1 /* $NetBSD: isakmp_base.c,v 1.7 2006/10/02 21:51:33 manu Exp $ */
2
3 /* $KAME: isakmp_base.c,v 1.49 2003/11/13 02:30:20 sakane Exp $ */
4
5 /*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 /* Base Exchange (Base Mode) */
35
36 #include "config.h"
37
38 #include <sys/types.h>
39 #include <sys/param.h>
40
41 #include <stdlib.h>
42 #include <stdio.h>
43 #include <string.h>
44 #include <errno.h>
45 #if TIME_WITH_SYS_TIME
46 # include <sys/time.h>
47 # include <time.h>
48 #else
49 # if HAVE_SYS_TIME_H
50 # include <sys/time.h>
51 # else
52 # include <time.h>
53 # endif
54 #endif
55
56 #include "var.h"
57 #include "misc.h"
58 #include "vmbuf.h"
59 #include "plog.h"
60 #include "sockmisc.h"
61 #include "schedule.h"
62 #include "debug.h"
63
64 #ifdef ENABLE_HYBRID
65 #include <resolv.h>
66 #endif
67
68 #include "localconf.h"
69 #include "remoteconf.h"
70 #include "isakmp_var.h"
71 #include "isakmp.h"
72 #include "evt.h"
73 #include "oakley.h"
74 #include "handler.h"
75 #include "ipsec_doi.h"
76 #include "crypto_openssl.h"
77 #include "pfkey.h"
78 #include "isakmp_base.h"
79 #include "isakmp_inf.h"
80 #include "vendorid.h"
81 #ifdef ENABLE_NATT
82 #include "nattraversal.h"
83 #endif
84 #ifdef ENABLE_FRAG
85 #include "isakmp_frag.h"
86 #endif
87 #ifdef ENABLE_HYBRID
88 #include "isakmp_xauth.h"
89 #include "isakmp_cfg.h"
90 #endif
91
92 /* %%%
93 * begin Identity Protection Mode as initiator.
94 */
95 /*
96 * send to responder
97 * psk: HDR, SA, Idii, Ni_b
98 * sig: HDR, SA, Idii, Ni_b
99 * rsa: HDR, SA, [HASH(1),] <IDii_b>Pubkey_r, <Ni_b>Pubkey_r
100 * rev: HDR, SA, [HASH(1),] <Ni_b>Pubkey_r, <IDii_b>Ke_i
101 */
102 int
base_i1send(iph1,msg)103 base_i1send(iph1, msg)
104 struct ph1handle *iph1;
105 vchar_t *msg; /* must be null */
106 {
107 struct payload_list *plist = NULL;
108 int error = -1;
109 #ifdef ENABLE_NATT
110 vchar_t *vid_natt[MAX_NATT_VID_COUNT] = { NULL };
111 int i, vid_natt_i = 0;
112 #endif
113 #ifdef ENABLE_FRAG
114 vchar_t *vid_frag = NULL;
115 #endif
116 #ifdef ENABLE_HYBRID
117 vchar_t *vid_xauth = NULL;
118 vchar_t *vid_unity = NULL;
119 #endif
120 #ifdef ENABLE_DPD
121 vchar_t *vid_dpd = NULL;
122 #endif
123
124
125 /* validity check */
126 if (msg != NULL) {
127 plog(LLV_ERROR, LOCATION, NULL,
128 "msg has to be NULL in this function.\n");
129 goto end;
130 }
131 if (iph1->status != PHASE1ST_START) {
132 plog(LLV_ERROR, LOCATION, NULL,
133 "status mismatched %d.\n", iph1->status);
134 goto end;
135 }
136
137 /* create isakmp index */
138 memset(&iph1->index, 0, sizeof(iph1->index));
139 isakmp_newcookie((caddr_t)&iph1->index, iph1->remote, iph1->local);
140
141 /* make ID payload into isakmp status */
142 if (ipsecdoi_setid1(iph1) < 0)
143 goto end;
144
145 /* create SA payload for my proposal */
146 iph1->sa = ipsecdoi_setph1proposal(iph1->rmconf->proposal);
147 if (iph1->sa == NULL)
148 goto end;
149
150 /* generate NONCE value */
151 iph1->nonce = eay_set_random(iph1->rmconf->nonce_size);
152 if (iph1->nonce == NULL)
153 goto end;
154
155 #ifdef ENABLE_HYBRID
156 /* Do we need Xauth VID? */
157 switch (RMAUTHMETHOD(iph1)) {
158 case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
159 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
160 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
161 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
162 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
163 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
164 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
165 if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL)
166 plog(LLV_ERROR, LOCATION, NULL,
167 "Xauth vendor ID generation failed\n");
168
169 if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL)
170 plog(LLV_ERROR, LOCATION, NULL,
171 "Unity vendor ID generation failed\n");
172 break;
173 default:
174 break;
175 }
176 #endif
177 #ifdef ENABLE_FRAG
178 if (iph1->rmconf->ike_frag) {
179 vid_frag = set_vendorid(VENDORID_FRAG);
180 if (vid_frag != NULL)
181 vid_frag = isakmp_frag_addcap(vid_frag,
182 VENDORID_FRAG_BASE);
183 if (vid_frag == NULL)
184 plog(LLV_ERROR, LOCATION, NULL,
185 "Frag vendorID construction failed\n");
186 }
187 #endif
188 #ifdef ENABLE_NATT
189 /* Is NAT-T support allowed in the config file? */
190 if (iph1->rmconf->nat_traversal) {
191 /* Advertise NAT-T capability */
192 memset (vid_natt, 0, sizeof (vid_natt));
193 #ifdef VENDORID_NATT_00
194 if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_00)) != NULL)
195 vid_natt_i++;
196 #endif
197 #ifdef VENDORID_NATT_02
198 if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_02)) != NULL)
199 vid_natt_i++;
200 #endif
201 #ifdef VENDORID_NATT_02_N
202 if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_02_N)) != NULL)
203 vid_natt_i++;
204 #endif
205 #ifdef VENDORID_NATT_RFC
206 if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_RFC)) != NULL)
207 vid_natt_i++;
