1 /* $NetBSD: oakley.c,v 1.12 2008/03/06 17:00:03 vanhu Exp $ */ 2 3 /* Id: oakley.c,v 1.32 2006/05/26 12:19:46 manubsd Exp */ 4 5 /* 6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of the project nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include "config.h" 35 36 #include <sys/types.h> 37 #include <sys/param.h> 38 #include <sys/socket.h> /* XXX for subjectaltname */ 39 #include <netinet/in.h> /* XXX for subjectaltname */ 40 41 #include <openssl/pkcs7.h> 42 #include <openssl/x509.h> 43 44 #include <stdlib.h> 45 #include <stdio.h> 46 #include <string.h> 47 #include <errno.h> 48 49 #if TIME_WITH_SYS_TIME 50 # include <sys/time.h> 51 # include <time.h> 52 #else 53 # if HAVE_SYS_TIME_H 54 # include <sys/time.h> 55 # else 56 # include <time.h> 57 # endif 58 #endif 59 #ifdef ENABLE_HYBRID 60 #include <resolv.h> 61 #endif 62 63 #include "var.h" 64 #include "misc.h" 65 #include "vmbuf.h" 66 #include "str2val.h" 67 #include "plog.h" 68 #include "debug.h" 69 70 #include "isakmp_var.h" 71 #include "isakmp.h" 72 #ifdef ENABLE_HYBRID 73 #include "isakmp_xauth.h" 74 #include "isakmp_cfg.h" 75 #endif 76 #include "oakley.h" 77 #include "admin.h" 78 #include "privsep.h" 79 #include "localconf.h" 80 #include "remoteconf.h" 81 #include "policy.h" 82 #include "handler.h" 83 #include "ipsec_doi.h" 84 #include "algorithm.h" 85 #include "dhgroup.h" 86 #include "sainfo.h" 87 #include "proposal.h" 88 #include "crypto_openssl.h" 89 #include "dnssec.h" 90 #include "sockmisc.h" 91 #include "strnames.h" 92 #include "gcmalloc.h" 93 #include "rsalist.h" 94 95 #ifdef HAVE_GSSAPI 96 #include "gssapi.h" 97 #endif 98 99 #define OUTBOUND_SA 0 100 #define INBOUND_SA 1 101 102 #define INITDHVAL(a, s, d, t) \ 103 do { \ 104 vchar_t buf; \ 105 buf.v = str2val((s), 16, &buf.l); \ 106 memset(&a, 0, sizeof(struct dhgroup)); \ 107 a.type = (t); \ 108 a.prime = vdup(&buf); \ 109 a.gen1 = 2; \ 110 a.gen2 = 0; \ 111 racoon_free(buf.v); \ 112 } while(0); 113 114 struct dhgroup dh_modp768; 115 struct dhgroup dh_modp1024; 116 struct dhgroup dh_modp1536; 117 struct dhgroup dh_modp2048; 118 struct dhgroup dh_modp3072; 119 struct dhgroup dh_modp4096; 120 struct dhgroup dh_modp6144; 121 struct dhgroup dh_modp8192; 122 123 124 static int oakley_check_dh_pub __P((vchar_t *, vchar_t **)); 125 static int oakley_compute_keymat_x __P((struct ph2handle *, int, int)); 126 static int get_cert_fromlocal __P((struct ph1handle *, int)); 127 static int get_plainrsa_fromlocal __P((struct ph1handle *, int)); 128 static int oakley_check_certid __P((struct ph1handle *iph1)); 129 static int check_typeofcertname __P((int, int)); 130 static cert_t *save_certbuf __P((struct isakmp_gen *)); 131 static cert_t *save_certx509 __P((X509 *)); 132 static int oakley_padlen __P((int, int)); 133 134 int 135 oakley_get_defaultlifetime() 136 { 137 return OAKLEY_ATTR_SA_LD_SEC_DEFAULT; 138 } 139 140 int 141 oakley_dhinit() 142 { 143 /* set DH MODP */ 144 INITDHVAL(dh_modp768, OAKLEY_PRIME_MODP768, 145 OAKLEY_ATTR_GRP_DESC_MODP768, OAKLEY_ATTR_GRP_TYPE_MODP); 146 INITDHVAL(dh_modp1024, OAKLEY_PRIME_MODP1024, 147 OAKLEY_ATTR_GRP_DESC_MODP1024, OAKLEY_ATTR_GRP_TYPE_MODP); 148 INITDHVAL(dh_modp1536, OAKLEY_PRIME_MODP1536, 149 OAKLEY_ATTR_GRP_DESC_MODP1536, OAKLEY_ATTR_GRP_TYPE_MODP); 150 INITDHVAL(dh_modp2048, OAKLEY_PRIME_MODP2048, 151 OAKLEY_ATTR_GRP_DESC_MODP2048, OAKLEY_ATTR_GRP_TYPE_MODP); 152 INITDHVAL(dh_modp3072, OAKLEY_PRIME_MODP3072, 153 OAKLEY_ATTR_GRP_DESC_MODP3072, OAKLEY_ATTR_GRP_TYPE_MODP); 154 INITDHVAL(dh_modp4096, OAKLEY_PRIME_MODP4096, 155 OAKLEY_ATTR_GRP_DESC_MODP4096, OAKLEY_ATTR_GRP_TYPE_MODP); 156 INITDHVAL(dh_modp6144, OAKLEY_PRIME_MODP6144, 157 OAKLEY_ATTR_GRP_DESC_MODP6144, OAKLEY_ATTR_GRP_TYPE_MODP); 158 INITDHVAL(dh_modp8192, OAKLEY_PRIME_MODP8192, 159 OAKLEY_ATTR_GRP_DESC_MODP8192, OAKLEY_ATTR_GRP_TYPE_MODP); 160 161 return 0; 162 } 163 164 void 165 oakley_dhgrp_free(dhgrp) 166 struct dhgroup *dhgrp; 167 { 168 if (dhgrp->prime) 169 vfree(dhgrp->prime); 170 if (dhgrp->curve_a) 171 vfree(dhgrp->curve_a); 172 if (dhgrp->curve_b) 173 vfree(dhgrp->curve_b); 174 if (dhgrp->order) 175 vfree(dhgrp->order); 176 racoon_free(dhgrp); 177 } 178 179 /* 180 * RFC2409 5 181 * The length of the Diffie-Hellman public value MUST be equal to the 182 * length of the prime modulus over which the exponentiation was 183 * performed, prepending zero bits to the value if necessary. 184 */ 185 static int 186 oakley_check_dh_pub(prime, pub0) 187 vchar_t *prime, **pub0; 188 { 189 vchar_t *tmp; 190 vchar_t *pub = *pub0; 191 192 if (prime->l == pub->l) 193 return 0; 194 195 if (prime->l < pub->l) { 196 /* what should i do ? */ 197 plog(LLV_ERROR, LOCATION, NULL, 198 "invalid public information was generated.\n"); 199 return -1; 200 } 201 202 /* prime->l > pub->l */ 203 tmp = vmalloc(prime->l); 204 if (tmp == NULL) { 205 plog(LLV_ERROR, LOCATION, NULL, 206 "failed to get DH buffer.\n"); 207 return -1; 208 } 209 memcpy(tmp->v + prime->l - pub->l, pub->v, pub->l); 210 211 vfree(*pub0); 212 *pub0 = tmp; 213 214 return 0; 215 } 216 217 /* 218 * compute sharing secret of DH 219 * IN: *dh, *pub, *priv, *pub_p 220 * OUT: **gxy 221 */ 222 int 223 oakley_dh_compute(dh, pub, priv, pub_p, gxy) 224 const struct dhgroup *dh; 225 vchar_t *pub, *priv, *pub_p, **gxy; 226 { 227 #ifdef ENABLE_STATS 228 struct timeval start, end; 229 #endif 230 if ((*gxy = vmalloc(dh->prime->l)) == NULL) { 231 plog(LLV_ERROR, LOCATION, NULL, 232 "failed to get DH buffer.\n"); 233 return -1; 234 } 235 236 #ifdef ENABLE_STATS 237 gettimeofday(&start, NULL); 238 #endif 239 switch (dh->type) { 240 case OAKLEY_ATTR_GRP_TYPE_MODP: 241 if (eay_dh_compute(dh->prime, dh->gen1, pub, priv, pub_p, gxy) < 0) { 242 plog(LLV_ERROR, LOCATION, NULL, 243 "failed to compute dh value.\n"); 244 return -1; 245 } 246 break; 247 case OAKLEY_ATTR_GRP_TYPE_ECP: 248 case OAKLEY_ATTR_GRP_TYPE_EC2N: 249 plog(LLV_ERROR, LOCATION, NULL, 250 "dh type %d isn't supported.\n", dh->type); 251 return -1; 252 default: 253 plog(LLV_ERROR, LOCATION, NULL, 254 "invalid dh type %d.\n", dh->type); 255 return -1; 256 } 257 258 #ifdef ENABLE_STATS 259 gettimeofday(&end, NULL); 260 syslog(LOG_NOTICE, "%s(%s%zu): %8.6f", __func__, 261 s_attr_isakmp_group(dh->type), dh->prime->l << 3, 262 timedelta(&start, &end)); 263 #endif 264 265 plog(LLV_DEBUG, LOCATION, NULL, "compute DH's shared.\n"); 266 plogdump(LLV_DEBUG, (*gxy)->v, (*gxy)->l); 267 268 return 0; 269 } 270 271 /* 272 * generate values of DH 273 * IN: *dh 274 * OUT: **pub, **priv 275 */ 276 int 277 oakley_dh_generate(dh, pub, priv) 278 const struct dhgroup *dh; 279 vchar_t **pub, **priv; 280 { 281 #ifdef ENABLE_STATS 282 struct timeval start, end; 283 gettimeofday(&start, NULL); 284 #endif 285 switch (dh->type) { 286 case OAKLEY_ATTR_GRP_TYPE_MODP: 287 if (eay_dh_generate(dh->prime, dh->gen1, dh->gen2, pub, priv) < 0) { 288 plog(LLV_ERROR, LOCATION, NULL, 289 "failed to compute dh value.\n"); 290 return -1; 291 } 292 break; 293 294 case OAKLEY_ATTR_GRP_TYPE_ECP: 295 case OAKLEY_ATTR_GRP_TYPE_EC2N: 296 plog(LLV_ERROR, LOCATION, NULL, 297 "dh type %d isn't supported.\n", dh->type); 298 return -1; 299 default: 300 plog(LLV_ERROR, LOCATION, NULL, 301 "invalid dh type %d.\n", dh->type); 302 return -1; 303 } 304 305 #ifdef ENABLE_STATS 306 gettimeofday(&end, NULL); 307 syslog(LOG_NOTICE, "%s(%s%zu): %8.6f", __func__, 308 s_attr_isakmp_group(dh->type), dh->prime->l << 3, 309 timedelta(&start, &end)); 310 #endif 311 312 if (oakley_check_dh_pub(dh->prime, pub) != 0) 313 return -1; 314 315 plog(LLV_DEBUG, LOCATION, NULL, "compute DH's private.\n"); 316 plogdump(LLV_DEBUG, (*priv)->v, (*priv)->l); 317 plog(LLV_DEBUG, LOCATION, NULL, "compute DH's public.\n"); 318 plogdump(LLV_DEBUG, (*pub)->v, (*pub)->l); 319 320 return 0; 321 } 322 323 /* 324 * copy pre-defined dhgroup values. 325 */ 326 int 327 oakley_setdhgroup(group, dhgrp) 328 int group; 329 struct dhgroup **dhgrp; 330 { 331 struct dhgroup *g; 332 333 *dhgrp = NULL; /* just make sure, initialize */ 334 335 g = alg_oakley_dhdef_group(group); 336 if (g == NULL) { 337 plog(LLV_ERROR, LOCATION, NULL, 338 "invalid DH parameter grp=%d.\n", group); 339 return -1; 340 } 341 342 if (!g->type || !g->prime || !g->gen1) { 343 /* unsuported */ 344 plog(LLV_ERROR, LOCATION, NULL, 345 "unsupported DH parameters grp=%d.\n", group); 346 return -1; 347 } 348 349 *dhgrp = racoon_calloc(1, sizeof(struct dhgroup)); 350 if (*dhgrp == NULL) { 351 plog(LLV_ERROR, LOCATION, NULL, 352 "failed to get DH buffer.\n"); 353 return 0; 354 } 355 356 /* set defined dh vlaues */ 357 memcpy(*dhgrp, g, sizeof(*g)); 358 (*dhgrp)->prime = vdup(g->prime); 359 360 return 0; 361 } 362 363 /* 364 * PRF 365 * 366 * NOTE: we do not support prf with different input/output bitwidth, 367 * so we do not implement RFC2409 Appendix B (DOORAK-MAC example) in 368 * oakley_compute_keymat(). If you add support for such prf function, 369 * modify oakley_compute_keymat() accordingly. 370 */ 371 vchar_t * 372 oakley_prf(key, buf, iph1) 373 vchar_t *key, *buf; 374 struct ph1handle *iph1; 375 { 376 vchar_t *res = NULL; 377 int type; 378 379 if (iph1->approval == NULL) { 380 /* 381 * it's before negotiating hash algorithm. 382 * We use md5 as default. 383 */ 384 type = OAKLEY_ATTR_HASH_ALG_MD5; 385 } else 386 type = iph1->approval->hashtype; 387 388 res = alg_oakley_hmacdef_one(type, key, buf); 389 if (res == NULL) { 390 plog(LLV_ERROR, LOCATION, NULL, 391 "invalid hmac algorithm %d.\n", type); 392 return NULL; 393 } 394 395 return res; 396 } 397 398 /* 399 * hash 400 */ 401 vchar_t * 402 oakley_hash(buf, iph1) 403 vchar_t *buf; 404 struct ph1handle *iph1; 405 { 406 vchar_t *res = NULL; 407 int type; 408 409 if (iph1->approval == NULL) { 410 /* 411 * it's before negotiating hash algorithm. 412 * We use md5 as default. 413 */ 414 type = OAKLEY_ATTR_HASH_ALG_MD5; 415 } else 416 type = iph1->approval->hashtype; 417 418 res = alg_oakley_hashdef_one(type, buf); 419 if (res == NULL) { 420 plog(LLV_ERROR, LOCATION, NULL, 421 "invalid hash algoriym %d.\n", type); 422 return NULL; 423 } 424 425 return res; 426 } 427 428 /* 429 * compute KEYMAT 430 * see seciton 5.5 Phase 2 - Quick Mode in isakmp-oakley-05. 431 */ 432 int 433 oakley_compute_keymat(iph2, side) 434 struct ph2handle *iph2; 435 int side; 436 { 437 int error = -1; 438 439 /* compute sharing secret of DH when PFS */ 440 if (iph2->approval->pfs_group && iph2->dhpub_p) { 441 if (oakley_dh_compute(iph2->pfsgrp, iph2->dhpub, 442 iph2->dhpriv, iph2->dhpub_p, &iph2->dhgxy) < 0) 443 goto end; 444 } 445 446 /* compute keymat */ 447 if (oakley_compute_keymat_x(iph2, side, INBOUND_SA) < 0 448 || oakley_compute_keymat_x(iph2, side, OUTBOUND_SA) < 0) 449 goto end; 450 451 plog(LLV_DEBUG, LOCATION, NULL, "KEYMAT computed.\n"); 452 453 error = 0; 454 455 end: 456 return error; 457 } 458 459 /* 460 * compute KEYMAT. 