]> git.saurik.com Git - apple/ipsec.git/blame - ipsec-tools/racoon/isakmp_agg.c
projects / apple / ipsec.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
ipsec-164.10.tar.gz
[apple/ipsec.git] / ipsec-tools / racoon / isakmp_agg.c
CommitLineData
d1e348cf
A		 1/* $NetBSD: isakmp_agg.c,v 1.9 2006/09/30 21:49:37 manu Exp $ */
2
3/* Id: isakmp_agg.c,v 1.28 2006/04/06 16:46:08 manubsd Exp */
52b7d2ce
A		 4
5/*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34/* Aggressive Exchange (Aggressive Mode) */
35
36#include "config.h"
37
38#include <sys/types.h>
39#include <sys/param.h>
40
41#include <stdlib.h>
42#include <stdio.h>
43#include <string.h>
44#include <errno.h>
45#if TIME_WITH_SYS_TIME
46# include <sys/time.h>
47# include <time.h>
48#else
49# if HAVE_SYS_TIME_H
50# include <sys/time.h>
51# else
52# include <time.h>
53# endif
54#endif
55
56#include "var.h"
57#include "misc.h"
58#include "vmbuf.h"
59#include "plog.h"
60#include "sockmisc.h"
61#include "schedule.h"
62#include "debug.h"
63
d1e348cf
A		 64#ifdef ENABLE_HYBRID
65#include <resolv.h>
66#endif
67
52b7d2ce
A		 68#include "localconf.h"
69#include "remoteconf.h"
70#include "isakmp_var.h"
71#include "isakmp.h"
72#include "evt.h"
73#include "oakley.h"
74#include "handler.h"
75#include "ipsec_doi.h"
76#include "crypto_openssl.h"
77#include "pfkey.h"
78#include "isakmp_agg.h"
79#include "isakmp_inf.h"
80#ifdef ENABLE_HYBRID
81#include "isakmp_xauth.h"
82#include "isakmp_cfg.h"
83#endif
84#ifdef ENABLE_FRAG
85#include "isakmp_frag.h"
86#endif
87#include "vendorid.h"
88#include "strnames.h"
89
90#ifdef ENABLE_NATT
91#include "nattraversal.h"
92#endif
93
94#ifdef HAVE_GSSAPI
95#include "gssapi.h"
96#endif
97
98#include "vpn_control.h"
99#include "vpn_control_var.h"
d1e348cf
A		 100#include "ipsecSessionTracer.h"
101#include "ipsecMessageTracer.h"
e8d9021d
A		 102#ifndef HAVE_OPENSSL
103#include <Security/SecDH.h>
104#endif
52b7d2ce
A		 105
106/*
107 * begin Aggressive Mode as initiator.
108 */
109/*
110 * send to responder
111 * psk: HDR, SA, KE, Ni, IDi1
112 * sig: HDR, SA, KE, Ni, IDi1 [, CR ]
113 * gssapi: HDR, SA, KE, Ni, IDi1, GSSi
114 * rsa: HDR, SA, [ HASH(1),] KE, <IDi1_b>Pubkey_r, <Ni_b>Pubkey_r
115 * rev: HDR, SA, [ HASH(1),] <Ni_b>Pubkey_r, <KE_b>Ke_i,
116 * <IDii_b>Ke_i [, <Cert-I_b>Ke_i ]
117 */
118int
119agg_i1send(iph1, msg)
120 struct ph1handle *iph1;
121 vchar_t *msg; /* must be null */
122{
123 struct payload_list *plist = NULL;
124 int need_cr = 0;
d1e348cf 125 vchar_t *cr = NULL;
52b7d2ce
A		 126 int error = -1;
127#ifdef ENABLE_NATT
128 vchar_t *vid_natt[MAX_NATT_VID_COUNT] = { NULL };
129 int i;
130#endif
131#ifdef ENABLE_HYBRID
132 vchar_t *vid_xauth = NULL;
133 vchar_t *vid_unity = NULL;
134#endif
135#ifdef ENABLE_FRAG
136 vchar_t *vid_frag = NULL;
137#endif
138#ifdef HAVE_GSSAPI
d1e348cf 139 vchar_t *gsstoken = NULL;
52b7d2ce
A		 140 int len;
141#endif
142#ifdef ENABLE_DPD
143 vchar_t *vid_dpd = NULL;
144#endif
145
146
147 /* validity check */
148 if (msg != NULL) {
149 plog(LLV_ERROR, LOCATION, NULL,
150 "msg has to be NULL in this function.\n");
151 goto end;
152 }
153 if (iph1->status != PHASE1ST_START) {
154 plog(LLV_ERROR, LOCATION, NULL,
155 "status mismatched %d.\n", iph1->status);
156 goto end;
157 }
158
159 /* create isakmp index */
160 memset(&iph1->index, 0, sizeof(iph1->index));
161 isakmp_newcookie((caddr_t)&iph1->index, iph1->remote, iph1->local);
162
163 /* make ID payload into isakmp status */
d1e348cf
A		 164 if (ipsecdoi_setid1(iph1) < 0) {
165 plog(LLV_ERROR, LOCATION, NULL,
166 "failed to set ID");
52b7d2ce 167 goto end;
d1e348cf 168 }
52b7d2ce
A		 169
170 /* create SA payload for my proposal */
171 iph1->sa = ipsecdoi_setph1proposal(iph1->rmconf->proposal);
d1e348cf
A		 172 if (iph1->sa == NULL) {
173 plog(LLV_ERROR, LOCATION, NULL,
174 "failed to set proposal");
52b7d2ce 175 goto end;
d1e348cf 176 }
52b7d2ce
A		 177
178 /* consistency check of proposals */
179 if (iph1->rmconf->dhgrp == NULL) {
180 plog(LLV_ERROR, LOCATION, NULL,
181 "configuration failure about DH group.\n");
182 goto end;
183 }
184
185 /* generate DH public value */
e8d9021d
A		 186#ifdef HAVE_OPENSSL
187 if (oakley_dh_generate(iph1->rmconf->dhgrp,
188 &iph1->dhpub, &iph1->dhpriv) < 0) {
189#else
52b7d2ce 190 if (oakley_dh_generate(iph1->rmconf->dhgrp,
e8d9021d
A		 191 &iph1->dhpub, &iph1->publicKeySize, &iph1->dhC) < 0) {
192#endif
d1e348cf
A		 193 plog(LLV_ERROR, LOCATION, NULL,
194 "failed to generate DH");
52b7d2ce 195 goto end;
d1e348cf 196 }
52b7d2ce
A		 197
198 /* generate NONCE value */
199 iph1->nonce = eay_set_random(iph1->rmconf->nonce_size);
d1e348cf
A		 200 if (iph1->nonce == NULL) {
201 plog(LLV_ERROR, LOCATION, NULL,
202 "failed to generate NONCE");
52b7d2ce 203 goto end;
d1e348cf 204 }
52b7d2ce
A		 205
206#ifdef ENABLE_HYBRID
207 /* Do we need Xauth VID? */
d1e348cf
A		 208 switch (RMAUTHMETHOD(iph1)) {
209 case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
210 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
211 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
212 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
213 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
214 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
215 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
52b7d2ce
A		 216 if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL)
217 plog(LLV_ERROR, LOCATION, NULL,
218 "Xauth vendor ID generation failed\n");
219 if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL)
220 plog(LLV_ERROR, LOCATION, NULL,
221 "Unity vendor ID generation failed\n");
222 break;
223 default:
224 break;
225 }
226#endif
227
228#ifdef ENABLE_FRAG
229 if (iph1->rmconf->ike_frag) {
230 vid_frag = set_vendorid(VENDORID_FRAG);
231 if (vid_frag != NULL)
232 vid_frag = isakmp_frag_addcap(vid_frag,
233 VENDORID_FRAG_AGG);
234 if (vid_frag == NULL)
235 plog(LLV_ERROR, LOCATION, NULL,
236 "Frag vendorID construction failed\n");
237 }
238#endif
239
240 /* create CR if need */
241 if (iph1->rmconf->send_cr
242 && oakley_needcr(iph1->rmconf->proposal->authmethod)
243 && iph1->rmconf->peerscertfile == NULL) {
244 need_cr = 1;
245 cr = oakley_getcr(iph1);
246 if (cr == NULL) {
247 plog(LLV_ERROR, LOCATION, NULL,
d1e348cf 248 "failed to get CR");
52b7d2ce
A		 249 goto end;
250 }
251 }
252
253 plog(LLV_DEBUG, LOCATION, NULL, "authmethod is %s\n",
254 s_oakley_attr_method(iph1->rmconf->proposal->authmethod));
255#ifdef HAVE_GSSAPI
d1e348cf 256 if (RMAUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB)
52b7d2ce 257 gssapi_get_itoken(iph1, &len);
52b7d2ce
A		 258#endif
259
260 /* set SA payload to propose */
261 plist = isakmp_plist_append(plist, iph1->sa, ISAKMP_NPTYPE_SA);
262
263 /* create isakmp KE payload */
264 plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE);
265
266 /* create isakmp NONCE payload */
267 plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE);