208 #endif
209 }
210 #endif
211
212 /* set SA payload to propose */
213 plist = isakmp_plist_append(plist, iph1->sa, ISAKMP_NPTYPE_SA);
214
215 /* create isakmp ID payload */
216 plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
217
218 /* create isakmp NONCE payload */
219 plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE);
220
221 #ifdef ENABLE_FRAG
222 if (vid_frag)
223 plist = isakmp_plist_append(plist, vid_frag, ISAKMP_NPTYPE_VID);
224 #endif
225 #ifdef ENABLE_HYBRID
226 if (vid_xauth)
227 plist = isakmp_plist_append(plist,
228 vid_xauth, ISAKMP_NPTYPE_VID);
229 if (vid_unity)
230 plist = isakmp_plist_append(plist,
231 vid_unity, ISAKMP_NPTYPE_VID);
232 #endif
233 #ifdef ENABLE_DPD
234 if (iph1->rmconf->dpd) {
235 vid_dpd = set_vendorid(VENDORID_DPD);
236 if (vid_dpd != NULL)
237 plist = isakmp_plist_append(plist, vid_dpd, ISAKMP_NPTYPE_VID);
238 }
239 #endif
240 #ifdef ENABLE_NATT
241 /* set VID payload for NAT-T */
242 for (i = 0; i < vid_natt_i; i++)
243 plist = isakmp_plist_append(plist, vid_natt[i], ISAKMP_NPTYPE_VID);
244 #endif
245 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
246
247
248 #ifdef HAVE_PRINT_ISAKMP_C
249 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
250 #endif
251
252 /* send the packet, add to the schedule to resend */
253 iph1->retry_counter = iph1->rmconf->retry_counter;
254 if (isakmp_ph1resend(iph1) == -1)
255 goto end;
256
257 iph1->status = PHASE1ST_MSG1SENT;
258
259 error = 0;
260
261 end:
262 #ifdef ENABLE_FRAG
263 if (vid_frag)
264 vfree(vid_frag);
265 #endif
266 #ifdef ENABLE_NATT
267 for (i = 0; i < vid_natt_i; i++)
268 vfree(vid_natt[i]);
269 #endif
270 #ifdef ENABLE_HYBRID
271 if (vid_xauth != NULL)
272 vfree(vid_xauth);
273 if (vid_unity != NULL)
274 vfree(vid_unity);
275 #endif
276 #ifdef ENABLE_DPD
277 if (vid_dpd != NULL)
278 vfree(vid_dpd);
279 #endif
280
281 return error;
282 }
283
284 /*
285 * receive from responder
286 * psk: HDR, SA, Idir, Nr_b
287 * sig: HDR, SA, Idir, Nr_b, [ CR ]
288 * rsa: HDR, SA, <IDir_b>PubKey_i, <Nr_b>PubKey_i
289 * rev: HDR, SA, <Nr_b>PubKey_i, <IDir_b>Ke_r
290 */
291 int
base_i2recv(iph1,msg)292 base_i2recv(iph1, msg)
293 struct ph1handle *iph1;
294 vchar_t *msg;
295 {
296 vchar_t *pbuf = NULL;
297 struct isakmp_parse_t *pa;
298 vchar_t *satmp = NULL;
299 int error = -1;
300 int vid_numeric;
301 #ifdef ENABLE_HYBRID
302 vchar_t *unity_vid;
303 vchar_t *xauth_vid;
304 #endif
305
306 /* validity check */
307 if (iph1->status != PHASE1ST_MSG1SENT) {
308 plog(LLV_ERROR, LOCATION, NULL,
309 "status mismatched %d.\n", iph1->status);
310 goto end;
311 }
312
313 /* validate the type of next payload */
314 pbuf = isakmp_parse(msg);
315 if (pbuf == NULL)
316 goto end;
317 pa = (struct isakmp_parse_t *)pbuf->v;
318
319 /* SA payload is fixed postion */
320 if (pa->type != ISAKMP_NPTYPE_SA) {
321 plog(LLV_ERROR, LOCATION, iph1->remote,
322 "received invalid next payload type %d, "
323 "expecting %d.\n",
324 pa->type, ISAKMP_NPTYPE_SA);
325 goto end;
326 }
327 if (isakmp_p2ph(&satmp, pa->ptr) < 0)
328 goto end;
329 pa++;
330
331 for (/*nothing*/;
332 pa->type != ISAKMP_NPTYPE_NONE;
333 pa++) {
334
335 switch (pa->type) {
336 case ISAKMP_NPTYPE_NONCE:
337 if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0)
338 goto end;
339 break;
340 case ISAKMP_NPTYPE_ID:
341 if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0)
342 goto end;
343 break;
344 case ISAKMP_NPTYPE_VID:
345 handle_vendorid(iph1, pa->ptr);
346 break;
347 default:
348 /* don't send information, see ident_r1recv() */
349 plog(LLV_ERROR, LOCATION, iph1->remote,
350 "ignore the packet, "
351 "received unexpecting payload type %d.\n",
352 pa->type);
353 goto end;
354 }
355 }
356
357 if (iph1->nonce_p == NULL || iph1->id_p == NULL) {
358 plog(LLV_ERROR, LOCATION, iph1->remote,
359 "few isakmp message received.\n");
360 goto end;
361 }
362
363 /* verify identifier */
364 if (ipsecdoi_checkid1(iph1) != 0) {
365 plog(LLV_ERROR, LOCATION, iph1->remote,
366 "invalid ID payload.\n");
367 goto end;
368 }
369
370 #ifdef ENABLE_NATT
371 if (NATT_AVAILABLE(iph1))
372 plog(LLV_INFO, LOCATION, iph1->remote,
373 "Selected NAT-T version: %s\n",
374 vid_string_by_id(iph1->natt_options->version));
375 #endif
376
377 /* check SA payload and set approval SA for use */
378 if (ipsecdoi_checkph1proposal(satmp, iph1) < 0) {
379 plog(LLV_ERROR, LOCATION, iph1->remote,
380 "failed to get valid proposal.\n");
381 /* XXX send information */
382 goto end;
383 }
384 VPTRINIT(iph1->sa_ret);
385
386 iph1->status = PHASE1ST_MSG2RECEIVED;
387
388 error = 0;
389
390 end:
391 if (pbuf)
392 vfree(pbuf);
393 if (satmp)
394 vfree(satmp);
395
396 if (error) {
397 VPTRINIT(iph1->nonce_p);
398 VPTRINIT(iph1->id_p);
399 }
400
401 return error;
402 }
403
404 /*
405 * send to responder
406 * psk: HDR, KE, HASH_I
407 * sig: HDR, KE, [ CR, ] [CERT,] SIG_I
408 * rsa: HDR, KE, HASH_I
