GCC Code Coverage Report
Directory: ./ Exec Total Coverage
File: sbin/isakmpd/ike_quick_mode.c Lines: 0 896 0.0 %
Date: 2016-12-06 Branches: 0 421 0.0 %

Line Branch Exec Source
1
/* $OpenBSD: ike_quick_mode.c,v 1.110 2015/12/10 17:27:00 mmcc Exp $	 */
2
/* $EOM: ike_quick_mode.c,v 1.139 2001/01/26 10:43:17 niklas Exp $	 */
3
4
/*
5
 * Copyright (c) 1998, 1999, 2000, 2001 Niklas Hallqvist.  All rights reserved.
6
 * Copyright (c) 1999, 2000, 2001 Angelos D. Keromytis.  All rights reserved.
7
 * Copyright (c) 2000, 2001, 2004 Håkan Olsson.  All rights reserved.
8
 *
9
 * Redistribution and use in source and binary forms, with or without
10
 * modification, are permitted provided that the following conditions
11
 * are met:
12
 * 1. Redistributions of source code must retain the above copyright
13
 *    notice, this list of conditions and the following disclaimer.
14
 * 2. Redistributions in binary form must reproduce the above copyright
15
 *    notice, this list of conditions and the following disclaimer in the
16
 *    documentation and/or other materials provided with the distribution.
17
 *
18
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
19
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
20
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
21
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
22
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
23
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
24
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
25
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
27
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28
 */
29
30
/*
31
 * This code was written under funding by Ericsson Radio Systems.
32
 */
33
34
#include <stdlib.h>
35
#include <string.h>
36
37
#include <sys/types.h>
38
#include <regex.h>
39
#include <keynote.h>
40
41
#include "attribute.h"
42
#include "conf.h"
43
#include "connection.h"
44
#include "dh.h"
45
#include "doi.h"
46
#include "exchange.h"
47
#include "hash.h"
48
#include "ike_quick_mode.h"
49
#include "ipsec.h"
50
#include "log.h"
51
#include "message.h"
52
#include "policy.h"
53
#include "prf.h"
54
#include "sa.h"
55
#include "transport.h"
56
#include "util.h"
57
#include "key.h"
58
#include "x509.h"
59
60
static void     gen_g_xy(struct message *);
61
static int      initiator_send_HASH_SA_NONCE(struct message *);
62
static int      initiator_recv_HASH_SA_NONCE(struct message *);
63
static int      initiator_send_HASH(struct message *);
64
static void     post_quick_mode(struct message *);
65
static int      responder_recv_HASH_SA_NONCE(struct message *);
66
static int      responder_send_HASH_SA_NONCE(struct message *);
67
static int      responder_recv_HASH(struct message *);
68
69
static int      check_policy(struct exchange *, struct sa *, struct sa *);
70
71
int	(*ike_quick_mode_initiator[])(struct message *) = {
72
	initiator_send_HASH_SA_NONCE,
73
	initiator_recv_HASH_SA_NONCE,
74
	initiator_send_HASH
75
};
76
77
int	(*ike_quick_mode_responder[])(struct message *) = {
78
	responder_recv_HASH_SA_NONCE,
79
	responder_send_HASH_SA_NONCE,
80
	responder_recv_HASH
81
};
82
83
/* How many return values will policy handle -- true/false for now */
84
#define RETVALUES_NUM 2
85
86
/*
87
 * Given an exchange and our policy, check whether the SA and IDs are
88
 * acceptable.
89
 */
90
static int
91
check_policy(struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa)
92
{
93
	char           *return_values[RETVALUES_NUM];
94
	char          **principal = 0;
95
	int             i, len, result = 0, nprinc = 0;
96
	int            *x509_ids = 0, *keynote_ids = 0;
97
	unsigned char   hashbuf[20];	/* Set to the largest digest result */
98
	struct keynote_deckey dc;
99
	X509_NAME      *subject;
100
101
	/* Do we want to use keynote policies? */
102
	if (ignore_policy ||
103
	    strncmp("yes", conf_get_str("General", "Use-Keynote"), 3))
104
		return 1;
105
106
	/* Initialize if necessary -- e.g., if pre-shared key auth was used */
107
	if (isakmp_sa->policy_id < 0) {
108
		if ((isakmp_sa->policy_id = kn_init()) == -1) {
109
			log_print("check_policy: "
110
			    "failed to initialize policy session");
111
			return 0;
112
		}
113
	}
114
	/* Add the callback that will handle attributes.  */
115
	if (kn_add_action(isakmp_sa->policy_id, ".*", (char *)policy_callback,
116
	    ENVIRONMENT_FLAG_FUNC | ENVIRONMENT_FLAG_REGEX) == -1) {
117
		log_print("check_policy: "
118
		    "kn_add_action (%d, \".*\", %p, FUNC | REGEX) failed",
119
		    isakmp_sa->policy_id, policy_callback);
120
		kn_close(isakmp_sa->policy_id);
121
		isakmp_sa->policy_id = -1;
122
		return 0;
123
	}
124
	if (policy_asserts_num) {
125
		keynote_ids = calloc(policy_asserts_num, sizeof *keynote_ids);
126
		if (!keynote_ids) {
127
			log_error("check_policy: calloc (%d, %lu) failed",
128
			    policy_asserts_num,
129
			    (unsigned long)sizeof *keynote_ids);
130
			kn_close(isakmp_sa->policy_id);
131
			isakmp_sa->policy_id = -1;
132
			return 0;
133
		}
134
	}
135
	/* Add the policy assertions */
136
	for (i = 0; i < policy_asserts_num; i++)
137
		keynote_ids[i] = kn_add_assertion(isakmp_sa->policy_id,
138
		    policy_asserts[i],
139
		    strlen(policy_asserts[i]), ASSERT_FLAG_LOCAL);
140
141
	/* Initialize -- we'll let the callback do all the work.  */
142
	policy_exchange = exchange;
143
	policy_sa = sa;
144
	policy_isakmp_sa = isakmp_sa;
145
146
	/* Set the return values; true/false for now at least.  */
147
	return_values[0] = "false";	/* Order of values in array is
148
					 * important.  */
149
	return_values[1] = "true";
150
151
	/* Create a principal (authorizer) for the SA/ID request.  */
152
	switch (isakmp_sa->recv_certtype) {
153
	case ISAKMP_CERTENC_NONE:
154
		/*
155
		 * For shared keys, just duplicate the passphrase with the
156
		 * appropriate prefix tag.
157
		 */
158
		nprinc = 3;
159
		principal = calloc(nprinc, sizeof *principal);
160
		if (!principal) {
161
			log_error("check_policy: calloc (%d, %lu) failed",
162
			    nprinc, (unsigned long)sizeof *principal);
163
			goto policydone;
164
		}
165
		len = strlen(isakmp_sa->recv_key) + sizeof "passphrase:";
166
		principal[0] = calloc(len, sizeof(char));
167
		if (!principal[0]) {
168
			log_error("check_policy: calloc (%d, %lu) failed", len,
169
			    (unsigned long)sizeof(char));
170
			goto policydone;
171
		}
172
		/*
173
		 * XXX Consider changing the magic hash lengths with
174
		 * constants.
175
		 */
176
		strlcpy(principal[0], "passphrase:", len);
177
		memcpy(principal[0] + sizeof "passphrase:" - 1,
178
		    isakmp_sa->recv_key, strlen(isakmp_sa->recv_key));
179
180
		len = sizeof "passphrase-md5-hex:" + 2 * 16;
181
		principal[1] = calloc(len, sizeof(char));
182
		if (!principal[1]) {
183
			log_error("check_policy: calloc (%d, %lu) failed", len,
184
			    (unsigned long)sizeof(char));
185
			goto policydone;
186
		}
187
		strlcpy(principal[1], "passphrase-md5-hex:", len);
188
		MD5(isakmp_sa->recv_key, strlen(isakmp_sa->recv_key), hashbuf);
189
		for (i = 0; i < 16; i++)
190
			snprintf(principal[1] + 2 * i +
191
			    sizeof "passphrase-md5-hex:" - 1, 3, "%02x",
192
			    hashbuf[i]);
193
194
		len = sizeof "passphrase-sha1-hex:" + 2 * 20;
195
		principal[2] = calloc(len, sizeof(char));
196
		if (!principal[2]) {
197
			log_error("check_policy: calloc (%d, %lu) failed", len,
198
			    (unsigned long)sizeof(char));
199
			goto policydone;
200
		}
201
		strlcpy(principal[2], "passphrase-sha1-hex:", len);
202
		SHA1(isakmp_sa->recv_key, strlen(isakmp_sa->recv_key),
203
		    hashbuf);
204
		for (i = 0; i < 20; i++)
205
			snprintf(principal[2] + 2 * i +
206
			    sizeof "passphrase-sha1-hex:" - 1, 3, "%02x",
207
			    hashbuf[i]);
208
		break;
209
210
	case ISAKMP_CERTENC_KEYNOTE:
211
		nprinc = 1;
212
213
		principal = calloc(nprinc, sizeof *principal);
214
		if (!principal) {
215
			log_error("check_policy: calloc (%d, %lu) failed",
216
			    nprinc, (unsigned long)sizeof *principal);
217
			goto policydone;
218
		}
219
		/* Dup the keys */
220
		principal[0] = strdup(isakmp_sa->keynote_key);
221
		if (!principal[0]) {
222
			log_error("check_policy: calloc (%lu, %lu) failed",
223
			    (unsigned long)strlen(isakmp_sa->keynote_key),
224
			    (unsigned long)sizeof(char));
225
			goto policydone;
226
		}
227
		break;
228
229
	case ISAKMP_CERTENC_X509_SIG:
230
		principal = calloc(2, sizeof *principal);
231
		if (!principal) {
232
			log_error("check_policy: calloc (2, %lu) failed",
233
			    (unsigned long)sizeof *principal);
234
			goto policydone;
235
		}
236
		if (isakmp_sa->recv_keytype == ISAKMP_KEY_RSA)
237
			dc.dec_algorithm = KEYNOTE_ALGORITHM_RSA;
238
		else {
239
			log_error("check_policy: "
240
			    "unknown/unsupported public key algorithm %d",
241
			    isakmp_sa->recv_keytype);
242
			goto policydone;
243
		}
244
245
		dc.dec_key = isakmp_sa->recv_key;
246
		principal[0] = kn_encode_key(&dc, INTERNAL_ENC_PKCS1,
247
		    ENCODING_HEX, KEYNOTE_PUBLIC_KEY);
248
		if (keynote_errno == ERROR_MEMORY) {
249
			log_print("check_policy: "
250
			    "failed to get memory for public key");
251
			goto policydone;
252
		}
253
		if (!principal[0]) {
254
			log_print("check_policy: "
255
			    "failed to allocate memory for principal");
256
			goto policydone;
257
		}
258
		if (asprintf(&principal[1], "rsa-hex:%s", principal[0]) == -1) {
259
			log_error("check_policy: asprintf() failed");
260
			goto policydone;
261
		}
262
		free(principal[0]);
263
		principal[0] = principal[1];
264
		principal[1] = 0;
265
266
		/* Generate a "DN:" principal.  */
267
		subject = X509_get_subject_name(isakmp_sa->recv_cert);
268
		if (subject) {
269
			principal[1] = calloc(259, sizeof(char));
270
			if (!principal[1]) {
271
				log_error("check_policy: "
272
				    "calloc (259, %lu) failed",
273
				    (unsigned long)sizeof(char));
274
				goto policydone;
275
			}
276
			strlcpy(principal[1], "DN:", 259);
277
			X509_NAME_oneline(subject, principal[1] + 3, 256);
278
			nprinc = 2;
279
		} else {
280
			nprinc = 1;
281
		}
282
		break;
283
284
		/* XXX Eventually handle these.  */
285
	case ISAKMP_CERTENC_PKCS:
286
	case ISAKMP_CERTENC_PGP:
287
	case ISAKMP_CERTENC_DNS:
288
	case ISAKMP_CERTENC_X509_KE:
289
	case ISAKMP_CERTENC_KERBEROS:
290
	case ISAKMP_CERTENC_CRL:
291
	case ISAKMP_CERTENC_ARL:
292
	case ISAKMP_CERTENC_SPKI:
293
	case ISAKMP_CERTENC_X509_ATTR:
294
	default:
295
		log_print("check_policy: "
296
		    "unknown/unsupported certificate/authentication method %d",
297
		    isakmp_sa->recv_certtype);
298
		goto policydone;
299
	}
300
301
	/*
302
	 * Add the authorizer (who is requesting the SA/ID);
303
	 * this may be a public or a secret key, depending on
304
	 * what mode of authentication we used in Phase 1.
