1 /* $NetBSD: isakmp_agg.c,v 1.9 2006/09/30 21:49:37 manu Exp $ */ 2 3 /* Id: isakmp_agg.c,v 1.28 2006/04/06 16:46:08 manubsd Exp */ 4 5 /* 6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of the project nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 /* Aggressive Exchange (Aggressive Mode) */ 35 36 #include "config.h" 37 38 #include <sys/types.h> 39 #include <sys/param.h> 40 41 #include <stdlib.h> 42 #include <stdio.h> 43 #include <string.h> 44 #include <errno.h> 45 #if TIME_WITH_SYS_TIME 46 # include <sys/time.h> 47 # include <time.h> 48 #else 49 # if HAVE_SYS_TIME_H 50 # include <sys/time.h> 51 # else 52 # include <time.h> 53 # endif 54 #endif 55 56 #include "var.h" 57 #include "misc.h" 58 #include "vmbuf.h" 59 #include "plog.h" 60 #include "sockmisc.h" 61 #include "schedule.h" 62 #include "debug.h" 63 64 #ifdef ENABLE_HYBRID 65 #include <resolv.h> 66 #endif 67 68 #include "localconf.h" 69 #include "remoteconf.h" 70 #include "isakmp_var.h" 71 #include "isakmp.h" 72 #include "evt.h" 73 #include "oakley.h" 74 #include "handler.h" 75 #include "ipsec_doi.h" 76 #include "crypto_openssl.h" 77 #include "pfkey.h" 78 #include "isakmp_agg.h" 79 #include "isakmp_inf.h" 80 #ifdef ENABLE_HYBRID 81 #include "isakmp_xauth.h" 82 #include "isakmp_cfg.h" 83 #endif 84 #ifdef ENABLE_FRAG 85 #include "isakmp_frag.h" 86 #endif 87 #include "vendorid.h" 88 #include "strnames.h" 89 90 #ifdef ENABLE_NATT 91 #include "nattraversal.h" 92 #endif 93 94 #ifdef HAVE_GSSAPI 95 #include "gssapi.h" 96 #endif 97 98 /* 99 * begin Aggressive Mode as initiator. 100 */ 101 /* 102 * send to responder 103 * psk: HDR, SA, KE, Ni, IDi1 104 * sig: HDR, SA, KE, Ni, IDi1 [, CR ] 105 * gssapi: HDR, SA, KE, Ni, IDi1, GSSi 106 * rsa: HDR, SA, [ HASH(1),] KE, <IDi1_b>Pubkey_r, <Ni_b>Pubkey_r 107 * rev: HDR, SA, [ HASH(1),] <Ni_b>Pubkey_r, <KE_b>Ke_i, 108 * <IDii_b>Ke_i [, <Cert-I_b>Ke_i ] 109 */ 110 int 111 agg_i1send(iph1, msg) 112 struct ph1handle *iph1; 113 vchar_t *msg; /* must be null */ 114 { 115 struct payload_list *plist = NULL; 116 int need_cr = 0; 117 vchar_t *cr = NULL; 118 int error = -1; 119 #ifdef ENABLE_NATT 120 vchar_t *vid_natt[MAX_NATT_VID_COUNT] = { NULL }; 121 int i; 122 #endif 123 #ifdef ENABLE_HYBRID 124 vchar_t *vid_xauth = NULL; 125 vchar_t *vid_unity = NULL; 126 #endif 127 #ifdef ENABLE_FRAG 128 vchar_t *vid_frag = NULL; 129 #endif 130 #ifdef HAVE_GSSAPI 131 vchar_t *gsstoken = NULL; 132 int len; 133 #endif 134 #ifdef ENABLE_DPD 135 vchar_t *vid_dpd = NULL; 136 #endif 137 138 139 /* validity check */ 140 if (msg != NULL) { 141 plog(LLV_ERROR, LOCATION, NULL, 142 "msg has to be NULL in this function.\n"); 143 goto end; 144 } 145 if (iph1->status != PHASE1ST_START) { 146 plog(LLV_ERROR, LOCATION, NULL, 147 "status mismatched %d.\n", iph1->status); 148 goto end; 149 } 150 151 /* create isakmp index */ 152 memset(&iph1->index, 0, sizeof(iph1->index)); 153 isakmp_newcookie((caddr_t)&iph1->index, iph1->remote, iph1->local); 154 155 /* make ID payload into isakmp status */ 156 if (ipsecdoi_setid1(iph1) < 0) 157 goto end; 158 159 /* create SA payload for my proposal */ 160 iph1->sa = ipsecdoi_setph1proposal(iph1->rmconf->proposal); 161 if (iph1->sa == NULL) 162 goto end; 163 164 /* consistency check of proposals */ 165 if (iph1->rmconf->dhgrp == NULL) { 166 plog(LLV_ERROR, LOCATION, NULL, 167 "configuration failure about DH group.\n"); 168 goto end; 169 } 170 171 /* generate DH public value */ 172 if (oakley_dh_generate(iph1->rmconf->dhgrp, 173 &iph1->dhpub, &iph1->dhpriv) < 0) 174 goto end; 175 176 /* generate NONCE value */ 177 iph1->nonce = eay_set_random(iph1->rmconf->nonce_size); 178 if (iph1->nonce == NULL) 179 goto end; 180 181 #ifdef ENABLE_HYBRID 182 /* Do we need Xauth VID? */ 183 switch (RMAUTHMETHOD(iph1)) { 184 case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I: 185 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: 186 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: 187 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: 188 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: 189 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I: 190 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I: 191 if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL) 192 plog(LLV_ERROR, LOCATION, NULL, 193 "Xauth vendor ID generation failed\n"); 194 if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL) 195 plog(LLV_ERROR, LOCATION, NULL, 196 "Unity vendor ID generation failed\n"); 197 break; 198 default: 199 break; 200 } 201 #endif 202 203 #ifdef ENABLE_FRAG 204 if (iph1->rmconf->ike_frag) { 205 vid_frag = set_vendorid(VENDORID_FRAG); 206 if (vid_frag != NULL) 207 vid_frag = isakmp_frag_addcap(vid_frag, 208 VENDORID_FRAG_AGG); 209 if (vid_frag == NULL) 210 plog(LLV_ERROR, LOCATION, NULL, 211 "Frag vendorID construction failed\n"); 212 } 213 #endif 214 215 /* create CR if need */ 216 if (iph1->rmconf->send_cr 217 && oakley_needcr(iph1->rmconf->proposal->authmethod) 218 && iph1->rmconf->peerscertfile == NULL) { 219 need_cr = 1; 220 cr = oakley_getcr(iph1); 221 if (cr == NULL) { 222 plog(LLV_ERROR, LOCATION, NULL, 223 "failed to get cr buffer.