1 /* $NetBSD: isakmp_agg.c,v 1.12 2008/07/21 06:26:06 tteras Exp $ */ 2 3 /* Id: isakmp_agg.c,v 1.28 2006/04/06 16:46:08 manubsd Exp */ 4 5 /* 6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of the project nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 /* Aggressive Exchange (Aggressive Mode) */ 35 36 #include "config.h" 37 38 #include <sys/types.h> 39 #include <sys/param.h> 40 41 #include <stdlib.h> 42 #include <stdio.h> 43 #include <string.h> 44 #include <errno.h> 45 #if TIME_WITH_SYS_TIME 46 # include <sys/time.h> 47 # include <time.h> 48 #else 49 # if HAVE_SYS_TIME_H 50 # include <sys/time.h> 51 # else 52 # include <time.h> 53 # endif 54 #endif 55 56 #include "var.h" 57 #include "misc.h" 58 #include "vmbuf.h" 59 #include "plog.h" 60 #include "sockmisc.h" 61 #include "schedule.h" 62 #include "debug.h" 63 64 #ifdef ENABLE_HYBRID 65 #include <resolv.h> 66 #endif 67 68 #include "localconf.h" 69 #include "remoteconf.h" 70 #include "isakmp_var.h" 71 #include "isakmp.h" 72 #include "evt.h" 73 #include "oakley.h" 74 #include "handler.h" 75 #include "ipsec_doi.h" 76 #include "crypto_openssl.h" 77 #include "pfkey.h" 78 #include "isakmp_agg.h" 79 #include "isakmp_inf.h" 80 #ifdef ENABLE_HYBRID 81 #include "isakmp_xauth.h" 82 #include "isakmp_cfg.h" 83 #endif 84 #ifdef ENABLE_FRAG 85 #include "isakmp_frag.h" 86 #endif 87 #include "vendorid.h" 88 #include "strnames.h" 89 90 #ifdef ENABLE_NATT 91 #include "nattraversal.h" 92 #endif 93 94 #ifdef HAVE_GSSAPI 95 #include "gssapi.h" 96 #endif 97 98 /* 99 * begin Aggressive Mode as initiator. 100 */ 101 /* 102 * send to responder 103 * psk: HDR, SA, KE, Ni, IDi1 104 * sig: HDR, SA, KE, Ni, IDi1 [, CR ] 105 * gssapi: HDR, SA, KE, Ni, IDi1, GSSi 106 * rsa: HDR, SA, [ HASH(1),] KE, <IDi1_b>Pubkey_r, <Ni_b>Pubkey_r 107 * rev: HDR, SA, [ HASH(1),] <Ni_b>Pubkey_r, <KE_b>Ke_i, 108 * <IDii_b>Ke_i [, <Cert-I_b>Ke_i ] 109 */ 110 int 111 agg_i1send(iph1, msg) 112 struct ph1handle *iph1; 113 vchar_t *msg; /* must be null */ 114 { 115 struct payload_list *plist = NULL; 116 int need_cr = 0; 117 vchar_t *cr = NULL; 118 int error = -1; 119 #ifdef ENABLE_NATT 120 vchar_t *vid_natt[MAX_NATT_VID_COUNT] = { NULL }; 121 int i; 122 #endif 123 #ifdef ENABLE_HYBRID 124 vchar_t *vid_xauth = NULL; 125 vchar_t *vid_unity = NULL; 126 #endif 127 #ifdef ENABLE_FRAG 128 vchar_t *vid_frag = NULL; 129 #endif 130 #ifdef HAVE_GSSAPI 131 vchar_t *gsstoken = NULL; 132 int len; 133 #endif 134 #ifdef ENABLE_DPD 135 vchar_t *vid_dpd = NULL; 136 #endif 137 138 139 /* validity check */ 140 if (msg != NULL) { 141 plog(LLV_ERROR, LOCATION, NULL, 142 "msg has to be NULL in this function.\n"); 143 goto end; 144 } 145 if (iph1->status != PHASE1ST_START) { 146 plog(LLV_ERROR, LOCATION, NULL, 147 "status mismatched %d.\n", iph1->status); 148 goto end; 149 } 150 151 /* create isakmp index */ 152 memset(&iph1->index, 0, sizeof(iph1->index)); 153 isakmp_newcookie((caddr_t)&iph1->index, iph1->remote, iph1->local); 154 155 /* make ID payload into isakmp status */ 156 if (ipsecdoi_setid1(iph1) < 0) 157 goto end; 158 159 /* create SA payload for my proposal */ 160 iph1->sa = ipsecdoi_setph1proposal(iph1->rmconf->proposal); 161 if (iph1->sa == NULL) 162 goto end; 163 164 /* consistency check of proposals */ 165 if (iph1->rmconf->dhgrp == NULL) { 166 plog(LLV_ERROR, LOCATION, NULL, 167 "configuration failure about DH group.\n"); 168 goto end; 169 } 170 171 /* generate DH public value */ 172 if (oakley_dh_generate(iph1->rmconf->dhgrp, 173 &iph1->dhpub, &iph1->dhpriv) < 0) 174 goto end; 175 176 /* generate NONCE value */ 177 iph1->nonce = eay_set_random(iph1->rmconf->nonce_size); 178 if (iph1->nonce == NULL) 179 goto end; 180 181 #ifdef ENABLE_HYBRID 182 /* Do we need Xauth VID? */ 183 switch (RMAUTHMETHOD(iph1)) { 184 case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I: 185 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: 186 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: 187 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: 188 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: 189 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I: 190 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I: 191 if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL) 192 plog(LLV_ERROR, LOCATION, NULL, 193 "Xauth vendor ID generation failed\n"); 194 if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL) 195 plog(LLV_ERROR, LOCATION, NULL, 196 "Unity vendor ID generation failed\n"); 197 break; 198 default: 199 break; 200 } 201 #endif 202 203 #ifdef ENABLE_FRAG 204 if (iph1->rmconf->ike_frag) { 205 vid_frag = set_vendorid(VENDORID_FRAG); 206 if (vid_frag != NULL) 207 vid_frag = isakmp_frag_addcap(vid_frag, 208 VENDORID_FRAG_AGG); 209 if (vid_frag == NULL) 210 plog(LLV_ERROR, LOCATION, NULL, 211 "Frag vendorID construction failed\n"); 212 } 213 #endif 214 215 /* create CR if need */ 216 if (iph1->rmconf->send_cr 217 && oakley_needcr(iph1->rmconf->proposal->authmethod) 218 && iph1->rmconf->peerscertfile == NULL) { 219 need_cr = 1; 220 cr = oakley_getcr(iph1); 221 if (cr == NULL) { 222 plog(LLV_ERROR, LOCATION, NULL, 223 "failed to get cr buffer.