1 /* $NetBSD: isakmp_agg.c,v 1.16 2009/09/18 10:31:11 tteras Exp $ */ 2 3 /* Id: isakmp_agg.c,v 1.28 2006/04/06 16:46:08 manubsd Exp */ 4 5 /* 6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of the project nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 /* Aggressive Exchange (Aggressive Mode) */ 35 36 #include "config.h" 37 38 #include <sys/types.h> 39 #include <sys/param.h> 40 41 #include <stdlib.h> 42 #include <stdio.h> 43 #include <string.h> 44 #include <errno.h> 45 #if TIME_WITH_SYS_TIME 46 # include <sys/time.h> 47 # include <time.h> 48 #else 49 # if HAVE_SYS_TIME_H 50 # include <sys/time.h> 51 # else 52 # include <time.h> 53 # endif 54 #endif 55 56 #include "var.h" 57 #include "misc.h" 58 #include "vmbuf.h" 59 #include "plog.h" 60 #include "sockmisc.h" 61 #include "schedule.h" 62 #include "debug.h" 63 64 #ifdef ENABLE_HYBRID 65 #include <resolv.h> 66 #endif 67 68 #include "localconf.h" 69 #include "remoteconf.h" 70 #include "isakmp_var.h" 71 #include "isakmp.h" 72 #include "evt.h" 73 #include "oakley.h" 74 #include "handler.h" 75 #include "ipsec_doi.h" 76 #include "crypto_openssl.h" 77 #include "pfkey.h" 78 #include "isakmp_agg.h" 79 #include "isakmp_inf.h" 80 #ifdef ENABLE_HYBRID 81 #include "isakmp_xauth.h" 82 #include "isakmp_cfg.h" 83 #endif 84 #ifdef ENABLE_FRAG 85 #include "isakmp_frag.h" 86 #endif 87 #include "vendorid.h" 88 #include "strnames.h" 89 90 #ifdef ENABLE_NATT 91 #include "nattraversal.h" 92 #endif 93 94 #ifdef HAVE_GSSAPI 95 #include "gssapi.h" 96 #endif 97 98 /* 99 * begin Aggressive Mode as initiator. 100 */ 101 /* 102 * send to responder 103 * psk: HDR, SA, KE, Ni, IDi1 104 * sig: HDR, SA, KE, Ni, IDi1 [, CR ] 105 * gssapi: HDR, SA, KE, Ni, IDi1, GSSi 106 * rsa: HDR, SA, [ HASH(1),] KE, <IDi1_b>Pubkey_r, <Ni_b>Pubkey_r 107 * rev: HDR, SA, [ HASH(1),] <Ni_b>Pubkey_r, <KE_b>Ke_i, 108 * <IDii_b>Ke_i [, <Cert-I_b>Ke_i ] 109 */ 110 int 111 agg_i1send(iph1, msg) 112 struct ph1handle *iph1; 113 vchar_t *msg; /* must be null */ 114 { 115 struct payload_list *plist = NULL; 116 int error = -1; 117 #ifdef ENABLE_NATT 118 vchar_t *vid_natt[MAX_NATT_VID_COUNT] = { NULL }; 119 int i; 120 #endif 121 #ifdef ENABLE_HYBRID 122 vchar_t *vid_xauth = NULL; 123 vchar_t *vid_unity = NULL; 124 #endif 125 #ifdef ENABLE_FRAG 126 vchar_t *vid_frag = NULL; 127 #endif 128 #ifdef HAVE_GSSAPI 129 vchar_t *gsstoken = NULL; 130 int len; 131 #endif 132 #ifdef ENABLE_DPD 133 vchar_t *vid_dpd = NULL; 134 #endif 135 136 /* validity check */ 137 if (msg != NULL) { 138 plog(LLV_ERROR, LOCATION, NULL, 139 "msg has to be NULL in this function.\n"); 140 goto end; 141 } 142 if (iph1->status != PHASE1ST_START) { 143 plog(LLV_ERROR, LOCATION, NULL, 144 "status mismatched %d.\n", iph1->status); 145 goto end; 146 } 147 148 /* create isakmp index */ 149 memset(&iph1->index, 0, sizeof(iph1->index)); 150 isakmp_newcookie((caddr_t)&iph1->index, iph1->remote, iph1->local); 151 152 /* make ID payload into isakmp status */ 153 if (ipsecdoi_setid1(iph1) < 0) 154 goto end; 155 156 /* create SA payload for my proposal */ 157 iph1->sa = ipsecdoi_setph1proposal(iph1->rmconf, iph1->rmconf->proposal); 158 if (iph1->sa == NULL) 159 goto end; 160 161 /* consistency check of proposals */ 162 if (iph1->rmconf->dhgrp == NULL) { 163 plog(LLV_ERROR, LOCATION, NULL, 164 "configuration failure about DH group.\n"); 165 goto end; 166 } 167 168 /* generate DH public value */ 169 if (oakley_dh_generate(iph1->rmconf->dhgrp, 170 &iph1->dhpub, &iph1->dhpriv) < 0) 171 goto end; 172 173 /* generate NONCE value */ 174 iph1->nonce = eay_set_random(iph1->rmconf->nonce_size); 175 if (iph1->nonce == NULL) 176 goto end; 177 178 #ifdef ENABLE_HYBRID 179 /* Do we need Xauth VID? */ 180 switch (iph1->rmconf->proposal->authmethod) { 181 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I: 182 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: 183 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: 184 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: 185 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: 186 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I: 187 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I: 188 if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL) 189 plog(LLV_ERROR, LOCATION, NULL, 190 "Xauth vendor ID generation failed\n"); 191 if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL) 192 plog(LLV_ERROR, LOCATION, NULL, 193 "Unity vendor ID generation failed\n"); 194 break; 195 default: 196 break; 197 } 198 #endif 199 200 #ifdef ENABLE_FRAG 201 if (iph1->rmconf->ike_frag) { 202 vid_frag = set_vendorid(VENDORID_FRAG); 203 if (vid_frag != NULL) 204 vid_frag = isakmp_frag_addcap(vid_frag, 205 VENDORID_FRAG_AGG); 206 if (vid_frag == NULL) 207 plog(LLV_ERROR, LOCATION, NULL, 