]> git.saurik.com Git - apple/ipsec.git/blame - ipsec-tools/racoon/isakmp_ident.c
projects / apple / ipsec.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
ipsec-292.40.4.tar.gz
[apple/ipsec.git] / ipsec-tools / racoon / isakmp_ident.c
CommitLineData
d1e348cf
A		 1/* $NetBSD: isakmp_ident.c,v 1.6 2006/10/02 21:41:59 manu Exp $ */
2
3/* Id: isakmp_ident.c,v 1.21 2006/04/06 16:46:08 manubsd Exp */
52b7d2ce
A		 4
5/*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34/* Identity Protecion Exchange (Main Mode) */
35
36#include "config.h"
37
38#include <sys/types.h>
39#include <sys/param.h>
40
41#include <stdlib.h>
42#include <stdio.h>
43#include <string.h>
44#include <errno.h>
45#if TIME_WITH_SYS_TIME
46# include <sys/time.h>
47# include <time.h>
48#else
49# if HAVE_SYS_TIME_H
50# include <sys/time.h>
51# else
52# include <time.h>
53# endif
54#endif
55
56#include "var.h"
57#include "misc.h"
58#include "vmbuf.h"
59#include "plog.h"
60#include "sockmisc.h"
61#include "schedule.h"
62#include "debug.h"
65c25746 63#include "fsm.h"
52b7d2ce
A		 64
65#include "localconf.h"
66#include "remoteconf.h"
67#include "isakmp_var.h"
68#include "isakmp.h"
52b7d2ce
A		 69#include "oakley.h"
70#include "handler.h"
71#include "ipsec_doi.h"
72#include "crypto_openssl.h"
73#include "pfkey.h"
74#include "isakmp_ident.h"
75#include "isakmp_inf.h"
76#include "vendorid.h"
77
78#ifdef ENABLE_NATT
79#include "nattraversal.h"
80#endif
d1e348cf
A		 81#ifdef ENABLE_HYBRID
82#include <resolv.h>
83#include "isakmp_xauth.h"
84#include "isakmp_cfg.h"
85#endif
86#ifdef ENABLE_FRAG
87#include "isakmp_frag.h"
88#endif
52b7d2ce
A		 89
90#include "vpn_control.h"
91#include "vpn_control_var.h"
d1e348cf
A		 92#include "ipsecSessionTracer.h"
93#include "ipsecMessageTracer.h"
e8d9021d
A		 94#ifndef HAVE_OPENSSL
95#include <Security/SecDH.h>
96#endif
52b7d2ce 97
65c25746
A		 98static vchar_t *ident_ir2mx (phase1_handle_t *);
99static vchar_t *ident_ir3mx (phase1_handle_t *);
52b7d2ce
A		 100
101/* %%%
102 * begin Identity Protection Mode as initiator.
103 */
104/*
105 * send to responder
106 * psk: HDR, SA
107 * sig: HDR, SA
108 * rsa: HDR, SA
109 * rev: HDR, SA
110 */
111int
112ident_i1send(iph1, msg)
65c25746 113 phase1_handle_t *iph1;
52b7d2ce
A		 114 vchar_t *msg; /* must be null */
115{
116 struct payload_list *plist = NULL;
117 int error = -1;
118#ifdef ENABLE_NATT
119 vchar_t *vid_natt[MAX_NATT_VID_COUNT] = { NULL };
120 int i;
121#endif
d1e348cf
A		 122#ifdef ENABLE_HYBRID
123 vchar_t *vid_xauth = NULL;
124 vchar_t *vid_unity = NULL;
125#endif
126#ifdef ENABLE_FRAG
127 vchar_t *vid_frag = NULL;
128#endif
52b7d2ce
A		 129#ifdef ENABLE_DPD
130 vchar_t *vid_dpd = NULL;
131#endif
65c25746
A		 132
133 /* validity check */
134 if (iph1->status != IKEV1_STATE_IDENT_I_START) {
135 plog(ASL_LEVEL_ERR,
136 "status mismatched %d.\n", iph1->status);
52b7d2ce
A		 137 goto end;
138 }
65c25746
A		 139
140 /* validity check */
141 if (msg != NULL) {
142 plog(ASL_LEVEL_ERR,
143 "msg has to be NULL in this function.\n");
52b7d2ce
A		 144 goto end;
145 }
146
147 /* create isakmp index */
148 memset(&iph1->index, 0, sizeof(iph1->index));
149 isakmp_newcookie((caddr_t)&iph1->index, iph1->remote, iph1->local);
150
151 /* create SA payload for my proposal */
65c25746 152 iph1->sa = ipsecdoi_setph1proposal(iph1);
d1e348cf 153 if (iph1->sa == NULL) {
65c25746 154 plog(ASL_LEVEL_ERR,
d1e348cf 155 "failed to set proposal");
52b7d2ce 156 goto end;
d1e348cf 157 }
52b7d2ce
A		 158
159 /* set SA payload to propose */
160 plist = isakmp_plist_append(plist, iph1->sa, ISAKMP_NPTYPE_SA);
161
162#ifdef ENABLE_NATT
163 /* set VID payload for NAT-T if NAT-T support allowed in the config file */
164 if (iph1->rmconf->nat_traversal)
165 plist = isakmp_plist_append_natt_vids(plist, vid_natt);
166#endif
d1e348cf
A		 167#ifdef ENABLE_HYBRID
168 /* Do we need Xauth VID? */
169 switch (RMAUTHMETHOD(iph1)) {
170 case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
171 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
d1e348cf 172 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
d1e348cf
A		 173 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
174 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
175 if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL)
65c25746 176 plog(ASL_LEVEL_ERR,
d1e348cf
A		 177 "Xauth vendor ID generation failed\n");
178 else
179 plist = isakmp_plist_append(plist,
180 vid_xauth, ISAKMP_NPTYPE_VID);
181
182 if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL)
65c25746 183 plog(ASL_LEVEL_ERR,
d1e348cf
A		 184 "Unity vendor ID generation failed\n");
185 else
186 plist = isakmp_plist_append(plist,
187 vid_unity, ISAKMP_NPTYPE_VID);
188 break;
189 default:
190 break;
191 }
192#endif
193#ifdef ENABLE_FRAG
194 if (iph1->rmconf->ike_frag) {
195 if ((vid_frag = set_vendorid(VENDORID_FRAG)) == NULL) {
65c25746 196 plog(ASL_LEVEL_ERR,
d1e348cf
A		 197 "Frag vendorID construction failed\n");
198 } else {
199 vid_frag = isakmp_frag_addcap(vid_frag,
200 VENDORID_FRAG_IDENT);
201 plist = isakmp_plist_append(plist,
202 vid_frag, ISAKMP_NPTYPE_VID);
203 }
204 }
205#endif
52b7d2ce
A		 206#ifdef ENABLE_DPD
207 if(iph1->rmconf->dpd){
208 vid_dpd = set_vendorid(VENDORID_DPD);
209 if (vid_dpd != NULL)
210 plist = isakmp_plist_append(plist, vid_dpd,
d1e348cf 211 ISAKMP_NPTYPE_VID);
52b7d2ce
A		 212 }
213#endif
214
215 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
216
217#ifdef HAVE_PRINT_ISAKMP_C
218 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
219#endif
220
221 /* send the packet, add to the schedule to resend */
222 iph1->retry_counter = iph1->rmconf->retry_counter;
d1e348cf 223 if (isakmp_ph1resend(iph1) == -1) {
65c25746 224 plog(ASL_LEVEL_ERR,
d1e348cf 225 "failed to send packet");
52b7d2ce 226 goto end;
d1e348cf 227 }
52b7d2ce 228
65c25746 229 fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_I_MSG1SENT);
52b7d2ce
A		 230
231 error = 0;
232
d1e348cf
A		 233 IPSECSESSIONTRACEREVENT(iph1->parent_session,
234 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
235 CONSTSTR("Initiator, Main-Mode message 1"),
236 CONSTSTR(NULL));
237
52b7d2ce 238end:
d1e348cf
A		 239 if (error) {
240 IPSECSESSIONTRACEREVENT(iph1->parent_session,
241 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
242 CONSTSTR("Initiator, Main-Mode Message 1"),
243 CONSTSTR("Failed to transmit Main-Mode Message 1"));
244 }
245#ifdef ENABLE_FRAG
246 if (vid_frag)
247 vfree(vid_frag);
248#endif
52b7d2ce
A		 249#ifdef ENABLE_NATT
250 for (i = 0; i < MAX_NATT_VID_COUNT && vid_natt[i] != NULL; i++)
251 vfree(vid_natt[i]);
252#endif
d1e348cf
A		 253#ifdef ENABLE_HYBRID
254 if (vid_xauth != NULL)
255 vfree(vid_xauth);
256 if (vid_unity != NULL)
257 vfree(vid_unity);
258#endif
52b7d2ce
A		 259#ifdef ENABLE_DPD
260 if (vid_dpd != NULL)
261 vfree(vid_dpd);
262#endif
263
264 return error;
265}
266
267/*
268 * receive from responder
269 * psk: HDR, SA
270 * sig: HDR, SA
271 * rsa: HDR, SA
272 * rev: HDR, SA
273 */
274int
275ident_i2recv(iph1, msg)
65c25746 276 phase1_handle_t *iph1;
52b7d2ce
A		 277 vchar_t *msg;
278{
279 vchar_t *pbuf = NULL;
280 struct isakmp_parse_t *pa;
281 vchar_t *satmp = NULL;
282 int error = -1;
283 int vid_numeric;
284
65c25746
A		 285 /* validity check */
286 if (iph1->status != IKEV1_STATE_IDENT_I_MSG1SENT) {
287 plog(ASL_LEVEL_ERR,
288 "status mismatched %d.\n", iph1->status);
52b7d2ce
A		 289 goto end;
290 }
291
292 /* validate the type of next payload */
293 /*
294 * NOTE: RedCreek(as responder) attaches N[responder-lifetime] here,
295 * if proposal-lifetime > lifetime-redcreek-wants.
296 * (see doi-08 4.5.4)
297 * => According to the seciton 4.6.3 in RFC 2407, This is illegal.
298 * NOTE: we do not really care about ordering of VID and N.
299 * does it matters?
300 * NOTE: even if there's multiple VID/N, we'll ignore them.
