Bug Summary

File:src/sbin/isakmpd/ipsec.c
Warning:line 641, column 19
Result of 'calloc' is converted to a pointer of type 'struct sockaddr', which is incompatible with sizeof operand type 'struct sockaddr_in'

Annotated Source Code

Press '?' to see keyboard shortcuts

clang -cc1 -cc1 -triple amd64-unknown-openbsd7.0 -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name ipsec.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 1 -pic-is-pie -mframe-pointer=all -relaxed-aliasing -fno-rounding-math -mconstructor-aliases -munwind-tables -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/sbin/isakmpd/obj -resource-dir /usr/local/lib/clang/13.0.0 -I /usr/src/sbin/isakmpd -I . -internal-isystem /usr/local/lib/clang/13.0.0/include -internal-externc-isystem /usr/include -O2 -fdebug-compilation-dir=/usr/src/sbin/isakmpd/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /home/ben/Projects/vmm/scan-build/2022-01-12-194120-40624-1 -x c /usr/src/sbin/isakmpd/ipsec.c
1/* $OpenBSD: ipsec.c,v 1.151 2021/10/22 12:30:53 bluhm Exp $ */
2/* $EOM: ipsec.c,v 1.143 2000/12/11 23:57:42 niklas Exp $ */
3
4/*
5 * Copyright (c) 1998, 1999, 2000, 2001 Niklas Hallqvist. All rights reserved.
6 * Copyright (c) 2001 Angelos D. Keromytis. All rights reserved.
7 * Copyright (c) 2001 Håkan Olsson. All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 *
18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
19 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
20 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
21 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
22 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
23 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
24 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
25 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
27 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 */
29
30/*
31 * This code was written under funding by Ericsson Radio Systems.
32 */
33
34#include <sys/types.h>
35#include <sys/socket.h>
36#include <netdb.h>
37#include <netinet/in.h>
38#include <arpa/inet.h>
39#include <stdlib.h>
40#include <string.h>
41
42#include <net/if.h>
43#include <net/pfvar.h>
44
45#include "attribute.h"
46#include "conf.h"
47#include "connection.h"
48#include "constants.h"
49#include "crypto.h"
50#include "dh.h"
51#include "doi.h"
52#include "dpd.h"
53#include "exchange.h"
54#include "hash.h"
55#include "ike_aggressive.h"
56#include "ike_auth.h"
57#include "ike_main_mode.h"
58#include "ike_quick_mode.h"
59#include "ipsec.h"
60#include "ipsec_doi.h"
61#include "isakmp.h"
62#include "isakmp_cfg.h"
63#include "isakmp_fld.h"
64#include "isakmp_num.h"
65#include "log.h"
66#include "message.h"
67#include "nat_traversal.h"
68#include "pf_key_v2.h"
69#include "prf.h"
70#include "sa.h"
71#include "timer.h"
72#include "transport.h"
73#include "util.h"
74#include "x509.h"
75
76extern int acquire_only;
77
78#define MINIMUM(a, b)(((a) < (b)) ? (a) : (b)) (((a) < (b)) ? (a) : (b))
79#define MAXIMUM(a, b)(((a) > (b)) ? (a) : (b)) (((a) > (b)) ? (a) : (b))
80
81/* The replay window size used for all IPsec protocols if not overridden. */
82#define DEFAULT_REPLAY_WINDOW16 16
83
84struct ipsec_decode_arg {
85 struct message *msg;
86 struct sa *sa;
87 struct proto *proto;
88};
89
90/* These variables hold the contacted peers ADT state. */
91struct contact {
92 struct sockaddr *addr;
93 socklen_t len;
94} *contacts = 0;
95int contact_cnt = 0, contact_limit = 0;
96
97static int addr_cmp(const void *, const void *);
98static int ipsec_add_contact(struct message *);
99static int ipsec_contacted(struct message *);
100static int ipsec_debug_attribute(u_int16_t, u_int8_t *, u_int16_t,
101 void *);
102static void ipsec_delete_spi(struct sa *, struct proto *, int);
103static int16_t *ipsec_exchange_script(u_int8_t);
104static void ipsec_finalize_exchange(struct message *);
105static void ipsec_free_exchange_data(void *);
106static void ipsec_free_proto_data(void *);
107static void ipsec_free_sa_data(void *);
108static struct keystate *ipsec_get_keystate(struct message *);
109static u_int8_t *ipsec_get_spi(size_t *, u_int8_t, struct message *);
110static int ipsec_handle_leftover_payload(struct message *, u_int8_t,
111 struct payload *);
112static int ipsec_informational_post_hook(struct message *);
113static int ipsec_informational_pre_hook(struct message *);
114static int ipsec_initiator(struct message *);
115static void ipsec_proto_init(struct proto *, char *);
116static int ipsec_responder(struct message *);
117static void ipsec_setup_situation(u_int8_t *);
118static int ipsec_set_network(u_int8_t *, u_int8_t *, struct sa *);
119static size_t ipsec_situation_size(void);
120static u_int8_t ipsec_spi_size(u_int8_t);
121static int ipsec_validate_attribute(u_int16_t, u_int8_t *, u_int16_t,
122 void *);
123static int ipsec_validate_exchange(u_int8_t);
124static int ipsec_validate_id_information(u_int8_t, u_int8_t *, u_int8_t *,
125 size_t, struct exchange *);
126static int ipsec_validate_key_information(u_int8_t *, size_t);
127static int ipsec_validate_notification(u_int16_t);
128static int ipsec_validate_proto(u_int8_t);
129static int ipsec_validate_situation(u_int8_t *, size_t *, size_t);
130static int ipsec_validate_transform_id(u_int8_t, u_int8_t);
131static int ipsec_sa_check_flow(struct sa *, void *);
132static int ipsec_sa_check_flow_any(struct sa *, void *);
133static int ipsec_sa_tag(struct exchange *, struct sa *, struct sa *);
134
135static struct doi ipsec_doi = {
136 {0}, IPSEC_DOI_IPSEC1,
137 sizeof(struct ipsec_exch), sizeof(struct ipsec_sa),
138 sizeof(struct ipsec_proto),
139 ipsec_debug_attribute,
140 ipsec_delete_spi,
141 ipsec_exchange_script,
142 ipsec_finalize_exchange,
143 ipsec_free_exchange_data,
144 ipsec_free_proto_data,
145 ipsec_free_sa_data,
146 ipsec_get_keystate,
147 ipsec_get_spi,
148 ipsec_handle_leftover_payload,
149 ipsec_informational_post_hook,
150 ipsec_informational_pre_hook,
151 ipsec_is_attribute_incompatible,
152 ipsec_proto_init,
153 ipsec_setup_situation,
154 ipsec_situation_size,
155 ipsec_spi_size,
156 ipsec_validate_attribute,
157 ipsec_validate_exchange,
158 ipsec_validate_id_information,
159 ipsec_validate_key_information,
160 ipsec_validate_notification,
161 ipsec_validate_proto,
162 ipsec_validate_situation,
163 ipsec_validate_transform_id,
164 ipsec_initiator,
165 ipsec_responder,
166 ipsec_decode_ids
167};
168
169int16_t script_quick_mode[] = {
170 ISAKMP_PAYLOAD_HASH8, /* Initiator -> responder. */
171 ISAKMP_PAYLOAD_SA1,
172 ISAKMP_PAYLOAD_NONCE10,
173 EXCHANGE_SCRIPT_SWITCH-3,
174 ISAKMP_PAYLOAD_HASH8, /* Responder -> initiator. */
175 ISAKMP_PAYLOAD_SA1,
176 ISAKMP_PAYLOAD_NONCE10,
177 EXCHANGE_SCRIPT_SWITCH-3,
178 ISAKMP_PAYLOAD_HASH8, /* Initiator -> responder. */
179 EXCHANGE_SCRIPT_END-4
180};
181
182int16_t script_new_group_mode[] = {
183 ISAKMP_PAYLOAD_HASH8, /* Initiator -> responder. */
184 ISAKMP_PAYLOAD_SA1,
185 EXCHANGE_SCRIPT_SWITCH-3,
186 ISAKMP_PAYLOAD_HASH8, /* Responder -> initiator. */
187 ISAKMP_PAYLOAD_SA1,
188 EXCHANGE_SCRIPT_END-4
189};
190
191struct dst_spi_proto_arg {
192 struct sockaddr *dst;
193 u_int32_t spi;
194 u_int8_t proto;
195};
196
197/*
198 * Check if SA matches what we are asking for through V_ARG. It has to
199 * be a finished phase 2 SA.
200 * if "proto" arg is 0, match any proto
201 */
202static int
203ipsec_sa_check(struct sa *sa, void *v_arg)
204{
205 struct dst_spi_proto_arg *arg = v_arg;
206 struct proto *proto;
207 struct sockaddr *dst, *src;
208 int incoming;
209
210 if (sa->phase != 2 || !(sa->flags & SA_FLAG_READY0x01))
211 return 0;
212
213 sa->transport->vtbl->get_dst(sa->transport, &dst);
214 if (memcmp(sockaddr_addrdata(dst), sockaddr_addrdata(arg->dst),
215 sockaddr_addrlen(dst)) == 0)
216 incoming = 0;
217 else {
218 sa->transport->vtbl->get_src(sa->transport, &src);
219 if (memcmp(sockaddr_addrdata(src), sockaddr_addrdata(arg->dst),
220 sockaddr_addrlen(src)) == 0)
221 incoming = 1;
222 else
223 return 0;
224 }
225
226 for (proto = TAILQ_FIRST(&sa->protos)((&sa->protos)->tqh_first); proto;
227 proto = TAILQ_NEXT(proto, link)((proto)->link.tqe_next))
228 if ((arg->proto == 0 || proto->proto == arg->proto) &&
229 memcmp(proto->spi[incoming], &arg->spi, sizeof arg->spi)
230 == 0)
231 return 1;
232 return 0;
233}
234
235/* Find an SA with a "name" of DST, SPI & PROTO. */
236struct sa *
237ipsec_sa_lookup(struct sockaddr *dst, u_int32_t spi, u_int8_t proto)
238{
239 struct dst_spi_proto_arg arg;
240
241 arg.dst = dst;
242 arg.spi = spi;
243 arg.proto = proto;
244 return sa_find(ipsec_sa_check, &arg);
245}
246
247/*
248 * Check if SA matches the flow of another SA in V_ARG. It has to
249 * be a finished non-replaced phase 2 SA.
250 * XXX At some point other selectors will matter here too.
251 */
252static int
253ipsec_sa_check_flow(struct sa *sa, void *v_arg)
254{
255 if ((sa->flags & (SA_FLAG_READY0x01 | SA_FLAG_REPLACED0x08)) != SA_FLAG_READY0x01)
256 return 0;
257
258 return ipsec_sa_check_flow_any(sa, v_arg);
259}
260
261static int
262ipsec_sa_check_flow_any(struct sa *sa, void *v_arg)
263{
264 struct sa *sa2 = v_arg;
265 struct ipsec_sa *isa = sa->data, *isa2 = sa2->data;
266
267 if (sa == sa2 || sa->phase != 2 ||
268 (sa->flags & SA_FLAG_READY0x01) != SA_FLAG_READY0x01)
269 return 0;
270
271 if (isa->tproto != isa2->tproto || isa->sport != isa2->sport ||
272 isa->dport != isa2->dport)
273 return 0;
274
275 /*
276 * If at least one of the IPsec SAs is incomplete, we're done.
277 */
278 if (isa->src_net == NULL((void*)0) || isa2->src_net == NULL((void*)0) ||
279 isa->dst_net == NULL((void*)0) || isa2->dst_net == NULL((void*)0) ||
280 isa->src_mask == NULL((void*)0) || isa2->src_mask == NULL((void*)0) ||
281 isa->dst_mask == NULL((void*)0) || isa2->dst_mask == NULL((void*)0))
282 return 0;
283
284 return isa->src_net->sa_family == isa2->src_net->sa_family &&
285 memcmp(sockaddr_addrdata(isa->src_net),
286 sockaddr_addrdata(isa2->src_net),
287 sockaddr_addrlen(isa->src_net)) == 0 &&
288 memcmp(sockaddr_addrdata(isa->src_mask),
289 sockaddr_addrdata(isa2->src_mask),
290 sockaddr_addrlen(isa->src_mask)) == 0 &&
291 memcmp(sockaddr_addrdata(isa->dst_net),
292 sockaddr_addrdata(isa2->dst_net),
293 sockaddr_addrlen(isa->dst_net)) == 0 &&
294 memcmp(sockaddr_addrdata(isa->dst_mask),
295 sockaddr_addrdata(isa2->dst_mask),
296 sockaddr_addrlen(isa->dst_mask)) == 0;
297}
298
299/*
300 * Construct a PF tag if specified in the configuration.
301 * It is possible to use variables to expand the tag:
302 * $id The string representation of the remote ID
303 * $domain The stripped domain part of the ID (for FQDN and UFQDN)
304 */
305static int
306ipsec_sa_tag(struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa)
307{
308 char *format, *section;
309 char *id_string = NULL((void*)0), *domain = NULL((void*)0);
310 int error = -1;
311 size_t len;
312
313 sa->tag = NULL((void*)0);
314
315 if (exchange->name == NULL((void*)0) ||
316 (section = exchange->name) == NULL((void*)0) ||
317 (format = conf_get_str(section, "PF-Tag")) == NULL((void*)0))
318 return (0); /* ignore if not present */
319
320 len = PF_TAG_NAME_SIZE64;
321 if ((sa->tag = calloc(1, len)) == NULL((void*)0)) {
322 log_error("ipsec_sa_tag: calloc");
323 goto fail;
324 }
325 if (strlcpy(sa->tag, format, len) >= len) {
326 log_print("ipsec_sa_tag: tag too long");
327 goto fail;
328 }
329 if (isakmp_sa->initiator)
330 id_string = ipsec_id_string(isakmp_sa->id_r,
331 isakmp_sa->id_r_len);
332 else
333 id_string = ipsec_id_string(isakmp_sa->id_i,
334 isakmp_sa->id_i_len);
335
336 if (strstr(format, "$id") != NULL((void*)0)) {
337 if (id_string == NULL((void*)0)) {
338 log_print("ipsec_sa_tag: cannot get ID");
339 goto fail;
340 }
341 if (expand_string(sa->tag, len, "$id", id_string) != 0) {
342 log_print("ipsec_sa_tag: failed to expand tag");
343 goto fail;
344 }
345 }
346
347 if (strstr(format, "$domain") != NULL((void*)0)) {
348 if (id_string == NULL((void*)0)) {
349 log_print("ipsec_sa_tag: cannot get ID");
350 goto fail;
351 }
352 if (strncmp(id_string, "fqdn/", strlen("fqdn/")) == 0)
353 domain = strchr(id_string, '.');
354 else if (strncmp(id_string, "ufqdn/", strlen("ufqdn/")) == 0)
355 domain = strchr(id_string, '@');
356 if (domain == NULL((void*)0) || strlen(domain) < 2) {
357 log_print("ipsec_sa_tag: no valid domain in ID %s",
358 id_string);
359 goto fail;
360 }
361 domain++;
362 if (expand_string(sa->tag, len, "$domain", domain) != 0) {
363 log_print("ipsec_sa_tag: failed to expand tag");
364 goto fail;
365 }
366 }
367
368 LOG_DBG((LOG_SA, 10, "ipsec_sa_tag: tag_len %ld tag \"%s\"",log_debug (LOG_SA, 10, "ipsec_sa_tag: tag_len %ld tag \"%s\""
, strlen(sa->tag), sa->tag)
369 strlen(sa->tag), sa->tag))log_debug (LOG_SA, 10, "ipsec_sa_tag: tag_len %ld tag \"%s\""
, strlen(sa->tag), sa->tag)
;
370
371 error = 0;
372 fail:
373 free(id_string);
374 if (error != 0) {
375 free(sa->tag);
376 sa->tag = NULL((void*)0);
377 }
378
379 return (error);
380}
381
382/*
383 * Do IPsec DOI specific finalizations task for the exchange where MSG was
384 * the final message.
