1 /* $KAME: isakmp_base.c,v 1.49 2003/11/13 02:30:20 sakane Exp $ */
4 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the project nor the names of its contributors
16 * may be used to endorse or promote products derived from this software
17 * without specific prior written permission.
19 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 /* Base Exchange (Base Mode) */
36 #include <sys/types.h>
37 #include <sys/param.h>
43 #if TIME_WITH_SYS_TIME
44 # include <sys/time.h>
48 # include <sys/time.h>
62 #include "localconf.h"
63 #include "remoteconf.h"
64 #include "isakmp_var.h"
69 #include "ipsec_doi.h"
70 #include "crypto_openssl.h"
72 #include "isakmp_base.h"
73 #include "isakmp_inf.h"
76 #include "nattraversal.h"
79 #include "isakmp_frag.h"
81 #include "vpn_control.h"
82 #include "vpn_control_var.h"
85 * begin Identity Protection Mode as initiator.
89 * psk: HDR, SA, Idii, Ni_b
90 * sig: HDR, SA, Idii, Ni_b
91 * rsa: HDR, SA, [HASH(1),] <IDii_b>Pubkey_r, <Ni_b>Pubkey_r
92 * rev: HDR, SA, [HASH(1),] <Ni_b>Pubkey_r, <IDii_b>Ke_i
95 base_i1send(iph1
, msg
)
96 struct ph1handle
*iph1
;
97 vchar_t
*msg
; /* must be null */
99 struct payload_list
*plist
= NULL
;
102 vchar_t
*vid_natt
[MAX_NATT_VID_COUNT
] = { NULL
};
103 int i
, vid_natt_i
= 0;
106 vchar_t
*vid_frag
= NULL
;
111 plog(LLV_ERROR
, LOCATION
, NULL
,
112 "msg has to be NULL in this function.\n");
115 if (iph1
->status
!= PHASE1ST_START
) {
116 plog(LLV_ERROR
, LOCATION
, NULL
,
117 "status mismatched %d.\n", iph1
->status
);
121 /* create isakmp index */
122 memset(&iph1
->index
, 0, sizeof(iph1
->index
));
123 isakmp_newcookie((caddr_t
)&iph1
->index
, iph1
->remote
, iph1
->local
);
125 /* make ID payload into isakmp status */
126 if (ipsecdoi_setid1(iph1
) < 0)
129 /* create SA payload for my proposal */
130 iph1
->sa
= ipsecdoi_setph1proposal(iph1
->rmconf
->proposal
);
131 if (iph1
->sa
== NULL
)
134 /* generate NONCE value */
135 iph1
->nonce
= eay_set_random(iph1
->rmconf
->nonce_size
);
136 if (iph1
->nonce
== NULL
)
140 if (iph1
->rmconf
->ike_frag
) {
141 vid_frag
= set_vendorid(VENDORID_FRAG
);
142 if (vid_frag
!= NULL
)
143 vid_frag
= isakmp_frag_addcap(vid_frag
,
145 if (vid_frag
== NULL
)
146 plog(LLV_ERROR
, LOCATION
, NULL
,
147 "Frag vendorID construction failed\n");
151 /* Is NAT-T support allowed in the config file? */
152 if (iph1
->rmconf
->nat_traversal
) {
153 /* Advertise NAT-T capability */
154 memset (vid_natt
, 0, sizeof (vid_natt
));
155 #ifdef VENDORID_NATT_00
156 if ((vid_natt
[vid_natt_i
] = set_vendorid(VENDORID_NATT_00
)) != NULL
)
159 #ifdef VENDORID_NATT_02
160 if ((vid_natt
[vid_natt_i
] = set_vendorid(VENDORID_NATT_02
)) != NULL
)
163 #ifdef VENDORID_NATT_02_N
164 if ((vid_natt
[vid_natt_i
] = set_vendorid(VENDORID_NATT_02_N
)) != NULL
)
167 #ifdef VENDORID_NATT_RFC
168 if ((vid_natt
[vid_natt_i
] = set_vendorid(VENDORID_NATT_RFC
)) != NULL
)
174 /* set SA payload to propose */
175 plist
= isakmp_plist_append(plist
, iph1
->sa
, ISAKMP_NPTYPE_SA
);
177 /* create isakmp ID payload */
178 plist
= isakmp_plist_append(plist