301 */
302 pbuf = isakmp_parse(msg);
d1e348cf 303 if (pbuf == NULL) {
65c25746 304 plog(ASL_LEVEL_ERR,
d1e348cf 305 "failed to parse msg");
52b7d2ce 306 goto end;
d1e348cf 307 }
85f41bec 308 pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
52b7d2ce
A		 309
310 /* SA payload is fixed postion */
311 if (pa->type != ISAKMP_NPTYPE_SA) {
65c25746 312 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 313 "received invalid next payload type %d, "
314 "expecting %d.\n",
315 pa->type, ISAKMP_NPTYPE_SA);
316 goto end;
317 }
d1e348cf 318 if (isakmp_p2ph(&satmp, pa->ptr) < 0) {
65c25746 319 plog(ASL_LEVEL_ERR,
d1e348cf 320 "failed to process SA payload");
52b7d2ce 321 goto end;
d1e348cf 322 }
52b7d2ce
A		 323 pa++;
324
325 for (/*nothing*/;
326 pa->type != ISAKMP_NPTYPE_NONE;
327 pa++) {
328
329 switch (pa->type) {
330 case ISAKMP_NPTYPE_VID:
331 vid_numeric = check_vendorid(pa->ptr);
332#ifdef ENABLE_NATT
333 if (iph1->rmconf->nat_traversal && natt_vendorid(vid_numeric))
334 natt_handle_vendorid(iph1, vid_numeric);
335#endif
d1e348cf
A		 336#ifdef ENABLE_HYBRID
337 switch (vid_numeric) {
338 case VENDORID_XAUTH:
339 iph1->mode_cfg->flags |=
340 ISAKMP_CFG_VENDORID_XAUTH;
341 break;
342
343 case VENDORID_UNITY:
344 iph1->mode_cfg->flags |=
345 ISAKMP_CFG_VENDORID_UNITY;
346 break;
347
348 default:
349 break;
350 }
351#endif
52b7d2ce
A		 352#ifdef ENABLE_DPD
353 if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd)
354 iph1->dpd_support=1;
e8d9021d
A		 355#endif
356#ifdef ENABLE_FRAG
357 if ((vid_numeric == VENDORID_FRAG) &&
358 (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_IDENT)) {
65c25746 359 plog(ASL_LEVEL_DEBUG,
e8d9021d
A		 360 "remote supports FRAGMENTATION\n");
361 iph1->frag = 1;
362 }
52b7d2ce
A		 363#endif
364 break;
365 default:
366 /* don't send information, see ident_r1recv() */
65c25746 367 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 368 "ignore the packet, "
369 "received unexpecting payload type %d.\n",
370 pa->type);
371 goto end;
372 }
373 }
374
375#ifdef ENABLE_NATT
80318cb7 376 if (NATT_AVAILABLE(iph1)) {
65c25746 377 plog(ASL_LEVEL_INFO,
52b7d2ce
A		 378 "Selected NAT-T version: %s\n",
379 vid_string_by_id(iph1->natt_options->version));
80318cb7
A		 380 ike_session_update_natt_version(iph1);
381 }
52b7d2ce
A		 382#endif
383
384 /* check SA payload and set approval SA for use */
385 if (ipsecdoi_checkph1proposal(satmp, iph1) < 0) {
65c25746 386 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 387 "failed to get valid proposal.\n");
388 /* XXX send information */
389 goto end;
390 }
391 VPTRINIT(iph1->sa_ret);
392
65c25746 393 fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_I_MSG2RCVD);
52b7d2ce
A		 394
395#ifdef ENABLE_VPNCONTROL_PORT
396 vpncontrol_notify_phase_change(1, FROM_REMOTE, iph1, NULL);
397#endif
398
399 error = 0;
400
d1e348cf
A		 401 IPSECSESSIONTRACEREVENT(iph1->parent_session,
402 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
403 CONSTSTR("Initiator, Main-Mode message 2"),
404 CONSTSTR(NULL));
405
52b7d2ce 406end:
d1e348cf
A		 407 if (error) {
408 IPSECSESSIONTRACEREVENT(iph1->parent_session,
409 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
410 CONSTSTR("Initiator, Main-Mode Message 2"),
411 CONSTSTR("Failed to process Main-Mode Message 2"));
412 }
52b7d2ce
A		 413 if (pbuf)
414 vfree(pbuf);
415 if (satmp)
416 vfree(satmp);
417 return error;
418}
419
420/*
421 * send to responder
422 * psk: HDR, KE, Ni
423 * sig: HDR, KE, Ni
424 * gssapi: HDR, KE, Ni, GSSi
425 * rsa: HDR, KE, [ HASH(1), ] <IDi1_b>PubKey_r, <Ni_b>PubKey_r
426 * rev: HDR, [ HASH(1), ] <Ni_b>Pubkey_r, <KE_b>Ke_i,
427 * <IDi1_b>Ke_i, [<<Cert-I_b>Ke_i]
428 */
429int
65c25746
A		 430ident_i3send(iph1, msg)
431 phase1_handle_t *iph1;
52b7d2ce
A		 432 vchar_t *msg;
433{
434 int error = -1;
435
65c25746
A		 436 /* validity check */
437 if (iph1->status != IKEV1_STATE_IDENT_I_MSG2RCVD) {
438 plog(ASL_LEVEL_ERR,
439 "status mismatched %d.\n", iph1->status);
52b7d2ce
A		 440 goto end;
441 }
442
443 /* fix isakmp index */
444 memcpy(&iph1->index.r_ck, &((struct isakmp *)msg->v)->r_ck,
445 sizeof(cookie_t));
446
447 /* generate DH public value */
e8d9021d 448#ifdef HAVE_OPENSSL
52b7d2ce 449 if (oakley_dh_generate(iph1->approval->dhgrp,
d1e348cf 450 &iph1->dhpub, &iph1->dhpriv) < 0) {
e8d9021d
A		 451#else
452 if (oakley_dh_generate(iph1->approval->dhgrp,
453 &iph1->dhpub, &iph1->publicKeySize, &iph1->dhC) < 0) {
454#endif
65c25746 455 plog(ASL_LEVEL_ERR,
d1e348cf 456 "failed to generate DH");
52b7d2ce 457 goto end;
d1e348cf 458 }
52b7d2ce
A		 459
460 /* generate NONCE value */
461 iph1->nonce = eay_set_random(iph1->rmconf->nonce_size);
d1e348cf 462 if (iph1->nonce == NULL) {
65c25746 463 plog(ASL_LEVEL_ERR,
d1e348cf 464 "failed to generate NONCE");
52b7d2ce 465 goto end;
d1e348cf 466 }
52b7d2ce 467
52b7d2ce
A		 468 /* create buffer to send isakmp payload */
469 iph1->sendbuf = ident_ir2mx(iph1);
d1e348cf 470 if (iph1->sendbuf == NULL) {
65c25746 471 plog(ASL_LEVEL_ERR,
d1e348cf 472 "failed to create send buffer");
52b7d2ce 473 goto end;
d1e348cf 474 }
52b7d2ce
A		 475
476#ifdef HAVE_PRINT_ISAKMP_C
477 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
478#endif
479
480 /* send the packet, add to the schedule to resend */
481 iph1->retry_counter = iph1->rmconf->retry_counter;
d1e348cf 482 if (isakmp_ph1resend(iph1) == -1) {
65c25746 483 plog(ASL_LEVEL_ERR,
d1e348cf 484 "failed to send packet");
52b7d2ce 485 goto end;
d1e348cf 486 }
52b7d2ce
A		 487
488 /* the sending message is added to the received-list. */
65c25746
A		 489 if (ike_session_add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
490 PH1_NON_ESP_EXTRA_LEN(iph1, iph1->sendbuf), PH1_FRAG_FLAGS(iph1)) == -1) {
491 plog(ASL_LEVEL_ERR ,
52b7d2ce
A		 492 "failed to add a response packet to the tree.\n");
493 goto end;
494 }
495
65c25746 496 fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_I_MSG3SENT);
52b7d2ce
A		 497
498 error = 0;
499
d1e348cf
A		 500 IPSECSESSIONTRACEREVENT(iph1->parent_session,
501 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
502 CONSTSTR("Initiator, Main-Mode message 3"),
503 CONSTSTR(NULL));
504
52b7d2ce 505end:
d1e348cf
A		 506 if (error) {
507 IPSECSESSIONTRACEREVENT(iph1->parent_session,
508 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
509 CONSTSTR("Initiator, Main-Mode Message 3"),
510 CONSTSTR("Failed to transmit Main-Mode Message 3"));
511 }
52b7d2ce
A		 512 return error;
513}
514
515/*
516 * receive from responder
517 * psk: HDR, KE, Nr
518 * sig: HDR, KE, Nr [, CR ]
519 * gssapi: HDR, KE, Nr, GSSr
520 * rsa: HDR, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i
521 * rev: HDR, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDr1_b>Ke_r,
522 */
523int
65c25746
A		 524ident_i4recv(iph1, msg)
525 phase1_handle_t *iph1;
52b7d2ce
A		 526 vchar_t *msg;
527{
528 vchar_t *pbuf = NULL;
529 struct isakmp_parse_t *pa;
530 int error = -1;
d1e348cf 531 int vid_numeric;
52b7d2ce
A		 532#ifdef ENABLE_NATT
533 vchar_t *natd_received;
534 int natd_seq = 0, natd_verified;
535#endif
536
65c25746
A		 537 /* validity check */
538 if (iph1->status != IKEV1_STATE_IDENT_I_MSG3SENT) {
539 plog(ASL_LEVEL_ERR,
540 "status mismatched %d.\n", iph1->status);
52b7d2ce
A		 541 goto end;
542 }
543
544 /* validate the type of next payload */
545 pbuf = isakmp_parse(msg);
d1e348cf 546 if (pbuf == NULL) {
65c25746 547 plog(ASL_LEVEL_ERR,
d1e348cf 548 "failed to parse msg");
52b7d2ce 549 goto end;
d1e348cf 550 }
52b7d2ce 551
85f41bec 552 for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
52b7d2ce
A		 553 pa->type != ISAKMP_NPTYPE_NONE;
554 pa++) {
555
556 switch (pa->type) {
557 case ISAKMP_NPTYPE_KE:
d1e348cf 558 if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) {
65c25746 559 plog(ASL_LEVEL_ERR,
d1e348cf 560 "failed to process KE payload");
52b7d2ce 561 goto end;
d1e348cf 562 }
52b7d2ce
A		 563 break;
564 case ISAKMP_NPTYPE_NONCE:
d1e348cf 565 if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) {
65c25746 566 plog(ASL_LEVEL_ERR,
d1e348cf 567 "failed to process NONCE payload");
52b7d2ce 568 goto end;
d1e348cf 569 }
52b7d2ce
A		 570 break;
571 case ISAKMP_NPTYPE_VID:
d1e348cf
A		 572 vid_numeric = check_vendorid(pa->ptr);
573#ifdef ENABLE_HYBRID
574 switch (vid_numeric) {
575 case VENDORID_XAUTH:
576 iph1->mode_cfg->flags |=
577 ISAKMP_CFG_VENDORID_XAUTH;
578 break;
579
580 case VENDORID_UNITY:
581 iph1->mode_cfg->flags |=
582 ISAKMP_CFG_VENDORID_UNITY;
583 break;
584
585 default:
586 break;
587 }
588#endif
589#ifdef ENABLE_DPD
590 if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd)
591 iph1->dpd_support=1;
592#endif
593
52b7d2ce
A		 594 break;
595 case ISAKMP_NPTYPE_CR:
d1e348cf 596 if (oakley_savecr(iph1, pa->ptr) < 0) {
65c25746 597 plog(ASL_LEVEL_ERR,
d1e348cf 598 "failed to process CR payload");
52b7d2ce 599 goto end;
d1e348cf 600 }
52b7d2ce 601 break;
52b7d2ce
A		 602
603#ifdef ENABLE_NATT
604 case ISAKMP_NPTYPE_NATD_DRAFT:
605 case ISAKMP_NPTYPE_NATD_RFC:
52b7d2ce 606 case ISAKMP_NPTYPE_NATD_BADDRAFT:
52b7d2ce
A		 607 if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL &&
608 pa->type == iph1->natt_options->payload_nat_d) {
609 natd_received = NULL;
d1e348cf 610 if (isakmp_p2ph (&natd_received, pa->ptr) < 0) {
65c25746 611 plog(ASL_LEVEL_ERR,
d1e348cf 612 "failed to process NATD payload");
52b7d2ce 613 goto end;
d1e348cf 614 }
52b7d2ce
A		 615
616 /* set both bits first so that we can clear them
617 upon verifying hashes */
618 if (natd_seq == 0)
619 iph1->natt_flags |= NAT_DETECTED;
620
621 /* this function will clear appropriate bits bits
622 from iph1->natt_flags */
623 natd_verified = natt_compare_addr_hash (iph1,
624 natd_received, natd_seq++);
625
65c25746 626 plog (ASL_LEVEL_INFO, "NAT-D payload #%d %s\n",
52b7d2ce
A		 627 natd_seq - 1,
628 natd_verified ? "verified" : "doesn't match");
629
630 vfree (natd_received);
631 break;
632 }
633 /* %%%% Be lenient here - some servers send natd payloads */
634 /* when no nat is detected */
635 break;
636#endif
637
638 default:
639 /* don't send information, see ident_r1recv() */
65c25746 640 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 641 "ignore the packet, "
642 "received unexpecting payload type %d.\n",
643 pa->type);
644 goto end;
645 }
646 }
647
648#ifdef ENABLE_NATT
649 if (NATT_AVAILABLE(iph1)) {
65c25746 650 plog (ASL_LEVEL_INFO, "NAT %s %s%s\n",
52b7d2ce
A		 651 iph1->natt_flags & NAT_DETECTED ?
