isakmp_quick.c revision f8a6a7636d53a5730c58ae041e4e09ae12e1657c
1/* $NetBSD: isakmp_quick.c,v 1.29 2011/03/14 17:18:13 tteras Exp $ */ 2 3/* Id: isakmp_quick.c,v 1.29 2006/08/22 18:17:17 manubsd Exp */ 4 5/* 6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of the project nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34#include "config.h" 35 36#include <sys/types.h> 37#include <sys/param.h> 38#include <sys/socket.h> 39 40#include <netinet/in.h> 41 42#include <stdlib.h> 43#include <stdio.h> 44#include <string.h> 45#include <errno.h> 46#if TIME_WITH_SYS_TIME 47# include <sys/time.h> 48# include <time.h> 49#else 50# if HAVE_SYS_TIME_H 51# include <sys/time.h> 52# else 53# include <time.h> 54# endif 55#endif 56 57#include PATH_IPSEC_H 58 59#include "var.h" 60#include "vmbuf.h" 61#include "schedule.h" 62#include "misc.h" 63#include "plog.h" 64#include "debug.h" 65 66#include "localconf.h" 67#include "remoteconf.h" 68#include "handler.h" 69#include "policy.h" 70#include "proposal.h" 71#include "isakmp_var.h" 72#include "isakmp.h" 73#include "isakmp_inf.h" 74#include "isakmp_quick.h" 75#include "oakley.h" 76#include "ipsec_doi.h" 77#include "crypto_openssl.h" 78#include "pfkey.h" 79#include "policy.h" 80#include "algorithm.h" 81#include "sockmisc.h" 82#include "proposal.h" 83#include "sainfo.h" 84#include "admin.h" 85#include "strnames.h" 86 87#ifdef ENABLE_HYBRID 88#include <resolv.h> 89#include "isakmp_xauth.h" 90#include "isakmp_cfg.h" 91#endif 92 93#ifdef ENABLE_NATT 94#include "nattraversal.h" 95#endif 96 97/* quick mode */ 98static vchar_t *quick_ir1mx __P((struct ph2handle *, vchar_t *, vchar_t *)); 99static int get_sainfo_r __P((struct ph2handle *)); 100static int get_proposal_r __P((struct ph2handle *)); 101static int ph2_recv_n __P((struct ph2handle *, struct isakmp_gen *)); 102static void quick_timeover_stub __P((struct sched *)); 103static void quick_timeover __P((struct ph2handle *)); 104 105/* called from scheduler */ 106static void 107quick_timeover_stub(p) 108 struct sched *p; 109{ 110 quick_timeover(container_of(p, struct ph2handle, sce)); 111} 112 113static void 114quick_timeover(iph2) 115 struct ph2handle *iph2; 116{ 117 plog(LLV_ERROR, LOCATION, NULL, 118 "%s give up to get IPsec-SA due to time up to wait.\n", 119 saddrwop2str(iph2->dst)); 120 121 /* If initiator side, send error to kernel by SADB_ACQUIRE. */ 122 if (iph2->side == INITIATOR) 123 pk_sendeacquire(iph2); 124 125 remph2(iph2); 126 delph2(iph2); 127} 128 129/* %%% 130 * Quick Mode 131 */ 132/* 133 * begin Quick Mode as initiator. send pfkey getspi message to kernel. 134 */ 135int 136quick_i1prep(iph2, msg) 137 struct ph2handle *iph2; 138 vchar_t *msg; /* must be null pointer */ 139{ 140 int error = ISAKMP_INTERNAL_ERROR; 141 142 /* validity check */ 143 if (iph2->status != PHASE2ST_STATUS2) { 144 plog(LLV_ERROR, LOCATION, NULL, 145 "status mismatched %d.\n", iph2->status); 146 goto end; 147 } 148 149 iph2->msgid = isakmp_newmsgid2(iph2->ph1); 150 iph2->ivm = oakley_newiv2(iph2->ph1, iph2->msgid); 151 if (iph2->ivm == NULL) 152 return 0; 153 154 iph2->status = PHASE2ST_GETSPISENT; 155 156 /* don't anything if local test mode. */ 157 if (f_local) { 158 error = 0; 159 goto end; 160 } 161 162 /* send getspi message */ 163 if (pk_sendgetspi(iph2) < 0) 164 goto end; 165 166 plog(LLV_DEBUG, LOCATION, NULL, "pfkey getspi sent.\n"); 167 168 sched_schedule(&iph2->sce, lcconf->wait_ph2complete, 169 quick_timeover_stub); 170 171 error = 0; 172 173end: 174 return error; 175} 176 177/* 178 * send to responder 179 * HDR*, HASH(1), SA, Ni [, KE ] [, IDi2, IDr2 ] [, NAT-OAi, NAT-OAr ] 180 */ 181int 182quick_i1send(iph2, msg) 183 struct ph2handle *iph2; 184 vchar_t *msg; /* must be null pointer */ 185{ 186 vchar_t *body = NULL; 187 vchar_t *hash = NULL; 188 struct isakmp_gen *gen; 189 char *p; 190 int tlen; 191 int error = ISAKMP_INTERNAL_ERROR; 192 int natoa = ISAKMP_NPTYPE_NONE; 193 int pfsgroup, idci, idcr; 194 int np; 195 struct ipsecdoi_id_b *id, *id_p; 196#ifdef ENABLE_NATT 197 vchar_t *nat_oai = NULL; 198 vchar_t *nat_oar = NULL; 199#endif 200 201 /* validity check */ 202 if (msg != NULL) { 203 plog(LLV_ERROR, LOCATION, NULL, 204 "msg has to be NULL in this function.\n"); 205 goto end; 206 } 207 if (iph2->status != PHASE2ST_GETSPIDONE) { 208 plog(LLV_ERROR, LOCATION, NULL, 209 "status mismatched %d.\n", iph2->status); 210 goto end; 211 } 212 213 /* create SA payload for my proposal */ 214 if (ipsecdoi_setph2proposal(iph2) < 0) 215 goto end; 216 217 /* generate NONCE value */ 218 iph2->nonce = eay_set_random(iph2->ph1->rmconf->nonce_size); 219 if (iph2->nonce == NULL) 220 goto end; 221 222 /* 223 * DH value calculation is kicked out into cfparse.y. 224 * because pfs group can not be negotiated, it's only to be checked 225 * acceptable. 226 */ 227 /* generate KE value if need */ 228 pfsgroup = iph2->proposal->pfs_group; 229 if (pfsgroup) { 230 /* DH group settting if PFS is required. */ 231 if (oakley_setdhgroup(pfsgroup, &iph2->pfsgrp) < 0) { 232 plog(LLV_ERROR, LOCATION, NULL, 233 "failed to set DH value.\n"); 234 goto end; 235 } 236 if (oakley_dh_generate(iph2->pfsgrp, 237 &iph2->dhpub, &iph2->dhpriv) < 0) { 238 goto end; 239 } 240 } 241 242 /* generate ID value */ 243 if (ipsecdoi_setid2(iph2) < 0) { 244 plog(LLV_ERROR, LOCATION, NULL, 245 "failed to get ID.\n"); 246 goto end; 247 } 248 plog(LLV_DEBUG, LOCATION, NULL, "IDci:\n"); 249 plogdump(LLV_DEBUG, iph2->id->v, iph2->id->l); 250 plog(LLV_DEBUG, LOCATION, NULL, "IDcr:\n"); 251 plogdump(LLV_DEBUG, iph2->id_p->v, iph2->id_p->l); 252 253 /* 254 * we do not attach IDci nor IDcr, under the following condition: 255 * - all proposals are transport mode 256 * - no MIP6 or proxy 257 * - id payload suggests to encrypt all the traffic (no specific 258 * protocol type) 259 * - SA endpoints and IKE addresses for the nego are the same 260 * (iph2->src/dst) 261 */ 262 id = (struct ipsecdoi_id_b *)iph2->id->v; 263 id_p = (struct ipsecdoi_id_b *)iph2->id_p->v; 264 if (id->proto_id == 0 && 265 id_p->proto_id == 0 && 266 iph2->ph1->rmconf->support_proxy == 0 && 267 iph2->sa_src == NULL && iph2->sa_dst == NULL && 268 ipsecdoi_transportmode(iph2->proposal)) { 269 idci = idcr = 0; 270 } else 271 idci = idcr = 1; 272 273#ifdef ENABLE_NATT 274 /* 275 * RFC3947 5.2. if we propose UDP-Encapsulated-Transport 276 * we should send NAT-OA 277 */ 278 if (ipsecdoi_transportmode(iph2->proposal) 279 && (iph2->ph1->natt_flags & NAT_DETECTED)) { 280 natoa = iph2->ph1->natt_options->payload_nat_oa; 281 282 nat_oai = ipsecdoi_sockaddr2id(iph2->src, 283 IPSECDOI_PREFIX_HOST, IPSEC_ULPROTO_ANY); 284 nat_oar = ipsecdoi_sockaddr2id(iph2->dst, 285 IPSECDOI_PREFIX_HOST, IPSEC_ULPROTO_ANY); 286 287 if (nat_oai == NULL || nat_oar == NULL) { 288 plog(LLV_ERROR, LOCATION, NULL, 289 "failed to generate NAT-OA payload.\n"); 290 goto end; 291 } 292 293 plog(LLV_DEBUG, LOCATION, NULL, "NAT-OAi:\n"); 294 plogdump(LLV_DEBUG, nat_oai->v, nat_oai->l); 295 plog(LLV_DEBUG, LOCATION, NULL, "NAT-OAr:\n"); 296 plogdump(LLV_DEBUG, nat_oar->v, nat_oar->l); 297 } else { 298 natoa = ISAKMP_NPTYPE_NONE; 299 } 300#endif 301 302 /* create SA;NONCE payload, and KE if need, and IDii, IDir. */ 303 tlen = + sizeof(*gen) + iph2->sa->l 304 + sizeof(*gen) + iph2->nonce->l; 305 if (pfsgroup) 306 tlen += (sizeof(*gen) + iph2->dhpub->l); 307 if (idci) 308 tlen += sizeof(*gen) + iph2->id->l; 309 if (idcr) 310 tlen += sizeof(*gen) + iph2->id_p->l; 311#ifdef ENABLE_NATT 312 if (natoa != ISAKMP_NPTYPE_NONE) 313 tlen += 2 * sizeof(*gen) + nat_oai->l + nat_oar->l; 314#endif 315 316 body = vmalloc(tlen); 317 if (body == NULL) { 318 plog(LLV_ERROR, LOCATION, NULL, 319 "failed to get buffer to send.