1 /* $NetBSD: oakley.c,v 1.28 2021/12/05 08:19:57 msaitoh Exp $ */ 2 3 /* Id: oakley.c,v 1.32 2006/05/26 12:19:46 manubsd Exp */ 4 5 /* 6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of the project nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include "config.h" 35 36 #include <sys/types.h> 37 #include <sys/param.h> 38 #include <sys/socket.h> /* XXX for subjectaltname */ 39 #include <netinet/in.h> /* XXX for subjectaltname */ 40 41 #include <openssl/pkcs7.h> 42 #include <openssl/x509.h> 43 44 #include <stdlib.h> 45 #include <stdio.h> 46 #include <string.h> 47 #include <errno.h> 48 49 #if TIME_WITH_SYS_TIME 50 # include <sys/time.h> 51 # include <time.h> 52 #else 53 # if HAVE_SYS_TIME_H 54 # include <sys/time.h> 55 # else 56 # include <time.h> 57 # endif 58 #endif 59 #ifdef ENABLE_HYBRID 60 #include <resolv.h> 61 #endif 62 63 #include "var.h" 64 #include "misc.h" 65 #include "vmbuf.h" 66 #include "str2val.h" 67 #include "plog.h" 68 #include "debug.h" 69 70 #include "isakmp_var.h" 71 #include "isakmp.h" 72 #ifdef ENABLE_HYBRID 73 #include "isakmp_xauth.h" 74 #include "isakmp_cfg.h" 75 #endif 76 #include "oakley.h" 77 #include "admin.h" 78 #include "privsep.h" 79 #include "localconf.h" 80 #include "remoteconf.h" 81 #include "policy.h" 82 #include "handler.h" 83 #include "ipsec_doi.h" 84 #include "algorithm.h" 85 #include "dhgroup.h" 86 #include "sainfo.h" 87 #include "proposal.h" 88 #include "crypto_openssl.h" 89 #include "dnssec.h" 90 #include "sockmisc.h" 91 #include "strnames.h" 92 #include "gcmalloc.h" 93 #include "rsalist.h" 94 95 #ifdef HAVE_GSSAPI 96 #include "gssapi.h" 97 #endif 98 99 #define OUTBOUND_SA 0 100 #define INBOUND_SA 1 101 102 #define INITDHVAL(a, s, d, t) \ 103 do { \ 104 vchar_t buf; \ 105 buf.v = str2val((s), 16, &buf.l); \ 106 memset(&a, 0, sizeof(struct dhgroup)); \ 107 a.type = (t); \ 108 a.prime = vdup(&buf); \ 109 a.gen1 = 2; \ 110 a.gen2 = 0; \ 111 racoon_free(buf.v); \ 112 } while(0); 113 114 struct dhgroup dh_modp768; 115 struct dhgroup dh_modp1024; 116 struct dhgroup dh_modp1536; 117 struct dhgroup dh_modp2048; 118 struct dhgroup dh_modp3072; 119 struct dhgroup dh_modp4096; 120 struct dhgroup dh_modp6144; 121 struct dhgroup dh_modp8192; 122 123 124 static int oakley_check_dh_pub __P((vchar_t *, vchar_t **)); 125 static int oakley_compute_keymat_x __P((struct ph2handle *, int, int)); 126 static int oakley_check_certid __P((struct ph1handle *iph1)); 127 static int check_typeofcertname __P((int, int)); 128 static int oakley_padlen __P((int, int)); 129 static int get_plainrsa_fromlocal __P((struct ph1handle *, int)); 130 131 int oakley_get_certtype(cert) 132 vchar_t *cert; 133 { 134 if (cert == NULL) 135 return ISAKMP_CERT_NONE; 136 137 return cert->v[0]; 138 } 139 140 static vchar_t * 141 dump_isakmp_payload(struct isakmp_gen *gen) 142 { 143 vchar_t p; 144 145 if (ntohs(gen->len) <= sizeof(*gen)) { 146 plog(LLV_ERROR, LOCATION, NULL, 147 "Len is too small !!.\n"); 148 return NULL; 149 } 150 151 p.v = (caddr_t) (gen + 1); 152 p.l = ntohs(gen->len) - sizeof(*gen); 153 154 return vdup(&p); 155 } 156 157 static vchar_t * 158 dump_x509(X509 *cert) 159 { 160 vchar_t *pl; 161 u_char *bp; 162 int len; 163 164 len = i2d_X509(cert, NULL); 165 166 pl = vmalloc(len + 1); 167 if (pl == NULL) { 168 plog(LLV_ERROR, LOCATION, NULL, 169 "Failed to copy CERT from packet.\n"); 170 return NULL; 171 } 172 173 pl->v[0] = ISAKMP_CERT_X509SIGN; 174 bp = (u_char *) &pl->v[1]; 175 i2d_X509(cert, &bp); 176 177 return pl; 178 } 179 180 181 182 int 183 oakley_get_defaultlifetime() 184 { 185 return OAKLEY_ATTR_SA_LD_SEC_DEFAULT; 186 } 187 188 int 189 oakley_dhinit() 190 { 191 /* set DH MODP */ 192 INITDHVAL(dh_modp768, OAKLEY_PRIME_MODP768, 193 OAKLEY_ATTR_GRP_DESC_MODP768, OAKLEY_ATTR_GRP_TYPE_MODP); 194 INITDHVAL(dh_modp1024, OAKLEY_PRIME_MODP1024, 195 OAKLEY_ATTR_GRP_DESC_MODP1024, OAKLEY_ATTR_GRP_TYPE_MODP); 196 INITDHVAL(dh_modp1536, OAKLEY_PRIME_MODP1536, 197 OAKLEY_ATTR_GRP_DESC_MODP1536, OAKLEY_ATTR_GRP_TYPE_MODP); 198 INITDHVAL(dh_modp2048, OAKLEY_PRIME_MODP2048, 199 OAKLEY_ATTR_GRP_DESC_MODP2048, OAKLEY_ATTR_GRP_TYPE_MODP); 200 INITDHVAL(dh_modp3072, OAKLEY_PRIME_MODP3072, 201 OAKLEY_ATTR_GRP_DESC_MODP3072, OAKLEY_ATTR_GRP_TYPE_MODP); 202 INITDHVAL(dh_modp4096, OAKLEY_PRIME_MODP4096, 203 OAKLEY_ATTR_GRP_DESC_MODP4096, OAKLEY_ATTR_GRP_TYPE_MODP); 204 INITDHVAL(dh_modp6144, OAKLEY_PRIME_MODP6144, 205 OAKLEY_ATTR_GRP_DESC_MODP6144, OAKLEY_ATTR_GRP_TYPE_MODP); 206 INITDHVAL(dh_modp8192, OAKLEY_PRIME_MODP8192, 207 OAKLEY_ATTR_GRP_DESC_MODP8192, OAKLEY_ATTR_GRP_TYPE_MODP); 208 209 return 0; 210 } 211 212 void 213 oakley_dhgrp_free(dhgrp) 214 struct dhgroup *dhgrp; 215 { 216 if (dhgrp->prime) 217 vfree(dhgrp->prime); 218 if (dhgrp->curve_a) 219 vfree(dhgrp->curve_a); 220 if (dhgrp->curve_b) 221 vfree(dhgrp->curve_b); 222 if (dhgrp->order) 223 vfree(dhgrp->order); 224 racoon_free(dhgrp); 225 } 226 227 /* 228 * RFC2409 5 229 * The length of the Diffie-Hellman public value MUST be equal to the 230 * length of the prime modulus over which the exponentiation was 231 * performed, prepending zero bits to the value if necessary. 232 */ 233 static int 234 oakley_check_dh_pub(prime, pub0) 235 vchar_t *prime, **pub0; 236 { 237 vchar_t *tmp; 238 vchar_t *pub = *pub0; 239 240 if (prime->l == pub->l) 241 return 0; 242 243 if (prime->l < pub->l) { 244 /* what should i do ? */ 245 plog(LLV_ERROR, LOCATION, NULL, 246 "invalid public information was generated.\n"); 247 return -1; 248 } 249 250 /* prime->l > pub->l */ 251 tmp = vmalloc(prime->l); 252 if (tmp == NULL) { 253 plog(LLV_ERROR, LOCATION, NULL, 254 "failed to get DH buffer.\n"); 255 return -1; 256 } 257 memcpy(tmp->v + prime->l - pub->l, pub->v, pub->l); 258 259 vfree(*pub0); 260 *pub0 = tmp; 261 262 return 0; 263 } 264 265 /* 266 * compute sharing secret of DH 267 * IN: *dh, *pub, *priv, *pub_p 268 * OUT: **gxy 269 */ 270 int 271 oakley_dh_compute(dh, pub, priv, pub_p, gxy) 272 const struct dhgroup *dh; 273 vchar_t *pub, *priv, *pub_p, **gxy; 274 { 275 #ifdef ENABLE_STATS 276 struct timeval start, end; 277 #endif 278 if ((*gxy = vmalloc(dh->prime->l)) == NULL) { 279 plog(LLV_ERROR, LOCATION, NULL, 280 "failed to get DH buffer.\n"); 281 return -1; 282 } 283 284 #ifdef ENABLE_STATS 285 gettimeofday(&start, NULL); 286 #endif 287 switch (dh->type) { 288 case OAKLEY_ATTR_GRP_TYPE_MODP: 289 if (eay_dh_compute(dh->prime, dh->gen1, pub, priv, pub_p, gxy) < 0) { 290 plog(LLV_ERROR, LOCATION, NULL, 291 "failed to compute dh value.\n"); 292 return -1; 293 } 294 break; 295 case OAKLEY_ATTR_GRP_TYPE_ECP: 296 case OAKLEY_ATTR_GRP_TYPE_EC2N: 297 plog(LLV_ERROR, LOCATION, NULL, 298 "dh type %d isn't supported.\n", dh->type); 299 return -1; 300 default: 301 plog(LLV_ERROR, LOCATION, NULL, 302 "invalid dh type %d.\n", dh->type); 303 return -1; 304 } 305 306 #ifdef ENABLE_STATS 307 gettimeofday(&end, NULL); 308 syslog(LOG_NOTICE, "%s(%s%zu): %8.6f", __func__, 309 s_attr_isakmp_group(dh->type), dh->prime->l << 3, 310 timedelta(&start, &end)); 311 #endif 312 313 plog(LLV_DEBUG, LOCATION, NULL, "compute DH's shared.\n"); 314 plogdump(LLV_DEBUG, (*gxy)->v, (*gxy)->l); 315 316 return 0; 317 } 318 319 /* 320 * generate values of DH 321 * IN: *dh 322 * OUT: **pub, **priv 323 */ 324 int 325 oakley_dh_generate(dh, pub, priv) 326 const struct dhgroup *dh; 327 vchar_t **pub, **priv; 328 { 329 #ifdef ENABLE_STATS 330 struct timeval start, end; 331 gettimeofday(&start, NULL); 332 #endif 333 switch (dh->type) { 334 case OAKLEY_ATTR_GRP_TYPE_MODP: 335 if (eay_dh_generate(dh->prime, dh->gen1, dh->gen2, pub, priv) < 0) { 336 plog(LLV_ERROR, LOCATION, NULL, 337 "failed to compute dh value.\n"); 338 return -1; 339 } 340 break; 341 342 case OAKLEY_ATTR_GRP_TYPE_ECP: 343 case OAKLEY_ATTR_GRP_TYPE_EC2N: 344 plog(LLV_ERROR, LOCATION, NULL, 345 "dh type %d isn't supported.\n", dh->type); 346 return -1; 347 default: 348 plog(LLV_ERROR, LOCATION, NULL, 349 "invalid dh type %d.\n", dh->type); 350 return -1; 351 } 352 353 #ifdef ENABLE_STATS 354 gettimeofday(&end, NULL); 355 syslog(LOG_NOTICE, "%s(%s%zu): %8.6f", __func__, 356 s_attr_isakmp_group(dh->type), dh->prime->l << 3, 357 timedelta(&start, &end)); 358 #endif 359 360 if (oakley_check_dh_pub(dh->prime, pub) != 0) 361 return -1; 362 363 plog(LLV_DEBUG, LOCATION, NULL, "compute DH's private.\n"); 364 plogdump(LLV_DEBUG, (*priv)->v, (*priv)->l); 365 plog(LLV_DEBUG, LOCATION, NULL, "compute DH's public.\n"); 366 plogdump(LLV_DEBUG, (*pub)->v, (*pub)->l); 367 368 return 0; 369 } 370 371 /* 372 * copy pre-defined dhgroup values. 373 */ 374 int 375 oakley_setdhgroup(group, dhgrp) 376 int group; 377 struct dhgroup **dhgrp; 378 { 379 struct dhgroup *g; 380 381 *dhgrp = NULL; /* just make sure, initialize */ 382 383 g = alg_oakley_dhdef_group(group); 384 if (g == NULL) { 385 plog(LLV_ERROR, LOCATION, NULL, 386 "invalid DH parameter grp=%d.\n", group); 387 return -1; 388 } 389 390 if (!g->type || !g->prime || !g->gen1) { 391 /* unsuported */ 392 plog(LLV_ERROR, LOCATION, NULL, 393 "unsupported DH parameters grp=%d.\n", group); 394 return -1; 395 } 396 397 *dhgrp = racoon_calloc(1, sizeof(struct dhgroup)); 398 if (*dhgrp == NULL) { 399 plog(LLV_ERROR, LOCATION, NULL, 400 "failed to get DH buffer.\n"); 401 return 0; 402 } 403 404 /* set defined dh values */ 405 memcpy(*dhgrp, g, sizeof(*g)); 406 (*dhgrp)->prime = vdup(g->prime); 407 408 return 0; 409 } 410 411 /* 412 * PRF 413 * 414 * NOTE: we do not support prf with different input/output bitwidth, 415 * so we do not implement RFC2409 Appendix B (DOORAK-MAC example) in 416 * oakley_compute_keymat(). If you add support for such prf function, 417 * modify oakley_compute_keymat() accordingly. 418 */ 419 vchar_t * 420 oakley_prf(key, buf, iph1) 421 vchar_t *key, *buf; 422 struct ph1handle *iph1; 423 { 424 vchar_t *res = NULL; 425 int type; 426 427 if (iph1->approval == NULL) { 428 /* 429 * it's before negotiating hash algorithm. 430 * We use md5 as default. 431 */ 432 type = OAKLEY_ATTR_HASH_ALG_MD5; 433 } else 434 type = iph1->approval->hashtype; 435 436 res = alg_oakley_hmacdef_one(type, key, buf); 437 if (res == NULL) { 438 plog(LLV_ERROR, LOCATION, NULL, 439 "invalid hmac algorithm %d.\n", type); 440 return NULL; 441 } 442 443 return res; 444 } 445 446 /* 447 * hash 448 */ 449 vchar_t * 450 oakley_hash(buf, iph1) 451 vchar_t *buf; 452 struct ph1handle *iph1; 453 { 454 vchar_t *res = NULL; 455 int type; 456 457 if (iph1->approval == NULL) { 458 /* 459 * it's before negotiating hash algorithm. 