409 * rev: HDR, <KE>Ke_i, HASH_I
410 */
411 int
base_i2send(iph1,msg)412 base_i2send(iph1, msg)
413 struct ph1handle *iph1;
414 vchar_t *msg;
415 {
416 struct payload_list *plist = NULL;
417 vchar_t *vid = NULL;
418 int need_cert = 0;
419 int error = -1;
420
421 /* validity check */
422 if (iph1->status != PHASE1ST_MSG2RECEIVED) {
423 plog(LLV_ERROR, LOCATION, NULL,
424 "status mismatched %d.\n", iph1->status);
425 goto end;
426 }
427
428 /* fix isakmp index */
429 memcpy(&iph1->index.r_ck, &((struct isakmp *)msg->v)->r_ck,
430 sizeof(cookie_t));
431
432 /* generate DH public value */
433 if (oakley_dh_generate(iph1->approval->dhgrp,
434 &iph1->dhpub, &iph1->dhpriv) < 0)
435 goto end;
436
437 /* generate SKEYID to compute hash if not signature mode */
438 switch (AUTHMETHOD(iph1)) {
439 case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
440 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
441 #ifdef ENABLE_HYBRID
442 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I:
443 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
444 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
445 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
446 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
447 #endif
448 break;
449 default:
450 if (oakley_skeyid(iph1) < 0)
451 goto end;
452 break;
453 }
454
455 /* generate HASH to send */
456 plog(LLV_DEBUG, LOCATION, NULL, "generate HASH_I\n");
457 iph1->hash = oakley_ph1hash_base_i(iph1, GENERATE);
458 if (iph1->hash == NULL)
459 goto end;
460 switch (AUTHMETHOD(iph1)) {
461 case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
462 #ifdef ENABLE_HYBRID
463 case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
464 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
465 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
466 #endif
467 vid = set_vendorid(iph1->approval->vendorid);
468
469 /* create isakmp KE payload */
470 plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE);
471
472 /* create isakmp HASH payload */
473 plist = isakmp_plist_append(plist, iph1->hash, ISAKMP_NPTYPE_HASH);
474
475 /* append vendor id, if needed */
476 if (vid)
477 plist = isakmp_plist_append(plist, vid, ISAKMP_NPTYPE_VID);
478 break;
479 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
480 case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
481 #ifdef ENABLE_HYBRID
482 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
483 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
484 #endif
485 /* XXX if there is CR or not ? */
486
487 if (oakley_getmycert(iph1) < 0)
488 goto end;
489
490 if (oakley_getsign(iph1) < 0)
491 goto end;
492
493 if (iph1->cert && iph1->rmconf->send_cert)
494 need_cert = 1;
495
496 /* create isakmp KE payload */
497 plist = isakmp_plist_append(plist,
498 iph1->dhpub, ISAKMP_NPTYPE_KE);
499
500 /* add CERT payload if there */
501 if (need_cert)
502 plist = isakmp_plist_append(plist,
503 iph1->cert->pl, ISAKMP_NPTYPE_CERT);
504
505 /* add SIG payload */
506 plist = isakmp_plist_append(plist,
507 iph1->sig, ISAKMP_NPTYPE_SIG);
508
509 break;
510 #ifdef HAVE_GSSAPI
511 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
512 /* ... */
513 break;
514 #endif
515 case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
516 case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
517 #ifdef ENABLE_HYBRID
518 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
519 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
520 #endif
521 break;
522 }
523
524 #ifdef ENABLE_NATT
525 /* generate NAT-D payloads */
526 if (NATT_AVAILABLE(iph1))
527 {
528 vchar_t *natd[2] = { NULL, NULL };
529
530 plog (LLV_INFO, LOCATION, NULL, "Adding remote and local NAT-D payloads.\n");
531 if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) {
532 plog(LLV_ERROR, LOCATION, NULL,
533 "NAT-D hashing failed for %s\n", saddr2str(iph1->remote));
534 goto end;
535 }
536
537 if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) {
538 plog(LLV_ERROR, LOCATION, NULL,
539 "NAT-D hashing failed for %s\n", saddr2str(iph1->local));
540 goto end;
541 }
542
543 plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
544 plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
545 }
546 #endif
547
548 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
549
550 #ifdef HAVE_PRINT_ISAKMP_C
551 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
552 #endif
553
554 /* send the packet, add to the schedule to resend */
555 iph1->retry_counter = iph1->rmconf->retry_counter;
556 if (isakmp_ph1resend(iph1) == -1)
557 goto end;
558
559 /* the sending message is added to the received-list. */
560 if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) {
561 plog(LLV_ERROR , LOCATION, NULL,
562 "failed to add a response packet to the tree.\n");
563 goto end;
564 }
565
566 iph1->status = PHASE1ST_MSG2SENT;
567
568 error = 0;
569
570 end:
571 if (vid)