\n"); 224 goto end; 225 } 226 } 227 228 plog(LLV_DEBUG, LOCATION, NULL, "authmethod is %s\n", 229 s_oakley_attr_method(iph1->rmconf->proposal->authmethod)); 230 #ifdef HAVE_GSSAPI 231 if (RMAUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) 232 gssapi_get_itoken(iph1, &len); 233 #endif 234 235 /* set SA payload to propose */ 236 plist = isakmp_plist_append(plist, iph1->sa, ISAKMP_NPTYPE_SA); 237 238 /* create isakmp KE payload */ 239 plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE); 240 241 /* create isakmp NONCE payload */ 242 plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE); 243 244 /* create isakmp ID payload */ 245 plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID); 246 247 #ifdef HAVE_GSSAPI 248 if (RMAUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) { 249 gssapi_get_token_to_send(iph1, &gsstoken); 250 plist = isakmp_plist_append(plist, gsstoken, ISAKMP_NPTYPE_GSS); 251 } 252 #endif 253 /* create isakmp CR payload */ 254 if (need_cr) 255 plist = isakmp_plist_append(plist, cr, ISAKMP_NPTYPE_CR); 256 257 #ifdef ENABLE_FRAG 258 if (vid_frag) 259 plist = isakmp_plist_append(plist, vid_frag, ISAKMP_NPTYPE_VID); 260 #endif 261 #ifdef ENABLE_NATT 262 /* 263 * set VID payload for NAT-T if NAT-T 264 * support allowed in the config file 265 */ 266 if (iph1->rmconf->nat_traversal) 267 plist = isakmp_plist_append_natt_vids(plist, vid_natt); 268 #endif 269 #ifdef ENABLE_HYBRID 270 if (vid_xauth) 271 plist = isakmp_plist_append(plist, 272 vid_xauth, ISAKMP_NPTYPE_VID); 273 if (vid_unity) 274 plist = isakmp_plist_append(plist, 275 vid_unity, ISAKMP_NPTYPE_VID); 276 #endif 277 #ifdef ENABLE_DPD 278 if(iph1->rmconf->dpd){ 279 vid_dpd = set_vendorid(VENDORID_DPD); 280 if (vid_dpd != NULL) 281 plist = isakmp_plist_append(plist, vid_dpd, ISAKMP_NPTYPE_VID); 282 } 283 #endif 284 285 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1); 286 287 #ifdef HAVE_PRINT_ISAKMP_C 288 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0); 289 #endif 290 291 /* send the packet, add to the schedule to resend */ 292 iph1->retry_counter = iph1->rmconf->retry_counter; 293 if (isakmp_ph1resend(iph1) == -1) 294 goto end; 295 296 iph1->status = PHASE1ST_MSG1SENT; 297 298 error = 0; 299 300 end: 301 if (cr) 302 vfree(cr); 303 #ifdef HAVE_GSSAPI 304 if (gsstoken) 305 vfree(gsstoken); 306 #endif 307 #ifdef ENABLE_FRAG 308 if (vid_frag) 309 vfree(vid_frag); 310 #endif 311 #ifdef ENABLE_NATT 312 for (i = 0; i < MAX_NATT_VID_COUNT && vid_natt[i] != NULL; i++) 313 vfree(vid_natt[i]); 314 #endif 315 #ifdef ENABLE_HYBRID 316 if (vid_xauth != NULL) 317 vfree(vid_xauth); 318 if (vid_unity != NULL) 319 vfree(vid_unity); 320 #endif 321 #ifdef ENABLE_DPD 322 if (vid_dpd != NULL) 323 vfree(vid_dpd); 324 #endif 325 326 return error; 327 } 328 329 /* 330 * receive from responder 331 * psk: HDR, SA, KE, Nr, IDr1, HASH_R 332 * sig: HDR, SA, KE, Nr, IDr1, [ CR, ] [ CERT, ] SIG_R 333 * gssapi: HDR, SA, KE, Nr, IDr1, GSSr, HASH_R 334 * rsa: HDR, SA, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i, HASH_R 335 * rev: HDR, SA, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDir_b>Ke_r, HASH_R 336 */ 337 int 338 agg_i2recv(iph1, msg) 339 struct ph1handle *iph1; 340 vchar_t *msg; 341 { 342 vchar_t *pbuf = NULL; 343 struct isakmp_parse_t *pa; 344 vchar_t *satmp = NULL; 345 int error = -1; 346 int vid_numeric; 347 int ptype; 348 #ifdef ENABLE_HYBRID 349 vchar_t *unity_vid; 350 vchar_t *xauth_vid; 351 #endif 352 #ifdef HAVE_GSSAPI 353 vchar_t *gsstoken = NULL; 354 #endif 355 356 #ifdef ENABLE_NATT 357 int natd_seq = 0; 358 struct natd_payload { 359 int seq; 360 vchar_t *payload; 361 TAILQ_ENTRY(natd_payload) chain; 362 }; 363 TAILQ_HEAD(_natd_payload, natd_payload) natd_tree; 364 TAILQ_INIT(&natd_tree); 365 #endif 366 367 /* validity check */ 368 if (iph1->status != PHASE1ST_MSG1SENT) { 369 plog(LLV_ERROR, LOCATION, NULL, 370 "status mismatched %d.\n", iph1->status); 371 goto end; 372 } 373 374 /* validate the type of next payload */ 375 pbuf = isakmp_parse(msg); 376 if (pbuf == NULL) 377 goto end; 378 pa = (struct isakmp_parse_t *)pbuf->v; 379 380 iph1->pl_hash = NULL; 381 382 /* SA payload is fixed postion */ 383 if (pa->type != ISAKMP_NPTYPE_SA) { 384 plog(LLV_ERROR, LOCATION, iph1->remote, 385 "received invalid next payload type %d, " 386 "expecting %d.