]> git.saurik.com Git - apple/ipsec.git/blob - ipsec-tools/racoon/isakmp_agg.c
projects / apple / ipsec.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
ipsec-34.0.3.tar.gz
[apple/ipsec.git] / ipsec-tools / racoon / isakmp_agg.c
1 /* $Id: isakmp_agg.c,v 1.20.2.5 2005/11/21 09:46:23 vanhu Exp $ */
2
3 /*
4 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the project nor the names of its contributors
16 * may be used to endorse or promote products derived from this software
17 * without specific prior written permission.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * SUCH DAMAGE.
30 */
31
32 /* Aggressive Exchange (Aggressive Mode) */
33
34 #include "config.h"
35
36 #include <sys/types.h>
37 #include <sys/param.h>
38
39 #include <stdlib.h>
40 #include <stdio.h>
41 #include <string.h>
42 #include <errno.h>
43 #if TIME_WITH_SYS_TIME
44 # include <sys/time.h>
45 # include <time.h>
46 #else
47 # if HAVE_SYS_TIME_H
48 # include <sys/time.h>
49 # else
50 # include <time.h>
51 # endif
52 #endif
53
54 #include "var.h"
55 #include "misc.h"
56 #include "vmbuf.h"
57 #include "plog.h"
58 #include "sockmisc.h"
59 #include "schedule.h"
60 #include "debug.h"
61
62 #include "localconf.h"
63 #include "remoteconf.h"
64 #include "isakmp_var.h"
65 #include "isakmp.h"
66 #include "evt.h"
67 #include "oakley.h"
68 #include "handler.h"
69 #include "ipsec_doi.h"
70 #include "crypto_openssl.h"
71 #include "pfkey.h"
72 #include "isakmp_agg.h"
73 #include "isakmp_inf.h"
74 #ifdef ENABLE_HYBRID
75 #include "isakmp_xauth.h"
76 #include "isakmp_cfg.h"
77 #endif
78 #ifdef ENABLE_FRAG
79 #include "isakmp_frag.h"
80 #endif
81 #include "vendorid.h"
82 #include "strnames.h"
83
84 #ifdef ENABLE_NATT
85 #include "nattraversal.h"
86 #endif
87
88 #ifdef HAVE_GSSAPI
89 #include "gssapi.h"
90 #endif
91
92 #include "vpn_control.h"
93 #include "vpn_control_var.h"
94
95 /*
96 * begin Aggressive Mode as initiator.
97 */
98 /*
99 * send to responder
100 * psk: HDR, SA, KE, Ni, IDi1
101 * sig: HDR, SA, KE, Ni, IDi1 [, CR ]
102 * gssapi: HDR, SA, KE, Ni, IDi1, GSSi
103 * rsa: HDR, SA, [ HASH(1),] KE, <IDi1_b>Pubkey_r, <Ni_b>Pubkey_r
104 * rev: HDR, SA, [ HASH(1),] <Ni_b>Pubkey_r, <KE_b>Ke_i,
105 * <IDii_b>Ke_i [, <Cert-I_b>Ke_i ]
106 */
107 int
108 agg_i1send(iph1, msg)
109 struct ph1handle *iph1;
110 vchar_t *msg; /* must be null */
111 {
112 struct payload_list *plist = NULL;
113 int need_cr = 0;
114 vchar_t *cr = NULL, *gsstoken = NULL;
115 int error = -1;
116 #ifdef ENABLE_NATT
117 vchar_t *vid_natt[MAX_NATT_VID_COUNT] = { NULL };
118 int i;
119 #endif
120 #ifdef ENABLE_HYBRID
121 vchar_t *vid_xauth = NULL;
122 vchar_t *vid_unity = NULL;
123 #endif
124 #ifdef ENABLE_FRAG
125 vchar_t *vid_frag = NULL;
126 #endif
127 #ifdef HAVE_GSSAPI
128 int len;
129 #endif
130 #ifdef ENABLE_DPD
131 vchar_t *vid_dpd = NULL;
132 #endif
133
134
135 /* validity check */
136 if (msg != NULL) {
137 plog(LLV_ERROR, LOCATION, NULL,
138 "msg has to be NULL in this function.\n");
139 goto end;
140 }
141 if (iph1->status != PHASE1ST_START) {
142 plog(LLV_ERROR, LOCATION, NULL,
143 "status mismatched %d.\n", iph1->status);
144 goto end;
145 }
146
147 /* create isakmp index */
148 memset(&iph1->index, 0, sizeof(iph1->index));
149 isakmp_newcookie((caddr_t)&iph1->index, iph1->remote, iph1->local);
150
151 /* make ID payload into isakmp status */
152 if (ipsecdoi_setid1(iph1) < 0)
153 goto end;
154
155 /* create SA payload for my proposal */
156 iph1->sa = ipsecdoi_setph1proposal(iph1->rmconf->proposal);
157 if (iph1->sa == NULL)
158 goto end;
159
160 /* consistency check of proposals */
161 if (iph1->rmconf->dhgrp == NULL) {
162 plog(LLV_ERROR, LOCATION, NULL,
163 "configuration failure about DH group.\n");
164 goto end;
165 }
166
167 /* generate DH public value */
168 if (oakley_dh_generate(iph1->rmconf->dhgrp,
169 &iph1->dhpub, &iph1->dhpriv) < 0)
170 goto end;
171
172 /* generate NONCE value */
173 iph1->nonce = eay_set_random(iph1->rmconf->nonce_size);
174 if (iph1->nonce == NULL)
175 goto end;
176
177 #ifdef ENABLE_HYBRID
178 /* Do we need Xauth VID? */
179 switch (iph1->rmconf->proposal->authmethod) {
180 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
181 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
182 if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL)
183 plog(LLV_ERROR, LOCATION, NULL,
184 "Xauth vendor ID generation failed\n");
185 if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL)
186 plog(LLV_ERROR, LOCATION, NULL,
187 "Unity vendor ID generation failed\n");
188 break;
189 default:
190 break;
191 }
192 #endif
193
194 #ifdef ENABLE_FRAG
195 if (iph1->rmconf->ike_frag) {
196 vid_frag = set_vendorid(VENDORID_FRAG);
197 if (vid_frag != NULL)
198 vid_frag = isakmp_frag_addcap(vid_frag,