572 vfree(vid);
573 return error;
574 }
575
576 /*
577 * receive from responder
578 * psk: HDR, KE, HASH_R
579 * sig: HDR, KE, [CERT,] SIG_R
580 * rsa: HDR, KE, HASH_R
581 * rev: HDR, <KE>_Ke_r, HASH_R
582 */
583 int
base_i3recv(iph1,msg)584 base_i3recv(iph1, msg)
585 struct ph1handle *iph1;
586 vchar_t *msg;
587 {
588 vchar_t *pbuf = NULL;
589 struct isakmp_parse_t *pa;
590 int error = -1;
591 int ptype;
592 #ifdef ENABLE_NATT
593 vchar_t *natd_received;
594 int natd_seq = 0, natd_verified;
595 #endif
596
597 /* validity check */
598 if (iph1->status != PHASE1ST_MSG2SENT) {
599 plog(LLV_ERROR, LOCATION, NULL,
600 "status mismatched %d.\n", iph1->status);
601 goto end;
602 }
603
604 /* validate the type of next payload */
605 pbuf = isakmp_parse(msg);
606 if (pbuf == NULL)
607 goto end;
608
609 for (pa = (struct isakmp_parse_t *)pbuf->v;
610 pa->type != ISAKMP_NPTYPE_NONE;
611 pa++) {
612
613 switch (pa->type) {
614 case ISAKMP_NPTYPE_KE:
615 if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0)
616 goto end;
617 break;
618 case ISAKMP_NPTYPE_HASH:
619 iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr;
620 break;
621 case ISAKMP_NPTYPE_CERT:
622 if (oakley_savecert(iph1, pa->ptr) < 0)
623 goto end;
624 break;
625 case ISAKMP_NPTYPE_SIG:
626 if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0)
627 goto end;
628 break;
629 case ISAKMP_NPTYPE_VID:
630 handle_vendorid(iph1, pa->ptr);
631 break;
632
633 #ifdef ENABLE_NATT
634 case ISAKMP_NPTYPE_NATD_DRAFT:
635 case ISAKMP_NPTYPE_NATD_RFC:
636 if (NATT_AVAILABLE(iph1) && iph1->natt_options &&
637 pa->type == iph1->natt_options->payload_nat_d) {
638 natd_received = NULL;
639 if (isakmp_p2ph (&natd_received, pa->ptr) < 0)
640 goto end;
641
642 /* set both bits first so that we can clear them
643 upon verifying hashes */
644 if (natd_seq == 0)
645 iph1->natt_flags |= NAT_DETECTED;
646
647 /* this function will clear appropriate bits bits
648 from iph1->natt_flags */
649 natd_verified = natt_compare_addr_hash (iph1,
650 natd_received, natd_seq++);
651
652 plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n",
653 natd_seq - 1,
654 natd_verified ? "verified" : "doesn't match");
655
656 vfree (natd_received);
657 break;
658 }
659 /* passthrough to default... */
660 #endif
661
662 default:
663 /* don't send information, see ident_r1recv() */
664 plog(LLV_ERROR, LOCATION, iph1->remote,
665 "ignore the packet, "
666 "received unexpecting payload type %d.\n",
667 pa->type);
668 goto end;
669 }
670 }
671
672 #ifdef ENABLE_NATT
673 if (NATT_AVAILABLE(iph1)) {
674 plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n",
675 iph1->natt_flags & NAT_DETECTED ?
676 "detected:" : "not detected",
677 iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "",
678 iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : "");
679 if (iph1->natt_flags & NAT_DETECTED)
680 natt_float_ports (iph1);
681 }
682 #endif
683
684 /* payload existency check */
685 /* validate authentication value */
686 ptype = oakley_validate_auth(iph1);
687 if (ptype != 0) {
688 if (ptype == -1) {
689 /* message printed inner oakley_validate_auth() */
690 goto end;
691 }
692 EVT_PUSH(iph1->local, iph1->remote,
693 EVTT_PEERPH1AUTH_FAILED, NULL);
694 isakmp_info_send_n1(iph1, ptype, NULL);
695 goto end;
696 }
697
698 /* compute sharing secret of DH */
699 if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub,
700 iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0)
701 goto end;
702
703 /* generate SKEYID to compute hash if signature mode */
704 switch (AUTHMETHOD(iph1)) {
705 case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
706 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
707 #ifdef ENABLE_HYBRID
708 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I:
709 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
710 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
711 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
712 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
713 #endif
714 if (oakley_skeyid(iph1) < 0)
715 goto end;
716 break;
717 default:
718 break;
719 }
720
721 /* generate SKEYIDs & IV & final cipher key */
722 if (oakley_skeyid_dae(iph1) < 0)
723 goto end;
724 if (oakley_compute_enckey(iph1) < 0)
725 goto end;
726 if (oakley_newiv(iph1) < 0)
727 goto end;
728
729 /* see handler.h about IV synchronization. */
730 memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->iv->l);
731
732 /* set encryption flag */
733 iph1->flags |= ISAKMP_FLAG_E;
734
735 iph1->status = PHASE1ST_MSG3RECEIVED;
736
737 error = 0;
738
739 end:
740 if (pbuf)
741 vfree(pbuf);
742
743 if (error) {
744 VPTRINIT(iph1->dhpub_p);
745 oakley_delcert(iph1->cert_p);
746 iph1->cert_p = NULL;
747 oakley_delcert(iph1->crl_p);
748 iph1->crl_p = NULL;
749 VPTRINIT(iph1->sig_p);
750 }
751
752 return error;
753 }
754
755 /*
756 * status update and establish isakmp sa.
