]> git.saurik.com Git - apple/network_cmds.git/blob - racoon.tproj/isakmp_agg.c
projects / apple / network_cmds.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
network_cmds-245.1.tar.gz
[apple/network_cmds.git] / racoon.tproj / isakmp_agg.c
1 /* $KAME: isakmp_agg.c,v 1.55 2001/12/12 15:29:13 sakane Exp $ */
2
3 /*
4 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the project nor the names of its contributors
16 * may be used to endorse or promote products derived from this software
17 * without specific prior written permission.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * SUCH DAMAGE.
30 */
31
32 /* Aggressive Exchange (Aggressive Mode) */
33
34 #include <sys/types.h>
35 #include <sys/param.h>
36
37 #include <stdlib.h>
38 #include <stdio.h>
39 #include <string.h>
40 #include <errno.h>
41 #if TIME_WITH_SYS_TIME
42 # include <sys/time.h>
43 # include <time.h>
44 #else
45 # if HAVE_SYS_TIME_H
46 # include <sys/time.h>
47 # else
48 # include <time.h>
49 # endif
50 #endif
51 #include <netinet/in.h>
52
53 #include "var.h"
54 #include "misc.h"
55 #include "vmbuf.h"
56 #include "plog.h"
57 #include "sockmisc.h"
58 #include "schedule.h"
59 #include "debug.h"
60
61 #include "localconf.h"
62 #include "remoteconf.h"
63 #include "isakmp_var.h"
64 #include "isakmp.h"
65 #include "oakley.h"
66 #include "handler.h"
67 #include "ipsec_doi.h"
68 #include "crypto_openssl.h"
69 #include "pfkey.h"
70 #include "isakmp_agg.h"
71 #include "isakmp_inf.h"
72 #include "isakmp_natd.h"
73 #include "vendorid.h"
74 #include "strnames.h"
75
76 #ifdef HAVE_GSSAPI
77 #include "gssapi.h"
78 #endif
79
80 /*
81 * begin Aggressive Mode as initiator.
82 */
83 /*
84 * send to responder
85 * psk: HDR, SA, KE, Ni, IDi1
86 * sig: HDR, SA, KE, Ni, IDi1 [, CR ]
87 * gssapi: HDR, SA, KE, Ni, IDi1, GSSi
88 * rsa: HDR, SA, [ HASH(1),] KE, <IDi1_b>Pubkey_r, <Ni_b>Pubkey_r
89 * rev: HDR, SA, [ HASH(1),] <Ni_b>Pubkey_r, <KE_b>Ke_i,
90 * <IDii_b>Ke_i [, <Cert-I_b>Ke_i ]
91 */
92 int
93 agg_i1send(iph1, msg)
94 struct ph1handle *iph1;
95 vchar_t *msg; /* must be null */
96 {
97 struct isakmp_gen *gen;
98 caddr_t p;
99 int tlen;
100 int need_cr = 0;
101 vchar_t *cr = NULL, *gsstoken = NULL;
102 vchar_t *vid = NULL;
103 int error = -1;
104 int nptype;
105 #ifdef HAVE_GSSAPI
106 int len;
107 #endif
108
109 /* validity check */
110 if (msg != NULL) {
111 plog(LLV_ERROR, LOCATION, NULL,
112 "msg has to be NULL in this function.\n");
113 goto end;
114 }
115 if (iph1->status != PHASE1ST_START) {
116 plog(LLV_ERROR, LOCATION, NULL,
117 "status mismatched %d.\n", iph1->status);
118 goto end;
119 }
120
121 /* create isakmp index */
122 memset(&iph1->index, 0, sizeof(iph1->index));
123 isakmp_newcookie((caddr_t)&iph1->index, iph1->remote, iph1->local);
124
125 /* make ID payload into isakmp status */
126 if (ipsecdoi_setid1(iph1) < 0)
127 goto end;
128
129 /* create SA payload for my proposal */
130 iph1->sa = ipsecdoi_setph1proposal(iph1->rmconf->proposal);
131 if (iph1->sa == NULL)
132 goto end;
133
134 /* consistency check of proposals */
135 if (iph1->rmconf->dhgrp == NULL) {
136 plog(LLV_ERROR, LOCATION, NULL,
137 "configuration failure about DH group.\n");
138 goto end;
139 }
140
141 /* generate DH public value */
142 if (oakley_dh_generate(iph1->rmconf->dhgrp,
143 &iph1->dhpub, &iph1->dhpriv) < 0)
144 goto end;
145
146 /* generate NONCE value */
147 iph1->nonce = eay_set_random(iph1->rmconf->nonce_size);
148 if (iph1->nonce == NULL)
149 goto end;
150
151 #ifdef IKE_NAT_T
152 vid = set_vendorid(VENDORID_NATT);
153 #endif
154
155 #ifdef HAVE_SIGNING_C
156 /* create CR if need */
157 if (iph1->rmconf->send_cr
158 && oakley_needcr(iph1->rmconf->proposal->authmethod)
159 && iph1->rmconf->peerscertfile == NULL) {
160 need_cr = 1;
161 cr = oakley_getcr(iph1);
162 if (cr == NULL) {
163 plog(LLV_ERROR, LOCATION, NULL,
164 "failed to get cr buffer.\n");
165 goto end;
166 }
167 }
168 #endif
169 plog(LLV_DEBUG, LOCATION, NULL, "authmethod is %s\n",
170 s_oakley_attr_method(iph1->rmconf->proposal->authmethod));
171 /* create buffer to send isakmp payload */
172 tlen = sizeof(struct isakmp)
173 + sizeof(*gen) + iph1->sa->l
174 + sizeof(*gen) + iph1->dhpub->l
175 + sizeof(*gen) + iph1->nonce->l
176 + sizeof(*gen) + iph1->id->l;
177 if (need_cr)
178 tlen += sizeof(*gen) + cr->l;
179 #ifdef HAVE_GSSAPI
180 if (iph1->rmconf->proposal->authmethod ==
181 OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) {
182 gssapi_get_itoken(iph1, &len);
183 tlen += sizeof (*gen) + len;
184 }
185 #endif
186 if (vid)
187 tlen += sizeof(*gen) + vid->l;
188
189 iph1->sendbuf = vmalloc(tlen);
190 if (iph1->sendbuf == NULL) {
