summaryrefslogtreecommitdiffstats
path: root/ipsec-tools/src/racoon/isakmp_inf.c
diff options
context:
space:
mode:
Diffstat (limited to 'ipsec-tools/src/racoon/isakmp_inf.c')
-rw-r--r--ipsec-tools/src/racoon/isakmp_inf.c1605
1 files changed, 1605 insertions, 0 deletions
diff --git a/ipsec-tools/src/racoon/isakmp_inf.c b/ipsec-tools/src/racoon/isakmp_inf.c
new file mode 100644
index 00000000..99daffb3
--- /dev/null
+++ b/ipsec-tools/src/racoon/isakmp_inf.c
@@ -0,0 +1,1605 @@
+/* $NetBSD: isakmp_inf.c,v 1.47.2.3 2013/04/12 09:53:52 tteras Exp $ */
+
+/* Id: isakmp_inf.c,v 1.44 2006/05/06 20:45:52 manubsd Exp */
+
+/*
+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/socket.h>
+
+#include <net/pfkeyv2.h>
+#include <netinet/in.h>
+#include <sys/queue.h>
+#include PATH_IPSEC_H
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <errno.h>
+#if TIME_WITH_SYS_TIME
+# include <sys/time.h>
+# include <time.h>
+#else
+# if HAVE_SYS_TIME_H
+# include <sys/time.h>
+# else
+# include <time.h>
+# endif
+#endif
+#ifdef ENABLE_HYBRID
+#include <resolv.h>
+#endif
+
+#include "libpfkey.h"
+
+#include "var.h"
+#include "vmbuf.h"
+#include "schedule.h"
+#include "str2val.h"
+#include "misc.h"
+#include "plog.h"
+#include "debug.h"
+
+#include "localconf.h"
+#include "remoteconf.h"
+#include "sockmisc.h"
+#include "handler.h"
+#include "policy.h"
+#include "proposal.h"
+#include "isakmp_var.h"
+#include "evt.h"
+#include "isakmp.h"
+#ifdef ENABLE_HYBRID
+#include "isakmp_xauth.h"
+#include "isakmp_unity.h"
+#include "isakmp_cfg.h"
+#endif
+#include "isakmp_inf.h"
+#include "oakley.h"
+#include "ipsec_doi.h"
+#include "crypto_openssl.h"
+#include "pfkey.h"
+#include "policy.h"
+#include "algorithm.h"
+#include "proposal.h"
+#include "admin.h"
+#include "strnames.h"
+#ifdef ENABLE_NATT
+#include "nattraversal.h"
+#endif
+
+/* information exchange */
+static int isakmp_info_recv_n (struct ph1handle *, struct isakmp_pl_n *, u_int32_t, int);
+static int isakmp_info_recv_d (struct ph1handle *, struct isakmp_pl_d *, u_int32_t, int);
+
+#ifdef ENABLE_DPD
+static int isakmp_info_recv_r_u __P((struct ph1handle *,
+ struct isakmp_pl_ru *, u_int32_t));
+static int isakmp_info_recv_r_u_ack __P((struct ph1handle *,
+ struct isakmp_pl_ru *, u_int32_t));
+static void isakmp_info_send_r_u __P((struct sched *));
+#endif
+
+static void purge_isakmp_spi __P((int, isakmp_index *, size_t));
+
+/* %%%
+ * Information Exchange
+ */
+/*
+ * receive Information
+ */
+int
+isakmp_info_recv(iph1, msg0)
+ struct ph1handle *iph1;
+ vchar_t *msg0;
+{
+ vchar_t *msg = NULL;
+ vchar_t *pbuf = NULL;
+ u_int32_t msgid = 0;
+ int error = -1;
+ struct isakmp *isakmp;
+ struct isakmp_gen *gen;
+ struct isakmp_parse_t *pa, *pap;
+ void *p;
+ vchar_t *hash, *payload;
+ struct isakmp_gen *nd;
+ u_int8_t np;
+ int encrypted;
+
+ plog(LLV_DEBUG, LOCATION, NULL, "receive Information.\n");
+
+ encrypted = ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E);
+ msgid = ((struct isakmp *)msg0->v)->msgid;
+
+ /* Use new IV to decrypt Informational message. */
+ if (encrypted) {
+ struct isakmp_ivm *ivm;
+
+ if (iph1->ivm == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL, "iph1->ivm == NULL\n");
+ return -1;
+ }
+
+ /* compute IV */
+ ivm = oakley_newiv2(iph1, ((struct isakmp *)msg0->v)->msgid);
+ if (ivm == NULL)
+ return -1;
+
+ msg = oakley_do_decrypt(iph1, msg0, ivm->iv, ivm->ive);
+ oakley_delivm(ivm);
+ if (msg == NULL)
+ return -1;
+
+ } else
+ msg = vdup(msg0);
+
+ /* Safety check */
+ if (msg->l < sizeof(*isakmp) + sizeof(*gen)) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "ignore information because the "
+ "message is way too short - %zu byte(s).\n",
+ msg->l);
+ goto end;
+ }
+
+ isakmp = (struct isakmp *)msg->v;
+ gen = (struct isakmp_gen *)((caddr_t)isakmp + sizeof(struct isakmp));
+ np = gen->np;
+
+ if (encrypted) {
+ if (isakmp->np != ISAKMP_NPTYPE_HASH) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "ignore information because the "
+ "message has no hash payload.\n");
+ goto end;
+ }
+
+ if (iph1->status != PHASE1ST_ESTABLISHED &&
+ iph1->status != PHASE1ST_DYING) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "ignore information because ISAKMP-SA "
+ "has not been established yet.\n");
+ goto end;
+ }
+
+ /* Safety check */
+ if (msg->l < sizeof(*isakmp) + ntohs(gen->len) + sizeof(*nd)) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "ignore information because the "
+ "message is too short - %zu byte(s).\n",
+ msg->l);
+ goto end;
+ }
+
+ p = (caddr_t) gen + sizeof(struct isakmp_gen);
+ nd = (struct isakmp_gen *) ((caddr_t) gen + ntohs(gen->len));
+
+ /* nd length check */
+ if (ntohs(nd->len) > msg->l - (sizeof(struct isakmp) +
+ ntohs(gen->len))) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "too long payload length (broken message?)\n");
+ goto end;
+ }
+
+ if (ntohs(nd->len) < sizeof(*nd)) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "too short payload length (broken message?)\n");
+ goto end;
+ }
+
+ payload = vmalloc(ntohs(nd->len));
+ if (payload == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "cannot allocate memory\n");