305
         */
306
	for (i = 0; i < nprinc; i++) {
307
		LOG_DBG((LOG_POLICY, 40, "check_policy: "
308
		    "adding authorizer [%s]", principal[i]));
309
310
		if (kn_add_authorizer(isakmp_sa->policy_id, principal[i])
311
		    == -1) {
312
			int	j;
313
314
			for (j = 0; j < i; j++)
315
				kn_remove_authorizer(isakmp_sa->policy_id,
316
				    principal[j]);
317
			log_print("check_policy: kn_add_authorizer failed");
318
			goto policydone;
319
		}
320
	}
321
322
	/* Ask policy */
323
	result = kn_do_query(isakmp_sa->policy_id, return_values,
324
	    RETVALUES_NUM);
325
	LOG_DBG((LOG_POLICY, 40, "check_policy: kn_do_query returned %d",
326
	    result));
327
328
	/* Cleanup environment */
329
	kn_cleanup_action_environment(isakmp_sa->policy_id);
330
331
	/* Remove authorizers from the session */
332
	for (i = 0; i < nprinc; i++) {
333
		kn_remove_authorizer(isakmp_sa->policy_id, principal[i]);
334
		free(principal[i]);
335
	}
336
337
	free(principal);
338
	principal = 0;
339
	nprinc = 0;
340
341
	/* Check what policy said.  */
342
	if (result < 0) {
343
		LOG_DBG((LOG_POLICY, 40, "check_policy: proposal refused"));
344
		result = 0;
345
		goto policydone;
346
	}
347
policydone:
348
	for (i = 0; i < nprinc; i++)
349
		if (principal && principal[i])
350
			free(principal[i]);
351
352
	free(principal);
353
354
	/* Remove the policies */
355
	for (i = 0; i < policy_asserts_num; i++) {
356
		if (keynote_ids[i] != -1)
357
			kn_remove_assertion(isakmp_sa->policy_id,
358
			    keynote_ids[i]);
359
	}
360
361
	free(keynote_ids);
362
363
	free(x509_ids);
364
365
	/*
366
	 * XXX Currently, check_policy() is only called from
367
	 * message_negotiate_sa(), and so this log message reflects this.
368
	 * Change to something better?
369
         */
370
	if (result == 0)
371
		log_print("check_policy: negotiated SA failed policy check");
372
373
	/*
374
	 * Given that we have only 2 return values from policy (true/false)
375
	 * we can just return the query result directly (no pre-processing
376
	 * needed).
377
         */
378
	return result;
379
}
380
381
/*
382
 * Offer several sets of transforms to the responder.
383
 * XXX Split this huge function up and look for common code with main mode.
384
 */
385
static int
386
initiator_send_HASH_SA_NONCE(struct message *msg)
387
{
388
	struct exchange *exchange = msg->exchange;
389
	struct doi     *doi = exchange->doi;
390
	struct ipsec_exch *ie = exchange->data;
391
	u_int8_t     ***transform = 0, ***new_transform;
392
	u_int8_t      **proposal = 0, **new_proposal;
393
	u_int8_t       *sa_buf = 0, *attr, *saved_nextp_sa, *saved_nextp_prop,
394
	               *id, *spi;
395
	size_t          spi_sz, sz;
396
	size_t          proposal_len = 0, proposals_len = 0, sa_len;
397
	size_t        **transform_len = 0, **new_transform_len;
398
	size_t         *transforms_len = 0, *new_transforms_len;
399
	u_int32_t      *transform_cnt = 0, *new_transform_cnt;
400
	u_int32_t       suite_no, prop_no, prot_no, xf_no, prop_cnt = 0;
401
	u_int32_t       i;
402
	int             value, update_nextp, protocol_num, proto_id;
403
	struct proto   *proto;
404
	struct conf_list *suite_conf, *prot_conf = 0, *xf_conf = 0, *life_conf;
405
	struct conf_list_node *suite, *prot, *xf, *life;
406
	struct constant_map *id_map;
407
	char           *protocol_id, *transform_id;
408
	char           *local_id, *remote_id;
409
	int             group_desc = -1, new_group_desc;
410
	struct ipsec_sa *isa = msg->isakmp_sa->data;
411
	struct hash    *hash = hash_get(isa->hash);
412
	struct sockaddr *src;
413
	struct proto_attr *pa;
414
415
	if (!ipsec_add_hash_payload(msg, hash->hashsize))
416
		return -1;
417
418
	/* Get the list of protocol suites.  */
419
	suite_conf = conf_get_list(exchange->policy, "Suites");
420
	if (!suite_conf)
421
		return -1;
422
423
	for (suite = TAILQ_FIRST(&suite_conf->fields), suite_no = prop_no = 0;
424
	    suite_no < suite_conf->cnt;
425
	    suite_no++, suite = TAILQ_NEXT(suite, link)) {
426
		/* Now get each protocol in this specific protocol suite.  */
427
		prot_conf = conf_get_list(suite->field, "Protocols");
428
		if (!prot_conf)
429
			goto bail_out;
430
431
		for (prot = TAILQ_FIRST(&prot_conf->fields), prot_no = 0;
432
		    prot_no < prot_conf->cnt;
433
		    prot_no++, prot = TAILQ_NEXT(prot, link)) {
434
			/* Make sure we have a proposal/transform vectors.  */
435
			if (prop_no >= prop_cnt) {
436
				/*
437
				 * This resize algorithm is completely
438
				 * arbitrary.
439
				 */
440
				prop_cnt = 2 * prop_cnt + 10;
441
				new_proposal = reallocarray(proposal,
442
				    prop_cnt, sizeof *proposal);
443
				if (!new_proposal) {
444
					log_error(
445
					    "initiator_send_HASH_SA_NONCE: "
446
					    "realloc (%p, %lu) failed",
447
					    proposal,
448
					    prop_cnt * (unsigned long)sizeof *proposal);
449
					goto bail_out;
450
				}
451
				proposal = new_proposal;
452
453
				new_transforms_len = reallocarray(transforms_len,
454
				    prop_cnt, sizeof *transforms_len);
455
				if (!new_transforms_len) {
456
					log_error(
457
					    "initiator_send_HASH_SA_NONCE: "
458
					    "realloc (%p, %lu) failed",
459
					    transforms_len,
460
					    prop_cnt * (unsigned long)sizeof *transforms_len);
461
					goto bail_out;
462
				}
463
				transforms_len = new_transforms_len;
464
465
				new_transform = reallocarray(transform,
466
				    prop_cnt, sizeof *transform);
467
				if (!new_transform) {
468
					log_error(
469
					    "initiator_send_HASH_SA_NONCE: "
470
					    "realloc (%p, %lu) failed",
471
					    transform,
472
					    prop_cnt * (unsigned long)sizeof *transform);
473
					goto bail_out;
474
				}
475
				transform = new_transform;
476
477
				new_transform_cnt = reallocarray(transform_cnt,
478
				    prop_cnt, sizeof *transform_cnt);
479
				if (!new_transform_cnt) {
480
					log_error(
481
					    "initiator_send_HASH_SA_NONCE: "
482
					    "realloc (%p, %lu) failed",
483
					    transform_cnt,
484
					    prop_cnt * (unsigned long)sizeof *transform_cnt);
485
					goto bail_out;
486
				}
487
				transform_cnt = new_transform_cnt;
488
489
				new_transform_len = reallocarray(transform_len,
490
				    prop_cnt, sizeof *transform_len);
491
				if (!new_transform_len) {
492
					log_error(
493
					    "initiator_send_HASH_SA_NONCE: "
494
					    "realloc (%p, %lu) failed",
495
					    transform_len,
496
					    prop_cnt * (unsigned long)sizeof *transform_len);
497
					goto bail_out;
498
				}
499
				transform_len = new_transform_len;
500
			}
501
			protocol_id = conf_get_str(prot->field, "PROTOCOL_ID");
502
			if (!protocol_id)
503
				goto bail_out;
504
505
			proto_id = constant_value(ipsec_proto_cst,
506
			    protocol_id);
507
			switch (proto_id) {
508
			case IPSEC_PROTO_IPSEC_AH:
509
				id_map = ipsec_ah_cst;
510
				break;
511
512
			case IPSEC_PROTO_IPSEC_ESP:
513
				id_map = ipsec_esp_cst;
514
				break;
515
516
			case IPSEC_PROTO_IPCOMP:
517
				id_map = ipsec_ipcomp_cst;
518
				break;
519
520
			default:
521
			    {
522
				log_print("initiator_send_HASH_SA_NONCE: "
523
				    "invalid PROTCOL_ID: %s", protocol_id);
524
				goto bail_out;
525
			    }
526
			}
527
528
			/* Now get each transform we offer for this protocol.*/
529
			xf_conf = conf_get_list(prot->field, "Transforms");
530
			if (!xf_conf)
531
				goto bail_out;
532
			transform_cnt[prop_no] = xf_conf->cnt;
533
534
			transform[prop_no] = calloc(transform_cnt[prop_no],
535
			    sizeof **transform);
536
			if (!transform[prop_no]) {
537
				log_error("initiator_send_HASH_SA_NONCE: "
538
				    "calloc (%d, %lu) failed",
539
				    transform_cnt[prop_no],
540
				    (unsigned long)sizeof **transform);
541
				goto bail_out;
542
			}
543
			transform_len[prop_no] = calloc(transform_cnt[prop_no],
544
			    sizeof **transform_len);
545
			if (!transform_len[prop_no]) {
546
				log_error("initiator_send_HASH_SA_NONCE: "
547
				    "calloc (%d, %lu) failed",
548
				    transform_cnt[prop_no],
549
				    (unsigned long)sizeof **transform_len);
550
				goto bail_out;
551
			}
552
			transforms_len[prop_no] = 0;
553
			for (xf = TAILQ_FIRST(&xf_conf->fields), xf_no = 0;
554
			    xf_no < transform_cnt[prop_no];
555
			    xf_no++, xf = TAILQ_NEXT(xf, link)) {
556
557
				/* XXX The sizing needs to be dynamic.  */
558
				transform[prop_no][xf_no] =
559
				    calloc(ISAKMP_TRANSFORM_SA_ATTRS_OFF +
560
				    9 * ISAKMP_ATTR_VALUE_OFF, 1);
561
				if (!transform[prop_no][xf_no]) {
562
					log_error(
563
					    "initiator_send_HASH_SA_NONCE: "
564
					    "calloc (%d, 1) failed",
565
					    ISAKMP_TRANSFORM_SA_ATTRS_OFF +
566
					    9 * ISAKMP_ATTR_VALUE_OFF);
567
					goto bail_out;
568
				}
569
				SET_ISAKMP_TRANSFORM_NO(transform[prop_no][xf_no],
570
				    xf_no + 1);
571
572
				transform_id = conf_get_str(xf->field,
573
				    "TRANSFORM_ID");
574
				if (!transform_id)
575
					goto bail_out;
576
				SET_ISAKMP_TRANSFORM_ID(transform[prop_no][xf_no],
577
				    constant_value(id_map, transform_id));
578
				SET_ISAKMP_TRANSFORM_RESERVED(transform[prop_no][xf_no], 0);
579
580
				attr = transform[prop_no][xf_no] +
581
				    ISAKMP_TRANSFORM_SA_ATTRS_OFF;
582
583
				/*
584
				 * Life durations are special, we should be
585
				 * able to specify several, one per type.