191 plog(LLV_ERROR, LOCATION, NULL,
192 "failed to get buffer to send.\n");
193 goto end;
194 }
195
196 /* set isakmp header */
197 p = set_isakmp_header(iph1->sendbuf, iph1, ISAKMP_NPTYPE_SA);
198 if (p == NULL)
199 goto end;
200
201 /* set SA payload to propose */
202 p = set_isakmp_payload(p, iph1->sa, ISAKMP_NPTYPE_KE);
203
204 /* create isakmp KE payload */
205 p = set_isakmp_payload(p, iph1->dhpub, ISAKMP_NPTYPE_NONCE);
206
207 /* create isakmp NONCE payload */
208 p = set_isakmp_payload(p, iph1->nonce, ISAKMP_NPTYPE_ID);
209
210 /* create isakmp ID payload */
211 #ifdef HAVE_GSSAPI
212 if (iph1->rmconf->proposal->authmethod ==
213 OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB)
214 nptype = ISAKMP_NPTYPE_GSS;
215 else
216 #endif
217 if (need_cr)
218 nptype = ISAKMP_NPTYPE_CR;
219 else
220 nptype = vid ? ISAKMP_NPTYPE_VID : ISAKMP_NPTYPE_NONE;
221
222 p = set_isakmp_payload(p, iph1->id, nptype);
223
224 #ifdef HAVE_GSSAPI
225 if (iph1->rmconf->proposal->authmethod ==
226 OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) {
227 gssapi_get_token_to_send(iph1, &gsstoken);
228 p = set_isakmp_payload(p, gsstoken, vid ? ISAKMP_NPTYPE_VID : ISAKMP_NPTYPE_NONE);
229 } else
230 #endif
231 if (need_cr)
232 /* create isakmp CR payload */
233 p = set_isakmp_payload(p, cr, vid ? ISAKMP_NPTYPE_VID : ISAKMP_NPTYPE_NONE);
234
235 if (vid)
236 p = set_isakmp_payload(p, vid, ISAKMP_NPTYPE_NONE);
237
238 #ifdef HAVE_PRINT_ISAKMP_C
239 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
240 #endif
241
242 /* send the packet, add to the schedule to resend */
243 iph1->retry_counter = iph1->rmconf->retry_counter;
244 if (isakmp_ph1resend(iph1) == -1)
245 goto end;
246
247 iph1->status = PHASE1ST_MSG1SENT;
248
249 error = 0;
250
251 end:
252 if (cr)
253 vfree(cr);
254 if (gsstoken)
255 vfree(gsstoken);
256 if (vid)
257 vfree(vid);
258
259 return error;
260 }
261
262 /*
263 * receive from responder
264 * psk: HDR, SA, KE, Nr, IDr1, HASH_R
265 * sig: HDR, SA, KE, Nr, IDr1, [ CR, ] [ CERT, ] SIG_R
266 * gssapi: HDR, SA, KE, Nr, IDr1, GSSr, HASH_R
267 * rsa: HDR, SA, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i, HASH_R
268 * rev: HDR, SA, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDir_b>Ke_r, HASH_R
269 */
270 int
271 agg_i2recv(iph1, msg)
272 struct ph1handle *iph1;
273 vchar_t *msg;
274 {
275 vchar_t *pbuf = NULL;
276 struct isakmp_parse_t *pa;
277 vchar_t *satmp = NULL;
278 int error = -1;
279 #ifdef HAVE_GSSAPI
280 vchar_t *gsstoken = NULL;
281 #endif
282
283 /* validity check */
284 if (iph1->status != PHASE1ST_MSG1SENT) {
285 plog(LLV_ERROR, LOCATION, NULL,
286 "status mismatched %d.\n", iph1->status);
287 goto end;
288 }
289
290 /* validate the type of next payload */
291 pbuf = isakmp_parse(msg);
292 if (pbuf == NULL)
293 goto end;
294 pa = (struct isakmp_parse_t *)pbuf->v;
295
296 iph1->pl_hash = NULL;
297
298 /* SA payload is fixed postion */
299 if (pa->type != ISAKMP_NPTYPE_SA) {
300 plog(LLV_ERROR, LOCATION, iph1->remote,
301 "received invalid next payload type %d, "
302 "expecting %d.\n",
303 pa->type, ISAKMP_NPTYPE_SA);
304 goto end;
305 }
306 if (isakmp_p2ph(&satmp, pa->ptr) < 0)
307 goto end;
308 pa++;
309
310 for (/*nothing*/;
311 pa->type != ISAKMP_NPTYPE_NONE;
312 pa++) {
313
314 switch (pa->type) {
315 case ISAKMP_NPTYPE_KE:
316 if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0)
317 goto end;
318 break;
319 case ISAKMP_NPTYPE_NONCE:
320 if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0)
321 goto end;
322 break;
323 case ISAKMP_NPTYPE_ID:
324 if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0)
325 goto end;
326 break;
327 case ISAKMP_NPTYPE_HASH:
328 iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr;
329 break;
330 #ifdef HAVE_SIGNING_C
331 case ISAKMP_NPTYPE_CR:
332 if (oakley_savecr(iph1, pa->ptr) < 0)
333 goto end;
334 break;
335 case ISAKMP_NPTYPE_CERT:
336 if (oakley_savecert(iph1, pa->ptr) < 0)
337 goto end;
338 break;
339 case ISAKMP_NPTYPE_SIG:
340 if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0)
341 goto end;
342 break;
343 #endif
344 case ISAKMP_NPTYPE_VID:
345 if (check_vendorid(pa->ptr) == VENDORID_NATT)
346 {
347 #ifdef IKE_NAT_T
348 iph1->natt_flags |= natt_remote_support;
349 #endif
350 }
351 break;
352 case ISAKMP_NPTYPE_N:
353 isakmp_check_notify(pa->ptr, iph1);
354 break;
355 #ifdef HAVE_GSSAPI
356 case ISAKMP_NPTYPE_GSS:
357 if (isakmp_p2ph(&gsstoken, pa->ptr) < 0)
358 goto end;
359 gssapi_save_received_token(iph1, gsstoken);
360 break;
361 #endif
362 case ISAKMP_NPTYPE_NATD:
363 /*
364 * ignored for now, we need to know the hash
365 * algorithm before we can evaluate the natd
366 * payload.
