]> git.saurik.com Git - apple/ipsec.git/blob - ipsec-tools/racoon/isakmp_agg.c
projects / apple / ipsec.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
ipsec-146.3.tar.gz
[apple/ipsec.git] / ipsec-tools / racoon / isakmp_agg.c
1 /* $NetBSD: isakmp_agg.c,v 1.9 2006/09/30 21:49:37 manu Exp $ */
2
3 /* Id: isakmp_agg.c,v 1.28 2006/04/06 16:46:08 manubsd Exp */
4
5 /*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 /* Aggressive Exchange (Aggressive Mode) */
35
36 #include "config.h"
37
38 #include <sys/types.h>
39 #include <sys/param.h>
40
41 #include <stdlib.h>
42 #include <stdio.h>
43 #include <string.h>
44 #include <errno.h>
45 #if TIME_WITH_SYS_TIME
46 # include <sys/time.h>
47 # include <time.h>
48 #else
49 # if HAVE_SYS_TIME_H
50 # include <sys/time.h>
51 # else
52 # include <time.h>
53 # endif
54 #endif
55
56 #include "var.h"
57 #include "misc.h"
58 #include "vmbuf.h"
59 #include "plog.h"
60 #include "sockmisc.h"
61 #include "schedule.h"
62 #include "debug.h"
63
64 #ifdef ENABLE_HYBRID
65 #include <resolv.h>
66 #endif
67
68 #include "localconf.h"
69 #include "remoteconf.h"
70 #include "isakmp_var.h"
71 #include "isakmp.h"
72 #include "evt.h"
73 #include "oakley.h"
74 #include "handler.h"
75 #include "ipsec_doi.h"
76 #include "crypto_openssl.h"
77 #include "pfkey.h"
78 #include "isakmp_agg.h"
79 #include "isakmp_inf.h"
80 #ifdef ENABLE_HYBRID
81 #include "isakmp_xauth.h"
82 #include "isakmp_cfg.h"
83 #endif
84 #ifdef ENABLE_FRAG
85 #include "isakmp_frag.h"
86 #endif
87 #include "vendorid.h"
88 #include "strnames.h"
89
90 #ifdef ENABLE_NATT
91 #include "nattraversal.h"
92 #endif
93
94 #ifdef HAVE_GSSAPI
95 #include "gssapi.h"
96 #endif
97
98 #include "vpn_control.h"
99 #include "vpn_control_var.h"
100 #include "ipsecSessionTracer.h"
101 #include "ipsecMessageTracer.h"
102 #ifndef HAVE_OPENSSL
103 #include <Security/SecDH.h>
104 #endif
105
106 /*
107 * begin Aggressive Mode as initiator.
108 */
109 /*
110 * send to responder
111 * psk: HDR, SA, KE, Ni, IDi1
112 * sig: HDR, SA, KE, Ni, IDi1 [, CR ]
113 * gssapi: HDR, SA, KE, Ni, IDi1, GSSi
114 * rsa: HDR, SA, [ HASH(1),] KE, <IDi1_b>Pubkey_r, <Ni_b>Pubkey_r
115 * rev: HDR, SA, [ HASH(1),] <Ni_b>Pubkey_r, <KE_b>Ke_i,
116 * <IDii_b>Ke_i [, <Cert-I_b>Ke_i ]
117 */
118 int
119 agg_i1send(iph1, msg)
120 struct ph1handle *iph1;
121 vchar_t *msg; /* must be null */
122 {
123 struct payload_list *plist = NULL;
124 int need_cr = 0;
125 vchar_t *cr = NULL;
126 int error = -1;
127 #ifdef ENABLE_NATT
128 vchar_t *vid_natt[MAX_NATT_VID_COUNT] = { NULL };
129 int i;
130 #endif
131 #ifdef ENABLE_HYBRID
132 vchar_t *vid_xauth = NULL;
133 vchar_t *vid_unity = NULL;
134 #endif
135 #ifdef ENABLE_FRAG
136 vchar_t *vid_frag = NULL;
137 #endif
138 #ifdef HAVE_GSSAPI
139 vchar_t *gsstoken = NULL;
140 int len;
141 #endif
142 #ifdef ENABLE_DPD
143 vchar_t *vid_dpd = NULL;
144 #endif
145
146
147 /* validity check */
148 if (msg != NULL) {
149 plog(LLV_ERROR, LOCATION, NULL,
150 "msg has to be NULL in this function.\n");
151 goto end;
152 }
153 if (iph1->status != PHASE1ST_START) {
154 plog(LLV_ERROR, LOCATION, NULL,
155 "status mismatched %d.\n", iph1->status);
156 goto end;
157 }
158
159 /* create isakmp index */
160 memset(&iph1->index, 0, sizeof(iph1->index));
161 isakmp_newcookie((caddr_t)&iph1->index, iph1->remote, iph1->local);
162
163 /* make ID payload into isakmp status */
164 if (ipsecdoi_setid1(iph1) < 0) {
165 plog(LLV_ERROR, LOCATION, NULL,
166 "failed to set ID");
167 goto end;
168 }
169
170 /* create SA payload for my proposal */
171 iph1->sa = ipsecdoi_setph1proposal(iph1->rmconf->proposal);
172 if (iph1->sa == NULL) {
173 plog(LLV_ERROR, LOCATION, NULL,
174 "failed to set proposal");
175 goto end;
176 }
177
178 /* consistency check of proposals */
179 if (iph1->rmconf->dhgrp == NULL) {
180 plog(LLV_ERROR, LOCATION, NULL,
181 "configuration failure about DH group.\n");
182 goto end;
183 }
184
185 /* generate DH public value */
186 #ifdef HAVE_OPENSSL
187 if (oakley_dh_generate(iph1->rmconf->dhgrp,
188 &iph1->dhpub, &iph1->dhpriv) < 0) {
189 #else
190 if (oakley_dh_generate(iph1->rmconf->dhgrp,
191 &iph1->dhpub, &iph1->publicKeySize, &iph1->dhC) < 0) {
192 #endif
193 plog(LLV_ERROR, LOCATION, NULL,
194 "failed to generate DH");
195 goto end;
196 }
197
198 /* generate NONCE value */
199 iph1->nonce = eay_set_random(iph1->rmconf->nonce_size);
200 if (iph1->nonce == NULL) {
201 plog(LLV_ERROR, LOCATION, NULL,
202 "failed to generate NONCE");
203 goto end;
204 }
205
206 #ifdef ENABLE_HYBRID
207 /* Do we need Xauth VID? */
208 switch (RMAUTHMETHOD(iph1)) {
209 case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
210 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
211 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
212 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
213 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
214 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
215 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
216 if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL)
217 plog(LLV_ERROR, LOCATION, NULL,
218 "Xauth vendor ID generation failed\n");
219 if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL)
220 plog(LLV_ERROR, LOCATION, NULL,
221 "Unity vendor ID generation failed\n");
222 break;
223 default:
224 break;
225 }
226 #endif
227
228 #ifdef ENABLE_FRAG
229 if (iph1->rmconf->ike_frag) {
230 vid_frag = set_vendorid(VENDORID_FRAG);
231 if (vid_frag != NULL)
232 vid_frag = isakmp_frag_addcap(vid_frag,
233 VENDORID_FRAG_AGG);
234 if (vid_frag == NULL)
235 plog(LLV_ERROR, LOCATION, NULL,
236 "Frag vendorID construction failed\n");
237 }
238 #endif
239
240 /* create CR if need */
241 if (iph1->rmconf->send_cr
242 && oakley_needcr(iph1->rmconf->proposal->authmethod)
243 && iph1->rmconf->peerscertfile == NULL) {
244 need_cr = 1;
245 cr = oakley_getcr(iph1);
246 if (cr == NULL) {
247 plog(LLV_ERROR, LOCATION, NULL,
248 "failed to get CR");
249 goto end;
250 }
251 }
252
253 plog(LLV_DEBUG, LOCATION, NULL, "authmethod is %s\n",
254 s_oakley_attr_method(iph1->rmconf->proposal->authmethod));
255 #ifdef HAVE_GSSAPI
256 if (RMAUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB)
257 gssapi_get_itoken(iph1, &len);
258 #endif
259
260 /* set SA payload to propose */
261 plist = isakmp_plist_append(plist, iph1->sa, ISAKMP_NPTYPE_SA);
262
263 /* create isakmp KE payload */
264 plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE);
265
266 /* create isakmp NONCE payload */
267 plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE);
268
269 /* create isakmp ID payload */
270 plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
271
272 #ifdef HAVE_GSSAPI
