]> git.saurik.com Git - apple/ipsec.git/blob - ipsec-tools/racoon/isakmp_ident.c
projects / apple / ipsec.git / blob
? search:


53dfc01f4cb393d5f431cfe3c3ce45a3a968e339
[apple/ipsec.git] / ipsec-tools / racoon / isakmp_ident.c
1 /* $NetBSD: isakmp_ident.c,v 1.6 2006/10/02 21:41:59 manu Exp $ */
2
3 /* Id: isakmp_ident.c,v 1.21 2006/04/06 16:46:08 manubsd Exp */
4
5 /*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 /* Identity Protecion Exchange (Main Mode) */
35
36 #include "config.h"
37
38 #include <sys/types.h>
39 #include <sys/param.h>
40
41 #include <stdlib.h>
42 #include <stdio.h>
43 #include <string.h>
44 #include <errno.h>
45 #if TIME_WITH_SYS_TIME
46 # include <sys/time.h>
47 # include <time.h>
48 #else
49 # if HAVE_SYS_TIME_H
50 # include <sys/time.h>
51 # else
52 # include <time.h>
53 # endif
54 #endif
55
56 #include "var.h"
57 #include "misc.h"
58 #include "vmbuf.h"
59 #include "plog.h"
60 #include "sockmisc.h"
61 #include "schedule.h"
62 #include "debug.h"
63
64 #include "localconf.h"
65 #include "remoteconf.h"
66 #include "isakmp_var.h"
67 #include "isakmp.h"
68 #include "evt.h"
69 #include "oakley.h"
70 #include "handler.h"
71 #include "ipsec_doi.h"
72 #include "crypto_openssl.h"
73 #include "pfkey.h"
74 #include "isakmp_ident.h"
75 #include "isakmp_inf.h"
76 #include "vendorid.h"
77
78 #ifdef ENABLE_NATT
79 #include "nattraversal.h"
80 #endif
81 #ifdef HAVE_GSSAPI
82 #include "gssapi.h"
83 #endif
84 #ifdef ENABLE_HYBRID
85 #include <resolv.h>
86 #include "isakmp_xauth.h"
87 #include "isakmp_cfg.h"
88 #endif
89 #ifdef ENABLE_FRAG
90 #include "isakmp_frag.h"
91 #endif
92
93 #include "vpn_control.h"
94 #include "vpn_control_var.h"
95 #include "ipsecSessionTracer.h"
96 #include "ipsecMessageTracer.h"
97 #ifndef HAVE_OPENSSL
98 #include <Security/SecDH.h>
99 #endif
100
101 static vchar_t *ident_ir2mx __P((struct ph1handle *));
102 static vchar_t *ident_ir3mx __P((struct ph1handle *));
103
104 /* %%%
105 * begin Identity Protection Mode as initiator.
106 */
107 /*
108 * send to responder
109 * psk: HDR, SA
110 * sig: HDR, SA
111 * rsa: HDR, SA
112 * rev: HDR, SA
113 */
114 int
115 ident_i1send(iph1, msg)
116 struct ph1handle *iph1;
117 vchar_t *msg; /* must be null */
118 {
119 struct payload_list *plist = NULL;
120 int error = -1;
121 #ifdef ENABLE_NATT
122 vchar_t *vid_natt[MAX_NATT_VID_COUNT] = { NULL };
123 int i;
124 #endif
125 #ifdef ENABLE_HYBRID
126 vchar_t *vid_xauth = NULL;
127 vchar_t *vid_unity = NULL;
128 #endif
129 #ifdef ENABLE_FRAG
130 vchar_t *vid_frag = NULL;
131 #endif
132 #ifdef ENABLE_DPD
133 vchar_t *vid_dpd = NULL;
134 #endif
135 /* validity check */
136 if (msg != NULL) {
137 plog(LLV_ERROR, LOCATION, NULL,
138 "msg has to be NULL in this function.\n");
139 goto end;
140 }
141 if (iph1->status != PHASE1ST_START) {
142 plog(LLV_ERROR, LOCATION, NULL,
143 "status mismatched %d.\n", iph1->status);
144 goto end;
145 }
146
147 /* create isakmp index */
148 memset(&iph1->index, 0, sizeof(iph1->index));
149 isakmp_newcookie((caddr_t)&iph1->index, iph1->remote, iph1->local);
150
151 /* create SA payload for my proposal */
152 iph1->sa = ipsecdoi_setph1proposal(iph1->rmconf->proposal);
153 if (iph1->sa == NULL) {
154 plog(LLV_ERROR, LOCATION, NULL,
155 "failed to set proposal");
156 goto end;
157 }
158
159 /* set SA payload to propose */
160 plist = isakmp_plist_append(plist, iph1->sa, ISAKMP_NPTYPE_SA);
161
162 #ifdef ENABLE_NATT
163 /* set VID payload for NAT-T if NAT-T support allowed in the config file */
164 if (iph1->rmconf->nat_traversal)
165 plist = isakmp_plist_append_natt_vids(plist, vid_natt);
166 #endif
167 #ifdef ENABLE_HYBRID
168 /* Do we need Xauth VID? */
169 switch (RMAUTHMETHOD(iph1)) {
170 case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
171 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
172 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
173 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
174 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
175 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
176 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
177 if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL)
178 plog(LLV_ERROR, LOCATION, NULL,
179 "Xauth vendor ID generation failed\n");
180 else
181 plist = isakmp_plist_append(plist,
182 vid_xauth, ISAKMP_NPTYPE_VID);
183
184 if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL)
185 plog(LLV_ERROR, LOCATION, NULL,
186 "Unity vendor ID generation failed\n");
187 else
188 plist = isakmp_plist_append(plist,
189 vid_unity, ISAKMP_NPTYPE_VID);
190 break;
191 default:
192 break;
193 }
194 #endif
195 #ifdef ENABLE_FRAG
196 if (iph1->rmconf->ike_frag) {
197 if ((vid_frag = set_vendorid(VENDORID_FRAG)) == NULL) {
198 plog(LLV_ERROR, LOCATION, NULL,
199 "Frag vendorID construction failed\n");
200 } else {
201 vid_frag = isakmp_frag_addcap(vid_frag,
202 VENDORID_FRAG_IDENT);
203 plist = isakmp_plist_append(plist,
204 vid_frag, ISAKMP_NPTYPE_VID);
205 }
206 }
207 #endif
208 #ifdef ENABLE_DPD
209 if(iph1->rmconf->dpd){
210 vid_dpd = set_vendorid(VENDORID_DPD);
211 if (vid_dpd != NULL)
212 plist = isakmp_plist_append(plist, vid_dpd,
213 ISAKMP_NPTYPE_VID);
214 }
215 #endif
216
217 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
218
219 #ifdef HAVE_PRINT_ISAKMP_C
220 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
221 #endif
222
223 /* send the packet, add to the schedule to resend */
224 iph1->retry_counter = iph1->rmconf->retry_counter;
225 if (isakmp_ph1resend(iph1) == -1) {
226 plog(LLV_ERROR, LOCATION, NULL,
227 "failed to send packet");
228 goto end;
229 }
230
231 iph1->status = PHASE1ST_MSG1SENT;
232
233 error = 0;
234
235 IPSECSESSIONTRACEREVENT(iph1->parent_session,
236 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
237 CONSTSTR("Initiator, Main-Mode message 1"),
238 CONSTSTR(NULL));
239
240 end:
241 if (error) {
242 IPSECSESSIONTRACEREVENT(iph1->parent_session,
243 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
244 CONSTSTR("Initiator, Main-Mode Message 1"),
245 CONSTSTR("Failed to transmit Main-Mode Message 1"));
246 }
247 #ifdef ENABLE_FRAG
248 if (vid_frag)
249 vfree(vid_frag);
250 #endif
251 #ifdef ENABLE_NATT
252 for (i = 0; i < MAX_NATT_VID_COUNT && vid_natt[i] != NULL; i++)
253 vfree(vid_natt[i]);
254 #endif
255 #ifdef ENABLE_HYBRID
256 if (vid_xauth != NULL)
257 vfree(vid_xauth);
258 if (vid_unity != NULL)
259 vfree(vid_unity);
260 #endif
261 #ifdef ENABLE_DPD
262 if (vid_dpd != NULL)
263 vfree(vid_dpd);
264 #endif
265
266 return error;
267 }
268
269 /*
270 * receive from responder
271 * psk: HDR, SA
272 * sig: HDR, SA
273 * rsa: HDR, SA
274 * rev: HDR, SA
275 */
276 int
277 ident_i2recv(iph1, msg)
278 struct ph1handle *iph1;
279 vchar_t *msg;
280 {
281 vchar_t *pbuf = NULL;
282 struct isakmp_parse_t *pa;
283 vchar_t *satmp = NULL;
284 int error = -1;
285 int vid_numeric;
286
287 /* validity check */
288 if (iph1->status != PHASE1ST_MSG1SENT) {
289 plog(LLV_ERROR, LOCATION, NULL,
290 "status mismatched %d.\n", iph1->status);
291 goto end;
292 }
293
294 /* validate the type of next payload */
295 /*
296 * NOTE: RedCreek(as responder) attaches N[responder-lifetime] here,
297 * if proposal-lifetime > lifetime-redcreek-wants.
298 * (see doi-08 4.5.4)
299 * => According to the seciton 4.6.3 in RFC 2407, This is illegal.
300 * NOTE: we do not really care about ordering of VID and N.
301 * does it matters?
302 * NOTE: even if there's multiple VID/N, we'll ignore them.