385 */
386static void
387ipsec_finalize_exchange(struct message *msg)
388{
389 struct sa *isakmp_sa = msg->isakmp_sa;
390 struct ipsec_sa *isa;
391 struct exchange *exchange = msg->exchange;
392 struct ipsec_exch *ie = exchange->data;
393 struct sa *sa = 0, *old_sa;
394 struct proto *proto, *last_proto = 0;
395 char *addr1, *addr2, *mask1, *mask2;
396
397 switch (exchange->phase) {
398 case 1:
399 switch (exchange->type) {
400 case ISAKMP_EXCH_ID_PROT2:
401 case ISAKMP_EXCH_AGGRESSIVE4:
402 isa = isakmp_sa->data;
403 isa->hash = ie->hash->type;
404 isa->prf_type = ie->prf_type;
405 isa->skeyid_len = ie->skeyid_len;
406 isa->skeyid_d = ie->skeyid_d;
407 isa->skeyid_a = ie->skeyid_a;
408 /* Prevents early free of SKEYID_*. */
409 ie->skeyid_a = ie->skeyid_d = 0;
410
411 /*
412 * If a lifetime was negotiated setup the expiration
413 * timers.
414 */
415 if (isakmp_sa->seconds)
416 sa_setup_expirations(isakmp_sa);
417
418 if (isakmp_sa->flags & SA_FLAG_NAT_T_KEEPALIVE0x200)
419 nat_t_setup_keepalive(isakmp_sa);
420 break;
421 }
422 break;
423
424 case 2:
425 switch (exchange->type) {
426 case IKE_EXCH_QUICK_MODE32:
427 /*
428 * Tell the application(s) about the SPIs and key
429 * material.
430 */
431 for (sa = TAILQ_FIRST(&exchange->sa_list)((&exchange->sa_list)->tqh_first); sa;
432 sa = TAILQ_NEXT(sa, next)((sa)->next.tqe_next)) {
433 isa = sa->data;
434
435 if (exchange->initiator) {
436 /*
437 * Initiator is source, responder is
438 * destination.
439 */
440 if (ipsec_set_network(ie->id_ci,
441 ie->id_cr, sa)) {
442 log_print(
443 "ipsec_finalize_exchange: "
444 "ipsec_set_network "
445 "failed");
446 return;
447 }
448 } else {
449 /*
450 * Responder is source, initiator is
451 * destination.
452 */
453 if (ipsec_set_network(ie->id_cr,
454 ie->id_ci, sa)) {
455 log_print(
456 "ipsec_finalize_exchange: "
457 "ipsec_set_network "
458 "failed");
459 return;
460 }
461 }
462
463 if (ipsec_sa_tag(exchange, sa, isakmp_sa) == -1)
464 return;
465
466 for (proto = TAILQ_FIRST(&sa->protos)((&sa->protos)->tqh_first),
467 last_proto = 0; proto;
468 proto = TAILQ_NEXT(proto, link)((proto)->link.tqe_next)) {
469 if (pf_key_v2_set_spi(sa, proto,
470 0, isakmp_sa) ||
471 (last_proto &&
472 pf_key_v2_group_spis(sa,
473 last_proto, proto, 0)) ||
474 pf_key_v2_set_spi(sa, proto,
475 1, isakmp_sa) ||
476 (last_proto &&
477 pf_key_v2_group_spis(sa,
478 last_proto, proto, 1)))
479 /*
480 * XXX Tear down this
481 * exchange.
482 */
483 return;
484 last_proto = proto;
485 }
486
487 if (sockaddr2text(isa->src_net, &addr1, 0))
488 addr1 = 0;
489 if (sockaddr2text(isa->src_mask, &mask1, 0))
490 mask1 = 0;
491 if (sockaddr2text(isa->dst_net, &addr2, 0))
492 addr2 = 0;
493 if (sockaddr2text(isa->dst_mask, &mask2, 0))
494 mask2 = 0;
495
496 LOG_DBG((LOG_EXCHANGE, 50,log_debug (LOG_EXCHANGE, 50, "ipsec_finalize_exchange: src %s %s "
"dst %s %s tproto %u sport %u dport %u", addr1 ? addr1 : "<??\?>"
, mask1 ? mask1 : "<??\?>", addr2 ? addr2 : "<??\?>"
, mask2 ? mask2 : "<??\?>", isa->tproto, (__uint16_t
)(__builtin_constant_p(isa->sport) ? (__uint16_t)(((__uint16_t
)(isa->sport) & 0xffU) << 8 | ((__uint16_t)(isa->
sport) & 0xff00U) >> 8) : __swap16md(isa->sport)
), (__uint16_t)(__builtin_constant_p(isa->dport) ? (__uint16_t
)(((__uint16_t)(isa->dport) & 0xffU) << 8 | ((__uint16_t
)(isa->dport) & 0xff00U) >> 8) : __swap16md(isa->
dport)))
497 "ipsec_finalize_exchange: src %s %s "log_debug (LOG_EXCHANGE, 50, "ipsec_finalize_exchange: src %s %s "
"dst %s %s tproto %u sport %u dport %u", addr1 ? addr1 : "<??\?>"
, mask1 ? mask1 : "<??\?>", addr2 ? addr2 : "<??\?>"
, mask2 ? mask2 : "<??\?>", isa->tproto, (__uint16_t
)(__builtin_constant_p(isa->sport) ? (__uint16_t)(((__uint16_t
)(isa->sport) & 0xffU) << 8 | ((__uint16_t)(isa->
sport) & 0xff00U) >> 8) : __swap16md(isa->sport)
), (__uint16_t)(__builtin_constant_p(isa->dport) ? (__uint16_t
)(((__uint16_t)(isa->dport) & 0xffU) << 8 | ((__uint16_t
)(isa->dport) & 0xff00U) >> 8) : __swap16md(isa->
dport)))
498 "dst %s %s tproto %u sport %u dport %u",log_debug (LOG_EXCHANGE, 50, "ipsec_finalize_exchange: src %s %s "
"dst %s %s tproto %u sport %u dport %u", addr1 ? addr1 : "<??\?>"
, mask1 ? mask1 : "<??\?>", addr2 ? addr2 : "<??\?>"
, mask2 ? mask2 : "<??\?>", isa->tproto, (__uint16_t
)(__builtin_constant_p(isa->sport) ? (__uint16_t)(((__uint16_t
)(isa->sport) & 0xffU) << 8 | ((__uint16_t)(isa->
sport) & 0xff00U) >> 8) : __swap16md(isa->sport)
), (__uint16_t)(__builtin_constant_p(isa->dport) ? (__uint16_t
)(((__uint16_t)(isa->dport) & 0xffU) << 8 | ((__uint16_t
)(isa->dport) & 0xff00U) >> 8) : __swap16md(isa->
dport)))
499 addr1 ? addr1 : "<??\?>",log_debug (LOG_EXCHANGE, 50, "ipsec_finalize_exchange: src %s %s "
"dst %s %s tproto %u sport %u dport %u", addr1 ? addr1 : "<??\?>"
, mask1 ? mask1 : "<??\?>", addr2 ? addr2 : "<??\?>"
, mask2 ? mask2 : "<??\?>", isa->tproto, (__uint16_t
)(__builtin_constant_p(isa->sport) ? (__uint16_t)(((__uint16_t
)(isa->sport) & 0xffU) << 8 | ((__uint16_t)(isa->
sport) & 0xff00U) >> 8) : __swap16md(isa->sport)
), (__uint16_t)(__builtin_constant_p(isa->dport) ? (__uint16_t
)(((__uint16_t)(isa->dport) & 0xffU) << 8 | ((__uint16_t
)(isa->dport) & 0xff00U) >> 8) : __swap16md(isa->
dport)))
500 mask1 ? mask1 : "<??\?>",log_debug (LOG_EXCHANGE, 50, "ipsec_finalize_exchange: src %s %s "
"dst %s %s tproto %u sport %u dport %u", addr1 ? addr1 : "<??\?>"
, mask1 ? mask1 : "<??\?>", addr2 ? addr2 : "<??\?>"
, mask2 ? mask2 : "<??\?>", isa->tproto, (__uint16_t
)(__builtin_constant_p(isa->sport) ? (__uint16_t)(((__uint16_t
)(isa->sport) & 0xffU) << 8 | ((__uint16_t)(isa->
sport) & 0xff00U) >> 8) : __swap16md(isa->sport)
), (__uint16_t)(__builtin_constant_p(isa->dport) ? (__uint16_t
)(((__uint16_t)(isa->dport) & 0xffU) << 8 | ((__uint16_t
)(isa->dport) & 0xff00U) >> 8) : __swap16md(isa->
dport)))
501 addr2 ? addr2 : "<??\?>",log_debug (LOG_EXCHANGE, 50, "ipsec_finalize_exchange: src %s %s "
"dst %s %s tproto %u sport %u dport %u", addr1 ? addr1 : "<??\?>"
, mask1 ? mask1 : "<??\?>", addr2 ? addr2 : "<??\?>"
, mask2 ? mask2 : "<??\?>", isa->tproto, (__uint16_t
)(__builtin_constant_p(isa->sport) ? (__uint16_t)(((__uint16_t
)(isa->sport) & 0xffU) << 8 | ((__uint16_t)(isa->
sport) & 0xff00U) >> 8) : __swap16md(isa->sport)
), (__uint16_t)(__builtin_constant_p(isa->dport) ? (__uint16_t
)(((__uint16_t)(isa->dport) & 0xffU) << 8 | ((__uint16_t
)(isa->dport) & 0xff00U) >> 8) : __swap16md(isa->
dport)))
502 mask2 ? mask2 : "<??\?>",log_debug (LOG_EXCHANGE, 50, "ipsec_finalize_exchange: src %s %s "
"dst %s %s tproto %u sport %u dport %u", addr1 ? addr1 : "<??\?>"
, mask1 ? mask1 : "<??\?>", addr2 ? addr2 : "<??\?>"
, mask2 ? mask2 : "<??\?>", isa->tproto, (__uint16_t
)(__builtin_constant_p(isa->sport) ? (__uint16_t)(((__uint16_t
)(isa->sport) & 0xffU) << 8 | ((__uint16_t)(isa->
sport) & 0xff00U) >> 8) : __swap16md(isa->sport)
), (__uint16_t)(__builtin_constant_p(isa->dport) ? (__uint16_t
)(((__uint16_t)(isa->dport) & 0xffU) << 8 | ((__uint16_t
)(isa->dport) & 0xff00U) >> 8) : __swap16md(isa->
dport)))
503 isa->tproto, ntohs(isa->sport),log_debug (LOG_EXCHANGE, 50, "ipsec_finalize_exchange: src %s %s "
"dst %s %s tproto %u sport %u dport %u", addr1 ? addr1 : "<??\?>"
, mask1 ? mask1 : "<??\?>", addr2 ? addr2 : "<??\?>"
, mask2 ? mask2 : "<??\?>", isa->tproto, (__uint16_t
)(__builtin_constant_p(isa->sport) ? (__uint16_t)(((__uint16_t
)(isa->sport) & 0xffU) << 8 | ((__uint16_t)(isa->
sport) & 0xff00U) >> 8) : __swap16md(isa->sport)
), (__uint16_t)(__builtin_constant_p(isa->dport) ? (__uint16_t
)(((__uint16_t)(isa->dport) & 0xffU) << 8 | ((__uint16_t
)(isa->dport) & 0xff00U) >> 8) : __swap16md(isa->
dport)))
504 ntohs(isa->dport)))log_debug (LOG_EXCHANGE, 50, "ipsec_finalize_exchange: src %s %s "
"dst %s %s tproto %u sport %u dport %u", addr1 ? addr1 : "<??\?>"
, mask1 ? mask1 : "<??\?>", addr2 ? addr2 : "<??\?>"
, mask2 ? mask2 : "<??\?>", isa->tproto, (__uint16_t
)(__builtin_constant_p(isa->sport) ? (__uint16_t)(((__uint16_t
)(isa->sport) & 0xffU) << 8 | ((__uint16_t)(isa->
sport) & 0xff00U) >> 8) : __swap16md(isa->sport)
), (__uint16_t)(__builtin_constant_p(isa->dport) ? (__uint16_t
)(((__uint16_t)(isa->dport) & 0xffU) << 8 | ((__uint16_t
)(isa->dport) & 0xff00U) >> 8) : __swap16md(isa->
dport)))
;
505
506 free(addr1);
507 free(mask1);
508 free(addr2);
509 free(mask2);
510
511 /*
512 * If this is not an SA acquired by the
513 * kernel, it needs to have a SPD entry
514 * (a.k.a. flow) set up.
515 */
516 if (!(sa->flags & SA_FLAG_ONDEMAND0x04 ||
517 conf_get_str("General", "Acquire-Only") ||
518 acquire_only) &&
519 pf_key_v2_enable_sa(sa, isakmp_sa))
520 /* XXX Tear down this exchange. */
521 return;
522
523 /*
524 * Mark elder SAs with the same flow
525 * information as replaced.
526 */
527 while ((old_sa = sa_find(ipsec_sa_check_flow,
528 sa)) != 0)
529 sa_mark_replaced(old_sa);
530 }
531 break;
532 }
533 }
534}
535
536/* Set the client addresses in ISA from SRC_ID and DST_ID. */
537static int
538ipsec_set_network(u_int8_t *src_id, u_int8_t *dst_id, struct sa *sa)
539{
540 void *src_net, *dst_net;
541 void *src_mask = NULL((void*)0), *dst_mask = NULL((void*)0);
542 struct sockaddr *addr;
543 struct proto *proto;
544 struct ipsec_proto *iproto;
545 struct ipsec_sa *isa = sa->data;
546 int src_af, dst_af;
547 int id;
548 char *name, *nat = NULL((void*)0);
549 u_int8_t *nat_id = NULL((void*)0);
550 size_t nat_sz;
551
552 if ((name = connection_passive_lookup_by_ids(src_id, dst_id)))
553 nat = conf_get_str(name, "NAT-ID");
554
555 if (nat) {
556 if ((nat_id = ipsec_build_id(nat, &nat_sz))) {
557 LOG_DBG((LOG_EXCHANGE, 50, "ipsec_set_network: SRC-NAT:"log_debug (LOG_EXCHANGE, 50, "ipsec_set_network: SRC-NAT:" " src: %s -> %s"
, name, nat)
558 " src: %s -> %s", name, nat))log_debug (LOG_EXCHANGE, 50, "ipsec_set_network: SRC-NAT:" " src: %s -> %s"
, name, nat)
;
559 src_id = nat_id;
560 } else
561 log_print("ipsec_set_network: ipsec_build_id"
562 " failed for NAT-ID: %s", nat);
563 }
564
565 if (((proto = TAILQ_FIRST(&sa->protos)((&sa->protos)->tqh_first)) != NULL((void*)0)) &&
566 ((iproto = proto->data) != NULL((void*)0)) &&
567 (iproto->encap_mode == IPSEC_ENCAP_UDP_ENCAP_TRANSPORT4 ||
568 iproto->encap_mode == IPSEC_ENCAP_UDP_ENCAP_TRANSPORT_DRAFT61444)) {
569 /*
570 * For NAT-T with transport mode, we need to use the ISAKMP's
571 * SA addresses for the flow.
572 */
573 sa->transport->vtbl->get_src(sa->transport, &addr);
574 src_af = addr->sa_family;
575 src_net = sockaddr_addrdata(addr);
576
577 sa->transport->vtbl->get_dst(sa->transport, &addr);
578 dst_af = addr->sa_family;
579 dst_net = sockaddr_addrdata(addr);
580 } else {
581 id = GET_ISAKMP_ID_TYPE(src_id)field_get_num (isakmp_id_fld + 0, src_id);
582 src_net = src_id + ISAKMP_ID_DATA_OFF8;
583 switch (id) {
584 case IPSEC_ID_IPV4_ADDR_SUBNET4:
585 src_mask = (u_int8_t *)src_net + sizeof(struct in_addr);
586 /* FALLTHROUGH */
587 case IPSEC_ID_IPV4_ADDR1:
588 src_af = AF_INET2;
589 break;
590
591 case IPSEC_ID_IPV6_ADDR_SUBNET6:
592 src_mask = (u_int8_t *)src_net +
593 sizeof(struct in6_addr);
594 /* FALLTHROUGH */
595 case IPSEC_ID_IPV6_ADDR5:
596 src_af = AF_INET624;
597 break;
598
599 default:
600 log_print(
601 "ipsec_set_network: ID type %d (%s) not supported",
602 id, constant_name(ipsec_id_cst, id));
603 return -1;
604 }
605
606 id = GET_ISAKMP_ID_TYPE(dst_id)field_get_num (isakmp_id_fld + 0, dst_id);
607 dst_net = dst_id + ISAKMP_ID_DATA_OFF8;
608 switch (id) {
609 case IPSEC_ID_IPV4_ADDR_SUBNET4:
610 dst_mask = (u_int8_t *)dst_net + sizeof(struct in_addr);
611 /* FALLTHROUGH */
612 case IPSEC_ID_IPV4_ADDR1:
613 dst_af = AF_INET2;
614 break;
615
616 case IPSEC_ID_IPV6_ADDR_SUBNET6:
617 dst_mask = (u_int8_t *)dst_net +
618 sizeof(struct in6_addr);
619 /* FALLTHROUGH */
620 case IPSEC_ID_IPV6_ADDR5:
621 dst_af = AF_INET624;
622 break;
623
624 default:
625 log_print(
626 "ipsec_set_network: ID type %d (%s) not supported",
627 id, constant_name(ipsec_id_cst, id));
628 return -1;
629 }
630 }
631
632 /* Set source address/mask. */
633 switch (src_af) {
634 case AF_INET2:
635 isa->src_net = calloc(1, sizeof(struct sockaddr_in));
636 if (!isa->src_net)
637 goto memfail;
638 isa->src_net->sa_family = AF_INET2;
639 isa->src_net->sa_len = sizeof(struct sockaddr_in);
640
641 isa->src_mask = calloc(1, sizeof(struct sockaddr_in));
Result of 'calloc' is converted to a pointer of type 'struct sockaddr', which is incompatible with sizeof operand type 'struct sockaddr_in'
642 if (!isa->src_mask)
643 goto memfail;
644 isa->src_mask->sa_family = AF_INET2;
645 isa->src_mask->sa_len = sizeof(struct sockaddr_in);
646 break;
647
648 case AF_INET624:
649 isa->src_net = calloc(1, sizeof(struct sockaddr_in6));
650 if (!isa->src_net)
651 goto memfail;
652 isa->src_net->sa_family = AF_INET624;
653 isa->src_net->sa_len = sizeof(struct sockaddr_in6);
654
655 isa->src_mask = calloc(1, sizeof(struct sockaddr_in6));
656 if (!isa->src_mask)
657 goto memfail;
658 isa->src_mask->sa_family = AF_INET624;
659 isa->src_mask->sa_len = sizeof(struct sockaddr_in6);
660 break;
661 }
662
663 /* Net */
664 memcpy(sockaddr_addrdata(isa->src_net), src_net,
665 sockaddr_addrlen(isa->src_net));
666
667 /* Mask */
668 if (src_mask == NULL((void*)0))
669 memset(sockaddr_addrdata(isa->src_mask), 0xff,
670 sockaddr_addrlen(isa->src_mask));
671 else
672 memcpy(sockaddr_addrdata(isa->src_mask), src_mask,
673 sockaddr_addrlen(isa->src_mask));
674
675 memcpy(&isa->sport,
676 src_id + ISAKMP_ID_DOI_DATA_OFF5 + IPSEC_ID_PORT_OFF1,
677 IPSEC_ID_PORT_LEN2);
678
679 free(nat_id);
680
681 /* Set destination address. */
682 switch (dst_af) {
683 case AF_INET2:
684 isa->dst_net = calloc(1, sizeof(struct sockaddr_in));
685 if (!isa->dst_net)
686 goto memfail;
687 isa->dst_net->sa_family = AF_INET2;
688 isa->dst_net->sa_len = sizeof(struct sockaddr_in);
689
690 isa->dst_mask = calloc(1, sizeof(struct sockaddr_in));
691 if (!isa->dst_mask)
692 goto memfail;
693 isa->dst_mask->sa_family = AF_INET2;
694 isa->dst_mask->sa_len = sizeof(struct sockaddr_in);
695 break;
696
697 case AF_INET624:
698 isa->dst_net = calloc(1, sizeof(struct sockaddr_in6));
699 if (!isa->dst_net)
700 goto memfail;
701 isa->dst_net->sa_family = AF_INET624;
702 isa->dst_net->sa_len = sizeof(struct sockaddr_in6);
703
704 isa->dst_mask = calloc(1, sizeof(struct sockaddr_in6));
705 if (!isa->dst_mask)
706 goto memfail;
707 isa->dst_mask->sa_family = AF_INET624;
708 isa->dst_mask->sa_len = sizeof(struct sockaddr_in6);
709 break;
710 }
711
712 /* Net */
713 memcpy(sockaddr_addrdata(isa->dst_net), dst_net,
714 sockaddr_addrlen(isa->dst_net));
715
716 /* Mask */
717 if (dst_mask == NULL((void*)0))
718 memset(sockaddr_addrdata(isa->dst_mask), 0xff,
719 sockaddr_addrlen(isa->dst_mask));
720 else
721 memcpy(sockaddr_addrdata(isa->dst_mask), dst_mask,
722 sockaddr_addrlen(isa->dst_mask));
723
724 memcpy(&isa->tproto, dst_id + ISAKMP_ID_DOI_DATA_OFF5 +
725 IPSEC_ID_PROTO_OFF0, IPSEC_ID_PROTO_LEN1);
726 memcpy(&isa->dport,
727 dst_id + ISAKMP_ID_DOI_DATA_OFF5 + IPSEC_ID_PORT_OFF1,
728 IPSEC_ID_PORT_LEN2);
729 return 0;
730
731memfail:
732 log_error("ipsec_set_network: calloc () failed");
733 return -1;
734}
735
736/* Free the DOI-specific exchange data pointed to by VIE. */
737static void
738ipsec_free_exchange_data(void *vie)
739{
740 struct ipsec_exch *ie = vie;
741 struct isakmp_cfg_attr *attr;
742
743 free(ie->sa_i_b);
744 free(ie->id_ci);
745 free(ie->id_cr);
746 free(ie->g_xi);
747 free(ie->g_xr);
748 free(ie->g_xy);
749 free(ie->skeyid);
750 free(ie->skeyid_d);
751 free(ie->skeyid_a);
752 free(ie->skeyid_e);
753 free(ie->hash_i);
754 free(ie->hash_r);
755 if (ie->group)
756 group_free(ie->group);
757 for (attr = LIST_FIRST(&ie->attrs)((&ie->attrs)->lh_first); attr;
758 attr = LIST_FIRST(&ie->attrs)((&ie->attrs)->lh_first)) {
759 LIST_REMOVE(attr, link)do { if ((attr)->link.le_next != ((void*)0)) (attr)->link
.le_next->link.le_prev = (attr)->link.le_prev; *(attr)->
link.le_prev = (attr)->link.le_next; ; ; } while (0)
;
760 if (attr->length)
761 free(attr->value);
762 free(attr);
763 }
764}
765
766/* Free the DOI-specific SA data pointed to by VISA. */
767static void
768ipsec_free_sa_data(void *visa)
769{
770 struct ipsec_sa *isa = visa;
771
772 free(isa->src_net);
773 free(isa->src_mask);
774 free(isa->dst_net);
775 free(isa->dst_mask);
776 free(isa->skeyid_a);
777 free(isa->skeyid_d);
778}
779
780/* Free the DOI-specific protocol data of an SA pointed to by VIPROTO. */
781static void
782ipsec_free_proto_data(void *viproto)
783{
784 struct ipsec_proto *iproto = viproto;
785 int i;
786
787 for (i = 0; i < 2; i++)
788 free(iproto->keymat[i]);
789}
790
791/* Return exchange script based on TYPE. */
792static int16_t *
793ipsec_exchange_script(u_int8_t type)
794{
795 switch (type) {
796 case ISAKMP_EXCH_TRANSACTION6:
797 return script_transaction;
798 case IKE_EXCH_QUICK_MODE32:
799 return script_quick_mode;
800 case IKE_EXCH_NEW_GROUP_MODE33:
801 return script_new_group_mode;
802 }
803 return 0;
804}
805
806/* Initialize this DOI, requires doi_init to already have been called. */
807void
808ipsec_init(void)
809{
810 doi_register(&ipsec_doi);
811}
812
813/* Given a message MSG, return a suitable IV (or rather keystate). */
814static struct keystate *
815ipsec_get_keystate(struct message *msg)
816{
817 struct keystate *ks;
818 struct hash *hash;
819
820 /* If we have already have an IV, use it. */
821 if (msg->exchange && msg->exchange->keystate) {
822 ks = malloc(sizeof *ks);
823 if (!ks) {
824 log_error("ipsec_get_keystate: malloc (%lu) failed",
825 (unsigned long) sizeof *ks);
826 return 0;
827 }
828 memcpy(ks, msg->exchange->keystate, sizeof *ks);
829 return ks;
830 }
831 /*
832 * For phase 2 when no SA yet is setup we need to hash the IV used by
833 * the ISAKMP SA concatenated with the message ID, and use that as an
834 * IV for further cryptographic operations.
835 */
836 if (!msg->isakmp_sa->keystate) {
837 log_print("ipsec_get_keystate: no keystate in ISAKMP SA %p",
838 msg->isakmp_sa);
839 return 0;
840 }
841 ks = crypto_clone_keystate(msg->isakmp_sa->keystate);
842 if (!ks)
843 return 0;
844
845 hash = hash_get(((struct ipsec_sa *)msg->isakmp_sa->data)->hash);
846 hash->Init(hash->ctx);
847 LOG_DBG_BUF((LOG_CRYPTO, 80, "ipsec_get_keystate: final phase 1 IV",log_debug_buf (LOG_CRYPTO, 80, "ipsec_get_keystate: final phase 1 IV"
, ks->riv, ks->xf->blocksize)
848 ks->riv, ks->xf->blocksize))log_debug_buf (LOG_CRYPTO, 80, "ipsec_get_keystate: final phase 1 IV"
, ks->riv, ks->xf->blocksize)
;
849 hash->Update(hash->ctx, ks->riv, ks->xf->blocksize);
850 LOG_DBG_BUF((LOG_CRYPTO, 80, "ipsec_get_keystate: message ID",log_debug_buf (LOG_CRYPTO, 80, "ipsec_get_keystate: message ID"
, ((u_int8_t *) msg->iov[0].iov_base) + 20, 4)
851 ((u_int8_t *) msg->iov[0].iov_base) + ISAKMP_HDR_MESSAGE_ID_OFF,log_debug_buf (LOG_CRYPTO, 80, "ipsec_get_keystate: message ID"
, ((u_int8_t *) msg->iov[0].iov_base) + 20, 4)
852 ISAKMP_HDR_MESSAGE_ID_LEN))log_debug_buf (LOG_CRYPTO, 80, "ipsec_get_keystate: message ID"
, ((u_int8_t *) msg->iov[0].iov_base) + 20, 4)
;
853 hash->Update(hash->ctx, ((u_int8_t *) msg->iov[0].iov_base) +
854 ISAKMP_HDR_MESSAGE_ID_OFF20, ISAKMP_HDR_MESSAGE_ID_LEN4);
855 hash->Final(hash->digest, hash->ctx);
856 crypto_init_iv(ks, hash->digest, ks->xf->blocksize);
857 LOG_DBG_BUF((LOG_CRYPTO, 80, "ipsec_get_keystate: phase 2 IV",log_debug_buf (LOG_CRYPTO, 80, "ipsec_get_keystate: phase 2 IV"
, hash->digest, ks->xf->blocksize)
858 hash->digest, ks->xf->blocksize))log_debug_buf (LOG_CRYPTO, 80, "ipsec_get_keystate: phase 2 IV"
, hash->digest, ks->xf->blocksize)
;
859 return ks;
860}
861
862static void
863ipsec_setup_situation(u_int8_t *buf)
864{
865 SET_IPSEC_SIT_SIT(buf + ISAKMP_SA_SIT_OFF, IPSEC_SIT_IDENTITY_ONLY)field_set_num (ipsec_sit_fld + 0, buf + 8, 1);
866}
867
868static size_t
869ipsec_situation_size(void)
870{
871 return IPSEC_SIT_SIT_LEN4;
872}
873
874static u_int8_t
875ipsec_spi_size(u_int8_t proto)
876{
877 return IPSEC_SPI_SIZE4;
878}
879
880static int
881ipsec_validate_attribute(u_int16_t type, u_int8_t * value, u_int16_t len,
882 void *vmsg)
883{
884 struct message *msg = vmsg;
885
886 if (msg->exchange->phase == 1 &&
887 (type < IKE_ATTR_ENCRYPTION_ALGORITHM1 || type > IKE_ATTR_GROUP_ORDER16))
888 return -1;
889 if (msg->exchange->phase == 2 &&
890 (type < IPSEC_ATTR_SA_LIFE_TYPE1 || type > IPSEC_ATTR_ECN_TUNNEL10))
891 return -1;
892 return 0;
893}
894
895static int
896ipsec_validate_exchange(u_int8_t exch)
897{
898 return exch != IKE_EXCH_QUICK_MODE32 && exch != IKE_EXCH_NEW_GROUP_MODE33;
899}
900
901static int
902ipsec_validate_id_information(u_int8_t type, u_int8_t *extra, u_int8_t *buf,
903 size_t sz, struct exchange *exchange)
904{
905 u_int8_t proto = GET_IPSEC_ID_PROTO(extra)field_get_num (ipsec_id_fld + 0, extra);
906 u_int16_t port = GET_IPSEC_ID_PORT(extra)field_get_num (ipsec_id_fld + 1, extra);
907
908 LOG_DBG((LOG_MESSAGE, 40,log_debug (LOG_MESSAGE, 40, "ipsec_validate_id_information: proto %d port %d type %d"
, proto, port, type)
909 "ipsec_validate_id_information: proto %d port %d type %d",log_debug (LOG_MESSAGE, 40, "ipsec_validate_id_information: proto %d port %d type %d"
, proto, port, type)
910 proto, port, type))log_debug (LOG_MESSAGE, 40, "ipsec_validate_id_information: proto %d port %d type %d"
, proto, port, type)
;
911 if (type < IPSEC_ID_IPV4_ADDR1 || type > IPSEC_ID_KEY_ID11)
912 return -1;
913
914 switch (type) {
915 case IPSEC_ID_IPV4_ADDR1:
916 LOG_DBG_BUF((LOG_MESSAGE, 40,log_debug_buf (LOG_MESSAGE, 40, "ipsec_validate_id_information: IPv4"
, buf, sizeof(struct in_addr))
917 "ipsec_validate_id_information: IPv4", buf,log_debug_buf (LOG_MESSAGE, 40, "ipsec_validate_id_information: IPv4"
, buf, sizeof(struct in_addr))
918 sizeof(struct in_addr)))log_debug_buf (LOG_MESSAGE, 40, "ipsec_validate_id_information: IPv4"
, buf, sizeof(struct in_addr))
;
919 break;
920
921 case IPSEC_ID_IPV6_ADDR5:
922 LOG_DBG_BUF((LOG_MESSAGE, 40,log_debug_buf (LOG_MESSAGE, 40, "ipsec_validate_id_information: IPv6"
, buf, sizeof(struct in6_addr))
923 "ipsec_validate_id_information: IPv6", buf,log_debug_buf (LOG_MESSAGE, 40, "ipsec_validate_id_information: IPv6"
, buf, sizeof(struct in6_addr))
924 sizeof(struct in6_addr)))log_debug_buf (LOG_MESSAGE, 40, "ipsec_validate_id_information: IPv6"
, buf, sizeof(struct in6_addr))
;
925 break;
926
927 case IPSEC_ID_IPV4_ADDR_SUBNET4:
928 LOG_DBG_BUF((LOG_MESSAGE, 40,log_debug_buf (LOG_MESSAGE, 40, "ipsec_validate_id_information: IPv4 network/netmask"
, buf, 2 * sizeof(struct in_addr))
929 "ipsec_validate_id_information: IPv4 network/netmask",log_debug_buf (LOG_MESSAGE, 40, "ipsec_validate_id_information: IPv4 network/netmask"
, buf, 2 * sizeof(struct in_addr))
930 buf, 2 * sizeof(struct in_addr)))log_debug_buf (LOG_MESSAGE, 40, "ipsec_validate_id_information: IPv4 network/netmask"
, buf, 2 * sizeof(struct in_addr))
;
931 break;
932
933 case IPSEC_ID_IPV6_ADDR_SUBNET6:
934 LOG_DBG_BUF((LOG_MESSAGE, 40,log_debug_buf (LOG_MESSAGE, 40, "ipsec_validate_id_information: IPv6 network/netmask"
, buf, 2 * sizeof(struct in6_addr))
935 "ipsec_validate_id_information: IPv6 network/netmask",log_debug_buf (LOG_MESSAGE, 40, "ipsec_validate_id_information: IPv6 network/netmask"
, buf, 2 * sizeof(struct in6_addr))
936 buf, 2 * sizeof(struct in6_addr)))log_debug_buf (LOG_MESSAGE, 40, "ipsec_validate_id_information: IPv6 network/netmask"
, buf, 2 * sizeof(struct in6_addr))
;
937 break;
938
939 default:
940 break;
941 }
942
943 if (exchange->phase == 1 &&
944 (proto != IPPROTO_UDP17 || port != UDP_DEFAULT_PORT500) &&
945 (proto != 0 || port != 0)) {
946 /*
947 * XXX SSH's ISAKMP tester fails this test (proto 17 - port
948 * 0).
