]> git.saurik.com Git - apple/ipsec.git/blob - ipsec-tools/racoon/isakmp_ident.c
projects / apple / ipsec.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
ipsec-92.4.tar.gz
[apple/ipsec.git] / ipsec-tools / racoon / isakmp_ident.c
1 /* $NetBSD: isakmp_ident.c,v 1.6 2006/10/02 21:41:59 manu Exp $ */
2
3 /* Id: isakmp_ident.c,v 1.21 2006/04/06 16:46:08 manubsd Exp */
4
5 /*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 /* Identity Protecion Exchange (Main Mode) */
35
36 #include "config.h"
37
38 #include <sys/types.h>
39 #include <sys/param.h>
40
41 #include <stdlib.h>
42 #include <stdio.h>
43 #include <string.h>
44 #include <errno.h>
45 #if TIME_WITH_SYS_TIME
46 # include <sys/time.h>
47 # include <time.h>
48 #else
49 # if HAVE_SYS_TIME_H
50 # include <sys/time.h>
51 # else
52 # include <time.h>
53 # endif
54 #endif
55
56 #include "var.h"
57 #include "misc.h"
58 #include "vmbuf.h"
59 #include "plog.h"
60 #include "sockmisc.h"
61 #include "schedule.h"
62 #include "debug.h"
63
64 #include "localconf.h"
65 #include "remoteconf.h"
66 #include "isakmp_var.h"
67 #include "isakmp.h"
68 #include "evt.h"
69 #include "oakley.h"
70 #include "handler.h"
71 #include "ipsec_doi.h"
72 #include "crypto_openssl.h"
73 #include "pfkey.h"
74 #include "isakmp_ident.h"
75 #include "isakmp_inf.h"
76 #include "vendorid.h"
77
78 #ifdef ENABLE_NATT
79 #include "nattraversal.h"
80 #endif
81 #ifdef HAVE_GSSAPI
82 #include "gssapi.h"
83 #endif
84 #ifdef ENABLE_HYBRID
85 #include <resolv.h>
86 #include "isakmp_xauth.h"
87 #include "isakmp_cfg.h"
88 #endif
89 #ifdef ENABLE_FRAG
90 #include "isakmp_frag.h"
91 #endif
92
93 #include "vpn_control.h"
94 #include "vpn_control_var.h"
95 #include "ipsecSessionTracer.h"
96 #include "ipsecMessageTracer.h"
97
98 static vchar_t *ident_ir2mx __P((struct ph1handle *));
99 static vchar_t *ident_ir3mx __P((struct ph1handle *));
100
101 /* %%%
102 * begin Identity Protection Mode as initiator.
103 */
104 /*
105 * send to responder
106 * psk: HDR, SA
107 * sig: HDR, SA
108 * rsa: HDR, SA
109 * rev: HDR, SA
110 */
111 int
112 ident_i1send(iph1, msg)
113 struct ph1handle *iph1;
114 vchar_t *msg; /* must be null */
115 {
116 struct payload_list *plist = NULL;
117 int error = -1;
118 #ifdef ENABLE_NATT
119 vchar_t *vid_natt[MAX_NATT_VID_COUNT] = { NULL };
120 int i;
121 #endif
122 #ifdef ENABLE_HYBRID
123 vchar_t *vid_xauth = NULL;
124 vchar_t *vid_unity = NULL;
125 #endif
126 #ifdef ENABLE_FRAG
127 vchar_t *vid_frag = NULL;
128 #endif
129 #ifdef ENABLE_DPD
130 vchar_t *vid_dpd = NULL;
131 #endif
132 /* validity check */
133 if (msg != NULL) {
134 plog(LLV_ERROR, LOCATION, NULL,
135 "msg has to be NULL in this function.\n");
136 goto end;
137 }
138 if (iph1->status != PHASE1ST_START) {
139 plog(LLV_ERROR, LOCATION, NULL,
140 "status mismatched %d.\n", iph1->status);
141 goto end;
142 }
143
144 /* create isakmp index */
145 memset(&iph1->index, 0, sizeof(iph1->index));
146 isakmp_newcookie((caddr_t)&iph1->index, iph1->remote, iph1->local);
147
148 /* create SA payload for my proposal */
149 iph1->sa = ipsecdoi_setph1proposal(iph1->rmconf->proposal);
150 if (iph1->sa == NULL) {
151 plog(LLV_ERROR, LOCATION, NULL,
152 "failed to set proposal");
153 goto end;
154 }
155
156 /* set SA payload to propose */
157 plist = isakmp_plist_append(plist, iph1->sa, ISAKMP_NPTYPE_SA);
158
159 #ifdef ENABLE_NATT
160 /* set VID payload for NAT-T if NAT-T support allowed in the config file */
161 if (iph1->rmconf->nat_traversal)
162 plist = isakmp_plist_append_natt_vids(plist, vid_natt);
163 #endif
164 #ifdef ENABLE_HYBRID
165 /* Do we need Xauth VID? */
166 switch (RMAUTHMETHOD(iph1)) {
167 case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
168 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
169 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
170 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
171 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
172 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
173 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
174 if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL)
175 plog(LLV_ERROR, LOCATION, NULL,
176 "Xauth vendor ID generation failed\n");
177 else
178 plist = isakmp_plist_append(plist,
179 vid_xauth, ISAKMP_NPTYPE_VID);
180
181 if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL)
182 plog(LLV_ERROR, LOCATION, NULL,
183 "Unity vendor ID generation failed\n");
184 else
185 plist = isakmp_plist_append(plist,
186 vid_unity, ISAKMP_NPTYPE_VID);
187 break;
188 default:
189 break;
190 }
191 #endif
192 #ifdef ENABLE_FRAG
193 if (iph1->rmconf->ike_frag) {
194 if ((vid_frag = set_vendorid(VENDORID_FRAG)) == NULL) {
195 plog(LLV_ERROR, LOCATION, NULL,
196 "Frag vendorID construction failed\n");
197 } else {
198 vid_frag = isakmp_frag_addcap(vid_frag,
199 VENDORID_FRAG_IDENT);
200 plist = isakmp_plist_append(plist,
201 vid_frag, ISAKMP_NPTYPE_VID);
202 }
203 }
204 #endif
205 #ifdef ENABLE_DPD
206 if(iph1->rmconf->dpd){
207 vid_dpd = set_vendorid(VENDORID_DPD);
208 if (vid_dpd != NULL)
209 plist = isakmp_plist_append(plist, vid_dpd,
210 ISAKMP_NPTYPE_VID);
211 }
212 #endif
213
214 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
215
216 #ifdef HAVE_PRINT_ISAKMP_C
217 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
218 #endif
219
220 /* send the packet, add to the schedule to resend */
221 iph1->retry_counter = iph1->rmconf->retry_counter;
222 if (isakmp_ph1resend(iph1) == -1) {
223 plog(LLV_ERROR, LOCATION, NULL,
224 "failed to send packet");
225 goto end;
226 }
227
228 iph1->status = PHASE1ST_MSG1SENT;
229
230 error = 0;
231
232 IPSECSESSIONTRACEREVENT(iph1->parent_session,
233 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
234 CONSTSTR("Initiator, Main-Mode message 1"),
235 CONSTSTR(NULL));
236
237 end:
238 if (error) {
239 IPSECSESSIONTRACEREVENT(iph1->parent_session,
240 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
241 CONSTSTR("Initiator, Main-Mode Message 1"),
242 CONSTSTR("Failed to transmit Main-Mode Message 1"));
243 }
244 #ifdef ENABLE_FRAG
245 if (vid_frag)
246 vfree(vid_frag);
247 #endif
248 #ifdef ENABLE_NATT
249 for (i = 0; i < MAX_NATT_VID_COUNT && vid_natt[i] != NULL; i++)
250 vfree(vid_natt[i]);
251 #endif
252 #ifdef ENABLE_HYBRID
253 if (vid_xauth != NULL)
254 vfree(vid_xauth);
255 if (vid_unity != NULL)
256 vfree(vid_unity);
257 #endif
258 #ifdef ENABLE_DPD
259 if (vid_dpd != NULL)
260 vfree(vid_dpd);
261 #endif
262
263 return error;
264 }
265
266 /*
267 * receive from responder
268 * psk: HDR, SA
269 * sig: HDR, SA
270 * rsa: HDR, SA
271 * rev: HDR, SA
272 */
273 int
274 ident_i2recv(iph1, msg)
275 struct ph1handle *iph1;
276 vchar_t *msg;
277 {
278 vchar_t *pbuf = NULL;
279 struct isakmp_parse_t *pa;
280 vchar_t *satmp = NULL;
281 int error = -1;
282 int vid_numeric;
283
284 /* validity check */
285 if (iph1->status != PHASE1ST_MSG1SENT) {
286 plog(LLV_ERROR, LOCATION, NULL,
287 "status mismatched %d.\n", iph1->status);
288 goto end;
289 }
290
291 /* validate the type of next payload */
292 /*
293 * NOTE: RedCreek(as responder) attaches N[responder-lifetime] here,
294 * if proposal-lifetime > lifetime-redcreek-wants.
295 * (see doi-08 4.5.4)
296 * => According to the seciton 4.6.3 in RFC 2407, This is illegal.
297 * NOTE: we do not really care about ordering of VID and N.
298 * does it matters?
299 * NOTE: even if there's multiple VID/N, we'll ignore them.
