return (proc_run(ps, p, procs, nitems(procs), ikev2_run, NULL));

	if (pledge("stdio inet recvfd flock rpath cpath wpath", NULL) == -1)

		fatal("pledge");

	struct iked		*env = p->p_env;

	switch (imsg->hdr.type) {

		return (config_getreset(env, imsg));

		return (config_getcoupled(env, imsg->hdr.type));

		if (config_getmode(env, imsg->hdr.type) == -1)

			return (0);	/* ignore error */

		if (env->sc_passive)

			timer_del(env, &env->sc_inittmr);

			timer_set(env, &env->sc_inittmr, ikev2_init_ike_sa,

			timer_add(env, &env->sc_inittmr,

		return (0);

		return (config_getsocket(env, imsg, ikev2_msg_cb));

		return (config_getpfkey(env, imsg));

		return (config_getpolicy(env, imsg));

		return (config_getflow(env, imsg));

		return (config_getuser(env, imsg));

		return (config_getcompile(env, imsg));

	return (-1);

	struct iked		*env = p->p_env;

	struct iked_sahdr	 sh;

	uint8_t			 type;

	uint8_t			*ptr;

	size_t			 len;

	switch (imsg->hdr.type) {

		IMSG_SIZE_CHECK(imsg, &type);

		ptr = imsg->data;

		memcpy(&type, ptr, sizeof(type));

		ptr += sizeof(type);

		ibuf_release(env->sc_certreq);

		env->sc_certreqtype = type;

		env->sc_certreq = ibuf_new(ptr,

		    IMSG_DATA_SIZE(imsg) - sizeof(type));

		log_debug("%s: updated local CERTREQ type %s length %zu",

		    __func__, print_map(type, ikev2_cert_map),

		    ibuf_length(env->sc_certreq));

		break;

		if (IMSG_DATA_SIZE(imsg) < sizeof(type) + sizeof(sh))

			fatalx("bad length imsg received");

		memcpy(&sh, imsg->data, sizeof(sh));

		memcpy(&type, (uint8_t *)imsg->data + sizeof(sh),

		if ((sa = sa_lookup(env,

		    sh.sh_ispi, sh.sh_rspi, sh.sh_initiator)) == NULL ||

		    sa->sa_state < IKEV2_STATE_EAP)

		if (imsg->hdr.type == IMSG_CERTVALID) {

			log_debug("%s: peer certificate is valid", __func__);

			sa_stateflags(sa, IKED_REQ_CERTVALID);

			log_warnx("%s: peer certificate is invalid", __func__);

			ikev2_send_auth_failed(env, sa);

			break;

		if (ikev2_ike_auth(env, sa) != 0)

			log_debug("%s: failed to send ike auth", __func__);

		if ((sa = ikev2_getimsgdata(env, imsg,

		    &sh, &type, &ptr, &len)) == NULL) {

			log_debug("%s: invalid cert reply", __func__);

			break;

		if (sa->sa_stateflags & IKED_REQ_CERT ||

		    type == IKEV2_CERT_NONE)

			ignore = 1;

		log_debug("%s: cert type %s length %zu, %s", __func__,

		    print_map(type, ikev2_cert_map), len,

		    ignore ? "ignored" : "ok");

		if (ignore)

		if (sh.sh_initiator)

			id = &sa->sa_icert;

			id = &sa->sa_rcert;

		id->id_type = type;

		id->id_offset = 0;

		ibuf_release(id->id_buf);

		id->id_buf = NULL;

		if (len <= 0 || (id->id_buf = ibuf_new(ptr, len)) == NULL) {

			log_debug("%s: failed to get cert payload",

			break;

		sa_stateflags(sa, IKED_REQ_CERT);

		if (ikev2_ike_auth(env, sa) != 0)

			log_debug("%s: failed to send ike auth", __func__);

		if ((sa = ikev2_getimsgdata(env, imsg,

		    &sh, &type, &ptr, &len)) == NULL) {

			log_debug("%s: invalid auth reply", __func__);

