1 /* $NetBSD: isakmp_base.c,v 1.12 2009/03/12 10:57:26 tteras Exp $ */ 2 3 /* $KAME: isakmp_base.c,v 1.49 2003/11/13 02:30:20 sakane Exp $ */ 4 5 /* 6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of the project nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 /* Base Exchange (Base Mode) */ 35 36 #include "config.h" 37 38 #include <sys/types.h> 39 #include <sys/param.h> 40 41 #include <stdlib.h> 42 #include <stdio.h> 43 #include <string.h> 44 #include <errno.h> 45 #if TIME_WITH_SYS_TIME 46 # include <sys/time.h> 47 # include <time.h> 48 #else 49 # if HAVE_SYS_TIME_H 50 # include <sys/time.h> 51 # else 52 # include <time.h> 53 # endif 54 #endif 55 56 #include "var.h" 57 #include "misc.h" 58 #include "vmbuf.h" 59 #include "plog.h" 60 #include "sockmisc.h" 61 #include "schedule.h" 62 #include "debug.h" 63 64 #ifdef ENABLE_HYBRID 65 #include <resolv.h> 66 #endif 67 68 #include "localconf.h" 69 #include "remoteconf.h" 70 #include "isakmp_var.h" 71 #include "isakmp.h" 72 #include "evt.h" 73 #include "oakley.h" 74 #include "handler.h" 75 #include "ipsec_doi.h" 76 #include "crypto_openssl.h" 77 #include "pfkey.h" 78 #include "isakmp_base.h" 79 #include "isakmp_inf.h" 80 #include "vendorid.h" 81 #ifdef ENABLE_NATT 82 #include "nattraversal.h" 83 #endif 84 #ifdef ENABLE_FRAG 85 #include "isakmp_frag.h" 86 #endif 87 #ifdef ENABLE_HYBRID 88 #include "isakmp_xauth.h" 89 #include "isakmp_cfg.h" 90 #endif 91 92 /* %%% 93 * begin Identity Protection Mode as initiator. 94 */ 95 /* 96 * send to responder 97 * psk: HDR, SA, Idii, Ni_b 98 * sig: HDR, SA, Idii, Ni_b 99 * rsa: HDR, SA, [HASH(1),] <IDii_b>Pubkey_r, <Ni_b>Pubkey_r 100 * rev: HDR, SA, [HASH(1),] <Ni_b>Pubkey_r, <IDii_b>Ke_i 101 */ 102 int 103 base_i1send(iph1, msg) 104 struct ph1handle *iph1; 105 vchar_t *msg; /* must be null */ 106 { 107 struct payload_list *plist = NULL; 108 int error = -1; 109 #ifdef ENABLE_NATT 110 vchar_t *vid_natt[MAX_NATT_VID_COUNT] = { NULL }; 111 int i, vid_natt_i = 0; 112 #endif 113 #ifdef ENABLE_FRAG 114 vchar_t *vid_frag = NULL; 115 #endif 116 #ifdef ENABLE_HYBRID 117 vchar_t *vid_xauth = NULL; 118 vchar_t *vid_unity = NULL; 119 #endif 120 #ifdef ENABLE_DPD 121 vchar_t *vid_dpd = NULL; 122 #endif 123 124 125 /* validity check */ 126 if (msg != NULL) { 127 plog(LLV_ERROR, LOCATION, NULL, 128 "msg has to be NULL in this function.\n"); 129 goto end; 130 } 131 if (iph1->status != PHASE1ST_START) { 132 plog(LLV_ERROR, LOCATION, NULL, 133 "status mismatched %d.\n", iph1->status); 134 goto end; 135 } 136 137 /* create isakmp index */ 138 memset(&iph1->index, 0, sizeof(iph1->index)); 139 isakmp_newcookie((caddr_t)&iph1->index, iph1->remote, iph1->local); 140 141 /* make ID payload into isakmp status */ 142 if (ipsecdoi_setid1(iph1) < 0) 143 goto end; 144 145 /* create SA payload for my proposal */ 146 iph1->sa = ipsecdoi_setph1proposal(iph1->rmconf, 147 iph1->rmconf->proposal); 148 if (iph1->sa == NULL) 149 goto end; 150 151 /* generate NONCE value */ 152 iph1->nonce = eay_set_random(iph1->rmconf->nonce_size); 153 if (iph1->nonce == NULL) 154 goto end; 155 156 #ifdef ENABLE_HYBRID 157 /* Do we need Xauth VID? */ 158 switch (iph1->rmconf->proposal->authmethod) { 159 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I: 160 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: 161 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: 162 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: 163 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: 164 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I: 165 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I: 166 if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL) 167 plog(LLV_ERROR, LOCATION, NULL, 168 "Xauth vendor ID generation failed\n"); 169 170 if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL) 171 plog(LLV_ERROR, LOCATION, NULL, 172 "Unity vendor ID generation failed\n"); 173 break; 174 default: 175 break; 176 } 177 #endif 178 #ifdef ENABLE_FRAG 179 if (iph1->rmconf->ike_frag) { 180 vid_frag = set_vendorid(VENDORID_FRAG); 181 if (vid_frag != NULL) 182 vid_frag = isakmp_frag_addcap(vid_frag, 183 VENDORID_FRAG_BASE); 184 if (vid_frag == NULL) 185 plog(LLV_ERROR, LOCATION, NULL, 186 "Frag vendorID construction failed\n"); 187 } 188 #endif 189 #ifdef ENABLE_NATT 190 /* Is NAT-T support allowed in the config file? */ 191 if (iph1->rmconf->nat_traversal) { 192 /* Advertise NAT-T capability */ 193 memset (vid_natt, 0, sizeof (vid_natt)); 194 #ifdef VENDORID_NATT_00 195 if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_00)) != NULL) 