1 /* $NetBSD: isakmp_base.c,v 1.7 2006/10/02 21:51:33 manu Exp $ */ 2 3 /* $KAME: isakmp_base.c,v 1.49 2003/11/13 02:30:20 sakane Exp $ */ 4 5 /* 6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of the project nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 /* Base Exchange (Base Mode) */ 35 36 #include "config.h" 37 38 #include <sys/types.h> 39 #include <sys/param.h> 40 41 #include <stdlib.h> 42 #include <stdio.h> 43 #include <string.h> 44 #include <errno.h> 45 #if TIME_WITH_SYS_TIME 46 # include <sys/time.h> 47 # include <time.h> 48 #else 49 # if HAVE_SYS_TIME_H 50 # include <sys/time.h> 51 # else 52 # include <time.h> 53 # endif 54 #endif 55 56 #include "var.h" 57 #include "misc.h" 58 #include "vmbuf.h" 59 #include "plog.h" 60 #include "sockmisc.h" 61 #include "schedule.h" 62 #include "debug.h" 63 64 #ifdef ENABLE_HYBRID 65 #include <resolv.h> 66 #endif 67 68 #include "localconf.h" 69 #include "remoteconf.h" 70 #include "isakmp_var.h" 71 #include "isakmp.h" 72 #include "evt.h" 73 #include "oakley.h" 74 #include "handler.h" 75 #include "ipsec_doi.h" 76 #include "crypto_openssl.h" 77 #include "pfkey.h" 78 #include "isakmp_base.h" 79 #include "isakmp_inf.h" 80 #include "vendorid.h" 81 #ifdef ENABLE_NATT 82 #include "nattraversal.h" 83 #endif 84 #ifdef ENABLE_FRAG 85 #include "isakmp_frag.h" 86 #endif 87 #ifdef ENABLE_HYBRID 88 #include "isakmp_xauth.h" 89 #include "isakmp_cfg.h" 90 #endif 91 92 /* %%% 93 * begin Identity Protection Mode as initiator. 94 */ 95 /* 96 * send to responder 97 * psk: HDR, SA, Idii, Ni_b 98 * sig: HDR, SA, Idii, Ni_b 99 * rsa: HDR, SA, [HASH(1),] <IDii_b>Pubkey_r, <Ni_b>Pubkey_r 100 * rev: HDR, SA, [HASH(1),] <Ni_b>Pubkey_r, <IDii_b>Ke_i 101 */ 102 int 103 base_i1send(iph1, msg) 104 struct ph1handle *iph1; 105 vchar_t *msg; /* must be null */ 106 { 107 struct payload_list *plist = NULL; 108 int error = -1; 109 #ifdef ENABLE_NATT 110 vchar_t *vid_natt[MAX_NATT_VID_COUNT] = { NULL }; 111 int i, vid_natt_i = 0; 112 #endif 113 #ifdef ENABLE_FRAG 114 vchar_t *vid_frag = NULL; 115 #endif 116 #ifdef ENABLE_HYBRID 117 vchar_t *vid_xauth = NULL; 118 vchar_t *vid_unity = NULL; 119 #endif 120 #ifdef ENABLE_DPD 121 vchar_t *vid_dpd = NULL; 122 #endif 123 124 125 /* validity check */ 126 if (msg != NULL) { 127 plog(LLV_ERROR, LOCATION, NULL, 128 "msg has to be NULL in this function.\n"); 129 goto end; 130 } 131 if (iph1->status != PHASE1ST_START) { 132 plog(LLV_ERROR, LOCATION, NULL, 133 "status mismatched %d.\n", iph1->status); 134 goto end; 135 } 136 137 /* create isakmp index */ 138 memset(&iph1->index, 0, sizeof(iph1->index)); 139 isakmp_newcookie((caddr_t)&iph1->index, iph1->remote, iph1->local); 140 141 /* make ID payload into isakmp status */ 142 if (ipsecdoi_setid1(iph1) < 0) 143 goto end; 144 145 /* create SA payload for my proposal */ 146 iph1->sa = ipsecdoi_setph1proposal(iph1->rmconf->proposal); 147 if (iph1->sa == NULL) 148 goto end; 149 150 /* generate NONCE value */ 151 iph1->nonce = eay_set_random(iph1->rmconf->nonce_size); 152 if (iph1->nonce == NULL) 153 goto end; 154 155 #ifdef ENABLE_HYBRID 156 /* Do we need Xauth VID? */ 157 switch (RMAUTHMETHOD(iph1)) { 158 case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I: 159 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: 160 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: 161 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: 162 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: 163 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I: 164 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I: 165 if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL) 166 plog(LLV_ERROR, LOCATION, NULL, 167 "Xauth vendor ID generation failed\n"); 168 169 if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL) 170 plog(LLV_ERROR, LOCATION, NULL, 171 "Unity vendor ID generation failed\n"); 172 break; 173 default: 174 break; 175 } 176 #endif 177 #ifdef ENABLE_FRAG 178 if (iph1->rmconf->ike_frag) { 179 vid_frag = set_vendorid(VENDORID_FRAG); 180 if (vid_frag != NULL) 181 vid_frag = isakmp_frag_addcap(vid_frag, 182 VENDORID_FRAG_BASE); 183 if (vid_frag == NULL) 184 plog(LLV_ERROR, LOCATION, NULL, 185 "Frag vendorID construction failed\n"); 186 } 187 #endif 188 #ifdef ENABLE_NATT 189 /* Is NAT-T support allowed in the config file? */ 190 if (iph1->rmconf->nat_traversal) { 191 /* Advertise NAT-T capability */ 192 memset (vid_natt, 0, sizeof (vid_natt)); 193 #ifdef VENDORID_NATT_00 194 if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_00)) != NULL) 195 vid_natt_i++; 196 #endif 197 #ifdef VENDORID_NATT_02 198 if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_02)) != NULL) 199 vid_natt_i++; 200 #endif 201 #ifdef VENDORID_NATT_02_N 202 if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_02_N)) != NULL) 203 vid_natt_i++; 204 #endif 205 #ifdef VENDORID_NATT_RFC 206 if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_RFC)) != NULL) 207 vid_natt_i++; 208 #endif 209 } 210 #endif 211 212 /* set SA payload to propose */ 213 plist = isakmp_plist_append(plist, iph1->sa, ISAKMP_NPTYPE_SA); 214 215 /* create isakmp ID payload */ 216 plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID); 217 218 /* create isakmp NONCE payload */ 219 plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE); 220 221 #ifdef ENABLE_FRAG 222 if (vid_frag) 223 plist = isakmp_plist_append(plist, vid_frag, ISAKMP_NPTYPE_VID); 224 #endif 225 #ifdef ENABLE_HYBRID 226 if (vid_xauth) 227 plist = isakmp_plist_append(plist, 228 vid_xauth, ISAKMP_NPTYPE_VID); 229 if (vid_unity) 230 plist = isakmp_plist_append(plist, 231 vid_unity, ISAKMP_NPTYPE_VID); 232 #endif 233 #ifdef ENABLE_DPD 234 if (iph1->rmconf->dpd) { 235 vid_dpd = set_vendorid(VENDORID_DPD); 236 if (vid_dpd != NULL) 237 plist = isakmp_plist_append(plist, vid_dpd, ISAKMP_NPTYPE_VID); 238 } 239 #endif 240 #ifdef ENABLE_NATT 241 /* set VID payload for NAT-T */ 242 for (i = 0; i < vid_natt_i; i++) 243 plist = isakmp_plist_append(plist, vid_natt[i], ISAKMP_NPTYPE_VID); 244 #endif 245 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1); 246 247 248 #ifdef HAVE_PRINT_ISAKMP_C 249 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0); 250 #endif 251 252 /* send the packet, add to the schedule to resend */ 253 iph1->retry_counter = iph1->rmconf->retry_counter; 254 if (isakmp_ph1resend(iph1) == -1) 255 goto end; 256 257 iph1->status = PHASE1ST_MSG1SENT; 258 259 error = 0; 260 261 end: 262 #ifdef ENABLE_FRAG 263 if (vid_frag) 264 vfree(vid_frag); 265 #endif 266 #ifdef ENABLE_NATT 267 for (i = 0; i < vid_natt_i; i++) 268 vfree(vid_natt[i]); 269 #endif 270 #ifdef ENABLE_HYBRID 271 if (vid_xauth != NULL) 272 vfree(vid_xauth); 273 if (vid_unity != NULL) 274 vfree(vid_unity); 275 #endif 276 #ifdef ENABLE_DPD 277 if (vid_dpd != NULL) 278 vfree(vid_dpd); 279 #endif 280 281 return error; 282 } 283 284 /* 285 * receive from responder 286 * psk: HDR, SA, Idir, Nr_b 287 * sig: HDR, SA, Idir, Nr_b, [ CR ] 288 * rsa: HDR, SA, <IDir_b>PubKey_i, <Nr_b>PubKey_i 289 * rev: HDR, SA, <Nr_b>PubKey_i, <IDir_b>Ke_r 290 */ 291 int 292 base_i2recv(iph1, msg) 293 struct ph1handle *iph1; 294 vchar_t *msg; 295 { 296 vchar_t *pbuf = NULL; 297 struct isakmp_parse_t *pa; 298 vchar_t *satmp = NULL; 299 int error = -1; 300 int vid_numeric; 301 #ifdef ENABLE_HYBRID 302 vchar_t *unity_vid; 303 vchar_t *xauth_vid; 304 #endif 305 306 /* validity check */ 307 if (iph1->status != PHASE1ST_MSG1SENT) { 308 plog(LLV_ERROR, LOCATION, NULL, 309 "status mismatched %d.\n", iph1->status); 310 goto end; 311 } 312 313 /* validate the type of next payload */ 314 pbuf = isakmp_parse(msg); 315 if (pbuf == NULL) 316 goto end; 317 pa = (struct isakmp_parse_t *)pbuf->v; 318 319 /* SA payload is fixed postion */ 320 if (pa->type != ISAKMP_NPTYPE_SA) { 321 plog(LLV_ERROR, LOCATION, iph1->remote, 322 "received invalid next payload type %d, " 323 "expecting %d.\n", 324 pa->type, ISAKMP_NPTYPE_SA); 325 goto end; 326 } 327 if (isakmp_p2ph(&satmp, pa->ptr) < 0) 328 goto end; 329 pa++; 330 331 for (/*nothing*/; 332 pa->type != ISAKMP_NPTYPE_NONE; 333 pa++) { 334 335 switch (pa->type) { 336 case ISAKMP_NPTYPE_NONCE: 337 if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) 338 goto end; 339 break; 340 case ISAKMP_NPTYPE_ID: 341 if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) 342 goto end; 343 break; 344 case ISAKMP_NPTYPE_VID: 345 vid_numeric = check_vendorid(pa->ptr); 346 #ifdef ENABLE_NATT 347 if (iph1->rmconf->nat_traversal && natt_vendorid(vid_numeric)) 348 natt_handle_vendorid(iph1, vid_numeric); 349 #endif 350 #ifdef ENABLE_HYBRID 351 switch (vid_numeric) { 352 case VENDORID_XAUTH: 353 iph1->mode_cfg->flags |= 354 ISAKMP_CFG_VENDORID_XAUTH; 355 break; 356 357 case VENDORID_UNITY: 358 iph1->mode_cfg->flags |= 359 ISAKMP_CFG_VENDORID_UNITY; 360 break; 361 362 default: 363 break; 364 } 365 #endif 366 #ifdef ENABLE_DPD 367 if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd) { 368 iph1->dpd_support=1; 369 plog(LLV_DEBUG, LOCATION, NULL, 370 "remote supports DPD\n"); 371 } 372 #endif 373 break; 374 default: 375 /* don't send information, see ident_r1recv() */ 376 plog(LLV_ERROR, LOCATION, iph1->remote, 377 "ignore the packet, " 378 "received unexpecting payload type %d.\n", 379 pa->type); 380 goto end; 381 } 382 } 383 384 if (iph1->nonce_p == NULL || iph1->id_p == NULL) { 385 plog(LLV_ERROR, LOCATION, iph1->remote, 386 "few isakmp message received.\n"); 387 goto end; 388 } 389 390 /* verify identifier */ 391 if (ipsecdoi_checkid1(iph1) != 0) { 392 plog(LLV_ERROR, LOCATION, iph1->remote, 393 "invalid ID payload.