300 */
301 pbuf = isakmp_parse(msg);
302 if (pbuf == NULL) {
303 plog(LLV_ERROR, LOCATION, NULL,
304 "failed to parse msg");
305 goto end;
306 }
307 pa = (struct isakmp_parse_t *)pbuf->v;
308
309 /* SA payload is fixed postion */
310 if (pa->type != ISAKMP_NPTYPE_SA) {
311 plog(LLV_ERROR, LOCATION, iph1->remote,
312 "received invalid next payload type %d, "
313 "expecting %d.\n",
314 pa->type, ISAKMP_NPTYPE_SA);
315 goto end;
316 }
317 if (isakmp_p2ph(&satmp, pa->ptr) < 0) {
318 plog(LLV_ERROR, LOCATION, NULL,
319 "failed to process SA payload");
320 goto end;
321 }
322 pa++;
323
324 for (/*nothing*/;
325 pa->type != ISAKMP_NPTYPE_NONE;
326 pa++) {
327
328 switch (pa->type) {
329 case ISAKMP_NPTYPE_VID:
330 vid_numeric = check_vendorid(pa->ptr);
331 #ifdef ENABLE_NATT
332 if (iph1->rmconf->nat_traversal && natt_vendorid(vid_numeric))
333 natt_handle_vendorid(iph1, vid_numeric);
334 #endif
335 #ifdef ENABLE_HYBRID
336 switch (vid_numeric) {
337 case VENDORID_XAUTH:
338 iph1->mode_cfg->flags |=
339 ISAKMP_CFG_VENDORID_XAUTH;
340 break;
341
342 case VENDORID_UNITY:
343 iph1->mode_cfg->flags |=
344 ISAKMP_CFG_VENDORID_UNITY;
345 break;
346
347 default:
348 break;
349 }
350 #endif
351 #ifdef ENABLE_DPD
352 if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd)
353 iph1->dpd_support=1;
354 #endif
355 break;
356 default:
357 /* don't send information, see ident_r1recv() */
358 plog(LLV_ERROR, LOCATION, iph1->remote,
359 "ignore the packet, "
360 "received unexpecting payload type %d.\n",
361 pa->type);
362 goto end;
363 }
364 }
365
366 #ifdef ENABLE_NATT
367 if (NATT_AVAILABLE(iph1))
368 plog(LLV_INFO, LOCATION, iph1->remote,
369 "Selected NAT-T version: %s\n",
370 vid_string_by_id(iph1->natt_options->version));
371 #endif
372
373 /* check SA payload and set approval SA for use */
374 if (ipsecdoi_checkph1proposal(satmp, iph1) < 0) {
375 plog(LLV_ERROR, LOCATION, iph1->remote,
376 "failed to get valid proposal.\n");
377 /* XXX send information */
378 goto end;
379 }
380 VPTRINIT(iph1->sa_ret);
381
382 iph1->status = PHASE1ST_MSG2RECEIVED;
383
384 #ifdef ENABLE_VPNCONTROL_PORT
385 vpncontrol_notify_phase_change(1, FROM_REMOTE, iph1, NULL);
386 #endif
387
388 error = 0;
389
390 IPSECSESSIONTRACEREVENT(iph1->parent_session,
391 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
392 CONSTSTR("Initiator, Main-Mode message 2"),
393 CONSTSTR(NULL));
394
395 end:
396 if (error) {
397 IPSECSESSIONTRACEREVENT(iph1->parent_session,
398 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
399 CONSTSTR("Initiator, Main-Mode Message 2"),
400 CONSTSTR("Failed to process Main-Mode Message 2"));
401 }
402 if (pbuf)
403 vfree(pbuf);
404 if (satmp)
405 vfree(satmp);
406 return error;
407 }
408
409 /*
410 * send to responder
411 * psk: HDR, KE, Ni
412 * sig: HDR, KE, Ni
413 * gssapi: HDR, KE, Ni, GSSi
414 * rsa: HDR, KE, [ HASH(1), ] <IDi1_b>PubKey_r, <Ni_b>PubKey_r
415 * rev: HDR, [ HASH(1), ] <Ni_b>Pubkey_r, <KE_b>Ke_i,
416 * <IDi1_b>Ke_i, [<<Cert-I_b>Ke_i]
417 */
418 int
419 ident_i2send(iph1, msg)
420 struct ph1handle *iph1;
421 vchar_t *msg;
422 {
423 int error = -1;
424
425 /* validity check */
426 if (iph1->status != PHASE1ST_MSG2RECEIVED) {
427 plog(LLV_ERROR, LOCATION, NULL,
428 "status mismatched %d.\n", iph1->status);
429 goto end;
430 }
431
432 /* fix isakmp index */
433 memcpy(&iph1->index.r_ck, &((struct isakmp *)msg->v)->r_ck,
434 sizeof(cookie_t));
435
436 /* generate DH public value */
437 if (oakley_dh_generate(iph1->approval->dhgrp,
438 &iph1->dhpub, &iph1->dhpriv) < 0) {
439 plog(LLV_ERROR, LOCATION, NULL,
440 "failed to generate DH");
441 goto end;
442 }
443
444 /* generate NONCE value */
445 iph1->nonce = eay_set_random(iph1->rmconf->nonce_size);
446 if (iph1->nonce == NULL) {
447 plog(LLV_ERROR, LOCATION, NULL,
448 "failed to generate NONCE");
449 goto end;
450 }
451
452 #ifdef HAVE_GSSAPI
453 if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB &&
454 gssapi_get_itoken(iph1, NULL) < 0) {
455 plog(LLV_ERROR, LOCATION, NULL,
456 "failed to get GSS token");
457 goto end;
458 }
459 #endif
460
461 /* create buffer to send isakmp payload */
462 iph1->sendbuf = ident_ir2mx(iph1);
463 if (iph1->sendbuf == NULL) {
464 plog(LLV_ERROR, LOCATION, NULL,
465 "failed to create send buffer");
466 goto end;
467 }
468
469 #ifdef HAVE_PRINT_ISAKMP_C
470 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
471 #endif
472
473 /* send the packet, add to the schedule to resend */
474 iph1->retry_counter = iph1->rmconf->retry_counter;
475 if (isakmp_ph1resend(iph1) == -1) {
476 plog(LLV_ERROR, LOCATION, NULL,
477 "failed to send packet");
478 goto end;
479 }
480
481 /* the sending message is added to the received-list. */
482 if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
483 PH1_NON_ESP_EXTRA_LEN(iph1)) == -1) {
484 plog(LLV_ERROR , LOCATION, NULL,
485 "failed to add a response packet to the tree.\n");
486 goto end;
487 }
488
489 iph1->status = PHASE1ST_MSG2SENT;
490
491 error = 0;
492
493 IPSECSESSIONTRACEREVENT(iph1->parent_session,
494 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
495 CONSTSTR("Initiator, Main-Mode message 3"),
496 CONSTSTR(NULL));
497
498 end:
499 if (error) {
500 IPSECSESSIONTRACEREVENT(iph1->parent_session,
501 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
502 CONSTSTR("Initiator, Main-Mode Message 3"),
503 CONSTSTR("Failed to transmit Main-Mode Message 3"));
504 }
505 return error;
506 }
507
508 /*
509 * receive from responder
510 * psk: HDR, KE, Nr
511 * sig: HDR, KE, Nr [, CR ]
512 * gssapi: HDR, KE, Nr, GSSr
513 * rsa: HDR, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i
514 * rev: HDR, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDr1_b>Ke_r,
515 */
516 int
517 ident_i3recv(iph1, msg)
518 struct ph1handle *iph1;
519 vchar_t *msg;
520 {
521 vchar_t *pbuf = NULL;
522 struct isakmp_parse_t *pa;
523 int error = -1;
524 int vid_numeric;
525 #ifdef HAVE_GSSAPI
526 vchar_t *gsstoken = NULL;
527 #endif
528 #ifdef ENABLE_NATT
529 vchar_t *natd_received;
530 int natd_seq = 0, natd_verified;
531 #endif
532
533 /* validity check */
534 if (iph1->status != PHASE1ST_MSG2SENT) {
535 plog(LLV_ERROR, LOCATION, NULL,
536 "status mismatched %d.\n", iph1->status);
537 goto end;
538 }
539
540 /* validate the type of next payload */
541 pbuf = isakmp_parse(msg);
542 if (pbuf == NULL) {
543 plog(LLV_ERROR, LOCATION, NULL,
544 "failed to parse msg");
545 goto end;
546 }
547
548 for (pa = (struct isakmp_parse_t *)pbuf->v;
549 pa->type != ISAKMP_NPTYPE_NONE;
550 pa++) {
551
552 switch (pa->type) {
553 case ISAKMP_NPTYPE_KE:
554 if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) {
555 plog(LLV_ERROR, LOCATION, NULL,
556 "failed to process KE payload");
557 goto end;
558 }
559 break;
560 case ISAKMP_NPTYPE_NONCE:
561 if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) {
562 plog(LLV_ERROR, LOCATION, NULL,
563 "failed to process NONCE payload");
564 goto end;
565 }
566 break;
567 case ISAKMP_NPTYPE_VID:
568 vid_numeric = check_vendorid(pa->ptr);
569 #ifdef ENABLE_HYBRID
570 switch (vid_numeric) {
571 case VENDORID_XAUTH:
572 iph1->mode_cfg->flags |=
573 ISAKMP_CFG_VENDORID_XAUTH;
574 break;
575
576 case VENDORID_UNITY:
577 iph1->mode_cfg->flags |=
578 ISAKMP_CFG_VENDORID_UNITY;
579 break;
580
581 default:
582 break;
583 }
584 #endif
585 #ifdef ENABLE_DPD
586 if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd)
587 iph1->dpd_support=1;
588 #endif
589
590 break;
591 case ISAKMP_NPTYPE_CR:
592 if (oakley_savecr(iph1, pa->ptr) < 0) {
593 plog(LLV_ERROR, LOCATION, NULL,
594 "failed to process CR payload");
595 goto end;
596 }
597 break;
598 #ifdef HAVE_GSSAPI
599 case ISAKMP_NPTYPE_GSS:
600 if (isakmp_p2ph(&gsstoken, pa->ptr) < 0) {
601 plog(LLV_ERROR, LOCATION, NULL,
602 "failed to process GSS payload");
603 goto end;
604 }
605 gssapi_save_received_token(iph1, gsstoken);
606 break;
607 #endif
608
609 #ifdef ENABLE_NATT
610 case ISAKMP_NPTYPE_NATD_DRAFT:
611 case ISAKMP_NPTYPE_NATD_RFC:
612 #ifdef __APPLE__
613 case ISAKMP_NPTYPE_NATD_BADDRAFT:
614 #endif
615 if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL &&
616 pa->type == iph1->natt_options->payload_nat_d) {
617 natd_received = NULL;
618 if (isakmp_p2ph (&natd_received, pa->ptr) < 0) {
619 plog(LLV_ERROR, LOCATION, NULL,
620 "failed to process NATD payload");
621 goto end;
622 }
623
624 /* set both bits first so that we can clear them
625 upon verifying hashes */
626 if (natd_seq == 0)
627 iph1->natt_flags |= NAT_DETECTED;
628
629 /* this function will clear appropriate bits bits
630 from iph1->natt_flags */
631 natd_verified = natt_compare_addr_hash (iph1,
632 natd_received, natd_seq++);
633
634 plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n",
635 natd_seq - 1,
636 natd_verified ? "verified" : "doesn't match");
637
638 vfree (natd_received);
639 break;
640 }
641 /* %%%% Be lenient here - some servers send natd payloads */
642 /* when no nat is detected */
643 break;
644 #endif
645
646 default:
647 /* don't send information, see ident_r1recv() */
648 plog(LLV_ERROR, LOCATION, iph1->remote,
649 "ignore the packet, "
650 "received unexpecting payload type %d.\n",
651 pa->type);
652 goto end;
653 }
654 }
655
656 #ifdef ENABLE_NATT
657 if (NATT_AVAILABLE(iph1)) {
658 plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n",
659 iph1->natt_flags & NAT_DETECTED ?
660 "detected:" : "not detected",
661 iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "",
662 iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : "");
663 if (iph1->natt_flags & NAT_DETECTED)
664 natt_float_ports (iph1);
665 }
666 #endif
667
668 /* payload existency check */
669 if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) {
670 plog(LLV_ERROR, LOCATION, iph1->remote,
671 "few isakmp message received.\n");
672 goto end;
673 }
674
675 if (oakley_checkcr(iph1) < 0) {
676 /* Ignore this error in order to be interoperability. */
677 ;
678 }
679
680 iph1->status = PHASE1ST_MSG3RECEIVED;
681
682 error = 0;
683
684 IPSECSESSIONTRACEREVENT(iph1->parent_session,
685 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
686 CONSTSTR("Initiator, Main-Mode message 4"),
687 CONSTSTR(NULL));
688
689 end:
690 if (error) {
691 IPSECSESSIONTRACEREVENT(iph1->parent_session,
692 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
693 CONSTSTR("Initiator, Main-Mode Message 4"),
694 CONSTSTR("Failed to process Main-Mode Message 4"));
695 }
696 #ifdef HAVE_GSSAPI
697 if (gsstoken)
698 vfree(gsstoken);
699 #endif
700 if (pbuf)
701 vfree(pbuf);
702 if (error) {
703 VPTRINIT(iph1->dhpub_p);
704 VPTRINIT(iph1->nonce_p);
705 VPTRINIT(iph1->id_p);
706 oakley_delcert(iph1->cr_p);
707 iph1->cr_p = NULL;
708 }
709
710 return error;
711 }
712
713 /*
714 * send to responder
715 * psk: HDR*, IDi1, HASH_I
716 * sig: HDR*, IDi1, [ CR, ] [ CERT, ] SIG_I
717 * gssapi: HDR*, IDi1, < Gssi(n) | HASH_I >
718 * rsa: HDR*, HASH_I
719 * rev: HDR*, HASH_I
720 */
721 int
722 ident_i3send(iph1, msg0)
723 struct ph1handle *iph1;
724 vchar_t *msg0;
725 {
726 int error = -1;
727 int dohash = 1;
728 #ifdef HAVE_GSSAPI
729 int len;
730 #endif
731
732 /* validity check */
733 if (iph1->status != PHASE1ST_MSG3RECEIVED) {
734 plog(LLV_ERROR, LOCATION, NULL,
735 "status mismatched %d.\n", iph1->status);
736 goto end;
737 }
738
739 /* compute sharing secret of DH */
740 if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub,
741 iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) {
742 plog(LLV_ERROR, LOCATION, NULL,
743 "failed to compute DH");
744 goto end;
745 }
746
747 /* generate SKEYIDs & IV & final cipher key */
748 if (oakley_skeyid(iph1) < 0) {
749 plog(LLV_ERROR, LOCATION, NULL,
750 "failed to generate SKEYID");
751 goto end;
752 }
753 if (oakley_skeyid_dae(iph1) < 0) {
754 plog(LLV_ERROR, LOCATION, NULL,
755 "failed to generate SKEYID-DAE");
756 goto end;
757 }
758 if (oakley_compute_enckey(iph1) < 0) {
759 plog(LLV_ERROR, LOCATION, NULL,
760 "failed to generate ENCKEY");
761 goto end;
762 }
763 if (oakley_newiv(iph1) < 0) {
764 plog(LLV_ERROR, LOCATION, NULL,
765 "failed to generate IV");
766 goto end;
767 }
768
769 /* make ID payload into isakmp status */
770 if (ipsecdoi_setid1(iph1) < 0) {
771 plog(LLV_ERROR, LOCATION, NULL,
772 "failed to set ID");
773 goto end;
774 }
775
776 #ifdef HAVE_GSSAPI
777 if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB &&
778 gssapi_more_tokens(iph1)) {
779 plog(LLV_DEBUG, LOCATION, NULL, "calling get_itoken\n");
780 if (gssapi_get_itoken(iph1, &len) < 0) {
781 plog(LLV_ERROR, LOCATION, NULL,
782 "failed to get GSSAPI token");
783 goto end;
784 }
785 if (len != 0)
786 dohash = 0;
787 }
788 #endif
789
790 /* generate HASH to send */
791 if (dohash) {
792 iph1->hash = oakley_ph1hash_common(iph1, GENERATE);
793 if (iph1->hash == NULL) {
794 plog(LLV_ERROR, LOCATION, NULL,
795 "failed to generate HASH");
796 goto end;
797 }
798 } else
799 iph1->hash = NULL;
800
801 /* set encryption flag */
802 iph1->flags |= ISAKMP_FLAG_E;
803
804 /* create HDR;ID;HASH payload */
805 iph1->sendbuf = ident_ir3mx(iph1);
806 if (iph1->sendbuf == NULL) {
807 plog(LLV_ERROR, LOCATION, NULL,
808 "failed to allocate send buffer");
809 goto end;
810 }
811
812 /* send the packet, add to the schedule to resend */
813 iph1->retry_counter = iph1->rmconf->retry_counter;
814 if (isakmp_ph1resend(iph1) == -1) {
815 plog(LLV_ERROR, LOCATION, NULL,
816 "failed to send packet");
817 goto end;
818 }
819
820 /* the sending message is added to the received-list. */
821 if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg0,
822 PH1_NON_ESP_EXTRA_LEN(iph1)) == -1) {
823 plog(LLV_ERROR , LOCATION, NULL,
824 "failed to add a response packet to the tree.\n");
825 goto end;
826 }
827
828 /* see handler.h about IV synchronization. */
829 memcpy(iph1->ivm->ive->v, iph1->ivm->iv->v, iph1->ivm->iv->l);
830
831 iph1->status = PHASE1ST_MSG3SENT;
832
833 error = 0;
834
835 IPSECSESSIONTRACEREVENT(iph1->parent_session,
836 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
837 CONSTSTR("Initiator, Main-Mode message 5"),
838 CONSTSTR(NULL));
839
840 end:
841 if (error) {
842 IPSECSESSIONTRACEREVENT(iph1->parent_session,
843 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
844 CONSTSTR("Initiator, Main-Mode Message 5"),
845 CONSTSTR("Failed to transmit Main-Mode Message 5"));
846 }
847 return error;
848 }
849
850 /*
851 * receive from responder
852 * psk: HDR*, IDr1, HASH_R
853 * sig: HDR*, IDr1, [ CERT, ] SIG_R
854 * gssapi: HDR*, IDr1, < GSSr(n) | HASH_R >
855 * rsa: HDR*, HASH_R
856 * rev: HDR*, HASH_R
857 */
858 int
859 ident_i4recv(iph1, msg0)
860 struct ph1handle *iph1;
861 vchar_t *msg0;
862 {
863 vchar_t *pbuf = NULL;
864 struct isakmp_parse_t *pa;
865 vchar_t *msg = NULL;
866 int error = -1;
867 int type;
868 int vid_numeric;
869 #ifdef HAVE_GSSAPI
870 vchar_t *gsstoken = NULL;
871 #endif
872
873 /* validity check */
874 if (iph1->status != PHASE1ST_MSG3SENT) {
875 plog(LLV_ERROR, LOCATION, NULL,
876 "status mismatched %d.\n", iph1->status);
877 goto end;
878 }
879
880 /* decrypting */
881 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
882 plog(LLV_ERROR, LOCATION, iph1->remote,
883 "ignore the packet, "
884 "expecting the packet encrypted.\n");
885 goto end;
886 }
887 msg = oakley_do_decrypt(iph1, msg0, iph1->ivm->iv, iph1->ivm->ive);
888 if (msg == NULL) {
889 plog(LLV_ERROR, LOCATION, NULL,
890 "failed to decrypt");
891 goto end;
892 }
893
894 /* validate the type of next payload */
895 pbuf = isakmp_parse(msg);
896 if (pbuf == NULL) {
897 plog(LLV_ERROR, LOCATION, NULL,
898 "failed to parse msg");
899 goto end;
900 }
901
902 iph1->pl_hash = NULL;
903
904 for (pa = (struct isakmp_parse_t *)pbuf->v;
905 pa->type != ISAKMP_NPTYPE_NONE;
906 pa++) {
907
908 switch (pa->type) {
909 case ISAKMP_NPTYPE_ID:
910 if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) {
911 plog(LLV_ERROR, LOCATION, NULL,
912 "failed to process ID payload");
913 goto end;
914 }
915 break;
916 case ISAKMP_NPTYPE_HASH:
917 iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr;
918 break;
919 case ISAKMP_NPTYPE_CERT:
920 if (oakley_savecert(iph1, pa->ptr) < 0) {
921 plog(LLV_ERROR, LOCATION, NULL,
922 "failed to process CERT payload");
923 goto end;
924 }
925 break;
926 case ISAKMP_NPTYPE_SIG:
927 if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) {
928 plog(LLV_ERROR, LOCATION, NULL,
929 "failed to process SIG payload");
930 goto end;
931 }
932 break;
933 #ifdef HAVE_GSSAPI
934 case ISAKMP_NPTYPE_GSS:
935 if (isakmp_p2ph(&gsstoken, pa->ptr) < 0) {
936 plog(LLV_ERROR, LOCATION, NULL,
937 "failed to process GSS payload");
938 goto end;
939 }
940 gssapi_save_received_token(iph1, gsstoken);
941 break;
942 #endif
943 case ISAKMP_NPTYPE_VID:
944 vid_numeric = check_vendorid(pa->ptr);
945 #ifdef ENABLE_DPD
946 if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd)
947 iph1->dpd_support=1;
948 #endif
949 break;
950 case ISAKMP_NPTYPE_N:
951 isakmp_check_notify(pa->ptr, iph1);
952 break;
953 default:
954 /* don't send information, see ident_r1recv() */
955 plog(LLV_ERROR, LOCATION, iph1->remote,
956 "ignore the packet, "
957 "received unexpecting payload type %d.\n",
958 pa->type);
959 goto end;
960 }
961 }
962
963 /* payload existency check */
964
965 /* verify identifier */
966 if (ipsecdoi_checkid1(iph1) != 0) {
967 plog(LLV_ERROR, LOCATION, iph1->remote,
968 "invalid ID payload.\n");
969 goto end;
970 }
971
972 /* validate authentication value */
973 #ifdef HAVE_GSSAPI
974 if (gsstoken == NULL) {
975 #endif
976 type = oakley_validate_auth(iph1);
977 if (type != 0) {
978 IPSECSESSIONTRACEREVENT(iph1->parent_session,
979 IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_FAIL,
980 CONSTSTR("Initiator, Main-Mode Message 6"),
981 CONSTSTR("Failed to authenticate Main-Mode Message 6"));
982 if (type == -1) {
983 /* msg printed inner oakley_validate_auth() */
984 goto end;
985 }
986 EVT_PUSH(iph1->local, iph1->remote,
987 EVTT_PEERPH1AUTH_FAILED, NULL);
988 isakmp_info_send_n1(iph1, type, NULL);
989 goto end;
990 }
991 IPSECSESSIONTRACEREVENT(iph1->parent_session,
992 IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_SUCC,
993 CONSTSTR("Initiator, Main-Mode Message 6"),
994 CONSTSTR(NULL));
995 #ifdef HAVE_GSSAPI
996 }
997 #endif
998
999 /*
1000 * XXX: Should we do compare two addresses, ph1handle's and ID
1001 * payload's.