652 "detected:" : "not detected",
653 iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "",
654 iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : "");
655 if (iph1->natt_flags & NAT_DETECTED)
656 natt_float_ports (iph1);
657 }
658#endif
659
660 /* payload existency check */
661 if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) {
65c25746 662 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 663 "few isakmp message received.\n");
664 goto end;
665 }
666
667 if (oakley_checkcr(iph1) < 0) {
668 /* Ignore this error in order to be interoperability. */
669 ;
670 }
671
65c25746 672 fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_I_MSG4RCVD);
52b7d2ce
A		 673
674 error = 0;
675
d1e348cf
A		 676 IPSECSESSIONTRACEREVENT(iph1->parent_session,
677 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
678 CONSTSTR("Initiator, Main-Mode message 4"),
679 CONSTSTR(NULL));
680
52b7d2ce 681end:
d1e348cf
A		 682 if (error) {
683 IPSECSESSIONTRACEREVENT(iph1->parent_session,
684 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
685 CONSTSTR("Initiator, Main-Mode Message 4"),
686 CONSTSTR("Failed to process Main-Mode Message 4"));
687 }
52b7d2ce
A		 688 if (pbuf)
689 vfree(pbuf);
690 if (error) {
691 VPTRINIT(iph1->dhpub_p);
692 VPTRINIT(iph1->nonce_p);
693 VPTRINIT(iph1->id_p);
694 oakley_delcert(iph1->cr_p);
695 iph1->cr_p = NULL;
696 }
697
698 return error;
699}
700
701/*
702 * send to responder
703 * psk: HDR*, IDi1, HASH_I
704 * sig: HDR*, IDi1, [ CR, ] [ CERT, ] SIG_I
705 * gssapi: HDR*, IDi1, < Gssi(n) | HASH_I >
706 * rsa: HDR*, HASH_I
707 * rev: HDR*, HASH_I
708 */
709int
65c25746
A		 710ident_i5send(iph1, msg0)
711 phase1_handle_t *iph1;
52b7d2ce
A		 712 vchar_t *msg0;
713{
714 int error = -1;
715 int dohash = 1;
52b7d2ce 716
65c25746
A		 717 /* validity check */
718 if (iph1->status != IKEV1_STATE_IDENT_I_MSG4RCVD) {
719 plog(ASL_LEVEL_ERR,
720 "status mismatched %d.\n", iph1->status);
52b7d2ce
A		 721 goto end;
722 }
723
724 /* compute sharing secret of DH */
e8d9021d 725#ifdef HAVE_OPENSSL
52b7d2ce 726 if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub,
d1e348cf 727 iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) {
e8d9021d 728#else
65c25746 729 if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub_p, iph1->publicKeySize, &iph1->dhgxy, &iph1->dhC) < 0) {
e8d9021d 730#endif
65c25746 731 plog(ASL_LEVEL_ERR,
d1e348cf 732 "failed to compute DH");
52b7d2ce 733 goto end;
d1e348cf 734 }
52b7d2ce
A		 735
736 /* generate SKEYIDs & IV & final cipher key */
d1e348cf 737 if (oakley_skeyid(iph1) < 0) {
65c25746 738 plog(ASL_LEVEL_ERR,
d1e348cf 739 "failed to generate SKEYID");
52b7d2ce 740 goto end;
d1e348cf
A		 741 }
742 if (oakley_skeyid_dae(iph1) < 0) {
65c25746 743 plog(ASL_LEVEL_ERR,
d1e348cf 744 "failed to generate SKEYID-DAE");
52b7d2ce 745 goto end;
d1e348cf
A		 746 }
747 if (oakley_compute_enckey(iph1) < 0) {
65c25746 748 plog(ASL_LEVEL_ERR,
d1e348cf 749 "failed to generate ENCKEY");
52b7d2ce 750 goto end;
d1e348cf
A		 751 }
752 if (oakley_newiv(iph1) < 0) {
65c25746 753 plog(ASL_LEVEL_ERR,
d1e348cf 754 "failed to generate IV");
52b7d2ce 755 goto end;
d1e348cf 756 }
52b7d2ce
A		 757
758 /* make ID payload into isakmp status */
d1e348cf 759 if (ipsecdoi_setid1(iph1) < 0) {
65c25746 760 plog(ASL_LEVEL_ERR,
d1e348cf 761 "failed to set ID");
52b7d2ce 762 goto end;
d1e348cf 763 }
52b7d2ce 764
52b7d2ce
A		 765 /* generate HASH to send */
766 if (dohash) {
767 iph1->hash = oakley_ph1hash_common(iph1, GENERATE);
d1e348cf 768 if (iph1->hash == NULL) {
65c25746 769 plog(ASL_LEVEL_ERR,
d1e348cf 770 "failed to generate HASH");
52b7d2ce 771 goto end;
d1e348cf 772 }
52b7d2ce
A		 773 } else
774 iph1->hash = NULL;
775
776 /* set encryption flag */
777 iph1->flags |= ISAKMP_FLAG_E;
778
779 /* create HDR;ID;HASH payload */
780 iph1->sendbuf = ident_ir3mx(iph1);
d1e348cf 781 if (iph1->sendbuf == NULL) {
65c25746 782 plog(ASL_LEVEL_ERR,
d1e348cf 783 "failed to allocate send buffer");
52b7d2ce 784 goto end;
d1e348cf 785 }
52b7d2ce
A		 786
787 /* send the packet, add to the schedule to resend */
788 iph1->retry_counter = iph1->rmconf->retry_counter;
d1e348cf 789 if (isakmp_ph1resend(iph1) == -1) {
65c25746 790 plog(ASL_LEVEL_ERR,
d1e348cf 791 "failed to send packet");
52b7d2ce 792 goto end;
d1e348cf 793 }
52b7d2ce
A		 794
795 /* the sending message is added to the received-list. */
65c25746
A		 796 if (ike_session_add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg0,
797 PH1_NON_ESP_EXTRA_LEN(iph1, iph1->sendbuf), PH1_FRAG_FLAGS(iph1)) == -1) {
798 plog(ASL_LEVEL_ERR ,
52b7d2ce
A		 799 "failed to add a response packet to the tree.\n");
800 goto end;
801 }
802
803 /* see handler.h about IV synchronization. */
804 memcpy(iph1->ivm->ive->v, iph1->ivm->iv->v, iph1->ivm->iv->l);
805
65c25746 806 fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_I_MSG5SENT);
52b7d2ce
A		 807
808 error = 0;
809
d1e348cf
A		 810 IPSECSESSIONTRACEREVENT(iph1->parent_session,
811 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
812 CONSTSTR("Initiator, Main-Mode message 5"),
813 CONSTSTR(NULL));
814
52b7d2ce 815end:
d1e348cf
A		 816 if (error) {
817 IPSECSESSIONTRACEREVENT(iph1->parent_session,
818 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
819 CONSTSTR("Initiator, Main-Mode Message 5"),
820 CONSTSTR("Failed to transmit Main-Mode Message 5"));
821 }
52b7d2ce
A		 822 return error;
823}
824
825/*
826 * receive from responder
827 * psk: HDR*, IDr1, HASH_R
828 * sig: HDR*, IDr1, [ CERT, ] SIG_R
829 * gssapi: HDR*, IDr1, < GSSr(n) | HASH_R >
830 * rsa: HDR*, HASH_R
831 * rev: HDR*, HASH_R
832 */
833int
65c25746
A		 834ident_i6recv(iph1, msg0)
835 phase1_handle_t *iph1;
52b7d2ce
A		 836 vchar_t *msg0;
837{
838 vchar_t *pbuf = NULL;
839 struct isakmp_parse_t *pa;
840 vchar_t *msg = NULL;
841 int error = -1;
842 int type;
d1e348cf 843 int vid_numeric;
e8d9021d 844 int received_cert = 0;
52b7d2ce 845
65c25746
A		 846 /* validity check */
847 if (iph1->status != IKEV1_STATE_IDENT_I_MSG5SENT) {
848 plog(ASL_LEVEL_ERR,
849 "status mismatched %d.\n", iph1->status);
52b7d2ce
A		 850 goto end;
851 }
852
853 /* decrypting */
854 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
65c25746 855 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 856 "ignore the packet, "
857 "expecting the packet encrypted.\n");
858 goto end;
859 }
860 msg = oakley_do_decrypt(iph1, msg0, iph1->ivm->iv, iph1->ivm->ive);
d1e348cf 861 if (msg == NULL) {
65c25746 862 plog(ASL_LEVEL_ERR,
d1e348cf 863 "failed to decrypt");
52b7d2ce 864 goto end;
d1e348cf 865 }
52b7d2ce
A		 866
867 /* validate the type of next payload */
868 pbuf = isakmp_parse(msg);
d1e348cf 869 if (pbuf == NULL) {
65c25746 870 plog(ASL_LEVEL_ERR,
d1e348cf 871 "failed to parse msg");
52b7d2ce 872 goto end;
d1e348cf 873 }
52b7d2ce
A		 874
875 iph1->pl_hash = NULL;
876
85f41bec 877 for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
52b7d2ce
A		 878 pa->type != ISAKMP_NPTYPE_NONE;
879 pa++) {
880
881 switch (pa->type) {
882 case ISAKMP_NPTYPE_ID:
d1e348cf 883 if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) {
65c25746 884 plog(ASL_LEVEL_ERR,
d1e348cf 885 "failed to process ID payload");
52b7d2ce 886 goto end;