\n"); 320 goto end; 321 } 322 323 p = body->v; 324 325 /* add SA payload */ 326 p = set_isakmp_payload(p, iph2->sa, ISAKMP_NPTYPE_NONCE); 327 328 /* add NONCE payload */ 329 if (pfsgroup) 330 np = ISAKMP_NPTYPE_KE; 331 else if (idci || idcr) 332 np = ISAKMP_NPTYPE_ID; 333 else 334 np = natoa; 335 p = set_isakmp_payload(p, iph2->nonce, np); 336 337 /* add KE payload if need. */ 338 np = (idci || idcr) ? ISAKMP_NPTYPE_ID : natoa; 339 if (pfsgroup) 340 p = set_isakmp_payload(p, iph2->dhpub, np); 341 342 /* IDci */ 343 np = (idcr) ? ISAKMP_NPTYPE_ID : natoa; 344 if (idci) 345 p = set_isakmp_payload(p, iph2->id, np); 346 347 /* IDcr */ 348 if (idcr) 349 p = set_isakmp_payload(p, iph2->id_p, natoa); 350 351#ifdef ENABLE_NATT 352 /* NAT-OA */ 353 if (natoa != ISAKMP_NPTYPE_NONE) { 354 p = set_isakmp_payload(p, nat_oai, natoa); 355 p = set_isakmp_payload(p, nat_oar, ISAKMP_NPTYPE_NONE); 356 } 357#endif 358 359 /* generate HASH(1) */ 360 hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, body); 361 if (hash == NULL) 362 goto end; 363 364 /* send isakmp payload */ 365 iph2->sendbuf = quick_ir1mx(iph2, body, hash); 366 if (iph2->sendbuf == NULL) 367 goto end; 368 369 /* send the packet, add to the schedule to resend */ 370 if (isakmp_ph2send(iph2) == -1) 371 goto end; 372 373 /* change status of isakmp status entry */ 374 iph2->status = PHASE2ST_MSG1SENT; 375 376 error = 0; 377 378end: 379 if (body != NULL) 380 vfree(body); 381 if (hash != NULL) 382 vfree(hash); 383#ifdef ENABLE_NATT 384 if (nat_oai != NULL) 385 vfree(nat_oai); 386 if (nat_oar != NULL) 387 vfree(nat_oar); 388#endif 389 390 return error; 391} 392 393/* 394 * receive from responder 395 * HDR*, HASH(2), SA, Nr [, KE ] [, IDi2, IDr2 ] [, NAT-OAi, NAT-OAr ] 396 */ 397int 398quick_i2recv(iph2, msg0) 399 struct ph2handle *iph2; 400 vchar_t *msg0; 401{ 402 vchar_t *msg = NULL; 403 vchar_t *hbuf = NULL; /* for hash computing. */ 404 vchar_t *pbuf = NULL; /* for payload parsing */ 405 vchar_t *idci = NULL; 406 vchar_t *idcr = NULL; 407 struct isakmp_parse_t *pa; 408 struct isakmp *isakmp = (struct isakmp *)msg0->v; 409 struct isakmp_pl_hash *hash = NULL; 410 char *p; 411 int tlen; 412 int error = ISAKMP_INTERNAL_ERROR; 413 414 /* validity check */ 415 if (iph2->status != PHASE2ST_MSG1SENT) { 416 plog(LLV_ERROR, LOCATION, NULL, 417 "status mismatched %d.\n", iph2->status); 418 goto end; 419 } 420 421 /* decrypt packet */ 422 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) { 423 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 424 "Packet wasn't encrypted.\n"); 425 goto end; 426 } 427 msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive); 428 if (msg == NULL) 429 goto end; 430 431 /* create buffer for validating HASH(2) */ 432 /* 433 * ordering rule: 434 * 1. the first one must be HASH 435 * 2. the second one must be SA (added in isakmp-oakley-05!) 436 * 3. two IDs must be considered as IDci, then IDcr 437 */ 438 pbuf = isakmp_parse(msg); 439 if (pbuf == NULL) 440 goto end; 441 pa = (struct isakmp_parse_t *)pbuf->v; 442 443 /* HASH payload is fixed postion */ 444 if (pa->type != ISAKMP_NPTYPE_HASH) { 445 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 446 "received invalid next payload type %d, " 447 "expecting %d.\n", 448 pa->type, ISAKMP_NPTYPE_HASH); 449 goto end; 450 } 451 hash = (struct isakmp_pl_hash *)pa->ptr; 452 pa++; 453 454 /* 455 * this restriction was introduced in isakmp-oakley-05. 456 * we do not check this for backward compatibility. 457 * TODO: command line/config file option to enable/disable this code 458 */ 459 /* HASH payload is fixed postion */ 460 if (pa->type != ISAKMP_NPTYPE_SA) { 461 plog(LLV_WARNING, LOCATION, iph2->ph1->remote, 462 "received invalid next payload type %d, " 463 "expecting %d.\n", 464 pa->type, ISAKMP_NPTYPE_HASH); 465 } 466 467 /* allocate buffer for computing HASH(2) */ 468 tlen = iph2->nonce->l 469 + ntohl(isakmp->len) - sizeof(*isakmp); 470 hbuf = vmalloc(tlen); 471 if (hbuf == NULL) { 472 plog(LLV_ERROR, LOCATION, NULL, 473 "failed to get hash buffer.\n"); 474 goto end; 475 } 476 p = hbuf->v + iph2->nonce->l; /* retain the space for Ni_b */ 477 478 /* 479 * parse the payloads. 480 * copy non-HASH payloads into hbuf, so that we can validate HASH. 481 */ 482 iph2->sa_ret = NULL; 483 tlen = 0; /* count payload length except of HASH payload. */ 484 for (; pa->type; pa++) { 485 486 /* copy to buffer for HASH */ 487 /* Don't modify the payload */ 488 memcpy(p, pa->ptr, pa->len); 489 490 switch (pa->type) { 491 case ISAKMP_NPTYPE_SA: 492 if (iph2->sa_ret != NULL) { 493 plog(LLV_ERROR, LOCATION, NULL, 494 "Ignored, multiple SA " 495 "isn't supported.\n"); 496 break; 497 } 498 if (isakmp_p2ph(&iph2->sa_ret, pa->ptr) < 0) { 499 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 500 "duplicate ISAKMP_NPTYPE_SA.\n"); 501 goto end; 502 } 503 break; 504 505 case ISAKMP_NPTYPE_NONCE: 506 if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0) { 507 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 508 "duplicate ISAKMP_NPTYPE_NONCE.\n"); 509 goto end; 510 } 511 break; 512 513 case ISAKMP_NPTYPE_KE: 514 if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0) { 515 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 516 "duplicate ISAKMP_NPTYPE_KE.\n"); 517 goto end; 518 } 519 break; 520 521 case ISAKMP_NPTYPE_ID: 522 if (idci == NULL) { 523 if (isakmp_p2ph(&idci, pa->ptr) < 0) 524 goto end; 525 } else if (idcr == NULL) { 526 if (isakmp_p2ph(&idcr, pa->ptr) < 0) 527 goto end; 528 } else { 529 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 530 "too many ISAKMP_NPTYPE_ID payloads.\n"); 531 goto end; 532 } 533 break; 534 535 case ISAKMP_NPTYPE_N: 536 ph2_recv_n(iph2, pa->ptr); 537 break; 538 539#ifdef ENABLE_NATT 540 case ISAKMP_NPTYPE_NATOA_DRAFT: 541 case ISAKMP_NPTYPE_NATOA_RFC: 542 { 543 struct sockaddr_storage addr; 544 struct sockaddr *daddr; 545 u_int8_t prefix; 546 u_int16_t ul_proto; 547 vchar_t *vp = NULL; 548 549 if (isakmp_p2ph(&vp, pa->ptr) < 0) 550 goto end; 551 552 error = ipsecdoi_id2sockaddr(vp, 553 (struct sockaddr *) &addr, 554 &prefix, &ul_proto); 555 556 vfree(vp); 557 558 if (error) 559 goto end; 560 561 daddr = dupsaddr((struct sockaddr *) &addr); 562 if (daddr == NULL) 563 goto end; 564 565 if (iph2->natoa_src == NULL) 566 iph2->natoa_src = daddr; 567 else if (iph2->natoa_dst == NULL) 568 iph2->natoa_dst = daddr; 569 else { 570 racoon_free(daddr); 571 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 572 "too many ISAKMP_NPTYPE_NATOA payloads.\n"); 573 goto end; 574 } 575 } 576 break; 577#endif 578 579 default: 580 /* don't send information, see ident_r1recv() */ 581 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 582 "ignore the packet, " 583 "received unexpecting payload type %d.\n", 584 pa->type); 585 goto end; 586 } 587 588 p += pa->len; 589 590 /* compute true length of payload. */ 591 tlen += pa->len; 592 } 593 594 /* payload existency check */ 595 if (hash == NULL || iph2->sa_ret == NULL || iph2->nonce_p == NULL) { 596 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 597 "few isakmp message received.\n"); 598 goto end; 599 } 600 601#ifdef ANDROID_PATCHED 602 if (idcr != NULL) { 603 struct ipsecdoi_id_b *id_b = idcr->v; 604 if (id_b->type != IPSECDOI_ID_IPV4_ADDR && 605 id_b->type != IPSECDOI_ID_IPV4_ADDR_SUBNET && 606 id_b->type != IPSECDOI_ID_IPV6_ADDR && 607 id_b->type != IPSECDOI_ID_IPV6_ADDR_SUBNET) { 608 vfree(idcr); 609 idcr = NULL; 610 } 611 } 612#endif 613 614 /* identity check */ 615 if (idci != NULL) { 616 struct sockaddr_storage proposed_addr, got_addr; 617 u_int8_t proposed_prefix, got_prefix; 618 u_int16_t proposed_ulproto, got_ulproto; 619 620 error = ipsecdoi_id2sockaddr(iph2->id, 621 (struct sockaddr *) &proposed_addr, 622 &proposed_prefix, &proposed_ulproto); 623 if (error) 624 goto end; 625 626 error = ipsecdoi_id2sockaddr(idci, 627 (struct sockaddr *) &got_addr, 628 &got_prefix, &got_ulproto); 629 if (error) 630 goto end; 631 632 if (proposed_prefix != got_prefix 633 || proposed_ulproto != got_ulproto) { 634 plog(LLV_DEBUG, LOCATION, NULL, 635 "IDci prefix/ulproto does not match proposal.\n"); 636 error = ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED; 637 goto end; 638 } 639#ifdef ENABLE_NATT 640 set_port(iph2->natoa_src, 641 extract_port((struct sockaddr *) &proposed_addr)); 642#endif 643 644 if (cmpsaddr((struct sockaddr *) &proposed_addr, 645 (struct sockaddr *) &got_addr) == CMPSADDR_MATCH) { 646 plog(LLV_DEBUG, LOCATION, NULL, 647 "IDci matches proposal.\n"); 648#ifdef ENABLE_NATT 649 } else if (iph2->natoa_src != NULL 650 && cmpsaddr(iph2->natoa_src, 651 (struct sockaddr *) &got_addr) == 0) { 652 plog(LLV_DEBUG, LOCATION, NULL, 653 "IDci matches NAT-OAi.\n"); 654#endif 655#ifndef ANDROID_PATCHED 656 } else { 657 plog(LLV_ERROR, LOCATION, NULL, 658 "mismatched IDci was returned.\n"); 659 error = ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED; 660 goto end; 661#endif 662 } 663 } 664 if (idcr != NULL) { 665 struct sockaddr_storage proposed_addr, got_addr; 666 u_int8_t proposed_prefix, got_prefix; 667 u_int16_t proposed_ulproto, got_ulproto; 668 669 error = ipsecdoi_id2sockaddr(iph2->id_p, 670 (struct sockaddr *) &proposed_addr, 671 &proposed_prefix, &proposed_ulproto); 672 if (error) 673 goto end; 674 675 error = ipsecdoi_id2sockaddr(idcr, 676 (struct sockaddr *) &got_addr, 677 &got_prefix, &got_ulproto); 678 if (error) 679 goto end; 680 681 if (proposed_prefix != got_prefix 682 || proposed_ulproto != got_ulproto) { 683 plog(LLV_DEBUG, LOCATION, NULL, 684 "IDcr prefix/ulproto does not match proposal.\n"); 685 error = ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED; 686 goto end; 687 } 688 689#ifdef ENABLE_NATT 690 set_port(iph2->natoa_dst, 691 extract_port((struct sockaddr *) &proposed_addr)); 692#endif 693 694 if (cmpsaddr((struct sockaddr *) &proposed_addr, 695 (struct sockaddr *) &got_addr) == CMPSADDR_MATCH) { 696 plog(LLV_DEBUG, LOCATION, NULL, 697 "IDcr matches proposal.