367 */
368 break;
369 default:
370 /* don't send information, see isakmp_ident_r1() */
371 plog(LLV_ERROR, LOCATION, iph1->remote,
372 "ignore the packet, "
373 "received unexpecting payload type %d.\n",
374 pa->type);
375 goto end;
376 }
377 }
378
379 /* payload existency check */
380 /* XXX to be checked each authentication method. */
381
382 /* verify identifier */
383 if (ipsecdoi_checkid1(iph1) != 0) {
384 plog(LLV_ERROR, LOCATION, iph1->remote,
385 "invalid ID payload.\n");
386 goto end;
387 }
388
389 /* check SA payload and set approval SA for use */
390 if (ipsecdoi_checkph1proposal(satmp, iph1) < 0) {
391 plog(LLV_ERROR, LOCATION, iph1->remote,
392 "failed to get valid proposal.\n");
393 /* XXX send information */
394 goto end;
395 }
396 if (iph1->sa_ret) {
397 vfree(iph1->sa_ret);
398 iph1->sa_ret = NULL;
399 }
400
401 /* fix isakmp index */
402 memcpy(&iph1->index.r_ck, &((struct isakmp *)msg->v)->r_ck,
403 sizeof(cookie_t));
404
405 /* check natd payloads */
406 #ifdef IKE_NAT_T
407 for (pa = (struct isakmp_parse_t *)pbuf->v;
408 pa->type != ISAKMP_NPTYPE_NONE;
409 pa++)
410 {
411 if (pa->type == ISAKMP_NPTYPE_NATD)
412 {
413 natd_match_t match = natd_matches(iph1, pa->ptr);
414 iph1->natt_flags |= natt_natd_received;
415 if ((match & natd_match_local) != 0)
416 iph1->natt_flags |= natt_no_local_nat;
417 if ((match & natd_match_remote) != 0)
418 iph1->natt_flags |= natt_no_remote_nat;
419 }
420 }
421 #endif
422
423 /* compute sharing secret of DH */
424 if (oakley_dh_compute(iph1->rmconf->dhgrp, iph1->dhpub,
425 iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0)
426 goto end;
427
428 /* generate SKEYIDs & IV & final cipher key */
429 if (oakley_skeyid(iph1) < 0)
430 goto end;
431 if (oakley_skeyid_dae(iph1) < 0)
432 goto end;
433 if (oakley_compute_enckey(iph1) < 0)
434 goto end;
435 if (oakley_newiv(iph1) < 0)
436 goto end;
437
438 #ifdef IKE_NAT_T
439 /* Determine if we need to switch to port 4500 */
440 if (natd_hasnat(iph1))
441 {
442 /* There is a NAT between us! Switch to port 4500. */
443 if (iph1->remote->sa_family == AF_INET)
444 {
445 struct sockaddr_in *sin = (struct sockaddr_in*)iph1->remote;
446 plog(LLV_INFO, LOCATION, NULL,
447 "detected NAT, switching to port %d for %s",
448 PORT_ISAKMP_NATT, saddr2str(iph1->remote));
449 sin->sin_port = htons(PORT_ISAKMP_NATT);
450 sin = (struct sockaddr_in*)iph1->local;
451 sin->sin_port = htons(PORT_ISAKMP_NATT);
452 }
453 }
454 #endif
455
456 /* validate authentication value */
457 {
458 int type;
459 type = oakley_validate_auth(iph1);
460 if (type != 0) {
461 if (type == -1) {
462 /* message printed inner oakley_validate_auth() */
463 goto end;
464 }
465 isakmp_info_send_n1(iph1, type, NULL);
466 goto end;
467 }
468 }
469
470 #ifdef HAVE_SIGNING_C
471 if (oakley_checkcr(iph1) < 0) {
472 /* Ignore this error in order to be interoperability. */
473 ;
474 }
475 #endif
476
477 /* change status of isakmp status entry */
478 iph1->status = PHASE1ST_MSG2RECEIVED;
479
480 error = 0;
481
482 end:
483 if (pbuf)
484 vfree(pbuf);
485 if (satmp)
486 vfree(satmp);
487 if (error) {
488 VPTRINIT(iph1->dhpub_p);
489 VPTRINIT(iph1->nonce_p);
490 VPTRINIT(iph1->id_p);
491 oakley_delcert(iph1->cert_p);
492 iph1->cert_p = NULL;
493 oakley_delcert(iph1->crl_p);
494 iph1->crl_p = NULL;
495 VPTRINIT(iph1->sig_p);
496 oakley_delcert(iph1->cr_p);
497 iph1->cr_p = NULL;
498 }
499
500 return error;
501 }
502
503 /*
504 * send to responder
505 * psk: HDR, HASH_I
506 * gssapi: HDR, HASH_I
507 * sig: HDR, [ CERT, ] SIG_I
508 * rsa: HDR, HASH_I
509 * rev: HDR, HASH_I
510 */
511 int
512 agg_i2send(iph1, msg)
513 struct ph1handle *iph1;
514 vchar_t *msg;
515 {
516 struct isakmp_gen *gen;
517 char *p = NULL;
518 int tlen;
519 int need_cert = 0;
520 int error = -1;
521 vchar_t *gsshash = NULL;
522 int need_natd = 0;
523
524 /* validity check */
525 if (iph1->status != PHASE1ST_MSG2RECEIVED) {
526 plog(LLV_ERROR, LOCATION, NULL,
527 "status mismatched %d.\n", iph1->status);
528 goto end;
529 }
530
531 /* generate HASH to send */
532 plog(LLV_DEBUG, LOCATION, NULL, "generate HASH_I\n");
533 iph1->hash = oakley_ph1hash_common(iph1, GENERATE);
534 if (iph1->hash == NULL) {
535 #ifdef HAVE_GSSAPI
536 if (gssapi_more_tokens(iph1))
537 isakmp_info_send_n1(iph1,
538 ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, NULL);
539 #endif
540 goto end;
541 }
542
543 tlen = sizeof(struct isakmp);
544
545 #ifdef IKE_NAT_T