461 * KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b). 462 * If PFS is desired and KE payloads were exchanged, 463 * KEYMAT = prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b) 464 * 465 * NOTE: we do not support prf with different input/output bitwidth, 466 * so we do not implement RFC2409 Appendix B (DOORAK-MAC example). 467 */ 468 static int 469 oakley_compute_keymat_x(iph2, side, sa_dir) 470 struct ph2handle *iph2; 471 int side; 472 int sa_dir; 473 { 474 vchar_t *buf = NULL, *res = NULL, *bp; 475 char *p; 476 int len; 477 int error = -1; 478 int pfs = 0; 479 int dupkeymat; /* generate K[1-dupkeymat] */ 480 struct saproto *pr; 481 struct satrns *tr; 482 int encklen, authklen, l; 483 484 pfs = ((iph2->approval->pfs_group && iph2->dhgxy) ? 1 : 0); 485 486 len = pfs ? iph2->dhgxy->l : 0; 487 len += (1 488 + sizeof(u_int32_t) /* XXX SPI size */ 489 + iph2->nonce->l 490 + iph2->nonce_p->l); 491 buf = vmalloc(len); 492 if (buf == NULL) { 493 plog(LLV_ERROR, LOCATION, NULL, 494 "failed to get keymat buffer.\n"); 495 goto end; 496 } 497 498 for (pr = iph2->approval->head; pr != NULL; pr = pr->next) { 499 p = buf->v; 500 501 /* if PFS */ 502 if (pfs) { 503 memcpy(p, iph2->dhgxy->v, iph2->dhgxy->l); 504 p += iph2->dhgxy->l; 505 } 506 507 p[0] = pr->proto_id; 508 p += 1; 509 510 memcpy(p, (sa_dir == INBOUND_SA ? &pr->spi : &pr->spi_p), 511 sizeof(pr->spi)); 512 p += sizeof(pr->spi); 513 514 bp = (side == INITIATOR ? iph2->nonce : iph2->nonce_p); 515 memcpy(p, bp->v, bp->l); 516 p += bp->l; 517 518 bp = (side == INITIATOR ? iph2->nonce_p : iph2->nonce); 519 memcpy(p, bp->v, bp->l); 520 p += bp->l; 521 522 /* compute IV */ 523 plog(LLV_DEBUG, LOCATION, NULL, "KEYMAT compute with\n"); 524 plogdump(LLV_DEBUG, buf->v, buf->l); 525 526 /* res = K1 */ 527 res = oakley_prf(iph2->ph1->skeyid_d, buf, iph2->ph1); 528 if (res == NULL) 529 goto end; 530 531 /* compute key length needed */ 532 encklen = authklen = 0; 533 switch (pr->proto_id) { 534 case IPSECDOI_PROTO_IPSEC_ESP: 535 for (tr = pr->head; tr; tr = tr->next) { 536 l = alg_ipsec_encdef_keylen(tr->trns_id, 537 tr->encklen); 538 if (l > encklen) 539 encklen = l; 540 541 l = alg_ipsec_hmacdef_hashlen(tr->authtype); 542 if (l > authklen) 543 authklen = l; 544 } 545 break; 546 case IPSECDOI_PROTO_IPSEC_AH: 547 for (tr = pr->head; tr; tr = tr->next) { 548 l = alg_ipsec_hmacdef_hashlen(tr->trns_id); 549 if (l > authklen) 550 authklen = l; 551 } 552 break; 553 default: 554 break; 555 } 556 plog(LLV_DEBUG, LOCATION, NULL, "encklen=%d authklen=%d\n", 557 encklen, authklen); 558 559 dupkeymat = (encklen + authklen) / 8 / res->l; 560 dupkeymat += 2; /* safety mergin */ 561 if (dupkeymat < 3) 562 dupkeymat = 3; 563 plog(LLV_DEBUG, LOCATION, NULL, 564 "generating %zu bits of key (dupkeymat=%d)\n", 565 dupkeymat * 8 * res->l, dupkeymat); 566 if (0 < --dupkeymat) { 567 vchar_t *prev = res; /* K(n-1) */ 568 vchar_t *seed = NULL; /* seed for Kn */ 569 size_t l; 570 571 /* 572 * generating long key (isakmp-oakley-08 5.5) 573 * KEYMAT = K1 | K2 | K3 | ... 574 * where 575 * src = [ g(qm)^xy | ] protocol | SPI | Ni_b | Nr_b 576 * K1 = prf(SKEYID_d, src) 577 * K2 = prf(SKEYID_d, K1 | src) 578 * K3 = prf(SKEYID_d, K2 | src) 579 * Kn = prf(SKEYID_d, K(n-1) | src) 580 */ 581 plog(LLV_DEBUG, LOCATION, NULL, 582 "generating K1...K%d for KEYMAT.\n", 583 dupkeymat + 1); 584 585 seed = vmalloc(prev->l + buf->l); 586 if (seed == NULL) { 587 plog(LLV_ERROR, LOCATION, NULL, 588 "failed to get keymat buffer.\n"); 589 if (prev && prev != res) 590 vfree(prev); 591 goto end; 592 } 593 594 while (dupkeymat--) { 595 vchar_t *this = NULL; /* Kn */ 596 int update_prev; 597 598 memcpy(seed->v, prev->v, prev->l); 599 memcpy(seed->v + prev->l, buf->v, buf->l); 600 this = oakley_prf(iph2->ph1->skeyid_d, seed, 601 iph2->ph1); 602 if (!this) { 603 plog(LLV_ERROR, LOCATION, NULL, 604 "oakley_prf memory overflow\n"); 605 if (prev && prev != res) 606 vfree(prev); 607 vfree(this); 608 vfree(seed); 609 goto end; 610 } 611 612 update_prev = (prev && prev == res) ? 1 : 0; 613 614 l = res->l; 615 res = vrealloc(res, l + this->l); 616 617 if (update_prev) 618 prev = res; 619 620 if (res == NULL) { 621 plog(LLV_ERROR, LOCATION, NULL, 622 "failed to get keymat buffer.\n"); 623 if (prev && prev != res) 624 vfree(prev); 625 vfree(this); 626 vfree(seed); 627 goto end; 628 } 629 memcpy(res->v + l, this->v, this->l); 630 631 if (prev && prev != res) 632 vfree(prev); 633 prev = this; 634 this = NULL; 635 } 636 637 if (prev && prev != res) 638 vfree(prev); 639 vfree(seed); 640 } 641 642 plogdump(LLV_DEBUG, res->v, res->l); 643 644 if (sa_dir == INBOUND_SA) 645 pr->keymat = res; 646 else 647 pr->keymat_p = res; 648 res = NULL; 649 } 650 651 error = 0; 652 653 end: 654 if (error) { 655 for (pr = iph2->approval->head; pr != NULL; pr = pr->next) { 656 if (pr->keymat) { 657 vfree(pr->keymat); 658 pr->keymat = NULL; 659 } 660 if (pr->keymat_p) { 661 vfree(pr->keymat_p); 662 pr->keymat_p = NULL; 663 } 664 } 665 } 666 667 if (buf != NULL) 668 vfree(buf); 669 if (res) 670 vfree(res); 671 672 return error; 673 } 674 675 #if notyet 676 /* 677 * NOTE: Must terminate by NULL. 678 */ 679 vchar_t * 680 oakley_compute_hashx(struct ph1handle *iph1, ...) 681 { 682 vchar_t *buf, *res; 683 vchar_t *s; 684 caddr_t p; 685 int len; 686 687 va_list ap; 688 689 /* get buffer length */ 690 va_start(ap, iph1); 691 len = 0; 692 while ((s = va_arg(ap, vchar_t *)) != NULL) { 693 len += s->l 694 } 695 va_end(ap); 696 697 buf = vmalloc(len); 698 if (buf == NULL) { 699 plog(LLV_ERROR, LOCATION, NULL, 700 "failed to get hash buffer\n"); 701 return NULL; 702 } 703 704 /* set buffer */ 705 va_start(ap, iph1); 706 p = buf->v; 707 while ((s = va_arg(ap, char *)) != NULL) { 708 memcpy(p, s->v, s->l); 709 p += s->l; 710 } 711 va_end(ap); 712 713 plog(LLV_DEBUG, LOCATION, NULL, "HASH with: \n"); 714 plogdump(LLV_DEBUG, buf->v, buf->l); 715 716 /* compute HASH */ 717 res = oakley_prf(iph1->skeyid_a, buf, iph1); 718 vfree(buf); 719 if (res == NULL) 720 return NULL; 721 722 plog(LLV_DEBUG, LOCATION, NULL, "HASH computed:\n"); 723 plogdump(LLV_DEBUG, res->v, res->l); 724 725 return res; 726 } 727 #endif 728 729 /* 730 * compute HASH(3) prf(SKEYID_a, 0 | M-ID | Ni_b | Nr_b) 731 * see seciton 5.5 Phase 2 - Quick Mode in isakmp-oakley-05. 732 */ 733 vchar_t * 734 oakley_compute_hash3(iph1, msgid, body) 735 struct ph1handle *iph1; 736 u_int32_t msgid; 737 vchar_t *body; 738 { 739 vchar_t *buf = 0, *res = 0; 740 int len; 741 int error = -1; 742 743 /* create buffer */ 744 len = 1 + sizeof(u_int32_t) + body->l; 745 buf = vmalloc(len); 746 if (buf == NULL) { 747 plog(LLV_DEBUG, LOCATION, NULL, 748 "failed to get hash buffer\n"); 749 goto end; 750 } 751 752 buf->v[0] = 0; 753 754 memcpy(buf->v + 1, (char *)&msgid, sizeof(msgid)); 755 756 memcpy(buf->v + 1 + sizeof(u_int32_t), body->v, body->l); 757 758 plog(LLV_DEBUG, LOCATION, NULL, "HASH with: \n"); 759 plogdump(LLV_DEBUG, buf->v, buf->l); 760 761 /* compute HASH */ 762 res = oakley_prf(iph1->skeyid_a, buf, iph1); 763 if (res == NULL) 764 goto end; 765 766 error = 0; 767 768 plog(LLV_DEBUG, LOCATION, NULL, "HASH computed:\n"); 769 plogdump(LLV_DEBUG, res->v, res->l); 770 771 end: 772 if (buf != NULL) 773 vfree(buf); 774 return res; 775 } 776 777 /* 778 * compute HASH type of prf(SKEYID_a, M-ID | buffer) 779 * e.g. 780 * for quick mode HASH(1): 781 * prf(SKEYID_a, M-ID | SA | Ni [ | KE ] [ | IDci | IDcr ]) 782 * for quick mode HASH(2): 783 * prf(SKEYID_a, M-ID | Ni_b | SA | Nr [ | KE ] [ | IDci | IDcr ]) 784 * for Informational exchange: 785 * prf(SKEYID_a, M-ID | N/D) 786 */ 787 vchar_t * 788 oakley_compute_hash1(iph1, msgid, body) 789 struct ph1handle *iph1; 790 u_int32_t msgid; 791 vchar_t *body; 792 { 793 vchar_t *buf = NULL, *res = NULL; 794 char *p; 795 int len; 796 int error = -1; 797 798 /* create buffer */ 799 len = sizeof(u_int32_t) + body->l; 800 buf = vmalloc(len); 801 if (buf == NULL) { 802 plog(LLV_DEBUG, LOCATION, NULL, 803 "failed to get hash buffer\n"); 804 goto end; 805 } 806 807 p = buf->v; 808 809 memcpy(buf->v, (char *)&msgid, sizeof(msgid)); 810 p += sizeof(u_int32_t); 811 812 memcpy(p, body->v, body->l); 813 814 plog(LLV_DEBUG, LOCATION, NULL, "HASH with:\n"); 815 plogdump(LLV_DEBUG, buf->v, buf->l); 816 817 /* compute HASH */ 818 res = oakley_prf(iph1->skeyid_a, buf, iph1); 819 if (res == NULL) 820 goto end; 821 822 error = 0; 823 824 plog(LLV_DEBUG, LOCATION, NULL, "HASH computed:\n"); 825 plogdump(LLV_DEBUG, res->v, res->l); 826 827 end: 828 if (buf != NULL) 829 vfree(buf); 830 return res; 831 } 832 833 /* 834 * compute phase1 HASH 835 * main/aggressive 836 * I-digest = prf(SKEYID, g^i | g^r | CKY-I | CKY-R | SAi_b | ID_i1_b) 837 * R-digest = prf(SKEYID, g^r | g^i | CKY-R | CKY-I | SAi_b | ID_r1_b) 838 * for gssapi, also include all GSS tokens, and call gss_wrap on the result 839 */ 840 vchar_t * 841 oakley_ph1hash_common(iph1, sw) 842 struct ph1handle *iph1; 843 int sw; 844 { 845 vchar_t *buf = NULL, *res = NULL, *bp; 846 char *p, *bp2; 847 int len, bl; 848 int error = -1; 849 #ifdef HAVE_GSSAPI 850 vchar_t *gsstokens = NULL; 851 #endif 852 853 /* create buffer */ 854 len = iph1->dhpub->l 855 + iph1->dhpub_p->l 856 + sizeof(cookie_t) * 2 857 + iph1->sa->l 858 + (sw == GENERATE ? iph1->id->l : iph1->id_p->l); 859 860 #ifdef HAVE_GSSAPI 861 if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) { 862 if (iph1->gi_i != NULL && iph1->gi_r != NULL) { 863 bp = (sw == GENERATE ? iph1->gi_i : iph1->gi_r); 864 len += bp->l; 865 } 866 if (sw == GENERATE) 867 gssapi_get_itokens(iph1, &gsstokens); 868 else 869 gssapi_get_rtokens(iph1, &gsstokens); 870 if (gsstokens == NULL) 871 return NULL; 872 len += gsstokens->l; 873 } 874 #endif 875 876 buf = vmalloc(len); 877 if (buf == NULL) { 878 plog(LLV_ERROR, LOCATION, NULL, 879 "failed to get hash buffer\n"); 880 goto end; 881 } 882 883 p = buf->v; 884 885 bp = (sw == GENERATE ? iph1->dhpub : iph1->dhpub_p); 886 memcpy(p, bp->v, bp->l); 887 p += bp->l; 888 889 bp = (sw == GENERATE ? iph1->dhpub_p : iph1->dhpub); 890 memcpy(p, bp->v, bp->l); 891 p += bp->l; 892 893 if (iph1->side == INITIATOR) 894 bp2 = (sw == GENERATE ? 895 (char *)&iph1->index.i_ck : (char *)&iph1->index.r_ck); 896 else 897 bp2 = (sw == GENERATE ? 898 (char *)&iph1->index.r_ck : (char *)&iph1->index.i_ck); 899 bl = sizeof(cookie_t); 900 memcpy(p, bp2, bl); 901 p += bl; 902 903 if (iph1->side == INITIATOR) 904 bp2 = (sw == GENERATE ? 905 (char *)&iph1->index.r_ck : (char *)&iph1->index.i_ck); 906 else 907 bp2 = (sw == GENERATE ? 