268
269 /* create isakmp ID payload */
270 plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
271
272#ifdef HAVE_GSSAPI
d1e348cf 273 if (RMAUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) {
52b7d2ce
A		 274 gssapi_get_token_to_send(iph1, &gsstoken);
275 plist = isakmp_plist_append(plist, gsstoken, ISAKMP_NPTYPE_GSS);
d1e348cf 276 }
52b7d2ce
A		 277#endif
278 /* create isakmp CR payload */
279 if (need_cr)
280 plist = isakmp_plist_append(plist, cr, ISAKMP_NPTYPE_CR);
281
282#ifdef ENABLE_FRAG
283 if (vid_frag)
284 plist = isakmp_plist_append(plist, vid_frag, ISAKMP_NPTYPE_VID);
285#endif
286#ifdef ENABLE_NATT
287 /*
288 * set VID payload for NAT-T if NAT-T
289 * support allowed in the config file
290 */
291 if (iph1->rmconf->nat_traversal)
292 plist = isakmp_plist_append_natt_vids(plist, vid_natt);
293#endif
294#ifdef ENABLE_HYBRID
295 if (vid_xauth)
296 plist = isakmp_plist_append(plist,
297 vid_xauth, ISAKMP_NPTYPE_VID);
298 if (vid_unity)
299 plist = isakmp_plist_append(plist,
300 vid_unity, ISAKMP_NPTYPE_VID);
301#endif
302#ifdef ENABLE_DPD
303 if(iph1->rmconf->dpd){
304 vid_dpd = set_vendorid(VENDORID_DPD);
305 if (vid_dpd != NULL)
306 plist = isakmp_plist_append(plist, vid_dpd, ISAKMP_NPTYPE_VID);
307 }
308#endif
309
310 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
311
312#ifdef HAVE_PRINT_ISAKMP_C
313 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
314#endif
315
316 /* send the packet, add to the schedule to resend */
317 iph1->retry_counter = iph1->rmconf->retry_counter;
d1e348cf
A		 318 if (isakmp_ph1resend(iph1) == -1) {
319 plog(LLV_ERROR, LOCATION, NULL,
320 "failed to send packet");
52b7d2ce 321 goto end;
d1e348cf 322 }
52b7d2ce
A		 323
324 iph1->status = PHASE1ST_MSG1SENT;
325
326 error = 0;
327
d1e348cf
A		 328 IPSECSESSIONTRACEREVENT(iph1->parent_session,
329 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
330 CONSTSTR("Initiator, Aggressive-Mode message 1"),
331 CONSTSTR(NULL));
332
52b7d2ce 333end:
d1e348cf
A		 334 if (error) {
335 IPSECSESSIONTRACEREVENT(iph1->parent_session,
336 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
337 CONSTSTR("Initiator, Aggressive-Mode Message 1"),
338 CONSTSTR("Failed to transmit Aggressive-Mode Message 1"));
339 }
52b7d2ce
A		 340 if (cr)
341 vfree(cr);
d1e348cf 342#ifdef HAVE_GSSAPI
52b7d2ce
A		 343 if (gsstoken)
344 vfree(gsstoken);
d1e348cf 345#endif
52b7d2ce
A		 346#ifdef ENABLE_FRAG
347 if (vid_frag)
348 vfree(vid_frag);
349#endif
350#ifdef ENABLE_NATT
351 for (i = 0; i < MAX_NATT_VID_COUNT && vid_natt[i] != NULL; i++)
352 vfree(vid_natt[i]);
353#endif
52b7d2ce
A		 354#ifdef ENABLE_HYBRID
355 if (vid_xauth != NULL)
356 vfree(vid_xauth);
357 if (vid_unity != NULL)
358 vfree(vid_unity);
359#endif
d1e348cf
A		 360#ifdef ENABLE_DPD
361 if (vid_dpd != NULL)
362 vfree(vid_dpd);
363#endif
52b7d2ce
A		 364
365 return error;
366}
367
368/*
369 * receive from responder
370 * psk: HDR, SA, KE, Nr, IDr1, HASH_R
371 * sig: HDR, SA, KE, Nr, IDr1, [ CR, ] [ CERT, ] SIG_R
372 * gssapi: HDR, SA, KE, Nr, IDr1, GSSr, HASH_R
373 * rsa: HDR, SA, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i, HASH_R
374 * rev: HDR, SA, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDir_b>Ke_r, HASH_R
375 */
376int
377agg_i2recv(iph1, msg)
378 struct ph1handle *iph1;
379 vchar_t *msg;
380{
381 vchar_t *pbuf = NULL;
382 struct isakmp_parse_t *pa;
383 vchar_t *satmp = NULL;
384 int error = -1;
385 int vid_numeric;
386 int ptype;
52b7d2ce
A		 387#ifdef HAVE_GSSAPI
388 vchar_t *gsstoken = NULL;
389#endif
e8d9021d 390 int received_cert = 0;
52b7d2ce
A		 391
392#ifdef ENABLE_NATT
393 int natd_seq = 0;
394 struct natd_payload {
395 int seq;
396 vchar_t *payload;
397 TAILQ_ENTRY(natd_payload) chain;
398 };
399 TAILQ_HEAD(_natd_payload, natd_payload) natd_tree;
400 TAILQ_INIT(&natd_tree);
401#endif
402
403 /* validity check */
404 if (iph1->status != PHASE1ST_MSG1SENT) {
405 plog(LLV_ERROR, LOCATION, NULL,
406 "status mismatched %d.\n", iph1->status);
407 goto end;
408 }
409
410 /* validate the type of next payload */
411 pbuf = isakmp_parse(msg);
d1e348cf
A		 412 if (pbuf == NULL) {
413 plog(LLV_ERROR, LOCATION, NULL,
414 "failed to parse msg");
52b7d2ce 415 goto end;
d1e348cf 416 }
85f41bec 417 pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
52b7d2ce
A		 418
419 iph1->pl_hash = NULL;
420
421 /* SA payload is fixed postion */
422 if (pa->type != ISAKMP_NPTYPE_SA) {
423 plog(LLV_ERROR, LOCATION, iph1->remote,
424 "received invalid next payload type %d, "
425 "expecting %d.\n",
426 pa->type, ISAKMP_NPTYPE_SA);
427 goto end;
428 }
429
d1e348cf
A		 430 if (isakmp_p2ph(&satmp, pa->ptr) < 0) {
431 plog(LLV_ERROR, LOCATION, NULL,
432 "failed to process SA payload");
52b7d2ce 433 goto end;
d1e348cf 434 }
52b7d2ce
A		 435 pa++;
436
437 for (/*nothing*/;
438 pa->type != ISAKMP_NPTYPE_NONE;
439 pa++) {
440
441 switch (pa->type) {
442 case ISAKMP_NPTYPE_KE:
d1e348cf
A		 443 if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) {
444 plog(LLV_ERROR, LOCATION, NULL,
445 "failed to process KE payload");
52b7d2ce 446 goto end;
d1e348cf 447 }
52b7d2ce
A		 448 break;
449 case ISAKMP_NPTYPE_NONCE:
d1e348cf
A		 450 if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) {
451 plog(LLV_ERROR, LOCATION, NULL,
452 "failed to process NONCE payload");
52b7d2ce 453 goto end;
d1e348cf 454 }
52b7d2ce
A		 455 break;
456 case ISAKMP_NPTYPE_ID:
d1e348cf
A		 457 if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) {
458 plog(LLV_ERROR, LOCATION, NULL,
459 "failed to process ID payload");
52b7d2ce 460 goto end;
d1e348cf 461 }
52b7d2ce
A		 462 break;
463 case ISAKMP_NPTYPE_HASH:
464 iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr;
465 break;
466 case ISAKMP_NPTYPE_CR:
d1e348cf
A		 467 if (oakley_savecr(iph1, pa->ptr) < 0) {
468 plog(LLV_ERROR, LOCATION, NULL,
469 "failed to process CR payload");
52b7d2ce 470 goto end;
d1e348cf 471 }
52b7d2ce
A		 472 break;
473 case ISAKMP_NPTYPE_CERT:
d1e348cf
A		 474 if (oakley_savecert(iph1, pa->ptr) < 0) {
475 plog(LLV_ERROR, LOCATION, NULL,
476 "failed to process CERT payload");
52b7d2ce 477 goto end;
d1e348cf 478 }
e8d9021d 479 received_cert = 1;
52b7d2ce
A		 480 break;
481 case ISAKMP_NPTYPE_SIG:
d1e348cf
A		 482 if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) {
483 plog(LLV_ERROR, LOCATION, NULL,
484 "failed to process SIG payload");
52b7d2ce 485 goto end;
d1e348cf 486 }
52b7d2ce
A		 487 break;
488 case ISAKMP_NPTYPE_VID:
489 vid_numeric = check_vendorid(pa->ptr);
490#ifdef ENABLE_NATT
491 if (iph1->rmconf->nat_traversal &&
492 natt_vendorid(vid_numeric))
493 natt_handle_vendorid(iph1, vid_numeric);
494#endif
495#ifdef ENABLE_HYBRID
496 switch (vid_numeric) {
497 case VENDORID_XAUTH:
498 iph1->mode_cfg->flags |=
499 ISAKMP_CFG_VENDORID_XAUTH;
500 break;
501
502 case VENDORID_UNITY:
503 iph1->mode_cfg->flags |=
504 ISAKMP_CFG_VENDORID_UNITY;
505 break;
