xref: /external/ipsec-tools/src/racoon/isakmp.c

/*	$NetBSD: isakmp.c,v 1.20.6.13 2008/09/25 09:34:39 vanhu Exp $	*/

/* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */

/*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the project nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include "config.h"

#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <sys/queue.h>

#include <netinet/in.h>
#include <arpa/inet.h>

#include PATH_IPSEC_H

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>
#if TIME_WITH_SYS_TIME
# include <sys/time.h>
# include <time.h>
#else
# if HAVE_SYS_TIME_H
#  include <sys/time.h>
# else
#  include <time.h>
# endif
#endif
#include <netdb.h>
#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif
#include <ctype.h>
#ifdef ENABLE_HYBRID
#include <resolv.h>
#endif

#include "var.h"
#include "misc.h"
#include "vmbuf.h"
#include "plog.h"
#include "sockmisc.h"
#include "schedule.h"
#include "debug.h"

#include "remoteconf.h"
#include "localconf.h"
#include "grabmyaddr.h"
#include "admin.h"
#include "privsep.h"
#include "isakmp_var.h"
#include "isakmp.h"
#include "oakley.h"
#include "evt.h"
#include "handler.h"
#include "ipsec_doi.h"
#include "pfkey.h"
#include "crypto_openssl.h"
#include "policy.h"
#include "isakmp_ident.h"
#include "isakmp_agg.h"
#include "isakmp_base.h"
#include "isakmp_quick.h"
#include "isakmp_inf.h"
#include "isakmp_newg.h"
#ifdef ENABLE_HYBRID
#include "vendorid.h"
#include "isakmp_xauth.h"
#include "isakmp_unity.h"
#include "isakmp_cfg.h"
#endif
#ifdef ENABLE_FRAG
#include "isakmp_frag.h"
#endif
#include "strnames.h"

#include <fcntl.h>

#ifdef ENABLE_NATT
# include "nattraversal.h"
#endif
# ifdef __linux__
#  include <linux/udp.h>
#  include <linux/ip.h>
#  ifndef SOL_UDP
#   define SOL_UDP 17
#  endif
#ifdef ANDROID_CHANGES
#define __linux
#endif
# endif /* __linux__ */
# if defined(__NetBSD__) || defined(__FreeBSD__) ||	\
  (defined(__APPLE__) && defined(__MACH__))
#  include <netinet/in.h>
#  include <netinet/udp.h>
#  include <netinet/in_systm.h>
#  include <netinet/ip.h>
#  define SOL_UDP IPPROTO_UDP
# endif /* __NetBSD__ / __FreeBSD__ */

static int nostate1 __P((struct ph1handle *, vchar_t *));
static int nostate2 __P((struct ph2handle *, vchar_t *));

extern caddr_t val2str(const char *, size_t);

static int (*ph1exchange[][2][PHASE1ST_MAX])
	__P((struct ph1handle *, vchar_t *)) = {
 /* error */
 { {}, {}, },
 /* Identity Protection exchange */
 {
  { nostate1, ident_i1send, nostate1, ident_i2recv, ident_i2send,
    ident_i3recv, ident_i3send, ident_i4recv, ident_i4send, nostate1, },
  { nostate1, ident_r1recv, ident_r1send, ident_r2recv, ident_r2send,
    ident_r3recv, ident_r3send, nostate1, nostate1, nostate1, },
 },
 /* Aggressive exchange */
 {
  { nostate1, agg_i1send, nostate1, agg_i2recv, agg_i2send,
    nostate1, nostate1, nostate1, nostate1, nostate1, },
  { nostate1, agg_r1recv, agg_r1send, agg_r2recv, agg_r2send,
    nostate1, nostate1, nostate1, nostate1, nostate1, },
 },
 /* Base exchange */
 {
  { nostate1, base_i1send, nostate1, base_i2recv, base_i2send,
    base_i3recv, base_i3send, nostate1, nostate1, nostate1, },
  { nostate1, base_r1recv, base_r1send, base_r2recv, base_r2send,
    nostate1, nostate1, nostate1, nostate1, nostate1, },
 },
};

static int (*ph2exchange[][2][PHASE2ST_MAX])
	__P((struct ph2handle *, vchar_t *)) = {
 /* error */
 { {}, {}, },
 /* Quick mode for IKE */
 {
  { nostate2, nostate2, quick_i1prep, nostate2, quick_i1send,
    quick_i2recv, quick_i2send, quick_i3recv, nostate2, nostate2, },
  { nostate2, quick_r1recv, quick_r1prep, nostate2, quick_r2send,
    quick_r3recv, quick_r3prep, quick_r3send, nostate2, nostate2, }
 },
};

static u_char r_ck0[] = { 0,0,0,0,0,0,0,0 }; /* used to verify the r_ck. */

static int isakmp_main __P((vchar_t *, struct sockaddr *, struct sockaddr *));
static int ph1_main __P((struct ph1handle *, vchar_t *));
static int quick_main __P((struct ph2handle *, vchar_t *));
static int isakmp_ph1begin_r __P((vchar_t *,
	struct sockaddr *, struct sockaddr *, u_int8_t));
static int isakmp_ph2begin_i __P((struct ph1handle *, struct ph2handle *));
static int isakmp_ph2begin_r __P((struct ph1handle *, vchar_t *));
static int etypesw1 __P((int));
static int etypesw2 __P((int));
#ifdef ENABLE_FRAG
static int frag_handler(struct ph1handle *,
    vchar_t *, struct sockaddr *, struct sockaddr *);
#endif

/*
 * isakmp packet handler
 */
int
isakmp_handler(so_isakmp)
	int so_isakmp;
{
	struct isakmp isakmp;
	union {
		char		buf[sizeof (isakmp) + 4];
		u_int32_t	non_esp[2];
		char		lbuf[sizeof(struct udphdr) +
#ifdef __linux
				     sizeof(struct iphdr) +
#else
				     sizeof(struct ip) +
#endif
				     sizeof(isakmp) + 4];
	} x;
	struct sockaddr_storage remote;
	struct sockaddr_storage local;
	unsigned int remote_len = sizeof(remote);
	unsigned int local_len = sizeof(local);
	int len = 0, extralen = 0;
	vchar_t *buf = NULL, *tmpbuf = NULL;
	int error = -1, res;

	/* read message by MSG_PEEK */
	while ((len = recvfromto(so_isakmp, x.buf, sizeof(x),
		    MSG_PEEK, (struct sockaddr *)&remote, &remote_len,
		    (struct sockaddr *)&local, &local_len)) < 0) {
		if (errno == EINTR)
			continue;
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to receive isakmp packet: %s\n",
			strerror (errno));
		goto end;
	}

	/* keep-alive packet - ignore */
	if (len == 1 && (x.buf[0]&0xff) == 0xff) {
		/* Pull the keep-alive packet */
		if ((len = recvfrom(so_isakmp, (char *)x.buf, 1,
		    0, (struct sockaddr *)&remote, &remote_len)) != 1) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "failed to receive keep alive packet: %s\n",
			    strerror (errno));
		}
		goto end;
	}

	/* Lucent IKE in UDP encapsulation */
	{
		struct udphdr *udp;
#ifdef __linux__
		struct iphdr *ip;

		udp = (struct udphdr *)&x.lbuf[0];
		if (ntohs(udp->dest) == 501) {
			ip = (struct iphdr *)(x.lbuf + sizeof(*udp));
			extralen += sizeof(*udp) + ip->ihl;
		}
#else
		struct ip *ip;

		udp = (struct udphdr *)&x.lbuf[0];
		if (ntohs(udp->uh_dport) == 501) {
			ip = (struct ip *)(x.lbuf + sizeof(*udp));
			extralen += sizeof(*udp) + ip->ip_hl;
		}
#endif
	}

#ifdef ENABLE_NATT
	/* we don't know about portchange yet,
	   look for non-esp marker instead */
	if (x.non_esp[0] == 0 && x.non_esp[1] != 0)
		extralen = NON_ESP_MARKER_LEN;
#endif

	/* now we know if there is an extra non-esp
	   marker at the beginning or not */
	memcpy ((char *)&isakmp, x.buf + extralen, sizeof (isakmp));

	/* check isakmp header length, as well as sanity of header length */
	if (len < sizeof(isakmp) || ntohl(isakmp.len) < sizeof(isakmp)) {
		plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
			"packet shorter than isakmp header size (%u, %u, %zu)\n",
			len, ntohl(isakmp.len), sizeof(isakmp));
		/* dummy receive */
		if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp),
			    0, (struct sockaddr *)&remote, &remote_len)) < 0) {
			plog(LLV_ERROR, LOCATION, NULL,
				"failed to receive isakmp packet: %s\n",
				strerror (errno));
		}
		goto end;
	}

	/* reject it if the size is tooooo big. */
	if (ntohl(isakmp.len) > 0xffff) {
		plog(LLV_ERROR, LOCATION, NULL,
			"the length in the isakmp header is too big.\n");
		if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp),
			    0, (struct sockaddr *)&remote, &remote_len)) < 0) {
			plog(LLV_ERROR, LOCATION, NULL,
				"failed to receive isakmp packet: %s\n",
				strerror (errno));
		}
		goto end;
	}

	/* read real message */
	if ((tmpbuf = vmalloc(ntohl(isakmp.len) + extralen)) == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to allocate reading buffer (%u Bytes)\n",
			ntohl(isakmp.len) + extralen);
		/* dummy receive */
		if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp),
			    0, (struct sockaddr *)&remote, &remote_len)) < 0) {
			plog(LLV_ERROR, LOCATION, NULL,
				"failed to receive isakmp packet: %s\n",
				strerror (errno));
		}
		goto end;
	}

	while ((len = recvfromto(so_isakmp, (char *)tmpbuf->v, tmpbuf->l,
	                    0, (struct sockaddr *)&remote, &remote_len,
	                    (struct sockaddr *)&local, &local_len)) < 0) {
		if (errno == EINTR)
			continue;
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to receive isakmp packet: %s\n",
			strerror (errno));
		goto end;
	}

	if ((buf = vmalloc(len - extralen)) == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to allocate reading buffer (%u Bytes)\n",
			(len - extralen));
		goto end;
	}

	memcpy (buf->v, tmpbuf->v + extralen, buf->l);

	len -= extralen;

	if (len != buf->l) {
		plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
			"received invalid length (%d != %zu), why ?\n",
			len, buf->l);
		goto end;
	}

	plog(LLV_DEBUG, LOCATION, NULL, "===\n");
	plog(LLV_DEBUG, LOCATION, NULL,
		"%d bytes message received %s\n",
		len, saddr2str_fromto("from %s to %s",
			(struct sockaddr *)&remote,
			(struct sockaddr *)&local));
	plogdump(LLV_DEBUG, buf->v, buf->l);

	/* avoid packets with malicious port/address */
	if (extract_port((struct sockaddr *)&remote) == 0) {
		plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
			"src port == 0 (valid as UDP but not with IKE)\n");
		goto end;
	}

	/* XXX: check sender whether to be allowed or not to accept */

	/* XXX: I don't know how to check isakmp half connection attack. */

	/* simply reply if the packet was processed. */
	res=check_recvdpkt((struct sockaddr *)&remote,(struct sockaddr *)&local, buf);
	if (res) {
		plog(LLV_NOTIFY, LOCATION, NULL,
			"the packet is retransmitted by %s (%d).\n",
			 saddr2str((struct sockaddr *)&remote), res);
		error = 0;
		goto end;
	}

	/* isakmp main routine */
	if (isakmp_main(buf, (struct sockaddr *)&remote,
			(struct sockaddr *)&local) != 0) goto end;

	error = 0;

end:
	if (tmpbuf != NULL)
		vfree(tmpbuf);
	if (buf != NULL)
		vfree(buf);

	return(error);
}

/*
 * main processing to handle isakmp payload
 */
static int
isakmp_main(msg, remote, local)
	vchar_t *msg;
	struct sockaddr *remote, *local;
{
	struct isakmp *isakmp = (struct isakmp *)msg->v;
	isakmp_index *index = (isakmp_index *)isakmp;
	u_int32_t msgid = isakmp->msgid;
	struct ph1handle *iph1;

#ifdef HAVE_PRINT_ISAKMP_C
	isakmp_printpacket(msg, remote, local, 0);
#endif

	/* the initiator's cookie must not be zero */
	if (memcmp(&isakmp->i_ck, r_ck0, sizeof(cookie_t)) == 0) {
		plog(LLV_ERROR, LOCATION, remote,
			"malformed cookie received.\n");
		return -1;
	}

	/* Check the Major and Minor Version fields. */
	/*
	 * XXX Is is right to check version here ?
	 * I think it may no be here because the version depends
	 * on exchange status.
	 */
	if (isakmp->v < ISAKMP_VERSION_NUMBER) {
		if (ISAKMP_GETMAJORV(isakmp->v) < ISAKMP_MAJOR_VERSION) {
			plog(LLV_ERROR, LOCATION, remote,
				"invalid major version %d.\n",
				ISAKMP_GETMAJORV(isakmp->v));
			return -1;
		}
#if ISAKMP_MINOR_VERSION > 0
		if (ISAKMP_GETMINORV(isakmp->v) < ISAKMP_MINOR_VERSION) {
			plog(LLV_ERROR, LOCATION, remote,
				"invalid minor version %d.\n",
				ISAKMP_GETMINORV(isakmp->v));
			return -1;
		}
#endif
	}

