]> git.saurik.com Git - apple/ipsec.git/blob - ipsec-tools/racoon/isakmp_ident.c
projects / apple / ipsec.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
ipsec-292.40.4.tar.gz
[apple/ipsec.git] / ipsec-tools / racoon / isakmp_ident.c
1 /* $NetBSD: isakmp_ident.c,v 1.6 2006/10/02 21:41:59 manu Exp $ */
2
3 /* Id: isakmp_ident.c,v 1.21 2006/04/06 16:46:08 manubsd Exp */
4
5 /*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 /* Identity Protecion Exchange (Main Mode) */
35
36 #include "config.h"
37
38 #include <sys/types.h>
39 #include <sys/param.h>
40
41 #include <stdlib.h>
42 #include <stdio.h>
43 #include <string.h>
44 #include <errno.h>
45 #if TIME_WITH_SYS_TIME
46 # include <sys/time.h>
47 # include <time.h>
48 #else
49 # if HAVE_SYS_TIME_H
50 # include <sys/time.h>
51 # else
52 # include <time.h>
53 # endif
54 #endif
55
56 #include "var.h"
57 #include "misc.h"
58 #include "vmbuf.h"
59 #include "plog.h"
60 #include "sockmisc.h"
61 #include "schedule.h"
62 #include "debug.h"
63 #include "fsm.h"
64
65 #include "localconf.h"
66 #include "remoteconf.h"
67 #include "isakmp_var.h"
68 #include "isakmp.h"
69 #include "oakley.h"
70 #include "handler.h"
71 #include "ipsec_doi.h"
72 #include "crypto_openssl.h"
73 #include "pfkey.h"
74 #include "isakmp_ident.h"
75 #include "isakmp_inf.h"
76 #include "vendorid.h"
77
78 #ifdef ENABLE_NATT
79 #include "nattraversal.h"
80 #endif
81 #ifdef ENABLE_HYBRID
82 #include <resolv.h>
83 #include "isakmp_xauth.h"
84 #include "isakmp_cfg.h"
85 #endif
86 #ifdef ENABLE_FRAG
87 #include "isakmp_frag.h"
88 #endif
89
90 #include "vpn_control.h"
91 #include "vpn_control_var.h"
92 #include "ipsecSessionTracer.h"
93 #include "ipsecMessageTracer.h"
94 #ifndef HAVE_OPENSSL
95 #include <Security/SecDH.h>
96 #endif
97
98 static vchar_t *ident_ir2mx (phase1_handle_t *);
99 static vchar_t *ident_ir3mx (phase1_handle_t *);
100
101 /* %%%
102 * begin Identity Protection Mode as initiator.
103 */
104 /*
105 * send to responder
106 * psk: HDR, SA
107 * sig: HDR, SA
108 * rsa: HDR, SA
109 * rev: HDR, SA
110 */
111 int
112 ident_i1send(iph1, msg)
113 phase1_handle_t *iph1;
114 vchar_t *msg; /* must be null */
115 {
116 struct payload_list *plist = NULL;
117 int error = -1;
118 #ifdef ENABLE_NATT
119 vchar_t *vid_natt[MAX_NATT_VID_COUNT] = { NULL };
120 int i;
121 #endif
122 #ifdef ENABLE_HYBRID
123 vchar_t *vid_xauth = NULL;
124 vchar_t *vid_unity = NULL;
125 #endif
126 #ifdef ENABLE_FRAG
127 vchar_t *vid_frag = NULL;
128 #endif
129 #ifdef ENABLE_DPD
130 vchar_t *vid_dpd = NULL;
131 #endif
132
133 /* validity check */
134 if (iph1->status != IKEV1_STATE_IDENT_I_START) {
135 plog(ASL_LEVEL_ERR,
136 "status mismatched %d.\n", iph1->status);
137 goto end;
138 }
139
140 /* validity check */
141 if (msg != NULL) {
142 plog(ASL_LEVEL_ERR,
143 "msg has to be NULL in this function.\n");
144 goto end;
145 }
146
147 /* create isakmp index */
148 memset(&iph1->index, 0, sizeof(iph1->index));
149 isakmp_newcookie((caddr_t)&iph1->index, iph1->remote, iph1->local);
150
151 /* create SA payload for my proposal */
152 iph1->sa = ipsecdoi_setph1proposal(iph1);
153 if (iph1->sa == NULL) {
154 plog(ASL_LEVEL_ERR,
155 "failed to set proposal");
156 goto end;
157 }
158
159 /* set SA payload to propose */
160 plist = isakmp_plist_append(plist, iph1->sa, ISAKMP_NPTYPE_SA);
161
162 #ifdef ENABLE_NATT
163 /* set VID payload for NAT-T if NAT-T support allowed in the config file */
164 if (iph1->rmconf->nat_traversal)
165 plist = isakmp_plist_append_natt_vids(plist, vid_natt);
166 #endif
167 #ifdef ENABLE_HYBRID
168 /* Do we need Xauth VID? */
169 switch (RMAUTHMETHOD(iph1)) {
170 case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
171 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
172 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
173 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
174 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
175 if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL)
176 plog(ASL_LEVEL_ERR,
177 "Xauth vendor ID generation failed\n");
178 else
179 plist = isakmp_plist_append(plist,
180 vid_xauth, ISAKMP_NPTYPE_VID);
181
182 if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL)
183 plog(ASL_LEVEL_ERR,
184 "Unity vendor ID generation failed\n");
185 else
186 plist = isakmp_plist_append(plist,
187 vid_unity, ISAKMP_NPTYPE_VID);
188 break;
189 default:
190 break;
191 }
192 #endif
193 #ifdef ENABLE_FRAG
194 if (iph1->rmconf->ike_frag) {
195 if ((vid_frag = set_vendorid(VENDORID_FRAG)) == NULL) {
196 plog(ASL_LEVEL_ERR,
197 "Frag vendorID construction failed\n");
198 } else {
199 vid_frag = isakmp_frag_addcap(vid_frag,
200 VENDORID_FRAG_IDENT);
201 plist = isakmp_plist_append(plist,
202 vid_frag, ISAKMP_NPTYPE_VID);
203 }
204 }
205 #endif
206 #ifdef ENABLE_DPD
207 if(iph1->rmconf->dpd){
208 vid_dpd = set_vendorid(VENDORID_DPD);
209 if (vid_dpd != NULL)
210 plist = isakmp_plist_append(plist, vid_dpd,
211 ISAKMP_NPTYPE_VID);
212 }
213 #endif
214
215 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
216
217 #ifdef HAVE_PRINT_ISAKMP_C
218 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
219 #endif
220
221 /* send the packet, add to the schedule to resend */
222 iph1->retry_counter = iph1->rmconf->retry_counter;
223 if (isakmp_ph1resend(iph1) == -1) {
224 plog(ASL_LEVEL_ERR,
225 "failed to send packet");
226 goto end;
227 }
228
229 fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_I_MSG1SENT);
230
231 error = 0;
232
233 IPSECSESSIONTRACEREVENT(iph1->parent_session,
234 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
235 CONSTSTR("Initiator, Main-Mode message 1"),
236 CONSTSTR(NULL));
237
238 end:
239 if (error) {
240 IPSECSESSIONTRACEREVENT(iph1->parent_session,
241 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
242 CONSTSTR("Initiator, Main-Mode Message 1"),
243 CONSTSTR("Failed to transmit Main-Mode Message 1"));
244 }
245 #ifdef ENABLE_FRAG
246 if (vid_frag)
247 vfree(vid_frag);
248 #endif
249 #ifdef ENABLE_NATT
250 for (i = 0; i < MAX_NATT_VID_COUNT && vid_natt[i] != NULL; i++)
251 vfree(vid_natt[i]);
252 #endif
253 #ifdef ENABLE_HYBRID
254 if (vid_xauth != NULL)
255 vfree(vid_xauth);
256 if (vid_unity != NULL)
257 vfree(vid_unity);
258 #endif
259 #ifdef ENABLE_DPD
260 if (vid_dpd != NULL)
261 vfree(vid_dpd);
262 #endif
263
264 return error;
265 }
266
267 /*
268 * receive from responder
269 * psk: HDR, SA
270 * sig: HDR, SA
271 * rsa: HDR, SA
272 * rev: HDR, SA
273 */
274 int
275 ident_i2recv(iph1, msg)
276 phase1_handle_t *iph1;
277 vchar_t *msg;
278 {
279 vchar_t *pbuf = NULL;
280 struct isakmp_parse_t *pa;
281 vchar_t *satmp = NULL;
282 int error = -1;
283 int vid_numeric;
284
285 /* validity check */
286 if (iph1->status != IKEV1_STATE_IDENT_I_MSG1SENT) {
287 plog(ASL_LEVEL_ERR,
288 "status mismatched %d.\n", iph1->status);
289 goto end;
290 }
291
292 /* validate the type of next payload */
293 /*
294 * NOTE: RedCreek(as responder) attaches N[responder-lifetime] here,
295 * if proposal-lifetime > lifetime-redcreek-wants.
296 * (see doi-08 4.5.4)
297 * => According to the seciton 4.6.3 in RFC 2407, This is illegal.
