1 /* $OpenBSD: ikev2_msg.c,v 1.35 2014/05/07 13:04:01 markus Exp $ */ 2 3 /* 4 * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 #include <sys/param.h> 20 #include <sys/queue.h> 21 #include <sys/socket.h> 22 #include <sys/wait.h> 23 #include <sys/uio.h> 24 25 #include <netinet/in.h> 26 #include <netinet/ip_ipsp.h> 27 #include <arpa/inet.h> 28 29 #include <stdlib.h> 30 #include <stdio.h> 31 #include <unistd.h> 32 #include <string.h> 33 #include <getopt.h> 34 #include <signal.h> 35 #include <errno.h> 36 #include <err.h> 37 #include <pwd.h> 38 #include <event.h> 39 40 #include <openssl/sha.h> 41 #include <openssl/evp.h> 42 43 #include "iked.h" 44 #include "ikev2.h" 45 #include "eap.h" 46 #include "dh.h" 47 48 void ikev2_msg_response_timeout(struct iked *, void *); 49 void ikev2_msg_retransmit_timeout(struct iked *, void *); 50 51 void 52 ikev2_msg_cb(int fd, short event, void *arg) 53 { 54 struct iked_socket *sock = arg; 55 struct iked *env = sock->sock_env; 56 struct iked_message msg; 57 struct ike_header hdr; 58 u_int32_t natt = 0x00000000; 59 u_int8_t buf[IKED_MSGBUF_MAX]; 60 ssize_t len; 61 off_t off; 62 struct iovec iov[2]; 63 64 bzero(&msg, sizeof(msg)); 65 bzero(buf, sizeof(buf)); 66 67 msg.msg_peerlen = sizeof(msg.msg_peer); 68 msg.msg_locallen = sizeof(msg.msg_local); 69 msg.msg_parent = &msg; 70 memcpy(&msg.msg_local, &sock->sock_addr, sizeof(sock->sock_addr)); 71 72 if ((len = recvfromto(fd, buf, sizeof(buf), 0, 73 (struct sockaddr *)&msg.msg_peer, &msg.msg_peerlen, 74 (struct sockaddr *)&msg.msg_local, &msg.msg_locallen)) < 75 (ssize_t)sizeof(natt)) 76 return; 77 78 if (socket_getport((struct sockaddr *)&msg.msg_local) == 79 IKED_NATT_PORT) { 80 if (bcmp(&natt, buf, sizeof(natt)) != 0) 81 return; 82 msg.msg_natt = 1; 83 off = sizeof(natt); 84 } else 85 off = 0; 86 87 if ((size_t)(len - off) <= sizeof(hdr)) 88 return; 89 memcpy(&hdr, buf + off, sizeof(hdr)); 90 91 if ((msg.msg_data = ibuf_new(buf + off, len - off)) == NULL) 92 return; 93 94 if (hdr.ike_version == IKEV1_VERSION) { 95 iov[0].iov_base = &msg; 96 iov[0].iov_len = sizeof(msg); 97 iov[1].iov_base = buf; 98 iov[1].iov_len = len; 99 100 proc_composev_imsg(&env->sc_ps, PROC_IKEV1, -1, 101 IMSG_IKE_MESSAGE, -1, iov, 2); 102 goto done; 103 } 104 TAILQ_INIT(&msg.msg_proposals); 105 106 msg.msg_fd = fd; 107 ikev2_recv(env, &msg); 108 109 done: 110 ikev2_msg_cleanup(env, &msg); 111 } 112 113 struct ibuf * 114 ikev2_msg_init(struct iked *env, struct iked_message *msg, 115 struct sockaddr_storage *peer, socklen_t peerlen, 116 struct sockaddr_storage *local, socklen_t locallen, int response) 117 { 118 bzero(msg, sizeof(*msg)); 119 memcpy(&msg->msg_peer, peer, peerlen); 120 msg->msg_peerlen = peerlen; 121 memcpy(&msg->msg_local, local, locallen); 122 msg->msg_locallen = locallen; 123 msg->msg_response = response ? 