/*	$NetBSD: isakmp_ident.c,v 1.6 2006/10/02 21:41:59 manu Exp $	*/

/* Id: isakmp_ident.c,v 1.21 2006/04/06 16:46:08 manubsd Exp */

/*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the project nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
320a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang */ 330a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 340a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang/* Identity Protecion Exchange (Main Mode) */ 350a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 360a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#include "config.h" 370a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 380a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#include <sys/types.h> 390a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#include <sys/param.h> 400a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 410a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#include <stdlib.h> 420a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#include <stdio.h> 430a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#include <string.h> 440a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#include <errno.h> 450a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#if TIME_WITH_SYS_TIME 460a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang# include <sys/time.h> 470a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang# include <time.h> 480a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#else 490a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang# if HAVE_SYS_TIME_H 500a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang# include <sys/time.h> 510a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang# else 520a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang# include <time.h> 530a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang# endif 540a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#endif 550a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 560a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#include "var.h" 570a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#include "misc.h" 580a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#include "vmbuf.h" 590a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#include "plog.h" 
600a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#include "sockmisc.h" 610a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#include "schedule.h" 620a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#include "debug.h" 630a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 640a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#include "localconf.h" 650a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#include "remoteconf.h" 660a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#include "isakmp_var.h" 670a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#include "isakmp.h" 680a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#include "evt.h" 690a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#include "oakley.h" 700a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#include "handler.h" 710a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#include "ipsec_doi.h" 720a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#include "crypto_openssl.h" 730a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#include "pfkey.h" 740a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#include "isakmp_ident.h" 750a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#include "isakmp_inf.h" 760a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#include "vendorid.h" 770a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 780a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#ifdef ENABLE_NATT 790a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#include "nattraversal.h" 800a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#endif 810a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#ifdef HAVE_GSSAPI 820a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#include "gssapi.h" 830a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#endif 840a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#ifdef ENABLE_HYBRID 850a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#include <resolv.h> 
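#include "isakmp_xauth.h"
#include "isakmp_cfg.h"
#endif
#ifdef ENABLE_FRAG
#include "isakmp_frag.h"
#endif

static vchar_t *ident_ir2mx __P((struct ph1handle *));
static vchar_t *ident_ir3mx __P((struct ph1handle *));

/* %%%
 * begin Identity Protection Mode as initiator.
 */
/*
 * send to responder
 * 	psk: HDR, SA
 * 	sig: HDR, SA
 * 	rsa: HDR, SA
 * 	rev: HDR, SA
 *
 * Builds and transmits the first Main Mode message: a fresh ISAKMP index
 * from isakmp_newcookie(), the SA proposal built from the remote
 * configuration, and whichever vendor ID payloads the build and the
 * remote configuration enable (NAT-T, Xauth/Unity, IKE fragmentation,
 * DPD).  A vendor ID that cannot be generated is logged and skipped;
 * it does not abort the exchange.
 *
 * iph1: phase 1 handle, must be in PHASE1ST_START.  On success iph1->index,
 *       iph1->sa and iph1->sendbuf are filled in, the retry counter is
 *       armed from rmconf and the status becomes PHASE1ST_MSG1SENT.
 * msg:  must be NULL; nothing has been received yet.
 * Returns 0 on success, -1 on failure (the cause is logged via plog()).
 * The temporary VID buffers are released here; iph1->sa stays owned by iph1.
 */
int
ident_i1send(iph1, msg)
	struct ph1handle *iph1;
	vchar_t *msg; /* must be null */
{
	struct payload_list *plist = NULL;
	int error = -1;
#ifdef ENABLE_NATT
	vchar_t *vid_natt[MAX_NATT_VID_COUNT] = { NULL };
	int i;
#endif
#ifdef ENABLE_HYBRID
	vchar_t *vid_xauth = NULL;
	vchar_t *vid_unity = NULL;
#endif
#ifdef ENABLE_FRAG
	vchar_t *vid_frag = NULL;
#endif
#ifdef ENABLE_DPD
	vchar_t *vid_dpd = NULL;
#endif

	/* validity check */
	if (msg != NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"msg has to be NULL in this function.\n");
		goto end;
	}
	if (iph1->status != PHASE1ST_START) {
		plog(LLV_ERROR, LOCATION, NULL,
			"status mismatched %d.\n", iph1->status);
		goto end;
	}

	/*
	 * create isakmp index.  The whole index is zeroed first, so the
	 * responder cookie stays zero until ident_i2send() copies it from
	 * the responder's reply.
	 */
	memset(&iph1->index, 0, sizeof(iph1->index));
	isakmp_newcookie((caddr_t)&iph1->index, iph1->remote, iph1->local);

	/* create SA payload for my proposal */
	iph1->sa = ipsecdoi_setph1proposal(iph1->rmconf->proposal);
	if (iph1->sa == NULL)
		goto end;

	/* set SA payload to propose */
	plist = isakmp_plist_append(plist, iph1->sa, ISAKMP_NPTYPE_SA);

#ifdef ENABLE_NATT
	/* set VID payload for NAT-T if NAT-T support allowed in the config file */
	if (iph1->rmconf->nat_traversal)
		plist = isakmp_plist_append_natt_vids(plist, vid_natt);
#endif
#ifdef ENABLE_HYBRID
	/* Do we need Xauth VID?  Only for the initiator-side Xauth/hybrid
	 * authentication methods; everything else sends none. */
	switch (RMAUTHMETHOD(iph1)) {
	case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
		if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL)
			plog(LLV_ERROR, LOCATION, NULL,
			     "Xauth vendor ID generation failed\n");
		else
			plist = isakmp_plist_append(plist,
			    vid_xauth, ISAKMP_NPTYPE_VID);

		if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL)
			plog(LLV_ERROR, LOCATION, NULL,
			     "Unity vendor ID generation failed\n");
		else
			plist = isakmp_plist_append(plist,
			    vid_unity, ISAKMP_NPTYPE_VID);
		break;
	default:
		break;
	}
#endif
#ifdef ENABLE_FRAG
	if (iph1->rmconf->ike_frag) {
		if ((vid_frag = set_vendorid(VENDORID_FRAG)) == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "Frag vendorID construction failed\n");
		} else {
			/*
			 * isakmp_frag_addcap() hands back the (possibly
			 * reallocated) buffer; never queue a NULL one.
			 */
			vid_frag = isakmp_frag_addcap(vid_frag,
			    VENDORID_FRAG_IDENT);
			if (vid_frag == NULL)
				plog(LLV_ERROR, LOCATION, NULL,
				    "Frag vendorID construction failed\n");
			else
				plist = isakmp_plist_append(plist,
				    vid_frag, ISAKMP_NPTYPE_VID);
		}
	}
#endif
#ifdef ENABLE_DPD
	if (iph1->rmconf->dpd) {
		vid_dpd = set_vendorid(VENDORID_DPD);
		if (vid_dpd != NULL)
			plist = isakmp_plist_append(plist, vid_dpd,
			    ISAKMP_NPTYPE_VID);
	}
#endif

	/* serialise the payload list; a NULL result means nothing to send */
	iph1->sendbuf = isakmp_plist_set_all(&plist, iph1);
	if (iph1->sendbuf == NULL)
		goto end;

#ifdef HAVE_PRINT_ISAKMP_C
	isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
#endif

	/* send the packet, add to the schedule to resend */
	iph1->retry_counter = iph1->rmconf->retry_counter;
	if (isakmp_ph1resend(iph1) == -1)
		goto end;

	iph1->status = PHASE1ST_MSG1SENT;

	error = 0;

end:
	/* the VIDs were copied into sendbuf; the originals are ours to free */
#ifdef ENABLE_FRAG
	if (vid_frag)
		vfree(vid_frag);
#endif
#ifdef ENABLE_NATT
	for (i = 0; i < MAX_NATT_VID_COUNT && vid_natt[i] != NULL; i++)
		vfree(vid_natt[i]);
#endif
#ifdef ENABLE_HYBRID
	if (vid_xauth != NULL)
		vfree(vid_xauth);
	if (vid_unity != NULL)
		vfree(vid_unity);
#endif
#ifdef ENABLE_DPD
	if (vid_dpd != NULL)
		vfree(vid_dpd);
#endif

	return error;
}

/*
 * receive from responder
 * 	psk: HDR, SA
 * 	sig: HDR, SA
 * 	rsa: HDR, SA
 * 	rev: HDR, SA
 *
 * Parses the responder's first message.  The SA payload must come first;
 * any VID payloads after it are passed to handle_vendorid(), and any other
 * payload type (a second SA, a Notify, ...) makes the whole message be
 * ignored without sending an informational exchange back.  The offered
 * SA is then matched against our proposal with ipsecdoi_checkph1proposal().
 *
 * iph1: phase 1 handle, must be in PHASE1ST_MSG1SENT.  On success the
 *       approved SA is recorded by ipsecdoi_checkph1proposal() and the
 *       status becomes PHASE1ST_MSG2RECEIVED.
 * msg:  the raw message as received; the caller keeps ownership.
 * Returns 0 on success, -1 on failure.  The parse buffer and the SA copy
 * are freed on every path.
 */
int
ident_i2recv(iph1, msg)
	struct ph1handle *iph1;
	vchar_t *msg;
{
	vchar_t *pbuf = NULL;
	struct isakmp_parse_t *pa;
	vchar_t *satmp = NULL;
	int error = -1;

	/* validity check */
	if (iph1->status != PHASE1ST_MSG1SENT) {
		plog(LLV_ERROR, LOCATION, NULL,
			"status mismatched %d.\n", iph1->status);
		goto end;
	}

	/* validate the type of next payload */
	/*
	 * NOTE: RedCreek(as responder) attaches N[responder-lifetime] here,
	 *	if proposal-lifetime > lifetime-redcreek-wants.
	 *	(see doi-08 4.5.4)
	 *	=> According to section 4.6.3 in RFC 2407, this is illegal.
	 * NOTE: we do not really care about ordering of VID and N.
	 *	does it matter?
	 * NOTE: even if there's multiple VID/N, we'll ignore them.
	 */
	pbuf = isakmp_parse(msg);
	if (pbuf == NULL)
		goto end;
	pa = (struct isakmp_parse_t *)pbuf->v;

	/* SA payload is fixed position */
	if (pa->type != ISAKMP_NPTYPE_SA) {
		plog(LLV_ERROR, LOCATION, iph1->remote,
			"received invalid next payload type %d, "
			"expecting %d.\n",
			pa->type, ISAKMP_NPTYPE_SA);
		goto end;
	}
	/* take a private copy of the SA; pbuf only points into msg */
	if (isakmp_p2ph(&satmp, pa->ptr) < 0)
		goto end;
	pa++;

	for (/*nothing*/;
	     pa->type != ISAKMP_NPTYPE_NONE;
	     pa++) {

		switch (pa->type) {
		case ISAKMP_NPTYPE_VID:
			handle_vendorid(iph1, pa->ptr);
			break;
		default:
			/* don't send information, see ident_r1recv() */
			plog(LLV_ERROR, LOCATION, iph1->remote,
				"ignore the packet, "
				"received unexpecting payload type %d.\n",
				pa->type);
			goto end;
		}
	}

#ifdef ENABLE_NATT
	if (NATT_AVAILABLE(iph1))
		plog(LLV_INFO, LOCATION, iph1->remote,
		     "Selected NAT-T version: %s\n",
		     vid_string_by_id(iph1->natt_options->version));
#endif

	/* check SA payload and set approval SA for use */
	if (ipsecdoi_checkph1proposal(satmp, iph1) < 0) {
		plog(LLV_ERROR, LOCATION, iph1->remote,
			"failed to get valid proposal.\n");
		/* XXX send information */
		goto end;
	}
	VPTRINIT(iph1->sa_ret);

	iph1->status = PHASE1ST_MSG2RECEIVED;

	error = 0;

end:
	if (pbuf)
		vfree(pbuf);
	if (satmp)
		vfree(satmp);
	return error;
}

/*
 * send to responder
 * 	psk: HDR, KE, Ni
 * 	sig: HDR, KE, Ni
 * 	gssapi: HDR, KE, Ni, GSSi
 * 	rsa: HDR, KE, [ HASH(1), ] <IDi1_b>PubKey_r, <Ni_b>PubKey_r
 * 	rev: HDR, [ HASH(1), ] <Ni_b>Pubkey_r, <KE_b>Ke_i,
 * 	          <IDi1_b>Ke_i, [<<Cert-I_b>Ke_i]
 *
 * Sends the second initiator message.  The responder cookie is copied out
 * of msg into iph1->index, a DH key pair for the approved group and a
 * nonce of rmconf->nonce_size bytes are generated, and the payloads are
 * assembled by ident_ir2mx().
 *
 * iph1: phase 1 handle, must be in PHASE1ST_MSG2RECEIVED.  On success
 *       iph1->dhpub, iph1->dhpriv, iph1->nonce and iph1->sendbuf are set
 *       and the status becomes PHASE1ST_MSG2SENT.
 * msg:  the message accepted by ident_i2recv().  It is dereferenced
 *       unconditionally for its responder cookie, so it must not be NULL.
 * Returns 0 on success, -1 on failure.
 */
int
ident_i2send(iph1, msg)
	struct ph1handle *iph1;
	vchar_t *msg;
{
	int error = -1;

	/* validity check */
	if (iph1->status != PHASE1ST_MSG2RECEIVED) {
		plog(LLV_ERROR, LOCATION, NULL,
			"status mismatched %d.\n", iph1->status);
		goto end;
	}

	/*
	 * fix isakmp index: until now r_ck was the zero value left by
	 * ident_i1send(); from here on every message carries both cookies.
	 */
	memcpy(&iph1->index.r_ck, &((struct isakmp *)msg->v)->r_ck,
	    sizeof(cookie_t));

	/* generate DH public value */
	if (oakley_dh_generate(iph1->approval->dhgrp,
				&iph1->dhpub, &iph1->dhpriv) < 0)
		goto end;

	/* generate NONCE value */
	iph1->nonce = eay_set_random(iph1->rmconf->nonce_size);
	if (iph1->nonce == NULL)
		goto end;

#ifdef HAVE_GSSAPI
	if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB &&
	    gssapi_get_itoken(iph1, NULL) < 0)
		goto end;
#endif

	/* create buffer to send isakmp payload */
	iph1->sendbuf = ident_ir2mx(iph1);
	if (iph1->sendbuf == NULL)
		goto end;

#ifdef HAVE_PRINT_ISAKMP_C
	isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
#endif

	/* send the packet, add to the schedule to resend */
	iph1->retry_counter = iph1->rmconf->retry_counter;
	if (isakmp_ph1resend(iph1) == -1)
		goto end;

	/*
	 * the sending message is added to the received-list.
	 * NOTE(review): presumably so a retransmission of msg can be
	 * answered by replaying sendbuf -- confirm in add_recvdpkt().
	 */
	if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) {
		plog(LLV_ERROR , LOCATION, NULL,
			"failed to add a response packet to the tree.\n");
		goto end;
	}

	iph1->status = PHASE1ST_MSG2SENT;

	error = 0;

end:
	return error;
}

/*
 * receive from responder
 * 	psk: HDR, KE, Nr
 * 	sig: HDR, KE, Nr [, CR ]
 * 	gssapi: HDR, KE, Nr, GSSr
 * 	rsa: HDR, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i
 * 	rev: HDR, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDr1_b>Ke_r,
 */
int
ident_i3recv(iph1, msg)
	struct ph1handle *iph1;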
Wang vchar_t *msg; 4260a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang{ 4270a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang vchar_t *pbuf = NULL; 4280a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang struct isakmp_parse_t *pa; 4290a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang int error = -1; 4300a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#ifdef HAVE_GSSAPI 4310a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang vchar_t *gsstoken = NULL; 4320a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#endif 4330a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#ifdef ENABLE_NATT 4340a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang vchar_t *natd_received; 4350a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang int natd_seq = 0, natd_verified; 4360a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#endif 4370a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 4380a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang /* validity check */ 4390a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (iph1->status != PHASE1ST_MSG2SENT) { 4400a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang plog(LLV_ERROR, LOCATION, NULL, 4410a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang "status mismatched %d.\n", iph1->status); 4420a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang goto end; 4430a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang } 4440a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 4450a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang /* validate the type of next payload */ 4460a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang pbuf = isakmp_parse(msg); 4470a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (pbuf == NULL) 4480a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang goto end; 4490a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 4500a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang for (pa = (struct isakmp_parse_t *)pbuf->v; 
4510a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang pa->type != ISAKMP_NPTYPE_NONE; 4520a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang pa++) { 4530a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 4540a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang switch (pa->type) { 4550a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang case ISAKMP_NPTYPE_KE: 4560a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) 4570a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang goto end; 4580a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang break; 4590a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang case ISAKMP_NPTYPE_NONCE: 4600a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) 4610a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang goto end; 4620a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang break; 4630a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang case ISAKMP_NPTYPE_VID: 464adfbc90a9f63d1e0c87b4b17689c07cd3c781a0eChia-chi Yeh handle_vendorid(iph1, pa->ptr); 4650a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang break; 4660a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang case ISAKMP_NPTYPE_CR: 4670a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (oakley_savecr(iph1, pa->ptr) < 0) 4680a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang goto end; 4690a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang break; 4700a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#ifdef HAVE_GSSAPI 4710a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang case ISAKMP_NPTYPE_GSS: 4720a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (isakmp_p2ph(&gsstoken, pa->ptr) < 0) 4730a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang goto end; 4740a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang gssapi_save_received_token(iph1, gsstoken); 4750a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang break; 
4760a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#endif 4770a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 4780a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#ifdef ENABLE_NATT 4790a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang case ISAKMP_NPTYPE_NATD_DRAFT: 4800a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang case ISAKMP_NPTYPE_NATD_RFC: 4810a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL && 4820a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang pa->type == iph1->natt_options->payload_nat_d) { 4830a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang natd_received = NULL; 4840a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (isakmp_p2ph (&natd_received, pa->ptr) < 0) 4850a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang goto end; 486c91307af2622f6625525f3c1f9c954376df950adChia-chi Yeh 4870a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang /* set both bits first so that we can clear them 4880a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang upon verifying hashes */ 4890a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (natd_seq == 0) 4900a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang iph1->natt_flags |= NAT_DETECTED; 491c91307af2622f6625525f3c1f9c954376df950adChia-chi Yeh 492c91307af2622f6625525f3c1f9c954376df950adChia-chi Yeh /* this function will clear appropriate bits bits 4930a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang from iph1->natt_flags */ 4940a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang natd_verified = natt_compare_addr_hash (iph1, 4950a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang natd_received, natd_seq++); 496c91307af2622f6625525f3c1f9c954376df950adChia-chi Yeh 4970a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n", 4980a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang natd_seq - 1, 4990a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih 
Wang natd_verified ? "verified" : "doesn't match"); 500c91307af2622f6625525f3c1f9c954376df950adChia-chi Yeh 5010a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang vfree (natd_received); 5020a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang break; 5030a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang } 5040a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang /* passthrough to default... */ 5050a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#endif 5060a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 5070a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang default: 5080a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang /* don't send information, see ident_r1recv() */ 5090a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang plog(LLV_ERROR, LOCATION, iph1->remote, 5100a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang "ignore the packet, " 5110a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang "received unexpecting payload type %d.\n", 5120a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang pa->type); 5130a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang goto end; 5140a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang } 5150a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang } 5160a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 5170a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#ifdef ENABLE_NATT 5180a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (NATT_AVAILABLE(iph1)) { 5190a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n", 520c91307af2622f6625525f3c1f9c954376df950adChia-chi Yeh iph1->natt_flags & NAT_DETECTED ? 5210a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang "detected:" : "not detected", 5220a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "", 5230a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang iph1->natt_flags & NAT_DETECTED_PEER ? 
"PEER" : ""); 5240a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (iph1->natt_flags & NAT_DETECTED) 5250a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang natt_float_ports (iph1); 5260a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang } 5270a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#endif 5280a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 5290a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang /* payload existency check */ 5300a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) { 5310a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang plog(LLV_ERROR, LOCATION, iph1->remote, 5320a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang "few isakmp message received.\n"); 5330a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang goto end; 5340a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang } 5350a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 5360a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (oakley_checkcr(iph1) < 0) { 5370a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang /* Ignore this error in order to be interoperability. 
*/ 5380a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang ; 5390a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang } 5400a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 5410a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang iph1->status = PHASE1ST_MSG3RECEIVED; 5420a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 5430a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang error = 0; 5440a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 5450a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wangend: 5460a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#ifdef HAVE_GSSAPI 5470a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (gsstoken) 5480a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang vfree(gsstoken); 5490a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#endif 5500a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (pbuf) 5510a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang vfree(pbuf); 5520a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (error) { 5530a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang VPTRINIT(iph1->dhpub_p); 5540a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang VPTRINIT(iph1->nonce_p); 5550a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang VPTRINIT(iph1->id_p); 556c91307af2622f6625525f3c1f9c954376df950adChia-chi Yeh oakley_delcert(iph1->cr_p); 557c91307af2622f6625525f3c1f9c954376df950adChia-chi Yeh iph1->cr_p = NULL; 5580a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang } 5590a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 5600a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang return error; 5610a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang} 5620a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 5630a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang/* 5640a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * send to responder 5650a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * psk: HDR*, IDi1, HASH_I 
5660a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * sig: HDR*, IDi1, [ CR, ] [ CERT, ] SIG_I 5670a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * gssapi: HDR*, IDi1, < Gssi(n) | HASH_I > 5680a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * rsa: HDR*, HASH_I 5690a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * rev: HDR*, HASH_I 5700a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang */ 5710a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wangint 5720a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wangident_i3send(iph1, msg0) 5730a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang struct ph1handle *iph1; 5740a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang vchar_t *msg0; 5750a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang{ 5760a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang int error = -1; 5770a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang int dohash = 1; 5780a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#ifdef HAVE_GSSAPI 5790a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang int len; 5800a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#endif 5810a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 5820a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang /* validity check */ 5830a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (iph1->status != PHASE1ST_MSG3RECEIVED) { 5840a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang plog(LLV_ERROR, LOCATION, NULL, 5850a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang "status mismatched %d.\n", iph1->status); 5860a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang goto end; 5870a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang } 5880a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 5890a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang /* compute sharing secret of DH */ 5900a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub, 
5910a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) 5920a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang goto end; 5930a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 5940a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang /* generate SKEYIDs & IV & final cipher key */ 5950a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (oakley_skeyid(iph1) < 0) 5960a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang goto end; 5970a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (oakley_skeyid_dae(iph1) < 0) 5980a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang goto end; 5990a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (oakley_compute_enckey(iph1) < 0) 6000a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang goto end; 6010a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (oakley_newiv(iph1) < 0) 6020a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang goto end; 6030a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 6040a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang /* make ID payload into isakmp status */ 6050a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (ipsecdoi_setid1(iph1) < 0) 6060a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang goto end; 6070a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 6080a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#ifdef HAVE_GSSAPI 609c91307af2622f6625525f3c1f9c954376df950adChia-chi Yeh if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB && 6100a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang gssapi_more_tokens(iph1)) { 6110a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang plog(LLV_DEBUG, LOCATION, NULL, "calling get_itoken\n"); 6120a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (gssapi_get_itoken(iph1, &len) < 0) 6130a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang goto end; 6140a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (len != 0) 
6150a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang dohash = 0; 6160a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang } 6170a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#endif 6180a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 6190a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang /* generate HASH to send */ 6200a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (dohash) { 6210a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang iph1->hash = oakley_ph1hash_common(iph1, GENERATE); 6220a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (iph1->hash == NULL) 6230a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang goto end; 6240a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang } else 6250a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang iph1->hash = NULL; 6260a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 6270a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang /* set encryption flag */ 6280a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang iph1->flags |= ISAKMP_FLAG_E; 6290a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 6300a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang /* create HDR;ID;HASH payload */ 6310a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang iph1->sendbuf = ident_ir3mx(iph1); 6320a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (iph1->sendbuf == NULL) 6330a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang goto end; 6340a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 6350a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang /* send the packet, add to the schedule to resend */ 636c91307af2622f6625525f3c1f9c954376df950adChia-chi Yeh iph1->retry_counter = iph1->rmconf->retry_counter; 637c91307af2622f6625525f3c1f9c954376df950adChia-chi Yeh if (isakmp_ph1resend(iph1) == -1) 6380a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang goto end; 6390a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 6400a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang /* the 
sending message is added to the received-list. */ 6410a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg0) == -1) { 6420a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang plog(LLV_ERROR , LOCATION, NULL, 6430a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang "failed to add a response packet to the tree.\n"); 6440a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang goto end; 6450a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang } 6460a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 6470a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang /* see handler.h about IV synchronization. */ 6480a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang memcpy(iph1->ivm->ive->v, iph1->ivm->iv->v, iph1->ivm->iv->l); 6490a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 6500a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang iph1->status = PHASE1ST_MSG3SENT; 6510a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 6520a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang error = 0; 6530a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 6540a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wangend: 6550a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang return error; 6560a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang} 6570a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 6580a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang/* 6590a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * receive from responder 6600a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * psk: HDR*, IDr1, HASH_R 6610a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * sig: HDR*, IDr1, [ CERT, ] SIG_R 6620a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * gssapi: HDR*, IDr1, < GSSr(n) | HASH_R > 6630a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * rsa: HDR*, HASH_R 6640a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * rev: HDR*, HASH_R 
6650a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang */ 6660a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wangint 6670a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wangident_i4recv(iph1, msg0) 6680a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang struct ph1handle *iph1; 6690a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang vchar_t *msg0; 6700a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang{ 6710a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang vchar_t *pbuf = NULL; 6720a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang struct isakmp_parse_t *pa; 6730a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang vchar_t *msg = NULL; 6740a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang int error = -1; 6750a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang int type; 6760a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#ifdef HAVE_GSSAPI 6770a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang vchar_t *gsstoken = NULL; 6780a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#endif 6790a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 6800a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang /* validity check */ 6810a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (iph1->status != PHASE1ST_MSG3SENT) { 6820a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang plog(LLV_ERROR, LOCATION, NULL, 6830a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang "status mismatched %d.\n", iph1->status); 6840a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang goto end; 6850a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang } 6860a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 6870a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang /* decrypting */ 6880a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) { 6890a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang plog(LLV_ERROR, LOCATION, iph1->remote, 6900a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 
"ignore the packet, " 6910a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang "expecting the packet encrypted.\n"); 6920a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang goto end; 6930a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang } 6940a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang msg = oakley_do_decrypt(iph1, msg0, iph1->ivm->iv, iph1->ivm->ive); 6950a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (msg == NULL) 6960a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang goto end; 6970a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 6980a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang /* validate the type of next payload */ 6990a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang pbuf = isakmp_parse(msg); 7000a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (pbuf == NULL) 7010a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang goto end; 7020a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 7030a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang iph1->pl_hash = NULL; 7040a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 7050a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang for (pa = (struct isakmp_parse_t *)pbuf->v; 7060a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang pa->type != ISAKMP_NPTYPE_NONE; 7070a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang pa++) { 7080a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 7090a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang switch (pa->type) { 7100a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang case ISAKMP_NPTYPE_ID: 7110a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) 7120a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang goto end; 7130a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang break; 7140a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang case ISAKMP_NPTYPE_HASH: 7150a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr; 
7160a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang break; 7170a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang case ISAKMP_NPTYPE_CERT: 7180a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (oakley_savecert(iph1, pa->ptr) < 0) 7190a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang goto end; 7200a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang break; 7210a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang case ISAKMP_NPTYPE_SIG: 7220a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) 7230a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang goto end; 7240a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang break; 7250a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#ifdef HAVE_GSSAPI 7260a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang case ISAKMP_NPTYPE_GSS: 7270a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (isakmp_p2ph(&gsstoken, pa->ptr) < 0) 7280a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang goto end; 7290a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang gssapi_save_received_token(iph1, gsstoken); 7300a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang break; 7310a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#endif 7320a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang case ISAKMP_NPTYPE_VID: 733adfbc90a9f63d1e0c87b4b17689c07cd3c781a0eChia-chi Yeh handle_vendorid(iph1, pa->ptr); 7340a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang break; 7350a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang case ISAKMP_NPTYPE_N: 736c91307af2622f6625525f3c1f9c954376df950adChia-chi Yeh isakmp_check_notify(pa->ptr, iph1); 7370a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang break; 7380a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang default: 7390a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang /* don't send information, see ident_r1recv() */ 7400a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang plog(LLV_ERROR, LOCATION, iph1->remote, 
7410a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang "ignore the packet, " 7420a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang "received unexpecting payload type %d.\n", 7430a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang pa->type); 7440a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang goto end; 7450a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang } 7460a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang } 7470a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 7480a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang /* payload existency check */ 7490a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 7500a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang /* verify identifier */ 7510a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (ipsecdoi_checkid1(iph1) != 0) { 7520a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang plog(LLV_ERROR, LOCATION, iph1->remote, 7530a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang "invalid ID payload.\n"); 7540a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang goto end; 7550a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang } 7560a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 7570a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang /* validate authentication value */ 7580a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#ifdef HAVE_GSSAPI 7590a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (gsstoken == NULL) { 7600a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#endif 7610a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang type = oakley_validate_auth(iph1); 7620a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (type != 0) { 7630a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (type == -1) { 7640a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang /* msg printed inner oakley_validate_auth() */ 7650a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang goto end; 7660a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang } 
767c91307af2622f6625525f3c1f9c954376df950adChia-chi Yeh EVT_PUSH(iph1->local, iph1->remote, 768c91307af2622f6625525f3c1f9c954376df950adChia-chi Yeh EVTT_PEERPH1AUTH_FAILED, NULL); 7690a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang isakmp_info_send_n1(iph1, type, NULL); 7700a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang goto end; 7710a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang } 7720a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#ifdef HAVE_GSSAPI 7730a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang } 7740a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#endif 7750a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 7760a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang /* 7770a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * XXX: Should we do compare two addresses, ph1handle's and ID 7780a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * payload's. 7790a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang */ 7800a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 7810a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang plog(LLV_DEBUG, LOCATION, iph1->remote, "peer's ID:"); 7820a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang plogdump(LLV_DEBUG, iph1->id_p->v, iph1->id_p->l); 7830a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 7840a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang /* see handler.h about IV synchronization. */ 7850a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->ive->l); 7860a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 7870a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang /* 7880a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * If we got a GSS token, we need to this roundtrip again. 7890a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang */ 7900a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#ifdef HAVE_GSSAPI 791c91307af2622f6625525f3c1f9c954376df950adChia-chi Yeh iph1->status = gsstoken != 0 ? 
PHASE1ST_MSG3RECEIVED : 7920a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang PHASE1ST_MSG4RECEIVED; 7930a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#else 7940a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang iph1->status = PHASE1ST_MSG4RECEIVED; 7950a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#endif 7960a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 7970a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang error = 0; 7980a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 7990a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wangend: 8000a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (pbuf) 8010a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang vfree(pbuf); 8020a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (msg) 8030a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang vfree(msg); 8040a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#ifdef HAVE_GSSAPI 8050a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (gsstoken) 8060a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang vfree(gsstoken); 8070a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#endif 8080a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 8090a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (error) { 8100a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang VPTRINIT(iph1->id_p); 811c91307af2622f6625525f3c1f9c954376df950adChia-chi Yeh oakley_delcert(iph1->cert_p); 812c91307af2622f6625525f3c1f9c954376df950adChia-chi Yeh iph1->cert_p = NULL; 813c91307af2622f6625525f3c1f9c954376df950adChia-chi Yeh oakley_delcert(iph1->crl_p); 814c91307af2622f6625525f3c1f9c954376df950adChia-chi Yeh iph1->crl_p = NULL; 8150a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang VPTRINIT(iph1->sig_p); 8160a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang } 8170a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 8180a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang return error; 8190a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih 
Wang} 8200a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 8210a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang/* 8220a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * status update and establish isakmp sa. 8230a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang */ 8240a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wangint 8250a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wangident_i4send(iph1, msg) 8260a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang struct ph1handle *iph1; 8270a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang vchar_t *msg; 8280a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang{ 8290a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang int error = -1; 8300a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 8310a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang /* validity check */ 8320a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (iph1->status != PHASE1ST_MSG4RECEIVED) { 8330a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang plog(LLV_ERROR, LOCATION, NULL, 8340a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang "status mismatched %d.\n", iph1->status); 8350a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang goto end; 8360a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang } 8370a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 8380a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang /* see handler.h about IV synchronization. 
*/ 8390a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->iv->l); 8400a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 8410a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang iph1->status = PHASE1ST_ESTABLISHED; 8420a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 8430a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang error = 0; 8440a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 8450a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wangend: 8460a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang return error; 8470a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang} 8480a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 8490a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang/* 8500a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * receive from initiator 8510a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * psk: HDR, SA 8520a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * sig: HDR, SA 8530a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * rsa: HDR, SA 8540a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * rev: HDR, SA 8550a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang */ 8560a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wangint 8570a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wangident_r1recv(iph1, msg) 8580a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang struct ph1handle *iph1; 8590a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang vchar_t *msg; 8600a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang{ 8610a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang vchar_t *pbuf = NULL; 8620a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang struct isakmp_parse_t *pa; 8630a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang int error = -1; 8640a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang int vid_numeric; 8650a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 8660a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang /* 
validity check */ 8670a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (iph1->status != PHASE1ST_START) { 8680a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang plog(LLV_ERROR, LOCATION, NULL, 8690a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang "status mismatched %d.\n", iph1->status); 8700a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang goto end; 8710a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang } 8720a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 8730a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang /* validate the type of next payload */ 8740a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang /* 8750a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * NOTE: XXX even if multiple VID, we'll silently ignore those. 8760a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang */ 8770a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang pbuf = isakmp_parse(msg); 8780a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (pbuf == NULL) 8790a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang goto end; 8800a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang pa = (struct isakmp_parse_t *)pbuf->v; 8810a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 8820a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang /* check the position of SA payload */ 8830a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (pa->type != ISAKMP_NPTYPE_SA) { 8840a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang plog(LLV_ERROR, LOCATION, iph1->remote, 8850a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang "received invalid next payload type %d, " 8860a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang "expecting %d.\n", 8870a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang pa->type, ISAKMP_NPTYPE_SA); 8880a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang goto end; 8890a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang } 8900a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (isakmp_p2ph(&iph1->sa, pa->ptr) < 0) 
8910a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang goto end; 8920a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang pa++; 8930a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 8940a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang for (/*nothing*/; 8950a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang pa->type != ISAKMP_NPTYPE_NONE; 8960a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang pa++) { 8970a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 8980a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang switch (pa->type) { 8990a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang case ISAKMP_NPTYPE_VID: 900adfbc90a9f63d1e0c87b4b17689c07cd3c781a0eChia-chi Yeh vid_numeric = handle_vendorid(iph1, pa->ptr); 9010a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#ifdef ENABLE_FRAG 9020a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if ((vid_numeric == VENDORID_FRAG) && 9030a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_IDENT)) 9040a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang iph1->frag = 1; 905c91307af2622f6625525f3c1f9c954376df950adChia-chi Yeh#endif 9060a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang break; 9070a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang default: 9080a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang /* 9090a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * We don't send information to the peer even 9100a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * if we received malformed packet. Because we 9110a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * can't distinguish the malformed packet and 9120a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * the re-sent packet. And we do same behavior 9130a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * when we expect encrypted packet. 
9140a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang */ 9150a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang plog(LLV_ERROR, LOCATION, iph1->remote, 9160a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang "ignore the packet, " 9170a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang "received unexpecting payload type %d.\n", 9180a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang pa->type); 9190a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang goto end; 9200a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang } 9210a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang } 9220a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 9230a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#ifdef ENABLE_NATT 9240a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (NATT_AVAILABLE(iph1)) 9250a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang plog(LLV_INFO, LOCATION, iph1->remote, 9260a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang "Selected NAT-T version: %s\n", 9270a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang vid_string_by_id(iph1->natt_options->version)); 9280a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#endif 9290a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 9300a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang /* check SA payload and set approval SA for use */ 9310a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (ipsecdoi_checkph1proposal(iph1->sa, iph1) < 0) { 9320a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang plog(LLV_ERROR, LOCATION, iph1->remote, 9330a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang "failed to get valid proposal.\n"); 9340a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang /* XXX send information */ 9350a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang goto end; 9360a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang } 9370a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 9380a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang iph1->status = 
PHASE1ST_MSG1RECEIVED; 9390a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 9400a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang error = 0; 9410a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 9420a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wangend: 9430a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (pbuf) 9440a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang vfree(pbuf); 9450a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (error) { 9460a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang VPTRINIT(iph1->sa); 9470a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang } 9480a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 9490a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang return error; 9500a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang} 9510a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 9520a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang/* 9530a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * send to initiator 9540a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * psk: HDR, SA 9550a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * sig: HDR, SA 9560a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * rsa: HDR, SA 9570a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * rev: HDR, SA 9580a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang */ 9590a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wangint 9600a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wangident_r1send(iph1, msg) 9610a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang struct ph1handle *iph1; 9620a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang vchar_t *msg; 9630a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang{ 9640a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang struct payload_list *plist = NULL; 9650a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang int error = -1; 9660a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang vchar_t *gss_sa = NULL; 
9670a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#ifdef HAVE_GSSAPI 9680a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang int free_gss_sa = 0; 9690a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#endif 9700a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#ifdef ENABLE_NATT 9710a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang vchar_t *vid_natt = NULL; 9720a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#endif 9730a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#ifdef ENABLE_HYBRID 9740a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang vchar_t *vid_xauth = NULL; 9750a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang vchar_t *vid_unity = NULL; 976c91307af2622f6625525f3c1f9c954376df950adChia-chi Yeh#endif 9770a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#ifdef ENABLE_DPD 9780a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang vchar_t *vid_dpd = NULL; 9790a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#endif 980c91307af2622f6625525f3c1f9c954376df950adChia-chi Yeh#ifdef ENABLE_FRAG 9810a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang vchar_t *vid_frag = NULL; 982c91307af2622f6625525f3c1f9c954376df950adChia-chi Yeh#endif 9830a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 9840a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang /* validity check */ 9850a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (iph1->status != PHASE1ST_MSG1RECEIVED) { 9860a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang plog(LLV_ERROR, LOCATION, NULL, 9870a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang "status mismatched %d.\n", iph1->status); 9880a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang goto end; 9890a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang } 9900a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 9910a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang /* set responder's cookie */ 9920a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 
isakmp_newcookie((caddr_t)&iph1->index.r_ck, iph1->remote, iph1->local); 9930a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 9940a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#ifdef HAVE_GSSAPI 9950a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (iph1->approval->gssid != NULL) { 996c91307af2622f6625525f3c1f9c954376df950adChia-chi Yeh gss_sa = ipsecdoi_setph1proposal(iph1->approval); 9970a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (gss_sa != iph1->sa_ret) 9980a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang free_gss_sa = 1; 999c91307af2622f6625525f3c1f9c954376df950adChia-chi Yeh } else 10000a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#endif 10010a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang gss_sa = iph1->sa_ret; 10020a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 10030a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang /* set SA payload to reply */ 10040a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang plist = isakmp_plist_append(plist, gss_sa, ISAKMP_NPTYPE_SA); 10050a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 10060a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#ifdef ENABLE_HYBRID 10070a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) { 10080a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang plog (LLV_INFO, LOCATION, NULL, "Adding xauth VID payload.\n"); 10090a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL) { 10100a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang plog(LLV_ERROR, LOCATION, NULL, 10110a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang "Cannot create Xauth vendor ID\n"); 10120a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang goto end; 10130a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang } 10140a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang plist = isakmp_plist_append(plist, 
10150a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang vid_xauth, ISAKMP_NPTYPE_VID); 10160a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang } 10170a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 10180a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_UNITY) { 10190a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL) { 10200a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang plog(LLV_ERROR, LOCATION, NULL, 10210a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang "Cannot create Unity vendor ID\n"); 10220a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang goto end; 10230a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang } 10240a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang plist = isakmp_plist_append(plist, 10250a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang vid_unity, ISAKMP_NPTYPE_VID); 10260a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang } 10270a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#endif 10280a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#ifdef ENABLE_NATT 10290a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang /* Has the peer announced NAT-T? */ 10300a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (NATT_AVAILABLE(iph1)) 10310a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang vid_natt = set_vendorid(iph1->natt_options->version); 10320a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 10330a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (vid_natt) 10340a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang plist = isakmp_plist_append(plist, vid_natt, ISAKMP_NPTYPE_VID); 10350a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#endif 10360a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#ifdef ENABLE_DPD 1037c91307af2622f6625525f3c1f9c954376df950adChia-chi Yeh /* XXX only send DPD VID if remote sent it ? 
*/ 1038c91307af2622f6625525f3c1f9c954376df950adChia-chi Yeh if(iph1->rmconf->dpd){ 10390a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang vid_dpd = set_vendorid(VENDORID_DPD); 10400a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (vid_dpd != NULL) 10410a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang plist = isakmp_plist_append(plist, vid_dpd, ISAKMP_NPTYPE_VID); 10420a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang } 10430a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#endif 10440a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#ifdef ENABLE_FRAG 10450a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (iph1->frag) { 10460a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang vid_frag = set_vendorid(VENDORID_FRAG); 10470a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (vid_frag != NULL) 10480a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang vid_frag = isakmp_frag_addcap(vid_frag, 10490a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang VENDORID_FRAG_IDENT); 10500a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (vid_frag == NULL) 10510a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang plog(LLV_ERROR, LOCATION, NULL, 10520a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang "Frag vendorID construction failed\n"); 10530a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang else 1054c91307af2622f6625525f3c1f9c954376df950adChia-chi Yeh plist = isakmp_plist_append(plist, 10550a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang vid_frag, ISAKMP_NPTYPE_VID); 10560a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang } 10570a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#endif 10580a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 10590a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang iph1->sendbuf = isakmp_plist_set_all (&plist, iph1); 10600a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 10610a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#ifdef HAVE_PRINT_ISAKMP_C 
10620a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0); 10630a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#endif 10640a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 10650a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang /* send the packet, add to the schedule to resend */ 1066c91307af2622f6625525f3c1f9c954376df950adChia-chi Yeh iph1->retry_counter = iph1->rmconf->retry_counter; 1067c91307af2622f6625525f3c1f9c954376df950adChia-chi Yeh if (isakmp_ph1resend(iph1) == -1) { 10680a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang goto end; 1069c91307af2622f6625525f3c1f9c954376df950adChia-chi Yeh } 10700a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 10710a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang /* the sending message is added to the received-list. */ 10720a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) { 10730a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang plog(LLV_ERROR , LOCATION, NULL, 10740a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang "failed to add a response packet to the tree.\n"); 10750a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang goto end; 10760a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang } 10770a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 10780a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang iph1->status = PHASE1ST_MSG1SENT; 10790a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 10800a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang error = 0; 10810a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 10820a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wangend: 10830a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#ifdef HAVE_GSSAPI 10840a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (free_gss_sa) 10850a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang vfree(gss_sa); 
10860a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#endif 10870a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#ifdef ENABLE_NATT 10880a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (vid_natt) 10890a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang vfree(vid_natt); 10900a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#endif 10910a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#ifdef ENABLE_HYBRID 10920a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (vid_xauth != NULL) 10930a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang vfree(vid_xauth); 10940a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (vid_unity != NULL) 10950a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang vfree(vid_unity); 10960a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#endif 10970a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#ifdef ENABLE_DPD 10980a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (vid_dpd != NULL) 10990a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang vfree(vid_dpd); 11000a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#endif 11010a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#ifdef ENABLE_FRAG 11020a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (vid_frag != NULL) 11030a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang vfree(vid_frag); 11040a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#endif 11050a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 11060a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang return error; 11070a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang} 11080a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 11090a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang/* 11100a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * receive from initiator 11110a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * psk: HDR, KE, Ni 11120a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * sig: HDR, KE, Ni 
11130a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * gssapi: HDR, KE, Ni, GSSi 11140a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * rsa: HDR, KE, [ HASH(1), ] <IDi1_b>PubKey_r, <Ni_b>PubKey_r 11150a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * rev: HDR, [ HASH(1), ] <Ni_b>Pubkey_r, <KE_b>Ke_i, 11160a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * <IDi1_b>Ke_i, [<<Cert-I_b>Ke_i] 11170a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang */ 11180a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wangint 11190a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wangident_r2recv(iph1, msg) 11200a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang struct ph1handle *iph1; 11210a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang vchar_t *msg; 11220a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang{ 11230a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang vchar_t *pbuf = NULL; 11240a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang struct isakmp_parse_t *pa; 11250a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang int error = -1; 11260a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#ifdef HAVE_GSSAPI 11270a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang vchar_t *gsstoken = NULL; 11280a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#endif 11290a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#ifdef ENABLE_NATT 11300a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang int natd_seq = 0; 11310a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#endif 11320a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 11330a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang /* validity check */ 11340a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (iph1->status != PHASE1ST_MSG1SENT) { 11350a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang plog(LLV_ERROR, LOCATION, NULL, 11360a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang "status mismatched %d.\n", iph1->status); 
11370a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang goto end; 11380a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang } 11390a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 11400a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang /* validate the type of next payload */ 11410a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang pbuf = isakmp_parse(msg); 11420a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (pbuf == NULL) 11430a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang goto end; 11440a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 11450a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang for (pa = (struct isakmp_parse_t *)pbuf->v; 11460a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang pa->type != ISAKMP_NPTYPE_NONE; 11470a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang pa++) { 11480a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang switch (pa->type) { 11490a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang case ISAKMP_NPTYPE_KE: 11500a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) 11510a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang goto end; 11520a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang break; 11530a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang case ISAKMP_NPTYPE_NONCE: 11540a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) 11550a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang goto end; 11560a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang break; 11570a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang case ISAKMP_NPTYPE_VID: 1158adfbc90a9f63d1e0c87b4b17689c07cd3c781a0eChia-chi Yeh handle_vendorid(iph1, pa->ptr); 11590a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang break; 11600a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang case ISAKMP_NPTYPE_CR: 11610a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang plog(LLV_WARNING, LOCATION, iph1->remote, 
11620a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang "CR received, ignore it. " 11630a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang "It should be in other exchange.\n"); 11640a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang break; 11650a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#ifdef HAVE_GSSAPI 11660a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang case ISAKMP_NPTYPE_GSS: 11670a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (isakmp_p2ph(&gsstoken, pa->ptr) < 0) 11680a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang goto end; 11690a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang gssapi_save_received_token(iph1, gsstoken); 11700a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang break; 11710a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#endif 11720a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 11730a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#ifdef ENABLE_NATT 11740a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang case ISAKMP_NPTYPE_NATD_DRAFT: 11750a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang case ISAKMP_NPTYPE_NATD_RFC: 11760a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL && 11770a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang pa->type == iph1->natt_options->payload_nat_d) 11780a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang { 11790a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang vchar_t *natd_received = NULL; 11800a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang int natd_verified; 1181c91307af2622f6625525f3c1f9c954376df950adChia-chi Yeh 11820a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (isakmp_p2ph (&natd_received, pa->ptr) < 0) 11830a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang goto end; 1184c91307af2622f6625525f3c1f9c954376df950adChia-chi Yeh 11850a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (natd_seq == 0) 11860a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih 
Wang iph1->natt_flags |= NAT_DETECTED; 1187c91307af2622f6625525f3c1f9c954376df950adChia-chi Yeh 11880a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang natd_verified = natt_compare_addr_hash (iph1, 11890a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang natd_received, natd_seq++); 1190c91307af2622f6625525f3c1f9c954376df950adChia-chi Yeh 11910a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n", 11920a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang natd_seq - 1, 11930a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang natd_verified ? "verified" : "doesn't match"); 1194c91307af2622f6625525f3c1f9c954376df950adChia-chi Yeh 11950a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang vfree (natd_received); 11960a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang break; 11970a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang } 11980a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang /* passthrough to default... */ 11990a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#endif 12000a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 12010a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang default: 12020a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang /* don't send information, see ident_r1recv() */ 12030a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang plog(LLV_ERROR, LOCATION, iph1->remote, 12040a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang "ignore the packet, " 12050a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang "received unexpecting payload type %d.\n", 12060a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang pa->type); 12070a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang goto end; 12080a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang } 12090a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang } 12100a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 12110a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#ifdef ENABLE_NATT 
12120a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (NATT_AVAILABLE(iph1)) 12130a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n", 1214c91307af2622f6625525f3c1f9c954376df950adChia-chi Yeh iph1->natt_flags & NAT_DETECTED ? 12150a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang "detected:" : "not detected", 12160a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "", 12170a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : ""); 12180a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#endif 12190a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 12200a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang /* payload existency check */ 12210a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) { 12220a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang plog(LLV_ERROR, LOCATION, iph1->remote, 12230a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang "few isakmp message received.\n"); 12240a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang goto end; 12250a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang } 12260a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 12270a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang iph1->status = PHASE1ST_MSG2RECEIVED; 12280a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 12290a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang error = 0; 12300a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 12310a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wangend: 12320a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (pbuf) 12330a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang vfree(pbuf); 12340a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#ifdef HAVE_GSSAPI 12350a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (gsstoken) 12360a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 
vfree(gsstoken);
#endif

	/*
	 * On failure, discard everything this exchange learned from the
	 * peer so a retried exchange cannot build on half-parsed state.
	 */
	if (error) {
		VPTRINIT(iph1->dhpub_p);
		VPTRINIT(iph1->nonce_p);
		VPTRINIT(iph1->id_p);
	}

	return error;
}

/*
 * Responder, main mode, 2nd exchange: build and send our KE/nonce
 * message, then derive the phase 1 keying material.
 *
 *	psk: HDR, KE, Nr
 *	sig: HDR, KE, Nr [, CR ]
 *	gssapi: HDR, KE, Nr, GSSr
 *	rsa: HDR, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i
 *	rev: HDR, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDr1_b>Ke_r,
 *
 * iph1: phase 1 handle; must be in PHASE1ST_MSG2RECEIVED, i.e. the
 *       initiator's KE and nonce are already stored in dhpub_p/nonce_p.
 * msg:  the initiator's message being answered; handed to add_recvdpkt()
 *       together with our reply.
 * Returns 0 on success (status becomes PHASE1ST_MSG2SENT), -1 on error.
 *
 * NOTE(review): on the error paths below the DH key pair, nonce and
 * sendbuf allocated here are not released in this function; presumably
 * the caller tears down the whole handle - confirm.
 */
int
ident_r2send(iph1, msg)
	struct ph1handle *iph1;
	vchar_t *msg;
{
	int error = -1;

	/* validity check: refuse to run out of order in the state machine */
	if (iph1->status != PHASE1ST_MSG2RECEIVED) {
		plog(LLV_ERROR, LOCATION, NULL,
			"status mismatched %d.\n", iph1->status);
		goto end;
	}

	/* generate DH public value; the private value stays in dhpriv */
	if (oakley_dh_generate(iph1->approval->dhgrp,
				&iph1->dhpub, &iph1->dhpriv) < 0)
		goto end;

	/* generate NONCE value; its length comes from the remote config */
	iph1->nonce = eay_set_random(iph1->rmconf->nonce_size);
	if (iph1->nonce == NULL)
		goto end;

#ifdef HAVE_GSSAPI
	/* GSS-API authentication carries a responder token in this message */
	if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB)
		gssapi_get_rtoken(iph1, NULL);
#endif

	/* create HDR;KE;NONCE payload */
	iph1->sendbuf = ident_ir2mx(iph1);
	if (iph1->sendbuf == NULL)
		goto end;

#ifdef HAVE_PRINT_ISAKMP_C
	isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
#endif

	/*
	 * Send the packet and schedule it for retransmission; the retry
	 * budget is taken from the remote configuration.
	 */
	iph1->retry_counter = iph1->rmconf->retry_counter;
	if (isakmp_ph1resend(iph1) == -1)
		goto end;

	/*
	 * Record the (initiator message, our reply) pair so that a
	 * duplicate of the initiator's message can be answered again.
	 */
	if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) {
		plog(LLV_ERROR , LOCATION, NULL,
			"failed to add a response packet to the tree.\n");
		goto end;
	}

	/*
	 * Compute the DH shared secret from our private value and the
	 * peer's public value received in the previous exchange.
	 */
	if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub,
				iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0)
		goto end;

	/*
	 * Derive SKEYID, SKEYID_{d,a,e}, the phase 1 cipher key and the
	 * initial IV. From here on the handle can decrypt the next message.
	 */
	if (oakley_skeyid(iph1) < 0)
		goto end;
	if (oakley_skeyid_dae(iph1) < 0)
		goto end;
	if (oakley_compute_enckey(iph1) < 0)
		goto end;
	if (oakley_newiv(iph1) < 0)
		goto end;

	iph1->status = PHASE1ST_MSG2SENT;

	error = 0;

end:
	return error;
}

/*
 * Responder, main mode, 3rd exchange: receive and verify the initiator's
 * identity and authentication payload (the first encrypted message).
 *
 *	psk: HDR*, IDi1, HASH_I
 *	sig: HDR*, IDi1, [ CR, ] [ CERT, ] SIG_I
 *	gssapi: HDR*, [ IDi1, ] < GSSi(n) | HASH_I >
 *	rsa: HDR*, HASH_I
 *	rev: HDR*, HASH_I
 *
 * iph1: phase 1 handle; must be in PHASE1ST_MSG2SENT.
 * msg0: the raw (still encrypted) message as received.
 * Returns 0 when the peer authenticated (status becomes
 * PHASE1ST_MSG3RECEIVED, or PHASE1ST_MSG2RECEIVED while a GSS-API token
 * exchange is still in progress), -1 otherwise. On -1 every payload
 * saved from this message (ID, certificates, CRL, CR, signature) is
 * released again.
 *
 * NOTE(review): iph1->pl_hash is set to a pointer into the decrypted
 * buffer `msg`, which is freed at end: - it is only valid within this
 * function and must not be dereferenced after return.
 */
int
ident_r3recv(iph1, msg0)
	struct ph1handle *iph1;
	vchar_t *msg0;
{
	vchar_t *msg = NULL;	/* decrypted copy of msg0 */
	vchar_t *pbuf = NULL;	/* parsed payload list over msg */
	struct isakmp_parse_t *pa;
	int error = -1;
	int type;
#ifdef HAVE_GSSAPI
	vchar_t *gsstoken = NULL;
#endif

	/* validity check: refuse to run out of order in the state machine */
	if (iph1->status != PHASE1ST_MSG2SENT) {
		plog(LLV_ERROR, LOCATION, NULL,
			"status mismatched %d.\n", iph1->status);
		goto end;
	}

	/*
	 * The message must carry the encryption flag; a cleartext message
	 * at this stage is rejected outright rather than parsed.
	 */
	if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
		plog(LLV_ERROR, LOCATION, iph1->remote,
			"reject the packet, "
			"expecting the packet encrypted.\n");
		goto end;
	}
	/* decrypt with the phase 1 IV derived in ident_r2send() */
	msg = oakley_do_decrypt(iph1, msg0, iph1->ivm->iv, iph1->ivm->ive);
	if (msg == NULL)
		goto end;

	/* split the decrypted message into its payloads */
	pbuf = isakmp_parse(msg);
	if (pbuf == NULL)
		goto end;

	iph1->pl_hash = NULL;

	for (pa = (struct isakmp_parse_t *)pbuf->v;
	     pa->type != ISAKMP_NPTYPE_NONE;
	     pa++) {

		switch (pa->type) {
		case ISAKMP_NPTYPE_ID:
			/* copied out of msg, so it survives the vfree below */
			if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0)
				goto end;
			break;
		case ISAKMP_NPTYPE_HASH:
			/* not copied: points into msg, valid only until end: */
			iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr;
			break;
		case ISAKMP_NPTYPE_CR:
			if (oakley_savecr(iph1, pa->ptr) < 0)
				goto end;
			break;
		case ISAKMP_NPTYPE_CERT:
			if (oakley_savecert(iph1, pa->ptr) < 0)
				goto end;
			break;
		case ISAKMP_NPTYPE_SIG:
			if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0)
				goto end;
			break;
#ifdef HAVE_GSSAPI
		case ISAKMP_NPTYPE_GSS:
			if (isakmp_p2ph(&gsstoken, pa->ptr) < 0)
				goto end;
			gssapi_save_received_token(iph1, gsstoken);
			break;
#endif
		case ISAKMP_NPTYPE_VID:
			handle_vendorid(iph1, pa->ptr);
			break;
		case ISAKMP_NPTYPE_N:
			isakmp_check_notify(pa->ptr, iph1);
			break;
		default:
			/*
			 * Unexpected payload: log and drop. No notification
			 * is sent back to the (not yet authenticated) peer;
			 * see ident_r1recv() for the same policy.
			 */
			plog(LLV_ERROR, LOCATION, iph1->remote,
				"ignore the packet, "
				"received unexpecting payload type %d.\n",
				pa->type);
			goto end;
		}
	}

	/*
	 * Payload existence check: every authentication method needs a
	 * specific set of payloads before the authenticator can be verified.
	 */
	/* XXX same as ident_i4recv(), should be merged. */
    {
	int ng = 0;

	switch (AUTHMETHOD(iph1)) {
	case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
#ifdef ENABLE_HYBRID
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
#endif
		/* pre-shared key / hybrid: identity plus HASH_I */
		if (iph1->id_p == NULL || iph1->pl_hash == NULL)
			ng++;
		break;
	case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
	case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
#ifdef ENABLE_HYBRID
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
#endif
		/* signature: identity plus SIG_I */
		if (iph1->id_p == NULL || iph1->sig_p == NULL)
			ng++;
		break;
	case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
	case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
#ifdef ENABLE_HYBRID
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
#endif
		/* public-key encryption: only HASH_I; the ID came earlier */
		if (iph1->pl_hash == NULL)
			ng++;
		break;
#ifdef HAVE_GSSAPI
	case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
		/* either another GSS token or the final HASH_I */
		if (gsstoken == NULL && iph1->pl_hash == NULL)
			ng++;
		break;
#endif
	default:
		/*
		 * NOTE(review): the switch is on AUTHMETHOD(iph1) but the
		 * log prints iph1->approval->authmethod; the two may differ
		 * for hybrid methods - confirm which value is meant.
		 */
		plog(LLV_ERROR, LOCATION, iph1->remote,
			"invalid authmethod %d why ?\n",
			iph1->approval->authmethod);
		goto end;
	}
	if (ng) {
		plog(LLV_ERROR, LOCATION, iph1->remote,
			"few isakmp message received.\n");
		goto end;
	}
    }

	/* verify that the received identifier is acceptable for this peer */
	if (ipsecdoi_checkid1(iph1) != 0) {
		plog(LLV_ERROR, LOCATION, iph1->remote,
			"invalid ID payload.\n");
		goto end;
	}

	/*
	 * Validate the authenticator (HASH_I / SIG_I). With GSS-API the
	 * check is deferred while tokens are still being exchanged.
	 */
#ifdef HAVE_GSSAPI
	if (gsstoken == NULL) {
#endif
	type = oakley_validate_auth(iph1);
	if (type != 0) {
		if (type == -1) {
			/* internal error; msg printed inside oakley_validate_auth() */
			goto end;
		}
		/*
		 * Any other non-zero value is reported as an event and
		 * sent to the peer as a notification.
		 */
		EVT_PUSH(iph1->local, iph1->remote,
		    EVTT_PEERPH1AUTH_FAILED, NULL);
		isakmp_info_send_n1(iph1, type, NULL);
		goto end;
	}
#ifdef HAVE_GSSAPI
	}
#endif

	if (oakley_checkcr(iph1) < 0) {
		/* Deliberately ignored for interoperability. */
		;
	}

	/*
	 * XXX: Should we do compare two addresses, ph1handle's and ID
	 * payload's.
	 */

	/*
	 * NOTE(review): id_p is dereferenced unconditionally here, but the
	 * existence check above does not require it for the RSAENC/RSAREV
	 * methods; presumably it was stored by an earlier exchange or
	 * checked by ipsecdoi_checkid1() - confirm.
	 */
	plog(LLV_DEBUG, LOCATION, iph1->remote, "peer's ID\n");
	plogdump(LLV_DEBUG, iph1->id_p->v, iph1->id_p->l);

	/* see handler.h about IV synchronization. */
	memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->ive->l);

#ifdef HAVE_GSSAPI
	/* a received GSS token means one more round trip before HASH_I */
	iph1->status = gsstoken != NULL ?
	    PHASE1ST_MSG2RECEIVED :
	    PHASE1ST_MSG3RECEIVED;
#else
	iph1->status = PHASE1ST_MSG3RECEIVED;
#endif

	error = 0;

end:
	if (pbuf)
		vfree(pbuf);
	if (msg)
		vfree(msg);
#ifdef HAVE_GSSAPI
	if (gsstoken)
		vfree(gsstoken);
#endif

	/* on failure, forget every payload saved from this message */
	if (error) {
		VPTRINIT(iph1->id_p);
		oakley_delcert(iph1->cert_p);
		iph1->cert_p = NULL;
		oakley_delcert(iph1->crl_p);
		iph1->crl_p = NULL;
		VPTRINIT(iph1->sig_p);
		oakley_delcert(iph1->cr_p);
		iph1->cr_p = NULL;
	}

	return error;
}

/*
 * Responder, main mode, 3rd exchange: send our identity and
 * authenticator, completing phase 1.
 *
 *	psk: HDR*, IDr1, HASH_R
 *	sig: HDR*, IDr1, [ CERT, ] SIG_R
 *	gssapi: HDR*, IDr1, < GSSr(n) | HASH_R >
 *	rsa: HDR*, HASH_R
 *	rev: HDR*, HASH_R
 *
 * iph1: phase 1 handle; must be in PHASE1ST_MSG3RECEIVED.
 * msg:  the initiator's message being answered; recorded with our
 *       reply via add_recvdpkt().
 * Returns 0 on success (status becomes PHASE1ST_ESTABLISHED), -1 on
 * error. On error nothing is rolled back here.
 */
int
ident_r3send(iph1, msg)
	struct ph1handle *iph1;
	vchar_t *msg;
{
	int error = -1;
	int dohash = 1;		/* cleared when a GSS token replaces HASH_R */
#ifdef HAVE_GSSAPI
	int len;
#endif

	/* validity check: refuse to run out of order in the state machine */
	if (iph1->status != PHASE1ST_MSG3RECEIVED) {
		plog(LLV_ERROR, LOCATION, NULL,
			"status mismatched %d.\n", iph1->status);
		goto end;
	}

	/* build our own ID payload into the handle */
	if (ipsecdoi_setid1(iph1) < 0)
		goto end;

#ifdef HAVE_GSSAPI
	/* while GSS tokens remain, send the next token instead of HASH_R */
	if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB &&
	    gssapi_more_tokens(iph1)) {
		gssapi_get_rtoken(iph1, &len);
		if (len != 0)
			dohash = 0;
	}
#endif

	if (dohash) {
		/* generate HASH_R (or the input to SIG_R) to send */
		plog(LLV_DEBUG, LOCATION, NULL, "generate HASH_R\n");
		iph1->hash = oakley_ph1hash_common(iph1, GENERATE);
		if (iph1->hash == NULL)
			goto end;
	} else
		iph1->hash = NULL;

	/* this and every later message on the handle is encrypted */
	iph1->flags |= ISAKMP_FLAG_E;

	/* create HDR;ID;HASH payload */
	iph1->sendbuf = ident_ir3mx(iph1);
	if (iph1->sendbuf == NULL)
		goto end;

	/*
	 * Single send, unlike ident_r2send() which schedules retransmits;
	 * this is the last responder message of the exchange.
	 */
	if (isakmp_send(iph1, iph1->sendbuf) < 0)
		goto end;

	/*
	 * Record the (initiator message, our reply) pair so that a
	 * duplicate of the initiator's message can be answered again.
	 */
	if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) {
		plog(LLV_ERROR , LOCATION, NULL,
			"failed to add a response packet to the tree.\n");
		goto end;
	}

	/* see handler.h about IV synchronization. */
	memcpy(iph1->ivm->ive->v, iph1->ivm->iv->v, iph1->ivm->iv->l);

	iph1->status = PHASE1ST_ESTABLISHED;

	error = 0;

end:

	return error;
}

/*
 * This is used in main mode for:
 *	initiator's 3rd exchange send to responder
 *		psk: HDR, KE, Ni
 *		sig: HDR, KE, Ni
 *		rsa: HDR, KE, [ HASH(1), ] <IDi1_b>PubKey_r, <Ni_b>PubKey_r
 *		rev: HDR, [ HASH(1), ] <Ni_b>Pubkey_r, <KE_b>Ke_i,
 *		     <IDi1_b>Ke_i, [<<Cert-I_b>Ke_i]
 *	responder's 2nd exchange send to initiator
 *		psk: HDR, KE, Nr
 *		sig: HDR, KE, Nr [, CR ]
 *		rsa: HDR, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i
 *		rev: HDR, <Nr_b>PubKey_i, <KE_b>Ke_r,
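<IDr1_b>Ke_r,
 */
/*
 * Build the second main-mode message (KE + NONCE, plus optional GSS token,
 * CR and NAT-D payloads) for either side of the exchange.
 *
 * iph1: phase 1 handle; supplies the DH public value (dhpub), the nonce,
 *       the approved proposal (approval->authmethod), the remote config
 *       (rmconf) and, under ENABLE_NATT, the negotiated NAT-T options.
 *
 * Returns a newly built packet buffer that the caller owns (free with
 * vfree), or NULL on failure.  A NULL from isakmp_plist_set_all is passed
 * through to the caller as NULL as well.
 *
 * Payload order: KE, NONCE, [GSS], [CR], [NAT-D remote, NAT-D local].
 *
 * Security-relevant behaviour (all visible below):
 *  - Only the RESPONDER emits a CR payload, and only when rmconf->send_cr
 *    is set, the auth method needs a certificate (oakley_needcr) and no
 *    peer certificate file is pinned in the config (peerscertfile == NULL).
 *    With a pinned peer certificate no in-band certificate is requested.
 *  - NAT-D payloads are added only when NATT_AVAILABLE(iph1) and the
 *    handle is in PHASE1ST_MSG2RECEIVED; the payload type number comes
 *    from iph1->natt_options->payload_nat_d.
 *
 * Change from the previous revision: the two NAT-D hashes are computed
 * *before* anything is appended to plist.  Previously a hash failure
 * jumped to `end` after KE/NONCE/... had already been appended, abandoning
 * the partially built list (the only consumer that releases it is
 * isakmp_plist_set_all).  The dead `vid` local (never assigned) is gone.
 */
static vchar_t *
ident_ir2mx(iph1)
	struct ph1handle *iph1;
{
	struct payload_list *plist = NULL;
	vchar_t *pkt = NULL;
	vchar_t *cr = NULL;
	int error = -1;
#ifdef HAVE_GSSAPI
	vchar_t *gsstoken = NULL;
#endif
#ifdef ENABLE_NATT
	vchar_t *natd_remote = NULL, *natd_local = NULL;
	int add_natd = 0;
#endif

	/*
	 * Responder side: ask the peer for its certificate unless we already
	 * have one pinned via peerscertfile.
	 */
	if (iph1->side == RESPONDER
	 && iph1->rmconf->send_cr
	 && oakley_needcr(iph1->approval->authmethod)
	 && iph1->rmconf->peerscertfile == NULL) {
		cr = oakley_getcr(iph1);
		if (cr == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
				"failed to get cr buffer.\n");
			goto end;
		}
	}

#ifdef HAVE_GSSAPI
	/* NOTE(review): return value of gssapi_get_token_to_send is not
	 * checked here (as before); a NULL gsstoken would be appended. */
	if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB)
		gssapi_get_token_to_send(iph1, &gsstoken);
#endif

#ifdef ENABLE_NATT
	/*
	 * Compute the NAT-D hashes up front, so that a failure here cannot
	 * leave a half-built payload list behind.
	 */
	if (NATT_AVAILABLE(iph1) && iph1->status == PHASE1ST_MSG2RECEIVED) {
		natd_remote = natt_hash_addr(iph1, iph1->remote);
		if (natd_remote == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
				"NAT-D hashing failed for %s\n",
				saddr2str(iph1->remote));
			goto end;
		}
		natd_local = natt_hash_addr(iph1, iph1->local);
		if (natd_local == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
				"NAT-D hashing failed for %s\n",
				saddr2str(iph1->local));
			goto end;
		}
		add_natd = 1;
	}
#endif

	/* KE and NONCE are always present. */
	plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE);
	plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE);

#ifdef HAVE_GSSAPI
	if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB)
		plist = isakmp_plist_append(plist, gsstoken, ISAKMP_NPTYPE_GSS);
#endif

	/* cr is non-NULL exactly when a CR payload was decided on above. */
	if (cr != NULL)
		plist = isakmp_plist_append(plist, cr, ISAKMP_NPTYPE_CR);

#ifdef ENABLE_NATT
	if (add_natd) {
		plog(LLV_INFO, LOCATION, NULL,
			"Adding remote and local NAT-D payloads.\n");
		plist = isakmp_plist_append(plist, natd_remote,
			iph1->natt_options->payload_nat_d);
		plist = isakmp_plist_append(plist, natd_local,
			iph1->natt_options->payload_nat_d);
	}
#endif

	/* Takes plist by address and produces the wire buffer. */
	pkt = isakmp_plist_set_all(&plist, iph1);
	error = 0;

end:
	/* Every failure path above jumps here before pkt is set, but keep
	 * the guard so a future early exit after set_all cannot leak. */
	if (error && pkt != NULL) {
		vfree(pkt);
		pkt = NULL;
	}
	if (cr)
		vfree(cr);
#ifdef HAVE_GSSAPI
	if (gsstoken)
		vfree(gsstoken);
#endif
#ifdef ENABLE_NATT
	if (natd_remote)
		vfree(natd_remote);
	if (natd_local)
		vfree(natd_local);
#endif

	return pkt;
}

/*
 * This is used in main mode for:
 *	initiator's 4th exchange send to responder
 *		psk: HDR*, IDi1, HASH_I
 *		sig: HDR*, IDi1, [ CR, ] [ CERT, ] SIG_I
 *		gssapi: HDR*, [ IDi1, ] < GSSi(n) | HASH_I >
 *		rsa: HDR*, HASH_I
 *		rev: HDR*, HASH_I
 *	responder's 3rd exchange send to initiator
 *		psk: HDR*, IDr1, HASH_R
 *		sig: HDR*, IDr1, [ CERT, ] SIG_R
 *		gssapi: HDR*, [ IDr1, ] < GSSr(n) | HASH_R >
 *		rsa: HDR*, HASH_R
 *		rev: HDR*, HASH_R
 *
 * Build the authentication message (ID + HASH or SIG, optionally CERT/CR
 * or a GSS token) and return it already encrypted.
 *
 * iph1: phase 1 handle; supplies id, hash/sig, cert, rmconf, approval and
 *       the IV material (ivm->ive / ivm->iv) used by oakley_do_encrypt.
 *
 * Returns the encrypted packet buffer (caller owns it, frees with vfree),
 * or NULL on failure.  The plaintext buffer is always released here.
 *
 * Security-relevant behaviour:
 *  - The RSAENC/RSAREV family (and their XAUTH variants) is rejected with
 *    an error rather than silently sending an unauthenticated message.
 *  - For signature methods the local certificate and signature are
 *    obtained (oakley_getmycert / oakley_getsign) before any payload is
 *    appended; the CERT payload is only sent when rmconf->send_cert is on.
 *  - Only the INITIATOR sends a CR here, under the same conditions as the
 *    responder uses in ident_ir2mx.
 *  - Under HAVE_PRINT_ISAKMP_C the still-plaintext message is dumped by
 *    isakmp_printpacket before encryption; this is a compile-time debug
 *    aid and should not be enabled in production builds.
 *
 * Change from the previous revision: a NULL result from
 * isakmp_plist_set_all is now caught before it is handed to
 * isakmp_printpacket / oakley_do_encrypt (previously both were called with
 * the NULL buffer).  The unused `nptype` local is gone.
 */
static vchar_t *
ident_ir3mx(iph1)
	struct ph1handle *iph1;
{
	struct payload_list *plist = NULL;
	vchar_t *clear = NULL;	/* plaintext message, freed here */
	vchar_t *cipher = NULL;	/* encrypted message, returned */
	vchar_t *cr = NULL;
#ifdef HAVE_GSSAPI
	vchar_t *gsstoken = NULL;
	vchar_t *gsshash = NULL;
#endif

	switch (AUTHMETHOD(iph1)) {
	case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
#ifdef ENABLE_HYBRID
	case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
#endif
		/* ID followed by the HASH already computed on the handle. */
		plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
		plist = isakmp_plist_append(plist, iph1->hash, ISAKMP_NPTYPE_HASH);
		break;

	case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
	case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
#ifdef ENABLE_HYBRID
	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
#endif
		if (oakley_getmycert(iph1) < 0)
			goto end;
		if (oakley_getsign(iph1) < 0)
			goto end;

		/* Initiator side: request the peer's certificate unless one
		 * is pinned via peerscertfile. */
		if (iph1->side == INITIATOR
		 && iph1->rmconf->send_cr
		 && oakley_needcr(iph1->approval->authmethod)
		 && iph1->rmconf->peerscertfile == NULL) {
			cr = oakley_getcr(iph1);
			if (cr == NULL) {
				plog(LLV_ERROR, LOCATION, NULL,
					"failed to get cr buffer.\n");
				goto end;
			}
		}

		plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
		if (iph1->cert != NULL && iph1->rmconf->send_cert)
			plist = isakmp_plist_append(plist, iph1->cert->pl,
				ISAKMP_NPTYPE_CERT);
		plist = isakmp_plist_append(plist, iph1->sig, ISAKMP_NPTYPE_SIG);
		if (cr != NULL)
			plist = isakmp_plist_append(plist, cr, ISAKMP_NPTYPE_CR);
		break;

#ifdef HAVE_GSSAPI
	case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
		if (iph1->hash != NULL) {
			gsshash = gssapi_wraphash(iph1);
			if (gsshash == NULL)
				goto end;
		} else {
			gssapi_get_token_to_send(iph1, &gsstoken);
		}

		/* The ID is sent only once across the GSS round trips. */
		if (!gssapi_id_sent(iph1)) {
			plist = isakmp_plist_append(plist, iph1->id,
				ISAKMP_NPTYPE_ID);
			gssapi_set_id_sent(iph1);
		}

		if (iph1->hash != NULL)
			plist = isakmp_plist_append(plist, gsshash,
				ISAKMP_NPTYPE_HASH);
		else
			plist = isakmp_plist_append(plist, gsstoken,
				ISAKMP_NPTYPE_GSS);
		break;
#endif

	case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
	case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
#ifdef ENABLE_HYBRID
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
#endif
		plog(LLV_ERROR, LOCATION, NULL,
			"not supported authentication type %d\n",
			iph1->approval->authmethod);
		goto end;

	default:
		plog(LLV_ERROR, LOCATION, NULL,
			"invalid authentication type %d\n",
			iph1->approval->authmethod);
		goto end;
	}

	clear = isakmp_plist_set_all(&plist, iph1);
	if (clear == NULL)
		goto end;	/* do not hand a NULL buffer downstream */

#ifdef HAVE_PRINT_ISAKMP_C
	/* Debug build only: this dumps the plaintext before encryption. */
	isakmp_printpacket(clear, iph1->local, iph1->remote, 1);
#endif

	/* Encrypt; see handler.h for how ivm->ive / ivm->iv are kept in sync
	 * by the sender after the packet goes out. */
	cipher = oakley_do_encrypt(iph1, clear, iph1->ivm->ive, iph1->ivm->iv);

end:
	/* The plaintext is never returned; release it on every path. */
	if (clear != NULL)
		vfree(clear);
	if (cr)
		vfree(cr);
#ifdef HAVE_GSSAPI
	if (gsstoken)
		vfree(gsstoken);
	/* NOTE(review): gsshash is not freed here (unchanged from the
	 * previous revision).  If gssapi_wraphash returns a fresh buffer
	 * this is a leak on the Kerberos path — confirm against gssapi.c
	 * before adding a vfree, since freeing a handle-owned buffer would
	 * be worse. */
#endif

	return cipher;
}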