298 * NOTE: we do not really care about ordering of VID and N.
299 * does it matters?
300 * NOTE: even if there's multiple VID/N, we'll ignore them.
301 */
302 pbuf = isakmp_parse(msg);
303 if (pbuf == NULL) {
304 plog(ASL_LEVEL_ERR,
305 "failed to parse msg");
306 goto end;
307 }
308 pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
309
310 /* SA payload is fixed postion */
311 if (pa->type != ISAKMP_NPTYPE_SA) {
312 plog(ASL_LEVEL_ERR,
313 "received invalid next payload type %d, "
314 "expecting %d.\n",
315 pa->type, ISAKMP_NPTYPE_SA);
316 goto end;
317 }
318 if (isakmp_p2ph(&satmp, pa->ptr) < 0) {
319 plog(ASL_LEVEL_ERR,
320 "failed to process SA payload");
321 goto end;
322 }
323 pa++;
324
325 for (/*nothing*/;
326 pa->type != ISAKMP_NPTYPE_NONE;
327 pa++) {
328
329 switch (pa->type) {
330 case ISAKMP_NPTYPE_VID:
331 vid_numeric = check_vendorid(pa->ptr);
332 #ifdef ENABLE_NATT
333 if (iph1->rmconf->nat_traversal && natt_vendorid(vid_numeric))
334 natt_handle_vendorid(iph1, vid_numeric);
335 #endif
336 #ifdef ENABLE_HYBRID
337 switch (vid_numeric) {
338 case VENDORID_XAUTH:
339 iph1->mode_cfg->flags |=
340 ISAKMP_CFG_VENDORID_XAUTH;
341 break;
342
343 case VENDORID_UNITY:
344 iph1->mode_cfg->flags |=
345 ISAKMP_CFG_VENDORID_UNITY;
346 break;
347
348 default:
349 break;
350 }
351 #endif
352 #ifdef ENABLE_DPD
353 if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd)
354 iph1->dpd_support=1;
355 #endif
356 #ifdef ENABLE_FRAG
357 if ((vid_numeric == VENDORID_FRAG) &&
358 (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_IDENT)) {
359 plog(ASL_LEVEL_DEBUG,
360 "remote supports FRAGMENTATION\n");
361 iph1->frag = 1;
362 }
363 #endif
364 break;
365 default:
366 /* don't send information, see ident_r1recv() */
367 plog(ASL_LEVEL_ERR,
368 "ignore the packet, "
369 "received unexpecting payload type %d.\n",
370 pa->type);
371 goto end;
372 }
373 }
374
375 #ifdef ENABLE_NATT
376 if (NATT_AVAILABLE(iph1)) {
377 plog(ASL_LEVEL_INFO,
378 "Selected NAT-T version: %s\n",
379 vid_string_by_id(iph1->natt_options->version));
380 ike_session_update_natt_version(iph1);
381 }
382 #endif
383
384 /* check SA payload and set approval SA for use */
385 if (ipsecdoi_checkph1proposal(satmp, iph1) < 0) {
386 plog(ASL_LEVEL_ERR,
387 "failed to get valid proposal.\n");
388 /* XXX send information */
389 goto end;
390 }
391 VPTRINIT(iph1->sa_ret);
392
393 fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_I_MSG2RCVD);
394
395 #ifdef ENABLE_VPNCONTROL_PORT
396 vpncontrol_notify_phase_change(1, FROM_REMOTE, iph1, NULL);
397 #endif
398
399 error = 0;
400
401 IPSECSESSIONTRACEREVENT(iph1->parent_session,
402 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
403 CONSTSTR("Initiator, Main-Mode message 2"),
404 CONSTSTR(NULL));
405
406 end:
407 if (error) {
408 IPSECSESSIONTRACEREVENT(iph1->parent_session,
409 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
410 CONSTSTR("Initiator, Main-Mode Message 2"),
411 CONSTSTR("Failed to process Main-Mode Message 2"));
412 }
413 if (pbuf)
414 vfree(pbuf);
415 if (satmp)
416 vfree(satmp);
417 return error;
418 }
419
420 /*
421 * send to responder
422 * psk: HDR, KE, Ni
423 * sig: HDR, KE, Ni
424 * gssapi: HDR, KE, Ni, GSSi
425 * rsa: HDR, KE, [ HASH(1), ] <IDi1_b>PubKey_r, <Ni_b>PubKey_r
426 * rev: HDR, [ HASH(1), ] <Ni_b>Pubkey_r, <KE_b>Ke_i,
427 * <IDi1_b>Ke_i, [<<Cert-I_b>Ke_i]
428 */
429 int
430 ident_i3send(iph1, msg)
431 phase1_handle_t *iph1;
432 vchar_t *msg;
433 {
434 int error = -1;
435
436 /* validity check */
437 if (iph1->status != IKEV1_STATE_IDENT_I_MSG2RCVD) {
438 plog(ASL_LEVEL_ERR,
439 "status mismatched %d.\n", iph1->status);
440 goto end;
441 }
442
443 /* fix isakmp index */
444 memcpy(&iph1->index.r_ck, &((struct isakmp *)msg->v)->r_ck,
445 sizeof(cookie_t));
446
447 /* generate DH public value */
448 #ifdef HAVE_OPENSSL
449 if (oakley_dh_generate(iph1->approval->dhgrp,
450 &iph1->dhpub, &iph1->dhpriv) < 0) {
451 #else
452 if (oakley_dh_generate(iph1->approval->dhgrp,
453 &iph1->dhpub, &iph1->publicKeySize, &iph1->dhC) < 0) {
454 #endif
455 plog(ASL_LEVEL_ERR,
456 "failed to generate DH");
457 goto end;
458 }
459
460 /* generate NONCE value */
461 iph1->nonce = eay_set_random(iph1->rmconf->nonce_size);
462 if (iph1->nonce == NULL) {
463 plog(ASL_LEVEL_ERR,
464 "failed to generate NONCE");
465 goto end;
466 }
467
468 /* create buffer to send isakmp payload */
469 iph1->sendbuf = ident_ir2mx(iph1);
470 if (iph1->sendbuf == NULL) {
471 plog(ASL_LEVEL_ERR,
472 "failed to create send buffer");
473 goto end;
474 }
475
476 #ifdef HAVE_PRINT_ISAKMP_C
477 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
478 #endif
479
480 /* send the packet, add to the schedule to resend */
481 iph1->retry_counter = iph1->rmconf->retry_counter;
482 if (isakmp_ph1resend(iph1) == -1) {
483 plog(ASL_LEVEL_ERR,
484 "failed to send packet");
485 goto end;
486 }
487
488 /* the sending message is added to the received-list. */
489 if (ike_session_add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
490 PH1_NON_ESP_EXTRA_LEN(iph1, iph1->sendbuf), PH1_FRAG_FLAGS(iph1)) == -1) {
491 plog(ASL_LEVEL_ERR ,
492 "failed to add a response packet to the tree.\n");
493 goto end;
494 }
495
496 fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_I_MSG3SENT);
497
498 error = 0;
499
500 IPSECSESSIONTRACEREVENT(iph1->parent_session,
501 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
502 CONSTSTR("Initiator, Main-Mode message 3"),
503 CONSTSTR(NULL));
504
505 end:
506 if (error) {
507 IPSECSESSIONTRACEREVENT(iph1->parent_session,
508 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
509 CONSTSTR("Initiator, Main-Mode Message 3"),
510 CONSTSTR("Failed to transmit Main-Mode Message 3"));
511 }
512 return error;
513 }
514
515 /*
516 * receive from responder
517 * psk: HDR, KE, Nr
518 * sig: HDR, KE, Nr [, CR ]
519 * gssapi: HDR, KE, Nr, GSSr
520 * rsa: HDR, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i
521 * rev: HDR, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDr1_b>Ke_r,
522 */
523 int
524 ident_i4recv(iph1, msg)
525 phase1_handle_t *iph1;
526 vchar_t *msg;
527 {
528 vchar_t *pbuf = NULL;
529 struct isakmp_parse_t *pa;
530 int error = -1;
531 int vid_numeric;
532 #ifdef ENABLE_NATT
533 vchar_t *natd_received;
534 int natd_seq = 0, natd_verified;
535 #endif
536
537 /* validity check */
538 if (iph1->status != IKEV1_STATE_IDENT_I_MSG3SENT) {
539 plog(ASL_LEVEL_ERR,
540 "status mismatched %d.\n", iph1->status);
541 goto end;
542 }
543
544 /* validate the type of next payload */
545 pbuf = isakmp_parse(msg);
546 if (pbuf == NULL) {
547 plog(ASL_LEVEL_ERR,
548 "failed to parse msg");
549 goto end;
550 }
551
552 for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
553 pa->type != ISAKMP_NPTYPE_NONE;
554 pa++) {
555
556 switch (pa->type) {
557 case ISAKMP_NPTYPE_KE:
558 if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) {
559 plog(ASL_LEVEL_ERR,
560 "failed to process KE payload");
561 goto end;
562 }
563 break;
564 case ISAKMP_NPTYPE_NONCE:
565 if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) {
566 plog(ASL_LEVEL_ERR,
567 "failed to process NONCE payload");
568 goto end;
569 }
570 break;
571 case ISAKMP_NPTYPE_VID:
572 vid_numeric = check_vendorid(pa->ptr);
