initialize new struct msg_digest
[strongswan.git] / src / pluto / demux.c
1 /* demultiplex incoming IKE messages
2 * Copyright (C) 1997 Angelos D. Keromytis.
3 * Copyright (C) 1998-2002 D. Hugh Redelmeier.
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 *
15 * RCSID $Id$
16 */
17
18 /* Ordering Constraints on Payloads
19 *
20 * rfc2409: The Internet Key Exchange (IKE)
21 *
22 * 5 Exchanges:
23 * "The SA payload MUST precede all other payloads in a phase 1 exchange."
24 *
25 * "Except where otherwise noted, there are no requirements for ISAKMP
26 * payloads in any message to be in any particular order."
27 *
28 * 5.3 Phase 1 Authenticated With a Revised Mode of Public Key Encryption:
29 *
30 * "If the HASH payload is sent it MUST be the first payload of the
31 * second message exchange and MUST be followed by the encrypted
32 * nonce. If the HASH payload is not sent, the first payload of the
33 * second message exchange MUST be the encrypted nonce."
34 *
35 * "Save the requirements on the location of the optional HASH payload
36 * and the mandatory nonce payload there are no further payload
37 * requirements. All payloads-- in whatever order-- following the
38 * encrypted nonce MUST be encrypted with Ke_i or Ke_r depending on the
39 * direction."
40 *
41 * 5.5 Phase 2 - Quick Mode
42 *
43 * "In Quick Mode, a HASH payload MUST immediately follow the ISAKMP
44 * header and a SA payload MUST immediately follow the HASH."
45 * [NOTE: there may be more than one SA payload, so this is not
46 * totally reasonable. Probably all SAs should be so constrained.]
47 *
48 * "If ISAKMP is acting as a client negotiator on behalf of another
49 * party, the identities of the parties MUST be passed as IDci and
50 * then IDcr."
51 *
52 * "With the exception of the HASH, SA, and the optional ID payloads,
53 * there are no payload ordering restrictions on Quick Mode."
54 */
55
56 /* Unfolding of Identity -- a central mystery
57 *
58 * This concerns Phase 1 identities, those of the IKE hosts.
59 * These are the only ones that are authenticated. Phase 2
60 * identities are for IPsec SAs.
61 *
62 * There are three case of interest:
63 *
64 * (1) We initiate, based on a whack command specifying a Connection.
65 * We know the identity of the peer from the Connection.
66 *
67 * (2) (to be implemented) we initiate based on a flow from our client
68 * to some IP address.
69 * We immediately know one of the peer's client IP addresses from
70 * the flow. We must use this to figure out the peer's IP address
71 * and Id. To be solved.
72 *
73 * (3) We respond to an IKE negotiation.
74 * We immediately know the peer's IP address.
75 * We get an ID Payload in Main I2.
76 *
77 * Unfortunately, this is too late for a number of things:
78 * - the ISAKMP SA proposals have already been made (Main I1)
79 * AND one accepted (Main R1)
80 * - the SA includes a specification of the type of ID
81 * authentication so this is negotiated without being told the ID.
82 * - with Preshared Key authentication, Main I2 is encrypted
83 * using the key, so it cannot be decoded to reveal the ID
84 * without knowing (or guessing) which key to use.
85 *
86 * There are three reasonable choices here for the responder:
87 * + assume that the initiator is making wise offers since it
88 * knows the IDs involved. We can balk later (but not gracefully)
89 * when we find the actual initiator ID
90 * + attempt to infer identity by IP address. Again, we can balk
91 * when the true identity is revealed. Actually, it is enough
92 * to infer properties of the identity (eg. SA properties and
93 * PSK, if needed).
94 * + make all properties universal so discrimination based on
95 * identity isn't required. For example, always accept the same
96 * kinds of encryption. Accept Public Key Id authentication
97 * since the Initiator presumably has our public key and thinks
98 * we must have / can find his. This approach is weakest
99 * for preshared key since the actual key must be known to
100 * decrypt the Initiator's ID Payload.
101 * These choices can be blended. For example, a class of Identities
102 * can be inferred, sufficient to select a preshared key but not
103 * sufficient to infer a unique identity.
104 */
105
106 #include <stdio.h>
107 #include <stdlib.h>
108 #include <stddef.h>
109 #include <string.h>
110 #include <unistd.h>
111 #include <errno.h>
112 #include <sys/types.h>
113 #include <sys/time.h> /* only used for belt-and-suspenders select call */
114 #include <sys/poll.h> /* only used for forensic poll call */
115 #include <sys/socket.h>
116 #include <sys/ioctl.h>
117 #include <netinet/in.h>
118 #include <arpa/inet.h>
119 #include <sys/queue.h>
120
121 #if defined(IP_RECVERR) && defined(MSG_ERRQUEUE)
122 # include <asm/types.h> /* for __u8, __u32 */
123 # include <linux/errqueue.h>
124 # include <sys/uio.h> /* struct iovec */
125 #endif
126
127 #include <freeswan.h>
128
129 #include "constants.h"
130 #include "defs.h"
131 #include "cookie.h"
132 #include "connections.h"
133 #include "state.h"
134 #include "packet.h"
135 #include "md5.h"
136 #include "sha1.h"
137 #include "crypto.h" /* requires sha1.h and md5.h */
138 #include "ike_alg.h"
139 #include "log.h"
140 #include "demux.h" /* needs packet.h */
141 #include "ipsec_doi.h" /* needs demux.h and state.h */
142 #include "timer.h"
143 #include "whack.h" /* requires connections.h */
144 #include "server.h"
145 #include "nat_traversal.h"
146 #include "vendor.h"
147 #include "modecfg.h"
148
149 /* This file does basic header checking and demux of
150 * incoming packets.
151 */
152
153 /* forward declarations */
154 static bool read_packet(struct msg_digest *md);
155 static void process_packet(struct msg_digest **mdp);
156
157 /* Reply messages are built in this buffer.
158 * Only one state transition function can be using it at a time
159 * so suspended STFs must save and restore it.
160 * It could be an auto variable of complete_state_transition except for the fact
161 * that when a suspended STF resumes, its reply message buffer
162 * must be at the same location -- there are pointers into it.
163 */
164 u_int8_t reply_buffer[MAX_OUTPUT_UDP_SIZE];
165
166 /* state_microcode is a tuple of information parameterizing certain
167 * centralized processing of a packet. For example, it roughly
168 * specifies what payloads are expected in this message.
169 * The microcode is selected primarily based on the state.
170 * In Phase 1, the payload structure often depends on the
171 * authentication technique, so that too plays a part in selecting
172 * the state_microcode to use.
173 */
174
175 struct state_microcode {
176 enum state_kind state, next_state;
177 lset_t flags;
178 lset_t req_payloads; /* required payloads (allows just one) */
179 lset_t opt_payloads; /* optional payloads (any mumber) */
180 /* if not ISAKMP_NEXT_NONE, process_packet will emit HDR with this as np */
181 u_int8_t first_out_payload;
182 enum event_type timeout_event;
183 state_transition_fn *processor;
184 };
185
186 /* State Microcode Flags, in several groups */
187
188 /* Oakley Auth values: to which auth values does this entry apply?
189 * Most entries will use SMF_ALL_AUTH because they apply to all.
190 * Note: SMF_ALL_AUTH matches 0 for those circumstances when no auth
191 * has been set.
192 */
193 #define SMF_ALL_AUTH LRANGE(0, OAKLEY_AUTH_ROOF-1)
194 #define SMF_PSK_AUTH LELEM(OAKLEY_PRESHARED_KEY)
195 #define SMF_DS_AUTH (LELEM(OAKLEY_DSS_SIG) | LELEM(OAKLEY_RSA_SIG))
196 #define SMF_PKE_AUTH (LELEM(OAKLEY_RSA_ENC) | LELEM(OAKLEY_ELGAMAL_ENC))
197 #define SMF_RPKE_AUTH (LELEM(OAKLEY_RSA_ENC_REV) | LELEM(OAKLEY_ELGAMAL_ENC_REV))
198
199 /* misc flags */
200
201 #define SMF_INITIATOR LELEM(OAKLEY_AUTH_ROOF + 0)
202 #define SMF_FIRST_ENCRYPTED_INPUT LELEM(OAKLEY_AUTH_ROOF + 1)
203 #define SMF_INPUT_ENCRYPTED LELEM(OAKLEY_AUTH_ROOF + 2)
204 #define SMF_OUTPUT_ENCRYPTED LELEM(OAKLEY_AUTH_ROOF + 3)
205 #define SMF_RETRANSMIT_ON_DUPLICATE LELEM(OAKLEY_AUTH_ROOF + 4)
206
207 #define SMF_ENCRYPTED (SMF_INPUT_ENCRYPTED | SMF_OUTPUT_ENCRYPTED)
208
209 /* this state generates a reply message */
210 #define SMF_REPLY LELEM(OAKLEY_AUTH_ROOF + 5)
211
212 /* this state completes P1, so any pending P2 negotiations should start */
213 #define SMF_RELEASE_PENDING_P2 LELEM(OAKLEY_AUTH_ROOF + 6)
214
215 /* end of flags */
216
217
218 static state_transition_fn /* forward declaration */
219 unexpected,
220 informational;
221
222 /* state_microcode_table is a table of all state_microcode tuples.
223 * It must be in order of state (the first element).
224 * After initialization, ike_microcode_index[s] points to the
225 * first entry in state_microcode_table for state s.
226 * Remember that each state name in Main or Quick Mode describes
227 * what has happened in the past, not what this message is.
228 */
229
230 static const struct state_microcode
231 *ike_microcode_index[STATE_IKE_ROOF - STATE_IKE_FLOOR];
232
233 static const struct state_microcode state_microcode_table[] = {
234 #define PT(n) ISAKMP_NEXT_##n
235 #define P(n) LELEM(PT(n))
236
237 /***** Phase 1 Main Mode *****/
238
239 /* No state for main_outI1: --> HDR, SA */
240
241 /* STATE_MAIN_R0: I1 --> R1
242 * HDR, SA --> HDR, SA
243 */
244 { STATE_MAIN_R0, STATE_MAIN_R1
245 , SMF_ALL_AUTH | SMF_REPLY
246 , P(SA), P(VID) | P(CR), PT(NONE)
247 , EVENT_RETRANSMIT, main_inI1_outR1},
248
249 /* STATE_MAIN_I1: R1 --> I2
250 * HDR, SA --> auth dependent
251 * SMF_PSK_AUTH, SMF_DS_AUTH: --> HDR, KE, Ni
252 * SMF_PKE_AUTH:
253 * --> HDR, KE, [ HASH(1), ] <IDi1_b>PubKey_r, <Ni_b>PubKey_r
254 * SMF_RPKE_AUTH:
255 * --> HDR, [ HASH(1), ] <Ni_b>Pubkey_r, <KE_b>Ke_i, <IDi1_b>Ke_i [,<<Cert-I_b>Ke_i]
256 * Note: since we don't know auth at start, we cannot differentiate
257 * microcode entries based on it.
