1/* $NetBSD: isakmp_base.c,v 1.13 2018/05/19 19:23:15 maxv Exp $ */ 2 3/* $KAME: isakmp_base.c,v 1.49 2003/11/13 02:30:20 sakane Exp $ */ 4 5/* 6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of the project nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34/* Base Exchange (Base Mode) */ 35 36#include "config.h" 37 38#include <sys/types.h> 39#include <sys/param.h> 40 41#include <stdlib.h> 42#include <stdio.h> 43#include <string.h> 44#include <errno.h> 45#if TIME_WITH_SYS_TIME 46# include <sys/time.h> 47# include <time.h> 48#else 49# if HAVE_SYS_TIME_H 50# include <sys/time.h> 51# else 52# include <time.h> 53# endif 54#endif 55 56#include "var.h" 57#include "misc.h" 58#include "vmbuf.h" 59#include "plog.h" 60#include "sockmisc.h" 61#include "schedule.h" 62#include "debug.h" 63 64#ifdef ENABLE_HYBRID 65#include <resolv.h> 66#endif 67 68#include "localconf.h" 69#include "remoteconf.h" 70#include "isakmp_var.h" 71#include "isakmp.h" 72#include "evt.h" 73#include "oakley.h" 74#include "handler.h" 75#include "ipsec_doi.h" 76#include "crypto_openssl.h" 77#include "pfkey.h" 78#include "isakmp_base.h" 79#include "isakmp_inf.h" 80#include "vendorid.h" 81#ifdef ENABLE_NATT 82#include "nattraversal.h" 83#endif 84#ifdef ENABLE_FRAG 85#include "isakmp_frag.h" 86#endif 87#ifdef ENABLE_HYBRID 88#include "isakmp_xauth.h" 89#include "isakmp_cfg.h" 90#endif 91 92/* %%% 93 * begin Identity Protection Mode as initiator. 94 */ 95/* 96 * send to responder 97 * psk: HDR, SA, Idii, Ni_b 98 * sig: HDR, SA, Idii, Ni_b 99 * rsa: HDR, SA, [HASH(1),] <IDii_b>Pubkey_r, <Ni_b>Pubkey_r 100 * rev: HDR, SA, [HASH(1),] <Ni_b>Pubkey_r, <IDii_b>Ke_i 101 */ 102int 103base_i1send(iph1, msg) 104 struct ph1handle *iph1; 105 vchar_t *msg; /* must be null */ 106{ 107 struct payload_list *plist = NULL; 108 int error = -1; 109#ifdef ENABLE_NATT 110 vchar_t *vid_natt[MAX_NATT_VID_COUNT] = { NULL }; 111 int i, vid_natt_i = 0; 112#endif 113#ifdef ENABLE_FRAG 114 vchar_t *vid_frag = NULL; 115#endif 116#ifdef ENABLE_HYBRID 117 vchar_t *vid_xauth = NULL; 118 vchar_t *vid_unity = NULL; 119#endif 120#ifdef ENABLE_DPD 121 vchar_t *vid_dpd = NULL; 122#endif 123 124 125 /* validity check */ 126 if (msg != NULL) { 127 plog(LLV_ERROR, LOCATION, NULL, 128 "msg has to be NULL in this function.\n"); 129 goto end; 130 } 131 if (iph1->status != PHASE1ST_START) { 132 plog(LLV_ERROR, LOCATION, NULL, 133 "status mismatched %d.\n", iph1->status); 134 goto end; 135 } 136 137 /* create isakmp index */ 138 memset(&iph1->index, 0, sizeof(iph1->index)); 139 isakmp_newcookie((caddr_t)&iph1->index, iph1->remote, iph1->local); 140 141 /* make ID payload into isakmp status */ 142 if (ipsecdoi_setid1(iph1) < 0) 143 goto end; 144 145 /* create SA payload for my proposal */ 146 iph1->sa = ipsecdoi_setph1proposal(iph1->rmconf, 147 iph1->rmconf->proposal); 148 if (iph1->sa == NULL) 149 goto end; 150 151 /* generate NONCE value */ 152 iph1->nonce = eay_set_random(iph1->rmconf->nonce_size); 153 if (iph1->nonce == NULL) 154 goto end; 155 156#ifdef ENABLE_HYBRID 157 /* Do we need Xauth VID? */ 158 switch (iph1->rmconf->proposal->authmethod) { 159 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I: 160 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: 161 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: 162 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: 163 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: 164 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I: 165 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I: 166 if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL) 167 plog(LLV_ERROR, LOCATION, NULL, 168 "Xauth vendor ID generation failed\n"); 169 170 if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL) 171 plog(LLV_ERROR, LOCATION, NULL, 172 "Unity vendor ID generation failed\n"); 173 break; 174 default: 175 break; 176 } 177#endif 178#ifdef ENABLE_FRAG 179 if (iph1->rmconf->ike_frag) { 180 vid_frag = set_vendorid(VENDORID_FRAG); 181 if (vid_frag != NULL) 182 vid_frag = isakmp_frag_addcap(vid_frag, 183 VENDORID_FRAG_BASE); 184 if (vid_frag == NULL) 185 plog(LLV_ERROR, LOCATION, NULL, 186 "Frag vendorID construction failed\n"); 187 } 188#endif 189#ifdef ENABLE_NATT 190 /* Is NAT-T support allowed in the config file? */ 191 if (iph1->rmconf->nat_traversal) { 192 /* Advertise NAT-T capability */ 193 memset (vid_natt, 0, sizeof (vid_natt)); 194#ifdef VENDORID_NATT_00 195 if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_00)) != NULL) 196 