908 (char *)&iph1->index.i_ck : (char *)&iph1->index.r_ck); 909 bl = sizeof(cookie_t); 910 memcpy(p, bp2, bl); 911 p += bl; 912 913 bp = iph1->sa; 914 memcpy(p, bp->v, bp->l); 915 p += bp->l; 916 917 bp = (sw == GENERATE ? iph1->id : iph1->id_p); 918 memcpy(p, bp->v, bp->l); 919 p += bp->l; 920 921 #ifdef HAVE_GSSAPI 922 if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) { 923 if (iph1->gi_i != NULL && iph1->gi_r != NULL) { 924 bp = (sw == GENERATE ? iph1->gi_i : iph1->gi_r); 925 memcpy(p, bp->v, bp->l); 926 p += bp->l; 927 } 928 memcpy(p, gsstokens->v, gsstokens->l); 929 p += gsstokens->l; 930 } 931 #endif 932 933 plog(LLV_DEBUG, LOCATION, NULL, "HASH with:\n"); 934 plogdump(LLV_DEBUG, buf->v, buf->l); 935 936 /* compute HASH */ 937 res = oakley_prf(iph1->skeyid, buf, iph1); 938 if (res == NULL) 939 goto end; 940 941 error = 0; 942 943 plog(LLV_DEBUG, LOCATION, NULL, "HASH (%s) computed:\n", 944 iph1->side == INITIATOR ? "init" : "resp"); 945 plogdump(LLV_DEBUG, res->v, res->l); 946 947 end: 948 if (buf != NULL) 949 vfree(buf); 950 #ifdef HAVE_GSSAPI 951 if (gsstokens != NULL) 952 vfree(gsstokens); 953 #endif 954 return res; 955 } 956 957 /* 958 * compute HASH_I on base mode. 959 * base:psk,rsa 960 * HASH_I = prf(SKEYID, g^xi | CKY-I | CKY-R | SAi_b | IDii_b) 961 * base:sig 962 * HASH_I = prf(hash(Ni_b | Nr_b), g^xi | CKY-I | CKY-R | SAi_b | IDii_b) 963 */ 964 vchar_t * 965 oakley_ph1hash_base_i(iph1, sw) 966 struct ph1handle *iph1; 967 int sw; 968 { 969 vchar_t *buf = NULL, *res = NULL, *bp; 970 vchar_t *hashkey = NULL; 971 vchar_t *hash = NULL; /* for signature mode */ 972 char *p; 973 int len; 974 int error = -1; 975 976 /* sanity check */ 977 if (iph1->etype != ISAKMP_ETYPE_BASE) { 978 plog(LLV_ERROR, LOCATION, NULL, 979 "invalid etype for this hash function\n"); 980 return NULL; 981 } 982 983 switch (AUTHMETHOD(iph1)) { 984 case OAKLEY_ATTR_AUTH_METHOD_PSKEY: 985 case OAKLEY_ATTR_AUTH_METHOD_RSAENC: 986 case OAKLEY_ATTR_AUTH_METHOD_RSAREV: 987 #ifdef ENABLE_HYBRID 988 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I: 989 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R: 990 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I: 991 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: 992 case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I: 993 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R: 994 #endif 995 if (iph1->skeyid == NULL) { 996 plog(LLV_ERROR, LOCATION, NULL, "no SKEYID found.\n"); 997 return NULL; 998 } 999 hashkey = iph1->skeyid; 1000 break; 1001 1002 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: 1003 case OAKLEY_ATTR_AUTH_METHOD_RSASIG: 1004 #ifdef HAVE_GSSAPI 1005 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB: 1006 #endif 1007 #ifdef ENABLE_HYBRID 1008 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: 1009 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R: 1010 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: 1011 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R: 1012 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: 1013 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: 1014 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: 1015 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R: 1016 #endif 1017 /* make hash for seed */ 1018 len = iph1->nonce->l + iph1->nonce_p->l; 1019 buf = vmalloc(len); 1020 if (buf == NULL) { 1021 plog(LLV_ERROR, LOCATION, NULL, 1022 "failed to get hash buffer\n"); 1023 goto end; 1024 } 1025 p = buf->v; 1026 1027 bp = (sw == GENERATE ? iph1->nonce_p : iph1->nonce); 1028 memcpy(p, bp->v, bp->l); 1029 p += bp->l; 1030 1031 bp = (sw == GENERATE ? iph1->nonce : iph1->nonce_p); 1032 memcpy(p, bp->v, bp->l); 1033 p += bp->l; 1034 1035 hash = oakley_hash(buf, iph1); 1036 if (hash == NULL) 1037 goto end; 1038 vfree(buf); 1039 buf = NULL; 1040 1041 hashkey = hash; 1042 break; 1043 1044 default: 1045 plog(LLV_ERROR, LOCATION, NULL, 1046 "not supported authentication method %d\n", 1047 iph1->approval->authmethod); 1048 return NULL; 1049 1050 } 1051 1052 len = (sw == GENERATE ? iph1->dhpub->l : iph1->dhpub_p->l) 1053 + sizeof(cookie_t) * 2 1054 + iph1->sa->l 1055 + (sw == GENERATE ? iph1->id->l : iph1->id_p->l); 1056 buf = vmalloc(len); 1057 if (buf == NULL) { 1058 plog(LLV_ERROR, LOCATION, NULL, 1059 "failed to get hash buffer\n"); 1060 goto end; 1061 } 1062 p = buf->v; 1063 1064 bp = (sw == GENERATE ? iph1->dhpub : iph1->dhpub_p); 1065 memcpy(p, bp->v, bp->l); 1066 p += bp->l; 1067 1068 memcpy(p, &iph1->index.i_ck, sizeof(cookie_t)); 1069 p += sizeof(cookie_t); 1070 memcpy(p, &iph1->index.r_ck, sizeof(cookie_t)); 1071 p += sizeof(cookie_t); 1072 1073 memcpy(p, iph1->sa->v, iph1->sa->l); 1074 p += iph1->sa->l; 1075 1076 bp = (sw == GENERATE ? iph1->id : iph1->id_p); 1077 memcpy(p, bp->v, bp->l); 1078 p += bp->l; 1079 1080 plog(LLV_DEBUG, LOCATION, NULL, "HASH_I with:\n"); 1081 plogdump(LLV_DEBUG, buf->v, buf->l); 1082 1083 /* compute HASH */ 1084 res = oakley_prf(hashkey, buf, iph1); 1085 if (res == NULL) 1086 goto end; 1087 1088 error = 0; 1089 1090 plog(LLV_DEBUG, LOCATION, NULL, "HASH_I computed:\n"); 1091 plogdump(LLV_DEBUG, res->v, res->l); 1092 1093 end: 1094 if (hash != NULL) 1095 vfree(hash); 1096 if (buf != NULL) 1097 vfree(buf); 1098 return res; 1099 } 1100 1101 /* 1102 * compute HASH_R on base mode for signature method. 1103 * base: 1104 * HASH_R = prf(hash(Ni_b | Nr_b), g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b) 1105 */ 1106 vchar_t * 1107 oakley_ph1hash_base_r(iph1, sw) 1108 struct ph1handle *iph1; 1109 int sw; 1110 { 1111 vchar_t *buf = NULL, *res = NULL, *bp; 1112 vchar_t *hash = NULL; 1113 char *p; 1114 int len; 1115 int error = -1; 1116 1117 /* sanity check */ 1118 if (iph1->etype != ISAKMP_ETYPE_BASE) { 1119 plog(LLV_ERROR, LOCATION, NULL, 1120 "invalid etype for this hash function\n"); 1121 return NULL; 1122 } 1123 1124 switch(AUTHMETHOD(iph1)) { 1125 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: 1126 case OAKLEY_ATTR_AUTH_METHOD_RSASIG: 1127 #ifdef ENABLE_HYBRID 1128 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: 1129 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R: 1130 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: 1131 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R: 1132 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: 1133 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: 1134 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: 1135 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R: 1136 case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I: 1137 #endif 1138 break; 1139 default: 1140 plog(LLV_ERROR, LOCATION, NULL, 1141 "not supported authentication method %d\n", 1142 iph1->approval->authmethod); 1143 return NULL; 1144 break; 1145 } 1146 1147 /* make hash for seed */ 1148 len = iph1->nonce->l + iph1->nonce_p->l; 1149 buf = vmalloc(len); 1150 if (buf == NULL) { 1151 plog(LLV_ERROR, LOCATION, NULL, 1152 "failed to get hash buffer\n"); 1153 goto end; 1154 } 1155 p = buf->v; 1156 1157 bp = (sw == GENERATE ? iph1->nonce_p : iph1->nonce); 1158 memcpy(p, bp->v, bp->l); 1159 p += bp->l; 1160 1161 bp = (sw == GENERATE ? iph1->nonce : iph1->nonce_p); 1162 memcpy(p, bp->v, bp->l); 1163 p += bp->l; 1164 1165 hash = oakley_hash(buf, iph1); 1166 if (hash == NULL) 1167 goto end; 1168 vfree(buf); 1169 buf = NULL; 1170 1171 /* make really hash */ 1172 len = (sw == GENERATE ? iph1->dhpub_p->l : iph1->dhpub->l) 1173 + (sw == GENERATE ? iph1->dhpub->l : iph1->dhpub_p->l) 1174 + sizeof(cookie_t) * 2 1175 + iph1->sa->l 1176 + (sw == GENERATE ? iph1->id_p->l : iph1->id->l); 1177 buf = vmalloc(len); 1178 if (buf == NULL) { 1179 plog(LLV_ERROR, LOCATION, NULL, 1180 "failed to get hash buffer\n"); 1181 goto end; 1182 } 1183 p = buf->v; 1184 1185 1186 bp = (sw == GENERATE ? iph1->dhpub_p : iph1->dhpub); 1187 memcpy(p, bp->v, bp->l); 1188 p += bp->l; 1189 1190 bp = (sw == GENERATE ? iph1->dhpub : iph1->dhpub_p); 1191 memcpy(p, bp->v, bp->l); 1192 p += bp->l; 1193 1194 memcpy(p, &iph1->index.i_ck, sizeof(cookie_t)); 1195 p += sizeof(cookie_t); 1196 memcpy(p, &iph1->index.r_ck, sizeof(cookie_t)); 1197 p += sizeof(cookie_t); 1198 1199 memcpy(p, iph1->sa->v, iph1->sa->l); 1200 p += iph1->sa->l; 1201 1202 bp = (sw == GENERATE ? iph1->id_p : iph1->id); 1203 memcpy(p, bp->v, bp->l); 1204 p += bp->l; 1205 1206 plog(LLV_DEBUG, LOCATION, NULL, "HASH_R with:\n"); 1207 plogdump(LLV_DEBUG, buf->v, buf->l); 1208 1209 /* compute HASH */ 1210 res = oakley_prf(hash, buf, iph1); 1211 if (res == NULL) 1212 goto end; 1213 1214 error = 0; 1215 1216 plog(LLV_DEBUG, LOCATION, NULL, "HASH_R computed:\n"); 1217 plogdump(LLV_DEBUG, res->v, res->l); 1218 1219 end: 1220 if (buf != NULL) 1221 vfree(buf); 1222 if (hash) 1223 vfree(hash); 1224 return res; 1225 } 1226 1227 /* 1228 * compute each authentication method in phase 1. 1229 * OUT: 1230 * 0: OK 1231 * -1: error 1232 * other: error to be reply with notification. 1233 * the value is notification type. 1234 */ 1235 int 1236 oakley_validate_auth(iph1) 1237 struct ph1handle *iph1; 1238 { 1239 vchar_t *my_hash = NULL; 1240 int result; 1241 #ifdef HAVE_GSSAPI 1242 vchar_t *gsshash = NULL; 1243 #endif 1244 #ifdef ENABLE_STATS 1245 struct timeval start, end; 1246 #endif 1247 1248 #ifdef ENABLE_STATS 1249 gettimeofday(&start, NULL); 1250 #endif 1251 1252 switch (AUTHMETHOD(iph1)) { 1253 case OAKLEY_ATTR_AUTH_METHOD_PSKEY: 1254 #ifdef ENABLE_HYBRID 1255 case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I: 1256 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R: 1257 #endif 1258 /* validate HASH */ 1259 { 1260 char *r_hash; 1261 1262 if (iph1->id_p == NULL || iph1->pl_hash == NULL) { 1263 plog(LLV_ERROR, LOCATION, iph1->remote, 1264 "few isakmp message received.\n"); 1265 return ISAKMP_NTYPE_PAYLOAD_MALFORMED; 1266 } 1267 #ifdef ENABLE_HYBRID 1268 if (AUTHMETHOD(iph1) == FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I && 1269 ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0)) 1270 { 1271 plog(LLV_ERROR, LOCATION, NULL, "No SIG was passed, " 1272 "hybrid auth is enabled, " 1273 "but peer is no Xauth compliant\n"); 1274 return ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED; 1275 break; 1276 } 1277 #endif 1278 r_hash = (caddr_t)(iph1->pl_hash + 1); 1279 1280 plog(LLV_DEBUG, LOCATION, NULL, "HASH received:\n"); 1281 plogdump(LLV_DEBUG, r_hash, 1282 ntohs(iph1->pl_hash->h.len) - sizeof(*iph1->pl_hash)); 1283 1284 switch (iph1->etype) { 1285 case ISAKMP_ETYPE_IDENT: 1286 case ISAKMP_ETYPE_AGG: 1287 my_hash = oakley_ph1hash_common(iph1, VALIDATE); 1288 break; 1289 case ISAKMP_ETYPE_BASE: 1290 if (iph1->side == INITIATOR) 1291 my_hash = oakley_ph1hash_common(iph1, VALIDATE); 1292 else 1293 my_hash = oakley_ph1hash_base_i(iph1, VALIDATE); 1294 break; 1295 default: 1296 plog(LLV_ERROR, LOCATION, NULL, 1297 "invalid etype %d\n", iph1->etype); 1298 return ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE; 1299 } 1300 if (my_hash == NULL) 1301 return ISAKMP_INTERNAL_ERROR; 1302 1303 result = memcmp(my_hash->v, r_hash, my_hash->l); 1304 vfree(my_hash); 1305 1306 if (result) { 1307 plog(LLV_ERROR, LOCATION, NULL, "HASH mismatched\n"); 1308 return ISAKMP_NTYPE_INVALID_HASH_INFORMATION; 1309 } 1310 1311 plog(LLV_DEBUG, LOCATION, NULL, "HASH for PSK validated.