199 VENDORID_FRAG_AGG);
200 if (vid_frag == NULL)
201 plog(LLV_ERROR, LOCATION, NULL,
202 "Frag vendorID construction failed\n");
203 }
204 #endif
205
206 /* create CR if need */
207 if (iph1->rmconf->send_cr
208 && oakley_needcr(iph1->rmconf->proposal->authmethod)
209 && iph1->rmconf->peerscertfile == NULL) {
210 need_cr = 1;
211 cr = oakley_getcr(iph1);
212 if (cr == NULL) {
213 plog(LLV_ERROR, LOCATION, NULL,
214 "failed to get cr buffer.\n");
215 goto end;
216 }
217 }
218
219 plog(LLV_DEBUG, LOCATION, NULL, "authmethod is %s\n",
220 s_oakley_attr_method(iph1->rmconf->proposal->authmethod));
221 #ifdef HAVE_GSSAPI
222 if (iph1->rmconf->proposal->authmethod ==
223 OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) {
224 gssapi_get_itoken(iph1, &len);
225 }
226 #endif
227
228 /* set SA payload to propose */
229 plist = isakmp_plist_append(plist, iph1->sa, ISAKMP_NPTYPE_SA);
230
231 /* create isakmp KE payload */
232 plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE);
233
234 /* create isakmp NONCE payload */
235 plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE);
236
237 /* create isakmp ID payload */
238 plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
239
240 #ifdef HAVE_GSSAPI
241 if (iph1->rmconf->proposal->authmethod ==
242 OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) {
243 gssapi_get_token_to_send(iph1, &gsstoken);
244 plist = isakmp_plist_append(plist, gsstoken, ISAKMP_NPTYPE_GSS);
245 } else
246 #endif
247 /* create isakmp CR payload */
248 if (need_cr)
249 plist = isakmp_plist_append(plist, cr, ISAKMP_NPTYPE_CR);
250
251 #ifdef ENABLE_FRAG
252 if (vid_frag)
253 plist = isakmp_plist_append(plist, vid_frag, ISAKMP_NPTYPE_VID);
254 #endif
255 #ifdef ENABLE_NATT
256 /*
257 * set VID payload for NAT-T if NAT-T
258 * support allowed in the config file
259 */
260 if (iph1->rmconf->nat_traversal)
261 plist = isakmp_plist_append_natt_vids(plist, vid_natt);
262 #endif
263 #ifdef ENABLE_HYBRID
264 if (vid_xauth)
265 plist = isakmp_plist_append(plist,
266 vid_xauth, ISAKMP_NPTYPE_VID);
267 if (vid_unity)
268 plist = isakmp_plist_append(plist,
269 vid_unity, ISAKMP_NPTYPE_VID);
270 #endif
271 #ifdef ENABLE_DPD
272 if(iph1->rmconf->dpd){
273 vid_dpd = set_vendorid(VENDORID_DPD);
274 if (vid_dpd != NULL)
275 plist = isakmp_plist_append(plist, vid_dpd, ISAKMP_NPTYPE_VID);
276 }
277 #endif
278
279 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
280
281 #ifdef HAVE_PRINT_ISAKMP_C
282 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
283 #endif
284
285 /* send the packet, add to the schedule to resend */
286 iph1->retry_counter = iph1->rmconf->retry_counter;
287 if (isakmp_ph1resend(iph1) == -1)
288 goto end;
289
290 iph1->status = PHASE1ST_MSG1SENT;
291
292 error = 0;
293
294 end:
295 if (cr)
296 vfree(cr);
297 if (gsstoken)
298 vfree(gsstoken);
299 #ifdef ENABLE_FRAG
300 if (vid_frag)
301 vfree(vid_frag);
302 #endif
303 #ifdef ENABLE_NATT
304 for (i = 0; i < MAX_NATT_VID_COUNT && vid_natt[i] != NULL; i++)
305 vfree(vid_natt[i]);
306 #endif
307 #ifdef ENABLE_DPD
308 if (vid_dpd != NULL)
309 vfree(vid_dpd);
310 #endif
311 #ifdef ENABLE_HYBRID
312 if (vid_xauth != NULL)
313 vfree(vid_xauth);
314 if (vid_unity != NULL)
315 vfree(vid_unity);
316 #endif
317
318 return error;
319 }
320
321 /*
322 * receive from responder
323 * psk: HDR, SA, KE, Nr, IDr1, HASH_R
324 * sig: HDR, SA, KE, Nr, IDr1, [ CR, ] [ CERT, ] SIG_R
325 * gssapi: HDR, SA, KE, Nr, IDr1, GSSr, HASH_R
326 * rsa: HDR, SA, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i, HASH_R
327 * rev: HDR, SA, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDir_b>Ke_r, HASH_R
328 */
329 int
330 agg_i2recv(iph1, msg)
331 struct ph1handle *iph1;
332 vchar_t *msg;
333 {
334 vchar_t *pbuf = NULL;
335 struct isakmp_parse_t *pa;
336 vchar_t *satmp = NULL;
337 int error = -1;
338 int vid_numeric;
339 int ptype;
340 #ifdef ENABLE_HYBRID
341 vchar_t *unity_vid;
342 vchar_t *xauth_vid;
343 #endif
344 #ifdef HAVE_GSSAPI
345 vchar_t *gsstoken = NULL;
346 #endif
347
348 #ifdef ENABLE_NATT
349 int natd_seq = 0;
350 struct natd_payload {
351 int seq;
352 vchar_t *payload;
353 TAILQ_ENTRY(natd_payload) chain;
354 };
355 TAILQ_HEAD(_natd_payload, natd_payload) natd_tree;
356 TAILQ_INIT(&natd_tree);
357 #endif
358
359 /* validity check */
360 if (iph1->status != PHASE1ST_MSG1SENT) {
361 plog(LLV_ERROR, LOCATION, NULL,
362 "status mismatched %d.\n", iph1->status);
363 goto end;
364 }
365
366 /* validate the type of next payload */
367 pbuf = isakmp_parse(msg);
368 if (pbuf == NULL)
369 goto end;
370 pa = (struct isakmp_parse_t *)pbuf->v;
371
372 iph1->pl_hash = NULL;
373
374 /* SA payload is fixed postion */
375 if (pa->type != ISAKMP_NPTYPE_SA) {
