1 |
|
|
/* $OpenBSD: ike_quick_mode.c,v 1.111 2017/11/08 13:33:49 patrick Exp $ */ |
2 |
|
|
/* $EOM: ike_quick_mode.c,v 1.139 2001/01/26 10:43:17 niklas Exp $ */ |
3 |
|
|
|
4 |
|
|
/* |
5 |
|
|
* Copyright (c) 1998, 1999, 2000, 2001 Niklas Hallqvist. All rights reserved. |
6 |
|
|
* Copyright (c) 1999, 2000, 2001 Angelos D. Keromytis. All rights reserved. |
7 |
|
|
* Copyright (c) 2000, 2001, 2004 Håkan Olsson. All rights reserved. |
8 |
|
|
* |
9 |
|
|
* Redistribution and use in source and binary forms, with or without |
10 |
|
|
* modification, are permitted provided that the following conditions |
11 |
|
|
* are met: |
12 |
|
|
* 1. Redistributions of source code must retain the above copyright |
13 |
|
|
* notice, this list of conditions and the following disclaimer. |
14 |
|
|
* 2. Redistributions in binary form must reproduce the above copyright |
15 |
|
|
* notice, this list of conditions and the following disclaimer in the |
16 |
|
|
* documentation and/or other materials provided with the distribution. |
17 |
|
|
* |
18 |
|
|
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR |
19 |
|
|
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES |
20 |
|
|
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. |
21 |
|
|
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, |
22 |
|
|
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
23 |
|
|
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
24 |
|
|
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
25 |
|
|
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
26 |
|
|
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
27 |
|
|
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
28 |
|
|
*/ |
29 |
|
|
|
30 |
|
|
/* |
31 |
|
|
* This code was written under funding by Ericsson Radio Systems. |
32 |
|
|
*/ |
33 |
|
|
|
34 |
|
|
#include <stdlib.h> |
35 |
|
|
#include <string.h> |
36 |
|
|
|
37 |
|
|
#include <sys/types.h> |
38 |
|
|
#include <regex.h> |
39 |
|
|
#include <keynote.h> |
40 |
|
|
|
41 |
|
|
#include "attribute.h" |
42 |
|
|
#include "conf.h" |
43 |
|
|
#include "connection.h" |
44 |
|
|
#include "dh.h" |
45 |
|
|
#include "doi.h" |
46 |
|
|
#include "exchange.h" |
47 |
|
|
#include "hash.h" |
48 |
|
|
#include "ike_quick_mode.h" |
49 |
|
|
#include "ipsec.h" |
50 |
|
|
#include "log.h" |
51 |
|
|
#include "message.h" |
52 |
|
|
#include "policy.h" |
53 |
|
|
#include "prf.h" |
54 |
|
|
#include "sa.h" |
55 |
|
|
#include "transport.h" |
56 |
|
|
#include "util.h" |
57 |
|
|
#include "key.h" |
58 |
|
|
#include "x509.h" |
59 |
|
|
|
60 |
|
|
static void gen_g_xy(struct message *); |
61 |
|
|
static int initiator_send_HASH_SA_NONCE(struct message *); |
62 |
|
|
static int initiator_recv_HASH_SA_NONCE(struct message *); |
63 |
|
|
static int initiator_send_HASH(struct message *); |
64 |
|
|
static void post_quick_mode(struct message *); |
65 |
|
|
static int responder_recv_HASH_SA_NONCE(struct message *); |
66 |
|
|
static int responder_send_HASH_SA_NONCE(struct message *); |
67 |
|
|
static int responder_recv_HASH(struct message *); |
68 |
|
|
|
69 |
|
|
static int check_policy(struct exchange *, struct sa *, struct sa *); |
70 |
|
|
|
71 |
|
|
int (*ike_quick_mode_initiator[])(struct message *) = { |
72 |
|
|
initiator_send_HASH_SA_NONCE, |
73 |
|
|
initiator_recv_HASH_SA_NONCE, |
74 |
|
|
initiator_send_HASH |
75 |
|
|
}; |
76 |
|
|
|
77 |
|
|
int (*ike_quick_mode_responder[])(struct message *) = { |
78 |
|
|
responder_recv_HASH_SA_NONCE, |
79 |
|
|
responder_send_HASH_SA_NONCE, |
80 |
|
|
responder_recv_HASH |
81 |
|
|
}; |
82 |
|
|
|
83 |
|
|
/* How many return values will policy handle -- true/false for now */ |
84 |
|
|
#define RETVALUES_NUM 2 |
85 |
|
|
|
86 |
|
|
/* |
87 |
|
|
* Given an exchange and our policy, check whether the SA and IDs are |
88 |
|
|
* acceptable. |
89 |
|
|
*/ |
90 |
|
|
static int |
91 |
|
|
check_policy(struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa) |
92 |
|
|
{ |
93 |
|
|
char *return_values[RETVALUES_NUM]; |
94 |
|
|
char **principal = 0; |
95 |
|
|
int i, len, result = 0, nprinc = 0; |
96 |
|
|
int *x509_ids = 0, *keynote_ids = 0; |
97 |
|
|
unsigned char hashbuf[20]; /* Set to the largest digest result */ |
98 |
|
|
struct keynote_deckey dc; |
99 |
|
|
X509_NAME *subject; |
100 |
|
|
|
101 |
|
|
/* Do we want to use keynote policies? */ |
102 |
|
|
if (ignore_policy || |
103 |
|
|
strncmp("yes", conf_get_str("General", "Use-Keynote"), 3)) |
104 |
|
|
return 1; |
105 |
|
|
|
106 |
|
|
/* Initialize if necessary -- e.g., if pre-shared key auth was used */ |
107 |
|
|
if (isakmp_sa->policy_id < 0) { |
108 |
|
|
if ((isakmp_sa->policy_id = kn_init()) == -1) { |
109 |
|
|
log_print("check_policy: " |
110 |
|
|
"failed to initialize policy session"); |
111 |
|
|
return 0; |
112 |
|
|
} |
113 |
|
|
} |
114 |
|
|
/* Add the callback that will handle attributes. */ |
115 |
|
|
if (kn_add_action(isakmp_sa->policy_id, ".*", (char *)policy_callback, |
116 |
|
|
ENVIRONMENT_FLAG_FUNC | ENVIRONMENT_FLAG_REGEX) == -1) { |
117 |
|
|
log_print("check_policy: " |
118 |
|
|
"kn_add_action (%d, \".*\", %p, FUNC | REGEX) failed", |
119 |
|
|
isakmp_sa->policy_id, policy_callback); |
120 |
|
|
kn_close(isakmp_sa->policy_id); |
121 |
|
|
isakmp_sa->policy_id = -1; |
122 |
|
|
return 0; |
123 |
|
|
} |
124 |
|
|
if (policy_asserts_num) { |
125 |
|
|
keynote_ids = calloc(policy_asserts_num, sizeof *keynote_ids); |
126 |
|
|
if (!keynote_ids) { |
127 |
|
|
log_error("check_policy: calloc (%d, %lu) failed", |
128 |
|
|
policy_asserts_num, |
129 |
|
|
(unsigned long)sizeof *keynote_ids); |
130 |
|
|
kn_close(isakmp_sa->policy_id); |
131 |
|
|
isakmp_sa->policy_id = -1; |
132 |
|
|
return 0; |
133 |
|
|
} |
134 |
|
|
} |
135 |
|
|
/* Add the policy assertions */ |
136 |
|
|
for (i = 0; i < policy_asserts_num; i++) |
137 |
|
|
keynote_ids[i] = kn_add_assertion(isakmp_sa->policy_id, |
138 |
|
|
policy_asserts[i], |
139 |
|
|
strlen(policy_asserts[i]), ASSERT_FLAG_LOCAL); |
140 |
|
|
|
141 |
|
|
/* Initialize -- we'll let the callback do all the work. */ |