273 if (RMAUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) {
274 gssapi_get_token_to_send(iph1, &gsstoken);
275 plist = isakmp_plist_append(plist, gsstoken, ISAKMP_NPTYPE_GSS);
276 }
277 #endif
278 /* create isakmp CR payload */
279 if (need_cr)
280 plist = isakmp_plist_append(plist, cr, ISAKMP_NPTYPE_CR);
281
282 #ifdef ENABLE_FRAG
283 if (vid_frag)
284 plist = isakmp_plist_append(plist, vid_frag, ISAKMP_NPTYPE_VID);
285 #endif
286 #ifdef ENABLE_NATT
287 /*
288 * set VID payload for NAT-T if NAT-T
289 * support allowed in the config file
290 */
291 if (iph1->rmconf->nat_traversal)
292 plist = isakmp_plist_append_natt_vids(plist, vid_natt);
293 #endif
294 #ifdef ENABLE_HYBRID
295 if (vid_xauth)
296 plist = isakmp_plist_append(plist,
297 vid_xauth, ISAKMP_NPTYPE_VID);
298 if (vid_unity)
299 plist = isakmp_plist_append(plist,
300 vid_unity, ISAKMP_NPTYPE_VID);
301 #endif
302 #ifdef ENABLE_DPD
303 if(iph1->rmconf->dpd){
304 vid_dpd = set_vendorid(VENDORID_DPD);
305 if (vid_dpd != NULL)
306 plist = isakmp_plist_append(plist, vid_dpd, ISAKMP_NPTYPE_VID);
307 }
308 #endif
309
310 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
311
312 #ifdef HAVE_PRINT_ISAKMP_C
313 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
314 #endif
315
316 /* send the packet, add to the schedule to resend */
317 iph1->retry_counter = iph1->rmconf->retry_counter;
318 if (isakmp_ph1resend(iph1) == -1) {
319 plog(LLV_ERROR, LOCATION, NULL,
320 "failed to send packet");
321 goto end;
322 }
323
324 iph1->status = PHASE1ST_MSG1SENT;
325
326 error = 0;
327
328 IPSECSESSIONTRACEREVENT(iph1->parent_session,
329 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
330 CONSTSTR("Initiator, Aggressive-Mode message 1"),
331 CONSTSTR(NULL));
332
333 end:
334 if (error) {
335 IPSECSESSIONTRACEREVENT(iph1->parent_session,
336 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
337 CONSTSTR("Initiator, Aggressive-Mode Message 1"),
338 CONSTSTR("Failed to transmit Aggressive-Mode Message 1"));
339 }
340 if (cr)
341 vfree(cr);
342 #ifdef HAVE_GSSAPI
343 if (gsstoken)
344 vfree(gsstoken);
345 #endif
346 #ifdef ENABLE_FRAG
347 if (vid_frag)
348 vfree(vid_frag);
349 #endif
350 #ifdef ENABLE_NATT
351 for (i = 0; i < MAX_NATT_VID_COUNT && vid_natt[i] != NULL; i++)
352 vfree(vid_natt[i]);
353 #endif
354 #ifdef ENABLE_HYBRID
355 if (vid_xauth != NULL)
356 vfree(vid_xauth);
357 if (vid_unity != NULL)
358 vfree(vid_unity);
359 #endif
360 #ifdef ENABLE_DPD
361 if (vid_dpd != NULL)
362 vfree(vid_dpd);
363 #endif
364
365 return error;
366 }
367
368 /*
369 * receive from responder
370 * psk: HDR, SA, KE, Nr, IDr1, HASH_R
371 * sig: HDR, SA, KE, Nr, IDr1, [ CR, ] [ CERT, ] SIG_R
372 * gssapi: HDR, SA, KE, Nr, IDr1, GSSr, HASH_R
373 * rsa: HDR, SA, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i, HASH_R
374 * rev: HDR, SA, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDir_b>Ke_r, HASH_R
375 */
376 int
377 agg_i2recv(iph1, msg)
378 struct ph1handle *iph1;
379 vchar_t *msg;
380 {
381 vchar_t *pbuf = NULL;
382 struct isakmp_parse_t *pa;
383 vchar_t *satmp = NULL;
384 int error = -1;
385 int vid_numeric;
386 int ptype;
387 #ifdef ENABLE_HYBRID
388 vchar_t *unity_vid;
389 vchar_t *xauth_vid;
390 #endif
391 #ifdef HAVE_GSSAPI
392 vchar_t *gsstoken = NULL;
393 #endif
394 int received_cert = 0;
395
396 #ifdef ENABLE_NATT
397 int natd_seq = 0;
398 struct natd_payload {
399 int seq;
400 vchar_t *payload;
401 TAILQ_ENTRY(natd_payload) chain;
402 };
403 TAILQ_HEAD(_natd_payload, natd_payload) natd_tree;
404 TAILQ_INIT(&natd_tree);
405 #endif
406
407 /* validity check */
408 if (iph1->status != PHASE1ST_MSG1SENT) {
409 plog(LLV_ERROR, LOCATION, NULL,
410 "status mismatched %d.\n", iph1->status);
411 goto end;
412 }
413
414 /* validate the type of next payload */
415 pbuf = isakmp_parse(msg);
416 if (pbuf == NULL) {
417 plog(LLV_ERROR, LOCATION, NULL,
418 "failed to parse msg");
419 goto end;
420 }
421 pa = (struct isakmp_parse_t *)pbuf->v;
422
423 iph1->pl_hash = NULL;
424
425 /* SA payload is fixed postion */
426 if (pa->type != ISAKMP_NPTYPE_SA) {
427 plog(LLV_ERROR, LOCATION, iph1->remote,
428 "received invalid next payload type %d, "
429 "expecting %d.\n",
430 pa->type, ISAKMP_NPTYPE_SA);
431 goto end;
432 }
433
434 if (isakmp_p2ph(&satmp, pa->ptr) < 0) {
435 plog(LLV_ERROR, LOCATION, NULL,
436 "failed to process SA payload");
437 goto end;
438 }
439 pa++;
440
441 for (/*nothing*/;
442 pa->type != ISAKMP_NPTYPE_NONE;
443 pa++) {
444
445 switch (pa->type) {
446 case ISAKMP_NPTYPE_KE:
447 if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) {
448 plog(LLV_ERROR, LOCATION, NULL,
449 "failed to process KE payload");
450 goto end;
451 }
452 break;
453 case ISAKMP_NPTYPE_NONCE:
454 if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) {
455 plog(LLV_ERROR, LOCATION, NULL,
456 "failed to process NONCE payload");
457 goto end;
458 }
459 break;
460 case ISAKMP_NPTYPE_ID:
461 if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) {
462 plog(LLV_ERROR, LOCATION, NULL,
463 "failed to process ID payload");
464 goto end;
465 }
466 break;
467 case ISAKMP_NPTYPE_HASH:
468 iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr;
469 break;
470 case ISAKMP_NPTYPE_CR:
471 if (oakley_savecr(iph1, pa->ptr) < 0) {
472 plog(LLV_ERROR, LOCATION, NULL,
473 "failed to process CR payload");
474 goto end;
475 }
476 break;
477 case ISAKMP_NPTYPE_CERT:
478 if (oakley_savecert(iph1, pa->ptr) < 0) {
479 plog(LLV_ERROR, LOCATION, NULL,
480 "failed to process CERT payload");
481 goto end;
482 }
483 received_cert = 1;
484 break;
485 case ISAKMP_NPTYPE_SIG:
486 if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) {
487 plog(LLV_ERROR, LOCATION, NULL,
488 "failed to process SIG payload");
489 goto end;
490 }
491 break;
492 case ISAKMP_NPTYPE_VID:
493 vid_numeric = check_vendorid(pa->ptr);
494 #ifdef ENABLE_NATT
495 if (iph1->rmconf->nat_traversal &&
496 natt_vendorid(vid_numeric))
497 natt_handle_vendorid(iph1, vid_numeric);
498 #endif
499 #ifdef ENABLE_HYBRID
500 switch (vid_numeric) {
501 case VENDORID_XAUTH:
502 iph1->mode_cfg->flags |=
503 ISAKMP_CFG_VENDORID_XAUTH;
504 break;
505
506 case VENDORID_UNITY:
507 iph1->mode_cfg->flags |=
508 ISAKMP_CFG_VENDORID_UNITY;
509 break;
510 default:
511 break;
512 }
513 #endif
514 #ifdef ENABLE_DPD
515 if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd) {
516 iph1->dpd_support=1;
517 plog(LLV_DEBUG, LOCATION, NULL,
518 "remote supports DPD\n");
519 }
520 #endif
521 #ifdef ENABLE_FRAG
522 if ((vid_numeric == VENDORID_FRAG) &&
523 (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_AGG)) {
524 plog(LLV_DEBUG, LOCATION, NULL,
525 "remote supports FRAGMENTATION\n");
526 iph1->frag = 1;
