]> git.saurik.com Git - apple/ipsec.git/blame_incremental - ipsec-tools/racoon/isakmp_agg.c
projects / apple / ipsec.git / blame_incremental
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (non-incremental) | history | HEAD
ipsec-258.100.1.tar.gz
[apple/ipsec.git] / ipsec-tools / racoon / isakmp_agg.c
... / ...
CommitLineData
1/* $NetBSD: isakmp_agg.c,v 1.9 2006/09/30 21:49:37 manu Exp $ */
2
3/* Id: isakmp_agg.c,v 1.28 2006/04/06 16:46:08 manubsd Exp */
4
5/*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34/* Aggressive Exchange (Aggressive Mode) */
35
36#include "config.h"
37
38#include <sys/types.h>
39#include <sys/param.h>
40
41#include <stdlib.h>
42#include <stdio.h>
43#include <string.h>
44#include <errno.h>
45#if TIME_WITH_SYS_TIME
46# include <sys/time.h>
47# include <time.h>
48#else
49# if HAVE_SYS_TIME_H
50# include <sys/time.h>
51# else
52# include <time.h>
53# endif
54#endif
55
56#include "var.h"
57#include "misc.h"
58#include "vmbuf.h"
59#include "plog.h"
60#include "sockmisc.h"
61#include "schedule.h"
62#include "debug.h"
63
64#ifdef ENABLE_HYBRID
65#include <resolv.h>
66#endif
67
68#include "fsm.h"
69#include "localconf.h"
70#include "remoteconf.h"
71#include "isakmp_var.h"
72#include "isakmp.h"
73#include "oakley.h"
74#include "handler.h"
75#include "ipsec_doi.h"
76#include "crypto_openssl.h"
77#include "pfkey.h"
78#include "isakmp_agg.h"
79#include "isakmp_inf.h"
80#ifdef ENABLE_HYBRID
81#include "isakmp_xauth.h"
82#include "isakmp_cfg.h"
83#endif
84#ifdef ENABLE_FRAG
85#include "isakmp_frag.h"
86#endif
87#include "vendorid.h"
88#include "strnames.h"
89
90#ifdef ENABLE_NATT
91#include "nattraversal.h"
92#endif
93
94#include "vpn_control.h"
95#include "vpn_control_var.h"
96#include "ipsecSessionTracer.h"
97#include "ipsecMessageTracer.h"
98#ifndef HAVE_OPENSSL
99#include <Security/SecDH.h>
100#endif
101
102/*
103 * begin Aggressive Mode as initiator.
104 */
105/*
106 * send to responder
107 * psk: HDR, SA, KE, Ni, IDi1
108 * sig: HDR, SA, KE, Ni, IDi1 [, CR ]
109 * gssapi: HDR, SA, KE, Ni, IDi1, GSSi
110 * rsa: HDR, SA, [ HASH(1),] KE, <IDi1_b>Pubkey_r, <Ni_b>Pubkey_r
111 * rev: HDR, SA, [ HASH(1),] <Ni_b>Pubkey_r, <KE_b>Ke_i,
112 * <IDii_b>Ke_i [, <Cert-I_b>Ke_i ]
113 */
114int
115agg_i1send(iph1, msg)
116 phase1_handle_t *iph1;
117 vchar_t *msg; /* must be null */
118{
119 struct payload_list *plist = NULL;
120 int need_cr = 0;
121 vchar_t *cr = NULL;
122 int error = -1;
123#ifdef ENABLE_NATT
124 vchar_t *vid_natt[MAX_NATT_VID_COUNT] = { NULL };
125 int i;
126#endif
127#ifdef ENABLE_HYBRID
128 vchar_t *vid_xauth = NULL;
129 vchar_t *vid_unity = NULL;
130#endif
131#ifdef ENABLE_FRAG
132 vchar_t *vid_frag = NULL;
133#endif
134#ifdef ENABLE_DPD
135 vchar_t *vid_dpd = NULL;
136#endif
137
138 /* validity check */
139 if (iph1->status != IKEV1_STATE_AGG_I_START) {
140 plog(ASL_LEVEL_ERR,
141 "status mismatched %d.\n", iph1->status);
142 goto end;
143 }
144
145 /* validity check */
146 if (msg != NULL) {
147 plog(ASL_LEVEL_ERR,
148 "msg has to be NULL in this function.\n");
149 goto end;
150 }
151
152 /* create isakmp index */
153 memset(&iph1->index, 0, sizeof(iph1->index));
154 isakmp_newcookie((caddr_t)&iph1->index, iph1->remote, iph1->local);
155
156 /* make ID payload into isakmp status */
157 if (ipsecdoi_setid1(iph1) < 0) {
158 plog(ASL_LEVEL_ERR,
159 "failed to set ID");
160 goto end;
161 }
162
163 /* create SA payload for my proposal */
164 iph1->sa = ipsecdoi_setph1proposal(iph1);
165 if (iph1->sa == NULL) {
166 plog(ASL_LEVEL_ERR,
167 "failed to set proposal");
168 goto end;
169 }
170
171 /* consistency check of proposals */
172 if (iph1->rmconf->dhgrp == NULL) {
173 plog(ASL_LEVEL_ERR,
174 "configuration failure about DH group.\n");
175 goto end;
176 }
177
178 /* generate DH public value */
179#ifdef HAVE_OPENSSL
180 if (oakley_dh_generate(iph1->rmconf->dhgrp,
181 &iph1->dhpub, &iph1->dhpriv) < 0) {
182#else
183 if (oakley_dh_generate(iph1->rmconf->dhgrp,
184 &iph1->dhpub, &iph1->publicKeySize, &iph1->dhC) < 0) {
185#endif
186 plog(ASL_LEVEL_ERR,
187 "failed to generate DH");
188 goto end;
189 }
190
191 /* generate NONCE value */
192 iph1->nonce = eay_set_random(iph1->rmconf->nonce_size);
193 if (iph1->nonce == NULL) {
194 plog(ASL_LEVEL_ERR,
195 "failed to generate NONCE");
196 goto end;
197 }
198
199#ifdef ENABLE_HYBRID
200 /* Do we need Xauth VID? */
201 switch (RMAUTHMETHOD(iph1)) {
202 case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
203 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
204 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
205 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
206 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
207 if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL)
208 plog(ASL_LEVEL_ERR,
209 "Xauth vendor ID generation failed\n");
210 if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL)
211 plog(ASL_LEVEL_ERR,
212 "Unity vendor ID generation failed\n");
213 break;
214 default:
215 break;
216 }
217#endif
218
219#ifdef ENABLE_FRAG
220 if (iph1->rmconf->ike_frag) {
221 vid_frag = set_vendorid(VENDORID_FRAG);
222 if (vid_frag != NULL)
223 vid_frag = isakmp_frag_addcap(vid_frag,
224 VENDORID_FRAG_AGG);
225 if (vid_frag == NULL)
226 plog(ASL_LEVEL_ERR,
227 "Frag vendorID construction failed\n");
228 }
229#endif
230
231 /* create CR if need */
232 if (iph1->rmconf->send_cr
233 && oakley_needcr(iph1->rmconf->proposal->authmethod)) {
234 need_cr = 1;
235 cr = oakley_getcr(iph1);
236 if (cr == NULL) {
237 plog(ASL_LEVEL_ERR,
238 "failed to get CR");
239 goto end;
240 }
241 }
242
243 plog(ASL_LEVEL_DEBUG, "authmethod is %s\n",
244 s_oakley_attr_method(iph1->rmconf->proposal->authmethod));
245
246 /* set SA payload to propose */
247 plist = isakmp_plist_append(plist, iph1->sa, ISAKMP_NPTYPE_SA);
248
249 /* create isakmp KE payload */
250 plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE);
251
252 /* create isakmp NONCE payload */
253 plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE);
254
255 /* create isakmp ID payload */
256 plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
257
258 /* create isakmp CR payload */
259 if (need_cr)
260 plist = isakmp_plist_append(plist, cr, ISAKMP_NPTYPE_CR);
261
262#ifdef ENABLE_FRAG
263 if (vid_frag)
264 plist = isakmp_plist_append(plist, vid_frag, ISAKMP_NPTYPE_VID);
265#endif
266#ifdef ENABLE_NATT
267 /*
268 * set VID payload for NAT-T if NAT-T
269 * support allowed in the config file
270 */
271 if (iph1->rmconf->nat_traversal)
272 plist = isakmp_plist_append_natt_vids(plist, vid_natt);
273#endif
274#ifdef ENABLE_HYBRID
275 if (vid_xauth)
276 plist = isakmp_plist_append(plist,
277 vid_xauth, ISAKMP_NPTYPE_VID);
278 if (vid_unity)
279 plist = isakmp_plist_append(plist,
280 vid_unity, ISAKMP_NPTYPE_VID);
281#endif
282#ifdef ENABLE_DPD
283 if(iph1->rmconf->dpd){
284 vid_dpd = set_vendorid(VENDORID_DPD);
285 if (vid_dpd != NULL)
286 plist = isakmp_plist_append(plist, vid_dpd, ISAKMP_NPTYPE_VID);
287 }
288#endif
289
290 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
291
292#ifdef HAVE_PRINT_ISAKMP_C
293 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
294#endif
295
296 /* send the packet, add to the schedule to resend */
297 iph1->retry_counter = iph1->rmconf->retry_counter;
298 if (isakmp_ph1resend(iph1) == -1) {
299 plog(ASL_LEVEL_ERR,
300 "failed to send packet");
301 goto end;
302 }
303
304 fsm_set_state(&iph1->status, IKEV1_STATE_AGG_I_MSG1SENT);
305
306 error = 0;
307
308 IPSECSESSIONTRACEREVENT(iph1->parent_session,
309 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
310 CONSTSTR("Initiator, Aggressive-Mode message 1"),
311 CONSTSTR(NULL));
312
313end:
314 if (error) {
315 IPSECSESSIONTRACEREVENT(iph1->parent_session,
316 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
317 CONSTSTR("Initiator, Aggressive-Mode Message 1"),
318 CONSTSTR("Failed to transmit Aggressive-Mode Message 1"));
319 }
320 if (cr)
321 vfree(cr);
322#ifdef ENABLE_FRAG
323 if (vid_frag)
324 vfree(vid_frag);
325#endif
326#ifdef ENABLE_NATT
327 for (i = 0; i < MAX_NATT_VID_COUNT && vid_natt[i] != NULL; i++)
328 vfree(vid_natt[i]);
329#endif
330#ifdef ENABLE_HYBRID
331 if (vid_xauth != NULL)
332 vfree(vid_xauth);
333 if (vid_unity != NULL)
334 vfree(vid_unity);
335#endif
336#ifdef ENABLE_DPD
337 if (vid_dpd != NULL)
338 vfree(vid_dpd);
339#endif
340
341 return error;
342}
343
344/*
345 * receive from responder
346 * psk: HDR, SA, KE, Nr, IDr1, HASH_R
347 * sig: HDR, SA, KE, Nr, IDr1, [ CR, ] [ CERT, ] SIG_R
348 * gssapi: HDR, SA, KE, Nr, IDr1, GSSr, HASH_R
349 * rsa: HDR, SA, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i, HASH_R
350 * rev: HDR, SA, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDir_b>Ke_r, HASH_R
351 */
352int
353agg_i2recv(iph1, msg)
354 phase1_handle_t *iph1;
355 vchar_t *msg;
356{
357 vchar_t *pbuf = NULL;
358 struct isakmp_parse_t *pa;
359 vchar_t *satmp = NULL;
360 int error = -1;
361 int vid_numeric;
362 int ptype;
363 int received_cert = 0;
364
365#ifdef ENABLE_NATT
366 int natd_seq = 0;
367 struct natd_payload {
368 int seq;
369 vchar_t *payload;
370 TAILQ_ENTRY(natd_payload) chain;
371 };
372 TAILQ_HEAD(_natd_payload, natd_payload) natd_tree;
373 TAILQ_INIT(&natd_tree);
374#endif
375
376 /* validity check */
377 if (iph1->status != IKEV1_STATE_AGG_I_MSG1SENT) {
378 plog(ASL_LEVEL_ERR,
379 "status mismatched %d.\n", iph1->status);
380 goto end;
381 }
382
383 /* validate the type of next payload */
384 pbuf = isakmp_parse(msg);
385 if (pbuf == NULL) {
386 plog(ASL_LEVEL_ERR,
387 "failed to parse msg");
388 goto end;
389 }
390 pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
391
392 iph1->pl_hash = NULL;
393
394 /* SA payload is fixed postion */
395 if (pa->type != ISAKMP_NPTYPE_SA) {
396 plog(ASL_LEVEL_ERR,
397 "received invalid next payload type %d, "
398 "expecting %d.\n",
399 pa->type, ISAKMP_NPTYPE_SA);
400 goto end;
401 }
402
403 if (isakmp_p2ph(&satmp, pa->ptr) < 0) {
404 plog(ASL_LEVEL_ERR,
405 "failed to process SA payload");
406 goto end;
407 }
408 pa++;
