git.saurik.com Git - apple/ipsec.git/blame - ipsec-tools/racoon/isakmp

Commit	Line	Data
d1e348cf A	1	/* $NetBSD: isakmp_ident.c,v 1.6 2006/10/02 21:41:59 manu Exp $ */
	2
	3	/* Id: isakmp_ident.c,v 1.21 2006/04/06 16:46:08 manubsd Exp */
52b7d2ce A	4
	5	/*
	6	* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
	7	* All rights reserved.
	8	*
	9	* Redistribution and use in source and binary forms, with or without
	10	* modification, are permitted provided that the following conditions
	11	* are met:
	12	* 1. Redistributions of source code must retain the above copyright
	13	* notice, this list of conditions and the following disclaimer.
	14	* 2. Redistributions in binary form must reproduce the above copyright
	15	* notice, this list of conditions and the following disclaimer in the
	16	* documentation and/or other materials provided with the distribution.
	17	* 3. Neither the name of the project nor the names of its contributors
	18	* may be used to endorse or promote products derived from this software
	19	* without specific prior written permission.
	20	*
	21	* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
	22	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	23	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	24	* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
	25	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	26	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
	27	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	28	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	29	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
	30	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
	31	* SUCH DAMAGE.
	32	*/
	33
	34	/* Identity Protecion Exchange (Main Mode) */
	35
	36	#include "config.h"
	37
	38	#include <sys/types.h>
	39	#include <sys/param.h>
	40
	41	#include <stdlib.h>
	42	#include <stdio.h>
	43	#include <string.h>
	44	#include <errno.h>
	45	#if TIME_WITH_SYS_TIME
	46	# include <sys/time.h>
	47	# include <time.h>
	48	#else
	49	# if HAVE_SYS_TIME_H
	50	# include <sys/time.h>
	51	# else
	52	# include <time.h>
	53	# endif
	54	#endif
	55
	56	#include "var.h"
	57	#include "misc.h"
	58	#include "vmbuf.h"
	59	#include "plog.h"
	60	#include "sockmisc.h"
	61	#include "schedule.h"
	62	#include "debug.h"
65c25746	63	#include "fsm.h"
52b7d2ce A	64
	65	#include "localconf.h"
	66	#include "remoteconf.h"
	67	#include "isakmp_var.h"
	68	#include "isakmp.h"
52b7d2ce A	69	#include "oakley.h"
	70	#include "handler.h"
	71	#include "ipsec_doi.h"
	72	#include "crypto_openssl.h"
	73	#include "pfkey.h"
	74	#include "isakmp_ident.h"
	75	#include "isakmp_inf.h"
	76	#include "vendorid.h"
	77
	78	#ifdef ENABLE_NATT
	79	#include "nattraversal.h"
	80	#endif
d1e348cf	81	#ifdef ENABLE_HYBRID
d1e348cf A	82	#include "isakmp_xauth.h"
	83	#include "isakmp_cfg.h"
	84	#endif
	85	#ifdef ENABLE_FRAG
	86	#include "isakmp_frag.h"
	87	#endif
52b7d2ce A	88
	89	#include "vpn_control.h"
	90	#include "vpn_control_var.h"
e8d9021d A	91	#ifndef HAVE_OPENSSL
	92	#include <Security/SecDH.h>
	93	#endif
52b7d2ce	94
65c25746 A	95	static vchar_t ident_ir2mx (phase1_handle_t );
65c25746 A	96	static vchar_t ident_ir3mx (phase1_handle_t );
52b7d2ce A	97
	98	/* %%%
	99	* begin Identity Protection Mode as initiator.
	100	*/
	101	/*
	102	* send to responder
	103	* psk: HDR, SA
	104	* sig: HDR, SA
	105	* rsa: HDR, SA
	106	* rev: HDR, SA
	107	*/
	108	int
	109	ident_i1send(iph1, msg)
65c25746	110	phase1_handle_t *iph1;
52b7d2ce A	111	vchar_t msg; / must be null */
	112	{
	113	struct payload_list *plist = NULL;
	114	int error = -1;
	115	#ifdef ENABLE_NATT
	116	vchar_t *vid_natt[MAX_NATT_VID_COUNT] = { NULL };
	117	int i;
	118	#endif
d1e348cf A	119	#ifdef ENABLE_HYBRID
	120	vchar_t *vid_xauth = NULL;
	121	vchar_t *vid_unity = NULL;
	122	#endif
	123	#ifdef ENABLE_FRAG
	124	vchar_t *vid_frag = NULL;
	125	#endif
52b7d2ce A	126	#ifdef ENABLE_DPD
	127	vchar_t *vid_dpd = NULL;
	128	#endif
65c25746 A	129
	130	/* validity check */
	131	if (iph1->status != IKEV1_STATE_IDENT_I_START) {
	132	plog(ASL_LEVEL_ERR,
	133	"status mismatched %d.\n", iph1->status);
52b7d2ce A	134	goto end;
52b7d2ce A	135	}
65c25746 A	136
	137	/* validity check */
	138	if (msg != NULL) {
	139	plog(ASL_LEVEL_ERR,
	140	"msg has to be NULL in this function.\n");
52b7d2ce A	141	goto end;
	142	}
	143
	144	/* create isakmp index */
	145	memset(&iph1->index, 0, sizeof(iph1->index));
	146	isakmp_newcookie((caddr_t)&iph1->index, iph1->remote, iph1->local);
	147
	148	/* create SA payload for my proposal */
65c25746	149	iph1->sa = ipsecdoi_setph1proposal(iph1);
d1e348cf	150	if (iph1->sa == NULL) {
65c25746	151	plog(ASL_LEVEL_ERR,
d1e348cf	152	"failed to set proposal");
52b7d2ce	153	goto end;
d1e348cf	154	}
52b7d2ce A	155
	156	/* set SA payload to propose */
	157	plist = isakmp_plist_append(plist, iph1->sa, ISAKMP_NPTYPE_SA);
	158
	159	#ifdef ENABLE_NATT
	160	/* set VID payload for NAT-T if NAT-T support allowed in the config file */
	161	if (iph1->rmconf->nat_traversal)
	162	plist = isakmp_plist_append_natt_vids(plist, vid_natt);
	163	#endif
d1e348cf A	164	#ifdef ENABLE_HYBRID
	165	/* Do we need Xauth VID? */
	166	switch (RMAUTHMETHOD(iph1)) {
	167	case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
	168	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
d1e348cf	169	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
d1e348cf A	170	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
	171	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
	172	if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL)
65c25746	173	plog(ASL_LEVEL_ERR,
d1e348cf A	174	"Xauth vendor ID generation failed\n");
	175	else
	176	plist = isakmp_plist_append(plist,
	177	vid_xauth, ISAKMP_NPTYPE_VID);
	178
	179	if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL)
65c25746	180	plog(ASL_LEVEL_ERR,
d1e348cf A	181	"Unity vendor ID generation failed\n");
	182	else
	183	plist = isakmp_plist_append(plist,
	184	vid_unity, ISAKMP_NPTYPE_VID);
	185	break;
	186	default:
	187	break;
	188	}
	189	#endif
	190	#ifdef ENABLE_FRAG
	191	if (iph1->rmconf->ike_frag) {
	192	if ((vid_frag = set_vendorid(VENDORID_FRAG)) == NULL) {
65c25746	193	plog(ASL_LEVEL_ERR,
d1e348cf A	194	"Frag vendorID construction failed\n");
	195	} else {
	196	vid_frag = isakmp_frag_addcap(vid_frag,
	197	VENDORID_FRAG_IDENT);
	198	plist = isakmp_plist_append(plist,
	199	vid_frag, ISAKMP_NPTYPE_VID);
	200	}
	201	}
	202	#endif
52b7d2ce A	203	#ifdef ENABLE_DPD
	204	if(iph1->rmconf->dpd){
	205	vid_dpd = set_vendorid(VENDORID_DPD);
	206	if (vid_dpd != NULL)
	207	plist = isakmp_plist_append(plist, vid_dpd,
d1e348cf	208	ISAKMP_NPTYPE_VID);
52b7d2ce A	209	}
	210	#endif
	211
	212	iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
	213
	214	#ifdef HAVE_PRINT_ISAKMP_C
	215	isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
	216	#endif
	217
	218	/* send the packet, add to the schedule to resend */
	219	iph1->retry_counter = iph1->rmconf->retry_counter;
d1e348cf	220	if (isakmp_ph1resend(iph1) == -1) {
65c25746	221	plog(ASL_LEVEL_ERR,
d1e348cf	222	"failed to send packet");
52b7d2ce	223	goto end;
d1e348cf	224	}
52b7d2ce	225
65c25746	226	fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_I_MSG1SENT);
52b7d2ce A	227
52b7d2ce A	228	error = 0;
52b7d2ce	229	end:
d1e348cf A	230	#ifdef ENABLE_FRAG
	231	if (vid_frag)
	232	vfree(vid_frag);
	233	#endif
52b7d2ce A	234	#ifdef ENABLE_NATT
	235	for (i = 0; i < MAX_NATT_VID_COUNT && vid_natt[i] != NULL; i++)
	236	vfree(vid_natt[i]);
	237	#endif
d1e348cf A	238	#ifdef ENABLE_HYBRID
	239	if (vid_xauth != NULL)
	240	vfree(vid_xauth);
	241	if (vid_unity != NULL)
	242	vfree(vid_unity);
	243	#endif
52b7d2ce A	244	#ifdef ENABLE_DPD
	245	if (vid_dpd != NULL)
	246	vfree(vid_dpd);
	247	#endif
	248
	249	return error;
	250	}
	251
	252	/*
	253	* receive from responder
	254	* psk: HDR, SA
	255	* sig: HDR, SA
	256	* rsa: HDR, SA
	257	* rev: HDR, SA
	258	*/
	259	int
	260	ident_i2recv(iph1, msg)
65c25746	261	phase1_handle_t *iph1;
52b7d2ce A	262	vchar_t *msg;
	263	{
	264	vchar_t *pbuf = NULL;
	265	struct isakmp_parse_t *pa;
	266	vchar_t *satmp = NULL;
	267	int error = -1;
	268	int vid_numeric;
	269
65c25746 A	270	/* validity check */
	271	if (iph1->status != IKEV1_STATE_IDENT_I_MSG1SENT) {
	272	plog(ASL_LEVEL_ERR,
	273	"status mismatched %d.\n", iph1->status);
52b7d2ce A	274	goto end;
	275	}
	276
	277	/* validate the type of next payload */
	278	/*
	279	* NOTE: RedCreek(as responder) attaches N[responder-lifetime] here,
	280	* if proposal-lifetime > lifetime-redcreek-wants.