546 if ((iph1->natt_flags & natt_remote_support) != 0) {
547 need_natd = 1;
548 natd_create(iph1);
549 if (iph1->local_natd)
550 tlen += sizeof(*gen) + iph1->local_natd->l;
551 if (iph1->remote_natd)
552 tlen += sizeof(*gen) + iph1->remote_natd->l;
553 }
554 #endif
555
556 switch (iph1->approval->authmethod) {
557 case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
558 tlen += sizeof(*gen) + iph1->hash->l;
559
560 iph1->sendbuf = vmalloc(tlen);
561 if (iph1->sendbuf == NULL) {
562 plog(LLV_ERROR, LOCATION, NULL,
563 "failed to get buffer to send.\n");
564 goto end;
565 }
566
567 /* set isakmp header */
568 p = set_isakmp_header(iph1->sendbuf, iph1, ISAKMP_NPTYPE_HASH);
569 if (p == NULL)
570 goto end;
571
572 /* set HASH payload */
573 p = set_isakmp_payload(p, iph1->hash,
574 need_natd ? ISAKMP_NPTYPE_NATD
575 : ISAKMP_NPTYPE_NONE);
576 break;
577 #ifdef HAVE_SIGNING_C
578 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
579 case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
580 /* XXX if there is CR or not ? */
581
582 if (oakley_getmycert(iph1) < 0)
583 goto end;
584
585 if (oakley_getsign(iph1) < 0)
586 goto end;
587
588 if (iph1->cert != NULL && iph1->rmconf->send_cert)
589 need_cert = 1;
590
591 tlen += sizeof(*gen) + iph1->sig->l;
592 if (need_cert)
593 tlen += sizeof(*gen) + iph1->cert->pl->l;
594
595 iph1->sendbuf = vmalloc(tlen);
596 if (iph1->sendbuf == NULL) {
597 plog(LLV_ERROR, LOCATION, NULL,
598 "failed to get buffer to send.\n");
599 goto end;
600 }
601
602 /* set isakmp header */
603 p = set_isakmp_header(iph1->sendbuf, iph1, need_cert
604 ? ISAKMP_NPTYPE_CERT
605 : ISAKMP_NPTYPE_SIG);
606 if (p == NULL)
607 goto end;
608
609 /* add CERT payload if there */
610 if (need_cert)
611 p = set_isakmp_payload(p, iph1->cert->pl, ISAKMP_NPTYPE_SIG);
612 /* add SIG payload */
613 p = set_isakmp_payload(p, iph1->sig,
614 need_natd ? ISAKMP_NPTYPE_NATD
615 : ISAKMP_NPTYPE_NONE);
616 break;
617 #endif
618 case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
619 case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
620 tlen += sizeof(*gen) + iph1->hash->l;
621 break;
622 #ifdef HAVE_GSSAPI
623 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
624 gsshash = gssapi_wraphash(iph1);
625 if (gsshash == NULL) {
626 plog(LLV_ERROR, LOCATION, NULL,
627 "failed to wrap hash\n");
628 isakmp_info_send_n1(iph1,
629 ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, NULL);
630 goto end;
631 }
632 tlen += sizeof(*gen) + gsshash->l;
633
634 iph1->sendbuf = vmalloc(tlen);
635 if (iph1->sendbuf == NULL) {
636 plog(LLV_ERROR, LOCATION, NULL,
637 "failed to get buffer to send.\n");
638 goto end;
639 }
640 /* set isakmp header */
641 p = set_isakmp_header(iph1->sendbuf, iph1, ISAKMP_NPTYPE_HASH);
642 if (p == NULL)
643 goto end;
644 p = set_isakmp_payload(p, gsshash,
645 need_natd ? ISAKMP_NPTYPE_NATD
646 : ISAKMP_NPTYPE_NONE);
647 break;
648 #endif
649 }
650
651 #ifdef IKE_NAT_T
652 if (need_natd) {
653 if (iph1->local_natd)
654 p = set_isakmp_payload(p, iph1->local_natd, ISAKMP_NPTYPE_NATD);
655 if (iph1->remote_natd)
656 p = set_isakmp_payload(p, iph1->remote_natd, ISAKMP_NPTYPE_NONE);
657 }
658 #endif
659
660 #ifdef HAVE_PRINT_ISAKMP_C
661 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
662 #endif
663
664 /* send to responder */
665 if (isakmp_send(iph1, iph1->sendbuf) < 0)
666 goto end;
667
668 /* the sending message is added to the received-list. */
669 if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) {
670 plog(LLV_ERROR , LOCATION, NULL,
671 "failed to add a response packet to the tree.\n");
672 goto end;
673 }
674
675 /* set encryption flag */
676 iph1->flags |= ISAKMP_FLAG_E;
677
678 iph1->status = PHASE1ST_ESTABLISHED;
679
680 error = 0;
681
682 end:
683 if (gsshash)
684 vfree(gsshash);
685 return error;
686 }
687
688 /*
689 * receive from initiator
690 * psk: HDR, SA, KE, Ni, IDi1
691 * sig: HDR, SA, KE, Ni, IDi1 [, CR ]
692 * gssapi: HDR, SA, KE, Ni, IDi1 , GSSi
693 * rsa: HDR, SA, [ HASH(1),] KE, <IDi1_b>Pubkey_r, <Ni_b>Pubkey_r
694 * rev: HDR, SA, [ HASH(1),] <Ni_b>Pubkey_r, <KE_b>Ke_i,
695 * <IDii_b>Ke_i [, <Cert-I_b>Ke_i ]
696 */
697 int
698 agg_r1recv(iph1, msg)
699 struct ph1handle *iph1;
700 vchar_t *msg;
701 {
702 int error = -1;
703 vchar_t *pbuf = NULL;
704 struct isakmp_parse_t *pa;
705 #ifdef HAVE_GSSAPI
706 vchar_t *gsstoken = NULL;
707 #endif
708
709 /* validity check */
710 if (iph1->status != PHASE1ST_START) {