409
410 for (/*nothing*/;
411 pa->type != ISAKMP_NPTYPE_NONE;
412 pa++) {
413
414 switch (pa->type) {
415 case ISAKMP_NPTYPE_KE:
416 if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) {
417 plog(ASL_LEVEL_ERR,
418 "failed to process KE payload");
419 goto end;
420 }
421 break;
422 case ISAKMP_NPTYPE_NONCE:
423 if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) {
424 plog(ASL_LEVEL_ERR,
425 "failed to process NONCE payload");
426 goto end;
427 }
428 break;
429 case ISAKMP_NPTYPE_ID:
430 if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) {
431 plog(ASL_LEVEL_ERR,
432 "failed to process ID payload");
433 goto end;
434 }
435 break;
436 case ISAKMP_NPTYPE_HASH:
437 iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr;
438 break;
439 case ISAKMP_NPTYPE_CR:
440 if (oakley_savecr(iph1, pa->ptr) < 0) {
441 plog(ASL_LEVEL_ERR,
442 "failed to process CR payload");
443 goto end;
444 }
445 break;
446 case ISAKMP_NPTYPE_CERT:
447 if (oakley_savecert(iph1, pa->ptr) < 0) {
448 plog(ASL_LEVEL_ERR,
449 "failed to process CERT payload");
450 goto end;
451 }
452 received_cert = 1;
453 break;
454 case ISAKMP_NPTYPE_SIG:
455 if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) {
456 plog(ASL_LEVEL_ERR,
457 "failed to process SIG payload");
458 goto end;
459 }
460 break;
461 case ISAKMP_NPTYPE_VID:
462 vid_numeric = check_vendorid(pa->ptr);
463#ifdef ENABLE_NATT
464 if (iph1->rmconf->nat_traversal &&
465 natt_vendorid(vid_numeric))
466 natt_handle_vendorid(iph1, vid_numeric);
467#endif
468#ifdef ENABLE_HYBRID
469 switch (vid_numeric) {
470 case VENDORID_XAUTH:
471 iph1->mode_cfg->flags |=
472 ISAKMP_CFG_VENDORID_XAUTH;
473 break;
474
475 case VENDORID_UNITY:
476 iph1->mode_cfg->flags |=
477 ISAKMP_CFG_VENDORID_UNITY;
478 break;
479 default:
480 break;
481 }
482#endif
483#ifdef ENABLE_DPD
484 if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd) {
485 iph1->dpd_support=1;
486 plog(ASL_LEVEL_DEBUG,
487 "remote supports DPD\n");
488 }
489#endif
490#ifdef ENABLE_FRAG
491 if ((vid_numeric == VENDORID_FRAG) &&
492 (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_AGG)) {
493 plog(ASL_LEVEL_DEBUG,
494 "remote supports FRAGMENTATION\n");
495 iph1->frag = 1;
496 }
497#endif
498 break;
499 case ISAKMP_NPTYPE_N:
500 isakmp_check_notify(pa->ptr, iph1);
501 break;
502
503#ifdef ENABLE_NATT
504 case ISAKMP_NPTYPE_NATD_DRAFT:
505 case ISAKMP_NPTYPE_NATD_RFC:
506 case ISAKMP_NPTYPE_NATD_BADDRAFT:
507 if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL &&
508 pa->type == iph1->natt_options->payload_nat_d) {
509 struct natd_payload *natd;
510 natd = (struct natd_payload *)racoon_malloc(sizeof(*natd));
511 if (!natd) {
512 plog(ASL_LEVEL_ERR,
513 "failed to pre-process NATD payload");
514 goto end;
515 }
516
517 natd->payload = NULL;
518
519 if (isakmp_p2ph (&natd->payload, pa->ptr) < 0) {
520 plog(ASL_LEVEL_ERR,
521 "failed to process NATD payload");
522 goto end;
523 }
524
525 natd->seq = natd_seq++;
526
527 TAILQ_INSERT_TAIL(&natd_tree, natd, chain);
528 break;
529 }
530 /* %%% Be lenient here - some servers send natd payloads */
531 /* when nat not detected */
532 break;
533#endif
534
535 default:
536 /* don't send information, see isakmp_ident_r1() */
537 plog(ASL_LEVEL_ERR,
538 "ignore the packet, "
539 "received unexpecting payload type %d.\n",
540 pa->type);
541 goto end;
542 }
543 }
544
545 if (received_cert) {
546 oakley_verify_certid(iph1);
547 }
548
549 /* payload existency check */
550 if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) {
551 plog(ASL_LEVEL_ERR,
552 "few isakmp message received.\n");
553 goto end;
554 }
555
556 /* verify identifier */
557 if (ipsecdoi_checkid1(iph1) != 0) {
558 plog(ASL_LEVEL_ERR,
559 "invalid ID payload.\n");
560 goto end;
561 }
562
563 /* check SA payload and set approval SA for use */
564 if (ipsecdoi_checkph1proposal(satmp, iph1) < 0) {
565 plog(ASL_LEVEL_ERR,
566 "failed to get valid proposal.\n");
567 /* XXX send information */
568 goto end;
569 }
570 VPTRINIT(iph1->sa_ret);
571
572 /* fix isakmp index */
573 memcpy(&iph1->index.r_ck, &((struct isakmp *)msg->v)->r_ck,
574 sizeof(cookie_t));
575
576#ifdef ENABLE_NATT
577 if (NATT_AVAILABLE(iph1)) {
578 struct natd_payload *natd = NULL;
579 int natd_verified;
580
581 plog(ASL_LEVEL_INFO,
582 "Selected NAT-T version: %s\n",
583 vid_string_by_id(iph1->natt_options->version));
584
585 /* set both bits first so that we can clear them
586 upon verifying hashes */
587 iph1->natt_flags |= NAT_DETECTED;
588
589 while ((natd = TAILQ_FIRST(&natd_tree)) != NULL) {
590 /* this function will clear appropriate bits bits
591 from iph1->natt_flags */
592 natd_verified = natt_compare_addr_hash (iph1,
593 natd->payload, natd->seq);
594
595 plog (ASL_LEVEL_INFO, "NAT-D payload #%d %s\n",
596 natd->seq - 1,
597 natd_verified ? "verified" : "doesn't match");
598
599 vfree (natd->payload);
600
601 TAILQ_REMOVE(&natd_tree, natd, chain);
602 racoon_free (natd);
603 }
604
605 plog (ASL_LEVEL_INFO, "NAT %s %s%s\n",
606 iph1->natt_flags & NAT_DETECTED ?