\n"); 1312 } 1313 break; 1314 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: 1315 case OAKLEY_ATTR_AUTH_METHOD_RSASIG: 1316 #ifdef ENABLE_HYBRID 1317 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: 1318 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: 1319 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: 1320 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: 1321 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: 1322 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R: 1323 #endif 1324 { 1325 int error = 0; 1326 int certtype = 0; 1327 1328 /* validation */ 1329 if (iph1->id_p == NULL) { 1330 plog(LLV_ERROR, LOCATION, iph1->remote, 1331 "no ID payload was passed.\n"); 1332 return ISAKMP_NTYPE_PAYLOAD_MALFORMED; 1333 } 1334 if (iph1->sig_p == NULL) { 1335 plog(LLV_ERROR, LOCATION, iph1->remote, 1336 "no SIG payload was passed.\n"); 1337 return ISAKMP_NTYPE_PAYLOAD_MALFORMED; 1338 } 1339 1340 plog(LLV_DEBUG, LOCATION, NULL, "SIGN passed:\n"); 1341 plogdump(LLV_DEBUG, iph1->sig_p->v, iph1->sig_p->l); 1342 1343 /* get peer's cert */ 1344 switch (iph1->rmconf->getcert_method) { 1345 case ISAKMP_GETCERT_PAYLOAD: 1346 if (iph1->cert_p == NULL) { 1347 plog(LLV_ERROR, LOCATION, NULL, 1348 "no peer's CERT payload found.\n"); 1349 return ISAKMP_INTERNAL_ERROR; 1350 } 1351 break; 1352 case ISAKMP_GETCERT_LOCALFILE: 1353 switch (iph1->rmconf->certtype) { 1354 case ISAKMP_CERT_X509SIGN: 1355 if (iph1->rmconf->peerscertfile == NULL) { 1356 plog(LLV_ERROR, LOCATION, NULL, 1357 "no peer's CERT file found.\n"); 1358 return ISAKMP_INTERNAL_ERROR; 1359 } 1360 1361 /* don't use cached cert */ 1362 if (iph1->cert_p != NULL) { 1363 oakley_delcert(iph1->cert_p); 1364 iph1->cert_p = NULL; 1365 } 1366 1367 error = get_cert_fromlocal(iph1, 0); 1368 break; 1369 1370 case ISAKMP_CERT_PLAINRSA: 1371 error = get_plainrsa_fromlocal(iph1, 0); 1372 break; 1373 } 1374 if (error) 1375 return ISAKMP_INTERNAL_ERROR; 1376 break; 1377 case ISAKMP_GETCERT_DNS: 1378 if (iph1->rmconf->peerscertfile != NULL) { 1379 plog(LLV_ERROR, LOCATION, NULL, 1380 "why peer's CERT file is defined " 1381 "though getcert method is dns ?\n"); 1382 return ISAKMP_INTERNAL_ERROR; 1383 } 1384 1385 /* don't use cached cert */ 1386 if (iph1->cert_p != NULL) { 1387 oakley_delcert(iph1->cert_p); 1388 iph1->cert_p = NULL; 1389 } 1390 1391 iph1->cert_p = dnssec_getcert(iph1->id_p); 1392 if (iph1->cert_p == NULL) { 1393 plog(LLV_ERROR, LOCATION, NULL, 1394 "no CERT RR found.\n"); 1395 return ISAKMP_INTERNAL_ERROR; 1396 } 1397 break; 1398 default: 1399 plog(LLV_ERROR, LOCATION, NULL, 1400 "invalid getcert_mothod: %d\n", 1401 iph1->rmconf->getcert_method); 1402 return ISAKMP_INTERNAL_ERROR; 1403 } 1404 1405 /* compare ID payload and certificate name */ 1406 if (iph1->rmconf->verify_cert && 1407 (error = oakley_check_certid(iph1)) != 0) 1408 return error; 1409 1410 /* verify certificate */ 1411 if (iph1->rmconf->verify_cert 1412 && iph1->rmconf->getcert_method == ISAKMP_GETCERT_PAYLOAD) { 1413 certtype = iph1->rmconf->certtype; 1414 #ifdef ENABLE_HYBRID 1415 switch (AUTHMETHOD(iph1)) { 1416 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: 1417 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: 1418 certtype = iph1->cert_p->type; 1419 break; 1420 default: 1421 break; 1422 } 1423 #endif 1424 switch (certtype) { 1425 case ISAKMP_CERT_X509SIGN: { 1426 char path[MAXPATHLEN]; 1427 char *ca; 1428 1429 if (iph1->rmconf->cacertfile != NULL) { 1430 getpathname(path, sizeof(path), 1431 LC_PATHTYPE_CERT, 1432 iph1->rmconf->cacertfile); 1433 ca = path; 1434 } else { 1435 ca = NULL; 1436 } 1437 1438 error = eay_check_x509cert(&iph1->cert_p->cert, 1439 lcconf->pathinfo[LC_PATHTYPE_CERT], 1440 ca, 0); 1441 break; 1442 } 1443 1444 default: 1445 plog(LLV_ERROR, LOCATION, NULL, 1446 "no supported certtype %d\n", certtype); 1447 return ISAKMP_INTERNAL_ERROR; 1448 } 1449 if (error != 0) { 1450 plog(LLV_ERROR, LOCATION, NULL, 1451 "the peer's certificate is not verified.\n"); 1452 return ISAKMP_NTYPE_INVALID_CERT_AUTHORITY; 1453 } 1454 } 1455 1456 /* Generate a warning if verify_cert == 0 1457 */ 1458 if (iph1->rmconf->verify_cert){ 1459 plog(LLV_DEBUG, LOCATION, NULL, "CERT validated\n"); 1460 }else{ 1461 plog(LLV_WARNING, LOCATION, NULL, 1462 "CERT validation disabled by configuration\n"); 1463 } 1464 1465 /* compute hash */ 1466 switch (iph1->etype) { 1467 case ISAKMP_ETYPE_IDENT: 1468 case ISAKMP_ETYPE_AGG: 1469 my_hash = oakley_ph1hash_common(iph1, VALIDATE); 1470 break; 1471 case ISAKMP_ETYPE_BASE: 1472 if (iph1->side == INITIATOR) 1473 my_hash = oakley_ph1hash_base_r(iph1, VALIDATE); 1474 else 1475 my_hash = oakley_ph1hash_base_i(iph1, VALIDATE); 1476 break; 1477 default: 1478 plog(LLV_ERROR, LOCATION, NULL, 1479 "invalid etype %d\n", iph1->etype); 1480 return ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE; 1481 } 1482 if (my_hash == NULL) 1483 return ISAKMP_INTERNAL_ERROR; 1484 1485 1486 certtype = iph1->rmconf->certtype; 1487 #ifdef ENABLE_HYBRID 1488 switch (AUTHMETHOD(iph1)) { 1489 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: 1490 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: 1491 certtype = iph1->cert_p->type; 1492 break; 1493 default: 1494 break; 1495 } 1496 #endif 1497 /* check signature */ 1498 switch (certtype) { 1499 case ISAKMP_CERT_X509SIGN: 1500 case ISAKMP_CERT_DNS: 1501 error = eay_check_x509sign(my_hash, 1502 iph1->sig_p, 1503 &iph1->cert_p->cert); 1504 break; 1505 case ISAKMP_CERT_PLAINRSA: 1506 iph1->rsa_p = rsa_try_check_rsasign(my_hash, 1507 iph1->sig_p, iph1->rsa_candidates); 1508 error = iph1->rsa_p ? 0 : -1; 1509 1510 break; 1511 default: 1512 plog(LLV_ERROR, LOCATION, NULL, 1513 "no supported certtype %d\n", 1514 certtype); 1515 vfree(my_hash); 1516 return ISAKMP_INTERNAL_ERROR; 1517 } 1518 1519 vfree(my_hash); 1520 if (error != 0) { 1521 plog(LLV_ERROR, LOCATION, NULL, 1522 "Invalid SIG.\n"); 1523 return ISAKMP_NTYPE_INVALID_SIGNATURE; 1524 } 1525 plog(LLV_DEBUG, LOCATION, NULL, "SIG authenticated\n"); 1526 } 1527 break; 1528 #ifdef ENABLE_HYBRID 1529 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R: 1530 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R: 1531 { 1532 if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) { 1533 plog(LLV_ERROR, LOCATION, NULL, "No SIG was passed, " 1534 "hybrid auth is enabled, " 1535 "but peer is no Xauth compliant\n"); 1536 return ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED; 1537 break; 1538 } 1539 plog(LLV_INFO, LOCATION, NULL, "No SIG was passed, " 1540 "but hybrid auth is enabled\n"); 1541 1542 return 0; 1543 break; 1544 } 1545 #endif 1546 #ifdef HAVE_GSSAPI 1547 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB: 1548 /* check if we're not into XAUTH_PSKEY_I instead */ 1549 #ifdef ENABLE_HYBRID 1550 if (iph1->rmconf->xauth) 1551 break; 1552 #endif 1553 switch (iph1->etype) { 1554 case ISAKMP_ETYPE_IDENT: 1555 case ISAKMP_ETYPE_AGG: 1556 my_hash = oakley_ph1hash_common(iph1, VALIDATE); 1557 break; 1558 default: 1559 plog(LLV_ERROR, LOCATION, NULL, 1560 "invalid etype %d\n", iph1->etype); 1561 return ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE; 1562 } 1563 1564 if (my_hash == NULL) { 1565 if (gssapi_more_tokens(iph1)) 1566 return ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE; 1567 else 1568 return ISAKMP_NTYPE_INVALID_HASH_INFORMATION; 1569 } 1570 1571 gsshash = gssapi_unwraphash(iph1); 1572 if (gsshash == NULL) { 1573 vfree(my_hash); 1574 return ISAKMP_NTYPE_INVALID_HASH_INFORMATION; 1575 } 1576 1577 result = memcmp(my_hash->v, gsshash->v, my_hash->l); 1578 vfree(my_hash); 1579 vfree(gsshash); 1580 1581 if (result) { 1582 plog(LLV_ERROR, LOCATION, NULL, "HASH mismatched\n"); 1583 return ISAKMP_NTYPE_INVALID_HASH_INFORMATION; 1584 } 1585 plog(LLV_DEBUG, LOCATION, NULL, "hash compared OK\n"); 1586 break; 1587 #endif 1588 case OAKLEY_ATTR_AUTH_METHOD_RSAENC: 1589 case OAKLEY_ATTR_AUTH_METHOD_RSAREV: 1590 #ifdef ENABLE_HYBRID 1591 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I: 1592 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R: 1593 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I: 1594 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: 1595 #endif 1596 if (iph1->id_p == NULL || iph1->pl_hash == NULL) { 1597 plog(LLV_ERROR, LOCATION, iph1->remote, 1598 "few isakmp message received.\n"); 1599 return ISAKMP_NTYPE_PAYLOAD_MALFORMED; 1600 } 1601 plog(LLV_ERROR, LOCATION, iph1->remote, 1602 "not supported authmethod type %s\n", 1603 s_oakley_attr_method(iph1->approval->authmethod)); 1604 return ISAKMP_INTERNAL_ERROR; 1605 default: 1606 plog(LLV_ERROR, LOCATION, iph1->remote, 1607 "invalid authmethod %d why ?\n", 1608 iph1->approval->authmethod); 1609 return ISAKMP_INTERNAL_ERROR; 1610 } 1611 #ifdef ENABLE_STATS 1612 gettimeofday(&end, NULL); 1613 syslog(LOG_NOTICE, "%s(%s): %8.6f", __func__, 1614 s_oakley_attr_method(iph1->approval->authmethod), 1615 timedelta(&start, &end)); 1616 #endif 1617 1618 return 0; 1619 } 1620 1621 /* get my certificate 1622 * NOTE: include certificate type. 1623 */ 1624 int 1625 oakley_getmycert(iph1) 1626 struct ph1handle *iph1; 1627 { 1628 switch (iph1->rmconf->certtype) { 1629 case ISAKMP_CERT_X509SIGN: 1630 if (iph1->cert) 1631 return 0; 1632 return get_cert_fromlocal(iph1, 1); 1633 1634 case ISAKMP_CERT_PLAINRSA: 1635 if (iph1->rsa) 1636 return 0; 1637 return get_plainrsa_fromlocal(iph1, 1); 1638 1639 default: 1640 plog(LLV_ERROR, LOCATION, NULL, 1641 "Unknown certtype #%d\n", 1642 iph1->rmconf->certtype); 1643 return -1; 1644 } 1645 1646 } 1647 1648 /* 1649 * get a CERT from local file. 1650 * IN: 1651 * my != 0 my cert. 1652 * my == 0 peer's cert. 1653 */ 1654 static int 1655 get_cert_fromlocal(iph1, my) 1656 struct ph1handle *iph1; 1657 int my; 1658 { 1659 char path[MAXPATHLEN]; 1660 vchar_t *cert = NULL; 1661 cert_t **certpl; 1662 char *certfile; 1663 int error = -1; 1664 1665 if (my) { 1666 certfile = iph1->rmconf->mycertfile; 1667 certpl = &iph1->cert; 1668 } else { 1669 certfile = iph1->rmconf->peerscertfile; 1670 certpl = &iph1->cert_p; 1671 } 1672 if (!certfile) { 1673 plog(LLV_ERROR, LOCATION, NULL, "no CERT defined.\n"); 1674 return 0; 1675 } 1676 1677 switch (iph1->rmconf->certtype) { 1678 case ISAKMP_CERT_X509SIGN: 1679 case ISAKMP_CERT_DNS: 1680 /* make public file name */ 1681 getpathname(path, sizeof(path), LC_PATHTYPE_CERT, certfile); 1682 cert = eay_get_x509cert(path); 1683 if (cert) { 1684 char *p = NULL; 1685 p = eay_get_x509text(cert); 1686 plog(LLV_DEBUG, LOCATION, NULL, "%s", p ? p : "\n"); 1687 racoon_free(p); 1688 }; 1689 break; 1690 1691 default: 1692 plog(LLV_ERROR, LOCATION, NULL, 1693 "not supported certtype %d\n", 1694 iph1->rmconf->certtype); 1695 goto end; 1696 } 1697 1698 if (!cert) { 1699 plog(LLV_ERROR, LOCATION, NULL, 1700 "failed to get %s CERT.