527 }
528 #endif
529 break;
530 case ISAKMP_NPTYPE_N:
531 isakmp_check_notify(pa->ptr, iph1);
532 break;
533 #ifdef HAVE_GSSAPI
534 case ISAKMP_NPTYPE_GSS:
535 if (isakmp_p2ph(&gsstoken, pa->ptr) < 0) {
536 plog(LLV_ERROR, LOCATION, NULL,
537 "failed to process GSS payload");
538 goto end;
539 }
540 gssapi_save_received_token(iph1, gsstoken);
541 break;
542 #endif
543
544 #ifdef ENABLE_NATT
545 case ISAKMP_NPTYPE_NATD_DRAFT:
546 case ISAKMP_NPTYPE_NATD_RFC:
547 case ISAKMP_NPTYPE_NATD_BADDRAFT:
548 if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL &&
549 pa->type == iph1->natt_options->payload_nat_d) {
550 struct natd_payload *natd;
551 natd = (struct natd_payload *)racoon_malloc(sizeof(*natd));
552 if (!natd) {
553 plog(LLV_ERROR, LOCATION, NULL,
554 "failed to pre-process NATD payload");
555 goto end;
556 }
557
558 natd->payload = NULL;
559
560 if (isakmp_p2ph (&natd->payload, pa->ptr) < 0) {
561 plog(LLV_ERROR, LOCATION, NULL,
562 "failed to process NATD payload");
563 goto end;
564 }
565
566 natd->seq = natd_seq++;
567
568 TAILQ_INSERT_TAIL(&natd_tree, natd, chain);
569 break;
570 }
571 /* %%% Be lenient here - some servers send natd payloads */
572 /* when nat not detected */
573 break;
574 #endif
575
576 default:
577 /* don't send information, see isakmp_ident_r1() */
578 plog(LLV_ERROR, LOCATION, iph1->remote,
579 "ignore the packet, "
580 "received unexpecting payload type %d.\n",
581 pa->type);
582 goto end;
583 }
584 }
585
586 if (received_cert) {
587 oakley_verify_certid(iph1);
588 }
589
590 /* payload existency check */
591 if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) {
592 plog(LLV_ERROR, LOCATION, iph1->remote,
593 "few isakmp message received.\n");
594 goto end;
595 }
596
597 /* verify identifier */
598 if (ipsecdoi_checkid1(iph1) != 0) {
599 plog(LLV_ERROR, LOCATION, iph1->remote,
600 "invalid ID payload.\n");
601 goto end;
602 }
603
604 /* check SA payload and set approval SA for use */
605 if (ipsecdoi_checkph1proposal(satmp, iph1) < 0) {
606 plog(LLV_ERROR, LOCATION, iph1->remote,
607 "failed to get valid proposal.\n");
608 /* XXX send information */
609 goto end;
610 }
611 VPTRINIT(iph1->sa_ret);
612
613 /* fix isakmp index */
614 memcpy(&iph1->index.r_ck, &((struct isakmp *)msg->v)->r_ck,
615 sizeof(cookie_t));
616
617 #ifdef ENABLE_NATT
618 if (NATT_AVAILABLE(iph1)) {
619 struct natd_payload *natd = NULL;
620 int natd_verified;
621
622 plog(LLV_INFO, LOCATION, iph1->remote,
623 "Selected NAT-T version: %s\n",
624 vid_string_by_id(iph1->natt_options->version));
625
626 /* set both bits first so that we can clear them
627 upon verifying hashes */
628 iph1->natt_flags |= NAT_DETECTED;
629
630 while ((natd = TAILQ_FIRST(&natd_tree)) != NULL) {
631 /* this function will clear appropriate bits bits
632 from iph1->natt_flags */
633 natd_verified = natt_compare_addr_hash (iph1,
634 natd->payload, natd->seq);
635
636 plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n",
637 natd->seq - 1,
638 natd_verified ? "verified" : "doesn't match");
639
640 vfree (natd->payload);
641
642 TAILQ_REMOVE(&natd_tree, natd, chain);
643 racoon_free (natd);
644 }
645
646 plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n",
647 iph1->natt_flags & NAT_DETECTED ?
648 "detected:" : "not detected",
649 iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "",
650 iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : "");
651
652 if (iph1->natt_flags & NAT_DETECTED)
653 natt_float_ports (iph1);
654 ike_session_update_natt_version(iph1);
655 }
656 #endif
657
658 /* compute sharing secret of DH */
659 #ifdef HAVE_OPENSSL
660 if (oakley_dh_compute(iph1->rmconf->dhgrp, iph1->dhpub,
661 iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) {
662 #else
663 if (oakley_dh_compute(iph1->rmconf->dhgrp, iph1->dhpub_p, iph1->publicKeySize, &iph1->dhgxy, iph1->dhC) < 0) {
664 #endif
665 plog(LLV_ERROR, LOCATION, NULL,
666 "failed to compute DH");
667 goto end;
668 }
669
670 /* generate SKEYIDs & IV & final cipher key */
671 if (oakley_skeyid(iph1) < 0) {
672 plog(LLV_ERROR, LOCATION, NULL,
673 "failed to generate SKEYID");
674 goto end;
675 }
676 if (oakley_skeyid_dae(iph1) < 0) {
677 plog(LLV_ERROR, LOCATION, NULL,
678 "failed to generate SKEYID-DAE");
679 goto end;
680 }
681 if (oakley_compute_enckey(iph1) < 0) {
682 plog(LLV_ERROR, LOCATION, NULL,
683 "failed to generate ENCKEY");
684 goto end;
685 }
686 if (oakley_newiv(iph1) < 0) {
687 plog(LLV_ERROR, LOCATION, NULL,
688 "failed to generate IV");
689 goto end;
690 }
691
692 /* validate authentication value */
693 ptype = oakley_validate_auth(iph1);
694 if (ptype != 0) {
695 IPSECSESSIONTRACEREVENT(iph1->parent_session,
696 IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_FAIL,
697 CONSTSTR("Initiator, Aggressive-Mode Message 2"),
698 CONSTSTR("Failed to authenticate, Aggressive-Mode Message 2"));
699 if (ptype == -1) {
700 /* message printed inner oakley_validate_auth() */
701 goto end;
702 }
703 EVT_PUSH(iph1->local, iph1->remote,
704 EVTT_PEERPH1AUTH_FAILED, NULL);
705 isakmp_info_send_n1(iph1, ptype, NULL);
706 goto end;
707 }
708 IPSECSESSIONTRACEREVENT(iph1->parent_session,
709 IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_SUCC,
710 CONSTSTR("Initiator, Aggressive-Mode Message 2"),
711 CONSTSTR(NULL));
712
713 if (oakley_checkcr(iph1) < 0) {
714 /* Ignore this error in order to be interoperability. */
715 ;
716 }
717
718 /* change status of isakmp status entry */
719 iph1->status = PHASE1ST_MSG2RECEIVED;
720
721 #ifdef ENABLE_VPNCONTROL_PORT
722 vpncontrol_notify_phase_change(1, FROM_REMOTE, iph1, NULL);
723 #endif
724
725 error = 0;
726
727 IPSECSESSIONTRACEREVENT(iph1->parent_session,
728 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
729 CONSTSTR("Initiator, Aggressive-Mode message 2"),
730 CONSTSTR(NULL));
731
732 end:
733 if (error) {
734 IPSECSESSIONTRACEREVENT(iph1->parent_session,
735 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
736 CONSTSTR("Initiator, Aggressive-Mode Message 2"),
737 CONSTSTR("Failure processing Aggressive-Mode Message 2"));
738 }
739 #ifdef HAVE_GSSAPI
740 if (gsstoken)
741 vfree(gsstoken);
742 #endif
743 if (pbuf)
744 vfree(pbuf);
745 if (satmp)
746 vfree(satmp);
747 if (error) {
748 VPTRINIT(iph1->dhpub_p);
749 VPTRINIT(iph1->nonce_p);
750 VPTRINIT(iph1->id_p);
751 oakley_delcert(iph1->cert_p);
752 iph1->cert_p = NULL;
753 oakley_delcert(iph1->crl_p);
754 iph1->crl_p = NULL;
755 VPTRINIT(iph1->sig_p);
756 oakley_delcert(iph1->cr_p);
757 iph1->cr_p = NULL;
758 }
759
760 return error;
761 }
762
763 /*
764 * send to responder
765 * psk: HDR, HASH_I
766 * gssapi: HDR, HASH_I
767 * sig: HDR, [ CERT, ] SIG_I
768 * rsa: HDR, HASH_I