607 "detected:" : "not detected",
608 iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "",
609 iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : "");
610
611 if (iph1->natt_flags & NAT_DETECTED)
612 natt_float_ports (iph1);
613 ike_session_update_natt_version(iph1);
614 }
615#endif
616
617 /* compute sharing secret of DH */
618#ifdef HAVE_OPENSSL
619 if (oakley_dh_compute(iph1->rmconf->dhgrp, iph1->dhpub,
620 iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) {
621#else
622 if (oakley_dh_compute(iph1->rmconf->dhgrp, iph1->dhpub_p, iph1->publicKeySize, &iph1->dhgxy, &iph1->dhC) < 0) {
623#endif
624 plog(ASL_LEVEL_ERR,
625 "failed to compute DH");
626 goto end;
627 }
628
629 /* generate SKEYIDs & IV & final cipher key */
630 if (oakley_skeyid(iph1) < 0) {
631 plog(ASL_LEVEL_ERR,
632 "failed to generate SKEYID");
633 goto end;
634 }
635 if (oakley_skeyid_dae(iph1) < 0) {
636 plog(ASL_LEVEL_ERR,
637 "failed to generate SKEYID-DAE");
638 goto end;
639 }
640 if (oakley_compute_enckey(iph1) < 0) {
641 plog(ASL_LEVEL_ERR,
642 "failed to generate ENCKEY");
643 goto end;
644 }
645 if (oakley_newiv(iph1) < 0) {
646 plog(ASL_LEVEL_ERR,
647 "failed to generate IV");
648 goto end;
649 }
650
651 /* validate authentication value */
652 ptype = oakley_validate_auth(iph1);
653 if (ptype != 0) {
654 IPSECSESSIONTRACEREVENT(iph1->parent_session,
655 IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_FAIL,
656 CONSTSTR("Initiator, Aggressive-Mode Message 2"),
657 CONSTSTR("Failed to authenticate, Aggressive-Mode Message 2"));
658 if (ptype == -1) {
659 /* message printed inner oakley_validate_auth() */
660 goto end;
661 }
662 isakmp_info_send_n1(iph1, ptype, NULL);
663 goto end;
664 }
665 IPSECSESSIONTRACEREVENT(iph1->parent_session,
666 IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_SUCC,
667 CONSTSTR("Initiator, Aggressive-Mode Message 2"),
668 CONSTSTR(NULL));
669
670 if (oakley_checkcr(iph1) < 0) {
671 /* Ignore this error in order to be interoperability. */
672 ;
673 }
674
675 /* change status of isakmp status entry */
676 fsm_set_state(&iph1->status, IKEV1_STATE_AGG_I_MSG2RCVD);
677
678#ifdef ENABLE_VPNCONTROL_PORT
679 vpncontrol_notify_phase_change(1, FROM_REMOTE, iph1, NULL);
680#endif
681
682 error = 0;
683
684 IPSECSESSIONTRACEREVENT(iph1->parent_session,
685 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
686 CONSTSTR("Initiator, Aggressive-Mode message 2"),
687 CONSTSTR(NULL));
688
689end:
690 if (error) {
691 IPSECSESSIONTRACEREVENT(iph1->parent_session,
692 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
693 CONSTSTR("Initiator, Aggressive-Mode Message 2"),
694 CONSTSTR("Failure processing Aggressive-Mode Message 2"));
695 }
696
697 if (pbuf)
698 vfree(pbuf);
699 if (satmp)
700 vfree(satmp);
701 if (error) {
702 VPTRINIT(iph1->dhpub_p);
703 VPTRINIT(iph1->nonce_p);
704 VPTRINIT(iph1->id_p);
705 oakley_delcert(iph1->cert_p);
706 iph1->cert_p = NULL;
707 oakley_delcert(iph1->crl_p);
708 iph1->crl_p = NULL;
709 VPTRINIT(iph1->sig_p);
710 oakley_delcert(iph1->cr_p);
711 iph1->cr_p = NULL;
712 }
713
714 return error;
715}
716
717/*
718 * send to responder
719 * psk: HDR, HASH_I
720 * gssapi: HDR, HASH_I
721 * sig: HDR, [ CERT, ] SIG_I
722 * rsa: HDR, HASH_I
723 * rev: HDR, HASH_I
724 */
725int
726agg_i3send(iph1, msg)
727 phase1_handle_t *iph1;
728 vchar_t *msg;
729{
730 struct payload_list *plist = NULL;
731 int need_cert = 0;
732 int error = -1;
733 vchar_t *gsshash = NULL;
734#ifdef ENABLE_NATT
735 vchar_t *natd[2] = { NULL, NULL };
736#endif
737 vchar_t *notp_unity = NULL;
738 vchar_t *notp_ini = NULL;
739
740 /* validity check */
741 if (iph1->status != IKEV1_STATE_AGG_I_MSG2RCVD) {
742 plog(ASL_LEVEL_ERR,
743 "status mismatched %d.\n", iph1->status);
744 goto end;
745 }
746
747 /* generate HASH to send */
748 plog(ASL_LEVEL_DEBUG, "generate HASH_I\n");
749 iph1->hash = oakley_ph1hash_common(iph1, GENERATE);
750 if (iph1->hash == NULL) {
751 plog(ASL_LEVEL_ERR,
752 "failed to generate HASH");
753 goto end;
754 }
755
756 switch (AUTHMETHOD(iph1)) {
757 case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
758#ifdef ENABLE_HYBRID
759 case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
760 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
761#endif
762 /* set HASH payload */
763 plist = isakmp_plist_append(plist,
764 iph1->hash, ISAKMP_NPTYPE_HASH);
765 break;
766
767 case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
768#ifdef ENABLE_HYBRID
769 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
770#endif
771 /* XXX if there is CR or not ? */
772
773 if (oakley_getmycert(iph1) < 0) {
774 plog(ASL_LEVEL_ERR,
775 "failed to get mycert");
776 goto end;
777 }
778
779 if (oakley_getsign(iph1) < 0) {
780 plog(ASL_LEVEL_ERR,
781 "failed to get sign");
782 goto end;
783 }
784
785 if (iph1->cert != NULL && iph1->rmconf->send_cert)
786 need_cert = 1;
787
788 /* add CERT payload if there */
789 // we don't support sending of certchains
790 if (need_cert)
791 plist = isakmp_plist_append(plist, iph1->cert->pl, ISAKMP_NPTYPE_CERT);
792
793 /* add SIG payload */
794 plist = isakmp_plist_append(plist, iph1->sig, ISAKMP_NPTYPE_SIG);
795 break;
796
797 case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
798 case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
799#ifdef ENABLE_HYBRID
800 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
801 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
802#endif
803 break;
804 }
805
806#ifdef ENABLE_NATT
807 /* generate NAT-D payloads */
808 if (NATT_AVAILABLE(iph1)) {
809 plog (ASL_LEVEL_INFO, "Adding remote and local NAT-D payloads.\n");
810 if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) {
811 plog(ASL_LEVEL_ERR,
812 "NAT-D hashing failed for %s\n", saddr2str((struct sockaddr *)iph1->remote));
813 goto end;
814 }
815
816 if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) {
817 plog(ASL_LEVEL_ERR,
818 "NAT-D hashing failed for %s\n", saddr2str((struct sockaddr *)iph1->local));
819 goto end;
820 }
821 /* old Apple version sends natd payloads in the wrong order */
822 if (iph1->natt_options->version == VENDORID_NATT_APPLE) {
823 plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
824 plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
825 } else
826 {
827 plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
828 plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
829 }
830 }
831#endif
832
833
834 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
835
836#ifdef HAVE_PRINT_ISAKMP_C
837 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
838#endif
839
840
841 /* send to responder */
842 if (isakmp_send(iph1, iph1->sendbuf) < 0) {
843 plog(ASL_LEVEL_ERR,
844 "failed to send packet");
845 goto end;
846 }
847
848 /* the sending message is added to the received-list. */
849 if (ike_session_add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
850 PH1_NON_ESP_EXTRA_LEN(iph1, iph1->sendbuf), PH1_FRAG_FLAGS(iph1)) == -1) {
851 plog(ASL_LEVEL_ERR ,
852 "failed to add a response packet to the tree.\n");
853 goto end;
854 }
855
856 /* set encryption flag */
857 iph1->flags |= ISAKMP_FLAG_E;
858
859 fsm_set_state(&iph1->status, IKEV1_STATE_PHASE1_ESTABLISHED);
860
861 IPSECSESSIONTRACEREVENT(iph1->parent_session,
862 IPSECSESSIONEVENTCODE_IKEV1_PH1_INIT_SUCC,
863 CONSTSTR("Initiator, Aggressive-Mode"),
864 CONSTSTR(NULL));
865
866 error = 0;
867
868 IPSECSESSIONTRACEREVENT(iph1->parent_session,
869 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
870 CONSTSTR("Initiator, Aggressive-Mode message 3"),
871 CONSTSTR(NULL));
872
873end:
874 if (error) {
875 IPSECSESSIONTRACEREVENT(iph1->parent_session,
876 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
877 CONSTSTR("Initiator, Aggressive-Mode Message 3"),
878 CONSTSTR("Failed to transmit Aggressive-Mode Message 3"));
879 }
880#ifdef ENABLE_NATT
881 if (natd[0])
882 vfree(natd[0]);
883 if (natd[1])
884 vfree(natd[1]);
885#endif
886 if (notp_unity)
887 vfree(notp_unity);
888 if (notp_ini)
889 vfree(notp_ini);
890 if (gsshash)
891 vfree(gsshash);
892 return error;
893}
894
895/*
896 * receive from initiator
897 * psk: HDR, SA, KE, Ni, IDi1
898 * sig: HDR, SA, KE, Ni, IDi1 [, CR ]
899 * gssapi: HDR, SA, KE, Ni, IDi1 , GSSi
900 * rsa: HDR, SA, [ HASH(1),] KE, <IDi1_b>Pubkey_r, <Ni_b>Pubkey_r
901 * rev: HDR, SA, [ HASH(1),] <Ni_b>Pubkey_r, <KE_b>Ke_i,
902 * <IDii_b>Ke_i [, <Cert-I_b>Ke_i ]
903 */
904int
905agg_r1recv(iph1, msg)
906 phase1_handle_t *iph1;
907 vchar_t *msg;
908{
909 int error = -1;
910 vchar_t *pbuf = NULL;
911 struct isakmp_parse_t *pa;
912 int vid_numeric;
913
914 /* validity check */
915 if (iph1->status != IKEV1_STATE_AGG_R_START) {
916 plog(ASL_LEVEL_ERR,
917 "status mismatched %d.\n", iph1->status);
918 goto end;
919 }
920
921 /* validate the type of next payload */
922 pbuf = isakmp_parse(msg);
923 if (pbuf == NULL) {
924 plog(ASL_LEVEL_ERR,
925 "failed to parse msg");
926 goto end;
927 }
928 pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
929
930 /* SA payload is fixed postion */
931 if (pa->type != ISAKMP_NPTYPE_SA) {
932 plog(ASL_LEVEL_ERR,
933 "received invalid next payload type %d, "
934 "expecting %d.\n",
935 pa->type, ISAKMP_NPTYPE_SA);
936 goto end;
937 }
938 if (isakmp_p2ph(&iph1->sa, pa->ptr) < 0) {
939 plog(ASL_LEVEL_ERR,
940 "failed to process SA payload");
941 goto end;
942 }
943 pa++;
944
945 for (/*nothing*/;
946 pa->type != ISAKMP_NPTYPE_NONE;
947 pa++) {
948
949 plog(ASL_LEVEL_DEBUG,
950 "received payload of type %s\n",
951 s_isakmp_nptype(pa->type));
952
953 switch (pa->type) {
954 case ISAKMP_NPTYPE_KE:
955 if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) {
956 plog(ASL_LEVEL_ERR,
957 "failed to process KE payload");
958 goto end;
959 }
960 break;
961 case ISAKMP_NPTYPE_NONCE:
962 if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) {
963 plog(ASL_LEVEL_ERR,
964 "failed to process NONCE payload");
965 goto end;
966 }
967 break;
968 case ISAKMP_NPTYPE_ID:
969 if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) {
970 plog(ASL_LEVEL_ERR,
971 "failed to process ID payload");
972 goto end;
973 }
974 break;
975 case ISAKMP_NPTYPE_VID:
976 vid_numeric = check_vendorid(pa->ptr);
977
978#ifdef ENABLE_NATT
979 if (iph1->rmconf->nat_traversal &&
980 natt_vendorid(vid_numeric)) {
981 natt_handle_vendorid(iph1, vid_numeric);
982 break;
983 }
984#endif
985#ifdef ENABLE_HYBRID
986 switch (vid_numeric) {
987 case VENDORID_XAUTH:
988 iph1->mode_cfg->flags |=
989 ISAKMP_CFG_VENDORID_XAUTH;
990 break;
991
992 case VENDORID_UNITY:
993 iph1->mode_cfg->flags |=
994 ISAKMP_CFG_VENDORID_UNITY;
995 break;
996 default:
997 break;
998 }
999#endif
1000#ifdef ENABLE_DPD
1001 if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd) {
1002 iph1->dpd_support=1;
1003 plog(ASL_LEVEL_DEBUG,
1004 "remote supports DPD\n");
1005 }
1006#endif
1007#ifdef ENABLE_FRAG
1008 if ((vid_numeric == VENDORID_FRAG) &&
1009 (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_AGG)) {
1010 plog(ASL_LEVEL_DEBUG,
1011 "remote supports FRAGMENTATION\n");
1012 iph1->frag = 1;
1013 }
1014#endif
1015 break;
1016
1017 case ISAKMP_NPTYPE_CR:
1018 if (oakley_savecr(iph1, pa->ptr) < 0) {
1019 plog(ASL_LEVEL_ERR,
1020 "failed to process CR payload");
1021 goto end;
1022 }
1023 break;
1024
1025 default:
1026 /* don't send information, see isakmp_ident_r1() */
1027 plog(ASL_LEVEL_ERR,
1028 "ignore the packet, "
1029 "received unexpecting payload type %d.\n",
1030 pa->type);
1031 goto end;
1032 }
1033 }
1034
1035 /* payload existency check */
1036 if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) {
1037 plog(ASL_LEVEL_ERR,
1038 "few isakmp message received.\n");
1039 goto end;
1040 }
1041
1042 /* verify identifier */
1043 if (ipsecdoi_checkid1(iph1) != 0) {
1044 plog(ASL_LEVEL_ERR,
1045 "invalid ID payload.\n");
1046 goto end;
1047 }
1048
1049#ifdef ENABLE_NATT
1050 if (NATT_AVAILABLE(iph1)) {
1051 plog(ASL_LEVEL_INFO,
1052 "Selected NAT-T version: %s\n",
1053 vid_string_by_id(iph1->natt_options->version));
1054 ike_session_update_natt_version(iph1);
1055 }
1056#endif
1057
1058 /* check SA payload and set approval SA for use */
1059 if (ipsecdoi_checkph1proposal(iph1->sa, iph1) < 0) {
1060 plog(ASL_LEVEL_ERR,
1061 "failed to get valid proposal.\n");
1062 /* XXX send information */
1063 goto end;
1064 }
1065
1066 if (oakley_checkcr(iph1) < 0) {
1067 /* Ignore this error in order to be interoperability. */
1068 ;
1069 }
1070
1071 fsm_set_state(&iph1->status, IKEV1_STATE_AGG_R_MSG1RCVD);
1072
1073 error = 0;
1074
1075 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1076 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
1077 CONSTSTR("Responder, Aggressive-Mode message 1"),
1078 CONSTSTR(NULL));
1079
1080end:
1081 if (error) {
1082 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1083 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
1084 CONSTSTR("Responder, Aggressive-Mode Message 1"),
1085 CONSTSTR("Failed to process Aggressive-Mode Message 1"));
1086 }
1087
1088 if (pbuf)
1089 vfree(pbuf);
1090 if (error) {
1091 VPTRINIT(iph1->sa);
1092 VPTRINIT(iph1->dhpub_p);
1093 VPTRINIT(iph1->nonce_p);
1094 VPTRINIT(iph1->id_p);
1095 oakley_delcert(iph1->cr_p);
1096 iph1->cr_p = NULL;
1097 }
1098
1099 return error;
1100}
1101
1102/*
1103 * send to initiator
1104 * psk: HDR, SA, KE, Nr, IDr1, HASH_R
1105 * sig: HDR, SA, KE, Nr, IDr1, [ CR, ] [ CERT, ] SIG_R
1106 * gssapi: HDR, SA, KE, Nr, IDr1, GSSr, HASH_R
1107 * rsa: HDR, SA, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i, HASH_R
1108 * rev: HDR, SA, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDir_b>Ke_r, HASH_R
1109 */
1110int
1111agg_r2send(iph1, msg)
1112 phase1_handle_t *iph1;
1113 vchar_t *msg;
1114{
1115 struct payload_list *plist = NULL;
1116 int need_cr = 0;
1117 int need_cert = 0;
1118 vchar_t *cr = NULL;
1119 int error = -1;
1120#ifdef ENABLE_HYBRID
1121 vchar_t *xauth_vid = NULL;
1122 vchar_t *unity_vid = NULL;
1123#endif
1124#ifdef ENABLE_NATT
1125 vchar_t *vid_natt = NULL;
1126 vchar_t *natd[2] = { NULL, NULL };
1127#endif
1128#ifdef ENABLE_DPD
1129 vchar_t *vid_dpd = NULL;
1130#endif
1131#ifdef ENABLE_FRAG
1132 vchar_t *vid_frag = NULL;
1133#endif
1134
1135 /* validity check */
1136 if (iph1->status != IKEV1_STATE_AGG_R_MSG1RCVD) {
1137 plog(ASL_LEVEL_ERR,
1138 "status mismatched %d.\n", iph1->status);
1139 goto end;
1140 }
1141
1142 /* set responder's cookie */
1143 isakmp_newcookie((caddr_t)&iph1->index.r_ck, iph1->remote, iph1->local);
1144
1145 /* make ID payload into isakmp status */
1146 if (ipsecdoi_setid1(iph1) < 0) {
1147 plog(ASL_LEVEL_ERR,
1148 "failed to set ID");
1149 goto end;
1150 }
1151
1152 /* generate DH public value */
1153#ifdef HAVE_OPENSSL
1154 if (oakley_dh_generate(iph1->rmconf->dhgrp,
1155 &iph1->dhpub, &iph1->dhpriv) < 0) {
1156#else
1157 if (oakley_dh_generate(iph1->rmconf->dhgrp,
1158 &iph1->dhpub, &iph1->publicKeySize, &iph1->dhC) < 0) {
1159#endif
1160 plog(ASL_LEVEL_ERR,
1161 "failed to generate DH");
1162 goto end;
1163 }
1164
1165 /* generate NONCE value */
1166 iph1->nonce = eay_set_random(iph1->rmconf->nonce_size);
1167 if (iph1->nonce == NULL) {
1168 plog(ASL_LEVEL_ERR,
1169 "failed to generate NONCE");
1170 goto end;
1171 }
1172
1173 /* compute sharing secret of DH */
1174#ifdef HAVE_OPENSSL
1175 if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub,
1176 iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) {
1177#else
1178 if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub_p, iph1->publicKeySize, &iph1->dhgxy, &iph1->dhC) < 0) {
1179#endif
1180 plog(ASL_LEVEL_ERR,
1181 "failed to compute DH");
1182 goto end;
1183 }
1184
1185 /* generate SKEYIDs & IV & final cipher key */
1186 if (oakley_skeyid(iph1) < 0) {
1187 plog(ASL_LEVEL_ERR,
1188 "failed to generate SKEYID");
1189 goto end;
1190 }
1191 if (oakley_skeyid_dae(iph1) < 0) {
1192 plog(ASL_LEVEL_ERR,
1193 "failed to generate SKEYID-DAE");
1194 goto end;
1195 }
1196 if (oakley_compute_enckey(iph1) < 0) {
1197 plog(ASL_LEVEL_ERR,
1198 "failed to generate ENCKEY");
1199 goto end;
1200 }
1201 if (oakley_newiv(iph1) < 0) {
1202 plog(ASL_LEVEL_ERR,
1203 "failed to generate IV");
1204 goto end;
1205 }
1206
1207 /* generate HASH to send */
1208 plog(ASL_LEVEL_DEBUG, "generate HASH_R\n");
1209 iph1->hash = oakley_ph1hash_common(iph1, GENERATE);
1210 if (iph1->hash == NULL) {
1211 plog(ASL_LEVEL_ERR,
1212 "failed to generate GSS HASH");
1213 goto end;
1214 }
1215
1216 /* create CR if need */
1217 if (iph1->rmconf->send_cr
1218 && oakley_needcr(iph1->approval->authmethod)) {
1219 need_cr = 1;
1220 cr = oakley_getcr(iph1);
1221 if (cr == NULL) {
1222 plog(ASL_LEVEL_ERR,
1223 "failed to get CR.\n");
1224 goto end;
1225 }
1226 }
1227
1228#ifdef ENABLE_NATT
1229 /* Has the peer announced NAT-T? */
1230 if (NATT_AVAILABLE(iph1)) {
1231 /* set chosen VID */
1232 vid_natt = set_vendorid(iph1->natt_options->version);
1233
1234 /* generate NAT-D payloads */
1235 plog (ASL_LEVEL_INFO, "Adding remote and local NAT-D payloads.\n");
1236 if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) {
1237 plog(ASL_LEVEL_ERR,
1238 "NAT-D hashing failed for %s\n", saddr2str((struct sockaddr *)iph1->remote));
1239 goto end;
1240 }
1241
1242 if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) {
1243 plog(ASL_LEVEL_ERR,
1244 "NAT-D hashing failed for %s\n", saddr2str((struct sockaddr *)iph1->local));
1245 goto end;
1246 }
1247 }
1248#endif
1249#ifdef ENABLE_DPD
1250 /* Only send DPD support if remote announced DPD and if DPD support is active */
1251 if (iph1->dpd_support && iph1->rmconf->dpd)
1252 vid_dpd = set_vendorid(VENDORID_DPD);
1253#endif
1254#ifdef ENABLE_FRAG
1255 if (iph1->frag) {
1256 vid_frag = set_vendorid(VENDORID_FRAG);
1257 if (vid_frag != NULL)
1258 vid_frag = isakmp_frag_addcap(vid_frag,
1259 VENDORID_FRAG_AGG);
1260 if (vid_frag == NULL)
1261 plog(ASL_LEVEL_ERR,
1262 "Frag vendorID construction failed\n");
1263 }
1264#endif
1265
1266 switch (AUTHMETHOD(iph1)) {
1267 case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
1268#ifdef ENABLE_HYBRID
1269 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
1270#endif
1271 /* set SA payload to reply */
1272 plist = isakmp_plist_append(plist, iph1->sa_ret, ISAKMP_NPTYPE_SA);
1273
1274 /* create isakmp KE payload */
1275 plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE);
1276
1277 /* create isakmp NONCE payload */
1278 plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE);
1279
1280 /* create isakmp ID payload */
1281 plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
1282
1283 /* create isakmp HASH payload */
1284 plist = isakmp_plist_append(plist,
1285 iph1->hash, ISAKMP_NPTYPE_HASH);
1286
1287 /* create isakmp CR payload if needed */
1288 if (need_cr)
1289 plist = isakmp_plist_append(plist, cr, ISAKMP_NPTYPE_CR);
1290 break;
1291 case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
1292#ifdef ENABLE_HYBRID
1293 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
1294 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
1295#endif
1296 /* XXX if there is CR or not ? */
1297
1298 if (oakley_getmycert(iph1) < 0) {
1299 plog(ASL_LEVEL_ERR,
1300 "failed to get mycert");
1301 goto end;
1302 }
1303
1304 if (oakley_getsign(iph1) < 0) {
1305 plog(ASL_LEVEL_ERR,
1306 "failed to get sign");
1307 goto end;
1308 }
1309
1310 if (iph1->cert != NULL && iph1->rmconf->send_cert)
1311 need_cert = 1;
1312
1313 /* set SA payload to reply */
1314 plist = isakmp_plist_append(plist, iph1->sa_ret, ISAKMP_NPTYPE_SA);
1315
1316 /* create isakmp KE payload */
1317 plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE);
1318
1319 /* create isakmp NONCE payload */
1320 plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE);
1321
1322 /* add ID payload */
1323 plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
1324
1325 /* add CERT payload if there */
1326 if (need_cert)
1327 plist = isakmp_plist_append(plist, iph1->cert->pl, ISAKMP_NPTYPE_CERT);
1328
1329 /* add SIG payload */
1330 plist = isakmp_plist_append(plist, iph1->sig, ISAKMP_NPTYPE_SIG);
1331
1332 /* create isakmp CR payload if needed */
1333 if (need_cr)
1334 plist = isakmp_plist_append(plist,
1335 cr, ISAKMP_NPTYPE_CR);
1336 break;
1337
1338 case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
1339 case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
1340#ifdef ENABLE_HYBRID
1341 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
1342 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
1343#endif
1344 break;
1345 }
1346
1347#ifdef ENABLE_HYBRID
1348 if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) {
1349 plog (ASL_LEVEL_INFO, "Adding xauth VID payload.\n");
1350 if ((xauth_vid = set_vendorid(VENDORID_XAUTH)) == NULL) {
1351 plog(ASL_LEVEL_ERR,
1352 "Cannot create Xauth vendor ID\n");
1353 goto end;
1354 }
1355 plist = isakmp_plist_append(plist,
1356 xauth_vid, ISAKMP_NPTYPE_VID);
1357 }
1358
1359 if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_UNITY) {
1360 if ((unity_vid = set_vendorid(VENDORID_UNITY)) == NULL) {
1361 plog(ASL_LEVEL_ERR,
1362 "Cannot create Unity vendor ID\n");
1363 goto end;
1364 }
1365 plist = isakmp_plist_append(plist,
1366 unity_vid, ISAKMP_NPTYPE_VID);
1367 }
1368#endif
1369
1370#ifdef ENABLE_NATT
1371 /* append NAT-T payloads */
1372 if (vid_natt) {
1373 /* chosen VID */
1374 plist = isakmp_plist_append(plist, vid_natt, ISAKMP_NPTYPE_VID);
1375 /* NAT-D */
1376 /* old Apple version sends natd payloads in the wrong order */
1377 if (iph1->natt_options->version == VENDORID_NATT_APPLE) {
1378 plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
1379 plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
1380 } else
1381 {
1382 plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
1383 plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
1384 }
1385 }
1386#endif
1387
1388#ifdef ENABLE_FRAG
1389 if (vid_frag)
1390 plist = isakmp_plist_append(plist, vid_frag, ISAKMP_NPTYPE_VID);
1391#endif
1392
1393#ifdef ENABLE_DPD
1394 if (vid_dpd)
1395 plist = isakmp_plist_append(plist, vid_dpd, ISAKMP_NPTYPE_VID);
1396#endif
1397
1398 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
1399
1400#ifdef HAVE_PRINT_ISAKMP_C
1401 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 1);
1402#endif
1403
1404 /* send the packet, add to the schedule to resend */
1405 iph1->retry_counter = iph1->rmconf->retry_counter;
1406 if (isakmp_ph1resend(iph1) == -1) {
1407 plog(ASL_LEVEL_ERR ,
1408 "failed to send packet");
1409 goto end;
1410 }
1411
1412 /* the sending message is added to the received-list. */
1413 if (ike_session_add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
1414 PH1_NON_ESP_EXTRA_LEN(iph1, iph1->sendbuf), PH1_FRAG_FLAGS(iph1)) == -1) {
1415 plog(ASL_LEVEL_ERR ,
1416 "failed to add a response packet to the tree.\n");
1417 goto end;
1418 }
1419
1420 fsm_set_state(&iph1->status, IKEV1_STATE_AGG_R_MSG2SENT);
1421
1422#ifdef ENABLE_VPNCONTROL_PORT
1423 vpncontrol_notify_phase_change(1, FROM_LOCAL, iph1, NULL);
1424#endif
1425
1426 error = 0;
1427
1428 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1429 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
1430 CONSTSTR("Responder, Aggressive-Mode message 2"),
1431 CONSTSTR(NULL));
1432
1433end:
1434 if (error) {
1435 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1436 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
1437 CONSTSTR("Responder, Aggressive-Mode Message 2"),
1438 CONSTSTR("Failed to process Aggressive-Mode Message 2"));
1439 }
1440 if (cr)
1441 vfree(cr);
1442#ifdef ENABLE_HYBRID
1443 if (xauth_vid)
1444 vfree(xauth_vid);
1445 if (unity_vid)
1446 vfree(unity_vid);
1447#endif
1448#ifdef ENABLE_NATT
1449 if (vid_natt)
1450 vfree(vid_natt);
1451 if (natd[0])
1452 vfree(natd[0]);
1453 if (natd[1])
1454 vfree(natd[1]);
1455#endif
1456#ifdef ENABLE_DPD
1457 if (vid_dpd)
1458 vfree(vid_dpd);
1459#endif
1460#ifdef ENABLE_FRAG
1461 if (vid_frag)
1462 vfree(vid_frag);
1463#endif
1464
1465 return error;
1466}
1467
1468/*
1469 * receive from initiator
1470 * psk: HDR, HASH_I
1471 * gssapi: HDR, HASH_I
1472 * sig: HDR, [ CERT, ] SIG_I
1473 * rsa: HDR, HASH_I
1474 * rev: HDR, HASH_I
1475 */
1476int
1477agg_r3recv(iph1, msg0)
1478 phase1_handle_t *iph1;
1479 vchar_t *msg0;
1480{
1481 vchar_t *msg = NULL;
1482 vchar_t *pbuf = NULL;
1483 struct isakmp_parse_t *pa;
1484 int error = -1;
1485 int ptype;
1486
1487#ifdef ENABLE_NATT
1488 int natd_seq = 0;
1489#endif
1490 int received_cert = 0;
1491
1492 /* validity check */
1493 if (iph1->status != IKEV1_STATE_AGG_R_MSG2SENT) {
1494 plog(ASL_LEVEL_ERR,
1495 "status mismatched %d.\n", iph1->status);
1496 goto end;
1497 }
1498
1499 /* decrypting if need. */
1500 /* XXX configurable ? */
1501 if (ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
1502 msg = oakley_do_decrypt(iph1, msg0,
1503 iph1->ivm->iv, iph1->ivm->ive);
1504 if (msg == NULL) {
1505 plog(ASL_LEVEL_ERR,
1506 "failed to decrypt msg");
1507 goto end;
1508 }
1509 } else
1510 msg = vdup(msg0);
1511
1512 /* validate the type of next payload */
1513 pbuf = isakmp_parse(msg);
1514 if (pbuf == NULL) {
1515 plog(ASL_LEVEL_ERR,
1516 "failed to parse msg");
1517 goto end;
1518 }
1519
1520 iph1->pl_hash = NULL;
1521
1522 for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
1523 pa->type != ISAKMP_NPTYPE_NONE;
1524 pa++) {
1525
1526 switch (pa->type) {
1527 case ISAKMP_NPTYPE_HASH:
1528 iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr;
1529 break;
1530 case ISAKMP_NPTYPE_VID:
1531 (void)check_vendorid(pa->ptr);
1532 break;
1533 case ISAKMP_NPTYPE_CERT:
1534 if (oakley_savecert(iph1, pa->ptr) < 0) {
1535 plog(ASL_LEVEL_ERR,
1536 "failed to process CERT payload");
1537 goto end;
1538 }
1539 received_cert = 1;
1540 break;
1541 case ISAKMP_NPTYPE_SIG:
1542 if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) {
1543 plog(ASL_LEVEL_ERR,
1544 "failed to process SIG payload");
1545 goto end;
1546 }
1547 break;
1548 case ISAKMP_NPTYPE_N:
1549 isakmp_check_notify(pa->ptr, iph1);
1550 break;
1551
1552#ifdef ENABLE_NATT
1553 case ISAKMP_NPTYPE_NATD_DRAFT:
1554 case ISAKMP_NPTYPE_NATD_RFC:
1555 if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL &&
1556 pa->type == iph1->natt_options->payload_nat_d)
1557 {
1558 vchar_t *natd_received = NULL;
1559 int natd_verified;
1560
1561 if (isakmp_p2ph (&natd_received, pa->ptr) < 0) {
1562 plog(ASL_LEVEL_ERR,
1563 "failed to process NATD payload");
1564 goto end;
1565 }
1566
1567 if (natd_seq == 0)
1568 iph1->natt_flags |= NAT_DETECTED;
1569
1570 natd_verified = natt_compare_addr_hash (iph1,
1571 natd_received, natd_seq++);
1572
1573 plog (ASL_LEVEL_INFO, "NAT-D payload #%d %s\n",
1574 natd_seq - 1,
1575 natd_verified ? "verified" : "doesn't match");
1576
1577 vfree (natd_received);
1578 break;
1579 }
1580 /* %%%% Be lenient here - some servers send natd payloads */
1581 /* when no nat is detected */
1582 break;
1583#endif
1584
1585 default:
1586 /* don't send information, see isakmp_ident_r1() */
1587 plog(ASL_LEVEL_ERR,
1588 "ignore the packet, "
1589 "received unexpecting payload type %d.\n",
1590 pa->type);
1591 goto end;
1592 }
1593 }
1594
1595#ifdef ENABLE_NATT
1596 if (NATT_AVAILABLE(iph1))
1597 plog (ASL_LEVEL_INFO, "NAT %s %s%s\n",
1598 iph1->natt_flags & NAT_DETECTED ?
1599 "detected:" : "not detected",
1600 iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "",
1601 iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : "");
1602#endif
1603
1604 if (received_cert) {
1605 oakley_verify_certid(iph1);
1606 }
1607
1608 /* validate authentication value */
1609 ptype = oakley_validate_auth(iph1);
1610 if (ptype != 0) {
1611 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1612 IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_FAIL,
1613 CONSTSTR("Responder, Aggressive-Mode Message 3"),
1614 CONSTSTR("Failed to authenticate Aggressive-Mode Message 3"));
1615 if (ptype == -1) {
1616 /* message printed inner oakley_validate_auth() */
1617 goto end;
1618 }
1619 isakmp_info_send_n1(iph1, ptype, NULL);
1620 goto end;
1621 }
1622 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1623 IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_SUCC,
1624 CONSTSTR("Responder, Aggressive-Mode Message 3"),
1625 CONSTSTR(NULL));
1626
1627 fsm_set_state(&iph1->status, IKEV1_STATE_AGG_R_MSG3RCVD);
1628
1629 error = 0;
1630
1631 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1632 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
1633 CONSTSTR("Responder, Aggressive-Mode message 3"),
1634 CONSTSTR(NULL));
1635
1636end:
1637 if (error) {
1638 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1639 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
1640 CONSTSTR("Responder, Aggressive-Mode Message 3"),
1641 CONSTSTR("Failed to process Aggressive-Mode Message 3"));
1642 }
1643 if (pbuf)
1644 vfree(pbuf);
1645 if (msg)
1646 vfree(msg);
1647 if (error) {
1648 oakley_delcert(iph1->cert_p);
1649 iph1->cert_p = NULL;
1650 oakley_delcert(iph1->crl_p);
1651 iph1->crl_p = NULL;
1652 VPTRINIT(iph1->sig_p);
1653 }
1654
1655 return error;
1656}
1657
1658/*
1659 * status update and establish isakmp sa.
1660 */
1661int
1662agg_rfinalize(iph1, msg)
1663 phase1_handle_t *iph1;
1664 vchar_t *msg;
1665{
1666 int error = -1;
1667
1668 /* validity check */
1669 if (iph1->status != IKEV1_STATE_AGG_R_MSG3RCVD) {
1670 plog(ASL_LEVEL_ERR,
1671 "status mismatched %d.\n", iph1->status);
1672 goto end;
1673 }
1674
1675 /* IV synchronized when packet encrypted. */
1676 /* see handler.h about IV synchronization. */
1677 if (ISSET(((struct isakmp *)msg->v)->flags, ISAKMP_FLAG_E))
1678 memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->iv->l);
1679
1680 /* set encryption flag */
1681 iph1->flags |= ISAKMP_FLAG_E;
1682
1683 fsm_set_state(&iph1->status, IKEV1_STATE_PHASE1_ESTABLISHED);
1684
1685 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1686 IPSECSESSIONEVENTCODE_IKEV1_PH1_RESP_SUCC,
1687 CONSTSTR("Responder, Aggressive-Mode"),
1688 CONSTSTR(NULL));
1689
1690 error = 0;
1691
1692end:
1693 return error;
1694}
mirror of ipsec