1 /* $NetBSD: isakmp_base.c,v 1.7 2006/10/02 21:51:33 manu Exp $ */
2
3 /* $KAME: isakmp_base.c,v 1.49 2003/11/13 02:30:20 sakane Exp $ */
4
5 /*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 /* Base Exchange (Base Mode) */
35
36 #include "config.h"
37
38 #include <sys/types.h>
39 #include <sys/param.h>
40
41 #include <stdlib.h>
42 #include <stdio.h>
43 #include <string.h>
44 #include <errno.h>
45 #if TIME_WITH_SYS_TIME
46 # include <sys/time.h>
47 # include <time.h>
48 #else
49 # if HAVE_SYS_TIME_H
50 # include <sys/time.h>
51 # else
52 # include <time.h>
53 # endif
54 #endif
55
56 #include "var.h"
57 #include "misc.h"
58 #include "vmbuf.h"
59 #include "plog.h"
60 #include "sockmisc.h"
61 #include "schedule.h"
62 #include "debug.h"
63
64 #ifdef ENABLE_HYBRID
65 #include <resolv.h>
66 #endif
67
68 #include "localconf.h"
69 #include "remoteconf.h"
70 #include "isakmp_var.h"
71 #include "isakmp.h"
72 #include "evt.h"
73 #include "oakley.h"
74 #include "handler.h"
75 #include "ipsec_doi.h"
76 #include "crypto_openssl.h"
77 #include "pfkey.h"
78 #include "isakmp_base.h"
79 #include "isakmp_inf.h"
80 #include "vendorid.h"
81 #ifdef ENABLE_NATT
82 #include "nattraversal.h"
83 #endif
84 #ifdef ENABLE_FRAG
85 #include "isakmp_frag.h"
86 #endif
87 #ifdef ENABLE_HYBRID
88 #include "isakmp_xauth.h"
89 #include "isakmp_cfg.h"
90 #endif
91 #include "vpn_control.h"
92 #include "vpn_control_var.h"
93
94 /* %%%
95 * begin Base Mode as initiator.
96 */
/*
 * Base Mode, initiator, message 1: build and send the opening packet.
 *
 * send to responder
 * 	psk: HDR, SA, Idii, Ni_b
 * 	sig: HDR, SA, Idii, Ni_b
 * 	rsa: HDR, SA, [HASH(1),] <IDii_b>Pubkey_r, <Ni_b>Pubkey_r
 * 	rev: HDR, SA, [HASH(1),] <Ni_b>Pubkey_r, <IDii_b>Ke_i
 *
 * iph1 must be in PHASE1ST_START and msg must be NULL.  On success the
 * handle is moved to PHASE1ST_MSG1SENT and 0 is returned; every failure
 * returns -1.  The vendor-ID buffers built here are released before
 * returning, on both paths.
 *
 * NOTE(review): the result of isakmp_plist_set_all() is stored in
 * iph1->sendbuf without a NULL check before isakmp_ph1resend() is called;
 * whether a NULL sendbuf is rejected there is not visible from this
 * function -- confirm.
 */
int
base_i1send(iph1, msg)
	struct ph1handle *iph1;
	vchar_t *msg; /* must be null */
{
	struct payload_list *payloads = NULL;
	int rc = -1;
#ifdef ENABLE_NATT
	vchar_t *vid_natt[MAX_NATT_VID_COUNT] = { NULL };
	int k, natt_vids = 0;
#endif
#ifdef ENABLE_FRAG
	vchar_t *vid_frag = NULL;
#endif
#ifdef ENABLE_HYBRID
	vchar_t *vid_xauth = NULL;
	vchar_t *vid_unity = NULL;
#endif
#ifdef ENABLE_DPD
	vchar_t *vid_dpd = NULL;
#endif

	/* this handler opens the exchange, so no incoming packet is expected */
	if (msg != NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"msg has to be NULL in this function.\n");
		goto end;
	}
	if (iph1->status != PHASE1ST_START) {
		plog(LLV_ERROR, LOCATION, NULL,
			"status mismatched %d.\n", iph1->status);
		goto end;
	}

	/* create isakmp index: clear it, then let isakmp_newcookie() fill it */
	memset(&iph1->index, 0, sizeof(iph1->index));
	isakmp_newcookie((caddr_t)&iph1->index, iph1->remote, iph1->local);

	/* make ID payload into isakmp status */
	if (ipsecdoi_setid1(iph1) < 0)
		goto end;

	/* create SA payload for my proposal */
	iph1->sa = ipsecdoi_setph1proposal(iph1->rmconf->proposal);
	if (iph1->sa == NULL)
		goto end;

	/* generate NONCE value, sized by the remote configuration */
	iph1->nonce = eay_set_random(iph1->rmconf->nonce_size);
	if (iph1->nonce == NULL)
		goto end;

#ifdef ENABLE_HYBRID
	/* Do we need Xauth VID?  A failed VID is logged and simply left out. */
	switch (RMAUTHMETHOD(iph1)) {
	case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
		vid_xauth = set_vendorid(VENDORID_XAUTH);
		if (vid_xauth == NULL)
			plog(LLV_ERROR, LOCATION, NULL,
				"Xauth vendor ID generation failed\n");

		vid_unity = set_vendorid(VENDORID_UNITY);
		if (vid_unity == NULL)
			plog(LLV_ERROR, LOCATION, NULL,
				"Unity vendor ID generation failed\n");
		break;
	default:
		break;
	}
#endif
#ifdef ENABLE_FRAG
	if (iph1->rmconf->ike_frag) {
		vid_frag = set_vendorid(VENDORID_FRAG);
		if (vid_frag != NULL)
			vid_frag = isakmp_frag_addcap(vid_frag,
				VENDORID_FRAG_BASE);
		/* covers both a failed set_vendorid() and a failed addcap */
		if (vid_frag == NULL)
			plog(LLV_ERROR, LOCATION, NULL,
				"Frag vendorID construction failed\n");
	}
#endif
#ifdef ENABLE_NATT
	/* Is NAT-T support allowed in the config file? */
	if (iph1->rmconf->nat_traversal) {
		/* Advertise NAT-T capability, one VID per compiled-in version */
		memset (vid_natt, 0, sizeof (vid_natt));
#ifdef VENDORID_NATT_00
		vid_natt[natt_vids] = set_vendorid(VENDORID_NATT_00);
		if (vid_natt[natt_vids] != NULL)
			natt_vids++;
#endif
#ifdef VENDORID_NATT_02
		vid_natt[natt_vids] = set_vendorid(VENDORID_NATT_02);
		if (vid_natt[natt_vids] != NULL)
			natt_vids++;
#endif
#ifdef VENDORID_NATT_02_N
		vid_natt[natt_vids] = set_vendorid(VENDORID_NATT_02_N);
		if (vid_natt[natt_vids] != NULL)
			natt_vids++;
#endif
#ifdef VENDORID_NATT_RFC
		vid_natt[natt_vids] = set_vendorid(VENDORID_NATT_RFC);
		if (vid_natt[natt_vids] != NULL)
			natt_vids++;
#endif
	}
#endif

	/* payload order below is the order used for the outgoing packet */

	/* set SA payload to propose */
	payloads = isakmp_plist_append(payloads, iph1->sa, ISAKMP_NPTYPE_SA);

	/* create isakmp ID payload */
	payloads = isakmp_plist_append(payloads, iph1->id, ISAKMP_NPTYPE_ID);

	/* create isakmp NONCE payload */
	payloads = isakmp_plist_append(payloads, iph1->nonce, ISAKMP_NPTYPE_NONCE);

#ifdef ENABLE_FRAG
	if (vid_frag)
		payloads = isakmp_plist_append(payloads, vid_frag, ISAKMP_NPTYPE_VID);
#endif
#ifdef ENABLE_HYBRID
	if (vid_xauth)
		payloads = isakmp_plist_append(payloads,
			vid_xauth, ISAKMP_NPTYPE_VID);
	if (vid_unity)
		payloads = isakmp_plist_append(payloads,
			vid_unity, ISAKMP_NPTYPE_VID);
#endif
#ifdef ENABLE_DPD
	if (iph1->rmconf->dpd) {
		vid_dpd = set_vendorid(VENDORID_DPD);
		if (vid_dpd != NULL)
			payloads = isakmp_plist_append(payloads, vid_dpd, ISAKMP_NPTYPE_VID);
	}
#endif
#ifdef ENABLE_NATT
	/* set VID payload for NAT-T */
	for (k = 0; k < natt_vids; k++)
		payloads = isakmp_plist_append(payloads, vid_natt[k], ISAKMP_NPTYPE_VID);
#endif
	iph1->sendbuf = isakmp_plist_set_all (&payloads, iph1);

#ifdef HAVE_PRINT_ISAKMP_C
	isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
#endif

	/* send the packet, add to the schedule to resend */
	iph1->retry_counter = iph1->rmconf->retry_counter;
	if (isakmp_ph1resend(iph1) == -1)
		goto end;

	iph1->status = PHASE1ST_MSG1SENT;

	rc = 0;

end:
	/* the VID buffers are local to this function; release them in all cases */
#ifdef ENABLE_FRAG
	if (vid_frag)
		vfree(vid_frag);
#endif
#ifdef ENABLE_NATT
	for (k = 0; k < natt_vids; k++)
		vfree(vid_natt[k]);
#endif
#ifdef ENABLE_HYBRID
	if (vid_xauth != NULL)
		vfree(vid_xauth);
	if (vid_unity != NULL)
		vfree(vid_unity);
#endif
#ifdef ENABLE_DPD
	if (vid_dpd != NULL)
		vfree(vid_dpd);
#endif

	return rc;
}
285
/*
 * Base Mode, initiator, message 2: parse the responder's first reply.
 *
 * receive from responder
 * 	psk: HDR, SA, Idir, Nr_b
 * 	sig: HDR, SA, Idir, Nr_b, [ CR ]
 * 	rsa: HDR, SA, <IDir_b>PubKey_i, <Nr_b>PubKey_i
 * 	rev: HDR, SA, <Nr_b>PubKey_i, <IDir_b>Ke_r
 *
 * iph1 must be in PHASE1ST_MSG1SENT.  The SA payload has to come first;
 * NONCE, ID and VID payloads may follow in any order and any other
 * payload type rejects the packet.  On success the handle moves to
 * PHASE1ST_MSG2RECEIVED and 0 is returned.  On failure -1 is returned
 * and iph1->nonce_p / iph1->id_p are reset with VPTRINIT().
 *
 * Everything parsed here comes from the remote peer.
 * NOTE(review): a packet carrying several NONCE or ID payloads calls
 * isakmp_p2ph() repeatedly on the same destination; whether the earlier
 * buffer is released is decided inside isakmp_p2ph() -- confirm.
 * NOTE(review): with ENABLE_HYBRID, iph1->mode_cfg is dereferenced
 * without a NULL check; presumably the caller guarantees it -- confirm.
 */
int
base_i2recv(iph1, msg)
	struct ph1handle *iph1;
	vchar_t *msg;
{
	vchar_t *parsed = NULL;
	struct isakmp_parse_t *pl;
	vchar_t *sa_in = NULL;
	int rc = -1;
	int vid;
#ifdef ENABLE_HYBRID
	vchar_t *unity_vid;
	vchar_t *xauth_vid;
#endif

	/* validity check */
	if (iph1->status != PHASE1ST_MSG1SENT) {
		plog(LLV_ERROR, LOCATION, NULL,
			"status mismatched %d.\n", iph1->status);
		goto end;
	}

	/* validate the type of next payload */
	parsed = isakmp_parse(msg);
	if (parsed == NULL)
		goto end;
	pl = (struct isakmp_parse_t *)parsed->v;

	/* SA payload is at a fixed position: it must be the first one */
	if (pl->type != ISAKMP_NPTYPE_SA) {
		plog(LLV_ERROR, LOCATION, iph1->remote,
			"received invalid next payload type %d, "
			"expecting %d.\n",
			pl->type, ISAKMP_NPTYPE_SA);
		goto end;
	}
	if (isakmp_p2ph(&sa_in, pl->ptr) < 0)
		goto end;
	pl++;

	/* walk the remaining payloads up to the NONE terminator */
	while (pl->type != ISAKMP_NPTYPE_NONE) {
		switch (pl->type) {
		case ISAKMP_NPTYPE_NONCE:
			if (isakmp_p2ph(&iph1->nonce_p, pl->ptr) < 0)
				goto end;
			break;
		case ISAKMP_NPTYPE_ID:
			if (isakmp_p2ph(&iph1->id_p, pl->ptr) < 0)
				goto end;
			break;
		case ISAKMP_NPTYPE_VID:
			vid = check_vendorid(pl->ptr);
#ifdef ENABLE_NATT
			/* NAT-T VIDs count only when the config allows NAT-T */
			if (iph1->rmconf->nat_traversal && natt_vendorid(vid))
				natt_handle_vendorid(iph1, vid);
#endif
#ifdef ENABLE_HYBRID
			switch (vid) {
			case VENDORID_XAUTH:
				iph1->mode_cfg->flags |=
					ISAKMP_CFG_VENDORID_XAUTH;
				break;

			case VENDORID_UNITY:
				iph1->mode_cfg->flags |=
					ISAKMP_CFG_VENDORID_UNITY;
				break;

			default:
				break;
			}
#endif
#ifdef ENABLE_DPD
			/* DPD is recorded only if it is also enabled locally */
			if (vid == VENDORID_DPD && iph1->rmconf->dpd) {
				iph1->dpd_support=1;
				plog(LLV_DEBUG, LOCATION, NULL,
					"remote supports DPD\n");
			}
#endif
			break;
		default:
			/* don't send information, see ident_r1recv() */
			plog(LLV_ERROR, LOCATION, iph1->remote,
				"ignore the packet, "
				"received unexpecting payload type %d.\n",
				pl->type);
			goto end;
		}
		pl++;
	}

	/* both NONCE and ID are mandatory in this message */
	if (iph1->nonce_p == NULL || iph1->id_p == NULL) {
		plog(LLV_ERROR, LOCATION, iph1->remote,
			"few isakmp message received.\n");
		goto end;
	}

	/* verify identifier */
	if (ipsecdoi_checkid1(iph1) != 0) {
		plog(LLV_ERROR, LOCATION, iph1->remote,
			"invalid ID payload.\n");
		goto end;
	}

#ifdef ENABLE_NATT
	if (NATT_AVAILABLE(iph1)) {
		plog(LLV_INFO, LOCATION, iph1->remote,
			"Selected NAT-T version: %s\n",
			vid_string_by_id(iph1->natt_options->version));
		ike_session_update_natt_version(iph1);
	}
#endif

	/* check SA payload and set approval SA for use */
	if (ipsecdoi_checkph1proposal(sa_in, iph1) < 0) {
		plog(LLV_ERROR, LOCATION, iph1->remote,
			"failed to get valid proposal.\n");
		/* XXX send information */
		goto end;
	}
	VPTRINIT(iph1->sa_ret);

	iph1->status = PHASE1ST_MSG2RECEIVED;

#ifdef ENABLE_VPNCONTROL_PORT
	vpncontrol_notify_phase_change(1, FROM_REMOTE, iph1, NULL);
#endif

	rc = 0;

end:
	if (parsed)
		vfree(parsed);
	if (sa_in)
		vfree(sa_in);

	/* do not keep peer-supplied NONCE/ID from a rejected packet */
	if (rc) {
		VPTRINIT(iph1->nonce_p);
		VPTRINIT(iph1->id_p);
	}

	return rc;
}
438
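/*
 * Base Mode, initiator, message 3 on the wire: send KE and the
 * authentication payload to the responder.
 *
 * send to responder
 * 	psk: HDR, KE, HASH_I
 * 	sig: HDR, KE, [ CR, ] [CERT,] SIG_I
 * 	rsa: HDR, KE, HASH_I
 * 	rev: HDR, <KE>Ke_i, HASH_I
 *
 * iph1 must be in PHASE1ST_MSG2RECEIVED; msg is the packet received from
 * the responder, whose responder cookie is copied into the handle.  On
 * success the handle moves to PHASE1ST_MSG2SENT and 0 is returned; every
 * failure returns -1.
 *
 * The NAT-D hash buffers are released at `end' together with vid.  This
 * file frees every other payload buffer it builds after
 * isakmp_plist_set_all() has run, so the payload list does not appear to
 * take ownership of them; previously the two NAT-D buffers were never
 * freed, on success or on failure.
 *
 * NOTE(review): msg->v is read as a struct isakmp without a NULL or
 * length check here; presumably the caller has validated the header
 * already -- confirm.
 * NOTE(review): the error exits taken after payloads were appended leave
 * plist unreleased in this function; whether it is reclaimed elsewhere is
 * not visible here -- confirm.
 */
int
base_i2send(iph1, msg)
	struct ph1handle *iph1;
	vchar_t *msg;
{
	struct payload_list *plist = NULL;
	vchar_t *vid = NULL;
#ifdef ENABLE_NATT
	/* function scope so that the cleanup at `end' can release them */
	vchar_t *natd[2] = { NULL, NULL };
#endif
	int need_cert = 0;
	int error = -1;

	/* validity check */
	if (iph1->status != PHASE1ST_MSG2RECEIVED) {
		plog(LLV_ERROR, LOCATION, NULL,
			"status mismatched %d.\n", iph1->status);
		goto end;
	}

	/* fix isakmp index: adopt the responder cookie from the received header */
	memcpy(&iph1->index.r_ck, &((struct isakmp *)msg->v)->r_ck,
		sizeof(cookie_t));

	/* generate DH public value */
	if (oakley_dh_generate(iph1->approval->dhgrp,
			&iph1->dhpub, &iph1->dhpriv) < 0)
		goto end;

	/* generate SKEYID to compute hash if not signature mode */
	switch (AUTHMETHOD(iph1)) {
	case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
	case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
#ifdef ENABLE_HYBRID
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
#endif
		break;
	default:
		if (oakley_skeyid(iph1) < 0)
			goto end;
		break;
	}

	/* generate HASH to send */
	plog(LLV_DEBUG, LOCATION, NULL, "generate HASH_I\n");
	iph1->hash = oakley_ph1hash_base_i(iph1, GENERATE);
	if (iph1->hash == NULL)
		goto end;
	switch (AUTHMETHOD(iph1)) {
	case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
#ifdef ENABLE_HYBRID
	case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
#endif
		vid = set_vendorid(iph1->approval->vendorid);

		/* create isakmp KE payload */
		plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE);

		/* create isakmp HASH payload */
		plist = isakmp_plist_append(plist, iph1->hash, ISAKMP_NPTYPE_HASH);

		/* append vendor id, if needed */
		if (vid)
			plist = isakmp_plist_append(plist, vid, ISAKMP_NPTYPE_VID);
		break;
	case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
	case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
#ifdef ENABLE_HYBRID
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
#endif
		/* XXX if there is CR or not ? */

		if (oakley_getmycert(iph1) < 0)
			goto end;

		if (oakley_getsign(iph1) < 0)
			goto end;

		/* the certificate is sent only when one exists and config asks for it */
		if (iph1->cert && iph1->rmconf->send_cert)
			need_cert = 1;

		/* create isakmp KE payload */
		plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE);

		/* add CERT payload if there */
		if (need_cert)
			plist = isakmp_plist_append(plist, iph1->cert->pl, ISAKMP_NPTYPE_CERT);

		/* add SIG payload */
		plist = isakmp_plist_append(plist, iph1->sig, ISAKMP_NPTYPE_SIG);
		break;
#ifdef HAVE_GSSAPI
	case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
		/* ... */
		break;
#endif
	case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
	case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
#ifdef ENABLE_HYBRID
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
#endif
		/* no payloads are built for these methods in this function */
		break;
	}

#ifdef ENABLE_NATT
	/* generate NAT-D payloads */
	if (NATT_AVAILABLE(iph1))
	{
		plog (LLV_INFO, LOCATION, NULL, "Adding remote and local NAT-D payloads.\n");
		if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
				"NAT-D hashing failed for %s\n", saddr2str(iph1->remote));
			goto end;
		}

		if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
				"NAT-D hashing failed for %s\n", saddr2str(iph1->local));
			goto end;
		}

#ifdef __APPLE__
		/* old Apple version sends natd payloads in the wrong order */
		if (iph1->natt_options->version == VENDORID_NATT_APPLE) {
			plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
			plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
		} else
#endif
		{
			plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
			plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
		}
	}
#endif

	iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);

#ifdef HAVE_PRINT_ISAKMP_C
	isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
#endif

	/* send the packet, add to the schedule to resend */
	iph1->retry_counter = iph1->rmconf->retry_counter;
	if (isakmp_ph1resend(iph1) == -1)
		goto end;

	/* the sending message is added to the received-list. */
	if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
			PH1_NON_ESP_EXTRA_LEN(iph1)) == -1) {
		plog(LLV_ERROR , LOCATION, NULL,
			"failed to add a response packet to the tree.\n");
		goto end;
	}

	iph1->status = PHASE1ST_MSG2SENT;

	error = 0;

end:
	if (vid)
		vfree(vid);
#ifdef ENABLE_NATT
	/* release the NAT-D hashes on every path, like the other payload buffers */
	if (natd[0])
		vfree(natd[0]);
	if (natd[1])
		vfree(natd[1]);
#endif
	return error;
}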
616
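/*
 * Base Mode, initiator: parse the responder's second message, validate
 * its authentication value and derive the keying material.
 *
 * receive from responder
 * 	psk: HDR, KE, HASH_R
 * 	sig: HDR, KE, [CERT,] SIG_R
 * 	rsa: HDR, KE, HASH_R
 * 	rev: HDR, <KE>_Ke_r, HASH_R
 *
 * iph1 must be in PHASE1ST_MSG2SENT.  On success the handle moves to
 * PHASE1ST_MSG3RECEIVED, ISAKMP_FLAG_E is set and 0 is returned.  On
 * failure -1 is returned and the peer-supplied KE, certificate, CRL and
 * signature stored on the handle are dropped.
 *
 * iph1->pl_hash is cleared before the payload walk, as base_r2recv()
 * does.  It is set to point at payload data from the parsed packet, so a
 * value left over from an earlier packet must not be what
 * oakley_validate_auth() sees when this packet carries no HASH payload.
 */
int
base_i3recv(iph1, msg)
	struct ph1handle *iph1;
	vchar_t *msg;
{
	vchar_t *pbuf = NULL;
	struct isakmp_parse_t *pa;
	int error = -1;
	int ptype;
#ifdef ENABLE_NATT
	vchar_t *natd_received;
	int natd_seq = 0, natd_verified;
#endif

	/* validity check */
	if (iph1->status != PHASE1ST_MSG2SENT) {
		plog(LLV_ERROR, LOCATION, NULL,
			"status mismatched %d.\n", iph1->status);
		goto end;
	}

	/* validate the type of next payload */
	pbuf = isakmp_parse(msg);
	if (pbuf == NULL)
		goto end;

	/* forget any HASH pointer recorded from a previous packet */
	iph1->pl_hash = NULL;

	for (pa = (struct isakmp_parse_t *)pbuf->v;
	     pa->type != ISAKMP_NPTYPE_NONE;
	     pa++) {

		switch (pa->type) {
		case ISAKMP_NPTYPE_KE:
			if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0)
				goto end;
			break;
		case ISAKMP_NPTYPE_HASH:
			/* not copied: only a pointer to the payload is recorded */
			iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr;
			break;
		case ISAKMP_NPTYPE_CERT:
			if (oakley_savecert(iph1, pa->ptr) < 0)
				goto end;
			break;
		case ISAKMP_NPTYPE_SIG:
			if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0)
				goto end;
			break;
		case ISAKMP_NPTYPE_VID:
			(void)check_vendorid(pa->ptr);
			break;

#ifdef ENABLE_NATT
		case ISAKMP_NPTYPE_NATD_DRAFT:
		case ISAKMP_NPTYPE_NATD_RFC:
#ifdef __APPLE__
		case ISAKMP_NPTYPE_NATD_BADDRAFT:
#endif
			/* only the NAT-D type of the negotiated NAT-T version is used */
			if (NATT_AVAILABLE(iph1) && iph1->natt_options &&
			    pa->type == iph1->natt_options->payload_nat_d) {
				natd_received = NULL;
				if (isakmp_p2ph (&natd_received, pa->ptr) < 0)
					goto end;

				/* set both bits first so that we can clear them
				   upon verifying hashes */
				if (natd_seq == 0)
					iph1->natt_flags |= NAT_DETECTED;

				/* this function will clear the appropriate bits
				   from iph1->natt_flags */
				natd_verified = natt_compare_addr_hash (iph1,
					natd_received, natd_seq++);

				plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n",
					natd_seq - 1,
					natd_verified ? "verified" : "doesn't match");

				vfree (natd_received);
				break;
			}
			/* %%%% Be lenient here - some servers send natd payloads */
			/* when no nat is detected */
			break;
#endif

		default:
			/* don't send information, see ident_r1recv() */
			plog(LLV_ERROR, LOCATION, iph1->remote,
				"ignore the packet, "
				"received unexpecting payload type %d.\n",
				pa->type);
			goto end;
		}
	}

#ifdef ENABLE_NATT
	if (NATT_AVAILABLE(iph1)) {
		plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n",
			iph1->natt_flags & NAT_DETECTED ?
				"detected:" : "not detected",
			iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "",
			iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : "");
		if (iph1->natt_flags & NAT_DETECTED)
			natt_float_ports (iph1);
	}
#endif

	/* payload existency check */
	/* validate authentication value */
	ptype = oakley_validate_auth(iph1);
	if (ptype != 0) {
		if (ptype == -1) {
			/* message printed inner oakley_validate_auth() */
			goto end;
		}
		/* any other non-zero value is sent to the peer as a notification */
		EVT_PUSH(iph1->local, iph1->remote,
			EVTT_PEERPH1AUTH_FAILED, NULL);
		isakmp_info_send_n1(iph1, ptype, NULL);
		goto end;
	}

	/* compute sharing secret of DH */
	if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub,
			iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0)
		goto end;

	/* generate SKEYID to compute hash if signature mode */
	switch (AUTHMETHOD(iph1)) {
	case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
	case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
#ifdef ENABLE_HYBRID
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
#endif
		if (oakley_skeyid(iph1) < 0)
			goto end;
		break;
	default:
		break;
	}

	/* generate SKEYIDs & IV & final cipher key */
	if (oakley_skeyid_dae(iph1) < 0)
		goto end;
	if (oakley_compute_enckey(iph1) < 0)
		goto end;
	if (oakley_newiv(iph1) < 0)
		goto end;

	/* see handler.h about IV synchronization. */
	memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->iv->l);

	/* set encryption flag */
	iph1->flags |= ISAKMP_FLAG_E;

	iph1->status = PHASE1ST_MSG3RECEIVED;

	error = 0;

end:
	if (pbuf)
		vfree(pbuf);

	/* drop what the peer supplied if the packet was not accepted */
	if (error) {
		VPTRINIT(iph1->dhpub_p);
		oakley_delcert(iph1->cert_p);
		iph1->cert_p = NULL;
		oakley_delcert(iph1->crl_p);
		iph1->crl_p = NULL;
		VPTRINIT(iph1->sig_p);
	}

	return error;
}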
800
/*
 * Base Mode, initiator, final step: status update and establish isakmp sa.
 *
 * Nothing is sent.  The handle must be in PHASE1ST_MSG3RECEIVED; it is
 * then marked PHASE1ST_ESTABLISHED and 0 is returned.  Any other state
 * is logged and -1 is returned.  msg is not used.
 */
int
base_i3send(iph1, msg)
	struct ph1handle *iph1;
	vchar_t *msg;
{
	/* validity check */
	if (iph1->status != PHASE1ST_MSG3RECEIVED) {
		plog(LLV_ERROR, LOCATION, NULL,
			"status mismatched %d.\n", iph1->status);
		return -1;
	}

	iph1->status = PHASE1ST_ESTABLISHED;
	return 0;
}
825
/*
 * Base Mode, responder, message 1: parse the initiator's opening packet.
 *
 * receive from initiator
 * 	psk: HDR, SA, Idii, Ni_b
 * 	sig: HDR, SA, Idii, Ni_b
 * 	rsa: HDR, SA, [HASH(1),] <IDii_b>Pubkey_r, <Ni_b>Pubkey_r
 * 	rev: HDR, SA, [HASH(1),] <Ni_b>Pubkey_r, <IDii_b>Ke_i
 *
 * iph1 must be in PHASE1ST_START.  The SA payload has to come first;
 * NONCE, ID and VID payloads may follow and any other payload type
 * rejects the packet.  On success the handle moves to
 * PHASE1ST_MSG1RECEIVED and 0 is returned.  On failure -1 is returned
 * and iph1->sa, iph1->nonce_p and iph1->id_p are reset with VPTRINIT().
 *
 * This is the first packet of the exchange, so every value read here is
 * supplied by a peer that has not been authenticated yet; the VID
 * payloads set iph1->frag, iph1->dpd_support and the mode_cfg flags.
 * NOTE(review): a packet carrying several NONCE or ID payloads calls
 * isakmp_p2ph() repeatedly on the same destination; whether the earlier
 * buffer is released is decided inside isakmp_p2ph() -- confirm.
 * NOTE(review): with ENABLE_HYBRID, iph1->mode_cfg is dereferenced
 * without a NULL check; presumably the caller guarantees it -- confirm.
 */
int
base_r1recv(iph1, msg)
	struct ph1handle *iph1;
	vchar_t *msg;
{
	vchar_t *parsed = NULL;
	struct isakmp_parse_t *pl;
	int rc = -1;
	int vid;

	/* validity check */
	if (iph1->status != PHASE1ST_START) {
		plog(LLV_ERROR, LOCATION, NULL,
			"status mismatched %d.\n", iph1->status);
		goto end;
	}

	/* validate the type of next payload */
	/*
	 * NOTE: XXX even if multiple VID, we'll silently ignore those.
	 */
	parsed = isakmp_parse(msg);
	if (parsed == NULL)
		goto end;
	pl = (struct isakmp_parse_t *)parsed->v;

	/* check the position of SA payload: it must be the first one */
	if (pl->type != ISAKMP_NPTYPE_SA) {
		plog(LLV_ERROR, LOCATION, iph1->remote,
			"received invalid next payload type %d, "
			"expecting %d.\n",
			pl->type, ISAKMP_NPTYPE_SA);
		goto end;
	}
	if (isakmp_p2ph(&iph1->sa, pl->ptr) < 0)
		goto end;
	pl++;

	/* walk the remaining payloads up to the NONE terminator */
	while (pl->type != ISAKMP_NPTYPE_NONE) {
		switch (pl->type) {
		case ISAKMP_NPTYPE_NONCE:
			if (isakmp_p2ph(&iph1->nonce_p, pl->ptr) < 0)
				goto end;
			break;
		case ISAKMP_NPTYPE_ID:
			if (isakmp_p2ph(&iph1->id_p, pl->ptr) < 0)
				goto end;
			break;
		case ISAKMP_NPTYPE_VID:
			vid = check_vendorid(pl->ptr);
#ifdef ENABLE_NATT
			/* NAT-T VIDs count only when the config allows NAT-T */
			if (iph1->rmconf->nat_traversal && natt_vendorid(vid))
				natt_handle_vendorid(iph1, vid);
#endif
#ifdef ENABLE_FRAG
			/* fragmentation is used only if the peer announces base-mode support */
			if ((vid == VENDORID_FRAG) &&
			    (vendorid_frag_cap(pl->ptr) & VENDORID_FRAG_BASE))
				iph1->frag = 1;
#endif
#ifdef ENABLE_HYBRID
			switch (vid) {
			case VENDORID_XAUTH:
				iph1->mode_cfg->flags |=
					ISAKMP_CFG_VENDORID_XAUTH;
				break;

			case VENDORID_UNITY:
				iph1->mode_cfg->flags |=
					ISAKMP_CFG_VENDORID_UNITY;
				break;

			default:
				break;
			}
#endif
#ifdef ENABLE_DPD
			/* DPD is recorded only if it is also enabled locally */
			if (vid == VENDORID_DPD && iph1->rmconf->dpd) {
				iph1->dpd_support=1;
				plog(LLV_DEBUG, LOCATION, NULL,
					"remote supports DPD\n");
			}
#endif
			break;
		default:
			/* don't send information, see ident_r1recv() */
			plog(LLV_ERROR, LOCATION, iph1->remote,
				"ignore the packet, "
				"received unexpecting payload type %d.\n",
				pl->type);
			goto end;
		}
		pl++;
	}

	/* both NONCE and ID are mandatory in this message */
	if (iph1->nonce_p == NULL || iph1->id_p == NULL) {
		plog(LLV_ERROR, LOCATION, iph1->remote,
			"few isakmp message received.\n");
		goto end;
	}

	/* verify identifier */
	if (ipsecdoi_checkid1(iph1) != 0) {
		plog(LLV_ERROR, LOCATION, iph1->remote,
			"invalid ID payload.\n");
		goto end;
	}

#ifdef ENABLE_NATT
	if (NATT_AVAILABLE(iph1)) {
		plog(LLV_INFO, LOCATION, iph1->remote,
			"Selected NAT-T version: %s\n",
			vid_string_by_id(iph1->natt_options->version));
		ike_session_update_natt_version(iph1);
	}
#endif

	/* check SA payload and set approval SA for use */
	if (ipsecdoi_checkph1proposal(iph1->sa, iph1) < 0) {
		plog(LLV_ERROR, LOCATION, iph1->remote,
			"failed to get valid proposal.\n");
		/* XXX send information */
		goto end;
	}

	iph1->status = PHASE1ST_MSG1RECEIVED;

	rc = 0;

end:
	if (parsed)
		vfree(parsed);

	/* do not keep peer-supplied SA/NONCE/ID from a rejected packet */
	if (rc) {
		VPTRINIT(iph1->sa);
		VPTRINIT(iph1->nonce_p);
		VPTRINIT(iph1->id_p);
	}

	return rc;
}
975
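/*
 * Base Mode, responder, message 2 on the wire: answer the initiator's
 * opening packet.
 *
 * send to initiator
 * 	psk: HDR, SA, Idir, Nr_b
 * 	sig: HDR, SA, Idir, Nr_b, [ CR ]
 * 	rsa: HDR, SA, <IDir_b>PubKey_i, <Nr_b>PubKey_i
 * 	rev: HDR, SA, <Nr_b>PubKey_i, <IDir_b>Ke_r
 *
 * iph1 must be in PHASE1ST_MSG1RECEIVED; msg is the packet this reply
 * answers and is recorded with the reply through add_recvdpkt().  On
 * success the handle moves to PHASE1ST_MSG1SENT and 0 is returned; every
 * failure returns -1.  The vendor-ID buffers built here are released
 * before returning, and iph1->sa_ret is reset unless the resend failed.
 *
 * The fragmentation VID is appended only when both set_vendorid() and
 * isakmp_frag_addcap() produced a buffer, matching base_i1send();
 * previously the result of isakmp_frag_addcap() was appended unchecked.
 *
 * NOTE(review): the error exits taken after payloads were appended leave
 * plist unreleased in this function; whether it is reclaimed elsewhere is
 * not visible here -- confirm.
 */
int
base_r1send(iph1, msg)
	struct ph1handle *iph1;
	vchar_t *msg;
{
	struct payload_list *plist = NULL;
	int error = -1;
#ifdef ENABLE_NATT
	vchar_t *vid_natt = NULL;
#endif
#ifdef ENABLE_HYBRID
	vchar_t *vid_xauth = NULL;
	vchar_t *vid_unity = NULL;
#endif
#ifdef ENABLE_FRAG
	vchar_t *vid_frag = NULL;
#endif
#ifdef ENABLE_DPD
	vchar_t *vid_dpd = NULL;
#endif

	/* validity check */
	if (iph1->status != PHASE1ST_MSG1RECEIVED) {
		plog(LLV_ERROR, LOCATION, NULL,
			"status mismatched %d.\n", iph1->status);
		goto end;
	}

	/* set responder's cookie */
	isakmp_newcookie((caddr_t)&iph1->index.r_ck, iph1->remote, iph1->local);

	/* make ID payload into isakmp status */
	if (ipsecdoi_setid1(iph1) < 0)
		goto end;

	/* generate NONCE value */
	iph1->nonce = eay_set_random(iph1->rmconf->nonce_size);
	if (iph1->nonce == NULL)
		goto end;

	/* set SA payload to reply */
	plist = isakmp_plist_append(plist, iph1->sa_ret, ISAKMP_NPTYPE_SA);

	/* create isakmp ID payload */
	plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);

	/* create isakmp NONCE payload */
	plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE);

#ifdef ENABLE_NATT
	/* has the peer announced nat-t? */
	if (NATT_AVAILABLE(iph1))
		vid_natt = set_vendorid(iph1->natt_options->version);
	if (vid_natt)
		plist = isakmp_plist_append(plist, vid_natt, ISAKMP_NPTYPE_VID);
#endif
#ifdef ENABLE_HYBRID
	/* echo Xauth/Unity VIDs only if the peer's message set the flags */
	if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) {
		plog (LLV_INFO, LOCATION, NULL, "Adding xauth VID payload.\n");
		if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
				"Cannot create Xauth vendor ID\n");
			goto end;
		}
		plist = isakmp_plist_append(plist,
			vid_xauth, ISAKMP_NPTYPE_VID);
	}

	if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_UNITY) {
		if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
				"Cannot create Unity vendor ID\n");
			goto end;
		}
		plist = isakmp_plist_append(plist,
			vid_unity, ISAKMP_NPTYPE_VID);
	}
#endif
#ifdef ENABLE_DPD
	/*
	 * Only send DPD support if remote announced DPD
	 * and if DPD support is active
	 */
	if (iph1->dpd_support && iph1->rmconf->dpd) {
		if ((vid_dpd = set_vendorid(VENDORID_DPD)) == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
				"DPD vendorID construction failed\n");
		} else {
			plist = isakmp_plist_append(plist, vid_dpd,
				ISAKMP_NPTYPE_VID);
		}
	}
#endif
#ifdef ENABLE_FRAG
	if (iph1->rmconf->ike_frag) {
		vid_frag = set_vendorid(VENDORID_FRAG);
		if (vid_frag != NULL)
			vid_frag = isakmp_frag_addcap(vid_frag,
				VENDORID_FRAG_BASE);
		/* either step may have failed; never append a NULL payload */
		if (vid_frag == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
				"Frag vendorID construction failed\n");
		} else {
			plist = isakmp_plist_append(plist,
				vid_frag, ISAKMP_NPTYPE_VID);
		}
	}
#endif

	iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);

#ifdef HAVE_PRINT_ISAKMP_C
	isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
#endif

	/* send the packet, add to the schedule to resend */
	iph1->retry_counter = iph1->rmconf->retry_counter;
	if (isakmp_ph1resend(iph1) == -1) {
		/*
		 * iph1 is not touched again on this path (see the check at
		 * `end'); presumably the handle may no longer be valid after
		 * a failed resend -- confirm against isakmp_ph1resend().
		 */
		iph1 = NULL;
		goto end;
	}

	/* the sending message is added to the received-list. */
	if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
			PH1_NON_ESP_EXTRA_LEN(iph1)) == -1) {
		plog(LLV_ERROR , LOCATION, NULL,
			"failed to add a response packet to the tree.\n");
		goto end;
	}

	iph1->status = PHASE1ST_MSG1SENT;

#ifdef ENABLE_VPNCONTROL_PORT
	vpncontrol_notify_phase_change(1, FROM_LOCAL, iph1, NULL);
#endif

	error = 0;

end:
	/* the VID buffers are local to this function; release them in all cases */
#ifdef ENABLE_NATT
	if (vid_natt)
		vfree(vid_natt);
#endif
#ifdef ENABLE_HYBRID
	if (vid_xauth != NULL)
		vfree(vid_xauth);
	if (vid_unity != NULL)
		vfree(vid_unity);
#endif
#ifdef ENABLE_FRAG
	if (vid_frag)
		vfree(vid_frag);
#endif
#ifdef ENABLE_DPD
	if (vid_dpd)
		vfree(vid_dpd);
#endif

	if (iph1 != NULL)
		VPTRINIT(iph1->sa_ret);

	return error;
}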
1144
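/*
 * receive from initiator
 * 	psk: HDR, KE, HASH_I
 * 	sig: HDR, KE, [ CR, ] [CERT,] SIG_I
 * 	rsa: HDR, KE, HASH_I
 * 	rev: HDR, <KE>Ke_i, HASH_I
 *
 * Handles the initiator's second Base Mode message on the responder side.
 * The message is parsed with isakmp_parse(), the KE / HASH / CERT / SIG
 * payloads are stored in iph1, the local DH value, the shared secret and
 * SKEYID are computed, and the peer's authentication value is checked with
 * oakley_validate_auth().
 *
 * iph1: phase 1 handle; must be in state PHASE1ST_MSG1SENT.
 * msg:  the received ISAKMP message (comes from the network, untrusted).
 *
 * Returns 0 on success, with iph1->status set to PHASE1ST_MSG2RECEIVED.
 * Returns -1 on any failure; in that case the peer-supplied dhpub_p,
 * cert_p, crl_p and sig_p are released again before returning.
 */
int
base_r2recv(iph1, msg)
	struct ph1handle *iph1;
	vchar_t *msg;
{
	vchar_t *pbuf = NULL;
	struct isakmp_parse_t *pa;
	int error = -1;
	int ptype;
#ifdef ENABLE_NATT
	int natd_seq = 0;
#endif

	/* validity check */
	if (iph1->status != PHASE1ST_MSG1SENT) {
		plog(LLV_ERROR, LOCATION, NULL,
			"status mismatched %d.\n", iph1->status);
		goto end;
	}

	/* validate the type of next payload */
	pbuf = isakmp_parse(msg);
	if (pbuf == NULL)
		goto end;

	/*
	 * Reset the hash pointer so that a value left over from an earlier
	 * message is never mistaken for one carried by this message.
	 * NOTE(review): pl_hash is set from pa->ptr below and stays set after
	 * return; presumably it points into msg - confirm its lifetime.
	 */
	iph1->pl_hash = NULL;

	for (pa = (struct isakmp_parse_t *)pbuf->v;
	     pa->type != ISAKMP_NPTYPE_NONE;
	     pa++) {

		switch (pa->type) {
		case ISAKMP_NPTYPE_KE:
			if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0)
				goto end;
			break;
		case ISAKMP_NPTYPE_HASH:
			iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr;
			break;
		case ISAKMP_NPTYPE_CERT:
			if (oakley_savecert(iph1, pa->ptr) < 0)
				goto end;
			break;
		case ISAKMP_NPTYPE_SIG:
			if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0)
				goto end;
			break;
		case ISAKMP_NPTYPE_VID:
			/* the result is deliberately ignored here */
			(void)check_vendorid(pa->ptr);
			break;

#ifdef ENABLE_NATT
		case ISAKMP_NPTYPE_NATD_DRAFT:
		case ISAKMP_NPTYPE_NATD_RFC:
#ifdef __APPLE__
		case ISAKMP_NPTYPE_NATD_BADDRAFT:
#endif
			/* only the NAT-D payload type that was negotiated is evaluated */
			if (pa->type == iph1->natt_options->payload_nat_d)
			{
				vchar_t *natd_received = NULL;
				int natd_verified;

				if (isakmp_p2ph (&natd_received, pa->ptr) < 0)
					goto end;

				/*
				 * NAT_DETECTED is set when the first NAT-D payload
				 * is seen.  NOTE(review): natt_compare_addr_hash()
				 * presumably adjusts natt_flags according to the
				 * comparison; it is not visible here - confirm.
				 */
				if (natd_seq == 0)
					iph1->natt_flags |= NAT_DETECTED;

				natd_verified = natt_compare_addr_hash (iph1,
								natd_received, natd_seq++);

				plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n",
					natd_seq - 1,
					natd_verified ? "verified" : "doesn't match");

				vfree (natd_received);
				break;
			}
			/* %%%% Be lenient here - some servers send natd payloads */
			/* when no nat is detected */
			break;
#endif

		default:
			/* don't send information, see ident_r1recv() */
			plog(LLV_ERROR, LOCATION, iph1->remote,
				"ignore the packet, "
				"received unexpecting payload type %d.\n",
				pa->type);
			goto end;
		}
	}

	/*
	 * payload existency check: every variant of this message carries a
	 * KE payload.  Reject a message without one here, before any DH work
	 * is done, instead of handing a NULL peer value to
	 * oakley_dh_compute() (whose handling of NULL is not visible here).
	 */
	if (iph1->dhpub_p == NULL) {
		plog(LLV_ERROR, LOCATION, iph1->remote,
			"ignore the packet, KE payload is missing.\n");
		goto end;
	}

	/* generate DH public value */
	if (oakley_dh_generate(iph1->approval->dhgrp,
				&iph1->dhpub, &iph1->dhpriv) < 0)
		goto end;

	/* compute sharing secret of DH */
	if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub,
				iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0)
		goto end;

	/* generate SKEYID */
	if (oakley_skeyid(iph1) < 0)
		goto end;

#ifdef ENABLE_NATT
	if (NATT_AVAILABLE(iph1))
		plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n",
		      iph1->natt_flags & NAT_DETECTED ?
				"detected:" : "not detected",
		      iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "",
		      iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : "");
#endif

	/* payload existency check */
	/* validate authentication value */
	ptype = oakley_validate_auth(iph1);
	if (ptype != 0) {
		if (ptype == -1) {
			/* message printed inner oakley_validate_auth() */
			goto end;
		}
		/*
		 * Any other non-zero value is reported as an authentication
		 * failure and passed to isakmp_info_send_n1() as the
		 * notification type for the peer.
		 */
		EVT_PUSH(iph1->local, iph1->remote,
			 EVTT_PEERPH1AUTH_FAILED, NULL);
		isakmp_info_send_n1(iph1, ptype, NULL);
		goto end;
	}

	iph1->status = PHASE1ST_MSG2RECEIVED;

	error = 0;

end:
	if (pbuf)
		vfree(pbuf);

	/* on failure drop everything that was taken from the peer's message */
	if (error) {
		VPTRINIT(iph1->dhpub_p);
		oakley_delcert(iph1->cert_p);
		iph1->cert_p = NULL;
		oakley_delcert(iph1->crl_p);
		iph1->crl_p = NULL;
		VPTRINIT(iph1->sig_p);
	}

	return error;
}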
1301
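/*
 * send to initiator
 * 	psk: HDR, KE, HASH_R
 * 	sig: HDR, KE, [CERT,] SIG_R
 * 	rsa: HDR, KE, HASH_R
 * 	rev: HDR, <KE>_Ke_r, HASH_R
 *
 * Builds and sends the responder's second Base Mode message, records it
 * with add_recvdpkt(), then derives the remaining phase 1 keys and the IV
 * and marks the phase 1 handle as established.
 *
 * iph1: phase 1 handle; must be in state PHASE1ST_MSG2RECEIVED.
 * msg:  the message being answered; it is only passed on to add_recvdpkt().
 *
 * Returns 0 on success, with iph1->status set to PHASE1ST_ESTABLISHED and
 * ISAKMP_FLAG_E set in iph1->flags.  Returns -1 on any failure.
 *
 * NOTE(review): a "goto end" taken after payloads were appended leaves
 * plist (and the NAT-D vectors already appended to it) unreleased; this
 * function has no visible way to free the list - confirm and clean up in
 * the owner of struct payload_list.
 */
int
base_r2send(iph1, msg)
	struct ph1handle *iph1;
	vchar_t *msg;
{
	struct payload_list *plist = NULL;
	vchar_t *vid = NULL;
	int need_cert = 0;
	int error = -1;

	/* validity check */
	if (iph1->status != PHASE1ST_MSG2RECEIVED) {
		plog(LLV_ERROR, LOCATION, NULL,
			"status mismatched %d.\n", iph1->status);
		goto end;
	}

	/* generate HASH to send; on this side it is the responder's HASH_R */
	plog(LLV_DEBUG, LOCATION, NULL, "generate HASH_R\n");
	switch (AUTHMETHOD(iph1)) {
	case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
#ifdef ENABLE_HYBRID
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
#endif
	case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
	case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
#ifdef ENABLE_HYBRID
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
#endif
		iph1->hash = oakley_ph1hash_common(iph1, GENERATE);
		break;
	case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
	case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
#ifdef ENABLE_HYBRID
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
#endif
#ifdef HAVE_GSSAPI
	case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
#endif
		iph1->hash = oakley_ph1hash_base_r(iph1, GENERATE);
		break;
	default:
		plog(LLV_ERROR, LOCATION, NULL,
			"invalid authentication method %d\n",
			iph1->approval->authmethod);
		goto end;
	}
	if (iph1->hash == NULL)
		goto end;

	/*
	 * Assemble the payloads for the negotiated method.  Unknown methods
	 * were already rejected by the switch above.
	 */
	switch (AUTHMETHOD(iph1)) {
	case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
#ifdef ENABLE_HYBRID
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
#endif
		vid = set_vendorid(iph1->approval->vendorid);

		/* create isakmp KE payload */
		plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE);

		/* create isakmp HASH payload */
		plist = isakmp_plist_append(plist, iph1->hash, ISAKMP_NPTYPE_HASH);

		/* append vendor id, if needed */
		if (vid)
			plist = isakmp_plist_append(plist, vid, ISAKMP_NPTYPE_VID);
		break;
	case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
	case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
#ifdef ENABLE_HYBRID
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
#endif
		/* XXX if there is CR or not ? */

		if (oakley_getmycert(iph1) < 0)
			goto end;

		if (oakley_getsign(iph1) < 0)
			goto end;

		/* the certificate is sent only if one is loaded and send_cert is on */
		if (iph1->cert && iph1->rmconf->send_cert)
			need_cert = 1;

		/* create isakmp KE payload */
		plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE);

		/* add CERT payload if there */
		if (need_cert)
			plist = isakmp_plist_append(plist, iph1->cert->pl, ISAKMP_NPTYPE_CERT);
		/* add SIG payload */
		plist = isakmp_plist_append(plist, iph1->sig, ISAKMP_NPTYPE_SIG);
		break;
#ifdef HAVE_GSSAPI
	case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
		/* ... */
		break;
#endif
	case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
	case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
#ifdef ENABLE_HYBRID
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
#endif
		/*
		 * NOTE(review): nothing is appended for these methods (nor for
		 * GSSAPI above), so plist can still be NULL when it reaches
		 * isakmp_plist_set_all(); confirm that helper accepts an
		 * empty list.
		 */
		break;
	}

#ifdef ENABLE_NATT
	/* generate NAT-D payloads */
	if (NATT_AVAILABLE(iph1)) {
		vchar_t *natd[2] = { NULL, NULL };

		plog (LLV_INFO, LOCATION, NULL, "Adding remote and local NAT-D payloads.\n");
		if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
				"NAT-D hashing failed for %s\n", saddr2str(iph1->remote));
			goto end;
		}

		if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
				"NAT-D hashing failed for %s\n", saddr2str(iph1->local));
			/* natd[0] was not handed to the payload list yet */
			vfree(natd[0]);
			goto end;
		}

#ifdef __APPLE__
		/* old Apple version sends natd payloads in the wrong order */
		if (iph1->natt_options->version == VENDORID_NATT_APPLE) {
			plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
			plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
		} else
#endif
		{
			plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
			plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
		}
	}
#endif

	iph1->sendbuf = isakmp_plist_set_all(&plist, iph1);
	/* do not print, send or record a packet that could not be built */
	if (iph1->sendbuf == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to build the response packet.\n");
		goto end;
	}

#ifdef HAVE_PRINT_ISAKMP_C
	isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
#endif

	/* send the assembled reply to the initiator */
	if (isakmp_send(iph1, iph1->sendbuf) < 0)
		goto end;

	/* the sending message is added to the received-list. */
	if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
			PH1_NON_ESP_EXTRA_LEN(iph1)) == -1) {
		plog(LLV_ERROR , LOCATION, NULL,
			"failed to add a response packet to the tree.\n");
		goto end;
	}

	/*
	 * generate SKEYIDs & IV & final cipher key
	 * (done after the reply has gone out; a failure here returns -1
	 * although the peer has already been sent the message)
	 */
	if (oakley_skeyid_dae(iph1) < 0)
		goto end;
	if (oakley_compute_enckey(iph1) < 0)
		goto end;
	if (oakley_newiv(iph1) < 0)
		goto end;

	/* set encryption flag */
	iph1->flags |= ISAKMP_FLAG_E;

	iph1->status = PHASE1ST_ESTABLISHED;

	error = 0;

end:
	if (vid)
		vfree(vid);
	return error;
}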