949 */
950#ifdef notyet
951 return -1;
952#else
953 log_print("ipsec_validate_id_information: dubious ID "
954 "information accepted");
955#endif
956 }
957 /* XXX More checks? */
958
959 return 0;
960}
961
962static int
963ipsec_validate_key_information(u_int8_t *buf, size_t sz)
964{
965 /* XXX Not implemented yet. */
966 return 0;
967}
968
969static int
970ipsec_validate_notification(u_int16_t type)
971{
972 return type < IPSEC_NOTIFY_RESPONDER_LIFETIME24576 ||
973 type > IPSEC_NOTIFY_INITIAL_CONTACT24578 ? -1 : 0;
974}
975
976static int
977ipsec_validate_proto(u_int8_t proto)
978{
979 return proto < IPSEC_PROTO_IPSEC_AH2 ||
980 proto > IPSEC_PROTO_IPCOMP4 ? -1 : 0;
981}
982
983static int
984ipsec_validate_situation(u_int8_t *buf, size_t *sz, size_t len)
985{
986 if (len < IPSEC_SIT_SIT_OFF0 + IPSEC_SIT_SIT_LEN4) {
987 log_print("ipsec_validate_situation: payload too short: %u",
988 (unsigned int) len);
989 return -1;
990 }
991 /* Currently only "identity only" situations are supported. */
992 if (GET_IPSEC_SIT_SIT(buf)field_get_num (ipsec_sit_fld + 0, buf) != IPSEC_SIT_IDENTITY_ONLY1)
993 return 1;
994
995 *sz = IPSEC_SIT_SIT_LEN4;
996
997 return 0;
998}
999
1000static int
1001ipsec_validate_transform_id(u_int8_t proto, u_int8_t transform_id)
1002{
1003 switch (proto) {
1004 /*
1005 * As no unexpected protocols can occur, we just tie the
1006 * default case to the first case, in order to silence a GCC
1007 * warning.
1008 */
1009 default:
1010 case ISAKMP_PROTO_ISAKMP1:
1011 return transform_id != IPSEC_TRANSFORM_KEY_IKE1;
1012 case IPSEC_PROTO_IPSEC_AH2:
1013 return transform_id < IPSEC_AH_MD52 ||
1014 transform_id > IPSEC_AH_RIPEMD8 ? -1 : 0;
1015 case IPSEC_PROTO_IPSEC_ESP3:
1016 return transform_id < IPSEC_ESP_DES_IV641 ||
1017 (transform_id > IPSEC_ESP_AES_GMAC23 &&
1018 transform_id < IPSEC_ESP_AES_MARS249) ||
1019 transform_id > IPSEC_ESP_AES_TWOFISH253 ? -1 : 0;
1020 case IPSEC_PROTO_IPCOMP4:
1021 return transform_id < IPSEC_IPCOMP_OUI1 ||
1022 transform_id > IPSEC_IPCOMP_DEFLATE2 ? -1 : 0;
1023 }
1024}
1025
1026static int
1027ipsec_initiator(struct message *msg)
1028{
1029 struct exchange *exchange = msg->exchange;
1030 int (**script)(struct message *) = 0;
1031
1032 /* Check that the SA is coherent with the IKE rules. */
1033 if (exchange->type != ISAKMP_EXCH_TRANSACTION6 &&
1034 ((exchange->phase == 1 && exchange->type != ISAKMP_EXCH_ID_PROT2 &&
1035 exchange->type != ISAKMP_EXCH_AGGRESSIVE4 &&
1036 exchange->type != ISAKMP_EXCH_INFO5) ||
1037 (exchange->phase == 2 && exchange->type != IKE_EXCH_QUICK_MODE32 &&
1038 exchange->type != ISAKMP_EXCH_INFO5))) {
1039 log_print("ipsec_initiator: unsupported exchange type %d "
1040 "in phase %d", exchange->type, exchange->phase);
1041 return -1;
1042 }
1043 switch (exchange->type) {
1044 case ISAKMP_EXCH_ID_PROT2:
1045 script = ike_main_mode_initiator;
1046 break;
1047 case ISAKMP_EXCH_AGGRESSIVE4:
1048 script = ike_aggressive_initiator;
1049 break;
1050 case ISAKMP_EXCH_TRANSACTION6:
1051 script = isakmp_cfg_initiator;
1052 break;
1053 case ISAKMP_EXCH_INFO5:
1054 return message_send_info(msg);
1055 case IKE_EXCH_QUICK_MODE32:
1056 script = ike_quick_mode_initiator;
1057 break;
1058 default:
1059 log_print("ipsec_initiator: unsupported exchange type %d",
1060 exchange->type);
1061 return -1;
1062 }
1063
1064 /* Run the script code for this step. */
1065 if (script)
1066 return script[exchange->step] (msg);
1067
1068 return 0;
1069}
1070
1071/*
1072 * delete all SA's from addr with the associated proto and SPI's
1073 *
1074 * spis[] is an array of SPIs of size 16-octet for proto ISAKMP
1075 * or 4-octet otherwise.
1076 */
1077static void
1078ipsec_delete_spi_list(struct sockaddr *addr, u_int8_t proto, u_int8_t *spis,
1079 int nspis, char *type)
1080{
1081 struct sa *sa;
1082 char *peer;
1083 char ids[1024];
1084 int i;
1085
1086 for (i = 0; i < nspis; i++) {
1087 if (proto == ISAKMP_PROTO_ISAKMP1) {
1088 u_int8_t *spi = spis + i * ISAKMP_HDR_COOKIES_LEN(8 + 8);
1089
1090 /*
1091 * This really shouldn't happen in IPSEC DOI
1092 * code, but Cisco VPN 3000 sends ISAKMP DELETE's
1093 * this way.
1094 */
1095 sa = sa_lookup_isakmp_sa(addr, spi);
1096 } else {
1097 u_int32_t spi = ((u_int32_t *)spis)[i];
1098
1099 sa = ipsec_sa_lookup(addr, spi, proto);
1100 }
1101
1102 if (sa == NULL((void*)0)) {
1103 LOG_DBG((LOG_SA, 30, "ipsec_delete_spi_list: could "log_debug (LOG_SA, 30, "ipsec_delete_spi_list: could " "not locate SA (SPI %08x, proto %u)"
, ((u_int32_t *)spis)[i], proto)
1104 "not locate SA (SPI %08x, proto %u)",log_debug (LOG_SA, 30, "ipsec_delete_spi_list: could " "not locate SA (SPI %08x, proto %u)"
, ((u_int32_t *)spis)[i], proto)
1105 ((u_int32_t *)spis)[i], proto))log_debug (LOG_SA, 30, "ipsec_delete_spi_list: could " "not locate SA (SPI %08x, proto %u)"
, ((u_int32_t *)spis)[i], proto)
;
1106 continue;
1107 }
1108
1109 strlcpy(ids,
1110 sa->doi->decode_ids("initiator id: %s, responder id: %s",
1111 sa->id_i, sa->id_i_len, sa->id_r, sa->id_r_len, 0),
1112 sizeof ids);
1113 if (sockaddr2text(addr, &peer, 0))
1114 peer = NULL((void*)0);
1115
1116 /* only log deletion of SAs which are not soft expired yet */
1117 if (sa->soft_death != NULL((void*)0))
1118 log_verbose("isakmpd: Peer %s made us delete live SA "
1119 "%s for proto %d, %s", peer ? peer : "<unknown>",
1120 sa->name ? sa->name : "<unnamed>", proto, ids);
1121
1122 LOG_DBG((LOG_SA, 30, "ipsec_delete_spi_list: "log_debug (LOG_SA, 30, "ipsec_delete_spi_list: " "%s made us delete SA %p (%d references) for proto %d (%s)"
, type, sa, sa->refcnt, proto, ids)
1123 "%s made us delete SA %p (%d references) for proto %d (%s)",log_debug (LOG_SA, 30, "ipsec_delete_spi_list: " "%s made us delete SA %p (%d references) for proto %d (%s)"
, type, sa, sa->refcnt, proto, ids)
1124 type, sa, sa->refcnt, proto, ids))log_debug (LOG_SA, 30, "ipsec_delete_spi_list: " "%s made us delete SA %p (%d references) for proto %d (%s)"
, type, sa, sa->refcnt, proto, ids)
;
1125 free(peer);
1126
1127 /* Delete the SA and search for the next */
1128 sa_free(sa);
1129 }
1130}
1131
1132static int
1133ipsec_responder(struct message *msg)
1134{
1135 struct exchange *exchange = msg->exchange;
1136 int (**script)(struct message *) = 0;
1137 struct payload *p;
1138 u_int16_t type;
1139
1140 /* Check that a new exchange is coherent with the IKE rules. */
1141 if (exchange->step == 0 && exchange->type != ISAKMP_EXCH_TRANSACTION6 &&
1142 ((exchange->phase == 1 && exchange->type != ISAKMP_EXCH_ID_PROT2 &&
1143 exchange->type != ISAKMP_EXCH_AGGRESSIVE4 &&
1144 exchange->type != ISAKMP_EXCH_INFO5) ||
1145 (exchange->phase == 2 && exchange->type != IKE_EXCH_QUICK_MODE32 &&
1146 exchange->type != ISAKMP_EXCH_INFO5))) {
1147 message_drop(msg, ISAKMP_NOTIFY_UNSUPPORTED_EXCHANGE_TYPE29,
1148 0, 1, 0);
1149 return -1;
1150 }
1151 LOG_DBG((LOG_MISC, 30, "ipsec_responder: phase %d exchange %d step %d",log_debug (LOG_MISC, 30, "ipsec_responder: phase %d exchange %d step %d"
, exchange->phase, exchange->type, exchange->step)
1152 exchange->phase, exchange->type, exchange->step))log_debug (LOG_MISC, 30, "ipsec_responder: phase %d exchange %d step %d"
, exchange->phase, exchange->type, exchange->step)
;
1153 switch (exchange->type) {
1154 case ISAKMP_EXCH_ID_PROT2:
1155 script = ike_main_mode_responder;
1156 break;
1157 case ISAKMP_EXCH_AGGRESSIVE4:
1158 script = ike_aggressive_responder;
1159 break;
1160 case ISAKMP_EXCH_TRANSACTION6:
1161 script = isakmp_cfg_responder;
1162 break;
1163 case ISAKMP_EXCH_INFO5:
1164 TAILQ_FOREACH(p, &msg->payload[ISAKMP_PAYLOAD_NOTIFY], link)for((p) = ((&msg->payload[11])->tqh_first); (p) != (
(void*)0); (p) = ((p)->link.tqe_next))
{
1165 type = GET_ISAKMP_NOTIFY_MSG_TYPE(p->p)field_get_num (isakmp_notify_fld + 3, p->p);
1166 LOG_DBG((LOG_EXCHANGE, 10,log_debug (LOG_EXCHANGE, 10, "ipsec_responder: got NOTIFY of type %s"
, constant_name(isakmp_notify_cst, type))
1167 "ipsec_responder: got NOTIFY of type %s",log_debug (LOG_EXCHANGE, 10, "ipsec_responder: got NOTIFY of type %s"
, constant_name(isakmp_notify_cst, type))
1168 constant_name(isakmp_notify_cst, type)))log_debug (LOG_EXCHANGE, 10, "ipsec_responder: got NOTIFY of type %s"
, constant_name(isakmp_notify_cst, type))
;
1169
1170 switch (type) {
1171 case IPSEC_NOTIFY_INITIAL_CONTACT24578:
1172 /* Handled by leftover logic. */
1173 break;
1174
1175 case ISAKMP_NOTIFY_STATUS_DPD_R_U_THERE36136:
1176 case ISAKMP_NOTIFY_STATUS_DPD_R_U_THERE_ACK36137:
1177 dpd_handle_notify(msg, p);
1178 break;
1179
1180 default:
1181 p->flags |= PL_MARK1;
1182 break;
1183 }
1184 }
1185
1186 /*
1187 * If any DELETEs are in here, let the logic of leftover
1188 * payloads deal with them.