+ goto end;
+ }
+
+ memcpy(payload->v, (caddr_t) nd, ntohs(nd->len));
+
+ /* compute HASH */
+ hash = oakley_compute_hash1(iph1, isakmp->msgid, payload);
+ if (hash == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "cannot compute hash\n");
+
+ vfree(payload);
+ goto end;
+ }
+
+ if (ntohs(gen->len) - sizeof(struct isakmp_gen) != hash->l) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "ignore information due to hash length mismatch\n");
+
+ vfree(hash);
+ vfree(payload);
+ goto end;
+ }
+
+ if (memcmp(p, hash->v, hash->l) != 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "ignore information due to hash mismatch\n");
+
+ vfree(hash);
+ vfree(payload);
+ goto end;
+ }
+
+ plog(LLV_DEBUG, LOCATION, NULL, "hash validated.\n");
+
+ vfree(hash);
+ vfree(payload);
+ } else {
+ /* make sure the packet was encrypted after the beginning of phase 1. */
+ switch (iph1->etype) {
+ case ISAKMP_ETYPE_AGG:
+ case ISAKMP_ETYPE_BASE:
+ case ISAKMP_ETYPE_IDENT:
+ if ((iph1->side == INITIATOR && iph1->status < PHASE1ST_MSG3SENT)
+ || (iph1->side == RESPONDER && iph1->status < PHASE1ST_MSG2SENT)) {
+ break;
+ }
+ /*FALLTHRU*/
+ default:
+ plog(LLV_ERROR, LOCATION, iph1->remote,
+ "%s message must be encrypted\n",
+ s_isakmp_nptype(np));
+ error = 0;
+ goto end;
+ }
+ }
+
+ if (!(pbuf = isakmp_parse(msg))) {
+ error = -1;
+ goto end;
+ }
+
+ error = 0;
+ for (pa = (struct isakmp_parse_t *)pbuf->v; pa->type; pa++) {
+ switch (pa->type) {
+ case ISAKMP_NPTYPE_HASH:
+ /* Handled above */
+ break;
+ case ISAKMP_NPTYPE_N:
+ error = isakmp_info_recv_n(iph1,
+ (struct isakmp_pl_n *)pa->ptr,
+ msgid, encrypted);
+ break;
+ case ISAKMP_NPTYPE_D:
+ error = isakmp_info_recv_d(iph1,
+ (struct isakmp_pl_d *)pa->ptr,
+ msgid, encrypted);
+ break;
+ case ISAKMP_NPTYPE_NONCE:
+ /* XXX to be 6.4.2 ike-01.txt */
+ /* XXX IV is to be synchronized. */
+ plog(LLV_ERROR, LOCATION, iph1->remote,
+ "ignore Acknowledged Informational\n");
+ break;
+ default:
+ /* don't send information, see isakmp_ident_r1() */
+ error = 0;
+ plog(LLV_ERROR, LOCATION, iph1->remote,
+ "reject the packet, "
+ "received unexpected payload type %s.\n",
+ s_isakmp_nptype(gen->np));
+ }
+ if (error < 0)
+ break;
+ }
+ end:
+ if (msg != NULL)
+ vfree(msg);
+ if (pbuf != NULL)
+ vfree(pbuf);
+ return error;
+}
+
+
+/*
+ * log unhandled / unallowed Notification payload
+ */
+int
+isakmp_log_notify(iph1, notify, exchange)
+ struct ph1handle *iph1;
+ struct isakmp_pl_n *notify;
+ const char *exchange;
+{
+ u_int type;
+ char *nraw, *ndata, *nhex;
+ size_t l;
+
+ type = ntohs(notify->type);
+ if (ntohs(notify->h.len) < sizeof(*notify) + notify->spi_size) {
+ plog(LLV_ERROR, LOCATION, iph1->remote,
+ "invalid spi_size in %s notification in %s.\n",
+ s_isakmp_notify_msg(type), exchange);
+ return -1;
+ }
+
+ plog(LLV_ERROR, LOCATION, iph1->remote,
+ "notification %s received in %s.\n",
+ s_isakmp_notify_msg(type), exchange);
+
+ nraw = ((char*) notify) + sizeof(*notify) + notify->spi_size;
+ l = ntohs(notify->h.len) - sizeof(*notify) - notify->spi_size;
+ if (l > 0) {
+ if (type >= ISAKMP_NTYPE_MINERROR &&
+ type <= ISAKMP_NTYPE_MAXERROR) {
+ ndata = binsanitize(nraw, l);
+ if (ndata != NULL) {
+ plog(LLV_ERROR, LOCATION, iph1->remote,
+ "error message: '%s'.\n",
+ ndata);
+ racoon_free(ndata);
+ } else {
+ plog(LLV_ERROR, LOCATION, iph1->remote,
+ "Cannot allocate memory\n");
+ }
+ } else {
+ nhex = val2str(nraw, l);
+ if (nhex != NULL) {
+ plog(LLV_ERROR, LOCATION, iph1->remote,
+ "notification payload: %s.\n",
+ nhex);
+ racoon_free(nhex);
+ } else {
+ plog(LLV_ERROR, LOCATION, iph1->remote,
+ "Cannot allocate memory\n");
+ }
+ }
+ }
+
+ return 0;
+}
+
+
+/*
+ * handling of Notification payload
+ */
+static int
+isakmp_info_recv_n(iph1, notify, msgid, encrypted)
+ struct ph1handle *iph1;
+ struct isakmp_pl_n *notify;
+ u_int32_t msgid;
+ int encrypted;
+{
+ u_int type;
+
+ type = ntohs(notify->type);
+ switch (type) {
+ case ISAKMP_NTYPE_CONNECTED:
+ case ISAKMP_NTYPE_RESPONDER_LIFETIME:
+ case ISAKMP_NTYPE_REPLAY_STATUS:
+#ifdef ENABLE_HYBRID
+ case ISAKMP_NTYPE_UNITY_HEARTBEAT:
+#endif
+ /* do something */
+ break;
+ case ISAKMP_NTYPE_INITIAL_CONTACT:
+ if (encrypted)
+ return isakmp_info_recv_initialcontact(iph1, NULL);
+ break;
+#ifdef ENABLE_DPD
+ case ISAKMP_NTYPE_R_U_THERE:
+ if (encrypted)
+ return isakmp_info_recv_r_u(iph1,
+ (struct isakmp_pl_ru *)notify, msgid);
+ break;
+ case ISAKMP_NTYPE_R_U_THERE_ACK:
+ if (encrypted)
+ return isakmp_info_recv_r_u_ack(iph1,
+ (struct isakmp_pl_ru *)notify, msgid);
+ break;
+#endif
+ }
+
+ /* If we receive a error notification we should delete the related
+ * phase1 / phase2 handle, and send an event to racoonctl.
+ * However, since phase1 error notifications are not encrypted and
+ * can not be authenticated, it would allow a DoS attack possibility
+ * to handle them.
+ * Phase2 error notifications should be encrypted, so we could handle
+ * those, but it needs implementing (the old code didn't implement
+ * that either).
+ * So we are good to just log the messages here.
