![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to isakmp_ident.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / ipsec-tools / src / racoon|
Return to isakmp_ident.c CVS log | Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / ipsec-tools / src / racoon |
1.1 misho 1: /* $NetBSD: isakmp_ident.c,v 1.13 2009/09/18 10:31:11 tteras Exp $ */
2:
3: /* Id: isakmp_ident.c,v 1.21 2006/04/06 16:46:08 manubsd Exp */
4:
5: /*
6: * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7: * All rights reserved.
8: *
9: * Redistribution and use in source and binary forms, with or without
10: * modification, are permitted provided that the following conditions
11: * are met:
12: * 1. Redistributions of source code must retain the above copyright
13: * notice, this list of conditions and the following disclaimer.
14: * 2. Redistributions in binary form must reproduce the above copyright
15: * notice, this list of conditions and the following disclaimer in the
16: * documentation and/or other materials provided with the distribution.
17: * 3. Neither the name of the project nor the names of its contributors
18: * may be used to endorse or promote products derived from this software
19: * without specific prior written permission.
20: *
21: * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22: * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23: * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24: * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25: * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26: * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27: * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28: * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29: * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30: * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31: * SUCH DAMAGE.
32: */
33:
34: /* Identity Protecion Exchange (Main Mode) */
35:
36: #include "config.h"
37:
38: #include <sys/types.h>
39: #include <sys/param.h>
40:
41: #include <stdlib.h>
42: #include <stdio.h>
43: #include <string.h>
44: #include <errno.h>
45: #if TIME_WITH_SYS_TIME
46: # include <sys/time.h>
47: # include <time.h>
48: #else
49: # if HAVE_SYS_TIME_H
50: # include <sys/time.h>
51: # else
52: # include <time.h>
53: # endif
54: #endif
55:
56: #include "var.h"
57: #include "misc.h"
58: #include "vmbuf.h"
59: #include "plog.h"
60: #include "sockmisc.h"
61: #include "schedule.h"
62: #include "debug.h"
63:
64: #include "localconf.h"
65: #include "remoteconf.h"
66: #include "isakmp_var.h"
67: #include "isakmp.h"
68: #include "evt.h"
69: #include "oakley.h"
70: #include "handler.h"
71: #include "ipsec_doi.h"
72: #include "crypto_openssl.h"
73: #include "pfkey.h"
74: #include "isakmp_ident.h"
75: #include "isakmp_inf.h"
76: #include "vendorid.h"
77:
78: #ifdef ENABLE_NATT
79: #include "nattraversal.h"
80: #endif
81: #ifdef HAVE_GSSAPI
82: #include "gssapi.h"
83: #endif
84: #ifdef ENABLE_HYBRID
85: #include <resolv.h>
86: #include "isakmp_xauth.h"
87: #include "isakmp_cfg.h"
88: #endif
89: #ifdef ENABLE_FRAG
90: #include "isakmp_frag.h"
91: #endif
92:
93: static vchar_t *ident_ir2mx __P((struct ph1handle *));
94: static vchar_t *ident_ir3mx __P((struct ph1handle *));
95: static int ident_recv_n __P((struct ph1handle *, struct isakmp_gen *));
96:
97: /* %%%
98: * begin Identity Protection Mode as initiator.
99: */
100: /*
101: * send to responder
102: * psk: HDR, SA
103: * sig: HDR, SA
104: * rsa: HDR, SA
105: * rev: HDR, SA
106: */
107: int
108: ident_i1send(iph1, msg)
109: struct ph1handle *iph1;
110: vchar_t *msg; /* must be null */
111: {
112: struct payload_list *plist = NULL;
113: int error = -1;
114: #ifdef ENABLE_NATT
115: vchar_t *vid_natt[MAX_NATT_VID_COUNT] = { NULL };
116: int i;
117: #endif
118: #ifdef ENABLE_HYBRID
119: vchar_t *vid_xauth = NULL;
120: vchar_t *vid_unity = NULL;
121: #endif
122: #ifdef ENABLE_FRAG
123: vchar_t *vid_frag = NULL;
124: #endif
125: #ifdef ENABLE_DPD
126: vchar_t *vid_dpd = NULL;
127: #endif
128: /* validity check */
129: if (msg != NULL) {
130: plog(LLV_ERROR, LOCATION, NULL,
131: "msg has to be NULL in this function.\n");
132: goto end;
133: }
134: if (iph1->status != PHASE1ST_START) {
135: plog(LLV_ERROR, LOCATION, NULL,
136: "status mismatched %d.\n", iph1->status);
137: goto end;
138: }
139:
140: /* create isakmp index */
141: memset(&iph1->index, 0, sizeof(iph1->index));
142: isakmp_newcookie((caddr_t)&iph1->index, iph1->remote, iph1->local);
143:
144: /* create SA payload for my proposal */
145: iph1->sa = ipsecdoi_setph1proposal(iph1->rmconf,
146: iph1->rmconf->proposal);
147: if (iph1->sa == NULL)
148: goto end;
149:
150: /* set SA payload to propose */
151: plist = isakmp_plist_append(plist, iph1->sa, ISAKMP_NPTYPE_SA);
152:
153: #ifdef ENABLE_NATT
154: /* set VID payload for NAT-T if NAT-T support allowed in the config file */
155: if (iph1->rmconf->nat_traversal)
156: plist = isakmp_plist_append_natt_vids(plist, vid_natt);
157: #endif
158: #ifdef ENABLE_HYBRID
159: /* Do we need Xauth VID? */
160: switch (iph1->rmconf->proposal->authmethod) {
161: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I:
162: case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
163: case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
164: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
165: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
166: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
167: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
168: if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL)
169: plog(LLV_ERROR, LOCATION, NULL,
170: "Xauth vendor ID generation failed\n");
171: else
172: plist = isakmp_plist_append(plist,
173: vid_xauth, ISAKMP_NPTYPE_VID);
174:
175: if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL)
176: plog(LLV_ERROR, LOCATION, NULL,
177: "Unity vendor ID generation failed\n");
178: else
179: plist = isakmp_plist_append(plist,
180: vid_unity, ISAKMP_NPTYPE_VID);
181: break;
182: default:
183: break;
184: }
185: #endif
186: #ifdef ENABLE_FRAG
187: if (iph1->rmconf->ike_frag) {
188: if ((vid_frag = set_vendorid(VENDORID_FRAG)) == NULL) {
189: plog(LLV_ERROR, LOCATION, NULL,
190: "Frag vendorID construction failed\n");
191: } else {
192: vid_frag = isakmp_frag_addcap(vid_frag,
193: VENDORID_FRAG_IDENT);
194: plist = isakmp_plist_append(plist,
195: vid_frag, ISAKMP_NPTYPE_VID);
196: }
197: }
198: #endif
199: #ifdef ENABLE_DPD
200: if(iph1->rmconf->dpd){
201: vid_dpd = set_vendorid(VENDORID_DPD);
202: if (vid_dpd != NULL)
203: plist = isakmp_plist_append(plist, vid_dpd,
204: ISAKMP_NPTYPE_VID);
205: }
206: #endif
207:
208: iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
209:
210: #ifdef HAVE_PRINT_ISAKMP_C
211: isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
212: #endif
213:
214: /* send the packet, add to the schedule to resend */
215: if (isakmp_ph1send(iph1) == -1)
216: goto end;
217:
218: iph1->status = PHASE1ST_MSG1SENT;
219:
220: error = 0;
221:
222: end:
223: #ifdef ENABLE_FRAG
224: if (vid_frag)
225: vfree(vid_frag);
226: #endif
227: #ifdef ENABLE_NATT
228: for (i = 0; i < MAX_NATT_VID_COUNT && vid_natt[i] != NULL; i++)
229: vfree(vid_natt[i]);
230: #endif
231: #ifdef ENABLE_HYBRID
232: if (vid_xauth != NULL)
233: vfree(vid_xauth);
234: if (vid_unity != NULL)
235: vfree(vid_unity);
236: #endif
237: #ifdef ENABLE_DPD
238: if (vid_dpd != NULL)
239: vfree(vid_dpd);
240: #endif
241:
242: return error;
243: }
244:
245: /*
246: * receive from responder
247: * psk: HDR, SA
248: * sig: HDR, SA
249: * rsa: HDR, SA
250: * rev: HDR, SA
251: */
252: int
253: ident_i2recv(iph1, msg)
254: struct ph1handle *iph1;
255: vchar_t *msg;
256: {
257: vchar_t *pbuf = NULL;
258: struct isakmp_parse_t *pa;
259: vchar_t *satmp = NULL;
260: int error = -1;
261:
262: /* validity check */
263: if (iph1->status != PHASE1ST_MSG1SENT) {
264: plog(LLV_ERROR, LOCATION, NULL,
265: "status mismatched %d.\n", iph1->status);
266: goto end;
267: }
268:
269: /* validate the type of next payload */
270: /*
271: * NOTE: RedCreek(as responder) attaches N[responder-lifetime] here,
272: * if proposal-lifetime > lifetime-redcreek-wants.
273: * (see doi-08 4.5.4)
274: * => According to the seciton 4.6.3 in RFC 2407, This is illegal.
275: * NOTE: we do not really care about ordering of VID and N.
276: * does it matters?
277: * NOTE: even if there's multiple VID/N, we'll ignore them.
278: */
279: pbuf = isakmp_parse(msg);
280: if (pbuf == NULL)
281: goto end;
282: pa = (struct isakmp_parse_t *)pbuf->v;
283:
284: /* SA payload is fixed postion */
285: if (pa->type != ISAKMP_NPTYPE_SA) {
286: plog(LLV_ERROR, LOCATION, iph1->remote,
287: "received invalid next payload type %d, "
288: "expecting %d.\n",
289: pa->type, ISAKMP_NPTYPE_SA);
290: goto end;
291: }
292: if (isakmp_p2ph(&satmp, pa->ptr) < 0)
293: goto end;
294: pa++;
295:
296: for (/*nothing*/;
297: pa->type != ISAKMP_NPTYPE_NONE;
298: pa++) {
299:
300: switch (pa->type) {
301: case ISAKMP_NPTYPE_VID:
302: handle_vendorid(iph1, pa->ptr);
303: break;
304: default:
305: /* don't send information, see ident_r1recv() */
306: plog(LLV_ERROR, LOCATION, iph1->remote,
307: "ignore the packet, "
308: "received unexpecting payload type %d.\n",
309: pa->type);
310: goto end;
311: }
312: }
313:
314: #ifdef ENABLE_NATT
315: if (NATT_AVAILABLE(iph1))
316: plog(LLV_INFO, LOCATION, iph1->remote,
317: "Selected NAT-T version: %s\n",
318: vid_string_by_id(iph1->natt_options->version));
319: #endif
320:
321: /* check SA payload and set approval SA for use */
322: if (ipsecdoi_checkph1proposal(satmp, iph1) < 0) {
323: plog(LLV_ERROR, LOCATION, iph1->remote,
324: "failed to get valid proposal.\n");
325: /* XXX send information */
326: goto end;
327: }
328: VPTRINIT(iph1->sa_ret);
329:
330: iph1->status = PHASE1ST_MSG2RECEIVED;
331:
332: error = 0;
333:
334: end:
335: if (pbuf)
336: vfree(pbuf);
337: if (satmp)
338: vfree(satmp);
339: return error;
340: }
341:
342: /*
343: * send to responder
344: * psk: HDR, KE, Ni
345: * sig: HDR, KE, Ni
346: * gssapi: HDR, KE, Ni, GSSi
347: * rsa: HDR, KE, [ HASH(1), ] <IDi1_b>PubKey_r, <Ni_b>PubKey_r
348: * rev: HDR, [ HASH(1), ] <Ni_b>Pubkey_r, <KE_b>Ke_i,
349: * <IDi1_b>Ke_i, [<<Cert-I_b>Ke_i]
350: */
351: int
352: ident_i2send(iph1, msg)
353: struct ph1handle *iph1;
354: vchar_t *msg;
355: {
356: int error = -1;
357:
358: /* validity check */
359: if (iph1->status != PHASE1ST_MSG2RECEIVED) {
360: plog(LLV_ERROR, LOCATION, NULL,
361: "status mismatched %d.\n", iph1->status);
362: goto end;
363: }
364:
365: /* fix isakmp index */
366: memcpy(&iph1->index.r_ck, &((struct isakmp *)msg->v)->r_ck,
367: sizeof(cookie_t));
368:
369: /* generate DH public value */
370: if (oakley_dh_generate(iph1->approval->dhgrp,
371: &iph1->dhpub, &iph1->dhpriv) < 0)
372: goto end;
373:
374: /* generate NONCE value */
375: iph1->nonce = eay_set_random(iph1->rmconf->nonce_size);
376: if (iph1->nonce == NULL)
377: goto end;
378:
379: #ifdef HAVE_GSSAPI
380: if (iph1->approval->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB &&
381: gssapi_get_itoken(iph1, NULL) < 0)
382: goto end;
383: #endif
384:
385: /* create buffer to send isakmp payload */
386: iph1->sendbuf = ident_ir2mx(iph1);
387: if (iph1->sendbuf == NULL)
388: goto end;
389:
390: #ifdef HAVE_PRINT_ISAKMP_C
391: isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
392: #endif
393:
394: /* send the packet, add to the schedule to resend */
395: if (isakmp_ph1send(iph1) == -1)
396: goto end;
397:
398: /* the sending message is added to the received-list. */
399: if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) {
400: plog(LLV_ERROR , LOCATION, NULL,
401: "failed to add a response packet to the tree.\n");
402: goto end;
403: }
404:
405: iph1->status = PHASE1ST_MSG2SENT;
406:
407: error = 0;
408:
409: end:
410: return error;
411: }
412:
413: /*
414: * receive from responder
415: * psk: HDR, KE, Nr
416: * sig: HDR, KE, Nr [, CR ]
417: * gssapi: HDR, KE, Nr, GSSr
418: * rsa: HDR, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i
419: * rev: HDR, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDr1_b>Ke_r,
420: */
421: int
422: ident_i3recv(iph1, msg)
423: struct ph1handle *iph1;
424: vchar_t *msg;
425: {
426: vchar_t *pbuf = NULL;
427: struct isakmp_parse_t *pa;
428: int error = -1;
429: #ifdef HAVE_GSSAPI
430: vchar_t *gsstoken = NULL;
431: #endif
432: #ifdef ENABLE_NATT
433: vchar_t *natd_received;
434: int natd_seq = 0, natd_verified;
435: #endif
436:
437: /* validity check */
438: if (iph1->status != PHASE1ST_MSG2SENT) {
439: plog(LLV_ERROR, LOCATION, NULL,
440: "status mismatched %d.\n", iph1->status);
441: goto end;
442: }
443:
444: /* validate the type of next payload */
445: pbuf = isakmp_parse(msg);
446: if (pbuf == NULL)
447: goto end;
448:
449: for (pa = (struct isakmp_parse_t *)pbuf->v;
450: pa->type != ISAKMP_NPTYPE_NONE;
451: pa++) {
452:
453: switch (pa->type) {
454: case ISAKMP_NPTYPE_KE:
455: if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0)
456: goto end;
457: break;
458: case ISAKMP_NPTYPE_NONCE:
459: if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0)
460: goto end;
461: break;
462: case ISAKMP_NPTYPE_VID:
463: handle_vendorid(iph1, pa->ptr);
464: break;
465: case ISAKMP_NPTYPE_CR:
466: if (oakley_savecr(iph1, pa->ptr) < 0)
467: goto end;
468: break;
469: #ifdef HAVE_GSSAPI
470: case ISAKMP_NPTYPE_GSS:
471: if (isakmp_p2ph(&gsstoken, pa->ptr) < 0)
472: goto end;
473: gssapi_save_received_token(iph1, gsstoken);
474: break;
475: #endif
476:
477: #ifdef ENABLE_NATT
478: case ISAKMP_NPTYPE_NATD_DRAFT:
479: case ISAKMP_NPTYPE_NATD_RFC:
480: if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL &&
481: pa->type == iph1->natt_options->payload_nat_d) {
482: natd_received = NULL;
483: if (isakmp_p2ph (&natd_received, pa->ptr) < 0)
484: goto end;
485:
486: /* set both bits first so that we can clear them
487: upon verifying hashes */
488: if (natd_seq == 0)
489: iph1->natt_flags |= NAT_DETECTED;
490:
491: /* this function will clear appropriate bits bits
492: from iph1->natt_flags */
493: natd_verified = natt_compare_addr_hash (iph1,
494: natd_received, natd_seq++);
495:
496: plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n",
497: natd_seq - 1,
498: natd_verified ? "verified" : "doesn't match");
499:
500: vfree (natd_received);
501: break;
502: }
503: /* passthrough to default... */
504: #endif
505:
506: default:
507: /* don't send information, see ident_r1recv() */
508: plog(LLV_ERROR, LOCATION, iph1->remote,
509: "ignore the packet, "
510: "received unexpecting payload type %d.\n",
511: pa->type);
512: goto end;
513: }
514: }
515:
516: #ifdef ENABLE_NATT
517: if (NATT_AVAILABLE(iph1)) {
518: plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n",
519: iph1->natt_flags & NAT_DETECTED ?
