1 /* demultiplex incoming IKE messages
2 * Copyright (C) 1997 Angelos D. Keromytis.
3 * Copyright (C) 1998-2002 D. Hugh Redelmeier.
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
18 /* Ordering Constraints on Payloads
20 * rfc2409: The Internet Key Exchange (IKE)
23 * "The SA payload MUST precede all other payloads in a phase 1 exchange."
25 * "Except where otherwise noted, there are no requirements for ISAKMP
26 * payloads in any message to be in any particular order."
28 * 5.3 Phase 1 Authenticated With a Revised Mode of Public Key Encryption:
30 * "If the HASH payload is sent it MUST be the first payload of the
31 * second message exchange and MUST be followed by the encrypted
32 * nonce. If the HASH payload is not sent, the first payload of the
33 * second message exchange MUST be the encrypted nonce."
35 * "Save the requirements on the location of the optional HASH payload
36 * and the mandatory nonce payload there are no further payload
37 * requirements. All payloads-- in whatever order-- following the
38 * encrypted nonce MUST be encrypted with Ke_i or Ke_r depending on the
41 * 5.5 Phase 2 - Quick Mode
43 * "In Quick Mode, a HASH payload MUST immediately follow the ISAKMP
44 * header and a SA payload MUST immediately follow the HASH."
45 * [NOTE: there may be more than one SA payload, so this is not
46 * totally reasonable. Probably all SAs should be so constrained.]
48 * "If ISAKMP is acting as a client negotiator on behalf of another
49 * party, the identities of the parties MUST be passed as IDci and
52 * "With the exception of the HASH, SA, and the optional ID payloads,
53 * there are no payload ordering restrictions on Quick Mode."
56 /* Unfolding of Identity -- a central mystery
58 * This concerns Phase 1 identities, those of the IKE hosts.
59 * These are the only ones that are authenticated. Phase 2
60 * identities are for IPsec SAs.
62 * There are three case of interest:
64 * (1) We initiate, based on a whack command specifying a Connection.
65 * We know the identity of the peer from the Connection.
67 * (2) (to be implemented) we initiate based on a flow from our client
69 * We immediately know one of the peer's client IP addresses from
70 * the flow. We must use this to figure out the peer's IP address
71 * and Id. To be solved.
73 * (3) We respond to an IKE negotiation.
74 * We immediately know the peer's IP address.
75 * We get an ID Payload in Main I2.
77 * Unfortunately, this is too late for a number of things:
78 * - the ISAKMP SA proposals have already been made (Main I1)
79 * AND one accepted (Main R1)
80 * - the SA includes a specification of the type of ID
81 * authentication so this is negotiated without being told the ID.
82 * - with Preshared Key authentication, Main I2 is encrypted
83 * using the key, so it cannot be decoded to reveal the ID
84 * without knowing (or guessing) which key to use.
86 * There are three reasonable choices here for the responder:
87 * + assume that the initiator is making wise offers since it
88 * knows the IDs involved. We can balk later (but not gracefully)
89 * when we find the actual initiator ID
90 * + attempt to infer identity by IP address. Again, we can balk
91 * when the true identity is revealed. Actually, it is enough
92 * to infer properties of the identity (eg. SA properties and
94 * + make all properties universal so discrimination based on
95 * identity isn't required. For example, always accept the same
96 * kinds of encryption. Accept Public Key Id authentication
97 * since the Initiator presumably has our public key and thinks
98 * we must have / can find his. This approach is weakest
99 * for preshared key since the actual key must be known to
100 * decrypt the Initiator's ID Payload.
101 * These choices can be blended. For example, a class of Identities
102 * can be inferred, sufficient to select a preshared key but not
103 * sufficient to infer a unique identity.
112 #include <sys/types.h>
113 #include <sys/time.h> /* only used for belt-and-suspenders select call */
114 #include <sys/poll.h> /* only used for forensic poll call */
115 #include <sys/socket.h>
116 #include <netinet/in.h>
117 #include <arpa/inet.h>
120 #if defined(IP_RECVERR) && defined(MSG_ERRQUEUE)
121 # include <asm/types.h> /* for __u8, __u32 */
122 # include <linux/errqueue.h>
123 # include <sys/uio.h> /* struct iovec */
126 #include <freeswan.h>
128 #include "constants.h"
133 #include "connections.h" /* needs id.h */
138 #include "crypto.h" /* requires sha1.h and md5.h */
141 #include "demux.h" /* needs packet.h */
142 #include "ipsec_doi.h" /* needs demux.h and state.h */
144 #include "whack.h" /* requires connections.h */
148 #include "nat_traversal.h"
152 /* This file does basic header checking and demux of
156 /* forward declarations */
157 static bool read_packet(struct msg_digest *md);
158 static void process_packet(struct msg_digest **mdp);
160 /* Reply messages are built in this buffer.
161 * Only one state transition function can be using it at a time
162 * so suspended STFs must save and restore it.
163 * It could be an auto variable of complete_state_transition except for the fact
164 * that when a suspended STF resumes, its reply message buffer
165 * must be at the same location -- there are pointers into it.
167 u_int8_t reply_buffer[MAX_OUTPUT_UDP_SIZE];
169 /* state_microcode is a tuple of information parameterizing certain
170 * centralized processing of a packet. For example, it roughly
171 * specifies what payloads are expected in this message.
172 * The microcode is selected primarily based on the state.
173 * In Phase 1, the payload structure often depends on the
174 * authentication technique, so that too plays a part in selecting
175 * the state_microcode to use.
178 struct state_microcode {
179 enum state_kind state, next_state;
181 lset_t req_payloads; /* required payloads (allows just one) */
182 lset_t opt_payloads; /* optional payloads (any mumber) */
183 /* if not ISAKMP_NEXT_NONE, process_packet will emit HDR with this as np */
184 u_int8_t first_out_payload;
185 enum event_type timeout_event;
186 state_transition_fn *processor;
189 /* State Microcode Flags, in several groups */
191 /* Oakley Auth values: to which auth values does this entry apply?
192 * Most entries will use SMF_ALL_AUTH because they apply to all.
193 * Note: SMF_ALL_AUTH matches 0 for those circumstances when no auth
196 #define SMF_ALL_AUTH LRANGE(0, OAKLEY_AUTH_ROOF-1)
197 #define SMF_PSK_AUTH LELEM(OAKLEY_PRESHARED_KEY)
198 #define SMF_DS_AUTH (LELEM(OAKLEY_DSS_SIG) | LELEM(OAKLEY_RSA_SIG))
199 #define SMF_PKE_AUTH (LELEM(OAKLEY_RSA_ENC) | LELEM(OAKLEY_ELGAMAL_ENC))
200 #define SMF_RPKE_AUTH (LELEM(OAKLEY_RSA_ENC_REV) | LELEM(OAKLEY_ELGAMAL_ENC_REV))
204 #define SMF_INITIATOR LELEM(OAKLEY_AUTH_ROOF + 0)
205 #define SMF_FIRST_ENCRYPTED_INPUT LELEM(OAKLEY_AUTH_ROOF + 1)
206 #define SMF_INPUT_ENCRYPTED LELEM(OAKLEY_AUTH_ROOF + 2)
207 #define SMF_OUTPUT_ENCRYPTED LELEM(OAKLEY_AUTH_ROOF + 3)
208 #define SMF_RETRANSMIT_ON_DUPLICATE LELEM(OAKLEY_AUTH_ROOF + 4)
210 #define SMF_ENCRYPTED (SMF_INPUT_ENCRYPTED | SMF_OUTPUT_ENCRYPTED)
212 /* this state generates a reply message */
213 #define SMF_REPLY LELEM(OAKLEY_AUTH_ROOF + 5)
215 /* this state completes P1, so any pending P2 negotiations should start */
216 #define SMF_RELEASE_PENDING_P2 LELEM(OAKLEY_AUTH_ROOF + 6)
221 static state_transition_fn /* forward declaration */
225 /* state_microcode_table is a table of all state_microcode tuples.
226 * It must be in order of state (the first element).
227 * After initialization, ike_microcode_index[s] points to the
228 * first entry in state_microcode_table for state s.
229 * Remember that each state name in Main or Quick Mode describes
230 * what has happened in the past, not what this message is.
233 static const struct state_microcode
234 *ike_microcode_index[STATE_IKE_ROOF - STATE_IKE_FLOOR];
236 static const struct state_microcode state_microcode_table[] = {
237 #define PT(n) ISAKMP_NEXT_##n
238 #define P(n) LELEM(PT(n))
240 /***** Phase 1 Main Mode *****/
242 /* No state for main_outI1: --> HDR, SA */
244 /* STATE_MAIN_R0: I1 --> R1
245 * HDR, SA --> HDR, SA
247 { STATE_MAIN_R0, STATE_MAIN_R1
248 , SMF_ALL_AUTH | SMF_REPLY
249 , P(SA), P(VID) | P(CR), PT(NONE)
250 , EVENT_RETRANSMIT, main_inI1_outR1},
252 /* STATE_MAIN_I1: R1 --> I2
253 * HDR, SA --> auth dependent
254 * SMF_PSK_AUTH, SMF_DS_AUTH: --> HDR, KE, Ni
256 * --> HDR, KE, [ HASH(1), ] <IDi1_b>PubKey_r, <Ni_b>PubKey_r
258 * --> HDR, [ HASH(1), ] <Ni_b>Pubkey_r, <KE_b>Ke_i, <IDi1_b>Ke_i [,<<Cert-I_b>Ke_i]
259 * Note: since we don't know auth at start, we cannot differentiate
260 * microcode entries based on it.
