]> git.saurik.com Git - apple/ipsec.git/blob - ipsec-tools/racoon/isakmp_agg.c
projects / apple / ipsec.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
ipsec-92.tar.gz
[apple/ipsec.git] / ipsec-tools / racoon / isakmp_agg.c
1 /* $NetBSD: isakmp_agg.c,v 1.9 2006/09/30 21:49:37 manu Exp $ */
2
3 /* Id: isakmp_agg.c,v 1.28 2006/04/06 16:46:08 manubsd Exp */
4
5 /*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 /* Aggressive Exchange (Aggressive Mode) */
35
36 #include "config.h"
37
38 #include <sys/types.h>
39 #include <sys/param.h>
40
41 #include <stdlib.h>
42 #include <stdio.h>
43 #include <string.h>
44 #include <errno.h>
45 #if TIME_WITH_SYS_TIME
46 # include <sys/time.h>
47 # include <time.h>
48 #else
49 # if HAVE_SYS_TIME_H
50 # include <sys/time.h>
51 # else
52 # include <time.h>
53 # endif
54 #endif
55
56 #include "var.h"
57 #include "misc.h"
58 #include "vmbuf.h"
59 #include "plog.h"
60 #include "sockmisc.h"
61 #include "schedule.h"
62 #include "debug.h"
63
64 #ifdef ENABLE_HYBRID
65 #include <resolv.h>
66 #endif
67
68 #include "localconf.h"
69 #include "remoteconf.h"
70 #include "isakmp_var.h"
71 #include "isakmp.h"
72 #include "evt.h"
73 #include "oakley.h"
74 #include "handler.h"
75 #include "ipsec_doi.h"
76 #include "crypto_openssl.h"
77 #include "pfkey.h"
78 #include "isakmp_agg.h"
79 #include "isakmp_inf.h"
80 #ifdef ENABLE_HYBRID
81 #include "isakmp_xauth.h"
82 #include "isakmp_cfg.h"
83 #endif
84 #ifdef ENABLE_FRAG
85 #include "isakmp_frag.h"
86 #endif
87 #include "vendorid.h"
88 #include "strnames.h"
89
90 #ifdef ENABLE_NATT
91 #include "nattraversal.h"
92 #endif
93
94 #ifdef HAVE_GSSAPI
95 #include "gssapi.h"
96 #endif
97
98 #include "vpn_control.h"
99 #include "vpn_control_var.h"
100 #include "ipsecSessionTracer.h"
101 #include "ipsecMessageTracer.h"
102
103 /*
104 * begin Aggressive Mode as initiator.
105 */
106 /*
107 * send to responder
108 * psk: HDR, SA, KE, Ni, IDi1
109 * sig: HDR, SA, KE, Ni, IDi1 [, CR ]
110 * gssapi: HDR, SA, KE, Ni, IDi1, GSSi
111 * rsa: HDR, SA, [ HASH(1),] KE, <IDi1_b>Pubkey_r, <Ni_b>Pubkey_r
112 * rev: HDR, SA, [ HASH(1),] <Ni_b>Pubkey_r, <KE_b>Ke_i,
113 * <IDii_b>Ke_i [, <Cert-I_b>Ke_i ]
114 */
115 int
116 agg_i1send(iph1, msg)
117 struct ph1handle *iph1;
118 vchar_t *msg; /* must be null */
119 {
120 struct payload_list *plist = NULL;
121 int need_cr = 0;
122 vchar_t *cr = NULL;
123 int error = -1;
124 #ifdef ENABLE_NATT
125 vchar_t *vid_natt[MAX_NATT_VID_COUNT] = { NULL };
126 int i;
127 #endif
128 #ifdef ENABLE_HYBRID
129 vchar_t *vid_xauth = NULL;
130 vchar_t *vid_unity = NULL;
131 #endif
132 #ifdef ENABLE_FRAG
133 vchar_t *vid_frag = NULL;
134 #endif
135 #ifdef HAVE_GSSAPI
136 vchar_t *gsstoken = NULL;
137 int len;
138 #endif
139 #ifdef ENABLE_DPD
140 vchar_t *vid_dpd = NULL;
141 #endif
142
143
144 /* validity check */
145 if (msg != NULL) {
146 plog(LLV_ERROR, LOCATION, NULL,
147 "msg has to be NULL in this function.\n");
148 goto end;
149 }
150 if (iph1->status != PHASE1ST_START) {
151 plog(LLV_ERROR, LOCATION, NULL,
152 "status mismatched %d.\n", iph1->status);
153 goto end;
154 }
155
156 /* create isakmp index */
157 memset(&iph1->index, 0, sizeof(iph1->index));
158 isakmp_newcookie((caddr_t)&iph1->index, iph1->remote, iph1->local);
159
160 /* make ID payload into isakmp status */
161 if (ipsecdoi_setid1(iph1) < 0) {
162 plog(LLV_ERROR, LOCATION, NULL,
163 "failed to set ID");
164 goto end;
165 }
166
167 /* create SA payload for my proposal */
168 iph1->sa = ipsecdoi_setph1proposal(iph1->rmconf->proposal);
169 if (iph1->sa == NULL) {
170 plog(LLV_ERROR, LOCATION, NULL,
171 "failed to set proposal");
172 goto end;
173 }
174
175 /* consistency check of proposals */
176 if (iph1->rmconf->dhgrp == NULL) {
177 plog(LLV_ERROR, LOCATION, NULL,
178 "configuration failure about DH group.\n");
179 goto end;
180 }
181
182 /* generate DH public value */
183 if (oakley_dh_generate(iph1->rmconf->dhgrp,
184 &iph1->dhpub, &iph1->dhpriv) < 0) {
185 plog(LLV_ERROR, LOCATION, NULL,
186 "failed to generate DH");
187 goto end;
188 }
189
190 /* generate NONCE value */
191 iph1->nonce = eay_set_random(iph1->rmconf->nonce_size);
192 if (iph1->nonce == NULL) {
193 plog(LLV_ERROR, LOCATION, NULL,
194 "failed to generate NONCE");
195 goto end;
196 }
197
198 #ifdef ENABLE_HYBRID
199 /* Do we need Xauth VID? */
200 switch (RMAUTHMETHOD(iph1)) {
201 case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
202 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
203 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
204 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
205 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
206 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
207 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
208 if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL)
209 plog(LLV_ERROR, LOCATION, NULL,
210 "Xauth vendor ID generation failed\n");
211 if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL)
212 plog(LLV_ERROR, LOCATION, NULL,
213 "Unity vendor ID generation failed\n");
214 break;
215 default:
216 break;
217 }
218 #endif
219
220 #ifdef ENABLE_FRAG
221 if (iph1->rmconf->ike_frag) {
222 vid_frag = set_vendorid(VENDORID_FRAG);
223 if (vid_frag != NULL)
224 vid_frag = isakmp_frag_addcap(vid_frag,
225 VENDORID_FRAG_AGG);
226 if (vid_frag == NULL)
227 plog(LLV_ERROR, LOCATION, NULL,
228 "Frag vendorID construction failed\n");
229 }
230 #endif
231
232 /* create CR if need */
233 if (iph1->rmconf->send_cr
234 && oakley_needcr(iph1->rmconf->proposal->authmethod)
235 && iph1->rmconf->peerscertfile == NULL) {
236 need_cr = 1;
237 cr = oakley_getcr(iph1);
238 if (cr == NULL) {
239 plog(LLV_ERROR, LOCATION, NULL,
240 "failed to get CR");
241 goto end;
242 }
243 }
244
245 plog(LLV_DEBUG, LOCATION, NULL, "authmethod is %s\n",
246 s_oakley_attr_method(iph1->rmconf->proposal->authmethod));
247 #ifdef HAVE_GSSAPI
248 if (RMAUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB)
249 gssapi_get_itoken(iph1, &len);
250 #endif
251
252 /* set SA payload to propose */
253 plist = isakmp_plist_append(plist, iph1->sa, ISAKMP_NPTYPE_SA);
254
255 /* create isakmp KE payload */
256 plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE);
257
258 /* create isakmp NONCE payload */
259 plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE);
260
261 /* create isakmp ID payload */
262 plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
263
264 #ifdef HAVE_GSSAPI