303 */
304 pbuf = isakmp_parse(msg);
305 if (pbuf == NULL) {
306 plog(LLV_ERROR, LOCATION, NULL,
307 "failed to parse msg");
308 goto end;
309 }
310 pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
311
312 /* SA payload is fixed postion */
313 if (pa->type != ISAKMP_NPTYPE_SA) {
314 plog(LLV_ERROR, LOCATION, iph1->remote,
315 "received invalid next payload type %d, "
316 "expecting %d.\n",
317 pa->type, ISAKMP_NPTYPE_SA);
318 goto end;
319 }
320 if (isakmp_p2ph(&satmp, pa->ptr) < 0) {
321 plog(LLV_ERROR, LOCATION, NULL,
322 "failed to process SA payload");
323 goto end;
324 }
325 pa++;
326
327 for (/*nothing*/;
328 pa->type != ISAKMP_NPTYPE_NONE;
329 pa++) {
330
331 switch (pa->type) {
332 case ISAKMP_NPTYPE_VID:
333 vid_numeric = check_vendorid(pa->ptr);
334 #ifdef ENABLE_NATT
335 if (iph1->rmconf->nat_traversal && natt_vendorid(vid_numeric))
336 natt_handle_vendorid(iph1, vid_numeric);
337 #endif
338 #ifdef ENABLE_HYBRID
339 switch (vid_numeric) {
340 case VENDORID_XAUTH:
341 iph1->mode_cfg->flags |=
342 ISAKMP_CFG_VENDORID_XAUTH;
343 break;
344
345 case VENDORID_UNITY:
346 iph1->mode_cfg->flags |=
347 ISAKMP_CFG_VENDORID_UNITY;
348 break;
349
350 default:
351 break;
352 }
353 #endif
354 #ifdef ENABLE_DPD
355 if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd)
356 iph1->dpd_support=1;
357 #endif
358 #ifdef ENABLE_FRAG
359 if ((vid_numeric == VENDORID_FRAG) &&
360 (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_IDENT)) {
361 plog(LLV_DEBUG, LOCATION, NULL,
362 "remote supports FRAGMENTATION\n");
363 iph1->frag = 1;
364 }
365 #endif
366 break;
367 default:
368 /* don't send information, see ident_r1recv() */
369 plog(LLV_ERROR, LOCATION, iph1->remote,
370 "ignore the packet, "
371 "received unexpecting payload type %d.\n",
372 pa->type);
373 goto end;
374 }
375 }
376
377 #ifdef ENABLE_NATT
378 if (NATT_AVAILABLE(iph1)) {
379 plog(LLV_INFO, LOCATION, iph1->remote,
380 "Selected NAT-T version: %s\n",
381 vid_string_by_id(iph1->natt_options->version));
382 ike_session_update_natt_version(iph1);
383 }
384 #endif
385
386 /* check SA payload and set approval SA for use */
387 if (ipsecdoi_checkph1proposal(satmp, iph1) < 0) {
388 plog(LLV_ERROR, LOCATION, iph1->remote,
389 "failed to get valid proposal.\n");
390 /* XXX send information */
391 goto end;
392 }
393 VPTRINIT(iph1->sa_ret);
394
395 iph1->status = PHASE1ST_MSG2RECEIVED;
396
397 #ifdef ENABLE_VPNCONTROL_PORT
398 vpncontrol_notify_phase_change(1, FROM_REMOTE, iph1, NULL);
399 #endif
400
401 error = 0;
402
403 IPSECSESSIONTRACEREVENT(iph1->parent_session,
404 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
405 CONSTSTR("Initiator, Main-Mode message 2"),
406 CONSTSTR(NULL));
407
408 end:
409 if (error) {
410 IPSECSESSIONTRACEREVENT(iph1->parent_session,
411 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
412 CONSTSTR("Initiator, Main-Mode Message 2"),
413 CONSTSTR("Failed to process Main-Mode Message 2"));
414 }
415 if (pbuf)
416 vfree(pbuf);
417 if (satmp)
418 vfree(satmp);
419 return error;
420 }
421
422 /*
423 * send to responder
424 * psk: HDR, KE, Ni
425 * sig: HDR, KE, Ni
426 * gssapi: HDR, KE, Ni, GSSi
427 * rsa: HDR, KE, [ HASH(1), ] <IDi1_b>PubKey_r, <Ni_b>PubKey_r
428 * rev: HDR, [ HASH(1), ] <Ni_b>Pubkey_r, <KE_b>Ke_i,
429 * <IDi1_b>Ke_i, [<<Cert-I_b>Ke_i]
430 */
431 int
432 ident_i2send(iph1, msg)
433 struct ph1handle *iph1;
434 vchar_t *msg;
435 {
436 int error = -1;
437
438 /* validity check */
439 if (iph1->status != PHASE1ST_MSG2RECEIVED) {
440 plog(LLV_ERROR, LOCATION, NULL,
441 "status mismatched %d.\n", iph1->status);
442 goto end;
443 }
444
445 /* fix isakmp index */
446 memcpy(&iph1->index.r_ck, &((struct isakmp *)msg->v)->r_ck,
447 sizeof(cookie_t));
448
449 /* generate DH public value */
450 #ifdef HAVE_OPENSSL
451 if (oakley_dh_generate(iph1->approval->dhgrp,
452 &iph1->dhpub, &iph1->dhpriv) < 0) {
453 #else
454 if (oakley_dh_generate(iph1->approval->dhgrp,
455 &iph1->dhpub, &iph1->publicKeySize, &iph1->dhC) < 0) {
456 #endif
457 plog(LLV_ERROR, LOCATION, NULL,
458 "failed to generate DH");
459 goto end;
460 }
461
462 /* generate NONCE value */
463 iph1->nonce = eay_set_random(iph1->rmconf->nonce_size);
464 if (iph1->nonce == NULL) {
465 plog(LLV_ERROR, LOCATION, NULL,
466 "failed to generate NONCE");
467 goto end;
468 }
469
470 #ifdef HAVE_GSSAPI
471 if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB &&
472 gssapi_get_itoken(iph1, NULL) < 0) {
473 plog(LLV_ERROR, LOCATION, NULL,
474 "failed to get GSS token");
475 goto end;
476 }
477 #endif
478
479 /* create buffer to send isakmp payload */
480 iph1->sendbuf = ident_ir2mx(iph1);
481 if (iph1->sendbuf == NULL) {
482 plog(LLV_ERROR, LOCATION, NULL,
483 "failed to create send buffer");
484 goto end;
485 }
486
487 #ifdef HAVE_PRINT_ISAKMP_C
488 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
489 #endif
490
491 /* send the packet, add to the schedule to resend */
492 iph1->retry_counter = iph1->rmconf->retry_counter;
493 if (isakmp_ph1resend(iph1) == -1) {
494 plog(LLV_ERROR, LOCATION, NULL,
495 "failed to send packet");
496 goto end;
497 }
498
499 /* the sending message is added to the received-list. */
500 if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
501 PH1_NON_ESP_EXTRA_LEN(iph1), PH1_FRAG_FLAGS(iph1)) == -1) {
502 plog(LLV_ERROR , LOCATION, NULL,
503 "failed to add a response packet to the tree.\n");
504 goto end;
505 }
506
507 iph1->status = PHASE1ST_MSG2SENT;
508
509 error = 0;
510
511 IPSECSESSIONTRACEREVENT(iph1->parent_session,
512 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
513 CONSTSTR("Initiator, Main-Mode message 3"),
514 CONSTSTR(NULL));
515
516 end:
517 if (error) {
518 IPSECSESSIONTRACEREVENT(iph1->parent_session,
519 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
520 CONSTSTR("Initiator, Main-Mode Message 3"),
521 CONSTSTR("Failed to transmit Main-Mode Message 3"));
522 }
523 return error;
524 }
525
526 /*
527 * receive from responder
528 * psk: HDR, KE, Nr
529 * sig: HDR, KE, Nr [, CR ]
530 * gssapi: HDR, KE, Nr, GSSr
531 * rsa: HDR, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i
532 * rev: HDR, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDr1_b>Ke_r,
533 */
534 int
535 ident_i3recv(iph1, msg)
536 struct ph1handle *iph1;
537 vchar_t *msg;
538 {
539 vchar_t *pbuf = NULL;
540 struct isakmp_parse_t *pa;
541 int error = -1;
542 int vid_numeric;
543 #ifdef HAVE_GSSAPI
544 vchar_t *gsstoken = NULL;
545 #endif
546 #ifdef ENABLE_NATT
547 vchar_t *natd_received;
548 int natd_seq = 0, natd_verified;
549 #endif
550
551 /* validity check */
552 if (iph1->status != PHASE1ST_MSG2SENT) {
553 plog(LLV_ERROR, LOCATION, NULL,
554 "status mismatched %d.\n", iph1->status);
555 goto end;
556 }
557
558 /* validate the type of next payload */
559 pbuf = isakmp_parse(msg);
560 if (pbuf == NULL) {
561 plog(LLV_ERROR, LOCATION, NULL,
562 "failed to parse msg");
563 goto end;
564 }
565
566 for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
567 pa->type != ISAKMP_NPTYPE_NONE;
568 pa++) {
569
570 switch (pa->type) {
571 case ISAKMP_NPTYPE_KE:
572 if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) {
573 plog(LLV_ERROR, LOCATION, NULL,
574 "failed to process KE payload");
575 goto end;
576 }
577 break;
578 case ISAKMP_NPTYPE_NONCE:
579 if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) {
580 plog(LLV_ERROR, LOCATION, NULL,
581 "failed to process NONCE payload");
582 goto end;
583 }
584 break;
585 case ISAKMP_NPTYPE_VID:
586 vid_numeric = check_vendorid(pa->ptr);
587 #ifdef ENABLE_HYBRID
588 switch (vid_numeric) {
589 case VENDORID_XAUTH:
590 iph1->mode_cfg->flags |=
591 ISAKMP_CFG_VENDORID_XAUTH;
592 break;
593
594 case VENDORID_UNITY:
595 iph1->mode_cfg->flags |=
596 ISAKMP_CFG_VENDORID_UNITY;
597 break;
598
599 default:
600 break;
601 }
602 #endif
603 #ifdef ENABLE_DPD
604 if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd)
605 iph1->dpd_support=1;
606 #endif
607
608 break;
609 case ISAKMP_NPTYPE_CR:
610 if (oakley_savecr(iph1, pa->ptr) < 0) {
611 plog(LLV_ERROR, LOCATION, NULL,
612 "failed to process CR payload");
613 goto end;
614 }
615 break;
616 #ifdef HAVE_GSSAPI
617 case ISAKMP_NPTYPE_GSS:
618 if (isakmp_p2ph(&gsstoken, pa->ptr) < 0) {
619 plog(LLV_ERROR, LOCATION, NULL,
620 "failed to process GSS payload");
621 goto end;
622 }
623 gssapi_save_received_token(iph1, gsstoken);
624 break;
625 #endif
626
627 #ifdef ENABLE_NATT
628 case ISAKMP_NPTYPE_NATD_DRAFT:
629 case ISAKMP_NPTYPE_NATD_RFC:
630 case ISAKMP_NPTYPE_NATD_BADDRAFT:
631 if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL &&
632 pa->type == iph1->natt_options->payload_nat_d) {
633 natd_received = NULL;
634 if (isakmp_p2ph (&natd_received, pa->ptr) < 0) {
635 plog(LLV_ERROR, LOCATION, NULL,
636 "failed to process NATD payload");
637 goto end;
638 }
639
640 /* set both bits first so that we can clear them
641 upon verifying hashes */
642 if (natd_seq == 0)
643 iph1->natt_flags |= NAT_DETECTED;
644
645 /* this function will clear appropriate bits bits
646 from iph1->natt_flags */
647 natd_verified = natt_compare_addr_hash (iph1,
648 natd_received, natd_seq++);
649
650 plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n",
651 natd_seq - 1,
652 natd_verified ? "verified" : "doesn't match");
653
654 vfree (natd_received);
655 break;
656 }
657 /* %%%% Be lenient here - some servers send natd payloads */
658 /* when no nat is detected */
659 break;
660 #endif
661
662 default:
663 /* don't send information, see ident_r1recv() */
664 plog(LLV_ERROR, LOCATION, iph1->remote,
665 "ignore the packet, "
666 "received unexpecting payload type %d.\n",
667 pa->type);
668 goto end;
669 }
670 }
671
672 #ifdef ENABLE_NATT
673 if (NATT_AVAILABLE(iph1)) {
674 plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n",
675 iph1->natt_flags & NAT_DETECTED ?