, iph1
->id
, ISAKMP_NPTYPE_ID
);
180 /* create isakmp NONCE payload */
181 plist
= isakmp_plist_append(plist
, iph1
->nonce
, ISAKMP_NPTYPE_NONCE
);
185 plist
= isakmp_plist_append(plist
, vid_frag
, ISAKMP_NPTYPE_VID
);
188 /* set VID payload for NAT-T */
189 for (i
= 0; i
< vid_natt_i
; i
++)
190 plist
= isakmp_plist_append(plist
, vid_natt
[i
], ISAKMP_NPTYPE_VID
);
192 iph1
->sendbuf
= isakmp_plist_set_all (&plist
, iph1
);
195 #ifdef HAVE_PRINT_ISAKMP_C
196 isakmp_printpacket(iph1
->sendbuf
, iph1
->local
, iph1
->remote
, 0);
199 /* send the packet, add to the schedule to resend */
200 iph1
->retry_counter
= iph1
->rmconf
->retry_counter
;
201 if (isakmp_ph1resend(iph1
) == -1)
204 iph1
->status
= PHASE1ST_MSG1SENT
;
214 for (i
= 0; i
< vid_natt_i
; i
++)
222 * receive from responder
223 * psk: HDR, SA, Idir, Nr_b
224 * sig: HDR, SA, Idir, Nr_b, [ CR ]
225 * rsa: HDR, SA, <IDir_b>PubKey_i, <Nr_b>PubKey_i
226 * rev: HDR, SA, <Nr_b>PubKey_i, <IDir_b>Ke_r
229 base_i2recv(iph1
, msg
)
230 struct ph1handle
*iph1
;
233 vchar_t
*pbuf
= NULL
;
234 struct isakmp_parse_t
*pa
;
235 vchar_t
*satmp
= NULL
;
240 if (iph1
->status
!= PHASE1ST_MSG1SENT
) {
241 plog(LLV_ERROR
, LOCATION
, NULL
,
242 "status mismatched %d.\n", iph1
->status
);
246 /* validate the type of next payload */
247 pbuf
= isakmp_parse(msg
);
250 pa
= (struct isakmp_parse_t
*)pbuf
->v
;
252 /* SA payload is fixed postion */
253 if (pa
->type
!= ISAKMP_NPTYPE_SA
) {
254 plog(LLV_ERROR
, LOCATION
, iph1
->remote
,
255 "received invalid next payload type %d, "
257 pa
->type
, ISAKMP_NPTYPE_SA
);
260 if (isakmp_p2ph(&satmp
, pa
->ptr
) < 0)
265 pa
->type
!= ISAKMP_NPTYPE_NONE
;
269 case ISAKMP_NPTYPE_NONCE
:
270 if (isakmp_p2ph(&iph1
->nonce_p
, pa
->ptr
) < 0)
273 case ISAKMP_NPTYPE_ID
:
274 if (isakmp_p2ph(&iph1
->id_p
, pa
->ptr
) < 0)
277 case ISAKMP_NPTYPE_VID
:
278 vid_numeric
= check_vendorid(pa
->ptr
);
280 if (iph1
->rmconf
->nat_traversal
&& natt_vendorid(vid_numeric
))
281 natt_handle_vendorid(iph1
, vid_numeric
);
285 /* don't send information, see ident_r1recv() */
286 plog(LLV_ERROR
, LOCATION
, iph1
->remote
,
287 "ignore the packet, "
288 "received unexpecting payload type %d.\n",
294 if (iph1
->nonce_p
== NULL
|| iph1
->id_p
== NULL
) {
295 plog(LLV_ERROR
, LOCATION
, iph1
->remote
,
296 "few isakmp message received.\n");
300 /* verify identifier */
301 if (ipsecdoi_checkid1(iph1
) != 0) {
302 plog(LLV_ERROR
, LOCATION
, iph1
->remote
,
303 "invalid ID payload.\n");
308 if (NATT_AVAILABLE(iph1
))
309 plog(LLV_INFO
, LOCATION
, iph1
->remote
,
310 "Selected NAT-T version: %s\n",
311 vid_string_by_id(iph1
->natt_options
->version
));
314 /* check SA payload and set approval SA for use */
315 if (ipsecdoi_checkph1proposal(satmp
, iph1
) < 0) {
316 plog(LLV_ERROR
, LOCATION
, iph1
->remote
,
317 "failed to get valid proposal.\n");
318 /* XXX send information */
321 VPTRINIT(iph1
->sa_ret
);
323 iph1
->status
= PHASE1ST_MSG2RECEIVED
;
325 #ifdef ENABLE_VPNCONTROL_PORT
326 vpncontrol_notify_phase_change(1, FROM_REMOTE
, iph1
, NULL
);
338 VPTRINIT(iph1
