]> git.saurik.com Git - apple/ipsec.git/blob - ipsec-tools/racoon/isakmp_base.c
projects / apple / ipsec.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
ipsec-92.tar.gz
[apple/ipsec.git] / ipsec-tools / racoon / isakmp_base.c
1 /* $NetBSD: isakmp_base.c,v 1.7 2006/10/02 21:51:33 manu Exp $ */
2
3 /* $KAME: isakmp_base.c,v 1.49 2003/11/13 02:30:20 sakane Exp $ */
4
5 /*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 /* Base Exchange (Base Mode) */
35
36 #include "config.h"
37
38 #include <sys/types.h>
39 #include <sys/param.h>
40
41 #include <stdlib.h>
42 #include <stdio.h>
43 #include <string.h>
44 #include <errno.h>
45 #if TIME_WITH_SYS_TIME
46 # include <sys/time.h>
47 # include <time.h>
48 #else
49 # if HAVE_SYS_TIME_H
50 # include <sys/time.h>
51 # else
52 # include <time.h>
53 # endif
54 #endif
55
56 #include "var.h"
57 #include "misc.h"
58 #include "vmbuf.h"
59 #include "plog.h"
60 #include "sockmisc.h"
61 #include "schedule.h"
62 #include "debug.h"
63
64 #ifdef ENABLE_HYBRID
65 #include <resolv.h>
66 #endif
67
68 #include "localconf.h"
69 #include "remoteconf.h"
70 #include "isakmp_var.h"
71 #include "isakmp.h"
72 #include "evt.h"
73 #include "oakley.h"
74 #include "handler.h"
75 #include "ipsec_doi.h"
76 #include "crypto_openssl.h"
77 #include "pfkey.h"
78 #include "isakmp_base.h"
79 #include "isakmp_inf.h"
80 #include "vendorid.h"
81 #ifdef ENABLE_NATT
82 #include "nattraversal.h"
83 #endif
84 #ifdef ENABLE_FRAG
85 #include "isakmp_frag.h"
86 #endif
87 #ifdef ENABLE_HYBRID
88 #include "isakmp_xauth.h"
89 #include "isakmp_cfg.h"
90 #endif
91 #include "vpn_control.h"
92 #include "vpn_control_var.h"
93
94 /* %%%
95 * begin Identity Protection Mode as initiator.
96 */
97 /*
98 * send to responder
99 * psk: HDR, SA, Idii, Ni_b
100 * sig: HDR, SA, Idii, Ni_b
101 * rsa: HDR, SA, [HASH(1),] <IDii_b>Pubkey_r, <Ni_b>Pubkey_r
102 * rev: HDR, SA, [HASH(1),] <Ni_b>Pubkey_r, <IDii_b>Ke_i
103 */
104 int
105 base_i1send(iph1, msg)
106 struct ph1handle *iph1;
107 vchar_t *msg; /* must be null */
108 {
109 struct payload_list *plist = NULL;
110 int error = -1;
111 #ifdef ENABLE_NATT
112 vchar_t *vid_natt[MAX_NATT_VID_COUNT] = { NULL };
113 int i, vid_natt_i = 0;
114 #endif
115 #ifdef ENABLE_FRAG
116 vchar_t *vid_frag = NULL;
117 #endif
118 #ifdef ENABLE_HYBRID
119 vchar_t *vid_xauth = NULL;
120 vchar_t *vid_unity = NULL;
121 #endif
122 #ifdef ENABLE_DPD
123 vchar_t *vid_dpd = NULL;
124 #endif
125
126
127 /* validity check */
128 if (msg != NULL) {
129 plog(LLV_ERROR, LOCATION, NULL,
130 "msg has to be NULL in this function.\n");
131 goto end;
132 }
133 if (iph1->status != PHASE1ST_START) {
134 plog(LLV_ERROR, LOCATION, NULL,
135 "status mismatched %d.\n", iph1->status);
136 goto end;
137 }
138
139 /* create isakmp index */
140 memset(&iph1->index, 0, sizeof(iph1->index));
141 isakmp_newcookie((caddr_t)&iph1->index, iph1->remote, iph1->local);
142
143 /* make ID payload into isakmp status */
144 if (ipsecdoi_setid1(iph1) < 0)
145 goto end;
146
147 /* create SA payload for my proposal */
148 iph1->sa = ipsecdoi_setph1proposal(iph1->rmconf->proposal);
149 if (iph1->sa == NULL)
150 goto end;
151
152 /* generate NONCE value */
153 iph1->nonce = eay_set_random(iph1->rmconf->nonce_size);
154 if (iph1->nonce == NULL)
155 goto end;
156
157 #ifdef ENABLE_HYBRID
158 /* Do we need Xauth VID? */
159 switch (RMAUTHMETHOD(iph1)) {
160 case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
161 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
162 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
163 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
164 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
165 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
166 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
167 if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL)
168 plog(LLV_ERROR, LOCATION, NULL,
169 "Xauth vendor ID generation failed\n");
170
171 if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL)
172 plog(LLV_ERROR, LOCATION, NULL,
173 "Unity vendor ID generation failed\n");
174 break;
175 default:
176 break;
177 }
178 #endif
179 #ifdef ENABLE_FRAG
180 if (iph1->rmconf->ike_frag) {
181 vid_frag = set_vendorid(VENDORID_FRAG);
182 if (vid_frag != NULL)
183 vid_frag = isakmp_frag_addcap(vid_frag,
184 VENDORID_FRAG_BASE);
185 if (vid_frag == NULL)
186 plog(LLV_ERROR, LOCATION, NULL,
187 "Frag vendorID construction failed\n");
188 }
189 #endif
190 #ifdef ENABLE_NATT
191 /* Is NAT-T support allowed in the config file? */
192 if (iph1->rmconf->nat_traversal) {
193 /* Advertise NAT-T capability */
194 memset (vid_natt, 0, sizeof (vid_natt));
195 #ifdef VENDORID_NATT_00
196 if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_00)) != NULL)
197 vid_natt_i++;
198 #endif
199 #ifdef VENDORID_NATT_02
200 if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_02)) != NULL)
201 vid_natt_i++;
202 #endif
203 #ifdef VENDORID_NATT_02_N
204 if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_02_N)) != NULL)
205 vid_natt_i++;
206 #endif
207 #ifdef VENDORID_NATT_RFC
208 if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_RFC)) != NULL)
209 vid_natt_i++;
210 #endif
211 }
212 #endif
213
214 /* set SA payload to propose */