460 * We use md5 as default. 461 */ 462 type = OAKLEY_ATTR_HASH_ALG_MD5; 463 } else 464 type = iph1->approval->hashtype; 465 466 res = alg_oakley_hashdef_one(type, buf); 467 if (res == NULL) { 468 plog(LLV_ERROR, LOCATION, NULL, 469 "invalid hash algorithm %d.\n", type); 470 return NULL; 471 } 472 473 return res; 474 } 475 476 /* 477 * compute KEYMAT 478 * see seciton 5.5 Phase 2 - Quick Mode in isakmp-oakley-05. 479 */ 480 int 481 oakley_compute_keymat(iph2, side) 482 struct ph2handle *iph2; 483 int side; 484 { 485 int error = -1; 486 487 /* compute sharing secret of DH when PFS */ 488 if (iph2->approval->pfs_group && iph2->dhpub_p) { 489 if (oakley_dh_compute(iph2->pfsgrp, iph2->dhpub, 490 iph2->dhpriv, iph2->dhpub_p, &iph2->dhgxy) < 0) 491 goto end; 492 } 493 494 /* compute keymat */ 495 if (oakley_compute_keymat_x(iph2, side, INBOUND_SA) < 0 496 || oakley_compute_keymat_x(iph2, side, OUTBOUND_SA) < 0) 497 goto end; 498 499 plog(LLV_DEBUG, LOCATION, NULL, "KEYMAT computed.\n"); 500 501 error = 0; 502 503 end: 504 return error; 505 } 506 507 /* 508 * compute KEYMAT. 509 * KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b). 510 * If PFS is desired and KE payloads were exchanged, 511 * KEYMAT = prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b) 512 * 513 * NOTE: we do not support prf with different input/output bitwidth, 514 * so we do not implement RFC2409 Appendix B (DOORAK-MAC example). 515 */ 516 static int 517 oakley_compute_keymat_x(iph2, side, sa_dir) 518 struct ph2handle *iph2; 519 int side; 520 int sa_dir; 521 { 522 vchar_t *buf = NULL, *res = NULL, *bp; 523 char *p; 524 int len; 525 int error = -1; 526 int pfs = 0; 527 int dupkeymat; /* generate K[1-dupkeymat] */ 528 struct saproto *pr; 529 struct satrns *tr; 530 int encklen, authklen, l; 531 532 pfs = ((iph2->approval->pfs_group && iph2->dhgxy) ? 1 : 0); 533 534 len = pfs ? iph2->dhgxy->l : 0; 535 len += (1 536 + sizeof(u_int32_t) /* XXX SPI size */ 537 + iph2->nonce->l 538 + iph2->nonce_p->l); 539 buf = vmalloc(len); 540 if (buf == NULL) { 541 plog(LLV_ERROR, LOCATION, NULL, 542 "failed to get keymat buffer.\n"); 543 goto end; 544 } 545 546 for (pr = iph2->approval->head; pr != NULL; pr = pr->next) { 547 p = buf->v; 548 549 /* if PFS */ 550 if (pfs) { 551 memcpy(p, iph2->dhgxy->v, iph2->dhgxy->l); 552 p += iph2->dhgxy->l; 553 } 554 555 p[0] = pr->proto_id; 556 p += 1; 557 558 memcpy(p, (sa_dir == INBOUND_SA ? &pr->spi : &pr->spi_p), 559 sizeof(pr->spi)); 560 p += sizeof(pr->spi); 561 562 bp = (side == INITIATOR ? iph2->nonce : iph2->nonce_p); 563 memcpy(p, bp->v, bp->l); 564 p += bp->l; 565 566 bp = (side == INITIATOR ? iph2->nonce_p : iph2->nonce); 567 memcpy(p, bp->v, bp->l); 568 p += bp->l; 569 570 /* compute IV */ 571 plog(LLV_DEBUG, LOCATION, NULL, "KEYMAT compute with\n"); 572 plogdump(LLV_DEBUG, buf->v, buf->l); 573 574 /* res = K1 */ 575 res = oakley_prf(iph2->ph1->skeyid_d, buf, iph2->ph1); 576 if (res == NULL) 577 goto end; 578 579 /* compute key length needed */ 580 encklen = authklen = 0; 581 switch (pr->proto_id) { 582 case IPSECDOI_PROTO_IPSEC_ESP: 583 for (tr = pr->head; tr; tr = tr->next) { 584 l = alg_ipsec_encdef_keylen(tr->trns_id, 585 tr->encklen); 586 if (l > encklen) 587 encklen = l; 588 589 l = alg_ipsec_hmacdef_hashlen(tr->authtype); 590 if (l > authklen) 591 authklen = l; 592 } 593 break; 594 case IPSECDOI_PROTO_IPSEC_AH: 595 for (tr = pr->head; tr; tr = tr->next) { 596 l = alg_ipsec_hmacdef_hashlen(tr->trns_id); 597 if (l > authklen) 598 authklen = l; 599 } 600 break; 601 default: 602 break; 603 } 604 plog(LLV_DEBUG, LOCATION, NULL, "encklen=%d authklen=%d\n", 605 encklen, authklen); 606 607 dupkeymat = (encklen + authklen) / 8 / res->l; 608 dupkeymat += 2; /* safety mergin */ 609 if (dupkeymat < 3) 610 dupkeymat = 3; 611 plog(LLV_DEBUG, LOCATION, NULL, 612 "generating %zu bits of key (dupkeymat=%d)\n", 613 dupkeymat * 8 * res->l, dupkeymat); 614 if (0 < --dupkeymat) { 615 vchar_t *prev = res; /* K(n-1) */ 616 vchar_t *seed = NULL; /* seed for Kn */ 617 size_t l; 618 619 /* 620 * generating long key (isakmp-oakley-08 5.5) 621 * KEYMAT = K1 | K2 | K3 | ... 622 * where 623 * src = [ g(qm)^xy | ] protocol | SPI | Ni_b | Nr_b 624 * K1 = prf(SKEYID_d, src) 625 * K2 = prf(SKEYID_d, K1 | src) 626 * K3 = prf(SKEYID_d, K2 | src) 627 * Kn = prf(SKEYID_d, K(n-1) | src) 628 */ 629 plog(LLV_DEBUG, LOCATION, NULL, 630 "generating K1...K%d for KEYMAT.\n", 631 dupkeymat + 1); 632 633 seed = vmalloc(prev->l + buf->l); 634 if (seed == NULL) { 635 plog(LLV_ERROR, LOCATION, NULL, 636 "failed to get keymat buffer.\n"); 637 if (prev && prev != res) 638 vfree(prev); 639 goto end; 640 } 641 642 while (dupkeymat--) { 643 vchar_t *this = NULL; /* Kn */ 644 int update_prev; 645 646 memcpy(seed->v, prev->v, prev->l); 647 memcpy(seed->v + prev->l, buf->v, buf->l); 648 this = oakley_prf(iph2->ph1->skeyid_d, seed, 649 iph2->ph1); 650 if (!this) { 651 plog(LLV_ERROR, LOCATION, NULL, 652 "oakley_prf memory overflow\n"); 653 if (prev && prev != res) 654 vfree(prev); 655 vfree(this); 656 vfree(seed); 657 goto end; 658 } 659 660 update_prev = (prev && prev == res) ? 1 : 0; 661 662 l = res->l; 663 res = vrealloc(res, l + this->l); 664 665 if (update_prev) 666 prev = res; 667 668 if (res == NULL) { 669 plog(LLV_ERROR, LOCATION, NULL, 670 "failed to get keymat buffer.\n"); 671 if (prev && prev != res) 672 vfree(prev); 673 vfree(this); 674 vfree(seed); 675 goto end; 676 } 677 memcpy(res->v + l, this->v, this->l); 678 679 if (prev && prev != res) 680 vfree(prev); 681 prev = this; 682 this = NULL; 683 } 684 685 if (prev && prev != res) 686 vfree(prev); 687 vfree(seed); 688 } 689 690 plogdump(LLV_DEBUG, res->v, res->l); 691 692 if (sa_dir == INBOUND_SA) 693 pr->keymat = res; 694 else 695 pr->keymat_p = res; 696 res = NULL; 697 } 698 699 error = 0; 700 701 end: 702 if (error) { 703 for (pr = iph2->approval->head; pr != NULL; pr = pr->next) { 704 if (pr->keymat) { 705 vfree(pr->keymat); 706 pr->keymat = NULL; 707 } 708 if (pr->keymat_p) { 709 vfree(pr->keymat_p); 710 pr->keymat_p = NULL; 711 } 712 } 713 } 714 715 if (buf != NULL) 716 vfree(buf); 717 if (res) 718 vfree(res); 719 720 return error; 721 } 722 723 #if notyet 724 /* 725 * NOTE: Must terminate by NULL. 726 */ 727 vchar_t * 728 oakley_compute_hashx(struct ph1handle *iph1, ...) 729 { 730 vchar_t *buf, *res; 731 vchar_t *s; 732 caddr_t p; 733 int len; 734 735 va_list ap; 736 737 /* get buffer length */ 738 va_start(ap, iph1); 739 len = 0; 740 while ((s = va_arg(ap, vchar_t *)) != NULL) { 741 len += s->l 742 } 743 va_end(ap); 744 745 buf = vmalloc(len); 746 if (buf == NULL) { 747 plog(LLV_ERROR, LOCATION, NULL, 748 "failed to get hash buffer\n"); 749 return NULL; 750 } 751 752 /* set buffer */ 753 va_start(ap, iph1); 754 p = buf->v; 755 while ((s = va_arg(ap, char *)) != NULL) { 756 memcpy(p, s->v, s->l); 757 p += s->l; 758 } 759 va_end(ap); 760 761 plog(LLV_DEBUG, LOCATION, NULL, "HASH with: \n"); 762 plogdump(LLV_DEBUG, buf->v, buf->l); 763 764 /* compute HASH */ 765 res = oakley_prf(iph1->skeyid_a, buf, iph1); 766 vfree(buf); 767 if (res == NULL) 768 return NULL; 769 770 plog(LLV_DEBUG, LOCATION, NULL, "HASH computed:\n"); 771 plogdump(LLV_DEBUG, res->v, res->l); 772 773 return res; 774 } 775 #endif 776 777 /* 778 * compute HASH(3) prf(SKEYID_a, 0 | M-ID | Ni_b | Nr_b) 779 * see seciton 5.5 Phase 2 - Quick Mode in isakmp-oakley-05. 780 */ 781 vchar_t * 782 oakley_compute_hash3(iph1, msgid, body) 783 struct ph1handle *iph1; 784 u_int32_t msgid; 785 vchar_t *body; 786 { 787 vchar_t *buf = 0, *res = 0; 788 int len; 789 790 /* create buffer */ 791 len = 1 + sizeof(u_int32_t) + body->l; 792 buf = vmalloc(len); 793 if (buf == NULL) { 794 plog(LLV_DEBUG, LOCATION, NULL, 795 "failed to get hash buffer\n"); 796 goto end; 797 } 798 799 buf->v[0] = 0; 800 801 memcpy(buf->v + 1, (char *)&msgid, sizeof(msgid)); 802 803 memcpy(buf->v + 1 + sizeof(u_int32_t), body->v, body->l); 804 805 plog(LLV_DEBUG, LOCATION, NULL, "HASH with: \n"); 806 plogdump(LLV_DEBUG, buf->v, buf->l); 807 808 /* compute HASH */ 809 res = oakley_prf(iph1->skeyid_a, buf, iph1); 810 if (res == NULL) 811 goto end; 812 813 plog(LLV_DEBUG, LOCATION, NULL, "HASH computed:\n"); 814 plogdump(LLV_DEBUG, res->v, res->l); 815 816 end: 817 if (buf != NULL) 818 vfree(buf); 819 return res; 820 } 821 822 /* 823 * compute HASH type of prf(SKEYID_a, M-ID | buffer) 824 * e.g. 825 * for quick mode HASH(1): 826 * prf(SKEYID_a, M-ID | SA | Ni [ | KE ] [ | IDci | IDcr ]) 827 * for quick mode HASH(2): 828 * prf(SKEYID_a, M-ID | Ni_b | SA | Nr [ | KE ] [ | IDci | IDcr ]) 829 * for Informational exchange: 830 * prf(SKEYID_a, M-ID | N/D) 831 */ 832 vchar_t * 833 oakley_compute_hash1(iph1, msgid, body) 834 struct ph1handle *iph1; 835 u_int32_t msgid; 836 vchar_t *body; 837 { 838 vchar_t *buf = NULL, *res = NULL; 839 char *p; 840 int len; 841 842 /* create buffer */ 843 len = sizeof(u_int32_t) + body->l; 844 buf = vmalloc(len); 845 if (buf == NULL) { 846 plog(LLV_DEBUG, LOCATION, NULL, 847 "failed to get hash buffer\n"); 848 goto end; 849 } 850 851 p = buf->v; 852 853 memcpy(buf->v, (char *)&msgid, sizeof(msgid)); 854 p += sizeof(u_int32_t); 855 856 memcpy(p, body->v, body->l); 857 858 plog(LLV_DEBUG, LOCATION, NULL, "HASH with:\n"); 859 plogdump(LLV_DEBUG, buf->v, buf->l); 860 861 /* compute HASH */ 862 res = oakley_prf(iph1->skeyid_a, buf, iph1); 863 if (res == NULL) 864 goto end; 865 866 plog(LLV_DEBUG, LOCATION, NULL, "HASH computed:\n"); 867 plogdump(LLV_DEBUG, res->v, res->l); 868 869 end: 870 if (buf != NULL) 871 vfree(buf); 872 return res; 873 } 874 875 /* 876 * compute phase1 HASH 877 * main/aggressive 878 * I-digest = prf(SKEYID, g^i | g^r | CKY-I | CKY-R | SAi_b | ID_i1_b) 879 * R-digest = prf(SKEYID, g^r | g^i | CKY-R | CKY-I | SAi_b | ID_r1_b) 880 * for gssapi, also include all GSS tokens, and call gss_wrap on the result 881 */ 882 vchar_t * 883 oakley_ph1hash_common(iph1, sw) 884 struct ph1handle *iph1; 885 int sw; 886 { 887 vchar_t *buf = NULL, *res = NULL, *bp; 888 char *p, *bp2; 889 int len, bl; 890 #ifdef HAVE_GSSAPI 891 vchar_t *gsstokens = NULL; 892 #endif 893 894 /* create buffer */ 895 len = iph1->dhpub->l 896 + iph1->dhpub_p->l 897 + sizeof(cookie_t) * 2 898 + iph1->sa->l 899 + (sw == GENERATE ? iph1->id->l : iph1->id_p->l); 900 901 #ifdef HAVE_GSSAPI 902 if (iph1->approval->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) { 903 if (iph1->gi_i != NULL && iph1->gi_r != NULL) { 904 bp = (sw == GENERATE ? iph1->gi_i : iph1->gi_r); 905 len += bp->l; 906 } 907 if (sw == GENERATE) 908 gssapi_get_itokens(iph1, &gsstokens); 909 else 910 gssapi_get_rtokens(iph1, &gsstokens); 911 if (gsstokens == NULL) 912 return NULL; 913 len += gsstokens->l; 914 } 915 #endif 916 917 buf = vmalloc(len); 918 if (buf == NULL) { 919 plog(LLV_ERROR, LOCATION, NULL, 920 "failed to get hash buffer\n"); 921 goto end; 922 } 923 924 p = buf->v; 925 926 bp = (sw == GENERATE ? iph1->dhpub : iph1->dhpub_p); 927 memcpy(p, bp->v, bp->l); 928 p += bp->l; 929 930 bp = (sw == GENERATE ? iph1->dhpub_p : iph1->dhpub); 931 memcpy(p, bp->v, bp->l); 932 p += bp->l; 933 934 if (iph1->side == INITIATOR) 935 bp2 = (sw == GENERATE ? 