676 "detected:" : "not detected",
677 iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "",
678 iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : "");
679 if (iph1->natt_flags & NAT_DETECTED)
680 natt_float_ports (iph1);
681 }
682 #endif
683
684 /* payload existency check */
685 if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) {
686 plog(LLV_ERROR, LOCATION, iph1->remote,
687 "few isakmp message received.\n");
688 goto end;
689 }
690
691 if (oakley_checkcr(iph1) < 0) {
692 /* Ignore this error in order to be interoperability. */
693 ;
694 }
695
696 iph1->status = PHASE1ST_MSG3RECEIVED;
697
698 error = 0;
699
700 IPSECSESSIONTRACEREVENT(iph1->parent_session,
701 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
702 CONSTSTR("Initiator, Main-Mode message 4"),
703 CONSTSTR(NULL));
704
705 end:
706 if (error) {
707 IPSECSESSIONTRACEREVENT(iph1->parent_session,
708 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
709 CONSTSTR("Initiator, Main-Mode Message 4"),
710 CONSTSTR("Failed to process Main-Mode Message 4"));
711 }
712 #ifdef HAVE_GSSAPI
713 if (gsstoken)
714 vfree(gsstoken);
715 #endif
716 if (pbuf)
717 vfree(pbuf);
718 if (error) {
719 VPTRINIT(iph1->dhpub_p);
720 VPTRINIT(iph1->nonce_p);
721 VPTRINIT(iph1->id_p);
722 oakley_delcert(iph1->cr_p);
723 iph1->cr_p = NULL;
724 }
725
726 return error;
727 }
728
729 /*
730 * send to responder
731 * psk: HDR*, IDi1, HASH_I
732 * sig: HDR*, IDi1, [ CR, ] [ CERT, ] SIG_I
733 * gssapi: HDR*, IDi1, < Gssi(n) | HASH_I >
734 * rsa: HDR*, HASH_I
735 * rev: HDR*, HASH_I
736 */
737 int
738 ident_i3send(iph1, msg0)
739 struct ph1handle *iph1;
740 vchar_t *msg0;
741 {
742 int error = -1;
743 int dohash = 1;
744 #ifdef HAVE_GSSAPI
745 int len;
746 #endif
747
748 /* validity check */
749 if (iph1->status != PHASE1ST_MSG3RECEIVED) {
750 plog(LLV_ERROR, LOCATION, NULL,
751 "status mismatched %d.\n", iph1->status);
752 goto end;
753 }
754
755 /* compute sharing secret of DH */
756 #ifdef HAVE_OPENSSL
757 if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub,
758 iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) {
759 #else
760 if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub_p, iph1->publicKeySize, &iph1->dhgxy, iph1->dhC) < 0) {
761 #endif
762 plog(LLV_ERROR, LOCATION, NULL,
763 "failed to compute DH");
764 goto end;
765 }
766
767 /* generate SKEYIDs & IV & final cipher key */
768 if (oakley_skeyid(iph1) < 0) {
769 plog(LLV_ERROR, LOCATION, NULL,
770 "failed to generate SKEYID");
771 goto end;
772 }
773 if (oakley_skeyid_dae(iph1) < 0) {
774 plog(LLV_ERROR, LOCATION, NULL,
775 "failed to generate SKEYID-DAE");
776 goto end;
777 }
778 if (oakley_compute_enckey(iph1) < 0) {
779 plog(LLV_ERROR, LOCATION, NULL,
780 "failed to generate ENCKEY");
781 goto end;
782 }
783 if (oakley_newiv(iph1) < 0) {
784 plog(LLV_ERROR, LOCATION, NULL,
785 "failed to generate IV");
786 goto end;
787 }
788
789 /* make ID payload into isakmp status */
790 if (ipsecdoi_setid1(iph1) < 0) {
791 plog(LLV_ERROR, LOCATION, NULL,
792 "failed to set ID");
793 goto end;
794 }
795
796 #ifdef HAVE_GSSAPI
797 if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB &&
798 gssapi_more_tokens(iph1)) {
799 plog(LLV_DEBUG, LOCATION, NULL, "calling get_itoken\n");
800 if (gssapi_get_itoken(iph1, &len) < 0) {
801 plog(LLV_ERROR, LOCATION, NULL,
802 "failed to get GSSAPI token");
803 goto end;
804 }
805 if (len != 0)
806 dohash = 0;
807 }
808 #endif
809
810 /* generate HASH to send */
811 if (dohash) {
812 iph1->hash = oakley_ph1hash_common(iph1, GENERATE);
813 if (iph1->hash == NULL) {
814 plog(LLV_ERROR, LOCATION, NULL,
815 "failed to generate HASH");
816 goto end;
817 }
818 } else
819 iph1->hash = NULL;
820
821 /* set encryption flag */
822 iph1->flags |= ISAKMP_FLAG_E;
823
824 /* create HDR;ID;HASH payload */
825 iph1->sendbuf = ident_ir3mx(iph1);
826 if (iph1->sendbuf == NULL) {
827 plog(LLV_ERROR, LOCATION, NULL,
828 "failed to allocate send buffer");
829 goto end;
830 }
831
832 /* send the packet, add to the schedule to resend */
833 iph1->retry_counter = iph1->rmconf->retry_counter;
834 if (isakmp_ph1resend(iph1) == -1) {
835 plog(LLV_ERROR, LOCATION, NULL,
836 "failed to send packet");
837 goto end;
838 }
839
840 /* the sending message is added to the received-list. */
841 if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg0,
842 PH1_NON_ESP_EXTRA_LEN(iph1), PH1_FRAG_FLAGS(iph1)) == -1) {
843 plog(LLV_ERROR , LOCATION, NULL,
844 "failed to add a response packet to the tree.\n");
845 goto end;
846 }
847
848 /* see handler.h about IV synchronization. */
849 memcpy(iph1->ivm->ive->v, iph1->ivm->iv->v, iph1->ivm->iv->l);
850
851 iph1->status = PHASE1ST_MSG3SENT;
852
853 error = 0;
854
855 IPSECSESSIONTRACEREVENT(iph1->parent_session,
856 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
857 CONSTSTR("Initiator, Main-Mode message 5"),
858 CONSTSTR(NULL));
859
860 end:
861 if (error) {
862 IPSECSESSIONTRACEREVENT(iph1->parent_session,
863 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
864 CONSTSTR("Initiator, Main-Mode Message 5"),
865 CONSTSTR("Failed to transmit Main-Mode Message 5"));
866 }
867 return error;
868 }
869
870 /*
871 * receive from responder
872 * psk: HDR*, IDr1, HASH_R
873 * sig: HDR*, IDr1, [ CERT, ] SIG_R
874 * gssapi: HDR*, IDr1, < GSSr(n) | HASH_R >
875 * rsa: HDR*, HASH_R
876 * rev: HDR*, HASH_R
877 */
878 int
879 ident_i4recv(iph1, msg0)
880 struct ph1handle *iph1;
881 vchar_t *msg0;
882 {
883 vchar_t *pbuf = NULL;
884 struct isakmp_parse_t *pa;
885 vchar_t *msg = NULL;
886 int error = -1;
887 int type;
888 int vid_numeric;
889 #ifdef HAVE_GSSAPI
890 vchar_t *gsstoken = NULL;
891 #endif
892 int received_cert = 0;
893
894 /* validity check */
895 if (iph1->status != PHASE1ST_MSG3SENT) {
896 plog(LLV_ERROR, LOCATION, NULL,
897 "status mismatched %d.\n", iph1->status);
898 goto end;
899 }
900
901 /* decrypting */
902 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
903 plog(LLV_ERROR, LOCATION, iph1->remote,
904 "ignore the packet, "
905 "expecting the packet encrypted.\n");
906 goto end;
907 }
908 msg = oakley_do_decrypt(iph1, msg0, iph1->ivm->iv, iph1->ivm->ive);
909 if (msg == NULL) {
910 plog(LLV_ERROR, LOCATION, NULL,
911 "failed to decrypt");
912 goto end;
913 }
914
915 /* validate the type of next payload */
916 pbuf = isakmp_parse(msg);
917 if (pbuf == NULL) {
918 plog(LLV_ERROR, LOCATION, NULL,
919 "failed to parse msg");
920 goto end;
921 }
922
923 iph1->pl_hash = NULL;
924
925 for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
926 pa->type != ISAKMP_NPTYPE_NONE;
927 pa++) {
928
929 switch (pa->type) {
930 case ISAKMP_NPTYPE_ID:
931 if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) {
932 plog(LLV_ERROR, LOCATION, NULL,
933 "failed to process ID payload");
934 goto end;
935 }
936 break;
937 case ISAKMP_NPTYPE_HASH:
938 iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr;
939 break;
940 case ISAKMP_NPTYPE_CERT:
941 if (oakley_savecert(iph1, pa->ptr) < 0) {
942 plog(LLV_ERROR, LOCATION, NULL,
943 "failed to process CERT payload");
944 goto end;
945 }
946 received_cert = 1;
947 break;
948 case ISAKMP_NPTYPE_SIG:
949 if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) {
950 plog(LLV_ERROR, LOCATION, NULL,
951 "failed to process SIG payload");
952 goto end;
953 }
954 break;
955 #ifdef HAVE_GSSAPI
956 case ISAKMP_NPTYPE_GSS:
957 if (isakmp_p2ph(&gsstoken, pa->ptr) < 0) {
958 plog(LLV_ERROR, LOCATION, NULL,
959 "failed to process GSS payload");
960 goto end;
961 }
962 gssapi_save_received_token(iph1, gsstoken);
963 break;
964 #endif
965 case ISAKMP_NPTYPE_VID:
966 vid_numeric = check_vendorid(pa->ptr);
967 #ifdef ENABLE_DPD
968 if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd)
969 iph1->dpd_support=1;
970 #endif
971 break;
972 case ISAKMP_NPTYPE_N:
973 isakmp_check_notify(pa->ptr, iph1);
974 break;
975 default:
976 /* don't send information, see ident_r1recv() */
977 plog(LLV_ERROR, LOCATION, iph1->remote,
978 "ignore the packet, "
979 "received unexpecting payload type %d.\n",
980 pa->type);
981 goto end;
982 }
983 }
984
985 if (received_cert) {
986 oakley_verify_certid(iph1);
987 }
988
989 /* payload existency check */
990
991 /* verify identifier */
992 if (ipsecdoi_checkid1(iph1) != 0) {
993 plog(LLV_ERROR, LOCATION, iph1->remote,
994 "invalid ID payload.\n");
995 goto end;
996 }
997
998 /* validate authentication value */
999 #ifdef HAVE_GSSAPI
1000 if (gsstoken == NULL) {
1001 #endif
1002 type = oakley_validate_auth(iph1);
1003 if (type != 0) {
1004 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1005 IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_FAIL,
1006 CONSTSTR("Initiator, Main-Mode Message 6"),
1007 CONSTSTR("Failed to authenticate Main-Mode Message 6"));
1008 if (type == -1) {
1009 /* msg printed inner oakley_validate_auth() */
1010 goto end;
1011 }
1012 EVT_PUSH(iph1->local, iph1->remote,
1013 EVTT_PEERPH1AUTH_FAILED, NULL);
1014 isakmp_info_send_n1(iph1, type, NULL);
1015 goto end;
1016 }
1017 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1018 IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_SUCC,
1019 CONSTSTR("Initiator, Main-Mode Message 6"),
1020 CONSTSTR(NULL));
1021 #ifdef HAVE_GSSAPI
1022 }
1023 #endif
1024
1025 /*
1026 * XXX: Should we do compare two addresses, ph1handle's and ID
1027 * payload's.