215 plist = isakmp_plist_append(plist, iph1->sa, ISAKMP_NPTYPE_SA);
216
217 /* create isakmp ID payload */
218 plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
219
220 /* create isakmp NONCE payload */
221 plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE);
222
223 #ifdef ENABLE_FRAG
224 if (vid_frag)
225 plist = isakmp_plist_append(plist, vid_frag, ISAKMP_NPTYPE_VID);
226 #endif
227 #ifdef ENABLE_HYBRID
228 if (vid_xauth)
229 plist = isakmp_plist_append(plist,
230 vid_xauth, ISAKMP_NPTYPE_VID);
231 if (vid_unity)
232 plist = isakmp_plist_append(plist,
233 vid_unity, ISAKMP_NPTYPE_VID);
234 #endif
235 #ifdef ENABLE_DPD
236 if (iph1->rmconf->dpd) {
237 vid_dpd = set_vendorid(VENDORID_DPD);
238 if (vid_dpd != NULL)
239 plist = isakmp_plist_append(plist, vid_dpd, ISAKMP_NPTYPE_VID);
240 }
241 #endif
242 #ifdef ENABLE_NATT
243 /* set VID payload for NAT-T */
244 for (i = 0; i < vid_natt_i; i++)
245 plist = isakmp_plist_append(plist, vid_natt[i], ISAKMP_NPTYPE_VID);
246 #endif
247 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
248
249
250 #ifdef HAVE_PRINT_ISAKMP_C
251 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
252 #endif
253
254 /* send the packet, add to the schedule to resend */
255 iph1->retry_counter = iph1->rmconf->retry_counter;
256 if (isakmp_ph1resend(iph1) == -1)
257 goto end;
258
259 iph1->status = PHASE1ST_MSG1SENT;
260
261 error = 0;
262
263 end:
264 #ifdef ENABLE_FRAG
265 if (vid_frag)
266 vfree(vid_frag);
267 #endif
268 #ifdef ENABLE_NATT
269 for (i = 0; i < vid_natt_i; i++)
270 vfree(vid_natt[i]);
271 #endif
272 #ifdef ENABLE_HYBRID
273 if (vid_xauth != NULL)
274 vfree(vid_xauth);
275 if (vid_unity != NULL)
276 vfree(vid_unity);
277 #endif
278 #ifdef ENABLE_DPD
279 if (vid_dpd != NULL)
280 vfree(vid_dpd);
281 #endif
282
283 return error;
284 }
285
286 /*
287 * receive from responder
288 * psk: HDR, SA, Idir, Nr_b
289 * sig: HDR, SA, Idir, Nr_b, [ CR ]
290 * rsa: HDR, SA, <IDir_b>PubKey_i, <Nr_b>PubKey_i
291 * rev: HDR, SA, <Nr_b>PubKey_i, <IDir_b>Ke_r
292 */
293 int
294 base_i2recv(iph1, msg)
295 struct ph1handle *iph1;
296 vchar_t *msg;
297 {
298 vchar_t *pbuf = NULL;
299 struct isakmp_parse_t *pa;
300 vchar_t *satmp = NULL;
301 int error = -1;
302 int vid_numeric;
303 #ifdef ENABLE_HYBRID
304 vchar_t *unity_vid;
305 vchar_t *xauth_vid;
306 #endif
307
308 /* validity check */
309 if (iph1->status != PHASE1ST_MSG1SENT) {
310 plog(LLV_ERROR, LOCATION, NULL,
311 "status mismatched %d.\n", iph1->status);
312 goto end;
313 }
314
315 /* validate the type of next payload */
316 pbuf = isakmp_parse(msg);
317 if (pbuf == NULL)
318 goto end;
319 pa = (struct isakmp_parse_t *)pbuf->v;
320
321 /* SA payload is fixed postion */
322 if (pa->type != ISAKMP_NPTYPE_SA) {
323 plog(LLV_ERROR, LOCATION, iph1->remote,
324 "received invalid next payload type %d, "
325 "expecting %d.\n",
326 pa->type, ISAKMP_NPTYPE_SA);
327 goto end;
328 }
329 if (isakmp_p2ph(&satmp, pa->ptr) < 0)
330 goto end;
331 pa++;
332
333 for (/*nothing*/;
334 pa->type != ISAKMP_NPTYPE_NONE;
335 pa++) {
336
337 switch (pa->type) {
338 case ISAKMP_NPTYPE_NONCE:
339 if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0)
340 goto end;
341 break;
342 case ISAKMP_NPTYPE_ID:
343 if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0)
344 goto end;
345 break;
346 case ISAKMP_NPTYPE_VID:
347 vid_numeric = check_vendorid(pa->ptr);
348 #ifdef ENABLE_NATT
349 if (iph1->rmconf->nat_traversal && natt_vendorid(vid_numeric))
350 natt_handle_vendorid(iph1, vid_numeric);
351 #endif
352 #ifdef ENABLE_HYBRID
353 switch (vid_numeric) {
354 case VENDORID_XAUTH:
355 iph1->mode_cfg->flags |=
356 ISAKMP_CFG_VENDORID_XAUTH;
357 break;
358
359 case VENDORID_UNITY:
360 iph1->mode_cfg->flags |=
361 ISAKMP_CFG_VENDORID_UNITY;
362 break;
363
364 default:
365 break;
366 }
367 #endif
368 #ifdef ENABLE_DPD
369 if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd) {
370 iph1->dpd_support=1;
371 plog(LLV_DEBUG, LOCATION, NULL,
372 "remote supports DPD\n");
373 }
374 #endif
375 break;
376 default:
377 /* don't send information, see ident_r1recv() */
378 plog(LLV_ERROR, LOCATION, iph1->remote,
379 "ignore the packet, "
380 "received unexpecting payload type %d.\n",
381 pa->type);
382 goto end;
383 }
384 }
385
386 if (iph1->nonce_p == NULL || iph1->id_p == NULL) {
387 plog(LLV_ERROR, LOCATION, iph1->remote,
388 "few isakmp message received.\n");
389 goto end;
390 }
391
392 /* verify identifier */
393 if (ipsecdoi_checkid1(iph1) != 0) {
394 plog(LLV_ERROR, LOCATION, iph1->remote,
395 "invalid ID payload.\n");
396 goto end;
397 }
398
399 #ifdef ENABLE_NATT
400 if (NATT_AVAILABLE(iph1))
401 plog(LLV_INFO, LOCATION, iph1->remote,
402 "Selected NAT-T version: %s\n",
403 vid_string_by_id(iph1->natt_options->version));
404 #endif
405
406 /* check SA payload and set approval SA for use */
407 if (ipsecdoi_checkph1proposal(satmp, iph1) < 0) {
408 plog(LLV_ERROR, LOCATION, iph1->remote,
409 "failed to get valid proposal.\n");
410 /* XXX send information */
411 goto end;
412 }
413 VPTRINIT(iph1->sa_ret);
414
415 iph1->status = PHASE1ST_MSG2RECEIVED;
416
417 #ifdef ENABLE_VPNCONTROL_PORT
418 vpncontrol_notify_phase_change(1, FROM_REMOTE, iph1, NULL);
419 #endif
420
421 error = 0;
422
423 end:
424 if (pbuf)