->nonce_p
);
339 VPTRINIT(iph1
->id_p
);
347 * psk: HDR, KE, HASH_I
348 * sig: HDR, KE, [ CR, ] [CERT,] SIG_I
349 * rsa: HDR, KE, HASH_I
350 * rev: HDR, <KE>Ke_i, HASH_I
353 base_i2send(iph1
, msg
)
354 struct ph1handle
*iph1
;
357 struct payload_list
*plist
= NULL
;
363 if (iph1
->status
!= PHASE1ST_MSG2RECEIVED
) {
364 plog(LLV_ERROR
, LOCATION
, NULL
,
365 "status mismatched %d.\n", iph1
->status
);
369 /* fix isakmp index */
370 memcpy(&iph1
->index
.r_ck
, &((struct isakmp
*)msg
->v
)->r_ck
,
373 /* generate DH public value */
374 if (oakley_dh_generate(iph1
->approval
->dhgrp
,
375 &iph1
->dhpub
, &iph1
->dhpriv
) < 0)
378 /* generate SKEYID to compute hash if not signature mode */
379 if (iph1
->approval
->authmethod
!= OAKLEY_ATTR_AUTH_METHOD_RSASIG
380 && iph1
->approval
->authmethod
!= OAKLEY_ATTR_AUTH_METHOD_DSSSIG
) {
381 if (oakley_skeyid(iph1
) < 0)
385 /* generate HASH to send */
386 plog(LLV_DEBUG
, LOCATION
, NULL
, "generate HASH_I\n");
387 iph1
->hash
= oakley_ph1hash_base_i(iph1
, GENERATE
);
388 if (iph1
->hash
== NULL
)
391 switch (iph1
->approval
->authmethod
) {
392 case OAKLEY_ATTR_AUTH_METHOD_PSKEY
:
393 vid
= set_vendorid(iph1
->approval
->vendorid
);
395 /* create isakmp KE payload */
396 plist
= isakmp_plist_append(plist
, iph1
->dhpub
, ISAKMP_NPTYPE_KE
);
398 /* create isakmp HASH payload */
399 plist
= isakmp_plist_append(plist
, iph1
->hash
, ISAKMP_NPTYPE_HASH
);
401 /* append vendor id, if needed */
403 plist
= isakmp_plist_append(plist
, vid
, ISAKMP_NPTYPE_VID
);
405 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG
:
406 case OAKLEY_ATTR_AUTH_METHOD_RSASIG
:
407 /* XXX if there is CR or not ? */
409 if (oakley_getmycert(iph1
) < 0)
412 if (oakley_getsign(iph1
) < 0)
415 if (iph1
->cert
&& iph1
->rmconf
->send_cert
)
418 /* create isakmp KE payload */
419 plist
= isakmp_plist_append(plist
, iph1
->dhpub
, ISAKMP_NPTYPE_KE
);
421 /* add CERT payload if there */
423 plist
= isakmp_plist_append(plist
, iph1
->cert
->pl
, ISAKMP_NPTYPE_CERT
);
425 /* add SIG payload */
426 plist
= isakmp_plist_append(plist
, iph1
->sig
, ISAKMP_NPTYPE_SIG
);
428 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB
:
431 case OAKLEY_ATTR_AUTH_METHOD_RSAENC
:
432 case OAKLEY_ATTR_AUTH_METHOD_RSAREV
:
435 plog(LLV_ERROR
, LOCATION
, NULL
, "invalid authmethod %d\n",
436 iph1
->approval
->authmethod
);
442 /* generate NAT-D payloads */
443 if (NATT_AVAILABLE(iph1
))
445 vchar_t
*natd
[2] = { NULL
, NULL
};
447 plog (LLV_INFO
, LOCATION
, NULL
, "Adding remote and local NAT-D payloads.\n");
448 if ((natd
[0] = natt_hash_addr (iph1
, iph1
->remote
)) == NULL
) {
449 plog(LLV_ERROR
, LOCATION
, NULL
,
450 "NAT-D hashing failed for %s\n", saddr2str(iph1
->remote
));
454 if ((natd
[1] = natt_hash_addr (iph1
, iph1
->local
)) == NULL
) {
455 plog(LLV_ERROR
, LOCATION
, NULL
,
456 "NAT-D hashing failed for %s\n", saddr2str(iph1
->local
));
461 /* old Apple version sends natd payloads in the wrong order */
462 if (iph1
->natt_options
->version
== VENDORID_NATT_APPLE
) {
463 plist
= isakmp_plist_append(plist
