]> git.saurik.com Git - apple/ipsec.git/blob - ipsec-tools/racoon/isakmp_ident.c
projects / apple / ipsec.git / blob
? search:


ff155e617e53b7415decc79cc6ffbaff6a234981
[apple/ipsec.git] / ipsec-tools / racoon / isakmp_ident.c
1 /* $NetBSD: isakmp_ident.c,v 1.6 2006/10/02 21:41:59 manu Exp $ */
2
3 /* Id: isakmp_ident.c,v 1.21 2006/04/06 16:46:08 manubsd Exp */
4
5 /*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 /* Identity Protecion Exchange (Main Mode) */
35
36 #include "config.h"
37
38 #include <sys/types.h>
39 #include <sys/param.h>
40
41 #include <stdlib.h>
42 #include <stdio.h>
43 #include <string.h>
44 #include <errno.h>
45 #if TIME_WITH_SYS_TIME
46 # include <sys/time.h>
47 # include <time.h>
48 #else
49 # if HAVE_SYS_TIME_H
50 # include <sys/time.h>
51 # else
52 # include <time.h>
53 # endif
54 #endif
55
56 #include "var.h"
57 #include "misc.h"
58 #include "vmbuf.h"
59 #include "plog.h"
60 #include "sockmisc.h"
61 #include "schedule.h"
62 #include "debug.h"
63
64 #include "localconf.h"
65 #include "remoteconf.h"
66 #include "isakmp_var.h"
67 #include "isakmp.h"
68 #include "evt.h"
69 #include "oakley.h"
70 #include "handler.h"
71 #include "ipsec_doi.h"
72 #include "crypto_openssl.h"
73 #include "pfkey.h"
74 #include "isakmp_ident.h"
75 #include "isakmp_inf.h"
76 #include "vendorid.h"
77
78 #ifdef ENABLE_NATT
79 #include "nattraversal.h"
80 #endif
81 #ifdef HAVE_GSSAPI
82 #include "gssapi.h"
83 #endif
84 #ifdef ENABLE_HYBRID
85 #include <resolv.h>
86 #include "isakmp_xauth.h"
87 #include "isakmp_cfg.h"
88 #endif
89 #ifdef ENABLE_FRAG
90 #include "isakmp_frag.h"
91 #endif
92
93 #include "vpn_control.h"
94 #include "vpn_control_var.h"
95 #include "ipsecSessionTracer.h"
96 #include "ipsecMessageTracer.h"
97
98 static vchar_t *ident_ir2mx __P((struct ph1handle *));
99 static vchar_t *ident_ir3mx __P((struct ph1handle *));
100
101 /* %%%
102 * begin Identity Protection Mode as initiator.
103 */
104 /*
105 * send to responder
106 * psk: HDR, SA
107 * sig: HDR, SA
108 * rsa: HDR, SA
109 * rev: HDR, SA
110 */
111 int
112 ident_i1send(iph1, msg)
113 struct ph1handle *iph1;
114 vchar_t *msg; /* must be null */
115 {
116 struct payload_list *plist = NULL;
117 int error = -1;
118 #ifdef ENABLE_NATT
119 vchar_t *vid_natt[MAX_NATT_VID_COUNT] = { NULL };
120 int i;
121 #endif
122 #ifdef ENABLE_HYBRID
123 vchar_t *vid_xauth = NULL;
124 vchar_t *vid_unity = NULL;
125 #endif
126 #ifdef ENABLE_FRAG
127 vchar_t *vid_frag = NULL;
128 #endif
129 #ifdef ENABLE_DPD
130 vchar_t *vid_dpd = NULL;
131 #endif
132 /* validity check */
133 if (msg != NULL) {
134 plog(LLV_ERROR, LOCATION, NULL,
135 "msg has to be NULL in this function.\n");
136 goto end;
137 }
138 if (iph1->status != PHASE1ST_START) {
139 plog(LLV_ERROR, LOCATION, NULL,
140 "status mismatched %d.\n", iph1->status);
141 goto end;
142 }
143
144 /* create isakmp index */
145 memset(&iph1->index, 0, sizeof(iph1->index));
146 isakmp_newcookie((caddr_t)&iph1->index, iph1->remote, iph1->local);
147
148 /* create SA payload for my proposal */
149 iph1->sa = ipsecdoi_setph1proposal(iph1->rmconf->proposal);
150 if (iph1->sa == NULL) {
151 plog(LLV_ERROR, LOCATION, NULL,
152 "failed to set proposal");
153 goto end;
154 }
155
156 /* set SA payload to propose */
157 plist = isakmp_plist_append(plist, iph1->sa, ISAKMP_NPTYPE_SA);
158
159 #ifdef ENABLE_NATT
160 /* set VID payload for NAT-T if NAT-T support allowed in the config file */
161 if (iph1->rmconf->nat_traversal)
162 plist = isakmp_plist_append_natt_vids(plist, vid_natt);
163 #endif
164 #ifdef ENABLE_HYBRID
165 /* Do we need Xauth VID? */
166 switch (RMAUTHMETHOD(iph1)) {
167 case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
168 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
169 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
170 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
171 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
172 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
173 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
174 if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL)
175 plog(LLV_ERROR, LOCATION, NULL,
176 "Xauth vendor ID generation failed\n");
177 else
178 plist = isakmp_plist_append(plist,
179 vid_xauth, ISAKMP_NPTYPE_VID);
180
181 if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL)
182 plog(LLV_ERROR, LOCATION, NULL,
183 "Unity vendor ID generation failed\n");
184 else
185 plist = isakmp_plist_append(plist,
186 vid_unity, ISAKMP_NPTYPE_VID);
187 break;
188 default:
189 break;
190 }
191 #endif
192 #ifdef ENABLE_FRAG
193 if (iph1->rmconf->ike_frag) {
194 if ((vid_frag = set_vendorid(VENDORID_FRAG)) == NULL) {
195 plog(LLV_ERROR, LOCATION, NULL,
196 "Frag vendorID construction failed\n");
197 } else {
198 vid_frag = isakmp_frag_addcap(vid_frag,
199 VENDORID_FRAG_IDENT);
200 plist = isakmp_plist_append(plist,
201 vid_frag, ISAKMP_NPTYPE_VID);
202 }
203 }
204 #endif
205 #ifdef ENABLE_DPD
206 if(iph1->rmconf->dpd){
207 vid_dpd = set_vendorid(VENDORID_DPD);
208 if (vid_dpd != NULL)
209 plist = isakmp_plist_append(plist, vid_dpd,
210 ISAKMP_NPTYPE_VID);
211 }
212 #endif
213
214 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
215
216 #ifdef HAVE_PRINT_ISAKMP_C
217 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
218 #endif
219
220 /* send the packet, add to the schedule to resend */
221 iph1->retry_counter = iph1->rmconf->retry_counter;
222 if (isakmp_ph1resend(iph1) == -1) {
223 plog(LLV_ERROR, LOCATION, NULL,
224 "failed to send packet");
225 goto end;
226 }
227
228 iph1->status = PHASE1ST_MSG1SENT;
229
230 error = 0;
231
232 IPSECSESSIONTRACEREVENT(iph1->parent_session,
233 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
234 CONSTSTR("Initiator, Main-Mode message 1"),
235 CONSTSTR(NULL));
236
237 end:
238 if (error) {
239 IPSECSESSIONTRACEREVENT(iph1->parent_session,
240 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
241 CONSTSTR("Initiator, Main-Mode Message 1"),
242 CONSTSTR("Failed to transmit Main-Mode Message 1"));
243 }
244 #ifdef ENABLE_FRAG
245 if (vid_frag)
246 vfree(vid_frag);
247 #endif
248 #ifdef ENABLE_NATT
249 for (i = 0; i < MAX_NATT_VID_COUNT && vid_natt[i] != NULL; i++)
250 vfree(vid_natt[i]);
251 #endif
252 #ifdef ENABLE_HYBRID
253 if (vid_xauth != NULL)
254 vfree(vid_xauth);
255 if (vid_unity != NULL)
256 vfree(vid_unity);
257 #endif
258 #ifdef ENABLE_DPD
259 if (vid_dpd != NULL)
260 vfree(vid_dpd);
261 #endif
262
263 return error;
264 }
265
266 /*
267 * receive from responder
268 * psk: HDR, SA
269 * sig: HDR, SA
270 * rsa: HDR, SA
271 * rev: HDR, SA
272 */
273 int
274 ident_i2recv(iph1, msg)
275 struct ph1handle *iph1;
276 vchar_t *msg;
277 {
278 vchar_t *pbuf = NULL;
279 struct isakmp_parse_t *pa;
280 vchar_t *satmp = NULL;
281 int error = -1;
282 int vid_numeric;
283
284 /* validity check */
285 if (iph1->status != PHASE1ST_MSG1SENT) {
286 plog(LLV_ERROR, LOCATION, NULL,
287 "status mismatched %d.\n", iph1->status);
288 goto end;
289 }
290
291 /* validate the type of next payload */
292 /*
293 * NOTE: RedCreek(as responder) attaches N[responder-lifetime] here,
294 * if proposal-lifetime > lifetime-redcreek-wants.
295 * (see doi-08 4.5.4)
296 * => According to the seciton 4.6.3 in RFC 2407, This is illegal.
297 * NOTE: we do not really care about ordering of VID and N.
298 * does it matters?
299 * NOTE: even if there's multiple VID/N, we'll ignore them.