425 vfree(pbuf);
426 if (satmp)
427 vfree(satmp);
428
429 if (error) {
430 VPTRINIT(iph1->nonce_p);
431 VPTRINIT(iph1->id_p);
432 }
433
434 return error;
435 }
436
437 /*
438 * send to responder
439 * psk: HDR, KE, HASH_I
440 * sig: HDR, KE, [ CR, ] [CERT,] SIG_I
441 * rsa: HDR, KE, HASH_I
442 * rev: HDR, <KE>Ke_i, HASH_I
443 */
444 int
445 base_i2send(iph1, msg)
446 struct ph1handle *iph1;
447 vchar_t *msg;
448 {
449 struct payload_list *plist = NULL;
450 vchar_t *vid = NULL;
451 int need_cert = 0;
452 int error = -1;
453
454 /* validity check */
455 if (iph1->status != PHASE1ST_MSG2RECEIVED) {
456 plog(LLV_ERROR, LOCATION, NULL,
457 "status mismatched %d.\n", iph1->status);
458 goto end;
459 }
460
461 /* fix isakmp index */
462 memcpy(&iph1->index.r_ck, &((struct isakmp *)msg->v)->r_ck,
463 sizeof(cookie_t));
464
465 /* generate DH public value */
466 if (oakley_dh_generate(iph1->approval->dhgrp,
467 &iph1->dhpub, &iph1->dhpriv) < 0)
468 goto end;
469
470 /* generate SKEYID to compute hash if not signature mode */
471 switch (AUTHMETHOD(iph1)) {
472 case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
473 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
474 #ifdef ENABLE_HYBRID
475 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I:
476 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
477 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
478 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
479 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
480 #endif
481 break;
482 default:
483 if (oakley_skeyid(iph1) < 0)
484 goto end;
485 break;
486 }
487
488 /* generate HASH to send */
489 plog(LLV_DEBUG, LOCATION, NULL, "generate HASH_I\n");
490 iph1->hash = oakley_ph1hash_base_i(iph1, GENERATE);
491 if (iph1->hash == NULL)
492 goto end;
493 switch (AUTHMETHOD(iph1)) {
494 case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
495 #ifdef ENABLE_HYBRID
496 case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
497 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
498 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
499 #endif
500 vid = set_vendorid(iph1->approval->vendorid);
501
502 /* create isakmp KE payload */
503 plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE);
504
505 /* create isakmp HASH payload */
506 plist = isakmp_plist_append(plist, iph1->hash, ISAKMP_NPTYPE_HASH);
507
508 /* append vendor id, if needed */
509 if (vid)
510 plist = isakmp_plist_append(plist, vid, ISAKMP_NPTYPE_VID);
511 break;
512 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
513 case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
514 #ifdef ENABLE_HYBRID
515 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
516 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
517 #endif
518 /* XXX if there is CR or not ? */
519
520 if (oakley_getmycert(iph1) < 0)
521 goto end;
522
523 if (oakley_getsign(iph1) < 0)
524 goto end;
525
526 if (iph1->cert && iph1->rmconf->send_cert)
527 need_cert = 1;
528
529 /* create isakmp KE payload */
530 plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE);
531
532 /* add CERT payload if there */
533 if (need_cert)
534 plist = isakmp_plist_append(plist, iph1->cert->pl, ISAKMP_NPTYPE_CERT);
535
536 /* add SIG payload */
537 plist = isakmp_plist_append(plist, iph1->sig, ISAKMP_NPTYPE_SIG);
538 break;
539 #ifdef HAVE_GSSAPI
540 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
541 /* ... */
542 break;
543 #endif
544 case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
545 case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
546 #ifdef ENABLE_HYBRID
547 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
548 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
549 #endif
550 break;
551 }
552
553 #ifdef ENABLE_NATT
554 /* generate NAT-D payloads */
555 if (NATT_AVAILABLE(iph1))
556 {
557 vchar_t *natd[2] = { NULL, NULL };
558
559 plog (LLV_INFO, LOCATION, NULL, "Adding remote and local NAT-D payloads.\n");
560 if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) {
561 plog(LLV_ERROR, LOCATION, NULL,
562 "NAT-D hashing failed for %s\n", saddr2str(iph1->remote));
563 goto end;
564 }
565
566 if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) {
567 plog(LLV_ERROR, LOCATION, NULL,
568 "NAT-D hashing failed for %s\n", saddr2str(iph1->local));
569 goto end;
570 }
571
572 #ifdef __APPLE__
573 /* old Apple version sends natd payloads in the wrong order */
574 if (iph1->natt_options->version == VENDORID_NATT_APPLE) {
575 plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
576 plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
577 } else
578 #endif
579 {
580 plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
581 plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
582 }
583 }
584 #endif
585
586 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
587
588 #ifdef HAVE_PRINT_ISAKMP_C
589 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
590 #endif
591
592 /* send the packet, add to the schedule to resend */
593 iph1->retry_counter = iph1->rmconf->retry_counter;
594 if (isakmp_ph1resend(iph1) == -1)
595 goto end;
596
597 /* the sending message is added to the received-list. */
598 if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
599 PH1_NON_ESP_EXTRA_LEN(iph1)) == -1) {
600 plog(LLV_ERROR , LOCATION, NULL,
601 "failed to add a response packet to the tree.\n");
602 goto end;
603 }
604
605 iph1->status = PHASE1ST_MSG2SENT;
606
607 error = 0;
608
609 end:
610 if (vid)
611 vfree(vid);
612 return error;
613 }
614
615 /*
616 * receive from responder
617 * psk: HDR, KE, HASH_R
618 * sig: HDR, KE, [CERT,] SIG_R
619 * rsa: HDR, KE, HASH_R
620 * rev: HDR, <KE>_Ke_r, HASH_R
621 */
622 int
623 base_i3recv(iph1, msg)
624 struct ph1handle *iph1;
625 vchar_t *msg;
626 {
627 vchar_t *pbuf = NULL;
628 struct isakmp_parse_t *pa;
629 int error = -1;
630 int ptype;
631 #ifdef ENABLE_NATT
632 vchar_t *natd_received;
633 int natd_seq = 0, natd_verified;
634 #endif
635
636 /* validity check */
637 if (iph1->status != PHASE1ST_MSG2SENT) {
638 plog(LLV_ERROR, LOCATION, NULL,
639 "status mismatched %d.\n", iph1->status);
640 goto end;
641 }
642
643 /* validate the type of next payload */
644 pbuf = isakmp_parse(msg);
645 if (pbuf == NULL)
646 goto end;
647
648 for (pa = (struct isakmp_parse_t *)pbuf->v;
649 pa->type != ISAKMP_NPTYPE_NONE;
650 pa++) {
651
652 switch (pa->type) {
653 case ISAKMP_NPTYPE_KE:
654 if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0)
655 goto end;
656 break;
657 case ISAKMP_NPTYPE_HASH:
658 iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr;
659 break;
660 case ISAKMP_NPTYPE_CERT:
661 if (oakley_savecert(iph1, pa->ptr) < 0)
662 goto end;
663 break;
664 case ISAKMP_NPTYPE_SIG:
665 if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0)
666 goto end;
667 break;
668 case ISAKMP_NPTYPE_VID:
669 (void)check_vendorid(pa->ptr);
670 break;
671
672 #ifdef ENABLE_NATT
673 case ISAKMP_NPTYPE_NATD_DRAFT:
674 case ISAKMP_NPTYPE_NATD_RFC:
675 #ifdef __APPLE__
676 case ISAKMP_NPTYPE_NATD_BADDRAFT:
677 #endif
678 if (NATT_AVAILABLE(iph1) && iph1->natt_options &&
679 pa->type == iph1->natt_options->payload_nat_d) {
680 natd_received = NULL;
681 if (isakmp_p2ph (&natd_received, pa->ptr) < 0)
682 goto end;
683
684 /* set both bits first so that we can clear them
685 upon verifying hashes */
686 if (natd_seq == 0)
687 iph1->natt_flags |= NAT_DETECTED;
688
689 /* this function will clear appropriate bits bits
690 from iph1->natt_flags */
691 natd_verified = natt_compare_addr_hash (iph1,
692 natd_received, natd_seq++);
693
694 plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n",
695 natd_seq - 1,
696 natd_verified ? "verified" : "doesn't match");
697
698 vfree (natd_received);
699 break;
700 }
701 /* %%%% Be lenient here - some servers send natd payloads */
702 /* when no nat is detected */
703 break;
704 #endif
705
706 default:
707 /* don't send information, see ident_r1recv() */
708 plog(LLV_ERROR, LOCATION, iph1->remote,
709 "ignore the packet, "
710 "received unexpecting payload type %d.\n",
711 pa->type);
712 goto end;
713 }
714 }
715
716 #ifdef ENABLE_NATT
717 if (NATT_AVAILABLE(iph1)) {
718 plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n",
719 iph1->natt_flags & NAT_DETECTED ?
720 "detected:" : "not detected",
721 iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "",
722 iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : "");
723 if (iph1->natt_flags & NAT_DETECTED)
724 natt_float_ports (iph1);
725 }
726 #endif
727
728 /* payload existency check */
729 /* validate authentication value */
730 ptype = oakley_validate_auth(iph1);
731 if (ptype != 0) {
732 if (ptype == -1) {
733 /* message printed inner oakley_validate_auth() */
734 goto end;
735 }
736 EVT_PUSH(iph1->local, iph1->remote,
737 EVTT_PEERPH1AUTH_FAILED, NULL);
738 isakmp_info_send_n1(iph1, ptype, NULL);
739 goto end;
740 }
741
742 /* compute sharing secret of DH */
743 if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub,
744 iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0)
745 goto end;
746
747 /* generate SKEYID to compute hash if signature mode */
748 switch (AUTHMETHOD(iph1)) {
749 case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
750 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
751 #ifdef ENABLE_HYBRID
752 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I:
753 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
754 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
755 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
756 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
757 #endif
758 if (oakley_skeyid(iph1) < 0)
759 goto end;
760 break;
761 default:
762 break;
763 }
764
765 /* generate SKEYIDs & IV & final cipher key */
766 if (oakley_skeyid_dae(iph1) < 0)
767 goto end;
768 if (oakley_compute_enckey(iph1) < 0)
769 goto end;
770 if (oakley_newiv(iph1) < 0)
771 goto end;
772
773 /* see handler.h about IV synchronization. */
774 memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->iv->l);
775
776 /* set encryption flag */
777 iph1->flags |= ISAKMP_FLAG_E;
778
779 iph1->status = PHASE1ST_MSG3RECEIVED;
780
781 error = 0;
782
783 end:
784 if (pbuf)
785 vfree(pbuf);
786
787 if (error) {
788 VPTRINIT(iph1->dhpub_p);
789 oakley_delcert(iph1->cert_p);
790 iph1->cert_p = NULL;
791 oakley_delcert(iph1->crl_p);
792 iph1->crl_p = NULL;
793 VPTRINIT(iph1->sig_p);
794 }
795
796 return error;
797 }
798
799 /*
800 * status update and establish isakmp sa.