+ */
+ if (encrypted)
+ isakmp_log_notify(iph1, notify, "informational exchange");
+ else
+ isakmp_log_notify(iph1, notify, "unencrypted informational exchange");
+
+ return 0;
+}
+
+/*
+ * handling of Deletion payload
+ */
+static int
+isakmp_info_recv_d(iph1, delete, msgid, encrypted)
+ struct ph1handle *iph1;
+ struct isakmp_pl_d *delete;
+ u_int32_t msgid;
+ int encrypted;
+{
+ int tlen, num_spi;
+ vchar_t *pbuf;
+ int protected = 0;
+ struct ph1handle *del_ph1;
+ struct ph2handle *iph2;
+ union {
+ u_int32_t spi32;
+ u_int16_t spi16[2];
+ } spi;
+
+ if (ntohl(delete->doi) != IPSEC_DOI) {
+ plog(LLV_ERROR, LOCATION, iph1->remote,
+ "delete payload with invalid doi:%d.\n",
+ ntohl(delete->doi));
+#ifdef ENABLE_HYBRID
+ /*
+ * At deconnexion time, Cisco VPN client does this
+ * with a zero DOI. Don't give up in that situation.
+ */
+ if (((iph1->mode_cfg->flags &
+ ISAKMP_CFG_VENDORID_UNITY) == 0) || (delete->doi != 0))
+ return 0;
+#else
+ return 0;
+#endif
+ }
+
+ num_spi = ntohs(delete->num_spi);
+ tlen = ntohs(delete->h.len) - sizeof(struct isakmp_pl_d);
+
+ if (tlen != num_spi * delete->spi_size) {
+ plog(LLV_ERROR, LOCATION, iph1->remote,
+ "deletion payload with invalid length.\n");
+ return 0;
+ }
+
+ plog(LLV_DEBUG, LOCATION, iph1->remote,
+ "delete payload for protocol %s\n",
+ s_ipsecdoi_proto(delete->proto_id));
+
+ if((iph1 == NULL || !iph1->rmconf->weak_phase1_check) && !encrypted) {
+ plog(LLV_WARNING, LOCATION, iph1->remote,
+ "Ignoring unencrypted delete payload "
+ "(check the weak_phase1_check option)\n");
+ return 0;
+ }
+
+ switch (delete->proto_id) {
+ case IPSECDOI_PROTO_ISAKMP:
+ if (delete->spi_size != sizeof(isakmp_index)) {
+ plog(LLV_ERROR, LOCATION, iph1->remote,
+ "delete payload with strange spi "
+ "size %d(proto_id:%d)\n",
+ delete->spi_size, delete->proto_id);
+ return 0;
+ }
+
+ del_ph1=getph1byindex((isakmp_index *)(delete + 1));
+ if(del_ph1 != NULL){
+
+ evt_phase1(iph1, EVT_PHASE1_PEER_DELETED, NULL);
+ sched_cancel(&del_ph1->scr);
+
+ /*
+ * Delete also IPsec-SAs if rekeying is enabled.
+ */
+ if (ph1_rekey_enabled(del_ph1))
+ purge_remote(del_ph1);
+ else
+ isakmp_ph1expire(del_ph1);
+ }
+ break;
+
+ case IPSECDOI_PROTO_IPSEC_AH:
+ case IPSECDOI_PROTO_IPSEC_ESP:
+ if (delete->spi_size != sizeof(u_int32_t)) {
+ plog(LLV_ERROR, LOCATION, iph1->remote,
+ "delete payload with strange spi "
+ "size %d(proto_id:%d)\n",
+ delete->spi_size, delete->proto_id);
+ return 0;
+ }
+ purge_ipsec_spi(iph1->remote, delete->proto_id,
+ (u_int32_t *)(delete + 1), num_spi);
+ break;
+
+ case IPSECDOI_PROTO_IPCOMP:
+ /* need to handle both 16bit/32bit SPI */
+ memset(&spi, 0, sizeof(spi));
+ if (delete->spi_size == sizeof(spi.spi16[1])) {
+ memcpy(&spi.spi16[1], delete + 1,
+ sizeof(spi.spi16[1]));
+ } else if (delete->spi_size == sizeof(spi.spi32))
+ memcpy(&spi.spi32, delete + 1, sizeof(spi.spi32));
+ else {
+ plog(LLV_ERROR, LOCATION, iph1->remote,
+ "delete payload with strange spi "
+ "size %d(proto_id:%d)\n",
+ delete->spi_size, delete->proto_id);
+ return 0;
+ }
+ purge_ipsec_spi(iph1->remote, delete->proto_id,
+ &spi.spi32, num_spi);
+ break;
+
+ default:
+ plog(LLV_ERROR, LOCATION, iph1->remote,
+ "deletion message received, "
+ "invalid proto_id: %d\n",
+ delete->proto_id);
+ return 0;
+ }
+
+ plog(LLV_DEBUG, LOCATION, NULL, "purged SAs.\n");
+
+ return 0;
+}
+
+/*
+ * send Delete payload (for ISAKMP SA) in Informational exchange.
+ */
+int
+isakmp_info_send_d1(iph1)
+ struct ph1handle *iph1;
+{
+ struct isakmp_pl_d *d;
+ vchar_t *payload = NULL;
+ int tlen;
+ int error = 0;
+
+ if (iph1->status != PHASE2ST_ESTABLISHED)
+ return 0;
+
+ /* create delete payload */
+
+ /* send SPIs of inbound SAs. */
+ /* XXX should send outbound SAs's ? */
+ tlen = sizeof(*d) + sizeof(isakmp_index);
+ payload = vmalloc(tlen);
+ if (payload == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "failed to get buffer for payload.\n");
+ return errno;
+ }
+
+ d = (struct isakmp_pl_d *)payload->v;
+ d->h.np = ISAKMP_NPTYPE_NONE;
+ d->h.len = htons(tlen);
+ d->doi = htonl(IPSEC_DOI);
+ d->proto_id = IPSECDOI_PROTO_ISAKMP;
+ d->spi_size = sizeof(isakmp_index);
+ d->num_spi = htons(1);
+ memcpy(d + 1, &iph1->index, sizeof(isakmp_index));
+
+ error = isakmp_info_send_common(iph1, payload,
+ ISAKMP_NPTYPE_D, 0);
+ vfree(payload);
+
+ return error;
+}
+
+/*
+ * send Delete payload (for IPsec SA) in Informational exchange, based on
+ * pfkey msg. It sends always single SPI.
+ */
+int
+isakmp_info_send_d2(iph2)
+ struct ph2handle *iph2;
+{
+ struct ph1handle *iph1;
+ struct saproto *pr;
+ struct isakmp_pl_d *d;
+ vchar_t *payload = NULL;
+ int tlen;
+ int error = 0;
+ u_int8_t *spi;
+
+ if (iph2->status != PHASE2ST_ESTABLISHED)
+ return 0;
+
+ /*
+ * don't send delete information if there is no phase 1 handler.