\n"); 224 goto end; 225 } 226 } 227 228 plog(LLV_DEBUG, LOCATION, NULL, "authmethod is %s\n", 229 s_oakley_attr_method(iph1->rmconf->proposal->authmethod)); 230 #ifdef HAVE_GSSAPI 231 if (RMAUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) 232 gssapi_get_itoken(iph1, &len); 233 #endif 234 235 /* set SA payload to propose */ 236 plist = isakmp_plist_append(plist, iph1->sa, ISAKMP_NPTYPE_SA); 237 238 /* create isakmp KE payload */ 239 plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE); 240 241 /* create isakmp NONCE payload */ 242 plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE); 243 244 /* create isakmp ID payload */ 245 plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID); 246 247 #ifdef HAVE_GSSAPI 248 if (RMAUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) { 249 gssapi_get_token_to_send(iph1, &gsstoken); 250 plist = isakmp_plist_append(plist, gsstoken, ISAKMP_NPTYPE_GSS); 251 } 252 #endif 253 /* create isakmp CR payload */ 254 if (need_cr) 255 plist = isakmp_plist_append(plist, cr, ISAKMP_NPTYPE_CR); 256 257 #ifdef ENABLE_FRAG 258 if (vid_frag) 259 plist = isakmp_plist_append(plist, vid_frag, ISAKMP_NPTYPE_VID); 260 #endif 261 #ifdef ENABLE_NATT 262 /* 263 * set VID payload for NAT-T if NAT-T 264 * support allowed in the config file 265 */ 266 if (iph1->rmconf->nat_traversal) 267 plist = isakmp_plist_append_natt_vids(plist, vid_natt); 268 #endif 269 #ifdef ENABLE_HYBRID 270 if (vid_xauth) 271 plist = isakmp_plist_append(plist, 272 vid_xauth, ISAKMP_NPTYPE_VID); 273 if (vid_unity) 274 plist = isakmp_plist_append(plist, 275 vid_unity, ISAKMP_NPTYPE_VID); 276 #endif 277 #ifdef ENABLE_DPD 278 if(iph1->rmconf->dpd){ 279 vid_dpd = set_vendorid(VENDORID_DPD); 280 if (vid_dpd != NULL) 281 plist = isakmp_plist_append(plist, vid_dpd, ISAKMP_NPTYPE_VID); 282 } 283 #endif 284 285 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1); 286 287 #ifdef HAVE_PRINT_ISAKMP_C 288 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0); 289 #endif 290 291 /* send the packet, add to the schedule to resend */ 292 iph1->retry_counter = iph1->rmconf->retry_counter; 293 if (isakmp_ph1resend(iph1) == -1) 294 goto end; 295 296 iph1->status = PHASE1ST_MSG1SENT; 297 298 error = 0; 299 300 end: 301 if (cr) 302 vfree(cr); 303 #ifdef HAVE_GSSAPI 304 if (gsstoken) 305 vfree(gsstoken); 306 #endif 307 #ifdef ENABLE_FRAG 308 if (vid_frag) 309 vfree(vid_frag); 310 #endif 311 #ifdef ENABLE_NATT 312 for (i = 0; i < MAX_NATT_VID_COUNT && vid_natt[i] != NULL; i++) 313 vfree(vid_natt[i]); 314 #endif 315 #ifdef ENABLE_HYBRID 316 if (vid_xauth != NULL) 317 vfree(vid_xauth); 318 if (vid_unity != NULL) 319 vfree(vid_unity); 320 #endif 321 #ifdef ENABLE_DPD 322 if (vid_dpd != NULL) 323 vfree(vid_dpd); 324 #endif 325 326 return error; 327 } 328 329 /* 330 * receive from responder 331 * psk: HDR, SA, KE, Nr, IDr1, HASH_R 332 * sig: HDR, SA, KE, Nr, IDr1, [ CR, ] [ CERT, ] SIG_R 333 * gssapi: HDR, SA, KE, Nr, IDr1, GSSr, HASH_R 334 * rsa: HDR, SA, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i, HASH_R 335 * rev: HDR, SA, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDir_b>Ke_r, HASH_R 336 */ 337 int 338 agg_i2recv(iph1, msg) 339 struct ph1handle *iph1; 340 vchar_t *msg; 341 { 342 vchar_t *pbuf = NULL; 343 struct isakmp_parse_t *pa; 344 vchar_t *satmp = NULL; 345 int error = -1; 346 int vid_numeric; 347 int ptype; 348 #ifdef ENABLE_HYBRID 349 vchar_t *unity_vid; 350 vchar_t *xauth_vid; 351 #endif 352 #ifdef HAVE_GSSAPI 353 vchar_t *gsstoken = NULL; 354 #endif 355 356 #ifdef ENABLE_NATT 357 int natd_seq = 0; 358 struct natd_payload { 359 int seq; 360 vchar_t *payload; 361 TAILQ_ENTRY(natd_payload) chain; 362 }; 363 TAILQ_HEAD(_natd_payload, natd_payload) natd_tree; 364 TAILQ_INIT(&natd_tree); 365 #endif 366 367 /* validity check */ 368 if (iph1->status != PHASE1ST_MSG1SENT) { 369 plog(LLV_ERROR, LOCATION, NULL, 370 "status mismatched %d.\n", iph1->status); 371 goto end; 372 } 373 374 /* validate the type of next payload */ 375 pbuf = isakmp_parse(msg); 376 if (pbuf == NULL) 377 goto end; 378 pa = (struct isakmp_parse_t *)pbuf->v; 379 380 iph1->pl_hash = NULL; 381 382 /* SA payload is fixed postion */ 383 if (pa->type != ISAKMP_NPTYPE_SA) { 384 plog(LLV_ERROR, LOCATION, iph1->remote, 385 "received invalid next payload type %d, " 386 "expecting %d.