265 if (RMAUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) {
266 gssapi_get_token_to_send(iph1, &gsstoken);
267 plist = isakmp_plist_append(plist, gsstoken, ISAKMP_NPTYPE_GSS);
268 }
269 #endif
270 /* create isakmp CR payload */
271 if (need_cr)
272 plist = isakmp_plist_append(plist, cr, ISAKMP_NPTYPE_CR);
273
274 #ifdef ENABLE_FRAG
275 if (vid_frag)
276 plist = isakmp_plist_append(plist, vid_frag, ISAKMP_NPTYPE_VID);
277 #endif
278 #ifdef ENABLE_NATT
279 /*
280 * set VID payload for NAT-T if NAT-T
281 * support allowed in the config file
282 */
283 if (iph1->rmconf->nat_traversal)
284 plist = isakmp_plist_append_natt_vids(plist, vid_natt);
285 #endif
286 #ifdef ENABLE_HYBRID
287 if (vid_xauth)
288 plist = isakmp_plist_append(plist,
289 vid_xauth, ISAKMP_NPTYPE_VID);
290 if (vid_unity)
291 plist = isakmp_plist_append(plist,
292 vid_unity, ISAKMP_NPTYPE_VID);
293 #endif
294 #ifdef ENABLE_DPD
295 if(iph1->rmconf->dpd){
296 vid_dpd = set_vendorid(VENDORID_DPD);
297 if (vid_dpd != NULL)
298 plist = isakmp_plist_append(plist, vid_dpd, ISAKMP_NPTYPE_VID);
299 }
300 #endif
301
302 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
303
304 #ifdef HAVE_PRINT_ISAKMP_C
305 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
306 #endif
307
308 /* send the packet, add to the schedule to resend */
309 iph1->retry_counter = iph1->rmconf->retry_counter;
310 if (isakmp_ph1resend(iph1) == -1) {
311 plog(LLV_ERROR, LOCATION, NULL,
312 "failed to send packet");
313 goto end;
314 }
315
316 iph1->status = PHASE1ST_MSG1SENT;
317
318 error = 0;
319
320 IPSECSESSIONTRACEREVENT(iph1->parent_session,
321 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
322 CONSTSTR("Initiator, Aggressive-Mode message 1"),
323 CONSTSTR(NULL));
324
325 end:
326 if (error) {
327 IPSECSESSIONTRACEREVENT(iph1->parent_session,
328 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
329 CONSTSTR("Initiator, Aggressive-Mode Message 1"),
330 CONSTSTR("Failed to transmit Aggressive-Mode Message 1"));
331 }
332 if (cr)
333 vfree(cr);
334 #ifdef HAVE_GSSAPI
335 if (gsstoken)
336 vfree(gsstoken);
337 #endif
338 #ifdef ENABLE_FRAG
339 if (vid_frag)
340 vfree(vid_frag);
341 #endif
342 #ifdef ENABLE_NATT
343 for (i = 0; i < MAX_NATT_VID_COUNT && vid_natt[i] != NULL; i++)
344 vfree(vid_natt[i]);
345 #endif
346 #ifdef ENABLE_HYBRID
347 if (vid_xauth != NULL)
348 vfree(vid_xauth);
349 if (vid_unity != NULL)
350 vfree(vid_unity);
351 #endif
352 #ifdef ENABLE_DPD
353 if (vid_dpd != NULL)
354 vfree(vid_dpd);
355 #endif
356
357 return error;
358 }
359
360 /*
361 * receive from responder
362 * psk: HDR, SA, KE, Nr, IDr1, HASH_R
363 * sig: HDR, SA, KE, Nr, IDr1, [ CR, ] [ CERT, ] SIG_R
364 * gssapi: HDR, SA, KE, Nr, IDr1, GSSr, HASH_R
365 * rsa: HDR, SA, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i, HASH_R
366 * rev: HDR, SA, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDir_b>Ke_r, HASH_R
367 */
368 int
369 agg_i2recv(iph1, msg)
370 struct ph1handle *iph1;
371 vchar_t *msg;
372 {
373 vchar_t *pbuf = NULL;
374 struct isakmp_parse_t *pa;
375 vchar_t *satmp = NULL;
376 int error = -1;
377 int vid_numeric;
378 int ptype;
379 #ifdef ENABLE_HYBRID
380 vchar_t *unity_vid;
381 vchar_t *xauth_vid;
382 #endif
383 #ifdef HAVE_GSSAPI
384 vchar_t *gsstoken = NULL;
385 #endif
386
387 #ifdef ENABLE_NATT
388 int natd_seq = 0;
389 struct natd_payload {
390 int seq;
391 vchar_t *payload;
392 TAILQ_ENTRY(natd_payload) chain;
393 };
394 TAILQ_HEAD(_natd_payload, natd_payload) natd_tree;
395 TAILQ_INIT(&natd_tree);
396 #endif
397
398 /* validity check */
399 if (iph1->status != PHASE1ST_MSG1SENT) {
400 plog(LLV_ERROR, LOCATION, NULL,
401 "status mismatched %d.\n", iph1->status);
402 goto end;
403 }
404
405 /* validate the type of next payload */
406 pbuf = isakmp_parse(msg);
407 if (pbuf == NULL) {
408 plog(LLV_ERROR, LOCATION, NULL,
409 "failed to parse msg");
410 goto end;
411 }
412 pa = (struct isakmp_parse_t *)pbuf->v;
413
414 iph1->pl_hash = NULL;
415
416 /* SA payload is fixed postion */
417 if (pa->type != ISAKMP_NPTYPE_SA) {
418 plog(LLV_ERROR, LOCATION, iph1->remote,
419 "received invalid next payload type %d, "
420 "expecting %d.\n",
421 pa->type, ISAKMP_NPTYPE_SA);
422 goto end;
423 }
424
425 if (isakmp_p2ph(&satmp, pa->ptr) < 0) {
426 plog(LLV_ERROR, LOCATION, NULL,
427 "failed to process SA payload");
428 goto end;
429 }
430 pa++;
431
432 for (/*nothing*/;
433 pa->type != ISAKMP_NPTYPE_NONE;
434 pa++) {
435
436 switch (pa->type) {
437 case ISAKMP_NPTYPE_KE:
438 if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) {
439 plog(LLV_ERROR, LOCATION, NULL,
440 "failed to process KE payload");
441 goto end;
442 }
443 break;
444 case ISAKMP_NPTYPE_NONCE:
445 if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) {
446 plog(LLV_ERROR, LOCATION, NULL,
447 "failed to process NONCE payload");
448 goto end;
449 }
450 break;
451 case ISAKMP_NPTYPE_ID:
452 if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) {
453 plog(LLV_ERROR, LOCATION, NULL,
454 "failed to process ID payload");
455 goto end;
456 }
457 break;
458 case ISAKMP_NPTYPE_HASH:
459 iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr;
460 break;
461 case ISAKMP_NPTYPE_CR:
462 if (oakley_savecr(iph1, pa->ptr) < 0) {
463 plog(LLV_ERROR, LOCATION, NULL,
464 "failed to process CR payload");
465 goto end;
466 }
467 break;
468 case ISAKMP_NPTYPE_CERT:
469 if (oakley_savecert(iph1, pa->ptr) < 0) {
470 plog(LLV_ERROR, LOCATION, NULL,
471 "failed to process CERT payload");
472 goto end;
473 }
474 break;
475 case ISAKMP_NPTYPE_SIG:
476 if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) {
477 plog(LLV_ERROR, LOCATION, NULL,
478 "failed to process SIG payload");
479 goto end;
480 }
481 break;
482 case ISAKMP_NPTYPE_VID:
483 vid_numeric = check_vendorid(pa->ptr);
484 #ifdef ENABLE_NATT
485 if (iph1->rmconf->nat_traversal &&
486 natt_vendorid(vid_numeric))
487 natt_handle_vendorid(iph1, vid_numeric);
488 #endif
489 #ifdef ENABLE_HYBRID
490 switch (vid_numeric) {
491 case VENDORID_XAUTH:
492 iph1->mode_cfg->flags |=
493 ISAKMP_CFG_VENDORID_XAUTH;
494 break;
495
496 case VENDORID_UNITY:
497 iph1->mode_cfg->flags |=
498 ISAKMP_CFG_VENDORID_UNITY;
499 break;
500 default:
501 break;
502 }
503 #endif
504 #ifdef ENABLE_DPD
505 if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd) {
506 iph1->dpd_support=1;
507 plog(LLV_DEBUG, LOCATION, NULL,
508 "remote supports DPD\n");
509 }
510 #endif
511 break;
512 case ISAKMP_NPTYPE_N:
513 isakmp_check_notify(pa->ptr, iph1);