586
				 */
587
				life_conf = conf_get_list(xf->field, "Life");
588
				if (life_conf) {
589
					for (life = TAILQ_FIRST(&life_conf->fields);
590
					    life; life = TAILQ_NEXT(life, link)) {
591
						attribute_set_constant(
592
						    life->field, "LIFE_TYPE",
593
						    ipsec_duration_cst,
594
						    IPSEC_ATTR_SA_LIFE_TYPE,
595
						    &attr);
596
597
						/*
598
						 * XXX Deals with 16 and 32
599
						 * bit lifetimes only
600
						 */
601
						value =
602
						    conf_get_num(life->field,
603
							"LIFE_DURATION", 0);
604
						if (value) {
605
							if (value <= 0xffff)
606
								attr =
607
								    attribute_set_basic(
608
									attr,
609
									IPSEC_ATTR_SA_LIFE_DURATION,
610
									value);
611
							else {
612
								value = htonl(value);
613
								attr =
614
								    attribute_set_var(
615
									attr,
616
									IPSEC_ATTR_SA_LIFE_DURATION,
617
									(u_int8_t *)&value,
618
									sizeof value);
619
							}
620
						}
621
					}
622
					conf_free_list(life_conf);
623
				}
624
				attribute_set_constant(xf->field,
625
				    "ENCAPSULATION_MODE", ipsec_encap_cst,
626
				    IPSEC_ATTR_ENCAPSULATION_MODE, &attr);
627
628
				if (proto_id != IPSEC_PROTO_IPCOMP) {
629
					attribute_set_constant(xf->field,
630
					    "AUTHENTICATION_ALGORITHM",
631
					    ipsec_auth_cst,
632
					    IPSEC_ATTR_AUTHENTICATION_ALGORITHM,
633
					    &attr);
634
635
					attribute_set_constant(xf->field,
636
					    "GROUP_DESCRIPTION",
637
					    ike_group_desc_cst,
638
					    IPSEC_ATTR_GROUP_DESCRIPTION, &attr);
639
640
					value = conf_get_num(xf->field,
641
					    "KEY_LENGTH", 0);
642
					if (value)
643
						attr = attribute_set_basic(
644
						    attr,
645
						    IPSEC_ATTR_KEY_LENGTH,
646
						    value);
647
648
					value = conf_get_num(xf->field,
649
					    "KEY_ROUNDS", 0);
650
					if (value)
651
						attr = attribute_set_basic(
652
						    attr,
653
						    IPSEC_ATTR_KEY_ROUNDS,
654
						    value);
655
				} else {
656
					value = conf_get_num(xf->field,
657
					    "COMPRESS_DICTIONARY_SIZE", 0);
658
					if (value)
659
						attr = attribute_set_basic(
660
						    attr,
661
						    IPSEC_ATTR_COMPRESS_DICTIONARY_SIZE,
662
						    value);
663
664
					value = conf_get_num(xf->field,
665
					   "COMPRESS_PRIVATE_ALGORITHM", 0);
666
					if (value)
667
						attr = attribute_set_basic(
668
						    attr,
669
						    IPSEC_ATTR_COMPRESS_PRIVATE_ALGORITHM,
670
						    value);
671
				}
672
673
				value = conf_get_num(xf->field, "ECN_TUNNEL",
674
				    0);
675
				if (value)
676
					attr = attribute_set_basic(attr,
677
					    IPSEC_ATTR_ECN_TUNNEL, value);
678
679
				/* Record the real transform size.  */
680
				transforms_len[prop_no] +=
681
				    (transform_len[prop_no][xf_no]
682
					= attr - transform[prop_no][xf_no]);
683
684
				if (proto_id != IPSEC_PROTO_IPCOMP) {
685
					/*
686
					 * Make sure that if a group
687
					 * description is specified, it is
688
					 * specified for all transforms
689
					 * equally.
690
					 */
691
					attr =
692
					    (u_int8_t *)conf_get_str(xf->field,
693
						"GROUP_DESCRIPTION");
694
					new_group_desc
695
					    = attr ? constant_value(ike_group_desc_cst,
696
						(char *)attr) : 0;
697
					if (group_desc == -1)
698
						group_desc = new_group_desc;
699
					else if (group_desc != new_group_desc) {
700
						log_print("initiator_send_HASH_SA_NONCE: "
701
						    "differing group descriptions in a proposal");
702
						goto bail_out;
703
					}
704
				}
705
			}
706
			conf_free_list(xf_conf);
707
			xf_conf = 0;
708
709
			/*
710
			 * Get SPI from application.
711
			 * XXX Should we care about unknown constants?
712
			 */
713
			protocol_num = constant_value(ipsec_proto_cst,
714
			    protocol_id);
715
			spi = doi->get_spi(&spi_sz, protocol_num, msg);
716
			if (spi_sz && !spi) {
717
				log_print("initiator_send_HASH_SA_NONCE: "
718
				    "doi->get_spi failed");
719
				goto bail_out;
720
			}
721
			proposal_len = ISAKMP_PROP_SPI_OFF + spi_sz;
722
			proposals_len +=
723
			    proposal_len + transforms_len[prop_no];
724
			proposal[prop_no] = malloc(proposal_len);
725
			if (!proposal[prop_no]) {
726
				log_error("initiator_send_HASH_SA_NONCE: "
727
				    "malloc (%lu) failed",
728
				    (unsigned long)proposal_len);
729
				goto bail_out;
730
			}
731
			SET_ISAKMP_PROP_NO(proposal[prop_no], suite_no + 1);
732
			SET_ISAKMP_PROP_PROTO(proposal[prop_no], protocol_num);
733
734
			/* XXX I would like to see this factored out.  */
735
			proto = calloc(1, sizeof *proto);
736
			if (!proto) {
737
				log_error("initiator_send_HASH_SA_NONCE: "
738
				    "calloc (1, %lu) failed",
739
				    (unsigned long)sizeof *proto);
740
				goto bail_out;
741
			}
742
			if (doi->proto_size) {
743
				proto->data = calloc(1, doi->proto_size);
744
				if (!proto->data) {
745
					free(proto);
746
					log_error(
747
					    "initiator_send_HASH_SA_NONCE: "
748
					    "calloc (1, %lu) failed",
749
					    (unsigned long)doi->proto_size);
750
					goto bail_out;
751
				}
752
			}
753
			proto->no = suite_no + 1;
754
			proto->proto = protocol_num;
755
			proto->sa = TAILQ_FIRST(&exchange->sa_list);
756
			proto->xf_cnt = transform_cnt[prop_no];
757
			TAILQ_INIT(&proto->xfs);
758
			for (xf_no = 0; xf_no < proto->xf_cnt; xf_no++) {
759
				pa = calloc(1, sizeof *pa);
760
				if (!pa) {
761
					free(proto->data);
762
					free(proto);
763
					goto bail_out;
764
				}
765
				pa->len = transform_len[prop_no][xf_no];
766
				pa->attrs = malloc(pa->len);
767
				if (!pa->attrs) {
768
					free(proto->data);
769
					free(proto);
770
					free(pa);
771
					goto bail_out;
772
				}
773
				memcpy(pa->attrs, transform[prop_no][xf_no],
774
				    pa->len);
775
				TAILQ_INSERT_TAIL(&proto->xfs, pa, next);
776
			}
777
			TAILQ_INSERT_TAIL(&TAILQ_FIRST(&exchange->sa_list)->protos,
778
			    proto, link);
779
780
			/* Setup the incoming SPI.  */
781
			SET_ISAKMP_PROP_SPI_SZ(proposal[prop_no], spi_sz);
782
			memcpy(proposal[prop_no] + ISAKMP_PROP_SPI_OFF, spi,
783
			    spi_sz);
784
			proto->spi_sz[1] = spi_sz;
785
			proto->spi[1] = spi;
786
787
			/*
788
			 * Let the DOI get at proto for initializing its own
789
			 * data.
790
			 */
791
			if (doi->proto_init)
792
				doi->proto_init(proto, prot->field);
793
794
			SET_ISAKMP_PROP_NTRANSFORMS(proposal[prop_no],
795
						    transform_cnt[prop_no]);
796
			prop_no++;
797
		}
798
		conf_free_list(prot_conf);
799
		prot_conf = 0;
800
	}
801
802
	sa_len = ISAKMP_SA_SIT_OFF + IPSEC_SIT_SIT_LEN;
803
	sa_buf = malloc(sa_len);
804
	if (!sa_buf) {
805
		log_error("initiator_send_HASH_SA_NONCE: malloc (%lu) failed",
806
			  (unsigned long)sa_len);
807
		goto bail_out;
808
	}
809
	SET_ISAKMP_SA_DOI(sa_buf, IPSEC_DOI_IPSEC);
810
	SET_IPSEC_SIT_SIT(sa_buf + ISAKMP_SA_SIT_OFF, IPSEC_SIT_IDENTITY_ONLY);
811
812
	/*
813
	 * Add the payloads.  As this is a SA, we need to recompute the
814
	 * lengths of the payloads containing others.  We also need to
815
	 * reset these payload's "next payload type" field.