1028 */
1029
1030 plog(LLV_DEBUG, LOCATION, iph1->remote, "peer's ID:");
1031 plogdump(LLV_DEBUG, iph1->id_p->v, iph1->id_p->l);
1032
1033 /* see handler.h about IV synchronization. */
1034 memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->ive->l);
1035
1036 /*
1037 * If we got a GSS token, we need to this roundtrip again.
1038 */
1039 #ifdef HAVE_GSSAPI
1040 iph1->status = gsstoken != 0 ? PHASE1ST_MSG3RECEIVED :
1041 PHASE1ST_MSG4RECEIVED;
1042 #else
1043 iph1->status = PHASE1ST_MSG4RECEIVED;
1044 #endif
1045
1046 error = 0;
1047
1048 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1049 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
1050 CONSTSTR("Initiator, Main-Mode message 6"),
1051 CONSTSTR(NULL));
1052
1053 end:
1054 if (error) {
1055 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1056 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
1057 CONSTSTR("Initiator, Main-Mode Message 6"),
1058 CONSTSTR("Failed to transmit Main-Mode Message 6"));
1059 }
1060 if (pbuf)
1061 vfree(pbuf);
1062 if (msg)
1063 vfree(msg);
1064 #ifdef HAVE_GSSAPI
1065 if (gsstoken)
1066 vfree(gsstoken);
1067 #endif
1068
1069 if (error) {
1070 VPTRINIT(iph1->id_p);
1071 oakley_delcert(iph1->cert_p);
1072 iph1->cert_p = NULL;
1073 oakley_delcert(iph1->crl_p);
1074 iph1->crl_p = NULL;
1075 VPTRINIT(iph1->sig_p);
1076 }
1077
1078 return error;
1079 }
1080
1081 /*
1082 * status update and establish isakmp sa.
1083 */
1084 int
1085 ident_i4send(iph1, msg)
1086 struct ph1handle *iph1;
1087 vchar_t *msg;
1088 {
1089 int error = -1;
1090
1091 /* validity check */
1092 if (iph1->status != PHASE1ST_MSG4RECEIVED) {
1093 plog(LLV_ERROR, LOCATION, NULL,
1094 "status mismatched %d.\n", iph1->status);
1095 goto end;
1096 }
1097
1098 /* see handler.h about IV synchronization. */
1099 memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->iv->l);
1100
1101 iph1->status = PHASE1ST_ESTABLISHED;
1102
1103 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1104 IPSECSESSIONEVENTCODE_IKEV1_PH1_INIT_SUCC,
1105 CONSTSTR("Initiator, Main-Mode"),
1106 CONSTSTR(NULL));
1107
1108 error = 0;
1109
1110 end:
1111 return error;
1112 }
1113
1114 /*
1115 * receive from initiator
1116 * psk: HDR, SA
1117 * sig: HDR, SA
1118 * rsa: HDR, SA
1119 * rev: HDR, SA
1120 */
1121 int
1122 ident_r1recv(iph1, msg)
1123 struct ph1handle *iph1;
1124 vchar_t *msg;
1125 {
1126 vchar_t *pbuf = NULL;
1127 struct isakmp_parse_t *pa;
1128 int error = -1;
1129 int vid_numeric;
1130
1131 /* validity check */
1132 if (iph1->status != PHASE1ST_START) {
1133 plog(LLV_ERROR, LOCATION, NULL,
1134 "status mismatched %d.\n", iph1->status);
1135 goto end;
1136 }
1137
1138 /* validate the type of next payload */
1139 /*
1140 * NOTE: XXX even if multiple VID, we'll silently ignore those.
1141 */
1142 pbuf = isakmp_parse(msg);
1143 if (pbuf == NULL) {
1144 plog(LLV_ERROR, LOCATION, NULL,
1145 "failed to parse msg");
1146 goto end;
1147 }
1148 pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
1149
1150 /* check the position of SA payload */
1151 if (pa->type != ISAKMP_NPTYPE_SA) {
1152 plog(LLV_ERROR, LOCATION, iph1->remote,
1153 "received invalid next payload type %d, "
1154 "expecting %d.\n",
1155 pa->type, ISAKMP_NPTYPE_SA);
1156 goto end;
1157 }
1158 if (isakmp_p2ph(&iph1->sa, pa->ptr) < 0) {
1159 plog(LLV_ERROR, LOCATION, NULL,
1160 "failed to process SA payload");
1161 goto end;
1162 }
1163 pa++;
1164
1165 for (/*nothing*/;
1166 pa->type != ISAKMP_NPTYPE_NONE;
1167 pa++) {
1168
1169 switch (pa->type) {
1170 case ISAKMP_NPTYPE_VID:
1171 vid_numeric = check_vendorid(pa->ptr);
1172 #ifdef ENABLE_NATT
1173 if (iph1->rmconf->nat_traversal && natt_vendorid(vid_numeric))
1174 natt_handle_vendorid(iph1, vid_numeric);
1175 #endif
1176 #ifdef ENABLE_HYBRID
1177 switch (vid_numeric) {
1178 case VENDORID_XAUTH:
1179 iph1->mode_cfg->flags |=
1180 ISAKMP_CFG_VENDORID_XAUTH;
1181 break;
1182
1183 case VENDORID_UNITY:
1184 iph1->mode_cfg->flags |=
1185 ISAKMP_CFG_VENDORID_UNITY;
1186 break;
1187
1188 default:
1189 break;
1190 }
1191 #endif
1192 #ifdef ENABLE_DPD
1193 if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd)
1194 iph1->dpd_support=1;
1195 #endif
1196 #ifdef ENABLE_FRAG
1197 if ((vid_numeric == VENDORID_FRAG) &&
1198 (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_IDENT)) {
1199 plog(LLV_DEBUG, LOCATION, NULL,
1200 "remote supports FRAGMENTATION\n");
1201 iph1->frag = 1;
1202 }
1203 #endif
1204 break;
1205 default:
1206 /*
1207 * We don't send information to the peer even
1208 * if we received malformed packet. Because we
1209 * can't distinguish the malformed packet and
1210 * the re-sent packet. And we do same behavior
1211 * when we expect encrypted packet.
