]> git.saurik.com Git - apple/ipsec.git/blame - ipsec-tools/racoon/isakmp_agg.c
ipsec-317.220.1.tar.gz
[apple/ipsec.git] / ipsec-tools / racoon / isakmp_agg.c
CommitLineData
d1e348cf
A
1/* $NetBSD: isakmp_agg.c,v 1.9 2006/09/30 21:49:37 manu Exp $ */
2
3/* Id: isakmp_agg.c,v 1.28 2006/04/06 16:46:08 manubsd Exp */
52b7d2ce
A
4
5/*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34/* Aggressive Exchange (Aggressive Mode) */
35
36#include "config.h"
37
38#include <sys/types.h>
39#include <sys/param.h>
40
41#include <stdlib.h>
42#include <stdio.h>
43#include <string.h>
44#include <errno.h>
45#if TIME_WITH_SYS_TIME
46# include <sys/time.h>
47# include <time.h>
48#else
49# if HAVE_SYS_TIME_H
50# include <sys/time.h>
51# else
52# include <time.h>
53# endif
54#endif
55
56#include "var.h"
57#include "misc.h"
58#include "vmbuf.h"
59#include "plog.h"
60#include "sockmisc.h"
61#include "schedule.h"
62#include "debug.h"
63
65c25746 64#include "fsm.h"
52b7d2ce
A
65#include "localconf.h"
66#include "remoteconf.h"
67#include "isakmp_var.h"
68#include "isakmp.h"
52b7d2ce
A
69#include "oakley.h"
70#include "handler.h"
71#include "ipsec_doi.h"
72#include "crypto_openssl.h"
73#include "pfkey.h"
74#include "isakmp_agg.h"
75#include "isakmp_inf.h"
76#ifdef ENABLE_HYBRID
77#include "isakmp_xauth.h"
78#include "isakmp_cfg.h"
79#endif
80#ifdef ENABLE_FRAG
81#include "isakmp_frag.h"
82#endif
83#include "vendorid.h"
84#include "strnames.h"
85
86#ifdef ENABLE_NATT
87#include "nattraversal.h"
88#endif
89
52b7d2ce
A
90#include "vpn_control.h"
91#include "vpn_control_var.h"
d1e348cf
A
92#include "ipsecSessionTracer.h"
93#include "ipsecMessageTracer.h"
e8d9021d
A
94#ifndef HAVE_OPENSSL
95#include <Security/SecDH.h>
96#endif
52b7d2ce
A
97
98/*
99 * begin Aggressive Mode as initiator.
100 */
101/*
102 * send to responder
103 * psk: HDR, SA, KE, Ni, IDi1
104 * sig: HDR, SA, KE, Ni, IDi1 [, CR ]
105 * gssapi: HDR, SA, KE, Ni, IDi1, GSSi
106 * rsa: HDR, SA, [ HASH(1),] KE, <IDi1_b>Pubkey_r, <Ni_b>Pubkey_r
107 * rev: HDR, SA, [ HASH(1),] <Ni_b>Pubkey_r, <KE_b>Ke_i,
108 * <IDii_b>Ke_i [, <Cert-I_b>Ke_i ]
109 */
110int
111agg_i1send(iph1, msg)
65c25746 112 phase1_handle_t *iph1;
52b7d2ce
A
113 vchar_t *msg; /* must be null */
114{
115 struct payload_list *plist = NULL;
116 int need_cr = 0;
d1e348cf 117 vchar_t *cr = NULL;
52b7d2ce
A
118 int error = -1;
119#ifdef ENABLE_NATT
120 vchar_t *vid_natt[MAX_NATT_VID_COUNT] = { NULL };
121 int i;
122#endif
123#ifdef ENABLE_HYBRID
124 vchar_t *vid_xauth = NULL;
125 vchar_t *vid_unity = NULL;
126#endif
127#ifdef ENABLE_FRAG
128 vchar_t *vid_frag = NULL;
129#endif
52b7d2ce
A
130#ifdef ENABLE_DPD
131 vchar_t *vid_dpd = NULL;
132#endif
133
65c25746
A
134 /* validity check */
135 if (iph1->status != IKEV1_STATE_AGG_I_START) {
136 plog(ASL_LEVEL_ERR,
137 "status mismatched %d.\n", iph1->status);
138 goto end;
139 }
52b7d2ce
A
140
141 /* validity check */
142 if (msg != NULL) {
65c25746 143 plog(ASL_LEVEL_ERR,
52b7d2ce
A
144 "msg has to be NULL in this function.\n");
145 goto end;
146 }
52b7d2ce
A
147
148 /* create isakmp index */
149 memset(&iph1->index, 0, sizeof(iph1->index));
150 isakmp_newcookie((caddr_t)&iph1->index, iph1->remote, iph1->local);
151
152 /* make ID payload into isakmp status */
d1e348cf 153 if (ipsecdoi_setid1(iph1) < 0) {
65c25746 154 plog(ASL_LEVEL_ERR,
d1e348cf 155 "failed to set ID");
52b7d2ce 156 goto end;
d1e348cf 157 }
52b7d2ce
A
158
159 /* create SA payload for my proposal */
65c25746 160 iph1->sa = ipsecdoi_setph1proposal(iph1);
d1e348cf 161 if (iph1->sa == NULL) {
65c25746 162 plog(ASL_LEVEL_ERR,
d1e348cf 163 "failed to set proposal");
52b7d2ce 164 goto end;
d1e348cf 165 }
52b7d2ce
A
166
167 /* consistency check of proposals */
168 if (iph1->rmconf->dhgrp == NULL) {
65c25746 169 plog(ASL_LEVEL_ERR,
52b7d2ce
A
170 "configuration failure about DH group.\n");
171 goto end;
172 }
173
174 /* generate DH public value */
e8d9021d
A
175#ifdef HAVE_OPENSSL
176 if (oakley_dh_generate(iph1->rmconf->dhgrp,
177 &iph1->dhpub, &iph1->dhpriv) < 0) {
178#else
52b7d2ce 179 if (oakley_dh_generate(iph1->rmconf->dhgrp,
e8d9021d
A
180 &iph1->dhpub, &iph1->publicKeySize, &iph1->dhC) < 0) {
181#endif
65c25746 182 plog(ASL_LEVEL_ERR,
d1e348cf 183 "failed to generate DH");
52b7d2ce 184 goto end;
d1e348cf 185 }
52b7d2ce
A
186
187 /* generate NONCE value */
188 iph1->nonce = eay_set_random(iph1->rmconf->nonce_size);
d1e348cf 189 if (iph1->nonce == NULL) {
65c25746 190 plog(ASL_LEVEL_ERR,
d1e348cf 191 "failed to generate NONCE");
52b7d2ce 192 goto end;
d1e348cf 193 }
52b7d2ce
A
194
195#ifdef ENABLE_HYBRID
196 /* Do we need Xauth VID? */
d1e348cf
A
197 switch (RMAUTHMETHOD(iph1)) {
198 case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
199 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
d1e348cf 200 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
d1e348cf
A
201 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
202 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
52b7d2ce 203 if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL)
65c25746 204 plog(ASL_LEVEL_ERR,
52b7d2ce
A
205 "Xauth vendor ID generation failed\n");
206 if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL)
65c25746 207 plog(ASL_LEVEL_ERR,
52b7d2ce
A
208 "Unity vendor ID generation failed\n");
209 break;
210 default:
211 break;
212 }
213#endif
214
215#ifdef ENABLE_FRAG
216 if (iph1->rmconf->ike_frag) {
217 vid_frag = set_vendorid(VENDORID_FRAG);
218 if (vid_frag != NULL)
219 vid_frag = isakmp_frag_addcap(vid_frag,
220 VENDORID_FRAG_AGG);