816
         */
817
	if (message_add_payload(msg, ISAKMP_PAYLOAD_SA, sa_buf, sa_len, 1))
818
		goto bail_out;
819
	SET_ISAKMP_GEN_LENGTH(sa_buf, sa_len + proposals_len);
820
	sa_buf = 0;
821
822
	update_nextp = 0;
823
	saved_nextp_sa = msg->nextp;
824
	for (i = 0; i < prop_no; i++) {
825
		if (message_add_payload(msg, ISAKMP_PAYLOAD_PROPOSAL,
826
		    proposal[i], proposal_len, update_nextp))
827
			goto bail_out;
828
		SET_ISAKMP_GEN_LENGTH(proposal[i],
829
		    proposal_len + transforms_len[i]);
830
		proposal[i] = 0;
831
832
		update_nextp = 0;
833
		saved_nextp_prop = msg->nextp;
834
		for (xf_no = 0; xf_no < transform_cnt[i]; xf_no++) {
835
			if (message_add_payload(msg, ISAKMP_PAYLOAD_TRANSFORM,
836
			    transform[i][xf_no],
837
			    transform_len[i][xf_no], update_nextp))
838
				goto bail_out;
839
			update_nextp = 1;
840
			transform[i][xf_no] = 0;
841
		}
842
		msg->nextp = saved_nextp_prop;
843
		update_nextp = 1;
844
	}
845
	msg->nextp = saved_nextp_sa;
846
847
	/*
848
	 * Save SA payload body in ie->sa_i_b, length ie->sa_i_b_len.
849
         */
850
	ie->sa_i_b = message_copy(msg, ISAKMP_GEN_SZ, &ie->sa_i_b_len);
851
	if (!ie->sa_i_b)
852
		goto bail_out;
853
854
	/*
855
	 * Generate a nonce, and add it to the message.
856
	 * XXX I want a better way to specify the nonce's size.
857
         */
858
	if (exchange_gen_nonce(msg, 16))
859
		return -1;
860
861
	/* Generate optional KEY_EXCH payload.  */
862
	if (group_desc > 0) {
863
		ie->group = group_get(group_desc);
864
		ie->g_x_len = dh_getlen(ie->group);
865
866
		if (ipsec_gen_g_x(msg)) {
867
			group_free(ie->group);
868
			ie->group = 0;
869
			return -1;
870
		}
871
	}
872
	/* Generate optional client ID payloads.  XXX Share with responder.  */
873
	local_id = conf_get_str(exchange->name, "Local-ID");
874
	remote_id = conf_get_str(exchange->name, "Remote-ID");
875
	if (local_id && remote_id) {
876
		id = ipsec_build_id(local_id, &sz);
877
		if (!id)
878
			return -1;
879
		LOG_DBG_BUF((LOG_NEGOTIATION, 90,
880
		    "initiator_send_HASH_SA_NONCE: IDic", id, sz));
881
		if (message_add_payload(msg, ISAKMP_PAYLOAD_ID, id, sz, 1)) {
882
			free(id);
883
			return -1;
884
		}
885
		id = ipsec_build_id(remote_id, &sz);
886
		if (!id)
887
			return -1;
888
		LOG_DBG_BUF((LOG_NEGOTIATION, 90,
889
		    "initiator_send_HASH_SA_NONCE: IDrc", id, sz));
890
		if (message_add_payload(msg, ISAKMP_PAYLOAD_ID, id, sz, 1)) {
891
			free(id);
892
			return -1;
893
		}
894
	}
895
	/* XXX I do not judge these as errors, are they?  */
896
	else if (local_id)
897
		log_print("initiator_send_HASH_SA_NONCE: "
898
			  "Local-ID given without Remote-ID for \"%s\"",
899
			  exchange->name);
900
	else if (remote_id)
901
		/*
902
		 * This code supports the "road warrior" case, where the
903
		 * initiator doesn't have a fixed IP address, but wants to
904
		 * specify a particular remote network to talk to. -- Adrian
905
		 * Close <adrian@esec.com.au>
906
		 */
907
	{
908
		log_print("initiator_send_HASH_SA_NONCE: "
909
			  "Remote-ID given without Local-ID for \"%s\"",
910
			  exchange->name);
911
912
		/*
913
		 * If we're here, then we are the initiator, so use initiator
914
		 * address for local ID
915
		 */
916
		msg->transport->vtbl->get_src(msg->transport, &src);
917
		sz = ISAKMP_ID_SZ + sockaddr_addrlen(src);
918
919
		id = calloc(sz, sizeof(char));
920
		if (!id) {
921
			log_error("initiator_send_HASH_SA_NONCE: "
922
			    "calloc (%lu, %lu) failed", (unsigned long)sz,
923
			    (unsigned long)sizeof(char));
924
			return -1;
925
		}
926
		switch (src->sa_family) {
927
		case AF_INET6:
928
			SET_ISAKMP_ID_TYPE(id, IPSEC_ID_IPV6_ADDR);
929
			break;
930
		case AF_INET:
931
			SET_ISAKMP_ID_TYPE(id, IPSEC_ID_IPV4_ADDR);
932
			break;
933
		default:
934
			log_error("initiator_send_HASH_SA_NONCE: "
935
			    "unknown sa_family %d", src->sa_family);
936
			free(id);
937
			return -1;
938
		}
939
		memcpy(id + ISAKMP_ID_DATA_OFF, sockaddr_addrdata(src),
940
		    sockaddr_addrlen(src));
941
942
		LOG_DBG_BUF((LOG_NEGOTIATION, 90,
943
		    "initiator_send_HASH_SA_NONCE: IDic", id, sz));
944
		if (message_add_payload(msg, ISAKMP_PAYLOAD_ID, id, sz, 1)) {
945
			free(id);
946
			return -1;
947
		}
948
		/* Send supplied remote_id */
949
		id = ipsec_build_id(remote_id, &sz);
950
		if (!id)
951
			return -1;
952
		LOG_DBG_BUF((LOG_NEGOTIATION, 90,
953
		    "initiator_send_HASH_SA_NONCE: IDrc", id, sz));
954
		if (message_add_payload(msg, ISAKMP_PAYLOAD_ID, id, sz, 1)) {
955
			free(id);
956
			return -1;
957
		}
958
	}
959
	if (ipsec_fill_in_hash(msg))
960
		goto bail_out;
961
962
	conf_free_list(suite_conf);
963
	for (i = 0; i < prop_no; i++) {
964
		free(transform[i]);
965
		free(transform_len[i]);
966
	}
967
	free(proposal);
968
	free(transform);
969
	free(transforms_len);
970
	free(transform_len);
971
	free(transform_cnt);
972
	return 0;
973
974
bail_out:
975
	free(sa_buf);
976
	if (proposal) {
977
		for (i = 0; i < prop_no; i++) {
978
			free(proposal[i]);
979
			if (transform[i]) {
980
				for (xf_no = 0; xf_no < transform_cnt[i];
981
				    xf_no++)
982
					free(transform[i][xf_no]);
983
				free(transform[i]);
984
			}
985
			free(transform_len[i]);
986
		}
987
		free(proposal);
988
		free(transforms_len);
989
		free(transform);
990
		free(transform_len);
991
		free(transform_cnt);
992
	}
993
	if (xf_conf)
994
		conf_free_list(xf_conf);
995
	if (prot_conf)
996
		conf_free_list(prot_conf);
997
	conf_free_list(suite_conf);
998
	return -1;
999
}
1000
1001
/* Figure out what transform the responder chose.  */
1002
static int
1003
initiator_recv_HASH_SA_NONCE(struct message *msg)
1004
{
1005
	struct exchange *exchange = msg->exchange;
1006
	struct ipsec_exch *ie = exchange->data;
1007
	struct sa      *sa;
1008
	struct proto   *proto, *next_proto;
1009
	struct payload *sa_p = payload_first(msg, ISAKMP_PAYLOAD_SA);
1010
	struct payload *xf, *idp;
1011
	struct payload *hashp = payload_first(msg, ISAKMP_PAYLOAD_HASH);
1012
	struct payload *kep = payload_first(msg, ISAKMP_PAYLOAD_KEY_EXCH);
1013
	struct prf     *prf;
1014
	struct sa      *isakmp_sa = msg->isakmp_sa;
1015
	struct ipsec_sa *isa = isakmp_sa->data;
1016
	struct hash    *hash = hash_get(isa->hash);
1017
	u_int8_t       *rest;
1018
	size_t          rest_len;
1019
	struct sockaddr *src, *dst;
1020
1021
	/* Allocate the prf and start calculating our HASH(1).  XXX Share?  */
1022
	LOG_DBG_BUF((LOG_NEGOTIATION, 90, "initiator_recv_HASH_SA_NONCE: "
1023
	    "SKEYID_a", (u_int8_t *)isa->skeyid_a, isa->skeyid_len));
1024
	prf = prf_alloc(isa->prf_type, hash->type, isa->skeyid_a,
1025
	    isa->skeyid_len);
1026
	if (!prf)
1027
		return -1;
1028
1029
	prf->Init(prf->prfctx);
1030
	LOG_DBG_BUF((LOG_NEGOTIATION, 90,
1031
	    "initiator_recv_HASH_SA_NONCE: message_id",
1032
	    exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN));
1033
	prf->Update(prf->prfctx, exchange->message_id,
1034
	    ISAKMP_HDR_MESSAGE_ID_LEN);
1035
	LOG_DBG_BUF((LOG_NEGOTIATION, 90, "initiator_recv_HASH_SA_NONCE: "
1036
	    "NONCE_I_b", exchange->nonce_i, exchange->nonce_i_len));
1037
	prf->Update(prf->prfctx, exchange->nonce_i, exchange->nonce_i_len);
1038
	rest = hashp->p + GET_ISAKMP_GEN_LENGTH(hashp->p);
1039
	rest_len = (GET_ISAKMP_HDR_LENGTH(msg->iov[0].iov_base)
1040
	    - (rest - (u_int8_t *)msg->iov[0].iov_base));
1041
	LOG_DBG_BUF((LOG_NEGOTIATION, 90,
1042
	    "initiator_recv_HASH_SA_NONCE: payloads after HASH(2)", rest,
1043
	    rest_len));
1044
	prf->Update(prf->prfctx, rest, rest_len);
1045
	prf->Final(hash->digest, prf->prfctx);
1046
	prf_free(prf);
1047
	LOG_DBG_BUF((LOG_NEGOTIATION, 80,
1048
	    "initiator_recv_HASH_SA_NONCE: computed HASH(2)", hash->digest,
1049
	    hash->hashsize));
1050
	if (memcmp(hashp->p + ISAKMP_HASH_DATA_OFF, hash->digest,
1051
	    hash->hashsize) != 0) {
1052
		message_drop(msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION, 0, 1,
1053
		    0);
1054
		return -1;
1055
	}
1056
	/* Mark the HASH as handled.  */
1057
	hashp->flags |= PL_MARK;
1058
1059
	/* Mark message as authenticated. */
1060
	msg->flags |= MSG_AUTHENTICATED;
1061
1062
	/*
1063
	 * As we are getting an answer on our transform offer, only one
1064
	 * transform should be given.
1065
         *
1066
	 * XXX Currently we only support negotiating one SA per quick mode run.