801 */
802 int
803 base_i3send(iph1, msg)
804 struct ph1handle *iph1;
805 vchar_t *msg;
806 {
807 int error = -1;
808
809 /* validity check */
810 if (iph1->status != PHASE1ST_MSG3RECEIVED) {
811 plog(LLV_ERROR, LOCATION, NULL,
812 "status mismatched %d.\n", iph1->status);
813 goto end;
814 }
815
816 iph1->status = PHASE1ST_ESTABLISHED;
817
818 error = 0;
819
820 end:
821 return error;
822 }
823
824 /*
825 * receive from initiator
826 * psk: HDR, SA, Idii, Ni_b
827 * sig: HDR, SA, Idii, Ni_b
828 * rsa: HDR, SA, [HASH(1),] <IDii_b>Pubkey_r, <Ni_b>Pubkey_r
829 * rev: HDR, SA, [HASH(1),] <Ni_b>Pubkey_r, <IDii_b>Ke_i
830 */
831 int
832 base_r1recv(iph1, msg)
833 struct ph1handle *iph1;
834 vchar_t *msg;
835 {
836 vchar_t *pbuf = NULL;
837 struct isakmp_parse_t *pa;
838 int error = -1;
839 int vid_numeric;
840
841 /* validity check */
842 if (iph1->status != PHASE1ST_START) {
843 plog(LLV_ERROR, LOCATION, NULL,
844 "status mismatched %d.\n", iph1->status);
845 goto end;
846 }
847
848 /* validate the type of next payload */
849 /*
850 * NOTE: XXX even if multiple VID, we'll silently ignore those.
851 */
852 pbuf = isakmp_parse(msg);
853 if (pbuf == NULL)
854 goto end;
855 pa = (struct isakmp_parse_t *)pbuf->v;
856
857 /* check the position of SA payload */
858 if (pa->type != ISAKMP_NPTYPE_SA) {
859 plog(LLV_ERROR, LOCATION, iph1->remote,
860 "received invalid next payload type %d, "
861 "expecting %d.\n",
862 pa->type, ISAKMP_NPTYPE_SA);
863 goto end;
864 }
865 if (isakmp_p2ph(&iph1->sa, pa->ptr) < 0)
866 goto end;
867 pa++;
868
869 for (/*nothing*/;
870 pa->type != ISAKMP_NPTYPE_NONE;
871 pa++) {
872
873 switch (pa->type) {
874 case ISAKMP_NPTYPE_NONCE:
875 if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0)
876 goto end;
877 break;
878 case ISAKMP_NPTYPE_ID:
879 if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0)
880 goto end;
881 break;
882 case ISAKMP_NPTYPE_VID:
883 vid_numeric = check_vendorid(pa->ptr);
884 #ifdef ENABLE_NATT
885 if (iph1->rmconf->nat_traversal && natt_vendorid(vid_numeric))
886 natt_handle_vendorid(iph1, vid_numeric);
887 #endif
888 #ifdef ENABLE_FRAG
889 if ((vid_numeric == VENDORID_FRAG) &&
890 (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_BASE))
891 iph1->frag = 1;
892 #endif
893 #ifdef ENABLE_HYBRID
894 switch (vid_numeric) {
895 case VENDORID_XAUTH:
896 iph1->mode_cfg->flags |=
897 ISAKMP_CFG_VENDORID_XAUTH;
898 break;
899
900 case VENDORID_UNITY:
901 iph1->mode_cfg->flags |=
902 ISAKMP_CFG_VENDORID_UNITY;
903 break;
904
905 default:
906 break;
907 }
908 #endif
909 #ifdef ENABLE_DPD
910 if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd) {
911 iph1->dpd_support=1;
912 plog(LLV_DEBUG, LOCATION, NULL,
913 "remote supports DPD\n");
914 }
915 #endif
916 break;
917 default:
918 /* don't send information, see ident_r1recv() */
919 plog(LLV_ERROR, LOCATION, iph1->remote,
920 "ignore the packet, "
921 "received unexpecting payload type %d.\n",
922 pa->type);
923 goto end;
924 }
925 }
926
927 if (iph1->nonce_p == NULL || iph1->id_p == NULL) {
928 plog(LLV_ERROR, LOCATION, iph1->remote,
929 "few isakmp message received.\n");
930 goto end;
931 }
932
933 /* verify identifier */
934 if (ipsecdoi_checkid1(iph1) != 0) {
935 plog(LLV_ERROR, LOCATION, iph1->remote,
936 "invalid ID payload.\n");
937 goto end;
938 }
939
940 #ifdef ENABLE_NATT
941 if (NATT_AVAILABLE(iph1))
942 plog(LLV_INFO, LOCATION, iph1->remote,
943 "Selected NAT-T version: %s\n",
944 vid_string_by_id(iph1->natt_options->version));
945 #endif
946
947 /* check SA payload and set approval SA for use */
948 if (ipsecdoi_checkph1proposal(iph1->sa, iph1) < 0) {
949 plog(LLV_ERROR, LOCATION, iph1->remote,
950 "failed to get valid proposal.\n");
951 /* XXX send information */
952 goto end;
953 }
954
955 iph1->status = PHASE1ST_MSG1RECEIVED;
956
957 error = 0;
958
959 end:
960 if (pbuf)
961 vfree(pbuf);
962
963 if (error) {
964 VPTRINIT(iph1->sa);