520: "detected:" : "not detected",
521: iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "",
522: iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : "");
523: if (iph1->natt_flags & NAT_DETECTED)
524: natt_float_ports (iph1);
525: }
526: #endif
527:
528: /* payload existency check */
529: if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) {
530: plog(LLV_ERROR, LOCATION, iph1->remote,
531: "few isakmp message received.\n");
532: goto end;
533: }
534:
535: if (oakley_checkcr(iph1) < 0) {
536: /* Ignore this error in order to be interoperability. */
537: ;
538: }
539:
540: iph1->status = PHASE1ST_MSG3RECEIVED;
541:
542: error = 0;
543:
544: end:
545: #ifdef HAVE_GSSAPI
546: if (gsstoken)
547: vfree(gsstoken);
548: #endif
549: if (pbuf)
550: vfree(pbuf);
551: if (error) {
552: VPTRINIT(iph1->dhpub_p);
553: VPTRINIT(iph1->nonce_p);
554: VPTRINIT(iph1->id_p);
555: VPTRINIT(iph1->cr_p);
556: }
557:
558: return error;
559: }
560:
561: /*
562: * send to responder
563: * psk: HDR*, IDi1, HASH_I
564: * sig: HDR*, IDi1, [ CR, ] [ CERT, ] SIG_I
565: * gssapi: HDR*, IDi1, < Gssi(n) | HASH_I >
566: * rsa: HDR*, HASH_I
567: * rev: HDR*, HASH_I
568: */
569: int
570: ident_i3send(iph1, msg0)
571: struct ph1handle *iph1;
572: vchar_t *msg0;
573: {
574: int error = -1;
575: int dohash = 1;
576: #ifdef HAVE_GSSAPI
577: int len;
578: #endif
579:
580: /* validity check */
581: if (iph1->status != PHASE1ST_MSG3RECEIVED) {
582: plog(LLV_ERROR, LOCATION, NULL,
583: "status mismatched %d.\n", iph1->status);
584: goto end;
585: }
586:
587: /* compute sharing secret of DH */
588: if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub,
589: iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0)
590: goto end;
591:
592: /* generate SKEYIDs & IV & final cipher key */
593: if (oakley_skeyid(iph1) < 0)
594: goto end;
595: if (oakley_skeyid_dae(iph1) < 0)
596: goto end;
597: if (oakley_compute_enckey(iph1) < 0)
598: goto end;
599: if (oakley_newiv(iph1) < 0)
600: goto end;
601:
602: /* make ID payload into isakmp status */
603: if (ipsecdoi_setid1(iph1) < 0)
604: goto end;
605:
606: #ifdef HAVE_GSSAPI
607: if (iph1->approval->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB &&
608: gssapi_more_tokens(iph1)) {
609: plog(LLV_DEBUG, LOCATION, NULL, "calling get_itoken\n");
610: if (gssapi_get_itoken(iph1, &len) < 0)
611: goto end;
612: if (len != 0)
613: dohash = 0;
614: }
615: #endif
616:
617: /* generate HASH to send */
618: if (dohash) {
619: iph1->hash = oakley_ph1hash_common(iph1, GENERATE);
620: if (iph1->hash == NULL)
621: goto end;
622: } else
623: iph1->hash = NULL;
624:
625: /* set encryption flag */
626: iph1->flags |= ISAKMP_FLAG_E;
627:
628: /* create HDR;ID;HASH payload */
629: iph1->sendbuf = ident_ir3mx(iph1);
630: if (iph1->sendbuf == NULL)
631: goto end;
632:
633: /* send the packet, add to the schedule to resend */
634: if (isakmp_ph1send(iph1) == -1)
635: goto end;
636:
637: /* the sending message is added to the received-list. */
638: if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg0) == -1) {
639: plog(LLV_ERROR , LOCATION, NULL,
640: "failed to add a response packet to the tree.\n");
641: goto end;
642: }
643:
644: /* see handler.h about IV synchronization. */
645: memcpy(iph1->ivm->ive->v, iph1->ivm->iv->v, iph1->ivm->iv->l);
646:
647: iph1->status = PHASE1ST_MSG3SENT;
648:
649: error = 0;
650:
651: end:
652: return error;
653: }
654:
655: /*
656: * receive from responder
657: * psk: HDR*, IDr1, HASH_R
658: * sig: HDR*, IDr1, [ CERT, ] SIG_R
659: * gssapi: HDR*, IDr1, < GSSr(n) | HASH_R >
660: * rsa: HDR*, HASH_R
661: * rev: HDR*, HASH_R
662: */
663: int
664: ident_i4recv(iph1, msg0)
665: struct ph1handle *iph1;
666: vchar_t *msg0;
667: {
668: vchar_t *pbuf = NULL;
669: struct isakmp_parse_t *pa;
670: vchar_t *msg = NULL;
671: int error = -1;
672: int type;
673: #ifdef HAVE_GSSAPI
674: vchar_t *gsstoken = NULL;
675: #endif
676:
677: /* validity check */
678: if (iph1->status != PHASE1ST_MSG3SENT) {
679: plog(LLV_ERROR, LOCATION, NULL,
680: "status mismatched %d.\n", iph1->status);
681: goto end;
682: }
683:
684: /* decrypting */
685: if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
686: plog(LLV_ERROR, LOCATION, iph1->remote,
687: "ignore the packet, "
688: "expecting the packet encrypted.\n");
689: goto end;
690: }
691: msg = oakley_do_decrypt(iph1, msg0, iph1->ivm->iv, iph1->ivm->ive);
692: if (msg == NULL)
693: goto end;
694:
695: /* validate the type of next payload */
696: pbuf = isakmp_parse(msg);
697: if (pbuf == NULL)
698: goto end;
699:
700: iph1->pl_hash = NULL;
701:
702: for (pa = (struct isakmp_parse_t *)pbuf->v;
703: pa->type != ISAKMP_NPTYPE_NONE;
704: pa++) {
705:
706: switch (pa->type) {
707: case ISAKMP_NPTYPE_ID:
708: if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0)
709: goto end;
710: break;
711: case ISAKMP_NPTYPE_HASH:
712: iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr;
713: break;
714: case ISAKMP_NPTYPE_CERT:
715: if (oakley_savecert(iph1, pa->ptr) < 0)
716: goto end;
717: break;
718: case ISAKMP_NPTYPE_SIG:
719: if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0)
720: goto end;
721: break;
722: #ifdef HAVE_GSSAPI
723: case ISAKMP_NPTYPE_GSS:
724: if (isakmp_p2ph(&gsstoken, pa->ptr) < 0)
725: goto end;
726: gssapi_save_received_token(iph1, gsstoken);
727: break;
728: #endif
729: case ISAKMP_NPTYPE_VID:
730: handle_vendorid(iph1, pa->ptr);
731: break;
732: case ISAKMP_NPTYPE_N:
733: ident_recv_n(iph1, pa->ptr);
734: break;
735: default:
736: /* don't send information, see ident_r1recv() */
737: plog(LLV_ERROR, LOCATION, iph1->remote,
738: "ignore the packet, "
739: "received unexpecting payload type %d.\n",
740: pa->type);
741: goto end;
742: }
743: }
744:
745: /* payload existency check */
746:
747: /* verify identifier */
748: if (ipsecdoi_checkid1(iph1) != 0) {
749: plog(LLV_ERROR, LOCATION, iph1->remote,
750: "invalid ID payload.\n");
751: goto end;
752: }
753:
754: /* validate authentication value */
755: #ifdef HAVE_GSSAPI
756: if (gsstoken == NULL) {
757: #endif
758: type = oakley_validate_auth(iph1);
759: if (type != 0) {
760: if (type == -1) {
761: /* msg printed inner oakley_validate_auth() */
762: goto end;
763: }
764: evt_phase1(iph1, EVT_PHASE1_AUTH_FAILED, NULL);
765: isakmp_info_send_n1(iph1, type, NULL);
766: goto end;
767: }
768: #ifdef HAVE_GSSAPI
769: }
770: #endif
771:
772: /*
773: * XXX: Should we do compare two addresses, ph1handle's and ID
774: * payload's.