262 { STATE_MAIN_I1, STATE_MAIN_I2
263 , SMF_ALL_AUTH | SMF_INITIATOR | SMF_REPLY
264 , P(SA), P(VID) | P(CR), PT(NONE) /* don't know yet */
265 , EVENT_RETRANSMIT, main_inR1_outI2 },
267 /* STATE_MAIN_R1: I2 --> R2
268 * SMF_PSK_AUTH, SMF_DS_AUTH: HDR, KE, Ni --> HDR, KE, Nr
269 * SMF_PKE_AUTH: HDR, KE, [ HASH(1), ] <IDi1_b>PubKey_r, <Ni_b>PubKey_r
270 * --> HDR, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i
272 * HDR, [ HASH(1), ] <Ni_b>Pubkey_r, <KE_b>Ke_i, <IDi1_b>Ke_i [,<<Cert-I_b>Ke_i]
273 * --> HDR, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDr1_b>Ke_r
275 { STATE_MAIN_R1, STATE_MAIN_R2
276 , SMF_PSK_AUTH | SMF_DS_AUTH | SMF_REPLY
278 , P(KE) | P(NONCE), P(VID) | P(CR) | P(NATD_RFC), PT(KE)
280 , P(KE) | P(NONCE), P(VID) | P(CR), PT(KE)
282 , EVENT_RETRANSMIT, main_inI2_outR2 },
284 { STATE_MAIN_R1, STATE_UNDEFINED
285 , SMF_PKE_AUTH | SMF_REPLY
286 , P(KE) | P(ID) | P(NONCE), P(VID) | P(HASH), PT(KE)
287 , EVENT_RETRANSMIT, unexpected /* ??? not yet implemented */ },
289 { STATE_MAIN_R1, STATE_UNDEFINED
290 , SMF_RPKE_AUTH | SMF_REPLY
291 , P(NONCE) | P(KE) | P(ID), P(VID) | P(HASH) | P(CERT), PT(NONCE)
292 , EVENT_RETRANSMIT, unexpected /* ??? not yet implemented */ },
294 /* for states from here on, output message must be encrypted */
296 /* STATE_MAIN_I2: R2 --> I3
297 * SMF_PSK_AUTH: HDR, KE, Nr --> HDR*, IDi1, HASH_I
298 * SMF_DS_AUTH: HDR, KE, Nr --> HDR*, IDi1, [ CERT, ] SIG_I
299 * SMF_PKE_AUTH: HDR, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i
301 * SMF_RPKE_AUTH: HDR, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDr1_b>Ke_r
304 { STATE_MAIN_I2, STATE_MAIN_I3
305 , SMF_PSK_AUTH | SMF_DS_AUTH | SMF_INITIATOR | SMF_OUTPUT_ENCRYPTED | SMF_REPLY
307 , P(KE) | P(NONCE), P(VID) | P(CR) | P(NATD_RFC), PT(ID)
309 , P(KE) | P(NONCE), P(VID) | P(CR), PT(ID)
311 , EVENT_RETRANSMIT, main_inR2_outI3 },
313 { STATE_MAIN_I2, STATE_UNDEFINED
314 , SMF_PKE_AUTH | SMF_INITIATOR | SMF_OUTPUT_ENCRYPTED | SMF_REPLY
315 , P(KE) | P(ID) | P(NONCE), P(VID), PT(HASH)
316 , EVENT_RETRANSMIT, unexpected /* ??? not yet implemented */ },
318 { STATE_MAIN_I2, STATE_UNDEFINED
319 , SMF_ALL_AUTH | SMF_INITIATOR | SMF_OUTPUT_ENCRYPTED | SMF_REPLY
320 , P(NONCE) | P(KE) | P(ID), P(VID), PT(HASH)
321 , EVENT_RETRANSMIT, unexpected /* ??? not yet implemented */ },
323 /* for states from here on, input message must be encrypted */
325 /* STATE_MAIN_R2: I3 --> R3
326 * SMF_PSK_AUTH: HDR*, IDi1, HASH_I --> HDR*, IDr1, HASH_R
327 * SMF_DS_AUTH: HDR*, IDi1, [ CERT, ] SIG_I --> HDR*, IDr1, [ CERT, ] SIG_R
328 * SMF_PKE_AUTH, SMF_RPKE_AUTH: HDR*, HASH_I --> HDR*, HASH_R
330 { STATE_MAIN_R2, STATE_MAIN_R3
331 , SMF_PSK_AUTH | SMF_FIRST_ENCRYPTED_INPUT | SMF_ENCRYPTED
332 | SMF_REPLY | SMF_RELEASE_PENDING_P2
333 , P(ID) | P(HASH), P(VID), PT(NONE)
334 , EVENT_SA_REPLACE, main_inI3_outR3 },
336 { STATE_MAIN_R2, STATE_MAIN_R3
337 , SMF_DS_AUTH | SMF_FIRST_ENCRYPTED_INPUT | SMF_ENCRYPTED
338 | SMF_REPLY | SMF_RELEASE_PENDING_P2
339 , P(ID) | P(SIG), P(VID) | P(CERT) | P(CR), PT(NONE)
340 , EVENT_SA_REPLACE, main_inI3_outR3 },
342 { STATE_MAIN_R2, STATE_UNDEFINED
343 , SMF_PKE_AUTH | SMF_RPKE_AUTH | SMF_FIRST_ENCRYPTED_INPUT | SMF_ENCRYPTED
344 | SMF_REPLY | SMF_RELEASE_PENDING_P2
345 , P(HASH), P(VID), PT(NONE)
346 , EVENT_SA_REPLACE, unexpected /* ??? not yet implemented */ },
348 /* STATE_MAIN_I3: R3 --> done
349 * SMF_PSK_AUTH: HDR*, IDr1, HASH_R --> done
350 * SMF_DS_AUTH: HDR*, IDr1, [ CERT, ] SIG_R --> done
351 * SMF_PKE_AUTH, SMF_RPKE_AUTH: HDR*, HASH_R --> done
352 * May initiate quick mode by calling quick_outI1
354 { STATE_MAIN_I3, STATE_MAIN_I4
355 , SMF_PSK_AUTH | SMF_INITIATOR
356 | SMF_FIRST_ENCRYPTED_INPUT | SMF_ENCRYPTED | SMF_RELEASE_PENDING_P2
357 , P(ID) | P(HASH), P(VID), PT(NONE)
358 , EVENT_SA_REPLACE, main_inR3 },
360 { STATE_MAIN_I3, STATE_MAIN_I4
361 , SMF_DS_AUTH | SMF_INITIATOR
362 | SMF_FIRST_ENCRYPTED_INPUT | SMF_ENCRYPTED | SMF_RELEASE_PENDING_P2
363 , P(ID) | P(SIG), P(VID) | P(CERT), PT(NONE)
364 , EVENT_SA_REPLACE, main_inR3 },
366 { STATE_MAIN_I3, STATE_UNDEFINED
367 , SMF_PKE_AUTH | SMF_RPKE_AUTH | SMF_INITIATOR
368 | SMF_FIRST_ENCRYPTED_INPUT | SMF_ENCRYPTED | SMF_RELEASE_PENDING_P2
369 , P(HASH), P(VID), PT(NONE)
370 , EVENT_SA_REPLACE, unexpected /* ??? not yet implemented */ },
372 /* STATE_MAIN_R3: can only get here due to packet loss */
373 { STATE_MAIN_R3, STATE_UNDEFINED
374 , SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_RETRANSMIT_ON_DUPLICATE
376 , PT(NONE), EVENT_NULL, unexpected },
378 /* STATE_MAIN_I4: can only get here due to packet loss */
379 { STATE_MAIN_I4, STATE_UNDEFINED
380 , SMF_ALL_AUTH | SMF_INITIATOR | SMF_ENCRYPTED
382 , PT(NONE), EVENT_NULL, unexpected },
385 /***** Phase 1 Aggressive Mode *****/
387 /* No state for aggr_outI1: -->HDR, SA, KE, Ni, IDii */
389 /* STATE_AGGR_R0: HDR, SA, KE, Ni, IDii -->
390 * HDR, SA, KE, Nr, IDir, HASH_R
392 { STATE_AGGR_R0, STATE_AGGR_R1, SMF_PSK_AUTH | SMF_REPLY,
393 P(SA) | P(KE) | P(NONCE) | P(ID), P(VID), PT(NONE),
394 EVENT_RETRANSMIT, aggr_inI1_outR1 },
396 /* STATE_AGGR_I1: HDR, SA, KE, Nr, IDir, HASH_R --> HDR*, HASH_I */
397 { STATE_AGGR_I1, STATE_AGGR_I2,
398 SMF_PSK_AUTH | SMF_INITIATOR | SMF_OUTPUT_ENCRYPTED | SMF_REPLY | SMF_RELEASE_PENDING_P2,
400 P(SA) | P(KE) | P(NONCE) | P(ID) | P(HASH), P(VID) | P(NATD_RFC), PT(NONE),
402 P(SA) | P(KE) | P(NONCE) | P(ID) | P(HASH), P(VID), PT(NONE),
405 EVENT_SA_REPLACE, aggr_inR1_outI2 },
407 /* STATE_AGGR_R1: HDR*, HASH_I --> done */
408 { STATE_AGGR_R1, STATE_AGGR_R2,
409 SMF_PSK_AUTH | SMF_FIRST_ENCRYPTED_INPUT | SMF_ENCRYPTED | SMF_RELEASE_PENDING_P2,
411 P(HASH), P(VID)| P(NATD_RFC), PT(NONE),
413 P(HASH), P(VID), PT(NONE),
415 EVENT_SA_REPLACE, aggr_inI2 },
417 /* STATE_AGGR_I2: can only get here due to packet loss */
418 { STATE_AGGR_I2, STATE_UNDEFINED,
419 SMF_PSK_AUTH | SMF_INITIATOR | SMF_RETRANSMIT_ON_DUPLICATE | SMF_RELEASE_PENDING_P2,
420 LEMPTY, LEMPTY, PT(NONE), EVENT_NULL, unexpected },
422 /* STATE_AGGR_R2: can only get here due to packet loss */
423 { STATE_AGGR_R2, STATE_UNDEFINED, SMF_PSK_AUTH,
424 LEMPTY, LEMPTY, PT(NONE), EVENT_NULL, unexpected },
428 /***** Phase 2 Quick Mode *****/
430 /* No state for quick_outI1:
431 * --> HDR*, HASH(1), SA, Nr [, KE ] [, IDci, IDcr ]
435 * HDR*, HASH(1), SA, Ni [, KE ] [, IDci, IDcr ] -->
436 * HDR*, HASH(2), SA, Nr [, KE ] [, IDci, IDcr ]
437 * Installs inbound IPsec SAs.
