1 /* $NetBSD: isakmp_quick.c,v 1.28 2010/12/07 14:28:12 tteras Exp $ */ 2 3 /* Id: isakmp_quick.c,v 1.29 2006/08/22 18:17:17 manubsd Exp */ 4 5 /* 6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of the project nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include "config.h" 35 36 #include <sys/types.h> 37 #include <sys/param.h> 38 #include <sys/socket.h> 39 40 #include <netinet/in.h> 41 42 #include <stdlib.h> 43 #include <stdio.h> 44 #include <string.h> 45 #include <errno.h> 46 #if TIME_WITH_SYS_TIME 47 # include <sys/time.h> 48 # include <time.h> 49 #else 50 # if HAVE_SYS_TIME_H 51 # include <sys/time.h> 52 # else 53 # include <time.h> 54 # endif 55 #endif 56 57 #include PATH_IPSEC_H 58 59 #include "var.h" 60 #include "vmbuf.h" 61 #include "schedule.h" 62 #include "misc.h" 63 #include "plog.h" 64 #include "debug.h" 65 66 #include "localconf.h" 67 #include "remoteconf.h" 68 #include "handler.h" 69 #include "policy.h" 70 #include "proposal.h" 71 #include "isakmp_var.h" 72 #include "isakmp.h" 73 #include "isakmp_inf.h" 74 #include "isakmp_quick.h" 75 #include "oakley.h" 76 #include "ipsec_doi.h" 77 #include "crypto_openssl.h" 78 #include "pfkey.h" 79 #include "policy.h" 80 #include "algorithm.h" 81 #include "sockmisc.h" 82 #include "proposal.h" 83 #include "sainfo.h" 84 #include "admin.h" 85 #include "strnames.h" 86 87 #ifdef ENABLE_HYBRID 88 #include <resolv.h> 89 #include "isakmp_xauth.h" 90 #include "isakmp_cfg.h" 91 #endif 92 93 #ifdef ENABLE_NATT 94 #include "nattraversal.h" 95 #endif 96 97 /* quick mode */ 98 static vchar_t *quick_ir1mx __P((struct ph2handle *, vchar_t *, vchar_t *)); 99 static int get_sainfo_r __P((struct ph2handle *)); 100 static int get_proposal_r __P((struct ph2handle *)); 101 static int ph2_recv_n __P((struct ph2handle *, struct isakmp_gen *)); 102 static void quick_timeover_stub __P((struct sched *)); 103 static void quick_timeover __P((struct ph2handle *)); 104 105 /* called from scheduler */ 106 static void 107 quick_timeover_stub(p) 108 struct sched *p; 109 { 110 quick_timeover(container_of(p, struct ph2handle, sce)); 111 } 112 113 static void 114 quick_timeover(iph2) 115 struct ph2handle *iph2; 116 { 117 plog(LLV_ERROR, LOCATION, NULL, 118 "%s give up to get IPsec-SA due to time up to wait.\n", 119 saddrwop2str(iph2->dst)); 120 121 /* If initiator side, send error to kernel by SADB_ACQUIRE. */ 122 if (iph2->side == INITIATOR) 123 pk_sendeacquire(iph2); 124 125 remph2(iph2); 126 delph2(iph2); 127 } 128 129 /* %%% 130 * Quick Mode 131 */ 132 /* 133 * begin Quick Mode as initiator. send pfkey getspi message to kernel. 134 */ 135 int 136 quick_i1prep(iph2, msg) 137 struct ph2handle *iph2; 138 vchar_t *msg; /* must be null pointer */ 139 { 140 int error = ISAKMP_INTERNAL_ERROR; 141 142 /* validity check */ 143 if (iph2->status != PHASE2ST_STATUS2) { 144 plog(LLV_ERROR, LOCATION, NULL, 145 "status mismatched %d.\n", iph2->status); 146 goto end; 147 } 148 149 iph2->msgid = isakmp_newmsgid2(iph2->ph1); 150 iph2->ivm = oakley_newiv2(iph2->ph1, iph2->msgid); 151 if (iph2->ivm == NULL) 152 return 0; 153 154 iph2->status = PHASE2ST_GETSPISENT; 155 156 /* don't anything if local test mode. */ 157 if (f_local) { 158 error = 0; 159 goto end; 160 } 161 162 /* send getspi message */ 163 if (pk_sendgetspi(iph2) < 0) 164 goto end; 165 166 plog(LLV_DEBUG, LOCATION, NULL, "pfkey getspi sent.\n"); 167 168 sched_schedule(&iph2->sce, lcconf->wait_ph2complete, 169 quick_timeover_stub); 170 171 error = 0; 172 173 end: 174 return error; 175 } 176 177 /* 178 * send to responder 179 * HDR*, HASH(1), SA, Ni [, KE ] [, IDi2, IDr2 ] [, NAT-OAi, NAT-OAr ] 180 */ 181 int 182 quick_i1send(iph2, msg) 183 struct ph2handle *iph2; 184 vchar_t *msg; /* must be null pointer */ 185 { 186 vchar_t *body = NULL; 187 vchar_t *hash = NULL; 188 struct isakmp_gen *gen; 189 char *p; 190 int tlen; 191 int error = ISAKMP_INTERNAL_ERROR; 192 int natoa = ISAKMP_NPTYPE_NONE; 193 int pfsgroup, idci, idcr; 194 int np; 195 struct ipsecdoi_id_b *id, *id_p; 196 #ifdef ENABLE_NATT 197 vchar_t *nat_oai = NULL; 198 vchar_t *nat_oar = NULL; 199 #endif 200 201 /* validity check */ 202 if (msg != NULL) { 203 plog(LLV_ERROR, LOCATION, NULL, 204 "msg has to be NULL in this function.\n"); 205 goto end; 206 } 207 if (iph2->status != PHASE2ST_GETSPIDONE) { 208 plog(LLV_ERROR, LOCATION, NULL, 209 "status mismatched %d.\n", iph2->status); 210 goto end; 211 } 212 213 /* create SA payload for my proposal */ 214 if (ipsecdoi_setph2proposal(iph2) < 0) 215 goto end; 216 217 /* generate NONCE value */ 218 iph2->nonce = eay_set_random(iph2->ph1->rmconf->nonce_size); 219 if (iph2->nonce == NULL) 220 goto end; 221 222 /* 223 * DH value calculation is kicked out into cfparse.y. 224 * because pfs group can not be negotiated, it's only to be checked 225 * acceptable. 226 */ 227 /* generate KE value if need */ 228 pfsgroup = iph2->proposal->pfs_group; 229 if (pfsgroup) { 230 /* DH group settting if PFS is required. */ 231 if (oakley_setdhgroup(pfsgroup, &iph2->pfsgrp) < 0) { 232 plog(LLV_ERROR, LOCATION, NULL, 233 "failed to set DH value.\n"); 234 goto end; 235 } 236 if (oakley_dh_generate(iph2->pfsgrp, 237 &iph2->dhpub, &iph2->dhpriv) < 0) { 238 goto end; 239 } 240 } 241 242 /* generate ID value */ 243 if (ipsecdoi_setid2(iph2) < 0) { 244 plog(LLV_ERROR, LOCATION, NULL, 245 "failed to get ID.\n"); 246 goto end; 247 } 248 plog(LLV_DEBUG, LOCATION, NULL, "IDci:\n"); 249 plogdump(LLV_DEBUG, iph2->id->v, iph2->id->l); 250 plog(LLV_DEBUG, LOCATION, NULL, "IDcr:\n"); 251 plogdump(LLV_DEBUG, iph2->id_p->v, iph2->id_p->l); 252 253 /* 254 * we do not attach IDci nor IDcr, under the following condition: 255 * - all proposals are transport mode 256 * - no MIP6 or proxy 257 * - id payload suggests to encrypt all the traffic (no specific 258 * protocol type) 259 * - SA endpoints and IKE addresses for the nego are the same 260 * (iph2->src/dst) 261 */ 262 id = (struct ipsecdoi_id_b *)iph2->id->v; 263 id_p = (struct ipsecdoi_id_b *)iph2->id_p->v; 264 if (id->proto_id == 0 && 265 id_p->proto_id == 0 && 266 iph2->ph1->rmconf->support_proxy == 0 && 267 iph2->sa_src == NULL && iph2->sa_dst == NULL && 268 ipsecdoi_transportmode(iph2->proposal)) { 269 idci = idcr = 0; 270 } else 271 idci = idcr = 1; 272 273 #ifdef ENABLE_NATT 274 /* 275 * RFC3947 5.2. if we propose UDP-Encapsulated-Transport 276 * we should send NAT-OA 277 */ 278 if (ipsecdoi_transportmode(iph2->proposal) 279 && (iph2->ph1->natt_flags & NAT_DETECTED)) { 280 natoa = iph2->ph1->natt_options->payload_nat_oa; 281 282 nat_oai = ipsecdoi_sockaddr2id(iph2->src, 283 IPSECDOI_PREFIX_HOST, IPSEC_ULPROTO_ANY); 284 nat_oar = ipsecdoi_sockaddr2id(iph2->dst, 285 IPSECDOI_PREFIX_HOST, IPSEC_ULPROTO_ANY); 286 287 if (nat_oai == NULL || nat_oar == NULL) { 288 plog(LLV_ERROR, LOCATION, NULL, 289 "failed to generate NAT-OA payload.\n"); 290 goto end; 291 } 292 293 plog(LLV_DEBUG, LOCATION, NULL, "NAT-OAi:\n"); 294 plogdump(LLV_DEBUG, nat_oai->v, nat_oai->l); 295 plog(LLV_DEBUG, LOCATION, NULL, "NAT-OAr:\n"); 296 plogdump(LLV_DEBUG, nat_oar->v, nat_oar->l); 297 } else { 298 natoa = ISAKMP_NPTYPE_NONE; 299 } 300 #endif 301 302 /* create SA;NONCE payload, and KE if need, and IDii, IDir. */ 303 tlen = + sizeof(*gen) + iph2->sa->l 304 + sizeof(*gen) + iph2->nonce->l; 305 if (pfsgroup) 306 tlen += (sizeof(*gen) + iph2->dhpub->l); 307 if (idci) 308 tlen += sizeof(*gen) + iph2->id->l; 309 if (idcr) 310 tlen += sizeof(*gen) + iph2->id_p->l; 311 #ifdef ENABLE_NATT 312 if (natoa != ISAKMP_NPTYPE_NONE) 313 tlen += 2 * sizeof(*gen) + nat_oai->l + nat_oar->l; 314 #endif 315 316 body = vmalloc(tlen); 317 if (body == NULL) { 318 plog(LLV_ERROR, LOCATION, NULL, 319 "failed to get buffer to send.\n"); 320 goto end; 321 } 322 323 p = body->v; 324 325 /* add SA payload */ 326 p = set_isakmp_payload(p, iph2->sa, ISAKMP_NPTYPE_NONCE); 327 328 /* add NONCE payload */ 329 if (pfsgroup) 330 np = ISAKMP_NPTYPE_KE; 331 else if (idci || idcr) 332 np = ISAKMP_NPTYPE_ID; 333 else 334 np = natoa; 335 p = set_isakmp_payload(p, iph2->nonce, np); 336 337 /* add KE payload if need. */ 338 np = (idci || idcr) ? ISAKMP_NPTYPE_ID : natoa; 339 if (pfsgroup) 340 p = set_isakmp_payload(p, iph2->dhpub, np); 341 342 /* IDci */ 343 np = (idcr) ? ISAKMP_NPTYPE_ID : natoa; 344 if (idci) 345 p = set_isakmp_payload(p, iph2->id, np); 346 347 /* IDcr */ 348 if (idcr) 349 p = set_isakmp_payload(p, iph2->id_p, natoa); 350 351 #ifdef ENABLE_NATT 352 /* NAT-OA */ 353 if (natoa != ISAKMP_NPTYPE_NONE) { 354 p = set_isakmp_payload(p, nat_oai, natoa); 355 p = set_isakmp_payload(p, nat_oar, ISAKMP_NPTYPE_NONE); 356 } 357 #endif 358 359 /* generate HASH(1) */ 360 hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, body); 361 if (hash == NULL) 362 goto end; 363 364 /* send isakmp payload */ 365 iph2->sendbuf = quick_ir1mx(iph2, body, hash); 366 if (iph2->sendbuf == NULL) 367 goto end; 368 369 /* send the packet, add to the schedule to resend */ 370 if (isakmp_ph2send(iph2) == -1) 371 goto end; 372 373 /* change status of isakmp status entry */ 374 iph2->status = PHASE2ST_MSG1SENT; 375 376 error = 0; 377 378 end: 379 if (body != NULL) 380 vfree(body); 381 if (hash != NULL) 382 vfree(hash); 383 #ifdef ENABLE_NATT 384 if (nat_oai != NULL) 385 vfree(nat_oai); 386 if (nat_oar != NULL) 387 vfree(nat_oar); 388 #endif 389 390 return error; 391 } 392 393 /* 394 * receive from responder 395 * HDR*, HASH(2), SA, Nr [, KE ] [, IDi2, IDr2 ] [, NAT-OAi, NAT-OAr ] 396 */ 397 int 398 quick_i2recv(iph2, msg0) 399 struct ph2handle *iph2; 400 vchar_t *msg0; 401 { 402 vchar_t *msg = NULL; 403 vchar_t *hbuf = NULL; /* for hash computing. */ 404 vchar_t *pbuf = NULL; /* for payload parsing */ 405 vchar_t *idci = NULL; 406 vchar_t *idcr = NULL; 407 struct isakmp_parse_t *pa; 408 struct isakmp *isakmp = (struct isakmp *)msg0->v; 409 struct isakmp_pl_hash *hash = NULL; 410 char *p; 411 int tlen; 412 int error = ISAKMP_INTERNAL_ERROR; 413 414 /* validity check */ 415 if (iph2->status != PHASE2ST_MSG1SENT) { 416 plog(LLV_ERROR, LOCATION, NULL, 417 "status mismatched %d.\n", iph2->status); 418 goto end; 419 } 420 421 /* decrypt packet */ 422 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) { 423 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 424 "Packet wasn't encrypted.\n"); 425 goto end; 426 } 427 msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive); 428 if (msg == NULL) 429 goto end; 430 431 /* create buffer for validating HASH(2) */ 432 /* 433 * ordering rule: 434 * 1. the first one must be HASH 435 * 2. the second one must be SA (added in isakmp-oakley-05!) 436 * 3. two IDs must be considered as IDci, then IDcr 437 */ 438 pbuf = isakmp_parse(msg); 439 if (pbuf == NULL) 440 goto end; 441 pa = (struct isakmp_parse_t *)pbuf->v; 442 443 /* HASH payload is fixed postion */ 444 if (pa->type != ISAKMP_NPTYPE_HASH) { 445 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 446 "received invalid next payload type %d, " 447 "expecting %d.\n", 448 pa->type, ISAKMP_NPTYPE_HASH); 449 goto end; 450 } 451 hash = (struct isakmp_pl_hash *)pa->ptr; 452 pa++; 453 454 /* 455 * this restriction was introduced in isakmp-oakley-05. 456 * we do not check this for backward compatibility. 457 * TODO: command line/config file option to enable/disable this code 458 */ 459 /* HASH payload is fixed postion */ 460 if (pa->type != ISAKMP_NPTYPE_SA) { 461 plog(LLV_WARNING, LOCATION, iph2->ph1->remote, 462 "received invalid next payload type %d, " 463 "expecting %d.\n", 464 pa->type, ISAKMP_NPTYPE_HASH); 465 } 466 467 /* allocate buffer for computing HASH(2) */ 468 tlen = iph2->nonce->l 469 + ntohl(isakmp->len) - sizeof(*isakmp); 470 hbuf = vmalloc(tlen); 471 if (hbuf == NULL) { 472 plog(LLV_ERROR, LOCATION, NULL, 473 "failed to get hash buffer.\n"); 474 goto end; 475 } 476 p = hbuf->v + iph2->nonce->l; /* retain the space for Ni_b */ 477 478 /* 479 * parse the payloads. 480 * copy non-HASH payloads into hbuf, so that we can validate HASH. 481 */ 482 iph2->sa_ret = NULL; 483 tlen = 0; /* count payload length except of HASH payload. */ 484 for (; pa->type; pa++) { 485 486 /* copy to buffer for HASH */ 487 /* Don't modify the payload */ 488 memcpy(p, pa->ptr, pa->len); 489 490 switch (pa->type) { 491 case ISAKMP_NPTYPE_SA: 492 if (iph2->sa_ret != NULL) { 493 plog(LLV_ERROR, LOCATION, NULL, 494 "Ignored, multiple SA " 495 "isn't supported.\n"); 496 break; 497 } 498 if (isakmp_p2ph(&iph2->sa_ret, pa->ptr) < 0) { 499 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 500 "duplicate ISAKMP_NPTYPE_SA.\n"); 501 goto end; 502 } 503 break; 504 505 case ISAKMP_NPTYPE_NONCE: 506 if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0) { 507 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 508 "duplicate ISAKMP_NPTYPE_NONCE.\n"); 509 goto end; 510 } 511 break; 512 513 case ISAKMP_NPTYPE_KE: 514 if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0) { 515 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 516 "duplicate ISAKMP_NPTYPE_KE.\n"); 517 goto end; 518 } 519 break; 520 521 case ISAKMP_NPTYPE_ID: 522 if (idci == NULL) { 523 if (isakmp_p2ph(&idci, pa->ptr) < 0) 524 goto end; 525 } else if (idcr == NULL) { 526 if (isakmp_p2ph(&idcr, pa->ptr) < 0) 527 goto end; 528 } else { 529 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 530 "too many ISAKMP_NPTYPE_ID payloads.\n"); 531 goto end; 532 } 533 break; 534 535 case ISAKMP_NPTYPE_N: 536 ph2_recv_n(iph2, pa->ptr); 537 break; 538 539 #ifdef ENABLE_NATT 540 case ISAKMP_NPTYPE_NATOA_DRAFT: 541 case ISAKMP_NPTYPE_NATOA_RFC: 542 { 543 struct sockaddr_storage addr; 544 struct sockaddr *daddr; 545 u_int8_t prefix; 546 u_int16_t ul_proto; 547 vchar_t *vp = NULL; 548 549 if (isakmp_p2ph(&vp, pa->ptr) < 0) 550 goto end; 551 552 error = ipsecdoi_id2sockaddr(vp, 553 (struct sockaddr *) &addr, 554 &prefix, &ul_proto); 555 556 vfree(vp); 557 558 if (error) 559 goto end; 560 561 daddr = dupsaddr((struct sockaddr *) &addr); 562 if (daddr == NULL) 563 goto end; 564 565 if (iph2->natoa_src == NULL) 566 iph2->natoa_src = daddr; 567 else if (iph2->natoa_dst == NULL) 568 iph2->natoa_dst = daddr; 569 else { 570 racoon_free(daddr); 571 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 572 "too many ISAKMP_NPTYPE_NATOA payloads.\n"); 573 goto end; 574 } 575 } 576 break; 577 #endif 578 579 default: 580 /* don't send information, see ident_r1recv() */ 581 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 582 "ignore the packet, " 583 "received unexpecting payload type %d.\n", 584 pa->type); 585 goto end; 586 } 587 588 p += pa->len; 589 590 /* compute true length of payload. */ 591 tlen += pa->len; 592 } 593 594 /* payload existency check */ 595 if (hash == NULL || iph2->sa_ret == NULL || iph2->nonce_p == NULL) { 596 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 597 "few isakmp message received.\n"); 598 goto end; 599 } 600 601 /* identity check */ 602 if (idci != NULL) { 603 struct sockaddr_storage proposed_addr, got_addr; 604 u_int8_t proposed_prefix, got_prefix; 605 u_int16_t proposed_ulproto, got_ulproto; 606 607 error = ipsecdoi_id2sockaddr(iph2->id, 608 (struct sockaddr *) &proposed_addr, 609 &proposed_prefix, &proposed_ulproto); 610 if (error) 611 goto end; 612 613 error = ipsecdoi_id2sockaddr(idci, 614 (struct sockaddr *) &got_addr, 615 &got_prefix, &got_ulproto); 616 if (error) 617 goto end; 618 619 if (proposed_prefix != got_prefix 620 || proposed_ulproto != got_ulproto) { 621 plog(LLV_DEBUG, LOCATION, NULL, 622 "IDci prefix/ulproto does not match proposal.\n"); 623 error = ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED; 624 goto end; 625 } 626 #ifdef ENABLE_NATT 627 set_port(iph2->natoa_src, 628 extract_port((struct sockaddr *) &proposed_addr)); 629 #endif 630 631 if (cmpsaddr((struct sockaddr *) &proposed_addr, 632 (struct sockaddr *) &got_addr) == 0) { 633 plog(LLV_DEBUG, LOCATION, NULL, 634 "IDci matches proposal.\n"); 635 #ifdef ENABLE_NATT 636 } else if (iph2->natoa_src != NULL 637 && cmpsaddr(iph2->natoa_src, 638 (struct sockaddr *) &got_addr) == 0) { 639 plog(LLV_DEBUG, LOCATION, NULL, 640 "IDci matches NAT-OAi.\n"); 641 #endif 642 } else { 643 plog(LLV_ERROR, LOCATION, NULL, 644 "mismatched IDci was returned.\n"); 645 error = ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED; 646 goto end; 647 } 648 } 649 if (idcr != NULL) { 650 struct sockaddr_storage proposed_addr, got_addr; 651 u_int8_t proposed_prefix, got_prefix; 652 u_int16_t proposed_ulproto, got_ulproto; 653 654 error = ipsecdoi_id2sockaddr(iph2->id_p, 655 (struct sockaddr *) &proposed_addr, 656 &proposed_prefix, &proposed_ulproto); 657 if (error) 658 goto end; 659 660 error = ipsecdoi_id2sockaddr(idcr, 661 (struct sockaddr *) &got_addr, 662 &got_prefix, &got_ulproto); 663 if (error) 664 goto end; 665 666 if (proposed_prefix != got_prefix 667 || proposed_ulproto != got_ulproto) { 668 plog(LLV_DEBUG, LOCATION, NULL, 669 "IDcr prefix/ulproto does not match proposal.\n"); 670 error = ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED; 671 goto end; 672 } 673 674 #ifdef ENABLE_NATT 675 set_port(iph2->natoa_dst, 676 extract_port((struct sockaddr *) &proposed_addr)); 677 #endif 678 679 if (cmpsaddr((struct sockaddr *) &proposed_addr, 680 (struct sockaddr *) &got_addr) == 0) { 681 plog(LLV_DEBUG, LOCATION, NULL, 682 "IDcr matches proposal.\n"); 683 #ifdef ENABLE_NATT 684 } else if (iph2->natoa_dst != NULL 685 && cmpsaddr(iph2->natoa_dst, 686 (struct sockaddr *) &got_addr) == 0) { 687 plog(LLV_DEBUG, LOCATION, NULL, 688 "IDcr matches NAT-OAr.