936 (char *)&iph1->index.i_ck : (char *)&iph1->index.r_ck); 937 else 938 bp2 = (sw == GENERATE ? 939 (char *)&iph1->index.r_ck : (char *)&iph1->index.i_ck); 940 bl = sizeof(cookie_t); 941 memcpy(p, bp2, bl); 942 p += bl; 943 944 if (iph1->side == INITIATOR) 945 bp2 = (sw == GENERATE ? 946 (char *)&iph1->index.r_ck : (char *)&iph1->index.i_ck); 947 else 948 bp2 = (sw == GENERATE ? 949 (char *)&iph1->index.i_ck : (char *)&iph1->index.r_ck); 950 bl = sizeof(cookie_t); 951 memcpy(p, bp2, bl); 952 p += bl; 953 954 bp = iph1->sa; 955 memcpy(p, bp->v, bp->l); 956 p += bp->l; 957 958 bp = (sw == GENERATE ? iph1->id : iph1->id_p); 959 memcpy(p, bp->v, bp->l); 960 p += bp->l; 961 962 #ifdef HAVE_GSSAPI 963 if (iph1->approval->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) { 964 if (iph1->gi_i != NULL && iph1->gi_r != NULL) { 965 bp = (sw == GENERATE ? iph1->gi_i : iph1->gi_r); 966 memcpy(p, bp->v, bp->l); 967 p += bp->l; 968 } 969 memcpy(p, gsstokens->v, gsstokens->l); 970 p += gsstokens->l; 971 } 972 #endif 973 974 plog(LLV_DEBUG, LOCATION, NULL, "HASH with:\n"); 975 plogdump(LLV_DEBUG, buf->v, buf->l); 976 977 /* compute HASH */ 978 res = oakley_prf(iph1->skeyid, buf, iph1); 979 if (res == NULL) 980 goto end; 981 982 plog(LLV_DEBUG, LOCATION, NULL, "HASH (%s) computed:\n", 983 iph1->side == INITIATOR ? "init" : "resp"); 984 plogdump(LLV_DEBUG, res->v, res->l); 985 986 end: 987 if (buf != NULL) 988 vfree(buf); 989 #ifdef HAVE_GSSAPI 990 if (gsstokens != NULL) 991 vfree(gsstokens); 992 #endif 993 return res; 994 } 995 996 /* 997 * compute HASH_I on base mode. 998 * base:psk,rsa 999 * HASH_I = prf(SKEYID, g^xi | CKY-I | CKY-R | SAi_b | IDii_b) 1000 * base:sig 1001 * HASH_I = prf(hash(Ni_b | Nr_b), g^xi | CKY-I | CKY-R | SAi_b | IDii_b) 1002 */ 1003 vchar_t * 1004 oakley_ph1hash_base_i(iph1, sw) 1005 struct ph1handle *iph1; 1006 int sw; 1007 { 1008 vchar_t *buf = NULL, *res = NULL, *bp; 1009 vchar_t *hashkey = NULL; 1010 vchar_t *hash = NULL; /* for signature mode */ 1011 char *p; 1012 int len; 1013 1014 /* sanity check */ 1015 if (iph1->etype != ISAKMP_ETYPE_BASE) { 1016 plog(LLV_ERROR, LOCATION, NULL, 1017 "invalid etype for this hash function\n"); 1018 return NULL; 1019 } 1020 1021 switch (iph1->approval->authmethod) { 1022 case OAKLEY_ATTR_AUTH_METHOD_PSKEY: 1023 case OAKLEY_ATTR_AUTH_METHOD_RSAENC: 1024 case OAKLEY_ATTR_AUTH_METHOD_RSAREV: 1025 #ifdef ENABLE_HYBRID 1026 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I: 1027 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R: 1028 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I: 1029 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: 1030 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I: 1031 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R: 1032 #endif 1033 if (iph1->skeyid == NULL) { 1034 plog(LLV_ERROR, LOCATION, NULL, "no SKEYID found.\n"); 1035 return NULL; 1036 } 1037 hashkey = iph1->skeyid; 1038 break; 1039 1040 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: 1041 case OAKLEY_ATTR_AUTH_METHOD_RSASIG: 1042 #ifdef HAVE_GSSAPI 1043 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB: 1044 #endif 1045 #ifdef ENABLE_HYBRID 1046 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: 1047 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R: 1048 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: 1049 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R: 1050 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: 1051 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: 1052 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: 1053 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R: 1054 #endif 1055 /* make hash for seed */ 1056 len = iph1->nonce->l + iph1->nonce_p->l; 1057 buf = vmalloc(len); 1058 if (buf == NULL) { 1059 plog(LLV_ERROR, LOCATION, NULL, 1060 "failed to get hash buffer\n"); 1061 goto end; 1062 } 1063 p = buf->v; 1064 1065 bp = (sw == GENERATE ? iph1->nonce_p : iph1->nonce); 1066 memcpy(p, bp->v, bp->l); 1067 p += bp->l; 1068 1069 bp = (sw == GENERATE ? iph1->nonce : iph1->nonce_p); 1070 memcpy(p, bp->v, bp->l); 1071 p += bp->l; 1072 1073 hash = oakley_hash(buf, iph1); 1074 if (hash == NULL) 1075 goto end; 1076 vfree(buf); 1077 buf = NULL; 1078 1079 hashkey = hash; 1080 break; 1081 1082 default: 1083 plog(LLV_ERROR, LOCATION, NULL, 1084 "not supported authentication method %d\n", 1085 iph1->approval->authmethod); 1086 return NULL; 1087 1088 } 1089 1090 len = (sw == GENERATE ? iph1->dhpub->l : iph1->dhpub_p->l) 1091 + sizeof(cookie_t) * 2 1092 + iph1->sa->l 1093 + (sw == GENERATE ? iph1->id->l : iph1->id_p->l); 1094 buf = vmalloc(len); 1095 if (buf == NULL) { 1096 plog(LLV_ERROR, LOCATION, NULL, 1097 "failed to get hash buffer\n"); 1098 goto end; 1099 } 1100 p = buf->v; 1101 1102 bp = (sw == GENERATE ? iph1->dhpub : iph1->dhpub_p); 1103 memcpy(p, bp->v, bp->l); 1104 p += bp->l; 1105 1106 memcpy(p, &iph1->index.i_ck, sizeof(cookie_t)); 1107 p += sizeof(cookie_t); 1108 memcpy(p, &iph1->index.r_ck, sizeof(cookie_t)); 1109 p += sizeof(cookie_t); 1110 1111 memcpy(p, iph1->sa->v, iph1->sa->l); 1112 p += iph1->sa->l; 1113 1114 bp = (sw == GENERATE ? iph1->id : iph1->id_p); 1115 memcpy(p, bp->v, bp->l); 1116 p += bp->l; 1117 1118 plog(LLV_DEBUG, LOCATION, NULL, "HASH_I with:\n"); 1119 plogdump(LLV_DEBUG, buf->v, buf->l); 1120 1121 /* compute HASH */ 1122 res = oakley_prf(hashkey, buf, iph1); 1123 if (res == NULL) 1124 goto end; 1125 1126 plog(LLV_DEBUG, LOCATION, NULL, "HASH_I computed:\n"); 1127 plogdump(LLV_DEBUG, res->v, res->l); 1128 1129 end: 1130 if (hash != NULL) 1131 vfree(hash); 1132 if (buf != NULL) 1133 vfree(buf); 1134 return res; 1135 } 1136 1137 /* 1138 * compute HASH_R on base mode for signature method. 1139 * base: 1140 * HASH_R = prf(hash(Ni_b | Nr_b), g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b) 1141 */ 1142 vchar_t * 1143 oakley_ph1hash_base_r(iph1, sw) 1144 struct ph1handle *iph1; 1145 int sw; 1146 { 1147 vchar_t *buf = NULL, *res = NULL, *bp; 1148 vchar_t *hash = NULL; 1149 char *p; 1150 int len; 1151 1152 /* sanity check */ 1153 if (iph1->etype != ISAKMP_ETYPE_BASE) { 1154 plog(LLV_ERROR, LOCATION, NULL, 1155 "invalid etype for this hash function\n"); 1156 return NULL; 1157 } 1158 1159 switch (iph1->approval->authmethod) { 1160 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: 1161 case OAKLEY_ATTR_AUTH_METHOD_RSASIG: 1162 #ifdef ENABLE_HYBRID 1163 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: 1164 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R: 1165 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: 1166 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R: 1167 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: 1168 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: 1169 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: 1170 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R: 1171 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I: 1172 #endif 1173 break; 1174 default: 1175 plog(LLV_ERROR, LOCATION, NULL, 1176 "not supported authentication method %d\n", 1177 iph1->approval->authmethod); 1178 return NULL; 1179 break; 1180 } 1181 1182 /* make hash for seed */ 1183 len = iph1->nonce->l + iph1->nonce_p->l; 1184 buf = vmalloc(len); 1185 if (buf == NULL) { 1186 plog(LLV_ERROR, LOCATION, NULL, 1187 "failed to get hash buffer\n"); 1188 goto end; 1189 } 1190 p = buf->v; 1191 1192 bp = (sw == GENERATE ? iph1->nonce_p : iph1->nonce); 1193 memcpy(p, bp->v, bp->l); 1194 p += bp->l; 1195 1196 bp = (sw == GENERATE ? iph1->nonce : iph1->nonce_p); 1197 memcpy(p, bp->v, bp->l); 1198 p += bp->l; 1199 1200 hash = oakley_hash(buf, iph1); 1201 if (hash == NULL) 1202 goto end; 1203 vfree(buf); 1204 buf = NULL; 1205 1206 /* make really hash */ 1207 len = (sw == GENERATE ? iph1->dhpub_p->l : iph1->dhpub->l) 1208 + (sw == GENERATE ? iph1->dhpub->l : iph1->dhpub_p->l) 1209 + sizeof(cookie_t) * 2 1210 + iph1->sa->l 1211 + (sw == GENERATE ? iph1->id_p->l : iph1->id->l); 1212 buf = vmalloc(len); 1213 if (buf == NULL) { 1214 plog(LLV_ERROR, LOCATION, NULL, 1215 "failed to get hash buffer\n"); 1216 goto end; 1217 } 1218 p = buf->v; 1219 1220 1221 bp = (sw == GENERATE ? iph1->dhpub_p : iph1->dhpub); 1222 memcpy(p, bp->v, bp->l); 1223 p += bp->l; 1224 1225 bp = (sw == GENERATE ? iph1->dhpub : iph1->dhpub_p); 1226 memcpy(p, bp->v, bp->l); 1227 p += bp->l; 1228 1229 memcpy(p, &iph1->index.i_ck, sizeof(cookie_t)); 1230 p += sizeof(cookie_t); 1231 memcpy(p, &iph1->index.r_ck, sizeof(cookie_t)); 1232 p += sizeof(cookie_t); 1233 1234 memcpy(p, iph1->sa->v, iph1->sa->l); 1235 p += iph1->sa->l; 1236 1237 bp = (sw == GENERATE ? iph1->id_p : iph1->id); 1238 memcpy(p, bp->v, bp->l); 1239 p += bp->l; 1240 1241 plog(LLV_DEBUG, LOCATION, NULL, "HASH_R with:\n"); 1242 plogdump(LLV_DEBUG, buf->v, buf->l); 1243 1244 /* compute HASH */ 1245 res = oakley_prf(hash, buf, iph1); 1246 if (res == NULL) 1247 goto end; 1248 1249 plog(LLV_DEBUG, LOCATION, NULL, "HASH_R computed:\n"); 1250 plogdump(LLV_DEBUG, res->v, res->l); 1251 1252 end: 1253 if (buf != NULL) 1254 vfree(buf); 1255 if (hash) 1256 vfree(hash); 1257 return res; 1258 } 1259 1260 /* 1261 * compute each authentication method in phase 1. 1262 * OUT: 1263 * 0: OK 1264 * -1: error 1265 * other: error to be reply with notification. 