438 * Because it may suspend for asynchronous DNS, first_out_payload
439 * is set to NONE to suppress early emission of HDR*.
440 * ??? it is legal to have multiple SAs, but we don't support it yet.
442 { STATE_QUICK_R0, STATE_QUICK_R1
443 , SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY
445 , P(HASH) | P(SA) | P(NONCE), /* P(SA) | */ P(KE) | P(ID) | P(NATOA_RFC), PT(NONE)
447 , P(HASH) | P(SA) | P(NONCE), /* P(SA) | */ P(KE) | P(ID), PT(NONE)
449 , EVENT_RETRANSMIT, quick_inI1_outR1 },
452 * HDR*, HASH(2), SA, Nr [, KE ] [, IDci, IDcr ] -->
454 * Installs inbound and outbound IPsec SAs, routing, etc.
455 * ??? it is legal to have multiple SAs, but we don't support it yet.
457 { STATE_QUICK_I1, STATE_QUICK_I2
458 , SMF_ALL_AUTH | SMF_INITIATOR | SMF_ENCRYPTED | SMF_REPLY
460 , P(HASH) | P(SA) | P(NONCE), /* P(SA) | */ P(KE) | P(ID) | P(NATOA_RFC), PT(HASH)
462 , P(HASH) | P(SA) | P(NONCE), /* P(SA) | */ P(KE) | P(ID), PT(HASH)
464 , EVENT_SA_REPLACE, quick_inR1_outI2 },
466 /* STATE_QUICK_R1: HDR*, HASH(3) --> done
467 * Installs outbound IPsec SAs, routing, etc.
469 { STATE_QUICK_R1, STATE_QUICK_R2
470 , SMF_ALL_AUTH | SMF_ENCRYPTED
471 , P(HASH), LEMPTY, PT(NONE)
472 , EVENT_SA_REPLACE, quick_inI2 },
474 /* STATE_QUICK_I2: can only happen due to lost packet */
475 { STATE_QUICK_I2, STATE_UNDEFINED
476 , SMF_ALL_AUTH | SMF_INITIATOR | SMF_ENCRYPTED | SMF_RETRANSMIT_ON_DUPLICATE
477 , LEMPTY, LEMPTY, PT(NONE)
478 , EVENT_NULL, unexpected },
480 /* STATE_QUICK_R2: can only happen due to lost packet */
481 { STATE_QUICK_R2, STATE_UNDEFINED
482 , SMF_ALL_AUTH | SMF_ENCRYPTED
483 , LEMPTY, LEMPTY, PT(NONE)
484 , EVENT_NULL, unexpected },
487 /***** informational messages *****/
490 { STATE_INFO, STATE_UNDEFINED
492 , LEMPTY, LEMPTY, PT(NONE)
493 , EVENT_NULL, informational },
495 /* STATE_INFO_PROTECTED: */
496 { STATE_INFO_PROTECTED, STATE_UNDEFINED
497 , SMF_ALL_AUTH | SMF_ENCRYPTED
498 , P(HASH), LEMPTY, PT(NONE)
499 , EVENT_NULL, informational },
508 /* fill ike_microcode_index:
509 * make ike_microcode_index[s] point to first entry in
510 * state_microcode_table for state s (backward scan makes this easier).
511 * Check that table is in order -- catch coding errors.
512 * For what it's worth, this routine is idempotent.
514 const struct state_microcode *t;
516 for (t = &state_microcode_table[elemsof(state_microcode_table) - 1];;)
518 passert(STATE_IKE_FLOOR <= t->state && t->state < STATE_IKE_ROOF);
519 ike_microcode_index[t->state - STATE_IKE_FLOOR] = t;
520 if (t == state_microcode_table)
523 passert(t[0].state <= t[1].state);
527 /* Process any message on the MSG_ERRQUEUE
529 * This information is generated because of the IP_RECVERR socket option.
530 * The API is sparsely documented, and may be LINUX-only, and only on
531 * fairly recent versions at that (hence the conditional compilation).
533 * - ip(7) describes IP_RECVERR
534 * - recvmsg(2) describes MSG_ERRQUEUE
535 * - readv(2) describes iovec
536 * - cmsg(3) describes how to process auxilliary messages
538 * ??? we should link this message with one we've sent
539 * so that the diagnostic can refer to that negotiation.
541 * ??? how long can the messge be?
543 * ??? poll(2) has a very incomplete description of the POLL* events.
544 * We assume that POLLIN, POLLOUT, and POLLERR are all we need to deal with
545 * and that POLLERR will be on iff there is a MSG_ERRQUEUE message.
547 * We have to code around a couple of surprises:
549 * - Select can say that a socket is ready to read from, and
550 * yet a read will hang. It turns out that a message available on the
551 * MSG_ERRQUEUE will cause select to say something is pending, but
552 * a normal read will hang. poll(2) can tell when a MSG_ERRQUEUE
553 * message is pending.
555 * This is dealt with by calling check_msg_errqueue after select
556 * has indicated that there is something to read, but before the
557 * read is performed. check_msg_errqueue will return TRUE if there
558 * is something left to read.
560 * - A write to a socket may fail because there is a pending MSG_ERRQUEUE
561 * message, without there being anything wrong with the write. This
562 * makes for confusing diagnostics.
564 * To avoid this, we call check_msg_errqueue before a write. True,
565 * there is a race condition (a MSG_ERRQUEUE message might arrive
566 * between the check and the write), but we should eliminate many
567 * of the problematic events. To narrow the window, the poll(2)
568 * will await until an event happens (in the case or a write,
569 * POLLOUT; this should be benign for POLLIN).
572 #if defined(IP_RECVERR) && defined(MSG_ERRQUEUE)
574 check_msg_errqueue(const struct iface *ifp, short interest)
579 pfd.events = interest | POLLPRI | POLLOUT;
581 while (pfd.revents = 0
582 , poll(&pfd, 1, -1) > 0 && (pfd.revents & POLLERR))
584 u_int8_t buffer[3000]; /* hope that this is big enough */
588 struct sockaddr_in sa_in4;
589 struct sockaddr_in6 sa_in6;
592 int from_len = sizeof(from);
599 /* force alignment (not documented as necessary) */
602 /* how much space is enough? */
603 unsigned char space[256];
607 char fromstr[sizeof(" for message to port 65536") + INET6_ADDRSTRLEN];
608 struct state *sender = NULL;
611 from_len = sizeof(from);
613 emh.msg_name = &from.sa; /* ??? filled in? */
614 emh.msg_namelen = sizeof(from);
617 emh.msg_control = &ecms_buf;
618 emh.msg_controllen = sizeof(ecms_buf);
621 eiov.iov_base = buffer; /* see readv(2) */
622 eiov.iov_len = sizeof(buffer);
624 packet_len = recvmsg(ifp->fd, &emh, MSG_ERRQUEUE);
626 if (packet_len == -1)
628 log_errno((e, "recvmsg(,, MSG_ERRQUEUE) on %s failed in comm_handle"
632 else if (packet_len == sizeof(buffer))
634 log("MSG_ERRQUEUE message longer than %lu bytes; truncated"
635 , (unsigned long) sizeof(buffer));
639 sender = find_sender((size_t) packet_len, buffer);
642 DBG_cond_dump(DBG_ALL, "rejected packet:\n", buffer, packet_len);
643 DBG_cond_dump(DBG_ALL, "control:\n", emh.msg_control, emh.msg_controllen);
644 /* ??? Andi Kleen <ak@suse.de> and misc documentation
645 * suggests that name will have the original destination
646 * of the packet. We seem to see msg_namelen == 0.
647 * Andi says that this is a kernel bug and has fixed it.
648 * Perhaps in 2.2.18/2.4.0.
650 passert(emh.msg_name == &from.sa);
651 DBG_cond_dump(DBG_ALL, "name:\n", emh.msg_name
654 fromstr[0] = '\0'; /* usual case :-( */
655 switch (from.sa.sa_family)
657 char as[INET6_ADDRSTRLEN];
660 if (emh.msg_namelen == sizeof(struct sockaddr_in))
661 snprintf(fromstr, sizeof(fromstr)
662 , " for message to %s port %u"
663 , inet_ntop(from.sa.sa_family
664 , &from.sa_in4.sin_addr, as, sizeof(as))
665 , ntohs(from.sa_in4.sin_port));
668 if (emh.msg_namelen == sizeof(struct sockaddr_in6))
669 snprintf(fromstr, sizeof(fromstr)
670 , " for message to %s port %u"
671 , inet_ntop(from.sa.sa_family
672 , &from.sa_in6.sin6_addr, as, sizeof(as))
673 , ntohs(from.sa_in6.sin6_port));
677 for (cm = CMSG_FIRSTHDR(&emh)
679 ; cm = CMSG_NXTHDR(&emh,cm))
681 if (cm->cmsg_level == SOL_IP
682 && cm->cmsg_type == IP_RECVERR)
684 /* ip(7) and recvmsg(2) specify:
685 * ee_origin is SO_EE_ORIGIN_ICMP for ICMP
686 * or SO_EE_ORIGIN_LOCAL for locally generated errors.
687 * ee_type and ee_code are from the ICMP header.
688 * ee_info is the discovered MTU for EMSGSIZE errors
689 * ee_data is not used.
691 * ??? recvmsg(2) says "SOCK_EE_OFFENDER" but
692 * means "SO_EE_OFFENDER". The OFFENDER is really
693 * the router that complained. As such, the port
697 /* ??? cmsg(3) claims that CMSG_DATA returns
698 * void *, but RFC 2292 and /usr/include/bits/socket.h
699 * say unsigned char *. The manual is being fixed.
701 struct sock_extended_err *ee = (void *)CMSG_DATA(cm);
702 const char *offstr = "unspecified";
703 char offstrspace[INET6_ADDRSTRLEN];
706 if (cm->cmsg_len > CMSG_LEN(sizeof(struct sock_extended_err)))
708 const struct sockaddr *offender = SO_EE_OFFENDER(ee);
710 switch (offender->sa_family)
713 offstr = inet_ntop(offender->sa_family
714 , &((const struct sockaddr_in *)offender)->sin_addr
715 , offstrspace, sizeof(offstrspace));
718 offstr = inet_ntop(offender->sa_family
719 , &((const struct sockaddr_in6 *)offender)->sin6_addr
720 , offstrspace, sizeof(offstrspace));
728 switch (ee->ee_origin)
730 case SO_EE_ORIGIN_NONE:
731 snprintf(orname, sizeof(orname), "none");
733 case SO_EE_ORIGIN_LOCAL:
734 snprintf(orname, sizeof(orname), "local");
736 case SO_EE_ORIGIN_ICMP:
737 snprintf(orname, sizeof(orname)
738 , "ICMP type %d code %d (not authenticated)"
739 , ee->ee_type, ee->ee_code
742 case SO_EE_ORIGIN_ICMP6:
743 snprintf(orname, sizeof(orname)
744 , "ICMP6 type %d code %d (not authenticated)"
745 , ee->ee_type, ee->ee_code
749 snprintf(orname, sizeof(orname), "invalid origin %lu"
750 , (unsigned long) ee->ee_origin);
755 struct state *old_state = cur_state;
759 /* note dirty trick to suppress ~ at start of format
760 * if we know what state to blame.
763 if ((packet_len == 1) && (buffer[0] = 0xff)
765 && ((cur_debugging & DBG_NATT) == 0)
768 /* don't log NAT-T keepalive related errors unless NATT debug is
774 log((sender != NULL) + "~"
775 "ERROR: asynchronous network error report on %s"
779 " [errno %lu, origin %s"
780 /* ", pad %d, info %ld" */
786 , strerror(ee->ee_errno)
787 , (unsigned long) ee->ee_errno
789 /* , ee->ee_pad, (unsigned long)ee->ee_info */
790 /* , (unsigned long)ee->ee_data */
792 if(!strcmp(strerror(ee->ee_errno), "Connection refused "))
793 log("The remote host may not have IPSec enabled");
794 if(!strcmp(strerror(ee->ee_errno), "No route to host "))
795 log("The remote host may not be online");
796 cur_state = old_state;
801 log("unknown cmsg: level %d, type %d, len %d"
802 , cm->cmsg_level, cm->cmsg_type, cm->cmsg_len);
806 return (pfd.revents & interest) != 0;
808 #endif /* defined(IP_RECVERR) && defined(MSG_ERRQUEUE) */
812 _send_packet(struct state *st, const char *where, bool verbose)
814 send_packet(struct state *st, const char *where)
817 struct connection *c = st->st_connection;
819 u_int8_t ike_pkt[MAX_OUTPUT_UDP_SIZE];
823 if ((c->interface->ike_float == TRUE) && (st->st_tpacket.len != 1)) {
824 if ((unsigned long) st->st_tpacket.len >
825 (MAX_OUTPUT_UDP_SIZE-sizeof(u_int32_t))) {
826 DBG_log("send_packet(): really too big");
830 /** Add Non-ESP marker **/
831 memset(ike_pkt, 0, sizeof(u_int32_t));
832 memcpy(ike_pkt + sizeof(u_int32_t), st->st_tpacket.ptr,
833 (unsigned long)st->st_tpacket.len);
834 len = (unsigned long) st->st_tpacket.len + sizeof(u_int32_t);
837 ptr = st->st_tpacket.ptr;
838 len = (unsigned long) st->st_tpacket.len;
844 DBG_log("sending %lu bytes for %s through %s to %s:%u:"
845 , (unsigned long) st->st_tpacket.len
847 , c->interface->rname
848 , ip_str(&c->that.host_addr)
849 , (unsigned)c->that.host_port);
850 DBG_dump_chunk(NULL, st->st_tpacket);
853 /* XXX: Not very clean. We manipulate the port of the ip_address to
854 * have a port in the sockaddr*
857 setportof(htons(c->that.host_port), &c->that.host_addr);
859 #if defined(IP_RECVERR) && defined(MSG_ERRQUEUE)
860 (void) check_msg_errqueue(c->interface, POLLOUT);
861 #endif /* defined(IP_RECVERR) && defined(MSG_ERRQUEUE) */
864 if (sendto(c->interface->fd
866 , sockaddrof(&c->that.host_addr)
867 , sockaddrlenof(&c->that.host_addr)) != (ssize_t)len)
869 if (sendto(c->interface->fd
870 , st->st_tpacket.ptr, st->st_tpacket.len, 0
871 , sockaddrof(&c->that.host_addr)
872 , sockaddrlenof(&c->that.host_addr)) != (ssize_t)st->st_tpacket.len)
876 /* do not log NAT-T Keep Alive packets */
880 log_errno((e, "sendto on %s to %s:%u failed in %s"
881 , c->interface->rname
882 , ip_str(&c->that.host_addr)
883 , (unsigned)c->that.host_port
894 unexpected(struct msg_digest *md)
896 loglog(RC_LOG_SERIOUS, "unexpected message received in state %s"
897 , enum_name(&state_names, md->st->st_state));
902 informational(struct msg_digest *md)
904 struct payload_digest *const n_pld = md->chain[ISAKMP_NEXT_N];
906 /* log contents of any notification payload */
909 pb_stream *const n_pbs = &n_pld->pbs;
910 struct isakmp_notification *const n = &n_pld->payload.notification;
914 switch (n->isan_type)
918 loglog(RC_LOG_SERIOUS, "received bogus R_U_THERE informational message");
921 return dpd_inI_outR(md->st, n, n_pbs);
925 loglog(RC_LOG_SERIOUS, "received bogus R_U_THERE informational message");
928 return dpd_inR(md->st, n, n_pbs);
931 if (pbs_left(n_pbs) >= sizeof(disp_buf)-1)
932 disp_len = sizeof(disp_buf)-1;
934 disp_len = pbs_left(n_pbs);
935 memcpy(disp_buf, n_pbs->cur, disp_len);
936 disp_buf[disp_len] = '\0';
938 /* should indicate from where... FIXME */
939 log("Notification: Pid=%d SPIsz=%d Type=%d Val=%s\n"
940 , n->isan_protoid, n->isan_spisize, n->isan_type
946 /* loglog(RC_LOG_SERIOUS, "received and ignored informational message"); */
950 /* message digest allocation and deallocation */
952 static struct msg_digest *md_pool = NULL;
954 /* free_md_pool is only used to avoid leak reports */
960 struct msg_digest *md = md_pool;
969 static struct msg_digest *
972 struct msg_digest *md = md_pool;
974 /* convenient initializer:
975 * - all pointers NULL
976 * - .note = NOTHING_WRONG
977 * - .encrypted = FALSE
979 static const struct msg_digest blank_md;
982 md = alloc_thing(struct msg_digest, "msg_digest");
987 md->digest_roof = md->digest;
989 /* note: although there may be multiple msg_digests at once
990 * (due to suspended state transitions), there is a single
991 * global reply_buffer. It will need to be saved and restored.
993 init_pbs(&md->reply, reply_buffer, sizeof(reply_buffer), "reply packet");
999 release_md(struct msg_digest *md)
1001 freeanychunk(md->raw_packet);
1002 pfreeany(md->packet_pbs.start);
1003 md->packet_pbs.start = NULL;
1008 /* wrapper for read_packet and process_packet
1010 * The main purpose of this wrapper is to factor out teardown code
1011 * from the many return points in process_packet. This amounts to
1012 * releasing the msg_digest and resetting global variables.
1014 * When processing of a packet is suspended (STF_SUSPEND),
1015 * process_packet sets md to NULL to prevent the msg_digest being freed.
1016 * Someone else must ensure that msg_digest is freed eventually.
1018 * read_packet is broken out to minimize the lifetime of the
1019 * enormous input packet buffer, an auto.
1022 comm_handle(const struct iface *ifp)
1024 static struct msg_digest *md;
1026 #if defined(IP_RECVERR) && defined(MSG_ERRQUEUE)
1027 /* Even though select(2) says that there is a message,
1028 * it might only be a MSG_ERRQUEUE message. At least
1029 * sometimes that leads to a hanging recvfrom. To avoid
1030 * what appears to be a kernel bug, check_msg_errqueue
1031 * uses poll(2) and tells us if there is anything for us
1034 * This is early enough that teardown isn't required:
1035 * just return on failure.
1037 if (!check_msg_errqueue(ifp, POLLIN))
1038 return; /* no normal message to read */
1039 #endif /* defined(IP_RECVERR) && defined(MSG_ERRQUEUE) */
1044 if (read_packet(md))
1045 process_packet(&md);
1051 reset_cur_connection();
1055 /* read the message.
1056 * Since we don't know its size, we read it into
1057 * an overly large buffer and then copy it to a
1058 * new, properly sized buffer.
1061 read_packet(struct msg_digest *md)
1063 const struct iface *ifp = md->iface;
1065 u_int8_t bigbuffer[MAX_INPUT_UDP_SIZE];
1066 #ifdef NAT_TRAVERSAL
1067 u_int8_t *_buffer = bigbuffer;
1072 struct sockaddr_in sa_in4;
1073 struct sockaddr_in6 sa_in6;
1075 int from_len = sizeof(from);
1076 err_t from_ugh = NULL;
1077 static const char undisclosed[] = "unknown source";
1079 happy(anyaddr(addrtypeof(&ifp->addr), &md->sender));
1081 packet_len = recvfrom(ifp->fd, bigbuffer, sizeof(bigbuffer), 0
1082 , &from.sa, &from_len);
1084 /* First: digest the from address.
1085 * We presume that nothing here disturbs errno.
1087 if (packet_len == -1
1088 && from_len == sizeof(from)
1089 && all_zero((const void *)&from.sa, sizeof(from)))
1091 /* "from" is untouched -- not set by recvfrom */
1092 from_ugh = undisclosed;
1095 < (int) (offsetof(struct sockaddr, sa_family) + sizeof(from.sa.sa_family)))
1097 from_ugh = "truncated";
1101 const struct af_info *afi = aftoinfo(from.sa.sa_family);
1105 from_ugh = "unexpected Address Family";
1107 else if (from_len != (int)afi->sa_sz)
1109 from_ugh = "wrong length";
1113 switch (from.sa.sa_family)
1116 from_ugh = initaddr((void *) &from.sa_in4.sin_addr
1117 , sizeof(from.sa_in4.sin_addr), AF_INET, &md->sender);
1118 md->sender_port = ntohs(from.sa_in4.sin_port);
1121 from_ugh = initaddr((void *) &from.sa_in6.sin6_addr
1122 , sizeof(from.sa_in6.sin6_addr), AF_INET6, &md->sender);
1123 md->sender_port = ntohs(from.sa_in6.sin6_port);
1129 /* now we report any actual I/O error */
1130 if (packet_len == -1)
1132 if (from_ugh == undisclosed
1133 && errno == ECONNREFUSED)
1135 /* Tone down scary message for vague event:
1136 * We get "connection refused" in response to some
1137 * datagram we sent, but we cannot tell which one.
1139 log("some IKE message we sent has been rejected with ECONNREFUSED (kernel supplied no details)");
1141 else if (from_ugh != NULL)
1143 log_errno((e, "recvfrom on %s failed; Pluto cannot decode source sockaddr in rejection: %s"
1144 , ifp->rname, from_ugh));
1148 log_errno((e, "recvfrom on %s from %s:%u failed"
1150 , ip_str(&md->sender), (unsigned)md->sender_port));
1155 else if (packet_len == 0)
1157 log("received 0 size packet");
1160 else if (from_ugh != NULL)
1162 log("recvfrom on %s returned misformed source sockaddr: %s"
1163 , ifp->rname, from_ugh);
1166 cur_from = &md->sender;
1167 cur_from_port = md->sender_port;
1169 #ifdef NAT_TRAVERSAL
1170 if (ifp->ike_float == TRUE) {
1172 if (packet_len < (int)sizeof(u_int32_t)) {
1173 log("recvfrom %s:%u too small packet (%d)"
1174 , ip_str(cur_from), (unsigned) cur_from_port, packet_len);
1177 memcpy(&non_esp, _buffer, sizeof(u_int32_t));
1179 log("recvfrom %s:%u has no Non-ESP marker"
1180 , ip_str(cur_from), (unsigned) cur_from_port);
1183 _buffer += sizeof(u_int32_t);
1184 packet_len -= sizeof(u_int32_t);
1188 /* Clone actual message contents
1189 * and set up md->packet_pbs to describe it.
1191 init_pbs(&md->packet_pbs,
1192 #ifdef NAT_TRAVERSAL
1193 clone_bytes(_buffer, packet_len, "message buffer in comm_handle()"),
1195 clone_bytes(bigbuffer, packet_len, "message buffer in comm_handle()"),
1197 packet_len, "packet");
1199 DBG(DBG_RAW | DBG_CRYPT | DBG_PARSING | DBG_CONTROL,
1201 DBG_log(BLANK_FORMAT);
1202 DBG_log("*received %d bytes from %s:%u on %s"
1203 , (int) pbs_room(&md->packet_pbs)
1204 , ip_str(cur_from), (unsigned) cur_from_port
1209 DBG_dump("", md->packet_pbs.start, pbs_room(&md->packet_pbs)));
1211 #ifdef NAT_TRAVERSAL
1212 if ((pbs_room(&md->packet_pbs)==1) && (md->packet_pbs.start[0]==0xff)) {
1214 * NAT-T Keep-alive packets should be discared by kernel ESPinUDP
1215 * layer. But boggus keep-alive packets (sent with a non-esp marker)
1216 * can reach this point. Complain and discard them.
1219 DBG_log("NAT-T keep-alive (boggus ?) should not reach this point. "
1220 "Ignored. Sender: %s:%u", ip_str(cur_from),
1221 (unsigned) cur_from_port);
1230 /* process an input packet, possibly generating a reply.
1232 * If all goes well, this routine eventually calls a state-specific
1233 * transition function.
1236 process_packet(struct msg_digest **mdp)
1238 struct msg_digest *md = *mdp;
1239 const struct state_microcode *smc;
1240 bool new_iv_set = FALSE;
1241 struct state *st = NULL;
1242 enum state_kind from_state = STATE_UNDEFINED; /* state we started in */
1244 #define SEND_NOTIFICATION(t) { \
1245 if (st) send_notification_from_state(st, from_state, t); \
1246 else send_notification_from_md(md, t); }
1248 if (!in_struct(&md->hdr, &isakmp_hdr_desc, &md->packet_pbs, &md->message_pbs))
1250 /* Identify specific failures:
1251 * - bad ISAKMP major/minor version numbers
1253 if (md->packet_pbs.roof - md->packet_pbs.cur >= (ptrdiff_t)isakmp_hdr_desc.size) {
1254 struct isakmp_hdr *hdr = (struct isakmp_hdr *)md->packet_pbs.cur;
1255 if ((hdr->isa_version >> ISA_MAJ_SHIFT) != ISAKMP_MAJOR_VERSION) {
1256 SEND_NOTIFICATION(INVALID_MAJOR_VERSION);
1259 else if ((hdr->isa_version & ISA_MIN_MASK) != ISAKMP_MINOR_VERSION) {
1260 SEND_NOTIFICATION(INVALID_MINOR_VERSION);
1264 SEND_NOTIFICATION(PAYLOAD_MALFORMED);
1268 if (md->packet_pbs.roof != md->message_pbs.roof)
1270 log("size (%u) differs from size specified in ISAKMP HDR (%u)"
1271 , (unsigned) pbs_room(&md->packet_pbs), md->hdr.isa_length);
1272 SEND_NOTIFICATION(PAYLOAD_MALFORMED);
1276 switch (md->hdr.isa_xchg)
1279 case ISAKMP_XCHG_NONE:
1280 case ISAKMP_XCHG_BASE:
1283 case ISAKMP_XCHG_AGGR:
1284 case ISAKMP_XCHG_IDPROT: /* part of a Main Mode exchange */
1285 if (md->hdr.isa_msgid != 0)
1287 log("Message ID was 0x%08lx but should be zero in Main Mode",
1288 (unsigned long) md->hdr.isa_msgid);
1289 SEND_NOTIFICATION(INVALID_MESSAGE_ID);
1293 if (is_zero_cookie(md->hdr.isa_icookie))
1295 log("Initiator Cookie must not be zero in Phase 1 message");
1296 SEND_NOTIFICATION(INVALID_COOKIE);
1300 if (is_zero_cookie(md->hdr.isa_rcookie))
1302 /* initial message from initiator
1303 * ??? what if this is a duplicate of another message?