	/* check the Flags field. */
	/* XXX How is the exclusive check, E and A ? */
	if (isakmp->flags & ~(ISAKMP_FLAG_E | ISAKMP_FLAG_C | ISAKMP_FLAG_A)) {
		plog(LLV_ERROR, LOCATION, remote,
			"invalid flag 0x%02x.\n", isakmp->flags);
		return -1;
	}

	/* ignore commit bit. */
	if (ISSET(isakmp->flags, ISAKMP_FLAG_C)) {
		if (isakmp->msgid == 0) {
			isakmp_info_send_nx(isakmp, remote, local,
				ISAKMP_NTYPE_INVALID_FLAGS, NULL);
			plog(LLV_ERROR, LOCATION, remote,
				"Commit bit on phase1 forbidden.\n");
			return -1;
		}
	}

	iph1 = getph1byindex(index);
	if (iph1 != NULL) {
		/* validity check */
		if (memcmp(&isakmp->r_ck, r_ck0, sizeof(cookie_t)) == 0 &&
		    iph1->side == INITIATOR) {
			plog(LLV_DEBUG, LOCATION, remote,
				"malformed cookie received or "
				"the initiator's cookies collide.\n");
			return -1;
		}

#ifdef ENABLE_NATT
		/* Floating ports for NAT-T */
		if (NATT_AVAILABLE(iph1) &&
		    ! (iph1->natt_flags & NAT_PORTS_CHANGED) &&
		    ((cmpsaddrstrict(iph1->remote, remote) != 0) ||
		    (cmpsaddrstrict(iph1->local, local) != 0)))
		{
			/* prevent memory leak */
			racoon_free(iph1->remote);
			racoon_free(iph1->local);
			iph1->remote = NULL;
			iph1->local = NULL;

			/* copy-in new addresses */
			iph1->remote = dupsaddr(remote);
			if (iph1->remote == NULL) {
           			plog(LLV_ERROR, LOCATION, iph1->remote,
				   "phase1 failed: dupsaddr failed.\n");
				remph1(iph1);
				delph1(iph1);
				return -1;
			}
			iph1->local = dupsaddr(local);
			if (iph1->local == NULL) {
           			plog(LLV_ERROR, LOCATION, iph1->remote,
				   "phase1 failed: dupsaddr failed.\n");
				remph1(iph1);
				delph1(iph1);
				return -1;
			}

			/* set the flag to prevent further port floating
			   (FIXME: should we allow it? E.g. when the NAT gw
			    is rebooted?) */
			iph1->natt_flags |= NAT_PORTS_CHANGED | NAT_ADD_NON_ESP_MARKER;

			/* print some neat info */
			plog (LLV_INFO, LOCATION, NULL,
			      "NAT-T: ports changed to: %s\n",
			      saddr2str_fromto ("%s<->%s", iph1->remote, iph1->local));

			natt_keepalive_add_ph1 (iph1);
		}
#endif

		/* must be same addresses in one stream of a phase at least. */
		if (cmpsaddrstrict(iph1->remote, remote) != 0) {
			char *saddr_db, *saddr_act;

			saddr_db = racoon_strdup(saddr2str(iph1->remote));
			saddr_act = racoon_strdup(saddr2str(remote));
			STRDUP_FATAL(saddr_db);
			STRDUP_FATAL(saddr_act);

			plog(LLV_WARNING, LOCATION, remote,
				"remote address mismatched. db=%s, act=%s\n",
				saddr_db, saddr_act);

			racoon_free(saddr_db);
			racoon_free(saddr_act);
		}

		/*
		 * don't check of exchange type here because other type will be
		 * with same index, for example, informational exchange.
		 */

		/* XXX more acceptable check */
	}

	switch (isakmp->etype) {
	case ISAKMP_ETYPE_IDENT:
	case ISAKMP_ETYPE_AGG:
	case ISAKMP_ETYPE_BASE:
		/* phase 1 validity check */
		if (isakmp->msgid != 0) {
			plog(LLV_ERROR, LOCATION, remote,
				"message id should be zero in phase1.\n");
			return -1;
		}

		/* search for isakmp status record of phase 1 */
		if (iph1 == NULL) {
			/*
			 * the packet must be the 1st message from a initiator
			 * or the 2nd message from the responder.
			 */

			/* search for phase1 handle by index without r_ck */
			iph1 = getph1byindex0(index);
			if (iph1 == NULL) {
				/*it must be the 1st message from a initiator.*/
				if (memcmp(&isakmp->r_ck, r_ck0,
					sizeof(cookie_t)) != 0) {

					plog(LLV_DEBUG, LOCATION, remote,
						"malformed cookie received "
						"or the spi expired.\n");
					return -1;
				}

				/* it must be responder's 1st exchange. */
				if (isakmp_ph1begin_r(msg, remote, local,
					isakmp->etype) < 0)
					return -1;
				break;

				/*NOTREACHED*/
			}

			/* it must be the 2nd message from the responder. */
			if (iph1->side != INITIATOR) {
				plog(LLV_DEBUG, LOCATION, remote,
					"malformed cookie received. "
					"it has to be as the initiator.  %s\n",
					isakmp_pindex(&iph1->index, 0));
				return -1;
			}
		}

		/*
		 * Don't delete phase 1 handler when the exchange type
		 * in handler is not equal to packet's one because of no
		 * authencication completed.
		 */
		if (iph1->etype != isakmp->etype) {
			plog(LLV_ERROR, LOCATION, iph1->remote,
				"exchange type is mismatched: "
				"db=%s packet=%s, ignore it.\n",
				s_isakmp_etype(iph1->etype),
				s_isakmp_etype(isakmp->etype));
			return -1;
		}

#ifdef ENABLE_FRAG
		if (isakmp->np == ISAKMP_NPTYPE_FRAG)
			return frag_handler(iph1, msg, remote, local);
#endif

		/* call main process of phase 1 */
		if (ph1_main(iph1, msg) < 0) {
			plog(LLV_ERROR, LOCATION, iph1->remote,
				"phase1 negotiation failed.\n");
			remph1(iph1);
			delph1(iph1);
			return -1;
		}
		break;

	case ISAKMP_ETYPE_AUTH:
		plog(LLV_INFO, LOCATION, remote,
			"unsupported exchange %d received.\n",
			isakmp->etype);
		break;

	case ISAKMP_ETYPE_INFO:
	case ISAKMP_ETYPE_ACKINFO:
		/*
		 * iph1 must be present for Information message.
		 * if iph1 is null then trying to get the phase1 status
		 * as the packet from responder againt initiator's 1st
		 * exchange in phase 1.
		 * NOTE: We think such informational exchange should be ignored.
		 */
		if (iph1 == NULL) {
			iph1 = getph1byindex0(index);
			if (iph1 == NULL) {
				plog(LLV_ERROR, LOCATION, remote,
					"unknown Informational "
					"exchange received.\n");
				return -1;
			}
			if (cmpsaddrstrict(iph1->remote, remote) != 0) {
				plog(LLV_WARNING, LOCATION, remote,
					"remote address mismatched. "
					"db=%s\n",
					saddr2str(iph1->remote));
			}
		}

#ifdef ENABLE_FRAG
		if (isakmp->np == ISAKMP_NPTYPE_FRAG)
			return frag_handler(iph1, msg, remote, local);
#endif

		if (isakmp_info_recv(iph1, msg) < 0)
			return -1;
		break;

	case ISAKMP_ETYPE_QUICK:
	{
		struct ph2handle *iph2;

		if (iph1 == NULL) {
			isakmp_info_send_nx(isakmp, remote, local,
				ISAKMP_NTYPE_INVALID_COOKIE, NULL);
			plog(LLV_ERROR, LOCATION, remote,
				"can't start the quick mode, "
				"there is no ISAKMP-SA, %s\n",
				isakmp_pindex((isakmp_index *)&isakmp->i_ck,
					isakmp->msgid));
			return -1;
		}
#ifdef ENABLE_HYBRID
		/* Reinit the IVM if it's still there */
		if (iph1->mode_cfg && iph1->mode_cfg->ivm) {
			oakley_delivm(iph1->mode_cfg->ivm);
			iph1->mode_cfg->ivm = NULL;
		}
#endif
#ifdef ENABLE_FRAG
		if (isakmp->np == ISAKMP_NPTYPE_FRAG)
			return frag_handler(iph1, msg, remote, local);
#endif

		/* check status of phase 1 whether negotiated or not. */
		if (iph1->status != PHASE1ST_ESTABLISHED) {
			plog(LLV_ERROR, LOCATION, remote,
				"can't start the quick mode, "
				"there is no valid ISAKMP-SA, %s\n",
				isakmp_pindex(&iph1->index, iph1->msgid));
			return -1;
		}

		/* search isakmp phase 2 stauts record. */
		iph2 = getph2bymsgid(iph1, msgid);
		if (iph2 == NULL) {
			/* it must be new negotiation as responder */
			if (isakmp_ph2begin_r(iph1, msg) < 0)
				return -1;
			return 0;
			/*NOTREACHED*/
		}

		/* commit bit. */
		/* XXX
		 * we keep to set commit bit during negotiation.
		 * When SA is configured, bit will be reset.
		 * XXX
		 * don't initiate commit bit.  should be fixed in the future.
		 */
		if (ISSET(isakmp->flags, ISAKMP_FLAG_C))
			iph2->flags |= ISAKMP_FLAG_C;

		/* call main process of quick mode */
		if (quick_main(iph2, msg) < 0) {
			plog(LLV_ERROR, LOCATION, iph1->remote,
				"phase2 negotiation failed.\n");
			unbindph12(iph2);
			remph2(iph2);
			delph2(iph2);
			return -1;
		}
	}
		break;

	case ISAKMP_ETYPE_NEWGRP:
		if (iph1 == NULL) {
			plog(LLV_ERROR, LOCATION, remote,
				"Unknown new group mode exchange, "
				"there is no ISAKMP-SA.\n");
			return -1;
		}

#ifdef ENABLE_FRAG
		if (isakmp->np == ISAKMP_NPTYPE_FRAG)
			return frag_handler(iph1, msg, remote, local);
#endif

		isakmp_newgroup_r(iph1, msg);
		break;

#ifdef ENABLE_HYBRID
	case ISAKMP_ETYPE_CFG:
		if (iph1 == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
			     "mode config %d from %s, "
			     "but we have no ISAKMP-SA.\n",
			     isakmp->etype, saddr2str(remote));
			return -1;
		}

#ifdef ENABLE_FRAG
		if (isakmp->np == ISAKMP_NPTYPE_FRAG)
			return frag_handler(iph1, msg, remote, local);
#endif

		isakmp_cfg_r(iph1, msg);
		break;
#endif

	case ISAKMP_ETYPE_NONE:
	default:
		plog(LLV_ERROR, LOCATION, NULL,
			"Invalid exchange type %d from %s.\n",
			isakmp->etype, saddr2str(remote));
		return -1;
	}

	return 0;
}

/*
 * main function of phase 1.
 */
static int
ph1_main(iph1, msg)
	struct ph1handle *iph1;
	vchar_t *msg;
{
	int error;
#ifdef ENABLE_STATS
	struct timeval start, end;
#endif

	/* ignore a packet */
	if (iph1->status == PHASE1ST_ESTABLISHED)
		return 0;

#ifdef ENABLE_STATS
	gettimeofday(&start, NULL);
#endif
	/* receive */
	if (ph1exchange[etypesw1(iph1->etype)]
		       [iph1->side]
		       [iph1->status] == NULL) {
		plog(LLV_ERROR, LOCATION, iph1->remote,
			"why isn't the function defined.\n");
		return -1;
	}
	error = (ph1exchange[etypesw1(iph1->etype)]
			    [iph1->side]
			    [iph1->status])(iph1, msg);
	if (error != 0) {

		/* XXX
		 * When an invalid packet is received on phase1, it should
		 * be selected to process this packet.  That is to respond
		 * with a notify and delete phase 1 handler, OR not to respond
		 * and keep phase 1 handler. However, in PHASE1ST_START when
		 * acting as RESPONDER we must not keep phase 1 handler or else
		 * it will stay forever.
		 */

		if (iph1->side == RESPONDER && iph1->status == PHASE1ST_START) {
			plog(LLV_ERROR, LOCATION, iph1->remote,
				"failed to pre-process packet.\n");
			return -1;
		} else {
			/* ignore the error and keep phase 1 handler */
			return 0;
		}
	}

#ifndef ENABLE_FRAG
	/* free resend buffer */
	if (iph1->sendbuf == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"no buffer found as sendbuf\n");
		return -1;
	}
#endif

	VPTRINIT(iph1->sendbuf);

	/* turn off schedule */
	SCHED_KILL(iph1->scr);

	/* send */
	plog(LLV_DEBUG, LOCATION, NULL, "===\n");
	if ((ph1exchange[etypesw1(iph1->etype)]
			[iph1->side]
			[iph1->status])(iph1, msg) != 0) {
		plog(LLV_ERROR, LOCATION, iph1->remote,
			"failed to process packet.\n");
		return -1;
	}

#ifdef ENABLE_STATS
	gettimeofday(&end, NULL);
	syslog(LOG_NOTICE, "%s(%s): %8.6f",
		"phase1", s_isakmp_state(iph1->etype, iph1->side, iph1->status),
		timedelta(&start, &end));
#endif
	if (iph1->status == PHASE1ST_ESTABLISHED) {