\n"); 698#ifdef ENABLE_NATT 699 } else if (iph2->natoa_dst != NULL 700 && cmpsaddr(iph2->natoa_dst, 701 (struct sockaddr *) &got_addr) == CMPSADDR_MATCH) { 702 plog(LLV_DEBUG, LOCATION, NULL, 703 "IDcr matches NAT-OAr.\n"); 704#endif 705 } else { 706 plog(LLV_ERROR, LOCATION, NULL, 707 "mismatched IDcr was returned.\n"); 708 error = ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED; 709 goto end; 710 } 711 } 712 713 /* Fixed buffer for calculating HASH */ 714 memcpy(hbuf->v, iph2->nonce->v, iph2->nonce->l); 715 plog(LLV_DEBUG, LOCATION, NULL, 716 "HASH allocated:hbuf->l=%zu actual:tlen=%zu\n", 717 hbuf->l, tlen + iph2->nonce->l); 718 /* adjust buffer length for HASH */ 719 hbuf->l = iph2->nonce->l + tlen; 720 721 /* validate HASH(2) */ 722 { 723 char *r_hash; 724 vchar_t *my_hash = NULL; 725 int result; 726 727 r_hash = (char *)hash + sizeof(*hash); 728 729 plog(LLV_DEBUG, LOCATION, NULL, "HASH(2) received:"); 730 plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash)); 731 732 my_hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, hbuf); 733 if (my_hash == NULL) 734 goto end; 735 736 result = memcmp(my_hash->v, r_hash, my_hash->l); 737 vfree(my_hash); 738 739 if (result) { 740 plog(LLV_DEBUG, LOCATION, iph2->ph1->remote, 741 "HASH(2) mismatch.\n"); 742 error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION; 743 goto end; 744 } 745 } 746 747 /* validity check SA payload sent from responder */ 748 if (ipsecdoi_checkph2proposal(iph2) < 0) { 749 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 750 "proposal check failed.\n"); 751 error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN; 752 goto end; 753 } 754 755 /* change status of isakmp status entry */ 756 iph2->status = PHASE2ST_STATUS6; 757 758 error = 0; 759 760end: 761 if (hbuf) 762 vfree(hbuf); 763 if (pbuf) 764 vfree(pbuf); 765 if (msg) 766 vfree(msg); 767 if (idci) 768 vfree(idci); 769 if (idcr) 770 vfree(idcr); 771 772 if (error) { 773 VPTRINIT(iph2->sa_ret); 774 VPTRINIT(iph2->nonce_p); 775 VPTRINIT(iph2->dhpub_p); 776 VPTRINIT(iph2->id); 777 VPTRINIT(iph2->id_p); 778#ifdef ENABLE_NATT 779 if (iph2->natoa_src) { 780 racoon_free(iph2->natoa_src); 781 iph2->natoa_src = NULL; 782 } 783 if (iph2->natoa_dst) { 784 racoon_free(iph2->natoa_dst); 785 iph2->natoa_dst = NULL; 786 } 787#endif 788 } 789 790 return error; 791} 792 793/* 794 * send to responder 795 * HDR*, HASH(3) 796 */ 797int 798quick_i2send(iph2, msg0) 799 struct ph2handle *iph2; 800 vchar_t *msg0; 801{ 802 vchar_t *msg = NULL; 803 vchar_t *buf = NULL; 804 vchar_t *hash = NULL; 805 char *p = NULL; 806 int tlen; 807 int error = ISAKMP_INTERNAL_ERROR; 808 809 /* validity check */ 810 if (iph2->status != PHASE2ST_STATUS6) { 811 plog(LLV_ERROR, LOCATION, NULL, 812 "status mismatched %d.\n", iph2->status); 813 goto end; 814 } 815 816 /* generate HASH(3) */ 817 { 818 vchar_t *tmp = NULL; 819 820 plog(LLV_DEBUG, LOCATION, NULL, "HASH(3) generate\n"); 821 822 tmp = vmalloc(iph2->nonce->l + iph2->nonce_p->l); 823 if (tmp == NULL) { 824 plog(LLV_ERROR, LOCATION, NULL, 825 "failed to get hash buffer.\n"); 826 goto end; 827 } 828 memcpy(tmp->v, iph2->nonce->v, iph2->nonce->l); 829 memcpy(tmp->v + iph2->nonce->l, iph2->nonce_p->v, iph2->nonce_p->l); 830 831 hash = oakley_compute_hash3(iph2->ph1, iph2->msgid, tmp); 832 vfree(tmp); 833 834 if (hash == NULL) 835 goto end; 836 } 837 838 /* create buffer for isakmp payload */ 839 tlen = sizeof(struct isakmp) 840 + sizeof(struct isakmp_gen) + hash->l; 841 buf = vmalloc(tlen); 842 if (buf == NULL) { 843 plog(LLV_ERROR, LOCATION, NULL, 844 "failed to get buffer to send.\n"); 845 goto end; 846 } 847 848 /* create isakmp header */ 849 p = set_isakmp_header2(buf, iph2, ISAKMP_NPTYPE_HASH); 850 if (p == NULL) 851 goto end; 852 853 /* add HASH(3) payload */ 854 p = set_isakmp_payload(p, hash, ISAKMP_NPTYPE_NONE); 855 856#ifdef HAVE_PRINT_ISAKMP_C 857 isakmp_printpacket(buf, iph2->ph1->local, iph2->ph1->remote, 1); 858#endif 859 860 /* encoding */ 861 iph2->sendbuf = oakley_do_encrypt(iph2->ph1, buf, iph2->ivm->ive, iph2->ivm->iv); 862 if (iph2->sendbuf == NULL) 863 goto end; 864 865 /* if there is commit bit, need resending */ 866 if (ISSET(iph2->flags, ISAKMP_FLAG_C)) { 867 /* send the packet, add to the schedule to resend */ 868 if (isakmp_ph2send(iph2) == -1) 869 goto end; 870 } else { 871 /* send the packet */ 872 if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0) 873 goto end; 874 } 875 876 /* the sending message is added to the received-list. */ 877 if (add_recvdpkt(iph2->ph1->remote, iph2->ph1->local, 878 iph2->sendbuf, msg0) == -1) { 879 plog(LLV_ERROR , LOCATION, NULL, 880 "failed to add a response packet to the tree.\n"); 881 goto end; 882 } 883 884 /* compute both of KEYMATs */ 885 if (oakley_compute_keymat(iph2, INITIATOR) < 0) 886 goto end; 887 888 iph2->status = PHASE2ST_ADDSA; 889 890 /* don't anything if local test mode. */ 891 if (f_local) { 892 error = 0; 893 goto end; 894 } 895 896 /* if there is commit bit don't set up SA now. */ 897 if (ISSET(iph2->flags, ISAKMP_FLAG_C)) { 898 iph2->status = PHASE2ST_COMMIT; 899 error = 0; 900 goto end; 901 } 902 903 /* Do UPDATE for initiator */ 904 plog(LLV_DEBUG, LOCATION, NULL, "call pk_sendupdate\n"); 905 if (pk_sendupdate(iph2) < 0) { 906 plog(LLV_ERROR, LOCATION, NULL, "pfkey update failed.\n"); 907 goto end; 908 } 909 plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n"); 910 911 /* Do ADD for responder */ 912 if (pk_sendadd(iph2) < 0) { 913 plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n"); 914 goto end; 915 } 916 plog(LLV_DEBUG, LOCATION, NULL, "pfkey add sent.\n"); 917 918 error = 0; 919 920end: 921 if (buf != NULL) 922 vfree(buf); 923 if (msg != NULL) 924 vfree(msg); 925 if (hash != NULL) 926 vfree(hash); 927 928 return error; 929} 930 931/* 932 * receive from responder 933 * HDR#*, HASH(4), notify 934 */ 935int 936quick_i3recv(iph2, msg0) 937 struct ph2handle *iph2; 938 vchar_t *msg0; 939{ 940 vchar_t *msg = NULL; 941 vchar_t *pbuf = NULL; /* for payload parsing */ 942 struct isakmp_parse_t *pa; 943 struct isakmp_pl_hash *hash = NULL; 944 vchar_t *notify = NULL; 945 int error = ISAKMP_INTERNAL_ERROR; 946 947 /* validity check */ 948 if (iph2->status != PHASE2ST_COMMIT) { 949 plog(LLV_ERROR, LOCATION, NULL, 950 "status mismatched %d.\n", iph2->status); 951 goto end; 952 } 953 954 /* decrypt packet */ 955 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) { 956 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 957 "Packet wasn't encrypted.\n"); 958 goto end; 959 } 960 msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive); 961 if (msg == NULL) 962 goto end; 963 964 /* validate the type of next payload */ 965 pbuf = isakmp_parse(msg); 966 if (pbuf == NULL) 967 goto end; 968 969 for (pa = (struct isakmp_parse_t *)pbuf->v; 970 pa->type != ISAKMP_NPTYPE_NONE; 971 pa++) { 972 973 switch (pa->type) { 974 case ISAKMP_NPTYPE_HASH: 975 hash = (struct isakmp_pl_hash *)pa->ptr; 976 break; 977 case ISAKMP_NPTYPE_N: 978 if (notify != NULL) { 979 plog(LLV_WARNING, LOCATION, NULL, 980 "Ignoring multiples notifications\n"); 981 break; 982 } 983 ph2_recv_n(iph2, pa->ptr); 984 notify = vmalloc(pa->len); 985 if (notify == NULL) { 986 plog(LLV_ERROR, LOCATION, NULL, 987 "failed to get notify buffer.\n"); 988 goto end; 989 } 990 memcpy(notify->v, pa->ptr, notify->l); 991 break; 992 default: 993 /* don't send information, see ident_r1recv() */ 994 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 995 "ignore the packet, " 996 "received unexpecting payload type %d.\n", 997 pa->type); 998 goto end; 999 } 1000 } 1001 1002 /* payload existency check */ 1003 if (hash == NULL) { 1004 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 1005 "few isakmp message received.\n"); 1006 goto end; 1007 } 1008 1009 /* validate HASH(4) */ 1010 { 1011 char *r_hash; 1012 vchar_t *my_hash = NULL; 1013 vchar_t *tmp = NULL; 1014 int result; 1015 1016 r_hash = (char *)hash + sizeof(*hash); 1017 1018 plog(LLV_DEBUG, LOCATION, NULL, "HASH(4) validate:"); 1019 plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash)); 1020 1021 my_hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, notify); 1022 vfree(tmp); 1023 if (my_hash == NULL) 1024 goto end; 1025 1026 result = memcmp(my_hash->v, r_hash, my_hash->l); 1027 vfree(my_hash); 1028 1029 if (result) { 1030 plog(LLV_DEBUG, LOCATION, iph2->ph1->remote, 1031 "HASH(4) mismatch.