Return to isakmp_newg.c CVS log

Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / ipsec-tools / src / racoon

ipsec-tools

    1: /*	$NetBSD: isakmp_newg.c,v 1.4 2006/09/09 16:22:09 manu Exp $	*/
    2: 
    3: /*	$KAME: isakmp_newg.c,v 1.10 2002/09/27 05:55:52 itojun Exp $	*/
    4: 
    5: /*
    6:  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
    7:  * All rights reserved.
    8:  * 
    9:  * Redistribution and use in source and binary forms, with or without
   10:  * modification, are permitted provided that the following conditions
   11:  * are met:
   12:  * 1. Redistributions of source code must retain the above copyright
   13:  *    notice, this list of conditions and the following disclaimer.
   14:  * 2. Redistributions in binary form must reproduce the above copyright
   15:  *    notice, this list of conditions and the following disclaimer in the
   16:  *    documentation and/or other materials provided with the distribution.
   17:  * 3. Neither the name of the project nor the names of its contributors
   18:  *    may be used to endorse or promote products derived from this software
   19:  *    without specific prior written permission.
   20:  * 
   21:  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
   22:  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
   23:  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
   24:  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
   25:  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
   26:  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
   27:  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
   28:  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
   29:  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
   30:  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   31:  * SUCH DAMAGE.
   32:  */
   33: 
   34: #include "config.h"
   35: 
   36: #include <sys/types.h>
   37: #include <sys/param.h>
   38: 
   39: #include <stdlib.h>
   40: #include <stdio.h>
   41: #include <string.h>
   42: #include <errno.h>
   43: 
   44: #include "var.h"
   45: #include "misc.h"
   46: #include "vmbuf.h"
   47: #include "plog.h"
   48: #include "sockmisc.h"
   49: #include "debug.h"
   50: 
   51: #include "schedule.h"
   52: #include "cfparse_proto.h"
   53: #include "isakmp_var.h"
   54: #include "isakmp.h"
   55: #include "isakmp_newg.h"
   56: #include "oakley.h"
   57: #include "ipsec_doi.h"
   58: #include "crypto_openssl.h"
   59: #include "handler.h"
   60: #include "pfkey.h"
   61: #include "admin.h"
   62: #include "str2val.h"
   63: #include "vendorid.h"
   64: 
   65: /*
   66:  * New group mode as responder
   67:  */
   68: int
   69: isakmp_newgroup_r(iph1, msg)
   70: 	struct ph1handle *iph1;
   71: 	vchar_t *msg;
   72: {
   73: #if 0
   74: 	struct isakmp *isakmp = (struct isakmp *)msg->v;
   75: 	struct isakmp_pl_hash *hash = NULL;
   76: 	struct isakmp_pl_sa *sa = NULL;
   77: 	int error = -1;
   78: 	vchar_t *buf;
   79: 	struct oakley_sa *osa;
   80: 	int len;
   81: 
   82: 	/* validate the type of next payload */
   83: 	/*
   84: 	 * ISAKMP_ETYPE_NEWGRP,
   85: 	 * ISAKMP_NPTYPE_HASH, (ISAKMP_NPTYPE_VID), ISAKMP_NPTYPE_SA,
   86: 	 * ISAKMP_NPTYPE_NONE
   87: 	 */
   88:     {
   89: 	vchar_t *pbuf = NULL;
   90: 	struct isakmp_parse_t *pa;
   91: 
   92: 	if ((pbuf = isakmp_parse(msg)) == NULL)
   93: 		goto end;
   94: 
   95: 	for (pa = (struct isakmp_parse_t *)pbuf->v;
   96: 	     pa->type != ISAKMP_NPTYPE_NONE;
   97: 	     pa++) {
   98: 
   99: 		switch (pa->type) {
  100: 		case ISAKMP_NPTYPE_HASH:
  101: 			if (hash) {
  102: 				isakmp_info_send_n1(iph1, ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE, NULL);
  103: 				plog(LLV_ERROR, LOCATION, iph1->remote,
  104: 					"received multiple payload type %d.\n",
  105: 					pa->type);
  106: 				vfree(pbuf);
  107: 				goto end;
  108: 			}
  109: 			hash = (struct isakmp_pl_hash *)pa->ptr;
  110: 			break;
  111: 		case ISAKMP_NPTYPE_SA:
  112: 			if (sa) {
  113: 				isakmp_info_send_n1(iph1, ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE, NULL);
  114: 				plog(LLV_ERROR, LOCATION, iph1->remote,
  115: 					"received multiple payload type %d.\n",
  116: 					pa->type);
  117: 				vfree(pbuf);
  118: 				goto end;
  119: 			}
  120: 			sa = (struct isakmp_pl_sa *)pa->ptr;
  121: 			break;
  122: 		case ISAKMP_NPTYPE_VID:
  123: 			(void)check_vendorid(pa->ptr);
  124: 			break;
  125: 		default:
  126: 			isakmp_info_send_n1(iph1, ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE, NULL);
  127: 			plog(LLV_ERROR, LOCATION, iph1->remote,
  128: 				"ignore the packet, "
  129: 				"received unexpecting payload type %d.\n",
  130: 				pa->type);
  131: 			vfree(pbuf);
  132: 			goto end;
  133: 		}
  134: 	}
  135: 	vfree(pbuf);
  136: 
  137: 	if (!hash || !sa) {
  138: 		isakmp_info_send_n1(iph1, ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE, NULL);
  139: 		plog(LLV_ERROR, LOCATION, iph1->remote,
  140: 			"no HASH, or no SA payload.\n");
  141: 		goto end;
  142: 	}
  143:     }
  144: 
  145: 	/* validate HASH */
  146:     {
  147: 	char *r_hash;
  148: 	vchar_t *my_hash = NULL;
  149: 	int result;
  150: 
  151: 	plog(LLV_DEBUG, LOCATION, NULL, "validate HASH\n");
  152: 
  153: 	len = sizeof(isakmp->msgid) + ntohs(sa->h.len);
  154: 	buf = vmalloc(len);
  155: 	if (buf == NULL) {
  156: 		plog(LLV_ERROR, LOCATION, NULL,
  157: 			"failed to get buffer to send.\n");
  158: 		goto end;
  159: 	}
  160: 	memcpy(buf->v, &isakmp->msgid, sizeof(isakmp->msgid));
  161: 	memcpy(buf->v + sizeof(isakmp->msgid), sa, ntohs(sa->h.len));
  162: 
  163: 	plog(LLV_DEBUG, LOCATION, NULL, "hash source\n");
  164: 	plogdump(LLV_DEBUG, buf->v, buf->l);
  165: 
  166: 	my_hash = isakmp_prf(iph1->skeyid_a, buf, iph1);
  167: 	vfree(buf);
  168: 	if (my_hash == NULL)
  169: 		goto end;
  170: 
  171: 	plog(LLV_DEBUG, LOCATION, NULL, "hash result\n");
  172: 	plogdump(LLV_DEBUG, my_hash->v, my_hash->l);
  173: 
  174: 	r_hash = (char *)hash + sizeof(*hash);
  175: 
  176: 	plog(LLV_DEBUG, LOCATION, NULL, "original hash\n"));
  177: 	plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash)));
  178: 
  179: 	result = memcmp(my_hash->v, r_hash, my_hash->l);
  180: 	vfree(my_hash);
  181: 
  182: 	if (result) {
  183: 		plog(LLV_ERROR, LOCATION, iph1->remote,
  184: 			"HASH mismatch.\n");
  185: 		isakmp_info_send_n1(iph1, ISAKMP_NTYPE_INVALID_HASH_INFORMATION, NULL);
  186: 		goto end;
  187: 	}
  188:     }
  189: 
  190: 	/* check SA payload and get new one for use */
  191: 	buf = ipsecdoi_get_proposal((struct ipsecdoi_sa *)sa,
  192: 					OAKLEY_NEWGROUP_MODE);
  193: 	if (buf == NULL) {
  194: 		isakmp_info_send_n1(iph1, ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED, NULL);
  195: 		goto end;
  196: 	}
  197: 
  198: 	/* save sa parameters */
  199: 	osa = ipsecdoi_get_oakley(buf);
  200: 	if (osa == NULL) {
  201: 		isakmp_info_send_n1(iph1, ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED, NULL);
  202: 		goto end;
  203: 	}
  204: 	vfree(buf);
  205: 
  206: 	switch (osa->dhgrp) {
  207: 	case OAKLEY_ATTR_GRP_DESC_MODP768:
  208: 	case OAKLEY_ATTR_GRP_DESC_MODP1024:
  209: 	case OAKLEY_ATTR_GRP_DESC_MODP1536:
  210: 		/*XXX*/
  211: 	default:
  212: 		isakmp_info_send_n1(iph1, ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED, NULL);
  213: 		plog(LLV_ERROR, LOCATION, NULL,
  214: 			"dh group %d isn't supported.\n", osa->dhgrp);
  215: 		goto end;
  216: 	}
  217: 
  218: 	plog(LLV_INFO, LOCATION, iph1->remote,
  219: 		"got new dh group %s.\n", isakmp_pindex(&iph1->index, 0));
  220: 
  221: 	error = 0;
  222: 
  223: end:
  224: 	if (error) {
  225: 		if (iph1 != NULL)
  226: 			(void)isakmp_free_ph1(iph1);
  227: 	}
  228: 	return error;
  229: #endif
  230: 	return 0;
  231: }
  232: