SKEYID derivation based on libstrongswan
[strongswan.git] / src / pluto / demux.c
1 /* demultiplex incoming IKE messages
2 * Copyright (C) 1997 Angelos D. Keromytis.
3 * Copyright (C) 1998-2002 D. Hugh Redelmeier.
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 /* Ordering Constraints on Payloads
17 *
18 * rfc2409: The Internet Key Exchange (IKE)
19 *
20 * 5 Exchanges:
21 * "The SA payload MUST precede all other payloads in a phase 1 exchange."
22 *
23 * "Except where otherwise noted, there are no requirements for ISAKMP
24 * payloads in any message to be in any particular order."
25 *
26 * 5.3 Phase 1 Authenticated With a Revised Mode of Public Key Encryption:
27 *
28 * "If the HASH payload is sent it MUST be the first payload of the
29 * second message exchange and MUST be followed by the encrypted
30 * nonce. If the HASH payload is not sent, the first payload of the
31 * second message exchange MUST be the encrypted nonce."
32 *
33 * "Save the requirements on the location of the optional HASH payload
34 * and the mandatory nonce payload there are no further payload
35 * requirements. All payloads-- in whatever order-- following the
36 * encrypted nonce MUST be encrypted with Ke_i or Ke_r depending on the
37 * direction."
38 *
39 * 5.5 Phase 2 - Quick Mode
40 *
41 * "In Quick Mode, a HASH payload MUST immediately follow the ISAKMP
42 * header and a SA payload MUST immediately follow the HASH."
43 * [NOTE: there may be more than one SA payload, so this is not
44 * totally reasonable. Probably all SAs should be so constrained.]
45 *
46 * "If ISAKMP is acting as a client negotiator on behalf of another
47 * party, the identities of the parties MUST be passed as IDci and
48 * then IDcr."
49 *
50 * "With the exception of the HASH, SA, and the optional ID payloads,
51 * there are no payload ordering restrictions on Quick Mode."
52 */
53
54 /* Unfolding of Identity -- a central mystery
55 *
56 * This concerns Phase 1 identities, those of the IKE hosts.
57 * These are the only ones that are authenticated. Phase 2
58 * identities are for IPsec SAs.
59 *
60 * There are three case of interest:
61 *
62 * (1) We initiate, based on a whack command specifying a Connection.
63 * We know the identity of the peer from the Connection.
64 *
65 * (2) (to be implemented) we initiate based on a flow from our client
66 * to some IP address.
67 * We immediately know one of the peer's client IP addresses from
68 * the flow. We must use this to figure out the peer's IP address
69 * and Id. To be solved.
70 *
71 * (3) We respond to an IKE negotiation.
72 * We immediately know the peer's IP address.
73 * We get an ID Payload in Main I2.
74 *
75 * Unfortunately, this is too late for a number of things:
76 * - the ISAKMP SA proposals have already been made (Main I1)
77 * AND one accepted (Main R1)
78 * - the SA includes a specification of the type of ID
79 * authentication so this is negotiated without being told the ID.
80 * - with Preshared Key authentication, Main I2 is encrypted
81 * using the key, so it cannot be decoded to reveal the ID
82 * without knowing (or guessing) which key to use.
83 *
84 * There are three reasonable choices here for the responder:
85 * + assume that the initiator is making wise offers since it
86 * knows the IDs involved. We can balk later (but not gracefully)
87 * when we find the actual initiator ID
88 * + attempt to infer identity by IP address. Again, we can balk
89 * when the true identity is revealed. Actually, it is enough
90 * to infer properties of the identity (eg. SA properties and
91 * PSK, if needed).
92 * + make all properties universal so discrimination based on
93 * identity isn't required. For example, always accept the same
94 * kinds of encryption. Accept Public Key Id authentication
95 * since the Initiator presumably has our public key and thinks
96 * we must have / can find his. This approach is weakest
97 * for preshared key since the actual key must be known to
98 * decrypt the Initiator's ID Payload.
99 * These choices can be blended. For example, a class of Identities
100 * can be inferred, sufficient to select a preshared key but not
101 * sufficient to infer a unique identity.
102 */
103
104 #include <stdio.h>
105 #include <stdlib.h>
106 #include <stddef.h>
107 #include <string.h>
108 #include <unistd.h>
109 #include <errno.h>
110 #include <sys/types.h>
111 #include <sys/time.h> /* only used for belt-and-suspenders select call */
112 #include <sys/poll.h> /* only used for forensic poll call */
113 #include <sys/socket.h>
114 #include <sys/ioctl.h>
115 #include <netinet/in.h>
116 #include <arpa/inet.h>
117 #include <sys/queue.h>
118
119 #if defined(IP_RECVERR) && defined(MSG_ERRQUEUE)
120 # include <asm/types.h> /* for __u8, __u32 */
121 # include <linux/errqueue.h>
122 # include <sys/uio.h> /* struct iovec */
123 #endif
124
125 #include <freeswan.h>
126
127 #include "constants.h"
128 #include "defs.h"
129 #include "cookie.h"
130 #include "connections.h"
131 #include "state.h"
132 #include "packet.h"
133 #include "crypto.h"
134 #include "ike_alg.h"
135 #include "log.h"
136 #include "demux.h" /* needs packet.h */
137 #include "ipsec_doi.h" /* needs demux.h and state.h */
138 #include "timer.h"
139 #include "whack.h" /* requires connections.h */
140 #include "server.h"
141 #include "nat_traversal.h"
142 #include "vendor.h"
143 #include "modecfg.h"
144
145 /* This file does basic header checking and demux of
146 * incoming packets.
147 */
148
149 /* forward declarations */
150 static bool read_packet(struct msg_digest *md);
151 static void process_packet(struct msg_digest **mdp);
152
153 /* Reply messages are built in this buffer.
154 * Only one state transition function can be using it at a time
155 * so suspended STFs must save and restore it.
156 * It could be an auto variable of complete_state_transition except for the fact
157 * that when a suspended STF resumes, its reply message buffer
158 * must be at the same location -- there are pointers into it.
159 */
160 u_int8_t reply_buffer[MAX_OUTPUT_UDP_SIZE];
161
162 /* state_microcode is a tuple of information parameterizing certain
163 * centralized processing of a packet. For example, it roughly
164 * specifies what payloads are expected in this message.
165 * The microcode is selected primarily based on the state.
166 * In Phase 1, the payload structure often depends on the
167 * authentication technique, so that too plays a part in selecting
168 * the state_microcode to use.
169 */
170
171 struct state_microcode {
172 enum state_kind state, next_state;
173 lset_t flags;
174 lset_t req_payloads; /* required payloads (allows just one) */
175 lset_t opt_payloads; /* optional payloads (any mumber) */
176 /* if not ISAKMP_NEXT_NONE, process_packet will emit HDR with this as np */
177 u_int8_t first_out_payload;
178 enum event_type timeout_event;
179 state_transition_fn *processor;
180 };
181
182 /* State Microcode Flags, in several groups */
183
184 /* Oakley Auth values: to which auth values does this entry apply?
185 * Most entries will use SMF_ALL_AUTH because they apply to all.
186 * Note: SMF_ALL_AUTH matches 0 for those circumstances when no auth
187 * has been set.
188 */
189 #define SMF_ALL_AUTH LRANGE(0, OAKLEY_AUTH_ROOF-1)
190 #define SMF_PSK_AUTH LELEM(OAKLEY_PRESHARED_KEY)
191 #define SMF_DS_AUTH (LELEM(OAKLEY_DSS_SIG) | LELEM(OAKLEY_RSA_SIG))
192 #define SMF_PKE_AUTH (LELEM(OAKLEY_RSA_ENC) | LELEM(OAKLEY_ELGAMAL_ENC))
193 #define SMF_RPKE_AUTH (LELEM(OAKLEY_RSA_ENC_REV) | LELEM(OAKLEY_ELGAMAL_ENC_REV))
194
195 /* misc flags */
196
197 #define SMF_INITIATOR LELEM(OAKLEY_AUTH_ROOF + 0)
198 #define SMF_FIRST_ENCRYPTED_INPUT LELEM(OAKLEY_AUTH_ROOF + 1)
199 #define SMF_INPUT_ENCRYPTED LELEM(OAKLEY_AUTH_ROOF + 2)
200 #define SMF_OUTPUT_ENCRYPTED LELEM(OAKLEY_AUTH_ROOF + 3)
201 #define SMF_RETRANSMIT_ON_DUPLICATE LELEM(OAKLEY_AUTH_ROOF + 4)
202
203 #define SMF_ENCRYPTED (SMF_INPUT_ENCRYPTED | SMF_OUTPUT_ENCRYPTED)
204
205 /* this state generates a reply message */
206 #define SMF_REPLY LELEM(OAKLEY_AUTH_ROOF + 5)
207
208 /* this state completes P1, so any pending P2 negotiations should start */
209 #define SMF_RELEASE_PENDING_P2 LELEM(OAKLEY_AUTH_ROOF + 6)
210
211 /* end of flags */
212
213
214 static state_transition_fn /* forward declaration */
215 unexpected,
216 informational;
217
218 /* state_microcode_table is a table of all state_microcode tuples.
219 * It must be in order of state (the first element).
220 * After initialization, ike_microcode_index[s] points to the
221 * first entry in state_microcode_table for state s.
222 * Remember that each state name in Main or Quick Mode describes
223 * what has happened in the past, not what this message is.
224 */
225
226 static const struct state_microcode
227 *ike_microcode_index[STATE_IKE_ROOF - STATE_IKE_FLOOR];
228
229 static const struct state_microcode state_microcode_table[] = {
230 #define PT(n) ISAKMP_NEXT_##n
231 #define P(n) LELEM(PT(n))
232
233 /***** Phase 1 Main Mode *****/
234
235 /* No state for main_outI1: --> HDR, SA */
236
237 /* STATE_MAIN_R0: I1 --> R1
238 * HDR, SA --> HDR, SA
239 */
240 { STATE_MAIN_R0, STATE_MAIN_R1
241 , SMF_ALL_AUTH | SMF_REPLY
242 , P(SA), P(VID) | P(CR), PT(NONE)
243 , EVENT_RETRANSMIT, main_inI1_outR1},
244
245 /* STATE_MAIN_I1: R1 --> I2
246 * HDR, SA --> auth dependent
247 * SMF_PSK_AUTH, SMF_DS_AUTH: --> HDR, KE, Ni
248 * SMF_PKE_AUTH:
249 * --> HDR, KE, [ HASH(1), ] <IDi1_b>PubKey_r, <Ni_b>PubKey_r
250 * SMF_RPKE_AUTH:
251 * --> HDR, [ HASH(1), ] <Ni_b>Pubkey_r, <KE_b>Ke_i, <IDi1_b>Ke_i [,<<Cert-I_b>Ke_i]
252 * Note: since we don't know auth at start, we cannot differentiate
253 * microcode entries based on it.