711 plog(LLV_ERROR, LOCATION, NULL,
712 "status mismatched %d.\n", iph1->status);
713 goto end;
714 }
715
716 /* validate the type of next payload */
717 pbuf = isakmp_parse(msg);
718 if (pbuf == NULL)
719 goto end;
720 pa = (struct isakmp_parse_t *)pbuf->v;
721
722 /* SA payload is fixed postion */
723 if (pa->type != ISAKMP_NPTYPE_SA) {
724 plog(LLV_ERROR, LOCATION, iph1->remote,
725 "received invalid next payload type %d, "
726 "expecting %d.\n",
727 pa->type, ISAKMP_NPTYPE_SA);
728 goto end;
729 }
730 if (isakmp_p2ph(&iph1->sa, pa->ptr) < 0)
731 goto end;
732 pa++;
733
734 for (/*nothing*/;
735 pa->type != ISAKMP_NPTYPE_NONE;
736 pa++) {
737
738 plog(LLV_DEBUG, LOCATION, NULL,
739 "received payload of type %s\n",
740 s_isakmp_nptype(pa->type));
741
742 switch (pa->type) {
743 case ISAKMP_NPTYPE_KE:
744 if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0)
745 goto end;
746 break;
747 case ISAKMP_NPTYPE_NONCE:
748 if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0)
749 goto end;
750 break;
751 case ISAKMP_NPTYPE_ID:
752 if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0)
753 goto end;
754 break;
755 case ISAKMP_NPTYPE_VID:
756 if (check_vendorid(pa->ptr) == VENDORID_NATT)
757 {
758 #ifdef IKE_NAT_T
759 iph1->natt_flags |= natt_remote_support;
760 #endif
761 }
762 break;
763 #ifdef HAVE_SIGNING_C
764 case ISAKMP_NPTYPE_CR:
765 if (oakley_savecr(iph1, pa->ptr) < 0)
766 goto end;
767 break;
768 #endif
769 #ifdef HAVE_GSSAPI
770 case ISAKMP_NPTYPE_GSS:
771 if (isakmp_p2ph(&gsstoken, pa->ptr) < 0)
772 goto end;
773 gssapi_save_received_token(iph1, gsstoken);
774 break;
775 #endif
776 default:
777 /* don't send information, see isakmp_ident_r1() */
778 plog(LLV_ERROR, LOCATION, iph1->remote,
779 "ignore the packet, "
780 "received unexpecting payload type %d.\n",
781 pa->type);
782 goto end;
783 }
784 }
785
786 /* payload existency check */
787 /* XXX to be checked each authentication method. */
788
789 /* verify identifier */
790 if (ipsecdoi_checkid1(iph1) != 0) {
791 plog(LLV_ERROR, LOCATION, iph1->remote,
792 "invalid ID payload.\n");
793 goto end;
794 }
795
796 /* check SA payload and set approval SA for use */
797 if (ipsecdoi_checkph1proposal(iph1->sa, iph1) < 0) {
798 plog(LLV_ERROR, LOCATION, iph1->remote,
799 "failed to get valid proposal.\n");
800 /* XXX send information */
801 goto end;
802 }
803
804 #ifdef HAVE_SIGNING_C
805 if (oakley_checkcr(iph1) < 0) {
806 /* Ignore this error in order to be interoperability. */
807 ;
808 }
809 #endif
810
811 iph1->status = PHASE1ST_MSG1RECEIVED;
812
813 error = 0;
814
815 end:
816 if (pbuf)
817 vfree(pbuf);
818 if (error) {
819 VPTRINIT(iph1->sa);
820 VPTRINIT(iph1->dhpub_p);
821 VPTRINIT(iph1->nonce_p);
822 VPTRINIT(iph1->id_p);
823 oakley_delcert(iph1->cr_p);
824 iph1->cr_p = NULL;
825 }
826
827 return error;
828 }
829
830 /*
831 * send to initiator
832 * psk: HDR, SA, KE, Nr, IDr1, HASH_R
833 * sig: HDR, SA, KE, Nr, IDr1, [ CR, ] [ CERT, ] SIG_R
834 * gssapi: HDR, SA, KE, Nr, IDr1, GSSr, HASH_R
835 * rsa: HDR, SA, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i, HASH_R
836 * rev: HDR, SA, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDir_b>Ke_r, HASH_R
837 */
838 int
839 agg_r1send(iph1, msg)
840 struct ph1handle *iph1;
841 vchar_t *msg;
842 {
843 struct isakmp_gen *gen;
844 char *p = NULL;
845 int tlen;
846 int need_cr = 0;
847 int need_cert = 0;
848 vchar_t *cr = NULL;
849 vchar_t *vid = NULL;
850 int error = -1;
851 #ifdef HAVE_GSSAPI
852 int gsslen;
853 vchar_t *gsstoken = NULL, *gsshash = NULL;
854 vchar_t *gss_sa = NULL;
855 #endif
856 vchar_t *nattvid = NULL;
857
858 /* validity check */
859 if (iph1->status != PHASE1ST_MSG1RECEIVED) {
860 plog(LLV_ERROR, LOCATION, NULL,
861 "status mismatched %d.\n", iph1->status);
862 goto end;
863 }
864
865 /* set responder's cookie */
866 isakmp_newcookie((caddr_t)&iph1->index.r_ck, iph1->remote, iph1->local);
867
868 /* make ID payload into isakmp status */
869 if (ipsecdoi_setid1(iph1) < 0)
870 goto end;
871
872 /* generate DH public value */
873 if (oakley_dh_generate(iph1->rmconf->dhgrp,
874 &iph1->dhpub, &iph1->dhpriv) < 0)
875 goto end;
876
877 /* generate NONCE value */
878 iph1->nonce = eay_set_random(iph1->rmconf->nonce_size);
879 if (iph1->nonce == NULL)
880 goto end;
881
882 /* compute sharing secret of DH */
883 if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub,
884 iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0)
885 goto end;
886
887 /* generate SKEYIDs & IV & final cipher key */
888 if (oakley_skeyid(iph1) < 0)
889 goto end;
890 if (oakley_skeyid_dae(iph1) < 0)
891 goto end;
892 if (oakley_compute_enckey(iph1) < 0)
893 goto end;
894 if (oakley_newiv(iph1) < 0)
895 goto end;
896
897 #ifdef HAVE_GSSAPI
898 if (iph1->rmconf->proposal->authmethod ==
899 OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB)
900 gssapi_get_rtoken(iph1, &gsslen);
901 #endif
902
903 /* generate HASH to send */
904 plog(LLV_DEBUG, LOCATION, NULL, "generate HASH_R\n");
905 iph1->hash = oakley_ph1hash_common(iph1, GENERATE);
906 if (iph1->hash == NULL) {
907 #ifdef HAVE_GSSAPI
908 if (gssapi_more_tokens(iph1))
909 isakmp_info_send_n1(iph1,
910 ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, NULL);
911 #endif
912 goto end;
913 }
914
915 #ifdef HAVE_SIGNING_C
916 /* create CR if need */
917 if (iph1->rmconf->send_cr
918 && oakley_needcr(iph1->approval->authmethod)
919 && iph1->rmconf->peerscertfile == NULL) {
920 need_cr = 1;
921 cr = oakley_getcr(iph1);
922 if (cr == NULL) {
923 plog(LLV_ERROR, LOCATION, NULL,
924 "failed to get cr buffer.\n");
925 goto end;
926 }
927 }
928 #endif
929
930 tlen = sizeof(struct isakmp);
931
932 #ifdef IKE_NAT_T
933 if ((iph1->natt_flags & natt_remote_support) != 0) {
934 nattvid = set_vendorid(VENDORID_NATT);
935 natd_create(iph1);
936 if (nattvid) {
937 tlen += sizeof(*gen) + nattvid->l;
938 if (iph1->local_natd)
939 tlen += sizeof(*gen) + iph1->local_natd->l;
940 if (iph1->remote_natd)
941 tlen += sizeof(*gen) + iph1->remote_natd->l;
942 }
943 }
944 #endif
945
946 switch (iph1->approval->authmethod) {
947 case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
948 /* create buffer to send isakmp payload */
949 tlen += sizeof(*gen) + iph1->sa_ret->l
950 + sizeof(*gen) + iph1->dhpub->l
951 + sizeof(*gen) + iph1->nonce->l
952 + sizeof(*gen) + iph1->id->l
953 + sizeof(*gen) + iph1->hash->l;
954 if ((vid = set_vendorid(iph1->approval->vendorid)) != NULL)
955 tlen += sizeof(*gen) + vid->l;
956 if (need_cr)
957 tlen += sizeof(*gen) + cr->l;
958
959 iph1->sendbuf = vmalloc(tlen);
960 if (iph1->sendbuf == NULL) {
961 plog(LLV_ERROR, LOCATION, NULL,
962 "failed to get buffer to send\n");
963 goto end;
964 }
965
966 /* set isakmp header */
967 p = set_isakmp_header(iph1->sendbuf, iph1, ISAKMP_NPTYPE_SA);
968 if (p == NULL)
969 goto end;
970
971 /* set SA payload to reply */
972 p = set_isakmp_payload(p, iph1->sa_ret, ISAKMP_NPTYPE_KE);
973
974 /* create isakmp KE payload */
975 p = set_isakmp_payload(p, iph1->dhpub, ISAKMP_NPTYPE_NONCE);
976
977 /* create isakmp NONCE payload */
978 p = set_isakmp_payload(p, iph1->nonce, ISAKMP_NPTYPE_ID);
979
980 /* create isakmp ID payload */
981 p = set_isakmp_payload(p, iph1->id, ISAKMP_NPTYPE_HASH);
982
983 /* create isakmp HASH payload */
984 p = set_isakmp_payload(p, iph1->hash,
985 vid ? ISAKMP_NPTYPE_VID
986 : (need_cr ? ISAKMP_NPTYPE_CR
987 : (nattvid ? ISAKMP_NPTYPE_VID
988 : ISAKMP_NPTYPE_NONE)));
989
990 /* append vendor id, if needed */
991 if (vid)
992 p = set_isakmp_payload(p, vid,
993 need_cr ? ISAKMP_NPTYPE_CR
994 : (nattvid ? ISAKMP_NPTYPE_VID
995 : ISAKMP_NPTYPE_NONE));
996
997 /* create isakmp CR payload if needed */
998 if (need_cr)
999 p = set_isakmp_payload(p, cr,
1000 nattvid ? ISAKMP_NPTYPE_VID
1001 : ISAKMP_NPTYPE_NONE);
1002 break;
1003 #ifdef HAVE_SIGNING_C
1004 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
1005 case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
1006 /* XXX if there is CR or not ? */
1007
1008 if (oakley_getmycert(iph1) < 0)
1009 goto end;
1010
1011 if (oakley_getsign(iph1) < 0)
1012 goto end;
1013
1014 if (iph1->cert != NULL && iph1->rmconf->send_cert)
1015 need_cert = 1;
1016
1017 tlen += sizeof(*gen) + iph1->sa_ret->l
1018 + sizeof(*gen) + iph1->dhpub->l
1019 + sizeof(*gen) + iph1->nonce->l
1020 + sizeof(*gen) + iph1->id->l
1021 + sizeof(*gen) + iph1->sig->l;
1022 if (need_cert)
1023 tlen += sizeof(*gen) + iph1->cert->pl->l;
1024 if ((vid = set_vendorid(iph1->approval->vendorid)) != NULL)
1025 tlen += sizeof(*gen) + vid->l;
1026 if (need_cr)
1027 tlen += sizeof(*gen) + cr->l;
1028
1029 iph1->sendbuf = vmalloc(tlen);
1030 if (iph1->sendbuf == NULL) {
1031 plog(LLV_ERROR, LOCATION, NULL,
1032 "failed to get buffer to send.\n");
1033 goto end;
1034 }
1035
1036 /* set isakmp header */
1037 p = set_isakmp_header(iph1->sendbuf, iph1, ISAKMP_NPTYPE_SA);