775: */
776:
777: plog(LLV_DEBUG, LOCATION, iph1->remote, "peer's ID:");
778: plogdump(LLV_DEBUG, iph1->id_p->v, iph1->id_p->l);
779:
780: /* see handler.h about IV synchronization. */
781: memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->ive->l);
782:
783: /*
784: * If we got a GSS token, we need to this roundtrip again.
785: */
786: #ifdef HAVE_GSSAPI
787: iph1->status = gsstoken != 0 ? PHASE1ST_MSG3RECEIVED :
788: PHASE1ST_MSG4RECEIVED;
789: #else
790: iph1->status = PHASE1ST_MSG4RECEIVED;
791: #endif
792:
793: error = 0;
794:
795: end:
796: if (pbuf)
797: vfree(pbuf);
798: if (msg)
799: vfree(msg);
800: #ifdef HAVE_GSSAPI
801: if (gsstoken)
802: vfree(gsstoken);
803: #endif
804:
805: if (error) {
806: VPTRINIT(iph1->id_p);
807: VPTRINIT(iph1->cert_p);
808: VPTRINIT(iph1->crl_p);
809: VPTRINIT(iph1->sig_p);
810: }
811:
812: return error;
813: }
814:
815: /*
816: * status update and establish isakmp sa.
817: */
818: int
819: ident_i4send(iph1, msg)
820: struct ph1handle *iph1;
821: vchar_t *msg;
822: {
823: int error = -1;
824:
825: /* validity check */
826: if (iph1->status != PHASE1ST_MSG4RECEIVED) {
827: plog(LLV_ERROR, LOCATION, NULL,
828: "status mismatched %d.\n", iph1->status);
829: goto end;
830: }
831:
832: /* see handler.h about IV synchronization. */
833: memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->iv->l);
834:
835: iph1->status = PHASE1ST_ESTABLISHED;
836:
837: error = 0;
838:
839: end:
840: return error;
841: }
842:
843: /*
844: * receive from initiator
845: * psk: HDR, SA
846: * sig: HDR, SA
847: * rsa: HDR, SA
848: * rev: HDR, SA
849: */
850: int
851: ident_r1recv(iph1, msg)
852: struct ph1handle *iph1;
853: vchar_t *msg;
854: {
855: vchar_t *pbuf = NULL;
856: struct isakmp_parse_t *pa;
857: int error = -1;
858: int vid_numeric;
859:
860: /* validity check */
861: if (iph1->status != PHASE1ST_START) {
862: plog(LLV_ERROR, LOCATION, NULL,
863: "status mismatched %d.\n", iph1->status);
864: goto end;
865: }
866:
867: /* validate the type of next payload */
868: /*
869: * NOTE: XXX even if multiple VID, we'll silently ignore those.
870: */
871: pbuf = isakmp_parse(msg);
872: if (pbuf == NULL)
873: goto end;
874: pa = (struct isakmp_parse_t *)pbuf->v;
875:
876: /* check the position of SA payload */
877: if (pa->type != ISAKMP_NPTYPE_SA) {
878: plog(LLV_ERROR, LOCATION, iph1->remote,
879: "received invalid next payload type %d, "
880: "expecting %d.\n",
881: pa->type, ISAKMP_NPTYPE_SA);
882: goto end;
883: }
884: if (isakmp_p2ph(&iph1->sa, pa->ptr) < 0)
885: goto end;
886: pa++;
887:
888: for (/*nothing*/;
889: pa->type != ISAKMP_NPTYPE_NONE;
890: pa++) {
891:
892: switch (pa->type) {
893: case ISAKMP_NPTYPE_VID:
894: vid_numeric = handle_vendorid(iph1, pa->ptr);
895: #ifdef ENABLE_FRAG
896: if ((vid_numeric == VENDORID_FRAG) &&
897: (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_IDENT))
898: iph1->frag = 1;
899: #endif
900: break;
901: default:
902: /*
903: * We don't send information to the peer even
904: * if we received malformed packet. Because we
905: * can't distinguish the malformed packet and
906: * the re-sent packet. And we do same behavior
907: * when we expect encrypted packet.
908: */
909: plog(LLV_ERROR, LOCATION, iph1->remote,
910: "ignore the packet, "
911: "received unexpecting payload type %d.\n",
912: pa->type);
913: goto end;
914: }
915: }
916:
917: #ifdef ENABLE_NATT
918: if (NATT_AVAILABLE(iph1))
919: plog(LLV_INFO, LOCATION, iph1->remote,
920: "Selected NAT-T version: %s\n",
921: vid_string_by_id(iph1->natt_options->version));
922: #endif
923:
924: /* check SA payload and set approval SA for use */
925: if (ipsecdoi_checkph1proposal(iph1->sa, iph1) < 0) {
926: plog(LLV_ERROR, LOCATION, iph1->remote,
927: "failed to get valid proposal.\n");
928: /* XXX send information */
929: goto end;
930: }
931:
932: iph1->status = PHASE1ST_MSG1RECEIVED;
933:
934: error = 0;
935:
936: end:
937: if (pbuf)
938: vfree(pbuf);
939: if (error) {
940: VPTRINIT(iph1->sa);
941: }
942:
943: return error;
944: }
945:
946: /*
947: * send to initiator
948: * psk: HDR, SA
949: * sig: HDR, SA
950: * rsa: HDR, SA
951: * rev: HDR, SA
952: */
953: int
954: ident_r1send(iph1, msg)
955: struct ph1handle *iph1;
956: vchar_t *msg;
957: {
958: struct payload_list *plist = NULL;
959: int error = -1;
960: vchar_t *gss_sa = NULL;
961: #ifdef HAVE_GSSAPI
962: int free_gss_sa = 0;
963: #endif
964: #ifdef ENABLE_NATT
965: vchar_t *vid_natt = NULL;
966: #endif
967: #ifdef ENABLE_HYBRID
968: vchar_t *vid_xauth = NULL;
969: vchar_t *vid_unity = NULL;
970: #endif
971: #ifdef ENABLE_DPD
972: vchar_t *vid_dpd = NULL;
973: #endif
974: #ifdef ENABLE_FRAG
975: vchar_t *vid_frag = NULL;
976: #endif
977:
978: /* validity check */
979: if (iph1->status != PHASE1ST_MSG1RECEIVED) {
980: plog(LLV_ERROR, LOCATION, NULL,
981: "status mismatched %d.\n", iph1->status);
982: goto end;
983: }
984:
985: /* set responder's cookie */
986: isakmp_newcookie((caddr_t)&iph1->index.r_ck, iph1->remote, iph1->local);
987:
988: #ifdef HAVE_GSSAPI
989: if (iph1->approval->gssid != NULL) {
990: gss_sa = ipsecdoi_setph1proposal(iph1->rmconf, iph1->approval);
991: if (gss_sa != iph1->sa_ret)
992: free_gss_sa = 1;
993: } else
994: #endif
995: gss_sa = iph1->sa_ret;
996:
997: /* set SA payload to reply */
998: plist = isakmp_plist_append(plist, gss_sa, ISAKMP_NPTYPE_SA);
999:
1000: #ifdef ENABLE_HYBRID
1001: if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) {
1002: plog (LLV_INFO, LOCATION, NULL, "Adding xauth VID payload.\n");
1003: if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL) {
1004: plog(LLV_ERROR, LOCATION, NULL,
1005: "Cannot create Xauth vendor ID\n");
1006: goto end;
1007: }
1008: plist = isakmp_plist_append(plist,
1009: vid_xauth, ISAKMP_NPTYPE_VID);
1010: }
1011:
1012: if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_UNITY) {
1013: if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL) {
1014: plog(LLV_ERROR, LOCATION, NULL,
1015: "Cannot create Unity vendor ID\n");
1016: goto end;
1017: }
1018: plist = isakmp_plist_append(plist,
1019: vid_unity, ISAKMP_NPTYPE_VID);
1020: }
1021: #endif
1022: #ifdef ENABLE_NATT
1023: /* Has the peer announced NAT-T? */
1024: if (NATT_AVAILABLE(iph1))
1025: vid_natt = set_vendorid(iph1->natt_options->version);
1026:
1027: if (vid_natt)
1028: plist = isakmp_plist_append(plist, vid_natt, ISAKMP_NPTYPE_VID);
1029: #endif
1030: #ifdef ENABLE_DPD
1031: if (iph1->dpd_support) {
1032: vid_dpd = set_vendorid(VENDORID_DPD);
1033: if (vid_dpd != NULL)
1034: plist = isakmp_plist_append(plist, vid_dpd, ISAKMP_NPTYPE_VID);
1035: }
1036: #endif
1037: #ifdef ENABLE_FRAG
1038: if (iph1->frag) {
1039: vid_frag = set_vendorid(VENDORID_FRAG);
1040: if (vid_frag != NULL)
1041: vid_frag = isakmp_frag_addcap(vid_frag,
1042: VENDORID_FRAG_IDENT);
1043: if (vid_frag == NULL)
1044: plog(LLV_ERROR, LOCATION, NULL,
1045: "Frag vendorID construction failed\n");
1046: else
1047: plist = isakmp_plist_append(plist,
1048: vid_frag, ISAKMP_NPTYPE_VID);
1049: }
1050: #endif
1051:
1052: iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
1053:
1054: #ifdef HAVE_PRINT_ISAKMP_C
1055: isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
1056: #endif
1057:
1058: /* send the packet, add to the schedule to resend */
1059: if (isakmp_ph1send(iph1) == -1)
1060: goto end;
1061:
1062: /* the sending message is added to the received-list. */
1063: if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) {
1064: plog(LLV_ERROR , LOCATION, NULL,
1065: "failed to add a response packet to the tree.\n");
1066: goto end;
1067: }
1068:
1069: iph1->status = PHASE1ST_MSG1SENT;
1070:
1071: error = 0;
1072:
1073: end:
1074: #ifdef HAVE_GSSAPI
1075: if (free_gss_sa)
1076: vfree(gss_sa);
1077: #endif
1078: #ifdef ENABLE_NATT
1079: if (vid_natt)
1080: vfree(vid_natt);
1081: #endif
1082: #ifdef ENABLE_HYBRID
1083: if (vid_xauth != NULL)
1084: vfree(vid_xauth);
1085: if (vid_unity != NULL)
1086: vfree(vid_unity);
1087: #endif
1088: #ifdef ENABLE_DPD
1089: if (vid_dpd != NULL)
1090: vfree(vid_dpd);
1091: #endif
1092: #ifdef ENABLE_FRAG
1093: if (vid_frag != NULL)
1094: vfree(vid_frag);
1095: #endif
1096:
1097: return error;
1098: }
1099:
1100: /*
1101: * receive from initiator
1102: * psk: HDR, KE, Ni
1103: * sig: HDR, KE, Ni
1104: * gssapi: HDR, KE, Ni, GSSi
1105: * rsa: HDR, KE, [ HASH(1), ] <IDi1_b>PubKey_r, <Ni_b>PubKey_r
1106: * rev: HDR, [ HASH(1), ] <Ni_b>Pubkey_r, <KE_b>Ke_i,
1107: * <IDi1_b>Ke_i, [<<Cert-I_b>Ke_i]
1108: */
1109: int
1110: ident_r2recv(iph1, msg)
1111: struct ph1handle *iph1;
1112: vchar_t *msg;
1113: {
1114: vchar_t *pbuf = NULL;
1115: struct isakmp_parse_t *pa;
1116: int error = -1;
1117: #ifdef HAVE_GSSAPI
1118: vchar_t *gsstoken = NULL;
1119: #endif
1120: #ifdef ENABLE_NATT
1121: int natd_seq = 0;
1122: #endif
1123:
1124: /* validity check */
1125: if (iph1->status != PHASE1ST_MSG1SENT) {
1126: plog(LLV_ERROR, LOCATION, NULL,
1127: "status mismatched %d.\n", iph1->status);
1128: goto end;
1129: }
1130:
1131: /* validate the type of next payload */
1132: pbuf = isakmp_parse(msg);
1133: if (pbuf == NULL)
1134: goto end;
1135:
1136: for (pa = (struct isakmp_parse_t *)pbuf->v;
1137: pa->type != ISAKMP_NPTYPE_NONE;
1138: pa++) {
1139: switch (pa->type) {
1140: case ISAKMP_NPTYPE_KE:
1141: if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0)
1142: goto end;
1143: break;
1144: case ISAKMP_NPTYPE_NONCE:
1145: if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0)
1146: goto end;
1147: break;
1148: case ISAKMP_NPTYPE_VID:
1149: handle_vendorid(iph1, pa->ptr);
1150: break;
1151: case ISAKMP_NPTYPE_CR:
1152: plog(LLV_WARNING, LOCATION, iph1->remote,
1153: "CR received, ignore it. "
1154: "It should be in other exchange.\n");
1155: break;
1156: #ifdef HAVE_GSSAPI
1157: case ISAKMP_NPTYPE_GSS:
1158: if (isakmp_p2ph(&gsstoken, pa->ptr) < 0)
1159: goto end;
1160: gssapi_save_received_token(iph1, gsstoken);
1161: break;
1162: #endif
1163:
1164: #ifdef ENABLE_NATT
1165: case ISAKMP_NPTYPE_NATD_DRAFT:
1166: case ISAKMP_NPTYPE_NATD_RFC:
1167: if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL &&
1168: pa->type == iph1->natt_options->payload_nat_d)
1169: {
1170: vchar_t *natd_received = NULL;
1171: int natd_verified;
1172:
1173: if (isakmp_p2ph (&natd_received, pa->ptr) < 0)
1174: goto end;
1175:
1176: if (natd_seq == 0)
1177: iph1->natt_flags |= NAT_DETECTED;
1178:
1179: natd_verified = natt_compare_addr_hash (iph1,
1180: natd_received, natd_seq++);
1181:
1182: plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n",
1183: natd_seq - 1,
1184: natd_verified ? "verified" : "doesn't match");
1185:
1186: vfree (natd_received);
1187: break;
1188: }
1189: /* passthrough to default... */
1190: #endif
1191:
1192: default:
1193: /* don't send information, see ident_r1recv() */
1194: plog(LLV_ERROR, LOCATION, iph1->remote,
1195: "ignore the packet, "
1196: "received unexpecting payload type %d.\n",
1197: pa->type);
1198: goto end;
1199: }
1200: }
1201:
1202: #ifdef ENABLE_NATT
1203: if (NATT_AVAILABLE(iph1))
1204: plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n",
1205: iph1->natt_flags & NAT_DETECTED ?