965 VPTRINIT(iph1->nonce_p);
966 VPTRINIT(iph1->id_p);
967 }
968
969 return error;
970 }
971
972 /*
973 * send to initiator
974 * psk: HDR, SA, Idir, Nr_b
975 * sig: HDR, SA, Idir, Nr_b, [ CR ]
976 * rsa: HDR, SA, <IDir_b>PubKey_i, <Nr_b>PubKey_i
977 * rev: HDR, SA, <Nr_b>PubKey_i, <IDir_b>Ke_r
978 */
979 int
980 base_r1send(iph1, msg)
981 struct ph1handle *iph1;
982 vchar_t *msg;
983 {
984 struct payload_list *plist = NULL;
985 int error = -1;
986 #ifdef ENABLE_NATT
987 vchar_t *vid_natt = NULL;
988 #endif
989 #ifdef ENABLE_HYBRID
990 vchar_t *vid_xauth = NULL;
991 vchar_t *vid_unity = NULL;
992 #endif
993 #ifdef ENABLE_FRAG
994 vchar_t *vid_frag = NULL;
995 #endif
996 #ifdef ENABLE_DPD
997 vchar_t *vid_dpd = NULL;
998 #endif
999
1000 /* validity check */
1001 if (iph1->status != PHASE1ST_MSG1RECEIVED) {
1002 plog(LLV_ERROR, LOCATION, NULL,
1003 "status mismatched %d.\n", iph1->status);
1004 goto end;
1005 }
1006
1007 /* set responder's cookie */
1008 isakmp_newcookie((caddr_t)&iph1->index.r_ck, iph1->remote, iph1->local);
1009
1010 /* make ID payload into isakmp status */
1011 if (ipsecdoi_setid1(iph1) < 0)
1012 goto end;
1013
1014 /* generate NONCE value */
1015 iph1->nonce = eay_set_random(iph1->rmconf->nonce_size);
1016 if (iph1->nonce == NULL)
1017 goto end;
1018
1019 /* set SA payload to reply */
1020 plist = isakmp_plist_append(plist, iph1->sa_ret, ISAKMP_NPTYPE_SA);
1021
1022 /* create isakmp ID payload */
1023 plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
1024
1025 /* create isakmp NONCE payload */
1026 plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE);
1027
1028 #ifdef ENABLE_NATT
1029 /* has the peer announced nat-t? */
1030 if (NATT_AVAILABLE(iph1))
1031 vid_natt = set_vendorid(iph1->natt_options->version);
1032 if (vid_natt)
1033 plist = isakmp_plist_append(plist, vid_natt, ISAKMP_NPTYPE_VID);
1034 #endif
1035 #ifdef ENABLE_HYBRID
1036 if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) {
1037 plog (LLV_INFO, LOCATION, NULL, "Adding xauth VID payload.\n");
1038 if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL) {
1039 plog(LLV_ERROR, LOCATION, NULL,
1040 "Cannot create Xauth vendor ID\n");
1041 goto end;
1042 }
1043 plist = isakmp_plist_append(plist,
1044 vid_xauth, ISAKMP_NPTYPE_VID);
1045 }
1046
1047 if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_UNITY) {
1048 if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL) {
1049 plog(LLV_ERROR, LOCATION, NULL,
1050 "Cannot create Unity vendor ID\n");
1051 goto end;
1052 }
1053 plist = isakmp_plist_append(plist,
1054 vid_unity, ISAKMP_NPTYPE_VID);
1055 }
1056 #endif
1057 #ifdef ENABLE_DPD
1058 /*
1059 * Only send DPD support if remote announced DPD
1060 * and if DPD support is active
1061 */
1062 if (iph1->dpd_support && iph1->rmconf->dpd) {
1063 if ((vid_dpd = set_vendorid(VENDORID_DPD)) == NULL) {
1064 plog(LLV_ERROR, LOCATION, NULL,
1065 "DPD vendorID construction failed\n");
1066 } else {
1067 plist = isakmp_plist_append(plist, vid_dpd,
1068 ISAKMP_NPTYPE_VID);
1069 }
1070 }
1071 #endif
1072 #ifdef ENABLE_FRAG
1073 if (iph1->rmconf->ike_frag) {
1074 if ((vid_frag = set_vendorid(VENDORID_FRAG)) == NULL) {
1075 plog(LLV_ERROR, LOCATION, NULL,
1076 "Frag vendorID construction failed\n");
1077 } else {
1078 vid_frag = isakmp_frag_addcap(vid_frag,
1079 VENDORID_FRAG_BASE);
1080 plist = isakmp_plist_append(plist,
1081 vid_frag, ISAKMP_NPTYPE_VID);
1082 }
1083 }
1084 #endif
1085
1086 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
1087
1088 #ifdef HAVE_PRINT_ISAKMP_C
1089 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
1090 #endif
1091
1092 /* send the packet, add to the schedule to resend */
1093 iph1->retry_counter = iph1->rmconf->retry_counter;
1094 if (isakmp_ph1resend(iph1) == -1) {
1095 iph1 = NULL;
1096 goto end;
1097 }
1098
1099 /* the sending message is added to the received-list. */
1100 if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