, natd
[1], iph1
->natt_options
->payload_nat_d
);
464 plist
= isakmp_plist_append(plist
, natd
[0], iph1
->natt_options
->payload_nat_d
);
468 plist
= isakmp_plist_append(plist
, natd
[0], iph1
->natt_options
->payload_nat_d
);
469 plist
= isakmp_plist_append(plist
, natd
[1], iph1
->natt_options
->payload_nat_d
);
474 iph1
->sendbuf
= isakmp_plist_set_all (&plist
, iph1
);
476 #ifdef HAVE_PRINT_ISAKMP_C
477 isakmp_printpacket(iph1
->sendbuf
, iph1
->local
, iph1
->remote
, 0);
480 /* send the packet, add to the schedule to resend */
481 iph1
->retry_counter
= iph1
->rmconf
->retry_counter
;
482 if (isakmp_ph1resend(iph1
) == -1)
485 /* the sending message is added to the received-list. */
486 if (add_recvdpkt(iph1
->remote
, iph1
->local
, iph1
->sendbuf
, msg
) == -1) {
487 plog(LLV_ERROR
, LOCATION
, NULL
,
488 "failed to add a response packet to the tree.\n");
492 iph1
->status
= PHASE1ST_MSG2SENT
;
503 * receive from responder
504 * psk: HDR, KE, HASH_R
505 * sig: HDR, KE, [CERT,] SIG_R
506 * rsa: HDR, KE, HASH_R
507 * rev: HDR, <KE>_Ke_r, HASH_R
510 base_i3recv(iph1
, msg
)
511 struct ph1handle
*iph1
;
514 vchar_t
*pbuf
= NULL
;
515 struct isakmp_parse_t
*pa
;
519 vchar_t
*natd_received
;
520 int natd_seq
= 0, natd_verified
;
524 if (iph1
->status
!= PHASE1ST_MSG2SENT
) {
525 plog(LLV_ERROR
, LOCATION
, NULL
,
526 "status mismatched %d.\n", iph1
->status
);
530 /* validate the type of next payload */
531 pbuf
= isakmp_parse(msg
);
535 for (pa
= (struct isakmp_parse_t
*)pbuf
->v
;
536 pa
->type
!= ISAKMP_NPTYPE_NONE
;
540 case ISAKMP_NPTYPE_KE
:
541 if (isakmp_p2ph(&iph1
->dhpub_p
, pa
->ptr
) < 0)
544 case ISAKMP_NPTYPE_HASH
:
545 iph1
->pl_hash
= (struct isakmp_pl_hash
*)pa
->ptr
;
547 case ISAKMP_NPTYPE_CERT
:
548 if (oakley_savecert(iph1
, pa
->ptr
) < 0)
551 case ISAKMP_NPTYPE_SIG
:
552 if (isakmp_p2ph(&iph1
->sig_p
, pa
->ptr
) < 0)
555 case ISAKMP_NPTYPE_VID
:
556 (void)check_vendorid(pa
->ptr
);
560 case ISAKMP_NPTYPE_NATD_DRAFT
:
561 case ISAKMP_NPTYPE_NATD_RFC
:
563 case ISAKMP_NPTYPE_NATD_BADDRAFT
:
565 if (NATT_AVAILABLE(iph1
) && iph1
->natt_options
&&
566 pa
->type
== iph1
->natt_options
->payload_nat_d
) {
567 natd_received
= NULL
;
568 if (isakmp_p2ph (&natd_received
, pa
->ptr
) < 0)
571 /* set both bits first so that we can clear them
572 upon verifying hashes */
574 iph1
->natt_flags
|= NAT_DETECTED
;
576 /* this function will clear appropriate bits bits
577 from iph1->natt_flags */
578 natd_verified
= natt_compare_addr_hash (iph1
,
579 natd_received
, natd_seq
++);
581 plog (LLV_INFO
, LOCATION
, NULL
, "NAT-D payload #%d %s\n",
583 natd_verified
? "verified" : "doesn't match");
585 vfree (natd_received
);
588 /* %%%% Be lenient here - some servers send natd payloads */
589 /* when no nat is detected */
594 /* don't send information, see ident_r1recv() */
595 plog(LLV_ERROR
, LOCATION
, iph1
->remote
,
596 "ignore the packet, "
597 "received unexpecting payload type %d.\n",
604 if (NATT_AVAILABLE(iph1
)) {
605 plog (LLV_INFO
, LOCATION
, NULL
, "NAT %s %s%s\n",
606 iph1
->natt_flags
& NAT_DETECTED
?