1 : 0; 124 msg->msg_fd = -1; 125 msg->msg_data = ibuf_static(); 126 msg->msg_e = 0; 127 msg->msg_parent = msg; /* has to be set */ 128 TAILQ_INIT(&msg->msg_proposals); 129 130 return (msg->msg_data); 131 } 132 133 struct iked_message * 134 ikev2_msg_copy(struct iked *env, struct iked_message *msg) 135 { 136 struct iked_message *m = NULL; 137 struct ibuf *buf; 138 size_t len; 139 void *ptr; 140 141 if (ibuf_size(msg->msg_data) < msg->msg_offset) 142 return (NULL); 143 len = ibuf_size(msg->msg_data) - msg->msg_offset; 144 145 if ((ptr = ibuf_seek(msg->msg_data, msg->msg_offset, len)) == NULL || 146 (m = malloc(sizeof(*m))) == NULL || 147 (buf = ikev2_msg_init(env, m, &msg->msg_peer, msg->msg_peerlen, 148 &msg->msg_local, msg->msg_locallen, msg->msg_response)) == NULL || 149 ibuf_add(buf, ptr, len)) 150 return (NULL); 151 152 m->msg_fd = msg->msg_fd; 153 m->msg_msgid = msg->msg_msgid; 154 m->msg_offset = msg->msg_offset; 155 m->msg_sa = msg->msg_sa; 156 157 return (m); 158 } 159 160 void 161 ikev2_msg_cleanup(struct iked *env, struct iked_message *msg) 162 { 163 if (msg == msg->msg_parent) { 164 ibuf_release(msg->msg_nonce); 165 ibuf_release(msg->msg_ke); 166 ibuf_release(msg->msg_auth.id_buf); 167 ibuf_release(msg->msg_id.id_buf); 168 ibuf_release(msg->msg_cert.id_buf); 169 170 config_free_proposals(&msg->msg_proposals, 0); 171 } 172 173 if (msg->msg_data != NULL) { 174 ibuf_release(msg->msg_data); 175 msg->msg_data = NULL; 176 } 177 } 178 179 int 180 ikev2_msg_valid_ike_sa(struct iked *env, struct ike_header *oldhdr, 181 struct iked_message *msg) 182 { 183 #if 0 184 /* XXX Disabled, see comment below */ 185 struct iked_message resp; 186 struct ike_header *hdr; 187 struct ikev2_payload *pld; 188 struct ikev2_notify *n; 189 struct ibuf *buf; 190 struct iked_sa sa; 191 #endif 192 193 if (msg->msg_sa != NULL && msg->msg_policy != NULL) { 194 /* 195 * Only permit informational requests from initiator 196 * on closing SAs (for DELETE). 197 */ 198 if (msg->msg_sa->sa_state == IKEV2_STATE_CLOSING) { 199 if (((oldhdr->ike_flags & 200 (IKEV2_FLAG_INITIATOR|IKEV2_FLAG_RESPONSE)) == 201 IKEV2_FLAG_INITIATOR) && 202 (oldhdr->ike_exchange == 203 IKEV2_EXCHANGE_INFORMATIONAL)) 204 return (0); 205 return (-1); 206 } 207 return (0); 208 } 209 210 #if 0 211 /* 212 * XXX Sending INVALID_IKE_SPIs notifications is disabled 213 * XXX because it is not mandatory and ignored by most 214 * XXX implementations. We might want to enable it in 215 * XXX combination with a rate-limitation to avoid DoS situations. 216 */ 217 218 /* Fail without error message */ 219 if (msg->msg_response || msg->msg_policy == NULL) 220 return (-1); 221 222 /* Invalid IKE SA, return notification */ 223 if ((buf = ikev2_msg_init(env, &resp, 224 &msg->msg_peer, msg->msg_peerlen, 225 &msg->msg_local, msg->msg_locallen, 1)) == NULL) 226 goto done; 227 228 resp.msg_fd = msg->msg_fd; 229 230 bzero(&sa, sizeof(sa)); 231 if ((oldhdr->ike_flags & IKEV2_FLAG_INITIATOR) == 0) 232 sa.sa_hdr.sh_initiator = 1; 233 sa.sa_hdr.sh_ispi = betoh64(oldhdr->ike_ispi); 234 sa.sa_hdr.sh_rspi = betoh64(oldhdr->ike_rspi); 235 236 resp.msg_msgid = betoh32(oldhdr->ike_msgid); 237 238 /* IKE header */ 239 if ((hdr = ikev2_add_header(buf, &sa, resp.msg_msgid, 240 IKEV2_PAYLOAD_NOTIFY, IKEV2_EXCHANGE_INFORMATIONAL, 241 IKEV2_FLAG_RESPONSE)) == NULL) 242 goto done; 243 244 /* SA payload */ 245 if ((pld = ikev2_add_payload(buf)) == NULL) 246 goto done; 247 if ((n = ibuf_advance(buf, sizeof(*n))) == NULL) 248 goto done; 249 n->n_protoid = IKEV2_SAPROTO_IKE; 250 n->n_spisize = 0; 251 n->n_type = htobe16(IKEV2_N_INVALID_IKE_SPI); 252 253 if (ikev2_next_payload(pld, sizeof(*n), IKEV2_PAYLOAD_NONE) == -1) 254 goto done; 255 256 if (ikev2_set_header(hdr, ibuf_size(buf) - sizeof(*hdr)) == -1) 257 goto done; 258 259 (void)ikev2_pld_parse(env, hdr, &resp, 