\n"); 689 #endif 690 } else { 691 plog(LLV_ERROR, LOCATION, NULL, 692 "mismatched IDcr was returned.\n"); 693 error = ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED; 694 goto end; 695 } 696 } 697 698 /* Fixed buffer for calculating HASH */ 699 memcpy(hbuf->v, iph2->nonce->v, iph2->nonce->l); 700 plog(LLV_DEBUG, LOCATION, NULL, 701 "HASH allocated:hbuf->l=%zu actual:tlen=%zu\n", 702 hbuf->l, tlen + iph2->nonce->l); 703 /* adjust buffer length for HASH */ 704 hbuf->l = iph2->nonce->l + tlen; 705 706 /* validate HASH(2) */ 707 { 708 char *r_hash; 709 vchar_t *my_hash = NULL; 710 int result; 711 712 r_hash = (char *)hash + sizeof(*hash); 713 714 plog(LLV_DEBUG, LOCATION, NULL, "HASH(2) received:"); 715 plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash)); 716 717 my_hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, hbuf); 718 if (my_hash == NULL) 719 goto end; 720 721 result = memcmp(my_hash->v, r_hash, my_hash->l); 722 vfree(my_hash); 723 724 if (result) { 725 plog(LLV_DEBUG, LOCATION, iph2->ph1->remote, 726 "HASH(2) mismatch.\n"); 727 error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION; 728 goto end; 729 } 730 } 731 732 /* validity check SA payload sent from responder */ 733 if (ipsecdoi_checkph2proposal(iph2) < 0) { 734 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 735 "proposal check failed.\n"); 736 error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN; 737 goto end; 738 } 739 740 /* change status of isakmp status entry */ 741 iph2->status = PHASE2ST_STATUS6; 742 743 error = 0; 744 745 end: 746 if (hbuf) 747 vfree(hbuf); 748 if (pbuf) 749 vfree(pbuf); 750 if (msg) 751 vfree(msg); 752 if (idci) 753 vfree(idci); 754 if (idcr) 755 vfree(idcr); 756 757 if (error) { 758 VPTRINIT(iph2->sa_ret); 759 VPTRINIT(iph2->nonce_p); 760 VPTRINIT(iph2->dhpub_p); 761 VPTRINIT(iph2->id); 762 VPTRINIT(iph2->id_p); 763 #ifdef ENABLE_NATT 764 if (iph2->natoa_src) { 765 racoon_free(iph2->natoa_src); 766 iph2->natoa_src = NULL; 767 } 768 if (iph2->natoa_dst) { 769 racoon_free(iph2->natoa_dst); 770 iph2->natoa_dst = NULL; 771 } 772 #endif 773 } 774 775 return error; 776 } 777 778 /* 779 * send to responder 780 * HDR*, HASH(3) 781 */ 782 int 783 quick_i2send(iph2, msg0) 784 struct ph2handle *iph2; 785 vchar_t *msg0; 786 { 787 vchar_t *msg = NULL; 788 vchar_t *buf = NULL; 789 vchar_t *hash = NULL; 790 char *p = NULL; 791 int tlen; 792 int error = ISAKMP_INTERNAL_ERROR; 793 794 /* validity check */ 795 if (iph2->status != PHASE2ST_STATUS6) { 796 plog(LLV_ERROR, LOCATION, NULL, 797 "status mismatched %d.\n", iph2->status); 798 goto end; 799 } 800 801 /* generate HASH(3) */ 802 { 803 vchar_t *tmp = NULL; 804 805 plog(LLV_DEBUG, LOCATION, NULL, "HASH(3) generate\n"); 806 807 tmp = vmalloc(iph2->nonce->l + iph2->nonce_p->l); 808 if (tmp == NULL) { 809 plog(LLV_ERROR, LOCATION, NULL, 810 "failed to get hash buffer.\n"); 811 goto end; 812 } 813 memcpy(tmp->v, iph2->nonce->v, iph2->nonce->l); 814 memcpy(tmp->v + iph2->nonce->l, iph2->nonce_p->v, iph2->nonce_p->l); 815 816 hash = oakley_compute_hash3(iph2->ph1, iph2->msgid, tmp); 817 vfree(tmp); 818 819 if (hash == NULL) 820 goto end; 821 } 822 823 /* create buffer for isakmp payload */ 824 tlen = sizeof(struct isakmp) 825 + sizeof(struct isakmp_gen) + hash->l; 826 buf = vmalloc(tlen); 827 if (buf == NULL) { 828 plog(LLV_ERROR, LOCATION, NULL, 829 "failed to get buffer to send.\n"); 830 goto end; 831 } 832 833 /* create isakmp header */ 834 p = set_isakmp_header2(buf, iph2, ISAKMP_NPTYPE_HASH); 835 if (p == NULL) 836 goto end; 837 838 /* add HASH(3) payload */ 839 p = set_isakmp_payload(p, hash, ISAKMP_NPTYPE_NONE); 840 841 #ifdef HAVE_PRINT_ISAKMP_C 842 isakmp_printpacket(buf, iph2->ph1->local, iph2->ph1->remote, 1); 843 #endif 844 845 /* encoding */ 846 iph2->sendbuf = oakley_do_encrypt(iph2->ph1, buf, iph2->ivm->ive, iph2->ivm->iv); 847 if (iph2->sendbuf == NULL) 848 goto end; 849 850 /* if there is commit bit, need resending */ 851 if (ISSET(iph2->flags, ISAKMP_FLAG_C)) { 852 /* send the packet, add to the schedule to resend */ 853 if (isakmp_ph2send(iph2) == -1) 854 goto end; 855 } else { 856 /* send the packet */ 857 if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0) 858 goto end; 859 } 860 861 /* the sending message is added to the received-list. */ 862 if (add_recvdpkt(iph2->ph1->remote, iph2->ph1->local, 863 iph2->sendbuf, msg0) == -1) { 864 plog(LLV_ERROR , LOCATION, NULL, 865 "failed to add a response packet to the tree.\n"); 866 goto end; 867 } 868 869 /* compute both of KEYMATs */ 870 if (oakley_compute_keymat(iph2, INITIATOR) < 0) 871 goto end; 872 873 iph2->status = PHASE2ST_ADDSA; 874 875 /* don't anything if local test mode. */ 876 if (f_local) { 877 error = 0; 878 goto end; 879 } 880 881 /* if there is commit bit don't set up SA now. */ 882 if (ISSET(iph2->flags, ISAKMP_FLAG_C)) { 883 iph2->status = PHASE2ST_COMMIT; 884 error = 0; 885 goto end; 886 } 887 888 /* Do UPDATE for initiator */ 889 plog(LLV_DEBUG, LOCATION, NULL, "call pk_sendupdate\n"); 890 if (pk_sendupdate(iph2) < 0) { 891 plog(LLV_ERROR, LOCATION, NULL, "pfkey update failed.\n"); 892 goto end; 893 } 894 plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n"); 895 896 /* Do ADD for responder */ 897 if (pk_sendadd(iph2) < 0) { 898 plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n"); 899 goto end; 900 } 901 plog(LLV_DEBUG, LOCATION, NULL, "pfkey add sent.\n"); 902 903 error = 0; 904 905 end: 906 if (buf != NULL) 907 vfree(buf); 908 if (msg != NULL) 909 vfree(msg); 910 if (hash != NULL) 911 vfree(hash); 912 913 return error; 914 } 915 916 /* 917 * receive from responder 918 * HDR#*, HASH(4), notify 919 */ 920 int 921 quick_i3recv(iph2, msg0) 922 struct ph2handle *iph2; 923 vchar_t *msg0; 924 { 925 vchar_t *msg = NULL; 926 vchar_t *pbuf = NULL; /* for payload parsing */ 927 struct isakmp_parse_t *pa; 928 struct isakmp_pl_hash *hash = NULL; 929 vchar_t *notify = NULL; 930 int error = ISAKMP_INTERNAL_ERROR; 931 932 /* validity check */ 933 if (iph2->status != PHASE2ST_COMMIT) { 934 plog(LLV_ERROR, LOCATION, NULL, 935 "status mismatched %d.\n", iph2->status); 936 goto end; 937 } 938 939 /* decrypt packet */ 940 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) { 941 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 942 "Packet wasn't encrypted.\n"); 943 goto end; 944 } 945 msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive); 946 if (msg == NULL) 947 goto end; 948 949 /* validate the type of next payload */ 950 pbuf = isakmp_parse(msg); 951 if (pbuf == NULL) 952 goto end; 953 954 for (pa = (struct isakmp_parse_t *)pbuf->v; 955 pa->type != ISAKMP_NPTYPE_NONE; 956 pa++) { 957 958 switch (pa->type) { 959 case ISAKMP_NPTYPE_HASH: 960 hash = (struct isakmp_pl_hash *)pa->ptr; 961 break; 962 case ISAKMP_NPTYPE_N: 963 if (notify != NULL) { 964 plog(LLV_WARNING, LOCATION, NULL, 965 "Ignoring multiples notifications\n"); 966 break; 967 } 968 ph2_recv_n(iph2, pa->ptr); 969 notify = vmalloc(pa->len); 970 if (notify == NULL) { 971 plog(LLV_ERROR, LOCATION, NULL, 972 "failed to get notify buffer.\n"); 973 goto end; 974 } 975 memcpy(notify->v, pa->ptr, notify->l); 976 break; 977 default: 978 /* don't send information, see ident_r1recv() */ 979 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 980 "ignore the packet, " 981 "received unexpecting payload type %d.\n", 982 pa->type); 983 goto end; 984 } 985 } 986 987 /* payload existency check */ 988 if (hash == NULL) { 989 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 990 "few isakmp message received.\n"); 991 goto end; 992 } 993 994 /* validate HASH(4) */ 995 { 996 char *r_hash; 997 vchar_t *my_hash = NULL; 998 vchar_t *tmp = NULL; 999 int result; 1000 1001 r_hash = (char *)hash + sizeof(*hash); 1002 1003 plog(LLV_DEBUG, LOCATION, NULL, "HASH(4) validate:"); 1004 plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash)); 1005 1006 my_hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, notify); 1007 vfree(tmp); 1008 if (my_hash == NULL) 1009 goto end; 1010 1011 result = memcmp(my_hash->v, r_hash, my_hash->l); 1012 vfree(my_hash); 1013 1014 if (result) { 1015 plog(LLV_DEBUG, LOCATION, iph2->ph1->remote, 1016 "HASH(4) mismatch.\n"); 1017 error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION; 1018 goto end; 1019 } 1020 } 1021 1022 iph2->status = PHASE2ST_ADDSA; 1023 iph2->flags ^= ISAKMP_FLAG_C; /* reset bit */ 1024 1025 /* don't anything if local test mode. */ 1026 if (f_local) { 1027 error = 0; 1028 goto end; 1029 } 1030 1031 /* Do UPDATE for initiator */ 1032 plog(LLV_DEBUG, LOCATION, NULL, "call pk_sendupdate\n"); 1033 if (pk_sendupdate(iph2) < 0) { 1034 plog(LLV_ERROR, LOCATION, NULL, "pfkey update failed.