514 break;
515 #ifdef HAVE_GSSAPI
516 case ISAKMP_NPTYPE_GSS:
517 if (isakmp_p2ph(&gsstoken, pa->ptr) < 0) {
518 plog(LLV_ERROR, LOCATION, NULL,
519 "failed to process GSS payload");
520 goto end;
521 }
522 gssapi_save_received_token(iph1, gsstoken);
523 break;
524 #endif
525
526 #ifdef ENABLE_NATT
527 case ISAKMP_NPTYPE_NATD_DRAFT:
528 case ISAKMP_NPTYPE_NATD_RFC:
529 #ifdef __APPLE__
530 case ISAKMP_NPTYPE_NATD_BADDRAFT:
531 #endif
532 if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL &&
533 pa->type == iph1->natt_options->payload_nat_d) {
534 struct natd_payload *natd;
535 natd = (struct natd_payload *)racoon_malloc(sizeof(*natd));
536 if (!natd) {
537 plog(LLV_ERROR, LOCATION, NULL,
538 "failed to pre-process NATD payload");
539 goto end;
540 }
541
542 natd->payload = NULL;
543
544 if (isakmp_p2ph (&natd->payload, pa->ptr) < 0) {
545 plog(LLV_ERROR, LOCATION, NULL,
546 "failed to process NATD payload");
547 goto end;
548 }
549
550 natd->seq = natd_seq++;
551
552 TAILQ_INSERT_TAIL(&natd_tree, natd, chain);
553 break;
554 }
555 /* %%% Be lenient here - some servers send natd payloads */
556 /* when nat not detected */
557 break;
558 #endif
559
560 default:
561 /* don't send information, see isakmp_ident_r1() */
562 plog(LLV_ERROR, LOCATION, iph1->remote,
563 "ignore the packet, "
564 "received unexpecting payload type %d.\n",
565 pa->type);
566 goto end;
567 }
568 }
569
570 /* payload existency check */
571 if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) {
572 plog(LLV_ERROR, LOCATION, iph1->remote,
573 "few isakmp message received.\n");
574 goto end;
575 }
576
577 /* verify identifier */
578 if (ipsecdoi_checkid1(iph1) != 0) {
579 plog(LLV_ERROR, LOCATION, iph1->remote,
580 "invalid ID payload.\n");
581 goto end;
582 }
583
584 /* check SA payload and set approval SA for use */
585 if (ipsecdoi_checkph1proposal(satmp, iph1) < 0) {
586 plog(LLV_ERROR, LOCATION, iph1->remote,
587 "failed to get valid proposal.\n");
588 /* XXX send information */
589 goto end;
590 }
591 VPTRINIT(iph1->sa_ret);
592
593 /* fix isakmp index */
594 memcpy(&iph1->index.r_ck, &((struct isakmp *)msg->v)->r_ck,
595 sizeof(cookie_t));
596
597 #ifdef ENABLE_NATT
598 if (NATT_AVAILABLE(iph1)) {
599 struct natd_payload *natd = NULL;
600 int natd_verified;
601
602 plog(LLV_INFO, LOCATION, iph1->remote,
603 "Selected NAT-T version: %s\n",
604 vid_string_by_id(iph1->natt_options->version));
605
606 /* set both bits first so that we can clear them
607 upon verifying hashes */
608 iph1->natt_flags |= NAT_DETECTED;
609
610 while ((natd = TAILQ_FIRST(&natd_tree)) != NULL) {
611 /* this function will clear appropriate bits bits
612 from iph1->natt_flags */
613 natd_verified = natt_compare_addr_hash (iph1,
614 natd->payload, natd->seq);
615
616 plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n",
617 natd->seq - 1,
618 natd_verified ? "verified" : "doesn't match");
619
620 vfree (natd->payload);
621
622 TAILQ_REMOVE(&natd_tree, natd, chain);
623 racoon_free (natd);
624 }
625
626 plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n",
627 iph1->natt_flags & NAT_DETECTED ?
628 "detected:" : "not detected",
629 iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "",
630 iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : "");
631
632 if (iph1->natt_flags & NAT_DETECTED)
633 natt_float_ports (iph1);
634 }
635 #endif
636
637 /* compute sharing secret of DH */
638 if (oakley_dh_compute(iph1->rmconf->dhgrp, iph1->dhpub,
639 iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) {
640 plog(LLV_ERROR, LOCATION, NULL,
641 "failed to compute DH");
642 goto end;
643 }
644
645 /* generate SKEYIDs & IV & final cipher key */
646 if (oakley_skeyid(iph1) < 0) {
647 plog(LLV_ERROR, LOCATION, NULL,
648 "failed to generate SKEYID");
649 goto end;
650 }
651 if (oakley_skeyid_dae(iph1) < 0) {
652 plog(LLV_ERROR, LOCATION, NULL,
653 "failed to generate SKEYID-DAE");
654 goto end;
655 }
656 if (oakley_compute_enckey(iph1) < 0) {
657 plog(LLV_ERROR, LOCATION, NULL,
658 "failed to generate ENCKEY");
659 goto end;
660 }
661 if (oakley_newiv(iph1) < 0) {
662 plog(LLV_ERROR, LOCATION, NULL,
663 "failed to generate IV");
664 goto end;
665 }
666
667 /* validate authentication value */
668 ptype = oakley_validate_auth(iph1);
669 if (ptype != 0) {
670 IPSECSESSIONTRACEREVENT(iph1->parent_session,
671 IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_FAIL,
672 CONSTSTR("Initiator, Aggressive-Mode Message 2"),
673 CONSTSTR("Failed to authenticate, Aggressive-Mode Message 2"));
674 if (ptype == -1) {
675 /* message printed inner oakley_validate_auth() */
676 goto end;
677 }
678 EVT_PUSH(iph1->local, iph1->remote,
679 EVTT_PEERPH1AUTH_FAILED, NULL);
680 isakmp_info_send_n1(iph1, ptype, NULL);
681 goto end;
682 }
683 IPSECSESSIONTRACEREVENT(iph1->parent_session,
684 IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_SUCC,
685 CONSTSTR("Initiator, Aggressive-Mode Message 2"),
686 CONSTSTR(NULL));
687
688 if (oakley_checkcr(iph1) < 0) {
689 /* Ignore this error in order to be interoperability. */
690 ;
691 }
692
693 /* change status of isakmp status entry */
694 iph1->status = PHASE1ST_MSG2RECEIVED;
695
696 #ifdef ENABLE_VPNCONTROL_PORT
697 vpncontrol_notify_phase_change(1, FROM_REMOTE, iph1, NULL);
698 #endif
699
700 error = 0;
701
702 IPSECSESSIONTRACEREVENT(iph1->parent_session,
703 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
704 CONSTSTR("Initiator, Aggressive-Mode message 2"),
705 CONSTSTR(NULL));
706
707 end:
708 if (error) {
709 IPSECSESSIONTRACEREVENT(iph1->parent_session,
710 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
711 CONSTSTR("Initiator, Aggressive-Mode Message 2"),
712 CONSTSTR("Failure processing Aggressive-Mode Message 2"));
713 }
714 #ifdef HAVE_GSSAPI
715 if (gsstoken)
716 vfree(gsstoken);
717 #endif
718 if (pbuf)
719 vfree(pbuf);
720 if (satmp)
721 vfree(satmp);
722 if (error) {
723 VPTRINIT(iph1->dhpub_p);
724 VPTRINIT(iph1->nonce_p);
725 VPTRINIT(iph1->id_p);
726 oakley_delcert(iph1->cert_p);
727 iph1->cert_p = NULL;
728 oakley_delcert(iph1->crl_p);
729 iph1->crl_p = NULL;
730 VPTRINIT(iph1->sig_p);
731 oakley_delcert(iph1->cr_p);
732 iph1->cr_p = NULL;
733 }
734
735 return error;
736 }
737
738 /*
739 * send to responder
740 * psk: HDR, HASH_I
741 * gssapi: HDR, HASH_I
742 * sig: HDR, [ CERT, ] SIG_I
743 * rsa: HDR, HASH_I
744 * rev: HDR, HASH_I
745 */
746 int
747 agg_i2send(iph1, msg)
748 struct ph1handle *iph1;
749 vchar_t *msg;
750 {
751 struct payload_list *plist = NULL;
752 int need_cert = 0;
753 int error = -1;
754 vchar_t *gsshash = NULL;
755 #ifdef ENABLE_NATT
756 vchar_t *natd[2] = { NULL, NULL };
757 #endif
758 vchar_t *notp_unity = NULL;
759 vchar_t *notp_ini = NULL;
760
761 /* validity check */
762 if (iph1->status != PHASE1ST_MSG2RECEIVED) {
763 plog(LLV_ERROR, LOCATION, NULL,
764 "status mismatched %d.\n", iph1->status);
765 goto end;
766 }
767
768 /* generate HASH to send */
769 plog(LLV_DEBUG, LOCATION, NULL, "generate HASH_I\n");
770 iph1->hash = oakley_ph1hash_common(iph1, GENERATE);
771 if (iph1->hash == NULL) {
772 #ifdef HAVE_GSSAPI
773 if (gssapi_more_tokens(iph1) &&
774 #ifdef ENABLE_HYBRID
775 !iph1->rmconf->xauth &&
776 #endif
777 1)
778 isakmp_info_send_n1(iph1,
779 ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, NULL);
780 #endif
781 plog(LLV_ERROR, LOCATION, NULL,
782 "failed to generate HASH");
783 goto end;
784 }
785
786 switch (AUTHMETHOD(iph1)) {
787 case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
788 #ifdef ENABLE_HYBRID
789 case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
790 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
791 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
792 #endif
793 /* set HASH payload */
794 plist = isakmp_plist_append(plist,
795 iph1->hash, ISAKMP_NPTYPE_HASH);
796 break;
797
798 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
799 case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
800 #ifdef ENABLE_HYBRID
801 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
802 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
803 #endif
804 /* XXX if there is CR or not ? */
805
806 if (oakley_getmycert(iph1) < 0) {
807 plog(LLV_ERROR, LOCATION, NULL,
808 "failed to get mycert");
809 goto end;
810 }
811
812 if (oakley_getsign(iph1) < 0) {
813 plog(LLV_ERROR, LOCATION, NULL,
814 "failed to get sign");
815 goto end;
816 }
817
818 if (iph1->cert != NULL && iph1->rmconf->send_cert)
819 need_cert = 1;
820
821 /* add CERT payload if there */
822 if (need_cert)
823 plist = isakmp_plist_append(plist, iph1->cert->pl, ISAKMP_NPTYPE_CERT);
824
825 /* add SIG payload */
826 plist = isakmp_plist_append(plist, iph1->sig, ISAKMP_NPTYPE_SIG);
827 break;
828
829 case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
830 case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
831 #ifdef ENABLE_HYBRID
832 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
833 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
834 #endif
835 break;
836 #ifdef HAVE_GSSAPI
837 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
838 gsshash = gssapi_wraphash(iph1);
839 if (gsshash == NULL) {
840 plog(LLV_ERROR, LOCATION, NULL,
841 "failed to get GSS hash\n");
842 isakmp_info_send_n1(iph1,
843 ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, NULL);
844 goto end;
845 }
846
847 plist = isakmp_plist_append(plist, gsshash, ISAKMP_NPTYPE_HASH);
848 break;
849 #endif
850 }
851
852 #ifdef ENABLE_NATT
853 /* generate NAT-D payloads */
854 if (NATT_AVAILABLE(iph1)) {
855 plog (LLV_INFO, LOCATION, NULL, "Adding remote and local NAT-D payloads.\n");
856 if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) {
857 plog(LLV_ERROR, LOCATION, NULL,
858 "NAT-D hashing failed for %s\n", saddr2str(iph1->remote));
859 goto end;
860 }
861
862 if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) {
863 plog(LLV_ERROR, LOCATION, NULL,
864 "NAT-D hashing failed for %s\n", saddr2str(iph1->local));
865 goto end;
866 }
867
868 #ifdef __APPLE__
869 /* old Apple version sends natd payloads in the wrong order */
870 if (iph1->natt_options->version == VENDORID_NATT_APPLE) {
871 plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
872 plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
873 } else
874 #endif
875 {
876 plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
877 plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
878 }
879 }
880 #endif
881
882
883 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
884
885 #ifdef HAVE_PRINT_ISAKMP_C
886 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
887 #endif
888
889
890 /* send to responder */
891 if (isakmp_send(iph1, iph1->sendbuf) < 0) {
892 plog(LLV_ERROR, LOCATION, NULL,
893 "failed to send packet");
894 goto end;
895 }
896
897 /* the sending message is added to the received-list. */
898 if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
899 PH1_NON_ESP_EXTRA_LEN(iph1)) == -1) {
900 plog(LLV_ERROR , LOCATION, NULL,
901 "failed to add a response packet to the tree.\n");
902 goto end;
903 }
904
905 /* set encryption flag */
906 iph1->flags |= ISAKMP_FLAG_E;
907
908 iph1->status = PHASE1ST_ESTABLISHED;
909
910 IPSECSESSIONTRACEREVENT(iph1->parent_session,
911 IPSECSESSIONEVENTCODE_IKEV1_PH1_INIT_SUCC,
912 CONSTSTR("Initiator, Aggressive-Mode"),
913 CONSTSTR(NULL));
914
915 error = 0;
916
917 IPSECSESSIONTRACEREVENT(iph1->parent_session,
918 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
919 CONSTSTR("Initiator, Aggressive-Mode message 3"),
920 CONSTSTR(NULL));
921
922 end:
923 if (error) {
924 IPSECSESSIONTRACEREVENT(iph1->parent_session,
925 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
926 CONSTSTR("Initiator, Aggressive-Mode Message 3"),
927 CONSTSTR("Failed to transmit Aggressive-Mode Message 3"));
928 }
929 #ifdef ENABLE_NATT
930 if (natd[0])
931 vfree(natd[0]);
932 if (natd[1])
933 vfree(natd[1]);
934 #endif
935 if (notp_unity)
936 vfree(notp_unity);
937 if (notp_ini)
938 vfree(notp_ini);
939 if (gsshash)
940 vfree(gsshash);
941 return error;
942 }
943
944 /*
945 * receive from initiator
946 * psk: HDR, SA, KE, Ni, IDi1
947 * sig: HDR, SA, KE, Ni, IDi1 [, CR ]
948 * gssapi: HDR, SA, KE, Ni, IDi1 , GSSi
949 * rsa: HDR, SA, [ HASH(1),] KE, <IDi1_b>Pubkey_r, <Ni_b>Pubkey_r
950 * rev: HDR, SA, [ HASH(1),] <Ni_b>Pubkey_r, <KE_b>Ke_i,
951 * <IDii_b>Ke_i [, <Cert-I_b>Ke_i ]
952 */
953 int
954 agg_r1recv(iph1, msg)
955 struct ph1handle *iph1;
956 vchar_t *msg;
957 {
958 int error = -1;
959 vchar_t *pbuf = NULL;
960 struct isakmp_parse_t *pa;
961 int vid_numeric;
962 #ifdef HAVE_GSSAPI
963 vchar_t *gsstoken = NULL;
964 #endif
965
966 /* validity check */
967 if (iph1->status != PHASE1ST_START) {
968 plog(LLV_ERROR, LOCATION, NULL,
969 "status mismatched %d.\n", iph1->status);
970 goto end;
971 }
972
973 /* validate the type of next payload */
974 pbuf = isakmp_parse(msg);
975 if (pbuf == NULL) {
976 plog(LLV_ERROR, LOCATION, NULL,
977 "failed to parse msg");
978 goto end;
979 }
980 pa = (struct isakmp_parse_t *)pbuf->v;
981
982 /* SA payload is fixed postion */
983 if (pa->type != ISAKMP_NPTYPE_SA) {
984 plog(LLV_ERROR, LOCATION, iph1->remote,
985 "received invalid next payload type %d, "
986 "expecting %d.\n",
987 pa->type, ISAKMP_NPTYPE_SA);
988 goto end;
989 }
990 if (isakmp_p2ph(&iph1->sa, pa->ptr) < 0) {
991 plog(LLV_ERROR, LOCATION, NULL,
992 "failed to process SA payload");
993 goto end;
994 }
995 pa++;
996
997 for (/*nothing*/;
998 pa->type != ISAKMP_NPTYPE_NONE;
999 pa++) {
1000
1001 plog(LLV_DEBUG, LOCATION, NULL,
1002 "received payload of type %s\n",
1003 s_isakmp_nptype(pa->type));
1004
1005 switch (pa->type) {
1006 case ISAKMP_NPTYPE_KE:
1007 if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) {
1008 plog(LLV_ERROR, LOCATION, NULL,
1009 "failed to process KE payload");
1010 goto end;
1011 }
1012 break;
1013 case ISAKMP_NPTYPE_NONCE:
1014 if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) {
1015 plog(LLV_ERROR, LOCATION, NULL,
1016 "failed to process NONCE payload");
1017 goto end;
1018 }
1019 break;
1020 case ISAKMP_NPTYPE_ID:
1021 if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) {
1022 plog(LLV_ERROR, LOCATION, NULL,
1023 "failed to process ID payload");
1024 goto end;
1025 }
1026 break;
1027 case ISAKMP_NPTYPE_VID:
1028 vid_numeric = check_vendorid(pa->ptr);
1029
1030 #ifdef ENABLE_NATT
1031 if (iph1->rmconf->nat_traversal &&
1032 natt_vendorid(vid_numeric)) {
1033 natt_handle_vendorid(iph1, vid_numeric);
1034 break;
1035 }
1036 #endif
1037 #ifdef ENABLE_HYBRID
1038 switch (vid_numeric) {
1039 case VENDORID_XAUTH:
1040 iph1->mode_cfg->flags |=
1041 ISAKMP_CFG_VENDORID_XAUTH;
1042 break;
1043
1044 case VENDORID_UNITY:
1045 iph1->mode_cfg->flags |=
1046 ISAKMP_CFG_VENDORID_UNITY;
1047 break;
1048 default:
1049 break;
1050 }
1051 #endif
1052 #ifdef ENABLE_DPD
1053 if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd) {
1054 iph1->dpd_support=1;
1055 plog(LLV_DEBUG, LOCATION, NULL,
1056 "remote supports DPD\n");
1057 }
1058 #endif
1059 #ifdef ENABLE_FRAG
1060 if ((vid_numeric == VENDORID_FRAG) &&
1061 (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_AGG))
1062 iph1->frag = 1;
1063 #endif
1064 break;
1065
1066 case ISAKMP_NPTYPE_CR:
1067 if (oakley_savecr(iph1, pa->ptr) < 0) {
1068 plog(LLV_ERROR, LOCATION, NULL,
1069 "failed to process CR payload");
1070 goto end;
1071 }
1072 break;
1073
1074 #ifdef HAVE_GSSAPI
1075 case ISAKMP_NPTYPE_GSS:
1076 if (isakmp_p2ph(&gsstoken, pa->ptr) < 0) {
1077 plog(LLV_ERROR, LOCATION, NULL,
1078 "failed to process GSS payload");
1079 goto end;
1080 }
1081 gssapi_save_received_token(iph1, gsstoken);
1082 break;
1083 #endif
1084 default:
1085 /* don't send information, see isakmp_ident_r1() */
1086 plog(LLV_ERROR, LOCATION, iph1->remote,
1087 "ignore the packet, "
1088 "received unexpecting payload type %d.\n",
1089 pa->type);
1090 goto end;
1091 }
1092 }
1093
1094 /* payload existency check */
1095 if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) {
1096 plog(LLV_ERROR, LOCATION, iph1->remote,
1097 "few isakmp message received.\n");
1098 goto end;
1099 }
1100
1101 /* verify identifier */
1102 if (ipsecdoi_checkid1(iph1) != 0) {
1103 plog(LLV_ERROR, LOCATION, iph1->remote,
1104 "invalid ID payload.\n");
1105 goto end;
1106 }
1107
1108 #ifdef ENABLE_NATT
1109 if (NATT_AVAILABLE(iph1))
1110 plog(LLV_INFO, LOCATION, iph1->remote,
1111 "Selected NAT-T version: %s\n",
1112 vid_string_by_id(iph1->natt_options->version));
1113 #endif
1114
1115 /* check SA payload and set approval SA for use */
1116 if (ipsecdoi_checkph1proposal(iph1->sa, iph1) < 0) {
1117 plog(LLV_ERROR, LOCATION, iph1->remote,
1118 "failed to get valid proposal.\n");
1119 /* XXX send information */
1120 goto end;
1121 }
1122
1123 if (oakley_checkcr(iph1) < 0) {
1124 /* Ignore this error in order to be interoperability. */
1125 ;
1126 }
1127
1128 iph1->status = PHASE1ST_MSG1RECEIVED;
1129
1130 error = 0;
1131
1132 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1133 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
1134 CONSTSTR("Responder, Aggressive-Mode message 1"),
1135 CONSTSTR(NULL));
1136
1137 end:
1138 if (error) {
1139 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1140 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
1141 CONSTSTR("Responder, Aggressive-Mode Message 1"),
1142 CONSTSTR("Failed to process Aggressive-Mode Message 1"));
1143 }
1144 #ifdef HAVE_GSSAPI
1145 if (gsstoken)
1146 vfree(gsstoken);
1147 #endif
1148 if (pbuf)
1149 vfree(pbuf);
1150 if (error) {
1151 VPTRINIT(iph1->sa);
1152 VPTRINIT(iph1->dhpub_p);
1153 VPTRINIT(iph1->nonce_p);
1154 VPTRINIT(iph1->id_p);
1155 oakley_delcert(iph1->cr_p);
1156 iph1->cr_p = NULL;
1157 }
1158
1159 return error;
1160 }
1161
1162 /*
1163 * send to initiator
1164 * psk: HDR, SA, KE, Nr, IDr1, HASH_R
1165 * sig: HDR, SA, KE, Nr, IDr1, [ CR, ] [ CERT, ] SIG_R
1166 * gssapi: HDR, SA, KE, Nr, IDr1, GSSr, HASH_R
1167 * rsa: HDR, SA, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i, HASH_R
1168 * rev: HDR, SA, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDir_b>Ke_r, HASH_R
1169 */
1170 int
1171 agg_r1send(iph1, msg)
1172 struct ph1handle *iph1;
1173 vchar_t *msg;
1174 {
1175 struct payload_list *plist = NULL;
1176 int need_cr = 0;
1177 int need_cert = 0;
1178 vchar_t *cr = NULL;
1179 int error = -1;
1180 #ifdef ENABLE_HYBRID
1181 vchar_t *xauth_vid = NULL;
1182 vchar_t *unity_vid = NULL;
1183 #endif
1184 #ifdef ENABLE_NATT
1185 vchar_t *vid_natt = NULL;
1186 vchar_t *natd[2] = { NULL, NULL };
1187 #endif
1188 #ifdef ENABLE_DPD
1189 vchar_t *vid_dpd = NULL;
1190 #endif
1191 #ifdef ENABLE_FRAG
1192 vchar_t *vid_frag = NULL;
1193 #endif
1194
1195 #ifdef HAVE_GSSAPI
1196 int gsslen;
1197 vchar_t *gsstoken = NULL, *gsshash = NULL;
1198 vchar_t *gss_sa = NULL;
1199 int free_gss_sa = 0;
1200 #endif
1201
1202 /* validity check */
1203 if (iph1->status != PHASE1ST_MSG1RECEIVED) {
1204 plog(LLV_ERROR, LOCATION, NULL,
1205 "status mismatched %d.\n", iph1->status);
1206 goto end;
1207 }
1208
1209 /* set responder's cookie */
1210 isakmp_newcookie((caddr_t)&iph1->index.r_ck, iph1->remote, iph1->local);
1211
1212 /* make ID payload into isakmp status */
1213 if (ipsecdoi_setid1(iph1) < 0) {
1214 plog(LLV_ERROR, LOCATION, NULL,
1215 "failed to set ID");
1216 goto end;
1217 }
1218
1219 /* generate DH public value */
1220 if (oakley_dh_generate(iph1->rmconf->dhgrp,
1221 &iph1->dhpub, &iph1->dhpriv) < 0) {
1222 plog(LLV_ERROR, LOCATION, NULL,
1223 "failed to generate DH");
1224 goto end;
1225 }
1226
1227 /* generate NONCE value */
1228 iph1->nonce = eay_set_random(iph1->rmconf->nonce_size);
1229 if (iph1->nonce == NULL) {
1230 plog(LLV_ERROR, LOCATION, NULL,
1231 "failed to generate NONCE");
1232 goto end;
1233 }
1234
1235 /* compute sharing secret of DH */
1236 if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub,
1237 iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) {
1238 plog(LLV_ERROR, LOCATION, NULL,
1239 "failed to compute DH");
1240 goto end;
1241 }
1242
1243 /* generate SKEYIDs & IV & final cipher key */
1244 if (oakley_skeyid(iph1) < 0) {
1245 plog(LLV_ERROR, LOCATION, NULL,
1246 "failed to generate SKEYID");
1247 goto end;
1248 }
1249 if (oakley_skeyid_dae(iph1) < 0) {
1250 plog(LLV_ERROR, LOCATION, NULL,
1251 "failed to generate SKEYID-DAE");
1252 goto end;
1253 }
1254 if (oakley_compute_enckey(iph1) < 0) {
1255 plog(LLV_ERROR, LOCATION, NULL,
1256 "failed to generate ENCKEY");
1257 goto end;
1258 }
1259 if (oakley_newiv(iph1) < 0) {
1260 plog(LLV_ERROR, LOCATION, NULL,
1261 "failed to generate IV");
1262 goto end;
1263 }
1264
1265 #ifdef HAVE_GSSAPI
1266 if (RMAUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB)
1267 gssapi_get_rtoken(iph1, &gsslen);
1268 #endif
1269
1270 /* generate HASH to send */
1271 plog(LLV_DEBUG, LOCATION, NULL, "generate HASH_R\n");
1272 iph1->hash = oakley_ph1hash_common(iph1, GENERATE);
1273 if (iph1->hash == NULL) {
1274 #ifdef HAVE_GSSAPI
1275 if (gssapi_more_tokens(iph1))
1276 isakmp_info_send_n1(iph1,
1277 ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, NULL);
1278 #endif
1279 plog(LLV_ERROR, LOCATION, NULL,
1280 "failed to generate GSS HASH");
1281 goto end;
1282 }
1283
1284 /* create CR if need */
1285 if (iph1->rmconf->send_cr
1286 && oakley_needcr(iph1->approval->authmethod)
1287 && iph1->rmconf->peerscertfile == NULL) {
1288 need_cr = 1;
1289 cr = oakley_getcr(iph1);
1290 if (cr == NULL) {
1291 plog(LLV_ERROR, LOCATION, NULL,
1292 "failed to get CR.\n");
1293 goto end;
1294 }
1295 }
1296
1297 #ifdef ENABLE_NATT
1298 /* Has the peer announced NAT-T? */
1299 if (NATT_AVAILABLE(iph1)) {
1300 /* set chosen VID */
1301 vid_natt = set_vendorid(iph1->natt_options->version);
1302
1303 /* generate NAT-D payloads */
1304 plog (LLV_INFO, LOCATION, NULL, "Adding remote and local NAT-D payloads.\n");
1305 if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) {
1306 plog(LLV_ERROR, LOCATION, NULL,
1307 "NAT-D hashing failed for %s\n", saddr2str(iph1->remote));
1308 goto end;
1309 }
1310
1311 if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) {
1312 plog(LLV_ERROR, LOCATION, NULL,
1313 "NAT-D hashing failed for %s\n", saddr2str(iph1->local));
1314 goto end;
1315 }
1316 }
1317 #endif
1318 #ifdef ENABLE_DPD
1319 /* Only send DPD support if remote announced DPD and if DPD support is active */
1320 if (iph1->dpd_support && iph1->rmconf->dpd)
1321 vid_dpd = set_vendorid(VENDORID_DPD);
1322 #endif
1323 #ifdef ENABLE_FRAG
1324 if (iph1->frag) {
1325 vid_frag = set_vendorid(VENDORID_FRAG);
1326 if (vid_frag != NULL)
1327 vid_frag = isakmp_frag_addcap(vid_frag,
1328 VENDORID_FRAG_AGG);
1329 if (vid_frag == NULL)
1330 plog(LLV_ERROR, LOCATION, NULL,
1331 "Frag vendorID construction failed\n");
1332 }
1333 #endif
1334
1335 switch (AUTHMETHOD(iph1)) {
1336 case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
1337 #ifdef ENABLE_HYBRID
1338 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
1339 #endif
1340 /* set SA payload to reply */
1341 plist = isakmp_plist_append(plist, iph1->sa_ret, ISAKMP_NPTYPE_SA);
1342
1343 /* create isakmp KE payload */
1344 plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE);
1345
1346 /* create isakmp NONCE payload */
1347 plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE);
1348
1349 /* create isakmp ID payload */
1350 plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
1351
1352 /* create isakmp HASH payload */
1353 plist = isakmp_plist_append(plist,
1354 iph1->hash, ISAKMP_NPTYPE_HASH);
1355
1356 /* create isakmp CR payload if needed */
1357 if (need_cr)
1358 plist = isakmp_plist_append(plist, cr, ISAKMP_NPTYPE_CR);
1359 break;
1360 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
1361 case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
1362 #ifdef ENABLE_HYBRID
1363 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
1364 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
1365 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
1366 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
1367 #endif
1368 /* XXX if there is CR or not ? */
1369
1370 if (oakley_getmycert(iph1) < 0) {
1371 plog(LLV_ERROR, LOCATION, NULL,
1372 "failed to get mycert");
1373 goto end;
1374 }
1375
1376 if (oakley_getsign(iph1) < 0) {
1377 plog(LLV_ERROR, LOCATION, NULL,
1378 "failed to get sign");
1379 goto end;
1380 }
1381
1382 if (iph1->cert != NULL && iph1->rmconf->send_cert)
1383 need_cert = 1;
1384
1385 /* set SA payload to reply */
1386 plist = isakmp_plist_append(plist, iph1->sa_ret, ISAKMP_NPTYPE_SA);
1387
1388 /* create isakmp KE payload */
1389 plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE);
1390
1391 /* create isakmp NONCE payload */
1392 plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE);
1393
1394 /* add ID payload */
1395 plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
1396
1397 /* add CERT payload if there */
1398 if (need_cert)
1399 plist = isakmp_plist_append(plist, iph1->cert->pl, ISAKMP_NPTYPE_CERT);
1400
1401 /* add SIG payload */
1402 plist = isakmp_plist_append(plist, iph1->sig, ISAKMP_NPTYPE_SIG);
1403
1404 /* create isakmp CR payload if needed */
1405 if (need_cr)
1406 plist = isakmp_plist_append(plist,
1407 cr, ISAKMP_NPTYPE_CR);
1408 break;
1409
1410 case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
1411 case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
1412 #ifdef ENABLE_HYBRID
1413 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
1414 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
1415 #endif
1416 break;
1417 #ifdef HAVE_GSSAPI
1418 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
1419 /* create buffer to send isakmp payload */
1420 gsshash = gssapi_wraphash(iph1);
1421 if (gsshash == NULL) {
1422 plog(LLV_ERROR, LOCATION, NULL,
1423 "failed to generate GSS HASH\n");
1424 /*
1425 * This is probably due to the GSS
1426 * roundtrips not being finished yet.
1427 * Return this error in the hope that
1428 * a fallback to main mode will be done.
1429 */
1430 isakmp_info_send_n1(iph1,
1431 ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, NULL);
1432 goto end;
1433 }
1434 if (iph1->approval->gssid != NULL)
1435 gss_sa =
1436 ipsecdoi_setph1proposal(iph1->approval);
1437 else
1438 gss_sa = iph1->sa_ret;
1439
1440 if (gss_sa != iph1->sa_ret)
1441 free_gss_sa = 1;
1442
1443 /* set SA payload to reply */
1444 plist = isakmp_plist_append(plist,
1445 gss_sa, ISAKMP_NPTYPE_SA);
1446
1447 /* create isakmp KE payload */
1448 plist = isakmp_plist_append(plist,
1449 iph1->dhpub, ISAKMP_NPTYPE_KE);
1450
1451 /* create isakmp NONCE payload */
1452 plist = isakmp_plist_append(plist,
1453 iph1->nonce, ISAKMP_NPTYPE_NONCE);
1454
1455 /* create isakmp ID payload */
1456 plist = isakmp_plist_append(plist,
1457 iph1->id, ISAKMP_NPTYPE_ID);
1458
1459 /* create GSS payload */
1460 gssapi_get_token_to_send(iph1, &gsstoken);
1461 plist = isakmp_plist_append(plist,
1462 gsstoken, ISAKMP_NPTYPE_GSS);
1463
1464 /* create isakmp HASH payload */
1465 plist = isakmp_plist_append(plist,
1466 gsshash, ISAKMP_NPTYPE_HASH);
1467
1468 /* append vendor id, if needed */
1469 break;
1470 #endif
1471 }
1472
1473 #ifdef ENABLE_HYBRID
1474 if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) {
1475 plog (LLV_INFO, LOCATION, NULL, "Adding xauth VID payload.\n");
1476 if ((xauth_vid = set_vendorid(VENDORID_XAUTH)) == NULL) {
1477 plog(LLV_ERROR, LOCATION, NULL,
1478 "Cannot create Xauth vendor ID\n");
1479 goto end;
1480 }
1481 plist = isakmp_plist_append(plist,
1482 xauth_vid, ISAKMP_NPTYPE_VID);
1483 }
1484
1485 if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_UNITY) {
1486 if ((unity_vid = set_vendorid(VENDORID_UNITY)) == NULL) {
1487 plog(LLV_ERROR, LOCATION, NULL,
1488 "Cannot create Unity vendor ID\n");
1489 goto end;
1490 }
1491 plist = isakmp_plist_append(plist,
1492 unity_vid, ISAKMP_NPTYPE_VID);
1493 }
1494 #endif
1495
1496 #ifdef ENABLE_NATT
1497 /* append NAT-T payloads */
1498 if (vid_natt) {
1499 /* chosen VID */
1500 plist = isakmp_plist_append(plist, vid_natt, ISAKMP_NPTYPE_VID);
1501 /* NAT-D */
1502 #ifdef __APPLE__
1503 /* old Apple version sends natd payloads in the wrong order */
1504 if (iph1->natt_options->version == VENDORID_NATT_APPLE) {
1505 plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
1506 plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
1507 } else
1508 #endif
1509 {
1510 plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
1511 plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
1512 }
1513 }
1514 #endif
1515
1516 #ifdef ENABLE_FRAG
1517 if (vid_frag)
1518 plist = isakmp_plist_append(plist, vid_frag, ISAKMP_NPTYPE_VID);
1519 #endif
1520
1521 #ifdef ENABLE_DPD
1522 if (vid_dpd)
1523 plist = isakmp_plist_append(plist, vid_dpd, ISAKMP_NPTYPE_VID);
1524 #endif
1525
1526 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
1527
1528 #ifdef HAVE_PRINT_ISAKMP_C
1529 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 1);
1530 #endif
1531
1532 /* send the packet, add to the schedule to resend */
1533 iph1->retry_counter = iph1->rmconf->retry_counter;
1534 if (isakmp_ph1resend(iph1) == -1) {
1535 plog(LLV_ERROR , LOCATION, NULL,
1536 "failed to send packet");
1537 goto end;
1538 }
1539
1540 /* the sending message is added to the received-list. */
1541 if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
1542 PH1_NON_ESP_EXTRA_LEN(iph1)) == -1) {
1543 plog(LLV_ERROR , LOCATION, NULL,
1544 "failed to add a response packet to the tree.\n");
1545 goto end;
1546 }
1547
1548 iph1->status = PHASE1ST_MSG1SENT;
1549
1550 #ifdef ENABLE_VPNCONTROL_PORT
1551 vpncontrol_notify_phase_change(1, FROM_LOCAL, iph1, NULL);
1552 #endif
1553
1554 error = 0;
1555
1556 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1557 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
1558 CONSTSTR("Responder, Aggressive-Mode message 2"),
1559 CONSTSTR(NULL));
1560
1561 end:
1562 if (error) {
1563 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1564 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
1565 CONSTSTR("Responder, Aggressive-Mode Message 2"),
1566 CONSTSTR("Failed to process Aggressive-Mode Message 2"));
1567 }
1568 if (cr)
1569 vfree(cr);
1570 #ifdef ENABLE_HYBRID
1571 if (xauth_vid)
1572 vfree(xauth_vid);
1573 if (unity_vid)
1574 vfree(unity_vid);
1575 #endif
1576 #ifdef HAVE_GSSAPI
1577 if (gsstoken)
1578 vfree(gsstoken);
1579 if (gsshash)
1580 vfree(gsshash);
1581 if (free_gss_sa)
1582 vfree(gss_sa);
1583 #endif
1584 #ifdef ENABLE_NATT
1585 if (vid_natt)
1586 vfree(vid_natt);
1587 if (natd[0])
1588 vfree(natd[0]);
1589 if (natd[1])
1590 vfree(natd[1]);
1591 #endif
1592 #ifdef ENABLE_DPD
1593 if (vid_dpd)
1594 vfree(vid_dpd);
1595 #endif
1596 #ifdef ENABLE_FRAG
1597 if (vid_frag)
1598 vfree(vid_frag);
1599 #endif
1600
1601 return error;
1602 }
1603
1604 /*
1605 * receive from initiator
1606 * psk: HDR, HASH_I
1607 * gssapi: HDR, HASH_I
1608 * sig: HDR, [ CERT, ] SIG_I
1609 * rsa: HDR, HASH_I
1610 * rev: HDR, HASH_I
1611 */
1612 int
1613 agg_r2recv(iph1, msg0)
1614 struct ph1handle *iph1;
1615 vchar_t *msg0;
1616 {
1617 vchar_t *msg = NULL;
1618 vchar_t *pbuf = NULL;
1619 struct isakmp_parse_t *pa;
1620 int error = -1;
1621 int ptype;
1622
1623 #ifdef ENABLE_NATT
1624 int natd_seq = 0;
1625 #endif
1626
1627 /* validity check */
1628 if (iph1->status != PHASE1ST_MSG1SENT) {
1629 plog(LLV_ERROR, LOCATION, NULL,
1630 "status mismatched %d.\n", iph1->status);
