1 /* $NetBSD: oakley.c,v 1.9.6.4 2009/08/13 09:18:45 vanhu Exp $ */
2
3 /* Id: oakley.c,v 1.32 2006/05/26 12:19:46 manubsd Exp */
4
5 /*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "config.h"
35
36 #include <sys/types.h>
37 #include <sys/param.h>
38 #include <sys/socket.h> /* XXX for subjectaltname */
39 #include <netinet/in.h> /* XXX for subjectaltname */
40
41 #include <openssl/x509.h>
42 #include <openssl/err.h>
43
44 #if !defined(OPENSSL_IS_BORINGSSL)
45 #include <openssl/engine.h>
46 #include <openssl/pkcs7.h>
47 #else
48 #include <openssl/bytestring.h>
49 #endif
50
51 #include <stdlib.h>
52 #include <stdio.h>
53 #include <string.h>
54 #include <errno.h>
55
56 #if TIME_WITH_SYS_TIME
57 # include <sys/time.h>
58 # include <time.h>
59 #else
60 # if HAVE_SYS_TIME_H
61 # include <sys/time.h>
62 # else
63 # include <time.h>
64 # endif
65 #endif
66 #ifdef ENABLE_HYBRID
67 #include <resolv.h>
68 #endif
69
70 #include "var.h"
71 #include "misc.h"
72 #include "vmbuf.h"
73 #include "str2val.h"
74 #include "plog.h"
75 #include "debug.h"
76
77 #include "isakmp_var.h"
78 #include "isakmp.h"
79 #ifdef ENABLE_HYBRID
80 #include "isakmp_xauth.h"
81 #include "isakmp_cfg.h"
82 #endif
83 #include "oakley.h"
84 #include "admin.h"
85 #include "privsep.h"
86 #include "localconf.h"
87 #include "remoteconf.h"
88 #include "policy.h"
89 #include "handler.h"
90 #include "ipsec_doi.h"
91 #include "algorithm.h"
92 #include "dhgroup.h"
93 #include "sainfo.h"
94 #include "proposal.h"
95 #include "crypto_openssl.h"
96 #include "dnssec.h"
97 #include "sockmisc.h"
98 #include "strnames.h"
99 #include "gcmalloc.h"
100 #include "rsalist.h"
101
102 #ifdef HAVE_GSSAPI
103 #include "gssapi.h"
104 #endif
105
106 #define OUTBOUND_SA 0
107 #define INBOUND_SA 1
108
109 #define INITDHVAL(a, s, d, t) \
110 do { \
111 vchar_t buf; \
112 buf.v = str2val((s), 16, &buf.l); \
113 memset(&a, 0, sizeof(struct dhgroup)); \
114 a.type = (t); \
115 a.prime = vdup(&buf); \
116 a.gen1 = 2; \
117 a.gen2 = 0; \
118 racoon_free(buf.v); \
119 } while(0);
120
121 struct dhgroup dh_modp768;
122 struct dhgroup dh_modp1024;
123 struct dhgroup dh_modp1536;
124 struct dhgroup dh_modp2048;
125 struct dhgroup dh_modp3072;
126 struct dhgroup dh_modp4096;
127 struct dhgroup dh_modp6144;
128 struct dhgroup dh_modp8192;
129
130
131 static int oakley_check_dh_pub __P((vchar_t *, vchar_t **));
132 static int oakley_compute_keymat_x __P((struct ph2handle *, int, int));
133 static int get_cert_fromlocal __P((struct ph1handle *, int));
134 static int get_plainrsa_fromlocal __P((struct ph1handle *, int));
135 static int oakley_check_certid __P((struct ph1handle *iph1));
136 static int check_typeofcertname __P((int, int));
137 static cert_t *save_certbuf __P((struct isakmp_gen *));
138 static cert_t *save_certx509 __P((X509 *));
139 static int oakley_padlen __P((int, int));
140
141 int
oakley_get_defaultlifetime()142 oakley_get_defaultlifetime()
143 {
144 return OAKLEY_ATTR_SA_LD_SEC_DEFAULT;
145 }
146
147 int
oakley_dhinit()148 oakley_dhinit()
149 {
150 /* set DH MODP */
151 INITDHVAL(dh_modp768, OAKLEY_PRIME_MODP768,
152 OAKLEY_ATTR_GRP_DESC_MODP768, OAKLEY_ATTR_GRP_TYPE_MODP);
153 INITDHVAL(dh_modp1024, OAKLEY_PRIME_MODP1024,
154 OAKLEY_ATTR_GRP_DESC_MODP1024, OAKLEY_ATTR_GRP_TYPE_MODP);
155 INITDHVAL(dh_modp1536, OAKLEY_PRIME_MODP1536,
156 OAKLEY_ATTR_GRP_DESC_MODP1536, OAKLEY_ATTR_GRP_TYPE_MODP);
157 INITDHVAL(dh_modp2048, OAKLEY_PRIME_MODP2048,
158 OAKLEY_ATTR_GRP_DESC_MODP2048, OAKLEY_ATTR_GRP_TYPE_MODP);
159 INITDHVAL(dh_modp3072, OAKLEY_PRIME_MODP3072,
160 OAKLEY_ATTR_GRP_DESC_MODP3072, OAKLEY_ATTR_GRP_TYPE_MODP);
161 INITDHVAL(dh_modp4096, OAKLEY_PRIME_MODP4096,
162 OAKLEY_ATTR_GRP_DESC_MODP4096, OAKLEY_ATTR_GRP_TYPE_MODP);
163 INITDHVAL(dh_modp6144, OAKLEY_PRIME_MODP6144,
164 OAKLEY_ATTR_GRP_DESC_MODP6144, OAKLEY_ATTR_GRP_TYPE_MODP);
165 INITDHVAL(dh_modp8192, OAKLEY_PRIME_MODP8192,
166 OAKLEY_ATTR_GRP_DESC_MODP8192, OAKLEY_ATTR_GRP_TYPE_MODP);
167
168 return 0;
169 }
170
171 void
oakley_dhgrp_free(dhgrp)172 oakley_dhgrp_free(dhgrp)
173 struct dhgroup *dhgrp;
174 {
175 if (dhgrp->prime)
176 vfree(dhgrp->prime);
177 if (dhgrp->curve_a)
178 vfree(dhgrp->curve_a);
179 if (dhgrp->curve_b)
180 vfree(dhgrp->curve_b);
181 if (dhgrp->order)
182 vfree(dhgrp->order);
183 racoon_free(dhgrp);
184 }
185
186 /*
187 * RFC2409 5
188 * The length of the Diffie-Hellman public value MUST be equal to the
189 * length of the prime modulus over which the exponentiation was
190 * performed, prepending zero bits to the value if necessary.
191 */
192 static int
oakley_check_dh_pub(prime,pub0)193 oakley_check_dh_pub(prime, pub0)
194 vchar_t *prime, **pub0;
195 {
196 vchar_t *tmp;
197 vchar_t *pub = *pub0;
198
199 if (prime->l == pub->l)
200 return 0;
201
202 if (prime->l < pub->l) {
203 /* what should i do ? */
204 plog(LLV_ERROR, LOCATION, NULL,
205 "invalid public information was generated.\n");
206 return -1;
207 }
208
209 /* prime->l > pub->l */
210 tmp = vmalloc(prime->l);
211 if (tmp == NULL) {
212 plog(LLV_ERROR, LOCATION, NULL,
213 "failed to get DH buffer.\n");
214 return -1;
215 }
216 memcpy(tmp->v + prime->l - pub->l, pub->v, pub->l);
217
218 vfree(*pub0);
219 *pub0 = tmp;
220
221 return 0;
222 }
223
224 /*
225 * compute sharing secret of DH
226 * IN: *dh, *pub, *priv, *pub_p
227 * OUT: **gxy
228 */
229 int
oakley_dh_compute(dh,pub,priv,pub_p,gxy)230 oakley_dh_compute(dh, pub, priv, pub_p, gxy)
231 const struct dhgroup *dh;
232 vchar_t *pub, *priv, *pub_p, **gxy;
233 {
234 #ifdef ENABLE_STATS
235 struct timeval start, end;
236 #endif
237 if ((*gxy = vmalloc(dh->prime->l)) == NULL) {
238 plog(LLV_ERROR, LOCATION, NULL,
239 "failed to get DH buffer.\n");
240 return -1;
241 }
242
243 #ifdef ENABLE_STATS
244 gettimeofday(&start, NULL);
245 #endif
246 switch (dh->type) {
247 case OAKLEY_ATTR_GRP_TYPE_MODP:
248 if (eay_dh_compute(dh->prime, dh->gen1, pub, priv, pub_p, gxy) < 0) {
249 plog(LLV_ERROR, LOCATION, NULL,
250 "failed to compute dh value.\n");
251 return -1;
252 }
253 break;
254 case OAKLEY_ATTR_GRP_TYPE_ECP:
255 case OAKLEY_ATTR_GRP_TYPE_EC2N:
256 plog(LLV_ERROR, LOCATION, NULL,
257 "dh type %d isn't supported.\n", dh->type);
258 return -1;
259 default:
260 plog(LLV_ERROR, LOCATION, NULL,
261 "invalid dh type %d.\n", dh->type);
262 return -1;
263 }
264
265 #ifdef ENABLE_STATS
266 gettimeofday(&end, NULL);
267 syslog(LOG_NOTICE, "%s(%s%zu): %8.6f", __func__,
268 s_attr_isakmp_group(dh->type), dh->prime->l << 3,
269 timedelta(&start, &end));
270 #endif
271
272 plog(LLV_DEBUG, LOCATION, NULL, "compute DH's shared.\n");
273 plogdump(LLV_DEBUG, (*gxy)->v, (*gxy)->l);
274
275 return 0;
276 }
277
278 /*
279 * generate values of DH
280 * IN: *dh
281 * OUT: **pub, **priv
282 */
283 int
oakley_dh_generate(dh,pub,priv)284 oakley_dh_generate(dh, pub, priv)
285 const struct dhgroup *dh;
286 vchar_t **pub, **priv;
287 {
288 #ifdef ENABLE_STATS
289 struct timeval start, end;
290 gettimeofday(&start, NULL);
291 #endif
292 switch (dh->type) {
293 case OAKLEY_ATTR_GRP_TYPE_MODP:
294 if (eay_dh_generate(dh->prime, dh->gen1, dh->gen2, pub, priv) < 0) {
295 plog(LLV_ERROR, LOCATION, NULL,
296 "failed to compute dh value.\n");
297 return -1;
298 }
299 break;
300
301 case OAKLEY_ATTR_GRP_TYPE_ECP:
302 case OAKLEY_ATTR_GRP_TYPE_EC2N:
303 plog(LLV_ERROR, LOCATION, NULL,
304 "dh type %d isn't supported.\n", dh->type);
305 return -1;
306 default:
307 plog(LLV_ERROR, LOCATION, NULL,
308 "invalid dh type %d.\n", dh->type);
309 return -1;
310 }
311
312 #ifdef ENABLE_STATS
313 gettimeofday(&end, NULL);
314 syslog(LOG_NOTICE, "%s(%s%zu): %8.6f", __func__,
315 s_attr_isakmp_group(dh->type), dh->prime->l << 3,
316 timedelta(&start, &end));
317 #endif
318
319 if (oakley_check_dh_pub(dh->prime, pub) != 0)
320 return -1;
321
322 plog(LLV_DEBUG, LOCATION, NULL, "compute DH's private.\n");
323 plogdump(LLV_DEBUG, (*priv)->v, (*priv)->l);
324 plog(LLV_DEBUG, LOCATION, NULL, "compute DH's public.\n");
325 plogdump(LLV_DEBUG, (*pub)->v, (*pub)->l);
326
327 return 0;
328 }
329
330 /*
331 * copy pre-defined dhgroup values.
332 */
333 int
oakley_setdhgroup(group,dhgrp)334 oakley_setdhgroup(group, dhgrp)
335 int group;
336 struct dhgroup **dhgrp;
337 {
338 struct dhgroup *g;
339
340 *dhgrp = NULL; /* just make sure, initialize */
341
342 g = alg_oakley_dhdef_group(group);
343 if (g == NULL) {
344 plog(LLV_ERROR, LOCATION, NULL,
345 "invalid DH parameter grp=%d.\n", group);
346 return -1;
347 }
348
349 if (!g->type || !g->prime || !g->gen1) {
350 /* unsuported */
351 plog(LLV_ERROR, LOCATION, NULL,
352 "unsupported DH parameters grp=%d.\n", group);
353 return -1;
354 }
355
356 *dhgrp = racoon_calloc(1, sizeof(struct dhgroup));
357 if (*dhgrp == NULL) {
358 plog(LLV_ERROR, LOCATION, NULL,
359 "failed to get DH buffer.\n");
360 return 0;
361 }
362
363 /* set defined dh vlaues */
364 memcpy(*dhgrp, g, sizeof(*g));
365 (*dhgrp)->prime = vdup(g->prime);
366
367 return 0;
368 }
369
370 /*
371 * PRF
372 *
373 * NOTE: we do not support prf with different input/output bitwidth,
374 * so we do not implement RFC2409 Appendix B (DOORAK-MAC example) in
375 * oakley_compute_keymat(). If you add support for such prf function,
376 * modify oakley_compute_keymat() accordingly.
377 */
378 vchar_t *
oakley_prf(key,buf,iph1)379 oakley_prf(key, buf, iph1)
380 vchar_t *key, *buf;
381 struct ph1handle *iph1;
382 {
383 vchar_t *res = NULL;
384 int type;
385
386 if (iph1->approval == NULL) {
387 /*
388 * it's before negotiating hash algorithm.
389 * We use md5 as default.
390 */
391 type = OAKLEY_ATTR_HASH_ALG_MD5;
392 } else
393 type = iph1->approval->hashtype;
394
395 res = alg_oakley_hmacdef_one(type, key, buf);
396 if (res == NULL) {
397 plog(LLV_ERROR, LOCATION, NULL,
398 "invalid hmac algorithm %d.\n", type);
399 return NULL;
400 }
401
402 return res;
403 }
404
405 /*
406 * hash
407 */
408 vchar_t *
oakley_hash(buf,iph1)409 oakley_hash(buf, iph1)
410 vchar_t *buf;
411 struct ph1handle *iph1;
412 {
413 vchar_t *res = NULL;
414 int type;
415
416 if (iph1->approval == NULL) {
417 /*
418 * it's before negotiating hash algorithm.
419 * We use md5 as default.
420 */
421 type = OAKLEY_ATTR_HASH_ALG_MD5;
422 } else
423 type = iph1->approval->hashtype;
424
425 res = alg_oakley_hashdef_one(type, buf);
426 if (res == NULL) {
427 plog(LLV_ERROR, LOCATION, NULL,
428 "invalid hash algoriym %d.\n", type);
429 return NULL;
430 }
431
432 return res;
433 }
434
435 /*
436 * compute KEYMAT
437 * see seciton 5.5 Phase 2 - Quick Mode in isakmp-oakley-05.