			break;

		if (sa_stateok(sa, IKEV2_STATE_VALID)) {

			log_warnx("%s: ignoring AUTH in state %s", __func__,

			    print_map(sa->sa_state, ikev2_state_map));

			break;

		log_debug("%s: AUTH type %d len %zu", __func__, type, len);

		id = &sa->sa_localauth;

		id->id_type = type;

		id->id_offset = 0;

		ibuf_release(id->id_buf);

		id->id_buf = NULL;

		if (type != IKEV2_AUTH_NONE) {

			if (len <= 0 ||

			    (id->id_buf = ibuf_new(ptr, len)) == NULL) {

				log_debug("%s: failed to get auth payload",

				break;

		sa_stateflags(sa, IKED_REQ_AUTH);

		if (ikev2_ike_auth(env, sa) != 0)

			log_debug("%s: failed to send ike auth", __func__);

		return (-1);

	return (0);

	IMSG_SIZE_CHECK(imsg, sh);

	ptr = imsg->data;

	len = IMSG_DATA_SIZE(imsg) - sizeof(*sh) - sizeof(*type);

	memcpy(sh, ptr, sizeof(*sh));

	memcpy(type, ptr + sizeof(*sh), sizeof(*type));

	sa = sa_lookup(env, sh->sh_ispi, sh->sh_rspi, sh->sh_initiator);

	log_debug("%s: imsg %d rspi %s ispi %s initiator %d sa %s"

	    __func__, imsg->hdr.type,

	    print_spi(sh->sh_rspi, 8),

	    print_spi(sh->sh_ispi, 8),

	    sh->sh_initiator,

	    sa == NULL ? "invalid" : "valid", *type, len);

	if (sa == NULL)

		return (NULL);

	*buf = ptr + sizeof(*sh) + sizeof(*type);

	*size = len;

	return (sa);

	hdr = ibuf_seek(msg->msg_data, msg->msg_offset, sizeof(*hdr));

	if (hdr == NULL || ibuf_size(msg->msg_data) <

	    (betoh32(hdr->ike_length) - msg->msg_offset))

		return;

	initiator = (hdr->ike_flags & IKEV2_FLAG_INITIATOR) ? 0 : 1;

	msg->msg_response = (hdr->ike_flags & IKEV2_FLAG_RESPONSE) ? 1 : 0;

	msg->msg_sa = sa_lookup(env,

	    betoh64(hdr->ike_ispi), betoh64(hdr->ike_rspi),

	msg->msg_msgid = betoh32(hdr->ike_msgid);

	if (policy_lookup(env, msg) != 0)

		return;

	log_info("%s: %s %s from %s %s to %s policy '%s' id %u, %ld bytes",

	    __func__, print_map(hdr->ike_exchange, ikev2_exchange_map),

	    msg->msg_response ? "response" : "request",

	    initiator ? "responder" : "initiator",

	    print_host((struct sockaddr *)&msg->msg_peer, NULL, 0),

	    print_host((struct sockaddr *)&msg->msg_local, NULL, 0),

	    msg->msg_policy->pol_name, msg->msg_msgid,

	    ibuf_length(msg->msg_data));

	log_debug("%s: ispi %s rspi %s", __func__,

	    print_spi(betoh64(hdr->ike_ispi), 8),

	    print_spi(betoh64(hdr->ike_rspi), 8));

	if ((sa = msg->msg_sa) == NULL)

	if (hdr->ike_exchange == IKEV2_EXCHANGE_CREATE_CHILD_SA)

		flag = IKED_REQ_CHILDSA;

	if (hdr->ike_exchange == IKEV2_EXCHANGE_INFORMATIONAL)

		flag = IKED_REQ_INF;

	if (msg->msg_response) {

		if (msg->msg_msgid > sa->sa_reqid)

			return;

		if (hdr->ike_exchange != IKEV2_EXCHANGE_INFORMATIONAL &&

		    !ikev2_msg_lookup(env, &sa->sa_requests, msg, hdr))

			return;

		if (flag) {

			if ((sa->sa_stateflags & flag) == 0)

				return;

		if ((m = ikev2_msg_lookup(env, &sa->sa_requests, msg, hdr)))

			ikev2_msg_dispose(env, &sa->sa_requests, m);

		if (msg->msg_msgid < sa->sa_msgid)

			return;

		if (flag)

			initiator = 0;

		if ((m = ikev2_msg_lookup(env, &sa->sa_responses, msg, hdr))) {

			if (ikev2_msg_retransmit_response(env, sa, m)) {

				log_warn("%s: failed to retransmit a "

				sa_free(env, sa);

			return;

		} else if (sa->sa_msgid_set && msg->msg_msgid == sa->sa_msgid) {

			return;

		sa->sa_msgid = msg->msg_msgid;

		sa->sa_msgid_set = 1;

		ikev2_msg_prevail(env, &sa->sa_responses, msg);

	if (sa_address(sa, &sa->sa_peer, &msg->msg_peer) == -1 ||

	    sa_address(sa, &sa->sa_local, &msg->msg_local) == -1)

		return;

	sa->sa_fd = msg->msg_fd;

	log_debug("%s: updated SA to peer %s local %s", __func__,

	    print_host((struct sockaddr *)&sa->sa_peer.addr, NULL, 0),

	    print_host((struct sockaddr *)&sa->sa_local.addr, NULL, 0));

	if (initiator)

		ikev2_init_recv(env, msg, hdr);

		ikev2_resp_recv(env, msg, hdr);

	if (sa != NULL && sa->sa_state == IKEV2_STATE_CLOSED) {

		log_debug("%s: closing SA", __func__);

		sa_free(env, sa);

	if (wire == IKEV2_AUTH_SIG_ANY)		/* internal, not on wire */

		return (-1);

	if (policy == wire || policy == IKEV2_AUTH_NONE)

		return (0);

	switch (policy) {

		switch (wire) {

			return (0);

		switch (wire) {

			if (sa->sa_sigsha2)

				return (0);

	return (-1);

	struct iked_auth	 ikeauth;

	struct iked_policy	*policy = sa->sa_policy;

	if (sa->sa_hdr.sh_initiator) {

		id = &sa->sa_rid;

		certid = &sa->sa_rcert;

	} else {

		id = &sa->sa_iid;

		certid = &sa->sa_icert;

	if (msg->msg_id.id_type && !sa->sa_hdr.sh_initiator) {

		struct iked_policy	*old = sa->sa_policy;

		sa->sa_policy = NULL;

		if (policy_lookup(env, msg) == 0 && msg->msg_policy &&

		    msg->msg_policy != old) {

			policy = sa->sa_policy = msg->msg_policy;

			TAILQ_REMOVE(&old->pol_sapeers, sa, sa_peer_entry);

			TAILQ_INSERT_TAIL(&policy->pol_sapeers,

			if (old->pol_flags & IKED_POLICY_REFCNT)

				policy_unref(env, old);

			if (policy->pol_flags & IKED_POLICY_REFCNT)

				policy_ref(env, policy);

			msg->msg_policy = sa->sa_policy = old;

	if (msg->msg_id.id_type) {

		memcpy(id, &msg->msg_id, sizeof(*id));

		bzero(&msg->msg_id, sizeof(msg->msg_id));

		if (!sa->sa_hdr.sh_initiator) {

			if ((authmsg = ikev2_msg_auth(env, sa,

			    !sa->sa_hdr.sh_initiator)) == NULL) {

				log_debug("%s: failed to get response "

				return (-1);

			ca_setauth(env, sa, authmsg, PROC_CERT);

			ibuf_release(authmsg);

	if (msg->msg_cert.id_type) {

		memcpy(certid, &msg->msg_cert, sizeof(*certid));

		bzero(&msg->msg_cert, sizeof(msg->msg_cert));