254 */
255 { STATE_MAIN_I1, STATE_MAIN_I2
256 , SMF_ALL_AUTH | SMF_INITIATOR | SMF_REPLY
257 , P(SA), P(VID) | P(CR), PT(NONE) /* don't know yet */
258 , EVENT_RETRANSMIT, main_inR1_outI2 },
259
260 /* STATE_MAIN_R1: I2 --> R2
261 * SMF_PSK_AUTH, SMF_DS_AUTH: HDR, KE, Ni --> HDR, KE, Nr
262 * SMF_PKE_AUTH: HDR, KE, [ HASH(1), ] <IDi1_b>PubKey_r, <Ni_b>PubKey_r
263 * --> HDR, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i
264 * SMF_RPKE_AUTH:
265 * HDR, [ HASH(1), ] <Ni_b>Pubkey_r, <KE_b>Ke_i, <IDi1_b>Ke_i [,<<Cert-I_b>Ke_i]
266 * --> HDR, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDr1_b>Ke_r
267 */
268 { STATE_MAIN_R1, STATE_MAIN_R2
269 , SMF_PSK_AUTH | SMF_DS_AUTH | SMF_REPLY
270 , P(KE) | P(NONCE), P(VID) | P(CR) | P(NATD_RFC), PT(KE)
271 , EVENT_RETRANSMIT, main_inI2_outR2 },
272
273 { STATE_MAIN_R1, STATE_UNDEFINED
274 , SMF_PKE_AUTH | SMF_REPLY
275 , P(KE) | P(ID) | P(NONCE), P(VID) | P(CR) | P(HASH), PT(KE)
276 , EVENT_RETRANSMIT, unexpected /* ??? not yet implemented */ },
277
278 { STATE_MAIN_R1, STATE_UNDEFINED
279 , SMF_RPKE_AUTH | SMF_REPLY
280 , P(NONCE) | P(KE) | P(ID), P(VID) | P(CR) | P(HASH) | P(CERT), PT(NONCE)
281 , EVENT_RETRANSMIT, unexpected /* ??? not yet implemented */ },
282
283 /* for states from here on, output message must be encrypted */
284
285 /* STATE_MAIN_I2: R2 --> I3
286 * SMF_PSK_AUTH: HDR, KE, Nr --> HDR*, IDi1, HASH_I
287 * SMF_DS_AUTH: HDR, KE, Nr --> HDR*, IDi1, [ CERT, ] SIG_I
288 * SMF_PKE_AUTH: HDR, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i
289 * --> HDR*, HASH_I
290 * SMF_RPKE_AUTH: HDR, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDr1_b>Ke_r
291 * --> HDR*, HASH_I
292 */
293 { STATE_MAIN_I2, STATE_MAIN_I3
294 , SMF_PSK_AUTH | SMF_DS_AUTH | SMF_INITIATOR | SMF_OUTPUT_ENCRYPTED | SMF_REPLY
295 , P(KE) | P(NONCE), P(VID) | P(CR) | P(NATD_RFC), PT(ID)
296 , EVENT_RETRANSMIT, main_inR2_outI3 },
297
298 { STATE_MAIN_I2, STATE_UNDEFINED
299 , SMF_PKE_AUTH | SMF_INITIATOR | SMF_OUTPUT_ENCRYPTED | SMF_REPLY
300 , P(KE) | P(ID) | P(NONCE), P(VID) | P(CR), PT(HASH)
301 , EVENT_RETRANSMIT, unexpected /* ??? not yet implemented */ },
302
303 { STATE_MAIN_I2, STATE_UNDEFINED
304 , SMF_ALL_AUTH | SMF_INITIATOR | SMF_OUTPUT_ENCRYPTED | SMF_REPLY
305 , P(NONCE) | P(KE) | P(ID), P(VID) | P(CR), PT(HASH)
306 , EVENT_RETRANSMIT, unexpected /* ??? not yet implemented */ },
307
308 /* for states from here on, input message must be encrypted */
309
310 /* STATE_MAIN_R2: I3 --> R3
311 * SMF_PSK_AUTH: HDR*, IDi1, HASH_I --> HDR*, IDr1, HASH_R
312 * SMF_DS_AUTH: HDR*, IDi1, [ CERT, ] SIG_I --> HDR*, IDr1, [ CERT, ] SIG_R
313 * SMF_PKE_AUTH, SMF_RPKE_AUTH: HDR*, HASH_I --> HDR*, HASH_R
314 */
315 { STATE_MAIN_R2, STATE_MAIN_R3
316 , SMF_PSK_AUTH | SMF_FIRST_ENCRYPTED_INPUT | SMF_ENCRYPTED
317 | SMF_REPLY | SMF_RELEASE_PENDING_P2
318 , P(ID) | P(HASH), P(VID) | P(CR), PT(NONE)
319 , EVENT_SA_REPLACE, main_inI3_outR3 },
320
321 { STATE_MAIN_R2, STATE_MAIN_R3
322 , SMF_DS_AUTH | SMF_FIRST_ENCRYPTED_INPUT | SMF_ENCRYPTED
323 | SMF_REPLY | SMF_RELEASE_PENDING_P2
324 , P(ID) | P(SIG), P(VID) | P(CR) | P(CERT), PT(NONE)
325 , EVENT_SA_REPLACE, main_inI3_outR3 },
326
327 { STATE_MAIN_R2, STATE_UNDEFINED
328 , SMF_PKE_AUTH | SMF_RPKE_AUTH | SMF_FIRST_ENCRYPTED_INPUT | SMF_ENCRYPTED
329 | SMF_REPLY | SMF_RELEASE_PENDING_P2
330 , P(HASH), P(VID) | P(CR), PT(NONE)
331 , EVENT_SA_REPLACE, unexpected /* ??? not yet implemented */ },
332
333 /* STATE_MAIN_I3: R3 --> done
334 * SMF_PSK_AUTH: HDR*, IDr1, HASH_R --> done
335 * SMF_DS_AUTH: HDR*, IDr1, [ CERT, ] SIG_R --> done
336 * SMF_PKE_AUTH, SMF_RPKE_AUTH: HDR*, HASH_R --> done
337 * May initiate quick mode by calling quick_outI1
338 */
339 { STATE_MAIN_I3, STATE_MAIN_I4
340 , SMF_PSK_AUTH | SMF_INITIATOR
341 | SMF_FIRST_ENCRYPTED_INPUT | SMF_ENCRYPTED | SMF_RELEASE_PENDING_P2
342 , P(ID) | P(HASH), P(VID) | P(CR), PT(NONE)
343 , EVENT_SA_REPLACE, main_inR3 },
344
345 { STATE_MAIN_I3, STATE_MAIN_I4
346 , SMF_DS_AUTH | SMF_INITIATOR
347 | SMF_FIRST_ENCRYPTED_INPUT | SMF_ENCRYPTED | SMF_RELEASE_PENDING_P2
348 , P(ID) | P(SIG), P(VID) | P(CR) | P(CERT), PT(NONE)
349 , EVENT_SA_REPLACE, main_inR3 },
350
351 { STATE_MAIN_I3, STATE_UNDEFINED
352 , SMF_PKE_AUTH | SMF_RPKE_AUTH | SMF_INITIATOR
353 | SMF_FIRST_ENCRYPTED_INPUT | SMF_ENCRYPTED | SMF_RELEASE_PENDING_P2
354 , P(HASH), P(VID) | P(CR), PT(NONE)
355 , EVENT_SA_REPLACE, unexpected /* ??? not yet implemented */ },
356
357 /* STATE_MAIN_R3: can only get here due to packet loss */
358 { STATE_MAIN_R3, STATE_UNDEFINED
359 , SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_RETRANSMIT_ON_DUPLICATE
360 , LEMPTY, LEMPTY
361 , PT(NONE), EVENT_NULL, unexpected },
362
363 /* STATE_MAIN_I4: can only get here due to packet loss */
364 { STATE_MAIN_I4, STATE_UNDEFINED
365 , SMF_ALL_AUTH | SMF_INITIATOR | SMF_ENCRYPTED
366 , LEMPTY, LEMPTY
367 , PT(NONE), EVENT_NULL, unexpected },
368
369
370 /***** Phase 2 Quick Mode *****/
371
372 /* No state for quick_outI1:
373 * --> HDR*, HASH(1), SA, Nr [, KE ] [, IDci, IDcr ]
374 */
375
376 /* STATE_QUICK_R0:
377 * HDR*, HASH(1), SA, Ni [, KE ] [, IDci, IDcr ] -->
378 * HDR*, HASH(2), SA, Nr [, KE ] [, IDci, IDcr ]
379 * Installs inbound IPsec SAs.
380 * Because it may suspend for asynchronous DNS, first_out_payload
381 * is set to NONE to suppress early emission of HDR*.
382 * ??? it is legal to have multiple SAs, but we don't support it yet.
383 */
384 { STATE_QUICK_R0, STATE_QUICK_R1
385 , SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY
386 , P(HASH) | P(SA) | P(NONCE), /* P(SA) | */ P(KE) | P(ID) | P(NATOA_RFC), PT(NONE)
387 , EVENT_RETRANSMIT, quick_inI1_outR1 },
388
389 /* STATE_QUICK_I1:
390 * HDR*, HASH(2), SA, Nr [, KE ] [, IDci, IDcr ] -->
391 * HDR*, HASH(3)
392 * Installs inbound and outbound IPsec SAs, routing, etc.
393 * ??? it is legal to have multiple SAs, but we don't support it yet.
394 */
395 { STATE_QUICK_I1, STATE_QUICK_I2
396 , SMF_ALL_AUTH | SMF_INITIATOR | SMF_ENCRYPTED | SMF_REPLY
397 , P(HASH) | P(SA) | P(NONCE), /* P(SA) | */ P(KE) | P(ID) | P(NATOA_RFC), PT(HASH)
398 , EVENT_SA_REPLACE, quick_inR1_outI2 },
399
400 /* STATE_QUICK_R1: HDR*, HASH(3) --> done
401 * Installs outbound IPsec SAs, routing, etc.
402 */
403 { STATE_QUICK_R1, STATE_QUICK_R2
404 , SMF_ALL_AUTH | SMF_ENCRYPTED
405 , P(HASH), LEMPTY, PT(NONE)
406 , EVENT_SA_REPLACE, quick_inI2 },
407
408 /* STATE_QUICK_I2: can only happen due to lost packet */
409 { STATE_QUICK_I2, STATE_UNDEFINED
410 , SMF_ALL_AUTH | SMF_INITIATOR | SMF_ENCRYPTED | SMF_RETRANSMIT_ON_DUPLICATE
411 , LEMPTY, LEMPTY, PT(NONE)
412 , EVENT_NULL, unexpected },
413
414 /* STATE_QUICK_R2: can only happen due to lost packet */
415 { STATE_QUICK_R2, STATE_UNDEFINED
416 , SMF_ALL_AUTH | SMF_ENCRYPTED
417 , LEMPTY, LEMPTY, PT(NONE)
418 , EVENT_NULL, unexpected },
419
420
421 /***** informational messages *****/
422
423 /* STATE_INFO: */
424 { STATE_INFO, STATE_UNDEFINED
425 , SMF_ALL_AUTH
426 , LEMPTY, LEMPTY, PT(NONE)
427 , EVENT_NULL, informational },
428
429 /* STATE_INFO_PROTECTED: */
430 { STATE_INFO_PROTECTED, STATE_UNDEFINED
431 , SMF_ALL_AUTH | SMF_ENCRYPTED
432 , P(HASH), LEMPTY, PT(NONE)
433 , EVENT_NULL, informational },
434
435 /* XAUTH state transitions */
436 { STATE_XAUTH_I0, STATE_XAUTH_I1
437 , SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY
438 , P(ATTR) | P(HASH), P(VID), PT(HASH)
439 , EVENT_RETRANSMIT, xauth_inI0 },
440
441 { STATE_XAUTH_R1, STATE_XAUTH_R2
442 , SMF_ALL_AUTH | SMF_ENCRYPTED
443 , P(ATTR) | P(HASH), P(VID), PT(HASH)
444 , EVENT_RETRANSMIT, xauth_inR1 },
445
446 { STATE_XAUTH_I1, STATE_XAUTH_I2
447 , SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY | SMF_RELEASE_PENDING_P2
448 , P(ATTR) | P(HASH), P(VID), PT(HASH)
449 , EVENT_SA_REPLACE, xauth_inI1 },
450
451 { STATE_XAUTH_R2, STATE_XAUTH_R3
452 , SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_RELEASE_PENDING_P2
453 , P(ATTR) | P(HASH), P(VID), PT(NONE)
454 , EVENT_SA_REPLACE, xauth_inR2 },
455
456 { STATE_XAUTH_I2, STATE_UNDEFINED
457 , SMF_ALL_AUTH | SMF_ENCRYPTED
458 , LEMPTY, LEMPTY, PT(NONE)
459 , EVENT_NULL, unexpected },
460
461 { STATE_XAUTH_R3, STATE_UNDEFINED
462 , SMF_ALL_AUTH | SMF_ENCRYPTED
463 , LEMPTY, LEMPTY, PT(NONE)
464 , EVENT_NULL, unexpected },
465
466 /* ModeCfg pull mode state transitions */
467
468 { STATE_MODE_CFG_R0, STATE_MODE_CFG_R1
469 , SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY | SMF_RELEASE_PENDING_P2
470 , P(ATTR) | P(HASH), P(VID), PT(HASH)
471 , EVENT_SA_REPLACE, modecfg_inR0 },
472
473 { STATE_MODE_CFG_I1, STATE_MODE_CFG_I2
474 , SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_RELEASE_PENDING_P2
475 , P(ATTR) | P(HASH), P(VID), PT(HASH)
476 , EVENT_SA_REPLACE, modecfg_inI1 },
477
478 { STATE_MODE_CFG_R1, STATE_UNDEFINED
479 , SMF_ALL_AUTH | SMF_ENCRYPTED
480 , LEMPTY, LEMPTY, PT(NONE)
481 , EVENT_NULL, unexpected },
482
483 { STATE_MODE_CFG_I2, STATE_UNDEFINED
484 , SMF_ALL_AUTH | SMF_ENCRYPTED
485 , LEMPTY, LEMPTY, PT(NONE)
486 , EVENT_NULL, unexpected },
487
488 /* ModeCfg push mode state transitions */
489
490 { STATE_MODE_CFG_I0, STATE_MODE_CFG_I3
491 , SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY | SMF_RELEASE_PENDING_P2
492 , P(ATTR) | P(HASH), P(VID), PT(HASH)
493 , EVENT_SA_REPLACE, modecfg_inI0 },
494
495 { STATE_MODE_CFG_R3, STATE_MODE_CFG_R4
496 , SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_RELEASE_PENDING_P2
497 , P(ATTR) | P(HASH), P(VID), PT(HASH)
498 , EVENT_SA_REPLACE, modecfg_inR3 },
499
500 { STATE_MODE_CFG_I3, STATE_UNDEFINED
501 , SMF_ALL_AUTH | SMF_ENCRYPTED
502 , LEMPTY, LEMPTY, PT(NONE)
503 , EVENT_NULL, unexpected },
504
505 { STATE_MODE_CFG_R4, STATE_UNDEFINED
506 , SMF_ALL_AUTH | SMF_ENCRYPTED
507 , LEMPTY, LEMPTY, PT(NONE)
508 , EVENT_NULL, unexpected },
509
510 #undef P
511 #undef PT
512 };
513
514 void
515 init_demux(void)
516 {
517 /* fill ike_microcode_index:
518 * make ike_microcode_index[s] point to first entry in
519 * state_microcode_table for state s (backward scan makes this easier).
