1/* $NetBSD: isakmp_ident.c,v 1.6 2006/10/02 21:41:59 manu Exp $ */ 2 3/* Id: isakmp_ident.c,v 1.21 2006/04/06 16:46:08 manubsd Exp */ 4 5/* 6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of the project nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34/* Identity Protecion Exchange (Main Mode) */ 35 36#include "config.h" 37 38#include <sys/types.h> 39#include <sys/param.h> 40 41#include <stdlib.h> 42#include <stdio.h> 43#include <string.h> 44#include <errno.h> 45#if TIME_WITH_SYS_TIME 46# include <sys/time.h> 47# include <time.h> 48#else 49# if HAVE_SYS_TIME_H 50# include <sys/time.h> 51# else 52# include <time.h> 53# endif 54#endif 55 56#include "var.h" 57#include "misc.h" 58#include "vmbuf.h" 59#include "plog.h" 60#include "sockmisc.h" 61#include "schedule.h" 62#include "debug.h" 63#include "fsm.h" 64 65#include "localconf.h" 66#include "remoteconf.h" 67#include "isakmp_var.h" 68#include "isakmp.h" 69#include "oakley.h" 70#include "handler.h" 71#include "ipsec_doi.h" 72#include "crypto_openssl.h" 73#include "pfkey.h" 74#include "isakmp_ident.h" 75#include "isakmp_inf.h" 76#include "vendorid.h" 77 78#ifdef ENABLE_NATT 79#include "nattraversal.h" 80#endif 81#ifdef ENABLE_HYBRID 82#include <resolv.h> 83#include "isakmp_xauth.h" 84#include "isakmp_cfg.h" 85#endif 86#ifdef ENABLE_FRAG 87#include "isakmp_frag.h" 88#endif 89 90#include "vpn_control.h" 91#include "vpn_control_var.h" 92#include "ipsecSessionTracer.h" 93#include "ipsecMessageTracer.h" 94#ifndef HAVE_OPENSSL 95#include <Security/SecDH.h> 96#endif 97 98static vchar_t *ident_ir2mx (phase1_handle_t *); 99static vchar_t *ident_ir3mx (phase1_handle_t *); 100 101/* %%% 102 * begin Identity Protection Mode as initiator. 103 */ 104/* 105 * send to responder 106 * psk: HDR, SA 107 * sig: HDR, SA 108 * rsa: HDR, SA 109 * rev: HDR, SA 110 */ 111int 112ident_i1send(iph1, msg) 113 phase1_handle_t *iph1; 114 vchar_t *msg; /* must be null */ 115{ 116 struct payload_list *plist = NULL; 117 int error = -1; 118#ifdef ENABLE_NATT 119 vchar_t *vid_natt[MAX_NATT_VID_COUNT] = { NULL }; 120 int i; 121#endif 122#ifdef ENABLE_HYBRID 123 vchar_t *vid_xauth = NULL; 124 vchar_t *vid_unity = NULL; 125#endif 126#ifdef ENABLE_FRAG 127 vchar_t *vid_frag = NULL; 128#endif 129#ifdef ENABLE_DPD 130 vchar_t *vid_dpd = NULL; 131#endif 132 133 /* validity check */ 134 if (iph1->status != IKEV1_STATE_IDENT_I_START) { 135 plog(ASL_LEVEL_ERR, 136 "status mismatched %d.\n", iph1->status); 137 goto end; 138 } 139 140 /* validity check */ 141 if (msg != NULL) { 142 plog(ASL_LEVEL_ERR, 143 "msg has to be NULL in this function.\n"); 144 goto end; 145 } 146 147 /* create isakmp index */ 148 memset(&iph1->index, 0, sizeof(iph1->index)); 149 isakmp_newcookie((caddr_t)&iph1->index, iph1->remote, iph1->local); 150 151 /* create SA payload for my proposal */ 152 iph1->sa = ipsecdoi_setph1proposal(iph1); 153 if (iph1->sa == NULL) { 154 plog(ASL_LEVEL_ERR, 155 "failed to set proposal"); 156 goto end; 157 } 158 159 /* set SA payload to propose */ 160 plist = isakmp_plist_append(plist, iph1->sa, ISAKMP_NPTYPE_SA); 161 162#ifdef ENABLE_NATT 163 /* set VID payload for NAT-T if NAT-T support allowed in the config file */ 164 if (iph1->rmconf->nat_traversal) 165 plist = isakmp_plist_append_natt_vids(plist, vid_natt); 166#endif 167#ifdef ENABLE_HYBRID 168 /* Do we need Xauth VID? */ 169 switch (RMAUTHMETHOD(iph1)) { 170 case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I: 171 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: 172 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: 173 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I: 174 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I: 175 if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL) 176 plog(ASL_LEVEL_ERR, 177 "Xauth vendor ID generation failed\n"); 178 else 179 plist = isakmp_plist_append(plist, 180 vid_xauth, ISAKMP_NPTYPE_VID); 181 182 if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL) 183 plog(ASL_LEVEL_ERR, 184 "Unity vendor ID generation failed\n"); 185 else 186 plist = isakmp_plist_append(plist, 187 vid_unity, ISAKMP_NPTYPE_VID); 188 break; 189 default: 190 break; 191 } 192#endif 193#ifdef ENABLE_FRAG 194 if (iph1->rmconf->ike_frag) { 195 if ((vid_frag = set_vendorid(VENDORID_FRAG)) == NULL) { 196 plog(ASL_LEVEL_ERR, 197 "Frag vendorID construction failed\n"); 198 } else { 199 vid_frag = isakmp_frag_addcap(vid_frag, 200 VENDORID_FRAG_IDENT); 201 plist = isakmp_plist_append(plist, 202 vid_frag, ISAKMP_NPTYPE_VID); 203 } 204 } 205#endif 206#ifdef ENABLE_DPD 207 if(iph1->rmconf->dpd){ 208 vid_dpd = set_vendorid(VENDORID_DPD); 209 if (vid_dpd != NULL) 210 plist = isakmp_plist_append(plist, vid_dpd, 211 ISAKMP_NPTYPE_VID); 212 } 213#endif 214 215 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1); 216 217#ifdef HAVE_PRINT_ISAKMP_C 218 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0); 219#endif 220 221 /* send the packet, add to the schedule to resend */ 222 iph1->retry_counter = iph1->rmconf->retry_counter; 223 if (isakmp_ph1resend(iph1) == -1) { 224 plog(ASL_LEVEL_ERR, 225 "failed to send packet"); 226 goto end; 227 } 228 229 fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_I_MSG1SENT); 230 231 error = 0; 232 233 IPSECSESSIONTRACEREVENT(iph1->parent_session, 234 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC, 235 CONSTSTR("Initiator, Main-Mode message 1"), 236 CONSTSTR(NULL)); 237 238end: 239 if (error) { 240 IPSECSESSIONTRACEREVENT(iph1->parent_session, 241 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL, 242 CONSTSTR("Initiator, Main-Mode Message 1"), 243 CONSTSTR("Failed to transmit Main-Mode Message 1")); 244 } 245#ifdef ENABLE_FRAG 246 if (vid_frag) 247 vfree(vid_frag); 248#endif 249#ifdef ENABLE_NATT 250 for (i = 0; i < MAX_NATT_VID_COUNT && vid_natt[i] != NULL; i++) 251 vfree(vid_natt[i]); 252#endif 253#ifdef ENABLE_HYBRID 254 if (vid_xauth != NULL) 255 vfree(vid_xauth); 256 if (vid_unity != NULL) 257 vfree(vid_unity); 258#endif 259#ifdef ENABLE_DPD 260 if (vid_dpd != NULL) 261 vfree(vid_dpd); 262#endif 263 264 return error; 265} 266 267/* 268 * receive from responder 269 * psk: HDR, SA 270 * sig: HDR, SA 271 * rsa: HDR, SA 272 * rev: HDR, SA 273 */ 274int 275ident_i2recv(iph1, msg) 276 phase1_handle_t *iph1; 277 vchar_t *msg; 278{ 279 vchar_t *pbuf = NULL; 280 struct isakmp_parse_t *pa; 281 vchar_t *satmp = NULL; 282 int error = -1; 283 int vid_numeric; 284 285 /* validity check */ 286 if (iph1->status != IKEV1_STATE_IDENT_I_MSG1SENT) { 287 plog(ASL_LEVEL_ERR, 288 "status mismatched %d.\n", iph1->status); 289 goto end; 290 } 291 292 /* validate the type of next payload */ 293 /* 294 * NOTE: RedCreek(as responder) attaches N[responder-lifetime] here, 295 * if proposal-lifetime > lifetime-redcreek-wants. 296 * (see doi-08 4.5.4) 297 * => According to the seciton 4.6.3 in RFC 2407, This is illegal. 298 * NOTE: we do not really care about ordering of VID and N. 299 * does it matters? 300 * NOTE: even if there's multiple VID/N, we'll ignore them. 301 */ 302 pbuf = isakmp_parse(msg); 303 if (pbuf == NULL) { 304 plog(ASL_LEVEL_ERR, 305 "failed to parse msg"); 306 goto end; 307 } 308 pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v; 309 310 /* SA payload is fixed postion */ 311 if (pa->type != ISAKMP_NPTYPE_SA) { 312 plog(ASL_LEVEL_ERR, 313 "received invalid next payload type %d, " 314 "expecting %d.\n", 315 pa->type, ISAKMP_NPTYPE_SA); 316 goto end; 317 } 318 if (isakmp_p2ph(&satmp, pa->ptr) < 0) { 319 plog(ASL_LEVEL_ERR, 320 "failed to process SA payload"); 321 goto end; 322 } 323 pa++; 324 325 for (/*nothing*/; 326 pa->type != ISAKMP_NPTYPE_NONE; 327 pa++) { 328 329 switch (pa->type) { 330 case ISAKMP_NPTYPE_VID: 331 vid_numeric = check_vendorid(pa->ptr); 332#ifdef ENABLE_NATT 333 if (iph1->rmconf->nat_traversal && natt_vendorid(vid_numeric)) 334 natt_handle_vendorid(iph1, vid_numeric); 335#endif 336#ifdef ENABLE_HYBRID 337 switch (vid_numeric) { 338 case VENDORID_XAUTH: 339 iph1->mode_cfg->flags |= 340 ISAKMP_CFG_VENDORID_XAUTH; 341 break; 342 343 case VENDORID_UNITY: 344 iph1->mode_cfg->flags |= 345 ISAKMP_CFG_VENDORID_UNITY; 346 break; 347 348 default: 349 break; 350 } 351#endif 352#ifdef ENABLE_DPD 353 if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd) 354 iph1->dpd_support=1; 355#endif 356#ifdef ENABLE_FRAG 357 if ((vid_numeric == VENDORID_FRAG) && 358 (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_IDENT)) { 359 plog(ASL_LEVEL_DEBUG, 360 "remote supports FRAGMENTATION\n"); 361 iph1->frag = 1; 362 } 363#endif 364 break; 365 default: 366 /* don't send information, see ident_r1recv() */ 367 plog(ASL_LEVEL_ERR, 368 "ignore the packet, " 369 "received unexpecting payload type %d.\n", 370 pa->type); 371 goto end; 372 } 373 } 374 375#ifdef ENABLE_NATT 376 if (NATT_AVAILABLE(iph1)) { 377 plog(ASL_LEVEL_INFO, 378 "Selected NAT-T version: %s\n", 379 vid_string_by_id(iph1->natt_options->version)); 380 ike_session_update_natt_version(iph1); 381 } 382#endif 383 384 /* check SA payload and set approval SA for use */ 385 if (ipsecdoi_checkph1proposal(satmp, iph1) < 0) { 386 plog(ASL_LEVEL_ERR, 387 "failed to get valid proposal.\n"); 388 /* XXX send information */ 389 goto end; 390 } 391 VPTRINIT(iph1->sa_ret); 392 393 fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_I_MSG2RCVD); 394 395#ifdef ENABLE_VPNCONTROL_PORT 396 vpncontrol_notify_phase_change(1, FROM_REMOTE, iph1, NULL); 397#endif 398 399 error = 0; 400 401 IPSECSESSIONTRACEREVENT(iph1->parent_session, 402 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC, 403 CONSTSTR("Initiator, Main-Mode message 2"), 404 CONSTSTR(NULL)); 405 406end: 407 if (error) { 408 IPSECSESSIONTRACEREVENT(iph1->parent_session, 409 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL, 410 CONSTSTR("Initiator, Main-Mode Message 2"), 411 CONSTSTR("Failed to process Main-Mode Message 2")); 412 } 413 if (pbuf) 414 vfree(pbuf); 415 if (satmp) 416 vfree(satmp); 417 return error; 418} 419 420/* 421 * send to responder 422 * psk: HDR, KE, Ni 423 * sig: HDR, KE, Ni 424 * gssapi: HDR, KE, Ni, GSSi 425 * rsa: HDR, KE, [ HASH(1), ] <IDi1_b>PubKey_r, <Ni_b>PubKey_r 426 * rev: HDR, [ HASH(1), ] <Ni_b>Pubkey_r, <KE_b>Ke_i, 427 * <IDi1_b>Ke_i, [<<Cert-I_b>Ke_i] 428 */ 429int 430ident_i3send(iph1, msg) 431 phase1_handle_t *iph1; 432 vchar_t *msg; 433{ 434 int error = -1; 435 436 /* validity check */ 437 if (iph1->status != IKEV1_STATE_IDENT_I_MSG2RCVD) { 438 plog(ASL_LEVEL_ERR, 439 "status mismatched %d.\n", iph1->status); 440 goto end; 441 } 442 443 /* fix isakmp index */ 444 memcpy(&iph1->index.r_ck, &((struct isakmp *)msg->v)->r_ck, 445 sizeof(cookie_t)); 446 447 /* generate DH public value */ 448#ifdef HAVE_OPENSSL 449 if (oakley_dh_generate(iph1->approval->dhgrp, 450 &iph1->dhpub, &iph1->dhpriv) < 0) { 451#else 452 if (oakley_dh_generate(iph1->approval->dhgrp, 453 &iph1->dhpub, &iph1->publicKeySize, &iph1->dhC) < 0) { 454#endif 455 plog(ASL_LEVEL_ERR, 456 "failed to generate DH"); 457 goto end; 458 } 459 460 /* generate NONCE value */ 461 iph1->nonce = eay_set_random(iph1->rmconf->nonce_size); 462 if (iph1->nonce == NULL) { 463 plog(ASL_LEVEL_ERR, 464 "failed to generate NONCE"); 465 goto end; 466 } 467 468 /* create buffer to send isakmp payload */ 469 iph1->sendbuf = ident_ir2mx(iph1); 470 if (iph1->sendbuf == NULL) { 471 plog(ASL_LEVEL_ERR, 472 "failed to create send buffer"); 473 goto end; 474 } 475 476#ifdef HAVE_PRINT_ISAKMP_C 477 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0); 478#endif 479 480 /* send the packet, add to the schedule to resend */ 481 iph1->retry_counter = iph1->rmconf->retry_counter; 482 if (isakmp_ph1resend(iph1) == -1) { 483 plog(ASL_LEVEL_ERR, 484 "failed to send packet"); 485 goto end; 486 } 487 488 /* the sending message is added to the received-list. */ 489 if (ike_session_add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg, 490 PH1_NON_ESP_EXTRA_LEN(iph1, iph1->sendbuf), PH1_FRAG_FLAGS(iph1)) == -1) { 491 plog(ASL_LEVEL_ERR , 492 "failed to add a response packet to the tree.\n"); 493 goto end; 494 } 495 496 fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_I_MSG3SENT); 497 498 error = 0; 499 500 IPSECSESSIONTRACEREVENT(iph1->parent_session, 501 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC, 502 CONSTSTR("Initiator, Main-Mode message 3"), 503 CONSTSTR(NULL)); 504 505end: 506 if (error) { 507 IPSECSESSIONTRACEREVENT(iph1->parent_session, 508 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL, 509 CONSTSTR("Initiator, Main-Mode Message 3"), 510 CONSTSTR("Failed to transmit Main-Mode Message 3")); 511 } 512 return error; 513} 514 515/* 516 * receive from responder 517 * psk: HDR, KE, Nr 518 * sig: HDR, KE, Nr [, CR ] 519 * gssapi: HDR, KE, Nr, GSSr 520 * rsa: HDR, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i 521 * rev: HDR, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDr1_b>Ke_r, 522 */ 523int 524ident_i4recv(iph1, msg) 525 phase1_handle_t *iph1; 526 vchar_t *msg; 527{ 528 vchar_t *pbuf = NULL; 529 struct isakmp_parse_t *pa; 530 int error = -1; 531 int vid_numeric; 532#ifdef ENABLE_NATT 533 vchar_t *natd_received; 534 int natd_seq = 0, natd_verified; 535#endif 536 537 /* validity check */ 538 if (iph1->status != IKEV1_STATE_IDENT_I_MSG3SENT) { 539 plog(ASL_LEVEL_ERR, 540 "status mismatched %d.\n", iph1->status); 541 goto end; 542 } 543 544 /* validate the type of next payload */ 545 pbuf = isakmp_parse(msg); 546 if (pbuf == NULL) { 547 plog(ASL_LEVEL_ERR, 548 "failed to parse msg"); 549 goto end; 550 } 551 552 for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v; 553 pa->type != ISAKMP_NPTYPE_NONE; 554 pa++) { 555 556 switch (pa->type) { 557 case ISAKMP_NPTYPE_KE: 558 if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) { 559 plog(ASL_LEVEL_ERR, 560 "failed to process KE payload"); 561 goto end; 562 } 563 break; 564 case ISAKMP_NPTYPE_NONCE: 565 if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) { 566 plog(ASL_LEVEL_ERR, 567 "failed to process NONCE payload"); 568 goto end; 569 } 570 break; 571 case ISAKMP_NPTYPE_VID: 572 vid_numeric = check_vendorid(pa->ptr); 573#ifdef ENABLE_HYBRID 574 switch (vid_numeric) { 575 case VENDORID_XAUTH: 576 iph1->mode_cfg->flags |= 577 ISAKMP_CFG_VENDORID_XAUTH; 578 break; 579 580 case VENDORID_UNITY: 581 iph1->mode_cfg->flags |= 582 ISAKMP_CFG_VENDORID_UNITY; 583 break; 584 585 default: 586 break; 587 } 588#endif 589#ifdef ENABLE_DPD 590 if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd) 591 iph1->dpd_support=1; 592#endif 593 594 break; 595 case ISAKMP_NPTYPE_CR: 596 if (oakley_savecr(iph1, pa->ptr) < 0) { 597 plog(ASL_LEVEL_ERR, 598 "failed to process CR payload"); 599 goto end; 600 } 601 break; 602 603#ifdef ENABLE_NATT 604 case ISAKMP_NPTYPE_NATD_DRAFT: 605 case ISAKMP_NPTYPE_NATD_RFC: 606 case ISAKMP_NPTYPE_NATD_BADDRAFT: 607 if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL && 608 pa->type == iph1->natt_options->payload_nat_d) { 609 natd_received = NULL; 610 if (isakmp_p2ph (&natd_received, pa->ptr) < 0) { 611 plog(ASL_LEVEL_ERR, 612 "failed to process NATD payload"); 613 goto end; 614 } 615 616 /* set both bits first so that we can clear them 617 upon verifying hashes */ 618 if (natd_seq == 0) 619 iph1->natt_flags |= NAT_DETECTED; 620 621 /* this function will clear appropriate bits bits 622 from iph1->natt_flags */ 623 natd_verified = natt_compare_addr_hash (iph1, 624 natd_received, natd_seq++); 625 626 plog (ASL_LEVEL_INFO, "NAT-D payload #%d %s\n", 627 natd_seq - 1, 628 natd_verified ? "verified" : "doesn't match"); 629 630 vfree (natd_received); 631 break; 632 } 633 /* %%%% Be lenient here - some servers send natd payloads */ 634 /* when no nat is detected */ 635 break; 636#endif 637 638 default: 639 /* don't send information, see ident_r1recv() */ 640 plog(ASL_LEVEL_ERR, 641 "ignore the packet, " 642 "received unexpecting payload type %d.\n", 643 pa->type); 644 goto end; 645 } 646 } 647 648#ifdef ENABLE_NATT 649 if (NATT_AVAILABLE(iph1)) { 650 plog (ASL_LEVEL_INFO, "NAT %s %s%s\n", 651 iph1->natt_flags & NAT_DETECTED ? 652 "detected:" : "not detected", 653 iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "", 654 iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : ""); 655 if (iph1->natt_flags & NAT_DETECTED) 656 natt_float_ports (iph1); 657 } 658#endif 659 660 /* payload existency check */ 661 if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) { 662 plog(ASL_LEVEL_ERR, 663 "few isakmp message received.\n"); 664 goto end; 665 } 666 667 if (oakley_checkcr(iph1) < 0) { 668 /* Ignore this error in order to be interoperability. */ 669 ; 670 } 671 672 fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_I_MSG4RCVD); 673 674 error = 0; 675 676 IPSECSESSIONTRACEREVENT(iph1->parent_session, 677 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC, 678 CONSTSTR("Initiator, Main-Mode message 4"), 679 CONSTSTR(NULL)); 680 681end: 682 if (error) { 683 IPSECSESSIONTRACEREVENT(iph1->parent_session, 684 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL, 685 CONSTSTR("Initiator, Main-Mode Message 4"), 686 CONSTSTR("Failed to process Main-Mode Message 4")); 687 } 688 if (pbuf) 689 vfree(pbuf); 690 if (error) { 691 VPTRINIT(iph1->dhpub_p); 692 VPTRINIT(iph1->nonce_p); 693 VPTRINIT(iph1->id_p); 694 oakley_delcert(iph1->cr_p); 695 iph1->cr_p = NULL; 696 } 697 698 return error; 699} 700 701/* 702 * send to responder 703 * psk: HDR*, IDi1, HASH_I 704 * sig: HDR*, IDi1, [ CR, ] [ CERT, ] SIG_I 705 * gssapi: HDR*, IDi1, < Gssi(n) | HASH_I > 706 * rsa: HDR*, HASH_I 707 * rev: HDR*, HASH_I 708 */ 709int 710ident_i5send(iph1, msg0) 711 phase1_handle_t *iph1; 712 vchar_t *msg0; 713{ 714 int error = -1; 715 int dohash = 1; 716 717 /* validity check */ 718 if (iph1->status != IKEV1_STATE_IDENT_I_MSG4RCVD) { 719 plog(ASL_LEVEL_ERR, 720 "status mismatched %d.\n", iph1->status); 721 goto end; 722 } 723 724 /* compute sharing secret of DH */ 725#ifdef HAVE_OPENSSL 726 if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub, 727 iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) { 728#else 729 if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub_p, iph1->publicKeySize, &iph1->dhgxy, &iph1->dhC) < 0) { 730#endif 731 plog(ASL_LEVEL_ERR, 732 "failed to compute DH"); 733 goto end; 734 } 735 736 /* generate SKEYIDs & IV & final cipher key */ 737 if (oakley_skeyid(iph1) < 0) { 738 plog(ASL_LEVEL_ERR, 739 "failed to generate SKEYID"); 740 goto end; 741 } 742 if (oakley_skeyid_dae(iph1) < 0) { 743 plog(ASL_LEVEL_ERR, 744 "failed to generate SKEYID-DAE"); 745 goto end; 746 } 747 if (oakley_compute_enckey(iph1) < 0) { 748 plog(ASL_LEVEL_ERR, 749 "failed to generate ENCKEY"); 750 goto end; 751 } 752 if (oakley_newiv(iph1) < 0) { 753 plog(ASL_LEVEL_ERR, 754 "failed to generate IV"); 755 goto end; 756 } 757 758 /* make ID payload into isakmp status */ 759 if (ipsecdoi_setid1(iph1) < 0) { 760 plog(ASL_LEVEL_ERR, 761 "failed to set ID"); 762 goto end; 763 } 764 765 /* generate HASH to send */ 766 if (dohash) { 767 iph1->hash = oakley_ph1hash_common(iph1, GENERATE); 768 if (iph1->hash == NULL) { 769 plog(ASL_LEVEL_ERR, 770 "failed to generate HASH"); 771 goto end; 772 } 773 } else 774 iph1->hash = NULL; 775 776 /* set encryption flag */ 777 iph1->flags |= ISAKMP_FLAG_E; 778 779 /* create HDR;ID;HASH payload */ 780 iph1->sendbuf = ident_ir3mx(iph1); 781 if (iph1->sendbuf == NULL) { 782 plog(ASL_LEVEL_ERR, 783 "failed to allocate send buffer"); 784 goto end; 785 } 786 787 /* send the packet, add to the schedule to resend */ 788 iph1->retry_counter = iph1->rmconf->retry_counter; 789 if (isakmp_ph1resend(iph1) == -1) { 790 plog(ASL_LEVEL_ERR, 791 "failed to send packet"); 792 goto end; 793 } 794 795 /* the sending message is added to the received-list. */ 796 if (ike_session_add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg0, 797 PH1_NON_ESP_EXTRA_LEN(iph1, iph1->sendbuf), PH1_FRAG_FLAGS(iph1)) == -1) { 798 plog(ASL_LEVEL_ERR , 799 "failed to add a response packet to the tree.\n"); 800 goto end; 801 } 802 803 /* see handler.h about IV synchronization. */ 804 memcpy(iph1->ivm->ive->v, iph1->ivm->iv->v, iph1->ivm->iv->l); 805 806 fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_I_MSG5SENT); 807 808 error = 0; 809 810 IPSECSESSIONTRACEREVENT(iph1->parent_session, 811 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC, 812 CONSTSTR("Initiator, Main-Mode message 5"), 813 CONSTSTR(NULL)); 814 815end: 816 if (error) { 817 IPSECSESSIONTRACEREVENT(iph1->parent_session, 818 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL, 819 CONSTSTR("Initiator, Main-Mode Message 5"), 820 CONSTSTR("Failed to transmit Main-Mode Message 5")); 821 } 822 return error; 823} 824 825/* 826 * receive from responder 827 * psk: HDR*, IDr1, HASH_R 828 * sig: HDR*, IDr1, [ CERT, ] SIG_R 829 * gssapi: HDR*, IDr1, < GSSr(n) | HASH_R > 830 * rsa: HDR*, HASH_R 831 * rev: HDR*, HASH_R 832 */ 833int 834ident_i6recv(iph1, msg0) 835 phase1_handle_t *iph1; 836 vchar_t *msg0; 837{ 838 vchar_t *pbuf = NULL; 839 struct isakmp_parse_t *pa; 840 vchar_t *msg = NULL; 841 int error = -1; 842 int type; 843 int vid_numeric; 844 int received_cert = 0; 845 846 /* validity check */ 847 if (iph1->status != IKEV1_STATE_IDENT_I_MSG5SENT) { 848 plog(ASL_LEVEL_ERR, 849 "status mismatched %d.\n", iph1->status); 850 goto end; 851 } 852 853 /* decrypting */ 854 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) { 855 plog(ASL_LEVEL_ERR, 856 "ignore the packet, " 857 "expecting the packet encrypted.\n"); 858 goto end; 859 } 860 msg = oakley_do_decrypt(iph1, msg0, iph1->ivm->iv, iph1->ivm->ive); 861 if (msg == NULL) { 862 plog(ASL_LEVEL_ERR, 863 "failed to decrypt"); 864 goto end; 865 } 866 867 /* validate the type of next payload */ 868 pbuf = isakmp_parse(msg); 869 if (pbuf == NULL) { 870 plog(ASL_LEVEL_ERR, 871 "failed to parse msg"); 872 goto end; 873 } 874 875 iph1->pl_hash = NULL; 876 877 for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v; 878 pa->type != ISAKMP_NPTYPE_NONE; 879 pa++) { 880 881 switch (pa->type) { 882 case ISAKMP_NPTYPE_ID: 883 if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) { 884 plog(ASL_LEVEL_ERR, 885 "failed to process ID payload"); 886 goto end; 887 } 888 break; 889 case ISAKMP_NPTYPE_HASH: 890 iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr; 891 break; 892 case ISAKMP_NPTYPE_CERT: 893 if (oakley_savecert(iph1, pa->ptr) < 0) { 894 plog(ASL_LEVEL_ERR, 895 "failed to process CERT payload"); 896 goto end; 897 } 898 received_cert = 1; 899 break; 900 case ISAKMP_NPTYPE_SIG: 901 if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) { 902 plog(ASL_LEVEL_ERR, 903 "failed to process SIG payload"); 904 goto end; 905 } 906 break; 907 908 case ISAKMP_NPTYPE_VID: 909 vid_numeric = check_vendorid(pa->ptr); 910#ifdef ENABLE_DPD 911 if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd) 912 iph1->dpd_support=1; 913#endif 914 break; 915 case ISAKMP_NPTYPE_N: 916 isakmp_check_notify(pa->ptr, iph1); 917 break; 918 default: 919 /* don't send information, see ident_r1recv() */ 920 plog(ASL_LEVEL_ERR, 921 "ignore the packet, " 922 "received unexpecting payload type %d.\n", 923 pa->type); 924 goto end; 925 } 926 } 927 928 if (received_cert) { 929 oakley_verify_certid(iph1); 930 } 931 932 /* payload existency check */ 933 934 /* verify identifier */ 935 if (ipsecdoi_checkid1(iph1) != 0) { 936 plog(ASL_LEVEL_ERR, 937 "invalid ID payload.\n"); 938 goto end; 939 } 940 941 /* validate authentication value */ 942 type = oakley_validate_auth(iph1); 943 if (type != 0) { 944 IPSECSESSIONTRACEREVENT(iph1->parent_session, 945 IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_FAIL, 946 CONSTSTR("Initiator, Main-Mode Message 6"), 947 CONSTSTR("Failed to authenticate Main-Mode Message 6")); 948 if (type == -1) { 949 /* msg printed inner oakley_validate_auth() */ 950 goto end; 951 } 952 isakmp_info_send_n1(iph1, type, NULL); 953 goto end; 954 } 955 IPSECSESSIONTRACEREVENT(iph1->parent_session, 956 IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_SUCC, 957 CONSTSTR("Initiator, Main-Mode Message 6"), 958 CONSTSTR(NULL)); 959 960 961 /* 962 * XXX: Should we do compare two addresses, ph1handle's and ID 963 * payload's. 964 */ 965 966 plogdump(ASL_LEVEL_DEBUG, iph1->id_p->v, iph1->id_p->l, "peer's ID:"); 967 968 /* see handler.h about IV synchronization. */ 969 memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->ive->l); 970 971 /* 972 * If we got a GSS token, we need to this roundtrip again. 973 */ 974 fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_I_MSG6RCVD); 975 976 error = 0; 977 978 IPSECSESSIONTRACEREVENT(iph1->parent_session, 979 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC, 980 CONSTSTR("Initiator, Main-Mode message 6"), 981 CONSTSTR(NULL)); 982 983end: 984 if (error) { 985 IPSECSESSIONTRACEREVENT(iph1->parent_session, 986 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL, 987 CONSTSTR("Initiator, Main-Mode Message 6"), 988 CONSTSTR("Failed to transmit Main-Mode Message 6")); 989 } 990 if (pbuf) 991 vfree(pbuf); 992 if (msg) 993 vfree(msg); 994 995 if (error) { 996 VPTRINIT(iph1->id_p); 997 oakley_delcert(iph1->cert_p); 998 iph1->cert_p = NULL; 999 oakley_delcert(iph1->crl_p); 1000 iph1->crl_p = NULL; 1001 VPTRINIT(iph1->sig_p); 1002 } 1003 1004 return error; 1005} 1006 1007/* 1008 * status update and establish isakmp sa. 1009 */ 1010int 1011ident_ifinalize(iph1, msg) 1012 phase1_handle_t *iph1; 1013 vchar_t *msg; 1014{ 1015 int error = -1; 1016 1017 /* validity check */ 1018 if (iph1->status != IKEV1_STATE_IDENT_I_MSG6RCVD) { 1019 plog(ASL_LEVEL_ERR, 1020 "status mismatched %d.\n", iph1->status); 1021 goto end; 1022 } 1023 1024 /* see handler.h about IV synchronization. */ 1025 memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->iv->l); 1026 1027 fsm_set_state(&iph1->status, IKEV1_STATE_PHASE1_ESTABLISHED); 1028 1029 IPSECSESSIONTRACEREVENT(iph1->parent_session, 1030 IPSECSESSIONEVENTCODE_IKEV1_PH1_INIT_SUCC, 1031 CONSTSTR("Initiator, Main-Mode"), 1032 CONSTSTR(NULL)); 1033 1034 error = 0; 1035 1036end: 1037 return error; 1038} 1039 1040/* 1041 * receive from initiator 1042 * psk: HDR, SA 1043 * sig: HDR, SA 1044 * rsa: HDR, SA 1045 * rev: HDR, SA 1046 */ 1047int 1048ident_r1recv(iph1, msg) 1049 phase1_handle_t *iph1; 1050 vchar_t *msg; 1051{ 1052 vchar_t *pbuf = NULL; 1053 struct isakmp_parse_t *pa; 1054 int error = -1; 1055 int vid_numeric; 1056 1057 /* validity check */ 1058 if (iph1->status != IKEV1_STATE_IDENT_R_START) { 1059 plog(ASL_LEVEL_ERR, 1060 "status mismatched %d.\n", iph1->status); 1061 goto end; 1062 } 1063 1064 /* validate the type of next payload */ 1065 /* 1066 * NOTE: XXX even if multiple VID, we'll silently ignore those. 1067 */ 1068 pbuf = isakmp_parse(msg); 1069 if (pbuf == NULL) { 1070 plog(ASL_LEVEL_ERR, 1071 "failed to parse msg"); 1072 goto end; 1073 } 1074 pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v; 1075 1076 /* check the position of SA payload */ 1077 if (pa->type != ISAKMP_NPTYPE_SA) { 1078 plog(ASL_LEVEL_ERR, 1079 "received invalid next payload type %d, " 1080 "expecting %d.\n", 1081 pa->type, ISAKMP_NPTYPE_SA); 1082 goto end; 1083 } 1084 if (isakmp_p2ph(&iph1->sa, pa->ptr) < 0) { 1085 plog(ASL_LEVEL_ERR, 1086 "failed to process SA payload"); 1087 goto end; 1088 } 1089 pa++; 1090 1091 for (/*nothing*/; 1092 pa->type != ISAKMP_NPTYPE_NONE; 1093 pa++) { 1094 1095 switch (pa->type) { 1096 case ISAKMP_NPTYPE_VID: 1097 vid_numeric = check_vendorid(pa->ptr); 1098#ifdef ENABLE_NATT 1099 if (iph1->rmconf->nat_traversal && natt_vendorid(vid_numeric)) 1100 natt_handle_vendorid(iph1, vid_numeric); 1101#endif 1102#ifdef ENABLE_HYBRID 1103 switch (vid_numeric) { 1104 case VENDORID_XAUTH: 1105 iph1->mode_cfg->flags |= 1106 ISAKMP_CFG_VENDORID_XAUTH; 1107 break; 1108 1109 case VENDORID_UNITY: 1110 iph1->mode_cfg->flags |= 1111 ISAKMP_CFG_VENDORID_UNITY; 1112 break; 1113 1114 default: 1115 break; 1116 } 1117#endif 1118#ifdef ENABLE_DPD 1119 if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd) 1120 iph1->dpd_support=1; 1121#endif 1122#ifdef ENABLE_FRAG 1123 if ((vid_numeric == VENDORID_FRAG) && 1124 (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_IDENT)) { 1125 plog(ASL_LEVEL_DEBUG, 1126 "remote supports FRAGMENTATION\n"); 1127 iph1->frag = 1; 1128 } 1129#endif 1130 break; 1131 default: 1132 /* 1133 * We don't send information to the peer even 1134 * if we received malformed packet. Because we 1135 * can't distinguish the malformed packet and 1136 * the re-sent packet. And we do same behavior 1137 * when we expect encrypted packet. 1138 */ 1139 plog(ASL_LEVEL_ERR, 1140 "ignore the packet, " 1141 "received unexpecting payload type %d.\n", 1142 pa->type); 1143 goto end; 1144 } 1145 } 1146 1147#ifdef ENABLE_NATT 1148 if (NATT_AVAILABLE(iph1)) { 1149 plog(ASL_LEVEL_INFO, 1150 "Selected NAT-T version: %s\n", 1151 vid_string_by_id(iph1->natt_options->version)); 1152 ike_session_update_natt_version(iph1); 1153 } 1154#endif 1155 1156 /* check SA payload and set approval SA for use */ 1157 if (ipsecdoi_checkph1proposal(iph1->sa, iph1) < 0) { 1158 plog(ASL_LEVEL_ERR, 1159 "failed to get valid proposal.\n"); 1160 /* XXX send information */ 1161 goto end; 1162 } 1163 1164 fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_R_MSG1RCVD); 1165 1166 error = 0; 1167 1168 IPSECSESSIONTRACEREVENT(iph1->parent_session, 1169 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC, 1170 CONSTSTR("Responder, Main-Mode message 1"), 1171 CONSTSTR(NULL)); 1172 1173end: 1174 if (error) { 1175 IPSECSESSIONTRACEREVENT(iph1->parent_session, 1176 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL, 1177 CONSTSTR("Responder, Main-Mode Message 1"), 1178 CONSTSTR("Failed to process Main-Mode Message 1")); 1179 } 1180 if (pbuf) 1181 vfree(pbuf); 1182 if (error) { 1183 VPTRINIT(iph1->sa); 1184 } 1185 1186 return error; 1187} 1188 1189/* 1190 * send to initiator 1191 * psk: HDR, SA 1192 * sig: HDR, SA 1193 * rsa: HDR, SA 1194 * rev: HDR, SA 1195 */ 1196int 1197ident_r2send(iph1, msg) 1198 phase1_handle_t *iph1; 1199 vchar_t *msg; 1200{ 1201 struct payload_list *plist = NULL; 1202 int error = -1; 1203 vchar_t *gss_sa = NULL; 1204#ifdef ENABLE_NATT 1205 vchar_t *vid_natt = NULL; 1206#endif 1207#ifdef ENABLE_HYBRID 1208 vchar_t *vid_xauth = NULL; 1209 vchar_t *vid_unity = NULL; 1210#endif 1211#ifdef ENABLE_DPD 1212 vchar_t *vid_dpd = NULL; 1213#endif 1214#ifdef ENABLE_FRAG 1215 vchar_t *vid_frag = NULL; 1216#endif 1217 1218 /* validity check */ 1219 if (iph1->status != IKEV1_STATE_IDENT_R_MSG1RCVD) { 1220 plog(ASL_LEVEL_ERR, 1221 "status mismatched %d.\n", iph1->status); 1222 goto end; 1223 } 1224 1225 /* set responder's cookie */ 1226 isakmp_newcookie((caddr_t)&iph1->index.r_ck, iph1->remote, iph1->local); 1227 gss_sa = iph1->sa_ret; 1228 1229 /* set SA payload to reply */ 1230 plist = isakmp_plist_append(plist, gss_sa, ISAKMP_NPTYPE_SA); 1231 1232#ifdef ENABLE_HYBRID 1233 if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) { 1234 plog (ASL_LEVEL_INFO, "Adding xauth VID payload.\n"); 1235 if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL) { 1236 plog(ASL_LEVEL_ERR, 1237 "Cannot create Xauth vendor ID\n"); 1238 goto end; 1239 } 1240 plist = isakmp_plist_append(plist, 1241 vid_xauth, ISAKMP_NPTYPE_VID); 1242 } 1243 1244 if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_UNITY) { 1245 if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL) { 1246 plog(ASL_LEVEL_ERR, 1247 "Cannot create Unity vendor ID\n"); 1248 goto end; 1249 } 1250 plist = isakmp_plist_append(plist, 1251 vid_unity, ISAKMP_NPTYPE_VID); 1252 } 1253#endif 1254#ifdef ENABLE_NATT 1255 /* Has the peer announced NAT-T? */ 1256 if (NATT_AVAILABLE(iph1)) 1257 vid_natt = set_vendorid(iph1->natt_options->version); 1258 1259 if (vid_natt) 1260 plist = isakmp_plist_append(plist, vid_natt, ISAKMP_NPTYPE_VID); 1261#endif 1262#ifdef ENABLE_DPD 1263 /* XXX only send DPD VID if remote sent it ? */ 1264 if(iph1->rmconf->dpd){ 1265 vid_dpd = set_vendorid(VENDORID_DPD); 1266 if (vid_dpd != NULL) 1267 plist = isakmp_plist_append(plist, vid_dpd, ISAKMP_NPTYPE_VID); 1268 } 1269#endif 1270#ifdef ENABLE_FRAG 1271 if (iph1->frag) { 1272 vid_frag = set_vendorid(VENDORID_FRAG); 1273 if (vid_frag != NULL) 1274 vid_frag = isakmp_frag_addcap(vid_frag, 1275 VENDORID_FRAG_IDENT); 1276 if (vid_frag == NULL) 1277 plog(ASL_LEVEL_ERR, 1278 "Frag vendorID construction failed\n"); 1279 else 1280 plist = isakmp_plist_append(plist, 1281 vid_frag, ISAKMP_NPTYPE_VID); 1282 } 1283#endif 1284 1285 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1); 1286 1287#ifdef HAVE_PRINT_ISAKMP_C 1288 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0); 1289#endif 1290 1291 /* send the packet, add to the schedule to resend */ 1292 iph1->retry_counter = iph1->rmconf->retry_counter; 1293 if (isakmp_ph1resend(iph1) == -1) { 1294 plog(ASL_LEVEL_ERR, 1295 "failed to send packet"); 1296 goto end; 1297 } 1298 1299 /* the sending message is added to the received-list. */ 1300 if (ike_session_add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg, 1301 PH1_NON_ESP_EXTRA_LEN(iph1, iph1->sendbuf), PH1_FRAG_FLAGS(iph1)) == -1) { 1302 plog(ASL_LEVEL_ERR , 1303 "failed to add a response packet to the tree.\n"); 1304 goto end; 1305 } 1306 1307 fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_R_MSG2SENT); 1308 1309#ifdef ENABLE_VPNCONTROL_PORT 1310 vpncontrol_notify_phase_change(1, FROM_LOCAL, iph1, NULL); 1311#endif 1312 1313 error = 0; 1314 1315 IPSECSESSIONTRACEREVENT(iph1->parent_session, 1316 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC, 1317 CONSTSTR("Responder, Main-Mode message 2"), 1318 CONSTSTR(NULL)); 1319 1320end: 1321 if (error) { 1322 IPSECSESSIONTRACEREVENT(iph1->parent_session, 1323 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL, 1324 CONSTSTR("Responder, Main-Mode Message 2"), 1325 CONSTSTR("Failed to transmit Main-Mode Message 2")); 1326 } 1327#ifdef ENABLE_NATT 1328 if (vid_natt) 1329 vfree(vid_natt); 1330#endif 1331#ifdef ENABLE_HYBRID 1332 if (vid_xauth != NULL) 1333 vfree(vid_xauth); 1334 if (vid_unity != NULL) 1335 vfree(vid_unity); 1336#endif 1337#ifdef ENABLE_DPD 1338 if (vid_dpd != NULL) 1339 vfree(vid_dpd); 1340#endif 1341#ifdef ENABLE_FRAG 1342 if (vid_frag != NULL) 1343 vfree(vid_frag); 1344#endif 1345 1346 return error; 1347} 1348 1349/* 1350 * receive from initiator 1351 * psk: HDR, KE, Ni 1352 * sig: HDR, KE, Ni 1353 * gssapi: HDR, KE, Ni, GSSi 1354 * rsa: HDR, KE, [ HASH(1), ] <IDi1_b>PubKey_r, <Ni_b>PubKey_r 1355 * rev: HDR, [ HASH(1), ] <Ni_b>Pubkey_r, <KE_b>Ke_i, 1356 * <IDi1_b>Ke_i, [<<Cert-I_b>Ke_i] 1357 */ 1358int 1359ident_r3recv(iph1, msg) 1360 phase1_handle_t *iph1; 1361 vchar_t *msg; 1362{ 1363 vchar_t *pbuf = NULL; 1364 struct isakmp_parse_t *pa; 1365 int error = -1; 1366#ifdef ENABLE_NATT 1367 int natd_seq = 0; 1368#endif 1369 1370 /* validity check */ 1371 if (iph1->status != IKEV1_STATE_IDENT_R_MSG2SENT) { 1372 plog(ASL_LEVEL_ERR, 1373 "status mismatched %d.\n", iph1->status); 1374 goto end; 1375 } 1376 1377 /* validate the type of next payload */ 1378 pbuf = isakmp_parse(msg); 1379 if (pbuf == NULL) { 1380 plog(ASL_LEVEL_ERR, 1381 "failed to parse msg"); 1382 goto end; 1383 } 1384 1385 for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v; 1386 pa->type != ISAKMP_NPTYPE_NONE; 1387 pa++) { 1388 switch (pa->type) { 1389 case ISAKMP_NPTYPE_KE: 1390 if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) { 1391 plog(ASL_LEVEL_ERR, 1392 "failed to process KE payload"); 1393 goto end; 1394 } 1395 break; 1396 case ISAKMP_NPTYPE_NONCE: 1397 if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) { 1398 plog(ASL_LEVEL_ERR, 1399 "failed to process NONCE payload"); 1400 goto end; 1401 } 1402 break; 1403 case ISAKMP_NPTYPE_VID: 1404 (void)check_vendorid(pa->ptr); 1405 break; 1406 case ISAKMP_NPTYPE_CR: 1407 plog(ASL_LEVEL_WARNING, 1408 "CR received, ignore it. " 1409 "It should be in other exchange.\n"); 1410 break; 1411 1412#ifdef ENABLE_NATT 1413 case ISAKMP_NPTYPE_NATD_DRAFT: 1414 case ISAKMP_NPTYPE_NATD_RFC: 1415 case ISAKMP_NPTYPE_NATD_BADDRAFT: 1416 if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL && 1417 pa->type == iph1->natt_options->payload_nat_d) 1418 { 1419 vchar_t *natd_received = NULL; 1420 int natd_verified; 1421 1422 if (isakmp_p2ph (&natd_received, pa->ptr) < 0) { 1423 plog(ASL_LEVEL_ERR, 1424 "failed to process NATD payload"); 1425 goto end; 1426 } 1427 1428 if (natd_seq == 0) 1429 iph1->natt_flags |= NAT_DETECTED; 1430 1431 natd_verified = natt_compare_addr_hash (iph1, 1432 natd_received, natd_seq++); 1433 1434 plog (ASL_LEVEL_INFO, "NAT-D payload #%d %s\n", 1435 natd_seq - 1, 1436 natd_verified ? "verified" : "doesn't match"); 1437 1438 vfree (natd_received); 1439 break; 1440 } 1441 /* %%%% Be lenient here - some servers send natd payloads */ 1442 /* when no nat is detected */ 1443 break; 1444#endif 1445 1446 default: 1447 /* don't send information, see ident_r1recv() */ 1448 plog(ASL_LEVEL_ERR, 1449 "ignore the packet, " 1450 "received unexpecting payload type %d.\n", 1451 pa->type); 1452 goto end; 1453 } 1454 } 1455 1456#ifdef ENABLE_NATT 1457 if (NATT_AVAILABLE(iph1)) 1458 plog (ASL_LEVEL_INFO, "NAT %s %s%s\n", 1459 iph1->natt_flags & NAT_DETECTED ? 1460 "detected:" : "not detected", 1461 iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "", 1462 iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : ""); 1463#endif 1464 1465 /* payload existency check */ 1466 if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) { 1467 plog(ASL_LEVEL_ERR, 1468 "few isakmp message received.\n"); 1469 goto end; 1470 } 1471 1472 fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_R_MSG3RCVD); 1473 1474 error = 0; 1475 1476 IPSECSESSIONTRACEREVENT(iph1->parent_session, 1477 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC, 1478 CONSTSTR("Responder, Main-Mode message 3"), 1479 CONSTSTR(NULL)); 1480 1481end: 1482 if (error) { 1483 IPSECSESSIONTRACEREVENT(iph1->parent_session, 1484 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL, 1485 CONSTSTR("Responder, Main-Mode Message 3"), 1486 CONSTSTR("Failed to process Main-Mode Message 3")); 1487 } 1488 if (pbuf) 1489 vfree(pbuf); 1490 1491 if (error) { 1492 VPTRINIT(iph1->dhpub_p); 1493 VPTRINIT(iph1->nonce_p); 1494 VPTRINIT(iph1->id_p); 1495 } 1496 1497 return error; 1498} 1499 1500/* 1501 * send to initiator 1502 * psk: HDR, KE, Nr 1503 * sig: HDR, KE, Nr [, CR ] 1504 * gssapi: HDR, KE, Nr, GSSr 1505 * rsa: HDR, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i 1506 * rev: HDR, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDr1_b>Ke_r, 1507 */ 1508int 1509ident_r4send(iph1, msg) 1510 phase1_handle_t *iph1; 1511 vchar_t *msg; 1512{ 1513 int error = -1; 1514 1515 /* validity check */ 1516 if (iph1->status != IKEV1_STATE_IDENT_R_MSG3RCVD) { 1517 plog(ASL_LEVEL_ERR, 1518 "status mismatched %d.\n", iph1->status); 1519 goto end; 1520 } 1521 1522 /* generate DH public value */ 1523#ifdef HAVE_OPENSSL 1524 if (oakley_dh_generate(iph1->approval->dhgrp, 1525 &iph1->dhpub, &iph1->dhpriv) < 0) { 1526#else 1527 if (oakley_dh_generate(iph1->approval->dhgrp, 1528 &iph1->dhpub, &iph1->publicKeySize, &iph1->dhC) < 0) { 1529#endif 1530 plog(ASL_LEVEL_ERR, 1531 "failed to generate DH"); 1532 goto end; 1533 } 1534 1535 /* generate NONCE value */ 1536 iph1->nonce = eay_set_random(iph1->rmconf->nonce_size); 1537 if (iph1->nonce == NULL) { 1538 plog(ASL_LEVEL_ERR, 1539 "failed to generate NONCE"); 1540 goto end; 1541 } 1542 1543 /* create HDR;KE;NONCE payload */ 1544 iph1->sendbuf = ident_ir2mx(iph1); 1545 if (iph1->sendbuf == NULL) { 1546 plog(ASL_LEVEL_ERR, 1547 "failed to allocate send buffer"); 1548 goto end; 1549 } 1550 1551#ifdef HAVE_PRINT_ISAKMP_C 1552 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0); 1553#endif 1554 1555 /* send the packet, add to the schedule to resend */ 1556 iph1->retry_counter = iph1->rmconf->retry_counter; 1557 if (isakmp_ph1resend(iph1) == -1) { 1558 plog(ASL_LEVEL_ERR, 1559 "failed to send packet"); 1560 goto end; 1561 } 1562 1563 /* the sending message is added to the received-list. */ 1564 if (ike_session_add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg, 1565 PH1_NON_ESP_EXTRA_LEN(iph1, iph1->sendbuf), PH1_FRAG_FLAGS(iph1)) == -1) { 1566 plog(ASL_LEVEL_ERR , 1567 "failed to add a response packet to the tree.\n"); 1568 goto end; 1569 } 1570 1571 /* compute sharing secret of DH */ 1572#ifdef HAVE_OPENSSL 1573 if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub, 1574 iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) { 1575#else 1576 if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub_p, iph1->publicKeySize, &iph1->dhgxy, &iph1->dhC) < 0) { 1577#endif 1578 plog(ASL_LEVEL_ERR, 1579 "failed to compute DH"); 1580 goto end; 1581 } 1582 1583 /* generate SKEYIDs & IV & final cipher key */ 1584 if (oakley_skeyid(iph1) < 0) { 1585 plog(ASL_LEVEL_ERR, 1586 "failed to generate SKEYID"); 1587 goto end; 1588 } 1589 if (oakley_skeyid_dae(iph1) < 0) { 1590 plog(ASL_LEVEL_ERR, 1591 "failed to generate SKEYID-DAE"); 1592 goto end; 1593 } 1594 if (oakley_compute_enckey(iph1) < 0) { 1595 plog(ASL_LEVEL_ERR, 1596 "failed to generate ENCKEY"); 1597 goto end; 1598 } 1599 if (oakley_newiv(iph1) < 0) { 1600 plog(ASL_LEVEL_ERR, 1601 "failed to generate IV"); 1602 goto end; 1603 } 1604 1605 fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_R_MSG4SENT); 1606 1607 error = 0; 1608 1609 IPSECSESSIONTRACEREVENT(iph1->parent_session, 1610 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC, 1611 CONSTSTR("Responder, Main-Mode message 4"), 1612 CONSTSTR(NULL)); 1613 1614end: 1615 if (error) { 1616 IPSECSESSIONTRACEREVENT(iph1->parent_session, 1617 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL, 1618 CONSTSTR("Responder, Main-Mode Message 4"), 1619 CONSTSTR("Failed to transmit Main-Mode Message 4")); 1620 } 1621 return error; 1622} 1623 1624/* 1625 * receive from initiator 1626 * psk: HDR*, IDi1, HASH_I 1627 * sig: HDR*, IDi1, [ CR, ] [ CERT, ] SIG_I 1628 * gssapi: HDR*, [ IDi1, ] < GSSi(n) | HASH_I > 1629 * rsa: HDR*, HASH_I 1630 * rev: HDR*, HASH_I 1631 */ 1632int 1633ident_r5recv(iph1, msg0) 1634 phase1_handle_t *iph1; 1635 vchar_t *msg0; 1636{ 1637 vchar_t *msg = NULL; 1638 vchar_t *pbuf = NULL; 1639 struct isakmp_parse_t *pa; 1640 int error = -1; 1641 int type; 1642 int received_cert = 0; 1643 1644 /* validity check */ 1645 if (iph1->status != IKEV1_STATE_IDENT_R_MSG4SENT) { 1646 plog(ASL_LEVEL_ERR, 1647 "status mismatched %d.\n", iph1->status); 1648 goto end; 1649 } 1650 1651 /* decrypting */ 1652 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) { 1653 plog(ASL_LEVEL_ERR, 1654 "reject the packet, " 1655 "expecting the packet encrypted.\n"); 1656 goto end; 1657 } 1658 msg = oakley_do_decrypt(iph1, msg0, iph1->ivm->iv, iph1->ivm->ive); 1659 if (msg == NULL) { 1660 plog(ASL_LEVEL_ERR, 1661 "failed to decrypt"); 1662 goto end; 1663 } 1664 1665 /* validate the type of next payload */ 1666 pbuf = isakmp_parse(msg); 1667 if (pbuf == NULL) { 1668 plog(ASL_LEVEL_ERR, 1669 "failed to parse msg"); 1670 goto end; 1671 } 1672 1673 iph1->pl_hash = NULL; 1674 1675 for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v; 1676 pa->type != ISAKMP_NPTYPE_NONE; 1677 pa++) { 1678 1679 switch (pa->type) { 1680 case ISAKMP_NPTYPE_ID: 1681 if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) { 1682 plog(ASL_LEVEL_ERR, 1683 "failed to process ID payload"); 1684 goto end; 1685 } 1686 break; 1687 case ISAKMP_NPTYPE_HASH: 1688 iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr; 1689 break; 1690 case ISAKMP_NPTYPE_CR: 1691 if (oakley_savecr(iph1, pa->ptr) < 0) { 1692 plog(ASL_LEVEL_ERR, 1693 "failed to process CR payload"); 1694 goto end; 1695 } 1696 break; 1697 case ISAKMP_NPTYPE_CERT: 1698 if (oakley_savecert(iph1, pa->ptr) < 0) { 1699 plog(ASL_LEVEL_ERR, 1700 "failed to process CERT payload"); 1701 goto end; 1702 } 1703 received_cert = 1; 1704 break; 1705 case ISAKMP_NPTYPE_SIG: 1706 if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) { 1707 plog(ASL_LEVEL_ERR, 1708 "failed to process SIG payload"); 1709 goto end; 1710 } 1711 break; 1712 case ISAKMP_NPTYPE_VID: 1713 (void)check_vendorid(pa->ptr); 1714 break; 1715 case ISAKMP_NPTYPE_N: 1716 isakmp_check_notify(pa->ptr, iph1); 1717 break; 1718 default: 1719 /* don't send information, see ident_r1recv() */ 1720 plog(ASL_LEVEL_ERR, 1721 "ignore the packet, " 1722 "received unexpecting payload type %d.\n", 1723 pa->type); 1724 goto end; 1725 } 1726 } 1727 1728 if (received_cert) { 1729 oakley_verify_certid(iph1); 1730 } 1731 1732 /* payload existency check */ 1733 /* XXX same as ident_i4recv(), should be merged. */ 1734 { 1735 int ng = 0; 1736 1737 switch (AUTHMETHOD(iph1)) { 1738 case OAKLEY_ATTR_AUTH_METHOD_PSKEY: 1739#ifdef ENABLE_HYBRID 1740 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R: 1741 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R: 1742#endif 1743 if (iph1->id_p == NULL || iph1->pl_hash == NULL) 1744 ng++; 1745 break; 1746 case OAKLEY_ATTR_AUTH_METHOD_RSASIG: 1747#ifdef ENABLE_HYBRID 1748 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: 1749#endif 1750 if (iph1->id_p == NULL || iph1->sig_p == NULL) 1751 ng++; 1752 break; 1753 case OAKLEY_ATTR_AUTH_METHOD_RSAENC: 1754 case OAKLEY_ATTR_AUTH_METHOD_RSAREV: 1755#ifdef ENABLE_HYBRID 1756 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R: 1757 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: 1758#endif 1759 if (iph1->pl_hash == NULL) 1760 ng++; 1761 break; 1762 default: 1763 plog(ASL_LEVEL_ERR, 1764 "invalid authmethod %d why ?\n", 1765 iph1->approval->authmethod); 1766 goto end; 1767 } 1768 if (ng) { 1769 plog(ASL_LEVEL_ERR, 1770 "few isakmp message received.\n"); 1771 goto end; 1772 } 1773 } 1774 1775 /* verify identifier */ 1776 if (ipsecdoi_checkid1(iph1) != 0) { 1777 plog(ASL_LEVEL_ERR, 1778 "invalid ID payload.\n"); 1779 goto end; 1780 } 1781 1782 /* validate authentication value */ 1783 1784 type = oakley_validate_auth(iph1); 1785 if (type != 0) { 1786 IPSECSESSIONTRACEREVENT(iph1->parent_session, 1787 IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_FAIL, 1788 CONSTSTR("Responder, Main-Mode Message 5"), 1789 CONSTSTR("Failed to authenticate Main-Mode Message 5")); 1790 if (type == -1) { 1791 /* msg printed inner oakley_validate_auth() */ 1792 goto end; 1793 } 1794 isakmp_info_send_n1(iph1, type, NULL); 1795 goto end; 1796 } 1797 IPSECSESSIONTRACEREVENT(iph1->parent_session, 1798 IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_SUCC, 1799 CONSTSTR("Responder, Main-Mode Message 5"), 1800 CONSTSTR(NULL)); 1801 1802 if (oakley_checkcr(iph1) < 0) { 1803 /* Ignore this error in order to be interoperability. */ 1804 ; 1805 } 1806 1807 /* 1808 * XXX: Should we do compare two addresses, ph1handle's and ID 1809 * payload's. 1810 */ 1811 1812 plogdump(ASL_LEVEL_DEBUG, iph1->id_p->v, iph1->id_p->l, "peer's ID\n"); 1813 1814 /* see handler.h about IV synchronization. */ 1815 memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->ive->l); 1816 1817 fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_R_MSG5RCVD); 1818 error = 0; 1819 1820 IPSECSESSIONTRACEREVENT(iph1->parent_session, 1821 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC, 1822 CONSTSTR("Responder, Main-Mode message 5"), 1823 CONSTSTR(NULL)); 1824 1825end: 1826 if (error) { 1827 IPSECSESSIONTRACEREVENT(iph1->parent_session, 1828 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL, 1829 CONSTSTR("Responder, Main-Mode Message 5"), 1830 CONSTSTR("Failed to process Main-Mode Message 5")); 1831 } 1832 if (pbuf) 1833 vfree(pbuf); 1834 if (msg) 1835 vfree(msg); 1836 1837 if (error) { 1838 VPTRINIT(iph1->id_p); 1839 oakley_delcert(iph1->cert_p); 1840 iph1->cert_p = NULL; 1841 oakley_delcert(iph1->crl_p); 1842 iph1->crl_p = NULL; 1843 VPTRINIT(iph1->sig_p); 1844 oakley_delcert(iph1->cr_p); 1845 iph1->cr_p = NULL; 1846 } 1847 1848 return error; 1849} 1850 1851/* 1852 * send to initiator 1853 * psk: HDR*, IDr1, HASH_R 1854 * sig: HDR*, IDr1, [ CERT, ] SIG_R 1855 * gssapi: HDR*, IDr1, < GSSr(n) | HASH_R > 1856 * rsa: HDR*, HASH_R 1857 * rev: HDR*, HASH_R 1858 */ 1859int 1860ident_r6send(iph1, msg) 1861 phase1_handle_t *iph1; 1862 vchar_t *msg; 1863{ 1864 int error = -1; 1865 int dohash = 1; 1866 1867 /* validity check */ 1868 if (iph1->status != IKEV1_STATE_IDENT_R_MSG5RCVD) { 1869 plog(ASL_LEVEL_ERR, 1870 "status mismatched %d.\n", iph1->status); 1871 goto end; 1872 } 1873 1874 /* make ID payload into isakmp status */ 1875 if (ipsecdoi_setid1(iph1) < 0) { 1876 plog(ASL_LEVEL_ERR, 1877 "failed to set ID"); 1878 goto end; 1879 } 1880 1881 if (dohash) { 1882 /* generate HASH to send */ 1883 plog(ASL_LEVEL_DEBUG, "generate HASH_R\n"); 1884 iph1->hash = oakley_ph1hash_common(iph1, GENERATE); 1885 if (iph1->hash == NULL) { 1886 plog(ASL_LEVEL_ERR, 1887 "failed to generate HASH"); 1888 goto end; 1889 } 1890 } else 1891 iph1->hash = NULL; 1892 1893 /* set encryption flag */ 1894 iph1->flags |= ISAKMP_FLAG_E; 1895 1896 /* create HDR;ID;HASH payload */ 1897 iph1->sendbuf = ident_ir3mx(iph1); 1898 if (iph1->sendbuf == NULL) { 1899 plog(ASL_LEVEL_ERR, 1900 "failed to create send buffer"); 1901 goto end; 1902 } 1903 1904 /* send HDR;ID;HASH to responder */ 1905 if (isakmp_send(iph1, iph1->sendbuf) < 0) { 1906 plog(ASL_LEVEL_ERR, 1907 "failed to send packet"); 1908 goto end; 1909 } 1910 1911 /* the sending message is added to the received-list. */ 1912 if (ike_session_add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg, 1913 PH1_NON_ESP_EXTRA_LEN(iph1, iph1->sendbuf), PH1_FRAG_FLAGS(iph1)) == -1) { 1914 plog(ASL_LEVEL_ERR , 1915 "failed to add a response packet to the tree.\n"); 1916 goto end; 1917 } 1918 1919 /* see handler.h about IV synchronization. */ 1920 memcpy(iph1->ivm->ive->v, iph1->ivm->iv->v, iph1->ivm->iv->l); 1921 1922 fsm_set_state(&iph1->status, IKEV1_STATE_PHASE1_ESTABLISHED); 1923 1924 IPSECSESSIONTRACEREVENT(iph1->parent_session, 1925 IPSECSESSIONEVENTCODE_IKEV1_PH1_RESP_SUCC, 1926 CONSTSTR("Responder, Main-Mode"), 1927 CONSTSTR(NULL)); 1928 1929 error = 0; 1930 1931 IPSECSESSIONTRACEREVENT(iph1->parent_session, 1932 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC, 1933 CONSTSTR("Responder, Main-Mode message 6"), 1934 CONSTSTR(NULL)); 1935 1936end: 1937 if (error) { 1938 IPSECSESSIONTRACEREVENT(iph1->parent_session, 1939 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL, 1940 CONSTSTR("Responder, Main-Mode Message 6"), 1941 CONSTSTR("Failed to process Main-Mode Message 6")); 1942 } 1943 1944 return error; 1945} 1946 1947/* 1948 * This is used in main mode for: 1949 * initiator's 3rd exchange send to responder 1950 * psk: HDR, KE, Ni 1951 * sig: HDR, KE, Ni 1952 * rsa: HDR, KE, [ HASH(1), ] <IDi1_b>PubKey_r, <Ni_b>PubKey_r 1953 * rev: HDR, [ HASH(1), ] <Ni_b>Pubkey_r, <KE_b>Ke_i, 1954 * <IDi1_b>Ke_i, [<<Cert-I_b>Ke_i] 1955 * responders 2nd exchnage send to initiator 1956 * psk: HDR, KE, Nr 1957 * sig: HDR, KE, Nr [, CR ] 1958 * rsa: HDR, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i 1959 * rev: HDR, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDr1_b>Ke_r, 1960 */ 1961static vchar_t * 1962ident_ir2mx(iph1) 1963 phase1_handle_t *iph1; 1964{ 1965 vchar_t *buf = 0; 1966 struct payload_list *plist = NULL; 1967 int need_cr = 0; 1968 vchar_t *cr = NULL; 1969 vchar_t *vid = NULL; 1970 int error = -1; 1971#ifdef ENABLE_NATT 1972 vchar_t *natd[2] = { NULL, NULL }; 1973#endif 1974 1975 /* create CR if need */ 1976 if (iph1->side == RESPONDER 1977 && iph1->rmconf->send_cr 1978 && oakley_needcr(iph1->approval->authmethod)) { 1979 need_cr = 1; 1980 cr = oakley_getcr(iph1); 1981 if (cr == NULL) { 1982 plog(ASL_LEVEL_ERR, 1983 "failed to get cr buffer.\n"); 1984 goto end; 1985 } 1986 } 1987 1988 /* create isakmp KE payload */ 1989 plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE); 1990 1991 /* create isakmp NONCE payload */ 1992 plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE); 1993 1994 /* append vendor id, if needed */ 1995 if (vid) 1996 plist = isakmp_plist_append(plist, vid, ISAKMP_NPTYPE_VID); 1997 1998 /* create isakmp CR payload if needed */ 1999 if (need_cr) 2000 plist = isakmp_plist_append(plist, cr, ISAKMP_NPTYPE_CR); 2001 2002#ifdef ENABLE_NATT 2003 /* generate and append NAT-D payloads */ 2004 if (NATT_AVAILABLE(iph1)) 2005 { 2006 if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) { 2007 plog(ASL_LEVEL_ERR, 2008 "NAT-D hashing failed for %s\n", saddr2str((struct sockaddr *)iph1->remote)); 2009 goto end; 2010 } 2011 2012 if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) { 2013 plog(ASL_LEVEL_ERR, 2014 "NAT-D hashing failed for %s\n", saddr2str((struct sockaddr *)iph1->local)); 2015 goto end; 2016 } 2017 2018 plog (ASL_LEVEL_INFO, "Adding remote and local NAT-D payloads.\n"); 2019 /* old Apple version sends natd payloads in the wrong order */ 2020 if (iph1->natt_options->version == VENDORID_NATT_APPLE) { 2021 plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d); 2022 plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d); 2023 } else 2024 { 2025 plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d); 2026 plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d); 2027 } 2028 } 2029#endif 2030 2031 buf = isakmp_plist_set_all (&plist, iph1); 2032 2033 error = 0; 2034 2035end: 2036 if (error && buf != NULL) { 2037 vfree(buf); 2038 buf = NULL; 2039 } 2040 if (cr) 2041 vfree(cr); 2042 if (vid) 2043 vfree(vid); 2044 2045#ifdef ENABLE_NATT 2046 if (natd[0]) 2047 vfree(natd[0]); 2048 if (natd[1]) 2049 vfree(natd[1]); 2050#endif 2051 2052 return buf; 2053} 2054 2055/* 2056 * This is used in main mode for: 2057 * initiator's 4th exchange send to responder 2058 * psk: HDR*, IDi1, HASH_I 2059 * sig: HDR*, IDi1, [ CR, ] [ CERT, ] SIG_I 2060 * gssapi: HDR*, [ IDi1, ] < GSSi(n) | HASH_I > 2061 * rsa: HDR*, HASH_I 2062 * rev: HDR*, HASH_I 2063 * responders 3rd exchnage send to initiator 2064 * psk: HDR*, IDr1, HASH_R 2065 * sig: HDR*, IDr1, [ CERT, ] SIG_R 2066 * gssapi: HDR*, [ IDr1, ] < GSSr(n) | HASH_R > 2067 * rsa: HDR*, HASH_R 2068 * rev: HDR*, HASH_R 2069 */ 2070static vchar_t * 2071ident_ir3mx(iph1) 2072 phase1_handle_t *iph1; 2073{ 2074 struct payload_list *plist = NULL; 2075 vchar_t *buf = NULL, *new = NULL; 2076 int need_cr = 0; 2077 int need_cert = 0; 2078 vchar_t *cr = NULL; 2079 int error = -1; 2080 vchar_t *notp_ini = NULL; 2081 2082 switch (AUTHMETHOD(iph1)) { 2083 case OAKLEY_ATTR_AUTH_METHOD_PSKEY: 2084#ifdef ENABLE_HYBRID 2085 case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I: 2086 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R: 2087 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: 2088#endif 2089 /* create isakmp ID payload */ 2090 plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID); 2091 2092 /* create isakmp HASH payload */ 2093 plist = isakmp_plist_append(plist, iph1->hash, ISAKMP_NPTYPE_HASH); 2094 break; 2095 case OAKLEY_ATTR_AUTH_METHOD_RSASIG: 2096#ifdef ENABLE_HYBRID 2097 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R: 2098 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: 2099 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: 2100#endif 2101 if (oakley_getmycert(iph1) < 0) { 2102 plog(ASL_LEVEL_ERR, 2103 "failed to get mycert"); 2104 goto end; 2105 } 2106 2107 if (oakley_getsign(iph1) < 0) { 2108 plog(ASL_LEVEL_ERR, 2109 "failed to get sign"); 2110 goto end; 2111 } 2112 2113 /* create CR if need */ 2114 if (iph1->side == INITIATOR 2115 && iph1->rmconf->send_cr 2116 && oakley_needcr(iph1->approval->authmethod)) { 2117 need_cr = 1; 2118 cr = oakley_getcr(iph1); 2119 if (cr == NULL) { 2120 plog(ASL_LEVEL_ERR, 2121 "failed to get CR"); 2122 goto end; 2123 } 2124 } 2125 2126 if (iph1->cert != NULL && iph1->rmconf->send_cert) 2127 need_cert = 1; 2128 2129 /* add ID payload */ 2130 plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID); 2131 2132 /* add CERT payload if there */ 2133 // we don't support sending of certchains 2134 if (need_cert) 2135 plist = isakmp_plist_append(plist, iph1->cert->pl, ISAKMP_NPTYPE_CERT); 2136 /* add SIG payload */ 2137 plist = isakmp_plist_append(plist, iph1->sig, ISAKMP_NPTYPE_SIG); 2138 2139 /* create isakmp CR payload */ 2140 if (need_cr) 2141 plist = isakmp_plist_append(plist, cr, ISAKMP_NPTYPE_CR); 2142 break; 2143 2144 case OAKLEY_ATTR_AUTH_METHOD_RSAENC: 2145 case OAKLEY_ATTR_AUTH_METHOD_RSAREV: 2146#ifdef ENABLE_HYBRID 2147 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I: 2148 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R: 2149 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I: 2150 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: 2151#endif 2152 plog(ASL_LEVEL_ERR, 2153 "not supported authentication type %d\n", 2154 iph1->approval->authmethod); 2155 goto end; 2156 default: 2157 plog(ASL_LEVEL_ERR, 2158 "invalid authentication type %d\n", 2159 iph1->approval->authmethod); 2160 goto end; 2161 } 2162 2163 if (iph1->side == INITIATOR) { 2164 notp_ini = isakmp_plist_append_initial_contact(iph1, plist); 2165 } 2166 2167 buf = isakmp_plist_set_all (&plist, iph1); 2168 2169#ifdef HAVE_PRINT_ISAKMP_C 2170 isakmp_printpacket(buf, iph1->local, iph1->remote, 1); 2171#endif 2172 2173 /* encoding */ 2174 new = oakley_do_encrypt(iph1, buf, iph1->ivm->ive, iph1->ivm->iv); 2175 if (new == NULL) { 2176 plog(ASL_LEVEL_ERR, 2177 "failed to encrypt"); 2178 goto end; 2179 } 2180 2181 vfree(buf); 2182 2183 buf = new; 2184 2185 error = 0; 2186 2187end: 2188 if (cr) 2189 vfree(cr); 2190 if (error && buf != NULL) { 2191 vfree(buf); 2192 buf = NULL; 2193 } 2194 if (notp_ini) 2195 vfree(notp_ini); 2196 2197 return buf; 2198} 2199