]> git.saurik.com Git - apple/ipsec.git/blob - ipsec-tools/racoon/isakmp_newg.c
projects / apple / ipsec.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
ipsec-34.0.2.tar.gz
[apple/ipsec.git] / ipsec-tools / racoon / isakmp_newg.c
1 /* $KAME: isakmp_newg.c,v 1.10 2002/09/27 05:55:52 itojun Exp $ */
2
3 /*
4 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the project nor the names of its contributors
16 * may be used to endorse or promote products derived from this software
17 * without specific prior written permission.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * SUCH DAMAGE.
30 */
31
32 #include "config.h"
33
34 #include <sys/types.h>
35 #include <sys/param.h>
36
37 #include <stdlib.h>
38 #include <stdio.h>
39 #include <string.h>
40 #include <errno.h>
41
42 #include "var.h"
43 #include "misc.h"
44 #include "vmbuf.h"
45 #include "plog.h"
46 #include "sockmisc.h"
47 #include "debug.h"
48
49 #include "schedule.h"
50 #include "cfparse_proto.h"
51 #include "isakmp_var.h"
52 #include "isakmp.h"
53 #include "isakmp_newg.h"
54 #include "oakley.h"
55 #include "ipsec_doi.h"
56 #include "crypto_openssl.h"
57 #include "handler.h"
58 #include "pfkey.h"
59 #include "admin.h"
60 #include "str2val.h"
61 #include "vendorid.h"
62
63 /*
64 * New group mode as responder
65 */
66 int
67 isakmp_newgroup_r(iph1, msg)
68 struct ph1handle *iph1;
69 vchar_t *msg;
70 {
71 #if 0
72 struct isakmp *isakmp = (struct isakmp *)msg->v;
73 struct isakmp_pl_hash *hash = NULL;
74 struct isakmp_pl_sa *sa = NULL;
75 int error = -1;
76 vchar_t *buf;
77 struct oakley_sa *osa;
78 int len;
79
80 /* validate the type of next payload */
81 /*
82 * ISAKMP_ETYPE_NEWGRP,
83 * ISAKMP_NPTYPE_HASH, (ISAKMP_NPTYPE_VID), ISAKMP_NPTYPE_SA,
84 * ISAKMP_NPTYPE_NONE
85 */
86 {
87 vchar_t *pbuf = NULL;
88 struct isakmp_parse_t *pa;
89
90 if ((pbuf = isakmp_parse(msg)) == NULL)
91 goto end;
92
93 for (pa = (struct isakmp_parse_t *)pbuf->v;
94 pa->type != ISAKMP_NPTYPE_NONE;
95 pa++) {
96
97 switch (pa->type) {
98 case ISAKMP_NPTYPE_HASH:
99 if (hash) {
100 isakmp_info_send_n1(iph1, ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE, NULL);
101 plog(LLV_ERROR, LOCATION, iph1->remote,
102 "received multiple payload type %d.\n",
103 pa->type);
104 vfree(pbuf);
105 goto end;
106 }
107 hash = (struct isakmp_pl_hash *)pa->ptr;
108 break;
109 case ISAKMP_NPTYPE_SA:
110 if (sa) {
111 isakmp_info_send_n1(iph1, ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE, NULL);
112 plog(LLV_ERROR, LOCATION, iph1->remote,
113 "received multiple payload type %d.\n",
114 pa->type);
115 vfree(pbuf);
116 goto end;
117 }
118 sa = (struct isakmp_pl_sa *)pa->ptr;
119 break;
120 case ISAKMP_NPTYPE_VID:
121 (void)check_vendorid(pa->ptr);
122 break;
123 default:
124 isakmp_info_send_n1(iph1, ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE, NULL);
125 plog(LLV_ERROR, LOCATION, iph1->remote,
126 "ignore the packet, "
127 "received unexpecting payload type %d.\n",
128 pa->type);
129 vfree(pbuf);
130 goto end;
131 }
132 }
133 vfree(pbuf);
134
135 if (!hash || !sa) {
136 isakmp_info_send_n1(iph1, ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE, NULL);
137 plog(LLV_ERROR, LOCATION, iph1->remote,
138 "no HASH, or no SA payload.\n");
139 goto end;
140 }
141 }
142
143 /* validate HASH */
144 {
145 char *r_hash;
146 vchar_t *my_hash = NULL;
147 int result;
148
149 plog(LLV_DEBUG, LOCATION, NULL, "validate HASH\n");
150
151 len = sizeof(isakmp->msgid) + ntohs(sa->h.len);
152 buf = vmalloc(len);
153 if (buf == NULL) {
154 plog(LLV_ERROR, LOCATION, NULL,
155 "failed to get buffer to send.\n");
156 goto end;
157 }
158 memcpy(buf->v, &isakmp->msgid, sizeof(isakmp->msgid));
159 memcpy(buf->v + sizeof(isakmp->msgid), sa, ntohs(sa->h.len));
160
161 plog(LLV_DEBUG, LOCATION, NULL, "hash source\n");
162 plogdump(LLV_DEBUG, buf->v, buf->l);
163
164 my_hash = isakmp_prf(iph1->skeyid_a, buf, iph1);
165 vfree(buf);
166 if (my_hash == NULL)
167 goto end;
168
169 plog(LLV_DEBUG, LOCATION, NULL, "hash result\n");
170 plogdump(LLV_DEBUG, my_hash->v, my_hash->l);
171
172 r_hash = (char *)hash + sizeof(*hash);
173
174 plog(LLV_DEBUG, LOCATION, NULL, "original hash\n"));
175 plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash)));
176
177 result = memcmp(my_hash->v, r_hash, my_hash->l);
178 vfree(my_hash);
179
180 if (result) {
181 plog(LLV_ERROR, LOCATION, iph1->remote,
182 "HASH mismatch.\n");
183 isakmp_info_send_n1(iph1, ISAKMP_NTYPE_INVALID_HASH_INFORMATION, NULL);
184 goto end;
185 }
186 }
187
188 /* check SA payload and get new one for use */
189 buf = ipsecdoi_get_proposal((struct ipsecdoi_sa *)sa,
190 OAKLEY_NEWGROUP_MODE);
191 if (buf == NULL) {
192 isakmp_info_send_n1(iph1, ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED, NULL);
193 goto end;
194 }
195
196 /* save sa parameters */
197 osa = ipsecdoi_get_oakley(buf);
198 if (osa == NULL) {
199 isakmp_info_send_n1(iph1, ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED, NULL);
200 goto end;
201 }
202 vfree(buf);
203
204 switch (osa->dhgrp) {
205 case OAKLEY_ATTR_GRP_DESC_MODP768:
206 case OAKLEY_ATTR_GRP_DESC_MODP1024:
207 case OAKLEY_ATTR_GRP_DESC_MODP1536:
208 /*XXX*/
209 default:
210 isakmp_info_send_n1(iph1, ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED, NULL);
211 plog(LLV_ERROR, LOCATION, NULL,
212 "dh group %d isn't supported.\n", osa->dhgrp);
213 goto end;
214 }
215
216 plog(LLV_INFO, LOCATION, iph1->remote,
217 "got new dh group %s.\n", isakmp_pindex(&iph1->index, 0));
218
219 error = 0;
220
221 end:
222 if (error) {
223 if (iph1 != NULL)
224 (void)isakmp_free_ph1(iph1);
225 }
226 return error;
227 #endif
228 return 0;
229 }
230
mirror of ipsec