506 default:
507 break;
508 }
509#endif
510#ifdef ENABLE_DPD
511 if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd) {
512 iph1->dpd_support=1;
513 plog(LLV_DEBUG, LOCATION, NULL,
514 "remote supports DPD\n");
515 }
e8d9021d
A		 516#endif
517#ifdef ENABLE_FRAG
518 if ((vid_numeric == VENDORID_FRAG) &&
519 (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_AGG)) {
520 plog(LLV_DEBUG, LOCATION, NULL,
521 "remote supports FRAGMENTATION\n");
522 iph1->frag = 1;
523 }
52b7d2ce
A		 524#endif
525 break;
526 case ISAKMP_NPTYPE_N:
527 isakmp_check_notify(pa->ptr, iph1);
528 break;
529#ifdef HAVE_GSSAPI
530 case ISAKMP_NPTYPE_GSS:
d1e348cf
A		 531 if (isakmp_p2ph(&gsstoken, pa->ptr) < 0) {
532 plog(LLV_ERROR, LOCATION, NULL,
533 "failed to process GSS payload");
52b7d2ce 534 goto end;
d1e348cf 535 }
52b7d2ce
A		 536 gssapi_save_received_token(iph1, gsstoken);
537 break;
538#endif
539
540#ifdef ENABLE_NATT
541 case ISAKMP_NPTYPE_NATD_DRAFT:
542 case ISAKMP_NPTYPE_NATD_RFC:
52b7d2ce 543 case ISAKMP_NPTYPE_NATD_BADDRAFT:
52b7d2ce
A		 544 if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL &&
545 pa->type == iph1->natt_options->payload_nat_d) {
546 struct natd_payload *natd;
547 natd = (struct natd_payload *)racoon_malloc(sizeof(*natd));
d1e348cf
A		 548 if (!natd) {
549 plog(LLV_ERROR, LOCATION, NULL,
550 "failed to pre-process NATD payload");
52b7d2ce 551 goto end;
d1e348cf 552 }
52b7d2ce
A		 553
554 natd->payload = NULL;
555
d1e348cf
A		 556 if (isakmp_p2ph (&natd->payload, pa->ptr) < 0) {
557 plog(LLV_ERROR, LOCATION, NULL,
558 "failed to process NATD payload");
52b7d2ce 559 goto end;
d1e348cf 560 }
52b7d2ce
A		 561
562 natd->seq = natd_seq++;
563
564 TAILQ_INSERT_TAIL(&natd_tree, natd, chain);
565 break;
566 }
567 /* %%% Be lenient here - some servers send natd payloads */
568 /* when nat not detected */
569 break;
570#endif
571
572 default:
573 /* don't send information, see isakmp_ident_r1() */
574 plog(LLV_ERROR, LOCATION, iph1->remote,
575 "ignore the packet, "
576 "received unexpecting payload type %d.\n",
577 pa->type);
578 goto end;
579 }
580 }
581
e8d9021d
A		 582 if (received_cert) {
583 oakley_verify_certid(iph1);
584 }
585
52b7d2ce
A		 586 /* payload existency check */
587 if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) {
588 plog(LLV_ERROR, LOCATION, iph1->remote,
589 "few isakmp message received.\n");
590 goto end;
591 }
592
593 /* verify identifier */
594 if (ipsecdoi_checkid1(iph1) != 0) {
595 plog(LLV_ERROR, LOCATION, iph1->remote,
596 "invalid ID payload.\n");
597 goto end;
598 }
599
600 /* check SA payload and set approval SA for use */
601 if (ipsecdoi_checkph1proposal(satmp, iph1) < 0) {
602 plog(LLV_ERROR, LOCATION, iph1->remote,
603 "failed to get valid proposal.\n");
604 /* XXX send information */
605 goto end;
606 }
607 VPTRINIT(iph1->sa_ret);
608
609 /* fix isakmp index */
610 memcpy(&iph1->index.r_ck, &((struct isakmp *)msg->v)->r_ck,
611 sizeof(cookie_t));
612
613#ifdef ENABLE_NATT
614 if (NATT_AVAILABLE(iph1)) {
615 struct natd_payload *natd = NULL;
616 int natd_verified;
617
618 plog(LLV_INFO, LOCATION, iph1->remote,
619 "Selected NAT-T version: %s\n",
620 vid_string_by_id(iph1->natt_options->version));
621
622 /* set both bits first so that we can clear them
623 upon verifying hashes */
624 iph1->natt_flags |= NAT_DETECTED;
625
626 while ((natd = TAILQ_FIRST(&natd_tree)) != NULL) {
627 /* this function will clear appropriate bits bits
628 from iph1->natt_flags */
629 natd_verified = natt_compare_addr_hash (iph1,
630 natd->payload, natd->seq);
631
632 plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n",
633 natd->seq - 1,
634 natd_verified ? "verified" : "doesn't match");
635
636 vfree (natd->payload);
637
638 TAILQ_REMOVE(&natd_tree, natd, chain);
639 racoon_free (natd);
640 }
641
642 plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n",
643 iph1->natt_flags & NAT_DETECTED ?
644 "detected:" : "not detected",
645 iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "",
646 iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : "");
647
648 if (iph1->natt_flags & NAT_DETECTED)
649 natt_float_ports (iph1);
80318cb7 650 ike_session_update_natt_version(iph1);
52b7d2ce
A		 651 }
652#endif
653
654 /* compute sharing secret of DH */
e8d9021d 655#ifdef HAVE_OPENSSL
52b7d2ce 656 if (oakley_dh_compute(iph1->rmconf->dhgrp, iph1->dhpub,
d1e348cf 657 iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) {
e8d9021d
A		 658#else
659 if (oakley_dh_compute(iph1->rmconf->dhgrp, iph1->dhpub_p, iph1->publicKeySize, &iph1->dhgxy, iph1->dhC) < 0) {
660#endif
d1e348cf
A		 661 plog(LLV_ERROR, LOCATION, NULL,
662 "failed to compute DH");
52b7d2ce 663 goto end;
d1e348cf 664 }
52b7d2ce
A		 665
666 /* generate SKEYIDs & IV & final cipher key */
d1e348cf
A		 667 if (oakley_skeyid(iph1) < 0) {
668 plog(LLV_ERROR, LOCATION, NULL,
669 "failed to generate SKEYID");
52b7d2ce 670 goto end;
d1e348cf
A		 671 }
672 if (oakley_skeyid_dae(iph1) < 0) {
673 plog(LLV_ERROR, LOCATION, NULL,
674 "failed to generate SKEYID-DAE");
52b7d2ce 675 goto end;
d1e348cf
A		 676 }
677 if (oakley_compute_enckey(iph1) < 0) {
678 plog(LLV_ERROR, LOCATION, NULL,
679 "failed to generate ENCKEY");
52b7d2ce 680 goto end;
d1e348cf
A		 681 }
682 if (oakley_newiv(iph1) < 0) {
683 plog(LLV_ERROR, LOCATION, NULL,
684 "failed to generate IV");
52b7d2ce 685 goto end;
d1e348cf 686 }
52b7d2ce
A		 687
688 /* validate authentication value */
689 ptype = oakley_validate_auth(iph1);
690 if (ptype != 0) {
d1e348cf
A		 691 IPSECSESSIONTRACEREVENT(iph1->parent_session,
692 IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_FAIL,
693 CONSTSTR("Initiator, Aggressive-Mode Message 2"),
694 CONSTSTR("Failed to authenticate, Aggressive-Mode Message 2"));
52b7d2ce
A		 695 if (ptype == -1) {
696 /* message printed inner oakley_validate_auth() */
697 goto end;
698 }
699 EVT_PUSH(iph1->local, iph1->remote,
700 EVTT_PEERPH1AUTH_FAILED, NULL);
701 isakmp_info_send_n1(iph1, ptype, NULL);
702 goto end;
703 }
d1e348cf
A		 704 IPSECSESSIONTRACEREVENT(iph1->parent_session,
705 IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_SUCC,
706 CONSTSTR("Initiator, Aggressive-Mode Message 2"),
707 CONSTSTR(NULL));
708
52b7d2ce
A		 709 if (oakley_checkcr(iph1) < 0) {
710 /* Ignore this error in order to be interoperability. */
711 ;
712 }
713
714 /* change status of isakmp status entry */
715 iph1->status = PHASE1ST_MSG2RECEIVED;
716
717#ifdef ENABLE_VPNCONTROL_PORT
718 vpncontrol_notify_phase_change(1, FROM_REMOTE, iph1, NULL);
719#endif
720
721 error = 0;
722
d1e348cf
A		 723 IPSECSESSIONTRACEREVENT(iph1->parent_session,
724 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
725 CONSTSTR("Initiator, Aggressive-Mode message 2"),
726 CONSTSTR(NULL));
727
52b7d2ce 728end:
d1e348cf
A		 729 if (error) {
730 IPSECSESSIONTRACEREVENT(iph1->parent_session,
731 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