\n", 387 pa->type, ISAKMP_NPTYPE_SA); 388 goto end; 389 } 390 391 if (isakmp_p2ph(&satmp, pa->ptr) < 0) 392 goto end; 393 pa++; 394 395 for (/*nothing*/; 396 pa->type != ISAKMP_NPTYPE_NONE; 397 pa++) { 398 399 switch (pa->type) { 400 case ISAKMP_NPTYPE_KE: 401 if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) 402 goto end; 403 break; 404 case ISAKMP_NPTYPE_NONCE: 405 if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) 406 goto end; 407 break; 408 case ISAKMP_NPTYPE_ID: 409 if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) 410 goto end; 411 break; 412 case ISAKMP_NPTYPE_HASH: 413 iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr; 414 break; 415 case ISAKMP_NPTYPE_CR: 416 if (oakley_savecr(iph1, pa->ptr) < 0) 417 goto end; 418 break; 419 case ISAKMP_NPTYPE_CERT: 420 if (oakley_savecert(iph1, pa->ptr) < 0) 421 goto end; 422 break; 423 case ISAKMP_NPTYPE_SIG: 424 if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) 425 goto end; 426 break; 427 case ISAKMP_NPTYPE_VID: 428 vid_numeric = check_vendorid(pa->ptr); 429 handle_vendorid(iph1, vid_numeric); 430 break; 431 case ISAKMP_NPTYPE_N: 432 isakmp_log_notify(iph1, 433 (struct isakmp_pl_n *) pa->ptr, 434 "aggressive exchange"); 435 break; 436 #ifdef HAVE_GSSAPI 437 case ISAKMP_NPTYPE_GSS: 438 if (isakmp_p2ph(&gsstoken, pa->ptr) < 0) 439 goto end; 440 gssapi_save_received_token(iph1, gsstoken); 441 break; 442 #endif 443 444 #ifdef ENABLE_NATT 445 case ISAKMP_NPTYPE_NATD_DRAFT: 446 case ISAKMP_NPTYPE_NATD_RFC: 447 if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL && 448 pa->type == iph1->natt_options->payload_nat_d) { 449 struct natd_payload *natd; 450 natd = (struct natd_payload *)racoon_malloc(sizeof(*natd)); 451 if (!natd) 452 goto end; 453 454 natd->payload = NULL; 455 456 if (isakmp_p2ph (&natd->payload, pa->ptr) < 0) 457 goto end; 458 459 natd->seq = natd_seq++; 460 461 TAILQ_INSERT_TAIL(&natd_tree, natd, chain); 462 break; 463 } 464 /* passthrough to default... */ 465 #endif 466 467 default: 468 /* don't send information, see isakmp_ident_r1() */ 469 plog(LLV_ERROR, LOCATION, iph1->remote, 470 "ignore the packet, " 471 "received unexpecting payload type %d.\n", 472 pa->type); 473 goto end; 474 } 475 } 476 477 /* payload existency check */ 478 if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) { 479 plog(LLV_ERROR, LOCATION, iph1->remote, 480 "few isakmp message received.\n"); 481 goto end; 482 } 483 484 /* verify identifier */ 485 if (ipsecdoi_checkid1(iph1) != 0) { 486 plog(LLV_ERROR, LOCATION, iph1->remote, 487 "invalid ID payload.\n"); 488 goto end; 489 } 490 491 /* check SA payload and set approval SA for use */ 492 if (ipsecdoi_checkph1proposal(satmp, iph1) < 0) { 493 plog(LLV_ERROR, LOCATION, iph1->remote, 494 "failed to get valid proposal.\n"); 495 /* XXX send information */ 496 goto end; 497 } 498 VPTRINIT(iph1->sa_ret); 499 500 /* fix isakmp index */ 501 memcpy(&iph1->index.r_ck, &((struct isakmp *)msg->v)->r_ck, 502 sizeof(cookie_t)); 503 504 #ifdef ENABLE_NATT 505 if (NATT_AVAILABLE(iph1)) { 506 struct natd_payload *natd = NULL; 507 int natd_verified; 508 509 plog(LLV_INFO, LOCATION, iph1->remote, 510 "Selected NAT-T version: %s\n", 511 vid_string_by_id(iph1->natt_options->version)); 512 513 /* set both bits first so that we can clear them 514 upon verifying hashes */ 515 iph1->natt_flags |= NAT_DETECTED; 516 517 while ((natd = TAILQ_FIRST(&natd_tree)) != NULL) { 518 /* this function will clear appropriate bits bits 519 from iph1->natt_flags */ 520 natd_verified = natt_compare_addr_hash (iph1, 521 natd->payload, natd->seq); 522 523 plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n", 524 natd->seq - 1, 525 natd_verified ? "verified" : "doesn't match"); 526 527 vfree (natd->payload); 528 529 TAILQ_REMOVE(&natd_tree, natd, chain); 530 racoon_free (natd); 531 } 532 533 plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n", 534 iph1->natt_flags & NAT_DETECTED ? 535 "detected:" : "not detected", 536 iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "", 537 iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : ""); 538 539 if (iph1->natt_flags & NAT_DETECTED) 540 natt_float_ports (iph1); 541 } 542 #endif 543 544 /* compute sharing secret of DH */ 545 if (oakley_dh_compute(iph1->rmconf->dhgrp, iph1->dhpub, 546 iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) 547 goto end; 548 549 /* generate SKEYIDs & IV & final cipher key */ 550 if (oakley_skeyid(iph1) < 0) 551 goto end; 552 if (oakley_skeyid_dae(iph1) < 0) 553 goto end; 554 if (oakley_compute_enckey(iph1) < 0) 555 goto end; 556 if (oakley_newiv(iph1) < 0) 557 goto end; 558 559 /* validate authentication value */ 560 ptype = oakley_validate_auth(iph1); 561 if (ptype != 0) { 562 if (ptype == -1) { 563 /* message printed inner oakley_validate_auth() */ 564 goto end; 565 } 566 evt_phase1(iph1, EVT_PHASE1_AUTH_FAILED, NULL); 567 isakmp_info_send_n1(iph1, ptype, NULL); 568 goto end; 569 } 570 571 if (oakley_checkcr(iph1) < 0) { 572 /* Ignore this error in order to be interoperability. */ 573 ; 574 } 575 576 /* change status of isakmp status entry */ 577 iph1->status = PHASE1ST_MSG2RECEIVED; 