376 plog(LLV_ERROR, LOCATION, iph1->remote,
377 "received invalid next payload type %d, "
378 "expecting %d.\n",
379 pa->type, ISAKMP_NPTYPE_SA);
380 goto end;
381 }
382
383 if (isakmp_p2ph(&satmp, pa->ptr) < 0)
384 goto end;
385 pa++;
386
387 for (/*nothing*/;
388 pa->type != ISAKMP_NPTYPE_NONE;
389 pa++) {
390
391 switch (pa->type) {
392 case ISAKMP_NPTYPE_KE:
393 if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0)
394 goto end;
395 break;
396 case ISAKMP_NPTYPE_NONCE:
397 if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0)
398 goto end;
399 break;
400 case ISAKMP_NPTYPE_ID:
401 if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0)
402 goto end;
403 break;
404 case ISAKMP_NPTYPE_HASH:
405 iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr;
406 break;
407 case ISAKMP_NPTYPE_CR:
408 if (oakley_savecr(iph1, pa->ptr) < 0)
409 goto end;
410 break;
411 case ISAKMP_NPTYPE_CERT:
412 if (oakley_savecert(iph1, pa->ptr) < 0)
413 goto end;
414 break;
415 case ISAKMP_NPTYPE_SIG:
416 if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0)
417 goto end;
418 break;
419 case ISAKMP_NPTYPE_VID:
420 vid_numeric = check_vendorid(pa->ptr);
421 #ifdef ENABLE_NATT
422 if (iph1->rmconf->nat_traversal &&
423 natt_vendorid(vid_numeric))
424 natt_handle_vendorid(iph1, vid_numeric);
425 #endif
426 #ifdef ENABLE_HYBRID
427 switch (vid_numeric) {
428 case VENDORID_XAUTH:
429 iph1->mode_cfg->flags |=
430 ISAKMP_CFG_VENDORID_XAUTH;
431 break;
432
433 case VENDORID_UNITY:
434 iph1->mode_cfg->flags |=
435 ISAKMP_CFG_VENDORID_UNITY;
436 break;
437 default:
438 break;
439 }
440 #endif
441 #ifdef ENABLE_DPD
442 if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd) {
443 iph1->dpd_support=1;
444 plog(LLV_DEBUG, LOCATION, NULL,
445 "remote supports DPD\n");
446 }
447 #endif
448 break;
449 case ISAKMP_NPTYPE_N:
450 isakmp_check_notify(pa->ptr, iph1);
451 break;
452 #ifdef HAVE_GSSAPI
453 case ISAKMP_NPTYPE_GSS:
454 if (isakmp_p2ph(&gsstoken, pa->ptr) < 0)
455 goto end;
456 gssapi_save_received_token(iph1, gsstoken);
457 break;
458 #endif
459
460 #ifdef ENABLE_NATT
461 case ISAKMP_NPTYPE_NATD_DRAFT:
462 case ISAKMP_NPTYPE_NATD_RFC:
463 #ifdef __APPLE__
464 case ISAKMP_NPTYPE_NATD_BADDRAFT:
465 #endif
466 if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL &&
467 pa->type == iph1->natt_options->payload_nat_d) {
468 struct natd_payload *natd;
469 natd = (struct natd_payload *)racoon_malloc(sizeof(*natd));
470 if (!natd)
471 goto end;
472
473 natd->payload = NULL;
474
475 if (isakmp_p2ph (&natd->payload, pa->ptr) < 0)
476 goto end;
477
478 natd->seq = natd_seq++;
479
480 TAILQ_INSERT_TAIL(&natd_tree, natd, chain);
481 break;
482 }
483 /* %%% Be lenient here - some servers send natd payloads */
484 /* when nat not detected */
485 break;
486 #endif
487
488 default:
489 /* don't send information, see isakmp_ident_r1() */
490 plog(LLV_ERROR, LOCATION, iph1->remote,
491 "ignore the packet, "
492 "received unexpecting payload type %d.\n",
493 pa->type);
494 goto end;
495 }
496 }
497
498 /* payload existency check */
499 if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) {
500 plog(LLV_ERROR, LOCATION, iph1->remote,
501 "few isakmp message received.\n");
502 goto end;
503 }
504
505 /* verify identifier */
506 if (ipsecdoi_checkid1(iph1) != 0) {
507 plog(LLV_ERROR, LOCATION, iph1->remote,
508 "invalid ID payload.\n");
509 goto end;
510 }
511
512 /* check SA payload and set approval SA for use */
513 if (ipsecdoi_checkph1proposal(satmp, iph1) < 0) {
514 plog(LLV_ERROR, LOCATION, iph1->remote,
515 "failed to get valid proposal.\n");
516 /* XXX send information */
517 goto end;
518 }
519 VPTRINIT(iph1->sa_ret);
520
521 /* fix isakmp index */
522 memcpy(&iph1->index.r_ck, &((struct isakmp *)msg->v)->r_ck,
523 sizeof(cookie_t));
524
525 #ifdef ENABLE_NATT
526 if (NATT_AVAILABLE(iph1)) {
527 struct natd_payload *natd = NULL;
528 int natd_verified;
529
530 plog(LLV_INFO, LOCATION, iph1->remote,
531 "Selected NAT-T version: %s\n",
532 vid_string_by_id(iph1->natt_options->version));
533
534 /* set both bits first so that we can clear them
535 upon verifying hashes */
536 iph1->natt_flags |= NAT_DETECTED;
537
538 while ((natd = TAILQ_FIRST(&natd_tree)) != NULL) {
539 /* this function will clear appropriate bits bits
540 from iph1->natt_flags */
541 natd_verified = natt_compare_addr_hash (iph1,
542 natd->payload, natd->seq);
543
544 plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n",
545 natd->seq - 1,
546 natd_verified ? "verified" : "doesn't match");
547
548 vfree (natd->payload);
549
550 TAILQ_REMOVE(&natd_tree, natd, chain);
551 racoon_free (natd);
552 }
553
554 plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n",
555 iph1->natt_flags & NAT_DETECTED ?