#ifdef ENABLE_STATS
		gettimeofday(&iph1->end, NULL);
		syslog(LOG_NOTICE, "%s(%s): %8.6f",
			"phase1", s_isakmp_etype(iph1->etype),
			timedelta(&iph1->start, &iph1->end));
#endif

		/* save created date. */
		(void)time(&iph1->created);

		/* add to the schedule to expire, and seve back pointer. */
		iph1->sce = sched_new(iph1->approval->lifetime,
		    isakmp_ph1expire_stub, iph1);
#ifdef ENABLE_HYBRID
		if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) {
			switch(AUTHMETHOD(iph1)) {
			case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
			case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
			case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
			case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
			case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
			case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
			case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
				xauth_sendreq(iph1);
				/* XXX Don't process INITIAL_CONTACT */
				iph1->rmconf->ini_contact = 0;
				break;
			default:
				break;
			}
		}
#endif
#ifdef ENABLE_DPD
		/* Schedule the r_u_there.... */
		if(iph1->dpd_support && iph1->rmconf->dpd_interval)
			isakmp_sched_r_u(iph1, 0);
#endif

		/* INITIAL-CONTACT processing */
		/* don't anything if local test mode. */
		if (!f_local
		 && iph1->rmconf->ini_contact && !getcontacted(iph1->remote)) {
			/* send INITIAL-CONTACT */
			isakmp_info_send_n1(iph1,
					ISAKMP_NTYPE_INITIAL_CONTACT, NULL);
			/* insert a node into contacted list. */
			if (inscontacted(iph1->remote) == -1) {
				plog(LLV_ERROR, LOCATION, iph1->remote,
					"failed to add contacted list.\n");
				/* ignore */
			}
		}

		log_ph1established(iph1);
		plog(LLV_DEBUG, LOCATION, NULL, "===\n");

		/*
		 * SA up shell script hook: do it now,except if
		 * ISAKMP mode config was requested. In the later
		 * case it is done when we receive the configuration.
		 */
		if ((iph1->status == PHASE1ST_ESTABLISHED) &&
		    !iph1->rmconf->mode_cfg) {
			switch (AUTHMETHOD(iph1)) {
#ifdef ENABLE_HYBRID
			case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
			case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
			case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
			/* Unimplemeted... */
			case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
			case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
			case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
			case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
				break;
#endif
			default:
				script_hook(iph1, SCRIPT_PHASE1_UP);
				break;
			}
		}
	}

	return 0;
}

/*
 * main function of quick mode.
 */
static int
quick_main(iph2, msg)
	struct ph2handle *iph2;
	vchar_t *msg;
{
	struct isakmp *isakmp = (struct isakmp *)msg->v;
	int error;
#ifdef ENABLE_STATS
	struct timeval start, end;
#endif

	/* ignore a packet */
	if (iph2->status == PHASE2ST_ESTABLISHED
	 || iph2->status == PHASE2ST_GETSPISENT)
		return 0;

#ifdef ENABLE_STATS
	gettimeofday(&start, NULL);
#endif

	/* receive */
	if (ph2exchange[etypesw2(isakmp->etype)]
		       [iph2->side]
		       [iph2->status] == NULL) {
		plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
			"why isn't the function defined.\n");
		return -1;
	}
	error = (ph2exchange[etypesw2(isakmp->etype)]
			    [iph2->side]
			    [iph2->status])(iph2, msg);
	if (error != 0) {
		plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
			"failed to pre-process packet.\n");
		if (error == ISAKMP_INTERNAL_ERROR)
			return 0;
		isakmp_info_send_n1(iph2->ph1, error, NULL);
		return -1;
	}

	/* when using commit bit, status will be reached here. */
	if (iph2->status == PHASE2ST_ADDSA)
		return 0;

	/* free resend buffer */
	if (iph2->sendbuf == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"no buffer found as sendbuf\n");
		return -1;
	}
	VPTRINIT(iph2->sendbuf);

	/* turn off schedule */
	SCHED_KILL(iph2->scr);

	/* send */
	plog(LLV_DEBUG, LOCATION, NULL, "===\n");
	if ((ph2exchange[etypesw2(isakmp->etype)]
			[iph2->side]
			[iph2->status])(iph2, msg) != 0) {
		plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
			"failed to process packet.\n");
		return -1;
	}

#ifdef ENABLE_STATS
	gettimeofday(&end, NULL);
	syslog(LOG_NOTICE, "%s(%s): %8.6f",
		"phase2",
		s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status),
		timedelta(&start, &end));
#endif

	return 0;
}

/* new negotiation of phase 1 for initiator */
int
isakmp_ph1begin_i(rmconf, remote, local)
	struct remoteconf *rmconf;
	struct sockaddr *remote, *local;
{
	struct ph1handle *iph1;
#ifdef ENABLE_STATS
	struct timeval start, end;
#endif

	/* get new entry to isakmp status table. */
	iph1 = newph1();
	if (iph1 == NULL)
		return -1;

	iph1->status = PHASE1ST_START;
	iph1->rmconf = rmconf;
	iph1->side = INITIATOR;
	iph1->version = ISAKMP_VERSION_NUMBER;
	iph1->msgid = 0;
	iph1->flags = 0;
	iph1->ph2cnt = 0;
#ifdef HAVE_GSSAPI
	iph1->gssapi_state = NULL;
#endif
#ifdef ENABLE_HYBRID
	if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL) {
		delph1(iph1);
		return -1;
	}
#endif
#ifdef ENABLE_FRAG

	if(rmconf->ike_frag == ISAKMP_FRAG_FORCE)
		iph1->frag = 1;
	else
		iph1->frag = 0;
	iph1->frag_chain = NULL;
#endif
	iph1->approval = NULL;

	/* XXX copy remote address */
	if (copy_ph1addresses(iph1, rmconf, remote, local) < 0) {
		delph1(iph1);
		return -1;
	}

	(void)insph1(iph1);

	/* start phase 1 exchange */
	iph1->etype = rmconf->etypes->type;

	plog(LLV_DEBUG, LOCATION, NULL, "===\n");
    {
	char *a;

	a = racoon_strdup(saddr2str(iph1->local));
	STRDUP_FATAL(a);

	plog(LLV_INFO, LOCATION, NULL,
		"initiate new phase 1 negotiation: %s<=>%s\n",
		a, saddr2str(iph1->remote));
	racoon_free(a);
    }
	plog(LLV_INFO, LOCATION, NULL,
		"begin %s mode.\n",
		s_isakmp_etype(iph1->etype));

#ifdef ENABLE_STATS
	gettimeofday(&iph1->start, NULL);
	gettimeofday(&start, NULL);
#endif
	/* start exchange */
	if ((ph1exchange[etypesw1(iph1->etype)]
			[iph1->side]
			[iph1->status])(iph1, NULL) != 0) {
		/* failed to start phase 1 negotiation */
		remph1(iph1);
		delph1(iph1);

		return -1;
	}

#ifdef ENABLE_STATS
	gettimeofday(&end, NULL);
	syslog(LOG_NOTICE, "%s(%s): %8.6f",
		"phase1",
		s_isakmp_state(iph1->etype, iph1->side, iph1->status),
		timedelta(&start, &end));
#endif

	return 0;
}

/* new negotiation of phase 1 for responder */
static int
isakmp_ph1begin_r(msg, remote, local, etype)
	vchar_t *msg;
	struct sockaddr *remote, *local;
	u_int8_t etype;
{
	struct isakmp *isakmp = (struct isakmp *)msg->v;
	struct remoteconf *rmconf;
	struct ph1handle *iph1;
	struct etypes *etypeok;
#ifdef ENABLE_STATS
	struct timeval start, end;
#endif

	/* look for my configuration */
	rmconf = getrmconf(remote);
	if (rmconf == NULL) {
		plog(LLV_ERROR, LOCATION, remote,
			"couldn't find "
			"configuration.\n");
		return -1;
	}

	/* check to be acceptable exchange type */
	etypeok = check_etypeok(rmconf, etype);
	if (etypeok == NULL) {
		plog(LLV_ERROR, LOCATION, remote,
			"not acceptable %s mode\n", s_isakmp_etype(etype));
		return -1;
	}

	/* get new entry to isakmp status table. */
	iph1 = newph1();
	if (iph1 == NULL)
		return -1;

	memcpy(&iph1->index.i_ck, &isakmp->i_ck, sizeof(iph1->index.i_ck));
	iph1->status = PHASE1ST_START;
	iph1->rmconf = rmconf;
	iph1->flags = 0;
	iph1->side = RESPONDER;
	iph1->etype = etypeok->type;
	iph1->version = isakmp->v;
	iph1->msgid = 0;
#ifdef HAVE_GSSAPI
	iph1->gssapi_state = NULL;
#endif
#ifdef ENABLE_HYBRID
	if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL) {
		delph1(iph1);
		return -1;
	}
#endif
#ifdef ENABLE_FRAG
	iph1->frag = 0;
	iph1->frag_chain = NULL;
#endif
	iph1->approval = NULL;

#ifdef ENABLE_NATT
	/* RFC3947 says that we MUST accept new phases1 on NAT-T floated port.
	 * We have to setup this flag now to correctly generate the first reply.
	 * Don't know if a better check could be done for that ?
	 */
	if(extract_port(local) == lcconf->port_isakmp_natt)
		iph1->natt_flags |= (NAT_PORTS_CHANGED);
#endif

	/* copy remote address */
	if (copy_ph1addresses(iph1, rmconf, remote, local) < 0) {
		delph1(iph1);
		return -1;
	}
	(void)insph1(iph1);

	plog(LLV_DEBUG, LOCATION, NULL, "===\n");
    {
	char *a;

	a = racoon_strdup(saddr2str(iph1->local));
	STRDUP_FATAL(a);

	plog(LLV_INFO, LOCATION, NULL,
		"respond new phase 1 negotiation: %s<=>%s\n",
		a, saddr2str(iph1->remote));
	racoon_free(a);
    }
	plog(LLV_INFO, LOCATION, NULL,
		"begin %s mode.\n", s_isakmp_etype(etype));

#ifdef ENABLE_STATS
	gettimeofday(&iph1->start, NULL);
	gettimeofday(&start, NULL);
#endif

#ifndef ENABLE_FRAG

	/* start exchange */
	if ((ph1exchange[etypesw1(iph1->etype)]
	                [iph1->side]
	                [iph1->status])(iph1, msg) < 0
	 || (ph1exchange[etypesw1(iph1->etype)]
			[iph1->side]
			[iph1->status])(iph1, msg) < 0) {
		plog(LLV_ERROR, LOCATION, remote,
			"failed to process packet.\n");
		remph1(iph1);
		delph1(iph1);
		return -1;
	}

#ifdef ENABLE_STATS
	gettimeofday(&end, NULL);
	syslog(LOG_NOTICE, "%s(%s): %8.6f",
		"phase1",
		s_isakmp_state(iph1->etype, iph1->side, iph1->status),
		timedelta(&start, &end));
#endif

	return 0;

#else /* ENABLE_FRAG */

	/* now that we have a phase1 handle, feed back into our
	 * main receive function to catch fragmented packets
	 */

	return isakmp_main(msg, remote, local);

#endif /* ENABLE_FRAG */

}

/* new negotiation of phase 2 for initiator */
static int
isakmp_ph2begin_i(iph1, iph2)
	struct ph1handle *iph1;
	struct ph2handle *iph2;
{
#ifdef ENABLE_HYBRID
	if (xauth_check(iph1) != 0) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "Attempt to start phase 2 whereas Xauth failed\n");
		return -1;
	}
#endif

	/* found ISAKMP-SA. */
	plog(LLV_DEBUG, LOCATION, NULL, "===\n");
	plog(LLV_DEBUG, LOCATION, NULL, "begin QUICK mode.\n");
    {
	char *a;
	a = racoon_strdup(saddr2str(iph2->src));
	STRDUP_FATAL(a);

	plog(LLV_INFO, LOCATION, NULL,
		"initiate new phase 2 negotiation: %s<=>%s\n",
		a, saddr2str(iph2->dst));
	racoon_free(a);
    }

#ifdef ENABLE_STATS
	gettimeofday(&iph2->start, NULL);
#endif
	/* found isakmp-sa */
	bindph12(iph1, iph2);
	iph2->status = PHASE2ST_STATUS2;

	if ((ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)]
			 [iph2->side]
			 [iph2->status])(iph2, NULL) < 0) {
		unbindph12(iph2);
		/* release ipsecsa handler due to internal error. */
		remph2(iph2);
		return -1;
	}
	return 0;
}

/* new negotiation of phase 2 for responder */
static int
isakmp_ph2begin_r(iph1, msg)
	struct ph1handle *iph1;
	vchar_t *msg;
{
	struct isakmp *isakmp = (struct isakmp *)msg->v;
	struct ph2handle *iph2 = 0;
	int error;
#ifdef ENABLE_STATS
	struct timeval start, end;
#endif
#ifdef ENABLE_HYBRID
	if (xauth_check(iph1) != 0) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "Attempt to start phase 2 whereas Xauth failed\n");
		return -1;
	}
#endif

	iph2 = newph2();
	if (iph2 == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to allocate phase2 entry.\n");
		return -1;
	}

	iph2->ph1 = iph1;
	iph2->side = RESPONDER;
	iph2->status = PHASE2ST_START;
	iph2->flags = isakmp->flags;
	iph2->msgid = isakmp->msgid;
	iph2->seq = pk_getseq();
	iph2->ivm = oakley_newiv2(iph1, iph2->msgid);
	if (iph2->ivm == NULL) {
		delph2(iph2);
		return -1;
	}
	iph2->dst = dupsaddr(iph1->remote);	/* XXX should be considered */
	if (iph2->dst == NULL) {
		delph2(iph2);
		return -1;
	}
	iph2->src = dupsaddr(iph1->local);	/* XXX should be considered */
	if (iph2->src == NULL) {
		delph2(iph2);
		return -1;
	}
#if (!defined(ENABLE_NATT)) || (defined(BROKEN_NATT))
	if (set_port(iph2->dst, 0) == NULL ||
	    set_port(iph2->src, 0) == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		     "invalid family: %d\n", iph2->dst->sa_family);
		delph2(iph2);
		return -1;
	}
#endif

	/* add new entry to isakmp status table */
	insph2(iph2);
	bindph12(iph1, iph2);

	plog(LLV_DEBUG, LOCATION, NULL, "===\n");
    {
	char *a;

	a = racoon_strdup(saddr2str(iph2->src));
	STRDUP_FATAL(a);

	plog(LLV_INFO, LOCATION, NULL,
		"respond new phase 2 negotiation: %s<=>%s\n",
		a, saddr2str(iph2->dst));
	racoon_free(a);
    }

#ifdef ENABLE_STATS
	gettimeofday(&start, NULL);
#endif

	error = (ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)]
	                   [iph2->side]
	                   [iph2->status])(iph2, msg);
	if (error != 0) {
		plog(LLV_ERROR, LOCATION, iph1->remote,
			"failed to pre-process packet.\n");
		if (error != ISAKMP_INTERNAL_ERROR)
			isakmp_info_send_n1(iph2->ph1, error, NULL);
		/*
		 * release handler because it's wrong that ph2handle is kept
		 * after failed to check message for responder's.
		 */
		unbindph12(iph2);
		remph2(iph2);
		delph2(iph2);
		return -1;
	}

	/* send */
	plog(LLV_DEBUG, LOCATION, NULL, "===\n");
	if ((ph2exchange[etypesw2(isakmp->etype)]
			[iph2->side]
			[iph2->status])(iph2, msg) < 0) {
		plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
			"failed to process packet.\n");
		/* don't release handler */
		return -1;
	}
#ifdef ENABLE_STATS
	gettimeofday(&end, NULL);
	syslog(LOG_NOTICE, "%s(%s): %8.6f",
		"phase2",
		s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status),
		timedelta(&start, &end));
#endif

	return 0;
}

/*
 * parse ISAKMP payloads, without ISAKMP base header.
 */
vchar_t *
isakmp_parsewoh(np0, gen, len)
	int np0;
	struct isakmp_gen *gen;
	int len;
{
	u_char np = np0 & 0xff;
	int tlen, plen;
	vchar_t *result;
	struct isakmp_parse_t *p, *ep;

	plog(LLV_DEBUG, LOCATION, NULL, "begin.\n");

	/*
	 * 5 is a magic number, but any value larger than 2 should be fine
	 * as we do vrealloc() in the following loop.
	 */
	result = vmalloc(sizeof(struct isakmp_parse_t) * 5);
	if (result == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to get buffer.\n");
		return NULL;
	}
	p = (struct isakmp_parse_t *)result->v;
	ep = (struct isakmp_parse_t *)(result->v + result->l - sizeof(*ep));

	tlen = len;

	/* parse through general headers */
	while (0 < tlen && np != ISAKMP_NPTYPE_NONE) {
		if (tlen <= sizeof(struct isakmp_gen)) {
			/* don't send information, see isakmp_ident_r1() */
			plog(LLV_ERROR, LOCATION, NULL,
				"invalid length of payload\n");
			vfree(result);
			return NULL;
		}

		plog(LLV_DEBUG, LOCATION, NULL,
			"seen nptype=%u(%s)\n", np, s_isakmp_nptype(np));

		p->type = np;
		p->len = ntohs(gen->len);
		if (p->len < sizeof(struct isakmp_gen) || p->len > tlen) {
			plog(LLV_DEBUG, LOCATION, NULL,
				"invalid length of payload\n");
			vfree(result);
			return NULL;
		}
		p->ptr = gen;
		p++;
		if (ep <= p) {
			int off;

			off = p - (struct isakmp_parse_t *)result->v;
			result = vrealloc(result, result->l * 2);
			if (result == NULL) {
				plog(LLV_DEBUG, LOCATION, NULL,
					"failed to realloc buffer.\n");
				vfree(result);
				return NULL;
			}
			ep = (struct isakmp_parse_t *)
				(result->v + result->l - sizeof(*ep));
			p = (struct isakmp_parse_t *)result->v;
			p += off;
		}

		np = gen->np;
		plen = ntohs(gen->len);
		gen = (struct isakmp_gen *)((caddr_t)gen + plen);
		tlen -= plen;
	}
	p->type = ISAKMP_NPTYPE_NONE;
	p->len = 0;
	p->ptr = NULL;

	plog(LLV_DEBUG, LOCATION, NULL, "succeed.\n");

	return result;
}

/*
 * parse ISAKMP payloads, including ISAKMP base header.
 */
vchar_t *
isakmp_parse(buf)
	vchar_t *buf;
{
	struct isakmp *isakmp = (struct isakmp *)buf->v;
	struct isakmp_gen *gen;
	int tlen;
	vchar_t *result;
	u_char np;

	np = isakmp->np;
	gen = (struct isakmp_gen *)(buf->v + sizeof(*isakmp));
	tlen = buf->l - sizeof(struct isakmp);
	result = isakmp_parsewoh(np, gen, tlen);

	return result;
}

/* %%% */
int
isakmp_init()
{
	/* initialize a isakmp status table */
	initph1tree();
	initph2tree();
	initctdtree();
	init_recvdpkt();

	if (isakmp_open() < 0)
		goto err;

	return(0);

err:
	isakmp_close();
	return(-1);
}

/*
 * make strings containing i_cookie + r_cookie + msgid
 */
const char *
isakmp_pindex(index, msgid)
	const isakmp_index *index;
	const u_int32_t msgid;
{
	static char buf[64];
	const u_char *p;
	int i, j;

	memset(buf, 0, sizeof(buf));

	/* copy index */
	p = (const u_char *)index;
	for (j = 0, i = 0; i < sizeof(isakmp_index); i++) {
		snprintf((char *)&buf[j], sizeof(buf) - j, "%02x", p[i]);
		j += 2;
		switch (i) {
		case 7:
			buf[j++] = ':';
		}
	}

	if (msgid == 0)
		return buf;

	/* copy msgid */
	snprintf((char *)&buf[j], sizeof(buf) - j, ":%08x", ntohs(msgid));

	return buf;
}

/* open ISAKMP sockets. */
int
isakmp_open()
{
	const int yes = 1;
	int ifnum = 0, encap_ifnum = 0;
#ifdef INET6
	int pktinfo;
#endif
	struct myaddrs *p;

	for (p = lcconf->myaddrs; p; p = p->next) {
		if (!p->addr)
			continue;

		/* warn if wildcard address - should we forbid this? */
		switch (p->addr->sa_family) {
		case AF_INET:
			if (((struct sockaddr_in *)p->addr)->sin_addr.s_addr == 0)
				plog(LLV_WARNING, LOCATION, NULL,
					"listening to wildcard address,"
					"broadcast IKE packet may kill you\n");
			break;
#ifdef INET6
		case AF_INET6:
			if (IN6_IS_ADDR_UNSPECIFIED(&((struct sockaddr_in6 *)p->addr)->sin6_addr))
				plog(LLV_WARNING, LOCATION, NULL,
					"listening to wildcard address, "
					"broadcast IKE packet may kill you\n");
			break;
#endif
		default:
			plog(LLV_ERROR, LOCATION, NULL,
				"unsupported address family %d\n",
				lcconf->default_af);
			goto err_and_next;
		}

#ifdef INET6
		if (p->addr->sa_family == AF_INET6 &&
		    IN6_IS_ADDR_MULTICAST(&((struct sockaddr_in6 *)
					    p->addr)->sin6_addr))
		{
			plog(LLV_DEBUG, LOCATION, NULL,
				"Ignoring multicast address %s\n",
				saddr2str(p->addr));
				racoon_free(p->addr);
				p->addr = NULL;
			continue;
		}
#endif

		if ((p->sock = socket(p->addr->sa_family, SOCK_DGRAM, 0)) < 0) {
			plog(LLV_ERROR, LOCATION, NULL,
				"socket (%s)\n", strerror(errno));
			goto err_and_next;
		}

		if (fcntl(p->sock, F_SETFL, O_NONBLOCK) == -1)
			plog(LLV_WARNING, LOCATION, NULL,
				"failed to put socket in non-blocking mode\n");

		/* receive my interface address on inbound packets. */
		switch (p->addr->sa_family) {
		case AF_INET:
			if (setsockopt(p->sock, IPPROTO_IP,
#ifdef __linux__
				       IP_PKTINFO,
#else
				       IP_RECVDSTADDR,
#endif
					(const void *)&yes, sizeof(yes)) < 0) {
				plog(LLV_ERROR, LOCATION, NULL,
					"setsockopt IP_RECVDSTADDR (%s)\n",
					strerror(errno));
				goto err_and_next;
			}
			break;
#ifdef INET6
		case AF_INET6:
#ifdef INET6_ADVAPI
#ifdef IPV6_RECVPKTINFO
			pktinfo = IPV6_RECVPKTINFO;
#else  /* old adv. API */
			pktinfo = IPV6_PKTINFO;
#endif /* IPV6_RECVPKTINFO */
#else
			pktinfo = IPV6_RECVDSTADDR;
#endif
			if (setsockopt(p->sock, IPPROTO_IPV6, pktinfo,
					(const void *)&yes, sizeof(yes)) < 0)
			{
				plog(LLV_ERROR, LOCATION, NULL,
					"setsockopt IPV6_RECVDSTADDR (%d):%s\n",
					pktinfo, strerror(errno));
				goto err_and_next;
			}
			break;
#endif
		}

#ifdef IPV6_USE_MIN_MTU
		if (p->addr->sa_family == AF_INET6 &&
		    setsockopt(p->sock, IPPROTO_IPV6, IPV6_USE_MIN_MTU,
		    (void *)&yes, sizeof(yes)) < 0) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "setsockopt IPV6_USE_MIN_MTU (%s)\n",
			    strerror(errno));
			return -1;
		}
#endif

		if (setsockopt_bypass(p->sock, p->addr->sa_family) < 0)
			goto err_and_next;

		if (bind(p->sock, p->addr, sysdep_sa_len(p->addr)) < 0) {
			plog(LLV_ERROR, LOCATION, p->addr,
				"failed to bind to address %s (%s).\n",
				saddr2str(p->addr), strerror(errno));
			close(p->sock);
			goto err_and_next;
		}

		ifnum++;

		plog(LLV_INFO, LOCATION, NULL,
			"%s used as isakmp port (fd=%d)\n",
			saddr2str(p->addr), p->sock);

#ifdef ENABLE_NATT
		if (p->addr->sa_family == AF_INET) {
			int option = -1;


			if(p->udp_encap)
				option = UDP_ENCAP_ESPINUDP;
#if defined(ENABLE_NATT_00) || defined(ENABLE_NATT_01)
			else
				option = UDP_ENCAP_ESPINUDP_NON_IKE;
#endif
			if(option != -1){
				if (setsockopt (p->sock, SOL_UDP,
				    UDP_ENCAP, &option, sizeof (option)) < 0) {
					plog(LLV_WARNING, LOCATION, NULL,
					    "setsockopt(%s): UDP_ENCAP %s\n",
					    option == UDP_ENCAP_ESPINUDP ? "UDP_ENCAP_ESPINUDP" : "UDP_ENCAP_ESPINUDP_NON_IKE",
						 strerror(errno));
					goto skip_encap;
				}
				else {
					plog(LLV_INFO, LOCATION, NULL,
						 "%s used for NAT-T\n",
						 saddr2str(p->addr));
					encap_ifnum++;
				}
			}
		}
skip_encap:
#endif
		continue;

	err_and_next:
		racoon_free(p->addr);
		p->addr = NULL;
		if (! lcconf->autograbaddr && lcconf->strict_address)
			return -1;
		continue;
	}

	if (!ifnum) {
		plog(LLV_ERROR, LOCATION, NULL,
			"no address could be bound.\n");
		return -1;
	}

#ifdef ENABLE_NATT
	if (natt_enabled_in_rmconf() && !encap_ifnum) {
		plog(LLV_WARNING, LOCATION, NULL,
			"NAT-T is enabled in at least one remote{} section,\n");
		plog(LLV_WARNING, LOCATION, NULL,
			"but no 'isakmp_natt' address was specified!\n");
	}
#endif

	return 0;
}

void
isakmp_close()
{
#ifndef ANDROID_PATCHED
	struct myaddrs *p, *next;

	for (p = lcconf->myaddrs; p; p = next) {
		next = p->next;

		if (!p->addr) {
			racoon_free(p);
			continue;
		}
		close(p->sock);
		racoon_free(p->addr);
		racoon_free(p);
	}

	lcconf->myaddrs = NULL;
#endif
}

int
isakmp_send(iph1, sbuf)
	struct ph1handle *iph1;
	vchar_t *sbuf;
{
	int len = 0;
	int s;
	vchar_t *vbuf = NULL, swap;