208 "Frag vendorID construction failed\n"); 209 } 210 #endif 211 212 plog(LLV_DEBUG, LOCATION, NULL, "authmethod is %s\n", 213 s_oakley_attr_method(iph1->rmconf->proposal->authmethod)); 214 #ifdef HAVE_GSSAPI 215 if (iph1->rmconf->proposal->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) 216 gssapi_get_itoken(iph1, &len); 217 #endif 218 219 /* set SA payload to propose */ 220 plist = isakmp_plist_append(plist, iph1->sa, ISAKMP_NPTYPE_SA); 221 222 /* create isakmp KE payload */ 223 plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE); 224 225 /* create isakmp NONCE payload */ 226 plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE); 227 228 /* create isakmp ID payload */ 229 plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID); 230 231 #ifdef HAVE_GSSAPI 232 if (iph1->rmconf->proposal->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) { 233 if (gssapi_get_token_to_send(iph1, &gsstoken) < 0) { 234 plog(LLV_ERROR, LOCATION, NULL, 235 "Failed to get gssapi token.\n"); 236 goto end; 237 } 238 plist = isakmp_plist_append(plist, gsstoken, ISAKMP_NPTYPE_GSS); 239 } 240 #endif 241 /* create isakmp CR payload */ 242 if (oakley_needcr(iph1->rmconf->proposal->authmethod)) 243 plist = oakley_append_cr(plist, iph1); 244 245 #ifdef ENABLE_FRAG 246 if (vid_frag) 247 plist = isakmp_plist_append(plist, vid_frag, ISAKMP_NPTYPE_VID); 248 #endif 249 #ifdef ENABLE_NATT 250 /* 251 * set VID payload for NAT-T if NAT-T 252 * support allowed in the config file 253 */ 254 if (iph1->rmconf->nat_traversal) 255 plist = isakmp_plist_append_natt_vids(plist, vid_natt); 256 #endif 257 #ifdef ENABLE_HYBRID 258 if (vid_xauth) 259 plist = isakmp_plist_append(plist, 260 vid_xauth, ISAKMP_NPTYPE_VID); 261 if (vid_unity) 262 plist = isakmp_plist_append(plist, 263 vid_unity, ISAKMP_NPTYPE_VID); 264 #endif 265 #ifdef ENABLE_DPD 266 if(iph1->rmconf->dpd){ 267 vid_dpd = set_vendorid(VENDORID_DPD); 268 if (vid_dpd != NULL) 269 plist = isakmp_plist_append(plist, vid_dpd, ISAKMP_NPTYPE_VID); 270 } 271 #endif 272 273 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1); 274 275 #ifdef HAVE_PRINT_ISAKMP_C 276 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0); 277 #endif 278 279 /* send the packet, add to the schedule to resend */ 280 if (isakmp_ph1send(iph1) == -1) 281 goto end; 282 283 iph1->status = PHASE1ST_MSG1SENT; 284 285 error = 0; 286 287 end: 288 #ifdef HAVE_GSSAPI 289 if (gsstoken) 290 vfree(gsstoken); 291 #endif 292 #ifdef ENABLE_FRAG 293 if (vid_frag) 294 vfree(vid_frag); 295 #endif 296 #ifdef ENABLE_NATT 297 for (i = 0; i < MAX_NATT_VID_COUNT && vid_natt[i] != NULL; i++) 298 vfree(vid_natt[i]); 299 #endif 300 #ifdef ENABLE_HYBRID 301 if (vid_xauth != NULL) 302 vfree(vid_xauth); 303 if (vid_unity != NULL) 304 vfree(vid_unity); 305 #endif 306 #ifdef ENABLE_DPD 307 if (vid_dpd != NULL) 308 vfree(vid_dpd); 309 #endif 310 311 return error; 312 } 313 314 /* 315 * receive from responder 316 * psk: HDR, SA, KE, Nr, IDr1, HASH_R 317 * sig: HDR, SA, KE, Nr, IDr1, [ CR, ] [ CERT, ] SIG_R 318 * gssapi: HDR, SA, KE, Nr, IDr1, GSSr, HASH_R 319 * rsa: HDR, SA, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i, HASH_R 320 * rev: HDR, SA, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDir_b>Ke_r, HASH_R 321 */ 322 int 323 agg_i2recv(iph1, msg) 324 struct ph1handle *iph1; 325 vchar_t *msg; 326 { 327 vchar_t *pbuf = NULL; 328 struct isakmp_parse_t *pa; 329 vchar_t *satmp = NULL; 330 int error = -1; 331 int ptype; 332 #ifdef ENABLE_HYBRID 333 vchar_t *unity_vid; 334 vchar_t *xauth_vid; 335 #endif 336 #ifdef HAVE_GSSAPI 337 vchar_t *gsstoken = NULL; 338 #endif 339 340 #ifdef ENABLE_NATT 341 int natd_seq = 0; 342 struct natd_payload { 343 int seq; 344 vchar_t *payload; 345 TAILQ_ENTRY(natd_payload) chain; 346 }; 347 TAILQ_HEAD(_natd_payload, natd_payload) natd_tree; 348 TAILQ_INIT(&natd_tree); 349 #endif 350 351 /* validity check */ 352 if (iph1->status != PHASE1ST_MSG1SENT) { 353 plog(LLV_ERROR, LOCATION, NULL, 354 "status mismatched %d.\n", iph1->status); 355 goto end; 356 } 357 358 /* validate the type of next payload */ 359 pbuf = isakmp_parse(msg); 360 if (pbuf == NULL) 361 goto end; 362 pa = (struct isakmp_parse_t *)pbuf->v; 363 364 iph1->pl_hash = NULL; 365 366 /* SA payload is fixed postion */ 367 if (pa->type != ISAKMP_NPTYPE_SA) { 368 plog(LLV_ERROR, LOCATION, iph1->remote, 369 "received invalid next payload type %d, " 370 "expecting %d.