1212 */
1213 plog(LLV_ERROR, LOCATION, iph1->remote,
1214 "ignore the packet, "
1215 "received unexpecting payload type %d.\n",
1216 pa->type);
1217 goto end;
1218 }
1219 }
1220
1221 #ifdef ENABLE_NATT
1222 if (NATT_AVAILABLE(iph1)) {
1223 plog(LLV_INFO, LOCATION, iph1->remote,
1224 "Selected NAT-T version: %s\n",
1225 vid_string_by_id(iph1->natt_options->version));
1226 ike_session_update_natt_version(iph1);
1227 }
1228 #endif
1229
1230 /* check SA payload and set approval SA for use */
1231 if (ipsecdoi_checkph1proposal(iph1->sa, iph1) < 0) {
1232 plog(LLV_ERROR, LOCATION, iph1->remote,
1233 "failed to get valid proposal.\n");
1234 /* XXX send information */
1235 goto end;
1236 }
1237
1238 iph1->status = PHASE1ST_MSG1RECEIVED;
1239
1240 error = 0;
1241
1242 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1243 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
1244 CONSTSTR("Responder, Main-Mode message 1"),
1245 CONSTSTR(NULL));
1246
1247 end:
1248 if (error) {
1249 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1250 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
1251 CONSTSTR("Responder, Main-Mode Message 1"),
1252 CONSTSTR("Failed to process Main-Mode Message 1"));
1253 }
1254 if (pbuf)
1255 vfree(pbuf);
1256 if (error) {
1257 VPTRINIT(iph1->sa);
1258 }
1259
1260 return error;
1261 }
1262
1263 /*
1264 * send to initiator
1265 * psk: HDR, SA
1266 * sig: HDR, SA
1267 * rsa: HDR, SA
1268 * rev: HDR, SA
1269 */
1270 int
1271 ident_r1send(iph1, msg)
1272 struct ph1handle *iph1;
1273 vchar_t *msg;
1274 {
1275 struct payload_list *plist = NULL;
1276 int error = -1;
1277 vchar_t *gss_sa = NULL;
1278 #ifdef HAVE_GSSAPI
1279 int free_gss_sa = 0;
1280 #endif
1281 #ifdef ENABLE_NATT
1282 vchar_t *vid_natt = NULL;
1283 #endif
1284 #ifdef ENABLE_HYBRID
1285 vchar_t *vid_xauth = NULL;
1286 vchar_t *vid_unity = NULL;
1287 #endif
1288 #ifdef ENABLE_DPD
1289 vchar_t *vid_dpd = NULL;
1290 #endif
1291 #ifdef ENABLE_FRAG
1292 vchar_t *vid_frag = NULL;
1293 #endif
1294
1295 /* validity check */
1296 if (iph1->status != PHASE1ST_MSG1RECEIVED) {
1297 plog(LLV_ERROR, LOCATION, NULL,
1298 "status mismatched %d.\n", iph1->status);
1299 goto end;
1300 }
1301
1302 /* set responder's cookie */
1303 isakmp_newcookie((caddr_t)&iph1->index.r_ck, iph1->remote, iph1->local);
1304
1305 #ifdef HAVE_GSSAPI
1306 if (iph1->approval->gssid != NULL) {
1307 gss_sa = ipsecdoi_setph1proposal(iph1->approval);
1308 if (gss_sa != iph1->sa_ret)
1309 free_gss_sa = 1;
1310 } else
1311 #endif
1312 gss_sa = iph1->sa_ret;
1313
1314 /* set SA payload to reply */
1315 plist = isakmp_plist_append(plist, gss_sa, ISAKMP_NPTYPE_SA);
1316
1317 #ifdef ENABLE_HYBRID
1318 if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) {
1319 plog (LLV_INFO, LOCATION, NULL, "Adding xauth VID payload.\n");
1320 if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL) {
1321 plog(LLV_ERROR, LOCATION, NULL,
1322 "Cannot create Xauth vendor ID\n");
1323 goto end;
1324 }
1325 plist = isakmp_plist_append(plist,
1326 vid_xauth, ISAKMP_NPTYPE_VID);
1327 }
1328
1329 if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_UNITY) {
1330 if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL) {
1331 plog(LLV_ERROR, LOCATION, NULL,
1332 "Cannot create Unity vendor ID\n");
1333 goto end;
1334 }
1335 plist = isakmp_plist_append(plist,
1336 vid_unity, ISAKMP_NPTYPE_VID);
1337 }
1338 #endif
1339 #ifdef ENABLE_NATT
1340 /* Has the peer announced NAT-T? */
1341 if (NATT_AVAILABLE(iph1))
1342 vid_natt = set_vendorid(iph1->natt_options->version);
1343
1344 if (vid_natt)
1345 plist = isakmp_plist_append(plist, vid_natt, ISAKMP_NPTYPE_VID);
1346 #endif
1347 #ifdef ENABLE_DPD
1348 /* XXX only send DPD VID if remote sent it ? */
1349 if(iph1->rmconf->dpd){
1350 vid_dpd = set_vendorid(VENDORID_DPD);
1351 if (vid_dpd != NULL)
1352 plist = isakmp_plist_append(plist, vid_dpd, ISAKMP_NPTYPE_VID);
1353 }
1354 #endif
1355 #ifdef ENABLE_FRAG
1356 if (iph1->frag) {
1357 vid_frag = set_vendorid(VENDORID_FRAG);
1358 if (vid_frag != NULL)
1359 vid_frag = isakmp_frag_addcap(vid_frag,
1360 VENDORID_FRAG_IDENT);
1361 if (vid_frag == NULL)
1362 plog(LLV_ERROR, LOCATION, NULL,
1363 "Frag vendorID construction failed\n");
1364 else
1365 plist = isakmp_plist_append(plist,
1366 vid_frag, ISAKMP_NPTYPE_VID);
1367 }
1368 #endif
1369
1370 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
1371
1372 #ifdef HAVE_PRINT_ISAKMP_C
1373 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
1374 #endif
1375
1376 /* send the packet, add to the schedule to resend */
1377 iph1->retry_counter = iph1->rmconf->retry_counter;
1378 if (isakmp_ph1resend(iph1) == -1) {
1379 plog(LLV_ERROR, LOCATION, NULL,
1380 "failed to send packet");
1381 goto end;
1382 }
1383
1384 /* the sending message is added to the received-list. */
1385 if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
1386 PH1_NON_ESP_EXTRA_LEN(iph1), PH1_FRAG_FLAGS(iph1)) == -1) {
1387 plog(LLV_ERROR , LOCATION, NULL,
1388 "failed to add a response packet to the tree.\n");
1389 goto end;
1390 }
1391
1392 iph1->status = PHASE1ST_MSG1SENT;
1393
1394 #ifdef ENABLE_VPNCONTROL_PORT
1395 vpncontrol_notify_phase_change(1, FROM_LOCAL, iph1, NULL);
1396 #endif
1397
1398 error = 0;
1399
1400 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1401 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
1402 CONSTSTR("Responder, Main-Mode message 2"),
1403 CONSTSTR(NULL));
1404
1405 end:
1406 if (error) {
1407 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1408 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
1409 CONSTSTR("Responder, Main-Mode Message 2"),
1410 CONSTSTR("Failed to transmit Main-Mode Message 2"));
1411 }
1412 #ifdef HAVE_GSSAPI
1413 if (free_gss_sa)
1414 vfree(gss_sa);
1415 #endif
1416 #ifdef ENABLE_NATT
1417 if (vid_natt)
1418 vfree(vid_natt);
1419 #endif
1420 #ifdef ENABLE_HYBRID
1421 if (vid_xauth != NULL)
1422 vfree(vid_xauth);
1423 if (vid_unity != NULL)
1424 vfree(vid_unity);
1425 #endif
1426 #ifdef ENABLE_DPD
1427 if (vid_dpd != NULL)
1428 vfree(vid_dpd);
1429 #endif
1430 #ifdef ENABLE_FRAG
1431 if (vid_frag != NULL)
1432 vfree(vid_frag);
1433 #endif
1434
1435 return error;
1436 }
1437
1438 /*
1439 * receive from initiator
1440 * psk: HDR, KE, Ni
1441 * sig: HDR, KE, Ni
1442 * gssapi: HDR, KE, Ni, GSSi
1443 * rsa: HDR, KE, [ HASH(1), ] <IDi1_b>PubKey_r, <Ni_b>PubKey_r
1444 * rev: HDR, [ HASH(1), ] <Ni_b>Pubkey_r, <KE_b>Ke_i,
1445 * <IDi1_b>Ke_i, [<<Cert-I_b>Ke_i]
1446 */
1447 int
1448 ident_r2recv(iph1, msg)
1449 struct ph1handle *iph1;
1450 vchar_t *msg;
1451 {
1452 vchar_t *pbuf = NULL;
1453 struct isakmp_parse_t *pa;
1454 int error = -1;
1455 #ifdef HAVE_GSSAPI
1456 vchar_t *gsstoken = NULL;
1457 #endif
1458 #ifdef ENABLE_NATT
1459 int natd_seq = 0;
1460 #endif
1461
1462 /* validity check */
1463 if (iph1->status != PHASE1ST_MSG1SENT) {
1464 plog(LLV_ERROR, LOCATION, NULL,
1465 "status mismatched %d.\n", iph1->status);
1466 goto end;
1467 }
1468
1469 /* validate the type of next payload */
1470 pbuf = isakmp_parse(msg);
1471 if (pbuf == NULL) {
1472 plog(LLV_ERROR, LOCATION, NULL,
1473 "failed to parse msg");
1474 goto end;
1475 }
1476
1477 for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
1478 pa->type != ISAKMP_NPTYPE_NONE;
1479 pa++) {
1480 switch (pa->type) {
1481 case ISAKMP_NPTYPE_KE:
1482 if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) {
1483 plog(LLV_ERROR, LOCATION, NULL,
1484 "failed to process KE payload");
1485 goto end;
1486 }
1487 break;
1488 case ISAKMP_NPTYPE_NONCE:
1489 if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) {
1490 plog(LLV_ERROR, LOCATION, NULL,
1491 "failed to process NONCE payload");
1492 goto end;
1493 }
1494 break;
1495 case ISAKMP_NPTYPE_VID:
1496 (void)check_vendorid(pa->ptr);
1497 break;
1498 case ISAKMP_NPTYPE_CR:
1499 plog(LLV_WARNING, LOCATION, iph1->remote,
1500 "CR received, ignore it. "
1501 "It should be in other exchange.\n");
1502 break;
1503 #ifdef HAVE_GSSAPI
1504 case ISAKMP_NPTYPE_GSS:
1505 if (isakmp_p2ph(&gsstoken, pa->ptr) < 0) {
1506 plog(LLV_ERROR, LOCATION, NULL,
1507 "failed to process GSS payload");
1508 goto end;
1509 }
1510 gssapi_save_received_token(iph1, gsstoken);
1511 break;
1512 #endif
1513
1514 #ifdef ENABLE_NATT
1515 case ISAKMP_NPTYPE_NATD_DRAFT:
1516 case ISAKMP_NPTYPE_NATD_RFC:
1517 case ISAKMP_NPTYPE_NATD_BADDRAFT:
1518 if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL &&
1519 pa->type == iph1->natt_options->payload_nat_d)
1520 {
1521 vchar_t *natd_received = NULL;
1522 int natd_verified;
1523
1524 if (isakmp_p2ph (&natd_received, pa->ptr) < 0) {
1525 plog(LLV_ERROR, LOCATION, NULL,
1526 "failed to process NATD payload");
1527 goto end;
1528 }
1529
1530 if (natd_seq == 0)
1531 iph1->natt_flags |= NAT_DETECTED;
1532
1533 natd_verified = natt_compare_addr_hash (iph1,
1534 natd_received, natd_seq++);
1535
1536 plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n",
1537 natd_seq - 1,
1538 natd_verified ? "verified" : "doesn't match");
1539
1540 vfree (natd_received);
1541 break;
1542 }
1543 /* %%%% Be lenient here - some servers send natd payloads */
1544 /* when no nat is detected */
1545 break;
1546 #endif
1547
1548 default:
1549 /* don't send information, see ident_r1recv() */
1550 plog(LLV_ERROR, LOCATION, iph1->remote,
1551 "ignore the packet, "
1552 "received unexpecting payload type %d.\n",
1553 pa->type);
1554 goto end;
1555 }
1556 }
1557
1558 #ifdef ENABLE_NATT
1559 if (NATT_AVAILABLE(iph1))
1560 plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n",
1561 iph1->natt_flags & NAT_DETECTED ?