+ * It's nonsensical to negotiate phase 1 to send the information.
+ */
+ iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
+ if (iph1 == NULL){
+ plog(LLV_DEBUG2, LOCATION, NULL,
+ "No ph1 handler found, could not send DELETE_SA\n");
+ return 0;
+ }
+
+ /* create delete payload */
+ for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
+
+ /* send SPIs of inbound SAs. */
+ /*
+ * XXX should I send outbound SAs's ?
+ * I send inbound SAs's SPI only at the moment because I can't
+ * decode any more if peer send encoded packet without aware of
+ * deletion of SA. Outbound SAs don't come under the situation.
+ */
+ tlen = sizeof(*d) + pr->spisize;
+ payload = vmalloc(tlen);
+ if (payload == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "failed to get buffer for payload.\n");
+ return errno;
+ }
+
+ d = (struct isakmp_pl_d *)payload->v;
+ d->h.np = ISAKMP_NPTYPE_NONE;
+ d->h.len = htons(tlen);
+ d->doi = htonl(IPSEC_DOI);
+ d->proto_id = pr->proto_id;
+ d->spi_size = pr->spisize;
+ d->num_spi = htons(1);
+ /*
+ * XXX SPI bits are left-filled, for use with IPComp.
+ * we should be switching to variable-length spi field...
+ */
+ spi = (u_int8_t *)&pr->spi;
+ spi += sizeof(pr->spi);
+ spi -= pr->spisize;
+ memcpy(d + 1, spi, pr->spisize);
+
+ error = isakmp_info_send_common(iph1, payload,
+ ISAKMP_NPTYPE_D, 0);
+ vfree(payload);
+ }
+
+ return error;
+}
+
+/*
+ * send Notification payload (for without ISAKMP SA) in Informational exchange
+ */
+int
+isakmp_info_send_nx(isakmp, remote, local, type, data)
+ struct isakmp *isakmp;
+ struct sockaddr *remote, *local;
+ int type;
+ vchar_t *data;
+{
+ struct ph1handle *iph1 = NULL;
+ vchar_t *payload = NULL;
+ int tlen;
+ int error = -1;
+ struct isakmp_pl_n *n;
+ int spisiz = 0; /* see below */
+
+ /* add new entry to isakmp status table. */
+ iph1 = newph1();
+ if (iph1 == NULL)
+ return -1;
+
+ memcpy(&iph1->index.i_ck, &isakmp->i_ck, sizeof(cookie_t));
+ isakmp_newcookie((char *)&iph1->index.r_ck, remote, local);
+ iph1->status = PHASE1ST_START;
+ iph1->side = INITIATOR;
+ iph1->version = isakmp->v;
+ iph1->flags = 0;
+ iph1->msgid = 0; /* XXX */
+#ifdef ENABLE_HYBRID
+ if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL)
+ goto end;
+#endif
+#ifdef ENABLE_FRAG
+ iph1->frag = 0;
+ iph1->frag_chain = NULL;
+#endif
+
+ /* copy remote address */
+ if (copy_ph1addresses(iph1, NULL, remote, local) < 0)
+ goto end;
+
+ tlen = sizeof(*n) + spisiz;
+ if (data)
+ tlen += data->l;
+ payload = vmalloc(tlen);
+ if (payload == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "failed to get buffer to send.\n");
+ goto end;
+ }
+
+ n = (struct isakmp_pl_n *)payload->v;
+ n->h.np = ISAKMP_NPTYPE_NONE;
+ n->h.len = htons(tlen);
+ n->doi = htonl(IPSEC_DOI);
+ n->proto_id = IPSECDOI_KEY_IKE;
+ n->spi_size = spisiz;
+ n->type = htons(type);
+ if (spisiz)
+ memset(n + 1, 0, spisiz); /* XXX spisiz is always 0 */
+ if (data)
+ memcpy((caddr_t)(n + 1) + spisiz, data->v, data->l);
+
+ error = isakmp_info_send_common(iph1, payload, ISAKMP_NPTYPE_N, 0);
+ vfree(payload);
+
+ end:
+ if (iph1 != NULL)
+ delph1(iph1);
+
+ return error;
+}
+
+/*
+ * send Notification payload (for ISAKMP SA) in Informational exchange
+ */
+int
+isakmp_info_send_n1(iph1, type, data)
+ struct ph1handle *iph1;
+ int type;
+ vchar_t *data;
+{
+ vchar_t *payload = NULL;
+ int tlen;
+ int error = 0;
+ struct isakmp_pl_n *n;
+ int spisiz;
+
+ /*
+ * note on SPI size: which description is correct? I have chosen
+ * this to be 0.
+ *
+ * RFC2408 3.1, 2nd paragraph says: ISAKMP SA is identified by
+ * Initiator/Responder cookie and SPI has no meaning, SPI size = 0.
+ * RFC2408 3.1, first paragraph on page 40: ISAKMP SA is identified
+ * by cookie and SPI has no meaning, 0 <= SPI size <= 16.
+ * RFC2407 4.6.3.3, INITIAL-CONTACT is required to set to 16.
+ */
+ if (type == ISAKMP_NTYPE_INITIAL_CONTACT)
+ spisiz = sizeof(isakmp_index);
+ else
+ spisiz = 0;
+
+ tlen = sizeof(*n) + spisiz;
+ if (data)
+ tlen += data->l;
+ payload = vmalloc(tlen);
+ if (payload == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "failed to get buffer to send.\n");
+ return errno;
+ }
+
+ n = (struct isakmp_pl_n *)payload->v;
+ n->h.np = ISAKMP_NPTYPE_NONE;
+ n->h.len = htons(tlen);
+ n->doi = htonl(iph1->rmconf->doitype);
+ n->proto_id = IPSECDOI_PROTO_ISAKMP; /* XXX to be configurable ? */
+ n->spi_size = spisiz;
+ n->type = htons(type);
+ if (spisiz)
+ memcpy(n + 1, &iph1->index, sizeof(isakmp_index));
+ if (data)
+ memcpy((caddr_t)(n + 1) + spisiz, data->v, data->l);
+
+ error = isakmp_info_send_common(iph1, payload, ISAKMP_NPTYPE_N, iph1->flags);
+ vfree(payload);
+
+ return error;
+}
+
+/*
+ * send Notification payload (for IPsec SA) in Informational exchange
+ */
+int
+isakmp_info_send_n2(iph2, type, data)
+ struct ph2handle *iph2;
+ int type;
+ vchar_t *data;
+{
+ struct ph1handle *iph1 = iph2->ph1;
+ vchar_t *payload = NULL;
+ int tlen;
+ int error = 0;
+ struct isakmp_pl_n *n;
+ struct saproto *pr;
+
+ if (!iph2->approval)
+ return EINVAL;
+
+ pr = iph2->approval->head;
+
+ /* XXX must be get proper spi */
+ tlen = sizeof(*n) + pr->spisize;
+ if (data)
+ tlen += data->l;
+ payload = vmalloc(tlen);
+ if (payload == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "failed to get buffer to send.\n");
+ return errno;
+ }
+
+ n = (struct isakmp_pl_n *)payload->v;
+ n->h.np = ISAKMP_NPTYPE_NONE;
+ n->h.len = htons(tlen);
+ n->doi = htonl(IPSEC_DOI); /* IPSEC DOI (1) */
+ n->proto_id = pr->proto_id; /* IPSEC AH/ESP/whatever*/
+ n->spi_size = pr->spisize;
+ n->type = htons(type);
+ *(u_int32_t *)(n + 1) = pr->spi;
+ if (data)
+ memcpy((caddr_t)(n + 1) + pr->spisize, data->v, data->l);
+
+ iph2->flags |= ISAKMP_FLAG_E; /* XXX Should we do FLAG_A ? */
+ error = isakmp_info_send_common(iph1, payload, ISAKMP_NPTYPE_N, iph2->flags);
+ vfree(payload);
+
+ return error;
+}
+
+/*
+ * send Information
+ * When ph1->skeyid_a == NULL, send message without encoding.