300 */
301 pbuf = isakmp_parse(msg);
302 if (pbuf == NULL) {
303 plog(LLV_ERROR, LOCATION, NULL,
304 "failed to parse msg");
305 goto end;
306 }
307 pa = (struct isakmp_parse_t *)pbuf->v;
308
309 /* SA payload is fixed postion */
310 if (pa->type != ISAKMP_NPTYPE_SA) {
311 plog(LLV_ERROR, LOCATION, iph1->remote,
312 "received invalid next payload type %d, "
313 "expecting %d.\n",
314 pa->type, ISAKMP_NPTYPE_SA);
315 goto end;
316 }
317 if (isakmp_p2ph(&satmp, pa->ptr) < 0) {
318 plog(LLV_ERROR, LOCATION, NULL,
319 "failed to process SA payload");
320 goto end;
321 }
322 pa++;
323
324 for (/*nothing*/;
325 pa->type != ISAKMP_NPTYPE_NONE;
326 pa++) {
327
328 switch (pa->type) {
329 case ISAKMP_NPTYPE_VID:
330 vid_numeric = check_vendorid(pa->ptr);
331 #ifdef ENABLE_NATT
332 if (iph1->rmconf->nat_traversal && natt_vendorid(vid_numeric))
333 natt_handle_vendorid(iph1, vid_numeric);
334 #endif
335 #ifdef ENABLE_HYBRID
336 switch (vid_numeric) {
337 case VENDORID_XAUTH:
338 iph1->mode_cfg->flags |=
339 ISAKMP_CFG_VENDORID_XAUTH;
340 break;
341
342 case VENDORID_UNITY:
343 iph1->mode_cfg->flags |=
344 ISAKMP_CFG_VENDORID_UNITY;
345 break;
346
347 default:
348 break;
349 }
350 #endif
351 #ifdef ENABLE_DPD
352 if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd)
353 iph1->dpd_support=1;
354 #endif
355 break;
356 default:
357 /* don't send information, see ident_r1recv() */
358 plog(LLV_ERROR, LOCATION, iph1->remote,
359 "ignore the packet, "
360 "received unexpecting payload type %d.\n",
361 pa->type);
362 goto end;
363 }
364 }
365
366 #ifdef ENABLE_NATT
367 if (NATT_AVAILABLE(iph1)) {
368 plog(LLV_INFO, LOCATION, iph1->remote,
369 "Selected NAT-T version: %s\n",
370 vid_string_by_id(iph1->natt_options->version));
371 ike_session_update_natt_version(iph1);
372 }
373 #endif
374
375 /* check SA payload and set approval SA for use */
376 if (ipsecdoi_checkph1proposal(satmp, iph1) < 0) {
377 plog(LLV_ERROR, LOCATION, iph1->remote,
378 "failed to get valid proposal.\n");
379 /* XXX send information */
380 goto end;
381 }
382 VPTRINIT(iph1->sa_ret);
383
384 iph1->status = PHASE1ST_MSG2RECEIVED;
385
386 #ifdef ENABLE_VPNCONTROL_PORT
387 vpncontrol_notify_phase_change(1, FROM_REMOTE, iph1, NULL);
388 #endif
389
390 error = 0;
391
392 IPSECSESSIONTRACEREVENT(iph1->parent_session,
393 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
394 CONSTSTR("Initiator, Main-Mode message 2"),
395 CONSTSTR(NULL));
396
397 end:
398 if (error) {
399 IPSECSESSIONTRACEREVENT(iph1->parent_session,
400 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
401 CONSTSTR("Initiator, Main-Mode Message 2"),
402 CONSTSTR("Failed to process Main-Mode Message 2"));
403 }
404 if (pbuf)
405 vfree(pbuf);
406 if (satmp)
407 vfree(satmp);
408 return error;
409 }
410
411 /*
412 * send to responder
413 * psk: HDR, KE, Ni
414 * sig: HDR, KE, Ni
415 * gssapi: HDR, KE, Ni, GSSi
416 * rsa: HDR, KE, [ HASH(1), ] <IDi1_b>PubKey_r, <Ni_b>PubKey_r
417 * rev: HDR, [ HASH(1), ] <Ni_b>Pubkey_r, <KE_b>Ke_i,
418 * <IDi1_b>Ke_i, [<<Cert-I_b>Ke_i]
419 */
420 int
421 ident_i2send(iph1, msg)
422 struct ph1handle *iph1;
423 vchar_t *msg;
424 {
425 int error = -1;
426
427 /* validity check */
428 if (iph1->status != PHASE1ST_MSG2RECEIVED) {
429 plog(LLV_ERROR, LOCATION, NULL,
430 "status mismatched %d.\n", iph1->status);
431 goto end;
432 }
433
434 /* fix isakmp index */
435 memcpy(&iph1->index.r_ck, &((struct isakmp *)msg->v)->r_ck,
436 sizeof(cookie_t));
437
438 /* generate DH public value */
439 if (oakley_dh_generate(iph1->approval->dhgrp,
440 &iph1->dhpub, &iph1->dhpriv) < 0) {
441 plog(LLV_ERROR, LOCATION, NULL,
442 "failed to generate DH");
443 goto end;
444 }
445
446 /* generate NONCE value */
447 iph1->nonce = eay_set_random(iph1->rmconf->nonce_size);
448 if (iph1->nonce == NULL) {
449 plog(LLV_ERROR, LOCATION, NULL,
450 "failed to generate NONCE");
451 goto end;
452 }
453
454 #ifdef HAVE_GSSAPI
455 if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB &&
456 gssapi_get_itoken(iph1, NULL) < 0) {
457 plog(LLV_ERROR, LOCATION, NULL,
458 "failed to get GSS token");
459 goto end;
460 }
461 #endif
462
463 /* create buffer to send isakmp payload */
464 iph1->sendbuf = ident_ir2mx(iph1);
465 if (iph1->sendbuf == NULL) {
466 plog(LLV_ERROR, LOCATION, NULL,
467 "failed to create send buffer");
468 goto end;
469 }
470
471 #ifdef HAVE_PRINT_ISAKMP_C
472 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
473 #endif
474
475 /* send the packet, add to the schedule to resend */
476 iph1->retry_counter = iph1->rmconf->retry_counter;
477 if (isakmp_ph1resend(iph1) == -1) {
478 plog(LLV_ERROR, LOCATION, NULL,
479 "failed to send packet");
480 goto end;
481 }
482
483 /* the sending message is added to the received-list. */
484 if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
485 PH1_NON_ESP_EXTRA_LEN(iph1)) == -1) {
486 plog(LLV_ERROR , LOCATION, NULL,
487 "failed to add a response packet to the tree.\n");
488 goto end;
489 }
490
491 iph1->status = PHASE1ST_MSG2SENT;
492
493 error = 0;
494
495 IPSECSESSIONTRACEREVENT(iph1->parent_session,
496 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
497 CONSTSTR("Initiator, Main-Mode message 3"),
498 CONSTSTR(NULL));
499
500 end:
501 if (error) {
502 IPSECSESSIONTRACEREVENT(iph1->parent_session,
503 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
504 CONSTSTR("Initiator, Main-Mode Message 3"),
505 CONSTSTR("Failed to transmit Main-Mode Message 3"));
506 }
507 return error;
508 }
509
510 /*
511 * receive from responder
512 * psk: HDR, KE, Nr
513 * sig: HDR, KE, Nr [, CR ]
514 * gssapi: HDR, KE, Nr, GSSr
515 * rsa: HDR, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i
516 * rev: HDR, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDr1_b>Ke_r,
517 */
518 int
519 ident_i3recv(iph1, msg)
520 struct ph1handle *iph1;
521 vchar_t *msg;
522 {
523 vchar_t *pbuf = NULL;
524 struct isakmp_parse_t *pa;
525 int error = -1;
526 int vid_numeric;
527 #ifdef HAVE_GSSAPI
528 vchar_t *gsstoken = NULL;
529 #endif
530 #ifdef ENABLE_NATT
531 vchar_t *natd_received;
532 int natd_seq = 0, natd_verified;
533 #endif
534
535 /* validity check */
536 if (iph1->status != PHASE1ST_MSG2SENT) {
537 plog(LLV_ERROR, LOCATION, NULL,
538 "status mismatched %d.\n", iph1->status);
539 goto end;
540 }
541
542 /* validate the type of next payload */
543 pbuf = isakmp_parse(msg);
544 if (pbuf == NULL) {
545 plog(LLV_ERROR, LOCATION, NULL,
546 "failed to parse msg");
547 goto end;
548 }
549
550 for (pa = (struct isakmp_parse_t *)pbuf->v;
551 pa->type != ISAKMP_NPTYPE_NONE;
552 pa++) {
553
554 switch (pa->type) {
555 case ISAKMP_NPTYPE_KE:
556 if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) {
557 plog(LLV_ERROR, LOCATION, NULL,
558 "failed to process KE payload");
559 goto end;
560 }
561 break;
562 case ISAKMP_NPTYPE_NONCE:
563 if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) {
564 plog(LLV_ERROR, LOCATION, NULL,
565 "failed to process NONCE payload");
566 goto end;
567 }
568 break;
569 case ISAKMP_NPTYPE_VID:
570 vid_numeric = check_vendorid(pa->ptr);
571 #ifdef ENABLE_HYBRID
572 switch (vid_numeric) {
573 case VENDORID_XAUTH:
574 iph1->mode_cfg->flags |=
575 ISAKMP_CFG_VENDORID_XAUTH;
576 break;
577
578 case VENDORID_UNITY:
579 iph1->mode_cfg->flags |=
580 ISAKMP_CFG_VENDORID_UNITY;
581 break;
582
583 default:
584 break;
585 }
586 #endif
587 #ifdef ENABLE_DPD
588 if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd)
589 iph1->dpd_support=1;
590 #endif
591
592 break;
593 case ISAKMP_NPTYPE_CR:
594 if (oakley_savecr(iph1, pa->ptr) < 0) {
595 plog(LLV_ERROR, LOCATION, NULL,
596 "failed to process CR payload");
597 goto end;
598 }
599 break;
600 #ifdef HAVE_GSSAPI
601 case ISAKMP_NPTYPE_GSS:
602 if (isakmp_p2ph(&gsstoken, pa->ptr) < 0) {
603 plog(LLV_ERROR, LOCATION, NULL,
604 "failed to process GSS payload");
605 goto end;
606 }
607 gssapi_save_received_token(iph1, gsstoken);
608 break;
609 #endif
610
611 #ifdef ENABLE_NATT
612 case ISAKMP_NPTYPE_NATD_DRAFT:
613 case ISAKMP_NPTYPE_NATD_RFC:
614 #ifdef __APPLE__
615 case ISAKMP_NPTYPE_NATD_BADDRAFT:
616 #endif
617 if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL &&
618 pa->type == iph1->natt_options->payload_nat_d) {
619 natd_received = NULL;
620 if (isakmp_p2ph (&natd_received, pa->ptr) < 0) {
621 plog(LLV_ERROR, LOCATION, NULL,
622 "failed to process NATD payload");
623 goto end;
624 }
625
626 /* set both bits first so that we can clear them
627 upon verifying hashes */
628 if (natd_seq == 0)
629 iph1->natt_flags |= NAT_DETECTED;
630
631 /* this function will clear appropriate bits bits
632 from iph1->natt_flags */
633 natd_verified = natt_compare_addr_hash (iph1,
634 natd_received, natd_seq++);
635
636 plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n",
637 natd_seq - 1,
638 natd_verified ? "verified" : "doesn't match");
639
640 vfree (natd_received);
641 break;
642 }
643 /* %%%% Be lenient here - some servers send natd payloads */
644 /* when no nat is detected */
645 break;
646 #endif
647
648 default:
649 /* don't send information, see ident_r1recv() */
650 plog(LLV_ERROR, LOCATION, iph1->remote,
651 "ignore the packet, "
652 "received unexpecting payload type %d.\n",
653 pa->type);
654 goto end;
655 }
656 }
657
658 #ifdef ENABLE_NATT
659 if (NATT_AVAILABLE(iph1)) {
660 plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n",
661 iph1->natt_flags & NAT_DETECTED ?
662 "detected:" : "not detected",
663 iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "",
664 iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : "");
665 if (iph1->natt_flags & NAT_DETECTED)
666 natt_float_ports (iph1);
667 }
668 #endif
669
670 /* payload existency check */
671 if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) {
672 plog(LLV_ERROR, LOCATION, iph1->remote,
673 "few isakmp message received.\n");
674 goto end;
675 }
676
677 if (oakley_checkcr(iph1) < 0) {
678 /* Ignore this error in order to be interoperability. */
679 ;
680 }
681
682 iph1->status = PHASE1ST_MSG3RECEIVED;
683
684 error = 0;
685
686 IPSECSESSIONTRACEREVENT(iph1->parent_session,
687 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
688 CONSTSTR("Initiator, Main-Mode message 4"),
689 CONSTSTR(NULL));
690
691 end:
692 if (error) {
693 IPSECSESSIONTRACEREVENT(iph1->parent_session,
694 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
695 CONSTSTR("Initiator, Main-Mode Message 4"),
696 CONSTSTR("Failed to process Main-Mode Message 4"));
697 }
698 #ifdef HAVE_GSSAPI
699 if (gsstoken)
700 vfree(gsstoken);
701 #endif
702 if (pbuf)
703 vfree(pbuf);
704 if (error) {
705 VPTRINIT(iph1->dhpub_p);
706 VPTRINIT(iph1->nonce_p);
707 VPTRINIT(iph1->id_p);
708 oakley_delcert(iph1->cr_p);
709 iph1->cr_p = NULL;
710 }
711
712 return error;
713 }
714
715 /*
716 * send to responder
717 * psk: HDR*, IDi1, HASH_I
718 * sig: HDR*, IDi1, [ CR, ] [ CERT, ] SIG_I
719 * gssapi: HDR*, IDi1, < Gssi(n) | HASH_I >
720 * rsa: HDR*, HASH_I
721 * rev: HDR*, HASH_I
722 */
723 int
724 ident_i3send(iph1, msg0)
725 struct ph1handle *iph1;
726 vchar_t *msg0;
727 {
728 int error = -1;
729 int dohash = 1;
730 #ifdef HAVE_GSSAPI
731 int len;
732 #endif
733
734 /* validity check */
735 if (iph1->status != PHASE1ST_MSG3RECEIVED) {
736 plog(LLV_ERROR, LOCATION, NULL,
737 "status mismatched %d.\n", iph1->status);
738 goto end;
739 }
740
741 /* compute sharing secret of DH */
742 if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub,
743 iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) {
744 plog(LLV_ERROR, LOCATION, NULL,
745 "failed to compute DH");
746 goto end;
747 }
748
749 /* generate SKEYIDs & IV & final cipher key */
750 if (oakley_skeyid(iph1) < 0) {
751 plog(LLV_ERROR, LOCATION, NULL,
752 "failed to generate SKEYID");
753 goto end;
754 }
755 if (oakley_skeyid_dae(iph1) < 0) {
756 plog(LLV_ERROR, LOCATION, NULL,
757 "failed to generate SKEYID-DAE");
758 goto end;
759 }
760 if (oakley_compute_enckey(iph1) < 0) {
761 plog(LLV_ERROR, LOCATION, NULL,
762 "failed to generate ENCKEY");
763 goto end;
764 }
765 if (oakley_newiv(iph1) < 0) {
766 plog(LLV_ERROR, LOCATION, NULL,
767 "failed to generate IV");
768 goto end;
769 }
770
771 /* make ID payload into isakmp status */
772 if (ipsecdoi_setid1(iph1) < 0) {
773 plog(LLV_ERROR, LOCATION, NULL,
774 "failed to set ID");
775 goto end;
776 }
777
778 #ifdef HAVE_GSSAPI
779 if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB &&
780 gssapi_more_tokens(iph1)) {
781 plog(LLV_DEBUG, LOCATION, NULL, "calling get_itoken\n");
782 if (gssapi_get_itoken(iph1, &len) < 0) {
783 plog(LLV_ERROR, LOCATION, NULL,
784 "failed to get GSSAPI token");
785 goto end;
786 }
787 if (len != 0)
788 dohash = 0;
789 }
790 #endif
791
792 /* generate HASH to send */
793 if (dohash) {
794 iph1->hash = oakley_ph1hash_common(iph1, GENERATE);
795 if (iph1->hash == NULL) {
796 plog(LLV_ERROR, LOCATION, NULL,
797 "failed to generate HASH");
798 goto end;
799 }
800 } else
801 iph1->hash = NULL;
802
803 /* set encryption flag */
804 iph1->flags |= ISAKMP_FLAG_E;
805
806 /* create HDR;ID;HASH payload */
807 iph1->sendbuf = ident_ir3mx(iph1);
808 if (iph1->sendbuf == NULL) {
809 plog(LLV_ERROR, LOCATION, NULL,
810 "failed to allocate send buffer");
811 goto end;
812 }
813
814 /* send the packet, add to the schedule to resend */
815 iph1->retry_counter = iph1->rmconf->retry_counter;
816 if (isakmp_ph1resend(iph1) == -1) {
817 plog(LLV_ERROR, LOCATION, NULL,
818 "failed to send packet");
819 goto end;
820 }
821
822 /* the sending message is added to the received-list. */
823 if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg0,
824 PH1_NON_ESP_EXTRA_LEN(iph1)) == -1) {
825 plog(LLV_ERROR , LOCATION, NULL,
826 "failed to add a response packet to the tree.\n");
827 goto end;
828 }
829
830 /* see handler.h about IV synchronization. */
831 memcpy(iph1->ivm->ive->v, iph1->ivm->iv->v, iph1->ivm->iv->l);
832
833 iph1->status = PHASE1ST_MSG3SENT;
834
835 error = 0;
836
837 IPSECSESSIONTRACEREVENT(iph1->parent_session,
838 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
839 CONSTSTR("Initiator, Main-Mode message 5"),
840 CONSTSTR(NULL));
841
842 end:
843 if (error) {
844 IPSECSESSIONTRACEREVENT(iph1->parent_session,
845 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
846 CONSTSTR("Initiator, Main-Mode Message 5"),
847 CONSTSTR("Failed to transmit Main-Mode Message 5"));
848 }
849 return error;
850 }
851
852 /*
853 * receive from responder
854 * psk: HDR*, IDr1, HASH_R
855 * sig: HDR*, IDr1, [ CERT, ] SIG_R
856 * gssapi: HDR*, IDr1, < GSSr(n) | HASH_R >
857 * rsa: HDR*, HASH_R
858 * rev: HDR*, HASH_R
859 */
860 int
861 ident_i4recv(iph1, msg0)
862 struct ph1handle *iph1;
863 vchar_t *msg0;
864 {
865 vchar_t *pbuf = NULL;
866 struct isakmp_parse_t *pa;
867 vchar_t *msg = NULL;
868 int error = -1;
869 int type;
870 int vid_numeric;
871 #ifdef HAVE_GSSAPI
872 vchar_t *gsstoken = NULL;
873 #endif
874
875 /* validity check */
876 if (iph1->status != PHASE1ST_MSG3SENT) {
877 plog(LLV_ERROR, LOCATION, NULL,
878 "status mismatched %d.\n", iph1->status);
879 goto end;
880 }
881
882 /* decrypting */
883 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
884 plog(LLV_ERROR, LOCATION, iph1->remote,
885 "ignore the packet, "
886 "expecting the packet encrypted.\n");
887 goto end;
888 }
889 msg = oakley_do_decrypt(iph1, msg0, iph1->ivm->iv, iph1->ivm->ive);
890 if (msg == NULL) {
891 plog(LLV_ERROR, LOCATION, NULL,
892 "failed to decrypt");
893 goto end;
894 }
895
896 /* validate the type of next payload */
897 pbuf = isakmp_parse(msg);
898 if (pbuf == NULL) {
899 plog(LLV_ERROR, LOCATION, NULL,
900 "failed to parse msg");
901 goto end;
902 }
903
904 iph1->pl_hash = NULL;
905
906 for (pa = (struct isakmp_parse_t *)pbuf->v;
907 pa->type != ISAKMP_NPTYPE_NONE;
908 pa++) {
909
910 switch (pa->type) {
911 case ISAKMP_NPTYPE_ID:
912 if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) {
913 plog(LLV_ERROR, LOCATION, NULL,
914 "failed to process ID payload");
915 goto end;
916 }
917 break;
918 case ISAKMP_NPTYPE_HASH:
919 iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr;
920 break;
921 case ISAKMP_NPTYPE_CERT:
922 if (oakley_savecert(iph1, pa->ptr) < 0) {
923 plog(LLV_ERROR, LOCATION, NULL,
924 "failed to process CERT payload");
925 goto end;
926 }
927 break;
928 case ISAKMP_NPTYPE_SIG:
929 if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) {
930 plog(LLV_ERROR, LOCATION, NULL,
931 "failed to process SIG payload");
932 goto end;
933 }
934 break;
935 #ifdef HAVE_GSSAPI
936 case ISAKMP_NPTYPE_GSS:
937 if (isakmp_p2ph(&gsstoken, pa->ptr) < 0) {
938 plog(LLV_ERROR, LOCATION, NULL,
939 "failed to process GSS payload");
940 goto end;
941 }
942 gssapi_save_received_token(iph1, gsstoken);
943 break;
944 #endif
945 case ISAKMP_NPTYPE_VID:
946 vid_numeric = check_vendorid(pa->ptr);
947 #ifdef ENABLE_DPD
948 if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd)
949 iph1->dpd_support=1;
950 #endif
951 break;
952 case ISAKMP_NPTYPE_N:
953 isakmp_check_notify(pa->ptr, iph1);
954 break;
955 default:
956 /* don't send information, see ident_r1recv() */
957 plog(LLV_ERROR, LOCATION, iph1->remote,
958 "ignore the packet, "
959 "received unexpecting payload type %d.\n",
960 pa->type);
961 goto end;
962 }
963 }
964
965 /* payload existency check */
966
967 /* verify identifier */
968 if (ipsecdoi_checkid1(iph1) != 0) {
969 plog(LLV_ERROR, LOCATION, iph1->remote,
970 "invalid ID payload.\n");
971 goto end;
972 }
973
974 /* validate authentication value */
975 #ifdef HAVE_GSSAPI
976 if (gsstoken == NULL) {
977 #endif
978 type = oakley_validate_auth(iph1);
979 if (type != 0) {
980 IPSECSESSIONTRACEREVENT(iph1->parent_session,
981 IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_FAIL,
982 CONSTSTR("Initiator, Main-Mode Message 6"),
983 CONSTSTR("Failed to authenticate Main-Mode Message 6"));
984 if (type == -1) {
985 /* msg printed inner oakley_validate_auth() */
986 goto end;
987 }
988 EVT_PUSH(iph1->local, iph1->remote,
989 EVTT_PEERPH1AUTH_FAILED, NULL);
990 isakmp_info_send_n1(iph1, type, NULL);
991 goto end;
992 }
993 IPSECSESSIONTRACEREVENT(iph1->parent_session,
994 IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_SUCC,
995 CONSTSTR("Initiator, Main-Mode Message 6"),
996 CONSTSTR(NULL));
997 #ifdef HAVE_GSSAPI
998 }
999 #endif
1000
1001 /*
1002 * XXX: Should we do compare two addresses, ph1handle's and ID
1003 * payload's.