438 */
439 int
oakley_compute_keymat(iph2,side)440 oakley_compute_keymat(iph2, side)
441 struct ph2handle *iph2;
442 int side;
443 {
444 int error = -1;
445
446 /* compute sharing secret of DH when PFS */
447 if (iph2->approval->pfs_group && iph2->dhpub_p) {
448 if (oakley_dh_compute(iph2->pfsgrp, iph2->dhpub,
449 iph2->dhpriv, iph2->dhpub_p, &iph2->dhgxy) < 0)
450 goto end;
451 }
452
453 /* compute keymat */
454 if (oakley_compute_keymat_x(iph2, side, INBOUND_SA) < 0
455 || oakley_compute_keymat_x(iph2, side, OUTBOUND_SA) < 0)
456 goto end;
457
458 plog(LLV_DEBUG, LOCATION, NULL, "KEYMAT computed.\n");
459
460 error = 0;
461
462 end:
463 return error;
464 }
465
466 /*
467 * compute KEYMAT.
468 * KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b).
469 * If PFS is desired and KE payloads were exchanged,
470 * KEYMAT = prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)
471 *
472 * NOTE: we do not support prf with different input/output bitwidth,
473 * so we do not implement RFC2409 Appendix B (DOORAK-MAC example).
474 */
475 static int
oakley_compute_keymat_x(iph2,side,sa_dir)476 oakley_compute_keymat_x(iph2, side, sa_dir)
477 struct ph2handle *iph2;
478 int side;
479 int sa_dir;
480 {
481 vchar_t *buf = NULL, *res = NULL, *bp;
482 char *p;
483 int len;
484 int error = -1;
485 int pfs = 0;
486 int dupkeymat; /* generate K[1-dupkeymat] */
487 struct saproto *pr;
488 struct satrns *tr;
489 int encklen, authklen, l;
490
491 pfs = ((iph2->approval->pfs_group && iph2->dhgxy) ? 1 : 0);
492
493 len = pfs ? iph2->dhgxy->l : 0;
494 len += (1
495 + sizeof(u_int32_t) /* XXX SPI size */
496 + iph2->nonce->l
497 + iph2->nonce_p->l);
498 buf = vmalloc(len);
499 if (buf == NULL) {
500 plog(LLV_ERROR, LOCATION, NULL,
501 "failed to get keymat buffer.\n");
502 goto end;
503 }
504
505 for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
506 p = buf->v;
507
508 /* if PFS */
509 if (pfs) {
510 memcpy(p, iph2->dhgxy->v, iph2->dhgxy->l);
511 p += iph2->dhgxy->l;
512 }
513
514 p[0] = pr->proto_id;
515 p += 1;
516
517 memcpy(p, (sa_dir == INBOUND_SA ? &pr->spi : &pr->spi_p),
518 sizeof(pr->spi));
519 p += sizeof(pr->spi);
520
521 bp = (side == INITIATOR ? iph2->nonce : iph2->nonce_p);
522 memcpy(p, bp->v, bp->l);
523 p += bp->l;
524
525 bp = (side == INITIATOR ? iph2->nonce_p : iph2->nonce);
526 memcpy(p, bp->v, bp->l);
527 p += bp->l;
528
529 /* compute IV */
530 plog(LLV_DEBUG, LOCATION, NULL, "KEYMAT compute with\n");
531 plogdump(LLV_DEBUG, buf->v, buf->l);
532
533 /* res = K1 */
534 res = oakley_prf(iph2->ph1->skeyid_d, buf, iph2->ph1);
535 if (res == NULL)
536 goto end;
537
538 /* compute key length needed */
539 encklen = authklen = 0;
540 switch (pr->proto_id) {
541 case IPSECDOI_PROTO_IPSEC_ESP:
542 for (tr = pr->head; tr; tr = tr->next) {
543 l = alg_ipsec_encdef_keylen(tr->trns_id,
544 tr->encklen);
545 if (l > encklen)
546 encklen = l;
547
548 l = alg_ipsec_hmacdef_hashlen(tr->authtype);
549 if (l > authklen)
550 authklen = l;
551 }
552 break;
553 case IPSECDOI_PROTO_IPSEC_AH:
554 for (tr = pr->head; tr; tr = tr->next) {
555 l = alg_ipsec_hmacdef_hashlen(tr->trns_id);
556 if (l > authklen)
557 authklen = l;
558 }
559 break;
560 default:
561 break;
562 }
563 plog(LLV_DEBUG, LOCATION, NULL, "encklen=%d authklen=%d\n",
564 encklen, authklen);
565
566 dupkeymat = (encklen + authklen) / 8 / res->l;
567 dupkeymat += 2; /* safety mergin */
568 if (dupkeymat < 3)
569 dupkeymat = 3;
570 plog(LLV_DEBUG, LOCATION, NULL,
571 "generating %zu bits of key (dupkeymat=%d)\n",
572 dupkeymat * 8 * res->l, dupkeymat);
573 if (0 < --dupkeymat) {
574 vchar_t *prev = res; /* K(n-1) */
575 vchar_t *seed = NULL; /* seed for Kn */
576 size_t l;
577
578 /*
579 * generating long key (isakmp-oakley-08 5.5)
580 * KEYMAT = K1 | K2 | K3 | ...
581 * where
582 * src = [ g(qm)^xy | ] protocol | SPI | Ni_b | Nr_b
583 * K1 = prf(SKEYID_d, src)
584 * K2 = prf(SKEYID_d, K1 | src)
585 * K3 = prf(SKEYID_d, K2 | src)
586 * Kn = prf(SKEYID_d, K(n-1) | src)
587 */
588 plog(LLV_DEBUG, LOCATION, NULL,
589 "generating K1...K%d for KEYMAT.\n",
590 dupkeymat + 1);
591
592 seed = vmalloc(prev->l + buf->l);
593 if (seed == NULL) {
594 plog(LLV_ERROR, LOCATION, NULL,
595 "failed to get keymat buffer.\n");
596 if (prev && prev != res)
597 vfree(prev);
598 goto end;
599 }
600
601 while (dupkeymat--) {
602 vchar_t *this = NULL; /* Kn */
603 int update_prev;
604
605 memcpy(seed->v, prev->v, prev->l);
606 memcpy(seed->v + prev->l, buf->v, buf->l);
607 this = oakley_prf(iph2->ph1->skeyid_d, seed,
608 iph2->ph1);
609 if (!this) {
610 plog(LLV_ERROR, LOCATION, NULL,
611 "oakley_prf memory overflow\n");
612 if (prev && prev != res)
613 vfree(prev);
614 vfree(this);
615 vfree(seed);
616 goto end;
617 }
618
619 update_prev = (prev && prev == res) ? 1 : 0;
620
621 l = res->l;
622 res = vrealloc(res, l + this->l);
623
624 if (update_prev)
625 prev = res;
626
627 if (res == NULL) {
628 plog(LLV_ERROR, LOCATION, NULL,
629 "failed to get keymat buffer.\n");
630 if (prev && prev != res)
631 vfree(prev);
632 vfree(this);
633 vfree(seed);
634 goto end;
635 }
636 memcpy(res->v + l, this->v, this->l);
637
638 if (prev && prev != res)
639 vfree(prev);
640 prev = this;
641 this = NULL;
642 }
643
644 if (prev && prev != res)
645 vfree(prev);
646 vfree(seed);
647 }
648
649 plogdump(LLV_DEBUG, res->v, res->l);
650
651 if (sa_dir == INBOUND_SA)
652 pr->keymat = res;
653 else
654 pr->keymat_p = res;
655 res = NULL;
656 }
657
658 error = 0;
659
660 end:
661 if (error) {
662 for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
663 if (pr->keymat) {
664 vfree(pr->keymat);
665 pr->keymat = NULL;
666 }
667 if (pr->keymat_p) {
668 vfree(pr->keymat_p);
669 pr->keymat_p = NULL;
670 }
671 }
672 }
673
674 if (buf != NULL)
675 vfree(buf);
676 if (res)
677 vfree(res);
678
679 return error;
680 }
681
682 #if notyet
683 /*
684 * NOTE: Must terminate by NULL.
685 */
686 vchar_t *
oakley_compute_hashx(struct ph1handle * iph1,...)687 oakley_compute_hashx(struct ph1handle *iph1, ...)
688 {
689 vchar_t *buf, *res;
690 vchar_t *s;
691 caddr_t p;
692 int len;
693
694 va_list ap;
695
696 /* get buffer length */
697 va_start(ap, iph1);
698 len = 0;
699 while ((s = va_arg(ap, vchar_t *)) != NULL) {
700 len += s->l
701 }
702 va_end(ap);
703
704 buf = vmalloc(len);
705 if (buf == NULL) {
706 plog(LLV_ERROR, LOCATION, NULL,
707 "failed to get hash buffer\n");
708 return NULL;
709 }
710
711 /* set buffer */
712 va_start(ap, iph1);
713 p = buf->v;
714 while ((s = va_arg(ap, char *)) != NULL) {
715 memcpy(p, s->v, s->l);
716 p += s->l;
717 }
718 va_end(ap);
719
720 plog(LLV_DEBUG, LOCATION, NULL, "HASH with: \n");
721 plogdump(LLV_DEBUG, buf->v, buf->l);
722
723 /* compute HASH */
724 res = oakley_prf(iph1->skeyid_a, buf, iph1);
725 vfree(buf);
726 if (res == NULL)
727 return NULL;
728
729 plog(LLV_DEBUG, LOCATION, NULL, "HASH computed:\n");
730 plogdump(LLV_DEBUG, res->v, res->l);
731
732 return res;
733 }
734 #endif
735
736 /*
737 * compute HASH(3) prf(SKEYID_a, 0 | M-ID | Ni_b | Nr_b)
738 * see seciton 5.5 Phase 2 - Quick Mode in isakmp-oakley-05.
739 */
740 vchar_t *
oakley_compute_hash3(iph1,msgid,body)741 oakley_compute_hash3(iph1, msgid, body)
742 struct ph1handle *iph1;
743 u_int32_t msgid;
744 vchar_t *body;
745 {
746 vchar_t *buf = 0, *res = 0;
747 int len;
748 int error = -1;
749
750 /* create buffer */
751 len = 1 + sizeof(u_int32_t) + body->l;
752 buf = vmalloc(len);
753 if (buf == NULL) {
754 plog(LLV_DEBUG, LOCATION, NULL,
755 "failed to get hash buffer\n");
756 goto end;
757 }
758
759 buf->v[0] = 0;
760
761 memcpy(buf->v + 1, (char *)&msgid, sizeof(msgid));
762
763 memcpy(buf->v + 1 + sizeof(u_int32_t), body->v, body->l);
764
765 plog(LLV_DEBUG, LOCATION, NULL, "HASH with: \n");
766 plogdump(LLV_DEBUG, buf->v, buf->l);
767
768 /* compute HASH */
769 res = oakley_prf(iph1->skeyid_a, buf, iph1);
770 if (res == NULL)
771 goto end;
772
773 error = 0;
774
775 plog(LLV_DEBUG, LOCATION, NULL, "HASH computed:\n");
776 plogdump(LLV_DEBUG, res->v, res->l);
777
778 end:
779 if (buf != NULL)
780 vfree(buf);
781 return res;
782 }
783
784 /*
785 * compute HASH type of prf(SKEYID_a, M-ID | buffer)
786 * e.g.
787 * for quick mode HASH(1):
788 * prf(SKEYID_a, M-ID | SA | Ni [ | KE ] [ | IDci | IDcr ])
789 * for quick mode HASH(2):
790 * prf(SKEYID_a, M-ID | Ni_b | SA | Nr [ | KE ] [ | IDci | IDcr ])
791 * for Informational exchange:
792 * prf(SKEYID_a, M-ID | N/D)
793 */
794 vchar_t *
oakley_compute_hash1(iph1,msgid,body)795 oakley_compute_hash1(iph1, msgid, body)
796 struct ph1handle *iph1;
797 u_int32_t msgid;
798 vchar_t *body;
799 {
800 vchar_t *buf = NULL, *res = NULL;
801 char *p;
802 int len;
803 int error = -1;
804
805 /* create buffer */
806 len = sizeof(u_int32_t) + body->l;
807 buf = vmalloc(len);
808 if (buf == NULL) {
809 plog(LLV_DEBUG, LOCATION, NULL,
810 "failed to get hash buffer\n");
811 goto end;
812 }
813
814 p = buf->v;
815
816 memcpy(buf->v, (char *)&msgid, sizeof(msgid));
817 p += sizeof(u_int32_t);
818
819 memcpy(p, body->v, body->l);
820
821 plog(LLV_DEBUG, LOCATION, NULL, "HASH with:\n");
822 plogdump(LLV_DEBUG, buf->v, buf->l);
823
824 /* compute HASH */
825 res = oakley_prf(iph1->skeyid_a, buf, iph1);
826 if (res == NULL)
827 goto end;
828
829 error = 0;
830
831 plog(LLV_DEBUG, LOCATION, NULL, "HASH computed:\n");
832 plogdump(LLV_DEBUG, res->v, res->l);
833
834 end:
835 if (buf != NULL)
836 vfree(buf);
837 return res;
838 }
839
840 /*
841 * compute phase1 HASH
842 * main/aggressive
843 * I-digest = prf(SKEYID, g^i | g^r | CKY-I | CKY-R | SAi_b | ID_i1_b)
844 * R-digest = prf(SKEYID, g^r | g^i | CKY-R | CKY-I | SAi_b | ID_r1_b)
845 * for gssapi, also include all GSS tokens, and call gss_wrap on the result
846 */
847 vchar_t *
oakley_ph1hash_common(iph1,sw)848 oakley_ph1hash_common(iph1, sw)
849 struct ph1handle *iph1;
850 int sw;
851 {
852 vchar_t *buf = NULL, *res = NULL, *bp;
853 char *p, *bp2;
854 int len, bl;
855 int error = -1;
856 #ifdef HAVE_GSSAPI
857 vchar_t *gsstokens = NULL;
858 #endif
859
860 /* create buffer */
861 len = iph1->dhpub->l
862 + iph1->dhpub_p->l
863 + sizeof(cookie_t) * 2
864 + iph1->sa->l
865 + (sw == GENERATE ? iph1->id->l : iph1->id_p->l);
866
867 #ifdef HAVE_GSSAPI
868 if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) {
869 if (iph1->gi_i != NULL && iph1->gi_r != NULL) {
870 bp = (sw == GENERATE ? iph1->gi_i : iph1->gi_r);
871 len += bp->l;
872 }
873 if (sw == GENERATE)
874 gssapi_get_itokens(iph1, &gsstokens);
875 else
876 gssapi_get_rtokens(iph1, &gsstokens);
877 if (gsstokens == NULL)
878 return NULL;
879 len += gsstokens->l;
880 }
881 #endif
882
883 buf = vmalloc(len);
884 if (buf == NULL) {
885 plog(LLV_ERROR, LOCATION, NULL,
886 "failed to get hash buffer\n");
887 goto end;
888 }
889
890 p = buf->v;
891
892 bp = (sw == GENERATE ? iph1->dhpub : iph1->dhpub_p);
893 memcpy(p, bp->v, bp->l);
894 p += bp->l;
895
896 bp = (sw == GENERATE ? iph1->dhpub_p : iph1->dhpub);
897 memcpy(p, bp->v, bp->l);
898 p += bp->l;
899
900 if (iph1->side == INITIATOR)
901 bp2 = (sw == GENERATE ?
902 (char *)&iph1->index.i_ck : (char *)&iph1->index.r_ck);
903 else
904 bp2 = (sw == GENERATE ?
905 (char *)&iph1->index.r_ck : (char *)&iph1->index.i_ck);
906 bl = sizeof(cookie_t);
907 memcpy(p, bp2, bl);
908 p += bl;
909
910 if (iph1->side == INITIATOR)
911 bp2 = (sw == GENERATE ?