\n"); 394 goto end; 395 } 396 397 #ifdef ENABLE_NATT 398 if (NATT_AVAILABLE(iph1)) 399 plog(LLV_INFO, LOCATION, iph1->remote, 400 "Selected NAT-T version: %s\n", 401 vid_string_by_id(iph1->natt_options->version)); 402 #endif 403 404 /* check SA payload and set approval SA for use */ 405 if (ipsecdoi_checkph1proposal(satmp, iph1) < 0) { 406 plog(LLV_ERROR, LOCATION, iph1->remote, 407 "failed to get valid proposal.\n"); 408 /* XXX send information */ 409 goto end; 410 } 411 VPTRINIT(iph1->sa_ret); 412 413 iph1->status = PHASE1ST_MSG2RECEIVED; 414 415 error = 0; 416 417 end: 418 if (pbuf) 419 vfree(pbuf); 420 if (satmp) 421 vfree(satmp); 422 423 if (error) { 424 VPTRINIT(iph1->nonce_p); 425 VPTRINIT(iph1->id_p); 426 } 427 428 return error; 429 } 430 431 /* 432 * send to responder 433 * psk: HDR, KE, HASH_I 434 * sig: HDR, KE, [ CR, ] [CERT,] SIG_I 435 * rsa: HDR, KE, HASH_I 436 * rev: HDR, <KE>Ke_i, HASH_I 437 */ 438 int 439 base_i2send(iph1, msg) 440 struct ph1handle *iph1; 441 vchar_t *msg; 442 { 443 struct payload_list *plist = NULL; 444 vchar_t *vid = NULL; 445 int need_cert = 0; 446 int error = -1; 447 448 /* validity check */ 449 if (iph1->status != PHASE1ST_MSG2RECEIVED) { 450 plog(LLV_ERROR, LOCATION, NULL, 451 "status mismatched %d.\n", iph1->status); 452 goto end; 453 } 454 455 /* fix isakmp index */ 456 memcpy(&iph1->index.r_ck, &((struct isakmp *)msg->v)->r_ck, 457 sizeof(cookie_t)); 458 459 /* generate DH public value */ 460 if (oakley_dh_generate(iph1->approval->dhgrp, 461 &iph1->dhpub, &iph1->dhpriv) < 0) 462 goto end; 463 464 /* generate SKEYID to compute hash if not signature mode */ 465 switch (AUTHMETHOD(iph1)) { 466 case OAKLEY_ATTR_AUTH_METHOD_RSASIG: 467 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: 468 #ifdef ENABLE_HYBRID 469 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I: 470 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: 471 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: 472 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: 473 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: 474 #endif 475 break; 476 default: 477 if (oakley_skeyid(iph1) < 0) 478 goto end; 479 break; 480 } 481 482 /* generate HASH to send */ 483 plog(LLV_DEBUG, LOCATION, NULL, "generate HASH_I\n"); 484 iph1->hash = oakley_ph1hash_base_i(iph1, GENERATE); 485 if (iph1->hash == NULL) 486 goto end; 487 switch (AUTHMETHOD(iph1)) { 488 case OAKLEY_ATTR_AUTH_METHOD_PSKEY: 489 #ifdef ENABLE_HYBRID 490 case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I: 491 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: 492 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: 493 #endif 494 vid = set_vendorid(iph1->approval->vendorid); 495 496 /* create isakmp KE payload */ 497 plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE); 498 499 /* create isakmp HASH payload */ 500 plist = isakmp_plist_append(plist, iph1->hash, ISAKMP_NPTYPE_HASH); 501 502 /* append vendor id, if needed */ 503 if (vid) 504 plist = isakmp_plist_append(plist, vid, ISAKMP_NPTYPE_VID); 505 break; 506 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: 507 case OAKLEY_ATTR_AUTH_METHOD_RSASIG: 508 #ifdef ENABLE_HYBRID 509 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: 510 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: 511 #endif 512 /* XXX if there is CR or not ? */ 513 514 if (oakley_getmycert(iph1) < 0) 515 goto end; 516 517 if (oakley_getsign(iph1) < 0) 518 goto end; 519 520 if (iph1->cert && iph1->rmconf->send_cert) 521 need_cert = 1; 522 523 /* create isakmp KE payload */ 524 plist = isakmp_plist_append(plist, 525 iph1->dhpub, ISAKMP_NPTYPE_KE); 526 527 /* add CERT payload if there */ 528 if (need_cert) 529 plist = isakmp_plist_append(plist, 530 iph1->cert->pl, ISAKMP_NPTYPE_CERT); 531 532 /* add SIG payload */ 533 plist = isakmp_plist_append(plist, 534 iph1->sig, ISAKMP_NPTYPE_SIG); 535 536 break; 537 #ifdef HAVE_GSSAPI 538 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB: 539 /* ... */ 540 break; 541 #endif 542 case OAKLEY_ATTR_AUTH_METHOD_RSAENC: 543 case OAKLEY_ATTR_AUTH_METHOD_RSAREV: 544 #ifdef ENABLE_HYBRID 545 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I: 546 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I: 547 #endif 548 break; 549 } 550 551 #ifdef ENABLE_NATT 552 /* generate NAT-D payloads */ 553 if (NATT_AVAILABLE(iph1)) 554 { 555 vchar_t *natd[2] = { NULL, NULL }; 556 557 plog (LLV_INFO, LOCATION, NULL, "Adding remote and local NAT-D payloads.\n"); 558 if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) { 559 plog(LLV_ERROR, LOCATION, NULL, 560 "NAT-D hashing failed for %s\n", saddr2str(iph1->remote)); 561 goto end; 562 } 563 564 if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) { 565 plog(LLV_ERROR, LOCATION, NULL, 566 "NAT-D hashing failed for %s\n", saddr2str(iph1->local)); 567 goto end; 568 } 569 570 plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d); 571 plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d); 572 } 573 #endif 574 575 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1); 576 577 #ifdef HAVE_PRINT_ISAKMP_C 578 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0); 579 #endif 580 581 /* send the packet, add to the schedule to resend */ 582 iph1->retry_counter = iph1->rmconf->retry_counter; 583 if (isakmp_ph1resend(iph1) == -1) 584 goto end; 585 586 /* the sending message is added to the received-list. */ 587 if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) { 588 plog(LLV_ERROR , LOCATION, NULL, 589 "failed to add a response packet to the tree.\n"); 590 goto end; 591 } 592 593 iph1->status = PHASE1ST_MSG2SENT; 594 595 error = 0; 596 597 end: 598 if (vid) 599 vfree(vid); 600 return error; 601 } 602 603 /* 604 * receive from responder 605 * psk: HDR, KE, HASH_R 606 * sig: HDR, KE, [CERT,] SIG_R 607 * rsa: HDR, KE, HASH_R 608 * rev: HDR, <KE>_Ke_r, HASH_R 609 */ 610 int 611 base_i3recv(iph1, msg) 612 struct ph1handle *iph1; 613 vchar_t *msg; 614 { 615 vchar_t *pbuf = NULL; 616 struct isakmp_parse_t *pa; 617 int error = -1; 618 int ptype; 619 #ifdef ENABLE_NATT 620 vchar_t *natd_received; 621 int natd_seq = 0, natd_verified; 622 #endif 623 624 /* validity check */ 625 if (iph1->status != PHASE1ST_MSG2SENT) { 626 plog(LLV_ERROR, LOCATION, NULL, 627 "status mismatched %d.\n", iph1->status); 628 goto end; 629 } 630 631 /* validate the type of next payload */ 632 pbuf = isakmp_parse(msg); 633 if (pbuf == NULL) 634 goto end; 635 636 for (pa = (struct isakmp_parse_t *)pbuf->v; 637 pa->type != ISAKMP_NPTYPE_NONE; 638 pa++) { 639 640 switch (pa->type) { 641 case ISAKMP_NPTYPE_KE: 642 if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) 643 goto end; 644 break; 645 case ISAKMP_NPTYPE_HASH: 646 iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr; 647 break; 648 case ISAKMP_NPTYPE_CERT: 649 if (oakley_savecert(iph1, pa->ptr) < 0) 650 goto end; 651 break; 652 case ISAKMP_NPTYPE_SIG: 653 if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) 654 goto end; 655 break; 656 case ISAKMP_NPTYPE_VID: 657 (void)check_vendorid(pa->ptr); 658 break; 659 660 #ifdef ENABLE_NATT 661 case ISAKMP_NPTYPE_NATD_DRAFT: 662 case ISAKMP_NPTYPE_NATD_RFC: 663 if (NATT_AVAILABLE(iph1) && iph1->natt_options && 664 pa->type == iph1->natt_options->payload_nat_d) { 665 natd_received = NULL; 666 if (isakmp_p2ph (&natd_received, pa->ptr) < 0) 667 goto end; 668 669 /* set both bits first so that we can clear them 670 upon verifying hashes */ 671 if (natd_seq == 0) 672 iph1->natt_flags |= NAT_DETECTED; 673 674 /* this function will clear appropriate bits bits 675 from iph1->natt_flags */ 676 natd_verified = natt_compare_addr_hash (iph1, 677 natd_received, natd_seq++); 678 679 plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n", 680 natd_seq - 1, 681 natd_verified ? "verified" : "doesn't match"); 682 683 vfree (natd_received); 684 break; 685 } 686 /* passthrough to default... */ 687 #endif 688 689 default: 690 /* don't send information, see ident_r1recv() */ 691 plog(LLV_ERROR, LOCATION, iph1->remote, 692 "ignore the packet, " 693 "received unexpecting payload type %d.\n", 694 pa->type); 695 goto end; 696 } 697 } 698 699 #ifdef ENABLE_NATT 700 if (NATT_AVAILABLE(iph1)) { 701 plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n", 702 iph1->natt_flags & NAT_DETECTED ? 703 "detected:" : "not detected", 704 iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "", 705 iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : ""); 706 if (iph1->natt_flags & NAT_DETECTED) 707 natt_float_ports (iph1); 708 } 709 #endif 710 711 /* payload existency check */ 712 /* validate authentication value */ 713 ptype = oakley_validate_auth(iph1); 714 if (ptype != 0) { 715 if (ptype == -1) { 716 /* message printed inner oakley_validate_auth() */ 717 goto end; 718 } 719 EVT_PUSH(iph1->local, iph1->remote, 720 EVTT_PEERPH1AUTH_FAILED, NULL); 721 isakmp_info_send_n1(iph1, ptype, NULL); 722 goto end; 723 } 724 725 /* compute sharing secret of DH */ 726 if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub, 727 iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) 728 goto end; 729 730 /* generate SKEYID to compute hash if signature mode */ 731 switch (AUTHMETHOD(iph1)) { 732 case OAKLEY_ATTR_AUTH_METHOD_RSASIG: 733 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: 734 #ifdef ENABLE_HYBRID 735 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I: 736 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: 737 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: 738 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: 739 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: 740 #endif 741 if (oakley_skeyid(iph1) < 0) 742 goto end; 743 break; 744 default: 745 break; 746 } 747 748 /* generate SKEYIDs & IV & final cipher key */ 749 if (oakley_skeyid_dae(iph1) < 0) 750 goto end; 751 if (oakley_compute_enckey(iph1) < 0) 752 goto end; 753 if (oakley_newiv(iph1) < 0) 754 goto end; 755 756 /* see handler.h about IV synchronization. */ 757 memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->iv->l); 758 759 /* set encryption flag */ 760 iph1->flags |= ISAKMP_FLAG_E; 761 762 iph1->status = PHASE1ST_MSG3RECEIVED; 763 764 error = 0; 765 766 end: 767 if (pbuf) 768 vfree(pbuf); 769 770 if (error) { 771 VPTRINIT(iph1->dhpub_p); 772 oakley_delcert(iph1->cert_p); 773 iph1->cert_p = NULL; 774 oakley_delcert(iph1->crl_p); 775 iph1->crl_p = NULL; 776 VPTRINIT(iph1->sig_p); 777 } 778 779 return error; 780 } 781 782 /* 783 * status update and establish isakmp sa. 784 */ 785 int 786 base_i3send(iph1, msg) 787 struct ph1handle *iph1; 788 vchar_t *msg; 789 { 790 int error = -1; 791 792 /* validity check */ 793 if (iph1->status != PHASE1ST_MSG3RECEIVED) { 794 plog(LLV_ERROR, LOCATION, NULL, 795 "status mismatched %d.\n", iph1->status); 796 goto end; 797 } 798 799 iph1->status = PHASE1ST_ESTABLISHED; 800 801 error = 0; 802 803 end: 804 return error; 805 } 806 807 /* 808 * receive from initiator 809 * psk: HDR, SA, Idii, Ni_b 810 * sig: HDR, SA, Idii, Ni_b 811 * rsa: HDR, SA, [HASH(1),] <IDii_b>Pubkey_r, <Ni_b>Pubkey_r 812 * rev: HDR, SA, [HASH(1),] <Ni_b>Pubkey_r, <IDii_b>Ke_i 813 */ 814 int 815 base_r1recv(iph1, msg) 816 struct ph1handle *iph1; 817 vchar_t *msg; 818 { 819 vchar_t *pbuf = NULL; 820 struct isakmp_parse_t *pa; 821 int error = -1; 822 int vid_numeric; 823 824 /* validity check */ 825 if (iph1->status != PHASE1ST_START) { 826 plog(LLV_ERROR, LOCATION, NULL, 827 "status mismatched %d.\n", iph1->status); 828 goto end; 829 } 830 831 /* validate the type of next payload */ 832 /* 833 * NOTE: XXX even if multiple VID, we'll silently ignore those. 834 */ 835 pbuf = isakmp_parse(msg); 836 if (pbuf == NULL) 837 goto end; 838 pa = (struct isakmp_parse_t *)pbuf->v; 839 840 /* check the position of SA payload */ 841 if (pa->type != ISAKMP_NPTYPE_SA) { 842 plog(LLV_ERROR, LOCATION, iph1->remote, 843 "received invalid next payload type %d, " 844 "expecting %d.\n", 845 pa->type, ISAKMP_NPTYPE_SA); 846 goto end; 847 } 848 if (isakmp_p2ph(&iph1->sa, pa->ptr) < 0) 849 goto end; 850 pa++; 851 852 for (/*nothing*/; 853 pa->type != ISAKMP_NPTYPE_NONE; 854 pa++) { 855 856 switch (pa->type) { 857 case ISAKMP_NPTYPE_NONCE: 858 if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) 859 goto end; 860 break; 861 case ISAKMP_NPTYPE_ID: 862 if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) 863 goto end; 864 break; 865 case ISAKMP_NPTYPE_VID: 866 vid_numeric = check_vendorid(pa->ptr); 867 #ifdef ENABLE_NATT 868 if (iph1->rmconf->nat_traversal && natt_vendorid(vid_numeric)) 869 natt_handle_vendorid(iph1, vid_numeric); 870 #endif 871 #ifdef ENABLE_FRAG 872 if ((vid_numeric == VENDORID_FRAG) && 873 (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_BASE)) 874 iph1->frag = 1; 875 #endif 876 #ifdef ENABLE_HYBRID 877 switch (vid_numeric) { 878 case VENDORID_XAUTH: 879 iph1->mode_cfg->flags |= 880 ISAKMP_CFG_VENDORID_XAUTH; 881 break; 882 883 case VENDORID_UNITY: 884 iph1->mode_cfg->flags |= 885 ISAKMP_CFG_VENDORID_UNITY; 886 break; 887 888 default: 889 break; 890 } 891 #endif 892 #ifdef ENABLE_DPD 893 if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd) { 894 iph1->dpd_support=1; 895 plog(LLV_DEBUG, LOCATION, NULL, 896 "remote supports DPD\n"); 897 } 898 #endif 899 break; 900 default: 901 /* don't send information, see ident_r1recv() */ 902 plog(LLV_ERROR, LOCATION, iph1->remote, 903 "ignore the packet, " 904 "received unexpecting payload type %d.\n", 905 pa->type); 906 goto end; 907 } 908 } 909 910 if (iph1->nonce_p == NULL || iph1->id_p == NULL) { 911 plog(LLV_ERROR, LOCATION, iph1->remote, 912 "few isakmp message received.\n"); 913 goto end; 914 } 915 916 /* verify identifier */ 917 if (ipsecdoi_checkid1(iph1) != 0) { 918 plog(LLV_ERROR, LOCATION, iph1->remote, 919 "invalid ID payload.\n"); 920 goto end; 921 } 922 923 #ifdef ENABLE_NATT 924 if (NATT_AVAILABLE(iph1)) 925 plog(LLV_INFO, LOCATION, iph1->remote, 926 "Selected NAT-T version: %s\n", 927 vid_string_by_id(iph1->natt_options->version)); 928 #endif 929 930 /* check SA payload and set approval SA for use */ 931 if (ipsecdoi_checkph1proposal(iph1->sa, iph1) < 0) { 932 plog(LLV_ERROR, LOCATION, iph1->remote, 933 "failed to get valid proposal.