vid_natt_i++; 197#endif 198#ifdef VENDORID_NATT_02 199 if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_02)) != NULL) 200 vid_natt_i++; 201#endif 202#ifdef VENDORID_NATT_02_N 203 if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_02_N)) != NULL) 204 vid_natt_i++; 205#endif 206#ifdef VENDORID_NATT_RFC 207 if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_RFC)) != NULL) 208 vid_natt_i++; 209#endif 210 } 211#endif 212 213 /* set SA payload to propose */ 214 plist = isakmp_plist_append(plist, iph1->sa, ISAKMP_NPTYPE_SA); 215 216 /* create isakmp ID payload */ 217 plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID); 218 219 /* create isakmp NONCE payload */ 220 plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE); 221 222#ifdef ENABLE_FRAG 223 if (vid_frag) 224 plist = isakmp_plist_append(plist, vid_frag, ISAKMP_NPTYPE_VID); 225#endif 226#ifdef ENABLE_HYBRID 227 if (vid_xauth) 228 plist = isakmp_plist_append(plist, 229 vid_xauth, ISAKMP_NPTYPE_VID); 230 if (vid_unity) 231 plist = isakmp_plist_append(plist, 232 vid_unity, ISAKMP_NPTYPE_VID); 233#endif 234#ifdef ENABLE_DPD 235 if (iph1->rmconf->dpd) { 236 vid_dpd = set_vendorid(VENDORID_DPD); 237 if (vid_dpd != NULL) 238 plist = isakmp_plist_append(plist, vid_dpd, ISAKMP_NPTYPE_VID); 239 } 240#endif 241#ifdef ENABLE_NATT 242 /* set VID payload for NAT-T */ 243 for (i = 0; i < vid_natt_i; i++) 244 plist = isakmp_plist_append(plist, vid_natt[i], ISAKMP_NPTYPE_VID); 245#endif 246 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1); 247 248 249#ifdef HAVE_PRINT_ISAKMP_C 250 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0); 251#endif 252 253 /* send the packet, add to the schedule to resend */ 254 if (isakmp_ph1send(iph1) == -1) 255 goto end; 256 257 iph1->status = PHASE1ST_MSG1SENT; 258 259 error = 0; 260 261end: 262#ifdef ENABLE_FRAG 263 if (vid_frag) 264 vfree(vid_frag); 265#endif 266#ifdef ENABLE_NATT 267 for (i = 0; i < vid_natt_i; i++) 268 vfree(vid_natt[i]); 269#endif 270#ifdef ENABLE_HYBRID 271 if (vid_xauth != NULL) 272 vfree(vid_xauth); 273 if (vid_unity != NULL) 274 vfree(vid_unity); 275#endif 276#ifdef ENABLE_DPD 277 if (vid_dpd != NULL) 278 vfree(vid_dpd); 279#endif 280 281 return error; 282} 283 284/* 285 * receive from responder 286 * psk: HDR, SA, Idir, Nr_b 287 * sig: HDR, SA, Idir, Nr_b, [ CR ] 288 * rsa: HDR, SA, <IDir_b>PubKey_i, <Nr_b>PubKey_i 289 * rev: HDR, SA, <Nr_b>PubKey_i, <IDir_b>Ke_r 290 */ 291int 292base_i2recv(iph1, msg) 293 struct ph1handle *iph1; 294 vchar_t *msg; 295{ 296 vchar_t *pbuf = NULL; 297 struct isakmp_parse_t *pa; 298 vchar_t *satmp = NULL; 299 int error = -1; 300 301 /* validity check */ 302 if (iph1->status != PHASE1ST_MSG1SENT) { 303 plog(LLV_ERROR, LOCATION, NULL, 304 "status mismatched %d.\n", iph1->status); 305 goto end; 306 } 307 308 /* validate the type of next payload */ 309 pbuf = isakmp_parse(msg); 310 if (pbuf == NULL) 311 goto end; 312 pa = (struct isakmp_parse_t *)pbuf->v; 313 314 /* SA payload is fixed postion */ 315 if (pa->type != ISAKMP_NPTYPE_SA) { 316 plog(LLV_ERROR, LOCATION, iph1->remote, 317 "received invalid next payload type %d, " 318 "expecting %d.\n", 319 pa->type, ISAKMP_NPTYPE_SA); 320 goto end; 321 } 322 if (isakmp_p2ph(&satmp, pa->ptr) < 0) 323 goto end; 324 pa++; 325 326 for (/*nothing*/; 327 pa->type != ISAKMP_NPTYPE_NONE; 328 pa++) { 329 330 switch (pa->type) { 331 case ISAKMP_NPTYPE_NONCE: 332 if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) 333 goto end; 334 break; 335 case ISAKMP_NPTYPE_ID: 336 if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) 337 goto end; 338 break; 339 case ISAKMP_NPTYPE_VID: 340 handle_vendorid(iph1, pa->ptr); 341 break; 342 default: 343 /* don't send information, see ident_r1recv() */ 344 plog(LLV_ERROR, LOCATION, iph1->remote, 345 "ignore the packet, " 346 "received unexpecting payload type %d.\n", 347 pa->type); 348 goto end; 349 } 350 } 351 352 if (iph1->nonce_p == NULL || iph1->id_p == NULL) { 353 plog(LLV_ERROR, LOCATION, iph1->remote, 354 "few isakmp message received.\n"); 355 goto end; 356 } 357 358 /* verify identifier */ 359 if (ipsecdoi_checkid1(iph1) != 0) { 360 plog(LLV_ERROR, LOCATION, iph1->remote, 361 "invalid ID payload.\n"); 362 goto end; 363 } 364 365#ifdef ENABLE_NATT 366 if (NATT_AVAILABLE(iph1)) 367 plog(LLV_INFO, LOCATION, iph1->remote, 368 "Selected NAT-T version: %s\n", 369 vid_string_by_id(iph1->natt_options->version)); 370#endif 371 372 /* check SA payload and set approval SA for use */ 373 if (ipsecdoi_checkph1proposal(satmp, iph1) < 0) { 374 plog(LLV_ERROR, LOCATION, iph1->remote, 375 "failed to get valid proposal.\n"); 376 /* XXX send information */ 377 goto end; 378 } 379 VPTRINIT(iph1->sa_ret); 380 381 iph1->status = PHASE1ST_MSG2RECEIVED; 382 383 error = 0; 384 385end: 386 if (pbuf) 387 vfree(pbuf); 388 if (satmp) 389 vfree(satmp); 390 391 if (error) { 392 VPTRINIT(iph1->nonce_p); 393 VPTRINIT(iph1->id_p); 394 } 395 396 return error; 397} 398 399/* 400 * send to responder 401 * psk: HDR, KE, HASH_I 402 * sig: HDR, KE, [ CR, ] [CERT,] SIG_I 403 * rsa: HDR, KE, HASH_I 404 * rev: HDR, <KE>Ke_i, HASH_I 405 */ 406int 407base_i2send(iph1, msg) 408 struct ph1handle *iph1; 409 vchar_t *msg; 410{ 411 struct payload_list *plist = NULL; 412 vchar_t *vid = NULL; 413 int need_cert = 0; 414 int error = -1; 415 416 /* validity check */ 417 if (iph1->status != PHASE1ST_MSG2RECEIVED) { 418 plog(LLV_ERROR, LOCATION, NULL, 419 "status mismatched %d.\n", iph1->status); 420 goto end; 421 } 422 423 /* fix isakmp index */ 424 memcpy(&iph1->index.r_ck, &((struct isakmp *)msg->v)->r_ck, 425 sizeof(cookie_t)); 426 427 /* generate DH public value */ 428 if (oakley_dh_generate(iph1->approval->dhgrp, 429 &iph1->dhpub, &iph1->dhpriv) < 0) 430 goto end; 431 432 /* generate SKEYID to compute hash if not signature mode */ 433 switch (iph1->approval->authmethod) { 434 case OAKLEY_ATTR_AUTH_METHOD_RSASIG: 435 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: 436#ifdef ENABLE_HYBRID 437 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I: 438 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: 439 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: 440 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: 441 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: 442#endif 443 break; 444 default: 445 if (oakley_skeyid(iph1) < 0) 446 goto end; 447 break; 448 } 449 450 /* generate HASH to send */ 451 plog(LLV_DEBUG, LOCATION, NULL, "generate HASH_I\n"); 452 iph1->hash = oakley_ph1hash_base_i(iph1, GENERATE); 453 if (iph1->hash == NULL) 454 goto end; 455 switch (iph1->approval->authmethod) { 456 case OAKLEY_ATTR_AUTH_METHOD_PSKEY: 457#ifdef ENABLE_HYBRID 458 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I: 459 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: 460 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: 461#endif 462 vid = set_vendorid(iph1->approval->vendorid); 463 464 /* create isakmp KE payload */ 465 plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE); 466 467 /* create isakmp HASH payload */ 468 plist = isakmp_plist_append(plist, iph1->hash, ISAKMP_NPTYPE_HASH); 469 470 /* append vendor id, if needed */ 471 if (vid) 472 plist = isakmp_plist_append(plist, vid, ISAKMP_NPTYPE_VID); 473 break; 474 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: 475 case OAKLEY_ATTR_AUTH_METHOD_RSASIG: 476#ifdef ENABLE_HYBRID 477 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: 478 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: 479#endif 480 /* XXX if there is CR or not ? */ 481 482 if (oakley_getmycert(iph1) < 0) 483 goto end; 484 485 if (oakley_getsign(iph1) < 0) 486 goto end; 487 488 if (iph1->cert && iph1->rmconf->send_cert) 489 need_cert = 1; 490 491 /* create isakmp KE payload */ 492 plist = isakmp_plist_append(plist, iph1->dhpub, 493 ISAKMP_NPTYPE_KE); 494 495 /* add CERT payload if there */ 496 if (need_cert) 497 plist = isakmp_plist_append(plist, iph1->cert, 498 ISAKMP_NPTYPE_CERT); 499 500 /* add SIG payload */ 501 plist = isakmp_plist_append(plist, 502 iph1->sig, ISAKMP_NPTYPE_SIG); 503 504 break; 505#ifdef HAVE_GSSAPI 506 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB: 507 /* ... */ 508 break; 509#endif 510 case OAKLEY_ATTR_AUTH_METHOD_RSAENC: 511 case OAKLEY_ATTR_AUTH_METHOD_RSAREV: 512#ifdef ENABLE_HYBRID 513 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I: 514 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I: 515#endif 516 break; 517 } 518 519#ifdef ENABLE_NATT 520 /* generate NAT-D payloads */ 521 if (NATT_AVAILABLE(iph1)) 522 { 523 vchar_t *natd[2] = { NULL, NULL }; 524 525 plog (LLV_INFO, LOCATION, NULL, "Adding remote and local NAT-D payloads.\n"); 526 if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) { 527 plog(LLV_ERROR, LOCATION, NULL, 528 "NAT-D hashing failed for %s\n", saddr2str(iph1->remote)); 529 goto end; 530 } 531 532 if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) { 533 plog(LLV_ERROR, LOCATION, NULL, 534 "NAT-D hashing failed for %s\n", saddr2str(iph1->local)); 535 goto end; 536 } 537 538 plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d); 539 plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d); 540 } 541#endif 542 543 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1); 544 545#ifdef HAVE_PRINT_ISAKMP_C 546 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0); 547#endif 548 549 /* send the packet, add to the schedule to resend */ 550 if (isakmp_ph1send(iph1) == -1) 551 goto end; 552 553 /* the sending message is added to the received-list. */ 554 if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) { 555 plog(LLV_ERROR , LOCATION, NULL, 556 "failed to add a response packet to the tree.\n"); 557 goto end; 558 } 559 560 iph1->status = PHASE1ST_MSG2SENT; 561 562 error = 0; 563 564end: 565 if (vid) 566 vfree(vid); 567 return error; 568} 569 570/* 571 * receive from responder 572 * psk: HDR, KE, HASH_R 573 * sig: HDR, KE, [CERT,] SIG_R 574 * rsa: HDR, KE, HASH_R 575 * rev: HDR, <KE>_Ke_r, HASH_R 576 */ 577int 578base_i3recv(iph1, msg) 579 struct ph1handle *iph1; 580 vchar_t *msg; 581{ 582 vchar_t *pbuf = NULL; 583 struct isakmp_parse_t *pa; 584 int error = -1, ptype; 585#ifdef ENABLE_NATT 586 vchar_t *natd_received; 587 int natd_seq = 0, natd_verified; 588#endif 589 590 /* validity check */ 591 if (iph1->status != PHASE1ST_MSG2SENT) { 592 plog(LLV_ERROR, LOCATION, NULL, 593 "status mismatched %d.\n", iph1->status); 594 goto end; 595 } 596 597 /* validate the type of next payload */ 598 pbuf = isakmp_parse(msg); 599 if (pbuf == NULL) 600 goto end; 601 602 for (pa = (struct isakmp_parse_t *)pbuf->v; 603 pa->type != ISAKMP_NPTYPE_NONE; 604 pa++) { 605 606 switch (pa->type) { 607 case ISAKMP_NPTYPE_KE: 608 if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) 609 goto end; 610 break; 611 case ISAKMP_NPTYPE_HASH: 612 iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr; 613 break; 614 case ISAKMP_NPTYPE_CERT: 615 if (oakley_savecert(iph1, pa->ptr) < 0) 616 goto end; 617 break; 618 case ISAKMP_NPTYPE_SIG: 619 if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) 620 goto end; 621 break; 622 case ISAKMP_NPTYPE_VID: 623 handle_vendorid(iph1, pa->ptr); 624 break; 625 626#ifdef ENABLE_NATT 627 case ISAKMP_NPTYPE_NATD_DRAFT: 628 case ISAKMP_NPTYPE_NATD_RFC: 629 if (NATT_AVAILABLE(iph1) && iph1->natt_options && 630 pa->type == iph1->natt_options->payload_nat_d) { 631 natd_received = NULL; 632 if (isakmp_p2ph (&natd_received, pa->ptr) < 0) 633 goto end; 634 635 /* set both bits first so that we can clear them 636 upon verifying hashes */ 637 if (natd_seq == 0) 638 iph1->natt_flags |= NAT_DETECTED; 639 640 /* this function will clear appropriate bits bits 641 from iph1->natt_flags */ 642 natd_verified = natt_compare_addr_hash (iph1, 643 natd_received, natd_seq++); 644 645 plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n", 646 natd_seq - 1, 647 natd_verified ? "verified" : "doesn't match"); 648 649 vfree (natd_received); 650 break; 651 } 652 /* passthrough to default... */ 653#endif 654 655 default: 656 /* don't send information, see ident_r1recv() */ 657 plog(LLV_ERROR, LOCATION, iph1->remote, 658 "ignore the packet, " 659 "received unexpecting payload type %d.\n", 660 pa->type); 661 goto end; 662 } 663 } 664 665#ifdef ENABLE_NATT 666 if (NATT_AVAILABLE(iph1)) { 667 plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n", 668 iph1->natt_flags & NAT_DETECTED ? 669 "detected:" : "not detected", 670 iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "", 671 iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : ""); 672 if (iph1->natt_flags & NAT_DETECTED) 673 natt_float_ports (iph1); 674 } 675#endif 676 677 /* payload existency check */ 678 /* validate authentication value */ 679 ptype = oakley_validate_auth(iph1); 680 if (ptype != 0) { 681 if (ptype == -1) { 682 /* message printed inner oakley_validate_auth() */ 683 goto end; 684 } 685 evt_phase1(iph1, EVT_PHASE1_AUTH_FAILED, NULL); 686 isakmp_info_send_n1(iph1, ptype, NULL); 687 goto end; 688 } 689 690 /* compute sharing secret of DH */ 691 if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub, 692 iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) 693 goto end; 694 695 /* generate SKEYID to compute hash if signature mode */ 696 switch (iph1->approval->authmethod) { 697 case OAKLEY_ATTR_AUTH_METHOD_RSASIG: 698 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: 699#ifdef ENABLE_HYBRID 700 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I: 701 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: 702 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: 703 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: 704 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: 705#endif 706 if (oakley_skeyid(iph1) < 0) 707 goto end; 708 break; 709 default: 710 break; 711 } 712 713 /* generate SKEYIDs & IV & final cipher key */ 714 if (oakley_skeyid_dae(iph1) < 0) 715 goto end; 716 if (oakley_compute_enckey(iph1) < 0) 717 goto end; 718 if (oakley_newiv(iph1) < 0) 719 goto end; 720 721 /* see handler.h about IV synchronization. */ 722 memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->iv->l); 723 724 /* set encryption flag */ 725 iph1->flags |= ISAKMP_FLAG_E; 726 727 iph1->status = PHASE1ST_MSG3RECEIVED; 728 729 error = 0; 730 731end: 732 if (pbuf) 733 vfree(pbuf); 734 735 if (error) { 736 VPTRINIT(iph1->dhpub_p); 737 VPTRINIT(iph1->cert_p); 738 VPTRINIT(iph1->crl_p); 739 VPTRINIT(iph1->sig_p); 740 } 741 742 return error; 743} 744 745/* 746 * status update and establish isakmp sa. 747 */ 748int 749base_i3send(iph1, msg) 750 struct ph1handle *iph1; 751 vchar_t *msg; 752{ 753 int error = -1; 754 755 /* validity check */ 756 if (iph1->status != PHASE1ST_MSG3RECEIVED) { 757 plog(LLV_ERROR, LOCATION, NULL, 758 "status mismatched %d.\n", iph1->status); 759 goto end; 760 } 761 762 iph1->status = PHASE1ST_ESTABLISHED; 763 764 error = 0; 765 766end: 767 return error; 768} 769 770/* 771 * receive from initiator 772 * psk: HDR, SA, Idii, Ni_b 773 * sig: HDR, SA, Idii, Ni_b 774 * rsa: HDR, SA, [HASH(1),] <IDii_b>Pubkey_r, <Ni_b>Pubkey_r 775 * rev: HDR, SA, [HASH(1),] <Ni_b>Pubkey_r, <IDii_b>Ke_i 776 */ 777int 778base_r1recv(iph1, msg) 779 struct ph1handle *iph1; 780 vchar_t *msg; 781{ 782 vchar_t *pbuf = NULL; 783 struct isakmp_parse_t *pa; 784 int error = -1; 785 int vid_numeric; 786 787 /* validity check */ 788 if (iph1->status != PHASE1ST_START) { 789 plog(LLV_ERROR, LOCATION, NULL, 790 "status mismatched %d.\n", iph1->status); 791 goto end; 792 } 793 794 /* validate the type of next payload */ 795 pbuf = isakmp_parse(msg); 796 if (pbuf == NULL) 797 goto end; 798 pa = (struct isakmp_parse_t *)pbuf->v; 799 800 /* check the position of SA payload */ 801 if (pa->type != ISAKMP_NPTYPE_SA) { 802 plog(LLV_ERROR, LOCATION, iph1->remote, 803 "received invalid next payload type %d, " 804 "expecting %d.\n", 805 pa->type, ISAKMP_NPTYPE_SA); 806 goto end; 807 } 808 if (isakmp_p2ph(&iph1->sa, pa->ptr) < 0) 809 goto end; 810 pa++; 811 812 for (/*nothing*/; 813 pa->type != ISAKMP_NPTYPE_NONE; 814 pa++) { 815 816 switch (pa->type) { 817 case ISAKMP_NPTYPE_NONCE: 818 if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) 819 goto end; 820 break; 821 case ISAKMP_NPTYPE_ID: 822 if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) 823 goto end; 824 break; 825 case ISAKMP_NPTYPE_VID: 826 vid_numeric = handle_vendorid(iph1, pa->ptr); 827#ifdef ENABLE_FRAG 828 if ((vid_numeric == VENDORID_FRAG) && 829 (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_BASE)) 830 iph1->frag = 1; 831#endif 832 break; 833 default: 834 /* don't send information, see ident_r1recv() */ 835 plog(LLV_ERROR, LOCATION, iph1->remote, 836 "ignore the packet, " 837 "received unexpecting payload type %d.\n", 838 pa->type); 839 goto end; 840 } 841 } 842 843 if (iph1->nonce_p == NULL || iph1->id_p == NULL) { 844 plog(LLV_ERROR, LOCATION, iph1->remote, 845 "few isakmp message received.\n"); 846 goto end; 847 } 848 849 /* verify identifier */ 850 if (ipsecdoi_checkid1(iph1) != 0) { 851 plog(LLV_ERROR, LOCATION, iph1->remote, 852 "invalid ID payload.\n"); 853 goto end; 854 } 855 856#ifdef ENABLE_NATT 857 if (NATT_AVAILABLE(iph1)) 858 plog(LLV_INFO, LOCATION, iph1->remote, 859 "Selected NAT-T version: %s\n", 860 vid_string_by_id(iph1->natt_options->version)); 861#endif 862 863 /* check SA payload and set approval SA for use */ 864 if (ipsecdoi_checkph1proposal(iph1->sa, iph1) < 0) { 865 plog(LLV_ERROR, LOCATION, iph1->remote, 866 "failed to get valid proposal.