912 (char *)&iph1->index.r_ck : (char *)&iph1->index.i_ck);
913 else
914 bp2 = (sw == GENERATE ?
915 (char *)&iph1->index.i_ck : (char *)&iph1->index.r_ck);
916 bl = sizeof(cookie_t);
917 memcpy(p, bp2, bl);
918 p += bl;
919
920 bp = iph1->sa;
921 memcpy(p, bp->v, bp->l);
922 p += bp->l;
923
924 bp = (sw == GENERATE ? iph1->id : iph1->id_p);
925 memcpy(p, bp->v, bp->l);
926 p += bp->l;
927
928 #ifdef HAVE_GSSAPI
929 if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) {
930 if (iph1->gi_i != NULL && iph1->gi_r != NULL) {
931 bp = (sw == GENERATE ? iph1->gi_i : iph1->gi_r);
932 memcpy(p, bp->v, bp->l);
933 p += bp->l;
934 }
935 memcpy(p, gsstokens->v, gsstokens->l);
936 p += gsstokens->l;
937 }
938 #endif
939
940 plog(LLV_DEBUG, LOCATION, NULL, "HASH with:\n");
941 plogdump(LLV_DEBUG, buf->v, buf->l);
942
943 /* compute HASH */
944 res = oakley_prf(iph1->skeyid, buf, iph1);
945 if (res == NULL)
946 goto end;
947
948 error = 0;
949
950 plog(LLV_DEBUG, LOCATION, NULL, "HASH (%s) computed:\n",
951 iph1->side == INITIATOR ? "init" : "resp");
952 plogdump(LLV_DEBUG, res->v, res->l);
953
954 end:
955 if (buf != NULL)
956 vfree(buf);
957 #ifdef HAVE_GSSAPI
958 if (gsstokens != NULL)
959 vfree(gsstokens);
960 #endif
961 return res;
962 }
963
964 /*
965 * compute HASH_I on base mode.
966 * base:psk,rsa
967 * HASH_I = prf(SKEYID, g^xi | CKY-I | CKY-R | SAi_b | IDii_b)
968 * base:sig
969 * HASH_I = prf(hash(Ni_b | Nr_b), g^xi | CKY-I | CKY-R | SAi_b | IDii_b)
970 */
971 vchar_t *
oakley_ph1hash_base_i(iph1,sw)972 oakley_ph1hash_base_i(iph1, sw)
973 struct ph1handle *iph1;
974 int sw;
975 {
976 vchar_t *buf = NULL, *res = NULL, *bp;
977 vchar_t *hashkey = NULL;
978 vchar_t *hash = NULL; /* for signature mode */
979 char *p;
980 int len;
981 int error = -1;
982
983 /* sanity check */
984 if (iph1->etype != ISAKMP_ETYPE_BASE) {
985 plog(LLV_ERROR, LOCATION, NULL,
986 "invalid etype for this hash function\n");
987 return NULL;
988 }
989
990 switch (AUTHMETHOD(iph1)) {
991 case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
992 case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
993 case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
994 #ifdef ENABLE_HYBRID
995 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
996 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
997 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
998 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
999 case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
1000 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
1001 #endif
1002 if (iph1->skeyid == NULL) {
1003 plog(LLV_ERROR, LOCATION, NULL, "no SKEYID found.\n");
1004 return NULL;
1005 }
1006 hashkey = iph1->skeyid;
1007 break;
1008
1009 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
1010 case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
1011 #ifdef HAVE_GSSAPI
1012 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
1013 #endif
1014 #ifdef ENABLE_HYBRID
1015 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
1016 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
1017 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
1018 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
1019 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
1020 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
1021 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
1022 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
1023 #endif
1024 /* make hash for seed */
1025 len = iph1->nonce->l + iph1->nonce_p->l;
1026 buf = vmalloc(len);
1027 if (buf == NULL) {
1028 plog(LLV_ERROR, LOCATION, NULL,
1029 "failed to get hash buffer\n");
1030 goto end;
1031 }
1032 p = buf->v;
1033
1034 bp = (sw == GENERATE ? iph1->nonce_p : iph1->nonce);
1035 memcpy(p, bp->v, bp->l);
1036 p += bp->l;
1037
1038 bp = (sw == GENERATE ? iph1->nonce : iph1->nonce_p);
1039 memcpy(p, bp->v, bp->l);
1040 p += bp->l;
1041
1042 hash = oakley_hash(buf, iph1);
1043 if (hash == NULL)
1044 goto end;
1045 vfree(buf);
1046 buf = NULL;
1047
1048 hashkey = hash;
1049 break;
1050
1051 default:
1052 plog(LLV_ERROR, LOCATION, NULL,
1053 "not supported authentication method %d\n",
1054 iph1->approval->authmethod);
1055 return NULL;
1056
1057 }
1058
1059 len = (sw == GENERATE ? iph1->dhpub->l : iph1->dhpub_p->l)
1060 + sizeof(cookie_t) * 2
1061 + iph1->sa->l
1062 + (sw == GENERATE ? iph1->id->l : iph1->id_p->l);
1063 buf = vmalloc(len);
1064 if (buf == NULL) {
1065 plog(LLV_ERROR, LOCATION, NULL,
1066 "failed to get hash buffer\n");
1067 goto end;
1068 }
1069 p = buf->v;
1070
1071 bp = (sw == GENERATE ? iph1->dhpub : iph1->dhpub_p);
1072 memcpy(p, bp->v, bp->l);
1073 p += bp->l;
1074
1075 memcpy(p, &iph1->index.i_ck, sizeof(cookie_t));
1076 p += sizeof(cookie_t);
1077 memcpy(p, &iph1->index.r_ck, sizeof(cookie_t));
1078 p += sizeof(cookie_t);
1079
1080 memcpy(p, iph1->sa->v, iph1->sa->l);
1081 p += iph1->sa->l;
1082
1083 bp = (sw == GENERATE ? iph1->id : iph1->id_p);
1084 memcpy(p, bp->v, bp->l);
1085 p += bp->l;
1086
1087 plog(LLV_DEBUG, LOCATION, NULL, "HASH_I with:\n");
1088 plogdump(LLV_DEBUG, buf->v, buf->l);
1089
1090 /* compute HASH */
1091 res = oakley_prf(hashkey, buf, iph1);
1092 if (res == NULL)
1093 goto end;
1094
1095 error = 0;
1096
1097 plog(LLV_DEBUG, LOCATION, NULL, "HASH_I computed:\n");
1098 plogdump(LLV_DEBUG, res->v, res->l);
1099
1100 end:
1101 if (hash != NULL)
1102 vfree(hash);
1103 if (buf != NULL)
1104 vfree(buf);
1105 return res;
1106 }
1107
1108 /*
1109 * compute HASH_R on base mode for signature method.
1110 * base:
1111 * HASH_R = prf(hash(Ni_b | Nr_b), g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)
1112 */
1113 vchar_t *
oakley_ph1hash_base_r(iph1,sw)1114 oakley_ph1hash_base_r(iph1, sw)
1115 struct ph1handle *iph1;
1116 int sw;
1117 {
1118 vchar_t *buf = NULL, *res = NULL, *bp;
1119 vchar_t *hash = NULL;
1120 char *p;
1121 int len;
1122 int error = -1;
1123
1124 /* sanity check */
1125 if (iph1->etype != ISAKMP_ETYPE_BASE) {
1126 plog(LLV_ERROR, LOCATION, NULL,
1127 "invalid etype for this hash function\n");
1128 return NULL;
1129 }
1130
1131 switch(AUTHMETHOD(iph1)) {
1132 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
1133 case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
1134 #ifdef ENABLE_HYBRID
1135 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
1136 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
1137 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
1138 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
1139 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
1140 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
1141 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
1142 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
1143 case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
1144 #endif
1145 break;
1146 default:
1147 plog(LLV_ERROR, LOCATION, NULL,
1148 "not supported authentication method %d\n",
1149 iph1->approval->authmethod);
1150 return NULL;
1151 break;
1152 }
1153
1154 /* make hash for seed */
1155 len = iph1->nonce->l + iph1->nonce_p->l;
1156 buf = vmalloc(len);
1157 if (buf == NULL) {
1158 plog(LLV_ERROR, LOCATION, NULL,
1159 "failed to get hash buffer\n");
1160 goto end;
1161 }
1162 p = buf->v;
1163
1164 bp = (sw == GENERATE ? iph1->nonce_p : iph1->nonce);
1165 memcpy(p, bp->v, bp->l);
1166 p += bp->l;
1167
1168 bp = (sw == GENERATE ? iph1->nonce : iph1->nonce_p);
1169 memcpy(p, bp->v, bp->l);
1170 p += bp->l;
1171
1172 hash = oakley_hash(buf, iph1);
1173 if (hash == NULL)
1174 goto end;
1175 vfree(buf);
1176 buf = NULL;
1177
1178 /* make really hash */
1179 len = (sw == GENERATE ? iph1->dhpub_p->l : iph1->dhpub->l)
1180 + (sw == GENERATE ? iph1->dhpub->l : iph1->dhpub_p->l)
1181 + sizeof(cookie_t) * 2
1182 + iph1->sa->l
1183 + (sw == GENERATE ? iph1->id_p->l : iph1->id->l);
1184 buf = vmalloc(len);
1185 if (buf == NULL) {
1186 plog(LLV_ERROR, LOCATION, NULL,
1187 "failed to get hash buffer\n");
1188 goto end;
1189 }
1190 p = buf->v;
1191
1192
1193 bp = (sw == GENERATE ? iph1->dhpub_p : iph1->dhpub);
1194 memcpy(p, bp->v, bp->l);
1195 p += bp->l;
1196
1197 bp = (sw == GENERATE ? iph1->dhpub : iph1->dhpub_p);
1198 memcpy(p, bp->v, bp->l);
1199 p += bp->l;
1200
1201 memcpy(p, &iph1->index.i_ck, sizeof(cookie_t));
1202 p += sizeof(cookie_t);
1203 memcpy(p, &iph1->index.r_ck, sizeof(cookie_t));
1204 p += sizeof(cookie_t);
1205
1206 memcpy(p, iph1->sa->v, iph1->sa->l);
1207 p += iph1->sa->l;
1208
1209 bp = (sw == GENERATE ? iph1->id_p : iph1->id);
1210 memcpy(p, bp->v, bp->l);
1211 p += bp->l;
1212
1213 plog(LLV_DEBUG, LOCATION, NULL, "HASH_R with:\n");
1214 plogdump(LLV_DEBUG, buf->v, buf->l);
1215
1216 /* compute HASH */
1217 res = oakley_prf(hash, buf, iph1);
1218 if (res == NULL)
1219 goto end;
1220
1221 error = 0;
1222
1223 plog(LLV_DEBUG, LOCATION, NULL, "HASH_R computed:\n");
1224 plogdump(LLV_DEBUG, res->v, res->l);
1225
1226 end:
1227 if (buf != NULL)
1228 vfree(buf);
1229 if (hash)
1230 vfree(hash);
1231 return res;
1232 }
1233
1234 /*
1235 * compute each authentication method in phase 1.
1236 * OUT:
1237 * 0: OK
1238 * -1: error
1239 * other: error to be reply with notification.
1240 * the value is notification type.