#ifdef ENABLE_NATT
	size_t extralen = NON_ESP_MARKER_USE(iph1) ? NON_ESP_MARKER_LEN : 0;

	/* Check if NON_ESP_MARKER_LEN is already there (happens when resending packets)
	 */
	if(extralen == NON_ESP_MARKER_LEN &&
	   *(u_int32_t *)sbuf->v == 0)
		extralen = 0;

#ifdef ENABLE_FRAG
	/*
	 * Do not add the non ESP marker for a packet that will
	 * be fragmented. The non ESP marker should appear in
	 * all fragment's packets, but not in the fragmented packet
	 */
	if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN)
		extralen = 0;
#endif
	if (extralen)
		plog (LLV_DEBUG, LOCATION, NULL, "Adding NON-ESP marker\n");

	/* If NAT-T port floating is in use, 4 zero bytes (non-ESP marker)
	   must added just before the packet itself. For this we must
	   allocate a new buffer and release it at the end. */
	if (extralen) {
		if ((vbuf = vmalloc (sbuf->l + extralen)) == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "vbuf allocation failed\n");
			return -1;
		}
		*(u_int32_t *)vbuf->v = 0;
		memcpy (vbuf->v + extralen, sbuf->v, sbuf->l);
		/* ensures that the modified buffer will be sent back to the caller, so
		 * add_recvdpkt() will add the correct buffer
		 */
		swap = *sbuf;
		*sbuf = *vbuf;
		*vbuf = swap;
		vfree(vbuf);
	}
#endif

	/* select the socket to be sent */
	s = getsockmyaddr(iph1->local);
	if (s == -1){
		return -1;
	}

	plog (LLV_DEBUG, LOCATION, NULL, "%zu bytes %s\n", sbuf->l,
	      saddr2str_fromto("from %s to %s", iph1->local, iph1->remote));

#ifdef ENABLE_FRAG
	if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN) {
		if (isakmp_sendfrags(iph1, sbuf) == -1) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "isakmp_sendfrags failed\n");
			return -1;
		}
	} else
#endif
	{
		len = sendfromto(s, sbuf->v, sbuf->l,
		    iph1->local, iph1->remote, lcconf->count_persend);

		if (len == -1) {
			plog(LLV_ERROR, LOCATION, NULL, "sendfromto failed\n");
			return -1;
		}
	}

	return 0;
}

/* called from scheduler */
void
isakmp_ph1resend_stub(p)
	void *p;
{
	struct ph1handle *iph1;

	iph1=(struct ph1handle *)p;
	if(isakmp_ph1resend(iph1) < 0){
		if(iph1->scr != NULL){
			/* Should not happen...
			 */
			sched_kill(iph1->scr);
			iph1->scr=NULL;
		}

		remph1(iph1);
		delph1(iph1);
	}
}

int
isakmp_ph1resend(iph1)
	struct ph1handle *iph1;
{
	/* Note: NEVER do the rem/del here, it will be done by the caller or by the _stub function
	 */
	if (iph1->retry_counter <= 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"phase1 negotiation failed due to time up. %s\n",
			isakmp_pindex(&iph1->index, iph1->msgid));
		EVT_PUSH(iph1->local, iph1->remote,
		    EVTT_PEER_NO_RESPONSE, NULL);

		return -1;
	}

	if (isakmp_send(iph1, iph1->sendbuf) < 0){
		plog(LLV_ERROR, LOCATION, NULL,
			 "phase1 negotiation failed due to send error. %s\n",
			 isakmp_pindex(&iph1->index, iph1->msgid));
		EVT_PUSH(iph1->local, iph1->remote,
				 EVTT_PEER_NO_RESPONSE, NULL);
		return -1;
	}

	plog(LLV_DEBUG, LOCATION, NULL,
		"resend phase1 packet %s\n",
		isakmp_pindex(&iph1->index, iph1->msgid));

	iph1->retry_counter--;

	iph1->scr = sched_new(iph1->rmconf->retry_interval,
		isakmp_ph1resend_stub, iph1);

	return 0;
}

/* called from scheduler */
void
isakmp_ph2resend_stub(p)
	void *p;
{
	struct ph2handle *iph2;

	iph2=(struct ph2handle *)p;

	if(isakmp_ph2resend(iph2) < 0){
		unbindph12(iph2);
		remph2(iph2);
		delph2(iph2);
	}
}

int
isakmp_ph2resend(iph2)
	struct ph2handle *iph2;
{
	/* Note: NEVER do the unbind/rem/del here, it will be done by the caller or by the _stub function
	 */
	if (iph2->ph1->status == PHASE1ST_EXPIRED){
		plog(LLV_ERROR, LOCATION, NULL,
			"phase2 negotiation failed due to phase1 expired. %s\n",
				isakmp_pindex(&iph2->ph1->index, iph2->msgid));
		return -1;
	}

	if (iph2->retry_counter <= 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"phase2 negotiation failed due to time up. %s\n",
				isakmp_pindex(&iph2->ph1->index, iph2->msgid));
		EVT_PUSH(iph2->src, iph2->dst, EVTT_PEER_NO_RESPONSE, NULL);
		unbindph12(iph2);
		return -1;
	}

	if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0){
		plog(LLV_ERROR, LOCATION, NULL,
			"phase2 negotiation failed due to send error. %s\n",
				isakmp_pindex(&iph2->ph1->index, iph2->msgid));
		EVT_PUSH(iph2->src, iph2->dst, EVTT_PEER_NO_RESPONSE, NULL);

		return -1;
	}

	plog(LLV_DEBUG, LOCATION, NULL,
		"resend phase2 packet %s\n",
		isakmp_pindex(&iph2->ph1->index, iph2->msgid));

	iph2->retry_counter--;

	iph2->scr = sched_new(iph2->ph1->rmconf->retry_interval,
		isakmp_ph2resend_stub, iph2);

	return 0;
}

/* called from scheduler */
void
isakmp_ph1expire_stub(p)
	void *p;
{

	isakmp_ph1expire((struct ph1handle *)p);
}

void
isakmp_ph1expire(iph1)
	struct ph1handle *iph1;
{
	char *src, *dst;

	SCHED_KILL(iph1->sce);

	if(iph1->status != PHASE1ST_EXPIRED){
		src = racoon_strdup(saddr2str(iph1->local));
		dst = racoon_strdup(saddr2str(iph1->remote));
		STRDUP_FATAL(src);
		STRDUP_FATAL(dst);

		plog(LLV_INFO, LOCATION, NULL,
			 "ISAKMP-SA expired %s-%s spi:%s\n",
			 src, dst,
			 isakmp_pindex(&iph1->index, 0));
		racoon_free(src);
		racoon_free(dst);
		iph1->status = PHASE1ST_EXPIRED;
	}

	/*
	 * the phase1 deletion is postponed until there is no phase2.
	 */
	if (LIST_FIRST(&iph1->ph2tree) != NULL) {
		iph1->sce = sched_new(1, isakmp_ph1expire_stub, iph1);
		return;
	}

	iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1);
}

/* called from scheduler */
void
isakmp_ph1delete_stub(p)
	void *p;
{

	isakmp_ph1delete((struct ph1handle *)p);
}

void
isakmp_ph1delete(iph1)
	struct ph1handle *iph1;
{
	char *src, *dst;

	SCHED_KILL(iph1->sce);

	if (LIST_FIRST(&iph1->ph2tree) != NULL) {
		iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1);
		return;
	}

	/* don't re-negosiation when the phase 1 SA expires. */

	src = racoon_strdup(saddr2str(iph1->local));
	dst = racoon_strdup(saddr2str(iph1->remote));
	STRDUP_FATAL(src);
	STRDUP_FATAL(dst);

	plog(LLV_INFO, LOCATION, NULL,
		"ISAKMP-SA deleted %s-%s spi:%s\n",
		src, dst, isakmp_pindex(&iph1->index, 0));
	EVT_PUSH(iph1->local, iph1->remote, EVTT_PHASE1_DOWN, NULL);
	racoon_free(src);
	racoon_free(dst);

	remph1(iph1);
	delph1(iph1);

	return;
}

/* called from scheduler.
 * this function will call only isakmp_ph2delete().
 * phase 2 handler remain forever if kernel doesn't cry a expire of phase 2 SA
 * by something cause.  That's why this function is called after phase 2 SA
 * expires in the userland.
 */
void
isakmp_ph2expire_stub(p)
	void *p;
{

	isakmp_ph2expire((struct ph2handle *)p);
}

void
isakmp_ph2expire(iph2)
	struct ph2handle *iph2;
{
	char *src, *dst;

	SCHED_KILL(iph2->sce);

	src = racoon_strdup(saddrwop2str(iph2->src));
	dst = racoon_strdup(saddrwop2str(iph2->dst));
	STRDUP_FATAL(src);
	STRDUP_FATAL(dst);

	plog(LLV_INFO, LOCATION, NULL,
		"phase2 sa expired %s-%s\n", src, dst);
	racoon_free(src);
	racoon_free(dst);

	iph2->status = PHASE2ST_EXPIRED;

	iph2->sce = sched_new(1, isakmp_ph2delete_stub, iph2);

	return;
}

/* called from scheduler */
void
isakmp_ph2delete_stub(p)
	void *p;
{

	isakmp_ph2delete((struct ph2handle *)p);
}

void
isakmp_ph2delete(iph2)
	struct ph2handle *iph2;
{
	char *src, *dst;

	SCHED_KILL(iph2->sce);

	src = racoon_strdup(saddrwop2str(iph2->src));
	dst = racoon_strdup(saddrwop2str(iph2->dst));
	STRDUP_FATAL(src);
	STRDUP_FATAL(dst);

	plog(LLV_INFO, LOCATION, NULL,
		"phase2 sa deleted %s-%s\n", src, dst);
	racoon_free(src);
	racoon_free(dst);

	unbindph12(iph2);
	remph2(iph2);
	delph2(iph2);

	return;
}

/* %%%
 * Interface between PF_KEYv2 and ISAKMP
 */
/*
 * receive ACQUIRE from kernel, and begin either phase1 or phase2.
 * if phase1 has been finished, begin phase2.
 */
int
isakmp_post_acquire(iph2)
	struct ph2handle *iph2;
{
	struct remoteconf *rmconf;
	struct ph1handle *iph1 = NULL;

	plog(LLV_DEBUG, LOCATION, NULL, "in post_acquire\n");

	/* search appropreate configuration with masking port. */
	rmconf = getrmconf(iph2->dst);
	if (rmconf == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"no configuration found for %s.\n",
			saddrwop2str(iph2->dst));
		return -1;
	}

	/* if passive mode, ignore the acquire message */
	if (rmconf->passive) {
		plog(LLV_DEBUG, LOCATION, NULL,
			"because of passive mode, "
			"ignore the acquire message for %s.\n",
			saddrwop2str(iph2->dst));
		return 0;
	}

	/*
	 * Search isakmp status table by address and port
	 * If NAT-T is in use, consider null ports as a
	 * wildcard and use IKE ports instead.
	 */
#ifdef ENABLE_NATT
	if (!extract_port(iph2->src) && !extract_port(iph2->dst)) {
		if ((iph1 = getph1byaddrwop(iph2->src, iph2->dst)) != NULL) {
			set_port(iph2->src, extract_port(iph1->local));
			set_port(iph2->dst, extract_port(iph1->remote));
		}
	} else {
		iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
	}
#else
	iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
#endif

	/* no ISAKMP-SA found. */
	if (iph1 == NULL) {
		struct sched *sc;

		iph2->retry_checkph1 = lcconf->retry_checkph1;
		sc = sched_new(1, isakmp_chkph1there_stub, iph2);
		plog(LLV_INFO, LOCATION, NULL,
			"IPsec-SA request for %s queued "
			"due to no phase1 found.\n",
			saddrwop2str(iph2->dst));

		/* start phase 1 negotiation as a initiator. */
		if (isakmp_ph1begin_i(rmconf, iph2->dst, iph2->src) < 0) {
			SCHED_KILL(sc);
			return -1;
		}

		return 0;
		/*NOTREACHED*/
	}

	/* found ISAKMP-SA, but on negotiation. */
	if (iph1->status != PHASE1ST_ESTABLISHED) {
		iph2->retry_checkph1 = lcconf->retry_checkph1;
		sched_new(1, isakmp_chkph1there_stub, iph2);
		plog(LLV_INFO, LOCATION, iph2->dst,
			"request for establishing IPsec-SA was queued "
			"due to no phase1 found.\n");
		return 0;
		/*NOTREACHED*/
	}

	/* found established ISAKMP-SA */
	/* i.e. iph1->status == PHASE1ST_ESTABLISHED */

	/* found ISAKMP-SA. */
	plog(LLV_DEBUG, LOCATION, NULL, "begin QUICK mode.\n");

	/* begin quick mode */
	if (isakmp_ph2begin_i(iph1, iph2))
		return -1;

	return 0;
}

/*
 * receive GETSPI from kernel.
 */
int
isakmp_post_getspi(iph2)
	struct ph2handle *iph2;
{
#ifdef ENABLE_STATS
	struct timeval start, end;
#endif