142 |
|
|
policy_exchange = exchange; |
143 |
|
|
policy_sa = sa; |
144 |
|
|
policy_isakmp_sa = isakmp_sa; |
145 |
|
|
|
146 |
|
|
/* Set the return values; true/false for now at least. */ |
147 |
|
|
return_values[0] = "false"; /* Order of values in array is |
148 |
|
|
* important. */ |
149 |
|
|
return_values[1] = "true"; |
150 |
|
|
|
151 |
|
|
/* Create a principal (authorizer) for the SA/ID request. */ |
152 |
|
|
switch (isakmp_sa->recv_certtype) { |
153 |
|
|
case ISAKMP_CERTENC_NONE: |
154 |
|
|
/* |
155 |
|
|
* For shared keys, just duplicate the passphrase with the |
156 |
|
|
* appropriate prefix tag. |
157 |
|
|
*/ |
158 |
|
|
nprinc = 3; |
159 |
|
|
principal = calloc(nprinc, sizeof *principal); |
160 |
|
|
if (!principal) { |
161 |
|
|
log_error("check_policy: calloc (%d, %lu) failed", |
162 |
|
|
nprinc, (unsigned long)sizeof *principal); |
163 |
|
|
goto policydone; |
164 |
|
|
} |
165 |
|
|
len = strlen(isakmp_sa->recv_key) + sizeof "passphrase:"; |
166 |
|
|
principal[0] = calloc(len, sizeof(char)); |
167 |
|
|
if (!principal[0]) { |
168 |
|
|
log_error("check_policy: calloc (%d, %lu) failed", len, |
169 |
|
|
(unsigned long)sizeof(char)); |
170 |
|
|
goto policydone; |
171 |
|
|
} |
172 |
|
|
/* |
173 |
|
|
* XXX Consider changing the magic hash lengths with |
174 |
|
|
* constants. |
175 |
|
|
*/ |
176 |
|
|
strlcpy(principal[0], "passphrase:", len); |
177 |
|
|
memcpy(principal[0] + sizeof "passphrase:" - 1, |
178 |
|
|
isakmp_sa->recv_key, strlen(isakmp_sa->recv_key)); |
179 |
|
|
|
180 |
|
|
len = sizeof "passphrase-md5-hex:" + 2 * 16; |
181 |
|
|
principal[1] = calloc(len, sizeof(char)); |
182 |
|
|
if (!principal[1]) { |
183 |
|
|
log_error("check_policy: calloc (%d, %lu) failed", len, |
184 |
|
|
(unsigned long)sizeof(char)); |
185 |
|
|
goto policydone; |
186 |
|
|
} |
187 |
|
|
strlcpy(principal[1], "passphrase-md5-hex:", len); |
188 |
|
|
MD5(isakmp_sa->recv_key, strlen(isakmp_sa->recv_key), hashbuf); |
189 |
|
|
for (i = 0; i < 16; i++) |
190 |
|
|
snprintf(principal[1] + 2 * i + |
191 |
|
|
sizeof "passphrase-md5-hex:" - 1, 3, "%02x", |
192 |
|
|
hashbuf[i]); |
193 |
|
|
|
194 |
|
|
len = sizeof "passphrase-sha1-hex:" + 2 * 20; |
195 |
|
|
principal[2] = calloc(len, sizeof(char)); |
196 |
|
|
if (!principal[2]) { |
197 |
|
|
log_error("check_policy: calloc (%d, %lu) failed", len, |
198 |
|
|
(unsigned long)sizeof(char)); |
199 |
|
|
goto policydone; |
200 |
|
|
} |
201 |
|
|
strlcpy(principal[2], "passphrase-sha1-hex:", len); |
202 |
|
|
SHA1(isakmp_sa->recv_key, strlen(isakmp_sa->recv_key), |
203 |
|
|
hashbuf); |
204 |
|
|
for (i = 0; i < 20; i++) |
205 |
|
|
snprintf(principal[2] + 2 * i + |
206 |
|
|
sizeof "passphrase-sha1-hex:" - 1, 3, "%02x", |
207 |
|
|
hashbuf[i]); |
208 |
|
|
break; |
209 |
|
|
|
210 |
|
|
case ISAKMP_CERTENC_KEYNOTE: |
211 |
|
|
nprinc = 1; |
212 |
|
|
|
213 |
|
|
principal = calloc(nprinc, sizeof *principal); |
214 |
|
|
if (!principal) { |
215 |
|
|
log_error("check_policy: calloc (%d, %lu) failed", |
216 |
|
|
nprinc, (unsigned long)sizeof *principal); |
217 |
|
|
goto policydone; |
218 |
|
|
} |
219 |
|
|
/* Dup the keys */ |
220 |
|
|
principal[0] = strdup(isakmp_sa->keynote_key); |
221 |
|
|
if (!principal[0]) { |
222 |
|
|
log_error("check_policy: calloc (%lu, %lu) failed", |
223 |
|
|
(unsigned long)strlen(isakmp_sa->keynote_key), |
224 |
|
|
(unsigned long)sizeof(char)); |
225 |
|
|
goto policydone; |
226 |
|
|
} |
227 |
|
|
break; |
228 |
|
|
|
229 |
|
|
case ISAKMP_CERTENC_X509_SIG: |
230 |
|
|
principal = calloc(2, sizeof *principal); |
231 |
|
|
if (!principal) { |
232 |
|
|
log_error("check_policy: calloc (2, %lu) failed", |
233 |
|
|
(unsigned long)sizeof *principal); |
234 |
|
|
goto policydone; |
235 |
|
|
} |
236 |
|
|
if (isakmp_sa->recv_keytype == ISAKMP_KEY_RSA) |
237 |
|
|
dc.dec_algorithm = KEYNOTE_ALGORITHM_RSA; |
238 |
|
|
else { |
239 |
|
|
log_error("check_policy: " |
240 |
|
|
"unknown/unsupported public key algorithm %d", |
241 |
|
|
isakmp_sa->recv_keytype); |
242 |
|
|
goto policydone; |
243 |
|
|
} |
244 |
|
|
|
245 |
|
|
dc.dec_key = isakmp_sa->recv_key; |
246 |
|
|
principal[0] = kn_encode_key(&dc, INTERNAL_ENC_PKCS1, |
247 |
|
|
ENCODING_HEX, KEYNOTE_PUBLIC_KEY); |
248 |
|
|
if (keynote_errno == ERROR_MEMORY) { |
249 |
|
|
log_print("check_policy: " |
250 |
|
|
"failed to get memory for public key"); |
251 |
|
|
goto policydone; |
252 |
|
|
} |
253 |
|
|
if (!principal[0]) { |
254 |
|
|
log_print("check_policy: " |
255 |
|
|
"failed to allocate memory for principal"); |
256 |
|
|
goto policydone; |
257 |
|
|
} |
258 |
|
|
if (asprintf(&principal[1], "rsa-hex:%s", principal[0]) == -1) { |
259 |
|
|
log_error("check_policy: asprintf() failed"); |
260 |
|
|
goto policydone; |
261 |
|
|
} |
262 |
|
|
free(principal[0]); |
263 |
|
|
principal[0] = principal[1]; |
264 |
|
|
principal[1] = 0; |
265 |
|
|
|
266 |
|
|
/* Generate a "DN:" principal. */ |
267 |
|
|
subject = X509_get_subject_name(isakmp_sa->recv_cert); |
268 |
|
|
if (subject) { |
269 |
|
|
principal[1] = calloc(259, sizeof(char)); |
270 |
|
|
if (!principal[1]) { |
271 |
|
|
log_error("check_policy: " |
272 |
|
|
"calloc (259, %lu) failed", |
273 |
|
|
(unsigned long)sizeof(char)); |
274 |
|
|
goto policydone; |
275 |
|
|
} |
276 |
|
|
strlcpy(principal[1], "DN:", 259); |
277 |
|
|
X509_NAME_oneline(subject, principal[1] + 3, 256); |
278 |
|
|
nprinc = 2; |
279 |
|
|
} else { |
280 |
|
|
nprinc = 1; |
281 |
|
|
} |
282 |
|
|
break; |
283 |
|
|
|
284 |
|
|
/* XXX Eventually handle these. */ |
285 |
|
|
case ISAKMP_CERTENC_PKCS: |
286 |
|
|
case ISAKMP_CERTENC_PGP: |
287 |
|
|
case ISAKMP_CERTENC_DNS: |
288 |
|
|
case ISAKMP_CERTENC_X509_KE: |
289 |
|
|
case ISAKMP_CERTENC_KERBEROS: |
290 |
|
|
case ISAKMP_CERTENC_CRL: |
291 |
|
|
case ISAKMP_CERTENC_ARL: |
292 |
|
|
case ISAKMP_CERTENC_SPKI: |
293 |
|
|
case ISAKMP_CERTENC_X509_ATTR: |
294 |
|
|
default: |
295 |
|
|
log_print("check_policy: " |
296 |
|
|
"unknown/unsupported certificate/authentication method %d", |