196 vid_natt_i++; 197 #endif 198 #ifdef VENDORID_NATT_02 199 if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_02)) != NULL) 200 vid_natt_i++; 201 #endif 202 #ifdef VENDORID_NATT_02_N 203 if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_02_N)) != NULL) 204 vid_natt_i++; 205 #endif 206 #ifdef VENDORID_NATT_RFC 207 if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_RFC)) != NULL) 208 vid_natt_i++; 209 #endif 210 } 211 #endif 212 213 /* set SA payload to propose */ 214 plist = isakmp_plist_append(plist, iph1->sa, ISAKMP_NPTYPE_SA); 215 216 /* create isakmp ID payload */ 217 plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID); 218 219 /* create isakmp NONCE payload */ 220 plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE); 221 222 #ifdef ENABLE_FRAG 223 if (vid_frag) 224 plist = isakmp_plist_append(plist, vid_frag, ISAKMP_NPTYPE_VID); 225 #endif 226 #ifdef ENABLE_HYBRID 227 if (vid_xauth) 228 plist = isakmp_plist_append(plist, 229 vid_xauth, ISAKMP_NPTYPE_VID); 230 if (vid_unity) 231 plist = isakmp_plist_append(plist, 232 vid_unity, ISAKMP_NPTYPE_VID); 233 #endif 234 #ifdef ENABLE_DPD 235 if (iph1->rmconf->dpd) { 236 vid_dpd = set_vendorid(VENDORID_DPD); 237 if (vid_dpd != NULL) 238 plist = isakmp_plist_append(plist, vid_dpd, ISAKMP_NPTYPE_VID); 239 } 240 #endif 241 #ifdef ENABLE_NATT 242 /* set VID payload for NAT-T */ 243 for (i = 0; i < vid_natt_i; i++) 244 plist = isakmp_plist_append(plist, vid_natt[i], ISAKMP_NPTYPE_VID); 245 #endif 246 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1); 247 248 249 #ifdef HAVE_PRINT_ISAKMP_C 250 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0); 251 #endif 252 253 /* send the packet, add to the schedule to resend */ 254 if (isakmp_ph1send(iph1) == -1) 255 goto end; 256 257 iph1->status = PHASE1ST_MSG1SENT; 258 259 error = 0; 260 261 end: 262 #ifdef ENABLE_FRAG 263 if (vid_frag) 264 vfree(vid_frag); 265 #endif 266 #ifdef ENABLE_NATT 267 for (i = 0; i < vid_natt_i; i++) 268 vfree(vid_natt[i]); 269 #endif 270 #ifdef ENABLE_HYBRID 271 if (vid_xauth != NULL) 272 vfree(vid_xauth); 273 if (vid_unity != NULL) 274 vfree(vid_unity); 275 #endif 276 #ifdef ENABLE_DPD 277 if (vid_dpd != NULL) 278 vfree(vid_dpd); 279 #endif 280 281 return error; 282 } 283 284 /* 285 * receive from responder 286 * psk: HDR, SA, Idir, Nr_b 287 * sig: HDR, SA, Idir, Nr_b, [ CR ] 288 * rsa: HDR, SA, <IDir_b>PubKey_i, <Nr_b>PubKey_i 289 * rev: HDR, SA, <Nr_b>PubKey_i, <IDir_b>Ke_r 290 */ 291 int 292 base_i2recv(iph1, msg) 293 struct ph1handle *iph1; 294 vchar_t *msg; 295 { 296 vchar_t *pbuf = NULL; 297 struct isakmp_parse_t *pa; 298 vchar_t *satmp = NULL; 299 int error = -1; 300 #ifdef ENABLE_HYBRID 301 vchar_t *unity_vid; 302 vchar_t *xauth_vid; 303 #endif 304 305 /* validity check */ 306 if (iph1->status != PHASE1ST_MSG1SENT) { 307 plog(LLV_ERROR, LOCATION, NULL, 308 "status mismatched %d.\n", iph1->status); 309 goto end; 310 } 311 312 /* validate the type of next payload */ 313 pbuf = isakmp_parse(msg); 314 if (pbuf == NULL) 315 goto end; 316 pa = (struct isakmp_parse_t *)pbuf->v; 317 318 /* SA payload is fixed postion */ 319 if (pa->type != ISAKMP_NPTYPE_SA) { 320 plog(LLV_ERROR, LOCATION, iph1->remote, 321 "received invalid next payload type %d, " 322 "expecting %d.\n", 323 pa->type, ISAKMP_NPTYPE_SA); 324 goto end; 325 } 326 if (isakmp_p2ph(&satmp, pa->ptr) < 0) 327 goto end; 328 pa++; 329 330 for (/*nothing*/; 331 pa->type != ISAKMP_NPTYPE_NONE; 332 pa++) { 333 334 switch (pa->type) { 335 case ISAKMP_NPTYPE_NONCE: 336 if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) 337 goto end; 338 break; 339 case ISAKMP_NPTYPE_ID: 340 if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) 341 goto end; 342 break; 343 case ISAKMP_NPTYPE_VID: 344 handle_vendorid(iph1, pa->ptr); 345 break; 346 default: 347 /* don't send information, see ident_r1recv() */ 348 plog(LLV_ERROR, LOCATION, iph1->remote, 349 "ignore the packet, " 350 "received unexpecting payload type %d.\n", 351 pa->type); 352 goto end; 353 } 354 } 355 356 if (iph1->nonce_p == NULL || iph1->id_p == NULL) { 357 plog(LLV_ERROR, LOCATION, iph1->remote, 358 "few isakmp message received.\n"); 359 goto end; 360 } 361 362 /* verify identifier */ 363 if (ipsecdoi_checkid1(iph1) != 0) { 364 plog(LLV_ERROR, LOCATION, iph1->remote, 365 "invalid ID payload.\n"); 366 goto end; 367 } 368 369 #ifdef ENABLE_NATT 370 if (NATT_AVAILABLE(iph1)) 371 plog(LLV_INFO, LOCATION, iph1->remote, 372 "Selected NAT-T version: %s\n", 373 vid_string_by_id(iph1->natt_options->version)); 374 #endif 375 376 /* check SA payload and set approval SA for use */ 377 if (ipsecdoi_checkph1proposal(satmp, iph1) < 0) { 378 plog(LLV_ERROR, LOCATION, iph1->remote, 379 "failed to get valid proposal.\n"); 380 /* XXX send information */ 381 goto end; 382 } 383 VPTRINIT(iph1->sa_ret); 384 385 iph1->status = PHASE1ST_MSG2RECEIVED; 386 387 error = 0; 388 389 end: 390 if (pbuf) 391 vfree(pbuf); 392 if (satmp) 393 vfree(satmp); 394 395 if (error) { 396 VPTRINIT(iph1->nonce_p); 397 VPTRINIT(iph1->id_p); 398 } 399 400 return error; 401 } 402 403 /* 404 * send to responder 405 * psk: HDR, KE, HASH_I 406 * sig: HDR, KE, [ CR, ] [CERT,] SIG_I 407 * rsa: HDR, KE, HASH_I 408 * rev: HDR, <KE>Ke_i, HASH_I 409 */ 410 int 411 base_i2send(iph1, msg) 412 struct ph1handle *iph1; 413 vchar_t *msg; 414 { 415 struct payload_list *plist = NULL; 416 vchar_t *vid = NULL; 417 int need_cert = 0; 418 int error = -1; 419 420 /* validity check */ 421 if (iph1->status != PHASE1ST_MSG2RECEIVED) { 422 plog(LLV_ERROR, LOCATION, NULL, 423 "status mismatched %d.\n", iph1->status); 424 goto end; 425 } 426 427 /* fix isakmp index */ 428 memcpy(&iph1->index.r_ck, &((struct isakmp *)msg->v)->r_ck, 429 sizeof(cookie_t)); 430 431 /* generate DH public value */ 432 if (oakley_dh_generate(iph1->approval->dhgrp, 433 &iph1->dhpub, &iph1->dhpriv) < 0) 434 goto end; 435 436 /* generate SKEYID to compute hash if not signature mode */ 437 switch (iph1->approval->authmethod) { 438 case OAKLEY_ATTR_AUTH_METHOD_RSASIG: 439 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: 440 #ifdef ENABLE_HYBRID 441 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I: 442 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: 443 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: 444 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: 445 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: 446 #endif 447 break; 448 default: 449 if (oakley_skeyid(iph1) < 0) 450 goto end; 451 break; 452 } 453 454 /* generate HASH to send */ 455 plog(LLV_DEBUG, LOCATION, NULL, "generate HASH_I\n"); 456 iph1->hash = oakley_ph1hash_base_i(iph1, GENERATE); 457 if (iph1->hash == NULL) 458 goto end; 459 switch (iph1->approval->authmethod) { 460 case OAKLEY_ATTR_AUTH_METHOD_PSKEY: 461 #ifdef ENABLE_HYBRID 462 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I: 463 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: 464 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: 465 #endif 466 vid = set_vendorid(iph1->approval->vendorid); 467 468 /* create isakmp KE payload */ 469 plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE); 470 471 /* create isakmp HASH payload */ 472 plist = isakmp_plist_append(plist, iph1->hash, ISAKMP_NPTYPE_HASH); 473 474 /* append vendor id, if needed */ 475 if (vid) 476 plist = isakmp_plist_append(plist, vid, ISAKMP_NPTYPE_VID); 477 break; 478 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: 479 case OAKLEY_ATTR_AUTH_METHOD_RSASIG: 480 #ifdef ENABLE_HYBRID 481 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: 482 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: 483 #endif 484 /* XXX if there is CR or not ? */ 485 486 if (oakley_getmycert(iph1) < 0) 487 goto end; 488 489 if (oakley_getsign(iph1) < 0) 490 goto end; 491 492 if (iph1->cert && iph1->rmconf->send_cert) 493 need_cert = 1; 494 495 /* create isakmp KE payload */ 496 plist = isakmp_plist_append(plist, iph1->dhpub, 497 ISAKMP_NPTYPE_KE); 498 499 /* add CERT payload if there */ 500 if (need_cert) 501 plist = isakmp_plist_append(plist, iph1->cert, 502 ISAKMP_NPTYPE_CERT); 503 504 /* add SIG payload */ 505 plist = isakmp_plist_append(plist, 506 iph1->sig, ISAKMP_NPTYPE_SIG); 507 508 break; 509 #ifdef HAVE_GSSAPI 510 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB: 511 /* ... */ 512 break; 513 #endif 514 case OAKLEY_ATTR_AUTH_METHOD_RSAENC: 515 case OAKLEY_ATTR_AUTH_METHOD_RSAREV: 516 #ifdef ENABLE_HYBRID 517 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I: 518 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I: 519 #endif 520 break; 521 } 522 523 #ifdef ENABLE_NATT 524 /* generate NAT-D payloads */ 525 if (NATT_AVAILABLE(iph1)) 526 { 527 vchar_t *natd[2] = { NULL, NULL }; 528 529 plog (LLV_INFO, LOCATION, NULL, "Adding remote and local NAT-D payloads.\n"); 530 if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) { 531 plog(LLV_ERROR, LOCATION, NULL, 532 "NAT-D hashing failed for %s\n", saddr2str(iph1->remote)); 533 goto end; 534 } 535 536 if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) { 537 plog(LLV_ERROR, LOCATION, NULL, 538 "NAT-D hashing failed for %s\n", saddr2str(iph1->local)); 539 goto end; 540 } 541 542 plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d); 543 plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d); 544 } 545 #endif 546 547 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1); 548 549 #ifdef HAVE_PRINT_ISAKMP_C 550 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0); 551 #endif 552 553 /* send the packet, add to the schedule to resend */ 554 if (isakmp_ph1send(iph1) == -1) 555 goto end; 556 557 /* the sending message is added to the received-list. */ 558 if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) { 559 plog(LLV_ERROR , LOCATION, NULL, 560 "failed to add a response packet to the tree.\n"); 561 goto end; 562 } 563 564 iph1->status = PHASE1ST_MSG2SENT; 565 566 error = 0; 567 568 end: 569 if (vid) 570 vfree(vid); 571 return error; 572 } 573 574 /* 575 * receive from responder 576 * psk: HDR, KE, HASH_R 577 * sig: HDR, KE, [CERT,] SIG_R 578 * rsa: HDR, KE, HASH_R 579 * rev: HDR, <KE>_Ke_r, HASH_R 580 */ 581 int 582 base_i3recv(iph1, msg) 583 struct ph1handle *iph1; 584 vchar_t *msg; 585 { 586 vchar_t *pbuf = NULL; 587 struct isakmp_parse_t *pa; 588 int error = -1, ptype; 589 #ifdef ENABLE_NATT 590 vchar_t *natd_received; 591 int natd_seq = 0, natd_verified; 592 #endif 593 594 /* validity check */ 595 if (iph1->status != PHASE1ST_MSG2SENT) { 596 plog(LLV_ERROR, LOCATION, NULL, 597 "status mismatched %d.\n", iph1->status); 598 goto end; 599 } 600 601 /* validate the type of next payload */ 602 pbuf = isakmp_parse(msg); 603 if (pbuf == NULL) 604 goto end; 605 606 for (pa = (struct isakmp_parse_t *)pbuf->v; 607 pa->type != ISAKMP_NPTYPE_NONE; 608 pa++) { 609 610 switch (pa->type) { 611 case ISAKMP_NPTYPE_KE: 612 if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) 613 goto end; 614 break; 615 case ISAKMP_NPTYPE_HASH: 616 iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr; 617 break; 618 case ISAKMP_NPTYPE_CERT: 619 if (oakley_savecert(iph1, pa->ptr) < 0) 620 goto end; 621 break; 622 case ISAKMP_NPTYPE_SIG: 623 if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) 624 goto end; 625 break; 626 case ISAKMP_NPTYPE_VID: 627 handle_vendorid(iph1, pa->ptr); 628 break; 629 630 #ifdef ENABLE_NATT 631 case ISAKMP_NPTYPE_NATD_DRAFT: 632 case ISAKMP_NPTYPE_NATD_RFC: 633 if (NATT_AVAILABLE(iph1) && iph1->natt_options && 634 pa->type == iph1->natt_options->payload_nat_d) { 635 natd_received = NULL; 636 if (isakmp_p2ph (&natd_received, pa->ptr) < 0) 637 goto end; 638 639 /* set both bits first so that we can clear them 640 upon verifying hashes */ 641 if (natd_seq == 0) 642 iph1->natt_flags |= NAT_DETECTED; 643 644 /* this function will clear appropriate bits bits 645 from iph1->natt_flags */ 646 natd_verified = natt_compare_addr_hash (iph1, 647 natd_received, natd_seq++); 648 649 plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n", 650 natd_seq - 1, 651 natd_verified ? "verified" : "doesn't match"); 652 653 vfree (natd_received); 654 break; 655 } 656 /* passthrough to default... */ 657 #endif 658 659 default: 660 /* don't send information, see ident_r1recv() */ 661 plog(LLV_ERROR, LOCATION, iph1->remote, 662 "ignore the packet, " 663 "received unexpecting payload type %d.\n", 664 pa->type); 665 goto end; 666 } 667 } 668 669 #ifdef ENABLE_NATT 670 if (NATT_AVAILABLE(iph1)) { 671 plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n", 672 iph1->natt_flags & NAT_DETECTED ? 673 "detected:" : "not detected", 674 iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "", 675 iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : ""); 676 if (iph1->natt_flags & NAT_DETECTED) 677 natt_float_ports (iph1); 678 } 679 #endif 680 681 /* payload existency check */ 682 /* validate authentication value */ 683 ptype = oakley_validate_auth(iph1); 684 if (ptype != 0) { 685 if (ptype == -1) { 686 /* message printed inner oakley_validate_auth() */ 687 goto end; 688 } 689 evt_phase1(iph1, EVT_PHASE1_AUTH_FAILED, NULL); 690 isakmp_info_send_n1(iph1, ptype, NULL); 691 goto end; 692 } 693 694 /* compute sharing secret of DH */ 695 if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub, 696 iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) 697 goto end; 698 699 /* generate SKEYID to compute hash if signature mode */ 700 switch (iph1->approval->authmethod) { 701 case OAKLEY_ATTR_AUTH_METHOD_RSASIG: 702 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: 703 #ifdef ENABLE_HYBRID 704 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I: 705 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: 706 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: 707 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: 708 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: 709 #endif 710 if (oakley_skeyid(iph1) < 0) 711 goto end; 712 break; 713 default: 714 break; 715 } 716 717 /* generate SKEYIDs & IV & final cipher key */ 718 if (oakley_skeyid_dae(iph1) < 0) 719 goto end; 720 if (oakley_compute_enckey(iph1) < 0) 721 goto end; 722 if (oakley_newiv(iph1) < 0) 723 goto end; 724 725 /* see handler.h about IV synchronization. */ 726 memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->iv->l); 727 728 /* set encryption flag */ 729 iph1->flags |= ISAKMP_FLAG_E; 730 731 iph1->status = PHASE1ST_MSG3RECEIVED; 732 733 error = 0; 734 735 end: 736 if (pbuf) 737 vfree(pbuf); 738 739 if (error) { 740 VPTRINIT(iph1->dhpub_p); 741 VPTRINIT(iph1->cert_p); 742 VPTRINIT(iph1->crl_p); 743 VPTRINIT(iph1->sig_p); 744 } 745 746 return error; 747 } 748 749 /* 750 * status update and establish isakmp sa. 751 */ 752 int 753 base_i3send(iph1, msg) 754 struct ph1handle *iph1; 755 vchar_t *msg; 756 { 757 int error = -1; 758 759 /* validity check */ 760 if (iph1->status != PHASE1ST_MSG3RECEIVED) { 761 plog(LLV_ERROR, LOCATION, NULL, 762 "status mismatched %d.\n", iph1->status); 763 goto end; 764 } 765 766 iph1->status = PHASE1ST_ESTABLISHED; 767 768 error = 0; 769 770 end: 771 return error; 772 } 773 774 /* 775 * receive from initiator 776 * psk: HDR, SA, Idii, Ni_b 777 * sig: HDR, SA, Idii, Ni_b 778 * rsa: HDR, SA, [HASH(1),] <IDii_b>Pubkey_r, <Ni_b>Pubkey_r 779 * rev: HDR, SA, [HASH(1),] <Ni_b>Pubkey_r, <IDii_b>Ke_i 780 */ 781 int 782 base_r1recv(iph1, msg) 783 struct ph1handle *iph1; 784 vchar_t *msg; 785 { 786 vchar_t *pbuf = NULL; 787 struct isakmp_parse_t *pa; 788 int error = -1; 789 int vid_numeric; 790 791 /* validity check */ 792 if (iph1->status != PHASE1ST_START) { 793 plog(LLV_ERROR, LOCATION, NULL, 794 "status mismatched %d.\n", iph1->status); 795 goto end; 796 } 797 798 /* validate the type of next payload */ 799 pbuf = isakmp_parse(msg); 800 if (pbuf == NULL) 801 goto end; 802 pa = (struct isakmp_parse_t *)pbuf->v; 803 804 /* check the position of SA payload */ 805 if (pa->type != ISAKMP_NPTYPE_SA) { 806 plog(LLV_ERROR, LOCATION, iph1->remote, 807 "received invalid next payload type %d, " 808 "expecting %d.\n", 809 pa->type, ISAKMP_NPTYPE_SA); 810 goto end; 811 } 812 if (isakmp_p2ph(&iph1->sa, pa->ptr) < 0) 813 goto end; 814 pa++; 815 816 for (/*nothing*/; 817 pa->type != ISAKMP_NPTYPE_NONE; 818 pa++) { 819 820 switch (pa->type) { 821 case ISAKMP_NPTYPE_NONCE: 822 if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) 823 goto end; 824 break; 825 case ISAKMP_NPTYPE_ID: 826 if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) 827 goto end; 828 break; 829 case ISAKMP_NPTYPE_VID: 830 vid_numeric = handle_vendorid(iph1, pa->ptr); 831 #ifdef ENABLE_FRAG 832 if ((vid_numeric == VENDORID_FRAG) && 833 (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_BASE)) 834 iph1->frag = 1; 835 #endif 836 break; 837 default: 838 /* don't send information, see ident_r1recv() */ 839 plog(LLV_ERROR, LOCATION, iph1->remote, 840 "ignore the packet, " 841 "received unexpecting payload type %d.\n", 842 pa->type); 843 goto end; 844 } 845 } 846 847 if (iph1->nonce_p == NULL || iph1->id_p == NULL) { 848 plog(LLV_ERROR, LOCATION, iph1->remote, 849 "few isakmp message received.\n"); 850 goto end; 851 } 852 853 /* verify identifier */ 854 if (ipsecdoi_checkid1(iph1) != 0) { 855 plog(LLV_ERROR, LOCATION, iph1->remote, 856 "invalid ID payload.\n"); 857 goto end; 858 } 859 860 #ifdef ENABLE_NATT 861 if (NATT_AVAILABLE(iph1)) 862 plog(LLV_INFO, LOCATION, iph1->remote, 863 "Selected NAT-T version: %s\n", 864 vid_string_by_id(iph1->natt_options->version)); 865 #endif 866 867 /* check SA payload and set approval SA for use */ 868 if (ipsecdoi_checkph1proposal(iph1->sa, iph1) < 0) { 869 plog(LLV_ERROR, LOCATION, iph1->remote, 870 "failed to get valid proposal.