1562 "detected:" : "not detected",
1563 iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "",
1564 iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : "");
1565 #endif
1566
1567 /* payload existency check */
1568 if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) {
1569 plog(LLV_ERROR, LOCATION, iph1->remote,
1570 "few isakmp message received.\n");
1571 goto end;
1572 }
1573
1574 iph1->status = PHASE1ST_MSG2RECEIVED;
1575
1576 error = 0;
1577
1578 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1579 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
1580 CONSTSTR("Responder, Main-Mode message 3"),
1581 CONSTSTR(NULL));
1582
1583 end:
1584 if (error) {
1585 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1586 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
1587 CONSTSTR("Responder, Main-Mode Message 3"),
1588 CONSTSTR("Failed to process Main-Mode Message 3"));
1589 }
1590 if (pbuf)
1591 vfree(pbuf);
1592 #ifdef HAVE_GSSAPI
1593 if (gsstoken)
1594 vfree(gsstoken);
1595 #endif
1596
1597 if (error) {
1598 VPTRINIT(iph1->dhpub_p);
1599 VPTRINIT(iph1->nonce_p);
1600 VPTRINIT(iph1->id_p);
1601 }
1602
1603 return error;
1604 }
1605
1606 /*
1607 * send to initiator
1608 * psk: HDR, KE, Nr
1609 * sig: HDR, KE, Nr [, CR ]
1610 * gssapi: HDR, KE, Nr, GSSr
1611 * rsa: HDR, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i
1612 * rev: HDR, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDr1_b>Ke_r,
1613 */
1614 int
1615 ident_r2send(iph1, msg)
1616 struct ph1handle *iph1;
1617 vchar_t *msg;
1618 {
1619 int error = -1;
1620
1621 /* validity check */
1622 if (iph1->status != PHASE1ST_MSG2RECEIVED) {
1623 plog(LLV_ERROR, LOCATION, NULL,
1624 "status mismatched %d.\n", iph1->status);
1625 goto end;
1626 }
1627
1628 /* generate DH public value */
1629 #ifdef HAVE_OPENSSL
1630 if (oakley_dh_generate(iph1->approval->dhgrp,
1631 &iph1->dhpub, &iph1->dhpriv) < 0) {
1632 #else
1633 if (oakley_dh_generate(iph1->approval->dhgrp,
1634 &iph1->dhpub, &iph1->publicKeySize, &iph1->dhC) < 0) {
1635 #endif
1636 plog(LLV_ERROR, LOCATION, NULL,
1637 "failed to generate DH");
1638 goto end;
1639 }
1640
1641 /* generate NONCE value */
1642 iph1->nonce = eay_set_random(iph1->rmconf->nonce_size);
1643 if (iph1->nonce == NULL) {
1644 plog(LLV_ERROR, LOCATION, NULL,
1645 "failed to generate NONCE");
1646 goto end;
1647 }
1648
1649 #ifdef HAVE_GSSAPI
1650 if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB)
1651 gssapi_get_rtoken(iph1, NULL);
1652 #endif
1653
1654 /* create HDR;KE;NONCE payload */
1655 iph1->sendbuf = ident_ir2mx(iph1);
1656 if (iph1->sendbuf == NULL) {
1657 plog(LLV_ERROR, LOCATION, NULL,
1658 "failed to allocate send buffer");
1659 goto end;
1660 }
1661
1662 #ifdef HAVE_PRINT_ISAKMP_C
1663 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
1664 #endif
1665
1666 /* send the packet, add to the schedule to resend */
1667 iph1->retry_counter = iph1->rmconf->retry_counter;
1668 if (isakmp_ph1resend(iph1) == -1) {
1669 plog(LLV_ERROR, LOCATION, NULL,
1670 "failed to send packet");
1671 goto end;
1672 }
1673
1674 /* the sending message is added to the received-list. */
1675 if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
1676 PH1_NON_ESP_EXTRA_LEN(iph1), PH1_FRAG_FLAGS(iph1)) == -1) {
1677 plog(LLV_ERROR , LOCATION, NULL,
1678 "failed to add a response packet to the tree.\n");
1679 goto end;
1680 }
1681
1682 /* compute sharing secret of DH */
1683 #ifdef HAVE_OPENSSL
1684 if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub,
1685 iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) {
1686 #else
1687 if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub_p, iph1->publicKeySize, &iph1->dhgxy, iph1->dhC) < 0) {
1688 #endif
1689 plog(LLV_ERROR, LOCATION, NULL,
1690 "failed to compute DH");
1691 goto end;
1692 }
1693
1694 /* generate SKEYIDs & IV & final cipher key */
1695 if (oakley_skeyid(iph1) < 0) {
1696 plog(LLV_ERROR, LOCATION, NULL,
1697 "failed to generate SKEYID");
1698 goto end;
1699 }
1700 if (oakley_skeyid_dae(iph1) < 0) {
1701 plog(LLV_ERROR, LOCATION, NULL,
1702 "failed to generate SKEYID-DAE");
1703 goto end;
1704 }
1705 if (oakley_compute_enckey(iph1) < 0) {
1706 plog(LLV_ERROR, LOCATION, NULL,
1707 "failed to generate ENCKEY");
1708 goto end;
1709 }
1710 if (oakley_newiv(iph1) < 0) {
1711 plog(LLV_ERROR, LOCATION, NULL,
1712 "failed to generate IV");
1713 goto end;
1714 }
1715
1716 iph1->status = PHASE1ST_MSG2SENT;
1717
1718 error = 0;
1719
1720 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1721 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
1722 CONSTSTR("Responder, Main-Mode message 4"),
1723 CONSTSTR(NULL));
1724
1725 end:
1726 if (error) {
1727 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1728 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
1729 CONSTSTR("Responder, Main-Mode Message 4"),
1730 CONSTSTR("Failed to transmit Main-Mode Message 4"));
1731 }
1732 return error;
1733 }
1734
1735 /*
1736 * receive from initiator
1737 * psk: HDR*, IDi1, HASH_I
1738 * sig: HDR*, IDi1, [ CR, ] [ CERT, ] SIG_I
1739 * gssapi: HDR*, [ IDi1, ] < GSSi(n) | HASH_I >
1740 * rsa: HDR*, HASH_I
1741 * rev: HDR*, HASH_I
1742 */
1743 int
1744 ident_r3recv(iph1, msg0)
1745 struct ph1handle *iph1;
1746 vchar_t *msg0;
1747 {
1748 vchar_t *msg = NULL;
1749 vchar_t *pbuf = NULL;
1750 struct isakmp_parse_t *pa;
1751 int error = -1;
1752 int type;
1753 #ifdef HAVE_GSSAPI
1754 vchar_t *gsstoken = NULL;
1755 #endif
1756 int received_cert = 0;
1757
1758 /* validity check */
1759 if (iph1->status != PHASE1ST_MSG2SENT) {
1760 plog(LLV_ERROR, LOCATION, NULL,
1761 "status mismatched %d.\n", iph1->status);
1762 goto end;
1763 }
1764
1765 /* decrypting */
1766 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
1767 plog(LLV_ERROR, LOCATION, iph1->remote,
1768 "reject the packet, "
1769 "expecting the packet encrypted.\n");
1770 goto end;
1771 }
1772 msg = oakley_do_decrypt(iph1, msg0, iph1->ivm->iv, iph1->ivm->ive);
1773 if (msg == NULL) {
1774 plog(LLV_ERROR, LOCATION, NULL,
1775 "failed to decrypt");
1776 goto end;
1777 }
1778
1779 /* validate the type of next payload */
1780 pbuf = isakmp_parse(msg);
1781 if (pbuf == NULL) {
1782 plog(LLV_ERROR, LOCATION, NULL,
1783 "failed to parse msg");
1784 goto end;
1785 }
1786
1787 iph1->pl_hash = NULL;
1788
1789 for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
1790 pa->type != ISAKMP_NPTYPE_NONE;
1791 pa++) {
1792
1793 switch (pa->type) {
1794 case ISAKMP_NPTYPE_ID:
1795 if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) {
1796 plog(LLV_ERROR, LOCATION, NULL,
1797 "failed to process ID payload");
1798 goto end;
1799 }
1800 break;
1801 case ISAKMP_NPTYPE_HASH:
1802 iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr;
1803 break;
1804 case ISAKMP_NPTYPE_CR:
1805 if (oakley_savecr(iph1, pa->ptr) < 0) {
1806 plog(LLV_ERROR, LOCATION, NULL,
1807 "failed to process CR payload");
1808 goto end;
1809 }
1810 break;
1811 case ISAKMP_NPTYPE_CERT:
1812 if (oakley_savecert(iph1, pa->ptr) < 0) {
1813 plog(LLV_ERROR, LOCATION, NULL,
1814 "failed to process CERT payload");
1815 goto end;
1816 }
1817 received_cert = 1;
1818 break;
1819 case ISAKMP_NPTYPE_SIG:
1820 if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) {
1821 plog(LLV_ERROR, LOCATION, NULL,
1822 "failed to process SIG payload");
1823 goto end;
1824 }
1825 break;
1826 #ifdef HAVE_GSSAPI
1827 case ISAKMP_NPTYPE_GSS:
1828 if (isakmp_p2ph(&gsstoken, pa->ptr) < 0) {
1829 plog(LLV_ERROR, LOCATION, NULL,
1830 "failed to process GSS payload");
1831 goto end;
1832 }
1833 gssapi_save_received_token(iph1, gsstoken);
1834 break;
1835 #endif
1836 case ISAKMP_NPTYPE_VID:
1837 (void)check_vendorid(pa->ptr);
1838 break;
1839 case ISAKMP_NPTYPE_N:
1840 isakmp_check_notify(pa->ptr, iph1);
1841 break;
1842 default:
1843 /* don't send information, see ident_r1recv() */
1844 plog(LLV_ERROR, LOCATION, iph1->remote,
1845 "ignore the packet, "
1846 "received unexpecting payload type %d.\n",
1847 pa->type);
1848 goto end;
1849 }
1850 }
1851
1852 if (received_cert) {
1853 oakley_verify_certid(iph1);
1854 }
1855
1856 /* payload existency check */
1857 /* XXX same as ident_i4recv(), should be merged. */
1858 {
1859 int ng = 0;
1860
1861 switch (AUTHMETHOD(iph1)) {
1862 case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
1863 #ifdef ENABLE_HYBRID
1864 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
1865 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
1866 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
1867 #endif
1868 if (iph1->id_p == NULL || iph1->pl_hash == NULL)
1869 ng++;
1870 break;
1871 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
1872 case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
1873 #ifdef ENABLE_HYBRID
1874 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
1875 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
1876 #endif
1877 if (iph1->id_p == NULL || iph1->sig_p == NULL)
1878 ng++;
1879 break;
1880 case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
1881 case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
1882 #ifdef ENABLE_HYBRID
1883 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
1884 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
1885 #endif
1886 if (iph1->pl_hash == NULL)
1887 ng++;
1888 break;
1889 #ifdef HAVE_GSSAPI
1890 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
1891 if (gsstoken == NULL && iph1->pl_hash == NULL)
1892 ng++;
1893 break;
1894 #endif
1895 default:
1896 plog(LLV_ERROR, LOCATION, iph1->remote,
1897 "invalid authmethod %d why ?\n",
1898 iph1->approval->authmethod);
1899 goto end;
1900 }
1901 if (ng) {
1902 plog(LLV_ERROR, LOCATION, iph1->remote,
1903 "few isakmp message received.\n");
1904 goto end;
1905 }
1906 }
1907
1908 /* verify identifier */
1909 if (ipsecdoi_checkid1(iph1) != 0) {
1910 plog(LLV_ERROR, LOCATION, iph1->remote,
1911 "invalid ID payload.\n");
1912 goto end;
1913 }
1914
1915 /* validate authentication value */
1916 #ifdef HAVE_GSSAPI
1917 if (gsstoken == NULL) {
1918 #endif
1919 type = oakley_validate_auth(iph1);
1920 if (type != 0) {
1921 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1922 IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_FAIL,
1923 CONSTSTR("Responder, Main-Mode Message 5"),
1924 CONSTSTR("Failed to authenticate Main-Mode Message 5"));
1925 if (type == -1) {
1926 /* msg printed inner oakley_validate_auth() */
1927 goto end;
1928 }
1929 EVT_PUSH(iph1->local, iph1->remote,
1930 EVTT_PEERPH1AUTH_FAILED, NULL);
1931 isakmp_info_send_n1(iph1, type, NULL);
1932 goto end;
1933 }
1934 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1935 IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_SUCC,
1936 CONSTSTR("Responder, Main-Mode Message 5"),
1937 CONSTSTR(NULL));
1938 #ifdef HAVE_GSSAPI
1939 }
1940 #endif
1941
1942 if (oakley_checkcr(iph1) < 0) {
1943 /* Ignore this error in order to be interoperability. */
1944 ;
1945 }
1946
1947 /*
1948 * XXX: Should we do compare two addresses, ph1handle's and ID
1949 * payload's.
1950 */
1951
1952 plog(LLV_DEBUG, LOCATION, iph1->remote, "peer's ID\n");
1953 plogdump(LLV_DEBUG, iph1->id_p->v, iph1->id_p->l);
1954
1955 /* see handler.h about IV synchronization. */
1956 memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->ive->l);
1957
1958 #ifdef HAVE_GSSAPI
1959 iph1->status = gsstoken != NULL ? PHASE1ST_MSG2RECEIVED :
1960 PHASE1ST_MSG3RECEIVED;
1961 #else
1962 iph1->status = PHASE1ST_MSG3RECEIVED;
1963 #endif
1964
1965 error = 0;
1966
1967 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1968 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
1969 CONSTSTR("Responder, Main-Mode message 5"),
1970 CONSTSTR(NULL));
1971
1972 end:
1973 if (error) {
1974 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1975 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
1976 CONSTSTR("Responder, Main-Mode Message 5"),
1977 CONSTSTR("Failed to process Main-Mode Message 5"));
1978 }
1979 if (pbuf)
1980 vfree(pbuf);
1981 if (msg)
1982 vfree(msg);
1983 #ifdef HAVE_GSSAPI
1984 if (gsstoken)
1985 vfree(gsstoken);
1986 #endif
1987
1988 if (error) {
1989 VPTRINIT(iph1->id_p);
1990 oakley_delcert(iph1->cert_p);
1991 iph1->cert_p = NULL;
1992 oakley_delcert(iph1->crl_p);
1993 iph1->crl_p = NULL;
1994 VPTRINIT(iph1->sig_p);
1995 oakley_delcert(iph1->cr_p);
1996 iph1->cr_p = NULL;
1997 }
1998
1999 return error;
2000 }
2001
2002 /*
2003 * send to initiator
2004 * psk: HDR*, IDr1, HASH_R
2005 * sig: HDR*, IDr1, [ CERT, ] SIG_R
2006 * gssapi: HDR*, IDr1, < GSSr(n) | HASH_R >
2007 * rsa: HDR*, HASH_R
2008 * rev: HDR*, HASH_R
2009 */
2010 int
2011 ident_r3send(iph1, msg)
2012 struct ph1handle *iph1;
2013 vchar_t *msg;
2014 {
2015 int error = -1;
2016 int dohash = 1;
2017 #ifdef HAVE_GSSAPI
2018 int len;
2019 #endif
2020
2021 /* validity check */
2022 if (iph1->status != PHASE1ST_MSG3RECEIVED) {
2023 plog(LLV_ERROR, LOCATION, NULL,
2024 "status mismatched %d.\n", iph1->status);
2025 goto end;
2026 }
2027
2028 /* make ID payload into isakmp status */
2029 if (ipsecdoi_setid1(iph1) < 0) {
2030 plog(LLV_ERROR, LOCATION, NULL,
2031 "failed to set ID");
2032 goto end;
2033 }
2034
2035 #ifdef HAVE_GSSAPI
2036 if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB &&
2037 gssapi_more_tokens(iph1)) {
2038 gssapi_get_rtoken(iph1, &len);
2039 if (len != 0)
2040 dohash = 0;
2041 }
2042 #endif
2043
2044 if (dohash) {
2045 /* generate HASH to send */
2046 plog(LLV_DEBUG, LOCATION, NULL, "generate HASH_R\n");
2047 iph1->hash = oakley_ph1hash_common(iph1, GENERATE);
2048 if (iph1->hash == NULL) {
2049 plog(LLV_ERROR, LOCATION, NULL,
2050 "failed to generate HASH");
2051 goto end;
2052 }
2053 } else
2054 iph1->hash = NULL;
2055
2056 /* set encryption flag */
2057 iph1->flags |= ISAKMP_FLAG_E;
2058
2059 /* create HDR;ID;HASH payload */
2060 iph1->sendbuf = ident_ir3mx(iph1);
2061 if (iph1->sendbuf == NULL) {
2062 plog(LLV_ERROR, LOCATION, NULL,
2063 "failed to create send buffer");
2064 goto end;
2065 }
2066
2067 /* send HDR;ID;HASH to responder */
2068 if (isakmp_send(iph1, iph1->sendbuf) < 0) {
2069 plog(LLV_ERROR, LOCATION, NULL,
2070 "failed to send packet");
2071 goto end;
2072 }
2073
2074 /* the sending message is added to the received-list. */
2075 if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
2076 PH1_NON_ESP_EXTRA_LEN(iph1), PH1_FRAG_FLAGS(iph1)) == -1) {
2077 plog(LLV_ERROR , LOCATION, NULL,
2078 "failed to add a response packet to the tree.\n");
2079 goto end;
2080 }
2081
2082 /* see handler.h about IV synchronization. */
2083 memcpy(iph1->ivm->ive->v, iph1->ivm->iv->v, iph1->ivm->iv->l);
2084
2085 iph1->status = PHASE1ST_ESTABLISHED;
2086
2087 IPSECSESSIONTRACEREVENT(iph1->parent_session,
2088 IPSECSESSIONEVENTCODE_IKEV1_PH1_RESP_SUCC,
2089 CONSTSTR("Responder, Main-Mode"),
2090 CONSTSTR(NULL));
2091
2092 error = 0;
2093
2094 IPSECSESSIONTRACEREVENT(iph1->parent_session,
2095 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
2096 CONSTSTR("Responder, Main-Mode message 6"),
2097 CONSTSTR(NULL));
2098
2099 end:
2100 if (error) {
2101 IPSECSESSIONTRACEREVENT(iph1->parent_session,
2102 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
2103 CONSTSTR("Responder, Main-Mode Message 6"),
2104 CONSTSTR("Failed to process Main-Mode Message 6"));
2105 }
2106
2107 return error;
2108 }
2109
2110 /*
2111 * This is used in main mode for:
2112 * initiator's 3rd exchange send to responder
2113 * psk: HDR, KE, Ni
2114 * sig: HDR, KE, Ni
2115 * rsa: HDR, KE, [ HASH(1), ] <IDi1_b>PubKey_r, <Ni_b>PubKey_r
2116 * rev: HDR, [ HASH(1), ] <Ni_b>Pubkey_r, <KE_b>Ke_i,
2117 * <IDi1_b>Ke_i, [<<Cert-I_b>Ke_i]
2118 * responders 2nd exchnage send to initiator
2119 * psk: HDR, KE, Nr
2120 * sig: HDR, KE, Nr [, CR ]
2121 * rsa: HDR, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i
2122 * rev: HDR, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDr1_b>Ke_r,
2123 */
2124 static vchar_t *
2125 ident_ir2mx(iph1)
2126 struct ph1handle *iph1;
2127 {
2128 vchar_t *buf = 0;
2129 struct payload_list *plist = NULL;
2130 int need_cr = 0;
2131 vchar_t *cr = NULL;
2132 vchar_t *vid = NULL;
2133 int error = -1;
2134 #ifdef HAVE_GSSAPI
2135 vchar_t *gsstoken = NULL;
2136 #endif
2137 #ifdef ENABLE_NATT
2138 vchar_t *natd[2] = { NULL, NULL };
2139 #endif
2140
2141 /* create CR if need */
