1/* $NetBSD: isakmp_base.c,v 1.7 2006/10/02 21:51:33 manu Exp $ */ 2 3/* $KAME: isakmp_base.c,v 1.49 2003/11/13 02:30:20 sakane Exp $ */ 4 5/* 6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of the project nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34/* Base Exchange (Base Mode) */ 35 36#include "config.h" 37 38#include <sys/types.h> 39#include <sys/param.h> 40 41#include <stdlib.h> 42#include <stdio.h> 43#include <string.h> 44#include <errno.h> 45#if TIME_WITH_SYS_TIME 46# include <sys/time.h> 47# include <time.h> 48#else 49# if HAVE_SYS_TIME_H 50# include <sys/time.h> 51# else 52# include <time.h> 53# endif 54#endif 55 56#include "var.h" 57#include "misc.h" 58#include "vmbuf.h" 59#include "plog.h" 60#include "sockmisc.h" 61#include "schedule.h" 62#include "debug.h" 63 64#ifdef ENABLE_HYBRID 65#include <resolv.h> 66#endif 67 68#include "localconf.h" 69#include "remoteconf.h" 70#include "isakmp_var.h" 71#include "isakmp.h" 72#include "evt.h" 73#include "oakley.h" 74#include "handler.h" 75#include "ipsec_doi.h" 76#include "crypto_openssl.h" 77#include "pfkey.h" 78#include "isakmp_base.h" 79#include "isakmp_inf.h" 80#include "vendorid.h" 81#ifdef ENABLE_NATT 82#include "nattraversal.h" 83#endif 84#ifdef ENABLE_FRAG 85#include "isakmp_frag.h" 86#endif 87#ifdef ENABLE_HYBRID 88#include "isakmp_xauth.h" 89#include "isakmp_cfg.h" 90#endif 91 92/* %%% 93 * begin Identity Protection Mode as initiator. 94 */ 95/* 96 * send to responder 97 * psk: HDR, SA, Idii, Ni_b 98 * sig: HDR, SA, Idii, Ni_b 99 * rsa: HDR, SA, [HASH(1),] <IDii_b>Pubkey_r, <Ni_b>Pubkey_r 100 * rev: HDR, SA, [HASH(1),] <Ni_b>Pubkey_r, <IDii_b>Ke_i 101 */ 102int 103base_i1send(iph1, msg) 104 struct ph1handle *iph1; 105 vchar_t *msg; /* must be null */ 106{ 107 struct payload_list *plist = NULL; 108 int error = -1; 109#ifdef ENABLE_NATT 110 vchar_t *vid_natt[MAX_NATT_VID_COUNT] = { NULL }; 111 int i, vid_natt_i = 0; 112#endif 113#ifdef ENABLE_FRAG 114 vchar_t *vid_frag = NULL; 115#endif 116#ifdef ENABLE_HYBRID 117 vchar_t *vid_xauth = NULL; 118 vchar_t *vid_unity = NULL; 119#endif 120#ifdef ENABLE_DPD 121 vchar_t *vid_dpd = NULL; 122#endif 123 124 125 /* validity check */ 126 if (msg != NULL) { 127 plog(LLV_ERROR, LOCATION, NULL, 128 "msg has to be NULL in this function.\n"); 129 goto end; 130 } 131 if (iph1->status != PHASE1ST_START) { 132 plog(LLV_ERROR, LOCATION, NULL, 133 "status mismatched %d.\n", iph1->status); 134 goto end; 135 } 136 137 /* create isakmp index */ 138 memset(&iph1->index, 0, sizeof(iph1->index)); 139 isakmp_newcookie((caddr_t)&iph1->index, iph1->remote, iph1->local); 140 141 /* make ID payload into isakmp status */ 142 if (ipsecdoi_setid1(iph1) < 0) 143 goto end; 144 145 /* create SA payload for my proposal */ 146 iph1->sa = ipsecdoi_setph1proposal(iph1->rmconf->proposal); 147 if (iph1->sa == NULL) 148 goto end; 149 150 /* generate NONCE value */ 151 iph1->nonce = eay_set_random(iph1->rmconf->nonce_size); 152 if (iph1->nonce == NULL) 153 goto end; 154 155#ifdef ENABLE_HYBRID 156 /* Do we need Xauth VID? */ 157 switch (RMAUTHMETHOD(iph1)) { 158 case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I: 159 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: 160 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: 161 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: 162 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: 163 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I: 164 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I: 165 if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL) 166 plog(LLV_ERROR, LOCATION, NULL, 167 "Xauth vendor ID generation failed\n"); 168 169 if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL) 170 plog(LLV_ERROR, LOCATION, NULL, 171 "Unity vendor ID generation failed\n"); 172 break; 173 default: 174 break; 175 } 176#endif 177#ifdef ENABLE_FRAG 178 if (iph1->rmconf->ike_frag) { 179 vid_frag = set_vendorid(VENDORID_FRAG); 180 if (vid_frag != NULL) 181 vid_frag = isakmp_frag_addcap(vid_frag, 182 VENDORID_FRAG_BASE); 183 if (vid_frag == NULL) 184 plog(LLV_ERROR, LOCATION, NULL, 185 "Frag vendorID construction failed\n"); 186 } 187#endif 188#ifdef ENABLE_NATT 189 /* Is NAT-T support allowed in the config file? */ 190 if (iph1->rmconf->nat_traversal) { 191 /* Advertise NAT-T capability */ 192 memset (vid_natt, 0, sizeof (vid_natt)); 193#ifdef VENDORID_NATT_00 194 if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_00)) != NULL) 195 vid_natt_i++; 196#endif 197#ifdef VENDORID_NATT_02 198 if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_02)) != NULL) 