1101 PH1_NON_ESP_EXTRA_LEN(iph1)) == -1) {
1102 plog(LLV_ERROR , LOCATION, NULL,
1103 "failed to add a response packet to the tree.\n");
1104 goto end;
1105 }
1106
1107 iph1->status = PHASE1ST_MSG1SENT;
1108
1109 #ifdef ENABLE_VPNCONTROL_PORT
1110 vpncontrol_notify_phase_change(1, FROM_LOCAL, iph1, NULL);
1111 #endif
1112
1113 error = 0;
1114
1115 end:
1116 #ifdef ENABLE_NATT
1117 if (vid_natt)
1118 vfree(vid_natt);
1119 #endif
1120 #ifdef ENABLE_HYBRID
1121 if (vid_xauth != NULL)
1122 vfree(vid_xauth);
1123 if (vid_unity != NULL)
1124 vfree(vid_unity);
1125 #endif
1126 #ifdef ENABLE_FRAG
1127 if (vid_frag)
1128 vfree(vid_frag);
1129 #endif
1130 #ifdef ENABLE_DPD
1131 if (vid_dpd)
1132 vfree(vid_dpd);
1133 #endif
1134
1135 if (iph1 != NULL)
1136 VPTRINIT(iph1->sa_ret);
1137
1138 return error;
1139 }
1140
1141 /*
1142 * receive from initiator
1143 * psk: HDR, KE, HASH_I
1144 * sig: HDR, KE, [ CR, ] [CERT,] SIG_I
1145 * rsa: HDR, KE, HASH_I
1146 * rev: HDR, <KE>Ke_i, HASH_I
1147 */
1148 int
1149 base_r2recv(iph1, msg)
1150 struct ph1handle *iph1;
1151 vchar_t *msg;
1152 {
1153 vchar_t *pbuf = NULL;
1154 struct isakmp_parse_t *pa;
1155 int error = -1;
1156 int ptype;
1157 #ifdef ENABLE_NATT
1158 int natd_seq = 0;
1159 #endif
1160
1161 /* validity check */
1162 if (iph1->status != PHASE1ST_MSG1SENT) {
1163 plog(LLV_ERROR, LOCATION, NULL,
1164 "status mismatched %d.\n", iph1->status);
1165 goto end;
1166 }
1167
1168 /* validate the type of next payload */
1169 pbuf = isakmp_parse(msg);
1170 if (pbuf == NULL)
1171 goto end;
1172
1173 iph1->pl_hash = NULL;
1174
1175 for (pa = (struct isakmp_parse_t *)pbuf->v;
1176 pa->type != ISAKMP_NPTYPE_NONE;
1177 pa++) {
1178
1179 switch (pa->type) {
1180 case ISAKMP_NPTYPE_KE:
1181 if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0)
1182 goto end;
1183 break;
1184 case ISAKMP_NPTYPE_HASH:
1185 iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr;
1186 break;
1187 case ISAKMP_NPTYPE_CERT:
1188 if (oakley_savecert(iph1, pa->ptr) < 0)
1189 goto end;
1190 break;
1191 case ISAKMP_NPTYPE_SIG:
1192 if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0)
1193 goto end;
1194 break;
1195 case ISAKMP_NPTYPE_VID:
1196 (void)check_vendorid(pa->ptr);
1197 break;
1198
1199 #ifdef ENABLE_NATT
1200 case ISAKMP_NPTYPE_NATD_DRAFT:
1201 case ISAKMP_NPTYPE_NATD_RFC:
1202 #ifdef __APPLE__
1203 case ISAKMP_NPTYPE_NATD_BADDRAFT:
1204 #endif
1205 if (pa->type == iph1->natt_options->payload_nat_d)
1206 {
1207 vchar_t *natd_received = NULL;
1208 int natd_verified;
1209
1210 if (isakmp_p2ph (&natd_received, pa->ptr) < 0)
1211 goto end;
1212
1213 if (natd_seq == 0)
1214 iph1->natt_flags |= NAT_DETECTED;
1215
1216 natd_verified = natt_compare_addr_hash (iph1,
1217 natd_received, natd_seq++);
1218
1219 plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n",
1220 natd_seq - 1,
1221 natd_verified ? "verified" : "doesn't match");
1222
1223 vfree (natd_received);
1224 break;
1225 }
1226 /* %%%% Be lenient here - some servers send natd payloads */
1227 /* when no nat is detected */
1228 break;
1229 #endif
1230
1231 default:
1232 /* don't send information, see ident_r1recv() */
1233 plog(LLV_ERROR, LOCATION, iph1->remote,
1234 "ignore the packet, "
1235 "received unexpecting payload type %d.\n",
1236 pa->type);
1237 goto end;
1238 }
1239 }
1240
1241 /* generate DH public value */
1242 if (oakley_dh_generate(iph1->approval->dhgrp,
1243 &iph1->dhpub, &iph1->dhpriv) < 0)
1244 goto end;
1245
1246 /* compute sharing secret of DH */
1247 if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub,
1248 iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0)
1249 goto end;
1250
1251 /* generate SKEYID */
1252 if (oakley_skeyid(iph1) < 0)
1253 goto end;
1254
1255 #ifdef ENABLE_NATT
1256 if (NATT_AVAILABLE(iph1))
1257 plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n",
1258 iph1->natt_flags & NAT_DETECTED ?