1189 */
1190 return 0;
1191
1192 case IKE_EXCH_QUICK_MODE32:
1193 script = ike_quick_mode_responder;
1194 break;
1195
1196 default:
1197 message_drop(msg, ISAKMP_NOTIFY_UNSUPPORTED_EXCHANGE_TYPE29,
1198 0, 1, 0);
1199 return -1;
1200 }
1201
1202 /* Run the script code for this step. */
1203 if (script)
1204 return script[exchange->step] (msg);
1205
1206 /*
1207 * XXX So far we don't accept any proposals for exchanges we don't
1208 * support.
1209 */
1210 if (payload_first(msg, ISAKMP_PAYLOAD_SA1)) {
1211 message_drop(msg, ISAKMP_NOTIFY_NO_PROPOSAL_CHOSEN14, 0, 1, 0);
1212 return -1;
1213 }
1214 return 0;
1215}
1216
1217static enum hashes
1218from_ike_hash(u_int16_t hash)
1219{
1220 switch (hash) {
1221 case IKE_HASH_MD51:
1222 return HASH_MD5;
1223 case IKE_HASH_SHA2:
1224 return HASH_SHA1;
1225 case IKE_HASH_SHA2_2564:
1226 return HASH_SHA2_256;
1227 case IKE_HASH_SHA2_3845:
1228 return HASH_SHA2_384;
1229 case IKE_HASH_SHA2_5126:
1230 return HASH_SHA2_512;
1231 }
1232 return -1;
1233}
1234
1235static enum transform
1236from_ike_crypto(u_int16_t crypto)
1237{
1238 /* Coincidentally this is the null operation :-) */
1239 return crypto;
1240}
1241
1242/*
1243 * Find out whether the attribute of type TYPE with a LEN length value
1244 * pointed to by VALUE is incompatible with what we can handle.
1245 * VMSG is a pointer to the current message.
1246 */
1247int
1248ipsec_is_attribute_incompatible(u_int16_t type, u_int8_t *value, u_int16_t len,
1249 void *vmsg)
1250{
1251 struct message *msg = vmsg;
1252 u_int16_t dv = decode_16(value);
1253
1254 if (msg->exchange->phase == 1) {
1255 switch (type) {
1256 case IKE_ATTR_ENCRYPTION_ALGORITHM1:
1257 return !crypto_get(from_ike_crypto(dv));
1258 case IKE_ATTR_HASH_ALGORITHM2:
1259 return !hash_get(from_ike_hash(dv));
1260 case IKE_ATTR_AUTHENTICATION_METHOD3:
1261 return !ike_auth_get(dv);
1262 case IKE_ATTR_GROUP_DESCRIPTION4:
1263 return (dv < IKE_GROUP_DESC_MODP_7681 ||
1264 dv > IKE_GROUP_DESC_MODP_15365) &&
1265 (dv < IKE_GROUP_DESC_MODP_204814 ||
1266 dv > IKE_GROUP_DESC_ECP_52121) &&
1267 (dv < IKE_GROUP_DESC_ECP_19225 ||
1268 dv > IKE_GROUP_DESC_BP_51230);
1269 case IKE_ATTR_GROUP_TYPE5:
1270 return 1;
1271 case IKE_ATTR_GROUP_PRIME6:
1272 return 1;
1273 case IKE_ATTR_GROUP_GENERATOR_17:
1274 return 1;
1275 case IKE_ATTR_GROUP_GENERATOR_28:
1276 return 1;
1277 case IKE_ATTR_GROUP_CURVE_A9:
1278 return 1;
1279 case IKE_ATTR_GROUP_CURVE_B10:
1280 return 1;
1281 case IKE_ATTR_LIFE_TYPE11:
1282 return dv < IKE_DURATION_SECONDS1 ||
1283 dv > IKE_DURATION_KILOBYTES2;
1284 case IKE_ATTR_LIFE_DURATION12:
1285 return len != 2 && len != 4;
1286 case IKE_ATTR_PRF13:
1287 return 1;
1288 case IKE_ATTR_KEY_LENGTH14:
1289 /*
1290 * Our crypto routines only allows key-lengths which
1291 * are multiples of an octet.
1292 */
1293 return dv % 8 != 0;
1294 case IKE_ATTR_FIELD_SIZE15:
1295 return 1;
1296 case IKE_ATTR_GROUP_ORDER16:
1297 return 1;
1298 }
1299 } else {
1300 switch (type) {
1301 case IPSEC_ATTR_SA_LIFE_TYPE1:
1302 return dv < IPSEC_DURATION_SECONDS1 ||
1303 dv > IPSEC_DURATION_KILOBYTES2;
1304 case IPSEC_ATTR_SA_LIFE_DURATION2:
1305 return len != 2 && len != 4;
1306 case IPSEC_ATTR_GROUP_DESCRIPTION3:
1307 return (dv < IKE_GROUP_DESC_MODP_7681 ||
1308 dv > IKE_GROUP_DESC_MODP_15365) &&
1309 (dv < IKE_GROUP_DESC_MODP_204814 ||
1310 dv > IKE_GROUP_DESC_ECP_52121) &&
1311 (dv < IKE_GROUP_DESC_ECP_19225 ||
1312 dv > IKE_GROUP_DESC_BP_51230);
1313 case IPSEC_ATTR_ENCAPSULATION_MODE4:
1314 return dv != IPSEC_ENCAP_TUNNEL1 &&
1315 dv != IPSEC_ENCAP_TRANSPORT2 &&
1316 dv != IPSEC_ENCAP_UDP_ENCAP_TUNNEL3 &&
1317 dv != IPSEC_ENCAP_UDP_ENCAP_TRANSPORT4 &&
1318 dv != IPSEC_ENCAP_UDP_ENCAP_TUNNEL_DRAFT61443 &&
1319 dv != IPSEC_ENCAP_UDP_ENCAP_TRANSPORT_DRAFT61444;
1320 case IPSEC_ATTR_AUTHENTICATION_ALGORITHM5:
1321 return dv < IPSEC_AUTH_HMAC_MD51 ||
1322 dv > IPSEC_AUTH_HMAC_RIPEMD8;
1323 case IPSEC_ATTR_KEY_LENGTH6:
1324 /*
1325 * XXX Blowfish needs '0'. Others appear to disregard
1326 * this attr?
1327 */
1328 return 0;
1329 case IPSEC_ATTR_KEY_ROUNDS7:
1330 return 1;
1331 case IPSEC_ATTR_COMPRESS_DICTIONARY_SIZE8:
1332 return 1;
1333 case IPSEC_ATTR_COMPRESS_PRIVATE_ALGORITHM9:
1334 return 1;
1335 case IPSEC_ATTR_ECN_TUNNEL10:
1336 return 1;
1337 }
1338 }
1339 /* XXX Silence gcc. */
1340 return 1;
1341}
1342
1343/*
1344 * Log the attribute of TYPE with a LEN length value pointed to by VALUE
1345 * in human-readable form. VMSG is a pointer to the current message.
1346 */
1347int
1348ipsec_debug_attribute(u_int16_t type, u_int8_t *value, u_int16_t len,
1349 void *vmsg)
1350{
1351 struct message *msg = vmsg;
1352 char val[20];
1353
1354 /* XXX Transient solution. */
1355 if (len == 2)
1356 snprintf(val, sizeof val, "%d", decode_16(value));
1357 else if (len == 4)
1358 snprintf(val, sizeof val, "%d", decode_32(value));
1359 else
1360 snprintf(val, sizeof val, "unrepresentable");
1361
1362 LOG_DBG((LOG_MESSAGE, 50, "Attribute %s value %s",log_debug (LOG_MESSAGE, 50, "Attribute %s value %s", constant_name
(msg->exchange->phase == 1 ? ike_attr_cst : ipsec_attr_cst
, type), val)
1363 constant_name(msg->exchange->phase == 1 ? ike_attr_cst :log_debug (LOG_MESSAGE, 50, "Attribute %s value %s", constant_name
(msg->exchange->phase == 1 ? ike_attr_cst : ipsec_attr_cst
, type), val)
1364 ipsec_attr_cst, type), val))log_debug (LOG_MESSAGE, 50, "Attribute %s value %s", constant_name
(msg->exchange->phase == 1 ? ike_attr_cst : ipsec_attr_cst
, type), val)
;
1365 return 0;
1366}
1367
1368/*
1369 * Decode the attribute of type TYPE with a LEN length value pointed to by
1370 * VALUE. VIDA is a pointer to a context structure where we can find the
1371 * current message, SA and protocol.
1372 */
1373int
1374ipsec_decode_attribute(u_int16_t type, u_int8_t *value, u_int16_t len,
1375 void *vida)
1376{
1377 struct ipsec_decode_arg *ida = vida;
1378 struct message *msg = ida->msg;
1379 struct sa *sa = ida->sa;
1380 struct ipsec_sa *isa = sa->data;
1381 struct proto *proto = ida->proto;
1382 struct ipsec_proto *iproto = proto->data;
1383 struct exchange *exchange = msg->exchange;
1384 struct ipsec_exch *ie = exchange->data;
1385 static int lifetype = 0;
1386
1387 if (exchange->phase == 1) {
1388 switch (type) {
1389 case IKE_ATTR_ENCRYPTION_ALGORITHM1:
1390 /* XXX Errors possible? */
1391 exchange->crypto = crypto_get(from_ike_crypto(
1392 decode_16(value)));
1393 break;
1394 case IKE_ATTR_HASH_ALGORITHM2:
1395 /* XXX Errors possible? */
1396 ie->hash = hash_get(from_ike_hash(decode_16(value)));
1397 break;
1398 case IKE_ATTR_AUTHENTICATION_METHOD3:
1399 /* XXX Errors possible? */
1400 ie->ike_auth = ike_auth_get(decode_16(value));
1401 break;
1402 case IKE_ATTR_GROUP_DESCRIPTION4:
1403 isa->group_desc = decode_16(value);
1404 break;
1405 case IKE_ATTR_GROUP_TYPE5:
1406 break;
1407 case IKE_ATTR_GROUP_PRIME6:
1408 break;
1409 case IKE_ATTR_GROUP_GENERATOR_17:
1410 break;
1411 case IKE_ATTR_GROUP_GENERATOR_28:
1412 break;
1413 case IKE_ATTR_GROUP_CURVE_A9:
1414 break;
1415 case IKE_ATTR_GROUP_CURVE_B10:
1416 break;
1417 case IKE_ATTR_LIFE_TYPE11:
1418 lifetype = decode_16(value);
1419 return 0;
1420 case IKE_ATTR_LIFE_DURATION12:
1421 switch (lifetype) {
1422 case IKE_DURATION_SECONDS1:
1423 switch (len) {
1424 case 2:
1425 sa->seconds = decode_16(value);
1426 break;
1427 case 4:
1428 sa->seconds = decode_32(value);
1429 break;
1430 default:
1431 log_print("ipsec_decode_attribute: "
1432 "unreasonable lifetime");
1433 }
1434 break;
1435 case IKE_DURATION_KILOBYTES2:
1436 switch (len) {
1437 case 2:
1438 sa->kilobytes = decode_16(value);
1439 break;
1440 case 4:
1441 sa->kilobytes = decode_32(value);
1442 break;
1443 default:
1444 log_print("ipsec_decode_attribute: "
1445 "unreasonable lifetime");
1446 }
1447 break;
1448 default:
1449 log_print("ipsec_decode_attribute: unknown "
1450 "lifetime type");
1451 }
1452 break;
1453 case IKE_ATTR_PRF13:
1454 break;
1455 case IKE_ATTR_KEY_LENGTH14:
1456 exchange->key_length = decode_16(value) / 8;
1457 break;
1458 case IKE_ATTR_FIELD_SIZE15:
1459 break;
1460 case IKE_ATTR_GROUP_ORDER16:
1461 break;
1462 }
1463 } else {
1464 switch (type) {
1465 case IPSEC_ATTR_SA_LIFE_TYPE1:
1466 lifetype = decode_16(value);
1467 return 0;
1468 case IPSEC_ATTR_SA_LIFE_DURATION2:
1469 switch (lifetype) {
1470 case IPSEC_DURATION_SECONDS1:
1471 switch (len) {
1472 case 2:
1473 sa->seconds = decode_16(value);
1474 break;
1475 case 4:
1476 sa->seconds = decode_32(value);
1477 break;
1478 default:
1479 log_print("ipsec_decode_attribute: "
1480 "unreasonable lifetime");
1481 }
1482 break;
1483 case IPSEC_DURATION_KILOBYTES2:
1484 switch (len) {
1485 case 2:
1486 sa->kilobytes = decode_16(value);
1487 break;
1488 case 4:
1489 sa->kilobytes = decode_32(value);
1490 break;
1491 default:
1492 log_print("ipsec_decode_attribute: "
1493 "unreasonable lifetime");
1494 }
1495 break;
1496 default:
1497 log_print("ipsec_decode_attribute: unknown "
1498 "lifetime type");
1499 }
1500 break;
1501 case IPSEC_ATTR_GROUP_DESCRIPTION3:
1502 isa->group_desc = decode_16(value);
1503 break;
1504 case IPSEC_ATTR_ENCAPSULATION_MODE4:
1505 /*
1506 * XXX Multiple protocols must have same
1507 * encapsulation mode, no?
1508 */
1509 iproto->encap_mode = decode_16(value);
1510 break;
1511 case IPSEC_ATTR_AUTHENTICATION_ALGORITHM5:
1512 iproto->auth = decode_16(value);
1513 break;
1514 case IPSEC_ATTR_KEY_LENGTH6:
1515 iproto->keylen = decode_16(value);
1516 break;
1517 case IPSEC_ATTR_KEY_ROUNDS7:
1518 iproto->keyrounds = decode_16(value);
1519 break;
1520 case IPSEC_ATTR_COMPRESS_DICTIONARY_SIZE8:
1521 break;
1522 case IPSEC_ATTR_COMPRESS_PRIVATE_ALGORITHM9:
1523 break;
1524 case IPSEC_ATTR_ECN_TUNNEL10:
1525 break;
1526 }
1527 }
1528 lifetype = 0;
1529 return 0;
1530}
1531
1532/*
1533 * Walk over the attributes of the transform payload found in BUF, and
1534 * fill out the fields of the SA attached to MSG. Also mark the SA as
1535 * processed.