\n"); 867 /* XXX send information */ 868 goto end; 869 } 870 871 iph1->status = PHASE1ST_MSG1RECEIVED; 872 873 error = 0; 874 875end: 876 if (pbuf) 877 vfree(pbuf); 878 879 if (error) { 880 VPTRINIT(iph1->sa); 881 VPTRINIT(iph1->nonce_p); 882 VPTRINIT(iph1->id_p); 883 } 884 885 return error; 886} 887 888/* 889 * send to initiator 890 * psk: HDR, SA, Idir, Nr_b 891 * sig: HDR, SA, Idir, Nr_b, [ CR ] 892 * rsa: HDR, SA, <IDir_b>PubKey_i, <Nr_b>PubKey_i 893 * rev: HDR, SA, <Nr_b>PubKey_i, <IDir_b>Ke_r 894 */ 895int 896base_r1send(iph1, msg) 897 struct ph1handle *iph1; 898 vchar_t *msg; 899{ 900 struct payload_list *plist = NULL; 901 int error = -1; 902#ifdef ENABLE_NATT 903 vchar_t *vid_natt = NULL; 904#endif 905#ifdef ENABLE_HYBRID 906 vchar_t *vid_xauth = NULL; 907 vchar_t *vid_unity = NULL; 908#endif 909#ifdef ENABLE_FRAG 910 vchar_t *vid_frag = NULL; 911#endif 912#ifdef ENABLE_DPD 913 vchar_t *vid_dpd = NULL; 914#endif 915 916 /* validity check */ 917 if (iph1->status != PHASE1ST_MSG1RECEIVED) { 918 plog(LLV_ERROR, LOCATION, NULL, 919 "status mismatched %d.\n", iph1->status); 920 goto end; 921 } 922 923 /* set responder's cookie */ 924 isakmp_newcookie((caddr_t)&iph1->index.r_ck, iph1->remote, iph1->local); 925 926 /* make ID payload into isakmp status */ 927 if (ipsecdoi_setid1(iph1) < 0) 928 goto end; 929 930 /* generate NONCE value */ 931 iph1->nonce = eay_set_random(iph1->rmconf->nonce_size); 932 if (iph1->nonce == NULL) 933 goto end; 934 935 /* set SA payload to reply */ 936 plist = isakmp_plist_append(plist, iph1->sa_ret, ISAKMP_NPTYPE_SA); 937 938 /* create isakmp ID payload */ 939 plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID); 940 941 /* create isakmp NONCE payload */ 942 plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE); 943 944#ifdef ENABLE_NATT 945 /* has the peer announced nat-t? */ 946 if (NATT_AVAILABLE(iph1)) 947 vid_natt = set_vendorid(iph1->natt_options->version); 948 if (vid_natt) 949 plist = isakmp_plist_append(plist, vid_natt, ISAKMP_NPTYPE_VID); 950#endif 951#ifdef ENABLE_HYBRID 952 if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) { 953 plog (LLV_INFO, LOCATION, NULL, "Adding xauth VID payload.\n"); 954 if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL) { 955 plog(LLV_ERROR, LOCATION, NULL, 956 "Cannot create Xauth vendor ID\n"); 957 goto end; 958 } 959 plist = isakmp_plist_append(plist, 960 vid_xauth, ISAKMP_NPTYPE_VID); 961 } 962 963 if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_UNITY) { 964 if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL) { 965 plog(LLV_ERROR, LOCATION, NULL, 966 "Cannot create Unity vendor ID\n"); 967 goto end; 968 } 969 plist = isakmp_plist_append(plist, 970 vid_unity, ISAKMP_NPTYPE_VID); 971 } 972#endif 973#ifdef ENABLE_DPD 974 /* 975 * Only send DPD support if remote announced DPD 976 * and if DPD support is active 977 */ 978 if (iph1->dpd_support && iph1->rmconf->dpd) { 979 if ((vid_dpd = set_vendorid(VENDORID_DPD)) == NULL) { 980 plog(LLV_ERROR, LOCATION, NULL, 981 "DPD vendorID construction failed\n"); 982 } else { 983 plist = isakmp_plist_append(plist, vid_dpd, 984 ISAKMP_NPTYPE_VID); 985 } 986 } 987#endif 988#ifdef ENABLE_FRAG 989 if (iph1->rmconf->ike_frag) { 990 if ((vid_frag = set_vendorid(VENDORID_FRAG)) == NULL) { 991 plog(LLV_ERROR, LOCATION, NULL, 992 "Frag vendorID construction failed\n"); 993 } else { 994 vid_frag = isakmp_frag_addcap(vid_frag, 995 VENDORID_FRAG_BASE); 996 plist = isakmp_plist_append(plist, 997 vid_frag, ISAKMP_NPTYPE_VID); 998 } 999 } 1000#endif 1001 1002 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1); 1003 1004#ifdef HAVE_PRINT_ISAKMP_C 1005 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0); 1006#endif 1007 1008 /* send the packet, add to the schedule to resend */ 1009 if (isakmp_ph1send(iph1) == -1) { 1010 iph1 = NULL; 1011 goto end; 1012 } 1013 1014 /* the sending message is added to the received-list. */ 1015 if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) { 1016 plog(LLV_ERROR , LOCATION, NULL, 1017 "failed to add a response packet to the tree.\n"); 1018 goto end; 1019 } 1020 1021 iph1->status = PHASE1ST_MSG1SENT; 1022 1023 error = 0; 1024 1025end: 1026#ifdef ENABLE_NATT 1027 if (vid_natt) 1028 vfree(vid_natt); 1029#endif 1030#ifdef ENABLE_HYBRID 1031 if (vid_xauth != NULL) 1032 vfree(vid_xauth); 1033 if (vid_unity != NULL) 1034 vfree(vid_unity); 1035#endif 1036#ifdef ENABLE_FRAG 1037 if (vid_frag) 1038 vfree(vid_frag); 1039#endif 1040#ifdef ENABLE_DPD 1041 if (vid_dpd) 1042 vfree(vid_dpd); 1043#endif 1044 1045 if (iph1 != NULL) 1046 VPTRINIT(iph1->sa_ret); 1047 1048 return error; 1049} 1050 1051/* 1052 * receive from initiator 1053 * psk: HDR, KE, HASH_I 1054 * sig: HDR, KE, [ CR, ] [CERT,] SIG_I 1055 * rsa: HDR, KE, HASH_I 1056 * rev: HDR, <KE>Ke_i, HASH_I 1057 */ 1058int 1059base_r2recv(iph1, msg) 1060 struct ph1handle *iph1; 1061 vchar_t *msg; 1062{ 1063 vchar_t *pbuf = NULL; 1064 struct isakmp_parse_t *pa; 1065 int error = -1, ptype; 1066#ifdef ENABLE_NATT 1067 int natd_seq = 0; 1068#endif 1069 1070 /* validity check */ 1071 if (iph1->status != PHASE1ST_MSG1SENT) { 1072 plog(LLV_ERROR, LOCATION, NULL, 1073 "status mismatched %d.\n", iph1->status); 1074 goto end; 1075 } 1076 1077 /* validate the type of next payload */ 1078 pbuf = isakmp_parse(msg); 1079 if (pbuf == NULL) 1080 goto end; 1081 1082 iph1->pl_hash = NULL; 1083 1084 for (pa = (struct isakmp_parse_t *)pbuf->v; 1085 pa->type != ISAKMP_NPTYPE_NONE; 1086 pa++) { 1087 1088 switch (pa->type) { 1089 case ISAKMP_NPTYPE_KE: 1090 if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) 1091 goto end; 1092 break; 1093 case ISAKMP_NPTYPE_HASH: 1094 iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr; 1095 break; 1096 case ISAKMP_NPTYPE_CERT: 1097 if (oakley_savecert(iph1, pa->ptr) < 0) 1098 goto end; 1099 break; 1100 case ISAKMP_NPTYPE_SIG: 1101 if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) 1102 goto end; 1103 break; 1104 case ISAKMP_NPTYPE_VID: 1105 handle_vendorid(iph1, pa->ptr); 1106 break; 1107 1108#ifdef ENABLE_NATT 1109 case ISAKMP_NPTYPE_NATD_DRAFT: 1110 case ISAKMP_NPTYPE_NATD_RFC: 1111 if (pa->type == iph1->natt_options->payload_nat_d) 1112 { 1113 vchar_t *natd_received = NULL; 1114 int natd_verified; 1115 1116 if (isakmp_p2ph (&natd_received, pa->ptr) < 0) 1117 goto end; 1118 1119 if (natd_seq == 0) 1120 iph1->natt_flags |= NAT_DETECTED; 1121 1122 natd_verified = natt_compare_addr_hash (iph1, 1123 natd_received, natd_seq++); 1124 1125 plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n", 1126 natd_seq - 1, 1127 natd_verified ? "verified" : "doesn't match"); 1128 1129 vfree (natd_received); 1130 break; 1131 } 1132 /* passthrough to default... */ 1133#endif 1134 1135 default: 1136 /* don't send information, see ident_r1recv() */ 1137 plog(LLV_ERROR, LOCATION, iph1->remote, 1138 "ignore the packet, " 1139 "received unexpecting payload type %d.\n", 1140 pa->type); 1141 goto end; 1142 } 1143 } 1144 1145 /* generate DH public value */ 1146 if (oakley_dh_generate(iph1->approval->dhgrp, 1147 &iph1->dhpub, &iph1->dhpriv) < 0) 1148 goto end; 1149 1150 /* compute sharing secret of DH */ 1151 if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub, 1152 iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) 1153 goto end; 1154 1155 /* generate SKEYID */ 1156 if (oakley_skeyid(iph1) < 0) 1157 goto end; 1158 1159#ifdef ENABLE_NATT 1160 if (NATT_AVAILABLE(iph1)) 1161 plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n", 1162 iph1->natt_flags & NAT_DETECTED ? 1163 "detected:" : "not detected", 1164 iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "", 1165 iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : ""); 1166#endif 1167 1168 /* payload existency check */ 1169 /* validate authentication value */ 1170 ptype = oakley_validate_auth(iph1); 1171 if (ptype != 0) { 1172 if (ptype == -1) { 1173 /* message printed inner oakley_validate_auth() */ 1174 goto end; 1175 } 1176 evt_phase1(iph1, EVT_PHASE1_AUTH_FAILED, NULL); 1177 isakmp_info_send_n1(iph1, ptype, NULL); 1178 goto end; 1179 } 1180 1181 iph1->status = PHASE1ST_MSG2RECEIVED; 1182 1183 error = 0; 1184 1185end: 1186 if (pbuf) 1187 vfree(pbuf); 1188 1189 if (error) { 1190 VPTRINIT(iph1->dhpub_p); 1191 VPTRINIT(iph1->cert_p); 1192 VPTRINIT(iph1->crl_p); 1193 VPTRINIT(iph1->sig_p); 1194 } 1195 1196 return error; 1197} 1198 1199/* 1200 * send to initiator 1201 * psk: HDR, KE, HASH_R 1202 * sig: HDR, KE, [CERT,] SIG_R 1203 * rsa: HDR, KE, HASH_R 1204 * rev: HDR, <KE>_Ke_r, HASH_R 1205 */ 1206int 1207base_r2send(iph1, msg) 1208 struct ph1handle *iph1; 1209 vchar_t *msg; 1210{ 1211 struct payload_list *plist = NULL; 1212 vchar_t *vid = NULL; 1213 int need_cert = 0; 1214 int error = -1; 1215 1216 /* validity check */ 1217 if (iph1->status != PHASE1ST_MSG2RECEIVED) { 1218 plog(LLV_ERROR, LOCATION, NULL, 1219 "status mismatched %d.\n", iph1->status); 1220 goto end; 1221 } 1222 1223 /* generate HASH to send */ 1224 plog(LLV_DEBUG, LOCATION, NULL, "generate HASH_I\n"); 1225 switch (iph1->approval->authmethod) { 1226 case OAKLEY_ATTR_AUTH_METHOD_PSKEY: 1227#ifdef ENABLE_HYBRID 1228 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R: 1229#endif 1230 case OAKLEY_ATTR_AUTH_METHOD_RSAENC: 1231 case OAKLEY_ATTR_AUTH_METHOD_RSAREV: 1232#ifdef ENABLE_HYBRID 1233 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R: 1234 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: 1235#endif 1236 iph1->hash = oakley_ph1hash_common(iph1, GENERATE); 1237 break; 1238 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: 1239 case OAKLEY_ATTR_AUTH_METHOD_RSASIG: 1240#ifdef ENABLE_HYBRID 1241 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R: 1242 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: 1243 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R: 1244 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R: 1245#endif 1246#ifdef HAVE_GSSAPI 1247 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB: 1248#endif 1249 iph1->hash = oakley_ph1hash_base_r(iph1, GENERATE); 1250 break; 1251 default: 1252 plog(LLV_ERROR, LOCATION, NULL, 1253 "invalid authentication method %d\n", 1254 iph1->approval->authmethod); 1255 goto end; 1256 } 1257 if (iph1->hash == NULL) 1258 goto end; 1259 1260 switch (iph1->approval->authmethod) { 1261 case OAKLEY_ATTR_AUTH_METHOD_PSKEY: 1262#ifdef ENABLE_HYBRID 1263 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R: 1264#endif 1265 vid = set_vendorid(iph1->approval->vendorid); 1266 1267 /* create isakmp KE payload */ 1268 plist = isakmp_plist_append(plist, 1269 iph1->dhpub, ISAKMP_NPTYPE_KE); 1270 1271 /* create isakmp HASH payload */ 1272 plist = isakmp_plist_append(plist, 1273 iph1->hash, ISAKMP_NPTYPE_HASH); 1274 1275 /* append vendor id, if needed */ 1276 if (vid) 1277 plist = isakmp_plist_append(plist, 1278 vid, ISAKMP_NPTYPE_VID); 1279 break; 1280 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: 1281 case OAKLEY_ATTR_AUTH_METHOD_RSASIG: 1282#ifdef ENABLE_HYBRID 1283 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R: 1284 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: 1285 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R: 1286 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R: 1287#endif 1288 /* XXX if there is CR or not ? */ 1289 1290 if (oakley_getmycert(iph1) < 0) 1291 goto end; 1292 1293 if (oakley_getsign(iph1) < 0) 1294 goto end; 1295 1296 if (iph1->cert && iph1->rmconf->send_cert) 1297 need_cert = 1; 1298 1299 /* create isakmp KE payload */ 1300 plist = isakmp_plist_append(plist, iph1->dhpub, 1301 ISAKMP_NPTYPE_KE); 1302 1303 /* add CERT payload if there */ 1304 if (need_cert) 1305 plist = isakmp_plist_append(plist, iph1->cert, 1306 ISAKMP_NPTYPE_CERT); 1307 1308 /* add SIG payload */ 1309 plist = isakmp_plist_append(plist, iph1->sig, 1310 ISAKMP_NPTYPE_SIG); 1311 break; 1312#ifdef HAVE_GSSAPI 1313 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB: 1314 /* ... */ 1315 break; 1316#endif 1317 case OAKLEY_ATTR_AUTH_METHOD_RSAENC: 1318 case OAKLEY_ATTR_AUTH_METHOD_RSAREV: 1319#ifdef ENABLE_HYBRID 1320 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R: 1321 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: 1322#endif 1323 break; 1324 } 1325 1326#ifdef ENABLE_NATT 1327 /* generate NAT-D payloads */ 1328 if (NATT_AVAILABLE(iph1)) { 1329 vchar_t *natd[2] = { NULL, NULL }; 1330 1331 plog(LLV_INFO, LOCATION, 1332 NULL, "Adding remote and local NAT-D payloads.\n"); 1333 if ((natd[0] = natt_hash_addr(iph1, iph1->remote)) == NULL) { 1334 plog(LLV_ERROR, LOCATION, NULL, 1335 "NAT-D hashing failed for %s\n", 1336 saddr2str(iph1->remote)); 1337 goto end; 1338 } 1339 1340 if ((natd[1] = natt_hash_addr(iph1, iph1->local)) == NULL) { 1341 plog(LLV_ERROR, LOCATION, NULL, 1342 "NAT-D hashing failed for %s\n", 1343 saddr2str(iph1->local)); 1344 goto end; 1345 } 1346 1347 plist = isakmp_plist_append(plist, 1348 natd[0], iph1->natt_options->payload_nat_d); 1349 plist = isakmp_plist_append(plist, 1350 natd[1], iph1->natt_options->payload_nat_d); 1351 } 1352#endif 1353 1354 iph1->sendbuf = isakmp_plist_set_all(&plist, iph1); 1355 1356#ifdef HAVE_PRINT_ISAKMP_C 1357 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0); 1358#endif 1359 1360 /* send HDR;KE;NONCE to responder */ 1361 if (isakmp_send(iph1, iph1->sendbuf) < 0) 1362 goto end; 1363 1364 /* the sending message is added to the received-list. */ 1365 if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) { 1366 plog(LLV_ERROR , LOCATION, NULL, 1367 "failed to add a response packet to the tree.\n"); 1368 goto end; 1369 } 1370 1371 /* generate SKEYIDs & IV & final cipher key */ 1372 if (oakley_skeyid_dae(iph1) < 0) 1373 goto end; 1374 if (oakley_compute_enckey(iph1) < 0) 1375 goto end; 1376 if (oakley_newiv(iph1) < 0) 1377 goto end; 1378 1379 /* set encryption flag */ 1380 iph1->flags |= ISAKMP_FLAG_E; 1381 1382 iph1->status = PHASE1ST_ESTABLISHED; 1383 1384 error = 0; 1385 1386end: 1387 if (vid) 1388 vfree(vid); 1389 return error; 1390} 1391