199 vid_natt_i++; 200#endif 201#ifdef VENDORID_NATT_02_N 202 if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_02_N)) != NULL) 203 vid_natt_i++; 204#endif 205#ifdef VENDORID_NATT_RFC 206 if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_RFC)) != NULL) 207 vid_natt_i++; 208#endif 209 } 210#endif 211 212 /* set SA payload to propose */ 213 plist = isakmp_plist_append(plist, iph1->sa, ISAKMP_NPTYPE_SA); 214 215 /* create isakmp ID payload */ 216 plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID); 217 218 /* create isakmp NONCE payload */ 219 plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE); 220 221#ifdef ENABLE_FRAG 222 if (vid_frag) 223 plist = isakmp_plist_append(plist, vid_frag, ISAKMP_NPTYPE_VID); 224#endif 225#ifdef ENABLE_HYBRID 226 if (vid_xauth) 227 plist = isakmp_plist_append(plist, 228 vid_xauth, ISAKMP_NPTYPE_VID); 229 if (vid_unity) 230 plist = isakmp_plist_append(plist, 231 vid_unity, ISAKMP_NPTYPE_VID); 232#endif 233#ifdef ENABLE_DPD 234 if (iph1->rmconf->dpd) { 235 vid_dpd = set_vendorid(VENDORID_DPD); 236 if (vid_dpd != NULL) 237 plist = isakmp_plist_append(plist, vid_dpd, ISAKMP_NPTYPE_VID); 238 } 239#endif 240#ifdef ENABLE_NATT 241 /* set VID payload for NAT-T */ 242 for (i = 0; i < vid_natt_i; i++) 243 plist = isakmp_plist_append(plist, vid_natt[i], ISAKMP_NPTYPE_VID); 244#endif 245 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1); 246 247 248#ifdef HAVE_PRINT_ISAKMP_C 249 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0); 250#endif 251 252 /* send the packet, add to the schedule to resend */ 253 iph1->retry_counter = iph1->rmconf->retry_counter; 254 if (isakmp_ph1resend(iph1) == -1) 255 goto end; 256 257 iph1->status = PHASE1ST_MSG1SENT; 258 259 error = 0; 260 261end: 262#ifdef ENABLE_FRAG 263 if (vid_frag) 264 vfree(vid_frag); 265#endif 266#ifdef ENABLE_NATT 267 for (i = 0; i < vid_natt_i; i++) 268 vfree(vid_natt[i]); 269#endif 270#ifdef ENABLE_HYBRID 271 if (vid_xauth != NULL) 272 vfree(vid_xauth); 273 if (vid_unity != NULL) 274 vfree(vid_unity); 275#endif 276#ifdef ENABLE_DPD 277 if (vid_dpd != NULL) 278 vfree(vid_dpd); 279#endif 280 281 return error; 282} 283 284/* 285 * receive from responder 286 * psk: HDR, SA, Idir, Nr_b 287 * sig: HDR, SA, Idir, Nr_b, [ CR ] 288 * rsa: HDR, SA, <IDir_b>PubKey_i, <Nr_b>PubKey_i 289 * rev: HDR, SA, <Nr_b>PubKey_i, <IDir_b>Ke_r 290 */ 291int 292base_i2recv(iph1, msg) 293 struct ph1handle *iph1; 294 vchar_t *msg; 295{ 296 vchar_t *pbuf = NULL; 297 struct isakmp_parse_t *pa; 298 vchar_t *satmp = NULL; 299 int error = -1; 300 int vid_numeric; 301#ifdef ENABLE_HYBRID 302 vchar_t *unity_vid; 303 vchar_t *xauth_vid; 304#endif 305 306 /* validity check */ 307 if (iph1->status != PHASE1ST_MSG1SENT) { 308 plog(LLV_ERROR, LOCATION, NULL, 309 "status mismatched %d.\n", iph1->status); 310 goto end; 311 } 312 313 /* validate the type of next payload */ 314 pbuf = isakmp_parse(msg); 315 if (pbuf == NULL) 316 goto end; 317 pa = (struct isakmp_parse_t *)pbuf->v; 318 319 /* SA payload is fixed postion */ 320 if (pa->type != ISAKMP_NPTYPE_SA) { 321 plog(LLV_ERROR, LOCATION, iph1->remote, 322 "received invalid next payload type %d, " 323 "expecting %d.\n", 324 pa->type, ISAKMP_NPTYPE_SA); 325 goto end; 326 } 327 if (isakmp_p2ph(&satmp, pa->ptr) < 0) 328 goto end; 329 pa++; 330 331 for (/*nothing*/; 332 pa->type != ISAKMP_NPTYPE_NONE; 333 pa++) { 334 335 switch (pa->type) { 336 case ISAKMP_NPTYPE_NONCE: 337 if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) 338 goto end; 339 break; 340 case ISAKMP_NPTYPE_ID: 341 if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) 342 goto end; 343 break; 344 case ISAKMP_NPTYPE_VID: 345 handle_vendorid(iph1, pa->ptr); 346 break; 347 default: 348 /* don't send information, see ident_r1recv() */ 349 plog(LLV_ERROR, LOCATION, iph1->remote, 350 "ignore the packet, " 351 "received unexpecting payload type %d.\n", 352 pa->type); 353 goto end; 354 } 355 } 356 357 if (iph1->nonce_p == NULL || iph1->id_p == NULL) { 358 plog(LLV_ERROR, LOCATION, iph1->remote, 359 "few isakmp message received.\n"); 360 goto end; 361 } 362 363 /* verify identifier */ 364 if (ipsecdoi_checkid1(iph1) != 0) { 365 plog(LLV_ERROR, LOCATION, iph1->remote, 366 "invalid ID payload.\n"); 367 goto end; 368 } 369 370#ifdef ENABLE_NATT 371 if (NATT_AVAILABLE(iph1)) 372 plog(LLV_INFO, LOCATION, iph1->remote, 373 "Selected NAT-T version: %s\n", 374 vid_string_by_id(iph1->natt_options->version)); 375#endif 376 377 /* check SA payload and set approval SA for use */ 378 if (ipsecdoi_checkph1proposal(satmp, iph1) < 0) { 379 plog(LLV_ERROR, LOCATION, iph1->remote, 380 "failed to get valid proposal.\n"); 381 /* XXX send information */ 382 goto end; 383 } 384 VPTRINIT(iph1->sa_ret); 385 386 iph1->status = PHASE1ST_MSG2RECEIVED; 387 388 error = 0; 389 390end: 391 if (pbuf) 392 vfree(pbuf); 393 if (satmp) 394 vfree(satmp); 395 396 if (error) { 397 VPTRINIT(iph1->nonce_p); 398 VPTRINIT(iph1->id_p); 399 } 400 401 return error; 402} 403 404/* 405 * send to responder 406 * psk: HDR, KE, HASH_I 407 * sig: HDR, KE, [ CR, ] [CERT,] SIG_I 408 * rsa: HDR, KE, HASH_I 409 * rev: HDR, <KE>Ke_i, HASH_I 410 */ 411int 412base_i2send(iph1, msg) 413 struct ph1handle *iph1; 414 vchar_t *msg; 415{ 416 struct payload_list *plist = NULL; 417 vchar_t *vid = NULL; 418 int need_cert = 0; 419 int error = -1; 420 421 /* validity check */ 422 if (iph1->status != PHASE1ST_MSG2RECEIVED) { 423 plog(LLV_ERROR, LOCATION, NULL, 424 "status mismatched %d.\n", iph1->status); 425 goto end; 426 } 427 428 /* fix isakmp index */ 429 memcpy(&iph1->index.r_ck, &((struct isakmp *)msg->v)->r_ck, 430 sizeof(cookie_t)); 431 432 /* generate DH public value */ 433 if (oakley_dh_generate(iph1->approval->dhgrp, 434 &iph1->dhpub, &iph1->dhpriv) < 0) 435 goto end; 436 437 /* generate SKEYID to compute hash if not signature mode */ 438 switch (AUTHMETHOD(iph1)) { 439 case OAKLEY_ATTR_AUTH_METHOD_RSASIG: 440 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: 441#ifdef ENABLE_HYBRID 442 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I: 443 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: 444 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: 445 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: 446 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: 447#endif 448 break; 449 default: 450 if (oakley_skeyid(iph1) < 0) 451 goto end; 452 break; 453 } 454 455 /* generate HASH to send */ 456 plog(LLV_DEBUG, LOCATION, NULL, "generate HASH_I\n"); 457 iph1->hash = oakley_ph1hash_base_i(iph1, GENERATE); 458 if (iph1->hash == NULL) 459 goto end; 460 switch (AUTHMETHOD(iph1)) { 461 case OAKLEY_ATTR_AUTH_METHOD_PSKEY: 462#ifdef ENABLE_HYBRID 463 case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I: 464 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: 465 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: 466#endif 467 vid = set_vendorid(iph1->approval->vendorid); 468 469 /* create isakmp KE payload */ 470 plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE); 471 472 /* create isakmp HASH payload */ 473 plist = isakmp_plist_append(plist, iph1->hash, ISAKMP_NPTYPE_HASH); 474 475 /* append vendor id, if needed */ 476 if (vid) 477 plist = isakmp_plist_append(plist, vid, ISAKMP_NPTYPE_VID); 478 break; 479 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: 480 case OAKLEY_ATTR_AUTH_METHOD_RSASIG: 481#ifdef ENABLE_HYBRID 482 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: 483 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: 484#endif 485 /* XXX if there is CR or not ? */ 486 487 if (oakley_getmycert(iph1) < 0) 488 goto end; 489 490 if (oakley_getsign(iph1) < 0) 491 goto end; 492 493 if (iph1->cert && iph1->rmconf->send_cert) 494 need_cert = 1; 495 496 /* create isakmp KE payload */ 497 plist = isakmp_plist_append(plist, 498 iph1->dhpub, ISAKMP_NPTYPE_KE); 499 500 /* add CERT payload if there */ 501 if (need_cert) 502 plist = isakmp_plist_append(plist, 503 iph1->cert->pl, ISAKMP_NPTYPE_CERT); 504 505 /* add SIG payload */ 506 plist = isakmp_plist_append(plist, 507 iph1->sig, ISAKMP_NPTYPE_SIG); 508 509 break; 510#ifdef HAVE_GSSAPI 511 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB: 512 /* ... */ 513 break; 514#endif 515 case OAKLEY_ATTR_AUTH_METHOD_RSAENC: 516 case OAKLEY_ATTR_AUTH_METHOD_RSAREV: 517#ifdef ENABLE_HYBRID 518 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I: 519 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I: 520#endif 521 break; 522 } 523 524#ifdef ENABLE_NATT 525 /* generate NAT-D payloads */ 526 if (NATT_AVAILABLE(iph1)) 527 { 528 vchar_t *natd[2] = { NULL, NULL }; 529 530 plog (LLV_INFO, LOCATION, NULL, "Adding remote and local NAT-D payloads.\n"); 531 if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) { 532 plog(LLV_ERROR, LOCATION, NULL, 533 "NAT-D hashing failed for %s\n", saddr2str(iph1->remote)); 534 goto end; 535 } 536 537 if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) { 538 plog(LLV_ERROR, LOCATION, NULL, 539 "NAT-D hashing failed for %s\n", saddr2str(iph1->local)); 540 goto end; 541 } 542 543 plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d); 544 plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d); 545 } 546#endif 547 548 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1); 549 550#ifdef HAVE_PRINT_ISAKMP_C 551 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0); 552#endif 553 554 /* send the packet, add to the schedule to resend */ 555 iph1->retry_counter = iph1->rmconf->retry_counter; 556 if (isakmp_ph1resend(iph1) == -1) 557 goto end; 558 559 /* the sending message is added to the received-list. */ 560 if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) { 561 plog(LLV_ERROR , LOCATION, NULL, 562 "failed to add a response packet to the tree.\n"); 563 goto end; 564 } 565 566 iph1->status = PHASE1ST_MSG2SENT; 567 568 error = 0; 569 570end: 571 if (vid) 572 vfree(vid); 573 return error; 574} 575 576/* 577 * receive from responder 578 * psk: HDR, KE, HASH_R 579 * sig: HDR, KE, [CERT,] SIG_R 580 * rsa: HDR, KE, HASH_R 581 * rev: HDR, <KE>_Ke_r, HASH_R 582 */ 583int 584base_i3recv(iph1, msg) 585 struct ph1handle *iph1; 586 vchar_t *msg; 587{ 588 vchar_t *pbuf = NULL; 589 struct isakmp_parse_t *pa; 590 int error = -1; 591 int ptype; 592#ifdef ENABLE_NATT 593 vchar_t *natd_received; 594 int natd_seq = 0, natd_verified; 595#endif 596 597 /* validity check */ 598 if (iph1->status != PHASE1ST_MSG2SENT) { 599 plog(LLV_ERROR, LOCATION, NULL, 600 "status mismatched %d.\n", iph1->status); 601 goto end; 602 } 603 604 /* validate the type of next payload */ 605 pbuf = isakmp_parse(msg); 606 if (pbuf == NULL) 607 goto end; 608 609 for (pa = (struct isakmp_parse_t *)pbuf->v; 610 pa->type != ISAKMP_NPTYPE_NONE; 611 pa++) { 612 613 switch (pa->type) { 614 case ISAKMP_NPTYPE_KE: 615 if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) 616 goto end; 617 break; 618 case ISAKMP_NPTYPE_HASH: 619 iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr; 620 break; 621 case ISAKMP_NPTYPE_CERT: 622 if (oakley_savecert(iph1, pa->ptr) < 0) 623 goto end; 624 break; 625 case ISAKMP_NPTYPE_SIG: 626 if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) 627 goto end; 628 break; 629 case ISAKMP_NPTYPE_VID: 630 handle_vendorid(iph1, pa->ptr); 631 break; 632 633#ifdef ENABLE_NATT 634 case ISAKMP_NPTYPE_NATD_DRAFT: 635 case ISAKMP_NPTYPE_NATD_RFC: 636 if (NATT_AVAILABLE(iph1) && iph1->natt_options && 637 pa->type == iph1->natt_options->payload_nat_d) { 638 natd_received = NULL; 639 if (isakmp_p2ph (&natd_received, pa->ptr) < 0) 640 goto end; 641 642 /* set both bits first so that we can clear them 643 upon verifying hashes */ 644 if (natd_seq == 0) 645 iph1->natt_flags |= NAT_DETECTED; 646 647 /* this function will clear appropriate bits bits 648 from iph1->natt_flags */ 649 natd_verified = natt_compare_addr_hash (iph1, 650 natd_received, natd_seq++); 651 652 plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n", 653 natd_seq - 1, 654 natd_verified ? "verified" : "doesn't match"); 655 656 vfree (natd_received); 657 break; 658 } 659 /* passthrough to default... */ 660#endif 661 662 default: 663 /* don't send information, see ident_r1recv() */ 664 plog(LLV_ERROR, LOCATION, iph1->remote, 665 "ignore the packet, " 666 "received unexpecting payload type %d.\n", 667 pa->type); 668 goto end; 669 } 670 } 671 672#ifdef ENABLE_NATT 673 if (NATT_AVAILABLE(iph1)) { 674 plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n", 675 iph1->natt_flags & NAT_DETECTED ? 676 "detected:" : "not detected", 677 iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "", 678 iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : ""); 679 if (iph1->natt_flags & NAT_DETECTED) 680 natt_float_ports (iph1); 681 } 682#endif 683 684 /* payload existency check */ 685 /* validate authentication value */ 686 ptype = oakley_validate_auth(iph1); 687 if (ptype != 0) { 688 if (ptype == -1) { 689 /* message printed inner oakley_validate_auth() */ 690 goto end; 691 } 692 EVT_PUSH(iph1->local, iph1->remote, 693 EVTT_PEERPH1AUTH_FAILED, NULL); 694 isakmp_info_send_n1(iph1, ptype, NULL); 695 goto end; 696 } 697 698 /* compute sharing secret of DH */ 699 if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub, 700 iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) 701 goto end; 702 703 /* generate SKEYID to compute hash if signature mode */ 704 switch (AUTHMETHOD(iph1)) { 705 case OAKLEY_ATTR_AUTH_METHOD_RSASIG: 706 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: 707#ifdef ENABLE_HYBRID 708 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I: 709 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: 710 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: 711 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: 712 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: 713#endif 714 if (oakley_skeyid(iph1) < 0) 715 goto end; 716 break; 717 default: 718 break; 719 } 720 721 /* generate SKEYIDs & IV & final cipher key */ 722 if (oakley_skeyid_dae(iph1) < 0) 723 goto end; 724 if (oakley_compute_enckey(iph1) < 0) 725 goto end; 726 if (oakley_newiv(iph1) < 0) 727 goto end; 728 729 /* see handler.h about IV synchronization. */ 730 memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->iv->l); 731 732 /* set encryption flag */ 733 iph1->flags |= ISAKMP_FLAG_E; 734 735 iph1->status = PHASE1ST_MSG3RECEIVED; 736 737 error = 0; 738 739end: 740 if (pbuf) 741 vfree(pbuf); 742 743 if (error) { 744 VPTRINIT(iph1->dhpub_p); 745 oakley_delcert(iph1->cert_p); 746 iph1->cert_p = NULL; 747 oakley_delcert(iph1->crl_p); 748 iph1->crl_p = NULL; 749 VPTRINIT(iph1->sig_p); 750 } 751 752 return error; 753} 754 755/* 756 * status update and establish isakmp sa. 757 */ 758int 759base_i3send(iph1, msg) 760 struct ph1handle *iph1; 761 vchar_t *msg; 762{ 763 int error = -1; 764 765 /* validity check */ 766 if (iph1->status != PHASE1ST_MSG3RECEIVED) { 767 plog(LLV_ERROR, LOCATION, NULL, 768 "status mismatched %d.\n", iph1->status); 769 goto end; 770 } 771 772 iph1->status = PHASE1ST_ESTABLISHED; 773 774 error = 0; 775 776end: 777 return error; 778} 779 780/* 781 * receive from initiator 782 * psk: HDR, SA, Idii, Ni_b 783 * sig: HDR, SA, Idii, Ni_b 784 * rsa: HDR, SA, [HASH(1),] <IDii_b>Pubkey_r, <Ni_b>Pubkey_r 785 * rev: HDR, SA, [HASH(1),] <Ni_b>Pubkey_r, <IDii_b>Ke_i 786 */ 787int 788base_r1recv(iph1, msg) 789 struct ph1handle *iph1; 790 vchar_t *msg; 791{ 792 vchar_t *pbuf = NULL; 793 struct isakmp_parse_t *pa; 794 int error = -1; 795 int vid_numeric; 796 797 /* validity check */ 798 if (iph1->status != PHASE1ST_START) { 799 plog(LLV_ERROR, LOCATION, NULL, 800 "status mismatched %d.\n", iph1->status); 801 goto end; 802 } 803 804 /* validate the type of next payload */ 805 /* 806 * NOTE: XXX even if multiple VID, we'll silently ignore those. 807 */ 808 pbuf = isakmp_parse(msg); 809 if (pbuf == NULL) 810 goto end; 811 pa = (struct isakmp_parse_t *)pbuf->v; 812 813 /* check the position of SA payload */ 814 if (pa->type != ISAKMP_NPTYPE_SA) { 815 plog(LLV_ERROR, LOCATION, iph1->remote, 816 "received invalid next payload type %d, " 817 "expecting %d.\n", 818 pa->type, ISAKMP_NPTYPE_SA); 819 goto end; 820 } 821 if (isakmp_p2ph(&iph1->sa, pa->ptr) < 0) 822 goto end; 823 pa++; 824 825 for (/*nothing*/; 826 pa->type != ISAKMP_NPTYPE_NONE; 827 pa++) { 828 829 switch (pa->type) { 830 case ISAKMP_NPTYPE_NONCE: 831 if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) 832 goto end; 833 break; 834 case ISAKMP_NPTYPE_ID: 835 if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) 836 goto end; 837 break; 838 case ISAKMP_NPTYPE_VID: 839 vid_numeric = handle_vendorid(iph1, pa->ptr); 840#ifdef ENABLE_FRAG 841 if ((vid_numeric == VENDORID_FRAG) && 842 (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_BASE)) 843 iph1->frag = 1; 844#endif 845 break; 846 default: 847 /* don't send information, see ident_r1recv() */ 848 plog(LLV_ERROR, LOCATION, iph1->remote, 849 "ignore the packet, " 850 "received unexpecting payload type %d.\n", 851 pa->type); 852 goto end; 853 } 854 } 855 856 if (iph1->nonce_p == NULL || iph1->id_p == NULL) { 857 plog(LLV_ERROR, LOCATION, iph1->remote, 858 "few isakmp message received.\n"); 859 goto end; 860 } 861 862 /* verify identifier */ 863 if (ipsecdoi_checkid1(iph1) != 0) { 864 plog(LLV_ERROR, LOCATION, iph1->remote, 865 "invalid ID payload.\n"); 866 goto end; 867 } 868 869#ifdef ENABLE_NATT 870 if (NATT_AVAILABLE(iph1)) 871 plog(LLV_INFO, LOCATION, iph1->remote, 872 "Selected NAT-T version: %s\n", 873 vid_string_by_id(iph1->natt_options->version)); 874#endif 875 876 /* check SA payload and set approval SA for use */ 877 if (ipsecdoi_checkph1proposal(iph1->sa, iph1) < 0) { 878 plog(LLV_ERROR, LOCATION, iph1->remote, 879 "failed to get valid proposal.\n"); 880 /* XXX send information */ 881 goto end; 882 } 883 884 iph1->status = PHASE1ST_MSG1RECEIVED; 885 886 error = 0; 887 888end: 889 if (pbuf) 890 vfree(pbuf); 891 892 if (error) { 893 VPTRINIT(iph1->sa); 894 VPTRINIT(iph1->nonce_p); 895 VPTRINIT(iph1->id_p); 896 } 897 898 return error; 899} 900 901/* 902 * send to initiator 903 * psk: HDR, SA, Idir, Nr_b 904 * sig: HDR, SA, Idir, Nr_b, [ CR ] 905 * rsa: HDR, SA, <IDir_b>PubKey_i, <Nr_b>PubKey_i 906 * rev: HDR, SA, <Nr_b>PubKey_i, <IDir_b>Ke_r 907 */ 908int 909base_r1send(iph1, msg) 910 struct ph1handle *iph1; 911 vchar_t *msg; 912{ 913 struct payload_list *plist = NULL; 914 int error = -1; 915#ifdef ENABLE_NATT 916 vchar_t *vid_natt = NULL; 917#endif 918#ifdef ENABLE_HYBRID 919 vchar_t *vid_xauth = NULL; 920 vchar_t *vid_unity = NULL; 921#endif 922#ifdef ENABLE_FRAG 923 vchar_t *vid_frag = NULL; 924#endif 925#ifdef ENABLE_DPD 926 vchar_t *vid_dpd = NULL; 927#endif 928 929 /* validity check */ 930 if (iph1->status != PHASE1ST_MSG1RECEIVED) { 931 plog(LLV_ERROR, LOCATION, NULL, 932 "status mismatched %d.\n", iph1->status); 933 goto end; 934 } 935 936 /* set responder's cookie */ 937 isakmp_newcookie((caddr_t)&iph1->index.r_ck, iph1->remote, iph1->local); 938 939 /* make ID payload into isakmp status */ 940 if (ipsecdoi_setid1(iph1) < 0) 941 goto end; 942 943 /* generate NONCE value */ 944 iph1->nonce = eay_set_random(iph1->rmconf->nonce_size); 945 if (iph1->nonce == NULL) 946 goto end; 947 948 /* set SA payload to reply */ 949 plist = isakmp_plist_append(plist, iph1->sa_ret, ISAKMP_NPTYPE_SA); 950 951 /* create isakmp ID payload */ 952 plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID); 953 954 /* create isakmp NONCE payload */ 955 plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE); 956 957#ifdef ENABLE_NATT 958 /* has the peer announced nat-t? */ 959 if (NATT_AVAILABLE(iph1)) 960 vid_natt = set_vendorid(iph1->natt_options->version); 961 if (vid_natt) 962 plist = isakmp_plist_append(plist, vid_natt, ISAKMP_NPTYPE_VID); 963#endif 964#ifdef ENABLE_HYBRID 965 if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) { 966 plog (LLV_INFO, LOCATION, NULL, "Adding xauth VID payload.\n"); 967 if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL) { 968 plog(LLV_ERROR, LOCATION, NULL, 969 "Cannot create Xauth vendor ID\n"); 970 goto end; 971 } 972 plist = isakmp_plist_append(plist, 973 vid_xauth, ISAKMP_NPTYPE_VID); 974 } 975 976 if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_UNITY) { 977 if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL) { 978 plog(LLV_ERROR, LOCATION, NULL, 979 "Cannot create Unity vendor ID\n"); 980 goto end; 981 } 982 plist = isakmp_plist_append(plist, 983 vid_unity, ISAKMP_NPTYPE_VID); 984 } 985#endif 986#ifdef ENABLE_DPD 987 /* 988 * Only send DPD support if remote announced DPD 989 * and if DPD support is active 990 */ 991 if (iph1->dpd_support && iph1->rmconf->dpd) { 992 if ((vid_dpd = set_vendorid(VENDORID_DPD)) == NULL) { 993 plog(LLV_ERROR, LOCATION, NULL, 994 "DPD vendorID construction failed\n"); 995 } else { 996 plist = isakmp_plist_append(plist, vid_dpd, 997 ISAKMP_NPTYPE_VID); 998 } 999 } 1000#endif 1001#ifdef ENABLE_FRAG 1002 if (iph1->rmconf->ike_frag) { 1003 if ((vid_frag = set_vendorid(VENDORID_FRAG)) == NULL) { 1004 plog(LLV_ERROR, LOCATION, NULL, 1005 "Frag vendorID construction failed\n"); 1006 } else { 1007 vid_frag = isakmp_frag_addcap(vid_frag, 1008 VENDORID_FRAG_BASE); 1009 plist = isakmp_plist_append(plist, 1010 vid_frag, ISAKMP_NPTYPE_VID); 1011 } 1012 } 1013#endif 1014 1015 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1); 1016 1017#ifdef HAVE_PRINT_ISAKMP_C 1018 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0); 1019#endif 1020 1021 /* send the packet, add to the schedule to resend */ 1022 iph1->retry_counter = iph1->rmconf->retry_counter; 1023 if (isakmp_ph1resend(iph1) == -1) { 1024 iph1 = NULL; 1025 goto end; 1026 } 1027 1028 /* the sending message is added to the received-list. */ 1029 if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) { 1030 plog(LLV_ERROR , LOCATION, NULL, 1031 "failed to add a response packet to the tree.\n"); 1032 goto end; 1033 } 1034 1035 iph1->status = PHASE1ST_MSG1SENT; 1036 1037 error = 0; 1038 1039end: 1040#ifdef ENABLE_NATT 1041 if (vid_natt) 1042 vfree(vid_natt); 1043#endif 1044#ifdef ENABLE_HYBRID 1045 if (vid_xauth != NULL) 1046 vfree(vid_xauth); 1047 if (vid_unity != NULL) 1048 vfree(vid_unity); 1049#endif 1050#ifdef ENABLE_FRAG 1051 if (vid_frag) 1052 vfree(vid_frag); 1053#endif 1054#ifdef ENABLE_DPD 1055 if (vid_dpd) 1056 vfree(vid_dpd); 1057#endif 1058 1059 if (iph1 != NULL) 1060 VPTRINIT(iph1->sa_ret); 1061 1062 return error; 1063} 1064 1065/* 1066 * receive from initiator 1067 * psk: HDR, KE, HASH_I 1068 * sig: HDR, KE, [ CR, ] [CERT,] SIG_I 1069 * rsa: HDR, KE, HASH_I 1070 * rev: HDR, <KE>Ke_i, HASH_I 1071 */ 1072int 1073base_r2recv(iph1, msg) 1074 struct ph1handle *iph1; 1075 vchar_t *msg; 1076{ 1077 vchar_t *pbuf = NULL; 1078 struct isakmp_parse_t *pa; 1079 int error = -1; 1080 int ptype; 1081#ifdef ENABLE_NATT 1082 int natd_seq = 0; 1083#endif 1084 1085 /* validity check */ 1086 if (iph1->status != PHASE1ST_MSG1SENT) { 1087 plog(LLV_ERROR, LOCATION, NULL, 1088 "status mismatched %d.\n", iph1->status); 1089 goto end; 1090 } 1091 1092 /* validate the type of next payload */ 1093 pbuf = isakmp_parse(msg); 1094 if (pbuf == NULL) 1095 goto end; 1096 1097 iph1->pl_hash = NULL; 1098 1099 for (pa = (struct isakmp_parse_t *)pbuf->v; 1100 pa->type != ISAKMP_NPTYPE_NONE; 1101 pa++) { 1102 1103 switch (pa->type) { 1104 case ISAKMP_NPTYPE_KE: 1105 if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) 1106 goto end; 1107 break; 1108 case ISAKMP_NPTYPE_HASH: 1109 iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr; 1110 break; 1111 case ISAKMP_NPTYPE_CERT: 1112 if (oakley_savecert(iph1, pa->ptr) < 0) 1113 goto end; 1114 break; 1115 case ISAKMP_NPTYPE_SIG: 1116 if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) 1117 goto end; 1118 break; 1119 case ISAKMP_NPTYPE_VID: 1120 handle_vendorid(iph1, pa->ptr); 1121 break; 1122 1123#ifdef ENABLE_NATT 1124 case ISAKMP_NPTYPE_NATD_DRAFT: 1125 case ISAKMP_NPTYPE_NATD_RFC: 1126 if (pa->type == iph1->natt_options->payload_nat_d) 1127 { 1128 vchar_t *natd_received = NULL; 1129 int natd_verified; 1130 1131 if (isakmp_p2ph (&natd_received, pa->ptr) < 0) 1132 goto end; 1133 1134 if (natd_seq == 0) 1135 iph1->natt_flags |= NAT_DETECTED; 1136 1137 natd_verified = natt_compare_addr_hash (iph1, 1138 natd_received, natd_seq++); 1139 1140 plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n", 1141 natd_seq - 1, 1142 natd_verified ? "verified" : "doesn't match"); 1143 1144 vfree (natd_received); 1145 break; 1146 } 1147 /* passthrough to default... */ 1148#endif 1149 1150 default: 1151 /* don't send information, see ident_r1recv() */ 1152 plog(LLV_ERROR, LOCATION, iph1->remote, 1153 "ignore the packet, " 1154 "received unexpecting payload type %d.\n", 1155 pa->type); 1156 goto end; 1157 } 1158 } 1159 1160 /* generate DH public value */ 1161 if (oakley_dh_generate(iph1->approval->dhgrp, 1162 &iph1->dhpub, &iph1->dhpriv) < 0) 1163 goto end; 1164 1165 /* compute sharing secret of DH */ 1166 if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub, 1167 iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) 1168 goto end; 1169 1170 /* generate SKEYID */ 1171 if (oakley_skeyid(iph1) < 0) 1172 goto end; 1173 1174#ifdef ENABLE_NATT 1175 if (NATT_AVAILABLE(iph1)) 1176 plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n", 1177 iph1->natt_flags & NAT_DETECTED ? 1178 "detected:" : "not detected", 1179 iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "", 1180 iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : ""); 1181#endif 1182 1183 /* payload existency check */ 1184 /* validate authentication value */ 1185 ptype = oakley_validate_auth(iph1); 1186 if (ptype != 0) { 1187 if (ptype == -1) { 1188 /* message printed inner oakley_validate_auth() */ 1189 goto end; 1190 } 1191 EVT_PUSH(iph1->local, iph1->remote, 1192 EVTT_PEERPH1AUTH_FAILED, NULL); 1193 isakmp_info_send_n1(iph1, ptype, NULL); 1194 goto end; 1195 } 1196 1197 iph1->status = PHASE1ST_MSG2RECEIVED; 1198 1199 error = 0; 1200 1201end: 1202 if (pbuf) 1203 vfree(pbuf); 1204 1205 if (error) { 1206 VPTRINIT(iph1->dhpub_p); 1207 oakley_delcert(iph1->cert_p); 1208 iph1->cert_p = NULL; 1209 oakley_delcert(iph1->crl_p); 1210 iph1->crl_p = NULL; 1211 VPTRINIT(iph1->sig_p); 1212 } 1213 1214 return error; 1215} 1216 1217/* 1218 * send to initiator 1219 * psk: HDR, KE, HASH_R 1220 * sig: HDR, KE, [CERT,] SIG_R 1221 * rsa: HDR, KE, HASH_R 1222 * rev: HDR, <KE>_Ke_r, HASH_R 1223 */ 1224int 1225base_r2send(iph1, msg) 1226 struct ph1handle *iph1; 1227 vchar_t *msg; 1228{ 1229 struct payload_list *plist = NULL; 1230 vchar_t *vid = NULL; 1231 int need_cert = 0; 1232 int error = -1; 1233 1234 /* validity check */ 1235 if (iph1->status != PHASE1ST_MSG2RECEIVED) { 1236 plog(LLV_ERROR, LOCATION, NULL, 1237 "status mismatched %d.\n", iph1->status); 1238 goto end; 1239 } 1240 1241 /* generate HASH to send */ 1242 plog(LLV_DEBUG, LOCATION, NULL, "generate HASH_I\n"); 1243 switch (AUTHMETHOD(iph1)) { 1244 case OAKLEY_ATTR_AUTH_METHOD_PSKEY: 1245#ifdef ENABLE_HYBRID 1246 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R: 1247#endif 1248 case OAKLEY_ATTR_AUTH_METHOD_RSAENC: 1249 case OAKLEY_ATTR_AUTH_METHOD_RSAREV: 1250#ifdef ENABLE_HYBRID 1251 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R: 1252 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: 1253#endif 1254 iph1->hash = oakley_ph1hash_common(iph1, GENERATE); 1255 break; 1256 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: 1257 case OAKLEY_ATTR_AUTH_METHOD_RSASIG: 1258#ifdef ENABLE_HYBRID 1259 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R: 1260 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: 1261 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R: 1262 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R: 1263#endif 1264#ifdef HAVE_GSSAPI 1265 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB: 1266#endif 1267 iph1->hash = oakley_ph1hash_base_r(iph1, GENERATE); 1268 break; 1269 default: 1270 plog(LLV_ERROR, LOCATION, NULL, 1271 "invalid authentication method %d\n", 1272 iph1->approval->authmethod); 1273 goto end; 1274 } 1275 if (iph1->hash == NULL) 1276 goto end; 1277 1278 switch (AUTHMETHOD(iph1)) { 1279 case OAKLEY_ATTR_AUTH_METHOD_PSKEY: 1280#ifdef ENABLE_HYBRID 1281 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R: 1282#endif 1283 vid = set_vendorid(iph1->approval->vendorid); 1284 1285 /* create isakmp KE payload */ 1286 plist = isakmp_plist_append(plist, 1287 iph1->dhpub, ISAKMP_NPTYPE_KE); 1288 1289 /* create isakmp HASH payload */ 1290 plist = isakmp_plist_append(plist, 1291 iph1->hash, ISAKMP_NPTYPE_HASH); 1292 1293 /* append vendor id, if needed */ 1294 if (vid) 1295 plist = isakmp_plist_append(plist, 1296 vid, ISAKMP_NPTYPE_VID); 1297 break; 1298 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: 1299 case OAKLEY_ATTR_AUTH_METHOD_RSASIG: 1300#ifdef ENABLE_HYBRID 1301 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R: 1302 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: 1303 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R: 1304 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R: 1305#endif 1306 /* XXX if there is CR or not ? */ 1307 1308 if (oakley_getmycert(iph1) < 0) 1309 goto end; 1310 1311 if (oakley_getsign(iph1) < 0) 1312 goto end; 1313 1314 if (iph1->cert && iph1->rmconf->send_cert) 1315 need_cert = 1; 1316 1317 /* create isakmp KE payload */ 1318 plist = isakmp_plist_append(plist, 1319 iph1->dhpub, ISAKMP_NPTYPE_KE); 1320 1321 /* add CERT payload if there */ 1322 if (need_cert) 1323 plist = isakmp_plist_append(plist, 1324 iph1->cert->pl, ISAKMP_NPTYPE_CERT); 1325 /* add SIG payload */ 1326 plist = isakmp_plist_append(plist, 1327 iph1->sig, ISAKMP_NPTYPE_SIG); 1328 break; 1329#ifdef HAVE_GSSAPI 1330 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB: 1331 /* ... */ 1332 break; 1333#endif 1334 case OAKLEY_ATTR_AUTH_METHOD_RSAENC: 1335 case OAKLEY_ATTR_AUTH_METHOD_RSAREV: 1336#ifdef ENABLE_HYBRID 1337 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R: 1338 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: 1339#endif 1340 break; 1341 } 1342 1343#ifdef ENABLE_NATT 1344 /* generate NAT-D payloads */ 1345 if (NATT_AVAILABLE(iph1)) { 1346 vchar_t *natd[2] = { NULL, NULL }; 1347 1348 plog(LLV_INFO, LOCATION, 1349 NULL, "Adding remote and local NAT-D payloads.\n"); 1350 if ((natd[0] = natt_hash_addr(iph1, iph1->remote)) == NULL) { 1351 plog(LLV_ERROR, LOCATION, NULL, 1352 "NAT-D hashing failed for %s\n", 1353 saddr2str(iph1->remote)); 1354 goto end; 1355 } 1356 1357 if ((natd[1] = natt_hash_addr(iph1, iph1->local)) == NULL) { 1358 plog(LLV_ERROR, LOCATION, NULL, 1359 "NAT-D hashing failed for %s\n", 1360 saddr2str(iph1->local)); 1361 goto end; 1362 } 1363 1364 plist = isakmp_plist_append(plist, 1365 natd[0], iph1->natt_options->payload_nat_d); 1366 plist = isakmp_plist_append(plist, 1367 natd[1], iph1->natt_options->payload_nat_d); 1368 } 1369#endif 1370 1371 iph1->sendbuf = isakmp_plist_set_all(&plist, iph1); 1372 1373#ifdef HAVE_PRINT_ISAKMP_C 1374 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0); 1375#endif 1376 1377 /* send HDR;KE;NONCE to responder */ 1378 if (isakmp_send(iph1, iph1->sendbuf) < 0) 1379 goto end; 1380 1381 /* the sending message is added to the received-list. */ 1382 if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) { 1383 plog(LLV_ERROR , LOCATION, NULL, 1384 "failed to add a response packet to the tree.\n"); 1385 goto end; 1386 } 1387 1388 /* generate SKEYIDs & IV & final cipher key */ 1389 if (oakley_skeyid_dae(iph1) < 0) 1390 goto end; 1391 if (oakley_compute_enckey(iph1) < 0) 1392 goto end; 1393 if (oakley_newiv(iph1) < 0) 1394 goto end; 1395 1396 /* set encryption flag */ 1397 iph1->flags |= ISAKMP_FLAG_E; 1398 1399 iph1->status = PHASE1ST_ESTABLISHED; 1400 1401 error = 0; 1402 1403end: 1404 if (vid) 1405 vfree(vid); 1406 return error; 1407} 1408