1259 "detected:" : "not detected",
1260 iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "",
1261 iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : "");
1262 #endif
1263
1264 /* payload existency check */
1265 /* validate authentication value */
1266 ptype = oakley_validate_auth(iph1);
1267 if (ptype != 0) {
1268 if (ptype == -1) {
1269 /* message printed inner oakley_validate_auth() */
1270 goto end;
1271 }
1272 EVT_PUSH(iph1->local, iph1->remote,
1273 EVTT_PEERPH1AUTH_FAILED, NULL);
1274 isakmp_info_send_n1(iph1, ptype, NULL);
1275 goto end;
1276 }
1277
1278 iph1->status = PHASE1ST_MSG2RECEIVED;
1279
1280 error = 0;
1281
1282 end:
1283 if (pbuf)
1284 vfree(pbuf);
1285
1286 if (error) {
1287 VPTRINIT(iph1->dhpub_p);
1288 oakley_delcert(iph1->cert_p);
1289 iph1->cert_p = NULL;
1290 oakley_delcert(iph1->crl_p);
1291 iph1->crl_p = NULL;
1292 VPTRINIT(iph1->sig_p);
1293 }
1294
1295 return error;
1296 }
1297
1298 /*
1299 * send to initiator
1300 * psk: HDR, KE, HASH_R
1301 * sig: HDR, KE, [CERT,] SIG_R
1302 * rsa: HDR, KE, HASH_R
1303 * rev: HDR, <KE>_Ke_r, HASH_R
1304 */
1305 int
1306 base_r2send(iph1, msg)
1307 struct ph1handle *iph1;
1308 vchar_t *msg;
1309 {
1310 struct payload_list *plist = NULL;
1311 vchar_t *vid = NULL;
1312 int need_cert = 0;
1313 int error = -1;
1314
1315 /* validity check */
1316 if (iph1->status != PHASE1ST_MSG2RECEIVED) {
1317 plog(LLV_ERROR, LOCATION, NULL,
1318 "status mismatched %d.\n", iph1->status);
1319 goto end;
1320 }
1321
1322 /* generate HASH to send */
1323 plog(LLV_DEBUG, LOCATION, NULL, "generate HASH_I\n");
1324 switch (AUTHMETHOD(iph1)) {
1325 case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
1326 #ifdef ENABLE_HYBRID
1327 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
1328 #endif
1329 case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
1330 case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
1331 #ifdef ENABLE_HYBRID
1332 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
1333 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
1334 #endif
1335 iph1->hash = oakley_ph1hash_common(iph1, GENERATE);
1336 break;
1337 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
1338 case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
1339 #ifdef ENABLE_HYBRID
1340 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
1341 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
1342 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
1343 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
1344 #endif
1345 #ifdef HAVE_GSSAPI
1346 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
1347 #endif
1348 iph1->hash = oakley_ph1hash_base_r(iph1, GENERATE);
1349 break;
1350 default:
1351 plog(LLV_ERROR, LOCATION, NULL,
1352 "invalid authentication method %d\n",
1353 iph1->approval->authmethod);
1354 goto end;
1355 }
1356 if (iph1->hash == NULL)
1357 goto end;
1358
1359 switch (AUTHMETHOD(iph1)) {
1360 case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
1361 #ifdef ENABLE_HYBRID
1362 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
1363 #endif
1364 vid = set_vendorid(iph1->approval->vendorid);
1365
1366 /* create isakmp KE payload */
1367 plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE);
1368
1369 /* create isakmp HASH payload */
1370 plist = isakmp_plist_append(plist, iph1->hash, ISAKMP_NPTYPE_HASH);
1371
1372 /* append vendor id, if needed */
1373 if (vid)
1374 plist = isakmp_plist_append(plist, vid, ISAKMP_NPTYPE_VID);
1375 break;
1376 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
1377 case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
1378 #ifdef ENABLE_HYBRID
1379 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
1380 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
1381 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
1382 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
1383 #endif
1384 /* XXX if there is CR or not ? */
1385
1386 if (oakley_getmycert(iph1) < 0)
1387 goto end;
1388
1389 if (oakley_getsign(iph1) < 0)
1390 goto end;
1391
1392 if (iph1->cert && iph1->rmconf->send_cert)
1393 need_cert = 1;
1394
1395 /* create isakmp KE payload */
1396 plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE);
1397
1398 /* add CERT payload if there */
1399 if (need_cert)
1400 plist = isakmp_plist_append(plist, iph1->cert->pl, ISAKMP_NPTYPE_CERT);
1401 /* add SIG payload */
1402 plist = isakmp_plist_append(plist, iph1->sig, ISAKMP_NPTYPE_SIG);
1403 break;
1404 #ifdef HAVE_GSSAPI
1405 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
1406 /* ... */
1407 break;
1408 #endif
1409 case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
1410 case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
1411 #ifdef ENABLE_HYBRID
1412 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
1413 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
1414 #endif
1415 break;
1416 }
1417
1418 #ifdef ENABLE_NATT
1419 /* generate NAT-D payloads */
1420 if (NATT_AVAILABLE(iph1)) {
1421 vchar_t *natd[2] = { NULL, NULL };
1422
1423 plog (LLV_INFO, LOCATION, NULL, "Adding remote and local NAT-D payloads.\n");
1424 if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) {
1425 plog(LLV_ERROR, LOCATION, NULL,
1426 "NAT-D hashing failed for %s\n", saddr2str(iph1->remote));
1427 goto end;
1428 }
1429
1430 if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) {
1431 plog(LLV_ERROR, LOCATION, NULL,
1432 "NAT-D hashing failed for %s\n", saddr2str(iph1->local));
1433 goto end;
1434 }
1435
1436 #ifdef __APPLE__
1437 /* old Apple version sends natd payloads in the wrong order */
1438 if (iph1->natt_options->version == VENDORID_NATT_APPLE) {
1439 plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
1440 plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
1441 } else
1442 #endif
1443 {
1444 plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
1445 plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
1446 }
1447 }
1448 #endif
1449
1450 iph1->sendbuf = isakmp_plist_set_all(&plist, iph1);
1451
1452 #ifdef HAVE_PRINT_ISAKMP_C
1453 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
1454 #endif
1455
1456 /* send HDR;KE;NONCE to responder */
1457 if (isakmp_send(iph1, iph1->sendbuf) < 0)
1458 goto end;
1459
1460 /* the sending message is added to the received-list. */
1461 if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
1462 PH1_NON_ESP_EXTRA_LEN(iph1)) == -1) {
1463 plog(LLV_ERROR , LOCATION, NULL,
1464 "failed to add a response packet to the tree.\n");
1465 goto end;
1466 }
1467
1468 /* generate SKEYIDs & IV & final cipher key */
1469 if (oakley_skeyid_dae(iph1) < 0)
1470 goto end;
1471 if (oakley_compute_enckey(iph1) < 0)
1472 goto end;
1473 if (oakley_newiv(iph1) < 0)
1474 goto end;
1475
1476 /* set encryption flag */
1477 iph1->flags |= ISAKMP_FLAG_E;
1478
1479 iph1->status = PHASE1ST_ESTABLISHED;
1480
1481 error = 0;
1482
1483 end:
1484 if (vid)
1485 vfree(vid);
1486 return error;
1487 }
mirror of ipsec