\n"); 1035 goto end; 1036 } 1037 plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n"); 1038 1039 /* Do ADD for responder */ 1040 if (pk_sendadd(iph2) < 0) { 1041 plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n"); 1042 goto end; 1043 } 1044 plog(LLV_DEBUG, LOCATION, NULL, "pfkey add sent.\n"); 1045 1046 error = 0; 1047 1048 end: 1049 if (msg != NULL) 1050 vfree(msg); 1051 if (pbuf != NULL) 1052 vfree(pbuf); 1053 if (notify != NULL) 1054 vfree(notify); 1055 1056 return error; 1057 } 1058 1059 /* 1060 * receive from initiator 1061 * HDR*, HASH(1), SA, Ni [, KE ] [, IDi2, IDr2 ] [, NAT-OAi, NAT-OAr ] 1062 */ 1063 int 1064 quick_r1recv(iph2, msg0) 1065 struct ph2handle *iph2; 1066 vchar_t *msg0; 1067 { 1068 vchar_t *msg = NULL; 1069 vchar_t *hbuf = NULL; /* for hash computing. */ 1070 vchar_t *pbuf = NULL; /* for payload parsing */ 1071 struct isakmp_parse_t *pa; 1072 struct isakmp *isakmp = (struct isakmp *)msg0->v; 1073 struct isakmp_pl_hash *hash = NULL; 1074 char *p; 1075 int tlen; 1076 int f_id_order; /* for ID payload detection */ 1077 int error = ISAKMP_INTERNAL_ERROR; 1078 1079 /* validity check */ 1080 if (iph2->status != PHASE2ST_START) { 1081 plog(LLV_ERROR, LOCATION, NULL, 1082 "status mismatched %d.\n", iph2->status); 1083 goto end; 1084 } 1085 1086 /* decrypting */ 1087 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) { 1088 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 1089 "Packet wasn't encrypted.\n"); 1090 error = ISAKMP_NTYPE_PAYLOAD_MALFORMED; 1091 goto end; 1092 } 1093 /* decrypt packet */ 1094 msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive); 1095 if (msg == NULL) { 1096 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 1097 "Packet decryption failed.\n"); 1098 goto end; 1099 } 1100 1101 /* create buffer for using to validate HASH(1) */ 1102 /* 1103 * ordering rule: 1104 * 1. the first one must be HASH 1105 * 2. the second one must be SA (added in isakmp-oakley-05!) 1106 * 3. two IDs must be considered as IDci, then IDcr 1107 */ 1108 pbuf = isakmp_parse(msg); 1109 if (pbuf == NULL) 1110 goto end; 1111 pa = (struct isakmp_parse_t *)pbuf->v; 1112 1113 /* HASH payload is fixed postion */ 1114 if (pa->type != ISAKMP_NPTYPE_HASH) { 1115 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 1116 "received invalid next payload type %d, " 1117 "expecting %d.\n", 1118 pa->type, ISAKMP_NPTYPE_HASH); 1119 error = ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX; 1120 goto end; 1121 } 1122 hash = (struct isakmp_pl_hash *)pa->ptr; 1123 pa++; 1124 1125 /* 1126 * this restriction was introduced in isakmp-oakley-05. 1127 * we do not check this for backward compatibility. 1128 * TODO: command line/config file option to enable/disable this code 1129 */ 1130 /* HASH payload is fixed postion */ 1131 if (pa->type != ISAKMP_NPTYPE_SA) { 1132 plog(LLV_WARNING, LOCATION, iph2->ph1->remote, 1133 "received invalid next payload type %d, " 1134 "expecting %d.\n", 1135 pa->type, ISAKMP_NPTYPE_SA); 1136 error = ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX; 1137 } 1138 1139 /* allocate buffer for computing HASH(1) */ 1140 tlen = ntohl(isakmp->len) - sizeof(*isakmp); 1141 hbuf = vmalloc(tlen); 1142 if (hbuf == NULL) { 1143 plog(LLV_ERROR, LOCATION, NULL, 1144 "failed to get hash buffer.\n"); 1145 goto end; 1146 } 1147 p = hbuf->v; 1148 1149 /* 1150 * parse the payloads. 1151 * copy non-HASH payloads into hbuf, so that we can validate HASH. 1152 */ 1153 iph2->sa = NULL; /* we don't support multi SAs. */ 1154 iph2->nonce_p = NULL; 1155 iph2->dhpub_p = NULL; 1156 iph2->id_p = NULL; 1157 iph2->id = NULL; 1158 tlen = 0; /* count payload length except of HASH payload. */ 1159 1160 /* 1161 * IDi2 MUST be immediatelly followed by IDr2. We allowed the 1162 * illegal case, but logged. First ID payload is to be IDi2. 1163 * And next ID payload is to be IDr2. 1164 */ 1165 f_id_order = 0; 1166 1167 for (; pa->type; pa++) { 1168 1169 /* copy to buffer for HASH */ 1170 /* Don't modify the payload */ 1171 memcpy(p, pa->ptr, pa->len); 1172 1173 if (pa->type != ISAKMP_NPTYPE_ID) 1174 f_id_order = 0; 1175 1176 switch (pa->type) { 1177 case ISAKMP_NPTYPE_SA: 1178 if (iph2->sa != NULL) { 1179 plog(LLV_ERROR, LOCATION, NULL, 1180 "Multi SAs isn't supported.\n"); 1181 goto end; 1182 } 1183 if (isakmp_p2ph(&iph2->sa, pa->ptr) < 0) { 1184 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 1185 "duplicate ISAKMP_NPTYPE_SA.\n"); 1186 goto end; 1187 } 1188 break; 1189 1190 case ISAKMP_NPTYPE_NONCE: 1191 if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0) { 1192 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 1193 "duplicate ISAKMP_NPTYPE_NONCE.\n"); 1194 goto end; 1195 } 1196 break; 1197 1198 case ISAKMP_NPTYPE_KE: 1199 if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0) { 1200 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 1201 "duplicate ISAKMP_NPTYPE_KE.\n"); 1202 goto end; 1203 } 1204 break; 1205 1206 case ISAKMP_NPTYPE_ID: 1207 if (iph2->id_p == NULL) { 1208 /* for IDci */ 1209 f_id_order++; 1210 1211 if (isakmp_p2ph(&iph2->id_p, pa->ptr) < 0) 1212 goto end; 1213 1214 } else if (iph2->id == NULL) { 1215 /* for IDcr */ 1216 if (f_id_order == 0) { 1217 plog(LLV_ERROR, LOCATION, NULL, 1218 "IDr2 payload is not " 1219 "immediatelly followed " 1220 "by IDi2. We allowed.\n"); 1221 /* XXX we allowed in this case. */ 1222 } 1223 1224 if (isakmp_p2ph(&iph2->id, pa->ptr) < 0) 1225 goto end; 1226 } else { 1227 plog(LLV_ERROR, LOCATION, NULL, 1228 "received too many ID payloads.\n"); 1229 plogdump(LLV_ERROR, iph2->id->v, iph2->id->l); 1230 error = ISAKMP_NTYPE_INVALID_ID_INFORMATION; 1231 goto end; 1232 } 1233 break; 1234 1235 case ISAKMP_NPTYPE_N: 1236 ph2_recv_n(iph2, pa->ptr); 1237 break; 1238 1239 #ifdef ENABLE_NATT 1240 case ISAKMP_NPTYPE_NATOA_DRAFT: 1241 case ISAKMP_NPTYPE_NATOA_RFC: 1242 { 1243 struct sockaddr_storage addr; 1244 struct sockaddr *daddr; 1245 u_int8_t prefix; 1246 u_int16_t ul_proto; 1247 vchar_t *vp = NULL; 1248 1249 if (isakmp_p2ph(&vp, pa->ptr) < 0) 1250 goto end; 1251 1252 error = ipsecdoi_id2sockaddr(vp, 1253 (struct sockaddr *) &addr, 1254 &prefix, &ul_proto); 1255 1256 vfree(vp); 1257 1258 if (error) 1259 goto end; 1260 1261 daddr = dupsaddr((struct sockaddr *) &addr); 1262 if (daddr == NULL) 1263 goto end; 1264 1265 if (iph2->natoa_dst == NULL) 1266 iph2->natoa_dst = daddr; 1267 else if (iph2->natoa_src == NULL) 1268 iph2->natoa_src = daddr; 1269 else { 1270 racoon_free(daddr); 1271 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 1272 "received too many NAT-OA payloads.\n"); 1273 error = ISAKMP_NTYPE_PAYLOAD_MALFORMED; 1274 goto end; 1275 } 1276 } 1277 break; 1278 #endif 1279 1280 default: 1281 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 1282 "ignore the packet, " 1283 "received unexpecting payload type %d.\n", 1284 pa->type); 1285 error = ISAKMP_NTYPE_PAYLOAD_MALFORMED; 1286 goto end; 1287 } 1288 1289 p += pa->len; 1290 1291 /* compute true length of payload. */ 1292 tlen += pa->len; 1293 } 1294 1295 /* payload existency check */ 1296 if (hash == NULL || iph2->sa == NULL || iph2->nonce_p == NULL) { 1297 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 1298 "few isakmp message received.\n"); 1299 error = ISAKMP_NTYPE_PAYLOAD_MALFORMED; 1300 goto end; 1301 } 1302 1303 if (iph2->id_p) { 1304 plog(LLV_DEBUG, LOCATION, NULL, "received IDci2:"); 1305 plogdump(LLV_DEBUG, iph2->id_p->v, iph2->id_p->l); 1306 } 1307 if (iph2->id) { 1308 plog(LLV_DEBUG, LOCATION, NULL, "received IDcr2:"); 1309 plogdump(LLV_DEBUG, iph2->id->v, iph2->id->l); 1310 } 1311 1312 /* adjust buffer length for HASH */ 1313 hbuf->l = tlen; 1314 1315 /* validate HASH(1) */ 1316 { 1317 char *r_hash; 1318 vchar_t *my_hash = NULL; 1319 int result; 1320 1321 r_hash = (caddr_t)hash + sizeof(*hash); 1322 1323 plog(LLV_DEBUG, LOCATION, NULL, "HASH(1) validate:"); 1324 plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash)); 1325 1326 my_hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, hbuf); 1327 if (my_hash == NULL) 1328 goto end; 1329 1330 result = memcmp(my_hash->v, r_hash, my_hash->l); 1331 vfree(my_hash); 1332 1333 if (result) { 1334 plog(LLV_DEBUG, LOCATION, iph2->ph1->remote, 1335 "HASH(1) mismatch.\n"); 1336 error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION; 1337 goto end; 1338 } 1339 } 1340 1341 /* get sainfo */ 1342 error = get_sainfo_r(iph2); 1343 if (error) { 1344 plog(LLV_ERROR, LOCATION, NULL, 1345 "failed to get sainfo.