\n"); 934 /* XXX send information */ 935 goto end; 936 } 937 938 iph1->status = PHASE1ST_MSG1RECEIVED; 939 940 error = 0; 941 942 end: 943 if (pbuf) 944 vfree(pbuf); 945 946 if (error) { 947 VPTRINIT(iph1->sa); 948 VPTRINIT(iph1->nonce_p); 949 VPTRINIT(iph1->id_p); 950 } 951 952 return error; 953 } 954 955 /* 956 * send to initiator 957 * psk: HDR, SA, Idir, Nr_b 958 * sig: HDR, SA, Idir, Nr_b, [ CR ] 959 * rsa: HDR, SA, <IDir_b>PubKey_i, <Nr_b>PubKey_i 960 * rev: HDR, SA, <Nr_b>PubKey_i, <IDir_b>Ke_r 961 */ 962 int 963 base_r1send(iph1, msg) 964 struct ph1handle *iph1; 965 vchar_t *msg; 966 { 967 struct payload_list *plist = NULL; 968 int error = -1; 969 #ifdef ENABLE_NATT 970 vchar_t *vid_natt = NULL; 971 #endif 972 #ifdef ENABLE_HYBRID 973 vchar_t *vid_xauth = NULL; 974 vchar_t *vid_unity = NULL; 975 #endif 976 #ifdef ENABLE_FRAG 977 vchar_t *vid_frag = NULL; 978 #endif 979 #ifdef ENABLE_DPD 980 vchar_t *vid_dpd = NULL; 981 #endif 982 983 /* validity check */ 984 if (iph1->status != PHASE1ST_MSG1RECEIVED) { 985 plog(LLV_ERROR, LOCATION, NULL, 986 "status mismatched %d.\n", iph1->status); 987 goto end; 988 } 989 990 /* set responder's cookie */ 991 isakmp_newcookie((caddr_t)&iph1->index.r_ck, iph1->remote, iph1->local); 992 993 /* make ID payload into isakmp status */ 994 if (ipsecdoi_setid1(iph1) < 0) 995 goto end; 996 997 /* generate NONCE value */ 998 iph1->nonce = eay_set_random(iph1->rmconf->nonce_size); 999 if (iph1->nonce == NULL) 1000 goto end; 1001 1002 /* set SA payload to reply */ 1003 plist = isakmp_plist_append(plist, iph1->sa_ret, ISAKMP_NPTYPE_SA); 1004 1005 /* create isakmp ID payload */ 1006 plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID); 1007 1008 /* create isakmp NONCE payload */ 1009 plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE); 1010 1011 #ifdef ENABLE_NATT 1012 /* has the peer announced nat-t? */ 1013 if (NATT_AVAILABLE(iph1)) 1014 vid_natt = set_vendorid(iph1->natt_options->version); 1015 if (vid_natt) 1016 plist = isakmp_plist_append(plist, vid_natt, ISAKMP_NPTYPE_VID); 1017 #endif 1018 #ifdef ENABLE_HYBRID 1019 if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) { 1020 plog (LLV_INFO, LOCATION, NULL, "Adding xauth VID payload.\n"); 1021 if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL) { 1022 plog(LLV_ERROR, LOCATION, NULL, 1023 "Cannot create Xauth vendor ID\n"); 1024 goto end; 1025 } 1026 plist = isakmp_plist_append(plist, 1027 vid_xauth, ISAKMP_NPTYPE_VID); 1028 } 1029 1030 if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_UNITY) { 1031 if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL) { 1032 plog(LLV_ERROR, LOCATION, NULL, 1033 "Cannot create Unity vendor ID\n"); 1034 goto end; 1035 } 1036 plist = isakmp_plist_append(plist, 1037 vid_unity, ISAKMP_NPTYPE_VID); 1038 } 1039 #endif 1040 #ifdef ENABLE_DPD 1041 /* 1042 * Only send DPD support if remote announced DPD 1043 * and if DPD support is active 1044 */ 1045 if (iph1->dpd_support && iph1->rmconf->dpd) { 1046 if ((vid_dpd = set_vendorid(VENDORID_DPD)) == NULL) { 1047 plog(LLV_ERROR, LOCATION, NULL, 1048 "DPD vendorID construction failed\n"); 1049 } else { 1050 plist = isakmp_plist_append(plist, vid_dpd, 1051 ISAKMP_NPTYPE_VID); 1052 } 1053 } 1054 #endif 1055 #ifdef ENABLE_FRAG 1056 if (iph1->rmconf->ike_frag) { 1057 if ((vid_frag = set_vendorid(VENDORID_FRAG)) == NULL) { 1058 plog(LLV_ERROR, LOCATION, NULL, 1059 "Frag vendorID construction failed\n"); 1060 } else { 1061 vid_frag = isakmp_frag_addcap(vid_frag, 1062 VENDORID_FRAG_BASE); 1063 plist = isakmp_plist_append(plist, 1064 vid_frag, ISAKMP_NPTYPE_VID); 1065 } 1066 } 1067 #endif 1068 1069 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1); 1070 1071 #ifdef HAVE_PRINT_ISAKMP_C 1072 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0); 1073 #endif 1074 1075 /* send the packet, add to the schedule to resend */ 1076 iph1->retry_counter = iph1->rmconf->retry_counter; 1077 if (isakmp_ph1resend(iph1) == -1) { 1078 iph1 = NULL; 1079 goto end; 1080 } 1081 1082 /* the sending message is added to the received-list. */ 1083 if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) { 1084 plog(LLV_ERROR , LOCATION, NULL, 1085 "failed to add a response packet to the tree.