\n"); 871 /* XXX send information */ 872 goto end; 873 } 874 875 iph1->status = PHASE1ST_MSG1RECEIVED; 876 877 error = 0; 878 879 end: 880 if (pbuf) 881 vfree(pbuf); 882 883 if (error) { 884 VPTRINIT(iph1->sa); 885 VPTRINIT(iph1->nonce_p); 886 VPTRINIT(iph1->id_p); 887 } 888 889 return error; 890 } 891 892 /* 893 * send to initiator 894 * psk: HDR, SA, Idir, Nr_b 895 * sig: HDR, SA, Idir, Nr_b, [ CR ] 896 * rsa: HDR, SA, <IDir_b>PubKey_i, <Nr_b>PubKey_i 897 * rev: HDR, SA, <Nr_b>PubKey_i, <IDir_b>Ke_r 898 */ 899 int 900 base_r1send(iph1, msg) 901 struct ph1handle *iph1; 902 vchar_t *msg; 903 { 904 struct payload_list *plist = NULL; 905 int error = -1; 906 #ifdef ENABLE_NATT 907 vchar_t *vid_natt = NULL; 908 #endif 909 #ifdef ENABLE_HYBRID 910 vchar_t *vid_xauth = NULL; 911 vchar_t *vid_unity = NULL; 912 #endif 913 #ifdef ENABLE_FRAG 914 vchar_t *vid_frag = NULL; 915 #endif 916 #ifdef ENABLE_DPD 917 vchar_t *vid_dpd = NULL; 918 #endif 919 920 /* validity check */ 921 if (iph1->status != PHASE1ST_MSG1RECEIVED) { 922 plog(LLV_ERROR, LOCATION, NULL, 923 "status mismatched %d.\n", iph1->status); 924 goto end; 925 } 926 927 /* set responder's cookie */ 928 isakmp_newcookie((caddr_t)&iph1->index.r_ck, iph1->remote, iph1->local); 929 930 /* make ID payload into isakmp status */ 931 if (ipsecdoi_setid1(iph1) < 0) 932 goto end; 933 934 /* generate NONCE value */ 935 iph1->nonce = eay_set_random(iph1->rmconf->nonce_size); 936 if (iph1->nonce == NULL) 937 goto end; 938 939 /* set SA payload to reply */ 940 plist = isakmp_plist_append(plist, iph1->sa_ret, ISAKMP_NPTYPE_SA); 941 942 /* create isakmp ID payload */ 943 plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID); 944 945 /* create isakmp NONCE payload */ 946 plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE); 947 948 #ifdef ENABLE_NATT 949 /* has the peer announced nat-t? */ 950 if (NATT_AVAILABLE(iph1)) 951 vid_natt = set_vendorid(iph1->natt_options->version); 952 if (vid_natt) 953 plist = isakmp_plist_append(plist, vid_natt, ISAKMP_NPTYPE_VID); 954 #endif 955 #ifdef ENABLE_HYBRID 956 if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) { 957 plog (LLV_INFO, LOCATION, NULL, "Adding xauth VID payload.\n"); 958 if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL) { 959 plog(LLV_ERROR, LOCATION, NULL, 960 "Cannot create Xauth vendor ID\n"); 961 goto end; 962 } 963 plist = isakmp_plist_append(plist, 964 vid_xauth, ISAKMP_NPTYPE_VID); 965 } 966 967 if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_UNITY) { 968 if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL) { 969 plog(LLV_ERROR, LOCATION, NULL, 970 "Cannot create Unity vendor ID\n"); 971 goto end; 972 } 973 plist = isakmp_plist_append(plist, 974 vid_unity, ISAKMP_NPTYPE_VID); 975 } 976 #endif 977 #ifdef ENABLE_DPD 978 /* 979 * Only send DPD support if remote announced DPD 980 * and if DPD support is active 981 */ 982 if (iph1->dpd_support && iph1->rmconf->dpd) { 983 if ((vid_dpd = set_vendorid(VENDORID_DPD)) == NULL) { 984 plog(LLV_ERROR, LOCATION, NULL, 985 "DPD vendorID construction failed\n"); 986 } else { 987 plist = isakmp_plist_append(plist, vid_dpd, 988 ISAKMP_NPTYPE_VID); 989 } 990 } 991 #endif 992 #ifdef ENABLE_FRAG 993 if (iph1->rmconf->ike_frag) { 994 if ((vid_frag = set_vendorid(VENDORID_FRAG)) == NULL) { 995 plog(LLV_ERROR, LOCATION, NULL, 996 "Frag vendorID construction failed\n"); 997 } else { 998 vid_frag = isakmp_frag_addcap(vid_frag, 999 VENDORID_FRAG_BASE); 1000 plist = isakmp_plist_append(plist, 1001 vid_frag, ISAKMP_NPTYPE_VID); 1002 } 1003 } 1004 #endif 1005 1006 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1); 1007 1008 #ifdef HAVE_PRINT_ISAKMP_C 1009 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0); 1010 #endif 1011 1012 /* send the packet, add to the schedule to resend */ 1013 if (isakmp_ph1send(iph1) == -1) { 1014 iph1 = NULL; 1015 goto end; 1016 } 1017 1018 /* the sending message is added to the received-list. */ 1019 if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) { 1020 plog(LLV_ERROR , LOCATION, NULL, 1021 "failed to add a response packet to the tree.\n"); 1022 goto end; 1023 } 1024 1025 iph1->status = PHASE1ST_MSG1SENT; 1026 1027 error = 0; 1028 1029 end: 1030 #ifdef ENABLE_NATT 1031 if (vid_natt) 1032 vfree(vid_natt); 1033 #endif 1034 #ifdef ENABLE_HYBRID 1035 if (vid_xauth != NULL) 1036 vfree(vid_xauth); 1037 if (vid_unity != NULL) 1038 vfree(vid_unity); 1039 #endif 1040 #ifdef ENABLE_FRAG 1041 if (vid_frag) 1042 vfree(vid_frag); 1043 #endif 1044 #ifdef ENABLE_DPD 1045 if (vid_dpd) 1046 vfree(vid_dpd); 1047 #endif 1048 1049 if (iph1 != NULL) 1050 VPTRINIT(iph1->sa_ret); 1051 1052 return error; 1053 } 1054 1055 /* 1056 * receive from initiator 1057 * psk: HDR, KE, HASH_I 1058 * sig: HDR, KE, [ CR, ] [CERT,] SIG_I 1059 * rsa: HDR, KE, HASH_I 1060 * rev: HDR, <KE>Ke_i, HASH_I 1061 */ 1062 int 1063 base_r2recv(iph1, msg) 1064 struct ph1handle *iph1; 1065 vchar_t *msg; 1066 { 1067 vchar_t *pbuf = NULL; 1068 struct isakmp_parse_t *pa; 1069 int error = -1, ptype; 1070 #ifdef ENABLE_NATT 1071 int natd_seq = 0; 1072 #endif 1073 1074 /* validity check */ 1075 if (iph1->status != PHASE1ST_MSG1SENT) { 1076 plog(LLV_ERROR, LOCATION, NULL, 1077 "status mismatched %d.