769 * rev: HDR, HASH_I
770 */
771 int
772 agg_i2send(iph1, msg)
773 struct ph1handle *iph1;
774 vchar_t *msg;
775 {
776 struct payload_list *plist = NULL;
777 int need_cert = 0;
778 int error = -1;
779 vchar_t *gsshash = NULL;
780 #ifdef ENABLE_NATT
781 vchar_t *natd[2] = { NULL, NULL };
782 #endif
783 vchar_t *notp_unity = NULL;
784 vchar_t *notp_ini = NULL;
785
786 /* validity check */
787 if (iph1->status != PHASE1ST_MSG2RECEIVED) {
788 plog(LLV_ERROR, LOCATION, NULL,
789 "status mismatched %d.\n", iph1->status);
790 goto end;
791 }
792
793 /* generate HASH to send */
794 plog(LLV_DEBUG, LOCATION, NULL, "generate HASH_I\n");
795 iph1->hash = oakley_ph1hash_common(iph1, GENERATE);
796 if (iph1->hash == NULL) {
797 #ifdef HAVE_GSSAPI
798 if (gssapi_more_tokens(iph1) &&
799 #ifdef ENABLE_HYBRID
800 !iph1->rmconf->xauth &&
801 #endif
802 1)
803 isakmp_info_send_n1(iph1,
804 ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, NULL);
805 #endif
806 plog(LLV_ERROR, LOCATION, NULL,
807 "failed to generate HASH");
808 goto end;
809 }
810
811 switch (AUTHMETHOD(iph1)) {
812 case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
813 #ifdef ENABLE_HYBRID
814 case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
815 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
816 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
817 #endif
818 /* set HASH payload */
819 plist = isakmp_plist_append(plist,
820 iph1->hash, ISAKMP_NPTYPE_HASH);
821 break;
822
823 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
824 case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
825 #ifdef ENABLE_HYBRID
826 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
827 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
828 #endif
829 /* XXX if there is CR or not ? */
830
831 if (oakley_getmycert(iph1) < 0) {
832 plog(LLV_ERROR, LOCATION, NULL,
833 "failed to get mycert");
834 goto end;
835 }
836
837 if (oakley_getsign(iph1) < 0) {
838 plog(LLV_ERROR, LOCATION, NULL,
839 "failed to get sign");
840 goto end;
841 }
842
843 if (iph1->cert != NULL && iph1->rmconf->send_cert)
844 need_cert = 1;
845
846 /* add CERT payload if there */
847 // we don't support sending of certchains
848 if (need_cert)
849 plist = isakmp_plist_append(plist, iph1->cert->pl, ISAKMP_NPTYPE_CERT);
850
851 /* add SIG payload */
852 plist = isakmp_plist_append(plist, iph1->sig, ISAKMP_NPTYPE_SIG);
853 break;
854
855 case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
856 case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
857 #ifdef ENABLE_HYBRID
858 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
859 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
860 #endif
861 break;
862 #ifdef HAVE_GSSAPI
863 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
864 gsshash = gssapi_wraphash(iph1);
865 if (gsshash == NULL) {
866 plog(LLV_ERROR, LOCATION, NULL,
867 "failed to get GSS hash\n");
868 isakmp_info_send_n1(iph1,
869 ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, NULL);
870 goto end;
871 }
872
873 plist = isakmp_plist_append(plist, gsshash, ISAKMP_NPTYPE_HASH);
874 break;
875 #endif
876 }
877
878 #ifdef ENABLE_NATT
879 /* generate NAT-D payloads */
880 if (NATT_AVAILABLE(iph1)) {
881 plog (LLV_INFO, LOCATION, NULL, "Adding remote and local NAT-D payloads.\n");
882 if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) {
883 plog(LLV_ERROR, LOCATION, NULL,
884 "NAT-D hashing failed for %s\n", saddr2str(iph1->remote));
885 goto end;
886 }
887
888 if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) {
889 plog(LLV_ERROR, LOCATION, NULL,
890 "NAT-D hashing failed for %s\n", saddr2str(iph1->local));
891 goto end;
892 }
893 /* old Apple version sends natd payloads in the wrong order */
894 if (iph1->natt_options->version == VENDORID_NATT_APPLE) {
895 plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
896 plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
897 } else
898 {
899 plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
900 plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
901 }
902 }
903 #endif
904
905
906 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
907
908 #ifdef HAVE_PRINT_ISAKMP_C
909 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
910 #endif
911
912
913 /* send to responder */
914 if (isakmp_send(iph1, iph1->sendbuf) < 0) {
915 plog(LLV_ERROR, LOCATION, NULL,
916 "failed to send packet");
917 goto end;
918 }
919
920 /* the sending message is added to the received-list. */
921 if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
922 PH1_NON_ESP_EXTRA_LEN(iph1), PH1_FRAG_FLAGS(iph1)) == -1) {
923 plog(LLV_ERROR , LOCATION, NULL,
924 "failed to add a response packet to the tree.\n");
925 goto end;
926 }
927
928 /* set encryption flag */
929 iph1->flags |= ISAKMP_FLAG_E;
930
931 iph1->status = PHASE1ST_ESTABLISHED;
932
933 IPSECSESSIONTRACEREVENT(iph1->parent_session,
934 IPSECSESSIONEVENTCODE_IKEV1_PH1_INIT_SUCC,
935 CONSTSTR("Initiator, Aggressive-Mode"),
936 CONSTSTR(NULL));
937
938 error = 0;
939
940 IPSECSESSIONTRACEREVENT(iph1->parent_session,
941 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
942 CONSTSTR("Initiator, Aggressive-Mode message 3"),
943 CONSTSTR(NULL));
944
945 end:
946 if (error) {
947 IPSECSESSIONTRACEREVENT(iph1->parent_session,
948 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
949 CONSTSTR("Initiator, Aggressive-Mode Message 3"),
950 CONSTSTR("Failed to transmit Aggressive-Mode Message 3"));
951 }
952 #ifdef ENABLE_NATT
953 if (natd[0])
954 vfree(natd[0]);
955 if (natd[1])
956 vfree(natd[1]);
957 #endif
958 if (notp_unity)
959 vfree(notp_unity);
960 if (notp_ini)
961 vfree(notp_ini);
962 if (gsshash)
963 vfree(gsshash);
964 return error;
965 }
966
967 /*
968 * receive from initiator
969 * psk: HDR, SA, KE, Ni, IDi1
970 * sig: HDR, SA, KE, Ni, IDi1 [, CR ]
971 * gssapi: HDR, SA, KE, Ni, IDi1 , GSSi
972 * rsa: HDR, SA, [ HASH(1),] KE, <IDi1_b>Pubkey_r, <Ni_b>Pubkey_r
973 * rev: HDR, SA, [ HASH(1),] <Ni_b>Pubkey_r, <KE_b>Ke_i,
974 * <IDii_b>Ke_i [, <Cert-I_b>Ke_i ]
975 */
976 int
977 agg_r1recv(iph1, msg)
978 struct ph1handle *iph1;
979 vchar_t *msg;
980 {
981 int error = -1;
982 vchar_t *pbuf = NULL;
983 struct isakmp_parse_t *pa;
984 int vid_numeric;
985 #ifdef HAVE_GSSAPI
986 vchar_t *gsstoken = NULL;
987 #endif
988
989 /* validity check */
990 if (iph1->status != PHASE1ST_START) {
991 plog(LLV_ERROR, LOCATION, NULL,
992 "status mismatched %d.\n", iph1->status);
993 goto end;
994 }
995
996 /* validate the type of next payload */
997 pbuf = isakmp_parse(msg);
998 if (pbuf == NULL) {
999 plog(LLV_ERROR, LOCATION, NULL,
1000 "failed to parse msg");
1001 goto end;
1002 }
1003 pa = (struct isakmp_parse_t *)pbuf->v;
1004
1005 /* SA payload is fixed postion */
1006 if (pa->type != ISAKMP_NPTYPE_SA) {
1007 plog(LLV_ERROR, LOCATION, iph1->remote,
1008 "received invalid next payload type %d, "
1009 "expecting %d.\n",
1010 pa->type, ISAKMP_NPTYPE_SA);
1011 goto end;
1012 }
1013 if (isakmp_p2ph(&iph1->sa, pa->ptr) < 0) {
1014 plog(LLV_ERROR, LOCATION, NULL,
1015 "failed to process SA payload");
1016 goto end;
1017 }
1018 pa++;
1019
1020 for (/*nothing*/;
1021 pa->type != ISAKMP_NPTYPE_NONE;
1022 pa++) {
1023
1024 plog(LLV_DEBUG, LOCATION, NULL,
1025 "received payload of type %s\n",
1026 s_isakmp_nptype(pa->type));
1027
1028 switch (pa->type) {
1029 case ISAKMP_NPTYPE_KE:
1030 if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) {
1031 plog(LLV_ERROR, LOCATION, NULL,
1032 "failed to process KE payload");
1033 goto end;
1034 }
1035 break;
1036 case ISAKMP_NPTYPE_NONCE:
1037 if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) {
1038 plog(LLV_ERROR, LOCATION, NULL,
1039 "failed to process NONCE payload");
1040 goto end;
1041 }
1042 break;
1043 case ISAKMP_NPTYPE_ID:
1044 if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) {
1045 plog(LLV_ERROR, LOCATION, NULL,
1046 "failed to process ID payload");
1047 goto end;
1048 }
1049 break;
1050 case ISAKMP_NPTYPE_VID:
1051 vid_numeric = check_vendorid(pa->ptr);
1052
1053 #ifdef ENABLE_NATT
1054 if (iph1->rmconf->nat_traversal &&
1055 natt_vendorid(vid_numeric)) {
1056 natt_handle_vendorid(iph1, vid_numeric);
1057 break;
1058 }
1059 #endif
1060 #ifdef ENABLE_HYBRID
1061 switch (vid_numeric) {
1062 case VENDORID_XAUTH:
1063 iph1->mode_cfg->flags |=
1064 ISAKMP_CFG_VENDORID_XAUTH;
1065 break;
1066
1067 case VENDORID_UNITY:
1068 iph1->mode_cfg->flags |=
1069 ISAKMP_CFG_VENDORID_UNITY;
1070 break;
1071 default:
1072 break;
1073 }
1074 #endif
1075 #ifdef ENABLE_DPD
1076 if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd) {
1077 iph1->dpd_support=1;
1078 plog(LLV_DEBUG, LOCATION, NULL,
1079 "remote supports DPD\n");
1080 }
1081 #endif
1082 #ifdef ENABLE_FRAG
1083 if ((vid_numeric == VENDORID_FRAG) &&
1084 (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_AGG)) {
1085 plog(LLV_DEBUG, LOCATION, NULL,
1086 "remote supports FRAGMENTATION\n");
1087 iph1->frag = 1;
1088 }
1089 #endif
1090 break;
1091
1092 case ISAKMP_NPTYPE_CR:
1093 if (oakley_savecr(iph1, pa->ptr) < 0) {
1094 plog(LLV_ERROR, LOCATION, NULL,
1095 "failed to process CR payload");
1096 goto end;
1097 }
1098 break;
1099
1100 #ifdef HAVE_GSSAPI
1101 case ISAKMP_NPTYPE_GSS:
1102 if (isakmp_p2ph(&gsstoken, pa->ptr) < 0) {
1103 plog(LLV_ERROR, LOCATION, NULL,
1104 "failed to process GSS payload");
1105 goto end;
1106 }
1107 gssapi_save_received_token(iph1, gsstoken);
1108 break;
1109 #endif
1110 default:
1111 /* don't send information, see isakmp_ident_r1() */
1112 plog(LLV_ERROR, LOCATION, iph1->remote,
1113 "ignore the packet, "
1114 "received unexpecting payload type %d.\n",
1115 pa->type);
1116 goto end;
1117 }
1118 }
1119
1120 /* payload existency check */
1121 if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) {
1122 plog(LLV_ERROR, LOCATION, iph1->remote,
1123 "few isakmp message received.\n");
1124 goto end;
1125 }
1126
1127 /* verify identifier */
1128 if (ipsecdoi_checkid1(iph1) != 0) {
1129 plog(LLV_ERROR, LOCATION, iph1->remote,
1130 "invalid ID payload.\n");
1131 goto end;
1132 }
1133
1134 #ifdef ENABLE_NATT
1135 if (NATT_AVAILABLE(iph1)) {
1136 plog(LLV_INFO, LOCATION, iph1->remote,
1137 "Selected NAT-T version: %s\n",
1138 vid_string_by_id(iph1->natt_options->version));
1139 ike_session_update_natt_version(iph1);
1140 }
1141 #endif
1142
1143 /* check SA payload and set approval SA for use */
1144 if (ipsecdoi_checkph1proposal(iph1->sa, iph1) < 0) {
1145 plog(LLV_ERROR, LOCATION, iph1->remote,
1146 "failed to get valid proposal.\n");
1147 /* XXX send information */
1148 goto end;
1149 }
1150
1151 if (oakley_checkcr(iph1) < 0) {
1152 /* Ignore this error in order to be interoperability. */
1153 ;
1154 }
1155
1156 iph1->status = PHASE1ST_MSG1RECEIVED;
1157
1158 error = 0;
1159
1160 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1161 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
1162 CONSTSTR("Responder, Aggressive-Mode message 1"),
1163 CONSTSTR(NULL));
1164
1165 end:
1166 if (error) {
1167 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1168 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
1169 CONSTSTR("Responder, Aggressive-Mode Message 1"),
1170 CONSTSTR("Failed to process Aggressive-Mode Message 1"));
1171 }
1172 #ifdef HAVE_GSSAPI
1173 if (gsstoken)
1174 vfree(gsstoken);
1175 #endif
1176 if (pbuf)
1177 vfree(pbuf);
1178 if (error) {
1179 VPTRINIT(iph1->sa);
1180 VPTRINIT(iph1->dhpub_p);
1181 VPTRINIT(iph1->nonce_p);
1182 VPTRINIT(iph1->id_p);
1183 oakley_delcert(iph1->cr_p);
1184 iph1->cr_p = NULL;
1185 }
1186
1187 return error;
1188 }
1189
1190 /*
1191 * send to initiator
1192 * psk: HDR, SA, KE, Nr, IDr1, HASH_R
1193 * sig: HDR, SA, KE, Nr, IDr1, [ CR, ] [ CERT, ] SIG_R
1194 * gssapi: HDR, SA, KE, Nr, IDr1, GSSr, HASH_R
1195 * rsa: HDR, SA, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i, HASH_R
1196 * rev: HDR, SA, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDir_b>Ke_r, HASH_R
1197 */
1198 int
1199 agg_r1send(iph1, msg)
1200 struct ph1handle *iph1;
1201 vchar_t *msg;
1202 {
1203 struct payload_list *plist = NULL;
1204 int need_cr = 0;
1205 int need_cert = 0;
1206 vchar_t *cr = NULL;
1207 int error = -1;
1208 #ifdef ENABLE_HYBRID
1209 vchar_t *xauth_vid = NULL;
1210 vchar_t *unity_vid = NULL;
1211 #endif
1212 #ifdef ENABLE_NATT
1213 vchar_t *vid_natt = NULL;
1214 vchar_t *natd[2] = { NULL, NULL };
1215 #endif
1216 #ifdef ENABLE_DPD
1217 vchar_t *vid_dpd = NULL;
1218 #endif
1219 #ifdef ENABLE_FRAG
1220 vchar_t *vid_frag = NULL;
1221 #endif
1222
1223 #ifdef HAVE_GSSAPI
1224 int gsslen;
1225 vchar_t *gsstoken = NULL, *gsshash = NULL;
1226 vchar_t *gss_sa = NULL;
1227 int free_gss_sa = 0;
1228 #endif
1229
1230 /* validity check */
1231 if (iph1->status != PHASE1ST_MSG1RECEIVED) {
1232 plog(LLV_ERROR, LOCATION, NULL,
1233 "status mismatched %d.\n", iph1->status);
1234 goto end;
1235 }
1236
1237 /* set responder's cookie */
1238 isakmp_newcookie((caddr_t)&iph1->index.r_ck, iph1->remote, iph1->local);
1239
1240 /* make ID payload into isakmp status */
1241 if (ipsecdoi_setid1(iph1) < 0) {
1242 plog(LLV_ERROR, LOCATION, NULL,
1243 "failed to set ID");
1244 goto end;
1245 }
1246
1247 /* generate DH public value */
1248 #ifdef HAVE_OPENSSL
1249 if (oakley_dh_generate(iph1->rmconf->dhgrp,
1250 &iph1->dhpub, &iph1->dhpriv) < 0) {
1251 #else
1252 if (oakley_dh_generate(iph1->rmconf->dhgrp,