732 CONSTSTR("Initiator, Aggressive-Mode Message 2"),
733 CONSTSTR("Failure processing Aggressive-Mode Message 2"));
734 }
735#ifdef HAVE_GSSAPI
736 if (gsstoken)
737 vfree(gsstoken);
738#endif
52b7d2ce
A		 739 if (pbuf)
740 vfree(pbuf);
741 if (satmp)
742 vfree(satmp);
743 if (error) {
744 VPTRINIT(iph1->dhpub_p);
745 VPTRINIT(iph1->nonce_p);
746 VPTRINIT(iph1->id_p);
747 oakley_delcert(iph1->cert_p);
748 iph1->cert_p = NULL;
749 oakley_delcert(iph1->crl_p);
750 iph1->crl_p = NULL;
751 VPTRINIT(iph1->sig_p);
752 oakley_delcert(iph1->cr_p);
753 iph1->cr_p = NULL;
754 }
755
756 return error;
757}
758
759/*
760 * send to responder
761 * psk: HDR, HASH_I
762 * gssapi: HDR, HASH_I
763 * sig: HDR, [ CERT, ] SIG_I
764 * rsa: HDR, HASH_I
765 * rev: HDR, HASH_I
766 */
767int
768agg_i2send(iph1, msg)
769 struct ph1handle *iph1;
770 vchar_t *msg;
771{
772 struct payload_list *plist = NULL;
773 int need_cert = 0;
774 int error = -1;
775 vchar_t *gsshash = NULL;
d1e348cf
A		 776#ifdef ENABLE_NATT
777 vchar_t *natd[2] = { NULL, NULL };
778#endif
779 vchar_t *notp_unity = NULL;
780 vchar_t *notp_ini = NULL;
52b7d2ce
A		 781
782 /* validity check */
783 if (iph1->status != PHASE1ST_MSG2RECEIVED) {
784 plog(LLV_ERROR, LOCATION, NULL,
785 "status mismatched %d.\n", iph1->status);
786 goto end;
787 }
788
789 /* generate HASH to send */
790 plog(LLV_DEBUG, LOCATION, NULL, "generate HASH_I\n");
791 iph1->hash = oakley_ph1hash_common(iph1, GENERATE);
792 if (iph1->hash == NULL) {
793#ifdef HAVE_GSSAPI
d1e348cf
A		 794 if (gssapi_more_tokens(iph1) &&
795#ifdef ENABLE_HYBRID
796 !iph1->rmconf->xauth &&
797#endif
798 1)
52b7d2ce
A		 799 isakmp_info_send_n1(iph1,
800 ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, NULL);
801#endif
d1e348cf
A		 802 plog(LLV_ERROR, LOCATION, NULL,
803 "failed to generate HASH");
52b7d2ce
A		 804 goto end;
805 }
806
d1e348cf 807 switch (AUTHMETHOD(iph1)) {
52b7d2ce
A		 808 case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
809#ifdef ENABLE_HYBRID
d1e348cf
A		 810 case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
811 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
812 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
52b7d2ce
A		 813#endif
814 /* set HASH payload */
d1e348cf
A		 815 plist = isakmp_plist_append(plist,
816 iph1->hash, ISAKMP_NPTYPE_HASH);
52b7d2ce 817 break;
d1e348cf 818
52b7d2ce
A		 819 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
820 case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
821#ifdef ENABLE_HYBRID
d1e348cf
A		 822 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
823 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
824#endif
52b7d2ce
A		 825 /* XXX if there is CR or not ? */
826
d1e348cf
A		 827 if (oakley_getmycert(iph1) < 0) {
828 plog(LLV_ERROR, LOCATION, NULL,
829 "failed to get mycert");
52b7d2ce 830 goto end;
d1e348cf 831 }
52b7d2ce 832
d1e348cf
A		 833 if (oakley_getsign(iph1) < 0) {
834 plog(LLV_ERROR, LOCATION, NULL,
835 "failed to get sign");
52b7d2ce 836 goto end;
d1e348cf 837 }
52b7d2ce
A		 838
839 if (iph1->cert != NULL && iph1->rmconf->send_cert)
840 need_cert = 1;
841
842 /* add CERT payload if there */
e8d9021d 843 // we don't support sending of certchains
52b7d2ce
A		 844 if (need_cert)
845 plist = isakmp_plist_append(plist, iph1->cert->pl, ISAKMP_NPTYPE_CERT);
846
847 /* add SIG payload */
848 plist = isakmp_plist_append(plist, iph1->sig, ISAKMP_NPTYPE_SIG);
849 break;
850
851 case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
852 case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
d1e348cf
A		 853#ifdef ENABLE_HYBRID
854 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
855 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
856#endif
52b7d2ce
A		 857 break;
858#ifdef HAVE_GSSAPI
859 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
860 gsshash = gssapi_wraphash(iph1);
861 if (gsshash == NULL) {
862 plog(LLV_ERROR, LOCATION, NULL,
d1e348cf 863 "failed to get GSS hash\n");
52b7d2ce
A		 864 isakmp_info_send_n1(iph1,
865 ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, NULL);
866 goto end;
867 }
868
869 plist = isakmp_plist_append(plist, gsshash, ISAKMP_NPTYPE_HASH);
870 break;
871#endif
52b7d2ce
A		 872 }
873
874#ifdef ENABLE_NATT
875 /* generate NAT-D payloads */
d1e348cf 876 if (NATT_AVAILABLE(iph1)) {
52b7d2ce
A		 877 plog (LLV_INFO, LOCATION, NULL, "Adding remote and local NAT-D payloads.\n");
878 if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) {
879 plog(LLV_ERROR, LOCATION, NULL,
85f41bec 880 "NAT-D hashing failed for %s\n", saddr2str((struct sockaddr *)iph1->remote));
52b7d2ce
A		 881 goto end;
882 }
883
884 if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) {
885 plog(LLV_ERROR, LOCATION, NULL,
85f41bec 886 "NAT-D hashing failed for %s\n", saddr2str((struct sockaddr *)iph1->local));
52b7d2ce
A		 887 goto end;
888 }
52b7d2ce
A		 889 /* old Apple version sends natd payloads in the wrong order */
890 if (iph1->natt_options->version == VENDORID_NATT_APPLE) {
891 plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
892 plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
893 } else
52b7d2ce
A		 894 {
895 plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
896 plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
897 }
898 }
899#endif
900
52b7d2ce 901
d1e348cf
A		 902 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
903
52b7d2ce
A		 904#ifdef HAVE_PRINT_ISAKMP_C
905 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
906#endif
907
d1e348cf 908
52b7d2ce 909 /* send to responder */
d1e348cf
A		 910 if (isakmp_send(iph1, iph1->sendbuf) < 0) {
911 plog(LLV_ERROR, LOCATION, NULL,
912 "failed to send packet");
52b7d2ce 913 goto end;
d1e348cf 914 }
52b7d2ce
A		 915
916 /* the sending message is added to the received-list. */
d1e348cf 917 if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
e8d9021d 918 PH1_NON_ESP_EXTRA_LEN(iph1), PH1_FRAG_FLAGS(iph1)) == -1) {
52b7d2ce
A		 919 plog(LLV_ERROR , LOCATION, NULL,
920 "failed to add a response packet to the tree.\n");
921 goto end;
922 }
923
924 /* set encryption flag */
925 iph1->flags |= ISAKMP_FLAG_E;
926
927 iph1->status = PHASE1ST_ESTABLISHED;
928
d1e348cf
A		 929 IPSECSESSIONTRACEREVENT(iph1->parent_session,
930 IPSECSESSIONEVENTCODE_IKEV1_PH1_INIT_SUCC,
931 CONSTSTR("Initiator, Aggressive-Mode"),
932 CONSTSTR(NULL));
933
52b7d2ce
A		 934 error = 0;
935
d1e348cf
A		 936 IPSECSESSIONTRACEREVENT(iph1->parent_session,
937 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
938 CONSTSTR("Initiator, Aggressive-Mode message 3"),
939 CONSTSTR(NULL));
940
52b7d2ce 941end:
d1e348cf
A		 942 if (error) {
943 IPSECSESSIONTRACEREVENT(iph1->parent_session,
944 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
945 CONSTSTR("Initiator, Aggressive-Mode Message 3"),
946 CONSTSTR("Failed to transmit Aggressive-Mode Message 3"));
947 }
948#ifdef ENABLE_NATT