573 #ifdef ENABLE_HYBRID
574 switch (vid_numeric) {
575 case VENDORID_XAUTH:
576 iph1->mode_cfg->flags |=
577 ISAKMP_CFG_VENDORID_XAUTH;
578 break;
579
580 case VENDORID_UNITY:
581 iph1->mode_cfg->flags |=
582 ISAKMP_CFG_VENDORID_UNITY;
583 break;
584
585 default:
586 break;
587 }
588 #endif
589 #ifdef ENABLE_DPD
590 if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd)
591 iph1->dpd_support=1;
592 #endif
593
594 break;
595 case ISAKMP_NPTYPE_CR:
596 if (oakley_savecr(iph1, pa->ptr) < 0) {
597 plog(ASL_LEVEL_ERR,
598 "failed to process CR payload");
599 goto end;
600 }
601 break;
602
603 #ifdef ENABLE_NATT
604 case ISAKMP_NPTYPE_NATD_DRAFT:
605 case ISAKMP_NPTYPE_NATD_RFC:
606 case ISAKMP_NPTYPE_NATD_BADDRAFT:
607 if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL &&
608 pa->type == iph1->natt_options->payload_nat_d) {
609 natd_received = NULL;
610 if (isakmp_p2ph (&natd_received, pa->ptr) < 0) {
611 plog(ASL_LEVEL_ERR,
612 "failed to process NATD payload");
613 goto end;
614 }
615
616 /* set both bits first so that we can clear them
617 upon verifying hashes */
618 if (natd_seq == 0)
619 iph1->natt_flags |= NAT_DETECTED;
620
621 /* this function will clear appropriate bits bits
622 from iph1->natt_flags */
623 natd_verified = natt_compare_addr_hash (iph1,
624 natd_received, natd_seq++);
625
626 plog (ASL_LEVEL_INFO, "NAT-D payload #%d %s\n",
627 natd_seq - 1,
628 natd_verified ? "verified" : "doesn't match");
629
630 vfree (natd_received);
631 break;
632 }
633 /* %%%% Be lenient here - some servers send natd payloads */
634 /* when no nat is detected */
635 break;
636 #endif
637
638 default:
639 /* don't send information, see ident_r1recv() */
640 plog(ASL_LEVEL_ERR,
641 "ignore the packet, "
642 "received unexpecting payload type %d.\n",
643 pa->type);
644 goto end;
645 }
646 }
647
648 #ifdef ENABLE_NATT
649 if (NATT_AVAILABLE(iph1)) {
650 plog (ASL_LEVEL_INFO, "NAT %s %s%s\n",
651 iph1->natt_flags & NAT_DETECTED ?
652 "detected:" : "not detected",
653 iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "",
654 iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : "");
655 if (iph1->natt_flags & NAT_DETECTED)
656 natt_float_ports (iph1);
657 }
658 #endif
659
660 /* payload existency check */
661 if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) {
662 plog(ASL_LEVEL_ERR,
663 "few isakmp message received.\n");
664 goto end;
665 }
666
667 if (oakley_checkcr(iph1) < 0) {
668 /* Ignore this error in order to be interoperability. */
669 ;
670 }
671
672 fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_I_MSG4RCVD);
673
674 error = 0;
675
676 IPSECSESSIONTRACEREVENT(iph1->parent_session,
677 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
678 CONSTSTR("Initiator, Main-Mode message 4"),
679 CONSTSTR(NULL));
680
681 end:
682 if (error) {
683 IPSECSESSIONTRACEREVENT(iph1->parent_session,
684 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
685 CONSTSTR("Initiator, Main-Mode Message 4"),
686 CONSTSTR("Failed to process Main-Mode Message 4"));
687 }
688 if (pbuf)
689 vfree(pbuf);
690 if (error) {
691 VPTRINIT(iph1->dhpub_p);
692 VPTRINIT(iph1->nonce_p);
693 VPTRINIT(iph1->id_p);
694 oakley_delcert(iph1->cr_p);
695 iph1->cr_p = NULL;
696 }
697
698 return error;
699 }
700
701 /*
702 * send to responder
703 * psk: HDR*, IDi1, HASH_I
704 * sig: HDR*, IDi1, [ CR, ] [ CERT, ] SIG_I
705 * gssapi: HDR*, IDi1, < Gssi(n) | HASH_I >
706 * rsa: HDR*, HASH_I
707 * rev: HDR*, HASH_I
708 */
709 int
710 ident_i5send(iph1, msg0)
711 phase1_handle_t *iph1;
712 vchar_t *msg0;
713 {
714 int error = -1;
715 int dohash = 1;
716
717 /* validity check */
718 if (iph1->status != IKEV1_STATE_IDENT_I_MSG4RCVD) {
719 plog(ASL_LEVEL_ERR,
720 "status mismatched %d.\n", iph1->status);
721 goto end;
722 }
723
724 /* compute sharing secret of DH */
725 #ifdef HAVE_OPENSSL
726 if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub,
727 iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) {
728 #else
729 if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub_p, iph1->publicKeySize, &iph1->dhgxy, &iph1->dhC) < 0) {
730 #endif
731 plog(ASL_LEVEL_ERR,
732 "failed to compute DH");
733 goto end;
734 }
735
736 /* generate SKEYIDs & IV & final cipher key */
737 if (oakley_skeyid(iph1) < 0) {
738 plog(ASL_LEVEL_ERR,
739 "failed to generate SKEYID");
740 goto end;
741 }
742 if (oakley_skeyid_dae(iph1) < 0) {
743 plog(ASL_LEVEL_ERR,
744 "failed to generate SKEYID-DAE");
745 goto end;
746 }
747 if (oakley_compute_enckey(iph1) < 0) {
748 plog(ASL_LEVEL_ERR,
749 "failed to generate ENCKEY");
750 goto end;
751 }
752 if (oakley_newiv(iph1) < 0) {
753 plog(ASL_LEVEL_ERR,
754 "failed to generate IV");
755 goto end;
756 }
757
758 /* make ID payload into isakmp status */
759 if (ipsecdoi_setid1(iph1) < 0) {
760 plog(ASL_LEVEL_ERR,
761 "failed to set ID");
762 goto end;
763 }
764
765 /* generate HASH to send */
766 if (dohash) {
767 iph1->hash = oakley_ph1hash_common(iph1, GENERATE);
768 if (iph1->hash == NULL) {
769 plog(ASL_LEVEL_ERR,
770 "failed to generate HASH");
771 goto end;
772 }
773 } else
774 iph1->hash = NULL;
775
776 /* set encryption flag */
777 iph1->flags |= ISAKMP_FLAG_E;
778
779 /* create HDR;ID;HASH payload */
780 iph1->sendbuf = ident_ir3mx(iph1);
781 if (iph1->sendbuf == NULL) {
782 plog(ASL_LEVEL_ERR,
783 "failed to allocate send buffer");
784 goto end;
785 }
786
787 /* send the packet, add to the schedule to resend */
788 iph1->retry_counter = iph1->rmconf->retry_counter;
789 if (isakmp_ph1resend(iph1) == -1) {
790 plog(ASL_LEVEL_ERR,
791 "failed to send packet");
792 goto end;
793 }
794
795 /* the sending message is added to the received-list. */
796 if (ike_session_add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg0,
797 PH1_NON_ESP_EXTRA_LEN(iph1, iph1->sendbuf), PH1_FRAG_FLAGS(iph1)) == -1) {
798 plog(ASL_LEVEL_ERR ,
799 "failed to add a response packet to the tree.\n");
800 goto end;
801 }
802
803 /* see handler.h about IV synchronization. */
804 memcpy(iph1->ivm->ive->v, iph1->ivm->iv->v, iph1->ivm->iv->l);
805
806 fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_I_MSG5SENT);
807
808 error = 0;
809
810 IPSECSESSIONTRACEREVENT(iph1->parent_session,
811 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
812 CONSTSTR("Initiator, Main-Mode message 5"),
813 CONSTSTR(NULL));
814
815 end:
816 if (error) {
817 IPSECSESSIONTRACEREVENT(iph1->parent_session,
818 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
819 CONSTSTR("Initiator, Main-Mode Message 5"),
820 CONSTSTR("Failed to transmit Main-Mode Message 5"));
821 }
822 return error;
823 }
824
825 /*
826 * receive from responder
827 * psk: HDR*, IDr1, HASH_R
828 * sig: HDR*, IDr1, [ CERT, ] SIG_R
829 * gssapi: HDR*, IDr1, < GSSr(n) | HASH_R >
830 * rsa: HDR*, HASH_R
831 * rev: HDR*, HASH_R
832 */
833 int
834 ident_i6recv(iph1, msg0)
835 phase1_handle_t *iph1;
836 vchar_t *msg0;
837 {
838 vchar_t *pbuf = NULL;
839 struct isakmp_parse_t *pa;
840 vchar_t *msg = NULL;
841 int error = -1;
842 int type;
843 int vid_numeric;
844 int received_cert = 0;
845
846 /* validity check */
847 if (iph1->status != IKEV1_STATE_IDENT_I_MSG5SENT) {
848 plog(ASL_LEVEL_ERR,
849 "status mismatched %d.\n", iph1->status);
850 goto end;
851 }
852
853 /* decrypting */