1631 goto end;
1632 }
1633
1634 /* decrypting if need. */
1635 /* XXX configurable ? */
1636 if (ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
1637 msg = oakley_do_decrypt(iph1, msg0,
1638 iph1->ivm->iv, iph1->ivm->ive);
1639 if (msg == NULL) {
1640 plog(LLV_ERROR, LOCATION, NULL,
1641 "failed to decrypt msg");
1642 goto end;
1643 }
1644 } else
1645 msg = vdup(msg0);
1646
1647 /* validate the type of next payload */
1648 pbuf = isakmp_parse(msg);
1649 if (pbuf == NULL) {
1650 plog(LLV_ERROR, LOCATION, NULL,
1651 "failed to parse msg");
1652 goto end;
1653 }
1654
1655 iph1->pl_hash = NULL;
1656
1657 for (pa = (struct isakmp_parse_t *)pbuf->v;
1658 pa->type != ISAKMP_NPTYPE_NONE;
1659 pa++) {
1660
1661 switch (pa->type) {
1662 case ISAKMP_NPTYPE_HASH:
1663 iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr;
1664 break;
1665 case ISAKMP_NPTYPE_VID:
1666 (void)check_vendorid(pa->ptr);
1667 break;
1668 case ISAKMP_NPTYPE_CERT:
1669 if (oakley_savecert(iph1, pa->ptr) < 0) {
1670 plog(LLV_ERROR, LOCATION, NULL,
1671 "failed to process CERT payload");
1672 goto end;
1673 }
1674 break;
1675 case ISAKMP_NPTYPE_SIG:
1676 if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) {
1677 plog(LLV_ERROR, LOCATION, NULL,
1678 "failed to process SIG payload");
1679 goto end;
1680 }
1681 break;
1682 case ISAKMP_NPTYPE_N:
1683 isakmp_check_notify(pa->ptr, iph1);
1684 break;
1685
1686 #ifdef ENABLE_NATT
1687 case ISAKMP_NPTYPE_NATD_DRAFT:
1688 case ISAKMP_NPTYPE_NATD_RFC:
1689 if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL &&
1690 pa->type == iph1->natt_options->payload_nat_d)
1691 {
1692 vchar_t *natd_received = NULL;
1693 int natd_verified;
1694
1695 if (isakmp_p2ph (&natd_received, pa->ptr) < 0) {
1696 plog(LLV_ERROR, LOCATION, NULL,
1697 "failed to process NATD payload");
1698 goto end;
1699 }
1700
1701 if (natd_seq == 0)
1702 iph1->natt_flags |= NAT_DETECTED;
1703
1704 natd_verified = natt_compare_addr_hash (iph1,
1705 natd_received, natd_seq++);
1706
1707 plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n",
1708 natd_seq - 1,
1709 natd_verified ? "verified" : "doesn't match");
1710
1711 vfree (natd_received);
1712 break;
1713 }
1714 /* %%%% Be lenient here - some servers send natd payloads */
1715 /* when no nat is detected */
1716 break;
1717 #endif
1718
1719 default:
1720 /* don't send information, see isakmp_ident_r1() */
1721 plog(LLV_ERROR, LOCATION, iph1->remote,
1722 "ignore the packet, "
1723 "received unexpecting payload type %d.\n",
1724 pa->type);
1725 goto end;
1726 }
1727 }
1728
1729 #ifdef ENABLE_NATT
1730 if (NATT_AVAILABLE(iph1))
1731 plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n",
1732 iph1->natt_flags & NAT_DETECTED ?
1733 "detected:" : "not detected",
1734 iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "",
1735 iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : "");
1736 #endif
1737
1738 /* validate authentication value */
1739 ptype = oakley_validate_auth(iph1);
1740 if (ptype != 0) {
1741 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1742 IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_FAIL,
1743 CONSTSTR("Responder, Aggressive-Mode Message 3"),
1744 CONSTSTR("Failed to authenticate Aggressive-Mode Message 3"));
1745 if (ptype == -1) {
1746 /* message printed inner oakley_validate_auth() */
1747 goto end;
1748 }
1749 EVT_PUSH(iph1->local, iph1->remote,
1750 EVTT_PEERPH1AUTH_FAILED, NULL);
1751 isakmp_info_send_n1(iph1, ptype, NULL);
1752 goto end;
1753 }
1754 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1755 IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_SUCC,
1756 CONSTSTR("Responder, Aggressive-Mode Message 3"),
1757 CONSTSTR(NULL));
1758
1759 iph1->status = PHASE1ST_MSG2RECEIVED;
1760
1761 error = 0;
1762
1763 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1764 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
1765 CONSTSTR("Responder, Aggressive-Mode message 3"),
1766 CONSTSTR(NULL));
1767
1768 end:
1769 if (error) {
1770 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1771 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
1772 CONSTSTR("Responder, Aggressive-Mode Message 3"),
1773 CONSTSTR("Failed to process Aggressive-Mode Message 3"));
1774 }
1775 if (pbuf)
1776 vfree(pbuf);
1777 if (msg)
1778 vfree(msg);
1779 if (error) {
1780 oakley_delcert(iph1->cert_p);
1781 iph1->cert_p = NULL;
1782 oakley_delcert(iph1->crl_p);
1783 iph1->crl_p = NULL;
1784 VPTRINIT(iph1->sig_p);
1785 }
1786
1787 return error;
1788 }
1789
1790 /*
1791 * status update and establish isakmp sa.
1792 */
1793 int
1794 agg_r2send(iph1, msg)
1795 struct ph1handle *iph1;
1796 vchar_t *msg;
1797 {
1798 int error = -1;
1799
1800 /* validity check */
1801 if (iph1->status != PHASE1ST_MSG2RECEIVED) {
1802 plog(LLV_ERROR, LOCATION, NULL,
1803 "status mismatched %d.\n", iph1->status);
1804 goto end;
1805 }
1806
1807 /* IV synchronized when packet encrypted. */
1808 /* see handler.h about IV synchronization. */
1809 if (ISSET(((struct isakmp *)msg->v)->flags, ISAKMP_FLAG_E))
1810 memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->iv->l);
1811
1812 /* set encryption flag */
1813 iph1->flags |= ISAKMP_FLAG_E;
1814
1815 iph1->status = PHASE1ST_ESTABLISHED;
1816
1817 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1818 IPSECSESSIONEVENTCODE_IKEV1_PH1_RESP_SUCC,
1819 CONSTSTR("Responder, Aggressive-Mode"),
1820 CONSTSTR(NULL));
1821
1822 error = 0;
1823
1824 end:
1825 return error;
1826 }
mirror of ipsec