1002 */
1003
1004 plog(LLV_DEBUG, LOCATION, iph1->remote, "peer's ID:");
1005 plogdump(LLV_DEBUG, iph1->id_p->v, iph1->id_p->l);
1006
1007 /* see handler.h about IV synchronization. */
1008 memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->ive->l);
1009
1010 /*
1011 * If we got a GSS token, we need to this roundtrip again.
1012 */
1013 #ifdef HAVE_GSSAPI
1014 iph1->status = gsstoken != 0 ? PHASE1ST_MSG3RECEIVED :
1015 PHASE1ST_MSG4RECEIVED;
1016 #else
1017 iph1->status = PHASE1ST_MSG4RECEIVED;
1018 #endif
1019
1020 error = 0;
1021
1022 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1023 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
1024 CONSTSTR("Initiator, Main-Mode message 6"),
1025 CONSTSTR(NULL));
1026
1027 end:
1028 if (error) {
1029 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1030 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
1031 CONSTSTR("Initiator, Main-Mode Message 6"),
1032 CONSTSTR("Failed to transmit Main-Mode Message 6"));
1033 }
1034 if (pbuf)
1035 vfree(pbuf);
1036 if (msg)
1037 vfree(msg);
1038 #ifdef HAVE_GSSAPI
1039 if (gsstoken)
1040 vfree(gsstoken);
1041 #endif
1042
1043 if (error) {
1044 VPTRINIT(iph1->id_p);
1045 oakley_delcert(iph1->cert_p);
1046 iph1->cert_p = NULL;
1047 oakley_delcert(iph1->crl_p);
1048 iph1->crl_p = NULL;
1049 VPTRINIT(iph1->sig_p);
1050 }
1051
1052 return error;
1053 }
1054
1055 /*
1056 * status update and establish isakmp sa.
1057 */
1058 int
1059 ident_i4send(iph1, msg)
1060 struct ph1handle *iph1;
1061 vchar_t *msg;
1062 {
1063 int error = -1;
1064
1065 /* validity check */
1066 if (iph1->status != PHASE1ST_MSG4RECEIVED) {
1067 plog(LLV_ERROR, LOCATION, NULL,
1068 "status mismatched %d.\n", iph1->status);
1069 goto end;
1070 }
1071
1072 /* see handler.h about IV synchronization. */
1073 memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->iv->l);
1074
1075 iph1->status = PHASE1ST_ESTABLISHED;
1076
1077 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1078 IPSECSESSIONEVENTCODE_IKEV1_PH1_INIT_SUCC,
1079 CONSTSTR("Initiator, Main-Mode"),
1080 CONSTSTR(NULL));
1081
1082 error = 0;
1083
1084 end:
1085 return error;
1086 }
1087
1088 /*
1089 * receive from initiator
1090 * psk: HDR, SA
1091 * sig: HDR, SA
1092 * rsa: HDR, SA
1093 * rev: HDR, SA
1094 */
1095 int
1096 ident_r1recv(iph1, msg)
1097 struct ph1handle *iph1;
1098 vchar_t *msg;
1099 {
1100 vchar_t *pbuf = NULL;
1101 struct isakmp_parse_t *pa;
1102 int error = -1;
1103 int vid_numeric;
1104
1105 /* validity check */
1106 if (iph1->status != PHASE1ST_START) {
1107 plog(LLV_ERROR, LOCATION, NULL,
1108 "status mismatched %d.\n", iph1->status);
1109 goto end;
1110 }
1111
1112 /* validate the type of next payload */
1113 /*
1114 * NOTE: XXX even if multiple VID, we'll silently ignore those.
1115 */
1116 pbuf = isakmp_parse(msg);
1117 if (pbuf == NULL) {
1118 plog(LLV_ERROR, LOCATION, NULL,
1119 "failed to parse msg");
1120 goto end;
1121 }
1122 pa = (struct isakmp_parse_t *)pbuf->v;
1123
1124 /* check the position of SA payload */
1125 if (pa->type != ISAKMP_NPTYPE_SA) {
1126 plog(LLV_ERROR, LOCATION, iph1->remote,
1127 "received invalid next payload type %d, "
1128 "expecting %d.\n",
1129 pa->type, ISAKMP_NPTYPE_SA);
1130 goto end;
1131 }
1132 if (isakmp_p2ph(&iph1->sa, pa->ptr) < 0) {
1133 plog(LLV_ERROR, LOCATION, NULL,
1134 "failed to process SA payload");
1135 goto end;
1136 }
1137 pa++;
1138
1139 for (/*nothing*/;
1140 pa->type != ISAKMP_NPTYPE_NONE;
1141 pa++) {
1142
1143 switch (pa->type) {
1144 case ISAKMP_NPTYPE_VID:
1145 vid_numeric = check_vendorid(pa->ptr);
1146 #ifdef ENABLE_NATT
1147 if (iph1->rmconf->nat_traversal && natt_vendorid(vid_numeric))
1148 natt_handle_vendorid(iph1, vid_numeric);
1149 #endif
1150 #ifdef ENABLE_FRAG
1151 if ((vid_numeric == VENDORID_FRAG) &&
1152 (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_IDENT))
1153 iph1->frag = 1;
1154 #endif
1155 #ifdef ENABLE_HYBRID
1156 switch (vid_numeric) {
1157 case VENDORID_XAUTH:
1158 iph1->mode_cfg->flags |=
1159 ISAKMP_CFG_VENDORID_XAUTH;
1160 break;
1161
1162 case VENDORID_UNITY:
1163 iph1->mode_cfg->flags |=
1164 ISAKMP_CFG_VENDORID_UNITY;
1165 break;
1166
1167 default:
1168 break;
1169 }
1170 #endif
1171 #ifdef ENABLE_DPD
1172 if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd)
1173 iph1->dpd_support=1;
1174 #endif
1175 break;
1176 default:
1177 /*
1178 * We don't send information to the peer even
1179 * if we received malformed packet. Because we
1180 * can't distinguish the malformed packet and
1181 * the re-sent packet. And we do same behavior
1182 * when we expect encrypted packet.