\n"); 1032 error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION; 1033 goto end; 1034 } 1035 } 1036 1037 iph2->status = PHASE2ST_ADDSA; 1038 iph2->flags ^= ISAKMP_FLAG_C; /* reset bit */ 1039 1040 /* don't anything if local test mode. */ 1041 if (f_local) { 1042 error = 0; 1043 goto end; 1044 } 1045 1046 /* Do UPDATE for initiator */ 1047 plog(LLV_DEBUG, LOCATION, NULL, "call pk_sendupdate\n"); 1048 if (pk_sendupdate(iph2) < 0) { 1049 plog(LLV_ERROR, LOCATION, NULL, "pfkey update failed.\n"); 1050 goto end; 1051 } 1052 plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n"); 1053 1054 /* Do ADD for responder */ 1055 if (pk_sendadd(iph2) < 0) { 1056 plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n"); 1057 goto end; 1058 } 1059 plog(LLV_DEBUG, LOCATION, NULL, "pfkey add sent.\n"); 1060 1061 error = 0; 1062 1063end: 1064 if (msg != NULL) 1065 vfree(msg); 1066 if (pbuf != NULL) 1067 vfree(pbuf); 1068 if (notify != NULL) 1069 vfree(notify); 1070 1071 return error; 1072} 1073 1074/* 1075 * receive from initiator 1076 * HDR*, HASH(1), SA, Ni [, KE ] [, IDi2, IDr2 ] [, NAT-OAi, NAT-OAr ] 1077 */ 1078int 1079quick_r1recv(iph2, msg0) 1080 struct ph2handle *iph2; 1081 vchar_t *msg0; 1082{ 1083 vchar_t *msg = NULL; 1084 vchar_t *hbuf = NULL; /* for hash computing. */ 1085 vchar_t *pbuf = NULL; /* for payload parsing */ 1086 struct isakmp_parse_t *pa; 1087 struct isakmp *isakmp = (struct isakmp *)msg0->v; 1088 struct isakmp_pl_hash *hash = NULL; 1089 char *p; 1090 int tlen; 1091 int f_id_order; /* for ID payload detection */ 1092 int error = ISAKMP_INTERNAL_ERROR; 1093 1094 /* validity check */ 1095 if (iph2->status != PHASE2ST_START) { 1096 plog(LLV_ERROR, LOCATION, NULL, 1097 "status mismatched %d.\n", iph2->status); 1098 goto end; 1099 } 1100 1101 /* decrypting */ 1102 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) { 1103 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 1104 "Packet wasn't encrypted.\n"); 1105 error = ISAKMP_NTYPE_PAYLOAD_MALFORMED; 1106 goto end; 1107 } 1108 /* decrypt packet */ 1109 msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive); 1110 if (msg == NULL) { 1111 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 1112 "Packet decryption failed.\n"); 1113 goto end; 1114 } 1115 1116 /* create buffer for using to validate HASH(1) */ 1117 /* 1118 * ordering rule: 1119 * 1. the first one must be HASH 1120 * 2. the second one must be SA (added in isakmp-oakley-05!) 1121 * 3. two IDs must be considered as IDci, then IDcr 1122 */ 1123 pbuf = isakmp_parse(msg); 1124 if (pbuf == NULL) 1125 goto end; 1126 pa = (struct isakmp_parse_t *)pbuf->v; 1127 1128 /* HASH payload is fixed postion */ 1129 if (pa->type != ISAKMP_NPTYPE_HASH) { 1130 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 1131 "received invalid next payload type %d, " 1132 "expecting %d.\n", 1133 pa->type, ISAKMP_NPTYPE_HASH); 1134 error = ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX; 1135 goto end; 1136 } 1137 hash = (struct isakmp_pl_hash *)pa->ptr; 1138 pa++; 1139 1140 /* 1141 * this restriction was introduced in isakmp-oakley-05. 1142 * we do not check this for backward compatibility. 1143 * TODO: command line/config file option to enable/disable this code 1144 */ 1145 /* HASH payload is fixed postion */ 1146 if (pa->type != ISAKMP_NPTYPE_SA) { 1147 plog(LLV_WARNING, LOCATION, iph2->ph1->remote, 1148 "received invalid next payload type %d, " 1149 "expecting %d.\n", 1150 pa->type, ISAKMP_NPTYPE_SA); 1151 error = ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX; 1152 } 1153 1154 /* allocate buffer for computing HASH(1) */ 1155 tlen = ntohl(isakmp->len) - sizeof(*isakmp); 1156 hbuf = vmalloc(tlen); 1157 if (hbuf == NULL) { 1158 plog(LLV_ERROR, LOCATION, NULL, 1159 "failed to get hash buffer.\n"); 1160 goto end; 1161 } 1162 p = hbuf->v; 1163 1164 /* 1165 * parse the payloads. 1166 * copy non-HASH payloads into hbuf, so that we can validate HASH. 1167 */ 1168 iph2->sa = NULL; /* we don't support multi SAs. */ 1169 iph2->nonce_p = NULL; 1170 iph2->dhpub_p = NULL; 1171 iph2->id_p = NULL; 1172 iph2->id = NULL; 1173 tlen = 0; /* count payload length except of HASH payload. */ 1174 1175 /* 1176 * IDi2 MUST be immediatelly followed by IDr2. We allowed the 1177 * illegal case, but logged. First ID payload is to be IDi2. 1178 * And next ID payload is to be IDr2. 1179 */ 1180 f_id_order = 0; 1181 1182 for (; pa->type; pa++) { 1183 1184 /* copy to buffer for HASH */ 1185 /* Don't modify the payload */ 1186 memcpy(p, pa->ptr, pa->len); 1187 1188 if (pa->type != ISAKMP_NPTYPE_ID) 1189 f_id_order = 0; 1190 1191 switch (pa->type) { 1192 case ISAKMP_NPTYPE_SA: 1193 if (iph2->sa != NULL) { 1194 plog(LLV_ERROR, LOCATION, NULL, 1195 "Multi SAs isn't supported.\n"); 1196 goto end; 1197 } 1198 if (isakmp_p2ph(&iph2->sa, pa->ptr) < 0) { 1199 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 1200 "duplicate ISAKMP_NPTYPE_SA.\n"); 1201 goto end; 1202 } 1203 break; 1204 1205 case ISAKMP_NPTYPE_NONCE: 1206 if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0) { 1207 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 1208 "duplicate ISAKMP_NPTYPE_NONCE.\n"); 1209 goto end; 1210 } 1211 break; 1212 1213 case ISAKMP_NPTYPE_KE: 1214 if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0) { 1215 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 1216 "duplicate ISAKMP_NPTYPE_KE.\n"); 1217 goto end; 1218 } 1219 break; 1220 1221 case ISAKMP_NPTYPE_ID: 1222 if (iph2->id_p == NULL) { 1223 /* for IDci */ 1224 f_id_order++; 1225 1226 if (isakmp_p2ph(&iph2->id_p, pa->ptr) < 0) 1227 goto end; 1228 1229 } else if (iph2->id == NULL) { 1230 /* for IDcr */ 1231 if (f_id_order == 0) { 1232 plog(LLV_ERROR, LOCATION, NULL, 1233 "IDr2 payload is not " 1234 "immediatelly followed " 1235 "by IDi2. We allowed.\n"); 1236 /* XXX we allowed in this case. */ 1237 } 1238 1239 if (isakmp_p2ph(&iph2->id, pa->ptr) < 0) 1240 goto end; 1241 } else { 1242 plog(LLV_ERROR, LOCATION, NULL, 1243 "received too many ID payloads.\n"); 1244 plogdump(LLV_ERROR, iph2->id->v, iph2->id->l); 1245 error = ISAKMP_NTYPE_INVALID_ID_INFORMATION; 1246 goto end; 1247 } 1248 break; 1249 1250 case ISAKMP_NPTYPE_N: 1251 ph2_recv_n(iph2, pa->ptr); 1252 break; 1253 1254#ifdef ENABLE_NATT 1255 case ISAKMP_NPTYPE_NATOA_DRAFT: 1256 case ISAKMP_NPTYPE_NATOA_RFC: 1257 { 1258 struct sockaddr_storage addr; 1259 struct sockaddr *daddr; 1260 u_int8_t prefix; 1261 u_int16_t ul_proto; 1262 vchar_t *vp = NULL; 1263 1264 if (isakmp_p2ph(&vp, pa->ptr) < 0) 1265 goto end; 1266 1267 error = ipsecdoi_id2sockaddr(vp, 1268 (struct sockaddr *) &addr, 1269 &prefix, &ul_proto); 1270 1271 vfree(vp); 1272 1273 if (error) 1274 goto end; 1275 1276 daddr = dupsaddr((struct sockaddr *) &addr); 1277 if (daddr == NULL) 1278 goto end; 1279 1280 if (iph2->natoa_dst == NULL) 1281 iph2->natoa_dst = daddr; 1282 else if (iph2->natoa_src == NULL) 1283 iph2->natoa_src = daddr; 1284 else { 1285 racoon_free(daddr); 1286 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 1287 "received too many NAT-OA payloads.\n"); 1288 error = ISAKMP_NTYPE_PAYLOAD_MALFORMED; 1289 goto end; 1290 } 1291 } 1292 break; 1293#endif 1294 1295 default: 1296 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 1297 "ignore the packet, " 1298 "received unexpecting payload type %d.\n", 1299 pa->type); 1300 error = ISAKMP_NTYPE_PAYLOAD_MALFORMED; 1301 goto end; 1302 } 1303 1304 p += pa->len; 1305 1306 /* compute true length of payload. */ 1307 tlen += pa->len; 1308 } 1309 1310 /* payload existency check */ 1311 if (hash == NULL || iph2->sa == NULL || iph2->nonce_p == NULL) { 1312 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 1313 "few isakmp message received.\n"); 1314 error = ISAKMP_NTYPE_PAYLOAD_MALFORMED; 1315 goto end; 1316 } 1317 1318 if (iph2->id_p) { 1319 plog(LLV_DEBUG, LOCATION, NULL, "received IDci2:"); 1320 plogdump(LLV_DEBUG, iph2->id_p->v, iph2->id_p->l); 1321 } 1322 if (iph2->id) { 1323 plog(LLV_DEBUG, LOCATION, NULL, "received IDcr2:"); 1324 plogdump(LLV_DEBUG, iph2->id->v, iph2->id->l); 1325 } 1326 1327 /* adjust buffer length for HASH */ 1328 hbuf->l = tlen; 1329 1330 /* validate HASH(1) */ 1331 { 1332 char *r_hash; 1333 vchar_t *my_hash = NULL; 1334 int result; 1335 1336 r_hash = (caddr_t)hash + sizeof(*hash); 1337 1338 plog(LLV_DEBUG, LOCATION, NULL, "HASH(1) validate:"); 1339 plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash)); 1340 1341 my_hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, hbuf); 1342 if (my_hash == NULL) 1343 goto end; 1344 1345 result = memcmp(my_hash->v, r_hash, my_hash->l); 1346 vfree(my_hash); 1347 1348 if (result) { 1349 plog(LLV_DEBUG, LOCATION, iph2->ph1->remote, 1350 "HASH(1) mismatch.\n"); 1351 error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION; 1352 goto end; 1353 } 1354 } 1355 1356 /* get sainfo */ 1357 error = get_sainfo_r(iph2); 1358 if (error) { 1359 plog(LLV_ERROR, LOCATION, NULL, 1360 "failed to get sainfo.