d1e348cf 887 }
52b7d2ce
A		 888 break;
889 case ISAKMP_NPTYPE_HASH:
890 iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr;
891 break;
892 case ISAKMP_NPTYPE_CERT:
d1e348cf 893 if (oakley_savecert(iph1, pa->ptr) < 0) {
65c25746 894 plog(ASL_LEVEL_ERR,
d1e348cf 895 "failed to process CERT payload");
52b7d2ce 896 goto end;
d1e348cf 897 }
e8d9021d 898 received_cert = 1;
52b7d2ce
A		 899 break;
900 case ISAKMP_NPTYPE_SIG:
d1e348cf 901 if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) {
65c25746 902 plog(ASL_LEVEL_ERR,
d1e348cf 903 "failed to process SIG payload");
52b7d2ce 904 goto end;
d1e348cf 905 }
52b7d2ce 906 break;
65c25746 907
52b7d2ce 908 case ISAKMP_NPTYPE_VID:
d1e348cf
A		 909 vid_numeric = check_vendorid(pa->ptr);
910#ifdef ENABLE_DPD
911 if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd)
912 iph1->dpd_support=1;
913#endif
914 break;
52b7d2ce
A		 915 case ISAKMP_NPTYPE_N:
916 isakmp_check_notify(pa->ptr, iph1);
917 break;
918 default:
919 /* don't send information, see ident_r1recv() */
65c25746 920 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 921 "ignore the packet, "
922 "received unexpecting payload type %d.\n",
923 pa->type);
924 goto end;
925 }
926 }
927
e8d9021d
A		 928 if (received_cert) {
929 oakley_verify_certid(iph1);
930 }
931
52b7d2ce
A		 932 /* payload existency check */
933
934 /* verify identifier */
935 if (ipsecdoi_checkid1(iph1) != 0) {
65c25746 936 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 937 "invalid ID payload.\n");
938 goto end;
939 }
940
941 /* validate authentication value */
65c25746
A		 942 type = oakley_validate_auth(iph1);
943 if (type != 0) {
944 IPSECSESSIONTRACEREVENT(iph1->parent_session,
945 IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_FAIL,
946 CONSTSTR("Initiator, Main-Mode Message 6"),
947 CONSTSTR("Failed to authenticate Main-Mode Message 6"));
948 if (type == -1) {
949 /* msg printed inner oakley_validate_auth() */
950 goto end;
951 }
952 isakmp_info_send_n1(iph1, type, NULL);
953 goto end;
954 }
955 IPSECSESSIONTRACEREVENT(iph1->parent_session,
956 IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_SUCC,
957 CONSTSTR("Initiator, Main-Mode Message 6"),
958 CONSTSTR(NULL));
959
52b7d2ce
A		 960
961 /*
962 * XXX: Should we do compare two addresses, ph1handle's and ID
963 * payload's.
964 */
965
65c25746 966 plogdump(ASL_LEVEL_DEBUG, iph1->id_p->v, iph1->id_p->l, "peer's ID:");
52b7d2ce
A		 967
968 /* see handler.h about IV synchronization. */
969 memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->ive->l);
970
971 /*
972 * If we got a GSS token, we need to this roundtrip again.
973 */
65c25746 974 fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_I_MSG6RCVD);
52b7d2ce
A		 975
976 error = 0;
977
d1e348cf
A		 978 IPSECSESSIONTRACEREVENT(iph1->parent_session,
979 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
980 CONSTSTR("Initiator, Main-Mode message 6"),
981 CONSTSTR(NULL));
982
52b7d2ce 983end:
d1e348cf
A		 984 if (error) {
985 IPSECSESSIONTRACEREVENT(iph1->parent_session,
986 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
987 CONSTSTR("Initiator, Main-Mode Message 6"),
988 CONSTSTR("Failed to transmit Main-Mode Message 6"));
989 }
52b7d2ce
A		 990 if (pbuf)
991 vfree(pbuf);
992 if (msg)
993 vfree(msg);
52b7d2ce
A		 994
995 if (error) {
996 VPTRINIT(iph1->id_p);
997 oakley_delcert(iph1->cert_p);
998 iph1->cert_p = NULL;
999 oakley_delcert(iph1->crl_p);
1000 iph1->crl_p = NULL;
1001 VPTRINIT(iph1->sig_p);
1002 }
1003
1004 return error;
1005}
1006
1007/*
1008 * status update and establish isakmp sa.
1009 */
1010int
65c25746
A		 1011ident_ifinalize(iph1, msg)
1012 phase1_handle_t *iph1;
52b7d2ce
A		 1013 vchar_t *msg;
1014{
1015 int error = -1;
1016
65c25746
A		 1017 /* validity check */
1018 if (iph1->status != IKEV1_STATE_IDENT_I_MSG6RCVD) {
1019 plog(ASL_LEVEL_ERR,
1020 "status mismatched %d.\n", iph1->status);
52b7d2ce
A		 1021 goto end;
1022 }
1023
1024 /* see handler.h about IV synchronization. */
1025 memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->iv->l);
1026
65c25746 1027 fsm_set_state(&iph1->status, IKEV1_STATE_PHASE1_ESTABLISHED);
52b7d2ce 1028
d1e348cf
A		 1029 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1030 IPSECSESSIONEVENTCODE_IKEV1_PH1_INIT_SUCC,
1031 CONSTSTR("Initiator, Main-Mode"),
1032 CONSTSTR(NULL));
1033
52b7d2ce
A		 1034 error = 0;
1035
1036end:
1037 return error;
1038}
1039
1040/*
1041 * receive from initiator
1042 * psk: HDR, SA
1043 * sig: HDR, SA
1044 * rsa: HDR, SA
1045 * rev: HDR, SA
1046 */
1047int
1048ident_r1recv(iph1, msg)
65c25746 1049 phase1_handle_t *iph1;
52b7d2ce
A		 1050 vchar_t *msg;
1051{
1052 vchar_t *pbuf = NULL;
1053 struct isakmp_parse_t *pa;
1054 int error = -1;
1055 int vid_numeric;
1056
1057 /* validity check */
65c25746
A		 1058 if (iph1->status != IKEV1_STATE_IDENT_R_START) {
1059 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 1060 "status mismatched %d.\n", iph1->status);
1061 goto end;
1062 }
1063
1064 /* validate the type of next payload */
1065 /*
1066 * NOTE: XXX even if multiple VID, we'll silently ignore those.
1067 */
1068 pbuf = isakmp_parse(msg);
d1e348cf 1069 if (pbuf == NULL) {
65c25746 1070 plog(ASL_LEVEL_ERR,
d1e348cf 1071 "failed to parse msg");
52b7d2ce 1072 goto end;
d1e348cf 1073 }
85f41bec 1074 pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
52b7d2ce
A		 1075
1076 /* check the position of SA payload */
1077 if (pa->type != ISAKMP_NPTYPE_SA) {
65c25746 1078 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 1079 "received invalid next payload type %d, "
1080 "expecting %d.\n",
1081 pa->type, ISAKMP_NPTYPE_SA);
1082 goto end;
1083 }
d1e348cf 1084 if (isakmp_p2ph(&iph1->sa, pa->ptr) < 0) {
65c25746 1085 plog(ASL_LEVEL_ERR,
d1e348cf 1086 "failed to process SA payload");
52b7d2ce 1087 goto end;
d1e348cf 1088 }
52b7d2ce
A		 1089 pa++;
1090
1091 for (/*nothing*/;
1092 pa->type != ISAKMP_NPTYPE_NONE;
1093 pa++) {
1094
1095 switch (pa->type) {
1096 case ISAKMP_NPTYPE_VID:
1097 vid_numeric = check_vendorid(pa->ptr);
1098#ifdef ENABLE_NATT
1099 if (iph1->rmconf->nat_traversal && natt_vendorid(vid_numeric))
1100 natt_handle_vendorid(iph1, vid_numeric);
1101#endif
d1e348cf
A		 1102#ifdef ENABLE_HYBRID
1103 switch (vid_numeric) {
1104 case VENDORID_XAUTH:
1105 iph1->mode_cfg->flags |=
1106 ISAKMP_CFG_VENDORID_XAUTH;
1107 break;
1108
1109 case VENDORID_UNITY:
1110 iph1->mode_cfg->flags |=
1111 ISAKMP_CFG_VENDORID_UNITY;
1112 break;
1113
1114 default:
1115 break;
1116 }
1117#endif
52b7d2ce
A		 1118#ifdef ENABLE_DPD
1119 if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd)
1120 iph1->dpd_support=1;
e8d9021d
A		 1121#endif
1122#ifdef ENABLE_FRAG
1123 if ((vid_numeric == VENDORID_FRAG) &&
1124 (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_IDENT)) {
65c25746 1125 plog(ASL_LEVEL_DEBUG,
e8d9021d
A		 1126 "remote supports FRAGMENTATION\n");
1127 iph1->frag = 1;
1128 }
52b7d2ce
A		 1129#endif
1130 break;
1131 default:
1132 /*
1133 * We don't send information to the peer even
1134 * if we received malformed packet. Because we
1135 * can't distinguish the malformed packet and
1136 * the re-sent packet. And we do same behavior
1137 * when we expect encrypted packet.