	/* don't process it because there is no suitable phase1-sa. */
	if (iph2->ph1->status == PHASE1ST_EXPIRED) {
		plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
			"the negotiation is stopped, "
			"because there is no suitable ISAKMP-SA.\n");
		return -1;
	}

#ifdef ENABLE_STATS
	gettimeofday(&start, NULL);
#endif
	if ((ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)]
	                [iph2->side]
	                [iph2->status])(iph2, NULL) != 0)
		return -1;
#ifdef ENABLE_STATS
	gettimeofday(&end, NULL);
	syslog(LOG_NOTICE, "%s(%s): %8.6f",
		"phase2",
		s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status),
		timedelta(&start, &end));
#endif

	return 0;
}

/* called by scheduler */
void
isakmp_chkph1there_stub(p)
	void *p;
{
	isakmp_chkph1there((struct ph2handle *)p);
}

void
isakmp_chkph1there(iph2)
	struct ph2handle *iph2;
{
	struct ph1handle *iph1;

	iph2->retry_checkph1--;
	if (iph2->retry_checkph1 < 0) {
		plog(LLV_ERROR, LOCATION, iph2->dst,
			"phase2 negotiation failed "
			"due to time up waiting for phase1. %s\n",
			sadbsecas2str(iph2->dst, iph2->src,
				iph2->satype, 0, 0));
		plog(LLV_INFO, LOCATION, NULL,
			"delete phase 2 handler.\n");

		/* send acquire to kernel as error */
		pk_sendeacquire(iph2);

		unbindph12(iph2);
		remph2(iph2);
		delph2(iph2);

		return;
	}

	/*
	 * Search isakmp status table by address and port
	 * If NAT-T is in use, consider null ports as a
	 * wildcard and use IKE ports instead.
	 */
#ifdef ENABLE_NATT
	if (!extract_port(iph2->src) && !extract_port(iph2->dst)) {
		plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: extract_port.\n");
		if( (iph1 = getph1byaddrwop(iph2->src, iph2->dst)) != NULL){
			plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: found a ph1 wop.\n");
		}
	} else {
		plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: searching byaddr.\n");
		iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
		if(iph1 != NULL)
			plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: found byaddr.\n");
	}
#else
	iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
#endif

	/* XXX Even if ph1 as responder is there, should we not start
	 * phase 2 negotiation ? */
	if (iph1 != NULL
	 && iph1->status == PHASE1ST_ESTABLISHED) {
		/* found isakmp-sa */

		plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: got a ph1 handler, setting ports.\n");
		plog(LLV_DEBUG2, LOCATION, NULL, "iph1->local: %s\n", saddr2str(iph1->local));
		plog(LLV_DEBUG2, LOCATION, NULL, "iph1->remote: %s\n", saddr2str(iph1->remote));
		plog(LLV_DEBUG2, LOCATION, NULL, "before:\n");
		plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str(iph2->src));
		plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str(iph2->dst));
		set_port(iph2->src, extract_port(iph1->local));
		set_port(iph2->dst, extract_port(iph1->remote));
		plog(LLV_DEBUG2, LOCATION, NULL, "After:\n");
		plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str(iph2->src));
		plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str(iph2->dst));

		/* begin quick mode */
		(void)isakmp_ph2begin_i(iph1, iph2);
		return;
	}

	plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: no established ph1 handler found\n");

	/* no isakmp-sa found */
	sched_new(1, isakmp_chkph1there_stub, iph2);

	return;
}

/* copy variable data into ALLOCATED buffer. */
caddr_t
isakmp_set_attr_v(buf, type, val, len)
	caddr_t buf;
	int type;
	caddr_t val;
	int len;
{
	struct isakmp_data *data;

	data = (struct isakmp_data *)buf;
	data->type = htons((u_int16_t)type | ISAKMP_GEN_TLV);
	data->lorv = htons((u_int16_t)len);
	memcpy(data + 1, val, len);

	return buf + sizeof(*data) + len;
}

/* copy fixed length data into ALLOCATED buffer. */
caddr_t
isakmp_set_attr_l(buf, type, val)
	caddr_t buf;
	int type;
	u_int32_t val;
{
	struct isakmp_data *data;

	data = (struct isakmp_data *)buf;
	data->type = htons((u_int16_t)type | ISAKMP_GEN_TV);
	data->lorv = htons((u_int16_t)val);

	return buf + sizeof(*data);
}

/* add a variable data attribute to the buffer by reallocating it. */
vchar_t *
isakmp_add_attr_v(buf0, type, val, len)
	vchar_t *buf0;
	int type;
	caddr_t val;
	int len;
{
	vchar_t *buf = NULL;
	struct isakmp_data *data;
	int tlen;
	int oldlen = 0;

	tlen = sizeof(*data) + len;

	if (buf0) {
		oldlen = buf0->l;
		buf = vrealloc(buf0, oldlen + tlen);
	} else
		buf = vmalloc(tlen);
	if (!buf) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to get a attribute buffer.\n");
		return NULL;
	}

	data = (struct isakmp_data *)(buf->v + oldlen);
	data->type = htons((u_int16_t)type | ISAKMP_GEN_TLV);
	data->lorv = htons((u_int16_t)len);
	memcpy(data + 1, val, len);

	return buf;
}

/* add a fixed data attribute to the buffer by reallocating it. */
vchar_t *
isakmp_add_attr_l(buf0, type, val)
	vchar_t *buf0;
	int type;
	u_int32_t val;
{
	vchar_t *buf = NULL;
	struct isakmp_data *data;
	int tlen;
	int oldlen = 0;

	tlen = sizeof(*data);

	if (buf0) {
		oldlen = buf0->l;
		buf = vrealloc(buf0, oldlen + tlen);
	} else
		buf = vmalloc(tlen);
	if (!buf) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to get a attribute buffer.\n");
		return NULL;
	}

	data = (struct isakmp_data *)(buf->v + oldlen);
	data->type = htons((u_int16_t)type | ISAKMP_GEN_TV);
	data->lorv = htons((u_int16_t)val);

	return buf;
}

/*
 * calculate cookie and set.
 */
int
isakmp_newcookie(place, remote, local)
	caddr_t place;
	struct sockaddr *remote;
	struct sockaddr *local;
{
	vchar_t *buf = NULL, *buf2 = NULL;
	char *p;
	int blen;
	int alen;
	caddr_t sa1, sa2;
	time_t t;
	int error = -1;
	u_short port;


	if (remote->sa_family != local->sa_family) {
		plog(LLV_ERROR, LOCATION, NULL,
			"address family mismatch, remote:%d local:%d\n",
			remote->sa_family, local->sa_family);
		goto end;
	}
	switch (remote->sa_family) {
	case AF_INET:
		alen = sizeof(struct in_addr);
		sa1 = (caddr_t)&((struct sockaddr_in *)remote)->sin_addr;
		sa2 = (caddr_t)&((struct sockaddr_in *)local)->sin_addr;
		break;
#ifdef INET6
	case AF_INET6:
		alen = sizeof(struct in6_addr);
		sa1 = (caddr_t)&((struct sockaddr_in6 *)remote)->sin6_addr;
		sa2 = (caddr_t)&((struct sockaddr_in6 *)local)->sin6_addr;
		break;
#endif
	default:
		plog(LLV_ERROR, LOCATION, NULL,
			"invalid family: %d\n", remote->sa_family);
		goto end;
	}
	blen = (alen + sizeof(u_short)) * 2
		+ sizeof(time_t) + lcconf->secret_size;
	buf = vmalloc(blen);
	if (buf == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to get a cookie.\n");
		goto end;
	}
	p = buf->v;

	/* copy my address */
	memcpy(p, sa1, alen);
	p += alen;
	port = ((struct sockaddr_in *)remote)->sin_port;
	memcpy(p, &port, sizeof(u_short));
	p += sizeof(u_short);

	/* copy target address */
	memcpy(p, sa2, alen);
	p += alen;
	port = ((struct sockaddr_in *)local)->sin_port;
	memcpy(p, &port, sizeof(u_short));
	p += sizeof(u_short);

	/* copy time */
	t = time(0);
	memcpy(p, (caddr_t)&t, sizeof(t));
	p += sizeof(t);

	/* copy random value */
	buf2 = eay_set_random(lcconf->secret_size);
	if (buf2 == NULL)
		goto end;
	memcpy(p, buf2->v, lcconf->secret_size);
	p += lcconf->secret_size;
	vfree(buf2);

	buf2 = eay_sha1_one(buf);
	memcpy(place, buf2->v, sizeof(cookie_t));

	sa1 = val2str(place, sizeof (cookie_t));
	plog(LLV_DEBUG, LOCATION, NULL, "new cookie:\n%s\n", sa1);
	racoon_free(sa1);

	error = 0;
end:
	if (buf != NULL)
		vfree(buf);
	if (buf2 != NULL)
		vfree(buf2);
	return error;
}

/*
 * save partner's(payload) data into phhandle.
 */
int
isakmp_p2ph(buf, gen)
	vchar_t **buf;
	struct isakmp_gen *gen;
{
	/* XXX to be checked in each functions for logging. */
	if (*buf) {
		plog(LLV_WARNING, LOCATION, NULL,
			"ignore this payload, same payload type exist.\n");
		return -1;
	}

	*buf = vmalloc(ntohs(gen->len) - sizeof(*gen));
	if (*buf == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to get buffer.\n");
		return -1;
	}
	memcpy((*buf)->v, gen + 1, (*buf)->l);

	return 0;
}

u_int32_t
isakmp_newmsgid2(iph1)
	struct ph1handle *iph1;
{
	u_int32_t msgid2;

	do {
		msgid2 = eay_random();
	} while (getph2bymsgid(iph1, msgid2));

	return msgid2;
}

/*
 * set values into allocated buffer of isakmp header for phase 1
 */
static caddr_t
set_isakmp_header(vbuf, iph1, nptype, etype, flags, msgid)
	vchar_t *vbuf;
	struct ph1handle *iph1;
	int nptype;
	u_int8_t etype;
	u_int8_t flags;
	u_int32_t msgid;
{
	struct isakmp *isakmp;

	if (vbuf->l < sizeof(*isakmp))
		return NULL;

	isakmp = (struct isakmp *)vbuf->v;

	memcpy(&isakmp->i_ck, &iph1->index.i_ck, sizeof(cookie_t));
	memcpy(&isakmp->r_ck, &iph1->index.r_ck, sizeof(cookie_t));
	isakmp->np = nptype;
	isakmp->v = iph1->version;
	isakmp->etype = etype;
	isakmp->flags = flags;
	isakmp->msgid = msgid;
	isakmp->len = htonl(vbuf->l);

	return vbuf->v + sizeof(*isakmp);
}

/*
 * set values into allocated buffer of isakmp header for phase 1
 */
caddr_t
set_isakmp_header1(vbuf, iph1, nptype)
	vchar_t *vbuf;
	struct ph1handle *iph1;
	int nptype;
{
	return set_isakmp_header (vbuf, iph1, nptype, iph1->etype, iph1->flags, iph1->msgid);
}

/*
 * set values into allocated buffer of isakmp header for phase 2
 */
caddr_t
set_isakmp_header2(vbuf, iph2, nptype)
	vchar_t *vbuf;
	struct ph2handle *iph2;
	int nptype;
{
	return set_isakmp_header (vbuf, iph2->ph1, nptype, ISAKMP_ETYPE_QUICK, iph2->flags, iph2->msgid);
}

/*
 * set values into allocated buffer of isakmp payload.
 */
caddr_t
set_isakmp_payload(buf, src, nptype)
	caddr_t buf;
	vchar_t *src;
	int nptype;
{
	struct isakmp_gen *gen;
	caddr_t p = buf;

	plog(LLV_DEBUG, LOCATION, NULL, "add payload of len %zu, next type %d\n",
	    src->l, nptype);

	gen = (struct isakmp_gen *)p;
	gen->np = nptype;
	gen->len = htons(sizeof(*gen) + src->l);
	p += sizeof(*gen);
	memcpy(p, src->v, src->l);
	p += src->l;

	return p;
}

static int
etypesw1(etype)
	int etype;
{
	switch (etype) {
	case ISAKMP_ETYPE_IDENT:
		return 1;
	case ISAKMP_ETYPE_AGG:
		return 2;
	case ISAKMP_ETYPE_BASE:
		return 3;
	default:
		return 0;
	}
	/*NOTREACHED*/
}

static int
etypesw2(etype)
	int etype;
{
	switch (etype) {
	case ISAKMP_ETYPE_QUICK:
		return 1;
	default:
		return 0;
	}
	/*NOTREACHED*/
}

#ifdef HAVE_PRINT_ISAKMP_C
/* for print-isakmp.c */
char *snapend;
extern void isakmp_print __P((const u_char *, u_int, const u_char *));

char *getname __P((const u_char *));
#ifdef INET6
char *getname6 __P((const u_char *));
#endif
int safeputchar __P((int));