1241 */
1242 int
oakley_validate_auth(iph1)1243 oakley_validate_auth(iph1)
1244 struct ph1handle *iph1;
1245 {
1246 vchar_t *my_hash = NULL;
1247 int result;
1248 #ifdef HAVE_GSSAPI
1249 vchar_t *gsshash = NULL;
1250 #endif
1251 #ifdef ENABLE_STATS
1252 struct timeval start, end;
1253 #endif
1254
1255 #ifdef ENABLE_STATS
1256 gettimeofday(&start, NULL);
1257 #endif
1258
1259 switch (AUTHMETHOD(iph1)) {
1260 case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
1261 #ifdef ENABLE_HYBRID
1262 case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
1263 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
1264 #endif
1265 /* validate HASH */
1266 {
1267 char *r_hash;
1268
1269 if (iph1->id_p == NULL || iph1->pl_hash == NULL) {
1270 plog(LLV_ERROR, LOCATION, iph1->remote,
1271 "few isakmp message received.\n");
1272 return ISAKMP_NTYPE_PAYLOAD_MALFORMED;
1273 }
1274 #ifdef ENABLE_HYBRID
1275 if (AUTHMETHOD(iph1) == FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I &&
1276 ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0))
1277 {
1278 plog(LLV_ERROR, LOCATION, NULL, "No SIG was passed, "
1279 "hybrid auth is enabled, "
1280 "but peer is no Xauth compliant\n");
1281 return ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED;
1282 break;
1283 }
1284 #endif
1285 r_hash = (caddr_t)(iph1->pl_hash + 1);
1286
1287 plog(LLV_DEBUG, LOCATION, NULL, "HASH received:\n");
1288 plogdump(LLV_DEBUG, r_hash,
1289 ntohs(iph1->pl_hash->h.len) - sizeof(*iph1->pl_hash));
1290
1291 switch (iph1->etype) {
1292 case ISAKMP_ETYPE_IDENT:
1293 case ISAKMP_ETYPE_AGG:
1294 my_hash = oakley_ph1hash_common(iph1, VALIDATE);
1295 break;
1296 case ISAKMP_ETYPE_BASE:
1297 if (iph1->side == INITIATOR)
1298 my_hash = oakley_ph1hash_common(iph1, VALIDATE);
1299 else
1300 my_hash = oakley_ph1hash_base_i(iph1, VALIDATE);
1301 break;
1302 default:
1303 plog(LLV_ERROR, LOCATION, NULL,
1304 "invalid etype %d\n", iph1->etype);
1305 return ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE;
1306 }
1307 if (my_hash == NULL)
1308 return ISAKMP_INTERNAL_ERROR;
1309
1310 result = memcmp(my_hash->v, r_hash, my_hash->l);
1311 vfree(my_hash);
1312
1313 if (result) {
1314 plog(LLV_ERROR, LOCATION, NULL, "HASH mismatched\n");
1315 return ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
1316 }
1317
1318 plog(LLV_DEBUG, LOCATION, NULL, "HASH for PSK validated.\n");
1319 }
1320 break;
1321 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
1322 case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
1323 #ifdef ENABLE_HYBRID
1324 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
1325 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
1326 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
1327 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
1328 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
1329 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
1330 #endif
1331 {
1332 int error = 0;
1333 int certtype = 0;
1334
1335 /* validation */
1336 if (iph1->id_p == NULL) {
1337 plog(LLV_ERROR, LOCATION, iph1->remote,
1338 "no ID payload was passed.\n");
1339 return ISAKMP_NTYPE_PAYLOAD_MALFORMED;
1340 }
1341 if (iph1->sig_p == NULL) {
1342 plog(LLV_ERROR, LOCATION, iph1->remote,
1343 "no SIG payload was passed.\n");
1344 return ISAKMP_NTYPE_PAYLOAD_MALFORMED;
1345 }
1346
1347 plog(LLV_DEBUG, LOCATION, NULL, "SIGN passed:\n");
1348 plogdump(LLV_DEBUG, iph1->sig_p->v, iph1->sig_p->l);
1349
1350 /* get peer's cert */
1351 switch (iph1->rmconf->getcert_method) {
1352 case ISAKMP_GETCERT_PAYLOAD:
1353 if (iph1->cert_p == NULL) {
1354 plog(LLV_ERROR, LOCATION, NULL,
1355 "no peer's CERT payload found.\n");
1356 return ISAKMP_INTERNAL_ERROR;
1357 }
1358 break;
1359 case ISAKMP_GETCERT_LOCALFILE:
1360 switch (iph1->rmconf->certtype) {
1361 case ISAKMP_CERT_X509SIGN:
1362 if (iph1->rmconf->peerscertfile == NULL) {
1363 plog(LLV_ERROR, LOCATION, NULL,
1364 "no peer's CERT file found.\n");
1365 return ISAKMP_INTERNAL_ERROR;
1366 }
1367
1368 /* don't use cached cert */
1369 if (iph1->cert_p != NULL) {
1370 oakley_delcert(iph1->cert_p);
1371 iph1->cert_p = NULL;
1372 }
1373
1374 error = get_cert_fromlocal(iph1, 0);
1375 #ifdef ANDROID_PATCHED
1376 if (!error)
1377 break;
1378 default:
1379 return ISAKMP_INTERNAL_ERROR;
1380 #else
1381 break;
1382
1383 case ISAKMP_CERT_PLAINRSA:
1384 error = get_plainrsa_fromlocal(iph1, 0);
1385 break;
1386 }
1387 if (error)
1388 return ISAKMP_INTERNAL_ERROR;
1389 break;
1390 case ISAKMP_GETCERT_DNS:
1391 if (iph1->rmconf->peerscertfile != NULL) {
1392 plog(LLV_ERROR, LOCATION, NULL,
1393 "why peer's CERT file is defined "
1394 "though getcert method is dns ?\n");
1395 return ISAKMP_INTERNAL_ERROR;
1396 }
1397
1398 /* don't use cached cert */
1399 if (iph1->cert_p != NULL) {
1400 oakley_delcert(iph1->cert_p);
1401 iph1->cert_p = NULL;
1402 }
1403
1404 iph1->cert_p = dnssec_getcert(iph1->id_p);
1405 if (iph1->cert_p == NULL) {
1406 plog(LLV_ERROR, LOCATION, NULL,
1407 "no CERT RR found.\n");
1408 return ISAKMP_INTERNAL_ERROR;
1409 #endif
1410 }
1411 break;
1412 default:
1413 plog(LLV_ERROR, LOCATION, NULL,
1414 "invalid getcert_mothod: %d\n",
1415 iph1->rmconf->getcert_method);
1416 return ISAKMP_INTERNAL_ERROR;
1417 }
1418
1419 /* compare ID payload and certificate name */
1420 if (iph1->rmconf->verify_cert &&
1421 (error = oakley_check_certid(iph1)) != 0)
1422 return error;
1423
1424 /* verify certificate */
1425 if (iph1->rmconf->verify_cert
1426 && iph1->rmconf->getcert_method == ISAKMP_GETCERT_PAYLOAD) {
1427 certtype = iph1->rmconf->certtype;
1428 #ifdef ENABLE_HYBRID
1429 switch (AUTHMETHOD(iph1)) {
1430 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
1431 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
1432 certtype = iph1->cert_p->type;
1433 break;
1434 default:
1435 break;
1436 }
1437 #endif
1438 switch (certtype) {
1439 case ISAKMP_CERT_X509SIGN: {
1440 char path[MAXPATHLEN];
1441 char *ca;
1442
1443 if (iph1->rmconf->cacertfile != NULL) {
1444 getpathname(path, sizeof(path),
1445 LC_PATHTYPE_CERT,
1446 iph1->rmconf->cacertfile);
1447 ca = path;
1448 } else {
1449 ca = NULL;
1450 }
1451
1452 error = eay_check_x509cert(&iph1->cert_p->cert,
1453 lcconf->pathinfo[LC_PATHTYPE_CERT],
1454 ca, 0);
1455 break;
1456 }
1457
1458 default:
1459 plog(LLV_ERROR, LOCATION, NULL,
1460 "no supported certtype %d\n", certtype);
1461 return ISAKMP_INTERNAL_ERROR;
1462 }
1463 if (error != 0) {
1464 plog(LLV_ERROR, LOCATION, NULL,
1465 "the peer's certificate is not verified.\n");
1466 return ISAKMP_NTYPE_INVALID_CERT_AUTHORITY;
1467 }
1468 }
1469
1470 /* Generate a warning if verify_cert == 0
1471 */
1472 if (iph1->rmconf->verify_cert){
1473 plog(LLV_DEBUG, LOCATION, NULL, "CERT validated\n");
1474 }else{
1475 plog(LLV_WARNING, LOCATION, NULL,
1476 "CERT validation disabled by configuration\n");
1477 }
1478
1479 /* compute hash */
1480 switch (iph1->etype) {
1481 case ISAKMP_ETYPE_IDENT:
1482 case ISAKMP_ETYPE_AGG:
1483 my_hash = oakley_ph1hash_common(iph1, VALIDATE);
1484 break;
1485 case ISAKMP_ETYPE_BASE:
1486 if (iph1->side == INITIATOR)
1487 my_hash = oakley_ph1hash_base_r(iph1, VALIDATE);
1488 else
1489 my_hash = oakley_ph1hash_base_i(iph1, VALIDATE);
1490 break;
1491 default:
1492 plog(LLV_ERROR, LOCATION, NULL,
1493 "invalid etype %d\n", iph1->etype);
1494 return ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE;
1495 }
1496 if (my_hash == NULL)
1497 return ISAKMP_INTERNAL_ERROR;
1498
1499
1500 certtype = iph1->rmconf->certtype;
1501 #ifdef ENABLE_HYBRID
1502 switch (AUTHMETHOD(iph1)) {
1503 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
1504 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
1505 certtype = iph1->cert_p->type;
1506 break;
1507 default:
1508 break;
1509 }
1510 #endif
1511 /* check signature */
1512 switch (certtype) {
1513 case ISAKMP_CERT_X509SIGN:
1514 case ISAKMP_CERT_DNS:
1515 error = eay_check_x509sign(my_hash,
1516 iph1->sig_p,
1517 &iph1->cert_p->cert);
1518 break;
1519 #ifndef ANDROID_PATCHED
1520 case ISAKMP_CERT_PLAINRSA:
1521 iph1->rsa_p = rsa_try_check_rsasign(my_hash,
1522 iph1->sig_p, iph1->rsa_candidates);
1523 error = iph1->rsa_p ? 0 : -1;
1524
1525 break;
1526 #endif
1527 default:
1528 plog(LLV_ERROR, LOCATION, NULL,
1529 "no supported certtype %d\n",
1530 certtype);
1531 vfree(my_hash);
1532 return ISAKMP_INTERNAL_ERROR;
1533 }
1534
1535 vfree(my_hash);
1536 if (error != 0) {
1537 plog(LLV_ERROR, LOCATION, NULL,
1538 "Invalid SIG.\n");
1539 return ISAKMP_NTYPE_INVALID_SIGNATURE;
1540 }
1541 plog(LLV_DEBUG, LOCATION, NULL, "SIG authenticated\n");
1542 }
1543 break;
1544 #ifdef ENABLE_HYBRID
1545 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
1546 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
1547 {
1548 if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) {
1549 plog(LLV_ERROR, LOCATION, NULL, "No SIG was passed, "
1550 "hybrid auth is enabled, "
1551 "but peer is no Xauth compliant\n");
1552 return ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED;
1553 break;
1554 }
1555 plog(LLV_INFO, LOCATION, NULL, "No SIG was passed, "
1556 "but hybrid auth is enabled\n");
1557
1558 return 0;
1559 break;
1560 }
1561 #endif
1562 #ifdef HAVE_GSSAPI
1563 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
1564 /* check if we're not into XAUTH_PSKEY_I instead */
1565 #ifdef ENABLE_HYBRID
1566 if (iph1->rmconf->xauth)
1567 break;
1568 #endif
1569 switch (iph1->etype) {
1570 case ISAKMP_ETYPE_IDENT:
1571 case ISAKMP_ETYPE_AGG:
1572 my_hash = oakley_ph1hash_common(iph1, VALIDATE);
1573 break;
1574 default:
1575 plog(LLV_ERROR, LOCATION, NULL,
1576 "invalid etype %d\n", iph1->etype);
1577 return ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE;
1578 }
1579
1580 if (my_hash == NULL) {
1581 if (gssapi_more_tokens(iph1))
1582 return ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE;
1583 else
1584 return ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
1585 }
1586
1587 gsshash = gssapi_unwraphash(iph1);
1588 if (gsshash == NULL) {
1589 vfree(my_hash);
1590 return ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
1591 }
1592
1593 result = memcmp(my_hash->v, gsshash->v, my_hash->l);
1594 vfree(my_hash);
1595 vfree(gsshash);
1596
1597 if (result) {
1598 plog(LLV_ERROR, LOCATION, NULL, "HASH mismatched\n");
1599 return ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
1600 }
1601 plog(LLV_DEBUG, LOCATION, NULL, "hash compared OK\n");
1602 break;
1603 #endif
1604 case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
1605 case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
1606 #ifdef ENABLE_HYBRID
1607 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
1608 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
1609 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
1610 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
1611 #endif
1612 if (iph1->id_p == NULL || iph1->pl_hash == NULL) {
1613 plog(LLV_ERROR, LOCATION, iph1->remote,
1614 "few isakmp message received.\n");
1615 return ISAKMP_NTYPE_PAYLOAD_MALFORMED;
1616 }
1617 plog(LLV_ERROR, LOCATION, iph1->remote,
1618 "not supported authmethod type %s\n",
1619 s_oakley_attr_method(iph1->approval->authmethod));
1620 return ISAKMP_INTERNAL_ERROR;
1621 default:
1622 plog(LLV_ERROR, LOCATION, iph1->remote,
1623 "invalid authmethod %d why ?\n",
1624 iph1->approval->authmethod);
1625 return ISAKMP_INTERNAL_ERROR;
1626 }
1627 #ifdef ENABLE_STATS
1628 gettimeofday(&end, NULL);
1629 syslog(LOG_NOTICE, "%s(%s): %8.6f", __func__,
1630 s_oakley_attr_method(iph1->approval->authmethod),
1631 timedelta(&start, &end));
1632 #endif
1633
1634 return 0;
1635 }
1636
1637 /* get my certificate
1638 * NOTE: include certificate type.
1639 */
1640 int
oakley_getmycert(iph1)1641 oakley_getmycert(iph1)
1642 struct ph1handle *iph1;
1643 {
1644 switch (iph1->rmconf->certtype) {
1645 case ISAKMP_CERT_X509SIGN:
1646 if (iph1->cert)
1647 return 0;
1648 return get_cert_fromlocal(iph1, 1);
1649
1650 #ifndef ANDROID_PATCHED
1651 case ISAKMP_CERT_PLAINRSA:
1652 if (iph1->rsa)
1653 return 0;
1654 return get_plainrsa_fromlocal(iph1, 1);
1655 #endif
1656
1657 default:
1658 plog(LLV_ERROR, LOCATION, NULL,
1659 "Unknown certtype #%d\n",
1660 iph1->rmconf->certtype);
1661 return -1;
1662 }
1663
1664 }
1665
1666 /*
1667 * get a CERT from local file.
1668 * IN:
1669 * my != 0 my cert.
1670 * my == 0 peer's cert.