556 "detected:" : "not detected",
557 iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "",
558 iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : "");
559
560 if (iph1->natt_flags & NAT_DETECTED)
561 natt_float_ports (iph1);
562 }
563 #endif
564
565 /* compute sharing secret of DH */
566 if (oakley_dh_compute(iph1->rmconf->dhgrp, iph1->dhpub,
567 iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0)
568 goto end;
569
570 /* generate SKEYIDs & IV & final cipher key */
571 if (oakley_skeyid(iph1) < 0)
572 goto end;
573 if (oakley_skeyid_dae(iph1) < 0)
574 goto end;
575 if (oakley_compute_enckey(iph1) < 0)
576 goto end;
577 if (oakley_newiv(iph1) < 0)
578 goto end;
579
580 /* validate authentication value */
581 ptype = oakley_validate_auth(iph1);
582 if (ptype != 0) {
583 if (ptype == -1) {
584 /* message printed inner oakley_validate_auth() */
585 goto end;
586 }
587 EVT_PUSH(iph1->local, iph1->remote,
588 EVTT_PEERPH1AUTH_FAILED, NULL);
589 isakmp_info_send_n1(iph1, ptype, NULL);
590 goto end;
591 }
592
593 if (oakley_checkcr(iph1) < 0) {
594 /* Ignore this error in order to be interoperability. */
595 ;
596 }
597
598 /* change status of isakmp status entry */
599 iph1->status = PHASE1ST_MSG2RECEIVED;
600
601 #ifdef ENABLE_VPNCONTROL_PORT
602 vpncontrol_notify_phase_change(1, FROM_REMOTE, iph1, NULL);
603 #endif
604
605 error = 0;
606
607 end:
608 if (pbuf)
609 vfree(pbuf);
610 if (satmp)
611 vfree(satmp);
612 if (error) {
613 VPTRINIT(iph1->dhpub_p);
614 VPTRINIT(iph1->nonce_p);
615 VPTRINIT(iph1->id_p);
616 oakley_delcert(iph1->cert_p);
617 iph1->cert_p = NULL;
618 oakley_delcert(iph1->crl_p);
619 iph1->crl_p = NULL;
620 VPTRINIT(iph1->sig_p);
621 oakley_delcert(iph1->cr_p);
622 iph1->cr_p = NULL;
623 }
624
625 return error;
626 }
627
628 /*
629 * send to responder
630 * psk: HDR, HASH_I
631 * gssapi: HDR, HASH_I
632 * sig: HDR, [ CERT, ] SIG_I
633 * rsa: HDR, HASH_I
634 * rev: HDR, HASH_I
635 */
636 int
637 agg_i2send(iph1, msg)
638 struct ph1handle *iph1;
639 vchar_t *msg;
640 {
641 struct payload_list *plist = NULL;
642 int need_cert = 0;
643 int error = -1;
644 vchar_t *gsshash = NULL;
645
646 /* validity check */
647 if (iph1->status != PHASE1ST_MSG2RECEIVED) {
648 plog(LLV_ERROR, LOCATION, NULL,
649 "status mismatched %d.\n", iph1->status);
650 goto end;
651 }
652
653 /* generate HASH to send */
654 plog(LLV_DEBUG, LOCATION, NULL, "generate HASH_I\n");
655 iph1->hash = oakley_ph1hash_common(iph1, GENERATE);
656 if (iph1->hash == NULL) {
657 #ifdef HAVE_GSSAPI
658 if (gssapi_more_tokens(iph1))
659 isakmp_info_send_n1(iph1,
660 ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, NULL);
661 #endif
662 goto end;
663 }
664
665 switch (iph1->approval->authmethod) {
666 case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
667 #ifdef ENABLE_HYBRID
668 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
669 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
670 #endif
671 /* set HASH payload */
672 plist = isakmp_plist_append(plist, iph1->hash, ISAKMP_NPTYPE_HASH);
673 break;
674 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
675 case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
676 #ifdef ENABLE_HYBRID
677 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
678 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
679 #endif
680 /* XXX if there is CR or not ? */
681
682 if (oakley_getmycert(iph1) < 0)
683 goto end;
684
685 if (oakley_getsign(iph1) < 0)
686 goto end;
687
688 if (iph1->cert != NULL && iph1->rmconf->send_cert)
689 need_cert = 1;
690
691 /* add CERT payload if there */
692 if (need_cert)
693 plist = isakmp_plist_append(plist, iph1->cert->pl, ISAKMP_NPTYPE_CERT);
694
695 /* add SIG payload */
696 plist = isakmp_plist_append(plist, iph1->sig, ISAKMP_NPTYPE_SIG);
697 break;
698
699 case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
700 case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
701 break;
702 #ifdef HAVE_GSSAPI
703 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
704 gsshash = gssapi_wraphash(iph1);
705 if (gsshash == NULL) {
706 plog(LLV_ERROR, LOCATION, NULL,
707 "failed to wrap hash\n");
708 isakmp_info_send_n1(iph1,
709 ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, NULL);
710 goto end;
711 }
712
713 plist = isakmp_plist_append(plist, gsshash, ISAKMP_NPTYPE_HASH);
714 break;
715 #endif
716 default:
717 plog(LLV_ERROR, LOCATION, NULL, "invalid authmethod %d\n",
718 iph1->approval->authmethod);
719 goto end;
720 break;
721 }
722
723 #ifdef ENABLE_NATT
724 /* generate NAT-D payloads */
725 if (NATT_AVAILABLE(iph1))
726 {
727 vchar_t *natd[2] = { NULL, NULL };
728
729 plog (LLV_INFO, LOCATION, NULL, "Adding remote and local NAT-D payloads.\n");
730 if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) {
731 plog(LLV_ERROR, LOCATION, NULL,
732 "NAT-D hashing failed for %s\n", saddr2str(iph1->remote));
733 goto end;
734 }
735
736 if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) {
737 plog(LLV_ERROR, LOCATION, NULL,
738 "NAT-D hashing failed for %s\n", saddr2str(iph1->local));
739 goto end;
740 }
741
742 #ifdef __APPLE__
743 /* old Apple version sends natd payloads in the wrong order */
744 if (iph1->natt_options->version == VENDORID_NATT_APPLE) {