258 */
259 { STATE_MAIN_I1, STATE_MAIN_I2
260 , SMF_ALL_AUTH | SMF_INITIATOR | SMF_REPLY
261 , P(SA), P(VID) | P(CR), PT(NONE) /* don't know yet */
262 , EVENT_RETRANSMIT, main_inR1_outI2 },
263
264 /* STATE_MAIN_R1: I2 --> R2
265 * SMF_PSK_AUTH, SMF_DS_AUTH: HDR, KE, Ni --> HDR, KE, Nr
266 * SMF_PKE_AUTH: HDR, KE, [ HASH(1), ] <IDi1_b>PubKey_r, <Ni_b>PubKey_r
267 * --> HDR, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i
268 * SMF_RPKE_AUTH:
269 * HDR, [ HASH(1), ] <Ni_b>Pubkey_r, <KE_b>Ke_i, <IDi1_b>Ke_i [,<<Cert-I_b>Ke_i]
270 * --> HDR, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDr1_b>Ke_r
271 */
272 { STATE_MAIN_R1, STATE_MAIN_R2
273 , SMF_PSK_AUTH | SMF_DS_AUTH | SMF_REPLY
274 , P(KE) | P(NONCE), P(VID) | P(CR) | P(NATD_RFC), PT(KE)
275 , EVENT_RETRANSMIT, main_inI2_outR2 },
276
277 { STATE_MAIN_R1, STATE_UNDEFINED
278 , SMF_PKE_AUTH | SMF_REPLY
279 , P(KE) | P(ID) | P(NONCE), P(VID) | P(CR) | P(HASH), PT(KE)
280 , EVENT_RETRANSMIT, unexpected /* ??? not yet implemented */ },
281
282 { STATE_MAIN_R1, STATE_UNDEFINED
283 , SMF_RPKE_AUTH | SMF_REPLY
284 , P(NONCE) | P(KE) | P(ID), P(VID) | P(CR) | P(HASH) | P(CERT), PT(NONCE)
285 , EVENT_RETRANSMIT, unexpected /* ??? not yet implemented */ },
286
287 /* for states from here on, output message must be encrypted */
288
289 /* STATE_MAIN_I2: R2 --> I3
290 * SMF_PSK_AUTH: HDR, KE, Nr --> HDR*, IDi1, HASH_I
291 * SMF_DS_AUTH: HDR, KE, Nr --> HDR*, IDi1, [ CERT, ] SIG_I
292 * SMF_PKE_AUTH: HDR, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i
293 * --> HDR*, HASH_I
294 * SMF_RPKE_AUTH: HDR, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDr1_b>Ke_r
295 * --> HDR*, HASH_I
296 */
297 { STATE_MAIN_I2, STATE_MAIN_I3
298 , SMF_PSK_AUTH | SMF_DS_AUTH | SMF_INITIATOR | SMF_OUTPUT_ENCRYPTED | SMF_REPLY
299 , P(KE) | P(NONCE), P(VID) | P(CR) | P(NATD_RFC), PT(ID)
300 , EVENT_RETRANSMIT, main_inR2_outI3 },
301
302 { STATE_MAIN_I2, STATE_UNDEFINED
303 , SMF_PKE_AUTH | SMF_INITIATOR | SMF_OUTPUT_ENCRYPTED | SMF_REPLY
304 , P(KE) | P(ID) | P(NONCE), P(VID) | P(CR), PT(HASH)
305 , EVENT_RETRANSMIT, unexpected /* ??? not yet implemented */ },
306
307 { STATE_MAIN_I2, STATE_UNDEFINED
308 , SMF_ALL_AUTH | SMF_INITIATOR | SMF_OUTPUT_ENCRYPTED | SMF_REPLY
309 , P(NONCE) | P(KE) | P(ID), P(VID) | P(CR), PT(HASH)
310 , EVENT_RETRANSMIT, unexpected /* ??? not yet implemented */ },
311
312 /* for states from here on, input message must be encrypted */
313
314 /* STATE_MAIN_R2: I3 --> R3
315 * SMF_PSK_AUTH: HDR*, IDi1, HASH_I --> HDR*, IDr1, HASH_R
316 * SMF_DS_AUTH: HDR*, IDi1, [ CERT, ] SIG_I --> HDR*, IDr1, [ CERT, ] SIG_R
317 * SMF_PKE_AUTH, SMF_RPKE_AUTH: HDR*, HASH_I --> HDR*, HASH_R
318 */
319 { STATE_MAIN_R2, STATE_MAIN_R3
320 , SMF_PSK_AUTH | SMF_FIRST_ENCRYPTED_INPUT | SMF_ENCRYPTED
321 | SMF_REPLY | SMF_RELEASE_PENDING_P2
322 , P(ID) | P(HASH), P(VID) | P(CR), PT(NONE)
323 , EVENT_SA_REPLACE, main_inI3_outR3 },
324
325 { STATE_MAIN_R2, STATE_MAIN_R3
326 , SMF_DS_AUTH | SMF_FIRST_ENCRYPTED_INPUT | SMF_ENCRYPTED
327 | SMF_REPLY | SMF_RELEASE_PENDING_P2
328 , P(ID) | P(SIG), P(VID) | P(CR) | P(CERT), PT(NONE)
329 , EVENT_SA_REPLACE, main_inI3_outR3 },
330
331 { STATE_MAIN_R2, STATE_UNDEFINED
332 , SMF_PKE_AUTH | SMF_RPKE_AUTH | SMF_FIRST_ENCRYPTED_INPUT | SMF_ENCRYPTED
333 | SMF_REPLY | SMF_RELEASE_PENDING_P2
334 , P(HASH), P(VID) | P(CR), PT(NONE)
335 , EVENT_SA_REPLACE, unexpected /* ??? not yet implemented */ },
336
337 /* STATE_MAIN_I3: R3 --> done
338 * SMF_PSK_AUTH: HDR*, IDr1, HASH_R --> done
339 * SMF_DS_AUTH: HDR*, IDr1, [ CERT, ] SIG_R --> done
340 * SMF_PKE_AUTH, SMF_RPKE_AUTH: HDR*, HASH_R --> done
341 * May initiate quick mode by calling quick_outI1
342 */
343 { STATE_MAIN_I3, STATE_MAIN_I4
344 , SMF_PSK_AUTH | SMF_INITIATOR
345 | SMF_FIRST_ENCRYPTED_INPUT | SMF_ENCRYPTED | SMF_RELEASE_PENDING_P2
346 , P(ID) | P(HASH), P(VID) | P(CR), PT(NONE)
347 , EVENT_SA_REPLACE, main_inR3 },
348
349 { STATE_MAIN_I3, STATE_MAIN_I4
350 , SMF_DS_AUTH | SMF_INITIATOR
351 | SMF_FIRST_ENCRYPTED_INPUT | SMF_ENCRYPTED | SMF_RELEASE_PENDING_P2
352 , P(ID) | P(SIG), P(VID) | P(CR) | P(CERT), PT(NONE)
353 , EVENT_SA_REPLACE, main_inR3 },
354
355 { STATE_MAIN_I3, STATE_UNDEFINED
356 , SMF_PKE_AUTH | SMF_RPKE_AUTH | SMF_INITIATOR
357 | SMF_FIRST_ENCRYPTED_INPUT | SMF_ENCRYPTED | SMF_RELEASE_PENDING_P2
358 , P(HASH), P(VID) | P(CR), PT(NONE)
359 , EVENT_SA_REPLACE, unexpected /* ??? not yet implemented */ },
360
361 /* STATE_MAIN_R3: can only get here due to packet loss */
362 { STATE_MAIN_R3, STATE_UNDEFINED
363 , SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_RETRANSMIT_ON_DUPLICATE
364 , LEMPTY, LEMPTY
365 , PT(NONE), EVENT_NULL, unexpected },
366
367 /* STATE_MAIN_I4: can only get here due to packet loss */
368 { STATE_MAIN_I4, STATE_UNDEFINED
369 , SMF_ALL_AUTH | SMF_INITIATOR | SMF_ENCRYPTED
370 , LEMPTY, LEMPTY
371 , PT(NONE), EVENT_NULL, unexpected },
372
373
374 /***** Phase 2 Quick Mode *****/
375
376 /* No state for quick_outI1:
377 * --> HDR*, HASH(1), SA, Nr [, KE ] [, IDci, IDcr ]
378 */
379
380 /* STATE_QUICK_R0:
381 * HDR*, HASH(1), SA, Ni [, KE ] [, IDci, IDcr ] -->
382 * HDR*, HASH(2), SA, Nr [, KE ] [, IDci, IDcr ]
383 * Installs inbound IPsec SAs.
384 * Because it may suspend for asynchronous DNS, first_out_payload
385 * is set to NONE to suppress early emission of HDR*.
386 * ??? it is legal to have multiple SAs, but we don't support it yet.
387 */
388 { STATE_QUICK_R0, STATE_QUICK_R1
389 , SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY
390 , P(HASH) | P(SA) | P(NONCE), /* P(SA) | */ P(KE) | P(ID) | P(NATOA_RFC), PT(NONE)
391 , EVENT_RETRANSMIT, quick_inI1_outR1 },
392
393 /* STATE_QUICK_I1:
394 * HDR*, HASH(2), SA, Nr [, KE ] [, IDci, IDcr ] -->
395 * HDR*, HASH(3)
396 * Installs inbound and outbound IPsec SAs, routing, etc.
397 * ??? it is legal to have multiple SAs, but we don't support it yet.
398 */
399 { STATE_QUICK_I1, STATE_QUICK_I2
400 , SMF_ALL_AUTH | SMF_INITIATOR | SMF_ENCRYPTED | SMF_REPLY
401 , P(HASH) | P(SA) | P(NONCE), /* P(SA) | */ P(KE) | P(ID) | P(NATOA_RFC), PT(HASH)
402 , EVENT_SA_REPLACE, quick_inR1_outI2 },
403
404 /* STATE_QUICK_R1: HDR*, HASH(3) --> done
405 * Installs outbound IPsec SAs, routing, etc.
406 */
407 { STATE_QUICK_R1, STATE_QUICK_R2
408 , SMF_ALL_AUTH | SMF_ENCRYPTED
409 , P(HASH), LEMPTY, PT(NONE)
410 , EVENT_SA_REPLACE, quick_inI2 },
411
412 /* STATE_QUICK_I2: can only happen due to lost packet */
413 { STATE_QUICK_I2, STATE_UNDEFINED
414 , SMF_ALL_AUTH | SMF_INITIATOR | SMF_ENCRYPTED | SMF_RETRANSMIT_ON_DUPLICATE
415 , LEMPTY, LEMPTY, PT(NONE)
416 , EVENT_NULL, unexpected },
417
418 /* STATE_QUICK_R2: can only happen due to lost packet */
419 { STATE_QUICK_R2, STATE_UNDEFINED
420 , SMF_ALL_AUTH | SMF_ENCRYPTED
421 , LEMPTY, LEMPTY, PT(NONE)
422 , EVENT_NULL, unexpected },
423
424
425 /***** informational messages *****/
426
427 /* STATE_INFO: */
428 { STATE_INFO, STATE_UNDEFINED
429 , SMF_ALL_AUTH
430 , LEMPTY, LEMPTY, PT(NONE)
431 , EVENT_NULL, informational },
432
433 /* STATE_INFO_PROTECTED: */
434 { STATE_INFO_PROTECTED, STATE_UNDEFINED
435 , SMF_ALL_AUTH | SMF_ENCRYPTED
436 , P(HASH), LEMPTY, PT(NONE)
437 , EVENT_NULL, informational },
438
439 /* XAUTH state transitions */
440 { STATE_XAUTH_I0, STATE_XAUTH_I1
441 , SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY
442 , P(ATTR) | P(HASH), P(VID), PT(HASH)
443 , EVENT_RETRANSMIT, xauth_inI0 },
444
445 { STATE_XAUTH_R1, STATE_XAUTH_R2
446 , SMF_ALL_AUTH | SMF_ENCRYPTED
447 , P(ATTR) | P(HASH), P(VID), PT(HASH)
448 , EVENT_RETRANSMIT, xauth_inR1 },
449
450 { STATE_XAUTH_I1, STATE_XAUTH_I2
451 , SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY | SMF_RELEASE_PENDING_P2
452 , P(ATTR) | P(HASH), P(VID), PT(HASH)
453 , EVENT_SA_REPLACE, xauth_inI1 },
454
455 { STATE_XAUTH_R2, STATE_XAUTH_R3
456 , SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_RELEASE_PENDING_P2
457 , P(ATTR) | P(HASH), P(VID), PT(NONE)
458 , EVENT_SA_REPLACE, xauth_inR2 },
459
460 { STATE_XAUTH_I2, STATE_UNDEFINED
461 , SMF_ALL_AUTH | SMF_ENCRYPTED
462 , LEMPTY, LEMPTY, PT(NONE)
463 , EVENT_NULL, unexpected },
464
465 { STATE_XAUTH_R3, STATE_UNDEFINED
466 , SMF_ALL_AUTH | SMF_ENCRYPTED
467 , LEMPTY, LEMPTY, PT(NONE)
468 , EVENT_NULL, unexpected },
469
470 /* ModeCfg pull mode state transitions */
471
472 { STATE_MODE_CFG_R0, STATE_MODE_CFG_R1
473 , SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY | SMF_RELEASE_PENDING_P2
474 , P(ATTR) | P(HASH), P(VID), PT(HASH)
475 , EVENT_SA_REPLACE, modecfg_inR0 },
476
477 { STATE_MODE_CFG_I1, STATE_MODE_CFG_I2
478 , SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_RELEASE_PENDING_P2
479 , P(ATTR) | P(HASH), P(VID), PT(HASH)
480 , EVENT_SA_REPLACE, modecfg_inI1 },
481
482 { STATE_MODE_CFG_R1, STATE_UNDEFINED
483 , SMF_ALL_AUTH | SMF_ENCRYPTED
484 , LEMPTY, LEMPTY, PT(NONE)
485 , EVENT_NULL, unexpected },
486
487 { STATE_MODE_CFG_I2, STATE_UNDEFINED
488 , SMF_ALL_AUTH | SMF_ENCRYPTED
489 , LEMPTY, LEMPTY, PT(NONE)
490 , EVENT_NULL, unexpected },
491
492 /* ModeCfg push mode state transitions */
493
494 { STATE_MODE_CFG_I0, STATE_MODE_CFG_I3
495 , SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY | SMF_RELEASE_PENDING_P2
496 , P(ATTR) | P(HASH), P(VID), PT(HASH)
497 , EVENT_SA_REPLACE, modecfg_inI0 },
498
499 { STATE_MODE_CFG_R3, STATE_MODE_CFG_R4
500 , SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_RELEASE_PENDING_P2
501 , P(ATTR) | P(HASH), P(VID), PT(HASH)
502 , EVENT_SA_REPLACE, modecfg_inR3 },
503
504 { STATE_MODE_CFG_I3, STATE_UNDEFINED
505 , SMF_ALL_AUTH | SMF_ENCRYPTED
506 , LEMPTY, LEMPTY, PT(NONE)
507 , EVENT_NULL, unexpected },
508
509 { STATE_MODE_CFG_R4, STATE_UNDEFINED
510 , SMF_ALL_AUTH | SMF_ENCRYPTED
511 , LEMPTY, LEMPTY, PT(NONE)
512 , EVENT_NULL, unexpected },
513
514 #undef P
515 #undef PT
516 };
517
518 void
519 init_demux(void)
520 {
521 /* fill ike_microcode_index:
522 * make ike_microcode_index[s] point to first entry in
523 * state_microcode_table for state s (backward scan makes this easier).
524 * Check that table is in order -- catch coding errors.
525 * For what it's worth, this routine is idempotent.
526 */
527 const struct state_microcode *t;
528
529 for (t = &state_microcode_table[countof(state_microcode_table) - 1];;)
530 {
531 passert(STATE_IKE_FLOOR <= t->state && t->state < STATE_IKE_ROOF);
532 ike_microcode_index[t->state - STATE_IKE_FLOOR] = t;
533 if (t == state_microcode_table)
534 break;
535 t--;
536 passert(t[0].state <= t[1].state);
537 }
538 }
539
540 /* Process any message on the MSG_ERRQUEUE
541 *
542 * This information is generated because of the IP_RECVERR socket option.
543 * The API is sparsely documented, and may be LINUX-only, and only on
544 * fairly recent versions at that (hence the conditional compilation).
545 *
546 * - ip(7) describes IP_RECVERR
547 * - recvmsg(2) describes MSG_ERRQUEUE
548 * - readv(2) describes iovec
549 * - cmsg(3) describes how to process auxilliary messages
550 *
551 * ??? we should link this message with one we've sent
552 * so that the diagnostic can refer to that negotiation.
553 *
554 * ??? how long can the messge be?
555 *
556 * ??? poll(2) has a very incomplete description of the POLL* events.
557 * We assume that POLLIN, POLLOUT, and POLLERR are all we need to deal with
558 * and that POLLERR will be on iff there is a MSG_ERRQUEUE message.
559 *
560 * We have to code around a couple of surprises:
561 *
562 * - Select can say that a socket is ready to read from, and
563 * yet a read will hang. It turns out that a message available on the
564 * MSG_ERRQUEUE will cause select to say something is pending, but
565 * a normal read will hang. poll(2) can tell when a MSG_ERRQUEUE
566 * message is pending.
567 *
568 * This is dealt with by calling check_msg_errqueue after select
569 * has indicated that there is something to read, but before the
570 * read is performed. check_msg_errqueue will return TRUE if there
571 * is something left to read.
572 *
573 * - A write to a socket may fail because there is a pending MSG_ERRQUEUE
574 * message, without there being anything wrong with the write. This
575 * makes for confusing diagnostics.
576 *
577 * To avoid this, we call check_msg_errqueue before a write. True,
578 * there is a race condition (a MSG_ERRQUEUE message might arrive
579 * between the check and the write), but we should eliminate many
580 * of the problematic events. To narrow the window, the poll(2)
581 * will await until an event happens (in the case or a write,
582 * POLLOUT; this should be benign for POLLIN).
583 */
584
585 #if defined(IP_RECVERR) && defined(MSG_ERRQUEUE)
586 static bool
587 check_msg_errqueue(const struct iface *ifp, short interest)
588 {
589 struct pollfd pfd;
590
591 pfd.fd = ifp->fd;
592 pfd.events = interest | POLLPRI | POLLOUT;
593
594 while (pfd.revents = 0
595 , poll(&pfd, 1, -1) > 0 && (pfd.revents & POLLERR))
596 {
597 u_int8_t buffer[3000]; /* hope that this is big enough */
598 union
599 {
600 struct sockaddr sa;
601 struct sockaddr_in sa_in4;
602 struct sockaddr_in6 sa_in6;
603 } from;
604
605 int from_len = sizeof(from);
606
607 int packet_len;
608
609 struct msghdr emh;
610 struct iovec eiov;
611 union {
612 /* force alignment (not documented as necessary) */
613 struct cmsghdr ecms;
614
615 /* how much space is enough? */
616 unsigned char space[256];
617 } ecms_buf;
618
619 struct cmsghdr *cm;
620 char fromstr[sizeof(" for message to port 65536") + INET6_ADDRSTRLEN];
621 struct state *sender = NULL;
622
623 zero(&from.sa);
624 from_len = sizeof(from);
625
626 emh.msg_name = &from.sa; /* ??? filled in? */
627 emh.msg_namelen = sizeof(from);
628 emh.msg_iov = &eiov;
629 emh.msg_iovlen = 1;
630 emh.msg_control = &ecms_buf;
631 emh.msg_controllen = sizeof(ecms_buf);
632 emh.msg_flags = 0;
633
634 eiov.iov_base = buffer; /* see readv(2) */
635 eiov.iov_len = sizeof(buffer);
636
637 packet_len = recvmsg(ifp->fd, &emh, MSG_ERRQUEUE);
638
639 if (packet_len == -1)
640 {
641 log_errno((e, "recvmsg(,, MSG_ERRQUEUE) on %s failed in comm_handle"
642 , ifp->rname));
643 break;
644 }
645 else if (packet_len == sizeof(buffer))
646 {
647 plog("MSG_ERRQUEUE message longer than %lu bytes; truncated"
648 , (unsigned long) sizeof(buffer));
649 }
650 else
651 {
652 sender = find_sender((size_t) packet_len, buffer);
653 }
654
655 DBG_cond_dump(DBG_ALL, "rejected packet:\n", buffer, packet_len);
656 DBG_cond_dump(DBG_ALL, "control:\n", emh.msg_control, emh.msg_controllen);
657 /* ??? Andi Kleen <ak@suse.de> and misc documentation
658 * suggests that name will have the original destination
659 * of the packet. We seem to see msg_namelen == 0.
660 * Andi says that this is a kernel bug and has fixed it.
661 * Perhaps in 2.2.18/2.4.0.
662 */
663 passert(emh.msg_name == &from.sa);
664 DBG_cond_dump(DBG_ALL, "name:\n", emh.msg_name
665 , emh.msg_namelen);
666
667 fromstr[0] = '\0'; /* usual case :-( */
668 switch (from.sa.sa_family)
669 {
670 char as[INET6_ADDRSTRLEN];
671
672 case AF_INET:
673 if (emh.msg_namelen == sizeof(struct sockaddr_in))
674 snprintf(fromstr, sizeof(fromstr)
675 , " for message to %s port %u"
676 , inet_ntop(from.sa.sa_family
677 , &from.sa_in4.sin_addr, as, sizeof(as))
678 , ntohs(from.sa_in4.sin_port));
679 break;
680 case AF_INET6:
681 if (emh.msg_namelen == sizeof(struct sockaddr_in6))
682 snprintf(fromstr, sizeof(fromstr)
683 , " for message to %s port %u"
684 , inet_ntop(from.sa.sa_family
685 , &from.sa_in6.sin6_addr, as, sizeof(as))
686 , ntohs(from.sa_in6.sin6_port));
687 break;
688 }
689
690 for (cm = CMSG_FIRSTHDR(&emh)
691 ; cm != NULL
692 ; cm = CMSG_NXTHDR(&emh,cm))
693 {
694 if (cm->cmsg_level == SOL_IP
695 && cm->cmsg_type == IP_RECVERR)
696 {
697 /* ip(7) and recvmsg(2) specify:
698 * ee_origin is SO_EE_ORIGIN_ICMP for ICMP
699 * or SO_EE_ORIGIN_LOCAL for locally generated errors.
700 * ee_type and ee_code are from the ICMP header.
701 * ee_info is the discovered MTU for EMSGSIZE errors
702 * ee_data is not used.
703 *
704 * ??? recvmsg(2) says "SOCK_EE_OFFENDER" but
705 * means "SO_EE_OFFENDER". The OFFENDER is really
706 * the router that complained. As such, the port
707 * is meaningless.
708 */
709
710 /* ??? cmsg(3) claims that CMSG_DATA returns
711 * void *, but RFC 2292 and /usr/include/bits/socket.h
712 * say unsigned char *. The manual is being fixed.
713 */
714 struct sock_extended_err *ee = (void *)CMSG_DATA(cm);
715 const char *offstr = "unspecified";
716 char offstrspace[INET6_ADDRSTRLEN];
717 char orname[50];
718
719 if (cm->cmsg_len > CMSG_LEN(sizeof(struct sock_extended_err)))
720 {
721 const struct sockaddr *offender = SO_EE_OFFENDER(ee);
722
723 switch (offender->sa_family)
724 {
725 case AF_INET:
726 offstr = inet_ntop(offender->sa_family
727 , &((const struct sockaddr_in *)offender)->sin_addr
728 , offstrspace, sizeof(offstrspace));
729 break;
730 case AF_INET6:
731 offstr = inet_ntop(offender->sa_family
732 , &((const struct sockaddr_in6 *)offender)->sin6_addr
733 , offstrspace, sizeof(offstrspace));
734 break;
735 default:
736 offstr = "unknown";
737 break;
738 }
739 }
740
741 switch (ee->ee_origin)
742 {
743 case SO_EE_ORIGIN_NONE:
744 snprintf(orname, sizeof(orname), "none");
745 break;
746 case SO_EE_ORIGIN_LOCAL:
747 snprintf(orname, sizeof(orname), "local");
748 break;
749 case SO_EE_ORIGIN_ICMP:
750 snprintf(orname, sizeof(orname)
751 , "ICMP type %d code %d (not authenticated)"
752 , ee->ee_type, ee->ee_code
753 );
754 break;
755 case SO_EE_ORIGIN_ICMP6:
756 snprintf(orname, sizeof(orname)
757 , "ICMP6 type %d code %d (not authenticated)"
758 , ee->ee_type, ee->ee_code
759 );
760 break;
761 default:
762 snprintf(orname, sizeof(orname), "invalid origin %lu"
763 , (unsigned long) ee->ee_origin);
764 break;
765 }
766
767 {
768 struct state *old_state = cur_state;
769
770 cur_state = sender;
771
772 /* note dirty trick to suppress ~ at start of format
773 * if we know what state to blame.
774 */
775 if ((packet_len == 1) && (buffer[0] = 0xff)
776 #ifdef DEBUG
777 && ((cur_debugging & DBG_NATT) == 0)
778 #endif
779 ) {
780 /* don't log NAT-T keepalive related errors unless NATT debug is
781 * enabled
782 */
783 }
784 else
785 plog((sender != NULL) + "~"
786 "ERROR: asynchronous network error report on %s"
787 "%s"
788 ", complainant %s"
789 ": %s"
790 " [errno %lu, origin %s"
791 /* ", pad %d, info %ld" */
792 /* ", data %ld" */
793 "]"
794 , ifp->rname
795 , fromstr
796 , offstr
797 , strerror(ee->ee_errno)
798 , (unsigned long) ee->ee_errno
799 , orname
800 /* , ee->ee_pad, (unsigned long)ee->ee_info */
801 /* , (unsigned long)ee->ee_data */
802 );
803 cur_state = old_state;
804 }
805 }
806 else
807 {
808 /* .cmsg_len is a kernel_size_t(!), but the value
809 * certainly ought to fit in an unsigned long.
810 */
811 plog("unknown cmsg: level %d, type %d, len %lu"
812 , cm->cmsg_level, cm->cmsg_type
813 , (unsigned long) cm->cmsg_len);
814 }
815 }
816 }
817 return (pfd.revents & interest) != 0;
818 }
819 #endif /* defined(IP_RECVERR) && defined(MSG_ERRQUEUE) */
820
821 bool
822 send_packet(struct state *st, const char *where)
823 {
824 struct connection *c = st->st_connection;
825 int port_buf;
826 bool err;
827 u_int8_t ike_pkt[MAX_OUTPUT_UDP_SIZE];
828 u_int8_t *ptr;
829 unsigned long len;
830
831 if (c->interface->ike_float && st->st_tpacket.len != 1)
832 {
833 if ((unsigned long) st->st_tpacket.len > (MAX_OUTPUT_UDP_SIZE-sizeof(u_int32_t)))
834 {
835 DBG_log("send_packet(): really too big");
836 return FALSE;
837 }
838 ptr = ike_pkt;
839 /** Add Non-ESP marker **/
840 memset(ike_pkt, 0, sizeof(u_int32_t));
841 memcpy(ike_pkt + sizeof(u_int32_t), st->st_tpacket.ptr,
842 (unsigned long)st->st_tpacket.len);
843 len = (unsigned long) st->st_tpacket.len + sizeof(u_int32_t);
844 }
845 else
846 {
847 ptr = st->st_tpacket.ptr;
848 len = (unsigned long) st->st_tpacket.len;
849 }
850
851 DBG(DBG_RAW,
852 {
853 DBG_log("sending %lu bytes for %s through %s to %s:%u:"
854 , (unsigned long) st->st_tpacket.len
855 , where
856 , c->interface->rname
857 , ip_str(&c->spd.that.host_addr)
858 , (unsigned)c->spd.that.host_port);
859 DBG_dump_chunk(NULL, st->st_tpacket);
860 });
861
862 /* XXX: Not very clean. We manipulate the port of the ip_address to
863 * have a port in the sockaddr*, but we retain the original port
864 * and restore it afterwards.
865 */
866
867 port_buf = portof(&c->spd.that.host_addr);
868 setportof(htons(c->spd.that.host_port), &c->spd.that.host_addr);
869
870 #if defined(IP_RECVERR) && defined(MSG_ERRQUEUE)
871 (void) check_msg_errqueue(c->interface, POLLOUT);
872 #endif /* defined(IP_RECVERR) && defined(MSG_ERRQUEUE) */
873
874 err = sendto(c->interface->fd
875 , ptr, len, 0
876 , sockaddrof(&c->spd.that.host_addr)
877 , sockaddrlenof(&c->spd.that.host_addr)) != (ssize_t)len;
878
879 /* restore port */
880 setportof(port_buf, &c->spd.that.host_addr);
881
882 if (err)
883 {
884 /* do not log NAT-T Keep Alive packets */
885 if (streq(where, "NAT-T Keep Alive"))
886 return FALSE;
887 log_errno((e, "sendto on %s to %s:%u failed in %s"
888 , c->interface->rname
889 , ip_str(&c->spd.that.host_addr)
890 , (unsigned)c->spd.that.host_port
891 , where));
892 return FALSE;
893 }
894 else
895 {
896 return TRUE;
897 }
898 }
899
900 static stf_status
901 unexpected(struct msg_digest *md)
902 {
903 loglog(RC_LOG_SERIOUS, "unexpected message received in state %s"
904 , enum_name(&state_names, md->st->st_state));
905 return STF_IGNORE;
906 }
907
908 static stf_status
909 informational(struct msg_digest *md UNUSED)
910 {
911 struct payload_digest *const n_pld = md->chain[ISAKMP_NEXT_N];
912
913 /* If the Notification Payload is not null... */
914 if (n_pld != NULL)
915 {
916 pb_stream *const n_pbs = &n_pld->pbs;
917 struct isakmp_notification *const n = &n_pld->payload.notification;
918 int disp_len;
919 char disp_buf[200];
920
921 /* Switch on Notification Type (enum) */
922 switch (n->isan_type)
923 {
924 case R_U_THERE:
925 return dpd_inI_outR(md->st, n, n_pbs);
926
927 case R_U_THERE_ACK:
928 return dpd_inR(md->st, n, n_pbs);
929 default:
930 if (pbs_left(n_pbs) >= sizeof(disp_buf)-1)
931 disp_len = sizeof(disp_buf)-1;
932 else
933 disp_len = pbs_left(n_pbs);
934 memcpy(disp_buf, n_pbs->cur, disp_len);
935 disp_buf[disp_len] = '\0';
936 break;
937 }
938 }
939 return STF_IGNORE;
940 }
941
942 /* message digest allocation and deallocation */
943
944 static struct msg_digest *md_pool = NULL;
945
946 /* free_md_pool is only used to avoid leak reports */
947 void
948 free_md_pool(void)
949 {
950 for (;;)
951 {
952 struct msg_digest *md = md_pool;
953
954 if (md == NULL)
955 break;
956 md_pool = md->next;
957 free(md);
958 }
959 }
960
961 static struct msg_digest *
962 malloc_md(void)
963 {
964 struct msg_digest *md = md_pool;
965
966 /* convenient initializer:
967 * - all pointers NULL
968 * - .note = NOTHING_WRONG
969 * - .encrypted = FALSE
970 */
971 static const struct msg_digest blank_md;
972
973 if (md == NULL)
974 {
975 md = malloc_thing(struct msg_digest);
976 zero(md);
977 }
978 else
979 md_pool = md->next;
980
981 *md = blank_md;
982 md->digest_roof = md->digest;
983
984 /* note: although there may be multiple msg_digests at once
985 * (due to suspended state transitions), there is a single
986 * global reply_buffer. It will need to be saved and restored.
987 */
988 init_pbs(&md->reply, reply_buffer, sizeof(reply_buffer), "reply packet");
989
990 return md;
991 }
992
993 void
994 release_md(struct msg_digest *md)
995 {
996 chunk_free(&md->raw_packet);
997 free(md->packet_pbs.start);
998 md->packet_pbs.start = NULL;
999 md->next = md_pool;
1000 md_pool = md;
1001 }
1002
1003 /* wrapper for read_packet and process_packet
1004 *
1005 * The main purpose of this wrapper is to factor out teardown code
1006 * from the many return points in process_packet. This amounts to
1007 * releasing the msg_digest and resetting global variables.
1008 *
1009 * When processing of a packet is suspended (STF_SUSPEND),
1010 * process_packet sets md to NULL to prevent the msg_digest being freed.
1011 * Someone else must ensure that msg_digest is freed eventually.
1012 *
1013 * read_packet is broken out to minimize the lifetime of the
1014 * enormous input packet buffer, an auto.
1015 */
1016 void
1017 comm_handle(const struct iface *ifp)
1018 {
1019 static struct msg_digest *md;
1020
1021 #if defined(IP_RECVERR) && defined(MSG_ERRQUEUE)
1022 /* Even though select(2) says that there is a message,
1023 * it might only be a MSG_ERRQUEUE message. At least
1024 * sometimes that leads to a hanging recvfrom. To avoid
1025 * what appears to be a kernel bug, check_msg_errqueue
1026 * uses poll(2) and tells us if there is anything for us
1027 * to read.
1028 *
1029 * This is early enough that teardown isn't required:
1030 * just return on failure.
1031 */
1032 if (!check_msg_errqueue(ifp, POLLIN))
1033 return; /* no normal message to read */
1034 #endif /* defined(IP_RECVERR) && defined(MSG_ERRQUEUE) */
1035
1036 md = malloc_md();
1037 md->iface = ifp;
1038
1039 if (read_packet(md))
1040 process_packet(&md);
1041
1042 if (md != NULL)
1043 release_md(md);
1044
1045 cur_state = NULL;
1046 reset_cur_connection();
1047 cur_from = NULL;
1048 }
1049
1050 /* read the message.
1051 * Since we don't know its size, we read it into
1052 * an overly large buffer and then copy it to a
1053 * new, properly sized buffer.
1054 */
1055 static bool
1056 read_packet(struct msg_digest *md)
1057 {
1058 const struct iface *ifp = md->iface;
1059 int packet_len;
1060 u_int8_t *buffer;
1061 u_int8_t *buffer_nat;
1062 union
1063 {
1064 struct sockaddr sa;
1065 struct sockaddr_in sa_in4;
1066 struct sockaddr_in6 sa_in6;
1067 } from;
1068 int from_len = sizeof(from);
1069 err_t from_ugh = NULL;
1070 static const char undisclosed[] = "unknown source";
1071
1072 happy(anyaddr(addrtypeof(&ifp->addr), &md->sender));
1073 zero(&from.sa);
1074 ioctl(ifp->fd, FIONREAD, &packet_len);
1075 buffer = malloc(packet_len);
1076 packet_len = recvfrom(ifp->fd, buffer, packet_len, 0
1077 , &from.sa, &from_len);
1078
1079 /* First: digest the from address.
1080 * We presume that nothing here disturbs errno.
1081 */
1082 if (packet_len == -1
1083 && from_len == sizeof(from)
1084 && all_zero((const void *)&from.sa, sizeof(from)))
1085 {
1086 /* "from" is untouched -- not set by recvfrom */
1087 from_ugh = undisclosed;
1088 }
1089 else if (from_len
1090 < (int) (offsetof(struct sockaddr, sa_family) + sizeof(from.sa.sa_family)))
1091 {
1092 from_ugh = "truncated";
1093 }
1094 else
1095 {
1096 const struct af_info *afi = aftoinfo(from.sa.sa_family);
1097
1098 if (afi == NULL)
1099 {
1100 from_ugh = "unexpected Address Family";
1101 }
1102 else if (from_len != (int)afi->sa_sz)
1103 {
1104 from_ugh = "wrong length";
1105 }
1106 else
1107 {
1108 switch (from.sa.sa_family)
1109 {
1110 case AF_INET:
1111 from_ugh = initaddr((void *) &from.sa_in4.sin_addr
1112 , sizeof(from.sa_in4.sin_addr), AF_INET, &md->sender);
1113 md->sender_port = ntohs(from.sa_in4.sin_port);
1114 break;
1115 case AF_INET6:
1116 from_ugh = initaddr((void *) &from.sa_in6.sin6_addr
1117 , sizeof(from.sa_in6.sin6_addr), AF_INET6, &md->sender);
1118 md->sender_port = ntohs(from.sa_in6.sin6_port);
1119 break;
1120 }
1121 }
1122 }
1123
1124 /* now we report any actual I/O error */
1125 if (packet_len == -1)
1126 {
1127 if (from_ugh == undisclosed
1128 && errno == ECONNREFUSED)
1129 {
1130 /* Tone down scary message for vague event:
1131 * We get "connection refused" in response to some
1132 * datagram we sent, but we cannot tell which one.
1133 */
1134 plog("some IKE message we sent has been rejected with ECONNREFUSED (kernel supplied no details)");
1135 }
1136 else if (from_ugh != NULL)
1137 {
1138 log_errno((e, "recvfrom on %s failed; Pluto cannot decode source sockaddr in rejection: %s"
1139 , ifp->rname, from_ugh));
1140 }
1141 else
1142 {
1143 log_errno((e, "recvfrom on %s from %s:%u failed"
1144 , ifp->rname
1145 , ip_str(&md->sender), (unsigned)md->sender_port));
1146 }
1147
1148 return FALSE;
1149 }
1150 else if (from_ugh != NULL)
1151 {
1152 plog("recvfrom on %s returned misformed source sockaddr: %s"
1153 , ifp->rname, from_ugh);
1154 return FALSE;
1155 }
1156 cur_from = &md->sender;
1157 cur_from_port = md->sender_port;
1158
1159 if (ifp->ike_float == TRUE)
1160 {
1161 u_int32_t non_esp;
1162
1163 if (packet_len < (int)sizeof(u_int32_t))
1164 {
1165 plog("recvfrom %s:%u too small packet (%d)"
1166 , ip_str(cur_from), (unsigned) cur_from_port, packet_len);
1167 return FALSE;
1168 }
1169 memcpy(&non_esp, buffer, sizeof(u_int32_t));
1170 if (non_esp != 0)
1171 {
1172 plog("recvfrom %s:%u has no Non-ESP marker"
1173 , ip_str(cur_from), (unsigned) cur_from_port);
1174 return FALSE;
1175 }
1176 packet_len -= sizeof(u_int32_t);
1177 buffer_nat = malloc(packet_len);
1178 memcpy(buffer_nat, buffer + sizeof(u_int32_t), packet_len);
1179 free(buffer);
1180 buffer = buffer_nat;
1181 }
1182
1183 /* Clone actual message contents
1184 * and set up md->packet_pbs to describe it.
1185 */
1186 init_pbs(&md->packet_pbs, buffer, packet_len, "packet");
1187
1188 DBG(DBG_RAW | DBG_CRYPT | DBG_PARSING | DBG_CONTROL,
1189 {
1190 DBG_log(BLANK_FORMAT);
1191 DBG_log("*received %d bytes from %s:%u on %s"
1192 , (int) pbs_room(&md->packet_pbs)
1193 , ip_str(cur_from), (unsigned) cur_from_port
1194 , ifp->rname);
1195 });
1196
1197 DBG(DBG_RAW,
1198 DBG_dump("", md->packet_pbs.start, pbs_room(&md->packet_pbs)));
1199
1200 if ((pbs_room(&md->packet_pbs)==1) && (md->packet_pbs.start[0]==0xff))
1201 {
1202 /**
1203 * NAT-T Keep-alive packets should be discarded by kernel ESPinUDP
1204 * layer. But bogus keep-alive packets (sent with a non-esp marker)
1205 * can reach this point. Complain and discard them.
1206 */
1207 DBG(DBG_NATT,
1208 DBG_log("NAT-T keep-alive (bogus ?) should not reach this point. "
1209 "Ignored. Sender: %s:%u", ip_str(cur_from),
1210 (unsigned) cur_from_port);
1211 )
1212 return FALSE;
1213 }
1214
1215 #define IKEV2_VERSION_OFFSET 17
1216 #define IKEV2_VERSION 0x20
1217
1218 /* ignore IKEv2 packets - they will be handled by charon */
1219 if (pbs_room(&md->packet_pbs) > IKEV2_VERSION_OFFSET
1220 && md->packet_pbs.start[IKEV2_VERSION_OFFSET] == IKEV2_VERSION)
1221 {
1222 DBG(DBG_CONTROLMORE,
1223 DBG_log(" ignoring IKEv2 packet")
1224 )
1225 return FALSE;
1226 }
1227
1228 return TRUE;
1229 }
1230
1231 /* process an input packet, possibly generating a reply.
1232 *
1233 * If all goes well, this routine eventually calls a state-specific
1234 * transition function.
1235 */
1236 static void
1237 process_packet(struct msg_digest **mdp)
1238 {
1239 struct msg_digest *md = *mdp;
1240 const struct state_microcode *smc;
1241 bool new_iv_set = FALSE;
1242 bool restore_iv = FALSE;
1243 u_char new_iv[MAX_DIGEST_LEN];
1244 u_int new_iv_len = 0;
1245
1246 struct state *st = NULL;
1247 enum state_kind from_state = STATE_UNDEFINED; /* state we started in */
1248
1249 #define SEND_NOTIFICATION(t) { \
1250 if (st) send_notification_from_state(st, from_state, t); \
1251 else send_notification_from_md(md, t); }
1252
1253 if (!in_struct(&md->hdr, &isakmp_hdr_desc, &md->packet_pbs, &md->message_pbs))
1254 {
1255 /* Identify specific failures:
1256 * - bad ISAKMP major/minor version numbers
1257 */
1258 if (md->packet_pbs.roof - md->packet_pbs.cur >= (ptrdiff_t)isakmp_hdr_desc.size)
1259 {
1260 struct isakmp_hdr *hdr = (struct isakmp_hdr *)md->packet_pbs.cur;
1261 if ((hdr->isa_version >> ISA_MAJ_SHIFT) != ISAKMP_MAJOR_VERSION)
1262 {
1263 SEND_NOTIFICATION(INVALID_MAJOR_VERSION);
1264 return;
1265 }
1266 else if ((hdr->isa_version & ISA_MIN_MASK) != ISAKMP_MINOR_VERSION)
1267 {
1268 SEND_NOTIFICATION(INVALID_MINOR_VERSION);
1269 return;
1270 }
1271 }
1272 SEND_NOTIFICATION(PAYLOAD_MALFORMED);
1273 return;
1274 }
1275
1276 if (md->packet_pbs.roof != md->message_pbs.roof)
1277 {
1278 plog("size (%u) differs from size specified in ISAKMP HDR (%u)"
1279 , (unsigned) pbs_room(&md->packet_pbs), md->hdr.isa_length);
1280 #ifdef CISCO_QUIRKS
1281 if (pbs_room(&md->packet_pbs) - md->hdr.isa_length == 16)
1282 plog("Cisco VPN client appends 16 surplus NULL bytes");
1283 else
1284 #endif
1285 return;
1286 }
1287
1288 switch (md->hdr.isa_xchg)
1289 {
1290 #ifdef NOTYET
1291 case ISAKMP_XCHG_NONE:
1292 case ISAKMP_XCHG_BASE:
1293 #endif
1294
1295 case ISAKMP_XCHG_IDPROT: /* part of a Main Mode exchange */
1296 if (md->hdr.isa_msgid != MAINMODE_MSGID)
1297 {
1298 plog("Message ID was 0x%08lx but should be zero in Main Mode",
1299 (unsigned long) md->hdr.isa_msgid);
1300 SEND_NOTIFICATION(INVALID_MESSAGE_ID);
1301 return;
1302 }
1303
1304 if (is_zero_cookie(md->hdr.isa_icookie))
1305 {
1306 plog("Initiator Cookie must not be zero in Main Mode message");
1307 SEND_NOTIFICATION(INVALID_COOKIE);
1308 return;
1309 }
1310
1311 if (is_zero_cookie(md->hdr.isa_rcookie))
1312 {
1313 /* initial message from initiator
1314 * ??? what if this is a duplicate of another message?
1315 */
1316 if (md->hdr.isa_flags & ISAKMP_FLAG_ENCRYPTION)
1317 {
1318 plog("initial Main Mode message is invalid:"
1319 " its Encrypted Flag is on");
1320 SEND_NOTIFICATION(INVALID_FLAGS);
1321 return;
1322 }
1323
1324 /* don't build a state until the message looks tasty */
1325 from_state = STATE_MAIN_R0;
1326 }
1327 else
1328 {
1329 /* not an initial message */
1330
1331 st = find_state(md->hdr.isa_icookie, md->hdr.isa_rcookie
1332 , &md->sender, md->hdr.isa_msgid);
1333
1334 if (st == NULL)
1335 {
1336 /* perhaps this is a first message from the responder
1337 * and contains a responder cookie that we've not yet seen.
1338 */
1339 st = find_state(md->hdr.isa_icookie, zero_cookie
1340 , &md->sender, md->hdr.isa_msgid);
1341
1342 if (st == NULL)
1343 {
1344 plog("Main Mode message is part of an unknown exchange");
1345 /* XXX Could send notification back */
1346 return;
1347 }
1348 }
1349 set_cur_state(st);
1350 from_state = st->st_state;
1351 }
1352 break;
1353
1354 #ifdef NOTYET
1355 case ISAKMP_XCHG_AO:
1356 case ISAKMP_XCHG_AGGR:
1357 #endif
1358
1359 case ISAKMP_XCHG_INFO: /* an informational exchange */
1360 st = find_state(md->hdr.isa_icookie, md->hdr.isa_rcookie
1361 , &md->sender, MAINMODE_MSGID);
1362
1363 if (st != NULL)
1364 set_cur_state(st);
1365
1366 if (md->hdr.isa_flags & ISAKMP_FLAG_ENCRYPTION)
1367 {
1368 if (st == NULL)
1369 {
1370 plog("Informational Exchange is for an unknown (expired?) SA");
1371 /* XXX Could send notification back */
1372 return;
1373 }
1374
1375 if (!IS_ISAKMP_ENCRYPTED(st->st_state))
1376 {
1377 loglog(RC_LOG_SERIOUS, "encrypted Informational Exchange message is invalid"
1378 " because no key is known");
1379 /* XXX Could send notification back */
1380 return;
1381 }
1382
1383 if (md->hdr.isa_msgid == MAINMODE_MSGID)
1384 {
1385 loglog(RC_LOG_SERIOUS, "Informational Exchange message is invalid because"
1386 " it has a Message ID of 0");
1387 /* XXX Could send notification back */
1388 return;
1389 }
1390
1391 if (!reserve_msgid(st, md->hdr.isa_msgid))
1392 {
1393 loglog(RC_LOG_SERIOUS, "Informational Exchange message is invalid because"
1394 " it has a previously used Message ID (0x%08lx)"
1395 , (unsigned long)md->hdr.isa_msgid);
1396 /* XXX Could send notification back */
1397 return;
1398 }
1399
1400 if (!IS_ISAKMP_SA_ESTABLISHED(st->st_state))
1401 {
1402 memcpy(st->st_ph1_iv, st->st_new_iv, st->st_new_iv_len);
1403 st->st_ph1_iv_len = st->st_new_iv_len;
1404
1405 /* backup new_iv */
1406 new_iv_len = st->st_new_iv_len;
1407 passert(new_iv_len <= MAX_DIGEST_LEN)
1408 memcpy(new_iv, st->st_new_iv, new_iv_len);
1409 restore_iv = TRUE;
1410 }
1411 init_phase2_iv(st, &md->hdr.isa_msgid);
1412 new_iv_set = TRUE;
1413
1414 from_state = STATE_INFO_PROTECTED;
1415 }
1416 else
1417 {
1418 if (st != NULL && IS_ISAKMP_ENCRYPTED(st->st_state))
1419 {
1420 loglog(RC_LOG_SERIOUS, "Informational Exchange message"
1421 " must be encrypted");
1422 /* XXX Could send notification back */
1423 return;
1424 }
1425 from_state = STATE_INFO;
1426 }
1427 break;
1428
1429 case ISAKMP_XCHG_QUICK: /* part of a Quick Mode exchange */
1430 if (is_zero_cookie(md->hdr.isa_icookie))
1431 {
1432 plog("Quick Mode message is invalid because"
1433 " it has an Initiator Cookie of 0");
1434 SEND_NOTIFICATION(INVALID_COOKIE);
1435 return;
1436 }
1437
1438 if (is_zero_cookie(md->hdr.isa_rcookie))
1439 {
1440 plog("Quick Mode message is invalid because"
1441 " it has a Responder Cookie of 0");
1442 SEND_NOTIFICATION(INVALID_COOKIE);
1443 return;
1444 }
1445
1446 if (md->hdr.isa_msgid == MAINMODE_MSGID)
1447 {
1448 plog("Quick Mode message is invalid because"
1449 " it has a Message ID of 0");
1450 SEND_NOTIFICATION(INVALID_MESSAGE_ID);
1451 return;
1452 }
1453
1454 st = find_state(md->hdr.isa_icookie, md->hdr.isa_rcookie
1455 , &md->sender, md->hdr.isa_msgid);
1456
1457 if (st == NULL)
1458 {
1459 /* No appropriate Quick Mode state.
1460 * See if we have a Main Mode state.
1461 * ??? what if this is a duplicate of another message?
1462 */
1463 st = find_state(md->hdr.isa_icookie, md->hdr.isa_rcookie
1464 , &md->sender, MAINMODE_MSGID);
1465
1466 if (st == NULL)
1467 {
1468 plog("Quick Mode message is for a non-existent (expired?)"
1469 " ISAKMP SA");
1470 /* XXX Could send notification back */
1471 return;
1472 }
1473
1474 set_cur_state(st);
1475
1476 if (!IS_ISAKMP_SA_ESTABLISHED(st->st_state))
1477 {
1478 loglog(RC_LOG_SERIOUS, "Quick Mode message is unacceptable because"
1479 " it is for an incomplete ISAKMP SA");
1480 SEND_NOTIFICATION(PAYLOAD_MALFORMED /* XXX ? */);
1481 return;
1482 }
1483
1484 /* only accept this new Quick Mode exchange if it has a unique message ID */
1485 if (!reserve_msgid(st, md->hdr.isa_msgid))
1486 {
1487 loglog(RC_LOG_SERIOUS, "Quick Mode I1 message is unacceptable because"
1488 " it uses a previously used Message ID 0x%08lx"
1489 " (perhaps this is a duplicated packet)"
1490 , (unsigned long) md->hdr.isa_msgid);
1491 SEND_NOTIFICATION(INVALID_MESSAGE_ID);
1492 return;
1493 }
1494
1495 /* Quick Mode Initial IV */
1496 init_phase2_iv(st, &md->hdr.isa_msgid);
1497 new_iv_set = TRUE;
1498
1499 from_state = STATE_QUICK_R0;
1500 }
1501 else
1502 {
1503 set_cur_state(st);
1504 from_state = st->st_state;
1505 }
1506
1507 break;
1508
1509 case ISAKMP_XCHG_MODE_CFG:
1510 if (is_zero_cookie(md->hdr.isa_icookie))
1511 {
1512 plog("ModeCfg message is invalid because"
1513 " it has an Initiator Cookie of 0");
1514 /* XXX Could send notification back */
1515 return;
1516 }
1517
1518 if (is_zero_cookie(md->hdr.isa_rcookie))
1519 {
1520 plog("ModeCfg message is invalid because"
1521 " it has a Responder Cookie of 0");
1522 /* XXX Could send notification back */
1523 return;
1524 }
1525
1526 if (md->hdr.isa_msgid == 0)
1527 {
1528 plog("ModeCfg message is invalid because"
1529 " it has a Message ID of 0");
1530 /* XXX Could send notification back */
1531 return;
1532 }
1533
1534 st = find_state(md->hdr.isa_icookie, md->hdr.isa_rcookie
1535 , &md->sender, md->hdr.isa_msgid);
1536
1537 if (st == NULL)
1538 {
1539 bool has_xauth_policy;
1540
1541 /* No appropriate ModeCfg state.
1542 * See if we have a Main Mode state.
1543 * ??? what if this is a duplicate of another message?
1544 */
1545 st = find_state(md->hdr.isa_icookie, md->hdr.isa_rcookie
1546 , &md->sender, 0);
1547
1548 if (st == NULL)
1549 {
1550 plog("ModeCfg message is for a non-existent (expired?)"
1551 " ISAKMP SA");
1552 /* XXX Could send notification back */
1553 return;
1554 }
1555
1556 set_cur_state(st);
1557
1558 /* the XAUTH_STATUS message might have a new msgid */
1559 if (st->st_state == STATE_XAUTH_I1)
1560 {
1561 init_phase2_iv(st, &md->hdr.isa_msgid);
1562 new_iv_set = TRUE;
1563 from_state = st->st_state;
1564 break;
1565 }
1566
1567 if (!IS_ISAKMP_SA_ESTABLISHED(st->st_state))
1568 {
1569 loglog(RC_LOG_SERIOUS, "ModeCfg message is unacceptable because"
1570 " it is for an incomplete ISAKMP SA (state=%s)"
1571 , enum_name(&state_names, st->st_state));
1572 /* XXX Could send notification back */
1573 return;
1574 }
1575 init_phase2_iv(st, &md->hdr.isa_msgid);
1576 new_iv_set = TRUE;
1577
1578 /*
1579 * okay, now we have to figure out if we are receiving a bogus
1580 * new message in an oustanding XAUTH server conversation
1581 * (i.e. a reply to our challenge)
1582 * (this occurs with some broken other implementations).
1583 *
1584 * or if receiving for the first time, an XAUTH challenge.
1585 *
1586 * or if we are getting a MODECFG request.
1587 *
1588 * we distinguish these states because we can not both be an
1589 * XAUTH server and client, and our policy tells us which
1590 * one we are.
1591 *
1592 * to complicate further, it is normal to start a new msgid
1593 * when going from one state to another, or when restarting
1594 * the challenge.
1595 *
1596 */
1597
1598 has_xauth_policy = (st->st_connection->policy
1599 & (POLICY_XAUTH_RSASIG | POLICY_XAUTH_PSK))
1600 != LEMPTY;
1601
1602 if (has_xauth_policy && !st->st_xauth.started
1603 && IS_PHASE1(st->st_state))
1604 {
1605 from_state = STATE_XAUTH_I0;
1606 }
1607 else if (st->st_connection->spd.that.modecfg
1608 && IS_PHASE1(st->st_state))
1609 {
1610 from_state = STATE_MODE_CFG_R0;
1611 }
1612 else if (st->st_connection->spd.this.modecfg
1613 && IS_PHASE1(st->st_state))
1614 {
1615 from_state = STATE_MODE_CFG_I0;
1616 }
1617 else
1618 {
1619 /* XXX check if we are being a mode config server here */
1620 plog("received ModeCfg message when in state %s, and we aren't mode config client"
1621 , enum_name(&state_names, st->st_state));
1622 return;
1623 }
1624 }
1625 else
1626 {
1627 set_cur_state(st);
1628 from_state = st->st_state;
1629 }
1630 break;
1631
1632 #ifdef NOTYET
1633 case ISAKMP_XCHG_NGRP:
1634 case ISAKMP_XCHG_ACK_INFO:
1635 #endif
1636
1637 default:
1638 plog("unsupported exchange type %s in message"
1639 , enum_show(&exchange_names, md->hdr.isa_xchg));
1640 SEND_NOTIFICATION(UNSUPPORTED_EXCHANGE_TYPE);
1641 return;
1642 }
1643
1644 /* We have found a from_state, and perhaps a state object.
1645 * If we need to build a new state object,
1646 * we wait until the packet has been sanity checked.
1647 */
1648
1649 /* We don't support the Commit Flag. It is such a bad feature.
1650 * It isn't protected -- neither encrypted nor authenticated.
1651 * A man in the middle turns it on, leading to DoS.
1652 * We just ignore it, with a warning.
1653 * By placing the check here, we could easily add a policy bit
1654 * to a connection to suppress the warning. This might be useful
1655 * because the Commit Flag is expected from some peers.
1656 */
1657 if (md->hdr.isa_flags & ISAKMP_FLAG_COMMIT)
1658 {
1659 plog("IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag");
1660 }
1661
1662 /* Set smc to describe this state's properties.
1663 * Look up the appropriate microcode based on state and
1664 * possibly Oakley Auth type.
1665 */
1666 passert(STATE_IKE_FLOOR <= from_state && from_state <= STATE_IKE_ROOF);
1667 smc = ike_microcode_index[from_state - STATE_IKE_FLOOR];
1668
1669 if (st != NULL)
1670 {
1671 u_int16_t auth;
1672
1673 switch (st->st_oakley.auth)
1674 {
1675 case XAUTHInitPreShared:
1676 case XAUTHRespPreShared:
1677 auth = OAKLEY_PRESHARED_KEY;
1678 break;
1679 case XAUTHInitRSA:
1680 case XAUTHRespRSA:
1681 auth = OAKLEY_RSA_SIG;
1682 break;
1683 default:
1684 auth = st->st_oakley.auth;
1685 }
1686
1687 while (!LHAS(smc->flags, auth))
1688 {
1689 smc++;
1690 passert(smc->state == from_state);
1691 }
1692 }
1693
1694 /* Ignore a packet if the state has a suspended state transition
1695 * Probably a duplicated packet but the original packet is not yet
1696 * recorded in st->st_rpacket, so duplicate checking won't catch.
1697 * ??? Should the packet be recorded earlier to improve diagnosis?
1698 */
1699 if (st != NULL && st->st_suspended_md != NULL)
1700 {
1701 loglog(RC_LOG, "discarding packet received during DNS lookup in %s"
1702 , enum_name(&state_names, st->st_state));
1703 return;
1704 }
1705
1706 /* Detect and handle duplicated packets.
1707 * This won't work for the initial packet of an exchange
1708 * because we won't have a state object to remember it.
1709 * If we are in a non-receiving state (terminal), and the preceding
1710 * state did transmit, then the duplicate may indicate that that
1711 * transmission wasn't received -- retransmit it.
1712 * Otherwise, just discard it.
1713 * ??? Notification packets are like exchanges -- I hope that
1714 * they are idempotent!
1715 */
1716 if (st != NULL
1717 && st->st_rpacket.ptr != NULL
1718 && st->st_rpacket.len == pbs_room(&md->packet_pbs)
1719 && memeq(st->st_rpacket.ptr, md->packet_pbs.start, st->st_rpacket.len))
1720 {
1721 if (smc->flags & SMF_RETRANSMIT_ON_DUPLICATE)
1722 {
1723 if (st->st_retransmit < MAXIMUM_RETRANSMISSIONS)
1724 {
1725 st->st_retransmit++;
1726 loglog(RC_RETRANSMISSION
1727 , "retransmitting in response to duplicate packet; already %s"
1728 , enum_name(&state_names, st->st_state));
1729 send_packet(st, "retransmit in response to duplicate");
1730 }
1731 else
1732 {
1733 loglog(RC_LOG_SERIOUS, "discarding duplicate packet -- exhausted retransmission; already %s"
1734 , enum_name(&state_names, st->st_state));
1735 }
1736 }
1737 else
1738 {
1739 loglog(RC_LOG_SERIOUS, "discarding duplicate packet; already %s"
1740 , enum_name(&state_names, st->st_state));
1741 }
1742 return;
1743 }
1744
1745 if (md->hdr.isa_flags & ISAKMP_FLAG_ENCRYPTION)
1746 {
1747 DBG(DBG_CRYPT, DBG_log("received encrypted packet from %s:%u"
1748 , ip_str(&md->sender), (unsigned)md->sender_port));
1749
1750 if (st == NULL)
1751 {
1752 plog("discarding encrypted message for an unknown ISAKMP SA");
1753 SEND_NOTIFICATION(PAYLOAD_MALFORMED /* XXX ? */);
1754 return;
1755 }
1756 if (st->st_skeyid_e.ptr == (u_char *) NULL)
1757 {
1758 loglog(RC_LOG_SERIOUS, "discarding encrypted message"
1759 " because we haven't yet negotiated keying materiel");
1760 SEND_NOTIFICATION(INVALID_FLAGS);
1761 return;
1762 }
1763
1764 /* Mark as encrypted */
1765 md->encrypted = TRUE;
1766
1767 DBG(DBG_CRYPT, DBG_log("decrypting %u bytes using algorithm %s"
1768 , (unsigned) pbs_left(&md->message_pbs)
1769 , enum_show(&oakley_enc_names, st->st_oakley.encrypt)));
1770
1771 /* do the specified decryption
1772 *
1773 * IV is from st->st_iv or (if new_iv_set) st->st_new_iv.
1774 * The new IV is placed in st->st_new_iv
1775 *
1776 * See RFC 2409 "IKE" Appendix B
1777 *
1778 * XXX The IV should only be updated really if the packet
1779 * is successfully processed.
1780 * We should keep this value, check for a success return
1781 * value from the parsing routines and then replace.
1782 *
1783 * Each post phase 1 exchange generates IVs from
1784 * the last phase 1 block, not the last block sent.
1785 */
1786 {
1787 const struct encrypt_desc *e = st->st_oakley.encrypter;
1788
1789 if (pbs_left(&md->message_pbs) % e->enc_blocksize != 0)
1790 {
1791 loglog(RC_LOG_SERIOUS, "malformed message: not a multiple of encryption blocksize");
1792 SEND_NOTIFICATION(PAYLOAD_MALFORMED);
1793 return;
1794 }
1795
1796 /* XXX Detect weak keys */
1797
1798 /* grab a copy of raw packet (for duplicate packet detection) */
1799 md->raw_packet = chunk_create(md->packet_pbs.start, pbs_room(&md->packet_pbs));
1800 md->raw_packet = chunk_clone(md->raw_packet);
1801
1802 /* Decrypt everything after header */
1803 if (!new_iv_set)
1804 {
1805 /* use old IV */
1806 passert(st->st_iv_len <= sizeof(st->st_new_iv));
1807 st->st_new_iv_len = st->st_iv_len;
1808 memcpy(st->st_new_iv, st->st_iv, st->st_new_iv_len);
1809 }
1810 crypto_cbc_encrypt(e, FALSE, md->message_pbs.cur,
1811 pbs_left(&md->message_pbs) , st);
1812 if (restore_iv)
1813 {
1814 memcpy(st->st_new_iv, new_iv, new_iv_len);
1815 st->st_new_iv_len = new_iv_len;
1816 }
1817 }
1818
1819 DBG_cond_dump(DBG_CRYPT, "decrypted:\n", md->message_pbs.cur
1820 , md->message_pbs.roof - md->message_pbs.cur);
1821
1822 DBG_cond_dump(DBG_CRYPT, "next IV:"
1823 , st->st_new_iv, st->st_new_iv_len);
1824 }
1825 else
1826 {
1827 /* packet was not encryped -- should it have been? */
1828
1829 if (smc->flags & SMF_INPUT_ENCRYPTED)
1830 {
1831 loglog(RC_LOG_SERIOUS, "packet rejected: should have been encrypted");
1832 SEND_NOTIFICATION(INVALID_FLAGS);
1833 return;
1834 }
1835 }
1836
1837 /* Digest the message.
1838 * Padding must be removed to make hashing work.
1839 * Padding comes from encryption (so this code must be after decryption).
1840 * Padding rules are described before the definition of
1841 * struct isakmp_hdr in packet.h.
1842 */
1843 {
1844 struct payload_digest *pd = md->digest;
1845 int np = md->hdr.isa_np;
1846 lset_t needed = smc->req_payloads;
1847 const char *excuse
1848 = LIN(SMF_PSK_AUTH | SMF_FIRST_ENCRYPTED_INPUT, smc->flags)
1849 ? "probable authentication failure (mismatch of preshared secrets?): "
1850 : "";
1851
1852 while (np != ISAKMP_NEXT_NONE)
1853 {
1854 struct_desc *sd = np < ISAKMP_NEXT_ROOF? payload_descs[np] : NULL;
1855
1856 if (pd == &md->digest[PAYLIMIT])
1857 {
1858 loglog(RC_LOG_SERIOUS, "more than %d payloads in message; ignored", PAYLIMIT);
1859 SEND_NOTIFICATION(PAYLOAD_MALFORMED);
1860 return;
1861 }
1862
1863 switch (np)
1864 {
1865 case ISAKMP_NEXT_NATD_RFC:
1866 case ISAKMP_NEXT_NATOA_RFC:
1867 if (!st || !(st->nat_traversal & NAT_T_WITH_RFC_VALUES))
1868 {
1869 /*
1870 * don't accept NAT-D/NAT-OA reloc directly in message, unless
1871 * we're using NAT-T RFC
1872 */
1873 sd = NULL;
1874 }
1875 break;
1876 }
1877
1878 if (sd == NULL)
1879 {
1880 /* payload type is out of range or requires special handling */
1881 switch (np)
1882 {
1883 case ISAKMP_NEXT_ID:
1884 sd = IS_PHASE1(from_state)
1885 ? &isakmp_identification_desc : &isakmp_ipsec_identification_desc;
1886 break;
1887 case ISAKMP_NEXT_NATD_DRAFTS:
1888 np = ISAKMP_NEXT_NATD_RFC; /* NAT-D relocated */
1889 sd = payload_descs[np];
1890 break;
1891 case ISAKMP_NEXT_NATOA_DRAFTS:
1892 np = ISAKMP_NEXT_NATOA_RFC; /* NAT-OA relocated */
1893 sd = payload_descs[np];
1894 break;
1895 default:
1896 loglog(RC_LOG_SERIOUS, "%smessage ignored because it contains an unknown or"
1897 " unexpected payload type (%s) at the outermost level"
1898 , excuse, enum_show(&payload_names, np));
1899 SEND_NOTIFICATION(INVALID_PAYLOAD_TYPE);
1900 return;
1901 }
1902 }
1903
1904 {
1905 lset_t s = LELEM(np);
1906
1907 if (LDISJOINT(s
1908 , needed | smc->opt_payloads| LELEM(ISAKMP_NEXT_N) | LELEM(ISAKMP_NEXT_D)))
1909 {
1910 loglog(RC_LOG_SERIOUS, "%smessage ignored because it "
1911 "contains an unexpected payload type (%s)"
1912 , excuse, enum_show(&payload_names, np));
1913 SEND_NOTIFICATION(INVALID_PAYLOAD_TYPE);
1914 return;
1915 }
1916 needed &= ~s;
1917 }
1918
1919 if (!in_struct(&pd->payload, sd, &md->message_pbs, &pd->pbs))
1920 {
1921 loglog(RC_LOG_SERIOUS, "%smalformed payload in packet", excuse);
1922 if (md->hdr.isa_xchg != ISAKMP_XCHG_INFO)
1923 SEND_NOTIFICATION(PAYLOAD_MALFORMED);
1924 return;
1925 }
1926
1927 /* place this payload at the end of the chain for this type */
1928 {
1929 struct payload_digest **p;
1930
1931 for (p = &md->chain[np]; *p != NULL; p = &(*p)->next)
1932 ;
1933 *p = pd;
1934 pd->next = NULL;
1935 }
1936
1937 np = pd->payload.generic.isag_np;
1938 pd++;
1939
1940 /* since we've digested one payload happily, it is probably
1941 * the case that any decryption worked. So we will not suggest
1942 * encryption failure as an excuse for subsequent payload
1943 * problems.
1944 */
1945 excuse = "";
1946 }
1947
1948 md->digest_roof = pd;
1949
1950 DBG(DBG_PARSING,
1951 if (pbs_left(&md->message_pbs) != 0)
1952 DBG_log("removing %d bytes of padding", (int) pbs_left(&md->message_pbs)));
1953
1954 md->message_pbs.roof = md->message_pbs.cur;
1955
1956 /* check that all mandatory payloads appeared */
1957
1958 if (needed != 0)
1959 {
1960 loglog(RC_LOG_SERIOUS, "message for %s is missing payloads %s"
1961 , enum_show(&state_names, from_state)
1962 , bitnamesof(payload_name, needed));
1963 SEND_NOTIFICATION(PAYLOAD_MALFORMED);
1964 return;
1965 }
1966 }
1967
1968 /* more sanity checking: enforce most ordering constraints */
1969
1970 if (IS_PHASE1(from_state))
1971 {
1972 /* rfc2409: The Internet Key Exchange (IKE), 5 Exchanges:
1973 * "The SA payload MUST precede all other payloads in a phase 1 exchange."
1974 */
1975 if (md->chain[ISAKMP_NEXT_SA] != NULL
1976 && md->hdr.isa_np != ISAKMP_NEXT_SA)
1977 {
1978 loglog(RC_LOG_SERIOUS, "malformed Phase 1 message: does not start with an SA payload");
1979 SEND_NOTIFICATION(PAYLOAD_MALFORMED);
1980 return;
1981 }
1982 }
1983 else if (IS_QUICK(from_state))
1984 {
1985 /* rfc2409: The Internet Key Exchange (IKE), 5.5 Phase 2 - Quick Mode
1986 *
1987 * "In Quick Mode, a HASH payload MUST immediately follow the ISAKMP
1988 * header and a SA payload MUST immediately follow the HASH."
1989 * [NOTE: there may be more than one SA payload, so this is not
1990 * totally reasonable. Probably all SAs should be so constrained.]
1991 *
1992 * "If ISAKMP is acting as a client negotiator on behalf of another
1993 * party, the identities of the parties MUST be passed as IDci and
1994 * then IDcr."
1995 *
1996 * "With the exception of the HASH, SA, and the optional ID payloads,
1997 * there are no payload ordering restrictions on Quick Mode."
1998 */
1999
2000 if (md->hdr.isa_np != ISAKMP_NEXT_HASH)
2001 {
2002 loglog(RC_LOG_SERIOUS, "malformed Quick Mode message: does not start with a HASH payload");
2003 SEND_NOTIFICATION(PAYLOAD_MALFORMED);
2004 return;
2005 }
2006
2007 {
2008 struct payload_digest *p;
2009 int i;
2010
2011 for (p = md->chain[ISAKMP_NEXT_SA], i = 1; p != NULL
2012 ; p = p->next, i++)
2013 {
2014 if (p != &md->digest[i])
2015 {
2016 loglog(RC_LOG_SERIOUS, "malformed Quick Mode message: SA payload is in wrong position");
2017 SEND_NOTIFICATION(PAYLOAD_MALFORMED);
2018 return;
2019 }
2020 }
2021 }
2022
2023 /* rfc2409: The Internet Key Exchange (IKE), 5.5 Phase 2 - Quick Mode:
2024 * "If ISAKMP is acting as a client negotiator on behalf of another
2025 * party, the identities of the parties MUST be passed as IDci and
2026 * then IDcr."
2027 */
2028 {
2029 struct payload_digest *id = md->chain[ISAKMP_NEXT_ID];
2030
2031 if (id != NULL)
2032 {
2033 if (id->next == NULL || id->next->next != NULL)
2034 {
2035 loglog(RC_LOG_SERIOUS, "malformed Quick Mode message:"
2036 " if any ID payload is present,"
2037 " there must be exactly two");
2038 SEND_NOTIFICATION(PAYLOAD_MALFORMED);
2039 return;
2040 }
2041 if (id+1 != id->next)
2042 {
2043 loglog(RC_LOG_SERIOUS, "malformed Quick Mode message:"
2044 " the ID payloads are not adjacent");
2045 SEND_NOTIFICATION(PAYLOAD_MALFORMED);
2046 return;
2047 }
2048 }
2049 }
2050 }
2051
2052 /* Ignore payloads that we don't handle:
2053 * Delete, Notification, VendorID
2054 */
2055 /* XXX Handle deletions */
2056 /* XXX Handle Notifications */
2057 /* XXX Handle VID payloads */
2058 {
2059 struct payload_digest *p;
2060
2061 for (p = md->chain[ISAKMP_NEXT_N]; p != NULL; p = p->next)
2062 {
2063 if (p->payload.notification.isan_type != R_U_THERE
2064 && p->payload.notification.isan_type != R_U_THERE_ACK)
2065 {
2066 loglog(RC_LOG_SERIOUS, "ignoring informational payload, type %s"
2067 , enum_show(&notification_names, p->payload.notification.isan_type));
2068 }
2069 DBG_cond_dump(DBG_PARSING, "info:", p->pbs.cur, pbs_left(&p->pbs));
2070 }
2071
2072 for (p = md->chain[ISAKMP_NEXT_D]; p != NULL; p = p->next)
2073 {
2074 accept_delete(st, md, p);
2075 DBG_cond_dump(DBG_PARSING, "del:", p->pbs.cur, pbs_left(&p->pbs));
2076 }
2077
2078 for (p = md->chain[ISAKMP_NEXT_VID]; p != NULL; p = p->next)
2079 {
2080 handle_vendorid(md, p->pbs.cur, pbs_left(&p->pbs));
2081 }
2082 }
2083 md->from_state = from_state;
2084 md->smc = smc;
2085 md->st = st;
2086
2087 /* possibly fill in hdr */
2088 if (smc->first_out_payload != ISAKMP_NEXT_NONE)
2089 echo_hdr(md, (smc->flags & SMF_OUTPUT_ENCRYPTED) != 0
2090 , smc->first_out_payload);
2091
2092 complete_state_transition(mdp, smc->processor(md));
2093 }
2094
2095 /* complete job started by the state-specific state transition function */
2096
2097 void
2098 complete_state_transition(struct msg_digest **mdp, stf_status result)
2099 {
2100 bool has_xauth_policy;
2101 bool is_xauth_server;
2102 struct msg_digest *md = *mdp;
2103 const struct state_microcode *smc = md->smc;
2104 enum state_kind from_state = md->from_state;
2105 struct state *st;
2106
2107 cur_state = st = md->st; /* might have changed */
2108
2109 /* If state has DPD support, import it */
2110 if (st && md->dpd)
2111 st->st_dpd = TRUE;
2112
2113 switch (result)
2114 {
2115 case STF_IGNORE:
2116 break;
2117
2118 case STF_SUSPEND:
2119 /* the stf didn't complete its job: don't relase md */
2120 *mdp = NULL;
2121 break;
2122
2123 case STF_OK:
2124 /* advance the state */
2125 st->st_state = smc->next_state;
2126
2127 /* Delete previous retransmission event.
2128 * New event will be scheduled below.
2129 */
2130 delete_event(st);
2131
2132 /* replace previous receive packet with latest */
2133
2134 free(st->st_rpacket.ptr);
2135
2136 if (md->encrypted)
2137 {
2138 /* if encrypted, duplication already done */
2139 st->st_rpacket = md->raw_packet;
2140 md->raw_packet.ptr = NULL;
2141 }
2142 else
2143 {
2144 st->st_rpacket = chunk_create(md->packet_pbs.start,
2145 pbs_room(&md->packet_pbs));
2146 st->st_rpacket = chunk_clone(st->st_rpacket);
2147 }
2148
2149 /* free previous transmit packet */
2150 chunk_free(&st->st_tpacket);
2151
2152 /* if requested, send the new reply packet */
2153 if (smc->flags & SMF_REPLY)
2154 {
2155 close_output_pbs(&md->reply); /* good form, but actually a no-op */
2156
2157 st->st_tpacket = chunk_create(md->reply.start, pbs_offset(&md->reply));
2158 st->st_tpacket = chunk_clone(st->st_tpacket);
2159
2160 if (nat_traversal_enabled)
2161 nat_traversal_change_port_lookup(md, md->st);
2162
2163 /* actually send the packet
2164 * Note: this is a great place to implement "impairments"
2165 * for testing purposes. Suppress or duplicate the
2166 * send_packet call depending on st->st_state.
2167 */
2168 send_packet(st, enum_name(&state_names, from_state));
2169 }
2170
2171 /* Schedule for whatever timeout is specified */
2172 {
2173 time_t delay = UNDEFINED_TIME;
2174 enum event_type kind = smc->timeout_event;
2175 bool agreed_time = FALSE;
2176 struct connection *c = st->st_connection;
2177
2178 switch (kind)
2179 {
2180 case EVENT_RETRANSMIT: /* Retransmit packet */
2181 delay = EVENT_RETRANSMIT_DELAY_0;
2182 break;
2183
2184 case EVENT_SA_REPLACE: /* SA replacement event */
2185 if (IS_PHASE1(st->st_state))
2186 {
2187 /* Note: we will defer to the "negotiated" (dictated)
2188 * lifetime if we are POLICY_DONT_REKEY.
2189 * This allows the other side to dictate
2190 * a time we would not otherwise accept
2191 * but it prevents us from having to initiate
2192 * rekeying. The negative consequences seem
2193 * minor.
2194 */
2195 delay = c->sa_ike_life_seconds;
2196 if ((c->policy & POLICY_DONT_REKEY)
2197 || delay >= st->st_oakley.life_seconds)
2198 {
2199 agreed_time = TRUE;
2200 delay = st->st_oakley.life_seconds;
2201 }
2202 }
2203 else
2204 {
2205 /* Delay is min of up to four things:
2206 * each can limit the lifetime.
2207 */
2208 delay = c->sa_ipsec_life_seconds;
2209 if (st->st_ah.present
2210 && delay >= st->st_ah.attrs.life_seconds)
2211 {
2212 agreed_time = TRUE;
2213 delay = st->st_ah.attrs.life_seconds;
2214 }
2215 if (st->st_esp.present
2216 && delay >= st->st_esp.attrs.life_seconds)
2217 {
2218 agreed_time = TRUE;
2219 delay = st->st_esp.attrs.life_seconds;
2220 }
2221 if (st->st_ipcomp.present
2222 && delay >= st->st_ipcomp.attrs.life_seconds)
2223 {
2224 agreed_time = TRUE;
2225 delay = st->st_ipcomp.attrs.life_seconds;
2226 }
2227 }
2228
2229 /* By default, we plan to rekey.
2230 *
2231 * If there isn't enough time to rekey, plan to
2232 * expire.
2233 *
2234 * If we are --dontrekey, a lot more rules apply.
2235 * If we are the Initiator, use REPLACE_IF_USED.
2236 * If we are the Responder, and the dictated time
2237 * was unacceptable (too large), plan to REPLACE
2238 * (the only way to ratchet down the time).
2239 * If we are the Responder, and the dictated time
2240 * is acceptable, plan to EXPIRE.
2241 *
2242 * Important policy lies buried here.
2243 * For example, we favour the initiator over the
2244 * responder by making the initiator start rekeying
2245 * sooner. Also, fuzz is only added to the
2246 * initiator's margin.
2247 *
2248 * Note: for ISAKMP SA, we let the negotiated
2249 * time stand (implemented by earlier logic).
2250 */
2251 if (agreed_time
2252 && (c->policy & POLICY_DONT_REKEY))
2253 {
2254 kind = (smc->flags & SMF_INITIATOR)
2255 ? EVENT_SA_REPLACE_IF_USED
2256 : EVENT_SA_EXPIRE;
2257 }
2258 if (kind != EVENT_SA_EXPIRE)
2259 {
2260 unsigned long marg = c->sa_rekey_margin;
2261
2262 if (smc->flags & SMF_INITIATOR)
2263 marg += marg
2264 * c->sa_rekey_fuzz / 100.E0
2265 * (rand() / (RAND_MAX + 1.E0));
2266 else
2267 marg /= 2;
2268
2269 if ((unsigned long)delay > marg)
2270 {
2271 delay -= marg;
2272 st->st_margin = marg;
2273 }
2274 else
2275 {
2276 kind = EVENT_SA_EXPIRE;
2277 }
2278 }
2279 break;
2280
2281 case EVENT_NULL: /* non-event */
2282 case EVENT_REINIT_SECRET: /* Refresh cookie secret */
2283 default:
2284 bad_case(kind);
2285 }
2286 event_schedule(kind, delay, st);
2287 }
2288
2289 /* tell whack and log of progress */
2290 {
2291 const char *story = state_story[st->st_state - STATE_MAIN_R0];
2292 enum rc_type w = RC_NEW_STATE + st->st_state;
2293 char sadetails[128];
2294
2295 sadetails[0]='\0';
2296
2297 if (IS_IPSEC_SA_ESTABLISHED(st->st_state))
2298 {
2299 char *b = sadetails;
2300 const char *ini = " {";
2301 const char *fin = "";
2302
2303 /* -1 is to leave space for "fin" */
2304
2305 if (st->st_esp.present)
2306 {
2307 snprintf(b, sizeof(sadetails)-(b-sadetails)-1
2308 , "%sESP=>0x%08x <0x%08x"
2309 , ini
2310 , ntohl(st->st_esp.attrs.spi)
2311 , ntohl(st->st_esp.our_spi));
2312 ini = " ";
2313 fin = "}";
2314 }
2315 /* advance b to end of string */
2316 b = b + strlen(b);
2317
2318 if (st->st_ah.present)
2319 {
2320 snprintf(b, sizeof(sadetails)-(b-sadetails)-1
2321 , "%sAH=>0x%08x <0x%08x"
2322 , ini
2323 , ntohl(st->st_ah.attrs.spi)
2324 , ntohl(st->st_ah.our_spi));
2325 ini = " ";
2326 fin = "}";
2327 }
2328 /* advance b to end of string */
2329 b = b + strlen(b);
2330
2331 if (st->st_ipcomp.present)
2332 {
2333 snprintf(b, sizeof(sadetails)-(b-sadetails)-1
2334 , "%sIPCOMP=>0x%08x <0x%08x"
2335 , ini
2336 , ntohl(st->st_ipcomp.attrs.spi)
2337 , ntohl(st->st_ipcomp.our_spi));
2338 ini = " ";
2339 fin = "}";
2340 }
2341 /* advance b to end of string */
2342 b = b + strlen(b);
2343
2344 if (st->nat_traversal)
2345 {
2346 char oa[ADDRTOT_BUF];
2347 addrtot(&st->nat_oa, 0, oa, sizeof(oa));
2348 snprintf(b, sizeof(sadetails)-(b-sadetails)-1
2349 , "%sNATOA=%s"
2350 , ini, oa);
2351 ini = " ";
2352 fin = "}";
2353 }
2354
2355 /* advance b to end of string */
2356 b = b + strlen(b);
2357
2358 if (st->st_dpd)
2359 {
2360 snprintf(b, sizeof(sadetails)-(b-sadetails)-1
2361 , "%sDPD"
2362 , ini);
2363 ini = " ";
2364 fin = "}";
2365 }
2366
2367 strcat(b, fin);
2368 }
2369
2370 if (IS_ISAKMP_SA_ESTABLISHED(st->st_state)
2371 || IS_IPSEC_SA_ESTABLISHED(st->st_state))
2372 {
2373 /* log our success */
2374 plog("%s%s", story, sadetails);
2375 w = RC_SUCCESS;
2376 }
2377
2378 /* tell whack our progress */
2379 whack_log(w
2380 , "%s: %s%s"
2381 , enum_name(&state_names, st->st_state)
2382 , story, sadetails);
2383 }
2384
2385 has_xauth_policy = (st->st_connection->policy
2386 & (POLICY_XAUTH_RSASIG | POLICY_XAUTH_PSK))
2387 != LEMPTY;
2388 is_xauth_server = (st->st_connection->policy
2389 & POLICY_XAUTH_SERVER)
2390 != LEMPTY;
2391
2392 /* Should we start XAUTH as a server */
2393 if (has_xauth_policy && is_xauth_server
2394 && IS_ISAKMP_SA_ESTABLISHED(st->st_state)
2395 && !st->st_xauth.started)
2396 {
2397 DBG(DBG_CONTROL,
2398 DBG_log("starting XAUTH server")
2399 )
2400 xauth_send_request(st);
2401 break;
2402 }
2403
2404 /* Wait for XAUTH request from server */
2405 if (has_xauth_policy && !is_xauth_server
2406 && IS_ISAKMP_SA_ESTABLISHED(st->st_state)
2407 && !st->st_xauth.started)
2408 {
2409 DBG(DBG_CONTROL,
2410 DBG_log("waiting for XAUTH request from server")
2411 )
2412 break;
2413 }
2414
2415 /* Should we start ModeConfig as a client? */
2416 if (st->st_connection->spd.this.modecfg
2417 && IS_ISAKMP_SA_ESTABLISHED(st->st_state)
2418 && !(st->st_connection->policy & POLICY_MODECFG_PUSH)
2419 && !st->st_modecfg.started)
2420 {
2421 DBG(DBG_CONTROL,
2422 DBG_log("starting ModeCfg client in pull mode")
2423 )
2424 modecfg_send_request(st);
2425 break;
2426 }
2427
2428 /* Should we start ModeConfig as a server? */
2429 if (st->st_connection->spd.that.modecfg
2430 && IS_ISAKMP_SA_ESTABLISHED(st->st_state)
2431 && !st->st_modecfg.started
2432 && (st->st_connection->policy & POLICY_MODECFG_PUSH))
2433 {
2434 DBG(DBG_CONTROL,
2435 DBG_log("starting ModeCfg server in push mode")
2436 )
2437 modecfg_send_set(st);
2438 break;
2439 }
2440
2441 /* Wait for ModeConfig set from server */
2442 if (st->st_connection->spd.this.modecfg
2443 && IS_ISAKMP_SA_ESTABLISHED(st->st_state)
2444 && !st->st_modecfg.vars_set)
2445 {
2446 DBG(DBG_CONTROL,
2447 DBG_log("waiting for ModeCfg set from server")
2448 )
2449 break;
2450 }
2451
2452 if (smc->flags & SMF_RELEASE_PENDING_P2)
2453 {
2454 /* Initiate any Quick Mode negotiations that
2455 * were waiting to piggyback on this Keying Channel.
2456 *
2457 * ??? there is a potential race condition
2458 * if we are the responder: the initial Phase 2
2459 * message might outrun the final Phase 1 message.
2460 * I think that retransmission will recover.
2461 */
2462 unpend(st);
2463 }
2464
2465 if (IS_ISAKMP_SA_ESTABLISHED(st->st_state)
2466 || IS_IPSEC_SA_ESTABLISHED(st->st_state))
2467 release_whack(st);
2468 break;
2469
2470 case STF_INTERNAL_ERROR:
2471 whack_log(RC_INTERNALERR + md->note
2472 , "%s: internal error"
2473 , enum_name(&state_names, st->st_state));
2474
2475 DBG(DBG_CONTROL,
2476 DBG_log("state transition function for %s had internal error"
2477 , enum_name(&state_names, from_state)));
2478 break;
2479
2480 default: /* a shortcut to STF_FAIL, setting md->note */
2481 passert(result > STF_FAIL);
2482 md->note = result - STF_FAIL;
2483 result = STF_FAIL;
2484 /* FALL THROUGH ... */
2485 case STF_FAIL:
2486 /* As it is, we act as if this message never happened:
2487 * whatever retrying was in place, remains in place.
2488 */
2489 whack_log(RC_NOTIFICATION + md->note
2490 , "%s: %s"
2491 , enum_name(&state_names, (st == NULL)? STATE_MAIN_R0:st->st_state)
2492 , enum_name(&notification_names, md->note));
2493
2494 SEND_NOTIFICATION(md->note);
2495
2496 DBG(DBG_CONTROL,
2497 DBG_log("state transition function for %s failed: %s"
2498 , enum_name(&state_names, from_state)
2499 , enum_name(&notification_names, md->note)));
2500 break;
2501 }
2502 }