+ */
+int
+isakmp_info_send_common(iph1, payload, np, flags)
+ struct ph1handle *iph1;
+ vchar_t *payload;
+ u_int32_t np;
+ int flags;
+{
+ struct ph2handle *iph2 = NULL;
+ vchar_t *hash = NULL;
+ struct isakmp *isakmp;
+ struct isakmp_gen *gen;
+ char *p;
+ int tlen;
+ int error = -1;
+
+ /* add new entry to isakmp status table */
+ iph2 = newph2();
+ if (iph2 == NULL)
+ goto end;
+
+ iph2->dst = dupsaddr(iph1->remote);
+ if (iph2->dst == NULL) {
+ delph2(iph2);
+ goto end;
+ }
+ iph2->src = dupsaddr(iph1->local);
+ if (iph2->src == NULL) {
+ delph2(iph2);
+ goto end;
+ }
+ iph2->side = INITIATOR;
+ iph2->status = PHASE2ST_START;
+ iph2->msgid = isakmp_newmsgid2(iph1);
+
+ /* get IV and HASH(1) if skeyid_a was generated. */
+ if (iph1->skeyid_a != NULL) {
+ iph2->ivm = oakley_newiv2(iph1, iph2->msgid);
+ if (iph2->ivm == NULL) {
+ delph2(iph2);
+ goto end;
+ }
+
+ /* generate HASH(1) */
+ hash = oakley_compute_hash1(iph1, iph2->msgid, payload);
+ if (hash == NULL) {
+ delph2(iph2);
+ goto end;
+ }
+
+ /* initialized total buffer length */
+ tlen = hash->l;
+ tlen += sizeof(*gen);
+ } else {
+ /* IKE-SA is not established */
+ hash = NULL;
+
+ /* initialized total buffer length */
+ tlen = 0;
+ }
+ if ((flags & ISAKMP_FLAG_A) == 0)
+ iph2->flags = (hash == NULL ? 0 : ISAKMP_FLAG_E);
+ else
+ iph2->flags = (hash == NULL ? 0 : ISAKMP_FLAG_A);
+
+ insph2(iph2);
+ bindph12(iph1, iph2);
+
+ tlen += sizeof(*isakmp) + payload->l;
+
+ /* create buffer for isakmp payload */
+ iph2->sendbuf = vmalloc(tlen);
+ if (iph2->sendbuf == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "failed to get buffer to send.\n");
+ goto err;
+ }
+
+ /* create isakmp header */
+ isakmp = (struct isakmp *)iph2->sendbuf->v;
+ memcpy(&isakmp->i_ck, &iph1->index.i_ck, sizeof(cookie_t));
+ memcpy(&isakmp->r_ck, &iph1->index.r_ck, sizeof(cookie_t));
+ isakmp->np = hash == NULL ? (np & 0xff) : ISAKMP_NPTYPE_HASH;
+ isakmp->v = iph1->version;
+ isakmp->etype = ISAKMP_ETYPE_INFO;
+ isakmp->flags = iph2->flags;
+ memcpy(&isakmp->msgid, &iph2->msgid, sizeof(isakmp->msgid));
+ isakmp->len = htonl(tlen);
+ p = (char *)(isakmp + 1);
+
+ /* create HASH payload */
+ if (hash != NULL) {
+ gen = (struct isakmp_gen *)p;
+ gen->np = np & 0xff;
+ gen->len = htons(sizeof(*gen) + hash->l);
+ p += sizeof(*gen);
+ memcpy(p, hash->v, hash->l);
+ p += hash->l;
+ }
+
+ /* add payload */
+ memcpy(p, payload->v, payload->l);
+ p += payload->l;
+
+#ifdef HAVE_PRINT_ISAKMP_C
+ isakmp_printpacket(iph2->sendbuf, iph1->local, iph1->remote, 1);
+#endif
+
+ /* encoding */
+ if (ISSET(isakmp->flags, ISAKMP_FLAG_E)) {
+ vchar_t *tmp;
+
+ tmp = oakley_do_encrypt(iph2->ph1, iph2->sendbuf, iph2->ivm->ive,
+ iph2->ivm->iv);
+ VPTRINIT(iph2->sendbuf);
+ if (tmp == NULL)
+ goto err;
+ iph2->sendbuf = tmp;
+ }
+
+ /* HDR*, HASH(1), N */
+ if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0) {
+ VPTRINIT(iph2->sendbuf);
+ goto err;
+ }
+
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "sendto Information %s.\n", s_isakmp_nptype(np));
+
+ /*
+ * don't resend notify message because peer can use Acknowledged
+ * Informational if peer requires the reply of the notify message.
+ */
+
+ /* XXX If Acknowledged Informational required, don't delete ph2handle */
+ error = 0;
+ VPTRINIT(iph2->sendbuf);
+ goto err; /* XXX */
+
+end:
+ if (hash)
+ vfree(hash);
+ return error;
+
+err:
+ remph2(iph2);
+ delph2(iph2);
+ goto end;
+}
+
+/*
+ * add a notify payload to buffer by reallocating buffer.
+ * If buf == NULL, the function only create a notify payload.
+ *
+ * XXX Which is SPI to be included, inbound or outbound ?