1536 */
1537void
1538ipsec_decode_transform(struct message *msg, struct sa *sa, struct proto *proto,
1539 u_int8_t *buf)
1540{
1541 struct ipsec_exch *ie = msg->exchange->data;
1542 struct ipsec_decode_arg ida;
1543
1544 LOG_DBG((LOG_MISC, 20, "ipsec_decode_transform: transform %d chosen",log_debug (LOG_MISC, 20, "ipsec_decode_transform: transform %d chosen"
, field_get_num (isakmp_transform_fld + 0, buf))
1545 GET_ISAKMP_TRANSFORM_NO(buf)))log_debug (LOG_MISC, 20, "ipsec_decode_transform: transform %d chosen"
, field_get_num (isakmp_transform_fld + 0, buf))
;
1546
1547 ida.msg = msg;
1548 ida.sa = sa;
1549 ida.proto = proto;
1550
1551 /* The default IKE lifetime is 8 hours. */
1552 if (sa->phase == 1)
1553 sa->seconds = 28800;
1554
1555 /* Extract the attributes and stuff them into the SA. */
1556 attribute_map(buf + ISAKMP_TRANSFORM_SA_ATTRS_OFF8,
1557 GET_ISAKMP_GEN_LENGTH(buf)field_get_num (isakmp_gen_fld + 2, buf) - ISAKMP_TRANSFORM_SA_ATTRS_OFF8,
1558 ipsec_decode_attribute, &ida);
1559
1560 /*
1561 * If no pseudo-random function was negotiated, it's HMAC.
1562 * XXX As PRF_HMAC currently is zero, this is a no-op.
1563 */
1564 if (!ie->prf_type)
1565 ie->prf_type = PRF_HMAC;
1566}
1567
1568/*
1569 * Delete the IPsec SA represented by the INCOMING direction in protocol PROTO
1570 * of the IKE security association SA.
1571 */
1572static void
1573ipsec_delete_spi(struct sa *sa, struct proto *proto, int incoming)
1574{
1575 struct sa *new_sa;
1576 struct ipsec_proto *iproto;
1577
1578 if (sa->phase == 1)
1579 return;
1580
1581 iproto = proto->data;
1582 /*
1583 * If the SA is using UDP encap and it replaced other SA,
1584 * enable the other SA to keep the flow for the other SAs.
1585 */
1586 if ((iproto->encap_mode == IPSEC_ENCAP_UDP_ENCAP_TRANSPORT4 ||
1587 iproto->encap_mode == IPSEC_ENCAP_UDP_ENCAP_TRANSPORT_DRAFT61444) &&
1588 (sa->flags & SA_FLAG_REPLACED0x08) == 0 &&
1589 (new_sa = sa_find(ipsec_sa_check_flow_any, sa)) != NULL((void*)0) &&
1590 new_sa->flags & SA_FLAG_REPLACED0x08)
1591 sa_replace(sa, new_sa);
1592
1593 /*
1594 * If the SA was not replaced and was not one acquired through the
1595 * kernel (ACQUIRE message), remove the flow associated with it.
1596 * We ignore any errors from the disabling of the flow.
1597 */
1598 if (sa->flags & SA_FLAG_READY0x01 && !(sa->flags & SA_FLAG_ONDEMAND0x04 ||
1599 sa->flags & SA_FLAG_REPLACED0x08 || acquire_only ||
1600 conf_get_str("General", "Acquire-Only")))
1601 pf_key_v2_disable_sa(sa, incoming);
1602
1603 /* XXX Error handling? Is it interesting? */
1604 pf_key_v2_delete_spi(sa, proto, incoming);
1605}
1606
1607/*
1608 * Store BUF into the g^x entry of the exchange that message MSG belongs to.
1609 * PEER is non-zero when the value is our peer's, and zero when it is ours.
1610 */
1611static int
1612ipsec_g_x(struct message *msg, int peer, u_int8_t *buf)
1613{
1614 struct exchange *exchange = msg->exchange;
1615 struct ipsec_exch *ie = exchange->data;
1616 u_int8_t **g_x;
1617 int initiator = exchange->initiator ^ peer;
1618 char header[32];
1619
1620 g_x = initiator ? &ie->g_xi : &ie->g_xr;
1621 *g_x = malloc(ie->g_x_len);
1622 if (!*g_x) {
1623 log_error("ipsec_g_x: malloc (%lu) failed",
1624 (unsigned long)ie->g_x_len);
1625 return -1;
1626 }
1627 memcpy(*g_x, buf, ie->g_x_len);
1628 snprintf(header, sizeof header, "ipsec_g_x: g^x%c",
1629 initiator ? 'i' : 'r');
1630 LOG_DBG_BUF((LOG_MISC, 80, header, *g_x, ie->g_x_len))log_debug_buf (LOG_MISC, 80, header, *g_x, ie->g_x_len);
1631 return 0;
1632}
1633
1634/* Generate our DH value. */
1635int
1636ipsec_gen_g_x(struct message *msg)
1637{
1638 struct exchange *exchange = msg->exchange;
1639 struct ipsec_exch *ie = exchange->data;
1640 u_int8_t *buf;
1641
1642 buf = malloc(ISAKMP_KE_SZ4 + ie->g_x_len);
1643 if (!buf) {
1644 log_error("ipsec_gen_g_x: malloc (%lu) failed",
1645 ISAKMP_KE_SZ4 + (unsigned long)ie->g_x_len);
1646 return -1;
1647 }
1648 if (message_add_payload(msg, ISAKMP_PAYLOAD_KEY_EXCH4, buf,
1649 ISAKMP_KE_SZ4 + ie->g_x_len, 1)) {
1650 free(buf);
1651 return -1;
1652 }
1653 if (dh_create_exchange(ie->group, buf + ISAKMP_KE_DATA_OFF4)) {
1654 log_print("ipsec_gen_g_x: dh_create_exchange failed");
1655 free(buf);
1656 return -1;
1657 }
1658 return ipsec_g_x(msg, 0, buf + ISAKMP_KE_DATA_OFF4);
1659}
1660
1661/* Save the peer's DH value. */
1662int
1663ipsec_save_g_x(struct message *msg)
1664{
1665 struct exchange *exchange = msg->exchange;
1666 struct ipsec_exch *ie = exchange->data;
1667 struct payload *kep;
1668
1669 kep = payload_first(msg, ISAKMP_PAYLOAD_KEY_EXCH4);
1670 kep->flags |= PL_MARK1;
1671 ie->g_x_len = GET_ISAKMP_GEN_LENGTH(kep->p)field_get_num (isakmp_gen_fld + 2, kep->p) - ISAKMP_KE_DATA_OFF4;
1672
1673 /* Check that the given length matches the group's expectancy. */
1674 if (ie->g_x_len != (size_t) dh_getlen(ie->group)) {
1675 /* XXX Is this a good notify type? */
1676 message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED16, 0, 1, 0);
1677 return -1;
1678 }
1679 return ipsec_g_x(msg, 1, kep->p + ISAKMP_KE_DATA_OFF4);
1680}
1681
1682/*
1683 * Get a SPI for PROTO and the transport MSG passed over. Store the
1684 * size where SZ points. NB! A zero return is OK if *SZ is zero.
1685 */
1686static u_int8_t *
1687ipsec_get_spi(size_t *sz, u_int8_t proto, struct message *msg)
1688{
1689 struct sockaddr *dst, *src;
1690 struct transport *transport = msg->transport;
1691
1692 if (msg->exchange->phase == 1) {
1693 *sz = 0;
1694 return 0;
1695 } else {
1696 /* We are the destination in the SA we want a SPI for. */
1697 transport->vtbl->get_src(transport, &dst);
1698 /* The peer is the source. */
1699 transport->vtbl->get_dst(transport, &src);
1700 return pf_key_v2_get_spi(sz, proto, src, dst,
1701 msg->exchange->seq);
1702 }
1703}
1704
1705/*
1706 * We have gotten a payload PAYLOAD of type TYPE, which did not get handled
1707 * by the logic of the exchange MSG takes part in. Now is the time to deal
1708 * with such a payload if we know how to, if we don't, return -1, otherwise
1709 * 0.
1710 */
1711int
1712ipsec_handle_leftover_payload(struct message *msg, u_int8_t type,
1713 struct payload *payload)
1714{
1715 u_int32_t spisz, nspis;
1716 struct sockaddr *dst;
1717 int reenter = 0;
1718 u_int8_t *spis, proto;
1719 struct sa *sa;
1720
1721 switch (type) {
1722 case ISAKMP_PAYLOAD_DELETE12:
1723 proto = GET_ISAKMP_DELETE_PROTO(payload->p)field_get_num (isakmp_delete_fld + 1, payload->p);
1724 nspis = GET_ISAKMP_DELETE_NSPIS(payload->p)field_get_num (isakmp_delete_fld + 3, payload->p);
1725 spisz = GET_ISAKMP_DELETE_SPI_SZ(payload->p)field_get_num (isakmp_delete_fld + 2, payload->p);
1726
1727 if (nspis == 0) {
1728 LOG_DBG((LOG_SA, 60, "ipsec_handle_leftover_payload: "log_debug (LOG_SA, 60, "ipsec_handle_leftover_payload: " "message specified zero SPIs, ignoring"
)
1729 "message specified zero SPIs, ignoring"))log_debug (LOG_SA, 60, "ipsec_handle_leftover_payload: " "message specified zero SPIs, ignoring"
)
;
1730 return -1;
1731 }
1732 /* verify proper SPI size */
1733 if ((proto == ISAKMP_PROTO_ISAKMP1 &&
1734 spisz != ISAKMP_HDR_COOKIES_LEN(8 + 8)) ||
1735 (proto != ISAKMP_PROTO_ISAKMP1 && spisz != sizeof(u_int32_t))) {
1736 log_print("ipsec_handle_leftover_payload: invalid SPI "
1737 "size %d for proto %d in DELETE payload",
1738 spisz, proto);
1739 return -1;
1740 }
1741 spis = calloc(nspis, spisz);
1742 if (!spis) {
1743 log_error("ipsec_handle_leftover_payload: malloc "
1744 "(%d) failed", nspis * spisz);
1745 return -1;
1746 }
1747 /* extract SPI and get dst address */
1748 memcpy(spis, payload->p + ISAKMP_DELETE_SPI_OFF12, nspis * spisz);
1749 msg->transport->vtbl->get_dst(msg->transport, &dst);
1750
1751 ipsec_delete_spi_list(dst, proto, spis, nspis, "DELETE");
1752
1753 free(spis);
1754 payload->flags |= PL_MARK1;
1755 return 0;
1756
1757 case ISAKMP_PAYLOAD_NOTIFY11:
1758 switch (GET_ISAKMP_NOTIFY_MSG_TYPE(payload->p)field_get_num (isakmp_notify_fld + 3, payload->p)) {
1759 case IPSEC_NOTIFY_INITIAL_CONTACT24578:
1760 /*
1761 * Permit INITIAL-CONTACT if
1762 * - this is not an AGGRESSIVE mode exchange
1763 * - it is protected by an ISAKMP SA
1764 *
1765 * XXX Instead of the first condition above, we could
1766 * XXX permit this only for phase 2. In the last
1767 * XXX packet of main-mode, this payload, while
1768 * XXX encrypted, is not part of the hash digest. As
1769 * XXX we currently send our own INITIAL-CONTACTs at
1770 * XXX this point, this too would need to be changed.
1771 */
1772 if (msg->exchange->type == ISAKMP_EXCH_AGGRESSIVE4) {
1773 log_print("ipsec_handle_leftover_payload: got "
1774 "INITIAL-CONTACT in AGGRESSIVE mode");
1775 return -1;
1776 }
1777 if ((msg->exchange->flags & EXCHANGE_FLAG_ENCRYPT0x0004)
1778 == 0) {
1779 log_print("ipsec_handle_leftover_payload: got "
1780 "INITIAL-CONTACT without ISAKMP SA");
1781 return -1;
1782 }
1783
1784 if ((msg->flags & MSG_AUTHENTICATED0x10) == 0) {
1785 log_print("ipsec_handle_leftover_payload: "
1786 "got unauthenticated INITIAL-CONTACT");
1787 return -1;
1788 }
1789 /*
1790 * Find out who is sending this and then delete every
1791 * SA that is ready. Exchanges will timeout
1792 * themselves and then the non-ready SAs will
1793 * disappear too.
1794 */
1795 msg->transport->vtbl->get_dst(msg->transport, &dst);
1796 while ((sa = sa_lookup_by_peer(dst, SA_LEN(dst)((dst)->sa_len), 0)) != 0) {
1797 /*
1798 * Don't delete the current SA -- we received
1799 * the notification over it, so it's obviously
1800 * still active. We temporarily need to remove
1801 * the SA from the list to avoid an endless
1802 * loop, but keep a reference so it won't
1803 * disappear meanwhile.
1804 */
1805 if (sa == msg->isakmp_sa) {
1806 sa_reference(sa);
1807 sa_remove(sa);
1808 reenter = 1;
1809 continue;
1810 }
1811 LOG_DBG((LOG_SA, 30,log_debug (LOG_SA, 30, "ipsec_handle_leftover_payload: " "INITIAL-CONTACT made us delete SA %p"
, sa)
1812 "ipsec_handle_leftover_payload: "log_debug (LOG_SA, 30, "ipsec_handle_leftover_payload: " "INITIAL-CONTACT made us delete SA %p"
, sa)
1813 "INITIAL-CONTACT made us delete SA %p",log_debug (LOG_SA, 30, "ipsec_handle_leftover_payload: " "INITIAL-CONTACT made us delete SA %p"
, sa)
1814 sa))log_debug (LOG_SA, 30, "ipsec_handle_leftover_payload: " "INITIAL-CONTACT made us delete SA %p"
, sa)
;
1815 sa_delete(sa, 0);
1816 }
1817
1818 if (reenter) {
1819 sa_enter(msg->isakmp_sa);
1820 sa_release(msg->isakmp_sa);
1821 }
1822 payload->flags |= PL_MARK1;
1823 return 0;
1824 }
1825 }
1826 return -1;
1827}
1828
1829/* Return the encryption keylength in octets of the ESP protocol PROTO. */
1830int
1831ipsec_esp_enckeylength(struct proto *proto)
1832{
1833 struct ipsec_proto *iproto = proto->data;
1834
1835 /* Compute the keylength to use. */
1836 switch (proto->id) {
1837 case IPSEC_ESP_3DES3:
1838 return 24;
1839 case IPSEC_ESP_CAST6:
1840 if (!iproto->keylen)
1841 return 16;
1842 return iproto->keylen / 8;
1843 case IPSEC_ESP_AES_CTR13:
1844 case IPSEC_ESP_AES_GCM_1620:
1845 case IPSEC_ESP_AES_GMAC23:
1846 if (!iproto->keylen)
1847 return 20;
1848 return iproto->keylen / 8 + 4;
1849 case IPSEC_ESP_AES12:
1850 if (!iproto->keylen)
1851 return 16;
1852 /* FALLTHROUGH */
1853 default:
1854 return iproto->keylen / 8;
1855 }
1856}
1857
1858/* Return the authentication keylength in octets of the ESP protocol PROTO. */
1859int
1860ipsec_esp_authkeylength(struct proto *proto)
1861{
1862 struct ipsec_proto *iproto = proto->data;
1863
1864 switch (iproto->auth) {
1865 case IPSEC_AUTH_HMAC_MD51:
1866 return 16;
1867 case IPSEC_AUTH_HMAC_SHA2:
1868 case IPSEC_AUTH_HMAC_RIPEMD8:
1869 return 20;
1870 case IPSEC_AUTH_HMAC_SHA2_2565:
1871 return 32;
1872 case IPSEC_AUTH_HMAC_SHA2_3846:
1873 return 48;
1874 case IPSEC_AUTH_HMAC_SHA2_5127:
1875 return 64;
1876 default:
1877 return 0;
1878 }
1879}
1880
1881/* Return the authentication keylength in octets of the AH protocol PROTO. */
1882int
1883ipsec_ah_keylength(struct proto *proto)
1884{
1885 switch (proto->id) {
1886 case IPSEC_AH_MD52:
1887 return 16;
1888 case IPSEC_AH_SHA3:
1889 case IPSEC_AH_RIPEMD8:
1890 return 20;
1891 case IPSEC_AH_SHA2_2565:
1892 return 32;
1893 case IPSEC_AH_SHA2_3846:
1894 return 48;
1895 case IPSEC_AH_SHA2_5127:
1896 return 64;
1897 default:
1898 return -1;
1899 }
1900}
1901
1902/* Return the total keymaterial length of the protocol PROTO. */
1903int
1904ipsec_keymat_length(struct proto *proto)
1905{
1906 switch (proto->proto) {
1907 case IPSEC_PROTO_IPSEC_ESP3:
1908 return ipsec_esp_enckeylength(proto)
1909 + ipsec_esp_authkeylength(proto);
1910 case IPSEC_PROTO_IPSEC_AH2:
1911 return ipsec_ah_keylength(proto);
1912 default:
1913 return -1;
1914 }
1915}
1916
1917/* Helper function for ipsec_get_id(). */
1918static int
1919ipsec_get_proto_port(char *section, u_int8_t *tproto, u_int16_t *port)
1920{
1921 struct protoent *pe = NULL((void*)0);
1922 struct servent *se;
1923 char *pstr;
1924
1925 pstr = conf_get_str(section, "Protocol");
1926 if (!pstr) {
1927 *tproto = 0;
1928 return 0;
1929 }
1930 *tproto = (u_int8_t)atoi(pstr);
1931 if (!*tproto) {
1932 pe = getprotobyname(pstr);
1933 if (pe)
1934 *tproto = pe->p_proto;
1935 }
1936 if (!*tproto) {
1937 log_print("ipsec_get_proto_port: protocol \"%s\" unknown",
1938 pstr);
1939 return -1;
1940 }
1941
1942 pstr = conf_get_str(section, "Port");
1943 if (!pstr)
1944 return 0;
1945 *port = (u_int16_t)atoi(pstr);
1946 if (!*port) {
1947 se = getservbyname(pstr,
1948 pe ? pe->p_name : (pstr ? pstr : NULL((void*)0)));
1949 if (se)
1950 *port = ntohs(se->s_port)(__uint16_t)(__builtin_constant_p(se->s_port) ? (__uint16_t
)(((__uint16_t)(se->s_port) & 0xffU) << 8 | ((__uint16_t
)(se->s_port) & 0xff00U) >> 8) : __swap16md(se->
s_port))
;
1951 }
1952 if (!*port) {
1953 log_print("ipsec_get_proto_port: port \"%s\" unknown",
1954 pstr);
1955 return -1;
1956 }
1957 return 0;
1958}
1959
1960/*
1961 * Out of a named section SECTION in the configuration file find out
1962 * the network address and mask as well as the ID type. Put the info
1963 * in the areas pointed to by ADDR, MASK, TPROTO, PORT, and ID respectively.