1266 * the value is notification type. 1267 */ 1268 int 1269 oakley_validate_auth(iph1) 1270 struct ph1handle *iph1; 1271 { 1272 vchar_t *my_hash = NULL; 1273 int result; 1274 int no_verify_needed = -1; 1275 #ifdef HAVE_GSSAPI 1276 vchar_t *gsshash = NULL; 1277 #endif 1278 #ifdef ENABLE_STATS 1279 struct timeval start, end; 1280 #endif 1281 1282 #ifdef ENABLE_STATS 1283 gettimeofday(&start, NULL); 1284 #endif 1285 1286 switch (iph1->approval->authmethod) { 1287 case OAKLEY_ATTR_AUTH_METHOD_PSKEY: 1288 #ifdef ENABLE_HYBRID 1289 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I: 1290 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R: 1291 #endif 1292 /* validate HASH */ 1293 { 1294 char *r_hash; 1295 1296 if (iph1->id_p == NULL || iph1->pl_hash == NULL) { 1297 plog(LLV_ERROR, LOCATION, iph1->remote, 1298 "few isakmp message received.\n"); 1299 return ISAKMP_NTYPE_PAYLOAD_MALFORMED; 1300 } 1301 #ifdef ENABLE_HYBRID 1302 if (iph1->approval->authmethod == OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I && 1303 ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0)) 1304 { 1305 plog(LLV_ERROR, LOCATION, NULL, "No SIG was passed, " 1306 "hybrid auth is enabled, " 1307 "but peer is no Xauth compliant\n"); 1308 return ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED; 1309 break; 1310 } 1311 #endif 1312 r_hash = (caddr_t)(iph1->pl_hash + 1); 1313 1314 plog(LLV_DEBUG, LOCATION, NULL, "HASH received:\n"); 1315 plogdump(LLV_DEBUG, r_hash, 1316 ntohs(iph1->pl_hash->h.len) - sizeof(*iph1->pl_hash)); 1317 1318 switch (iph1->etype) { 1319 case ISAKMP_ETYPE_IDENT: 1320 case ISAKMP_ETYPE_AGG: 1321 my_hash = oakley_ph1hash_common(iph1, VALIDATE); 1322 break; 1323 case ISAKMP_ETYPE_BASE: 1324 if (iph1->side == INITIATOR) 1325 my_hash = oakley_ph1hash_common(iph1, VALIDATE); 1326 else 1327 my_hash = oakley_ph1hash_base_i(iph1, VALIDATE); 1328 break; 1329 default: 1330 plog(LLV_ERROR, LOCATION, NULL, 1331 "invalid etype %d\n", iph1->etype); 1332 return ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE; 1333 } 1334 if (my_hash == NULL) 1335 return ISAKMP_INTERNAL_ERROR; 1336 1337 result = memcmp(my_hash->v, r_hash, my_hash->l); 1338 vfree(my_hash); 1339 1340 if (result) { 1341 plog(LLV_ERROR, LOCATION, NULL, "HASH mismatched\n"); 1342 return ISAKMP_NTYPE_INVALID_HASH_INFORMATION; 1343 } 1344 1345 plog(LLV_DEBUG, LOCATION, NULL, "HASH for PSK validated.\n"); 1346 } 1347 break; 1348 #ifdef ENABLE_HYBRID 1349 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: 1350 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: 1351 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: 1352 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: 1353 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: 1354 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R: 1355 no_verify_needed = 0; 1356 #endif 1357 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: 1358 case OAKLEY_ATTR_AUTH_METHOD_RSASIG: 1359 { 1360 int error = 0; 1361 int certtype; 1362 1363 /* validation */ 1364 if (iph1->id_p == NULL) { 1365 plog(LLV_ERROR, LOCATION, iph1->remote, 1366 "no ID payload was passed.\n"); 1367 return ISAKMP_NTYPE_PAYLOAD_MALFORMED; 1368 } 1369 if (iph1->sig_p == NULL) { 1370 plog(LLV_ERROR, LOCATION, iph1->remote, 1371 "no SIG payload was passed.\n"); 1372 return ISAKMP_NTYPE_PAYLOAD_MALFORMED; 1373 } 1374 1375 plog(LLV_DEBUG, LOCATION, NULL, "SIGN passed:\n"); 1376 plogdump(LLV_DEBUG, iph1->sig_p->v, iph1->sig_p->l); 1377 1378 /* get peer's cert */ 1379 certtype = oakley_get_certtype(iph1->rmconf->peerscert); 1380 switch (certtype) { 1381 case ISAKMP_CERT_NONE: 1382 /* expect to receive one from peer */ 1383 if (iph1->cert_p == NULL) { 1384 plog(LLV_ERROR, LOCATION, NULL, 1385 "no peer's CERT payload found.\n"); 1386 return ISAKMP_INTERNAL_ERROR; 1387 } 1388 /* verify the cert if needed */ 1389 if (!iph1->rmconf->verify_cert) 1390 break; 1391 1392 switch (oakley_get_certtype(iph1->cert_p)) { 1393 case ISAKMP_CERT_X509SIGN: { 1394 char path[MAXPATHLEN]; 1395 char *ca; 1396 1397 if (iph1->rmconf->cacertfile != NULL) { 1398 getpathname(path, sizeof(path), 1399 LC_PATHTYPE_CERT, 1400 iph1->rmconf->cacertfile); 1401 ca = path; 1402 } else { 1403 ca = NULL; 1404 } 1405 1406 error = eay_check_x509cert( 1407 iph1->cert_p, 1408 lcconf->pathinfo[LC_PATHTYPE_CERT], 1409 ca, 0); 1410 break; 1411 } 1412 default: 1413 plog(LLV_ERROR, LOCATION, NULL, 1414 "peers_cert certtype %d was not expected\n", 1415 certtype); 1416 return ISAKMP_INTERNAL_ERROR; 1417 } 1418 1419 if (error != 0) { 1420 plog(LLV_ERROR, LOCATION, iph1->remote, 1421 "the peer's certificate is not verified.\n"); 1422 return ISAKMP_NTYPE_INVALID_CERT_AUTHORITY; 1423 } 1424 break; 1425 case ISAKMP_CERT_X509SIGN: 1426 if (iph1->rmconf->peerscert == NULL) { 1427 plog(LLV_ERROR, LOCATION, NULL, 1428 "no peer's CERT file found.\n"); 1429 return ISAKMP_INTERNAL_ERROR; 1430 } 1431 /* don't use received cert */ 1432 if (iph1->cert_p != NULL) { 1433 vfree(iph1->cert_p); 1434 iph1->cert_p = NULL; 1435 } 1436 /* copy from remoteconf instead */ 1437 iph1->cert_p = vdup(iph1->rmconf->peerscert); 1438 break; 1439 case ISAKMP_CERT_PLAINRSA: 1440 if (get_plainrsa_fromlocal(iph1, 0)) 1441 return ISAKMP_INTERNAL_ERROR; 1442 /* suppress CERT validation warning, unless hybrid mode in use */ 1443 if (no_verify_needed == -1) 1444 no_verify_needed = 1; 1445 break; 1446 case ISAKMP_CERT_DNS: 1447 /* don't use received cert */ 1448 if (iph1->cert_p != NULL) { 1449 vfree(iph1->cert_p); 1450 iph1->cert_p = NULL; 1451 } 1452 1453 iph1->cert_p = dnssec_getcert(iph1->id_p); 1454 if (iph1->cert_p == NULL) { 1455 plog(LLV_ERROR, LOCATION, NULL, 1456 "no CERT RR found.\n"); 1457 return ISAKMP_INTERNAL_ERROR; 1458 } 1459 break; 1460 default: 1461 plog(LLV_ERROR, LOCATION, NULL, 1462 "invalid certificate type: %d\n", 1463 oakley_get_certtype(iph1->rmconf->peerscert)); 1464 return ISAKMP_INTERNAL_ERROR; 1465 } 1466 1467 /* compare ID payload and certificate name */ 1468 if ((error = oakley_check_certid(iph1)) != 0) 1469 return error; 1470 1471 /* Generate a warning unless verify_cert */ 1472 if (iph1->rmconf->verify_cert) { 1473 plog(LLV_DEBUG, LOCATION, iph1->remote, 1474 "CERT validated\n"); 1475 } else if (no_verify_needed != 1) { 1476 plog(LLV_WARNING, LOCATION, iph1->remote, 1477 "CERT validation disabled by configuration\n"); 1478 } 1479 1480 /* compute hash */ 1481 switch (iph1->etype) { 1482 case ISAKMP_ETYPE_IDENT: 1483 case ISAKMP_ETYPE_AGG: 1484 my_hash = oakley_ph1hash_common(iph1, VALIDATE); 1485 break; 1486 case ISAKMP_ETYPE_BASE: 1487 if (iph1->side == INITIATOR) 1488 my_hash = oakley_ph1hash_base_r(iph1, VALIDATE); 1489 else 1490 my_hash = oakley_ph1hash_base_i(iph1, VALIDATE); 1491 break; 1492 default: 1493 plog(LLV_ERROR, LOCATION, NULL, 1494 "invalid etype %d\n", iph1->etype); 1495 return ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE; 1496 } 1497 if (my_hash == NULL) 1498 return ISAKMP_INTERNAL_ERROR; 1499 1500 /* check signature */ 1501 certtype = oakley_get_certtype(iph1->cert_p); 1502 if (certtype == ISAKMP_CERT_NONE) 1503 certtype = oakley_get_certtype(iph1->rmconf->peerscert); 1504 switch (certtype) { 1505 case ISAKMP_CERT_X509SIGN: 1506 case ISAKMP_CERT_DNS: 1507 error = eay_check_x509sign(my_hash, 1508 iph1->sig_p, 1509 iph1->cert_p); 1510 break; 1511 case ISAKMP_CERT_PLAINRSA: 1512 iph1->rsa_p = rsa_try_check_rsasign(my_hash, 1513 iph1->sig_p, iph1->rsa_candidates); 1514 error = iph1->rsa_p ? 0 : -1; 1515 genlist_free(iph1->rsa_candidates, NULL); 1516 iph1->rsa_candidates = NULL; 1517 break; 1518 default: 1519 plog(LLV_ERROR, LOCATION, NULL, 1520 "cannot check signature for certtype %d\n", 1521 certtype); 1522 vfree(my_hash); 1523 return ISAKMP_INTERNAL_ERROR; 1524 } 1525 1526 vfree(my_hash); 1527 if (error != 0) { 1528 plog(LLV_ERROR, LOCATION, NULL, 1529 "Invalid SIG.\n"); 1530 return ISAKMP_NTYPE_INVALID_SIGNATURE; 1531 } 1532 plog(LLV_DEBUG, LOCATION, NULL, "SIG authenticated\n"); 1533 } 1534 break; 1535 #ifdef ENABLE_HYBRID 1536 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R: 1537 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R: 1538 { 1539 if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) { 1540 plog(LLV_ERROR, LOCATION, NULL, "No SIG was passed, " 1541 "hybrid auth is enabled, " 1542 "but peer is no Xauth compliant\n"); 1543 return ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED; 1544 break; 1545 } 1546 plog(LLV_INFO, LOCATION, NULL, "No SIG was passed, " 1547 "but hybrid auth is enabled\n"); 1548 1549 return 0; 1550 break; 1551 } 1552 #endif 1553 #ifdef HAVE_GSSAPI 1554 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB: 1555 /* check if we're not into XAUTH_PSKEY_I instead */ 1556 #ifdef ENABLE_HYBRID 1557 if (iph1->rmconf->xauth) 1558 break; 1559 #endif 1560 switch (iph1->etype) { 1561 case ISAKMP_ETYPE_IDENT: 1562 case ISAKMP_ETYPE_AGG: 1563 my_hash = oakley_ph1hash_common(iph1, VALIDATE); 1564 break; 1565 default: 1566 plog(LLV_ERROR, LOCATION, NULL, 1567 "invalid etype %d\n", iph1->etype); 1568 return ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE; 1569 } 1570 1571 if (my_hash == NULL) { 1572 if (gssapi_more_tokens(iph1)) 1573 return ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE; 1574 else 1575 return ISAKMP_NTYPE_INVALID_HASH_INFORMATION; 1576 } 1577 1578 gsshash = gssapi_unwraphash(iph1); 1579 if (gsshash == NULL) { 1580 vfree(my_hash); 1581 return ISAKMP_NTYPE_INVALID_HASH_INFORMATION; 1582 } 1583 1584 result = memcmp(my_hash->v, gsshash->v, my_hash->l); 1585 vfree(my_hash); 1586 vfree(gsshash); 1587 1588 if (result) { 1589 plog(LLV_ERROR, LOCATION, NULL, "HASH mismatched\n"); 1590 return ISAKMP_NTYPE_INVALID_HASH_INFORMATION; 1591 } 1592 plog(LLV_DEBUG, LOCATION, NULL, "hash compared OK\n"); 1593 break; 1594 #endif 1595 case OAKLEY_ATTR_AUTH_METHOD_RSAENC: 1596 case OAKLEY_ATTR_AUTH_METHOD_RSAREV: 1597 #ifdef ENABLE_HYBRID 1598 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I: 1599 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R: 1600 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I: 1601 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: 1602 #endif 1603 if (iph1->id_p == NULL || iph1->pl_hash == NULL) { 1604 plog(LLV_ERROR, LOCATION, iph1->remote, 1605 "few isakmp message received.\n"); 1606 return ISAKMP_NTYPE_PAYLOAD_MALFORMED; 1607 } 1608 plog(LLV_ERROR, LOCATION, iph1->remote, 1609 "not supported authmethod type %s\n", 1610 s_oakley_attr_method(iph1->approval->authmethod)); 1611 return ISAKMP_INTERNAL_ERROR; 1612 default: 1613 plog(LLV_ERROR, LOCATION, iph1->remote, 1614 "invalid authmethod %d why ?\n", 1615 iph1->approval->authmethod); 1616 return ISAKMP_INTERNAL_ERROR; 1617 } 1618 #ifdef ENABLE_STATS 1619 gettimeofday(&end, NULL); 1620 syslog(LOG_NOTICE, "%s(%s): %8.6f", __func__, 1621 s_oakley_attr_method(iph1->approval->authmethod), 1622 timedelta(&start, &end)); 1623 #endif 1624 1625 return 0; 1626 } 1627 1628 /* get my certificate 1629 * NOTE: include certificate type. 1630 */ 1631 int 1632 oakley_getmycert(iph1) 1633 struct ph1handle *iph1; 1634 { 1635 switch (oakley_get_certtype(iph1->rmconf->mycert)) { 1636 case ISAKMP_CERT_X509SIGN: 1637 if (iph1->cert) 1638 return 0; 1639 iph1->cert = vdup(iph1->rmconf->mycert); 1640 break; 1641 case ISAKMP_CERT_PLAINRSA: 1642 if (iph1->rsa) 1643 return 0; 1644 return get_plainrsa_fromlocal(iph1, 1); 1645 default: 1646 plog(LLV_ERROR, LOCATION, NULL, 1647 "Unknown certtype #%d\n", 1648 oakley_get_certtype(iph1->rmconf->mycert)); 1649 return -1; 1650 } 1651 1652 return 0; 1653 } 1654 1655 static int 1656 get_plainrsa_fromlocal(iph1, my) 1657 struct ph1handle *iph1; 1658 int my; 1659 { 1660 int error = -1; 1661 1662 iph1->rsa_candidates = rsa_lookup_keys(iph1, my); 1663 if (!iph1->rsa_candidates || 1664 rsa_list_count(iph1->rsa_candidates) == 0) { 1665 plog(LLV_ERROR, LOCATION, NULL, 1666 "%s RSA key not found for %s\n", 1667 my ? "Private" : "Public", 1668 saddr2str_fromto("%s <-> %s", 1669 iph1->local, iph1->remote)); 1670 goto end; 1671 } 1672 1673 if (my && rsa_list_count(iph1->rsa_candidates) > 1) { 1674 plog(LLV_WARNING, LOCATION, NULL, 1675 "More than one (=%lu) private " 1676 "PlainRSA key found for %s\n", 1677 rsa_list_count(iph1->rsa_candidates), 1678 saddr2str_fromto("%s <-> %s", 1679 iph1->local, iph1->remote)); 1680 plog(LLV_WARNING, LOCATION, NULL, 1681 "This may have unpredictable results, " 1682 "i.e. wrong key could be used!\n"); 1683 plog(LLV_WARNING, LOCATION, NULL, 1684 "Consider using only one single private " 1685 "key for all peers...\n"); 1686 } 1687 if (my) { 1688 iph1->rsa = ((struct rsa_key *) 1689 genlist_next(iph1->rsa_candidates, NULL))->rsa; 1690 1691 genlist_free(iph1->rsa_candidates, NULL); 1692 iph1->rsa_candidates = NULL; 1693 1694 if (iph1->rsa == NULL) 1695 goto end; 1696 } 1697 1698 error = 0; 1699 1700 end: 1701 return error; 1702 } 1703 1704 /* get signature */ 1705 int 1706 oakley_getsign(iph1) 1707 struct ph1handle *iph1; 1708 { 1709 char path[MAXPATHLEN]; 1710 vchar_t *privkey = NULL; 1711 int error = -1; 1712 1713 switch (oakley_get_certtype(iph1->rmconf->mycert)) { 1714 case ISAKMP_CERT_X509SIGN: 1715 case ISAKMP_CERT_DNS: 1716 if (iph1->rmconf->myprivfile == NULL) { 1717 plog(LLV_ERROR, LOCATION, NULL, "no cert defined.\n"); 1718 goto end; 1719 } 1720 1721 /* make private file name */ 1722 getpathname(path, sizeof(path), 1723 LC_PATHTYPE_CERT, 1724 iph1->rmconf->myprivfile); 1725 privkey = privsep_eay_get_pkcs1privkey(path); 1726 if (privkey == NULL) { 1727 plog(LLV_ERROR, LOCATION, NULL, 1728 "failed to get private key.\n"); 1729 goto end; 1730 } 1731 plog(LLV_DEBUG2, LOCATION, NULL, "private key:\n"); 1732 plogdump(LLV_DEBUG2, privkey->v, privkey->l); 1733 iph1->sig = eay_get_x509sign(iph1->hash, privkey); 1734 break; 1735 case ISAKMP_CERT_PLAINRSA: 1736 iph1->sig = eay_get_rsasign(iph1->hash, iph1->rsa); 1737 break; 1738 default: 1739 plog(LLV_ERROR, LOCATION, NULL, 1740 "Unknown certtype #%d\n", 1741 oakley_get_certtype(iph1->rmconf->mycert)); 1742 goto end; 1743 } 1744 1745 if (iph1->sig == NULL) { 1746 plog(LLV_ERROR, LOCATION, NULL, "failed to sign.\n"); 1747 goto end; 1748 } 1749 1750 plog(LLV_DEBUG, LOCATION, NULL, "SIGN computed:\n"); 1751 plogdump(LLV_DEBUG, iph1->sig->v, iph1->sig->l); 1752 1753 error = 0; 1754 1755 end: 1756 if (privkey != NULL) 1757 vfree(privkey); 1758 1759 return error; 1760 } 1761 1762 /* 1763 * compare certificate name and ID value. 1764 */ 1765 static int 1766 oakley_check_certid(iph1) 1767 struct ph1handle *iph1; 1768 { 1769 struct ipsecdoi_id_b *id_b; 1770 vchar_t *name = NULL; 1771 char *altname = NULL; 1772 int idlen, type; 1773 int error; 1774 1775 if (iph1->rmconf == NULL || iph1->rmconf->verify_cert == FALSE) 1776 return 0; 1777 1778 if (iph1->id_p == NULL || iph1->cert_p == NULL) { 1779 plog(LLV_ERROR, LOCATION, iph1->remote, "no ID nor CERT found.\n"); 1780 return ISAKMP_NTYPE_INVALID_ID_INFORMATION; 1781 } 1782 1783 id_b = (struct ipsecdoi_id_b *)iph1->id_p->v; 1784 idlen = iph1->id_p->l - sizeof(*id_b); 1785 1786 switch (id_b->type) { 1787 case IPSECDOI_ID_DER_ASN1_DN: 1788 name = eay_get_x509asn1subjectname(iph1->cert_p); 1789 if (!name) { 1790 plog(LLV_ERROR, LOCATION, iph1->remote, 1791 "failed to get subjectName\n"); 1792 return ISAKMP_NTYPE_INVALID_CERTIFICATE; 1793 } 1794 if (idlen != name->l) { 1795 plog(LLV_ERROR, LOCATION, iph1->remote, 1796 "Invalid ID length in phase 1.\n"); 1797 vfree(name); 1798 return ISAKMP_NTYPE_INVALID_ID_INFORMATION; 1799 } 1800 error = memcmp(id_b + 1, name->v, idlen); 1801 if (error != 0) { 1802 plog(LLV_ERROR, LOCATION, iph1->remote, 1803 "ID mismatched with ASN1 SubjectName.\n"); 1804 plogdump(LLV_DEBUG, id_b + 1, idlen); 1805 plogdump(LLV_DEBUG, name->v, idlen); 1806 if (iph1->rmconf->verify_identifier) { 1807 vfree(name); 1808 return ISAKMP_NTYPE_INVALID_ID_INFORMATION; 1809 } 1810 } 1811 vfree(name); 1812 return 0; 1813 case IPSECDOI_ID_IPV4_ADDR: 1814 case IPSECDOI_ID_IPV6_ADDR: 1815 { 1816 /* 1817 * converting to binary from string because openssl return 1818 * a string even if object is a binary. 1819 * XXX fix it ! access by ASN.1 directly without. 1820 */ 1821 struct addrinfo hints, *res; 1822 caddr_t a = NULL; 1823 int pos; 1824 1825 for (pos = 1; ; pos++) { 1826 if (eay_get_x509subjectaltname(iph1->cert_p, 1827 &altname, &type, pos) !=0) { 1828 plog(LLV_ERROR, LOCATION, NULL, 1829 "failed to get subjectAltName\n"); 1830 return ISAKMP_NTYPE_INVALID_CERTIFICATE; 1831 } 1832 1833 /* it's the end condition of the loop. */ 1834 if (!altname) { 1835 plog(LLV_ERROR, LOCATION, NULL, 1836 "no proper subjectAltName.\n"); 1837 return ISAKMP_NTYPE_INVALID_CERTIFICATE; 1838 } 1839 1840 if (check_typeofcertname(id_b->type, type) == 0) 1841 break; 1842 1843 /* next name */ 1844 racoon_free(altname); 1845 altname = NULL; 1846 } 1847 memset(&hints, 0, sizeof(hints)); 1848 hints.ai_family = PF_UNSPEC; 1849 hints.ai_socktype = SOCK_RAW; 1850 hints.ai_flags = AI_NUMERICHOST; 1851 error = getaddrinfo(altname, NULL, &hints, &res); 1852 racoon_free(altname); 1853 altname = NULL; 1854 if (error != 0) { 1855 plog(LLV_ERROR, LOCATION, NULL, 1856 "no proper subjectAltName.\n"); 1857 return ISAKMP_NTYPE_INVALID_CERTIFICATE; 1858 } 1859 switch (res->ai_family) { 1860 case AF_INET: 1861 a = (caddr_t)&((struct sockaddr_in *)res->ai_addr)->sin_addr.s_addr; 1862 break; 1863 #ifdef INET6 1864 case AF_INET6: 1865 a = (caddr_t)&((struct sockaddr_in6 *)res->ai_addr)->sin6_addr.s6_addr; 1866 break; 1867 #endif 1868 default: 1869 plog(LLV_ERROR, LOCATION, NULL, 1870 "family not supported: %d.\n", res->ai_family); 1871 freeaddrinfo(res); 1872 return ISAKMP_NTYPE_INVALID_CERTIFICATE; 1873 } 1874 error = memcmp(id_b + 1, a, idlen); 1875 freeaddrinfo(res); 1876 vfree(name); 1877 if (error != 0) { 1878 plog(LLV_ERROR, LOCATION, NULL, 1879 "ID mismatched with subjectAltName.\n"); 1880 plogdump(LLV_DEBUG, id_b + 1, idlen); 1881 plogdump(LLV_DEBUG, a, idlen); 1882 if (iph1->rmconf->verify_identifier) 1883 return ISAKMP_NTYPE_INVALID_ID_INFORMATION; 1884 } 1885 return 0; 1886 } 1887 case IPSECDOI_ID_FQDN: 1888 case IPSECDOI_ID_USER_FQDN: 1889 { 1890 int pos; 1891 1892 for (pos = 1; ; pos++) { 1893 if (eay_get_x509subjectaltname(iph1->cert_p, 1894 &altname, &type, pos) != 0){ 1895 plog(LLV_ERROR, LOCATION, NULL, 1896 "failed to get subjectAltName\n"); 1897 return ISAKMP_NTYPE_INVALID_CERTIFICATE; 1898 } 1899 1900 /* it's the end condition of the loop. */ 1901 if (!altname) { 1902 plog(LLV_ERROR, LOCATION, NULL, 1903 "no proper subjectAltName.\n"); 1904 return ISAKMP_NTYPE_INVALID_CERTIFICATE; 1905 } 1906 1907 if (check_typeofcertname(id_b->type, type) == 0) 1908 break; 1909 1910 /* next name */ 1911 racoon_free(altname); 1912 altname = NULL; 1913 } 1914 if (idlen != strlen(altname)) { 1915 plog(LLV_ERROR, LOCATION, NULL, 1916 "Invalid ID length in phase 1.\n"); 1917 racoon_free(altname); 1918 return ISAKMP_NTYPE_INVALID_ID_INFORMATION; 1919 } 1920 if (check_typeofcertname(id_b->type, type) != 0) { 1921 plog(LLV_ERROR, LOCATION, NULL, 1922 "ID type mismatched. ID: %s CERT: %s.\n", 1923 s_ipsecdoi_ident(id_b->type), 1924 s_ipsecdoi_ident(type)); 1925 racoon_free(altname); 1926 return ISAKMP_NTYPE_INVALID_ID_INFORMATION; 1927 } 1928 error = memcmp(id_b + 1, altname, idlen); 1929 if (error) { 1930 plog(LLV_ERROR, LOCATION, NULL, "ID mismatched.\n"); 1931 plogdump(LLV_DEBUG, id_b + 1, idlen); 1932 plogdump(LLV_DEBUG, altname, idlen); 1933 racoon_free(altname); 1934 return ISAKMP_NTYPE_INVALID_ID_INFORMATION; 1935 } 1936 racoon_free(altname); 1937 return 0; 1938 } 1939 default: 1940 plog(LLV_ERROR, LOCATION, NULL, 1941 "Inpropper ID type passed: %s.\n", 1942 s_ipsecdoi_ident(id_b->type)); 1943 return ISAKMP_NTYPE_INVALID_ID_INFORMATION; 1944 } 1945 /*NOTREACHED*/ 1946 } 1947 1948 static int 1949 check_typeofcertname(doi, genid) 1950 int doi, genid; 1951 { 1952 switch (doi) { 1953 case IPSECDOI_ID_IPV4_ADDR: 1954 case IPSECDOI_ID_IPV4_ADDR_SUBNET: 1955 case IPSECDOI_ID_IPV6_ADDR: 1956 case IPSECDOI_ID_IPV6_ADDR_SUBNET: 1957 case IPSECDOI_ID_IPV4_ADDR_RANGE: 1958 case IPSECDOI_ID_IPV6_ADDR_RANGE: 1959 if (genid != GENT_IPADD) 1960 return -1; 1961 return 0; 1962 case IPSECDOI_ID_FQDN: 1963 if (genid != GENT_DNS) 1964 return -1; 1965 return 0; 1966 case IPSECDOI_ID_USER_FQDN: 1967 if (genid != GENT_EMAIL) 1968 return -1; 1969 return 0; 1970 case IPSECDOI_ID_DER_ASN1_DN: /* should not be passed to this function*/ 1971 case IPSECDOI_ID_DER_ASN1_GN: 1972 case IPSECDOI_ID_KEY_ID: 1973 default: 1974 return -1; 1975 } 1976 /*NOTREACHED*/ 1977 } 1978 1979 /* 1980 * save certificate including certificate type. 1981 */ 1982 int 1983 oakley_savecert(iph1, gen) 1984 struct ph1handle *iph1; 1985 struct isakmp_gen *gen; 1986 { 1987 vchar_t **c; 1988 u_int8_t type; 1989 STACK_OF(X509) *certs=NULL; 1990 PKCS7 *p7; 1991 1992 type = *(u_int8_t *)(gen + 1) & 0xff; 1993 1994 switch (type) { 1995 case ISAKMP_CERT_DNS: 1996 plog(LLV_WARNING, LOCATION, NULL, 1997 "CERT payload is unnecessary in DNSSEC. " 1998 "ignore this CERT payload.\n"); 1999 return 0; 2000 case ISAKMP_CERT_PKCS7: 2001 case ISAKMP_CERT_PGP: 2002 case ISAKMP_CERT_X509SIGN: 2003 case ISAKMP_CERT_KERBEROS: 2004 case ISAKMP_CERT_SPKI: 2005 c = &iph1->cert_p; 2006 break; 2007 case ISAKMP_CERT_CRL: 2008 c = &iph1->crl_p; 2009 break; 2010 case ISAKMP_CERT_X509KE: 2011 case ISAKMP_CERT_X509ATTR: 2012 case ISAKMP_CERT_ARL: 2013 plog(LLV_ERROR, LOCATION, NULL, 2014 "No supported such CERT type %d\n", type); 2015 return -1; 2016 default: 2017 plog(LLV_ERROR, LOCATION, NULL, 2018 "Invalid CERT type %d\n", type); 2019 return -1; 2020 } 2021 2022 /* XXX choice the 1th cert, ignore after the cert. */ 2023 /* XXX should be processed. */ 2024 if (*c) { 2025 plog(LLV_WARNING, LOCATION, NULL, 2026 "ignore 2nd CERT payload.\n"); 2027 return 0; 2028 } 2029 2030 if (type == ISAKMP_CERT_PKCS7) { 2031 u_char *bp; 2032 int i; 2033 2034 /* Skip the header */ 2035 bp = (u_char *)(gen + 1); 2036 /* And the first byte is the certificate type, 2037 * we know that already 2038 */ 2039 bp++; 2040 p7 = d2i_PKCS7(NULL, (void *)&bp, 2041 ntohs(gen->len) - sizeof(*gen) - 1); 2042 2043 if (!p7) { 2044 plog(LLV_ERROR, LOCATION, NULL, 2045 "Failed to parse PKCS#7 CERT.\n"); 2046 return -1; 2047 } 2048 2049 /* Copied this from the openssl pkcs7 application; 2050 * there"s little by way of documentation for any of 2051 * it. I can only presume it"s correct. 2052 */ 2053 2054 i = OBJ_obj2nid(p7->type); 2055 switch (i) { 2056 case NID_pkcs7_signed: 2057 certs=p7->d.sign->cert; 2058 break; 2059 case NID_pkcs7_signedAndEnveloped: 2060 certs=p7->d.signed_and_enveloped->cert; 2061 break; 2062 default: 2063 break; 2064 } 2065 2066 if (!certs) { 2067 plog(LLV_ERROR, LOCATION, NULL, 2068 "CERT PKCS#7 bundle contains no certs.\n"); 2069 PKCS7_free(p7); 2070 return -1; 2071 } 2072 2073 for (i = 0; i < sk_X509_num(certs); i++) { 2074 X509 *cert = sk_X509_value(certs,i); 2075 2076 plog(LLV_DEBUG, LOCATION, NULL, 2077 "Trying PKCS#7 cert %d.\n", i); 2078 2079 /* We'll just try each cert in turn */ 2080 *c = dump_x509(cert); 2081 2082 if (!*c) { 2083 plog(LLV_ERROR, LOCATION, NULL, 2084 "Failed to get CERT buffer.\n"); 2085 continue; 2086 } 2087 2088 /* Ignore cert if it doesn't match identity 2089 * XXX If verify cert is disabled, we still just take 2090 * the first certificate.... 2091 */ 2092 if (oakley_check_certid(iph1)) { 2093 plog(LLV_DEBUG, LOCATION, NULL, 2094 "Discarding CERT: does not match ID.\n"); 2095 vfree((*c)); 2096 *c = NULL; 2097 continue; 2098 } 2099 2100 { 2101 char *p = eay_get_x509text(*c); 2102 plog(LLV_DEBUG, LOCATION, NULL, "CERT saved:\n"); 2103 plogdump(LLV_DEBUG, (*c)->v, (*c)->l); 2104 plog(LLV_DEBUG, LOCATION, NULL, "%s", 2105 p ? p : "\n"); 2106 racoon_free(p); 2107 } 2108 break; 2109 } 2110 PKCS7_free(p7); 2111 } else { 2112 *c = dump_isakmp_payload(gen); 2113 if (!*c) { 2114 plog(LLV_ERROR, LOCATION, NULL, 2115 "Failed to get CERT buffer.\n"); 2116 return -1; 2117 } 2118 2119 switch (type) { 2120 case ISAKMP_CERT_PGP: 2121 case ISAKMP_CERT_X509SIGN: 2122 case ISAKMP_CERT_KERBEROS: 2123 case ISAKMP_CERT_SPKI: 2124 /* Ignore cert if it doesn't match identity 2125 * XXX If verify cert is disabled, we still just take 2126 * the first certificate.... 2127 */ 2128 if (oakley_check_certid(iph1)){ 2129 plog(LLV_DEBUG, LOCATION, NULL, 2130 "Discarding CERT: does not match ID.\n"); 2131 vfree((*c)); 2132 *c = NULL; 2133 return 0; 2134 } 2135 2136 { 2137 char *p = eay_get_x509text(*c); 2138 plog(LLV_DEBUG, LOCATION, NULL, "CERT saved:\n"); 2139 plogdump(LLV_DEBUG, (*c)->v, (*c)->l); 2140 plog(LLV_DEBUG, LOCATION, NULL, "%s", p ? p : "\n"); 2141 racoon_free(p); 2142 } 2143 break; 2144 case ISAKMP_CERT_CRL: 2145 plog(LLV_DEBUG, LOCATION, NULL, "CRL saved:\n"); 2146 plogdump(LLV_DEBUG, (*c)->v, (*c)->l); 2147 break; 2148 case ISAKMP_CERT_X509KE: 2149 case ISAKMP_CERT_X509ATTR: 2150 case ISAKMP_CERT_ARL: 2151 default: 2152 /* XXX */ 2153 vfree(*c); 2154 *c = NULL; 2155 return 0; 2156 } 2157 } 2158 2159 return 0; 2160 } 2161 2162 /* 2163 * save certificate including certificate type. 2164 */ 2165 int 2166 oakley_savecr(iph1, gen) 2167 struct ph1handle *iph1; 2168 struct isakmp_gen *gen; 2169 { 2170 vchar_t *cert; 2171 vchar_t **c; 2172 u_int8_t type; 2173 2174 type = *(u_int8_t *)(gen + 1) & 0xff; 2175 switch (type) { 2176 case ISAKMP_CERT_DNS: 2177 plog(LLV_WARNING, LOCATION, NULL, 2178 "CERT payload is unnecessary in DNSSEC\n"); 2179 /*FALLTHRU*/ 2180 case ISAKMP_CERT_PKCS7: 2181 case ISAKMP_CERT_PGP: 2182 case ISAKMP_CERT_X509SIGN: 2183 case ISAKMP_CERT_KERBEROS: 2184 case ISAKMP_CERT_SPKI: 2185 c = &iph1->cr_p; 2186 break; 2187 case ISAKMP_CERT_X509KE: 2188 case ISAKMP_CERT_X509ATTR: 2189 case ISAKMP_CERT_ARL: 2190 plog(LLV_ERROR, LOCATION, NULL, 2191 "No supported such CR type %d\n", type); 2192 return -1; 2193 case ISAKMP_CERT_CRL: 2194 default: 2195 plog(LLV_ERROR, LOCATION, NULL, 2196 "Invalid CR type %d\n", type); 2197 return -1; 2198 } 2199 2200 /* Already found an acceptable CR? */ 2201 if (*c != NULL) 2202 return 0; 2203 2204 cert = dump_isakmp_payload(gen); 2205 if (cert == NULL) { 2206 plog(LLV_ERROR, LOCATION, NULL, 2207 "Failed to get CR buffer.\n"); 2208 return -1; 2209 } 2210 2211 plog(LLV_DEBUG, LOCATION, NULL, "CR received:\n"); 2212 plogdump(LLV_DEBUG, cert->v, cert->l); 2213 2214 *c = cert; 2215 if (resolveph1rmconf(iph1) == 0) { 2216 /* Found unique match */ 2217 plog(LLV_DEBUG, LOCATION, NULL, "CR saved.\n"); 2218 } else { 2219 /* Still ambiguous or matches nothing, ignore this CR */ 2220 *c = NULL; 2221 vfree(cert); 2222 } 2223 return 0; 2224 } 2225 2226 /* 2227 * Add a single CR. 2228 */ 2229 struct append_cr_ctx { 2230 struct ph1handle *iph1; 2231 struct payload_list *plist; 2232 }; 2233 2234 static int 2235 oakley_append_rmconf_cr(struct remoteconf *rmconf, void *ctx) 2236 { 2237 struct append_cr_ctx *actx = (struct append_cr_ctx *) ctx; 2238 vchar_t *buf, *asn1dn = NULL; 2239 int type; 2240 2241 /* Do we want to send CR about this? */ 2242 if (rmconf->send_cr == FALSE) 2243 return 0; 2244 2245 if (rmconf->peerscert != NULL) { 2246 type = oakley_get_certtype(rmconf->peerscert); 2247 asn1dn = eay_get_x509asn1issuername(rmconf->peerscert); 2248 } else if (rmconf->cacert != NULL) { 2249 type = oakley_get_certtype(rmconf->cacert); 2250 asn1dn = eay_get_x509asn1subjectname(rmconf->cacert); 2251 } else 2252 return 0; 2253 2254 if (asn1dn == NULL) { 2255 plog(LLV_ERROR, LOCATION, actx->iph1->remote, 2256 "Failed to get CR ASN1 DN from certificate\n"); 2257 return 0; 2258 } 2259 2260 buf = vmalloc(1 + asn1dn->l); 2261 if (buf == NULL) 2262 goto err; 2263 2264 buf->v[0] = type; 2265 memcpy(&buf->v[1], asn1dn->v, asn1dn->l); 2266 2267 plog(LLV_DEBUG, LOCATION, actx->iph1->remote, 2268 "appending CR: %s\n", 2269 s_isakmp_certtype(buf->v[0])); 2270 plogdump(LLV_DEBUG, buf->v, buf->l); 2271 2272 actx->plist = isakmp_plist_append_full(actx->plist, buf, ISAKMP_NPTYPE_CR, 1); 2273 2274 err: 2275 vfree(asn1dn); 2276 return 0; 2277 } 2278 2279 /* 2280 * Append list of acceptable CRs. 2281 * RFC2048 3.10 2282 */ 2283 struct payload_list * 2284 oakley_append_cr(plist, iph1) 2285 struct payload_list *plist; 2286 struct ph1handle *iph1; 2287 { 2288 struct append_cr_ctx ctx; 2289 struct rmconfselector sel; 2290 2291 ctx.iph1 = iph1; 2292 ctx.plist = plist; 2293 if (iph1->rmconf == NULL) { 2294 rmconf_selector_from_ph1(&sel, iph1); 2295 enumrmconf(&sel, oakley_append_rmconf_cr, &ctx); 2296 } else { 2297 oakley_append_rmconf_cr(iph1->rmconf, &ctx); 2298 } 2299 2300 return ctx.plist; 2301 } 2302 2303 /* 2304 * check peer's CR. 2305 */ 2306 int 2307 oakley_checkcr(iph1) 2308 struct ph1handle *iph1; 2309 { 2310 int type; 2311 2312 if (iph1->cr_p == NULL) 2313 return 0; 2314 2315 plog(LLV_DEBUG, LOCATION, iph1->remote, 2316 "peer transmitted CR: %s\n", 2317 s_isakmp_certtype(oakley_get_certtype(iph1->cr_p))); 2318 2319 type = oakley_get_certtype(iph1->cr_p); 2320 if (type != oakley_get_certtype(iph1->rmconf->mycert)) { 2321 plog(LLV_ERROR, LOCATION, iph1->remote, 2322 "such a cert type isn't supported: %d\n", 2323 type); 2324 return -1; 2325 } 2326 2327 return 0; 2328 } 2329 2330 /* 2331 * check to need CR payload. 2332 */ 2333 int 2334 oakley_needcr(type) 2335 int type; 2336 { 2337 switch (type) { 2338 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: 2339 case OAKLEY_ATTR_AUTH_METHOD_RSASIG: 2340 #ifdef ENABLE_HYBRID 2341 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: 2342 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: 2343 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: 2344 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: 2345 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: 2346 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R: 2347 #endif 2348 return 1; 2349 default: 2350 return 0; 2351 } 2352 /*NOTREACHED*/ 2353 } 2354 2355 /* 2356 * compute SKEYID 2357 * see seciton 5. Exchanges in RFC 2409 2358 * psk: SKEYID = prf(pre-shared-key, Ni_b | Nr_b) 2359 * sig: SKEYID = prf(Ni_b | Nr_b, g^ir) 2360 * enc: SKEYID = prf(H(Ni_b | Nr_b), CKY-I | CKY-R) 2361 */ 2362 int 2363 oakley_skeyid(iph1) 2364 struct ph1handle *iph1; 2365 { 2366 vchar_t *buf = NULL, *bp; 2367 char *p; 2368 int len; 2369 int error = -1; 2370 2371 /* SKEYID */ 2372 switch (iph1->approval->authmethod) { 2373 case OAKLEY_ATTR_AUTH_METHOD_PSKEY: 2374 #ifdef ENABLE_HYBRID 2375 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I: 2376 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R: 2377 #endif 2378 if (iph1->etype != ISAKMP_ETYPE_IDENT) { 2379 iph1->authstr = getpskbyname(iph1->id_p); 2380 if (iph1->authstr == NULL) { 2381 if (iph1->rmconf->verify_identifier) { 2382 plog(LLV_ERROR, LOCATION, iph1->remote, 2383 "couldn't find the pskey.\n"); 2384 goto end; 2385 } 2386 plog(LLV_NOTIFY, LOCATION, iph1->remote, 2387 "couldn't find the proper pskey, " 2388 "try to get one by the peer's address.\n"); 2389 } 2390 } 2391 if (iph1->authstr == NULL) { 2392 /* 2393 * If the exchange type is the main mode or if it's 2394 * failed to get the psk by ID, racoon try to get 2395 * the psk by remote IP address. 2396 * It may be nonsense. 2397 */ 2398 iph1->authstr = getpskbyaddr(iph1->remote); 2399 if (iph1->authstr == NULL) { 2400 plog(LLV_ERROR, LOCATION, iph1->remote, 2401 "couldn't find the pskey for %s.\n", 2402 saddrwop2str(iph1->remote)); 2403 goto end; 2404 } 2405 } 2406 plog(LLV_DEBUG, LOCATION, NULL, "the psk found.\n"); 2407 /* should be secret PSK */ 2408 plog(LLV_DEBUG2, LOCATION, NULL, "psk: "); 2409 plogdump(LLV_DEBUG2, iph1->authstr->v, iph1->authstr->l); 2410 2411 len = iph1->nonce->l + iph1->nonce_p->l; 2412 buf = vmalloc(len); 2413 if (buf == NULL) { 2414 plog(LLV_ERROR, LOCATION, NULL, 2415 "failed to get skeyid buffer\n"); 2416 goto end; 2417 } 2418 p = buf->v; 2419 2420 bp = (iph1->side == INITIATOR ? iph1->nonce : iph1->nonce_p); 2421 plog(LLV_DEBUG, LOCATION, NULL, "nonce 1: "); 2422 plogdump(LLV_DEBUG, bp->v, bp->l); 2423 memcpy(p, bp->v, bp->l); 2424 p += bp->l; 2425 2426 bp = (iph1->side == INITIATOR ? iph1->nonce_p : iph1->nonce); 2427 plog(LLV_DEBUG, LOCATION, NULL, "nonce 2: "); 2428 plogdump(LLV_DEBUG, bp->v, bp->l); 2429 memcpy(p, bp->v, bp->l); 2430 p += bp->l; 2431 2432 iph1->skeyid = oakley_prf(iph1->authstr, buf, iph1); 2433 if (iph1->skeyid == NULL) 2434 goto end; 2435 break; 2436 2437 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: 2438 case OAKLEY_ATTR_AUTH_METHOD_RSASIG: 2439 #ifdef ENABLE_HYBRID 2440 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: 2441 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: 2442 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R: 2443 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R: 2444 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: 2445 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: 2446 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: 2447 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R: 2448 #endif 2449 #ifdef HAVE_GSSAPI 2450 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB: 2451 #endif 2452 len = iph1->nonce->l + iph1->nonce_p->l; 2453 buf = vmalloc(len); 2454 if (buf == NULL) { 2455 plog(LLV_ERROR, LOCATION, NULL, 2456 "failed to get nonce buffer\n"); 2457 goto end; 2458 } 2459 p = buf->v; 2460 2461 bp = (iph1->side == INITIATOR ? iph1->nonce : iph1->nonce_p); 2462 plog(LLV_DEBUG, LOCATION, NULL, "nonce1: "); 2463 plogdump(LLV_DEBUG, bp->v, bp->l); 2464 memcpy(p, bp->v, bp->l); 2465 p += bp->l; 2466 2467 bp = (iph1->side == INITIATOR ? iph1->nonce_p : iph1->nonce); 2468 plog(LLV_DEBUG, LOCATION, NULL, "nonce2: "); 2469 plogdump(LLV_DEBUG, bp->v, bp->l); 2470 memcpy(p, bp->v, bp->l); 2471 p += bp->l; 2472 2473 iph1->skeyid = oakley_prf(buf, iph1->dhgxy, iph1); 2474 if (iph1->skeyid == NULL) 2475 goto end; 2476 break; 2477 case OAKLEY_ATTR_AUTH_METHOD_RSAENC: 2478 case OAKLEY_ATTR_AUTH_METHOD_RSAREV: 2479 #ifdef ENABLE_HYBRID 2480 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I: 2481 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R: 2482 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I: 2483 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: 2484 #endif 2485 plog(LLV_WARNING, LOCATION, NULL, 2486 "not supported authentication method %s\n", 2487 s_oakley_attr_method(iph1->approval->authmethod)); 2488 goto end; 2489 default: 2490 plog(LLV_ERROR, LOCATION, NULL, 2491 "invalid authentication method %d\n", 2492 iph1->approval->authmethod); 2493 goto end; 2494 } 2495 2496 plog(LLV_DEBUG, LOCATION, NULL, "SKEYID computed:\n"); 2497 plogdump(LLV_DEBUG, iph1->skeyid->v, iph1->skeyid->l); 2498 2499 error = 0; 2500 2501 end: 2502 if (buf != NULL) 2503 vfree(buf); 2504 return error; 2505 } 2506 2507 /* 2508 * compute SKEYID_[dae] 2509 * see seciton 5. Exchanges in RFC 2409 2510 * SKEYID_d = prf(SKEYID, g^ir | CKY-I | CKY-R | 0) 2511 * SKEYID_a = prf(SKEYID, SKEYID_d | g^ir | CKY-I | CKY-R | 1) 2512 * SKEYID_e = prf(SKEYID, SKEYID_a | g^ir | CKY-I | CKY-R | 2) 2513 */ 2514 int 2515 oakley_skeyid_dae(iph1) 2516 struct ph1handle *iph1; 2517 { 2518 vchar_t *buf = NULL; 2519 char *p; 2520 int len; 2521 int error = -1; 2522 2523 if (iph1->skeyid == NULL) { 2524 plog(LLV_ERROR, LOCATION, NULL, "no SKEYID found.\n"); 2525 goto end; 2526 } 2527 2528 /* SKEYID D */ 2529 /* SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0) */ 2530 len = iph1->dhgxy->l + sizeof(cookie_t) * 2 + 1; 2531 buf = vmalloc(len); 2532 if (buf == NULL) { 2533 plog(LLV_ERROR, LOCATION, NULL, 2534 "failed to get skeyid buffer\n"); 2535 goto end; 2536 } 2537 p = buf->v; 2538 2539 memcpy(p, iph1->dhgxy->v, iph1->dhgxy->l); 2540 p += iph1->dhgxy->l; 2541 memcpy(p, (caddr_t)&iph1->index.i_ck, sizeof(cookie_t)); 2542 p += sizeof(cookie_t); 2543 memcpy(p, (caddr_t)&iph1->index.r_ck, sizeof(cookie_t)); 2544 p += sizeof(cookie_t); 2545 *p = 0; 2546 iph1->skeyid_d = oakley_prf(iph1->skeyid, buf, iph1); 2547 if (iph1->skeyid_d == NULL) 2548 goto end; 2549 2550 vfree(buf); 2551 buf = NULL; 2552 2553 plog(LLV_DEBUG, LOCATION, NULL, "SKEYID_d computed:\n"); 2554 plogdump(LLV_DEBUG, iph1->skeyid_d->v, iph1->skeyid_d->l); 2555 2556 /* SKEYID A */ 2557 /* SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1) */ 2558 len = iph1->skeyid_d->l + iph1->dhgxy->l + sizeof(cookie_t) * 2 + 1; 2559 buf = vmalloc(len); 2560 if (buf == NULL) { 2561 plog(LLV_ERROR, LOCATION, NULL, 2562 "failed to get skeyid buffer\n"); 2563 goto end; 2564 } 2565 p = buf->v; 2566 memcpy(p, iph1->skeyid_d->v, iph1->skeyid_d->l); 2567 p += iph1->skeyid_d->l; 2568 memcpy(p, iph1->dhgxy->v, iph1->dhgxy->l); 2569 p += iph1->dhgxy->l; 2570 memcpy(p, (caddr_t)&iph1->index.i_ck, sizeof(cookie_t)); 2571 p += sizeof(cookie_t); 2572 memcpy(p, (caddr_t)&iph1->index.r_ck, sizeof(cookie_t)); 2573 p += sizeof(cookie_t); 2574 *p = 1; 2575 iph1->skeyid_a = oakley_prf(iph1->skeyid, buf, iph1); 2576 if (iph1->skeyid_a == NULL) 2577 goto end; 2578 2579 vfree(buf); 2580 buf = NULL; 2581 2582 plog(LLV_DEBUG, LOCATION, NULL, "SKEYID_a computed:\n"); 2583 plogdump(LLV_DEBUG, iph1->skeyid_a->v, iph1->skeyid_a->l); 2584 2585 /* SKEYID E */ 2586 /* SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2) */ 2587 len = iph1->skeyid_a->l + iph1->dhgxy->l + sizeof(cookie_t) * 2 + 1; 2588 buf = vmalloc(len); 2589 if (buf == NULL) { 2590 plog(LLV_ERROR, LOCATION, NULL, 2591 "failed to get skeyid buffer\n"); 2592 goto end; 2593 } 2594 p = buf->v; 2595 memcpy(p, iph1->skeyid_a->v, iph1->skeyid_a->l); 2596 p += iph1->skeyid_a->l; 2597 memcpy(p, iph1->dhgxy->v, iph1->dhgxy->l); 2598 p += iph1->dhgxy->l; 2599 memcpy(p, (caddr_t)&iph1->index.i_ck, sizeof(cookie_t)); 2600 p += sizeof(cookie_t); 2601 memcpy(p, (caddr_t)&iph1->index.r_ck, sizeof(cookie_t)); 2602 p += sizeof(cookie_t); 2603 *p = 2; 2604 iph1->skeyid_e = oakley_prf(iph1->skeyid, buf, iph1); 2605 if (iph1->skeyid_e == NULL) 2606 goto end; 2607 2608 vfree(buf); 2609 buf = NULL; 2610 2611 plog(LLV_DEBUG, LOCATION, NULL, "SKEYID_e computed:\n"); 2612 plogdump(LLV_DEBUG, iph1->skeyid_e->v, iph1->skeyid_e->l); 2613 2614 error = 0; 2615 2616 end: 2617 if (buf != NULL) 2618 vfree(buf); 2619 return error; 2620 } 2621 2622 /* 2623 * compute final encryption key. 2624 * see Appendix B. 2625 */ 2626 int 2627 oakley_compute_enckey(iph1) 2628 struct ph1handle *iph1; 2629 { 2630 u_int keylen, prflen; 2631 int error = -1; 2632 2633 /* RFC2409 p39 */ 2634 keylen = alg_oakley_encdef_keylen(iph1->approval->enctype, 2635 iph1->approval->encklen); 2636 if (keylen == -1) { 2637 plog(LLV_ERROR, LOCATION, NULL, 2638 "invalid encryption algorithm %d, " 2639 "or invalid key length %d.\n", 2640 iph1->approval->enctype, 2641 iph1->approval->encklen); 2642 goto end; 2643 } 2644 iph1->key = vmalloc(keylen >> 3); 2645 if (iph1->key == NULL) { 2646 plog(LLV_ERROR, LOCATION, NULL, 2647 "failed to get key buffer\n"); 2648 goto end; 2649 } 2650 2651 /* set prf length */ 2652 prflen = alg_oakley_hashdef_hashlen(iph1->approval->hashtype); 2653 if (prflen == -1) { 2654 plog(LLV_ERROR, LOCATION, NULL, 2655 "invalid hash type %d.\n", iph1->approval->hashtype); 2656 goto end; 2657 } 2658 2659 /* see isakmp-oakley-08 5.3. */ 2660 if (iph1->key->l <= iph1->skeyid_e->l) { 2661 /* 2662 * if length(Ka) <= length(SKEYID_e) 2663 * Ka = first length(K) bit of SKEYID_e 2664 */ 2665 memcpy(iph1->key->v, iph1->skeyid_e->v, iph1->key->l); 2666 } else { 2667 vchar_t *buf = NULL, *res = NULL; 2668 u_char *p, *ep; 2669 int cplen; 2670 int subkey; 2671 2672 /* 2673 * otherwise, 2674 * Ka = K1 | K2 | K3 2675 * where 2676 * K1 = prf(SKEYID_e, 0) 2677 * K2 = prf(SKEYID_e, K1) 2678 * K3 = prf(SKEYID_e, K2) 2679 */ 2680 plog(LLV_DEBUG, LOCATION, NULL, 2681 "len(SKEYID_e) < len(Ka) (%zu < %zu), " 2682 "generating long key (Ka = K1 | K2 | ...)\n", 2683 iph1->skeyid_e->l, iph1->key->l); 2684 2685 if ((buf = vmalloc(prflen >> 3)) == 0) { 2686 plog(LLV_ERROR, LOCATION, NULL, 2687 "failed to get key buffer\n"); 2688 goto end; 2689 } 2690 p = (u_char *)iph1->key->v; 2691 ep = p + iph1->key->l; 2692 2693 subkey = 1; 2694 while (p < ep) { 2695 if (p == (u_char *)iph1->key->v) { 2696 /* just for computing K1 */ 2697 buf->v[0] = 0; 2698 buf->l = 1; 2699 } 2700 res = oakley_prf(iph1->skeyid_e, buf, iph1); 2701 if (res == NULL) { 2702 vfree(buf); 2703 goto end; 2704 } 2705 plog(LLV_DEBUG, LOCATION, NULL, 2706 "compute intermediate encryption key K%d\n", 2707 subkey); 2708 plogdump(LLV_DEBUG, buf->v, buf->l); 2709 plogdump(LLV_DEBUG, res->v, res->l); 2710 2711 cplen = (res->l < ep - p) ? res->l : ep - p; 2712 memcpy(p, res->v, cplen); 2713 p += cplen; 2714 2715 buf->l = prflen >> 3; /* to cancel K1 speciality */ 2716 if (res->l != buf->l) { 2717 plog(LLV_ERROR, LOCATION, NULL, 2718 "internal error: res->l=%zu buf->l=%zu\n", 2719 res->l, buf->l); 2720 vfree(res); 2721 vfree(buf); 2722 goto end; 2723 } 2724 memcpy(buf->v, res->v, res->l); 2725 vfree(res); 2726 subkey++; 2727 } 2728 2729 vfree(buf); 2730 } 2731 2732 /* 2733 * don't check any weak key or not. 2734 * draft-ietf-ipsec-ike-01.txt Appendix B. 2735 * draft-ietf-ipsec-ciph-aes-cbc-00.txt Section 2.3. 2736 */ 2737 #if 0 2738 /* weakkey check */ 2739 if (iph1->approval->enctype > ARRAYLEN(oakley_encdef) 2740 || oakley_encdef[iph1->approval->enctype].weakkey == NULL) { 2741 plog(LLV_ERROR, LOCATION, NULL, 2742 "encryption algorithm %d isn't supported.\n", 2743 iph1->approval->enctype); 2744 goto end; 2745 } 2746 if ((oakley_encdef[iph1->approval->enctype].weakkey)(iph1->key)) { 2747 plog(LLV_ERROR, LOCATION, NULL, 2748 "weakkey was generated.