520 * Check that table is in order -- catch coding errors.
521 * For what it's worth, this routine is idempotent.
522 */
523 const struct state_microcode *t;
524
525 for (t = &state_microcode_table[countof(state_microcode_table) - 1];;)
526 {
527 passert(STATE_IKE_FLOOR <= t->state && t->state < STATE_IKE_ROOF);
528 ike_microcode_index[t->state - STATE_IKE_FLOOR] = t;
529 if (t == state_microcode_table)
530 break;
531 t--;
532 passert(t[0].state <= t[1].state);
533 }
534 }
535
536 /* Process any message on the MSG_ERRQUEUE
537 *
538 * This information is generated because of the IP_RECVERR socket option.
539 * The API is sparsely documented, and may be LINUX-only, and only on
540 * fairly recent versions at that (hence the conditional compilation).
541 *
542 * - ip(7) describes IP_RECVERR
543 * - recvmsg(2) describes MSG_ERRQUEUE
544 * - readv(2) describes iovec
545 * - cmsg(3) describes how to process auxilliary messages
546 *
547 * ??? we should link this message with one we've sent
548 * so that the diagnostic can refer to that negotiation.
549 *
550 * ??? how long can the messge be?
551 *
552 * ??? poll(2) has a very incomplete description of the POLL* events.
553 * We assume that POLLIN, POLLOUT, and POLLERR are all we need to deal with
554 * and that POLLERR will be on iff there is a MSG_ERRQUEUE message.
555 *
556 * We have to code around a couple of surprises:
557 *
558 * - Select can say that a socket is ready to read from, and
559 * yet a read will hang. It turns out that a message available on the
560 * MSG_ERRQUEUE will cause select to say something is pending, but
561 * a normal read will hang. poll(2) can tell when a MSG_ERRQUEUE
562 * message is pending.
563 *
564 * This is dealt with by calling check_msg_errqueue after select
565 * has indicated that there is something to read, but before the
566 * read is performed. check_msg_errqueue will return TRUE if there
567 * is something left to read.
568 *
569 * - A write to a socket may fail because there is a pending MSG_ERRQUEUE
570 * message, without there being anything wrong with the write. This
571 * makes for confusing diagnostics.
572 *
573 * To avoid this, we call check_msg_errqueue before a write. True,
574 * there is a race condition (a MSG_ERRQUEUE message might arrive
575 * between the check and the write), but we should eliminate many
576 * of the problematic events. To narrow the window, the poll(2)
577 * will await until an event happens (in the case or a write,
578 * POLLOUT; this should be benign for POLLIN).
579 */
580
581 #if defined(IP_RECVERR) && defined(MSG_ERRQUEUE)
582 static bool
583 check_msg_errqueue(const struct iface *ifp, short interest)
584 {
585 struct pollfd pfd;
586
587 pfd.fd = ifp->fd;
588 pfd.events = interest | POLLPRI | POLLOUT;
589
590 while (pfd.revents = 0
591 , poll(&pfd, 1, -1) > 0 && (pfd.revents & POLLERR))
592 {
593 u_int8_t buffer[3000]; /* hope that this is big enough */
594 union
595 {
596 struct sockaddr sa;
597 struct sockaddr_in sa_in4;
598 struct sockaddr_in6 sa_in6;
599 } from;
600
601 int from_len = sizeof(from);
602
603 int packet_len;
604
605 struct msghdr emh;
606 struct iovec eiov;
607 union {
608 /* force alignment (not documented as necessary) */
609 struct cmsghdr ecms;
610
611 /* how much space is enough? */
612 unsigned char space[256];
613 } ecms_buf;
614
615 struct cmsghdr *cm;
616 char fromstr[sizeof(" for message to port 65536") + INET6_ADDRSTRLEN];
617 struct state *sender = NULL;
618
619 zero(&from.sa);
620 from_len = sizeof(from);
621
622 emh.msg_name = &from.sa; /* ??? filled in? */
623 emh.msg_namelen = sizeof(from);
624 emh.msg_iov = &eiov;
625 emh.msg_iovlen = 1;
626 emh.msg_control = &ecms_buf;
627 emh.msg_controllen = sizeof(ecms_buf);
628 emh.msg_flags = 0;
629
630 eiov.iov_base = buffer; /* see readv(2) */
631 eiov.iov_len = sizeof(buffer);
632
633 packet_len = recvmsg(ifp->fd, &emh, MSG_ERRQUEUE);
634
635 if (packet_len == -1)
636 {
637 log_errno((e, "recvmsg(,, MSG_ERRQUEUE) on %s failed in comm_handle"
638 , ifp->rname));
639 break;
640 }
641 else if (packet_len == sizeof(buffer))
642 {
643 plog("MSG_ERRQUEUE message longer than %lu bytes; truncated"
644 , (unsigned long) sizeof(buffer));
645 }
646 else
647 {
648 sender = find_sender((size_t) packet_len, buffer);
649 }
650
651 DBG_cond_dump(DBG_ALL, "rejected packet:\n", buffer, packet_len);
652 DBG_cond_dump(DBG_ALL, "control:\n", emh.msg_control, emh.msg_controllen);
653 /* ??? Andi Kleen <ak@suse.de> and misc documentation
654 * suggests that name will have the original destination
655 * of the packet. We seem to see msg_namelen == 0.
656 * Andi says that this is a kernel bug and has fixed it.
657 * Perhaps in 2.2.18/2.4.0.
658 */
659 passert(emh.msg_name == &from.sa);
660 DBG_cond_dump(DBG_ALL, "name:\n", emh.msg_name
661 , emh.msg_namelen);
662
663 fromstr[0] = '\0'; /* usual case :-( */
664 switch (from.sa.sa_family)
665 {
666 char as[INET6_ADDRSTRLEN];
667
668 case AF_INET:
669 if (emh.msg_namelen == sizeof(struct sockaddr_in))
670 snprintf(fromstr, sizeof(fromstr)
671 , " for message to %s port %u"
672 , inet_ntop(from.sa.sa_family
673 , &from.sa_in4.sin_addr, as, sizeof(as))
674 , ntohs(from.sa_in4.sin_port));
675 break;
676 case AF_INET6:
677 if (emh.msg_namelen == sizeof(struct sockaddr_in6))
678 snprintf(fromstr, sizeof(fromstr)
679 , " for message to %s port %u"
680 , inet_ntop(from.sa.sa_family
681 , &from.sa_in6.sin6_addr, as, sizeof(as))
682 , ntohs(from.sa_in6.sin6_port));
683 break;
684 }
685
686 for (cm = CMSG_FIRSTHDR(&emh)
687 ; cm != NULL
688 ; cm = CMSG_NXTHDR(&emh,cm))
689 {
690 if (cm->cmsg_level == SOL_IP
691 && cm->cmsg_type == IP_RECVERR)
692 {
693 /* ip(7) and recvmsg(2) specify:
694 * ee_origin is SO_EE_ORIGIN_ICMP for ICMP
695 * or SO_EE_ORIGIN_LOCAL for locally generated errors.
696 * ee_type and ee_code are from the ICMP header.
697 * ee_info is the discovered MTU for EMSGSIZE errors
698 * ee_data is not used.
699 *
700 * ??? recvmsg(2) says "SOCK_EE_OFFENDER" but
701 * means "SO_EE_OFFENDER". The OFFENDER is really
702 * the router that complained. As such, the port
703 * is meaningless.
704 */
705
706 /* ??? cmsg(3) claims that CMSG_DATA returns
707 * void *, but RFC 2292 and /usr/include/bits/socket.h
708 * say unsigned char *. The manual is being fixed.
709 */
710 struct sock_extended_err *ee = (void *)CMSG_DATA(cm);
711 const char *offstr = "unspecified";
712 char offstrspace[INET6_ADDRSTRLEN];
713 char orname[50];
714
715 if (cm->cmsg_len > CMSG_LEN(sizeof(struct sock_extended_err)))
716 {
717 const struct sockaddr *offender = SO_EE_OFFENDER(ee);
718
719 switch (offender->sa_family)
720 {
721 case AF_INET:
722 offstr = inet_ntop(offender->sa_family
723 , &((const struct sockaddr_in *)offender)->sin_addr
724 , offstrspace, sizeof(offstrspace));
725 break;
726 case AF_INET6:
727 offstr = inet_ntop(offender->sa_family
728 , &((const struct sockaddr_in6 *)offender)->sin6_addr
729 , offstrspace, sizeof(offstrspace));
730 break;
731 default:
732 offstr = "unknown";
733 break;
734 }
735 }
736
737 switch (ee->ee_origin)
738 {
739 case SO_EE_ORIGIN_NONE:
740 snprintf(orname, sizeof(orname), "none");
741 break;
742 case SO_EE_ORIGIN_LOCAL:
743 snprintf(orname, sizeof(orname), "local");
744 break;
745 case SO_EE_ORIGIN_ICMP:
746 snprintf(orname, sizeof(orname)
747 , "ICMP type %d code %d (not authenticated)"
748 , ee->ee_type, ee->ee_code
749 );
750 break;
751 case SO_EE_ORIGIN_ICMP6:
752 snprintf(orname, sizeof(orname)
753 , "ICMP6 type %d code %d (not authenticated)"
754 , ee->ee_type, ee->ee_code
755 );
756 break;
757 default:
758 snprintf(orname, sizeof(orname), "invalid origin %lu"
759 , (unsigned long) ee->ee_origin);
760 break;
761 }
762
763 {
764 struct state *old_state = cur_state;
765
766 cur_state = sender;
767
768 /* note dirty trick to suppress ~ at start of format
769 * if we know what state to blame.
770 */
771 if ((packet_len == 1) && (buffer[0] = 0xff)
772 #ifdef DEBUG
773 && ((cur_debugging & DBG_NATT) == 0)
774 #endif
775 ) {
776 /* don't log NAT-T keepalive related errors unless NATT debug is
777 * enabled
778 */
779 }
780 else
781 plog((sender != NULL) + "~"
782 "ERROR: asynchronous network error report on %s"
783 "%s"
784 ", complainant %s"
785 ": %s"
786 " [errno %lu, origin %s"
787 /* ", pad %d, info %ld" */
788 /* ", data %ld" */
789 "]"
790 , ifp->rname
791 , fromstr
792 , offstr
793 , strerror(ee->ee_errno)
794 , (unsigned long) ee->ee_errno
795 , orname
796 /* , ee->ee_pad, (unsigned long)ee->ee_info */
797 /* , (unsigned long)ee->ee_data */
798 );
799 cur_state = old_state;
800 }
801 }
802 else
803 {
804 /* .cmsg_len is a kernel_size_t(!), but the value
805 * certainly ought to fit in an unsigned long.
