]> git.saurik.com Git - apple/ipsec.git/blob - ipsec-tools/racoon/isakmp_base.c
projects / apple / ipsec.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
ipsec-146.2.tar.gz
[apple/ipsec.git] / ipsec-tools / racoon / isakmp_base.c
1 /* $NetBSD: isakmp_base.c,v 1.7 2006/10/02 21:51:33 manu Exp $ */
2
3 /* $KAME: isakmp_base.c,v 1.49 2003/11/13 02:30:20 sakane Exp $ */
4
5 /*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 /* Base Exchange (Base Mode) */
35
36 #include "config.h"
37
38 #include <sys/types.h>
39 #include <sys/param.h>
40
41 #include <stdlib.h>
42 #include <stdio.h>
43 #include <string.h>
44 #include <errno.h>
45 #if TIME_WITH_SYS_TIME
46 # include <sys/time.h>
47 # include <time.h>
48 #else
49 # if HAVE_SYS_TIME_H
50 # include <sys/time.h>
51 # else
52 # include <time.h>
53 # endif
54 #endif
55
56 #include "var.h"
57 #include "misc.h"
58 #include "vmbuf.h"
59 #include "plog.h"
60 #include "sockmisc.h"
61 #include "schedule.h"
62 #include "debug.h"
63
64 #ifdef ENABLE_HYBRID
65 #include <resolv.h>
66 #endif
67
68 #include "localconf.h"
69 #include "remoteconf.h"
70 #include "isakmp_var.h"
71 #include "isakmp.h"
72 #include "evt.h"
73 #include "oakley.h"
74 #include "handler.h"
75 #include "ipsec_doi.h"
76 #include "crypto_openssl.h"
77 #include "pfkey.h"
78 #include "isakmp_base.h"
79 #include "isakmp_inf.h"
80 #include "vendorid.h"
81 #ifdef ENABLE_NATT
82 #include "nattraversal.h"
83 #endif
84 #ifdef ENABLE_FRAG
85 #include "isakmp_frag.h"
86 #endif
87 #ifdef ENABLE_HYBRID
88 #include "isakmp_xauth.h"
89 #include "isakmp_cfg.h"
90 #endif
91 #include "vpn_control.h"
92 #include "vpn_control_var.h"
93 #ifndef HAVE_OPENSSL
94 #include <Security/SecDH.h>
95 #endif
96
97 /* %%%
98 * begin Identity Protection Mode as initiator.
99 */
100 /*
101 * send to responder
102 * psk: HDR, SA, Idii, Ni_b
103 * sig: HDR, SA, Idii, Ni_b
104 * rsa: HDR, SA, [HASH(1),] <IDii_b>Pubkey_r, <Ni_b>Pubkey_r
105 * rev: HDR, SA, [HASH(1),] <Ni_b>Pubkey_r, <IDii_b>Ke_i
106 */
107 int
108 base_i1send(iph1, msg)
109 struct ph1handle *iph1;
110 vchar_t *msg; /* must be null */
111 {
112 struct payload_list *plist = NULL;
113 int error = -1;
114 #ifdef ENABLE_NATT
115 vchar_t *vid_natt[MAX_NATT_VID_COUNT] = { NULL };
116 int i, vid_natt_i = 0;
117 #endif
118 #ifdef ENABLE_FRAG
119 vchar_t *vid_frag = NULL;
120 #endif
121 #ifdef ENABLE_HYBRID
122 vchar_t *vid_xauth = NULL;
123 vchar_t *vid_unity = NULL;
124 #endif
125 #ifdef ENABLE_DPD
126 vchar_t *vid_dpd = NULL;
127 #endif
128
129
130 /* validity check */
131 if (msg != NULL) {
132 plog(LLV_ERROR, LOCATION, NULL,
133 "msg has to be NULL in this function.\n");
134 goto end;
135 }
136 if (iph1->status != PHASE1ST_START) {
137 plog(LLV_ERROR, LOCATION, NULL,
138 "status mismatched %d.\n", iph1->status);
139 goto end;
140 }
141
142 /* create isakmp index */
143 memset(&iph1->index, 0, sizeof(iph1->index));
144 isakmp_newcookie((caddr_t)&iph1->index, iph1->remote, iph1->local);
145
146 /* make ID payload into isakmp status */
147 if (ipsecdoi_setid1(iph1) < 0)
148 goto end;
149
150 /* create SA payload for my proposal */
151 iph1->sa = ipsecdoi_setph1proposal(iph1->rmconf->proposal);
152 if (iph1->sa == NULL)
153 goto end;
154
155 /* generate NONCE value */
156 iph1->nonce = eay_set_random(iph1->rmconf->nonce_size);
157 if (iph1->nonce == NULL)
158 goto end;
159
160 #ifdef ENABLE_HYBRID
161 /* Do we need Xauth VID? */
162 switch (RMAUTHMETHOD(iph1)) {
163 case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
164 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
165 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
166 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
167 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
168 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
169 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
170 if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL)
171 plog(LLV_ERROR, LOCATION, NULL,
172 "Xauth vendor ID generation failed\n");
173
174 if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL)
175 plog(LLV_ERROR, LOCATION, NULL,
176 "Unity vendor ID generation failed\n");
177 break;
178 default:
179 break;
180 }
181 #endif
182 #ifdef ENABLE_FRAG
183 if (iph1->rmconf->ike_frag) {
184 vid_frag = set_vendorid(VENDORID_FRAG);
185 if (vid_frag != NULL)
186 vid_frag = isakmp_frag_addcap(vid_frag,
187 VENDORID_FRAG_BASE);
188 if (vid_frag == NULL)
189 plog(LLV_ERROR, LOCATION, NULL,
190 "Frag vendorID construction failed\n");
191 }
192 #endif
193 #ifdef ENABLE_NATT
194 /* Is NAT-T support allowed in the config file? */
195 if (iph1->rmconf->nat_traversal) {
196 /* Advertise NAT-T capability */
197 memset (vid_natt, 0, sizeof (vid_natt));
198 #ifdef VENDORID_NATT_00
199 if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_00)) != NULL)
200 vid_natt_i++;
201 #endif
202 #ifdef VENDORID_NATT_02
203 if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_02)) != NULL)
204 vid_natt_i++;
205 #endif
206 #ifdef VENDORID_NATT_02_N
207 if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_02_N)) != NULL)
208 vid_natt_i++;
209 #endif
210 #ifdef VENDORID_NATT_RFC
211 if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_RFC)) != NULL)
212 vid_natt_i++;
213 #endif
214 }
215 #endif
216
217 /* set SA payload to propose */
218 plist = isakmp_plist_append(plist, iph1->sa, ISAKMP_NPTYPE_SA);
219
220 /* create isakmp ID payload */
221 plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
222
223 /* create isakmp NONCE payload */
224 plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE);
225
226 #ifdef ENABLE_FRAG
227 if (vid_frag)
228 plist = isakmp_plist_append(plist, vid_frag, ISAKMP_NPTYPE_VID);
229 #endif
230 #ifdef ENABLE_HYBRID
231 if (vid_xauth)
232 plist = isakmp_plist_append(plist,
233 vid_xauth, ISAKMP_NPTYPE_VID);
234 if (vid_unity)
235 plist = isakmp_plist_append(plist,
236 vid_unity, ISAKMP_NPTYPE_VID);
237 #endif
238 #ifdef ENABLE_DPD
239 if (iph1->rmconf->dpd) {
240 vid_dpd = set_vendorid(VENDORID_DPD);
241 if (vid_dpd != NULL)
242 plist = isakmp_plist_append(plist, vid_dpd, ISAKMP_NPTYPE_VID);
243 }
244 #endif
245 #ifdef ENABLE_NATT
246 /* set VID payload for NAT-T */
247 for (i = 0; i < vid_natt_i; i++)
248 plist = isakmp_plist_append(plist, vid_natt[i], ISAKMP_NPTYPE_VID);
249 #endif
250 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
251
252
253 #ifdef HAVE_PRINT_ISAKMP_C
254 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
255 #endif
256
257 /* send the packet, add to the schedule to resend */
258 iph1->retry_counter = iph1->rmconf->retry_counter;
259 if (isakmp_ph1resend(iph1) == -1)
260 goto end;
261
262 iph1->status = PHASE1ST_MSG1SENT;
263
264 error = 0;
265
266 end:
267 #ifdef ENABLE_FRAG
268 if (vid_frag)
269 vfree(vid_frag);
270 #endif
271 #ifdef ENABLE_NATT
272 for (i = 0; i < vid_natt_i; i++)
273 vfree(vid_natt[i]);
274 #endif
275 #ifdef ENABLE_HYBRID
276 if (vid_xauth != NULL)
277 vfree(vid_xauth);
278 if (vid_unity != NULL)
279 vfree(vid_unity);
280 #endif
281 #ifdef ENABLE_DPD
282 if (vid_dpd != NULL)
283 vfree(vid_dpd);
284 #endif
285
286 return error;
287 }
288
289 /*
290 * receive from responder
291 * psk: HDR, SA, Idir, Nr_b
292 * sig: HDR, SA, Idir, Nr_b, [ CR ]
293 * rsa: HDR, SA, <IDir_b>PubKey_i, <Nr_b>PubKey_i
294 * rev: HDR, SA, <Nr_b>PubKey_i, <IDir_b>Ke_r
295 */
296 int
297 base_i2recv(iph1, msg)
298 struct ph1handle *iph1;
299 vchar_t *msg;
300 {
301 vchar_t *pbuf = NULL;
302 struct isakmp_parse_t *pa;
303 vchar_t *satmp = NULL;
304 int error = -1;
305 int vid_numeric;
306 #ifdef ENABLE_HYBRID
307 vchar_t *unity_vid;
308 vchar_t *xauth_vid;
309 #endif
310
311 /* validity check */
312 if (iph1->status != PHASE1ST_MSG1SENT) {
313 plog(LLV_ERROR, LOCATION, NULL,
314 "status mismatched %d.\n", iph1->status);
315 goto end;
316 }
317
318 /* validate the type of next payload */
319 pbuf = isakmp_parse(msg);
320 if (pbuf == NULL)
321 goto end;
322 pa = (struct isakmp_parse_t *)pbuf->v;
323
324 /* SA payload is fixed postion */
325 if (pa->type != ISAKMP_NPTYPE_SA) {
326 plog(LLV_ERROR, LOCATION, iph1->remote,
327 "received invalid next payload type %d, "
328 "expecting %d.\n",
329 pa->type, ISAKMP_NPTYPE_SA);
330 goto end;
331 }
332 if (isakmp_p2ph(&satmp, pa->ptr) < 0)
333 goto end;
334 pa++;
335
336 for (/*nothing*/;
337 pa->type != ISAKMP_NPTYPE_NONE;
338 pa++) {
339
340 switch (pa->type) {
341 case ISAKMP_NPTYPE_NONCE:
342 if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0)
343 goto end;
344 break;
345 case ISAKMP_NPTYPE_ID:
346 if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0)
347 goto end;
348 break;
349 case ISAKMP_NPTYPE_VID:
350 vid_numeric = check_vendorid(pa->ptr);
351 #ifdef ENABLE_NATT
352 if (iph1->rmconf->nat_traversal && natt_vendorid(vid_numeric))
353 natt_handle_vendorid(iph1, vid_numeric);
354 #endif
355 #ifdef ENABLE_HYBRID
356 switch (vid_numeric) {
357 case VENDORID_XAUTH:
358 iph1->mode_cfg->flags |=
359 ISAKMP_CFG_VENDORID_XAUTH;
360 break;
361
362 case VENDORID_UNITY:
363 iph1->mode_cfg->flags |=
364 ISAKMP_CFG_VENDORID_UNITY;
365 break;
366
367 default:
368 break;
369 }
370 #endif
371 #ifdef ENABLE_DPD
372 if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd) {
373 iph1->dpd_support=1;
374 plog(LLV_DEBUG, LOCATION, NULL,
375 "remote supports DPD\n");
376 }
377 #endif
378 #ifdef ENABLE_FRAG
379 if ((vid_numeric == VENDORID_FRAG) &&
380 (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_BASE)) {
381 plog(LLV_DEBUG, LOCATION, NULL,
382 "remote supports FRAGMENTATION\n");
383 iph1->frag = 1;
384 }
385 #endif
386 break;
387 default:
388 /* don't send information, see ident_r1recv() */
389 plog(LLV_ERROR, LOCATION, iph1->remote,
390 "ignore the packet, "
391 "received unexpecting payload type %d.\n",
392 pa->type);
393 goto end;
394 }
395 }
396
397 if (iph1->nonce_p == NULL || iph1->id_p == NULL) {
398 plog(LLV_ERROR, LOCATION, iph1->remote,
399 "few isakmp message received.\n");
400 goto end;
401 }
402
403 /* verify identifier */
404 if (ipsecdoi_checkid1(iph1) != 0) {
405 plog(LLV_ERROR, LOCATION, iph1->remote,
406 "invalid ID payload.\n");
407 goto end;
408 }
409
410 #ifdef ENABLE_NATT
411 if (NATT_AVAILABLE(iph1)) {
412 plog(LLV_INFO, LOCATION, iph1->remote,
413 "Selected NAT-T version: %s\n",
414 vid_string_by_id(iph1->natt_options->version));
415 ike_session_update_natt_version(iph1);
416 }
417 #endif
418
419 /* check SA payload and set approval SA for use */
420 if (ipsecdoi_checkph1proposal(satmp, iph1) < 0) {
421 plog(LLV_ERROR, LOCATION, iph1->remote,
422 "failed to get valid proposal.\n");
423 /* XXX send information */
424 goto end;
425 }
426 VPTRINIT(iph1->sa_ret);
427
428 iph1->status = PHASE1ST_MSG2RECEIVED;
429
430 #ifdef ENABLE_VPNCONTROL_PORT
431 vpncontrol_notify_phase_change(1, FROM_REMOTE, iph1, NULL);
432 #endif
433
434 error = 0;
435
436 end:
437 if (pbuf)