\n", 371 pa->type, ISAKMP_NPTYPE_SA); 372 goto end; 373 } 374 375 if (isakmp_p2ph(&satmp, pa->ptr) < 0) 376 goto end; 377 pa++; 378 379 for (/*nothing*/; 380 pa->type != ISAKMP_NPTYPE_NONE; 381 pa++) { 382 383 switch (pa->type) { 384 case ISAKMP_NPTYPE_KE: 385 if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) 386 goto end; 387 break; 388 case ISAKMP_NPTYPE_NONCE: 389 if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) 390 goto end; 391 break; 392 case ISAKMP_NPTYPE_ID: 393 if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) 394 goto end; 395 break; 396 case ISAKMP_NPTYPE_HASH: 397 iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr; 398 break; 399 case ISAKMP_NPTYPE_CR: 400 if (oakley_savecr(iph1, pa->ptr) < 0) 401 goto end; 402 break; 403 case ISAKMP_NPTYPE_CERT: 404 if (oakley_savecert(iph1, pa->ptr) < 0) 405 goto end; 406 break; 407 case ISAKMP_NPTYPE_SIG: 408 if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) 409 goto end; 410 break; 411 case ISAKMP_NPTYPE_VID: 412 handle_vendorid(iph1, pa->ptr); 413 break; 414 case ISAKMP_NPTYPE_N: 415 isakmp_log_notify(iph1, 416 (struct isakmp_pl_n *) pa->ptr, 417 "aggressive exchange"); 418 break; 419 #ifdef HAVE_GSSAPI 420 case ISAKMP_NPTYPE_GSS: 421 if (isakmp_p2ph(&gsstoken, pa->ptr) < 0) 422 goto end; 423 gssapi_save_received_token(iph1, gsstoken); 424 break; 425 #endif 426 427 #ifdef ENABLE_NATT 428 case ISAKMP_NPTYPE_NATD_DRAFT: 429 case ISAKMP_NPTYPE_NATD_RFC: 430 if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL && 431 pa->type == iph1->natt_options->payload_nat_d) { 432 struct natd_payload *natd; 433 natd = (struct natd_payload *)racoon_malloc(sizeof(*natd)); 434 if (!natd) 435 goto end; 436 437 natd->payload = NULL; 438 439 if (isakmp_p2ph (&natd->payload, pa->ptr) < 0) 440 goto end; 441 442 natd->seq = natd_seq++; 443 444 TAILQ_INSERT_TAIL(&natd_tree, natd, chain); 445 break; 446 } 447 /* passthrough to default... */ 448 #endif 449 450 default: 451 /* don't send information, see isakmp_ident_r1() */ 452 plog(LLV_ERROR, LOCATION, iph1->remote, 453 "ignore the packet, " 454 "received unexpecting payload type %d.\n", 455 pa->type); 456 goto end; 457 } 458 } 459 460 /* payload existency check */ 461 if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) { 462 plog(LLV_ERROR, LOCATION, iph1->remote, 463 "few isakmp message received.\n"); 464 goto end; 465 } 466 467 /* verify identifier */ 468 if (ipsecdoi_checkid1(iph1) != 0) { 469 plog(LLV_ERROR, LOCATION, iph1->remote, 470 "invalid ID payload.\n"); 471 goto end; 472 } 473 474 /* check SA payload and set approval SA for use */ 475 if (ipsecdoi_checkph1proposal(satmp, iph1) < 0) { 476 plog(LLV_ERROR, LOCATION, iph1->remote, 477 "failed to get valid proposal.\n"); 478 /* XXX send information */ 479 goto end; 480 } 481 VPTRINIT(iph1->sa_ret); 482 483 /* fix isakmp index */ 484 memcpy(&iph1->index.r_ck, &((struct isakmp *)msg->v)->r_ck, 485 sizeof(cookie_t)); 486 487 #ifdef ENABLE_NATT 488 if (NATT_AVAILABLE(iph1)) { 489 struct natd_payload *natd = NULL; 490 int natd_verified; 491 492 plog(LLV_INFO, LOCATION, iph1->remote, 493 "Selected NAT-T version: %s\n", 494 vid_string_by_id(iph1->natt_options->version)); 495 496 /* set both bits first so that we can clear them 497 upon verifying hashes */ 498 iph1->natt_flags |= NAT_DETECTED; 499 500 while ((natd = TAILQ_FIRST(&natd_tree)) != NULL) { 501 /* this function will clear appropriate bits bits 502 from iph1->natt_flags */ 503 natd_verified = natt_compare_addr_hash (iph1, 504 natd->payload, natd->seq); 505 506 plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n", 507 natd->seq - 1, 508 natd_verified ? "verified" : "doesn't match"); 509 510 vfree (natd->payload); 511 512 TAILQ_REMOVE(&natd_tree, natd, chain); 513 racoon_free (natd); 514 } 515 516 plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n", 517 iph1->natt_flags & NAT_DETECTED ? 518 "detected:" : "not detected", 519 iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "", 520 iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : ""); 521 522 if (iph1->natt_flags & NAT_DETECTED) 523 natt_float_ports (iph1); 524 } 525 #endif 526 527 /* compute sharing secret of DH */ 528 if (oakley_dh_compute(iph1->rmconf->dhgrp, iph1->dhpub, 529 iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) 530 goto end; 531 532 /* generate SKEYIDs & IV & final cipher key */ 533 if (oakley_skeyid(iph1) < 0) 534 goto end; 535 if (oakley_skeyid_dae(iph1) < 0) 536 goto end; 537 if (oakley_compute_enckey(iph1) < 0) 538 goto end; 539 if (oakley_newiv(iph1) < 0) 540 goto end; 541 542 /* validate authentication value */ 543 ptype = oakley_validate_auth(iph1); 544 if (ptype != 0) { 545 if (ptype == -1) { 546 /* message printed inner oakley_validate_auth() */ 547 goto end; 548 } 549 evt_phase1(iph1, EVT_PHASE1_AUTH_FAILED, NULL); 550 isakmp_info_send_n1(iph1, ptype, NULL); 551 goto end; 552 } 553 554 if (oakley_checkcr(iph1) < 0) { 555 /* Ignore this error in order to be interoperability. */ 556 ; 557 } 558 559 /* change status of isakmp status entry */ 560 iph1->status = PHASE1ST_MSG2RECEIVED; 561 562 error = 0; 563 564 end: 565 #ifdef HAVE_GSSAPI 566 if (gsstoken) 567 vfree(gsstoken); 568 #endif 569 if (pbuf) 570 vfree(pbuf); 571 if (satmp) 572 vfree(satmp); 573 if (error) { 574 VPTRINIT(iph1->dhpub_p); 575 VPTRINIT(iph1->nonce_p); 576 VPTRINIT(iph1->id_p); 577 VPTRINIT(iph1->cert_p); 578 VPTRINIT(iph1->crl_p); 579 VPTRINIT(iph1->sig_p); 580 VPTRINIT(iph1->cr_p); 581 } 582 583 return error; 584 } 585 586 /* 587 * send to responder 588 * psk: HDR, HASH_I 589 * gssapi: HDR, HASH_I 590 * sig: HDR, [ CERT, ] SIG_I 591 * rsa: HDR, HASH_I 592 * rev: HDR, HASH_I 593 */ 594 int 595 agg_i2send(iph1, msg) 596 struct ph1handle *iph1; 597 vchar_t *msg; 598 { 599 struct payload_list *plist = NULL; 600 int need_cert = 0; 601 int error = -1; 602 vchar_t *gsshash = NULL; 603 604 /* validity check */ 605 if (iph1->status != PHASE1ST_MSG2RECEIVED) { 606 plog(LLV_ERROR, LOCATION, NULL, 607 "status mismatched %d.\n", iph1->status); 608 goto end; 609 } 610 611 /* generate HASH to send */ 612 plog(LLV_DEBUG, LOCATION, NULL, "generate HASH_I\n"); 613 iph1->hash = oakley_ph1hash_common(iph1, GENERATE); 614 if (iph1->hash == NULL) { 615 #ifdef HAVE_GSSAPI 616 if (gssapi_more_tokens(iph1) && 617 #ifdef ENABLE_HYBRID 618 !iph1->rmconf->xauth && 619 #endif 620 1) 621 isakmp_info_send_n1(iph1, 622 ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, NULL); 623 #endif 624 goto end; 625 } 626 627 switch (iph1->approval->authmethod) { 628 case OAKLEY_ATTR_AUTH_METHOD_PSKEY: 629 #ifdef ENABLE_HYBRID 630 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I: 631 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: 632 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: 633 #endif 634 /* set HASH payload */ 635 plist = isakmp_plist_append(plist, 636 iph1->hash, ISAKMP_NPTYPE_HASH); 637 break; 638 639 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: 640 case OAKLEY_ATTR_AUTH_METHOD_RSASIG: 641 #ifdef ENABLE_HYBRID 642 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: 643 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: 644 #endif 645 /* XXX if there is CR or not ? */ 646 647 if (oakley_getmycert(iph1) < 0) 648 goto end; 649 650 if (oakley_getsign(iph1) < 0) 651 goto end; 652 653 if (iph1->cert != NULL && iph1->rmconf->send_cert) 654 need_cert = 1; 655 656 /* add CERT payload if there */ 657 if (need_cert) 658 plist = isakmp_plist_append(plist, iph1->cert, 659 ISAKMP_NPTYPE_CERT); 660 661 /* add SIG payload */ 662 plist = isakmp_plist_append(plist, 663 iph1->sig, ISAKMP_NPTYPE_SIG); 664 break; 665 666 case OAKLEY_ATTR_AUTH_METHOD_RSAENC: 667 case OAKLEY_ATTR_AUTH_METHOD_RSAREV: 668 #ifdef ENABLE_HYBRID 669 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I: 670 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I: 671 #endif 672 break; 673 #ifdef HAVE_GSSAPI 674 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB: 675 gsshash = gssapi_wraphash(iph1); 676 if (gsshash == NULL) { 677 plog(LLV_ERROR, LOCATION, NULL, 678 "failed to wrap hash\n"); 679 isakmp_info_send_n1(iph1, 680 ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, NULL); 681 goto end; 682 } 683 684 plist = isakmp_plist_append(plist, 685 gsshash, ISAKMP_NPTYPE_HASH); 686 break; 687 #endif 688 } 689 690 #ifdef ENABLE_NATT 691 /* generate NAT-D payloads */ 692 if (NATT_AVAILABLE(iph1)) { 693 vchar_t *natd[2] = { NULL, NULL }; 694 695 plog(LLV_INFO, LOCATION, 696 NULL, "Adding remote and local NAT-D payloads.\n"); 697 698 if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) { 699 plog(LLV_ERROR, LOCATION, NULL, 700 "NAT-D hashing failed for %s\n", 701 saddr2str(iph1->remote)); 702 goto end; 703 } 704 705 if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) { 706 plog(LLV_ERROR, LOCATION, NULL, 707 "NAT-D hashing failed for %s\n", 708 saddr2str(iph1->local)); 709 goto end; 710 } 711 712 plist = isakmp_plist_append(plist, 713 natd[0], iph1->natt_options->payload_nat_d); 714 plist = isakmp_plist_append(plist, 715 natd[1], iph1->natt_options->payload_nat_d); 716 } 717 #endif 718 719 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1); 720 721 #ifdef HAVE_PRINT_ISAKMP_C 722 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0); 723 #endif 724 725 /* send to responder */ 726 if (isakmp_send(iph1, iph1->sendbuf) < 0) 727 goto end; 728 729 /* the sending message is added to the received-list. */ 730 if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) { 731 plog(LLV_ERROR , LOCATION, NULL, 732 "failed to add a response packet to the tree.\n"); 733 goto end; 734 } 735 736 /* set encryption flag */ 737 iph1->flags |= ISAKMP_FLAG_E; 738 739 iph1->status = PHASE1ST_ESTABLISHED; 740 741 error = 0; 742 743 end: 744 if (gsshash) 745 vfree(gsshash); 746 return error; 747 } 748 749 /* 750 * receive from initiator 751 * psk: HDR, SA, KE, Ni, IDi1 752 * sig: HDR, SA, KE, Ni, IDi1 [, CR ] 753 * gssapi: HDR, SA, KE, Ni, IDi1 , GSSi 754 * rsa: HDR, SA, [ HASH(1),] KE, <IDi1_b>Pubkey_r, <Ni_b>Pubkey_r 755 * rev: HDR, SA, [ HASH(1),] <Ni_b>Pubkey_r, <KE_b>Ke_i, 756 * <IDii_b>Ke_i [, <Cert-I_b>Ke_i ] 757 */ 758 int 759 agg_r1recv(iph1, msg) 760 struct ph1handle *iph1; 761 vchar_t *msg; 762 { 763 int error = -1; 764 vchar_t *pbuf = NULL; 765 struct isakmp_parse_t *pa; 766 int vid_numeric; 767 #ifdef HAVE_GSSAPI 768 vchar_t *gsstoken = NULL; 769 #endif 770 771 /* validity check */ 772 if (iph1->status != PHASE1ST_START) { 773 plog(LLV_ERROR, LOCATION, NULL, 774 "status mismatched %d.\n", iph1->status); 775 goto end; 776 } 777 778 /* validate the type of next payload */ 779 pbuf = isakmp_parse(msg); 780 if (pbuf == NULL) 781 goto end; 782 pa = (struct isakmp_parse_t *)pbuf->v; 783 784 /* SA payload is fixed postion */ 785 if (pa->type != ISAKMP_NPTYPE_SA) { 786 plog(LLV_ERROR, LOCATION, iph1->remote, 787 "received invalid next payload type %d, " 788 "expecting %d.\n", 789 pa->type, ISAKMP_NPTYPE_SA); 790 goto end; 791 } 792 if (isakmp_p2ph(&iph1->sa, pa->ptr) < 0) 793 goto end; 794 pa++; 795 796 for (/*nothing*/; 797 pa->type != ISAKMP_NPTYPE_NONE; 798 pa++) { 799 800 plog(LLV_DEBUG, LOCATION, NULL, 801 "received payload of type %s\n", 802 s_isakmp_nptype(pa->type)); 803 804 switch (pa->type) { 805 case ISAKMP_NPTYPE_KE: 806 if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) 807 goto end; 808 break; 809 case ISAKMP_NPTYPE_NONCE: 810 if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) 811 goto end; 812 break; 813 case ISAKMP_NPTYPE_ID: 814 if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) 815 goto end; 816 break; 817 case ISAKMP_NPTYPE_VID: 818 vid_numeric = handle_vendorid(iph1, pa->ptr); 819 #ifdef ENABLE_FRAG 820 if ((vid_numeric == VENDORID_FRAG) && 821 (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_AGG)) 822 iph1->frag = 1; 823 #endif 824 break; 825 826 case ISAKMP_NPTYPE_CR: 827 if (oakley_savecr(iph1, pa->ptr) < 0) 828 goto end; 829 break; 830 831 #ifdef HAVE_GSSAPI 832 case ISAKMP_NPTYPE_GSS: 833 if (isakmp_p2ph(&gsstoken, pa->ptr) < 0) 834 goto end; 835 gssapi_save_received_token(iph1, gsstoken); 836 break; 837 #endif 838 default: 839 /* don't send information, see isakmp_ident_r1() */ 840 plog(LLV_ERROR, LOCATION, iph1->remote, 841 "ignore the packet, " 842 "received unexpecting payload type %d.\n", 843 pa->type); 844 goto end; 845 } 846 } 847 848 /* payload existency check */ 849 if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) { 850 plog(LLV_ERROR, LOCATION, iph1->remote, 851 "few isakmp message received.\n"); 852 goto end; 853 } 854 855 /* verify identifier */ 856 if (ipsecdoi_checkid1(iph1) != 0) { 857 plog(LLV_ERROR, LOCATION, iph1->remote, 858 "invalid ID payload.\n"); 859 goto end; 860 } 861 862 #ifdef ENABLE_NATT 863 if (NATT_AVAILABLE(iph1)) 864 plog(LLV_INFO, LOCATION, iph1->remote, 865 "Selected NAT-T version: %s\n", 866 vid_string_by_id(iph1->natt_options->version)); 867 #endif 868 869 /* check SA payload and set approval SA for use */ 870 if (ipsecdoi_checkph1proposal(iph1->sa, iph1) < 0) { 871 plog(LLV_ERROR, LOCATION, iph1->remote, 872 "failed to get valid proposal.\n"); 873 /* XXX send information */ 874 goto end; 875 } 876 877 if (oakley_checkcr(iph1) < 0) { 878 /* Ignore this error in order to be interoperability. */ 879 ; 880 } 881 882 iph1->status = PHASE1ST_MSG1RECEIVED; 883 884 error = 0; 885 886 end: 887 #ifdef HAVE_GSSAPI 888 if (gsstoken) 889 vfree(gsstoken); 890 #endif 891 if (pbuf) 892 vfree(pbuf); 893 if (error) { 894 VPTRINIT(iph1->sa); 895 VPTRINIT(iph1->dhpub_p); 896 VPTRINIT(iph1->nonce_p); 897 VPTRINIT(iph1->id_p); 898 VPTRINIT(iph1->cr_p); 899 } 900 901 return error; 902 } 903 904 /* 905 * send to initiator 906 * psk: HDR, SA, KE, Nr, IDr1, HASH_R 907 * sig: HDR, SA, KE, Nr, IDr1, [ CR, ] [ CERT, ] SIG_R 908 * gssapi: HDR, SA, KE, Nr, IDr1, GSSr, HASH_R 909 * rsa: HDR, SA, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i, HASH_R 910 * rev: HDR, SA, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDir_b>Ke_r, HASH_R 911 */ 912 int 913 agg_r1send(iph1, msg) 914 struct ph1handle *iph1; 915 vchar_t *msg; 916 { 917 struct payload_list *plist = NULL; 918 int need_cert = 0; 919 int error = -1; 920 #ifdef ENABLE_HYBRID 921 vchar_t *xauth_vid = NULL; 922 vchar_t *unity_vid = NULL; 923 #endif 924 #ifdef ENABLE_NATT 925 vchar_t *vid_natt = NULL; 926 vchar_t *natd[2] = { NULL, NULL }; 927 #endif 928 #ifdef ENABLE_DPD 929 vchar_t *vid_dpd = NULL; 930 #endif 931 #ifdef ENABLE_FRAG 932 vchar_t *vid_frag = NULL; 933 #endif 934 935 #ifdef HAVE_GSSAPI 936 int gsslen; 937 vchar_t *gsstoken = NULL, *gsshash = NULL; 938 vchar_t *gss_sa = NULL; 939 int free_gss_sa = 0; 940 #endif 941 942 /* validity check */ 943 if (iph1->status != PHASE1ST_MSG1RECEIVED) { 944 plog(LLV_ERROR, LOCATION, NULL, 945 "status mismatched %d.\n", iph1->status); 946 goto end; 947 } 948 949 /* set responder's cookie */ 950 isakmp_newcookie((caddr_t)&iph1->index.r_ck, iph1->remote, iph1->local); 951 952 /* make ID payload into isakmp status */ 953 if (ipsecdoi_setid1(iph1) < 0) 954 goto end; 955 956 /* generate DH public value */ 957 if (oakley_dh_generate(iph1->rmconf->dhgrp, 958 &iph1->dhpub, &iph1->dhpriv) < 0) 959 goto end; 960 961 /* generate NONCE value */ 962 iph1->nonce = eay_set_random(iph1->rmconf->nonce_size); 963 if (iph1->nonce == NULL) 964 goto end; 965 966 /* compute sharing secret of DH */ 967 if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub, 968 iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) 969 goto end; 970 971 /* generate SKEYIDs & IV & final cipher key */ 972 if (oakley_skeyid(iph1) < 0) 973 goto end; 974 if (oakley_skeyid_dae(iph1) < 0) 975 goto end; 976 if (oakley_compute_enckey(iph1) < 0) 977 goto end; 978 if (oakley_newiv(iph1) < 0) 979 goto end; 980 981 #ifdef HAVE_GSSAPI 982 if (iph1->rmconf->proposal->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) 983 gssapi_get_rtoken(iph1, &gsslen); 984 #endif 985 986 /* generate HASH to send */ 987 plog(LLV_DEBUG, LOCATION, NULL, "generate HASH_R\n"); 988 iph1->hash = oakley_ph1hash_common(iph1, GENERATE); 989 if (iph1->hash == NULL) { 990 #ifdef HAVE_GSSAPI 991 if (gssapi_more_tokens(iph1)) 992 isakmp_info_send_n1(iph1, 993 ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, NULL); 994 #endif 995 goto end; 996 } 997 998 #ifdef ENABLE_NATT 999 /* Has the peer announced NAT-T? */ 1000 if (NATT_AVAILABLE(iph1)) { 1001 /* set chosen VID */ 1002 vid_natt = set_vendorid(iph1->natt_options->version); 1003 1004 /* generate NAT-D payloads */ 1005 plog (LLV_INFO, LOCATION, NULL, "Adding remote and local NAT-D payloads.\n"); 1006 if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) { 1007 plog(LLV_ERROR, LOCATION, NULL, 1008 "NAT-D hashing failed for %s\n", saddr2str(iph1->remote)); 1009 goto end; 1010 } 1011 1012 if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) { 1013 plog(LLV_ERROR, LOCATION, NULL, 1014 "NAT-D hashing failed for %s\n", saddr2str(iph1->local)); 1015 goto end; 1016 } 1017 } 1018 #endif 1019 #ifdef ENABLE_DPD 1020 /* Only send DPD support if remote announced DPD and if DPD support is active */ 1021 if (iph1->dpd_support && iph1->rmconf->dpd) 1022 vid_dpd = set_vendorid(VENDORID_DPD); 1023 #endif 1024 #ifdef ENABLE_FRAG 1025 if (iph1->frag) { 1026 vid_frag = set_vendorid(VENDORID_FRAG); 1027 if (vid_frag != NULL) 1028 vid_frag = isakmp_frag_addcap(vid_frag, 1029 VENDORID_FRAG_AGG); 1030 if (vid_frag == NULL) 1031 plog(LLV_ERROR, LOCATION, NULL, 1032 "Frag vendorID construction failed\n"); 1033 } 1034 #endif 1035 1036 switch (iph1->approval->authmethod) { 1037 case OAKLEY_ATTR_AUTH_METHOD_PSKEY: 1038 #ifdef ENABLE_HYBRID 1039 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R: 1040 #endif 1041 /* set SA payload to reply */ 1042 plist = isakmp_plist_append(plist, 1043 iph1->sa_ret, ISAKMP_NPTYPE_SA); 1044 1045 /* create isakmp KE payload */ 1046 plist = isakmp_plist_append(plist, 1047 iph1->dhpub, ISAKMP_NPTYPE_KE); 1048 1049 /* create isakmp NONCE payload */ 1050 plist = isakmp_plist_append(plist, 1051 iph1->nonce, ISAKMP_NPTYPE_NONCE); 1052 1053 /* create isakmp ID payload */ 1054 plist = isakmp_plist_append(plist, 1055 iph1->id, ISAKMP_NPTYPE_ID); 1056 1057 /* create isakmp HASH payload */ 1058 plist = isakmp_plist_append(plist, 1059 iph1->hash, ISAKMP_NPTYPE_HASH); 1060 1061 /* create isakmp CR payload if needed */ 1062 if (oakley_needcr(iph1->approval->authmethod)) 1063 plist = oakley_append_cr(plist, iph1); 1064 break; 1065 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: 1066 case OAKLEY_ATTR_AUTH_METHOD_RSASIG: 1067 #ifdef ENABLE_HYBRID 1068 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R: 1069 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R: 1070 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: 1071 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R: 1072 #endif 1073 /* XXX if there is CR or not ? */ 1074 1075 if (oakley_getmycert(iph1) < 0) 1076 goto end; 1077 1078 if (oakley_getsign(iph1) < 0) 1079 goto end; 1080 1081 if (iph1->cert != NULL && iph1->rmconf->send_cert) 1082 need_cert = 1; 1083 1084 /* set SA payload to reply */ 1085 plist = isakmp_plist_append(plist, 1086 iph1->sa_ret, ISAKMP_NPTYPE_SA); 1087 1088 /* create isakmp KE payload */ 1089 plist = isakmp_plist_append(plist, 1090 iph1->dhpub, ISAKMP_NPTYPE_KE); 