1253 &iph1->dhpub, &iph1->publicKeySize, &iph1->dhC) < 0) {
1254 #endif
1255 plog(LLV_ERROR, LOCATION, NULL,
1256 "failed to generate DH");
1257 goto end;
1258 }
1259
1260 /* generate NONCE value */
1261 iph1->nonce = eay_set_random(iph1->rmconf->nonce_size);
1262 if (iph1->nonce == NULL) {
1263 plog(LLV_ERROR, LOCATION, NULL,
1264 "failed to generate NONCE");
1265 goto end;
1266 }
1267
1268 /* compute sharing secret of DH */
1269 #ifdef HAVE_OPENSSL
1270 if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub,
1271 iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) {
1272 #else
1273 if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub_p, iph1->publicKeySize, &iph1->dhgxy, iph1->dhC) < 0) {
1274 #endif
1275 plog(LLV_ERROR, LOCATION, NULL,
1276 "failed to compute DH");
1277 goto end;
1278 }
1279
1280 /* generate SKEYIDs & IV & final cipher key */
1281 if (oakley_skeyid(iph1) < 0) {
1282 plog(LLV_ERROR, LOCATION, NULL,
1283 "failed to generate SKEYID");
1284 goto end;
1285 }
1286 if (oakley_skeyid_dae(iph1) < 0) {
1287 plog(LLV_ERROR, LOCATION, NULL,
1288 "failed to generate SKEYID-DAE");
1289 goto end;
1290 }
1291 if (oakley_compute_enckey(iph1) < 0) {
1292 plog(LLV_ERROR, LOCATION, NULL,
1293 "failed to generate ENCKEY");
1294 goto end;
1295 }
1296 if (oakley_newiv(iph1) < 0) {
1297 plog(LLV_ERROR, LOCATION, NULL,
1298 "failed to generate IV");
1299 goto end;
1300 }
1301
1302 #ifdef HAVE_GSSAPI
1303 if (RMAUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB)
1304 gssapi_get_rtoken(iph1, &gsslen);
1305 #endif
1306
1307 /* generate HASH to send */
1308 plog(LLV_DEBUG, LOCATION, NULL, "generate HASH_R\n");
1309 iph1->hash = oakley_ph1hash_common(iph1, GENERATE);
1310 if (iph1->hash == NULL) {
1311 #ifdef HAVE_GSSAPI
1312 if (gssapi_more_tokens(iph1))
1313 isakmp_info_send_n1(iph1,
1314 ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, NULL);
1315 #endif
1316 plog(LLV_ERROR, LOCATION, NULL,
1317 "failed to generate GSS HASH");
1318 goto end;
1319 }
1320
1321 /* create CR if need */
1322 if (iph1->rmconf->send_cr
1323 && oakley_needcr(iph1->approval->authmethod)
1324 && iph1->rmconf->peerscertfile == NULL) {
1325 need_cr = 1;
1326 cr = oakley_getcr(iph1);
1327 if (cr == NULL) {
1328 plog(LLV_ERROR, LOCATION, NULL,
1329 "failed to get CR.\n");
1330 goto end;
1331 }
1332 }
1333
1334 #ifdef ENABLE_NATT
1335 /* Has the peer announced NAT-T? */
1336 if (NATT_AVAILABLE(iph1)) {
1337 /* set chosen VID */
1338 vid_natt = set_vendorid(iph1->natt_options->version);
1339
1340 /* generate NAT-D payloads */
1341 plog (LLV_INFO, LOCATION, NULL, "Adding remote and local NAT-D payloads.\n");
1342 if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) {
1343 plog(LLV_ERROR, LOCATION, NULL,
1344 "NAT-D hashing failed for %s\n", saddr2str(iph1->remote));
1345 goto end;
1346 }
1347
1348 if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) {
1349 plog(LLV_ERROR, LOCATION, NULL,
1350 "NAT-D hashing failed for %s\n", saddr2str(iph1->local));
1351 goto end;
1352 }
1353 }
1354 #endif
1355 #ifdef ENABLE_DPD
1356 /* Only send DPD support if remote announced DPD and if DPD support is active */
1357 if (iph1->dpd_support && iph1->rmconf->dpd)
1358 vid_dpd = set_vendorid(VENDORID_DPD);
1359 #endif
1360 #ifdef ENABLE_FRAG
1361 if (iph1->frag) {
1362 vid_frag = set_vendorid(VENDORID_FRAG);
1363 if (vid_frag != NULL)
1364 vid_frag = isakmp_frag_addcap(vid_frag,
1365 VENDORID_FRAG_AGG);
1366 if (vid_frag == NULL)
1367 plog(LLV_ERROR, LOCATION, NULL,
1368 "Frag vendorID construction failed\n");
1369 }
1370 #endif
1371
1372 switch (AUTHMETHOD(iph1)) {
1373 case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
1374 #ifdef ENABLE_HYBRID
1375 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
1376 #endif
1377 /* set SA payload to reply */
1378 plist = isakmp_plist_append(plist, iph1->sa_ret, ISAKMP_NPTYPE_SA);
1379
1380 /* create isakmp KE payload */
1381 plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE);
1382
1383 /* create isakmp NONCE payload */
1384 plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE);
1385
1386 /* create isakmp ID payload */
1387 plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
1388
1389 /* create isakmp HASH payload */
1390 plist = isakmp_plist_append(plist,
1391 iph1->hash, ISAKMP_NPTYPE_HASH);
1392
1393 /* create isakmp CR payload if needed */
1394 if (need_cr)
1395 plist = isakmp_plist_append(plist, cr, ISAKMP_NPTYPE_CR);
1396 break;
1397 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
1398 case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
1399 #ifdef ENABLE_HYBRID
1400 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
1401 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
1402 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
1403 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
1404 #endif
1405 /* XXX if there is CR or not ? */
1406
1407 if (oakley_getmycert(iph1) < 0) {
1408 plog(LLV_ERROR, LOCATION, NULL,
1409 "failed to get mycert");
1410 goto end;
1411 }
1412
1413 if (oakley_getsign(iph1) < 0) {
1414 plog(LLV_ERROR, LOCATION, NULL,
1415 "failed to get sign");
1416 goto end;
1417 }
1418
1419 if (iph1->cert != NULL && iph1->rmconf->send_cert)
1420 need_cert = 1;
1421
1422 /* set SA payload to reply */
1423 plist = isakmp_plist_append(plist, iph1->sa_ret, ISAKMP_NPTYPE_SA);
1424
1425 /* create isakmp KE payload */
1426 plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE);
1427
1428 /* create isakmp NONCE payload */
1429 plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE);
1430
1431 /* add ID payload */
1432 plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
1433
1434 /* add CERT payload if there */
1435 if (need_cert)
1436 plist = isakmp_plist_append(plist, iph1->cert->pl, ISAKMP_NPTYPE_CERT);
1437
1438 /* add SIG payload */
1439 plist = isakmp_plist_append(plist, iph1->sig, ISAKMP_NPTYPE_SIG);
1440
1441 /* create isakmp CR payload if needed */
1442 if (need_cr)
1443 plist = isakmp_plist_append(plist,
1444 cr, ISAKMP_NPTYPE_CR);
1445 break;
1446
1447 case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
1448 case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
1449 #ifdef ENABLE_HYBRID
1450 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
1451 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
1452 #endif
1453 break;
1454 #ifdef HAVE_GSSAPI
1455 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
1456 /* create buffer to send isakmp payload */
1457 gsshash = gssapi_wraphash(iph1);
1458 if (gsshash == NULL) {
1459 plog(LLV_ERROR, LOCATION, NULL,
1460 "failed to generate GSS HASH\n");
1461 /*
1462 * This is probably due to the GSS
1463 * roundtrips not being finished yet.