854 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
855 plog(ASL_LEVEL_ERR,
856 "ignore the packet, "
857 "expecting the packet encrypted.\n");
858 goto end;
859 }
860 msg = oakley_do_decrypt(iph1, msg0, iph1->ivm->iv, iph1->ivm->ive);
861 if (msg == NULL) {
862 plog(ASL_LEVEL_ERR,
863 "failed to decrypt");
864 goto end;
865 }
866
867 /* validate the type of next payload */
868 pbuf = isakmp_parse(msg);
869 if (pbuf == NULL) {
870 plog(ASL_LEVEL_ERR,
871 "failed to parse msg");
872 goto end;
873 }
874
875 iph1->pl_hash = NULL;
876
877 for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
878 pa->type != ISAKMP_NPTYPE_NONE;
879 pa++) {
880
881 switch (pa->type) {
882 case ISAKMP_NPTYPE_ID:
883 if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) {
884 plog(ASL_LEVEL_ERR,
885 "failed to process ID payload");
886 goto end;
887 }
888 break;
889 case ISAKMP_NPTYPE_HASH:
890 iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr;
891 break;
892 case ISAKMP_NPTYPE_CERT:
893 if (oakley_savecert(iph1, pa->ptr) < 0) {
894 plog(ASL_LEVEL_ERR,
895 "failed to process CERT payload");
896 goto end;
897 }
898 received_cert = 1;
899 break;
900 case ISAKMP_NPTYPE_SIG:
901 if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) {
902 plog(ASL_LEVEL_ERR,
903 "failed to process SIG payload");
904 goto end;
905 }
906 break;
907
908 case ISAKMP_NPTYPE_VID:
909 vid_numeric = check_vendorid(pa->ptr);
910 #ifdef ENABLE_DPD
911 if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd)
912 iph1->dpd_support=1;
913 #endif
914 break;
915 case ISAKMP_NPTYPE_N:
916 isakmp_check_notify(pa->ptr, iph1);
917 break;
918 default:
919 /* don't send information, see ident_r1recv() */
920 plog(ASL_LEVEL_ERR,
921 "ignore the packet, "
922 "received unexpecting payload type %d.\n",
923 pa->type);
924 goto end;
925 }
926 }
927
928 if (received_cert) {
929 oakley_verify_certid(iph1);
930 }
931
932 /* payload existency check */
933
934 /* verify identifier */
935 if (ipsecdoi_checkid1(iph1) != 0) {
936 plog(ASL_LEVEL_ERR,
937 "invalid ID payload.\n");
938 goto end;
939 }
940
941 /* validate authentication value */
942 type = oakley_validate_auth(iph1);
943 if (type != 0) {
944 IPSECSESSIONTRACEREVENT(iph1->parent_session,
945 IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_FAIL,
946 CONSTSTR("Initiator, Main-Mode Message 6"),
947 CONSTSTR("Failed to authenticate Main-Mode Message 6"));
948 if (type == -1) {
949 /* msg printed inner oakley_validate_auth() */
950 goto end;
951 }
952 isakmp_info_send_n1(iph1, type, NULL);
953 goto end;
954 }
955 IPSECSESSIONTRACEREVENT(iph1->parent_session,
956 IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_SUCC,
957 CONSTSTR("Initiator, Main-Mode Message 6"),
958 CONSTSTR(NULL));
959
960
961 /*
962 * XXX: Should we do compare two addresses, ph1handle's and ID
963 * payload's.
964 */
965
966 plogdump(ASL_LEVEL_DEBUG, iph1->id_p->v, iph1->id_p->l, "peer's ID:");
967
968 /* see handler.h about IV synchronization. */
969 memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->ive->l);
970
971 /*
972 * If we got a GSS token, we need to this roundtrip again.
973 */
974 fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_I_MSG6RCVD);
975
976 error = 0;
977
978 IPSECSESSIONTRACEREVENT(iph1->parent_session,
979 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
980 CONSTSTR("Initiator, Main-Mode message 6"),
981 CONSTSTR(NULL));
982
983 end:
984 if (error) {
985 IPSECSESSIONTRACEREVENT(iph1->parent_session,
986 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
987 CONSTSTR("Initiator, Main-Mode Message 6"),
988 CONSTSTR("Failed to transmit Main-Mode Message 6"));
989 }
990 if (pbuf)
991 vfree(pbuf);
992 if (msg)
993 vfree(msg);
994
995 if (error) {
996 VPTRINIT(iph1->id_p);
997 oakley_delcert(iph1->cert_p);
998 iph1->cert_p = NULL;
999 oakley_delcert(iph1->crl_p);
1000 iph1->crl_p = NULL;
1001 VPTRINIT(iph1->sig_p);
1002 }
1003
1004 return error;
1005 }
1006
1007 /*
1008 * status update and establish isakmp sa.
1009 */
1010 int
1011 ident_ifinalize(iph1, msg)
1012 phase1_handle_t *iph1;
1013 vchar_t *msg;
1014 {
1015 int error = -1;
1016
1017 /* validity check */
1018 if (iph1->status != IKEV1_STATE_IDENT_I_MSG6RCVD) {
1019 plog(ASL_LEVEL_ERR,
1020 "status mismatched %d.\n", iph1->status);
1021 goto end;
1022 }
1023
1024 /* see handler.h about IV synchronization. */
1025 memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->iv->l);
1026
1027 fsm_set_state(&iph1->status, IKEV1_STATE_PHASE1_ESTABLISHED);
1028
1029 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1030 IPSECSESSIONEVENTCODE_IKEV1_PH1_INIT_SUCC,
1031 CONSTSTR("Initiator, Main-Mode"),
1032 CONSTSTR(NULL));
1033
1034 error = 0;
1035
1036 end:
1037 return error;
1038 }
1039
1040 /*
1041 * receive from initiator
1042 * psk: HDR, SA
1043 * sig: HDR, SA
1044 * rsa: HDR, SA
1045 * rev: HDR, SA
1046 */
1047 int
1048 ident_r1recv(iph1, msg)
1049 phase1_handle_t *iph1;
1050 vchar_t *msg;
1051 {
1052 vchar_t *pbuf = NULL;
1053 struct isakmp_parse_t *pa;
1054 int error = -1;
1055 int vid_numeric;
1056
1057 /* validity check */
1058 if (iph1->status != IKEV1_STATE_IDENT_R_START) {
1059 plog(ASL_LEVEL_ERR,
1060 "status mismatched %d.\n", iph1->status);
1061 goto end;
1062 }
1063
1064 /* validate the type of next payload */
1065 /*
1066 * NOTE: XXX even if multiple VID, we'll silently ignore those.
1067 */
1068 pbuf = isakmp_parse(msg);
1069 if (pbuf == NULL) {
1070 plog(ASL_LEVEL_ERR,
1071 "failed to parse msg");
1072 goto end;
1073 }
1074 pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
1075
1076 /* check the position of SA payload */
1077 if (pa->type != ISAKMP_NPTYPE_SA) {
1078 plog(ASL_LEVEL_ERR,
1079 "received invalid next payload type %d, "
1080 "expecting %d.\n",
1081 pa->type, ISAKMP_NPTYPE_SA);
1082 goto end;
1083 }
1084 if (isakmp_p2ph(&iph1->sa, pa->ptr) < 0) {
1085 plog(ASL_LEVEL_ERR,
1086 "failed to process SA payload");
1087 goto end;
1088 }
1089 pa++;
1090
1091 for (/*nothing*/;
1092 pa->type != ISAKMP_NPTYPE_NONE;
1093 pa++) {
1094
1095 switch (pa->type) {
1096 case ISAKMP_NPTYPE_VID:
1097 vid_numeric = check_vendorid(pa->ptr);
1098 #ifdef ENABLE_NATT
1099 if (iph1->rmconf->nat_traversal && natt_vendorid(vid_numeric))
1100 natt_handle_vendorid(iph1, vid_numeric);
1101 #endif
1102 #ifdef ENABLE_HYBRID
1103 switch (vid_numeric) {
1104 case VENDORID_XAUTH:
1105 iph1->mode_cfg->flags |=
1106 ISAKMP_CFG_VENDORID_XAUTH;
1107 break;
1108
1109 case VENDORID_UNITY:
1110 iph1->mode_cfg->flags |=
1111 ISAKMP_CFG_VENDORID_UNITY;
1112 break;
1113
1114 default:
1115 break;
1116 }
1117 #endif
1118 #ifdef ENABLE_DPD
1119 if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd)
1120 iph1->dpd_support=1;
1121 #endif
1122 #ifdef ENABLE_FRAG
1123 if ((vid_numeric == VENDORID_FRAG) &&
1124 (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_IDENT)) {
1125 plog(ASL_LEVEL_DEBUG,
1126 "remote supports FRAGMENTATION\n");
1127 iph1->frag = 1;
1128 }
1129 #endif
1130 break;
1131 default:
1132 /*
1133 * We don't send information to the peer even
1134 * if we received malformed packet. Because we
1135 * can't distinguish the malformed packet and
1136 * the re-sent packet. And we do same behavior
1137 * when we expect encrypted packet.
1138 */
1139 plog(ASL_LEVEL_ERR,
1140 "ignore the packet, "
1141 "received unexpecting payload type %d.\n",
1142 pa->type);
1143 goto end;
1144 }
1145 }
1146
1147 #ifdef ENABLE_NATT
1148 if (NATT_AVAILABLE(iph1)) {
1149 plog(ASL_LEVEL_INFO,
1150 "Selected NAT-T version: %s\n",
1151 vid_string_by_id(iph1->natt_options->version));
1152 ike_session_update_natt_version(iph1);
1153 }
1154 #endif
1155
1156 /* check SA payload and set approval SA for use */
1157 if (ipsecdoi_checkph1proposal(iph1->sa, iph1) < 0) {
1158 plog(ASL_LEVEL_ERR,
1159 "failed to get valid proposal.\n");
1160 /* XXX send information */
1161 goto end;
1162 }
1163
1164 fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_R_MSG1RCVD);
1165
1166 error = 0;
1167
1168 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1169 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
1170 CONSTSTR("Responder, Main-Mode message 1"),
1171 CONSTSTR(NULL));
1172
1173 end:
1174 if (error) {
1175 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1176 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
1177 CONSTSTR("Responder, Main-Mode Message 1"),
1178 CONSTSTR("Failed to process Main-Mode Message 1"));
1179 }
1180 if (pbuf)
1181 vfree(pbuf);
1182 if (error) {
1183 VPTRINIT(iph1->sa);
1184 }
1185
1186 return error;
1187 }
1188
1189 /*
1190 * send to initiator
1191 * psk: HDR, SA
1192 * sig: HDR, SA
1193 * rsa: HDR, SA
1194 * rev: HDR, SA
1195 */
1196 int
1197 ident_r2send(iph1, msg)
1198 phase1_handle_t *iph1;
1199 vchar_t *msg;
1200 {
1201 struct payload_list *plist = NULL;
1202 int error = -1;
1203 vchar_t *gss_sa = NULL;
1204 #ifdef ENABLE_NATT
1205 vchar_t *vid_natt = NULL;
1206 #endif
1207 #ifdef ENABLE_HYBRID
1208 vchar_t *vid_xauth = NULL;
1209 vchar_t *vid_unity = NULL;
1210 #endif
1211 #ifdef ENABLE_DPD
1212 vchar_t *vid_dpd = NULL;
1213 #endif
1214 #ifdef ENABLE_FRAG
1215 vchar_t *vid_frag = NULL;
1216 #endif
1217
1218 /* validity check */
1219 if (iph1->status != IKEV1_STATE_IDENT_R_MSG1RCVD) {
1220 plog(ASL_LEVEL_ERR,
1221 "status mismatched %d.\n", iph1->status);
1222 goto end;
1223 }
1224
1225 /* set responder's cookie */
1226 isakmp_newcookie((caddr_t)&iph1->index.r_ck, iph1->remote, iph1->local);
1227 gss_sa = iph1->sa_ret;
1228
1229 /* set SA payload to reply */
1230 plist = isakmp_plist_append(plist, gss_sa, ISAKMP_NPTYPE_SA);
1231
1232 #ifdef ENABLE_HYBRID
1233 if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) {
1234 plog (ASL_LEVEL_INFO, "Adding xauth VID payload.\n");
1235 if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL) {
1236 plog(ASL_LEVEL_ERR,
1237 "Cannot create Xauth vendor ID\n");
1238 goto end;
1239 }
1240 plist = isakmp_plist_append(plist,
1241 vid_xauth, ISAKMP_NPTYPE_VID);
1242 }
1243
1244 if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_UNITY) {
1245 if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL) {
1246 plog(ASL_LEVEL_ERR,
1247 "Cannot create Unity vendor ID\n");
1248 goto end;
1249 }
1250 plist = isakmp_plist_append(plist,
1251 vid_unity, ISAKMP_NPTYPE_VID);
1252 }
1253 #endif
1254 #ifdef ENABLE_NATT
1255 /* Has the peer announced NAT-T? */
1256 if (NATT_AVAILABLE(iph1))
1257 vid_natt = set_vendorid(iph1->natt_options->version);
1258
1259 if (vid_natt)
1260 plist = isakmp_plist_append(plist, vid_natt, ISAKMP_NPTYPE_VID);
1261 #endif
1262 #ifdef ENABLE_DPD
1263 /* XXX only send DPD VID if remote sent it ? */
1264 if(iph1->rmconf->dpd){
1265 vid_dpd = set_vendorid(VENDORID_DPD);
1266 if (vid_dpd != NULL)
1267 plist = isakmp_plist_append(plist, vid_dpd, ISAKMP_NPTYPE_VID);
1268 }
1269 #endif
1270 #ifdef ENABLE_FRAG
1271 if (iph1->frag) {
1272 vid_frag = set_vendorid(VENDORID_FRAG);
1273 if (vid_frag != NULL)
1274 vid_frag = isakmp_frag_addcap(vid_frag,
1275 VENDORID_FRAG_IDENT);
1276 if (vid_frag == NULL)
1277 plog(ASL_LEVEL_ERR,
1278 "Frag vendorID construction failed\n");
1279 else
1280 plist = isakmp_plist_append(plist,
1281 vid_frag, ISAKMP_NPTYPE_VID);
1282 }
1283 #endif
1284
1285 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
1286
1287 #ifdef HAVE_PRINT_ISAKMP_C
1288 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
1289 #endif
1290
1291 /* send the packet, add to the schedule to resend */
1292 iph1->retry_counter = iph1->rmconf->retry_counter;
1293 if (isakmp_ph1resend(iph1) == -1) {
1294 plog(ASL_LEVEL_ERR,
1295 "failed to send packet");
1296 goto end;
1297 }
1298
1299 /* the sending message is added to the received-list. */
1300 if (ike_session_add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
1301 PH1_NON_ESP_EXTRA_LEN(iph1, iph1->sendbuf), PH1_FRAG_FLAGS(iph1)) == -1) {
1302 plog(ASL_LEVEL_ERR ,
1303 "failed to add a response packet to the tree.\n");
1304 goto end;
1305 }
1306
1307 fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_R_MSG2SENT);
1308
1309 #ifdef ENABLE_VPNCONTROL_PORT
1310 vpncontrol_notify_phase_change(1, FROM_LOCAL, iph1, NULL);
1311 #endif
1312
1313 error = 0;
1314
1315 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1316 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
1317 CONSTSTR("Responder, Main-Mode message 2"),
1318 CONSTSTR(NULL));
1319
1320 end:
1321 if (error) {
1322 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1323 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
1324 CONSTSTR("Responder, Main-Mode Message 2"),
1325 CONSTSTR("Failed to transmit Main-Mode Message 2"));
1326 }
1327 #ifdef ENABLE_NATT
1328 if (vid_natt)
1329 vfree(vid_natt);
1330 #endif
1331 #ifdef ENABLE_HYBRID
1332 if (vid_xauth != NULL)
1333 vfree(vid_xauth);
1334 if (vid_unity != NULL)
1335 vfree(vid_unity);
1336 #endif
1337 #ifdef ENABLE_DPD
1338 if (vid_dpd != NULL)
1339 vfree(vid_dpd);
1340 #endif
1341 #ifdef ENABLE_FRAG
1342 if (vid_frag != NULL)
1343 vfree(vid_frag);
1344 #endif
1345
1346 return error;
1347 }
1348
1349 /*
1350 * receive from initiator
1351 * psk: HDR, KE, Ni
1352 * sig: HDR, KE, Ni
1353 * gssapi: HDR, KE, Ni, GSSi
1354 * rsa: HDR, KE, [ HASH(1), ] <IDi1_b>PubKey_r, <Ni_b>PubKey_r
1355 * rev: HDR, [ HASH(1), ] <Ni_b>Pubkey_r, <KE_b>Ke_i,
1356 * <IDi1_b>Ke_i, [<<Cert-I_b>Ke_i]
1357 */
1358 int
1359 ident_r3recv(iph1, msg)
1360 phase1_handle_t *iph1;
1361 vchar_t *msg;
1362 {
1363 vchar_t *pbuf = NULL;
1364 struct isakmp_parse_t *pa;
1365 int error = -1;
1366 #ifdef ENABLE_NATT
1367 int natd_seq = 0;
1368 #endif
1369
1370 /* validity check */
1371 if (iph1->status != IKEV1_STATE_IDENT_R_MSG2SENT) {
1372 plog(ASL_LEVEL_ERR,
1373 "status mismatched %d.\n", iph1->status);
1374 goto end;
1375 }
1376
1377 /* validate the type of next payload */
1378 pbuf = isakmp_parse(msg);
1379 if (pbuf == NULL) {
1380 plog(ASL_LEVEL_ERR,
1381 "failed to parse msg");
1382 goto end;
1383 }
1384
1385 for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
1386 pa->type != ISAKMP_NPTYPE_NONE;
1387 pa++) {
1388 switch (pa->type) {
1389 case ISAKMP_NPTYPE_KE:
1390 if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) {
1391 plog(ASL_LEVEL_ERR,
1392 "failed to process KE payload");
1393 goto end;
1394 }
1395 break;
1396 case ISAKMP_NPTYPE_NONCE:
1397 if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) {
1398 plog(ASL_LEVEL_ERR,
1399 "failed to process NONCE payload");
1400 goto end;
1401 }
1402 break;
1403 case ISAKMP_NPTYPE_VID:
1404 (void)check_vendorid(pa->ptr);
1405 break;
1406 case ISAKMP_NPTYPE_CR:
1407 plog(ASL_LEVEL_WARNING,
1408 "CR received, ignore it. "
1409 "It should be in other exchange.\n");
1410 break;
1411
1412 #ifdef ENABLE_NATT
1413 case ISAKMP_NPTYPE_NATD_DRAFT:
1414 case ISAKMP_NPTYPE_NATD_RFC:
1415 case ISAKMP_NPTYPE_NATD_BADDRAFT:
1416 if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL &&
1417 pa->type == iph1->natt_options->payload_nat_d)
1418 {
1419 vchar_t *natd_received = NULL;
1420 int natd_verified;
1421
1422 if (isakmp_p2ph (&natd_received, pa->ptr) < 0) {
1423 plog(ASL_LEVEL_ERR,
1424 "failed to process NATD payload");
1425 goto end;
1426 }
1427
1428 if (natd_seq == 0)
1429 iph1->natt_flags |= NAT_DETECTED;
1430
1431 natd_verified = natt_compare_addr_hash (iph1,
1432 natd_received, natd_seq++);
1433
1434 plog (ASL_LEVEL_INFO, "NAT-D payload #%d %s\n",
1435 natd_seq - 1,
1436 natd_verified ? "verified" : "doesn't match");
1437
1438 vfree (natd_received);
1439 break;
1440 }
1441 /* %%%% Be lenient here - some servers send natd payloads */
1442 /* when no nat is detected */
1443 break;
1444 #endif
1445
1446 default:
1447 /* don't send information, see ident_r1recv() */
1448 plog(ASL_LEVEL_ERR,
1449 "ignore the packet, "
1450 "received unexpecting payload type %d.\n",
1451 pa->type);
1452 goto end;
1453 }
1454 }
1455
1456 #ifdef ENABLE_NATT
1457 if (NATT_AVAILABLE(iph1))
1458 plog (ASL_LEVEL_INFO, "NAT %s %s%s\n",
1459 iph1->natt_flags & NAT_DETECTED ?
1460 "detected:" : "not detected",
1461 iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "",
1462 iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : "");
1463 #endif
1464
1465 /* payload existency check */
1466 if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) {
1467 plog(ASL_LEVEL_ERR,
1468 "few isakmp message received.\n");
1469 goto end;
1470 }
1471
1472 fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_R_MSG3RCVD);
1473
1474 error = 0;
1475
1476 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1477 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
1478 CONSTSTR("Responder, Main-Mode message 3"),
1479 CONSTSTR(NULL));
1480
1481 end:
1482 if (error) {
1483 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1484 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
1485 CONSTSTR("Responder, Main-Mode Message 3"),
1486 CONSTSTR("Failed to process Main-Mode Message 3"));
1487 }
1488 if (pbuf)
1489 vfree(pbuf);
1490
1491 if (error) {
1492 VPTRINIT(iph1->dhpub_p);
1493 VPTRINIT(iph1->nonce_p);
1494 VPTRINIT(iph1->id_p);
1495 }
1496
1497 return error;
1498 }
1499
1500 /*
1501 * send to initiator
1502 * psk: HDR, KE, Nr
1503 * sig: HDR, KE, Nr [, CR ]
1504 * gssapi: HDR, KE, Nr, GSSr
1505 * rsa: HDR, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i
1506 * rev: HDR, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDr1_b>Ke_r,
1507 */
1508 int
1509 ident_r4send(iph1, msg)
1510 phase1_handle_t *iph1;
1511 vchar_t *msg;
1512 {
1513 int error = -1;
1514
1515 /* validity check */
1516 if (iph1->status != IKEV1_STATE_IDENT_R_MSG3RCVD) {
1517 plog(ASL_LEVEL_ERR,
1518 "status mismatched %d.\n", iph1->status);
1519 goto end;
1520 }
1521
1522 /* generate DH public value */
1523 #ifdef HAVE_OPENSSL
1524 if (oakley_dh_generate(iph1->approval->dhgrp,
1525 &iph1->dhpub, &iph1->dhpriv) < 0) {
1526 #else
1527 if (oakley_dh_generate(iph1->approval->dhgrp,
1528 &iph1->dhpub, &iph1->publicKeySize, &iph1->dhC) < 0) {
1529 #endif
1530 plog(ASL_LEVEL_ERR,
1531 "failed to generate DH");
1532 goto end;
1533 }
1534
1535 /* generate NONCE value */
1536 iph1->nonce = eay_set_random(iph1->rmconf->nonce_size);
1537 if (iph1->nonce == NULL) {
1538 plog(ASL_LEVEL_ERR,
1539 "failed to generate NONCE");
1540 goto end;
1541 }
1542
1543 /* create HDR;KE;NONCE payload */
1544 iph1->sendbuf = ident_ir2mx(iph1);
1545 if (iph1->sendbuf == NULL) {
1546 plog(ASL_LEVEL_ERR,
1547 "failed to allocate send buffer");
1548 goto end;
1549 }
1550
1551 #ifdef HAVE_PRINT_ISAKMP_C
1552 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
1553 #endif
1554
1555 /* send the packet, add to the schedule to resend */
1556 iph1->retry_counter = iph1->rmconf->retry_counter;
1557 if (isakmp_ph1resend(iph1) == -1) {
1558 plog(ASL_LEVEL_ERR,
1559 "failed to send packet");
1560 goto end;
1561 }
1562
1563 /* the sending message is added to the received-list. */
1564 if (ike_session_add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
1565 PH1_NON_ESP_EXTRA_LEN(iph1, iph1->sendbuf), PH1_FRAG_FLAGS(iph1)) == -1) {
1566 plog(ASL_LEVEL_ERR ,
1567 "failed to add a response packet to the tree.\n");
1568 goto end;
1569 }
1570
1571 /* compute sharing secret of DH */
1572 #ifdef HAVE_OPENSSL
1573 if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub,
1574 iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) {
1575 #else
1576 if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub_p, iph1->publicKeySize, &iph1->dhgxy, &iph1->dhC) < 0) {
1577 #endif
1578 plog(ASL_LEVEL_ERR,
1579 "failed to compute DH");
1580 goto end;
1581 }
1582
1583 /* generate SKEYIDs & IV & final cipher key */
1584 if (oakley_skeyid(iph1) < 0) {
1585 plog(ASL_LEVEL_ERR,
1586 "failed to generate SKEYID");
1587 goto end;
1588 }
1589 if (oakley_skeyid_dae(iph1) < 0) {
1590 plog(ASL_LEVEL_ERR,
1591 "failed to generate SKEYID-DAE");
1592 goto end;
1593 }
1594 if (oakley_compute_enckey(iph1) < 0) {
1595 plog(ASL_LEVEL_ERR,
1596 "failed to generate ENCKEY");
1597 goto end;
1598 }
1599 if (oakley_newiv(iph1) < 0) {
1600 plog(ASL_LEVEL_ERR,
1601 "failed to generate IV");
1602 goto end;
1603 }
1604
1605 fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_R_MSG4SENT);
1606
1607 error = 0;
1608
1609 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1610 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
1611 CONSTSTR("Responder, Main-Mode message 4"),
1612 CONSTSTR(NULL));
1613
1614 end:
1615 if (error) {
1616 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1617 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
1618 CONSTSTR("Responder, Main-Mode Message 4"),
1619 CONSTSTR("Failed to transmit Main-Mode Message 4"));
1620 }
1621 return error;
1622 }
1623
1624 /*
1625 * receive from initiator
1626 * psk: HDR*, IDi1, HASH_I
1627 * sig: HDR*, IDi1, [ CR, ] [ CERT, ] SIG_I
1628 * gssapi: HDR*, [ IDi1, ] < GSSi(n) | HASH_I >
1629 * rsa: HDR*, HASH_I
1630 * rev: HDR*, HASH_I
1631 */
1632 int
1633 ident_r5recv(iph1, msg0)
1634 phase1_handle_t *iph1;
1635 vchar_t *msg0;
1636 {
1637 vchar_t *msg = NULL;
1638 vchar_t *pbuf = NULL;
1639 struct isakmp_parse_t *pa;
1640 int error = -1;
1641 int type;
1642 int received_cert = 0;
1643
1644 /* validity check */
1645 if (iph1->status != IKEV1_STATE_IDENT_R_MSG4SENT) {
1646 plog(ASL_LEVEL_ERR,
1647 "status mismatched %d.\n", iph1->status);
1648 goto end;
1649 }
1650
1651 /* decrypting */
1652 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
1653 plog(ASL_LEVEL_ERR,
1654 "reject the packet, "
1655 "expecting the packet encrypted.\n");
1656 goto end;
1657 }
1658 msg = oakley_do_decrypt(iph1, msg0, iph1->ivm->iv, iph1->ivm->ive);
1659 if (msg == NULL) {
1660 plog(ASL_LEVEL_ERR,
1661 "failed to decrypt");
1662 goto end;
1663 }
1664
1665 /* validate the type of next payload */
1666 pbuf = isakmp_parse(msg);
1667 if (pbuf == NULL) {
1668 plog(ASL_LEVEL_ERR,
1669 "failed to parse msg");
1670 goto end;
1671 }
1672
1673 iph1->pl_hash = NULL;
1674
1675 for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
1676 pa->type != ISAKMP_NPTYPE_NONE;
1677 pa++) {
1678
1679 switch (pa->type) {
1680 case ISAKMP_NPTYPE_ID:
1681 if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) {
1682 plog(ASL_LEVEL_ERR,
1683 "failed to process ID payload");
1684 goto end;
1685 }
1686 break;
1687 case ISAKMP_NPTYPE_HASH:
1688 iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr;
1689 break;
1690 case ISAKMP_NPTYPE_CR:
1691 if (oakley_savecr(iph1, pa->ptr) < 0) {
1692 plog(ASL_LEVEL_ERR,
1693 "failed to process CR payload");
1694 goto end;
1695 }
1696 break;
1697 case ISAKMP_NPTYPE_CERT:
1698 if (oakley_savecert(iph1, pa->ptr) < 0) {
1699 plog(ASL_LEVEL_ERR,
1700 "failed to process CERT payload");
1701 goto end;
1702 }
1703 received_cert = 1;
1704 break;
1705 case ISAKMP_NPTYPE_SIG:
1706 if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) {
1707 plog(ASL_LEVEL_ERR,
1708 "failed to process SIG payload");
1709 goto end;
1710 }
1711 break;
1712 case ISAKMP_NPTYPE_VID:
1713 (void)check_vendorid(pa->ptr);
1714 break;
1715 case ISAKMP_NPTYPE_N:
1716 isakmp_check_notify(pa->ptr, iph1);
1717 break;
1718 default:
1719 /* don't send information, see ident_r1recv() */
1720 plog(ASL_LEVEL_ERR,
1721 "ignore the packet, "
1722 "received unexpecting payload type %d.\n",
1723 pa->type);
1724 goto end;
1725 }
1726 }
1727
1728 if (received_cert) {
1729 oakley_verify_certid(iph1);
1730 }
1731
1732 /* payload existency check */
1733 /* XXX same as ident_i4recv(), should be merged. */
1734 {
1735 int ng = 0;
1736
1737 switch (AUTHMETHOD(iph1)) {
1738 case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
1739 #ifdef ENABLE_HYBRID
1740 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
1741 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
1742 #endif
1743 if (iph1->id_p == NULL || iph1->pl_hash == NULL)
1744 ng++;
1745 break;
1746 case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
1747 #ifdef ENABLE_HYBRID
1748 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
1749 #endif
1750 if (iph1->id_p == NULL || iph1->sig_p == NULL)
1751 ng++;
1752 break;
1753 case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
1754 case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
1755 #ifdef ENABLE_HYBRID
1756 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
1757 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
1758 #endif
1759 if (iph1->pl_hash == NULL)
1760 ng++;
1761 break;
1762 default:
1763 plog(ASL_LEVEL_ERR,
1764 "invalid authmethod %d why ?\n",
1765 iph1->approval->authmethod);
1766 goto end;
1767 }
1768 if (ng) {
1769 plog(ASL_LEVEL_ERR,
1770 "few isakmp message received.\n");
1771 goto end;
1772 }
1773 }
1774
1775 /* verify identifier */
1776 if (ipsecdoi_checkid1(iph1) != 0) {
1777 plog(ASL_LEVEL_ERR,
1778 "invalid ID payload.\n");
1779 goto end;
1780 }
1781
1782 /* validate authentication value */
1783
1784 type = oakley_validate_auth(iph1);
1785 if (type != 0) {
1786 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1787 IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_FAIL,
1788 CONSTSTR("Responder, Main-Mode Message 5"),
1789 CONSTSTR("Failed to authenticate Main-Mode Message 5"));
1790 if (type == -1) {
1791 /* msg printed inner oakley_validate_auth() */
1792 goto end;
1793 }
1794 isakmp_info_send_n1(iph1, type, NULL);
1795 goto end;
1796 }
1797 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1798 IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_SUCC,
1799 CONSTSTR("Responder, Main-Mode Message 5"),
1800 CONSTSTR(NULL));
1801
1802 if (oakley_checkcr(iph1) < 0) {
1803 /* Ignore this error in order to be interoperability. */
1804 ;
1805 }
1806
1807 /*
1808 * XXX: Should we do compare two addresses, ph1handle's and ID
1809 * payload's.
1810 */
1811
1812 plogdump(ASL_LEVEL_DEBUG, iph1->id_p->v, iph1->id_p->l, "peer's ID\n");
1813
1814 /* see handler.h about IV synchronization. */
1815 memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->ive->l);
1816
1817 fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_R_MSG5RCVD);
1818 error = 0;
1819
1820 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1821 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
1822 CONSTSTR("Responder, Main-Mode message 5"),
1823 CONSTSTR(NULL));
1824
1825 end:
1826 if (error) {
1827 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1828 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
1829 CONSTSTR("Responder, Main-Mode Message 5"),
1830 CONSTSTR("Failed to process Main-Mode Message 5"));
1831 }
1832 if (pbuf)
1833 vfree(pbuf);
1834 if (msg)
1835 vfree(msg);
1836
1837 if (error) {
1838 VPTRINIT(iph1->id_p);
1839 oakley_delcert(iph1->cert_p);
1840 iph1->cert_p = NULL;
1841 oakley_delcert(iph1->crl_p);
1842 iph1->crl_p = NULL;
1843 VPTRINIT(iph1->sig_p);
1844 oakley_delcert(iph1->cr_p);
1845 iph1->cr_p = NULL;
1846 }
1847
1848 return error;
1849 }
1850
1851 /*
1852 * send to initiator
1853 * psk: HDR*, IDr1, HASH_R
1854 * sig: HDR*, IDr1, [ CERT, ] SIG_R
1855 * gssapi: HDR*, IDr1, < GSSr(n) | HASH_R >
1856 * rsa: HDR*, HASH_R
1857 * rev: HDR*, HASH_R
1858 */
1859 int
1860 ident_r6send(iph1, msg)
1861 phase1_handle_t *iph1;
1862 vchar_t *msg;
1863 {
1864 int error = -1;
1865 int dohash = 1;
1866
1867 /* validity check */
1868 if (iph1->status != IKEV1_STATE_IDENT_R_MSG5RCVD) {
1869 plog(ASL_LEVEL_ERR,
1870 "status mismatched %d.\n", iph1->status);
1871 goto end;
1872 }
1873
1874 /* make ID payload into isakmp status */
1875 if (ipsecdoi_setid1(iph1) < 0) {
1876 plog(ASL_LEVEL_ERR,
1877 "failed to set ID");
1878 goto end;
1879 }
1880
1881 if (dohash) {
1882 /* generate HASH to send */
1883 plog(ASL_LEVEL_DEBUG, "generate HASH_R\n");
1884 iph1->hash = oakley_ph1hash_common(iph1, GENERATE);
1885 if (iph1->hash == NULL) {
1886 plog(ASL_LEVEL_ERR,
1887 "failed to generate HASH");
1888 goto end;
1889 }
1890 } else
1891 iph1->hash = NULL;
1892
1893 /* set encryption flag */
1894 iph1->flags |= ISAKMP_FLAG_E;
1895
1896 /* create HDR;ID;HASH payload */
1897 iph1->sendbuf = ident_ir3mx(iph1);
1898 if (iph1->sendbuf == NULL) {
1899 plog(ASL_LEVEL_ERR,
1900 "failed to create send buffer");
1901 goto end;
1902 }
1903
1904 /* send HDR;ID;HASH to responder */
1905 if (isakmp_send(iph1, iph1->sendbuf) < 0) {
1906 plog(ASL_LEVEL_ERR,
1907 "failed to send packet");
1908 goto end;
1909 }
1910
1911 /* the sending message is added to the received-list. */
1912 if (ike_session_add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
1913 PH1_NON_ESP_EXTRA_LEN(iph1, iph1->sendbuf), PH1_FRAG_FLAGS(iph1)) == -1) {
1914 plog(ASL_LEVEL_ERR ,
1915 "failed to add a response packet to the tree.\n");
1916 goto end;
1917 }
1918
1919 /* see handler.h about IV synchronization. */
1920 memcpy(iph1->ivm->ive->v, iph1->ivm->iv->v, iph1->ivm->iv->l);
1921
1922 fsm_set_state(&iph1->status, IKEV1_STATE_PHASE1_ESTABLISHED);
1923
1924 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1925 IPSECSESSIONEVENTCODE_IKEV1_PH1_RESP_SUCC,
1926 CONSTSTR("Responder, Main-Mode"),
1927 CONSTSTR(NULL));
1928
1929 error = 0;
1930
1931 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1932 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
1933 CONSTSTR("Responder, Main-Mode message 6"),
1934 CONSTSTR(NULL));
1935
1936 end:
1937 if (error) {
1938 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1939 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
1940 CONSTSTR("Responder, Main-Mode Message 6"),
1941 CONSTSTR("Failed to process Main-Mode Message 6"));
1942 }
1943
1944 return error;
1945 }
1946
1947 /*
1948 * This is used in main mode for:
1949 * initiator's 3rd exchange send to responder
1950 * psk: HDR, KE, Ni
1951 * sig: HDR, KE, Ni
1952 * rsa: HDR, KE, [ HASH(1), ] <IDi1_b>PubKey_r, <Ni_b>PubKey_r
1953 * rev: HDR, [ HASH(1), ] <Ni_b>Pubkey_r, <KE_b>Ke_i,
1954 * <IDi1_b>Ke_i, [<<Cert-I_b>Ke_i]
1955 * responders 2nd exchnage send to initiator
1956 * psk: HDR, KE, Nr
1957 * sig: HDR, KE, Nr [, CR ]
1958 * rsa: HDR, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i
1959 * rev: HDR, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDr1_b>Ke_r,
1960 */
1961 static vchar_t *
1962 ident_ir2mx(iph1)
1963 phase1_handle_t *iph1;
1964 {
1965 vchar_t *buf = 0;
1966 struct payload_list *plist = NULL;
1967 int need_cr = 0;
1968 vchar_t *cr = NULL;
1969 vchar_t *vid = NULL;
1970 int error = -1;
1971 #ifdef ENABLE_NATT
1972 vchar_t *natd[2] = { NULL, NULL };
1973 #endif
1974
1975 /* create CR if need */
1976 if (iph1->side == RESPONDER
1977 && iph1->rmconf->send_cr
1978 && oakley_needcr(iph1->approval->authmethod)) {
1979 need_cr = 1;
1980 cr = oakley_getcr(iph1);
1981 if (cr == NULL) {
1982 plog(ASL_LEVEL_ERR,
1983 "failed to get cr buffer.\n");
1984 goto end;
1985 }
1986 }
1987
1988 /* create isakmp KE payload */
1989 plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE);
1990
1991 /* create isakmp NONCE payload */
1992 plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE);
1993
1994 /* append vendor id, if needed */
1995 if (vid)
1996 plist = isakmp_plist_append(plist, vid, ISAKMP_NPTYPE_VID);
1997
1998 /* create isakmp CR payload if needed */
1999 if (need_cr)
2000 plist = isakmp_plist_append(plist, cr, ISAKMP_NPTYPE_CR);
2001
2002 #ifdef ENABLE_NATT
2003 /* generate and append NAT-D payloads */
2004 if (NATT_AVAILABLE(iph1))
2005 {
2006 if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) {
2007 plog(ASL_LEVEL_ERR,
2008 "NAT-D hashing failed for %s\n", saddr2str((struct sockaddr *)iph1->remote));
2009 goto end;
2010 }
2011
2012 if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) {
2013 plog(ASL_LEVEL_ERR,
2014 "NAT-D hashing failed for %s\n", saddr2str((struct sockaddr *)iph1->local));
2015 goto end;
2016 }
2017
2018 plog (ASL_LEVEL_INFO, "Adding remote and local NAT-D payloads.\n");
2019 /* old Apple version sends natd payloads in the wrong order */
2020 if (iph1->natt_options->version == VENDORID_NATT_APPLE) {
2021 plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
2022 plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
2023 } else
2024 {
2025 plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
2026 plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
2027 }
2028 }
2029 #endif
2030
2031 buf = isakmp_plist_set_all (&plist, iph1);
2032
2033 error = 0;
2034
2035 end:
2036 if (error && buf != NULL) {
2037 vfree(buf);
2038 buf = NULL;
2039 }
2040 if (cr)
2041 vfree(cr);
2042 if (vid)
2043 vfree(vid);
2044
2045 #ifdef ENABLE_NATT
2046 if (natd[0])
2047 vfree(natd[0]);
2048 if (natd[1])
2049 vfree(natd[1]);
2050 #endif
2051
2052 return buf;
2053 }
2054
2055 /*
2056 * This is used in main mode for:
2057 * initiator's 4th exchange send to responder
2058 * psk: HDR*, IDi1, HASH_I
2059 * sig: HDR*, IDi1, [ CR, ] [ CERT, ] SIG_I
2060 * gssapi: HDR*, [ IDi1, ] < GSSi(n) | HASH_I >
2061 * rsa: HDR*, HASH_I
2062 * rev: HDR*, HASH_I
2063 * responders 3rd exchnage send to initiator
2064 * psk: HDR*, IDr1, HASH_R
2065 * sig: HDR*, IDr1, [ CERT, ] SIG_R
2066 * gssapi: HDR*, [ IDr1, ] < GSSr(n) | HASH_R >
2067 * rsa: HDR*, HASH_R
2068 * rev: HDR*, HASH_R
2069 */
2070 static vchar_t *
2071 ident_ir3mx(iph1)
2072 phase1_handle_t *iph1;
2073 {
2074 struct payload_list *plist = NULL;
2075 vchar_t *buf = NULL, *new = NULL;
2076 int need_cr = 0;
2077 int need_cert = 0;
2078 vchar_t *cr = NULL;
2079 int error = -1;
2080 vchar_t *notp_ini = NULL;
2081
2082 switch (AUTHMETHOD(iph1)) {
2083 case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
2084 #ifdef ENABLE_HYBRID
2085 case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
2086 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
2087 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
2088 #endif
2089 /* create isakmp ID payload */
2090 plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
2091
2092 /* create isakmp HASH payload */
2093 plist = isakmp_plist_append(plist, iph1->hash, ISAKMP_NPTYPE_HASH);
2094 break;
2095 case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
2096 #ifdef ENABLE_HYBRID
2097 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
2098 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
2099 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
2100 #endif
2101 if (oakley_getmycert(iph1) < 0) {
2102 plog(ASL_LEVEL_ERR,
2103 "failed to get mycert");
2104 goto end;
2105 }
2106
2107 if (oakley_getsign(iph1) < 0) {
2108 plog(ASL_LEVEL_ERR,
2109 "failed to get sign");
2110 goto end;
2111 }
2112
2113 /* create CR if need */
2114 if (iph1->side == INITIATOR
2115 && iph1->rmconf->send_cr
2116 && oakley_needcr(iph1->approval->authmethod)) {
2117 need_cr = 1;
2118 cr = oakley_getcr(iph1);
2119 if (cr == NULL) {
2120 plog(ASL_LEVEL_ERR,
2121 "failed to get CR");
2122 goto end;
2123 }
2124 }
2125
2126 if (iph1->cert != NULL && iph1->rmconf->send_cert)
2127 need_cert = 1;
2128
2129 /* add ID payload */
2130 plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
2131
2132 /* add CERT payload if there */
2133 // we don't support sending of certchains
2134 if (need_cert)
2135 plist = isakmp_plist_append(plist, iph1->cert->pl, ISAKMP_NPTYPE_CERT);
2136 /* add SIG payload */
2137 plist = isakmp_plist_append(plist, iph1->sig, ISAKMP_NPTYPE_SIG);
2138
2139 /* create isakmp CR payload */
2140 if (need_cr)
2141 plist = isakmp_plist_append(plist, cr, ISAKMP_NPTYPE_CR);
2142 break;
2143
2144 case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
2145 case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
2146 #ifdef ENABLE_HYBRID
2147 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
2148 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
2149 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
2150 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
2151 #endif
2152 plog(ASL_LEVEL_ERR,
2153 "not supported authentication type %d\n",
2154 iph1->approval->authmethod);
2155 goto end;
2156 default:
2157 plog(ASL_LEVEL_ERR,
2158 "invalid authentication type %d\n",
2159 iph1->approval->authmethod);
2160 goto end;
2161 }
2162
2163 if (iph1->side == INITIATOR) {
2164 notp_ini = isakmp_plist_append_initial_contact(iph1, plist);
2165 }
2166
2167 buf = isakmp_plist_set_all (&plist, iph1);
2168
2169 #ifdef HAVE_PRINT_ISAKMP_C
2170 isakmp_printpacket(buf, iph1->local, iph1->remote, 1);
2171 #endif
2172
2173 /* encoding */
2174 new = oakley_do_encrypt(iph1, buf, iph1->ivm->ive, iph1->ivm->iv);
2175 if (new == NULL) {
2176 plog(ASL_LEVEL_ERR,
2177 "failed to encrypt");
2178 goto end;
2179 }
2180
2181 vfree(buf);
2182
2183 buf = new;
2184
2185 error = 0;
2186
2187 end:
2188 if (cr)
2189 vfree(cr);
2190 if (error && buf != NULL) {
2191 vfree(buf);
2192 buf = NULL;
2193 }
2194 if (notp_ini)
2195 vfree(notp_ini);
2196
2197 return buf;
2198 }
mirror of ipsec