]> git.saurik.com Git - apple/ipsec.git/blame - ipsec-tools/racoon/isakmp_ident.c
projects / apple / ipsec.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
ipsec-317.220.1.tar.gz
[apple/ipsec.git] / ipsec-tools / racoon / isakmp_ident.c
CommitLineData
d1e348cf
A		 1/* $NetBSD: isakmp_ident.c,v 1.6 2006/10/02 21:41:59 manu Exp $ */
2
3/* Id: isakmp_ident.c,v 1.21 2006/04/06 16:46:08 manubsd Exp */
52b7d2ce
A		 4
5/*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34/* Identity Protecion Exchange (Main Mode) */
35
36#include "config.h"
37
38#include <sys/types.h>
39#include <sys/param.h>
40
41#include <stdlib.h>
42#include <stdio.h>
43#include <string.h>
44#include <errno.h>
45#if TIME_WITH_SYS_TIME
46# include <sys/time.h>
47# include <time.h>
48#else
49# if HAVE_SYS_TIME_H
50# include <sys/time.h>
51# else
52# include <time.h>
53# endif
54#endif
55
56#include "var.h"
57#include "misc.h"
58#include "vmbuf.h"
59#include "plog.h"
60#include "sockmisc.h"
61#include "schedule.h"
62#include "debug.h"
65c25746 63#include "fsm.h"
52b7d2ce
A		 64
65#include "localconf.h"
66#include "remoteconf.h"
67#include "isakmp_var.h"
68#include "isakmp.h"
52b7d2ce
A		 69#include "oakley.h"
70#include "handler.h"
71#include "ipsec_doi.h"
72#include "crypto_openssl.h"
73#include "pfkey.h"
74#include "isakmp_ident.h"
75#include "isakmp_inf.h"
76#include "vendorid.h"
77
78#ifdef ENABLE_NATT
79#include "nattraversal.h"
80#endif
d1e348cf 81#ifdef ENABLE_HYBRID
d1e348cf
A		 82#include "isakmp_xauth.h"
83#include "isakmp_cfg.h"
84#endif
85#ifdef ENABLE_FRAG
86#include "isakmp_frag.h"
87#endif
52b7d2ce
A		 88
89#include "vpn_control.h"
90#include "vpn_control_var.h"
d1e348cf
A		 91#include "ipsecSessionTracer.h"
92#include "ipsecMessageTracer.h"
e8d9021d
A		 93#ifndef HAVE_OPENSSL
94#include <Security/SecDH.h>
95#endif
52b7d2ce 96
65c25746
A		 97static vchar_t *ident_ir2mx (phase1_handle_t *);
98static vchar_t *ident_ir3mx (phase1_handle_t *);
52b7d2ce
A		 99
100/* %%%
101 * begin Identity Protection Mode as initiator.
102 */
103/*
104 * send to responder
105 * psk: HDR, SA
106 * sig: HDR, SA
107 * rsa: HDR, SA
108 * rev: HDR, SA
109 */
110int
111ident_i1send(iph1, msg)
65c25746 112 phase1_handle_t *iph1;
52b7d2ce
A		 113 vchar_t *msg; /* must be null */
114{
115 struct payload_list *plist = NULL;
116 int error = -1;
117#ifdef ENABLE_NATT
118 vchar_t *vid_natt[MAX_NATT_VID_COUNT] = { NULL };
119 int i;
120#endif
d1e348cf
A		 121#ifdef ENABLE_HYBRID
122 vchar_t *vid_xauth = NULL;
123 vchar_t *vid_unity = NULL;
124#endif
125#ifdef ENABLE_FRAG
126 vchar_t *vid_frag = NULL;
127#endif
52b7d2ce
A		 128#ifdef ENABLE_DPD
129 vchar_t *vid_dpd = NULL;
130#endif
65c25746
A		 131
132 /* validity check */
133 if (iph1->status != IKEV1_STATE_IDENT_I_START) {
134 plog(ASL_LEVEL_ERR,
135 "status mismatched %d.\n", iph1->status);
52b7d2ce
A		 136 goto end;
137 }
65c25746
A		 138
139 /* validity check */
140 if (msg != NULL) {
141 plog(ASL_LEVEL_ERR,
142 "msg has to be NULL in this function.\n");
52b7d2ce
A		 143 goto end;
144 }
145
146 /* create isakmp index */
147 memset(&iph1->index, 0, sizeof(iph1->index));
148 isakmp_newcookie((caddr_t)&iph1->index, iph1->remote, iph1->local);
149
150 /* create SA payload for my proposal */
65c25746 151 iph1->sa = ipsecdoi_setph1proposal(iph1);
d1e348cf 152 if (iph1->sa == NULL) {
65c25746 153 plog(ASL_LEVEL_ERR,
d1e348cf 154 "failed to set proposal");
52b7d2ce 155 goto end;
d1e348cf 156 }
52b7d2ce
A		 157
158 /* set SA payload to propose */
159 plist = isakmp_plist_append(plist, iph1->sa, ISAKMP_NPTYPE_SA);
160
161#ifdef ENABLE_NATT
162 /* set VID payload for NAT-T if NAT-T support allowed in the config file */
163 if (iph1->rmconf->nat_traversal)
164 plist = isakmp_plist_append_natt_vids(plist, vid_natt);
165#endif
d1e348cf
A		 166#ifdef ENABLE_HYBRID
167 /* Do we need Xauth VID? */
168 switch (RMAUTHMETHOD(iph1)) {
169 case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
170 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
d1e348cf 171 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
d1e348cf
A		 172 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
173 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
174 if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL)
65c25746 175 plog(ASL_LEVEL_ERR,
d1e348cf
A		 176 "Xauth vendor ID generation failed\n");
177 else
178 plist = isakmp_plist_append(plist,
179 vid_xauth, ISAKMP_NPTYPE_VID);
180
181 if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL)
65c25746 182 plog(ASL_LEVEL_ERR,
d1e348cf
A		 183 "Unity vendor ID generation failed\n");
184 else
185 plist = isakmp_plist_append(plist,
186 vid_unity, ISAKMP_NPTYPE_VID);
187 break;
188 default:
189 break;
190 }
191#endif
192#ifdef ENABLE_FRAG
193 if (iph1->rmconf->ike_frag) {
194 if ((vid_frag = set_vendorid(VENDORID_FRAG)) == NULL) {
65c25746 195 plog(ASL_LEVEL_ERR,
d1e348cf
A		 196 "Frag vendorID construction failed\n");
197 } else {
198 vid_frag = isakmp_frag_addcap(vid_frag,
199 VENDORID_FRAG_IDENT);
200 plist = isakmp_plist_append(plist,
201 vid_frag, ISAKMP_NPTYPE_VID);
202 }
203 }
204#endif
52b7d2ce
A		 205#ifdef ENABLE_DPD
206 if(iph1->rmconf->dpd){
207 vid_dpd = set_vendorid(VENDORID_DPD);
208 if (vid_dpd != NULL)
209 plist = isakmp_plist_append(plist, vid_dpd,
d1e348cf 210 ISAKMP_NPTYPE_VID);
52b7d2ce
A		 211 }
212#endif
213
214 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
215
216#ifdef HAVE_PRINT_ISAKMP_C
217 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
218#endif
219
220 /* send the packet, add to the schedule to resend */
221 iph1->retry_counter = iph1->rmconf->retry_counter;
d1e348cf 222 if (isakmp_ph1resend(iph1) == -1) {
65c25746 223 plog(ASL_LEVEL_ERR,
d1e348cf 224 "failed to send packet");
52b7d2ce 225 goto end;
d1e348cf 226 }
52b7d2ce 227
65c25746 228 fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_I_MSG1SENT);
52b7d2ce
A		 229
230 error = 0;
231
d1e348cf
A		 232 IPSECSESSIONTRACEREVENT(iph1->parent_session,
233 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
234 CONSTSTR("Initiator, Main-Mode message 1"),
235 CONSTSTR(NULL));
236
52b7d2ce 237end:
d1e348cf
A		 238 if (error) {
239 IPSECSESSIONTRACEREVENT(iph1->parent_session,
240 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
241 CONSTSTR("Initiator, Main-Mode Message 1"),
242 CONSTSTR("Failed to transmit Main-Mode Message 1"));
243 }
244#ifdef ENABLE_FRAG
245 if (vid_frag)
246 vfree(vid_frag);
247#endif
52b7d2ce
A		 248#ifdef ENABLE_NATT
249 for (i = 0; i < MAX_NATT_VID_COUNT && vid_natt[i] != NULL; i++)
250 vfree(vid_natt[i]);
251#endif
d1e348cf
A		 252#ifdef ENABLE_HYBRID
253 if (vid_xauth != NULL)
254 vfree(vid_xauth);
255 if (vid_unity != NULL)
256 vfree(vid_unity);
257#endif
52b7d2ce
A		 258#ifdef ENABLE_DPD
259 if (vid_dpd != NULL)
260 vfree(vid_dpd);
261#endif
262
263 return error;
264}
265
266/*
267 * receive from responder
268 * psk: HDR, SA
269 * sig: HDR, SA
270 * rsa: HDR, SA
271 * rev: HDR, SA
272 */
273int
274ident_i2recv(iph1, msg)
65c25746 275 phase1_handle_t *iph1;
52b7d2ce
A		 276 vchar_t *msg;
277{
278 vchar_t *pbuf = NULL;
279 struct isakmp_parse_t *pa;
280 vchar_t *satmp = NULL;
281 int error = -1;
282 int vid_numeric;
283
65c25746
A		 284 /* validity check */
285 if (iph1->status != IKEV1_STATE_IDENT_I_MSG1SENT) {
286 plog(ASL_LEVEL_ERR,
287 "status mismatched %d.\n", iph1->status);
52b7d2ce
A		 288 goto end;
289 }
290
291 /* validate the type of next payload */
292 /*
293 * NOTE: RedCreek(as responder) attaches N[responder-lifetime] here,
294 * if proposal-lifetime > lifetime-redcreek-wants.
295 * (see doi-08 4.5.4)
296 * => According to the seciton 4.6.3 in RFC 2407, This is illegal.
297 * NOTE: we do not really care about ordering of VID and N.
298 * does it matters?
299 * NOTE: even if there's multiple VID/N, we'll ignore them.
300 */
301 pbuf = isakmp_parse(msg);
d1e348cf 302 if (pbuf == NULL) {
65c25746 303 plog(ASL_LEVEL_ERR,
d1e348cf 304 "failed to parse msg");
52b7d2ce 305 goto end;
d1e348cf 306 }
85f41bec 307 pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
52b7d2ce
A		 308
309 /* SA payload is fixed postion */
310 if (pa->type != ISAKMP_NPTYPE_SA) {
65c25746 311 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 312 "received invalid next payload type %d, "
313 "expecting %d.\n",
314 pa->type, ISAKMP_NPTYPE_SA);
315 goto end;
316 }
d1e348cf 317 if (isakmp_p2ph(&satmp, pa->ptr) < 0) {
65c25746 318 plog(ASL_LEVEL_ERR,
d1e348cf 319 "failed to process SA payload");
52b7d2ce 320 goto end;
d1e348cf 321 }
52b7d2ce
A		 322 pa++;
323
324 for (/*nothing*/;
325 pa->type != ISAKMP_NPTYPE_NONE;
326 pa++) {
327
328 switch (pa->type) {
329 case ISAKMP_NPTYPE_VID:
330 vid_numeric = check_vendorid(pa->ptr);
331#ifdef ENABLE_NATT
332 if (iph1->rmconf->nat_traversal && natt_vendorid(vid_numeric))
333 natt_handle_vendorid(iph1, vid_numeric);
334#endif
d1e348cf
A		 335#ifdef ENABLE_HYBRID
336 switch (vid_numeric) {
337 case VENDORID_XAUTH:
338 iph1->mode_cfg->flags |=
339 ISAKMP_CFG_VENDORID_XAUTH;
340 break;
341
342 case VENDORID_UNITY:
343 iph1->mode_cfg->flags |=
344 ISAKMP_CFG_VENDORID_UNITY;
345 break;
346
347 default:
348 break;
349 }
350#endif
52b7d2ce
A		 351#ifdef ENABLE_DPD
352 if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd)
353 iph1->dpd_support=1;
e8d9021d
A		 354#endif
355#ifdef ENABLE_FRAG
356 if ((vid_numeric == VENDORID_FRAG) &&
357 (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_IDENT)) {
65c25746 358 plog(ASL_LEVEL_DEBUG,
e8d9021d
A		 359 "remote supports FRAGMENTATION\n");
360 iph1->frag = 1;
361 }
52b7d2ce
A		 362#endif
363 break;
364 default:
365 /* don't send information, see ident_r1recv() */
65c25746 366 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 367 "ignore the packet, "
368 "received unexpecting payload type %d.\n",
369 pa->type);
370 goto end;
371 }
372 }
373
374#ifdef ENABLE_NATT
80318cb7 375 if (NATT_AVAILABLE(iph1)) {
7ebaebe2 376 plog(ASL_LEVEL_NOTICE,
52b7d2ce
A		 377 "Selected NAT-T version: %s\n",
378 vid_string_by_id(iph1->natt_options->version));
80318cb7
A		 379 ike_session_update_natt_version(iph1);
380 }
52b7d2ce
A		 381#endif
382
383 /* check SA payload and set approval SA for use */
384 if (ipsecdoi_checkph1proposal(satmp, iph1) < 0) {
65c25746 385 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 386 "failed to get valid proposal.\n");
387 /* XXX send information */
388 goto end;
389 }
390 VPTRINIT(iph1->sa_ret);
391
65c25746 392 fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_I_MSG2RCVD);
52b7d2ce
A		 393
394#ifdef ENABLE_VPNCONTROL_PORT
395 vpncontrol_notify_phase_change(1, FROM_REMOTE, iph1, NULL);
396#endif
397
398 error = 0;
399
d1e348cf
A		 400 IPSECSESSIONTRACEREVENT(iph1->parent_session,
401 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
402 CONSTSTR("Initiator, Main-Mode message 2"),
403 CONSTSTR(NULL));
404
52b7d2ce 405end:
d1e348cf
A		 406 if (error) {
407 IPSECSESSIONTRACEREVENT(iph1->parent_session,
408 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
409 CONSTSTR("Initiator, Main-Mode Message 2"),
410 CONSTSTR("Failed to process Main-Mode Message 2"));
411 }
52b7d2ce
A		 412 if (pbuf)
413 vfree(pbuf);
414 if (satmp)
415 vfree(satmp);
416 return error;
417}
418
419/*
420 * send to responder
421 * psk: HDR, KE, Ni
422 * sig: HDR, KE, Ni
423 * gssapi: HDR, KE, Ni, GSSi
424 * rsa: HDR, KE, [ HASH(1), ] <IDi1_b>PubKey_r, <Ni_b>PubKey_r
425 * rev: HDR, [ HASH(1), ] <Ni_b>Pubkey_r, <KE_b>Ke_i,
426 * <IDi1_b>Ke_i, [<<Cert-I_b>Ke_i]
427 */
428int
65c25746
A		 429ident_i3send(iph1, msg)
430 phase1_handle_t *iph1;
52b7d2ce
A		 431 vchar_t *msg;
432{
433 int error = -1;
434
65c25746
A		 435 /* validity check */
436 if (iph1->status != IKEV1_STATE_IDENT_I_MSG2RCVD) {
437 plog(ASL_LEVEL_ERR,
438 "status mismatched %d.\n", iph1->status);
52b7d2ce
A		 439 goto end;
440 }
441
442 /* fix isakmp index */
443 memcpy(&iph1->index.r_ck, &((struct isakmp *)msg->v)->r_ck,
444 sizeof(cookie_t));
445
446 /* generate DH public value */
e8d9021d 447#ifdef HAVE_OPENSSL
52b7d2ce 448 if (oakley_dh_generate(iph1->approval->dhgrp,
d1e348cf 449 &iph1->dhpub, &iph1->dhpriv) < 0) {
e8d9021d
A		 450#else
451 if (oakley_dh_generate(iph1->approval->dhgrp,
452 &iph1->dhpub, &iph1->publicKeySize, &iph1->dhC) < 0) {
453#endif
65c25746 454 plog(ASL_LEVEL_ERR,
d1e348cf 455 "failed to generate DH");
52b7d2ce 456 goto end;
d1e348cf 457 }
52b7d2ce
A		 458
459 /* generate NONCE value */
460 iph1->nonce = eay_set_random(iph1->rmconf->nonce_size);
d1e348cf 461 if (iph1->nonce == NULL) {
65c25746 462 plog(ASL_LEVEL_ERR,
d1e348cf 463 "failed to generate NONCE");
52b7d2ce 464 goto end;
d1e348cf 465 }
52b7d2ce 466
52b7d2ce
A		 467 /* create buffer to send isakmp payload */
468 iph1->sendbuf = ident_ir2mx(iph1);
d1e348cf 469 if (iph1->sendbuf == NULL) {
65c25746 470 plog(ASL_LEVEL_ERR,
d1e348cf 471 "failed to create send buffer");
52b7d2ce 472 goto end;
d1e348cf 473 }
52b7d2ce
A		 474
475#ifdef HAVE_PRINT_ISAKMP_C
476 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
477#endif
478
479 /* send the packet, add to the schedule to resend */
480 iph1->retry_counter = iph1->rmconf->retry_counter;
d1e348cf 481 if (isakmp_ph1resend(iph1) == -1) {
65c25746 482 plog(ASL_LEVEL_ERR,
d1e348cf 483 "failed to send packet");
52b7d2ce 484 goto end;
d1e348cf 485 }
52b7d2ce
A		 486
487 /* the sending message is added to the received-list. */
65c25746
A		 488 if (ike_session_add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
489 PH1_NON_ESP_EXTRA_LEN(iph1, iph1->sendbuf), PH1_FRAG_FLAGS(iph1)) == -1) {
490 plog(ASL_LEVEL_ERR ,
52b7d2ce
A		 491 "failed to add a response packet to the tree.\n");
492 goto end;
493 }
494
65c25746 495 fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_I_MSG3SENT);
52b7d2ce
A		 496
497 error = 0;
498
d1e348cf
A		 499 IPSECSESSIONTRACEREVENT(iph1->parent_session,
500 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
501 CONSTSTR("Initiator, Main-Mode message 3"),
502 CONSTSTR(NULL));
503
52b7d2ce 504end:
d1e348cf
A		 505 if (error) {
506 IPSECSESSIONTRACEREVENT(iph1->parent_session,
507 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
508 CONSTSTR("Initiator, Main-Mode Message 3"),
509 CONSTSTR("Failed to transmit Main-Mode Message 3"));
510 }
52b7d2ce
A		 511 return error;
512}
513
514/*
515 * receive from responder
516 * psk: HDR, KE, Nr
517 * sig: HDR, KE, Nr [, CR ]
518 * gssapi: HDR, KE, Nr, GSSr
519 * rsa: HDR, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i
520 * rev: HDR, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDr1_b>Ke_r,
521 */
522int
65c25746
A		 523ident_i4recv(iph1, msg)
524 phase1_handle_t *iph1;
52b7d2ce
A		 525 vchar_t *msg;
526{
527 vchar_t *pbuf = NULL;
528 struct isakmp_parse_t *pa;
529 int error = -1;
d1e348cf 530 int vid_numeric;
52b7d2ce
A		 531#ifdef ENABLE_NATT
532 vchar_t *natd_received;
533 int natd_seq = 0, natd_verified;
534#endif
535
65c25746
A		 536 /* validity check */
537 if (iph1->status != IKEV1_STATE_IDENT_I_MSG3SENT) {
538 plog(ASL_LEVEL_ERR,
539 "status mismatched %d.\n", iph1->status);
52b7d2ce
A		 540 goto end;
541 }
542
543 /* validate the type of next payload */
544 pbuf = isakmp_parse(msg);
d1e348cf 545 if (pbuf == NULL) {
65c25746 546 plog(ASL_LEVEL_ERR,
d1e348cf 547 "failed to parse msg");
52b7d2ce 548 goto end;
d1e348cf 549 }
52b7d2ce 550
85f41bec 551 for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
52b7d2ce
A		 552 pa->type != ISAKMP_NPTYPE_NONE;
553 pa++) {
554
555 switch (pa->type) {
556 case ISAKMP_NPTYPE_KE:
d1e348cf 557 if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) {
65c25746 558 plog(ASL_LEVEL_ERR,
d1e348cf 559 "failed to process KE payload");
52b7d2ce 560 goto end;
d1e348cf 561 }
52b7d2ce
A		 562 break;
563 case ISAKMP_NPTYPE_NONCE:
d1e348cf 564 if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) {
65c25746 565 plog(ASL_LEVEL_ERR,
d1e348cf 566 "failed to process NONCE payload");
52b7d2ce 567 goto end;
d1e348cf 568 }
52b7d2ce
A		 569 break;
570 case ISAKMP_NPTYPE_VID:
d1e348cf
A		 571 vid_numeric = check_vendorid(pa->ptr);
572#ifdef ENABLE_HYBRID
573 switch (vid_numeric) {
574 case VENDORID_XAUTH:
575 iph1->mode_cfg->flags |=
576 ISAKMP_CFG_VENDORID_XAUTH;
577 break;
578
579 case VENDORID_UNITY:
580 iph1->mode_cfg->flags |=
581 ISAKMP_CFG_VENDORID_UNITY;
582 break;
583
584 default:
585 break;
586 }
587#endif
588#ifdef ENABLE_DPD
589 if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd)
590 iph1->dpd_support=1;
591#endif
592
52b7d2ce
A		 593 break;
594 case ISAKMP_NPTYPE_CR:
d1e348cf 595 if (oakley_savecr(iph1, pa->ptr) < 0) {
65c25746 596 plog(ASL_LEVEL_ERR,
d1e348cf 597 "failed to process CR payload");
52b7d2ce 598 goto end;
d1e348cf 599 }
52b7d2ce 600 break;
52b7d2ce
A		 601
602#ifdef ENABLE_NATT
603 case ISAKMP_NPTYPE_NATD_DRAFT:
604 case ISAKMP_NPTYPE_NATD_RFC:
52b7d2ce 605 case ISAKMP_NPTYPE_NATD_BADDRAFT:
52b7d2ce
A		 606 if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL &&
607 pa->type == iph1->natt_options->payload_nat_d) {
608 natd_received = NULL;
d1e348cf 609 if (isakmp_p2ph (&natd_received, pa->ptr) < 0) {
65c25746 610 plog(ASL_LEVEL_ERR,
d1e348cf 611 "failed to process NATD payload");
52b7d2ce 612 goto end;
d1e348cf 613 }
52b7d2ce
A		 614
615 /* set both bits first so that we can clear them
616 upon verifying hashes */
617 if (natd_seq == 0)
618 iph1->natt_flags |= NAT_DETECTED;
619
620 /* this function will clear appropriate bits bits
621 from iph1->natt_flags */
622 natd_verified = natt_compare_addr_hash (iph1,
623 natd_received, natd_seq++);
624
7ebaebe2 625 plog (ASL_LEVEL_NOTICE, "NAT-D payload #%d %s\n",
52b7d2ce
A		 626 natd_seq - 1,
627 natd_verified ? "verified" : "doesn't match");
628
629 vfree (natd_received);
630 break;
631 }
632 /* %%%% Be lenient here - some servers send natd payloads */
633 /* when no nat is detected */
634 break;
635#endif
636
637 default:
638 /* don't send information, see ident_r1recv() */
65c25746 639 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 640 "ignore the packet, "
641 "received unexpecting payload type %d.\n",
642 pa->type);
643 goto end;
644 }
645 }
646
647#ifdef ENABLE_NATT
648 if (NATT_AVAILABLE(iph1)) {
7ebaebe2 649 plog (ASL_LEVEL_NOTICE, "NAT %s %s%s\n",
52b7d2ce
A		 650 iph1->natt_flags & NAT_DETECTED ?
651 "detected:" : "not detected",
652 iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "",
653 iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : "");
654 if (iph1->natt_flags & NAT_DETECTED)
655 natt_float_ports (iph1);
656 }
657#endif
658
659 /* payload existency check */
660 if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) {
65c25746 661 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 662 "few isakmp message received.\n");
663 goto end;
664 }
665
666 if (oakley_checkcr(iph1) < 0) {
667 /* Ignore this error in order to be interoperability. */
668 ;
669 }
670
65c25746 671 fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_I_MSG4RCVD);
52b7d2ce
A		 672
673 error = 0;
674
d1e348cf
A		 675 IPSECSESSIONTRACEREVENT(iph1->parent_session,
676 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
677 CONSTSTR("Initiator, Main-Mode message 4"),
678 CONSTSTR(NULL));
679
52b7d2ce 680end:
d1e348cf
A		 681 if (error) {
682 IPSECSESSIONTRACEREVENT(iph1->parent_session,
683 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
684 CONSTSTR("Initiator, Main-Mode Message 4"),
685 CONSTSTR("Failed to process Main-Mode Message 4"));
686 }
52b7d2ce
A		 687 if (pbuf)
688 vfree(pbuf);
689 if (error) {
690 VPTRINIT(iph1->dhpub_p);
691 VPTRINIT(iph1->nonce_p);
692 VPTRINIT(iph1->id_p);
693 oakley_delcert(iph1->cr_p);
694 iph1->cr_p = NULL;
695 }
696
697 return error;
698}
699
700/*
701 * send to responder
702 * psk: HDR*, IDi1, HASH_I
703 * sig: HDR*, IDi1, [ CR, ] [ CERT, ] SIG_I
704 * gssapi: HDR*, IDi1, < Gssi(n) | HASH_I >
705 * rsa: HDR*, HASH_I
706 * rev: HDR*, HASH_I
707 */
708int
65c25746
A		 709ident_i5send(iph1, msg0)
710 phase1_handle_t *iph1;
52b7d2ce
A		 711 vchar_t *msg0;
712{
713 int error = -1;
714 int dohash = 1;
52b7d2ce 715
65c25746
A		 716 /* validity check */
717 if (iph1->status != IKEV1_STATE_IDENT_I_MSG4RCVD) {
718 plog(ASL_LEVEL_ERR,
719 "status mismatched %d.\n", iph1->status);
52b7d2ce
A		 720 goto end;
721 }
722
723 /* compute sharing secret of DH */
e8d9021d 724#ifdef HAVE_OPENSSL
52b7d2ce 725 if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub,
d1e348cf 726 iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) {
e8d9021d 727#else
65c25746 728 if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub_p, iph1->publicKeySize, &iph1->dhgxy, &iph1->dhC) < 0) {
e8d9021d 729#endif
65c25746 730 plog(ASL_LEVEL_ERR,
d1e348cf 731 "failed to compute DH");
52b7d2ce 732 goto end;
d1e348cf 733 }
52b7d2ce
A		 734
735 /* generate SKEYIDs & IV & final cipher key */
d1e348cf 736 if (oakley_skeyid(iph1) < 0) {
65c25746 737 plog(ASL_LEVEL_ERR,
d1e348cf 738 "failed to generate SKEYID");
52b7d2ce 739 goto end;
d1e348cf
A		 740 }
741 if (oakley_skeyid_dae(iph1) < 0) {
65c25746 742 plog(ASL_LEVEL_ERR,
d1e348cf 743 "failed to generate SKEYID-DAE");
52b7d2ce 744 goto end;
d1e348cf
A		 745 }
746 if (oakley_compute_enckey(iph1) < 0) {
65c25746 747 plog(ASL_LEVEL_ERR,
d1e348cf 748 "failed to generate ENCKEY");
52b7d2ce 749 goto end;
d1e348cf
A		 750 }
751 if (oakley_newiv(iph1) < 0) {
65c25746 752 plog(ASL_LEVEL_ERR,
d1e348cf 753 "failed to generate IV");
52b7d2ce 754 goto end;
d1e348cf 755 }
52b7d2ce
A		 756
757 /* make ID payload into isakmp status */
d1e348cf 758 if (ipsecdoi_setid1(iph1) < 0) {
65c25746 759 plog(ASL_LEVEL_ERR,
d1e348cf 760 "failed to set ID");
52b7d2ce 761 goto end;
d1e348cf 762 }
52b7d2ce 763
52b7d2ce
A		 764 /* generate HASH to send */
765 if (dohash) {
766 iph1->hash = oakley_ph1hash_common(iph1, GENERATE);
d1e348cf 767 if (iph1->hash == NULL) {
65c25746 768 plog(ASL_LEVEL_ERR,
d1e348cf 769 "failed to generate HASH");
52b7d2ce 770 goto end;
d1e348cf 771 }
52b7d2ce
A		 772 } else
773 iph1->hash = NULL;
774
775 /* set encryption flag */
776 iph1->flags |= ISAKMP_FLAG_E;
777
778 /* create HDR;ID;HASH payload */
779 iph1->sendbuf = ident_ir3mx(iph1);
d1e348cf 780 if (iph1->sendbuf == NULL) {
65c25746 781 plog(ASL_LEVEL_ERR,
d1e348cf 782 "failed to allocate send buffer");
52b7d2ce 783 goto end;
d1e348cf 784 }
52b7d2ce
A		 785
786 /* send the packet, add to the schedule to resend */
787 iph1->retry_counter = iph1->rmconf->retry_counter;
d1e348cf 788 if (isakmp_ph1resend(iph1) == -1) {
65c25746 789 plog(ASL_LEVEL_ERR,
d1e348cf 790 "failed to send packet");
52b7d2ce 791 goto end;
d1e348cf 792 }
52b7d2ce
A		 793
794 /* the sending message is added to the received-list. */
65c25746
A		 795 if (ike_session_add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg0,
796 PH1_NON_ESP_EXTRA_LEN(iph1, iph1->sendbuf), PH1_FRAG_FLAGS(iph1)) == -1) {
797 plog(ASL_LEVEL_ERR ,
52b7d2ce
A		 798 "failed to add a response packet to the tree.\n");
799 goto end;
800 }
801
802 /* see handler.h about IV synchronization. */
803 memcpy(iph1->ivm->ive->v, iph1->ivm->iv->v, iph1->ivm->iv->l);
804
65c25746 805 fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_I_MSG5SENT);
52b7d2ce
A		 806
807 error = 0;
808
d1e348cf
A		 809 IPSECSESSIONTRACEREVENT(iph1->parent_session,
810 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
811 CONSTSTR("Initiator, Main-Mode message 5"),
812 CONSTSTR(NULL));
813
52b7d2ce 814end:
d1e348cf
A		 815 if (error) {
816 IPSECSESSIONTRACEREVENT(iph1->parent_session,
817 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
818 CONSTSTR("Initiator, Main-Mode Message 5"),
819 CONSTSTR("Failed to transmit Main-Mode Message 5"));
820 }
52b7d2ce
A		 821 return error;
822}
823
824/*
825 * receive from responder
826 * psk: HDR*, IDr1, HASH_R
827 * sig: HDR*, IDr1, [ CERT, ] SIG_R
828 * gssapi: HDR*, IDr1, < GSSr(n) | HASH_R >
829 * rsa: HDR*, HASH_R
830 * rev: HDR*, HASH_R
831 */
832int
65c25746
A		 833ident_i6recv(iph1, msg0)
834 phase1_handle_t *iph1;
52b7d2ce
A		 835 vchar_t *msg0;
836{
837 vchar_t *pbuf = NULL;
838 struct isakmp_parse_t *pa;
839 vchar_t *msg = NULL;
840 int error = -1;
841 int type;
d1e348cf 842 int vid_numeric;
e8d9021d 843 int received_cert = 0;
52b7d2ce 844
65c25746
A		 845 /* validity check */
846 if (iph1->status != IKEV1_STATE_IDENT_I_MSG5SENT) {
847 plog(ASL_LEVEL_ERR,
848 "status mismatched %d.\n", iph1->status);
52b7d2ce
A		 849 goto end;
850 }
851
852 /* decrypting */
853 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
65c25746 854 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 855 "ignore the packet, "
856 "expecting the packet encrypted.\n");
857 goto end;
858 }
859 msg = oakley_do_decrypt(iph1, msg0, iph1->ivm->iv, iph1->ivm->ive);
d1e348cf 860 if (msg == NULL) {
65c25746 861 plog(ASL_LEVEL_ERR,
d1e348cf 862 "failed to decrypt");
52b7d2ce 863 goto end;
d1e348cf 864 }
52b7d2ce
A		 865
866 /* validate the type of next payload */
867 pbuf = isakmp_parse(msg);
d1e348cf 868 if (pbuf == NULL) {
65c25746 869 plog(ASL_LEVEL_ERR,
d1e348cf 870 "failed to parse msg");
52b7d2ce 871 goto end;
d1e348cf 872 }
52b7d2ce
A		 873
874 iph1->pl_hash = NULL;
875
85f41bec 876 for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
52b7d2ce
A		 877 pa->type != ISAKMP_NPTYPE_NONE;
878 pa++) {
879
880 switch (pa->type) {
881 case ISAKMP_NPTYPE_ID:
d1e348cf 882 if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) {
65c25746 883 plog(ASL_LEVEL_ERR,
d1e348cf 884 "failed to process ID payload");
52b7d2ce 885 goto end;
d1e348cf 886 }
52b7d2ce
A		 887 break;
888 case ISAKMP_NPTYPE_HASH:
889 iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr;
890 break;
891 case ISAKMP_NPTYPE_CERT:
d1e348cf 892 if (oakley_savecert(iph1, pa->ptr) < 0) {
65c25746 893 plog(ASL_LEVEL_ERR,
d1e348cf 894 "failed to process CERT payload");
52b7d2ce 895 goto end;
d1e348cf 896 }
e8d9021d 897 received_cert = 1;
52b7d2ce
A		 898 break;
899 case ISAKMP_NPTYPE_SIG:
d1e348cf 900 if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) {
65c25746 901 plog(ASL_LEVEL_ERR,
d1e348cf 902 "failed to process SIG payload");
52b7d2ce 903 goto end;
d1e348cf 904 }
52b7d2ce 905 break;
65c25746 906
52b7d2ce 907 case ISAKMP_NPTYPE_VID:
d1e348cf
A		 908 vid_numeric = check_vendorid(pa->ptr);
909#ifdef ENABLE_DPD
910 if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd)
911 iph1->dpd_support=1;
912#endif
913 break;
52b7d2ce
A		 914 case ISAKMP_NPTYPE_N:
915 isakmp_check_notify(pa->ptr, iph1);
916 break;
917 default:
918 /* don't send information, see ident_r1recv() */
65c25746 919 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 920 "ignore the packet, "
921 "received unexpecting payload type %d.\n",
922 pa->type);
923 goto end;
924 }
925 }
926
e8d9021d
A		 927 if (received_cert) {
928 oakley_verify_certid(iph1);
929 }
930
52b7d2ce
A		 931 /* payload existency check */
932
933 /* verify identifier */
934 if (ipsecdoi_checkid1(iph1) != 0) {
65c25746 935 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 936 "invalid ID payload.\n");
937 goto end;
938 }
939
940 /* validate authentication value */
65c25746
A		 941 type = oakley_validate_auth(iph1);
942 if (type != 0) {
943 IPSECSESSIONTRACEREVENT(iph1->parent_session,
944 IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_FAIL,
945 CONSTSTR("Initiator, Main-Mode Message 6"),
946 CONSTSTR("Failed to authenticate Main-Mode Message 6"));
947 if (type == -1) {
948 /* msg printed inner oakley_validate_auth() */
949 goto end;
950 }
951 isakmp_info_send_n1(iph1, type, NULL);
952 goto end;
953 }
954 IPSECSESSIONTRACEREVENT(iph1->parent_session,
955 IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_SUCC,
956 CONSTSTR("Initiator, Main-Mode Message 6"),
957 CONSTSTR(NULL));
958
52b7d2ce
A		 959
960 /*
961 * XXX: Should we do compare two addresses, ph1handle's and ID
962 * payload's.
963 */
964
65c25746 965 plogdump(ASL_LEVEL_DEBUG, iph1->id_p->v, iph1->id_p->l, "peer's ID:");
52b7d2ce
A		 966
967 /* see handler.h about IV synchronization. */
968 memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->ive->l);
969
970 /*
971 * If we got a GSS token, we need to this roundtrip again.
972 */
65c25746 973 fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_I_MSG6RCVD);
52b7d2ce
A		 974
975 error = 0;
976
d1e348cf
A		 977 IPSECSESSIONTRACEREVENT(iph1->parent_session,
978 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
979 CONSTSTR("Initiator, Main-Mode message 6"),
980 CONSTSTR(NULL));
981
52b7d2ce 982end:
d1e348cf
A		 983 if (error) {
984 IPSECSESSIONTRACEREVENT(iph1->parent_session,
985 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
986 CONSTSTR("Initiator, Main-Mode Message 6"),
987 CONSTSTR("Failed to transmit Main-Mode Message 6"));
988 }
52b7d2ce
A		 989 if (pbuf)
990 vfree(pbuf);
991 if (msg)
992 vfree(msg);
52b7d2ce
A		 993
994 if (error) {
995 VPTRINIT(iph1->id_p);
996 oakley_delcert(iph1->cert_p);
997 iph1->cert_p = NULL;
998 oakley_delcert(iph1->crl_p);
999 iph1->crl_p = NULL;
1000 VPTRINIT(iph1->sig_p);
1001 }
1002
1003 return error;
1004}
1005
1006/*
1007 * status update and establish isakmp sa.
1008 */
1009int
65c25746
A		 1010ident_ifinalize(iph1, msg)
1011 phase1_handle_t *iph1;
52b7d2ce
A		 1012 vchar_t *msg;
1013{
1014 int error = -1;
1015
65c25746
A		 1016 /* validity check */
1017 if (iph1->status != IKEV1_STATE_IDENT_I_MSG6RCVD) {
1018 plog(ASL_LEVEL_ERR,
1019 "status mismatched %d.\n", iph1->status);
52b7d2ce
A		 1020 goto end;
1021 }
1022
1023 /* see handler.h about IV synchronization. */
1024 memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->iv->l);
1025
65c25746 1026 fsm_set_state(&iph1->status, IKEV1_STATE_PHASE1_ESTABLISHED);
52b7d2ce 1027
d1e348cf
A		 1028 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1029 IPSECSESSIONEVENTCODE_IKEV1_PH1_INIT_SUCC,
1030 CONSTSTR("Initiator, Main-Mode"),
1031 CONSTSTR(NULL));
1032
52b7d2ce
A		 1033 error = 0;
1034
1035end:
1036 return error;
1037}
1038
1039/*
1040 * receive from initiator
1041 * psk: HDR, SA
1042 * sig: HDR, SA
1043 * rsa: HDR, SA
1044 * rev: HDR, SA
1045 */
1046int
1047ident_r1recv(iph1, msg)
65c25746 1048 phase1_handle_t *iph1;
52b7d2ce
A		 1049 vchar_t *msg;
1050{
1051 vchar_t *pbuf = NULL;
1052 struct isakmp_parse_t *pa;
1053 int error = -1;
1054 int vid_numeric;
1055
1056 /* validity check */
65c25746
A		 1057 if (iph1->status != IKEV1_STATE_IDENT_R_START) {
1058 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 1059 "status mismatched %d.\n", iph1->status);
1060 goto end;
1061 }
1062
1063 /* validate the type of next payload */
1064 /*
1065 * NOTE: XXX even if multiple VID, we'll silently ignore those.
1066 */
1067 pbuf = isakmp_parse(msg);
d1e348cf 1068 if (pbuf == NULL) {
65c25746 1069 plog(ASL_LEVEL_ERR,
d1e348cf 1070 "failed to parse msg");
52b7d2ce 1071 goto end;
d1e348cf 1072 }
85f41bec 1073 pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
52b7d2ce
A		 1074
1075 /* check the position of SA payload */
1076 if (pa->type != ISAKMP_NPTYPE_SA) {
65c25746 1077 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 1078 "received invalid next payload type %d, "
1079 "expecting %d.\n",
1080 pa->type, ISAKMP_NPTYPE_SA);
1081 goto end;
1082 }
d1e348cf 1083 if (isakmp_p2ph(&iph1->sa, pa->ptr) < 0) {
65c25746 1084 plog(ASL_LEVEL_ERR,
d1e348cf 1085 "failed to process SA payload");
52b7d2ce 1086 goto end;
d1e348cf 1087 }
52b7d2ce
A		 1088 pa++;
1089
1090 for (/*nothing*/;
1091 pa->type != ISAKMP_NPTYPE_NONE;
1092 pa++) {
1093
1094 switch (pa->type) {
1095 case ISAKMP_NPTYPE_VID:
1096 vid_numeric = check_vendorid(pa->ptr);
1097#ifdef ENABLE_NATT
1098 if (iph1->rmconf->nat_traversal && natt_vendorid(vid_numeric))
1099 natt_handle_vendorid(iph1, vid_numeric);
1100#endif
d1e348cf
A		 1101#ifdef ENABLE_HYBRID
1102 switch (vid_numeric) {
1103 case VENDORID_XAUTH:
1104 iph1->mode_cfg->flags |=
1105 ISAKMP_CFG_VENDORID_XAUTH;
1106 break;
1107
1108 case VENDORID_UNITY:
1109 iph1->mode_cfg->flags |=
1110 ISAKMP_CFG_VENDORID_UNITY;
1111 break;
1112
1113 default:
1114 break;
1115 }
1116#endif
52b7d2ce
A		 1117#ifdef ENABLE_DPD
1118 if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd)
1119 iph1->dpd_support=1;
e8d9021d
A		 1120#endif
1121#ifdef ENABLE_FRAG
1122 if ((vid_numeric == VENDORID_FRAG) &&
1123 (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_IDENT)) {
65c25746 1124 plog(ASL_LEVEL_DEBUG,
e8d9021d
A		 1125 "remote supports FRAGMENTATION\n");
1126 iph1->frag = 1;
1127 }
52b7d2ce
A		 1128#endif
1129 break;
1130 default:
1131 /*
1132 * We don't send information to the peer even
1133 * if we received malformed packet. Because we
1134 * can't distinguish the malformed packet and
1135 * the re-sent packet. And we do same behavior
1136 * when we expect encrypted packet.
1137 */
65c25746 1138 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 1139 "ignore the packet, "
1140 "received unexpecting payload type %d.\n",
1141 pa->type);
1142 goto end;
1143 }
1144 }
1145
1146#ifdef ENABLE_NATT
80318cb7 1147 if (NATT_AVAILABLE(iph1)) {
7ebaebe2 1148 plog(ASL_LEVEL_NOTICE,
52b7d2ce
A		 1149 "Selected NAT-T version: %s\n",
1150 vid_string_by_id(iph1->natt_options->version));
80318cb7
A		 1151 ike_session_update_natt_version(iph1);
1152 }
52b7d2ce
A		 1153#endif
1154
1155 /* check SA payload and set approval SA for use */
1156 if (ipsecdoi_checkph1proposal(iph1->sa, iph1) < 0) {
65c25746 1157 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 1158 "failed to get valid proposal.\n");
1159 /* XXX send information */
1160 goto end;
1161 }
1162
65c25746 1163 fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_R_MSG1RCVD);
52b7d2ce
A		 1164
1165 error = 0;
1166
d1e348cf
A		 1167 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1168 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
1169 CONSTSTR("Responder, Main-Mode message 1"),
1170 CONSTSTR(NULL));
1171
52b7d2ce 1172end:
d1e348cf
A		 1173 if (error) {
1174 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1175 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
1176 CONSTSTR("Responder, Main-Mode Message 1"),
1177 CONSTSTR("Failed to process Main-Mode Message 1"));
1178 }
52b7d2ce
A		 1179 if (pbuf)
1180 vfree(pbuf);
1181 if (error) {
1182 VPTRINIT(iph1->sa);
1183 }
1184
1185 return error;
1186}
1187
1188/*
1189 * send to initiator
1190 * psk: HDR, SA
1191 * sig: HDR, SA
1192 * rsa: HDR, SA
1193 * rev: HDR, SA
1194 */
1195int
65c25746
A		 1196ident_r2send(iph1, msg)
1197 phase1_handle_t *iph1;
52b7d2ce
A		 1198 vchar_t *msg;
1199{
1200 struct payload_list *plist = NULL;
1201 int error = -1;
1202 vchar_t *gss_sa = NULL;
52b7d2ce
A		 1203#ifdef ENABLE_NATT
1204 vchar_t *vid_natt = NULL;
1205#endif
d1e348cf
A		 1206#ifdef ENABLE_HYBRID
1207 vchar_t *vid_xauth = NULL;
1208 vchar_t *vid_unity = NULL;
1209#endif
52b7d2ce
A		 1210#ifdef ENABLE_DPD
1211 vchar_t *vid_dpd = NULL;
1212#endif
d1e348cf
A		 1213#ifdef ENABLE_FRAG
1214 vchar_t *vid_frag = NULL;
1215#endif
52b7d2ce
A		 1216
1217 /* validity check */
65c25746
A		 1218 if (iph1->status != IKEV1_STATE_IDENT_R_MSG1RCVD) {
1219 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 1220 "status mismatched %d.\n", iph1->status);
1221 goto end;
1222 }
1223
1224 /* set responder's cookie */
1225 isakmp_newcookie((caddr_t)&iph1->index.r_ck, iph1->remote, iph1->local);
65c25746 1226 gss_sa = iph1->sa_ret;
52b7d2ce
A		 1227
1228 /* set SA payload to reply */
1229 plist = isakmp_plist_append(plist, gss_sa, ISAKMP_NPTYPE_SA);
1230
d1e348cf
A		 1231#ifdef ENABLE_HYBRID
1232 if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) {
7ebaebe2 1233 plog (ASL_LEVEL_NOTICE, "Adding xauth VID payload.\n");
d1e348cf 1234 if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL) {
65c25746 1235 plog(ASL_LEVEL_ERR,
d1e348cf
A		 1236 "Cannot create Xauth vendor ID\n");
1237 goto end;
1238 }
1239 plist = isakmp_plist_append(plist,
1240 vid_xauth, ISAKMP_NPTYPE_VID);
1241 }
52b7d2ce 1242
d1e348cf
A		 1243 if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_UNITY) {
1244 if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL) {
65c25746 1245 plog(ASL_LEVEL_ERR,
d1e348cf
A		 1246 "Cannot create Unity vendor ID\n");
1247 goto end;
1248 }
1249 plist = isakmp_plist_append(plist,
1250 vid_unity, ISAKMP_NPTYPE_VID);
1251 }
1252#endif
52b7d2ce
A		 1253#ifdef ENABLE_NATT
1254 /* Has the peer announced NAT-T? */
1255 if (NATT_AVAILABLE(iph1))
1256 vid_natt = set_vendorid(iph1->natt_options->version);
1257
1258 if (vid_natt)
1259 plist = isakmp_plist_append(plist, vid_natt, ISAKMP_NPTYPE_VID);
1260#endif
1261#ifdef ENABLE_DPD
1262 /* XXX only send DPD VID if remote sent it ? */
1263 if(iph1->rmconf->dpd){
1264 vid_dpd = set_vendorid(VENDORID_DPD);
1265 if (vid_dpd != NULL)
1266 plist = isakmp_plist_append(plist, vid_dpd, ISAKMP_NPTYPE_VID);
1267 }
1268#endif
d1e348cf
A		 1269#ifdef ENABLE_FRAG
1270 if (iph1->frag) {
1271 vid_frag = set_vendorid(VENDORID_FRAG);
1272 if (vid_frag != NULL)
1273 vid_frag = isakmp_frag_addcap(vid_frag,
1274 VENDORID_FRAG_IDENT);
1275 if (vid_frag == NULL)
65c25746 1276 plog(ASL_LEVEL_ERR,
d1e348cf
A		 1277 "Frag vendorID construction failed\n");
1278 else
1279 plist = isakmp_plist_append(plist,
1280 vid_frag, ISAKMP_NPTYPE_VID);
1281 }
1282#endif
52b7d2ce
A		 1283
1284 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
1285
1286#ifdef HAVE_PRINT_ISAKMP_C
1287 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
1288#endif
1289
1290 /* send the packet, add to the schedule to resend */
1291 iph1->retry_counter = iph1->rmconf->retry_counter;
d1e348cf 1292 if (isakmp_ph1resend(iph1) == -1) {
65c25746 1293 plog(ASL_LEVEL_ERR,
d1e348cf 1294 "failed to send packet");
52b7d2ce 1295 goto end;
d1e348cf 1296 }
52b7d2ce
A		 1297
1298 /* the sending message is added to the received-list. */
65c25746
A		 1299 if (ike_session_add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
1300 PH1_NON_ESP_EXTRA_LEN(iph1, iph1->sendbuf), PH1_FRAG_FLAGS(iph1)) == -1) {
1301 plog(ASL_LEVEL_ERR ,
52b7d2ce
A		 1302 "failed to add a response packet to the tree.\n");
1303 goto end;
1304 }
1305
65c25746 1306 fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_R_MSG2SENT);
52b7d2ce
A		 1307
1308#ifdef ENABLE_VPNCONTROL_PORT
1309 vpncontrol_notify_phase_change(1, FROM_LOCAL, iph1, NULL);
1310#endif
1311
1312 error = 0;
1313
d1e348cf
A		 1314 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1315 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
1316 CONSTSTR("Responder, Main-Mode message 2"),
1317 CONSTSTR(NULL));
1318
52b7d2ce 1319end:
d1e348cf
A		 1320 if (error) {
1321 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1322 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
1323 CONSTSTR("Responder, Main-Mode Message 2"),
1324 CONSTSTR("Failed to transmit Main-Mode Message 2"));
1325 }
52b7d2ce
A		 1326#ifdef ENABLE_NATT
1327 if (vid_natt)
1328 vfree(vid_natt);
1329#endif
d1e348cf
A		 1330#ifdef ENABLE_HYBRID
1331 if (vid_xauth != NULL)
1332 vfree(vid_xauth);
1333 if (vid_unity != NULL)
1334 vfree(vid_unity);
1335#endif
52b7d2ce
A		 1336#ifdef ENABLE_DPD
1337 if (vid_dpd != NULL)
1338 vfree(vid_dpd);
1339#endif
d1e348cf
A		 1340#ifdef ENABLE_FRAG
1341 if (vid_frag != NULL)
1342 vfree(vid_frag);
1343#endif
52b7d2ce
A		 1344
1345 return error;
1346}
1347
1348/*
1349 * receive from initiator
1350 * psk: HDR, KE, Ni
1351 * sig: HDR, KE, Ni
1352 * gssapi: HDR, KE, Ni, GSSi
1353 * rsa: HDR, KE, [ HASH(1), ] <IDi1_b>PubKey_r, <Ni_b>PubKey_r
1354 * rev: HDR, [ HASH(1), ] <Ni_b>Pubkey_r, <KE_b>Ke_i,
1355 * <IDi1_b>Ke_i, [<<Cert-I_b>Ke_i]
1356 */
1357int
65c25746
A		 1358ident_r3recv(iph1, msg)
1359 phase1_handle_t *iph1;
52b7d2ce
A		 1360 vchar_t *msg;
1361{
1362 vchar_t *pbuf = NULL;
1363 struct isakmp_parse_t *pa;
1364 int error = -1;
52b7d2ce
A		 1365#ifdef ENABLE_NATT
1366 int natd_seq = 0;
1367#endif
1368
1369 /* validity check */
65c25746
A		 1370 if (iph1->status != IKEV1_STATE_IDENT_R_MSG2SENT) {
1371 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 1372 "status mismatched %d.\n", iph1->status);
1373 goto end;
1374 }
1375
1376 /* validate the type of next payload */
1377 pbuf = isakmp_parse(msg);
d1e348cf 1378 if (pbuf == NULL) {
65c25746 1379 plog(ASL_LEVEL_ERR,
d1e348cf 1380 "failed to parse msg");
52b7d2ce 1381 goto end;
d1e348cf 1382 }
52b7d2ce 1383
85f41bec 1384 for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
52b7d2ce
A		 1385 pa->type != ISAKMP_NPTYPE_NONE;
1386 pa++) {
1387 switch (pa->type) {
1388 case ISAKMP_NPTYPE_KE:
d1e348cf 1389 if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) {
65c25746 1390 plog(ASL_LEVEL_ERR,
d1e348cf 1391 "failed to process KE payload");
52b7d2ce 1392 goto end;
d1e348cf 1393 }
52b7d2ce
A		 1394 break;
1395 case ISAKMP_NPTYPE_NONCE:
d1e348cf 1396 if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) {
65c25746 1397 plog(ASL_LEVEL_ERR,
d1e348cf 1398 "failed to process NONCE payload");
52b7d2ce 1399 goto end;
d1e348cf 1400 }
52b7d2ce
A		 1401 break;
1402 case ISAKMP_NPTYPE_VID:
1403 (void)check_vendorid(pa->ptr);
1404 break;
1405 case ISAKMP_NPTYPE_CR:
65c25746 1406 plog(ASL_LEVEL_WARNING,
52b7d2ce
A		 1407 "CR received, ignore it. "
1408 "It should be in other exchange.\n");
1409 break;
52b7d2ce
A		 1410
1411#ifdef ENABLE_NATT
1412 case ISAKMP_NPTYPE_NATD_DRAFT:
1413 case ISAKMP_NPTYPE_NATD_RFC:
52b7d2ce 1414 case ISAKMP_NPTYPE_NATD_BADDRAFT:
52b7d2ce
A		 1415 if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL &&
1416 pa->type == iph1->natt_options->payload_nat_d)
1417 {
1418 vchar_t *natd_received = NULL;
1419 int natd_verified;
1420
d1e348cf 1421 if (isakmp_p2ph (&natd_received, pa->ptr) < 0) {
65c25746 1422 plog(ASL_LEVEL_ERR,
d1e348cf 1423 "failed to process NATD payload");
52b7d2ce 1424 goto end;
d1e348cf 1425 }
52b7d2ce
A		 1426
1427 if (natd_seq == 0)
1428 iph1->natt_flags |= NAT_DETECTED;
1429
1430 natd_verified = natt_compare_addr_hash (iph1,
1431 natd_received, natd_seq++);
1432
7ebaebe2 1433 plog (ASL_LEVEL_NOTICE, "NAT-D payload #%d %s\n",
52b7d2ce
A		 1434 natd_seq - 1,
1435 natd_verified ? "verified" : "doesn't match");
1436
1437 vfree (natd_received);
1438 break;
1439 }
1440 /* %%%% Be lenient here - some servers send natd payloads */
1441 /* when no nat is detected */
1442 break;
1443#endif
1444
1445 default:
1446 /* don't send information, see ident_r1recv() */
65c25746 1447 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 1448 "ignore the packet, "
1449 "received unexpecting payload type %d.\n",
1450 pa->type);
1451 goto end;
1452 }
1453 }
1454
1455#ifdef ENABLE_NATT
1456 if (NATT_AVAILABLE(iph1))
7ebaebe2 1457 plog (ASL_LEVEL_NOTICE, "NAT %s %s%s\n",
52b7d2ce
A		 1458 iph1->natt_flags & NAT_DETECTED ?
1459 "detected:" : "not detected",
1460 iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "",
1461 iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : "");
1462#endif
1463
1464 /* payload existency check */
1465 if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) {
65c25746 1466 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 1467 "few isakmp message received.\n");
1468 goto end;
1469 }
1470
65c25746 1471 fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_R_MSG3RCVD);
52b7d2ce
A		 1472
1473 error = 0;
1474
d1e348cf
A		 1475 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1476 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
1477 CONSTSTR("Responder, Main-Mode message 3"),
1478 CONSTSTR(NULL));
1479
52b7d2ce 1480end:
d1e348cf
A		 1481 if (error) {
1482 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1483 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
1484 CONSTSTR("Responder, Main-Mode Message 3"),
1485 CONSTSTR("Failed to process Main-Mode Message 3"));
1486 }
52b7d2ce
A		 1487 if (pbuf)
1488 vfree(pbuf);
52b7d2ce
A		 1489
1490 if (error) {
1491 VPTRINIT(iph1->dhpub_p);
1492 VPTRINIT(iph1->nonce_p);
1493 VPTRINIT(iph1->id_p);
1494 }
1495
1496 return error;
1497}
1498
1499/*
1500 * send to initiator
1501 * psk: HDR, KE, Nr
1502 * sig: HDR, KE, Nr [, CR ]
1503 * gssapi: HDR, KE, Nr, GSSr
1504 * rsa: HDR, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i
1505 * rev: HDR, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDr1_b>Ke_r,
1506 */
1507int
65c25746
A		 1508ident_r4send(iph1, msg)
1509 phase1_handle_t *iph1;
52b7d2ce
A		 1510 vchar_t *msg;
1511{
1512 int error = -1;
1513
1514 /* validity check */
65c25746
A		 1515 if (iph1->status != IKEV1_STATE_IDENT_R_MSG3RCVD) {
1516 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 1517 "status mismatched %d.\n", iph1->status);
1518 goto end;
1519 }
1520
1521 /* generate DH public value */
e8d9021d 1522#ifdef HAVE_OPENSSL
52b7d2ce 1523 if (oakley_dh_generate(iph1->approval->dhgrp,
d1e348cf 1524 &iph1->dhpub, &iph1->dhpriv) < 0) {
e8d9021d
A		 1525#else
1526 if (oakley_dh_generate(iph1->approval->dhgrp,
1527 &iph1->dhpub, &iph1->publicKeySize, &iph1->dhC) < 0) {
1528#endif
65c25746 1529 plog(ASL_LEVEL_ERR,
d1e348cf 1530 "failed to generate DH");
52b7d2ce 1531 goto end;
d1e348cf 1532 }
52b7d2ce
A		 1533
1534 /* generate NONCE value */
1535 iph1->nonce = eay_set_random(iph1->rmconf->nonce_size);
d1e348cf 1536 if (iph1->nonce == NULL) {
65c25746 1537 plog(ASL_LEVEL_ERR,
d1e348cf 1538 "failed to generate NONCE");
52b7d2ce 1539 goto end;
d1e348cf 1540 }
52b7d2ce 1541
52b7d2ce
A		 1542 /* create HDR;KE;NONCE payload */
1543 iph1->sendbuf = ident_ir2mx(iph1);
d1e348cf 1544 if (iph1->sendbuf == NULL) {
65c25746 1545 plog(ASL_LEVEL_ERR,
d1e348cf 1546 "failed to allocate send buffer");
52b7d2ce 1547 goto end;
d1e348cf 1548 }
52b7d2ce
A		 1549
1550#ifdef HAVE_PRINT_ISAKMP_C
1551 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
1552#endif
1553
1554 /* send the packet, add to the schedule to resend */
1555 iph1->retry_counter = iph1->rmconf->retry_counter;
d1e348cf 1556 if (isakmp_ph1resend(iph1) == -1) {
65c25746 1557 plog(ASL_LEVEL_ERR,
d1e348cf 1558 "failed to send packet");
52b7d2ce 1559 goto end;
d1e348cf 1560 }
52b7d2ce
A		 1561
1562 /* the sending message is added to the received-list. */
65c25746
A		 1563 if (ike_session_add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
1564 PH1_NON_ESP_EXTRA_LEN(iph1, iph1->sendbuf), PH1_FRAG_FLAGS(iph1)) == -1) {
1565 plog(ASL_LEVEL_ERR ,
52b7d2ce
A		 1566 "failed to add a response packet to the tree.\n");
1567 goto end;
1568 }
1569
1570 /* compute sharing secret of DH */
e8d9021d
A		 1571#ifdef HAVE_OPENSSL
1572 if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub,
1573 iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) {
1574#else
65c25746 1575 if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub_p, iph1->publicKeySize, &iph1->dhgxy, &iph1->dhC) < 0) {
e8d9021d 1576#endif
65c25746 1577 plog(ASL_LEVEL_ERR,
d1e348cf 1578 "failed to compute DH");
52b7d2ce 1579 goto end;
d1e348cf 1580 }
52b7d2ce
A		 1581
1582 /* generate SKEYIDs & IV & final cipher key */
d1e348cf 1583 if (oakley_skeyid(iph1) < 0) {
65c25746 1584 plog(ASL_LEVEL_ERR,
d1e348cf 1585 "failed to generate SKEYID");
52b7d2ce 1586 goto end;
d1e348cf
A		 1587 }
1588 if (oakley_skeyid_dae(iph1) < 0) {
65c25746 1589 plog(ASL_LEVEL_ERR,
d1e348cf 1590 "failed to generate SKEYID-DAE");
52b7d2ce 1591 goto end;
d1e348cf
A		 1592 }
1593 if (oakley_compute_enckey(iph1) < 0) {
65c25746 1594 plog(ASL_LEVEL_ERR,
d1e348cf 1595 "failed to generate ENCKEY");
52b7d2ce 1596 goto end;
d1e348cf
A		 1597 }
1598 if (oakley_newiv(iph1) < 0) {
65c25746 1599 plog(ASL_LEVEL_ERR,
d1e348cf 1600 "failed to generate IV");
52b7d2ce 1601 goto end;
d1e348cf 1602 }
52b7d2ce 1603
65c25746 1604 fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_R_MSG4SENT);
52b7d2ce
A		 1605
1606 error = 0;
1607
d1e348cf
A		 1608 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1609 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
1610 CONSTSTR("Responder, Main-Mode message 4"),
1611 CONSTSTR(NULL));
1612
52b7d2ce 1613end:
d1e348cf
A		 1614 if (error) {
1615 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1616 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
1617 CONSTSTR("Responder, Main-Mode Message 4"),
1618 CONSTSTR("Failed to transmit Main-Mode Message 4"));
1619 }
52b7d2ce
A		 1620 return error;
1621}
1622
1623/*
1624 * receive from initiator
1625 * psk: HDR*, IDi1, HASH_I
1626 * sig: HDR*, IDi1, [ CR, ] [ CERT, ] SIG_I
1627 * gssapi: HDR*, [ IDi1, ] < GSSi(n) | HASH_I >
1628 * rsa: HDR*, HASH_I
1629 * rev: HDR*, HASH_I
1630 */
1631int
65c25746
A		 1632ident_r5recv(iph1, msg0)
1633 phase1_handle_t *iph1;
52b7d2ce
A		 1634 vchar_t *msg0;
1635{
1636 vchar_t *msg = NULL;
1637 vchar_t *pbuf = NULL;
1638 struct isakmp_parse_t *pa;
1639 int error = -1;
1640 int type;
e8d9021d 1641 int received_cert = 0;
52b7d2ce
A		 1642
1643 /* validity check */
65c25746
A		 1644 if (iph1->status != IKEV1_STATE_IDENT_R_MSG4SENT) {
1645 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 1646 "status mismatched %d.\n", iph1->status);
1647 goto end;
1648 }
1649
1650 /* decrypting */
1651 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
65c25746 1652 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 1653 "reject the packet, "
1654 "expecting the packet encrypted.\n");
1655 goto end;
1656 }
1657 msg = oakley_do_decrypt(iph1, msg0, iph1->ivm->iv, iph1->ivm->ive);
d1e348cf 1658 if (msg == NULL) {
65c25746 1659 plog(ASL_LEVEL_ERR,
d1e348cf 1660 "failed to decrypt");
52b7d2ce 1661 goto end;
d1e348cf 1662 }
52b7d2ce
A		 1663
1664 /* validate the type of next payload */
1665 pbuf = isakmp_parse(msg);
d1e348cf 1666 if (pbuf == NULL) {
65c25746 1667 plog(ASL_LEVEL_ERR,
d1e348cf 1668 "failed to parse msg");
52b7d2ce 1669 goto end;
d1e348cf 1670 }
52b7d2ce
A		 1671
1672 iph1->pl_hash = NULL;
1673
85f41bec 1674 for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
52b7d2ce
A		 1675 pa->type != ISAKMP_NPTYPE_NONE;
1676 pa++) {
1677
1678 switch (pa->type) {
1679 case ISAKMP_NPTYPE_ID:
d1e348cf 1680 if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) {
65c25746 1681 plog(ASL_LEVEL_ERR,
d1e348cf 1682 "failed to process ID payload");
52b7d2ce 1683 goto end;
d1e348cf 1684 }
52b7d2ce
A		 1685 break;
1686 case ISAKMP_NPTYPE_HASH:
1687 iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr;
1688 break;
1689 case ISAKMP_NPTYPE_CR:
d1e348cf 1690 if (oakley_savecr(iph1, pa->ptr) < 0) {
65c25746 1691 plog(ASL_LEVEL_ERR,
d1e348cf 1692 "failed to process CR payload");
52b7d2ce 1693 goto end;
d1e348cf 1694 }
52b7d2ce
A		 1695 break;
1696 case ISAKMP_NPTYPE_CERT:
d1e348cf 1697 if (oakley_savecert(iph1, pa->ptr) < 0) {
65c25746 1698 plog(ASL_LEVEL_ERR,
d1e348cf 1699 "failed to process CERT payload");
52b7d2ce 1700 goto end;
d1e348cf 1701 }
e8d9021d 1702 received_cert = 1;
52b7d2ce
A		 1703 break;
1704 case ISAKMP_NPTYPE_SIG:
d1e348cf 1705 if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) {
65c25746 1706 plog(ASL_LEVEL_ERR,
d1e348cf 1707 "failed to process SIG payload");
52b7d2ce 1708 goto end;
d1e348cf 1709 }
52b7d2ce 1710 break;
52b7d2ce
A		 1711 case ISAKMP_NPTYPE_VID:
1712 (void)check_vendorid(pa->ptr);
1713 break;
1714 case ISAKMP_NPTYPE_N:
1715 isakmp_check_notify(pa->ptr, iph1);
1716 break;
1717 default:
1718 /* don't send information, see ident_r1recv() */
65c25746 1719 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 1720 "ignore the packet, "
1721 "received unexpecting payload type %d.\n",
1722 pa->type);
1723 goto end;
1724 }
1725 }
1726
e8d9021d
A		 1727 if (received_cert) {
1728 oakley_verify_certid(iph1);
1729 }
1730
52b7d2ce
A		 1731 /* payload existency check */
1732 /* XXX same as ident_i4recv(), should be merged. */
1733 {
1734 int ng = 0;
1735
d1e348cf 1736 switch (AUTHMETHOD(iph1)) {
52b7d2ce 1737 case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
d1e348cf
A		 1738#ifdef ENABLE_HYBRID
1739 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
1740 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
d1e348cf 1741#endif
52b7d2ce
A		 1742 if (iph1->id_p == NULL || iph1->pl_hash == NULL)
1743 ng++;
1744 break;
52b7d2ce 1745 case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
d1e348cf
A		 1746#ifdef ENABLE_HYBRID
1747 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
d1e348cf 1748#endif
52b7d2ce
A		 1749 if (iph1->id_p == NULL || iph1->sig_p == NULL)
1750 ng++;
1751 break;
1752 case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
1753 case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
d1e348cf
A		 1754#ifdef ENABLE_HYBRID
1755 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
1756 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
1757#endif
52b7d2ce
A		 1758 if (iph1->pl_hash == NULL)
1759 ng++;
1760 break;
52b7d2ce 1761 default:
65c25746 1762 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 1763 "invalid authmethod %d why ?\n",
1764 iph1->approval->authmethod);
1765 goto end;
1766 }
1767 if (ng) {
65c25746 1768 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 1769 "few isakmp message received.\n");
1770 goto end;
1771 }
1772 }
1773
1774 /* verify identifier */
1775 if (ipsecdoi_checkid1(iph1) != 0) {
65c25746 1776 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 1777 "invalid ID payload.\n");
1778 goto end;
1779 }
1780
1781 /* validate authentication value */
65c25746
A		 1782
1783 type = oakley_validate_auth(iph1);
1784 if (type != 0) {
1785 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1786 IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_FAIL,
1787 CONSTSTR("Responder, Main-Mode Message 5"),
1788 CONSTSTR("Failed to authenticate Main-Mode Message 5"));
1789 if (type == -1) {
1790 /* msg printed inner oakley_validate_auth() */
1791 goto end;
1792 }
1793 isakmp_info_send_n1(iph1, type, NULL);
1794 goto end;
1795 }
1796 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1797 IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_SUCC,
1798 CONSTSTR("Responder, Main-Mode Message 5"),
1799 CONSTSTR(NULL));
52b7d2ce
A		 1800
1801 if (oakley_checkcr(iph1) < 0) {
1802 /* Ignore this error in order to be interoperability. */
1803 ;
1804 }
1805
1806 /*
1807 * XXX: Should we do compare two addresses, ph1handle's and ID
1808 * payload's.
1809 */
1810
65c25746 1811 plogdump(ASL_LEVEL_DEBUG, iph1->id_p->v, iph1->id_p->l, "peer's ID\n");
52b7d2ce
A		 1812
1813 /* see handler.h about IV synchronization. */
1814 memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->ive->l);
1815
65c25746 1816 fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_R_MSG5RCVD);
52b7d2ce
A		 1817 error = 0;
1818
d1e348cf
A		 1819 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1820 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
1821 CONSTSTR("Responder, Main-Mode message 5"),
1822 CONSTSTR(NULL));
1823
52b7d2ce 1824end:
d1e348cf
A		 1825 if (error) {
1826 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1827 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
1828 CONSTSTR("Responder, Main-Mode Message 5"),
1829 CONSTSTR("Failed to process Main-Mode Message 5"));
1830 }
52b7d2ce
A		 1831 if (pbuf)
1832 vfree(pbuf);
1833 if (msg)
1834 vfree(msg);
52b7d2ce
A		 1835
1836 if (error) {
1837 VPTRINIT(iph1->id_p);
1838 oakley_delcert(iph1->cert_p);
1839 iph1->cert_p = NULL;
1840 oakley_delcert(iph1->crl_p);
1841 iph1->crl_p = NULL;
1842 VPTRINIT(iph1->sig_p);
1843 oakley_delcert(iph1->cr_p);
1844 iph1->cr_p = NULL;
1845 }
1846
1847 return error;
1848}
1849
1850/*
1851 * send to initiator
1852 * psk: HDR*, IDr1, HASH_R
1853 * sig: HDR*, IDr1, [ CERT, ] SIG_R
1854 * gssapi: HDR*, IDr1, < GSSr(n) | HASH_R >
1855 * rsa: HDR*, HASH_R
1856 * rev: HDR*, HASH_R
1857 */
1858int
65c25746
A		 1859ident_r6send(iph1, msg)
1860 phase1_handle_t *iph1;
52b7d2ce
A		 1861 vchar_t *msg;
1862{
1863 int error = -1;
1864 int dohash = 1;
52b7d2ce
A		 1865
1866 /* validity check */
65c25746
A		 1867 if (iph1->status != IKEV1_STATE_IDENT_R_MSG5RCVD) {
1868 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 1869 "status mismatched %d.\n", iph1->status);
1870 goto end;
1871 }
1872
1873 /* make ID payload into isakmp status */
d1e348cf 1874 if (ipsecdoi_setid1(iph1) < 0) {
65c25746 1875 plog(ASL_LEVEL_ERR,
d1e348cf 1876 "failed to set ID");
52b7d2ce 1877 goto end;
d1e348cf 1878 }
52b7d2ce 1879
52b7d2ce
A		 1880 if (dohash) {
1881 /* generate HASH to send */
65c25746 1882 plog(ASL_LEVEL_DEBUG, "generate HASH_R\n");
52b7d2ce 1883 iph1->hash = oakley_ph1hash_common(iph1, GENERATE);
d1e348cf 1884 if (iph1->hash == NULL) {
65c25746 1885 plog(ASL_LEVEL_ERR,
d1e348cf 1886 "failed to generate HASH");
52b7d2ce 1887 goto end;
d1e348cf 1888 }
52b7d2ce
A		 1889 } else
1890 iph1->hash = NULL;
1891
1892 /* set encryption flag */
1893 iph1->flags |= ISAKMP_FLAG_E;
1894
1895 /* create HDR;ID;HASH payload */
1896 iph1->sendbuf = ident_ir3mx(iph1);
d1e348cf 1897 if (iph1->sendbuf == NULL) {
65c25746 1898 plog(ASL_LEVEL_ERR,
d1e348cf 1899 "failed to create send buffer");
52b7d2ce 1900 goto end;
d1e348cf 1901 }
52b7d2ce
A		 1902
1903 /* send HDR;ID;HASH to responder */
d1e348cf 1904 if (isakmp_send(iph1, iph1->sendbuf) < 0) {
65c25746 1905 plog(ASL_LEVEL_ERR,
d1e348cf 1906 "failed to send packet");
52b7d2ce 1907 goto end;
d1e348cf 1908 }
52b7d2ce
A		 1909
1910 /* the sending message is added to the received-list. */
65c25746
A		 1911 if (ike_session_add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
1912 PH1_NON_ESP_EXTRA_LEN(iph1, iph1->sendbuf), PH1_FRAG_FLAGS(iph1)) == -1) {
1913 plog(ASL_LEVEL_ERR ,
52b7d2ce
A		 1914 "failed to add a response packet to the tree.\n");
1915 goto end;
1916 }
1917
1918 /* see handler.h about IV synchronization. */
1919 memcpy(iph1->ivm->ive->v, iph1->ivm->iv->v, iph1->ivm->iv->l);
1920
65c25746 1921 fsm_set_state(&iph1->status, IKEV1_STATE_PHASE1_ESTABLISHED);
52b7d2ce 1922
d1e348cf
A		 1923 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1924 IPSECSESSIONEVENTCODE_IKEV1_PH1_RESP_SUCC,
1925 CONSTSTR("Responder, Main-Mode"),
1926 CONSTSTR(NULL));
1927
52b7d2ce
A		 1928 error = 0;
1929
d1e348cf
A		 1930 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1931 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
1932 CONSTSTR("Responder, Main-Mode message 6"),
1933 CONSTSTR(NULL));
1934
52b7d2ce 1935end:
d1e348cf
A		 1936 if (error) {
1937 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1938 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
1939 CONSTSTR("Responder, Main-Mode Message 6"),
1940 CONSTSTR("Failed to process Main-Mode Message 6"));
1941 }
52b7d2ce
A		 1942
1943 return error;
1944}
1945
1946/*
1947 * This is used in main mode for:
1948 * initiator's 3rd exchange send to responder
1949 * psk: HDR, KE, Ni
1950 * sig: HDR, KE, Ni
1951 * rsa: HDR, KE, [ HASH(1), ] <IDi1_b>PubKey_r, <Ni_b>PubKey_r
1952 * rev: HDR, [ HASH(1), ] <Ni_b>Pubkey_r, <KE_b>Ke_i,
1953 * <IDi1_b>Ke_i, [<<Cert-I_b>Ke_i]
1954 * responders 2nd exchnage send to initiator
1955 * psk: HDR, KE, Nr
1956 * sig: HDR, KE, Nr [, CR ]
1957 * rsa: HDR, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i
1958 * rev: HDR, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDr1_b>Ke_r,
1959 */
1960static vchar_t *
1961ident_ir2mx(iph1)
65c25746 1962 phase1_handle_t *iph1;
52b7d2ce
A		 1963{
1964 vchar_t *buf = 0;
1965 struct payload_list *plist = NULL;
1966 int need_cr = 0;
1967 vchar_t *cr = NULL;
1968 vchar_t *vid = NULL;
1969 int error = -1;
52b7d2ce
A		 1970#ifdef ENABLE_NATT
1971 vchar_t *natd[2] = { NULL, NULL };
1972#endif
1973
1974 /* create CR if need */
1975 if (iph1->side == RESPONDER
1976 && iph1->rmconf->send_cr
65c25746 1977 && oakley_needcr(iph1->approval->authmethod)) {
52b7d2ce
A		 1978 need_cr = 1;
1979 cr = oakley_getcr(iph1);
1980 if (cr == NULL) {
65c25746 1981 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 1982 "failed to get cr buffer.\n");
1983 goto end;
1984 }
1985 }
1986
52b7d2ce
A		 1987 /* create isakmp KE payload */
1988 plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE);
1989
1990 /* create isakmp NONCE payload */
1991 plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE);
1992
52b7d2ce
A		 1993 /* append vendor id, if needed */
1994 if (vid)
1995 plist = isakmp_plist_append(plist, vid, ISAKMP_NPTYPE_VID);
1996
1997 /* create isakmp CR payload if needed */
1998 if (need_cr)
1999 plist = isakmp_plist_append(plist, cr, ISAKMP_NPTYPE_CR);
2000
2001#ifdef ENABLE_NATT
2002 /* generate and append NAT-D payloads */
65c25746 2003 if (NATT_AVAILABLE(iph1))
52b7d2ce
A		 2004 {
2005 if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) {
65c25746 2006 plog(ASL_LEVEL_ERR,
85f41bec 2007 "NAT-D hashing failed for %s\n", saddr2str((struct sockaddr *)iph1->remote));
52b7d2ce
A		 2008 goto end;
2009 }
2010
2011 if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) {
65c25746 2012 plog(ASL_LEVEL_ERR,
85f41bec 2013 "NAT-D hashing failed for %s\n", saddr2str((struct sockaddr *)iph1->local));
52b7d2ce
A		 2014 goto end;
2015 }
2016
7ebaebe2 2017 plog (ASL_LEVEL_NOTICE, "Adding remote and local NAT-D payloads.\n");
52b7d2ce
A		 2018 /* old Apple version sends natd payloads in the wrong order */
2019 if (iph1->natt_options->version == VENDORID_NATT_APPLE) {
2020 plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
2021 plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
2022 } else
52b7d2ce
A		 2023 {
2024 plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
2025 plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
2026 }
2027 }
2028#endif
2029
2030 buf = isakmp_plist_set_all (&plist, iph1);
2031
2032 error = 0;
2033
2034end:
2035 if (error && buf != NULL) {
2036 vfree(buf);
2037 buf = NULL;
2038 }
2039 if (cr)
2040 vfree(cr);
52b7d2ce
A		 2041 if (vid)
2042 vfree(vid);
2043
2044#ifdef ENABLE_NATT
2045 if (natd[0])
2046 vfree(natd[0]);
2047 if (natd[1])
2048 vfree(natd[1]);
2049#endif
2050
2051 return buf;
2052}
2053
2054/*
2055 * This is used in main mode for:
2056 * initiator's 4th exchange send to responder
2057 * psk: HDR*, IDi1, HASH_I
2058 * sig: HDR*, IDi1, [ CR, ] [ CERT, ] SIG_I
2059 * gssapi: HDR*, [ IDi1, ] < GSSi(n) | HASH_I >
2060 * rsa: HDR*, HASH_I
2061 * rev: HDR*, HASH_I
2062 * responders 3rd exchnage send to initiator
2063 * psk: HDR*, IDr1, HASH_R
2064 * sig: HDR*, IDr1, [ CERT, ] SIG_R
2065 * gssapi: HDR*, [ IDr1, ] < GSSr(n) | HASH_R >
2066 * rsa: HDR*, HASH_R
2067 * rev: HDR*, HASH_R
2068 */
2069static vchar_t *
2070ident_ir3mx(iph1)
65c25746 2071 phase1_handle_t *iph1;
52b7d2ce
A		 2072{
2073 struct payload_list *plist = NULL;
2074 vchar_t *buf = NULL, *new = NULL;
2075 int need_cr = 0;
2076 int need_cert = 0;
2077 vchar_t *cr = NULL;
2078 int error = -1;
b8c37798 2079 vchar_t *notp_ini = NULL;
52b7d2ce 2080
d1e348cf 2081 switch (AUTHMETHOD(iph1)) {
52b7d2ce 2082 case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
d1e348cf
A		 2083#ifdef ENABLE_HYBRID
2084 case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
2085 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
2086 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
d1e348cf 2087#endif
52b7d2ce
A		 2088 /* create isakmp ID payload */
2089 plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
2090
2091 /* create isakmp HASH payload */
2092 plist = isakmp_plist_append(plist, iph1->hash, ISAKMP_NPTYPE_HASH);
2093 break;
52b7d2ce 2094 case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
d1e348cf
A		 2095#ifdef ENABLE_HYBRID
2096 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
d1e348cf
A		 2097 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
2098 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
d1e348cf
A		 2099#endif
2100 if (oakley_getmycert(iph1) < 0) {
65c25746 2101 plog(ASL_LEVEL_ERR,
d1e348cf 2102 "failed to get mycert");
52b7d2ce 2103 goto end;
d1e348cf 2104 }
52b7d2ce 2105
d1e348cf 2106 if (oakley_getsign(iph1) < 0) {
65c25746 2107 plog(ASL_LEVEL_ERR,
d1e348cf 2108 "failed to get sign");
52b7d2ce 2109 goto end;
d1e348cf 2110 }
52b7d2ce
A		 2111
2112 /* create CR if need */
2113 if (iph1->side == INITIATOR
2114 && iph1->rmconf->send_cr
65c25746 2115 && oakley_needcr(iph1->approval->authmethod)) {
52b7d2ce
A		 2116 need_cr = 1;
2117 cr = oakley_getcr(iph1);
2118 if (cr == NULL) {
65c25746 2119 plog(ASL_LEVEL_ERR,
d1e348cf 2120 "failed to get CR");
52b7d2ce
A		 2121 goto end;
2122 }
2123 }
2124
2125 if (iph1->cert != NULL && iph1->rmconf->send_cert)
2126 need_cert = 1;
2127
2128 /* add ID payload */
2129 plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
2130
2131 /* add CERT payload if there */
e8d9021d 2132 // we don't support sending of certchains
52b7d2ce
A		 2133 if (need_cert)
2134 plist = isakmp_plist_append(plist, iph1->cert->pl, ISAKMP_NPTYPE_CERT);
2135 /* add SIG payload */
2136 plist = isakmp_plist_append(plist, iph1->sig, ISAKMP_NPTYPE_SIG);
2137
2138 /* create isakmp CR payload */
2139 if (need_cr)
2140 plist = isakmp_plist_append(plist, cr, ISAKMP_NPTYPE_CR);
2141 break;
52b7d2ce 2142
52b7d2ce
A		 2143 case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
2144 case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
d1e348cf
A		 2145#ifdef ENABLE_HYBRID
2146 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
2147 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
2148 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
2149 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
2150#endif
65c25746 2151 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 2152 "not supported authentication type %d\n",
2153 iph1->approval->authmethod);
2154 goto end;
2155 default:
65c25746 2156 plog(ASL_LEVEL_ERR,
52b7d2ce
A		 2157 "invalid authentication type %d\n",
2158 iph1->approval->authmethod);
2159 goto end;
2160 }
2161
b8c37798
A		 2162 if (iph1->side == INITIATOR) {
2163 notp_ini = isakmp_plist_append_initial_contact(iph1, plist);
2164 }
2165
52b7d2ce
A		 2166 buf = isakmp_plist_set_all (&plist, iph1);
2167
2168#ifdef HAVE_PRINT_ISAKMP_C
2169 isakmp_printpacket(buf, iph1->local, iph1->remote, 1);
2170#endif
2171
2172 /* encoding */
2173 new = oakley_do_encrypt(iph1, buf, iph1->ivm->ive, iph1->ivm->iv);
d1e348cf 2174 if (new == NULL) {
65c25746 2175 plog(ASL_LEVEL_ERR,
d1e348cf 2176 "failed to encrypt");
52b7d2ce 2177 goto end;
d1e348cf 2178 }
52b7d2ce
A		 2179
2180 vfree(buf);
2181
2182 buf = new;
2183
2184 error = 0;
2185
2186end:
2187 if (cr)
2188 vfree(cr);
2189 if (error && buf != NULL) {
2190 vfree(buf);
2191 buf = NULL;
2192 }
b8c37798
A		 2193 if (notp_ini)
2194 vfree(notp_ini);
52b7d2ce
A		 2195
2196 return buf;
2197}
mirror of ipsec