1671 */
1672 static int
get_cert_fromlocal(iph1,my)1673 get_cert_fromlocal(iph1, my)
1674 struct ph1handle *iph1;
1675 int my;
1676 {
1677 char path[MAXPATHLEN];
1678 vchar_t *cert = NULL;
1679 cert_t **certpl;
1680 char *certfile;
1681 int error = -1;
1682
1683 if (my) {
1684 certfile = iph1->rmconf->mycertfile;
1685 certpl = &iph1->cert;
1686 } else {
1687 certfile = iph1->rmconf->peerscertfile;
1688 certpl = &iph1->cert_p;
1689 }
1690 if (!certfile) {
1691 plog(LLV_ERROR, LOCATION, NULL, "no CERT defined.\n");
1692 return 0;
1693 }
1694
1695 switch (iph1->rmconf->certtype) {
1696 case ISAKMP_CERT_X509SIGN:
1697 case ISAKMP_CERT_DNS:
1698 /* make public file name */
1699 getpathname(path, sizeof(path), LC_PATHTYPE_CERT, certfile);
1700 cert = eay_get_x509cert(path);
1701 if (cert) {
1702 char *p = NULL;
1703 p = eay_get_x509text(cert);
1704 plog(LLV_DEBUG, LOCATION, NULL, "%s", p ? p : "\n");
1705 racoon_free(p);
1706 };
1707 break;
1708
1709 default:
1710 plog(LLV_ERROR, LOCATION, NULL,
1711 "not supported certtype %d\n",
1712 iph1->rmconf->certtype);
1713 goto end;
1714 }
1715
1716 if (!cert) {
1717 plog(LLV_ERROR, LOCATION, NULL,
1718 "failed to get %s CERT.\n",
1719 my ? "my" : "peers");
1720 goto end;
1721 }
1722
1723 *certpl = oakley_newcert();
1724 if (!*certpl) {
1725 plog(LLV_ERROR, LOCATION, NULL,
1726 "failed to get cert buffer.\n");
1727 goto end;
1728 }
1729 (*certpl)->pl = vmalloc(cert->l + 1);
1730 if ((*certpl)->pl == NULL) {
1731 plog(LLV_ERROR, LOCATION, NULL,
1732 "failed to get cert buffer\n");
1733 oakley_delcert(*certpl);
1734 *certpl = NULL;
1735 goto end;
1736 }
1737 memcpy((*certpl)->pl->v + 1, cert->v, cert->l);
1738 (*certpl)->pl->v[0] = iph1->rmconf->certtype;
1739 (*certpl)->type = iph1->rmconf->certtype;
1740 (*certpl)->cert.v = (*certpl)->pl->v + 1;
1741 (*certpl)->cert.l = (*certpl)->pl->l - 1;
1742
1743 plog(LLV_DEBUG, LOCATION, NULL, "created CERT payload:\n");
1744 plogdump(LLV_DEBUG, (*certpl)->pl->v, (*certpl)->pl->l);
1745
1746 error = 0;
1747
1748 end:
1749 if (cert != NULL)
1750 vfree(cert);
1751
1752 return error;
1753 }
1754
1755 #ifndef ANDROID_PATCHED
1756 static int
get_plainrsa_fromlocal(iph1,my)1757 get_plainrsa_fromlocal(iph1, my)
1758 struct ph1handle *iph1;
1759 int my;
1760 {
1761 char path[MAXPATHLEN];
1762 vchar_t *cert = NULL;
1763 char *certfile;
1764 int error = -1;
1765
1766 iph1->rsa_candidates = rsa_lookup_keys(iph1, my);
1767 if (!iph1->rsa_candidates ||
1768 rsa_list_count(iph1->rsa_candidates) == 0) {
1769 plog(LLV_ERROR, LOCATION, NULL,
1770 "%s RSA key not found for %s\n",
1771 my ? "Private" : "Public",
1772 saddr2str_fromto("%s <-> %s",
1773 iph1->local, iph1->remote));
1774 goto end;
1775 }
1776
1777 if (my && rsa_list_count(iph1->rsa_candidates) > 1) {
1778 plog(LLV_WARNING, LOCATION, NULL,
1779 "More than one (=%lu) private "
1780 "PlainRSA key found for %s\n",
1781 rsa_list_count(iph1->rsa_candidates),
1782 saddr2str_fromto("%s <-> %s",
1783 iph1->local, iph1->remote));
1784 plog(LLV_WARNING, LOCATION, NULL,
1785 "This may have unpredictable results, "
1786 "i.e. wrong key could be used!\n");
1787 plog(LLV_WARNING, LOCATION, NULL,
1788 "Consider using only one single private "
1789 "key for all peers...\n");
1790 }
1791 if (my) {
1792 iph1->rsa = ((struct rsa_key *)
1793 genlist_next(iph1->rsa_candidates, NULL))->rsa;
1794
1795 genlist_free(iph1->rsa_candidates, NULL);
1796 iph1->rsa_candidates = NULL;
1797
1798 if (iph1->rsa == NULL)
1799 goto end;
1800 }
1801
1802 error = 0;
1803
1804 end:
1805 return error;
1806 }
1807 #endif
1808
1809 #ifdef ANDROID_CHANGES
1810
1811 #if defined(OPENSSL_IS_BORINGSSL)
1812 /* EVP_PKEY_from_keystore is from system/security/keystore-engine. */
1813 extern EVP_PKEY* EVP_PKEY_from_keystore(const char *key_id);
1814 #endif
1815
keystore_sign(vchar_t * src,const char * path)1816 static vchar_t* keystore_sign(vchar_t* src, const char* path) {
1817 vchar_t* sig = NULL;
1818 EVP_PKEY *evp = NULL;
1819
1820 #if !defined(OPENSSL_IS_BORINGSSL)
1821 ENGINE *engine = ENGINE_by_id("keystore");
1822 if (!engine) {
1823 return NULL;
1824 }
1825 if (!ENGINE_init(engine)) {
1826 ENGINE_free(engine);
1827 return NULL;
1828 }
1829 #endif
1830
1831 const char *key_id;
1832 if (sscanf(path, pname, &key_id) != 1) {
1833 do_plog(LLV_ERROR, "couldn't read private key info\n");
1834 goto out;
1835 }
1836
1837 #if !defined(OPENSSL_IS_BORINGSSL)
1838 evp = ENGINE_load_private_key(engine, key_id, NULL, NULL);
1839 #else
1840 evp = EVP_PKEY_from_keystore(key_id);
1841 #endif
1842 if (!evp) {
1843 do_plog(LLV_ERROR, "couldn't retrieve private key");
1844 ERR_remove_thread_state(NULL);
1845 goto out;
1846 }
1847
1848 if (EVP_PKEY_id(evp) == EVP_PKEY_RSA) {
1849 sig = eay_rsa_sign(src, EVP_PKEY_get0_RSA(evp));
1850 }
1851
1852 out:
1853 if (evp) {
1854 EVP_PKEY_free(evp);
1855 }
1856
1857 #if !defined(OPENSSL_IS_BORINGSSL)
1858 ENGINE_finish(engine);
1859 ENGINE_free(engine);
1860 #endif
1861
1862 return sig;
1863 }
1864 #endif
1865
1866 /* get signature */
1867 int
oakley_getsign(iph1)1868 oakley_getsign(iph1)
1869 struct ph1handle *iph1;
1870 {
1871 char path[MAXPATHLEN];
1872 vchar_t *privkey = NULL;
1873 int error = -1;
1874
1875 switch (iph1->rmconf->certtype) {
1876 case ISAKMP_CERT_X509SIGN:
1877 case ISAKMP_CERT_DNS:
1878 if (iph1->rmconf->myprivfile == NULL) {
1879 plog(LLV_ERROR, LOCATION, NULL, "no cert defined.\n");
1880 goto end;
1881 }
1882
1883 /* make private file name */
1884 getpathname(path, sizeof(path),
1885 LC_PATHTYPE_CERT,
1886 iph1->rmconf->myprivfile);
1887 #ifdef ANDROID_CHANGES
1888 iph1->sig = keystore_sign(iph1->hash, path);
1889 #else
1890 privkey = privsep_eay_get_pkcs1privkey(path);
1891 if (privkey == NULL) {
1892 plog(LLV_ERROR, LOCATION, NULL,
1893 "failed to get private key.\n");
1894 goto end;
1895 }
1896 plog(LLV_DEBUG2, LOCATION, NULL, "private key:\n");
1897 plogdump(LLV_DEBUG2, privkey->v, privkey->l);
1898
1899 iph1->sig = eay_get_x509sign(iph1->hash, privkey);
1900 #endif
1901 break;
1902 #ifndef ANDROID_PATCHED
1903 case ISAKMP_CERT_PLAINRSA:
1904 iph1->sig = eay_get_rsasign(iph1->hash, iph1->rsa);
1905 break;
1906 #endif
1907 default:
1908 plog(LLV_ERROR, LOCATION, NULL,
1909 "Unknown certtype #%d\n",
1910 iph1->rmconf->certtype);
1911 goto end;
1912 }
1913
1914 if (iph1->sig == NULL) {
1915 plog(LLV_ERROR, LOCATION, NULL, "failed to sign.\n");
1916 goto end;
1917 }
1918
1919 plog(LLV_DEBUG, LOCATION, NULL, "SIGN computed:\n");
1920 plogdump(LLV_DEBUG, iph1->sig->v, iph1->sig->l);
1921
1922 error = 0;
1923
1924 end:
1925 if (privkey != NULL)
1926 vfree(privkey);
1927
1928 return error;
1929 }
1930
1931 /*
1932 * compare certificate name and ID value.
1933 */
1934 static int
oakley_check_certid(iph1)1935 oakley_check_certid(iph1)
1936 struct ph1handle *iph1;
1937 {
1938 struct ipsecdoi_id_b *id_b;
1939 vchar_t *name = NULL;
1940 char *altname = NULL;
1941 int idlen, type;
1942 int error;
1943
1944 if (iph1->id_p == NULL || iph1->cert_p == NULL) {
1945 plog(LLV_ERROR, LOCATION, NULL, "no ID nor CERT found.\n");
1946 return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
1947 }
1948
1949 id_b = (struct ipsecdoi_id_b *)iph1->id_p->v;
1950 idlen = iph1->id_p->l - sizeof(*id_b);
1951
1952 switch (id_b->type) {
1953 case IPSECDOI_ID_DER_ASN1_DN:
1954 name = eay_get_x509asn1subjectname(&iph1->cert_p->cert);
1955 if (!name) {
1956 plog(LLV_ERROR, LOCATION, NULL,
1957 "failed to get subjectName\n");
1958 return ISAKMP_NTYPE_INVALID_CERTIFICATE;
1959 }
1960 if (idlen != name->l) {
1961 plog(LLV_ERROR, LOCATION, NULL,
1962 "Invalid ID length in phase 1.\n");
1963 vfree(name);
1964 return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
1965 }
1966 error = memcmp(id_b + 1, name->v, idlen);
1967 vfree(name);
1968 if (error != 0) {
1969 plog(LLV_ERROR, LOCATION, NULL,
1970 "ID mismatched with ASN1 SubjectName.\n");
1971 plogdump(LLV_DEBUG, id_b + 1, idlen);
1972 plogdump(LLV_DEBUG, name->v, idlen);
1973 return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
1974 }
1975 return 0;
1976 case IPSECDOI_ID_IPV4_ADDR:
1977 case IPSECDOI_ID_IPV6_ADDR:
1978 {
1979 /*
1980 * converting to binary from string because openssl return
1981 * a string even if object is a binary.
1982 * XXX fix it ! access by ASN.1 directly without.
1983 */
1984 struct addrinfo hints, *res;
1985 caddr_t a = NULL;
1986 int pos;
1987
1988 for (pos = 1; ; pos++) {
1989 if (eay_get_x509subjectaltname(&iph1->cert_p->cert,
1990 &altname, &type, pos) !=0) {
1991 plog(LLV_ERROR, LOCATION, NULL,
1992 "failed to get subjectAltName\n");
1993 return ISAKMP_NTYPE_INVALID_CERTIFICATE;
1994 }
1995
1996 /* it's the end condition of the loop. */
1997 if (!altname) {
1998 plog(LLV_ERROR, LOCATION, NULL,
1999 "no proper subjectAltName.\n");
2000 return ISAKMP_NTYPE_INVALID_CERTIFICATE;
2001 }
2002
2003 if (check_typeofcertname(id_b->type, type) == 0)
2004 break;
2005
2006 /* next name */
2007 racoon_free(altname);
2008 altname = NULL;
2009 }
2010 memset(&hints, 0, sizeof(hints));
2011 hints.ai_family = PF_UNSPEC;
2012 hints.ai_socktype = SOCK_RAW;
2013 hints.ai_flags = AI_NUMERICHOST;
2014 error = getaddrinfo(altname, NULL, &hints, &res);
2015 if (error != 0) {
2016 plog(LLV_ERROR, LOCATION, NULL,
2017 "no proper subjectAltName.\n");
2018 racoon_free(altname);
2019 return ISAKMP_NTYPE_INVALID_CERTIFICATE;
2020 }
2021 switch (res->ai_family) {
2022 case AF_INET:
2023 a = (caddr_t)&((struct sockaddr_in *)res->ai_addr)->sin_addr.s_addr;
2024 break;
2025 #ifdef INET6
2026 case AF_INET6:
2027 a = (caddr_t)&((struct sockaddr_in6 *)res->ai_addr)->sin6_addr.s6_addr;
2028 break;
2029 #endif
2030 default:
2031 plog(LLV_ERROR, LOCATION, NULL,
2032 "family not supported: %d.\n", res->ai_family);
2033 racoon_free(altname);
2034 freeaddrinfo(res);
2035 return ISAKMP_NTYPE_INVALID_CERTIFICATE;
2036 }
2037 error = memcmp(id_b + 1, a, idlen);
2038 freeaddrinfo(res);
2039 vfree(name);
2040 if (error != 0) {
2041 plog(LLV_ERROR, LOCATION, NULL,
2042 "ID mismatched with subjectAltName.\n");
2043 plogdump(LLV_DEBUG, id_b + 1, idlen);
2044 plogdump(LLV_DEBUG, a, idlen);
2045 return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
2046 }
2047 return 0;
2048 }
2049 case IPSECDOI_ID_FQDN:
2050 case IPSECDOI_ID_USER_FQDN:
2051 {
2052 int pos;
2053
2054 for (pos = 1; ; pos++) {
2055 if (eay_get_x509subjectaltname(&iph1->cert_p->cert,
2056 &altname, &type, pos) != 0){
2057 plog(LLV_ERROR, LOCATION, NULL,
2058 "failed to get subjectAltName\n");
2059 return ISAKMP_NTYPE_INVALID_CERTIFICATE;
2060 }
2061
2062 /* it's the end condition of the loop. */
2063 if (!altname) {
2064 plog(LLV_ERROR, LOCATION, NULL,
2065 "no proper subjectAltName.\n");
2066 return ISAKMP_NTYPE_INVALID_CERTIFICATE;
2067 }
2068
2069 if (check_typeofcertname(id_b->type, type) == 0)
2070 break;
2071
2072 /* next name */
2073 racoon_free(altname);
2074 altname = NULL;
2075 }
2076 if (idlen != strlen(altname)) {
2077 plog(LLV_ERROR, LOCATION, NULL,
2078 "Invalid ID length in phase 1.\n");
2079 racoon_free(altname);
2080 return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
2081 }
2082 if (check_typeofcertname(id_b->type, type) != 0) {
2083 plog(LLV_ERROR, LOCATION, NULL,
2084 "ID type mismatched. ID: %s CERT: %s.\n",
2085 s_ipsecdoi_ident(id_b->type),
2086 s_ipsecdoi_ident(type));
2087 racoon_free(altname);
2088 return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
2089 }
2090 error = memcmp(id_b + 1, altname, idlen);
2091 if (error) {
2092 plog(LLV_ERROR, LOCATION, NULL, "ID mismatched.\n");
2093 plogdump(LLV_DEBUG, id_b + 1, idlen);
2094 plogdump(LLV_DEBUG, altname, idlen);
2095 racoon_free(altname);
2096 return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
2097 }
2098 racoon_free(altname);
2099 return 0;
2100 }
2101 default:
2102 plog(LLV_ERROR, LOCATION, NULL,
2103 "Inpropper ID type passed: %s.\n",
2104 s_ipsecdoi_ident(id_b->type));
2105 return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
2106 }
2107 /*NOTREACHED*/
2108 }
2109
2110 static int
check_typeofcertname(doi,genid)2111 check_typeofcertname(doi, genid)
2112 int doi, genid;
2113 {
2114 switch (doi) {
2115 case IPSECDOI_ID_IPV4_ADDR:
2116 case IPSECDOI_ID_IPV4_ADDR_SUBNET:
2117 case IPSECDOI_ID_IPV6_ADDR:
2118 case IPSECDOI_ID_IPV6_ADDR_SUBNET:
2119 case IPSECDOI_ID_IPV4_ADDR_RANGE:
2120 case IPSECDOI_ID_IPV6_ADDR_RANGE:
2121 if (genid != GENT_IPADD)
2122 return -1;
2123 return 0;
2124 case IPSECDOI_ID_FQDN:
2125 if (genid != GENT_DNS)
2126 return -1;
2127 return 0;
2128 case IPSECDOI_ID_USER_FQDN:
2129 if (genid != GENT_EMAIL)
2130 return -1;
2131 return 0;
2132 case IPSECDOI_ID_DER_ASN1_DN: /* should not be passed to this function*/
2133 case IPSECDOI_ID_DER_ASN1_GN:
2134 case IPSECDOI_ID_KEY_ID:
2135 default:
2136 return -1;
2137 }
2138 /*NOTREACHED*/
2139 }
2140
2141 /*
2142 * save certificate including certificate type.
2143 */
2144 int
oakley_savecert(iph1,gen)2145 oakley_savecert(iph1, gen)
2146 struct ph1handle *iph1;
2147 struct isakmp_gen *gen;
2148 {
2149 cert_t **c;
2150 u_int8_t type;
2151 STACK_OF(X509) *certs=NULL;
2152 #if !defined(OPENSSL_IS_BORINGSSL)
2153 PKCS7 *p7;
2154 #endif
2155
2156 type = *(u_int8_t *)(gen + 1) & 0xff;
2157
2158 switch (type) {
2159 case ISAKMP_CERT_DNS:
2160 plog(LLV_WARNING, LOCATION, NULL,
2161 "CERT payload is unnecessary in DNSSEC. "
2162 "ignore this CERT payload.\n");
2163 return 0;
2164 case ISAKMP_CERT_PKCS7:
2165 case ISAKMP_CERT_PGP:
2166 case ISAKMP_CERT_X509SIGN:
2167 case ISAKMP_CERT_KERBEROS:
2168 case ISAKMP_CERT_SPKI:
2169 c = &iph1->cert_p;
2170 break;
2171 case ISAKMP_CERT_CRL:
2172 c = &iph1->crl_p;
2173 break;
2174 case ISAKMP_CERT_X509KE:
2175 case ISAKMP_CERT_X509ATTR:
2176 case ISAKMP_CERT_ARL:
2177 plog(LLV_ERROR, LOCATION, NULL,
2178 "No supported such CERT type %d\n", type);
2179 return -1;
2180 default:
2181 plog(LLV_ERROR, LOCATION, NULL,
2182 "Invalid CERT type %d\n", type);
2183 return -1;
2184 }
2185
2186 /* XXX choice the 1th cert, ignore after the cert. */
2187 /* XXX should be processed. */
2188 if (*c) {
2189 plog(LLV_WARNING, LOCATION, NULL,
2190 "ignore 2nd CERT payload.\n");
2191 return 0;
2192 }
2193
2194 if (type == ISAKMP_CERT_PKCS7) {
2195 u_char *bp;
2196 #if defined(OPENSSL_IS_BORINGSSL)
2197 size_t i;
2198 STACK_OF(X509) *certs = sk_X509_new_null();
2199 CBS cbs;
2200 #else
2201 int i;
2202 #endif
2203
2204 /* Skip the header */
2205 bp = (u_char *)(gen + 1);
2206 /* And the first byte is the certificate type,
2207 * we know that already
2208 */
2209 bp++;
2210 #if defined(OPENSSL_IS_BORINGSSL)
2211 CBS_init(&cbs, bp, ntohs(gen->len) - sizeof(*gen) - 1);
2212 if (!PKCS7_get_certificates(certs, &cbs)) {
2213 plog(LLV_ERROR, LOCATION, NULL,
2214 "Failed to parse PKCS#7 CERT.\n");
2215 sk_X509_pop_free(certs, X509_free);
2216 return -1;
2217 }
2218
2219 if (sk_X509_num(certs) == 0) {
2220 plog(LLV_ERROR, LOCATION, NULL,
2221 "CERT PKCS#7 bundle contains no certs.\n");
2222 sk_X509_pop_free(certs, X509_free);
2223 return -1;
2224 }
2225 #else
2226 p7 = d2i_PKCS7(NULL, (void *)&bp,
2227 ntohs(gen->len) - sizeof(*gen) - 1);
2228
2229 if (!p7) {
2230 plog(LLV_ERROR, LOCATION, NULL,
2231 "Failed to parse PKCS#7 CERT.\n");
2232 return -1;
2233 }
2234
2235 /* Copied this from the openssl pkcs7 application;
2236 * there"s little by way of documentation for any of
2237 * it. I can only presume it"s correct.
2238 */
2239
2240 i = OBJ_obj2nid(p7->type);
2241 switch (i) {
2242 case NID_pkcs7_signed:
2243 certs=p7->d.sign->cert;
2244 break;
2245 case NID_pkcs7_signedAndEnveloped:
2246 certs=p7->d.signed_and_enveloped->cert;
2247 break;
2248 default:
2249 break;
2250 }
2251
2252 if (!certs) {
2253 plog(LLV_ERROR, LOCATION, NULL,
2254 "CERT PKCS#7 bundle contains no certs.\n");
2255 PKCS7_free(p7);
2256 return -1;
2257 }
2258 #endif
2259
2260 for (i = 0; i < sk_X509_num(certs); i++) {
2261 int len;
2262 u_char *bp;
2263 X509 *cert = sk_X509_value(certs,i);
2264
2265 plog(LLV_DEBUG, LOCATION, NULL,
2266 "Trying PKCS#7 cert %d.\n", i);
2267
2268 /* We'll just try each cert in turn */
2269 *c = save_certx509(cert);
2270
2271 if (!*c) {
2272 plog(LLV_ERROR, LOCATION, NULL,
2273 "Failed to get CERT buffer.\n");
2274 continue;
2275 }
2276
2277 /* Ignore cert if it doesn't match identity
2278 * XXX If verify cert is disabled, we still just take
2279 * the first certificate....
2280 */
2281 if(iph1->rmconf->verify_cert &&
2282 oakley_check_certid(iph1)) {
2283 plog(LLV_DEBUG, LOCATION, NULL,
2284 "Discarding CERT: does not match ID.\n");
2285 oakley_delcert((*c));
2286 *c = NULL;
2287 continue;
2288 }
2289
2290 {
2291 char *p = eay_get_x509text(&(*c)->cert);
2292 plog(LLV_DEBUG, LOCATION, NULL, "CERT saved:\n");
2293 plogdump(LLV_DEBUG, (*c)->cert.v, (*c)->cert.l);
2294 plog(LLV_DEBUG, LOCATION, NULL, "%s",
2295 p ? p : "\n");
2296 racoon_free(p);
2297 }
2298 break;
2299 }
2300
2301 #if defined(OPENSSL_IS_BORINGSSL)
2302 sk_X509_pop_free(certs, X509_free);
2303 #else
2304 PKCS7_free(p7);
2305 #endif
2306
2307 } else {
2308 *c = save_certbuf(gen);
2309 if (!*c) {
2310 plog(LLV_ERROR, LOCATION, NULL,
2311 "Failed to get CERT buffer.\n");
2312 return -1;
2313 }
2314
2315 switch ((*c)->type) {
2316 case ISAKMP_CERT_DNS:
2317 plog(LLV_WARNING, LOCATION, NULL,
2318 "CERT payload is unnecessary in DNSSEC. "
2319 "ignore it.\n");
2320 return 0;
2321 case ISAKMP_CERT_PGP:
2322 case ISAKMP_CERT_X509SIGN:
2323 case ISAKMP_CERT_KERBEROS:
2324 case ISAKMP_CERT_SPKI:
2325 /* Ignore cert if it doesn't match identity
2326 * XXX If verify cert is disabled, we still just take
2327 * the first certificate....
2328 */
2329 if(iph1->rmconf->verify_cert &&
2330 oakley_check_certid(iph1)){
2331 plog(LLV_DEBUG, LOCATION, NULL,
2332 "Discarding CERT: does not match ID.\n");
2333 oakley_delcert((*c));
2334 *c = NULL;
2335 return 0;
2336 }
2337
2338 {
2339 char *p = eay_get_x509text(&(*c)->cert);
2340 plog(LLV_DEBUG, LOCATION, NULL, "CERT saved:\n");
2341 plogdump(LLV_DEBUG, (*c)->cert.v, (*c)->cert.l);
2342 plog(LLV_DEBUG, LOCATION, NULL, "%s", p ? p : "\n");
2343 racoon_free(p);
2344 }
2345 break;
2346 case ISAKMP_CERT_CRL:
2347 plog(LLV_DEBUG, LOCATION, NULL, "CRL saved:\n");
2348 plogdump(LLV_DEBUG, (*c)->cert.v, (*c)->cert.l);
2349 break;
2350 case ISAKMP_CERT_X509KE:
2351 case ISAKMP_CERT_X509ATTR:
2352 case ISAKMP_CERT_ARL:
2353 default:
2354 /* XXX */
2355 oakley_delcert((*c));
2356 *c = NULL;
2357 return 0;
2358 }
2359 }
2360
2361 return 0;
2362 }
2363
2364 /*
2365 * save certificate including certificate type.
2366 */
2367 int
oakley_savecr(iph1,gen)2368 oakley_savecr(iph1, gen)
2369 struct ph1handle *iph1;
2370 struct isakmp_gen *gen;
2371 {
2372 cert_t **c;
2373 u_int8_t type;
2374
2375 type = *(u_int8_t *)(gen + 1) & 0xff;
2376
2377 switch (type) {
2378 case ISAKMP_CERT_DNS:
2379 plog(LLV_WARNING, LOCATION, NULL,
2380 "CERT payload is unnecessary in DNSSEC\n");
2381 /*FALLTHRU*/
2382 case ISAKMP_CERT_PKCS7:
2383 case ISAKMP_CERT_PGP:
2384 case ISAKMP_CERT_X509SIGN:
2385 case ISAKMP_CERT_KERBEROS:
2386 case ISAKMP_CERT_SPKI:
2387 c = &iph1->cr_p;
2388 break;
2389 case ISAKMP_CERT_X509KE:
2390 case ISAKMP_CERT_X509ATTR:
2391 case ISAKMP_CERT_ARL:
2392 plog(LLV_ERROR, LOCATION, NULL,
2393 "No supported such CR type %d\n", type);
2394 return -1;
2395 case ISAKMP_CERT_CRL:
2396 default:
2397 plog(LLV_ERROR, LOCATION, NULL,
2398 "Invalid CR type %d\n", type);
2399 return -1;
2400 }
2401
2402 *c = save_certbuf(gen);
2403 if (!*c) {
2404 plog(LLV_ERROR, LOCATION, NULL,
2405 "Failed to get CR buffer.\n");
2406 return -1;
2407 }
2408
2409 plog(LLV_DEBUG, LOCATION, NULL, "CR saved:\n");
2410 plogdump(LLV_DEBUG, (*c)->cert.v, (*c)->cert.l);
2411
2412 return 0;
2413 }
2414
2415 static cert_t *
save_certbuf(gen)2416 save_certbuf(gen)
2417 struct isakmp_gen *gen;
2418 {
2419 cert_t *new;
2420
2421 if(ntohs(gen->len) <= sizeof(*gen)){
2422 plog(LLV_ERROR, LOCATION, NULL,
2423 "Len is too small !!.\n");
2424 return NULL;
2425 }
2426
2427 new = oakley_newcert();
2428 if (!new) {
2429 plog(LLV_ERROR, LOCATION, NULL,
2430 "Failed to get CERT buffer.\n");
2431 return NULL;
2432 }
2433
2434 new->pl = vmalloc(ntohs(gen->len) - sizeof(*gen));
2435 if (new->pl == NULL) {
2436 plog(LLV_ERROR, LOCATION, NULL,
2437 "Failed to copy CERT from packet.\n");
2438 oakley_delcert(new);
2439 new = NULL;
2440 return NULL;
2441 }
2442 memcpy(new->pl->v, gen + 1, new->pl->l);
2443 new->type = new->pl->v[0] & 0xff;
2444 new->cert.v = new->pl->v + 1;
2445 new->cert.l = new->pl->l - 1;
2446
2447 return new;
2448 }
2449
2450 static cert_t *
save_certx509(cert)2451 save_certx509(cert)
2452 X509 *cert;
2453 {
2454 cert_t *new;
2455 int len;
2456 u_char *bp;
2457
2458 new = oakley_newcert();
2459 if (!new) {
2460 plog(LLV_ERROR, LOCATION, NULL,
2461 "Failed to get CERT buffer.\n");
2462 return NULL;
2463 }
2464
2465 len = i2d_X509(cert, NULL);
2466 new->pl = vmalloc(len);
2467 if (new->pl == NULL) {
2468 plog(LLV_ERROR, LOCATION, NULL,
2469 "Failed to copy CERT from packet.\n");
2470 oakley_delcert(new);
2471 new = NULL;
2472 return NULL;
2473 }
2474 bp = (u_char *) new->pl->v;
2475 len = i2d_X509(cert, &bp);
2476 new->type = ISAKMP_CERT_X509SIGN;
2477 new->cert.v = new->pl->v;
2478 new->cert.l = new->pl->l;
2479
2480 return new;
2481 }
2482
2483 /*
2484 * get my CR.
2485 * NOTE: No Certificate Authority field is included to CR payload at the
2486 * moment. Becuase any certificate authority are accepted without any check.
2487 * The section 3.10 in RFC2408 says that this field SHOULD not be included,
2488 * if there is no specific certificate authority requested.
2489 */
2490 vchar_t *
oakley_getcr(iph1)2491 oakley_getcr(iph1)
2492 struct ph1handle *iph1;
2493 {
2494 vchar_t *buf;
2495
2496 buf = vmalloc(1);
2497 if (buf == NULL) {
2498 plog(LLV_ERROR, LOCATION, NULL,
2499 "failed to get cr buffer\n");
2500 return NULL;
2501 }
2502 if(iph1->rmconf->certtype == ISAKMP_CERT_NONE) {
2503 buf->v[0] = iph1->rmconf->cacerttype;
2504 plog(LLV_DEBUG, LOCATION, NULL, "create my CR: NONE, using %s instead\n",
2505 s_isakmp_certtype(iph1->rmconf->cacerttype));
2506 } else {
2507 buf->v[0] = iph1->rmconf->certtype;
2508 plog(LLV_DEBUG, LOCATION, NULL, "create my CR: %s\n",
2509 s_isakmp_certtype(iph1->rmconf->certtype));
2510 }
2511 if (buf->l > 1) {
2512 plogdump(LLV_DEBUG, buf->v, buf->l);
2513 }
2514
2515 return buf;
2516 }
2517
2518 /*
2519 * check peer's CR.
2520 */
2521 int
oakley_checkcr(iph1)2522 oakley_checkcr(iph1)
2523 struct ph1handle *iph1;
2524 {
2525 if (iph1->cr_p == NULL)
2526 return 0;
2527
2528 plog(LLV_DEBUG, LOCATION, iph1->remote,
2529 "peer transmitted CR: %s\n",
2530 s_isakmp_certtype(iph1->cr_p->type));
2531
2532 if (iph1->cr_p->type != iph1->rmconf->certtype) {
2533 plog(LLV_ERROR, LOCATION, iph1->remote,
2534 "such a cert type isn't supported: %d\n",
2535 (char)iph1->cr_p->type);
2536 return -1;
2537 }
2538
2539 return 0;
2540 }
2541
2542 /*
2543 * check to need CR payload.
2544 */
2545 int
oakley_needcr(type)2546 oakley_needcr(type)
2547 int type;
2548 {
2549 switch (type) {
2550 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
2551 case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
2552 #ifdef ENABLE_HYBRID
2553 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
2554 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
2555 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
2556 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
2557 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
2558 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
2559 #endif
2560 return 1;
2561 default:
2562 return 0;
2563 }
2564 /*NOTREACHED*/
2565 }
2566
2567 /*
2568 * compute SKEYID
2569 * see seciton 5. Exchanges in RFC 2409
2570 * psk: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
2571 * sig: SKEYID = prf(Ni_b | Nr_b, g^ir)
2572 * enc: SKEYID = prf(H(Ni_b | Nr_b), CKY-I | CKY-R)
2573 */
2574 int
oakley_skeyid(iph1)2575 oakley_skeyid(iph1)
2576 struct ph1handle *iph1;
2577 {
2578 vchar_t *buf = NULL, *bp;
2579 char *p;
2580 int len;
2581 int error = -1;
2582
2583 /* SKEYID */
2584 switch (AUTHMETHOD(iph1)) {
2585 case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
2586 #ifdef ENABLE_HYBRID
2587 case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
2588 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
2589 #endif
2590 if (iph1->etype != ISAKMP_ETYPE_IDENT) {
2591 iph1->authstr = getpskbyname(iph1->id_p);
2592 if (iph1->authstr == NULL) {
2593 if (iph1->rmconf->verify_identifier) {
2594 plog(LLV_ERROR, LOCATION, iph1->remote,
2595 "couldn't find the pskey.\n");
2596 goto end;
2597 }
2598 plog(LLV_NOTIFY, LOCATION, iph1->remote,
2599 "couldn't find the proper pskey, "
2600 "try to get one by the peer's address.\n");
2601 }
2602 }
2603 if (iph1->authstr == NULL) {
2604 /*
2605 * If the exchange type is the main mode or if it's
2606 * failed to get the psk by ID, racoon try to get
2607 * the psk by remote IP address.
2608 * It may be nonsense.