949 if (natd[0])
950 vfree(natd[0]);
951 if (natd[1])
952 vfree(natd[1]);
953#endif
954 if (notp_unity)
955 vfree(notp_unity);
956 if (notp_ini)
957 vfree(notp_ini);
52b7d2ce
A		 958 if (gsshash)
959 vfree(gsshash);
960 return error;
961}
962
963/*
964 * receive from initiator
965 * psk: HDR, SA, KE, Ni, IDi1
966 * sig: HDR, SA, KE, Ni, IDi1 [, CR ]
967 * gssapi: HDR, SA, KE, Ni, IDi1 , GSSi
968 * rsa: HDR, SA, [ HASH(1),] KE, <IDi1_b>Pubkey_r, <Ni_b>Pubkey_r
969 * rev: HDR, SA, [ HASH(1),] <Ni_b>Pubkey_r, <KE_b>Ke_i,
970 * <IDii_b>Ke_i [, <Cert-I_b>Ke_i ]
971 */
972int
973agg_r1recv(iph1, msg)
974 struct ph1handle *iph1;
975 vchar_t *msg;
976{
977 int error = -1;
978 vchar_t *pbuf = NULL;
979 struct isakmp_parse_t *pa;
980 int vid_numeric;
981#ifdef HAVE_GSSAPI
982 vchar_t *gsstoken = NULL;
983#endif
984
985 /* validity check */
986 if (iph1->status != PHASE1ST_START) {
987 plog(LLV_ERROR, LOCATION, NULL,
988 "status mismatched %d.\n", iph1->status);
989 goto end;
990 }
991
992 /* validate the type of next payload */
993 pbuf = isakmp_parse(msg);
d1e348cf
A		 994 if (pbuf == NULL) {
995 plog(LLV_ERROR, LOCATION, NULL,
996 "failed to parse msg");
52b7d2ce 997 goto end;
d1e348cf 998 }
85f41bec 999 pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
52b7d2ce
A		 1000
1001 /* SA payload is fixed postion */
1002 if (pa->type != ISAKMP_NPTYPE_SA) {
1003 plog(LLV_ERROR, LOCATION, iph1->remote,
1004 "received invalid next payload type %d, "
1005 "expecting %d.\n",
1006 pa->type, ISAKMP_NPTYPE_SA);
1007 goto end;
1008 }
d1e348cf
A		 1009 if (isakmp_p2ph(&iph1->sa, pa->ptr) < 0) {
1010 plog(LLV_ERROR, LOCATION, NULL,
1011 "failed to process SA payload");
52b7d2ce 1012 goto end;
d1e348cf 1013 }
52b7d2ce
A		 1014 pa++;
1015
1016 for (/*nothing*/;
1017 pa->type != ISAKMP_NPTYPE_NONE;
1018 pa++) {
1019
1020 plog(LLV_DEBUG, LOCATION, NULL,
1021 "received payload of type %s\n",
1022 s_isakmp_nptype(pa->type));
1023
1024 switch (pa->type) {
1025 case ISAKMP_NPTYPE_KE:
d1e348cf
A		 1026 if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) {
1027 plog(LLV_ERROR, LOCATION, NULL,
1028 "failed to process KE payload");
52b7d2ce 1029 goto end;
d1e348cf 1030 }
52b7d2ce
A		 1031 break;
1032 case ISAKMP_NPTYPE_NONCE:
d1e348cf
A		 1033 if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) {
1034 plog(LLV_ERROR, LOCATION, NULL,
1035 "failed to process NONCE payload");
52b7d2ce 1036 goto end;
d1e348cf 1037 }
52b7d2ce
A		 1038 break;
1039 case ISAKMP_NPTYPE_ID:
d1e348cf
A		 1040 if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) {
1041 plog(LLV_ERROR, LOCATION, NULL,
1042 "failed to process ID payload");
52b7d2ce 1043 goto end;
d1e348cf 1044 }
52b7d2ce
A		 1045 break;
1046 case ISAKMP_NPTYPE_VID:
1047 vid_numeric = check_vendorid(pa->ptr);
1048
1049#ifdef ENABLE_NATT
1050 if (iph1->rmconf->nat_traversal &&
1051 natt_vendorid(vid_numeric)) {
1052 natt_handle_vendorid(iph1, vid_numeric);
1053 break;
1054 }
1055#endif
1056#ifdef ENABLE_HYBRID
1057 switch (vid_numeric) {
1058 case VENDORID_XAUTH:
1059 iph1->mode_cfg->flags |=
1060 ISAKMP_CFG_VENDORID_XAUTH;
1061 break;
1062
1063 case VENDORID_UNITY:
1064 iph1->mode_cfg->flags |=
1065 ISAKMP_CFG_VENDORID_UNITY;
1066 break;
1067 default:
1068 break;
1069 }
1070#endif
1071#ifdef ENABLE_DPD
1072 if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd) {
1073 iph1->dpd_support=1;
1074 plog(LLV_DEBUG, LOCATION, NULL,
1075 "remote supports DPD\n");
1076 }
1077#endif
1078#ifdef ENABLE_FRAG
1079 if ((vid_numeric == VENDORID_FRAG) &&
e8d9021d
A		 1080 (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_AGG)) {
1081 plog(LLV_DEBUG, LOCATION, NULL,
1082 "remote supports FRAGMENTATION\n");
52b7d2ce 1083 iph1->frag = 1;
e8d9021d 1084 }
52b7d2ce
A		 1085#endif
1086 break;
1087
1088 case ISAKMP_NPTYPE_CR:
d1e348cf
A		 1089 if (oakley_savecr(iph1, pa->ptr) < 0) {
1090 plog(LLV_ERROR, LOCATION, NULL,
1091 "failed to process CR payload");
52b7d2ce 1092 goto end;
d1e348cf 1093 }
52b7d2ce
A		 1094 break;
1095
1096#ifdef HAVE_GSSAPI
1097 case ISAKMP_NPTYPE_GSS:
d1e348cf
A		 1098 if (isakmp_p2ph(&gsstoken, pa->ptr) < 0) {
1099 plog(LLV_ERROR, LOCATION, NULL,
1100 "failed to process GSS payload");
52b7d2ce 1101 goto end;
d1e348cf 1102 }
52b7d2ce
A		 1103 gssapi_save_received_token(iph1, gsstoken);
1104 break;
1105#endif
1106 default:
1107 /* don't send information, see isakmp_ident_r1() */
1108 plog(LLV_ERROR, LOCATION, iph1->remote,
1109 "ignore the packet, "
1110 "received unexpecting payload type %d.\n",
1111 pa->type);
1112 goto end;
1113 }
1114 }
1115
1116 /* payload existency check */
1117 if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) {
1118 plog(LLV_ERROR, LOCATION, iph1->remote,
1119 "few isakmp message received.\n");
1120 goto end;
1121 }
1122
1123 /* verify identifier */
1124 if (ipsecdoi_checkid1(iph1) != 0) {
1125 plog(LLV_ERROR, LOCATION, iph1->remote,
1126 "invalid ID payload.\n");
1127 goto end;
1128 }
1129
1130#ifdef ENABLE_NATT
80318cb7 1131 if (NATT_AVAILABLE(iph1)) {
52b7d2ce
A		 1132 plog(LLV_INFO, LOCATION, iph1->remote,
1133 "Selected NAT-T version: %s\n",
1134 vid_string_by_id(iph1->natt_options->version));
80318cb7
A		 1135 ike_session_update_natt_version(iph1);
1136 }
52b7d2ce
A		 1137#endif
1138
1139 /* check SA payload and set approval SA for use */
1140 if (ipsecdoi_checkph1proposal(iph1->sa, iph1) < 0) {
1141 plog(LLV_ERROR, LOCATION, iph1->remote,
1142 "failed to get valid proposal.\n");
1143 /* XXX send information */
1144 goto end;
1145 }
1146
1147 if (oakley_checkcr(iph1) < 0) {
1148 /* Ignore this error in order to be interoperability. */
1149 ;
1150 }
1151
1152 iph1->status = PHASE1ST_MSG1RECEIVED;
1153
1154 error = 0;
1155
d1e348cf
A		 1156 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1157 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
1158 CONSTSTR("Responder, Aggressive-Mode message 1"),
1159 CONSTSTR(NULL));
1160
52b7d2ce 1161end:
d1e348cf
A		 1162 if (error) {
1163 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1164 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
1165 CONSTSTR("Responder, Aggressive-Mode Message 1"),
1166 CONSTSTR("Failed to process Aggressive-Mode Message 1"));
1167 }
1168#ifdef HAVE_GSSAPI
1169 if (gsstoken)
1170 vfree(gsstoken);
1171#endif
52b7d2ce
A		 1172 if (pbuf)
1173 vfree(pbuf);
1174 if (error) {
1175 VPTRINIT(iph1->sa);
1176 VPTRINIT(iph1->dhpub_p);
1177 VPTRINIT(iph1->nonce_p);
1178 VPTRINIT(iph1->id_p);
1179 oakley_delcert(iph1->cr_p);
1180 iph1->cr_p = NULL;
1181 }
1182
1183 return error;
1184}
1185
1186/*
1187 * send to initiator
1188 * psk: HDR, SA, KE, Nr, IDr1, HASH_R
1189 * sig: HDR, SA, KE, Nr, IDr1, [ CR, ] [ CERT, ] SIG_R
1190 * gssapi: HDR, SA, KE, Nr, IDr1, GSSr, HASH_R
1191 * rsa: HDR, SA, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i, HASH_R
1192 * rev: HDR, SA, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDir_b>Ke_r, HASH_R
