]> git.saurik.com Git - apple/ipsec.git/blame - ipsec-tools/racoon/isakmp_agg.c
ipsec-93.15.tar.gz
1/* $NetBSD: isakmp_agg.c,v 1.9 2006/09/30 21:49:37 manu Exp $ */
2
3/* Id: isakmp_agg.c,v 1.28 2006/04/06 16:46:08 manubsd Exp */
4
5/*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34/* Aggressive Exchange (Aggressive Mode) */
35
36#include "config.h"
37
38#include <sys/types.h>
39#include <sys/param.h>
40
41#include <stdlib.h>
42#include <stdio.h>
43#include <string.h>
44#include <errno.h>
45#if TIME_WITH_SYS_TIME
46# include <sys/time.h>
47# include <time.h>
48#else
49# if HAVE_SYS_TIME_H
50# include <sys/time.h>
51# else
52# include <time.h>
53# endif
54#endif
55
56#include "var.h"
57#include "misc.h"
58#include "vmbuf.h"
59#include "plog.h"
60#include "sockmisc.h"
61#include "schedule.h"
62#include "debug.h"
63
64#ifdef ENABLE_HYBRID
65#include <resolv.h>
66#endif
67
68#include "localconf.h"
69#include "remoteconf.h"
70#include "isakmp_var.h"
71#include "isakmp.h"
72#include "evt.h"
73#include "oakley.h"
74#include "handler.h"
75#include "ipsec_doi.h"
76#include "crypto_openssl.h"
77#include "pfkey.h"
78#include "isakmp_agg.h"
79#include "isakmp_inf.h"
80#ifdef ENABLE_HYBRID
81#include "isakmp_xauth.h"
82#include "isakmp_cfg.h"
83#endif
84#ifdef ENABLE_FRAG
85#include "isakmp_frag.h"
86#endif
87#include "vendorid.h"
88#include "strnames.h"
89
90#ifdef ENABLE_NATT
91#include "nattraversal.h"
92#endif
93
94#ifdef HAVE_GSSAPI
95#include "gssapi.h"
96#endif
97
98#include "vpn_control.h"
99#include "vpn_control_var.h"
100#include "ipsecSessionTracer.h"
101#include "ipsecMessageTracer.h"
102
103/*
104 * begin Aggressive Mode as initiator.
105 */
106/*
107 * send to responder
108 * psk: HDR, SA, KE, Ni, IDi1
109 * sig: HDR, SA, KE, Ni, IDi1 [, CR ]
110 * gssapi: HDR, SA, KE, Ni, IDi1, GSSi
111 * rsa: HDR, SA, [ HASH(1),] KE, <IDi1_b>Pubkey_r, <Ni_b>Pubkey_r
112 * rev: HDR, SA, [ HASH(1),] <Ni_b>Pubkey_r, <KE_b>Ke_i,
113 * <IDii_b>Ke_i [, <Cert-I_b>Ke_i ]
114 */
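/*
 * Build and transmit Aggressive Mode message 1 as initiator.
 *
 * iph1: phase 1 handle; must be in PHASE1ST_START.  On success its status
 *       becomes PHASE1ST_MSG1SENT and iph1->sendbuf holds the packet.
 * msg:  must be NULL (there is no received message to answer yet).
 *
 * Returns 0 on success, -1 on any failure.
 *
 * The ID payload is appended to this first message; ISAKMP_FLAG_E is only
 * set at the end of agg_i2send(), so the initiator identity is built into
 * a packet that is sent before encryption is switched on.
 */
int
agg_i1send(iph1, msg)
	struct ph1handle *iph1;
	vchar_t *msg; /* must be null */
{
	struct payload_list *plist = NULL;
	int need_cr = 0;
	vchar_t *cr = NULL;
	int error = -1;
#ifdef ENABLE_NATT
	vchar_t *vid_natt[MAX_NATT_VID_COUNT] = { NULL };
	int i;
#endif
#ifdef ENABLE_HYBRID
	vchar_t *vid_xauth = NULL;
	vchar_t *vid_unity = NULL;
#endif
#ifdef ENABLE_FRAG
	vchar_t *vid_frag = NULL;
#endif
#ifdef HAVE_GSSAPI
	vchar_t *gsstoken = NULL;
	int len;
#endif
#ifdef ENABLE_DPD
	vchar_t *vid_dpd = NULL;
#endif

	/* validity check */
	if (msg != NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"msg has to be NULL in this function.\n");
		goto end;
	}
	if (iph1->status != PHASE1ST_START) {
		plog(LLV_ERROR, LOCATION, NULL,
			"status mismatched %d.\n", iph1->status);
		goto end;
	}

	/* create isakmp index */
	memset(&iph1->index, 0, sizeof(iph1->index));
	isakmp_newcookie((caddr_t)&iph1->index, iph1->remote, iph1->local);

	/* make ID payload into isakmp status */
	if (ipsecdoi_setid1(iph1) < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to set ID");
		goto end;
	}

	/* create SA payload for my proposal */
	iph1->sa = ipsecdoi_setph1proposal(iph1->rmconf->proposal);
	if (iph1->sa == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to set proposal");
		goto end;
	}

	/* consistency check of proposals */
	if (iph1->rmconf->dhgrp == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"configuration failure about DH group.\n");
		goto end;
	}

	/* generate DH public value */
	if (oakley_dh_generate(iph1->rmconf->dhgrp,
			       &iph1->dhpub, &iph1->dhpriv) < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to generate DH");
		goto end;
	}

	/* generate NONCE value */
	iph1->nonce = eay_set_random(iph1->rmconf->nonce_size);
	if (iph1->nonce == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to generate NONCE");
		goto end;
	}

#ifdef ENABLE_HYBRID
	/* Do we need Xauth VID? */
	switch (RMAUTHMETHOD(iph1)) {
	case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
		/* a failed vendor ID is logged but does not abort the exchange */
		if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL)
			plog(LLV_ERROR, LOCATION, NULL,
				"Xauth vendor ID generation failed\n");
		if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL)
			plog(LLV_ERROR, LOCATION, NULL,
				"Unity vendor ID generation failed\n");
		break;
	default:
		break;
	}
#endif

#ifdef ENABLE_FRAG
	if (iph1->rmconf->ike_frag) {
		vid_frag = set_vendorid(VENDORID_FRAG);
		if (vid_frag != NULL)
			vid_frag = isakmp_frag_addcap(vid_frag,
						      VENDORID_FRAG_AGG);
		if (vid_frag == NULL)
			plog(LLV_ERROR, LOCATION, NULL,
				"Frag vendorID construction failed\n");
	}
#endif

	/* create CR if need */
	if (iph1->rmconf->send_cr
	 && oakley_needcr(iph1->rmconf->proposal->authmethod)
	 && iph1->rmconf->peerscertfile == NULL) {
		need_cr = 1;
		cr = oakley_getcr(iph1);
		if (cr == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
				"failed to get CR");
			goto end;
		}
	}

	plog(LLV_DEBUG, LOCATION, NULL, "authmethod is %s\n",
		s_oakley_attr_method(iph1->rmconf->proposal->authmethod));
#ifdef HAVE_GSSAPI
	/* NOTE(review): the result of gssapi_get_itoken() is not checked here;
	 * confirm whether a failure should abort the exchange. */
	if (RMAUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB)
		gssapi_get_itoken(iph1, &len);
#endif

	/* set SA payload to propose */
	plist = isakmp_plist_append(plist, iph1->sa, ISAKMP_NPTYPE_SA);

	/* create isakmp KE payload */
	plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE);

	/* create isakmp NONCE payload */
	plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE);

	/* create isakmp ID payload */
	plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);

#ifdef HAVE_GSSAPI
	if (RMAUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) {
		gssapi_get_token_to_send(iph1, &gsstoken);
		plist = isakmp_plist_append(plist, gsstoken, ISAKMP_NPTYPE_GSS);
	}
#endif
	/* create isakmp CR payload */
	if (need_cr)
		plist = isakmp_plist_append(plist, cr, ISAKMP_NPTYPE_CR);

#ifdef ENABLE_FRAG
	if (vid_frag)
		plist = isakmp_plist_append(plist, vid_frag, ISAKMP_NPTYPE_VID);
#endif
#ifdef ENABLE_NATT
	/*
	 * set VID payload for NAT-T if NAT-T
	 * support allowed in the config file
	 */
	if (iph1->rmconf->nat_traversal)
		plist = isakmp_plist_append_natt_vids(plist, vid_natt);
#endif
#ifdef ENABLE_HYBRID
	if (vid_xauth)
		plist = isakmp_plist_append(plist,
					    vid_xauth, ISAKMP_NPTYPE_VID);
	if (vid_unity)
		plist = isakmp_plist_append(plist,
					    vid_unity, ISAKMP_NPTYPE_VID);
#endif
#ifdef ENABLE_DPD
	if (iph1->rmconf->dpd) {
		vid_dpd = set_vendorid(VENDORID_DPD);
		if (vid_dpd != NULL)
			plist = isakmp_plist_append(plist, vid_dpd, ISAKMP_NPTYPE_VID);
	}
#endif

	iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
	/*
	 * Do not hand a missing buffer to the send path.
	 * isakmp_plist_set_all() is defined elsewhere; a NULL result is
	 * treated as a construction failure here.
	 */
	if (iph1->sendbuf == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to build packet\n");
		goto end;
	}

#ifdef HAVE_PRINT_ISAKMP_C
	isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
#endif

	/* send the packet, add to the schedule to resend */
	iph1->retry_counter = iph1->rmconf->retry_counter;
	if (isakmp_ph1resend(iph1) == -1) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to send packet");
		goto end;
	}

	iph1->status = PHASE1ST_MSG1SENT;

	error = 0;

	IPSECSESSIONTRACEREVENT(iph1->parent_session,
				IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
				CONSTSTR("Initiator, Aggressive-Mode message 1"),
				CONSTSTR(NULL));

end:
	if (error) {
		IPSECSESSIONTRACEREVENT(iph1->parent_session,
					IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
					CONSTSTR("Initiator, Aggressive-Mode Message 1"),
					CONSTSTR("Failed to transmit Aggressive-Mode Message 1"));
	}
	/* temporaries built for this message are released on every path */
	if (cr)
		vfree(cr);
#ifdef HAVE_GSSAPI
	if (gsstoken)
		vfree(gsstoken);
#endif
#ifdef ENABLE_FRAG
	if (vid_frag)
		vfree(vid_frag);
#endif
#ifdef ENABLE_NATT
	for (i = 0; i < MAX_NATT_VID_COUNT && vid_natt[i] != NULL; i++)
		vfree(vid_natt[i]);
#endif
#ifdef ENABLE_HYBRID
	if (vid_xauth != NULL)
		vfree(vid_xauth);
	if (vid_unity != NULL)
		vfree(vid_unity);
#endif
#ifdef ENABLE_DPD
	if (vid_dpd != NULL)
		vfree(vid_dpd);
#endif

	return error;
}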
359
360/*
361 * receive from responder
362 * psk: HDR, SA, KE, Nr, IDr1, HASH_R
363 * sig: HDR, SA, KE, Nr, IDr1, [ CR, ] [ CERT, ] SIG_R
364 * gssapi: HDR, SA, KE, Nr, IDr1, GSSr, HASH_R
365 * rsa: HDR, SA, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i, HASH_R
366 * rev: HDR, SA, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDir_b>Ke_r, HASH_R
367 */
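/*
 * Process Aggressive Mode message 2 (responder -> initiator).
 *
 * iph1: phase 1 handle; must be in PHASE1ST_MSG1SENT.  On success its
 *       status becomes PHASE1ST_MSG2RECEIVED.
 * msg:  the received packet.
 *
 * Returns 0 on success, -1 on any failure.  On failure the peer-supplied
 * values stored in iph1 (KE, nonce, ID, certs, CR, SIG) are released.
 *
 * Every payload is parsed before oakley_validate_auth() runs, so all
 * values handled up to that call come from a peer that has not yet been
 * authenticated.
 */
int
agg_i2recv(iph1, msg)
	struct ph1handle *iph1;
	vchar_t *msg;
{
	vchar_t *pbuf = NULL;
	struct isakmp_parse_t *pa;
	vchar_t *satmp = NULL;
	int error = -1;
	int vid_numeric;
	int ptype;
#ifdef HAVE_GSSAPI
	vchar_t *gsstoken = NULL;
#endif

#ifdef ENABLE_NATT
	int natd_seq = 0;
	struct natd_payload {
		int seq;
		vchar_t *payload;
		TAILQ_ENTRY(natd_payload) chain;
	};
	TAILQ_HEAD(_natd_payload, natd_payload) natd_tree;
	/* initialised before the first goto so the cleanup at end: is safe */
	TAILQ_INIT(&natd_tree);
#endif

	/* validity check */
	if (iph1->status != PHASE1ST_MSG1SENT) {
		plog(LLV_ERROR, LOCATION, NULL,
			"status mismatched %d.\n", iph1->status);
		goto end;
	}

	/* validate the type of next payload */
	pbuf = isakmp_parse(msg);
	if (pbuf == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to parse msg");
		goto end;
	}
	pa = (struct isakmp_parse_t *)pbuf->v;

	iph1->pl_hash = NULL;

	/* SA payload is fixed postion */
	if (pa->type != ISAKMP_NPTYPE_SA) {
		plog(LLV_ERROR, LOCATION, iph1->remote,
			"received invalid next payload type %d, "
			"expecting %d.\n",
			pa->type, ISAKMP_NPTYPE_SA);
		goto end;
	}

	if (isakmp_p2ph(&satmp, pa->ptr) < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to process SA payload");
		goto end;
	}
	pa++;

	for (/*nothing*/;
	     pa->type != ISAKMP_NPTYPE_NONE;
	     pa++) {

		switch (pa->type) {
		case ISAKMP_NPTYPE_KE:
			if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) {
				plog(LLV_ERROR, LOCATION, NULL,
					"failed to process KE payload");
				goto end;
			}
			break;
		case ISAKMP_NPTYPE_NONCE:
			if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) {
				plog(LLV_ERROR, LOCATION, NULL,
					"failed to process NONCE payload");
				goto end;
			}
			break;
		case ISAKMP_NPTYPE_ID:
			if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) {
				plog(LLV_ERROR, LOCATION, NULL,
					"failed to process ID payload");
				goto end;
			}
			break;
		case ISAKMP_NPTYPE_HASH:
			/*
			 * NOTE(review): this pointer refers into the parsed
			 * message, not a copy; it is not cleared before
			 * returning.  Confirm nothing reads iph1->pl_hash
			 * after the caller releases msg.
			 */
			iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr;
			break;
		case ISAKMP_NPTYPE_CR:
			if (oakley_savecr(iph1, pa->ptr) < 0) {
				plog(LLV_ERROR, LOCATION, NULL,
					"failed to process CR payload");
				goto end;
			}
			break;
		case ISAKMP_NPTYPE_CERT:
			if (oakley_savecert(iph1, pa->ptr) < 0) {
				plog(LLV_ERROR, LOCATION, NULL,
					"failed to process CERT payload");
				goto end;
			}
			break;
		case ISAKMP_NPTYPE_SIG:
			if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) {
				plog(LLV_ERROR, LOCATION, NULL,
					"failed to process SIG payload");
				goto end;
			}
			break;
		case ISAKMP_NPTYPE_VID:
			vid_numeric = check_vendorid(pa->ptr);
#ifdef ENABLE_NATT
			if (iph1->rmconf->nat_traversal &&
			    natt_vendorid(vid_numeric))
				natt_handle_vendorid(iph1, vid_numeric);
#endif
#ifdef ENABLE_HYBRID
			switch (vid_numeric) {
			case VENDORID_XAUTH:
				iph1->mode_cfg->flags |=
					ISAKMP_CFG_VENDORID_XAUTH;
				break;

			case VENDORID_UNITY:
				iph1->mode_cfg->flags |=
					ISAKMP_CFG_VENDORID_UNITY;
				break;
			default:
				break;
			}
#endif
#ifdef ENABLE_DPD
			if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd) {
				iph1->dpd_support=1;
				plog(LLV_DEBUG, LOCATION, NULL,
					"remote supports DPD\n");
			}
#endif
			break;
		case ISAKMP_NPTYPE_N:
			isakmp_check_notify(pa->ptr, iph1);
			break;
#ifdef HAVE_GSSAPI
		case ISAKMP_NPTYPE_GSS:
			if (isakmp_p2ph(&gsstoken, pa->ptr) < 0) {
				plog(LLV_ERROR, LOCATION, NULL,
					"failed to process GSS payload");
				goto end;
			}
			gssapi_save_received_token(iph1, gsstoken);
			break;
#endif

#ifdef ENABLE_NATT
		case ISAKMP_NPTYPE_NATD_DRAFT:
		case ISAKMP_NPTYPE_NATD_RFC:
#ifdef __APPLE__
		case ISAKMP_NPTYPE_NATD_BADDRAFT:
#endif
			if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL &&
			    pa->type == iph1->natt_options->payload_nat_d) {
				struct natd_payload *natd;
				natd = (struct natd_payload *)racoon_malloc(sizeof(*natd));
				if (!natd) {
					plog(LLV_ERROR, LOCATION, NULL,
						"failed to pre-process NATD payload");
					goto end;
				}

				natd->payload = NULL;

				if (isakmp_p2ph (&natd->payload, pa->ptr) < 0) {
					plog(LLV_ERROR, LOCATION, NULL,
						"failed to process NATD payload");
					/*
					 * The entry is not on natd_tree yet,
					 * so release it here.  Presumably
					 * payload is still NULL when
					 * isakmp_p2ph() fails -- confirm.
					 */
					racoon_free(natd);
					goto end;
				}

				natd->seq = natd_seq++;

				TAILQ_INSERT_TAIL(&natd_tree, natd, chain);
				break;
			}
			/* %%% Be lenient here - some servers send natd payloads */
			/* when nat not detected */
			break;
#endif

		default:
			/* don't send information, see isakmp_ident_r1() */
			plog(LLV_ERROR, LOCATION, iph1->remote,
				"ignore the packet, "
				"received unexpecting payload type %d.\n",
				pa->type);
			goto end;
		}
	}

	/*
	 * payload existency check.
	 * Every message 2 layout in the comment above this function carries
	 * an ID payload and ipsecdoi_checkid1() below consumes iph1->id_p,
	 * so a missing ID is rejected here rather than relying on the callee
	 * (not visible in this file) to tolerate NULL.
	 */
	if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL ||
	    iph1->id_p == NULL) {
		plog(LLV_ERROR, LOCATION, iph1->remote,
			"few isakmp message received.\n");
		goto end;
	}

	/* verify identifier */
	if (ipsecdoi_checkid1(iph1) != 0) {
		plog(LLV_ERROR, LOCATION, iph1->remote,
			"invalid ID payload.\n");
		goto end;
	}

	/* check SA payload and set approval SA for use */
	if (ipsecdoi_checkph1proposal(satmp, iph1) < 0) {
		plog(LLV_ERROR, LOCATION, iph1->remote,
			"failed to get valid proposal.\n");
		/* XXX send information */
		goto end;
	}
	VPTRINIT(iph1->sa_ret);

	/* fix isakmp index */
	memcpy(&iph1->index.r_ck, &((struct isakmp *)msg->v)->r_ck,
		sizeof(cookie_t));

#ifdef ENABLE_NATT
	if (NATT_AVAILABLE(iph1)) {
		struct natd_payload *natd = NULL;
		int natd_verified;

		plog(LLV_INFO, LOCATION, iph1->remote,
			"Selected NAT-T version: %s\n",
			vid_string_by_id(iph1->natt_options->version));

		/* set both bits first so that we can clear them
		   upon verifying hashes */
		iph1->natt_flags |= NAT_DETECTED;

		while ((natd = TAILQ_FIRST(&natd_tree)) != NULL) {
			/* this function will clear appropriate bits bits
			   from iph1->natt_flags */
			natd_verified = natt_compare_addr_hash (iph1,
				natd->payload, natd->seq);

			plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n",
				natd->seq - 1,
				natd_verified ? "verified" : "doesn't match");

			vfree (natd->payload);

			TAILQ_REMOVE(&natd_tree, natd, chain);
			racoon_free (natd);
		}

		plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n",
		      iph1->natt_flags & NAT_DETECTED ?
				"detected:" : "not detected",
		      iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "",
		      iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : "");

		if (iph1->natt_flags & NAT_DETECTED) {
			natt_float_ports (iph1);
		}
		/* runs whether or not a NAT was detected */
		ike_session_update_natt_version(iph1);
	}
#endif

	/* compute sharing secret of DH */
	if (oakley_dh_compute(iph1->rmconf->dhgrp, iph1->dhpub,
			      iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to compute DH");
		goto end;
	}

	/* generate SKEYIDs & IV & final cipher key */
	if (oakley_skeyid(iph1) < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to generate SKEYID");
		goto end;
	}
	if (oakley_skeyid_dae(iph1) < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to generate SKEYID-DAE");
		goto end;
	}
	if (oakley_compute_enckey(iph1) < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to generate ENCKEY");
		goto end;
	}
	if (oakley_newiv(iph1) < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to generate IV");
		goto end;
	}

	/* validate authentication value */
	ptype = oakley_validate_auth(iph1);
	if (ptype != 0) {
		IPSECSESSIONTRACEREVENT(iph1->parent_session,
					IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_FAIL,
					CONSTSTR("Initiator, Aggressive-Mode Message 2"),
					CONSTSTR("Failed to authenticate, Aggressive-Mode Message 2"));
		if (ptype == -1) {
			/* message printed inner oakley_validate_auth() */
			goto end;
		}
		/* any other non-zero value is sent to the peer as a notify type */
		EVT_PUSH(iph1->local, iph1->remote,
			 EVTT_PEERPH1AUTH_FAILED, NULL);
		isakmp_info_send_n1(iph1, ptype, NULL);
		goto end;
	}
	IPSECSESSIONTRACEREVENT(iph1->parent_session,
				IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_SUCC,
				CONSTSTR("Initiator, Aggressive-Mode Message 2"),
				CONSTSTR(NULL));

	/* a failed CR check is deliberately not fatal (interoperability) */
	if (oakley_checkcr(iph1) < 0) {
		/* Ignore this error in order to be interoperability. */
		;
	}

	/* change status of isakmp status entry */
	iph1->status = PHASE1ST_MSG2RECEIVED;

#ifdef ENABLE_VPNCONTROL_PORT
	vpncontrol_notify_phase_change(1, FROM_REMOTE, iph1, NULL);
#endif

	error = 0;

	IPSECSESSIONTRACEREVENT(iph1->parent_session,
				IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
				CONSTSTR("Initiator, Aggressive-Mode message 2"),
				CONSTSTR(NULL));

end:
	if (error) {
		IPSECSESSIONTRACEREVENT(iph1->parent_session,
					IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
					CONSTSTR("Initiator, Aggressive-Mode Message 2"),
					CONSTSTR("Failure processing Aggressive-Mode Message 2"));
	}
#ifdef ENABLE_NATT
	/*
	 * NAT-D entries queued during parsing are normally consumed by the
	 * verification loop above.  Any exit taken before that loop (bad
	 * payload, ID or proposal rejection) would otherwise leave them
	 * allocated, and that path is reachable from peer-supplied input.
	 */
	{
		struct natd_payload *pending;

		while ((pending = TAILQ_FIRST(&natd_tree)) != NULL) {
			TAILQ_REMOVE(&natd_tree, pending, chain);
			if (pending->payload)
				vfree(pending->payload);
			racoon_free(pending);
		}
	}
#endif
#ifdef HAVE_GSSAPI
	if (gsstoken)
		vfree(gsstoken);
#endif
	if (pbuf)
		vfree(pbuf);
	if (satmp)
		vfree(satmp);
	if (error) {
		/* drop everything the peer supplied in this message */
		VPTRINIT(iph1->dhpub_p);
		VPTRINIT(iph1->nonce_p);
		VPTRINIT(iph1->id_p);
		oakley_delcert(iph1->cert_p);
		iph1->cert_p = NULL;
		oakley_delcert(iph1->crl_p);
		iph1->crl_p = NULL;
		VPTRINIT(iph1->sig_p);
		oakley_delcert(iph1->cr_p);
		iph1->cr_p = NULL;
	}

	return error;
}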
738
739/*
740 * send to responder
741 * psk: HDR, HASH_I
742 * gssapi: HDR, HASH_I
743 * sig: HDR, [ CERT, ] SIG_I
744 * rsa: HDR, HASH_I
745 * rev: HDR, HASH_I
746 */
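/*
 * Build and transmit Aggressive Mode message 3 (initiator -> responder).
 *
 * iph1: phase 1 handle; must be in PHASE1ST_MSG2RECEIVED.  On success its
 *       status becomes PHASE1ST_ESTABLISHED and ISAKMP_FLAG_E is set, so
 *       encryption applies only to traffic after this message.
 * msg:  the received message 2, recorded together with the reply through
 *       add_recvdpkt().
 *
 * Returns 0 on success, -1 on any failure.
 */
int
agg_i2send(iph1, msg)
	struct ph1handle *iph1;
	vchar_t *msg;
{
	struct payload_list *plist = NULL;
	int need_cert = 0;
	int error = -1;
	vchar_t *gsshash = NULL;
#ifdef ENABLE_NATT
	vchar_t *natd[2] = { NULL, NULL };
#endif

	/* validity check */
	if (iph1->status != PHASE1ST_MSG2RECEIVED) {
		plog(LLV_ERROR, LOCATION, NULL,
			"status mismatched %d.\n", iph1->status);
		goto end;
	}

	/* generate HASH to send */
	plog(LLV_DEBUG, LOCATION, NULL, "generate HASH_I\n");
	iph1->hash = oakley_ph1hash_common(iph1, GENERATE);
	if (iph1->hash == NULL) {
#ifdef HAVE_GSSAPI
		if (gssapi_more_tokens(iph1) &&
#ifdef ENABLE_HYBRID
		    !iph1->rmconf->xauth &&
#endif
		    1)
			isakmp_info_send_n1(iph1,
				ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, NULL);
#endif
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to generate HASH");
		goto end;
	}

	switch (AUTHMETHOD(iph1)) {
	case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
#ifdef ENABLE_HYBRID
	case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
#endif
		/* set HASH payload */
		plist = isakmp_plist_append(plist,
					    iph1->hash, ISAKMP_NPTYPE_HASH);
		break;

	case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
	case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
#ifdef ENABLE_HYBRID
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
#endif
		/* XXX if there is CR or not ? */

		if (oakley_getmycert(iph1) < 0) {
			plog(LLV_ERROR, LOCATION, NULL,
				"failed to get mycert");
			goto end;
		}

		if (oakley_getsign(iph1) < 0) {
			plog(LLV_ERROR, LOCATION, NULL,
				"failed to get sign");
			goto end;
		}

		if (iph1->cert != NULL && iph1->rmconf->send_cert)
			need_cert = 1;

		/* add CERT payload if there */
		if (need_cert)
			plist = isakmp_plist_append(plist, iph1->cert->pl, ISAKMP_NPTYPE_CERT);

		/* add SIG payload */
		plist = isakmp_plist_append(plist, iph1->sig, ISAKMP_NPTYPE_SIG);
		break;

	case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
	case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
#ifdef ENABLE_HYBRID
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
#endif
		/* no authentication payload is appended for these methods */
		break;
#ifdef HAVE_GSSAPI
	case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
		gsshash = gssapi_wraphash(iph1);
		if (gsshash == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
				"failed to get GSS hash\n");
			isakmp_info_send_n1(iph1,
				ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, NULL);
			goto end;
		}

		plist = isakmp_plist_append(plist, gsshash, ISAKMP_NPTYPE_HASH);
		break;
#endif
	default:
		/* any other method: nothing appended, as before */
		break;
	}

#ifdef ENABLE_NATT
	/* generate NAT-D payloads */
	/*
	 * NOTE(review): the two failure exits below leave with entries
	 * already appended to plist; no release of the list is visible in
	 * this function -- confirm whether it needs freeing on these paths.
	 */
	if (NATT_AVAILABLE(iph1)) {
		plog (LLV_INFO, LOCATION, NULL, "Adding remote and local NAT-D payloads.\n");
		if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
				"NAT-D hashing failed for %s\n", saddr2str(iph1->remote));
			goto end;
		}

		if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
				"NAT-D hashing failed for %s\n", saddr2str(iph1->local));
			goto end;
		}

#ifdef __APPLE__
		/* old Apple version sends natd payloads in the wrong order */
		if (iph1->natt_options->version == VENDORID_NATT_APPLE) {
			plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
			plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
		} else
#endif
		{
			plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
			plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
		}
	}
#endif

	iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
	/*
	 * Do not hand a missing buffer to isakmp_send().
	 * isakmp_plist_set_all() is defined elsewhere; a NULL result is
	 * treated as a construction failure here.
	 */
	if (iph1->sendbuf == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to build packet\n");
		goto end;
	}

#ifdef HAVE_PRINT_ISAKMP_C
	isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
#endif

	/* send to responder */
	if (isakmp_send(iph1, iph1->sendbuf) < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to send packet");
		goto end;
	}

	/* the sending message is added to the received-list. */
	if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
			 PH1_NON_ESP_EXTRA_LEN(iph1)) == -1) {
		plog(LLV_ERROR , LOCATION, NULL,
			"failed to add a response packet to the tree.\n");
		goto end;
	}

	/* set encryption flag */
	iph1->flags |= ISAKMP_FLAG_E;

	iph1->status = PHASE1ST_ESTABLISHED;

	IPSECSESSIONTRACEREVENT(iph1->parent_session,
				IPSECSESSIONEVENTCODE_IKEV1_PH1_INIT_SUCC,
				CONSTSTR("Initiator, Aggressive-Mode"),
				CONSTSTR(NULL));

	error = 0;

	IPSECSESSIONTRACEREVENT(iph1->parent_session,
				IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
				CONSTSTR("Initiator, Aggressive-Mode message 3"),
				CONSTSTR(NULL));

end:
	if (error) {
		IPSECSESSIONTRACEREVENT(iph1->parent_session,
					IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
					CONSTSTR("Initiator, Aggressive-Mode Message 3"),
					CONSTSTR("Failed to transmit Aggressive-Mode Message 3"));
	}
#ifdef ENABLE_NATT
	if (natd[0])
		vfree(natd[0]);
	if (natd[1])
		vfree(natd[1]);
#endif
	if (gsshash)
		vfree(gsshash);
	return error;
}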
944
945/*
946 * receive from initiator
947 * psk: HDR, SA, KE, Ni, IDi1
948 * sig: HDR, SA, KE, Ni, IDi1 [, CR ]
949 * gssapi: HDR, SA, KE, Ni, IDi1 , GSSi
950 * rsa: HDR, SA, [ HASH(1),] KE, <IDi1_b>Pubkey_r, <Ni_b>Pubkey_r
951 * rev: HDR, SA, [ HASH(1),] <Ni_b>Pubkey_r, <KE_b>Ke_i,
952 * <IDii_b>Ke_i [, <Cert-I_b>Ke_i ]
953 */
954int
955agg_r1recv(iph1, msg)
956 struct ph1handle *iph1;
957 vchar_t *msg;
958{
959 int error = -1;
960 vchar_t *pbuf = NULL;
961 struct isakmp_parse_t *pa;
962 int vid_numeric;
963#ifdef HAVE_GSSAPI
964 vchar_t *gsstoken = NULL;
965#endif
966
967 /* validity check */
968 if (iph1->status != PHASE1ST_START) {
969 plog(LLV_ERROR, LOCATION, NULL,
970 "status mismatched %d.\n", iph1->status);
971 goto end;
972 }
973
974 /* validate the type of next payload */
975 pbuf = isakmp_parse(msg);
d1e348cf
A
976 if (pbuf == NULL) {
977 plog(LLV_ERROR, LOCATION, NULL,
978 "failed to parse msg");
52b7d2ce 979 goto end;
d1e348cf 980 }
52b7d2ce
A
981 pa = (struct isakmp_parse_t *)pbuf->v;
982
983 /* SA payload is fixed postion */
984 if (pa->type != ISAKMP_NPTYPE_SA) {
985 plog(LLV_ERROR, LOCATION, iph1->remote,
986 "received invalid next payload type %d, "
987 "expecting %d.\n",
988 pa->type, ISAKMP_NPTYPE_SA);
989 goto end;
990 }
d1e348cf
A
991 if (isakmp_p2ph(&iph1->sa, pa->ptr) < 0) {
992 plog(LLV_ERROR, LOCATION, NULL,
993 "failed to process SA payload");
52b7d2ce 994 goto end;
d1e348cf 995 }
52b7d2ce
A
996 pa++;
997
998 for (/*nothing*/;
999 pa->type != ISAKMP_NPTYPE_NONE;
1000 pa++) {
1001
1002 plog(LLV_DEBUG, LOCATION, NULL,
1003 "received payload of type %s\n",
1004 s_isakmp_nptype(pa->type));
1005
1006 switch (pa->type) {
1007 case ISAKMP_NPTYPE_KE:
d1e348cf
A
1008 if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) {
1009 plog(LLV_ERROR, LOCATION, NULL,
1010 "failed to process KE payload");
52b7d2ce 1011 goto end;
d1e348cf 1012 }
52b7d2ce
A
1013 break;
1014 case ISAKMP_NPTYPE_NONCE:
d1e348cf
A
1015 if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) {
1016 plog(LLV_ERROR, LOCATION, NULL,
1017 "failed to process NONCE payload");
52b7d2ce 1018 goto end;
d1e348cf 1019 }
52b7d2ce
A
1020 break;
1021 case ISAKMP_NPTYPE_ID:
d1e348cf
A
1022 if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) {
1023 plog(LLV_ERROR, LOCATION, NULL,
1024 "failed to process ID payload");
52b7d2ce 1025 goto end;
d1e348cf 1026 }
52b7d2ce
A
1027 break;
1028 case ISAKMP_NPTYPE_VID:
1029 vid_numeric = check_vendorid(pa->ptr);
1030
1031#ifdef ENABLE_NATT
1032 if (iph1->rmconf->nat_traversal &&
1033 natt_vendorid(vid_numeric)) {
1034 natt_handle_vendorid(iph1, vid_numeric);
1035 break;
1036 }
1037#endif
1038#ifdef ENABLE_HYBRID
1039 switch (vid_numeric) {
1040 case VENDORID_XAUTH:
1041 iph1->mode_cfg->flags |=
1042 ISAKMP_CFG_VENDORID_XAUTH;
1043 break;
1044
1045 case VENDORID_UNITY:
1046 iph1->mode_cfg->flags |=
1047 ISAKMP_CFG_VENDORID_UNITY;
1048 break;
1049 default:
1050 break;
1051 }
1052#endif
1053#ifdef ENABLE_DPD
1054 if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd) {
1055 iph1->dpd_support=1;
1056 plog(LLV_DEBUG, LOCATION, NULL,
1057 "remote supports DPD\n");
1058 }
1059#endif
1060#ifdef ENABLE_FRAG
1061 if ((vid_numeric == VENDORID_FRAG) &&
1062 (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_AGG))
1063 iph1->frag = 1;
1064#endif
1065 break;
1066
1067 case ISAKMP_NPTYPE_CR:
d1e348cf
A
1068 if (oakley_savecr(iph1, pa->ptr) < 0) {
1069 plog(LLV_ERROR, LOCATION, NULL,
1070 "failed to process CR payload");
52b7d2ce 1071 goto end;
d1e348cf 1072 }
52b7d2ce
A
1073 break;
1074
1075#ifdef HAVE_GSSAPI
1076 case ISAKMP_NPTYPE_GSS:
d1e348cf
A
1077 if (isakmp_p2ph(&gsstoken, pa->ptr) < 0) {
1078 plog(LLV_ERROR, LOCATION, NULL,
1079 "failed to process GSS payload");
52b7d2ce 1080 goto end;
d1e348cf 1081 }
52b7d2ce
A
1082 gssapi_save_received_token(iph1, gsstoken);
1083 break;
1084#endif
1085 default:
1086 /* don't send information, see isakmp_ident_r1() */
1087 plog(LLV_ERROR, LOCATION, iph1->remote,
1088 "ignore the packet, "
1089 "received unexpecting payload type %d.\n",
1090 pa->type);
1091 goto end;
1092 }
1093 }
1094
1095 /* payload existency check */
1096 if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) {
1097 plog(LLV_ERROR, LOCATION, iph1->remote,
1098 "few isakmp message received.\n");
1099 goto end;
1100 }
1101
1102 /* verify identifier */
1103 if (ipsecdoi_checkid1(iph1) != 0) {
1104 plog(LLV_ERROR, LOCATION, iph1->remote,
1105 "invalid ID payload.\n");
1106 goto end;
1107 }
1108
1109#ifdef ENABLE_NATT
80318cb7 1110 if (NATT_AVAILABLE(iph1)) {
1111 plog(LLV_INFO, LOCATION, iph1->remote,
1112 "Selected NAT-T version: %s\n",
1113 vid_string_by_id(iph1->natt_options->version));
1114 ike_session_update_natt_version(iph1);
1115 }
1116#endif
1117
1118 /* check SA payload and set approval SA for use */
1119 if (ipsecdoi_checkph1proposal(iph1->sa, iph1) < 0) {
1120 plog(LLV_ERROR, LOCATION, iph1->remote,
1121 "failed to get valid proposal.\n");
1122 /* XXX send information */
1123 goto end;
1124 }
1125
1126 if (oakley_checkcr(iph1) < 0) {
1127 /* Ignore this error in order to be interoperability. */
1128 ;
1129 }
1130
1131 iph1->status = PHASE1ST_MSG1RECEIVED;
1132
1133 error = 0;
1134
1135 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1136 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
1137 CONSTSTR("Responder, Aggressive-Mode message 1"),
1138 CONSTSTR(NULL));
1139
52b7d2ce 1140end:
1141 if (error) {
1142 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1143 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
1144 CONSTSTR("Responder, Aggressive-Mode Message 1"),
1145 CONSTSTR("Failed to process Aggressive-Mode Message 1"));
1146 }
1147#ifdef HAVE_GSSAPI
1148 if (gsstoken)
1149 vfree(gsstoken);
1150#endif
1151 if (pbuf)
1152 vfree(pbuf);
1153 if (error) {
1154 VPTRINIT(iph1->sa);
1155 VPTRINIT(iph1->dhpub_p);
1156 VPTRINIT(iph1->nonce_p);
1157 VPTRINIT(iph1->id_p);
1158 oakley_delcert(iph1->cr_p);
1159 iph1->cr_p = NULL;
1160 }
1161
1162 return error;
1163}
1164
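/*
 * Responder, Aggressive Mode: build and send the second message.
 * send to initiator
 * 	psk: HDR, SA, KE, Nr, IDr1, HASH_R
 * 	sig: HDR, SA, KE, Nr, IDr1, [ CR, ] [ CERT, ] SIG_R
 * 	gssapi: HDR, SA, KE, Nr, IDr1, GSSr, HASH_R
 * 	rsa: HDR, SA, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i, HASH_R
 * 	rev: HDR, SA, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDir_b>Ke_r, HASH_R
 *
 * Note that the code below appends the optional CR payload last (after
 * HASH_R or SIG_R), which differs from the order listed above.
 * The rsa and rev layouts are listed but no payloads are built for them.
 *
 * Precondition: iph1->status == PHASE1ST_MSG1RECEIVED.
 * On success the status becomes PHASE1ST_MSG1SENT and 0 is returned.
 * On any failure -1 is returned and a TX_FAIL trace event is recorded.
 * The temporary CR, vendor ID, NAT-D and GSS buffers allocated here are
 * released on every path; state stored in iph1 (cookie, ID, DH values,
 * nonce, keys, hash, sendbuf) is left in place for the caller.
 */
int
agg_r1send(iph1, msg)
	struct ph1handle *iph1;
	vchar_t *msg;
{
	struct payload_list *plist = NULL;
	int need_cr = 0;
	int need_cert = 0;
	vchar_t *cr = NULL;
	int error = -1;
#ifdef ENABLE_HYBRID
	vchar_t *xauth_vid = NULL;
	vchar_t *unity_vid = NULL;
#endif
#ifdef ENABLE_NATT
	vchar_t *vid_natt = NULL;
	vchar_t *natd[2] = { NULL, NULL };
#endif
#ifdef ENABLE_DPD
	vchar_t *vid_dpd = NULL;
#endif
#ifdef ENABLE_FRAG
	vchar_t *vid_frag = NULL;
#endif

#ifdef HAVE_GSSAPI
	int gsslen;
	vchar_t *gsstoken = NULL, *gsshash = NULL;
	vchar_t *gss_sa = NULL;
	int free_gss_sa = 0;
#endif

	/* validity check */
	if (iph1->status != PHASE1ST_MSG1RECEIVED) {
		plog(LLV_ERROR, LOCATION, NULL,
			"status mismatched %d.\n", iph1->status);
		goto end;
	}

	/* set responder's cookie */
	isakmp_newcookie((caddr_t)&iph1->index.r_ck, iph1->remote, iph1->local);

	/* make ID payload into isakmp status */
	if (ipsecdoi_setid1(iph1) < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to set ID");
		goto end;
	}

	/*
	 * generate DH public value
	 * NOTE(review): the key pair is generated for rmconf->dhgrp while the
	 * shared secret below is computed with approval->dhgrp; confirm the
	 * two always name the same group.
	 */
	if (oakley_dh_generate(iph1->rmconf->dhgrp,
				&iph1->dhpub, &iph1->dhpriv) < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to generate DH");
		goto end;
	}

	/* generate NONCE value */
	iph1->nonce = eay_set_random(iph1->rmconf->nonce_size);
	if (iph1->nonce == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to generate NONCE");
		goto end;
	}

	/* compute sharing secret of DH */
	if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub,
				iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to compute DH");
		goto end;
	}

	/* generate SKEYIDs & IV & final cipher key */
	if (oakley_skeyid(iph1) < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to generate SKEYID");
		goto end;
	}
	if (oakley_skeyid_dae(iph1) < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to generate SKEYID-DAE");
		goto end;
	}
	if (oakley_compute_enckey(iph1) < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to generate ENCKEY");
		goto end;
	}
	if (oakley_newiv(iph1) < 0) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to generate IV");
		goto end;
	}

#ifdef HAVE_GSSAPI
	/* the return value of gssapi_get_rtoken() is not checked here */
	if (RMAUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB)
		gssapi_get_rtoken(iph1, &gsslen);
#endif

	/* generate HASH to send */
	plog(LLV_DEBUG, LOCATION, NULL, "generate HASH_R\n");
	iph1->hash = oakley_ph1hash_common(iph1, GENERATE);
	if (iph1->hash == NULL) {
#ifdef HAVE_GSSAPI
		if (gssapi_more_tokens(iph1))
			isakmp_info_send_n1(iph1,
				ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, NULL);
#endif
		/* this text is logged for every auth method, not only GSS */
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to generate GSS HASH");
		goto end;
	}

	/* create CR if need */
	if (iph1->rmconf->send_cr
	 && oakley_needcr(iph1->approval->authmethod)
	 && iph1->rmconf->peerscertfile == NULL) {
		need_cr = 1;
		cr = oakley_getcr(iph1);
		if (cr == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
				"failed to get CR.\n");
			goto end;
		}
	}

#ifdef ENABLE_NATT
	/* Has the peer announced NAT-T? */
	if (NATT_AVAILABLE(iph1)) {
		/*
		 * set chosen VID
		 * A NULL result is not treated as an error: the NAT-T payloads
		 * are then skipped further down because vid_natt is unset.
		 */
		vid_natt = set_vendorid(iph1->natt_options->version);

		/* generate NAT-D payloads */
		plog (LLV_INFO, LOCATION, NULL, "Adding remote and local NAT-D payloads.\n");
		if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
				"NAT-D hashing failed for %s\n", saddr2str(iph1->remote));
			goto end;
		}

		if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
				"NAT-D hashing failed for %s\n", saddr2str(iph1->local));
			goto end;
		}
	}
#endif
#ifdef ENABLE_DPD
	/* Only send DPD support if remote announced DPD and if DPD support is active */
	if (iph1->dpd_support && iph1->rmconf->dpd)
		vid_dpd = set_vendorid(VENDORID_DPD);
#endif
#ifdef ENABLE_FRAG
	/* a failure to build the fragmentation VID is logged but not fatal */
	if (iph1->frag) {
		vid_frag = set_vendorid(VENDORID_FRAG);
		if (vid_frag != NULL)
			vid_frag = isakmp_frag_addcap(vid_frag,
				VENDORID_FRAG_AGG);
		if (vid_frag == NULL)
			plog(LLV_ERROR, LOCATION, NULL,
				"Frag vendorID construction failed\n");
	}
#endif

	switch (AUTHMETHOD(iph1)) {
	case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
#ifdef ENABLE_HYBRID
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
#endif
		/* set SA payload to reply */
		plist = isakmp_plist_append(plist, iph1->sa_ret, ISAKMP_NPTYPE_SA);

		/* create isakmp KE payload */
		plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE);

		/* create isakmp NONCE payload */
		plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE);

		/* create isakmp ID payload */
		plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);

		/* create isakmp HASH payload */
		plist = isakmp_plist_append(plist,
			iph1->hash, ISAKMP_NPTYPE_HASH);

		/* create isakmp CR payload if needed */
		if (need_cr)
			plist = isakmp_plist_append(plist, cr, ISAKMP_NPTYPE_CR);
		break;
	case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
	case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
#ifdef ENABLE_HYBRID
	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
#endif
		/* XXX if there is CR or not ? */

		if (oakley_getmycert(iph1) < 0) {
			plog(LLV_ERROR, LOCATION, NULL,
				"failed to get mycert");
			goto end;
		}

		if (oakley_getsign(iph1) < 0) {
			plog(LLV_ERROR, LOCATION, NULL,
				"failed to get sign");
			goto end;
		}

		if (iph1->cert != NULL && iph1->rmconf->send_cert)
			need_cert = 1;

		/* set SA payload to reply */
		plist = isakmp_plist_append(plist, iph1->sa_ret, ISAKMP_NPTYPE_SA);

		/* create isakmp KE payload */
		plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE);

		/* create isakmp NONCE payload */
		plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE);

		/* add ID payload */
		plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);

		/* add CERT payload if there */
		if (need_cert)
			plist = isakmp_plist_append(plist, iph1->cert->pl, ISAKMP_NPTYPE_CERT);

		/* add SIG payload */
		plist = isakmp_plist_append(plist, iph1->sig, ISAKMP_NPTYPE_SIG);

		/* create isakmp CR payload if needed */
		if (need_cr)
			plist = isakmp_plist_append(plist,
				cr, ISAKMP_NPTYPE_CR);
		break;

	case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
	case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
#ifdef ENABLE_HYBRID
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
#endif
		/* nothing is built for these methods; rejected after the switch */
		break;
#ifdef HAVE_GSSAPI
	case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
		/* create buffer to send isakmp payload */
		gsshash = gssapi_wraphash(iph1);
		if (gsshash == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
				"failed to generate GSS HASH\n");
			/*
			 * This is probably due to the GSS
			 * roundtrips not being finished yet.
			 * Return this error in the hope that
			 * a fallback to main mode will be done.
			 */
			isakmp_info_send_n1(iph1,
				ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, NULL);
			goto end;
		}
		if (iph1->approval->gssid != NULL)
			gss_sa =
			    ipsecdoi_setph1proposal(iph1->approval);
		else
			gss_sa = iph1->sa_ret;

		/* only a freshly built proposal is owned (and freed) here */
		if (gss_sa != iph1->sa_ret)
			free_gss_sa = 1;

		/* set SA payload to reply */
		plist = isakmp_plist_append(plist,
			gss_sa, ISAKMP_NPTYPE_SA);

		/* create isakmp KE payload */
		plist = isakmp_plist_append(plist,
			iph1->dhpub, ISAKMP_NPTYPE_KE);

		/* create isakmp NONCE payload */
		plist = isakmp_plist_append(plist,
			iph1->nonce, ISAKMP_NPTYPE_NONCE);

		/* create isakmp ID payload */
		plist = isakmp_plist_append(plist,
			iph1->id, ISAKMP_NPTYPE_ID);

		/* create GSS payload */
		gssapi_get_token_to_send(iph1, &gsstoken);
		plist = isakmp_plist_append(plist,
			gsstoken, ISAKMP_NPTYPE_GSS);

		/* create isakmp HASH payload */
		plist = isakmp_plist_append(plist,
			gsshash, ISAKMP_NPTYPE_HASH);

		/* append vendor id, if needed */
		break;
#endif
	}

	/*
	 * Every implemented case above queues at least the SA payload.  An
	 * empty list means the negotiated method builds nothing here (or is
	 * unknown), so fail instead of sending a reply that carries no
	 * SA/KE/authentication payloads.
	 */
	if (plist == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"no payload built for the authentication method.\n");
		goto end;
	}

	/*
	 * NOTE(review): from here on a "goto end" leaves the entries already
	 * appended to plist unreleased in this function; confirm who owns
	 * the list when the packet is never built.
	 */
#ifdef ENABLE_HYBRID
	if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) {
		plog (LLV_INFO, LOCATION, NULL, "Adding xauth VID payload.\n");
		if ((xauth_vid = set_vendorid(VENDORID_XAUTH)) == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
				"Cannot create Xauth vendor ID\n");
			goto end;
		}
		plist = isakmp_plist_append(plist,
			xauth_vid, ISAKMP_NPTYPE_VID);
	}

	if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_UNITY) {
		if ((unity_vid = set_vendorid(VENDORID_UNITY)) == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
				"Cannot create Unity vendor ID\n");
			goto end;
		}
		plist = isakmp_plist_append(plist,
			unity_vid, ISAKMP_NPTYPE_VID);
	}
#endif

#ifdef ENABLE_NATT
	/* append NAT-T payloads */
	if (vid_natt) {
		/* chosen VID */
		plist = isakmp_plist_append(plist, vid_natt, ISAKMP_NPTYPE_VID);
		/* NAT-D */
#ifdef __APPLE__
		/* old Apple version sends natd payloads in the wrong order */
		if (iph1->natt_options->version == VENDORID_NATT_APPLE) {
			plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
			plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
		} else
#endif
		{
			plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
			plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
		}
	}
#endif

#ifdef ENABLE_FRAG
	if (vid_frag)
		plist = isakmp_plist_append(plist, vid_frag, ISAKMP_NPTYPE_VID);
#endif

#ifdef ENABLE_DPD
	if (vid_dpd)
		plist = isakmp_plist_append(plist, vid_dpd, ISAKMP_NPTYPE_VID);
#endif

	iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
	/* do not print or transmit a packet that could not be assembled */
	if (iph1->sendbuf == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to build the response packet.\n");
		goto end;
	}

#ifdef HAVE_PRINT_ISAKMP_C
	isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 1);
#endif

	/* send the packet, add to the schedule to resend */
	iph1->retry_counter = iph1->rmconf->retry_counter;
	if (isakmp_ph1resend(iph1) == -1) {
		plog(LLV_ERROR , LOCATION, NULL,
			"failed to send packet");
		goto end;
	}

	/* the sending message is added to the received-list. */
	if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
			PH1_NON_ESP_EXTRA_LEN(iph1)) == -1) {
		plog(LLV_ERROR , LOCATION, NULL,
			"failed to add a response packet to the tree.\n");
		goto end;
	}

	iph1->status = PHASE1ST_MSG1SENT;

#ifdef ENABLE_VPNCONTROL_PORT
	vpncontrol_notify_phase_change(1, FROM_LOCAL, iph1, NULL);
#endif

	error = 0;

	IPSECSESSIONTRACEREVENT(iph1->parent_session,
				IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
				CONSTSTR("Responder, Aggressive-Mode message 2"),
				CONSTSTR(NULL));

end:
	if (error) {
		IPSECSESSIONTRACEREVENT(iph1->parent_session,
					IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
					CONSTSTR("Responder, Aggressive-Mode Message 2"),
					CONSTSTR("Failed to process Aggressive-Mode Message 2"));
	}
	/* release the temporaries owned by this function, on every path */
	if (cr)
		vfree(cr);
#ifdef ENABLE_HYBRID
	if (xauth_vid)
		vfree(xauth_vid);
	if (unity_vid)
		vfree(unity_vid);
#endif
#ifdef HAVE_GSSAPI
	if (gsstoken)
		vfree(gsstoken);
	if (gsshash)
		vfree(gsshash);
	if (free_gss_sa)
		vfree(gss_sa);
#endif
#ifdef ENABLE_NATT
	if (vid_natt)
		vfree(vid_natt);
	if (natd[0])
		vfree(natd[0]);
	if (natd[1])
		vfree(natd[1]);
#endif
#ifdef ENABLE_DPD
	if (vid_dpd)
		vfree(vid_dpd);
#endif
#ifdef ENABLE_FRAG
	if (vid_frag)
		vfree(vid_frag);
#endif

	return error;
}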
1606
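/*
 * Responder, Aggressive Mode: process the third message.
 * receive from initiator
 * 	psk: HDR, HASH_I
 * 	gssapi: HDR, HASH_I
 * 	sig: HDR, [ CERT, ] SIG_I
 * 	rsa: HDR, HASH_I
 * 	rev: HDR, HASH_I
 *
 * Precondition: iph1->status == PHASE1ST_MSG1SENT.
 * The message is decrypted when its header carries ISAKMP_FLAG_E and is
 * otherwise processed as received; the payloads are then collected and the
 * peer's authentication value is checked with oakley_validate_auth().
 * On success the status becomes PHASE1ST_MSG2RECEIVED and 0 is returned.
 * On failure -1 is returned and the peer certificate, CRL and signature
 * stored in iph1 during parsing are discarded.
 */
int
agg_r2recv(iph1, msg0)
	struct ph1handle *iph1;
	vchar_t *msg0;
{
	vchar_t *msg = NULL;
	vchar_t *pbuf = NULL;
	struct isakmp_parse_t *pa;
	int error = -1;
	int ptype;

#ifdef ENABLE_NATT
	int natd_seq = 0;
#endif

	/* validity check */
	if (iph1->status != PHASE1ST_MSG1SENT) {
		plog(LLV_ERROR, LOCATION, NULL,
			"status mismatched %d.\n", iph1->status);
		goto end;
	}

	/* decrypting if need. */
	/* XXX configurable ? */
	if (ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
		msg = oakley_do_decrypt(iph1, msg0,
					iph1->ivm->iv, iph1->ivm->ive);
		if (msg == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
				"failed to decrypt msg");
			goto end;
		}
	} else {
		/* an unencrypted message is accepted and parsed from a copy */
		msg = vdup(msg0);
		if (msg == NULL) {
			/* do not hand a NULL buffer to the parser */
			plog(LLV_ERROR, LOCATION, NULL,
				"failed to duplicate msg");
			goto end;
		}
	}

	/* validate the type of next payload */
	pbuf = isakmp_parse(msg);
	if (pbuf == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to parse msg");
		goto end;
	}

	iph1->pl_hash = NULL;

	for (pa = (struct isakmp_parse_t *)pbuf->v;
	     pa->type != ISAKMP_NPTYPE_NONE;
	     pa++) {

		switch (pa->type) {
		case ISAKMP_NPTYPE_HASH:
			/*
			 * NOTE(review): pa->ptr presumably points into msg,
			 * which is freed at "end:" while iph1->pl_hash is not
			 * reset; confirm nothing reads pl_hash after return.
			 */
			iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr;
			break;
		case ISAKMP_NPTYPE_VID:
			/* the vendor ID is looked up but the result is unused */
			(void)check_vendorid(pa->ptr);
			break;
		case ISAKMP_NPTYPE_CERT:
			if (oakley_savecert(iph1, pa->ptr) < 0) {
				plog(LLV_ERROR, LOCATION, NULL,
					"failed to process CERT payload");
				goto end;
			}
			break;
		case ISAKMP_NPTYPE_SIG:
			if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) {
				plog(LLV_ERROR, LOCATION, NULL,
					"failed to process SIG payload");
				goto end;
			}
			break;
		case ISAKMP_NPTYPE_N:
			/*
			 * NOTE(review): this runs before oakley_validate_auth()
			 * has accepted the peer; confirm isakmp_check_notify()
			 * has no effect beyond logging.
			 */
			isakmp_check_notify(pa->ptr, iph1);
			break;

#ifdef ENABLE_NATT
		case ISAKMP_NPTYPE_NATD_DRAFT:
		case ISAKMP_NPTYPE_NATD_RFC:
			/* only the NAT-D payload type of the chosen NAT-T version counts */
			if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL &&
			    pa->type == iph1->natt_options->payload_nat_d)
			{
				vchar_t *natd_received = NULL;
				int natd_verified;

				if (isakmp_p2ph (&natd_received, pa->ptr) < 0) {
					plog(LLV_ERROR, LOCATION, NULL,
						"failed to process NATD payload");
					goto end;
				}

				if (natd_seq == 0)
					iph1->natt_flags |= NAT_DETECTED;

				natd_verified = natt_compare_addr_hash (iph1,
					natd_received, natd_seq++);

				plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n",
					natd_seq - 1,
					natd_verified ? "verified" : "doesn't match");

				vfree (natd_received);
				break;
			}
			/* %%%% Be lenient here - some servers send natd payloads */
			/* when no nat is detected */
			break;
#endif

		default:
			/* don't send information, see isakmp_ident_r1() */
			plog(LLV_ERROR, LOCATION, iph1->remote,
				"ignore the packet, "
				"received unexpecting payload type %d.\n",
				pa->type);
			goto end;
		}
	}

#ifdef ENABLE_NATT
	if (NATT_AVAILABLE(iph1))
		plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n",
		      iph1->natt_flags & NAT_DETECTED ?
				"detected:" : "not detected",
		      iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "",
		      iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : "");
#endif

	/*
	 * validate authentication value
	 * 0 means accepted; -1 fails without a reply; any other value is
	 * sent to the peer as the notification type.
	 */
	ptype = oakley_validate_auth(iph1);
	if (ptype != 0) {
		IPSECSESSIONTRACEREVENT(iph1->parent_session,
					IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_FAIL,
					CONSTSTR("Responder, Aggressive-Mode Message 3"),
					CONSTSTR("Failed to authenticate Aggressive-Mode Message 3"));
		if (ptype == -1) {
			/* message printed inner oakley_validate_auth() */
			goto end;
		}
		EVT_PUSH(iph1->local, iph1->remote,
			EVTT_PEERPH1AUTH_FAILED, NULL);
		isakmp_info_send_n1(iph1, ptype, NULL);
		goto end;
	}
	IPSECSESSIONTRACEREVENT(iph1->parent_session,
				IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_SUCC,
				CONSTSTR("Responder, Aggressive-Mode Message 3"),
				CONSTSTR(NULL));

	iph1->status = PHASE1ST_MSG2RECEIVED;

	error = 0;

	IPSECSESSIONTRACEREVENT(iph1->parent_session,
				IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
				CONSTSTR("Responder, Aggressive-Mode message 3"),
				CONSTSTR(NULL));

end:
	if (error) {
		IPSECSESSIONTRACEREVENT(iph1->parent_session,
					IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
					CONSTSTR("Responder, Aggressive-Mode Message 3"),
					CONSTSTR("Failed to process Aggressive-Mode Message 3"));
	}
	if (pbuf)
		vfree(pbuf);
	if (msg)
		vfree(msg);
	/* drop peer credentials collected from a message that was rejected */
	if (error) {
		oakley_delcert(iph1->cert_p);
		iph1->cert_p = NULL;
		oakley_delcert(iph1->crl_p);
		iph1->crl_p = NULL;
		VPTRINIT(iph1->sig_p);
	}

	return error;
}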
1792
/*
 * Last responder step of Aggressive Mode.  No packet is built here: the
 * phase 1 handle is switched to encrypted operation and marked established.
 * Returns 0 on success, -1 when the handle is not in PHASE1ST_MSG2RECEIVED.
 */
int
agg_r2send(iph1, msg)
	struct ph1handle *iph1;
	vchar_t *msg;
{
	struct isakmp *hdr;

	/* only valid once the initiator's last message has been accepted */
	if (iph1->status != PHASE1ST_MSG2RECEIVED) {
		plog(LLV_ERROR, LOCATION, NULL,
			"status mismatched %d.\n", iph1->status);
		return -1;
	}

	/*
	 * When the received packet was encrypted, carry the IV forward by
	 * copying ive over iv (see handler.h about IV synchronization).
	 */
	hdr = (struct isakmp *)msg->v;
	if (ISSET(hdr->flags, ISAKMP_FLAG_E)) {
		memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->iv->l);
	}

	/* the encryption flag is set on the handle from now on */
	iph1->flags |= ISAKMP_FLAG_E;
	iph1->status = PHASE1ST_ESTABLISHED;

	IPSECSESSIONTRACEREVENT(iph1->parent_session,
				IPSECSESSIONEVENTCODE_IKEV1_PH1_RESP_SUCC,
				CONSTSTR("Responder, Aggressive-Mode"),
				CONSTSTR(NULL));

	return 0;
}