1067
         */
1068
	if (TAILQ_NEXT(sa_p, link)) {
1069
		log_print("initiator_recv_HASH_SA_NONCE: "
1070
		    "multiple SA payloads in quick mode not supported yet");
1071
		return -1;
1072
	}
1073
	sa = TAILQ_FIRST(&exchange->sa_list);
1074
1075
	/* This is here for the policy check */
1076
	if (kep)
1077
		ie->pfs = 1;
1078
1079
	/* Drop message when it contains ID types we do not implement yet.  */
1080
	TAILQ_FOREACH(idp, &msg->payload[ISAKMP_PAYLOAD_ID], link) {
1081
		switch (GET_ISAKMP_ID_TYPE(idp->p)) {
1082
		case IPSEC_ID_IPV4_ADDR:
1083
		case IPSEC_ID_IPV4_ADDR_SUBNET:
1084
		case IPSEC_ID_IPV6_ADDR:
1085
		case IPSEC_ID_IPV6_ADDR_SUBNET:
1086
			break;
1087
1088
		case IPSEC_ID_FQDN:
1089
			/*
1090
			 * FQDN may be used for in NAT-T with transport mode.
1091
			 * We can handle the message in this case.  In the
1092
			 * other cases we'll drop the message later.
1093
			 */
1094
			break;
1095
1096
		default:
1097
			message_drop(msg, ISAKMP_NOTIFY_INVALID_ID_INFORMATION,
1098
			    0, 1, 0);
1099
			return -1;
1100
		}
1101
	}
1102
1103
	/* Handle optional client ID payloads.  */
1104
	idp = payload_first(msg, ISAKMP_PAYLOAD_ID);
1105
	if (idp) {
1106
		/* If IDci is there, IDcr must be too.  */
1107
		if (!TAILQ_NEXT(idp, link)) {
1108
			/* XXX Is this a good notify type?  */
1109
			message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0,
1110
			    1, 0);
1111
			return -1;
1112
		}
1113
		/* XXX We should really compare, not override.  */
1114
		ie->id_ci_sz = GET_ISAKMP_GEN_LENGTH(idp->p);
1115
		ie->id_ci = malloc(ie->id_ci_sz);
1116
		if (!ie->id_ci) {
1117
			log_error("initiator_recv_HASH_SA_NONCE: "
1118
			    "malloc (%lu) failed",
1119
			    (unsigned long)ie->id_ci_sz);
1120
			return -1;
1121
		}
1122
		memcpy(ie->id_ci, idp->p, ie->id_ci_sz);
1123
		idp->flags |= PL_MARK;
1124
		LOG_DBG_BUF((LOG_NEGOTIATION, 90,
1125
		    "initiator_recv_HASH_SA_NONCE: IDci",
1126
		    ie->id_ci + ISAKMP_GEN_SZ, ie->id_ci_sz - ISAKMP_GEN_SZ));
1127
1128
		idp = TAILQ_NEXT(idp, link);
1129
		ie->id_cr_sz = GET_ISAKMP_GEN_LENGTH(idp->p);
1130
		ie->id_cr = malloc(ie->id_cr_sz);
1131
		if (!ie->id_cr) {
1132
			log_error("initiator_recv_HASH_SA_NONCE: "
1133
			    "malloc (%lu) failed",
1134
			    (unsigned long)ie->id_cr_sz);
1135
			return -1;
1136
		}
1137
		memcpy(ie->id_cr, idp->p, ie->id_cr_sz);
1138
		idp->flags |= PL_MARK;
1139
		LOG_DBG_BUF((LOG_NEGOTIATION, 90,
1140
		    "initiator_recv_HASH_SA_NONCE: IDcr",
1141
		    ie->id_cr + ISAKMP_GEN_SZ, ie->id_cr_sz - ISAKMP_GEN_SZ));
1142
	} else {
1143
		/*
1144
		 * If client identifiers are not present in the exchange,
1145
		 * we fake them. RFC 2409 states:
1146
		 *    The identities of the SAs negotiated in Quick Mode are
1147
		 *    implicitly assumed to be the IP addresses of the ISAKMP
1148
		 *    peers, without any constraints on the protocol or port
1149
		 *    numbers allowed, unless client identifiers are specified
1150
		 *    in Quick Mode.
1151
		 *
1152
		 * -- Michael Paddon (mwp@aba.net.au)
1153
		 */
1154
1155
		ie->flags = IPSEC_EXCH_FLAG_NO_ID;
1156
1157
		/* Get initiator and responder addresses.  */
1158
		msg->transport->vtbl->get_src(msg->transport, &src);
1159
		msg->transport->vtbl->get_dst(msg->transport, &dst);
1160
		ie->id_ci_sz = ISAKMP_ID_DATA_OFF + sockaddr_addrlen(src);
1161
		ie->id_cr_sz = ISAKMP_ID_DATA_OFF + sockaddr_addrlen(dst);
1162
		ie->id_ci = calloc(ie->id_ci_sz, sizeof(char));
1163
		ie->id_cr = calloc(ie->id_cr_sz, sizeof(char));
1164
1165
		if (!ie->id_ci || !ie->id_cr) {
1166
			log_error("initiator_recv_HASH_SA_NONCE: "
1167
			    "calloc (%lu, %lu) failed",
1168
			    (unsigned long)ie->id_cr_sz,
1169
			    (unsigned long)sizeof(char));
1170
			free(ie->id_ci);
1171
			ie->id_ci = 0;
1172
			free(ie->id_cr);
1173
			ie->id_cr = 0;
1174
			return -1;
1175
		}
1176
		if (src->sa_family != dst->sa_family) {
1177
			log_error("initiator_recv_HASH_SA_NONCE: "
1178
			    "sa_family mismatch");
1179
			free(ie->id_ci);
1180
			ie->id_ci = 0;
1181
			free(ie->id_cr);
1182
			ie->id_cr = 0;
1183
			return -1;
1184
		}
1185
		switch (src->sa_family) {
1186
		case AF_INET:
1187
			SET_ISAKMP_ID_TYPE(ie->id_ci, IPSEC_ID_IPV4_ADDR);
1188
			SET_ISAKMP_ID_TYPE(ie->id_cr, IPSEC_ID_IPV4_ADDR);
1189
			break;
1190
1191
		case AF_INET6:
1192
			SET_ISAKMP_ID_TYPE(ie->id_ci, IPSEC_ID_IPV6_ADDR);
1193
			SET_ISAKMP_ID_TYPE(ie->id_cr, IPSEC_ID_IPV6_ADDR);
1194
			break;
1195
1196
		default:
1197
			log_error("initiator_recv_HASH_SA_NONCE: "
1198
			    "unknown sa_family %d", src->sa_family);
1199
			free(ie->id_ci);
1200
			ie->id_ci = 0;
1201
			free(ie->id_cr);
1202
			ie->id_cr = 0;
1203
			return -1;
1204
		}
1205
		memcpy(ie->id_ci + ISAKMP_ID_DATA_OFF, sockaddr_addrdata(src),
1206
		    sockaddr_addrlen(src));
1207
		memcpy(ie->id_cr + ISAKMP_ID_DATA_OFF, sockaddr_addrdata(dst),
1208
		    sockaddr_addrlen(dst));
1209
	}
1210
1211
	/* Build the protection suite in our SA.  */
1212
	TAILQ_FOREACH(xf, &msg->payload[ISAKMP_PAYLOAD_TRANSFORM], link) {
1213
		/*
1214
		 * XXX We could check that the proposal each transform
1215
		 * belongs to is unique.
1216
		 */
1217
1218
		if (sa_add_transform(sa, xf, exchange->initiator, &proto))
1219
			return -1;
1220
1221
		/* XXX Check that the chosen transform matches an offer.  */
1222
1223
		ipsec_decode_transform(msg, sa, proto, xf->p);
1224
	}
1225
1226
	/* Now remove offers that we don't need anymore.  */
1227
	for (proto = TAILQ_FIRST(&sa->protos); proto; proto = next_proto) {
1228
		next_proto = TAILQ_NEXT(proto, link);
1229
		if (!proto->chosen)
1230
			proto_free(proto);
1231
	}
1232
1233
	if (!check_policy(exchange, sa, msg->isakmp_sa)) {
1234
		message_drop(msg, ISAKMP_NOTIFY_NO_PROPOSAL_CHOSEN, 0, 1, 0);
1235
		log_print("initiator_recv_HASH_SA_NONCE: policy check failed");
1236
		return -1;
1237
	}
1238
1239
	/* Mark the SA as handled.  */
1240
	sa_p->flags |= PL_MARK;
1241
1242
	isa = sa->data;
1243
	if ((isa->group_desc &&
1244
	    (!ie->group || ie->group->id != isa->group_desc)) ||
1245
	    (!isa->group_desc && ie->group)) {
1246
		log_print("initiator_recv_HASH_SA_NONCE: disagreement on PFS");
1247
		return -1;
1248
	}
1249
	/* Copy out the initiator's nonce.  */
1250
	if (exchange_save_nonce(msg))
1251
		return -1;
1252
1253
	/* Handle the optional KEY_EXCH payload.  */
1254
	if (kep && ipsec_save_g_x(msg))
1255
		return -1;
1256
1257
	return 0;
1258
}
1259
1260
static int
1261
initiator_send_HASH(struct message *msg)
1262
{
1263
	struct exchange *exchange = msg->exchange;
1264
	struct ipsec_exch *ie = exchange->data;
1265
	struct sa      *isakmp_sa = msg->isakmp_sa;
1266
	struct ipsec_sa *isa = isakmp_sa->data;
1267
	struct prf     *prf;
1268
	u_int8_t       *buf;
1269
	struct hash    *hash = hash_get(isa->hash);
1270
1271
	/*
1272
	 * We want a HASH payload to start with.  XXX Share with
1273
	 * ike_main_mode.c?