1464 * Return this error in the hope that
1465 * a fallback to main mode will be done.
1466 */
1467 isakmp_info_send_n1(iph1,
1468 ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, NULL);
1469 goto end;
1470 }
1471 if (iph1->approval->gssid != NULL)
1472 gss_sa =
1473 ipsecdoi_setph1proposal(iph1->approval);
1474 else
1475 gss_sa = iph1->sa_ret;
1476
1477 if (gss_sa != iph1->sa_ret)
1478 free_gss_sa = 1;
1479
1480 /* set SA payload to reply */
1481 plist = isakmp_plist_append(plist,
1482 gss_sa, ISAKMP_NPTYPE_SA);
1483
1484 /* create isakmp KE payload */
1485 plist = isakmp_plist_append(plist,
1486 iph1->dhpub, ISAKMP_NPTYPE_KE);
1487
1488 /* create isakmp NONCE payload */
1489 plist = isakmp_plist_append(plist,
1490 iph1->nonce, ISAKMP_NPTYPE_NONCE);
1491
1492 /* create isakmp ID payload */
1493 plist = isakmp_plist_append(plist,
1494 iph1->id, ISAKMP_NPTYPE_ID);
1495
1496 /* create GSS payload */
1497 gssapi_get_token_to_send(iph1, &gsstoken);
1498 plist = isakmp_plist_append(plist,
1499 gsstoken, ISAKMP_NPTYPE_GSS);
1500
1501 /* create isakmp HASH payload */
1502 plist = isakmp_plist_append(plist,
1503 gsshash, ISAKMP_NPTYPE_HASH);
1504
1505 /* append vendor id, if needed */
1506 break;
1507 #endif
1508 }
1509
1510 #ifdef ENABLE_HYBRID
1511 if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) {
1512 plog (LLV_INFO, LOCATION, NULL, "Adding xauth VID payload.\n");
1513 if ((xauth_vid = set_vendorid(VENDORID_XAUTH)) == NULL) {
1514 plog(LLV_ERROR, LOCATION, NULL,
1515 "Cannot create Xauth vendor ID\n");
1516 goto end;
1517 }
1518 plist = isakmp_plist_append(plist,
1519 xauth_vid, ISAKMP_NPTYPE_VID);
1520 }
1521
1522 if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_UNITY) {
1523 if ((unity_vid = set_vendorid(VENDORID_UNITY)) == NULL) {
1524 plog(LLV_ERROR, LOCATION, NULL,
1525 "Cannot create Unity vendor ID\n");
1526 goto end;
1527 }
1528 plist = isakmp_plist_append(plist,
1529 unity_vid, ISAKMP_NPTYPE_VID);
1530 }
1531 #endif
1532
1533 #ifdef ENABLE_NATT
1534 /* append NAT-T payloads */
1535 if (vid_natt) {
1536 /* chosen VID */
1537 plist = isakmp_plist_append(plist, vid_natt, ISAKMP_NPTYPE_VID);
1538 /* NAT-D */
1539 /* old Apple version sends natd payloads in the wrong order */
1540 if (iph1->natt_options->version == VENDORID_NATT_APPLE) {
1541 plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
1542 plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
1543 } else
1544 {
1545 plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
1546 plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
1547 }
1548 }
1549 #endif
1550
1551 #ifdef ENABLE_FRAG
1552 if (vid_frag)
1553 plist = isakmp_plist_append(plist, vid_frag, ISAKMP_NPTYPE_VID);
1554 #endif
1555
1556 #ifdef ENABLE_DPD
1557 if (vid_dpd)
1558 plist = isakmp_plist_append(plist, vid_dpd, ISAKMP_NPTYPE_VID);
1559 #endif
1560
1561 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
1562
1563 #ifdef HAVE_PRINT_ISAKMP_C
1564 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 1);
1565 #endif
1566
1567 /* send the packet, add to the schedule to resend */
1568 iph1->retry_counter = iph1->rmconf->retry_counter;
1569 if (isakmp_ph1resend(iph1) == -1) {
1570 plog(LLV_ERROR , LOCATION, NULL,
1571 "failed to send packet");
1572 goto end;
1573 }
1574
1575 /* the sending message is added to the received-list. */
1576 if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
1577 PH1_NON_ESP_EXTRA_LEN(iph1), PH1_FRAG_FLAGS(iph1)) == -1) {
1578 plog(LLV_ERROR , LOCATION, NULL,
1579 "failed to add a response packet to the tree.\n");
1580 goto end;
1581 }
1582
1583 iph1->status = PHASE1ST_MSG1SENT;
1584
1585 #ifdef ENABLE_VPNCONTROL_PORT
1586 vpncontrol_notify_phase_change(1, FROM_LOCAL, iph1, NULL);
1587 #endif
1588
1589 error = 0;
1590
1591 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1592 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
1593 CONSTSTR("Responder, Aggressive-Mode message 2"),
1594 CONSTSTR(NULL));
1595
1596 end:
1597 if (error) {
1598 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1599 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
1600 CONSTSTR("Responder, Aggressive-Mode Message 2"),
1601 CONSTSTR("Failed to process Aggressive-Mode Message 2"));
1602 }
1603 if (cr)
1604 vfree(cr);
1605 #ifdef ENABLE_HYBRID
1606 if (xauth_vid)
1607 vfree(xauth_vid);
1608 if (unity_vid)
1609 vfree(unity_vid);
1610 #endif
1611 #ifdef HAVE_GSSAPI
1612 if (gsstoken)
1613 vfree(gsstoken);
1614 if (gsshash)
1615 vfree(gsshash);
1616 if (free_gss_sa)
1617 vfree(gss_sa);
1618 #endif
1619 #ifdef ENABLE_NATT
1620 if (vid_natt)
1621 vfree(vid_natt);
1622 if (natd[0])
1623 vfree(natd[0]);
1624 if (natd[1])
1625 vfree(natd[1]);
1626 #endif
1627 #ifdef ENABLE_DPD
1628 if (vid_dpd)
1629 vfree(vid_dpd);
1630 #endif
1631 #ifdef ENABLE_FRAG
1632 if (vid_frag)
1633 vfree(vid_frag);
1634 #endif
1635
1636 return error;
1637 }
1638
1639 /*
1640 * receive from initiator
1641 * psk: HDR, HASH_I
1642 * gssapi: HDR, HASH_I
1643 * sig: HDR, [ CERT, ] SIG_I
1644 * rsa: HDR, HASH_I
1645 * rev: HDR, HASH_I
1646 */
1647 int
1648 agg_r2recv(iph1, msg0)
1649 struct ph1handle *iph1;
1650 vchar_t *msg0;
1651 {
1652 vchar_t *msg = NULL;
1653 vchar_t *pbuf = NULL;
1654 struct isakmp_parse_t *pa;
1655 int error = -1;
1656 int ptype;
1657
1658 #ifdef ENABLE_NATT
1659 int natd_seq = 0;
1660 #endif
1661 int received_cert = 0;
1662
1663 /* validity check */
1664 if (iph1->status != PHASE1ST_MSG1SENT) {
1665 plog(LLV_ERROR, LOCATION, NULL,
1666 "status mismatched %d.\n", iph1->status);
1667 goto end;
1668 }