		ca_setcert(env, &sa->sa_hdr,

		    id, certid->id_type,

		    ibuf_data(certid->id_buf),

		    ibuf_length(certid->id_buf), PROC_CERT);

	if (msg->msg_auth.id_type) {

		memcpy(&ikeauth, &policy->pol_auth, sizeof(ikeauth));

		if (policy->pol_auth.auth_eap && sa->sa_eapmsk != NULL) {

			ikeauth.auth_method = IKEV2_AUTH_SHARED_KEY_MIC;

			memcpy(ikeauth.auth_data, ibuf_data(sa->sa_eapmsk),

			    ibuf_size(sa->sa_eapmsk));

			ikeauth.auth_length = ibuf_size(sa->sa_eapmsk);

		if (ikev2_ike_auth_compatible(sa,

		    ikeauth.auth_method, msg->msg_auth.id_type) < 0) {

			log_warnx("%s: unexpected auth method %s, was "

			    print_map(msg->msg_auth.id_type, ikev2_auth_map),

			    print_map(ikeauth.auth_method, ikev2_auth_map));

			return (-1);

		ikeauth.auth_method = msg->msg_auth.id_type;

		if ((authmsg = ikev2_msg_auth(env, sa,

		    sa->sa_hdr.sh_initiator)) == NULL) {

			log_debug("%s: failed to get auth data", __func__);

			return (-1);

		ret = ikev2_msg_authverify(env, sa, &ikeauth,

		    ibuf_data(msg->msg_auth.id_buf),

		    ibuf_length(msg->msg_auth.id_buf),

		ibuf_release(authmsg);

		if (ret != 0) {

			log_debug("%s: ikev2_msg_authverify failed", __func__);

			ikev2_send_auth_failed(env, sa);

			return (-1);

		if (sa->sa_eapmsk != NULL) {

			if ((authmsg = ikev2_msg_auth(env, sa,

			    !sa->sa_hdr.sh_initiator)) == NULL) {

				log_debug("%s: failed to get auth data",

				return (-1);

			ret = ikev2_msg_authsign(env, sa, &ikeauth, authmsg);

			ibuf_release(authmsg);

			if (ret != 0) {

				return (-1);

			sa_stateflags(sa, IKED_REQ_AUTHVALID);

			sa_stateflags(sa, IKED_REQ_EAPVALID);

			sa_state(env, sa, IKEV2_STATE_EAP_SUCCESS);

	if (!TAILQ_EMPTY(&msg->msg_proposals)) {

		if (ikev2_sa_negotiate(&sa->sa_proposals,

		    &sa->sa_policy->pol_proposals, &msg->msg_proposals,

		    0) != 0) {

			log_info("%s: no proposal chosen", __func__);

			msg->msg_error = IKEV2_N_NO_PROPOSAL_CHOSEN;

			return (-1);

			sa_stateflags(sa, IKED_REQ_SA);

	return ikev2_ike_auth(env, sa);

	struct iked_policy	*pol = sa->sa_policy;

	if (sa->sa_state == IKEV2_STATE_EAP_SUCCESS)

		sa_state(env, sa, IKEV2_STATE_EAP_VALID);

	else if (sa->sa_state == IKEV2_STATE_AUTH_SUCCESS)

		sa_state(env, sa, IKEV2_STATE_VALID);

	if (sa->sa_hdr.sh_initiator) {

		if (sa_stateok(sa, IKEV2_STATE_AUTH_SUCCESS))

			return (ikev2_init_done(env, sa));

			return (ikev2_init_ike_auth(env, sa));

	if (sa->sa_statevalid & IKED_REQ_CERT) {

		if ((sa->sa_stateflags & IKED_REQ_CERTREQ) == 0) {

			log_debug("%s: no CERTREQ, using default", __func__);

			if (pol->pol_certreqtype)

				certreqtype = pol->pol_certreqtype;

				certreqtype = env->sc_certreqtype;

			return (ca_setreq(env, sa,

			    &pol->pol_localid, certreqtype,

			    ibuf_data(env->sc_certreq),

			    ibuf_size(env->sc_certreq), PROC_CERT));