\n", 387 pa->type, ISAKMP_NPTYPE_SA); 388 goto end; 389 } 390 391 if (isakmp_p2ph(&satmp, pa->ptr) < 0) 392 goto end; 393 pa++; 394 395 for (/*nothing*/; 396 pa->type != ISAKMP_NPTYPE_NONE; 397 pa++) { 398 399 switch (pa->type) { 400 case ISAKMP_NPTYPE_KE: 401 if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) 402 goto end; 403 break; 404 case ISAKMP_NPTYPE_NONCE: 405 if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) 406 goto end; 407 break; 408 case ISAKMP_NPTYPE_ID: 409 if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) 410 goto end; 411 break; 412 case ISAKMP_NPTYPE_HASH: 413 iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr; 414 break; 415 case ISAKMP_NPTYPE_CR: 416 if (oakley_savecr(iph1, pa->ptr) < 0) 417 goto end; 418 break; 419 case ISAKMP_NPTYPE_CERT: 420 if (oakley_savecert(iph1, pa->ptr) < 0) 421 goto end; 422 break; 423 case ISAKMP_NPTYPE_SIG: 424 if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) 425 goto end; 426 break; 427 case ISAKMP_NPTYPE_VID: 428 handle_vendorid(iph1, pa->ptr); 429 break; 430 case ISAKMP_NPTYPE_N: 431 isakmp_check_notify(pa->ptr, iph1); 432 break; 433 #ifdef HAVE_GSSAPI 434 case ISAKMP_NPTYPE_GSS: 435 if (isakmp_p2ph(&gsstoken, pa->ptr) < 0) 436 goto end; 437 gssapi_save_received_token(iph1, gsstoken); 438 break; 439 #endif 440 441 #ifdef ENABLE_NATT 442 case ISAKMP_NPTYPE_NATD_DRAFT: 443 case ISAKMP_NPTYPE_NATD_RFC: 444 if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL && 445 pa->type == iph1->natt_options->payload_nat_d) { 446 struct natd_payload *natd; 447 natd = (struct natd_payload *)racoon_malloc(sizeof(*natd)); 448 if (!natd) 449 goto end; 450 451 natd->payload = NULL; 452 453 if (isakmp_p2ph (&natd->payload, pa->ptr) < 0) 454 goto end; 455 456 natd->seq = natd_seq++; 457 458 TAILQ_INSERT_TAIL(&natd_tree, natd, chain); 459 break; 460 } 461 /* passthrough to default... */ 462 #endif 463 464 default: 465 /* don't send information, see isakmp_ident_r1() */ 466 plog(LLV_ERROR, LOCATION, iph1->remote, 467 "ignore the packet, " 468 "received unexpecting payload type %d.\n", 469 pa->type); 470 goto end; 471 } 472 } 473 474 /* payload existency check */ 475 if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) { 476 plog(LLV_ERROR, LOCATION, iph1->remote, 477 "few isakmp message received.\n"); 478 goto end; 479 } 480 481 /* verify identifier */ 482 if (ipsecdoi_checkid1(iph1) != 0) { 483 plog(LLV_ERROR, LOCATION, iph1->remote, 484 "invalid ID payload.\n"); 485 goto end; 486 } 487 488 /* check SA payload and set approval SA for use */ 489 if (ipsecdoi_checkph1proposal(satmp, iph1) < 0) { 490 plog(LLV_ERROR, LOCATION, iph1->remote, 491 "failed to get valid proposal.\n"); 492 /* XXX send information */ 493 goto end; 494 } 495 VPTRINIT(iph1->sa_ret); 496 497 /* fix isakmp index */ 498 memcpy(&iph1->index.r_ck, &((struct isakmp *)msg->v)->r_ck, 499 sizeof(cookie_t)); 500 501 #ifdef ENABLE_NATT 502 if (NATT_AVAILABLE(iph1)) { 503 struct natd_payload *natd = NULL; 504 int natd_verified; 505 506 plog(LLV_INFO, LOCATION, iph1->remote, 507 "Selected NAT-T version: %s\n", 508 vid_string_by_id(iph1->natt_options->version)); 509 510 /* set both bits first so that we can clear them 511 upon verifying hashes */ 512 iph1->natt_flags |= NAT_DETECTED; 513 514 while ((natd = TAILQ_FIRST(&natd_tree)) != NULL) { 515 /* this function will clear appropriate bits bits 516 from iph1->natt_flags */ 517 natd_verified = natt_compare_addr_hash (iph1, 518 natd->payload, natd->seq); 519 520 plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n", 521 natd->seq - 1, 522 natd_verified ? "verified" : "doesn't match"); 523 524 vfree (natd->payload); 525 526 TAILQ_REMOVE(&natd_tree, natd, chain); 527 racoon_free (natd); 528 } 529 530 plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n", 531 iph1->natt_flags & NAT_DETECTED ? 532 "detected:" : "not detected", 533 iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "", 534 iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : ""); 535 536 if (iph1->natt_flags & NAT_DETECTED) 537 natt_float_ports (iph1); 538 } 539 #endif 540 541 /* compute sharing secret of DH */ 542 if (oakley_dh_compute(iph1->rmconf->dhgrp, iph1->dhpub, 543 iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) 544 goto end; 545 546 /* generate SKEYIDs & IV & final cipher key */ 547 if (oakley_skeyid(iph1) < 0) 548 goto end; 549 if (oakley_skeyid_dae(iph1) < 0) 550 goto end; 551 if (oakley_compute_enckey(iph1) < 0) 552 goto end; 553 if (oakley_newiv(iph1) < 0) 554 goto end; 555 556 /* validate authentication value */ 557 ptype = oakley_validate_auth(iph1); 558 if (ptype != 0) { 559 if (ptype == -1) { 560 /* message printed inner oakley_validate_auth() */ 561 goto end; 562 } 563 EVT_PUSH(iph1->local, iph1->remote, 564 EVTT_PEERPH1AUTH_FAILED, NULL); 565 isakmp_info_send_n1(iph1, ptype, NULL); 566 goto end; 567 } 568 569 if (oakley_checkcr(iph1) < 0) { 570 /* Ignore this error in order to be interoperability. */ 571 ; 572 } 573 574 /* change status of isakmp status entry */ 575 iph1->status = PHASE1ST_MSG2RECEIVED; 576 577 error = 0; 578 579 end: 580 #ifdef HAVE_GSSAPI 581 if (gsstoken) 582 vfree(gsstoken); 583 #endif 584 if (pbuf) 585 vfree(pbuf); 586 if (satmp) 587 vfree(satmp); 588 if (error) { 589 VPTRINIT(iph1->dhpub_p); 590 VPTRINIT(iph1->nonce_p); 591 VPTRINIT(iph1->id_p); 592 oakley_delcert(iph1->cert_p); 593 iph1->cert_p = NULL; 594 oakley_delcert(iph1->crl_p); 595 iph1->crl_p = NULL; 596 VPTRINIT(iph1->sig_p); 597 oakley_delcert(iph1->cr_p); 598 iph1->cr_p = NULL; 599 } 600 601 return error; 602 } 603 604 /* 605 * send to responder 606 * psk: HDR, HASH_I 607 * gssapi: HDR, HASH_I 608 * sig: HDR, [ CERT, ] SIG_I 609 * rsa: HDR, HASH_I 610 * rev: HDR, HASH_I 611 */ 612 int 613 agg_i2send(iph1, msg) 614 struct ph1handle *iph1; 615 vchar_t *msg; 616 { 617 struct payload_list *plist = NULL; 618 int need_cert = 0; 619 int error = -1; 620 vchar_t *gsshash = NULL; 621 622 /* validity check */ 623 if (iph1->status != PHASE1ST_MSG2RECEIVED) { 624 plog(LLV_ERROR, LOCATION, NULL, 625 "status mismatched %d.\n", iph1->status); 626 goto end; 627 } 628 629 /* generate HASH to send */ 630 plog(LLV_DEBUG, LOCATION, NULL, "generate HASH_I\n"); 631 iph1->hash = oakley_ph1hash_common(iph1, GENERATE); 632 if (iph1->hash == NULL) { 633 #ifdef HAVE_GSSAPI 634 if (gssapi_more_tokens(iph1) && 635 #ifdef ENABLE_HYBRID 636 !iph1->rmconf->xauth && 637 #endif 638 1) 639 isakmp_info_send_n1(iph1, 640 ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, NULL); 641 #endif 642 goto end; 643 } 644 645 switch (AUTHMETHOD(iph1)) { 646 case OAKLEY_ATTR_AUTH_METHOD_PSKEY: 647 #ifdef ENABLE_HYBRID 648 case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I: 649 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: 650 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: 651 #endif 652 /* set HASH payload */ 653 plist = isakmp_plist_append(plist, 654 iph1->hash, ISAKMP_NPTYPE_HASH); 655 break; 656 657 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: 658 case OAKLEY_ATTR_AUTH_METHOD_RSASIG: 659 #ifdef ENABLE_HYBRID 660 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: 661 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: 662 #endif 663 /* XXX if there is CR or not ? */ 664 665 if (oakley_getmycert(iph1) < 0) 666 goto end; 667 668 if (oakley_getsign(iph1) < 0) 669 goto end; 670 671 if (iph1->cert != NULL && iph1->rmconf->send_cert) 672 need_cert = 1; 673 674 /* add CERT payload if there */ 675 if (need_cert) 676 plist = isakmp_plist_append(plist, 677 iph1->cert->pl, ISAKMP_NPTYPE_CERT); 678 679 /* add SIG payload */ 680 plist = isakmp_plist_append(plist, 681 iph1->sig, ISAKMP_NPTYPE_SIG); 682 break; 683 684 case OAKLEY_ATTR_AUTH_METHOD_RSAENC: 685 case OAKLEY_ATTR_AUTH_METHOD_RSAREV: 686 #ifdef ENABLE_HYBRID 687 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I: 688 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I: 689 #endif 690 break; 691 #ifdef HAVE_GSSAPI 692 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB: 693 gsshash = gssapi_wraphash(iph1); 694 if (gsshash == NULL) { 695 plog(LLV_ERROR, LOCATION, NULL, 696 "failed to wrap hash\n"); 697 isakmp_info_send_n1(iph1, 698 ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, NULL); 699 goto end; 700 } 701 702 plist = isakmp_plist_append(plist, 703 gsshash, ISAKMP_NPTYPE_HASH); 704 break; 705 #endif 706 } 707 708 #ifdef ENABLE_NATT 709 /* generate NAT-D payloads */ 710 if (NATT_AVAILABLE(iph1)) { 711 vchar_t *natd[2] = { NULL, NULL }; 712 713 plog(LLV_INFO, LOCATION, 714 NULL, "Adding remote and local NAT-D payloads.\n"); 715 716 if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) { 717 plog(LLV_ERROR, LOCATION, NULL, 718 "NAT-D hashing failed for %s\n", 719 saddr2str(iph1->remote)); 720 goto end; 721 } 722 723 if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) { 724 plog(LLV_ERROR, LOCATION, NULL, 725 "NAT-D hashing failed for %s\n", 726 saddr2str(iph1->local)); 727 goto end; 728 } 729 730 plist = isakmp_plist_append(plist, 731 natd[0], iph1->natt_options->payload_nat_d); 732 plist = isakmp_plist_append(plist, 733 natd[1], iph1->natt_options->payload_nat_d); 734 } 735 #endif 736 737 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1); 738 739 #ifdef HAVE_PRINT_ISAKMP_C 740 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0); 741 #endif 742 743 /* send to responder */ 744 if (isakmp_send(iph1, iph1->sendbuf) < 0) 745 goto end; 746 747 /* the sending message is added to the received-list. */ 748 if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) { 749 plog(LLV_ERROR , LOCATION, NULL, 750 "failed to add a response packet to the tree.\n"); 751 goto end; 752 } 753 754 /* set encryption flag */ 755 iph1->flags |= ISAKMP_FLAG_E; 756 757 iph1->status = PHASE1ST_ESTABLISHED; 758 759 error = 0; 760 761 end: 762 if (gsshash) 763 vfree(gsshash); 764 return error; 765 } 766 767 /* 768 * receive from initiator 769 * psk: HDR, SA, KE, Ni, IDi1 770 * sig: HDR, SA, KE, Ni, IDi1 [, CR ] 771 * gssapi: HDR, SA, KE, Ni, IDi1 , GSSi 772 * rsa: HDR, SA, [ HASH(1),] KE, <IDi1_b>Pubkey_r, <Ni_b>Pubkey_r 773 * rev: HDR, SA, [ HASH(1),] <Ni_b>Pubkey_r, <KE_b>Ke_i, 774 * <IDii_b>Ke_i [, <Cert-I_b>Ke_i ] 775 */ 776 int 777 agg_r1recv(iph1, msg) 778 struct ph1handle *iph1; 779 vchar_t *msg; 780 { 781 int error = -1; 782 vchar_t *pbuf = NULL; 783 struct isakmp_parse_t *pa; 784 int vid_numeric; 785 #ifdef HAVE_GSSAPI 786 vchar_t *gsstoken = NULL; 787 #endif 788 789 /* validity check */ 790 if (iph1->status != PHASE1ST_START) { 791 plog(LLV_ERROR, LOCATION, NULL, 792 "status mismatched %d.\n", iph1->status); 793 goto end; 794 } 795 796 /* validate the type of next payload */ 797 pbuf = isakmp_parse(msg); 798 if (pbuf == NULL) 799 goto end; 800 pa = (struct isakmp_parse_t *)pbuf->v; 801 802 /* SA payload is fixed postion */ 803 if (pa->type != ISAKMP_NPTYPE_SA) { 804 plog(LLV_ERROR, LOCATION, iph1->remote, 805 "received invalid next payload type %d, " 806 "expecting %d.\n", 807 pa->type, ISAKMP_NPTYPE_SA); 808 goto end; 809 } 810 if (isakmp_p2ph(&iph1->sa, pa->ptr) < 0) 811 goto end; 812 pa++; 813 814 for (/*nothing*/; 815 pa->type != ISAKMP_NPTYPE_NONE; 816 pa++) { 817 818 plog(LLV_DEBUG, LOCATION, NULL, 819 "received payload of type %s\n", 820 s_isakmp_nptype(pa->type)); 821 822 switch (pa->type) { 823 case ISAKMP_NPTYPE_KE: 824 if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) 825 goto end; 826 break; 827 case ISAKMP_NPTYPE_NONCE: 828 if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) 829 goto end; 830 break; 831 case ISAKMP_NPTYPE_ID: 832 if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) 833 goto end; 834 break; 835 case ISAKMP_NPTYPE_VID: 836 vid_numeric = handle_vendorid(iph1, pa->ptr); 837 #ifdef ENABLE_FRAG 838 if ((vid_numeric == VENDORID_FRAG) && 839 (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_AGG)) 840 iph1->frag = 1; 841 #endif 842 break; 843 844 case ISAKMP_NPTYPE_CR: 845 if (oakley_savecr(iph1, pa->ptr) < 0) 846 goto end; 847 break; 848 849 #ifdef HAVE_GSSAPI 850 case ISAKMP_NPTYPE_GSS: 851 if (isakmp_p2ph(&gsstoken, pa->ptr) < 0) 852 goto end; 853 gssapi_save_received_token(iph1, gsstoken); 854 break; 855 #endif 856 default: 857 /* don't send information, see isakmp_ident_r1() */ 858 plog(LLV_ERROR, LOCATION, iph1->remote, 859 "ignore the packet, " 860 "received unexpecting payload type %d.\n", 861 pa->type); 862 goto end; 863 } 864 } 865 866 /* payload existency check */ 867 if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) { 868 plog(LLV_ERROR, LOCATION, iph1->remote, 869 "few isakmp message received.\n"); 870 goto end; 871 } 872 873 /* verify identifier */ 874 if (ipsecdoi_checkid1(iph1) != 0) { 875 plog(LLV_ERROR, LOCATION, iph1->remote, 876 "invalid ID payload.\n"); 877 goto end; 878 } 879 880 #ifdef ENABLE_NATT 881 if (NATT_AVAILABLE(iph1)) 882 plog(LLV_INFO, LOCATION, iph1->remote, 883 "Selected NAT-T version: %s\n", 884 vid_string_by_id(iph1->natt_options->version)); 885 #endif 886 887 /* check SA payload and set approval SA for use */ 888 if (ipsecdoi_checkph1proposal(iph1->sa, iph1) < 0) { 889 plog(LLV_ERROR, LOCATION, iph1->remote, 890 "failed to get valid proposal.\n"); 891 /* XXX send information */ 892 goto end; 893 } 894 895 if (oakley_checkcr(iph1) < 0) { 896 /* Ignore this error in order to be interoperability. */ 897 ; 898 } 899 900 iph1->status = PHASE1ST_MSG1RECEIVED; 901 902 error = 0; 903 904 end: 905 #ifdef HAVE_GSSAPI 906 if (gsstoken) 907 vfree(gsstoken); 908 #endif 909 if (pbuf) 910 vfree(pbuf); 911 if (error) { 912 VPTRINIT(iph1->sa); 913 VPTRINIT(iph1->dhpub_p); 914 VPTRINIT(iph1->nonce_p); 915 VPTRINIT(iph1->id_p); 916 oakley_delcert(iph1->cr_p); 917 iph1->cr_p = NULL; 918 } 919 920 return error; 921 } 922 923 /* 924 * send to initiator 925 * psk: HDR, SA, KE, Nr, IDr1, HASH_R 926 * sig: HDR, SA, KE, Nr, IDr1, [ CR, ] [ CERT, ] SIG_R 927 * gssapi: HDR, SA, KE, Nr, IDr1, GSSr, HASH_R 928 * rsa: HDR, SA, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i, HASH_R 929 * rev: HDR, SA, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDir_b>Ke_r, HASH_R 930 */ 931 int 932 agg_r1send(iph1, msg) 933 struct ph1handle *iph1; 934 vchar_t *msg; 935 { 936 struct payload_list *plist = NULL; 937 int need_cr = 0; 938 int need_cert = 0; 939 vchar_t *cr = NULL; 940 int error = -1; 941 #ifdef ENABLE_HYBRID 942 vchar_t *xauth_vid = NULL; 943 vchar_t *unity_vid = NULL; 944 #endif 945 #ifdef ENABLE_NATT 946 vchar_t *vid_natt = NULL; 947 vchar_t *natd[2] = { NULL, NULL }; 948 #endif 949 #ifdef ENABLE_DPD 950 vchar_t *vid_dpd = NULL; 951 #endif 952 #ifdef ENABLE_FRAG 953 vchar_t *vid_frag = NULL; 954 #endif 955 956 #ifdef HAVE_GSSAPI 957 int gsslen; 958 vchar_t *gsstoken = NULL, *gsshash = NULL; 959 vchar_t *gss_sa = NULL; 960 int free_gss_sa = 0; 961 #endif 962 963 /* validity check */ 964 if (iph1->status != PHASE1ST_MSG1RECEIVED) { 965 plog(LLV_ERROR, LOCATION, NULL, 966 "status mismatched %d.