+ */
+vchar_t *
+isakmp_add_pl_n(buf0, np_p, type, pr, data)
+ vchar_t *buf0;
+ u_int8_t **np_p;
+ int type;
+ struct saproto *pr;
+ vchar_t *data;
+{
+ vchar_t *buf = NULL;
+ struct isakmp_pl_n *n;
+ int tlen;
+ int oldlen = 0;
+
+ if (*np_p)
+ **np_p = ISAKMP_NPTYPE_N;
+
+ tlen = sizeof(*n) + pr->spisize;
+
+ if (data)
+ tlen += data->l;
+ if (buf0) {
+ oldlen = buf0->l;
+ buf = vrealloc(buf0, buf0->l + tlen);
+ } else
+ buf = vmalloc(tlen);
+ if (!buf) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "failed to get a payload buffer.\n");
+ return NULL;
+ }
+
+ n = (struct isakmp_pl_n *)(buf->v + oldlen);
+ n->h.np = ISAKMP_NPTYPE_NONE;
+ n->h.len = htons(tlen);
+ n->doi = htonl(IPSEC_DOI); /* IPSEC DOI (1) */
+ n->proto_id = pr->proto_id; /* IPSEC AH/ESP/whatever*/
+ n->spi_size = pr->spisize;
+ n->type = htons(type);
+ *(u_int32_t *)(n + 1) = pr->spi; /* XXX */
+ if (data)
+ memcpy((caddr_t)(n + 1) + pr->spisize, data->v, data->l);
+
+ /* save the pointer of next payload type */
+ *np_p = &n->h.np;
+
+ return buf;
+}
+
+static void
+purge_isakmp_spi(proto, spi, n)
+ int proto;
+ isakmp_index *spi; /*network byteorder*/
+ size_t n;
+{
+ struct ph1handle *iph1;
+ size_t i;
+
+ for (i = 0; i < n; i++) {
+ iph1 = getph1byindex(&spi[i]);
+ if (!iph1)
+ continue;
+
+ plog(LLV_INFO, LOCATION, NULL,
+ "purged ISAKMP-SA proto_id=%s spi=%s.\n",
+ s_ipsecdoi_proto(proto),
+ isakmp_pindex(&spi[i], 0));
+
+ iph1->status = PHASE1ST_EXPIRED;
+ isakmp_ph1delete(iph1);
+ }
+}
+
+
+
+void
+purge_ipsec_spi(dst0, proto, spi, n)
+ struct sockaddr *dst0;
+ int proto;
+ u_int32_t *spi; /*network byteorder*/
+ size_t n;
+{
+ vchar_t *buf = NULL;
+ struct sadb_msg *msg, *next, *end;
+ struct sadb_sa *sa;
+ struct sadb_lifetime *lt;
+ struct sockaddr *src, *dst;
+ struct ph2handle *iph2;
+ u_int64_t created;
+ size_t i;
+ caddr_t mhp[SADB_EXT_MAX + 1];
+ unsigned num_purged = 0;
+
+ plog(LLV_DEBUG2, LOCATION, NULL,
+ "purge_ipsec_spi:\n");
+ plog(LLV_DEBUG2, LOCATION, NULL, "dst0: %s\n", saddr2str(dst0));
+ plog(LLV_DEBUG2, LOCATION, NULL, "SPI: %08X\n", ntohl(spi[0]));
+
+ buf = pfkey_dump_sadb(ipsecdoi2pfkey_proto(proto));
+ if (buf == NULL) {
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "pfkey_dump_sadb returned nothing.\n");
+ return;
+ }
+
+ msg = (struct sadb_msg *)buf->v;
+ end = (struct sadb_msg *)(buf->v + buf->l);
+
+ while (msg < end) {
+ if ((msg->sadb_msg_len << 3) < sizeof(*msg))
+ break;
+ next = (struct sadb_msg *)((caddr_t)msg + (msg->sadb_msg_len << 3));
+ if (msg->sadb_msg_type != SADB_DUMP) {
+ msg = next;
+ continue;
+ }
+
+ if (pfkey_align(msg, mhp) || pfkey_check(mhp)) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "pfkey_check (%s)\n", ipsec_strerror());
+ msg = next;
+ continue;
+ }
+
+ sa = (struct sadb_sa *)(mhp[SADB_EXT_SA]);
+ if (!sa
+ || !mhp[SADB_EXT_ADDRESS_SRC]
+ || !mhp[SADB_EXT_ADDRESS_DST]) {
+ msg = next;
+ continue;
+ }
+ pk_fixup_sa_addresses(mhp);
+ src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
+ dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
+ lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD];
+ if(lt != NULL)
+ created = lt->sadb_lifetime_addtime;
+ else
+ created = 0;
+
+ if (sa->sadb_sa_state != SADB_SASTATE_MATURE
+ && sa->sadb_sa_state != SADB_SASTATE_DYING) {
+ msg = next;
+ continue;
+ }
+
+ plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str(src));
+ plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str(dst));
+ plog(LLV_DEBUG2, LOCATION, NULL, "spi: %u\n", ntohl(sa->sadb_sa_spi));
+
+ /* XXX n^2 algorithm, inefficient */
+
+ /* don't delete inbound SAs at the moment */
+ /* XXX should we remove SAs with opposite direction as well? */
+ if (cmpsaddr(dst0, dst) != CMPSADDR_MATCH) {
+ msg = next;
+ continue;
+ }
+
+ for (i = 0; i < n; i++) {
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "check spi(packet)=%u spi(db)=%u.\n",
+ ntohl(spi[i]), ntohl(sa->sadb_sa_spi));
+ if (spi[i] != sa->sadb_sa_spi)
+ continue;
+
+ pfkey_send_delete(lcconf->sock_pfkey,
+ msg->sadb_msg_satype,
+ IPSEC_MODE_ANY,
+ src, dst, sa->sadb_sa_spi);
+
+ /*
+ * delete a relative phase 2 handler.
+ * continue to process if no relative phase 2 handler
+ * exists.
+ */
+ iph2 = getph2bysaidx(src, dst, proto, spi[i]);
+ if(iph2 != NULL){
+ delete_spd(iph2, created);
+ remph2(iph2);
+ delph2(iph2);
+ }
+
+ plog(LLV_INFO, LOCATION, NULL,
+ "purged IPsec-SA proto_id=%s spi=%u.\n",
+ s_ipsecdoi_proto(proto),
+ ntohl(spi[i]));
+ num_purged++;
+ }
+
+ msg = next;
+ }
+
+ if (buf)
+ vfree(buf);
+
+ plog(LLV_DEBUG, LOCATION, NULL, "purged %u SAs.\n", num_purged);
+}
+
+/*
+ * delete all phase2 sa relatived to the destination address
+ * (except the phase2 within which the INITIAL-CONTACT was received).
+ * Don't delete Phase 1 handlers on INITIAL-CONTACT, and don't ignore
+ * an INITIAL-CONTACT if we have contacted the peer. This matches the
+ * Sun IKE behavior, and makes rekeying work much better when the peer
+ * restarts.