1091 1092 /* create isakmp NONCE payload */ 1093 plist = isakmp_plist_append(plist, 1094 iph1->nonce, ISAKMP_NPTYPE_NONCE); 1095 1096 /* add ID payload */ 1097 plist = isakmp_plist_append(plist, 1098 iph1->id, ISAKMP_NPTYPE_ID); 1099 1100 /* add CERT payload if there */ 1101 if (need_cert) 1102 plist = isakmp_plist_append(plist, iph1->cert, 1103 ISAKMP_NPTYPE_CERT); 1104 1105 /* add SIG payload */ 1106 plist = isakmp_plist_append(plist, 1107 iph1->sig, ISAKMP_NPTYPE_SIG); 1108 1109 /* create isakmp CR payload if needed */ 1110 if (oakley_needcr(iph1->approval->authmethod)) 1111 plist = oakley_append_cr(plist, iph1); 1112 break; 1113 1114 case OAKLEY_ATTR_AUTH_METHOD_RSAENC: 1115 case OAKLEY_ATTR_AUTH_METHOD_RSAREV: 1116 #ifdef ENABLE_HYBRID 1117 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R: 1118 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: 1119 #endif 1120 break; 1121 #ifdef HAVE_GSSAPI 1122 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB: 1123 /* create buffer to send isakmp payload */ 1124 gsshash = gssapi_wraphash(iph1); 1125 if (gsshash == NULL) { 1126 plog(LLV_ERROR, LOCATION, NULL, 1127 "failed to wrap hash\n"); 1128 /* 1129 * This is probably due to the GSS 1130 * roundtrips not being finished yet. 1131 * Return this error in the hope that 1132 * a fallback to main mode will be done. 1133 */ 1134 isakmp_info_send_n1(iph1, 1135 ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, NULL); 1136 goto end; 1137 } 1138 if (iph1->approval->gssid != NULL) 1139 gss_sa = ipsecdoi_setph1proposal(iph1->rmconf, 1140 iph1->approval); 1141 else 1142 gss_sa = iph1->sa_ret; 1143 1144 if (gss_sa != iph1->sa_ret) 1145 free_gss_sa = 1; 1146 1147 /* set SA payload to reply */ 1148 plist = isakmp_plist_append(plist, 1149 gss_sa, ISAKMP_NPTYPE_SA); 1150 1151 /* create isakmp KE payload */ 1152 plist = isakmp_plist_append(plist, 1153 iph1->dhpub, ISAKMP_NPTYPE_KE); 1154 1155 /* create isakmp NONCE payload */ 1156 plist = isakmp_plist_append(plist, 1157 iph1->nonce, ISAKMP_NPTYPE_NONCE); 1158 1159 /* create isakmp ID payload */ 1160 plist = isakmp_plist_append(plist, 1161 iph1->id, ISAKMP_NPTYPE_ID); 1162 1163 /* create GSS payload */ 1164 if (gssapi_get_token_to_send(iph1, &gsstoken) < 0) { 1165 plog(LLV_ERROR, LOCATION, NULL, 1166 "Failed to get gssapi token.\n"); 1167 goto end; 1168 } 1169 plist = isakmp_plist_append(plist, 1170 gsstoken, ISAKMP_NPTYPE_GSS); 1171 1172 /* create isakmp HASH payload */ 1173 plist = isakmp_plist_append(plist, 1174 gsshash, ISAKMP_NPTYPE_HASH); 1175 1176 /* append vendor id, if needed */ 1177 break; 1178 #endif 1179 } 1180 1181 #ifdef ENABLE_HYBRID 1182 if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) { 1183 plog (LLV_INFO, LOCATION, NULL, "Adding xauth VID payload.\n"); 1184 if ((xauth_vid = set_vendorid(VENDORID_XAUTH)) == NULL) { 1185 plog(LLV_ERROR, LOCATION, NULL, 1186 "Cannot create Xauth vendor ID\n"); 1187 goto end; 1188 } 1189 plist = isakmp_plist_append(plist, 1190 xauth_vid, ISAKMP_NPTYPE_VID); 1191 } 1192 1193 if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_UNITY) { 1194 if ((unity_vid = set_vendorid(VENDORID_UNITY)) == NULL) { 1195 plog(LLV_ERROR, LOCATION, NULL, 1196 "Cannot create Unity vendor ID\n"); 1197 goto end; 1198 } 1199 plist = isakmp_plist_append(plist, 1200 unity_vid, ISAKMP_NPTYPE_VID); 1201 } 1202 #endif 1203 1204 #ifdef ENABLE_NATT 1205 /* append NAT-T payloads */ 1206 if (vid_natt) { 1207 /* chosen VID */ 1208 plist = isakmp_plist_append(plist, vid_natt, ISAKMP_NPTYPE_VID); 1209 /* NAT-D */ 1210 plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d); 1211 plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d); 1212 } 1213 #endif 1214 1215 #ifdef ENABLE_FRAG 1216 if (vid_frag) 1217 plist = isakmp_plist_append(plist, vid_frag, ISAKMP_NPTYPE_VID); 1218 #endif 1219 1220 #ifdef ENABLE_DPD 1221 if (vid_dpd) 1222 plist = isakmp_plist_append(plist, vid_dpd, ISAKMP_NPTYPE_VID); 1223 #endif 1224 1225 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1); 1226 1227 #ifdef HAVE_PRINT_ISAKMP_C 1228 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 1); 1229 #endif 1230 1231 /* send the packet, add to the schedule to resend */ 1232 if (isakmp_ph1send(iph1) == -1) 1233 goto end; 1234 1235 /* the sending message is added to the received-list. */ 1236 if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) { 1237 plog(LLV_ERROR , LOCATION, NULL, 1238 "failed to add a response packet to the tree.\n"); 1239 goto end; 1240 } 1241 1242 iph1->status = PHASE1ST_MSG1SENT; 1243 1244 error = 0; 1245 1246 end: 1247 #ifdef ENABLE_HYBRID 1248 if (xauth_vid) 1249 vfree(xauth_vid); 1250 if (unity_vid) 1251 vfree(unity_vid); 1252 #endif 1253 #ifdef HAVE_GSSAPI 1254 if (gsstoken) 1255 vfree(gsstoken); 1256 if (gsshash) 1257 vfree(gsshash); 1258 if (free_gss_sa) 1259 vfree(gss_sa); 1260 #endif 1261 #ifdef ENABLE_DPD 1262 if (vid_dpd) 1263 vfree(vid_dpd); 1264 #endif 1265 #ifdef ENABLE_FRAG 1266 if (vid_frag) 1267 vfree(vid_frag); 1268 #endif 1269 1270 return error; 1271 } 1272 1273 /* 1274 * receive from initiator 1275 * psk: HDR, HASH_I 1276 * gssapi: HDR, HASH_I 1277 * sig: HDR, [ CERT, ] SIG_I 1278 * rsa: HDR, HASH_I 1279 * rev: HDR, HASH_I 1280 */ 1281 int 1282 agg_r2recv(iph1, msg0) 1283 struct ph1handle *iph1; 1284 vchar_t *msg0; 1285 { 1286 vchar_t *msg = NULL; 1287 vchar_t *pbuf = NULL; 1288 struct isakmp_parse_t *pa; 1289 int error = -1, ptype; 1290 #ifdef ENABLE_NATT 1291 int natd_seq = 0; 1292 #endif 1293 1294 /* validity check */ 1295 if (iph1->status != PHASE1ST_MSG1SENT) { 1296 plog(LLV_ERROR, LOCATION, NULL, 1297 "status mismatched %d.\n", iph1->status); 1298 goto end; 1299 } 1300 1301 /* decrypting if need. */ 1302 /* XXX configurable ? */ 1303 if (ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) { 1304 msg = oakley_do_decrypt(iph1, msg0, 1305 iph1->ivm->iv, iph1->ivm->ive); 1306 if (msg == NULL) 1307 goto end; 1308 } else 1309 msg = vdup(msg0); 1310 1311 /* validate the type of next payload */ 1312 pbuf = isakmp_parse(msg); 1313 if (pbuf == NULL) 1314 goto end; 1315 1316 iph1->pl_hash = NULL; 1317 1318 for (pa = (struct isakmp_parse_t *)pbuf->v; 1319 pa->type != ISAKMP_NPTYPE_NONE; 1320 pa++) { 1321 1322 switch (pa->type) { 1323 case ISAKMP_NPTYPE_HASH: 1324 iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr; 1325 break; 1326 case ISAKMP_NPTYPE_VID: 1327 handle_vendorid(iph1, pa->ptr); 1328 break; 1329 case ISAKMP_NPTYPE_CERT: 1330 if (oakley_savecert(iph1, pa->ptr) < 0) 1331 goto end; 1332 break; 1333 case ISAKMP_NPTYPE_SIG: 1334 if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) 1335 goto end; 1336 break; 1337 case ISAKMP_NPTYPE_N: 1338 isakmp_log_notify(iph1, 1339 (struct isakmp_pl_n *) pa->ptr, 1340 "aggressive exchange"); 1341 break; 1342 1343 #ifdef ENABLE_NATT 1344 case ISAKMP_NPTYPE_NATD_DRAFT: 1345 case ISAKMP_NPTYPE_NATD_RFC: 1346 if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL && 1347 pa->type == iph1->natt_options->payload_nat_d) 1348 { 1349 vchar_t *natd_received = NULL; 1350 int natd_verified; 1351 1352 if (isakmp_p2ph (&natd_received, pa->ptr) < 0) 1353 goto end; 1354 1355 if (natd_seq == 0) 1356 iph1->natt_flags |= NAT_DETECTED; 1357 1358 natd_verified = natt_compare_addr_hash (iph1, 1359 natd_received, natd_seq++); 1360 1361 plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n", 1362 natd_seq - 1, 1363 natd_verified ? "verified" : "doesn't match"); 1364 1365 vfree (natd_received); 1366 break; 1367 } 1368 /* passthrough to default... */ 1369 #endif 1370 1371 default: 1372 /* don't send information, see isakmp_ident_r1() */ 1373 plog(LLV_ERROR, LOCATION, iph1->remote, 1374 "ignore the packet, " 1375 "received unexpecting payload type %d.\n", 1376 pa->type); 1377 goto end; 1378 } 1379 } 1380 1381 #ifdef ENABLE_NATT 1382 if (NATT_AVAILABLE(iph1)) 1383 plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n", 1384 iph1->natt_flags & NAT_DETECTED ? 1385 "detected:" : "not detected", 1386 iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "", 1387 iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : ""); 1388 #endif 1389 1390 /* validate authentication value */ 1391 ptype = oakley_validate_auth(iph1); 1392 if (ptype != 0) { 1393 if (ptype == -1) { 1394 /* message printed inner oakley_validate_auth() */ 1395 goto end; 1396 } 1397 evt_phase1(iph1, EVT_PHASE1_AUTH_FAILED, NULL); 1398 isakmp_info_send_n1(iph1, ptype, NULL); 1399 goto end; 1400 } 1401 1402 iph1->status = PHASE1ST_MSG2RECEIVED; 1403 1404 error = 0; 1405 1406 end: 1407 if (pbuf) 1408 vfree(pbuf); 1409 if (msg) 1410 vfree(msg); 1411 if (error) { 1412 VPTRINIT(iph1->cert_p); 1413 VPTRINIT(iph1->crl_p); 1414 VPTRINIT(iph1->sig_p); 1415 } 1416 1417 return error; 1418 } 1419 1420 /* 1421 * status update and establish isakmp sa. 1422 */ 1423 int 1424 agg_r2send(iph1, msg) 1425 struct ph1handle *iph1; 1426 vchar_t *msg; 1427 { 1428 int error = -1; 1429 1430 /* validity check */ 1431 if (iph1->status != PHASE1ST_MSG2RECEIVED) { 1432 plog(LLV_ERROR, LOCATION, NULL, 1433 "status mismatched %d.\n", iph1->status); 1434 goto end; 1435 } 1436 1437 /* IV synchronized when packet encrypted. */ 1438 /* see handler.h about IV synchronization. */ 1439 if (ISSET(((struct isakmp *)msg->v)->flags, ISAKMP_FLAG_E)) 1440 memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->iv->l); 1441 1442 /* set encryption flag */ 1443 iph1->flags |= ISAKMP_FLAG_E; 1444 1445 iph1->status = PHASE1ST_ESTABLISHED; 1446 1447 error = 0; 1448 1449 end: 1450 return error; 1451 } 1452