\n", iph1->status); 967 goto end; 968 } 969 970 /* set responder's cookie */ 971 isakmp_newcookie((caddr_t)&iph1->index.r_ck, iph1->remote, iph1->local); 972 973 /* make ID payload into isakmp status */ 974 if (ipsecdoi_setid1(iph1) < 0) 975 goto end; 976 977 /* generate DH public value */ 978 if (oakley_dh_generate(iph1->rmconf->dhgrp, 979 &iph1->dhpub, &iph1->dhpriv) < 0) 980 goto end; 981 982 /* generate NONCE value */ 983 iph1->nonce = eay_set_random(iph1->rmconf->nonce_size); 984 if (iph1->nonce == NULL) 985 goto end; 986 987 /* compute sharing secret of DH */ 988 if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub, 989 iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) 990 goto end; 991 992 /* generate SKEYIDs & IV & final cipher key */ 993 if (oakley_skeyid(iph1) < 0) 994 goto end; 995 if (oakley_skeyid_dae(iph1) < 0) 996 goto end; 997 if (oakley_compute_enckey(iph1) < 0) 998 goto end; 999 if (oakley_newiv(iph1) < 0) 1000 goto end; 1001 1002 #ifdef HAVE_GSSAPI 1003 if (RMAUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) 1004 gssapi_get_rtoken(iph1, &gsslen); 1005 #endif 1006 1007 /* generate HASH to send */ 1008 plog(LLV_DEBUG, LOCATION, NULL, "generate HASH_R\n"); 1009 iph1->hash = oakley_ph1hash_common(iph1, GENERATE); 1010 if (iph1->hash == NULL) { 1011 #ifdef HAVE_GSSAPI 1012 if (gssapi_more_tokens(iph1)) 1013 isakmp_info_send_n1(iph1, 1014 ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, NULL); 1015 #endif 1016 goto end; 1017 } 1018 1019 /* create CR if need */ 1020 if (iph1->rmconf->send_cr 1021 && oakley_needcr(iph1->approval->authmethod) 1022 && iph1->rmconf->peerscertfile == NULL) { 1023 need_cr = 1; 1024 cr = oakley_getcr(iph1); 1025 if (cr == NULL) { 1026 plog(LLV_ERROR, LOCATION, NULL, 1027 "failed to get cr buffer.\n"); 1028 goto end; 1029 } 1030 } 1031 1032 #ifdef ENABLE_NATT 1033 /* Has the peer announced NAT-T? */ 1034 if (NATT_AVAILABLE(iph1)) { 1035 /* set chosen VID */ 1036 vid_natt = set_vendorid(iph1->natt_options->version); 1037 1038 /* generate NAT-D payloads */ 1039 plog (LLV_INFO, LOCATION, NULL, "Adding remote and local NAT-D payloads.\n"); 1040 if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) { 1041 plog(LLV_ERROR, LOCATION, NULL, 1042 "NAT-D hashing failed for %s\n", saddr2str(iph1->remote)); 1043 goto end; 1044 } 1045 1046 if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) { 1047 plog(LLV_ERROR, LOCATION, NULL, 1048 "NAT-D hashing failed for %s\n", saddr2str(iph1->local)); 1049 goto end; 1050 } 1051 } 1052 #endif 1053 #ifdef ENABLE_DPD 1054 /* Only send DPD support if remote announced DPD and if DPD support is active */ 1055 if (iph1->dpd_support && iph1->rmconf->dpd) 1056 vid_dpd = set_vendorid(VENDORID_DPD); 1057 #endif 1058 #ifdef ENABLE_FRAG 1059 if (iph1->frag) { 1060 vid_frag = set_vendorid(VENDORID_FRAG); 1061 if (vid_frag != NULL) 1062 vid_frag = isakmp_frag_addcap(vid_frag, 1063 VENDORID_FRAG_AGG); 1064 if (vid_frag == NULL) 1065 plog(LLV_ERROR, LOCATION, NULL, 1066 "Frag vendorID construction failed\n"); 1067 } 1068 #endif 1069 1070 switch (AUTHMETHOD(iph1)) { 1071 case OAKLEY_ATTR_AUTH_METHOD_PSKEY: 1072 #ifdef ENABLE_HYBRID 1073 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R: 1074 #endif 1075 /* set SA payload to reply */ 1076 plist = isakmp_plist_append(plist, 1077 iph1->sa_ret, ISAKMP_NPTYPE_SA); 1078 1079 /* create isakmp KE payload */ 1080 plist = isakmp_plist_append(plist, 1081 iph1->dhpub, ISAKMP_NPTYPE_KE); 1082 1083 /* create isakmp NONCE payload */ 1084 plist = isakmp_plist_append(plist, 1085 iph1->nonce, ISAKMP_NPTYPE_NONCE); 1086 1087 /* create isakmp ID payload */ 1088 plist = isakmp_plist_append(plist, 1089 iph1->id, ISAKMP_NPTYPE_ID); 1090 1091 /* create isakmp HASH payload */ 1092 plist = isakmp_plist_append(plist, 1093 iph1->hash, ISAKMP_NPTYPE_HASH); 1094 1095 /* create isakmp CR payload if needed */ 1096 if (need_cr) 1097 plist = isakmp_plist_append(plist, 1098 cr, ISAKMP_NPTYPE_CR); 1099 break; 1100 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: 1101 case OAKLEY_ATTR_AUTH_METHOD_RSASIG: 1102 #ifdef ENABLE_HYBRID 1103 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R: 1104 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R: 1105 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: 1106 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R: 1107 #endif 1108 /* XXX if there is CR or not ? */ 1109 1110 if (oakley_getmycert(iph1) < 0) 1111 goto end; 1112 1113 if (oakley_getsign(iph1) < 0) 1114 goto end; 1115 1116 if (iph1->cert != NULL && iph1->rmconf->send_cert) 1117 need_cert = 1; 1118 1119 /* set SA payload to reply */ 1120 plist = isakmp_plist_append(plist, 1121 iph1->sa_ret, ISAKMP_NPTYPE_SA); 1122 1123 /* create isakmp KE payload */ 1124 plist = isakmp_plist_append(plist, 1125 iph1->dhpub, ISAKMP_NPTYPE_KE); 1126 1127 /* create isakmp NONCE payload */ 1128 plist = isakmp_plist_append(plist, 1129 iph1->nonce, ISAKMP_NPTYPE_NONCE); 1130 1131 /* add ID payload */ 1132 plist = isakmp_plist_append(plist, 1133 iph1->id, ISAKMP_NPTYPE_ID); 1134 1135 /* add CERT payload if there */ 1136 if (need_cert) 1137 plist = isakmp_plist_append(plist, 1138 iph1->cert->pl, ISAKMP_NPTYPE_CERT); 1139 1140 /* add SIG payload */ 1141 plist = isakmp_plist_append(plist, 1142 iph1->sig, ISAKMP_NPTYPE_SIG); 1143 1144 /* create isakmp CR payload if needed */ 1145 if (need_cr) 1146 plist = isakmp_plist_append(plist, 1147 cr, ISAKMP_NPTYPE_CR); 1148 break; 1149 1150 case OAKLEY_ATTR_AUTH_METHOD_RSAENC: 1151 case OAKLEY_ATTR_AUTH_METHOD_RSAREV: 1152 #ifdef ENABLE_HYBRID 1153 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R: 1154 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: 1155 #endif 1156 break; 1157 #ifdef HAVE_GSSAPI 1158 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB: 1159 /* create buffer to send isakmp payload */ 1160 gsshash = gssapi_wraphash(iph1); 1161 if (gsshash == NULL) { 1162 plog(LLV_ERROR, LOCATION, NULL, 1163 "failed to wrap hash\n"); 1164 /* 1165 * This is probably due to the GSS 1166 * roundtrips not being finished yet. 1167 * Return this error in the hope that 1168 * a fallback to main mode will be done. 1169 */ 1170 isakmp_info_send_n1(iph1, 1171 ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, NULL); 1172 goto end; 1173 } 1174 if (iph1->approval->gssid != NULL) 1175 gss_sa = 1176 ipsecdoi_setph1proposal(iph1->approval); 1177 else 1178 gss_sa = iph1->sa_ret; 1179 1180 if (gss_sa != iph1->sa_ret) 1181 free_gss_sa = 1; 1182 1183 /* set SA payload to reply */ 1184 plist = isakmp_plist_append(plist, 1185 gss_sa, ISAKMP_NPTYPE_SA); 1186 1187 /* create isakmp KE payload */ 1188 plist = isakmp_plist_append(plist, 1189 iph1->dhpub, ISAKMP_NPTYPE_KE); 1190 1191 /* create isakmp NONCE payload */ 1192 plist = isakmp_plist_append(plist, 1193 iph1->nonce, ISAKMP_NPTYPE_NONCE); 1194 1195 /* create isakmp ID payload */ 1196 plist = isakmp_plist_append(plist, 1197 iph1->id, ISAKMP_NPTYPE_ID); 1198 1199 /* create GSS payload */ 1200 gssapi_get_token_to_send(iph1, &gsstoken); 1201 plist = isakmp_plist_append(plist, 1202 gsstoken, ISAKMP_NPTYPE_GSS); 1203 1204 /* create isakmp HASH payload */ 1205 plist = isakmp_plist_append(plist, 1206 gsshash, ISAKMP_NPTYPE_HASH); 1207 1208 /* append vendor id, if needed */ 1209 break; 1210 #endif 1211 } 1212 1213 #ifdef ENABLE_HYBRID 1214 if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) { 1215 plog (LLV_INFO, LOCATION, NULL, "Adding xauth VID payload.\n"); 1216 if ((xauth_vid = set_vendorid(VENDORID_XAUTH)) == NULL) { 1217 plog(LLV_ERROR, LOCATION, NULL, 1218 "Cannot create Xauth vendor ID\n"); 1219 goto end; 1220 } 1221 plist = isakmp_plist_append(plist, 1222 xauth_vid, ISAKMP_NPTYPE_VID); 1223 } 1224 1225 if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_UNITY) { 1226 if ((unity_vid = set_vendorid(VENDORID_UNITY)) == NULL) { 1227 plog(LLV_ERROR, LOCATION, NULL, 1228 "Cannot create Unity vendor ID\n"); 1229 goto end; 1230 } 1231 plist = isakmp_plist_append(plist, 1232 unity_vid, ISAKMP_NPTYPE_VID); 1233 } 1234 #endif 1235 1236 #ifdef ENABLE_NATT 1237 /* append NAT-T payloads */ 1238 if (vid_natt) { 1239 /* chosen VID */ 1240 plist = isakmp_plist_append(plist, vid_natt, ISAKMP_NPTYPE_VID); 1241 /* NAT-D */ 1242 plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d); 1243 plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d); 1244 } 1245 #endif 1246 1247 #ifdef ENABLE_FRAG 1248 if (vid_frag) 1249 plist = isakmp_plist_append(plist, vid_frag, ISAKMP_NPTYPE_VID); 1250 #endif 1251 1252 #ifdef ENABLE_DPD 1253 if (vid_dpd) 1254 plist = isakmp_plist_append(plist, vid_dpd, ISAKMP_NPTYPE_VID); 1255 #endif 1256 1257 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1); 1258 1259 #ifdef HAVE_PRINT_ISAKMP_C 1260 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 1); 1261 #endif 1262 1263 /* send the packet, add to the schedule to resend */ 1264 iph1->retry_counter = iph1->rmconf->retry_counter; 1265 if (isakmp_ph1resend(iph1) == -1) 1266 goto end; 1267 1268 /* the sending message is added to the received-list. */ 1269 if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) { 1270 plog(LLV_ERROR , LOCATION, NULL, 1271 "failed to add a response packet to the tree.