1274
	 */
1275
	buf = malloc(ISAKMP_HASH_SZ + hash->hashsize);
1276
	if (!buf) {
1277
		log_error("initiator_send_HASH: malloc (%lu) failed",
1278
		    ISAKMP_HASH_SZ + (unsigned long)hash->hashsize);
1279
		return -1;
1280
	}
1281
	if (message_add_payload(msg, ISAKMP_PAYLOAD_HASH, buf,
1282
	    ISAKMP_HASH_SZ + hash->hashsize, 1)) {
1283
		free(buf);
1284
		return -1;
1285
	}
1286
	/* Allocate the prf and start calculating our HASH(3).  XXX Share?  */
1287
	LOG_DBG_BUF((LOG_NEGOTIATION, 90, "initiator_send_HASH: SKEYID_a",
1288
	    isa->skeyid_a, isa->skeyid_len));
1289
	prf = prf_alloc(isa->prf_type, isa->hash, isa->skeyid_a,
1290
	    isa->skeyid_len);
1291
	if (!prf)
1292
		return -1;
1293
	prf->Init(prf->prfctx);
1294
	prf->Update(prf->prfctx, (unsigned char *)"\0", 1);
1295
	LOG_DBG_BUF((LOG_NEGOTIATION, 90, "initiator_send_HASH: message_id",
1296
	    exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN));
1297
	prf->Update(prf->prfctx, exchange->message_id,
1298
	    ISAKMP_HDR_MESSAGE_ID_LEN);
1299
	LOG_DBG_BUF((LOG_NEGOTIATION, 90, "initiator_send_HASH: NONCE_I_b",
1300
	    exchange->nonce_i, exchange->nonce_i_len));
1301
	prf->Update(prf->prfctx, exchange->nonce_i, exchange->nonce_i_len);
1302
	LOG_DBG_BUF((LOG_NEGOTIATION, 90, "initiator_send_HASH: NONCE_R_b",
1303
	    exchange->nonce_r, exchange->nonce_r_len));
1304
	prf->Update(prf->prfctx, exchange->nonce_r, exchange->nonce_r_len);
1305
	prf->Final(buf + ISAKMP_GEN_SZ, prf->prfctx);
1306
	prf_free(prf);
1307
	LOG_DBG_BUF((LOG_NEGOTIATION, 90, "initiator_send_HASH: HASH(3)",
1308
	    buf + ISAKMP_GEN_SZ, hash->hashsize));
1309
1310
	if (ie->group)
1311
		message_register_post_send(msg, gen_g_xy);
1312
1313
	message_register_post_send(msg, post_quick_mode);
1314
1315
	return 0;
1316
}
1317
1318
static void
1319
post_quick_mode(struct message *msg)
1320
{
1321
	struct sa      *isakmp_sa = msg->isakmp_sa;
1322
	struct ipsec_sa *isa = isakmp_sa->data;
1323
	struct exchange *exchange = msg->exchange;
1324
	struct ipsec_exch *ie = exchange->data;
1325
	struct prf     *prf;
1326
	struct sa      *sa;
1327
	struct proto   *proto;
1328
	struct ipsec_proto *iproto;
1329
	u_int8_t       *keymat;
1330
	int             i;
1331
1332
	/*
1333
	 * Loop over all SA negotiations and do both an in- and an outgoing SA
1334
	 * per protocol.
1335
         */
1336
	for (sa = TAILQ_FIRST(&exchange->sa_list); sa;
1337
	    sa = TAILQ_NEXT(sa, next)) {
1338
		for (proto = TAILQ_FIRST(&sa->protos); proto;
1339
		    proto = TAILQ_NEXT(proto, link)) {
1340
			if (proto->proto == IPSEC_PROTO_IPCOMP)
1341
				continue;
1342
1343
			iproto = proto->data;
1344
1345
			/*
1346
			 * There are two SAs for each SA negotiation,
1347
			 * incoming and outgoing.
1348
			 */
1349
			for (i = 0; i < 2; i++) {
1350
				prf = prf_alloc(isa->prf_type, isa->hash,
1351
				    isa->skeyid_d, isa->skeyid_len);
1352
				if (!prf) {
1353
					/* XXX What to do?  */
1354
					continue;
1355
				}
1356
				ie->keymat_len = ipsec_keymat_length(proto);
1357
1358
				/*
1359
				 * We need to roundup the length of the key
1360
				 * material buffer to a multiple of the PRF's
1361
				 * blocksize as it is generated in chunks of
1362
				 * that blocksize.
1363
				 */
1364
				iproto->keymat[i]
1365
					= malloc(((ie->keymat_len + prf->blocksize - 1)
1366
					/ prf->blocksize) * prf->blocksize);
1367
				if (!iproto->keymat[i]) {
1368
					log_error("post_quick_mode: "
1369
					    "malloc (%lu) failed",
1370
					    (((unsigned long)ie->keymat_len +
1371
						prf->blocksize - 1) / prf->blocksize) *
1372
					    prf->blocksize);
1373
					/* XXX What more to do?  */
1374
					free(prf);
1375
					continue;
1376
				}
1377
				for (keymat = iproto->keymat[i];
1378
				keymat < iproto->keymat[i] + ie->keymat_len;
1379
				    keymat += prf->blocksize) {
1380
					prf->Init(prf->prfctx);
1381
1382
					if (keymat != iproto->keymat[i]) {
1383
						/*
1384
						 * Hash in last round's
1385
						 * KEYMAT.
1386
						 */
1387
						LOG_DBG_BUF((LOG_NEGOTIATION,
1388
						    90, "post_quick_mode: "
1389
						    "last KEYMAT",
1390
						    keymat - prf->blocksize,
1391
						    prf->blocksize));
1392
						prf->Update(prf->prfctx,
1393
						    keymat - prf->blocksize,
1394
						    prf->blocksize);
1395
					}
1396
					/* If PFS is used hash in g^xy.  */
1397
					if (ie->g_xy) {
1398
						LOG_DBG_BUF((LOG_NEGOTIATION,
1399
						    90, "post_quick_mode: "
1400
						    "g^xy", ie->g_xy,
1401
						    ie->g_x_len));
1402
						prf->Update(prf->prfctx,
1403
						    ie->g_xy, ie->g_x_len);
1404
					}
1405
					LOG_DBG((LOG_NEGOTIATION, 90,
1406
					    "post_quick_mode: "
1407
					    "suite %d proto %d", proto->no,
1408
					    proto->proto));
1409
					prf->Update(prf->prfctx, &proto->proto,
1410
					    1);
1411
					LOG_DBG_BUF((LOG_NEGOTIATION, 90,
1412
					    "post_quick_mode: SPI",
1413
					    proto->spi[i], proto->spi_sz[i]));
1414
					prf->Update(prf->prfctx,
1415
					    proto->spi[i], proto->spi_sz[i]);
1416
					LOG_DBG_BUF((LOG_NEGOTIATION, 90,
1417
					    "post_quick_mode: Ni_b",
1418
					    exchange->nonce_i,
1419
					    exchange->nonce_i_len));
1420
					prf->Update(prf->prfctx,
1421
					    exchange->nonce_i,
1422
					    exchange->nonce_i_len);
1423
					LOG_DBG_BUF((LOG_NEGOTIATION, 90,
1424
					    "post_quick_mode: Nr_b",
1425
					    exchange->nonce_r,
1426
					    exchange->nonce_r_len));
1427
					prf->Update(prf->prfctx,
1428
					    exchange->nonce_r,
1429
					    exchange->nonce_r_len);
1430
					prf->Final(keymat, prf->prfctx);
1431
				}
1432
				prf_free(prf);
1433
				LOG_DBG_BUF((LOG_NEGOTIATION, 90,
1434
				    "post_quick_mode: KEYMAT",
1435
				    iproto->keymat[i], ie->keymat_len));
1436
			}
1437
		}
1438
	}
1439
1440
	log_verbose("isakmpd: quick mode done%s: %s",
1441
	    (exchange->initiator == 0) ? " (as responder)" : "",
1442
	    !msg->isakmp_sa || !msg->isakmp_sa->transport ? "<no transport>"
1443
	    : msg->isakmp_sa->transport->vtbl->decode_ids
1444
	    (msg->isakmp_sa->transport));
1445
}
1446
1447
/*
1448
 * Accept a set of transforms offered by the initiator and chose one we can
1449
 * handle.
1450
 * XXX Describe in more detail.
1451
 */
1452
static int
1453
responder_recv_HASH_SA_NONCE(struct message *msg)
1454
{
1455
	struct payload *hashp, *kep, *idp;
1456
	struct sa      *sa;
1457
	struct sa      *isakmp_sa = msg->isakmp_sa;
1458
	struct ipsec_sa *isa = isakmp_sa->data;
1459
	struct exchange *exchange = msg->exchange;
1460
	struct ipsec_exch *ie = exchange->data;
1461
	struct prf     *prf;
1462
	u_int8_t       *hash, *my_hash = 0;
1463
	size_t          hash_len;
1464
	u_int8_t       *pkt = msg->iov[0].iov_base;
1465
	u_int8_t        group_desc = 0;
1466
	int             retval = -1;
1467
	struct proto   *proto;
1468
	struct sockaddr *src, *dst;
1469
	char           *name;
1470
1471
	hashp = payload_first(msg, ISAKMP_PAYLOAD_HASH);
1472
	hash = hashp->p;
1473
	hashp->flags |= PL_MARK;
1474
1475
	/* The HASH payload should be the first one.  */
1476
	if (hash != pkt + ISAKMP_HDR_SZ) {
1477
		/* XXX Is there a better notification type?  */
1478
		message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 0);
1479
		goto cleanup;
1480
	}
1481
	hash_len = GET_ISAKMP_GEN_LENGTH(hash);
1482
	my_hash = malloc(hash_len - ISAKMP_GEN_SZ);
1483
	if (!my_hash) {
1484
		log_error("responder_recv_HASH_SA_NONCE: malloc (%lu) failed",
1485
		    (unsigned long)hash_len - ISAKMP_GEN_SZ);
1486
		goto cleanup;
1487
	}
1488
	/*
1489
	 * Check the payload's integrity.
1490
	 * XXX Share with ipsec_fill_in_hash?
1491
         */
1492
	LOG_DBG_BUF((LOG_NEGOTIATION, 90, "responder_recv_HASH_SA_NONCE: "
1493
	    "SKEYID_a", isa->skeyid_a, isa->skeyid_len));
1494
	prf = prf_alloc(isa->prf_type, isa->hash, isa->skeyid_a,
1495
	    isa->skeyid_len);
1496
	if (!prf)
1497
		goto cleanup;
1498
	prf->Init(prf->prfctx);
1499
	LOG_DBG_BUF((LOG_NEGOTIATION, 90,
1500
	    "responder_recv_HASH_SA_NONCE: message_id",
1501
	    exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN));
1502
	prf->Update(prf->prfctx, exchange->message_id,
1503
	    ISAKMP_HDR_MESSAGE_ID_LEN);
1504
	LOG_DBG_BUF((LOG_NEGOTIATION, 90,
1505
	    "responder_recv_HASH_SA_NONCE: message after HASH",
1506
	    hash + hash_len,
1507
	    msg->iov[0].iov_len - ISAKMP_HDR_SZ - hash_len));
1508
	prf->Update(prf->prfctx, hash + hash_len,
1509
	    msg->iov[0].iov_len - ISAKMP_HDR_SZ - hash_len);
1510
	prf->Final(my_hash, prf->prfctx);
1511
	prf_free(prf);
1512
	LOG_DBG_BUF((LOG_NEGOTIATION, 90,
1513
	    "responder_recv_HASH_SA_NONCE: computed HASH(1)", my_hash,
1514
	    hash_len - ISAKMP_GEN_SZ));
1515
	if (memcmp(hash + ISAKMP_GEN_SZ, my_hash, hash_len - ISAKMP_GEN_SZ)
1516
	    != 0) {
1517
		message_drop(msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION, 0,
1518
		    1, 0);
1519
		goto cleanup;
1520
	}
1521
	free(my_hash);
1522
	my_hash = 0;
1523
1524
	/* Mark message as authenticated. */
1525
	msg->flags |= MSG_AUTHENTICATED;
1526
1527
	kep = payload_first(msg, ISAKMP_PAYLOAD_KEY_EXCH);
1528
	if (kep)
1529
		ie->pfs = 1;
1530
1531
	/* Drop message when it contains ID types we do not implement yet.  */
1532
	TAILQ_FOREACH(idp, &msg->payload[ISAKMP_PAYLOAD_ID], link) {
1533
		switch (GET_ISAKMP_ID_TYPE(idp->p)) {
1534
		case IPSEC_ID_IPV4_ADDR:
1535
		case IPSEC_ID_IPV4_ADDR_SUBNET:
1536
		case IPSEC_ID_IPV6_ADDR:
1537
		case IPSEC_ID_IPV6_ADDR_SUBNET:
1538
			break;
1539
1540
		case IPSEC_ID_FQDN:
1541
			/*
1542
			 * FQDN may be used for in NAT-T with transport mode.