607 "detected:" : "not detected",
608 iph1
->natt_flags
& NAT_DETECTED_ME
? "ME " : "",
609 iph1
->natt_flags
& NAT_DETECTED_PEER
? "PEER" : "");
610 if (iph1
->natt_flags
& NAT_DETECTED
)
611 natt_float_ports (iph1
);
615 /* payload existency check */
616 /* validate authentication value */
617 ptype
= oakley_validate_auth(iph1
);
620 /* message printed inner oakley_validate_auth() */
623 EVT_PUSH(iph1
->local
, iph1
->remote
,
624 EVTT_PEERPH1AUTH_FAILED
, NULL
);
625 isakmp_info_send_n1(iph1
, ptype
, NULL
);
629 /* compute sharing secret of DH */
630 if (oakley_dh_compute(iph1
->approval
->dhgrp
, iph1
->dhpub
,
631 iph1
->dhpriv
, iph1
->dhpub_p
, &iph1
->dhgxy
) < 0)
634 /* generate SKEYID to compute hash if signature mode */
635 if (iph1
->approval
->authmethod
== OAKLEY_ATTR_AUTH_METHOD_RSASIG
636 || iph1
->approval
->authmethod
== OAKLEY_ATTR_AUTH_METHOD_DSSSIG
) {
637 if (oakley_skeyid(iph1
) < 0)
641 /* generate SKEYIDs & IV & final cipher key */
642 if (oakley_skeyid_dae(iph1
) < 0)
644 if (oakley_compute_enckey(iph1
) < 0)
646 if (oakley_newiv(iph1
) < 0)
649 /* see handler.h about IV synchronization. */
650 memcpy(iph1
->ivm
->iv
->v
, iph1
->ivm
->ive
->v
, iph1
->ivm
->iv
->l
);
652 /* set encryption flag */
653 iph1
->flags
|= ISAKMP_FLAG_E
;
655 iph1
->status
= PHASE1ST_MSG3RECEIVED
;
664 VPTRINIT(iph1
->dhpub_p
);
665 oakley_delcert(iph1
->cert_p
);
667 oakley_delcert(iph1
->crl_p
);
669 VPTRINIT(iph1
->sig_p
);
676 * status update and establish isakmp sa.
679 base_i3send(iph1
, msg
)
680 struct ph1handle
*iph1
;
686 if (iph1
->status
!= PHASE1ST_MSG3RECEIVED
) {
687 plog(LLV_ERROR
, LOCATION
, NULL
,
688 "status mismatched %d.\n", iph1
->status
);
692 iph1
->status
= PHASE1ST_ESTABLISHED
;
701 * receive from initiator
702 * psk: HDR, SA, Idii, Ni_b
703 * sig: HDR, SA, Idii, Ni_b
704 * rsa: HDR, SA, [HASH(1),] <IDii_b>Pubkey_r, <Ni_b>Pubkey_r
705 * rev: HDR, SA, [HASH(1),] <Ni_b>Pubkey_r, <IDii_b>Ke_i
708 base_r1recv(iph1
, msg
)
709 struct ph1handle
*iph1
;
712 vchar_t
*pbuf
= NULL
;
713 struct isakmp_parse_t
*pa
;
718 if (iph1
->status
!= PHASE1ST_START
) {
719 plog(LLV_ERROR
, LOCATION
, NULL
,
720 "status mismatched %d.\n", iph1
->status
);
724 /* validate the type of next payload */
726 * NOTE: XXX even if multiple VID, we'll silently ignore those.
728 pbuf
= isakmp_parse(msg
);
731 pa
= (struct isakmp_parse_t
*)pbuf
->v
;
733 /* check the position of SA payload */
734 if (pa
->type
!= ISAKMP_NPTYPE_SA
) {
735 plog(LLV_ERROR
, LOCATION
, iph1
->remote
,
736 "received invalid next payload type %d, "
738 pa
->type
, ISAKMP_NPTYPE_SA
);
741 if (isakmp_p2ph(&iph1
->sa
, pa
->ptr
) < 0)
746 pa
->type
!= ISAKMP_NPTYPE_NONE
;
750 case ISAKMP_NPTYPE_NONCE
:
751 if (isakmp_p2ph(&iph1
->nonce_p
, pa
->ptr
) < 0)
754 case ISAKMP_NPTYPE_ID
:
755 if (isakmp_p2ph(&iph1
->id_p
, pa
->ptr
) < 0)
758 case ISAKMP_NPTYPE_VID
:
759 vid_numeric
= check_vendorid(pa
->ptr
);
761 if (iph1
->rmconf
->nat_traversal
&& natt_vendorid(vid_numeric
))
762 natt_handle_vendorid(iph1
, vid_numeric
);
765 if ((vid_numeric
== VENDORID_FRAG
) &&
766 (vendorid_frag_cap(pa
->ptr
) & VENDORID_FRAG_BASE
))
771 /* don't send information, see ident_r1recv() */
772 plog(LLV_ERROR
, LOCATION
, iph1
->remote
,
773 "ignore the packet, "
774 "received unexpecting payload type %d.\n",
780 if (iph1
->nonce_p
== NULL
|| iph1