0); 260 (void)ikev2_msg_send(env, &resp); 261 262 done: 263 ikev2_msg_cleanup(env, &resp); 264 #endif 265 266 /* Always fail */ 267 return (-1); 268 } 269 270 int 271 ikev2_msg_send(struct iked *env, struct iked_message *msg) 272 { 273 struct iked_sa *sa = msg->msg_sa; 274 struct ibuf *buf = msg->msg_data; 275 u_int32_t natt = 0x00000000; 276 int isnatt = 0; 277 u_int8_t exchange, flags; 278 struct ike_header *hdr; 279 struct iked_message *m; 280 281 if (buf == NULL || (hdr = ibuf_seek(msg->msg_data, 282 msg->msg_offset, sizeof(*hdr))) == NULL) 283 return (-1); 284 285 isnatt = (msg->msg_natt || (msg->msg_sa && msg->msg_sa->sa_natt)); 286 287 exchange = hdr->ike_exchange; 288 flags = hdr->ike_flags; 289 log_info("%s: %s %s from %s to %s msgid %u, %ld bytes%s", __func__, 290 print_map(exchange, ikev2_exchange_map), 291 (flags & IKEV2_FLAG_RESPONSE) ? "response" : "request", 292 print_host((struct sockaddr *)&msg->msg_local, NULL, 0), 293 print_host((struct sockaddr *)&msg->msg_peer, NULL, 0), 294 betoh32(hdr->ike_msgid), 295 ibuf_length(buf), isnatt ? ", NAT-T" : ""); 296 297 if (isnatt) { 298 if (ibuf_prepend(buf, &natt, sizeof(natt)) == -1) { 299 log_debug("%s: failed to set NAT-T", __func__); 300 return (-1); 301 } 302 msg->msg_offset += sizeof(natt); 303 } 304 305 if ((sendto(msg->msg_fd, ibuf_data(buf), ibuf_size(buf), 0, 306 (struct sockaddr *)&msg->msg_peer, msg->msg_peerlen)) == -1) { 307 log_warn("%s: sendto", __func__); 308 return (-1); 309 } 310 311 if (!sa) 312 return (0); 313 314 if ((m = ikev2_msg_copy(env, msg)) == NULL) { 315 log_debug("%s: failed to copy a message", __func__); 316 return (-1); 317 } 318 m->msg_exchange = exchange; 319 320 if (flags & IKEV2_FLAG_RESPONSE) { 321 TAILQ_INSERT_TAIL(&sa->sa_responses, m, msg_entry); 322 timer_set(env, &m->msg_timer, ikev2_msg_response_timeout, m); 323 timer_add(env, &m->msg_timer, IKED_RESPONSE_TIMEOUT); 324 } else { 325 TAILQ_INSERT_TAIL(&sa->sa_requests, m, msg_entry); 326 timer_set(env, &m->msg_timer, ikev2_msg_retransmit_timeout, m); 327 timer_add(env, &m->msg_timer, IKED_RETRANSMIT_TIMEOUT); 328 } 329 330 return (0); 331 } 332 333 u_int32_t 334 ikev2_msg_id(struct iked *env, struct iked_sa *sa) 335 { 336 u_int32_t id = sa->sa_reqid; 337 338 if (++sa->sa_reqid == UINT32_MAX) { 339 /* XXX we should close and renegotiate the connection now */ 340 log_debug("%s: IKEv2 message sequence overflow", __func__); 341 } 342 return (id); 343 } 344 345 struct ibuf * 346 ikev2_msg_encrypt(struct iked *env, struct iked_sa *sa, struct ibuf *src) 347 { 348 size_t len, ivlen, encrlen, integrlen, blocklen, 349 outlen; 350 u_int8_t *buf, pad = 0, *ptr; 351 struct ibuf *encr, *dst = NULL, *out = NULL; 352 353 buf = ibuf_data(src); 354 len = ibuf_size(src); 355 356 log_debug("%s: decrypted length %zu", __func__, len); 357 print_hex(buf, 0, len); 358 359 if (sa == NULL || 360 sa->sa_encr == NULL || 361 sa->sa_integr == NULL) { 362 log_debug("%s: invalid SA", __func__); 363 goto done; 364 } 365 366 if (sa->sa_hdr.sh_initiator) 367 encr = sa->sa_key_iencr; 368 else 369 encr = sa->sa_key_rencr; 370 371 blocklen = cipher_length(sa->sa_encr); 372 ivlen = cipher_ivlength(sa->sa_encr); 373 integrlen = hash_length(sa->sa_integr); 374 encrlen = roundup(len + sizeof(pad), blocklen); 375 pad = encrlen - (len + sizeof(pad)); 376 377 /* 378 * Pad the payload and encrypt it 379 */ 380 if (pad) { 381 if ((ptr = ibuf_advance(src, pad)) == NULL) 382 goto done; 383 arc4random_buf(ptr, pad); 384 } 385 if (ibuf_add(src, &pad, sizeof(pad)) != 0) 386 goto done; 387 388 log_debug("%s: padded length %zu", __func__, ibuf_size(src)); 389 print_hex(ibuf_data(src), 0, ibuf_size(src)); 390 391 cipher_setkey(sa->sa_encr, encr->buf, ibuf_length(encr)); 392 cipher_setiv(sa->sa_encr, NULL, 0); /* XXX ivlen */ 393 cipher_init_encrypt(sa->sa_encr); 394 395 if ((dst = ibuf_dup(sa->sa_encr->encr_iv)) == NULL) 396 goto done; 397 398 if ((out = ibuf_new(NULL, 399 cipher_outlength(sa->sa_encr, encrlen))) == NULL) 400 goto done; 401 402 outlen = ibuf_size(out); 403 cipher_update(sa->sa_encr, 404 ibuf_data(src), encrlen, ibuf_data(out), &outlen); 405 406 if (outlen && ibuf_add(dst, ibuf_data(out), outlen) != 0) 407 goto done; 408 409 if ((ptr = ibuf_advance(dst, integrlen)) == NULL) 410 goto done; 411 bzero(ptr, integrlen); 412 413 log_debug("%s: length %zu, padding %d, output length %zu", 414 __func__, len + sizeof(pad), pad, ibuf_size(dst)); 415 print_hex(ibuf_data(dst), 0, ibuf_size(dst)); 416 417 ibuf_release(src); 418 ibuf_release(out); 419 return (dst); 420 done: 421 ibuf_release(src); 422 ibuf_release(out); 423 ibuf_release(dst); 424 return (NULL); 425 } 426 427 int 428 ikev2_msg_integr(struct iked *env, struct iked_sa *sa, struct ibuf *src) 429 { 430 int ret = -1; 431 size_t integrlen, tmplen; 432 struct ibuf *integr, *tmp = NULL; 433 u_int8_t *ptr; 434 435 log_debug("%s: message length %zu", __func__, ibuf_size(src)); 436 print_hex(ibuf_data(src), 0, ibuf_size(src)); 437 438 if (sa == NULL || 439 sa->sa_integr == NULL) { 440 log_debug("%s: invalid SA", __func__); 441 return (-1); 442 } 443 444 if (sa->sa_hdr.sh_initiator) 445 integr = sa->sa_key_iauth; 446 else 447 integr = sa->sa_key_rauth; 448 449 integrlen = hash_length(sa->sa_integr); 450 451 log_debug("%s: integrity checksum length %zu", __func__, 452 integrlen); 453 454 /* 455 * Validate packet checksum 456 */ 457 if ((tmp = ibuf_new(NULL, hash_keylength(sa->sa_integr))) == NULL) 458 goto done; 459 460 hash_setkey(sa->sa_integr, ibuf_data(integr), ibuf_size(integr)); 461 hash_init(sa->sa_integr); 462 hash_update(sa->sa_integr, ibuf_data(src), 463 ibuf_size(src) - integrlen); 464 hash_final(sa->sa_integr, ibuf_data(tmp), &tmplen); 465 466 if (tmplen != integrlen) { 467 log_debug("%s: hash failure", __func__); 468 goto done; 469 } 470 471 if ((ptr = ibuf_seek(src, 472 ibuf_size(src) - integrlen, integrlen)) == NULL) 473 goto done; 474 memcpy(ptr, ibuf_data(tmp), tmplen); 475 476 print_hex(ibuf_data(tmp), 0, ibuf_size(tmp)); 477 478 ret = 0; 479 done: 480 ibuf_release(tmp); 481 482 return (ret); 483 } 484 485 struct ibuf * 486 ikev2_msg_decrypt(struct iked *env, struct iked_sa *sa, 487 struct ibuf *msg, struct ibuf *src) 488 { 489 ssize_t ivlen, encrlen, integrlen, blocklen, 490 outlen, tmplen; 491 u_int8_t pad = 0, *ptr; 492 struct ibuf *integr, *encr, *tmp = NULL, *out = NULL; 493 off_t ivoff, encroff, integroff; 494 495 if (sa == NULL || 496 sa->sa_encr == NULL || 497 sa->sa_integr == NULL) { 498 log_debug("%s: invalid SA", __func__); 499 print_hex(ibuf_data(src), 0, ibuf_size(src)); 500 goto done; 501 } 502 503 if (!sa->sa_hdr.sh_initiator) { 504 encr = sa->sa_key_iencr; 505 integr = sa->sa_key_iauth; 506 } else { 507 encr = sa->sa_key_rencr; 508 integr = sa->sa_key_rauth; 509 } 510 511 blocklen = cipher_length(sa->sa_encr); 512 ivlen = cipher_ivlength(sa->sa_encr); 513 ivoff = 0; 514 integrlen = hash_length(sa->sa_integr); 515 integroff = ibuf_size(src) - integrlen; 516 encroff = ivlen; 517 encrlen = ibuf_size(src) - integrlen - ivlen; 518 519 if (encrlen < 0 || integroff < 0) { 520 log_debug("%s: invalid integrity value", __func__); 521 goto done; 522 } 523 524 log_debug("%s: IV length %zd", __func__, ivlen); 525 print_hex(ibuf_data(src), 0, ivlen); 526 log_debug("%s: encrypted payload length %zd", __func__, encrlen); 527 print_hex(ibuf_data(src), encroff, encrlen); 528 log_debug("%s: integrity checksum length %zd", __func__, integrlen); 529 print_hex(ibuf_data(src), integroff, integrlen); 530 531 /* 532 * Validate packet checksum 533 */ 534 if ((tmp = ibuf_new(NULL, ibuf_length(integr))) == NULL) 535 goto done; 536 537 hash_setkey(sa->sa_integr, integr->buf, ibuf_length(integr)); 538 hash_init(sa->sa_integr); 539 hash_update(sa->sa_integr, ibuf_data(msg), 540 ibuf_size(msg) - integrlen); 541 hash_final(sa->sa_integr, tmp->buf, &tmplen); 542 543 if (memcmp(tmp->buf, ibuf_data(src) + integroff, integrlen) != 0) { 544 log_debug("%s: integrity check failed", __func__); 545 goto done; 546 } 547 548 log_debug("%s: integrity check succeeded", __func__); 549 print_hex(tmp->buf, 0, tmplen); 550 551 ibuf_release(tmp); 552 tmp = NULL; 553 554 /* 555 * Decrypt the payload and strip any padding 556 */ 557 if ((encrlen % blocklen) != 0) { 558 log_debug("%s: unaligned encrypted payload", __func__); 559 goto done; 560 } 561 562 cipher_setkey(sa->sa_encr, encr->buf, ibuf_length(encr)); 563 cipher_setiv(sa->sa_encr, ibuf_data(src) + ivoff, ivlen); 564 cipher_init_decrypt(sa->sa_encr); 565 566 if ((out = ibuf_new(NULL, cipher_outlength(sa->sa_encr, 567 encrlen))) == NULL) 568 goto done; 569 570 if ((outlen = ibuf_length(out)) != 0) { 571 cipher_update(sa->sa_encr, ibuf_data(src) + encroff, encrlen, 572 ibuf_data(out), &outlen); 573 574 ptr = ibuf_seek(out, outlen - 1, 1); 575 pad = *ptr; 576 } 577 578 log_debug("%s: decrypted payload length %zd/%zd padding %d", 579 __func__, outlen, encrlen, pad); 580 print_hex(ibuf_data(out), 0, ibuf_size(out)); 581 582 if (ibuf_setsize(out, outlen) != 0) 583 goto done; 584 585 ibuf_release(src); 586 return (out); 587 done: 588 ibuf_release(tmp); 589 ibuf_release(out); 590 ibuf_release(src); 591 return (NULL); 592 } 593 594 int 595 ikev2_msg_send_encrypt(struct iked *env, struct iked_sa *sa, struct ibuf **ep, 596 u_int8_t exchange, u_int8_t firstpayload, int response) 597 { 598 struct iked_message resp; 599 struct ike_header *hdr; 600 struct ikev2_payload *pld; 601 struct ibuf *buf, *e = *ep; 602 int ret = -1; 603 604 if ((buf = ikev2_msg_init(env, &resp, &sa->sa_peer.addr, 605 sa->sa_peer.addr.ss_len, &sa->sa_local.addr, 606 sa->sa_local.addr.ss_len, response)) == NULL) 607 goto done; 608 609 resp.msg_msgid = response ? sa->sa_msgid : ikev2_msg_id(env, sa); 610 611 /* IKE header */ 612 if ((hdr = ikev2_add_header(buf, sa, resp.msg_msgid, IKEV2_PAYLOAD_SK, 613 exchange, response ? IKEV2_FLAG_RESPONSE : 0)) == NULL) 614 goto done; 615 616 if ((pld = ikev2_add_payload(buf)) == NULL) 617 goto done; 618 619 /* Encrypt message and add as an E payload */ 620 if ((e = ikev2_msg_encrypt(env, sa, e)) == NULL) { 621 log_debug("%s: encryption failed", __func__); 622 goto done; 623 } 624 if (ibuf_cat(buf, e) != 0) 625 goto done; 626 if (ikev2_next_payload(pld, ibuf_size(e), firstpayload) == -1) 627 goto done; 628 629 if (ikev2_set_header(hdr, ibuf_size(buf) - sizeof(*hdr)) == -1) 630 goto done; 631 632 /* Add integrity checksum (HMAC) */ 633 if (ikev2_msg_integr(env, sa, buf) != 0) { 634 log_debug("%s: integrity checksum failed", __func__); 635 goto done; 636 } 637 638 resp.msg_data = buf; 639 resp.msg_sa = sa; 640 resp.msg_fd = sa->sa_fd; 641 TAILQ_INIT(&resp.msg_proposals); 642 643 (void)ikev2_pld_parse(env, hdr, &resp, 0); 644 645 ret = ikev2_msg_send(env, &resp); 646 647 done: 648 /* e is cleaned up by the calling function */ 649 *ep = e; 650 ikev2_msg_cleanup(env, &resp); 651 652 return (ret); 653 } 654 655 struct ibuf * 656 ikev2_msg_auth(struct iked *env, struct iked_sa *sa, int response) 657 { 658 struct ibuf *authmsg = NULL, *nonce, *prfkey, *buf; 659 u_int8_t *ptr; 660 struct iked_id *id; 661 size_t tmplen; 662 663 /* 664 * Create the payload to be signed/MAC'ed for AUTH 665 */ 666 667 if (!response) { 668 if ((nonce = sa->sa_rnonce) == NULL || 669 (sa->sa_iid.id_type == 0) || 670 (prfkey = sa->sa_key_iprf) == NULL || 671 (buf = sa->sa_1stmsg) == NULL) 672 return (NULL); 673 id = &sa->sa_iid; 674 } else { 675 if ((nonce = sa->sa_inonce) == NULL || 676 (sa->sa_rid.id_type == 0) || 677 (prfkey = sa->sa_key_rprf) == NULL || 678 (buf = sa->sa_2ndmsg) == NULL) 679 return (NULL); 680 id = &sa->sa_rid; 681 } 682 683 if ((authmsg = ibuf_dup(buf)) == NULL) 684 return (NULL); 685 if (ibuf_cat(authmsg, nonce) != 0) 686 goto fail; 687 688 if ((hash_setkey(sa->sa_prf, ibuf_data(prfkey), 689 ibuf_size(prfkey))) == NULL) 690 goto fail; 691 692 if ((ptr = ibuf_advance(authmsg, 693 hash_length(sa->sa_prf))) == NULL) 694 goto fail; 695 696 hash_init(sa->sa_prf); 697 hash_update(sa->sa_prf, ibuf_data(id->id_buf), ibuf_size(id->id_buf)); 698 hash_final(sa->sa_prf, ptr, &tmplen); 699 700 if (tmplen != hash_length(sa->sa_prf)) 701 goto fail; 702 703 log_debug("%s: %s auth data length %zu", 704 __func__, response ? "responder" : "initiator", 705 ibuf_size(authmsg)); 706 print_hex(ibuf_data(authmsg), 0, ibuf_size(authmsg)); 707 708 return (authmsg); 709 710 fail: 711 ibuf_release(authmsg); 712 return (NULL); 713 } 714 715 int 716 ikev2_msg_authverify(struct iked *env, struct iked_sa *sa, 717 struct iked_auth *auth, u_int8_t *buf, size_t len, struct ibuf *authmsg) 718 { 719 u_int8_t *key, *psk = NULL; 720 ssize_t keylen; 721 struct iked_id *id; 722 struct iked_dsa *dsa = NULL; 723 int ret = -1; 724 u_int8_t keytype; 725 726 if (sa->sa_hdr.sh_initiator) 727 id = &sa->sa_rcert; 728 else 729 id = &sa->sa_icert; 730 731 if ((dsa = dsa_verify_new(auth->auth_method, sa->sa_prf)) == NULL) { 732 log_debug("%s: invalid auth method", __func__); 733 return (-1); 734 } 735 736 switch (auth->auth_method) { 737 case IKEV2_AUTH_SHARED_KEY_MIC: 738 if (!auth->auth_length) { 739 log_debug("%s: no pre-shared key found", __func__); 740 goto done; 741 } 742 if ((keylen = ikev2_psk(sa, auth->auth_data, 743 auth->auth_length, &psk)) == -1) { 744 log_debug("%s: failed to get PSK", __func__); 745 goto done; 746 } 747 key = psk; 748 keytype = 0; 749 break; 750 default: 751 if (!id->id_type || !ibuf_length(id->id_buf)) { 752 log_debug("%s: no cert found", __func__); 753 goto done; 754 } 755 key = ibuf_data(id->id_buf); 756 keylen = ibuf_size(id->id_buf); 757 keytype = id->id_type; 758 break; 759 } 760 761 log_debug("%s: method %s keylen %zd type %s", __func__, 762 print_map(auth->auth_method, ikev2_auth_map), keylen, 763 print_map(id->id_type, ikev2_cert_map)); 764 765 if (dsa_setkey(dsa, key, keylen, keytype) == NULL || 766 dsa_init(dsa) != 0 || 767 dsa_update(dsa, ibuf_data(authmsg), ibuf_size(authmsg))) { 768 log_debug("%s: failed to compute digital signature", __func__); 769 goto done; 770 } 771 772 if ((ret = dsa_verify_final(dsa, buf, len)) == 0) { 773 log_debug("%s: authentication successful", __func__); 774 sa_state(env, sa, IKEV2_STATE_AUTH_SUCCESS); 775 sa_stateflags(sa, IKED_REQ_AUTHVALID); 776 777 if (!sa->sa_policy->pol_auth.auth_eap && 778 auth->auth_method == IKEV2_AUTH_SHARED_KEY_MIC) 779 sa_state(env, sa, IKEV2_STATE_VALID); 780 } else { 781 log_debug("%s: authentication failed", __func__); 782 sa_state(env, sa, IKEV2_STATE_AUTH_REQUEST); 783 } 784 785 done: 786 if (psk != NULL) 787 free(psk); 788 dsa_free(dsa); 789 790 return (ret); 791 } 792 793 int 794 ikev2_msg_authsign(struct iked *env, struct iked_sa *sa, 795 struct iked_auth *auth, struct ibuf *authmsg) 796 { 797 u_int8_t *key, *psk = NULL; 798 ssize_t keylen; 799 struct iked_hash *prf = sa->sa_prf; 800 struct iked_id *id; 801 struct iked_dsa *dsa = NULL; 802 struct ibuf *buf; 803 int ret = -1; 804 u_int8_t keytype; 805 806 if (sa->sa_hdr.sh_initiator) 807 id = &sa->sa_icert; 808 else 809 id = &sa->sa_rcert; 810 811 if ((dsa = dsa_sign_new(auth->auth_method, prf)) == NULL) { 812 log_debug("%s: invalid auth method", __func__); 813 return (-1); 814 } 815 816 switch (auth->auth_method) { 817 case IKEV2_AUTH_SHARED_KEY_MIC: 818 if (!auth->auth_length) { 819 log_debug("%s: no pre-shared key found", __func__); 820 goto done; 821 } 822 if ((keylen = ikev2_psk(sa, auth->auth_data, 823 auth->auth_length, &psk)) == -1) { 824 log_debug("%s: failed to get PSK", __func__); 825 goto done; 826 } 827 key = psk; 828 keytype = 0; 829 break; 830 default: 831 if (id == NULL) { 832 log_debug("%s: no cert found", __func__); 833 goto done; 834 } 835 key = ibuf_data(id->id_buf); 836 keylen = ibuf_size(id->id_buf); 837 keytype = id->id_type; 838 break; 839 } 840 841 if (dsa_setkey(dsa, key, keylen, keytype) == NULL || 842 dsa_init(dsa) != 0 || 843 dsa_update(dsa, ibuf_data(authmsg), ibuf_size(authmsg))) { 844 log_debug("%s: failed to compute digital signature", __func__); 845 goto done; 846 } 847 848 ibuf_release(sa->sa_localauth.id_buf); 849 sa->sa_localauth.id_buf = NULL; 850 851 if ((buf = ibuf_new(NULL, dsa_length(dsa))) == NULL) { 852 log_debug("%s: failed to get auth buffer", __func__); 853 goto done; 854 } 855 856 if ((ret = dsa_sign_final(dsa, 857 ibuf_data(buf), ibuf_size(buf))) == -1) { 858 log_debug("%s: failed to create auth signature", __func__); 859 ibuf_release(buf); 860 goto done; 861 } 862 863 sa->sa_localauth.id_type = auth->auth_method; 864 sa->sa_localauth.id_buf = buf; 865 866 ret = 0; 867 done: 868 if (psk != NULL) 869 free(psk); 870 dsa_free(dsa); 871 872 return (ret); 873 } 874 875 int 876 ikev2_msg_frompeer(struct iked_message *msg) 877 { 878 struct iked_sa *sa = msg->msg_sa; 879 struct ike_header *hdr; 880 881 msg = msg->msg_parent; 882 883 if (sa == NULL || 884 (hdr = ibuf_seek(msg->msg_data, 0, sizeof(*hdr))) == NULL) 885 return (0); 886 887 if (!sa->sa_hdr.sh_initiator && 888 (hdr->ike_flags & IKEV2_FLAG_INITIATOR)) 889 return (1); 890 else if (sa->sa_hdr.sh_initiator && 891 (hdr->ike_flags & IKEV2_FLAG_INITIATOR) == 0) 892 return (1); 893 894 return (0); 895 } 896 897 struct iked_socket * 898 ikev2_msg_getsocket(struct iked *env, int af, int natt) 899 { 900 switch (af) { 901 case AF_INET: 902 return (env->sc_sock4[natt ? 1 : 0]); 903 case AF_INET6: 904 return (env->sc_sock6[natt ? 1 : 0]); 905 } 906 907 log_debug("%s: af socket %d not available", __func__, af); 908 return (NULL); 909 } 910 911 void 912 ikev2_msg_prevail(struct iked *env, struct iked_msgqueue *queue, 913 struct iked_message *msg) 914 { 915 struct iked_message *m, *mtmp; 916 917 TAILQ_FOREACH_SAFE(m, queue, msg_entry, mtmp) { 918 if (m->msg_msgid < msg->msg_msgid) 919 ikev2_msg_dispose(env, queue, m); 920 } 921 } 922 923 void 924 ikev2_msg_dispose(struct iked *env, struct iked_msgqueue *queue, 925 struct iked_message *msg) 926 { 927 TAILQ_REMOVE(queue, msg, msg_entry); 928 timer_del(env, &msg->msg_timer); 929 ikev2_msg_cleanup(env, msg); 930 free(msg); 931 } 932 933 void 934 ikev2_msg_flushqueue(struct iked *env, struct iked_msgqueue *queue) 935 { 936 struct iked_message *m = NULL; 937 938 while ((m = TAILQ_FIRST(queue)) != NULL) 939 ikev2_msg_dispose(env, queue, m); 940 } 941 942 struct iked_message * 943 ikev2_msg_lookup(struct iked *env, struct iked_msgqueue *queue, 944 struct iked_message *msg, struct ike_header *hdr) 945 { 946 struct iked_message *m = NULL; 947 948 TAILQ_FOREACH(m, queue, msg_entry) { 949 if (m->msg_msgid == msg->msg_msgid && 950 m->msg_exchange == hdr->ike_exchange) 951 break; 952 } 953 954 return (m); 955 } 956 957 int 958 ikev2_msg_retransmit_response(struct iked *env, struct iked_sa *sa, 959 struct iked_message *msg) 960 { 961 if ((sendto(msg->msg_fd, ibuf_data(msg->msg_data), 962 ibuf_size(msg->msg_data), 0, (struct sockaddr *)&msg->msg_peer, 963 msg->msg_peerlen)) == -1) { 964 log_warn("%s: sendto", __func__); 965 return (-1); 966 } 967 968 timer_add(env, &msg->msg_timer, IKED_RESPONSE_TIMEOUT); 969 return (0); 970 } 971 972 void 973 ikev2_msg_response_timeout(struct iked *env, void *arg) 974 { 975 struct iked_message *msg = arg; 976 struct iked_sa *sa = msg->msg_sa; 977 978 ikev2_msg_dispose(env, &sa->sa_responses, msg); 979 } 980 981 void 982 ikev2_msg_retransmit_timeout(struct iked *env, void *arg) 983 { 984 struct iked_message *msg = arg; 985 struct iked_sa *sa = msg->msg_sa; 986 987 if (msg->msg_tries < IKED_RETRANSMIT_TRIES) { 988 if ((sendto(msg->msg_fd, ibuf_data(msg->msg_data), 989 ibuf_size(msg->msg_data), 0, 990 (struct sockaddr *)&msg->msg_peer, 991 msg->msg_peerlen)) == -1) { 992 log_warn("%s: sendto", __func__); 993 sa_free(env, sa); 994 return; 995 } 996 /* Exponential timeout */ 997 timer_add(env, &msg->msg_timer, 998 IKED_RETRANSMIT_TIMEOUT * (2 << (msg->msg_tries++))); 999 } else { 1000 log_debug("%s: retransmit limit reached for msgid %u", 1001 __func__, msg->msg_msgid); 1002 sa_free(env, sa); 1003 } 1004 } 1005