806 */
807 plog("unknown cmsg: level %d, type %d, len %lu"
808 , cm->cmsg_level, cm->cmsg_type
809 , (unsigned long) cm->cmsg_len);
810 }
811 }
812 }
813 return (pfd.revents & interest) != 0;
814 }
815 #endif /* defined(IP_RECVERR) && defined(MSG_ERRQUEUE) */
816
817 bool
818 send_packet(struct state *st, const char *where)
819 {
820 struct connection *c = st->st_connection;
821 int port_buf;
822 bool err;
823 u_int8_t ike_pkt[MAX_OUTPUT_UDP_SIZE];
824 u_int8_t *ptr;
825 unsigned long len;
826
827 if (c->interface->ike_float && st->st_tpacket.len != 1)
828 {
829 if ((unsigned long) st->st_tpacket.len > (MAX_OUTPUT_UDP_SIZE-sizeof(u_int32_t)))
830 {
831 DBG_log("send_packet(): really too big");
832 return FALSE;
833 }
834 ptr = ike_pkt;
835 /** Add Non-ESP marker **/
836 memset(ike_pkt, 0, sizeof(u_int32_t));
837 memcpy(ike_pkt + sizeof(u_int32_t), st->st_tpacket.ptr,
838 (unsigned long)st->st_tpacket.len);
839 len = (unsigned long) st->st_tpacket.len + sizeof(u_int32_t);
840 }
841 else
842 {
843 ptr = st->st_tpacket.ptr;
844 len = (unsigned long) st->st_tpacket.len;
845 }
846
847 DBG(DBG_RAW,
848 {
849 DBG_log("sending %lu bytes for %s through %s to %s:%u:"
850 , (unsigned long) st->st_tpacket.len
851 , where
852 , c->interface->rname
853 , ip_str(&c->spd.that.host_addr)
854 , (unsigned)c->spd.that.host_port);
855 DBG_dump_chunk(NULL, st->st_tpacket);
856 });
857
858 /* XXX: Not very clean. We manipulate the port of the ip_address to
859 * have a port in the sockaddr*, but we retain the original port
860 * and restore it afterwards.
861 */
862
863 port_buf = portof(&c->spd.that.host_addr);
864 setportof(htons(c->spd.that.host_port), &c->spd.that.host_addr);
865
866 #if defined(IP_RECVERR) && defined(MSG_ERRQUEUE)
867 (void) check_msg_errqueue(c->interface, POLLOUT);
868 #endif /* defined(IP_RECVERR) && defined(MSG_ERRQUEUE) */
869
870 err = sendto(c->interface->fd
871 , ptr, len, 0
872 , sockaddrof(&c->spd.that.host_addr)
873 , sockaddrlenof(&c->spd.that.host_addr)) != (ssize_t)len;
874
875 /* restore port */
876 setportof(port_buf, &c->spd.that.host_addr);
877
878 if (err)
879 {
880 /* do not log NAT-T Keep Alive packets */
881 if (streq(where, "NAT-T Keep Alive"))
882 return FALSE;
883 log_errno((e, "sendto on %s to %s:%u failed in %s"
884 , c->interface->rname
885 , ip_str(&c->spd.that.host_addr)
886 , (unsigned)c->spd.that.host_port
887 , where));
888 return FALSE;
889 }
890 else
891 {
892 return TRUE;
893 }
894 }
895
896 static stf_status
897 unexpected(struct msg_digest *md)
898 {
899 loglog(RC_LOG_SERIOUS, "unexpected message received in state %s"
900 , enum_name(&state_names, md->st->st_state));
901 return STF_IGNORE;
902 }
903
904 static stf_status
905 informational(struct msg_digest *md UNUSED)
906 {
907 struct payload_digest *const n_pld = md->chain[ISAKMP_NEXT_N];
908
909 /* If the Notification Payload is not null... */
910 if (n_pld != NULL)
911 {
912 pb_stream *const n_pbs = &n_pld->pbs;
913 struct isakmp_notification *const n = &n_pld->payload.notification;
914 int disp_len;
915 char disp_buf[200];
916
917 /* Switch on Notification Type (enum) */
918 switch (n->isan_type)
919 {
920 case R_U_THERE:
921 return dpd_inI_outR(md->st, n, n_pbs);
922
923 case R_U_THERE_ACK:
924 return dpd_inR(md->st, n, n_pbs);
925 default:
926 if (pbs_left(n_pbs) >= sizeof(disp_buf)-1)
927 disp_len = sizeof(disp_buf)-1;
928 else
929 disp_len = pbs_left(n_pbs);
930 memcpy(disp_buf, n_pbs->cur, disp_len);
931 disp_buf[disp_len] = '\0';
932 break;
933 }
934 }
935 return STF_IGNORE;
936 }
937
938 /* message digest allocation and deallocation */
939
940 static struct msg_digest *md_pool = NULL;
941
942 /* free_md_pool is only used to avoid leak reports */
943 void
944 free_md_pool(void)
945 {
946 for (;;)
947 {
948 struct msg_digest *md = md_pool;
949
950 if (md == NULL)
951 break;
952 md_pool = md->next;
953 free(md);
954 }
955 }
956
957 static struct msg_digest *
958 malloc_md(void)
959 {
960 struct msg_digest *md = md_pool;
961
962 /* convenient initializer:
963 * - all pointers NULL
964 * - .note = NOTHING_WRONG
965 * - .encrypted = FALSE
966 */
967 static const struct msg_digest blank_md;
968
969 if (md == NULL)
970 {
971 md = malloc_thing(struct msg_digest);
972 zero(md);
973 }
974 else
975 md_pool = md->next;
976
977 *md = blank_md;
978 md->digest_roof = md->digest;
979
980 /* note: although there may be multiple msg_digests at once
981 * (due to suspended state transitions), there is a single
982 * global reply_buffer. It will need to be saved and restored.
983 */
984 init_pbs(&md->reply, reply_buffer, sizeof(reply_buffer), "reply packet");
985
986 return md;
987 }
988
989 void
990 release_md(struct msg_digest *md)
991 {
992 chunk_free(&md->raw_packet);
993 free(md->packet_pbs.start);
994 md->packet_pbs.start = NULL;
995 md->next = md_pool;
996 md_pool = md;
997 }
998
999 /* wrapper for read_packet and process_packet
1000 *
1001 * The main purpose of this wrapper is to factor out teardown code
1002 * from the many return points in process_packet. This amounts to
1003 * releasing the msg_digest and resetting global variables.
1004 *
1005 * When processing of a packet is suspended (STF_SUSPEND),
1006 * process_packet sets md to NULL to prevent the msg_digest being freed.
1007 * Someone else must ensure that msg_digest is freed eventually.
1008 *
1009 * read_packet is broken out to minimize the lifetime of the
1010 * enormous input packet buffer, an auto.
1011 */
1012 void
1013 comm_handle(const struct iface *ifp)
1014 {
1015 static struct msg_digest *md;
1016
1017 #if defined(IP_RECVERR) && defined(MSG_ERRQUEUE)
1018 /* Even though select(2) says that there is a message,
1019 * it might only be a MSG_ERRQUEUE message. At least
1020 * sometimes that leads to a hanging recvfrom. To avoid
1021 * what appears to be a kernel bug, check_msg_errqueue
1022 * uses poll(2) and tells us if there is anything for us
1023 * to read.
1024 *
1025 * This is early enough that teardown isn't required:
1026 * just return on failure.
1027 */
1028 if (!check_msg_errqueue(ifp, POLLIN))
1029 return; /* no normal message to read */
1030 #endif /* defined(IP_RECVERR) && defined(MSG_ERRQUEUE) */
1031
1032 md = malloc_md();
1033 md->iface = ifp;
1034
1035 if (read_packet(md))
1036 process_packet(&md);
1037
1038 if (md != NULL)
1039 release_md(md);
1040
1041 cur_state = NULL;
1042 reset_cur_connection();
1043 cur_from = NULL;
1044 }
1045
1046 /* read the message.
1047 * Since we don't know its size, we read it into
1048 * an overly large buffer and then copy it to a
1049 * new, properly sized buffer.
1050 */
1051 static bool
1052 read_packet(struct msg_digest *md)
1053 {
1054 const struct iface *ifp = md->iface;
1055 int packet_len;
1056 u_int8_t *buffer;
1057 u_int8_t *buffer_nat;
1058 union
1059 {
1060 struct sockaddr sa;
1061 struct sockaddr_in sa_in4;
1062 struct sockaddr_in6 sa_in6;
1063 } from;
1064 int from_len = sizeof(from);
1065 err_t from_ugh = NULL;
1066 static const char undisclosed[] = "unknown source";
1067
1068 happy(anyaddr(addrtypeof(&ifp->addr), &md->sender));
1069 zero(&from.sa);
1070 ioctl(ifp->fd, FIONREAD, &packet_len);
1071 buffer = malloc(packet_len);
1072 packet_len = recvfrom(ifp->fd, buffer, packet_len, 0
1073 , &from.sa, &from_len);
1074
1075 /* First: digest the from address.
1076 * We presume that nothing here disturbs errno.
1077 */
1078 if (packet_len == -1
1079 && from_len == sizeof(from)
1080 && all_zero((const void *)&from.sa, sizeof(from)))
1081 {
1082 /* "from" is untouched -- not set by recvfrom */
1083 from_ugh = undisclosed;
1084 }
1085 else if (from_len
1086 < (int) (offsetof(struct sockaddr, sa_family) + sizeof(from.sa.sa_family)))
1087 {
1088 from_ugh = "truncated";
1089 }
1090 else
1091 {
1092 const struct af_info *afi = aftoinfo(from.sa.sa_family);
1093
1094 if (afi == NULL)
1095 {
1096 from_ugh = "unexpected Address Family";
1097 }
1098 else if (from_len != (int)afi->sa_sz)
1099 {
1100 from_ugh = "wrong length";
1101 }
1102 else
1103 {
1104 switch (from.sa.sa_family)
1105 {
1106 case AF_INET:
1107 from_ugh = initaddr((void *) &from.sa_in4.sin_addr
1108 , sizeof(from.sa_in4.sin_addr), AF_INET, &md->sender);
1109 md->sender_port = ntohs(from.sa_in4.sin_port);
1110 break;
1111 case AF_INET6:
1112 from_ugh = initaddr((void *) &from.sa_in6.sin6_addr
1113 , sizeof(from.sa_in6.sin6_addr), AF_INET6, &md->sender);
1114 md->sender_port = ntohs(from.sa_in6.sin6_port);
1115 break;
1116 }
1117 }
1118 }
1119
1120 /* now we report any actual I/O error */
1121 if (packet_len == -1)
1122 {
1123 if (from_ugh == undisclosed
1124 && errno == ECONNREFUSED)
1125 {
1126 /* Tone down scary message for vague event:
1127 * We get "connection refused" in response to some
1128 * datagram we sent, but we cannot tell which one.
1129 */
1130 plog("some IKE message we sent has been rejected with ECONNREFUSED (kernel supplied no details)");
1131 }
1132 else if (from_ugh != NULL)
1133 {
1134 log_errno((e, "recvfrom on %s failed; Pluto cannot decode source sockaddr in rejection: %s"
1135 , ifp->rname, from_ugh));
1136 }
1137 else
1138 {
1139 log_errno((e, "recvfrom on %s from %s:%u failed"
1140 , ifp->rname
1141 , ip_str(&md->sender), (unsigned)md->sender_port));
1142 }
1143
1144 return FALSE;
1145 }
1146 else if (from_ugh != NULL)
1147 {
1148 plog("recvfrom on %s returned misformed source sockaddr: %s"
1149 , ifp->rname, from_ugh);
1150 return FALSE;
1151 }
1152 cur_from = &md->sender;
1153 cur_from_port = md->sender_port;
1154
1155 if (ifp->ike_float == TRUE)
1156 {
1157 u_int32_t non_esp;
1158
1159 if (packet_len < (int)sizeof(u_int32_t))
1160 {
1161 plog("recvfrom %s:%u too small packet (%d)"
1162 , ip_str(cur_from), (unsigned) cur_from_port, packet_len);
1163 return FALSE;
1164 }
1165 memcpy(&non_esp, buffer, sizeof(u_int32_t));
1166 if (non_esp != 0)
1167 {
1168 plog("recvfrom %s:%u has no Non-ESP marker"
1169 , ip_str(cur_from), (unsigned) cur_from_port);
1170 return FALSE;
1171 }
1172 packet_len -= sizeof(u_int32_t);
1173 buffer_nat = malloc(packet_len);
1174 memcpy(buffer_nat, buffer + sizeof(u_int32_t), packet_len);
1175 free(buffer);
1176 buffer = buffer_nat;
1177 }
1178
1179 /* Clone actual message contents
1180 * and set up md->packet_pbs to describe it.