1543
			 * We can handle the message in this case.  In the
1544
			 * other cases we'll drop the message later.
1545
			 */
1546
			break;
1547
1548
		default:
1549
			message_drop(msg, ISAKMP_NOTIFY_INVALID_ID_INFORMATION,
1550
			    0, 1, 0);
1551
			goto cleanup;
1552
		}
1553
	}
1554
1555
	/* Handle optional client ID payloads.  */
1556
	idp = payload_first(msg, ISAKMP_PAYLOAD_ID);
1557
	if (idp) {
1558
		/* If IDci is there, IDcr must be too.  */
1559
		if (!TAILQ_NEXT(idp, link)) {
1560
			/* XXX Is this a good notify type?  */
1561
			message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0,
1562
			    1, 0);
1563
			goto cleanup;
1564
		}
1565
		ie->id_ci_sz = GET_ISAKMP_GEN_LENGTH(idp->p);
1566
		ie->id_ci = malloc(ie->id_ci_sz);
1567
		if (!ie->id_ci) {
1568
			log_error("responder_recv_HASH_SA_NONCE: "
1569
			    "malloc (%lu) failed",
1570
			    (unsigned long)ie->id_ci_sz);
1571
			goto cleanup;
1572
		}
1573
		memcpy(ie->id_ci, idp->p, ie->id_ci_sz);
1574
		idp->flags |= PL_MARK;
1575
		LOG_DBG_BUF((LOG_NEGOTIATION, 90,
1576
		    "responder_recv_HASH_SA_NONCE: IDci",
1577
		    ie->id_ci + ISAKMP_GEN_SZ, ie->id_ci_sz - ISAKMP_GEN_SZ));
1578
1579
		idp = TAILQ_NEXT(idp, link);
1580
		ie->id_cr_sz = GET_ISAKMP_GEN_LENGTH(idp->p);
1581
		ie->id_cr = malloc(ie->id_cr_sz);
1582
		if (!ie->id_cr) {
1583
			log_error("responder_recv_HASH_SA_NONCE: "
1584
			    "malloc (%lu) failed",
1585
			    (unsigned long)ie->id_cr_sz);
1586
			goto cleanup;
1587
		}
1588
		memcpy(ie->id_cr, idp->p, ie->id_cr_sz);
1589
		idp->flags |= PL_MARK;
1590
		LOG_DBG_BUF((LOG_NEGOTIATION, 90,
1591
		    "responder_recv_HASH_SA_NONCE: IDcr",
1592
		    ie->id_cr + ISAKMP_GEN_SZ, ie->id_cr_sz - ISAKMP_GEN_SZ));
1593
	} else {
1594
		/*
1595
		 * If client identifiers are not present in the exchange,
1596
		 * we fake them. RFC 2409 states:
1597
		 *    The identities of the SAs negotiated in Quick Mode are
1598
		 *    implicitly assumed to be the IP addresses of the ISAKMP
1599
		 *    peers, without any constraints on the protocol or port
1600
		 *    numbers allowed, unless client identifiers are specified
1601
		 *    in Quick Mode.
1602
		 *
1603
		 * -- Michael Paddon (mwp@aba.net.au)
1604
		 */
1605
1606
		ie->flags = IPSEC_EXCH_FLAG_NO_ID;
1607
1608
		/* Get initiator and responder addresses.  */
1609
		msg->transport->vtbl->get_src(msg->transport, &src);
1610
		msg->transport->vtbl->get_dst(msg->transport, &dst);
1611
		ie->id_ci_sz = ISAKMP_ID_DATA_OFF + sockaddr_addrlen(src);
1612
		ie->id_cr_sz = ISAKMP_ID_DATA_OFF + sockaddr_addrlen(dst);
1613
		ie->id_ci = calloc(ie->id_ci_sz, sizeof(char));
1614
		ie->id_cr = calloc(ie->id_cr_sz, sizeof(char));
1615
1616
		if (!ie->id_ci || !ie->id_cr) {
1617
			log_error("responder_recv_HASH_SA_NONCE: "
1618
			    "calloc (%lu, %lu) failed",
1619
			    (unsigned long)ie->id_ci_sz,
1620
			    (unsigned long)sizeof(char));
1621
			goto cleanup;
1622
		}
1623
		if (src->sa_family != dst->sa_family) {
1624
			log_error("initiator_recv_HASH_SA_NONCE: "
1625
			    "sa_family mismatch");
1626
			goto cleanup;
1627
		}
1628
		switch (src->sa_family) {
1629
		case AF_INET:
1630
			SET_ISAKMP_ID_TYPE(ie->id_ci, IPSEC_ID_IPV4_ADDR);
1631
			SET_ISAKMP_ID_TYPE(ie->id_cr, IPSEC_ID_IPV4_ADDR);
1632
			break;
1633
1634
		case AF_INET6:
1635
			SET_ISAKMP_ID_TYPE(ie->id_ci, IPSEC_ID_IPV6_ADDR);
1636
			SET_ISAKMP_ID_TYPE(ie->id_cr, IPSEC_ID_IPV6_ADDR);
1637
			break;
1638
1639
		default:
1640
			log_error("initiator_recv_HASH_SA_NONCE: "
1641
			    "unknown sa_family %d", src->sa_family);
1642
			goto cleanup;
1643
		}
1644
1645
		memcpy(ie->id_cr + ISAKMP_ID_DATA_OFF, sockaddr_addrdata(src),
1646
		    sockaddr_addrlen(src));
1647
		memcpy(ie->id_ci + ISAKMP_ID_DATA_OFF, sockaddr_addrdata(dst),
1648
		    sockaddr_addrlen(dst));
1649
	}
1650
1651
	if (message_negotiate_sa(msg, check_policy))
1652
		goto cleanup;
1653
1654
	for (sa = TAILQ_FIRST(&exchange->sa_list); sa;
1655
	    sa = TAILQ_NEXT(sa, next)) {
1656
		for (proto = TAILQ_FIRST(&sa->protos); proto;
1657
		    proto = TAILQ_NEXT(proto, link)) {
1658
			/*
1659
			 * XXX we need to have some attributes per proto, not
1660
			 * all per SA.
1661
			 */
1662
			ipsec_decode_transform(msg, sa, proto,
1663
			    proto->chosen->p);
1664
			if (proto->proto == IPSEC_PROTO_IPSEC_AH &&
1665
			    !((struct ipsec_proto *)proto->data)->auth) {
1666
				log_print("responder_recv_HASH_SA_NONCE: "
1667
				    "AH proposed without an algorithm "
1668
				    "attribute");
1669
				message_drop(msg,
1670
				    ISAKMP_NOTIFY_NO_PROPOSAL_CHOSEN, 0, 1, 0);
1671
				goto next_sa;
1672
			}
1673
		}
1674
1675
		isa = sa->data;
1676
1677
		/*
1678
		 * The group description is mandatory if we got a KEY_EXCH
1679
		 * payload.
1680
		 */
1681
		if (kep) {
1682
			if (!isa->group_desc) {
1683
				log_print("responder_recv_HASH_SA_NONCE: "
1684
				    "KEY_EXCH payload without a group "
1685
				    "desc. attribute");
1686
				message_drop(msg,
1687
				    ISAKMP_NOTIFY_NO_PROPOSAL_CHOSEN, 0, 1, 0);
1688
				continue;
1689
			}
1690
			/* Also, all SAs must have equal groups.  */
1691
			if (!group_desc)
1692
				group_desc = isa->group_desc;
1693
			else if (group_desc != isa->group_desc) {
1694
				log_print("responder_recv_HASH_SA_NONCE: "
1695
				  "differing group descriptions in one QM");
1696
				message_drop(msg,
1697
				    ISAKMP_NOTIFY_NO_PROPOSAL_CHOSEN, 0, 1, 0);
1698
				continue;
1699
			}
1700
		}
1701
		/* At least one SA was accepted.  */
1702
		retval = 0;
1703
1704
next_sa:
1705
		;	/* XXX gcc3 wants this. */
1706
	}
1707
1708
	if (kep) {
1709
		ie->group = group_get(group_desc);
1710
		if (!ie->group) {
1711
			/*
1712
			 * XXX If the error was due to an out-of-range group
1713
			 * description we should notify our peer, but this
1714
			 * should probably be done by the attribute
1715
			 * validation.  Is it?
1716
			 */
1717
			goto cleanup;
1718
		}
1719
	}
1720
	/* Copy out the initiator's nonce.  */
1721
	if (exchange_save_nonce(msg))
1722
		goto cleanup;
1723
1724
	/* Handle the optional KEY_EXCH payload.  */
1725
	if (kep && ipsec_save_g_x(msg))
1726
		goto cleanup;
1727
1728
	/*
1729
	 * Try to find and set the connection name on the exchange.
1730
         */
1731
1732
	/*
1733
	 * Check for accepted identities as well as lookup the connection
1734
	 * name and set it on the exchange.
1735
	 *
1736
	 * When not using policies make sure the peer proposes sane IDs.
1737
	 * Otherwise this is done by KeyNote.
1738
         */
1739
	name = connection_passive_lookup_by_ids(ie->id_ci, ie->id_cr);
1740
	if (name) {
1741
		exchange->name = strdup(name);
1742
		if (!exchange->name) {
1743
			log_error("responder_recv_HASH_SA_NONCE: "
1744
			    "strdup (\"%s\") failed", name);
1745
			goto cleanup;
1746
		}
1747
	} else if (
1748
	    ignore_policy ||
1749
	    strncmp("yes", conf_get_str("General", "Use-Keynote"), 3)) {
1750
		log_print("responder_recv_HASH_SA_NONCE: peer proposed "
1751
		    "invalid phase 2 IDs: %s",
1752
		    (exchange->doi->decode_ids("initiator id %s, responder"
1753
		    " id %s", ie->id_ci, ie->id_ci_sz, ie->id_cr,
1754
		    ie->id_cr_sz, 1)));
1755
		message_drop(msg, ISAKMP_NOTIFY_INVALID_ID_INFORMATION, 0, 1,
1756
		    0);
1757
		goto cleanup;
1758
	}
1759
1760
	return retval;
1761
1762
cleanup:
1763
	/* Remove all potential protocols that have been added to the SAs.  */
1764
	for (sa = TAILQ_FIRST(&exchange->sa_list); sa;
1765
	    sa = TAILQ_NEXT(sa, next))
1766
		while ((proto = TAILQ_FIRST(&sa->protos)) != 0)
1767
			proto_free(proto);
1768
	free(my_hash);
1769
	free(ie->id_ci);
1770
	ie->id_ci = 0;
1771
	free(ie->id_cr);
1772
	ie->id_cr = 0;
1773
	return -1;
1774
}
1775
1776
/* Reply with the transform we chose.  */
1777
static int
1778
responder_send_HASH_SA_NONCE(struct message *msg)
1779
{
1780
	struct exchange *exchange = msg->exchange;
1781
	struct ipsec_exch *ie = exchange->data;
1782
	struct sa      *isakmp_sa = msg->isakmp_sa;
1783
	struct ipsec_sa *isa = isakmp_sa->data;
1784
	struct prf     *prf;
1785
	struct hash    *hash = hash_get(isa->hash);
1786
	size_t          nonce_sz = exchange->nonce_i_len;
1787
	u_int8_t       *buf;
1788
	int             initiator = exchange->initiator;
1789
	char            header[80];
1790
	u_int32_t       i;
1791
	u_int8_t       *id;
1792
	size_t          sz;
1793
1794
	/*
1795
	 * We want a HASH payload to start with.  XXX Share with
1796
	 * ike_main_mode.c?