\n"); 1086 goto end; 1087 } 1088 1089 iph1->status = PHASE1ST_MSG1SENT; 1090 1091 error = 0; 1092 1093 end: 1094 #ifdef ENABLE_NATT 1095 if (vid_natt) 1096 vfree(vid_natt); 1097 #endif 1098 #ifdef ENABLE_HYBRID 1099 if (vid_xauth != NULL) 1100 vfree(vid_xauth); 1101 if (vid_unity != NULL) 1102 vfree(vid_unity); 1103 #endif 1104 #ifdef ENABLE_FRAG 1105 if (vid_frag) 1106 vfree(vid_frag); 1107 #endif 1108 #ifdef ENABLE_DPD 1109 if (vid_dpd) 1110 vfree(vid_dpd); 1111 #endif 1112 1113 if (iph1 != NULL) 1114 VPTRINIT(iph1->sa_ret); 1115 1116 return error; 1117 } 1118 1119 /* 1120 * receive from initiator 1121 * psk: HDR, KE, HASH_I 1122 * sig: HDR, KE, [ CR, ] [CERT,] SIG_I 1123 * rsa: HDR, KE, HASH_I 1124 * rev: HDR, <KE>Ke_i, HASH_I 1125 */ 1126 int 1127 base_r2recv(iph1, msg) 1128 struct ph1handle *iph1; 1129 vchar_t *msg; 1130 { 1131 vchar_t *pbuf = NULL; 1132 struct isakmp_parse_t *pa; 1133 int error = -1; 1134 int ptype; 1135 #ifdef ENABLE_NATT 1136 int natd_seq = 0; 1137 #endif 1138 1139 /* validity check */ 1140 if (iph1->status != PHASE1ST_MSG1SENT) { 1141 plog(LLV_ERROR, LOCATION, NULL, 1142 "status mismatched %d.\n", iph1->status); 1143 goto end; 1144 } 1145 1146 /* validate the type of next payload */ 1147 pbuf = isakmp_parse(msg); 1148 if (pbuf == NULL) 1149 goto end; 1150 1151 iph1->pl_hash = NULL; 1152 1153 for (pa = (struct isakmp_parse_t *)pbuf->v; 1154 pa->type != ISAKMP_NPTYPE_NONE; 1155 pa++) { 1156 1157 switch (pa->type) { 1158 case ISAKMP_NPTYPE_KE: 1159 if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) 1160 goto end; 1161 break; 1162 case ISAKMP_NPTYPE_HASH: 1163 iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr; 1164 break; 1165 case ISAKMP_NPTYPE_CERT: 1166 if (oakley_savecert(iph1, pa->ptr) < 0) 1167 goto end; 1168 break; 1169 case ISAKMP_NPTYPE_SIG: 1170 if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) 1171 goto end; 1172 break; 1173 case ISAKMP_NPTYPE_VID: 1174 (void)check_vendorid(pa->ptr); 1175 break; 1176 1177 #ifdef ENABLE_NATT 1178 case ISAKMP_NPTYPE_NATD_DRAFT: 1179 case ISAKMP_NPTYPE_NATD_RFC: 1180 if (pa->type == iph1->natt_options->payload_nat_d) 1181 { 1182 vchar_t *natd_received = NULL; 1183 int natd_verified; 1184 1185 if (isakmp_p2ph (&natd_received, pa->ptr) < 0) 1186 goto end; 1187 1188 if (natd_seq == 0) 1189 iph1->natt_flags |= NAT_DETECTED; 1190 1191 natd_verified = natt_compare_addr_hash (iph1, 1192 natd_received, natd_seq++); 1193 1194 plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n", 1195 natd_seq - 1, 1196 natd_verified ? "verified" : "doesn't match"); 1197 1198 vfree (natd_received); 1199 break; 1200 } 1201 /* passthrough to default... */ 1202 #endif 1203 1204 default: 1205 /* don't send information, see ident_r1recv() */ 1206 plog(LLV_ERROR, LOCATION, iph1->remote, 1207 "ignore the packet, " 1208 "received unexpecting payload type %d.\n", 1209 pa->type); 1210 goto end; 1211 } 1212 } 1213 1214 /* generate DH public value */ 1215 if (oakley_dh_generate(iph1->approval->dhgrp, 1216 &iph1->dhpub, &iph1->dhpriv) < 0) 1217 goto end; 1218 1219 /* compute sharing secret of DH */ 1220 if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub, 1221 iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) 1222 goto end; 1223 1224 /* generate SKEYID */ 1225 if (oakley_skeyid(iph1) < 0) 1226 goto end; 1227 1228 #ifdef ENABLE_NATT 1229 if (NATT_AVAILABLE(iph1)) 1230 plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n", 1231 iph1->natt_flags & NAT_DETECTED ? 1232 "detected:" : "not detected", 1233 iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "", 1234 iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : ""); 1235 #endif 1236 1237 /* payload existency check */ 1238 /* validate authentication value */ 1239 ptype = oakley_validate_auth(iph1); 1240 if (ptype != 0) { 1241 if (ptype == -1) { 1242 /* message printed inner oakley_validate_auth() */ 1243 goto end; 1244 } 1245 EVT_PUSH(iph1->local, iph1->remote, 1246 EVTT_PEERPH1AUTH_FAILED, NULL); 1247 isakmp_info_send_n1(iph1, ptype, NULL); 1248 goto end; 1249 } 1250 1251 iph1->status = PHASE1ST_MSG2RECEIVED; 1252 1253 error = 0; 1254 1255 end: 1256 if (pbuf) 1257 vfree(pbuf); 1258 1259 if (error) { 1260 VPTRINIT(iph1->dhpub_p); 1261 oakley_delcert(iph1->cert_p); 1262 iph1->cert_p = NULL; 1263 oakley_delcert(iph1->crl_p); 1264 iph1->crl_p = NULL; 1265 VPTRINIT(iph1->sig_p); 1266 } 1267 1268 return error; 1269 } 1270 1271 /* 1272 * send to initiator 1273 * psk: HDR, KE, HASH_R 1274 * sig: HDR, KE, [CERT,] SIG_R 1275 * rsa: HDR, KE, HASH_R 1276 * rev: HDR, <KE>_Ke_r, HASH_R 1277 */ 1278 int 1279 base_r2send(iph1, msg) 1280 struct ph1handle *iph1; 1281 vchar_t *msg; 1282 { 1283 struct payload_list *plist = NULL; 1284 vchar_t *vid = NULL; 1285 int need_cert = 0; 1286 int error = -1; 1287 1288 /* validity check */ 1289 if (iph1->status != PHASE1ST_MSG2RECEIVED) { 1290 plog(LLV_ERROR, LOCATION, NULL, 1291 "status mismatched %d.