1138 */
65c25746 1139 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 1140 "ignore the packet, "
1141 "received unexpecting payload type %d.\n",
1142 pa->type);
1143 goto end;
1144 }
1145 }
1146
1147#ifdef ENABLE_NATT
80318cb7 1148 if (NATT_AVAILABLE(iph1)) {
65c25746 1149 plog(ASL_LEVEL_INFO,
52b7d2ce
A		 1150 "Selected NAT-T version: %s\n",
1151 vid_string_by_id(iph1->natt_options->version));
80318cb7
A		 1152 ike_session_update_natt_version(iph1);
1153 }
52b7d2ce
A		 1154#endif
1155
1156 /* check SA payload and set approval SA for use */
1157 if (ipsecdoi_checkph1proposal(iph1->sa, iph1) < 0) {
65c25746 1158 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 1159 "failed to get valid proposal.\n");
1160 /* XXX send information */
1161 goto end;
1162 }
1163
65c25746 1164 fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_R_MSG1RCVD);
52b7d2ce
A		 1165
1166 error = 0;
1167
d1e348cf
A		 1168 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1169 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
1170 CONSTSTR("Responder, Main-Mode message 1"),
1171 CONSTSTR(NULL));
1172
52b7d2ce 1173end:
d1e348cf
A		 1174 if (error) {
1175 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1176 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
1177 CONSTSTR("Responder, Main-Mode Message 1"),
1178 CONSTSTR("Failed to process Main-Mode Message 1"));
1179 }
52b7d2ce
A		 1180 if (pbuf)
1181 vfree(pbuf);
1182 if (error) {
1183 VPTRINIT(iph1->sa);
1184 }
1185
1186 return error;
1187}
1188
1189/*
1190 * send to initiator
1191 * psk: HDR, SA
1192 * sig: HDR, SA
1193 * rsa: HDR, SA
1194 * rev: HDR, SA
1195 */
1196int
65c25746
A		 1197ident_r2send(iph1, msg)
1198 phase1_handle_t *iph1;
52b7d2ce
A		 1199 vchar_t *msg;
1200{
1201 struct payload_list *plist = NULL;
1202 int error = -1;
1203 vchar_t *gss_sa = NULL;
52b7d2ce
A		 1204#ifdef ENABLE_NATT
1205 vchar_t *vid_natt = NULL;
1206#endif
d1e348cf
A		 1207#ifdef ENABLE_HYBRID
1208 vchar_t *vid_xauth = NULL;
1209 vchar_t *vid_unity = NULL;
1210#endif
52b7d2ce
A		 1211#ifdef ENABLE_DPD
1212 vchar_t *vid_dpd = NULL;
1213#endif
d1e348cf
A		 1214#ifdef ENABLE_FRAG
1215 vchar_t *vid_frag = NULL;
1216#endif
52b7d2ce
A		 1217
1218 /* validity check */
65c25746
A		 1219 if (iph1->status != IKEV1_STATE_IDENT_R_MSG1RCVD) {
1220 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 1221 "status mismatched %d.\n", iph1->status);
1222 goto end;
1223 }
1224
1225 /* set responder's cookie */
1226 isakmp_newcookie((caddr_t)&iph1->index.r_ck, iph1->remote, iph1->local);
65c25746 1227 gss_sa = iph1->sa_ret;
52b7d2ce
A		 1228
1229 /* set SA payload to reply */
1230 plist = isakmp_plist_append(plist, gss_sa, ISAKMP_NPTYPE_SA);
1231
d1e348cf
A		 1232#ifdef ENABLE_HYBRID
1233 if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) {
65c25746 1234 plog (ASL_LEVEL_INFO, "Adding xauth VID payload.\n");
d1e348cf 1235 if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL) {
65c25746 1236 plog(ASL_LEVEL_ERR,
d1e348cf
A		 1237 "Cannot create Xauth vendor ID\n");
1238 goto end;
1239 }
1240 plist = isakmp_plist_append(plist,
1241 vid_xauth, ISAKMP_NPTYPE_VID);
1242 }
52b7d2ce 1243
d1e348cf
A		 1244 if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_UNITY) {
1245 if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL) {
65c25746 1246 plog(ASL_LEVEL_ERR,
d1e348cf
A		 1247 "Cannot create Unity vendor ID\n");
1248 goto end;
1249 }
1250 plist = isakmp_plist_append(plist,
1251 vid_unity, ISAKMP_NPTYPE_VID);
1252 }
1253#endif
52b7d2ce
A		 1254#ifdef ENABLE_NATT
1255 /* Has the peer announced NAT-T? */
1256 if (NATT_AVAILABLE(iph1))
1257 vid_natt = set_vendorid(iph1->natt_options->version);
1258
1259 if (vid_natt)
1260 plist = isakmp_plist_append(plist, vid_natt, ISAKMP_NPTYPE_VID);
1261#endif
1262#ifdef ENABLE_DPD
1263 /* XXX only send DPD VID if remote sent it ? */
1264 if(iph1->rmconf->dpd){
1265 vid_dpd = set_vendorid(VENDORID_DPD);
1266 if (vid_dpd != NULL)
1267 plist = isakmp_plist_append(plist, vid_dpd, ISAKMP_NPTYPE_VID);
1268 }
1269#endif
d1e348cf
A		 1270#ifdef ENABLE_FRAG
1271 if (iph1->frag) {
1272 vid_frag = set_vendorid(VENDORID_FRAG);
1273 if (vid_frag != NULL)
1274 vid_frag = isakmp_frag_addcap(vid_frag,
1275 VENDORID_FRAG_IDENT);
1276 if (vid_frag == NULL)
65c25746 1277 plog(ASL_LEVEL_ERR,
d1e348cf
A		 1278 "Frag vendorID construction failed\n");
1279 else
1280 plist = isakmp_plist_append(plist,
1281 vid_frag, ISAKMP_NPTYPE_VID);
1282 }
1283#endif
52b7d2ce
A		 1284
1285 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
1286
1287#ifdef HAVE_PRINT_ISAKMP_C
1288 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
1289#endif
1290
1291 /* send the packet, add to the schedule to resend */
1292 iph1->retry_counter = iph1->rmconf->retry_counter;
d1e348cf 1293 if (isakmp_ph1resend(iph1) == -1) {
65c25746 1294 plog(ASL_LEVEL_ERR,
d1e348cf 1295 "failed to send packet");
52b7d2ce 1296 goto end;
d1e348cf 1297 }
52b7d2ce
A		 1298
1299 /* the sending message is added to the received-list. */
65c25746
A		 1300 if (ike_session_add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
1301 PH1_NON_ESP_EXTRA_LEN(iph1, iph1->sendbuf), PH1_FRAG_FLAGS(iph1)) == -1) {
1302 plog(ASL_LEVEL_ERR ,
52b7d2ce
A		 1303 "failed to add a response packet to the tree.\n");
1304 goto end;
1305 }
1306
65c25746 1307 fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_R_MSG2SENT);
52b7d2ce
A		 1308
1309#ifdef ENABLE_VPNCONTROL_PORT
1310 vpncontrol_notify_phase_change(1, FROM_LOCAL, iph1, NULL);
1311#endif
1312
1313 error = 0;
1314
d1e348cf
A		 1315 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1316 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
1317 CONSTSTR("Responder, Main-Mode message 2"),
1318 CONSTSTR(NULL));
1319
52b7d2ce 1320end:
d1e348cf
A		 1321 if (error) {
1322 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1323 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
1324 CONSTSTR("Responder, Main-Mode Message 2"),
1325 CONSTSTR("Failed to transmit Main-Mode Message 2"));
1326 }
52b7d2ce
A		 1327#ifdef ENABLE_NATT
1328 if (vid_natt)
1329 vfree(vid_natt);
1330#endif
d1e348cf
A		 1331#ifdef ENABLE_HYBRID
1332 if (vid_xauth != NULL)
1333 vfree(vid_xauth);
1334 if (vid_unity != NULL)
1335 vfree(vid_unity);
1336#endif
52b7d2ce
A		 1337#ifdef ENABLE_DPD
1338 if (vid_dpd != NULL)
1339 vfree(vid_dpd);
1340#endif
d1e348cf
A		 1341#ifdef ENABLE_FRAG
1342 if (vid_frag != NULL)
1343 vfree(vid_frag);
1344#endif
52b7d2ce
A		 1345
1346 return error;
1347}
1348
1349/*
1350 * receive from initiator
1351 * psk: HDR, KE, Ni
1352 * sig: HDR, KE, Ni
1353 * gssapi: HDR, KE, Ni, GSSi
1354 * rsa: HDR, KE, [ HASH(1), ] <IDi1_b>PubKey_r, <Ni_b>PubKey_r
1355 * rev: HDR, [ HASH(1), ] <Ni_b>Pubkey_r, <KE_b>Ke_i,
1356 * <IDi1_b>Ke_i, [<<Cert-I_b>Ke_i]
1357 */
1358int
65c25746
A		 1359ident_r3recv(iph1, msg)
1360 phase1_handle_t *iph1;
52b7d2ce
A		 1361 vchar_t *msg;
1362{
1363 vchar_t *pbuf = NULL;
1364 struct isakmp_parse_t *pa;
1365 int error = -1;
52b7d2ce
A		 1366#ifdef ENABLE_NATT
1367 int natd_seq = 0;
1368#endif
1369
1370 /* validity check */
65c25746
A		 1371 if (iph1->status != IKEV1_STATE_IDENT_R_MSG2SENT) {
1372 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 1373 "status mismatched %d.\n", iph1->status);
1374 goto end;
1375 }
1376
1377 /* validate the type of next payload */
1378 pbuf = isakmp_parse(msg);
d1e348cf 1379 if (pbuf == NULL) {
65c25746 1380 plog(ASL_LEVEL_ERR,
d1e348cf 1381 "failed to parse msg");
52b7d2ce 1382 goto end;
d1e348cf 1383 }
52b7d2ce 1384
85f41bec 1385 for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
52b7d2ce
A		 1386 pa->type != ISAKMP_NPTYPE_NONE;
1387 pa++) {
1388 switch (pa->type) {
1389 case ISAKMP_NPTYPE_KE:
d1e348cf 1390 if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) {
65c25746 1391 plog(ASL_LEVEL_ERR,
d1e348cf 1392 "failed to process KE payload");
52b7d2ce 1393 goto end;
d1e348cf 1394 }
52b7d2ce
A		 1395 break;
1396 case ISAKMP_NPTYPE_NONCE:
d1e348cf 1397 if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) {
65c25746 1398 plog(ASL_LEVEL_ERR,
d1e348cf 1399 "failed to process NONCE payload");
52b7d2ce 1400 goto end;
d1e348cf 1401 }
52b7d2ce
A		 1402 break;
1403 case ISAKMP_NPTYPE_VID:
1404 (void)check_vendorid(pa->ptr);
1405 break;
1406 case ISAKMP_NPTYPE_CR:
65c25746 1407 plog(ASL_LEVEL_WARNING,
52b7d2ce
A		 1408 "CR received, ignore it. "
1409 "It should be in other exchange.\n");
1410 break;
52b7d2ce
A		 1411
1412#ifdef ENABLE_NATT
1413 case ISAKMP_NPTYPE_NATD_DRAFT:
1414 case ISAKMP_NPTYPE_NATD_RFC:
52b7d2ce 1415 case ISAKMP_NPTYPE_NATD_BADDRAFT:
52b7d2ce
A		 1416 if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL &&
1417 pa->type == iph1->natt_options->payload_nat_d)
1418 {
1419 vchar_t *natd_received = NULL;
1420 int natd_verified;
1421
d1e348cf 1422 if (isakmp_p2ph (&natd_received, pa->ptr) < 0) {
65c25746 1423 plog(ASL_LEVEL_ERR,
d1e348cf 1424 "failed to process NATD payload");
52b7d2ce 1425 goto end;
d1e348cf 1426 }
52b7d2ce
A		 1427
1428 if (natd_seq == 0)
1429 iph1->natt_flags |= NAT_DETECTED;
1430
1431 natd_verified = natt_compare_addr_hash (iph1,
1432 natd_received, natd_seq++);
1433
65c25746 1434 plog (ASL_LEVEL_INFO, "NAT-D payload #%d %s\n",
52b7d2ce
A		 1435 natd_seq - 1,
1436 natd_verified ? "verified" : "doesn't match");
1437
1438 vfree (natd_received);
1439 break;
1440 }
1441 /* %%%% Be lenient here - some servers send natd payloads */
1442 /* when no nat is detected */
1443 break;
1444#endif
1445
1446 default:
1447 /* don't send information, see ident_r1recv() */
65c25746 1448 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 1449 "ignore the packet, "
1450 "received unexpecting payload type %d.\n",
1451 pa->type);
1452 goto end;
1453 }
1454 }
1455
1456#ifdef ENABLE_NATT
1457 if (NATT_AVAILABLE(iph1))
65c25746 1458 plog (ASL_LEVEL_INFO, "NAT %s %s%s\n",
52b7d2ce
A		 1459 iph1->natt_flags & NAT_DETECTED ?
1460 "detected:" : "not detected",
1461 iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "",
1462 iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : "");
1463#endif
1464
1465 /* payload existency check */
1466 if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) {
65c25746 1467 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 1468 "few isakmp message received.\n");
1469 goto end;
1470 }
1471
65c25746 1472 fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_R_MSG3RCVD);
52b7d2ce
A		 1473
1474 error = 0;
1475
d1e348cf
A		 1476 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1477 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
1478 CONSTSTR("Responder, Main-Mode message 3"),
1479 CONSTSTR(NULL));
1480
52b7d2ce 1481end:
d1e348cf
A		 1482 if (error) {
1483 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1484 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
1485 CONSTSTR("Responder, Main-Mode Message 3"),
1486 CONSTSTR("Failed to process Main-Mode Message 3"));
1487 }
52b7d2ce
A		 1488 if (pbuf)
1489 vfree(pbuf);
52b7d2ce
A		 1490
1491 if (error) {
1492 VPTRINIT(iph1->dhpub_p);
1493 VPTRINIT(iph1->nonce_p);
1494 VPTRINIT(iph1->id_p);
1495 }
1496
1497 return error;
1498}
1499
1500/*
1501 * send to initiator
1502 * psk: HDR, KE, Nr
1503 * sig: HDR, KE, Nr [, CR ]
1504 * gssapi: HDR, KE, Nr, GSSr
1505 * rsa: HDR, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i
1506 * rev: HDR, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDr1_b>Ke_r,
1507 */
1508int
65c25746
A		 1509ident_r4send(iph1, msg)
1510 phase1_handle_t *iph1;
52b7d2ce
A		 1511 vchar_t *msg;
1512{
1513 int error = -1;
1514
1515 /* validity check */
65c25746
A		 1516 if (iph1->status != IKEV1_STATE_IDENT_R_MSG3RCVD) {
1517 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 1518 "status mismatched %d.\n", iph1->status);
1519 goto end;
1520 }
1521
1522 /* generate DH public value */
e8d9021d 1523#ifdef HAVE_OPENSSL
52b7d2ce 1524 if (oakley_dh_generate(iph1->approval->dhgrp,
d1e348cf 1525 &iph1->dhpub, &iph1->dhpriv) < 0) {
e8d9021d
A		 1526#else
1527 if (oakley_dh_generate(iph1->approval->dhgrp,
1528 &iph1->dhpub, &iph1->publicKeySize, &iph1->dhC) < 0) {
1529#endif
65c25746 1530 plog(ASL_LEVEL_ERR,
d1e348cf 1531 "failed to generate DH");
52b7d2ce 1532 goto end;
d1e348cf 1533 }
52b7d2ce
A		 1534
1535 /* generate NONCE value */
1536 iph1->nonce = eay_set_random(iph1->rmconf->nonce_size);
d1e348cf 1537 if (iph1->nonce == NULL) {
65c25746 1538 plog(ASL_LEVEL_ERR,
d1e348cf 1539 "failed to generate NONCE");
52b7d2ce 1540 goto end;
d1e348cf 1541 }
52b7d2ce 1542
52b7d2ce
A		 1543 /* create HDR;KE;NONCE payload */
1544 iph1->sendbuf = ident_ir2mx(iph1);
d1e348cf 1545 if (iph1->sendbuf == NULL) {
65c25746 1546 plog(ASL_LEVEL_ERR,
d1e348cf 1547 "failed to allocate send buffer");
52b7d2ce 1548 goto end;
d1e348cf 1549 }
52b7d2ce
A		 1550
1551#ifdef HAVE_PRINT_ISAKMP_C
1552 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
1553#endif
1554
1555 /* send the packet, add to the schedule to resend */
1556 iph1->retry_counter = iph1->rmconf->retry_counter;
d1e348cf 1557 if (isakmp_ph1resend(iph1) == -1) {
65c25746 1558 plog(ASL_LEVEL_ERR,
d1e348cf 1559 "failed to send packet");
52b7d2ce 1560 goto end;
d1e348cf 1561 }
52b7d2ce
A		 1562
1563 /* the sending message is added to the received-list. */
65c25746
A		 1564 if (ike_session_add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
1565 PH1_NON_ESP_EXTRA_LEN(iph1, iph1->sendbuf), PH1_FRAG_FLAGS(iph1)) == -1) {
1566 plog(ASL_LEVEL_ERR ,
52b7d2ce
A		 1567 "failed to add a response packet to the tree.\n");
1568 goto end;
1569 }
1570
1571 /* compute sharing secret of DH */
e8d9021d
A		 1572#ifdef HAVE_OPENSSL
1573 if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub,
1574 iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) {
1575#else
65c25746 1576 if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub_p, iph1->publicKeySize, &iph1->dhgxy, &iph1->dhC) < 0) {
e8d9021d 1577#endif
65c25746 1578 plog(ASL_LEVEL_ERR,
d1e348cf 1579 "failed to compute DH");
52b7d2ce 1580 goto end;
d1e348cf 1581 }
52b7d2ce
A		 1582
1583 /* generate SKEYIDs & IV & final cipher key */
d1e348cf 1584 if (oakley_skeyid(iph1) < 0) {
65c25746 1585 plog(ASL_LEVEL_ERR,
d1e348cf 1586 "failed to generate SKEYID");
52b7d2ce 1587 goto end;
d1e348cf
A		 1588 }
1589 if (oakley_skeyid_dae(iph1) < 0) {
65c25746 1590 plog(ASL_LEVEL_ERR,
d1e348cf 1591 "failed to generate SKEYID-DAE");
52b7d2ce 1592 goto end;
d1e348cf
A		 1593 }
1594 if (oakley_compute_enckey(iph1) < 0) {
65c25746 1595 plog(ASL_LEVEL_ERR,
d1e348cf 1596 "failed to generate ENCKEY");
52b7d2ce 1597 goto end;
d1e348cf
A		 1598 }
1599 if (oakley_newiv(iph1) < 0) {
65c25746 1600 plog(ASL_LEVEL_ERR,
d1e348cf 1601 "failed to generate IV");
52b7d2ce 1602 goto end;
d1e348cf 1603 }
52b7d2ce 1604
65c25746 1605 fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_R_MSG4SENT);
52b7d2ce
A		 1606
1607 error = 0;
1608
d1e348cf
A		 1609 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1610 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
1611 CONSTSTR("Responder, Main-Mode message 4"),
1612 CONSTSTR(NULL));
1613
52b7d2ce 1614end:
d1e348cf
A		 1615 if (error) {
1616 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1617 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
1618 CONSTSTR("Responder, Main-Mode Message 4"),
1619 CONSTSTR("Failed to transmit Main-Mode Message 4"));
1620 }
52b7d2ce
A		 1621 return error;
1622}
1623
1624/*
1625 * receive from initiator
1626 * psk: HDR*, IDi1, HASH_I
1627 * sig: HDR*, IDi1, [ CR, ] [ CERT, ] SIG_I
1628 * gssapi: HDR*, [ IDi1, ] < GSSi(n) | HASH_I >
1629 * rsa: HDR*, HASH_I
1630 * rev: HDR*, HASH_I
1631 */
1632int
65c25746
A		 1633ident_r5recv(iph1, msg0)
1634 phase1_handle_t *iph1;
52b7d2ce
A		 1635 vchar_t *msg0;
1636{
1637 vchar_t *msg = NULL;
1638 vchar_t *pbuf = NULL;
1639 struct isakmp_parse_t *pa;
1640 int error = -1;
1641 int type;
e8d9021d 1642 int received_cert = 0;
52b7d2ce
A		 1643
1644 /* validity check */
65c25746
A		 1645 if (iph1->status != IKEV1_STATE_IDENT_R_MSG4SENT) {
1646 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 1647 "status mismatched %d.\n", iph1->status);
1648 goto end;
1649 }
1650
1651 /* decrypting */
1652 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
65c25746 1653 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 1654 "reject the packet, "
1655 "expecting the packet encrypted.\n");
1656 goto end;
1657 }
1658 msg = oakley_do_decrypt(iph1, msg0, iph1->ivm->iv, iph1->ivm->ive);
d1e348cf 1659 if (msg == NULL) {
65c25746 1660 plog(ASL_LEVEL_ERR,
d1e348cf 1661 "failed to decrypt");
52b7d2ce 1662 goto end;
d1e348cf 1663 }
52b7d2ce
A		 1664
1665 /* validate the type of next payload */
1666 pbuf = isakmp_parse(msg);
d1e348cf 1667 if (pbuf == NULL) {
65c25746 1668 plog(ASL_LEVEL_ERR,
d1e348cf 1669 "failed to parse msg");
52b7d2ce 1670 goto end;
d1e348cf 1671 }
52b7d2ce
A		 1672
1673 iph1->pl_hash = NULL;
1674
85f41bec 1675 for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
52b7d2ce
A		 1676 pa->type != ISAKMP_NPTYPE_NONE;
1677 pa++) {
1678
1679 switch (pa->type) {
1680 case ISAKMP_NPTYPE_ID:
d1e348cf 1681 if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) {
65c25746 1682 plog(ASL_LEVEL_ERR,
d1e348cf 1683 "failed to process ID payload");
52b7d2ce 1684 goto end;
d1e348cf 1685 }
52b7d2ce
A		 1686 break;
1687 case ISAKMP_NPTYPE_HASH:
1688 iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr;
1689 break;
1690 case ISAKMP_NPTYPE_CR:
d1e348cf 1691 if (oakley_savecr(iph1, pa->ptr) < 0) {
65c25746 1692 plog(ASL_LEVEL_ERR,
d1e348cf 1693 "failed to process CR payload");
52b7d2ce 1694 goto end;
d1e348cf 1695 }
52b7d2ce
A		 1696 break;
1697 case ISAKMP_NPTYPE_CERT:
d1e348cf 1698 if (oakley_savecert(iph1, pa->ptr) < 0) {
65c25746 1699 plog(ASL_LEVEL_ERR,
d1e348cf 1700 "failed to process CERT payload");
52b7d2ce 1701 goto end;
d1e348cf 1702 }
e8d9021d 1703 received_cert = 1;
52b7d2ce
A		 1704 break;
1705 case ISAKMP_NPTYPE_SIG:
d1e348cf 1706 if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) {
65c25746 1707 plog(ASL_LEVEL_ERR,
d1e348cf 1708 "failed to process SIG payload");
52b7d2ce 1709 goto end;
d1e348cf 1710 }
52b7d2ce 1711 break;
52b7d2ce
A		 1712 case ISAKMP_NPTYPE_VID:
1713 (void)check_vendorid(pa->ptr);
1714 break;
1715 case ISAKMP_NPTYPE_N:
1716 isakmp_check_notify(pa->ptr, iph1);
1717 break;
1718 default:
1719 /* don't send information, see ident_r1recv() */
65c25746 1720 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 1721 "ignore the packet, "
1722 "received unexpecting payload type %d.\n",
1723 pa->type);
1724 goto end;
1725 }
1726 }
1727
e8d9021d
A		 1728 if (received_cert) {
1729 oakley_verify_certid(iph1);
1730 }
1731
52b7d2ce
A		 1732 /* payload existency check */
1733 /* XXX same as ident_i4recv(), should be merged. */
1734 {
1735 int ng = 0;
1736
d1e348cf 1737 switch (AUTHMETHOD(iph1)) {
52b7d2ce 1738 case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
d1e348cf
A		 1739#ifdef ENABLE_HYBRID
1740 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
1741 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
d1e348cf 1742#endif
52b7d2ce
A		 1743 if (iph1->id_p == NULL || iph1->pl_hash == NULL)
1744 ng++;
1745 break;
52b7d2ce 1746 case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
d1e348cf
A		 1747#ifdef ENABLE_HYBRID
1748 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
d1e348cf 1749#endif
52b7d2ce
A		 1750 if (iph1->id_p == NULL || iph1->sig_p == NULL)
1751 ng++;
1752 break;
1753 case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
1754 case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
d1e348cf
A		 1755#ifdef ENABLE_HYBRID
1756 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
1757 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
1758#endif
52b7d2ce
A		 1759 if (iph1->pl_hash == NULL)
1760 ng++;
1761 break;
52b7d2ce 1762 default:
65c25746 1763 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 1764 "invalid authmethod %d why ?\n",
1765 iph1->approval->authmethod);
1766 goto end;
1767 }
1768 if (ng) {
65c25746 1769 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 1770 "few isakmp message received.\n");
1771 goto end;
1772 }
1773 }
1774
1775 /* verify identifier */
1776 if (ipsecdoi_checkid1(iph1) != 0) {
65c25746 1777 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 1778 "invalid ID payload.\n");
1779 goto end;
1780 }
1781
1782 /* validate authentication value */
65c25746
A		 1783
1784 type = oakley_validate_auth(iph1);
1785 if (type != 0) {
1786 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1787 IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_FAIL,
1788 CONSTSTR("Responder, Main-Mode Message 5"),
1789 CONSTSTR("Failed to authenticate Main-Mode Message 5"));
1790 if (type == -1) {
1791 /* msg printed inner oakley_validate_auth() */
1792 goto end;
1793 }
1794 isakmp_info_send_n1(iph1, type, NULL);
1795 goto end;
1796 }
1797 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1798 IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_SUCC,
1799 CONSTSTR("Responder, Main-Mode Message 5"),
1800 CONSTSTR(NULL));
52b7d2ce
A		 1801
1802 if (oakley_checkcr(iph1) < 0) {
1803 /* Ignore this error in order to be interoperability. */
1804 ;
1805 }
1806
1807 /*
1808 * XXX: Should we do compare two addresses, ph1handle's and ID
1809 * payload's.
1810 */
1811
65c25746 1812 plogdump(ASL_LEVEL_DEBUG, iph1->id_p->v, iph1->id_p->l, "peer's ID\n");
52b7d2ce
A		 1813
1814 /* see handler.h about IV synchronization. */
1815 memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->ive->l);
1816
65c25746 1817 fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_R_MSG5RCVD);
52b7d2ce
A		 1818 error = 0;
1819
d1e348cf
A		 1820 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1821 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
1822 CONSTSTR("Responder, Main-Mode message 5"),
1823 CONSTSTR(NULL));
1824
52b7d2ce 1825end:
d1e348cf
A		 1826 if (error) {
1827 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1828 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
1829 CONSTSTR("Responder, Main-Mode Message 5"),
1830 CONSTSTR("Failed to process Main-Mode Message 5"));
1831 }
52b7d2ce
A		 1832 if (pbuf)
1833 vfree(pbuf);
1834 if (msg)
1835 vfree(msg);
52b7d2ce
A		 1836
1837 if (error) {
1838 VPTRINIT(iph1->id_p);
1839 oakley_delcert(iph1->cert_p);
1840 iph1->cert_p = NULL;
1841 oakley_delcert(iph1->crl_p);
1842 iph1->crl_p = NULL;
1843 VPTRINIT(iph1->sig_p);
1844 oakley_delcert(iph1->cr_p);
1845 iph1->cr_p = NULL;
1846 }
1847
1848 return error;
1849}
1850
1851/*
1852 * send to initiator
1853 * psk: HDR*, IDr1, HASH_R
1854 * sig: HDR*, IDr1, [ CERT, ] SIG_R
1855 * gssapi: HDR*, IDr1, < GSSr(n) | HASH_R >
1856 * rsa: HDR*, HASH_R
1857 * rev: HDR*, HASH_R
1858 */
1859int
65c25746
A		 1860ident_r6send(iph1, msg)
1861 phase1_handle_t *iph1;
52b7d2ce
A		 1862 vchar_t *msg;
1863{
1864 int error = -1;
1865 int dohash = 1;
52b7d2ce
A		 1866
1867 /* validity check */
65c25746
A		 1868 if (iph1->status != IKEV1_STATE_IDENT_R_MSG5RCVD) {
1869 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 1870 "status mismatched %d.\n", iph1->status);
1871 goto end;
1872 }
1873
1874 /* make ID payload into isakmp status */
d1e348cf 1875 if (ipsecdoi_setid1(iph1) < 0) {
65c25746 1876 plog(ASL_LEVEL_ERR,
d1e348cf 1877 "failed to set ID");
52b7d2ce 1878 goto end;
d1e348cf 1879 }
52b7d2ce 1880
52b7d2ce
A		 1881 if (dohash) {
1882 /* generate HASH to send */
65c25746 1883 plog(ASL_LEVEL_DEBUG, "generate HASH_R\n");
52b7d2ce 1884 iph1->hash = oakley_ph1hash_common(iph1, GENERATE);
d1e348cf 1885 if (iph1->hash == NULL) {
65c25746 1886 plog(ASL_LEVEL_ERR,
d1e348cf 1887 "failed to generate HASH");
52b7d2ce 1888 goto end;
d1e348cf 1889 }
52b7d2ce
A		 1890 } else
1891 iph1->hash = NULL;
1892
1893 /* set encryption flag */
1894 iph1->flags |= ISAKMP_FLAG_E;
1895
1896 /* create HDR;ID;HASH payload */
1897 iph1->sendbuf = ident_ir3mx(iph1);
d1e348cf 1898 if (iph1->sendbuf == NULL) {
65c25746 1899 plog(ASL_LEVEL_ERR,
d1e348cf 1900 "failed to create send buffer");
52b7d2ce 1901 goto end;
d1e348cf 1902 }
52b7d2ce
A		 1903
1904 /* send HDR;ID;HASH to responder */
d1e348cf 1905 if (isakmp_send(iph1, iph1->sendbuf) < 0) {
65c25746 1906 plog(ASL_LEVEL_ERR,
d1e348cf 1907 "failed to send packet");
52b7d2ce 1908 goto end;
d1e348cf 1909 }
52b7d2ce
A		 1910
1911 /* the sending message is added to the received-list. */
65c25746
A		 1912 if (ike_session_add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
1913 PH1_NON_ESP_EXTRA_LEN(iph1, iph1->sendbuf), PH1_FRAG_FLAGS(iph1)) == -1) {
1914 plog(ASL_LEVEL_ERR ,
52b7d2ce
A		 1915 "failed to add a response packet to the tree.\n");
1916 goto end;
1917 }
1918
1919 /* see handler.h about IV synchronization. */
1920 memcpy(iph1->ivm->ive->v, iph1->ivm->iv->v, iph1->ivm->iv->l);
1921
65c25746 1922 fsm_set_state(&iph1->status, IKEV1_STATE_PHASE1_ESTABLISHED);
52b7d2ce 1923
d1e348cf
A		 1924 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1925 IPSECSESSIONEVENTCODE_IKEV1_PH1_RESP_SUCC,
1926 CONSTSTR("Responder, Main-Mode"),
1927 CONSTSTR(NULL));
1928
52b7d2ce
A		 1929 error = 0;
1930
d1e348cf
A		 1931 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1932 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
1933 CONSTSTR("Responder, Main-Mode message 6"),
1934 CONSTSTR(NULL));
1935
52b7d2ce 1936end:
d1e348cf
A		 1937 if (error) {
1938 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1939 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
1940 CONSTSTR("Responder, Main-Mode Message 6"),
1941 CONSTSTR("Failed to process Main-Mode Message 6"));
1942 }
52b7d2ce
A		 1943
1944 return error;
1945}
1946
1947/*
1948 * This is used in main mode for:
1949 * initiator's 3rd exchange send to responder
1950 * psk: HDR, KE, Ni
1951 * sig: HDR, KE, Ni
1952 * rsa: HDR, KE, [ HASH(1), ] <IDi1_b>PubKey_r, <Ni_b>PubKey_r
1953 * rev: HDR, [ HASH(1), ] <Ni_b>Pubkey_r, <KE_b>Ke_i,
1954 * <IDi1_b>Ke_i, [<<Cert-I_b>Ke_i]
1955 * responders 2nd exchnage send to initiator
1956 * psk: HDR, KE, Nr
1957 * sig: HDR, KE, Nr [, CR ]
1958 * rsa: HDR, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i
1959 * rev: HDR, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDr1_b>Ke_r,
1960 */
1961static vchar_t *
1962ident_ir2mx(iph1)
65c25746 1963 phase1_handle_t *iph1;
52b7d2ce
A		 1964{
1965 vchar_t *buf = 0;
1966 struct payload_list *plist = NULL;
1967 int need_cr = 0;
1968 vchar_t *cr = NULL;
1969 vchar_t *vid = NULL;
1970 int error = -1;
52b7d2ce
A		 1971#ifdef ENABLE_NATT
1972 vchar_t *natd[2] = { NULL, NULL };
1973#endif
1974
1975 /* create CR if need */
1976 if (iph1->side == RESPONDER
1977 && iph1->rmconf->send_cr
65c25746 1978 && oakley_needcr(iph1->approval->authmethod)) {
52b7d2ce
A		 1979 need_cr = 1;
1980 cr = oakley_getcr(iph1);
1981 if (cr == NULL) {
65c25746 1982 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 1983 "failed to get cr buffer.\n");
1984 goto end;
1985 }
1986 }
1987
52b7d2ce
A		 1988 /* create isakmp KE payload */
1989 plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE);
1990
1991 /* create isakmp NONCE payload */
1992 plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE);
1993
52b7d2ce
A		 1994 /* append vendor id, if needed */
1995 if (vid)
1996 plist = isakmp_plist_append(plist, vid, ISAKMP_NPTYPE_VID);
1997
1998 /* create isakmp CR payload if needed */
1999 if (need_cr)
2000 plist = isakmp_plist_append(plist, cr, ISAKMP_NPTYPE_CR);
2001
2002#ifdef ENABLE_NATT
2003 /* generate and append NAT-D payloads */
65c25746 2004 if (NATT_AVAILABLE(iph1))
52b7d2ce
A		 2005 {
2006 if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) {
65c25746 2007 plog(ASL_LEVEL_ERR,
85f41bec 2008 "NAT-D hashing failed for %s\n", saddr2str((struct sockaddr *)iph1->remote));
52b7d2ce
A		 2009 goto end;
2010 }
2011
2012 if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) {
65c25746 2013 plog(ASL_LEVEL_ERR,
85f41bec 2014 "NAT-D hashing failed for %s\n", saddr2str((struct sockaddr *)iph1->local));
52b7d2ce
A		 2015 goto end;
2016 }
2017
65c25746 2018 plog (ASL_LEVEL_INFO, "Adding remote and local NAT-D payloads.\n");
52b7d2ce
A		 2019 /* old Apple version sends natd payloads in the wrong order */
2020 if (iph1->natt_options->version == VENDORID_NATT_APPLE) {
2021 plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
2022 plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
2023 } else
52b7d2ce
A		 2024 {
2025 plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
2026 plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
2027 }
2028 }
2029#endif
2030
2031 buf = isakmp_plist_set_all (&plist, iph1);
2032
2033 error = 0;
2034
2035end:
2036 if (error && buf != NULL) {
2037 vfree(buf);
2038 buf = NULL;
2039 }
2040 if (cr)
2041 vfree(cr);
52b7d2ce
A		 2042 if (vid)
2043 vfree(vid);
2044
2045#ifdef ENABLE_NATT
2046 if (natd[0])
2047 vfree(natd[0]);
2048 if (natd[1])
2049 vfree(natd[1]);
2050#endif
2051
2052 return buf;
2053}
2054
2055/*
2056 * This is used in main mode for:
2057 * initiator's 4th exchange send to responder
2058 * psk: HDR*, IDi1, HASH_I
2059 * sig: HDR*, IDi1, [ CR, ] [ CERT, ] SIG_I
2060 * gssapi: HDR*, [ IDi1, ] < GSSi(n) | HASH_I >
2061 * rsa: HDR*, HASH_I
2062 * rev: HDR*, HASH_I
2063 * responders 3rd exchnage send to initiator
2064 * psk: HDR*, IDr1, HASH_R
2065 * sig: HDR*, IDr1, [ CERT, ] SIG_R
2066 * gssapi: HDR*, [ IDr1, ] < GSSr(n) | HASH_R >
2067 * rsa: HDR*, HASH_R
2068 * rev: HDR*, HASH_R
2069 */
2070static vchar_t *
2071ident_ir3mx(iph1)
65c25746 2072 phase1_handle_t *iph1;
52b7d2ce
A		 2073{
2074 struct payload_list *plist = NULL;
2075 vchar_t *buf = NULL, *new = NULL;
2076 int need_cr = 0;
2077 int need_cert = 0;
2078 vchar_t *cr = NULL;
2079 int error = -1;
b8c37798 2080 vchar_t *notp_ini = NULL;
52b7d2ce 2081
d1e348cf 2082 switch (AUTHMETHOD(iph1)) {
52b7d2ce 2083 case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
d1e348cf
A		 2084#ifdef ENABLE_HYBRID
2085 case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
2086 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
2087 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
d1e348cf 2088#endif
52b7d2ce
A		 2089 /* create isakmp ID payload */
2090 plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
2091
2092 /* create isakmp HASH payload */
2093 plist = isakmp_plist_append(plist, iph1->hash, ISAKMP_NPTYPE_HASH);
2094 break;
52b7d2ce 2095 case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
d1e348cf
A		 2096#ifdef ENABLE_HYBRID
2097 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
d1e348cf
A		 2098 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
2099 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
d1e348cf
A		 2100#endif
2101 if (oakley_getmycert(iph1) < 0) {
65c25746 2102 plog(ASL_LEVEL_ERR,
d1e348cf 2103 "failed to get mycert");
52b7d2ce 2104 goto end;
d1e348cf 2105 }
52b7d2ce 2106
d1e348cf 2107 if (oakley_getsign(iph1) < 0) {
65c25746 2108 plog(ASL_LEVEL_ERR,
d1e348cf 2109 "failed to get sign");
52b7d2ce 2110 goto end;
d1e348cf 2111 }
52b7d2ce
A		 2112
2113 /* create CR if need */
2114 if (iph1->side == INITIATOR
2115 && iph1->rmconf->send_cr
65c25746 2116 && oakley_needcr(iph1->approval->authmethod)) {
52b7d2ce
A		 2117 need_cr = 1;
2118 cr = oakley_getcr(iph1);
2119 if (cr == NULL) {
65c25746 2120 plog(ASL_LEVEL_ERR,
d1e348cf 2121 "failed to get CR");
52b7d2ce
A		 2122 goto end;
2123 }
2124 }
2125
2126 if (iph1->cert != NULL && iph1->rmconf->send_cert)
2127 need_cert = 1;
2128
2129 /* add ID payload */
2130 plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
2131
2132 /* add CERT payload if there */
e8d9021d 2133 // we don't support sending of certchains
52b7d2ce
A		 2134 if (need_cert)
2135 plist = isakmp_plist_append(plist, iph1->cert->pl, ISAKMP_NPTYPE_CERT);
2136 /* add SIG payload */
2137 plist = isakmp_plist_append(plist, iph1->sig, ISAKMP_NPTYPE_SIG);
2138
2139 /* create isakmp CR payload */
2140 if (need_cr)
2141 plist = isakmp_plist_append(plist, cr, ISAKMP_NPTYPE_CR);
2142 break;
52b7d2ce 2143
52b7d2ce
A		 2144 case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
2145 case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
d1e348cf
A		 2146#ifdef ENABLE_HYBRID
2147 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
2148 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
2149 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
2150 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
2151#endif
65c25746 2152 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 2153 "not supported authentication type %d\n",
2154 iph1->approval->authmethod);
2155 goto end;
2156 default:
65c25746 2157 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 2158 "invalid authentication type %d\n",
2159 iph1->approval->authmethod);
2160 goto end;
2161 }
2162
b8c37798
A		 2163 if (iph1->side == INITIATOR) {
2164 notp_ini = isakmp_plist_append_initial_contact(iph1, plist);
2165 }
2166
52b7d2ce
A		 2167 buf = isakmp_plist_set_all (&plist, iph1);
2168
2169#ifdef HAVE_PRINT_ISAKMP_C
2170 isakmp_printpacket(buf, iph1->local, iph1->remote, 1);
2171#endif
2172
2173 /* encoding */
2174 new = oakley_do_encrypt(iph1, buf, iph1->ivm->ive, iph1->ivm->iv);
d1e348cf 2175 if (new == NULL) {
65c25746 2176 plog(ASL_LEVEL_ERR,
d1e348cf 2177 "failed to encrypt");
52b7d2ce 2178 goto end;
d1e348cf 2179 }
52b7d2ce
A		 2180
2181 vfree(buf);
2182
2183 buf = new;
2184
2185 error = 0;
2186
2187end:
2188 if (cr)
2189 vfree(cr);
2190 if (error && buf != NULL) {
2191 vfree(buf);
2192 buf = NULL;
2193 }
b8c37798
A		 2194 if (notp_ini)
2195 vfree(notp_ini);
52b7d2ce
A		 2196
2197 return buf;
2198}
mirror of ipsec