/*
 * Return a name for the IP address pointed to by ap.  This address
 * is assumed to be in network byte order.
 */
char *
getname(ap)
	const u_char *ap;
{
	struct sockaddr_in addr;
	static char ntop_buf[NI_MAXHOST];

	memset(&addr, 0, sizeof(addr));
#ifndef __linux__
	addr.sin_len = sizeof(struct sockaddr_in);
#endif
	addr.sin_family = AF_INET;
	memcpy(&addr.sin_addr, ap, sizeof(addr.sin_addr));
	if (getnameinfo((struct sockaddr *)&addr, sizeof(addr),
			ntop_buf, sizeof(ntop_buf), NULL, 0,
			NI_NUMERICHOST | niflags))
		strlcpy(ntop_buf, "?", sizeof(ntop_buf));

	return ntop_buf;
}

#ifdef INET6
/*
 * Return a name for the IP6 address pointed to by ap.  This address
 * is assumed to be in network byte order.
 */
char *
getname6(ap)
	const u_char *ap;
{
	struct sockaddr_in6 addr;
	static char ntop_buf[NI_MAXHOST];

	memset(&addr, 0, sizeof(addr));
	addr.sin6_len = sizeof(struct sockaddr_in6);
	addr.sin6_family = AF_INET6;
	memcpy(&addr.sin6_addr, ap, sizeof(addr.sin6_addr));
	if (getnameinfo((struct sockaddr *)&addr, addr.sin6_len,
			ntop_buf, sizeof(ntop_buf), NULL, 0,
			NI_NUMERICHOST | niflags))
		strlcpy(ntop_buf, "?", sizeof(ntop_buf));

	return ntop_buf;
}
#endif /* INET6 */

int
safeputchar(c)
	int c;
{
	unsigned char ch;

	ch = (unsigned char)(c & 0xff);
	if (c < 0x80 && isprint(c))
		return printf("%c", c & 0xff);
	else
		return printf("\\%03o", c & 0xff);
}

void
isakmp_printpacket(msg, from, my, decoded)
	vchar_t *msg;
	struct sockaddr *from;
	struct sockaddr *my;
	int decoded;
{
#ifdef YIPS_DEBUG
	struct timeval tv;
	int s;
	char hostbuf[NI_MAXHOST];
	char portbuf[NI_MAXSERV];
	struct isakmp *isakmp;
	vchar_t *buf;
#endif

	if (loglevel < LLV_DEBUG)
		return;

#ifdef YIPS_DEBUG
	plog(LLV_DEBUG, LOCATION, NULL, "begin.\n");

	gettimeofday(&tv, NULL);
	s = tv.tv_sec % 3600;
	printf("%02d:%02d.%06u ", s / 60, s % 60, (u_int32_t)tv.tv_usec);

	if (from) {
		if (getnameinfo(from, sysdep_sa_len(from), hostbuf, sizeof(hostbuf),
				portbuf, sizeof(portbuf),
				NI_NUMERICHOST | NI_NUMERICSERV | niflags)) {
			strlcpy(hostbuf, "?", sizeof(hostbuf));
			strlcpy(portbuf, "?", sizeof(portbuf));
		}
		printf("%s:%s", hostbuf, portbuf);
	} else
		printf("?");
	printf(" -> ");
	if (my) {
		if (getnameinfo(my, sysdep_sa_len(my), hostbuf, sizeof(hostbuf),
				portbuf, sizeof(portbuf),
				NI_NUMERICHOST | NI_NUMERICSERV | niflags)) {
			strlcpy(hostbuf, "?", sizeof(hostbuf));
			strlcpy(portbuf, "?", sizeof(portbuf));
		}
		printf("%s:%s", hostbuf, portbuf);
	} else
		printf("?");
	printf(": ");

	buf = vdup(msg);
	if (!buf) {
		printf("(malloc fail)\n");
		return;
	}
	if (decoded) {
		isakmp = (struct isakmp *)buf->v;
		if (isakmp->flags & ISAKMP_FLAG_E) {
#if 0
			int pad;
			pad = *(u_char *)(buf->v + buf->l - 1);
			if (buf->l < pad && 2 < vflag)
				printf("(wrong padding)");
#endif
			isakmp->flags &= ~ISAKMP_FLAG_E;
		}
	}

	snapend = buf->v + buf->l;
	isakmp_print(buf->v, buf->l, NULL);
	vfree(buf);
	printf("\n");
	fflush(stdout);

	return;
#endif
}
#endif /*HAVE_PRINT_ISAKMP_C*/

int
copy_ph1addresses(iph1, rmconf, remote, local)
	struct ph1handle *iph1;
	struct remoteconf *rmconf;
	struct sockaddr *remote, *local;
{
	u_int16_t port;

	/* address portion must be grabbed from real remote address "remote" */
	iph1->remote = dupsaddr(remote);
	if (iph1->remote == NULL)
		return -1;

	/*
	 * if remote has no port # (in case of initiator - from ACQUIRE msg)
	 * - if remote.conf specifies port #, use that
	 * - if remote.conf does not, use 500
	 * if remote has port # (in case of responder - from recvfrom(2))
	 * respect content of "remote".
	 */
	if (extract_port(iph1->remote) == 0) {
		port = extract_port(rmconf->remote);
		if (port == 0)
			port = PORT_ISAKMP;
		set_port(iph1->remote, port);
	}

	if (local == NULL)
		iph1->local = getlocaladdr(iph1->remote);
	else
		iph1->local = dupsaddr(local);
	if (iph1->local == NULL)
		return -1;

	if (extract_port(iph1->local) == 0)
		set_port(iph1->local, PORT_ISAKMP);

#ifdef ENABLE_NATT
	if (extract_port(iph1->local) == lcconf->port_isakmp_natt) {
		plog(LLV_DEBUG, LOCATION, NULL, "Marking ports as changed\n");
		iph1->natt_flags |= NAT_ADD_NON_ESP_MARKER;
	}
#endif

	return 0;
}

static int
nostate1(iph1, msg)
	struct ph1handle *iph1;
	vchar_t *msg;
{
	plog(LLV_ERROR, LOCATION, iph1->remote, "wrong state %u.\n",
			iph1->status);
	return -1;
}

static int
nostate2(iph2, msg)
	struct ph2handle *iph2;
	vchar_t *msg;
{
	plog(LLV_ERROR, LOCATION, iph2->ph1->remote, "wrong state %u.\n",
		iph2->status);
	return -1;
}

void
log_ph1established(iph1)
	const struct ph1handle *iph1;
{
	char *src, *dst;

	src = racoon_strdup(saddr2str(iph1->local));
	dst = racoon_strdup(saddr2str(iph1->remote));
	STRDUP_FATAL(src);
	STRDUP_FATAL(dst);

	plog(LLV_INFO, LOCATION, NULL,
		"ISAKMP-SA established %s-%s spi:%s\n",
		src, dst,
		isakmp_pindex(&iph1->index, 0));

	EVT_PUSH(iph1->local, iph1->remote, EVTT_PHASE1_UP, NULL);
	if(!iph1->rmconf->mode_cfg)
		EVT_PUSH(iph1->local, iph1->remote, EVTT_NO_ISAKMP_CFG, NULL);

	racoon_free(src);
	racoon_free(dst);

	return;
}

struct payload_list *
isakmp_plist_append (struct payload_list *plist, vchar_t *payload, int payload_type)
{
	if (! plist) {
		plist = racoon_malloc (sizeof (struct payload_list));
		plist->prev = NULL;
	}
	else {
		plist->next = racoon_malloc (sizeof (struct payload_list));
		plist->next->prev = plist;
		plist = plist->next;
	}

	plist->next = NULL;
	plist->payload = payload;
	plist->payload_type = payload_type;

	return plist;
}

vchar_t *
isakmp_plist_set_all (struct payload_list **plist, struct ph1handle *iph1)
{
	struct payload_list *ptr = *plist, *first;
	size_t tlen = sizeof (struct isakmp), n = 0;
	vchar_t *buf = NULL;
	char *p;

	/* Seek to the first item.  */
	while (ptr->prev) ptr = ptr->prev;
	first = ptr;

	/* Compute the whole length.  */
	while (ptr) {
		tlen += ptr->payload->l + sizeof (struct isakmp_gen);
		ptr = ptr->next;
	}

	buf = vmalloc(tlen);
	if (buf == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to get buffer to send.\n");
		goto end;
	}

	ptr = first;

	p = set_isakmp_header1(buf, iph1, ptr->payload_type);
	if (p == NULL)
		goto end;

	while (ptr)
	{
		p = set_isakmp_payload (p, ptr->payload, ptr->next ? ptr->next->payload_type : ISAKMP_NPTYPE_NONE);
		first = ptr;
		ptr = ptr->next;
		racoon_free (first);
		/* ptr->prev = NULL; first = NULL; ... omitted.  */
		n++;
	}

	*plist = NULL;

	return buf;
end:
	if (buf != NULL)
		vfree(buf);
	return NULL;
}

#ifdef ENABLE_FRAG
int
frag_handler(iph1, msg, remote, local)
	struct ph1handle *iph1;
	vchar_t *msg;
	struct sockaddr *remote;
	struct sockaddr *local;
{
	vchar_t *newmsg;

	if (isakmp_frag_extract(iph1, msg) == 1) {
		if ((newmsg = isakmp_frag_reassembly(iph1)) == NULL) {
			plog(LLV_ERROR, LOCATION, remote,
			    "Packet reassembly failed\n");
			return -1;
		}
		return isakmp_main(newmsg, remote, local);
	}

	return 0;
}
#endif

void
script_hook(iph1, script)
	struct ph1handle *iph1;
	int script;
{
#define IP_MAX 40
#define PORT_MAX 6
	char addrstr[IP_MAX];
	char portstr[PORT_MAX];
	char **envp = NULL;
	int envc = 1;
	struct sockaddr_in *sin;
	char **c;

	if (iph1 == NULL ||
		iph1->rmconf == NULL ||
		iph1->rmconf->script[script] == NULL)
		return;

#ifdef ENABLE_HYBRID
	(void)isakmp_cfg_setenv(iph1, &envp, &envc);
#endif

	/* local address */
	sin = (struct sockaddr_in *)iph1->local;
	inet_ntop(sin->sin_family, &sin->sin_addr, addrstr, IP_MAX);
	snprintf(portstr, PORT_MAX, "%d", ntohs(sin->sin_port));

	if (script_env_append(&envp, &envc, "LOCAL_ADDR", addrstr) != 0) {
		plog(LLV_ERROR, LOCATION, NULL, "Cannot set LOCAL_ADDR\n");
		goto out;
	}

	if (script_env_append(&envp, &envc, "LOCAL_PORT", portstr) != 0) {
		plog(LLV_ERROR, LOCATION, NULL, "Cannot set LOCAL_PORT\n");
		goto out;
	}

	/* Peer address */
	if (iph1->remote != NULL) {
		sin = (struct sockaddr_in *)iph1->remote;
		inet_ntop(sin->sin_family, &sin->sin_addr, addrstr, IP_MAX);
		snprintf(portstr, PORT_MAX, "%d", ntohs(sin->sin_port));

		if (script_env_append(&envp, &envc,
		    "REMOTE_ADDR", addrstr) != 0) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "Cannot set REMOTE_ADDR\n");
			goto out;
		}

		if (script_env_append(&envp, &envc,
		    "REMOTE_PORT", portstr) != 0) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "Cannot set REMOTEL_PORT\n");
			goto out;
		}
	}

	if (privsep_script_exec(iph1->rmconf->script[script]->v,
	    script, envp) != 0)
		plog(LLV_ERROR, LOCATION, NULL,
		    "Script %s execution failed\n", script_names[script]);

out:
	for (c = envp; *c; c++)
		racoon_free(*c);

	racoon_free(envp);

	return;
}

int
script_env_append(envp, envc, name, value)
	char ***envp;
	int *envc;
	char *name;
	char *value;
{
	char *envitem;
	char **newenvp;
	int newenvc;

	if (value == NULL) {
	        value = "";
	}

	envitem = racoon_malloc(strlen(name) + 1 + strlen(value) + 1);
	if (envitem == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "Cannot allocate memory: %s\n", strerror(errno));
		return -1;
	}
	sprintf(envitem, "%s=%s", name, value);

	newenvc = (*envc) + 1;
	newenvp = racoon_realloc(*envp, newenvc * sizeof(char *));
	if (newenvp == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "Cannot allocate memory: %s\n", strerror(errno));
		racoon_free(envitem);
		return -1;
	}

	newenvp[newenvc - 2] = envitem;
	newenvp[newenvc - 1] = NULL;

	*envp = newenvp;
	*envc = newenvc;
	return 0;
}

int
script_exec(script, name, envp)
	char *script;
	int name;
	char *const envp[];
{
	char *argv[] = { NULL, NULL, NULL };

	argv[0] = script;
	argv[1] = script_names[name];
	argv[2] = NULL;

	switch (fork()) {
	case 0:
		execve(argv[0], argv, envp);
		plog(LLV_ERROR, LOCATION, NULL,
		    "execve(\"%s\") failed: %s\n",
		    argv[0], strerror(errno));
		_exit(1);
		break;
	case -1:
		plog(LLV_ERROR, LOCATION, NULL,
		    "Cannot fork: %s\n", strerror(errno));
		return -1;
		break;
	default:
		break;
	}
	return 0;

}

void
purge_remote(iph1)
	struct ph1handle *iph1;
{
	vchar_t *buf = NULL;
	struct sadb_msg *msg, *next, *end;
	struct sadb_sa *sa;
	struct sockaddr *src, *dst;
	caddr_t mhp[SADB_EXT_MAX + 1];
	u_int proto_id;
	struct ph2handle *iph2;
	struct ph1handle *new_iph1;

	plog(LLV_INFO, LOCATION, NULL,
		 "purging ISAKMP-SA spi=%s.\n",
		 isakmp_pindex(&(iph1->index), iph1->msgid));