\n"); 1346 goto end; 1347 } 1348 1349 1350 /* check the existence of ID payload and create responder's proposal */ 1351 error = get_proposal_r(iph2); 1352 switch (error) { 1353 case -2: 1354 /* generate a policy template from peer's proposal */ 1355 if (set_proposal_from_proposal(iph2)) { 1356 plog(LLV_ERROR, LOCATION, NULL, 1357 "failed to generate a proposal template " 1358 "from client's proposal.\n"); 1359 error = ISAKMP_INTERNAL_ERROR; 1360 goto end; 1361 } 1362 /*FALLTHROUGH*/ 1363 case 0: 1364 /* select single proposal or reject it. */ 1365 if (ipsecdoi_selectph2proposal(iph2) < 0) { 1366 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 1367 "no proposal chosen.\n"); 1368 error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN; 1369 goto end; 1370 } 1371 break; 1372 default: 1373 plog(LLV_ERROR, LOCATION, NULL, 1374 "failed to get proposal for responder.\n"); 1375 goto end; 1376 } 1377 1378 /* check KE and attribute of PFS */ 1379 if (iph2->dhpub_p != NULL && iph2->approval->pfs_group == 0) { 1380 plog(LLV_ERROR, LOCATION, NULL, 1381 "no PFS is specified, but peer sends KE.\n"); 1382 error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN; 1383 goto end; 1384 } 1385 if (iph2->dhpub_p == NULL && iph2->approval->pfs_group != 0) { 1386 plog(LLV_ERROR, LOCATION, NULL, 1387 "PFS is specified, but peer doesn't sends KE.\n"); 1388 error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN; 1389 goto end; 1390 } 1391 1392 /* 1393 * save the packet from the initiator in order to resend the 1394 * responder's first packet against this packet. 1395 */ 1396 iph2->msg1 = vdup(msg0); 1397 1398 /* change status of isakmp status entry */ 1399 iph2->status = PHASE2ST_STATUS2; 1400 1401 error = 0; 1402 1403 end: 1404 if (hbuf) 1405 vfree(hbuf); 1406 if (msg) 1407 vfree(msg); 1408 if (pbuf) 1409 vfree(pbuf); 1410 1411 if (error) { 1412 VPTRINIT(iph2->sa); 1413 VPTRINIT(iph2->nonce_p); 1414 VPTRINIT(iph2->dhpub_p); 1415 VPTRINIT(iph2->id); 1416 VPTRINIT(iph2->id_p); 1417 #ifdef ENABLE_NATT 1418 if (iph2->natoa_src) { 1419 racoon_free(iph2->natoa_src); 1420 iph2->natoa_src = NULL; 1421 } 1422 if (iph2->natoa_dst) { 1423 racoon_free(iph2->natoa_dst); 1424 iph2->natoa_dst = NULL; 1425 } 1426 #endif 1427 } 1428 1429 return error; 1430 } 1431 1432 /* 1433 * call pfkey_getspi. 1434 */ 1435 int 1436 quick_r1prep(iph2, msg) 1437 struct ph2handle *iph2; 1438 vchar_t *msg; 1439 { 1440 int error = ISAKMP_INTERNAL_ERROR; 1441 1442 /* validity check */ 1443 if (iph2->status != PHASE2ST_STATUS2) { 1444 plog(LLV_ERROR, LOCATION, NULL, 1445 "status mismatched %d.\n", iph2->status); 1446 goto end; 1447 } 1448 1449 iph2->status = PHASE2ST_GETSPISENT; 1450 1451 /* send getspi message */ 1452 if (pk_sendgetspi(iph2) < 0) 1453 goto end; 1454 1455 plog(LLV_DEBUG, LOCATION, NULL, "pfkey getspi sent.\n"); 1456 1457 sched_schedule(&iph2->sce, lcconf->wait_ph2complete, 1458 quick_timeover_stub); 1459 1460 error = 0; 1461 1462 end: 1463 return error; 1464 } 1465 1466 /* 1467 * send to initiator 1468 * HDR*, HASH(2), SA, Nr [, KE ] [, IDi2, IDr2 ] [, NAT-OAi, NAT-OAr ] 1469 */ 1470 int 1471 quick_r2send(iph2, msg) 1472 struct ph2handle *iph2; 1473 vchar_t *msg; 1474 { 1475 vchar_t *body = NULL; 1476 vchar_t *hash = NULL; 1477 struct isakmp_gen *gen; 1478 char *p; 1479 int tlen; 1480 int error = ISAKMP_INTERNAL_ERROR; 1481 int natoa = ISAKMP_NPTYPE_NONE; 1482 int pfsgroup; 1483 u_int8_t *np_p = NULL; 1484 #ifdef ENABLE_NATT 1485 vchar_t *nat_oai = NULL; 1486 vchar_t *nat_oar = NULL; 1487 #endif 1488 1489 /* validity check */ 1490 if (msg != NULL) { 1491 plog(LLV_ERROR, LOCATION, NULL, 1492 "msg has to be NULL in this function.\n"); 1493 goto end; 1494 } 1495 if (iph2->status != PHASE2ST_GETSPIDONE) { 1496 plog(LLV_ERROR, LOCATION, NULL, 1497 "status mismatched %d.\n", iph2->status); 1498 goto end; 1499 } 1500 1501 /* update responders SPI */ 1502 if (ipsecdoi_updatespi(iph2) < 0) { 1503 plog(LLV_ERROR, LOCATION, NULL, "failed to update spi.\n"); 1504 goto end; 1505 } 1506 1507 /* generate NONCE value */ 1508 iph2->nonce = eay_set_random(iph2->ph1->rmconf->nonce_size); 1509 if (iph2->nonce == NULL) 1510 goto end; 1511 1512 /* generate KE value if need */ 1513 pfsgroup = iph2->approval->pfs_group; 1514 if (iph2->dhpub_p != NULL && pfsgroup != 0) { 1515 /* DH group settting if PFS is required. */ 1516 if (oakley_setdhgroup(pfsgroup, &iph2->pfsgrp) < 0) { 1517 plog(LLV_ERROR, LOCATION, NULL, 1518 "failed to set DH value.\n"); 1519 goto end; 1520 } 1521 /* generate DH public value */ 1522 if (oakley_dh_generate(iph2->pfsgrp, 1523 &iph2->dhpub, &iph2->dhpriv) < 0) { 1524 goto end; 1525 } 1526 } 1527 1528 #ifdef ENABLE_NATT 1529 /* 1530 * RFC3947 5.2. if we chose UDP-Encapsulated-Transport 1531 * we should send NAT-OA 1532 */ 1533 if (ipsecdoi_transportmode(iph2->proposal) 1534 && (iph2->ph1->natt_flags & NAT_DETECTED)) { 1535 natoa = iph2->ph1->natt_options->payload_nat_oa; 1536 1537 nat_oai = ipsecdoi_sockaddr2id(iph2->dst, 1538 IPSECDOI_PREFIX_HOST, IPSEC_ULPROTO_ANY); 1539 nat_oar = ipsecdoi_sockaddr2id(iph2->src, 1540 IPSECDOI_PREFIX_HOST, IPSEC_ULPROTO_ANY); 1541 1542 if (nat_oai == NULL || nat_oar == NULL) { 1543 plog(LLV_ERROR, LOCATION, NULL, 1544 "failed to generate NAT-OA payload.\n"); 1545 goto end; 1546 } 1547 1548 plog(LLV_DEBUG, LOCATION, NULL, "NAT-OAi:\n"); 1549 plogdump(LLV_DEBUG, nat_oai->v, nat_oai->l); 1550 plog(LLV_DEBUG, LOCATION, NULL, "NAT-OAr:\n"); 1551 plogdump(LLV_DEBUG, nat_oar->v, nat_oar->l); 1552 } 1553 #endif 1554 1555 /* create SA;NONCE payload, and KE and ID if need */ 1556 tlen = sizeof(*gen) + iph2->sa_ret->l 1557 + sizeof(*gen) + iph2->nonce->l; 1558 if (iph2->dhpub_p != NULL && pfsgroup != 0) 1559 tlen += (sizeof(*gen) + iph2->dhpub->l); 1560 if (iph2->id_p != NULL) 1561 tlen += (sizeof(*gen) + iph2->id_p->l 1562 + sizeof(*gen) + iph2->id->l); 1563 #ifdef ENABLE_NATT 1564 if (natoa != ISAKMP_NPTYPE_NONE) 1565 tlen += 2 * sizeof(*gen) + nat_oai->l + nat_oar->l; 1566 #endif 1567 1568 body = vmalloc(tlen); 1569 if (body == NULL) { 1570 plog(LLV_ERROR, LOCATION, NULL, 1571 "failed to get buffer to send.\n"); 1572 goto end; 1573 } 1574 p = body->v; 1575 1576 /* make SA payload */ 1577 p = set_isakmp_payload(body->v, iph2->sa_ret, ISAKMP_NPTYPE_NONCE); 1578 1579 /* add NONCE payload */ 1580 np_p = &((struct isakmp_gen *)p)->np; /* XXX */ 1581 p = set_isakmp_payload(p, iph2->nonce, 1582 (iph2->dhpub_p != NULL && pfsgroup != 0) 1583 ? ISAKMP_NPTYPE_KE 1584 : (iph2->id_p != NULL 1585 ? ISAKMP_NPTYPE_ID 1586 : natoa)); 1587 1588 /* add KE payload if need. */ 1589 if (iph2->dhpub_p != NULL && pfsgroup != 0) { 1590 np_p = &((struct isakmp_gen *)p)->np; /* XXX */ 1591 p = set_isakmp_payload(p, iph2->dhpub, 1592 (iph2->id_p == NULL) 1593 ? natoa 1594 : ISAKMP_NPTYPE_ID); 1595 } 1596 1597 /* add ID payloads received. */ 1598 if (iph2->id_p != NULL) { 1599 /* IDci */ 1600 p = set_isakmp_payload(p, iph2->id_p, ISAKMP_NPTYPE_ID); 1601 /* IDcr */ 1602 np_p = &((struct isakmp_gen *)p)->np; /* XXX */ 1603 p = set_isakmp_payload(p, iph2->id, natoa); 1604 } 1605 1606 #ifdef ENABLE_NATT 1607 /* NAT-OA */ 1608 if (natoa != ISAKMP_NPTYPE_NONE) { 1609 p = set_isakmp_payload(p, nat_oai, natoa); 1610 p = set_isakmp_payload(p, nat_oar, ISAKMP_NPTYPE_NONE); 1611 } 1612 #endif 1613 1614 /* add a RESPONDER-LIFETIME notify payload if needed */ 1615 { 1616 vchar_t *data = NULL; 1617 struct saprop *pp = iph2->approval; 1618 struct saproto *pr; 1619 1620 if (pp->claim & IPSECDOI_ATTR_SA_LD_TYPE_SEC) { 1621 u_int32_t v = htonl((u_int32_t)pp->lifetime); 1622 data = isakmp_add_attr_l(data, IPSECDOI_ATTR_SA_LD_TYPE, 1623 IPSECDOI_ATTR_SA_LD_TYPE_SEC); 1624 if (!data) 1625 goto end; 1626 data = isakmp_add_attr_v(data, IPSECDOI_ATTR_SA_LD, 1627 (caddr_t)&v, sizeof(v)); 1628 if (!data) 1629 goto end; 1630 } 1631 if (pp->claim & IPSECDOI_ATTR_SA_LD_TYPE_KB) { 1632 u_int32_t v = htonl((u_int32_t)pp->lifebyte); 1633 data = isakmp_add_attr_l(data, IPSECDOI_ATTR_SA_LD_TYPE, 1634 IPSECDOI_ATTR_SA_LD_TYPE_KB); 1635 if (!data) 1636 goto end; 1637 data = isakmp_add_attr_v(data, IPSECDOI_ATTR_SA_LD, 1638 (caddr_t)&v, sizeof(v)); 1639 if (!data) 1640 goto end; 1641 } 1642 1643 /* 1644 * XXX Is there only single RESPONDER-LIFETIME payload in a IKE message 1645 * in the case of SA bundle ? 1646 */ 1647 if (data) { 1648 for (pr = pp->head; pr; pr = pr->next) { 1649 body = isakmp_add_pl_n(body, &np_p, 1650 ISAKMP_NTYPE_RESPONDER_LIFETIME, pr, data); 1651 if (!body) { 1652 vfree(data); 1653 return error; /* XXX */ 1654 } 1655 } 1656 vfree(data); 1657 } 1658 } 1659 1660 /* generate HASH(2) */ 1661 { 1662 vchar_t *tmp; 1663 1664 tmp = vmalloc(iph2->nonce_p->l + body->l); 1665 if (tmp == NULL) { 1666 plog(LLV_ERROR, LOCATION, NULL, 1667 "failed to get hash buffer.