1004 */
1005
1006 plog(LLV_DEBUG, LOCATION, iph1->remote, "peer's ID:");
1007 plogdump(LLV_DEBUG, iph1->id_p->v, iph1->id_p->l);
1008
1009 /* see handler.h about IV synchronization. */
1010 memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->ive->l);
1011
1012 /*
1013 * If we got a GSS token, we need to this roundtrip again.
1014 */
1015 #ifdef HAVE_GSSAPI
1016 iph1->status = gsstoken != 0 ? PHASE1ST_MSG3RECEIVED :
1017 PHASE1ST_MSG4RECEIVED;
1018 #else
1019 iph1->status = PHASE1ST_MSG4RECEIVED;
1020 #endif
1021
1022 error = 0;
1023
1024 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1025 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
1026 CONSTSTR("Initiator, Main-Mode message 6"),
1027 CONSTSTR(NULL));
1028
1029 end:
1030 if (error) {
1031 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1032 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
1033 CONSTSTR("Initiator, Main-Mode Message 6"),
1034 CONSTSTR("Failed to transmit Main-Mode Message 6"));
1035 }
1036 if (pbuf)
1037 vfree(pbuf);
1038 if (msg)
1039 vfree(msg);
1040 #ifdef HAVE_GSSAPI
1041 if (gsstoken)
1042 vfree(gsstoken);
1043 #endif
1044
1045 if (error) {
1046 VPTRINIT(iph1->id_p);
1047 oakley_delcert(iph1->cert_p);
1048 iph1->cert_p = NULL;
1049 oakley_delcert(iph1->crl_p);
1050 iph1->crl_p = NULL;
1051 VPTRINIT(iph1->sig_p);
1052 }
1053
1054 return error;
1055 }
1056
1057 /*
1058 * status update and establish isakmp sa.
1059 */
1060 int
1061 ident_i4send(iph1, msg)
1062 struct ph1handle *iph1;
1063 vchar_t *msg;
1064 {
1065 int error = -1;
1066
1067 /* validity check */
1068 if (iph1->status != PHASE1ST_MSG4RECEIVED) {
1069 plog(LLV_ERROR, LOCATION, NULL,
1070 "status mismatched %d.\n", iph1->status);
1071 goto end;
1072 }
1073
1074 /* see handler.h about IV synchronization. */
1075 memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->iv->l);
1076
1077 iph1->status = PHASE1ST_ESTABLISHED;
1078
1079 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1080 IPSECSESSIONEVENTCODE_IKEV1_PH1_INIT_SUCC,
1081 CONSTSTR("Initiator, Main-Mode"),
1082 CONSTSTR(NULL));
1083
1084 error = 0;
1085
1086 end:
1087 return error;
1088 }
1089
1090 /*
1091 * receive from initiator
1092 * psk: HDR, SA
1093 * sig: HDR, SA
1094 * rsa: HDR, SA
1095 * rev: HDR, SA
1096 */
1097 int
1098 ident_r1recv(iph1, msg)
1099 struct ph1handle *iph1;
1100 vchar_t *msg;
1101 {
1102 vchar_t *pbuf = NULL;
1103 struct isakmp_parse_t *pa;
1104 int error = -1;
1105 int vid_numeric;
1106
1107 /* validity check */
1108 if (iph1->status != PHASE1ST_START) {
1109 plog(LLV_ERROR, LOCATION, NULL,
1110 "status mismatched %d.\n", iph1->status);
1111 goto end;
1112 }
1113
1114 /* validate the type of next payload */
1115 /*
1116 * NOTE: XXX even if multiple VID, we'll silently ignore those.
1117 */
1118 pbuf = isakmp_parse(msg);
1119 if (pbuf == NULL) {
1120 plog(LLV_ERROR, LOCATION, NULL,
1121 "failed to parse msg");
1122 goto end;
1123 }
1124 pa = (struct isakmp_parse_t *)pbuf->v;
1125
1126 /* check the position of SA payload */
1127 if (pa->type != ISAKMP_NPTYPE_SA) {
1128 plog(LLV_ERROR, LOCATION, iph1->remote,
1129 "received invalid next payload type %d, "
1130 "expecting %d.\n",
1131 pa->type, ISAKMP_NPTYPE_SA);
1132 goto end;
1133 }
1134 if (isakmp_p2ph(&iph1->sa, pa->ptr) < 0) {
1135 plog(LLV_ERROR, LOCATION, NULL,
1136 "failed to process SA payload");
1137 goto end;
1138 }
1139 pa++;
1140
1141 for (/*nothing*/;
1142 pa->type != ISAKMP_NPTYPE_NONE;
1143 pa++) {
1144
1145 switch (pa->type) {
1146 case ISAKMP_NPTYPE_VID:
1147 vid_numeric = check_vendorid(pa->ptr);
1148 #ifdef ENABLE_NATT
1149 if (iph1->rmconf->nat_traversal && natt_vendorid(vid_numeric))
1150 natt_handle_vendorid(iph1, vid_numeric);
1151 #endif
1152 #ifdef ENABLE_FRAG
1153 if ((vid_numeric == VENDORID_FRAG) &&
1154 (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_IDENT))
1155 iph1->frag = 1;
1156 #endif
1157 #ifdef ENABLE_HYBRID
1158 switch (vid_numeric) {
1159 case VENDORID_XAUTH:
1160 iph1->mode_cfg->flags |=
1161 ISAKMP_CFG_VENDORID_XAUTH;
1162 break;
1163
1164 case VENDORID_UNITY:
1165 iph1->mode_cfg->flags |=
1166 ISAKMP_CFG_VENDORID_UNITY;
1167 break;
1168
1169 default:
1170 break;
1171 }
1172 #endif
1173 #ifdef ENABLE_DPD
1174 if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd)
1175 iph1->dpd_support=1;
1176 #endif
1177 break;
1178 default:
1179 /*
1180 * We don't send information to the peer even
1181 * if we received malformed packet. Because we
1182 * can't distinguish the malformed packet and
1183 * the re-sent packet. And we do same behavior
1184 * when we expect encrypted packet.
1185 */
1186 plog(LLV_ERROR, LOCATION, iph1->remote,
1187 "ignore the packet, "
1188 "received unexpecting payload type %d.\n",
1189 pa->type);
1190 goto end;
1191 }
1192 }
1193
1194 #ifdef ENABLE_NATT
1195 if (NATT_AVAILABLE(iph1)) {
1196 plog(LLV_INFO, LOCATION, iph1->remote,
1197 "Selected NAT-T version: %s\n",
1198 vid_string_by_id(iph1->natt_options->version));
1199 ike_session_update_natt_version(iph1);
1200 }
1201 #endif
1202
1203 /* check SA payload and set approval SA for use */
1204 if (ipsecdoi_checkph1proposal(iph1->sa, iph1) < 0) {
1205 plog(LLV_ERROR, LOCATION, iph1->remote,
1206 "failed to get valid proposal.\n");
1207 /* XXX send information */
1208 goto end;
1209 }
1210
1211 iph1->status = PHASE1ST_MSG1RECEIVED;
1212
1213 error = 0;
1214
1215 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1216 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
1217 CONSTSTR("Responder, Main-Mode message 1"),
1218 CONSTSTR(NULL));
1219
1220 end:
1221 if (error) {
1222 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1223 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
1224 CONSTSTR("Responder, Main-Mode Message 1"),
1225 CONSTSTR("Failed to process Main-Mode Message 1"));
1226 }
1227 if (pbuf)
1228 vfree(pbuf);
1229 if (error) {
1230 VPTRINIT(iph1->sa);
1231 }
1232
1233 return error;
1234 }
1235
1236 /*
1237 * send to initiator
1238 * psk: HDR, SA
1239 * sig: HDR, SA
1240 * rsa: HDR, SA
1241 * rev: HDR, SA
1242 */
1243 int
1244 ident_r1send(iph1, msg)
1245 struct ph1handle *iph1;
1246 vchar_t *msg;
1247 {
1248 struct payload_list *plist = NULL;
1249 int error = -1;
1250 vchar_t *gss_sa = NULL;
1251 #ifdef HAVE_GSSAPI
1252 int free_gss_sa = 0;
1253 #endif
1254 #ifdef ENABLE_NATT
1255 vchar_t *vid_natt = NULL;
1256 #endif
1257 #ifdef ENABLE_HYBRID
1258 vchar_t *vid_xauth = NULL;
1259 vchar_t *vid_unity = NULL;
1260 #endif
1261 #ifdef ENABLE_DPD
1262 vchar_t *vid_dpd = NULL;
1263 #endif
1264 #ifdef ENABLE_FRAG
1265 vchar_t *vid_frag = NULL;
1266 #endif
1267
1268 /* validity check */
1269 if (iph1->status != PHASE1ST_MSG1RECEIVED) {
1270 plog(LLV_ERROR, LOCATION, NULL,
1271 "status mismatched %d.\n", iph1->status);
1272 goto end;
1273 }
1274
1275 /* set responder's cookie */
1276 isakmp_newcookie((caddr_t)&iph1->index.r_ck, iph1->remote, iph1->local);
1277
1278 #ifdef HAVE_GSSAPI
1279 if (iph1->approval->gssid != NULL) {
1280 gss_sa = ipsecdoi_setph1proposal(iph1->approval);
1281 if (gss_sa != iph1->sa_ret)
1282 free_gss_sa = 1;
1283 } else
1284 #endif
1285 gss_sa = iph1->sa_ret;
1286
1287 /* set SA payload to reply */
1288 plist = isakmp_plist_append(plist, gss_sa, ISAKMP_NPTYPE_SA);
1289
1290 #ifdef ENABLE_HYBRID
1291 if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) {
1292 plog (LLV_INFO, LOCATION, NULL, "Adding xauth VID payload.\n");
1293 if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL) {
1294 plog(LLV_ERROR, LOCATION, NULL,
1295 "Cannot create Xauth vendor ID\n");
1296 goto end;
1297 }
1298 plist = isakmp_plist_append(plist,
1299 vid_xauth, ISAKMP_NPTYPE_VID);
1300 }
1301
1302 if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_UNITY) {
1303 if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL) {
1304 plog(LLV_ERROR, LOCATION, NULL,
1305 "Cannot create Unity vendor ID\n");
1306 goto end;
1307 }
1308 plist = isakmp_plist_append(plist,
1309 vid_unity, ISAKMP_NPTYPE_VID);
1310 }
1311 #endif
1312 #ifdef ENABLE_NATT
1313 /* Has the peer announced NAT-T? */
1314 if (NATT_AVAILABLE(iph1))
1315 vid_natt = set_vendorid(iph1->natt_options->version);
1316
1317 if (vid_natt)
1318 plist = isakmp_plist_append(plist, vid_natt, ISAKMP_NPTYPE_VID);
1319 #endif
1320 #ifdef ENABLE_DPD
1321 /* XXX only send DPD VID if remote sent it ? */
1322 if(iph1->rmconf->dpd){
1323 vid_dpd = set_vendorid(VENDORID_DPD);
1324 if (vid_dpd != NULL)
1325 plist = isakmp_plist_append(plist, vid_dpd, ISAKMP_NPTYPE_VID);
1326 }
1327 #endif
1328 #ifdef ENABLE_FRAG
1329 if (iph1->frag) {
1330 vid_frag = set_vendorid(VENDORID_FRAG);
1331 if (vid_frag != NULL)
1332 vid_frag = isakmp_frag_addcap(vid_frag,
1333 VENDORID_FRAG_IDENT);
1334 if (vid_frag == NULL)
1335 plog(LLV_ERROR, LOCATION, NULL,
1336 "Frag vendorID construction failed\n");
1337 else
1338 plist = isakmp_plist_append(plist,
1339 vid_frag, ISAKMP_NPTYPE_VID);
1340 }
1341 #endif
1342
1343 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
1344
1345 #ifdef HAVE_PRINT_ISAKMP_C
1346 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
1347 #endif
1348
1349 /* send the packet, add to the schedule to resend */
1350 iph1->retry_counter = iph1->rmconf->retry_counter;
1351 if (isakmp_ph1resend(iph1) == -1) {
1352 plog(LLV_ERROR, LOCATION, NULL,
1353 "failed to send packet");
1354 goto end;
1355 }
1356
1357 /* the sending message is added to the received-list. */
1358 if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
1359 PH1_NON_ESP_EXTRA_LEN(iph1)) == -1) {
1360 plog(LLV_ERROR , LOCATION, NULL,
1361 "failed to add a response packet to the tree.\n");
1362 goto end;
1363 }
1364
1365 iph1->status = PHASE1ST_MSG1SENT;
1366
1367 #ifdef ENABLE_VPNCONTROL_PORT
1368 vpncontrol_notify_phase_change(1, FROM_LOCAL, iph1, NULL);
1369 #endif
1370
1371 error = 0;
1372
1373 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1374 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
1375 CONSTSTR("Responder, Main-Mode message 2"),
1376 CONSTSTR(NULL));
1377
1378 end:
1379 if (error) {
1380 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1381 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
1382 CONSTSTR("Responder, Main-Mode Message 2"),
1383 CONSTSTR("Failed to transmit Main-Mode Message 2"));
1384 }
1385 #ifdef HAVE_GSSAPI
1386 if (free_gss_sa)
1387 vfree(gss_sa);
1388 #endif
1389 #ifdef ENABLE_NATT
1390 if (vid_natt)
1391 vfree(vid_natt);
1392 #endif
1393 #ifdef ENABLE_HYBRID
1394 if (vid_xauth != NULL)
1395 vfree(vid_xauth);
1396 if (vid_unity != NULL)
1397 vfree(vid_unity);
1398 #endif
1399 #ifdef ENABLE_DPD
1400 if (vid_dpd != NULL)
1401 vfree(vid_dpd);
1402 #endif
1403 #ifdef ENABLE_FRAG
1404 if (vid_frag != NULL)
1405 vfree(vid_frag);
1406 #endif
1407
1408 return error;
1409 }
1410
1411 /*
1412 * receive from initiator
1413 * psk: HDR, KE, Ni
1414 * sig: HDR, KE, Ni
1415 * gssapi: HDR, KE, Ni, GSSi
1416 * rsa: HDR, KE, [ HASH(1), ] <IDi1_b>PubKey_r, <Ni_b>PubKey_r
1417 * rev: HDR, [ HASH(1), ] <Ni_b>Pubkey_r, <KE_b>Ke_i,
1418 * <IDi1_b>Ke_i, [<<Cert-I_b>Ke_i]
1419 */
1420 int
1421 ident_r2recv(iph1, msg)
1422 struct ph1handle *iph1;
1423 vchar_t *msg;
1424 {
1425 vchar_t *pbuf = NULL;
1426 struct isakmp_parse_t *pa;
1427 int error = -1;
1428 #ifdef HAVE_GSSAPI
1429 vchar_t *gsstoken = NULL;
1430 #endif
1431 #ifdef ENABLE_NATT
1432 int natd_seq = 0;
1433 #endif
1434
1435 /* validity check */
1436 if (iph1->status != PHASE1ST_MSG1SENT) {
1437 plog(LLV_ERROR, LOCATION, NULL,
1438 "status mismatched %d.\n", iph1->status);
1439 goto end;
1440 }
1441
1442 /* validate the type of next payload */
1443 pbuf = isakmp_parse(msg);
1444 if (pbuf == NULL) {
1445 plog(LLV_ERROR, LOCATION, NULL,
1446 "failed to parse msg");
1447 goto end;
1448 }
1449
1450 for (pa = (struct isakmp_parse_t *)pbuf->v;
1451 pa->type != ISAKMP_NPTYPE_NONE;
1452 pa++) {
1453 switch (pa->type) {
1454 case ISAKMP_NPTYPE_KE:
1455 if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) {
1456 plog(LLV_ERROR, LOCATION, NULL,
1457 "failed to process KE payload");
1458 goto end;
1459 }
1460 break;
1461 case ISAKMP_NPTYPE_NONCE:
1462 if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) {
1463 plog(LLV_ERROR, LOCATION, NULL,
1464 "failed to process NONCE payload");
1465 goto end;
1466 }
1467 break;
1468 case ISAKMP_NPTYPE_VID:
1469 (void)check_vendorid(pa->ptr);
1470 break;
1471 case ISAKMP_NPTYPE_CR:
1472 plog(LLV_WARNING, LOCATION, iph1->remote,
1473 "CR received, ignore it. "
1474 "It should be in other exchange.\n");
1475 break;
1476 #ifdef HAVE_GSSAPI
1477 case ISAKMP_NPTYPE_GSS:
1478 if (isakmp_p2ph(&gsstoken, pa->ptr) < 0) {
1479 plog(LLV_ERROR, LOCATION, NULL,
1480 "failed to process GSS payload");
1481 goto end;
1482 }
1483 gssapi_save_received_token(iph1, gsstoken);
1484 break;
1485 #endif
1486
1487 #ifdef ENABLE_NATT
1488 case ISAKMP_NPTYPE_NATD_DRAFT:
1489 case ISAKMP_NPTYPE_NATD_RFC:
1490 #ifdef __APPLE__
1491 case ISAKMP_NPTYPE_NATD_BADDRAFT:
1492 #endif
1493 if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL &&
1494 pa->type == iph1->natt_options->payload_nat_d)
1495 {
1496 vchar_t *natd_received = NULL;
1497 int natd_verified;
1498
1499 if (isakmp_p2ph (&natd_received, pa->ptr) < 0) {
1500 plog(LLV_ERROR, LOCATION, NULL,
1501 "failed to process NATD payload");
1502 goto end;
1503 }
1504
1505 if (natd_seq == 0)
1506 iph1->natt_flags |= NAT_DETECTED;
1507
1508 natd_verified = natt_compare_addr_hash (iph1,
1509 natd_received, natd_seq++);
1510
1511 plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n",
1512 natd_seq - 1,
1513 natd_verified ? "verified" : "doesn't match");
1514
1515 vfree (natd_received);
1516 break;
1517 }
1518 /* %%%% Be lenient here - some servers send natd payloads */
1519 /* when no nat is detected */
1520 break;
1521 #endif
1522
1523 default:
1524 /* don't send information, see ident_r1recv() */
1525 plog(LLV_ERROR, LOCATION, iph1->remote,
1526 "ignore the packet, "
1527 "received unexpecting payload type %d.\n",
1528 pa->type);
1529 goto end;
1530 }
1531 }
1532
1533 #ifdef ENABLE_NATT
1534 if (NATT_AVAILABLE(iph1))
1535 plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n",
1536 iph1->natt_flags & NAT_DETECTED ?
1537 "detected:" : "not detected",
1538 iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "",
1539 iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : "");
1540 #endif
1541
1542 /* payload existency check */
1543 if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) {
1544 plog(LLV_ERROR, LOCATION, iph1->remote,
1545 "few isakmp message received.\n");
1546 goto end;
1547 }
1548
1549 iph1->status = PHASE1ST_MSG2RECEIVED;
1550
1551 error = 0;
1552
1553 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1554 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
1555 CONSTSTR("Responder, Main-Mode message 3"),
1556 CONSTSTR(NULL));
1557
1558 end:
1559 if (error) {
1560 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1561 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
1562 CONSTSTR("Responder, Main-Mode Message 3"),
1563 CONSTSTR("Failed to process Main-Mode Message 3"));
1564 }
1565 if (pbuf)
1566 vfree(pbuf);
1567 #ifdef HAVE_GSSAPI
1568 if (gsstoken)
1569 vfree(gsstoken);
1570 #endif
1571
1572 if (error) {
1573 VPTRINIT(iph1->dhpub_p);
1574 VPTRINIT(iph1->nonce_p);
1575 VPTRINIT(iph1->id_p);
1576 }
1577
1578 return error;
1579 }
1580
1581 /*
1582 * send to initiator
1583 * psk: HDR, KE, Nr
1584 * sig: HDR, KE, Nr [, CR ]
1585 * gssapi: HDR, KE, Nr, GSSr
1586 * rsa: HDR, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i
1587 * rev: HDR, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDr1_b>Ke_r,
1588 */
1589 int
1590 ident_r2send(iph1, msg)
1591 struct ph1handle *iph1;
1592 vchar_t *msg;
1593 {
1594 int error = -1;
1595
1596 /* validity check */
1597 if (iph1->status != PHASE1ST_MSG2RECEIVED) {
1598 plog(LLV_ERROR, LOCATION, NULL,
1599 "status mismatched %d.\n", iph1->status);
1600 goto end;
1601 }
1602
1603 /* generate DH public value */
1604 if (oakley_dh_generate(iph1->approval->dhgrp,
1605 &iph1->dhpub, &iph1->dhpriv) < 0) {
1606 plog(LLV_ERROR, LOCATION, NULL,
1607 "failed to generate DH");
1608 goto end;
1609 }
1610
1611 /* generate NONCE value */
1612 iph1->nonce = eay_set_random(iph1->rmconf->nonce_size);
1613 if (iph1->nonce == NULL) {
1614 plog(LLV_ERROR, LOCATION, NULL,
1615 "failed to generate NONCE");
1616 goto end;
1617 }
1618
1619 #ifdef HAVE_GSSAPI
1620 if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB)
1621 gssapi_get_rtoken(iph1, NULL);
1622 #endif
1623
1624 /* create HDR;KE;NONCE payload */
1625 iph1->sendbuf = ident_ir2mx(iph1);
1626 if (iph1->sendbuf == NULL) {
1627 plog(LLV_ERROR, LOCATION, NULL,
1628 "failed to allocate send buffer");
1629 goto end;
1630 }
1631
1632 #ifdef HAVE_PRINT_ISAKMP_C
1633 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
1634 #endif
1635
1636 /* send the packet, add to the schedule to resend */
1637 iph1->retry_counter = iph1->rmconf->retry_counter;
1638 if (isakmp_ph1resend(iph1) == -1) {
1639 plog(LLV_ERROR, LOCATION, NULL,
1640 "failed to send packet");
1641 goto end;
1642 }
1643
1644 /* the sending message is added to the received-list. */
1645 if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
1646 PH1_NON_ESP_EXTRA_LEN(iph1)) == -1) {
1647 plog(LLV_ERROR , LOCATION, NULL,
1648 "failed to add a response packet to the tree.\n");
1649 goto end;
1650 }
1651
1652 /* compute sharing secret of DH */
1653 if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub,
1654 iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) {
1655 plog(LLV_ERROR, LOCATION, NULL,
1656 "failed to compute DH");
1657 goto end;
1658 }
1659
1660 /* generate SKEYIDs & IV & final cipher key */
1661 if (oakley_skeyid(iph1) < 0) {
1662 plog(LLV_ERROR, LOCATION, NULL,
1663 "failed to generate SKEYID");
1664 goto end;
1665 }
1666 if (oakley_skeyid_dae(iph1) < 0) {
1667 plog(LLV_ERROR, LOCATION, NULL,
1668 "failed to generate SKEYID-DAE");
1669 goto end;
1670 }
1671 if (oakley_compute_enckey(iph1) < 0) {
1672 plog(LLV_ERROR, LOCATION, NULL,
1673 "failed to generate ENCKEY");
1674 goto end;
1675 }
1676 if (oakley_newiv(iph1) < 0) {
1677 plog(LLV_ERROR, LOCATION, NULL,
1678 "failed to generate IV");
1679 goto end;
1680 }
1681
1682 iph1->status = PHASE1ST_MSG2SENT;
1683
1684 error = 0;
1685
1686 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1687 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
1688 CONSTSTR("Responder, Main-Mode message 4"),
1689 CONSTSTR(NULL));
1690
1691 end:
1692 if (error) {
1693 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1694 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
1695 CONSTSTR("Responder, Main-Mode Message 4"),
1696 CONSTSTR("Failed to transmit Main-Mode Message 4"));
1697 }
1698 return error;
1699 }
1700
1701 /*
1702 * receive from initiator
1703 * psk: HDR*, IDi1, HASH_I
1704 * sig: HDR*, IDi1, [ CR, ] [ CERT, ] SIG_I
1705 * gssapi: HDR*, [ IDi1, ] < GSSi(n) | HASH_I >
1706 * rsa: HDR*, HASH_I
1707 * rev: HDR*, HASH_I
1708 */
1709 int
1710 ident_r3recv(iph1, msg0)
1711 struct ph1handle *iph1;
1712 vchar_t *msg0;
1713 {
1714 vchar_t *msg = NULL;
1715 vchar_t *pbuf = NULL;
1716 struct isakmp_parse_t *pa;
1717 int error = -1;
1718 int type;
1719 #ifdef HAVE_GSSAPI
1720 vchar_t *gsstoken = NULL;
1721 #endif
1722
1723 /* validity check */
1724 if (iph1->status != PHASE1ST_MSG2SENT) {
1725 plog(LLV_ERROR, LOCATION, NULL,
1726 "status mismatched %d.\n", iph1->status);
1727 goto end;
1728 }
1729
1730 /* decrypting */
1731 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
1732 plog(LLV_ERROR, LOCATION, iph1->remote,
1733 "reject the packet, "
1734 "expecting the packet encrypted.\n");
1735 goto end;
1736 }
1737 msg = oakley_do_decrypt(iph1, msg0, iph1->ivm->iv, iph1->ivm->ive);
1738 if (msg == NULL) {
1739 plog(LLV_ERROR, LOCATION, NULL,
1740 "failed to decrypt");
1741 goto end;
1742 }
1743
1744 /* validate the type of next payload */
1745 pbuf = isakmp_parse(msg);
1746 if (pbuf == NULL) {
1747 plog(LLV_ERROR, LOCATION, NULL,
1748 "failed to parse msg");
1749 goto end;
1750 }
1751
1752 iph1->pl_hash = NULL;
1753
1754 for (pa = (struct isakmp_parse_t *)pbuf->v;
1755 pa->type != ISAKMP_NPTYPE_NONE;
1756 pa++) {
1757
1758 switch (pa->type) {
1759 case ISAKMP_NPTYPE_ID:
1760 if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) {
1761 plog(LLV_ERROR, LOCATION, NULL,
1762 "failed to process ID payload");
1763 goto end;
1764 }
1765 break;
1766 case ISAKMP_NPTYPE_HASH:
1767 iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr;
1768 break;
1769 case ISAKMP_NPTYPE_CR:
1770 if (oakley_savecr(iph1, pa->ptr) < 0) {
1771 plog(LLV_ERROR, LOCATION, NULL,
1772 "failed to process CR payload");
1773 goto end;
1774 }
1775 break;
1776 case ISAKMP_NPTYPE_CERT:
1777 if (oakley_savecert(iph1, pa->ptr) < 0) {
1778 plog(LLV_ERROR, LOCATION, NULL,
1779 "failed to process CERT payload");
1780 goto end;
1781 }
1782 break;
1783 case ISAKMP_NPTYPE_SIG:
1784 if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) {
1785 plog(LLV_ERROR, LOCATION, NULL,
1786 "failed to process SIG payload");
1787 goto end;
1788 }
1789 break;
1790 #ifdef HAVE_GSSAPI
1791 case ISAKMP_NPTYPE_GSS:
1792 if (isakmp_p2ph(&gsstoken, pa->ptr) < 0) {
1793 plog(LLV_ERROR, LOCATION, NULL,
1794 "failed to process GSS payload");
1795 goto end;
1796 }
1797 gssapi_save_received_token(iph1, gsstoken);
1798 break;
1799 #endif
1800 case ISAKMP_NPTYPE_VID:
1801 (void)check_vendorid(pa->ptr);
1802 break;
1803 case ISAKMP_NPTYPE_N:
1804 isakmp_check_notify(pa->ptr, iph1);
1805 break;
1806 default:
1807 /* don't send information, see ident_r1recv() */
1808 plog(LLV_ERROR, LOCATION, iph1->remote,
1809 "ignore the packet, "
1810 "received unexpecting payload type %d.\n",
1811 pa->type);
1812 goto end;
1813 }
1814 }
1815
1816 /* payload existency check */
1817 /* XXX same as ident_i4recv(), should be merged. */
1818 {
1819 int ng = 0;
1820
1821 switch (AUTHMETHOD(iph1)) {
1822 case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
1823 #ifdef ENABLE_HYBRID
1824 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
1825 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
1826 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
1827 #endif
1828 if (iph1->id_p == NULL || iph1->pl_hash == NULL)
1829 ng++;
1830 break;
1831 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
1832 case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
1833 #ifdef ENABLE_HYBRID
1834 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
1835 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
1836 #endif
1837 if (iph1->id_p == NULL || iph1->sig_p == NULL)
1838 ng++;
1839 break;
1840 case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
1841 case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
1842 #ifdef ENABLE_HYBRID
1843 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
1844 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
1845 #endif
1846 if (iph1->pl_hash == NULL)
1847 ng++;
1848 break;
1849 #ifdef HAVE_GSSAPI
1850 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
1851 if (gsstoken == NULL && iph1->pl_hash == NULL)
1852 ng++;
1853 break;
1854 #endif
1855 default:
1856 plog(LLV_ERROR, LOCATION, iph1->remote,
1857 "invalid authmethod %d why ?\n",
1858 iph1->approval->authmethod);
1859 goto end;
1860 }
1861 if (ng) {
1862 plog(LLV_ERROR, LOCATION, iph1->remote,
1863 "few isakmp message received.\n");
1864 goto end;
1865 }
1866 }
1867
1868 /* verify identifier */
1869 if (ipsecdoi_checkid1(iph1) != 0) {
1870 plog(LLV_ERROR, LOCATION, iph1->remote,
1871 "invalid ID payload.\n");
1872 goto end;
1873 }
1874
1875 /* validate authentication value */
1876 #ifdef HAVE_GSSAPI
1877 if (gsstoken == NULL) {
1878 #endif
1879 type = oakley_validate_auth(iph1);
1880 if (type != 0) {
1881 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1882 IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_FAIL,
1883 CONSTSTR("Responder, Main-Mode Message 5"),
1884 CONSTSTR("Failed to authenticate Main-Mode Message 5"));
1885 if (type == -1) {
1886 /* msg printed inner oakley_validate_auth() */
1887 goto end;
1888 }
1889 EVT_PUSH(iph1->local, iph1->remote,
1890 EVTT_PEERPH1AUTH_FAILED, NULL);
1891 isakmp_info_send_n1(iph1, type, NULL);
1892 goto end;
1893 }
1894 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1895 IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_SUCC,
1896 CONSTSTR("Responder, Main-Mode Message 5"),
1897 CONSTSTR(NULL));
1898 #ifdef HAVE_GSSAPI
1899 }
1900 #endif
1901
1902 if (oakley_checkcr(iph1) < 0) {
1903 /* Ignore this error in order to be interoperability. */
1904 ;
1905 }
1906
1907 /*
1908 * XXX: Should we do compare two addresses, ph1handle's and ID
1909 * payload's.
1910 */
1911
1912 plog(LLV_DEBUG, LOCATION, iph1->remote, "peer's ID\n");
1913 plogdump(LLV_DEBUG, iph1->id_p->v, iph1->id_p->l);
1914
1915 /* see handler.h about IV synchronization. */
1916 memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->ive->l);
1917
1918 #ifdef HAVE_GSSAPI
1919 iph1->status = gsstoken != NULL ? PHASE1ST_MSG2RECEIVED :
1920 PHASE1ST_MSG3RECEIVED;
1921 #else
1922 iph1->status = PHASE1ST_MSG3RECEIVED;
1923 #endif
1924
1925 error = 0;
1926
1927 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1928 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
1929 CONSTSTR("Responder, Main-Mode message 5"),
1930 CONSTSTR(NULL));
1931
1932 end:
1933 if (error) {
1934 IPSECSESSIONTRACEREVENT(iph1->parent_session,
1935 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
1936 CONSTSTR("Responder, Main-Mode Message 5"),
1937 CONSTSTR("Failed to process Main-Mode Message 5"));
1938 }
1939 if (pbuf)
1940 vfree(pbuf);
1941 if (msg)
1942 vfree(msg);
1943 #ifdef HAVE_GSSAPI
1944 if (gsstoken)
1945 vfree(gsstoken);
1946 #endif
1947
1948 if (error) {
1949 VPTRINIT(iph1->id_p);
1950 oakley_delcert(iph1->cert_p);
1951 iph1->cert_p = NULL;
1952 oakley_delcert(iph1->crl_p);
1953 iph1->crl_p = NULL;
1954 VPTRINIT(iph1->sig_p);
1955 oakley_delcert(iph1->cr_p);
1956 iph1->cr_p = NULL;
1957 }
1958
1959 return error;
1960 }
1961
1962 /*
1963 * send to initiator
1964 * psk: HDR*, IDr1, HASH_R
1965 * sig: HDR*, IDr1, [ CERT, ] SIG_R
1966 * gssapi: HDR*, IDr1, < GSSr(n) | HASH_R >
1967 * rsa: HDR*, HASH_R
1968 * rev: HDR*, HASH_R
1969 */
1970 int
1971 ident_r3send(iph1, msg)
1972 struct ph1handle *iph1;
1973 vchar_t *msg;
1974 {
1975 int error = -1;
1976 int dohash = 1;
1977 #ifdef HAVE_GSSAPI
1978 int len;
1979 #endif
1980
1981 /* validity check */
1982 if (iph1->status != PHASE1ST_MSG3RECEIVED) {
1983 plog(LLV_ERROR, LOCATION, NULL,
1984 "status mismatched %d.\n", iph1->status);
1985 goto end;
1986 }
1987
1988 /* make ID payload into isakmp status */
1989 if (ipsecdoi_setid1(iph1) < 0) {
1990 plog(LLV_ERROR, LOCATION, NULL,
1991 "failed to set ID");
1992 goto end;
1993 }
1994
1995 #ifdef HAVE_GSSAPI
1996 if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB &&
1997 gssapi_more_tokens(iph1)) {
1998 gssapi_get_rtoken(iph1, &len);
1999 if (len != 0)
2000 dohash = 0;
2001 }
2002 #endif
2003
2004 if (dohash) {
2005 /* generate HASH to send */
2006 plog(LLV_DEBUG, LOCATION, NULL, "generate HASH_R\n");
2007 iph1->hash = oakley_ph1hash_common(iph1, GENERATE);
2008 if (iph1->hash == NULL) {
2009 plog(LLV_ERROR, LOCATION, NULL,
2010 "failed to generate HASH");
2011 goto end;
2012 }
2013 } else
2014 iph1->hash = NULL;
2015
2016 /* set encryption flag */
2017 iph1->flags |= ISAKMP_FLAG_E;
2018
2019 /* create HDR;ID;HASH payload */
2020 iph1->sendbuf = ident_ir3mx(iph1);
2021 if (iph1->sendbuf == NULL) {
2022 plog(LLV_ERROR, LOCATION, NULL,
2023 "failed to create send buffer");
2024 goto end;
2025 }
2026
2027 /* send HDR;ID;HASH to responder */
2028 if (isakmp_send(iph1, iph1->sendbuf) < 0) {
2029 plog(LLV_ERROR, LOCATION, NULL,
2030 "failed to send packet");
2031 goto end;
2032 }
2033
2034 /* the sending message is added to the received-list. */
2035 if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
2036 PH1_NON_ESP_EXTRA_LEN(iph1)) == -1) {
2037 plog(LLV_ERROR , LOCATION, NULL,
2038 "failed to add a response packet to the tree.\n");
2039 goto end;
2040 }
2041
2042 /* see handler.h about IV synchronization. */
2043 memcpy(iph1->ivm->ive->v, iph1->ivm->iv->v, iph1->ivm->iv->l);
2044
2045 iph1->status = PHASE1ST_ESTABLISHED;
2046
2047 IPSECSESSIONTRACEREVENT(iph1->parent_session,
2048 IPSECSESSIONEVENTCODE_IKEV1_PH1_RESP_SUCC,
2049 CONSTSTR("Responder, Main-Mode"),
2050 CONSTSTR(NULL));
2051
2052 error = 0;
2053
2054 IPSECSESSIONTRACEREVENT(iph1->parent_session,
2055 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
2056 CONSTSTR("Responder, Main-Mode message 6"),
2057 CONSTSTR(NULL));
2058
2059 end:
2060 if (error) {
2061 IPSECSESSIONTRACEREVENT(iph1->parent_session,
2062 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
2063 CONSTSTR("Responder, Main-Mode Message 6"),
2064 CONSTSTR("Failed to process Main-Mode Message 6"));
2065 }
2066
2067 return error;
2068 }
2069
2070 /*
2071 * This is used in main mode for:
2072 * initiator's 3rd exchange send to responder
2073 * psk: HDR, KE, Ni
2074 * sig: HDR, KE, Ni
2075 * rsa: HDR, KE, [ HASH(1), ] <IDi1_b>PubKey_r, <Ni_b>PubKey_r
2076 * rev: HDR, [ HASH(1), ] <Ni_b>Pubkey_r, <KE_b>Ke_i,
2077 * <IDi1_b>Ke_i, [<<Cert-I_b>Ke_i]
2078 * responders 2nd exchnage send to initiator
2079 * psk: HDR, KE, Nr
2080 * sig: HDR, KE, Nr [, CR ]
2081 * rsa: HDR, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i
2082 * rev: HDR, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDr1_b>Ke_r,
2083 */
2084 static vchar_t *
2085 ident_ir2mx(iph1)
2086 struct ph1handle *iph1;
2087 {
2088 vchar_t *buf = 0;
2089 struct payload_list *plist = NULL;
2090 int need_cr = 0;
2091 vchar_t *cr = NULL;
2092 vchar_t *vid = NULL;
2093 int error = -1;
2094 #ifdef HAVE_GSSAPI
2095 vchar_t *gsstoken = NULL;
2096 #endif
2097 #ifdef ENABLE_NATT
2098 vchar_t *natd[2] = { NULL, NULL };
2099 #endif
2100
2101 /* create CR if need */
2102 if (iph1->side == RESPONDER