438 vfree(pbuf);
439 if (satmp)
440 vfree(satmp);
441
442 if (error) {
443 VPTRINIT(iph1->nonce_p);
444 VPTRINIT(iph1->id_p);
445 }
446
447 return error;
448 }
449
450 /*
451 * send to responder
452 * psk: HDR, KE, HASH_I
453 * sig: HDR, KE, [ CR, ] [CERT,] SIG_I
454 * rsa: HDR, KE, HASH_I
455 * rev: HDR, <KE>Ke_i, HASH_I
456 */
457 int
458 base_i2send(iph1, msg)
459 struct ph1handle *iph1;
460 vchar_t *msg;
461 {
462 struct payload_list *plist = NULL;
463 vchar_t *vid = NULL;
464 int need_cert = 0;
465 int error = -1;
466
467 /* validity check */
468 if (iph1->status != PHASE1ST_MSG2RECEIVED) {
469 plog(LLV_ERROR, LOCATION, NULL,
470 "status mismatched %d.\n", iph1->status);
471 goto end;
472 }
473
474 /* fix isakmp index */
475 memcpy(&iph1->index.r_ck, &((struct isakmp *)msg->v)->r_ck,
476 sizeof(cookie_t));
477
478 /* generate DH public value */
479 #ifdef HAVE_OPENSSL
480 if (oakley_dh_generate(iph1->approval->dhgrp,
481 &iph1->dhpub, &iph1->dhpriv) < 0)
482 #else
483 if (oakley_dh_generate(iph1->approval->dhgrp,
484 &iph1->dhpub, &iph1->publicKeySize, &iph1->dhC) < 0)
485 #endif
486 goto end;
487
488 /* generate SKEYID to compute hash if not signature mode */
489 switch (AUTHMETHOD(iph1)) {
490 case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
491 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
492 #ifdef ENABLE_HYBRID
493 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I:
494 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
495 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
496 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
497 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
498 #endif
499 break;
500 default:
501 if (oakley_skeyid(iph1) < 0)
502 goto end;
503 break;
504 }
505
506 /* generate HASH to send */
507 plog(LLV_DEBUG, LOCATION, NULL, "generate HASH_I\n");
508 iph1->hash = oakley_ph1hash_base_i(iph1, GENERATE);
509 if (iph1->hash == NULL)
510 goto end;
511 switch (AUTHMETHOD(iph1)) {
512 case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
513 #ifdef ENABLE_HYBRID
514 case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
515 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
516 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
517 #endif
518 vid = set_vendorid(iph1->approval->vendorid);
519
520 /* create isakmp KE payload */
521 plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE);
522
523 /* create isakmp HASH payload */
524 plist = isakmp_plist_append(plist, iph1->hash, ISAKMP_NPTYPE_HASH);
525
526 /* append vendor id, if needed */
527 if (vid)
528 plist = isakmp_plist_append(plist, vid, ISAKMP_NPTYPE_VID);
529 break;
530 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
531 case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
532 #ifdef ENABLE_HYBRID
533 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
534 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
535 #endif
536 /* XXX if there is CR or not ? */
537
538 if (oakley_getmycert(iph1) < 0)
539 goto end;
540
541 if (oakley_getsign(iph1) < 0)
542 goto end;
543
544 if (iph1->cert && iph1->rmconf->send_cert)
545 need_cert = 1;
546
547 /* create isakmp KE payload */
548 plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE);
549
550 /* add CERT payload if there */
551 if (need_cert)
552 plist = isakmp_plist_append(plist, iph1->cert->pl, ISAKMP_NPTYPE_CERT);
553
554 /* add SIG payload */
555 plist = isakmp_plist_append(plist, iph1->sig, ISAKMP_NPTYPE_SIG);
556 break;
557 #ifdef HAVE_GSSAPI
558 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
559 /* ... */
560 break;
561 #endif
562 case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
563 case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
564 #ifdef ENABLE_HYBRID
565 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
566 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
567 #endif
568 break;
569 }
570
571 #ifdef ENABLE_NATT
572 /* generate NAT-D payloads */
573 if (NATT_AVAILABLE(iph1))
574 {
575 vchar_t *natd[2] = { NULL, NULL };
576
577 plog (LLV_INFO, LOCATION, NULL, "Adding remote and local NAT-D payloads.\n");
578 if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) {
579 plog(LLV_ERROR, LOCATION, NULL,
580 "NAT-D hashing failed for %s\n", saddr2str(iph1->remote));
581 goto end;
582 }
583
584 if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) {
585 plog(LLV_ERROR, LOCATION, NULL,
586 "NAT-D hashing failed for %s\n", saddr2str(iph1->local));
587 goto end;
588 }
589
590 /* old Apple version sends natd payloads in the wrong order */
591 if (iph1->natt_options->version == VENDORID_NATT_APPLE) {
592 plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
593 plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
594 } else
595 {
596 plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
597 plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
598 }
599 }
600 #endif
601
602 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
603
604 #ifdef HAVE_PRINT_ISAKMP_C
605 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
606 #endif
607
608 /* send the packet, add to the schedule to resend */
609 iph1->retry_counter = iph1->rmconf->retry_counter;
610 if (isakmp_ph1resend(iph1) == -1)
611 goto end;
612
613 /* the sending message is added to the received-list. */
614 if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
615 PH1_NON_ESP_EXTRA_LEN(iph1), PH1_FRAG_FLAGS(iph1)) == -1) {
616 plog(LLV_ERROR , LOCATION, NULL,
617 "failed to add a response packet to the tree.\n");
618 goto end;
619 }
620
621 iph1->status = PHASE1ST_MSG2SENT;
622
623 error = 0;
624
625 end:
626 if (vid)
627 vfree(vid);
628 return error;
629 }
630
631 /*
632 * receive from responder
633 * psk: HDR, KE, HASH_R
634 * sig: HDR, KE, [CERT,] SIG_R
635 * rsa: HDR, KE, HASH_R
636 * rev: HDR, <KE>_Ke_r, HASH_R
637 */
638 int
639 base_i3recv(iph1, msg)
640 struct ph1handle *iph1;
641 vchar_t *msg;
642 {
643 vchar_t *pbuf = NULL;
644 struct isakmp_parse_t *pa;
645 int error = -1;
646 int ptype;
647 #ifdef ENABLE_NATT
648 vchar_t *natd_received;
649 int natd_seq = 0, natd_verified;
650 #endif
651 int received_cert = 0;
652
653 /* validity check */
654 if (iph1->status != PHASE1ST_MSG2SENT) {
655 plog(LLV_ERROR, LOCATION, NULL,
656 "status mismatched %d.\n", iph1->status);
657 goto end;
658 }
659
660 /* validate the type of next payload */
661 pbuf = isakmp_parse(msg);
662 if (pbuf == NULL)
663 goto end;
664
665 for (pa = (struct isakmp_parse_t *)pbuf->v;
666 pa->type != ISAKMP_NPTYPE_NONE;
667 pa++) {
668
669 switch (pa->type) {
670 case ISAKMP_NPTYPE_KE:
671 if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0)
672 goto end;
673 break;
674 case ISAKMP_NPTYPE_HASH:
675 iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr;
676 break;
677 case ISAKMP_NPTYPE_CERT:
678 if (oakley_savecert(iph1, pa->ptr) < 0)
679 goto end;
680 received_cert = 1;
681 break;
682 case ISAKMP_NPTYPE_SIG:
683 if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0)
684 goto end;
685 break;
686 case ISAKMP_NPTYPE_VID:
687 (void)check_vendorid(pa->ptr);
688 break;
689
690 #ifdef ENABLE_NATT
691 case ISAKMP_NPTYPE_NATD_DRAFT:
692 case ISAKMP_NPTYPE_NATD_RFC:
693 case ISAKMP_NPTYPE_NATD_BADDRAFT:
694 if (NATT_AVAILABLE(iph1) && iph1->natt_options &&
695 pa->type == iph1->natt_options->payload_nat_d) {
696 natd_received = NULL;
697 if (isakmp_p2ph (&natd_received, pa->ptr) < 0)
698 goto end;
699
700 /* set both bits first so that we can clear them
701 upon verifying hashes */
702 if (natd_seq == 0)
703 iph1->natt_flags |= NAT_DETECTED;
704
705 /* this function will clear appropriate bits bits
706 from iph1->natt_flags */
707 natd_verified = natt_compare_addr_hash (iph1,
708 natd_received, natd_seq++);
709
710 plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n",
711 natd_seq - 1,
712 natd_verified ? "verified" : "doesn't match");
713
714 vfree (natd_received);
715 break;
716 }
717 /* %%%% Be lenient here - some servers send natd payloads */
718 /* when no nat is detected */
719 break;
720 #endif
721
722 default:
723 /* don't send information, see ident_r1recv() */
724 plog(LLV_ERROR, LOCATION, iph1->remote,
725 "ignore the packet, "
726 "received unexpecting payload type %d.\n",
727 pa->type);
728 goto end;
729 }
730 }
731
732 #ifdef ENABLE_NATT
733 if (NATT_AVAILABLE(iph1)) {
734 plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n",
735 iph1->natt_flags & NAT_DETECTED ?
736 "detected:" : "not detected",
737 iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "",
738 iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : "");
739 if (iph1->natt_flags & NAT_DETECTED)
740 natt_float_ports (iph1);
741 }
742 #endif
743
744 if (received_cert) {
745 oakley_verify_certid(iph1);
746 }
747
748 /* payload existency check */
749 /* validate authentication value */
750 ptype = oakley_validate_auth(iph1);
751 if (ptype != 0) {
752 if (ptype == -1) {
753 /* message printed inner oakley_validate_auth() */
754 goto end;
755 }
756 EVT_PUSH(iph1->local, iph1->remote,
757 EVTT_PEERPH1AUTH_FAILED, NULL);
758 isakmp_info_send_n1(iph1, ptype, NULL);
759 goto end;
760 }
761
762 /* compute sharing secret of DH */
763 #ifdef HAVE_OPENSSL
764 if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub,
765 iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0)
766 #else
767 if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub_p, iph1->publicKeySize, &iph1->dhgxy, iph1->dhC) < 0)
768 #endif
769 goto end;
770
771 /* generate SKEYID to compute hash if signature mode */
772 switch (AUTHMETHOD(iph1)) {
773 case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
774 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
775 #ifdef ENABLE_HYBRID
776 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I:
777 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
778 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
779 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
780 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
781 #endif
782 if (oakley_skeyid(iph1) < 0)
783 goto end;
784 break;
785 default:
786 break;
787 }
788
789 /* generate SKEYIDs & IV & final cipher key */
790 if (oakley_skeyid_dae(iph1) < 0)
791 goto end;
792 if (oakley_compute_enckey(iph1) < 0)
793 goto end;
794 if (oakley_newiv(iph1) < 0)
795 goto end;
796
797 /* see handler.h about IV synchronization. */
798 memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->iv->l);
799
800 /* set encryption flag */
801 iph1->flags |= ISAKMP_FLAG_E;
802
803 iph1->status = PHASE1ST_MSG3RECEIVED;
804
805 error = 0;
806
807 end:
808 if (pbuf)
809 vfree(pbuf);
810
811 if (error) {
812 VPTRINIT(iph1->dhpub_p);
813 oakley_delcert(iph1->cert_p);
814 iph1->cert_p = NULL;
815 oakley_delcert(iph1->crl_p);
816 iph1->crl_p = NULL;
817 VPTRINIT(iph1->sig_p);
818 }
819
820 return error;
821 }
822
823 /*
824 * status update and establish isakmp sa.
825 */
826 int
827 base_i3send(iph1, msg)
828 struct ph1handle *iph1;
829 vchar_t *msg;
830 {
831 int error = -1;
832
833 /* validity check */
834 if (iph1->status != PHASE1ST_MSG3RECEIVED) {
835 plog(LLV_ERROR, LOCATION, NULL,
836 "status mismatched %d.\n", iph1->status);
837 goto end;
838 }
839
840 iph1->status = PHASE1ST_ESTABLISHED;
841
842 error = 0;
843
844 end:
845 return error;
846 }
847
848 /*
849 * receive from initiator
850 * psk: HDR, SA, Idii, Ni_b
851 * sig: HDR, SA, Idii, Ni_b
852 * rsa: HDR, SA, [HASH(1),] <IDii_b>Pubkey_r, <Ni_b>Pubkey_r
853 * rev: HDR, SA, [HASH(1),] <Ni_b>Pubkey_r, <IDii_b>Ke_i
854 */
855 int
856 base_r1recv(iph1, msg)
857 struct ph1handle *iph1;
858 vchar_t *msg;
859 {
860 vchar_t *pbuf = NULL;
861 struct isakmp_parse_t *pa;
862 int error = -1;
863 int vid_numeric;
864
865 /* validity check */
866 if (iph1->status != PHASE1ST_START) {
867 plog(LLV_ERROR, LOCATION, NULL,
868 "status mismatched %d.\n", iph1->status);
869 goto end;
870 }
871
872 /* validate the type of next payload */
873 /*
874 * NOTE: XXX even if multiple VID, we'll silently ignore those.
875 */
876 pbuf = isakmp_parse(msg);
877 if (pbuf == NULL)
878 goto end;
879 pa = (struct isakmp_parse_t *)pbuf->v;
880
881 /* check the position of SA payload */
882 if (pa->type != ISAKMP_NPTYPE_SA) {
883 plog(LLV_ERROR, LOCATION, iph1->remote,
884 "received invalid next payload type %d, "
885 "expecting %d.\n",
886 pa->type, ISAKMP_NPTYPE_SA);
887 goto end;
888 }
889 if (isakmp_p2ph(&iph1->sa, pa->ptr) < 0)
890 goto end;
891 pa++;
892
893 for (/*nothing*/;
894 pa->type != ISAKMP_NPTYPE_NONE;
895 pa++) {
896
897 switch (pa->type) {
898 case ISAKMP_NPTYPE_NONCE:
899 if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0)
900 goto end;
901 break;
902 case ISAKMP_NPTYPE_ID:
903 if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0)
904 goto end;
905 break;
906 case ISAKMP_NPTYPE_VID:
907 vid_numeric = check_vendorid(pa->ptr);
908 #ifdef ENABLE_NATT
909 if (iph1->rmconf->nat_traversal && natt_vendorid(vid_numeric))
910 natt_handle_vendorid(iph1, vid_numeric);
911 #endif
912 #ifdef ENABLE_HYBRID
913 switch (vid_numeric) {
914 case VENDORID_XAUTH:
915 iph1->mode_cfg->flags |=
916 ISAKMP_CFG_VENDORID_XAUTH;
917 break;
918
919 case VENDORID_UNITY:
920 iph1->mode_cfg->flags |=
921 ISAKMP_CFG_VENDORID_UNITY;
922 break;
923
924 default:
925 break;
926 }
927 #endif
928 #ifdef ENABLE_DPD
929 if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd) {
930 iph1->dpd_support=1;
931 plog(LLV_DEBUG, LOCATION, NULL,
932 "remote supports DPD\n");
933 }
934 #endif
935 #ifdef ENABLE_FRAG
936 if ((vid_numeric == VENDORID_FRAG) &&
937 (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_BASE)) {
938 plog(LLV_DEBUG, LOCATION, NULL,
939 "remote supports FRAGMENTATION\n");
940 iph1->frag = 1;
941 }
942 #endif
943 break;
944 default:
945 /* don't send information, see ident_r1recv() */
946 plog(LLV_ERROR, LOCATION, iph1->remote,
947 "ignore the packet, "
948 "received unexpecting payload type %d.\n",
949 pa->type);
950 goto end;
951 }
952 }
953
954 if (iph1->nonce_p == NULL || iph1->id_p == NULL) {
955 plog(LLV_ERROR, LOCATION, iph1->remote,
956 "few isakmp message received.\n");
957 goto end;
958 }
959
960 /* verify identifier */
961 if (ipsecdoi_checkid1(iph1) != 0) {
962 plog(LLV_ERROR, LOCATION, iph1->remote,
963 "invalid ID payload.\n");
964 goto end;
965 }
966
967 #ifdef ENABLE_NATT
968 if (NATT_AVAILABLE(iph1)) {
969 plog(LLV_INFO, LOCATION, iph1->remote,
970 "Selected NAT-T version: %s\n",
971 vid_string_by_id(iph1->natt_options->version));
972 ike_session_update_natt_version(iph1);
973 }
974 #endif
975
976 /* check SA payload and set approval SA for use */
977 if (ipsecdoi_checkph1proposal(iph1->sa, iph1) < 0) {
978 plog(LLV_ERROR, LOCATION, iph1->remote,
979 "failed to get valid proposal.\n");
980 /* XXX send information */
981 goto end;
982 }
983
984 iph1->status = PHASE1ST_MSG1RECEIVED;
985
986 error = 0;
987
988 end:
989 if (pbuf)
990 vfree(pbuf);
991
992 if (error) {
993 VPTRINIT(iph1->sa);
994 VPTRINIT(iph1->nonce_p);
995 VPTRINIT(iph1->id_p);
996 }
997
998 return error;
999 }
1000
1001 /*
1002 * send to initiator
1003 * psk: HDR, SA, Idir, Nr_b
1004 * sig: HDR, SA, Idir, Nr_b, [ CR ]
1005 * rsa: HDR, SA, <IDir_b>PubKey_i, <Nr_b>PubKey_i
1006 * rev: HDR, SA, <Nr_b>PubKey_i, <IDir_b>Ke_r
1007 */
1008 int
1009 base_r1send(iph1, msg)
1010 struct ph1handle *iph1;
1011 vchar_t *msg;
1012 {
1013 struct payload_list *plist = NULL;
1014 int error = -1;
1015 #ifdef ENABLE_NATT
1016 vchar_t *vid_natt = NULL;
1017 #endif
1018 #ifdef ENABLE_HYBRID
1019 vchar_t *vid_xauth = NULL;
1020 vchar_t *vid_unity = NULL;
1021 #endif
1022 #ifdef ENABLE_FRAG
1023 vchar_t *vid_frag = NULL;
1024 #endif
1025 #ifdef ENABLE_DPD
1026 vchar_t *vid_dpd = NULL;
1027 #endif
1028
1029 /* validity check */
1030 if (iph1->status != PHASE1ST_MSG1RECEIVED) {
1031 plog(LLV_ERROR, LOCATION, NULL,
1032 "status mismatched %d.\n", iph1->status);
1033 goto end;
1034 }
1035
1036 /* set responder's cookie */
1037 isakmp_newcookie((caddr_t)&iph1->index.r_ck, iph1->remote, iph1->local);
1038
1039 /* make ID payload into isakmp status */
1040 if (ipsecdoi_setid1(iph1) < 0)
1041 goto end;
1042
1043 /* generate NONCE value */
1044 iph1->nonce = eay_set_random(iph1->rmconf->nonce_size);
1045 if (iph1->nonce == NULL)
1046 goto end;
1047
1048 /* set SA payload to reply */
1049 plist = isakmp_plist_append(plist, iph1->sa_ret, ISAKMP_NPTYPE_SA);
1050
1051 /* create isakmp ID payload */
1052 plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
1053
1054 /* create isakmp NONCE payload */
1055 plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE);
1056
1057 #ifdef ENABLE_NATT
1058 /* has the peer announced nat-t? */
1059 if (NATT_AVAILABLE(iph1))
1060 vid_natt = set_vendorid(iph1->natt_options->version);
1061 if (vid_natt)
1062 plist = isakmp_plist_append(plist, vid_natt, ISAKMP_NPTYPE_VID);
1063 #endif
1064 #ifdef ENABLE_HYBRID
1065 if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) {
1066 plog (LLV_INFO, LOCATION, NULL, "Adding xauth VID payload.\n");
1067 if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL) {
1068 plog(LLV_ERROR, LOCATION, NULL,
1069 "Cannot create Xauth vendor ID\n");
1070 goto end;
1071 }
1072 plist = isakmp_plist_append(plist,
1073 vid_xauth, ISAKMP_NPTYPE_VID);
1074 }
1075
1076 if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_UNITY) {
1077 if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL) {
1078 plog(LLV_ERROR, LOCATION, NULL,
1079 "Cannot create Unity vendor ID\n");
1080 goto end;
1081 }
1082 plist = isakmp_plist_append(plist,
1083 vid_unity, ISAKMP_NPTYPE_VID);
1084 }
1085 #endif
1086 #ifdef ENABLE_DPD
1087 /*
1088 * Only send DPD support if remote announced DPD
1089 * and if DPD support is active
1090 */
1091 if (iph1->dpd_support && iph1->rmconf->dpd) {
1092 if ((vid_dpd = set_vendorid(VENDORID_DPD)) == NULL) {
1093 plog(LLV_ERROR, LOCATION, NULL,
1094 "DPD vendorID construction failed\n");
1095 } else {
1096 plist = isakmp_plist_append(plist, vid_dpd,
1097 ISAKMP_NPTYPE_VID);
1098 }
1099 }
1100 #endif
1101 #ifdef ENABLE_FRAG
1102 if (iph1->rmconf->ike_frag) {
1103 if ((vid_frag = set_vendorid(VENDORID_FRAG)) == NULL) {
1104 plog(LLV_ERROR, LOCATION, NULL,
1105 "Frag vendorID construction failed\n");
1106 } else {
1107 vid_frag = isakmp_frag_addcap(vid_frag,
1108 VENDORID_FRAG_BASE);
1109 plist = isakmp_plist_append(plist,
1110 vid_frag, ISAKMP_NPTYPE_VID);
1111 }
1112 }
1113 #endif
1114
1115 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
1116
1117 #ifdef HAVE_PRINT_ISAKMP_C
1118 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
1119 #endif
1120
1121 /* send the packet, add to the schedule to resend */
1122 iph1->retry_counter = iph1->rmconf->retry_counter;
1123 if (isakmp_ph1resend(iph1) == -1) {
1124 iph1 = NULL;
1125 goto end;
1126 }
1127
1128 /* the sending message is added to the received-list. */
1129 if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
1130 PH1_NON_ESP_EXTRA_LEN(iph1), PH1_FRAG_FLAGS(iph1)) == -1) {
1131 plog(LLV_ERROR , LOCATION, NULL,
1132 "failed to add a response packet to the tree.\n");
1133 goto end;
1134 }
1135
1136 iph1->status = PHASE1ST_MSG1SENT;
1137
1138 #ifdef ENABLE_VPNCONTROL_PORT
1139 vpncontrol_notify_phase_change(1, FROM_LOCAL, iph1, NULL);
1140 #endif
1141
1142 error = 0;
1143
1144 end:
1145 #ifdef ENABLE_NATT
1146 if (vid_natt)
1147 vfree(vid_natt);
1148 #endif
1149 #ifdef ENABLE_HYBRID
1150 if (vid_xauth != NULL)
1151 vfree(vid_xauth);
1152 if (vid_unity != NULL)
1153 vfree(vid_unity);
1154 #endif
1155 #ifdef ENABLE_FRAG
1156 if (vid_frag)
1157 vfree(vid_frag);
1158 #endif
1159 #ifdef ENABLE_DPD
1160 if (vid_dpd)
1161 vfree(vid_dpd);
1162 #endif
1163
1164 if (iph1 != NULL)
1165 VPTRINIT(iph1->sa_ret);
1166
1167 return error;
1168 }
1169
1170 /*
1171 * receive from initiator
1172 * psk: HDR, KE, HASH_I
1173 * sig: HDR, KE, [ CR, ] [CERT,] SIG_I
1174 * rsa: HDR, KE, HASH_I
1175 * rev: HDR, <KE>Ke_i, HASH_I
1176 */
1177 int
1178 base_r2recv(iph1, msg)
1179 struct ph1handle *iph1;
1180 vchar_t *msg;
1181 {
1182 vchar_t *pbuf = NULL;
1183 struct isakmp_parse_t *pa;
1184 int error = -1;
1185 int ptype;
1186 #ifdef ENABLE_NATT
1187 int natd_seq = 0;
1188 #endif
1189 int received_cert = 0;
1190
1191 /* validity check */
1192 if (iph1->status != PHASE1ST_MSG1SENT) {
1193 plog(LLV_ERROR, LOCATION, NULL,
1194 "status mismatched %d.\n", iph1->status);
1195 goto end;
1196 }
1197
1198 /* validate the type of next payload */
1199 pbuf = isakmp_parse(msg);
1200 if (pbuf == NULL)
1201 goto end;
1202
1203 iph1->pl_hash = NULL;
1204
1205 for (pa = (struct isakmp_parse_t *)pbuf->v;
1206 pa->type != ISAKMP_NPTYPE_NONE;
1207 pa++) {
1208
1209 switch (pa->type) {
1210 case ISAKMP_NPTYPE_KE:
1211 if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0)
1212 goto end;
1213 break;
1214 case ISAKMP_NPTYPE_HASH:
1215 iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr;
1216 break;
1217 case ISAKMP_NPTYPE_CERT:
1218 if (oakley_savecert(iph1, pa->ptr) < 0)
1219 goto end;
1220 received_cert = 1;
1221 break;
1222 case ISAKMP_NPTYPE_SIG:
1223 if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0)
1224 goto end;
1225 break;
1226 case ISAKMP_NPTYPE_VID:
1227 (void)check_vendorid(pa->ptr);
1228 break;
1229
1230 #ifdef ENABLE_NATT
1231 case ISAKMP_NPTYPE_NATD_DRAFT:
1232 case ISAKMP_NPTYPE_NATD_RFC:
1233 case ISAKMP_NPTYPE_NATD_BADDRAFT:
1234 if (pa->type == iph1->natt_options->payload_nat_d)
1235 {
1236 vchar_t *natd_received = NULL;
1237 int natd_verified;
1238
1239 if (isakmp_p2ph (&natd_received, pa->ptr) < 0)
1240 goto end;
1241
1242 if (natd_seq == 0)
1243 iph1->natt_flags |= NAT_DETECTED;
1244
1245 natd_verified = natt_compare_addr_hash (iph1,
1246 natd_received, natd_seq++);
1247
1248 plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n",
1249 natd_seq - 1,
1250 natd_verified ? "verified" : "doesn't match");
1251
1252 vfree (natd_received);
1253 break;
1254 }
1255 /* %%%% Be lenient here - some servers send natd payloads */
1256 /* when no nat is detected */
1257 break;
1258 #endif
1259
1260 default:
1261 /* don't send information, see ident_r1recv() */
1262 plog(LLV_ERROR, LOCATION, iph1->remote,
1263 "ignore the packet, "
1264 "received unexpecting payload type %d.\n",
1265 pa->type);
1266 goto end;
1267 }
1268 }
1269
1270 if (received_cert) {
1271 oakley_verify_certid(iph1);
1272 }
1273
1274 /* generate DH public value */
1275 #ifdef HAVE_OPENSSL
1276 if (oakley_dh_generate(iph1->approval->dhgrp,
1277 &iph1->dhpub, &iph1->dhpriv) < 0)
1278 #else
1279 if (oakley_dh_generate(iph1->approval->dhgrp,
1280 &iph1->dhpub, &iph1->publicKeySize, &iph1->dhC) < 0)
1281 #endif
1282 goto end;
1283
1284 /* compute sharing secret of DH */
1285 #ifdef HAVE_OPENSSL
1286 if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub,
1287 iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0)
1288 #else
1289 if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub_p, iph1->publicKeySize, &iph1->dhgxy, iph1->dhC) < 0)
1290 #endif
1291 goto end;
1292
1293 /* generate SKEYID */
1294 if (oakley_skeyid(iph1) < 0)
1295 goto end;
1296
1297 #ifdef ENABLE_NATT
1298 if (NATT_AVAILABLE(iph1))
1299 plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n",
1300 iph1->natt_flags & NAT_DETECTED ?
1301 "detected:" : "not detected",
1302 iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "",
1303 iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : "");
1304 #endif
1305
1306 /* payload existency check */
1307 /* validate authentication value */
1308 ptype = oakley_validate_auth(iph1);
1309 if (ptype != 0) {
1310 if (ptype == -1) {
1311 /* message printed inner oakley_validate_auth() */
1312 goto end;
1313 }
1314 EVT_PUSH(iph1->local, iph1->remote,
1315 EVTT_PEERPH1AUTH_FAILED, NULL);
1316 isakmp_info_send_n1(iph1, ptype, NULL);
1317 goto end;
1318 }
1319
1320 iph1->status = PHASE1ST_MSG2RECEIVED;
1321
1322 error = 0;
1323
1324 end:
1325 if (pbuf)
1326 vfree(pbuf);
1327
1328 if (error) {
1329 VPTRINIT(iph1->dhpub_p);
1330 oakley_delcert(iph1->cert_p);
1331 iph1->cert_p = NULL;
1332 oakley_delcert(iph1->crl_p);
1333 iph1->crl_p = NULL;
1334 VPTRINIT(iph1->sig_p);
1335 }
1336
1337 return error;
1338 }
1339
1340 /*
1341 * send to initiator
1342 * psk: HDR, KE, HASH_R
1343 * sig: HDR, KE, [CERT,] SIG_R
1344 * rsa: HDR, KE, HASH_R
1345 * rev: HDR, <KE>_Ke_r, HASH_R
1346 */
1347 int
1348 base_r2send(iph1, msg)
1349 struct ph1handle *iph1;
1350 vchar_t *msg;
1351 {
1352 struct payload_list *plist = NULL;
1353 vchar_t *vid = NULL;
1354 int need_cert = 0;
1355 int error = -1;
1356
1357 /* validity check */
1358 if (iph1->status != PHASE1ST_MSG2RECEIVED) {
1359 plog(LLV_ERROR, LOCATION, NULL,
1360 "status mismatched %d.\n", iph1->status);
1361 goto end;
1362 }
1363
1364 /* generate HASH to send */
1365 plog(LLV_DEBUG, LOCATION, NULL, "generate HASH_I\n");
1366 switch (AUTHMETHOD(iph1)) {
1367 case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
1368 #ifdef ENABLE_HYBRID
1369 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
1370 #endif
1371 case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
1372 case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
1373 #ifdef ENABLE_HYBRID
1374 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
1375 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
1376 #endif
1377 iph1->hash = oakley_ph1hash_common(iph1, GENERATE);
1378 break;
1379 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
1380 case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
1381 #ifdef ENABLE_HYBRID
1382 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
1383 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
1384 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
1385 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
1386 #endif
1387 #ifdef HAVE_GSSAPI
1388 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
1389 #endif
1390 iph1->hash = oakley_ph1hash_base_r(iph1, GENERATE);
1391 break;
1392 default:
1393 plog(LLV_ERROR, LOCATION, NULL,
1394 "invalid authentication method %d\n",
1395 iph1->approval->authmethod);
1396 goto end;
1397 }
1398 if (iph1->hash == NULL)
1399 goto end;
1400
1401 switch (AUTHMETHOD(iph1)) {
1402 case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
1403 #ifdef ENABLE_HYBRID
1404 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
1405 #endif
1406 vid = set_vendorid(iph1->approval->vendorid);
1407
1408 /* create isakmp KE payload */
1409 plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE);
1410
1411 /* create isakmp HASH payload */
1412 plist = isakmp_plist_append(plist, iph1->hash, ISAKMP_NPTYPE_HASH);
1413
1414 /* append vendor id, if needed */
1415 if (vid)
1416 plist = isakmp_plist_append(plist, vid, ISAKMP_NPTYPE_VID);
1417 break;
1418 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
1419 case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
1420 #ifdef ENABLE_HYBRID
1421 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
1422 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
1423 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
1424 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
1425 #endif
1426 /* XXX if there is CR or not ? */
1427
1428 if (oakley_getmycert(iph1) < 0)
1429 goto end;
1430
1431 if (oakley_getsign(iph1) < 0)
1432 goto end;
1433
1434 if (iph1->cert && iph1->rmconf->send_cert)
1435 need_cert = 1;
1436
1437 /* create isakmp KE payload */
1438 plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE);
1439
1440 /* add CERT payload if there */
1441 if (need_cert)
1442 plist = isakmp_plist_append(plist, iph1->cert->pl, ISAKMP_NPTYPE_CERT);
1443 /* add SIG payload */
1444 plist = isakmp_plist_append(plist, iph1->sig, ISAKMP_NPTYPE_SIG);
1445 break;
1446 #ifdef HAVE_GSSAPI
1447 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
1448 /* ... */
1449 break;
1450 #endif
1451 case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
1452 case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
1453 #ifdef ENABLE_HYBRID
1454 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
1455 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
1456 #endif
1457 break;
1458 }
1459
1460 #ifdef ENABLE_NATT
1461 /* generate NAT-D payloads */
1462 if (NATT_AVAILABLE(iph1)) {
1463 vchar_t *natd[2] = { NULL, NULL };
1464
1465 plog (LLV_INFO, LOCATION, NULL, "Adding remote and local NAT-D payloads.\n");
1466 if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) {
1467 plog(LLV_ERROR, LOCATION, NULL,
1468 "NAT-D hashing failed for %s\n", saddr2str(iph1->remote));
1469 goto end;
1470 }
1471
1472 if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) {
1473 plog(LLV_ERROR, LOCATION, NULL,
1474 "NAT-D hashing failed for %s\n", saddr2str(iph1->local));
1475 goto end;
1476 }
1477
1478 /* old Apple version sends natd payloads in the wrong order */
1479 if (iph1->natt_options->version == VENDORID_NATT_APPLE) {
1480 plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
1481 plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
1482 } else
1483 {
1484 plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
1485 plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
1486 }
1487 }
1488 #endif
1489
1490 iph1->sendbuf = isakmp_plist_set_all(&plist, iph1);
1491
1492 #ifdef HAVE_PRINT_ISAKMP_C
1493 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
1494 #endif
1495
1496 /* send HDR;KE;NONCE to responder */
1497 if (isakmp_send(iph1, iph1->sendbuf) < 0)
1498 goto end;
1499
1500 /* the sending message is added to the received-list. */
1501 if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
1502 PH1_NON_ESP_EXTRA_LEN(iph1), PH1_FRAG_FLAGS(iph1)) == -1) {
1503 plog(LLV_ERROR , LOCATION, NULL,
1504 "failed to add a response packet to the tree.\n");
1505 goto end;
1506 }
1507
1508 /* generate SKEYIDs & IV & final cipher key */
1509 if (oakley_skeyid_dae(iph1) < 0)
1510 goto end;
1511 if (oakley_compute_enckey(iph1) < 0)
1512 goto end;
1513 if (oakley_newiv(iph1) < 0)
1514 goto end;
1515
1516 /* set encryption flag */
1517 iph1->flags |= ISAKMP_FLAG_E;
1518
1519 iph1->status = PHASE1ST_ESTABLISHED;
1520
1521 error = 0;
1522
1523 end:
1524 if (vid)
1525 vfree(vid);
1526 return error;
1527 }
mirror of ipsec