1193 */
1194int
1195agg_r1send(iph1, msg)
1196 struct ph1handle *iph1;
1197 vchar_t *msg;
1198{
1199 struct payload_list *plist = NULL;
1200 int need_cr = 0;
1201 int need_cert = 0;
1202 vchar_t *cr = NULL;
52b7d2ce
A		 1203 int error = -1;
1204#ifdef ENABLE_HYBRID
1205 vchar_t *xauth_vid = NULL;
1206 vchar_t *unity_vid = NULL;
1207#endif
1208#ifdef ENABLE_NATT
1209 vchar_t *vid_natt = NULL;
1210 vchar_t *natd[2] = { NULL, NULL };
1211#endif
1212#ifdef ENABLE_DPD
1213 vchar_t *vid_dpd = NULL;
1214#endif
d1e348cf
A		 1215#ifdef ENABLE_FRAG
1216 vchar_t *vid_frag = NULL;
1217#endif
52b7d2ce
A		 1218
1219#ifdef HAVE_GSSAPI
1220 int gsslen;
1221 vchar_t *gsstoken = NULL, *gsshash = NULL;
1222 vchar_t *gss_sa = NULL;
d1e348cf 1223 int free_gss_sa = 0;
52b7d2ce
A		 1224#endif
1225
1226 /* validity check */
1227 if (iph1->status != PHASE1ST_MSG1RECEIVED) {
1228 plog(LLV_ERROR, LOCATION, NULL,
1229 "status mismatched %d.\n", iph1->status);
1230 goto end;
1231 }
1232
1233 /* set responder's cookie */
1234 isakmp_newcookie((caddr_t)&iph1->index.r_ck, iph1->remote, iph1->local);
1235
1236 /* make ID payload into isakmp status */
d1e348cf
A		 1237 if (ipsecdoi_setid1(iph1) < 0) {
1238 plog(LLV_ERROR, LOCATION, NULL,
1239 "failed to set ID");
52b7d2ce 1240 goto end;
d1e348cf 1241 }
52b7d2ce
A		 1242
1243 /* generate DH public value */
e8d9021d 1244#ifdef HAVE_OPENSSL
52b7d2ce 1245 if (oakley_dh_generate(iph1->rmconf->dhgrp,
e8d9021d
A		 1246 &iph1->dhpub, &iph1->dhpriv) < 0) {
1247#else
1248 if (oakley_dh_generate(iph1->rmconf->dhgrp,
1249 &iph1->dhpub, &iph1->publicKeySize, &iph1->dhC) < 0) {
1250#endif
d1e348cf
A		 1251 plog(LLV_ERROR, LOCATION, NULL,
1252 "failed to generate DH");
52b7d2ce 1253 goto end;
d1e348cf 1254 }
52b7d2ce
A		 1255
1256 /* generate NONCE value */
1257 iph1->nonce = eay_set_random(iph1->rmconf->nonce_size);
d1e348cf
A		 1258 if (iph1->nonce == NULL) {
1259 plog(LLV_ERROR, LOCATION, NULL,
1260 "failed to generate NONCE");
52b7d2ce 1261 goto end;
d1e348cf 1262 }
52b7d2ce
A		 1263
1264 /* compute sharing secret of DH */
e8d9021d
A		 1265#ifdef HAVE_OPENSSL
1266 if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub,
1267 iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) {
1268#else
1269 if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub_p, iph1->publicKeySize, &iph1->dhgxy, iph1->dhC) < 0) {
1270#endif
d1e348cf
A		 1271 plog(LLV_ERROR, LOCATION, NULL,
1272 "failed to compute DH");
52b7d2ce 1273 goto end;
d1e348cf 1274 }
52b7d2ce
A		 1275
1276 /* generate SKEYIDs & IV & final cipher key */
d1e348cf
A		 1277 if (oakley_skeyid(iph1) < 0) {
1278 plog(LLV_ERROR, LOCATION, NULL,
1279 "failed to generate SKEYID");
52b7d2ce 1280 goto end;
d1e348cf
A		 1281 }
1282 if (oakley_skeyid_dae(iph1) < 0) {
1283 plog(LLV_ERROR, LOCATION, NULL,
1284 "failed to generate SKEYID-DAE");
52b7d2ce 1285 goto end;
d1e348cf
A		 1286 }
1287 if (oakley_compute_enckey(iph1) < 0) {
1288 plog(LLV_ERROR, LOCATION, NULL,
1289 "failed to generate ENCKEY");
52b7d2ce 1290 goto end;
d1e348cf
A		 1291 }
1292 if (oakley_newiv(iph1) < 0) {
1293 plog(LLV_ERROR, LOCATION, NULL,
1294 "failed to generate IV");
52b7d2ce 1295 goto end;
d1e348cf 1296 }
52b7d2ce
A		 1297
1298#ifdef HAVE_GSSAPI
d1e348cf 1299 if (RMAUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB)
52b7d2ce
A		 1300 gssapi_get_rtoken(iph1, &gsslen);
1301#endif
1302
1303 /* generate HASH to send */
1304 plog(LLV_DEBUG, LOCATION, NULL, "generate HASH_R\n");
1305 iph1->hash = oakley_ph1hash_common(iph1, GENERATE);
1306 if (iph1->hash == NULL) {
1307#ifdef HAVE_GSSAPI
1308 if (gssapi_more_tokens(iph1))
1309 isakmp_info_send_n1(iph1,
1310 ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, NULL);
1311#endif
d1e348cf
A		 1312 plog(LLV_ERROR, LOCATION, NULL,
1313 "failed to generate GSS HASH");
52b7d2ce
A		 1314 goto end;
1315 }
1316
1317 /* create CR if need */
1318 if (iph1->rmconf->send_cr
1319 && oakley_needcr(iph1->approval->authmethod)
1320 && iph1->rmconf->peerscertfile == NULL) {
1321 need_cr = 1;
1322 cr = oakley_getcr(iph1);
1323 if (cr == NULL) {
1324 plog(LLV_ERROR, LOCATION, NULL,
d1e348cf 1325 "failed to get CR.\n");
52b7d2ce
A		 1326 goto end;
1327 }
1328 }
1329
1330#ifdef ENABLE_NATT
1331 /* Has the peer announced NAT-T? */
1332 if (NATT_AVAILABLE(iph1)) {
1333 /* set chosen VID */
1334 vid_natt = set_vendorid(iph1->natt_options->version);
1335
1336 /* generate NAT-D payloads */
1337 plog (LLV_INFO, LOCATION, NULL, "Adding remote and local NAT-D payloads.\n");
1338 if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) {
1339 plog(LLV_ERROR, LOCATION, NULL,
85f41bec 1340 "NAT-D hashing failed for %s\n", saddr2str((struct sockaddr *)iph1->remote));
52b7d2ce
A		 1341 goto end;
1342 }
1343
1344 if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) {
1345 plog(LLV_ERROR, LOCATION, NULL,
85f41bec 1346 "NAT-D hashing failed for %s\n", saddr2str((struct sockaddr *)iph1->local));
52b7d2ce
A		 1347 goto end;
1348 }
1349 }
1350#endif
1351#ifdef ENABLE_DPD
1352 /* Only send DPD support if remote announced DPD and if DPD support is active */
1353 if (iph1->dpd_support && iph1->rmconf->dpd)
1354 vid_dpd = set_vendorid(VENDORID_DPD);
1355#endif
d1e348cf
A		 1356#ifdef ENABLE_FRAG
1357 if (iph1->frag) {
1358 vid_frag = set_vendorid(VENDORID_FRAG);
1359 if (vid_frag != NULL)
1360 vid_frag = isakmp_frag_addcap(vid_frag,
1361 VENDORID_FRAG_AGG);
1362 if (vid_frag == NULL)
1363 plog(LLV_ERROR, LOCATION, NULL,
1364 "Frag vendorID construction failed\n");
1365 }
1366#endif
52b7d2ce 1367
d1e348cf 1368 switch (AUTHMETHOD(iph1)) {
52b7d2ce 1369 case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
d1e348cf
A		 1370#ifdef ENABLE_HYBRID
1371 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
1372#endif
52b7d2ce
A		 1373 /* set SA payload to reply */
1374 plist = isakmp_plist_append(plist, iph1->sa_ret, ISAKMP_NPTYPE_SA);
1375
1376 /* create isakmp KE payload */
1377 plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE);
1378
1379 /* create isakmp NONCE payload */
1380 plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE);
1381
1382 /* create isakmp ID payload */
1383 plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
1384
1385 /* create isakmp HASH payload */
d1e348cf
A		 1386 plist = isakmp_plist_append(plist,
1387 iph1->hash, ISAKMP_NPTYPE_HASH);
52b7d2ce
A		 1388
1389 /* create isakmp CR payload if needed */
1390 if (need_cr)
1391 plist = isakmp_plist_append(plist, cr, ISAKMP_NPTYPE_CR);
1392 break;
1393 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
1394 case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
1395#ifdef ENABLE_HYBRID
d1e348cf
A		 1396 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
1397 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
1398 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
1399 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
52b7d2ce