1964 * Return 0 on success and -1 on failure.
1965 */
1966int
1967ipsec_get_id(char *section, int *id, struct sockaddr **addr,
1968 struct sockaddr **mask, u_int8_t *tproto, u_int16_t *port)
1969{
1970 char *type, *address, *netmask;
1971 sa_family_t af = 0;
1972
1973 type = conf_get_str(section, "ID-type");
1974 if (!type) {
1975 log_print("ipsec_get_id: section %s has no \"ID-type\" tag",
1976 section);
1977 return -1;
1978 }
1979 *id = constant_value(ipsec_id_cst, type);
1980 switch (*id) {
1981 case IPSEC_ID_IPV4_ADDR1:
1982 case IPSEC_ID_IPV4_ADDR_SUBNET4:
1983 af = AF_INET2;
1984 break;
1985 case IPSEC_ID_IPV6_ADDR5:
1986 case IPSEC_ID_IPV6_ADDR_SUBNET6:
1987 af = AF_INET624;
1988 break;
1989 }
1990 switch (*id) {
1991 case IPSEC_ID_IPV4_ADDR1:
1992 case IPSEC_ID_IPV6_ADDR5: {
1993 int ret;
1994
1995 address = conf_get_str(section, "Address");
1996 if (!address) {
1997 log_print("ipsec_get_id: section %s has no "
1998 "\"Address\" tag", section);
1999 return -1;
2000 }
2001 if (text2sockaddr(address, NULL((void*)0), addr, af, 0)) {
2002 log_print("ipsec_get_id: invalid address %s in "
2003 "section %s", address, section);
2004 return -1;
2005 }
2006 ret = ipsec_get_proto_port(section, tproto, port);
2007 if (ret < 0)
2008 free(*addr);
2009
2010 return ret;
2011 }
2012
2013#ifdef notyet
2014 case IPSEC_ID_FQDN2:
2015 return -1;
2016
2017 case IPSEC_ID_USER_FQDN3:
2018 return -1;
2019#endif
2020
2021 case IPSEC_ID_IPV4_ADDR_SUBNET4:
2022 case IPSEC_ID_IPV6_ADDR_SUBNET6: {
2023 int ret;
2024
2025 address = conf_get_str(section, "Network");
2026 if (!address) {
2027 log_print("ipsec_get_id: section %s has no "
2028 "\"Network\" tag", section);
2029 return -1;
2030 }
2031 if (text2sockaddr(address, NULL((void*)0), addr, af, 0)) {
2032 log_print("ipsec_get_id: invalid section %s "
2033 "network %s", section, address);
2034 return -1;
2035 }
2036 netmask = conf_get_str(section, "Netmask");
2037 if (!netmask) {
2038 log_print("ipsec_get_id: section %s has no "
2039 "\"Netmask\" tag", section);
2040 free(*addr);
2041 return -1;
2042 }
2043 if (text2sockaddr(netmask, NULL((void*)0), mask, af, 1)) {
2044 log_print("ipsec_get_id: invalid section %s "
2045 "network %s", section, netmask);
2046 free(*addr);
2047 return -1;
2048 }
2049 ret = ipsec_get_proto_port(section, tproto, port);
2050 if (ret < 0) {
2051 free(*mask);
2052 free(*addr);
2053 }
2054 return ret;
2055 }
2056
2057#ifdef notyet
2058 case IPSEC_ID_IPV4_RANGE7:
2059 return -1;
2060
2061 case IPSEC_ID_IPV6_RANGE8:
2062 return -1;
2063
2064 case IPSEC_ID_DER_ASN1_DN9:
2065 return -1;
2066
2067 case IPSEC_ID_DER_ASN1_GN10:
2068 return -1;
2069
2070 case IPSEC_ID_KEY_ID11:
2071 return -1;
2072#endif
2073
2074 default:
2075 log_print("ipsec_get_id: unknown ID type \"%s\" in "
2076 "section %s", type, section);
2077 return -1;
2078 }
2079
2080 return 0;
2081}
2082
2083/*
2084 * XXX I rather want this function to return a status code, and fail if
2085 * we cannot fit the information in the supplied buffer.
2086 */
2087static void
2088ipsec_decode_id(char *buf, size_t size, u_int8_t *id, size_t id_len,
2089 int isakmpform)
2090{
2091 int id_type;
2092 char *addr = 0, *mask = 0;
2093 u_int32_t *idp;
2094
2095 if (id) {
2096 if (!isakmpform) {
2097 /*
2098 * Exchanges and SAs dont carry the IDs in ISAKMP
2099 * form.
2100 */
2101 id -= ISAKMP_GEN_SZ4;
2102 id_len += ISAKMP_GEN_SZ4;
2103 }
2104 id_type = GET_ISAKMP_ID_TYPE(id)field_get_num (isakmp_id_fld + 0, id);
2105 idp = (u_int32_t *) (id + ISAKMP_ID_DATA_OFF8);
2106 switch (id_type) {
2107 case IPSEC_ID_IPV4_ADDR1:
2108 util_ntoa(&addr, AF_INET2, id + ISAKMP_ID_DATA_OFF8);
2109 snprintf(buf, size, "%s", addr);
2110 break;
2111
2112 case IPSEC_ID_IPV4_ADDR_SUBNET4:
2113 util_ntoa(&addr, AF_INET2, id + ISAKMP_ID_DATA_OFF8);
2114 util_ntoa(&mask, AF_INET2, id + ISAKMP_ID_DATA_OFF8 + 4);
2115 snprintf(buf, size, "%s/%s", addr, mask);
2116 break;
2117
2118 case IPSEC_ID_IPV6_ADDR5:
2119 util_ntoa(&addr, AF_INET624, id + ISAKMP_ID_DATA_OFF8);
2120 snprintf(buf, size, "%s", addr);
2121 break;
2122
2123 case IPSEC_ID_IPV6_ADDR_SUBNET6:
2124 util_ntoa(&addr, AF_INET624, id + ISAKMP_ID_DATA_OFF8);
2125 util_ntoa(&mask, AF_INET624, id + ISAKMP_ID_DATA_OFF8 +
2126 sizeof(struct in6_addr));
2127 snprintf(buf, size, "%s/%s", addr, mask);
2128 break;
2129
2130 case IPSEC_ID_FQDN2:
2131 case IPSEC_ID_USER_FQDN3:
2132 /* String is not NUL terminated, be careful */
2133 id_len -= ISAKMP_ID_DATA_OFF8;
2134 id_len = MINIMUM(id_len, size - 1)(((id_len) < (size - 1)) ? (id_len) : (size - 1));
2135 memcpy(buf, id + ISAKMP_ID_DATA_OFF8, id_len);
2136 buf[id_len] = '\0';
2137 break;
2138
2139 case IPSEC_ID_DER_ASN1_DN9:
2140 addr = x509_DN_string(id + ISAKMP_ID_DATA_OFF8,
2141 id_len - ISAKMP_ID_DATA_OFF8);
2142 if (!addr) {
2143 snprintf(buf, size, "unparsable ASN1 DN ID");
2144 return;
2145 }
2146 strlcpy(buf, addr, size);
2147 break;
2148
2149 default:
2150 snprintf(buf, size, "<id type unknown: %x>", id_type);
2151 break;
2152 }
2153 } else
2154 snprintf(buf, size, "<no ipsec id>");
2155 free(addr);
2156 free(mask);
2157}
2158
2159char *
2160ipsec_decode_ids(char *fmt, u_int8_t *id1, size_t id1_len, u_int8_t *id2,
2161 size_t id2_len, int isakmpform)
2162{
2163 static char result[1024];
2164 char s_id1[256], s_id2[256];
2165
2166 ipsec_decode_id(s_id1, sizeof s_id1, id1, id1_len, isakmpform);
2167 ipsec_decode_id(s_id2, sizeof s_id2, id2, id2_len, isakmpform);
2168
2169 snprintf(result, sizeof result, fmt, s_id1, s_id2);
2170 return result;
2171}
2172
2173/*
2174 * Out of a named section SECTION in the configuration file build an
2175 * ISAKMP ID payload. Ths payload size should be stashed in SZ.
2176 * The caller is responsible for freeing the payload.
2177 */
2178u_int8_t *
2179ipsec_build_id(char *section, size_t *sz)
2180{
2181 struct sockaddr *addr, *mask;
2182 u_int8_t *p;
2183 int id, subnet = 0;
2184 u_int8_t tproto = 0;
2185 u_int16_t port = 0;
2186
2187 if (ipsec_get_id(section, &id, &addr, &mask, &tproto, &port))
2188 return 0;
2189
2190 if (id == IPSEC_ID_IPV4_ADDR_SUBNET4 || id == IPSEC_ID_IPV6_ADDR_SUBNET6)
2191 subnet = 1;
2192
2193 *sz = ISAKMP_ID_SZ8 + sockaddr_addrlen(addr);
2194 if (subnet)
2195 *sz += sockaddr_addrlen(mask);
2196
2197 p = malloc(*sz);
2198 if (!p) {
2199 log_print("ipsec_build_id: malloc(%lu) failed",
2200 (unsigned long)*sz);
2201 if (subnet)
2202 free(mask);
2203 free(addr);
2204 return 0;
2205 }
2206 SET_ISAKMP_ID_TYPE(p, id)field_set_num (isakmp_id_fld + 0, p, id);
2207 SET_ISAKMP_ID_DOI_DATA(p, (unsigned char *)"\000\000\000")field_set_raw (isakmp_id_fld + 1, p, (unsigned char *)"\000\000\000"
)
;
2208
2209 memcpy(p + ISAKMP_ID_DATA_OFF8, sockaddr_addrdata(addr),
2210 sockaddr_addrlen(addr));
2211 if (subnet)
2212 memcpy(p + ISAKMP_ID_DATA_OFF8 + sockaddr_addrlen(addr),
2213 sockaddr_addrdata(mask), sockaddr_addrlen(mask));
2214
2215 SET_IPSEC_ID_PROTO(p + ISAKMP_ID_DOI_DATA_OFF, tproto)field_set_num (ipsec_id_fld + 0, p + 5, tproto);
2216 SET_IPSEC_ID_PORT(p + ISAKMP_ID_DOI_DATA_OFF, port)field_set_num (ipsec_id_fld + 1, p + 5, port);
2217
2218 if (subnet)
2219 free(mask);
2220 free(addr);
2221 return p;
2222}
2223
2224/*
2225 * copy an ISAKMPD id
2226 */
2227int
2228ipsec_clone_id(u_int8_t **did, size_t *did_len, u_int8_t *id, size_t id_len)
2229{
2230 free(*did);
2231
2232 if (!id_len || !id) {
2233 *did = 0;
2234 *did_len = 0;
2235 return 0;
2236 }
2237 *did = malloc(id_len);
2238 if (!*did) {
2239 *did_len = 0;
2240 log_error("ipsec_clone_id: malloc(%lu) failed",
2241 (unsigned long)id_len);
2242 return -1;
2243 }
2244 *did_len = id_len;
2245 memcpy(*did, id, id_len);
2246
2247 return 0;
2248}
2249
2250/*
2251 * IPsec-specific PROTO initializations. SECTION is only set if we are the
2252 * initiator thus only usable there.
2253 * XXX I want to fix this later.
2254 */
2255void
2256ipsec_proto_init(struct proto *proto, char *section)
2257{
2258 struct ipsec_proto *iproto = proto->data;
2259
2260 if (proto->sa->phase == 2)
2261 iproto->replay_window = section ? conf_get_num(section,
2262 "ReplayWindow", DEFAULT_REPLAY_WINDOW16) :
2263 DEFAULT_REPLAY_WINDOW16;
2264}
2265
2266/*
2267 * Add a notification payload of type INITIAL CONTACT to MSG if this is
2268 * the first contact we have made to our peer.