\n"); 1668 goto end; 1669 } 1670 memcpy(tmp->v, iph2->nonce_p->v, iph2->nonce_p->l); 1671 memcpy(tmp->v + iph2->nonce_p->l, body->v, body->l); 1672 1673 hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, tmp); 1674 vfree(tmp); 1675 1676 if (hash == NULL) 1677 goto end; 1678 } 1679 1680 /* send isakmp payload */ 1681 iph2->sendbuf = quick_ir1mx(iph2, body, hash); 1682 if (iph2->sendbuf == NULL) 1683 goto end; 1684 1685 /* send the packet, add to the schedule to resend */ 1686 if (isakmp_ph2send(iph2) == -1) 1687 goto end; 1688 1689 /* the sending message is added to the received-list. */ 1690 if (add_recvdpkt(iph2->ph1->remote, iph2->ph1->local, iph2->sendbuf, iph2->msg1) == -1) { 1691 plog(LLV_ERROR , LOCATION, NULL, 1692 "failed to add a response packet to the tree.\n"); 1693 goto end; 1694 } 1695 1696 /* change status of isakmp status entry */ 1697 iph2->status = PHASE2ST_MSG1SENT; 1698 1699 error = 0; 1700 1701 end: 1702 if (body != NULL) 1703 vfree(body); 1704 if (hash != NULL) 1705 vfree(hash); 1706 #ifdef ENABLE_NATT 1707 if (nat_oai != NULL) 1708 vfree(nat_oai); 1709 if (nat_oar != NULL) 1710 vfree(nat_oar); 1711 #endif 1712 1713 return error; 1714 } 1715 1716 /* 1717 * receive from initiator 1718 * HDR*, HASH(3) 1719 1720 */ 1721 int 1722 quick_r3recv(iph2, msg0) 1723 struct ph2handle *iph2; 1724 vchar_t *msg0; 1725 { 1726 vchar_t *msg = NULL; 1727 vchar_t *pbuf = NULL; /* for payload parsing */ 1728 struct isakmp_parse_t *pa; 1729 struct isakmp_pl_hash *hash = NULL; 1730 int error = ISAKMP_INTERNAL_ERROR; 1731 1732 /* validity check */ 1733 if (iph2->status != PHASE2ST_MSG1SENT) { 1734 plog(LLV_ERROR, LOCATION, NULL, 1735 "status mismatched %d.\n", iph2->status); 1736 goto end; 1737 } 1738 1739 /* decrypt packet */ 1740 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) { 1741 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 1742 "Packet wasn't encrypted.\n"); 1743 goto end; 1744 } 1745 msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive); 1746 if (msg == NULL) 1747 goto end; 1748 1749 /* validate the type of next payload */ 1750 pbuf = isakmp_parse(msg); 1751 if (pbuf == NULL) 1752 goto end; 1753 1754 for (pa = (struct isakmp_parse_t *)pbuf->v; 1755 pa->type != ISAKMP_NPTYPE_NONE; 1756 pa++) { 1757 1758 switch (pa->type) { 1759 case ISAKMP_NPTYPE_HASH: 1760 hash = (struct isakmp_pl_hash *)pa->ptr; 1761 break; 1762 case ISAKMP_NPTYPE_N: 1763 ph2_recv_n(iph2, pa->ptr); 1764 break; 1765 default: 1766 /* don't send information, see ident_r1recv() */ 1767 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 1768 "ignore the packet, " 1769 "received unexpecting payload type %d.\n", 1770 pa->type); 1771 goto end; 1772 } 1773 } 1774 1775 /* payload existency check */ 1776 if (hash == NULL) { 1777 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 1778 "few isakmp message received.\n"); 1779 goto end; 1780 } 1781 1782 /* validate HASH(3) */ 1783 /* HASH(3) = prf(SKEYID_a, 0 | M-ID | Ni_b | Nr_b) */ 1784 { 1785 char *r_hash; 1786 vchar_t *my_hash = NULL; 1787 vchar_t *tmp = NULL; 1788 int result; 1789 1790 r_hash = (char *)hash + sizeof(*hash); 1791 1792 plog(LLV_DEBUG, LOCATION, NULL, "HASH(3) validate:"); 1793 plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash)); 1794 1795 tmp = vmalloc(iph2->nonce_p->l + iph2->nonce->l); 1796 if (tmp == NULL) { 1797 plog(LLV_ERROR, LOCATION, NULL, 1798 "failed to get hash buffer.\n"); 1799 goto end; 1800 } 1801 memcpy(tmp->v, iph2->nonce_p->v, iph2->nonce_p->l); 1802 memcpy(tmp->v + iph2->nonce_p->l, iph2->nonce->v, iph2->nonce->l); 1803 1804 my_hash = oakley_compute_hash3(iph2->ph1, iph2->msgid, tmp); 1805 vfree(tmp); 1806 if (my_hash == NULL) 1807 goto end; 1808 1809 result = memcmp(my_hash->v, r_hash, my_hash->l); 1810 vfree(my_hash); 1811 1812 if (result) { 1813 plog(LLV_ERROR, LOCATION, iph2->ph1->remote, 1814 "HASH(3) mismatch.\n"); 1815 error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION; 1816 goto end; 1817 } 1818 } 1819 1820 /* if there is commit bit, don't set up SA now. */ 1821 if (ISSET(iph2->flags, ISAKMP_FLAG_C)) { 1822 iph2->status = PHASE2ST_COMMIT; 1823 } else 1824 iph2->status = PHASE2ST_STATUS6; 1825 1826 error = 0; 1827 1828 end: 1829 if (pbuf != NULL) 1830 vfree(pbuf); 1831 if (msg != NULL) 1832 vfree(msg); 1833 1834 return error; 1835 } 1836 1837 /* 1838 * send to initiator 1839 * HDR#*, HASH(4), notify 1840 */ 1841 int 1842 quick_r3send(iph2, msg0) 1843 struct ph2handle *iph2; 1844 vchar_t *msg0; 1845 { 1846 vchar_t *buf = NULL; 1847 vchar_t *myhash = NULL; 1848 struct isakmp_pl_n *n; 1849 vchar_t *notify = NULL; 1850 char *p; 1851 int tlen; 1852 int error = ISAKMP_INTERNAL_ERROR; 1853 1854 /* validity check */ 1855 if (iph2->status != PHASE2ST_COMMIT) { 1856 plog(LLV_ERROR, LOCATION, NULL, 1857 "status mismatched %d.\n", iph2->status); 1858 goto end; 1859 } 1860 1861 /* generate HASH(4) */ 1862 /* XXX What can I do in the case of multiple different SA */ 1863 plog(LLV_DEBUG, LOCATION, NULL, "HASH(4) generate\n"); 1864 1865 /* XXX What should I do if there are multiple SAs ? */ 1866 tlen = sizeof(struct isakmp_pl_n) + iph2->approval->head->spisize; 1867 notify = vmalloc(tlen); 1868 if (notify == NULL) { 1869 plog(LLV_ERROR, LOCATION, NULL, 1870 "failed to get notify buffer.\n"); 1871 goto end; 1872 } 1873 n = (struct isakmp_pl_n *)notify->v; 1874 n->h.np = ISAKMP_NPTYPE_NONE; 1875 n->h.len = htons(tlen); 1876 n->doi = htonl(IPSEC_DOI); 1877 n->proto_id = iph2->approval->head->proto_id; 1878 n->spi_size = sizeof(iph2->approval->head->spisize); 1879 n->type = htons(ISAKMP_NTYPE_CONNECTED); 1880 memcpy(n + 1, &iph2->approval->head->spi, iph2->approval->head->spisize); 1881 1882 myhash = oakley_compute_hash1(iph2->ph1, iph2->msgid, notify); 1883 if (myhash == NULL) 1884 goto end; 1885 1886 /* create buffer for isakmp payload */ 1887 tlen = sizeof(struct isakmp) 1888 + sizeof(struct isakmp_gen) + myhash->l 1889 + notify->l; 1890 buf = vmalloc(tlen); 1891 if (buf == NULL) { 1892 plog(LLV_ERROR, LOCATION, NULL, 1893 "failed to get buffer to send.\n"); 1894 goto end; 1895 } 1896 1897 /* create isakmp header */ 1898 p = set_isakmp_header2(buf, iph2, ISAKMP_NPTYPE_HASH); 1899 if (p == NULL) 1900 goto end; 1901 1902 /* add HASH(4) payload */ 1903 p = set_isakmp_payload(p, myhash, ISAKMP_NPTYPE_N); 1904 1905 /* add notify payload */ 1906 memcpy(p, notify->v, notify->l); 1907 1908 #ifdef HAVE_PRINT_ISAKMP_C 1909 isakmp_printpacket(buf, iph2->ph1->local, iph2->ph1->remote, 1); 1910 #endif 1911 1912 /* encoding */ 1913 iph2->sendbuf = oakley_do_encrypt(iph2->ph1, buf, iph2->ivm->ive, iph2->ivm->iv); 1914 if (iph2->sendbuf == NULL) 1915 goto end; 1916 1917 /* send the packet */ 1918 if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0) 1919 goto end; 1920 1921 /* the sending message is added to the received-list. */ 1922 if (add_recvdpkt(iph2->ph1->remote, iph2->ph1->local, iph2->sendbuf, msg0) == -1) { 1923 plog(LLV_ERROR , LOCATION, NULL, 1924 "failed to add a response packet to the tree.\n"); 1925 goto end; 1926 } 1927 1928 iph2->status = PHASE2ST_COMMIT; 1929 1930 error = 0; 1931 1932 end: 1933 if (buf != NULL) 1934 vfree(buf); 1935 if (myhash != NULL) 1936 vfree(myhash); 1937 if (notify != NULL) 1938 vfree(notify); 1939 1940 return error; 1941 } 1942 1943 int 1944 tunnel_mode_prop(p) 1945 struct saprop *p; 1946 { 1947 struct saproto *pr; 1948 1949 for (pr = p->head; pr; pr = pr->next) 1950 if (pr->encmode == IPSECDOI_ATTR_ENC_MODE_TUNNEL) 1951 return 1; 1952 return 0; 1953 } 1954 1955 /* 1956 * set SA to kernel. 1957 */ 1958 int 1959 quick_r3prep(iph2, msg0) 1960 struct ph2handle *iph2; 1961 vchar_t *msg0; 1962 { 1963 int error = ISAKMP_INTERNAL_ERROR; 1964 1965 /* validity check */ 1966 if (iph2->status != PHASE2ST_STATUS6) { 1967 plog(LLV_ERROR, LOCATION, NULL, 1968 "status mismatched %d.\n", iph2->status); 1969 goto end; 1970 } 1971 1972 /* compute both of KEYMATs */ 1973 if (oakley_compute_keymat(iph2, RESPONDER) < 0) 1974 goto end; 1975 1976 iph2->status = PHASE2ST_ADDSA; 1977 iph2->flags ^= ISAKMP_FLAG_C; /* reset bit */ 1978 1979 /* don't anything if local test mode. */ 1980 if (f_local) { 1981 error = 0; 1982 goto end; 1983 } 1984 1985 /* Do UPDATE as responder */ 1986 plog(LLV_DEBUG, LOCATION, NULL, "call pk_sendupdate\n"); 1987 if (pk_sendupdate(iph2) < 0) { 1988 plog(LLV_ERROR, LOCATION, NULL, "pfkey update failed.\n"); 1989 goto end; 1990 } 1991 plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n"); 1992 1993 /* Do ADD for responder */ 1994 if (pk_sendadd(iph2) < 0) { 1995 plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n"); 1996 goto end; 1997 } 1998 plog(LLV_DEBUG, LOCATION, NULL, "pfkey add sent.\n"); 1999 2000 /* 2001 * set policies into SPD if the policy is generated 2002 * from peer's policy. 