2142 if (iph1->side == RESPONDER
2143 && iph1->rmconf->send_cr
2144 && oakley_needcr(iph1->approval->authmethod)
2145 && iph1->rmconf->peerscertfile == NULL) {
2146 need_cr = 1;
2147 cr = oakley_getcr(iph1);
2148 if (cr == NULL) {
2149 plog(LLV_ERROR, LOCATION, NULL,
2150 "failed to get cr buffer.\n");
2151 goto end;
2152 }
2153 }
2154
2155 #ifdef HAVE_GSSAPI
2156 if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB)
2157 gssapi_get_token_to_send(iph1, &gsstoken);
2158 #endif
2159
2160 /* create isakmp KE payload */
2161 plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE);
2162
2163 /* create isakmp NONCE payload */
2164 plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE);
2165
2166 #ifdef HAVE_GSSAPI
2167 if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB)
2168 plist = isakmp_plist_append(plist, gsstoken, ISAKMP_NPTYPE_GSS);
2169 #endif
2170
2171 /* append vendor id, if needed */
2172 if (vid)
2173 plist = isakmp_plist_append(plist, vid, ISAKMP_NPTYPE_VID);
2174
2175 /* create isakmp CR payload if needed */
2176 if (need_cr)
2177 plist = isakmp_plist_append(plist, cr, ISAKMP_NPTYPE_CR);
2178
2179 #ifdef ENABLE_NATT
2180 /* generate and append NAT-D payloads */
2181 if (NATT_AVAILABLE(iph1) && iph1->status == PHASE1ST_MSG2RECEIVED)
2182 {
2183 if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) {
2184 plog(LLV_ERROR, LOCATION, NULL,
2185 "NAT-D hashing failed for %s\n", saddr2str((struct sockaddr *)iph1->remote));
2186 goto end;
2187 }
2188
2189 if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) {
2190 plog(LLV_ERROR, LOCATION, NULL,
2191 "NAT-D hashing failed for %s\n", saddr2str((struct sockaddr *)iph1->local));
2192 goto end;
2193 }
2194
2195 plog (LLV_INFO, LOCATION, NULL, "Adding remote and local NAT-D payloads.\n");
2196 /* old Apple version sends natd payloads in the wrong order */
2197 if (iph1->natt_options->version == VENDORID_NATT_APPLE) {
2198 plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
2199 plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
2200 } else
2201 {
2202 plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
2203 plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
2204 }
2205 }
2206 #endif
2207
2208 buf = isakmp_plist_set_all (&plist, iph1);
2209
2210 error = 0;
2211
2212 end:
2213 if (error && buf != NULL) {
2214 vfree(buf);
2215 buf = NULL;
2216 }
2217 if (cr)
2218 vfree(cr);
2219 #ifdef HAVE_GSSAPI
2220 if (gsstoken)
2221 vfree(gsstoken);
2222 #endif
2223 if (vid)
2224 vfree(vid);
2225
2226 #ifdef ENABLE_NATT
2227 if (natd[0])
2228 vfree(natd[0]);
2229 if (natd[1])
2230 vfree(natd[1]);
2231 #endif
2232
2233 return buf;
2234 }
2235
2236 /*
2237 * This is used in main mode for:
2238 * initiator's 4th exchange send to responder
2239 * psk: HDR*, IDi1, HASH_I
2240 * sig: HDR*, IDi1, [ CR, ] [ CERT, ] SIG_I
2241 * gssapi: HDR*, [ IDi1, ] < GSSi(n) | HASH_I >
2242 * rsa: HDR*, HASH_I
2243 * rev: HDR*, HASH_I
2244 * responders 3rd exchnage send to initiator
2245 * psk: HDR*, IDr1, HASH_R
2246 * sig: HDR*, IDr1, [ CERT, ] SIG_R
2247 * gssapi: HDR*, [ IDr1, ] < GSSr(n) | HASH_R >
2248 * rsa: HDR*, HASH_R
2249 * rev: HDR*, HASH_R
2250 */
2251 static vchar_t *
2252 ident_ir3mx(iph1)
2253 struct ph1handle *iph1;
2254 {
2255 struct payload_list *plist = NULL;
2256 vchar_t *buf = NULL, *new = NULL;
2257 int need_cr = 0;
2258 int need_cert = 0;
2259 vchar_t *cr = NULL;
2260 int error = -1;
2261 #ifdef HAVE_GSSAPI
2262 int nptype;
2263 vchar_t *gsstoken = NULL;
2264 vchar_t *gsshash = NULL;
2265 #endif
2266 vchar_t *notp_ini = NULL;
2267
2268 switch (AUTHMETHOD(iph1)) {
2269 case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
2270 #ifdef ENABLE_HYBRID
2271 case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
2272 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
2273 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
2274 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
2275 #endif
2276 /* create isakmp ID payload */
2277 plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
2278
2279 /* create isakmp HASH payload */
2280 plist = isakmp_plist_append(plist, iph1->hash, ISAKMP_NPTYPE_HASH);
2281 break;
2282 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
2283 case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
2284 #ifdef ENABLE_HYBRID
2285 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
2286 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
2287 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
2288 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
2289 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
2290 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
2291 #endif
2292 if (oakley_getmycert(iph1) < 0) {
2293 plog(LLV_ERROR, LOCATION, NULL,
2294 "failed to get mycert");
2295 goto end;
2296 }
2297
2298 if (oakley_getsign(iph1) < 0) {
2299 plog(LLV_ERROR, LOCATION, NULL,
2300 "failed to get sign");
2301 goto end;
2302 }
2303
2304 /* create CR if need */
2305 if (iph1->side == INITIATOR
2306 && iph1->rmconf->send_cr
2307 && oakley_needcr(iph1->approval->authmethod)
2308 && iph1->rmconf->peerscertfile == NULL) {
2309 need_cr = 1;
2310 cr = oakley_getcr(iph1);
2311 if (cr == NULL) {
2312 plog(LLV_ERROR, LOCATION, NULL,
2313 "failed to get CR");
2314 goto end;
2315 }
2316 }
2317
2318 if (iph1->cert != NULL && iph1->rmconf->send_cert)
2319 need_cert = 1;
2320
2321 /* add ID payload */
2322 plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
2323
2324 /* add CERT payload if there */
2325 // we don't support sending of certchains
2326 if (need_cert)
2327 plist = isakmp_plist_append(plist, iph1->cert->pl, ISAKMP_NPTYPE_CERT);
2328 /* add SIG payload */
2329 plist = isakmp_plist_append(plist, iph1->sig, ISAKMP_NPTYPE_SIG);
2330
2331 /* create isakmp CR payload */
2332 if (need_cr)
2333 plist = isakmp_plist_append(plist, cr, ISAKMP_NPTYPE_CR);
2334 break;
2335 #ifdef HAVE_GSSAPI
2336 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
2337 if (iph1->hash != NULL) {
2338 gsshash = gssapi_wraphash(iph1);
2339 if (gsshash == NULL) {
2340 plog(LLV_ERROR, LOCATION, NULL,
2341 "failed to generate GSSAPI HASH");
2342 goto end;
2343 }
2344 } else {
2345 gssapi_get_token_to_send(iph1, &gsstoken);
2346 }
2347
2348 if (!gssapi_id_sent(iph1)) {
2349 /* create isakmp ID payload */
2350 plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
2351 gssapi_set_id_sent(iph1);
2352 }
2353
2354 if (iph1->hash != NULL)
2355 /* create isakmp HASH payload */
2356 plist = isakmp_plist_append(plist, gsshash, ISAKMP_NPTYPE_HASH);
2357 else
2358 plist = isakmp_plist_append(plist, gsstoken, ISAKMP_NPTYPE_GSS);
2359 break;
2360 #endif
2361 case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
2362 case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
2363 #ifdef ENABLE_HYBRID
2364 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
2365 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
2366 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
2367 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
2368 #endif
2369 plog(LLV_ERROR, LOCATION, NULL,
2370 "not supported authentication type %d\n",
2371 iph1->approval->authmethod);
2372 goto end;
2373 default:
2374 plog(LLV_ERROR, LOCATION, NULL,
2375 "invalid authentication type %d\n",
2376 iph1->approval->authmethod);
2377 goto end;
2378 }
2379
2380 if (iph1->side == INITIATOR) {
2381 notp_ini = isakmp_plist_append_initial_contact(iph1, plist);
2382 }
2383
2384 buf = isakmp_plist_set_all (&plist, iph1);
2385
2386 #ifdef HAVE_PRINT_ISAKMP_C
2387 isakmp_printpacket(buf, iph1->local, iph1->remote, 1);
2388 #endif
2389
2390 /* encoding */
2391 new = oakley_do_encrypt(iph1, buf, iph1->ivm->ive, iph1->ivm->iv);
2392 if (new == NULL) {
2393 plog(LLV_ERROR, LOCATION, NULL,
2394 "failed to encrypt");
2395 goto end;
2396 }
2397
2398 vfree(buf);
2399
2400 buf = new;
2401
2402 error = 0;
2403
2404 end:
2405 #ifdef HAVE_GSSAPI
2406 if (gsstoken)
2407 vfree(gsstoken);
2408 #endif
2409 if (cr)
2410 vfree(cr);
2411 if (error && buf != NULL) {
2412 vfree(buf);
2413 buf = NULL;
2414 }
2415 if (notp_ini)
2416 vfree(notp_ini);
2417
2418 return buf;
2419 }
mirror of ipsec