757 */
758 int
base_i3send(iph1,msg)759 base_i3send(iph1, msg)
760 struct ph1handle *iph1;
761 vchar_t *msg;
762 {
763 int error = -1;
764
765 /* validity check */
766 if (iph1->status != PHASE1ST_MSG3RECEIVED) {
767 plog(LLV_ERROR, LOCATION, NULL,
768 "status mismatched %d.\n", iph1->status);
769 goto end;
770 }
771
772 iph1->status = PHASE1ST_ESTABLISHED;
773
774 error = 0;
775
776 end:
777 return error;
778 }
779
780 /*
781 * receive from initiator
782 * psk: HDR, SA, Idii, Ni_b
783 * sig: HDR, SA, Idii, Ni_b
784 * rsa: HDR, SA, [HASH(1),] <IDii_b>Pubkey_r, <Ni_b>Pubkey_r
785 * rev: HDR, SA, [HASH(1),] <Ni_b>Pubkey_r, <IDii_b>Ke_i
786 */
787 int
base_r1recv(iph1,msg)788 base_r1recv(iph1, msg)
789 struct ph1handle *iph1;
790 vchar_t *msg;
791 {
792 vchar_t *pbuf = NULL;
793 struct isakmp_parse_t *pa;
794 int error = -1;
795 int vid_numeric;
796
797 /* validity check */
798 if (iph1->status != PHASE1ST_START) {
799 plog(LLV_ERROR, LOCATION, NULL,
800 "status mismatched %d.\n", iph1->status);
801 goto end;
802 }
803
804 /* validate the type of next payload */
805 /*
806 * NOTE: XXX even if multiple VID, we'll silently ignore those.
807 */
808 pbuf = isakmp_parse(msg);
809 if (pbuf == NULL)
810 goto end;
811 pa = (struct isakmp_parse_t *)pbuf->v;
812
813 /* check the position of SA payload */
814 if (pa->type != ISAKMP_NPTYPE_SA) {
815 plog(LLV_ERROR, LOCATION, iph1->remote,
816 "received invalid next payload type %d, "
817 "expecting %d.\n",
818 pa->type, ISAKMP_NPTYPE_SA);
819 goto end;
820 }
821 if (isakmp_p2ph(&iph1->sa, pa->ptr) < 0)
822 goto end;
823 pa++;
824
825 for (/*nothing*/;
826 pa->type != ISAKMP_NPTYPE_NONE;
827 pa++) {
828
829 switch (pa->type) {
830 case ISAKMP_NPTYPE_NONCE:
831 if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0)
832 goto end;
833 break;
834 case ISAKMP_NPTYPE_ID:
835 if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0)
836 goto end;
837 break;
838 case ISAKMP_NPTYPE_VID:
839 vid_numeric = handle_vendorid(iph1, pa->ptr);
840 #ifdef ENABLE_FRAG
841 if ((vid_numeric == VENDORID_FRAG) &&
842 (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_BASE))
843 iph1->frag = 1;
844 #endif
845 break;
846 default:
847 /* don't send information, see ident_r1recv() */
848 plog(LLV_ERROR, LOCATION, iph1->remote,
849 "ignore the packet, "
850 "received unexpecting payload type %d.\n",
851 pa->type);
852 goto end;
853 }
854 }
855
856 if (iph1->nonce_p == NULL || iph1->id_p == NULL) {
857 plog(LLV_ERROR, LOCATION, iph1->remote,
858 "few isakmp message received.\n");
859 goto end;
860 }
861
862 /* verify identifier */
863 if (ipsecdoi_checkid1(iph1) != 0) {
864 plog(LLV_ERROR, LOCATION, iph1->remote,
865 "invalid ID payload.\n");
866 goto end;
867 }
868
869 #ifdef ENABLE_NATT
870 if (NATT_AVAILABLE(iph1))
871 plog(LLV_INFO, LOCATION, iph1->remote,
872 "Selected NAT-T version: %s\n",
873 vid_string_by_id(iph1->natt_options->version));
874 #endif
875
876 /* check SA payload and set approval SA for use */
877 if (ipsecdoi_checkph1proposal(iph1->sa, iph1) < 0) {
878 plog(LLV_ERROR, LOCATION, iph1->remote,
879 "failed to get valid proposal.\n");
880 /* XXX send information */
881 goto end;
882 }
883
884 iph1->status = PHASE1ST_MSG1RECEIVED;
885
886 error = 0;
887
888 end:
889 if (pbuf)
890 vfree(pbuf);
891
892 if (error) {
893 VPTRINIT(iph1->sa);
894 VPTRINIT(iph1->nonce_p);
895 VPTRINIT(iph1->id_p);
896 }
897
898 return error;
899 }
900
901 /*
902 * send to initiator
903 * psk: HDR, SA, Idir, Nr_b
904 * sig: HDR, SA, Idir, Nr_b, [ CR ]
905 * rsa: HDR, SA, <IDir_b>PubKey_i, <Nr_b>PubKey_i
906 * rev: HDR, SA, <Nr_b>PubKey_i, <IDir_b>Ke_r
907 */
908 int
base_r1send(iph1,msg)909 base_r1send(iph1, msg)
910 struct ph1handle *iph1;
911 vchar_t *msg;
912 {
913 struct payload_list *plist = NULL;
914 int error = -1;
915 #ifdef ENABLE_NATT
916 vchar_t *vid_natt = NULL;
917 #endif
918 #ifdef ENABLE_HYBRID
919 vchar_t *vid_xauth = NULL;
920 vchar_t *vid_unity = NULL;
921 #endif
922 #ifdef ENABLE_FRAG
923 vchar_t *vid_frag = NULL;
924 #endif
925 #ifdef ENABLE_DPD
926 vchar_t *vid_dpd = NULL;
927 #endif
928
929 /* validity check */
930 if (iph1->status != PHASE1ST_MSG1RECEIVED) {
931 plog(LLV_ERROR, LOCATION, NULL,
932 "status mismatched %d.\n", iph1->status);
933 goto end;
934 }
935
936 /* set responder's cookie */
937 isakmp_newcookie((caddr_t)&iph1->index.r_ck, iph1->remote, iph1->local);
938
939 /* make ID payload into isakmp status */
940 if (ipsecdoi_setid1(iph1) < 0)
941 goto end;
942
943 /* generate NONCE value */
944 iph1->nonce = eay_set_random(iph1->rmconf->nonce_size);
945 if (iph1->nonce == NULL)
946 goto end;
947
948 /* set SA payload to reply */
949 plist = isakmp_plist_append(plist, iph1->sa_ret, ISAKMP_NPTYPE_SA);
950
951 /* create isakmp ID payload */
952 plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
953
954 /* create isakmp NONCE payload */
955 plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE);
956
957 #ifdef ENABLE_NATT
958 /* has the peer announced nat-t? */
959 if (NATT_AVAILABLE(iph1))
960 vid_natt = set_vendorid(iph1->natt_options->version);
961 if (vid_natt)
962 plist = isakmp_plist_append(plist, vid_natt, ISAKMP_NPTYPE_VID);
963 #endif
964 #ifdef ENABLE_HYBRID
965 if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) {
966 plog (LLV_INFO, LOCATION, NULL, "Adding xauth VID payload.\n");
967 if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL) {
968 plog(LLV_ERROR, LOCATION, NULL,
969 "Cannot create Xauth vendor ID\n");
970 goto end;
971 }
972 plist = isakmp_plist_append(plist,
973 vid_xauth, ISAKMP_NPTYPE_VID);
974 }
975
976 if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_UNITY) {
977 if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL) {
978 plog(LLV_ERROR, LOCATION, NULL,
979 "Cannot create Unity vendor ID\n");
980 goto end;
981 }
982 plist = isakmp_plist_append(plist,
983 vid_unity, ISAKMP_NPTYPE_VID);
984 }
985 #endif
986 #ifdef ENABLE_DPD
987 /*
988 * Only send DPD support if remote announced DPD
989 * and if DPD support is active
990 */
991 if (iph1->dpd_support && iph1->rmconf->dpd) {
992 if ((vid_dpd = set_vendorid(VENDORID_DPD)) == NULL) {
993 plog(LLV_ERROR, LOCATION, NULL,
994 "DPD vendorID construction failed\n");
995 } else {
996 plist = isakmp_plist_append(plist, vid_dpd,
997 ISAKMP_NPTYPE_VID);
998 }
999 }
1000 #endif
1001 #ifdef ENABLE_FRAG
1002 if (iph1->rmconf->ike_frag) {
1003 if ((vid_frag = set_vendorid(VENDORID_FRAG)) == NULL) {
1004 plog(LLV_ERROR, LOCATION, NULL,
1005 "Frag vendorID construction failed\n");
1006 } else {
1007 vid_frag = isakmp_frag_addcap(vid_frag,
1008 VENDORID_FRAG_BASE);
1009 plist = isakmp_plist_append(plist,
1010 vid_frag, ISAKMP_NPTYPE_VID);
1011 }
1012 }
1013 #endif
1014
1015 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
1016
1017 #ifdef HAVE_PRINT_ISAKMP_C
1018 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
1019 #endif
1020
1021 /* send the packet, add to the schedule to resend */
1022 iph1->retry_counter = iph1->rmconf->retry_counter;
1023 if (isakmp_ph1resend(iph1) == -1) {
1024 iph1 = NULL;
1025 goto end;
1026 }
1027
1028 /* the sending message is added to the received-list. */
1029 if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) {
1030 plog(LLV_ERROR , LOCATION, NULL,
1031 "failed to add a response packet to the tree.\n");
1032 goto end;
1033 }
1034
1035 iph1->status = PHASE1ST_MSG1SENT;
1036
1037 error = 0;
1038
1039 end:
1040 #ifdef ENABLE_NATT
1041 if (vid_natt)
1042 vfree(vid_natt);
1043 #endif
1044 #ifdef ENABLE_HYBRID
1045 if (vid_xauth != NULL)
1046 vfree(vid_xauth);
1047 if (vid_unity != NULL)
1048 vfree(vid_unity);
1049 #endif
1050 #ifdef ENABLE_FRAG
1051 if (vid_frag)
1052 vfree(vid_frag);
1053 #endif
1054 #ifdef ENABLE_DPD
1055 if (vid_dpd)
1056 vfree(vid_dpd);
1057 #endif
1058
1059 if (iph1 != NULL)
1060 VPTRINIT(iph1->sa_ret);
1061
1062 return error;
1063 }
1064
1065 /*
1066 * receive from initiator
1067 * psk: HDR, KE, HASH_I
1068 * sig: HDR, KE, [ CR, ] [CERT,] SIG_I
1069 * rsa: HDR, KE, HASH_I
1070 * rev: HDR, <KE>Ke_i, HASH_I
1071 */
1072 int
base_r2recv(iph1,msg)1073 base_r2recv(iph1, msg)
1074 struct ph1handle *iph1;
1075 vchar_t *msg;
1076 {
1077 vchar_t *pbuf = NULL;
1078 struct isakmp_parse_t *pa;
1079 int error = -1;
1080 int ptype;
1081 #ifdef ENABLE_NATT
1082 int natd_seq = 0;
1083 #endif
1084
1085 /* validity check */
1086 if (iph1->status != PHASE1ST_MSG1SENT) {
1087 plog(LLV_ERROR, LOCATION, NULL,
1088 "status mismatched %d.\n", iph1->status);
1089 goto end;
1090 }
1091
1092 /* validate the type of next payload */
1093 pbuf = isakmp_parse(msg);
1094 if (pbuf == NULL)
1095 goto end;
1096
1097 iph1->pl_hash = NULL;
1098
1099 for (pa = (struct isakmp_parse_t *)pbuf->v;
1100 pa->type != ISAKMP_NPTYPE_NONE;
1101 pa++) {
1102
1103 switch (pa->type) {
1104 case ISAKMP_NPTYPE_KE:
1105 if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0)
1106 goto end;
1107 break;
1108 case ISAKMP_NPTYPE_HASH:
1109 iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr;
1110 break;
1111 case ISAKMP_NPTYPE_CERT:
1112 if (oakley_savecert(iph1, pa->ptr) < 0)
1113 goto end;
1114 break;
1115 case ISAKMP_NPTYPE_SIG:
1116 if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0)
1117 goto end;
1118 break;
1119 case ISAKMP_NPTYPE_VID:
1120 handle_vendorid(iph1, pa->ptr);
1121 break;
1122
1123 #ifdef ENABLE_NATT
1124 case ISAKMP_NPTYPE_NATD_DRAFT:
1125 case ISAKMP_NPTYPE_NATD_RFC:
1126 if (pa->type == iph1->natt_options->payload_nat_d)
1127 {
1128 vchar_t *natd_received = NULL;
1129 int natd_verified;
1130
1131 if (isakmp_p2ph (&natd_received, pa->ptr) < 0)
1132 goto end;
1133
1134 if (natd_seq == 0)
1135 iph1->natt_flags |= NAT_DETECTED;
1136
1137 natd_verified = natt_compare_addr_hash (iph1,
1138 natd_received, natd_seq++);
1139
1140 plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n",
1141 natd_seq - 1,
1142 natd_verified ? "verified" : "doesn't match");
1143
1144 vfree (natd_received);
1145 break;
1146 }
1147 /* passthrough to default... */
1148 #endif
1149
1150 default:
1151 /* don't send information, see ident_r1recv() */
1152 plog(LLV_ERROR, LOCATION, iph1->remote,
1153 "ignore the packet, "
1154 "received unexpecting payload type %d.\n",
1155 pa->type);
1156 goto end;
1157 }
1158 }
1159
1160 /* generate DH public value */
1161 if (oakley_dh_generate(iph1->approval->dhgrp,
1162 &iph1->dhpub, &iph1->dhpriv) < 0)
1163 goto end;
1164
1165 /* compute sharing secret of DH */
1166 if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub,
1167 iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0)
1168 goto end;
1169
1170 /* generate SKEYID */
1171 if (oakley_skeyid(iph1) < 0)
1172 goto end;
1173
1174 #ifdef ENABLE_NATT
1175 if (NATT_AVAILABLE(iph1))
1176 plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n",
1177 iph1->natt_flags & NAT_DETECTED ?
1178 "detected:" : "not detected",
1179 iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "",
1180 iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : "");
1181 #endif
1182
1183 /* payload existency check */
1184 /* validate authentication value */
1185 ptype = oakley_validate_auth(iph1);
1186 if (ptype != 0) {
1187 if (ptype == -1) {
1188 /* message printed inner oakley_validate_auth() */
1189 goto end;
1190 }
1191 EVT_PUSH(iph1->local, iph1->remote,
1192 EVTT_PEERPH1AUTH_FAILED, NULL);
1193 isakmp_info_send_n1(iph1, ptype, NULL);
1194 goto end;
1195 }
1196
1197 iph1->status = PHASE1ST_MSG2RECEIVED;
1198
1199 error = 0;
1200
1201 end:
1202 if (pbuf)
1203 vfree(pbuf);
1204
1205 if (error) {
1206 VPTRINIT(iph1->dhpub_p);
1207 oakley_delcert(iph1->cert_p);
1208 iph1->cert_p = NULL;
1209 oakley_delcert(iph1->crl_p);
1210 iph1->crl_p = NULL;
1211 VPTRINIT(iph1->sig_p);
1212 }
1213
1214 return error;
1215 }
1216
1217 /*
1218 * send to initiator
1219 * psk: HDR, KE, HASH_R
1220 * sig: HDR, KE, [CERT,] SIG_R
1221 * rsa: HDR, KE, HASH_R
1222 * rev: HDR, <KE>_Ke_r, HASH_R
1223 */
1224 int
base_r2send(iph1,msg)1225 base_r2send(iph1, msg)
1226 struct ph1handle *iph1;
1227 vchar_t *msg;
1228 {
1229 struct payload_list *plist = NULL;
1230 vchar_t *vid = NULL;
1231 int need_cert = 0;
1232 int error = -1;
1233
1234 /* validity check */
1235 if (iph1->status != PHASE1ST_MSG2RECEIVED) {
1236 plog(LLV_ERROR, LOCATION, NULL,
1237 "status mismatched %d.\n", iph1->status);
1238 goto end;
1239 }
1240
1241 /* generate HASH to send */
1242 plog(LLV_DEBUG, LOCATION, NULL, "generate HASH_I\n");
1243 switch (AUTHMETHOD(iph1)) {
1244 case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
1245 #ifdef ENABLE_HYBRID
1246 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
1247 #endif
1248 case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
1249 case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
1250 #ifdef ENABLE_HYBRID
1251 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
1252 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
1253 #endif
1254 iph1->hash = oakley_ph1hash_common(iph1, GENERATE);
1255 break;
1256 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
1257 case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
1258 #ifdef ENABLE_HYBRID
1259 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
1260 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
1261 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
1262 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
1263 #endif
1264 #ifdef HAVE_GSSAPI
1265 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
1266 #endif
1267 iph1->hash = oakley_ph1hash_base_r(iph1, GENERATE);
1268 break;
1269 default:
1270 plog(LLV_ERROR, LOCATION, NULL,
1271 "invalid authentication method %d\n",
1272 iph1->approval->authmethod);
1273 goto end;
1274 }
1275 if (iph1->hash == NULL)
1276 goto end;
1277
1278 switch (AUTHMETHOD(iph1)) {
1279 case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
1280 #ifdef ENABLE_HYBRID
1281 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
1282 #endif
1283 vid = set_vendorid(iph1->approval->vendorid);
1284
1285 /* create isakmp KE payload */
1286 plist = isakmp_plist_append(plist,
1287 iph1->dhpub, ISAKMP_NPTYPE_KE);
1288
1289 /* create isakmp HASH payload */
1290 plist = isakmp_plist_append(plist,
1291 iph1->hash, ISAKMP_NPTYPE_HASH);
1292
1293 /* append vendor id, if needed */
1294 if (vid)
1295 plist = isakmp_plist_append(plist,
1296 vid, ISAKMP_NPTYPE_VID);
1297 break;
1298 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
1299 case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
1300 #ifdef ENABLE_HYBRID
1301 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
1302 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
1303 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
1304 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
1305 #endif
1306 /* XXX if there is CR or not ? */
1307
1308 if (oakley_getmycert(iph1) < 0)
1309 goto end;
1310
1311 if (oakley_getsign(iph1) < 0)
1312 goto end;
1313
1314 if (iph1->cert && iph1->rmconf->send_cert)
1315 need_cert = 1;
1316
1317 /* create isakmp KE payload */
1318 plist = isakmp_plist_append(plist,
1319 iph1->dhpub, ISAKMP_NPTYPE_KE);
1320
1321 /* add CERT payload if there */
1322 if (need_cert)
1323 plist = isakmp_plist_append(plist,
1324 iph1->cert->pl, ISAKMP_NPTYPE_CERT);
1325 /* add SIG payload */
1326 plist = isakmp_plist_append(plist,
1327 iph1->sig, ISAKMP_NPTYPE_SIG);
1328 break;
1329 #ifdef HAVE_GSSAPI
1330 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
1331 /* ... */
1332 break;
1333 #endif
1334 case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
1335 case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
1336 #ifdef ENABLE_HYBRID
1337 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
1338 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
1339 #endif
1340 break;
1341 }
1342
1343 #ifdef ENABLE_NATT
1344 /* generate NAT-D payloads */
1345 if (NATT_AVAILABLE(iph1)) {
1346 vchar_t *natd[2] = { NULL, NULL };
1347
1348 plog(LLV_INFO, LOCATION,
1349 NULL, "Adding remote and local NAT-D payloads.\n");
1350 if ((natd[0] = natt_hash_addr(iph1, iph1->remote)) == NULL) {
1351 plog(LLV_ERROR, LOCATION, NULL,
1352 "NAT-D hashing failed for %s\n",
1353 saddr2str(iph1->remote));
1354 goto end;
1355 }
1356
1357 if ((natd[1] = natt_hash_addr(iph1, iph1->local)) == NULL) {
1358 plog(LLV_ERROR, LOCATION, NULL,
1359 "NAT-D hashing failed for %s\n",
1360 saddr2str(iph1->local));
1361 goto end;
1362 }
1363
1364 plist = isakmp_plist_append(plist,
1365 natd[0], iph1->natt_options->payload_nat_d);
1366 plist = isakmp_plist_append(plist,
1367 natd[1], iph1->natt_options->payload_nat_d);
1368 }
1369 #endif
1370
1371 iph1->sendbuf = isakmp_plist_set_all(&plist, iph1);
1372
1373 #ifdef HAVE_PRINT_ISAKMP_C
1374 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
1375 #endif
1376
1377 /* send HDR;KE;NONCE to responder */
1378 if (isakmp_send(iph1, iph1->sendbuf) < 0)
1379 goto end;
1380
1381 /* the sending message is added to the received-list. */
1382 if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) {
1383 plog(LLV_ERROR , LOCATION, NULL,
1384 "failed to add a response packet to the tree.\n");
1385 goto end;
1386 }
1387
1388 /* generate SKEYIDs & IV & final cipher key */
1389 if (oakley_skeyid_dae(iph1) < 0)
1390 goto end;
1391 if (oakley_compute_enckey(iph1) < 0)
1392 goto end;
1393 if (oakley_newiv(iph1) < 0)
1394 goto end;
1395
1396 /* set encryption flag */
1397 iph1->flags |= ISAKMP_FLAG_E;
1398
1399 iph1->status = PHASE1ST_ESTABLISHED;
1400
1401 error = 0;
1402
1403 end:
1404 if (vid)
1405 vfree(vid);
1406 return error;
1407 }
1408