1206: "detected:" : "not detected",
1207: iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "",
1208: iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : "");
1209: #endif
1210:
1211: /* payload existency check */
1212: if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) {
1213: plog(LLV_ERROR, LOCATION, iph1->remote,
1214: "few isakmp message received.\n");
1215: goto end;
1216: }
1217:
1218: iph1->status = PHASE1ST_MSG2RECEIVED;
1219:
1220: error = 0;
1221:
1222: end:
1223: if (pbuf)
1224: vfree(pbuf);
1225: #ifdef HAVE_GSSAPI
1226: if (gsstoken)
1227: vfree(gsstoken);
1228: #endif
1229:
1230: if (error) {
1231: VPTRINIT(iph1->dhpub_p);
1232: VPTRINIT(iph1->nonce_p);
1233: VPTRINIT(iph1->id_p);
1234: }
1235:
1236: return error;
1237: }
1238:
1239: /*
1240: * send to initiator
1241: * psk: HDR, KE, Nr
1242: * sig: HDR, KE, Nr [, CR ]
1243: * gssapi: HDR, KE, Nr, GSSr
1244: * rsa: HDR, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i
1245: * rev: HDR, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDr1_b>Ke_r,
1246: */
1247: int
1248: ident_r2send(iph1, msg)
1249: struct ph1handle *iph1;
1250: vchar_t *msg;
1251: {
1252: int error = -1;
1253:
1254: /* validity check */
1255: if (iph1->status != PHASE1ST_MSG2RECEIVED) {
1256: plog(LLV_ERROR, LOCATION, NULL,
1257: "status mismatched %d.\n", iph1->status);
1258: goto end;
1259: }
1260:
1261: /* generate DH public value */
1262: if (oakley_dh_generate(iph1->approval->dhgrp,
1263: &iph1->dhpub, &iph1->dhpriv) < 0)
1264: goto end;
1265:
1266: /* generate NONCE value */
1267: iph1->nonce = eay_set_random(RMCONF_NONCE_SIZE(iph1->rmconf));
1268: if (iph1->nonce == NULL)
1269: goto end;
1270:
1271: #ifdef HAVE_GSSAPI
1272: if (iph1->approval->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB)
1273: gssapi_get_rtoken(iph1, NULL);
1274: #endif
1275:
1276: /* create HDR;KE;NONCE payload */
1277: iph1->sendbuf = ident_ir2mx(iph1);
1278: if (iph1->sendbuf == NULL)
1279: goto end;
1280:
1281: #ifdef HAVE_PRINT_ISAKMP_C
1282: isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
1283: #endif
1284:
1285: /* send the packet, add to the schedule to resend */
1286: if (isakmp_ph1send(iph1) == -1)
1287: goto end;
1288:
1289: /* the sending message is added to the received-list. */
1290: if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) {
1291: plog(LLV_ERROR , LOCATION, NULL,
1292: "failed to add a response packet to the tree.\n");
1293: goto end;
1294: }
1295:
1296: /* compute sharing secret of DH */
1297: if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub,
1298: iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0)
1299: goto end;
1300:
1301: /* generate SKEYIDs & IV & final cipher key */
1302: if (oakley_skeyid(iph1) < 0)
1303: goto end;
1304: if (oakley_skeyid_dae(iph1) < 0)
1305: goto end;
1306: if (oakley_compute_enckey(iph1) < 0)
1307: goto end;
1308: if (oakley_newiv(iph1) < 0)
1309: goto end;
1310:
1311: iph1->status = PHASE1ST_MSG2SENT;
1312:
1313: error = 0;
1314:
1315: end:
1316: return error;
1317: }
1318:
1319: /*
1320: * receive from initiator
1321: * psk: HDR*, IDi1, HASH_I
1322: * sig: HDR*, IDi1, [ CR, ] [ CERT, ] SIG_I
1323: * gssapi: HDR*, [ IDi1, ] < GSSi(n) | HASH_I >
1324: * rsa: HDR*, HASH_I
1325: * rev: HDR*, HASH_I
1326: */
1327: int
1328: ident_r3recv(iph1, msg0)
1329: struct ph1handle *iph1;
1330: vchar_t *msg0;
1331: {
1332: vchar_t *msg = NULL;
1333: vchar_t *pbuf = NULL;
1334: struct isakmp_parse_t *pa;
1335: int error = -1;
1336: int type;
1337: #ifdef HAVE_GSSAPI
1338: vchar_t *gsstoken = NULL;
1339: #endif
1340:
1341: /* validity check */
1342: if (iph1->status != PHASE1ST_MSG2SENT) {
1343: plog(LLV_ERROR, LOCATION, NULL,
1344: "status mismatched %d.\n", iph1->status);
1345: goto end;
1346: }
1347:
1348: /* decrypting */
1349: if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
1350: plog(LLV_ERROR, LOCATION, iph1->remote,
1351: "reject the packet, "
1352: "expecting the packet encrypted.\n");
1353: goto end;
1354: }
1355: msg = oakley_do_decrypt(iph1, msg0, iph1->ivm->iv, iph1->ivm->ive);
1356: if (msg == NULL)
1357: goto end;
1358:
1359: /* validate the type of next payload */
1360: pbuf = isakmp_parse(msg);
1361: if (pbuf == NULL)
1362: goto end;
1363:
1364: iph1->pl_hash = NULL;
1365:
1366: for (pa = (struct isakmp_parse_t *)pbuf->v;
1367: pa->type != ISAKMP_NPTYPE_NONE;
1368: pa++) {
1369:
1370: switch (pa->type) {
1371: case ISAKMP_NPTYPE_ID:
1372: if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0)
1373: goto end;
1374: if (resolveph1rmconf(iph1) < 0)
1375: goto end;
1376: break;
1377: case ISAKMP_NPTYPE_HASH:
1378: iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr;
1379: break;
1380: case ISAKMP_NPTYPE_CR:
1381: if (oakley_savecr(iph1, pa->ptr) < 0)
1382: goto end;
1383: break;
1384: case ISAKMP_NPTYPE_CERT:
1385: if (oakley_savecert(iph1, pa->ptr) < 0)
1386: goto end;
1387: break;
1388: case ISAKMP_NPTYPE_SIG:
1389: if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0)
1390: goto end;
1391: break;
1392: #ifdef HAVE_GSSAPI
1393: case ISAKMP_NPTYPE_GSS:
1394: if (isakmp_p2ph(&gsstoken, pa->ptr) < 0)
1395: goto end;
1396: gssapi_save_received_token(iph1, gsstoken);
1397: break;
1398: #endif
1399: case ISAKMP_NPTYPE_VID:
1400: handle_vendorid(iph1, pa->ptr);
1401: break;
1402: case ISAKMP_NPTYPE_N:
1403: ident_recv_n(iph1, pa->ptr);
1404: break;
1405: default:
1406: /* don't send information, see ident_r1recv() */
1407: plog(LLV_ERROR, LOCATION, iph1->remote,
1408: "ignore the packet, "
1409: "received unexpecting payload type %d.\n",
1410: pa->type);
1411: goto end;
1412: }
1413: }
1414:
1415: /* payload existency check */
1416: /* XXX same as ident_i4recv(), should be merged. */
1417: {
1418: int ng = 0;
1419:
1420: switch (iph1->approval->authmethod) {
1421: case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
1422: #ifdef ENABLE_HYBRID
1423: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
1424: case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
1425: case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
1426: #endif
1427: if (iph1->id_p == NULL || iph1->pl_hash == NULL)
1428: ng++;
1429: break;
1430: case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
1431: case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
1432: #ifdef ENABLE_HYBRID
1433: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
1434: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
1435: #endif
1436: if (iph1->id_p == NULL || iph1->sig_p == NULL)
1437: ng++;
1438: break;
1439: case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
1440: case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
1441: #ifdef ENABLE_HYBRID
1442: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
1443: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
1444: #endif
1445: if (iph1->pl_hash == NULL)
1446: ng++;
1447: break;
1448: #ifdef HAVE_GSSAPI
1449: case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
1450: if (gsstoken == NULL && iph1->pl_hash == NULL)
1451: ng++;
1452: break;
1453: #endif
1454: default:
1455: plog(LLV_ERROR, LOCATION, iph1->remote,
1456: "invalid authmethod %d why ?\n",
1457: iph1->approval->authmethod);
1458: goto end;
1459: }
1460: if (ng) {
1461: plog(LLV_ERROR, LOCATION, iph1->remote,
1462: "few isakmp message received.\n");
1463: goto end;
1464: }
1465: }
1466:
1467: /* verify identifier */
1468: if (ipsecdoi_checkid1(iph1) != 0) {
1469: plog(LLV_ERROR, LOCATION, iph1->remote,
1470: "invalid ID payload.\n");
1471: goto end;
1472: }
1473:
1474: /* validate authentication value */
1475: #ifdef HAVE_GSSAPI
1476: if (gsstoken == NULL) {
1477: #endif
1478: type = oakley_validate_auth(iph1);
1479: if (type != 0) {
1480: if (type == -1) {
1481: /* msg printed inner oakley_validate_auth() */
1482: goto end;
1483: }
1484: evt_phase1(iph1, EVT_PHASE1_AUTH_FAILED, NULL);
1485: isakmp_info_send_n1(iph1, type, NULL);
1486: goto end;
1487: }
1488: #ifdef HAVE_GSSAPI
1489: }
1490: #endif
1491:
1492: if (oakley_checkcr(iph1) < 0) {
1493: /* Ignore this error in order to be interoperability. */
1494: ;
1495: }
1496:
1497: /*
1498: * XXX: Should we do compare two addresses, ph1handle's and ID
1499: * payload's.