->id_p
== NULL
) {
781 plog(LLV_ERROR
, LOCATION
, iph1
->remote
,
782 "few isakmp message received.\n");
786 /* verify identifier */
787 if (ipsecdoi_checkid1(iph1
) != 0) {
788 plog(LLV_ERROR
, LOCATION
, iph1
->remote
,
789 "invalid ID payload.\n");
794 if (NATT_AVAILABLE(iph1
))
795 plog(LLV_INFO
, LOCATION
, iph1
->remote
,
796 "Selected NAT-T version: %s\n",
797 vid_string_by_id(iph1
->natt_options
->version
));
800 /* check SA payload and set approval SA for use */
801 if (ipsecdoi_checkph1proposal(iph1
->sa
, iph1
) < 0) {
802 plog(LLV_ERROR
, LOCATION
, iph1
->remote
,
803 "failed to get valid proposal.\n");
804 /* XXX send information */
808 iph1
->status
= PHASE1ST_MSG1RECEIVED
;
818 VPTRINIT(iph1
->nonce_p
);
819 VPTRINIT(iph1
->id_p
);
827 * psk: HDR, SA, Idir, Nr_b
828 * sig: HDR, SA, Idir, Nr_b, [ CR ]
829 * rsa: HDR, SA, <IDir_b>PubKey_i, <Nr_b>PubKey_i
830 * rev: HDR, SA, <Nr_b>PubKey_i, <IDir_b>Ke_r
833 base_r1send(iph1
, msg
)
834 struct ph1handle
*iph1
;
837 struct payload_list
*plist
= NULL
;
840 vchar_t
*vid_natt
= NULL
;
844 if (iph1
->status
!= PHASE1ST_MSG1RECEIVED
) {
845 plog(LLV_ERROR
, LOCATION
, NULL
,
846 "status mismatched %d.\n", iph1
->status
);
850 /* set responder's cookie */
851 isakmp_newcookie((caddr_t
)&iph1
->index
.r_ck
, iph1
->remote
, iph1
->local
);
853 /* make ID payload into isakmp status */
854 if (ipsecdoi_setid1(iph1
) < 0)
857 /* generate NONCE value */
858 iph1
->nonce
= eay_set_random(iph1
->rmconf
->nonce_size
);
859 if (iph1
->nonce
== NULL
)
862 /* set SA payload to reply */
863 plist
= isakmp_plist_append(plist
, iph1
->sa_ret
, ISAKMP_NPTYPE_SA
);
865 /* create isakmp ID payload */
866 plist
= isakmp_plist_append(plist
, iph1
->id
, ISAKMP_NPTYPE_ID
);
868 /* create isakmp NONCE payload */
869 plist
= isakmp_plist_append(plist
, iph1
->nonce
, ISAKMP_NPTYPE_NONCE
);
872 /* has the peer announced nat-t? */
873 if (NATT_AVAILABLE(iph1
))
874 vid_natt
= set_vendorid(iph1
->natt_options
->version
);
876 plist
= isakmp_plist_append(plist
, vid_natt
, ISAKMP_NPTYPE_VID
);
879 iph1
->sendbuf
= isakmp_plist_set_all (&plist
, iph1
);
881 #ifdef HAVE_PRINT_ISAKMP_C
882 isakmp_printpacket(iph1
->sendbuf
, iph1
->local
, iph1
->remote
, 0);
885 /* send the packet, add to the schedule to resend */
886 iph1
->retry_counter
= iph1
->rmconf
->retry_counter
;
887 if (isakmp_ph1resend(iph1
) == -1)
890 /* the sending message is added to the received-list. */
891 if (add_recvdpkt(iph1
->remote
, iph1
->local
, iph1
->sendbuf
, msg
) == -1) {
892 plog(LLV_ERROR
, LOCATION
, NULL
,
893 "failed to add a response packet to the tree.\n");
897 iph1
->status
= PHASE1ST_MSG1SENT
;
899 #ifdef ENABLE_VPNCONTROL_PORT
900 vpncontrol_notify_phase_change(1, FROM_LOCAL
, iph1
, NULL
);
911 VPTRINIT(iph1
->sa_ret
);
917 * receive from initiator
918 * psk: HDR, KE, HASH_I
919 * sig: HDR, KE, [ CR, ] [CERT,] SIG_I
920 * rsa: HDR, KE, HASH_I
921 * rev: HDR, <KE>Ke_i, HASH_I
924 base_r2recv(iph1
, msg
)
925 struct ph1handle
*iph1
;
928 vchar_t
*pbuf
= NULL
;
929 struct isakmp_parse_t
*pa
;
937 if (iph1
->status
!= PHASE1ST_MSG1SENT
) {
938 plog(LLV_ERROR
, LOCATION
, NULL
,
939 "status mismatched %d.\n", iph1
->status
);
943 /* validate the type of next payload */
944 pbuf
= isakmp_parse(msg
);
948 iph1
->pl_hash
= NULL
;
950 for (pa
= (struct isakmp_parse_t
*)pbuf
->v
;
951 pa
->type
!= ISAKMP_NPTYPE_NONE
;
955 case ISAKMP_NPTYPE_KE
:
956 if (isakmp_p2ph(&iph1
->dhpub_p
, pa
->ptr
) < 0)
959 case ISAKMP_NPTYPE_HASH
:
960 iph1
->pl_hash
= (struct isakmp_pl_hash
*)pa
->ptr
;
962 case ISAKMP_NPTYPE_CERT
:
963 if (oakley_savecert(iph1
, pa
->ptr
) < 0)
966 case ISAKMP_NPTYPE_SIG
:
967 if (isakmp_p2ph(&iph1
->sig_p
, pa
->ptr
) < 0)
970 case ISAKMP_NPTYPE_VID
:
971 (void)check_vendorid(pa
->ptr
);
975 case ISAKMP_NPTYPE_NATD_DRAFT
:
976 case ISAKMP_NPTYPE_NATD_RFC
:
978 case ISAKMP_NPTYPE_NATD_BADDRAFT
:
980 if (pa
->type
== iph1
->natt_options
->payload_nat_d
)
982 vchar_t
*natd_received
= NULL
;
985 if (isakmp_p2ph (&natd_received
, pa
->ptr
) < 0)
989 iph1
->natt_flags
|= NAT_DETECTED
;
991 natd_verified
= natt_compare_addr_hash (iph1
,
992 natd_received
, natd_seq
++);
994 plog (LLV_INFO
, LOCATION
, NULL
, "NAT-D payload #%d %s\n",
996 natd_verified
? "verified" : "doesn't match");
998 vfree (natd_received
);
1001 /* %%%% Be lenient here - some servers send natd payloads */
1002 /* when no nat is detected */
1007 /* don't send information, see ident_r1recv() */
1008 plog(LLV_ERROR
, LOCATION
, iph1
->remote
,
1009 "ignore the packet, "
1010 "received unexpecting payload type %d.\n",
1016 /* generate DH public value */
1017 if (oakley_dh_generate(iph1
->approval
->dhgrp
,
1018 &iph1
->dhpub
, &iph1
->dhpriv
) < 0)
1021 /* compute sharing secret of DH */
1022 if (oakley_dh_compute(iph1
->approval
->dhgrp
, iph1
->dhpub
,
1023 iph1
->dhpriv
, iph1
->dhpub_p
, &iph1
->dhgxy
) < 0)
1026 /* generate SKEYID */
1027 if (oakley_skeyid(iph1
) < 0)
1031 if (NATT_AVAILABLE(iph1
))
1032 plog (LLV_INFO
, LOCATION
, NULL
, "NAT %s %s%s\n",
1033 iph1
->natt_flags
& NAT_DETECTED
?
1034 "detected:" : "not detected",
1035 iph1
->natt_flags
& NAT_DETECTED_ME
? "ME " : "",
1036 iph1
->natt_flags
& NAT_DETECTED_PEER
? "PEER" : "");
1039 /* payload existency check */
1040 /* validate authentication value */
1041 ptype
= oakley_validate_auth(iph1
);
1044 /* message printed inner oakley_validate_auth() */
1047 EVT_PUSH(iph1
->local
, iph1
->remote
,
1048 EVTT_PEERPH1AUTH_FAILED
, NULL
);
1049 isakmp_info_send_n1(iph1
, ptype
, NULL
);
1053 iph1
->status
= PHASE1ST_MSG2RECEIVED
;
1062 VPTRINIT(iph1
->dhpub_p
);
1063 oakley_delcert(iph1
->cert_p
);
1064 iph1
->cert_p
= NULL
;
1065 oakley_delcert(iph1
->crl_p
);
1067 VPTRINIT(iph1
->sig_p
);
1075 * psk: HDR, KE, HASH_R
1076 * sig: HDR, KE, [CERT,] SIG_R
1077 * rsa: HDR, KE, HASH_R
1078 * rev: HDR, <KE>_Ke_r, HASH_R
1081 base_r2send(iph1
, msg
)
1082 struct ph1handle
*iph1
;
1085 struct payload_list
*plist
= NULL
;
1086 vchar_t
*vid
= NULL
;
1090 /* validity check */
1091 if (iph1
->status
!= PHASE1ST_MSG2RECEIVED
) {
1092 plog(LLV_ERROR
, LOCATION
, NULL
,
1093 "status mismatched %d.\n", iph1
->status
);
1097 /* generate HASH to send */
1098 plog(LLV_DEBUG
, LOCATION
, NULL
, "generate HASH_I\n");
1099 switch (iph1
->approval
->authmethod
) {
1100 case OAKLEY_ATTR_AUTH_METHOD_PSKEY
:
1101 case OAKLEY_ATTR_AUTH_METHOD_RSAENC
:
1102 case OAKLEY_ATTR_AUTH_METHOD_RSAREV
:
1103 iph1
->hash
= oakley_ph1hash_common(iph1
, GENERATE
);
1105 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG
:
1106 case OAKLEY_ATTR_AUTH_METHOD_RSASIG
:
1107 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB
:
1108 iph1
->hash
= oakley_ph1hash_base_r(iph1