1183 */
1184 plog(LLV_ERROR, LOCATION, iph1->remote,
1185 "ignore the packet, "
1186 "received unexpecting payload type %d.\n",
1187 pa->type);
1188 goto end;
1189 }
1190 }
1191
1192 #ifdef ENABLE_NATT
1193 if (NATT_AVAILABLE(iph1))
1194 plog(LLV_INFO, LOCATION, iph1->remote,
1195 "Selected NAT-T version: %s\n",
1196 vid_string_by_id(iph1->natt_options->version));
1197 #endif
1198
1199 /* check SA payload and set approval SA for use */
1200 if (ipsecdoi_checkph1proposal(iph1->sa, iph1) < 0) {
1201 plog(LLV_ERROR, LOCATION, iph1->remote,
1202 "failed to get valid proposal.\n");
1203 /* XXX send information */
1204 goto end;
1205 }
1206
1207 iph1->status = PHASE1ST_MSG1RECEIVED;
1208
1209 error = 0;
1210
1211 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1212 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
1213 CONSTSTR("Responder, Main-Mode message 1"),
1214 CONSTSTR(NULL));
1215
1216 end:
1217 if (error) {
1218 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1219 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
1220 CONSTSTR("Responder, Main-Mode Message 1"),
1221 CONSTSTR("Failed to process Main-Mode Message 1"));
1222 }
1223 if (pbuf)
1224 vfree(pbuf);
1225 if (error) {
1226 VPTRINIT(iph1->sa);
1227 }
1228
1229 return error;
1230 }
1231
1232 /*
1233 * send to initiator
1234 * psk: HDR, SA
1235 * sig: HDR, SA
1236 * rsa: HDR, SA
1237 * rev: HDR, SA
1238 */
1239 int
1240 ident_r1send(iph1, msg)
1241 struct ph1handle *iph1;
1242 vchar_t *msg;
1243 {
1244 struct payload_list *plist = NULL;
1245 int error = -1;
1246 vchar_t *gss_sa = NULL;
1247 #ifdef HAVE_GSSAPI
1248 int free_gss_sa = 0;
1249 #endif
1250 #ifdef ENABLE_NATT
1251 vchar_t *vid_natt = NULL;
1252 #endif
1253 #ifdef ENABLE_HYBRID
1254 vchar_t *vid_xauth = NULL;
1255 vchar_t *vid_unity = NULL;
1256 #endif
1257 #ifdef ENABLE_DPD
1258 vchar_t *vid_dpd = NULL;
1259 #endif
1260 #ifdef ENABLE_FRAG
1261 vchar_t *vid_frag = NULL;
1262 #endif
1263
1264 /* validity check */
1265 if (iph1->status != PHASE1ST_MSG1RECEIVED) {
1266 plog(LLV_ERROR, LOCATION, NULL,
1267 "status mismatched %d.\n", iph1->status);
1268 goto end;
1269 }
1270
1271 /* set responder's cookie */
1272 isakmp_newcookie((caddr_t)&iph1->index.r_ck, iph1->remote, iph1->local);
1273
1274 #ifdef HAVE_GSSAPI
1275 if (iph1->approval->gssid != NULL) {
1276 gss_sa = ipsecdoi_setph1proposal(iph1->approval);
1277 if (gss_sa != iph1->sa_ret)
1278 free_gss_sa = 1;
1279 } else
1280 #endif
1281 gss_sa = iph1->sa_ret;
1282
1283 /* set SA payload to reply */
1284 plist = isakmp_plist_append(plist, gss_sa, ISAKMP_NPTYPE_SA);
1285
1286 #ifdef ENABLE_HYBRID
1287 if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) {
1288 plog (LLV_INFO, LOCATION, NULL, "Adding xauth VID payload.\n");
1289 if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL) {
1290 plog(LLV_ERROR, LOCATION, NULL,
1291 "Cannot create Xauth vendor ID\n");
1292 goto end;
1293 }
1294 plist = isakmp_plist_append(plist,
1295 vid_xauth, ISAKMP_NPTYPE_VID);
1296 }
1297
1298 if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_UNITY) {
1299 if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL) {
1300 plog(LLV_ERROR, LOCATION, NULL,
1301 "Cannot create Unity vendor ID\n");
1302 goto end;
1303 }
1304 plist = isakmp_plist_append(plist,
1305 vid_unity, ISAKMP_NPTYPE_VID);
1306 }
1307 #endif
1308 #ifdef ENABLE_NATT
1309 /* Has the peer announced NAT-T? */
1310 if (NATT_AVAILABLE(iph1))
1311 vid_natt = set_vendorid(iph1->natt_options->version);
1312
1313 if (vid_natt)
1314 plist = isakmp_plist_append(plist, vid_natt, ISAKMP_NPTYPE_VID);
1315 #endif
1316 #ifdef ENABLE_DPD
1317 /* XXX only send DPD VID if remote sent it ? */
1318 if(iph1->rmconf->dpd){
1319 vid_dpd = set_vendorid(VENDORID_DPD);
1320 if (vid_dpd != NULL)
1321 plist = isakmp_plist_append(plist, vid_dpd, ISAKMP_NPTYPE_VID);
1322 }
1323 #endif
1324 #ifdef ENABLE_FRAG
1325 if (iph1->frag) {
1326 vid_frag = set_vendorid(VENDORID_FRAG);
1327 if (vid_frag != NULL)
1328 vid_frag = isakmp_frag_addcap(vid_frag,
1329 VENDORID_FRAG_IDENT);
1330 if (vid_frag == NULL)
1331 plog(LLV_ERROR, LOCATION, NULL,
1332 "Frag vendorID construction failed\n");
1333 else
1334 plist = isakmp_plist_append(plist,
1335 vid_frag, ISAKMP_NPTYPE_VID);
1336 }
1337 #endif
1338
1339 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
1340
1341 #ifdef HAVE_PRINT_ISAKMP_C
1342 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
1343 #endif
1344
1345 /* send the packet, add to the schedule to resend */
1346 iph1->retry_counter = iph1->rmconf->retry_counter;
1347 if (isakmp_ph1resend(iph1) == -1) {
1348 plog(LLV_ERROR, LOCATION, NULL,
1349 "failed to send packet");
1350 goto end;
1351 }
1352
1353 /* the sending message is added to the received-list. */
1354 if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
1355 PH1_NON_ESP_EXTRA_LEN(iph1)) == -1) {
1356 plog(LLV_ERROR , LOCATION, NULL,
1357 "failed to add a response packet to the tree.\n");
1358 goto end;
1359 }
1360
1361 iph1->status = PHASE1ST_MSG1SENT;
1362
1363 #ifdef ENABLE_VPNCONTROL_PORT
1364 vpncontrol_notify_phase_change(1, FROM_LOCAL, iph1, NULL);
1365 #endif
1366
1367 error = 0;
1368
1369 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1370 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
1371 CONSTSTR("Responder, Main-Mode message 2"),
1372 CONSTSTR(NULL));
1373
1374 end:
1375 if (error) {
1376 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1377 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
1378 CONSTSTR("Responder, Main-Mode Message 2"),
1379 CONSTSTR("Failed to transmit Main-Mode Message 2"));
1380 }
1381 #ifdef HAVE_GSSAPI
1382 if (free_gss_sa)
1383 vfree(gss_sa);
1384 #endif
1385 #ifdef ENABLE_NATT
1386 if (vid_natt)
1387 vfree(vid_natt);
1388 #endif
1389 #ifdef ENABLE_HYBRID
1390 if (vid_xauth != NULL)
1391 vfree(vid_xauth);
1392 if (vid_unity != NULL)
1393 vfree(vid_unity);
1394 #endif
1395 #ifdef ENABLE_DPD
1396 if (vid_dpd != NULL)
1397 vfree(vid_dpd);
1398 #endif
1399 #ifdef ENABLE_FRAG
1400 if (vid_frag != NULL)
1401 vfree(vid_frag);
1402 #endif
1403
1404 return error;
1405 }
1406
1407 /*
1408 * receive from initiator
1409 * psk: HDR, KE, Ni
1410 * sig: HDR, KE, Ni
1411 * gssapi: HDR, KE, Ni, GSSi
1412 * rsa: HDR, KE, [ HASH(1), ] <IDi1_b>PubKey_r, <Ni_b>PubKey_r
1413 * rev: HDR, [ HASH(1), ] <Ni_b>Pubkey_r, <KE_b>Ke_i,
1414 * <IDi1_b>Ke_i, [<<Cert-I_b>Ke_i]
1415 */
1416 int
1417 ident_r2recv(iph1, msg)
1418 struct ph1handle *iph1;
1419 vchar_t *msg;
1420 {
1421 vchar_t *pbuf = NULL;
1422 struct isakmp_parse_t *pa;
1423 int error = -1;
1424 #ifdef HAVE_GSSAPI
1425 vchar_t *gsstoken = NULL;
1426 #endif
1427 #ifdef ENABLE_NATT
1428 int natd_seq = 0;
1429 #endif
1430
1431 /* validity check */
1432 if (iph1->status != PHASE1ST_MSG1SENT) {
1433 plog(LLV_ERROR, LOCATION, NULL,
1434 "status mismatched %d.\n", iph1->status);
1435 goto end;
1436 }
1437
1438 /* validate the type of next payload */
1439 pbuf = isakmp_parse(msg);
1440 if (pbuf == NULL) {
1441 plog(LLV_ERROR, LOCATION, NULL,
1442 "failed to parse msg");
1443 goto end;
1444 }
1445
1446 for (pa = (struct isakmp_parse_t *)pbuf->v;
1447 pa->type != ISAKMP_NPTYPE_NONE;
1448 pa++) {
1449 switch (pa->type) {
1450 case ISAKMP_NPTYPE_KE:
1451 if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) {
1452 plog(LLV_ERROR, LOCATION, NULL,
1453 "failed to process KE payload");
1454 goto end;
1455 }
1456 break;
1457 case ISAKMP_NPTYPE_NONCE:
1458 if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) {
1459 plog(LLV_ERROR, LOCATION, NULL,
1460 "failed to process NONCE payload");
1461 goto end;
1462 }
1463 break;
1464 case ISAKMP_NPTYPE_VID:
1465 (void)check_vendorid(pa->ptr);
1466 break;
1467 case ISAKMP_NPTYPE_CR:
1468 plog(LLV_WARNING, LOCATION, iph1->remote,
1469 "CR received, ignore it. "
1470 "It should be in other exchange.\n");
1471 break;
1472 #ifdef HAVE_GSSAPI
1473 case ISAKMP_NPTYPE_GSS:
1474 if (isakmp_p2ph(&gsstoken, pa->ptr) < 0) {
1475 plog(LLV_ERROR, LOCATION, NULL,
1476 "failed to process GSS payload");
1477 goto end;
1478 }
1479 gssapi_save_received_token(iph1, gsstoken);
1480 break;
1481 #endif
1482
1483 #ifdef ENABLE_NATT
1484 case ISAKMP_NPTYPE_NATD_DRAFT:
1485 case ISAKMP_NPTYPE_NATD_RFC:
1486 #ifdef __APPLE__
1487 case ISAKMP_NPTYPE_NATD_BADDRAFT:
1488 #endif
1489 if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL &&
1490 pa->type == iph1->natt_options->payload_nat_d)
1491 {
1492 vchar_t *natd_received = NULL;
1493 int natd_verified;
1494
1495 if (isakmp_p2ph (&natd_received, pa->ptr) < 0) {
1496 plog(LLV_ERROR, LOCATION, NULL,
1497 "failed to process NATD payload");
1498 goto end;
1499 }
1500
1501 if (natd_seq == 0)
1502 iph1->natt_flags |= NAT_DETECTED;
1503
1504 natd_verified = natt_compare_addr_hash (iph1,
1505 natd_received, natd_seq++);
1506
1507 plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n",
1508 natd_seq - 1,
1509 natd_verified ? "verified" : "doesn't match");
1510
1511 vfree (natd_received);
1512 break;
1513 }
1514 /* %%%% Be lenient here - some servers send natd payloads */
1515 /* when no nat is detected */
1516 break;
1517 #endif
1518
1519 default:
1520 /* don't send information, see ident_r1recv() */
1521 plog(LLV_ERROR, LOCATION, iph1->remote,
1522 "ignore the packet, "
1523 "received unexpecting payload type %d.\n",
1524 pa->type);
1525 goto end;
1526 }
1527 }
1528
1529 #ifdef ENABLE_NATT
1530 if (NATT_AVAILABLE(iph1))
1531 plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n",
1532 iph1->natt_flags & NAT_DETECTED ?