1038 if (p == NULL)
1039 goto end;
1040
1041 /* set SA payload to reply */
1042 p = set_isakmp_payload(p, iph1->sa_ret, ISAKMP_NPTYPE_KE);
1043
1044 /* create isakmp KE payload */
1045 p = set_isakmp_payload(p, iph1->dhpub, ISAKMP_NPTYPE_NONCE);
1046
1047 /* create isakmp NONCE payload */
1048 p = set_isakmp_payload(p, iph1->nonce, ISAKMP_NPTYPE_ID);
1049
1050 /* add ID payload */
1051 p = set_isakmp_payload(p, iph1->id, need_cert
1052 ? ISAKMP_NPTYPE_CERT
1053 : ISAKMP_NPTYPE_SIG);
1054
1055 /* add CERT payload if there */
1056 if (need_cert)
1057 p = set_isakmp_payload(p, iph1->cert->pl, ISAKMP_NPTYPE_SIG);
1058 /* add SIG payload */
1059 p = set_isakmp_payload(p, iph1->sig,
1060 vid ? ISAKMP_NPTYPE_VID
1061 : (need_cr ? ISAKMP_NPTYPE_CR
1062 : ISAKMP_NPTYPE_NONE));
1063
1064 /* append vendor id, if needed */
1065 if (vid)
1066 p = set_isakmp_payload(p, vid,
1067 need_cr ? ISAKMP_NPTYPE_CR
1068 : (nattvid ? ISAKMP_NPTYPE_VID
1069 : ISAKMP_NPTYPE_NONE));
1070
1071 /* create isakmp CR payload if needed */
1072 if (need_cr)
1073 p = set_isakmp_payload(p, cr,
1074 nattvid ? ISAKMP_NPTYPE_VID
1075 : ISAKMP_NPTYPE_NONE);
1076
1077 #ifdef IKE_NAT_T
1078 if (nattvid) {
1079 p = set_isakmp_payload(p, nattvid, ISAKMP_NPTYPE_NATD);
1080 if (iph1->local_natd)
1081 p = set_isakmp_payload(p, iph1->local_natd, ISAKMP_NPTYPE_NATD);
1082 if (iph1->remote_natd)
1083 p = set_isakmp_payload(p, iph1->remote_natd, ISAKMP_NPTYPE_NONE);
1084 }
1085 #endif
1086 break;
1087 #endif
1088 case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
1089 case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
1090 tlen += sizeof(*gen) + iph1->hash->l;
1091 break;
1092 #ifdef HAVE_GSSAPI
1093 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
1094 /* create buffer to send isakmp payload */
1095 gsshash = gssapi_wraphash(iph1);
1096 if (gsshash == NULL) {
1097 plog(LLV_ERROR, LOCATION, NULL,
1098 "failed to wrap hash\n");
1099 /*
1100 * This is probably due to the GSS roundtrips not
1101 * being finished yet. Return this error in
1102 * the hope that a fallback to main mode will
1103 * be done.
1104 */
1105 isakmp_info_send_n1(iph1,
1106 ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, NULL);
1107 goto end;
1108 }
1109 if (iph1->approval->gssid != NULL)
1110 gss_sa = ipsecdoi_setph1proposal(iph1->approval);
1111 else
1112 gss_sa = iph1->sa_ret;
1113
1114 tlen += sizeof(*gen) + gss_sa->l
1115 + sizeof(*gen) + iph1->dhpub->l
1116 + sizeof(*gen) + iph1->nonce->l
1117 + sizeof(*gen) + iph1->id->l
1118 + sizeof(*gen) + gsslen
1119 + sizeof(*gen) + gsshash->l;
1120 if ((vid = set_vendorid(iph1->approval->vendorid)) != NULL)
1121 tlen += sizeof(*gen) + vid->l;
1122 iph1->sendbuf = vmalloc(tlen);
1123 if (iph1->sendbuf == NULL) {
1124 plog(LLV_ERROR, LOCATION, NULL,
1125 "failed to get buffer to send\n");
1126 goto end;
1127 }
1128
1129 /* set isakmp header */
1130 p = set_isakmp_header(iph1->sendbuf, iph1, ISAKMP_NPTYPE_SA);
1131 if (p == NULL)
1132 goto end;
1133
1134 /* set SA payload to reply */
1135 p = set_isakmp_payload(p, gss_sa, ISAKMP_NPTYPE_KE);
1136
1137 /* create isakmp KE payload */
1138 p = set_isakmp_payload(p, iph1->dhpub, ISAKMP_NPTYPE_NONCE);
1139
1140 /* create isakmp NONCE payload */
1141 p = set_isakmp_payload(p, iph1->nonce, ISAKMP_NPTYPE_ID);
1142
1143 /* create isakmp ID payload */
1144 p = set_isakmp_payload(p, iph1->id, ISAKMP_NPTYPE_GSS);
1145
1146 /* create GSS payload */
1147 gssapi_get_token_to_send(iph1, &gsstoken);
1148 p = set_isakmp_payload(p, gsstoken, ISAKMP_NPTYPE_HASH);
1149
1150 /* create isakmp HASH payload */
1151 p = set_isakmp_payload(p, gsshash,
1152 vid != NULL || nattvid != NULL ? ISAKMP_NPTYPE_VID
1153 : ISAKMP_NPTYPE_NONE);
1154
1155 /* append vendor id, if needed */
1156 if (vid)
1157 p = set_isakmp_payload(p, vid,
1158 nattvid != NULL ? ISAKMP_NPTYPE_VID
1159 : ISAKMP_NPTYPE_NONE);
1160 break;
1161 #endif
1162 }
1163
1164 #ifdef IKE_NAT_T
1165 if (nattvid) {
1166 p = set_isakmp_payload(p, nattvid, ISAKMP_NPTYPE_NATD);
1167 if (iph1->local_natd)
1168 p = set_isakmp_payload(p, iph1->local_natd, ISAKMP_NPTYPE_NATD);
1169 if (iph1->remote_natd)
1170 p = set_isakmp_payload(p, iph1->remote_natd, ISAKMP_NPTYPE_NONE);
1171 }
1172 #endif
1173
1174
1175 #ifdef HAVE_PRINT_ISAKMP_C
1176 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 1);
1177 #endif
1178
1179 /* send the packet, add to the schedule to resend */
1180 iph1->retry_counter = iph1->rmconf->retry_counter;
1181 if (isakmp_ph1resend(iph1) == -1)
1182 goto end;
1183
1184 /* the sending message is added to the received-list. */
1185 if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) {
1186 plog(LLV_ERROR , LOCATION, NULL,
1187 "failed to add a response packet to the tree.\n");
1188 goto end;
1189 }
1190
1191 iph1->status = PHASE1ST_MSG1SENT;
1192
1193 error = 0;
1194
1195 end:
1196 if (cr)
1197 vfree(cr);
1198 if (vid)
1199 vfree(vid);
1200 if (nattvid)
1201 vfree(nattvid);
1202 #ifdef HAVE_GSSAPI
1203 if (gsstoken)
1204 vfree(gsstoken);
1205 if (gsshash)
1206 vfree(gsshash);
1207 if (gss_sa != iph1->sa_ret)
1208 vfree(gss_sa);
1209 #endif
1210
1211 return error;
1212 }
1213
1214 /*
1215 * receive from initiator
1216 * psk: HDR, HASH_I
1217 * gssapi: HDR, HASH_I
1218 * sig: HDR, [ CERT, ] SIG_I
1219 * rsa: HDR, HASH_I
1220 * rev: HDR, HASH_I
1221 */
1222 int
1223 agg_r2recv(iph1, msg0)
1224 struct ph1handle *iph1;
1225 vchar_t *msg0;
1226 {
1227 vchar_t *msg = NULL;
1228 vchar_t *pbuf = NULL;
1229 struct isakmp_parse_t *pa;
1230 int error = -1;
1231
1232 /* validity check */
1233 if (iph1->status != PHASE1ST_MSG1SENT) {
1234 plog(LLV_ERROR, LOCATION, NULL,
1235 "status mismatched %d.\n", iph1->status);
1236 goto end;
1237 }
1238
1239 /* decrypting if need. */
1240 /* XXX configurable ? */
1241 if (ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
1242 msg = oakley_do_decrypt(iph1, msg0,
1243 iph1->ivm->iv, iph1->ivm->ive);
1244 if (msg == NULL)
1245 goto end;
1246 } else
1247 msg = vdup(msg0);
1248
1249 /* validate the type of next payload */
1250 pbuf = isakmp_parse(msg);
1251 if (pbuf == NULL)
1252 goto end;
1253
1254 iph1->pl_hash = NULL;
1255
1256 for (pa = (struct isakmp_parse_t *)pbuf->v;
1257 pa->type != ISAKMP_NPTYPE_NONE;
1258 pa++) {
1259
1260 switch (pa->type) {
1261 case ISAKMP_NPTYPE_HASH:
1262 iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr;
1263 break;
1264 case ISAKMP_NPTYPE_VID:
1265 (void)check_vendorid(pa->ptr);
1266 break;
1267 #ifdef HAVE_SIGNING_C
1268 case ISAKMP_NPTYPE_CERT:
1269 if (oakley_savecert(iph1, pa->ptr) < 0)
1270 goto end;
1271 break;
1272 case ISAKMP_NPTYPE_SIG:
1273 if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0)
1274 goto end;
1275 break;
1276 #endif
1277 case ISAKMP_NPTYPE_N:
1278 isakmp_check_notify(pa->ptr, iph1);
1279 break;
1280 case ISAKMP_NPTYPE_NATD:
1281 #ifdef IKE_NAT_T
1282 {
1283 natd_match_t match = natd_matches(iph1, pa->ptr);
1284 iph1->natt_flags |= natt_natd_received;
1285 if ((match & natd_match_local) != 0)
1286 iph1->natt_flags |= natt_no_local_nat;
1287 if ((match & natd_match_remote) != 0)
1288 iph1->natt_flags |= natt_no_remote_nat;
1289 }
1290 #endif
1291 break;
1292 default:
1293 /* don't send information, see isakmp_ident_r1() */
1294 plog(LLV_ERROR, LOCATION, iph1->remote,
1295 "ignore the packet, "
1296 "received unexpecting payload type %d.\n",
1297 pa->type);
1298 goto end;
1299 }
1300 }
1301
1302 /* validate authentication value */
1303 {
1304 int type;
1305 type = oakley_validate_auth(iph1);
1306 if (type != 0) {
1307 if (type == -1) {
1308 /* message printed inner oakley_validate_auth() */
1309 goto end;
1310 }
1311 isakmp_info_send_n1(iph1, type, NULL);
1312 goto end;
1313 }
1314 }
1315
1316 iph1->status = PHASE1ST_MSG2RECEIVED;
1317
1318 error = 0;
1319
1320 end:
1321 if (pbuf)
1322 vfree(pbuf);
1323 if (msg)
1324 vfree(msg);
1325 if (error) {
1326 oakley_delcert(iph1->cert_p);
1327 iph1->cert_p = NULL;
1328 oakley_delcert(iph1->crl_p);
1329 iph1->crl_p = NULL;
1330 VPTRINIT(iph1->sig_p);
1331 }
1332
1333 return error;
1334 }
1335
1336 /*
1337 * status update and establish isakmp sa.
1338 */
1339 int
1340 agg_r2send(iph1, msg)
1341 struct ph1handle *iph1;
1342 vchar_t *msg;
1343 {
1344 int error = -1;
1345
1346 /* validity check */
1347 if (iph1->status != PHASE1ST_MSG2RECEIVED) {
1348 plog(LLV_ERROR, LOCATION, NULL,
1349 "status mismatched %d.\n", iph1->status);
1350 goto end;
1351 }
1352
1353 /* IV synchronized when packet encrypted. */
1354 /* see handler.h about IV synchronization. */
1355 if (ISSET(((struct isakmp *)msg->v)->flags, ISAKMP_FLAG_E))
1356 memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->iv->l);
1357
1358 /* set encryption flag */
1359 iph1->flags |= ISAKMP_FLAG_E;
1360
1361 iph1->status = PHASE1ST_ESTABLISHED;
1362
1363 error = 0;
1364
1365 end:
1366 return error;
1367 }
mirror of network_cmds