, GENERATE
);
1111 plog(LLV_ERROR
, LOCATION
, NULL
,
1112 "invalid authentication method %d\n",
1113 iph1
->approval
->authmethod
);
1116 if (iph1
->hash
== NULL
)
1119 switch (iph1
->approval
->authmethod
) {
1120 case OAKLEY_ATTR_AUTH_METHOD_PSKEY
:
1121 vid
= set_vendorid(iph1
->approval
->vendorid
);
1123 /* create isakmp KE payload */
1124 plist
= isakmp_plist_append(plist
, iph1
->dhpub
, ISAKMP_NPTYPE_KE
);
1126 /* create isakmp HASH payload */
1127 plist
= isakmp_plist_append(plist
, iph1
->hash
, ISAKMP_NPTYPE_HASH
);
1129 /* append vendor id, if needed */
1131 plist
= isakmp_plist_append(plist
, vid
, ISAKMP_NPTYPE_VID
);
1133 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG
:
1134 case OAKLEY_ATTR_AUTH_METHOD_RSASIG
:
1135 /* XXX if there is CR or not ? */
1137 if (oakley_getmycert(iph1
) < 0)
1140 if (oakley_getsign(iph1
) < 0)
1143 if (iph1
->cert
&& iph1
->rmconf
->send_cert
)
1146 /* create isakmp KE payload */
1147 plist
= isakmp_plist_append(plist
, iph1
->dhpub
, ISAKMP_NPTYPE_KE
);
1149 /* add CERT payload if there */
1151 plist
= isakmp_plist_append(plist
, iph1
->cert
->pl
, ISAKMP_NPTYPE_CERT
);
1152 /* add SIG payload */
1153 plist
= isakmp_plist_append(plist
, iph1
->sig
, ISAKMP_NPTYPE_SIG
);
1155 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB
:
1158 case OAKLEY_ATTR_AUTH_METHOD_RSAENC
:
1159 case OAKLEY_ATTR_AUTH_METHOD_RSAREV
:
1162 plog(LLV_ERROR
, LOCATION
, NULL
, "invalid authmethod %d\n",
1163 iph1
->approval
->authmethod
);
1169 /* generate NAT-D payloads */
1170 if (NATT_AVAILABLE(iph1
))
1172 vchar_t
*natd
[2] = { NULL
, NULL
};
1174 plog (LLV_INFO
, LOCATION
, NULL
, "Adding remote and local NAT-D payloads.\n");
1175 if ((natd
[0] = natt_hash_addr (iph1
, iph1
->remote
)) == NULL
) {
1176 plog(LLV_ERROR
, LOCATION
, NULL
,
1177 "NAT-D hashing failed for %s\n", saddr2str(iph1
->remote
));
1181 if ((natd
[1] = natt_hash_addr (iph1
, iph1
->local
)) == NULL
) {
1182 plog(LLV_ERROR
, LOCATION
, NULL
,
1183 "NAT-D hashing failed for %s\n", saddr2str(iph1
->local
));
1188 /* old Apple version sends natd payloads in the wrong order */
1189 if (iph1
->natt_options
->version
== VENDORID_NATT_APPLE
) {
1190 plist
= isakmp_plist_append(plist
, natd
[1], iph1
->natt_options
->payload_nat_d
);
1191 plist
= isakmp_plist_append(plist
, natd
[0], iph1
->natt_options
->payload_nat_d
);
1195 plist
= isakmp_plist_append(plist
, natd
[0], iph1
->natt_options
->payload_nat_d
);
1196 plist
= isakmp_plist_append(plist
, natd
[1], iph1
->natt_options
->payload_nat_d
);
1201 iph1
->sendbuf
= isakmp_plist_set_all (&plist
, iph1
);
1203 #ifdef HAVE_PRINT_ISAKMP_C
1204 isakmp_printpacket(iph1
->sendbuf
, iph1
->local
, iph1
->remote
, 0);
1207 /* send HDR;KE;NONCE to responder */
1208 if (isakmp_send(iph1
, iph1
->sendbuf
) < 0)
1211 /* the sending message is added to the received-list. */
1212 if (add_recvdpkt(iph1
->remote
, iph1
->local
, iph1
->sendbuf
, msg
) == -1) {
1213 plog(LLV_ERROR
, LOCATION
, NULL
,
1214 "failed to add a response packet to the tree.\n");
1218 /* generate SKEYIDs & IV & final cipher key */
1219 if (oakley_skeyid_dae(iph1
) < 0)
1221 if (oakley_compute_enckey(iph1
) < 0)
1223 if (oakley_newiv(iph1
) < 0)
1226 /* set encryption flag */
1227 iph1
->flags
|= ISAKMP_FLAG_E
;
1229 iph1
->status
= PHASE1ST_ESTABLISHED
;
projects / apple / ipsec.git / blob