1181 */
1182 init_pbs(&md->packet_pbs, buffer, packet_len, "packet");
1183
1184 DBG(DBG_RAW | DBG_CRYPT | DBG_PARSING | DBG_CONTROL,
1185 {
1186 DBG_log(BLANK_FORMAT);
1187 DBG_log("*received %d bytes from %s:%u on %s"
1188 , (int) pbs_room(&md->packet_pbs)
1189 , ip_str(cur_from), (unsigned) cur_from_port
1190 , ifp->rname);
1191 });
1192
1193 DBG(DBG_RAW,
1194 DBG_dump("", md->packet_pbs.start, pbs_room(&md->packet_pbs)));
1195
1196 if ((pbs_room(&md->packet_pbs)==1) && (md->packet_pbs.start[0]==0xff))
1197 {
1198 /**
1199 * NAT-T Keep-alive packets should be discarded by kernel ESPinUDP
1200 * layer. But bogus keep-alive packets (sent with a non-esp marker)
1201 * can reach this point. Complain and discard them.
1202 */
1203 DBG(DBG_NATT,
1204 DBG_log("NAT-T keep-alive (bogus ?) should not reach this point. "
1205 "Ignored. Sender: %s:%u", ip_str(cur_from),
1206 (unsigned) cur_from_port);
1207 )
1208 return FALSE;
1209 }
1210
1211 #define IKEV2_VERSION_OFFSET 17
1212 #define IKEV2_VERSION 0x20
1213
1214 /* ignore IKEv2 packets - they will be handled by charon */
1215 if (pbs_room(&md->packet_pbs) > IKEV2_VERSION_OFFSET
1216 && md->packet_pbs.start[IKEV2_VERSION_OFFSET] == IKEV2_VERSION)
1217 {
1218 DBG(DBG_CONTROLMORE,
1219 DBG_log(" ignoring IKEv2 packet")
1220 )
1221 return FALSE;
1222 }
1223
1224 return TRUE;
1225 }
1226
1227 /* process an input packet, possibly generating a reply.
1228 *
1229 * If all goes well, this routine eventually calls a state-specific
1230 * transition function.
1231 */
1232 static void
1233 process_packet(struct msg_digest **mdp)
1234 {
1235 struct msg_digest *md = *mdp;
1236 const struct state_microcode *smc;
1237 bool new_iv_set = FALSE;
1238 bool restore_iv = FALSE;
1239 u_char new_iv[MAX_DIGEST_LEN];
1240 u_int new_iv_len = 0;
1241
1242 struct state *st = NULL;
1243 enum state_kind from_state = STATE_UNDEFINED; /* state we started in */
1244
1245 #define SEND_NOTIFICATION(t) { \
1246 if (st) send_notification_from_state(st, from_state, t); \
1247 else send_notification_from_md(md, t); }
1248
1249 if (!in_struct(&md->hdr, &isakmp_hdr_desc, &md->packet_pbs, &md->message_pbs))
1250 {
1251 /* Identify specific failures:
1252 * - bad ISAKMP major/minor version numbers
1253 */
1254 if (md->packet_pbs.roof - md->packet_pbs.cur >= (ptrdiff_t)isakmp_hdr_desc.size)
1255 {
1256 struct isakmp_hdr *hdr = (struct isakmp_hdr *)md->packet_pbs.cur;
1257 if ((hdr->isa_version >> ISA_MAJ_SHIFT) != ISAKMP_MAJOR_VERSION)
1258 {
1259 SEND_NOTIFICATION(INVALID_MAJOR_VERSION);
1260 return;
1261 }
1262 else if ((hdr->isa_version & ISA_MIN_MASK) != ISAKMP_MINOR_VERSION)
1263 {
1264 SEND_NOTIFICATION(INVALID_MINOR_VERSION);
1265 return;
1266 }
1267 }
1268 SEND_NOTIFICATION(PAYLOAD_MALFORMED);
1269 return;
1270 }
1271
1272 if (md->packet_pbs.roof != md->message_pbs.roof)
1273 {
1274 plog("size (%u) differs from size specified in ISAKMP HDR (%u)"
1275 , (unsigned) pbs_room(&md->packet_pbs), md->hdr.isa_length);
1276 #ifdef CISCO_QUIRKS
1277 if (pbs_room(&md->packet_pbs) - md->hdr.isa_length == 16)
1278 plog("Cisco VPN client appends 16 surplus NULL bytes");
1279 else
1280 #endif
1281 return;
1282 }
1283
1284 switch (md->hdr.isa_xchg)
1285 {
1286 #ifdef NOTYET
1287 case ISAKMP_XCHG_NONE:
1288 case ISAKMP_XCHG_BASE:
1289 #endif
1290
1291 case ISAKMP_XCHG_IDPROT: /* part of a Main Mode exchange */
1292 if (md->hdr.isa_msgid != MAINMODE_MSGID)
1293 {
1294 plog("Message ID was 0x%08lx but should be zero in Main Mode",
1295 (unsigned long) md->hdr.isa_msgid);
1296 SEND_NOTIFICATION(INVALID_MESSAGE_ID);
1297 return;
1298 }
1299
1300 if (is_zero_cookie(md->hdr.isa_icookie))
1301 {
1302 plog("Initiator Cookie must not be zero in Main Mode message");
1303 SEND_NOTIFICATION(INVALID_COOKIE);
1304 return;
1305 }
1306
1307 if (is_zero_cookie(md->hdr.isa_rcookie))
1308 {
1309 /* initial message from initiator
1310 * ??? what if this is a duplicate of another message?
1311 */
1312 if (md->hdr.isa_flags & ISAKMP_FLAG_ENCRYPTION)
1313 {
1314 plog("initial Main Mode message is invalid:"
1315 " its Encrypted Flag is on");
1316 SEND_NOTIFICATION(INVALID_FLAGS);
1317 return;
1318 }
1319
1320 /* don't build a state until the message looks tasty */
1321 from_state = STATE_MAIN_R0;
1322 }
1323 else
1324 {
1325 /* not an initial message */
1326
1327 st = find_state(md->hdr.isa_icookie, md->hdr.isa_rcookie
1328 , &md->sender, md->hdr.isa_msgid);
1329
1330 if (st == NULL)
1331 {
1332 /* perhaps this is a first message from the responder
1333 * and contains a responder cookie that we've not yet seen.
1334 */
1335 st = find_state(md->hdr.isa_icookie, zero_cookie
1336 , &md->sender, md->hdr.isa_msgid);
1337
1338 if (st == NULL)
1339 {
1340 plog("Main Mode message is part of an unknown exchange");
1341 /* XXX Could send notification back */
1342 return;
1343 }
1344 }
1345 set_cur_state(st);
1346 from_state = st->st_state;
1347 }
1348 break;
1349
1350 #ifdef NOTYET
1351 case ISAKMP_XCHG_AO:
1352 case ISAKMP_XCHG_AGGR:
1353 #endif
1354
1355 case ISAKMP_XCHG_INFO: /* an informational exchange */
1356 st = find_state(md->hdr.isa_icookie, md->hdr.isa_rcookie
1357 , &md->sender, MAINMODE_MSGID);
1358
1359 if (st != NULL)
1360 set_cur_state(st);
1361
1362 if (md->hdr.isa_flags & ISAKMP_FLAG_ENCRYPTION)
1363 {
1364 if (st == NULL)
1365 {
1366 plog("Informational Exchange is for an unknown (expired?) SA");
1367 /* XXX Could send notification back */
1368 return;
1369 }
1370
1371 if (!IS_ISAKMP_ENCRYPTED(st->st_state))
1372 {
1373 loglog(RC_LOG_SERIOUS, "encrypted Informational Exchange message is invalid"
1374 " because no key is known");
1375 /* XXX Could send notification back */
1376 return;
1377 }
1378
1379 if (md->hdr.isa_msgid == MAINMODE_MSGID)
1380 {
1381 loglog(RC_LOG_SERIOUS, "Informational Exchange message is invalid because"
1382 " it has a Message ID of 0");
1383 /* XXX Could send notification back */
1384 return;
1385 }
1386
1387 if (!reserve_msgid(st, md->hdr.isa_msgid))
1388 {
1389 loglog(RC_LOG_SERIOUS, "Informational Exchange message is invalid because"
1390 " it has a previously used Message ID (0x%08lx)"
1391 , (unsigned long)md->hdr.isa_msgid);
1392 /* XXX Could send notification back */
1393 return;
1394 }
1395
1396 if (!IS_ISAKMP_SA_ESTABLISHED(st->st_state))
1397 {
1398 memcpy(st->st_ph1_iv, st->st_new_iv, st->st_new_iv_len);
1399 st->st_ph1_iv_len = st->st_new_iv_len;
1400
1401 /* backup new_iv */
1402 new_iv_len = st->st_new_iv_len;
1403 passert(new_iv_len <= MAX_DIGEST_LEN)
1404 memcpy(new_iv, st->st_new_iv, new_iv_len);
1405 restore_iv = TRUE;
1406 }
1407 init_phase2_iv(st, &md->hdr.isa_msgid);
1408 new_iv_set = TRUE;
1409
1410 from_state = STATE_INFO_PROTECTED;
1411 }
1412 else
1413 {
1414 if (st != NULL && IS_ISAKMP_ENCRYPTED(st->st_state))
1415 {
1416 loglog(RC_LOG_SERIOUS, "Informational Exchange message"
1417 " must be encrypted");
1418 /* XXX Could send notification back */
1419 return;
1420 }
1421 from_state = STATE_INFO;
1422 }
1423 break;
1424
1425 case ISAKMP_XCHG_QUICK: /* part of a Quick Mode exchange */
1426 if (is_zero_cookie(md->hdr.isa_icookie))
1427 {
1428 plog("Quick Mode message is invalid because"
1429 " it has an Initiator Cookie of 0");
1430 SEND_NOTIFICATION(INVALID_COOKIE);
1431 return;
1432 }
1433
1434 if (is_zero_cookie(md->hdr.isa_rcookie))
1435 {
1436 plog("Quick Mode message is invalid because"
1437 " it has a Responder Cookie of 0");
1438 SEND_NOTIFICATION(INVALID_COOKIE);
1439 return;
1440 }
1441
1442 if (md->hdr.isa_msgid == MAINMODE_MSGID)
1443 {
1444 plog("Quick Mode message is invalid because"
1445 " it has a Message ID of 0");
1446 SEND_NOTIFICATION(INVALID_MESSAGE_ID);
1447 return;
1448 }
1449
1450 st = find_state(md->hdr.isa_icookie, md->hdr.isa_rcookie
1451 , &md->sender, md->hdr.isa_msgid);
1452
1453 if (st == NULL)
1454 {
1455 /* No appropriate Quick Mode state.
1456 * See if we have a Main Mode state.
1457 * ??? what if this is a duplicate of another message?
1458 */
1459 st = find_state(md->hdr.isa_icookie, md->hdr.isa_rcookie
1460 , &md->sender, MAINMODE_MSGID);
1461
1462 if (st == NULL)
1463 {
1464 plog("Quick Mode message is for a non-existent (expired?)"