+ */
+int
+isakmp_info_recv_initialcontact(iph1, protectedph2)
+ struct ph1handle *iph1;
+ struct ph2handle *protectedph2;
+{
+ vchar_t *buf = NULL;
+ struct sadb_msg *msg, *next, *end;
+ struct sadb_sa *sa;
+ struct sockaddr *src, *dst;
+ caddr_t mhp[SADB_EXT_MAX + 1];
+ int proto_id, i;
+ struct ph2handle *iph2;
+#if 0
+ char *loc, *rem;
+#endif
+
+ plog(LLV_INFO, LOCATION, iph1->remote, "received INITIAL-CONTACT\n");
+
+ if (f_local)
+ return 0;
+
+#if 0
+ loc = racoon_strdup(saddrwop2str(iph1->local));
+ rem = racoon_strdup(saddrwop2str(iph1->remote));
+ STRDUP_FATAL(loc);
+ STRDUP_FATAL(rem);
+
+ /*
+ * Purge all IPSEC-SAs for the peer. We can do this
+ * the easy way (using a PF_KEY SADB_DELETE extension)
+ * or we can do it the hard way.
+ */
+ for (i = 0; i < pfkey_nsatypes; i++) {
+ proto_id = pfkey2ipsecdoi_proto(pfkey_satypes[i].ps_satype);
+
+ plog(LLV_INFO, LOCATION, NULL,
+ "purging %s SAs for %s -> %s\n",
+ pfkey_satypes[i].ps_name, loc, rem);
+ if (pfkey_send_delete_all(lcconf->sock_pfkey,
+ pfkey_satypes[i].ps_satype, IPSEC_MODE_ANY,
+ iph1->local, iph1->remote) == -1) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "delete_all %s -> %s failed for %s (%s)\n",
+ loc, rem,
+ pfkey_satypes[i].ps_name, ipsec_strerror());
+ goto the_hard_way;
+ }
+
+ deleteallph2(iph1->local, iph1->remote, proto_id);
+
+ plog(LLV_INFO, LOCATION, NULL,
+ "purging %s SAs for %s -> %s\n",
+ pfkey_satypes[i].ps_name, rem, loc);
+ if (pfkey_send_delete_all(lcconf->sock_pfkey,
+ pfkey_satypes[i].ps_satype, IPSEC_MODE_ANY,
+ iph1->remote, iph1->local) == -1) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "delete_all %s -> %s failed for %s (%s)\n",
+ rem, loc,
+ pfkey_satypes[i].ps_name, ipsec_strerror());
+ goto the_hard_way;
+ }
+
+ deleteallph2(iph1->remote, iph1->local, proto_id);
+ }
+
+ racoon_free(loc);
+ racoon_free(rem);
+ return 0;
+
+ the_hard_way:
+ racoon_free(loc);
+ racoon_free(rem);
+#endif
+
+ buf = pfkey_dump_sadb(SADB_SATYPE_UNSPEC);
+ if (buf == NULL) {
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "pfkey_dump_sadb returned nothing.\n");
+ return 0;
+ }
+
+ msg = (struct sadb_msg *)buf->v;
+ end = (struct sadb_msg *)(buf->v + buf->l);
+
+ for (; msg < end; msg = next) {
+ if ((msg->sadb_msg_len << 3) < sizeof(*msg))
+ break;
+
+ next = (struct sadb_msg *)((caddr_t)msg + (msg->sadb_msg_len << 3));
+ if (msg->sadb_msg_type != SADB_DUMP)
+ continue;
+
+ if (pfkey_align(msg, mhp) || pfkey_check(mhp)) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "pfkey_check (%s)\n", ipsec_strerror());
+ continue;
+ }
+
+ if (mhp[SADB_EXT_SA] == NULL
+ || mhp[SADB_EXT_ADDRESS_SRC] == NULL
+ || mhp[SADB_EXT_ADDRESS_DST] == NULL)
+ continue;
+
+ sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
+ pk_fixup_sa_addresses(mhp);
+ src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
+ dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
+
+ if (sa->sadb_sa_state != SADB_SASTATE_MATURE
+ && sa->sadb_sa_state != SADB_SASTATE_DYING)
+ continue;
+
+ /*
+ * RFC2407 4.6.3.3 INITIAL-CONTACT is the message that
+ * announces the sender of the message was rebooted.
+ * it is interpreted to delete all SAs which source address
+ * is the sender of the message.
+ * racoon only deletes SA which is matched both the
+ * source address and the destination accress.
+ */
+
+ /*
+ * Check that the IP and port match. But this is not optimal,
+ * since NAT-T can make the peer have multiple different
+ * ports. Correct thing to do is delete all entries with
+ * same identity. -TT
+ */
+ if ((cmpsaddr(iph1->local, src) != CMPSADDR_MATCH ||
+ cmpsaddr(iph1->remote, dst) != CMPSADDR_MATCH) &&
+ (cmpsaddr(iph1->local, dst) != CMPSADDR_MATCH ||
+ cmpsaddr(iph1->remote, src) != CMPSADDR_MATCH))
+ continue;
+
+ /*
+ * Make sure this is an SATYPE that we manage.
+ * This is gross; too bad we couldn't do it the
+ * easy way.
+ */
+ for (i = 0; i < pfkey_nsatypes; i++) {
+ if (pfkey_satypes[i].ps_satype ==
+ msg->sadb_msg_satype)
+ break;
+ }
+ if (i == pfkey_nsatypes)
+ continue;
+
+ plog(LLV_INFO, LOCATION, NULL,
+ "purging spi=%u.\n", ntohl(sa->sadb_sa_spi));
+ pfkey_send_delete(lcconf->sock_pfkey,
+ msg->sadb_msg_satype,
+ IPSEC_MODE_ANY, src, dst, sa->sadb_sa_spi);
+
+ /*
+ * delete a relative phase 2 handler.
+ * continue to process if no relative phase 2 handler
+ * exists.
+ */
+ proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype);
+ iph2 = getph2bysaidx(src, dst, proto_id, sa->sadb_sa_spi);
+ if (iph2 && iph2 != protectedph2) {
+ delete_spd(iph2, 0);
+ remph2(iph2);
+ delph2(iph2);
+ }
+ }
+
+ vfree(buf);
+ return 0;
+}
+
+
+#ifdef ENABLE_DPD
+static int
+isakmp_info_recv_r_u (iph1, ru, msgid)
+ struct ph1handle *iph1;
+ struct isakmp_pl_ru *ru;
+ u_int32_t msgid;
+{
+ struct isakmp_pl_ru *ru_ack;
+ vchar_t *payload = NULL;
+ int tlen;
+ int error = 0;
+
+ plog(LLV_DEBUG, LOCATION, iph1->remote,
+ "DPD R-U-There received\n");
+
+ /* XXX should compare cookies with iph1->index?