1797
	 */
1798
	buf = malloc(ISAKMP_HASH_SZ + hash->hashsize);
1799
	if (!buf) {
1800
		log_error("responder_send_HASH_SA_NONCE: malloc (%lu) failed",
1801
			  ISAKMP_HASH_SZ + (unsigned long)hash->hashsize);
1802
		return -1;
1803
	}
1804
	if (message_add_payload(msg, ISAKMP_PAYLOAD_HASH, buf,
1805
	    ISAKMP_HASH_SZ + hash->hashsize, 1)) {
1806
		free(buf);
1807
		return -1;
1808
	}
1809
	/* Add the SA payload(s) with the transform(s) that was/were chosen. */
1810
	if (message_add_sa_payload(msg))
1811
		return -1;
1812
1813
	/* Generate a nonce, and add it to the message.  */
1814
	if (exchange_gen_nonce(msg, nonce_sz))
1815
		return -1;
1816
1817
	/* Generate optional KEY_EXCH payload.  This is known as PFS.  */
1818
	if (ie->group && ipsec_gen_g_x(msg))
1819
		return -1;
1820
1821
	/*
1822
	 * If the initiator client ID's were acceptable, just mirror them
1823
	 * back.
1824
	 */
1825
	if (!(ie->flags & IPSEC_EXCH_FLAG_NO_ID)) {
1826
		sz = ie->id_ci_sz;
1827
		id = malloc(sz);
1828
		if (!id) {
1829
			log_error("responder_send_HASH_SA_NONCE: "
1830
			    "malloc (%lu) failed", (unsigned long)sz);
1831
			return -1;
1832
		}
1833
		memcpy(id, ie->id_ci, sz);
1834
		LOG_DBG_BUF((LOG_NEGOTIATION, 90,
1835
		    "responder_send_HASH_SA_NONCE: IDic", id, sz));
1836
		if (message_add_payload(msg, ISAKMP_PAYLOAD_ID, id, sz, 1)) {
1837
			free(id);
1838
			return -1;
1839
		}
1840
		sz = ie->id_cr_sz;
1841
		id = malloc(sz);
1842
		if (!id) {
1843
			log_error("responder_send_HASH_SA_NONCE: "
1844
			    "malloc (%lu) failed", (unsigned long)sz);
1845
			return -1;
1846
		}
1847
		memcpy(id, ie->id_cr, sz);
1848
		LOG_DBG_BUF((LOG_NEGOTIATION, 90,
1849
		    "responder_send_HASH_SA_NONCE: IDrc", id, sz));
1850
		if (message_add_payload(msg, ISAKMP_PAYLOAD_ID, id, sz, 1)) {
1851
			free(id);
1852
			return -1;
1853
		}
1854
	}
1855
	/* Allocate the prf and start calculating our HASH(2).  XXX Share?  */
1856
	LOG_DBG((LOG_NEGOTIATION, 90, "responder_recv_HASH: "
1857
	    "isakmp_sa %p isa %p", isakmp_sa, isa));
1858
	LOG_DBG_BUF((LOG_NEGOTIATION, 90, "responder_send_HASH_SA_NONCE: "
1859
	    "SKEYID_a", isa->skeyid_a, isa->skeyid_len));
1860
	prf = prf_alloc(isa->prf_type, hash->type, isa->skeyid_a,
1861
	    isa->skeyid_len);
1862
	if (!prf)
1863
		return -1;
1864
	prf->Init(prf->prfctx);
1865
	LOG_DBG_BUF((LOG_NEGOTIATION, 90,
1866
	    "responder_send_HASH_SA_NONCE: message_id",
1867
	    exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN));
1868
	prf->Update(prf->prfctx, exchange->message_id,
1869
	    ISAKMP_HDR_MESSAGE_ID_LEN);
1870
	LOG_DBG_BUF((LOG_NEGOTIATION, 90, "responder_send_HASH_SA_NONCE: "
1871
	    "NONCE_I_b", exchange->nonce_i, exchange->nonce_i_len));
1872
	prf->Update(prf->prfctx, exchange->nonce_i, exchange->nonce_i_len);
1873
1874
	/* Loop over all payloads after HASH(2).  */
1875
	for (i = 2; i < msg->iovlen; i++) {
1876
		/* XXX Misleading payload type printouts.  */
1877
		snprintf(header, sizeof header,
1878
		   "responder_send_HASH_SA_NONCE: payload %d after HASH(2)",
1879
			 i - 1);
1880
		LOG_DBG_BUF((LOG_NEGOTIATION, 90, header, msg->iov[i].iov_base,
1881
		    msg->iov[i].iov_len));
1882
		prf->Update(prf->prfctx, msg->iov[i].iov_base,
1883
		    msg->iov[i].iov_len);
1884
	}
1885
	prf->Final(buf + ISAKMP_HASH_DATA_OFF, prf->prfctx);
1886
	prf_free(prf);
1887
	snprintf(header, sizeof header, "responder_send_HASH_SA_NONCE: "
1888
	    "HASH_%c", initiator ? 'I' : 'R');
1889
	LOG_DBG_BUF((LOG_NEGOTIATION, 80, header, buf + ISAKMP_HASH_DATA_OFF,
1890
	    hash->hashsize));
1891
1892
	if (ie->group)
1893
		message_register_post_send(msg, gen_g_xy);
1894
1895
	return 0;
1896
}
1897
1898
static void
1899
gen_g_xy(struct message *msg)
1900
{
1901
	struct exchange *exchange = msg->exchange;
1902
	struct ipsec_exch *ie = exchange->data;
1903
1904
	/* Compute Diffie-Hellman shared value.  */
1905
	ie->g_xy = malloc(ie->g_x_len);
1906
	if (!ie->g_xy) {
1907
		log_error("gen_g_xy: malloc (%lu) failed",
1908
		    (unsigned long)ie->g_x_len);
1909
		return;
1910
	}
1911
	if (dh_create_shared(ie->group, ie->g_xy,
1912
	    exchange->initiator ? ie->g_xr : ie->g_xi)) {
1913
		log_print("gen_g_xy: dh_create_shared failed");
1914
		return;
1915
	}
1916
	LOG_DBG_BUF((LOG_NEGOTIATION, 80, "gen_g_xy: g^xy", ie->g_xy,
1917
	    ie->g_x_len));
1918
}
1919
1920
static int
1921
responder_recv_HASH(struct message *msg)
1922
{
1923
	struct exchange *exchange = msg->exchange;
1924
	struct sa      *isakmp_sa = msg->isakmp_sa;
1925
	struct ipsec_sa *isa = isakmp_sa->data;
1926
	struct prf     *prf;
1927
	u_int8_t       *hash, *my_hash = 0;
1928
	size_t          hash_len;
1929
	struct payload *hashp;
1930
1931
	/* Find HASH(3) and create our own hash, just as big.  */
1932
	hashp = payload_first(msg, ISAKMP_PAYLOAD_HASH);
1933
	hash = hashp->p;
1934
	hashp->flags |= PL_MARK;
1935
	hash_len = GET_ISAKMP_GEN_LENGTH(hash);
1936
	my_hash = malloc(hash_len - ISAKMP_GEN_SZ);
1937
	if (!my_hash) {
1938
		log_error("responder_recv_HASH: malloc (%lu) failed",
1939
			  (unsigned long)hash_len - ISAKMP_GEN_SZ);
1940
		goto cleanup;
1941
	}
1942
	/* Allocate the prf and start calculating our HASH(3).  XXX Share?  */
1943
	LOG_DBG((LOG_NEGOTIATION, 90, "responder_recv_HASH: "
1944
	    "isakmp_sa %p isa %p", isakmp_sa, isa));
1945
	LOG_DBG_BUF((LOG_NEGOTIATION, 90, "responder_recv_HASH: SKEYID_a",
1946
	    isa->skeyid_a, isa->skeyid_len));
1947
	prf = prf_alloc(isa->prf_type, isa->hash, isa->skeyid_a,
1948
	    isa->skeyid_len);
1949
	if (!prf)
1950
		goto cleanup;
1951
	prf->Init(prf->prfctx);
1952
	prf->Update(prf->prfctx, (unsigned char *)"\0", 1);
1953
	LOG_DBG_BUF((LOG_NEGOTIATION, 90, "responder_recv_HASH: message_id",
1954
	    exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN));
1955
	prf->Update(prf->prfctx, exchange->message_id,
1956
	    ISAKMP_HDR_MESSAGE_ID_LEN);
1957
	LOG_DBG_BUF((LOG_NEGOTIATION, 90, "responder_recv_HASH: NONCE_I_b",
1958
	    exchange->nonce_i, exchange->nonce_i_len));
1959
	prf->Update(prf->prfctx, exchange->nonce_i, exchange->nonce_i_len);
1960
	LOG_DBG_BUF((LOG_NEGOTIATION, 90, "responder_recv_HASH: NONCE_R_b",
1961
	    exchange->nonce_r, exchange->nonce_r_len));
1962
	prf->Update(prf->prfctx, exchange->nonce_r, exchange->nonce_r_len);
1963
	prf->Final(my_hash, prf->prfctx);
1964
	prf_free(prf);
1965
	LOG_DBG_BUF((LOG_NEGOTIATION, 90,
1966
	    "responder_recv_HASH: computed HASH(3)", my_hash,
1967
	    hash_len - ISAKMP_GEN_SZ));
1968
	if (memcmp(hash + ISAKMP_GEN_SZ, my_hash, hash_len - ISAKMP_GEN_SZ)
1969
	    != 0) {
1970
		message_drop(msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION, 0,
1971
		    1, 0);
1972
		goto cleanup;
1973
	}
1974
	free(my_hash);
1975
1976
	/* Mark message as authenticated. */
1977
	msg->flags |= MSG_AUTHENTICATED;
1978
1979
	post_quick_mode(msg);
1980
1981
	return 0;
1982
1983
cleanup:
1984
	free(my_hash);
1985
	return -1;
1986
}