221 if (vid_frag == NULL)
65c25746 222 plog(ASL_LEVEL_ERR,
52b7d2ce
A
223 "Frag vendorID construction failed\n");
224 }
225#endif
226
227 /* create CR if need */
228 if (iph1->rmconf->send_cr
65c25746 229 && oakley_needcr(iph1->rmconf->proposal->authmethod)) {
52b7d2ce
A
230 need_cr = 1;
231 cr = oakley_getcr(iph1);
232 if (cr == NULL) {
65c25746 233 plog(ASL_LEVEL_ERR,
d1e348cf 234 "failed to get CR");
52b7d2ce
A
235 goto end;
236 }
237 }
238
65c25746 239 plog(ASL_LEVEL_DEBUG, "authmethod is %s\n",
52b7d2ce 240 s_oakley_attr_method(iph1->rmconf->proposal->authmethod));
52b7d2ce
A
241
242 /* set SA payload to propose */
243 plist = isakmp_plist_append(plist, iph1->sa, ISAKMP_NPTYPE_SA);
244
245 /* create isakmp KE payload */
246 plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE);
247
248 /* create isakmp NONCE payload */
249 plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE);
250
251 /* create isakmp ID payload */
252 plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
253
52b7d2ce
A
254 /* create isakmp CR payload */
255 if (need_cr)
256 plist = isakmp_plist_append(plist, cr, ISAKMP_NPTYPE_CR);
257
258#ifdef ENABLE_FRAG
259 if (vid_frag)
260 plist = isakmp_plist_append(plist, vid_frag, ISAKMP_NPTYPE_VID);
261#endif
262#ifdef ENABLE_NATT
263 /*
264 * set VID payload for NAT-T if NAT-T
265 * support allowed in the config file
266 */
267 if (iph1->rmconf->nat_traversal)
268 plist = isakmp_plist_append_natt_vids(plist, vid_natt);
269#endif
270#ifdef ENABLE_HYBRID
271 if (vid_xauth)
272 plist = isakmp_plist_append(plist,
273 vid_xauth, ISAKMP_NPTYPE_VID);
274 if (vid_unity)
275 plist = isakmp_plist_append(plist,
276 vid_unity, ISAKMP_NPTYPE_VID);
277#endif
278#ifdef ENABLE_DPD
279 if(iph1->rmconf->dpd){
280 vid_dpd = set_vendorid(VENDORID_DPD);
281 if (vid_dpd != NULL)
282 plist = isakmp_plist_append(plist, vid_dpd, ISAKMP_NPTYPE_VID);
283 }
284#endif
285
286 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
287
288#ifdef HAVE_PRINT_ISAKMP_C
289 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
290#endif
291
292 /* send the packet, add to the schedule to resend */
293 iph1->retry_counter = iph1->rmconf->retry_counter;
d1e348cf 294 if (isakmp_ph1resend(iph1) == -1) {
65c25746 295 plog(ASL_LEVEL_ERR,
d1e348cf 296 "failed to send packet");
52b7d2ce 297 goto end;
d1e348cf 298 }
52b7d2ce 299
65c25746 300 fsm_set_state(&iph1->status, IKEV1_STATE_AGG_I_MSG1SENT);
52b7d2ce
A
301
302 error = 0;
303
d1e348cf
A
304 IPSECSESSIONTRACEREVENT(iph1->parent_session,
305 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
306 CONSTSTR("Initiator, Aggressive-Mode message 1"),
307 CONSTSTR(NULL));
308
52b7d2ce 309end:
d1e348cf
A
310 if (error) {
311 IPSECSESSIONTRACEREVENT(iph1->parent_session,
312 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
313 CONSTSTR("Initiator, Aggressive-Mode Message 1"),
314 CONSTSTR("Failed to transmit Aggressive-Mode Message 1"));
315 }
52b7d2ce
A
316 if (cr)
317 vfree(cr);
52b7d2ce
A
318#ifdef ENABLE_FRAG
319 if (vid_frag)
320 vfree(vid_frag);
321#endif
322#ifdef ENABLE_NATT
323 for (i = 0; i < MAX_NATT_VID_COUNT && vid_natt[i] != NULL; i++)
324 vfree(vid_natt[i]);
325#endif
52b7d2ce
A
326#ifdef ENABLE_HYBRID
327 if (vid_xauth != NULL)
328 vfree(vid_xauth);
329 if (vid_unity != NULL)
330 vfree(vid_unity);
331#endif
d1e348cf
A
332#ifdef ENABLE_DPD
333 if (vid_dpd != NULL)
334 vfree(vid_dpd);
335#endif
52b7d2ce
A
336
337 return error;
338}
339
340/*
341 * receive from responder
342 * psk: HDR, SA, KE, Nr, IDr1, HASH_R
343 * sig: HDR, SA, KE, Nr, IDr1, [ CR, ] [ CERT, ] SIG_R
344 * gssapi: HDR, SA, KE, Nr, IDr1, GSSr, HASH_R
345 * rsa: HDR, SA, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i, HASH_R
346 * rev: HDR, SA, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDir_b>Ke_r, HASH_R
347 */
348int
349agg_i2recv(iph1, msg)
65c25746 350 phase1_handle_t *iph1;
52b7d2ce
A
351 vchar_t *msg;
352{
353 vchar_t *pbuf = NULL;
354 struct isakmp_parse_t *pa;
355 vchar_t *satmp = NULL;
356 int error = -1;
357 int vid_numeric;
358 int ptype;
e8d9021d 359 int received_cert = 0;
52b7d2ce
A
360
361#ifdef ENABLE_NATT
362 int natd_seq = 0;
363 struct natd_payload {
364 int seq;
365 vchar_t *payload;
366 TAILQ_ENTRY(natd_payload) chain;
367 };
368 TAILQ_HEAD(_natd_payload, natd_payload) natd_tree;
369 TAILQ_INIT(&natd_tree);
370#endif
371
65c25746
A
372 /* validity check */
373 if (iph1->status != IKEV1_STATE_AGG_I_MSG1SENT) {
374 plog(ASL_LEVEL_ERR,
375 "status mismatched %d.\n", iph1->status);
52b7d2ce
A
376 goto end;
377 }
378
379 /* validate the type of next payload */
380 pbuf = isakmp_parse(msg);
d1e348cf 381 if (pbuf == NULL) {
65c25746 382 plog(ASL_LEVEL_ERR,
d1e348cf 383 "failed to parse msg");
52b7d2ce 384 goto end;
d1e348cf 385 }
85f41bec 386 pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
52b7d2ce
A
387
388 iph1->pl_hash = NULL;
389
390 /* SA payload is fixed postion */
391 if (pa->type != ISAKMP_NPTYPE_SA) {
65c25746 392 plog(ASL_LEVEL_ERR,
52b7d2ce
A
393 "received invalid next payload type %d, "
394 "expecting %d.\n",
395 pa->type, ISAKMP_NPTYPE_SA);
396 goto end;
397 }
398
d1e348cf 399 if (isakmp_p2ph(&satmp, pa->ptr) < 0) {
65c25746 400 plog(ASL_LEVEL_ERR,
d1e348cf 401 "failed to process SA payload");
52b7d2ce 402 goto end;
d1e348cf 403 }
52b7d2ce
A
404 pa++;
405
406 for (/*nothing*/;
407 pa->type != ISAKMP_NPTYPE_NONE;
408 pa++) {
409
410 switch (pa->type) {
411 case ISAKMP_NPTYPE_KE:
d1e348cf 412 if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) {
65c25746 413 plog(ASL_LEVEL_ERR,
d1e348cf 414 "failed to process KE payload");
52b7d2ce 415 goto end;
d1e348cf 416 }
52b7d2ce
A
417 break;
418 case ISAKMP_NPTYPE_NONCE:
d1e348cf 419 if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) {
65c25746 420 plog(ASL_LEVEL_ERR,
d1e348cf 421 "failed to process NONCE payload");
52b7d2ce 422 goto end;
d1e348cf 423 }
52b7d2ce
A
424 break;
425 case ISAKMP_NPTYPE_ID:
d1e348cf 426 if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) {
65c25746 427 plog(ASL_LEVEL_ERR,
d1e348cf 428 "failed to process ID payload");
52b7d2ce 429 goto end;
d1e348cf 430 }
52b7d2ce
A
431 break;
432 case ISAKMP_NPTYPE_HASH:
433 iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr;
434 break;
435 case ISAKMP_NPTYPE_CR:
d1e348cf 436 if (oakley_savecr(iph1, pa->ptr) < 0) {
65c25746 437 plog(ASL_LEVEL_ERR,
d1e348cf 438 "failed to process CR payload");
52b7d2ce 439 goto end;
d1e348cf 440 }
52b7d2ce
A
441 break;
442 case ISAKMP_NPTYPE_CERT:
d1e348cf 443 if (oakley_savecert(iph1, pa->ptr) < 0) {
65c25746 444 plog(ASL_LEVEL_ERR,
d1e348cf 445 "failed to process CERT payload");
52b7d2ce 446 goto end;
d1e348cf 447 }
e8d9021d 448 received_cert = 1;
52b7d2ce
A
449 break;
450 case ISAKMP_NPTYPE_SIG:
d1e348cf 451 if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) {
65c25746 452 plog(ASL_LEVEL_ERR,
d1e348cf 453 "failed to process SIG payload");
52b7d2ce 454 goto end;
d1e348cf 455 }
52b7d2ce
A
456 break;
457 case ISAKMP_NPTYPE_VID:
458 vid_numeric = check_vendorid(pa->ptr);
459#ifdef ENABLE_NATT
460 if (iph1->rmconf->nat_traversal &&
461 natt_vendorid(vid_numeric))
462 natt_handle_vendorid(iph1, vid_numeric);
463#endif
464#ifdef ENABLE_HYBRID
465 switch (vid_numeric) {
466 case VENDORID_XAUTH:
467 iph1->mode_cfg->flags |=
468 ISAKMP_CFG_VENDORID_XAUTH;
469 break;
470
471 case VENDORID_UNITY:
472 iph1->mode_cfg->flags |=
473 ISAKMP_CFG_VENDORID_UNITY;
474 break;
475 default:
476 break;
477 }
478#endif
479#ifdef ENABLE_DPD
480 if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd) {
481 iph1->dpd_support=1;
65c25746 482 plog(ASL_LEVEL_DEBUG,
52b7d2ce
A
483 "remote supports DPD\n");
484 }
e8d9021d
A
485#endif
486#ifdef ENABLE_FRAG
487 if ((vid_numeric == VENDORID_FRAG) &&
488 (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_AGG)) {
65c25746 489 plog(ASL_LEVEL_DEBUG,
e8d9021d
A
490 "remote supports FRAGMENTATION\n");
491 iph1->frag = 1;
492 }
52b7d2ce
A
493#endif
494 break;
495 case ISAKMP_NPTYPE_N:
496 isakmp_check_notify(pa->ptr, iph1);
497 break;
52b7d2ce
A
498
499#ifdef ENABLE_NATT
500 case ISAKMP_NPTYPE_NATD_DRAFT:
501 case ISAKMP_NPTYPE_NATD_RFC:
52b7d2ce 502 case ISAKMP_NPTYPE_NATD_BADDRAFT:
52b7d2ce
A
503 if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL &&
504 pa->type == iph1->natt_options->payload_nat_d) {
505 struct natd_payload *natd;
506 natd = (struct natd_payload *)racoon_malloc(sizeof(*natd));
d1e348cf 507 if (!natd) {
65c25746 508 plog(ASL_LEVEL_ERR,
d1e348cf 509 "failed to pre-process NATD payload");
52b7d2ce 510 goto end;
d1e348cf 511 }
52b7d2ce
A
512
513 natd->payload = NULL;
514
d1e348cf 515 if (isakmp_p2ph (&natd->payload, pa->ptr) < 0) {
65c25746 516 plog(ASL_LEVEL_ERR,
d1e348cf 517 "failed to process NATD payload");
7ebaebe2 518 racoon_free(natd);
52b7d2ce 519 goto end;
d1e348cf 520 }
52b7d2ce
A
521
522 natd->seq = natd_seq++;
523
524 TAILQ_INSERT_TAIL(&natd_tree, natd, chain);
525 break;
526 }
527 /* %%% Be lenient here - some servers send natd payloads */
528 /* when nat not detected */
529 break;
530#endif
531
532 default:
533 /* don't send information, see isakmp_ident_r1() */
65c25746 534 plog(ASL_LEVEL_ERR,
52b7d2ce
A
535 "ignore the packet, "
536 "received unexpecting payload type %d.\n",
537 pa->type);
538 goto end;
539 }
540 }
541
e8d9021d
A
542 if (received_cert) {
543 oakley_verify_certid(iph1);
544 }
545
52b7d2ce
A
546 /* payload existency check */
547 if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) {
65c25746 548 plog(ASL_LEVEL_ERR,
52b7d2ce
A
549 "few isakmp message received.\n");
550 goto end;
551 }
552
553 /* verify identifier */
554 if (ipsecdoi_checkid1(iph1) != 0) {
65c25746 555 plog(ASL_LEVEL_ERR,
52b7d2ce
A
556 "invalid ID payload.\n");
557 goto end;
558 }
559
560 /* check SA payload and set approval SA for use */
561 if (ipsecdoi_checkph1proposal(satmp, iph1) < 0) {
65c25746 562 plog(ASL_LEVEL_ERR,
52b7d2ce
A
563 "failed to get valid proposal.\n");
564 /* XXX send information */
565 goto end;
566 }
567 VPTRINIT(iph1->sa_ret);
568
569 /* fix isakmp index */
570 memcpy(&iph1->index.r_ck, &((struct isakmp *)msg->v)->r_ck,
571 sizeof(cookie_t));
572
573#ifdef ENABLE_NATT
574 if (NATT_AVAILABLE(iph1)) {
575 struct natd_payload *natd = NULL;
576 int natd_verified;
577
7ebaebe2 578 plog(ASL_LEVEL_NOTICE,
52b7d2ce
A
579 "Selected NAT-T version: %s\n",
580 vid_string_by_id(iph1->natt_options->version));
581
582 /* set both bits first so that we can clear them
583 upon verifying hashes */
584 iph1->natt_flags |= NAT_DETECTED;
585
586 while ((natd = TAILQ_FIRST(&natd_tree)) != NULL) {
587 /* this function will clear appropriate bits bits
588 from iph1->natt_flags */
589 natd_verified = natt_compare_addr_hash (iph1,
590 natd->payload, natd->seq);
591
7ebaebe2 592 plog (ASL_LEVEL_NOTICE, "NAT-D payload #%d %s\n",
52b7d2ce
A
593 natd->seq - 1,
594 natd_verified ? "verified" : "doesn't match");
595
596 vfree (natd->payload);
597
598 TAILQ_REMOVE(&natd_tree, natd, chain);
599 racoon_free (natd);
600 }
601
7ebaebe2 602 plog (ASL_LEVEL_NOTICE, "NAT %s %s%s\n",
52b7d2ce
A
603 iph1->natt_flags & NAT_DETECTED ?