\n"); 1272 goto end; 1273 } 1274 1275 iph1->status = PHASE1ST_MSG1SENT; 1276 1277 error = 0; 1278 1279 end: 1280 if (cr) 1281 vfree(cr); 1282 #ifdef ENABLE_HYBRID 1283 if (xauth_vid) 1284 vfree(xauth_vid); 1285 if (unity_vid) 1286 vfree(unity_vid); 1287 #endif 1288 #ifdef HAVE_GSSAPI 1289 if (gsstoken) 1290 vfree(gsstoken); 1291 if (gsshash) 1292 vfree(gsshash); 1293 if (free_gss_sa) 1294 vfree(gss_sa); 1295 #endif 1296 #ifdef ENABLE_DPD 1297 if (vid_dpd) 1298 vfree(vid_dpd); 1299 #endif 1300 #ifdef ENABLE_FRAG 1301 if (vid_frag) 1302 vfree(vid_frag); 1303 #endif 1304 1305 return error; 1306 } 1307 1308 /* 1309 * receive from initiator 1310 * psk: HDR, HASH_I 1311 * gssapi: HDR, HASH_I 1312 * sig: HDR, [ CERT, ] SIG_I 1313 * rsa: HDR, HASH_I 1314 * rev: HDR, HASH_I 1315 */ 1316 int 1317 agg_r2recv(iph1, msg0) 1318 struct ph1handle *iph1; 1319 vchar_t *msg0; 1320 { 1321 vchar_t *msg = NULL; 1322 vchar_t *pbuf = NULL; 1323 struct isakmp_parse_t *pa; 1324 int error = -1; 1325 int ptype; 1326 1327 #ifdef ENABLE_NATT 1328 int natd_seq = 0; 1329 #endif 1330 1331 /* validity check */ 1332 if (iph1->status != PHASE1ST_MSG1SENT) { 1333 plog(LLV_ERROR, LOCATION, NULL, 1334 "status mismatched %d.\n", iph1->status); 1335 goto end; 1336 } 1337 1338 /* decrypting if need. */ 1339 /* XXX configurable ? */ 1340 if (ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) { 1341 msg = oakley_do_decrypt(iph1, msg0, 1342 iph1->ivm->iv, iph1->ivm->ive); 1343 if (msg == NULL) 1344 goto end; 1345 } else 1346 msg = vdup(msg0); 1347 1348 /* validate the type of next payload */ 1349 pbuf = isakmp_parse(msg); 1350 if (pbuf == NULL) 1351 goto end; 1352 1353 iph1->pl_hash = NULL; 1354 1355 for (pa = (struct isakmp_parse_t *)pbuf->v; 1356 pa->type != ISAKMP_NPTYPE_NONE; 1357 pa++) { 1358 1359 switch (pa->type) { 1360 case ISAKMP_NPTYPE_HASH: 1361 iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr; 1362 break; 1363 case ISAKMP_NPTYPE_VID: 1364 handle_vendorid(iph1, pa->ptr); 1365 break; 1366 case ISAKMP_NPTYPE_CERT: 1367 if (oakley_savecert(iph1, pa->ptr) < 0) 1368 goto end; 1369 break; 1370 case ISAKMP_NPTYPE_SIG: 1371 if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) 1372 goto end; 1373 break; 1374 case ISAKMP_NPTYPE_N: 1375 isakmp_check_notify(pa->ptr, iph1); 1376 break; 1377 1378 #ifdef ENABLE_NATT 1379 case ISAKMP_NPTYPE_NATD_DRAFT: 1380 case ISAKMP_NPTYPE_NATD_RFC: 1381 if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL && 1382 pa->type == iph1->natt_options->payload_nat_d) 1383 { 1384 vchar_t *natd_received = NULL; 1385 int natd_verified; 1386 1387 if (isakmp_p2ph (&natd_received, pa->ptr) < 0) 1388 goto end; 1389 1390 if (natd_seq == 0) 1391 iph1->natt_flags |= NAT_DETECTED; 1392 1393 natd_verified = natt_compare_addr_hash (iph1, 1394 natd_received, natd_seq++); 1395 1396 plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n", 1397 natd_seq - 1, 1398 natd_verified ? "verified" : "doesn't match"); 1399 1400 vfree (natd_received); 1401 break; 1402 } 1403 /* passthrough to default... */ 1404 #endif 1405 1406 default: 1407 /* don't send information, see isakmp_ident_r1() */ 1408 plog(LLV_ERROR, LOCATION, iph1->remote, 1409 "ignore the packet, " 1410 "received unexpecting payload type %d.\n", 1411 pa->type); 1412 goto end; 1413 } 1414 } 1415 1416 #ifdef ENABLE_NATT 1417 if (NATT_AVAILABLE(iph1)) 1418 plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n", 1419 iph1->natt_flags & NAT_DETECTED ? 1420 "detected:" : "not detected", 1421 iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "", 1422 iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : ""); 1423 #endif 1424 1425 /* validate authentication value */ 1426 ptype = oakley_validate_auth(iph1); 1427 if (ptype != 0) { 1428 if (ptype == -1) { 1429 /* message printed inner oakley_validate_auth() */ 1430 goto end; 1431 } 1432 EVT_PUSH(iph1->local, iph1->remote, 1433 EVTT_PEERPH1AUTH_FAILED, NULL); 1434 isakmp_info_send_n1(iph1, ptype, NULL); 1435 goto end; 1436 } 1437 1438 iph1->status = PHASE1ST_MSG2RECEIVED; 1439 1440 error = 0; 1441 1442 end: 1443 if (pbuf) 1444 vfree(pbuf); 1445 if (msg) 1446 vfree(msg); 1447 if (error) { 1448 oakley_delcert(iph1->cert_p); 1449 iph1->cert_p = NULL; 1450 oakley_delcert(iph1->crl_p); 1451 iph1->crl_p = NULL; 1452 VPTRINIT(iph1->sig_p); 1453 } 1454 1455 return error; 1456 } 1457 1458 /* 1459 * status update and establish isakmp sa. 1460 */ 1461 int 1462 agg_r2send(iph1, msg) 1463 struct ph1handle *iph1; 1464 vchar_t *msg; 1465 { 1466 int error = -1; 1467 1468 /* validity check */ 1469 if (iph1->status != PHASE1ST_MSG2RECEIVED) { 1470 plog(LLV_ERROR, LOCATION, NULL, 1471 "status mismatched %d.\n", iph1->status); 1472 goto end; 1473 } 1474 1475 /* IV synchronized when packet encrypted. */ 1476 /* see handler.h about IV synchronization. */ 1477 if (ISSET(((struct isakmp *)msg->v)->flags, ISAKMP_FLAG_E)) 1478 memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->iv->l); 1479 1480 /* set encryption flag */ 1481 iph1->flags |= ISAKMP_FLAG_E; 1482 1483 iph1->status = PHASE1ST_ESTABLISHED; 1484 1485 error = 0; 1486 1487 end: 1488 return error; 1489 } 1490