1500: */
1501:
1502: plog(LLV_DEBUG, LOCATION, iph1->remote, "peer's ID\n");
1503: plogdump(LLV_DEBUG, iph1->id_p->v, iph1->id_p->l);
1504:
1505: /* see handler.h about IV synchronization. */
1506: memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->ive->l);
1507:
1508: #ifdef HAVE_GSSAPI
1509: iph1->status = gsstoken != NULL ? PHASE1ST_MSG2RECEIVED :
1510: PHASE1ST_MSG3RECEIVED;
1511: #else
1512: iph1->status = PHASE1ST_MSG3RECEIVED;
1513: #endif
1514:
1515: error = 0;
1516:
1517: end:
1518: if (pbuf)
1519: vfree(pbuf);
1520: if (msg)
1521: vfree(msg);
1522: #ifdef HAVE_GSSAPI
1523: if (gsstoken)
1524: vfree(gsstoken);
1525: #endif
1526:
1527: if (error) {
1528: VPTRINIT(iph1->id_p);
1529: VPTRINIT(iph1->cert_p);
1530: VPTRINIT(iph1->crl_p);
1531: VPTRINIT(iph1->sig_p);
1532: VPTRINIT(iph1->cr_p);
1533: }
1534:
1535: return error;
1536: }
1537:
1538: /*
1539: * send to initiator
1540: * psk: HDR*, IDr1, HASH_R
1541: * sig: HDR*, IDr1, [ CERT, ] SIG_R
1542: * gssapi: HDR*, IDr1, < GSSr(n) | HASH_R >
1543: * rsa: HDR*, HASH_R
1544: * rev: HDR*, HASH_R
1545: */
1546: int
1547: ident_r3send(iph1, msg)
1548: struct ph1handle *iph1;
1549: vchar_t *msg;
1550: {
1551: int error = -1;
1552: int dohash = 1;
1553: #ifdef HAVE_GSSAPI
1554: int len;
1555: #endif
1556:
1557: /* validity check */
1558: if (iph1->status != PHASE1ST_MSG3RECEIVED) {
1559: plog(LLV_ERROR, LOCATION, NULL,
1560: "status mismatched %d.\n", iph1->status);
1561: goto end;
1562: }
1563:
1564: /* make ID payload into isakmp status */
1565: if (ipsecdoi_setid1(iph1) < 0)
1566: goto end;
1567:
1568: #ifdef HAVE_GSSAPI
1569: if (iph1->approval->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB &&
1570: gssapi_more_tokens(iph1)) {
1571: gssapi_get_rtoken(iph1, &len);
1572: if (len != 0)
1573: dohash = 0;
1574: }
1575: #endif
1576:
1577: if (dohash) {
1578: /* generate HASH to send */
1579: plog(LLV_DEBUG, LOCATION, NULL, "generate HASH_R\n");
1580: iph1->hash = oakley_ph1hash_common(iph1, GENERATE);
1581: if (iph1->hash == NULL)
1582: goto end;
1583: } else
1584: iph1->hash = NULL;
1585:
1586: /* set encryption flag */
1587: iph1->flags |= ISAKMP_FLAG_E;
1588:
1589: /* create HDR;ID;HASH payload */
1590: iph1->sendbuf = ident_ir3mx(iph1);
1591: if (iph1->sendbuf == NULL)
1592: goto end;
1593:
1594: /* send HDR;ID;HASH to responder */
1595: if (isakmp_send(iph1, iph1->sendbuf) < 0)
1596: goto end;
1597:
1598: /* the sending message is added to the received-list. */
1599: if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) {
1600: plog(LLV_ERROR , LOCATION, NULL,
1601: "failed to add a response packet to the tree.\n");
1602: goto end;
1603: }
1604:
1605: /* see handler.h about IV synchronization. */
1606: memcpy(iph1->ivm->ive->v, iph1->ivm->iv->v, iph1->ivm->iv->l);
1607:
1608: iph1->status = PHASE1ST_ESTABLISHED;
1609:
1610: error = 0;
1611:
1612: end:
1613:
1614: return error;
1615: }
1616:
1617: /*
1618: * This is used in main mode for:
1619: * initiator's 3rd exchange send to responder
1620: * psk: HDR, KE, Ni
1621: * sig: HDR, KE, Ni
1622: * rsa: HDR, KE, [ HASH(1), ] <IDi1_b>PubKey_r, <Ni_b>PubKey_r
1623: * rev: HDR, [ HASH(1), ] <Ni_b>Pubkey_r, <KE_b>Ke_i,
1624: * <IDi1_b>Ke_i, [<<Cert-I_b>Ke_i]
1625: * responders 2nd exchnage send to initiator
1626: * psk: HDR, KE, Nr
1627: * sig: HDR, KE, Nr [, CR ]
1628: * rsa: HDR, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i
1629: * rev: HDR, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDr1_b>Ke_r,
1630: */
1631: static vchar_t *
1632: ident_ir2mx(iph1)
1633: struct ph1handle *iph1;
1634: {
1635: vchar_t *buf = 0;
1636: struct payload_list *plist = NULL;
1637: vchar_t *vid = NULL;
1638: int error = -1;
1639: #ifdef HAVE_GSSAPI
1640: vchar_t *gsstoken = NULL;
1641: #endif
1642: #ifdef ENABLE_NATT
1643: vchar_t *natd[2] = { NULL, NULL };
1644: #endif
1645:
1646: #ifdef HAVE_GSSAPI
1647: if (iph1->approval->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) {
1648: if (gssapi_get_token_to_send(iph1, &gsstoken) < 0) {
1649: plog(LLV_ERROR, LOCATION, NULL,
1650: "Failed to get gssapi token.\n");
1651: goto end;
1652: }
1653: }
1654: #endif
1655:
1656: /* create isakmp KE payload */
1657: plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE);
1658:
1659: /* create isakmp NONCE payload */
1660: plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE);
1661:
1662: #ifdef HAVE_GSSAPI
1663: if (iph1->approval->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB)
1664: plist = isakmp_plist_append(plist, gsstoken, ISAKMP_NPTYPE_GSS);
1665: #endif
1666:
1667: /* append vendor id, if needed */
1668: if (vid)
1669: plist = isakmp_plist_append(plist, vid, ISAKMP_NPTYPE_VID);
1670:
1671: /* create CR if need */
1672: if (iph1->side == RESPONDER &&
1673: oakley_needcr(iph1->approval->authmethod))
1674: plist = oakley_append_cr(plist, iph1);
1675:
1676: #ifdef ENABLE_NATT
1677: /* generate and append NAT-D payloads */
1678: if (NATT_AVAILABLE(iph1) && iph1->status == PHASE1ST_MSG2RECEIVED)
1679: {
1680: if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) {
1681: plog(LLV_ERROR, LOCATION, NULL,
1682: "NAT-D hashing failed for %s\n", saddr2str(iph1->remote));
1683: goto end;
1684: }
1685:
1686: if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) {
1687: plog(LLV_ERROR, LOCATION, NULL,
1688: "NAT-D hashing failed for %s\n", saddr2str(iph1->local));
1689: goto end;
1690: }
1691:
1692: plog (LLV_INFO, LOCATION, NULL, "Adding remote and local NAT-D payloads.\n");
1693: plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
1694: plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
1695: }
1696: #endif
1697:
1698: buf = isakmp_plist_set_all (&plist, iph1);
1699:
1700: error = 0;
1701:
1702: end:
1703: if (error && buf != NULL) {
1704: vfree(buf);