1465 " ISAKMP SA");
1466 /* XXX Could send notification back */
1467 return;
1468 }
1469
1470 set_cur_state(st);
1471
1472 if (!IS_ISAKMP_SA_ESTABLISHED(st->st_state))
1473 {
1474 loglog(RC_LOG_SERIOUS, "Quick Mode message is unacceptable because"
1475 " it is for an incomplete ISAKMP SA");
1476 SEND_NOTIFICATION(PAYLOAD_MALFORMED /* XXX ? */);
1477 return;
1478 }
1479
1480 /* only accept this new Quick Mode exchange if it has a unique message ID */
1481 if (!reserve_msgid(st, md->hdr.isa_msgid))
1482 {
1483 loglog(RC_LOG_SERIOUS, "Quick Mode I1 message is unacceptable because"
1484 " it uses a previously used Message ID 0x%08lx"
1485 " (perhaps this is a duplicated packet)"
1486 , (unsigned long) md->hdr.isa_msgid);
1487 SEND_NOTIFICATION(INVALID_MESSAGE_ID);
1488 return;
1489 }
1490
1491 /* Quick Mode Initial IV */
1492 init_phase2_iv(st, &md->hdr.isa_msgid);
1493 new_iv_set = TRUE;
1494
1495 from_state = STATE_QUICK_R0;
1496 }
1497 else
1498 {
1499 set_cur_state(st);
1500 from_state = st->st_state;
1501 }
1502
1503 break;
1504
1505 case ISAKMP_XCHG_MODE_CFG:
1506 if (is_zero_cookie(md->hdr.isa_icookie))
1507 {
1508 plog("ModeCfg message is invalid because"
1509 " it has an Initiator Cookie of 0");
1510 /* XXX Could send notification back */
1511 return;
1512 }
1513
1514 if (is_zero_cookie(md->hdr.isa_rcookie))
1515 {
1516 plog("ModeCfg message is invalid because"
1517 " it has a Responder Cookie of 0");
1518 /* XXX Could send notification back */
1519 return;
1520 }
1521
1522 if (md->hdr.isa_msgid == 0)
1523 {
1524 plog("ModeCfg message is invalid because"
1525 " it has a Message ID of 0");
1526 /* XXX Could send notification back */
1527 return;
1528 }
1529
1530 st = find_state(md->hdr.isa_icookie, md->hdr.isa_rcookie
1531 , &md->sender, md->hdr.isa_msgid);
1532
1533 if (st == NULL)
1534 {
1535 bool has_xauth_policy;
1536
1537 /* No appropriate ModeCfg state.
1538 * See if we have a Main Mode state.
1539 * ??? what if this is a duplicate of another message?
1540 */
1541 st = find_state(md->hdr.isa_icookie, md->hdr.isa_rcookie
1542 , &md->sender, 0);
1543
1544 if (st == NULL)
1545 {
1546 plog("ModeCfg message is for a non-existent (expired?)"
1547 " ISAKMP SA");
1548 /* XXX Could send notification back */
1549 return;
1550 }
1551
1552 set_cur_state(st);
1553
1554 /* the XAUTH_STATUS message might have a new msgid */
1555 if (st->st_state == STATE_XAUTH_I1)
1556 {
1557 init_phase2_iv(st, &md->hdr.isa_msgid);
1558 new_iv_set = TRUE;
1559 from_state = st->st_state;
1560 break;
1561 }
1562
1563 if (!IS_ISAKMP_SA_ESTABLISHED(st->st_state))
1564 {
1565 loglog(RC_LOG_SERIOUS, "ModeCfg message is unacceptable because"
1566 " it is for an incomplete ISAKMP SA (state=%s)"
1567 , enum_name(&state_names, st->st_state));
1568 /* XXX Could send notification back */
1569 return;
1570 }
1571 init_phase2_iv(st, &md->hdr.isa_msgid);
1572 new_iv_set = TRUE;
1573
1574 /*
1575 * okay, now we have to figure out if we are receiving a bogus
1576 * new message in an oustanding XAUTH server conversation
1577 * (i.e. a reply to our challenge)
1578 * (this occurs with some broken other implementations).
1579 *
1580 * or if receiving for the first time, an XAUTH challenge.
1581 *
1582 * or if we are getting a MODECFG request.
1583 *
1584 * we distinguish these states because we can not both be an
1585 * XAUTH server and client, and our policy tells us which
1586 * one we are.
1587 *
1588 * to complicate further, it is normal to start a new msgid
1589 * when going from one state to another, or when restarting
1590 * the challenge.
1591 *
1592 */
1593
1594 has_xauth_policy = (st->st_connection->policy
1595 & (POLICY_XAUTH_RSASIG | POLICY_XAUTH_PSK))
1596 != LEMPTY;
1597
1598 if (has_xauth_policy && !st->st_xauth.started
1599 && IS_PHASE1(st->st_state))
1600 {
1601 from_state = STATE_XAUTH_I0;
1602 }
1603 else if (st->st_connection->spd.that.modecfg
1604 && IS_PHASE1(st->st_state))
1605 {
1606 from_state = STATE_MODE_CFG_R0;
1607 }
1608 else if (st->st_connection->spd.this.modecfg
1609 && IS_PHASE1(st->st_state))
1610 {
1611 from_state = STATE_MODE_CFG_I0;
1612 }
1613 else
1614 {
1615 /* XXX check if we are being a mode config server here */
1616 plog("received ModeCfg message when in state %s, and we aren't mode config client"
1617 , enum_name(&state_names, st->st_state));
1618 return;
1619 }
1620 }
1621 else
1622 {
1623 set_cur_state(st);
1624 from_state = st->st_state;
1625 }
1626 break;
1627
1628 #ifdef NOTYET
1629 case ISAKMP_XCHG_NGRP:
1630 case ISAKMP_XCHG_ACK_INFO:
1631 #endif
1632
1633 default:
1634 plog("unsupported exchange type %s in message"
1635 , enum_show(&exchange_names, md->hdr.isa_xchg));
1636 SEND_NOTIFICATION(UNSUPPORTED_EXCHANGE_TYPE);
1637 return;
1638 }
1639
1640 /* We have found a from_state, and perhaps a state object.
1641 * If we need to build a new state object,
1642 * we wait until the packet has been sanity checked.
1643 */
1644
1645 /* We don't support the Commit Flag. It is such a bad feature.
1646 * It isn't protected -- neither encrypted nor authenticated.
1647 * A man in the middle turns it on, leading to DoS.
1648 * We just ignore it, with a warning.
1649 * By placing the check here, we could easily add a policy bit
1650 * to a connection to suppress the warning. This might be useful
1651 * because the Commit Flag is expected from some peers.
1652 */
1653 if (md->hdr.isa_flags & ISAKMP_FLAG_COMMIT)
1654 {
1655 plog("IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag");
1656 }
1657
1658 /* Set smc to describe this state's properties.
1659 * Look up the appropriate microcode based on state and
1660 * possibly Oakley Auth type.
1661 */
1662 passert(STATE_IKE_FLOOR <= from_state && from_state <= STATE_IKE_ROOF);
1663 smc = ike_microcode_index[from_state - STATE_IKE_FLOOR];
1664
1665 if (st != NULL)
1666 {
1667 u_int16_t auth;
1668
1669 switch (st->st_oakley.auth)
1670 {
1671 case XAUTHInitPreShared:
1672 case XAUTHRespPreShared:
1673 auth = OAKLEY_PRESHARED_KEY;
1674 break;
1675 case XAUTHInitRSA:
1676 case XAUTHRespRSA:
1677 auth = OAKLEY_RSA_SIG;
1678 break;
1679 default:
1680 auth = st->st_oakley.auth;
1681 }
1682
1683 while (!LHAS(smc->flags, auth))
1684 {
1685 smc++;
1686 passert(smc->state == from_state);
1687 }
1688 }
1689
1690 /* Ignore a packet if the state has a suspended state transition
1691 * Probably a duplicated packet but the original packet is not yet
1692 * recorded in st->st_rpacket, so duplicate checking won't catch.
1693 * ??? Should the packet be recorded earlier to improve diagnosis?
1694 */
1695 if (st != NULL && st->st_suspended_md != NULL)
1696 {
1697 loglog(RC_LOG, "discarding packet received during DNS lookup in %s"
1698 , enum_name(&state_names, st->st_state));
1699 return;
1700 }
1701
1702 /* Detect and handle duplicated packets.
1703 * This won't work for the initial packet of an exchange
1704 * because we won't have a state object to remember it.
1705 * If we are in a non-receiving state (terminal), and the preceding
1706 * state did transmit, then the duplicate may indicate that that
1707 * transmission wasn't received -- retransmit it.
1708 * Otherwise, just discard it.
1709 * ??? Notification packets are like exchanges -- I hope that
1710 * they are idempotent!
1711 */
1712 if (st != NULL
1713 && st->st_rpacket.ptr != NULL
1714 && st->st_rpacket.len == pbs_room(&md->packet_pbs)
1715 && memeq(st->st_rpacket.ptr, md->packet_pbs.start, st->st_rpacket.len))
1716 {
1717 if (smc->flags & SMF_RETRANSMIT_ON_DUPLICATE)
1718 {
1719 if (st->st_retransmit < MAXIMUM_RETRANSMISSIONS)
1720 {
1721 st->st_retransmit++;
1722 loglog(RC_RETRANSMISSION
1723 , "retransmitting in response to duplicate packet; already %s"
1724 , enum_name(&state_names, st->st_state));
1725 send_packet(st, "retransmit in response to duplicate");
1726 }
1727 else
1728 {
1729 loglog(RC_LOG_SERIOUS, "discarding duplicate packet -- exhausted retransmission; already %s"
1730 , enum_name(&state_names, st->st_state));
1731 }
1732 }
1733 else
1734 {
1735 loglog(RC_LOG_SERIOUS, "discarding duplicate packet; already %s"
1736 , enum_name(&state_names, st->st_state));
1737 }
1738 return;
1739 }
1740
1741 if (md->hdr.isa_flags & ISAKMP_FLAG_ENCRYPTION)
1742 {
1743 DBG(DBG_CRYPT, DBG_log("received encrypted packet from %s:%u"
1744 , ip_str(&md->sender), (unsigned)md->sender_port));
1745
1746 if (st == NULL)
1747 {
1748 plog("discarding encrypted message for an unknown ISAKMP SA");
1749 SEND_NOTIFICATION(PAYLOAD_MALFORMED /* XXX ? */);
1750 return;
1751 }
1752 if (st->st_skeyid_e.ptr == (u_char *) NULL)
1753 {
1754 loglog(RC_LOG_SERIOUS, "discarding encrypted message"
1755 " because we haven't yet negotiated keying materiel");
1756 SEND_NOTIFICATION(INVALID_FLAGS);
1757 return;
1758 }
1759
1760 /* Mark as encrypted */
1761 md->encrypted = TRUE;
1762
1763 DBG(DBG_CRYPT, DBG_log("decrypting %u bytes using algorithm %s"
1764 , (unsigned) pbs_left(&md->message_pbs)
1765 , enum_show(&oakley_enc_names, st->st_oakley.encrypt)));
1766
1767 /* do the specified decryption
1768 *
1769 * IV is from st->st_iv or (if new_iv_set) st->st_new_iv.
1770 * The new IV is placed in st->st_new_iv
1771 *
1772 * See RFC 2409 "IKE" Appendix B
1773 *
1774 * XXX The IV should only be updated really if the packet
1775 * is successfully processed.
1776 * We should keep this value, check for a success return
1777 * value from the parsing routines and then replace.
1778 *
1779 * Each post phase 1 exchange generates IVs from
1780 * the last phase 1 block, not the last block sent.
1781 */
1782 {
1783 const struct encrypt_desc *e = st->st_oakley.encrypter;
1784
1785 if (pbs_left(&md->message_pbs) % e->enc_blocksize != 0)
1786 {
1787 loglog(RC_LOG_SERIOUS, "malformed message: not a multiple of encryption blocksize");
1788 SEND_NOTIFICATION(PAYLOAD_MALFORMED);
1789 return;
1790 }
1791
1792 /* XXX Detect weak keys */
1793
1794 /* grab a copy of raw packet (for duplicate packet detection) */
1795 md->raw_packet = chunk_create(md->packet_pbs.start, pbs_room(&md->packet_pbs));
1796 md->raw_packet = chunk_clone(md->raw_packet);
1797
1798 /* Decrypt everything after header */
1799 if (!new_iv_set)
1800 {
1801 /* use old IV */
1802 passert(st->st_iv_len <= sizeof(st->st_new_iv));
1803 st->st_new_iv_len = st->st_iv_len;
1804 memcpy(st->st_new_iv, st->st_iv, st->st_new_iv_len);
1805 }
1806 crypto_cbc_encrypt(e, FALSE, md->message_pbs.cur,
1807 pbs_left(&md->message_pbs) , st);
1808 if (restore_iv)
1809 {
1810 memcpy(st->st_new_iv, new_iv, new_iv_len);
1811 st->st_new_iv_len = new_iv_len;
1812 }
1813 }
1814
1815 DBG_cond_dump(DBG_CRYPT, "decrypted:\n", md->message_pbs.cur
1816 , md->message_pbs.roof - md->message_pbs.cur);
1817
1818 DBG_cond_dump(DBG_CRYPT, "next IV:"
1819 , st->st_new_iv, st->st_new_iv_len);
1820 }
1821 else
1822 {
1823 /* packet was not encryped -- should it have been? */
1824
1825 if (smc->flags & SMF_INPUT_ENCRYPTED)
1826 {
1827 loglog(RC_LOG_SERIOUS, "packet rejected: should have been encrypted");
1828 SEND_NOTIFICATION(INVALID_FLAGS);
1829 return;
1830 }
1831 }
1832
1833 /* Digest the message.
1834 * Padding must be removed to make hashing work.
1835 * Padding comes from encryption (so this code must be after decryption).
1836 * Padding rules are described before the definition of
1837 * struct isakmp_hdr in packet.h.
1838 */
1839 {
1840 struct payload_digest *pd = md->digest;
1841 int np = md->hdr.isa_np;
1842 lset_t needed = smc->req_payloads;
1843 const char *excuse
1844 = LIN(SMF_PSK_AUTH | SMF_FIRST_ENCRYPTED_INPUT, smc->flags)
1845 ? "probable authentication failure (mismatch of preshared secrets?): "
1846 : "";
1847
1848 while (np != ISAKMP_NEXT_NONE)
1849 {
1850 struct_desc *sd = np < ISAKMP_NEXT_ROOF? payload_descs[np] : NULL;
1851
1852 if (pd == &md->digest[PAYLIMIT])
1853 {
1854 loglog(RC_LOG_SERIOUS, "more than %d payloads in message; ignored", PAYLIMIT);
1855 SEND_NOTIFICATION(PAYLOAD_MALFORMED);
1856 return;
1857 }
1858
1859 switch (np)
1860 {
1861 case ISAKMP_NEXT_NATD_RFC:
1862 case ISAKMP_NEXT_NATOA_RFC:
1863 if (!st || !(st->nat_traversal & NAT_T_WITH_RFC_VALUES))
1864 {
1865 /*
1866 * don't accept NAT-D/NAT-OA reloc directly in message, unless
1867 * we're using NAT-T RFC
1868 */
1869 sd = NULL;
1870 }
1871 break;
1872 }
1873
1874 if (sd == NULL)
1875 {
1876 /* payload type is out of range or requires special handling */
1877 switch (np)
1878 {
1879 case ISAKMP_NEXT_ID:
1880 sd = IS_PHASE1(from_state)
1881 ? &isakmp_identification_desc : &isakmp_ipsec_identification_desc;
1882 break;
1883 case ISAKMP_NEXT_NATD_DRAFTS:
1884 np = ISAKMP_NEXT_NATD_RFC; /* NAT-D relocated */
1885 sd = payload_descs[np];
1886 break;
1887 case ISAKMP_NEXT_NATOA_DRAFTS:
1888 np = ISAKMP_NEXT_NATOA_RFC; /* NAT-OA relocated */
1889 sd = payload_descs[np];
1890 break;
1891 default:
1892 loglog(RC_LOG_SERIOUS, "%smessage ignored because it contains an unknown or"
1893 " unexpected payload type (%s) at the outermost level"
1894 , excuse, enum_show(&payload_names, np));
1895 SEND_NOTIFICATION(INVALID_PAYLOAD_TYPE);
1896 return;
1897 }
1898 }
1899
1900 {
1901 lset_t s = LELEM(np);
1902
1903 if (LDISJOINT(s
1904 , needed | smc->opt_payloads| LELEM(ISAKMP_NEXT_N) | LELEM(ISAKMP_NEXT_D)))
1905 {
1906 loglog(RC_LOG_SERIOUS, "%smessage ignored because it "
1907 "contains an unexpected payload type (%s)"
1908 , excuse, enum_show(&payload_names, np));
1909 SEND_NOTIFICATION(INVALID_PAYLOAD_TYPE);
1910 return;
1911 }
1912 needed &= ~s;
1913 }
1914
1915 if (!in_struct(&pd->payload, sd, &md->message_pbs, &pd->pbs))
1916 {
1917 loglog(RC_LOG_SERIOUS, "%smalformed payload in packet", excuse);
1918 if (md->hdr.isa_xchg != ISAKMP_XCHG_INFO)
1919 SEND_NOTIFICATION(PAYLOAD_MALFORMED);
1920 return;
1921 }
1922
1923 /* place this payload at the end of the chain for this type */
1924 {
1925 struct payload_digest **p;
1926
1927 for (p = &md->chain[np]; *p != NULL; p = &(*p)->next)
1928 ;
1929 *p = pd;
1930 pd->next = NULL;
1931 }
1932
1933 np = pd->payload.generic.isag_np;
1934 pd++;
1935
1936 /* since we've digested one payload happily, it is probably
1937 * the case that any decryption worked. So we will not suggest
1938 * encryption failure as an excuse for subsequent payload
1939 * problems.
1940 */
1941 excuse = "";
1942 }
1943
1944 md->digest_roof = pd;
1945
1946 DBG(DBG_PARSING,
1947 if (pbs_left(&md->message_pbs) != 0)
1948 DBG_log("removing %d bytes of padding", (int) pbs_left(&md->message_pbs)));
1949
1950 md->message_pbs.roof = md->message_pbs.cur;
1951
1952 /* check that all mandatory payloads appeared */
1953
1954 if (needed != 0)
1955 {
1956 loglog(RC_LOG_SERIOUS, "message for %s is missing payloads %s"
1957 , enum_show(&state_names, from_state)
1958 , bitnamesof(payload_name, needed));
1959 SEND_NOTIFICATION(PAYLOAD_MALFORMED);
1960 return;
1961 }
1962 }
1963
1964 /* more sanity checking: enforce most ordering constraints */
1965
1966 if (IS_PHASE1(from_state))
1967 {
1968 /* rfc2409: The Internet Key Exchange (IKE), 5 Exchanges:
1969 * "The SA payload MUST precede all other payloads in a phase 1 exchange."
1970 */
1971 if (md->chain[ISAKMP_NEXT_SA] != NULL
1972 && md->hdr.isa_np != ISAKMP_NEXT_SA)
1973 {
1974 loglog(RC_LOG_SERIOUS, "malformed Phase 1 message: does not start with an SA payload");
1975 SEND_NOTIFICATION(PAYLOAD_MALFORMED);
1976 return;
1977 }
1978 }
1979 else if (IS_QUICK(from_state))
1980 {
1981 /* rfc2409: The Internet Key Exchange (IKE), 5.5 Phase 2 - Quick Mode
1982 *
1983 * "In Quick Mode, a HASH payload MUST immediately follow the ISAKMP
1984 * header and a SA payload MUST immediately follow the HASH."
1985 * [NOTE: there may be more than one SA payload, so this is not
1986 * totally reasonable. Probably all SAs should be so constrained.]
1987 *
1988 * "If ISAKMP is acting as a client negotiator on behalf of another
1989 * party, the identities of the parties MUST be passed as IDci and
1990 * then IDcr."
1991 *
1992 * "With the exception of the HASH, SA, and the optional ID payloads,
1993 * there are no payload ordering restrictions on Quick Mode."
1994 */
1995
1996 if (md->hdr.isa_np != ISAKMP_NEXT_HASH)
1997 {
1998 loglog(RC_LOG_SERIOUS, "malformed Quick Mode message: does not start with a HASH payload");
1999 SEND_NOTIFICATION(PAYLOAD_MALFORMED);
2000 return;
2001 }
2002
2003 {
2004 struct payload_digest *p;
2005 int i;
2006
2007 for (p = md->chain[ISAKMP_NEXT_SA], i = 1; p != NULL
2008 ; p = p->next, i++)
2009 {
2010 if (p != &md->digest[i])
2011 {
2012 loglog(RC_LOG_SERIOUS, "malformed Quick Mode message: SA payload is in wrong position");
2013 SEND_NOTIFICATION(PAYLOAD_MALFORMED);
2014 return;
2015 }
2016 }
2017 }
2018
2019 /* rfc2409: The Internet Key Exchange (IKE), 5.5 Phase 2 - Quick Mode:
2020 * "If ISAKMP is acting as a client negotiator on behalf of another
2021 * party, the identities of the parties MUST be passed as IDci and
2022 * then IDcr."
2023 */
2024 {
2025 struct payload_digest *id = md->chain[ISAKMP_NEXT_ID];
2026
2027 if (id != NULL)
2028 {
2029 if (id->next == NULL || id->next->next != NULL)
2030 {
2031 loglog(RC_LOG_SERIOUS, "malformed Quick Mode message:"
2032 " if any ID payload is present,"
2033 " there must be exactly two");
2034 SEND_NOTIFICATION(PAYLOAD_MALFORMED);
2035 return;
2036 }
2037 if (id+1 != id->next)
2038 {
2039 loglog(RC_LOG_SERIOUS, "malformed Quick Mode message:"
2040 " the ID payloads are not adjacent");
2041 SEND_NOTIFICATION(PAYLOAD_MALFORMED);
2042 return;
2043 }
2044 }
2045 }
2046 }
2047
2048 /* Ignore payloads that we don't handle:
2049 * Delete, Notification, VendorID
2050 */
2051 /* XXX Handle deletions */
2052 /* XXX Handle Notifications */
2053 /* XXX Handle VID payloads */
2054 {
2055 struct payload_digest *p;
2056
2057 for (p = md->chain[ISAKMP_NEXT_N]; p != NULL; p = p->next)
2058 {
2059 if (p->payload.notification.isan_type != R_U_THERE
2060 && p->payload.notification.isan_type != R_U_THERE_ACK)
2061 {
2062 loglog(RC_LOG_SERIOUS, "ignoring informational payload, type %s"
2063 , enum_show(&notification_names, p->payload.notification.isan_type));
2064 }
2065 DBG_cond_dump(DBG_PARSING, "info:", p->pbs.cur, pbs_left(&p->pbs));
2066 }
2067
2068 for (p = md->chain[ISAKMP_NEXT_D]; p != NULL; p = p->next)
2069 {
2070 accept_delete(st, md, p);
2071 DBG_cond_dump(DBG_PARSING, "del:", p->pbs.cur, pbs_left(&p->pbs));
2072 }
2073
2074 for (p = md->chain[ISAKMP_NEXT_VID]; p != NULL; p = p->next)
2075 {
2076 handle_vendorid(md, p->pbs.cur, pbs_left(&p->pbs));
2077 }
2078 }
2079 md->from_state = from_state;
2080 md->smc = smc;
2081 md->st = st;
2082
2083 /* possibly fill in hdr */
2084 if (smc->first_out_payload != ISAKMP_NEXT_NONE)
2085 echo_hdr(md, (smc->flags & SMF_OUTPUT_ENCRYPTED) != 0
2086 , smc->first_out_payload);
2087
2088 complete_state_transition(mdp, smc->processor(md));
2089 }
2090
2091 /* complete job started by the state-specific state transition function */
2092
2093 void
2094 complete_state_transition(struct msg_digest **mdp, stf_status result)
2095 {
2096 bool has_xauth_policy;
2097 bool is_xauth_server;
2098 struct msg_digest *md = *mdp;
2099 const struct state_microcode *smc = md->smc;
2100 enum state_kind from_state = md->from_state;
2101 struct state *st;
2102
2103 cur_state = st = md->st; /* might have changed */
2104
2105 /* If state has DPD support, import it */
2106 if (st && md->dpd)
2107 st->st_dpd = TRUE;
2108
2109 switch (result)
2110 {
2111 case STF_IGNORE:
2112 break;
2113
2114 case STF_SUSPEND:
2115 /* the stf didn't complete its job: don't relase md */
2116 *mdp = NULL;
2117 break;
2118
2119 case STF_OK:
2120 /* advance the state */
2121 st->st_state = smc->next_state;
2122
2123 /* Delete previous retransmission event.
2124 * New event will be scheduled below.
2125 */
2126 delete_event(st);
2127
2128 /* replace previous receive packet with latest */
2129
2130 free(st->st_rpacket.ptr);
2131
2132 if (md->encrypted)
2133 {
2134 /* if encrypted, duplication already done */
2135 st->st_rpacket = md->raw_packet;
2136 md->raw_packet.ptr = NULL;
2137 }
2138 else
2139 {
2140 st->st_rpacket = chunk_create(md->packet_pbs.start,
2141 pbs_room(&md->packet_pbs));
2142 st->st_rpacket = chunk_clone(st->st_rpacket);
2143 }
2144
2145 /* free previous transmit packet */
2146 chunk_free(&st->st_tpacket);
2147
2148 /* if requested, send the new reply packet */
2149 if (smc->flags & SMF_REPLY)
2150 {
2151 close_output_pbs(&md->reply); /* good form, but actually a no-op */
2152
2153 st->st_tpacket = chunk_create(md->reply.start, pbs_offset(&md->reply));
2154 st->st_tpacket = chunk_clone(st->st_tpacket);
2155
2156 if (nat_traversal_enabled)
2157 nat_traversal_change_port_lookup(md, md->st);
2158
2159 /* actually send the packet
2160 * Note: this is a great place to implement "impairments"
2161 * for testing purposes. Suppress or duplicate the
2162 * send_packet call depending on st->st_state.
2163 */
2164 send_packet(st, enum_name(&state_names, from_state));
2165 }
2166
2167 /* Schedule for whatever timeout is specified */
2168 {
2169 time_t delay = UNDEFINED_TIME;
2170 enum event_type kind = smc->timeout_event;
2171 bool agreed_time = FALSE;
2172 struct connection *c = st->st_connection;
2173
2174 switch (kind)
2175 {
2176 case EVENT_RETRANSMIT: /* Retransmit packet */
2177 delay = EVENT_RETRANSMIT_DELAY_0;
2178 break;
2179
2180 case EVENT_SA_REPLACE: /* SA replacement event */
2181 if (IS_PHASE1(st->st_state))
2182 {
2183 /* Note: we will defer to the "negotiated" (dictated)
2184 * lifetime if we are POLICY_DONT_REKEY.
2185 * This allows the other side to dictate
2186 * a time we would not otherwise accept
2187 * but it prevents us from having to initiate
2188 * rekeying. The negative consequences seem
2189 * minor.
2190 */
2191 delay = c->sa_ike_life_seconds;
2192 if ((c->policy & POLICY_DONT_REKEY)
2193 || delay >= st->st_oakley.life_seconds)
2194 {
2195 agreed_time = TRUE;
2196 delay = st->st_oakley.life_seconds;
2197 }
2198 }
2199 else
2200 {
2201 /* Delay is min of up to four things:
2202 * each can limit the lifetime.
2203 */
2204 delay = c->sa_ipsec_life_seconds;
2205 if (st->st_ah.present
2206 && delay >= st->st_ah.attrs.life_seconds)
2207 {
2208 agreed_time = TRUE;
2209 delay = st->st_ah.attrs.life_seconds;
2210 }
2211 if (st->st_esp.present
2212 && delay >= st->st_esp.attrs.life_seconds)
2213 {
2214 agreed_time = TRUE;
2215 delay = st->st_esp.attrs.life_seconds;
2216 }
2217 if (st->st_ipcomp.present
2218 && delay >= st->st_ipcomp.attrs.life_seconds)
2219 {
2220 agreed_time = TRUE;
2221 delay = st->st_ipcomp.attrs.life_seconds;
2222 }
2223 }
2224
2225 /* By default, we plan to rekey.
2226 *
2227 * If there isn't enough time to rekey, plan to
2228 * expire.
2229 *
2230 * If we are --dontrekey, a lot more rules apply.
2231 * If we are the Initiator, use REPLACE_IF_USED.
2232 * If we are the Responder, and the dictated time
2233 * was unacceptable (too large), plan to REPLACE
2234 * (the only way to ratchet down the time).
2235 * If we are the Responder, and the dictated time
2236 * is acceptable, plan to EXPIRE.
2237 *
2238 * Important policy lies buried here.
2239 * For example, we favour the initiator over the
2240 * responder by making the initiator start rekeying
2241 * sooner. Also, fuzz is only added to the
2242 * initiator's margin.
2243 *
2244 * Note: for ISAKMP SA, we let the negotiated
2245 * time stand (implemented by earlier logic).
2246 */
2247 if (agreed_time
2248 && (c->policy & POLICY_DONT_REKEY))
2249 {
2250 kind = (smc->flags & SMF_INITIATOR)
2251 ? EVENT_SA_REPLACE_IF_USED
2252 : EVENT_SA_EXPIRE;
2253 }
2254 if (kind != EVENT_SA_EXPIRE)
2255 {
2256 unsigned long marg = c->sa_rekey_margin;
2257
2258 if (smc->flags & SMF_INITIATOR)
2259 marg += marg
2260 * c->sa_rekey_fuzz / 100.E0
2261 * (rand() / (RAND_MAX + 1.E0));
2262 else
2263 marg /= 2;
2264
2265 if ((unsigned long)delay > marg)
2266 {
2267 delay -= marg;
2268 st->st_margin = marg;
2269 }
2270 else
2271 {
2272 kind = EVENT_SA_EXPIRE;
2273 }
2274 }
2275 break;
2276
2277 case EVENT_NULL: /* non-event */
2278 case EVENT_REINIT_SECRET: /* Refresh cookie secret */
2279 default:
2280 bad_case(kind);
2281 }
2282 event_schedule(kind, delay, st);
2283 }
2284
2285 /* tell whack and log of progress */
2286 {
2287 const char *story = state_story[st->st_state - STATE_MAIN_R0];
2288 enum rc_type w = RC_NEW_STATE + st->st_state;
2289 char sadetails[128];
2290
2291 sadetails[0]='\0';
2292
2293 if (IS_IPSEC_SA_ESTABLISHED(st->st_state))
2294 {
2295 char *b = sadetails;
2296 const char *ini = " {";
2297 const char *fin = "";
2298
2299 /* -1 is to leave space for "fin" */
2300
2301 if (st->st_esp.present)
2302 {
2303 snprintf(b, sizeof(sadetails)-(b-sadetails)-1
2304 , "%sESP=>0x%08x <0x%08x"
2305 , ini
2306 , ntohl(st->st_esp.attrs.spi)
2307 , ntohl(st->st_esp.our_spi));
2308 ini = " ";
2309 fin = "}";
2310 }
2311 /* advance b to end of string */
2312 b = b + strlen(b);
2313
2314 if (st->st_ah.present)
2315 {
2316 snprintf(b, sizeof(sadetails)-(b-sadetails)-1
2317 , "%sAH=>0x%08x <0x%08x"
2318 , ini
2319 , ntohl(st->st_ah.attrs.spi)
2320 , ntohl(st->st_ah.our_spi));
2321 ini = " ";
2322 fin = "}";
2323 }
2324 /* advance b to end of string */
2325 b = b + strlen(b);
2326
2327 if (st->st_ipcomp.present)
2328 {
2329 snprintf(b, sizeof(sadetails)-(b-sadetails)-1
2330 , "%sIPCOMP=>0x%08x <0x%08x"
2331 , ini
2332 , ntohl(st->st_ipcomp.attrs.spi)
2333 , ntohl(st->st_ipcomp.our_spi));
2334 ini = " ";
2335 fin = "}";
2336 }
2337 /* advance b to end of string */
2338 b = b + strlen(b);
2339
2340 if (st->nat_traversal)
2341 {
2342 char oa[ADDRTOT_BUF];
2343 addrtot(&st->nat_oa, 0, oa, sizeof(oa));
2344 snprintf(b, sizeof(sadetails)-(b-sadetails)-1
2345 , "%sNATOA=%s"
2346 , ini, oa);
2347 ini = " ";
2348 fin = "}";
2349 }
2350
2351 /* advance b to end of string */
2352 b = b + strlen(b);
2353
2354 if (st->st_dpd)
2355 {
2356 snprintf(b, sizeof(sadetails)-(b-sadetails)-1
2357 , "%sDPD"
2358 , ini);
2359 ini = " ";
2360 fin = "}";
2361 }
2362
2363 strcat(b, fin);
2364 }
2365
2366 if (IS_ISAKMP_SA_ESTABLISHED(st->st_state)
2367 || IS_IPSEC_SA_ESTABLISHED(st->st_state))
2368 {
2369 /* log our success */
2370 plog("%s%s", story, sadetails);
2371 w = RC_SUCCESS;
2372 }
2373
2374 /* tell whack our progress */
2375 whack_log(w
2376 , "%s: %s%s"
2377 , enum_name(&state_names, st->st_state)
2378 , story, sadetails);
2379 }
2380
2381 has_xauth_policy = (st->st_connection->policy
2382 & (POLICY_XAUTH_RSASIG | POLICY_XAUTH_PSK))
2383 != LEMPTY;
2384 is_xauth_server = (st->st_connection->policy
2385 & POLICY_XAUTH_SERVER)
2386 != LEMPTY;
2387
2388 /* Should we start XAUTH as a server */
2389 if (has_xauth_policy && is_xauth_server
2390 && IS_ISAKMP_SA_ESTABLISHED(st->st_state)
2391 && !st->st_xauth.started)
2392 {
2393 DBG(DBG_CONTROL,
2394 DBG_log("starting XAUTH server")
2395 )
2396 xauth_send_request(st);
2397 break;
2398 }
2399
2400 /* Wait for XAUTH request from server */
2401 if (has_xauth_policy && !is_xauth_server
2402 && IS_ISAKMP_SA_ESTABLISHED(st->st_state)
2403 && !st->st_xauth.started)
2404 {
2405 DBG(DBG_CONTROL,
2406 DBG_log("waiting for XAUTH request from server")
2407 )
2408 break;
2409 }
2410
2411 /* Should we start ModeConfig as a client? */
2412 if (st->st_connection->spd.this.modecfg
2413 && IS_ISAKMP_SA_ESTABLISHED(st->st_state)
2414 && !(st->st_connection->policy & POLICY_MODECFG_PUSH)
2415 && !st->st_modecfg.started)
2416 {
2417 DBG(DBG_CONTROL,
2418 DBG_log("starting ModeCfg client in pull mode")
2419 )
2420 modecfg_send_request(st);
2421 break;
2422 }
2423
2424 /* Should we start ModeConfig as a server? */
2425 if (st->st_connection->spd.that.modecfg
2426 && IS_ISAKMP_SA_ESTABLISHED(st->st_state)
2427 && !st->st_modecfg.started
2428 && (st->st_connection->policy & POLICY_MODECFG_PUSH))
2429 {
2430 DBG(DBG_CONTROL,
2431 DBG_log("starting ModeCfg server in push mode")
2432 )
2433 modecfg_send_set(st);
2434 break;
2435 }
2436
2437 /* Wait for ModeConfig set from server */
2438 if (st->st_connection->spd.this.modecfg
2439 && IS_ISAKMP_SA_ESTABLISHED(st->st_state)
2440 && !st->st_modecfg.vars_set)
2441 {
2442 DBG(DBG_CONTROL,
2443 DBG_log("waiting for ModeCfg set from server")
2444 )
2445 break;
2446 }
2447
2448 if (smc->flags & SMF_RELEASE_PENDING_P2)
2449 {
2450 /* Initiate any Quick Mode negotiations that
2451 * were waiting to piggyback on this Keying Channel.
2452 *
2453 * ??? there is a potential race condition
2454 * if we are the responder: the initial Phase 2
2455 * message might outrun the final Phase 1 message.
2456 * I think that retransmission will recover.
2457 */
2458 unpend(st);
2459 }
2460
2461 if (IS_ISAKMP_SA_ESTABLISHED(st->st_state)
2462 || IS_IPSEC_SA_ESTABLISHED(st->st_state))
2463 release_whack(st);
2464 break;
2465
2466 case STF_INTERNAL_ERROR:
2467 whack_log(RC_INTERNALERR + md->note
2468 , "%s: internal error"
2469 , enum_name(&state_names, st->st_state));
2470
2471 DBG(DBG_CONTROL,
2472 DBG_log("state transition function for %s had internal error"
2473 , enum_name(&state_names, from_state)));
2474 break;
2475
2476 default: /* a shortcut to STF_FAIL, setting md->note */
2477 passert(result > STF_FAIL);
2478 md->note = result - STF_FAIL;
2479 result = STF_FAIL;
2480 /* FALL THROUGH ... */
2481 case STF_FAIL:
2482 /* As it is, we act as if this message never happened:
2483 * whatever retrying was in place, remains in place.
2484 */
2485 whack_log(RC_NOTIFICATION + md->note
2486 , "%s: %s"
2487 , enum_name(&state_names, (st == NULL)? STATE_MAIN_R0:st->st_state)
2488 , enum_name(&notification_names, md->note));
2489
2490 SEND_NOTIFICATION(md->note);
2491
2492 DBG(DBG_CONTROL,
2493 DBG_log("state transition function for %s failed: %s"
2494 , enum_name(&state_names, from_state)
2495 , enum_name(&notification_names, md->note)));
2496 break;
2497 }
2498 }