A		 1400#endif
1401 /* XXX if there is CR or not ? */
1402
d1e348cf
A		 1403 if (oakley_getmycert(iph1) < 0) {
1404 plog(LLV_ERROR, LOCATION, NULL,
1405 "failed to get mycert");
52b7d2ce 1406 goto end;
d1e348cf 1407 }
52b7d2ce 1408
d1e348cf
A		 1409 if (oakley_getsign(iph1) < 0) {
1410 plog(LLV_ERROR, LOCATION, NULL,
1411 "failed to get sign");
52b7d2ce 1412 goto end;
d1e348cf 1413 }
52b7d2ce
A		 1414
1415 if (iph1->cert != NULL && iph1->rmconf->send_cert)
1416 need_cert = 1;
1417
1418 /* set SA payload to reply */
1419 plist = isakmp_plist_append(plist, iph1->sa_ret, ISAKMP_NPTYPE_SA);
1420
1421 /* create isakmp KE payload */
1422 plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE);
1423
1424 /* create isakmp NONCE payload */
1425 plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE);
1426
1427 /* add ID payload */
1428 plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
1429
1430 /* add CERT payload if there */
1431 if (need_cert)
1432 plist = isakmp_plist_append(plist, iph1->cert->pl, ISAKMP_NPTYPE_CERT);
1433
1434 /* add SIG payload */
1435 plist = isakmp_plist_append(plist, iph1->sig, ISAKMP_NPTYPE_SIG);
1436
d1e348cf
A		 1437 /* create isakmp CR payload if needed */
1438 if (need_cr)
1439 plist = isakmp_plist_append(plist,
1440 cr, ISAKMP_NPTYPE_CR);
1441 break;
1442
1443 case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
1444 case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
1445#ifdef ENABLE_HYBRID
1446 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
1447 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
1448#endif
1449 break;
1450#ifdef HAVE_GSSAPI
1451 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
1452 /* create buffer to send isakmp payload */
1453 gsshash = gssapi_wraphash(iph1);
1454 if (gsshash == NULL) {
1455 plog(LLV_ERROR, LOCATION, NULL,
1456 "failed to generate GSS HASH\n");
1457 /*
1458 * This is probably due to the GSS
1459 * roundtrips not being finished yet.
1460 * Return this error in the hope that
1461 * a fallback to main mode will be done.
1462 */
1463 isakmp_info_send_n1(iph1,
1464 ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, NULL);
1465 goto end;
1466 }
1467 if (iph1->approval->gssid != NULL)
1468 gss_sa =
1469 ipsecdoi_setph1proposal(iph1->approval);
1470 else
1471 gss_sa = iph1->sa_ret;
1472
1473 if (gss_sa != iph1->sa_ret)
1474 free_gss_sa = 1;
1475
1476 /* set SA payload to reply */
1477 plist = isakmp_plist_append(plist,
1478 gss_sa, ISAKMP_NPTYPE_SA);
1479
1480 /* create isakmp KE payload */
1481 plist = isakmp_plist_append(plist,
1482 iph1->dhpub, ISAKMP_NPTYPE_KE);
1483
1484 /* create isakmp NONCE payload */
1485 plist = isakmp_plist_append(plist,
1486 iph1->nonce, ISAKMP_NPTYPE_NONCE);
1487
1488 /* create isakmp ID payload */
1489 plist = isakmp_plist_append(plist,
1490 iph1->id, ISAKMP_NPTYPE_ID);
1491
1492 /* create GSS payload */
1493 gssapi_get_token_to_send(iph1, &gsstoken);
1494 plist = isakmp_plist_append(plist,
1495 gsstoken, ISAKMP_NPTYPE_GSS);
1496
1497 /* create isakmp HASH payload */
1498 plist = isakmp_plist_append(plist,
1499 gsshash, ISAKMP_NPTYPE_HASH);
1500
1501 /* append vendor id, if needed */
1502 break;
1503#endif
1504 }
52b7d2ce
A		 1505
1506#ifdef ENABLE_HYBRID
1507 if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) {
d1e348cf 1508 plog (LLV_INFO, LOCATION, NULL, "Adding xauth VID payload.\n");
52b7d2ce
A		 1509 if ((xauth_vid = set_vendorid(VENDORID_XAUTH)) == NULL) {
1510 plog(LLV_ERROR, LOCATION, NULL,
1511 "Cannot create Xauth vendor ID\n");
1512 goto end;
1513 }
1514 plist = isakmp_plist_append(plist,
1515 xauth_vid, ISAKMP_NPTYPE_VID);
1516 }
1517
1518 if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_UNITY) {
1519 if ((unity_vid = set_vendorid(VENDORID_UNITY)) == NULL) {
1520 plog(LLV_ERROR, LOCATION, NULL,
1521 "Cannot create Unity vendor ID\n");
1522 goto end;
1523 }
1524 plist = isakmp_plist_append(plist,
1525 unity_vid, ISAKMP_NPTYPE_VID);
1526 }
1527#endif
1528
52b7d2ce
A		 1529#ifdef ENABLE_NATT
1530 /* append NAT-T payloads */
1531 if (vid_natt) {
1532 /* chosen VID */
1533 plist = isakmp_plist_append(plist, vid_natt, ISAKMP_NPTYPE_VID);
1534 /* NAT-D */
52b7d2ce
A		 1535 /* old Apple version sends natd payloads in the wrong order */
1536 if (iph1->natt_options->version == VENDORID_NATT_APPLE) {
1537 plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
1538 plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
1539 } else
52b7d2ce
A		 1540 {
1541 plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
1542 plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
1543 }
1544 }
1545#endif
d1e348cf
A		 1546
1547#ifdef ENABLE_FRAG
1548 if (vid_frag)
1549 plist = isakmp_plist_append(plist, vid_frag, ISAKMP_NPTYPE_VID);
1550#endif
1551
52b7d2ce
A		 1552#ifdef ENABLE_DPD
1553 if (vid_dpd)
1554 plist = isakmp_plist_append(plist, vid_dpd, ISAKMP_NPTYPE_VID);
1555#endif
1556
1557 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
1558
1559#ifdef HAVE_PRINT_ISAKMP_C
1560 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 1);
1561#endif
1562
1563 /* send the packet, add to the schedule to resend */
1564 iph1->retry_counter = iph1->rmconf->retry_counter;
d1e348cf
A		 1565 if (isakmp_ph1resend(iph1) == -1) {
1566 plog(LLV_ERROR , LOCATION, NULL,
1567 "failed to send packet");
52b7d2ce 1568 goto end;
d1e348cf 1569 }
52b7d2ce
A		 1570
1571 /* the sending message is added to the received-list. */
d1e348cf 1572 if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
e8d9021d 1573 PH1_NON_ESP_EXTRA_LEN(iph1), PH1_FRAG_FLAGS(iph1)) == -1) {
52b7d2ce
A		 1574 plog(LLV_ERROR , LOCATION, NULL,
1575 "failed to add a response packet to the tree.\n");
1576 goto end;
1577 }
1578
1579 iph1->status = PHASE1ST_MSG1SENT;
1580
1581#ifdef ENABLE_VPNCONTROL_PORT
1582 vpncontrol_notify_phase_change(1, FROM_LOCAL, iph1, NULL);
1583#endif
1584
1585 error = 0;
1586
d1e348cf
A		 1587 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1588 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
1589 CONSTSTR("Responder, Aggressive-Mode message 2"),
1590 CONSTSTR(NULL));
1591
52b7d2ce 1592end:
d1e348cf
A		 1593 if (error) {
1594 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1595 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
1596 CONSTSTR("Responder, Aggressive-Mode Message 2"),
1597 CONSTSTR("Failed to process Aggressive-Mode Message 2"));
1598 }
52b7d2ce
A		 1599 if (cr)
1600 vfree(cr);
52b7d2ce
A		 1601#ifdef ENABLE_HYBRID
1602 if (xauth_vid)
1603 vfree(xauth_vid);
1604 if (unity_vid)
1605 vfree(unity_vid);
1606#endif
1607#ifdef HAVE_GSSAPI
1608 if (gsstoken)
1609 vfree(gsstoken);
1610 if (gsshash)
1611 vfree(gsshash);
d1e348cf 1612 if (free_gss_sa)
52b7d2ce
A		 1613 vfree(gss_sa);
1614#endif
d1e348cf
A		 1615#ifdef ENABLE_NATT
1616 if (vid_natt)
1617 vfree(vid_natt);
1618 if (natd[0])
1619 vfree(natd[0]);
1620 if (natd[1])
1621 vfree(natd[1]);