\n"); 1361 goto end; 1362 } 1363 1364 1365 /* check the existence of ID payload and create responder's proposal */ 1366 error = get_proposal_r(iph2); 1367 switch (error) { 1368 case -2: 1369 /* generate a policy template from peer's proposal */ 1370 if (set_proposal_from_proposal(iph2)) { 1371 plog(LLV_ERROR, LOCATION, NULL, 1372 "failed to generate a proposal template " 1373 "from client's proposal.\n"); 1374 error = ISAKMP_INTERNAL_ERROR; 1375 goto end; 1376 } 1377 /*FALLTHROUGH*/ 1378 case 0: 1379 /* select single proposal or reject it. */ 1380 if (ipsecdoi_selectph2proposal(iph2) < 0) { 1381 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 1382 "no proposal chosen.\n"); 1383 error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN; 1384 goto end; 1385 } 1386 break; 1387 default: 1388 plog(LLV_ERROR, LOCATION, NULL, 1389 "failed to get proposal for responder.\n"); 1390 goto end; 1391 } 1392 1393 /* check KE and attribute of PFS */ 1394 if (iph2->dhpub_p != NULL && iph2->approval->pfs_group == 0) { 1395 plog(LLV_ERROR, LOCATION, NULL, 1396 "no PFS is specified, but peer sends KE.\n"); 1397 error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN; 1398 goto end; 1399 } 1400 if (iph2->dhpub_p == NULL && iph2->approval->pfs_group != 0) { 1401 plog(LLV_ERROR, LOCATION, NULL, 1402 "PFS is specified, but peer doesn't sends KE.\n"); 1403 error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN; 1404 goto end; 1405 } 1406 1407 /* 1408 * save the packet from the initiator in order to resend the 1409 * responder's first packet against this packet. 1410 */ 1411 iph2->msg1 = vdup(msg0); 1412 1413 /* change status of isakmp status entry */ 1414 iph2->status = PHASE2ST_STATUS2; 1415 1416 error = 0; 1417 1418end: 1419 if (hbuf) 1420 vfree(hbuf); 1421 if (msg) 1422 vfree(msg); 1423 if (pbuf) 1424 vfree(pbuf); 1425 1426 if (error) { 1427 VPTRINIT(iph2->sa); 1428 VPTRINIT(iph2->nonce_p); 1429 VPTRINIT(iph2->dhpub_p); 1430 VPTRINIT(iph2->id); 1431 VPTRINIT(iph2->id_p); 1432#ifdef ENABLE_NATT 1433 if (iph2->natoa_src) { 1434 racoon_free(iph2->natoa_src); 1435 iph2->natoa_src = NULL; 1436 } 1437 if (iph2->natoa_dst) { 1438 racoon_free(iph2->natoa_dst); 1439 iph2->natoa_dst = NULL; 1440 } 1441#endif 1442 } 1443 1444 return error; 1445} 1446 1447/* 1448 * call pfkey_getspi. 1449 */ 1450int 1451quick_r1prep(iph2, msg) 1452 struct ph2handle *iph2; 1453 vchar_t *msg; 1454{ 1455 int error = ISAKMP_INTERNAL_ERROR; 1456 1457 /* validity check */ 1458 if (iph2->status != PHASE2ST_STATUS2) { 1459 plog(LLV_ERROR, LOCATION, NULL, 1460 "status mismatched %d.\n", iph2->status); 1461 goto end; 1462 } 1463 1464 iph2->status = PHASE2ST_GETSPISENT; 1465 1466 /* send getspi message */ 1467 if (pk_sendgetspi(iph2) < 0) 1468 goto end; 1469 1470 plog(LLV_DEBUG, LOCATION, NULL, "pfkey getspi sent.\n"); 1471 1472 sched_schedule(&iph2->sce, lcconf->wait_ph2complete, 1473 quick_timeover_stub); 1474 1475 error = 0; 1476 1477end: 1478 return error; 1479} 1480 1481/* 1482 * send to initiator 1483 * HDR*, HASH(2), SA, Nr [, KE ] [, IDi2, IDr2 ] [, NAT-OAi, NAT-OAr ] 1484 */ 1485int 1486quick_r2send(iph2, msg) 1487 struct ph2handle *iph2; 1488 vchar_t *msg; 1489{ 1490 vchar_t *body = NULL; 1491 vchar_t *hash = NULL; 1492 struct isakmp_gen *gen; 1493 char *p; 1494 int tlen; 1495 int error = ISAKMP_INTERNAL_ERROR; 1496 int natoa = ISAKMP_NPTYPE_NONE; 1497 int pfsgroup; 1498 u_int8_t *np_p = NULL; 1499#ifdef ENABLE_NATT 1500 vchar_t *nat_oai = NULL; 1501 vchar_t *nat_oar = NULL; 1502#endif 1503 1504 /* validity check */ 1505 if (msg != NULL) { 1506 plog(LLV_ERROR, LOCATION, NULL, 1507 "msg has to be NULL in this function.\n"); 1508 goto end; 1509 } 1510 if (iph2->status != PHASE2ST_GETSPIDONE) { 1511 plog(LLV_ERROR, LOCATION, NULL, 1512 "status mismatched %d.\n", iph2->status); 1513 goto end; 1514 } 1515 1516 /* update responders SPI */ 1517 if (ipsecdoi_updatespi(iph2) < 0) { 1518 plog(LLV_ERROR, LOCATION, NULL, "failed to update spi.\n"); 1519 goto end; 1520 } 1521 1522 /* generate NONCE value */ 1523 iph2->nonce = eay_set_random(iph2->ph1->rmconf->nonce_size); 1524 if (iph2->nonce == NULL) 1525 goto end; 1526 1527 /* generate KE value if need */ 1528 pfsgroup = iph2->approval->pfs_group; 1529 if (iph2->dhpub_p != NULL && pfsgroup != 0) { 1530 /* DH group settting if PFS is required. */ 1531 if (oakley_setdhgroup(pfsgroup, &iph2->pfsgrp) < 0) { 1532 plog(LLV_ERROR, LOCATION, NULL, 1533 "failed to set DH value.\n"); 1534 goto end; 1535 } 1536 /* generate DH public value */ 1537 if (oakley_dh_generate(iph2->pfsgrp, 1538 &iph2->dhpub, &iph2->dhpriv) < 0) { 1539 goto end; 1540 } 1541 } 1542 1543#ifdef ENABLE_NATT 1544 /* 1545 * RFC3947 5.2. if we chose UDP-Encapsulated-Transport 1546 * we should send NAT-OA 1547 */ 1548 if (ipsecdoi_transportmode(iph2->proposal) 1549 && (iph2->ph1->natt_flags & NAT_DETECTED)) { 1550 natoa = iph2->ph1->natt_options->payload_nat_oa; 1551 1552 nat_oai = ipsecdoi_sockaddr2id(iph2->dst, 1553 IPSECDOI_PREFIX_HOST, IPSEC_ULPROTO_ANY); 1554 nat_oar = ipsecdoi_sockaddr2id(iph2->src, 1555 IPSECDOI_PREFIX_HOST, IPSEC_ULPROTO_ANY); 1556 1557 if (nat_oai == NULL || nat_oar == NULL) { 1558 plog(LLV_ERROR, LOCATION, NULL, 1559 "failed to generate NAT-OA payload.\n"); 1560 goto end; 1561 } 1562 1563 plog(LLV_DEBUG, LOCATION, NULL, "NAT-OAi:\n"); 1564 plogdump(LLV_DEBUG, nat_oai->v, nat_oai->l); 1565 plog(LLV_DEBUG, LOCATION, NULL, "NAT-OAr:\n"); 1566 plogdump(LLV_DEBUG, nat_oar->v, nat_oar->l); 1567 } 1568#endif 1569 1570 /* create SA;NONCE payload, and KE and ID if need */ 1571 tlen = sizeof(*gen) + iph2->sa_ret->l 1572 + sizeof(*gen) + iph2->nonce->l; 1573 if (iph2->dhpub_p != NULL && pfsgroup != 0) 1574 tlen += (sizeof(*gen) + iph2->dhpub->l); 1575 if (iph2->id_p != NULL) 1576 tlen += (sizeof(*gen) + iph2->id_p->l 1577 + sizeof(*gen) + iph2->id->l); 1578#ifdef ENABLE_NATT 1579 if (natoa != ISAKMP_NPTYPE_NONE) 1580 tlen += 2 * sizeof(*gen) + nat_oai->l + nat_oar->l; 1581#endif 1582 1583 body = vmalloc(tlen); 1584 if (body == NULL) { 1585 plog(LLV_ERROR, LOCATION, NULL, 1586 "failed to get buffer to send.\n"); 1587 goto end; 1588 } 1589 p = body->v; 1590 1591 /* make SA payload */ 1592 p = set_isakmp_payload(body->v, iph2->sa_ret, ISAKMP_NPTYPE_NONCE); 1593 1594 /* add NONCE payload */ 1595 np_p = &((struct isakmp_gen *)p)->np; /* XXX */ 1596 p = set_isakmp_payload(p, iph2->nonce, 1597 (iph2->dhpub_p != NULL && pfsgroup != 0) 1598 ? ISAKMP_NPTYPE_KE 1599 : (iph2->id_p != NULL 1600 ? ISAKMP_NPTYPE_ID 1601 : natoa)); 1602 1603 /* add KE payload if need. */ 1604 if (iph2->dhpub_p != NULL && pfsgroup != 0) { 1605 np_p = &((struct isakmp_gen *)p)->np; /* XXX */ 1606 p = set_isakmp_payload(p, iph2->dhpub, 1607 (iph2->id_p == NULL) 1608 ? natoa 1609 : ISAKMP_NPTYPE_ID); 1610 } 1611 1612 /* add ID payloads received. */ 1613 if (iph2->id_p != NULL) { 1614 /* IDci */ 1615 p = set_isakmp_payload(p, iph2->id_p, ISAKMP_NPTYPE_ID); 1616 /* IDcr */ 1617 np_p = &((struct isakmp_gen *)p)->np; /* XXX */ 1618 p = set_isakmp_payload(p, iph2->id, natoa); 1619 } 1620 1621#ifdef ENABLE_NATT 1622 /* NAT-OA */ 1623 if (natoa != ISAKMP_NPTYPE_NONE) { 1624 p = set_isakmp_payload(p, nat_oai, natoa); 1625 p = set_isakmp_payload(p, nat_oar, ISAKMP_NPTYPE_NONE); 1626 } 1627#endif 1628 1629 /* add a RESPONDER-LIFETIME notify payload if needed */ 1630 { 1631 vchar_t *data = NULL; 1632 struct saprop *pp = iph2->approval; 1633 struct saproto *pr; 1634 1635 if (pp->claim & IPSECDOI_ATTR_SA_LD_TYPE_SEC) { 1636 u_int32_t v = htonl((u_int32_t)pp->lifetime); 1637 data = isakmp_add_attr_l(data, IPSECDOI_ATTR_SA_LD_TYPE, 1638 IPSECDOI_ATTR_SA_LD_TYPE_SEC); 1639 if (!data) 1640 goto end; 1641 data = isakmp_add_attr_v(data, IPSECDOI_ATTR_SA_LD, 1642 (caddr_t)&v, sizeof(v)); 1643 if (!data) 1644 goto end; 1645 } 1646 if (pp->claim & IPSECDOI_ATTR_SA_LD_TYPE_KB) { 1647 u_int32_t v = htonl((u_int32_t)pp->lifebyte); 1648 data = isakmp_add_attr_l(data, IPSECDOI_ATTR_SA_LD_TYPE, 1649 IPSECDOI_ATTR_SA_LD_TYPE_KB); 1650 if (!data) 1651 goto end; 1652 data = isakmp_add_attr_v(data, IPSECDOI_ATTR_SA_LD, 1653 (caddr_t)&v, sizeof(v)); 1654 if (!data) 1655 goto end; 1656 } 1657 1658 /* 1659 * XXX Is there only single RESPONDER-LIFETIME payload in a IKE message 1660 * in the case of SA bundle ? 1661 */ 1662 if (data) { 1663 for (pr = pp->head; pr; pr = pr->next) { 1664 body = isakmp_add_pl_n(body, &np_p, 1665 ISAKMP_NTYPE_RESPONDER_LIFETIME, pr, data); 1666 if (!body) { 1667 vfree(data); 1668 return error; /* XXX */ 1669 } 1670 } 1671 vfree(data); 1672 } 1673 } 1674 1675 /* generate HASH(2) */ 1676 { 1677 vchar_t *tmp; 1678 1679 tmp = vmalloc(iph2->nonce_p->l + body->l); 1680 if (tmp == NULL) { 1681 plog(LLV_ERROR, LOCATION, NULL, 1682 "failed to get hash buffer.\n"); 1683 goto end; 1684 } 1685 memcpy(tmp->v, iph2->nonce_p->v, iph2->nonce_p->l); 1686 memcpy(tmp->v + iph2->nonce_p->l, body->v, body->l); 1687 1688 hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, tmp); 1689 vfree(tmp); 1690 1691 if (hash == NULL) 1692 goto end; 1693 } 1694 1695 /* send isakmp payload */ 1696 iph2->sendbuf = quick_ir1mx(iph2, body, hash); 1697 if (iph2->sendbuf == NULL) 1698 goto end; 1699 1700 /* send the packet, add to the schedule to resend */ 1701 if (isakmp_ph2send(iph2) == -1) 1702 goto end; 1703 1704 /* the sending message is added to the received-list. */ 1705 if (add_recvdpkt(iph2->ph1->remote, iph2->ph1->local, iph2->sendbuf, iph2->msg1) == -1) { 1706 plog(LLV_ERROR , LOCATION, NULL, 1707 "failed to add a response packet to the tree.\n"); 1708 goto end; 1709 } 1710 1711 /* change status of isakmp status entry */ 1712 iph2->status = PHASE2ST_MSG1SENT; 1713 1714 error = 0; 1715 1716end: 1717 if (body != NULL) 1718 vfree(body); 1719 if (hash != NULL) 1720 vfree(hash); 1721#ifdef ENABLE_NATT 1722 if (nat_oai != NULL) 1723 vfree(nat_oai); 1724 if (nat_oar != NULL) 1725 vfree(nat_oar); 1726#endif 1727 1728 return error; 1729} 1730 1731/* 1732 * receive from initiator 1733 * HDR*, HASH(3) 1734 1735 */ 1736int 1737quick_r3recv(iph2, msg0) 1738 struct ph2handle *iph2; 1739 vchar_t *msg0; 1740{ 1741 vchar_t *msg = NULL; 1742 vchar_t *pbuf = NULL; /* for payload parsing */ 1743 struct isakmp_parse_t *pa; 1744 struct isakmp_pl_hash *hash = NULL; 1745 int error = ISAKMP_INTERNAL_ERROR; 1746 1747 /* validity check */ 1748 if (iph2->status != PHASE2ST_MSG1SENT) { 1749 plog(LLV_ERROR, LOCATION, NULL, 1750 "status mismatched %d.\n", iph2->status); 1751 goto end; 1752 } 1753 1754 /* decrypt packet */ 1755 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) { 1756 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 1757 "Packet wasn't encrypted.\n"); 1758 goto end; 1759 } 1760 msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive); 1761 if (msg == NULL) 1762 goto end; 1763 1764 /* validate the type of next payload */ 1765 pbuf = isakmp_parse(msg); 1766 if (pbuf == NULL) 1767 goto end; 1768 1769 for (pa = (struct isakmp_parse_t *)pbuf->v; 1770 pa->type != ISAKMP_NPTYPE_NONE; 1771 pa++) { 1772 1773 switch (pa->type) { 1774 case ISAKMP_NPTYPE_HASH: 1775 hash = (struct isakmp_pl_hash *)pa->ptr; 1776 break; 1777 case ISAKMP_NPTYPE_N: 1778 ph2_recv_n(iph2, pa->ptr); 1779 break; 1780 default: 1781 /* don't send information, see ident_r1recv() */ 1782 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 1783 "ignore the packet, " 1784 "received unexpecting payload type %d.\n", 1785 pa->type); 1786 goto end; 1787 } 1788 } 1789 1790 /* payload existency check */ 1791 if (hash == NULL) { 1792 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 1793 "few isakmp message received.\n"); 1794 goto end; 1795 } 1796 1797 /* validate HASH(3) */ 1798 /* HASH(3) = prf(SKEYID_a, 0 | M-ID | Ni_b | Nr_b) */ 1799 { 1800 char *r_hash; 1801 vchar_t *my_hash = NULL; 1802 vchar_t *tmp = NULL; 1803 int result; 1804 1805 r_hash = (char *)hash + sizeof(*hash); 1806 1807 plog(LLV_DEBUG, LOCATION, NULL, "HASH(3) validate:"); 1808 plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash)); 1809 1810 tmp = vmalloc(iph2->nonce_p->l + iph2->nonce->l); 1811 if (tmp == NULL) { 1812 plog(LLV_ERROR, LOCATION, NULL, 1813 "failed to get hash buffer.\n"); 1814 goto end; 1815 } 1816 memcpy(tmp->v, iph2->nonce_p->v, iph2->nonce_p->l); 1817 memcpy(tmp->v + iph2->nonce_p->l, iph2->nonce->v, iph2->nonce->l); 1818 1819 my_hash = oakley_compute_hash3(iph2->ph1, iph2->msgid, tmp); 1820 vfree(tmp); 1821 if (my_hash == NULL) 1822 goto end; 1823 1824 result = memcmp(my_hash->v, r_hash, my_hash->l); 1825 vfree(my_hash); 1826 1827 if (result) { 1828 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 1829 "HASH(3) mismatch.\n"); 1830 error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION; 1831 goto end; 1832 } 1833 } 1834 1835 /* if there is commit bit, don't set up SA now. */ 1836 if (ISSET(iph2->flags, ISAKMP_FLAG_C)) { 1837 iph2->status = PHASE2ST_COMMIT; 1838 } else 1839 iph2->status = PHASE2ST_STATUS6; 1840 1841 error = 0; 1842 1843end: 1844 if (pbuf != NULL) 1845 vfree(pbuf); 1846 if (msg != NULL) 1847 vfree(msg); 1848 1849 return error; 1850} 1851 1852/* 1853 * send to initiator 1854 * HDR#*, HASH(4), notify 1855 */ 1856int 1857quick_r3send(iph2, msg0) 1858 struct ph2handle *iph2; 1859 vchar_t *msg0; 1860{ 1861 vchar_t *buf = NULL; 1862 vchar_t *myhash = NULL; 1863 struct isakmp_pl_n *n; 1864 vchar_t *notify = NULL; 1865 char *p; 1866 int tlen; 1867 int error = ISAKMP_INTERNAL_ERROR; 1868 1869 /* validity check */ 1870 if (iph2->status != PHASE2ST_COMMIT) { 1871 plog(LLV_ERROR, LOCATION, NULL, 1872 "status mismatched %d.\n", iph2->status); 1873 goto end; 1874 } 1875 1876 /* generate HASH(4) */ 1877 /* XXX What can I do in the case of multiple different SA */ 1878 plog(LLV_DEBUG, LOCATION, NULL, "HASH(4) generate\n"); 1879 1880 /* XXX What should I do if there are multiple SAs ? */ 1881 tlen = sizeof(struct isakmp_pl_n) + iph2->approval->head->spisize; 1882 notify = vmalloc(tlen); 1883 if (notify == NULL) { 1884 plog(LLV_ERROR, LOCATION, NULL, 1885 "failed to get notify buffer.\n"); 1886 goto end; 1887 } 1888 n = (struct isakmp_pl_n *)notify->v; 1889 n->h.np = ISAKMP_NPTYPE_NONE; 1890 n->h.len = htons(tlen); 1891 n->doi = htonl(IPSEC_DOI); 1892 n->proto_id = iph2->approval->head->proto_id; 1893 n->spi_size = sizeof(iph2->approval->head->spisize); 1894 n->type = htons(ISAKMP_NTYPE_CONNECTED); 1895 memcpy(n + 1, &iph2->approval->head->spi, iph2->approval->head->spisize); 1896 1897 myhash = oakley_compute_hash1(iph2->ph1, iph2->msgid, notify); 1898 if (myhash == NULL) 1899 goto end; 1900 1901 /* create buffer for isakmp payload */ 1902 tlen = sizeof(struct isakmp) 1903 + sizeof(struct isakmp_gen) + myhash->l 1904 + notify->l; 1905 buf = vmalloc(tlen); 1906 if (buf == NULL) { 1907 plog(LLV_ERROR, LOCATION, NULL, 1908 "failed to get buffer to send.\n"); 1909 goto end; 1910 } 1911 1912 /* create isakmp header */ 1913 p = set_isakmp_header2(buf, iph2, ISAKMP_NPTYPE_HASH); 1914 if (p == NULL) 1915 goto end; 1916 1917 /* add HASH(4) payload */ 1918 p = set_isakmp_payload(p, myhash, ISAKMP_NPTYPE_N); 1919 1920 /* add notify payload */ 1921 memcpy(p, notify->v, notify->l); 1922 1923#ifdef HAVE_PRINT_ISAKMP_C 1924 isakmp_printpacket(buf, iph2->ph1->local, iph2->ph1->remote, 1); 1925#endif 1926 1927 /* encoding */ 1928 iph2->sendbuf = oakley_do_encrypt(iph2->ph1, buf, iph2->ivm->ive, iph2->ivm->iv); 1929 if (iph2->sendbuf == NULL) 1930 goto end; 1931 1932 /* send the packet */ 1933 if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0) 1934 goto end; 1935 1936 /* the sending message is added to the received-list. */ 1937 if (add_recvdpkt(iph2->ph1->remote, iph2->ph1->local, iph2->sendbuf, msg0) == -1) { 1938 plog(LLV_ERROR , LOCATION, NULL, 1939 "failed to add a response packet to the tree.\n"); 1940 goto end; 1941 } 1942 1943 iph2->status = PHASE2ST_COMMIT; 1944 1945 error = 0; 1946 1947end: 1948 if (buf != NULL) 1949 vfree(buf); 1950 if (myhash != NULL) 1951 vfree(myhash); 1952 if (notify != NULL) 1953 vfree(notify); 1954 1955 return error; 1956} 1957 1958int 1959tunnel_mode_prop(p) 1960 struct saprop *p; 1961{ 1962 struct saproto *pr; 1963 1964 for (pr = p->head; pr; pr = pr->next) 1965 if (pr->encmode == IPSECDOI_ATTR_ENC_MODE_TUNNEL) 1966 return 1; 1967 return 0; 1968} 1969 1970/* 1971 * set SA to kernel. 1972 */ 1973int 1974quick_r3prep(iph2, msg0) 1975 struct ph2handle *iph2; 1976 vchar_t *msg0; 1977{ 1978 int error = ISAKMP_INTERNAL_ERROR; 1979 1980 /* validity check */ 1981 if (iph2->status != PHASE2ST_STATUS6) { 1982 plog(LLV_ERROR, LOCATION, NULL, 1983 "status mismatched %d.\n", iph2->status); 1984 goto end; 1985 } 1986 1987 /* compute both of KEYMATs */ 1988 if (oakley_compute_keymat(iph2, RESPONDER) < 0) 1989 goto end; 1990 1991 iph2->status = PHASE2ST_ADDSA; 1992 iph2->flags ^= ISAKMP_FLAG_C; /* reset bit */ 1993 1994 /* don't anything if local test mode. */ 1995 if (f_local) { 1996 error = 0; 1997 goto end; 1998 } 1999 2000 /* Do UPDATE as responder */ 2001 plog(LLV_DEBUG, LOCATION, NULL, "call pk_sendupdate\n"); 2002 if (pk_sendupdate(iph2) < 0) { 2003 plog(LLV_ERROR, LOCATION, NULL, "pfkey update failed.\n"); 2004 goto end; 2005 } 2006 plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n"); 2007 2008 /* Do ADD for responder */ 2009 if (pk_sendadd(iph2) < 0) { 2010 plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n"); 2011 goto end; 2012 } 2013 plog(LLV_DEBUG, LOCATION, NULL, "pfkey add sent.\n"); 2014 2015 /* 2016 * set policies into SPD if the policy is generated 2017 * from peer's policy. 2018 */ 2019 if (iph2->spidx_gen) { 2020 2021 struct policyindex *spidx; 2022 struct sockaddr_storage addr; 2023 u_int8_t pref; 2024 struct sockaddr *src = iph2->src; 2025 struct sockaddr *dst = iph2->dst; 2026 2027 /* make inbound policy */ 2028 iph2->src = dst; 2029 iph2->dst = src; 2030 if (pk_sendspdupdate2(iph2) < 0) { 2031 plog(LLV_ERROR, LOCATION, NULL, 2032 "pfkey spdupdate2(inbound) failed.\n"); 2033 goto end; 2034 } 2035 plog(LLV_DEBUG, LOCATION, NULL, 2036 "pfkey spdupdate2(inbound) sent.\n"); 2037 2038 spidx = (struct policyindex *)iph2->spidx_gen; 2039#ifdef HAVE_POLICY_FWD 2040 /* make forward policy if required */ 2041 if (tunnel_mode_prop(iph2->approval)) { 2042 spidx->dir = IPSEC_DIR_FWD; 2043 if (pk_sendspdupdate2(iph2) < 0) { 2044 plog(LLV_ERROR, LOCATION, NULL, 2045 "pfkey spdupdate2(forward) failed.\n"); 2046 goto end; 2047 } 2048 plog(LLV_DEBUG, LOCATION, NULL, 2049 "pfkey spdupdate2(forward) sent.\n"); 2050 } 2051#endif 2052 2053 /* make outbound policy */ 2054 iph2->src = src; 2055 iph2->dst = dst; 2056 spidx->dir = IPSEC_DIR_OUTBOUND; 2057 addr = spidx->src; 2058 spidx->src = spidx->dst; 2059 spidx->dst = addr; 2060 pref = spidx->prefs; 2061 spidx->prefs = spidx->prefd; 2062 spidx->prefd = pref; 2063 2064 if (pk_sendspdupdate2(iph2) < 0) { 2065 plog(LLV_ERROR, LOCATION, NULL, 2066 "pfkey spdupdate2(outbound) failed.\n"); 2067 goto end; 2068 } 2069 plog(LLV_DEBUG, LOCATION, NULL, 2070 "pfkey spdupdate2(outbound) sent.\n"); 2071 2072 /* spidx_gen is unnecessary any more */ 2073 delsp_bothdir((struct policyindex *)iph2->spidx_gen); 2074 racoon_free(iph2->spidx_gen); 2075 iph2->spidx_gen = NULL; 2076 iph2->generated_spidx=1; 2077 } 2078 2079 error = 0; 2080 2081end: 2082 return error; 2083} 2084 2085/* 2086 * create HASH, body (SA, NONCE) payload with isakmp header. 2087 */ 2088static vchar_t * 2089quick_ir1mx(iph2, body, hash) 2090 struct ph2handle *iph2; 2091 vchar_t *body, *hash; 2092{ 2093 struct isakmp *isakmp; 2094 vchar_t *buf = NULL, *new = NULL; 2095 char *p; 2096 int tlen; 2097 struct isakmp_gen *gen; 2098 int error = ISAKMP_INTERNAL_ERROR; 2099 2100 /* create buffer for isakmp payload */ 2101 tlen = sizeof(*isakmp) 2102 + sizeof(*gen) + hash->l 2103 + body->l; 2104 buf = vmalloc(tlen); 2105 if (buf == NULL) { 2106 plog(LLV_ERROR, LOCATION, NULL, 2107 "failed to get buffer to send.\n"); 2108 goto end; 2109 } 2110 2111 /* re-set encryption flag, for serurity. */ 2112 iph2->flags |= ISAKMP_FLAG_E; 2113 2114 /* set isakmp header */ 2115 p = set_isakmp_header2(buf, iph2, ISAKMP_NPTYPE_HASH); 2116 if (p == NULL) 2117 goto end; 2118 2119 /* add HASH payload */ 2120 /* XXX is next type always SA ? */ 2121 p = set_isakmp_payload(p, hash, ISAKMP_NPTYPE_SA); 2122 2123 /* add body payload */ 2124 memcpy(p, body->v, body->l); 2125 2126#ifdef HAVE_PRINT_ISAKMP_C 2127 isakmp_printpacket(buf, iph2->ph1->local, iph2->ph1->remote, 1); 2128#endif 2129 2130 /* encoding */ 2131 new = oakley_do_encrypt(iph2->ph1, buf, iph2->ivm->ive, iph2->ivm->iv); 2132 2133 if (new == NULL) 2134 goto end; 2135 2136 vfree(buf); 2137 2138 buf = new; 2139 2140 error = 0; 2141 2142end: 2143 if (error && buf != NULL) { 2144 vfree(buf); 2145 buf = NULL; 2146 } 2147 2148 return buf; 2149} 2150 2151/* 2152 * get remote's sainfo. 2153 * NOTE: this function is for responder. 2154 */ 2155static int 2156get_sainfo_r(iph2) 2157 struct ph2handle *iph2; 2158{ 2159 vchar_t *idsrc = NULL, *iddst = NULL, *client = NULL; 2160 int error = ISAKMP_INTERNAL_ERROR; 2161 2162 if (iph2->id == NULL) { 2163 idsrc = ipsecdoi_sockaddr2id(iph2->src, IPSECDOI_PREFIX_HOST, 2164 IPSEC_ULPROTO_ANY); 2165 } else { 2166 idsrc = vdup(iph2->id); 2167 } 2168 if (idsrc == NULL) { 2169 plog(LLV_ERROR, LOCATION, NULL, 2170 "failed to set ID for source.\n"); 2171 goto end; 2172 } 2173 2174 if (iph2->id_p == NULL) { 2175 iddst = ipsecdoi_sockaddr2id(iph2->dst, IPSECDOI_PREFIX_HOST, 2176 IPSEC_ULPROTO_ANY); 2177 } else { 2178 iddst = vdup(iph2->id_p); 2179 } 2180 if (iddst == NULL) { 2181 plog(LLV_ERROR, LOCATION, NULL, 2182 "failed to set ID for destination.\n"); 2183 goto end; 2184 } 2185 2186#ifdef ENABLE_HYBRID 2187 2188 /* clientaddr check : obtain modecfg address */ 2189 if (iph2->ph1->mode_cfg != NULL) { 2190 if ((iph2->ph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_EXTERN) || 2191 (iph2->ph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_LOCAL)){ 2192 struct sockaddr saddr; 2193 saddr.sa_family = AF_INET; 2194#ifndef __linux__ 2195 saddr.sa_len = sizeof(struct sockaddr_in); 2196#endif 2197 ((struct sockaddr_in *)&saddr)->sin_port = IPSEC_PORT_ANY; 2198 memcpy(&((struct sockaddr_in *)&saddr)->sin_addr, 2199 &iph2->ph1->mode_cfg->addr4, sizeof(struct in_addr)); 2200 client = ipsecdoi_sockaddr2id(&saddr, 32, IPSEC_ULPROTO_ANY); 2201 } 2202 } 2203 2204 /* clientaddr check, fallback to peer address */ 2205 if (client == NULL) 2206 { 2207 client = ipsecdoi_sockaddr2id(iph2->dst, IPSECDOI_PREFIX_HOST, 2208 IPSEC_ULPROTO_ANY); 2209 } 2210#endif 2211 2212 /* obtain a matching sainfo section */ 2213 iph2->sainfo = getsainfo(idsrc, iddst, iph2->ph1->id_p, client, iph2->ph1->rmconf->ph1id); 2214 if (iph2->sainfo == NULL) { 2215 plog(LLV_ERROR, LOCATION, NULL, 2216 "failed to get sainfo.\n"); 2217 goto end; 2218 } 2219 2220#ifdef ENABLE_HYBRID 2221 /* xauth group inclusion check */ 2222 if (iph2->sainfo->group != NULL) 2223 if(group_check(iph2->ph1,&iph2->sainfo->group->v,1)) 2224 goto end; 2225#endif 2226 2227 plog(LLV_DEBUG, LOCATION, NULL, 2228 "selected sainfo: %s\n", sainfo2str(iph2->sainfo)); 2229 2230 error = 0; 2231end: 2232 if (idsrc) 2233 vfree(idsrc); 2234 if (iddst) 2235 vfree(iddst); 2236 if (client) 2237 vfree(client); 2238 2239 return error; 2240} 2241 2242/* 2243 * Copy both IP addresses in ID payloads into [src,dst]_id if both ID types 2244 * are IP address and same address family. 2245 * Then get remote's policy from SPD copied from kernel. 2246 * If the type of ID payload is address or subnet type, then the index is 2247 * made from the payload. If there is no ID payload, or the type of ID 2248 * payload is NOT address type, then the index is made from the address 2249 * pair of phase 1. 2250 * NOTE: This function is only for responder. 2251 */ 2252static int 2253get_proposal_r(iph2) 2254 struct ph2handle *iph2; 2255{ 2256 struct policyindex spidx; 2257 struct secpolicy *sp_in, *sp_out; 2258 int idi2type = 0; /* switch whether copy IDs into id[src,dst]. */ 2259 int error = ISAKMP_INTERNAL_ERROR; 2260 2261 /* check the existence of ID payload */ 2262 if ((iph2->id_p != NULL && iph2->id == NULL) 2263 || (iph2->id_p == NULL && iph2->id != NULL)) { 2264 plog(LLV_ERROR, LOCATION, NULL, 2265 "Both IDs wasn't found in payload.\n"); 2266 return ISAKMP_NTYPE_INVALID_ID_INFORMATION; 2267 } 2268 2269 /* make sure if sa_[src, dst] are null. */ 2270 if (iph2->sa_src || iph2->sa_dst) { 2271 plog(LLV_ERROR, LOCATION, NULL, 2272 "Why do ID[src,dst] exist already.\n"); 2273 return ISAKMP_INTERNAL_ERROR; 2274 } 2275 2276 memset(&spidx, 0, sizeof(spidx)); 2277 2278#define _XIDT(d) ((struct ipsecdoi_id_b *)(d)->v)->type 2279 2280 /* make a spidx; a key to search SPD */ 2281 spidx.dir = IPSEC_DIR_INBOUND; 2282 spidx.ul_proto = 0; 2283 2284 /* 2285 * make destination address in spidx from either ID payload 2286 * or phase 1 address into a address in spidx. 2287 */ 2288 if (iph2->id != NULL 2289 && (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR 2290 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR 2291 || _XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR_SUBNET 2292 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) { 2293 /* get a destination address of a policy */ 2294 error = ipsecdoi_id2sockaddr(iph2->id, 2295 (struct sockaddr *)&spidx.dst, 2296 &spidx.prefd, &spidx.ul_proto); 2297 if (error) 2298 return error; 2299 2300#ifdef INET6 2301 /* 2302 * get scopeid from the SA address. 2303 * note that the phase 1 source address is used as 2304 * a destination address to search for a inbound policy entry 2305 * because rcoon is responder. 2306 */ 2307 if (_XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) { 2308 error = setscopeid((struct sockaddr *)&spidx.dst, 2309 iph2->src); 2310 if (error) 2311 return error; 2312 } 2313#endif 2314 2315 if (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR 2316 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) 2317 idi2type = _XIDT(iph2->id); 2318 2319 } else { 2320 2321 plog(LLV_DEBUG, LOCATION, NULL, 2322 "get a destination address of SP index " 2323 "from phase1 address " 2324 "due to no ID payloads found " 2325 "OR because ID type is not address.\n"); 2326 2327 /* 2328 * copy the SOURCE address of IKE into the DESTINATION address 2329 * of the key to search the SPD because the direction of policy 2330 * is inbound. 2331 */ 2332 memcpy(&spidx.dst, iph2->src, sysdep_sa_len(iph2->src)); 2333 switch (spidx.dst.ss_family) { 2334 case AF_INET: 2335 spidx.prefd = sizeof(struct in_addr) << 3; 2336 break; 2337#ifdef INET6 2338 case AF_INET6: 2339 spidx.prefd = sizeof(struct in6_addr) << 3; 2340 break; 2341#endif 2342 default: 2343 spidx.prefd = 0; 2344 break; 2345 } 2346 } 2347 2348 /* make source address in spidx */ 2349 if (iph2->id_p != NULL 2350 && (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR 2351 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR 2352 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR_SUBNET 2353 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) { 2354 /* get a source address of inbound SA */ 2355 error = ipsecdoi_id2sockaddr(iph2->id_p, 2356 (struct sockaddr *)&spidx.src, 2357 &spidx.prefs, &spidx.ul_proto); 2358 if (error) 2359 return error; 2360 2361#ifdef INET6 2362 /* 2363 * get scopeid from the SA address. 2364 * for more detail, see above of this function. 2365 */ 2366 if (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR) { 2367 error = setscopeid((struct sockaddr *)&spidx.src, 2368 iph2->dst); 2369 if (error) 2370 return error; 2371 } 2372#endif 2373 2374 /* Before setting iph2->[sa_src, sa_dst] with the addresses 2375 * provided in ID payloads, we check: 2376 * - they are both addresses of same family 2377 * - sainfo has not been selected only based on ID payload 2378 * information but also based on specific Phase 1 2379 * credentials (iph2->sainfo->id_i is defined), i.e. 2380 * local configuration _explicitly_ expect that user 2381 * (e.g. from asn1dn "C=FR, ...") with those IDs) */ 2382 if (_XIDT(iph2->id_p) == idi2type && 2383 spidx.dst.ss_family == spidx.src.ss_family && 2384 iph2->sainfo && iph2->sainfo->id_i) { 2385 2386 iph2->sa_src = dupsaddr((struct sockaddr *)&spidx.dst); 2387 if (iph2->sa_src == NULL) { 2388 plog(LLV_ERROR, LOCATION, NULL, 2389 "buffer allocation failed.\n"); 2390 return ISAKMP_INTERNAL_ERROR; 2391 } 2392 2393 iph2->sa_dst = dupsaddr((struct sockaddr *)&spidx.src); 2394 if (iph2->sa_dst == NULL) { 2395 plog(LLV_ERROR, LOCATION, NULL, 2396 "buffer allocation failed.\n"); 2397 return ISAKMP_INTERNAL_ERROR; 2398 } 2399 } else { 2400 plog(LLV_DEBUG, LOCATION, NULL, 2401 "Either family (%d - %d), types (%d - %d) of ID " 2402 "from initiator differ or matching sainfo " 2403 "has no id_i defined for the peer. Not filling " 2404 "iph2->sa_src and iph2->sa_dst.\n", 2405 spidx.src.ss_family, spidx.dst.ss_family, 2406 _XIDT(iph2->id_p),idi2type); 2407 } 2408 } else { 2409 plog(LLV_DEBUG, LOCATION, NULL, 2410 "get a source address of SP index from Phase 1" 2411 "addresses due to no ID payloads found" 2412 "OR because ID type is not address.\n"); 2413 2414 /* see above comment. */ 2415 memcpy(&spidx.src, iph2->dst, sysdep_sa_len(iph2->dst)); 2416 switch (spidx.src.ss_family) { 2417 case AF_INET: 2418 spidx.prefs = sizeof(struct in_addr) << 3; 2419 break; 2420#ifdef INET6 2421 case AF_INET6: 2422 spidx.prefs = sizeof(struct in6_addr) << 3; 2423 break; 2424#endif 2425 default: 2426 spidx.prefs = 0; 2427 break; 2428 } 2429 } 2430 2431#undef _XIDT 2432 2433 plog(LLV_DEBUG, LOCATION, NULL, 2434 "get src address from ID payload " 2435 "%s prefixlen=%u ul_proto=%u\n", 2436 saddr2str((struct sockaddr *)&spidx.src), 2437 spidx.prefs, spidx.ul_proto); 2438 plog(LLV_DEBUG, LOCATION, NULL, 2439 "get dst address from ID payload " 2440 "%s prefixlen=%u ul_proto=%u\n", 2441 saddr2str((struct sockaddr *)&spidx.dst), 2442 spidx.prefd, spidx.ul_proto); 2443 2444 /* 2445 * convert the ul_proto if it is 0 2446 * because 0 in ID payload means a wild card. 2447 */ 2448 if (spidx.ul_proto == 0) 2449 spidx.ul_proto = IPSEC_ULPROTO_ANY; 2450 2451#ifdef HAVE_SECCTX 2452 /* 2453 * Need to use security context in spidx to ensure the correct 2454 * policy is selected. The only way to get the security context 2455 * is to look into the proposal sent by peer ahead of time. 2456 */ 2457 if (get_security_context(iph2->sa, &spidx)) { 2458 plog(LLV_ERROR, LOCATION, NULL, 2459 "error occurred trying to get security context.\n"); 2460 return ISAKMP_INTERNAL_ERROR; 2461 } 2462#endif /* HAVE_SECCTX */ 2463 2464 /* get inbound policy */ 2465 sp_in = getsp_r(&spidx); 2466 if (sp_in == NULL) { 2467 if (iph2->ph1->rmconf->gen_policy) { 2468 plog(LLV_INFO, LOCATION, NULL, 2469 "no policy found, " 2470 "try to generate the policy : %s\n", 2471 spidx2str(&spidx)); 2472 iph2->spidx_gen = racoon_malloc(sizeof(spidx)); 2473 if (!iph2->spidx_gen) { 2474 plog(LLV_ERROR, LOCATION, NULL, 2475 "buffer allocation failed.\n"); 2476 return ISAKMP_INTERNAL_ERROR; 2477 } 2478 memcpy(iph2->spidx_gen, &spidx, sizeof(spidx)); 2479 return -2; /* special value */ 2480 } 2481 plog(LLV_ERROR, LOCATION, NULL, 2482 "no policy found: %s\n", spidx2str(&spidx)); 2483 return ISAKMP_INTERNAL_ERROR; 2484 } 2485 /* Refresh existing generated policies 2486 */ 2487 if (iph2->ph1->rmconf->gen_policy) { 2488 plog(LLV_INFO, LOCATION, NULL, 2489 "Update the generated policy : %s\n", 2490 spidx2str(&spidx)); 2491 iph2->spidx_gen = racoon_malloc(sizeof(spidx)); 2492 if (!iph2->spidx_gen) { 2493 plog(LLV_ERROR, LOCATION, NULL, 2494 "buffer allocation failed.\n"); 2495 return ISAKMP_INTERNAL_ERROR; 2496 } 2497 memcpy(iph2->spidx_gen, &spidx, sizeof(spidx)); 2498 } 2499 2500 /* get outbound policy */ 2501 { 2502 struct sockaddr_storage addr; 2503 u_int8_t pref; 2504 2505 spidx.dir = IPSEC_DIR_OUTBOUND; 2506 addr = spidx.src; 2507 spidx.src = spidx.dst; 2508 spidx.dst = addr; 2509 pref = spidx.prefs; 2510 spidx.prefs = spidx.prefd; 2511 spidx.prefd = pref; 2512 2513 sp_out = getsp_r(&spidx); 2514 if (!sp_out) { 2515 plog(LLV_WARNING, LOCATION, NULL, 2516 "no outbound policy found: %s\n", 2517 spidx2str(&spidx)); 2518 } 2519 } 2520 2521 plog(LLV_DEBUG, LOCATION, NULL, 2522 "suitable SP found:%s\n", spidx2str(&spidx)); 2523 2524 /* 2525 * In the responder side, the inbound policy should be using IPsec. 2526 * outbound policy is not checked currently. 2527 */ 2528 if (sp_in->policy != IPSEC_POLICY_IPSEC) { 2529 plog(LLV_ERROR, LOCATION, NULL, 2530 "policy found, but no IPsec required: %s\n", 2531 spidx2str(&spidx)); 2532 return ISAKMP_INTERNAL_ERROR; 2533 } 2534 2535 /* set new proposal derived from a policy into the iph2->proposal. */ 2536 if (set_proposal_from_policy(iph2, sp_in, sp_out) < 0) { 2537 plog(LLV_ERROR, LOCATION, NULL, 2538 "failed to create saprop.\n"); 2539 return ISAKMP_INTERNAL_ERROR; 2540 } 2541 2542#ifdef HAVE_SECCTX 2543 if (spidx.sec_ctx.ctx_str) { 2544 set_secctx_in_proposal(iph2, spidx); 2545 } 2546#endif /* HAVE_SECCTX */ 2547 2548 iph2->spid = sp_in->id; 2549 2550 return 0; 2551} 2552 2553/* 2554 * handle a notification payload inside phase2 exchange. 2555 * phase2 is always encrypted, so it does not need to be checked 2556 * for explicitely. 2557 */ 2558static int 2559ph2_recv_n(iph2, gen) 2560 struct ph2handle *iph2; 2561 struct isakmp_gen *gen; 2562{ 2563 struct ph1handle *iph1 = iph2->ph1; 2564 struct isakmp_pl_n *notify = (struct isakmp_pl_n *) gen; 2565 u_int type; 2566 int check_level; 2567 2568 type = ntohs(notify->type); 2569 switch (type) { 2570 case ISAKMP_NTYPE_CONNECTED: 2571 break; 2572 case ISAKMP_NTYPE_INITIAL_CONTACT: 2573 return isakmp_info_recv_initialcontact(iph1, iph2); 2574 case ISAKMP_NTYPE_RESPONDER_LIFETIME: 2575 ipsecdoi_parse_responder_lifetime(notify, 2576 &iph2->lifetime_secs, &iph2->lifetime_kb); 2577 2578 if (iph1 != NULL && iph1->rmconf != NULL) { 2579 check_level = iph1->rmconf->pcheck_level; 2580 } else { 2581 if (iph1 != NULL) 2582 plog(LLV_DEBUG, LOCATION, NULL, 2583 "No phase1 rmconf found !\n"); 2584 else 2585 plog(LLV_DEBUG, LOCATION, NULL, 2586 "No phase1 found !\n"); 2587 check_level = PROP_CHECK_EXACT; 2588 } 2589 2590 switch (check_level) { 2591 case PROP_CHECK_OBEY: 2592 break; 2593 case PROP_CHECK_STRICT: 2594 case PROP_CHECK_CLAIM: 2595 if (iph2->sainfo == NULL 2596 || iph2->sainfo->lifetime <= iph2->lifetime_secs) { 2597 plog(LLV_WARNING, LOCATION, NULL, 2598 "RESPONDER-LIFETIME: lifetime mismatch\n"); 2599 iph2->lifetime_secs = 0; 2600 } 2601 break; 2602 case PROP_CHECK_EXACT: 2603 if (iph2->sainfo == NULL 2604 || iph2->sainfo->lifetime != iph2->lifetime_secs) { 2605 plog(LLV_WARNING, LOCATION, NULL, 2606 "RESPONDER-LIFETIME: lifetime mismatch\n"); 2607 iph2->lifetime_secs = 0; 2608 } 2609 break; 2610 } 2611 break; 2612 default: 2613 isakmp_log_notify(iph2->ph1, notify, "phase2 exchange"); 2614 isakmp_info_send_n2(iph2, ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE, 2615 NULL); 2616 break; 2617 } 2618 return 0; 2619} 2620 2621