297 |
|
|
isakmp_sa->recv_certtype); |
298 |
|
|
goto policydone; |
299 |
|
|
} |
300 |
|
|
|
301 |
|
|
/* |
302 |
|
|
* Add the authorizer (who is requesting the SA/ID); |
303 |
|
|
* this may be a public or a secret key, depending on |
304 |
|
|
* what mode of authentication we used in Phase 1. |
305 |
|
|
*/ |
306 |
|
|
for (i = 0; i < nprinc; i++) { |
307 |
|
|
LOG_DBG((LOG_POLICY, 40, "check_policy: " |
308 |
|
|
"adding authorizer [%s]", principal[i])); |
309 |
|
|
|
310 |
|
|
if (kn_add_authorizer(isakmp_sa->policy_id, principal[i]) |
311 |
|
|
== -1) { |
312 |
|
|
int j; |
313 |
|
|
|
314 |
|
|
for (j = 0; j < i; j++) |
315 |
|
|
kn_remove_authorizer(isakmp_sa->policy_id, |
316 |
|
|
principal[j]); |
317 |
|
|
log_print("check_policy: kn_add_authorizer failed"); |
318 |
|
|
goto policydone; |
319 |
|
|
} |
320 |
|
|
} |
321 |
|
|
|
322 |
|
|
/* Ask policy */ |
323 |
|
|
result = kn_do_query(isakmp_sa->policy_id, return_values, |
324 |
|
|
RETVALUES_NUM); |
325 |
|
|
LOG_DBG((LOG_POLICY, 40, "check_policy: kn_do_query returned %d", |
326 |
|
|
result)); |
327 |
|
|
|
328 |
|
|
/* Cleanup environment */ |
329 |
|
|
kn_cleanup_action_environment(isakmp_sa->policy_id); |
330 |
|
|
|
331 |
|
|
/* Remove authorizers from the session */ |
332 |
|
|
for (i = 0; i < nprinc; i++) { |
333 |
|
|
kn_remove_authorizer(isakmp_sa->policy_id, principal[i]); |
334 |
|
|
free(principal[i]); |
335 |
|
|
} |
336 |
|
|
|
337 |
|
|
free(principal); |
338 |
|
|
principal = 0; |
339 |
|
|
nprinc = 0; |
340 |
|
|
|
341 |
|
|
/* Check what policy said. */ |
342 |
|
|
if (result < 0) { |
343 |
|
|
LOG_DBG((LOG_POLICY, 40, "check_policy: proposal refused")); |
344 |
|
|
result = 0; |
345 |
|
|
goto policydone; |
346 |
|
|
} |
347 |
|
|
policydone: |
348 |
|
|
for (i = 0; i < nprinc; i++) |
349 |
|
|
if (principal && principal[i]) |
350 |
|
|
free(principal[i]); |
351 |
|
|
|
352 |
|
|
free(principal); |
353 |
|
|
|
354 |
|
|
/* Remove the policies */ |
355 |
|
|
for (i = 0; i < policy_asserts_num; i++) { |
356 |
|
|
if (keynote_ids[i] != -1) |
357 |
|
|
kn_remove_assertion(isakmp_sa->policy_id, |
358 |
|
|
keynote_ids[i]); |
359 |
|
|
} |
360 |
|
|
|
361 |
|
|
free(keynote_ids); |
362 |
|
|
|
363 |
|
|
free(x509_ids); |
364 |
|
|
|
365 |
|
|
/* |
366 |
|
|
* XXX Currently, check_policy() is only called from |
367 |
|
|
* message_negotiate_sa(), and so this log message reflects this. |
368 |
|
|
* Change to something better? |
369 |
|
|
*/ |
370 |
|
|
if (result == 0) |
371 |
|
|
log_print("check_policy: negotiated SA failed policy check"); |
372 |
|
|
|
373 |
|
|
/* |
374 |
|
|
* Given that we have only 2 return values from policy (true/false) |
375 |
|
|
* we can just return the query result directly (no pre-processing |
376 |
|
|
* needed). |
377 |
|
|
*/ |
378 |
|
|
return result; |
379 |
|
|
} |
380 |
|
|
|
381 |
|
|
/* |
382 |
|
|
* Offer several sets of transforms to the responder. |
383 |
|
|
* XXX Split this huge function up and look for common code with main mode. |
384 |
|
|
*/ |
385 |
|
|
static int |
386 |
|
|
initiator_send_HASH_SA_NONCE(struct message *msg) |
387 |
|
|
{ |
388 |
|
|
struct exchange *exchange = msg->exchange; |
389 |
|
|
struct doi *doi = exchange->doi; |
390 |
|
|
struct ipsec_exch *ie = exchange->data; |
391 |
|
|
u_int8_t ***transform = 0, ***new_transform; |
392 |
|
|
u_int8_t **proposal = 0, **new_proposal; |
393 |
|
|
u_int8_t *sa_buf = 0, *attr, *saved_nextp_sa, *saved_nextp_prop, |
394 |
|
|
*id, *spi; |
395 |
|
|
size_t spi_sz, sz; |
396 |
|
|
size_t proposal_len = 0, proposals_len = 0, sa_len; |
397 |
|
|
size_t **transform_len = 0, **new_transform_len; |
398 |
|
|
size_t *transforms_len = 0, *new_transforms_len; |
399 |
|
|
u_int32_t *transform_cnt = 0, *new_transform_cnt; |
400 |
|
|
u_int32_t suite_no, prop_no, prot_no, xf_no, prop_cnt = 0; |
401 |
|
|
u_int32_t i; |
402 |
|
|
int value, update_nextp, protocol_num, proto_id; |
403 |
|
|
struct proto *proto; |
404 |
|
|
struct conf_list *suite_conf, *prot_conf = 0, *xf_conf = 0, *life_conf; |
405 |
|
|
struct conf_list_node *suite, *prot, *xf, *life; |
406 |
|
|
struct constant_map *id_map; |
407 |
|
|
char *protocol_id, *transform_id; |
408 |
|
|
char *local_id, *remote_id; |
409 |
|
|
int group_desc = -1, new_group_desc; |
410 |
|
|
struct ipsec_sa *isa = msg->isakmp_sa->data; |
411 |
|
|
struct hash *hash = hash_get(isa->hash); |
412 |
|
|
struct sockaddr *src; |
413 |
|
|
struct proto_attr *pa; |
414 |
|
|
|
415 |
|
|
if (!ipsec_add_hash_payload(msg, hash->hashsize)) |
416 |
|
|
return -1; |
417 |
|
|
|
418 |
|
|
/* Get the list of protocol suites. */ |
419 |
|
|
suite_conf = conf_get_list(exchange->policy, "Suites"); |
420 |
|
|
if (!suite_conf) |
421 |
|
|
return -1; |
422 |
|
|
|
423 |
|
|
for (suite = TAILQ_FIRST(&suite_conf->fields), suite_no = prop_no = 0; |
424 |
|
|
suite_no < suite_conf->cnt; |
425 |
|
|
suite_no++, suite = TAILQ_NEXT(suite, link)) { |
426 |
|
|
/* Now get each protocol in this specific protocol suite. */ |
427 |
|
|
prot_conf = conf_get_list(suite->field, "Protocols"); |
428 |
|
|
if (!prot_conf) |
429 |
|
|
goto bail_out; |
430 |
|
|
|
431 |
|
|
for (prot = TAILQ_FIRST(&prot_conf->fields), prot_no = 0; |
432 |
|
|
prot_no < prot_conf->cnt; |
433 |
|
|
prot_no++, prot = TAILQ_NEXT(prot, link)) { |
434 |
|
|
/* Make sure we have a proposal/transform vectors. */ |
435 |
|
|
if (prop_no >= prop_cnt) { |
436 |
|
|
/* |
437 |
|
|
* This resize algorithm is completely |
438 |
|
|
* arbitrary. |
439 |
|
|
*/ |
440 |
|
|
prop_cnt = 2 * prop_cnt + 10; |
441 |
|
|
new_proposal = reallocarray(proposal, |
442 |
|
|
prop_cnt, sizeof *proposal); |
443 |
|
|
if (!new_proposal) { |
444 |
|
|
log_error( |
445 |
|
|
"initiator_send_HASH_SA_NONCE: " |
446 |
|
|
"realloc (%p, %lu) failed", |
447 |
|
|
proposal, |
448 |
|
|
prop_cnt * (unsigned long)sizeof *proposal); |
449 |
|
|
goto bail_out; |
450 |
|
|
} |
451 |
|
|
proposal = new_proposal; |
452 |
|
|
|
453 |
|
|
new_transforms_len = reallocarray(transforms_len, |
454 |
|
|
prop_cnt, sizeof *transforms_len); |