2609 */
2610 iph1->authstr = getpskbyaddr(iph1->remote);
2611 if (iph1->authstr == NULL) {
2612 plog(LLV_ERROR, LOCATION, iph1->remote,
2613 "couldn't find the pskey for %s.\n",
2614 saddrwop2str(iph1->remote));
2615 goto end;
2616 }
2617 }
2618 plog(LLV_DEBUG, LOCATION, NULL, "the psk found.\n");
2619 /* should be secret PSK */
2620 plog(LLV_DEBUG2, LOCATION, NULL, "psk: ");
2621 plogdump(LLV_DEBUG2, iph1->authstr->v, iph1->authstr->l);
2622
2623 len = iph1->nonce->l + iph1->nonce_p->l;
2624 buf = vmalloc(len);
2625 if (buf == NULL) {
2626 plog(LLV_ERROR, LOCATION, NULL,
2627 "failed to get skeyid buffer\n");
2628 goto end;
2629 }
2630 p = buf->v;
2631
2632 bp = (iph1->side == INITIATOR ? iph1->nonce : iph1->nonce_p);
2633 plog(LLV_DEBUG, LOCATION, NULL, "nonce 1: ");
2634 plogdump(LLV_DEBUG, bp->v, bp->l);
2635 memcpy(p, bp->v, bp->l);
2636 p += bp->l;
2637
2638 bp = (iph1->side == INITIATOR ? iph1->nonce_p : iph1->nonce);
2639 plog(LLV_DEBUG, LOCATION, NULL, "nonce 2: ");
2640 plogdump(LLV_DEBUG, bp->v, bp->l);
2641 memcpy(p, bp->v, bp->l);
2642 p += bp->l;
2643
2644 iph1->skeyid = oakley_prf(iph1->authstr, buf, iph1);
2645 if (iph1->skeyid == NULL)
2646 goto end;
2647 break;
2648
2649 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
2650 case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
2651 #ifdef ENABLE_HYBRID
2652 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
2653 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
2654 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
2655 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
2656 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
2657 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
2658 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
2659 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
2660 #endif
2661 #ifdef HAVE_GSSAPI
2662 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
2663 #endif
2664 len = iph1->nonce->l + iph1->nonce_p->l;
2665 buf = vmalloc(len);
2666 if (buf == NULL) {
2667 plog(LLV_ERROR, LOCATION, NULL,
2668 "failed to get nonce buffer\n");
2669 goto end;
2670 }
2671 p = buf->v;
2672
2673 bp = (iph1->side == INITIATOR ? iph1->nonce : iph1->nonce_p);
2674 plog(LLV_DEBUG, LOCATION, NULL, "nonce1: ");
2675 plogdump(LLV_DEBUG, bp->v, bp->l);
2676 memcpy(p, bp->v, bp->l);
2677 p += bp->l;
2678
2679 bp = (iph1->side == INITIATOR ? iph1->nonce_p : iph1->nonce);
2680 plog(LLV_DEBUG, LOCATION, NULL, "nonce2: ");
2681 plogdump(LLV_DEBUG, bp->v, bp->l);
2682 memcpy(p, bp->v, bp->l);
2683 p += bp->l;
2684
2685 iph1->skeyid = oakley_prf(buf, iph1->dhgxy, iph1);
2686 if (iph1->skeyid == NULL)
2687 goto end;
2688 break;
2689 case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
2690 case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
2691 #ifdef ENABLE_HYBRID
2692 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
2693 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
2694 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
2695 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
2696 #endif
2697 plog(LLV_WARNING, LOCATION, NULL,
2698 "not supported authentication method %s\n",
2699 s_oakley_attr_method(iph1->approval->authmethod));
2700 goto end;
2701 default:
2702 plog(LLV_ERROR, LOCATION, NULL,
2703 "invalid authentication method %d\n",
2704 iph1->approval->authmethod);
2705 goto end;
2706 }
2707
2708 plog(LLV_DEBUG, LOCATION, NULL, "SKEYID computed:\n");
2709 plogdump(LLV_DEBUG, iph1->skeyid->v, iph1->skeyid->l);
2710
2711 error = 0;
2712
2713 end:
2714 if (buf != NULL)
2715 vfree(buf);
2716 return error;
2717 }
2718
2719 /*
2720 * compute SKEYID_[dae]
2721 * see seciton 5. Exchanges in RFC 2409
2722 * SKEYID_d = prf(SKEYID, g^ir | CKY-I | CKY-R | 0)
2723 * SKEYID_a = prf(SKEYID, SKEYID_d | g^ir | CKY-I | CKY-R | 1)
2724 * SKEYID_e = prf(SKEYID, SKEYID_a | g^ir | CKY-I | CKY-R | 2)
2725 */
2726 int
oakley_skeyid_dae(iph1)2727 oakley_skeyid_dae(iph1)
2728 struct ph1handle *iph1;
2729 {
2730 vchar_t *buf = NULL;
2731 char *p;
2732 int len;
2733 int error = -1;
2734
2735 if (iph1->skeyid == NULL) {
2736 plog(LLV_ERROR, LOCATION, NULL, "no SKEYID found.\n");
2737 goto end;
2738 }
2739
2740 /* SKEYID D */
2741 /* SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0) */
2742 len = iph1->dhgxy->l + sizeof(cookie_t) * 2 + 1;
2743 buf = vmalloc(len);
2744 if (buf == NULL) {
2745 plog(LLV_ERROR, LOCATION, NULL,
2746 "failed to get skeyid buffer\n");
2747 goto end;
2748 }
2749 p = buf->v;
2750
2751 memcpy(p, iph1->dhgxy->v, iph1->dhgxy->l);
2752 p += iph1->dhgxy->l;
2753 memcpy(p, (caddr_t)&iph1->index.i_ck, sizeof(cookie_t));
2754 p += sizeof(cookie_t);
2755 memcpy(p, (caddr_t)&iph1->index.r_ck, sizeof(cookie_t));
2756 p += sizeof(cookie_t);
2757 *p = 0;
2758 iph1->skeyid_d = oakley_prf(iph1->skeyid, buf, iph1);
2759 if (iph1->skeyid_d == NULL)
2760 goto end;
2761
2762 vfree(buf);
2763 buf = NULL;
2764
2765 plog(LLV_DEBUG, LOCATION, NULL, "SKEYID_d computed:\n");
2766 plogdump(LLV_DEBUG, iph1->skeyid_d->v, iph1->skeyid_d->l);
2767
2768 /* SKEYID A */
2769 /* SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1) */
2770 len = iph1->skeyid_d->l + iph1->dhgxy->l + sizeof(cookie_t) * 2 + 1;
2771 buf = vmalloc(len);
2772 if (buf == NULL) {
2773 plog(LLV_ERROR, LOCATION, NULL,
2774 "failed to get skeyid buffer\n");
2775 goto end;
2776 }
2777 p = buf->v;
2778 memcpy(p, iph1->skeyid_d->v, iph1->skeyid_d->l);
2779 p += iph1->skeyid_d->l;
2780 memcpy(p, iph1->dhgxy->v, iph1->dhgxy->l);
2781 p += iph1->dhgxy->l;
2782 memcpy(p, (caddr_t)&iph1->index.i_ck, sizeof(cookie_t));
2783 p += sizeof(cookie_t);
2784 memcpy(p, (caddr_t)&iph1->index.r_ck, sizeof(cookie_t));
2785 p += sizeof(cookie_t);
2786 *p = 1;
2787 iph1->skeyid_a = oakley_prf(iph1->skeyid, buf, iph1);
2788 if (iph1->skeyid_a == NULL)
2789 goto end;
2790
2791 vfree(buf);
2792 buf = NULL;
2793
2794 plog(LLV_DEBUG, LOCATION, NULL, "SKEYID_a computed:\n");
2795 plogdump(LLV_DEBUG, iph1->skeyid_a->v, iph1->skeyid_a->l);
2796
2797 /* SKEYID E */
2798 /* SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2) */
2799 len = iph1->skeyid_a->l + iph1->dhgxy->l + sizeof(cookie_t) * 2 + 1;
2800 buf = vmalloc(len);
2801 if (buf == NULL) {
2802 plog(LLV_ERROR, LOCATION, NULL,
2803 "failed to get skeyid buffer\n");
2804 goto end;
2805 }
2806 p = buf->v;
2807 memcpy(p, iph1->skeyid_a->v, iph1->skeyid_a->l);
2808 p += iph1->skeyid_a->l;
2809 memcpy(p, iph1->dhgxy->v, iph1->dhgxy->l);
2810 p += iph1->dhgxy->l;
2811 memcpy(p, (caddr_t)&iph1->index.i_ck, sizeof(cookie_t));
2812 p += sizeof(cookie_t);
2813 memcpy(p, (caddr_t)&iph1->index.r_ck, sizeof(cookie_t));
2814 p += sizeof(cookie_t);
2815 *p = 2;
2816 iph1->skeyid_e = oakley_prf(iph1->skeyid, buf, iph1);
2817 if (iph1->skeyid_e == NULL)
2818 goto end;
2819
2820 vfree(buf);
2821 buf = NULL;
2822
2823 plog(LLV_DEBUG, LOCATION, NULL, "SKEYID_e computed:\n");
2824 plogdump(LLV_DEBUG, iph1->skeyid_e->v, iph1->skeyid_e->l);
2825
2826 error = 0;
2827
2828 end:
2829 if (buf != NULL)
2830 vfree(buf);
2831 return error;
2832 }
2833
2834 /*
2835 * compute final encryption key.
2836 * see Appendix B.
2837 */
2838 int
oakley_compute_enckey(iph1)2839 oakley_compute_enckey(iph1)
2840 struct ph1handle *iph1;
2841 {
2842 u_int keylen, prflen;
2843 int error = -1;
2844
2845 /* RFC2409 p39 */
2846 keylen = alg_oakley_encdef_keylen(iph1->approval->enctype,
2847 iph1->approval->encklen);
2848 if (keylen == -1) {
2849 plog(LLV_ERROR, LOCATION, NULL,
2850 "invalid encryption algoritym %d, "
2851 "or invalid key length %d.\n",
2852 iph1->approval->enctype,
2853 iph1->approval->encklen);
2854 goto end;
2855 }
2856 iph1->key = vmalloc(keylen >> 3);
2857 if (iph1->key == NULL) {
2858 plog(LLV_ERROR, LOCATION, NULL,
2859 "failed to get key buffer\n");
2860 goto end;
2861 }
2862
2863 /* set prf length */
2864 prflen = alg_oakley_hashdef_hashlen(iph1->approval->hashtype);
2865 if (prflen == -1) {
2866 plog(LLV_ERROR, LOCATION, NULL,
2867 "invalid hash type %d.\n", iph1->approval->hashtype);
2868 goto end;
2869 }
2870
2871 /* see isakmp-oakley-08 5.3. */
2872 if (iph1->key->l <= iph1->skeyid_e->l) {
2873 /*
2874 * if length(Ka) <= length(SKEYID_e)
2875 * Ka = first length(K) bit of SKEYID_e
2876 */
2877 memcpy(iph1->key->v, iph1->skeyid_e->v, iph1->key->l);
2878 } else {
2879 vchar_t *buf = NULL, *res = NULL;
2880 u_char *p, *ep;
2881 int cplen;
2882 int subkey;
2883
2884 /*
2885 * otherwise,
2886 * Ka = K1 | K2 | K3
2887 * where
2888 * K1 = prf(SKEYID_e, 0)
2889 * K2 = prf(SKEYID_e, K1)
2890 * K3 = prf(SKEYID_e, K2)
2891 */
2892 plog(LLV_DEBUG, LOCATION, NULL,
2893 "len(SKEYID_e) < len(Ka) (%zu < %zu), "
2894 "generating long key (Ka = K1 | K2 | ...)\n",
2895 iph1->skeyid_e->l, iph1->key->l);
2896
2897 if ((buf = vmalloc(prflen >> 3)) == 0) {
2898 plog(LLV_ERROR, LOCATION, NULL,
2899 "failed to get key buffer\n");
2900 goto end;
2901 }
2902 p = (u_char *)iph1->key->v;
2903 ep = p + iph1->key->l;
2904
2905 subkey = 1;
2906 while (p < ep) {
2907 if (p == (u_char *)iph1->key->v) {
2908 /* just for computing K1 */
2909 buf->v[0] = 0;
2910 buf->l = 1;
2911 }
2912 res = oakley_prf(iph1->skeyid_e, buf, iph1);
2913 if (res == NULL) {
2914 vfree(buf);
2915 goto end;
2916 }
2917 plog(LLV_DEBUG, LOCATION, NULL,
2918 "compute intermediate encryption key K%d\n",
2919 subkey);
2920 plogdump(LLV_DEBUG, buf->v, buf->l);
2921 plogdump(LLV_DEBUG, res->v, res->l);
2922
2923 cplen = (res->l < ep - p) ? res->l : ep - p;
2924 memcpy(p, res->v, cplen);
2925 p += cplen;
2926
2927 buf->l = prflen >> 3; /* to cancel K1 speciality */
2928 if (res->l != buf->l) {
2929 plog(LLV_ERROR, LOCATION, NULL,
2930 "internal error: res->l=%zu buf->l=%zu\n",
2931 res->l, buf->l);
2932 vfree(res);
2933 vfree(buf);
2934 goto end;
2935 }
2936 memcpy(buf->v, res->v, res->l);
2937 vfree(res);
2938 subkey++;
2939 }
2940
2941 vfree(buf);
2942 }
2943
2944 /*
2945 * don't check any weak key or not.
2946 * draft-ietf-ipsec-ike-01.txt Appendix B.
2947 * draft-ietf-ipsec-ciph-aes-cbc-00.txt Section 2.3.
2948 */
2949 #if 0
2950 /* weakkey check */
2951 if (iph1->approval->enctype > ARRAYLEN(oakley_encdef)
2952 || oakley_encdef[iph1->approval->enctype].weakkey == NULL) {
2953 plog(LLV_ERROR, LOCATION, NULL,
2954 "encryption algoritym %d isn't supported.\n",
2955 iph1->approval->enctype);
2956 goto end;
2957 }
2958 if ((oakley_encdef[iph1->approval->enctype].weakkey)(iph1->key)) {
2959 plog(LLV_ERROR, LOCATION, NULL,
2960 "weakkey was generated.\n");
2961 goto end;
2962 }
2963 #endif
2964
2965 plog(LLV_DEBUG, LOCATION, NULL, "final encryption key computed:\n");
2966 plogdump(LLV_DEBUG, iph1->key->v, iph1->key->l);
2967
2968 error = 0;
2969
2970 end:
2971 return error;
2972 }
2973
2974 /* allocated new buffer for CERT */
2975 cert_t *
oakley_newcert()2976 oakley_newcert()
2977 {
2978 cert_t *new;
2979
2980 new = racoon_calloc(1, sizeof(*new));
2981 if (new == NULL) {
2982 plog(LLV_ERROR, LOCATION, NULL,
2983 "failed to get cert's buffer\n");
2984 return NULL;
2985 }
2986
2987 new->pl = NULL;
2988
2989 return new;
2990 }
2991
2992 /* delete buffer for CERT */
2993 void
oakley_delcert(cert)2994 oakley_delcert(cert)
2995 cert_t *cert;
2996 {
2997 if (!cert)
2998 return;
2999 if (cert->pl)
3000 VPTRINIT(cert->pl);
3001 racoon_free(cert);
3002 }
3003
3004 /*
3005 * compute IV and set to ph1handle
3006 * IV = hash(g^xi | g^xr)
3007 * see 4.1 Phase 1 state in draft-ietf-ipsec-ike.