1533 "detected:" : "not detected",
1534 iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "",
1535 iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : "");
1536 #endif
1537
1538 /* payload existency check */
1539 if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) {
1540 plog(LLV_ERROR, LOCATION, iph1->remote,
1541 "few isakmp message received.\n");
1542 goto end;
1543 }
1544
1545 iph1->status = PHASE1ST_MSG2RECEIVED;
1546
1547 error = 0;
1548
1549 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1550 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
1551 CONSTSTR("Responder, Main-Mode message 3"),
1552 CONSTSTR(NULL));
1553
1554 end:
1555 if (error) {
1556 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1557 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
1558 CONSTSTR("Responder, Main-Mode Message 3"),
1559 CONSTSTR("Failed to process Main-Mode Message 3"));
1560 }
1561 if (pbuf)
1562 vfree(pbuf);
1563 #ifdef HAVE_GSSAPI
1564 if (gsstoken)
1565 vfree(gsstoken);
1566 #endif
1567
1568 if (error) {
1569 VPTRINIT(iph1->dhpub_p);
1570 VPTRINIT(iph1->nonce_p);
1571 VPTRINIT(iph1->id_p);
1572 }
1573
1574 return error;
1575 }
1576
1577 /*
1578 * send to initiator
1579 * psk: HDR, KE, Nr
1580 * sig: HDR, KE, Nr [, CR ]
1581 * gssapi: HDR, KE, Nr, GSSr
1582 * rsa: HDR, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i
1583 * rev: HDR, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDr1_b>Ke_r,
1584 */
1585 int
1586 ident_r2send(iph1, msg)
1587 struct ph1handle *iph1;
1588 vchar_t *msg;
1589 {
1590 int error = -1;
1591
1592 /* validity check */
1593 if (iph1->status != PHASE1ST_MSG2RECEIVED) {
1594 plog(LLV_ERROR, LOCATION, NULL,
1595 "status mismatched %d.\n", iph1->status);
1596 goto end;
1597 }
1598
1599 /* generate DH public value */
1600 if (oakley_dh_generate(iph1->approval->dhgrp,
1601 &iph1->dhpub, &iph1->dhpriv) < 0) {
1602 plog(LLV_ERROR, LOCATION, NULL,
1603 "failed to generate DH");
1604 goto end;
1605 }
1606
1607 /* generate NONCE value */
1608 iph1->nonce = eay_set_random(iph1->rmconf->nonce_size);
1609 if (iph1->nonce == NULL) {
1610 plog(LLV_ERROR, LOCATION, NULL,
1611 "failed to generate NONCE");
1612 goto end;
1613 }
1614
1615 #ifdef HAVE_GSSAPI
1616 if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB)
1617 gssapi_get_rtoken(iph1, NULL);
1618 #endif
1619
1620 /* create HDR;KE;NONCE payload */
1621 iph1->sendbuf = ident_ir2mx(iph1);
1622 if (iph1->sendbuf == NULL) {
1623 plog(LLV_ERROR, LOCATION, NULL,
1624 "failed to allocate send buffer");
1625 goto end;
1626 }
1627
1628 #ifdef HAVE_PRINT_ISAKMP_C
1629 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
1630 #endif
1631
1632 /* send the packet, add to the schedule to resend */
1633 iph1->retry_counter = iph1->rmconf->retry_counter;
1634 if (isakmp_ph1resend(iph1) == -1) {
1635 plog(LLV_ERROR, LOCATION, NULL,
1636 "failed to send packet");
1637 goto end;
1638 }
1639
1640 /* the sending message is added to the received-list. */
1641 if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
1642 PH1_NON_ESP_EXTRA_LEN(iph1)) == -1) {
1643 plog(LLV_ERROR , LOCATION, NULL,
1644 "failed to add a response packet to the tree.\n");
1645 goto end;
1646 }
1647
1648 /* compute sharing secret of DH */
1649 if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub,
1650 iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) {
1651 plog(LLV_ERROR, LOCATION, NULL,
1652 "failed to compute DH");
1653 goto end;
1654 }
1655
1656 /* generate SKEYIDs & IV & final cipher key */
1657 if (oakley_skeyid(iph1) < 0) {
1658 plog(LLV_ERROR, LOCATION, NULL,
1659 "failed to generate SKEYID");
1660 goto end;
1661 }
1662 if (oakley_skeyid_dae(iph1) < 0) {
1663 plog(LLV_ERROR, LOCATION, NULL,
1664 "failed to generate SKEYID-DAE");
1665 goto end;
1666 }
1667 if (oakley_compute_enckey(iph1) < 0) {
1668 plog(LLV_ERROR, LOCATION, NULL,
1669 "failed to generate ENCKEY");
1670 goto end;
1671 }
1672 if (oakley_newiv(iph1) < 0) {
1673 plog(LLV_ERROR, LOCATION, NULL,
1674 "failed to generate IV");
1675 goto end;
1676 }
1677
1678 iph1->status = PHASE1ST_MSG2SENT;
1679
1680 error = 0;
1681
1682 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1683 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
1684 CONSTSTR("Responder, Main-Mode message 4"),
1685 CONSTSTR(NULL));
1686
1687 end:
1688 if (error) {
1689 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1690 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
1691 CONSTSTR("Responder, Main-Mode Message 4"),
1692 CONSTSTR("Failed to transmit Main-Mode Message 4"));
1693 }
1694 return error;
1695 }
1696
1697 /*
1698 * receive from initiator
1699 * psk: HDR*, IDi1, HASH_I
1700 * sig: HDR*, IDi1, [ CR, ] [ CERT, ] SIG_I
1701 * gssapi: HDR*, [ IDi1, ] < GSSi(n) | HASH_I >
1702 * rsa: HDR*, HASH_I
1703 * rev: HDR*, HASH_I
1704 */
1705 int
1706 ident_r3recv(iph1, msg0)
1707 struct ph1handle *iph1;
1708 vchar_t *msg0;
1709 {
1710 vchar_t *msg = NULL;
1711 vchar_t *pbuf = NULL;
1712 struct isakmp_parse_t *pa;
1713 int error = -1;
1714 int type;
1715 #ifdef HAVE_GSSAPI
1716 vchar_t *gsstoken = NULL;
1717 #endif
1718
1719 /* validity check */
1720 if (iph1->status != PHASE1ST_MSG2SENT) {
1721 plog(LLV_ERROR, LOCATION, NULL,
1722 "status mismatched %d.\n", iph1->status);
1723 goto end;
1724 }
1725
1726 /* decrypting */
1727 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
1728 plog(LLV_ERROR, LOCATION, iph1->remote,
1729 "reject the packet, "
1730 "expecting the packet encrypted.\n");
1731 goto end;
1732 }
1733 msg = oakley_do_decrypt(iph1, msg0, iph1->ivm->iv, iph1->ivm->ive);
1734 if (msg == NULL) {
1735 plog(LLV_ERROR, LOCATION, NULL,
1736 "failed to decrypt");
1737 goto end;
1738 }
1739
1740 /* validate the type of next payload */
1741 pbuf = isakmp_parse(msg);
1742 if (pbuf == NULL) {
1743 plog(LLV_ERROR, LOCATION, NULL,
1744 "failed to parse msg");
1745 goto end;
1746 }
1747
1748 iph1->pl_hash = NULL;
1749
1750 for (pa = (struct isakmp_parse_t *)pbuf->v;
1751 pa->type != ISAKMP_NPTYPE_NONE;
1752 pa++) {
1753
1754 switch (pa->type) {
1755 case ISAKMP_NPTYPE_ID:
1756 if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) {
1757 plog(LLV_ERROR, LOCATION, NULL,
1758 "failed to process ID payload");
1759 goto end;
1760 }
1761 break;
1762 case ISAKMP_NPTYPE_HASH:
1763 iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr;
1764 break;
1765 case ISAKMP_NPTYPE_CR:
1766 if (oakley_savecr(iph1, pa->ptr) < 0) {
1767 plog(LLV_ERROR, LOCATION, NULL,
1768 "failed to process CR payload");
1769 goto end;
1770 }
1771 break;
1772 case ISAKMP_NPTYPE_CERT:
1773 if (oakley_savecert(iph1, pa->ptr) < 0) {
1774 plog(LLV_ERROR, LOCATION, NULL,
1775 "failed to process CERT payload");
1776 goto end;
1777 }
1778 break;
1779 case ISAKMP_NPTYPE_SIG:
1780 if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) {
1781 plog(LLV_ERROR, LOCATION, NULL,
1782 "failed to process SIG payload");
1783 goto end;
1784 }
1785 break;
1786 #ifdef HAVE_GSSAPI
1787 case ISAKMP_NPTYPE_GSS:
1788 if (isakmp_p2ph(&gsstoken, pa->ptr) < 0) {
1789 plog(LLV_ERROR, LOCATION, NULL,
1790 "failed to process GSS payload");
1791 goto end;
1792 }
1793 gssapi_save_received_token(iph1, gsstoken);
1794 break;
1795 #endif
1796 case ISAKMP_NPTYPE_VID:
1797 (void)check_vendorid(pa->ptr);
1798 break;
1799 case ISAKMP_NPTYPE_N:
1800 isakmp_check_notify(pa->ptr, iph1);
1801 break;
1802 default:
1803 /* don't send information, see ident_r1recv() */
1804 plog(LLV_ERROR, LOCATION, iph1->remote,
1805 "ignore the packet, "
1806 "received unexpecting payload type %d.\n",
1807 pa->type);
1808 goto end;
1809 }
1810 }
1811
1812 /* payload existency check */
1813 /* XXX same as ident_i4recv(), should be merged. */
1814 {
1815 int ng = 0;
1816
1817 switch (AUTHMETHOD(iph1)) {
1818 case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
1819 #ifdef ENABLE_HYBRID
1820 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