1705: buf = NULL;
1706: }
1707: #ifdef HAVE_GSSAPI
1708: if (gsstoken)
1709: vfree(gsstoken);
1710: #endif
1711: if (vid)
1712: vfree(vid);
1713:
1714: #ifdef ENABLE_NATT
1715: if (natd[0])
1716: vfree(natd[0]);
1717: if (natd[1])
1718: vfree(natd[1]);
1719: #endif
1720:
1721: return buf;
1722: }
1723:
1724: /*
1725: * This is used in main mode for:
1726: * initiator's 4th exchange send to responder
1727: * psk: HDR*, IDi1, HASH_I
1728: * sig: HDR*, IDi1, [ CR, ] [ CERT, ] SIG_I
1729: * gssapi: HDR*, [ IDi1, ] < GSSi(n) | HASH_I >
1730: * rsa: HDR*, HASH_I
1731: * rev: HDR*, HASH_I
1732: * responders 3rd exchnage send to initiator
1733: * psk: HDR*, IDr1, HASH_R
1734: * sig: HDR*, IDr1, [ CERT, ] SIG_R
1735: * gssapi: HDR*, [ IDr1, ] < GSSr(n) | HASH_R >
1736: * rsa: HDR*, HASH_R
1737: * rev: HDR*, HASH_R
1738: */
1739: static vchar_t *
1740: ident_ir3mx(iph1)
1741: struct ph1handle *iph1;
1742: {
1743: struct payload_list *plist = NULL;
1744: vchar_t *buf = NULL, *new = NULL;
1745: int need_cert = 0;
1746: int error = -1;
1747: #ifdef HAVE_GSSAPI
1748: int nptype;
1749: vchar_t *gsstoken = NULL;
1750: vchar_t *gsshash = NULL;
1751: #endif
1752:
1753: switch (iph1->approval->authmethod) {
1754: case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
1755: #ifdef ENABLE_HYBRID
1756: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I:
1757: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
1758: case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
1759: case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
1760: #endif
1761: /* create isakmp ID payload */
1762: plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
1763:
1764: /* create isakmp HASH payload */
1765: plist = isakmp_plist_append(plist, iph1->hash, ISAKMP_NPTYPE_HASH);
1766: break;
1767: case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
1768: case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
1769: #ifdef ENABLE_HYBRID
1770: case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
1771: case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
1772: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
1773: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
1774: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
1775: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
1776: #endif
1777: if (oakley_getmycert(iph1) < 0)
1778: goto end;
1779:
1780: if (oakley_getsign(iph1) < 0)
1781: goto end;
1782:
1783: if (iph1->cert != NULL && iph1->rmconf->send_cert)
1784: need_cert = 1;
1785:
1786: /* add ID payload */
1787: plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
1788:
1789: /* add CERT payload if there */
1790: if (need_cert)
1791: plist = isakmp_plist_append(plist, iph1->cert,
1792: ISAKMP_NPTYPE_CERT);
1793: /* add SIG payload */
1794: plist = isakmp_plist_append(plist, iph1->sig, ISAKMP_NPTYPE_SIG);
1795:
1796: /* create isakmp CR payload */
1797: if (iph1->side == INITIATOR &&
1798: oakley_needcr(iph1->approval->authmethod))
1799: plist = oakley_append_cr(plist, iph1);
1800: break;
1801: #ifdef HAVE_GSSAPI
1802: case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
1803: if (iph1->hash != NULL) {
1804: gsshash = gssapi_wraphash(iph1);
1805: if (gsshash == NULL)
1806: goto end;
1807: } else {
1808: if (gssapi_get_token_to_send(iph1, &gsstoken) < 0) {
1809: plog(LLV_ERROR, LOCATION, NULL,
1810: "Failed to get gssapi token.\n");
1811: goto end;
1812: }
1813: }
1814:
1815: if (!gssapi_id_sent(iph1)) {
1816: /* create isakmp ID payload */
1817: plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
1818: gssapi_set_id_sent(iph1);
1819: }
1820:
1821: if (iph1->hash != NULL)
1822: /* create isakmp HASH payload */
1823: plist = isakmp_plist_append(plist, gsshash, ISAKMP_NPTYPE_HASH);
1824: else
1825: plist = isakmp_plist_append(plist, gsstoken, ISAKMP_NPTYPE_GSS);
1826: break;
1827: #endif
1828: case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
1829: case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
1830: #ifdef ENABLE_HYBRID
1831: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
1832: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
1833: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
1834: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
1835: #endif
1836: plog(LLV_ERROR, LOCATION, NULL,
1837: "not supported authentication type %d\n",
1838: iph1->approval->authmethod);
1839: goto end;
1840: default:
1841: plog(LLV_ERROR, LOCATION, NULL,
1842: "invalid authentication type %d\n",
1843: iph1->approval->authmethod);
1844: goto end;
1845: }
1846:
1847: buf = isakmp_plist_set_all (&plist, iph1);
1848:
1849: #ifdef HAVE_PRINT_ISAKMP_C
1850: isakmp_printpacket(buf, iph1->local, iph1->remote, 1);
1851: #endif
1852:
1853: /* encoding */
1854: new = oakley_do_encrypt(iph1, buf, iph1->ivm->ive, iph1->ivm->iv);
1855: if (new == NULL)
1856: goto end;
1857:
1858: vfree(buf);
1859:
1860: buf = new;
1861:
1862: error = 0;
1863:
1864: end:
1865: #ifdef HAVE_GSSAPI
1866: if (gsstoken)
1867: vfree(gsstoken);
1868: #endif
1869: if (error && buf != NULL) {
1870: vfree(buf);
1871: buf = NULL;
1872: }
1873:
1874: return buf;
1875: }
1876:
1877: /*
1878: * handle a notification payload inside identity exchange.
1879: * called only when the packet has been verified to be encrypted.
1880: */
1881: static int
1882: ident_recv_n(iph1, gen)
1883: struct ph1handle *iph1;
1884: struct isakmp_gen *gen;
1885: {
1886: struct isakmp_pl_n *notify = (struct isakmp_pl_n *) gen;
1887: u_int type;
1888:
1889: type = ntohs(notify->type);
1890: switch (type) {
1891: case ISAKMP_NTYPE_INITIAL_CONTACT:
1892: iph1->initial_contact_received = TRUE;
1893: break;
1894: default:
1895: isakmp_log_notify(iph1, notify, "identity exchange");
1896: break;
1897: }
1898: return 0;
1899: }
1900: