.
 *
 * Returns 0 on success; ISAKMP_INTERNAL_ERROR or the ISAKMP notify type
 * describing the problem otherwise.  On error the peer material stored in
 * iph2 (sa, nonce_p, dhpub_p, id, id_p) is released again.
 */
int
quick_r1recv(iph2, msg0)
	phase2_handle_t *iph2;
	vchar_t *msg0;
{
	vchar_t *msg = NULL;
	vchar_t *hbuf = NULL;
	vchar_t *pbuf = NULL;
	struct isakmp_parse_t *pa;
	struct isakmp *isakmp = (struct isakmp *)msg0->v;
	struct isakmp_pl_hash *hash = NULL;
	char *p;
	int tlen;
	int f_id_order;	/* set while consecutive ID payloads are being read */
	int error = ISAKMP_INTERNAL_ERROR;
	struct sockaddr_storage *natoa_i = NULL;
	struct sockaddr_storage *natoa_r = NULL;

	if (iph2->status != IKEV1_STATE_QUICK_R_START) {
		plog(ASL_LEVEL_ERR,
			"status mismatched %d.\n", iph2->status);
		goto end;
	}

	/* Quick-Mode messages must carry the encryption flag. */
	if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
		plog(ASL_LEVEL_ERR,
			"Packet wasn't encrypted.\n");
		error = ISAKMP_NTYPE_PAYLOAD_MALFORMED;
		goto end;
	}

	msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
	if (msg == NULL) {
		plog(ASL_LEVEL_ERR,
			"failed to decrypt packet\n");
		goto end;
	}

	pbuf = isakmp_parse(msg);
	if (pbuf == NULL) {
		plog(ASL_LEVEL_ERR,
			"failed to parse msg\n");
		goto end;
	}
	pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;

	/* HASH(1) must come first. */
	if (pa->type != ISAKMP_NPTYPE_HASH) {
		plog(ASL_LEVEL_ERR,
			"received invalid next payload type %d, "
			"expecting %d.\n",
			pa->type, ISAKMP_NPTYPE_HASH);
		error = ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX;
		goto end;
	}
	hash = (struct isakmp_pl_hash *)pa->ptr;
	pa++;

	/*
	 * SA is expected right after HASH.  This only warns and pre-sets
	 * error; the value is overwritten by get_sainfo_r() further down if
	 * processing gets that far.
	 */
	if (pa->type != ISAKMP_NPTYPE_SA) {
		plog(ASL_LEVEL_WARNING,
			"received invalid next payload type %d, "
			"expecting %d.\n",
			pa->type, ISAKMP_NPTYPE_SA);
		error = ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX;
	}

	/*
	 * Buffer for the HASH(1) input: every payload after HASH, sized from
	 * the ISAKMP header's length field.  The subtraction is unsigned; the
	 * sign test relies on the int conversion of a wrapped value.
	 */
	tlen = ntohl(isakmp->len) - sizeof(*isakmp);
	if (tlen < 0) {
		plog(ASL_LEVEL_ERR, "invalid length (%d) while extracting hash.\n",
			ntohl(isakmp->len));
		goto end;
	}
	hbuf = vmalloc(tlen);
	if (hbuf == NULL) {
		plog(ASL_LEVEL_ERR,
			"failed to get hash buffer.\n");
		goto end;
	}
	p = hbuf->v;

	/* Peer material is collected afresh for this exchange. */
	iph2->sa = NULL;
	iph2->nonce_p = NULL;
	iph2->dhpub_p = NULL;
	iph2->id_p = NULL;
	iph2->id = NULL;
	tlen = 0;
	f_id_order = 0;
	for (; pa->type; pa++) {
		/* Every payload after HASH, header included, is hashed. */
		memcpy(p, pa->ptr, pa->len);
		if (pa->type != ISAKMP_NPTYPE_ID)
			f_id_order = 0;
		switch (pa->type) {
		case ISAKMP_NPTYPE_SA:
			if (iph2->sa != NULL) {
				plog(ASL_LEVEL_ERR,
					"Multi SAs isn't supported.\n");
				goto end;
			}
			if (isakmp_p2ph(&iph2->sa, pa->ptr) < 0) {
				plog(ASL_LEVEL_ERR,
					"failed to process SA payload\n");
				goto end;
			}
			break;
		case ISAKMP_NPTYPE_NONCE:
			if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0) {
				plog(ASL_LEVEL_ERR,
					"failed to process NONCE payload\n");
				goto end;
			}
			break;
		case ISAKMP_NPTYPE_KE:
			if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0) {
				plog(ASL_LEVEL_ERR,
					"failed to process KE payload\n");
				goto end;
			}
			break;
		case ISAKMP_NPTYPE_ID:
			/* First ID payload is the peer's (IDci2), second ours (IDcr2). */
			if (iph2->id_p == NULL) {
				f_id_order++;
				if (isakmp_p2ph(&iph2->id_p, pa->ptr) < 0) {
					plog(ASL_LEVEL_ERR,
						"failed to process IDci2 payload\n");
					goto end;
				}
			} else if (iph2->id == NULL) {
				/* A non-adjacent IDcr2 is logged but still accepted. */
				if (f_id_order == 0) {
					plog(ASL_LEVEL_ERR,
						"IDr2 payload is not "
						"immediatelly followed "
						"by IDi2. We allowed.\n");
				}
				if (isakmp_p2ph(&iph2->id, pa->ptr) < 0) {
					plog(ASL_LEVEL_ERR,
						"failed to process IDcr2 payload\n");
					goto end;
				}
			} else {
				plogdump(ASL_LEVEL_ERR, iph2->id->v, iph2->id->l, "received too many ID payloads");
				error = ISAKMP_NTYPE_INVALID_ID_INFORMATION;
				goto end;
			}
			break;
		case ISAKMP_NPTYPE_N:
			isakmp_check_ph2_notify(pa->ptr, iph2);
			break;
#ifdef ENABLE_NATT
		case ISAKMP_NPTYPE_NATOA_DRAFT:
		case ISAKMP_NPTYPE_NATOA_BADDRAFT:
		case ISAKMP_NPTYPE_NATOA_RFC:
		{
			vchar_t *vp = NULL;
			struct sockaddr_storage *daddr;

			/* First NAT-OA is the initiator's, second the responder's;
			 * any further ones are dropped. */
			isakmp_p2ph(&vp, pa->ptr);
			if (vp) {
				daddr = process_natoa_payload(vp);
				if (daddr) {
					if (natoa_i == NULL) {
						natoa_i = daddr;
						plog(ASL_LEVEL_DEBUG, "responder rcvd NAT-OA i: %s\n",
							saddr2str((struct sockaddr *)natoa_i));
					} else if (natoa_r == NULL) {
						natoa_r = daddr;
						plog(ASL_LEVEL_DEBUG, "responder rcvd NAT-OA r: %s\n",
							saddr2str((struct sockaddr *)natoa_r));
					} else {
						racoon_free(daddr);
					}
				}
				vfree(vp);
			}
		}
			break;
#endif
		default:
			plog(ASL_LEVEL_ERR,
				"ignore the packet, "
				"received unexpected payload type %d.\n",
				pa->type);
			error = ISAKMP_NTYPE_PAYLOAD_MALFORMED;
			goto end;
		}

		p += pa->len;
		tlen += pa->len;
	}

	/* HASH(1), SA and NONCE are mandatory. */
	if (hash == NULL || iph2->sa == NULL || iph2->nonce_p == NULL) {
		plog(ASL_LEVEL_ERR,
			"expected isakmp payloads missing.\n");
		error = ISAKMP_NTYPE_PAYLOAD_MALFORMED;
		goto end;
	}

	if (iph2->id_p) {
		plogdump(ASL_LEVEL_DEBUG, iph2->id_p->v, iph2->id_p->l, "received IDci2:");
	}
	if (iph2->id) {
		plogdump(ASL_LEVEL_DEBUG, iph2->id->v, iph2->id->l, "received IDcr2:");
	}

	/* Trim the hash buffer to what was actually copied. */
	hbuf->l = tlen;

	/*
	 * Verify HASH(1) in constant time.  NOTE(review): the HASH payload's
	 * own length is not checked against my_hash->l before the compare.
	 */
	{
		char *r_hash;
		vchar_t *my_hash = NULL;
		int result;

		r_hash = (caddr_t)hash + sizeof(*hash);
		my_hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, hbuf);
		if (my_hash == NULL) {
			plog(ASL_LEVEL_ERR,
				"failed to compute HASH\n");
			goto end;
		}

		result = timingsafe_bcmp(my_hash->v, r_hash, my_hash->l);
		vfree(my_hash);
		if (result) {
			plog(ASL_LEVEL_ERR,
				"HASH(1) mismatch.\n");
			error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
			goto end;
		}
	}

	/* Pick the local SA info matching the peer's IDs. */
	error = get_sainfo_r(iph2);
	if (error) {
		plog(ASL_LEVEL_ERR,
			"failed to get sainfo.\n");
		goto end;
	}

	/*
	 * Find a proposal to answer with.  -2 means none was configured and
	 * a template is synthesized from the peer's proposal; it then falls
	 * through to the normal selection.
	 */
	error = get_proposal_r(iph2);
	switch (error) {
	case -2:
		if (set_proposal_from_proposal(iph2)) {
			plog(ASL_LEVEL_ERR,
				"failed to generate a proposal template "
				"from client's proposal.\n");
			error = ISAKMP_INTERNAL_ERROR;
			goto end;
		}
		/* FALLTHROUGH */
	case 0:
		if (ipsecdoi_selectph2proposal(iph2) < 0) {
			plog(ASL_LEVEL_ERR,
				"failed to select proposal.\n");
			error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
			goto end;
		}
		break;
	default:
		plog(ASL_LEVEL_ERR,
			"failed to get proposal for responder.\n");
		goto end;
	}

	/* The presence of KE must agree with the PFS setting of the approved proposal. */
	if (iph2->dhpub_p != NULL && iph2->approval->pfs_group == 0) {
		plog(ASL_LEVEL_ERR,
			"no PFS is specified, but peer sends KE.\n");
		error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
		goto end;
	}
	if (iph2->dhpub_p == NULL && iph2->approval->pfs_group != 0) {
		plog(ASL_LEVEL_ERR,
			"PFS is specified, but peer doesn't sends KE.\n");
		error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
		goto end;
	}

	ike_session_update_mode(iph2);

	/* Keep message 1 so message 2 can be paired with it when sent.
	 * NOTE(review): the vdup() result is not checked for NULL here. */
	iph2->msg1 = vdup(msg0);

	fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_R_MSG1RCVD);
	error = 0;
	IPSECSESSIONTRACEREVENT(iph2->parent_session,
		IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
		CONSTSTR("Responder, Quick-Mode message 1"),
		CONSTSTR(NULL));

end:
	if (error) {
		IPSECSESSIONTRACEREVENT(iph2->parent_session,
			IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
			CONSTSTR("Responder, Quick-Mode Message 1"),
			CONSTSTR("Failed to process Quick-Mode Message 1"));
	}
	if (hbuf)
		vfree(hbuf);
	if (msg)
		vfree(msg);
	if (pbuf)
		vfree(pbuf);
#ifdef ENABLE_NATT
	if (natoa_i) {
		racoon_free(natoa_i);
	}
	if (natoa_r) {
		racoon_free(natoa_r);
	}
#endif

	/* Do not keep half-processed peer material around after a failure. */
	if (error) {
		VPTRINIT(iph2->sa);
		VPTRINIT(iph2->nonce_p);
		VPTRINIT(iph2->dhpub_p);
		VPTRINIT(iph2->id);
		VPTRINIT(iph2->id_p);
	}

	return error;
}
/*
 * Responder, Quick-Mode preparation: advance the state machine and ask
 * the kernel for an SPI (pfkey GETSPI) with a completion timer.
 *
 * iph2: Phase 2 handle; must be in IKEV1_STATE_QUICK_R_MSG1RCVD.
 * msg:  unused (kept for the common exchange-function signature).
 *
 * Returns 0 on success, ISAKMP_INTERNAL_ERROR otherwise.
 */
int
quick_rprep(iph2, msg)
	phase2_handle_t *iph2;
	vchar_t *msg;
{
	/* Only valid right after Quick-Mode message 1 was accepted. */
	if (iph2->status != IKEV1_STATE_QUICK_R_MSG1RCVD) {
		plog(ASL_LEVEL_ERR,
			"status mismatched %d.\n", iph2->status);
		return ISAKMP_INTERNAL_ERROR;
	}

	fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_R_GETSPISENT);

	if (pk_sendgetspi(iph2) < 0) {
		plog(ASL_LEVEL_ERR,
			"failed to send getspi");
		return ISAKMP_INTERNAL_ERROR;
	}
	plog(ASL_LEVEL_DEBUG, "pfkey getspi sent.\n");

	/* Bound the wait for the kernel's GETSPI reply. */
	iph2->sce = sched_new(lcconf->wait_ph2complete,
		pfkey_timeover_stub, iph2);

	return 0;
}
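/*
 * Responder, Quick-Mode message 2: build the reply body
 * (SA, NONCE, [KE], [IDci2, IDcr2], [NAT-OAi, NAT-OAr],
 * [RESPONDER-LIFETIME notifies]), compute HASH(2) over Ni_b | body,
 * assemble the packet via quick_ir1mx() and transmit it with retransmission.
 *
 * iph2: Phase 2 handle; must be in IKEV1_STATE_QUICK_R_GETSPIDONE.
 * msg:  must be NULL (nothing is received at this step).
 *
 * Returns 0 on success, ISAKMP_INTERNAL_ERROR otherwise; on success the
 * state advances to IKEV1_STATE_QUICK_R_MSG2SENT.
 *
 * Emission order matters: isakmp_add_pl_n() hands back a possibly new
 * `body` buffer (it is reassigned below), which invalidates the write
 * cursor `p`.  The NAT-OA payloads are therefore written - and np_p moved
 * onto NAT-OAr - before the notifies are appended, so `p` is never used
 * after that point and the next-payload chain stays intact.
 */
int
quick_r2send(iph2, msg)
	phase2_handle_t *iph2;
	vchar_t *msg;
{
	vchar_t *body = NULL;
	vchar_t *hash = NULL;
	vchar_t *natoa_i = NULL;
	vchar_t *natoa_r = NULL;
	int natoa_type = 0;
	struct isakmp_gen *gen;
	char *p;
	int tlen;
	int error = ISAKMP_INTERNAL_ERROR;
	int pfsgroup;
	u_int8_t *np_p = NULL;	/* "next payload" field of the last payload written */

	if (msg != NULL) {
		plog(ASL_LEVEL_ERR,
			"msg has to be NULL in this function.\n");
		goto end;
	}
	if (iph2->status != IKEV1_STATE_QUICK_R_GETSPIDONE) {
		plog(ASL_LEVEL_ERR,
			"status mismatched %d.\n", iph2->status);
		goto end;
	}

	/* Put the SPIs we obtained into the SA payload to be returned. */
	if (ipsecdoi_updatespi(iph2) < 0) {
		plog(ASL_LEVEL_ERR, "failed to update spi.\n");
		goto end;
	}

	/* Fresh nonce; its size comes from the remote configuration. */
	iph2->nonce = eay_set_random(iph2->ph1->rmconf->nonce_size);
	if (iph2->nonce == NULL) {
		plog(ASL_LEVEL_ERR,
			"failed to generate NONCE");
		goto end;
	}

	/* KE only when the approved proposal uses PFS and the peer sent KE. */
	pfsgroup = iph2->approval->pfs_group;
	if (iph2->dhpub_p != NULL && pfsgroup != 0) {
		if (oakley_setdhgroup(pfsgroup, &iph2->pfsgrp) < 0) {
			plog(ASL_LEVEL_ERR,
				"failed to set DH value.\n");
			goto end;
		}
#ifdef HAVE_OPENSSL
		if (oakley_dh_generate(iph2->pfsgrp,
				&iph2->dhpub, &iph2->dhpriv) < 0) {
#else
		if (oakley_dh_generate(iph2->pfsgrp,
				&iph2->dhpub, &iph2->publicKeySize, &iph2->dhC) < 0) {
#endif
			plog(ASL_LEVEL_ERR,
				"failed to generate DH public");
			goto end;
		}
	}

	/* Body length before the optional RESPONDER-LIFETIME notifies. */
	tlen = sizeof(*gen) + iph2->sa_ret->l
		+ sizeof(*gen) + iph2->nonce->l;
	if (iph2->dhpub_p != NULL && pfsgroup != 0)
		tlen += (sizeof(*gen) + iph2->dhpub->l);
	if (iph2->id_p != NULL)
		tlen += (sizeof(*gen) + iph2->id_p->l
			+ sizeof(*gen) + iph2->id->l);

#ifdef ENABLE_NATT
	/* NAT-OA payloads are added for transport mode when a NAT was detected. */
	if (ipsecdoi_any_transportmode(iph2->approval)
	    && (iph2->ph1->natt_flags & NAT_DETECTED)) {
		natoa_type = create_natoa_payloads(iph2, &natoa_i, &natoa_r);
		if (natoa_type == -1) {
			plog(ASL_LEVEL_ERR,
				"failed to create NATOA payloads");
			goto end;
		}
		else if (natoa_type != 0) {
			tlen += sizeof(*gen) + natoa_i->l;
			tlen += sizeof(*gen) + natoa_r->l;
		}
	}
#endif

	plog(ASL_LEVEL_DEBUG, "Approved SA\n");
	printsaprop0(ASL_LEVEL_DEBUG, iph2->approval);

	body = vmalloc(tlen);
	if (body == NULL) {
		plog(ASL_LEVEL_ERR,
			"failed to get buffer to send.\n");
		goto end;
	}

	/*
	 * Emit the payloads in order.  np_p always points at the "next
	 * payload" field of the most recently written payload, so the notify
	 * appender can chain onto it.
	 */
	p = set_isakmp_payload(body->v, iph2->sa_ret, ISAKMP_NPTYPE_NONCE);

	np_p = &((struct isakmp_gen *)p)->np;
	p = set_isakmp_payload(p, iph2->nonce,
		(iph2->dh_pub_placeholder_never_used, 0) ? 0 :
		(iph2->dhpub_p != NULL && pfsgroup != 0)
			? ISAKMP_NPTYPE_KE
			: (iph2->id_p != NULL
				? ISAKMP_NPTYPE_ID
				: (natoa_type ? natoa_type : ISAKMP_NPTYPE_NONE)));

	if (iph2->dhpub_p != NULL && pfsgroup != 0) {
		np_p = &((struct isakmp_gen *)p)->np;
		p = set_isakmp_payload(p, iph2->dhpub,
			(iph2->id_p == NULL) ? (natoa_type ? natoa_type : ISAKMP_NPTYPE_NONE) : ISAKMP_NPTYPE_ID);
	}

	if (iph2->id_p != NULL) {
		p = set_isakmp_payload(p, iph2->id_p, ISAKMP_NPTYPE_ID);
		plogdump(ASL_LEVEL_DEBUG, iph2->id_p->v, iph2->id_p->l, "sending IDci2:");
		np_p = &((struct isakmp_gen *)p)->np;
		p = set_isakmp_payload(p, iph2->id, (natoa_type ? natoa_type : ISAKMP_NPTYPE_NONE));
		plogdump(ASL_LEVEL_DEBUG, iph2->id->v, iph2->id->l, "sending IDcr2:");
	}

	/*
	 * NAT-OA payloads go in before the notifies: the notify appender may
	 * move `body`, after which `p` must not be used, and np_p has to name
	 * NAT-OAr so the chain continues from the true last payload.
	 */
	if (natoa_type) {
		p = set_isakmp_payload(p, natoa_i, natoa_type);
		np_p = &((struct isakmp_gen *)p)->np;
		p = set_isakmp_payload(p, natoa_r, ISAKMP_NPTYPE_NONE);
	}

	/* RESPONDER-LIFETIME notifies, one per protocol, when the approved
	 * proposal carries a lifetime claim (pp->claim). */
	{
		vchar_t *data = NULL;
		struct saprop *pp = iph2->approval;
		struct saproto *pr;

		if (pp->claim & IPSECDOI_ATTR_SA_LD_TYPE_SEC) {
			u_int32_t v = htonl((u_int32_t)pp->lifetime);
			data = isakmp_add_attr_l(data, IPSECDOI_ATTR_SA_LD_TYPE,
				IPSECDOI_ATTR_SA_LD_TYPE_SEC);
			if (!data) {
				plog(ASL_LEVEL_ERR,
					"failed to add RESPONDER-LIFETIME notify (type) payload");
				goto end;
			}
			data = isakmp_add_attr_v(data, IPSECDOI_ATTR_SA_LD,
				(caddr_t)&v, sizeof(v));
			if (!data) {
				plog(ASL_LEVEL_ERR,
					"failed to add RESPONDER-LIFETIME notify (value) payload");
				goto end;
			}
		}

		if (pp->claim & IPSECDOI_ATTR_SA_LD_TYPE_KB) {
			u_int32_t v = htonl((u_int32_t)pp->lifebyte);
			data = isakmp_add_attr_l(data, IPSECDOI_ATTR_SA_LD_TYPE,
				IPSECDOI_ATTR_SA_LD_TYPE_KB);
			if (!data) {
				plog(ASL_LEVEL_ERR,
					"failed to add RESPONDER-LIFETIME notify (type) payload");
				goto end;
			}
			data = isakmp_add_attr_v(data, IPSECDOI_ATTR_SA_LD,
				(caddr_t)&v, sizeof(v));
			if (!data) {
				plog(ASL_LEVEL_ERR,
					"failed to add RESPONDER-LIFETIME notify (value) payload");
				goto end;
			}
		}

		if (data) {
			for (pr = pp->head; pr; pr = pr->next) {
				body = isakmp_add_pl_n(body, &np_p,
					ISAKMP_NTYPE_RESPONDER_LIFETIME, pr, data);
				if (!body) {
					/* body is gone; the common exit still frees hash and the NAT-OA buffers. */
					plog(ASL_LEVEL_ERR,
						"invalid RESPONDER-LIFETIME payload");
					vfree(data);
					goto end;
				}
			}
			vfree(data);
		}
	}

	/* HASH(2) over Nr... no: over the initiator's nonce followed by the body. */
	{
		vchar_t *tmp;

		tmp = vmalloc(iph2->nonce_p->l + body->l);
		if (tmp == NULL) {
			plog(ASL_LEVEL_ERR,
				"failed to get hash buffer.\n");
			goto end;
		}

		memcpy(tmp->v, iph2->nonce_p->v, iph2->nonce_p->l);
		memcpy(tmp->v + iph2->nonce_p->l, body->v, body->l);

		hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, tmp);
		vfree(tmp);

		if (hash == NULL) {
			plog(ASL_LEVEL_ERR,
				"failed to compute HASH");
			goto end;
		}
	}

	/* Assemble the full packet (HASH payload + body) into iph2->sendbuf. */
	iph2->sendbuf = quick_ir1mx(iph2, body, hash);
	if (iph2->sendbuf == NULL) {
		plog(ASL_LEVEL_ERR,
			"failed to get send buffer");
		goto end;
	}

	/* Send with retransmission; message 3 is expected in reply. */
	iph2->retry_counter = iph2->ph1->rmconf->retry_counter;
	if (isakmp_ph2resend(iph2) == -1) {
		plog(ASL_LEVEL_ERR,
			"failed to send packet");
		goto end;
	}

	/* Record the sent packet against message 1 it answers. */
	if (ike_session_add_recvdpkt(iph2->ph1->remote, iph2->ph1->local, iph2->sendbuf, iph2->msg1,
			PH2_NON_ESP_EXTRA_LEN(iph2, iph2->sendbuf), PH2_FRAG_FLAGS(iph2)) == -1) {
		plog(ASL_LEVEL_ERR,
			"failed to add a response packet to the tree.\n");
		goto end;
	}

	fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_R_MSG2SENT);
	error = 0;
	IPSECSESSIONTRACEREVENT(iph2->parent_session,
		IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
		CONSTSTR("Responder, Quick-Mode message 2"),
		CONSTSTR(NULL));

end:
	if (error) {
		IPSECSESSIONTRACEREVENT(iph2->parent_session,
			IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
			CONSTSTR("Responder, Quick-Mode Message 2"),
			CONSTSTR("Failed to transmit Quick-Mode Message 2"));
	}
	if (body != NULL)
		vfree(body);
	if (hash != NULL)
		vfree(hash);
	if (natoa_i)
		vfree(natoa_i);
	if (natoa_r)
		vfree(natoa_r);

	return error;
}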
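/*
 * Responder: process Quick-Mode message 3 (HASH(3) [, N ...]).
 *
 * Requires iph2->status == IKEV1_STATE_QUICK_R_MSG2SENT and the E flag in
 * the ISAKMP header.  msg0 is decrypted with the Phase-2 IV, parsed, and
 * the received HASH payload is checked against
 * HASH(3) = prf(SKEYID_a, 0 | M-ID | Ni_b | Nr_b), computed here over the
 * peer's nonce followed by ours.  Notify payloads are handed to
 * isakmp_check_ph2_notify(); any other payload type rejects the message.
 *
 * On success the state becomes QUICK_R_MSG3RCVD when the commit bit is
 * set on iph2->flags (quick_r4send() then runs from that state), and
 * QUICK_R_COMMIT otherwise.
 *
 * Returns 0 on success, ISAKMP_NTYPE_INVALID_HASH_INFORMATION when the
 * HASH payload is too short or does not match, ISAKMP_INTERNAL_ERROR for
 * every other failure.  msg0 stays owned by the caller.
 */
int
quick_r3recv(phase2_handle_t *iph2, vchar_t *msg0)
{
	vchar_t *msg = NULL;		/* decrypted copy of msg0 */
	vchar_t *pbuf = NULL;		/* payload index from isakmp_parse() */
	struct isakmp_parse_t *pa;
	struct isakmp_pl_hash *hash = NULL;
	int error = ISAKMP_INTERNAL_ERROR;

	if (iph2->status != IKEV1_STATE_QUICK_R_MSG2SENT) {
		plog(ASL_LEVEL_ERR,
			"status mismatched %d.\n", iph2->status);
		goto end;
	}

	if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
		plog(ASL_LEVEL_ERR,
			"Packet wasn't encrypted.\n");
		goto end;
	}

	msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
	if (msg == NULL) {
		plog(ASL_LEVEL_ERR,
			"failed to decrypt packet\n");
		goto end;
	}

	pbuf = isakmp_parse(msg);
	if (pbuf == NULL) {
		plog(ASL_LEVEL_ERR,
			"failed to parse msg\n");
		goto end;
	}

	for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
	     pa->type != ISAKMP_NPTYPE_NONE;
	     pa++) {
		switch (pa->type) {
		case ISAKMP_NPTYPE_HASH:
			hash = (struct isakmp_pl_hash *)pa->ptr;
			break;
		case ISAKMP_NPTYPE_N:
			isakmp_check_ph2_notify(pa->ptr, iph2);
			break;
		default:
			/* only HASH and N are allowed in message 3 */
			plog(ASL_LEVEL_ERR,
				"ignore the packet, "
				"received unexpecting payload type %d.\n",
				pa->type);
			goto end;
		}
	}

	if (hash == NULL) {
		plog(ASL_LEVEL_ERR,
			"few isakmp message received.\n");
		goto end;
	}

	/* validate HASH(3) */
	{
		char *r_hash;
		vchar_t *my_hash = NULL;
		vchar_t *tmp = NULL;
		int result;

		/* hash data follows the generic payload header */
		r_hash = (char *)hash + sizeof(*hash);

		/* Ni_b | Nr_b: peer's nonce first, then ours */
		tmp = vmalloc(iph2->nonce_p->l + iph2->nonce->l);
		if (tmp == NULL) {
			plog(ASL_LEVEL_ERR,
				"failed to get hash buffer.\n");
			goto end;
		}
		memcpy(tmp->v, iph2->nonce_p->v, iph2->nonce_p->l);
		memcpy(tmp->v + iph2->nonce_p->l, iph2->nonce->v, iph2->nonce->l);

		my_hash = oakley_compute_hash3(iph2->ph1, iph2->msgid, tmp);
		vfree(tmp);
		if (my_hash == NULL) {
			plog(ASL_LEVEL_ERR,
				"failed to compute HASH\n");
			goto end;
		}

		/*
		 * Nothing so far has checked how much hash data the peer
		 * actually sent.  The payload length (still in network
		 * byte order in the raw message) must cover the my_hash->l
		 * bytes the comparison below reads; otherwise the read would
		 * run past the HASH payload.
		 */
		if ((size_t)ntohs(hash->h.len) < sizeof(*hash) + my_hash->l) {
			plog(ASL_LEVEL_ERR,
				"HASH(3) payload too short.\n");
			vfree(my_hash);
			error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
			goto end;
		}

		/* constant-time compare: no early exit on the first differing byte */
		result = timingsafe_bcmp(my_hash->v, r_hash, my_hash->l);
		vfree(my_hash);
		if (result) {
			plog(ASL_LEVEL_ERR,
				"HASH(3) mismatch.\n");
			error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
			goto end;
		}
	}

	if (ISSET(iph2->flags, ISAKMP_FLAG_C)) {
		fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_R_MSG3RCVD);
	} else {
		fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_R_COMMIT);
	}

	error = 0;

	IPSECSESSIONTRACEREVENT(iph2->parent_session,
			IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
			CONSTSTR("Responder, Quick-Mode message 3"),
			CONSTSTR(NULL));

end:
	if (error) {
		IPSECSESSIONTRACEREVENT(iph2->parent_session,
				IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
				CONSTSTR("Responder, Quick-Mode Message 3"),
				CONSTSTR("Failed to process Quick-Mode Message 3"));
	}
	if (pbuf != NULL)
		vfree(pbuf);
	if (msg != NULL)
		vfree(msg);

	return error;
}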
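/*
 * Responder: build and send Quick-Mode message 4 (HASH(4), N(CONNECTED)).
 *
 * Only taken when the commit bit is set (status QUICK_R_MSG3RCVD).  The
 * CONNECTED notify carries the SPI of the first approved proposal
 * (iph2->approval->head); HASH(4) is computed over that notify.  The
 * clear-text message is encrypted with the Phase-2 IV, sent, and the
 * cipher text is recorded with ike_session_add_recvdpkt() against msg0.
 * On success the state advances to QUICK_R_COMMIT.
 *
 * Returns 0 on success, ISAKMP_INTERNAL_ERROR otherwise.  iph2->sendbuf
 * keeps the encrypted packet; all intermediate buffers are freed here.
 */
int
quick_r4send(phase2_handle_t *iph2, vchar_t *msg0)
{
	vchar_t *buf = NULL;		/* clear-text message */
	vchar_t *myhash = NULL;		/* HASH(4) */
	struct isakmp_pl_n *n;
	vchar_t *notify = NULL;		/* N(CONNECTED) payload */
	char *p;
	int tlen;
	int error = ISAKMP_INTERNAL_ERROR;

	if (iph2->status != IKEV1_STATE_QUICK_R_MSG3RCVD) {
		plog(ASL_LEVEL_ERR,
			"status mismatched %d.\n", iph2->status);
		goto end;
	}

	plog(ASL_LEVEL_DEBUG, "HASH(4) generate\n");

	/* notify = generic header + DOI/proto/spi_size/type + SPI bytes */
	tlen = sizeof(struct isakmp_pl_n) + iph2->approval->head->spisize;
	notify = vmalloc(tlen);
	if (notify == NULL) {
		plog(ASL_LEVEL_ERR,
			"failed to get notify buffer.\n");
		goto end;
	}

	n = (struct isakmp_pl_n *)notify->v;
	n->h.np = ISAKMP_NPTYPE_NONE;
	n->h.len = htons(tlen);
	n->doi = htonl(IPSEC_DOI);
	n->proto_id = iph2->approval->head->proto_id;
	/*
	 * spi_size is the SPI length in bytes and must agree with both tlen
	 * above and the number of bytes copied after the header below
	 * (spisize), not with sizeof() of the spisize field.
	 */
	n->spi_size = (u_int8_t)iph2->approval->head->spisize;
	n->type = htons(ISAKMP_NTYPE_CONNECTED);
	memcpy(n + 1, &iph2->approval->head->spi, iph2->approval->head->spisize);

	myhash = oakley_compute_hash1(iph2->ph1, iph2->msgid, notify);
	if (myhash == NULL) {
		plog(ASL_LEVEL_ERR,
			"failed to compute HASH");
		goto end;
	}

	/* ISAKMP header + HASH payload (generic header + hash) + notify */
	tlen = sizeof(struct isakmp)
		+ sizeof(struct isakmp_gen) + myhash->l
		+ notify->l;
	buf = vmalloc(tlen);
	if (buf == NULL) {
		plog(ASL_LEVEL_ERR,
			"failed to get buffer to send.\n");
		goto end;
	}

	p = set_isakmp_header2(buf, iph2, ISAKMP_NPTYPE_HASH);
	if (p == NULL) {
		plog(ASL_LEVEL_ERR,
			"failed to set ISAKMP header");
		goto end;
	}

	/* HASH payload, next-payload = N, then the notify itself */
	p = set_isakmp_payload(p, myhash, ISAKMP_NPTYPE_N);
	memcpy(p, notify->v, notify->l);

#ifdef HAVE_PRINT_ISAKMP_C
	isakmp_printpacket(buf, iph2->ph1->local, iph2->ph1->remote, 1);
#endif

	iph2->sendbuf = oakley_do_encrypt(iph2->ph1, buf, iph2->ivm->ive, iph2->ivm->iv);
	if (iph2->sendbuf == NULL) {
		plog(ASL_LEVEL_ERR,
			"failed to encrypt packet");
		goto end;
	}

	if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0) {
		plog(ASL_LEVEL_ERR,
			"failed to send packet");
		goto end;
	}

	if (ike_session_add_recvdpkt(iph2->ph1->remote, iph2->ph1->local, iph2->sendbuf, msg0,
			PH2_NON_ESP_EXTRA_LEN(iph2, iph2->sendbuf), PH2_FRAG_FLAGS(iph2)) == -1) {
		plog(ASL_LEVEL_ERR,
			"failed to add a response packet to the tree.\n");
		goto end;
	}

	fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_R_COMMIT);

	error = 0;

	IPSECSESSIONTRACEREVENT(iph2->parent_session,
			IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
			CONSTSTR("Responder, Quick-Mode message 4"),
			CONSTSTR(NULL));

end:
	if (error) {
		IPSECSESSIONTRACEREVENT(iph2->parent_session,
				IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
				CONSTSTR("Responder, Quick-Mode Message 4"),
				CONSTSTR("Failed to transmit Quick-Mode Message 4"));
	}
	if (buf != NULL)
		vfree(buf);
	if (myhash != NULL)
		vfree(myhash);
	if (notify != NULL)
		vfree(notify);

	return error;
}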
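/*
 * Responder: finish Quick Mode (status QUICK_R_COMMIT).
 *
 * Derives KEYMAT for the responder side, moves to QUICK_R_ADDSA and
 * toggles the commit bit, then pushes the SAs to the kernel via PF_KEY
 * (pk_sendupdate() then pk_sendadd()).  When the policy for this exchange
 * was generated on the fly (iph2->spidx_gen set by get_proposal_r_remote),
 * the inbound, optional forward, and outbound SPs are installed as well:
 * the handle's src/dst are swapped for the inbound/forward updates and
 * restored afterwards, on the failure paths too, so the handle is never
 * left with reversed endpoints.  Nothing is sent to PF_KEY when f_local
 * is set.
 *
 * msg0 is unused.  Returns 0 on success, ISAKMP_INTERNAL_ERROR otherwise.
 */
int
quick_rfinalize(phase2_handle_t *iph2, vchar_t *msg0)
{
	int error = ISAKMP_INTERNAL_ERROR;

	(void)msg0;

	if (iph2->status != IKEV1_STATE_QUICK_R_COMMIT) {
		plog(ASL_LEVEL_ERR,
			"status mismatched %d.\n", iph2->status);
		goto end;
	}

	if (oakley_compute_keymat(iph2, RESPONDER) < 0) {
		plog(ASL_LEVEL_ERR,
			"failed to compute KEYMAT");
		goto end;
	}

	fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_R_ADDSA);

	/* XOR toggles the commit bit; presumably it is set whenever this state is reached */
	iph2->flags ^= ISAKMP_FLAG_C;

	if (f_local) {
		error = 0;
		goto end;
	}

	plog(ASL_LEVEL_DEBUG, "call pk_sendupdate\n");
	if (pk_sendupdate(iph2) < 0) {
		plog(ASL_LEVEL_ERR, "pfkey update failed.\n");
		goto end;
	}
	plog(ASL_LEVEL_DEBUG, "pfkey update sent.\n");

	if (pk_sendadd(iph2) < 0) {
		plog(ASL_LEVEL_ERR, "pfkey add failed.\n");
		goto end;
	}
	plog(ASL_LEVEL_DEBUG, "pfkey add sent.\n");

	if (iph2->spidx_gen) {
		struct policyindex *spidx;
		struct sockaddr_storage addr;
		u_int8_t pref;
		struct sockaddr_storage *src = iph2->src;
		struct sockaddr_storage *dst = iph2->dst;
		int rc;

		/* inbound (and forward) SP: install with the endpoints reversed */
		iph2->src = dst;
		iph2->dst = src;
		rc = pk_sendspdupdate2(iph2);
		if (rc < 0) {
			plog(ASL_LEVEL_ERR,
				"pfkey spdupdate2(inbound) failed.\n");
		} else {
			plog(ASL_LEVEL_DEBUG,
				"pfkey spdupdate2(inbound) sent.\n");
			spidx = iph2->spidx_gen;
#ifdef HAVE_POLICY_FWD
			if (tunnel_mode_prop(iph2->approval)) {
				spidx->dir = IPSEC_DIR_FWD;
				rc = pk_sendspdupdate2(iph2);
				if (rc < 0) {
					plog(ASL_LEVEL_ERR,
						"pfkey spdupdate2(forward) failed.\n");
				} else {
					plog(ASL_LEVEL_DEBUG,
						"pfkey spdupdate2(forward) sent.\n");
				}
			}
#endif
		}

		/* restore the handle's endpoints before any exit */
		iph2->src = src;
		iph2->dst = dst;
		if (rc < 0)
			goto end;

		/* outbound SP: reverse direction, addresses and prefix lengths */
		spidx = iph2->spidx_gen;
		spidx->dir = IPSEC_DIR_OUTBOUND;
		addr = spidx->src;
		spidx->src = spidx->dst;
		spidx->dst = addr;
		pref = spidx->prefs;
		spidx->prefs = spidx->prefd;
		spidx->prefd = pref;
		if (pk_sendspdupdate2(iph2) < 0) {
			plog(ASL_LEVEL_ERR,
				"pfkey spdupdate2(outbound) failed.\n");
			goto end;
		}
		plog(ASL_LEVEL_DEBUG,
			"pfkey spdupdate2(outbound) sent.\n");

		/* the generated index has been handed to the kernel; drop our copy */
		delsp_bothdir(iph2->spidx_gen);
		racoon_free(iph2->spidx_gen);
		iph2->spidx_gen = NULL;
		iph2->generated_spidx = 1;
	}

	error = 0;

end:
	return error;
}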
/*
 * Assemble and encrypt a Quick-Mode message of the form
 * HDR*, HASH, <body>, where <body> is an already-serialised payload chain
 * beginning with an SA payload.
 *
 * Sets the E flag on iph2->flags before writing the header, lays out the
 * HASH payload followed by body, encrypts with the Phase-2 IV and returns
 * the cipher text.  The clear-text buffer is always released here.
 *
 * Returns a new vchar_t owned by the caller, or NULL on any failure.
 */
static vchar_t *
quick_ir1mx(phase2_handle_t *iph2, vchar_t *body, vchar_t *hash)
{
	vchar_t *plain;
	vchar_t *cipher;
	char *cur;
	int total;

	/* ISAKMP header + HASH payload (generic header + digest) + body */
	total = sizeof(struct isakmp)
		+ sizeof(struct isakmp_gen) + hash->l
		+ body->l;
	plain = vmalloc(total);
	if (plain == NULL) {
		plog(ASL_LEVEL_ERR,
			"failed to get buffer to send.\n");
		return NULL;
	}

	iph2->flags |= ISAKMP_FLAG_E;
	cur = set_isakmp_header2(plain, iph2, ISAKMP_NPTYPE_HASH);
	if (cur == NULL) {
		plog(ASL_LEVEL_ERR,
			"failed to set ISAKMP header");
		vfree(plain);
		return NULL;
	}

	/* HASH payload announces SA as the next payload; body follows verbatim */
	cur = set_isakmp_payload(cur, hash, ISAKMP_NPTYPE_SA);
	memcpy(cur, body->v, body->l);

#ifdef HAVE_PRINT_ISAKMP_C
	isakmp_printpacket(plain, iph2->ph1->local, iph2->ph1->remote, 1);
#endif

	cipher = oakley_do_encrypt(iph2->ph1, plain, iph2->ivm->ive, iph2->ivm->iv);
	vfree(plain);
	if (cipher == NULL) {
		plog(ASL_LEVEL_ERR,
			"failed to encrypt packet");
		return NULL;
	}

	return cipher;
}
/*
 * Prefix length, in bits, that covers a whole address of sa's family.
 * Returns -1 for any family other than AF_INET / AF_INET6.
 */
static int
sainfo_r_host_prefixlen(const struct sockaddr_storage *sa)
{
	switch (sa->ss_family) {
	case AF_INET:
		return (int)(sizeof(struct in_addr) << 3);
	case AF_INET6:
		return (int)(sizeof(struct in6_addr) << 3);
	default:
		return -1;
	}
}

/*
 * Responder: select the sainfo (Phase-2 policy block) for this exchange.
 *
 * The lookup keys are the local and peer IDs.  When an ID payload was not
 * received, a host ID (full-length prefix, IPSEC_ULPROTO_ANY) is
 * synthesised from the Phase-2 address instead.  getsainfo() is tried
 * first; if it yields nothing, or only an anonymous entry (idsrc == NULL)
 * on a client session, further lookups run in order: getsainfo() again
 * with its last argument set (only when NAT was detected on our side and
 * lcconf->ext_nat_id is configured), the session-level lookup, and a
 * lookup by destination ID only.  Any anonymous entry met along the way
 * is kept as the final fallback.  The chosen sainfo is retained on iph2.
 *
 * Returns 0 on success, ISAKMP_INTERNAL_ERROR otherwise.
 */
int
get_sainfo_r(phase2_handle_t *iph2)
{
	vchar_t *idsrc = NULL;
	vchar_t *iddst = NULL;
	int bits;
	int error = ISAKMP_INTERNAL_ERROR;
	struct sainfo *anon_fallback = NULL;

	/* local ID: received payload or a host ID built from our address */
	if (iph2->id != NULL) {
		idsrc = vdup(iph2->id);
	} else {
		bits = sainfo_r_host_prefixlen(iph2->src);
		if (bits < 0) {
			plog(ASL_LEVEL_ERR,
				"invalid family: %d\n", iph2->src->ss_family);
			goto end;
		}
		idsrc = ipsecdoi_sockaddr2id(iph2->src, bits,
					IPSEC_ULPROTO_ANY);
	}
	if (idsrc == NULL) {
		plog(ASL_LEVEL_ERR,
			"failed to set ID for source.\n");
		goto end;
	}

	/* peer ID: received payload or a host ID built from the peer address */
	if (iph2->id_p != NULL) {
		iddst = vdup(iph2->id_p);
	} else {
		bits = sainfo_r_host_prefixlen(iph2->dst);
		if (bits < 0) {
			plog(ASL_LEVEL_ERR,
				"invalid family: %d\n", iph2->dst->ss_family);
			goto end;
		}
		iddst = ipsecdoi_sockaddr2id(iph2->dst, bits,
					IPSEC_ULPROTO_ANY);
	}
	if (iddst == NULL) {
		plog(ASL_LEVEL_ERR,
			"failed to set ID for destination.\n");
		goto end;
	}

	/* primary lookup */
	iph2->sainfo = getsainfo(idsrc, iddst, iph2->ph1->id_p, 0);
	if (iph2->sainfo != NULL && iph2->sainfo->idsrc == NULL)
		anon_fallback = iph2->sainfo;

	if (iph2->sainfo == NULL
	 || (anon_fallback != NULL && iph2->parent_session && iph2->parent_session->is_client)) {
		/* case 1: alternative match when we sit behind NAT */
		if ((iph2->ph1->natt_flags & NAT_DETECTED_ME) && lcconf->ext_nat_id != NULL)
			iph2->sainfo = getsainfo(idsrc, iddst, iph2->ph1->id_p, 1);
		if (iph2->sainfo != NULL)
			plog(ASL_LEVEL_DEBUG,
				"get_sainfo_r case 1.\n");

		if (iph2->sainfo == NULL
		 || (iph2->sainfo->idsrc == NULL && iph2->parent_session && iph2->parent_session->is_client)) {
			/* case 2: session-level lookup */
			ike_session_get_sainfo_r(iph2);
			if (iph2->sainfo != NULL)
				plog(ASL_LEVEL_DEBUG,
					"get_sainfo_r case 2.\n");

			/* case 3: match on the peer ID alone */
			if ((iph2->sainfo == NULL || iph2->sainfo->idsrc == NULL) && iph2->id_p) {
				plog(ASL_LEVEL_DEBUG,
					"get_sainfo_r about to try dst id only.\n");
				iph2->sainfo = getsainfo_by_dst_id(iph2->id_p, iph2->ph1->id_p);
				if (iph2->sainfo != NULL) {
					plog(ASL_LEVEL_DEBUG,
						"get_sainfo_r case 3.\n");
					if (iph2->sainfo->idsrc == NULL)
						anon_fallback = iph2->sainfo;
				}
			}
		}
	}

	/* nothing specific found: fall back to an anonymous entry, if any */
	if (iph2->sainfo == NULL) {
		if (anon_fallback == NULL) {
			plog(ASL_LEVEL_ERR,
				"failed to get sainfo.\n");
			goto end;
		}
		iph2->sainfo = anon_fallback;
	}
	retain_sainfo(iph2->sainfo);

#ifdef ENABLE_HYBRID
	/* enforce the sainfo's group restriction against the Phase-1 peer */
	if (iph2->sainfo->group != NULL
	 && group_check(iph2->ph1, &iph2->sainfo->group->v, 1)) {
		plog(ASL_LEVEL_ERR,
			"failed to group check");
		goto end;
	}
#endif

	plog(ASL_LEVEL_DEBUG,
		"selected sainfo: %s\n", sainfo2str(iph2->sainfo));

	error = 0;

end:
	if (idsrc != NULL)
		vfree(idsrc);
	if (iddst != NULL)
		vfree(iddst);

	return error;
}
/*
 * Responder: build the Phase-2 proposal from kernel policy.
 *
 * Tries get_proposal_r_remote() honouring the received IDs first.  If that
 * fails (any result other than 0 or -2, where -2 means "policy will be
 * generated"), and either we are behind NAT with lcconf->ext_nat_id
 * configured or this is a client session, retries: the session-level
 * lookup for client sessions, then get_proposal_r_remote() with the IDs
 * ignored.
 *
 * Returns the last lookup's result: 0, -2, or an error code.
 */
int
get_proposal_r(phase2_handle_t *iph2)
{
	int rc;
	int is_client;
	int nat_with_ext_id;

	rc = get_proposal_r_remote(iph2, 0);
	if (rc == 0 || rc == -2)
		return rc;

	is_client = iph2->parent_session && iph2->parent_session->is_client;
	nat_with_ext_id = (iph2->ph1->natt_flags & NAT_DETECTED_ME)
		&& lcconf->ext_nat_id != NULL;
	if (!nat_with_ext_id && !is_client)
		return rc;

	if (is_client)
		rc = ike_session_get_proposal_r(iph2);
	if (rc != 0 && rc != -2)
		rc = get_proposal_r_remote(iph2, 1);

	return rc;
}
/*
 * Responder: derive the inbound/outbound SP index for this Quick-Mode
 * exchange and build the proposal from the matching kernel policy.
 *
 * With ignore_id == 0 the received IDci/IDcr payloads (iph2->id /
 * iph2->id_p), when they are address or subnet types, become the SP
 * index's dst/src; when both are plain addresses of the same family they
 * are also recorded as iph2->src_id / iph2->dst_id.  Otherwise, and
 * whenever ignore_id != 0 (the retry path used by get_proposal_r()), the
 * Phase-2 addresses iph2->src / iph2->dst are used with a host prefix and
 * port 0.
 *
 * Returns 0 on success; -2 when no usable inbound policy exists but
 * rmconf->gen_policy is enabled (a copy of the inbound index is then left
 * in iph2->spidx_gen for quick_rfinalize() to install and free);
 * ISAKMP_NTYPE_INVALID_ID_INFORMATION when only one ID payload was
 * present; the error from ipsecdoi_id2sockaddr()/setscopeid() propagated
 * as-is; ISAKMP_INTERNAL_ERROR otherwise.
 */
static int
get_proposal_r_remote(iph2, ignore_id)
phase2_handle_t *iph2;
int ignore_id;
{
	struct policyindex spidx;
	struct secpolicy *sp_in, *sp_out;
	int idi2type = 0;	/* IDci type, remembered only for plain (non-subnet) address IDs */
	int error = ISAKMP_INTERNAL_ERROR;
	int generated_policy_exit_early = 0;

	/* IDci and IDcr are optional but must be present as a pair */
	if ((iph2->id_p != NULL && iph2->id == NULL)
	 || (iph2->id_p == NULL && iph2->id != NULL)) {
		plog(ASL_LEVEL_ERR,
			"Both IDs wasn't found in payload.\n");
		return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
	}

	/* src_id/dst_id are produced below; on a first pass they must be empty */
	if (!ignore_id && (iph2->src_id || iph2->dst_id)) {
		plog(ASL_LEVEL_ERR,
			"Why do ID[src,dst] exist already.\n");
		return ISAKMP_INTERNAL_ERROR;
	}

	plog(ASL_LEVEL_DEBUG,
		"%s: ignore_id %x.\n", __FUNCTION__, ignore_id);

	memset(&spidx, 0, sizeof(spidx));

	/*
	 * Type octet of an ID payload body (struct ipsecdoi_id_b).
	 * NOTE(review): the name follows the reserved underscore + capital
	 * pattern; rename if this macro is ever touched.
	 */
#define _XIDT(d) (ALIGNED_CAST(struct ipsecdoi_id_b *)((d)->v))->type

	/* inbound SP index first: the peer's ID (IDci) is our dst */
	spidx.dir = IPSEC_DIR_INBOUND;
	spidx.ul_proto = 0;

	if (iph2->id != NULL
	 && ignore_id == 0
	 && (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR
	  || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR
	  || _XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR_SUBNET
	  || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
		/* fills dst, prefd and ul_proto from the ID payload */
		error = ipsecdoi_id2sockaddr(iph2->id, &spidx.dst,
				&spidx.prefd, &spidx.ul_proto, iph2->version);
		if (error)
			return error;

#ifdef INET6
		/* link-local v6 addresses need the scope of the Phase-2 source */
		if (_XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) {
			error = setscopeid(&spidx.dst, iph2->src);
			if (error)
				return error;
		}
#endif

		if (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR
		 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR)
			idi2type = _XIDT(iph2->id);

	} else {
		plog(ASL_LEVEL_DEBUG,
			"Get a destination address of SP index "
			"from Phase 1 address "
			"due to no ID payloads found "
			"OR because ID type is not address.\n");
		/* host prefix, port cleared so the index matches any port */
		memcpy(&spidx.dst, iph2->src, sysdep_sa_len((struct sockaddr *)iph2->src));
		switch (spidx.dst.ss_family) {
		case AF_INET:
		{
			struct sockaddr_in *s = (struct sockaddr_in *)&spidx.dst;
			spidx.prefd = sizeof(struct in_addr) << 3;
			s->sin_port = htons(0);
		}
			break;
#ifdef INET6
		case AF_INET6:
			spidx.prefd = sizeof(struct in6_addr) << 3;
			break;
#endif
		default:
			spidx.prefd = 0;
			break;
		}
	}

	/* our own ID (IDcr) is the inbound index's src */
	if (iph2->id_p != NULL
	 && ignore_id == 0
	 && (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR
	  || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR
	  || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR_SUBNET
	  || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
		error = ipsecdoi_id2sockaddr(iph2->id_p, &spidx.src,
				&spidx.prefs, &spidx.ul_proto, iph2->version);
		if (error)
			return error;

#ifdef INET6
		if (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR) {
			error = setscopeid(&spidx.src, iph2->dst);
			if (error)
				return error;
		}
#endif

		/*
		 * Record the ID pair on the handle only when both sides are
		 * plain addresses of the same type and family.
		 */
		if (_XIDT(iph2->id_p) == idi2type
		 && spidx.dst.ss_family == spidx.src.ss_family) {
			iph2->src_id = dupsaddr(&spidx.dst);
			if (iph2->src_id == NULL) {
				plog(ASL_LEVEL_ERR,
					"buffer allocation failed.\n");
				return ISAKMP_INTERNAL_ERROR;
			}
			iph2->dst_id = dupsaddr(&spidx.src);
			if (iph2->dst_id == NULL) {
				plog(ASL_LEVEL_ERR,
					"buffer allocation failed.\n");
				return ISAKMP_INTERNAL_ERROR;
			}
		}

	} else {
		plog(ASL_LEVEL_DEBUG,
			"Get a source address of SP index "
			"from Phase 1 address "
			"due to no ID payloads found "
			"OR because ID type is not address.\n");
		memcpy(&spidx.src, iph2->dst, sysdep_sa_len((struct sockaddr *)iph2->dst));
		switch (spidx.src.ss_family) {
		case AF_INET:
		{
			struct sockaddr_in *s = (struct sockaddr_in *)&spidx.src;
			spidx.prefs = sizeof(struct in_addr) << 3;
			s->sin_port = htons(0);
		}
			break;
#ifdef INET6
		case AF_INET6:
			spidx.prefs = sizeof(struct in6_addr) << 3;
			break;
#endif
		default:
			spidx.prefs = 0;
			break;
		}
	}

#undef _XIDT

	plog(ASL_LEVEL_DEBUG,
		"get a src address from ID payload "
		"%s prefixlen=%u ul_proto=%u\n",
		saddr2str((struct sockaddr *)&spidx.src),
		spidx.prefs, spidx.ul_proto);
	plog(ASL_LEVEL_DEBUG,
		"get dst address from ID payload "
		"%s prefixlen=%u ul_proto=%u\n",
		saddr2str((struct sockaddr *)&spidx.dst),
		spidx.prefd, spidx.ul_proto);

	/* no protocol in the ID (or no ID at all) means "any" for the SP lookup */
	if (spidx.ul_proto == 0)
		spidx.ul_proto = IPSEC_ULPROTO_ANY;

	/* inbound lookup */
	sp_in = getsp_r(&spidx, iph2);
	if (sp_in == NULL || sp_in->policy == IPSEC_POLICY_GENERATE) {
		if (iph2->ph1->rmconf->gen_policy) {
			if (sp_in)
				plog(ASL_LEVEL_NOTICE,
					"Update the generated policy : %s\n",
					spidx2str(&spidx));
			else
				plog(ASL_LEVEL_NOTICE,
					"no policy found, "
					"try to generate the policy : %s\n",
					spidx2str(&spidx));
			/* keep the inbound index; the outbound swap below works on the local copy */
			iph2->spidx_gen = (struct policyindex *)racoon_malloc(sizeof(spidx));
			if (!iph2->spidx_gen) {
				plog(ASL_LEVEL_ERR,
					"buffer allocation failed.\n");
				return ISAKMP_INTERNAL_ERROR;
			}
			memcpy(iph2->spidx_gen, &spidx, sizeof(spidx));
			generated_policy_exit_early = 1;
		} else {
			plog(ASL_LEVEL_ERR,
				"no policy found: %s\n", spidx2str(&spidx));
			return ISAKMP_INTERNAL_ERROR;
		}
	}

	/* outbound lookup: same index with direction, addresses and prefix lengths reversed */
	{
		struct sockaddr_storage addr;
		u_int8_t pref;

		spidx.dir = IPSEC_DIR_OUTBOUND;
		addr = spidx.src;
		spidx.src = spidx.dst;
		spidx.dst = addr;
		pref = spidx.prefs;
		spidx.prefs = spidx.prefd;
		spidx.prefd = pref;

		sp_out = getsp_r(&spidx, iph2);
		if (!sp_out) {
			/* not fatal here; set_proposal_from_policy() receives NULL */
			plog(ASL_LEVEL_WARNING,
				"no outbound policy found: %s\n",
				spidx2str(&spidx));
		} else {
			if (!iph2->spid) {
				iph2->spid = sp_out->id;
			}
		}
	}

	plog(ASL_LEVEL_DEBUG,
		"suitable SP found:%s\n", spidx2str(&spidx));

	/* -2 tells the caller that policy generation, not a proposal, is the outcome */
	if (generated_policy_exit_early) {
		return -2;
	}

	/* sp_in is non-NULL here: the NULL case returned -2 or an error above */
	if (sp_in->policy != IPSEC_POLICY_IPSEC) {
		plog(ASL_LEVEL_ERR,
			"policy found, but no IPsec required: %s\n",
			spidx2str(&spidx));
		return ISAKMP_INTERNAL_ERROR;
	}

	/* build iph2's proposal from the inbound (and, if found, outbound) policy */
	if (set_proposal_from_policy(iph2, sp_in, sp_out) < 0) {
		plog(ASL_LEVEL_ERR,
			"failed to create saprop.\n");
		return ISAKMP_INTERNAL_ERROR;
	}

	return 0;
}