1/* $NetBSD: isakmp_ident.c,v 1.6 2006/10/02 21:41:59 manu Exp $ */
2
3/* Id: isakmp_ident.c,v 1.21 2006/04/06 16:46:08 manubsd Exp */
4
5/*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
/* Identity Protection Exchange (Main Mode) */
35
36#include "config.h"
37
38#include <sys/types.h>
39#include <sys/param.h>
40
41#include <stdlib.h>
42#include <stdio.h>
43#include <string.h>
44#include <errno.h>
45#if TIME_WITH_SYS_TIME
46# include <sys/time.h>
47# include <time.h>
48#else
49# if HAVE_SYS_TIME_H
50# include <sys/time.h>
51# else
52# include <time.h>
53# endif
54#endif
55
56#include "var.h"
57#include "misc.h"
58#include "vmbuf.h"
59#include "plog.h"
60#include "sockmisc.h"
61#include "schedule.h"
62#include "debug.h"
63
64#include "localconf.h"
65#include "remoteconf.h"
66#include "isakmp_var.h"
67#include "isakmp.h"
68#include "evt.h"
69#include "oakley.h"
70#include "handler.h"
71#include "ipsec_doi.h"
72#include "crypto_openssl.h"
73#include "pfkey.h"
74#include "isakmp_ident.h"
75#include "isakmp_inf.h"
76#include "vendorid.h"
77
78#ifdef ENABLE_NATT
79#include "nattraversal.h"
80#endif
81#ifdef HAVE_GSSAPI
82#include "gssapi.h"
83#endif
84#ifdef ENABLE_HYBRID
85#include <resolv.h>
86#include "isakmp_xauth.h"
87#include "isakmp_cfg.h"
88#endif
89#ifdef ENABLE_FRAG
90#include "isakmp_frag.h"
91#endif
92
93#include "vpn_control.h"
94#include "vpn_control_var.h"
95#include "ipsecSessionTracer.h"
96#include "ipsecMessageTracer.h"
97
98static vchar_t *ident_ir2mx __P((struct ph1handle *));
99static vchar_t *ident_ir3mx __P((struct ph1handle *));
100
101/* %%%
102 * begin Identity Protection Mode as initiator.
103 */
104/*
105 * send to responder
106 * psk: HDR, SA
107 * sig: HDR, SA
108 * rsa: HDR, SA
109 * rev: HDR, SA
110 */
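/*
 * Build and send Main-Mode message 1 (HDR, SA plus optional vendor IDs).
 * msg must be NULL: this is the first message of the exchange and there
 * is no received packet to answer.  Returns 0 when the packet was handed
 * to isakmp_ph1resend() and iph1 advanced to PHASE1ST_MSG1SENT, -1
 * otherwise.  The vendor-ID buffers are always released at end:; the SA
 * payload stays in iph1->sa.
 */
int
ident_i1send(iph1, msg)
	struct ph1handle *iph1;
	vchar_t *msg; /* must be null */
{
	struct payload_list *plist = NULL;	/* payloads in send order */
	int error = -1;				/* return value: 0 on success, -1 otherwise */
#ifdef ENABLE_NATT
	vchar_t *vid_natt[MAX_NATT_VID_COUNT] = { NULL };
	int i;
#endif
#ifdef ENABLE_HYBRID
	vchar_t *vid_xauth = NULL;
	vchar_t *vid_unity = NULL;
#endif
#ifdef ENABLE_FRAG
	vchar_t *vid_frag = NULL;
#endif
#ifdef ENABLE_DPD
	vchar_t *vid_dpd = NULL;
#endif
	/* validity check */
	if (msg != NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"msg has to be NULL in this function.\n");
		goto end;
	}
	if (iph1->status != PHASE1ST_START) {
		plog(LLV_ERROR, LOCATION, NULL,
			"status mismatched %d.\n", iph1->status);
		goto end;
	}

	/* create isakmp index: fresh initiator cookie, responder cookie zero */
	memset(&iph1->index, 0, sizeof(iph1->index));
	isakmp_newcookie((caddr_t)&iph1->index, iph1->remote, iph1->local);

	/* create SA payload for my proposal */
	iph1->sa = ipsecdoi_setph1proposal(iph1->rmconf->proposal);
	if (iph1->sa == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to set proposal");
		goto end;
	}

	/* set SA payload to propose */
	plist = isakmp_plist_append(plist, iph1->sa, ISAKMP_NPTYPE_SA);

#ifdef ENABLE_NATT
	/* set VID payload for NAT-T if NAT-T support allowed in the config file */
	if (iph1->rmconf->nat_traversal)
		plist = isakmp_plist_append_natt_vids(plist, vid_natt);
#endif
#ifdef ENABLE_HYBRID
	/* Do we need Xauth VID?  Only for the Xauth/hybrid initiator methods. */
	switch (RMAUTHMETHOD(iph1)) {
	case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
		/* a failed VID construction is logged but does not abort */
		if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL)
			plog(LLV_ERROR, LOCATION, NULL,
			     "Xauth vendor ID generation failed\n");
		else
			plist = isakmp_plist_append(plist,
			    vid_xauth, ISAKMP_NPTYPE_VID);

		if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL)
			plog(LLV_ERROR, LOCATION, NULL,
			     "Unity vendor ID generation failed\n");
		else
			plist = isakmp_plist_append(plist,
			    vid_unity, ISAKMP_NPTYPE_VID);
		break;
	default:
		break;
	}
#endif
#ifdef ENABLE_FRAG
	if (iph1->rmconf->ike_frag) {
		if ((vid_frag = set_vendorid(VENDORID_FRAG)) == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "Frag vendorID construction failed\n");
		} else {
			/* advertise fragmentation for the identity exchange */
			vid_frag = isakmp_frag_addcap(vid_frag,
			    VENDORID_FRAG_IDENT);
			plist = isakmp_plist_append(plist,
			    vid_frag, ISAKMP_NPTYPE_VID);
		}
	}
#endif
#ifdef ENABLE_DPD
	if (iph1->rmconf->dpd) {
		vid_dpd = set_vendorid(VENDORID_DPD);
		if (vid_dpd != NULL)
			plist = isakmp_plist_append(plist, vid_dpd,
			    ISAKMP_NPTYPE_VID);
	}
#endif

	iph1->sendbuf = isakmp_plist_set_all(&plist, iph1);
	/*
	 * isakmp_plist_set_all() returns NULL when it cannot build the
	 * packet; without this check isakmp_printpacket()/isakmp_ph1resend()
	 * would dereference a NULL sendbuf.  Mirrors ident_i2send().
	 */
	if (iph1->sendbuf == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to create send buffer");
		goto end;
	}

#ifdef HAVE_PRINT_ISAKMP_C
	isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
#endif

	/* send the packet, add to the schedule to resend */
	iph1->retry_counter = iph1->rmconf->retry_counter;
	if (isakmp_ph1resend(iph1) == -1) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to send packet");
		goto end;
	}

	iph1->status = PHASE1ST_MSG1SENT;

	error = 0;

	IPSECSESSIONTRACEREVENT(iph1->parent_session,
		IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
		CONSTSTR("Initiator, Main-Mode message 1"),
		CONSTSTR(NULL));

end:
	if (error) {
		IPSECSESSIONTRACEREVENT(iph1->parent_session,
			IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
			CONSTSTR("Initiator, Main-Mode Message 1"),
			CONSTSTR("Failed to transmit Main-Mode Message 1"));
	}
	/* the VID buffers were copied into sendbuf; release the originals */
#ifdef ENABLE_FRAG
	if (vid_frag)
		vfree(vid_frag);
#endif
#ifdef ENABLE_NATT
	for (i = 0; i < MAX_NATT_VID_COUNT && vid_natt[i] != NULL; i++)
		vfree(vid_natt[i]);
#endif
#ifdef ENABLE_HYBRID
	if (vid_xauth != NULL)
		vfree(vid_xauth);
	if (vid_unity != NULL)
		vfree(vid_unity);
#endif
#ifdef ENABLE_DPD
	if (vid_dpd != NULL)
		vfree(vid_dpd);
#endif

	return error;
}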
265
266/*
267 * receive from responder
268 * psk: HDR, SA
269 * sig: HDR, SA
270 * rsa: HDR, SA
271 * rev: HDR, SA
272 */
/*
 * Process Main-Mode message 2 from the responder.  Returns 0 when the
 * message was accepted and iph1 advanced to PHASE1ST_MSG2RECEIVED, -1 on
 * any error; on error the packet is ignored and nothing is sent back.
 */
int
ident_i2recv(iph1, msg)
	struct ph1handle *iph1;
	vchar_t *msg;
{
	vchar_t *pbuf = NULL;		/* parsed payload table, freed at end: */
	struct isakmp_parse_t *pa;
	vchar_t *satmp = NULL;		/* copy of the received SA payload, freed at end: */
	int error = -1;			/* return value: 0 on success, -1 otherwise */
	int vid_numeric;		/* vendor ID as classified by check_vendorid() */

	/* validity check */
	if (iph1->status != PHASE1ST_MSG1SENT) {
		plog(LLV_ERROR, LOCATION, NULL,
			"status mismatched %d.\n", iph1->status);
		goto end;
	}

	/* validate the type of next payload */
	/*
	 * NOTE: RedCreek(as responder) attaches N[responder-lifetime] here,
	 * if proposal-lifetime > lifetime-redcreek-wants.
	 * (see doi-08 4.5.4)
	 * => According to the section 4.6.3 in RFC 2407, This is illegal.
	 * NOTE: we do not really care about ordering of VID and N.
	 * does it matters?
	 * NOTE: even if there's multiple VID/N, we'll ignore them.
	 */
	pbuf = isakmp_parse(msg);
	if (pbuf == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to parse msg");
		goto end;
	}
	pa = (struct isakmp_parse_t *)pbuf->v;

	/* SA payload is fixed position */
	if (pa->type != ISAKMP_NPTYPE_SA) {
		plog(LLV_ERROR, LOCATION, iph1->remote,
			"received invalid next payload type %d, "
			"expecting %d.\n",
			pa->type, ISAKMP_NPTYPE_SA);
		goto end;
	}
	if (isakmp_p2ph(&satmp, pa->ptr) < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to process SA payload");
		goto end;
	}
	pa++;

	/*
	 * Everything after the SA must be a VID.  Despite the NOTE above,
	 * an N payload (or anything else) reaches the default case and the
	 * whole packet is rejected.
	 */
	for (/*nothing*/;
	     pa->type != ISAKMP_NPTYPE_NONE;
	     pa++) {

		switch (pa->type) {
		case ISAKMP_NPTYPE_VID:
			vid_numeric = check_vendorid(pa->ptr);
#ifdef ENABLE_NATT
			/* NAT-T is only negotiated when the remote config allows it */
			if (iph1->rmconf->nat_traversal && natt_vendorid(vid_numeric))
				natt_handle_vendorid(iph1, vid_numeric);
#endif
#ifdef ENABLE_HYBRID
			switch (vid_numeric) {
			case VENDORID_XAUTH:
				iph1->mode_cfg->flags |=
				    ISAKMP_CFG_VENDORID_XAUTH;
				break;

			case VENDORID_UNITY:
				iph1->mode_cfg->flags |=
				    ISAKMP_CFG_VENDORID_UNITY;
				break;

			default:
				break;
			}
#endif
#ifdef ENABLE_DPD
			/* DPD needs the peer's VID and the local config option */
			if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd)
				iph1->dpd_support=1;
#endif
			break;
		default:
			/* don't send information, see ident_r1recv() */
			plog(LLV_ERROR, LOCATION, iph1->remote,
				"ignore the packet, "
				"received unexpecting payload type %d.\n",
				pa->type);
			goto end;
		}
	}

#ifdef ENABLE_NATT
	if (NATT_AVAILABLE(iph1))
		plog(LLV_INFO, LOCATION, iph1->remote,
		     "Selected NAT-T version: %s\n",
		     vid_string_by_id(iph1->natt_options->version));
#endif

	/* check SA payload and set approval SA for use */
	if (ipsecdoi_checkph1proposal(satmp, iph1) < 0) {
		plog(LLV_ERROR, LOCATION, iph1->remote,
			"failed to get valid proposal.\n");
		/* XXX send information */
		goto end;
	}
	/* NOTE(review): presumably releases and clears sa_ret — confirm
	 * against the VPTRINIT definition */
	VPTRINIT(iph1->sa_ret);

	iph1->status = PHASE1ST_MSG2RECEIVED;

#ifdef ENABLE_VPNCONTROL_PORT
	vpncontrol_notify_phase_change(1, FROM_REMOTE, iph1, NULL);
#endif

	error = 0;

	IPSECSESSIONTRACEREVENT(iph1->parent_session,
		IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
		CONSTSTR("Initiator, Main-Mode message 2"),
		CONSTSTR(NULL));

end:
	if (error) {
		IPSECSESSIONTRACEREVENT(iph1->parent_session,
			IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
			CONSTSTR("Initiator, Main-Mode Message 2"),
			CONSTSTR("Failed to process Main-Mode Message 2"));
	}
	/* satmp is freed on success too: the approved SA is kept elsewhere */
	if (pbuf)
		vfree(pbuf);
	if (satmp)
		vfree(satmp);
	return error;
}
408
409/*
410 * send to responder
411 * psk: HDR, KE, Ni
412 * sig: HDR, KE, Ni
413 * gssapi: HDR, KE, Ni, GSSi
414 * rsa: HDR, KE, [ HASH(1), ] <IDi1_b>PubKey_r, <Ni_b>PubKey_r
415 * rev: HDR, [ HASH(1), ] <Ni_b>Pubkey_r, <KE_b>Ke_i,
416 * <IDi1_b>Ke_i, [<<Cert-I_b>Ke_i]
417 */
/*
 * Build and send Main-Mode message 3 once message 2 has been accepted.
 * msg is the responder's message 2: its responder cookie is copied into
 * iph1->index and it is recorded together with the reply via
 * add_recvdpkt().  Returns 0 on success and -1 on error; nothing
 * allocated into iph1 (dhpub, dhpriv, nonce, sendbuf) is released at end:.
 */
int
ident_i2send(iph1, msg)
	struct ph1handle *iph1;
	vchar_t *msg;
{
	int error = -1;		/* return value: 0 on success, -1 otherwise */

	/* validity check */
	if (iph1->status != PHASE1ST_MSG2RECEIVED) {
		plog(LLV_ERROR, LOCATION, NULL,
			"status mismatched %d.\n", iph1->status);
		goto end;
	}

	/* fix isakmp index: adopt the responder cookie from message 2 */
	memcpy(&iph1->index.r_ck, &((struct isakmp *)msg->v)->r_ck,
	    sizeof(cookie_t));

	/* generate DH public value */
	if (oakley_dh_generate(iph1->approval->dhgrp,
				&iph1->dhpub, &iph1->dhpriv) < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to generate DH");
		goto end;
	}

	/* generate NONCE value (size taken from the remote config) */
	iph1->nonce = eay_set_random(iph1->rmconf->nonce_size);
	if (iph1->nonce == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to generate NONCE");
		goto end;
	}

#ifdef HAVE_GSSAPI
	/* the first GSS token travels with KE/Ni, see the header comment */
	if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB &&
	    gssapi_get_itoken(iph1, NULL) < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to get GSS token");
		goto end;
	}
#endif

	/* create buffer to send isakmp payload */
	iph1->sendbuf = ident_ir2mx(iph1);
	if (iph1->sendbuf == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to create send buffer");
		goto end;
	}

#ifdef HAVE_PRINT_ISAKMP_C
	isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
#endif

	/* send the packet, add to the schedule to resend */
	iph1->retry_counter = iph1->rmconf->retry_counter;
	if (isakmp_ph1resend(iph1) == -1) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to send packet");
		goto end;
	}

	/* the sending message is added to the received-list. */
	/* NOTE(review): presumably so a retransmitted message 2 is answered
	 * with the cached reply instead of being processed again — confirm */
	if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
	    PH1_NON_ESP_EXTRA_LEN(iph1)) == -1) {
		plog(LLV_ERROR , LOCATION, NULL,
			"failed to add a response packet to the tree.\n");
		goto end;
	}

	iph1->status = PHASE1ST_MSG2SENT;

	error = 0;

	IPSECSESSIONTRACEREVENT(iph1->parent_session,
		IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
		CONSTSTR("Initiator, Main-Mode message 3"),
		CONSTSTR(NULL));

end:
	if (error) {
		IPSECSESSIONTRACEREVENT(iph1->parent_session,
			IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
			CONSTSTR("Initiator, Main-Mode Message 3"),
			CONSTSTR("Failed to transmit Main-Mode Message 3"));
	}
	return error;
}
507
508/*
509 * receive from responder
510 * psk: HDR, KE, Nr
511 * sig: HDR, KE, Nr [, CR ]
512 * gssapi: HDR, KE, Nr, GSSr
513 * rsa: HDR, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i
514 * rev: HDR, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDr1_b>Ke_r,
515 */
/*
 * Process Main-Mode message 4 from the responder.  Returns 0 when the
 * message was accepted and iph1 advanced to PHASE1ST_MSG3RECEIVED, -1 on
 * error; on error the peer's KE, nonce, ID and CR stored in iph1 are
 * discarded again.  KE and NONCE are mandatory; CR, VID, GSS and NAT-D
 * are optional.
 */
int
ident_i3recv(iph1, msg)
	struct ph1handle *iph1;
	vchar_t *msg;
{
	vchar_t *pbuf = NULL;		/* parsed payload table, freed at end: */
	struct isakmp_parse_t *pa;
	int error = -1;			/* return value: 0 on success, -1 otherwise */
	int vid_numeric;		/* vendor ID as classified by check_vendorid() */
#ifdef HAVE_GSSAPI
	vchar_t *gsstoken = NULL;	/* copy of the GSS payload, freed at end: */
#endif
#ifdef ENABLE_NATT
	vchar_t *natd_received;		/* copy of one NAT-D payload, freed after comparing */
	int natd_seq = 0, natd_verified;	/* natd_seq: index of the NAT-D payload being checked */
#endif

	/* validity check */
	if (iph1->status != PHASE1ST_MSG2SENT) {
		plog(LLV_ERROR, LOCATION, NULL,
			"status mismatched %d.\n", iph1->status);
		goto end;
	}

	/* validate the type of next payload */
	pbuf = isakmp_parse(msg);
	if (pbuf == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to parse msg");
		goto end;
	}

	/* payloads are accepted in any order; each is stored into iph1 as seen */
	for (pa = (struct isakmp_parse_t *)pbuf->v;
	     pa->type != ISAKMP_NPTYPE_NONE;
	     pa++) {

		switch (pa->type) {
		case ISAKMP_NPTYPE_KE:
			if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) {
				plog(LLV_ERROR, LOCATION, NULL,
					"failed to process KE payload");
				goto end;
			}
			break;
		case ISAKMP_NPTYPE_NONCE:
			if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) {
				plog(LLV_ERROR, LOCATION, NULL,
					"failed to process NONCE payload");
				goto end;
			}
			break;
		case ISAKMP_NPTYPE_VID:
			vid_numeric = check_vendorid(pa->ptr);
#ifdef ENABLE_HYBRID
			switch (vid_numeric) {
			case VENDORID_XAUTH:
				iph1->mode_cfg->flags |=
				    ISAKMP_CFG_VENDORID_XAUTH;
				break;

			case VENDORID_UNITY:
				iph1->mode_cfg->flags |=
				    ISAKMP_CFG_VENDORID_UNITY;
				break;

			default:
				break;
			}
#endif
#ifdef ENABLE_DPD
			/* DPD needs the peer's VID and the local config option */
			if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd)
				iph1->dpd_support=1;
#endif

			break;
		case ISAKMP_NPTYPE_CR:
			if (oakley_savecr(iph1, pa->ptr) < 0) {
				plog(LLV_ERROR, LOCATION, NULL,
					"failed to process CR payload");
				goto end;
			}
			break;
#ifdef HAVE_GSSAPI
		case ISAKMP_NPTYPE_GSS:
			if (isakmp_p2ph(&gsstoken, pa->ptr) < 0) {
				plog(LLV_ERROR, LOCATION, NULL,
					"failed to process GSS payload");
				goto end;
			}
			/* gsstoken is still vfree'd at end:, so this presumably copies it */
			gssapi_save_received_token(iph1, gsstoken);
			break;
#endif

#ifdef ENABLE_NATT
		case ISAKMP_NPTYPE_NATD_DRAFT:
		case ISAKMP_NPTYPE_NATD_RFC:
#ifdef __APPLE__
		case ISAKMP_NPTYPE_NATD_BADDRAFT:
#endif
			/*
			 * Only the NAT-D payload type recorded in iph1->natt_options
			 * (presumably chosen from the peer's NAT-T VID in
			 * ident_i2recv()) is evaluated; any other NAT-D variant,
			 * or NAT-D without NAT-T, is silently skipped below.
			 */
			if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL &&
			    pa->type == iph1->natt_options->payload_nat_d) {
				natd_received = NULL;
				if (isakmp_p2ph (&natd_received, pa->ptr) < 0) {
					plog(LLV_ERROR, LOCATION, NULL,
						"failed to process NATD payload");
					goto end;
				}

				/* set both bits first so that we can clear them
				   upon verifying hashes */
				if (natd_seq == 0)
					iph1->natt_flags |= NAT_DETECTED;

				/* this function will clear appropriate bits bits
				   from iph1->natt_flags */
				natd_verified = natt_compare_addr_hash (iph1,
					natd_received, natd_seq++);

				plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n",
					natd_seq - 1,
					natd_verified ? "verified" : "doesn't match");

				vfree (natd_received);
				break;
			}
			/* %%%% Be lenient here - some servers send natd payloads */
			/* when no nat is detected */
			break;
#endif

		default:
			/* don't send information, see ident_r1recv() */
			plog(LLV_ERROR, LOCATION, iph1->remote,
				"ignore the packet, "
				"received unexpecting payload type %d.\n",
				pa->type);
			goto end;
		}
	}

#ifdef ENABLE_NATT
	/*
	 * Note that ports are floated here, before the KE/NONCE presence
	 * check below, i.e. on the strength of the NAT-D payloads alone.
	 */
	if (NATT_AVAILABLE(iph1)) {
		plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n",
		      iph1->natt_flags & NAT_DETECTED ?
		      		"detected:" : "not detected",
		      iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "",
		      iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : "");
		if (iph1->natt_flags & NAT_DETECTED)
			natt_float_ports (iph1);
	}
#endif

	/* payload existence check: KE and NONCE are mandatory */
	if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) {
		plog(LLV_ERROR, LOCATION, iph1->remote,
			"few isakmp message received.\n");
		goto end;
	}

	if (oakley_checkcr(iph1) < 0) {
		/* Ignore this error in order to be interoperability. */
		;
	}

	iph1->status = PHASE1ST_MSG3RECEIVED;

	error = 0;

	IPSECSESSIONTRACEREVENT(iph1->parent_session,
		IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
		CONSTSTR("Initiator, Main-Mode message 4"),
		CONSTSTR(NULL));

end:
	if (error) {
		IPSECSESSIONTRACEREVENT(iph1->parent_session,
			IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
			CONSTSTR("Initiator, Main-Mode Message 4"),
			CONSTSTR("Failed to process Main-Mode Message 4"));
	}
#ifdef HAVE_GSSAPI
	if (gsstoken)
		vfree(gsstoken);
#endif
	if (pbuf)
		vfree(pbuf);
	/* roll back everything this message stored into the handle */
	if (error) {
		VPTRINIT(iph1->dhpub_p);
		VPTRINIT(iph1->nonce_p);
		VPTRINIT(iph1->id_p);
		oakley_delcert(iph1->cr_p);
		iph1->cr_p = NULL;
	}

	return error;
}
712
713/*
714 * send to responder
715 * psk: HDR*, IDi1, HASH_I
716 * sig: HDR*, IDi1, [ CR, ] [ CERT, ] SIG_I
717 * gssapi: HDR*, IDi1, < Gssi(n) | HASH_I >
718 * rsa: HDR*, HASH_I
719 * rev: HDR*, HASH_I
720 */
/*
 * Build and send Main-Mode message 5, the first encrypted message of the
 * exchange: derives the DH shared secret and the SKEYID / SKEYID-DAE /
 * encryption key / IV, sets the local ID and HASH_I (unless a non-empty
 * GSS token takes its place), then sends.  msg0 is the received message 4
 * and is recorded together with the reply via add_recvdpkt().
 * Returns 0 on success, -1 on error.
 */
int
ident_i3send(iph1, msg0)
	struct ph1handle *iph1;
	vchar_t *msg0;
{
	int error = -1;		/* return value: 0 on success, -1 otherwise */
	int dohash = 1;		/* cleared when a GSS token replaces HASH_I */
#ifdef HAVE_GSSAPI
	int len;		/* presumably the token length returned by gssapi_get_itoken() */
#endif

	/* validity check */
	if (iph1->status != PHASE1ST_MSG3RECEIVED) {
		plog(LLV_ERROR, LOCATION, NULL,
			"status mismatched %d.\n", iph1->status);
		goto end;
	}

	/* compute sharing secret of DH */
	if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub,
				iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to compute DH");
		goto end;
	}

	/* generate SKEYIDs & IV & final cipher key (order matters: each step
	 * builds on the previous one) */
	if (oakley_skeyid(iph1) < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to generate SKEYID");
		goto end;
	}
	if (oakley_skeyid_dae(iph1) < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to generate SKEYID-DAE");
		goto end;
	}
	if (oakley_compute_enckey(iph1) < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to generate ENCKEY");
		goto end;
	}
	if (oakley_newiv(iph1) < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to generate IV");
		goto end;
	}

	/* make ID payload into isakmp status */
	if (ipsecdoi_setid1(iph1) < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to set ID");
		goto end;
	}

#ifdef HAVE_GSSAPI
	if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB &&
	    gssapi_more_tokens(iph1)) {
		plog(LLV_DEBUG, LOCATION, NULL, "calling get_itoken\n");
		if (gssapi_get_itoken(iph1, &len) < 0) {
			plog(LLV_ERROR, LOCATION, NULL,
				"failed to get GSSAPI token");
			goto end;
		}
		/* a non-empty token is sent instead of HASH_I */
		if (len != 0)
			dohash = 0;
	}
#endif

	/* generate HASH to send */
	if (dohash) {
		iph1->hash = oakley_ph1hash_common(iph1, GENERATE);
		if (iph1->hash == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
				"failed to generate HASH");
			goto end;
		}
	} else
		iph1->hash = NULL;

	/* set encryption flag: this and later phase 1 messages are encrypted */
	iph1->flags |= ISAKMP_FLAG_E;

	/* create HDR;ID;HASH payload */
	iph1->sendbuf = ident_ir3mx(iph1);
	if (iph1->sendbuf == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to allocate send buffer");
		goto end;
	}

	/* send the packet, add to the schedule to resend */
	iph1->retry_counter = iph1->rmconf->retry_counter;
	if (isakmp_ph1resend(iph1) == -1) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to send packet");
		goto end;
	}

	/* the sending message is added to the received-list. */
	if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg0,
	    PH1_NON_ESP_EXTRA_LEN(iph1)) == -1) {
		plog(LLV_ERROR , LOCATION, NULL,
			"failed to add a response packet to the tree.\n");
		goto end;
	}

	/* see handler.h about IV synchronization. */
	memcpy(iph1->ivm->ive->v, iph1->ivm->iv->v, iph1->ivm->iv->l);

	iph1->status = PHASE1ST_MSG3SENT;

	error = 0;

	IPSECSESSIONTRACEREVENT(iph1->parent_session,
		IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
		CONSTSTR("Initiator, Main-Mode message 5"),
		CONSTSTR(NULL));

end:
	if (error) {
		IPSECSESSIONTRACEREVENT(iph1->parent_session,
			IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
			CONSTSTR("Initiator, Main-Mode Message 5"),
			CONSTSTR("Failed to transmit Main-Mode Message 5"));
	}
	return error;
}
849
850/*
851 * receive from responder
852 * psk: HDR*, IDr1, HASH_R
853 * sig: HDR*, IDr1, [ CERT, ] SIG_R
854 * gssapi: HDR*, IDr1, < GSSr(n) | HASH_R >
855 * rsa: HDR*, HASH_R
856 * rev: HDR*, HASH_R
857 */
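/*
 * Process Main-Mode message 6 from the responder (HDR*, IDr1 and HASH_R,
 * SIG_R or a GSS token).  The packet must carry the encryption flag and is
 * decrypted into a private copy first.  Returns 0 when the peer was
 * authenticated and iph1 advanced to PHASE1ST_MSG4RECEIVED (or back to
 * PHASE1ST_MSG3RECEIVED when another GSS round trip is needed), -1 on
 * error; on error the peer's ID, CERT, CRL and SIG stored in iph1 are
 * discarded again.
 */
int
ident_i4recv(iph1, msg0)
	struct ph1handle *iph1;
	vchar_t *msg0;
{
	vchar_t *pbuf = NULL;		/* parsed payload table, freed at end: */
	struct isakmp_parse_t *pa;
	vchar_t *msg = NULL;		/* decrypted copy of msg0, freed at end: */
	int error = -1;			/* return value: 0 on success, -1 otherwise */
	int type;			/* result of oakley_validate_auth() */
	int vid_numeric;		/* vendor ID as classified by check_vendorid() */
#ifdef HAVE_GSSAPI
	vchar_t *gsstoken = NULL;	/* copy of the GSS payload, freed at end: */
#endif

	/* validity check */
	if (iph1->status != PHASE1ST_MSG3SENT) {
		plog(LLV_ERROR, LOCATION, NULL,
			"status mismatched %d.\n", iph1->status);
		goto end;
	}

	/* decrypting: message 6 must be encrypted */
	if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
		plog(LLV_ERROR, LOCATION, iph1->remote,
			"ignore the packet, "
			"expecting the packet encrypted.\n");
		goto end;
	}
	msg = oakley_do_decrypt(iph1, msg0, iph1->ivm->iv, iph1->ivm->ive);
	if (msg == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to decrypt");
		goto end;
	}

	/* validate the type of next payload */
	pbuf = isakmp_parse(msg);
	if (pbuf == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to parse msg");
		goto end;
	}

	/*
	 * pl_hash is pointed into the parsed message below; msg is vfree'd
	 * at end:, so the pointer is only meaningful within this call.
	 */
	iph1->pl_hash = NULL;

	for (pa = (struct isakmp_parse_t *)pbuf->v;
	     pa->type != ISAKMP_NPTYPE_NONE;
	     pa++) {

		switch (pa->type) {
		case ISAKMP_NPTYPE_ID:
			if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) {
				plog(LLV_ERROR, LOCATION, NULL,
					"failed to process ID payload");
				goto end;
			}
			break;
		case ISAKMP_NPTYPE_HASH:
			iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr;
			break;
		case ISAKMP_NPTYPE_CERT:
			if (oakley_savecert(iph1, pa->ptr) < 0) {
				plog(LLV_ERROR, LOCATION, NULL,
					"failed to process CERT payload");
				goto end;
			}
			break;
		case ISAKMP_NPTYPE_SIG:
			if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) {
				plog(LLV_ERROR, LOCATION, NULL,
					"failed to process SIG payload");
				goto end;
			}
			break;
#ifdef HAVE_GSSAPI
		case ISAKMP_NPTYPE_GSS:
			if (isakmp_p2ph(&gsstoken, pa->ptr) < 0) {
				plog(LLV_ERROR, LOCATION, NULL,
					"failed to process GSS payload");
				goto end;
			}
			/* gsstoken is still vfree'd at end:, so this presumably copies it */
			gssapi_save_received_token(iph1, gsstoken);
			break;
#endif
		case ISAKMP_NPTYPE_VID:
			vid_numeric = check_vendorid(pa->ptr);
#ifdef ENABLE_DPD
			/* DPD needs the peer's VID and the local config option */
			if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd)
				iph1->dpd_support=1;
#endif
			break;
		case ISAKMP_NPTYPE_N:
			isakmp_check_notify(pa->ptr, iph1);
			break;
		default:
			/* don't send information, see ident_r1recv() */
			plog(LLV_ERROR, LOCATION, iph1->remote,
				"ignore the packet, "
				"received unexpecting payload type %d.\n",
				pa->type);
			goto end;
		}
	}

	/*
	 * payload existence check: there is no explicit test here; an absent
	 * ID leaves id_p NULL, which ipsecdoi_checkid1() is expected to
	 * reject, and a missing HASH/SIG is left to oakley_validate_auth()
	 * — NOTE(review): confirm both against their definitions.
	 */

	/* verify identifier */
	if (ipsecdoi_checkid1(iph1) != 0) {
		plog(LLV_ERROR, LOCATION, iph1->remote,
			"invalid ID payload.\n");
		goto end;
	}

	/* validate authentication value (skipped while GSS tokens are still
	 * being exchanged) */
#ifdef HAVE_GSSAPI
	if (gsstoken == NULL) {
#endif
	type = oakley_validate_auth(iph1);
	if (type != 0) {
		IPSECSESSIONTRACEREVENT(iph1->parent_session,
			IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_FAIL,
			CONSTSTR("Initiator, Main-Mode Message 6"),
			CONSTSTR("Failed to authenticate Main-Mode Message 6"));
		if (type == -1) {
			/* msg printed inner oakley_validate_auth() */
			goto end;
		}
		/* a positive type is a notify type: tell the peer and give up */
		EVT_PUSH(iph1->local, iph1->remote,
		    EVTT_PEERPH1AUTH_FAILED, NULL);
		isakmp_info_send_n1(iph1, type, NULL);
		goto end;
	}
	IPSECSESSIONTRACEREVENT(iph1->parent_session,
		IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_SUCC,
		CONSTSTR("Initiator, Main-Mode Message 6"),
		CONSTSTR(NULL));
#ifdef HAVE_GSSAPI
	}
#endif

	/*
	 * XXX: Should we do compare two addresses, ph1handle's and ID
	 * payload's.
	 */

	plog(LLV_DEBUG, LOCATION, iph1->remote, "peer's ID:");
	plogdump(LLV_DEBUG, iph1->id_p->v, iph1->id_p->l);

	/* see handler.h about IV synchronization. */
	memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->ive->l);

	/*
	 * If we got a GSS token, we need to this roundtrip again.
	 */
#ifdef HAVE_GSSAPI
	iph1->status = gsstoken != NULL ? PHASE1ST_MSG3RECEIVED :
	    PHASE1ST_MSG4RECEIVED;
#else
	iph1->status = PHASE1ST_MSG4RECEIVED;
#endif

	error = 0;

	IPSECSESSIONTRACEREVENT(iph1->parent_session,
		IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
		CONSTSTR("Initiator, Main-Mode message 6"),
		CONSTSTR(NULL));

end:
	if (error) {
		/* this is the receive path: "process", consistent with
		 * ident_i2recv()/ident_i3recv(), not "transmit" */
		IPSECSESSIONTRACEREVENT(iph1->parent_session,
			IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
			CONSTSTR("Initiator, Main-Mode Message 6"),
			CONSTSTR("Failed to process Main-Mode Message 6"));
	}
	if (pbuf)
		vfree(pbuf);
	if (msg)
		vfree(msg);
#ifdef HAVE_GSSAPI
	if (gsstoken)
		vfree(gsstoken);
#endif

	/* roll back everything this message stored into the handle */
	if (error) {
		VPTRINIT(iph1->id_p);
		oakley_delcert(iph1->cert_p);
		iph1->cert_p = NULL;
		oakley_delcert(iph1->crl_p);
		iph1->crl_p = NULL;
		VPTRINIT(iph1->sig_p);
	}

	return error;
}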
1054
1055/*
1056 * status update and establish isakmp sa.
1057 */
/*
 * Final initiator step of Main Mode.  No message is sent: the IV is
 * synchronised (see handler.h) and the phase 1 SA is marked established.
 * msg is unused.  Returns 0 on success, -1 when iph1 is not in
 * PHASE1ST_MSG4RECEIVED.
 */
int
ident_i4send(iph1, msg)
	struct ph1handle *iph1;
	vchar_t *msg;
{
	/* validity check: only legal right after message 6 was accepted */
	if (iph1->status != PHASE1ST_MSG4RECEIVED) {
		plog(LLV_ERROR, LOCATION, NULL,
			"status mismatched %d.\n", iph1->status);
		return -1;
	}

	/* see handler.h about IV synchronization. */
	memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->iv->l);

	iph1->status = PHASE1ST_ESTABLISHED;

	IPSECSESSIONTRACEREVENT(iph1->parent_session,
		IPSECSESSIONEVENTCODE_IKEV1_PH1_INIT_SUCC,
		CONSTSTR("Initiator, Main-Mode"),
		CONSTSTR(NULL));

	return 0;
}
1087
1088/*
1089 * receive from initiator
1090 * psk: HDR, SA
1091 * sig: HDR, SA
1092 * rsa: HDR, SA
1093 * rev: HDR, SA
1094 */
1095int
1096ident_r1recv(iph1, msg)
1097 struct ph1handle *iph1;
1098 vchar_t *msg;
1099{
1100 vchar_t *pbuf = NULL;
1101 struct isakmp_parse_t *pa;
1102 int error = -1;
1103 int vid_numeric;
1104
1105 /* validity check */
1106 if (iph1->status != PHASE1ST_START) {
1107 plog(LLV_ERROR, LOCATION, NULL,
1108 "status mismatched %d.\n", iph1->status);
1109 goto end;
1110 }
1111
1112 /* validate the type of next payload */
1113 /*
1114 * NOTE: XXX even if multiple VID, we'll silently ignore those.
1115 */
1116 pbuf = isakmp_parse(msg);
1117 if (pbuf == NULL) {
1118 plog(LLV_ERROR, LOCATION, NULL,
1119 "failed to parse msg");
52b7d2ce 1120 goto end;
d1e348cf 1121 }
1122 pa = (struct isakmp_parse_t *)pbuf->v;
1123
1124 /* check the position of SA payload */
1125 if (pa->type != ISAKMP_NPTYPE_SA) {
1126 plog(LLV_ERROR, LOCATION, iph1->remote,
1127 "received invalid next payload type %d, "
1128 "expecting %d.\n",
1129 pa->type, ISAKMP_NPTYPE_SA);
1130 goto end;
1131 }
1132 if (isakmp_p2ph(&iph1->sa, pa->ptr) < 0) {
1133 plog(LLV_ERROR, LOCATION, NULL,
1134 "failed to process SA payload");
52b7d2ce 1135 goto end;
d1e348cf 1136 }
1137 pa++;
1138
1139 for (/*nothing*/;
1140 pa->type != ISAKMP_NPTYPE_NONE;
1141 pa++) {
1142
1143 switch (pa->type) {
1144 case ISAKMP_NPTYPE_VID:
1145 vid_numeric = check_vendorid(pa->ptr);
1146#ifdef ENABLE_NATT
1147 if (iph1->rmconf->nat_traversal && natt_vendorid(vid_numeric))
1148 natt_handle_vendorid(iph1, vid_numeric);
1149#endif
d1e348cf
A
1150#ifdef ENABLE_FRAG
1151 if ((vid_numeric == VENDORID_FRAG) &&
1152 (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_IDENT))
1153 iph1->frag = 1;
1154#endif
1155#ifdef ENABLE_HYBRID
1156 switch (vid_numeric) {
1157 case VENDORID_XAUTH:
1158 iph1->mode_cfg->flags |=
1159 ISAKMP_CFG_VENDORID_XAUTH;
1160 break;
1161
1162 case VENDORID_UNITY:
1163 iph1->mode_cfg->flags |=
1164 ISAKMP_CFG_VENDORID_UNITY;
1165 break;
1166
1167 default:
1168 break;
1169 }
1170#endif
52b7d2ce
A
1171#ifdef ENABLE_DPD
1172 if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd)
1173 iph1->dpd_support=1;
1174#endif
1175 break;
1176 default:
1177 /*
1178 * We don't send information to the peer even
1179 * if we received malformed packet. Because we
1180 * can't distinguish the malformed packet and
1181 * the re-sent packet. And we do same behavior
1182 * when we expect encrypted packet.
1183 */
1184 plog(LLV_ERROR, LOCATION, iph1->remote,
1185 "ignore the packet, "
1186 "received unexpecting payload type %d.\n",
1187 pa->type);
1188 goto end;
1189 }
1190 }
1191
1192#ifdef ENABLE_NATT
1193 if (NATT_AVAILABLE(iph1))
1194 plog(LLV_INFO, LOCATION, iph1->remote,
1195 "Selected NAT-T version: %s\n",
1196 vid_string_by_id(iph1->natt_options->version));
1197#endif
1198
1199 /* check SA payload and set approval SA for use */
1200 if (ipsecdoi_checkph1proposal(iph1->sa, iph1) < 0) {
1201 plog(LLV_ERROR, LOCATION, iph1->remote,
1202 "failed to get valid proposal.\n");
1203 /* XXX send information */
1204 goto end;
1205 }
1206
1207 iph1->status = PHASE1ST_MSG1RECEIVED;
1208
1209 error = 0;
1210
d1e348cf
A
1211 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1212 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
1213 CONSTSTR("Responder, Main-Mode message 1"),
1214 CONSTSTR(NULL));
1215
52b7d2ce 1216end:
d1e348cf
A
1217 if (error) {
1218 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1219 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
1220 CONSTSTR("Responder, Main-Mode Message 1"),
1221 CONSTSTR("Failed to process Main-Mode Message 1"));
1222 }
52b7d2ce
A
1223 if (pbuf)
1224 vfree(pbuf);
1225 if (error) {
1226 VPTRINIT(iph1->sa);
1227 }
1228
1229 return error;
1230}
1231
1232/*
1233 * send to initiator
1234 * psk: HDR, SA
1235 * sig: HDR, SA
1236 * rsa: HDR, SA
1237 * rev: HDR, SA
1238 */
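/*
 * Responder side, Main Mode message 2: HDR, SA (same shape for psk, sig,
 * rsa and rev authentication), followed by the Vendor IDs we answer with.
 *
 * Parameters:
 *   iph1  phase 1 handle; must be in PHASE1ST_MSG1RECEIVED with the
 *         accepted proposal already in iph1->sa_ret / iph1->approval.
 *   msg   the message 1 being answered; it is recorded together with the
 *         reply by add_recvdpkt() (see the comment at that call).
 *
 * Generates the responder cookie, builds SA + VID payloads, sends the
 * message through isakmp_ph1resend() (so it is retransmitted until the
 * next message arrives) and moves the handle to PHASE1ST_MSG1SENT.
 * Returns 0 on success, -1 on failure.
 *
 * Security / review notes:
 *   - The Vendor IDs sent back mirror what message 1 announced (XAUTH,
 *     Unity, NAT-T, fragmentation) or what rmconf enables (DPD).
 *   - Fix: the result of isakmp_plist_set_all() is now checked before the
 *     buffer is handed to isakmp_ph1resend(), matching ident_r2send() and
 *     ident_r3send().  Previously an allocation failure would have left
 *     iph1->sendbuf NULL and still attempted to send / record it.
 */
int
ident_r1send(iph1, msg)
	struct ph1handle *iph1;
	vchar_t *msg;
{
	struct payload_list *plist = NULL;
	int error = -1;
	vchar_t *gss_sa = NULL;
#ifdef HAVE_GSSAPI
	int free_gss_sa = 0;
#endif
#ifdef ENABLE_NATT
	vchar_t *vid_natt = NULL;
#endif
#ifdef ENABLE_HYBRID
	vchar_t *vid_xauth = NULL;
	vchar_t *vid_unity = NULL;
#endif
#ifdef ENABLE_DPD
	vchar_t *vid_dpd = NULL;
#endif
#ifdef ENABLE_FRAG
	vchar_t *vid_frag = NULL;
#endif

	/* validity check */
	if (iph1->status != PHASE1ST_MSG1RECEIVED) {
		plog(LLV_ERROR, LOCATION, NULL,
			"status mismatched %d.\n", iph1->status);
		goto end;
	}

	/* set responder's cookie */
	isakmp_newcookie((caddr_t)&iph1->index.r_ck, iph1->remote, iph1->local);

#ifdef HAVE_GSSAPI
	/*
	 * With GSSAPI the SA we echo may be rebuilt from the approval rather
	 * than reused; only free it below if it is a distinct buffer.
	 */
	if (iph1->approval->gssid != NULL) {
		gss_sa = ipsecdoi_setph1proposal(iph1->approval);
		if (gss_sa != iph1->sa_ret)
			free_gss_sa = 1;
	} else
#endif
		gss_sa = iph1->sa_ret;

	/* set SA payload to reply */
	plist = isakmp_plist_append(plist, gss_sa, ISAKMP_NPTYPE_SA);

#ifdef ENABLE_HYBRID
	/* Echo the mode-config VIDs that ident_r1recv() recorded. */
	if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) {
		plog (LLV_INFO, LOCATION, NULL, "Adding xauth VID payload.\n");
		if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "Cannot create Xauth vendor ID\n");
			goto end;
		}
		plist = isakmp_plist_append(plist,
		    vid_xauth, ISAKMP_NPTYPE_VID);
	}

	if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_UNITY) {
		if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "Cannot create Unity vendor ID\n");
			goto end;
		}
		plist = isakmp_plist_append(plist,
		    vid_unity, ISAKMP_NPTYPE_VID);
	}
#endif
#ifdef ENABLE_NATT
	/* Has the peer announced NAT-T? */
	if (NATT_AVAILABLE(iph1))
		vid_natt = set_vendorid(iph1->natt_options->version);

	if (vid_natt)
		plist = isakmp_plist_append(plist, vid_natt, ISAKMP_NPTYPE_VID);
#endif
#ifdef ENABLE_DPD
	/* XXX only send DPD VID if remote sent it ? */
	if(iph1->rmconf->dpd){
		vid_dpd = set_vendorid(VENDORID_DPD);
		if (vid_dpd != NULL)
			plist = isakmp_plist_append(plist, vid_dpd, ISAKMP_NPTYPE_VID);
	}
#endif
#ifdef ENABLE_FRAG
	/* Only offered back if the peer announced it (iph1->frag). */
	if (iph1->frag) {
		vid_frag = set_vendorid(VENDORID_FRAG);
		if (vid_frag != NULL)
			vid_frag = isakmp_frag_addcap(vid_frag,
			    VENDORID_FRAG_IDENT);
		if (vid_frag == NULL)
			plog(LLV_ERROR, LOCATION, NULL,
			    "Frag vendorID construction failed\n");
		else
			plist = isakmp_plist_append(plist,
			    vid_frag, ISAKMP_NPTYPE_VID);
	}
#endif

	/*
	 * isakmp_plist_set_all() consumes plist and returns NULL on failure
	 * (ident_r2send() checks for that too); never hand a NULL buffer to
	 * isakmp_ph1resend() / add_recvdpkt().
	 */
	iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
	if (iph1->sendbuf == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to create send buffer\n");
		goto end;
	}

#ifdef HAVE_PRINT_ISAKMP_C
	isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
#endif

	/* send the packet, add to the schedule to resend */
	iph1->retry_counter = iph1->rmconf->retry_counter;
	if (isakmp_ph1resend(iph1) == -1) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to send packet");
		goto end;
	}

	/* the sending message is added to the received-list. */
	if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
                     PH1_NON_ESP_EXTRA_LEN(iph1)) == -1) {
		plog(LLV_ERROR , LOCATION, NULL,
			"failed to add a response packet to the tree.\n");
		goto end;
	}

	iph1->status = PHASE1ST_MSG1SENT;

#ifdef ENABLE_VPNCONTROL_PORT
	vpncontrol_notify_phase_change(1, FROM_LOCAL, iph1, NULL);
#endif

	error = 0;

	IPSECSESSIONTRACEREVENT(iph1->parent_session,
							IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
							CONSTSTR("Responder, Main-Mode message 2"),
							CONSTSTR(NULL));

end:
	if (error) {
		IPSECSESSIONTRACEREVENT(iph1->parent_session,
								IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
								CONSTSTR("Responder, Main-Mode Message 2"),
								CONSTSTR("Failed to transmit Main-Mode Message 2"));
	}
#ifdef HAVE_GSSAPI
	if (free_gss_sa)
		vfree(gss_sa);
#endif
#ifdef ENABLE_NATT
	if (vid_natt)
		vfree(vid_natt);
#endif
#ifdef ENABLE_HYBRID
	if (vid_xauth != NULL)
		vfree(vid_xauth);
	if (vid_unity != NULL)
		vfree(vid_unity);
#endif
#ifdef ENABLE_DPD
	if (vid_dpd != NULL)
		vfree(vid_dpd);
#endif
#ifdef ENABLE_FRAG
	if (vid_frag != NULL)
		vfree(vid_frag);
#endif

	return error;
}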
1406
1407/*
1408 * receive from initiator
1409 * psk: HDR, KE, Ni
1410 * sig: HDR, KE, Ni
1411 * gssapi: HDR, KE, Ni, GSSi
1412 * rsa: HDR, KE, [ HASH(1), ] <IDi1_b>PubKey_r, <Ni_b>PubKey_r
1413 * rev: HDR, [ HASH(1), ] <Ni_b>Pubkey_r, <KE_b>Ke_i,
1414 * <IDi1_b>Ke_i, [<<Cert-I_b>Ke_i]
1415 */
/*
 * Responder side, Main Mode message 3 - the initiator's key exchange:
 *   psk:    HDR, KE, Ni
 *   sig:    HDR, KE, Ni
 *   gssapi: HDR, KE, Ni, GSSi
 *   (rsa / rev shapes as listed above this function)
 *
 * Parameters:
 *   iph1  phase 1 handle; must be in PHASE1ST_MSG1SENT.
 *   msg   the received ISAKMP message (still cleartext).
 *
 * Saves the peer's DH public value in iph1->dhpub_p and its nonce in
 * iph1->nonce_p, records a GSS token if present, evaluates NAT-D payloads,
 * and moves the handle to PHASE1ST_MSG2RECEIVED.  Returns 0 on success,
 * -1 on failure; on failure dhpub_p / nonce_p / id_p are released again.
 *
 * Security notes (review):
 *   - This message is still unauthenticated.  dhpub_p is stored verbatim;
 *     whether degenerate values (0, 1, p-1 or out of range) are rejected
 *     depends on oakley_dh_compute(), which is not visible here - confirm.
 *   - NAT-D payloads are only evaluated when the NAT-T VID exchange of
 *     message 1 selected that payload type; any others are deliberately
 *     tolerated (see the "Be lenient" comment).
 *   - As in ident_r1recv(), malformed input is dropped without sending an
 *     INFORMATIONAL back.
 */
int
ident_r2recv(iph1, msg)
	struct ph1handle *iph1;
	vchar_t *msg;
{
	vchar_t *pbuf = NULL;
	struct isakmp_parse_t *pa;
	int error = -1;
#ifdef HAVE_GSSAPI
	vchar_t *gsstoken = NULL;
#endif
#ifdef ENABLE_NATT
	int natd_seq = 0;
#endif

	/* validity check */
	if (iph1->status != PHASE1ST_MSG1SENT) {
		plog(LLV_ERROR, LOCATION, NULL,
			"status mismatched %d.\n", iph1->status);
		goto end;
	}

	/* validate the type of next payload */
	pbuf = isakmp_parse(msg);
	if (pbuf == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to parse msg");
		goto end;
	}

	for (pa = (struct isakmp_parse_t *)pbuf->v;
	     pa->type != ISAKMP_NPTYPE_NONE;
	     pa++) {
		switch (pa->type) {
		case ISAKMP_NPTYPE_KE:
			/* peer's DH public value, consumed by ident_r2send(). */
			if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) {
				plog(LLV_ERROR, LOCATION, NULL,
					"failed to process KE payload");
				goto end;
			}
			break;
		case ISAKMP_NPTYPE_NONCE:
			if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) {
				plog(LLV_ERROR, LOCATION, NULL,
					"failed to process NONCE payload");
				goto end;
			}
			break;
		case ISAKMP_NPTYPE_VID:
			/* VIDs in message 3 are logged but do not change state. */
			(void)check_vendorid(pa->ptr);
			break;
		case ISAKMP_NPTYPE_CR:
			plog(LLV_WARNING, LOCATION, iph1->remote,
				"CR received, ignore it. "
				"It should be in other exchange.\n");
			break;
#ifdef HAVE_GSSAPI
		case ISAKMP_NPTYPE_GSS:
			if (isakmp_p2ph(&gsstoken, pa->ptr) < 0) {
				plog(LLV_ERROR, LOCATION, NULL,
					"failed to process GSS payload");
				goto end;
			}
			/* gsstoken itself is freed at end:; presumably copied here. */
			gssapi_save_received_token(iph1, gsstoken);
			break;
#endif

#ifdef ENABLE_NATT
		case ISAKMP_NPTYPE_NATD_DRAFT:
		case ISAKMP_NPTYPE_NATD_RFC:
#ifdef __APPLE__
		case ISAKMP_NPTYPE_NATD_BADDRAFT:
#endif
			/* Only the NAT-D payload type negotiated via VID counts. */
			if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL &&
			    pa->type == iph1->natt_options->payload_nat_d)
			{
				vchar_t *natd_received = NULL;
				int natd_verified;

				if (isakmp_p2ph (&natd_received, pa->ptr) < 0) {
					plog(LLV_ERROR, LOCATION, NULL,
						"failed to process NATD payload");
					goto end;
				}

				/*
				 * NAT_DETECTED is set on the first NAT-D
				 * payload; natt_compare_addr_hash() refines
				 * it into ME / PEER per payload.
				 */
				if (natd_seq == 0)
					iph1->natt_flags |= NAT_DETECTED;

				natd_verified = natt_compare_addr_hash (iph1,
					natd_received, natd_seq++);

				plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n",
					natd_seq - 1,
					natd_verified ? "verified" : "doesn't match");

				vfree (natd_received);
				break;
			}
			/* %%%% Be lenient here - some servers send natd payloads */
			/* when no nat is detected */
			break;
#endif

		default:
			/* don't send information, see ident_r1recv() */
			plog(LLV_ERROR, LOCATION, iph1->remote,
				"ignore the packet, "
				"received unexpecting payload type %d.\n",
				pa->type);
			goto end;
		}
	}

#ifdef ENABLE_NATT
	if (NATT_AVAILABLE(iph1))
		plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n",
		      iph1->natt_flags & NAT_DETECTED ?
		      		"detected:" : "not detected",
		      iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "",
		      iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : "");
#endif

	/* payload existency check: both KE and NONCE are mandatory. */
	if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) {
		plog(LLV_ERROR, LOCATION, iph1->remote,
			"few isakmp message received.\n");
		goto end;
	}

	iph1->status = PHASE1ST_MSG2RECEIVED;

	error = 0;

	IPSECSESSIONTRACEREVENT(iph1->parent_session,
							IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
							CONSTSTR("Responder, Main-Mode message 3"),
							CONSTSTR(NULL));

end:
	if (error) {
		IPSECSESSIONTRACEREVENT(iph1->parent_session,
								IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
								CONSTSTR("Responder, Main-Mode Message 3"),
								CONSTSTR("Failed to process Main-Mode Message 3"));
	}
	if (pbuf)
		vfree(pbuf);
#ifdef HAVE_GSSAPI
	if (gsstoken)
		vfree(gsstoken);
#endif

	if (error) {
		/* id_p is not set in this exchange; cleared for symmetry. */
		VPTRINIT(iph1->dhpub_p);
		VPTRINIT(iph1->nonce_p);
		VPTRINIT(iph1->id_p);
	}

	return error;
}
1576
1577/*
1578 * send to initiator
1579 * psk: HDR, KE, Nr
1580 * sig: HDR, KE, Nr [, CR ]
1581 * gssapi: HDR, KE, Nr, GSSr
1582 * rsa: HDR, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i
1583 * rev: HDR, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDr1_b>Ke_r,
1584 */
/*
 * Responder side, Main Mode message 4 - our key exchange:
 *   psk:    HDR, KE, Nr
 *   sig:    HDR, KE, Nr [, CR ]
 *   gssapi: HDR, KE, Nr, GSSr
 *   (rsa / rev shapes as listed above this function)
 *
 * Parameters:
 *   iph1  phase 1 handle; must be in PHASE1ST_MSG2RECEIVED.
 *   msg   the message 3 being answered (recorded via add_recvdpkt()).
 *
 * Generates our DH key pair and a nonce of rmconf->nonce_size bytes,
 * builds the message with ident_ir2mx(), sends it with retransmission
 * (isakmp_ph1resend()), and only then derives the shared secret, the
 * SKEYIDs, the cipher key and the IV used by the encrypted messages that
 * follow.  Moves the handle to PHASE1ST_MSG2SENT.  Returns 0 / -1.
 *
 * Security notes (review):
 *   - The key derivation runs after the packet is already on the wire and
 *     queued for retransmission; a failure in any oakley_* step leaves the
 *     handle in PHASE1ST_MSG2RECEIVED with a reply scheduled.  The caller
 *     presumably tears the handle down on -1 - confirm.
 *   - The shared secret is computed from iph1->dhpub_p, the peer-supplied
 *     value saved by ident_r2recv(); any validation of that value is up to
 *     oakley_dh_compute(), which is not visible here.
 */
int
ident_r2send(iph1, msg)
	struct ph1handle *iph1;
	vchar_t *msg;
{
	int error = -1;

	/* validity check */
	if (iph1->status != PHASE1ST_MSG2RECEIVED) {
		plog(LLV_ERROR, LOCATION, NULL,
			"status mismatched %d.\n", iph1->status);
		goto end;
	}

	/* generate DH public value */
	if (oakley_dh_generate(iph1->approval->dhgrp,
				&iph1->dhpub, &iph1->dhpriv) < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to generate DH");
		goto end;
	}

	/* generate NONCE value */
	iph1->nonce = eay_set_random(iph1->rmconf->nonce_size);
	if (iph1->nonce == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to generate NONCE");
		goto end;
	}

#ifdef HAVE_GSSAPI
	/* return value deliberately ignored (original behaviour). */
	if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB)
		gssapi_get_rtoken(iph1, NULL);
#endif

	/* create HDR;KE;NONCE payload */
	iph1->sendbuf = ident_ir2mx(iph1);
	if (iph1->sendbuf == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to allocate send buffer");
		goto end;
	}

#ifdef HAVE_PRINT_ISAKMP_C
	isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
#endif

	/* send the packet, add to the schedule to resend */
	iph1->retry_counter = iph1->rmconf->retry_counter;
	if (isakmp_ph1resend(iph1) == -1) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to send packet");
		goto end;
	}

	/* the sending message is added to the received-list. */
	if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
                     PH1_NON_ESP_EXTRA_LEN(iph1)) == -1) {
		plog(LLV_ERROR , LOCATION, NULL,
			"failed to add a response packet to the tree.\n");
		goto end;
	}

	/* compute sharing secret of DH (dhpub_p is the peer's untrusted KE). */
	if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub,
				iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to compute DH");
		goto end;
	}

	/* generate SKEYIDs & IV & final cipher key */
	if (oakley_skeyid(iph1) < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to generate SKEYID");
		goto end;
	}
	if (oakley_skeyid_dae(iph1) < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to generate SKEYID-DAE");
		goto end;
	}
	if (oakley_compute_enckey(iph1) < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to generate ENCKEY");
		goto end;
	}
	if (oakley_newiv(iph1) < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to generate IV");
		goto end;
	}

	iph1->status = PHASE1ST_MSG2SENT;

	error = 0;

	IPSECSESSIONTRACEREVENT(iph1->parent_session,
							IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
							CONSTSTR("Responder, Main-Mode message 4"),
							CONSTSTR(NULL));

end:
	if (error) {
		IPSECSESSIONTRACEREVENT(iph1->parent_session,
								IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
								CONSTSTR("Responder, Main-Mode Message 4"),
								CONSTSTR("Failed to transmit Main-Mode Message 4"));
	}
	return error;
}
1696
1697/*
1698 * receive from initiator
1699 * psk: HDR*, IDi1, HASH_I
1700 * sig: HDR*, IDi1, [ CR, ] [ CERT, ] SIG_I
1701 * gssapi: HDR*, [ IDi1, ] < GSSi(n) | HASH_I >
1702 * rsa: HDR*, HASH_I
1703 * rev: HDR*, HASH_I
1704 */
/*
 * Responder side, Main Mode message 5 - the first encrypted message and
 * the one that authenticates the initiator:
 *   psk:    HDR*, IDi1, HASH_I
 *   sig:    HDR*, IDi1, [ CR, ] [ CERT, ] SIG_I
 *   gssapi: HDR*, [ IDi1, ] < GSSi(n) | HASH_I >
 *   rsa:    HDR*, HASH_I
 *   rev:    HDR*, HASH_I
 *
 * Parameters:
 *   iph1  phase 1 handle; must be in PHASE1ST_MSG2SENT.
 *   msg0  the received message, still encrypted; ISAKMP_FLAG_E must be set.
 *
 * Decrypts with the phase 1 IV, collects ID / HASH / CERT / SIG / CR / GSS
 * payloads, checks that every payload the negotiated authentication
 * method requires is present, verifies the peer's ID (ipsecdoi_checkid1())
 * and the authenticator (oakley_validate_auth()), synchronises the IV and
 * moves the handle to PHASE1ST_MSG3RECEIVED (or back to
 * PHASE1ST_MSG2RECEIVED when a further GSS round trip is needed).
 * Returns 0 on success, -1 on failure; on failure the peer's ID, certs,
 * CRL, signature and CR are released again.
 *
 * Security notes (review):
 *   - Everything received before this message was unauthenticated; only
 *     what oakley_validate_auth() covers is authenticated now.
 *   - iph1->pl_hash is a raw pa->ptr from isakmp_parse(msg) and presumably
 *     aliases the decrypted buffer that is freed at end:.  It is reset on
 *     entry but not on exit, so it must not be dereferenced after this
 *     call returns.
 *   - An authentication failure with a notify type (type > 0) is answered
 *     with an INFORMATIONAL carrying that type; an internal error
 *     (type == -1) is not answered.
 *   - The "XXX" about comparing the ID payload's address with the handle's
 *     address is still open; ipsecdoi_checkid1() is the only ID check.
 */
int
ident_r3recv(iph1, msg0)
	struct ph1handle *iph1;
	vchar_t *msg0;
{
	vchar_t *msg = NULL;
	vchar_t *pbuf = NULL;
	struct isakmp_parse_t *pa;
	int error = -1;
	int type;
#ifdef HAVE_GSSAPI
	vchar_t *gsstoken = NULL;
#endif

	/* validity check */
	if (iph1->status != PHASE1ST_MSG2SENT) {
		plog(LLV_ERROR, LOCATION, NULL,
			"status mismatched %d.\n", iph1->status);
		goto end;
	}

	/* decrypting: a cleartext message 5 is rejected outright. */
	if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
		plog(LLV_ERROR, LOCATION, iph1->remote,
			"reject the packet, "
			"expecting the packet encrypted.\n");
		goto end;
	}
	msg = oakley_do_decrypt(iph1, msg0, iph1->ivm->iv, iph1->ivm->ive);
	if (msg == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to decrypt");
		goto end;
	}

	/* validate the type of next payload */
	pbuf = isakmp_parse(msg);
	if (pbuf == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to parse msg");
		goto end;
	}

	/* Never reuse a HASH pointer left over from an earlier message. */
	iph1->pl_hash = NULL;

	for (pa = (struct isakmp_parse_t *)pbuf->v;
	     pa->type != ISAKMP_NPTYPE_NONE;
	     pa++) {

		switch (pa->type) {
		case ISAKMP_NPTYPE_ID:
			if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) {
				plog(LLV_ERROR, LOCATION, NULL,
					"failed to process ID payload");
				goto end;
			}
			break;
		case ISAKMP_NPTYPE_HASH:
			/* borrowed pointer into the parsed buffer, see header. */
			iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr;
			break;
		case ISAKMP_NPTYPE_CR:
			if (oakley_savecr(iph1, pa->ptr) < 0) {
				plog(LLV_ERROR, LOCATION, NULL,
					"failed to process CR payload");
				goto end;
			}
			break;
		case ISAKMP_NPTYPE_CERT:
			if (oakley_savecert(iph1, pa->ptr) < 0) {
				plog(LLV_ERROR, LOCATION, NULL,
					"failed to process CERT payload");
				goto end;
			}
			break;
		case ISAKMP_NPTYPE_SIG:
			if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) {
				plog(LLV_ERROR, LOCATION, NULL,
					"failed to process SIG payload");
				goto end;
			}
			break;
#ifdef HAVE_GSSAPI
		case ISAKMP_NPTYPE_GSS:
			if (isakmp_p2ph(&gsstoken, pa->ptr) < 0) {
				plog(LLV_ERROR, LOCATION, NULL,
					"failed to process GSS payload");
				goto end;
			}
			gssapi_save_received_token(iph1, gsstoken);
			break;
#endif
		case ISAKMP_NPTYPE_VID:
			(void)check_vendorid(pa->ptr);
			break;
		case ISAKMP_NPTYPE_N:
			/* result ignored: notifications here are informational only. */
			isakmp_check_notify(pa->ptr, iph1);
			break;
		default:
			/* don't send information, see ident_r1recv() */
			plog(LLV_ERROR, LOCATION, iph1->remote,
				"ignore the packet, "
				"received unexpecting payload type %d.\n",
				pa->type);
			goto end;
		}
	}

	/* payload existency check */
	/* XXX same as ident_i4recv(), should be merged. */
	{
		int ng = 0;

		/*
		 * Which payloads are mandatory depends on the authentication
		 * method that was negotiated in message 1/2.
		 */
		switch (AUTHMETHOD(iph1)) {
		case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
#ifdef ENABLE_HYBRID
		case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
		case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
		case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
#endif
			if (iph1->id_p == NULL || iph1->pl_hash == NULL)
				ng++;
			break;
		case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
		case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
#ifdef ENABLE_HYBRID
		case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
		case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
#endif
			if (iph1->id_p == NULL || iph1->sig_p == NULL)
				ng++;
			break;
		case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
		case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
#ifdef ENABLE_HYBRID
		case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
		case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
#endif
			/* id_p is not required here; ipsecdoi_checkid1() below
			 * is relied on to reject a missing ID. */
			if (iph1->pl_hash == NULL)
				ng++;
			break;
#ifdef HAVE_GSSAPI
		case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
			if (gsstoken == NULL && iph1->pl_hash == NULL)
				ng++;
			break;
#endif
		default:
			/* note: switch is on AUTHMETHOD(iph1), log shows the raw value. */
			plog(LLV_ERROR, LOCATION, iph1->remote,
				"invalid authmethod %d why ?\n",
				iph1->approval->authmethod);
			goto end;
		}
		if (ng) {
			plog(LLV_ERROR, LOCATION, iph1->remote,
				"few isakmp message received.\n");
			goto end;
		}
	}

	/* verify identifier */
	if (ipsecdoi_checkid1(iph1) != 0) {
		plog(LLV_ERROR, LOCATION, iph1->remote,
			"invalid ID payload.\n");
		goto end;
	}

	/* validate authentication value (skipped while GSS tokens are pending) */
#ifdef HAVE_GSSAPI
	if (gsstoken == NULL) {
#endif
		type = oakley_validate_auth(iph1);
		if (type != 0) {
			IPSECSESSIONTRACEREVENT(iph1->parent_session,
									IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_FAIL,
									CONSTSTR("Responder, Main-Mode Message 5"),
									CONSTSTR("Failed to authenticate Main-Mode Message 5"));
			if (type == -1) {
				/* msg printed inner oakley_validate_auth() */
				goto end;
			}
			/* type is a notify code: tell the peer why it was rejected. */
			EVT_PUSH(iph1->local, iph1->remote,
			    EVTT_PEERPH1AUTH_FAILED, NULL);
			isakmp_info_send_n1(iph1, type, NULL);
			goto end;
		}
		IPSECSESSIONTRACEREVENT(iph1->parent_session,
								IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_SUCC,
								CONSTSTR("Responder, Main-Mode Message 5"),
								CONSTSTR(NULL));
#ifdef HAVE_GSSAPI
	}
#endif

	if (oakley_checkcr(iph1) < 0) {
		/* Ignore this error in order to be interoperability. */
		;
	}

	/*
	 * XXX: Should we do compare two addresses, ph1handle's and ID
	 * payload's.
	 */

	plog(LLV_DEBUG, LOCATION, iph1->remote, "peer's ID\n");
	plogdump(LLV_DEBUG, iph1->id_p->v, iph1->id_p->l);

	/* see handler.h about IV synchronization. */
	memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->ive->l);

#ifdef HAVE_GSSAPI
	/* another GSS token means another message 3/4 round trip. */
	iph1->status = gsstoken != NULL ? PHASE1ST_MSG2RECEIVED :
	    PHASE1ST_MSG3RECEIVED;
#else
	iph1->status = PHASE1ST_MSG3RECEIVED;
#endif

	error = 0;

	IPSECSESSIONTRACEREVENT(iph1->parent_session,
							IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
							CONSTSTR("Responder, Main-Mode message 5"),
							CONSTSTR(NULL));

end:
	if (error) {
		IPSECSESSIONTRACEREVENT(iph1->parent_session,
								IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
								CONSTSTR("Responder, Main-Mode Message 5"),
								CONSTSTR("Failed to process Main-Mode Message 5"));
	}
	if (pbuf)
		vfree(pbuf);
	if (msg)
		vfree(msg);
#ifdef HAVE_GSSAPI
	if (gsstoken)
		vfree(gsstoken);
#endif

	if (error) {
		/* Discard everything learnt from the unauthenticated peer. */
		VPTRINIT(iph1->id_p);
		oakley_delcert(iph1->cert_p);
		iph1->cert_p = NULL;
		oakley_delcert(iph1->crl_p);
		iph1->crl_p = NULL;
		VPTRINIT(iph1->sig_p);
		oakley_delcert(iph1->cr_p);
		iph1->cr_p = NULL;
	}

	return error;
}
1957
1958/*
1959 * send to initiator
1960 * psk: HDR*, IDr1, HASH_R
1961 * sig: HDR*, IDr1, [ CERT, ] SIG_R
1962 * gssapi: HDR*, IDr1, < GSSr(n) | HASH_R >
1963 * rsa: HDR*, HASH_R
1964 * rev: HDR*, HASH_R
1965 */
/*
 * Responder side, Main Mode message 6 - the last message of the exchange:
 *   psk:    HDR*, IDr1, HASH_R
 *   sig:    HDR*, IDr1, [ CERT, ] SIG_R
 *   gssapi: HDR*, IDr1, < GSSr(n) | HASH_R >
 *   rsa:    HDR*, HASH_R
 *   rev:    HDR*, HASH_R
 *
 * Parameters:
 *   iph1  phase 1 handle; must be in PHASE1ST_MSG3RECEIVED.
 *   msg   the message 5 being answered (recorded via add_recvdpkt()).
 *
 * Sets up our ID payload, computes HASH_R (unless a further GSS token is
 * sent instead), marks the message as encrypted (ISAKMP_FLAG_E), builds it
 * with ident_ir3mx() and sends it once with isakmp_send().  On success the
 * phase 1 IV is synchronised and the handle becomes PHASE1ST_ESTABLISHED.
 * Returns 0 / -1.
 *
 * Notes (review):
 *   - Unlike messages 2 and 4 this reply goes through isakmp_send(), not
 *     isakmp_ph1resend(): there is no later message from the peer that
 *     would stop a retransmit timer.  A lost message 6 is presumably
 *     recovered by the peer retransmitting message 5 and add_recvdpkt()
 *     replaying this reply - confirm against isakmp.c.
 *   - The handle is marked ESTABLISHED before error is cleared; the two
 *     trace events after it are both success events.
 */
int
ident_r3send(iph1, msg)
	struct ph1handle *iph1;
	vchar_t *msg;
{
	int error = -1;
	int dohash = 1;
#ifdef HAVE_GSSAPI
	int len;
#endif

	/* validity check */
	if (iph1->status != PHASE1ST_MSG3RECEIVED) {
		plog(LLV_ERROR, LOCATION, NULL,
			"status mismatched %d.\n", iph1->status);
		goto end;
	}

	/* make ID payload into isakmp status */
	if (ipsecdoi_setid1(iph1) < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to set ID");
		goto end;
	}

#ifdef HAVE_GSSAPI
	/* A non-empty GSS token replaces HASH_R in this round. */
	if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB &&
	    gssapi_more_tokens(iph1)) {
		gssapi_get_rtoken(iph1, &len);
		if (len != 0)
			dohash = 0;
	}
#endif

	if (dohash) {
		/* generate HASH to send */
		plog(LLV_DEBUG, LOCATION, NULL, "generate HASH_R\n");
		iph1->hash = oakley_ph1hash_common(iph1, GENERATE);
		if (iph1->hash == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
				"failed to generate HASH");
			goto end;
		}
	} else
		iph1->hash = NULL;

	/* set encryption flag: message 6 is always sent encrypted. */
	iph1->flags |= ISAKMP_FLAG_E;

	/* create HDR;ID;HASH payload */
	iph1->sendbuf = ident_ir3mx(iph1);
	if (iph1->sendbuf == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to create send buffer");
		goto end;
	}

	/* send HDR;ID;HASH to responder (single shot, no resend schedule) */
	if (isakmp_send(iph1, iph1->sendbuf) < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to send packet");
		goto end;
	}

	/* the sending message is added to the received-list. */
	if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
                     PH1_NON_ESP_EXTRA_LEN(iph1)) == -1) {
		plog(LLV_ERROR , LOCATION, NULL,
			"failed to add a response packet to the tree.\n");
		goto end;
	}

	/* see handler.h about IV synchronization. */
	memcpy(iph1->ivm->ive->v, iph1->ivm->iv->v, iph1->ivm->iv->l);

	iph1->status = PHASE1ST_ESTABLISHED;

	IPSECSESSIONTRACEREVENT(iph1->parent_session,
							IPSECSESSIONEVENTCODE_IKEV1_PH1_RESP_SUCC,
							CONSTSTR("Responder, Main-Mode"),
							CONSTSTR(NULL));

	error = 0;

	IPSECSESSIONTRACEREVENT(iph1->parent_session,
							IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
							CONSTSTR("Responder, Main-Mode message 6"),
							CONSTSTR(NULL));

end:
	if (error) {
		IPSECSESSIONTRACEREVENT(iph1->parent_session,
								IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
								CONSTSTR("Responder, Main-Mode Message 6"),
								CONSTSTR("Failed to process Main-Mode Message 6"));
	}

	return error;
}
2065
2066/*
2067 * This is used in main mode for:
2068 * initiator's 3rd exchange send to responder
2069 * psk: HDR, KE, Ni
2070 * sig: HDR, KE, Ni
2071 * rsa: HDR, KE, [ HASH(1), ] <IDi1_b>PubKey_r, <Ni_b>PubKey_r
2072 * rev: HDR, [ HASH(1), ] <Ni_b>Pubkey_r, <KE_b>Ke_i,
2073 * <IDi1_b>Ke_i, [<<Cert-I_b>Ke_i]
2074 * responders 2nd exchnage send to initiator
2075 * psk: HDR, KE, Nr
2076 * sig: HDR, KE, Nr [, CR ]
2077 * rsa: HDR, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i
2078 * rev: HDR, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDr1_b>Ke_r,
2079 */
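/*
 * Build the cleartext key-exchange message of Main Mode (message 3 from
 * the initiator, message 4 from the responder; see the payload shapes
 * listed above this function).
 *
 * Payload order on the wire: KE, NONCE, [GSS], [CR], [NAT-D, NAT-D].  The
 * two NAT-D payloads are swapped for the old Apple NAT-T vendor ID.
 *
 * Parameters:
 *   iph1  phase 1 handle; iph1->dhpub and iph1->nonce must already be set.
 *         A CR is added only on the responder side when rmconf asks for
 *         it; NAT-D payloads only when NAT-T was negotiated and the handle
 *         is in PHASE1ST_MSG2RECEIVED.
 *
 * Returns a freshly allocated buffer with the complete message (owned by
 * the caller), or NULL on failure.
 *
 * Review notes:
 *   - All fallible work (CR, GSS token, NAT-D hashes) now runs before the
 *     first isakmp_plist_append().  isakmp_plist_set_all() is the only
 *     call that consumes the list, so bailing out between an append and
 *     set_all would presumably leak the list nodes; the original code did
 *     exactly that when natt_hash_addr() failed.
 *   - The never-assigned `vid` local and its dead "append vendor id"
 *     branch have been removed; no VID is ever sent in this message.
 */
static vchar_t *
ident_ir2mx(iph1)
	struct ph1handle *iph1;
{
	vchar_t *buf = NULL;
	struct payload_list *plist = NULL;
	int need_cr = 0;
	vchar_t *cr = NULL;
	int error = -1;
#ifdef HAVE_GSSAPI
	vchar_t *gsstoken = NULL;
#endif
#ifdef ENABLE_NATT
	vchar_t *natd[2] = { NULL, NULL };
	int need_natd = 0;
#endif

	/* create CR if need */
	if (iph1->side == RESPONDER
	    && iph1->rmconf->send_cr
	    && oakley_needcr(iph1->approval->authmethod)
	    && iph1->rmconf->peerscertfile == NULL) {
		need_cr = 1;
		cr = oakley_getcr(iph1);
		if (cr == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
				"failed to get cr buffer.\n");
			goto end;
		}
	}

#ifdef HAVE_GSSAPI
	if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB)
		gssapi_get_token_to_send(iph1, &gsstoken);
#endif

#ifdef ENABLE_NATT
	/*
	 * Compute the NAT-D hashes before anything is appended to plist so a
	 * failure here cannot leave a half-built list behind.  natd[0] is the
	 * hash of the peer's address, natd[1] the hash of ours.
	 */
	if (NATT_AVAILABLE(iph1) && iph1->status == PHASE1ST_MSG2RECEIVED) {
		need_natd = 1;

		if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
				"NAT-D hashing failed for %s\n", saddr2str(iph1->remote));
			goto end;
		}

		if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
				"NAT-D hashing failed for %s\n", saddr2str(iph1->local));
			goto end;
		}
	}
#endif

	/* create isakmp KE payload */
	plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE);

	/* create isakmp NONCE payload */
	plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE);

#ifdef HAVE_GSSAPI
	if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB)
		plist = isakmp_plist_append(plist, gsstoken, ISAKMP_NPTYPE_GSS);
#endif

	/* create isakmp CR payload if needed */
	if (need_cr)
		plist = isakmp_plist_append(plist, cr, ISAKMP_NPTYPE_CR);

#ifdef ENABLE_NATT
	/* append the NAT-D payloads computed above */
	if (need_natd) {
		plog (LLV_INFO, LOCATION, NULL, "Adding remote and local NAT-D payloads.\n");
#ifdef __APPLE__
		/* old Apple version sends natd payloads in the wrong order */
		if (iph1->natt_options->version == VENDORID_NATT_APPLE) {
			plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
			plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
		} else
#endif
		{
			plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
			plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
		}
	}
#endif

	/* consumes plist; NULL on allocation failure, which the caller checks */
	buf = isakmp_plist_set_all (&plist, iph1);

	error = 0;

end:
	if (error && buf != NULL) {
		vfree(buf);
		buf = NULL;
	}
	if (cr)
		vfree(cr);
#ifdef HAVE_GSSAPI
	if (gsstoken)
		vfree(gsstoken);
#endif

#ifdef ENABLE_NATT
	if (natd[0])
		vfree(natd[0]);
	if (natd[1])
		vfree(natd[1]);
#endif

	return buf;
}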
2193
2194/*
2195 * This is used in main mode for:
2196 * initiator's 4th exchange send to responder
2197 * psk: HDR*, IDi1, HASH_I
2198 * sig: HDR*, IDi1, [ CR, ] [ CERT, ] SIG_I
2199 * gssapi: HDR*, [ IDi1, ] < GSSi(n) | HASH_I >
2200 * rsa: HDR*, HASH_I
2201 * rev: HDR*, HASH_I
2202 * responders 3rd exchnage send to initiator
2203 * psk: HDR*, IDr1, HASH_R
2204 * sig: HDR*, IDr1, [ CERT, ] SIG_R
2205 * gssapi: HDR*, [ IDr1, ] < GSSr(n) | HASH_R >
2206 * rsa: HDR*, HASH_R
2207 * rev: HDR*, HASH_R
2208 */
2209static vchar_t *
2210ident_ir3mx(iph1)
2211 struct ph1handle *iph1;
2212{
2213 struct payload_list *plist = NULL;
2214 vchar_t *buf = NULL, *new = NULL;
2215 int need_cr = 0;
2216 int need_cert = 0;
2217 vchar_t *cr = NULL;
2218 int error = -1;
2219#ifdef HAVE_GSSAPI
2220 int nptype;
2221 vchar_t *gsstoken = NULL;
2222 vchar_t *gsshash = NULL;
2223#endif
2224
d1e348cf 2225 switch (AUTHMETHOD(iph1)) {
52b7d2ce 2226 case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
2227#ifdef ENABLE_HYBRID
2228 case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
2229 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
2230 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
2231 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
2232#endif
2233 /* create isakmp ID payload */
2234 plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
2235
2236 /* create isakmp HASH payload */
2237 plist = isakmp_plist_append(plist, iph1->hash, ISAKMP_NPTYPE_HASH);
2238 break;
2239 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
2240 case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
2241#ifdef ENABLE_HYBRID
2242 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
2243 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
2244 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
2245 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
2246 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
2247 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
2248#endif
2249 if (oakley_getmycert(iph1) < 0) {
2250 plog(LLV_ERROR, LOCATION, NULL,
2251 "failed to get mycert");
52b7d2ce 2252 goto end;
d1e348cf 2253 }
52b7d2ce 2254
d1e348cf
A
2255 if (oakley_getsign(iph1) < 0) {
2256 plog(LLV_ERROR, LOCATION, NULL,
2257 "failed to get sign");
52b7d2ce 2258 goto end;
d1e348cf 2259 }
52b7d2ce
A
2260
2261 /* create CR if need */
2262 if (iph1->side == INITIATOR
2263 && iph1->rmconf->send_cr
2264 && oakley_needcr(iph1->approval->authmethod)
2265 && iph1->rmconf->peerscertfile == NULL) {
2266 need_cr = 1;
2267 cr = oakley_getcr(iph1);
2268 if (cr == NULL) {
2269 plog(LLV_ERROR, LOCATION, NULL,
d1e348cf 2270 "failed to get CR");
52b7d2ce
A
2271 goto end;
2272 }
2273 }
2274
2275 if (iph1->cert != NULL && iph1->rmconf->send_cert)
2276 need_cert = 1;
2277
2278 /* add ID payload */
2279 plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
2280
2281 /* add CERT payload if there */
2282 if (need_cert)
2283 plist = isakmp_plist_append(plist, iph1->cert->pl, ISAKMP_NPTYPE_CERT);
2284 /* add SIG payload */
2285 plist = isakmp_plist_append(plist, iph1->sig, ISAKMP_NPTYPE_SIG);
2286
2287 /* create isakmp CR payload */
2288 if (need_cr)
2289 plist = isakmp_plist_append(plist, cr, ISAKMP_NPTYPE_CR);
2290 break;
2291#ifdef HAVE_GSSAPI
2292 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
2293 if (iph1->hash != NULL) {
2294 gsshash = gssapi_wraphash(iph1);
d1e348cf
A
2295 if (gsshash == NULL) {
2296 plog(LLV_ERROR, LOCATION, NULL,
2297 "failed to generate GSSAPI HASH");
52b7d2ce 2298 goto end;
d1e348cf 2299 }
52b7d2ce
A
2300 } else {
2301 gssapi_get_token_to_send(iph1, &gsstoken);
2302 }
2303
2304 if (!gssapi_id_sent(iph1)) {
2305 /* create isakmp ID payload */
2306 plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
2307 gssapi_set_id_sent(iph1);
2308 }
2309
2310 if (iph1->hash != NULL)
2311 /* create isakmp HASH payload */
2312 plist = isakmp_plist_append(plist, gsshash, ISAKMP_NPTYPE_HASH);
2313 else
2314 plist = isakmp_plist_append(plist, gsstoken, ISAKMP_NPTYPE_GSS);
2315 break;
2316#endif
2317 case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
2318 case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
d1e348cf
A
2319#ifdef ENABLE_HYBRID
2320 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
2321 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
2322 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
2323 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
2324#endif
52b7d2ce
A
2325 plog(LLV_ERROR, LOCATION, NULL,
2326 "not supported authentication type %d\n",
2327 iph1->approval->authmethod);
2328 goto end;
2329 default:
2330 plog(LLV_ERROR, LOCATION, NULL,
2331 "invalid authentication type %d\n",
2332 iph1->approval->authmethod);
2333 goto end;
2334 }
2335
2336 buf = isakmp_plist_set_all (&plist, iph1);
2337
2338#ifdef HAVE_PRINT_ISAKMP_C
2339 isakmp_printpacket(buf, iph1->local, iph1->remote, 1);
2340#endif
2341
2342 /* encoding */
2343 new = oakley_do_encrypt(iph1, buf, iph1->ivm->ive, iph1->ivm->iv);
d1e348cf
A
2344 if (new == NULL) {
2345 plog(LLV_ERROR, LOCATION, NULL,
2346 "failed to encrypt");
52b7d2ce 2347 goto end;
d1e348cf 2348 }
52b7d2ce
A
2349
2350 vfree(buf);
2351
2352 buf = new;
2353
2354 error = 0;
2355
2356end:
d1e348cf
A
2357#ifdef HAVE_GSSAPI
2358 if (gsstoken)
2359 vfree(gsstoken);
2360#endif
52b7d2ce
A
2361 if (cr)
2362 vfree(cr);
2363 if (error && buf != NULL) {
2364 vfree(buf);
2365 buf = NULL;
2366 }
2367
2368 return buf;
2369}