		} else if ((sa->sa_stateflags & IKED_REQ_CERT) == 0)

			return (0);	/* ignored, wait for cert */

	return (ikev2_resp_ike_auth(env, sa));

	if (ikev2_msg_valid_ike_sa(env, hdr, msg) == -1) {

		log_debug("%s: unknown SA", __func__);

		return;

	sa = msg->msg_sa;

	switch (hdr->ike_exchange) {

		if ((sa = sa_new(env,

		    betoh64(hdr->ike_ispi), betoh64(hdr->ike_rspi), 1,

		    NULL)) == NULL || sa != msg->msg_sa) {

			log_debug("%s: invalid new SA", __func__);

			if (sa)

				sa_free(env, sa);

		if (ikev2_msg_valid_ike_sa(env, hdr, msg) == -1)

			return;

		log_debug("%s: unsupported exchange: %s", __func__,

		    print_map(hdr->ike_exchange, ikev2_exchange_map));

		return;

	if (ikev2_pld_parse(env, hdr, msg, msg->msg_offset) != 0) {

		log_debug("%s: failed to parse message", __func__);

		return;

	if (!ikev2_msg_frompeer(msg))

		return;

	if (sa->sa_udpencap && sa->sa_natt == 0 &&

	    (sock = ikev2_msg_getsocket(env,

	    sa->sa_local.addr_af, 1)) != NULL) {

		port = htons(socket_getport(

		sa->sa_local.addr_port = port;

		sa->sa_peer.addr_port = port;

		(void)socket_af((struct sockaddr *)&sa->sa_local.addr, port);

		(void)socket_af((struct sockaddr *)&sa->sa_peer.addr, port);

		msg->msg_fd = sa->sa_fd = sock->sock_fd;

		msg->msg_sock = sock;

		sa->sa_natt = 1;

		log_debug("%s: NAT detected, updated SA to "

		    print_host((struct sockaddr *)&sa->sa_peer.addr, NULL, 0),

		    print_host((struct sockaddr *)&sa->sa_local.addr, NULL, 0));

	switch (hdr->ike_exchange) {

		if (ibuf_length(msg->msg_cookie)) {

			pol = sa->sa_policy;

			if (ikev2_init_ike_sa_peer(env, pol,

			    &pol->pol_peer, msg) != 0)

				log_warnx("%s: failed to initiate a "

		(void)ikev2_init_auth(env, msg);

		break;

		(void)ikev2_ike_auth_recv(env, sa, msg);

		break;

		(void)ikev2_init_create_child_sa(env, msg);

		break;

		sa->sa_stateflags &= ~IKED_REQ_INF;

		break;

		log_debug("%s: exchange %s not implemented", __func__,

		    print_map(hdr->ike_exchange, ikev2_exchange_map));

		break;

	TAILQ_FOREACH(pol, &env->sc_policies, pol_entry) {

		if ((pol->pol_flags & IKED_POLICY_ACTIVE) == 0)

		if (!TAILQ_EMPTY(&pol->pol_sapeers)) {

			log_debug("%s: \"%s\" is already active",

			continue;

		log_debug("%s: initiating \"%s\"", __func__, pol->pol_name);

		if (ikev2_init_ike_sa_peer(env, pol, &pol->pol_peer, NULL))

			log_debug("%s: failed to initiate with peer %s",

			    print_host((struct sockaddr *)&pol->pol_peer.addr,

	timer_set(env, &env->sc_inittmr, ikev2_init_ike_sa, NULL);

	timer_add(env, &env->sc_inittmr, IKED_INITIATOR_INTERVAL);

	struct iked_sa	 *sa = arg;

	log_debug("%s: ispi %s rspi %s", __func__,

	    print_spi(sa->sa_hdr.sh_ispi, 8),

	    print_spi(sa->sa_hdr.sh_rspi, 8));

	sa_free(env, sa);