1305 if (md->hdr.isa_flags & ISAKMP_FLAG_ENCRYPTION)
1307 log("initial Phase 1 message is invalid:"
1308 " its Encrypted Flag is on");
1309 SEND_NOTIFICATION(INVALID_FLAGS);
1313 /* don't build a state until the message looks tasty */
1314 from_state = (md->hdr.isa_xchg == ISAKMP_XCHG_IDPROT
1315 ? STATE_MAIN_R0 : STATE_AGGR_R0);
1319 /* not an initial message */
1321 st = find_state(md->hdr.isa_icookie, md->hdr.isa_rcookie
1322 , &md->sender, md->hdr.isa_msgid);
1326 /* perhaps this is a first message from the responder
1327 * and contains a responder cookie that we've not yet seen.
1329 st = find_state(md->hdr.isa_icookie, zero_cookie
1330 , &md->sender, md->hdr.isa_msgid);
1334 log("Phase 1 message is part of an unknown exchange");
1335 /* XXX Could send notification back */
1340 from_state = st->st_state;
1345 case ISAKMP_XCHG_AO:
1348 case ISAKMP_XCHG_INFO: /* an informational exchange */
1349 st = find_state(md->hdr.isa_icookie, md->hdr.isa_rcookie
1355 if (md->hdr.isa_flags & ISAKMP_FLAG_ENCRYPTION)
1359 log("Informational Exchange is for an unknown (expired?) SA");
1360 /* XXX Could send notification back */
1364 if (!IS_ISAKMP_SA_ESTABLISHED(st->st_state))
1366 loglog(RC_LOG_SERIOUS, "encrypted Informational Exchange message is invalid"
1367 " because it is for incomplete ISAKMP SA");
1368 /* XXX Could send notification back */
1372 if (md->hdr.isa_msgid == 0)
1374 loglog(RC_LOG_SERIOUS, "Informational Exchange message is invalid because"
1375 " it has a Message ID of 0");
1376 /* XXX Could send notification back */
1380 if (!reserve_msgid(st, md->hdr.isa_msgid))
1382 loglog(RC_LOG_SERIOUS, "Informational Exchange message is invalid because"
1383 " it has a previously used Message ID (0x%08lx)"
1384 , (unsigned long)md->hdr.isa_msgid);
1385 /* XXX Could send notification back */
1389 init_phase2_iv(st, &md->hdr.isa_msgid);
1392 from_state = STATE_INFO_PROTECTED;
1396 if (st != NULL && IS_ISAKMP_SA_ESTABLISHED(st->st_state))
1398 loglog(RC_LOG_SERIOUS, "Informational Exchange message for"
1399 " an established ISAKMP SA must be encrypted");
1400 /* XXX Could send notification back */
1403 from_state = STATE_INFO;
1407 case ISAKMP_XCHG_QUICK: /* part of a Quick Mode exchange */
1408 if (is_zero_cookie(md->hdr.isa_icookie))
1410 log("Quick Mode message is invalid because"
1411 " it has an Initiator Cookie of 0");
1412 SEND_NOTIFICATION(INVALID_COOKIE);
1416 if (is_zero_cookie(md->hdr.isa_rcookie))
1418 log("Quick Mode message is invalid because"
1419 " it has a Responder Cookie of 0");
1420 SEND_NOTIFICATION(INVALID_COOKIE);
1424 if (md->hdr.isa_msgid == 0)
1426 log("Quick Mode message is invalid because"
1427 " it has a Message ID of 0");
1428 SEND_NOTIFICATION(INVALID_MESSAGE_ID);
1432 st = find_state(md->hdr.isa_icookie, md->hdr.isa_rcookie
1433 , &md->sender, md->hdr.isa_msgid);
1437 /* No appropriate Quick Mode state.
1438 * See if we have a Main Mode state.
1439 * ??? what if this is a duplicate of another message?
1441 st = find_state(md->hdr.isa_icookie, md->hdr.isa_rcookie
1446 log("Quick Mode message is for a non-existent (expired?)"
1448 /* XXX Could send notification back */
1454 if (!IS_ISAKMP_SA_ESTABLISHED(st->st_state))
1456 loglog(RC_LOG_SERIOUS, "Quick Mode message is unacceptable because"
1457 " it is for an incomplete ISAKMP SA");
1458 SEND_NOTIFICATION(PAYLOAD_MALFORMED /* XXX ? */);
1462 /* only accept this new Quick Mode exchange if it has a unique message ID */
1463 if (!reserve_msgid(st, md->hdr.isa_msgid))
1465 loglog(RC_LOG_SERIOUS, "Quick Mode I1 message is unacceptable because"
1466 " it uses a previously used Message ID 0x%08lx"
1467 " (perhaps this is a duplicated packet)"
1468 , (unsigned long) md->hdr.isa_msgid);
1469 SEND_NOTIFICATION(INVALID_MESSAGE_ID);
1473 /* Quick Mode Initial IV */
1474 init_phase2_iv(st, &md->hdr.isa_msgid);
1477 from_state = STATE_QUICK_R0;
1482 from_state = st->st_state;
1488 case ISAKMP_XCHG_NGRP:
1489 case ISAKMP_XCHG_ACK_INFO:
1493 log("unsupported exchange type %s in message"
1494 , enum_show(&exchange_names, md->hdr.isa_xchg));
1495 SEND_NOTIFICATION(UNSUPPORTED_EXCHANGE_TYPE);
1499 /* We have found a from_state, and perhaps a state object.
1500 * If we need to build a new state object,
1501 * we wait until the packet has been sanity checked.
1504 /* We don't support the Commit Flag. It is such a bad feature.
1505 * It isn't protected -- neither encrypted nor authenticated.
1506 * A man in the middle turns it on, leading to DoS.
1507 * We just ignore it, with a warning.
1508 * By placing the check here, we could easily add a policy bit
1509 * to a connection to suppress the warning. This might be useful
1510 * because the Commit Flag is expected from some peers.
1512 if (md->hdr.isa_flags & ISAKMP_FLAG_COMMIT)
1514 log("IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag");
1517 /* Set smc to describe this state's properties.
1518 * Look up the appropriate microcode based on state and
1519 * possibly Oakley Auth type.
1521 passert(STATE_IKE_FLOOR <= from_state && from_state <= STATE_IKE_ROOF);
1522 smc = ike_microcode_index[from_state - STATE_IKE_FLOOR];
1526 while ((smc->flags & LELEM(st->st_oakley.auth)) == 0)
1529 passert(smc->state == from_state);
1533 /* Ignore a packet if the state has a suspended state transition
1534 * Probably a duplicated packet but the original packet is not yet
1535 * recorded in st->st_rpacket, so duplicate checking won't catch.
1536 * ??? Should the packet be recorded earlier to improve diagnosis?
1538 if (st != NULL && st->st_suspended_md != NULL)
1540 loglog(RC_LOG, "discarding packet received during DNS lookup");
1544 /* Detect and handle duplicated packets.
1545 * This won't work for the initial packet of an exchange
1546 * because we won't have a state object to remember it.
1547 * If we are in a non-receiving state (terminal), and the preceding
1548 * state did transmit, then the duplicate may indicate that that
1549 * transmission wasn't received -- retransmit it.
1550 * Otherwise, just discard it.
1551 * ??? Notification packets are like exchanges -- I hope that
1552 * they are idempotent!
1555 && st->st_rpacket.ptr != NULL
1556 && st->st_rpacket.len == pbs_room(&md->packet_pbs)
1557 && memcmp(st->st_rpacket.ptr, md->packet_pbs.start, st->st_rpacket.len) == 0)
1559 if (smc->flags & SMF_RETRANSMIT_ON_DUPLICATE)
1561 if (st->st_retransmit < MAXIMUM_RETRANSMISSIONS)
1563 st->st_retransmit++;
1564 loglog(RC_RETRANSMISSION
1565 , "retransmitting in response to duplicate packet; already %s"
1566 , enum_name(&state_names, st->st_state));
1567 send_packet(st, "retransmit in response to duplicate");
1571 loglog(RC_LOG_SERIOUS, "discarding duplicate packet -- exhausted retransmission; already %s"
1572 , enum_name(&state_names, st->st_state));
1577 loglog(RC_LOG_SERIOUS, "discarding duplicate packet; already %s"
1578 , enum_name(&state_names, st->st_state));
1583 if (md->hdr.isa_flags & ISAKMP_FLAG_ENCRYPTION)
1585 DBG(DBG_CRYPT, DBG_log("received encrypted packet from %s:%u"
1586 , ip_str(&md->sender), (unsigned)md->sender_port));
1590 log("discarding encrypted message for an unknown ISAKMP SA");
1591 SEND_NOTIFICATION(PAYLOAD_MALFORMED /* XXX ? */);
1594 if (st->st_skeyid_e.ptr == (u_char *) NULL)
1596 loglog(RC_LOG_SERIOUS, "discarding encrypted message"
1597 " because we haven't yet negotiated keying materiel");
1598 SEND_NOTIFICATION(INVALID_FLAGS);
1602 /* Mark as encrypted */
1603 md->encrypted = TRUE;
1605 DBG(DBG_CRYPT, DBG_log("decrypting %u bytes using algorithm %s",
1606 (unsigned) pbs_left(&md->message_pbs),
1607 enum_show(&oakley_enc_names, st->st_oakley.encrypt)));
1609 /* do the specified decryption
1611 * IV is from st->st_iv or (if new_iv_set) st->st_new_iv.
1612 * The new IV is placed in st->st_new_iv
1614 * See draft-ietf-ipsec-isakmp-oakley-07.txt Appendix B
1616 * XXX The IV should only be updated really if the packet
1617 * is successfully processed.
1618 * We should keep this value, check for a success return
1619 * value from the parsing routines and then replace.
1621 * Each post phase 1 exchange generates IVs from
1622 * the last phase 1 block, not the last block sent.
1625 const struct encrypt_desc *e = st->st_oakley.encrypter;
1627 if (pbs_left(&md->message_pbs) % e->enc_blocksize != 0)
1629 loglog(RC_LOG_SERIOUS, "malformed message: not a multiple of encryption blocksize");
1630 SEND_NOTIFICATION(PAYLOAD_MALFORMED);
1634 /* XXX Detect weak keys */
1636 /* grab a copy of raw packet (for duplicate packet detection) */
1637 clonetochunk(md->raw_packet, md->packet_pbs.start
1638 , pbs_room(&md->packet_pbs), "raw packet");
1640 /* Decrypt everything after header */
1644 passert(st->st_iv_len <= sizeof(st->st_new_iv));
1645 st->st_new_iv_len = st->st_iv_len;
1646 memcpy(st->st_new_iv, st->st_iv, st->st_new_iv_len);
1648 crypto_cbc_encrypt(e, FALSE, md->message_pbs.cur,
1649 pbs_left(&md->message_pbs) , st);
1652 DBG_cond_dump(DBG_CRYPT, "decrypted:\n", md->message_pbs.cur,
1653 md->message_pbs.roof - md->message_pbs.cur);
1655 DBG_cond_dump(DBG_CRYPT, "next IV:"
1656 , st->st_new_iv, st->st_new_iv_len);
1660 /* packet was not encryped -- should it have been? */
1662 if (smc->flags & SMF_INPUT_ENCRYPTED)
1664 loglog(RC_LOG_SERIOUS, "packet rejected: should have been encrypted");
1665 SEND_NOTIFICATION(INVALID_FLAGS);
1670 /* Digest the message.
1671 * Padding must be removed to make hashing work.
1672 * Padding comes from encryption (so this code must be after decryption).
1673 * Padding rules are described before the definition of
1674 * struct isakmp_hdr in packet.h.
1677 struct payload_digest *pd = md->digest;
1678 int np = md->hdr.isa_np;
1679 lset_t needed = smc->req_payloads;
1681 = LALLIN(smc->flags, SMF_PSK_AUTH | SMF_FIRST_ENCRYPTED_INPUT)
1682 ? "probable authentication failure (mismatch of preshared secrets?): "
1685 while (np != ISAKMP_NEXT_NONE)
1687 struct_desc *sd = np < ISAKMP_NEXT_ROOF? payload_descs[np] : NULL;
1689 if (pd == &md->digest[PAYLIMIT])
1691 loglog(RC_LOG_SERIOUS, "more than %d payloads in message; ignored", PAYLIMIT);
1692 SEND_NOTIFICATION(PAYLOAD_MALFORMED);
1696 #ifdef NAT_TRAVERSAL
1699 case ISAKMP_NEXT_NATD_RFC:
1700 case ISAKMP_NEXT_NATOA_RFC:
1701 if ((!st) || (!(st->nat_traversal & NAT_T_WITH_RFC_VALUES))) {
1703 * don't accept NAT-D/NAT-OA reloc directly in message, unless
1704 * we're using NAT-T RFC
1714 /* payload type is out of range or requires special handling */
1717 case ISAKMP_NEXT_ID:
1718 sd = IS_PHASE1(from_state)
1719 ? &isakmp_identification_desc : &isakmp_ipsec_identification_desc;
1721 #ifdef NAT_TRAVERSAL
1722 case ISAKMP_NEXT_NATD_DRAFTS:
1723 np = ISAKMP_NEXT_NATD_RFC; /* NAT-D relocated */
1724 sd = payload_descs[np];
1726 case ISAKMP_NEXT_NATOA_DRAFTS:
1727 np = ISAKMP_NEXT_NATOA_RFC; /* NAT-OA relocated */
1728 sd = payload_descs[np];
1732 loglog(RC_LOG_SERIOUS, "%smessage ignored because it contains an unknown or"
1733 " unexpected payload type (%s) at the outermost level"
1734 , excuse, enum_show(&payload_names, np));
1735 SEND_NOTIFICATION(INVALID_PAYLOAD_TYPE);
1741 lset_t s = LELEM(np);
1743 if (0 == (s & (needed | smc->opt_payloads
1744 | LELEM(ISAKMP_NEXT_N) | LELEM(ISAKMP_NEXT_D))))
1746 loglog(RC_LOG_SERIOUS, "%smessage ignored because it contains an"
1747 " payload type (%s) unexpected in this message"
1748 , excuse, enum_show(&payload_names, np));
1749 SEND_NOTIFICATION(INVALID_PAYLOAD_TYPE);
1755 if (!in_struct(&pd->payload, sd, &md->message_pbs, &pd->pbs))
1757 loglog(RC_LOG_SERIOUS, "%smalformed payload in packet", excuse);
1758 SEND_NOTIFICATION(PAYLOAD_MALFORMED);
1762 /* place this payload at the end of the chain for this type */
1764 struct payload_digest **p;
1766 for (p = &md->chain[np]; *p != NULL; p = &(*p)->next)
1772 np = pd->payload.generic.isag_np;
1775 /* since we've digested one payload happily, it is probably
1776 * the case that any decryption worked. So we will not suggest
1777 * encryption failure as an excuse for subsequent payload
1783 md->digest_roof = pd;
1786 if (pbs_left(&md->message_pbs) != 0)
1787 DBG_log("removing %d bytes of padding", (int) pbs_left(&md->message_pbs)));
1789 md->message_pbs.roof = md->message_pbs.cur;
1791 /* check that all mandatory payloads appeared */
1795 loglog(RC_LOG_SERIOUS, "message for %s is missing payloads %s"
1796 , enum_show(&state_names, from_state)
1797 , bitnamesof(payload_name, needed));
1798 SEND_NOTIFICATION(PAYLOAD_MALFORMED);
1803 /* more sanity checking: enforce most ordering constraints */
1805 if (IS_PHASE1(from_state))
1807 /* rfc2409: The Internet Key Exchange (IKE), 5 Exchanges:
1808 * "The SA payload MUST precede all other payloads in a phase 1 exchange."
1810 if (md->chain[ISAKMP_NEXT_SA] != NULL
1811 && md->hdr.isa_np != ISAKMP_NEXT_SA)
1813 loglog(RC_LOG_SERIOUS, "malformed Phase 1 message: does not start with an SA payload");
1814 SEND_NOTIFICATION(PAYLOAD_MALFORMED);
1818 else if (IS_QUICK(from_state))
1820 /* rfc2409: The Internet Key Exchange (IKE), 5.5 Phase 2 - Quick Mode
1822 * "In Quick Mode, a HASH payload MUST immediately follow the ISAKMP
1823 * header and a SA payload MUST immediately follow the HASH."
1824 * [NOTE: there may be more than one SA payload, so this is not
1825 * totally reasonable. Probably all SAs should be so constrained.]
1827 * "If ISAKMP is acting as a client negotiator on behalf of another
1828 * party, the identities of the parties MUST be passed as IDci and
1831 * "With the exception of the HASH, SA, and the optional ID payloads,
1832 * there are no payload ordering restrictions on Quick Mode."
1835 if (md->hdr.isa_np != ISAKMP_NEXT_HASH)
1837 loglog(RC_LOG_SERIOUS, "malformed Quick Mode message: does not start with a HASH payload");
1838 SEND_NOTIFICATION(PAYLOAD_MALFORMED);
1843 struct payload_digest *p;
1846 for (p = md->chain[ISAKMP_NEXT_SA], i = 1; p != NULL
1849 if (p != &md->digest[i])
1851 loglog(RC_LOG_SERIOUS, "malformed Quick Mode message: SA payload is in wrong position");
1852 SEND_NOTIFICATION(PAYLOAD_MALFORMED);
1858 /* rfc2409: The Internet Key Exchange (IKE), 5.5 Phase 2 - Quick Mode:
1859 * "If ISAKMP is acting as a client negotiator on behalf of another
1860 * party, the identities of the parties MUST be passed as IDci and
1864 struct payload_digest *id = md->chain[ISAKMP_NEXT_ID];
1868 if (id->next == NULL || id->next->next != NULL)
1870 loglog(RC_LOG_SERIOUS, "malformed Quick Mode message:"
1871 " if any ID payload is present,"
1872 " there must be exactly two");
1873 SEND_NOTIFICATION(PAYLOAD_MALFORMED);
1876 if (id+1 != id->next)
1878 loglog(RC_LOG_SERIOUS, "malformed Quick Mode message:"
1879 " the ID payloads are not adjacent");
1880 SEND_NOTIFICATION(PAYLOAD_MALFORMED);
1887 /* Handle (ignore!) Delete/Notification/VendorID Payloads */
1888 /* XXX Handle deletions */
1889 /* XXX Handle Notifications */
1890 /* XXX Handle VID payloads */
1892 struct payload_digest *p;
1894 for (p = md->chain[ISAKMP_NEXT_N]; p != NULL; p = p->next)
1896 if (strncmp(enum_show(&ipsec_notification_names, p->payload.notification.isan_type),"36137",strlen("36137")) &&
1897 strncmp(enum_show(&ipsec_notification_names, p->payload.notification.isan_type),"36136",strlen("36136"))){
1898 loglog(RC_LOG_SERIOUS, "ignoring informational payload, type %s"
1899 , enum_show(&ipsec_notification_names, p->payload.notification.isan_type));
1900 DBG_cond_dump(DBG_PARSING, "info:", p->pbs.cur, pbs_left(&p->pbs));
1904 for (p = md->chain[ISAKMP_NEXT_D]; p != NULL; p = p->next)
1906 accept_delete(st, md, p);
1907 DBG_cond_dump(DBG_PARSING, "del:", p->pbs.cur, pbs_left(&p->pbs));
1911 for (p = md->chain[ISAKMP_NEXT_VID]; p != NULL; p = p->next)
1914 loglog(RC_LOG_SERIOUS, "ignoring Vendor ID payload");
1916 handle_vendorid(md, p->pbs.cur, pbs_left(&p->pbs));
1917 DBG_cond_dump(DBG_PARSING, "VID:", p->pbs.cur, pbs_left(&p->pbs));
1920 md->from_state = from_state;
1923 /* possibly fill in hdr */
1924 if (smc->first_out_payload != ISAKMP_NEXT_NONE)
1925 echo_hdr(md, (smc->flags & SMF_OUTPUT_ENCRYPTED) != 0
1926 , smc->first_out_payload);
1928 complete_state_transition(mdp, smc->processor(md));
1931 /* complete job started by the state-specific state transition function */
1934 complete_state_transition(struct msg_digest **mdp, stf_status result)
1936 struct msg_digest *md = *mdp;
1937 const struct state_microcode *smc = md->smc;
1938 enum state_kind from_state = md->from_state;
1942 /* Handle VID payloads */
1944 struct payload_digest *vid;
1946 for (vid = md->chain[ISAKMP_NEXT_VID]; vid != NULL; vid = vid->next)
1948 if (pbs_left(&vid->pbs) == dpd_vid_length
1949 && memcmp(vid->pbs.cur, dpd_vid, dpd_vid_length)==0)
1955 loglog(RC_LOG_SERIOUS, "ignoring Vendor ID payload");
1956 DBG_cond_dump(DBG_PARSING, "VID:", vid->pbs.cur, pbs_left(&vid->pbs));
1962 cur_state = st = md->st; /* might have changed */
1964 st->st_dpd = md->dpd;
1971 /* the stf didn't complete its job: don't relase md */
1976 /* advance the state */
1977 st->st_state = smc->next_state;
1979 /* Delete previous retransmission event.
1980 * New event will be scheduled below.
1984 /* replace previous receive packet with latest */
1986 pfreeany(st->st_rpacket.ptr);
1990 /* if encrypted, duplication already done */
1991 st->st_rpacket = md->raw_packet;
1992 md->raw_packet.ptr = NULL;
1996 clonetochunk(st->st_rpacket
1997 , md->packet_pbs.start
1998 , pbs_room(&md->packet_pbs), "raw packet");
2001 /* free previous transmit packet */
2002 freeanychunk(st->st_tpacket);
2004 /* if requested, send the new reply packet */
2005 if (smc->flags & SMF_REPLY)
2007 close_output_pbs(&md->reply); /* good form, but actually a no-op */
2009 clonetochunk(st->st_tpacket, md->reply.start
2010 , pbs_offset(&md->reply), "reply packet");
2012 #ifdef NAT_TRAVERSAL
2013 if (nat_traversal_enabled) {
2014 nat_traversal_change_port_lookup(md, md->st);
2018 /* actually send the packet
2019 * Note: this is a great place to implement "impairments"
2020 * for testing purposes. Suppress or duplicate the
2021 * send_packet call depending on st->st_state.
2023 send_packet(st, enum_name(&state_names, from_state));
2026 /* Schedule for whatever timeout is specified */
2029 enum event_type kind = smc->timeout_event;
2033 case EVENT_RETRANSMIT: /* Retransmit packet */
2034 delay = EVENT_RETRANSMIT_DELAY_0;
2037 case EVENT_SA_REPLACE: /* SA replacement event */
2038 if (IS_PHASE1(st->st_state))
2040 delay = st->st_connection->sa_ike_life_seconds;
2041 if (delay >= st->st_oakley.life_seconds)
2042 delay = st->st_oakley.life_seconds;
2046 /* Delay is min of up to four things:
2047 * each can limit the lifetime.
2049 delay = st->st_connection->sa_ipsec_life_seconds;
2050 if (st->st_ah.present
2051 && delay >= st->st_ah.attrs.life_seconds)
2052 delay = st->st_ah.attrs.life_seconds;
2053 if (st->st_esp.present
2054 && delay >= st->st_esp.attrs.life_seconds)
2055 delay = st->st_esp.attrs.life_seconds;
2056 if (st->st_ipcomp.present
2057 && delay >= st->st_ipcomp.attrs.life_seconds)
2058 delay = st->st_ipcomp.attrs.life_seconds;
2061 /* If we have enough time, save some for
2062 * replacement. Otherwise, don't attempt.
2063 * In fact, we should always have time.
2064 * Whack enforces this restriction on our
2065 * own lifetime. If a smaller liftime comes
2066 * from the other IKE, we won't have
2069 * Important policy lies buried here.
2070 * For example, we favour the initiator over the
2071 * responder by making the initiator start rekeying
2072 * sooner. Also, fuzz is only added to the
2073 * initiator's margin.
2075 if (st->st_connection->policy & POLICY_DONT_REKEY)
2077 kind = EVENT_SA_EXPIRE;
2081 unsigned long marg = st->st_connection->sa_rekey_margin;
2083 if (smc->flags & SMF_INITIATOR)
2085 * st->st_connection->sa_rekey_fuzz / 100.E0
2086 * (rand() / (RAND_MAX + 1.E0));
2090 if ((unsigned long)delay > marg)
2093 st->st_margin = marg;
2097 kind = EVENT_SA_EXPIRE;
2102 case EVENT_NULL: /* non-event */
2103 case EVENT_REINIT_SECRET: /* Refresh cookie secret */
2107 event_schedule(kind, delay, st);
2110 /* tell whack and log of progress */
2112 const char *story = state_story[st->st_state - STATE_MAIN_R0];
2113 enum rc_type w = RC_NEW_STATE + st->st_state;
2115 if (IS_ISAKMP_SA_ESTABLISHED(st->st_state)
2116 || IS_IPSEC_SA_ESTABLISHED(st->st_state))
2118 /* log our success */
2120 if (st->st_connection) {
2121 struct connection *c = st->st_connection;
2122 char lhs[SUBNETTOT_BUF + ADDRTOT_BUF + IDTOA_BUF + ADDRTOT_BUF];
2123 char rhs[SUBNETTOT_BUF + ADDRTOT_BUF + IDTOA_BUF + ADDRTOT_BUF];
2124 (void) format_end(lhs, sizeof(lhs), &c->this, &c->that, TRUE);
2125 (void) format_end(rhs, sizeof(rhs), &c->that, &c->this, FALSE);
2126 log("%s...%s", lhs, rhs);
2130 switch (st->st_state) {
2131 case STATE_QUICK_I2:
2132 case STATE_QUICK_R2:
2133 if (st->st_ah.present)
2134 st->st_ah.attrs.born = time(NULL);
2135 if (st->st_esp.present)
2136 st->st_esp.attrs.born = time(NULL);
2137 if (st->st_ipcomp.present)
2138 st->st_ipcomp.attrs.born = time(NULL);
2142 st->st_oakley.born = time(NULL);
2146 /* tell whack our progress */
2149 , enum_name(&state_names, st->st_state)
2153 if (smc->flags & SMF_RELEASE_PENDING_P2)
2155 /* Initiate any Quick Mode negotiations that
2156 * were waiting to piggyback on this Keying Channel.
2158 * ??? there is a potential race condition
2159 * if we are the responder: the initial Phase 2
2160 * message might outrun the final Phase 1 message.
2161 * I think that retransmission will recover.
2166 if (IS_ISAKMP_SA_ESTABLISHED(st->st_state)
2167 || IS_IPSEC_SA_ESTABLISHED(st->st_state))
2171 case STF_INTERNAL_ERROR:
2172 whack_log(RC_INTERNALERR + md->note
2173 , "%s: internal error"
2174 , enum_name(&state_names, st->st_state));
2177 DBG_log("state transition function for %s had internal error",
2178 enum_name(&state_names, from_state)));
2181 #ifdef DODGE_DH_MISSING_ZERO_BUG
2182 case STF_REPLACE_DOOMED_EXCHANGE:
2183 /* we've got a distateful DH shared secret --
2184 * let's renegotiate.
2186 loglog(RC_LOG_SERIOUS, "dropping and reinitiating exchange"
2187 " to avoid Pluto 1.0 bug handling DH shared secret"
2188 " with leading zero byte");
2189 ipsecdoi_replace(st, st->st_try);
2195 default: /* a shortcut to STF_FAIL, setting md->note */
2196 passert(result > STF_FAIL);
2197 md->note = result - STF_FAIL;
2199 /* FALL THROUGH ... */
2201 /* As it is, we act as if this message never happened:
2202 * whatever retrying was in place, remains in place.
2204 whack_log(RC_NOTIFICATION + md->note
2205 , "%s: %s", enum_name(&state_names, st->st_state)
2206 , enum_name(&ipsec_notification_names, md->note));
2208 SEND_NOTIFICATION(md->note);
2211 DBG_log("state transition function for %s failed: %s"
2212 , enum_name(&state_names, from_state)
2213 , enum_name(&ipsec_notification_names, md->note)));