	281	* (see doi-08 4.5.4)
	282	* => According to the seciton 4.6.3 in RFC 2407, This is illegal.
	283	* NOTE: we do not really care about ordering of VID and N.
	284	* does it matters?
	285	* NOTE: even if there's multiple VID/N, we'll ignore them.
	286	*/
	287	pbuf = isakmp_parse(msg);
d1e348cf	288	if (pbuf == NULL) {
65c25746	289	plog(ASL_LEVEL_ERR,
d1e348cf	290	"failed to parse msg");
52b7d2ce	291	goto end;
d1e348cf	292	}
85f41bec	293	pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
52b7d2ce A	294
	295	/* SA payload is fixed postion */
	296	if (pa->type != ISAKMP_NPTYPE_SA) {
65c25746	297	plog(ASL_LEVEL_ERR,
52b7d2ce A	298	"received invalid next payload type %d, "
	299	"expecting %d.\n",
	300	pa->type, ISAKMP_NPTYPE_SA);
	301	goto end;
	302	}
d1e348cf	303	if (isakmp_p2ph(&satmp, pa->ptr) < 0) {
65c25746	304	plog(ASL_LEVEL_ERR,
d1e348cf	305	"failed to process SA payload");
52b7d2ce	306	goto end;
d1e348cf	307	}
52b7d2ce A	308	pa++;
	309
	310	for (/nothing/;
	311	pa->type != ISAKMP_NPTYPE_NONE;
	312	pa++) {
	313
	314	switch (pa->type) {
	315	case ISAKMP_NPTYPE_VID:
	316	vid_numeric = check_vendorid(pa->ptr);
	317	#ifdef ENABLE_NATT
	318	if (iph1->rmconf->nat_traversal && natt_vendorid(vid_numeric))
	319	natt_handle_vendorid(iph1, vid_numeric);
	320	#endif
d1e348cf A	321	#ifdef ENABLE_HYBRID
	322	switch (vid_numeric) {
	323	case VENDORID_XAUTH:
	324	iph1->mode_cfg->flags \|=
	325	ISAKMP_CFG_VENDORID_XAUTH;
	326	break;
	327
	328	case VENDORID_UNITY:
	329	iph1->mode_cfg->flags \|=
	330	ISAKMP_CFG_VENDORID_UNITY;
	331	break;
	332
	333	default:
	334	break;
	335	}
	336	#endif
52b7d2ce A	337	#ifdef ENABLE_DPD
	338	if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd)
	339	iph1->dpd_support=1;
e8d9021d A	340	#endif
	341	#ifdef ENABLE_FRAG
	342	if ((vid_numeric == VENDORID_FRAG) &&
	343	(vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_IDENT)) {
65c25746	344	plog(ASL_LEVEL_DEBUG,
e8d9021d A	345	"remote supports FRAGMENTATION\n");
	346	iph1->frag = 1;
	347	}
52b7d2ce A	348	#endif
	349	break;
	350	default:
	351	/* don't send information, see ident_r1recv() */
65c25746	352	plog(ASL_LEVEL_ERR,
52b7d2ce A	353	"ignore the packet, "
	354	"received unexpecting payload type %d.\n",
	355	pa->type);
	356	goto end;
	357	}
	358	}
	359
	360	#ifdef ENABLE_NATT
80318cb7	361	if (NATT_AVAILABLE(iph1)) {
7ebaebe2	362	plog(ASL_LEVEL_NOTICE,
52b7d2ce A	363	"Selected NAT-T version: %s\n",
52b7d2ce A	364	vid_string_by_id(iph1->natt_options->version));
80318cb7 A	365	ike_session_update_natt_version(iph1);
80318cb7 A	366	}
52b7d2ce A	367	#endif
	368
	369	/* check SA payload and set approval SA for use */
	370	if (ipsecdoi_checkph1proposal(satmp, iph1) < 0) {
65c25746	371	plog(ASL_LEVEL_ERR,
52b7d2ce A	372	"failed to get valid proposal.\n");
	373	/* XXX send information */
	374	goto end;
	375	}
	376	VPTRINIT(iph1->sa_ret);
	377
65c25746	378	fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_I_MSG2RCVD);
52b7d2ce A	379
	380	#ifdef ENABLE_VPNCONTROL_PORT
	381	vpncontrol_notify_phase_change(1, FROM_REMOTE, iph1, NULL);
	382	#endif
	383
	384	error = 0;
52b7d2ce A	385	end:
	386	if (pbuf)
	387	vfree(pbuf);
	388	if (satmp)
	389	vfree(satmp);
	390	return error;
	391	}
	392
	393	/*
	394	* send to responder
	395	* psk: HDR, KE, Ni
	396	* sig: HDR, KE, Ni
	397	* gssapi: HDR, KE, Ni, GSSi
	398	* rsa: HDR, KE, [ HASH(1), ] <IDi1_b>PubKey_r, <Ni_b>PubKey_r
	399	* rev: HDR, [ HASH(1), ] <Ni_b>Pubkey_r, <KE_b>Ke_i,
	400	* <IDi1_b>Ke_i, [<<Cert-I_b>Ke_i]
	401	*/
	402	int
65c25746 A	403	ident_i3send(iph1, msg)
65c25746 A	404	phase1_handle_t *iph1;
52b7d2ce A	405	vchar_t *msg;
	406	{
	407	int error = -1;
	408
65c25746 A	409	/* validity check */
	410	if (iph1->status != IKEV1_STATE_IDENT_I_MSG2RCVD) {
	411	plog(ASL_LEVEL_ERR,
	412	"status mismatched %d.\n", iph1->status);
52b7d2ce A	413	goto end;
	414	}
	415
	416	/* fix isakmp index */
	417	memcpy(&iph1->index.r_ck, &((struct isakmp *)msg->v)->r_ck,
	418	sizeof(cookie_t));
	419
	420	/* generate DH public value */
e8d9021d	421	#ifdef HAVE_OPENSSL
52b7d2ce	422	if (oakley_dh_generate(iph1->approval->dhgrp,
d1e348cf	423	&iph1->dhpub, &iph1->dhpriv) < 0) {
e8d9021d A	424	#else
	425	if (oakley_dh_generate(iph1->approval->dhgrp,
	426	&iph1->dhpub, &iph1->publicKeySize, &iph1->dhC) < 0) {
	427	#endif
65c25746	428	plog(ASL_LEVEL_ERR,
d1e348cf	429	"failed to generate DH");
52b7d2ce	430	goto end;
d1e348cf	431	}
52b7d2ce A	432
	433	/* generate NONCE value */
	434	iph1->nonce = eay_set_random(iph1->rmconf->nonce_size);
d1e348cf	435	if (iph1->nonce == NULL) {
65c25746	436	plog(ASL_LEVEL_ERR,
d1e348cf	437	"failed to generate NONCE");
52b7d2ce	438	goto end;
d1e348cf	439	}
52b7d2ce	440
52b7d2ce A	441	/* create buffer to send isakmp payload */
52b7d2ce A	442	iph1->sendbuf = ident_ir2mx(iph1);
d1e348cf	443	if (iph1->sendbuf == NULL) {
65c25746	444	plog(ASL_LEVEL_ERR,
d1e348cf	445	"failed to create send buffer");
52b7d2ce	446	goto end;
d1e348cf	447	}
52b7d2ce A	448
	449	#ifdef HAVE_PRINT_ISAKMP_C
	450	isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
	451	#endif
	452
	453	/* send the packet, add to the schedule to resend */
	454	iph1->retry_counter = iph1->rmconf->retry_counter;
d1e348cf	455	if (isakmp_ph1resend(iph1) == -1) {
65c25746	456	plog(ASL_LEVEL_ERR,
d1e348cf	457	"failed to send packet");
52b7d2ce	458	goto end;
d1e348cf	459	}
52b7d2ce A	460
52b7d2ce A	461	/* the sending message is added to the received-list. */
65c25746 A	462	if (ike_session_add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
	463	PH1_NON_ESP_EXTRA_LEN(iph1, iph1->sendbuf), PH1_FRAG_FLAGS(iph1)) == -1) {
	464	plog(ASL_LEVEL_ERR ,
52b7d2ce A	465	"failed to add a response packet to the tree.\n");
	466	goto end;
	467	}
	468
65c25746	469	fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_I_MSG3SENT);
52b7d2ce A	470
52b7d2ce A	471	error = 0;
52b7d2ce A	472	end:
	473	return error;
	474	}
	475
	476	/*
	477	* receive from responder
	478	* psk: HDR, KE, Nr
	479	* sig: HDR, KE, Nr [, CR ]
	480	* gssapi: HDR, KE, Nr, GSSr
	481	* rsa: HDR, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i
	482	* rev: HDR, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDr1_b>Ke_r,
	483	*/
	484	int
65c25746 A	485	ident_i4recv(iph1, msg)
65c25746 A	486	phase1_handle_t *iph1;
52b7d2ce A	487	vchar_t *msg;
	488	{
	489	vchar_t *pbuf = NULL;
	490	struct isakmp_parse_t *pa;
	491	int error = -1;
d1e348cf	492	int vid_numeric;
52b7d2ce A	493	#ifdef ENABLE_NATT
	494	vchar_t *natd_received;
	495	int natd_seq = 0, natd_verified;
	496	#endif
	497
65c25746 A	498	/* validity check */
	499	if (iph1->status != IKEV1_STATE_IDENT_I_MSG3SENT) {
	500	plog(ASL_LEVEL_ERR,
	501	"status mismatched %d.\n", iph1->status);
52b7d2ce A	502	goto end;
	503	}
	504
	505	/* validate the type of next payload */
	506	pbuf = isakmp_parse(msg);
d1e348cf	507	if (pbuf == NULL) {
65c25746	508	plog(ASL_LEVEL_ERR,
d1e348cf	509	"failed to parse msg");
52b7d2ce	510	goto end;
d1e348cf	511	}
52b7d2ce	512
85f41bec	513	for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
52b7d2ce A	514	pa->type != ISAKMP_NPTYPE_NONE;
	515	pa++) {
	516
	517	switch (pa->type) {
	518	case ISAKMP_NPTYPE_KE:
d1e348cf	519	if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) {
65c25746	520	plog(ASL_LEVEL_ERR,
d1e348cf	521	"failed to process KE payload");
52b7d2ce	522	goto end;
d1e348cf	523	}
52b7d2ce A	524	break;
52b7d2ce A	525	case ISAKMP_NPTYPE_NONCE:
d1e348cf	526	if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) {
65c25746	527	plog(ASL_LEVEL_ERR,
d1e348cf	528	"failed to process NONCE payload");
52b7d2ce	529	goto end;
d1e348cf	530	}
52b7d2ce A	531	break;
52b7d2ce A	532	case ISAKMP_NPTYPE_VID:
d1e348cf A	533	vid_numeric = check_vendorid(pa->ptr);
	534	#ifdef ENABLE_HYBRID
	535	switch (vid_numeric) {
	536	case VENDORID_XAUTH:
	537	iph1->mode_cfg->flags \|=
	538	ISAKMP_CFG_VENDORID_XAUTH;
	539	break;
	540
	541	case VENDORID_UNITY:
	542	iph1->mode_cfg->flags \|=
	543	ISAKMP_CFG_VENDORID_UNITY;
	544	break;
	545
	546	default:
	547	break;
	548	}
	549	#endif
	550	#ifdef ENABLE_DPD
	551	if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd)
	552	iph1->dpd_support=1;
	553	#endif
	554
52b7d2ce A	555	break;
52b7d2ce A	556	case ISAKMP_NPTYPE_CR:
d1e348cf	557	if (oakley_savecr(iph1, pa->ptr) < 0) {
65c25746	558	plog(ASL_LEVEL_ERR,
d1e348cf	559	"failed to process CR payload");
52b7d2ce	560	goto end;
d1e348cf	561	}
52b7d2ce	562	break;
52b7d2ce A	563
	564	#ifdef ENABLE_NATT
	565	case ISAKMP_NPTYPE_NATD_DRAFT:
	566	case ISAKMP_NPTYPE_NATD_RFC:
52b7d2ce	567	case ISAKMP_NPTYPE_NATD_BADDRAFT:
52b7d2ce A	568	if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL &&
	569	pa->type == iph1->natt_options->payload_nat_d) {
	570	natd_received = NULL;
d1e348cf	571	if (isakmp_p2ph (&natd_received, pa->ptr) < 0) {
65c25746	572	plog(ASL_LEVEL_ERR,
d1e348cf	573	"failed to process NATD payload");
52b7d2ce	574	goto end;
d1e348cf	575	}
52b7d2ce A	576
	577	/* set both bits first so that we can clear them
	578	upon verifying hashes */
	579	if (natd_seq == 0)
	580	iph1->natt_flags \|= NAT_DETECTED;
	581
	582	/* this function will clear appropriate bits bits
	583	from iph1->natt_flags */
	584	natd_verified = natt_compare_addr_hash (iph1,
	585	natd_received, natd_seq++);
	586
7ebaebe2	587	plog (ASL_LEVEL_NOTICE, "NAT-D payload #%d %s\n",
52b7d2ce A	588	natd_seq - 1,
	589	natd_verified ? "verified" : "doesn't match");
	590
	591	vfree (natd_received);
	592	break;
	593	}
	594	/* %%%% Be lenient here - some servers send natd payloads */
	595	/* when no nat is detected */
	596	break;
	597	#endif
	598
	599	default:
	600	/* don't send information, see ident_r1recv() */
65c25746	601	plog(ASL_LEVEL_ERR,
52b7d2ce A	602	"ignore the packet, "
	603	"received unexpecting payload type %d.\n",
	604	pa->type);
	605	goto end;
	606	}
	607	}
	608
	609	#ifdef ENABLE_NATT
	610	if (NATT_AVAILABLE(iph1)) {
7ebaebe2	611	plog (ASL_LEVEL_NOTICE, "NAT %s %s%s\n",
52b7d2ce A	612	iph1->natt_flags & NAT_DETECTED ?
	613	"detected:" : "not detected",
	614	iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "",
	615	iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : "");
	616	if (iph1->natt_flags & NAT_DETECTED)
	617	natt_float_ports (iph1);
	618	}
	619	#endif
	620
	621	/* payload existency check */
	622	if (iph1->dhpub_p == NULL \|\| iph1->nonce_p == NULL) {
65c25746	623	plog(ASL_LEVEL_ERR,
52b7d2ce A	624	"few isakmp message received.\n");
	625	goto end;
	626	}
	627
	628	if (oakley_checkcr(iph1) < 0) {
	629	/* Ignore this error in order to be interoperability. */
	630	;
	631	}
	632
65c25746	633	fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_I_MSG4RCVD);
52b7d2ce A	634
52b7d2ce A	635	error = 0;
52b7d2ce A	636	end:
	637	if (pbuf)
	638	vfree(pbuf);
	639	if (error) {
	640	VPTRINIT(iph1->dhpub_p);
	641	VPTRINIT(iph1->nonce_p);
	642	VPTRINIT(iph1->id_p);
	643	oakley_delcert(iph1->cr_p);
	644	iph1->cr_p = NULL;
	645	}
	646
	647	return error;
	648	}
	649
	650	/*
	651	* send to responder
	652	* psk: HDR*, IDi1, HASH_I
	653	* sig: HDR*, IDi1, [ CR, ] [ CERT, ] SIG_I
	654	* gssapi: HDR*, IDi1, < Gssi(n) \| HASH_I >
	655	* rsa: HDR*, HASH_I
	656	* rev: HDR*, HASH_I
	657	*/
	658	int
65c25746 A	659	ident_i5send(iph1, msg0)
65c25746 A	660	phase1_handle_t *iph1;
52b7d2ce A	661	vchar_t *msg0;
	662	{
	663	int error = -1;
	664	int dohash = 1;
52b7d2ce	665
65c25746 A	666	/* validity check */
	667	if (iph1->status != IKEV1_STATE_IDENT_I_MSG4RCVD) {
	668	plog(ASL_LEVEL_ERR,
	669	"status mismatched %d.\n", iph1->status);
52b7d2ce A	670	goto end;
	671	}
	672
	673	/* compute sharing secret of DH */
e8d9021d	674	#ifdef HAVE_OPENSSL
52b7d2ce	675	if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub,
d1e348cf	676	iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) {
e8d9021d	677	#else
65c25746	678	if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub_p, iph1->publicKeySize, &iph1->dhgxy, &iph1->dhC) < 0) {
e8d9021d	679	#endif
65c25746	680	plog(ASL_LEVEL_ERR,
d1e348cf	681	"failed to compute DH");
52b7d2ce	682	goto end;
d1e348cf	683	}
52b7d2ce A	684
52b7d2ce A	685	/* generate SKEYIDs & IV & final cipher key */
d1e348cf	686	if (oakley_skeyid(iph1) < 0) {
65c25746	687	plog(ASL_LEVEL_ERR,
d1e348cf	688	"failed to generate SKEYID");
52b7d2ce	689	goto end;
d1e348cf A	690	}
d1e348cf A	691	if (oakley_skeyid_dae(iph1) < 0) {
65c25746	692	plog(ASL_LEVEL_ERR,
d1e348cf	693	"failed to generate SKEYID-DAE");
52b7d2ce	694	goto end;
d1e348cf A	695	}
d1e348cf A	696	if (oakley_compute_enckey(iph1) < 0) {
65c25746	697	plog(ASL_LEVEL_ERR,
d1e348cf	698	"failed to generate ENCKEY");
52b7d2ce	699	goto end;
d1e348cf A	700	}
d1e348cf A	701	if (oakley_newiv(iph1) < 0) {
65c25746	702	plog(ASL_LEVEL_ERR,
d1e348cf	703	"failed to generate IV");
52b7d2ce	704	goto end;
d1e348cf	705	}
52b7d2ce A	706
52b7d2ce A	707	/* make ID payload into isakmp status */
d1e348cf	708	if (ipsecdoi_setid1(iph1) < 0) {
65c25746	709	plog(ASL_LEVEL_ERR,
d1e348cf	710	"failed to set ID");
52b7d2ce	711	goto end;
d1e348cf	712	}
52b7d2ce	713
52b7d2ce A	714	/* generate HASH to send */
	715	if (dohash) {
	716	iph1->hash = oakley_ph1hash_common(iph1, GENERATE);
d1e348cf	717	if (iph1->hash == NULL) {
65c25746	718	plog(ASL_LEVEL_ERR,
d1e348cf	719	"failed to generate HASH");
52b7d2ce	720	goto end;
d1e348cf	721	}
52b7d2ce A	722	} else
	723	iph1->hash = NULL;
	724
	725	/* set encryption flag */
	726	iph1->flags \|= ISAKMP_FLAG_E;
	727
	728	/* create HDR;ID;HASH payload */
	729	iph1->sendbuf = ident_ir3mx(iph1);
d1e348cf	730	if (iph1->sendbuf == NULL) {
65c25746	731	plog(ASL_LEVEL_ERR,
d1e348cf	732	"failed to allocate send buffer");
52b7d2ce	733	goto end;
d1e348cf	734	}
52b7d2ce A	735
	736	/* send the packet, add to the schedule to resend */
	737	iph1->retry_counter = iph1->rmconf->retry_counter;
d1e348cf	738	if (isakmp_ph1resend(iph1) == -1) {
65c25746	739	plog(ASL_LEVEL_ERR,
d1e348cf	740	"failed to send packet");
52b7d2ce	741	goto end;
d1e348cf	742	}
52b7d2ce A	743
52b7d2ce A	744	/* the sending message is added to the received-list. */
65c25746 A	745	if (ike_session_add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg0,
	746	PH1_NON_ESP_EXTRA_LEN(iph1, iph1->sendbuf), PH1_FRAG_FLAGS(iph1)) == -1) {
	747	plog(ASL_LEVEL_ERR ,
52b7d2ce A	748	"failed to add a response packet to the tree.\n");
	749	goto end;
	750	}
	751
	752	/* see handler.h about IV synchronization. */
	753	memcpy(iph1->ivm->ive->v, iph1->ivm->iv->v, iph1->ivm->iv->l);
	754
65c25746	755	fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_I_MSG5SENT);
52b7d2ce A	756
52b7d2ce A	757	error = 0;
52b7d2ce A	758	end:
	759	return error;
	760	}
	761
	762	/*
	763	* receive from responder
	764	* psk: HDR*, IDr1, HASH_R
	765	* sig: HDR*, IDr1, [ CERT, ] SIG_R
	766	* gssapi: HDR*, IDr1, < GSSr(n) \| HASH_R >
	767	* rsa: HDR*, HASH_R
	768	* rev: HDR*, HASH_R
	769	*/
	770	int
65c25746 A	771	ident_i6recv(iph1, msg0)
65c25746 A	772	phase1_handle_t *iph1;
52b7d2ce A	773	vchar_t *msg0;
	774	{
	775	vchar_t *pbuf = NULL;
	776	struct isakmp_parse_t *pa;
	777	vchar_t *msg = NULL;
	778	int error = -1;
	779	int type;
d1e348cf	780	int vid_numeric;
e8d9021d	781	int received_cert = 0;
52b7d2ce	782
65c25746 A	783	/* validity check */
	784	if (iph1->status != IKEV1_STATE_IDENT_I_MSG5SENT) {
	785	plog(ASL_LEVEL_ERR,
	786	"status mismatched %d.\n", iph1->status);
52b7d2ce A	787	goto end;
	788	}
	789
	790	/* decrypting */
	791	if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
65c25746	792	plog(ASL_LEVEL_ERR,
52b7d2ce A	793	"ignore the packet, "
	794	"expecting the packet encrypted.\n");
	795	goto end;
	796	}
	797	msg = oakley_do_decrypt(iph1, msg0, iph1->ivm->iv, iph1->ivm->ive);
d1e348cf	798	if (msg == NULL) {
65c25746	799	plog(ASL_LEVEL_ERR,
d1e348cf	800	"failed to decrypt");
52b7d2ce	801	goto end;
d1e348cf	802	}
52b7d2ce A	803
	804	/* validate the type of next payload */
	805	pbuf = isakmp_parse(msg);
d1e348cf	806	if (pbuf == NULL) {
65c25746	807	plog(ASL_LEVEL_ERR,
d1e348cf	808	"failed to parse msg");
52b7d2ce	809	goto end;
d1e348cf	810	}
52b7d2ce A	811
	812	iph1->pl_hash = NULL;
	813
85f41bec	814	for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
52b7d2ce A	815	pa->type != ISAKMP_NPTYPE_NONE;
	816	pa++) {
	817
	818	switch (pa->type) {
	819	case ISAKMP_NPTYPE_ID:
d1e348cf	820	if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) {
65c25746	821	plog(ASL_LEVEL_ERR,
d1e348cf	822	"failed to process ID payload");
52b7d2ce	823	goto end;
d1e348cf	824	}
52b7d2ce A	825	break;
	826	case ISAKMP_NPTYPE_HASH:
	827	iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr;
	828	break;
	829	case ISAKMP_NPTYPE_CERT:
d1e348cf	830	if (oakley_savecert(iph1, pa->ptr) < 0) {
65c25746	831	plog(ASL_LEVEL_ERR,
d1e348cf	832	"failed to process CERT payload");
52b7d2ce	833	goto end;
d1e348cf	834	}
e8d9021d	835	received_cert = 1;
52b7d2ce A	836	break;
52b7d2ce A	837	case ISAKMP_NPTYPE_SIG:
d1e348cf	838	if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) {
65c25746	839	plog(ASL_LEVEL_ERR,
d1e348cf	840	"failed to process SIG payload");
52b7d2ce	841	goto end;
d1e348cf	842	}
52b7d2ce	843	break;
65c25746	844
52b7d2ce	845	case ISAKMP_NPTYPE_VID:
d1e348cf A	846	vid_numeric = check_vendorid(pa->ptr);
	847	#ifdef ENABLE_DPD
	848	if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd)
	849	iph1->dpd_support=1;
	850	#endif
	851	break;
52b7d2ce A	852	case ISAKMP_NPTYPE_N:
	853	isakmp_check_notify(pa->ptr, iph1);
	854	break;
	855	default:
	856	/* don't send information, see ident_r1recv() */
65c25746	857	plog(ASL_LEVEL_ERR,
52b7d2ce A	858	"ignore the packet, "
	859	"received unexpecting payload type %d.\n",
	860	pa->type);
	861	goto end;
	862	}
	863	}
	864
e8d9021d A	865	if (received_cert) {
	866	oakley_verify_certid(iph1);
	867	}
	868
52b7d2ce A	869	/* payload existency check */
	870
	871	/* verify identifier */
	872	if (ipsecdoi_checkid1(iph1) != 0) {
65c25746	873	plog(ASL_LEVEL_ERR,
52b7d2ce A	874	"invalid ID payload.\n");
	875	goto end;
	876	}
	877
	878	/* validate authentication value */
65c25746 A	879	type = oakley_validate_auth(iph1);
65c25746 A	880	if (type != 0) {
65c25746 A	881	if (type == -1) {
	882	/* msg printed inner oakley_validate_auth() */
	883	goto end;
	884	}
	885	isakmp_info_send_n1(iph1, type, NULL);
	886	goto end;
	887	}
52b7d2ce A	888
	889	/*
	890	* XXX: Should we do compare two addresses, ph1handle's and ID
	891	* payload's.
	892	*/
	893
65c25746	894	plogdump(ASL_LEVEL_DEBUG, iph1->id_p->v, iph1->id_p->l, "peer's ID:");
52b7d2ce A	895
	896	/* see handler.h about IV synchronization. */
	897	memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->ive->l);
	898
	899	/*
	900	* If we got a GSS token, we need to this roundtrip again.
	901	*/
65c25746	902	fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_I_MSG6RCVD);
52b7d2ce A	903
52b7d2ce A	904	error = 0;
52b7d2ce A	905	end:
	906	if (pbuf)
	907	vfree(pbuf);
	908	if (msg)
	909	vfree(msg);
52b7d2ce A	910
	911	if (error) {
	912	VPTRINIT(iph1->id_p);
	913	oakley_delcert(iph1->cert_p);
	914	iph1->cert_p = NULL;
	915	oakley_delcert(iph1->crl_p);
	916	iph1->crl_p = NULL;
	917	VPTRINIT(iph1->sig_p);
	918	}
	919
	920	return error;
	921	}
	922
	923	/*
	924	* status update and establish isakmp sa.
	925	*/
	926	int
65c25746 A	927	ident_ifinalize(iph1, msg)
65c25746 A	928	phase1_handle_t *iph1;
52b7d2ce A	929	vchar_t *msg;
	930	{
	931	int error = -1;
	932
65c25746 A	933	/* validity check */
	934	if (iph1->status != IKEV1_STATE_IDENT_I_MSG6RCVD) {
	935	plog(ASL_LEVEL_ERR,
	936	"status mismatched %d.\n", iph1->status);
52b7d2ce A	937	goto end;
	938	}
	939
	940	/* see handler.h about IV synchronization. */
	941	memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->iv->l);
	942
65c25746	943	fsm_set_state(&iph1->status, IKEV1_STATE_PHASE1_ESTABLISHED);
52b7d2ce	944	error = 0;
52b7d2ce A	945	end:
	946	return error;
	947	}
	948
	949	/*
	950	* receive from initiator
	951	* psk: HDR, SA
	952	* sig: HDR, SA
	953	* rsa: HDR, SA
	954	* rev: HDR, SA
	955	*/
	956	int
	957	ident_r1recv(iph1, msg)
65c25746	958	phase1_handle_t *iph1;
52b7d2ce A	959	vchar_t *msg;
	960	{
	961	vchar_t *pbuf = NULL;
	962	struct isakmp_parse_t *pa;
	963	int error = -1;
	964	int vid_numeric;
	965
	966	/* validity check */
65c25746 A	967	if (iph1->status != IKEV1_STATE_IDENT_R_START) {
65c25746 A	968	plog(ASL_LEVEL_ERR,
52b7d2ce A	969	"status mismatched %d.\n", iph1->status);
	970	goto end;
	971	}
	972
	973	/* validate the type of next payload */
	974	/*
	975	* NOTE: XXX even if multiple VID, we'll silently ignore those.
	976	*/
	977	pbuf = isakmp_parse(msg);
d1e348cf	978	if (pbuf == NULL) {
65c25746	979	plog(ASL_LEVEL_ERR,
d1e348cf	980	"failed to parse msg");
52b7d2ce	981	goto end;
d1e348cf	982	}
85f41bec	983	pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
52b7d2ce A	984
	985	/* check the position of SA payload */
	986	if (pa->type != ISAKMP_NPTYPE_SA) {
65c25746	987	plog(ASL_LEVEL_ERR,
52b7d2ce A	988	"received invalid next payload type %d, "
	989	"expecting %d.\n",
	990	pa->type, ISAKMP_NPTYPE_SA);
	991	goto end;
	992	}
d1e348cf	993	if (isakmp_p2ph(&iph1->sa, pa->ptr) < 0) {
65c25746	994	plog(ASL_LEVEL_ERR,
d1e348cf	995	"failed to process SA payload");
52b7d2ce	996	goto end;
d1e348cf	997	}
52b7d2ce A	998	pa++;
	999
	1000	for (/nothing/;
	1001	pa->type != ISAKMP_NPTYPE_NONE;
	1002	pa++) {
	1003
	1004	switch (pa->type) {
	1005	case ISAKMP_NPTYPE_VID:
	1006	vid_numeric = check_vendorid(pa->ptr);
	1007	#ifdef ENABLE_NATT
	1008	if (iph1->rmconf->nat_traversal && natt_vendorid(vid_numeric))
	1009	natt_handle_vendorid(iph1, vid_numeric);
	1010	#endif
d1e348cf A	1011	#ifdef ENABLE_HYBRID
	1012	switch (vid_numeric) {
	1013	case VENDORID_XAUTH:
	1014	iph1->mode_cfg->flags \|=
	1015	ISAKMP_CFG_VENDORID_XAUTH;
	1016	break;
	1017
	1018	case VENDORID_UNITY:
	1019	iph1->mode_cfg->flags \|=
	1020	ISAKMP_CFG_VENDORID_UNITY;
	1021	break;
	1022
	1023	default:
	1024	break;
	1025	}
	1026	#endif
52b7d2ce A	1027	#ifdef ENABLE_DPD
	1028	if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd)
	1029	iph1->dpd_support=1;
e8d9021d A	1030	#endif
	1031	#ifdef ENABLE_FRAG
	1032	if ((vid_numeric == VENDORID_FRAG) &&
	1033	(vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_IDENT)) {
65c25746	1034	plog(ASL_LEVEL_DEBUG,
e8d9021d A	1035	"remote supports FRAGMENTATION\n");
	1036	iph1->frag = 1;
	1037	}
52b7d2ce A	1038	#endif
	1039	break;
	1040	default:
	1041	/*
	1042	* We don't send information to the peer even
	1043	* if we received malformed packet. Because we
	1044	* can't distinguish the malformed packet and
	1045	* the re-sent packet. And we do same behavior
	1046	* when we expect encrypted packet.
	1047	*/
65c25746	1048	plog(ASL_LEVEL_ERR,
52b7d2ce A	1049	"ignore the packet, "
	1050	"received unexpecting payload type %d.\n",
	1051	pa->type);
	1052	goto end;
	1053	}
	1054	}
	1055
	1056	#ifdef ENABLE_NATT
80318cb7	1057	if (NATT_AVAILABLE(iph1)) {
7ebaebe2	1058	plog(ASL_LEVEL_NOTICE,
52b7d2ce A	1059	"Selected NAT-T version: %s\n",
52b7d2ce A	1060	vid_string_by_id(iph1->natt_options->version));
80318cb7 A	1061	ike_session_update_natt_version(iph1);
80318cb7 A	1062	}
52b7d2ce A	1063	#endif
	1064
	1065	/* check SA payload and set approval SA for use */
	1066	if (ipsecdoi_checkph1proposal(iph1->sa, iph1) < 0) {
65c25746	1067	plog(ASL_LEVEL_ERR,
52b7d2ce A	1068	"failed to get valid proposal.\n");
	1069	/* XXX send information */
	1070	goto end;
	1071	}
	1072
65c25746	1073	fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_R_MSG1RCVD);
52b7d2ce A	1074
52b7d2ce A	1075	error = 0;
52b7d2ce A	1076	end:
	1077	if (pbuf)
	1078	vfree(pbuf);
	1079	if (error) {
	1080	VPTRINIT(iph1->sa);
	1081	}
	1082
	1083	return error;
	1084	}
	1085
	1086	/*
	1087	* send to initiator
	1088	* psk: HDR, SA
	1089	* sig: HDR, SA
	1090	* rsa: HDR, SA
	1091	* rev: HDR, SA
	1092	*/
	1093	int
65c25746 A	1094	ident_r2send(iph1, msg)
65c25746 A	1095	phase1_handle_t *iph1;
52b7d2ce A	1096	vchar_t *msg;
	1097	{
	1098	struct payload_list *plist = NULL;
	1099	int error = -1;
	1100	vchar_t *gss_sa = NULL;
52b7d2ce A	1101	#ifdef ENABLE_NATT
	1102	vchar_t *vid_natt = NULL;
	1103	#endif
d1e348cf A	1104	#ifdef ENABLE_HYBRID
	1105	vchar_t *vid_xauth = NULL;
	1106	vchar_t *vid_unity = NULL;
	1107	#endif
52b7d2ce A	1108	#ifdef ENABLE_DPD
	1109	vchar_t *vid_dpd = NULL;
	1110	#endif
d1e348cf A	1111	#ifdef ENABLE_FRAG
	1112	vchar_t *vid_frag = NULL;
	1113	#endif
52b7d2ce A	1114
52b7d2ce A	1115	/* validity check */
65c25746 A	1116	if (iph1->status != IKEV1_STATE_IDENT_R_MSG1RCVD) {
65c25746 A	1117	plog(ASL_LEVEL_ERR,
52b7d2ce A	1118	"status mismatched %d.\n", iph1->status);
	1119	goto end;
	1120	}
	1121
	1122	/* set responder's cookie */
	1123	isakmp_newcookie((caddr_t)&iph1->index.r_ck, iph1->remote, iph1->local);
65c25746	1124	gss_sa = iph1->sa_ret;
52b7d2ce A	1125
	1126	/* set SA payload to reply */
	1127	plist = isakmp_plist_append(plist, gss_sa, ISAKMP_NPTYPE_SA);
	1128
d1e348cf A	1129	#ifdef ENABLE_HYBRID
d1e348cf A	1130	if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) {
7ebaebe2	1131	plog (ASL_LEVEL_NOTICE, "Adding xauth VID payload.\n");
d1e348cf	1132	if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL) {
65c25746	1133	plog(ASL_LEVEL_ERR,
d1e348cf A	1134	"Cannot create Xauth vendor ID\n");
	1135	goto end;
	1136	}
	1137	plist = isakmp_plist_append(plist,
	1138	vid_xauth, ISAKMP_NPTYPE_VID);
	1139	}
52b7d2ce	1140
d1e348cf A	1141	if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_UNITY) {
d1e348cf A	1142	if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL) {
65c25746	1143	plog(ASL_LEVEL_ERR,
d1e348cf A	1144	"Cannot create Unity vendor ID\n");
	1145	goto end;
	1146	}
	1147	plist = isakmp_plist_append(plist,
	1148	vid_unity, ISAKMP_NPTYPE_VID);
	1149	}
	1150	#endif
52b7d2ce A	1151	#ifdef ENABLE_NATT
	1152	/* Has the peer announced NAT-T? */
	1153	if (NATT_AVAILABLE(iph1))
	1154	vid_natt = set_vendorid(iph1->natt_options->version);
	1155
	1156	if (vid_natt)
	1157	plist = isakmp_plist_append(plist, vid_natt, ISAKMP_NPTYPE_VID);
	1158	#endif
	1159	#ifdef ENABLE_DPD
	1160	/* XXX only send DPD VID if remote sent it ? */
	1161	if(iph1->rmconf->dpd){
	1162	vid_dpd = set_vendorid(VENDORID_DPD);
	1163	if (vid_dpd != NULL)
	1164	plist = isakmp_plist_append(plist, vid_dpd, ISAKMP_NPTYPE_VID);
	1165	}
	1166	#endif
d1e348cf A	1167	#ifdef ENABLE_FRAG
	1168	if (iph1->frag) {
	1169	vid_frag = set_vendorid(VENDORID_FRAG);
	1170	if (vid_frag != NULL)
	1171	vid_frag = isakmp_frag_addcap(vid_frag,
	1172	VENDORID_FRAG_IDENT);
	1173	if (vid_frag == NULL)
65c25746	1174	plog(ASL_LEVEL_ERR,
d1e348cf A	1175	"Frag vendorID construction failed\n");
	1176	else
	1177	plist = isakmp_plist_append(plist,
	1178	vid_frag, ISAKMP_NPTYPE_VID);
	1179	}
	1180	#endif
52b7d2ce A	1181
	1182	iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
	1183
	1184	#ifdef HAVE_PRINT_ISAKMP_C
	1185	isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
	1186	#endif
	1187
	1188	/* send the packet, add to the schedule to resend */
	1189	iph1->retry_counter = iph1->rmconf->retry_counter;
d1e348cf	1190	if (isakmp_ph1resend(iph1) == -1) {
65c25746	1191	plog(ASL_LEVEL_ERR,
d1e348cf	1192	"failed to send packet");
52b7d2ce	1193	goto end;
d1e348cf	1194	}
52b7d2ce A	1195
52b7d2ce A	1196	/* the sending message is added to the received-list. */
65c25746 A	1197	if (ike_session_add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
	1198	PH1_NON_ESP_EXTRA_LEN(iph1, iph1->sendbuf), PH1_FRAG_FLAGS(iph1)) == -1) {
	1199	plog(ASL_LEVEL_ERR ,
52b7d2ce A	1200	"failed to add a response packet to the tree.\n");
	1201	goto end;
	1202	}
	1203
65c25746	1204	fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_R_MSG2SENT);
52b7d2ce A	1205
	1206	#ifdef ENABLE_VPNCONTROL_PORT
	1207	vpncontrol_notify_phase_change(1, FROM_LOCAL, iph1, NULL);
	1208	#endif
	1209
	1210	error = 0;
52b7d2ce	1211	end:
52b7d2ce A	1212	#ifdef ENABLE_NATT
	1213	if (vid_natt)
	1214	vfree(vid_natt);
	1215	#endif
d1e348cf A	1216	#ifdef ENABLE_HYBRID
	1217	if (vid_xauth != NULL)
	1218	vfree(vid_xauth);
	1219	if (vid_unity != NULL)
	1220	vfree(vid_unity);
	1221	#endif
52b7d2ce A	1222	#ifdef ENABLE_DPD
	1223	if (vid_dpd != NULL)
	1224	vfree(vid_dpd);
	1225	#endif
d1e348cf A	1226	#ifdef ENABLE_FRAG
	1227	if (vid_frag != NULL)
	1228	vfree(vid_frag);
	1229	#endif
52b7d2ce A	1230
	1231	return error;
	1232	}
	1233
	1234	/*
	1235	* receive from initiator
	1236	* psk: HDR, KE, Ni
	1237	* sig: HDR, KE, Ni
	1238	* gssapi: HDR, KE, Ni, GSSi
	1239	* rsa: HDR, KE, [ HASH(1), ] <IDi1_b>PubKey_r, <Ni_b>PubKey_r
	1240	* rev: HDR, [ HASH(1), ] <Ni_b>Pubkey_r, <KE_b>Ke_i,
	1241	* <IDi1_b>Ke_i, [<<Cert-I_b>Ke_i]
	1242	*/
	1243	int
65c25746 A	1244	ident_r3recv(iph1, msg)
65c25746 A	1245	phase1_handle_t *iph1;
52b7d2ce A	1246	vchar_t *msg;
	1247	{
	1248	vchar_t *pbuf = NULL;
	1249	struct isakmp_parse_t *pa;
	1250	int error = -1;
52b7d2ce A	1251	#ifdef ENABLE_NATT
	1252	int natd_seq = 0;
	1253	#endif
	1254
	1255	/* validity check */
65c25746 A	1256	if (iph1->status != IKEV1_STATE_IDENT_R_MSG2SENT) {
65c25746 A	1257	plog(ASL_LEVEL_ERR,
52b7d2ce A	1258	"status mismatched %d.\n", iph1->status);
	1259	goto end;
	1260	}
	1261
	1262	/* validate the type of next payload */
	1263	pbuf = isakmp_parse(msg);
d1e348cf	1264	if (pbuf == NULL) {
65c25746	1265	plog(ASL_LEVEL_ERR,
d1e348cf	1266	"failed to parse msg");
52b7d2ce	1267	goto end;
d1e348cf	1268	}
52b7d2ce	1269
85f41bec	1270	for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
52b7d2ce A	1271	pa->type != ISAKMP_NPTYPE_NONE;
	1272	pa++) {
	1273	switch (pa->type) {
	1274	case ISAKMP_NPTYPE_KE:
d1e348cf	1275	if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) {
65c25746	1276	plog(ASL_LEVEL_ERR,
d1e348cf	1277	"failed to process KE payload");
52b7d2ce	1278	goto end;
d1e348cf	1279	}
52b7d2ce A	1280	break;
52b7d2ce A	1281	case ISAKMP_NPTYPE_NONCE:
d1e348cf	1282	if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) {
65c25746	1283	plog(ASL_LEVEL_ERR,
d1e348cf	1284	"failed to process NONCE payload");
52b7d2ce	1285	goto end;
d1e348cf	1286	}
52b7d2ce A	1287	break;
	1288	case ISAKMP_NPTYPE_VID:
	1289	(void)check_vendorid(pa->ptr);
	1290	break;
	1291	case ISAKMP_NPTYPE_CR:
65c25746	1292	plog(ASL_LEVEL_WARNING,
52b7d2ce A	1293	"CR received, ignore it. "
	1294	"It should be in other exchange.\n");
	1295	break;
52b7d2ce A	1296
	1297	#ifdef ENABLE_NATT
	1298	case ISAKMP_NPTYPE_NATD_DRAFT:
	1299	case ISAKMP_NPTYPE_NATD_RFC:
52b7d2ce	1300	case ISAKMP_NPTYPE_NATD_BADDRAFT:
52b7d2ce A	1301	if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL &&
	1302	pa->type == iph1->natt_options->payload_nat_d)
	1303	{
	1304	vchar_t *natd_received = NULL;
	1305	int natd_verified;
	1306
d1e348cf	1307	if (isakmp_p2ph (&natd_received, pa->ptr) < 0) {
65c25746	1308	plog(ASL_LEVEL_ERR,
d1e348cf	1309	"failed to process NATD payload");
52b7d2ce	1310	goto end;
d1e348cf	1311	}
52b7d2ce A	1312
	1313	if (natd_seq == 0)
	1314	iph1->natt_flags \|= NAT_DETECTED;
	1315
	1316	natd_verified = natt_compare_addr_hash (iph1,
	1317	natd_received, natd_seq++);
	1318
7ebaebe2	1319	plog (ASL_LEVEL_NOTICE, "NAT-D payload #%d %s\n",
52b7d2ce A	1320	natd_seq - 1,
	1321	natd_verified ? "verified" : "doesn't match");
	1322
	1323	vfree (natd_received);
	1324	break;
	1325	}
	1326	/* %%%% Be lenient here - some servers send natd payloads */
	1327	/* when no nat is detected */
	1328	break;
	1329	#endif
	1330
	1331	default:
	1332	/* don't send information, see ident_r1recv() */
65c25746	1333	plog(ASL_LEVEL_ERR,
52b7d2ce A	1334	"ignore the packet, "
	1335	"received unexpecting payload type %d.\n",
	1336	pa->type);
	1337	goto end;
	1338	}
	1339	}
	1340
	1341	#ifdef ENABLE_NATT
	1342	if (NATT_AVAILABLE(iph1))
7ebaebe2	1343	plog (ASL_LEVEL_NOTICE, "NAT %s %s%s\n",
52b7d2ce A	1344	iph1->natt_flags & NAT_DETECTED ?
	1345	"detected:" : "not detected",
	1346	iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "",
	1347	iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : "");
	1348	#endif
	1349
	1350	/* payload existency check */
	1351	if (iph1->dhpub_p == NULL \|\| iph1->nonce_p == NULL) {
65c25746	1352	plog(ASL_LEVEL_ERR,
52b7d2ce A	1353	"few isakmp message received.\n");
	1354	goto end;
	1355	}
	1356
65c25746	1357	fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_R_MSG3RCVD);
52b7d2ce A	1358
52b7d2ce A	1359	error = 0;
52b7d2ce A	1360	end:
	1361	if (pbuf)
	1362	vfree(pbuf);
52b7d2ce A	1363
	1364	if (error) {
	1365	VPTRINIT(iph1->dhpub_p);
	1366	VPTRINIT(iph1->nonce_p);
	1367	VPTRINIT(iph1->id_p);
	1368	}
	1369
	1370	return error;
	1371	}
	1372
	1373	/*
	1374	* send to initiator
	1375	* psk: HDR, KE, Nr
	1376	* sig: HDR, KE, Nr [, CR ]
	1377	* gssapi: HDR, KE, Nr, GSSr
	1378	* rsa: HDR, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i
	1379	* rev: HDR, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDr1_b>Ke_r,
	1380	*/
	1381	int
65c25746 A	1382	ident_r4send(iph1, msg)
65c25746 A	1383	phase1_handle_t *iph1;
52b7d2ce A	1384	vchar_t *msg;
	1385	{
	1386	int error = -1;
	1387
	1388	/* validity check */
65c25746 A	1389	if (iph1->status != IKEV1_STATE_IDENT_R_MSG3RCVD) {
65c25746 A	1390	plog(ASL_LEVEL_ERR,
52b7d2ce A	1391	"status mismatched %d.\n", iph1->status);
	1392	goto end;
	1393	}
	1394
	1395	/* generate DH public value */
e8d9021d	1396	#ifdef HAVE_OPENSSL
52b7d2ce	1397	if (oakley_dh_generate(iph1->approval->dhgrp,
d1e348cf	1398	&iph1->dhpub, &iph1->dhpriv) < 0) {
e8d9021d A	1399	#else
	1400	if (oakley_dh_generate(iph1->approval->dhgrp,
	1401	&iph1->dhpub, &iph1->publicKeySize, &iph1->dhC) < 0) {
	1402	#endif
65c25746	1403	plog(ASL_LEVEL_ERR,
d1e348cf	1404	"failed to generate DH");
52b7d2ce	1405	goto end;
d1e348cf	1406	}
52b7d2ce A	1407
	1408	/* generate NONCE value */
	1409	iph1->nonce = eay_set_random(iph1->rmconf->nonce_size);
d1e348cf	1410	if (iph1->nonce == NULL) {
65c25746	1411	plog(ASL_LEVEL_ERR,
d1e348cf	1412	"failed to generate NONCE");
52b7d2ce	1413	goto end;
d1e348cf	1414	}
52b7d2ce	1415
52b7d2ce A	1416	/* create HDR;KE;NONCE payload */
52b7d2ce A	1417	iph1->sendbuf = ident_ir2mx(iph1);
d1e348cf	1418	if (iph1->sendbuf == NULL) {
65c25746	1419	plog(ASL_LEVEL_ERR,
d1e348cf	1420	"failed to allocate send buffer");
52b7d2ce	1421	goto end;
d1e348cf	1422	}
52b7d2ce A	1423
	1424	#ifdef HAVE_PRINT_ISAKMP_C
	1425	isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
	1426	#endif
	1427
	1428	/* send the packet, add to the schedule to resend */
	1429	iph1->retry_counter = iph1->rmconf->retry_counter;
d1e348cf	1430	if (isakmp_ph1resend(iph1) == -1) {
65c25746	1431	plog(ASL_LEVEL_ERR,
d1e348cf	1432	"failed to send packet");
52b7d2ce	1433	goto end;
d1e348cf	1434	}
52b7d2ce A	1435
52b7d2ce A	1436	/* the sending message is added to the received-list. */
65c25746 A	1437	if (ike_session_add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
	1438	PH1_NON_ESP_EXTRA_LEN(iph1, iph1->sendbuf), PH1_FRAG_FLAGS(iph1)) == -1) {
	1439	plog(ASL_LEVEL_ERR ,
52b7d2ce A	1440	"failed to add a response packet to the tree.\n");
	1441	goto end;
	1442	}
	1443
	1444	/* compute sharing secret of DH */
e8d9021d A	1445	#ifdef HAVE_OPENSSL
	1446	if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub,
	1447	iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) {
	1448	#else
65c25746	1449	if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub_p, iph1->publicKeySize, &iph1->dhgxy, &iph1->dhC) < 0) {
e8d9021d	1450	#endif
65c25746	1451	plog(ASL_LEVEL_ERR,
d1e348cf	1452	"failed to compute DH");
52b7d2ce	1453	goto end;
d1e348cf	1454	}
52b7d2ce A	1455
52b7d2ce A	1456	/* generate SKEYIDs & IV & final cipher key */
d1e348cf	1457	if (oakley_skeyid(iph1) < 0) {
65c25746	1458	plog(ASL_LEVEL_ERR,
d1e348cf	1459	"failed to generate SKEYID");
52b7d2ce	1460	goto end;
d1e348cf A	1461	}
d1e348cf A	1462	if (oakley_skeyid_dae(iph1) < 0) {
65c25746	1463	plog(ASL_LEVEL_ERR,
d1e348cf	1464	"failed to generate SKEYID-DAE");
52b7d2ce	1465	goto end;
d1e348cf A	1466	}
d1e348cf A	1467	if (oakley_compute_enckey(iph1) < 0) {
65c25746	1468	plog(ASL_LEVEL_ERR,
d1e348cf	1469	"failed to generate ENCKEY");
52b7d2ce	1470	goto end;
d1e348cf A	1471	}
d1e348cf A	1472	if (oakley_newiv(iph1) < 0) {
65c25746	1473	plog(ASL_LEVEL_ERR,
d1e348cf	1474	"failed to generate IV");
52b7d2ce	1475	goto end;
d1e348cf	1476	}
52b7d2ce	1477
65c25746	1478	fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_R_MSG4SENT);
52b7d2ce A	1479
52b7d2ce A	1480	error = 0;
52b7d2ce A	1481	end:
	1482	return error;
	1483	}
	1484
	1485	/*
	1486	* receive from initiator
	1487	* psk: HDR*, IDi1, HASH_I
	1488	* sig: HDR*, IDi1, [ CR, ] [ CERT, ] SIG_I
	1489	* gssapi: HDR*, [ IDi1, ] < GSSi(n) \| HASH_I >
	1490	* rsa: HDR*, HASH_I
	1491	* rev: HDR*, HASH_I
	1492	*/
	1493	int
65c25746 A	1494	ident_r5recv(iph1, msg0)
65c25746 A	1495	phase1_handle_t *iph1;
52b7d2ce A	1496	vchar_t *msg0;
	1497	{
	1498	vchar_t *msg = NULL;
	1499	vchar_t *pbuf = NULL;
	1500	struct isakmp_parse_t *pa;
	1501	int error = -1;
	1502	int type;
e8d9021d	1503	int received_cert = 0;
52b7d2ce A	1504
52b7d2ce A	1505	/* validity check */
65c25746 A	1506	if (iph1->status != IKEV1_STATE_IDENT_R_MSG4SENT) {
65c25746 A	1507	plog(ASL_LEVEL_ERR,
52b7d2ce A	1508	"status mismatched %d.\n", iph1->status);
	1509	goto end;
	1510	}
	1511
	1512	/* decrypting */
	1513	if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
65c25746	1514	plog(ASL_LEVEL_ERR,
52b7d2ce A	1515	"reject the packet, "
	1516	"expecting the packet encrypted.\n");
	1517	goto end;
	1518	}
	1519	msg = oakley_do_decrypt(iph1, msg0, iph1->ivm->iv, iph1->ivm->ive);
d1e348cf	1520	if (msg == NULL) {
65c25746	1521	plog(ASL_LEVEL_ERR,
d1e348cf	1522	"failed to decrypt");
52b7d2ce	1523	goto end;
d1e348cf	1524	}
52b7d2ce A	1525
	1526	/* validate the type of next payload */
	1527	pbuf = isakmp_parse(msg);
d1e348cf	1528	if (pbuf == NULL) {
65c25746	1529	plog(ASL_LEVEL_ERR,
d1e348cf	1530	"failed to parse msg");
52b7d2ce	1531	goto end;
d1e348cf	1532	}
52b7d2ce A	1533
	1534	iph1->pl_hash = NULL;
	1535
85f41bec	1536	for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
52b7d2ce A	1537	pa->type != ISAKMP_NPTYPE_NONE;
	1538	pa++) {
	1539
	1540	switch (pa->type) {
	1541	case ISAKMP_NPTYPE_ID:
d1e348cf	1542	if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) {
65c25746	1543	plog(ASL_LEVEL_ERR,
d1e348cf	1544	"failed to process ID payload");
52b7d2ce	1545	goto end;
d1e348cf	1546	}
52b7d2ce A	1547	break;
	1548	case ISAKMP_NPTYPE_HASH:
	1549	iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr;
	1550	break;
	1551	case ISAKMP_NPTYPE_CR:
d1e348cf	1552	if (oakley_savecr(iph1, pa->ptr) < 0) {
65c25746	1553	plog(ASL_LEVEL_ERR,
d1e348cf	1554	"failed to process CR payload");
52b7d2ce	1555	goto end;
d1e348cf	1556	}
52b7d2ce A	1557	break;
52b7d2ce A	1558	case ISAKMP_NPTYPE_CERT:
d1e348cf	1559	if (oakley_savecert(iph1, pa->ptr) < 0) {
65c25746	1560	plog(ASL_LEVEL_ERR,
d1e348cf	1561	"failed to process CERT payload");
52b7d2ce	1562	goto end;
d1e348cf	1563	}
e8d9021d	1564	received_cert = 1;
52b7d2ce A	1565	break;
52b7d2ce A	1566	case ISAKMP_NPTYPE_SIG:
d1e348cf	1567	if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) {
65c25746	1568	plog(ASL_LEVEL_ERR,
d1e348cf	1569	"failed to process SIG payload");
52b7d2ce	1570	goto end;
d1e348cf	1571	}
52b7d2ce	1572	break;
52b7d2ce A	1573	case ISAKMP_NPTYPE_VID:
	1574	(void)check_vendorid(pa->ptr);
	1575	break;
	1576	case ISAKMP_NPTYPE_N:
	1577	isakmp_check_notify(pa->ptr, iph1);
	1578	break;
	1579	default:
	1580	/* don't send information, see ident_r1recv() */
65c25746	1581	plog(ASL_LEVEL_ERR,
52b7d2ce A	1582	"ignore the packet, "
	1583	"received unexpecting payload type %d.\n",
	1584	pa->type);
	1585	goto end;
	1586	}
	1587	}
	1588
e8d9021d A	1589	if (received_cert) {
	1590	oakley_verify_certid(iph1);
	1591	}
	1592
52b7d2ce A	1593	/* payload existency check */
	1594	/* XXX same as ident_i4recv(), should be merged. */
	1595	{
	1596	int ng = 0;
	1597
d1e348cf	1598	switch (AUTHMETHOD(iph1)) {
52b7d2ce	1599	case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
d1e348cf A	1600	#ifdef ENABLE_HYBRID
	1601	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
	1602	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
d1e348cf	1603	#endif
52b7d2ce A	1604	if (iph1->id_p == NULL \|\| iph1->pl_hash == NULL)
	1605	ng++;
	1606	break;
52b7d2ce	1607	case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
d1e348cf A	1608	#ifdef ENABLE_HYBRID
d1e348cf A	1609	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
d1e348cf	1610	#endif
52b7d2ce A	1611	if (iph1->id_p == NULL \|\| iph1->sig_p == NULL)
	1612	ng++;
	1613	break;
	1614	case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
	1615	case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
d1e348cf A	1616	#ifdef ENABLE_HYBRID
	1617	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
	1618	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
	1619	#endif
52b7d2ce A	1620	if (iph1->pl_hash == NULL)
	1621	ng++;
	1622	break;
52b7d2ce	1623	default:
65c25746	1624	plog(ASL_LEVEL_ERR,
52b7d2ce A	1625	"invalid authmethod %d why ?\n",
	1626	iph1->approval->authmethod);
	1627	goto end;
	1628	}
	1629	if (ng) {
65c25746	1630	plog(ASL_LEVEL_ERR,
52b7d2ce A	1631	"few isakmp message received.\n");
	1632	goto end;
	1633	}
	1634	}
	1635
	1636	/* verify identifier */
	1637	if (ipsecdoi_checkid1(iph1) != 0) {
65c25746	1638	plog(ASL_LEVEL_ERR,
52b7d2ce A	1639	"invalid ID payload.\n");
	1640	goto end;
	1641	}
	1642
	1643	/* validate authentication value */
65c25746 A	1644
	1645	type = oakley_validate_auth(iph1);
	1646	if (type != 0) {
65c25746 A	1647	if (type == -1) {
	1648	/* msg printed inner oakley_validate_auth() */
	1649	goto end;
	1650	}
	1651	isakmp_info_send_n1(iph1, type, NULL);
	1652	goto end;
	1653	}
52b7d2ce A	1654
	1655	if (oakley_checkcr(iph1) < 0) {
	1656	/* Ignore this error in order to be interoperability. */
	1657	;
	1658	}
	1659
	1660	/*
	1661	* XXX: Should we do compare two addresses, ph1handle's and ID
	1662	* payload's.
	1663	*/
	1664
65c25746	1665	plogdump(ASL_LEVEL_DEBUG, iph1->id_p->v, iph1->id_p->l, "peer's ID\n");
52b7d2ce A	1666
	1667	/* see handler.h about IV synchronization. */
	1668	memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->ive->l);
	1669
65c25746	1670	fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_R_MSG5RCVD);
52b7d2ce	1671	error = 0;
52b7d2ce A	1672	end:
	1673	if (pbuf)
	1674	vfree(pbuf);
	1675	if (msg)
	1676	vfree(msg);
52b7d2ce A	1677
	1678	if (error) {
	1679	VPTRINIT(iph1->id_p);
	1680	oakley_delcert(iph1->cert_p);
	1681	iph1->cert_p = NULL;
	1682	oakley_delcert(iph1->crl_p);
	1683	iph1->crl_p = NULL;
	1684	VPTRINIT(iph1->sig_p);
	1685	oakley_delcert(iph1->cr_p);
	1686	iph1->cr_p = NULL;
	1687	}
	1688
	1689	return error;
	1690	}
	1691
	1692	/*
	1693	* send to initiator
	1694	* psk: HDR*, IDr1, HASH_R
	1695	* sig: HDR*, IDr1, [ CERT, ] SIG_R
	1696	* gssapi: HDR*, IDr1, < GSSr(n) \| HASH_R >
	1697	* rsa: HDR*, HASH_R
	1698	* rev: HDR*, HASH_R
	1699	*/
	1700	int
65c25746 A	1701	ident_r6send(iph1, msg)
65c25746 A	1702	phase1_handle_t *iph1;
52b7d2ce A	1703	vchar_t *msg;
	1704	{
	1705	int error = -1;
	1706	int dohash = 1;
52b7d2ce A	1707
52b7d2ce A	1708	/* validity check */
65c25746 A	1709	if (iph1->status != IKEV1_STATE_IDENT_R_MSG5RCVD) {
65c25746 A	1710	plog(ASL_LEVEL_ERR,
52b7d2ce A	1711	"status mismatched %d.\n", iph1->status);
	1712	goto end;
	1713	}
	1714
	1715	/* make ID payload into isakmp status */
d1e348cf	1716	if (ipsecdoi_setid1(iph1) < 0) {
65c25746	1717	plog(ASL_LEVEL_ERR,
d1e348cf	1718	"failed to set ID");
52b7d2ce	1719	goto end;
d1e348cf	1720	}
52b7d2ce	1721
52b7d2ce A	1722	if (dohash) {
52b7d2ce A	1723	/* generate HASH to send */
65c25746	1724	plog(ASL_LEVEL_DEBUG, "generate HASH_R\n");
52b7d2ce	1725	iph1->hash = oakley_ph1hash_common(iph1, GENERATE);
d1e348cf	1726	if (iph1->hash == NULL) {
65c25746	1727	plog(ASL_LEVEL_ERR,
d1e348cf	1728	"failed to generate HASH");
52b7d2ce	1729	goto end;
d1e348cf	1730	}
52b7d2ce A	1731	} else
	1732	iph1->hash = NULL;
	1733
	1734	/* set encryption flag */
	1735	iph1->flags \|= ISAKMP_FLAG_E;
	1736
	1737	/* create HDR;ID;HASH payload */
	1738	iph1->sendbuf = ident_ir3mx(iph1);
d1e348cf	1739	if (iph1->sendbuf == NULL) {
65c25746	1740	plog(ASL_LEVEL_ERR,
d1e348cf	1741	"failed to create send buffer");
52b7d2ce	1742	goto end;
d1e348cf	1743	}
52b7d2ce A	1744
52b7d2ce A	1745	/* send HDR;ID;HASH to responder */
d1e348cf	1746	if (isakmp_send(iph1, iph1->sendbuf) < 0) {
65c25746	1747	plog(ASL_LEVEL_ERR,
d1e348cf	1748	"failed to send packet");
52b7d2ce	1749	goto end;
d1e348cf	1750	}
52b7d2ce A	1751
52b7d2ce A	1752	/* the sending message is added to the received-list. */
65c25746 A	1753	if (ike_session_add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
	1754	PH1_NON_ESP_EXTRA_LEN(iph1, iph1->sendbuf), PH1_FRAG_FLAGS(iph1)) == -1) {
	1755	plog(ASL_LEVEL_ERR ,
52b7d2ce A	1756	"failed to add a response packet to the tree.\n");
	1757	goto end;
	1758	}
	1759
	1760	/* see handler.h about IV synchronization. */
	1761	memcpy(iph1->ivm->ive->v, iph1->ivm->iv->v, iph1->ivm->iv->l);
	1762
65c25746	1763	fsm_set_state(&iph1->status, IKEV1_STATE_PHASE1_ESTABLISHED);
52b7d2ce	1764	error = 0;
52b7d2ce	1765	end:
52b7d2ce A	1766	return error;
	1767	}
	1768
	1769	/*
	1770	* This is used in main mode for:
	1771	* initiator's 3rd exchange send to responder
	1772	* psk: HDR, KE, Ni
	1773	* sig: HDR, KE, Ni
	1774	* rsa: HDR, KE, [ HASH(1), ] <IDi1_b>PubKey_r, <Ni_b>PubKey_r
	1775	* rev: HDR, [ HASH(1), ] <Ni_b>Pubkey_r, <KE_b>Ke_i,
	1776	* <IDi1_b>Ke_i, [<<Cert-I_b>Ke_i]
	1777	* responders 2nd exchnage send to initiator
	1778	* psk: HDR, KE, Nr
	1779	* sig: HDR, KE, Nr [, CR ]
	1780	* rsa: HDR, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i
	1781	* rev: HDR, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDr1_b>Ke_r,
	1782	*/
	1783	static vchar_t *
	1784	ident_ir2mx(iph1)
65c25746	1785	phase1_handle_t *iph1;
52b7d2ce A	1786	{
	1787	vchar_t *buf = 0;
	1788	struct payload_list *plist = NULL;
	1789	int need_cr = 0;
	1790	vchar_t *cr = NULL;
	1791	vchar_t *vid = NULL;
	1792	int error = -1;
52b7d2ce A	1793	#ifdef ENABLE_NATT
	1794	vchar_t *natd[2] = { NULL, NULL };
	1795	#endif
	1796
	1797	/* create CR if need */
	1798	if (iph1->side == RESPONDER
	1799	&& iph1->rmconf->send_cr
65c25746	1800	&& oakley_needcr(iph1->approval->authmethod)) {
52b7d2ce A	1801	need_cr = 1;
	1802	cr = oakley_getcr(iph1);
	1803	if (cr == NULL) {
65c25746	1804	plog(ASL_LEVEL_ERR,
52b7d2ce A	1805	"failed to get cr buffer.\n");
	1806	goto end;
	1807	}
	1808	}
	1809
52b7d2ce A	1810	/* create isakmp KE payload */
	1811	plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE);
	1812
	1813	/* create isakmp NONCE payload */
	1814	plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE);
	1815
52b7d2ce A	1816	/* append vendor id, if needed */
	1817	if (vid)
	1818	plist = isakmp_plist_append(plist, vid, ISAKMP_NPTYPE_VID);
	1819
	1820	/* create isakmp CR payload if needed */
	1821	if (need_cr)
	1822	plist = isakmp_plist_append(plist, cr, ISAKMP_NPTYPE_CR);
	1823
	1824	#ifdef ENABLE_NATT
	1825	/* generate and append NAT-D payloads */
65c25746	1826	if (NATT_AVAILABLE(iph1))
52b7d2ce A	1827	{
52b7d2ce A	1828	if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) {
65c25746	1829	plog(ASL_LEVEL_ERR,
85f41bec	1830	"NAT-D hashing failed for %s\n", saddr2str((struct sockaddr *)iph1->remote));
52b7d2ce A	1831	goto end;
	1832	}
	1833
	1834	if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) {
65c25746	1835	plog(ASL_LEVEL_ERR,
85f41bec	1836	"NAT-D hashing failed for %s\n", saddr2str((struct sockaddr *)iph1->local));
52b7d2ce A	1837	goto end;
	1838	}
	1839
7ebaebe2	1840	plog (ASL_LEVEL_NOTICE, "Adding remote and local NAT-D payloads.\n");
52b7d2ce A	1841	/* old Apple version sends natd payloads in the wrong order */
	1842	if (iph1->natt_options->version == VENDORID_NATT_APPLE) {
	1843	plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
	1844	plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
	1845	} else
52b7d2ce A	1846	{
	1847	plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
	1848	plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
	1849	}
	1850	}
	1851	#endif
	1852
	1853	buf = isakmp_plist_set_all (&plist, iph1);
	1854
	1855	error = 0;
	1856
	1857	end:
	1858	if (error && buf != NULL) {
	1859	vfree(buf);
	1860	buf = NULL;
	1861	}
	1862	if (cr)
	1863	vfree(cr);
52b7d2ce A	1864	if (vid)
	1865	vfree(vid);
	1866
	1867	#ifdef ENABLE_NATT
	1868	if (natd[0])
	1869	vfree(natd[0]);
	1870	if (natd[1])
	1871	vfree(natd[1]);
	1872	#endif
	1873
	1874	return buf;
	1875	}
	1876
	1877	/*
	1878	* This is used in main mode for:
	1879	* initiator's 4th exchange send to responder
	1880	* psk: HDR*, IDi1, HASH_I
	1881	* sig: HDR*, IDi1, [ CR, ] [ CERT, ] SIG_I
	1882	* gssapi: HDR*, [ IDi1, ] < GSSi(n) \| HASH_I >
	1883	* rsa: HDR*, HASH_I
	1884	* rev: HDR*, HASH_I
	1885	* responders 3rd exchnage send to initiator
	1886	* psk: HDR*, IDr1, HASH_R
	1887	* sig: HDR*, IDr1, [ CERT, ] SIG_R
	1888	* gssapi: HDR*, [ IDr1, ] < GSSr(n) \| HASH_R >
	1889	* rsa: HDR*, HASH_R
	1890	* rev: HDR*, HASH_R
	1891	*/
	1892	static vchar_t *
	1893	ident_ir3mx(iph1)
65c25746	1894	phase1_handle_t *iph1;
52b7d2ce A	1895	{
	1896	struct payload_list *plist = NULL;
	1897	vchar_t buf = NULL, new = NULL;
	1898	int need_cr = 0;
	1899	int need_cert = 0;
	1900	vchar_t *cr = NULL;
	1901	int error = -1;
b8c37798	1902	vchar_t *notp_ini = NULL;
52b7d2ce	1903
d1e348cf	1904	switch (AUTHMETHOD(iph1)) {
52b7d2ce	1905	case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
d1e348cf A	1906	#ifdef ENABLE_HYBRID
	1907	case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
	1908	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
	1909	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
d1e348cf	1910	#endif
52b7d2ce A	1911	/* create isakmp ID payload */
	1912	plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
	1913
	1914	/* create isakmp HASH payload */
	1915	plist = isakmp_plist_append(plist, iph1->hash, ISAKMP_NPTYPE_HASH);
	1916	break;
52b7d2ce	1917	case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
d1e348cf A	1918	#ifdef ENABLE_HYBRID
d1e348cf A	1919	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
d1e348cf A	1920	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
d1e348cf A	1921	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
d1e348cf A	1922	#endif
d1e348cf A	1923	if (oakley_getmycert(iph1) < 0) {
65c25746	1924	plog(ASL_LEVEL_ERR,
d1e348cf	1925	"failed to get mycert");
52b7d2ce	1926	goto end;
d1e348cf	1927	}
52b7d2ce	1928
d1e348cf	1929	if (oakley_getsign(iph1) < 0) {
65c25746	1930	plog(ASL_LEVEL_ERR,
d1e348cf	1931	"failed to get sign");
52b7d2ce	1932	goto end;
d1e348cf	1933	}
52b7d2ce A	1934
	1935	/* create CR if need */
	1936	if (iph1->side == INITIATOR
	1937	&& iph1->rmconf->send_cr
65c25746	1938	&& oakley_needcr(iph1->approval->authmethod)) {
52b7d2ce A	1939	need_cr = 1;
	1940	cr = oakley_getcr(iph1);
	1941	if (cr == NULL) {
65c25746	1942	plog(ASL_LEVEL_ERR,
d1e348cf	1943	"failed to get CR");
52b7d2ce A	1944	goto end;
	1945	}
	1946	}
	1947
	1948	if (iph1->cert != NULL && iph1->rmconf->send_cert)
	1949	need_cert = 1;
	1950
	1951	/* add ID payload */
	1952	plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
	1953
	1954	/* add CERT payload if there */
e8d9021d	1955	// we don't support sending of certchains
52b7d2ce A	1956	if (need_cert)
	1957	plist = isakmp_plist_append(plist, iph1->cert->pl, ISAKMP_NPTYPE_CERT);
	1958	/* add SIG payload */
	1959	plist = isakmp_plist_append(plist, iph1->sig, ISAKMP_NPTYPE_SIG);
	1960
	1961	/* create isakmp CR payload */
	1962	if (need_cr)
	1963	plist = isakmp_plist_append(plist, cr, ISAKMP_NPTYPE_CR);
	1964	break;
52b7d2ce	1965
52b7d2ce A	1966	case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
52b7d2ce A	1967	case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
d1e348cf A	1968	#ifdef ENABLE_HYBRID
	1969	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
	1970	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
	1971	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
	1972	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
	1973	#endif
65c25746	1974	plog(ASL_LEVEL_ERR,
52b7d2ce A	1975	"not supported authentication type %d\n",
	1976	iph1->approval->authmethod);
	1977	goto end;
	1978	default:
65c25746	1979	plog(ASL_LEVEL_ERR,
52b7d2ce A	1980	"invalid authentication type %d\n",
	1981	iph1->approval->authmethod);
	1982	goto end;
	1983	}
	1984
b8c37798 A	1985	if (iph1->side == INITIATOR) {
	1986	notp_ini = isakmp_plist_append_initial_contact(iph1, plist);
	1987	}
	1988
52b7d2ce A	1989	buf = isakmp_plist_set_all (&plist, iph1);
	1990
	1991	#ifdef HAVE_PRINT_ISAKMP_C
	1992	isakmp_printpacket(buf, iph1->local, iph1->remote, 1);
	1993	#endif
	1994
	1995	/* encoding */
	1996	new = oakley_do_encrypt(iph1, buf, iph1->ivm->ive, iph1->ivm->iv);
d1e348cf	1997	if (new == NULL) {
65c25746	1998	plog(ASL_LEVEL_ERR,
d1e348cf	1999	"failed to encrypt");
52b7d2ce	2000	goto end;
d1e348cf	2001	}
52b7d2ce A	2002
	2003	vfree(buf);
	2004
	2005	buf = new;
	2006
	2007	error = 0;
	2008
	2009	end:
	2010	if (cr)
	2011	vfree(cr);
	2012	if (error && buf != NULL) {
	2013	vfree(buf);
	2014	buf = NULL;
	2015	}
b8c37798 A	2016	if (notp_ini)
b8c37798 A	2017	vfree(notp_ini);
52b7d2ce A	2018
	2019	return buf;
	2020	}