1669
1670 /* decrypting if need. */
1671 /* XXX configurable ? */
1672 if (ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
1673 msg = oakley_do_decrypt(iph1, msg0,
1674 iph1->ivm->iv, iph1->ivm->ive);
1675 if (msg == NULL) {
1676 plog(LLV_ERROR, LOCATION, NULL,
1677 "failed to decrypt msg");
1678 goto end;
1679 }
1680 } else
1681 msg = vdup(msg0);
1682
1683 /* validate the type of next payload */
1684 pbuf = isakmp_parse(msg);
1685 if (pbuf == NULL) {
1686 plog(LLV_ERROR, LOCATION, NULL,
1687 "failed to parse msg");
1688 goto end;
1689 }
1690
1691 iph1->pl_hash = NULL;
1692
1693 for (pa = (struct isakmp_parse_t *)pbuf->v;
1694 pa->type != ISAKMP_NPTYPE_NONE;
1695 pa++) {
1696
1697 switch (pa->type) {
1698 case ISAKMP_NPTYPE_HASH:
1699 iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr;
1700 break;
1701 case ISAKMP_NPTYPE_VID:
1702 (void)check_vendorid(pa->ptr);
1703 break;
1704 case ISAKMP_NPTYPE_CERT:
1705 if (oakley_savecert(iph1, pa->ptr) < 0) {
1706 plog(LLV_ERROR, LOCATION, NULL,
1707 "failed to process CERT payload");
1708 goto end;
1709 }
1710 received_cert = 1;
1711 break;
1712 case ISAKMP_NPTYPE_SIG:
1713 if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) {
1714 plog(LLV_ERROR, LOCATION, NULL,
1715 "failed to process SIG payload");
1716 goto end;
1717 }
1718 break;
1719 case ISAKMP_NPTYPE_N:
1720 isakmp_check_notify(pa->ptr, iph1);
1721 break;
1722
1723 #ifdef ENABLE_NATT
1724 case ISAKMP_NPTYPE_NATD_DRAFT:
1725 case ISAKMP_NPTYPE_NATD_RFC:
1726 if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL &&
1727 pa->type == iph1->natt_options->payload_nat_d)
1728 {
1729 vchar_t *natd_received = NULL;
1730 int natd_verified;
1731
1732 if (isakmp_p2ph (&natd_received, pa->ptr) < 0) {
1733 plog(LLV_ERROR, LOCATION, NULL,
1734 "failed to process NATD payload");
1735 goto end;
1736 }
1737
1738 if (natd_seq == 0)
1739 iph1->natt_flags |= NAT_DETECTED;
1740
1741 natd_verified = natt_compare_addr_hash (iph1,
1742 natd_received, natd_seq++);
1743
1744 plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n",
1745 natd_seq - 1,
1746 natd_verified ? "verified" : "doesn't match");
1747
1748 vfree (natd_received);
1749 break;
1750 }
1751 /* %%%% Be lenient here - some servers send natd payloads */
1752 /* when no nat is detected */
1753 break;
1754 #endif
1755
1756 default:
1757 /* don't send information, see isakmp_ident_r1() */
1758 plog(LLV_ERROR, LOCATION, iph1->remote,
1759 "ignore the packet, "
1760 "received unexpecting payload type %d.\n",
1761 pa->type);
1762 goto end;
1763 }
1764 }
1765
1766 #ifdef ENABLE_NATT
1767 if (NATT_AVAILABLE(iph1))
1768 plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n",
1769 iph1->natt_flags & NAT_DETECTED ?
1770 "detected:" : "not detected",
1771 iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "",
1772 iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : "");
1773 #endif
1774
1775 if (received_cert) {
1776 oakley_verify_certid(iph1);
1777 }
1778
1779 /* validate authentication value */
1780 ptype = oakley_validate_auth(iph1);
1781 if (ptype != 0) {
1782 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1783 IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_FAIL,
1784 CONSTSTR("Responder, Aggressive-Mode Message 3"),
1785 CONSTSTR("Failed to authenticate Aggressive-Mode Message 3"));
1786 if (ptype == -1) {
1787 /* message printed inner oakley_validate_auth() */
1788 goto end;
1789 }
1790 EVT_PUSH(iph1->local, iph1->remote,
1791 EVTT_PEERPH1AUTH_FAILED, NULL);
1792 isakmp_info_send_n1(iph1, ptype, NULL);
1793 goto end;
1794 }
1795 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1796 IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_SUCC,
1797 CONSTSTR("Responder, Aggressive-Mode Message 3"),
1798 CONSTSTR(NULL));
1799
1800 iph1->status = PHASE1ST_MSG2RECEIVED;
1801
1802 error = 0;
1803
1804 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1805 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
1806 CONSTSTR("Responder, Aggressive-Mode message 3"),
1807 CONSTSTR(NULL));
1808
1809 end:
1810 if (error) {
1811 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1812 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
1813 CONSTSTR("Responder, Aggressive-Mode Message 3"),
1814 CONSTSTR("Failed to process Aggressive-Mode Message 3"));
1815 }
1816 if (pbuf)
1817 vfree(pbuf);
1818 if (msg)
1819 vfree(msg);
1820 if (error) {
1821 oakley_delcert(iph1->cert_p);
1822 iph1->cert_p = NULL;
1823 oakley_delcert(iph1->crl_p);
1824 iph1->crl_p = NULL;
1825 VPTRINIT(iph1->sig_p);
1826 }
1827
1828 return error;
1829 }
1830
1831 /*
1832 * status update and establish isakmp sa.
1833 */
1834 int
1835 agg_r2send(iph1, msg)
1836 struct ph1handle *iph1;
1837 vchar_t *msg;
1838 {
1839 int error = -1;
1840
1841 /* validity check */
1842 if (iph1->status != PHASE1ST_MSG2RECEIVED) {
1843 plog(LLV_ERROR, LOCATION, NULL,
1844 "status mismatched %d.\n", iph1->status);
1845 goto end;
1846 }
1847
1848 /* IV synchronized when packet encrypted. */
1849 /* see handler.h about IV synchronization. */
1850 if (ISSET(((struct isakmp *)msg->v)->flags, ISAKMP_FLAG_E))
1851 memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->iv->l);
1852
1853 /* set encryption flag */
1854 iph1->flags |= ISAKMP_FLAG_E;
1855
1856 iph1->status = PHASE1ST_ESTABLISHED;
1857
1858 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1859 IPSECSESSIONEVENTCODE_IKEV1_PH1_RESP_SUCC,
1860 CONSTSTR("Responder, Aggressive-Mode"),
1861 CONSTSTR(NULL));
1862
1863 error = 0;
1864
1865 end:
1866 return error;
1867 }
mirror of ipsec