+ Or is this already done by calling function? */
+ tlen = sizeof(*ru_ack);
+ payload = vmalloc(tlen);
+ if (payload == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "failed to get buffer to send.\n");
+ return errno;
+ }
+
+ ru_ack = (struct isakmp_pl_ru *)payload->v;
+ ru_ack->h.np = ISAKMP_NPTYPE_NONE;
+ ru_ack->h.len = htons(tlen);
+ ru_ack->doi = htonl(IPSEC_DOI);
+ ru_ack->type = htons(ISAKMP_NTYPE_R_U_THERE_ACK);
+ ru_ack->proto_id = IPSECDOI_PROTO_ISAKMP; /* XXX ? */
+ ru_ack->spi_size = sizeof(isakmp_index);
+ memcpy(ru_ack->i_ck, ru->i_ck, sizeof(cookie_t));
+ memcpy(ru_ack->r_ck, ru->r_ck, sizeof(cookie_t));
+ ru_ack->data = ru->data;
+
+ /* XXX Should we do FLAG_A ? */
+ error = isakmp_info_send_common(iph1, payload, ISAKMP_NPTYPE_N,
+ ISAKMP_FLAG_E);
+ vfree(payload);
+
+ plog(LLV_DEBUG, LOCATION, NULL, "received a valid R-U-THERE, ACK sent\n");
+
+ /* Should we mark tunnel as active ? */
+ return error;
+}
+
+static int
+isakmp_info_recv_r_u_ack (iph1, ru, msgid)
+ struct ph1handle *iph1;
+ struct isakmp_pl_ru *ru;
+ u_int32_t msgid;
+{
+ u_int32_t seq;
+
+ plog(LLV_DEBUG, LOCATION, iph1->remote,
+ "DPD R-U-There-Ack received\n");
+
+ seq = ntohl(ru->data);
+ if (seq <= iph1->dpd_last_ack || seq > iph1->dpd_seq) {
+ plog(LLV_ERROR, LOCATION, iph1->remote,
+ "Wrong DPD sequence number (%d; last_ack=%d, seq=%d).\n",
+ seq, iph1->dpd_last_ack, iph1->dpd_seq);
+ return 0;
+ }
+
+ /* accept cookies in original or reversed order */
+ if ((memcmp(ru->i_ck, iph1->index.i_ck, sizeof(cookie_t)) ||
+ memcmp(ru->r_ck, iph1->index.r_ck, sizeof(cookie_t))) &&
+ (memcmp(ru->r_ck, iph1->index.i_ck, sizeof(cookie_t)) ||
+ memcmp(ru->i_ck, iph1->index.r_ck, sizeof(cookie_t)))) {
+ plog(LLV_ERROR, LOCATION, iph1->remote,
+ "Cookie mismatch in DPD ACK!.\n");
+ return 0;
+ }
+
+ iph1->dpd_fails = 0;
+ iph1->dpd_last_ack = seq;
+ sched_cancel(&iph1->dpd_r_u);
+ isakmp_sched_r_u(iph1, 0);
+
+ plog(LLV_DEBUG, LOCATION, iph1->remote, "received an R-U-THERE-ACK\n");
+
+ return 0;
+}
+
+
+
+
+/*
+ * send DPD R-U-THERE payload in Informational exchange.
+ */
+static void
+isakmp_info_send_r_u(sc)
+ struct sched *sc;
+{
+ struct ph1handle *iph1 = container_of(sc, struct ph1handle, dpd_r_u);
+
+ /* create R-U-THERE payload */
+ struct isakmp_pl_ru *ru;
+ vchar_t *payload = NULL;
+ int tlen;
+ int error = 0;
+
+ plog(LLV_DEBUG, LOCATION, iph1->remote, "DPD monitoring....\n");
+
+ if (iph1->status == PHASE1ST_EXPIRED) {
+ /* This can happen after removing tunnels from the
+ * config file and then reloading.
+ * Such iph1 have rmconf=NULL, so return before the if
+ * block below.
+ */
+ return;
+ }
+
+ if (iph1->dpd_fails >= iph1->rmconf->dpd_maxfails) {
+
+ plog(LLV_INFO, LOCATION, iph1->remote,
+ "DPD: remote (ISAKMP-SA spi=%s) seems to be dead.\n",
+ isakmp_pindex(&iph1->index, 0));
+
+ script_hook(iph1, SCRIPT_PHASE1_DEAD);
+ evt_phase1(iph1, EVT_PHASE1_DPD_TIMEOUT, NULL);
+ purge_remote(iph1);
+
+ /* Do not reschedule here: phase1 is deleted,
+ * DPD will be reactivated when a new ph1 will be negociated
+ */
+ return;
+ }
+
+ /* TODO: check recent activity to avoid useless sends... */
+
+ tlen = sizeof(*ru);
+ payload = vmalloc(tlen);
+ if (payload == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "failed to get buffer for payload.\n");
+ return;
+ }
+ ru = (struct isakmp_pl_ru *)payload->v;
+ ru->h.np = ISAKMP_NPTYPE_NONE;
+ ru->h.len = htons(tlen);
+ ru->doi = htonl(IPSEC_DOI);
+ ru->type = htons(ISAKMP_NTYPE_R_U_THERE);
+ ru->proto_id = IPSECDOI_PROTO_ISAKMP; /* XXX ?*/
+ ru->spi_size = sizeof(isakmp_index);
+
+ memcpy(ru->i_ck, iph1->index.i_ck, sizeof(cookie_t));
+ memcpy(ru->r_ck, iph1->index.r_ck, sizeof(cookie_t));
+
+ if (iph1->dpd_seq == 0) {
+ /* generate a random seq which is not too big */
+ iph1->dpd_seq = iph1->dpd_last_ack = rand() & 0x0fff;
+ }
+
+ iph1->dpd_seq++;
+ iph1->dpd_fails++;
+ ru->data = htonl(iph1->dpd_seq);
+
+ error = isakmp_info_send_common(iph1, payload, ISAKMP_NPTYPE_N, 0);
+ vfree(payload);
+
+ plog(LLV_DEBUG, LOCATION, iph1->remote,
+ "DPD R-U-There sent (%d)\n", error);
+
+ /* Reschedule the r_u_there with a short delay,
+ * will be deleted/rescheduled if ACK received before */
+ isakmp_sched_r_u(iph1, 1);
+
+ plog(LLV_DEBUG, LOCATION, iph1->remote,
+ "rescheduling send_r_u (%d).\n", iph1->rmconf->dpd_retry);
+}
+
+/* Schedule a new R-U-THERE */
+int
+isakmp_sched_r_u(iph1, retry)
+ struct ph1handle *iph1;
+ int retry;
+{
+ if(iph1 == NULL ||
+ iph1->rmconf == NULL)
+ return 1;
+
+
+ if(iph1->dpd_support == 0 ||
+ iph1->rmconf->dpd_interval == 0)
+ return 0;
+
+ if(retry)
+ sched_schedule(&iph1->dpd_r_u, iph1->rmconf->dpd_retry,
+ isakmp_info_send_r_u);
+ else
+ sched_schedule(&iph1->dpd_r_u, iph1->rmconf->dpd_interval,
+ isakmp_info_send_r_u);
+
+ return 0;
+}
+#endif
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-04 04:14:33 +0000