2269 */
2270int
2271ipsec_initial_contact(struct message *msg)
2272{
2273 u_int8_t *buf;
2274
2275 if (ipsec_contacted(msg))
2276 return 0;
2277
2278 buf = malloc(ISAKMP_NOTIFY_SZ12 + ISAKMP_HDR_COOKIES_LEN(8 + 8));
2279 if (!buf) {
2280 log_error("ike_phase_1_initial_contact: malloc (%d) failed",
2281 ISAKMP_NOTIFY_SZ12 + ISAKMP_HDR_COOKIES_LEN(8 + 8));
2282 return -1;
2283 }
2284 SET_ISAKMP_NOTIFY_DOI(buf, IPSEC_DOI_IPSEC)field_set_num (isakmp_notify_fld + 0, buf, 1);
2285 SET_ISAKMP_NOTIFY_PROTO(buf, ISAKMP_PROTO_ISAKMP)field_set_num (isakmp_notify_fld + 1, buf, 1);
2286 SET_ISAKMP_NOTIFY_SPI_SZ(buf, ISAKMP_HDR_COOKIES_LEN)field_set_num (isakmp_notify_fld + 2, buf, (8 + 8));
2287 SET_ISAKMP_NOTIFY_MSG_TYPE(buf, IPSEC_NOTIFY_INITIAL_CONTACT)field_set_num (isakmp_notify_fld + 3, buf, 24578);
2288 memcpy(buf + ISAKMP_NOTIFY_SPI_OFF12, msg->isakmp_sa->cookies,
2289 ISAKMP_HDR_COOKIES_LEN(8 + 8));
2290 if (message_add_payload(msg, ISAKMP_PAYLOAD_NOTIFY11, buf,
2291 ISAKMP_NOTIFY_SZ12 + ISAKMP_HDR_COOKIES_LEN(8 + 8), 1)) {
2292 free(buf);
2293 return -1;
2294 }
2295 return ipsec_add_contact(msg);
2296}
2297
2298/*
2299 * Compare the two contacts pointed to by A and B. Return negative if
2300 * *A < *B, 0 if they are equal, and positive if *A is the largest of them.
2301 */
2302static int
2303addr_cmp(const void *a, const void *b)
2304{
2305 const struct contact *x = a, *y = b;
2306 int minlen = MINIMUM(x->len, y->len)(((x->len) < (y->len)) ? (x->len) : (y->len));
2307 int rv = memcmp(x->addr, y->addr, minlen);
2308
2309 return rv ? rv : (x->len - y->len);
2310}
2311
2312/*
2313 * Add the peer that MSG is bound to as an address we don't want to send
2314 * INITIAL CONTACT too from now on. Do not call this function with a
2315 * specific address duplicate times. We want fast lookup, speed of insertion
2316 * is unimportant, if this is to scale.
2317 */
2318static int
2319ipsec_add_contact(struct message *msg)
2320{
2321 struct contact *new_contacts;
2322 struct sockaddr *dst, *addr;
2323 int cnt;
2324
2325 if (contact_cnt == contact_limit) {
2326 cnt = contact_limit ? 2 * contact_limit : 64;
2327 new_contacts = reallocarray(contacts, cnt, sizeof contacts[0]);
2328 if (!new_contacts) {
2329 log_error("ipsec_add_contact: "
2330 "realloc (%p, %lu) failed", contacts,
2331 cnt * (unsigned long) sizeof contacts[0]);
2332 return -1;
2333 }
2334 contact_limit = cnt;
2335 contacts = new_contacts;
2336 }
2337 msg->transport->vtbl->get_dst(msg->transport, &dst);
2338 addr = malloc(SA_LEN(dst)((dst)->sa_len));
2339 if (!addr) {
2340 log_error("ipsec_add_contact: malloc (%lu) failed",
2341 (unsigned long)SA_LEN(dst)((dst)->sa_len));
2342 return -1;
2343 }
2344 memcpy(addr, dst, SA_LEN(dst)((dst)->sa_len));
2345 contacts[contact_cnt].addr = addr;
2346 contacts[contact_cnt++].len = SA_LEN(dst)((dst)->sa_len);
2347
2348 /*
2349 * XXX There are better algorithms for already mostly-sorted data like
2350 * this, but only qsort is standard. I will someday do this inline.
2351 */
2352 qsort(contacts, contact_cnt, sizeof *contacts, addr_cmp);
2353 return 0;
2354}
2355
2356/* Return true if the recipient of MSG has already been contacted. */
2357static int
2358ipsec_contacted(struct message *msg)
2359{
2360 struct contact contact;
2361
2362 msg->transport->vtbl->get_dst(msg->transport, &contact.addr);
2363 contact.len = SA_LEN(contact.addr)((contact.addr)->sa_len);
2364 return contacts ? (bsearch(&contact, contacts, contact_cnt,
2365 sizeof *contacts, addr_cmp) != 0) : 0;
2366}
2367
2368/* Add a HASH for to MSG. */
2369u_int8_t *
2370ipsec_add_hash_payload(struct message *msg, size_t hashsize)
2371{
2372 u_int8_t *buf;
2373
2374 buf = malloc(ISAKMP_HASH_SZ4 + hashsize);
2375 if (!buf) {
2376 log_error("ipsec_add_hash_payload: malloc (%lu) failed",
2377 ISAKMP_HASH_SZ4 + (unsigned long) hashsize);
2378 return 0;
2379 }
2380 if (message_add_payload(msg, ISAKMP_PAYLOAD_HASH8, buf,
2381 ISAKMP_HASH_SZ4 + hashsize, 1)) {
2382 free(buf);
2383 return 0;
2384 }
2385 return buf;
2386}
2387
2388/* Fill in the HASH payload of MSG. */
2389int
2390ipsec_fill_in_hash(struct message *msg)
2391{
2392 struct exchange *exchange = msg->exchange;
2393 struct sa *isakmp_sa = msg->isakmp_sa;
2394 struct ipsec_sa *isa = isakmp_sa->data;
2395 struct hash *hash = hash_get(isa->hash);
2396 struct prf *prf;
2397 struct payload *payload;
2398 u_int8_t *buf;
2399 u_int32_t i;
2400 char header[80];
2401
2402 /* If no SKEYID_a, we need not do anything. */
2403 if (!isa->skeyid_a)
2404 return 0;
2405
2406 payload = payload_first(msg, ISAKMP_PAYLOAD_HASH8);
2407 if (!payload) {
2408 log_print("ipsec_fill_in_hash: no HASH payload found");
2409 return -1;
2410 }
2411 buf = payload->p;
2412
2413 /* Allocate the prf and start calculating our HASH(1). */
2414 LOG_DBG_BUF((LOG_MISC, 90, "ipsec_fill_in_hash: SKEYID_a",log_debug_buf (LOG_MISC, 90, "ipsec_fill_in_hash: SKEYID_a", isa
->skeyid_a, isa->skeyid_len)
2415 isa->skeyid_a, isa->skeyid_len))log_debug_buf (LOG_MISC, 90, "ipsec_fill_in_hash: SKEYID_a", isa
->skeyid_a, isa->skeyid_len)
;
2416 prf = prf_alloc(isa->prf_type, hash->type, isa->skeyid_a,
2417 isa->skeyid_len);
2418 if (!prf)
2419 return -1;
2420
2421 prf->Init(prf->prfctx);
2422 LOG_DBG_BUF((LOG_MISC, 90, "ipsec_fill_in_hash: message_id",log_debug_buf (LOG_MISC, 90, "ipsec_fill_in_hash: message_id"
, exchange->message_id, 4)
2423 exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN))log_debug_buf (LOG_MISC, 90, "ipsec_fill_in_hash: message_id"
, exchange->message_id, 4)
;
2424 prf->Update(prf->prfctx, exchange->message_id,
2425 ISAKMP_HDR_MESSAGE_ID_LEN4);
2426
2427 /* Loop over all payloads after HASH(1). */
2428 for (i = 2; i < msg->iovlen; i++) {
2429 /* XXX Misleading payload type printouts. */
2430 snprintf(header, sizeof header,
2431 "ipsec_fill_in_hash: payload %d after HASH(1)", i - 1);
2432 LOG_DBG_BUF((LOG_MISC, 90, header, msg->iov[i].iov_base,log_debug_buf (LOG_MISC, 90, header, msg->iov[i].iov_base,
msg->iov[i].iov_len)
2433 msg->iov[i].iov_len))log_debug_buf (LOG_MISC, 90, header, msg->iov[i].iov_base,
msg->iov[i].iov_len)
;
2434 prf->Update(prf->prfctx, msg->iov[i].iov_base,
2435 msg->iov[i].iov_len);
2436 }
2437 prf->Final(buf + ISAKMP_HASH_DATA_OFF4, prf->prfctx);
2438 prf_free(prf);
2439 LOG_DBG_BUF((LOG_MISC, 80, "ipsec_fill_in_hash: HASH(1)", buf +log_debug_buf (LOG_MISC, 80, "ipsec_fill_in_hash: HASH(1)", buf
+ 4, hash->hashsize)
2440 ISAKMP_HASH_DATA_OFF, hash->hashsize))log_debug_buf (LOG_MISC, 80, "ipsec_fill_in_hash: HASH(1)", buf
+ 4, hash->hashsize)
;
2441
2442 return 0;
2443}
2444
2445/* Add a HASH payload to MSG, if we have an ISAKMP SA we're protected by. */
2446static int
2447ipsec_informational_pre_hook(struct message *msg)
2448{
2449 struct sa *isakmp_sa = msg->isakmp_sa;
2450 struct ipsec_sa *isa;
2451 struct hash *hash;
2452
2453 if (!isakmp_sa)
2454 return 0;
2455 isa = isakmp_sa->data;
2456 hash = hash_get(isa->hash);
2457 return ipsec_add_hash_payload(msg, hash->hashsize) == 0;
2458}
2459
2460/*
2461 * Fill in the HASH payload in MSG, if we have an ISAKMP SA we're protected by.
2462 */
2463static int
2464ipsec_informational_post_hook(struct message *msg)
2465{
2466 if (!msg->isakmp_sa)
2467 return 0;
2468 return ipsec_fill_in_hash(msg);
2469}
2470
2471ssize_t
2472ipsec_id_size(char *section, u_int8_t *id)
2473{
2474 char *type, *data;
2475
2476 type = conf_get_str(section, "ID-type");
2477 if (!type) {
2478 log_print("ipsec_id_size: section %s has no \"ID-type\" tag",
2479 section);
2480 return -1;
2481 }
2482 *id = constant_value(ipsec_id_cst, type);
2483 switch (*id) {
2484 case IPSEC_ID_IPV4_ADDR1:
2485 return sizeof(struct in_addr);
2486 case IPSEC_ID_IPV4_ADDR_SUBNET4:
2487 return 2 * sizeof(struct in_addr);
2488 case IPSEC_ID_IPV6_ADDR5:
2489 return sizeof(struct in6_addr);
2490 case IPSEC_ID_IPV6_ADDR_SUBNET6:
2491 return 2 * sizeof(struct in6_addr);
2492 case IPSEC_ID_FQDN2:
2493 case IPSEC_ID_USER_FQDN3:
2494 case IPSEC_ID_KEY_ID11:
2495 case IPSEC_ID_DER_ASN1_DN9:
2496 case IPSEC_ID_DER_ASN1_GN10:
2497 data = conf_get_str(section, "Name");
2498 if (!data) {
2499 log_print("ipsec_id_size: "
2500 "section %s has no \"Name\" tag", section);
2501 return -1;
2502 }
2503 return strlen(data);
2504 }
2505 log_print("ipsec_id_size: unrecognized/unsupported ID-type %d (%s)",
2506 *id, type);
2507 return -1;
2508}
2509
2510/*
2511 * Generate a string version of the ID.
2512 */
2513char *
2514ipsec_id_string(u_int8_t *id, size_t id_len)
2515{
2516 char *buf = 0;
2517 char *addrstr = 0;
2518 size_t len, size;
2519
2520 /*
2521 * XXX Real ugly way of making the offsets correct. Be aware that id
2522 * now will point before the actual buffer and cannot be dereferenced
2523 * without an offset larger than or equal to ISAKM_GEN_SZ.
2524 */
2525 id -= ISAKMP_GEN_SZ4;
2526
2527 /* This is the actual length of the ID data field. */
2528 id_len += ISAKMP_GEN_SZ4 - ISAKMP_ID_DATA_OFF8;
2529
2530 /*
2531 * Conservative allocation.
2532 * XXX I think the ASN1 DN case can be thought through to give a better
2533 * estimate.
2534 */
2535 size = MAXIMUM(sizeof "ipv6/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff",(((sizeof "ipv6/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff") >
(sizeof "asn1_dn/" + id_len)) ? (sizeof "ipv6/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"
) : (sizeof "asn1_dn/" + id_len))
2536 sizeof "asn1_dn/" + id_len)(((sizeof "ipv6/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff") >
(sizeof "asn1_dn/" + id_len)) ? (sizeof "ipv6/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"
) : (sizeof "asn1_dn/" + id_len))
;
2537 buf = malloc(size);
2538 if (!buf)
2539 /* XXX Log? */
2540 goto fail;
2541
2542 switch (GET_ISAKMP_ID_TYPE(id)field_get_num (isakmp_id_fld + 0, id)) {
2543 case IPSEC_ID_IPV4_ADDR1:
2544 if (id_len < sizeof(struct in_addr))
2545 goto fail;
2546 util_ntoa(&addrstr, AF_INET2, id + ISAKMP_ID_DATA_OFF8);
2547 if (!addrstr)
2548 goto fail;
2549 snprintf(buf, size, "ipv4/%s", addrstr);
2550 break;
2551
2552 case IPSEC_ID_IPV6_ADDR5:
2553 if (id_len < sizeof(struct in6_addr))
2554 goto fail;
2555 util_ntoa(&addrstr, AF_INET624, id + ISAKMP_ID_DATA_OFF8);
2556 if (!addrstr)
2557 goto fail;
2558 snprintf(buf, size, "ipv6/%s", addrstr);
2559 break;
2560
2561 case IPSEC_ID_FQDN2:
2562 case IPSEC_ID_USER_FQDN3:
2563 strlcpy(buf, GET_ISAKMP_ID_TYPE(id)field_get_num (isakmp_id_fld + 0, id) == IPSEC_ID_FQDN2 ?
2564 "fqdn/" : "ufqdn/", size);
2565 len = strlen(buf);
2566
2567 memcpy(buf + len, id + ISAKMP_ID_DATA_OFF8, id_len);
2568 *(buf + len + id_len) = '\0';
2569 break;
2570
2571 case IPSEC_ID_DER_ASN1_DN9:
2572 strlcpy(buf, "asn1_dn/", size);
2573 len = strlen(buf);
2574 addrstr = x509_DN_string(id + ISAKMP_ID_DATA_OFF8, id_len);
2575 if (!addrstr)
2576 goto fail;
2577 if (size < len + strlen(addrstr) + 1)
2578 goto fail;
2579 strlcpy(buf + len, addrstr, size - len);
2580 break;
2581
2582 default:
2583 /* Unknown type. */
2584 LOG_DBG((LOG_MISC, 10,log_debug (LOG_MISC, 10, "ipsec_id_string: unknown identity type %d\n"
, field_get_num (isakmp_id_fld + 0, id))
2585 "ipsec_id_string: unknown identity type %d\n",log_debug (LOG_MISC, 10, "ipsec_id_string: unknown identity type %d\n"
, field_get_num (isakmp_id_fld + 0, id))
2586 GET_ISAKMP_ID_TYPE(id)))log_debug (LOG_MISC, 10, "ipsec_id_string: unknown identity type %d\n"
, field_get_num (isakmp_id_fld + 0, id))
;
2587 goto fail;
2588 }
2589
2590 free(addrstr);
2591 return buf;
2592
2593fail:
2594 free(buf);
2595 free(addrstr);
2596 return 0;
2597}