2103 && iph1->rmconf->send_cr
2104 && oakley_needcr(iph1->approval->authmethod)
2105 && iph1->rmconf->peerscertfile == NULL) {
2106 need_cr = 1;
2107 cr = oakley_getcr(iph1);
2108 if (cr == NULL) {
2109 plog(LLV_ERROR, LOCATION, NULL,
2110 "failed to get cr buffer.\n");
2111 goto end;
2112 }
2113 }
2114
2115 #ifdef HAVE_GSSAPI
2116 if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB)
2117 gssapi_get_token_to_send(iph1, &gsstoken);
2118 #endif
2119
2120 /* create isakmp KE payload */
2121 plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE);
2122
2123 /* create isakmp NONCE payload */
2124 plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE);
2125
2126 #ifdef HAVE_GSSAPI
2127 if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB)
2128 plist = isakmp_plist_append(plist, gsstoken, ISAKMP_NPTYPE_GSS);
2129 #endif
2130
2131 /* append vendor id, if needed */
2132 if (vid)
2133 plist = isakmp_plist_append(plist, vid, ISAKMP_NPTYPE_VID);
2134
2135 /* create isakmp CR payload if needed */
2136 if (need_cr)
2137 plist = isakmp_plist_append(plist, cr, ISAKMP_NPTYPE_CR);
2138
2139 #ifdef ENABLE_NATT
2140 /* generate and append NAT-D payloads */
2141 if (NATT_AVAILABLE(iph1) && iph1->status == PHASE1ST_MSG2RECEIVED)
2142 {
2143 if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) {
2144 plog(LLV_ERROR, LOCATION, NULL,
2145 "NAT-D hashing failed for %s\n", saddr2str(iph1->remote));
2146 goto end;
2147 }
2148
2149 if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) {
2150 plog(LLV_ERROR, LOCATION, NULL,
2151 "NAT-D hashing failed for %s\n", saddr2str(iph1->local));
2152 goto end;
2153 }
2154
2155 plog (LLV_INFO, LOCATION, NULL, "Adding remote and local NAT-D payloads.\n");
2156 #ifdef __APPLE__
2157 /* old Apple version sends natd payloads in the wrong order */
2158 if (iph1->natt_options->version == VENDORID_NATT_APPLE) {
2159 plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
2160 plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
2161 } else
2162 #endif
2163 {
2164 plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
2165 plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
2166 }
2167 }
2168 #endif
2169
2170 buf = isakmp_plist_set_all (&plist, iph1);
2171
2172 error = 0;
2173
2174 end:
2175 if (error && buf != NULL) {
2176 vfree(buf);
2177 buf = NULL;
2178 }
2179 if (cr)
2180 vfree(cr);
2181 #ifdef HAVE_GSSAPI
2182 if (gsstoken)
2183 vfree(gsstoken);
2184 #endif
2185 if (vid)
2186 vfree(vid);
2187
2188 #ifdef ENABLE_NATT
2189 if (natd[0])
2190 vfree(natd[0]);
2191 if (natd[1])
2192 vfree(natd[1]);
2193 #endif
2194
2195 return buf;
2196 }
2197
2198 /*
2199 * This is used in main mode for:
2200 * initiator's 4th exchange send to responder
2201 * psk: HDR*, IDi1, HASH_I
2202 * sig: HDR*, IDi1, [ CR, ] [ CERT, ] SIG_I
2203 * gssapi: HDR*, [ IDi1, ] < GSSi(n) | HASH_I >
2204 * rsa: HDR*, HASH_I
2205 * rev: HDR*, HASH_I
2206 * responders 3rd exchnage send to initiator
2207 * psk: HDR*, IDr1, HASH_R
2208 * sig: HDR*, IDr1, [ CERT, ] SIG_R
2209 * gssapi: HDR*, [ IDr1, ] < GSSr(n) | HASH_R >
2210 * rsa: HDR*, HASH_R
2211 * rev: HDR*, HASH_R
2212 */
2213 static vchar_t *
2214 ident_ir3mx(iph1)
2215 struct ph1handle *iph1;
2216 {
2217 struct payload_list *plist = NULL;
2218 vchar_t *buf = NULL, *new = NULL;
2219 int need_cr = 0;
2220 int need_cert = 0;
2221 vchar_t *cr = NULL;
2222 int error = -1;
2223 #ifdef HAVE_GSSAPI
2224 int nptype;
2225 vchar_t *gsstoken = NULL;
2226 vchar_t *gsshash = NULL;
2227 #endif
2228
2229 switch (AUTHMETHOD(iph1)) {
2230 case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
2231 #ifdef ENABLE_HYBRID
2232 case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
2233 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
2234 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
2235 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
2236 #endif
2237 /* create isakmp ID payload */
2238 plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
2239
2240 /* create isakmp HASH payload */
2241 plist = isakmp_plist_append(plist, iph1->hash, ISAKMP_NPTYPE_HASH);
2242 break;
2243 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
2244 case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
2245 #ifdef ENABLE_HYBRID
2246 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
2247 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
2248 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
2249 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
2250 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
2251 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
2252 #endif
2253 if (oakley_getmycert(iph1) < 0) {
2254 plog(LLV_ERROR, LOCATION, NULL,
2255 "failed to get mycert");
2256 goto end;
2257 }
2258
2259 if (oakley_getsign(iph1) < 0) {
2260 plog(LLV_ERROR, LOCATION, NULL,
2261 "failed to get sign");
2262 goto end;
2263 }
2264
2265 /* create CR if need */
2266 if (iph1->side == INITIATOR
2267 && iph1->rmconf->send_cr
2268 && oakley_needcr(iph1->approval->authmethod)
2269 && iph1->rmconf->peerscertfile == NULL) {
2270 need_cr = 1;
2271 cr = oakley_getcr(iph1);
2272 if (cr == NULL) {
2273 plog(LLV_ERROR, LOCATION, NULL,
2274 "failed to get CR");
2275 goto end;
2276 }
2277 }
2278
2279 if (iph1->cert != NULL && iph1->rmconf->send_cert)
2280 need_cert = 1;
2281
2282 /* add ID payload */
2283 plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
2284
2285 /* add CERT payload if there */
2286 if (need_cert)
2287 plist = isakmp_plist_append(plist, iph1->cert->pl, ISAKMP_NPTYPE_CERT);
2288 /* add SIG payload */
2289 plist = isakmp_plist_append(plist, iph1->sig, ISAKMP_NPTYPE_SIG);
2290
2291 /* create isakmp CR payload */
2292 if (need_cr)
2293 plist = isakmp_plist_append(plist, cr, ISAKMP_NPTYPE_CR);
2294 break;
2295 #ifdef HAVE_GSSAPI
2296 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
2297 if (iph1->hash != NULL) {
2298 gsshash = gssapi_wraphash(iph1);
2299 if (gsshash == NULL) {
2300 plog(LLV_ERROR, LOCATION, NULL,
2301 "failed to generate GSSAPI HASH");
2302 goto end;
2303 }
2304 } else {
2305 gssapi_get_token_to_send(iph1, &gsstoken);
2306 }
2307
2308 if (!gssapi_id_sent(iph1)) {
2309 /* create isakmp ID payload */
2310 plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
2311 gssapi_set_id_sent(iph1);
2312 }
2313
2314 if (iph1->hash != NULL)
2315 /* create isakmp HASH payload */
2316 plist = isakmp_plist_append(plist, gsshash, ISAKMP_NPTYPE_HASH);
2317 else
2318 plist = isakmp_plist_append(plist, gsstoken, ISAKMP_NPTYPE_GSS);
2319 break;
2320 #endif
2321 case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
2322 case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
2323 #ifdef ENABLE_HYBRID
2324 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
2325 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
2326 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
2327 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
2328 #endif
2329 plog(LLV_ERROR, LOCATION, NULL,
2330 "not supported authentication type %d\n",
2331 iph1->approval->authmethod);
2332 goto end;
2333 default:
2334 plog(LLV_ERROR, LOCATION, NULL,
2335 "invalid authentication type %d\n",
2336 iph1->approval->authmethod);
2337 goto end;
2338 }
2339
2340 buf = isakmp_plist_set_all (&plist, iph1);
2341
2342 #ifdef HAVE_PRINT_ISAKMP_C
2343 isakmp_printpacket(buf, iph1->local, iph1->remote, 1);
2344 #endif
2345
2346 /* encoding */
2347 new = oakley_do_encrypt(iph1, buf, iph1->ivm->ive, iph1->ivm->iv);
2348 if (new == NULL) {
2349 plog(LLV_ERROR, LOCATION, NULL,
2350 "failed to encrypt");
2351 goto end;
2352 }
2353
2354 vfree(buf);
2355
2356 buf = new;
2357
2358 error = 0;
2359
2360 end:
2361 #ifdef HAVE_GSSAPI
2362 if (gsstoken)
2363 vfree(gsstoken);
2364 #endif
2365 if (cr)
2366 vfree(cr);
2367 if (error && buf != NULL) {
2368 vfree(buf);
2369 buf = NULL;
2370 }
2371
2372 return buf;
2373 }
mirror of ipsec