745 plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
746 plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
747 } else
748 #endif
749 {
750 plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
751 plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
752 }
753 }
754 #endif
755
756 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
757
758 #ifdef HAVE_PRINT_ISAKMP_C
759 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
760 #endif
761
762 /* send to responder */
763 if (isakmp_send(iph1, iph1->sendbuf) < 0)
764 goto end;
765
766 /* the sending message is added to the received-list. */
767 if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) {
768 plog(LLV_ERROR , LOCATION, NULL,
769 "failed to add a response packet to the tree.\n");
770 goto end;
771 }
772
773 /* set encryption flag */
774 iph1->flags |= ISAKMP_FLAG_E;
775
776 iph1->status = PHASE1ST_ESTABLISHED;
777
778 error = 0;
779
780 end:
781 if (gsshash)
782 vfree(gsshash);
783 return error;
784 }
785
786 /*
787 * receive from initiator
788 * psk: HDR, SA, KE, Ni, IDi1
789 * sig: HDR, SA, KE, Ni, IDi1 [, CR ]
790 * gssapi: HDR, SA, KE, Ni, IDi1 , GSSi
791 * rsa: HDR, SA, [ HASH(1),] KE, <IDi1_b>Pubkey_r, <Ni_b>Pubkey_r
792 * rev: HDR, SA, [ HASH(1),] <Ni_b>Pubkey_r, <KE_b>Ke_i,
793 * <IDii_b>Ke_i [, <Cert-I_b>Ke_i ]
794 */
795 int
796 agg_r1recv(iph1, msg)
797 struct ph1handle *iph1;
798 vchar_t *msg;
799 {
800 int error = -1;
801 vchar_t *pbuf = NULL;
802 struct isakmp_parse_t *pa;
803 int vid_numeric;
804 #ifdef HAVE_GSSAPI
805 vchar_t *gsstoken = NULL;
806 #endif
807
808 /* validity check */
809 if (iph1->status != PHASE1ST_START) {
810 plog(LLV_ERROR, LOCATION, NULL,
811 "status mismatched %d.\n", iph1->status);
812 goto end;
813 }
814
815 /* validate the type of next payload */
816 pbuf = isakmp_parse(msg);
817 if (pbuf == NULL)
818 goto end;
819 pa = (struct isakmp_parse_t *)pbuf->v;
820
821 /* SA payload is fixed postion */
822 if (pa->type != ISAKMP_NPTYPE_SA) {
823 plog(LLV_ERROR, LOCATION, iph1->remote,
824 "received invalid next payload type %d, "
825 "expecting %d.\n",
826 pa->type, ISAKMP_NPTYPE_SA);
827 goto end;
828 }
829 if (isakmp_p2ph(&iph1->sa, pa->ptr) < 0)
830 goto end;
831 pa++;
832
833 for (/*nothing*/;
834 pa->type != ISAKMP_NPTYPE_NONE;
835 pa++) {
836
837 plog(LLV_DEBUG, LOCATION, NULL,
838 "received payload of type %s\n",
839 s_isakmp_nptype(pa->type));
840
841 switch (pa->type) {
842 case ISAKMP_NPTYPE_KE:
843 if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0)
844 goto end;
845 break;
846 case ISAKMP_NPTYPE_NONCE:
847 if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0)
848 goto end;
849 break;
850 case ISAKMP_NPTYPE_ID:
851 if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0)
852 goto end;
853 break;
854 case ISAKMP_NPTYPE_VID:
855 vid_numeric = check_vendorid(pa->ptr);
856
857 #ifdef ENABLE_NATT
858 if (iph1->rmconf->nat_traversal &&
859 natt_vendorid(vid_numeric)) {
860 natt_handle_vendorid(iph1, vid_numeric);
861 break;
862 }
863 #endif
864 #ifdef ENABLE_HYBRID
865 switch (vid_numeric) {
866 case VENDORID_XAUTH:
867 iph1->mode_cfg->flags |=
868 ISAKMP_CFG_VENDORID_XAUTH;
869 break;
870
871 case VENDORID_UNITY:
872 iph1->mode_cfg->flags |=
873 ISAKMP_CFG_VENDORID_UNITY;
874 break;
875 default:
876 break;
877 }
878 #endif
879 #ifdef ENABLE_DPD
880 if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd) {
881 iph1->dpd_support=1;
882 plog(LLV_DEBUG, LOCATION, NULL,
883 "remote supports DPD\n");
884 }
885 #endif
886 #ifdef ENABLE_FRAG
887 if ((vid_numeric == VENDORID_FRAG) &&
888 (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_AGG))
889 iph1->frag = 1;
890 #endif
891 break;
892
893 case ISAKMP_NPTYPE_CR:
894 if (oakley_savecr(iph1, pa->ptr) < 0)
895 goto end;
896 break;
897
898 #ifdef HAVE_GSSAPI
899 case ISAKMP_NPTYPE_GSS:
900 if (isakmp_p2ph(&gsstoken, pa->ptr) < 0)
901 goto end;
902 gssapi_save_received_token(iph1, gsstoken);
903 break;
904 #endif
905 default:
906 /* don't send information, see isakmp_ident_r1() */
907 plog(LLV_ERROR, LOCATION, iph1->remote,
908 "ignore the packet, "
909 "received unexpecting payload type %d.\n",
910 pa->type);
911 goto end;
912 }
913 }
914
915 /* payload existency check */
916 if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) {
917 plog(LLV_ERROR, LOCATION, iph1->remote,
918 "few isakmp message received.\n");
919 goto end;
920 }
921
922 /* verify identifier */
923 if (ipsecdoi_checkid1(iph1) != 0) {
924 plog(LLV_ERROR, LOCATION, iph1->remote,
925 "invalid ID payload.\n");
926 goto end;
927 }
928
929 #ifdef ENABLE_NATT
930 if (NATT_AVAILABLE(iph1))
931 plog(LLV_INFO, LOCATION, iph1->remote,
932 "Selected NAT-T version: %s\n",
933 vid_string_by_id(iph1->natt_options->version));
934 #endif
935
936 /* check SA payload and set approval SA for use */
937 if (ipsecdoi_checkph1proposal(iph1->sa, iph1) < 0) {
938 plog(LLV_ERROR, LOCATION, iph1->remote,
939 "failed to get valid proposal.\n");
940 /* XXX send information */
941 goto end;
942 }
943
944 if (oakley_checkcr(iph1) < 0) {
945 /* Ignore this error in order to be interoperability. */
946 ;
947 }
948
949 iph1->status = PHASE1ST_MSG1RECEIVED;
950
951 error = 0;
952
953 end:
954 if (pbuf)
955 vfree(pbuf);
956 if (error) {
957 VPTRINIT(iph1->sa);
958 VPTRINIT(iph1->dhpub_p);
959 VPTRINIT(iph1->nonce_p);
960 VPTRINIT(iph1->id_p);
961 oakley_delcert(iph1->cr_p);
962 iph1->cr_p = NULL;
963 }
964
965 return error;
966 }
967
968 /*
969 * send to initiator
970 * psk: HDR, SA, KE, Nr, IDr1, HASH_R
971 * sig: HDR, SA, KE, Nr, IDr1, [ CR, ] [ CERT, ] SIG_R
972 * gssapi: HDR, SA, KE, Nr, IDr1, GSSr, HASH_R
973 * rsa: HDR, SA, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i, HASH_R
974 * rev: HDR, SA, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDir_b>Ke_r, HASH_R
975 */
976 int
977 agg_r1send(iph1, msg)
978 struct ph1handle *iph1;
979 vchar_t *msg;
980 {
981 struct payload_list *plist = NULL;
982 int need_cr = 0;
983 int need_cert = 0;
984 vchar_t *cr = NULL;
985 vchar_t *vid = NULL;
986 int error = -1;
987 #ifdef ENABLE_HYBRID
988 vchar_t *xauth_vid = NULL;
989 vchar_t *unity_vid = NULL;
990 #endif
991 #ifdef ENABLE_NATT
992 vchar_t *vid_natt = NULL;
993 vchar_t *natd[2] = { NULL, NULL };
994 #endif
995 #ifdef ENABLE_DPD
996 vchar_t *vid_dpd = NULL;
997 #endif
998
999 #ifdef HAVE_GSSAPI
1000 int gsslen;
1001 vchar_t *gsstoken = NULL, *gsshash = NULL;
1002 vchar_t *gss_sa = NULL;
1003 #endif
1004
1005 /* validity check */
1006 if (iph1->status != PHASE1ST_MSG1RECEIVED) {
1007 plog(LLV_ERROR, LOCATION, NULL,
1008 "status mismatched %d.\n", iph1->status);
1009 goto end;
1010 }
1011
1012 /* set responder's cookie */
1013 isakmp_newcookie((caddr_t)&iph1->index.r_ck, iph1->remote, iph1->local);
1014
1015 /* make ID payload into isakmp status */
1016 if (ipsecdoi_setid1(iph1) < 0)
1017 goto end;
1018
1019 /* generate DH public value */
1020 if (oakley_dh_generate(iph1->rmconf->dhgrp,
1021 &iph1->dhpub, &iph1->dhpriv) < 0)
1022 goto end;
1023
1024 /* generate NONCE value */
1025 iph1->nonce = eay_set_random(iph1->rmconf->nonce_size);
1026 if (iph1->nonce == NULL)
1027 goto end;
1028
1029 /* compute sharing secret of DH */
1030 if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub,
1031 iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0)
1032 goto end;
1033
1034 /* generate SKEYIDs & IV & final cipher key */
1035 if (oakley_skeyid(iph1) < 0)
1036 goto end;
1037 if (oakley_skeyid_dae(iph1) < 0)
1038 goto end;
1039 if (oakley_compute_enckey(iph1) < 0)
1040 goto end;
1041 if (oakley_newiv(iph1) < 0)
1042 goto end;
1043
1044 #ifdef HAVE_GSSAPI
1045 if (iph1->rmconf->proposal->authmethod ==
1046 OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB)
1047 gssapi_get_rtoken(iph1, &gsslen);
1048 #endif
1049
1050 /* generate HASH to send */
1051 plog(LLV_DEBUG, LOCATION, NULL, "generate HASH_R\n");
1052 iph1->hash = oakley_ph1hash_common(iph1, GENERATE);
1053 if (iph1->hash == NULL) {
1054 #ifdef HAVE_GSSAPI
1055 if (gssapi_more_tokens(iph1))
1056 isakmp_info_send_n1(iph1,
1057 ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, NULL);
1058 #endif
1059 goto end;
1060 }
1061
1062 /* create CR if need */
1063 if (iph1->rmconf->send_cr
1064 && oakley_needcr(iph1->approval->authmethod)
1065 && iph1->rmconf->peerscertfile == NULL) {
1066 need_cr = 1;
1067 cr = oakley_getcr(iph1);
1068 if (cr == NULL) {
1069 plog(LLV_ERROR, LOCATION, NULL,
1070 "failed to get cr buffer.\n");
1071 goto end;
1072 }
1073 }
1074
1075 #ifdef ENABLE_NATT
1076 /* Has the peer announced NAT-T? */
1077 if (NATT_AVAILABLE(iph1)) {
1078 /* set chosen VID */
1079 vid_natt = set_vendorid(iph1->natt_options->version);
1080
1081 /* generate NAT-D payloads */
1082 plog (LLV_INFO, LOCATION, NULL, "Adding remote and local NAT-D payloads.\n");
1083 if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) {
1084 plog(LLV_ERROR, LOCATION, NULL,
1085 "NAT-D hashing failed for %s\n", saddr2str(iph1->remote));
1086 goto end;
1087 }
1088
1089 if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) {
1090 plog(LLV_ERROR, LOCATION, NULL,
1091 "NAT-D hashing failed for %s\n", saddr2str(iph1->local));
1092 goto end;
1093 }
1094 }
1095 #endif
1096 #ifdef ENABLE_DPD
1097 /* Only send DPD support if remote announced DPD and if DPD support is active */
1098 if (iph1->dpd_support && iph1->rmconf->dpd)
1099 vid_dpd = set_vendorid(VENDORID_DPD);
1100 #endif
1101
1102 switch (iph1->approval->authmethod) {
1103 case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
1104 /* set SA payload to reply */
1105 plist = isakmp_plist_append(plist, iph1->sa_ret, ISAKMP_NPTYPE_SA);
1106
1107 /* create isakmp KE payload */
1108 plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE);
1109
1110 /* create isakmp NONCE payload */
1111 plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE);
1112
1113 /* create isakmp ID payload */
1114 plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
1115
1116 /* create isakmp HASH payload */
1117 plist = isakmp_plist_append(plist, iph1->hash, ISAKMP_NPTYPE_HASH);
1118
1119 /* append vendor id, if needed */
1120 if (vid)
1121 plist = isakmp_plist_append(plist, vid, ISAKMP_NPTYPE_VID);
1122
1123 /* create isakmp CR payload if needed */
1124 if (need_cr)
1125 plist = isakmp_plist_append(plist, cr, ISAKMP_NPTYPE_CR);
1126 break;
1127 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
1128 case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
1129 #ifdef ENABLE_HYBRID
1130 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
1131 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
1132 #endif
1133 /* XXX if there is CR or not ? */
1134
1135 if (oakley_getmycert(iph1) < 0)
1136 goto end;
1137
1138 if (oakley_getsign(iph1) < 0)
1139 goto end;
1140
1141 if (iph1->cert != NULL && iph1->rmconf->send_cert)
1142 need_cert = 1;
1143
1144 /* set SA payload to reply */
1145 plist = isakmp_plist_append(plist, iph1->sa_ret, ISAKMP_NPTYPE_SA);
1146
1147 /* create isakmp KE payload */
1148 plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE);
1149
1150 /* create isakmp NONCE payload */
1151 plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE);
1152
1153 /* add ID payload */
1154 plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
1155
1156 /* add CERT payload if there */
1157 if (need_cert)
1158 plist = isakmp_plist_append(plist, iph1->cert->pl, ISAKMP_NPTYPE_CERT);
1159
1160 /* add SIG payload */
1161 plist = isakmp_plist_append(plist, iph1->sig, ISAKMP_NPTYPE_SIG);
1162
1163 /* append vendor id, if needed */
1164 if (vid)
1165 plist = isakmp_plist_append(plist, vid, ISAKMP_NPTYPE_VID);
1166
1167 #ifdef ENABLE_HYBRID
1168 if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) {
1169 if ((xauth_vid = set_vendorid(VENDORID_XAUTH)) == NULL) {
1170 plog(LLV_ERROR, LOCATION, NULL,
1171 "Cannot create Xauth vendor ID\n");
1172 goto end;
1173 }
1174 plist = isakmp_plist_append(plist,
1175 xauth_vid, ISAKMP_NPTYPE_VID);
1176 }
1177
1178 if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_UNITY) {
1179 if ((unity_vid = set_vendorid(VENDORID_UNITY)) == NULL) {
1180 plog(LLV_ERROR, LOCATION, NULL,
1181 "Cannot create Unity vendor ID\n");
1182 goto end;
1183 }
1184 plist = isakmp_plist_append(plist,
1185 unity_vid, ISAKMP_NPTYPE_VID);
1186 }
1187 #endif
1188
1189 /* create isakmp CR payload if needed */
1190 if (need_cr)
1191 plist = isakmp_plist_append(plist, cr, ISAKMP_NPTYPE_CR);
1192 break;
1193
1194 case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
1195 case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
1196 break;
1197 #ifdef HAVE_GSSAPI
1198 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
1199 /* create buffer to send isakmp payload */
1200 gsshash = gssapi_wraphash(iph1);
1201 if (gsshash == NULL) {
1202 plog(LLV_ERROR, LOCATION, NULL,
1203 "failed to wrap hash\n");
1204 /*
1205 * This is probably due to the GSS roundtrips not
1206 * being finished yet. Return this error in
1207 * the hope that a fallback to main mode will
1208 * be done.
1209 */
1210 isakmp_info_send_n1(iph1,
1211 ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, NULL);
1212 goto end;
1213 }
1214 if (iph1->approval->gssid != NULL)
1215 gss_sa = ipsecdoi_setph1proposal(iph1->approval);
1216 else
1217 gss_sa = iph1->sa_ret;
1218
1219 /* set SA payload to reply */
1220 plist = isakmp_plist_append(plist, gss_sa, ISAKMP_NPTYPE_SA);
1221
1222 /* create isakmp KE payload */
1223 plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE);
1224
1225 /* create isakmp NONCE payload */
1226 plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE);
1227
1228 /* create isakmp ID payload */
1229 plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
1230
1231 /* create GSS payload */
1232 gssapi_get_token_to_send(iph1, &gsstoken);
1233 plist = isakmp_plist_append(plist, gsstoken, ISAKMP_NPTYPE_GSS);
1234
1235 /* create isakmp HASH payload */
1236 plist = isakmp_plist_append(plist, gsshash, ISAKMP_NPTYPE_HASH);
1237
1238 /* append vendor id, if needed */
1239 if (vid)
1240 plist = isakmp_plist_append(plist, vid, ISAKMP_NPTYPE_VID);
1241
1242 break;
1243 #endif
1244 default:
1245 plog(LLV_ERROR, LOCATION, NULL, "Invalid authmethod %d\n",
1246 iph1->approval->authmethod);
1247 goto end;
1248 break;
1249 }
1250
1251 #ifdef ENABLE_NATT
1252 /* append NAT-T payloads */
1253 if (vid_natt) {
1254 /* chosen VID */
1255 plist = isakmp_plist_append(plist, vid_natt, ISAKMP_NPTYPE_VID);
1256 /* NAT-D */
1257 #ifdef __APPLE__
1258 /* old Apple version sends natd payloads in the wrong order */
1259 if (iph1->natt_options->version == VENDORID_NATT_APPLE) {
1260 plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
1261 plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
1262 } else
1263 #endif
1264 {
1265 plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
1266 plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
1267 }
1268 }
1269 #endif
1270 #ifdef ENABLE_DPD
1271 if (vid_dpd)
1272 plist = isakmp_plist_append(plist, vid_dpd, ISAKMP_NPTYPE_VID);
1273 #endif
1274
1275 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
1276
1277 #ifdef HAVE_PRINT_ISAKMP_C
1278 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 1);
1279 #endif
1280
1281 /* send the packet, add to the schedule to resend */
1282 iph1->retry_counter = iph1->rmconf->retry_counter;
1283 if (isakmp_ph1resend(iph1) == -1)
1284 goto end;
1285
1286 /* the sending message is added to the received-list. */
1287 if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) {
1288 plog(LLV_ERROR , LOCATION, NULL,
1289 "failed to add a response packet to the tree.\n");
1290 goto end;
1291 }
1292
1293 iph1->status = PHASE1ST_MSG1SENT;
1294
1295 #ifdef ENABLE_VPNCONTROL_PORT
1296 vpncontrol_notify_phase_change(1, FROM_LOCAL, iph1, NULL);
1297 #endif
1298
1299 error = 0;
1300
1301 end:
1302 if (cr)
1303 vfree(cr);
1304 if (vid)
1305 vfree(vid);
1306 #ifdef ENABLE_HYBRID
1307 if (xauth_vid)
1308 vfree(xauth_vid);
1309 if (unity_vid)
1310 vfree(unity_vid);
1311 #endif
1312 #ifdef HAVE_GSSAPI
1313 if (gsstoken)
1314 vfree(gsstoken);
1315 if (gsshash)
1316 vfree(gsshash);
1317 if (gss_sa != iph1->sa_ret)
1318 vfree(gss_sa);
1319 #endif
1320 #ifdef ENABLE_DPD
1321 if (vid_dpd)
1322 vfree(vid_dpd);
1323 #endif
1324
1325 return error;
1326 }
1327
1328 /*
1329 * receive from initiator
1330 * psk: HDR, HASH_I
1331 * gssapi: HDR, HASH_I
1332 * sig: HDR, [ CERT, ] SIG_I
1333 * rsa: HDR, HASH_I
1334 * rev: HDR, HASH_I
1335 */
1336 int
1337 agg_r2recv(iph1, msg0)
1338 struct ph1handle *iph1;
1339 vchar_t *msg0;
1340 {
1341 vchar_t *msg = NULL;
1342 vchar_t *pbuf = NULL;
1343 struct isakmp_parse_t *pa;
1344 int error = -1;
1345 int ptype;
1346
1347 #ifdef ENABLE_NATT
1348 int natd_seq = 0;
1349 #endif
1350
1351 /* validity check */
1352 if (iph1->status != PHASE1ST_MSG1SENT) {
1353 plog(LLV_ERROR, LOCATION, NULL,
1354 "status mismatched %d.\n", iph1->status);
1355 goto end;
1356 }
1357
1358 /* decrypting if need. */
1359 /* XXX configurable ? */
1360 if (ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
1361 msg = oakley_do_decrypt(iph1, msg0,
1362 iph1->ivm->iv, iph1->ivm->ive);
1363 if (msg == NULL)
1364 goto end;
1365 } else
1366 msg = vdup(msg0);
1367
1368 /* validate the type of next payload */
1369 pbuf = isakmp_parse(msg);
1370 if (pbuf == NULL)
1371 goto end;
1372
1373 iph1->pl_hash = NULL;
1374
1375 for (pa = (struct isakmp_parse_t *)pbuf->v;
1376 pa->type != ISAKMP_NPTYPE_NONE;
1377 pa++) {
1378
1379 switch (pa->type) {
1380 case ISAKMP_NPTYPE_HASH:
1381 iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr;
1382 break;
1383 case ISAKMP_NPTYPE_VID:
1384 (void)check_vendorid(pa->ptr);
1385 break;
1386 case ISAKMP_NPTYPE_CERT:
1387 if (oakley_savecert(iph1, pa->ptr) < 0)
1388 goto end;
1389 break;
1390 case ISAKMP_NPTYPE_SIG:
1391 if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0)
1392 goto end;
1393 break;
1394 case ISAKMP_NPTYPE_N:
1395 isakmp_check_notify(pa->ptr, iph1);
1396 break;
1397
1398 #ifdef ENABLE_NATT
1399 case ISAKMP_NPTYPE_NATD_DRAFT:
1400 case ISAKMP_NPTYPE_NATD_RFC:
1401 #ifdef __APPLE__
1402 case ISAKMP_NPTYPE_NATD_BADDRAFT:
1403 #endif
1404 if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL &&
1405 pa->type == iph1->natt_options->payload_nat_d)
1406 {
1407 vchar_t *natd_received = NULL;
1408 int natd_verified;
1409
1410 if (isakmp_p2ph (&natd_received, pa->ptr) < 0)
1411 goto end;
1412
1413 if (natd_seq == 0)
1414 iph1->natt_flags |= NAT_DETECTED;
1415
1416 natd_verified = natt_compare_addr_hash (iph1,
1417 natd_received, natd_seq++);
1418
1419 plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n",
1420 natd_seq - 1,
1421 natd_verified ? "verified" : "doesn't match");
1422
1423 vfree (natd_received);
1424 break;
1425 }
1426 /* %%%% Be lenient here - some servers send natd payloads */
1427 /* when no nat is detected */
1428 break;
1429 #endif
1430
1431 default:
1432 /* don't send information, see isakmp_ident_r1() */
1433 plog(LLV_ERROR, LOCATION, iph1->remote,
1434 "ignore the packet, "
1435 "received unexpecting payload type %d.\n",
1436 pa->type);
1437 goto end;
1438 }
1439 }
1440
1441 #ifdef ENABLE_NATT
1442 if (NATT_AVAILABLE(iph1))
1443 plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n",
1444 iph1->natt_flags & NAT_DETECTED ?
1445 "detected:" : "not detected",
1446 iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "",
1447 iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : "");
1448 #endif
1449
1450 /* validate authentication value */
1451 ptype = oakley_validate_auth(iph1);
1452 if (ptype != 0) {
1453 if (ptype == -1) {
1454 /* message printed inner oakley_validate_auth() */
1455 goto end;
1456 }
1457 EVT_PUSH(iph1->local, iph1->remote,
1458 EVTT_PEERPH1AUTH_FAILED, NULL);
1459 isakmp_info_send_n1(iph1, ptype, NULL);
1460 goto end;
1461 }
1462
1463 iph1->status = PHASE1ST_MSG2RECEIVED;
1464
1465 error = 0;
1466
1467 end:
1468 if (pbuf)
1469 vfree(pbuf);
1470 if (msg)
1471 vfree(msg);
1472 if (error) {
1473 oakley_delcert(iph1->cert_p);
1474 iph1->cert_p = NULL;
1475 oakley_delcert(iph1->crl_p);
1476 iph1->crl_p = NULL;
1477 VPTRINIT(iph1->sig_p);
1478 }
1479
1480 return error;
1481 }
1482
1483 /*
1484 * status update and establish isakmp sa.
1485 */
1486 int
1487 agg_r2send(iph1, msg)
1488 struct ph1handle *iph1;
1489 vchar_t *msg;
1490 {
1491 int error = -1;
1492
1493 /* validity check */
1494 if (iph1->status != PHASE1ST_MSG2RECEIVED) {
1495 plog(LLV_ERROR, LOCATION, NULL,
1496 "status mismatched %d.\n", iph1->status);
1497 goto end;
1498 }
1499
1500 /* IV synchronized when packet encrypted. */
1501 /* see handler.h about IV synchronization. */
1502 if (ISSET(((struct isakmp *)msg->v)->flags, ISAKMP_FLAG_E))
1503 memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->iv->l);
1504
1505 /* set encryption flag */
1506 iph1->flags |= ISAKMP_FLAG_E;
1507
1508 iph1->status = PHASE1ST_ESTABLISHED;
1509
1510 error = 0;
1511
1512 end:
1513 return error;
1514 }
mirror of ipsec