1622#endif
52b7d2ce
A		 1623#ifdef ENABLE_DPD
1624 if (vid_dpd)
1625 vfree(vid_dpd);
1626#endif
d1e348cf
A		 1627#ifdef ENABLE_FRAG
1628 if (vid_frag)
1629 vfree(vid_frag);
1630#endif
52b7d2ce
A		 1631
1632 return error;
1633}
1634
1635/*
1636 * receive from initiator
1637 * psk: HDR, HASH_I
1638 * gssapi: HDR, HASH_I
1639 * sig: HDR, [ CERT, ] SIG_I
1640 * rsa: HDR, HASH_I
1641 * rev: HDR, HASH_I
1642 */
1643int
1644agg_r2recv(iph1, msg0)
1645 struct ph1handle *iph1;
1646 vchar_t *msg0;
1647{
1648 vchar_t *msg = NULL;
1649 vchar_t *pbuf = NULL;
1650 struct isakmp_parse_t *pa;
1651 int error = -1;
1652 int ptype;
1653
1654#ifdef ENABLE_NATT
1655 int natd_seq = 0;
1656#endif
e8d9021d 1657 int received_cert = 0;
52b7d2ce
A		 1658
1659 /* validity check */
1660 if (iph1->status != PHASE1ST_MSG1SENT) {
1661 plog(LLV_ERROR, LOCATION, NULL,
1662 "status mismatched %d.\n", iph1->status);
1663 goto end;
1664 }
1665
1666 /* decrypting if need. */
1667 /* XXX configurable ? */
1668 if (ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
1669 msg = oakley_do_decrypt(iph1, msg0,
1670 iph1->ivm->iv, iph1->ivm->ive);
d1e348cf
A		 1671 if (msg == NULL) {
1672 plog(LLV_ERROR, LOCATION, NULL,
1673 "failed to decrypt msg");
52b7d2ce 1674 goto end;
d1e348cf 1675 }
52b7d2ce
A		 1676 } else
1677 msg = vdup(msg0);
1678
1679 /* validate the type of next payload */
1680 pbuf = isakmp_parse(msg);
d1e348cf
A		 1681 if (pbuf == NULL) {
1682 plog(LLV_ERROR, LOCATION, NULL,
1683 "failed to parse msg");
52b7d2ce 1684 goto end;
d1e348cf 1685 }
52b7d2ce
A		 1686
1687 iph1->pl_hash = NULL;
1688
85f41bec 1689 for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
52b7d2ce
A		 1690 pa->type != ISAKMP_NPTYPE_NONE;
1691 pa++) {
1692
1693 switch (pa->type) {
1694 case ISAKMP_NPTYPE_HASH:
1695 iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr;
1696 break;
1697 case ISAKMP_NPTYPE_VID:
1698 (void)check_vendorid(pa->ptr);
1699 break;
1700 case ISAKMP_NPTYPE_CERT:
d1e348cf
A		 1701 if (oakley_savecert(iph1, pa->ptr) < 0) {
1702 plog(LLV_ERROR, LOCATION, NULL,
1703 "failed to process CERT payload");
52b7d2ce 1704 goto end;
d1e348cf 1705 }
e8d9021d 1706 received_cert = 1;
52b7d2ce
A		 1707 break;
1708 case ISAKMP_NPTYPE_SIG:
d1e348cf
A		 1709 if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) {
1710 plog(LLV_ERROR, LOCATION, NULL,
1711 "failed to process SIG payload");
52b7d2ce 1712 goto end;
d1e348cf 1713 }
52b7d2ce
A		 1714 break;
1715 case ISAKMP_NPTYPE_N:
1716 isakmp_check_notify(pa->ptr, iph1);
1717 break;
1718
1719#ifdef ENABLE_NATT
1720 case ISAKMP_NPTYPE_NATD_DRAFT:
1721 case ISAKMP_NPTYPE_NATD_RFC:
52b7d2ce
A		 1722 if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL &&
1723 pa->type == iph1->natt_options->payload_nat_d)
1724 {
1725 vchar_t *natd_received = NULL;
1726 int natd_verified;
1727
d1e348cf
A		 1728 if (isakmp_p2ph (&natd_received, pa->ptr) < 0) {
1729 plog(LLV_ERROR, LOCATION, NULL,
1730 "failed to process NATD payload");
52b7d2ce 1731 goto end;
d1e348cf 1732 }
52b7d2ce
A		 1733
1734 if (natd_seq == 0)
1735 iph1->natt_flags |= NAT_DETECTED;
1736
1737 natd_verified = natt_compare_addr_hash (iph1,
1738 natd_received, natd_seq++);
1739
1740 plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n",
1741 natd_seq - 1,
1742 natd_verified ? "verified" : "doesn't match");
1743
1744 vfree (natd_received);
1745 break;
1746 }
1747 /* %%%% Be lenient here - some servers send natd payloads */
1748 /* when no nat is detected */
1749 break;
1750#endif
1751
1752 default:
1753 /* don't send information, see isakmp_ident_r1() */
1754 plog(LLV_ERROR, LOCATION, iph1->remote,
1755 "ignore the packet, "
1756 "received unexpecting payload type %d.\n",
1757 pa->type);
1758 goto end;
1759 }
1760 }
1761
1762#ifdef ENABLE_NATT
1763 if (NATT_AVAILABLE(iph1))
1764 plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n",
1765 iph1->natt_flags & NAT_DETECTED ?
1766 "detected:" : "not detected",
1767 iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "",
1768 iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : "");
1769#endif
1770
e8d9021d
A		 1771 if (received_cert) {
1772 oakley_verify_certid(iph1);
1773 }
1774
52b7d2ce
A		 1775 /* validate authentication value */
1776 ptype = oakley_validate_auth(iph1);
1777 if (ptype != 0) {
d1e348cf
A		 1778 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1779 IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_FAIL,
1780 CONSTSTR("Responder, Aggressive-Mode Message 3"),
1781 CONSTSTR("Failed to authenticate Aggressive-Mode Message 3"));
52b7d2ce
A		 1782 if (ptype == -1) {
1783 /* message printed inner oakley_validate_auth() */
1784 goto end;
1785 }
1786 EVT_PUSH(iph1->local, iph1->remote,
1787 EVTT_PEERPH1AUTH_FAILED, NULL);
1788 isakmp_info_send_n1(iph1, ptype, NULL);
1789 goto end;
1790 }
d1e348cf
A		 1791 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1792 IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_SUCC,
1793 CONSTSTR("Responder, Aggressive-Mode Message 3"),
1794 CONSTSTR(NULL));
52b7d2ce
A		 1795
1796 iph1->status = PHASE1ST_MSG2RECEIVED;
1797
1798 error = 0;
1799
d1e348cf
A		 1800 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1801 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
1802 CONSTSTR("Responder, Aggressive-Mode message 3"),
1803 CONSTSTR(NULL));
1804
52b7d2ce 1805end:
d1e348cf
A		 1806 if (error) {
1807 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1808 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
1809 CONSTSTR("Responder, Aggressive-Mode Message 3"),
1810 CONSTSTR("Failed to process Aggressive-Mode Message 3"));
1811 }
52b7d2ce
A		 1812 if (pbuf)
1813 vfree(pbuf);
1814 if (msg)
1815 vfree(msg);
1816 if (error) {
1817 oakley_delcert(iph1->cert_p);
1818 iph1->cert_p = NULL;
1819 oakley_delcert(iph1->crl_p);
1820 iph1->crl_p = NULL;
1821 VPTRINIT(iph1->sig_p);
1822 }
1823
1824 return error;
1825}
1826
1827/*
1828 * status update and establish isakmp sa.
1829 */
1830int
1831agg_r2send(iph1, msg)
1832 struct ph1handle *iph1;
1833 vchar_t *msg;
1834{
1835 int error = -1;
1836
1837 /* validity check */
1838 if (iph1->status != PHASE1ST_MSG2RECEIVED) {
1839 plog(LLV_ERROR, LOCATION, NULL,
1840 "status mismatched %d.\n", iph1->status);
1841 goto end;
1842 }
1843
1844 /* IV synchronized when packet encrypted. */
1845 /* see handler.h about IV synchronization. */
1846 if (ISSET(((struct isakmp *)msg->v)->flags, ISAKMP_FLAG_E))
1847 memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->iv->l);
1848
1849 /* set encryption flag */
1850 iph1->flags |= ISAKMP_FLAG_E;
1851
1852 iph1->status = PHASE1ST_ESTABLISHED;
1853
d1e348cf
A		 1854 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1855 IPSECSESSIONEVENTCODE_IKEV1_PH1_RESP_SUCC,
1856 CONSTSTR("Responder, Aggressive-Mode"),
1857 CONSTSTR(NULL));
1858
52b7d2ce
A		 1859 error = 0;
1860
1861end:
1862 return error;
1863}
mirror of ipsec