\n", 1701 my ? "my" : "peers"); 1702 goto end; 1703 } 1704 1705 *certpl = oakley_newcert(); 1706 if (!*certpl) { 1707 plog(LLV_ERROR, LOCATION, NULL, 1708 "failed to get cert buffer.\n"); 1709 goto end; 1710 } 1711 (*certpl)->pl = vmalloc(cert->l + 1); 1712 if ((*certpl)->pl == NULL) { 1713 plog(LLV_ERROR, LOCATION, NULL, 1714 "failed to get cert buffer\n"); 1715 oakley_delcert(*certpl); 1716 *certpl = NULL; 1717 goto end; 1718 } 1719 memcpy((*certpl)->pl->v + 1, cert->v, cert->l); 1720 (*certpl)->pl->v[0] = iph1->rmconf->certtype; 1721 (*certpl)->type = iph1->rmconf->certtype; 1722 (*certpl)->cert.v = (*certpl)->pl->v + 1; 1723 (*certpl)->cert.l = (*certpl)->pl->l - 1; 1724 1725 plog(LLV_DEBUG, LOCATION, NULL, "created CERT payload:\n"); 1726 plogdump(LLV_DEBUG, (*certpl)->pl->v, (*certpl)->pl->l); 1727 1728 error = 0; 1729 1730 end: 1731 if (cert != NULL) 1732 vfree(cert); 1733 1734 return error; 1735 } 1736 1737 static int 1738 get_plainrsa_fromlocal(iph1, my) 1739 struct ph1handle *iph1; 1740 int my; 1741 { 1742 char path[MAXPATHLEN]; 1743 vchar_t *cert = NULL; 1744 char *certfile; 1745 int error = -1; 1746 1747 iph1->rsa_candidates = rsa_lookup_keys(iph1, my); 1748 if (!iph1->rsa_candidates || 1749 rsa_list_count(iph1->rsa_candidates) == 0) { 1750 plog(LLV_ERROR, LOCATION, NULL, 1751 "%s RSA key not found for %s\n", 1752 my ? "Private" : "Public", 1753 saddr2str_fromto("%s <-> %s", 1754 iph1->local, iph1->remote)); 1755 goto end; 1756 } 1757 1758 if (my && rsa_list_count(iph1->rsa_candidates) > 1) { 1759 plog(LLV_WARNING, LOCATION, NULL, 1760 "More than one (=%lu) private " 1761 "PlainRSA key found for %s\n", 1762 rsa_list_count(iph1->rsa_candidates), 1763 saddr2str_fromto("%s <-> %s", 1764 iph1->local, iph1->remote)); 1765 plog(LLV_WARNING, LOCATION, NULL, 1766 "This may have unpredictable results, " 1767 "i.e. wrong key could be used!\n"); 1768 plog(LLV_WARNING, LOCATION, NULL, 1769 "Consider using only one single private " 1770 "key for all peers...\n"); 1771 } 1772 if (my) { 1773 iph1->rsa = ((struct rsa_key *) 1774 genlist_next(iph1->rsa_candidates, NULL))->rsa; 1775 1776 genlist_free(iph1->rsa_candidates, NULL); 1777 iph1->rsa_candidates = NULL; 1778 1779 if (iph1->rsa == NULL) 1780 goto end; 1781 } 1782 1783 error = 0; 1784 1785 end: 1786 return error; 1787 } 1788 1789 /* get signature */ 1790 int 1791 oakley_getsign(iph1) 1792 struct ph1handle *iph1; 1793 { 1794 char path[MAXPATHLEN]; 1795 vchar_t *privkey = NULL; 1796 int error = -1; 1797 1798 switch (iph1->rmconf->certtype) { 1799 case ISAKMP_CERT_X509SIGN: 1800 case ISAKMP_CERT_DNS: 1801 if (iph1->rmconf->myprivfile == NULL) { 1802 plog(LLV_ERROR, LOCATION, NULL, "no cert defined.\n"); 1803 goto end; 1804 } 1805 1806 /* make private file name */ 1807 getpathname(path, sizeof(path), 1808 LC_PATHTYPE_CERT, 1809 iph1->rmconf->myprivfile); 1810 privkey = privsep_eay_get_pkcs1privkey(path); 1811 if (privkey == NULL) { 1812 plog(LLV_ERROR, LOCATION, NULL, 1813 "failed to get private key.\n"); 1814 goto end; 1815 } 1816 plog(LLV_DEBUG2, LOCATION, NULL, "private key:\n"); 1817 plogdump(LLV_DEBUG2, privkey->v, privkey->l); 1818 1819 iph1->sig = eay_get_x509sign(iph1->hash, privkey); 1820 break; 1821 case ISAKMP_CERT_PLAINRSA: 1822 iph1->sig = eay_get_rsasign(iph1->hash, iph1->rsa); 1823 break; 1824 default: 1825 plog(LLV_ERROR, LOCATION, NULL, 1826 "Unknown certtype #%d\n", 1827 iph1->rmconf->certtype); 1828 goto end; 1829 } 1830 1831 if (iph1->sig == NULL) { 1832 plog(LLV_ERROR, LOCATION, NULL, "failed to sign.\n"); 1833 goto end; 1834 } 1835 1836 plog(LLV_DEBUG, LOCATION, NULL, "SIGN computed:\n"); 1837 plogdump(LLV_DEBUG, iph1->sig->v, iph1->sig->l); 1838 1839 error = 0; 1840 1841 end: 1842 if (privkey != NULL) 1843 vfree(privkey); 1844 1845 return error; 1846 } 1847 1848 /* 1849 * compare certificate name and ID value. 1850 */ 1851 static int 1852 oakley_check_certid(iph1) 1853 struct ph1handle *iph1; 1854 { 1855 struct ipsecdoi_id_b *id_b; 1856 vchar_t *name = NULL; 1857 char *altname = NULL; 1858 int idlen, type; 1859 int error; 1860 1861 if (iph1->id_p == NULL || iph1->cert_p == NULL) { 1862 plog(LLV_ERROR, LOCATION, NULL, "no ID nor CERT found.\n"); 1863 return ISAKMP_NTYPE_INVALID_ID_INFORMATION; 1864 } 1865 1866 id_b = (struct ipsecdoi_id_b *)iph1->id_p->v; 1867 idlen = iph1->id_p->l - sizeof(*id_b); 1868 1869 switch (id_b->type) { 1870 case IPSECDOI_ID_DER_ASN1_DN: 1871 name = eay_get_x509asn1subjectname(&iph1->cert_p->cert); 1872 if (!name) { 1873 plog(LLV_ERROR, LOCATION, NULL, 1874 "failed to get subjectName\n"); 1875 return ISAKMP_NTYPE_INVALID_CERTIFICATE; 1876 } 1877 if (idlen != name->l) { 1878 plog(LLV_ERROR, LOCATION, NULL, 1879 "Invalid ID length in phase 1.\n"); 1880 vfree(name); 1881 return ISAKMP_NTYPE_INVALID_ID_INFORMATION; 1882 } 1883 error = memcmp(id_b + 1, name->v, idlen); 1884 vfree(name); 1885 if (error != 0) { 1886 plog(LLV_ERROR, LOCATION, NULL, 1887 "ID mismatched with ASN1 SubjectName.\n"); 1888 plogdump(LLV_DEBUG, id_b + 1, idlen); 1889 plogdump(LLV_DEBUG, name->v, idlen); 1890 return ISAKMP_NTYPE_INVALID_ID_INFORMATION; 1891 } 1892 return 0; 1893 case IPSECDOI_ID_IPV4_ADDR: 1894 case IPSECDOI_ID_IPV6_ADDR: 1895 { 1896 /* 1897 * converting to binary from string because openssl return 1898 * a string even if object is a binary. 1899 * XXX fix it ! access by ASN.1 directly without. 1900 */ 1901 struct addrinfo hints, *res; 1902 caddr_t a = NULL; 1903 int pos; 1904 1905 for (pos = 1; ; pos++) { 1906 if (eay_get_x509subjectaltname(&iph1->cert_p->cert, 1907 &altname, &type, pos) !=0) { 1908 plog(LLV_ERROR, LOCATION, NULL, 1909 "failed to get subjectAltName\n"); 1910 return ISAKMP_NTYPE_INVALID_CERTIFICATE; 1911 } 1912 1913 /* it's the end condition of the loop. */ 1914 if (!altname) { 1915 plog(LLV_ERROR, LOCATION, NULL, 1916 "no proper subjectAltName.\n"); 1917 return ISAKMP_NTYPE_INVALID_CERTIFICATE; 1918 } 1919 1920 if (check_typeofcertname(id_b->type, type) == 0) 1921 break; 1922 1923 /* next name */ 1924 racoon_free(altname); 1925 altname = NULL; 1926 } 1927 memset(&hints, 0, sizeof(hints)); 1928 hints.ai_family = PF_UNSPEC; 1929 hints.ai_socktype = SOCK_RAW; 1930 hints.ai_flags = AI_NUMERICHOST; 1931 error = getaddrinfo(altname, NULL, &hints, &res); 1932 if (error != 0) { 1933 plog(LLV_ERROR, LOCATION, NULL, 1934 "no proper subjectAltName.\n"); 1935 racoon_free(altname); 1936 return ISAKMP_NTYPE_INVALID_CERTIFICATE; 1937 } 1938 switch (res->ai_family) { 1939 case AF_INET: 1940 a = (caddr_t)&((struct sockaddr_in *)res->ai_addr)->sin_addr.s_addr; 1941 break; 1942 #ifdef INET6 1943 case AF_INET6: 1944 a = (caddr_t)&((struct sockaddr_in6 *)res->ai_addr)->sin6_addr.s6_addr; 1945 break; 1946 #endif 1947 default: 1948 plog(LLV_ERROR, LOCATION, NULL, 1949 "family not supported: %d.\n", res->ai_family); 1950 racoon_free(altname); 1951 freeaddrinfo(res); 1952 return ISAKMP_NTYPE_INVALID_CERTIFICATE; 1953 } 1954 error = memcmp(id_b + 1, a, idlen); 1955 freeaddrinfo(res); 1956 vfree(name); 1957 if (error != 0) { 1958 plog(LLV_ERROR, LOCATION, NULL, 1959 "ID mismatched with subjectAltName.\n"); 1960 plogdump(LLV_DEBUG, id_b + 1, idlen); 1961 plogdump(LLV_DEBUG, a, idlen); 1962 return ISAKMP_NTYPE_INVALID_ID_INFORMATION; 1963 } 1964 return 0; 1965 } 1966 case IPSECDOI_ID_FQDN: 1967 case IPSECDOI_ID_USER_FQDN: 1968 { 1969 int pos; 1970 1971 for (pos = 1; ; pos++) { 1972 if (eay_get_x509subjectaltname(&iph1->cert_p->cert, 1973 &altname, &type, pos) != 0){ 1974 plog(LLV_ERROR, LOCATION, NULL, 1975 "failed to get subjectAltName\n"); 1976 return ISAKMP_NTYPE_INVALID_CERTIFICATE; 1977 } 1978 1979 /* it's the end condition of the loop. */ 1980 if (!altname) { 1981 plog(LLV_ERROR, LOCATION, NULL, 1982 "no proper subjectAltName.\n"); 1983 return ISAKMP_NTYPE_INVALID_CERTIFICATE; 1984 } 1985 1986 if (check_typeofcertname(id_b->type, type) == 0) 1987 break; 1988 1989 /* next name */ 1990 racoon_free(altname); 1991 altname = NULL; 1992 } 1993 if (idlen != strlen(altname)) { 1994 plog(LLV_ERROR, LOCATION, NULL, 1995 "Invalid ID length in phase 1.\n"); 1996 racoon_free(altname); 1997 return ISAKMP_NTYPE_INVALID_ID_INFORMATION; 1998 } 1999 if (check_typeofcertname(id_b->type, type) != 0) { 2000 plog(LLV_ERROR, LOCATION, NULL, 2001 "ID type mismatched. ID: %s CERT: %s.\n", 2002 s_ipsecdoi_ident(id_b->type), 2003 s_ipsecdoi_ident(type)); 2004 racoon_free(altname); 2005 return ISAKMP_NTYPE_INVALID_ID_INFORMATION; 2006 } 2007 error = memcmp(id_b + 1, altname, idlen); 2008 if (error) { 2009 plog(LLV_ERROR, LOCATION, NULL, "ID mismatched.\n"); 2010 plogdump(LLV_DEBUG, id_b + 1, idlen); 2011 plogdump(LLV_DEBUG, altname, idlen); 2012 racoon_free(altname); 2013 return ISAKMP_NTYPE_INVALID_ID_INFORMATION; 2014 } 2015 racoon_free(altname); 2016 return 0; 2017 } 2018 default: 2019 plog(LLV_ERROR, LOCATION, NULL, 2020 "Inpropper ID type passed: %s.\n", 2021 s_ipsecdoi_ident(id_b->type)); 2022 return ISAKMP_NTYPE_INVALID_ID_INFORMATION; 2023 } 2024 /*NOTREACHED*/ 2025 } 2026 2027 static int 2028 check_typeofcertname(doi, genid) 2029 int doi, genid; 2030 { 2031 switch (doi) { 2032 case IPSECDOI_ID_IPV4_ADDR: 2033 case IPSECDOI_ID_IPV4_ADDR_SUBNET: 2034 case IPSECDOI_ID_IPV6_ADDR: 2035 case IPSECDOI_ID_IPV6_ADDR_SUBNET: 2036 case IPSECDOI_ID_IPV4_ADDR_RANGE: 2037 case IPSECDOI_ID_IPV6_ADDR_RANGE: 2038 if (genid != GENT_IPADD) 2039 return -1; 2040 return 0; 2041 case IPSECDOI_ID_FQDN: 2042 if (genid != GENT_DNS) 2043 return -1; 2044 return 0; 2045 case IPSECDOI_ID_USER_FQDN: 2046 if (genid != GENT_EMAIL) 2047 return -1; 2048 return 0; 2049 case IPSECDOI_ID_DER_ASN1_DN: /* should not be passed to this function*/ 2050 case IPSECDOI_ID_DER_ASN1_GN: 2051 case IPSECDOI_ID_KEY_ID: 2052 default: 2053 return -1; 2054 } 2055 /*NOTREACHED*/ 2056 } 2057 2058 /* 2059 * save certificate including certificate type. 2060 */ 2061 int 2062 oakley_savecert(iph1, gen) 2063 struct ph1handle *iph1; 2064 struct isakmp_gen *gen; 2065 { 2066 cert_t **c; 2067 u_int8_t type; 2068 STACK_OF(X509) *certs=NULL; 2069 PKCS7 *p7; 2070 2071 type = *(u_int8_t *)(gen + 1) & 0xff; 2072 2073 switch (type) { 2074 case ISAKMP_CERT_DNS: 2075 plog(LLV_WARNING, LOCATION, NULL, 2076 "CERT payload is unnecessary in DNSSEC. " 2077 "ignore this CERT payload.\n"); 2078 return 0; 2079 case ISAKMP_CERT_PKCS7: 2080 case ISAKMP_CERT_PGP: 2081 case ISAKMP_CERT_X509SIGN: 2082 case ISAKMP_CERT_KERBEROS: 2083 case ISAKMP_CERT_SPKI: 2084 c = &iph1->cert_p; 2085 break; 2086 case ISAKMP_CERT_CRL: 2087 c = &iph1->crl_p; 2088 break; 2089 case ISAKMP_CERT_X509KE: 2090 case ISAKMP_CERT_X509ATTR: 2091 case ISAKMP_CERT_ARL: 2092 plog(LLV_ERROR, LOCATION, NULL, 2093 "No supported such CERT type %d\n", type); 2094 return -1; 2095 default: 2096 plog(LLV_ERROR, LOCATION, NULL, 2097 "Invalid CERT type %d\n", type); 2098 return -1; 2099 } 2100 2101 /* XXX choice the 1th cert, ignore after the cert. */ 2102 /* XXX should be processed. */ 2103 if (*c) { 2104 plog(LLV_WARNING, LOCATION, NULL, 2105 "ignore 2nd CERT payload.\n"); 2106 return 0; 2107 } 2108 2109 if (type == ISAKMP_CERT_PKCS7) { 2110 u_char *bp; 2111 int i; 2112 2113 /* Skip the header */ 2114 bp = (u_char *)(gen + 1); 2115 /* And the first byte is the certificate type, 2116 * we know that already 2117 */ 2118 bp++; 2119 p7 = d2i_PKCS7(NULL, (void *)&bp, 2120 ntohs(gen->len) - sizeof(*gen) - 1); 2121 2122 if (!p7) { 2123 plog(LLV_ERROR, LOCATION, NULL, 2124 "Failed to parse PKCS#7 CERT.\n"); 2125 return -1; 2126 } 2127 2128 /* Copied this from the openssl pkcs7 application; 2129 * there"s little by way of documentation for any of 2130 * it. I can only presume it"s correct. 2131 */ 2132 2133 i = OBJ_obj2nid(p7->type); 2134 switch (i) { 2135 case NID_pkcs7_signed: 2136 certs=p7->d.sign->cert; 2137 break; 2138 case NID_pkcs7_signedAndEnveloped: 2139 certs=p7->d.signed_and_enveloped->cert; 2140 break; 2141 default: 2142 break; 2143 } 2144 2145 if (!certs) { 2146 plog(LLV_ERROR, LOCATION, NULL, 2147 "CERT PKCS#7 bundle contains no certs.\n"); 2148 PKCS7_free(p7); 2149 return -1; 2150 } 2151 2152 for (i = 0; i < sk_X509_num(certs); i++) { 2153 int len; 2154 u_char *bp; 2155 X509 *cert = sk_X509_value(certs,i); 2156 2157 plog(LLV_DEBUG, LOCATION, NULL, 2158 "Trying PKCS#7 cert %d.\n", i); 2159 2160 /* We'll just try each cert in turn */ 2161 *c = save_certx509(cert); 2162 2163 if (!*c) { 2164 plog(LLV_ERROR, LOCATION, NULL, 2165 "Failed to get CERT buffer.\n"); 2166 continue; 2167 } 2168 2169 /* Ignore cert if it doesn't match identity 2170 * XXX If verify cert is disabled, we still just take 2171 * the first certificate.... 2172 */ 2173 if(iph1->rmconf->verify_cert && 2174 oakley_check_certid(iph1)) { 2175 plog(LLV_DEBUG, LOCATION, NULL, 2176 "Discarding CERT: does not match ID.\n"); 2177 oakley_delcert((*c)); 2178 *c = NULL; 2179 continue; 2180 } 2181 2182 { 2183 char *p = eay_get_x509text(&(*c)->cert); 2184 plog(LLV_DEBUG, LOCATION, NULL, "CERT saved:\n"); 2185 plogdump(LLV_DEBUG, (*c)->cert.v, (*c)->cert.l); 2186 plog(LLV_DEBUG, LOCATION, NULL, "%s", 2187 p ? p : "\n"); 2188 racoon_free(p); 2189 } 2190 break; 2191 } 2192 PKCS7_free(p7); 2193 2194 } else { 2195 *c = save_certbuf(gen); 2196 if (!*c) { 2197 plog(LLV_ERROR, LOCATION, NULL, 2198 "Failed to get CERT buffer.\n"); 2199 return -1; 2200 } 2201 2202 switch ((*c)->type) { 2203 case ISAKMP_CERT_DNS: 2204 plog(LLV_WARNING, LOCATION, NULL, 2205 "CERT payload is unnecessary in DNSSEC. " 2206 "ignore it.\n"); 2207 return 0; 2208 case ISAKMP_CERT_PGP: 2209 case ISAKMP_CERT_X509SIGN: 2210 case ISAKMP_CERT_KERBEROS: 2211 case ISAKMP_CERT_SPKI: 2212 /* Ignore cert if it doesn't match identity 2213 * XXX If verify cert is disabled, we still just take 2214 * the first certificate.... 2215 */ 2216 if(iph1->rmconf->verify_cert && 2217 oakley_check_certid(iph1)){ 2218 plog(LLV_DEBUG, LOCATION, NULL, 2219 "Discarding CERT: does not match ID.\n"); 2220 oakley_delcert((*c)); 2221 *c = NULL; 2222 return 0; 2223 } 2224 2225 { 2226 char *p = eay_get_x509text(&(*c)->cert); 2227 plog(LLV_DEBUG, LOCATION, NULL, "CERT saved:\n"); 2228 plogdump(LLV_DEBUG, (*c)->cert.v, (*c)->cert.l); 2229 plog(LLV_DEBUG, LOCATION, NULL, "%s", p ? p : "\n"); 2230 racoon_free(p); 2231 } 2232 break; 2233 case ISAKMP_CERT_CRL: 2234 plog(LLV_DEBUG, LOCATION, NULL, "CRL saved:\n"); 2235 plogdump(LLV_DEBUG, (*c)->cert.v, (*c)->cert.l); 2236 break; 2237 case ISAKMP_CERT_X509KE: 2238 case ISAKMP_CERT_X509ATTR: 2239 case ISAKMP_CERT_ARL: 2240 default: 2241 /* XXX */ 2242 oakley_delcert((*c)); 2243 *c = NULL; 2244 return 0; 2245 } 2246 } 2247 2248 return 0; 2249 } 2250 2251 /* 2252 * save certificate including certificate type. 2253 */ 2254 int 2255 oakley_savecr(iph1, gen) 2256 struct ph1handle *iph1; 2257 struct isakmp_gen *gen; 2258 { 2259 cert_t **c; 2260 u_int8_t type; 2261 2262 type = *(u_int8_t *)(gen + 1) & 0xff; 2263 2264 switch (type) { 2265 case ISAKMP_CERT_DNS: 2266 plog(LLV_WARNING, LOCATION, NULL, 2267 "CERT payload is unnecessary in DNSSEC\n"); 2268 /*FALLTHRU*/ 2269 case ISAKMP_CERT_PKCS7: 2270 case ISAKMP_CERT_PGP: 2271 case ISAKMP_CERT_X509SIGN: 2272 case ISAKMP_CERT_KERBEROS: 2273 case ISAKMP_CERT_SPKI: 2274 c = &iph1->cr_p; 2275 break; 2276 case ISAKMP_CERT_X509KE: 2277 case ISAKMP_CERT_X509ATTR: 2278 case ISAKMP_CERT_ARL: 2279 plog(LLV_ERROR, LOCATION, NULL, 2280 "No supported such CR type %d\n", type); 2281 return -1; 2282 case ISAKMP_CERT_CRL: 2283 default: 2284 plog(LLV_ERROR, LOCATION, NULL, 2285 "Invalid CR type %d\n", type); 2286 return -1; 2287 } 2288 2289 *c = save_certbuf(gen); 2290 if (!*c) { 2291 plog(LLV_ERROR, LOCATION, NULL, 2292 "Failed to get CR buffer.\n"); 2293 return -1; 2294 } 2295 2296 plog(LLV_DEBUG, LOCATION, NULL, "CR saved:\n"); 2297 plogdump(LLV_DEBUG, (*c)->cert.v, (*c)->cert.l); 2298 2299 return 0; 2300 } 2301 2302 static cert_t * 2303 save_certbuf(gen) 2304 struct isakmp_gen *gen; 2305 { 2306 cert_t *new; 2307 2308 if(ntohs(gen->len) <= sizeof(*gen)){ 2309 plog(LLV_ERROR, LOCATION, NULL, 2310 "Len is too small !!.\n"); 2311 return NULL; 2312 } 2313 2314 new = oakley_newcert(); 2315 if (!new) { 2316 plog(LLV_ERROR, LOCATION, NULL, 2317 "Failed to get CERT buffer.\n"); 2318 return NULL; 2319 } 2320 2321 new->pl = vmalloc(ntohs(gen->len) - sizeof(*gen)); 2322 if (new->pl == NULL) { 2323 plog(LLV_ERROR, LOCATION, NULL, 2324 "Failed to copy CERT from packet.\n"); 2325 oakley_delcert(new); 2326 new = NULL; 2327 return NULL; 2328 } 2329 memcpy(new->pl->v, gen + 1, new->pl->l); 2330 new->type = new->pl->v[0] & 0xff; 2331 new->cert.v = new->pl->v + 1; 2332 new->cert.l = new->pl->l - 1; 2333 2334 return new; 2335 } 2336 2337 static cert_t * 2338 save_certx509(cert) 2339 X509 *cert; 2340 { 2341 cert_t *new; 2342 int len; 2343 u_char *bp; 2344 2345 new = oakley_newcert(); 2346 if (!new) { 2347 plog(LLV_ERROR, LOCATION, NULL, 2348 "Failed to get CERT buffer.\n"); 2349 return NULL; 2350 } 2351 2352 len = i2d_X509(cert, NULL); 2353 new->pl = vmalloc(len); 2354 if (new->pl == NULL) { 2355 plog(LLV_ERROR, LOCATION, NULL, 2356 "Failed to copy CERT from packet.\n"); 2357 oakley_delcert(new); 2358 new = NULL; 2359 return NULL; 2360 } 2361 bp = (u_char *) new->pl->v; 2362 len = i2d_X509(cert, &bp); 2363 new->type = ISAKMP_CERT_X509SIGN; 2364 new->cert.v = new->pl->v; 2365 new->cert.l = new->pl->l; 2366 2367 return new; 2368 } 2369 2370 /* 2371 * get my CR. 2372 * NOTE: No Certificate Authority field is included to CR payload at the 2373 * moment. Becuase any certificate authority are accepted without any check. 2374 * The section 3.10 in RFC2408 says that this field SHOULD not be included, 2375 * if there is no specific certificate authority requested. 2376 */ 2377 vchar_t * 2378 oakley_getcr(iph1) 2379 struct ph1handle *iph1; 2380 { 2381 vchar_t *buf; 2382 2383 buf = vmalloc(1); 2384 if (buf == NULL) { 2385 plog(LLV_ERROR, LOCATION, NULL, 2386 "failed to get cr buffer\n"); 2387 return NULL; 2388 } 2389 if(iph1->rmconf->certtype == ISAKMP_CERT_NONE) { 2390 buf->v[0] = iph1->rmconf->cacerttype; 2391 plog(LLV_DEBUG, LOCATION, NULL, "create my CR: NONE, using %s instead\n", 2392 s_isakmp_certtype(iph1->rmconf->cacerttype)); 2393 } else { 2394 buf->v[0] = iph1->rmconf->certtype; 2395 plog(LLV_DEBUG, LOCATION, NULL, "create my CR: %s\n", 2396 s_isakmp_certtype(iph1->rmconf->certtype)); 2397 } 2398 if (buf->l > 1) 2399 plogdump(LLV_DEBUG, buf->v, buf->l); 2400 2401 return buf; 2402 } 2403 2404 /* 2405 * check peer's CR. 2406 */ 2407 int 2408 oakley_checkcr(iph1) 2409 struct ph1handle *iph1; 2410 { 2411 if (iph1->cr_p == NULL) 2412 return 0; 2413 2414 plog(LLV_DEBUG, LOCATION, iph1->remote, 2415 "peer transmitted CR: %s\n", 2416 s_isakmp_certtype(iph1->cr_p->type)); 2417 2418 if (iph1->cr_p->type != iph1->rmconf->certtype) { 2419 plog(LLV_ERROR, LOCATION, iph1->remote, 2420 "such a cert type isn't supported: %d\n", 2421 (char)iph1->cr_p->type); 2422 return -1; 2423 } 2424 2425 return 0; 2426 } 2427 2428 /* 2429 * check to need CR payload. 2430 */ 2431 int 2432 oakley_needcr(type) 2433 int type; 2434 { 2435 switch (type) { 2436 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: 2437 case OAKLEY_ATTR_AUTH_METHOD_RSASIG: 2438 #ifdef ENABLE_HYBRID 2439 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: 2440 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: 2441 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: 2442 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: 2443 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: 2444 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R: 2445 #endif 2446 return 1; 2447 default: 2448 return 0; 2449 } 2450 /*NOTREACHED*/ 2451 } 2452 2453 /* 2454 * compute SKEYID 2455 * see seciton 5. Exchanges in RFC 2409 2456 * psk: SKEYID = prf(pre-shared-key, Ni_b | Nr_b) 2457 * sig: SKEYID = prf(Ni_b | Nr_b, g^ir) 2458 * enc: SKEYID = prf(H(Ni_b | Nr_b), CKY-I | CKY-R) 2459 */ 2460 int 2461 oakley_skeyid(iph1) 2462 struct ph1handle *iph1; 2463 { 2464 vchar_t *buf = NULL, *bp; 2465 char *p; 2466 int len; 2467 int error = -1; 2468 2469 /* SKEYID */ 2470 switch (AUTHMETHOD(iph1)) { 2471 case OAKLEY_ATTR_AUTH_METHOD_PSKEY: 2472 #ifdef ENABLE_HYBRID 2473 case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I: 2474 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R: 2475 #endif 2476 if (iph1->etype != ISAKMP_ETYPE_IDENT) { 2477 iph1->authstr = getpskbyname(iph1->id_p); 2478 if (iph1->authstr == NULL) { 2479 if (iph1->rmconf->verify_identifier) { 2480 plog(LLV_ERROR, LOCATION, iph1->remote, 2481 "couldn't find the pskey.\n"); 2482 goto end; 2483 } 2484 plog(LLV_NOTIFY, LOCATION, iph1->remote, 2485 "couldn't find the proper pskey, " 2486 "try to get one by the peer's address.\n"); 2487 } 2488 } 2489 if (iph1->authstr == NULL) { 2490 /* 2491 * If the exchange type is the main mode or if it's 2492 * failed to get the psk by ID, racoon try to get 2493 * the psk by remote IP address. 2494 * It may be nonsense. 2495 */ 2496 iph1->authstr = getpskbyaddr(iph1->remote); 2497 if (iph1->authstr == NULL) { 2498 plog(LLV_ERROR, LOCATION, iph1->remote, 2499 "couldn't find the pskey for %s.\n", 2500 saddrwop2str(iph1->remote)); 2501 goto end; 2502 } 2503 } 2504 plog(LLV_DEBUG, LOCATION, NULL, "the psk found.\n"); 2505 /* should be secret PSK */ 2506 plog(LLV_DEBUG2, LOCATION, NULL, "psk: "); 2507 plogdump(LLV_DEBUG2, iph1->authstr->v, iph1->authstr->l); 2508 2509 len = iph1->nonce->l + iph1->nonce_p->l; 2510 buf = vmalloc(len); 2511 if (buf == NULL) { 2512 plog(LLV_ERROR, LOCATION, NULL, 2513 "failed to get skeyid buffer\n"); 2514 goto end; 2515 } 2516 p = buf->v; 2517 2518 bp = (iph1->side == INITIATOR ? iph1->nonce : iph1->nonce_p); 2519 plog(LLV_DEBUG, LOCATION, NULL, "nonce 1: "); 2520 plogdump(LLV_DEBUG, bp->v, bp->l); 2521 memcpy(p, bp->v, bp->l); 2522 p += bp->l; 2523 2524 bp = (iph1->side == INITIATOR ? iph1->nonce_p : iph1->nonce); 2525 plog(LLV_DEBUG, LOCATION, NULL, "nonce 2: "); 2526 plogdump(LLV_DEBUG, bp->v, bp->l); 2527 memcpy(p, bp->v, bp->l); 2528 p += bp->l; 2529 2530 iph1->skeyid = oakley_prf(iph1->authstr, buf, iph1); 2531 if (iph1->skeyid == NULL) 2532 goto end; 2533 break; 2534 2535 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: 2536 case OAKLEY_ATTR_AUTH_METHOD_RSASIG: 2537 #ifdef ENABLE_HYBRID 2538 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: 2539 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: 2540 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R: 2541 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R: 2542 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: 2543 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: 2544 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: 2545 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R: 2546 #endif 2547 #ifdef HAVE_GSSAPI 2548 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB: 2549 #endif 2550 len = iph1->nonce->l + iph1->nonce_p->l; 2551 buf = vmalloc(len); 2552 if (buf == NULL) { 2553 plog(LLV_ERROR, LOCATION, NULL, 2554 "failed to get nonce buffer\n"); 2555 goto end; 2556 } 2557 p = buf->v; 2558 2559 bp = (iph1->side == INITIATOR ? iph1->nonce : iph1->nonce_p); 2560 plog(LLV_DEBUG, LOCATION, NULL, "nonce1: "); 2561 plogdump(LLV_DEBUG, bp->v, bp->l); 2562 memcpy(p, bp->v, bp->l); 2563 p += bp->l; 2564 2565 bp = (iph1->side == INITIATOR ? iph1->nonce_p : iph1->nonce); 2566 plog(LLV_DEBUG, LOCATION, NULL, "nonce2: "); 2567 plogdump(LLV_DEBUG, bp->v, bp->l); 2568 memcpy(p, bp->v, bp->l); 2569 p += bp->l; 2570 2571 iph1->skeyid = oakley_prf(buf, iph1->dhgxy, iph1); 2572 if (iph1->skeyid == NULL) 2573 goto end; 2574 break; 2575 case OAKLEY_ATTR_AUTH_METHOD_RSAENC: 2576 case OAKLEY_ATTR_AUTH_METHOD_RSAREV: 2577 #ifdef ENABLE_HYBRID 2578 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I: 2579 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R: 2580 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I: 2581 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: 2582 #endif 2583 plog(LLV_WARNING, LOCATION, NULL, 2584 "not supported authentication method %s\n", 2585 s_oakley_attr_method(iph1->approval->authmethod)); 2586 goto end; 2587 default: 2588 plog(LLV_ERROR, LOCATION, NULL, 2589 "invalid authentication method %d\n", 2590 iph1->approval->authmethod); 2591 goto end; 2592 } 2593 2594 plog(LLV_DEBUG, LOCATION, NULL, "SKEYID computed:\n"); 2595 plogdump(LLV_DEBUG, iph1->skeyid->v, iph1->skeyid->l); 2596 2597 error = 0; 2598 2599 end: 2600 if (buf != NULL) 2601 vfree(buf); 2602 return error; 2603 } 2604 2605 /* 2606 * compute SKEYID_[dae] 2607 * see seciton 5. Exchanges in RFC 2409 2608 * SKEYID_d = prf(SKEYID, g^ir | CKY-I | CKY-R | 0) 2609 * SKEYID_a = prf(SKEYID, SKEYID_d | g^ir | CKY-I | CKY-R | 1) 2610 * SKEYID_e = prf(SKEYID, SKEYID_a | g^ir | CKY-I | CKY-R | 2) 2611 */ 2612 int 2613 oakley_skeyid_dae(iph1) 2614 struct ph1handle *iph1; 2615 { 2616 vchar_t *buf = NULL; 2617 char *p; 2618 int len; 2619 int error = -1; 2620 2621 if (iph1->skeyid == NULL) { 2622 plog(LLV_ERROR, LOCATION, NULL, "no SKEYID found.\n"); 2623 goto end; 2624 } 2625 2626 /* SKEYID D */ 2627 /* SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0) */ 2628 len = iph1->dhgxy->l + sizeof(cookie_t) * 2 + 1; 2629 buf = vmalloc(len); 2630 if (buf == NULL) { 2631 plog(LLV_ERROR, LOCATION, NULL, 2632 "failed to get skeyid buffer\n"); 2633 goto end; 2634 } 2635 p = buf->v; 2636 2637 memcpy(p, iph1->dhgxy->v, iph1->dhgxy->l); 2638 p += iph1->dhgxy->l; 2639 memcpy(p, (caddr_t)&iph1->index.i_ck, sizeof(cookie_t)); 2640 p += sizeof(cookie_t); 2641 memcpy(p, (caddr_t)&iph1->index.r_ck, sizeof(cookie_t)); 2642 p += sizeof(cookie_t); 2643 *p = 0; 2644 iph1->skeyid_d = oakley_prf(iph1->skeyid, buf, iph1); 2645 if (iph1->skeyid_d == NULL) 2646 goto end; 2647 2648 vfree(buf); 2649 buf = NULL; 2650 2651 plog(LLV_DEBUG, LOCATION, NULL, "SKEYID_d computed:\n"); 2652 plogdump(LLV_DEBUG, iph1->skeyid_d->v, iph1->skeyid_d->l); 2653 2654 /* SKEYID A */ 2655 /* SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1) */ 2656 len = iph1->skeyid_d->l + iph1->dhgxy->l + sizeof(cookie_t) * 2 + 1; 2657 buf = vmalloc(len); 2658 if (buf == NULL) { 2659 plog(LLV_ERROR, LOCATION, NULL, 2660 "failed to get skeyid buffer\n"); 2661 goto end; 2662 } 2663 p = buf->v; 2664 memcpy(p, iph1->skeyid_d->v, iph1->skeyid_d->l); 2665 p += iph1->skeyid_d->l; 2666 memcpy(p, iph1->dhgxy->v, iph1->dhgxy->l); 2667 p += iph1->dhgxy->l; 2668 memcpy(p, (caddr_t)&iph1->index.i_ck, sizeof(cookie_t)); 2669 p += sizeof(cookie_t); 2670 memcpy(p, (caddr_t)&iph1->index.r_ck, sizeof(cookie_t)); 2671 p += sizeof(cookie_t); 2672 *p = 1; 2673 iph1->skeyid_a = oakley_prf(iph1->skeyid, buf, iph1); 2674 if (iph1->skeyid_a == NULL) 2675 goto end; 2676 2677 vfree(buf); 2678 buf = NULL; 2679 2680 plog(LLV_DEBUG, LOCATION, NULL, "SKEYID_a computed:\n"); 2681 plogdump(LLV_DEBUG, iph1->skeyid_a->v, iph1->skeyid_a->l); 2682 2683 /* SKEYID E */ 2684 /* SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2) */ 2685 len = iph1->skeyid_a->l + iph1->dhgxy->l + sizeof(cookie_t) * 2 + 1; 2686 buf = vmalloc(len); 2687 if (buf == NULL) { 2688 plog(LLV_ERROR, LOCATION, NULL, 2689 "failed to get skeyid buffer\n"); 2690 goto end; 2691 } 2692 p = buf->v; 2693 memcpy(p, iph1->skeyid_a->v, iph1->skeyid_a->l); 2694 p += iph1->skeyid_a->l; 2695 memcpy(p, iph1->dhgxy->v, iph1->dhgxy->l); 2696 p += iph1->dhgxy->l; 2697 memcpy(p, (caddr_t)&iph1->index.i_ck, sizeof(cookie_t)); 2698 p += sizeof(cookie_t); 2699 memcpy(p, (caddr_t)&iph1->index.r_ck, sizeof(cookie_t)); 2700 p += sizeof(cookie_t); 2701 *p = 2; 2702 iph1->skeyid_e = oakley_prf(iph1->skeyid, buf, iph1); 2703 if (iph1->skeyid_e == NULL) 2704 goto end; 2705 2706 vfree(buf); 2707 buf = NULL; 2708 2709 plog(LLV_DEBUG, LOCATION, NULL, "SKEYID_e computed:\n"); 2710 plogdump(LLV_DEBUG, iph1->skeyid_e->v, iph1->skeyid_e->l); 2711 2712 error = 0; 2713 2714 end: 2715 if (buf != NULL) 2716 vfree(buf); 2717 return error; 2718 } 2719 2720 /* 2721 * compute final encryption key. 2722 * see Appendix B. 2723 */ 2724 int 2725 oakley_compute_enckey(iph1) 2726 struct ph1handle *iph1; 2727 { 2728 u_int keylen, prflen; 2729 int error = -1; 2730 2731 /* RFC2409 p39 */ 2732 keylen = alg_oakley_encdef_keylen(iph1->approval->enctype, 2733 iph1->approval->encklen); 2734 if (keylen == -1) { 2735 plog(LLV_ERROR, LOCATION, NULL, 2736 "invalid encryption algoritym %d, " 2737 "or invalid key length %d.\n", 2738 iph1->approval->enctype, 2739 iph1->approval->encklen); 2740 goto end; 2741 } 2742 iph1->key = vmalloc(keylen >> 3); 2743 if (iph1->key == NULL) { 2744 plog(LLV_ERROR, LOCATION, NULL, 2745 "failed to get key buffer\n"); 2746 goto end; 2747 } 2748 2749 /* set prf length */ 2750 prflen = alg_oakley_hashdef_hashlen(iph1->approval->hashtype); 2751 if (prflen == -1) { 2752 plog(LLV_ERROR, LOCATION, NULL, 2753 "invalid hash type %d.\n", iph1->approval->hashtype); 2754 goto end; 2755 } 2756 2757 /* see isakmp-oakley-08 5.3. */ 2758 if (iph1->key->l <= iph1->skeyid_e->l) { 2759 /* 2760 * if length(Ka) <= length(SKEYID_e) 2761 * Ka = first length(K) bit of SKEYID_e 2762 */ 2763 memcpy(iph1->key->v, iph1->skeyid_e->v, iph1->key->l); 2764 } else { 2765 vchar_t *buf = NULL, *res = NULL; 2766 u_char *p, *ep; 2767 int cplen; 2768 int subkey; 2769 2770 /* 2771 * otherwise, 2772 * Ka = K1 | K2 | K3 2773 * where 2774 * K1 = prf(SKEYID_e, 0) 2775 * K2 = prf(SKEYID_e, K1) 2776 * K3 = prf(SKEYID_e, K2) 2777 */ 2778 plog(LLV_DEBUG, LOCATION, NULL, 2779 "len(SKEYID_e) < len(Ka) (%zu < %zu), " 2780 "generating long key (Ka = K1 | K2 | ...)\n", 2781 iph1->skeyid_e->l, iph1->key->l); 2782 2783 if ((buf = vmalloc(prflen >> 3)) == 0) { 2784 plog(LLV_ERROR, LOCATION, NULL, 2785 "failed to get key buffer\n"); 2786 goto end; 2787 } 2788 p = (u_char *)iph1->key->v; 2789 ep = p + iph1->key->l; 2790 2791 subkey = 1; 2792 while (p < ep) { 2793 if (p == (u_char *)iph1->key->v) { 2794 /* just for computing K1 */ 2795 buf->v[0] = 0; 2796 buf->l = 1; 2797 } 2798 res = oakley_prf(iph1->skeyid_e, buf, iph1); 2799 if (res == NULL) { 2800 vfree(buf); 2801 goto end; 2802 } 2803 plog(LLV_DEBUG, LOCATION, NULL, 2804 "compute intermediate encryption key K%d\n", 2805 subkey); 2806 plogdump(LLV_DEBUG, buf->v, buf->l); 2807 plogdump(LLV_DEBUG, res->v, res->l); 2808 2809 cplen = (res->l < ep - p) ? res->l : ep - p; 2810 memcpy(p, res->v, cplen); 2811 p += cplen; 2812 2813 buf->l = prflen >> 3; /* to cancel K1 speciality */ 2814 if (res->l != buf->l) { 2815 plog(LLV_ERROR, LOCATION, NULL, 2816 "internal error: res->l=%zu buf->l=%zu\n", 2817 res->l, buf->l); 2818 vfree(res); 2819 vfree(buf); 2820 goto end; 2821 } 2822 memcpy(buf->v, res->v, res->l); 2823 vfree(res); 2824 subkey++; 2825 } 2826 2827 vfree(buf); 2828 } 2829 2830 /* 2831 * don't check any weak key or not. 2832 * draft-ietf-ipsec-ike-01.txt Appendix B. 2833 * draft-ietf-ipsec-ciph-aes-cbc-00.txt Section 2.3. 2834 */ 2835 #if 0 2836 /* weakkey check */ 2837 if (iph1->approval->enctype > ARRAYLEN(oakley_encdef) 2838 || oakley_encdef[iph1->approval->enctype].weakkey == NULL) { 2839 plog(LLV_ERROR, LOCATION, NULL, 2840 "encryption algoritym %d isn't supported.\n", 2841 iph1->approval->enctype); 2842 goto end; 2843 } 2844 if ((oakley_encdef[iph1->approval->enctype].weakkey)(iph1->key)) { 2845 plog(LLV_ERROR, LOCATION, NULL, 2846 "weakkey was generated.\n"); 2847 goto end; 2848 } 2849 #endif 2850 2851 plog(LLV_DEBUG, LOCATION, NULL, "final encryption key computed:\n"); 2852 plogdump(LLV_DEBUG, iph1->key->v, iph1->key->l); 2853 2854 error = 0; 2855 2856 end: 2857 return error; 2858 } 2859 2860 /* allocated new buffer for CERT */ 2861 cert_t * 2862 oakley_newcert() 2863 { 2864 cert_t *new; 2865 2866 new = racoon_calloc(1, sizeof(*new)); 2867 if (new == NULL) { 2868 plog(LLV_ERROR, LOCATION, NULL, 2869 "failed to get cert's buffer\n"); 2870 return NULL; 2871 } 2872 2873 new->pl = NULL; 2874 2875 return new; 2876 } 2877 2878 /* delete buffer for CERT */ 2879 void 2880 oakley_delcert(cert) 2881 cert_t *cert; 2882 { 2883 if (!cert) 2884 return; 2885 if (cert->pl) 2886 VPTRINIT(cert->pl); 2887 racoon_free(cert); 2888 } 2889 2890 /* 2891 * compute IV and set to ph1handle 2892 * IV = hash(g^xi | g^xr) 2893 * see 4.1 Phase 1 state in draft-ietf-ipsec-ike. 2894 */ 2895 int 2896 oakley_newiv(iph1) 2897 struct ph1handle *iph1; 2898 { 2899 struct isakmp_ivm *newivm = NULL; 2900 vchar_t *buf = NULL, *bp; 2901 char *p; 2902 int len; 2903 2904 /* create buffer */ 2905 len = iph1->dhpub->l + iph1->dhpub_p->l; 2906 buf = vmalloc(len); 2907 if (buf == NULL) { 2908 plog(LLV_ERROR, LOCATION, NULL, 2909 "failed to get iv buffer\n"); 2910 return -1; 2911 } 2912 2913 p = buf->v; 2914 2915 bp = (iph1->side == INITIATOR ? iph1->dhpub : iph1->dhpub_p); 2916 memcpy(p, bp->v, bp->l); 2917 p += bp->l; 2918 2919 bp = (iph1->side == INITIATOR ? iph1->dhpub_p : iph1->dhpub); 2920 memcpy(p, bp->v, bp->l); 2921 p += bp->l; 2922 2923 /* allocate IVm */ 2924 newivm = racoon_calloc(1, sizeof(struct isakmp_ivm)); 2925 if (newivm == NULL) { 2926 plog(LLV_ERROR, LOCATION, NULL, 2927 "failed to get iv buffer\n"); 2928 vfree(buf); 2929 return -1; 2930 } 2931 2932 /* compute IV */ 2933 newivm->iv = oakley_hash(buf, iph1); 2934 if (newivm->iv == NULL) { 2935 vfree(buf); 2936 oakley_delivm(newivm); 2937 return -1; 2938 } 2939 2940 /* adjust length of iv */ 2941 newivm->iv->l = alg_oakley_encdef_blocklen(iph1->approval->enctype); 2942 if (newivm->iv->l == -1) { 2943 plog(LLV_ERROR, LOCATION, NULL, 2944 "invalid encryption algoriym %d.\n", 2945 iph1->approval->enctype); 2946 vfree(buf); 2947 oakley_delivm(newivm); 2948 return -1; 2949 } 2950 2951 /* create buffer to save iv */ 2952 if ((newivm->ive = vdup(newivm->iv)) == NULL) { 2953 plog(LLV_ERROR, LOCATION, NULL, 2954 "vdup (%s)\n", strerror(errno)); 2955 vfree(buf); 2956 oakley_delivm(newivm); 2957 return -1; 2958 } 2959 2960 vfree(buf); 2961 2962 plog(LLV_DEBUG, LOCATION, NULL, "IV computed:\n"); 2963 plogdump(LLV_DEBUG, newivm->iv->v, newivm->iv->l); 2964 2965 iph1->ivm = newivm; 2966 2967 return 0; 2968 } 2969 2970 /* 2971 * compute IV for the payload after phase 1. 2972 * It's not limited for phase 2. 2973 * if pahse 1 was encrypted. 2974 * IV = hash(last CBC block of Phase 1 | M-ID) 2975 * if phase 1 was not encrypted. 2976 * IV = hash(phase 1 IV | M-ID) 2977 * see 4.2 Phase 2 state in draft-ietf-ipsec-ike. 2978 */ 2979 struct isakmp_ivm * 2980 oakley_newiv2(iph1, msgid) 2981 struct ph1handle *iph1; 2982 u_int32_t msgid; 2983 { 2984 struct isakmp_ivm *newivm = NULL; 2985 vchar_t *buf = NULL; 2986 char *p; 2987 int len; 2988 int error = -1; 2989 2990 /* create buffer */ 2991 len = iph1->ivm->iv->l + sizeof(msgid_t); 2992 buf = vmalloc(len); 2993 if (buf == NULL) { 2994 plog(LLV_ERROR, LOCATION, NULL, 2995 "failed to get iv buffer\n"); 2996 goto end; 2997 } 2998 2999 p = buf->v; 3000 3001 memcpy(p, iph1->ivm->iv->v, iph1->ivm->iv->l); 3002 p += iph1->ivm->iv->l; 3003 3004 memcpy(p, &msgid, sizeof(msgid)); 3005 3006 plog(LLV_DEBUG, LOCATION, NULL, "compute IV for phase2\n"); 3007 plog(LLV_DEBUG, LOCATION, NULL, "phase1 last IV:\n"); 3008 plogdump(LLV_DEBUG, buf->v, buf->l); 3009 3010 /* allocate IVm */ 3011 newivm = racoon_calloc(1, sizeof(struct isakmp_ivm)); 3012 if (newivm == NULL) { 3013 plog(LLV_ERROR, LOCATION, NULL, 3014 "failed to get iv buffer\n"); 3015 goto end; 3016 } 3017 3018 /* compute IV */ 3019 if ((newivm->iv = oakley_hash(buf, iph1)) == NULL) 3020 goto end; 3021 3022 /* adjust length of iv */ 3023 newivm->iv->l = alg_oakley_encdef_blocklen(iph1->approval->enctype); 3024 if (newivm->iv->l == -1) { 3025 plog(LLV_ERROR, LOCATION, NULL, 3026 "invalid encryption algoriym %d.\n", 3027 iph1->approval->enctype); 3028 goto end; 3029 } 3030 3031 /* create buffer to save new iv */ 3032 if ((newivm->ive = vdup(newivm->iv)) == NULL) { 3033 plog(LLV_ERROR, LOCATION, NULL, "vdup (%s)\n", strerror(errno)); 3034 goto end; 3035 } 3036 3037 error = 0; 3038 3039 plog(LLV_DEBUG, LOCATION, NULL, "phase2 IV computed:\n"); 3040 plogdump(LLV_DEBUG, newivm->iv->v, newivm->iv->l); 3041 3042 end: 3043 if (error && newivm != NULL){ 3044 oakley_delivm(newivm); 3045 newivm=NULL; 3046 } 3047 if (buf != NULL) 3048 vfree(buf); 3049 return newivm; 3050 } 3051 3052 void 3053 oakley_delivm(ivm) 3054 struct isakmp_ivm *ivm; 3055 { 3056 if (ivm == NULL) 3057 return; 3058 3059 if (ivm->iv != NULL) 3060 vfree(ivm->iv); 3061 if (ivm->ive != NULL) 3062 vfree(ivm->ive); 3063 racoon_free(ivm); 3064 plog(LLV_DEBUG, LOCATION, NULL, "IV freed\n"); 3065 3066 return; 3067 } 3068 3069 /* 3070 * decrypt packet. 3071 * save new iv and old iv. 3072 */ 3073 vchar_t * 3074 oakley_do_decrypt(iph1, msg, ivdp, ivep) 3075 struct ph1handle *iph1; 3076 vchar_t *msg, *ivdp, *ivep; 3077 { 3078 vchar_t *buf = NULL, *new = NULL; 3079 char *pl; 3080 int len; 3081 u_int8_t padlen; 3082 int blen; 3083 int error = -1; 3084 3085 plog(LLV_DEBUG, LOCATION, NULL, "begin decryption.\n"); 3086 3087 blen = alg_oakley_encdef_blocklen(iph1->approval->enctype); 3088 if (blen == -1) { 3089 plog(LLV_ERROR, LOCATION, NULL, 3090 "invalid encryption algoriym %d.\n", 3091 iph1->approval->enctype); 3092 goto end; 3093 } 3094 3095 /* save IV for next, but not sync. */ 3096 memset(ivep->v, 0, ivep->l); 3097 memcpy(ivep->v, (caddr_t)&msg->v[msg->l - blen], blen); 3098 3099 plog(LLV_DEBUG, LOCATION, NULL, 3100 "IV was saved for next processing:\n"); 3101 plogdump(LLV_DEBUG, ivep->v, ivep->l); 3102 3103 pl = msg->v + sizeof(struct isakmp); 3104 3105 len = msg->l - sizeof(struct isakmp); 3106 3107 /* create buffer */ 3108 buf = vmalloc(len); 3109 if (buf == NULL) { 3110 plog(LLV_ERROR, LOCATION, NULL, 3111 "failed to get buffer to decrypt.\n"); 3112 goto end; 3113 } 3114 memcpy(buf->v, pl, len); 3115 3116 /* do decrypt */ 3117 new = alg_oakley_encdef_decrypt(iph1->approval->enctype, 3118 buf, iph1->key, ivdp); 3119 if (new == NULL) { 3120 plog(LLV_ERROR, LOCATION, NULL, 3121 "decryption %d failed.\n", iph1->approval->enctype); 3122 goto end; 3123 } 3124 plog(LLV_DEBUG, LOCATION, NULL, "with key:\n"); 3125 plogdump(LLV_DEBUG, iph1->key->v, iph1->key->l); 3126 3127 vfree(buf); 3128 buf = NULL; 3129 3130 plog(LLV_DEBUG, LOCATION, NULL, "decrypted payload by IV:\n"); 3131 plogdump(LLV_DEBUG, ivdp->v, ivdp->l); 3132 3133 plog(LLV_DEBUG, LOCATION, NULL, 3134 "decrypted payload, but not trimed.\n"); 3135 plogdump(LLV_DEBUG, new->v, new->l); 3136 3137 /* get padding length */ 3138 if (lcconf->pad_excltail) 3139 padlen = new->v[new->l - 1] + 1; 3140 else 3141 padlen = new->v[new->l - 1]; 3142 plog(LLV_DEBUG, LOCATION, NULL, "padding len=%u\n", padlen); 3143 3144 /* trim padding */ 3145 if (lcconf->pad_strict) { 3146 if (padlen > new->l) { 3147 plog(LLV_ERROR, LOCATION, NULL, 3148 "invalied padding len=%u, buflen=%zu.\n", 3149 padlen, new->l); 3150 plogdump(LLV_ERROR, new->v, new->l); 3151 goto end; 3152 } 3153 new->l -= padlen; 3154 plog(LLV_DEBUG, LOCATION, NULL, "trimmed padding\n"); 3155 } else { 3156 plog(LLV_DEBUG, LOCATION, NULL, "skip to trim padding.\n"); 3157 } 3158 3159 /* create new buffer */ 3160 len = sizeof(struct isakmp) + new->l; 3161 buf = vmalloc(len); 3162 if (buf == NULL) { 3163 plog(LLV_ERROR, LOCATION, NULL, 3164 "failed to get buffer to decrypt.\n"); 3165 goto end; 3166 } 3167 memcpy(buf->v, msg->v, sizeof(struct isakmp)); 3168 memcpy(buf->v + sizeof(struct isakmp), new->v, new->l); 3169 ((struct isakmp *)buf->v)->len = htonl(buf->l); 3170 3171 plog(LLV_DEBUG, LOCATION, NULL, "decrypted.\n"); 3172 plogdump(LLV_DEBUG, buf->v, buf->l); 3173 3174 #ifdef HAVE_PRINT_ISAKMP_C 3175 isakmp_printpacket(buf, iph1->remote, iph1->local, 1); 3176 #endif 3177 3178 error = 0; 3179 3180 end: 3181 if (error && buf != NULL) { 3182 vfree(buf); 3183 buf = NULL; 3184 } 3185 if (new != NULL) 3186 vfree(new); 3187 3188 return buf; 3189 } 3190 3191 /* 3192 * encrypt packet. 3193 */ 3194 vchar_t * 3195 oakley_do_encrypt(iph1, msg, ivep, ivp) 3196 struct ph1handle *iph1; 3197 vchar_t *msg, *ivep, *ivp; 3198 { 3199 vchar_t *buf = 0, *new = 0; 3200 char *pl; 3201 int len; 3202 u_int padlen; 3203 int blen; 3204 int error = -1; 3205 3206 plog(LLV_DEBUG, LOCATION, NULL, "begin encryption.\n"); 3207 3208 /* set cbc block length */ 3209 blen = alg_oakley_encdef_blocklen(iph1->approval->enctype); 3210 if (blen == -1) { 3211 plog(LLV_ERROR, LOCATION, NULL, 3212 "invalid encryption algoriym %d.\n", 3213 iph1->approval->enctype); 3214 goto end; 3215 } 3216 3217 pl = msg->v + sizeof(struct isakmp); 3218 len = msg->l - sizeof(struct isakmp); 3219 3220 /* add padding */ 3221 padlen = oakley_padlen(len, blen); 3222 plog(LLV_DEBUG, LOCATION, NULL, "pad length = %u\n", padlen); 3223 3224 /* create buffer */ 3225 buf = vmalloc(len + padlen); 3226 if (buf == NULL) { 3227 plog(LLV_ERROR, LOCATION, NULL, 3228 "failed to get buffer to encrypt.\n"); 3229 goto end; 3230 } 3231 if (padlen) { 3232 int i; 3233 char *p = &buf->v[len]; 3234 if (lcconf->pad_random) { 3235 for (i = 0; i < padlen; i++) 3236 *p++ = eay_random() & 0xff; 3237 } 3238 } 3239 memcpy(buf->v, pl, len); 3240 3241 /* make pad into tail */ 3242 if (lcconf->pad_excltail) 3243 buf->v[len + padlen - 1] = padlen - 1; 3244 else 3245 buf->v[len + padlen - 1] = padlen; 3246 3247 plogdump(LLV_DEBUG, buf->v, buf->l); 3248 3249 /* do encrypt */ 3250 new = alg_oakley_encdef_encrypt(iph1->approval->enctype, 3251 buf, iph1->key, ivep); 3252 if (new == NULL) { 3253 plog(LLV_ERROR, LOCATION, NULL, 3254 "encryption %d failed.\n", iph1->approval->enctype); 3255 goto end; 3256 } 3257 plog(LLV_DEBUG, LOCATION, NULL, "with key:\n"); 3258 plogdump(LLV_DEBUG, iph1->key->v, iph1->key->l); 3259 3260 vfree(buf); 3261 buf = NULL; 3262 3263 plog(LLV_DEBUG, LOCATION, NULL, "encrypted payload by IV:\n"); 3264 plogdump(LLV_DEBUG, ivep->v, ivep->l); 3265 3266 /* save IV for next */ 3267 memset(ivp->v, 0, ivp->l); 3268 memcpy(ivp->v, (caddr_t)&new->v[new->l - blen], blen); 3269 3270 plog(LLV_DEBUG, LOCATION, NULL, "save IV for next:\n"); 3271 plogdump(LLV_DEBUG, ivp->v, ivp->l); 3272 3273 /* create new buffer */ 3274 len = sizeof(struct isakmp) + new->l; 3275 buf = vmalloc(len); 3276 if (buf == NULL) { 3277 plog(LLV_ERROR, LOCATION, NULL, 3278 "failed to get buffer to encrypt.\n"); 3279 goto end; 3280 } 3281 memcpy(buf->v, msg->v, sizeof(struct isakmp)); 3282 memcpy(buf->v + sizeof(struct isakmp), new->v, new->l); 3283 ((struct isakmp *)buf->v)->len = htonl(buf->l); 3284 3285 error = 0; 3286 3287 plog(LLV_DEBUG, LOCATION, NULL, "encrypted.\n"); 3288 3289 end: 3290 if (error && buf != NULL) { 3291 vfree(buf); 3292 buf = NULL; 3293 } 3294 if (new != NULL) 3295 vfree(new); 3296 3297 return buf; 3298 } 3299 3300 /* culculate padding length */ 3301 static int 3302 oakley_padlen(len, base) 3303 int len, base; 3304 { 3305 int padlen; 3306 3307 padlen = base - len % base; 3308 3309 if (lcconf->pad_randomlen) 3310 padlen += ((eay_random() % (lcconf->pad_maxsize + 1) + 1) * 3311 base); 3312 3313 return padlen; 3314 } 3315 3316