2003 */ 2004 if (iph2->spidx_gen) { 2005 2006 struct policyindex *spidx; 2007 struct sockaddr_storage addr; 2008 u_int8_t pref; 2009 struct sockaddr *src = iph2->src; 2010 struct sockaddr *dst = iph2->dst; 2011 2012 /* make inbound policy */ 2013 iph2->src = dst; 2014 iph2->dst = src; 2015 if (pk_sendspdupdate2(iph2) < 0) { 2016 plog(LLV_ERROR, LOCATION, NULL, 2017 "pfkey spdupdate2(inbound) failed.\n"); 2018 goto end; 2019 } 2020 plog(LLV_DEBUG, LOCATION, NULL, 2021 "pfkey spdupdate2(inbound) sent.\n"); 2022 2023 spidx = (struct policyindex *)iph2->spidx_gen; 2024 #ifdef HAVE_POLICY_FWD 2025 /* make forward policy if required */ 2026 if (tunnel_mode_prop(iph2->approval)) { 2027 spidx->dir = IPSEC_DIR_FWD; 2028 if (pk_sendspdupdate2(iph2) < 0) { 2029 plog(LLV_ERROR, LOCATION, NULL, 2030 "pfkey spdupdate2(forward) failed.\n"); 2031 goto end; 2032 } 2033 plog(LLV_DEBUG, LOCATION, NULL, 2034 "pfkey spdupdate2(forward) sent.\n"); 2035 } 2036 #endif 2037 2038 /* make outbound policy */ 2039 iph2->src = src; 2040 iph2->dst = dst; 2041 spidx->dir = IPSEC_DIR_OUTBOUND; 2042 addr = spidx->src; 2043 spidx->src = spidx->dst; 2044 spidx->dst = addr; 2045 pref = spidx->prefs; 2046 spidx->prefs = spidx->prefd; 2047 spidx->prefd = pref; 2048 2049 if (pk_sendspdupdate2(iph2) < 0) { 2050 plog(LLV_ERROR, LOCATION, NULL, 2051 "pfkey spdupdate2(outbound) failed.\n"); 2052 goto end; 2053 } 2054 plog(LLV_DEBUG, LOCATION, NULL, 2055 "pfkey spdupdate2(outbound) sent.\n"); 2056 2057 /* spidx_gen is unnecessary any more */ 2058 delsp_bothdir((struct policyindex *)iph2->spidx_gen); 2059 racoon_free(iph2->spidx_gen); 2060 iph2->spidx_gen = NULL; 2061 iph2->generated_spidx=1; 2062 } 2063 2064 error = 0; 2065 2066 end: 2067 return error; 2068 } 2069 2070 /* 2071 * create HASH, body (SA, NONCE) payload with isakmp header. 2072 */ 2073 static vchar_t * 2074 quick_ir1mx(iph2, body, hash) 2075 struct ph2handle *iph2; 2076 vchar_t *body, *hash; 2077 { 2078 struct isakmp *isakmp; 2079 vchar_t *buf = NULL, *new = NULL; 2080 char *p; 2081 int tlen; 2082 struct isakmp_gen *gen; 2083 int error = ISAKMP_INTERNAL_ERROR; 2084 2085 /* create buffer for isakmp payload */ 2086 tlen = sizeof(*isakmp) 2087 + sizeof(*gen) + hash->l 2088 + body->l; 2089 buf = vmalloc(tlen); 2090 if (buf == NULL) { 2091 plog(LLV_ERROR, LOCATION, NULL, 2092 "failed to get buffer to send.\n"); 2093 goto end; 2094 } 2095 2096 /* re-set encryption flag, for serurity. */ 2097 iph2->flags |= ISAKMP_FLAG_E; 2098 2099 /* set isakmp header */ 2100 p = set_isakmp_header2(buf, iph2, ISAKMP_NPTYPE_HASH); 2101 if (p == NULL) 2102 goto end; 2103 2104 /* add HASH payload */ 2105 /* XXX is next type always SA ? */ 2106 p = set_isakmp_payload(p, hash, ISAKMP_NPTYPE_SA); 2107 2108 /* add body payload */ 2109 memcpy(p, body->v, body->l); 2110 2111 #ifdef HAVE_PRINT_ISAKMP_C 2112 isakmp_printpacket(buf, iph2->ph1->local, iph2->ph1->remote, 1); 2113 #endif 2114 2115 /* encoding */ 2116 new = oakley_do_encrypt(iph2->ph1, buf, iph2->ivm->ive, iph2->ivm->iv); 2117 2118 if (new == NULL) 2119 goto end; 2120 2121 vfree(buf); 2122 2123 buf = new; 2124 2125 error = 0; 2126 2127 end: 2128 if (error && buf != NULL) { 2129 vfree(buf); 2130 buf = NULL; 2131 } 2132 2133 return buf; 2134 } 2135 2136 /* 2137 * get remote's sainfo. 2138 * NOTE: this function is for responder. 2139 */ 2140 static int 2141 get_sainfo_r(iph2) 2142 struct ph2handle *iph2; 2143 { 2144 vchar_t *idsrc = NULL, *iddst = NULL, *client = NULL; 2145 int error = ISAKMP_INTERNAL_ERROR; 2146 2147 if (iph2->id == NULL) { 2148 idsrc = ipsecdoi_sockaddr2id(iph2->src, IPSECDOI_PREFIX_HOST, 2149 IPSEC_ULPROTO_ANY); 2150 } else { 2151 idsrc = vdup(iph2->id); 2152 } 2153 if (idsrc == NULL) { 2154 plog(LLV_ERROR, LOCATION, NULL, 2155 "failed to set ID for source.\n"); 2156 goto end; 2157 } 2158 2159 if (iph2->id_p == NULL) { 2160 iddst = ipsecdoi_sockaddr2id(iph2->dst, IPSECDOI_PREFIX_HOST, 2161 IPSEC_ULPROTO_ANY); 2162 } else { 2163 iddst = vdup(iph2->id_p); 2164 } 2165 if (iddst == NULL) { 2166 plog(LLV_ERROR, LOCATION, NULL, 2167 "failed to set ID for destination.\n"); 2168 goto end; 2169 } 2170 2171 #ifdef ENABLE_HYBRID 2172 2173 /* clientaddr check : obtain modecfg address */ 2174 if (iph2->ph1->mode_cfg != NULL) { 2175 if ((iph2->ph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_EXTERN) || 2176 (iph2->ph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_LOCAL)){ 2177 struct sockaddr saddr; 2178 saddr.sa_family = AF_INET; 2179 #ifndef __linux__ 2180 saddr.sa_len = sizeof(struct sockaddr_in); 2181 #endif 2182 ((struct sockaddr_in *)&saddr)->sin_port = IPSEC_PORT_ANY; 2183 memcpy(&((struct sockaddr_in *)&saddr)->sin_addr, 2184 &iph2->ph1->mode_cfg->addr4, sizeof(struct in_addr)); 2185 client = ipsecdoi_sockaddr2id(&saddr, 32, IPSEC_ULPROTO_ANY); 2186 } 2187 } 2188 2189 /* clientaddr check, fallback to peer address */ 2190 if (client == NULL) 2191 { 2192 client = ipsecdoi_sockaddr2id(iph2->dst, IPSECDOI_PREFIX_HOST, 2193 IPSEC_ULPROTO_ANY); 2194 } 2195 #endif 2196 2197 /* obtain a matching sainfo section */ 2198 iph2->sainfo = getsainfo(idsrc, iddst, iph2->ph1->id_p, client, iph2->ph1->rmconf->ph1id); 2199 if (iph2->sainfo == NULL) { 2200 plog(LLV_ERROR, LOCATION, NULL, 2201 "failed to get sainfo.\n"); 2202 goto end; 2203 } 2204 2205 #ifdef ENABLE_HYBRID 2206 /* xauth group inclusion check */ 2207 if (iph2->sainfo->group != NULL) 2208 if(group_check(iph2->ph1,&iph2->sainfo->group->v,1)) 2209 goto end; 2210 #endif 2211 2212 plog(LLV_DEBUG, LOCATION, NULL, 2213 "selected sainfo: %s\n", sainfo2str(iph2->sainfo)); 2214 2215 error = 0; 2216 end: 2217 if (idsrc) 2218 vfree(idsrc); 2219 if (iddst) 2220 vfree(iddst); 2221 if (client) 2222 vfree(client); 2223 2224 return error; 2225 } 2226 2227 /* 2228 * Copy both IP addresses in ID payloads into [src,dst]_id if both ID types 2229 * are IP address and same address family. 2230 * Then get remote's policy from SPD copied from kernel. 2231 * If the type of ID payload is address or subnet type, then the index is 2232 * made from the payload. If there is no ID payload, or the type of ID 2233 * payload is NOT address type, then the index is made from the address 2234 * pair of phase 1. 2235 * NOTE: This function is only for responder. 2236 */ 2237 static int 2238 get_proposal_r(iph2) 2239 struct ph2handle *iph2; 2240 { 2241 struct policyindex spidx; 2242 struct secpolicy *sp_in, *sp_out; 2243 int idi2type = 0; /* switch whether copy IDs into id[src,dst]. */ 2244 int error = ISAKMP_INTERNAL_ERROR; 2245 2246 /* check the existence of ID payload */ 2247 if ((iph2->id_p != NULL && iph2->id == NULL) 2248 || (iph2->id_p == NULL && iph2->id != NULL)) { 2249 plog(LLV_ERROR, LOCATION, NULL, 2250 "Both IDs wasn't found in payload.\n"); 2251 return ISAKMP_NTYPE_INVALID_ID_INFORMATION; 2252 } 2253 2254 /* make sure if sa_[src, dst] are null. */ 2255 if (iph2->sa_src || iph2->sa_dst) { 2256 plog(LLV_ERROR, LOCATION, NULL, 2257 "Why do ID[src,dst] exist already.\n"); 2258 return ISAKMP_INTERNAL_ERROR; 2259 } 2260 2261 memset(&spidx, 0, sizeof(spidx)); 2262 2263 #define _XIDT(d) ((struct ipsecdoi_id_b *)(d)->v)->type 2264 2265 /* make a spidx; a key to search SPD */ 2266 spidx.dir = IPSEC_DIR_INBOUND; 2267 spidx.ul_proto = 0; 2268 2269 /* 2270 * make destination address in spidx from either ID payload 2271 * or phase 1 address into a address in spidx. 2272 */ 2273 if (iph2->id != NULL 2274 && (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR 2275 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR 2276 || _XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR_SUBNET 2277 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) { 2278 /* get a destination address of a policy */ 2279 error = ipsecdoi_id2sockaddr(iph2->id, 2280 (struct sockaddr *)&spidx.dst, 2281 &spidx.prefd, &spidx.ul_proto); 2282 if (error) 2283 return error; 2284 2285 #ifdef INET6 2286 /* 2287 * get scopeid from the SA address. 2288 * note that the phase 1 source address is used as 2289 * a destination address to search for a inbound policy entry 2290 * because rcoon is responder. 2291 */ 2292 if (_XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) { 2293 error = setscopeid((struct sockaddr *)&spidx.dst, 2294 iph2->src); 2295 if (error) 2296 return error; 2297 } 2298 #endif 2299 2300 if (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR 2301 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) 2302 idi2type = _XIDT(iph2->id); 2303 2304 } else { 2305 2306 plog(LLV_DEBUG, LOCATION, NULL, 2307 "get a destination address of SP index " 2308 "from phase1 address " 2309 "due to no ID payloads found " 2310 "OR because ID type is not address.\n"); 2311 2312 /* 2313 * copy the SOURCE address of IKE into the DESTINATION address 2314 * of the key to search the SPD because the direction of policy 2315 * is inbound. 