3008 */
3009 int
oakley_newiv(iph1)3010 oakley_newiv(iph1)
3011 struct ph1handle *iph1;
3012 {
3013 struct isakmp_ivm *newivm = NULL;
3014 vchar_t *buf = NULL, *bp;
3015 char *p;
3016 int len;
3017
3018 /* create buffer */
3019 len = iph1->dhpub->l + iph1->dhpub_p->l;
3020 buf = vmalloc(len);
3021 if (buf == NULL) {
3022 plog(LLV_ERROR, LOCATION, NULL,
3023 "failed to get iv buffer\n");
3024 return -1;
3025 }
3026
3027 p = buf->v;
3028
3029 bp = (iph1->side == INITIATOR ? iph1->dhpub : iph1->dhpub_p);
3030 memcpy(p, bp->v, bp->l);
3031 p += bp->l;
3032
3033 bp = (iph1->side == INITIATOR ? iph1->dhpub_p : iph1->dhpub);
3034 memcpy(p, bp->v, bp->l);
3035 p += bp->l;
3036
3037 /* allocate IVm */
3038 newivm = racoon_calloc(1, sizeof(struct isakmp_ivm));
3039 if (newivm == NULL) {
3040 plog(LLV_ERROR, LOCATION, NULL,
3041 "failed to get iv buffer\n");
3042 vfree(buf);
3043 return -1;
3044 }
3045
3046 /* compute IV */
3047 newivm->iv = oakley_hash(buf, iph1);
3048 if (newivm->iv == NULL) {
3049 vfree(buf);
3050 oakley_delivm(newivm);
3051 return -1;
3052 }
3053
3054 /* adjust length of iv */
3055 newivm->iv->l = alg_oakley_encdef_blocklen(iph1->approval->enctype);
3056 if (newivm->iv->l == -1) {
3057 plog(LLV_ERROR, LOCATION, NULL,
3058 "invalid encryption algoriym %d.\n",
3059 iph1->approval->enctype);
3060 vfree(buf);
3061 oakley_delivm(newivm);
3062 return -1;
3063 }
3064
3065 /* create buffer to save iv */
3066 if ((newivm->ive = vdup(newivm->iv)) == NULL) {
3067 plog(LLV_ERROR, LOCATION, NULL,
3068 "vdup (%s)\n", strerror(errno));
3069 vfree(buf);
3070 oakley_delivm(newivm);
3071 return -1;
3072 }
3073
3074 vfree(buf);
3075
3076 plog(LLV_DEBUG, LOCATION, NULL, "IV computed:\n");
3077 plogdump(LLV_DEBUG, newivm->iv->v, newivm->iv->l);
3078
3079 iph1->ivm = newivm;
3080
3081 return 0;
3082 }
3083
3084 /*
3085 * compute IV for the payload after phase 1.
3086 * It's not limited for phase 2.
3087 * if pahse 1 was encrypted.
3088 * IV = hash(last CBC block of Phase 1 | M-ID)
3089 * if phase 1 was not encrypted.
3090 * IV = hash(phase 1 IV | M-ID)
3091 * see 4.2 Phase 2 state in draft-ietf-ipsec-ike.
3092 */
3093 struct isakmp_ivm *
oakley_newiv2(iph1,msgid)3094 oakley_newiv2(iph1, msgid)
3095 struct ph1handle *iph1;
3096 u_int32_t msgid;
3097 {
3098 struct isakmp_ivm *newivm = NULL;
3099 vchar_t *buf = NULL;
3100 char *p;
3101 int len;
3102 int error = -1;
3103
3104 /* create buffer */
3105 len = iph1->ivm->iv->l + sizeof(msgid_t);
3106 buf = vmalloc(len);
3107 if (buf == NULL) {
3108 plog(LLV_ERROR, LOCATION, NULL,
3109 "failed to get iv buffer\n");
3110 goto end;
3111 }
3112
3113 p = buf->v;
3114
3115 memcpy(p, iph1->ivm->iv->v, iph1->ivm->iv->l);
3116 p += iph1->ivm->iv->l;
3117
3118 memcpy(p, &msgid, sizeof(msgid));
3119
3120 plog(LLV_DEBUG, LOCATION, NULL, "compute IV for phase2\n");
3121 plog(LLV_DEBUG, LOCATION, NULL, "phase1 last IV:\n");
3122 plogdump(LLV_DEBUG, buf->v, buf->l);
3123
3124 /* allocate IVm */
3125 newivm = racoon_calloc(1, sizeof(struct isakmp_ivm));
3126 if (newivm == NULL) {
3127 plog(LLV_ERROR, LOCATION, NULL,
3128 "failed to get iv buffer\n");
3129 goto end;
3130 }
3131
3132 /* compute IV */
3133 if ((newivm->iv = oakley_hash(buf, iph1)) == NULL)
3134 goto end;
3135
3136 /* adjust length of iv */
3137 newivm->iv->l = alg_oakley_encdef_blocklen(iph1->approval->enctype);
3138 if (newivm->iv->l == -1) {
3139 plog(LLV_ERROR, LOCATION, NULL,
3140 "invalid encryption algoriym %d.\n",
3141 iph1->approval->enctype);
3142 goto end;
3143 }
3144
3145 /* create buffer to save new iv */
3146 if ((newivm->ive = vdup(newivm->iv)) == NULL) {
3147 plog(LLV_ERROR, LOCATION, NULL, "vdup (%s)\n", strerror(errno));
3148 goto end;
3149 }
3150
3151 error = 0;
3152
3153 plog(LLV_DEBUG, LOCATION, NULL, "phase2 IV computed:\n");
3154 plogdump(LLV_DEBUG, newivm->iv->v, newivm->iv->l);
3155
3156 end:
3157 if (error && newivm != NULL){
3158 oakley_delivm(newivm);
3159 newivm=NULL;
3160 }
3161 if (buf != NULL)
3162 vfree(buf);
3163 return newivm;
3164 }
3165
3166 void
oakley_delivm(ivm)3167 oakley_delivm(ivm)
3168 struct isakmp_ivm *ivm;
3169 {
3170 if (ivm == NULL)
3171 return;
3172
3173 if (ivm->iv != NULL)
3174 vfree(ivm->iv);
3175 if (ivm->ive != NULL)
3176 vfree(ivm->ive);
3177 racoon_free(ivm);
3178 plog(LLV_DEBUG, LOCATION, NULL, "IV freed\n");
3179
3180 return;
3181 }
3182
3183 /*
3184 * decrypt packet.
3185 * save new iv and old iv.
3186 */
3187 vchar_t *
oakley_do_decrypt(iph1,msg,ivdp,ivep)3188 oakley_do_decrypt(iph1, msg, ivdp, ivep)
3189 struct ph1handle *iph1;
3190 vchar_t *msg, *ivdp, *ivep;
3191 {
3192 vchar_t *buf = NULL, *new = NULL;
3193 char *pl;
3194 int len;
3195 u_int8_t padlen;
3196 int blen;
3197 int error = -1;
3198
3199 plog(LLV_DEBUG, LOCATION, NULL, "begin decryption.\n");
3200
3201 blen = alg_oakley_encdef_blocklen(iph1->approval->enctype);
3202 if (blen == -1) {
3203 plog(LLV_ERROR, LOCATION, NULL,
3204 "invalid encryption algoriym %d.\n",
3205 iph1->approval->enctype);
3206 goto end;
3207 }
3208
3209 /* save IV for next, but not sync. */
3210 memset(ivep->v, 0, ivep->l);
3211 memcpy(ivep->v, (caddr_t)&msg->v[msg->l - blen], blen);
3212
3213 plog(LLV_DEBUG, LOCATION, NULL,
3214 "IV was saved for next processing:\n");
3215 plogdump(LLV_DEBUG, ivep->v, ivep->l);
3216
3217 pl = msg->v + sizeof(struct isakmp);
3218
3219 len = msg->l - sizeof(struct isakmp);
3220
3221 /* create buffer */
3222 buf = vmalloc(len);
3223 if (buf == NULL) {
3224 plog(LLV_ERROR, LOCATION, NULL,
3225 "failed to get buffer to decrypt.\n");
3226 goto end;
3227 }
3228 memcpy(buf->v, pl, len);
3229
3230 /* do decrypt */
3231 new = alg_oakley_encdef_decrypt(iph1->approval->enctype,
3232 buf, iph1->key, ivdp);
3233 if (new == NULL || new->v == NULL || new->l == 0) {
3234 plog(LLV_ERROR, LOCATION, NULL,
3235 "decryption %d failed.\n", iph1->approval->enctype);
3236 goto end;
3237 }
3238 plog(LLV_DEBUG, LOCATION, NULL, "with key:\n");
3239 plogdump(LLV_DEBUG, iph1->key->v, iph1->key->l);
3240
3241 vfree(buf);
3242 buf = NULL;
3243
3244 plog(LLV_DEBUG, LOCATION, NULL, "decrypted payload by IV:\n");
3245 plogdump(LLV_DEBUG, ivdp->v, ivdp->l);
3246
3247 plog(LLV_DEBUG, LOCATION, NULL,
3248 "decrypted payload, but not trimed.\n");
3249 plogdump(LLV_DEBUG, new->v, new->l);
3250
3251 /* get padding length */
3252 if (lcconf->pad_excltail)
3253 padlen = new->v[new->l - 1] + 1;
3254 else
3255 padlen = new->v[new->l - 1];
3256 plog(LLV_DEBUG, LOCATION, NULL, "padding len=%u\n", padlen);
3257
3258 /* trim padding */
3259 if (lcconf->pad_strict) {
3260 if (padlen > new->l) {
3261 plog(LLV_ERROR, LOCATION, NULL,
3262 "invalied padding len=%u, buflen=%zu.\n",
3263 padlen, new->l);
3264 plogdump(LLV_ERROR, new->v, new->l);
3265 goto end;
3266 }
3267 new->l -= padlen;
3268 plog(LLV_DEBUG, LOCATION, NULL, "trimmed padding\n");
3269 } else {
3270 plog(LLV_DEBUG, LOCATION, NULL, "skip to trim padding.\n");
3271 }
3272
3273 /* create new buffer */
3274 len = sizeof(struct isakmp) + new->l;
3275 buf = vmalloc(len);
3276 if (buf == NULL) {
3277 plog(LLV_ERROR, LOCATION, NULL,
3278 "failed to get buffer to decrypt.\n");
3279 goto end;
3280 }
3281 memcpy(buf->v, msg->v, sizeof(struct isakmp));
3282 memcpy(buf->v + sizeof(struct isakmp), new->v, new->l);
3283 ((struct isakmp *)buf->v)->len = htonl(buf->l);
3284
3285 plog(LLV_DEBUG, LOCATION, NULL, "decrypted.\n");
3286 plogdump(LLV_DEBUG, buf->v, buf->l);
3287
3288 #ifdef HAVE_PRINT_ISAKMP_C
3289 isakmp_printpacket(buf, iph1->remote, iph1->local, 1);
3290 #endif
3291
3292 error = 0;
3293
3294 end:
3295 if (error && buf != NULL) {
3296 vfree(buf);
3297 buf = NULL;
3298 }
3299 if (new != NULL)
3300 vfree(new);
3301
3302 return buf;
3303 }
3304
3305 /*
3306 * encrypt packet.
3307 */
3308 vchar_t *
oakley_do_encrypt(iph1,msg,ivep,ivp)3309 oakley_do_encrypt(iph1, msg, ivep, ivp)
3310 struct ph1handle *iph1;
3311 vchar_t *msg, *ivep, *ivp;
3312 {
3313 vchar_t *buf = 0, *new = 0;
3314 char *pl;
3315 int len;
3316 u_int padlen;
3317 int blen;
3318 int error = -1;
3319
3320 plog(LLV_DEBUG, LOCATION, NULL, "begin encryption.\n");
3321
3322 /* set cbc block length */
3323 blen = alg_oakley_encdef_blocklen(iph1->approval->enctype);
3324 if (blen == -1) {
3325 plog(LLV_ERROR, LOCATION, NULL,
3326 "invalid encryption algoriym %d.\n",
3327 iph1->approval->enctype);
3328 goto end;
3329 }
3330
3331 pl = msg->v + sizeof(struct isakmp);
3332 len = msg->l - sizeof(struct isakmp);
3333
3334 /* add padding */
3335 padlen = oakley_padlen(len, blen);
3336 plog(LLV_DEBUG, LOCATION, NULL, "pad length = %u\n", padlen);
3337
3338 /* create buffer */
3339 buf = vmalloc(len + padlen);
3340 if (buf == NULL) {
3341 plog(LLV_ERROR, LOCATION, NULL,
3342 "failed to get buffer to encrypt.\n");
3343 goto end;
3344 }
3345 if (padlen) {
3346 int i;
3347 char *p = &buf->v[len];
3348 if (lcconf->pad_random) {
3349 for (i = 0; i < padlen; i++)
3350 *p++ = eay_random() & 0xff;
3351 }
3352 }
3353 memcpy(buf->v, pl, len);
3354
3355 /* make pad into tail */
3356 if (lcconf->pad_excltail)
3357 buf->v[len + padlen - 1] = padlen - 1;
3358 else
3359 buf->v[len + padlen - 1] = padlen;
3360
3361 plogdump(LLV_DEBUG, buf->v, buf->l);
3362
3363 /* do encrypt */
3364 new = alg_oakley_encdef_encrypt(iph1->approval->enctype,
3365 buf, iph1->key, ivep);
3366 if (new == NULL) {
3367 plog(LLV_ERROR, LOCATION, NULL,
3368 "encryption %d failed.\n", iph1->approval->enctype);
3369 goto end;
3370 }
3371 plog(LLV_DEBUG, LOCATION, NULL, "with key:\n");
3372 plogdump(LLV_DEBUG, iph1->key->v, iph1->key->l);
3373
3374 vfree(buf);
3375 buf = NULL;
3376
3377 plog(LLV_DEBUG, LOCATION, NULL, "encrypted payload by IV:\n");
3378 plogdump(LLV_DEBUG, ivep->v, ivep->l);
3379
3380 /* save IV for next */
3381 memset(ivp->v, 0, ivp->l);
3382 memcpy(ivp->v, (caddr_t)&new->v[new->l - blen], blen);
3383
3384 plog(LLV_DEBUG, LOCATION, NULL, "save IV for next:\n");
3385 plogdump(LLV_DEBUG, ivp->v, ivp->l);
3386
3387 /* create new buffer */
3388 len = sizeof(struct isakmp) + new->l;
3389 buf = vmalloc(len);
3390 if (buf == NULL) {
3391 plog(LLV_ERROR, LOCATION, NULL,
3392 "failed to get buffer to encrypt.\n");
3393 goto end;
3394 }
3395 memcpy(buf->v, msg->v, sizeof(struct isakmp));
3396 memcpy(buf->v + sizeof(struct isakmp), new->v, new->l);
3397 ((struct isakmp *)buf->v)->len = htonl(buf->l);
3398
3399 error = 0;
3400
3401 plog(LLV_DEBUG, LOCATION, NULL, "encrypted.\n");
3402
3403 end:
3404 if (error && buf != NULL) {
3405 vfree(buf);
3406 buf = NULL;
3407 }
3408 if (new != NULL)
3409 vfree(new);
3410
3411 return buf;
3412 }
3413
3414 /* culculate padding length */
3415 static int
oakley_padlen(len,base)3416 oakley_padlen(len, base)
3417 int len, base;
3418 {
3419 int padlen;
3420
3421 padlen = base - len % base;
3422
3423 if (lcconf->pad_randomlen)
3424 padlen += ((eay_random() % (lcconf->pad_maxsize + 1) + 1) *
3425 base);
3426
3427 return padlen;
3428 }
3429
3430