1821 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
1822 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
1823 #endif
1824 if (iph1->id_p == NULL || iph1->pl_hash == NULL)
1825 ng++;
1826 break;
1827 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
1828 case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
1829 #ifdef ENABLE_HYBRID
1830 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
1831 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
1832 #endif
1833 if (iph1->id_p == NULL || iph1->sig_p == NULL)
1834 ng++;
1835 break;
1836 case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
1837 case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
1838 #ifdef ENABLE_HYBRID
1839 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
1840 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
1841 #endif
1842 if (iph1->pl_hash == NULL)
1843 ng++;
1844 break;
1845 #ifdef HAVE_GSSAPI
1846 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
1847 if (gsstoken == NULL && iph1->pl_hash == NULL)
1848 ng++;
1849 break;
1850 #endif
1851 default:
1852 plog(LLV_ERROR, LOCATION, iph1->remote,
1853 "invalid authmethod %d why ?\n",
1854 iph1->approval->authmethod);
1855 goto end;
1856 }
1857 if (ng) {
1858 plog(LLV_ERROR, LOCATION, iph1->remote,
1859 "few isakmp message received.\n");
1860 goto end;
1861 }
1862 }
1863
1864 /* verify identifier */
1865 if (ipsecdoi_checkid1(iph1) != 0) {
1866 plog(LLV_ERROR, LOCATION, iph1->remote,
1867 "invalid ID payload.\n");
1868 goto end;
1869 }
1870
1871 /* validate authentication value */
1872 #ifdef HAVE_GSSAPI
1873 if (gsstoken == NULL) {
1874 #endif
1875 type = oakley_validate_auth(iph1);
1876 if (type != 0) {
1877 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1878 IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_FAIL,
1879 CONSTSTR("Responder, Main-Mode Message 5"),
1880 CONSTSTR("Failed to authenticate Main-Mode Message 5"));
1881 if (type == -1) {
1882 /* msg printed inner oakley_validate_auth() */
1883 goto end;
1884 }
1885 EVT_PUSH(iph1->local, iph1->remote,
1886 EVTT_PEERPH1AUTH_FAILED, NULL);
1887 isakmp_info_send_n1(iph1, type, NULL);
1888 goto end;
1889 }
1890 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1891 IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_SUCC,
1892 CONSTSTR("Responder, Main-Mode Message 5"),
1893 CONSTSTR(NULL));
1894 #ifdef HAVE_GSSAPI
1895 }
1896 #endif
1897
1898 if (oakley_checkcr(iph1) < 0) {
1899 /* Ignore this error in order to be interoperability. */
1900 ;
1901 }
1902
1903 /*
1904 * XXX: Should we do compare two addresses, ph1handle's and ID
1905 * payload's.
1906 */
1907
1908 plog(LLV_DEBUG, LOCATION, iph1->remote, "peer's ID\n");
1909 plogdump(LLV_DEBUG, iph1->id_p->v, iph1->id_p->l);
1910
1911 /* see handler.h about IV synchronization. */
1912 memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->ive->l);
1913
1914 #ifdef HAVE_GSSAPI
1915 iph1->status = gsstoken != NULL ? PHASE1ST_MSG2RECEIVED :
1916 PHASE1ST_MSG3RECEIVED;
1917 #else
1918 iph1->status = PHASE1ST_MSG3RECEIVED;
1919 #endif
1920
1921 error = 0;
1922
1923 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1924 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
1925 CONSTSTR("Responder, Main-Mode message 5"),
1926 CONSTSTR(NULL));
1927
1928 end:
1929 if (error) {
1930 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1931 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
1932 CONSTSTR("Responder, Main-Mode Message 5"),
1933 CONSTSTR("Failed to process Main-Mode Message 5"));
1934 }
1935 if (pbuf)
1936 vfree(pbuf);
1937 if (msg)
1938 vfree(msg);
1939 #ifdef HAVE_GSSAPI
1940 if (gsstoken)
1941 vfree(gsstoken);
1942 #endif
1943
1944 if (error) {
1945 VPTRINIT(iph1->id_p);
1946 oakley_delcert(iph1->cert_p);
1947 iph1->cert_p = NULL;
1948 oakley_delcert(iph1->crl_p);
1949 iph1->crl_p = NULL;
1950 VPTRINIT(iph1->sig_p);
1951 oakley_delcert(iph1->cr_p);
1952 iph1->cr_p = NULL;
1953 }
1954
1955 return error;
1956 }
1957
1958 /*
1959 * send to initiator
1960 * psk: HDR*, IDr1, HASH_R
1961 * sig: HDR*, IDr1, [ CERT, ] SIG_R
1962 * gssapi: HDR*, IDr1, < GSSr(n) | HASH_R >
1963 * rsa: HDR*, HASH_R
1964 * rev: HDR*, HASH_R
1965 */
1966 int
1967 ident_r3send(iph1, msg)
1968 struct ph1handle *iph1;
1969 vchar_t *msg;
1970 {
1971 int error = -1;
1972 int dohash = 1;
1973 #ifdef HAVE_GSSAPI
1974 int len;
1975 #endif
1976
1977 /* validity check */
1978 if (iph1->status != PHASE1ST_MSG3RECEIVED) {
1979 plog(LLV_ERROR, LOCATION, NULL,
1980 "status mismatched %d.\n", iph1->status);
1981 goto end;
1982 }
1983
1984 /* make ID payload into isakmp status */
1985 if (ipsecdoi_setid1(iph1) < 0) {
1986 plog(LLV_ERROR, LOCATION, NULL,
1987 "failed to set ID");
1988 goto end;
1989 }
1990
1991 #ifdef HAVE_GSSAPI
1992 if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB &&
1993 gssapi_more_tokens(iph1)) {
1994 gssapi_get_rtoken(iph1, &len);
1995 if (len != 0)
1996 dohash = 0;
1997 }
1998 #endif
1999
2000 if (dohash) {
2001 /* generate HASH to send */
2002 plog(LLV_DEBUG, LOCATION, NULL, "generate HASH_R\n");
2003 iph1->hash = oakley_ph1hash_common(iph1, GENERATE);
2004 if (iph1->hash == NULL) {
2005 plog(LLV_ERROR, LOCATION, NULL,
2006 "failed to generate HASH");
2007 goto end;
2008 }
2009 } else
2010 iph1->hash = NULL;
2011
2012 /* set encryption flag */
2013 iph1->flags |= ISAKMP_FLAG_E;
2014
2015 /* create HDR;ID;HASH payload */
2016 iph1->sendbuf = ident_ir3mx(iph1);
2017 if (iph1->sendbuf == NULL) {
2018 plog(LLV_ERROR, LOCATION, NULL,
2019 "failed to create send buffer");
2020 goto end;
2021 }
2022
2023 /* send HDR;ID;HASH to responder */
2024 if (isakmp_send(iph1, iph1->sendbuf) < 0) {
2025 plog(LLV_ERROR, LOCATION, NULL,
2026 "failed to send packet");
2027 goto end;
2028 }
2029
2030 /* the sending message is added to the received-list. */
2031 if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
2032 PH1_NON_ESP_EXTRA_LEN(iph1)) == -1) {
2033 plog(LLV_ERROR , LOCATION, NULL,
2034 "failed to add a response packet to the tree.\n");
2035 goto end;
2036 }
2037
2038 /* see handler.h about IV synchronization. */
2039 memcpy(iph1->ivm->ive->v, iph1->ivm->iv->v, iph1->ivm->iv->l);
2040
2041 iph1->status = PHASE1ST_ESTABLISHED;
2042
2043 IPSECSESSIONTRACEREVENT(iph1->parent_session,
2044 IPSECSESSIONEVENTCODE_IKEV1_PH1_RESP_SUCC,
2045 CONSTSTR("Responder, Main-Mode"),
2046 CONSTSTR(NULL));
2047
2048 error = 0;
2049
2050 IPSECSESSIONTRACEREVENT(iph1->parent_session,
2051 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
2052 CONSTSTR("Responder, Main-Mode message 6"),
2053 CONSTSTR(NULL));
2054
2055 end:
2056 if (error) {
2057 IPSECSESSIONTRACEREVENT(iph1->parent_session,
2058 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
2059 CONSTSTR("Responder, Main-Mode Message 6"),
2060 CONSTSTR("Failed to process Main-Mode Message 6"));
2061 }
2062
2063 return error;
2064 }
2065
2066 /*
2067 * This is used in main mode for:
2068 * initiator's 3rd exchange send to responder
2069 * psk: HDR, KE, Ni
2070 * sig: HDR, KE, Ni
2071 * rsa: HDR, KE, [ HASH(1), ] <IDi1_b>PubKey_r, <Ni_b>PubKey_r
2072 * rev: HDR, [ HASH(1), ] <Ni_b>Pubkey_r, <KE_b>Ke_i,
2073 * <IDi1_b>Ke_i, [<<Cert-I_b>Ke_i]
2074 * responders 2nd exchnage send to initiator
2075 * psk: HDR, KE, Nr
2076 * sig: HDR, KE, Nr [, CR ]
2077 * rsa: HDR, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i
2078 * rev: HDR, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDr1_b>Ke_r,
2079 */
2080 static vchar_t *
2081 ident_ir2mx(iph1)
2082 struct ph1handle *iph1;
2083 {
2084 vchar_t *buf = 0;
2085 struct payload_list *plist = NULL;
2086 int need_cr = 0;
2087 vchar_t *cr = NULL;
2088 vchar_t *vid = NULL;
2089 int error = -1;
2090 #ifdef HAVE_GSSAPI
2091 vchar_t *gsstoken = NULL;
2092 #endif
2093 #ifdef ENABLE_NATT
2094 vchar_t *natd[2] = { NULL, NULL };
2095 #endif
2096
2097 /* create CR if need */
2098 if (iph1->side == RESPONDER
