#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <netkey/key_var.h>
#include <netinet/in.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>
#if TIME_WITH_SYS_TIME
# include <sys/time.h>
# include <time.h>
#else
# if HAVE_SYS_TIME_H
# include <sys/time.h>
# else
# include <time.h>
# endif
#endif
#ifdef IPV6_INRIA_VERSION
#include <netinet/ipsec.h>
#else
#include <netinet6/ipsec.h>
#endif
#include "var.h"
#include "vmbuf.h"
#include "schedule.h"
#include "misc.h"
#include "plog.h"
#include "debug.h"
#include "localconf.h"
#include "remoteconf.h"
#include "isakmp_var.h"
#include "isakmp.h"
#include "isakmp_inf.h"
#include "isakmp_quick.h"
#include "isakmp_natd.h"
#include "oakley.h"
#include "handler.h"
#include "ipsec_doi.h"
#include "crypto_openssl.h"
#include "pfkey.h"
#include "policy.h"
#include "algorithm.h"
#include "sockmisc.h"
#include "proposal.h"
#include "sainfo.h"
#include "admin.h"
#include "strnames.h"
/* File-local helpers. */
/* Prepend ISAKMP header + HASH to a quick-mode body and encrypt it (defined below). */
static vchar_t *quick_ir1mx __P((struct ph2handle *, vchar_t *, vchar_t *));
/* Responder: look up the sainfo matching the (possibly synthesized) IDs (defined below). */
static int get_sainfo_r __P((struct ph2handle *));
/* Responder: derive the proposal from the SPD; its body is cut off at the end of this excerpt. */
static int get_proposal_r __P((struct ph2handle *));
/* Not defined in this excerpt. */
static u_int32_t setscopeid __P((struct sockaddr *, struct sockaddr *));
/*
 * Builds the NAT-OAi/NAT-OAr payloads. Not defined in this excerpt; callers
 * treat -1 as failure, 0 as "no NAT-OA needed", and any other value as the
 * ISAKMP payload type to chain the NAT-OA payloads with.
 */
static int create_natoa_payloads(struct ph2handle *iph2, vchar_t **, vchar_t **);
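/*
 * Initiator, phase 2 step 1 (preparation): allocate the message ID and the
 * IV for this quick-mode exchange and request an SPI from the kernel via
 * PF_KEY.
 *
 * @param iph2  phase-2 handler; must be in PHASE2ST_STATUS2.
 * @param msg   unused.
 * @return 0 on success (also when f_local is set, in which case PF_KEY is
 *         not contacted), otherwise ISAKMP_INTERNAL_ERROR.
 */
int
quick_i1prep(struct ph2handle *iph2, vchar_t *msg)
{
	int error = ISAKMP_INTERNAL_ERROR;

	if (iph2->status != PHASE2ST_STATUS2) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "status mismatched %d.\n", iph2->status);
		goto end;
	}

	iph2->msgid = isakmp_newmsgid2(iph2->ph1);
	iph2->ivm = oakley_newiv2(iph2->ph1, iph2->msgid);
	if (iph2->ivm == NULL) {
		/*
		 * This used to return 0, i.e. success, leaving the handler in
		 * PHASE2ST_STATUS2 with neither an IV nor a timer. Report the
		 * failure so the caller can dispose of the handler.
		 */
		plog(LLV_ERROR, LOCATION, NULL,
		    "failed to get IV for phase 2.\n");
		goto end;
	}

	iph2->status = PHASE2ST_GETSPISENT;

	/* f_local skips all PF_KEY traffic. */
	if (f_local) {
		error = 0;
		goto end;
	}

	if (pk_sendgetspi(iph2) < 0)
		goto end;
	plog(LLV_DEBUG, LOCATION, NULL, "pfkey getspi sent.\n");

	/* Arm the phase-2 completion timer (pfkey_timeover_stub). */
	iph2->sce = sched_new(lcconf->wait_ph2complete,
	    pfkey_timeover_stub, iph2);

	error = 0;
end:
	return error;
}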
/*
 * Initiator, phase 2 step 1 (send): build quick-mode message 1 and send it.
 * The body written here is SA, Ni, [KE], [IDci, IDcr], [NAT-OAi, NAT-OAr];
 * quick_ir1mx() prepends the ISAKMP header and HASH(1) and encrypts it.
 *
 * @param iph2  phase-2 handler; must be in PHASE2ST_GETSPIDONE.
 * @param msg   must be NULL (this step is triggered by the PF_KEY getspi
 *              reply, not by an incoming message).
 * @return 0 on success, otherwise ISAKMP_INTERNAL_ERROR.
 */
int
quick_i1send(iph2, msg)
	struct ph2handle *iph2;
	vchar_t *msg;
{
	vchar_t *body = NULL;
	vchar_t *hash = NULL;
	vchar_t *natoa_i = NULL;
	vchar_t *natoa_r = NULL;
	int natoa_type = 0;		/* 0: no NAT-OA, else payload type */
	struct isakmp_gen *gen;		/* only used for sizeof() */
	char *p;
	int tlen;
	int error = ISAKMP_INTERNAL_ERROR;
	int pfsgroup, idci, idcr;
	int np;
	struct ipsecdoi_id_b *id, *id_p;

	if (msg != NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "msg has to be NULL in this function.\n");
		goto end;
	}
	if (iph2->status != PHASE2ST_GETSPIDONE) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "status mismatched %d.\n", iph2->status);
		goto end;
	}

	/* SA payload from the configured proposal (iph2->sa). */
	if (ipsecdoi_setph2proposal(iph2) < 0)
		goto end;

	/* Ni */
	iph2->nonce = eay_set_random(iph2->ph1->rmconf->nonce_size);
	if (iph2->nonce == NULL)
		goto end;

	/* With PFS, generate our DH key pair for the KE payload. */
	pfsgroup = iph2->proposal->pfs_group;
	if (pfsgroup) {
		if (oakley_setdhgroup(pfsgroup, &iph2->pfsgrp) < 0) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "failed to set DH value.\n");
			goto end;
		}
		if (oakley_dh_generate(iph2->pfsgrp,
		    &iph2->dhpub, &iph2->dhpriv) < 0) {
			goto end;
		}
	}

	/* IDci (iph2->id) and IDcr (iph2->id_p). */
	if (ipsecdoi_setid2(iph2) < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "failed to get ID.\n");
		goto end;
	}
	plog(LLV_DEBUG, LOCATION, NULL, "IDci:");
	plogdump(LLV_DEBUG, iph2->id->v, iph2->id->l);
	plog(LLV_DEBUG, LOCATION, NULL, "IDcr:");
	plogdump(LLV_DEBUG, iph2->id_p->v, iph2->id_p->l);

	/*
	 * The ID payloads are omitted only for transport mode with no
	 * protocol restriction on either side and MIP6 support disabled.
	 */
	id = (struct ipsecdoi_id_b *)iph2->id->v;
	id_p = (struct ipsecdoi_id_b *)iph2->id_p->v;
	if (id->proto_id == 0
	    && id_p->proto_id == 0
	    && iph2->ph1->rmconf->support_mip6 == 0
	    && ipsecdoi_transportmode(iph2)) {
		idci = idcr = 0;
	} else
		idci = idcr = 1;

	/* Total length of the body: a generic header per payload plus data. */
	tlen = + sizeof(*gen) + iph2->sa->l
	    + sizeof(*gen) + iph2->nonce->l;
	if (pfsgroup)
		tlen += (sizeof(*gen) + iph2->dhpub->l);
	if (idci)
		tlen += sizeof(*gen) + iph2->id->l;
	if (idcr)
		tlen += sizeof(*gen) + iph2->id_p->l;

	/* NAT-OA payloads are only considered outside tunnel mode. */
	if (ipsecdoi_tunnelmode(iph2) != 1) {
		natoa_type = create_natoa_payloads(iph2, &natoa_i, &natoa_r);
		if (natoa_type == -1)
			goto end;
		else if (natoa_type != 0) {
			tlen += sizeof(*gen) + natoa_i->l;
			tlen += sizeof(*gen) + natoa_r->l;
		}
	}

	body = vmalloc(tlen);
	if (body == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "failed to get buffer to send.\n");
		goto end;
	}
	p = body->v;

	/*
	 * Payloads are chained through their next-payload byte, so each
	 * payload has to name whichever optional payload is emitted after it.
	 */
	p = set_isakmp_payload(p, iph2->sa, ISAKMP_NPTYPE_NONCE);

	/* Ni, followed by KE, ID, NAT-OA or nothing. */
	if (pfsgroup)
		np = ISAKMP_NPTYPE_KE;
	else if (idci || idcr)
		np = ISAKMP_NPTYPE_ID;
	else
		np = (natoa_type ? natoa_type : ISAKMP_NPTYPE_NONE);
	p = set_isakmp_payload(p, iph2->nonce, np);

	/* KE, followed by ID, NAT-OA or nothing. */
	np = (idci || idcr) ? ISAKMP_NPTYPE_ID : (natoa_type ? natoa_type : ISAKMP_NPTYPE_NONE);
	if (pfsgroup)
		p = set_isakmp_payload(p, iph2->dhpub, np);

	/* IDci, followed by IDcr, NAT-OA or nothing. */
	np = (idcr) ? ISAKMP_NPTYPE_ID : (natoa_type ? natoa_type : ISAKMP_NPTYPE_NONE);
	if (idci)
		p = set_isakmp_payload(p, iph2->id, np);

	/* IDcr, followed by NAT-OA or nothing. */
	if (idcr)
		p = set_isakmp_payload(p, iph2->id_p, natoa_type ? natoa_type : ISAKMP_NPTYPE_NONE);

	/* NAT-OAi, NAT-OAr (always last). */
	if (natoa_type) {
		p = set_isakmp_payload(p, natoa_i, natoa_type);
		p = set_isakmp_payload(p, natoa_r, ISAKMP_NPTYPE_NONE);
	}

	/* HASH(1) over the body, keyed with the phase-1 material. */
	hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, body);
	if (hash == NULL)
		goto end;

	/* Header + HASH(1) + body, encrypted. */
	iph2->sendbuf = quick_ir1mx(iph2, body, hash);
	if (iph2->sendbuf == NULL)
		goto end;

	/* Send with retransmission. */
	iph2->retry_counter = iph2->ph1->rmconf->retry_counter;
	if (isakmp_ph2resend(iph2) == -1)
		goto end;

	iph2->status = PHASE2ST_MSG1SENT;

	error = 0;

end:
	if (body != NULL)
		vfree(body);
	if (hash != NULL)
		vfree(hash);
	if (natoa_i)
		vfree(natoa_i);
	if (natoa_r)
		vfree(natoa_r);

	return error;
}
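/*
 * Initiator, phase 2 step 2 (receive): parse the responder's quick-mode
 * message 2 HDR*, HASH(2), SA, Nr, [KE], [IDci, IDcr], [NAT-OA...], [N],
 * verify HASH(2) and check the proposal the responder picked.
 *
 * @param iph2  phase-2 handler; must be in PHASE2ST_MSG1SENT.
 * @param msg0  the received (still encrypted) message.
 * @return 0 on success; an ISAKMP_NTYPE_* notification code for protocol
 *         errors; ISAKMP_INTERNAL_ERROR otherwise. On error the payloads
 *         stored in iph2 are released again.
 */
int
quick_i2recv(struct ph2handle *iph2, vchar_t *msg0)
{
	vchar_t *msg = NULL;
	vchar_t *hbuf = NULL;
	vchar_t *pbuf = NULL;
	struct isakmp_parse_t *pa;
	struct isakmp *isakmp = (struct isakmp *)msg0->v;
	struct isakmp_pl_hash *hash = NULL;
	int f_id;
	char *p;
	int tlen;
	int error = ISAKMP_INTERNAL_ERROR;

	if (iph2->status != PHASE2ST_MSG1SENT) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "status mismatched %d.\n", iph2->status);
		goto end;
	}

	/* Quick-mode messages must be encrypted. */
	if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
		plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
		    "Packet wasn't encrypted.\n");
		goto end;
	}

	msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
	if (msg == NULL)
		goto end;

	pbuf = isakmp_parse(msg);
	if (pbuf == NULL)
		goto end;
	pa = (struct isakmp_parse_t *)pbuf->v;

	/* HASH(2) must come first. */
	if (pa->type != ISAKMP_NPTYPE_HASH) {
		plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
		    "received invalid next payload type %d, "
		    "expecting %d.\n",
		    pa->type, ISAKMP_NPTYPE_HASH);
		goto end;
	}
	hash = (struct isakmp_pl_hash *)pa->ptr;
	pa++;

	/*
	 * SA is expected next; any other order is only warned about.
	 * (The log used to print ISAKMP_NPTYPE_HASH as the expected type.)
	 */
	if (pa->type != ISAKMP_NPTYPE_SA) {
		plog(LLV_WARNING, LOCATION, iph2->ph1->remote,
		    "received invalid next payload type %d, "
		    "expecting %d.\n",
		    pa->type, ISAKMP_NPTYPE_SA);
	}

	/*
	 * HASH(2) is computed over Ni_b followed by every payload after
	 * HASH(2). Reserve room for the whole message body; the used
	 * length is fixed up once the payloads have been copied.
	 */
	tlen = iph2->nonce->l
	    + ntohl(isakmp->len) - sizeof(*isakmp);
	hbuf = vmalloc(tlen);
	if (hbuf == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "failed to get hash buffer.\n");
		goto end;
	}
	p = hbuf->v + iph2->nonce->l;	/* Ni_b is copied in front later */

	iph2->sa_ret = NULL;
	f_id = 0;	/* first ID payload is compared with IDci, second with IDcr */
	tlen = 0;
	for (; pa->type; pa++) {
		/* Every payload after HASH(2) is part of the hashed data. */
		memcpy(p, pa->ptr, pa->len);

		switch (pa->type) {
		case ISAKMP_NPTYPE_SA:
			if (iph2->sa_ret != NULL) {
				plog(LLV_ERROR, LOCATION, NULL,
				    "Ignored, multiple SA "
				    "isn't supported.\n");
				break;
			}
			if (isakmp_p2ph(&iph2->sa_ret, pa->ptr) < 0)
				goto end;
			break;

		case ISAKMP_NPTYPE_NONCE:
			if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0)
				goto end;
			break;

		case ISAKMP_NPTYPE_KE:
			if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0)
				goto end;
			break;

		case ISAKMP_NPTYPE_ID:
		{
			vchar_t *vp;

			if (f_id == 0) {
				f_id = 1;
				vp = iph2->id;
			} else {
				vp = iph2->id_p;
			}

			/*
			 * The returned ID must match what we sent. Behind a
			 * NAT the addresses legitimately differ, so the
			 * check is skipped in that case.
			 */
			if (!natd_hasnat(iph2->ph1)) {
				struct ipsecdoi_id_b *id_ptr = (struct ipsecdoi_id_b *)vp->v;
				struct ipsecdoi_pl_id *idp_ptr = (struct ipsecdoi_pl_id *)pa->ptr;

				if (id_ptr->type != idp_ptr->b.type
				    || (idp_ptr->b.proto_id != 0 && idp_ptr->b.proto_id != id_ptr->proto_id)
				    || (idp_ptr->b.port != 0 && idp_ptr->b.port != id_ptr->port)
				    || memcmp(vp->v + sizeof(struct ipsecdoi_id_b), (caddr_t)pa->ptr + sizeof(struct ipsecdoi_pl_id),
				    vp->l - sizeof(struct ipsecdoi_id_b))) {
					plog(LLV_ERROR, LOCATION, NULL,
					    "mismatched ID was returned.\n");
					error = ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED;
					goto end;
				}
			}
		}
			break;

#ifdef IKE_NAT_T
		case ISAKMP_NPTYPE_NATOA_RFC:
		case ISAKMP_NPTYPE_NATOA_DRAFT:
		case ISAKMP_NPTYPE_NATOA_BADDRAFT:
			/* Accepted but not evaluated. */
			break;
#endif

		case ISAKMP_NPTYPE_N:
			isakmp_check_notify(pa->ptr, iph2->ph1);
			break;

		default:
			plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
			    "ignore the packet, "
			    "received unexpecting payload type %d.\n",
			    pa->type);
			goto end;
		}

		p += pa->len;
		tlen += pa->len;
	}

	/* HASH(2), SA and Nr are mandatory. */
	if (hash == NULL || iph2->sa_ret == NULL || iph2->nonce_p == NULL) {
		plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
		    "few isakmp message received.\n");
		goto end;
	}

	/* Ni_b goes in front of the copied payloads; shrink to the used size. */
	memcpy(hbuf->v, iph2->nonce->v, iph2->nonce->l);
	plog(LLV_DEBUG, LOCATION, NULL,
	    "HASH allocated:hbuf->l=%zu actual:tlen=%zu\n",
	    hbuf->l, tlen + iph2->nonce->l);
	hbuf->l = iph2->nonce->l + tlen;

	/* Validate HASH(2). */
	{
		char *r_hash;
		size_t r_len;
		vchar_t *my_hash = NULL;
		int result;

		r_hash = (char *)hash + sizeof(*hash);
		r_len = ntohs(hash->h.len) - sizeof(*hash);
		plog(LLV_DEBUG, LOCATION, NULL, "HASH(2) received:");
		plogdump(LLV_DEBUG, r_hash, r_len);

		my_hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, hbuf);
		if (my_hash == NULL)
			goto end;

		/*
		 * Compare the lengths first: a memcmp over my_hash->l bytes
		 * would otherwise read past a shorter received HASH payload.
		 */
		result = (r_len != my_hash->l)
		    || memcmp(my_hash->v, r_hash, my_hash->l);
		vfree(my_hash);
		if (result) {
			plog(LLV_DEBUG, LOCATION, iph2->ph1->remote,
			    "HASH(2) mismatch.\n");
			error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
			goto end;
		}
	}

	/* The responder must have picked one of the proposals we offered. */
	if (ipsecdoi_checkph2proposal(iph2) < 0) {
		error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
		goto end;
	}

	iph2->status = PHASE2ST_STATUS6;

	error = 0;

end:
	if (hbuf)
		vfree(hbuf);
	if (pbuf)
		vfree(pbuf);
	if (msg)
		vfree(msg);

	/* Do not keep half-parsed peer data around on failure. */
	if (error) {
		VPTRINIT(iph2->sa_ret);
		VPTRINIT(iph2->nonce_p);
		VPTRINIT(iph2->dhpub_p);
		VPTRINIT(iph2->id);
		VPTRINIT(iph2->id_p);
	}

	return error;
}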
/*
 * Compute HASH(3) for the initiator's third quick-mode message: the hash
 * (via oakley_compute_hash3, keyed with the message ID) over Ni_b | Nr_b.
 *
 * @return a newly allocated hash the caller frees, or NULL on failure.
 */
static vchar_t *
quick_i2_hash3(struct ph2handle *iph2)
{
	vchar_t *nonces;
	vchar_t *h;

	plog(LLV_DEBUG, LOCATION, NULL, "HASH(3) generate\n");

	nonces = vmalloc(iph2->nonce->l + iph2->nonce_p->l);
	if (nonces == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "failed to get hash buffer.\n");
		return NULL;
	}
	memcpy(nonces->v, iph2->nonce->v, iph2->nonce->l);
	memcpy(nonces->v + iph2->nonce->l, iph2->nonce_p->v, iph2->nonce_p->l);

	h = oakley_compute_hash3(iph2->ph1, iph2->msgid, nonces);
	vfree(nonces);
	return h;
}

/*
 * Initiator, phase 2 step 2 (send): send quick-mode message 3
 * HDR*, HASH(3), derive KEYMAT and install the SAs through PF_KEY.
 * With the commit bit set the SA installation is left to quick_i3recv().
 *
 * @param iph2  phase-2 handler; must be in PHASE2ST_STATUS6.
 * @param msg0  the message being answered; stored together with the reply
 *              via add_recvdpkt().
 * @return 0 on success, otherwise ISAKMP_INTERNAL_ERROR.
 */
int
quick_i2send(struct ph2handle *iph2, vchar_t *msg0)
{
	vchar_t *packet = NULL;
	vchar_t *hash3 = NULL;
	char *cursor;
	size_t need;
	int error = ISAKMP_INTERNAL_ERROR;

	if (iph2->status != PHASE2ST_STATUS6) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "status mismatched %d.\n", iph2->status);
		goto end;
	}

	hash3 = quick_i2_hash3(iph2);
	if (hash3 == NULL)
		goto end;

	/* HDR*, HASH(3) */
	need = sizeof(struct isakmp) + sizeof(struct isakmp_gen) + hash3->l;
	packet = vmalloc(need);
	if (packet == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "failed to get buffer to send.\n");
		goto end;
	}

	cursor = set_isakmp_header2(packet, iph2, ISAKMP_NPTYPE_HASH);
	if (cursor == NULL)
		goto end;
	cursor = set_isakmp_payload(cursor, hash3, ISAKMP_NPTYPE_NONE);

#ifdef HAVE_PRINT_ISAKMP_C
	isakmp_printpacket(packet, iph2->ph1->local, iph2->ph1->remote, 1);
#endif

	iph2->sendbuf = oakley_do_encrypt(iph2->ph1, packet, iph2->ivm->ive, iph2->ivm->iv);
	if (iph2->sendbuf == NULL)
		goto end;

	/*
	 * The commit-bit path goes through the retransmit machinery, the
	 * plain path sends once.
	 */
	if (ISSET(iph2->flags, ISAKMP_FLAG_C)) {
		iph2->retry_counter = iph2->ph1->rmconf->retry_counter;
		if (isakmp_ph2resend(iph2) == -1)
			goto end;
	} else if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0) {
		goto end;
	}

	if (add_recvdpkt(iph2->ph1->remote, iph2->ph1->local,
	    iph2->sendbuf, msg0) == -1) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "failed to add a response packet to the tree.\n");
		goto end;
	}

	if (oakley_compute_keymat(iph2, INITIATOR) < 0)
		goto end;

	iph2->status = PHASE2ST_ADDSA;

	/* f_local: no PF_KEY traffic. */
	if (f_local) {
		error = 0;
		goto end;
	}

	/* Commit bit: wait for the responder's CONNECTED before installing. */
	if (ISSET(iph2->flags, ISAKMP_FLAG_C)) {
		iph2->status = PHASE2ST_COMMIT;
		error = 0;
		goto end;
	}

	plog(LLV_DEBUG, LOCATION, NULL, "call pk_sendupdate\n");
	if (pk_sendupdate(iph2) < 0) {
		plog(LLV_ERROR, LOCATION, NULL, "pfkey update failed.\n");
		goto end;
	}
	plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n");

	if (pk_sendadd(iph2) < 0) {
		plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n");
		goto end;
	}
	plog(LLV_DEBUG, LOCATION, NULL, "pfkey add sent.\n");

	error = 0;

end:
	if (packet != NULL)
		vfree(packet);
	if (hash3 != NULL)
		vfree(hash3);

	return error;
}
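/*
 * Initiator, phase 2 step 3 (receive, commit bit): parse the responder's
 * fourth quick-mode message HDR*, HASH(4), N, verify HASH(4) over the
 * notify payload and install the SAs.
 *
 * @param iph2  phase-2 handler; must be in PHASE2ST_COMMIT.
 * @param msg0  the received (still encrypted) message.
 * @return 0 on success; ISAKMP_NTYPE_INVALID_HASH_INFORMATION when HASH(4)
 *         does not verify; ISAKMP_INTERNAL_ERROR otherwise.
 */
int
quick_i3recv(struct ph2handle *iph2, vchar_t *msg0)
{
	vchar_t *msg = NULL;
	vchar_t *pbuf = NULL;
	struct isakmp_parse_t *pa;
	struct isakmp_pl_hash *hash = NULL;
	vchar_t *notify = NULL;
	int error = ISAKMP_INTERNAL_ERROR;

	if (iph2->status != PHASE2ST_COMMIT) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "status mismatched %d.\n", iph2->status);
		goto end;
	}

	/* Quick-mode messages must be encrypted. */
	if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
		plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
		    "Packet wasn't encrypted.\n");
		goto end;
	}

	msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
	if (msg == NULL)
		goto end;

	pbuf = isakmp_parse(msg);
	if (pbuf == NULL)
		goto end;

	for (pa = (struct isakmp_parse_t *)pbuf->v;
	    pa->type != ISAKMP_NPTYPE_NONE;
	    pa++) {
		switch (pa->type) {
		case ISAKMP_NPTYPE_HASH:
			hash = (struct isakmp_pl_hash *)pa->ptr;
			break;

		case ISAKMP_NPTYPE_N:
			isakmp_check_notify(pa->ptr, iph2->ph1);
			/* Keep a copy: HASH(4) is computed over this payload. */
			if (notify != NULL)
				vfree(notify);	/* a repeated N used to leak the first copy */
			notify = vmalloc(pa->len);
			if (notify == NULL) {
				plog(LLV_ERROR, LOCATION, NULL,
				    "failed to get notify buffer.\n");
				goto end;
			}
			memcpy(notify->v, pa->ptr, notify->l);
			break;

		default:
			plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
			    "ignore the packet, "
			    "received unexpecting payload type %d.\n",
			    pa->type);
			goto end;
		}
	}

	/*
	 * Both payloads are mandatory: oakley_compute_hash1() is called
	 * with the notify buffer below, so a message without N must be
	 * rejected here rather than dereferencing NULL.
	 */
	if (hash == NULL || notify == NULL) {
		plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
		    "few isakmp message received.\n");
		goto end;
	}

	/* Validate HASH(4). */
	{
		char *r_hash;
		size_t r_len;
		vchar_t *my_hash = NULL;
		int result;

		r_hash = (char *)hash + sizeof(*hash);
		r_len = ntohs(hash->h.len) - sizeof(*hash);
		plog(LLV_DEBUG, LOCATION, NULL, "HASH(4) validate:");
		plogdump(LLV_DEBUG, r_hash, r_len);

		my_hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, notify);
		if (my_hash == NULL)
			goto end;

		/* Length check first so memcmp never reads past the payload. */
		result = (r_len != my_hash->l)
		    || memcmp(my_hash->v, r_hash, my_hash->l);
		vfree(my_hash);
		if (result) {
			plog(LLV_DEBUG, LOCATION, iph2->ph1->remote,
			    "HASH(4) mismatch.\n");
			error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
			goto end;
		}
	}

	iph2->status = PHASE2ST_ADDSA;
	/* Only reached in PHASE2ST_COMMIT, so this clears the commit bit. */
	iph2->flags ^= ISAKMP_FLAG_C;

	/* f_local: no PF_KEY traffic. */
	if (f_local) {
		error = 0;
		goto end;
	}

	plog(LLV_DEBUG, LOCATION, NULL, "call pk_sendupdate\n");
	if (pk_sendupdate(iph2) < 0) {
		plog(LLV_ERROR, LOCATION, NULL, "pfkey update failed.\n");
		goto end;
	}
	plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n");

	if (pk_sendadd(iph2) < 0) {
		plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n");
		goto end;
	}
	plog(LLV_DEBUG, LOCATION, NULL, "pfkey add sent.\n");

	error = 0;

end:
	if (msg != NULL)
		vfree(msg);
	if (pbuf != NULL)
		vfree(pbuf);
	if (notify != NULL)
		vfree(notify);

	return error;
}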
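/*
 * Responder, phase 2 step 1 (receive): parse the initiator's quick-mode
 * message 1 HDR*, HASH(1), SA, Ni, [KE], [IDci, IDcr], [NAT-OA...], [N],
 * verify HASH(1), look up the sainfo and select a proposal.
 *
 * @param iph2  phase-2 handler; must be in PHASE2ST_START.
 * @param msg0  the received (still encrypted) message; a copy is kept in
 *              iph2->msg1 on success.
 * @return 0 on success; an ISAKMP_NTYPE_* notification code for protocol
 *         errors; ISAKMP_INTERNAL_ERROR otherwise. On error the payloads
 *         stored in iph2 are released again.
 */
int
quick_r1recv(struct ph2handle *iph2, vchar_t *msg0)
{
	vchar_t *msg = NULL;
	vchar_t *hbuf = NULL;
	vchar_t *pbuf = NULL;
	struct isakmp_parse_t *pa;
	struct isakmp *isakmp = (struct isakmp *)msg0->v;
	struct isakmp_pl_hash *hash = NULL;
	char *p;
	int tlen;
	int f_id_order;
	int error = ISAKMP_INTERNAL_ERROR;

	if (iph2->status != PHASE2ST_START) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "status mismatched %d.\n", iph2->status);
		goto end;
	}

	/* Quick-mode messages must be encrypted. */
	if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
		plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
		    "Packet wasn't encrypted.\n");
		error = ISAKMP_NTYPE_PAYLOAD_MALFORMED;
		goto end;
	}

	msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
	if (msg == NULL)
		goto end;

	pbuf = isakmp_parse(msg);
	if (pbuf == NULL)
		goto end;
	pa = (struct isakmp_parse_t *)pbuf->v;

	/* HASH(1) must come first. */
	if (pa->type != ISAKMP_NPTYPE_HASH) {
		plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
		    "received invalid next payload type %d, "
		    "expecting %d.\n",
		    pa->type, ISAKMP_NPTYPE_HASH);
		error = ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX;
		goto end;
	}
	hash = (struct isakmp_pl_hash *)pa->ptr;
	pa++;

	/*
	 * SA is expected next. (The log used to print ISAKMP_NPTYPE_HASH as
	 * the expected type.)
	 * NOTE(review): this only records the error and keeps parsing; the
	 * value is overwritten by get_sainfo_r() below unless an earlier
	 * failure jumps to end. Kept as found - confirm the leniency is meant.
	 */
	if (pa->type != ISAKMP_NPTYPE_SA) {
		plog(LLV_WARNING, LOCATION, iph2->ph1->remote,
		    "received invalid next payload type %d, "
		    "expecting %d.\n",
		    pa->type, ISAKMP_NPTYPE_SA);
		error = ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX;
	}

	/*
	 * HASH(1) is computed over every payload after HASH(1). Reserve
	 * room for the whole message body; the used length is fixed up
	 * once the payloads have been copied.
	 */
	tlen = ntohl(isakmp->len) - sizeof(*isakmp);
	hbuf = vmalloc(tlen);
	if (hbuf == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "failed to get hash buffer.\n");
		goto end;
	}
	p = hbuf->v;

	/* Nothing is expected to be set yet in PHASE2ST_START. */
	iph2->sa = NULL;
	iph2->nonce_p = NULL;
	iph2->dhpub_p = NULL;
	iph2->id_p = NULL;
	iph2->id = NULL;
	tlen = 0;
	/*
	 * f_id_order is non-zero only while the previous payload was the
	 * first ID; a non-ID payload between the two IDs is logged.
	 */
	f_id_order = 0;
	for (; pa->type; pa++) {
		/* Every payload after HASH(1) is part of the hashed data. */
		memcpy(p, pa->ptr, pa->len);
		if (pa->type != ISAKMP_NPTYPE_ID)
			f_id_order = 0;

		switch (pa->type) {
		case ISAKMP_NPTYPE_SA:
			if (iph2->sa != NULL) {
				plog(LLV_ERROR, LOCATION, NULL,
				    "Multi SAs isn't supported.\n");
				goto end;
			}
			if (isakmp_p2ph(&iph2->sa, pa->ptr) < 0)
				goto end;
			break;

		case ISAKMP_NPTYPE_NONCE:
			if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0)
				goto end;
			break;

		case ISAKMP_NPTYPE_KE:
			if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0)
				goto end;
			break;

		case ISAKMP_NPTYPE_ID:
			/* First ID is the peer's (id_p), second is ours (id). */
			if (iph2->id_p == NULL) {
				f_id_order++;
				if (isakmp_p2ph(&iph2->id_p, pa->ptr) < 0)
					goto end;
			} else if (iph2->id == NULL) {
				if (f_id_order == 0) {
					plog(LLV_ERROR, LOCATION, NULL,
					    "IDr2 payload is not "
					    "immediatelly followed "
					    "by IDi2. We allowed.\n");
				}
				if (isakmp_p2ph(&iph2->id, pa->ptr) < 0)
					goto end;
			} else {
				plog(LLV_ERROR, LOCATION, NULL,
				    "received too many ID payloads.\n");
				plogdump(LLV_ERROR, iph2->id->v, iph2->id->l);
				error = ISAKMP_NTYPE_INVALID_ID_INFORMATION;
				goto end;
			}
			break;

		case ISAKMP_NPTYPE_N:
			isakmp_check_notify(pa->ptr, iph2->ph1);
			break;

#if IKE_NAT_T
		case ISAKMP_NPTYPE_NATOA_RFC:
		case ISAKMP_NPTYPE_NATOA_DRAFT:
		case ISAKMP_NPTYPE_NATOA_BADDRAFT:
			/* Accepted but not evaluated. */
			break;
#endif

		default:
			plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
			    "ignore the packet, "
			    "received unexpecting payload type %d.\n",
			    pa->type);
			error = ISAKMP_NTYPE_PAYLOAD_MALFORMED;
			goto end;
		}

		p += pa->len;
		tlen += pa->len;
	}

	/* HASH(1), SA and Ni are mandatory. */
	if (hash == NULL || iph2->sa == NULL || iph2->nonce_p == NULL) {
		plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
		    "few isakmp message received.\n");
		error = ISAKMP_NTYPE_PAYLOAD_MALFORMED;
		goto end;
	}

	if (iph2->id_p) {
		plog(LLV_DEBUG, LOCATION, NULL, "received IDci2:");
		plogdump(LLV_DEBUG, iph2->id_p->v, iph2->id_p->l);
	}
	if (iph2->id) {
		plog(LLV_DEBUG, LOCATION, NULL, "received IDcr2:");
		plogdump(LLV_DEBUG, iph2->id->v, iph2->id->l);
	}

	/* Shrink the hash input to the bytes actually copied. */
	hbuf->l = tlen;

	/* Validate HASH(1). */
	{
		char *r_hash;
		size_t r_len;
		vchar_t *my_hash = NULL;
		int result;

		r_hash = (caddr_t)hash + sizeof(*hash);
		r_len = ntohs(hash->h.len) - sizeof(*hash);
		plog(LLV_DEBUG, LOCATION, NULL, "HASH(1) validate:");
		plogdump(LLV_DEBUG, r_hash, r_len);

		my_hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, hbuf);
		if (my_hash == NULL)
			goto end;

		/* Length check first so memcmp never reads past the payload. */
		result = (r_len != my_hash->l)
		    || memcmp(my_hash->v, r_hash, my_hash->l);
		vfree(my_hash);
		if (result) {
			plog(LLV_DEBUG, LOCATION, iph2->ph1->remote,
			    "HASH(1) mismatch.\n");
			error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
			goto end;
		}
	}

	/* Find the sainfo for the received (or synthesized) IDs. */
	error = get_sainfo_r(iph2);
	if (error) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "failed to get sainfo.\n");
		goto end;
	}

	/* Build our proposal and select from the peer's SA. */
	error = get_proposal_r(iph2);
	switch (error) {
	case -2:
		/* No policy template: derive one from the client's proposal. */
		if (set_proposal_from_proposal(iph2)) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "failed to generate a proposal template "
			    "from client's proposal.\n");
			/*
			 * Was a bare "return ISAKMP_INTERNAL_ERROR", which
			 * leaked hbuf/msg/pbuf and skipped the VPTRINIT reset.
			 */
			error = ISAKMP_INTERNAL_ERROR;
			goto end;
		}
		/* FALLTHROUGH: the derived template is selected from below. */
	case 0:
		if (ipsecdoi_selectph2proposal(iph2) < 0) {
			error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
			goto end;
		}
		break;
	default:
		plog(LLV_ERROR, LOCATION, NULL,
		    "failed to get proposal for responder.\n");
		goto end;
	}

	/* A KE payload and the approved PFS setting must agree. */
	if (iph2->dhpub_p != NULL && iph2->approval->pfs_group == 0) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "no PFS is specified, but peer sends KE.\n");
		error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
		goto end;
	}
	if (iph2->dhpub_p == NULL && iph2->approval->pfs_group != 0) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "PFS is specified, but peer doesn't sends KE.\n");
		error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
		goto end;
	}

	/* Keep message 1 so the reply can be paired with it (add_recvdpkt). */
	iph2->msg1 = vdup(msg0);

	iph2->status = PHASE2ST_STATUS2;

	error = 0;

end:
	if (hbuf)
		vfree(hbuf);
	if (msg)
		vfree(msg);
	if (pbuf)
		vfree(pbuf);

	/* Do not keep half-parsed peer data around on failure. */
	if (error) {
		VPTRINIT(iph2->sa);
		VPTRINIT(iph2->nonce_p);
		VPTRINIT(iph2->dhpub_p);
		VPTRINIT(iph2->id);
		VPTRINIT(iph2->id_p);
	}

	return error;
}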
/*
 * Responder, phase 2 step 1 (preparation): request an SPI from the kernel
 * for the proposal selected earlier (handler in PHASE2ST_STATUS2).
 *
 * @param iph2  phase-2 handler; must be in PHASE2ST_STATUS2.
 * @param msg   unused.
 * @return 0 on success, otherwise ISAKMP_INTERNAL_ERROR.
 */
int
quick_r1prep(struct ph2handle *iph2, vchar_t *msg)
{
	if (iph2->status != PHASE2ST_STATUS2) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "status mismatched %d.\n", iph2->status);
		return ISAKMP_INTERNAL_ERROR;
	}

	iph2->status = PHASE2ST_GETSPISENT;

	if (pk_sendgetspi(iph2) < 0)
		return ISAKMP_INTERNAL_ERROR;
	plog(LLV_DEBUG, LOCATION, NULL, "pfkey getspi sent.\n");

	/* Arm the phase-2 completion timer (pfkey_timeover_stub). */
	iph2->sce = sched_new(lcconf->wait_ph2complete,
	    pfkey_timeover_stub, iph2);

	return 0;
}
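/*
 * Responder, phase 2 step 2 (send): build and send quick-mode message 2
 * HDR*, HASH(2), SA, Nr, [KE], [IDci, IDcr], [NAT-OAi, NAT-OAr],
 * [N(RESPONDER-LIFETIME)...].
 *
 * @param iph2  phase-2 handler; must be in PHASE2ST_GETSPIDONE.
 * @param msg   must be NULL (this step is triggered by the PF_KEY getspi
 *              reply, not by an incoming message).
 * @return 0 on success, otherwise ISAKMP_INTERNAL_ERROR.
 */
int
quick_r2send(struct ph2handle *iph2, vchar_t *msg)
{
	vchar_t *body = NULL;
	vchar_t *hash = NULL;
	vchar_t *natoa_i = NULL;
	vchar_t *natoa_r = NULL;
	int natoa_type = 0;		/* 0: no NAT-OA, else payload type */
	int encmode;
	struct isakmp_gen *gen;		/* only used for sizeof() */
	char *p;
	int tlen;
	int error = ISAKMP_INTERNAL_ERROR;
	int pfsgroup;
	int use_ke;
	u_int8_t *np_p = NULL;		/* next-payload byte of the last payload written */

	if (msg != NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "msg has to be NULL in this function.\n");
		goto end;
	}
	if (iph2->status != PHASE2ST_GETSPIDONE) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "status mismatched %d.\n", iph2->status);
		goto end;
	}

	/* Put the SPIs obtained from the kernel into the SA we return. */
	if (ipsecdoi_updatespi(iph2) < 0) {
		plog(LLV_ERROR, LOCATION, NULL, "failed to update spi.\n");
		goto end;
	}

	/* Nr */
	iph2->nonce = eay_set_random(iph2->ph1->rmconf->nonce_size);
	if (iph2->nonce == NULL)
		goto end;

	/* KE only when the peer sent one and the approved proposal uses PFS. */
	pfsgroup = iph2->approval->pfs_group;
	use_ke = (iph2->dhpub_p != NULL && pfsgroup != 0);
	if (use_ke) {
		if (oakley_setdhgroup(pfsgroup, &iph2->pfsgrp) < 0) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "failed to set DH value.\n");
			goto end;
		}
		if (oakley_dh_generate(iph2->pfsgrp,
		    &iph2->dhpub, &iph2->dhpriv) < 0) {
			goto end;
		}
	}

	/* Total length of the body: a generic header per payload plus data. */
	tlen = sizeof(*gen) + iph2->sa_ret->l
	    + sizeof(*gen) + iph2->nonce->l;
	if (use_ke)
		tlen += (sizeof(*gen) + iph2->dhpub->l);
	if (iph2->id_p != NULL)
		tlen += (sizeof(*gen) + iph2->id_p->l
		    + sizeof(*gen) + iph2->id->l);

	/* NAT-OA payloads are only considered for the transport-mode encodings. */
	encmode = iph2->approval->head->encmode;
	if (encmode == IPSECDOI_ATTR_ENC_MODE_TRNS ||
	    encmode == IPSECDOI_ATTR_ENC_MODE_UDPTRNS_RFC ||
	    encmode == IPSECDOI_ATTR_ENC_MODE_UDPTRNS_DRAFT) {
		natoa_type = create_natoa_payloads(iph2, &natoa_i, &natoa_r);
		if (natoa_type == -1)
			goto end;
		else if (natoa_type != 0) {
			tlen += sizeof(*gen) + natoa_i->l;
			tlen += sizeof(*gen) + natoa_r->l;
		}
	}

	body = vmalloc(tlen);
	if (body == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "failed to get buffer to send.\n");
		goto end;
	}

	/*
	 * Payloads are chained through their next-payload byte, so each
	 * payload has to name whichever optional payload is emitted after
	 * it. np_p always tracks the last payload written so a notify can
	 * be linked behind it.
	 */
	p = set_isakmp_payload(body->v, iph2->sa_ret, ISAKMP_NPTYPE_NONCE);

	/* Nr, followed by KE, ID, NAT-OA or nothing. */
	np_p = &((struct isakmp_gen *)p)->np;
	p = set_isakmp_payload(p, iph2->nonce,
	    use_ke
	    ? ISAKMP_NPTYPE_KE
	    : (iph2->id_p != NULL
	    ? ISAKMP_NPTYPE_ID
	    : (natoa_type ? natoa_type : ISAKMP_NPTYPE_NONE)));

	/* KE, followed by ID, NAT-OA or nothing. */
	if (use_ke) {
		np_p = &((struct isakmp_gen *)p)->np;
		p = set_isakmp_payload(p, iph2->dhpub,
		    (iph2->id_p == NULL)
		    ? (natoa_type ? natoa_type : ISAKMP_NPTYPE_NONE)
		    : ISAKMP_NPTYPE_ID);
	}

	/* IDci, IDcr, followed by NAT-OA or nothing. */
	if (iph2->id_p != NULL) {
		p = set_isakmp_payload(p, iph2->id_p, ISAKMP_NPTYPE_ID);
		np_p = &((struct isakmp_gen *)p)->np;
		p = set_isakmp_payload(p, iph2->id, (natoa_type ? natoa_type : ISAKMP_NPTYPE_NONE));
	}

	/*
	 * NAT-OAi, NAT-OAr. These must be written before the
	 * RESPONDER-LIFETIME notifies: isakmp_add_pl_n() hands back a grown
	 * (possibly moved) body, which previously left p dangling for the
	 * NAT-OA writes, and np_p has to point at the last payload in the
	 * chain so the notify is linked after NAT-OAr instead of replacing
	 * the link to it.
	 */
	if (natoa_type) {
		p = set_isakmp_payload(p, natoa_i, natoa_type);
		np_p = &((struct isakmp_gen *)p)->np;
		(void)set_isakmp_payload(p, natoa_r, ISAKMP_NPTYPE_NONE);
	}

	/* RESPONDER-LIFETIME notify, one per protocol, when a lifetime is claimed. */
	{
		vchar_t *data = NULL;
		struct saprop *pp = iph2->approval;
		struct saproto *pr;

		if (pp->claim & IPSECDOI_ATTR_SA_LD_TYPE_SEC) {
			u_int32_t v = htonl((u_int32_t)pp->lifetime);
			data = isakmp_add_attr_l(data, IPSECDOI_ATTR_SA_LD_TYPE,
			    IPSECDOI_ATTR_SA_LD_TYPE_SEC);
			if (!data)
				goto end;
			data = isakmp_add_attr_v(data, IPSECDOI_ATTR_SA_LD,
			    (caddr_t)&v, sizeof(v));
			if (!data)
				goto end;
		}
		if (pp->claim & IPSECDOI_ATTR_SA_LD_TYPE_KB) {
			u_int32_t v = htonl((u_int32_t)pp->lifebyte);
			data = isakmp_add_attr_l(data, IPSECDOI_ATTR_SA_LD_TYPE,
			    IPSECDOI_ATTR_SA_LD_TYPE_KB);
			if (!data)
				goto end;
			data = isakmp_add_attr_v(data, IPSECDOI_ATTR_SA_LD,
			    (caddr_t)&v, sizeof(v));
			if (!data)
				goto end;
		}
		if (data) {
			for (pr = pp->head; pr; pr = pr->next) {
				body = isakmp_add_pl_n(body, &np_p,
				    ISAKMP_NTYPE_RESPONDER_LIFETIME, pr, data);
				if (!body) {
					/*
					 * body is NULL here; going through
					 * end still releases the NAT-OA
					 * buffers the old "return error" leaked.
					 */
					vfree(data);
					goto end;
				}
			}
			vfree(data);
		}
	}

	/* HASH(2) over Ni_b | body. */
	{
		vchar_t *tmp;

		tmp = vmalloc(iph2->nonce_p->l + body->l);
		if (tmp == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "failed to get hash buffer.\n");
			goto end;
		}
		memcpy(tmp->v, iph2->nonce_p->v, iph2->nonce_p->l);
		memcpy(tmp->v + iph2->nonce_p->l, body->v, body->l);

		hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, tmp);
		vfree(tmp);
		if (hash == NULL)
			goto end;
	}

	/* Header + HASH(2) + body, encrypted. */
	iph2->sendbuf = quick_ir1mx(iph2, body, hash);
	if (iph2->sendbuf == NULL)
		goto end;

	/* Send with retransmission. */
	iph2->retry_counter = iph2->ph1->rmconf->retry_counter;
	if (isakmp_ph2resend(iph2) == -1)
		goto end;

	/* Pair the reply with the initiator's message 1. */
	if (add_recvdpkt(iph2->ph1->remote, iph2->ph1->local, iph2->sendbuf, iph2->msg1) == -1) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "failed to add a response packet to the tree.\n");
		goto end;
	}

	iph2->status = PHASE2ST_MSG1SENT;

	error = 0;

end:
	if (body != NULL)
		vfree(body);
	if (hash != NULL)
		vfree(hash);
	if (natoa_i)
		vfree(natoa_i);
	if (natoa_r)
		vfree(natoa_r);

	return error;
}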
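/*
 * Responder, phase 2 step 3 (receive): parse the initiator's quick-mode
 * message 3 HDR*, HASH(3), [N] and verify HASH(3) over Ni_b | Nr_b.
 *
 * @param iph2  phase-2 handler; must be in PHASE2ST_MSG1SENT.
 * @param msg0  the received (still encrypted) message.
 * @return 0 on success; ISAKMP_NTYPE_INVALID_HASH_INFORMATION when HASH(3)
 *         does not verify; ISAKMP_INTERNAL_ERROR otherwise.
 */
int
quick_r3recv(struct ph2handle *iph2, vchar_t *msg0)
{
	vchar_t *msg = NULL;
	vchar_t *pbuf = NULL;
	struct isakmp_parse_t *pa;
	struct isakmp_pl_hash *hash = NULL;
	int error = ISAKMP_INTERNAL_ERROR;

	if (iph2->status != PHASE2ST_MSG1SENT) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "status mismatched %d.\n", iph2->status);
		goto end;
	}

	/* Quick-mode messages must be encrypted. */
	if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
		plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
		    "Packet wasn't encrypted.\n");
		goto end;
	}

	msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
	if (msg == NULL)
		goto end;

	pbuf = isakmp_parse(msg);
	if (pbuf == NULL)
		goto end;

	for (pa = (struct isakmp_parse_t *)pbuf->v;
	    pa->type != ISAKMP_NPTYPE_NONE;
	    pa++) {
		switch (pa->type) {
		case ISAKMP_NPTYPE_HASH:
			hash = (struct isakmp_pl_hash *)pa->ptr;
			break;
		case ISAKMP_NPTYPE_N:
			isakmp_check_notify(pa->ptr, iph2->ph1);
			break;
		default:
			plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
			    "ignore the packet, "
			    "received unexpecting payload type %d.\n",
			    pa->type);
			goto end;
		}
	}

	/* HASH(3) is mandatory. */
	if (hash == NULL) {
		plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
		    "few isakmp message received.\n");
		goto end;
	}

	/* Validate HASH(3). */
	{
		char *r_hash;
		size_t r_len;
		vchar_t *my_hash = NULL;
		vchar_t *tmp = NULL;
		int result;

		r_hash = (char *)hash + sizeof(*hash);
		r_len = ntohs(hash->h.len) - sizeof(*hash);
		plog(LLV_DEBUG, LOCATION, NULL, "HASH(3) validate:");
		plogdump(LLV_DEBUG, r_hash, r_len);

		/* Hash input: Ni_b | Nr_b. */
		tmp = vmalloc(iph2->nonce_p->l + iph2->nonce->l);
		if (tmp == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "failed to get hash buffer.\n");
			goto end;
		}
		memcpy(tmp->v, iph2->nonce_p->v, iph2->nonce_p->l);
		memcpy(tmp->v + iph2->nonce_p->l, iph2->nonce->v, iph2->nonce->l);

		my_hash = oakley_compute_hash3(iph2->ph1, iph2->msgid, tmp);
		vfree(tmp);
		if (my_hash == NULL)
			goto end;

		/* Length check first so memcmp never reads past the payload. */
		result = (r_len != my_hash->l)
		    || memcmp(my_hash->v, r_hash, my_hash->l);
		vfree(my_hash);
		if (result) {
			plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
			    "HASH(3) mismatch.\n");
			error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
			goto end;
		}
	}

	/* With the commit bit we still owe the peer a CONNECTED notify. */
	if (ISSET(iph2->flags, ISAKMP_FLAG_C)) {
		iph2->status = PHASE2ST_COMMIT;
	} else
		iph2->status = PHASE2ST_STATUS6;

	error = 0;

end:
	if (pbuf != NULL)
		vfree(pbuf);
	if (msg != NULL)
		vfree(msg);

	return error;
}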
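/*
 * Responder, phase 2 step 3 (send, commit bit): send the fourth quick-mode
 * message HDR*, HASH(4), N(CONNECTED) carrying the SPI of the approved SA.
 *
 * @param iph2  phase-2 handler; must be in PHASE2ST_COMMIT.
 * @param msg0  the message being answered; stored together with the reply
 *              via add_recvdpkt().
 * @return 0 on success, otherwise ISAKMP_INTERNAL_ERROR.
 */
int
quick_r3send(struct ph2handle *iph2, vchar_t *msg0)
{
	vchar_t *buf = NULL;
	vchar_t *myhash = NULL;
	struct isakmp_pl_n *n;
	vchar_t *notify = NULL;
	char *p;
	int tlen;
	int error = ISAKMP_INTERNAL_ERROR;

	if (iph2->status != PHASE2ST_COMMIT) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "status mismatched %d.\n", iph2->status);
		goto end;
	}

	/* N(CONNECTED) for the first protocol of the approved proposal. */
	plog(LLV_DEBUG, LOCATION, NULL, "HASH(4) generate\n");
	tlen = sizeof(struct isakmp_pl_n) + iph2->approval->head->spisize;
	notify = vmalloc(tlen);
	if (notify == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "failed to get notify buffer.\n");
		goto end;
	}
	n = (struct isakmp_pl_n *)notify->v;
	n->h.np = ISAKMP_NPTYPE_NONE;
	n->h.len = htons(tlen);
	n->doi = IPSEC_DOI;
	n->proto_id = iph2->approval->head->proto_id;
	/*
	 * The SPI size on the wire must be the number of SPI bytes copied
	 * below; it was sizeof(...spisize), i.e. the width of the field.
	 */
	n->spi_size = (u_int8_t)iph2->approval->head->spisize;
	n->type = htons(ISAKMP_NTYPE_CONNECTED);
	memcpy(n + 1, &iph2->approval->head->spi, iph2->approval->head->spisize);

	/* HASH(4) over the notify payload. */
	myhash = oakley_compute_hash1(iph2->ph1, iph2->msgid, notify);
	if (myhash == NULL)
		goto end;

	/* HDR*, HASH(4), N */
	tlen = sizeof(struct isakmp)
	    + sizeof(struct isakmp_gen) + myhash->l
	    + notify->l;
	buf = vmalloc(tlen);
	if (buf == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "failed to get buffer to send.\n");
		goto end;
	}

	p = set_isakmp_header2(buf, iph2, ISAKMP_NPTYPE_HASH);
	if (p == NULL)
		goto end;
	p = set_isakmp_payload(p, myhash, ISAKMP_NPTYPE_N);
	memcpy(p, notify->v, notify->l);	/* notify already carries its header */

#ifdef HAVE_PRINT_ISAKMP_C
	isakmp_printpacket(buf, iph2->ph1->local, iph2->ph1->remote, 1);
#endif

	iph2->sendbuf = oakley_do_encrypt(iph2->ph1, buf, iph2->ivm->ive, iph2->ivm->iv);
	if (iph2->sendbuf == NULL)
		goto end;

	if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0)
		goto end;

	if (add_recvdpkt(iph2->ph1->remote, iph2->ph1->local, iph2->sendbuf, msg0) == -1) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "failed to add a response packet to the tree.\n");
		goto end;
	}

	iph2->status = PHASE2ST_COMMIT;

	error = 0;

end:
	if (buf != NULL)
		vfree(buf);
	if (myhash != NULL)
		vfree(myhash);
	if (notify != NULL)
		vfree(notify);

	return error;
}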
/*
 * Push the generated policy (iph2->spidx_gen) to the kernel for both
 * directions, then drop it from racoon's own tables.
 *
 * NOTE(review): as in the original code, a failing inbound update leaves
 * iph2->src/dst swapped; kept as is.
 *
 * @return 0 on success, -1 if a PF_KEY spdupdate2 failed.
 */
static int
quick_r3_update_spd(struct ph2handle *iph2)
{
	struct policyindex *spidx = (struct policyindex *)iph2->spidx_gen;
	struct sockaddr *src = iph2->src;
	struct sockaddr *dst = iph2->dst;
	struct sockaddr_storage addr;
	u_int8_t pref;

	/* Inbound: the handler's endpoints are swapped around the call. */
	iph2->src = dst;
	iph2->dst = src;
	if (pk_sendspdupdate2(iph2) < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "pfkey spdupdate2(inbound) failed.\n");
		return -1;
	}
	plog(LLV_DEBUG, LOCATION, NULL,
	    "pfkey spdupdate2(inbound) sent.\n");
	iph2->src = src;
	iph2->dst = dst;

	/* Outbound: flip the generated policy's direction, endpoints and prefixes. */
	spidx->dir = IPSEC_DIR_OUTBOUND;
	addr = spidx->src;
	spidx->src = spidx->dst;
	spidx->dst = addr;
	pref = spidx->prefs;
	spidx->prefs = spidx->prefd;
	spidx->prefd = pref;
	if (pk_sendspdupdate2(iph2) < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "pfkey spdupdate2(outbound) failed.\n");
		return -1;
	}
	plog(LLV_DEBUG, LOCATION, NULL,
	    "pfkey spdupdate2(outbound) sent.\n");

	delsp_bothdir(spidx);
	racoon_free(iph2->spidx_gen);
	iph2->spidx_gen = NULL;
	return 0;
}

/*
 * Responder, phase 2 step 3 (preparation, no commit bit): derive KEYMAT,
 * install the SAs via PF_KEY and, if a policy was generated for this
 * exchange, update both SPD directions.
 *
 * @param iph2  phase-2 handler; must be in PHASE2ST_STATUS6.
 * @param msg0  unused.
 * @return 0 on success, otherwise ISAKMP_INTERNAL_ERROR.
 */
int
quick_r3prep(struct ph2handle *iph2, vchar_t *msg0)
{
	if (iph2->status != PHASE2ST_STATUS6) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "status mismatched %d.\n", iph2->status);
		return ISAKMP_INTERNAL_ERROR;
	}

	if (oakley_compute_keymat(iph2, RESPONDER) < 0)
		return ISAKMP_INTERNAL_ERROR;

	iph2->status = PHASE2ST_ADDSA;
	iph2->flags ^= ISAKMP_FLAG_C;

	/* f_local: no PF_KEY traffic. */
	if (f_local)
		return 0;

	plog(LLV_DEBUG, LOCATION, NULL, "call pk_sendupdate\n");
	if (pk_sendupdate(iph2) < 0) {
		plog(LLV_ERROR, LOCATION, NULL, "pfkey update failed.\n");
		return ISAKMP_INTERNAL_ERROR;
	}
	plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n");

	if (pk_sendadd(iph2) < 0) {
		plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n");
		return ISAKMP_INTERNAL_ERROR;
	}
	plog(LLV_DEBUG, LOCATION, NULL, "pfkey add sent.\n");

	if (iph2->spidx_gen && quick_r3_update_spd(iph2) < 0)
		return ISAKMP_INTERNAL_ERROR;

	return 0;
}
/*
 * Wrap a quick-mode message body in the ISAKMP header and HASH payload and
 * encrypt the result with the phase-1 keys.
 *
 * @param iph2  phase-2 handler; ISAKMP_FLAG_E is set on it here.
 * @param body  the already chained payloads that follow HASH (caller keeps).
 * @param hash  the HASH payload contents (caller keeps).
 * @return a newly allocated encrypted message, or NULL on failure.
 */
static vchar_t *
quick_ir1mx(struct ph2handle *iph2, vchar_t *body, vchar_t *hash)
{
	vchar_t *plain;
	vchar_t *cipher;
	char *cursor;
	size_t need;

	need = sizeof(struct isakmp)
	    + sizeof(struct isakmp_gen) + hash->l
	    + body->l;
	plain = vmalloc(need);
	if (plain == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "failed to get buffer to send.\n");
		return NULL;
	}

	/* HDR*, HASH, then the body verbatim. */
	iph2->flags |= ISAKMP_FLAG_E;
	cursor = set_isakmp_header2(plain, iph2, ISAKMP_NPTYPE_HASH);
	if (cursor == NULL) {
		vfree(plain);
		return NULL;
	}
	cursor = set_isakmp_payload(cursor, hash, ISAKMP_NPTYPE_SA);
	memcpy(cursor, body->v, body->l);

#ifdef HAVE_PRINT_ISAKMP_C
	isakmp_printpacket(plain, iph2->ph1->local, iph2->ph1->remote, 1);
#endif

	cipher = oakley_do_encrypt(iph2->ph1, plain, iph2->ivm->ive, iph2->ivm->iv);
	vfree(plain);
	return cipher;
}
/*
 * Prefix length, in bits, covering a whole address of the given family.
 *
 * @return the prefix length, or -1 for an unsupported family.
 */
static int
sainfo_r_prefixlen(const struct sockaddr *sa)
{
	switch (sa->sa_family) {
	case AF_INET:
		return sizeof(struct in_addr) << 3;
	case AF_INET6:
		return sizeof(struct in6_addr) << 3;
	default:
		return -1;
	}
}

/*
 * Responder: find the sainfo section for this exchange. Each side's ID is
 * the one the peer sent; when a side has no ID payload, a host ID is made
 * from the handler's own address instead (IPSEC_ULPROTO_ANY).
 *
 * @param iph2  phase-2 handler; iph2->sainfo is set on success.
 * @return 0 on success, otherwise ISAKMP_INTERNAL_ERROR.
 */
static int
get_sainfo_r(struct ph2handle *iph2)
{
	vchar_t *src_id = NULL;
	vchar_t *dst_id = NULL;
	int bits;
	int rc = ISAKMP_INTERNAL_ERROR;

	/* Source side. */
	if (iph2->id_p != NULL) {
		src_id = vdup(iph2->id);
	} else {
		bits = sainfo_r_prefixlen(iph2->src);
		if (bits < 0) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "invalid family: %d\n", iph2->src->sa_family);
			goto out;
		}
		src_id = ipsecdoi_sockaddr2id(iph2->src, bits,
		    IPSEC_ULPROTO_ANY);
	}
	if (src_id == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "failed to set ID for source.\n");
		goto out;
	}

	/* Destination side. */
	if (iph2->id != NULL) {
		dst_id = vdup(iph2->id_p);
	} else {
		bits = sainfo_r_prefixlen(iph2->dst);
		if (bits < 0) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "invalid family: %d\n", iph2->dst->sa_family);
			goto out;
		}
		dst_id = ipsecdoi_sockaddr2id(iph2->dst, bits,
		    IPSEC_ULPROTO_ANY);
	}
	if (dst_id == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "failed to set ID for destination.\n");
		goto out;
	}

	iph2->sainfo = getsainfo(src_id, dst_id);
	if (iph2->sainfo == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "failed to get sainfo.\n");
		goto out;
	}
	plog(LLV_DEBUG, LOCATION, NULL,
	    "get sa info: %s\n", sainfo2str(iph2->sainfo));

	rc = 0;

out:
	if (src_id)
		vfree(src_id);
	if (dst_id)
		vfree(dst_id);
	return rc;
}
/*
 * get_proposal_r:
 *	Responder side: build the SP index for this phase 2 exchange from the
 *	ID payloads (falling back to the phase 1 addresses), look up the
 *	inbound and outbound security policies that match it, and derive the
 *	responder's proposal from them with set_proposal_from_policy().
 *
 *	Return values:
 *	  0			proposal built.
 *	  -2			no inbound policy, but rmconf->gen_policy is
 *				set: a copy of the SP index has been stored in
 *				iph2->spidx_gen so the caller can generate the
 *				policy later.
 *	  ISAKMP_NTYPE_INVALID_ID_INFORMATION
 *				exactly one of the two ID payloads is present.
 *	  ISAKMP_INTERNAL_ERROR	any other failure.
 *	  other non-zero	error propagated from ipsecdoi_id2sockaddr()
 *				or setscopeid().
 *
 *	Side effects: iph2->src_id / iph2->dst_id may be set when both IDs
 *	are plain addresses of the same type; iph2->spidx_gen is allocated on
 *	the -2 path.
 */
static int
get_proposal_r(iph2)
	struct ph2handle *iph2;
{
	struct policyindex spidx;
	struct secpolicy *sp_in, *sp_out;
	int idi2type = 0;	/* ID type of iph2->id when it is a plain address */
	int error = ISAKMP_INTERNAL_ERROR;

	/* the two ID payloads must be both present or both absent */
	if ((iph2->id_p != NULL && iph2->id == NULL)
	 || (iph2->id_p == NULL && iph2->id != NULL)) {
		plog(LLV_ERROR, LOCATION, NULL,
			"Both IDs wasn't found in payload.\n");
		return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
	}

	/* this function is the only writer of src_id/dst_id; refuse to overwrite */
	if (iph2->src_id || iph2->dst_id) {
		plog(LLV_ERROR, LOCATION, NULL,
			"Why do ID[src,dst] exist already.\n");
		return ISAKMP_INTERNAL_ERROR;
	}

	memset(&spidx, 0, sizeof(spidx));

	/*
	 * Type field of an ID payload body.  This dereferences d->v without a
	 * length check here; presumably the payload length was validated when
	 * it was parsed — TODO confirm.
	 */
#define _XIDT(d) ((struct ipsecdoi_id_b *)(d)->v)->type

	/* the index is built for the inbound direction first: dst = our side */
	spidx.dir = IPSEC_DIR_INBOUND;
	spidx.ul_proto = 0;

	/* our side of the index comes from our ID payload when it is an address */
	if (iph2->id != NULL
	 && (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR
	  || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR
	  || _XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR_SUBNET
	  || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
		error = ipsecdoi_id2sockaddr(iph2->id,
			(struct sockaddr *)&spidx.dst,
			&spidx.prefd, &spidx.ul_proto);
		if (error)
			return error;
#ifdef INET6
		/* scoped IPv6 addresses need the scope of the phase 1 address */
		if (_XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) {
			error = setscopeid((struct sockaddr *)&spidx.dst,
				iph2->src);
			if (error)
				return error;
		}
#endif
		/* only plain (non-subnet) address IDs qualify for src_id/dst_id */
		if (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR
		 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR)
			idi2type = _XIDT(iph2->id);
	} else {
		plog(LLV_DEBUG, LOCATION, NULL,
			"get a destination address of SP index "
			"from phase1 address "
			"due to no ID payloads found "
			"OR because ID type is not address.\n");
		/*
		 * sa_len is taken as-is; it is assumed to fit in
		 * sockaddr_storage because iph2->src is a local address.
		 */
		memcpy(&spidx.dst, iph2->src, iph2->src->sa_len);
		switch (spidx.dst.ss_family) {
		case AF_INET:
			spidx.prefd = sizeof(struct in_addr) << 3;
			break;
#ifdef INET6
		case AF_INET6:
			spidx.prefd = sizeof(struct in6_addr) << 3;
			break;
#endif
		default:
			spidx.prefd = 0;
			break;
		}
	}

	/*
	 * The peer's side of the index comes from the peer's ID payload.
	 * Note that this second id2sockaddr() call writes spidx.ul_proto
	 * too, overwriting whatever the first call stored there.
	 */
	if (iph2->id_p != NULL
	 && (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR
	  || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR
	  || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR_SUBNET
	  || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
		error = ipsecdoi_id2sockaddr(iph2->id_p,
			(struct sockaddr *)&spidx.src,
			&spidx.prefs, &spidx.ul_proto);
		if (error)
			return error;
#ifdef INET6
		if (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR) {
			error = setscopeid((struct sockaddr *)&spidx.src,
				iph2->dst);
			if (error)
				return error;
		}
#endif
		/*
		 * Remember the addresses only when both IDs are plain
		 * addresses of the same type and family.  src_id is our side
		 * (the inbound dst).  NOTE(review): the dupsaddr() results are
		 * not checked for NULL here.
		 */
		if (_XIDT(iph2->id_p) == idi2type
		 && spidx.dst.ss_family == spidx.src.ss_family) {
			iph2->src_id = dupsaddr((struct sockaddr *)&spidx.dst);
			iph2->dst_id = dupsaddr((struct sockaddr *)&spidx.src);
		}
	} else {
		plog(LLV_DEBUG, LOCATION, NULL,
			"get a source address of SP index "
			"from phase1 address "
			"due to no ID payloads found "
			"OR because ID type is not address.\n");
		/* same sa_len assumption as above, for the peer's address */
		memcpy(&spidx.src, iph2->dst, iph2->dst->sa_len);
		switch (spidx.src.ss_family) {
		case AF_INET:
			spidx.prefs = sizeof(struct in_addr) << 3;
			break;
#ifdef INET6
		case AF_INET6:
			spidx.prefs = sizeof(struct in6_addr) << 3;
			break;
#endif
		default:
			spidx.prefs = 0;
			break;
		}
	}
#undef _XIDT

	plog(LLV_DEBUG, LOCATION, NULL,
		"get a src address from ID payload "
		"%s prefixlen=%u ul_proto=%u\n",
		saddr2str((struct sockaddr *)&spidx.src),
		spidx.prefs, spidx.ul_proto);
	plog(LLV_DEBUG, LOCATION, NULL,
		"get dst address from ID payload "
		"%s prefixlen=%u ul_proto=%u\n",
		saddr2str((struct sockaddr *)&spidx.dst),
		spidx.prefd, spidx.ul_proto);

	/* no upper-layer protocol in either ID means "any" for the SPD lookup */
	if (spidx.ul_proto == 0)
		spidx.ul_proto = IPSEC_ULPROTO_ANY;

	/* inbound policy is mandatory unless the remote section allows generation */
	sp_in = getsp_r(&spidx);
	if (sp_in == NULL) {
		if (iph2->ph1->rmconf->gen_policy) {
			plog(LLV_INFO, LOCATION, NULL,
				"no policy found, "
				"try to generate the policy : %s\n",
				spidx2str(&spidx));
			iph2->spidx_gen = racoon_malloc(sizeof(spidx));
			if (!iph2->spidx_gen) {
				plog(LLV_ERROR, LOCATION, NULL,
					"buffer allocation failed.\n");
				return ISAKMP_INTERNAL_ERROR;
			}
			memcpy(iph2->spidx_gen, &spidx, sizeof(spidx));
			/* -2 tells the caller that a policy must be generated */
			return -2;
		}
		plog(LLV_ERROR, LOCATION, NULL,
			"no policy found: %s\n", spidx2str(&spidx));
		return ISAKMP_INTERNAL_ERROR;
	}

	/*
	 * Outbound lookup: same index with direction, addresses and prefix
	 * lengths swapped.  A missing outbound policy is only a warning;
	 * sp_out stays NULL and is handed to set_proposal_from_policy() as is.
	 */
	{
		struct sockaddr_storage addr;
		u_int8_t pref;

		spidx.dir = IPSEC_DIR_OUTBOUND;
		addr = spidx.src;
		spidx.src = spidx.dst;
		spidx.dst = addr;
		pref = spidx.prefs;
		spidx.prefs = spidx.prefd;
		spidx.prefd = pref;

		sp_out = getsp_r(&spidx);
		if (!sp_out) {
			plog(LLV_WARNING, LOCATION, NULL,
				"no outbound policy found: %s\n",
				spidx2str(&spidx));
		}
	}
	plog(LLV_DEBUG, LOCATION, NULL,
		"suitable SP found:%s\n", spidx2str(&spidx));

	/* a "none"/"discard" policy cannot be negotiated as IPsec */
	if (sp_in->policy != IPSEC_POLICY_IPSEC) {
		plog(LLV_ERROR, LOCATION, NULL,
			"policy found, but no IPsec required: %s\n",
			spidx2str(&spidx));
		return ISAKMP_INTERNAL_ERROR;
	}

	if (set_proposal_from_policy(iph2, sp_in, sp_out) < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to create saprop.\n");
		return ISAKMP_INTERNAL_ERROR;
	}

	return 0;
}
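/*
 * natoa_addrlen:
 *	Length of the raw address that a NAT-OA body carries for sa.
 *	Returns 0 and stores the length in *len, or logs and returns -1 for
 *	an unsupported address family.
 */
static int
natoa_addrlen(struct sockaddr *sa, size_t *len)
{
	switch (sa->sa_family) {
	case AF_INET:
		*len = sizeof(in_addr_t);
		return 0;
#ifdef INET6
	case AF_INET6:
		*len = sizeof(struct in6_addr);
		return 0;
#endif
	default:
		plog(LLV_ERROR, LOCATION, NULL,
			"invalid address family: %d\n", sa->sa_family);
		return -1;
	}
}

/*
 * natoa_fill:
 *	Write one NAT-OA body at p: ID type byte, three reserved bytes, then
 *	len bytes of raw address taken from sa.  The reserved bytes are
 *	zeroed explicitly so no uninitialised heap memory is sent on the
 *	wire.  sa's family must already have passed natoa_addrlen().
 */
static void
natoa_fill(u_int8_t *p, struct sockaddr *sa, size_t len)
{
	memset(p, 0, sizeof(u_int32_t));
	switch (sa->sa_family) {
	case AF_INET:
		*p = IPSECDOI_ID_IPV4_ADDR;
		memcpy(p + sizeof(u_int32_t),
		    &((struct sockaddr_in *)sa)->sin_addr.s_addr, len);
		break;
#ifdef INET6
	case AF_INET6:
		*p = IPSECDOI_ID_IPV6_ADDR;
		memcpy(p + sizeof(u_int32_t),
		    &((struct sockaddr_in6 *)sa)->sin6_addr, len);
		break;
#endif
	default:
		/* unreachable: families are validated by natoa_addrlen() */
		break;
	}
}

/*
 * create_natoa_payloads:
 *	Build the two NAT-OA payload bodies (our original address and the
 *	peer's) for a NAT-T phase 2 exchange.
 *
 *	iph2:		phase 2 handle; iph2->src / iph2->dst supply the
 *			addresses and iph2->ph1 the detected NAT-T variant.
 *	natoa_i/r:	set to NULL first; on a positive return they hold
 *			newly allocated buffers which the caller frees.
 *
 *	Returns the payload type to use (ISAKMP_NPTYPE_NATOA_RFC or
 *	ISAKMP_NPTYPE_NATOA_DRAFT), 0 when no NAT was detected or the variant
 *	carries no NAT-OA payload, and -1 on error.  On error neither buffer
 *	is leaked and both output pointers stay NULL.
 */
static int
create_natoa_payloads(struct ph2handle *iph2, vchar_t **natoa_i, vchar_t **natoa_r)
{
	int natoa_type = 0;
	int natt_type;
	vchar_t *i = NULL;
	vchar_t *r = NULL;
	size_t src_size;
	size_t dst_size;

	*natoa_i = *natoa_r = NULL;

	/* map the negotiated NAT-T variant to its NAT-OA payload type */
	natt_type = natd_hasnat(iph2->ph1);
	if (natt_type != 0) {
		if (natt_type == natt_type_rfc)
			natoa_type = ISAKMP_NPTYPE_NATOA_RFC;
		else if (natt_type == natt_type_02 || natt_type == natt_type_02N)
			natoa_type = ISAKMP_NPTYPE_NATOA_DRAFT;
	}
	if (natoa_type == 0)
		return 0;

	if (natoa_addrlen(iph2->src, &src_size) < 0
	 || natoa_addrlen(iph2->dst, &dst_size) < 0)
		return -1;

	/* body size = fixed part of the payload minus the generic header, plus the address */
	i = vmalloc(sizeof(struct isakmp_pl_natoa) + src_size - sizeof(struct isakmp_gen));
	r = vmalloc(sizeof(struct isakmp_pl_natoa) + dst_size - sizeof(struct isakmp_gen));
	if (i == NULL || r == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to get buffer for natoa payload.\n");
		goto fail;
	}

	natoa_fill((u_int8_t *)i->v, iph2->src, src_size);
	natoa_fill((u_int8_t *)r->v, iph2->dst, dst_size);

	*natoa_i = i;
	*natoa_r = r;
	return natoa_type;

fail:
	/* release whichever buffer was obtained before the failure */
	if (i != NULL)
		vfree(i);
	if (r != NULL)
		vfree(r);
	return -1;
}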
#ifdef INET6
/*
 * setscopeid:
 *	Give a policy-index IPv6 address (sp_addr0) the scope ID of a phase 1
 *	address (sa_addr0) when the former is link-local, site-local or
 *	multicast and therefore meaningless without a scope.  Global
 *	addresses are left untouched.
 *
 *	Returns 0 on success or when no scope is needed, and (u_int32_t)-1
 *	when the phase 1 address is not AF_INET6 or is not itself link-local
 *	(the only kind whose scope ID is copied).  Both pointers must refer
 *	to sockaddr_in6 objects; sp_addr0's family is not checked here.
 */
static u_int32_t
setscopeid(sp_addr0, sa_addr0)
	struct sockaddr *sp_addr0, *sa_addr0;
{
	struct sockaddr_in6 *policy = (struct sockaddr_in6 *)sp_addr0;
	struct sockaddr_in6 *phase1 = (struct sockaddr_in6 *)sa_addr0;
	const struct in6_addr *pa = &policy->sin6_addr;
	int scoped;

	scoped = IN6_IS_ADDR_LINKLOCAL(pa)
	    || IN6_IS_ADDR_SITELOCAL(pa)
	    || IN6_IS_ADDR_MULTICAST(pa);
	if (!scoped)
		return 0;

	if (phase1->sin6_family != AF_INET6) {
		plog(LLV_ERROR, LOCATION, NULL,
			"can't get scope ID: family mismatch\n");
		return -1;
	}
	/* only a link-local phase 1 address carries a usable scope ID */
	if (!IN6_IS_ADDR_LINKLOCAL(&phase1->sin6_addr)) {
		plog(LLV_ERROR, LOCATION, NULL,
			"scope ID is not supported except of lladdr.\n");
		return -1;
	}

	policy->sin6_scope_id = phase1->sin6_scope_id;
	return 0;
}
#endif