\n", iph1->status); 1292 goto end; 1293 } 1294 1295 /* generate HASH to send */ 1296 plog(LLV_DEBUG, LOCATION, NULL, "generate HASH_I\n"); 1297 switch (AUTHMETHOD(iph1)) { 1298 case OAKLEY_ATTR_AUTH_METHOD_PSKEY: 1299 #ifdef ENABLE_HYBRID 1300 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R: 1301 #endif 1302 case OAKLEY_ATTR_AUTH_METHOD_RSAENC: 1303 case OAKLEY_ATTR_AUTH_METHOD_RSAREV: 1304 #ifdef ENABLE_HYBRID 1305 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R: 1306 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: 1307 #endif 1308 iph1->hash = oakley_ph1hash_common(iph1, GENERATE); 1309 break; 1310 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: 1311 case OAKLEY_ATTR_AUTH_METHOD_RSASIG: 1312 #ifdef ENABLE_HYBRID 1313 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R: 1314 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: 1315 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R: 1316 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R: 1317 #endif 1318 #ifdef HAVE_GSSAPI 1319 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB: 1320 #endif 1321 iph1->hash = oakley_ph1hash_base_r(iph1, GENERATE); 1322 break; 1323 default: 1324 plog(LLV_ERROR, LOCATION, NULL, 1325 "invalid authentication method %d\n", 1326 iph1->approval->authmethod); 1327 goto end; 1328 } 1329 if (iph1->hash == NULL) 1330 goto end; 1331 1332 switch (AUTHMETHOD(iph1)) { 1333 case OAKLEY_ATTR_AUTH_METHOD_PSKEY: 1334 #ifdef ENABLE_HYBRID 1335 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R: 1336 #endif 1337 vid = set_vendorid(iph1->approval->vendorid); 1338 1339 /* create isakmp KE payload */ 1340 plist = isakmp_plist_append(plist, 1341 iph1->dhpub, ISAKMP_NPTYPE_KE); 1342 1343 /* create isakmp HASH payload */ 1344 plist = isakmp_plist_append(plist, 1345 iph1->hash, ISAKMP_NPTYPE_HASH); 1346 1347 /* append vendor id, if needed */ 1348 if (vid) 1349 plist = isakmp_plist_append(plist, 1350 vid, ISAKMP_NPTYPE_VID); 1351 break; 1352 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: 1353 case OAKLEY_ATTR_AUTH_METHOD_RSASIG: 1354 #ifdef ENABLE_HYBRID 1355 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R: 1356 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: 1357 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R: 1358 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R: 1359 #endif 1360 /* XXX if there is CR or not ? */ 1361 1362 if (oakley_getmycert(iph1) < 0) 1363 goto end; 1364 1365 if (oakley_getsign(iph1) < 0) 1366 goto end; 1367 1368 if (iph1->cert && iph1->rmconf->send_cert) 1369 need_cert = 1; 1370 1371 /* create isakmp KE payload */ 1372 plist = isakmp_plist_append(plist, 1373 iph1->dhpub, ISAKMP_NPTYPE_KE); 1374 1375 /* add CERT payload if there */ 1376 if (need_cert) 1377 plist = isakmp_plist_append(plist, 1378 iph1->cert->pl, ISAKMP_NPTYPE_CERT); 1379 /* add SIG payload */ 1380 plist = isakmp_plist_append(plist, 1381 iph1->sig, ISAKMP_NPTYPE_SIG); 1382 break; 1383 #ifdef HAVE_GSSAPI 1384 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB: 1385 /* ... */ 1386 break; 1387 #endif 1388 case OAKLEY_ATTR_AUTH_METHOD_RSAENC: 1389 case OAKLEY_ATTR_AUTH_METHOD_RSAREV: 1390 #ifdef ENABLE_HYBRID 1391 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R: 1392 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: 1393 #endif 1394 break; 1395 } 1396 1397 #ifdef ENABLE_NATT 1398 /* generate NAT-D payloads */ 1399 if (NATT_AVAILABLE(iph1)) { 1400 vchar_t *natd[2] = { NULL, NULL }; 1401 1402 plog(LLV_INFO, LOCATION, 1403 NULL, "Adding remote and local NAT-D payloads.\n"); 1404 if ((natd[0] = natt_hash_addr(iph1, iph1->remote)) == NULL) { 1405 plog(LLV_ERROR, LOCATION, NULL, 1406 "NAT-D hashing failed for %s\n", 1407 saddr2str(iph1->remote)); 1408 goto end; 1409 } 1410 1411 if ((natd[1] = natt_hash_addr(iph1, iph1->local)) == NULL) { 1412 plog(LLV_ERROR, LOCATION, NULL, 1413 "NAT-D hashing failed for %s\n", 1414 saddr2str(iph1->local)); 1415 goto end; 1416 } 1417 1418 plist = isakmp_plist_append(plist, 1419 natd[0], iph1->natt_options->payload_nat_d); 1420 plist = isakmp_plist_append(plist, 1421 natd[1], iph1->natt_options->payload_nat_d); 1422 } 1423 #endif 1424 1425 iph1->sendbuf = isakmp_plist_set_all(&plist, iph1); 1426 1427 #ifdef HAVE_PRINT_ISAKMP_C 1428 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0); 1429 #endif 1430 1431 /* send HDR;KE;NONCE to responder */ 1432 if (isakmp_send(iph1, iph1->sendbuf) < 0) 1433 goto end; 1434 1435 /* the sending message is added to the received-list. */ 1436 if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) { 1437 plog(LLV_ERROR , LOCATION, NULL, 1438 "failed to add a response packet to the tree.\n"); 1439 goto end; 1440 } 1441 1442 /* generate SKEYIDs & IV & final cipher key */ 1443 if (oakley_skeyid_dae(iph1) < 0) 1444 goto end; 1445 if (oakley_compute_enckey(iph1) < 0) 1446 goto end; 1447 if (oakley_newiv(iph1) < 0) 1448 goto end; 1449 1450 /* set encryption flag */ 1451 iph1->flags |= ISAKMP_FLAG_E; 1452 1453 iph1->status = PHASE1ST_ESTABLISHED; 1454 1455 error = 0; 1456 1457 end: 1458 if (vid) 1459 vfree(vid); 1460 return error; 1461 } 1462