\n"); 2749 goto end; 2750 } 2751 #endif 2752 2753 plog(LLV_DEBUG, LOCATION, NULL, "final encryption key computed:\n"); 2754 plogdump(LLV_DEBUG, iph1->key->v, iph1->key->l); 2755 2756 error = 0; 2757 2758 end: 2759 return error; 2760 } 2761 2762 /* 2763 * compute IV and set to ph1handle 2764 * IV = hash(g^xi | g^xr) 2765 * see 4.1 Phase 1 state in draft-ietf-ipsec-ike. 2766 */ 2767 int 2768 oakley_newiv(iph1) 2769 struct ph1handle *iph1; 2770 { 2771 struct isakmp_ivm *newivm = NULL; 2772 vchar_t *buf = NULL, *bp; 2773 char *p; 2774 int len; 2775 2776 /* create buffer */ 2777 len = iph1->dhpub->l + iph1->dhpub_p->l; 2778 buf = vmalloc(len); 2779 if (buf == NULL) { 2780 plog(LLV_ERROR, LOCATION, NULL, 2781 "failed to get iv buffer\n"); 2782 return -1; 2783 } 2784 2785 p = buf->v; 2786 2787 bp = (iph1->side == INITIATOR ? iph1->dhpub : iph1->dhpub_p); 2788 memcpy(p, bp->v, bp->l); 2789 p += bp->l; 2790 2791 bp = (iph1->side == INITIATOR ? iph1->dhpub_p : iph1->dhpub); 2792 memcpy(p, bp->v, bp->l); 2793 p += bp->l; 2794 2795 /* allocate IVm */ 2796 newivm = racoon_calloc(1, sizeof(struct isakmp_ivm)); 2797 if (newivm == NULL) { 2798 plog(LLV_ERROR, LOCATION, NULL, 2799 "failed to get iv buffer\n"); 2800 vfree(buf); 2801 return -1; 2802 } 2803 2804 /* compute IV */ 2805 newivm->iv = oakley_hash(buf, iph1); 2806 if (newivm->iv == NULL) { 2807 vfree(buf); 2808 oakley_delivm(newivm); 2809 return -1; 2810 } 2811 2812 /* adjust length of iv */ 2813 newivm->iv->l = alg_oakley_encdef_blocklen(iph1->approval->enctype); 2814 if (newivm->iv->l == -1) { 2815 plog(LLV_ERROR, LOCATION, NULL, 2816 "invalid encryption algorithm %d.\n", 2817 iph1->approval->enctype); 2818 vfree(buf); 2819 oakley_delivm(newivm); 2820 return -1; 2821 } 2822 2823 /* create buffer to save iv */ 2824 if ((newivm->ive = vdup(newivm->iv)) == NULL) { 2825 plog(LLV_ERROR, LOCATION, NULL, 2826 "vdup (%s)\n", strerror(errno)); 2827 vfree(buf); 2828 oakley_delivm(newivm); 2829 return -1; 2830 } 2831 2832 vfree(buf); 2833 2834 plog(LLV_DEBUG, LOCATION, NULL, "IV computed:\n"); 2835 plogdump(LLV_DEBUG, newivm->iv->v, newivm->iv->l); 2836 2837 iph1->ivm = newivm; 2838 2839 return 0; 2840 } 2841 2842 /* 2843 * compute IV for the payload after phase 1. 2844 * It's not limited for phase 2. 2845 * if pahse 1 was encrypted. 2846 * IV = hash(last CBC block of Phase 1 | M-ID) 2847 * if phase 1 was not encrypted. 2848 * IV = hash(phase 1 IV | M-ID) 2849 * see 4.2 Phase 2 state in draft-ietf-ipsec-ike. 2850 */ 2851 struct isakmp_ivm * 2852 oakley_newiv2(iph1, msgid) 2853 struct ph1handle *iph1; 2854 u_int32_t msgid; 2855 { 2856 struct isakmp_ivm *newivm = NULL; 2857 vchar_t *buf = NULL; 2858 char *p; 2859 int len; 2860 int error = -1; 2861 2862 /* create buffer */ 2863 len = iph1->ivm->iv->l + sizeof(msgid_t); 2864 buf = vmalloc(len); 2865 if (buf == NULL) { 2866 plog(LLV_ERROR, LOCATION, NULL, 2867 "failed to get iv buffer\n"); 2868 goto end; 2869 } 2870 2871 p = buf->v; 2872 2873 memcpy(p, iph1->ivm->iv->v, iph1->ivm->iv->l); 2874 p += iph1->ivm->iv->l; 2875 2876 memcpy(p, &msgid, sizeof(msgid)); 2877 2878 plog(LLV_DEBUG, LOCATION, NULL, "compute IV for phase2\n"); 2879 plog(LLV_DEBUG, LOCATION, NULL, "phase1 last IV:\n"); 2880 plogdump(LLV_DEBUG, buf->v, buf->l); 2881 2882 /* allocate IVm */ 2883 newivm = racoon_calloc(1, sizeof(struct isakmp_ivm)); 2884 if (newivm == NULL) { 2885 plog(LLV_ERROR, LOCATION, NULL, 2886 "failed to get iv buffer\n"); 2887 goto end; 2888 } 2889 2890 /* compute IV */ 2891 if ((newivm->iv = oakley_hash(buf, iph1)) == NULL) 2892 goto end; 2893 2894 /* adjust length of iv */ 2895 newivm->iv->l = alg_oakley_encdef_blocklen(iph1->approval->enctype); 2896 if (newivm->iv->l == -1) { 2897 plog(LLV_ERROR, LOCATION, NULL, 2898 "invalid encryption algorithm %d.\n", 2899 iph1->approval->enctype); 2900 goto end; 2901 } 2902 2903 /* create buffer to save new iv */ 2904 if ((newivm->ive = vdup(newivm->iv)) == NULL) { 2905 plog(LLV_ERROR, LOCATION, NULL, "vdup (%s)\n", strerror(errno)); 2906 goto end; 2907 } 2908 2909 error = 0; 2910 2911 plog(LLV_DEBUG, LOCATION, NULL, "phase2 IV computed:\n"); 2912 plogdump(LLV_DEBUG, newivm->iv->v, newivm->iv->l); 2913 2914 end: 2915 if (error && newivm != NULL){ 2916 oakley_delivm(newivm); 2917 newivm=NULL; 2918 } 2919 if (buf != NULL) 2920 vfree(buf); 2921 return newivm; 2922 } 2923 2924 void 2925 oakley_delivm(ivm) 2926 struct isakmp_ivm *ivm; 2927 { 2928 if (ivm == NULL) 2929 return; 2930 2931 if (ivm->iv != NULL) 2932 vfree(ivm->iv); 2933 if (ivm->ive != NULL) 2934 vfree(ivm->ive); 2935 racoon_free(ivm); 2936 plog(LLV_DEBUG, LOCATION, NULL, "IV freed\n"); 2937 2938 return; 2939 } 2940 2941 /* 2942 * decrypt packet. 2943 * save new iv and old iv. 2944 */ 2945 vchar_t * 2946 oakley_do_decrypt(iph1, msg, ivdp, ivep) 2947 struct ph1handle *iph1; 2948 vchar_t *msg, *ivdp, *ivep; 2949 { 2950 vchar_t *buf = NULL, *new = NULL; 2951 char *pl; 2952 int len; 2953 u_int8_t padlen; 2954 int blen; 2955 int error = -1; 2956 2957 plog(LLV_DEBUG, LOCATION, NULL, "begin decryption.\n"); 2958 2959 blen = alg_oakley_encdef_blocklen(iph1->approval->enctype); 2960 if (blen == -1) { 2961 plog(LLV_ERROR, LOCATION, NULL, 2962 "invalid encryption algorithm %d.\n", 2963 iph1->approval->enctype); 2964 goto end; 2965 } 2966 2967 /* save IV for next, but not sync. */ 2968 memset(ivep->v, 0, ivep->l); 2969 memcpy(ivep->v, (caddr_t)&msg->v[msg->l - blen], blen); 2970 2971 plog(LLV_DEBUG, LOCATION, NULL, 2972 "IV was saved for next processing:\n"); 2973 plogdump(LLV_DEBUG, ivep->v, ivep->l); 2974 2975 pl = msg->v + sizeof(struct isakmp); 2976 2977 len = msg->l - sizeof(struct isakmp); 2978 2979 /* create buffer */ 2980 buf = vmalloc(len); 2981 if (buf == NULL) { 2982 plog(LLV_ERROR, LOCATION, NULL, 2983 "failed to get buffer to decrypt.\n"); 2984 goto end; 2985 } 2986 memcpy(buf->v, pl, len); 2987 2988 /* do decrypt */ 2989 new = alg_oakley_encdef_decrypt(iph1->approval->enctype, 2990 buf, iph1->key, ivdp); 2991 if (new == NULL || new->v == NULL || new->l == 0) { 2992 plog(LLV_ERROR, LOCATION, NULL, 2993 "decryption %d failed.\n", iph1->approval->enctype); 2994 goto end; 2995 } 2996 plog(LLV_DEBUG, LOCATION, NULL, "with key:\n"); 2997 plogdump(LLV_DEBUG, iph1->key->v, iph1->key->l); 2998 2999 vfree(buf); 3000 buf = NULL; 3001 3002 plog(LLV_DEBUG, LOCATION, NULL, "decrypted payload by IV:\n"); 3003 plogdump(LLV_DEBUG, ivdp->v, ivdp->l); 3004 3005 plog(LLV_DEBUG, LOCATION, NULL, 3006 "decrypted payload, but not trimed.\n"); 3007 plogdump(LLV_DEBUG, new->v, new->l); 3008 3009 /* get padding length */ 3010 if (lcconf->pad_excltail) 3011 padlen = new->v[new->l - 1] + 1; 3012 else 3013 padlen = new->v[new->l - 1]; 3014 plog(LLV_DEBUG, LOCATION, NULL, "padding len=%u\n", padlen); 3015 3016 /* trim padding */ 3017 if (lcconf->pad_strict) { 3018 if (padlen > new->l) { 3019 plog(LLV_ERROR, LOCATION, NULL, 3020 "invalied padding len=%u, buflen=%zu.\n", 3021 padlen, new->l); 3022 plogdump(LLV_ERROR, new->v, new->l); 3023 goto end; 3024 } 3025 new->l -= padlen; 3026 plog(LLV_DEBUG, LOCATION, NULL, "trimmed padding\n"); 3027 } else { 3028 plog(LLV_DEBUG, LOCATION, NULL, "skip to trim padding.\n"); 3029 } 3030 3031 /* create new buffer */ 3032 len = sizeof(struct isakmp) + new->l; 3033 buf = vmalloc(len); 3034 if (buf == NULL) { 3035 plog(LLV_ERROR, LOCATION, NULL, 3036 "failed to get buffer to decrypt.\n"); 3037 goto end; 3038 } 3039 memcpy(buf->v, msg->v, sizeof(struct isakmp)); 3040 memcpy(buf->v + sizeof(struct isakmp), new->v, new->l); 3041 ((struct isakmp *)buf->v)->len = htonl(buf->l); 3042 3043 plog(LLV_DEBUG, LOCATION, NULL, "decrypted.\n"); 3044 plogdump(LLV_DEBUG, buf->v, buf->l); 3045 3046 #ifdef HAVE_PRINT_ISAKMP_C 3047 isakmp_printpacket(buf, iph1->remote, iph1->local, 1); 3048 #endif 3049 3050 error = 0; 3051 3052 end: 3053 if (error && buf != NULL) { 3054 vfree(buf); 3055 buf = NULL; 3056 } 3057 if (new != NULL) 3058 vfree(new); 3059 3060 return buf; 3061 } 3062 3063 /* 3064 * encrypt packet. 3065 */ 3066 vchar_t * 3067 oakley_do_encrypt(iph1, msg, ivep, ivp) 3068 struct ph1handle *iph1; 3069 vchar_t *msg, *ivep, *ivp; 3070 { 3071 vchar_t *buf = 0, *new = 0; 3072 char *pl; 3073 int len; 3074 u_int padlen; 3075 int blen; 3076 int error = -1; 3077 3078 plog(LLV_DEBUG, LOCATION, NULL, "begin encryption.\n"); 3079 3080 /* set cbc block length */ 3081 blen = alg_oakley_encdef_blocklen(iph1->approval->enctype); 3082 if (blen == -1) { 3083 plog(LLV_ERROR, LOCATION, NULL, 3084 "invalid encryption algorithm %d.\n", 3085 iph1->approval->enctype); 3086 goto end; 3087 } 3088 3089 pl = msg->v + sizeof(struct isakmp); 3090 len = msg->l - sizeof(struct isakmp); 3091 3092 /* add padding */ 3093 padlen = oakley_padlen(len, blen); 3094 plog(LLV_DEBUG, LOCATION, NULL, "pad length = %u\n", padlen); 3095 3096 /* create buffer */ 3097 buf = vmalloc(len + padlen); 3098 if (buf == NULL) { 3099 plog(LLV_ERROR, LOCATION, NULL, 3100 "failed to get buffer to encrypt.\n"); 3101 goto end; 3102 } 3103 if (padlen) { 3104 int i; 3105 char *p = &buf->v[len]; 3106 if (lcconf->pad_random) { 3107 for (i = 0; i < padlen; i++) 3108 *p++ = eay_random() & 0xff; 3109 } 3110 } 3111 memcpy(buf->v, pl, len); 3112 3113 /* make pad into tail */ 3114 if (lcconf->pad_excltail) 3115 buf->v[len + padlen - 1] = padlen - 1; 3116 else 3117 buf->v[len + padlen - 1] = padlen; 3118 3119 plogdump(LLV_DEBUG, buf->v, buf->l); 3120 3121 /* do encrypt */ 3122 new = alg_oakley_encdef_encrypt(iph1->approval->enctype, 3123 buf, iph1->key, ivep); 3124 if (new == NULL) { 3125 plog(LLV_ERROR, LOCATION, NULL, 3126 "encryption %d failed.\n", iph1->approval->enctype); 3127 goto end; 3128 } 3129 plog(LLV_DEBUG, LOCATION, NULL, "with key:\n"); 3130 plogdump(LLV_DEBUG, iph1->key->v, iph1->key->l); 3131 3132 vfree(buf); 3133 buf = NULL; 3134 3135 plog(LLV_DEBUG, LOCATION, NULL, "encrypted payload by IV:\n"); 3136 plogdump(LLV_DEBUG, ivep->v, ivep->l); 3137 3138 /* save IV for next */ 3139 memset(ivp->v, 0, ivp->l); 3140 memcpy(ivp->v, (caddr_t)&new->v[new->l - blen], blen); 3141 3142 plog(LLV_DEBUG, LOCATION, NULL, "save IV for next:\n"); 3143 plogdump(LLV_DEBUG, ivp->v, ivp->l); 3144 3145 /* create new buffer */ 3146 len = sizeof(struct isakmp) + new->l; 3147 buf = vmalloc(len); 3148 if (buf == NULL) { 3149 plog(LLV_ERROR, LOCATION, NULL, 3150 "failed to get buffer to encrypt.\n"); 3151 goto end; 3152 } 3153 memcpy(buf->v, msg->v, sizeof(struct isakmp)); 3154 memcpy(buf->v + sizeof(struct isakmp), new->v, new->l); 3155 ((struct isakmp *)buf->v)->len = htonl(buf->l); 3156 3157 error = 0; 3158 3159 plog(LLV_DEBUG, LOCATION, NULL, "encrypted.\n"); 3160 3161 end: 3162 if (error && buf != NULL) { 3163 vfree(buf); 3164 buf = NULL; 3165 } 3166 if (new != NULL) 3167 vfree(new); 3168 3169 return buf; 3170 } 3171 3172 /* culculate padding length */ 3173 static int 3174 oakley_padlen(len, base) 3175 int len, base; 3176 { 3177 int padlen; 3178 3179 padlen = base - len % base; 3180 3181 if (lcconf->pad_randomlen) 3182 padlen += ((eay_random() % (lcconf->pad_maxsize + 1) + 1) * 3183 base); 3184 3185 return padlen; 3186 } 3187 3188