2099 && iph1->rmconf->send_cr
2100 && oakley_needcr(iph1->approval->authmethod)
2101 && iph1->rmconf->peerscertfile == NULL) {
2102 need_cr = 1;
2103 cr = oakley_getcr(iph1);
2104 if (cr == NULL) {
2105 plog(LLV_ERROR, LOCATION, NULL,
2106 "failed to get cr buffer.\n");
2107 goto end;
2108 }
2109 }
2110
2111 #ifdef HAVE_GSSAPI
2112 if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB)
2113 gssapi_get_token_to_send(iph1, &gsstoken);
2114 #endif
2115
2116 /* create isakmp KE payload */
2117 plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE);
2118
2119 /* create isakmp NONCE payload */
2120 plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE);
2121
2122 #ifdef HAVE_GSSAPI
2123 if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB)
2124 plist = isakmp_plist_append(plist, gsstoken, ISAKMP_NPTYPE_GSS);
2125 #endif
2126
2127 /* append vendor id, if needed */
2128 if (vid)
2129 plist = isakmp_plist_append(plist, vid, ISAKMP_NPTYPE_VID);
2130
2131 /* create isakmp CR payload if needed */
2132 if (need_cr)
2133 plist = isakmp_plist_append(plist, cr, ISAKMP_NPTYPE_CR);
2134
2135 #ifdef ENABLE_NATT
2136 /* generate and append NAT-D payloads */
2137 if (NATT_AVAILABLE(iph1) && iph1->status == PHASE1ST_MSG2RECEIVED)
2138 {
2139 if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) {
2140 plog(LLV_ERROR, LOCATION, NULL,
2141 "NAT-D hashing failed for %s\n", saddr2str(iph1->remote));
2142 goto end;
2143 }
2144
2145 if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) {
2146 plog(LLV_ERROR, LOCATION, NULL,
2147 "NAT-D hashing failed for %s\n", saddr2str(iph1->local));
2148 goto end;
2149 }
2150
2151 plog (LLV_INFO, LOCATION, NULL, "Adding remote and local NAT-D payloads.\n");
2152 #ifdef __APPLE__
2153 /* old Apple version sends natd payloads in the wrong order */
2154 if (iph1->natt_options->version == VENDORID_NATT_APPLE) {
2155 plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
2156 plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
2157 } else
2158 #endif
2159 {
2160 plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
2161 plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
2162 }
2163 }
2164 #endif
2165
2166 buf = isakmp_plist_set_all (&plist, iph1);
2167
2168 error = 0;
2169
2170 end:
2171 if (error && buf != NULL) {
2172 vfree(buf);
2173 buf = NULL;
2174 }
2175 if (cr)
2176 vfree(cr);
2177 #ifdef HAVE_GSSAPI
2178 if (gsstoken)
2179 vfree(gsstoken);
2180 #endif
2181 if (vid)
2182 vfree(vid);
2183
2184 #ifdef ENABLE_NATT
2185 if (natd[0])
2186 vfree(natd[0]);
2187 if (natd[1])
2188 vfree(natd[1]);
2189 #endif
2190
2191 return buf;
2192 }
2193
2194 /*
2195 * This is used in main mode for:
2196 * initiator's 4th exchange send to responder
2197 * psk: HDR*, IDi1, HASH_I
2198 * sig: HDR*, IDi1, [ CR, ] [ CERT, ] SIG_I
2199 * gssapi: HDR*, [ IDi1, ] < GSSi(n) | HASH_I >
2200 * rsa: HDR*, HASH_I
2201 * rev: HDR*, HASH_I
2202 * responders 3rd exchnage send to initiator
2203 * psk: HDR*, IDr1, HASH_R
2204 * sig: HDR*, IDr1, [ CERT, ] SIG_R
2205 * gssapi: HDR*, [ IDr1, ] < GSSr(n) | HASH_R >
2206 * rsa: HDR*, HASH_R
2207 * rev: HDR*, HASH_R
2208 */
2209 static vchar_t *
2210 ident_ir3mx(iph1)
2211 struct ph1handle *iph1;
2212 {
2213 struct payload_list *plist = NULL;
2214 vchar_t *buf = NULL, *new = NULL;
2215 int need_cr = 0;
2216 int need_cert = 0;
2217 vchar_t *cr = NULL;
2218 int error = -1;
2219 #ifdef HAVE_GSSAPI
2220 int nptype;
2221 vchar_t *gsstoken = NULL;
2222 vchar_t *gsshash = NULL;
2223 #endif
2224
2225 switch (AUTHMETHOD(iph1)) {
2226 case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
2227 #ifdef ENABLE_HYBRID
2228 case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
2229 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
2230 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
2231 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
2232 #endif
2233 /* create isakmp ID payload */
2234 plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
2235
2236 /* create isakmp HASH payload */
2237 plist = isakmp_plist_append(plist, iph1->hash, ISAKMP_NPTYPE_HASH);
2238 break;
2239 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
2240 case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
2241 #ifdef ENABLE_HYBRID
2242 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
2243 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
2244 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
2245 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
2246 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
2247 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
2248 #endif
2249 if (oakley_getmycert(iph1) < 0) {
2250 plog(LLV_ERROR, LOCATION, NULL,
2251 "failed to get mycert");
2252 goto end;
2253 }
2254
2255 if (oakley_getsign(iph1) < 0) {
2256 plog(LLV_ERROR, LOCATION, NULL,
2257 "failed to get sign");
2258 goto end;
2259 }
2260
2261 /* create CR if need */
2262 if (iph1->side == INITIATOR
2263 && iph1->rmconf->send_cr
2264 && oakley_needcr(iph1->approval->authmethod)
2265 && iph1->rmconf->peerscertfile == NULL) {
2266 need_cr = 1;
2267 cr = oakley_getcr(iph1);
2268 if (cr == NULL) {
2269 plog(LLV_ERROR, LOCATION, NULL,
2270 "failed to get CR");
2271 goto end;
2272 }
2273 }
2274
2275 if (iph1->cert != NULL && iph1->rmconf->send_cert)
2276 need_cert = 1;
2277
2278 /* add ID payload */
2279 plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
2280
2281 /* add CERT payload if there */
2282 if (need_cert)
2283 plist = isakmp_plist_append(plist, iph1->cert->pl, ISAKMP_NPTYPE_CERT);
2284 /* add SIG payload */
2285 plist = isakmp_plist_append(plist, iph1->sig, ISAKMP_NPTYPE_SIG);
2286
2287 /* create isakmp CR payload */
2288 if (need_cr)
2289 plist = isakmp_plist_append(plist, cr, ISAKMP_NPTYPE_CR);
2290 break;
2291 #ifdef HAVE_GSSAPI
2292 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
2293 if (iph1->hash != NULL) {
2294 gsshash = gssapi_wraphash(iph1);
2295 if (gsshash == NULL) {
2296 plog(LLV_ERROR, LOCATION, NULL,
2297 "failed to generate GSSAPI HASH");
2298 goto end;
2299 }
2300 } else {
2301 gssapi_get_token_to_send(iph1, &gsstoken);
2302 }
2303
2304 if (!gssapi_id_sent(iph1)) {
2305 /* create isakmp ID payload */
2306 plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
2307 gssapi_set_id_sent(iph1);
2308 }
2309
2310 if (iph1->hash != NULL)
2311 /* create isakmp HASH payload */
2312 plist = isakmp_plist_append(plist, gsshash, ISAKMP_NPTYPE_HASH);
2313 else
2314 plist = isakmp_plist_append(plist, gsstoken, ISAKMP_NPTYPE_GSS);
2315 break;
2316 #endif
2317 case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
2318 case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
2319 #ifdef ENABLE_HYBRID
2320 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
2321 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
2322 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
2323 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
2324 #endif
2325 plog(LLV_ERROR, LOCATION, NULL,
2326 "not supported authentication type %d\n",
2327 iph1->approval->authmethod);
2328 goto end;
2329 default:
2330 plog(LLV_ERROR, LOCATION, NULL,
2331 "invalid authentication type %d\n",
2332 iph1->approval->authmethod);
2333 goto end;
2334 }
2335
2336 buf = isakmp_plist_set_all (&plist, iph1);
2337
2338 #ifdef HAVE_PRINT_ISAKMP_C
2339 isakmp_printpacket(buf, iph1->local, iph1->remote, 1);
2340 #endif
2341
2342 /* encoding */
2343 new = oakley_do_encrypt(iph1, buf, iph1->ivm->ive, iph1->ivm->iv);
2344 if (new == NULL) {
2345 plog(LLV_ERROR, LOCATION, NULL,
2346 "failed to encrypt");
2347 goto end;
2348 }
2349
2350 vfree(buf);
2351
2352 buf = new;
2353
2354 error = 0;
2355
2356 end:
2357 #ifdef HAVE_GSSAPI
2358 if (gsstoken)
2359 vfree(gsstoken);
2360 #endif
2361 if (cr)
2362 vfree(cr);
2363 if (error && buf != NULL) {
2364 vfree(buf);
2365 buf = NULL;
2366 }
2367
2368 return buf;
2369 }
mirror of ipsec