2316 */ 2317 memcpy(&spidx.dst, iph2->src, sysdep_sa_len(iph2->src)); 2318 switch (spidx.dst.ss_family) { 2319 case AF_INET: 2320 spidx.prefd = sizeof(struct in_addr) << 3; 2321 break; 2322 #ifdef INET6 2323 case AF_INET6: 2324 spidx.prefd = sizeof(struct in6_addr) << 3; 2325 break; 2326 #endif 2327 default: 2328 spidx.prefd = 0; 2329 break; 2330 } 2331 } 2332 2333 /* make source address in spidx */ 2334 if (iph2->id_p != NULL 2335 && (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR 2336 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR 2337 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR_SUBNET 2338 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) { 2339 /* get a source address of inbound SA */ 2340 error = ipsecdoi_id2sockaddr(iph2->id_p, 2341 (struct sockaddr *)&spidx.src, 2342 &spidx.prefs, &spidx.ul_proto); 2343 if (error) 2344 return error; 2345 2346 #ifdef INET6 2347 /* 2348 * get scopeid from the SA address. 2349 * for more detail, see above of this function. 2350 */ 2351 if (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR) { 2352 error = setscopeid((struct sockaddr *)&spidx.src, 2353 iph2->dst); 2354 if (error) 2355 return error; 2356 } 2357 #endif 2358 2359 /* Before setting iph2->[sa_src, sa_dst] with the addresses 2360 * provided in ID payloads, we check: 2361 * - they are both addresses of same family 2362 * - sainfo has not been selected only based on ID payload 2363 * information but also based on specific Phase 1 2364 * credentials (iph2->sainfo->id_i is defined), i.e. 2365 * local configuration _explicitly_ expect that user 2366 * (e.g. from asn1dn "C=FR, ...") with those IDs) */ 2367 if (_XIDT(iph2->id_p) == idi2type && 2368 spidx.dst.ss_family == spidx.src.ss_family && 2369 iph2->sainfo && iph2->sainfo->id_i) { 2370 2371 iph2->sa_src = dupsaddr((struct sockaddr *)&spidx.dst); 2372 if (iph2->sa_src == NULL) { 2373 plog(LLV_ERROR, LOCATION, NULL, 2374 "buffer allocation failed.\n"); 2375 return ISAKMP_INTERNAL_ERROR; 2376 } 2377 2378 iph2->sa_dst = dupsaddr((struct sockaddr *)&spidx.src); 2379 if (iph2->sa_dst == NULL) { 2380 plog(LLV_ERROR, LOCATION, NULL, 2381 "buffer allocation failed.\n"); 2382 return ISAKMP_INTERNAL_ERROR; 2383 } 2384 } else { 2385 plog(LLV_DEBUG, LOCATION, NULL, 2386 "Either family (%d - %d), types (%d - %d) of ID " 2387 "from initiator differ or matching sainfo " 2388 "has no id_i defined for the peer. Not filling " 2389 "iph2->sa_src and iph2->sa_dst.\n", 2390 spidx.src.ss_family, spidx.dst.ss_family, 2391 _XIDT(iph2->id_p),idi2type); 2392 } 2393 } else { 2394 plog(LLV_DEBUG, LOCATION, NULL, 2395 "get a source address of SP index from Phase 1" 2396 "addresses due to no ID payloads found" 2397 "OR because ID type is not address.\n"); 2398 2399 /* see above comment. */ 2400 memcpy(&spidx.src, iph2->dst, sysdep_sa_len(iph2->dst)); 2401 switch (spidx.src.ss_family) { 2402 case AF_INET: 2403 spidx.prefs = sizeof(struct in_addr) << 3; 2404 break; 2405 #ifdef INET6 2406 case AF_INET6: 2407 spidx.prefs = sizeof(struct in6_addr) << 3; 2408 break; 2409 #endif 2410 default: 2411 spidx.prefs = 0; 2412 break; 2413 } 2414 } 2415 2416 #undef _XIDT 2417 2418 plog(LLV_DEBUG, LOCATION, NULL, 2419 "get src address from ID payload " 2420 "%s prefixlen=%u ul_proto=%u\n", 2421 saddr2str((struct sockaddr *)&spidx.src), 2422 spidx.prefs, spidx.ul_proto); 2423 plog(LLV_DEBUG, LOCATION, NULL, 2424 "get dst address from ID payload " 2425 "%s prefixlen=%u ul_proto=%u\n", 2426 saddr2str((struct sockaddr *)&spidx.dst), 2427 spidx.prefd, spidx.ul_proto); 2428 2429 /* 2430 * convert the ul_proto if it is 0 2431 * because 0 in ID payload means a wild card. 2432 */ 2433 if (spidx.ul_proto == 0) 2434 spidx.ul_proto = IPSEC_ULPROTO_ANY; 2435 2436 #ifdef HAVE_SECCTX 2437 /* 2438 * Need to use security context in spidx to ensure the correct 2439 * policy is selected. The only way to get the security context 2440 * is to look into the proposal sent by peer ahead of time. 2441 */ 2442 if (get_security_context(iph2->sa, &spidx)) { 2443 plog(LLV_ERROR, LOCATION, NULL, 2444 "error occurred trying to get security context.\n"); 2445 return ISAKMP_INTERNAL_ERROR; 2446 } 2447 #endif /* HAVE_SECCTX */ 2448 2449 /* get inbound policy */ 2450 sp_in = getsp_r(&spidx); 2451 if (sp_in == NULL) { 2452 if (iph2->ph1->rmconf->gen_policy) { 2453 plog(LLV_INFO, LOCATION, NULL, 2454 "no policy found, " 2455 "try to generate the policy : %s\n", 2456 spidx2str(&spidx)); 2457 iph2->spidx_gen = racoon_malloc(sizeof(spidx)); 2458 if (!iph2->spidx_gen) { 2459 plog(LLV_ERROR, LOCATION, NULL, 2460 "buffer allocation failed.\n"); 2461 return ISAKMP_INTERNAL_ERROR; 2462 } 2463 memcpy(iph2->spidx_gen, &spidx, sizeof(spidx)); 2464 return -2; /* special value */ 2465 } 2466 plog(LLV_ERROR, LOCATION, NULL, 2467 "no policy found: %s\n", spidx2str(&spidx)); 2468 return ISAKMP_INTERNAL_ERROR; 2469 } 2470 /* Refresh existing generated policies 2471 */ 2472 if (iph2->ph1->rmconf->gen_policy) { 2473 plog(LLV_INFO, LOCATION, NULL, 2474 "Update the generated policy : %s\n", 2475 spidx2str(&spidx)); 2476 iph2->spidx_gen = racoon_malloc(sizeof(spidx)); 2477 if (!iph2->spidx_gen) { 2478 plog(LLV_ERROR, LOCATION, NULL, 2479 "buffer allocation failed.\n"); 2480 return ISAKMP_INTERNAL_ERROR; 2481 } 2482 memcpy(iph2->spidx_gen, &spidx, sizeof(spidx)); 2483 } 2484 2485 /* get outbound policy */ 2486 { 2487 struct sockaddr_storage addr; 2488 u_int8_t pref; 2489 2490 spidx.dir = IPSEC_DIR_OUTBOUND; 2491 addr = spidx.src; 2492 spidx.src = spidx.dst; 2493 spidx.dst = addr; 2494 pref = spidx.prefs; 2495 spidx.prefs = spidx.prefd; 2496 spidx.prefd = pref; 2497 2498 sp_out = getsp_r(&spidx); 2499 if (!sp_out) { 2500 plog(LLV_WARNING, LOCATION, NULL, 2501 "no outbound policy found: %s\n", 2502 spidx2str(&spidx)); 2503 } 2504 } 2505 2506 plog(LLV_DEBUG, LOCATION, NULL, 2507 "suitable SP found:%s\n", spidx2str(&spidx)); 2508 2509 /* 2510 * In the responder side, the inbound policy should be using IPsec. 2511 * outbound policy is not checked currently. 2512 */ 2513 if (sp_in->policy != IPSEC_POLICY_IPSEC) { 2514 plog(LLV_ERROR, LOCATION, NULL, 2515 "policy found, but no IPsec required: %s\n", 2516 spidx2str(&spidx)); 2517 return ISAKMP_INTERNAL_ERROR; 2518 } 2519 2520 /* set new proposal derived from a policy into the iph2->proposal. */ 2521 if (set_proposal_from_policy(iph2, sp_in, sp_out) < 0) { 2522 plog(LLV_ERROR, LOCATION, NULL, 2523 "failed to create saprop.\n"); 2524 return ISAKMP_INTERNAL_ERROR; 2525 } 2526 2527 #ifdef HAVE_SECCTX 2528 if (spidx.sec_ctx.ctx_str) { 2529 set_secctx_in_proposal(iph2, spidx); 2530 } 2531 #endif /* HAVE_SECCTX */ 2532 2533 iph2->spid = sp_in->id; 2534 2535 return 0; 2536 } 2537 2538 /* 2539 * handle a notification payload inside phase2 exchange. 2540 * phase2 is always encrypted, so it does not need to be checked 2541 * for explicitely. 2542 */ 2543 static int 2544 ph2_recv_n(iph2, gen) 2545 struct ph2handle *iph2; 2546 struct isakmp_gen *gen; 2547 { 2548 struct ph1handle *iph1 = iph2->ph1; 2549 struct isakmp_pl_n *notify = (struct isakmp_pl_n *) gen; 2550 u_int type; 2551 int check_level; 2552 2553 type = ntohs(notify->type); 2554 switch (type) { 2555 case ISAKMP_NTYPE_CONNECTED: 2556 break; 2557 case ISAKMP_NTYPE_INITIAL_CONTACT: 2558 return isakmp_info_recv_initialcontact(iph1, iph2); 2559 case ISAKMP_NTYPE_RESPONDER_LIFETIME: 2560 ipsecdoi_parse_responder_lifetime(notify, 2561 &iph2->lifetime_secs, &iph2->lifetime_kb); 2562 2563 if (iph1 != NULL && iph1->rmconf != NULL) { 2564 check_level = iph1->rmconf->pcheck_level; 2565 } else { 2566 if (iph1 != NULL) 2567 plog(LLV_DEBUG, LOCATION, NULL, 2568 "No phase1 rmconf found !\n"); 2569 else 2570 plog(LLV_DEBUG, LOCATION, NULL, 2571 "No phase1 found !\n"); 2572 check_level = PROP_CHECK_EXACT; 2573 } 2574 2575 switch (check_level) { 2576 case PROP_CHECK_OBEY: 2577 break; 2578 case PROP_CHECK_STRICT: 2579 case PROP_CHECK_CLAIM: 2580 if (iph2->sainfo == NULL 2581 || iph2->sainfo->lifetime <= iph2->lifetime_secs) { 2582 plog(LLV_WARNING, LOCATION, NULL, 2583 "RESPONDER-LIFETIME: lifetime mismatch\n"); 2584 iph2->lifetime_secs = 0; 2585 } 2586 break; 2587 case PROP_CHECK_EXACT: 2588 if (iph2->sainfo == NULL 2589 || iph2->sainfo->lifetime != iph2->lifetime_secs) { 2590 plog(LLV_WARNING, LOCATION, NULL, 2591 "RESPONDER-LIFETIME: lifetime mismatch\n"); 2592 iph2->lifetime_secs = 0; 2593 } 2594 break; 2595 } 2596 break; 2597 default: 2598 isakmp_log_notify(iph2->ph1, notify, "phase2 exchange"); 2599 isakmp_info_send_n2(iph2, ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE, 2600 NULL); 2601 break; 2602 } 2603 return 0; 2604 } 2605 2606