604 "detected:" : "not detected",
605 iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "",
606 iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : "");
607
608 if (iph1->natt_flags & NAT_DETECTED)
609 natt_float_ports (iph1);
80318cb7 610 ike_session_update_natt_version(iph1);
52b7d2ce
A
611 }
612#endif
613
614 /* compute sharing secret of DH */
e8d9021d 615#ifdef HAVE_OPENSSL
52b7d2ce 616 if (oakley_dh_compute(iph1->rmconf->dhgrp, iph1->dhpub,
d1e348cf 617 iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) {
e8d9021d 618#else
65c25746 619 if (oakley_dh_compute(iph1->rmconf->dhgrp, iph1->dhpub_p, iph1->publicKeySize, &iph1->dhgxy, &iph1->dhC) < 0) {
e8d9021d 620#endif
65c25746 621 plog(ASL_LEVEL_ERR,
d1e348cf 622 "failed to compute DH");
52b7d2ce 623 goto end;
d1e348cf 624 }
52b7d2ce
A
625
626 /* generate SKEYIDs & IV & final cipher key */
d1e348cf 627 if (oakley_skeyid(iph1) < 0) {
65c25746 628 plog(ASL_LEVEL_ERR,
d1e348cf 629 "failed to generate SKEYID");
52b7d2ce 630 goto end;
d1e348cf
A
631 }
632 if (oakley_skeyid_dae(iph1) < 0) {
65c25746 633 plog(ASL_LEVEL_ERR,
d1e348cf 634 "failed to generate SKEYID-DAE");
52b7d2ce 635 goto end;
d1e348cf
A
636 }
637 if (oakley_compute_enckey(iph1) < 0) {
65c25746 638 plog(ASL_LEVEL_ERR,
d1e348cf 639 "failed to generate ENCKEY");
52b7d2ce 640 goto end;
d1e348cf
A
641 }
642 if (oakley_newiv(iph1) < 0) {
65c25746 643 plog(ASL_LEVEL_ERR,
d1e348cf 644 "failed to generate IV");
52b7d2ce 645 goto end;
d1e348cf 646 }
52b7d2ce
A
647
648 /* validate authentication value */
649 ptype = oakley_validate_auth(iph1);
650 if (ptype != 0) {
d1e348cf
A
651 IPSECSESSIONTRACEREVENT(iph1->parent_session,
652 IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_FAIL,
653 CONSTSTR("Initiator, Aggressive-Mode Message 2"),
654 CONSTSTR("Failed to authenticate, Aggressive-Mode Message 2"));
52b7d2ce
A
655 if (ptype == -1) {
656 /* message printed inner oakley_validate_auth() */
657 goto end;
658 }
52b7d2ce
A
659 isakmp_info_send_n1(iph1, ptype, NULL);
660 goto end;
661 }
d1e348cf
A
662 IPSECSESSIONTRACEREVENT(iph1->parent_session,
663 IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_SUCC,
664 CONSTSTR("Initiator, Aggressive-Mode Message 2"),
665 CONSTSTR(NULL));
666
52b7d2ce
A
667 if (oakley_checkcr(iph1) < 0) {
668 /* Ignore this error in order to be interoperability. */
669 ;
670 }
671
672 /* change status of isakmp status entry */
65c25746 673 fsm_set_state(&iph1->status, IKEV1_STATE_AGG_I_MSG2RCVD);
52b7d2ce
A
674
675#ifdef ENABLE_VPNCONTROL_PORT
676 vpncontrol_notify_phase_change(1, FROM_REMOTE, iph1, NULL);
677#endif
678
679 error = 0;
680
d1e348cf
A
681 IPSECSESSIONTRACEREVENT(iph1->parent_session,
682 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
683 CONSTSTR("Initiator, Aggressive-Mode message 2"),
684 CONSTSTR(NULL));
685
52b7d2ce 686end:
d1e348cf
A
687 if (error) {
688 IPSECSESSIONTRACEREVENT(iph1->parent_session,
689 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
690 CONSTSTR("Initiator, Aggressive-Mode Message 2"),
691 CONSTSTR("Failure processing Aggressive-Mode Message 2"));
692 }
65c25746 693
52b7d2ce
A
694 if (pbuf)
695 vfree(pbuf);
696 if (satmp)
697 vfree(satmp);
698 if (error) {
699 VPTRINIT(iph1->dhpub_p);
700 VPTRINIT(iph1->nonce_p);
701 VPTRINIT(iph1->id_p);
702 oakley_delcert(iph1->cert_p);
703 iph1->cert_p = NULL;
704 oakley_delcert(iph1->crl_p);
705 iph1->crl_p = NULL;
706 VPTRINIT(iph1->sig_p);
707 oakley_delcert(iph1->cr_p);
708 iph1->cr_p = NULL;
709 }
710
711 return error;
712}
713
714/*
715 * send to responder
716 * psk: HDR, HASH_I
717 * gssapi: HDR, HASH_I
718 * sig: HDR, [ CERT, ] SIG_I
719 * rsa: HDR, HASH_I
720 * rev: HDR, HASH_I
721 */
722int
65c25746
A
723agg_i3send(iph1, msg)
724 phase1_handle_t *iph1;
52b7d2ce
A
725 vchar_t *msg;
726{
727 struct payload_list *plist = NULL;
728 int need_cert = 0;
729 int error = -1;
730 vchar_t *gsshash = NULL;
d1e348cf
A
731#ifdef ENABLE_NATT
732 vchar_t *natd[2] = { NULL, NULL };
733#endif
734 vchar_t *notp_unity = NULL;
735 vchar_t *notp_ini = NULL;
52b7d2ce 736
65c25746
A
737 /* validity check */
738 if (iph1->status != IKEV1_STATE_AGG_I_MSG2RCVD) {
739 plog(ASL_LEVEL_ERR,
740 "status mismatched %d.\n", iph1->status);
52b7d2ce
A
741 goto end;
742 }
743
744 /* generate HASH to send */
65c25746 745 plog(ASL_LEVEL_DEBUG, "generate HASH_I\n");
52b7d2ce
A
746 iph1->hash = oakley_ph1hash_common(iph1, GENERATE);
747 if (iph1->hash == NULL) {
65c25746 748 plog(ASL_LEVEL_ERR,
d1e348cf 749 "failed to generate HASH");
52b7d2ce
A
750 goto end;
751 }
752
d1e348cf 753 switch (AUTHMETHOD(iph1)) {
52b7d2ce
A
754 case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
755#ifdef ENABLE_HYBRID
d1e348cf
A
756 case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
757 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
52b7d2ce
A
758#endif
759 /* set HASH payload */
d1e348cf
A
760 plist = isakmp_plist_append(plist,
761 iph1->hash, ISAKMP_NPTYPE_HASH);
52b7d2ce 762 break;
d1e348cf 763
52b7d2ce
A
764 case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
765#ifdef ENABLE_HYBRID
d1e348cf 766 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
d1e348cf 767#endif
52b7d2ce
A
768 /* XXX if there is CR or not ? */
769
d1e348cf 770 if (oakley_getmycert(iph1) < 0) {
65c25746 771 plog(ASL_LEVEL_ERR,
d1e348cf 772 "failed to get mycert");
52b7d2ce 773 goto end;
d1e348cf 774 }
52b7d2ce 775
d1e348cf 776 if (oakley_getsign(iph1) < 0) {
65c25746 777 plog(ASL_LEVEL_ERR,
d1e348cf 778 "failed to get sign");
52b7d2ce 779 goto end;
d1e348cf 780 }
52b7d2ce
A
781
782 if (iph1->cert != NULL && iph1->rmconf->send_cert)
783 need_cert = 1;
784
785 /* add CERT payload if there */
e8d9021d 786 // we don't support sending of certchains
52b7d2ce
A
787 if (need_cert)
788 plist = isakmp_plist_append(plist, iph1->cert->pl, ISAKMP_NPTYPE_CERT);
789
790 /* add SIG payload */
791 plist = isakmp_plist_append(plist, iph1->sig, ISAKMP_NPTYPE_SIG);
792 break;
793
794 case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
795 case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
d1e348cf
A
796#ifdef ENABLE_HYBRID
797 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
798 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
799#endif
52b7d2ce 800 break;
52b7d2ce
A
801 }
802
803#ifdef ENABLE_NATT
804 /* generate NAT-D payloads */
d1e348cf 805 if (NATT_AVAILABLE(iph1)) {
7ebaebe2 806 plog (ASL_LEVEL_NOTICE, "Adding remote and local NAT-D payloads.\n");
52b7d2ce 807 if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) {
65c25746 808 plog(ASL_LEVEL_ERR,
85f41bec 809 "NAT-D hashing failed for %s\n", saddr2str((struct sockaddr *)iph1->remote));
52b7d2ce
A
810 goto end;
811 }
812
813 if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) {
65c25746 814 plog(ASL_LEVEL_ERR,
85f41bec 815 "NAT-D hashing failed for %s\n", saddr2str((struct sockaddr *)iph1->local));
52b7d2ce
A
816 goto end;
817 }
52b7d2ce
A
818 /* old Apple version sends natd payloads in the wrong order */
819 if (iph1->natt_options->version == VENDORID_NATT_APPLE) {
820 plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
821 plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
822 } else
52b7d2ce
A
823 {
824 plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
825 plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
826 }
827 }
828#endif
829
52b7d2ce 830
d1e348cf
A
831 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
832
52b7d2ce
A
833#ifdef HAVE_PRINT_ISAKMP_C
834 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
835#endif
836
d1e348cf 837
52b7d2ce 838 /* send to responder */
d1e348cf 839 if (isakmp_send(iph1, iph1->sendbuf) < 0) {
65c25746 840 plog(ASL_LEVEL_ERR,
d1e348cf 841 "failed to send packet");
52b7d2ce 842 goto end;
d1e348cf 843 }
52b7d2ce
A
844
845 /* the sending message is added to the received-list. */
65c25746
A
846 if (ike_session_add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
847 PH1_NON_ESP_EXTRA_LEN(iph1, iph1->sendbuf), PH1_FRAG_FLAGS(iph1)) == -1) {
848 plog(ASL_LEVEL_ERR ,
52b7d2ce
A
849 "failed to add a response packet to the tree.\n");
850 goto end;
851 }
852
853 /* set encryption flag */
854 iph1->flags |= ISAKMP_FLAG_E;
855
65c25746 856 fsm_set_state(&iph1->status, IKEV1_STATE_PHASE1_ESTABLISHED);
52b7d2ce 857
d1e348cf
A
858 IPSECSESSIONTRACEREVENT(iph1->parent_session,
859 IPSECSESSIONEVENTCODE_IKEV1_PH1_INIT_SUCC,
860 CONSTSTR("Initiator, Aggressive-Mode"),
861 CONSTSTR(NULL));
862
52b7d2ce
A
863 error = 0;
864
d1e348cf
A
865 IPSECSESSIONTRACEREVENT(iph1->parent_session,
866 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
867 CONSTSTR("Initiator, Aggressive-Mode message 3"),
868 CONSTSTR(NULL));
869
52b7d2ce 870end:
d1e348cf
A
871 if (error) {
872 IPSECSESSIONTRACEREVENT(iph1->parent_session,
873 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
874 CONSTSTR("Initiator, Aggressive-Mode Message 3"),
875 CONSTSTR("Failed to transmit Aggressive-Mode Message 3"));
876 }
877#ifdef ENABLE_NATT
878 if (natd[0])
879 vfree(natd[0]);
880 if (natd[1])
881 vfree(natd[1]);
882#endif
883 if (notp_unity)
884 vfree(notp_unity);
885 if (notp_ini)
886 vfree(notp_ini);
52b7d2ce
A
887 if (gsshash)
888 vfree(gsshash);
889 return error;
890}
891
892/*
893 * receive from initiator
894 * psk: HDR, SA, KE, Ni, IDi1
895 * sig: HDR, SA, KE, Ni, IDi1 [, CR ]
896 * gssapi: HDR, SA, KE, Ni, IDi1 , GSSi
897 * rsa: HDR, SA, [ HASH(1),] KE, <IDi1_b>Pubkey_r, <Ni_b>Pubkey_r
898 * rev: HDR, SA, [ HASH(1),] <Ni_b>Pubkey_r, <KE_b>Ke_i,
899 * <IDii_b>Ke_i [, <Cert-I_b>Ke_i ]
900 */
901int
902agg_r1recv(iph1, msg)
65c25746 903 phase1_handle_t *iph1;
52b7d2ce
A
904 vchar_t *msg;
905{
906 int error = -1;
907 vchar_t *pbuf = NULL;
908 struct isakmp_parse_t *pa;
909 int vid_numeric;
52b7d2ce 910
65c25746
A
911 /* validity check */
912 if (iph1->status != IKEV1_STATE_AGG_R_START) {
913 plog(ASL_LEVEL_ERR,
914 "status mismatched %d.\n", iph1->status);
52b7d2ce
A
915 goto end;
916 }
917
918 /* validate the type of next payload */
919 pbuf = isakmp_parse(msg);
d1e348cf 920 if (pbuf == NULL) {
65c25746 921 plog(ASL_LEVEL_ERR,
d1e348cf 922 "failed to parse msg");
52b7d2ce 923 goto end;
d1e348cf 924 }
85f41bec 925 pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
52b7d2ce
A
926
927 /* SA payload is fixed postion */
928 if (pa->type != ISAKMP_NPTYPE_SA) {
65c25746 929 plog(ASL_LEVEL_ERR,
52b7d2ce
A
930 "received invalid next payload type %d, "
931 "expecting %d.\n",
932 pa->type, ISAKMP_NPTYPE_SA);
933 goto end;
934 }
d1e348cf 935 if (isakmp_p2ph(&iph1->sa, pa->ptr) < 0) {
65c25746 936 plog(ASL_LEVEL_ERR,
d1e348cf 937 "failed to process SA payload");
52b7d2ce 938 goto end;
d1e348cf 939 }
52b7d2ce
A
940 pa++;
941
942 for (/*nothing*/;
943 pa->type != ISAKMP_NPTYPE_NONE;
944 pa++) {
945
65c25746 946 plog(ASL_LEVEL_DEBUG,
52b7d2ce
A
947 "received payload of type %s\n",
948 s_isakmp_nptype(pa->type));
949
950 switch (pa->type) {
951 case ISAKMP_NPTYPE_KE:
d1e348cf 952 if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) {
65c25746 953 plog(ASL_LEVEL_ERR,
d1e348cf 954 "failed to process KE payload");
52b7d2ce 955 goto end;
d1e348cf 956 }
52b7d2ce
A
957 break;
958 case ISAKMP_NPTYPE_NONCE:
d1e348cf 959 if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) {
65c25746 960 plog(ASL_LEVEL_ERR,
d1e348cf 961 "failed to process NONCE payload");
52b7d2ce 962 goto end;
d1e348cf 963 }
52b7d2ce
A
964 break;
965 case ISAKMP_NPTYPE_ID:
d1e348cf 966 if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) {
65c25746 967 plog(ASL_LEVEL_ERR,
d1e348cf 968 "failed to process ID payload");
52b7d2ce 969 goto end;
d1e348cf 970 }
52b7d2ce
A
971 break;
972 case ISAKMP_NPTYPE_VID:
973 vid_numeric = check_vendorid(pa->ptr);
974
975#ifdef ENABLE_NATT
976 if (iph1->rmconf->nat_traversal &&
977 natt_vendorid(vid_numeric)) {
978 natt_handle_vendorid(iph1, vid_numeric);
979 break;
980 }
981#endif
982#ifdef ENABLE_HYBRID
983 switch (vid_numeric) {
984 case VENDORID_XAUTH:
985 iph1->mode_cfg->flags |=
986 ISAKMP_CFG_VENDORID_XAUTH;
987 break;
988
989 case VENDORID_UNITY:
990 iph1->mode_cfg->flags |=
991 ISAKMP_CFG_VENDORID_UNITY;
992 break;
993 default:
994 break;
995 }
996#endif
997#ifdef ENABLE_DPD
998 if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd) {
999 iph1->dpd_support=1;
65c25746 1000 plog(ASL_LEVEL_DEBUG,
52b7d2ce
A
1001 "remote supports DPD\n");
1002 }
1003#endif
1004#ifdef ENABLE_FRAG
1005 if ((vid_numeric == VENDORID_FRAG) &&
e8d9021d 1006 (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_AGG)) {
65c25746 1007 plog(ASL_LEVEL_DEBUG,
e8d9021d 1008 "remote supports FRAGMENTATION\n");
52b7d2ce 1009 iph1->frag = 1;
e8d9021d 1010 }
52b7d2ce
A
1011#endif
1012 break;
1013
1014 case ISAKMP_NPTYPE_CR:
d1e348cf 1015 if (oakley_savecr(iph1, pa->ptr) < 0) {
65c25746 1016 plog(ASL_LEVEL_ERR,
d1e348cf 1017 "failed to process CR payload");
52b7d2ce 1018 goto end;
d1e348cf 1019 }
52b7d2ce
A
1020 break;
1021
52b7d2ce
A
1022 default:
1023 /* don't send information, see isakmp_ident_r1() */
65c25746 1024 plog(ASL_LEVEL_ERR,
52b7d2ce
A
1025 "ignore the packet, "
1026 "received unexpecting payload type %d.\n",
1027 pa->type);
1028 goto end;
1029 }
1030 }
1031
1032 /* payload existency check */
1033 if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) {
65c25746 1034 plog(ASL_LEVEL_ERR,
52b7d2ce
A
1035 "few isakmp message received.\n");
1036 goto end;
1037 }
1038
1039 /* verify identifier */
1040 if (ipsecdoi_checkid1(iph1) != 0) {
65c25746 1041 plog(ASL_LEVEL_ERR,
52b7d2ce
A
1042 "invalid ID payload.\n");
1043 goto end;
1044 }
1045
1046#ifdef ENABLE_NATT
80318cb7 1047 if (NATT_AVAILABLE(iph1)) {
7ebaebe2 1048 plog(ASL_LEVEL_NOTICE,
52b7d2ce
A
1049 "Selected NAT-T version: %s\n",
1050 vid_string_by_id(iph1->natt_options->version));
80318cb7
A
1051 ike_session_update_natt_version(iph1);
1052 }
52b7d2ce
A
1053#endif
1054
1055 /* check SA payload and set approval SA for use */
1056 if (ipsecdoi_checkph1proposal(iph1->sa, iph1) < 0) {
65c25746 1057 plog(ASL_LEVEL_ERR,
52b7d2ce
A
1058 "failed to get valid proposal.\n");
1059 /* XXX send information */
1060 goto end;
1061 }
1062
1063 if (oakley_checkcr(iph1) < 0) {
1064 /* Ignore this error in order to be interoperability. */
1065 ;
1066 }
1067
65c25746 1068 fsm_set_state(&iph1->status, IKEV1_STATE_AGG_R_MSG1RCVD);
52b7d2ce
A
1069
1070 error = 0;
1071
d1e348cf
A
1072 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1073 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
1074 CONSTSTR("Responder, Aggressive-Mode message 1"),
1075 CONSTSTR(NULL));
1076
52b7d2ce 1077end:
d1e348cf
A
1078 if (error) {
1079 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1080 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
1081 CONSTSTR("Responder, Aggressive-Mode Message 1"),
1082 CONSTSTR("Failed to process Aggressive-Mode Message 1"));
1083 }
65c25746 1084
52b7d2ce
A
1085 if (pbuf)
1086 vfree(pbuf);
1087 if (error) {
1088 VPTRINIT(iph1->sa);
1089 VPTRINIT(iph1->dhpub_p);
1090 VPTRINIT(iph1->nonce_p);
1091 VPTRINIT(iph1->id_p);
1092 oakley_delcert(iph1->cr_p);
1093 iph1->cr_p = NULL;
1094 }
1095
1096 return error;
1097}
1098
1099/*
1100 * send to initiator
1101 * psk: HDR, SA, KE, Nr, IDr1, HASH_R
1102 * sig: HDR, SA, KE, Nr, IDr1, [ CR, ] [ CERT, ] SIG_R
1103 * gssapi: HDR, SA, KE, Nr, IDr1, GSSr, HASH_R
1104 * rsa: HDR, SA, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i, HASH_R
1105 * rev: HDR, SA, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDir_b>Ke_r, HASH_R
1106 */
1107int
65c25746
A
1108agg_r2send(iph1, msg)
1109 phase1_handle_t *iph1;
52b7d2ce
A
1110 vchar_t *msg;
1111{
1112 struct payload_list *plist = NULL;
1113 int need_cr = 0;
1114 int need_cert = 0;
1115 vchar_t *cr = NULL;
52b7d2ce
A
1116 int error = -1;
1117#ifdef ENABLE_HYBRID
1118 vchar_t *xauth_vid = NULL;
1119 vchar_t *unity_vid = NULL;
1120#endif
1121#ifdef ENABLE_NATT
1122 vchar_t *vid_natt = NULL;
1123 vchar_t *natd[2] = { NULL, NULL };
1124#endif
1125#ifdef ENABLE_DPD
1126 vchar_t *vid_dpd = NULL;
1127#endif
d1e348cf
A
1128#ifdef ENABLE_FRAG
1129 vchar_t *vid_frag = NULL;
1130#endif
52b7d2ce 1131
65c25746
A
1132 /* validity check */
1133 if (iph1->status != IKEV1_STATE_AGG_R_MSG1RCVD) {
1134 plog(ASL_LEVEL_ERR,
1135 "status mismatched %d.\n", iph1->status);
52b7d2ce
A
1136 goto end;
1137 }
1138
1139 /* set responder's cookie */
1140 isakmp_newcookie((caddr_t)&iph1->index.r_ck, iph1->remote, iph1->local);
1141
1142 /* make ID payload into isakmp status */
d1e348cf 1143 if (ipsecdoi_setid1(iph1) < 0) {
65c25746 1144 plog(ASL_LEVEL_ERR,
d1e348cf 1145 "failed to set ID");
52b7d2ce 1146 goto end;
d1e348cf 1147 }
52b7d2ce
A
1148
1149 /* generate DH public value */
e8d9021d 1150#ifdef HAVE_OPENSSL
52b7d2ce 1151 if (oakley_dh_generate(iph1->rmconf->dhgrp,
e8d9021d
A
1152 &iph1->dhpub, &iph1->dhpriv) < 0) {
1153#else
1154 if (oakley_dh_generate(iph1->rmconf->dhgrp,
1155 &iph1->dhpub, &iph1->publicKeySize, &iph1->dhC) < 0) {
1156#endif
65c25746 1157 plog(ASL_LEVEL_ERR,
d1e348cf 1158 "failed to generate DH");
52b7d2ce 1159 goto end;
d1e348cf 1160 }
52b7d2ce
A
1161
1162 /* generate NONCE value */
1163 iph1->nonce = eay_set_random(iph1->rmconf->nonce_size);
d1e348cf 1164 if (iph1->nonce == NULL) {
65c25746 1165 plog(ASL_LEVEL_ERR,
d1e348cf 1166 "failed to generate NONCE");
52b7d2ce 1167 goto end;
d1e348cf 1168 }
52b7d2ce
A
1169
1170 /* compute sharing secret of DH */
e8d9021d
A
1171#ifdef HAVE_OPENSSL
1172 if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub,
1173 iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) {
1174#else
65c25746 1175 if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub_p, iph1->publicKeySize, &iph1->dhgxy, &iph1->dhC) < 0) {
e8d9021d 1176#endif
65c25746 1177 plog(ASL_LEVEL_ERR,
d1e348cf 1178 "failed to compute DH");
52b7d2ce 1179 goto end;
d1e348cf 1180 }
52b7d2ce
A
1181
1182 /* generate SKEYIDs & IV & final cipher key */
d1e348cf 1183 if (oakley_skeyid(iph1) < 0) {
65c25746 1184 plog(ASL_LEVEL_ERR,
d1e348cf 1185 "failed to generate SKEYID");
52b7d2ce 1186 goto end;
d1e348cf
A
1187 }
1188 if (oakley_skeyid_dae(iph1) < 0) {
65c25746 1189 plog(ASL_LEVEL_ERR,
d1e348cf 1190 "failed to generate SKEYID-DAE");
52b7d2ce 1191 goto end;
d1e348cf
A
1192 }
1193 if (oakley_compute_enckey(iph1) < 0) {
65c25746 1194 plog(ASL_LEVEL_ERR,
d1e348cf 1195 "failed to generate ENCKEY");
52b7d2ce 1196 goto end;
d1e348cf
A
1197 }
1198 if (oakley_newiv(iph1) < 0) {
65c25746 1199 plog(ASL_LEVEL_ERR,
d1e348cf 1200 "failed to generate IV");
52b7d2ce 1201 goto end;
d1e348cf 1202 }
52b7d2ce 1203
52b7d2ce 1204 /* generate HASH to send */
65c25746 1205 plog(ASL_LEVEL_DEBUG, "generate HASH_R\n");
52b7d2ce
A
1206 iph1->hash = oakley_ph1hash_common(iph1, GENERATE);
1207 if (iph1->hash == NULL) {
65c25746 1208 plog(ASL_LEVEL_ERR,
d1e348cf 1209 "failed to generate GSS HASH");
52b7d2ce
A
1210 goto end;
1211 }
1212
1213 /* create CR if need */
1214 if (iph1->rmconf->send_cr
65c25746 1215 && oakley_needcr(iph1->approval->authmethod)) {
52b7d2ce
A
1216 need_cr = 1;
1217 cr = oakley_getcr(iph1);
1218 if (cr == NULL) {
65c25746 1219 plog(ASL_LEVEL_ERR,
d1e348cf 1220 "failed to get CR.\n");
52b7d2ce
A
1221 goto end;
1222 }
1223 }
1224
1225#ifdef ENABLE_NATT
1226 /* Has the peer announced NAT-T? */
1227 if (NATT_AVAILABLE(iph1)) {
1228 /* set chosen VID */
1229 vid_natt = set_vendorid(iph1->natt_options->version);
1230
1231 /* generate NAT-D payloads */
7ebaebe2 1232 plog (ASL_LEVEL_NOTICE, "Adding remote and local NAT-D payloads.\n");
52b7d2ce 1233 if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) {
65c25746 1234 plog(ASL_LEVEL_ERR,
85f41bec 1235 "NAT-D hashing failed for %s\n", saddr2str((struct sockaddr *)iph1->remote));
52b7d2ce
A
1236 goto end;
1237 }
1238
1239 if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) {
65c25746 1240 plog(ASL_LEVEL_ERR,
85f41bec 1241 "NAT-D hashing failed for %s\n", saddr2str((struct sockaddr *)iph1->local));
52b7d2ce
A
1242 goto end;
1243 }
1244 }
1245#endif
1246#ifdef ENABLE_DPD
1247 /* Only send DPD support if remote announced DPD and if DPD support is active */
1248 if (iph1->dpd_support && iph1->rmconf->dpd)
1249 vid_dpd = set_vendorid(VENDORID_DPD);
1250#endif
d1e348cf
A
1251#ifdef ENABLE_FRAG
1252 if (iph1->frag) {
1253 vid_frag = set_vendorid(VENDORID_FRAG);
1254 if (vid_frag != NULL)
1255 vid_frag = isakmp_frag_addcap(vid_frag,
1256 VENDORID_FRAG_AGG);
1257 if (vid_frag == NULL)
65c25746 1258 plog(ASL_LEVEL_ERR,
d1e348cf
A
1259 "Frag vendorID construction failed\n");
1260 }
1261#endif
52b7d2ce 1262
d1e348cf 1263 switch (AUTHMETHOD(iph1)) {
52b7d2ce 1264 case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
d1e348cf
A
1265#ifdef ENABLE_HYBRID
1266 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
1267#endif
52b7d2ce
A
1268 /* set SA payload to reply */
1269 plist = isakmp_plist_append(plist, iph1->sa_ret, ISAKMP_NPTYPE_SA);
1270
1271 /* create isakmp KE payload */
1272 plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE);
1273
1274 /* create isakmp NONCE payload */
1275 plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE);
1276
1277 /* create isakmp ID payload */
1278 plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
1279
1280 /* create isakmp HASH payload */
d1e348cf
A
1281 plist = isakmp_plist_append(plist,
1282 iph1->hash, ISAKMP_NPTYPE_HASH);
52b7d2ce
A
1283
1284 /* create isakmp CR payload if needed */
1285 if (need_cr)
1286 plist = isakmp_plist_append(plist, cr, ISAKMP_NPTYPE_CR);
1287 break;
52b7d2ce
A
1288 case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
1289#ifdef ENABLE_HYBRID
d1e348cf 1290 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
d1e348cf 1291 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
52b7d2ce
A
1292#endif
1293 /* XXX if there is CR or not ? */
1294
d1e348cf 1295 if (oakley_getmycert(iph1) < 0) {
65c25746 1296 plog(ASL_LEVEL_ERR,
d1e348cf 1297 "failed to get mycert");
52b7d2ce 1298 goto end;
d1e348cf 1299 }
52b7d2ce 1300
d1e348cf 1301 if (oakley_getsign(iph1) < 0) {
65c25746 1302 plog(ASL_LEVEL_ERR,
d1e348cf 1303 "failed to get sign");
52b7d2ce 1304 goto end;
d1e348cf 1305 }
52b7d2ce
A
1306
1307 if (iph1->cert != NULL && iph1->rmconf->send_cert)
1308 need_cert = 1;
1309
1310 /* set SA payload to reply */
1311 plist = isakmp_plist_append(plist, iph1->sa_ret, ISAKMP_NPTYPE_SA);
1312
1313 /* create isakmp KE payload */
1314 plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE);
1315
1316 /* create isakmp NONCE payload */
1317 plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE);
1318
1319 /* add ID payload */
1320 plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
1321
1322 /* add CERT payload if there */
1323 if (need_cert)
1324 plist = isakmp_plist_append(plist, iph1->cert->pl, ISAKMP_NPTYPE_CERT);
1325
1326 /* add SIG payload */
1327 plist = isakmp_plist_append(plist, iph1->sig, ISAKMP_NPTYPE_SIG);
1328
d1e348cf
A
1329 /* create isakmp CR payload if needed */
1330 if (need_cr)
1331 plist = isakmp_plist_append(plist,
1332 cr, ISAKMP_NPTYPE_CR);
1333 break;
1334
1335 case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
1336 case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
1337#ifdef ENABLE_HYBRID
1338 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
1339 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
1340#endif
1341 break;
d1e348cf 1342 }
52b7d2ce
A
1343
1344#ifdef ENABLE_HYBRID
1345 if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) {
7ebaebe2 1346 plog (ASL_LEVEL_NOTICE, "Adding xauth VID payload.\n");
52b7d2ce 1347 if ((xauth_vid = set_vendorid(VENDORID_XAUTH)) == NULL) {
65c25746 1348 plog(ASL_LEVEL_ERR,
52b7d2ce
A
1349 "Cannot create Xauth vendor ID\n");
1350 goto end;
1351 }
1352 plist = isakmp_plist_append(plist,
1353 xauth_vid, ISAKMP_NPTYPE_VID);
1354 }
1355
1356 if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_UNITY) {
1357 if ((unity_vid = set_vendorid(VENDORID_UNITY)) == NULL) {
65c25746 1358 plog(ASL_LEVEL_ERR,
52b7d2ce
A
1359 "Cannot create Unity vendor ID\n");
1360 goto end;
1361 }
1362 plist = isakmp_plist_append(plist,
1363 unity_vid, ISAKMP_NPTYPE_VID);
1364 }
1365#endif
1366
52b7d2ce
A
1367#ifdef ENABLE_NATT
1368 /* append NAT-T payloads */
1369 if (vid_natt) {
1370 /* chosen VID */
1371 plist = isakmp_plist_append(plist, vid_natt, ISAKMP_NPTYPE_VID);
1372 /* NAT-D */
52b7d2ce
A
1373 /* old Apple version sends natd payloads in the wrong order */
1374 if (iph1->natt_options->version == VENDORID_NATT_APPLE) {
1375 plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
1376 plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
1377 } else
52b7d2ce
A
1378 {
1379 plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
1380 plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
1381 }
1382 }
1383#endif
d1e348cf
A
1384
1385#ifdef ENABLE_FRAG
1386 if (vid_frag)
1387 plist = isakmp_plist_append(plist, vid_frag, ISAKMP_NPTYPE_VID);
1388#endif
1389
52b7d2ce
A
1390#ifdef ENABLE_DPD
1391 if (vid_dpd)
1392 plist = isakmp_plist_append(plist, vid_dpd, ISAKMP_NPTYPE_VID);
1393#endif
1394
1395 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
1396
1397#ifdef HAVE_PRINT_ISAKMP_C
1398 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 1);
1399#endif
1400
1401 /* send the packet, add to the schedule to resend */
1402 iph1->retry_counter = iph1->rmconf->retry_counter;
d1e348cf 1403 if (isakmp_ph1resend(iph1) == -1) {
65c25746 1404 plog(ASL_LEVEL_ERR ,
d1e348cf 1405 "failed to send packet");
52b7d2ce 1406 goto end;
d1e348cf 1407 }
52b7d2ce
A
1408
1409 /* the sending message is added to the received-list. */
65c25746
A
1410 if (ike_session_add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
1411 PH1_NON_ESP_EXTRA_LEN(iph1, iph1->sendbuf), PH1_FRAG_FLAGS(iph1)) == -1) {
1412 plog(ASL_LEVEL_ERR ,
52b7d2ce
A
1413 "failed to add a response packet to the tree.\n");
1414 goto end;
1415 }
1416
65c25746 1417 fsm_set_state(&iph1->status, IKEV1_STATE_AGG_R_MSG2SENT);
52b7d2ce
A
1418
1419#ifdef ENABLE_VPNCONTROL_PORT
1420 vpncontrol_notify_phase_change(1, FROM_LOCAL, iph1, NULL);
1421#endif
1422
1423 error = 0;
1424
d1e348cf
A
1425 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1426 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
1427 CONSTSTR("Responder, Aggressive-Mode message 2"),
1428 CONSTSTR(NULL));
1429
52b7d2ce 1430end:
d1e348cf
A
1431 if (error) {
1432 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1433 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
1434 CONSTSTR("Responder, Aggressive-Mode Message 2"),
1435 CONSTSTR("Failed to process Aggressive-Mode Message 2"));
1436 }
52b7d2ce
A
1437 if (cr)
1438 vfree(cr);
52b7d2ce
A
1439#ifdef ENABLE_HYBRID
1440 if (xauth_vid)
1441 vfree(xauth_vid);
1442 if (unity_vid)
1443 vfree(unity_vid);
1444#endif
d1e348cf
A
1445#ifdef ENABLE_NATT
1446 if (vid_natt)
1447 vfree(vid_natt);
1448 if (natd[0])
1449 vfree(natd[0]);
1450 if (natd[1])
1451 vfree(natd[1]);
1452#endif
52b7d2ce
A
1453#ifdef ENABLE_DPD
1454 if (vid_dpd)
1455 vfree(vid_dpd);
1456#endif
d1e348cf
A
1457#ifdef ENABLE_FRAG
1458 if (vid_frag)
1459 vfree(vid_frag);
1460#endif
52b7d2ce
A
1461
1462 return error;
1463}
1464
1465/*
1466 * receive from initiator
1467 * psk: HDR, HASH_I
1468 * gssapi: HDR, HASH_I
1469 * sig: HDR, [ CERT, ] SIG_I
1470 * rsa: HDR, HASH_I
1471 * rev: HDR, HASH_I
1472 */
1473int
65c25746
A
1474agg_r3recv(iph1, msg0)
1475 phase1_handle_t *iph1;
52b7d2ce
A
1476 vchar_t *msg0;
1477{
1478 vchar_t *msg = NULL;
1479 vchar_t *pbuf = NULL;
1480 struct isakmp_parse_t *pa;
1481 int error = -1;
1482 int ptype;
1483
1484#ifdef ENABLE_NATT
1485 int natd_seq = 0;
1486#endif
e8d9021d 1487 int received_cert = 0;
52b7d2ce 1488
65c25746
A
1489 /* validity check */
1490 if (iph1->status != IKEV1_STATE_AGG_R_MSG2SENT) {
1491 plog(ASL_LEVEL_ERR,
1492 "status mismatched %d.\n", iph1->status);
52b7d2ce
A
1493 goto end;
1494 }
1495
1496 /* decrypting if need. */
1497 /* XXX configurable ? */
1498 if (ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
1499 msg = oakley_do_decrypt(iph1, msg0,
1500 iph1->ivm->iv, iph1->ivm->ive);
d1e348cf 1501 if (msg == NULL) {
65c25746 1502 plog(ASL_LEVEL_ERR,
d1e348cf 1503 "failed to decrypt msg");
52b7d2ce 1504 goto end;
d1e348cf 1505 }
52b7d2ce
A
1506 } else
1507 msg = vdup(msg0);
1508
1509 /* validate the type of next payload */
1510 pbuf = isakmp_parse(msg);
d1e348cf 1511 if (pbuf == NULL) {
65c25746 1512 plog(ASL_LEVEL_ERR,
d1e348cf 1513 "failed to parse msg");
52b7d2ce 1514 goto end;
d1e348cf 1515 }
52b7d2ce
A
1516
1517 iph1->pl_hash = NULL;
1518
85f41bec 1519 for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
52b7d2ce
A
1520 pa->type != ISAKMP_NPTYPE_NONE;
1521 pa++) {
1522
1523 switch (pa->type) {
1524 case ISAKMP_NPTYPE_HASH:
1525 iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr;
1526 break;
1527 case ISAKMP_NPTYPE_VID:
1528 (void)check_vendorid(pa->ptr);
1529 break;
1530 case ISAKMP_NPTYPE_CERT:
d1e348cf 1531 if (oakley_savecert(iph1, pa->ptr) < 0) {
65c25746 1532 plog(ASL_LEVEL_ERR,
d1e348cf 1533 "failed to process CERT payload");
52b7d2ce 1534 goto end;
d1e348cf 1535 }
e8d9021d 1536 received_cert = 1;
52b7d2ce
A
1537 break;
1538 case ISAKMP_NPTYPE_SIG:
d1e348cf 1539 if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) {
65c25746 1540 plog(ASL_LEVEL_ERR,
d1e348cf 1541 "failed to process SIG payload");
52b7d2ce 1542 goto end;
d1e348cf 1543 }
52b7d2ce
A
1544 break;
1545 case ISAKMP_NPTYPE_N:
1546 isakmp_check_notify(pa->ptr, iph1);
1547 break;
1548
1549#ifdef ENABLE_NATT
1550 case ISAKMP_NPTYPE_NATD_DRAFT:
1551 case ISAKMP_NPTYPE_NATD_RFC:
52b7d2ce
A
1552 if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL &&
1553 pa->type == iph1->natt_options->payload_nat_d)
1554 {
1555 vchar_t *natd_received = NULL;
1556 int natd_verified;
1557
d1e348cf 1558 if (isakmp_p2ph (&natd_received, pa->ptr) < 0) {
65c25746 1559 plog(ASL_LEVEL_ERR,
d1e348cf 1560 "failed to process NATD payload");
52b7d2ce 1561 goto end;
d1e348cf 1562 }
52b7d2ce
A
1563
1564 if (natd_seq == 0)
1565 iph1->natt_flags |= NAT_DETECTED;
1566
1567 natd_verified = natt_compare_addr_hash (iph1,
1568 natd_received, natd_seq++);
1569
7ebaebe2 1570 plog (ASL_LEVEL_NOTICE, "NAT-D payload #%d %s\n",
52b7d2ce
A
1571 natd_seq - 1,
1572 natd_verified ? "verified" : "doesn't match");
1573
1574 vfree (natd_received);
1575 break;
1576 }
1577 /* %%%% Be lenient here - some servers send natd payloads */
1578 /* when no nat is detected */
1579 break;
1580#endif
1581
1582 default:
1583 /* don't send information, see isakmp_ident_r1() */
65c25746 1584 plog(ASL_LEVEL_ERR,
52b7d2ce
A
1585 "ignore the packet, "
1586 "received unexpecting payload type %d.\n",
1587 pa->type);
1588 goto end;
1589 }
1590 }
1591
1592#ifdef ENABLE_NATT
1593 if (NATT_AVAILABLE(iph1))
7ebaebe2 1594 plog (ASL_LEVEL_NOTICE, "NAT %s %s%s\n",
52b7d2ce
A
1595 iph1->natt_flags & NAT_DETECTED ?
1596 "detected:" : "not detected",
1597 iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "",
1598 iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : "");
1599#endif
1600
e8d9021d
A
1601 if (received_cert) {
1602 oakley_verify_certid(iph1);
1603 }
1604
52b7d2ce
A
1605 /* validate authentication value */
1606 ptype = oakley_validate_auth(iph1);
1607 if (ptype != 0) {
d1e348cf
A
1608 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1609 IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_FAIL,
1610 CONSTSTR("Responder, Aggressive-Mode Message 3"),
1611 CONSTSTR("Failed to authenticate Aggressive-Mode Message 3"));
52b7d2ce
A
1612 if (ptype == -1) {
1613 /* message printed inner oakley_validate_auth() */
1614 goto end;
1615 }
52b7d2ce
A
1616 isakmp_info_send_n1(iph1, ptype, NULL);
1617 goto end;
1618 }
d1e348cf
A
1619 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1620 IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_SUCC,
1621 CONSTSTR("Responder, Aggressive-Mode Message 3"),
1622 CONSTSTR(NULL));
52b7d2ce 1623
65c25746 1624 fsm_set_state(&iph1->status, IKEV1_STATE_AGG_R_MSG3RCVD);
52b7d2ce
A
1625
1626 error = 0;
1627
d1e348cf
A
1628 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1629 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
1630 CONSTSTR("Responder, Aggressive-Mode message 3"),
1631 CONSTSTR(NULL));
1632
52b7d2ce 1633end:
d1e348cf
A
1634 if (error) {
1635 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1636 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
1637 CONSTSTR("Responder, Aggressive-Mode Message 3"),
1638 CONSTSTR("Failed to process Aggressive-Mode Message 3"));
1639 }
52b7d2ce
A
1640 if (pbuf)
1641 vfree(pbuf);
1642 if (msg)
1643 vfree(msg);
1644 if (error) {
1645 oakley_delcert(iph1->cert_p);
1646 iph1->cert_p = NULL;
1647 oakley_delcert(iph1->crl_p);
1648 iph1->crl_p = NULL;
1649 VPTRINIT(iph1->sig_p);
1650 }
1651
1652 return error;
1653}
1654
1655/*
1656 * status update and establish isakmp sa.
1657 */
1658int
65c25746
A
1659agg_rfinalize(iph1, msg)
1660 phase1_handle_t *iph1;
52b7d2ce
A
1661 vchar_t *msg;
1662{
1663 int error = -1;
1664
65c25746
A
1665 /* validity check */
1666 if (iph1->status != IKEV1_STATE_AGG_R_MSG3RCVD) {
1667 plog(ASL_LEVEL_ERR,
1668 "status mismatched %d.\n", iph1->status);
52b7d2ce
A
1669 goto end;
1670 }
1671
1672 /* IV synchronized when packet encrypted. */
1673 /* see handler.h about IV synchronization. */
1674 if (ISSET(((struct isakmp *)msg->v)->flags, ISAKMP_FLAG_E))
1675 memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->iv->l);
1676
1677 /* set encryption flag */
1678 iph1->flags |= ISAKMP_FLAG_E;
1679
65c25746 1680 fsm_set_state(&iph1->status, IKEV1_STATE_PHASE1_ESTABLISHED);
52b7d2ce 1681
d1e348cf
A
1682 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1683 IPSECSESSIONEVENTCODE_IKEV1_PH1_RESP_SUCC,
1684 CONSTSTR("Responder, Aggressive-Mode"),
1685 CONSTSTR(NULL));
1686
52b7d2ce
A
1687 error = 0;
1688
1689end:
1690 return error;
1691}