	/* Mark as expired. */
	iph1->status = PHASE1ST_EXPIRED;

	/* Check if we have another, still valid, phase1 SA. */
	new_iph1 = getph1byaddr(iph1->local, iph1->remote, 1);

	/*
	 * Delete all orphaned or binded to the deleting ph1handle phase2 SAs.
	 * Keep all others phase2 SAs.
	 */
	buf = pfkey_dump_sadb(SADB_SATYPE_UNSPEC);
	if (buf == NULL) {
		plog(LLV_DEBUG, LOCATION, NULL,
			"pfkey_dump_sadb returned nothing.\n");
		return;
	}

	msg = (struct sadb_msg *)buf->v;
	end = (struct sadb_msg *)(buf->v + buf->l);

	while (msg < end) {
		if ((msg->sadb_msg_len << 3) < sizeof(*msg))
			break;
		next = (struct sadb_msg *)((caddr_t)msg + (msg->sadb_msg_len << 3));
		if (msg->sadb_msg_type != SADB_DUMP) {
			msg = next;
			continue;
		}

		if (pfkey_align(msg, mhp) || pfkey_check(mhp)) {
			plog(LLV_ERROR, LOCATION, NULL,
				"pfkey_check (%s)\n", ipsec_strerror());
			msg = next;
			continue;
		}

		sa = (struct sadb_sa *)(mhp[SADB_EXT_SA]);
		if (!sa ||
		    !mhp[SADB_EXT_ADDRESS_SRC] ||
		    !mhp[SADB_EXT_ADDRESS_DST]) {
			msg = next;
			continue;
		}
		src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
		dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);

		if (sa->sadb_sa_state != SADB_SASTATE_LARVAL &&
		    sa->sadb_sa_state != SADB_SASTATE_MATURE &&
		    sa->sadb_sa_state != SADB_SASTATE_DYING) {
			msg = next;
			continue;
		}

		/*
		 * check in/outbound SAs.
		 * Select only SAs where src == local and dst == remote (outgoing)
		 * or src == remote and dst == local (incoming).
		 */
		if ((CMPSADDR(iph1->local, src) || CMPSADDR(iph1->remote, dst)) &&
			(CMPSADDR(iph1->local, dst) || CMPSADDR(iph1->remote, src))) {
			msg = next;
			continue;
		}

		proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype);
		iph2 = getph2bysaidx(src, dst, proto_id, sa->sadb_sa_spi);

		/* Check if there is another valid ISAKMP-SA */
		if (new_iph1 != NULL) {

			if (iph2 == NULL) {
				/* No handler... still send a pfkey_delete message, but log this !*/
				plog(LLV_INFO, LOCATION, NULL,
					"Unknown IPsec-SA spi=%u, hmmmm?\n",
					ntohl(sa->sadb_sa_spi));
			}else{

				/*
				 * If we have a new ph1, do not purge IPsec-SAs binded
				 *  to a different ISAKMP-SA
				 */
				if (iph2->ph1 != NULL && iph2->ph1 != iph1){
					msg = next;
					continue;
				}

				/* If the ph2handle is established, do not purge IPsec-SA */
				if (iph2->status == PHASE2ST_ESTABLISHED ||
					iph2->status == PHASE2ST_EXPIRED) {

					plog(LLV_INFO, LOCATION, NULL,
						 "keeping IPsec-SA spi=%u - found valid ISAKMP-SA spi=%s.\n",
						 ntohl(sa->sadb_sa_spi),
						 isakmp_pindex(&(new_iph1->index), new_iph1->msgid));
					msg = next;
					continue;
				}
			}
		}


		pfkey_send_delete(lcconf->sock_pfkey,
				  msg->sadb_msg_satype,
				  IPSEC_MODE_ANY,
				  src, dst, sa->sadb_sa_spi);

		/* delete a relative phase 2 handle. */
		if (iph2 != NULL) {
			delete_spd(iph2, 0);
			unbindph12(iph2);
			remph2(iph2);
			delph2(iph2);
		}

		plog(LLV_INFO, LOCATION, NULL,
			 "purged IPsec-SA spi=%u.\n",
			 ntohl(sa->sadb_sa_spi));

		msg = next;
	}

	if (buf)
		vfree(buf);

	/* Mark the phase1 handler as EXPIRED */
	plog(LLV_INFO, LOCATION, NULL,
		 "purged ISAKMP-SA spi=%s.\n",
		 isakmp_pindex(&(iph1->index), iph1->msgid));

	SCHED_KILL(iph1->sce);

	iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1);
}

void
delete_spd(iph2, created)
	struct ph2handle *iph2;
 	u_int64_t created;
{
	struct policyindex spidx;
	struct sockaddr_storage addr;
	u_int8_t pref;
	struct sockaddr *src;
	struct sockaddr *dst;
	int error;
	int idi2type = 0;/* switch whether copy IDs into id[src,dst]. */

	if (iph2 == NULL)
		return;

	/* Delete the SPD entry if we generated it
	 */
	if (! iph2->generated_spidx )
		return;

	src = iph2->src;
	dst = iph2->dst;

	plog(LLV_INFO, LOCATION, NULL,
		 "generated policy, deleting it.\n");

	memset(&spidx, 0, sizeof(spidx));
	iph2->spidx_gen = (caddr_t )&spidx;

	/* make inbound policy */
	iph2->src = dst;
	iph2->dst = src;
	spidx.dir = IPSEC_DIR_INBOUND;
	spidx.ul_proto = 0;

	/*
	 * Note: code from get_proposal_r
	 */

#define _XIDT(d) ((struct ipsecdoi_id_b *)(d)->v)->type

	/*
	 * make destination address in spidx from either ID payload
	 * or phase 1 address into a address in spidx.
	 */
	if (iph2->id != NULL
		&& (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR
			|| _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR
			|| _XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR_SUBNET
			|| _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
		/* get a destination address of a policy */
		error = ipsecdoi_id2sockaddr(iph2->id,
									 (struct sockaddr *)&spidx.dst,
									 &spidx.prefd, &spidx.ul_proto);
		if (error)
			goto purge;

#ifdef INET6
		/*
		 * get scopeid from the SA address.
		 * note that the phase 1 source address is used as
		 * a destination address to search for a inbound
		 * policy entry because rcoon is responder.
		 */
		if (_XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) {
			if ((error =
				 setscopeid((struct sockaddr *)&spidx.dst,
							iph2->src)) != 0)
				goto purge;
		}
#endif

		if (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR
			|| _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR)
			idi2type = _XIDT(iph2->id);

	} else {

		plog(LLV_DEBUG, LOCATION, NULL,
			 "get a destination address of SP index "
			 "from phase1 address "
			 "due to no ID payloads found "
			 "OR because ID type is not address.\n");

		/*
		 * copy the SOURCE address of IKE into the
		 * DESTINATION address of the key to search the
		 * SPD because the direction of policy is inbound.
		 */
		memcpy(&spidx.dst, iph2->src, sysdep_sa_len(iph2->src));
		switch (spidx.dst.ss_family) {
		case AF_INET:
			spidx.prefd =
				sizeof(struct in_addr) << 3;
			break;
#ifdef INET6
		case AF_INET6:
			spidx.prefd =
				sizeof(struct in6_addr) << 3;
			break;
#endif
		default:
			spidx.prefd = 0;
			break;
		}
	}

	/* make source address in spidx */
	if (iph2->id_p != NULL
		&& (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR
			|| _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR
			|| _XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR_SUBNET
			|| _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
		/* get a source address of inbound SA */
		error = ipsecdoi_id2sockaddr(iph2->id_p,
									 (struct sockaddr *)&spidx.src,
									 &spidx.prefs, &spidx.ul_proto);
		if (error)
			goto purge;

#ifdef INET6
		/*
		 * get scopeid from the SA address.
		 * for more detail, see above of this function.
		 */
		if (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR) {
			error =
				setscopeid((struct sockaddr *)&spidx.src,
						   iph2->dst);
			if (error)
				goto purge;
		}
#endif

		/* make id[src,dst] if both ID types are IP address and same */
		if (_XIDT(iph2->id_p) == idi2type
			&& spidx.dst.ss_family == spidx.src.ss_family) {
			iph2->src_id =
				dupsaddr((struct sockaddr *)&spidx.dst);
			if (iph2->src_id == NULL) {
				plog(LLV_ERROR, LOCATION, NULL,
					 "allocation failed\n");
				goto purge;
			}
			iph2->dst_id =
				dupsaddr((struct sockaddr *)&spidx.src);
			if (iph2->dst_id == NULL) {
				plog(LLV_ERROR, LOCATION, NULL,
					 "allocation failed\n");
				goto purge;
			}
		}

	} else {
		plog(LLV_DEBUG, LOCATION, NULL,
			 "get a source address of SP index "
			 "from phase1 address "
			 "due to no ID payloads found "
			 "OR because ID type is not address.\n");

		/* see above comment. */
		memcpy(&spidx.src, iph2->dst, sysdep_sa_len(iph2->dst));
		switch (spidx.src.ss_family) {
		case AF_INET:
			spidx.prefs =
				sizeof(struct in_addr) << 3;
			break;
#ifdef INET6
		case AF_INET6:
			spidx.prefs =
				sizeof(struct in6_addr) << 3;
			break;
#endif
		default:
			spidx.prefs = 0;
			break;
		}
	}

#undef _XIDT

	plog(LLV_DEBUG, LOCATION, NULL,
		 "get a src address from ID payload "
		 "%s prefixlen=%u ul_proto=%u\n",
		 saddr2str((struct sockaddr *)&spidx.src),
		 spidx.prefs, spidx.ul_proto);
	plog(LLV_DEBUG, LOCATION, NULL,
		 "get dst address from ID payload "
		 "%s prefixlen=%u ul_proto=%u\n",
		 saddr2str((struct sockaddr *)&spidx.dst),
		 spidx.prefd, spidx.ul_proto);

	/*
	 * convert the ul_proto if it is 0
	 * because 0 in ID payload means a wild card.
	 */
	if (spidx.ul_proto == 0)
		spidx.ul_proto = IPSEC_ULPROTO_ANY;

#undef _XIDT

	/* Check if the generated SPD has the same timestamp as the SA.
	 * If timestamps are different, this means that the SPD entry has been
	 * refreshed by another SA, and should NOT be deleted with the current SA.
	 */
	if( created ){
		struct secpolicy *p;

		p = getsp(&spidx);
		if(p != NULL){
			/* just do no test if p is NULL, because this probably just means
			 * that the policy has already be deleted for some reason.
			 */
			if(p->spidx.created != created)
				goto purge;
		}
	}

	/* End of code from get_proposal_r
	 */

	if (pk_sendspddelete(iph2) < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			 "pfkey spddelete(inbound) failed.\n");
	}else{
		plog(LLV_DEBUG, LOCATION, NULL,
			 "pfkey spddelete(inbound) sent.\n");
	}

#ifdef HAVE_POLICY_FWD
	/* make forward policy if required */
	if (tunnel_mode_prop(iph2->approval)) {
		spidx.dir = IPSEC_DIR_FWD;
		if (pk_sendspddelete(iph2) < 0) {
			plog(LLV_ERROR, LOCATION, NULL,
				 "pfkey spddelete(forward) failed.\n");
		}else{
			plog(LLV_DEBUG, LOCATION, NULL,
				 "pfkey spddelete(forward) sent.\n");
		}
	}
#endif

	/* make outbound policy */
	iph2->src = src;
	iph2->dst = dst;
	spidx.dir = IPSEC_DIR_OUTBOUND;
	addr = spidx.src;
	spidx.src = spidx.dst;
	spidx.dst = addr;
	pref = spidx.prefs;
	spidx.prefs = spidx.prefd;
	spidx.prefd = pref;

	if (pk_sendspddelete(iph2) < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			 "pfkey spddelete(outbound) failed.\n");
	}else{
		plog(LLV_DEBUG, LOCATION, NULL,
			 "pfkey spddelete(outbound) sent.\n");
	}
purge:
	iph2->spidx_gen=NULL;
}


#ifdef INET6
u_int32_t
setscopeid(sp_addr0, sa_addr0)
	struct sockaddr *sp_addr0, *sa_addr0;
{
	struct sockaddr_in6 *sp_addr, *sa_addr;

	sp_addr = (struct sockaddr_in6 *)sp_addr0;
	sa_addr = (struct sockaddr_in6 *)sa_addr0;

	if (!IN6_IS_ADDR_LINKLOCAL(&sp_addr->sin6_addr)
	 && !IN6_IS_ADDR_SITELOCAL(&sp_addr->sin6_addr)
	 && !IN6_IS_ADDR_MULTICAST(&sp_addr->sin6_addr))
		return 0;

	/* this check should not be here ? */
	if (sa_addr->sin6_family != AF_INET6) {
		plog(LLV_ERROR, LOCATION, NULL,
			"can't get scope ID: family mismatch\n");
		return -1;
	}

	if (!IN6_IS_ADDR_LINKLOCAL(&sa_addr->sin6_addr)) {
		plog(LLV_ERROR, LOCATION, NULL,
			"scope ID is not supported except of lladdr.\n");
		return -1;
	}

	sp_addr->sin6_scope_id = sa_addr->sin6_scope_id;

	return 0;
}
#endif