1 /* $NetBSD: isakmp_inf.c,v 1.54 2025/03/07 15:55:29 christos Exp $ */ 2 3 /* Id: isakmp_inf.c,v 1.44 2006/05/06 20:45:52 manubsd Exp */ 4 5 /* 6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of the project nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 
32 */ 33 34 #include "config.h" 35 36 #include <sys/types.h> 37 #include <sys/param.h> 38 #include <sys/socket.h> 39 40 #include <net/pfkeyv2.h> 41 #include <netinet/in.h> 42 #include <sys/queue.h> 43 #include PATH_IPSEC_H 44 45 #include <stdlib.h> 46 #include <stdio.h> 47 #include <string.h> 48 #include <errno.h> 49 #if TIME_WITH_SYS_TIME 50 # include <sys/time.h> 51 # include <time.h> 52 #else 53 # if HAVE_SYS_TIME_H 54 # include <sys/time.h> 55 # else 56 # include <time.h> 57 # endif 58 #endif 59 #ifdef ENABLE_HYBRID 60 #include <resolv.h> 61 #endif 62 63 #include "libpfkey.h" 64 65 #include "var.h" 66 #include "vmbuf.h" 67 #include "schedule.h" 68 #include "str2val.h" 69 #include "misc.h" 70 #include "plog.h" 71 #include "debug.h" 72 73 #include "localconf.h" 74 #include "remoteconf.h" 75 #include "sockmisc.h" 76 #include "handler.h" 77 #include "policy.h" 78 #include "proposal.h" 79 #include "isakmp_var.h" 80 #include "evt.h" 81 #include "isakmp.h" 82 #ifdef ENABLE_HYBRID 83 #include "isakmp_xauth.h" 84 #include "isakmp_unity.h" 85 #include "isakmp_cfg.h" 86 #endif 87 #include "isakmp_inf.h" 88 #include "oakley.h" 89 #include "ipsec_doi.h" 90 #include "crypto_openssl.h" 91 #include "pfkey.h" 92 #include "policy.h" 93 #include "algorithm.h" 94 #include "proposal.h" 95 #include "admin.h" 96 #include "strnames.h" 97 #ifdef ENABLE_NATT 98 #include "nattraversal.h" 99 #endif 100 101 /* information exchange */ 102 static int isakmp_info_recv_n (struct ph1handle *, struct isakmp_pl_n *, uint32_t, int); 103 static int isakmp_info_recv_d (struct ph1handle *, struct isakmp_pl_d *, uint32_t, int); 104 105 #ifdef ENABLE_DPD 106 static int isakmp_info_recv_r_u(struct ph1handle *, struct isakmp_pl_ru *, 107 uint32_t); 108 static int isakmp_info_recv_r_u_ack(struct ph1handle *, struct isakmp_pl_ru *, 109 uint32_t); 110 static void isakmp_info_send_r_u(struct sched *); 111 #endif 112 113 /* %%% 115 * Information Exchange 116 */ 117 /* 118 * receive Information 119 */ 120 int 
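isakmp_info_recv(struct ph1handle *iph1, vchar_t *msg0)
{
	vchar_t *msg = NULL;
	vchar_t *pbuf = NULL;
	uint32_t msgid = 0;
	int error = -1;
	struct isakmp *isakmp;
	struct isakmp_gen *gen;
	struct isakmp_parse_t *pa;
	const unsigned char *p;
	vchar_t *hash, *payload;
	struct isakmp_gen *nd;
	uint8_t np;
	int encrypted;
	size_t i;
	unsigned char diff;

	/*
	 * Entry point for an ISAKMP Informational exchange received for
	 * phase-1 handle iph1.  msg0 is the raw datagram (still encrypted
	 * when the E flag is set).  Returns 0 when the message was handled
	 * or deliberately ignored, -1 on decryption/allocation/parse failure.
	 */
	plog(LLV_DEBUG, LOCATION, NULL, "receive Information.\n");

	encrypted = ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E);
	msgid = ((struct isakmp *)msg0->v)->msgid;

	/* Use new IV to decrypt Informational message. */
	if (encrypted) {
		struct isakmp_ivm *ivm;

		if (iph1->ivm == NULL) {
			plog(LLV_ERROR, LOCATION, NULL, "iph1->ivm == NULL\n");
			return -1;
		}

		/* compute IV: the Informational IV is derived from the
		 * phase-1 IV and this message's msgid. */
		ivm = oakley_newiv2(iph1, ((struct isakmp *)msg0->v)->msgid);
		if (ivm == NULL)
			return -1;

		msg = oakley_do_decrypt(iph1, msg0, ivm->iv, ivm->ive);
		oakley_delivm(ivm);
		if (msg == NULL)
			return -1;
	} else {
		/* work on a private copy; vdup() may fail under memory pressure */
		msg = vdup(msg0);
		if (msg == NULL)
			return -1;
	}

	/* Safety check: header plus at least one generic payload header */
	if (msg->l < sizeof(*isakmp) + sizeof(*gen)) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "ignore information because the "
		    "message is way too short - %zu byte(s).\n",
		    msg->l);
		goto end;
	}

	isakmp = (struct isakmp *)msg->v;
	gen = (struct isakmp_gen *)((caddr_t)isakmp + sizeof(struct isakmp));
	np = gen->np;

	if (encrypted) {
		/* an encrypted Informational must start with HASH(1) */
		if (isakmp->np != ISAKMP_NPTYPE_HASH) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "ignore information because the "
			    "message has no hash payload.\n");
			goto end;
		}

		if (iph1->status != PHASE1ST_ESTABLISHED &&
		    iph1->status != PHASE1ST_DYING) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "ignore information because ISAKMP-SA "
			    "has not been established yet.\n");
			goto end;
		}

		/*
		 * The hash payload's own length must at least cover its
		 * generic header, otherwise nd (computed from gen->len
		 * below) would land inside gen itself.
		 */
		if (ntohs(gen->len) < sizeof(*gen)) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "too short payload length (broken message?)\n");
			goto end;
		}

		/* Safety check: room for the hash payload and the header of
		 * the payload that follows it. */
		if (msg->l < sizeof(*isakmp) + ntohs(gen->len) + sizeof(*nd)) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "ignore information because the "
			    "message is too short - %zu byte(s).\n",
			    msg->l);
			goto end;
		}

		p = (const unsigned char *)gen + sizeof(struct isakmp_gen);
		nd = (struct isakmp_gen *)((caddr_t)gen + ntohs(gen->len));

		/* nd length check */
		if (ntohs(nd->len) > msg->l - (sizeof(struct isakmp) +
		    ntohs(gen->len))) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "too long payload length (broken message?)\n");
			goto end;
		}

		if (ntohs(nd->len) < sizeof(*nd)) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "too short payload length (broken message?)\n");
			goto end;
		}

		/*
		 * NOTE(review): HASH(1) is recomputed over the first payload
		 * after HASH only (nd->len bytes).  Any further payloads in
		 * the same message are still dispatched by the loop below
		 * without being covered by this check; RFC 2409 has HASH(1)
		 * cover all payloads after HASH.  Extending the hashed span
		 * needs care with the CBC padding that follows the last
		 * payload in the decrypted buffer - confirm against
		 * isakmp_info_send_common() and peer behaviour first.
		 */
		payload = vmalloc(ntohs(nd->len));
		if (payload == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "cannot allocate memory\n");
			goto end;
		}

		memcpy(payload->v, (caddr_t)nd, ntohs(nd->len));

		/* compute HASH */
		hash = oakley_compute_hash1(iph1, isakmp->msgid, payload);
		if (hash == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "cannot compute hash\n");

			vfree(payload);
			goto end;
		}

		if (ntohs(gen->len) - sizeof(struct isakmp_gen) != hash->l) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "ignore information due to hash length mismatch\n");

			vfree(hash);
			vfree(payload);
			goto end;
		}

		/*
		 * Compare in constant time so the time taken to reject a
		 * forged HASH(1) does not reveal how many leading bytes of
		 * it were correct.
		 */
		diff = 0;
		for (i = 0; i < hash->l; i++)
			diff |= p[i] ^ ((const unsigned char *)hash->v)[i];
		if (diff != 0) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "ignore information due to hash mismatch\n");

			vfree(hash);
			vfree(payload);
			goto end;
		}

		plog(LLV_DEBUG, LOCATION, NULL, "hash validated.\n");

		vfree(hash);
		vfree(payload);
	} else {
		/*
		 * Unencrypted Informationals are only acceptable while
		 * phase 1 is still in its early, unkeyed messages; once
		 * keying material exists they must be encrypted.
		 */
		switch (iph1->etype) {
		case ISAKMP_ETYPE_AGG:
		case ISAKMP_ETYPE_BASE:
		case ISAKMP_ETYPE_IDENT:
			if ((iph1->side == INITIATOR && iph1->status < PHASE1ST_MSG3SENT)
			    || (iph1->side == RESPONDER && iph1->status < PHASE1ST_MSG2SENT)) {
				break;
			}
			/*FALLTHRU*/
		default:
			plog(LLV_ERROR, LOCATION, iph1->remote,
			    "%s message must be encrypted\n",
			    s_isakmp_nptype(np));
			error = 0;
			goto end;
		}
	}

	if (!(pbuf = isakmp_parse(msg))) {
		error = -1;
		goto end;
	}

	/* dispatch every payload; a handler returning < 0 stops the walk */
	error = 0;
	for (pa = (struct isakmp_parse_t *)pbuf->v; pa->type; pa++) {
		switch (pa->type) {
		case ISAKMP_NPTYPE_HASH:
			/* Handled above (only verified when encrypted) */
			break;
		case ISAKMP_NPTYPE_N:
			error = isakmp_info_recv_n(iph1,
			    (struct isakmp_pl_n *)pa->ptr,
			    msgid, encrypted);
			break;
		case ISAKMP_NPTYPE_D:
			error = isakmp_info_recv_d(iph1,
			    (struct isakmp_pl_d *)pa->ptr,
			    msgid, encrypted);
			break;
		case ISAKMP_NPTYPE_NONCE:
			/* XXX to be 6.4.2 ike-01.txt */
			/* XXX IV is to be synchronized. */
			plog(LLV_ERROR, LOCATION, iph1->remote,
			    "ignore Acknowledged Informational\n");
			break;
		default:
			/* don't send information, see isakmp_ident_r1() */
			error = 0;
			/* report the offending payload, not the first one */
			plog(LLV_ERROR, LOCATION, iph1->remote,
			    "reject the packet, "
			    "received unexpected payload type %s.\n",
			    s_isakmp_nptype(pa->type));
		}
		if (error < 0)
			break;
	}
end:
	if (msg != NULL)
		vfree(msg);
	if (pbuf != NULL)
		vfree(pbuf);
	return error;
}


/*
 * log unhandled / unallowed Notification payload
 *
 * Logs the notification type, and either the textual error message
 * (for error-class notifications) or a hex dump of the payload data.
 * Returns -1 when the payload is shorter than its own spi_size claims,
 * 0 otherwise.
 */
int
isakmp_log_notify(struct ph1handle *iph1, struct isakmp_pl_n *notify,
    const char *exchange)
{
	u_int type;
	char *nraw, *ndata, *nhex;
	size_t l;

	type = ntohs(notify->type);
	/* fixed header plus the variable SPI must fit in the payload */
	if (ntohs(notify->h.len) < sizeof(*notify) + notify->spi_size) {
		plog(LLV_ERROR, LOCATION, iph1->remote,
		    "invalid spi_size in %s notification in %s.\n",
		    s_isakmp_notify_msg(type), exchange);
		return -1;
	}

	plog(LLV_ERROR, LOCATION, iph1->remote,
	    "notification %s received in %s.\n",
	    s_isakmp_notify_msg(type), exchange);

	/* data following the SPI, if any */
	nraw = ((char*)notify) + sizeof(*notify) + notify->spi_size;
	l = ntohs(notify->h.len) - sizeof(*notify) - notify->spi_size;
	if (l > 0) {
		if (type >= ISAKMP_NTYPE_MINERROR &&
		    type <= ISAKMP_NTYPE_MAXERROR) {
			/* peer-supplied text: sanitize before logging */
			ndata = binsanitize(nraw, l);
			if (ndata != NULL) {
				plog(LLV_ERROR, LOCATION, iph1->remote,
				    "error message: '%s'.\n",
				    ndata);
				racoon_free(ndata);
			} else {
				plog(LLV_ERROR, LOCATION, iph1->remote,
				    "Cannot allocate memory\n");
			}
		} else {
			nhex = val2str(nraw, l);
			if (nhex != NULL) {
				plog(LLV_ERROR, LOCATION, iph1->remote,
				    "notification payload: %s.\n",
				    nhex);
				racoon_free(nhex);
			} else {
				plog(LLV_ERROR, LOCATION, iph1->remote,
				    "Cannot allocate memory\n");
			}
		}
	}

	return 0;
}


/*
 * handling of Notification payload
 */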
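static int
isakmp_info_recv_n(struct ph1handle *iph1, struct isakmp_pl_n *notify,
    uint32_t msgid, int encrypted)
{
	u_int type;

	/*
	 * Dispatch a Notification payload received in an Informational
	 * exchange.  Only INITIAL-CONTACT and the DPD R-U-THERE pair are
	 * acted upon, and only when the message was encrypted (i.e.
	 * authenticated by HASH(1)); everything else is just logged.
	 */
	type = ntohs(notify->type);
	switch (type) {
	case ISAKMP_NTYPE_CONNECTED:
	case ISAKMP_NTYPE_RESPONDER_LIFETIME:
	case ISAKMP_NTYPE_REPLAY_STATUS:
#ifdef ENABLE_HYBRID
	case ISAKMP_NTYPE_UNITY_HEARTBEAT:
#endif
		/* do something */
		break;
	case ISAKMP_NTYPE_INITIAL_CONTACT:
		if (encrypted)
			return isakmp_info_recv_initialcontact(iph1, NULL);
		break;
#ifdef ENABLE_DPD
	/*
	 * The R-U-THERE handlers reinterpret the payload as a larger
	 * struct isakmp_pl_ru; the length check for that is assumed to
	 * live in those handlers (not visible here) - TODO confirm.
	 */
	case ISAKMP_NTYPE_R_U_THERE:
		if (encrypted)
			return isakmp_info_recv_r_u(iph1,
			    (struct isakmp_pl_ru *)notify, msgid);
		break;
	case ISAKMP_NTYPE_R_U_THERE_ACK:
		if (encrypted)
			return isakmp_info_recv_r_u_ack(iph1,
			    (struct isakmp_pl_ru *)notify, msgid);
		break;
#endif
	}

	/* If we receive a error notification we should delete the related
	 * phase1 / phase2 handle, and send an event to racoonctl.
	 * However, since phase1 error notifications are not encrypted and
	 * can not be authenticated, it would allow a DoS attack possibility
	 * to handle them.
	 * Phase2 error notifications should be encrypted, so we could handle
	 * those, but it needs implementing (the old code didn't implement
	 * that either).
	 * So we are good to just log the messages here.
	 */
	if (encrypted)
		isakmp_log_notify(iph1, notify, "informational exchange");
	else
		isakmp_log_notify(iph1, notify, "unencrypted informational exchange");

	return 0;
}

/*
 * handling of Deletion payload
 *
 * Tears down the ISAKMP-SA or IPsec-SAs named by the peer.  Unencrypted
 * deletes are ignored unless weak_phase1_check is configured, since
 * they carry no authentication.  Always returns 0: a malformed delete
 * is logged and dropped rather than aborting the exchange.
 */
/*ARGSUSED*/
static int
isakmp_info_recv_d(struct ph1handle *iph1, struct isakmp_pl_d *delete,
    uint32_t msgid __unused, int encrypted)
{
	size_t tlen;
	int num_spi, i;
	struct ph1handle *del_ph1;
	union {
		uint32_t spi32;
		uint16_t spi16[2];
	} spi;

	/*
	 * isakmp_parse() is not visible here; do not rely on it having
	 * checked more than the generic header.  The fixed part of the
	 * delete payload must be present before doi/proto_id/spi_size/
	 * num_spi are read from it.
	 */
	if (ntohs(delete->h.len) < sizeof(*delete)) {
		plog(LLV_ERROR, LOCATION, iph1->remote,
		    "deletion payload with invalid length.\n");
		return 0;
	}

	if (ntohl(delete->doi) != IPSEC_DOI) {
		plog(LLV_ERROR, LOCATION, iph1->remote,
		    "delete payload with invalid doi:%u.\n",
		    ntohl(delete->doi));
#ifdef ENABLE_HYBRID
		/*
		 * At deconnexion time, Cisco VPN client does this
		 * with a zero DOI. Don't give up in that situation.
		 */
		if (((iph1->mode_cfg->flags &
		    ISAKMP_CFG_VENDORID_UNITY) == 0) || (delete->doi != 0))
			return 0;
#else
		return 0;
#endif
	}

	/* the SPI list must fill the payload exactly */
	num_spi = ntohs(delete->num_spi);
	tlen = ntohs(delete->h.len) - sizeof(struct isakmp_pl_d);

	if (tlen != (size_t)num_spi * delete->spi_size) {
		plog(LLV_ERROR, LOCATION, iph1->remote,
		    "deletion payload with invalid length.\n");
		return 0;
	}

	plog(LLV_DEBUG, LOCATION, iph1->remote,
	    "delete payload for protocol %s\n",
	    s_ipsecdoi_proto(delete->proto_id));

	/*
	 * An unauthenticated delete from anyone on the path would be a
	 * trivial DoS; honour it only if the administrator opted in.
	 * (iph1 has already been dereferenced above, so the old
	 * "iph1 == NULL" clause could never be taken.)
	 */
	if (!encrypted && !iph1->rmconf->weak_phase1_check) {
		plog(LLV_WARNING, LOCATION, iph1->remote,
		    "Ignoring unencrypted delete payload "
		    "(check the weak_phase1_check option)\n");
		return 0;
	}

	switch (delete->proto_id) {
	case IPSECDOI_PROTO_ISAKMP:
		if (delete->spi_size != sizeof(isakmp_index)) {
			plog(LLV_ERROR, LOCATION, iph1->remote,
			    "delete payload with strange spi "
			    "size %d(proto_id:%d)\n",
			    delete->spi_size, delete->proto_id);
			return 0;
		}

		/*
		 * NOTE(review): del_ph1 is looked up by cookie pair alone
		 * and is not checked to belong to the peer that sent this
		 * delete, so any authenticated peer that has observed
		 * another SA's cookies on the wire can tear that SA down.
		 * Comparing del_ph1->remote with iph1->remote (minding
		 * NAT-T port rewrites) would close that; confirm the
		 * intended cmpsaddr() semantics before adding it.
		 */
		del_ph1=getph1byindex((isakmp_index *)(delete + 1));
		if(del_ph1 != NULL){

			evt_phase1(iph1, EVT_PHASE1_PEER_DELETED, NULL);
			sched_cancel(&del_ph1->scr);

			/*
			 * Delete also IPsec-SAs if rekeying is enabled.
			 */
			if (ph1_rekey_enabled(del_ph1))
				purge_remote(del_ph1);
			else
				isakmp_ph1expire(del_ph1);
		}
		break;

	case IPSECDOI_PROTO_IPSEC_AH:
	case IPSECDOI_PROTO_IPSEC_ESP:
		if (delete->spi_size != sizeof(uint32_t)) {
			plog(LLV_ERROR, LOCATION, iph1->remote,
			    "delete payload with strange spi "
			    "size %d(proto_id:%d)\n",
			    delete->spi_size, delete->proto_id);
			return 0;
		}
		/*
		 * The SPI array is read in place from the message buffer;
		 * its alignment depends on the preceding payloads, which
		 * may matter on strict-alignment targets - TODO confirm.
		 */
		purge_ipsec_spi(iph1->remote, delete->proto_id,
		    (uint32_t *)(delete + 1), num_spi);
		break;

	case IPSECDOI_PROTO_IPCOMP:
		/*
		 * IPComp CPIs are carried as either 16 or 32 bit SPIs.
		 * Each one is widened into a left-filled 32 bit container
		 * (the layout isakmp_info_send_d2() uses) and purged on
		 * its own: purge_ipsec_spi() reads n entries from its spi
		 * array, so handing it a single local value together with
		 * num_spi would read past that value whenever num_spi > 1.
		 */
		if (delete->spi_size != sizeof(spi.spi16[1]) &&
		    delete->spi_size != sizeof(spi.spi32)) {
			plog(LLV_ERROR, LOCATION, iph1->remote,
			    "delete payload with strange spi "
			    "size %d(proto_id:%d)\n",
			    delete->spi_size, delete->proto_id);
			return 0;
		}
		for (i = 0; i < num_spi; i++) {
			char *raw = (char *)(delete + 1) +
			    (size_t)i * delete->spi_size;

			memset(&spi, 0, sizeof(spi));
			if (delete->spi_size == sizeof(spi.spi32))
				memcpy(&spi.spi32, raw, sizeof(spi.spi32));
			else
				memcpy(&spi.spi16[1], raw,
				    sizeof(spi.spi16[1]));
			purge_ipsec_spi(iph1->remote, delete->proto_id,
			    &spi.spi32, 1);
		}
		break;

	default:
		plog(LLV_ERROR, LOCATION, iph1->remote,
		    "deletion message received, "
		    "invalid proto_id: %d\n",
		    delete->proto_id);
		return 0;
	}

	plog(LLV_DEBUG, LOCATION, NULL, "purged SAs.\n");

	return 0;
}

/*
 * send Delete payload (for ISAKMP SA) in Informational exchange.
 *
 * Returns 0 when nothing was sent or the send succeeded, errno when the
 * payload buffer could not be allocated, else whatever
 * isakmp_info_send_common() returns.
 */
int
isakmp_info_send_d1(struct ph1handle *iph1)
{
	struct isakmp_pl_d *d;
	vchar_t *payload = NULL;
	int tlen;
	int error = 0;

	/*
	 * NOTE(review): iph1 is a phase-1 handle, yet its status is
	 * compared with a phase-2 constant here.  isakmp_info_recv()
	 * tests the same field against PHASE1ST_ESTABLISHED/DYING;
	 * unless the two constants happen to share a value this delete
	 * is never sent.  Confirm against handler.h and the callers
	 * before changing it.
	 */
	if (iph1->status != PHASE2ST_ESTABLISHED)
		return 0;

	/* create delete payload */

	/* send SPIs of inbound SAs. */
	/* XXX should send outbound SAs's ? */
	tlen = sizeof(*d) + sizeof(isakmp_index);
	payload = vmalloc(tlen);
	if (payload == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "failed to get buffer for payload.\n");
		return errno;
	}

	d = (struct isakmp_pl_d *)payload->v;
	d->h.np = ISAKMP_NPTYPE_NONE;
	d->h.len = htons(tlen);
	d->doi = htonl(IPSEC_DOI);
	d->proto_id = IPSECDOI_PROTO_ISAKMP;
	d->spi_size = sizeof(isakmp_index);
	d->num_spi = htons(1);
	/* the ISAKMP "SPI" is the cookie pair */
	memcpy(d + 1, &iph1->index, sizeof(isakmp_index));

	error = isakmp_info_send_common(iph1, payload,
	    ISAKMP_NPTYPE_D, 0);
	vfree(payload);

	return error;
}

/*
 * send Delete payload (for IPsec SA) in Informational exchange, based on
 * pfkey msg. It sends always single SPI.
 *
 * One Informational message is sent per protocol in the approved
 * proposal.  Returns 0 if nothing was sent, errno on allocation failure,
 * else the result of the last isakmp_info_send_common() call.
 */
int
isakmp_info_send_d2( struct ph2handle *iph2)
{
	struct ph1handle *iph1;
	struct saproto *pr;
	struct isakmp_pl_d *d;
	vchar_t *payload = NULL;
	size_t tlen;
	int error = 0;
	uint8_t *spi;

	if (iph2->status != PHASE2ST_ESTABLISHED)
		return 0;

	/*
	 * don't send delete information if there is no phase 1 handler.
	 * It's nonsensical to negotiate phase 1 to send the information.
	 */
	iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
	if (iph1 == NULL){
		plog(LLV_DEBUG2, LOCATION, NULL,
		    "No ph1 handler found, could not send DELETE_SA\n");
		return 0;
	}

	/* create delete payload */
	for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {

		/* send SPIs of inbound SAs. */
		/*
		 * XXX should I send outbound SAs's ?
		 * I send inbound SAs's SPI only at the moment because I can't
		 * decode any more if peer send encoded packet without aware of
		 * deletion of SA. Outbound SAs don't come under the situation.
		 */
		tlen = sizeof(*d) + pr->spisize;
		payload = vmalloc(tlen);
		if (payload == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "failed to get buffer for payload.\n");
			return errno;
		}

		d = (struct isakmp_pl_d *)payload->v;
		d->h.np = ISAKMP_NPTYPE_NONE;
		d->h.len = htons(tlen);
		d->doi = htonl(IPSEC_DOI);
		d->proto_id = pr->proto_id;
		d->spi_size = pr->spisize;
		d->num_spi = htons(1);
		/*
		 * XXX SPI bits are left-filled, for use with IPComp.
		 * we should be switching to variable-length spi field...
		 * (the last spisize bytes of the 32-bit pr->spi go on the wire)
		 */
		spi = (uint8_t *)&pr->spi;
		spi += sizeof(pr->spi);
		spi -= pr->spisize;
		memcpy(d + 1, spi, pr->spisize);

		error = isakmp_info_send_common(iph1, payload,
		    ISAKMP_NPTYPE_D, 0);
		vfree(payload);
	}

	return error;
}

/*
 * send Notification payload (for without ISAKMP SA) in Informational exchange
 *
 * Builds a throw-away phase-1 handle (no keys, so the message goes out
 * unencrypted) just to address the peer, sends the notification, and
 * discards the handle again.  Returns -1 on failure, else the result of
 * isakmp_info_send_common().
 */
int
isakmp_info_send_nx(struct isakmp *isakmp, struct sockaddr *remote,
    struct sockaddr *local, int type, vchar_t *data)
{
	struct ph1handle *iph1 = NULL;
	vchar_t *payload = NULL;
	size_t tlen;
	int error = -1;
	struct isakmp_pl_n *n;
	int spisiz = 0;	/* see below */

	/* add new entry to isakmp status table. */
	iph1 = newph1();
	if (iph1 == NULL)
		return -1;

	/* reuse the peer's initiator cookie, mint our own responder cookie */
	memcpy(&iph1->index.i_ck, &isakmp->i_ck, sizeof(cookie_t));
	isakmp_newcookie((char *)&iph1->index.r_ck, remote, local);
	iph1->status = PHASE1ST_START;
	iph1->side = INITIATOR;
	iph1->version = isakmp->v;
	iph1->flags = 0;
	iph1->msgid = 0;	/* XXX */
#ifdef ENABLE_HYBRID
	if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL)
		goto end;
#endif
#ifdef ENABLE_FRAG
	iph1->frag = 0;
	iph1->frag_last_index = 0;
	iph1->frag_chain = NULL;
#endif

	/* copy remote address */
	if (copy_ph1addresses(iph1, NULL, remote, local) < 0)
		goto end;

	tlen = sizeof(*n) + spisiz;
	if (data)
		tlen += data->l;
	payload = vmalloc(tlen);
	if (payload == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "failed to get buffer to send.\n");
		goto end;
	}

	n = (struct isakmp_pl_n *)payload->v;
	n->h.np = ISAKMP_NPTYPE_NONE;
	n->h.len = htons(tlen);
	n->doi = htonl(IPSEC_DOI);
	n->proto_id = IPSECDOI_KEY_IKE;
	n->spi_size = spisiz;
	n->type = htons(type);
	if (spisiz)
		memset(n + 1, 0, spisiz);	/* XXX spisiz is always 0 */
	if (data)
		memcpy((caddr_t)(n + 1) + spisiz, data->v, data->l);

	error = isakmp_info_send_common(iph1, payload, ISAKMP_NPTYPE_N, 0);
	vfree(payload);

end:
	if (iph1 != NULL)
		delph1(iph1);

	return error;
}

/*
 * send Notification payload (for ISAKMP SA) in Informational exchange
 *
 * Returns errno when the payload buffer cannot be allocated, else the
 * result of isakmp_info_send_common().
 */
int
isakmp_info_send_n1(struct ph1handle *iph1, int type, vchar_t *data)
{
	vchar_t *payload = NULL;
	size_t tlen;
	int error = 0;
	struct isakmp_pl_n *n;
	int spisiz;

	/*
	 * note on SPI size: which description is correct? I have chosen
	 * this to be 0.
	 *
	 * RFC2408 3.1, 2nd paragraph says: ISAKMP SA is identified by
	 * Initiator/Responder cookie and SPI has no meaning, SPI size = 0.
	 * RFC2408 3.1, first paragraph on page 40: ISAKMP SA is identified
	 * by cookie and SPI has no meaning, 0 <= SPI size <= 16.
	 * RFC2407 4.6.3.3, INITIAL-CONTACT is required to set to 16.
	 */
	if (type == ISAKMP_NTYPE_INITIAL_CONTACT)
		spisiz = sizeof(isakmp_index);
	else
		spisiz = 0;

	tlen = sizeof(*n) + spisiz;
	if (data)
		tlen += data->l;
	payload = vmalloc(tlen);
	if (payload == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "failed to get buffer to send.\n");
		return errno;
	}

	n = (struct isakmp_pl_n *)payload->v;
	n->h.np = ISAKMP_NPTYPE_NONE;
	n->h.len = htons(tlen);
	n->doi = htonl(iph1->rmconf->doitype);
	n->proto_id = IPSECDOI_PROTO_ISAKMP; /* XXX to be configurable ? */
	n->spi_size = spisiz;
	n->type = htons(type);
	if (spisiz)
		memcpy(n + 1, &iph1->index, sizeof(isakmp_index));
	if (data)
		memcpy((caddr_t)(n + 1) + spisiz, data->v, data->l);

	error = isakmp_info_send_common(iph1, payload, ISAKMP_NPTYPE_N, iph1->flags);
	vfree(payload);

	return error;
}

/*
 * send Notification payload (for IPsec SA) in Informational exchange
 *
 * Uses the first protocol of the approved proposal as the SA being
 * reported on.  Returns EINVAL without an approved proposal, errno on
 * allocation failure, else the result of isakmp_info_send_common().
 */
int
isakmp_info_send_n2(struct ph2handle *iph2, int type, vchar_t *data)
{
	struct ph1handle *iph1 = iph2->ph1;
	vchar_t *payload = NULL;
	size_t tlen;
	int error = 0;
	struct isakmp_pl_n *n;
	struct saproto *pr;
	const uint8_t *spi;

	if (!iph2->approval)
		return EINVAL;

	pr = iph2->approval->head;

	/* XXX must be get proper spi */
	tlen = sizeof(*n) + pr->spisize;
	if (data)
		tlen += data->l;
	payload = vmalloc(tlen);
	if (payload == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "failed to get buffer to send.\n");
		return errno;
	}

	n = (struct isakmp_pl_n *)payload->v;
	n->h.np = ISAKMP_NPTYPE_NONE;
	n->h.len = htons(tlen);
	n->doi = htonl(IPSEC_DOI);		/* IPSEC DOI (1) */
	n->proto_id = pr->proto_id;		/* IPSEC AH/ESP/whatever*/
	n->spi_size = pr->spisize;
	n->type = htons(type);
	/*
	 * Copy exactly spisize bytes, left-filled as isakmp_info_send_d2()
	 * does.  The previous 32-bit store wrote past the spisize bytes
	 * reserved above when spisize < sizeof(pr->spi) (IPComp) and made
	 * an unaligned access on the payload buffer.
	 */
	spi = (const uint8_t *)&pr->spi + sizeof(pr->spi) - pr->spisize;
	memcpy(n + 1, spi, pr->spisize);
	if (data)
		memcpy((caddr_t)(n + 1) + pr->spisize, data->v, data->l);

	iph2->flags |= ISAKMP_FLAG_E;	/* XXX Should we do FLAG_A ? */
	error = isakmp_info_send_common(iph1, payload, ISAKMP_NPTYPE_N, iph2->flags);
	vfree(payload);

	return error;
}

/*
 * send Information
 * When ph1->skeyid_a == NULL, send message without encoding.
 *
 * Wraps 'payload' (whose first payload type is 'np') into an
 * Informational message on a temporary phase-2 handle: HDR, then
 * HASH(1) and encryption when phase 1 has keying material, plain HDR
 * and payload otherwise.  The phase-2 handle is always removed again
 * before returning (no Acknowledged Informational support).
 * Returns 0 on success, -1 on failure.
 */
int
isakmp_info_send_common(struct ph1handle *iph1, vchar_t *payload, uint32_t np,
    int flags)
{
	struct ph2handle *iph2 = NULL;
	vchar_t *hash = NULL;
	struct isakmp *isakmp;
	struct isakmp_gen *gen;
	char *p;
	size_t tlen;
	int error = -1;

	/* add new entry to isakmp status table */
	iph2 = newph2();
	if (iph2 == NULL)
		goto end;

	iph2->dst = dupsaddr(iph1->remote);
	if (iph2->dst == NULL) {
		delph2(iph2);
		goto end;
	}
	iph2->src = dupsaddr(iph1->local);
	if (iph2->src == NULL) {
		delph2(iph2);
		goto end;
	}
	iph2->side = INITIATOR;
	iph2->status = PHASE2ST_START;
	iph2->msgid = isakmp_newmsgid2(iph1);

	/* get IV and HASH(1) if skeyid_a was generated. */
	if (iph1->skeyid_a != NULL) {
		iph2->ivm = oakley_newiv2(iph1, iph2->msgid);
		if (iph2->ivm == NULL) {
			delph2(iph2);
			goto end;
		}

		/* generate HASH(1) */
		hash = oakley_compute_hash1(iph1, iph2->msgid, payload);
		if (hash == NULL) {
			delph2(iph2);
			goto end;
		}

		/* initialized total buffer length */
		tlen = hash->l;
		tlen += sizeof(*gen);
	} else {
		/* IKE-SA is not established */
		hash = NULL;

		/* initialized total buffer length */
		tlen = 0;
	}
	/* with FLAG_A requested the message is marked A instead of E and
	 * consequently not encrypted below - kept as is, see XXX in send_n2 */
	if ((flags & ISAKMP_FLAG_A) == 0)
		iph2->flags = (hash == NULL ? 0 : ISAKMP_FLAG_E);
	else
		iph2->flags = (hash == NULL ? 0 : ISAKMP_FLAG_A);

	insph2(iph2);
	bindph12(iph1, iph2);

	tlen += sizeof(*isakmp) + payload->l;

	/* create buffer for isakmp payload */
	iph2->sendbuf = vmalloc(tlen);
	if (iph2->sendbuf == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "failed to get buffer to send.\n");
		goto err;
	}

	/* create isakmp header */
	isakmp = (struct isakmp *)iph2->sendbuf->v;
	memcpy(&isakmp->i_ck, &iph1->index.i_ck, sizeof(cookie_t));
	memcpy(&isakmp->r_ck, &iph1->index.r_ck, sizeof(cookie_t));
	isakmp->np = hash == NULL ? (np & 0xff) : ISAKMP_NPTYPE_HASH;
	isakmp->v = iph1->version;
	isakmp->etype = ISAKMP_ETYPE_INFO;
	isakmp->flags = iph2->flags;
	memcpy(&isakmp->msgid, &iph2->msgid, sizeof(isakmp->msgid));
	isakmp->len = htonl(tlen);
	p = (char *)(isakmp + 1);

	/* create HASH payload */
	if (hash != NULL) {
		gen = (struct isakmp_gen *)p;
		gen->np = np & 0xff;
		gen->len = htons(sizeof(*gen) + hash->l);
		p += sizeof(*gen);
		memcpy(p, hash->v, hash->l);
		p += hash->l;
	}

	/* add payload */
	memcpy(p, payload->v, payload->l);
	p += payload->l;

#ifdef HAVE_PRINT_ISAKMP_C
	isakmp_printpacket(iph2->sendbuf, iph1->local, iph1->remote, 1);
#endif

	/* encoding */
	if (ISSET(isakmp->flags, ISAKMP_FLAG_E)) {
		vchar_t *tmp;

		tmp = oakley_do_encrypt(iph2->ph1, iph2->sendbuf, iph2->ivm->ive,
		    iph2->ivm->iv);
		VPTRINIT(iph2->sendbuf);
		if (tmp == NULL)
			goto err;
		iph2->sendbuf = tmp;
	}

	/* HDR*, HASH(1), N */
	if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0) {
		VPTRINIT(iph2->sendbuf);
		goto err;
	}

	plog(LLV_DEBUG, LOCATION, NULL,
	    "sendto Information %s.\n", s_isakmp_nptype(np));

	/*
	 * don't resend notify message because peer can use Acknowledged
	 * Informational if peer requires the reply of the notify message.
	 */

	/* XXX If Acknowledged Informational required, don't delete ph2handle */
	error = 0;
	VPTRINIT(iph2->sendbuf);
	goto err;	/* XXX: the temporary ph2 is torn down on success too */

end:
	if (hash)
		vfree(hash);
	return error;

err:
	remph2(iph2);
	delph2(iph2);
	goto end;
}

/*
 * add a notify payload to buffer by reallocating buffer.
 * If buf == NULL, the function only create a notify payload.
 *
 * *np_p, when non-NULL, points at the "next payload" byte of the
 * previous payload and is set to N; on return it points at the new
 * payload's own np byte.  Returns the (re)allocated buffer, or NULL
 * on allocation failure (buf0 is then left to the caller).
 *
 * XXX Which is SPI to be included, inbound or outbound ?
 */
vchar_t *
isakmp_add_pl_n(vchar_t *buf0, uint8_t **np_p, int type, struct saproto *pr,
    vchar_t *data)
{
	vchar_t *buf = NULL;
	struct isakmp_pl_n *n;
	size_t tlen;
	size_t oldlen = 0;
	const uint8_t *spi;

	if (*np_p)
		**np_p = ISAKMP_NPTYPE_N;

	tlen = sizeof(*n) + pr->spisize;

	if (data)
		tlen += data->l;
	if (buf0) {
		oldlen = buf0->l;
		buf = vrealloc(buf0, buf0->l + tlen);
	} else
		buf = vmalloc(tlen);
	if (!buf) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "failed to get a payload buffer.\n");
		return NULL;
	}

	n = (struct isakmp_pl_n *)(buf->v + oldlen);
	n->h.np = ISAKMP_NPTYPE_NONE;
	n->h.len = htons(tlen);
	n->doi = htonl(IPSEC_DOI);		/* IPSEC DOI (1) */
	n->proto_id = pr->proto_id;		/* IPSEC AH/ESP/whatever*/
	n->spi_size = pr->spisize;
	n->type = htons(type);
	/*
	 * Copy exactly spisize bytes, left-filled as isakmp_info_send_d2()
	 * does, instead of an unaligned 32-bit store that overran the
	 * reserved spisize bytes whenever spisize < sizeof(pr->spi).
	 */
	spi = (const uint8_t *)&pr->spi + sizeof(pr->spi) - pr->spisize;
	memcpy(n + 1, spi, pr->spisize);
	if (data)
		memcpy((caddr_t)(n + 1) + pr->spisize, data->v, data->l);

	/* save the pointer of next payload type */
	*np_p = &n->h.np;

	return buf;
}

/*
 * Delete from the kernel SADB every mature/dying SA of protocol 'proto'
 * whose destination is dst0 and whose SPI is one of the n entries in
 * 'spi' (network byte order), and drop the matching phase-2 handle.
 * SAs towards other destinations are never touched.
 */
void
purge_ipsec_spi(struct sockaddr *dst0, int proto, uint32_t *spi, size_t n)
{
	vchar_t *buf = NULL;
	struct sadb_msg *msg, *next, *end;
	struct sadb_sa *sa;
	struct sadb_lifetime *lt;
	struct sockaddr *src, *dst;
	struct ph2handle *iph2;
	u_int64_t created;
	size_t i;
	caddr_t mhp[SADB_EXT_MAX + 1];
	unsigned num_purged = 0;

	plog(LLV_DEBUG2, LOCATION, NULL,
	    "purge_ipsec_spi:\n");
	plog(LLV_DEBUG2, LOCATION, NULL, "dst0: %s\n", saddr2str(dst0));
	plog(LLV_DEBUG2, LOCATION, NULL, "SPI: %08X\n", ntohl(spi[0]));

	buf = pfkey_dump_sadb(ipsecdoi2pfkey_proto(proto));
	if (buf == NULL) {
		plog(LLV_DEBUG, LOCATION, NULL,
		    "pfkey_dump_sadb returned nothing.\n");
		return;
	}

	msg = (struct sadb_msg *)buf->v;
	end = (struct sadb_msg *)(buf->v + buf->l);

	while (msg < end) {
		/* sadb_msg_len is in 8-byte units */
		if ((msg->sadb_msg_len << 3) < sizeof(*msg))
			break;
		next = (struct sadb_msg *)((caddr_t)msg + (msg->sadb_msg_len << 3));
		if (msg->sadb_msg_type != SADB_DUMP) {
			msg = next;
			continue;
		}

		if (pfkey_align(msg, mhp) || pfkey_check(mhp)) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "pfkey_check (%s)\n", ipsec_strerror());
			msg = next;
			continue;
		}

		sa = (struct sadb_sa *)(mhp[SADB_EXT_SA]);
		if (!sa
		 || !mhp[SADB_EXT_ADDRESS_SRC]
		 || !mhp[SADB_EXT_ADDRESS_DST]) {
			msg = next;
			continue;
		}
		pk_fixup_sa_addresses(mhp);
		src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
		dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
		lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD];
		if(lt != NULL)
			created = lt->sadb_lifetime_addtime;
		else
			created = 0;

		if (sa->sadb_sa_state != SADB_SASTATE_MATURE
		 && sa->sadb_sa_state != SADB_SASTATE_DYING) {
			msg = next;
			continue;
		}

		plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str(src));
		plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str(dst));
		plog(LLV_DEBUG2, LOCATION, NULL, "spi: %u\n", ntohl(sa->sadb_sa_spi));

		/* XXX n^2 algorithm, inefficient */

		/* don't delete inbound SAs at the moment */
		/* XXX should we remove SAs with opposite direction as well? */
		if (cmpsaddr(dst0, dst) != CMPSADDR_MATCH) {
			msg = next;
			continue;
		}

		for (i = 0; i < n; i++) {
			plog(LLV_DEBUG, LOCATION, NULL,
			    "check spi(packet)=%u spi(db)=%u.\n",
			    ntohl(spi[i]), ntohl(sa->sadb_sa_spi));
			if (spi[i] != sa->sadb_sa_spi)
				continue;

			pfkey_send_delete(lcconf->sock_pfkey,
			    msg->sadb_msg_satype,
			    IPSEC_MODE_ANY,
			    src, dst, sa->sadb_sa_spi);

			/*
			 * delete a relative phase 2 handler.
			 * continue to process if no relative phase 2 handler
			 * exists.
			 */
			iph2 = getph2bysaidx(src, dst, proto, spi[i]);
			if(iph2 != NULL){
				delete_spd(iph2, created);
				remph2(iph2);
				delph2(iph2);
			}

			plog(LLV_INFO, LOCATION, NULL,
			    "purged IPsec-SA proto_id=%s spi=%u.\n",
			    s_ipsecdoi_proto(proto),
			    ntohl(spi[i]));
			num_purged++;
		}

		msg = next;
	}

	if (buf)
		vfree(buf);

	plog(LLV_DEBUG, LOCATION, NULL, "purged %u SAs.\n", num_purged);
}

/*
 * delete all phase2 sa related to the destination address
 * (except the phase2 within which the INITIAL-CONTACT was received).
 * Don't delete Phase 1 handlers on INITIAL-CONTACT, and don't ignore
 * an INITIAL-CONTACT if we have contacted the peer. This matches the
 * Sun IKE behavior, and makes rekeying work much better when the peer
 * restarts.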
 */
/*
 * isakmp_info_recv_initialcontact - handle an INITIAL-CONTACT notification.
 *
 * iph1          phase 1 handle of the peer that sent the notification
 *               (iph1->local / iph1->remote select which SAs are purged)
 * protectedph2  phase 2 handle that must survive the purge (the one in
 *               which the notification arrived); may be NULL
 *
 * Walks a PF_KEY SADB dump and, for every MATURE or DYING SA whose
 * address pair matches (local,remote) in either direction and whose
 * SATYPE is one racoon manages, sends SADB_DELETE and drops the
 * matching phase 2 handle (except protectedph2).
 *
 * Returns 0 on every path, including when the dump is empty.
 *
 * NOTE(review): this function tears down kernel SAs on the strength of
 * the notification alone; it relies on the caller having already
 * authenticated the Informational exchange — confirm in the caller.
 */
int
isakmp_info_recv_initialcontact(struct ph1handle *iph1,
    struct ph2handle *protectedph2)
{
	vchar_t *buf = NULL;
	struct sadb_msg *msg, *next, *end;
	struct sadb_sa *sa;
	struct sockaddr *src, *dst;
	caddr_t mhp[SADB_EXT_MAX + 1];	/* per-message extension table */
	int proto_id, i;
	struct ph2handle *iph2;
#if 0
	char *loc, *rem;
#endif

	plog(LLV_INFO, LOCATION, iph1->remote, "received INITIAL-CONTACT\n");

	/* f_local is a file-scope flag not visible here; when set the
	 * notification is ignored entirely. */
	if (f_local)
		return 0;

#if 0
	/*
	 * Disabled "easy way": ask the kernel to delete every SA for the
	 * address pair with SADB_DELETE, falling back to the dump-based
	 * scan below on failure.  Kept for reference only.
	 */
	loc = racoon_strdup(saddrwop2str(iph1->local));
	rem = racoon_strdup(saddrwop2str(iph1->remote));
	STRDUP_FATAL(loc);
	STRDUP_FATAL(rem);

	/*
	 * Purge all IPSEC-SAs for the peer. We can do this
	 * the easy way (using a PF_KEY SADB_DELETE extension)
	 * or we can do it the hard way.
	 */
	for (i = 0; i < pfkey_nsatypes; i++) {
		proto_id = pfkey2ipsecdoi_proto(pfkey_satypes[i].ps_satype);

		plog(LLV_INFO, LOCATION, NULL,
		    "purging %s SAs for %s -> %s\n",
		    pfkey_satypes[i].ps_name, loc, rem);
		if (pfkey_send_delete_all(lcconf->sock_pfkey,
			pfkey_satypes[i].ps_satype, IPSEC_MODE_ANY,
			iph1->local, iph1->remote) == -1) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "delete_all %s -> %s failed for %s (%s)\n",
			    loc, rem,
			    pfkey_satypes[i].ps_name, ipsec_strerror());
			goto the_hard_way;
		}

		deleteallph2(iph1->local, iph1->remote, proto_id);

		plog(LLV_INFO, LOCATION, NULL,
		    "purging %s SAs for %s -> %s\n",
		    pfkey_satypes[i].ps_name, rem, loc);
		if (pfkey_send_delete_all(lcconf->sock_pfkey,
			pfkey_satypes[i].ps_satype, IPSEC_MODE_ANY,
			iph1->remote, iph1->local) == -1) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "delete_all %s -> %s failed for %s (%s)\n",
			    rem, loc,
			    pfkey_satypes[i].ps_name, ipsec_strerror());
			goto the_hard_way;
		}

		deleteallph2(iph1->remote, iph1->local, proto_id);
	}

	racoon_free(loc);
	racoon_free(rem);
	return 0;

 the_hard_way:
	racoon_free(loc);
	racoon_free(rem);
#endif

	/* Dump every SATYPE; the per-message SATYPE filter is applied
	 * further down. */
	buf = pfkey_dump_sadb(SADB_SATYPE_UNSPEC);
	if (buf == NULL) {
		plog(LLV_DEBUG, LOCATION, NULL,
		    "pfkey_dump_sadb returned nothing.\n");
		return 0;
	}

	msg = (struct sadb_msg *)buf->v;
	end = (struct sadb_msg *)(buf->v + buf->l);

	for (; msg < end; msg = next) {
		/* sadb_msg_len is in 8-byte units.  A zero or short length
		 * would make next == msg and spin forever, so stop here. */
		if ((msg->sadb_msg_len << 3) < sizeof(*msg))
			break;

		/* NOTE(review): next is not compared against end; a
		 * truncated trailing message is left for pfkey_align /
		 * pfkey_check to reject — confirm they bound their reads. */
		next = (struct sadb_msg *)((caddr_t)msg + (msg->sadb_msg_len << 3));
		if (msg->sadb_msg_type != SADB_DUMP)
			continue;

		if (pfkey_align(msg, mhp) || pfkey_check(mhp)) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "pfkey_check (%s)\n", ipsec_strerror());
			continue;
		}

		/* Need the SA itself and both addresses to identify it. */
		if (mhp[SADB_EXT_SA] == NULL
		 || mhp[SADB_EXT_ADDRESS_SRC] == NULL
		 || mhp[SADB_EXT_ADDRESS_DST] == NULL)
			continue;

		sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
		pk_fixup_sa_addresses(mhp);
		src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
		dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);

		/* Only live SAs are purged; LARVAL/DEAD ones are skipped. */
		if (sa->sadb_sa_state != SADB_SASTATE_MATURE
		 && sa->sadb_sa_state != SADB_SASTATE_DYING)
			continue;

		/*
		 * RFC2407 4.6.3.3 INITIAL-CONTACT is the message that
		 * announces the sender of the message was rebooted.
		 * it is interpreted to delete all SAs which source address
		 * is the sender of the message.
		 * racoon only deletes SA which is matched both the
		 * source address and the destination accress.
		 */

		/*
		 * Check that the IP and port match. But this is not optimal,
		 * since NAT-T can make the peer have multiple different
		 * ports. Correct thing to do is delete all entries with
		 * same identity.
		 *	-TT
		 */
		/* Skip unless the SA is (local->remote) or (remote->local). */
		if ((cmpsaddr(iph1->local, src) != CMPSADDR_MATCH ||
		     cmpsaddr(iph1->remote, dst) != CMPSADDR_MATCH) &&
		    (cmpsaddr(iph1->local, dst) != CMPSADDR_MATCH ||
		     cmpsaddr(iph1->remote, src) != CMPSADDR_MATCH))
			continue;

		/*
		 * Make sure this is an SATYPE that we manage.
		 * This is gross; too bad we couldn't do it the
		 * easy way.
		 */
		for (i = 0; i < pfkey_nsatypes; i++) {
			if (pfkey_satypes[i].ps_satype ==
			    msg->sadb_msg_satype)
				break;
		}
		if (i == pfkey_nsatypes)
			continue;

		plog(LLV_INFO, LOCATION, NULL,
		    "purging spi=%u.\n", ntohl(sa->sadb_sa_spi));
		/* Return value of pfkey_send_delete is not checked here;
		 * the scan continues regardless. */
		pfkey_send_delete(lcconf->sock_pfkey,
		    msg->sadb_msg_satype,
		    IPSEC_MODE_ANY, src, dst, sa->sadb_sa_spi);

		/*
		 * delete a relative phase 2 handler.
		 * continue to process if no relative phase 2 handler
		 * exists.  The handle the notification arrived in
		 * (protectedph2) is deliberately left alone.
		 */
		proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype);
		iph2 = getph2bysaidx(src, dst, proto_id, sa->sadb_sa_spi);
		if (iph2 && iph2 != protectedph2) {
			delete_spd(iph2, 0);
			remph2(iph2);
			delph2(iph2);
		}
	}

	vfree(buf);
	return 0;
}


#ifdef ENABLE_DPD
/*
 * isakmp_info_recv_r_u - answer a DPD R-U-THERE with an R-U-THERE-ACK.
 *
 * iph1   phase 1 handle the probe belongs to
 * ru     the received R-U-THERE payload; its cookies and sequence
 *        number are echoed back unchanged
 * msgid  unused
 *
 * Returns errno if the ACK buffer cannot be allocated, otherwise the
 * result of isakmp_info_send_common().
 */
/*ARGSUSED*/
static int
isakmp_info_recv_r_u(struct ph1handle *iph1, struct isakmp_pl_ru *ru,
    uint32_t msgid __unused)
{
	struct isakmp_pl_ru *ru_ack;
	vchar_t *payload = NULL;
	int tlen;
	int error = 0;

	plog(LLV_DEBUG, LOCATION, iph1->remote,
	    "DPD R-U-There received\n");

	/* XXX should compare cookies with iph1->index?
	 * Or is this already done by calling function?
	 * NOTE(review): no cookie or sequence validation happens in this
	 * function; the cookies in the ACK are copied from the request as
	 * received — confirm the caller matched them to iph1. */
	tlen = sizeof(*ru_ack);
	payload = vmalloc(tlen);
	if (payload == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "failed to get buffer to send.\n");
		return errno;
	}

	ru_ack = (struct isakmp_pl_ru *)payload->v;
	ru_ack->h.np = ISAKMP_NPTYPE_NONE;
	ru_ack->h.len = htons(tlen);
	ru_ack->doi = htonl(IPSEC_DOI);
	ru_ack->type = htons(ISAKMP_NTYPE_R_U_THERE_ACK);
	ru_ack->proto_id = IPSECDOI_PROTO_ISAKMP; /* XXX ? */
	ru_ack->spi_size = sizeof(isakmp_index);
	memcpy(ru_ack->i_ck, ru->i_ck, sizeof(cookie_t));
	memcpy(ru_ack->r_ck, ru->r_ck, sizeof(cookie_t));
	ru_ack->data = ru->data;	/* still network byte order */

	/* XXX Should we do FLAG_A ? */
	error = isakmp_info_send_common(iph1, payload, ISAKMP_NPTYPE_N,
	    ISAKMP_FLAG_E);
	vfree(payload);

	plog(LLV_DEBUG, LOCATION, NULL, "received a valid R-U-THERE, ACK sent\n");

	/* Should we mark tunnel as active ? */
	return error;
}

/*
 * isakmp_info_recv_r_u_ack - process a DPD R-U-THERE-ACK.
 *
 * iph1   phase 1 handle the ACK belongs to
 * ru     the received R-U-THERE-ACK payload
 * msgid  unused
 *
 * Accepts the ACK only if its sequence number lies in
 * (dpd_last_ack, dpd_seq] and its cookies equal iph1->index in either
 * order.  On acceptance the failure counter is cleared, the last
 * acknowledged sequence number recorded, the pending retry cancelled
 * and a fresh probe scheduled at the normal interval.
 *
 * Always returns 0; rejected ACKs are only logged.
 */
/*ARGSUSED*/
static int
isakmp_info_recv_r_u_ack(struct ph1handle *iph1, struct isakmp_pl_ru *ru,
    uint32_t msgid __unused)
{
	uint32_t seq;

	plog(LLV_DEBUG, LOCATION, iph1->remote,
	    "DPD R-U-There-Ack received\n");

	/* Replay / stale-ACK filter: dpd_last_ack starts at the same
	 * random base as dpd_seq (see isakmp_info_send_r_u), so only
	 * sequence numbers of probes sent since the last ACK pass. */
	seq = ntohl(ru->data);
	if (seq <= iph1->dpd_last_ack || seq > iph1->dpd_seq) {
		/* NOTE(review): seq is uint32_t but printed with %d;
		 * %u would match (dpd_last_ack/dpd_seq types not visible
		 * here). */
		plog(LLV_ERROR, LOCATION, iph1->remote,
		    "Wrong DPD sequence number (%d; last_ack=%d, seq=%d).\n",
		    seq, iph1->dpd_last_ack, iph1->dpd_seq);
		return 0;
	}

	/* accept cookies in original or reversed order */
	if ((memcmp(ru->i_ck, iph1->index.i_ck, sizeof(cookie_t)) ||
	     memcmp(ru->r_ck, iph1->index.r_ck, sizeof(cookie_t))) &&
	    (memcmp(ru->r_ck, iph1->index.i_ck, sizeof(cookie_t)) ||
	     memcmp(ru->i_ck, iph1->index.r_ck, sizeof(cookie_t)))) {
		plog(LLV_ERROR, LOCATION, iph1->remote,
		    "Cookie mismatch in DPD ACK!.\n");
		return 0;
	}

	iph1->dpd_fails = 0;
	iph1->dpd_last_ack = seq;
	/* Drop the short-delay retry queued by the sender and go back to
	 * the regular probing interval. */
	sched_cancel(&iph1->dpd_r_u);
	isakmp_sched_r_u(iph1, 0);

	plog(LLV_DEBUG, LOCATION, iph1->remote, "received an R-U-THERE-ACK\n");

	return 0;
}




/*
 * isakmp_info_send_r_u - scheduler callback: send a DPD R-U-THERE
 * payload in an Informational exchange.
 *
 * sc  the dpd_r_u scheduler entry embedded in the owning ph1handle
 *
 * Returns early without rescheduling when the phase 1 has expired or
 * when dpd_fails has reached rmconf->dpd_maxfails (the peer is then
 * declared dead and purged).  Otherwise increments dpd_seq and
 * dpd_fails, sends the probe and reschedules itself with the retry
 * delay; a matching ACK clears dpd_fails in isakmp_info_recv_r_u_ack.
 */
static void
isakmp_info_send_r_u(struct sched *sc)
{
	struct ph1handle *iph1 = container_of(sc, struct ph1handle, dpd_r_u);

	/* create R-U-THERE payload */
	struct isakmp_pl_ru *ru;
	vchar_t *payload = NULL;
	int tlen;
	int error = 0;

	plog(LLV_DEBUG, LOCATION, iph1->remote, "DPD monitoring....\n");

	if (iph1->status == PHASE1ST_EXPIRED) {
		/* This can happen after removing tunnels from the
		 * config file and then reloading.
		 * Such iph1 have rmconf=NULL, so return before the if
		 * block below.
		 */
		return;
	}

	if (iph1->dpd_fails >= iph1->rmconf->dpd_maxfails) {

		plog(LLV_INFO, LOCATION, iph1->remote,
		    "DPD: remote (ISAKMP-SA spi=%s) seems to be dead.\n",
		    isakmp_pindex(&iph1->index, 0));

		script_hook(iph1, SCRIPT_PHASE1_DEAD);
		evt_phase1(iph1, EVT_PHASE1_DPD_TIMEOUT, NULL);
		purge_remote(iph1);

		/* Do not reschedule here: phase1 is deleted,
		 * DPD will be reactivated when a new ph1 will be negociated
		 */
		return;
	}

	/* TODO: check recent activity to avoid useless sends... */

	tlen = sizeof(*ru);
	payload = vmalloc(tlen);
	if (payload == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "failed to get buffer for payload.\n");
		return;
	}
	ru = (struct isakmp_pl_ru *)payload->v;
	ru->h.np = ISAKMP_NPTYPE_NONE;
	ru->h.len = htons(tlen);
	ru->doi = htonl(IPSEC_DOI);
	ru->type = htons(ISAKMP_NTYPE_R_U_THERE);
	ru->proto_id = IPSECDOI_PROTO_ISAKMP; /* XXX ?*/
	ru->spi_size = sizeof(isakmp_index);

	memcpy(ru->i_ck, iph1->index.i_ck, sizeof(cookie_t));
	memcpy(ru->r_ck, iph1->index.r_ck, sizeof(cookie_t));

	if (iph1->dpd_seq == 0) {
		/* generate a random seq which is not too big.
		 * rand() is not a CSPRNG; the value only seeds the
		 * acceptance window checked in isakmp_info_recv_r_u_ack,
		 * where the cookie comparison carries the binding to
		 * this phase 1. */
		iph1->dpd_seq = iph1->dpd_last_ack = rand() & 0x0fff;
	}

	/* Count the probe as failed up front; the ACK handler resets
	 * dpd_fails to 0 when a valid reply arrives. */
	iph1->dpd_seq++;
	iph1->dpd_fails++;
	ru->data = htonl(iph1->dpd_seq);

	/* NOTE(review): flags argument is 0 here (the ACK path uses
	 * ISAKMP_FLAG_E); whether isakmp_info_send_common still encrypts
	 * is decided inside that function — confirm. */
	error = isakmp_info_send_common(iph1, payload, ISAKMP_NPTYPE_N, 0);
	vfree(payload);

	plog(LLV_DEBUG, LOCATION, iph1->remote,
	    "DPD R-U-There sent (%d)\n", error);

	/* Reschedule the r_u_there with a short delay,
	 * will be deleted/rescheduled if ACK received before */
	isakmp_sched_r_u(iph1, 1);

	plog(LLV_DEBUG, LOCATION, iph1->remote,
	    "rescheduling send_r_u (%d).\n", iph1->rmconf->dpd_retry);
}

/*
 * isakmp_sched_r_u - schedule the next DPD R-U-THERE for a phase 1.
 *
 * iph1   phase 1 handle; may be NULL
 * retry  non-zero: use rmconf->dpd_retry (short delay after an
 *        unanswered probe); zero: use rmconf->dpd_interval
 *
 * Returns 1 if iph1 or its rmconf is NULL, 0 otherwise (including when
 * DPD is disabled for this peer and nothing was scheduled).
 */
int
isakmp_sched_r_u(struct ph1handle *iph1, int retry)
{
	if(iph1 == NULL ||
	   iph1->rmconf == NULL)
		return 1;


	/* DPD off: either the peer did not advertise support or the
	 * configured interval is 0. */
	if(iph1->dpd_support == 0 ||
	   iph1->rmconf->dpd_interval == 0)
		return 0;

	if(retry)
		sched_schedule(&iph1->dpd_r_u, iph1->rmconf->dpd_retry,
		    isakmp_info_send_r_u);
	else
		sched_schedule(&iph1->dpd_r_u, iph1->rmconf->dpd_interval,
		    isakmp_info_send_r_u);

	return 0;
}
#endif /* ENABLE_DPD */