	struct sockaddr_storage		 ss;

	struct iked_message		 req;

	struct ikev2_payload		*pld;

	if ((sock = ikev2_msg_getsocket(env, peer->addr_af, 0)) == NULL)

		return (-1);

	if (retry != NULL) {

		sa = retry->msg_sa;

		cookie = retry->msg_cookie;

		sa_state(env, sa, IKEV2_STATE_INIT);

	if (sa == NULL &&

	    (sa = sa_new(env, 0, 0, 1, pol)) == NULL)

		return (-1);

	if (pol->pol_peerdh > 0 && sa->sa_dhgroup == NULL &&

	    (sa->sa_dhgroup = group_get(pol->pol_peerdh)) == NULL) {

		log_warnx("%s: invalid peer DH group %u", __func__,

		    pol->pol_peerdh);

		goto closeonly;

	sa->sa_reqid = 0;

	if (ikev2_sa_initiator(env, sa, NULL, NULL) == -1)

	if (pol->pol_local.addr.ss_family == AF_UNSPEC) {

		if (socket_getaddr(sock->sock_fd, &ss) == -1)

		memcpy(&ss, &pol->pol_local.addr, pol->pol_local.addr.ss_len);

	if ((buf = ikev2_msg_init(env, &req, &peer->addr, peer->addr.ss_len,

	    &ss, ss.ss_len, 0)) == NULL)

	port = htons(socket_getport((struct sockaddr *)&sock->sock_addr));

	(void)socket_af((struct sockaddr *)&req.msg_local, port);

	(void)socket_af((struct sockaddr *)&req.msg_peer, port);

	req.msg_fd = sock->sock_fd;

	req.msg_sa = sa;

	req.msg_sock = sock;

	req.msg_msgid = ikev2_msg_id(env, sa);

	if ((hdr = ikev2_add_header(buf, sa, req.msg_msgid,

	    cookie == NULL ? IKEV2_PAYLOAD_SA : IKEV2_PAYLOAD_NOTIFY,

	    IKEV2_EXCHANGE_IKE_SA_INIT, 0)) == NULL)

	if (cookie) {

		if ((pld = ikev2_add_payload(buf)) == NULL)

		if ((n = ibuf_advance(buf, sizeof(*n))) == NULL)

		n->n_protoid = IKEV2_SAPROTO_NONE;

		n->n_spisize = 0;

		n->n_type = htobe16(IKEV2_N_COOKIE);

		if (ikev2_add_buf(buf, cookie) == -1)

		len = sizeof(*n) + ibuf_size(cookie);

		log_debug("%s: added cookie, len %zu", __func__,

		    ibuf_size(cookie));

		print_hex(ibuf_data(cookie), 0, ibuf_size(cookie));

		if (ikev2_next_payload(pld, len, IKEV2_PAYLOAD_SA) == -1)

	if ((pld = ikev2_add_payload(buf)) == NULL)

	if ((len = ikev2_add_proposals(env, sa, buf, &pol->pol_proposals,

	    IKEV2_SAPROTO_IKE, sa->sa_hdr.sh_initiator, 0)) == -1)

	if (ikev2_next_payload(pld, len, IKEV2_PAYLOAD_KE) == -1)

	if ((pld = ikev2_add_payload(buf)) == NULL)

	if ((ke = ibuf_advance(buf, sizeof(*ke))) == NULL)

	if ((group = sa->sa_dhgroup) == NULL) {

		log_debug("%s: invalid dh", __func__);

		goto done;

	ke->kex_dhgroup = htobe16(group->id);

	if (ikev2_add_buf(buf, sa->sa_dhiexchange) == -1)

	len = sizeof(*ke) + dh_getlen(group);

	if (ikev2_next_payload(pld, len, IKEV2_PAYLOAD_NONCE) == -1)

	if ((pld = ikev2_add_payload(buf)) == NULL)

	if (ikev2_add_buf(buf, sa->sa_inonce) == -1)

	len = ibuf_size(sa->sa_inonce);