578 579 error = 0; 580 581 end: 582 #ifdef HAVE_GSSAPI 583 if (gsstoken) 584 vfree(gsstoken); 585 #endif 586 if (pbuf) 587 vfree(pbuf); 588 if (satmp) 589 vfree(satmp); 590 if (error) { 591 VPTRINIT(iph1->dhpub_p); 592 VPTRINIT(iph1->nonce_p); 593 VPTRINIT(iph1->id_p); 594 oakley_delcert(iph1->cert_p); 595 iph1->cert_p = NULL; 596 oakley_delcert(iph1->crl_p); 597 iph1->crl_p = NULL; 598 VPTRINIT(iph1->sig_p); 599 oakley_delcert(iph1->cr_p); 600 iph1->cr_p = NULL; 601 } 602 603 return error; 604 } 605 606 /* 607 * send to responder 608 * psk: HDR, HASH_I 609 * gssapi: HDR, HASH_I 610 * sig: HDR, [ CERT, ] SIG_I 611 * rsa: HDR, HASH_I 612 * rev: HDR, HASH_I 613 */ 614 int 615 agg_i2send(iph1, msg) 616 struct ph1handle *iph1; 617 vchar_t *msg; 618 { 619 struct payload_list *plist = NULL; 620 int need_cert = 0; 621 int error = -1; 622 vchar_t *gsshash = NULL; 623 624 /* validity check */ 625 if (iph1->status != PHASE1ST_MSG2RECEIVED) { 626 plog(LLV_ERROR, LOCATION, NULL, 627 "status mismatched %d.\n", iph1->status); 628 goto end; 629 } 630 631 /* generate HASH to send */ 632 plog(LLV_DEBUG, LOCATION, NULL, "generate HASH_I\n"); 633 iph1->hash = oakley_ph1hash_common(iph1, GENERATE); 634 if (iph1->hash == NULL) { 635 #ifdef HAVE_GSSAPI 636 if (gssapi_more_tokens(iph1) && 637 #ifdef ENABLE_HYBRID 638 !iph1->rmconf->xauth && 639 #endif 640 1) 641 isakmp_info_send_n1(iph1, 642 ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, NULL); 643 #endif 644 goto end; 645 } 646 647 switch (AUTHMETHOD(iph1)) { 648 case OAKLEY_ATTR_AUTH_METHOD_PSKEY: 649 #ifdef ENABLE_HYBRID 650 case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I: 651 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: 652 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: 653 #endif 654 /* set HASH payload */ 655 plist = isakmp_plist_append(plist, 656 iph1->hash, ISAKMP_NPTYPE_HASH); 657 break; 658 659 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: 660 case OAKLEY_ATTR_AUTH_METHOD_RSASIG: 661 #ifdef ENABLE_HYBRID 662 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: 663 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: 664 #endif 665 /* XXX if there is CR or not ? */ 666 667 if (oakley_getmycert(iph1) < 0) 668 goto end; 669 670 if (oakley_getsign(iph1) < 0) 671 goto end; 672 673 if (iph1->cert != NULL && iph1->rmconf->send_cert) 674 need_cert = 1; 675 676 /* add CERT payload if there */ 677 if (need_cert) 678 plist = isakmp_plist_append(plist, 679 iph1->cert->pl, ISAKMP_NPTYPE_CERT); 680 681 /* add SIG payload */ 682 plist = isakmp_plist_append(plist, 683 iph1->sig, ISAKMP_NPTYPE_SIG); 684 break; 685 686 case OAKLEY_ATTR_AUTH_METHOD_RSAENC: 687 case OAKLEY_ATTR_AUTH_METHOD_RSAREV: 688 #ifdef ENABLE_HYBRID 689 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I: 690 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I: 691 #endif 692 break; 693 #ifdef HAVE_GSSAPI 694 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB: 695 gsshash = gssapi_wraphash(iph1); 696 if (gsshash == NULL) { 697 plog(LLV_ERROR, LOCATION, NULL, 698 "failed to wrap hash\n"); 699 isakmp_info_send_n1(iph1, 700 ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, NULL); 701 goto end; 702 } 703 704 plist = isakmp_plist_append(plist, 705 gsshash, ISAKMP_NPTYPE_HASH); 706 break; 707 #endif 708 } 709 710 #ifdef ENABLE_NATT 711 /* generate NAT-D payloads */ 712 if (NATT_AVAILABLE(iph1)) { 713 vchar_t *natd[2] = { NULL, NULL }; 714 715 plog(LLV_INFO, LOCATION, 716 NULL, "Adding remote and local NAT-D payloads.\n"); 717 718 if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) { 719 plog(LLV_ERROR, LOCATION, NULL, 720 "NAT-D hashing failed for %s\n", 721 saddr2str(iph1->remote)); 722 goto end; 723 } 724 725 if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) { 726 plog(LLV_ERROR, LOCATION, NULL, 727 "NAT-D hashing failed for %s\n", 728 saddr2str(iph1->local)); 729 goto end; 730 } 731 732 plist = isakmp_plist_append(plist, 733 natd[0], iph1->natt_options->payload_nat_d); 734 plist = isakmp_plist_append(plist, 735 natd[1], iph1->natt_options->payload_nat_d); 736 } 737 #endif 738 739 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1); 740 741 #ifdef HAVE_PRINT_ISAKMP_C 742 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0); 743 #endif 744 745 /* send to responder */ 746 if (isakmp_send(iph1, iph1->sendbuf) < 0) 747 goto end; 748 749 /* the sending message is added to the received-list. */ 750 if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) { 751 plog(LLV_ERROR , LOCATION, NULL, 752 "failed to add a response packet to the tree.\n"); 753 goto end; 754 } 755 756 /* set encryption flag */ 757 iph1->flags |= ISAKMP_FLAG_E; 758 759 iph1->status = PHASE1ST_ESTABLISHED; 760 761 error = 0; 762 763 end: 764 if (gsshash) 765 vfree(gsshash); 766 return error; 767 } 768 769 /* 770 * receive from initiator 771 * psk: HDR, SA, KE, Ni, IDi1 772 * sig: HDR, SA, KE, Ni, IDi1 [, CR ] 773 * gssapi: HDR, SA, KE, Ni, IDi1 , GSSi 774 * rsa: HDR, SA, [ HASH(1),] KE, <IDi1_b>Pubkey_r, <Ni_b>Pubkey_r 775 * rev: HDR, SA, [ HASH(1),] <Ni_b>Pubkey_r, <KE_b>Ke_i, 776 * <IDii_b>Ke_i [, <Cert-I_b>Ke_i ] 777 */ 778 int 779 agg_r1recv(iph1, msg) 780 struct ph1handle *iph1; 781 vchar_t *msg; 782 { 783 int error = -1; 784 vchar_t *pbuf = NULL; 785 struct isakmp_parse_t *pa; 786 int vid_numeric; 787 #ifdef HAVE_GSSAPI 788 vchar_t *gsstoken = NULL; 789 #endif 790 791 /* validity check */ 792 if (iph1->status != PHASE1ST_START) { 793 plog(LLV_ERROR, LOCATION, NULL, 794 "status mismatched %d.\n", iph1->status); 795 goto end; 796 } 797 798 /* validate the type of next payload */ 799 pbuf = isakmp_parse(msg); 800 if (pbuf == NULL) 801 goto end; 802 pa = (struct isakmp_parse_t *)pbuf->v; 803 804 /* SA payload is fixed postion */ 805 if (pa->type != ISAKMP_NPTYPE_SA) { 806 plog(LLV_ERROR, LOCATION, iph1->remote, 807 "received invalid next payload type %d, " 808 "expecting %d.\n", 809 pa->type, ISAKMP_NPTYPE_SA); 810 goto end; 811 } 812 if (isakmp_p2ph(&iph1->sa, pa->ptr) < 0) 813 goto end; 814 pa++; 815 816 for (/*nothing*/; 817 pa->type != ISAKMP_NPTYPE_NONE; 818 pa++) { 819 820 plog(LLV_DEBUG, LOCATION, NULL, 821 "received payload of type %s\n", 822 s_isakmp_nptype(pa->type)); 823 824 switch (pa->type) { 825 case ISAKMP_NPTYPE_KE: 826 if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) 827 goto end; 828 break; 829 case ISAKMP_NPTYPE_NONCE: 830 if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) 831 goto end; 832 break; 833 case ISAKMP_NPTYPE_ID: 834 if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) 835 goto end; 836 break; 837 case ISAKMP_NPTYPE_VID: 838 vid_numeric = check_vendorid(pa->ptr); 839 handle_vendorid(iph1, vid_numeric); 840 #ifdef ENABLE_FRAG 841 if ((vid_numeric == VENDORID_FRAG) && 842 (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_AGG)) 843 iph1->frag = 1; 844 #endif 845 break; 846 847 case ISAKMP_NPTYPE_CR: 848 if (oakley_savecr(iph1, pa->ptr) < 0) 849 goto end; 850 break; 851 852 #ifdef HAVE_GSSAPI 853 case ISAKMP_NPTYPE_GSS: 854 if (isakmp_p2ph(&gsstoken, pa->ptr) < 0) 855 goto end; 856 gssapi_save_received_token(iph1, gsstoken); 857 break; 858 #endif 859 default: 860 /* don't send information, see isakmp_ident_r1() */ 861 plog(LLV_ERROR, LOCATION, iph1->remote, 862 "ignore the packet, " 863 "received unexpecting payload type %d.\n", 864 pa->type); 865 goto end; 866 } 867 } 868 869 /* payload existency check */ 870 if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) { 871 plog(LLV_ERROR, LOCATION, iph1->remote, 872 "few isakmp message received.\n"); 873 goto end; 874 } 875 876 /* verify identifier */ 877 if (ipsecdoi_checkid1(iph1) != 0) { 878 plog(LLV_ERROR, LOCATION, iph1->remote, 879 "invalid ID payload.\n"); 880 goto end; 881 } 882 883 #ifdef ENABLE_NATT 884 if (NATT_AVAILABLE(iph1)) 885 plog(LLV_INFO, LOCATION, iph1->remote, 886 "Selected NAT-T version: %s\n", 887 vid_string_by_id(iph1->natt_options->version)); 888 #endif 889 890 /* check SA payload and set approval SA for use */ 891 if (ipsecdoi_checkph1proposal(iph1->sa, iph1) < 0) { 892 plog(LLV_ERROR, LOCATION, iph1->remote, 893 "failed to get valid proposal.\n"); 894 /* XXX send information */ 895 goto end; 896 } 897 898 if (oakley_checkcr(iph1) < 0) { 899 /* Ignore this error in order to be interoperability. */ 900 ; 901 } 902 903 iph1->status = PHASE1ST_MSG1RECEIVED; 904 905 error = 0; 906 907 end: 908 #ifdef HAVE_GSSAPI 909 if (gsstoken) 910 vfree(gsstoken); 911 #endif 912 if (pbuf) 913 vfree(pbuf); 914 if (error) { 915 VPTRINIT(iph1->sa); 916 VPTRINIT(iph1->dhpub_p); 917 VPTRINIT(iph1->nonce_p); 918 VPTRINIT(iph1->id_p); 919 oakley_delcert(iph1->cr_p); 920 iph1->cr_p = NULL; 921 } 922 923 return error; 924 } 925 926 /* 927 * send to initiator 928 * psk: HDR, SA, KE, Nr, IDr1, HASH_R 929 * sig: HDR, SA, KE, Nr, IDr1, [ CR, ] [ CERT, ] SIG_R 930 * gssapi: HDR, SA, KE, Nr, IDr1, GSSr, HASH_R 931 * rsa: HDR, SA, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i, HASH_R 932 * rev: HDR, SA, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDir_b>Ke_r, HASH_R 933 */ 934 int 935 agg_r1send(iph1, msg) 936 struct ph1handle *iph1; 937 vchar_t *msg; 938 { 939 struct payload_list *plist = NULL; 940 int need_cr = 0; 941 int need_cert = 0; 942 vchar_t *cr = NULL; 943 int error = -1; 944 #ifdef ENABLE_HYBRID 945 vchar_t *xauth_vid = NULL; 946 vchar_t *unity_vid = NULL; 947 #endif 948 #ifdef ENABLE_NATT 949 vchar_t *vid_natt = NULL; 950 vchar_t *natd[2] = { NULL, NULL }; 951 #endif 952 #ifdef ENABLE_DPD 953 vchar_t *vid_dpd = NULL; 954 #endif 955 #ifdef ENABLE_FRAG 956 vchar_t *vid_frag = NULL; 957 #endif 958 959 #ifdef HAVE_GSSAPI 960 int gsslen; 961 vchar_t *gsstoken = NULL, *gsshash = NULL; 962 vchar_t *gss_sa = NULL; 963 int free_gss_sa = 0; 964 #endif 965 966 /* validity check */ 967 if (iph1->status != PHASE1ST_MSG1RECEIVED) { 968 plog(LLV_ERROR, LOCATION, NULL, 969 "status mismatched %d.\n", iph1->status); 970 goto end; 971 } 972 973 /* set responder's cookie */ 974 isakmp_newcookie((caddr_t)&iph1->index.r_ck, iph1->remote, iph1->local); 975 976 /* make ID payload into isakmp status */ 977 if (ipsecdoi_setid1(iph1) < 0) 978 goto end; 979 980 /* generate DH public value */ 981 if (oakley_dh_generate(iph1->rmconf->dhgrp, 982 &iph1->dhpub, &iph1->dhpriv) < 0) 983 goto end; 984 985 /* generate NONCE value */ 986 iph1->nonce = eay_set_random(iph1->rmconf->nonce_size); 987 if (iph1->nonce == NULL) 988 goto end; 989 990 /* compute sharing secret of DH */ 991 if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub, 992 iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) 993 goto end; 994 995 /* generate SKEYIDs & IV & final cipher key */ 996 if (oakley_skeyid(iph1) < 0) 997 goto end; 998 if (oakley_skeyid_dae(iph1) < 0) 999 goto end; 1000 if (oakley_compute_enckey(iph1) < 0) 1001 goto end; 1002 if (oakley_newiv(iph1) < 0) 1003 goto end; 1004 1005 #ifdef HAVE_GSSAPI 1006 if (RMAUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) 1007 gssapi_get_rtoken(iph1, &gsslen); 1008 #endif 1009 1010 /* generate HASH to send */ 1011 plog(LLV_DEBUG, LOCATION, NULL, "generate HASH_R\n"); 1012 iph1->hash = oakley_ph1hash_common(iph1, GENERATE); 1013 if (iph1->hash == NULL) { 1014 #ifdef HAVE_GSSAPI 1015 if (gssapi_more_tokens(iph1)) 1016 isakmp_info_send_n1(iph1, 1017 ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, NULL); 1018 #endif 1019 goto end; 1020 } 1021 1022 /* create CR if need */ 1023 if (iph1->rmconf->send_cr 1024 && oakley_needcr(iph1->approval->authmethod) 1025 && iph1->rmconf->peerscertfile == NULL) { 1026 need_cr = 1; 1027 cr = oakley_getcr(iph1); 1028 if (cr == NULL) { 1029 plog(LLV_ERROR, LOCATION, NULL, 1030 "failed to get cr buffer.\n"); 1031 goto end; 1032 } 1033 } 1034 1035 #ifdef ENABLE_NATT 1036 /* Has the peer announced NAT-T? */ 1037 if (NATT_AVAILABLE(iph1)) { 1038 /* set chosen VID */ 1039 vid_natt = set_vendorid(iph1->natt_options->version); 1040 1041 /* generate NAT-D payloads */ 1042 plog (LLV_INFO, LOCATION, NULL, "Adding remote and local NAT-D payloads.\n"); 1043 if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) { 1044 plog(LLV_ERROR, LOCATION, NULL, 1045 "NAT-D hashing failed for %s\n", saddr2str(iph1->remote)); 1046 goto end; 1047 } 1048 1049 if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) { 1050 plog(LLV_ERROR, LOCATION, NULL, 1051 "NAT-D hashing failed for %s\n", saddr2str(iph1->local)); 1052 goto end; 1053 } 1054 } 1055 #endif 1056 #ifdef ENABLE_DPD 1057 /* Only send DPD support if remote announced DPD and if DPD support is active */ 1058 if (iph1->dpd_support && iph1->rmconf->dpd) 1059 vid_dpd = set_vendorid(VENDORID_DPD); 1060 #endif 1061 #ifdef ENABLE_FRAG 1062 if (iph1->frag) { 1063 vid_frag = set_vendorid(VENDORID_FRAG); 1064 if (vid_frag != NULL) 1065 vid_frag = isakmp_frag_addcap(vid_frag, 1066 VENDORID_FRAG_AGG); 1067 if (vid_frag == NULL) 1068 plog(LLV_ERROR, LOCATION, NULL, 1069 "Frag vendorID construction failed\n"); 1070 } 1071 #endif 1072 1073 switch (AUTHMETHOD(iph1)) { 1074 case OAKLEY_ATTR_AUTH_METHOD_PSKEY: 1075 #ifdef ENABLE_HYBRID 1076 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R: 1077 #endif 1078 /* set SA payload to reply */ 1079 plist = isakmp_plist_append(plist, 1080 iph1->sa_ret, ISAKMP_NPTYPE_SA); 1081 1082 /* create isakmp KE payload */ 1083 plist = isakmp_plist_append(plist, 1084 iph1->dhpub, ISAKMP_NPTYPE_KE); 1085 1086 /* create isakmp NONCE payload */ 1087 plist = isakmp_plist_append(plist, 1088 iph1->nonce, ISAKMP_NPTYPE_NONCE); 1089 1090 /* create isakmp ID payload */ 1091 plist = isakmp_plist_append(plist, 1092 iph1->id, ISAKMP_NPTYPE_ID); 1093 1094 /* create isakmp HASH payload */ 1095 plist = isakmp_plist_append(plist, 1096 iph1->hash, ISAKMP_NPTYPE_HASH); 1097 1098 /* create isakmp CR payload if needed */ 1099 if (need_cr) 1100 plist = isakmp_plist_append(plist, 1101 cr, ISAKMP_NPTYPE_CR); 1102 break; 1103 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: 1104 case OAKLEY_ATTR_AUTH_METHOD_RSASIG: 1105 #ifdef ENABLE_HYBRID 1106 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R: 1107 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R: 1108 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: 1109 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R: 1110 #endif 1111 /* XXX if there is CR or not ? */ 1112 1113 if (oakley_getmycert(iph1) < 0) 1114 goto end; 1115 1116 if (oakley_getsign(iph1) < 0) 1117 goto end; 1118 1119 if (iph1->cert != NULL && iph1->rmconf->send_cert) 1120 need_cert = 1; 1121 1122 /* set SA payload to reply */ 1123 plist = isakmp_plist_append(plist, 1124 iph1->sa_ret, ISAKMP_NPTYPE_SA); 1125 1126 /* create isakmp KE payload */ 1127 plist = isakmp_plist_append(plist, 1128 iph1->dhpub, ISAKMP_NPTYPE_KE); 1129 1130 /* create isakmp NONCE payload */ 1131 plist = isakmp_plist_append(plist, 1132 iph1->nonce, ISAKMP_NPTYPE_NONCE); 1133 1134 /* add ID payload */ 1135 plist = isakmp_plist_append(plist, 1136 iph1->id, ISAKMP_NPTYPE_ID); 1137 1138 /* add CERT payload if there */ 1139 if (need_cert) 1140 plist = isakmp_plist_append(plist, 1141 iph1->cert->pl, ISAKMP_NPTYPE_CERT); 1142 1143 /* add SIG payload */ 1144 plist = isakmp_plist_append(plist, 1145 iph1->sig, ISAKMP_NPTYPE_SIG); 1146 1147 /* create isakmp CR payload if needed */ 1148 if (need_cr) 1149 plist = isakmp_plist_append(plist, 1150 cr, ISAKMP_NPTYPE_CR); 1151 break; 1152 1153 case OAKLEY_ATTR_AUTH_METHOD_RSAENC: 1154 case OAKLEY_ATTR_AUTH_METHOD_RSAREV: 1155 #ifdef ENABLE_HYBRID 1156 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R: 1157 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: 1158 #endif 1159 break; 1160 #ifdef HAVE_GSSAPI 1161 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB: 1162 /* create buffer to send isakmp payload */ 1163 gsshash = gssapi_wraphash(iph1); 1164 if (gsshash == NULL) { 1165 plog(LLV_ERROR, LOCATION, NULL, 1166 "failed to wrap hash\n"); 1167 /* 1168 * This is probably due to the GSS 1169 * roundtrips not being finished yet. 1170 * Return this error in the hope that 1171 * a fallback to main mode will be done. 1172 */ 1173 isakmp_info_send_n1(iph1, 1174 ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, NULL); 1175 goto end; 1176 } 1177 if (iph1->approval->gssid != NULL) 1178 gss_sa = 1179 ipsecdoi_setph1proposal(iph1->approval); 1180 else 1181 gss_sa = iph1->sa_ret; 1182 1183 if (gss_sa != iph1->sa_ret) 1184 free_gss_sa = 1; 1185 1186 /* set SA payload to reply */ 1187 plist = isakmp_plist_append(plist, 1188 gss_sa, ISAKMP_NPTYPE_SA); 1189 1190 /* create isakmp KE payload */ 1191 plist = isakmp_plist_append(plist, 1192 iph1->dhpub, ISAKMP_NPTYPE_KE); 1193 1194 /* create isakmp NONCE payload */ 1195 plist = isakmp_plist_append(plist, 1196 iph1->nonce, ISAKMP_NPTYPE_NONCE); 1197 1198 /* create isakmp ID payload */ 1199 plist = isakmp_plist_append(plist, 1200 iph1->id, ISAKMP_NPTYPE_ID); 1201 1202 /* create GSS payload */ 1203 gssapi_get_token_to_send(iph1, &gsstoken); 1204 plist = isakmp_plist_append(plist, 1205 gsstoken, ISAKMP_NPTYPE_GSS); 1206 1207 /* create isakmp HASH payload */ 1208 plist = isakmp_plist_append(plist, 1209 gsshash, ISAKMP_NPTYPE_HASH); 1210 1211 /* append vendor id, if needed */ 1212 break; 1213 #endif 1214 } 1215 1216 #ifdef ENABLE_HYBRID 1217 if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) { 1218 plog (LLV_INFO, LOCATION, NULL, "Adding xauth VID payload.\n"); 1219 if ((xauth_vid = set_vendorid(VENDORID_XAUTH)) == NULL) { 1220 plog(LLV_ERROR, LOCATION, NULL, 1221 "Cannot create Xauth vendor ID\n"); 1222 goto end; 1223 } 1224 plist = isakmp_plist_append(plist, 1225 xauth_vid, ISAKMP_NPTYPE_VID); 1226 } 1227 1228 if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_UNITY) { 1229 if ((unity_vid = set_vendorid(VENDORID_UNITY)) == NULL) { 1230 plog(LLV_ERROR, LOCATION, NULL, 1231 "Cannot create Unity vendor ID\n"); 1232 goto end; 1233 } 1234 plist = isakmp_plist_append(plist, 1235 unity_vid, ISAKMP_NPTYPE_VID); 1236 } 1237 #endif 1238 1239 #ifdef ENABLE_NATT 1240 /* append NAT-T payloads */ 1241 if (vid_natt) { 1242 /* chosen VID */ 1243 plist = isakmp_plist_append(plist, vid_natt, ISAKMP_NPTYPE_VID); 1244 /* NAT-D */ 1245 plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d); 1246 plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d); 1247 } 1248 #endif 1249 1250 #ifdef ENABLE_FRAG 1251 if (vid_frag) 1252 plist = isakmp_plist_append(plist, vid_frag, ISAKMP_NPTYPE_VID); 1253 #endif 1254 1255 #ifdef ENABLE_DPD 1256 if (vid_dpd) 1257 plist = isakmp_plist_append(plist, vid_dpd, ISAKMP_NPTYPE_VID); 1258 #endif 1259 1260 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1); 1261 1262 #ifdef HAVE_PRINT_ISAKMP_C 1263 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 1); 1264 #endif 1265 1266 /* send the packet, add to the schedule to resend */ 1267 iph1->retry_counter = iph1->rmconf->retry_counter; 1268 if (isakmp_ph1resend(iph1) == -1) 1269 goto end; 1270 1271 /* the sending message is added to the received-list. */ 1272 if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) { 1273 plog(LLV_ERROR , LOCATION, NULL, 1274 "failed to add a response packet to the tree.\n"); 1275 goto end; 1276 } 1277 1278 iph1->status = PHASE1ST_MSG1SENT; 1279 1280 error = 0; 1281 1282 end: 1283 if (cr) 1284 vfree(cr); 1285 #ifdef ENABLE_HYBRID 1286 if (xauth_vid) 1287 vfree(xauth_vid); 1288 if (unity_vid) 1289 vfree(unity_vid); 1290 #endif 1291 #ifdef HAVE_GSSAPI 1292 if (gsstoken) 1293 vfree(gsstoken); 1294 if (gsshash) 1295 vfree(gsshash); 1296 if (free_gss_sa) 1297 vfree(gss_sa); 1298 #endif 1299 #ifdef ENABLE_DPD 1300 if (vid_dpd) 1301 vfree(vid_dpd); 1302 #endif 1303 #ifdef ENABLE_FRAG 1304 if (vid_frag) 1305 vfree(vid_frag); 1306 #endif 1307 1308 return error; 1309 } 1310 1311 /* 1312 * receive from initiator 1313 * psk: HDR, HASH_I 1314 * gssapi: HDR, HASH_I 1315 * sig: HDR, [ CERT, ] SIG_I 1316 * rsa: HDR, HASH_I 1317 * rev: HDR, HASH_I 1318 */ 1319 int 1320 agg_r2recv(iph1, msg0) 1321 struct ph1handle *iph1; 1322 vchar_t *msg0; 1323 { 1324 vchar_t *msg = NULL; 1325 vchar_t *pbuf = NULL; 1326 struct isakmp_parse_t *pa; 1327 int error = -1; 1328 int ptype, vid_numeric; 1329 1330 #ifdef ENABLE_NATT 1331 int natd_seq = 0; 1332 #endif 1333 1334 /* validity check */ 1335 if (iph1->status != PHASE1ST_MSG1SENT) { 1336 plog(LLV_ERROR, LOCATION, NULL, 1337 "status mismatched %d.\n", iph1->status); 1338 goto end; 1339 } 1340 1341 /* decrypting if need. */ 1342 /* XXX configurable ? */ 1343 if (ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) { 1344 msg = oakley_do_decrypt(iph1, msg0, 1345 iph1->ivm->iv, iph1->ivm->ive); 1346 if (msg == NULL) 1347 goto end; 1348 } else 1349 msg = vdup(msg0); 1350 1351 /* validate the type of next payload */ 1352 pbuf = isakmp_parse(msg); 1353 if (pbuf == NULL) 1354 goto end; 1355 1356 iph1->pl_hash = NULL; 1357 1358 for (pa = (struct isakmp_parse_t *)pbuf->v; 1359 pa->type != ISAKMP_NPTYPE_NONE; 1360 pa++) { 1361 1362 switch (pa->type) { 1363 case ISAKMP_NPTYPE_HASH: 1364 iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr; 1365 break; 1366 case ISAKMP_NPTYPE_VID: 1367 vid_numeric = check_vendorid(pa->ptr); 1368 handle_vendorid(iph1, vid_numeric); 1369 break; 1370 case ISAKMP_NPTYPE_CERT: 1371 if (oakley_savecert(iph1, pa->ptr) < 0) 1372 goto end; 1373 break; 1374 case ISAKMP_NPTYPE_SIG: 1375 if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) 1376 goto end; 1377 break; 1378 case ISAKMP_NPTYPE_N: 1379 isakmp_log_notify(iph1, 1380 (struct isakmp_pl_n *) pa->ptr, 1381 "aggressive exchange"); 1382 break; 1383 1384 #ifdef ENABLE_NATT 1385 case ISAKMP_NPTYPE_NATD_DRAFT: 1386 case ISAKMP_NPTYPE_NATD_RFC: 1387 if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL && 1388 pa->type == iph1->natt_options->payload_nat_d) 1389 { 1390 vchar_t *natd_received = NULL; 1391 int natd_verified; 1392 1393 if (isakmp_p2ph (&natd_received, pa->ptr) < 0) 1394 goto end; 1395 1396 if (natd_seq == 0) 1397 iph1->natt_flags |= NAT_DETECTED; 1398 1399 natd_verified = natt_compare_addr_hash (iph1, 1400 natd_received, natd_seq++); 1401 1402 plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n", 1403 natd_seq - 1, 1404 natd_verified ? "verified" : "doesn't match"); 1405 1406 vfree (natd_received); 1407 break; 1408 } 1409 /* passthrough to default... */ 1410 #endif 1411 1412 default: 1413 /* don't send information, see isakmp_ident_r1() */ 1414 plog(LLV_ERROR, LOCATION, iph1->remote, 1415 "ignore the packet, " 1416 "received unexpecting payload type %d.\n", 1417 pa->type); 1418 goto end; 1419 } 1420 } 1421 1422 #ifdef ENABLE_NATT 1423 if (NATT_AVAILABLE(iph1)) 1424 plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n", 1425 iph1->natt_flags & NAT_DETECTED ? 1426 "detected:" : "not detected", 1427 iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "", 1428 iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : ""); 1429 #endif 1430 1431 /* validate authentication value */ 1432 ptype = oakley_validate_auth(iph1); 1433 if (ptype != 0) { 1434 if (ptype == -1) { 1435 /* message printed inner oakley_validate_auth() */ 1436 goto end; 1437 } 1438 evt_phase1(iph1, EVT_PHASE1_AUTH_FAILED, NULL); 1439 isakmp_info_send_n1(iph1, ptype, NULL); 1440 goto end; 1441 } 1442 1443 iph1->status = PHASE1ST_MSG2RECEIVED; 1444 1445 error = 0; 1446 1447 end: 1448 if (pbuf) 1449 vfree(pbuf); 1450 if (msg) 1451 vfree(msg); 1452 if (error) { 1453 oakley_delcert(iph1->cert_p); 1454 iph1->cert_p = NULL; 1455 oakley_delcert(iph1->crl_p); 1456 iph1->crl_p = NULL; 1457 VPTRINIT(iph1->sig_p); 1458 } 1459 1460 return error; 1461 } 1462 1463 /* 1464 * status update and establish isakmp sa. 1465 */ 1466 int 1467 agg_r2send(iph1, msg) 1468 struct ph1handle *iph1; 1469 vchar_t *msg; 1470 { 1471 int error = -1; 1472 1473 /* validity check */ 1474 if (iph1->status != PHASE1ST_MSG2RECEIVED) { 1475 plog(LLV_ERROR, LOCATION, NULL, 1476 "status mismatched %d.\n", iph1->status); 1477 goto end; 1478 } 1479 1480 /* IV synchronized when packet encrypted. */ 1481 /* see handler.h about IV synchronization. */ 1482 if (ISSET(((struct isakmp *)msg->v)->flags, ISAKMP_FLAG_E)) 1483 memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->iv->l); 1484 1485 /* set encryption flag */ 1486 iph1->flags |= ISAKMP_FLAG_E; 1487 1488 iph1->status = PHASE1ST_ESTABLISHED; 1489 1490 error = 0; 1491 1492 end: 1493 return error; 1494 } 1495