\n", iph1->status); 1078 goto end; 1079 } 1080 1081 /* validate the type of next payload */ 1082 pbuf = isakmp_parse(msg); 1083 if (pbuf == NULL) 1084 goto end; 1085 1086 iph1->pl_hash = NULL; 1087 1088 for (pa = (struct isakmp_parse_t *)pbuf->v; 1089 pa->type != ISAKMP_NPTYPE_NONE; 1090 pa++) { 1091 1092 switch (pa->type) { 1093 case ISAKMP_NPTYPE_KE: 1094 if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) 1095 goto end; 1096 break; 1097 case ISAKMP_NPTYPE_HASH: 1098 iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr; 1099 break; 1100 case ISAKMP_NPTYPE_CERT: 1101 if (oakley_savecert(iph1, pa->ptr) < 0) 1102 goto end; 1103 break; 1104 case ISAKMP_NPTYPE_SIG: 1105 if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) 1106 goto end; 1107 break; 1108 case ISAKMP_NPTYPE_VID: 1109 handle_vendorid(iph1, pa->ptr); 1110 break; 1111 1112 #ifdef ENABLE_NATT 1113 case ISAKMP_NPTYPE_NATD_DRAFT: 1114 case ISAKMP_NPTYPE_NATD_RFC: 1115 if (pa->type == iph1->natt_options->payload_nat_d) 1116 { 1117 vchar_t *natd_received = NULL; 1118 int natd_verified; 1119 1120 if (isakmp_p2ph (&natd_received, pa->ptr) < 0) 1121 goto end; 1122 1123 if (natd_seq == 0) 1124 iph1->natt_flags |= NAT_DETECTED; 1125 1126 natd_verified = natt_compare_addr_hash (iph1, 1127 natd_received, natd_seq++); 1128 1129 plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n", 1130 natd_seq - 1, 1131 natd_verified ? "verified" : "doesn't match"); 1132 1133 vfree (natd_received); 1134 break; 1135 } 1136 /* passthrough to default... */ 1137 #endif 1138 1139 default: 1140 /* don't send information, see ident_r1recv() */ 1141 plog(LLV_ERROR, LOCATION, iph1->remote, 1142 "ignore the packet, " 1143 "received unexpecting payload type %d.\n", 1144 pa->type); 1145 goto end; 1146 } 1147 } 1148 1149 /* generate DH public value */ 1150 if (oakley_dh_generate(iph1->approval->dhgrp, 1151 &iph1->dhpub, &iph1->dhpriv) < 0) 1152 goto end; 1153 1154 /* compute sharing secret of DH */ 1155 if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub, 1156 iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) 1157 goto end; 1158 1159 /* generate SKEYID */ 1160 if (oakley_skeyid(iph1) < 0) 1161 goto end; 1162 1163 #ifdef ENABLE_NATT 1164 if (NATT_AVAILABLE(iph1)) 1165 plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n", 1166 iph1->natt_flags & NAT_DETECTED ? 1167 "detected:" : "not detected", 1168 iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "", 1169 iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : ""); 1170 #endif 1171 1172 /* payload existency check */ 1173 /* validate authentication value */ 1174 ptype = oakley_validate_auth(iph1); 1175 if (ptype != 0) { 1176 if (ptype == -1) { 1177 /* message printed inner oakley_validate_auth() */ 1178 goto end; 1179 } 1180 evt_phase1(iph1, EVT_PHASE1_AUTH_FAILED, NULL); 1181 isakmp_info_send_n1(iph1, ptype, NULL); 1182 goto end; 1183 } 1184 1185 iph1->status = PHASE1ST_MSG2RECEIVED; 1186 1187 error = 0; 1188 1189 end: 1190 if (pbuf) 1191 vfree(pbuf); 1192 1193 if (error) { 1194 VPTRINIT(iph1->dhpub_p); 1195 VPTRINIT(iph1->cert_p); 1196 VPTRINIT(iph1->crl_p); 1197 VPTRINIT(iph1->sig_p); 1198 } 1199 1200 return error; 1201 } 1202 1203 /* 1204 * send to initiator 1205 * psk: HDR, KE, HASH_R 1206 * sig: HDR, KE, [CERT,] SIG_R 1207 * rsa: HDR, KE, HASH_R 1208 * rev: HDR, <KE>_Ke_r, HASH_R 1209 */ 1210 int 1211 base_r2send(iph1, msg) 1212 struct ph1handle *iph1; 1213 vchar_t *msg; 1214 { 1215 struct payload_list *plist = NULL; 1216 vchar_t *vid = NULL; 1217 int need_cert = 0; 1218 int error = -1; 1219 1220 /* validity check */ 1221 if (iph1->status != PHASE1ST_MSG2RECEIVED) { 1222 plog(LLV_ERROR, LOCATION, NULL, 1223 "status mismatched %d.\n", iph1->status); 1224 goto end; 1225 } 1226 1227 /* generate HASH to send */ 1228 plog(LLV_DEBUG, LOCATION, NULL, "generate HASH_I\n"); 1229 switch (iph1->approval->authmethod) { 1230 case OAKLEY_ATTR_AUTH_METHOD_PSKEY: 1231 #ifdef ENABLE_HYBRID 1232 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R: 1233 #endif 1234 case OAKLEY_ATTR_AUTH_METHOD_RSAENC: 1235 case OAKLEY_ATTR_AUTH_METHOD_RSAREV: 1236 #ifdef ENABLE_HYBRID 1237 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R: 1238 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: 1239 #endif 1240 iph1->hash = oakley_ph1hash_common(iph1, GENERATE); 1241 break; 1242 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: 1243 case OAKLEY_ATTR_AUTH_METHOD_RSASIG: 1244 #ifdef ENABLE_HYBRID 1245 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R: 1246 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: 1247 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R: 1248 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R: 1249 #endif 1250 #ifdef HAVE_GSSAPI 1251 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB: 1252 #endif 1253 iph1->hash = oakley_ph1hash_base_r(iph1, GENERATE); 1254 break; 1255 default: 1256 plog(LLV_ERROR, LOCATION, NULL, 1257 "invalid authentication method %d\n", 1258 iph1->approval->authmethod); 1259 goto end; 1260 } 1261 if (iph1->hash == NULL) 1262 goto end; 1263 1264 switch (iph1->approval->authmethod) { 1265 case OAKLEY_ATTR_AUTH_METHOD_PSKEY: 1266 #ifdef ENABLE_HYBRID 1267 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R: 1268 #endif 1269 vid = set_vendorid(iph1->approval->vendorid); 1270 1271 /* create isakmp KE payload */ 1272 plist = isakmp_plist_append(plist, 1273 iph1->dhpub, ISAKMP_NPTYPE_KE); 1274 1275 /* create isakmp HASH payload */ 1276 plist = isakmp_plist_append(plist, 1277 iph1->hash, ISAKMP_NPTYPE_HASH); 1278 1279 /* append vendor id, if needed */ 1280 if (vid) 1281 plist = isakmp_plist_append(plist, 1282 vid, ISAKMP_NPTYPE_VID); 1283 break; 1284 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: 1285 case OAKLEY_ATTR_AUTH_METHOD_RSASIG: 1286 #ifdef ENABLE_HYBRID 1287 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R: 1288 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: 1289 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R: 1290 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R: 1291 #endif 1292 /* XXX if there is CR or not ? */ 1293 1294 if (oakley_getmycert(iph1) < 0) 1295 goto end; 1296 1297 if (oakley_getsign(iph1) < 0) 1298 goto end; 1299 1300 if (iph1->cert && iph1->rmconf->send_cert) 1301 need_cert = 1; 1302 1303 /* create isakmp KE payload */ 1304 plist = isakmp_plist_append(plist, iph1->dhpub, 1305 ISAKMP_NPTYPE_KE); 1306 1307 /* add CERT payload if there */ 1308 if (need_cert) 1309 plist = isakmp_plist_append(plist, iph1->cert, 1310 ISAKMP_NPTYPE_CERT); 1311 1312 /* add SIG payload */ 1313 plist = isakmp_plist_append(plist, iph1->sig, 1314 ISAKMP_NPTYPE_SIG); 1315 break; 1316 #ifdef HAVE_GSSAPI 1317 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB: 1318 /* ... */ 1319 break; 1320 #endif 1321 case OAKLEY_ATTR_AUTH_METHOD_RSAENC: 1322 case OAKLEY_ATTR_AUTH_METHOD_RSAREV: 1323 #ifdef ENABLE_HYBRID 1324 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R: 1325 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: 1326 #endif 1327 break; 1328 } 1329 1330 #ifdef ENABLE_NATT 1331 /* generate NAT-D payloads */ 1332 if (NATT_AVAILABLE(iph1)) { 1333 vchar_t *natd[2] = { NULL, NULL }; 1334 1335 plog(LLV_INFO, LOCATION, 1336 NULL, "Adding remote and local NAT-D payloads.\n"); 1337 if ((natd[0] = natt_hash_addr(iph1, iph1->remote)) == NULL) { 1338 plog(LLV_ERROR, LOCATION, NULL, 1339 "NAT-D hashing failed for %s\n", 1340 saddr2str(iph1->remote)); 1341 goto end; 1342 } 1343 1344 if ((natd[1] = natt_hash_addr(iph1, iph1->local)) == NULL) { 1345 plog(LLV_ERROR, LOCATION, NULL, 1346 "NAT-D hashing failed for %s\n", 1347 saddr2str(iph1->local)); 1348 goto end; 1349 } 1350 1351 plist = isakmp_plist_append(plist, 1352 natd[0], iph1->natt_options->payload_nat_d); 1353 plist = isakmp_plist_append(plist, 1354 natd[1], iph1->natt_options->payload_nat_d); 1355 } 1356 #endif 1357 1358 iph1->sendbuf = isakmp_plist_set_all(&plist, iph1); 1359 1360 #ifdef HAVE_PRINT_ISAKMP_C 1361 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0); 1362 #endif 1363 1364 /* send HDR;KE;NONCE to responder */ 1365 if (isakmp_send(iph1, iph1->sendbuf) < 0) 1366 goto end; 1367 1368 /* the sending message is added to the received-list. */ 1369 if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) { 1370 plog(LLV_ERROR , LOCATION, NULL, 1371 "failed to add a response packet to the tree.\n"); 1372 goto end; 1373 } 1374 1375 /* generate SKEYIDs & IV & final cipher key */ 1376 if (oakley_skeyid_dae(iph1) < 0) 1377 goto end; 1378 if (oakley_compute_enckey(iph1) < 0) 1379 goto end; 1380 if (oakley_newiv(iph1) < 0) 1381 goto end; 1382 1383 /* set encryption flag */ 1384 iph1->flags |= ISAKMP_FLAG_E; 1385 1386 iph1->status = PHASE1ST_ESTABLISHED; 1387 1388 error = 0; 1389 1390 end: 1391 if (vid) 1392 vfree(vid); 1393 return error; 1394 } 1395