455 |
|
|
if (!new_transforms_len) { |
456 |
|
|
log_error( |
457 |
|
|
"initiator_send_HASH_SA_NONCE: " |
458 |
|
|
"realloc (%p, %lu) failed", |
459 |
|
|
transforms_len, |
460 |
|
|
prop_cnt * (unsigned long)sizeof *transforms_len); |
461 |
|
|
goto bail_out; |
462 |
|
|
} |
463 |
|
|
transforms_len = new_transforms_len; |
464 |
|
|
|
465 |
|
|
new_transform = reallocarray(transform, |
466 |
|
|
prop_cnt, sizeof *transform); |
467 |
|
|
if (!new_transform) { |
468 |
|
|
log_error( |
469 |
|
|
"initiator_send_HASH_SA_NONCE: " |
470 |
|
|
"realloc (%p, %lu) failed", |
471 |
|
|
transform, |
472 |
|
|
prop_cnt * (unsigned long)sizeof *transform); |
473 |
|
|
goto bail_out; |
474 |
|
|
} |
475 |
|
|
transform = new_transform; |
476 |
|
|
|
477 |
|
|
new_transform_cnt = reallocarray(transform_cnt, |
478 |
|
|
prop_cnt, sizeof *transform_cnt); |
479 |
|
|
if (!new_transform_cnt) { |
480 |
|
|
log_error( |
481 |
|
|
"initiator_send_HASH_SA_NONCE: " |
482 |
|
|
"realloc (%p, %lu) failed", |
483 |
|
|
transform_cnt, |
484 |
|
|
prop_cnt * (unsigned long)sizeof *transform_cnt); |
485 |
|
|
goto bail_out; |
486 |
|
|
} |
487 |
|
|
transform_cnt = new_transform_cnt; |
488 |
|
|
|
489 |
|
|
new_transform_len = reallocarray(transform_len, |
490 |
|
|
prop_cnt, sizeof *transform_len); |
491 |
|
|
if (!new_transform_len) { |
492 |
|
|
log_error( |
493 |
|
|
"initiator_send_HASH_SA_NONCE: " |
494 |
|
|
"realloc (%p, %lu) failed", |
495 |
|
|
transform_len, |
496 |
|
|
prop_cnt * (unsigned long)sizeof *transform_len); |
497 |
|
|
goto bail_out; |
498 |
|
|
} |
499 |
|
|
transform_len = new_transform_len; |
500 |
|
|
} |
501 |
|
|
protocol_id = conf_get_str(prot->field, "PROTOCOL_ID"); |
502 |
|
|
if (!protocol_id) |
503 |
|
|
goto bail_out; |
504 |
|
|
|
505 |
|
|
proto_id = constant_value(ipsec_proto_cst, |
506 |
|
|
protocol_id); |
507 |
|
|
switch (proto_id) { |
508 |
|
|
case IPSEC_PROTO_IPSEC_AH: |
509 |
|
|
id_map = ipsec_ah_cst; |
510 |
|
|
break; |
511 |
|
|
|
512 |
|
|
case IPSEC_PROTO_IPSEC_ESP: |
513 |
|
|
id_map = ipsec_esp_cst; |
514 |
|
|
break; |
515 |
|
|
|
516 |
|
|
case IPSEC_PROTO_IPCOMP: |
517 |
|
|
id_map = ipsec_ipcomp_cst; |
518 |
|
|
break; |
519 |
|
|
|
520 |
|
|
default: |
521 |
|
|
{ |
522 |
|
|
log_print("initiator_send_HASH_SA_NONCE: " |
523 |
|
|
"invalid PROTCOL_ID: %s", protocol_id); |
524 |
|
|
goto bail_out; |
525 |
|
|
} |
526 |
|
|
} |
527 |
|
|
|
528 |
|
|
/* Now get each transform we offer for this protocol.*/ |
529 |
|
|
xf_conf = conf_get_list(prot->field, "Transforms"); |
530 |
|
|
if (!xf_conf) |
531 |
|
|
goto bail_out; |
532 |
|
|
transform_cnt[prop_no] = xf_conf->cnt; |
533 |
|
|
|
534 |
|
|
transform[prop_no] = calloc(transform_cnt[prop_no], |
535 |
|
|
sizeof **transform); |
536 |
|
|
if (!transform[prop_no]) { |
537 |
|
|
log_error("initiator_send_HASH_SA_NONCE: " |
538 |
|
|
"calloc (%d, %lu) failed", |
539 |
|
|
transform_cnt[prop_no], |
540 |
|
|
(unsigned long)sizeof **transform); |
541 |
|
|
goto bail_out; |
542 |
|
|
} |
543 |
|
|
transform_len[prop_no] = calloc(transform_cnt[prop_no], |
544 |
|
|
sizeof **transform_len); |
545 |
|
|
if (!transform_len[prop_no]) { |
546 |
|
|
log_error("initiator_send_HASH_SA_NONCE: " |
547 |
|
|
"calloc (%d, %lu) failed", |
548 |
|
|
transform_cnt[prop_no], |
549 |
|
|
(unsigned long)sizeof **transform_len); |
550 |
|
|
goto bail_out; |
551 |
|
|
} |
552 |
|
|
transforms_len[prop_no] = 0; |
553 |
|
|
for (xf = TAILQ_FIRST(&xf_conf->fields), xf_no = 0; |
554 |
|
|
xf_no < transform_cnt[prop_no]; |
555 |
|
|
xf_no++, xf = TAILQ_NEXT(xf, link)) { |
556 |
|
|
|
557 |
|
|
/* XXX The sizing needs to be dynamic. */ |
558 |
|
|
transform[prop_no][xf_no] = |
559 |
|
|
calloc(ISAKMP_TRANSFORM_SA_ATTRS_OFF + |
560 |
|
|
9 * ISAKMP_ATTR_VALUE_OFF, 1); |
561 |
|
|
if (!transform[prop_no][xf_no]) { |
562 |
|
|
log_error( |
563 |
|
|
"initiator_send_HASH_SA_NONCE: " |
564 |
|
|
"calloc (%d, 1) failed", |
565 |
|
|
ISAKMP_TRANSFORM_SA_ATTRS_OFF + |
566 |
|
|
9 * ISAKMP_ATTR_VALUE_OFF); |
567 |
|
|
goto bail_out; |
568 |
|
|
} |
569 |
|
|
SET_ISAKMP_TRANSFORM_NO(transform[prop_no][xf_no], |
570 |
|
|
xf_no + 1); |
571 |
|
|
|
572 |
|
|
transform_id = conf_get_str(xf->field, |
573 |
|
|
"TRANSFORM_ID"); |
574 |
|
|
if (!transform_id) |
575 |
|
|
goto bail_out; |
576 |
|
|
SET_ISAKMP_TRANSFORM_ID(transform[prop_no][xf_no], |
577 |
|
|
constant_value(id_map, transform_id)); |
578 |
|
|
SET_ISAKMP_TRANSFORM_RESERVED(transform[prop_no][xf_no], 0); |
579 |
|
|
|
580 |
|
|
attr = transform[prop_no][xf_no] + |
581 |
|
|
ISAKMP_TRANSFORM_SA_ATTRS_OFF; |
582 |
|
|
|
583 |
|
|
/* |
584 |
|
|
* Life durations are special, we should be |
585 |
|
|
* able to specify several, one per type. |
586 |
|
|
*/ |
587 |
|
|
life_conf = conf_get_list(xf->field, "Life"); |
588 |
|
|
if (life_conf) { |
589 |
|
|
for (life = TAILQ_FIRST(&life_conf->fields); |
590 |
|
|
life; life = TAILQ_NEXT(life, link)) { |
591 |
|
|
attribute_set_constant( |
592 |
|
|
life->field, "LIFE_TYPE", |
593 |
|
|
ipsec_duration_cst, |
594 |
|
|
IPSEC_ATTR_SA_LIFE_TYPE, |
595 |
|
|
&attr); |
596 |
|
|
|
597 |
|
|
/* |
598 |
|
|
* XXX Deals with 16 and 32 |
599 |
|
|
* bit lifetimes only |
600 |
|
|
*/ |
601 |
|
|
value = |
602 |
|
|
conf_get_num(life->field, |
603 |
|
|
"LIFE_DURATION", 0); |
604 |
|
|
if (value) { |
605 |
|
|
if (value <= 0xffff) |
606 |
|
|
attr = |
607 |
|
|
attribute_set_basic( |
608 |
|
|
attr, |
609 |
|
|
IPSEC_ATTR_SA_LIFE_DURATION, |
610 |
|
|
value); |
611 |
|
|
else { |
612 |
|
|
value = htonl(value); |
613 |
|
|
attr = |
614 |
|
|
attribute_set_var( |
615 |
|
|
attr, |
616 |
|
|
IPSEC_ATTR_SA_LIFE_DURATION, |
617 |
|
|
(u_int8_t *)&value, |
618 |
|
|
sizeof value); |
619 |
|
|
} |
620 |
|
|
} |
621 |
|
|
} |
622 |
|
|
conf_free_list(life_conf); |
623 |
|
|
} |
624 |
|
|
attribute_set_constant(xf->field, |
625 |
|
|
"ENCAPSULATION_MODE", ipsec_encap_cst, |
626 |
|
|
IPSEC_ATTR_ENCAPSULATION_MODE, &attr); |
627 |
|
|
|
628 |
|
|
if (proto_id != IPSEC_PROTO_IPCOMP) { |
629 |
|
|
attribute_set_constant(xf->field, |
630 |
|
|
"AUTHENTICATION_ALGORITHM", |
631 |
|
|
ipsec_auth_cst, |
632 |
|
|
IPSEC_ATTR_AUTHENTICATION_ALGORITHM, |
633 |
|
|
&attr); |
634 |
|
|
|
635 |
|
|
attribute_set_constant(xf->field, |
636 |
|
|
"GROUP_DESCRIPTION", |
637 |
|
|
ike_group_desc_cst, |
638 |
|
|
IPSEC_ATTR_GROUP_DESCRIPTION, &attr); |
639 |
|
|
|
640 |
|
|
value = conf_get_num(xf->field, |
641 |
|
|
"KEY_LENGTH", 0); |
642 |
|
|
if (value) |
643 |
|
|
attr = attribute_set_basic( |
644 |
|
|
attr, |
645 |
|
|
IPSEC_ATTR_KEY_LENGTH, |
646 |
|
|
value); |
647 |
|
|
|
648 |
|
|
value = conf_get_num(xf->field, |
649 |
|
|
"KEY_ROUNDS", 0); |
650 |
|
|
if (value) |
651 |
|
|
attr = attribute_set_basic( |
652 |
|
|
attr, |
653 |
|
|
IPSEC_ATTR_KEY_ROUNDS, |
654 |
|
|
value); |
655 |
|
|
} else { |
656 |
|
|
value = conf_get_num(xf->field, |
657 |
|
|
"COMPRESS_DICTIONARY_SIZE", 0); |
658 |
|
|
if (value) |
659 |
|
|
attr = attribute_set_basic( |
660 |
|
|
attr, |
661 |
|
|
IPSEC_ATTR_COMPRESS_DICTIONARY_SIZE, |
662 |
|
|
value); |
663 |
|
|
|
664 |
|
|
value = conf_get_num(xf->field, |
665 |
|
|
"COMPRESS_PRIVATE_ALGORITHM", 0); |
666 |
|
|
if (value) |
667 |
|
|
attr = attribute_set_basic( |
668 |
|
|
attr, |
669 |
|
|
IPSEC_ATTR_COMPRESS_PRIVATE_ALGORITHM, |
670 |
|
|
value); |
671 |
|
|
} |
672 |
|
|
|
673 |
|
|
value = conf_get_num(xf->field, "ECN_TUNNEL", |
674 |
|
|
0); |
675 |
|
|
if (value) |
676 |
|
|
attr = attribute_set_basic(attr, |
677 |
|
|
IPSEC_ATTR_ECN_TUNNEL, value); |
678 |
|
|
|
679 |
|
|
/* Record the real transform size. */ |
680 |
|
|
transforms_len[prop_no] += |
681 |
|
|
(transform_len[prop_no][xf_no] |
682 |
|
|
= attr - transform[prop_no][xf_no]); |
683 |
|
|
|
684 |
|
|
if (proto_id != IPSEC_PROTO_IPCOMP) { |
685 |
|
|
/* |
686 |
|
|
* Make sure that if a group |
687 |
|
|
* description is specified, it is |
688 |
|
|
* specified for all transforms |
689 |
|
|
* equally. |
690 |
|
|
*/ |
691 |
|
|
attr = |
692 |
|
|
(u_int8_t *)conf_get_str(xf->field, |
693 |
|
|
"GROUP_DESCRIPTION"); |
694 |
|
|
new_group_desc |
695 |
|
|
= attr ? constant_value(ike_group_desc_cst, |
696 |
|
|
(char *)attr) : 0; |
697 |
|
|
if (group_desc == -1) |
698 |
|
|
group_desc = new_group_desc; |
699 |
|
|
else if (group_desc != new_group_desc) { |
700 |
|
|
log_print("initiator_send_HASH_SA_NONCE: " |
701 |
|
|
"differing group descriptions in a proposal"); |
702 |
|
|
goto bail_out; |
703 |
|
|
} |
704 |
|
|
} |
705 |
|
|
} |
706 |
|
|
conf_free_list(xf_conf); |
707 |
|
|
xf_conf = 0; |
708 |
|
|
|
709 |
|
|
/* |
710 |
|
|
* Get SPI from application. |
711 |
|
|
* XXX Should we care about unknown constants? |
712 |
|
|
*/ |
713 |
|
|
protocol_num = constant_value(ipsec_proto_cst, |
714 |
|
|
protocol_id); |
715 |
|
|
spi = doi->get_spi(&spi_sz, protocol_num, msg); |
716 |
|
|
if (spi_sz && !spi) { |
717 |
|
|
log_print("initiator_send_HASH_SA_NONCE: " |
718 |
|
|
"doi->get_spi failed"); |
719 |
|
|
goto bail_out; |
720 |
|
|
} |
721 |
|
|
proposal_len = ISAKMP_PROP_SPI_OFF + spi_sz; |
722 |
|
|
proposals_len += |
723 |
|
|
proposal_len + transforms_len[prop_no]; |
724 |
|
|
proposal[prop_no] = malloc(proposal_len); |
725 |
|
|
if (!proposal[prop_no]) { |
726 |
|
|
log_error("initiator_send_HASH_SA_NONCE: " |
727 |
|
|
"malloc (%lu) failed", |
728 |
|
|
(unsigned long)proposal_len); |
729 |
|
|
goto bail_out; |
730 |
|
|
} |
731 |
|
|
SET_ISAKMP_PROP_NO(proposal[prop_no], suite_no + 1); |
732 |
|
|
SET_ISAKMP_PROP_PROTO(proposal[prop_no], protocol_num); |
733 |
|
|
|
734 |
|
|
/* XXX I would like to see this factored out. */ |
735 |
|
|
proto = calloc(1, sizeof *proto); |
736 |
|
|
if (!proto) { |
737 |
|
|
log_error("initiator_send_HASH_SA_NONCE: " |
738 |
|
|
"calloc (1, %lu) failed", |
739 |
|
|
(unsigned long)sizeof *proto); |
740 |
|
|
goto bail_out; |
741 |
|
|
} |
742 |
|
|
if (doi->proto_size) { |
743 |
|
|
proto->data = calloc(1, doi->proto_size); |
744 |
|
|
if (!proto->data) { |
745 |
|
|
free(proto); |
746 |
|
|
log_error( |
747 |
|
|
"initiator_send_HASH_SA_NONCE: " |
748 |
|
|
"calloc (1, %lu) failed", |
749 |
|
|
(unsigned long)doi->proto_size); |
750 |
|
|
goto bail_out; |
751 |
|
|
} |
752 |
|
|
} |
753 |
|
|
proto->no = suite_no + 1; |
754 |
|
|
proto->proto = protocol_num; |
755 |
|
|
proto->sa = TAILQ_FIRST(&exchange->sa_list); |
756 |
|
|
proto->xf_cnt = transform_cnt[prop_no]; |
757 |
|
|
TAILQ_INIT(&proto->xfs); |
758 |
|
|
for (xf_no = 0; xf_no < proto->xf_cnt; xf_no++) { |
759 |
|
|
pa = calloc(1, sizeof *pa); |
760 |
|
|
if (!pa) { |
761 |
|
|
free(proto->data); |
762 |
|
|
free(proto); |
763 |
|
|
goto bail_out; |
764 |
|
|
} |
765 |
|
|
pa->len = transform_len[prop_no][xf_no]; |
766 |
|
|
pa->attrs = malloc(pa->len); |
767 |
|
|
if (!pa->attrs) { |
768 |
|
|
free(proto->data); |
769 |
|
|
free(proto); |
770 |
|
|
free(pa); |
771 |
|
|
goto bail_out; |
772 |
|
|
} |
773 |
|
|
memcpy(pa->attrs, transform[prop_no][xf_no], |
774 |
|
|
pa->len); |
775 |
|
|
TAILQ_INSERT_TAIL(&proto->xfs, pa, next); |
776 |
|
|
} |
777 |
|
|
TAILQ_INSERT_TAIL(&TAILQ_FIRST(&exchange->sa_list)->protos, |
778 |
|
|
proto, link); |
779 |
|
|
|
780 |
|
|
/* Setup the incoming SPI. */ |
781 |
|
|
SET_ISAKMP_PROP_SPI_SZ(proposal[prop_no], spi_sz); |
782 |
|
|
memcpy(proposal[prop_no] + ISAKMP_PROP_SPI_OFF, spi, |
783 |
|
|
spi_sz); |
784 |
|
|
proto->spi_sz[1] = spi_sz; |
785 |
|
|
proto->spi[1] = spi; |
786 |
|
|
|
787 |
|
|
/* |
788 |
|
|
* Let the DOI get at proto for initializing its own |
789 |
|
|
* data. |
790 |
|
|
*/ |
791 |
|
|
if (doi->proto_init) |
792 |
|
|
doi->proto_init(proto, prot->field); |
793 |
|
|
|
794 |
|
|
SET_ISAKMP_PROP_NTRANSFORMS(proposal[prop_no], |
795 |
|
|
transform_cnt[prop_no]); |
796 |
|
|
prop_no++; |
797 |
|
|
} |
798 |
|
|
conf_free_list(prot_conf); |
799 |
|
|
prot_conf = 0; |
800 |
|
|
} |
801 |
|
|
|
802 |
|
|
sa_len = ISAKMP_SA_SIT_OFF + IPSEC_SIT_SIT_LEN; |
803 |
|
|
sa_buf = malloc(sa_len); |
804 |
|
|
if (!sa_buf) { |
805 |
|
|
log_error("initiator_send_HASH_SA_NONCE: malloc (%lu) failed", |
806 |
|
|
(unsigned long)sa_len); |
807 |
|
|
goto bail_out; |
808 |
|
|
} |
809 |
|
|
SET_ISAKMP_SA_DOI(sa_buf, IPSEC_DOI_IPSEC); |
810 |
|
|
SET_IPSEC_SIT_SIT(sa_buf + ISAKMP_SA_SIT_OFF, IPSEC_SIT_IDENTITY_ONLY); |
811 |
|
|
|
812 |
|
|
/* |
813 |
|
|
* Add the payloads. As this is a SA, we need to recompute the |
814 |
|
|
* lengths of the payloads containing others. We also need to |
815 |
|
|
* reset these payload's "next payload type" field. |
816 |
|
|
*/ |
817 |
|
|
if (message_add_payload(msg, ISAKMP_PAYLOAD_SA, sa_buf, sa_len, 1)) |
818 |
|
|
goto bail_out; |
819 |
|
|
SET_ISAKMP_GEN_LENGTH(sa_buf, sa_len + proposals_len); |
820 |
|
|
sa_buf = 0; |
821 |
|
|
|
822 |
|
|
update_nextp = 0; |
823 |
|
|
saved_nextp_sa = msg->nextp; |
824 |
|
|
for (i = 0; i < prop_no; i++) { |
825 |
|
|
if (message_add_payload(msg, ISAKMP_PAYLOAD_PROPOSAL, |
826 |
|
|
proposal[i], proposal_len, update_nextp)) |
827 |
|
|
goto bail_out; |
828 |
|
|
SET_ISAKMP_GEN_LENGTH(proposal[i], |
829 |
|
|
proposal_len + transforms_len[i]); |
830 |
|
|
proposal[i] = 0; |
831 |
|
|
|
832 |
|
|
update_nextp = 0; |
833 |
|
|
saved_nextp_prop = msg->nextp; |
834 |
|
|
for (xf_no = 0; xf_no < transform_cnt[i]; xf_no++) { |
835 |
|
|
if (message_add_payload(msg, ISAKMP_PAYLOAD_TRANSFORM, |
836 |
|
|
transform[i][xf_no], |
837 |
|
|
transform_len[i][xf_no], update_nextp)) |
838 |
|
|
goto bail_out; |
839 |
|
|
update_nextp = 1; |
840 |
|
|
transform[i][xf_no] = 0; |
841 |
|
|
} |
842 |
|
|
msg->nextp = saved_nextp_prop; |
843 |
|
|
update_nextp = 1; |
844 |
|
|
} |
845 |
|
|
msg->nextp = saved_nextp_sa; |
846 |
|
|
|
847 |
|
|
/* |
848 |
|
|
* Save SA payload body in ie->sa_i_b, length ie->sa_i_b_len. |
849 |
|
|
*/ |
850 |
|
|
ie->sa_i_b = message_copy(msg, ISAKMP_GEN_SZ, &ie->sa_i_b_len); |
851 |
|
|
if (!ie->sa_i_b) |
852 |
|
|
goto bail_out; |
853 |
|
|
|
854 |
|
|
/* |
855 |
|
|
* Generate a nonce, and add it to the message. |
856 |
|
|
* XXX I want a better way to specify the nonce's size. |
857 |
|
|
*/ |
858 |
|
|
if (exchange_gen_nonce(msg, 16)) |
859 |
|
|
return -1; |
860 |
|
|
|
861 |
|
|
/* Generate optional KEY_EXCH payload. */ |
862 |
|
|
if (group_desc > 0) { |
863 |
|
|
ie->group = group_get(group_desc); |
864 |
|
|
ie->g_x_len = dh_getlen(ie->group); |
865 |
|
|
|
866 |
|
|
if (ipsec_gen_g_x(msg)) { |
867 |
|
|
group_free(ie->group); |
868 |
|
|
ie->group = 0; |
869 |
|
|
return -1; |
870 |
|
|
} |
871 |
|
|
} |
872 |
|
|
/* Generate optional client ID payloads. XXX Share with responder. */ |
873 |
|
|
local_id = conf_get_str(exchange->name, "Local-ID"); |
874 |
|
|
remote_id = conf_get_str(exchange->name, "Remote-ID"); |
875 |
|
|
if (local_id && remote_id) { |
876 |
|
|
id = ipsec_build_id(local_id, &sz); |
877 |
|
|
if (!id) |
878 |
|
|
return -1; |
879 |
|
|
LOG_DBG_BUF((LOG_NEGOTIATION, 90, |
880 |
|
|
"initiator_send_HASH_SA_NONCE: IDic", id, sz)); |
881 |
|
|
if (message_add_payload(msg, ISAKMP_PAYLOAD_ID, id, sz, 1)) { |
882 |
|
|
free(id); |
883 |
|
|
return -1; |
884 |
|
|
} |
885 |
|
|
id = ipsec_build_id(remote_id, &sz); |
886 |
|
|
if (!id) |
887 |
|
|
return -1; |
888 |
|
|
LOG_DBG_BUF((LOG_NEGOTIATION, 90, |
889 |
|
|
"initiator_send_HASH_SA_NONCE: IDrc", id, sz)); |
890 |
|
|
if (message_add_payload(msg, ISAKMP_PAYLOAD_ID, id, sz, 1)) { |
891 |
|
|
free(id); |
892 |
|
|
return -1; |
893 |
|
|
} |
894 |
|
|
} |
895 |
|
|
/* XXX I do not judge these as errors, are they? */ |
896 |
|
|
else if (local_id) |
897 |
|
|
log_print("initiator_send_HASH_SA_NONCE: " |
898 |
|
|
"Local-ID given without Remote-ID for \"%s\"", |
899 |
|
|
exchange->name); |
900 |
|
|
else if (remote_id) |
901 |
|
|
/* |
902 |
|
|
* This code supports the "road warrior" case, where the |
903 |
|
|
* initiator doesn't have a fixed IP address, but wants to |
904 |
|
|
* specify a particular remote network to talk to. -- Adrian |
905 |
|
|
* Close <adrian@esec.com.au> |
906 |
|
|
*/ |
907 |
|
|
{ |
908 |
|
|
log_print("initiator_send_HASH_SA_NONCE: " |
909 |
|
|
"Remote-ID given without Local-ID for \"%s\"", |
910 |
|
|
exchange->name); |
911 |
|
|
|
912 |
|
|
/* |
913 |
|
|
* If we're here, then we are the initiator, so use initiator |
914 |
|
|
* address for local ID |
915 |
|
|
*/ |
916 |
|
|
msg->transport->vtbl->get_src(msg->transport, &src); |
917 |
|
|
sz = ISAKMP_ID_SZ + sockaddr_addrlen(src); |
918 |
|
|
|
919 |
|
|
id = calloc(sz, sizeof(char)); |
920 |
|
|
if (!id) { |
921 |
|
|
log_error("initiator_send_HASH_SA_NONCE: " |
922 |
|
|
"calloc (%lu, %lu) failed", (unsigned long)sz, |
923 |
|
|
(unsigned long)sizeof(char)); |
924 |
|
|
return -1; |
925 |
|
|
} |
926 |
|
|
switch (src->sa_family) { |
927 |
|
|
case AF_INET6: |
928 |
|
|
SET_ISAKMP_ID_TYPE(id, IPSEC_ID_IPV6_ADDR); |
929 |
|
|
break; |
930 |
|
|
case AF_INET: |
931 |
|
|
SET_ISAKMP_ID_TYPE(id, IPSEC_ID_IPV4_ADDR); |
932 |
|
|
break; |
933 |
|
|
default: |
934 |
|
|
log_error("initiator_send_HASH_SA_NONCE: " |
935 |
|
|
"unknown sa_family %d", src->sa_family); |
936 |
|
|
free(id); |
937 |
|
|
return -1; |
938 |
|
|
} |
939 |
|
|
memcpy(id + ISAKMP_ID_DATA_OFF, sockaddr_addrdata(src), |
940 |
|
|
sockaddr_addrlen(src)); |
941 |
|
|
|
942 |
|
|
LOG_DBG_BUF((LOG_NEGOTIATION, 90, |
943 |
|
|
"initiator_send_HASH_SA_NONCE: IDic", id, sz)); |
944 |
|
|
if (message_add_payload(msg, ISAKMP_PAYLOAD_ID, id, sz, 1)) { |
945 |
|
|
free(id); |
946 |
|
|
return -1; |
947 |
|
|
} |
948 |
|
|
/* Send supplied remote_id */ |
949 |
|
|
id = ipsec_build_id(remote_id, &sz); |
950 |
|
|
if (!id) |
951 |
|
|
return -1; |
952 |
|
|
LOG_DBG_BUF((LOG_NEGOTIATION, 90, |
953 |
|
|
"initiator_send_HASH_SA_NONCE: IDrc", id, sz)); |
954 |
|
|
if (message_add_payload(msg, ISAKMP_PAYLOAD_ID, id, sz, 1)) { |
955 |
|
|
free(id); |
956 |
|
|
return -1; |
957 |
|
|
} |
958 |
|
|
} |
959 |
|
|
if (ipsec_fill_in_hash(msg)) |
960 |
|
|
goto bail_out; |
961 |
|
|
|
962 |
|
|
conf_free_list(suite_conf); |
963 |
|
|
for (i = 0; i < prop_no; i++) { |
964 |
|
|
free(transform[i]); |
965 |
|
|
free(transform_len[i]); |
966 |
|
|
} |
967 |
|
|
free(proposal); |
968 |
|
|
free(transform); |
969 |
|
|
free(transforms_len); |
970 |
|
|
free(transform_len); |
971 |
|
|
free(transform_cnt); |
972 |
|
|
return 0; |
973 |
|
|
|
974 |
|
|
bail_out: |
975 |
|
|
free(sa_buf); |
976 |
|
|
if (proposal) { |
977 |
|
|
for (i = 0; i < prop_no; i++) { |
978 |
|
|
free(proposal[i]); |
979 |
|
|
if (transform[i]) { |
980 |
|
|
for (xf_no = 0; xf_no < transform_cnt[i]; |
981 |
|
|
xf_no++) |
982 |
|
|
free(transform[i][xf_no]); |
983 |
|
|
free(transform[i]); |
984 |
|
|
} |
985 |
|
|
free(transform_len[i]); |
986 |
|
|
} |
987 |
|
|
free(proposal); |
988 |
|
|
free(transforms_len); |
989 |
|
|
free(transform); |
990 |
|
|
free(transform_len); |
991 |
|
|
free(transform_cnt); |
992 |
|
|
} |
993 |
|
|
if (xf_conf) |
994 |
|
|
conf_free_list(xf_conf); |
995 |
|
|
if (prot_conf) |
996 |
|
|
conf_free_list(prot_conf); |
997 |
|
|
conf_free_list(suite_conf); |
998 |
|
|
return -1; |
999 |
|
|
} |
1000 |
|
|
|
1001 |
|
|
/* Figure out what transform the responder chose. */ |
1002 |
|
|
static int |
1003 |
|
|
initiator_recv_HASH_SA_NONCE(struct message *msg) |
1004 |
|
|
{ |
1005 |
|
|
struct exchange *exchange = msg->exchange; |
1006 |
|
|
struct ipsec_exch *ie = exchange->data; |
1007 |
|
|
struct sa *sa; |
1008 |
|
|
struct proto *proto, *next_proto; |
1009 |
|
|
struct payload *sa_p = payload_first(msg, ISAKMP_PAYLOAD_SA); |
1010 |
|
|
struct payload *xf, *idp; |
1011 |
|
|
struct payload *hashp = payload_first(msg, ISAKMP_PAYLOAD_HASH); |
1012 |
|
|
struct payload *kep = payload_first(msg, ISAKMP_PAYLOAD_KEY_EXCH); |
1013 |
|
|
struct prf *prf; |
1014 |
|
|
struct sa *isakmp_sa = msg->isakmp_sa; |
1015 |
|
|
struct ipsec_sa *isa = isakmp_sa->data; |
1016 |
|
|
struct hash *hash = hash_get(isa->hash); |
1017 |
|
|
u_int8_t *rest; |
1018 |
|
|
size_t rest_len; |
1019 |
|
|
struct sockaddr *src, *dst; |
1020 |
|
|
|
1021 |
|
|
/* Allocate the prf and start calculating our HASH(1). XXX Share? */ |
1022 |
|
|
LOG_DBG_BUF((LOG_NEGOTIATION, 90, "initiator_recv_HASH_SA_NONCE: " |
1023 |
|
|
"SKEYID_a", (u_int8_t *)isa->skeyid_a, isa->skeyid_len)); |
1024 |
|
|
prf = prf_alloc(isa->prf_type, hash->type, isa->skeyid_a, |
1025 |
|
|
isa->skeyid_len); |
1026 |
|
|
if (!prf) |
1027 |
|
|
return -1; |
1028 |
|
|
|
1029 |
|
|
prf->Init(prf->prfctx); |
1030 |
|
|
LOG_DBG_BUF((LOG_NEGOTIATION, 90, |
1031 |
|
|
"initiator_recv_HASH_SA_NONCE: message_id", |
1032 |
|
|
exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN)); |
1033 |
|
|
prf->Update(prf->prfctx, exchange->message_id, |
1034 |
|
|
ISAKMP_HDR_MESSAGE_ID_LEN); |
1035 |
|
|
LOG_DBG_BUF((LOG_NEGOTIATION, 90, "initiator_recv_HASH_SA_NONCE: " |
1036 |
|
|
"NONCE_I_b", exchange->nonce_i, exchange->nonce_i_len)); |
1037 |
|
|
prf->Update(prf->prfctx, exchange->nonce_i, exchange->nonce_i_len); |
1038 |
|
|
rest = hashp->p + GET_ISAKMP_GEN_LENGTH(hashp->p); |
1039 |
|
|
rest_len = (GET_ISAKMP_HDR_LENGTH(msg->iov[0].iov_base) |
1040 |
|
|
- (rest - (u_int8_t *)msg->iov[0].iov_base)); |
1041 |
|
|
LOG_DBG_BUF((LOG_NEGOTIATION, 90, |
1042 |
|
|
"initiator_recv_HASH_SA_NONCE: payloads after HASH(2)", rest, |
1043 |
|
|
rest_len)); |
1044 |
|
|
prf->Update(prf->prfctx, rest, rest_len); |
1045 |
|
|
prf->Final(hash->digest, prf->prfctx); |
1046 |
|
|
prf_free(prf); |
1047 |
|
|
LOG_DBG_BUF((LOG_NEGOTIATION, 80, |
1048 |
|
|
"initiator_recv_HASH_SA_NONCE: computed HASH(2)", hash->digest, |
1049 |
|
|
hash->hashsize)); |
1050 |
|
|
if (memcmp(hashp->p + ISAKMP_HASH_DATA_OFF, hash->digest, |
1051 |
|
|
hash->hashsize) != 0) { |
1052 |
|
|
message_drop(msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION, 0, 1, |
1053 |
|
|
0); |
1054 |
|
|
return -1; |
1055 |
|
|
} |
1056 |
|
|
/* Mark the HASH as handled. */ |
1057 |
|
|
hashp->flags |= PL_MARK; |
1058 |
|
|
|
1059 |
|
|
/* Mark message as authenticated. */ |
1060 |
|
|
msg->flags |= MSG_AUTHENTICATED; |
1061 |
|
|
|
1062 |
|
|
/* |
1063 |
|
|
* As we are getting an answer on our transform offer, only one |
1064 |
|
|
* transform should be given. |
1065 |
|
|
* |
1066 |
|
|
* XXX Currently we only support negotiating one SA per quick mode run. |
1067 |
|
|
*/ |
1068 |
|
|
if (TAILQ_NEXT(sa_p, link)) { |
1069 |
|
|
log_print("initiator_recv_HASH_SA_NONCE: " |
1070 |
|
|
"multiple SA payloads in quick mode not supported yet"); |
1071 |
|
|
return -1; |
1072 |
|
|
} |
1073 |
|
|
sa = TAILQ_FIRST(&exchange->sa_list); |
1074 |
|
|
|
1075 |
|
|
/* This is here for the policy check */ |
1076 |
|
|
if (kep) |
1077 |
|
|
ie->pfs = 1; |
1078 |
|
|
|
1079 |
|
|
/* Drop message when it contains ID types we do not implement yet. */ |
1080 |
|
|
TAILQ_FOREACH(idp, &msg->payload[ISAKMP_PAYLOAD_ID], link) { |
1081 |
|
|
switch (GET_ISAKMP_ID_TYPE(idp->p)) { |
1082 |
|
|
case IPSEC_ID_IPV4_ADDR: |
1083 |
|
|
case IPSEC_ID_IPV4_ADDR_SUBNET: |
1084 |
|
|
case IPSEC_ID_IPV6_ADDR: |
1085 |
|
|
case IPSEC_ID_IPV6_ADDR_SUBNET: |
1086 |
|
|
break; |
1087 |
|
|
|
1088 |
|
|
case IPSEC_ID_FQDN: |
1089 |
|
|
/* |
1090 |
|
|
* FQDN may be used for in NAT-T with transport mode. |
1091 |
|
|
* We can handle the message in this case. In the |
1092 |
|
|
* other cases we'll drop the message later. |
1093 |
|
|
*/ |
1094 |
|
|
break; |
1095 |
|
|
|
1096 |
|
|
default: |
1097 |
|
|
message_drop(msg, ISAKMP_NOTIFY_INVALID_ID_INFORMATION, |
1098 |
|
|
0, 1, 0); |
1099 |
|
|
return -1; |
1100 |
|
|
} |
1101 |
|
|
} |
1102 |
|
|
|
1103 |
|
|
/* Handle optional client ID payloads. */ |
1104 |
|
|
idp = payload_first(msg, ISAKMP_PAYLOAD_ID); |
1105 |
|
|
if (idp) { |
1106 |
|
|
/* If IDci is there, IDcr must be too. */ |
1107 |
|
|
if (!TAILQ_NEXT(idp, link)) { |
1108 |
|
|
/* XXX Is this a good notify type? */ |
1109 |
|
|
message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, |
1110 |
|
|
1, 0); |
1111 |
|
|
return -1; |
1112 |
|
|
} |
1113 |
|
|
/* XXX We should really compare, not override. */ |
1114 |
|
|
ie->id_ci_sz = GET_ISAKMP_GEN_LENGTH(idp->p); |
1115 |
|
|
ie->id_ci = malloc(ie->id_ci_sz); |
1116 |
|
|
if (!ie->id_ci) { |
1117 |
|
|
log_error("initiator_recv_HASH_SA_NONCE: " |
1118 |
|
|
"malloc (%lu) failed", |
1119 |
|
|
(unsigned long)ie->id_ci_sz); |
1120 |
|
|
return -1; |
1121 |
|
|
} |
1122 |
|
|
memcpy(ie->id_ci, idp->p, ie->id_ci_sz); |
1123 |
|
|
idp->flags |= PL_MARK; |
1124 |
|
|
LOG_DBG_BUF((LOG_NEGOTIATION, 90, |
1125 |
|
|
"initiator_recv_HASH_SA_NONCE: IDci", |
1126 |
|
|
ie->id_ci + ISAKMP_GEN_SZ, ie->id_ci_sz - ISAKMP_GEN_SZ)); |
1127 |
|
|
|
1128 |
|
|
idp = TAILQ_NEXT(idp, link); |
1129 |
|
|
ie->id_cr_sz = GET_ISAKMP_GEN_LENGTH(idp->p); |
1130 |
|
|
ie->id_cr = malloc(ie->id_cr_sz); |
1131 |
|
|
if (!ie->id_cr) { |
1132 |
|
|
log_error("initiator_recv_HASH_SA_NONCE: " |
1133 |
|
|
"malloc (%lu) failed", |
1134 |
|
|
(unsigned long)ie->id_cr_sz); |
1135 |
|
|
return -1; |
1136 |
|
|
} |
1137 |
|
|
memcpy(ie->id_cr, idp->p, ie->id_cr_sz); |
1138 |
|
|
idp->flags |= PL_MARK; |
1139 |
|
|
LOG_DBG_BUF((LOG_NEGOTIATION, 90, |
1140 |
|
|
"initiator_recv_HASH_SA_NONCE: IDcr", |
1141 |
|
|
ie->id_cr + ISAKMP_GEN_SZ, ie->id_cr_sz - ISAKMP_GEN_SZ)); |
1142 |
|
|
} else { |
1143 |
|
|
/* |
1144 |
|
|
* If client identifiers are not present in the exchange, |
1145 |
|
|
* we fake them. RFC 2409 states: |
1146 |
|
|
* The identities of the SAs negotiated in Quick Mode are |
1147 |
|
|
* implicitly assumed to be the IP addresses of the ISAKMP |
1148 |
|
|
* peers, without any constraints on the protocol or port |
1149 |
|
|
* numbers allowed, unless client identifiers are specified |
1150 |
|
|
* in Quick Mode. |
1151 |
|
|
* |
1152 |
|
|
* -- Michael Paddon (mwp@aba.net.au) |
1153 |
|
|
*/ |
1154 |
|
|
|
1155 |
|
|
ie->flags = IPSEC_EXCH_FLAG_NO_ID; |
1156 |
|
|
|
1157 |
|
|
/* Get initiator and responder addresses. */ |
1158 |
|
|
msg->transport->vtbl->get_src(msg->transport, &src); |
1159 |
|
|
msg->transport->vtbl->get_dst(msg->transport, &dst); |
1160 |
|
|
ie->id_ci_sz = ISAKMP_ID_DATA_OFF + sockaddr_addrlen(src); |
1161 |
|
|
ie->id_cr_sz = ISAKMP_ID_DATA_OFF + sockaddr_addrlen(dst); |
1162 |
|
|
ie->id_ci = calloc(ie->id_ci_sz, sizeof(char)); |
1163 |
|
|
ie->id_cr = calloc(ie->id_cr_sz, sizeof(char)); |
1164 |
|
|
|
1165 |
|
|
if (!ie->id_ci || !ie->id_cr) { |
1166 |
|
|
log_error("initiator_recv_HASH_SA_NONCE: " |
1167 |
|
|
"calloc (%lu, %lu) failed", |
1168 |
|
|
(unsigned long)ie->id_cr_sz, |
1169 |
|
|
(unsigned long)sizeof(char)); |
1170 |
|
|
free(ie->id_ci); |
1171 |
|
|
ie->id_ci = 0; |
1172 |
|
|
free(ie->id_cr); |
1173 |
|
|
ie->id_cr = 0; |
1174 |
|
|
return -1; |
1175 |
|
|
} |
1176 |
|
|
if (src->sa_family != dst->sa_family) { |
1177 |
|
|
log_error("initiator_recv_HASH_SA_NONCE: " |
1178 |
|
|
"sa_family mismatch"); |
1179 |
|
|
free(ie->id_ci); |
1180 |
|
|
ie->id_ci = 0; |
1181 |
|
|
free(ie->id_cr); |
1182 |
|
|
ie->id_cr = 0; |
1183 |
|
|
return -1; |
1184 |
|
|
} |
1185 |
|
|
switch (src->sa_family) { |
1186 |
|
|
case AF_INET: |
1187 |
|
|
SET_ISAKMP_ID_TYPE(ie->id_ci, IPSEC_ID_IPV4_ADDR); |
1188 |
|
|
SET_ISAKMP_ID_TYPE(ie->id_cr, IPSEC_ID_IPV4_ADDR); |
1189 |
|
|
break; |
1190 |
|
|
|
1191 |
|
|
case AF_INET6: |
1192 |
|
|
SET_ISAKMP_ID_TYPE(ie->id_ci, IPSEC_ID_IPV6_ADDR); |
1193 |
|
|
SET_ISAKMP_ID_TYPE(ie->id_cr, IPSEC_ID_IPV6_ADDR); |
1194 |
|
|
break; |
1195 |
|
|
|
1196 |
|
|
default: |
1197 |
|
|
log_error("initiator_recv_HASH_SA_NONCE: " |
1198 |
|
|
"unknown sa_family %d", src->sa_family); |
1199 |
|
|
free(ie->id_ci); |
1200 |
|
|
ie->id_ci = 0; |
1201 |
|
|
free(ie->id_cr); |
1202 |
|
|
ie->id_cr = 0; |
1203 |
|
|
return -1; |
1204 |
|
|
} |
1205 |
|
|
memcpy(ie->id_ci + ISAKMP_ID_DATA_OFF, sockaddr_addrdata(src), |
1206 |
|
|
sockaddr_addrlen(src)); |
1207 |
|
|
memcpy(ie->id_cr + ISAKMP_ID_DATA_OFF, sockaddr_addrdata(dst), |
1208 |
|
|
sockaddr_addrlen(dst)); |
1209 |
|
|
} |
1210 |
|
|
|
1211 |
|
|
/* Build the protection suite in our SA. */ |
1212 |
|
|
TAILQ_FOREACH(xf, &msg->payload[ISAKMP_PAYLOAD_TRANSFORM], link) { |
1213 |
|
|
/* |
1214 |
|
|
* XXX We could check that the proposal each transform |
1215 |
|
|
* belongs to is unique. |
1216 |
|
|
*/ |
1217 |
|
|
|
1218 |
|
|
if (sa_add_transform(sa, xf, exchange->initiator, &proto)) |
1219 |
|
|
return -1; |
1220 |
|
|
|
1221 |
|
|
/* XXX Check that the chosen transform matches an offer. */ |
1222 |
|
|
|
1223 |
|
|
ipsec_decode_transform(msg, sa, proto, xf->p); |
1224 |
|
|
} |
1225 |
|
|
|
1226 |
|
|
/* Now remove offers that we don't need anymore. */ |
1227 |
|
|
for (proto = TAILQ_FIRST(&sa->protos); proto; proto = next_proto) { |
1228 |
|
|
next_proto = TAILQ_NEXT(proto, link); |
1229 |
|
|
if (!proto->chosen) |
1230 |
|
|
proto_free(proto); |
1231 |
|
|
} |
1232 |
|
|
|
1233 |
|
|
if (!check_policy(exchange, sa, msg->isakmp_sa)) { |
1234 |
|
|
message_drop(msg, ISAKMP_NOTIFY_NO_PROPOSAL_CHOSEN, 0, 1, 0); |
1235 |
|
|
log_print("initiator_recv_HASH_SA_NONCE: policy check failed"); |
1236 |
|
|
return -1; |
1237 |
|
|
} |
1238 |
|
|
|
1239 |
|
|
/* Mark the SA as handled. */ |
1240 |
|
|
sa_p->flags |= PL_MARK; |
1241 |
|
|
|
1242 |
|
|
isa = sa->data; |
1243 |
|
|
if ((isa->group_desc && |
1244 |
|
|
(!ie->group || ie->group->id != isa->group_desc)) || |
1245 |
|
|
(!isa->group_desc && ie->group)) { |
1246 |
|
|
log_print("initiator_recv_HASH_SA_NONCE: disagreement on PFS"); |
1247 |
|
|
return -1; |
1248 |
|
|
} |
1249 |
|
|
/* Copy out the initiator's nonce. */ |
1250 |
|
|
if (exchange_save_nonce(msg)) |
1251 |
|
|
return -1; |
1252 |
|
|
|
1253 |
|
|
/* Handle the optional KEY_EXCH payload. */ |
1254 |
|
|
if (kep && ipsec_save_g_x(msg)) |
1255 |
|
|
return -1; |
1256 |
|
|
|
1257 |
|
|
return 0; |
1258 |
|
|
} |
1259 |
|
|
|
1260 |
|
|
static int |
1261 |
|
|
initiator_send_HASH(struct message *msg) |
1262 |
|
|
{ |
1263 |
|
|
struct exchange *exchange = msg->exchange; |
1264 |
|
|
struct ipsec_exch *ie = exchange->data; |
1265 |
|
|
struct sa *isakmp_sa = msg->isakmp_sa; |
1266 |
|
|
struct ipsec_sa *isa = isakmp_sa->data; |
1267 |
|
|
struct prf *prf; |
1268 |
|
|
u_int8_t *buf; |
1269 |
|
|
struct hash *hash = hash_get(isa->hash); |
1270 |
|
|
|
1271 |
|
|
/* |
1272 |
|
|
* We want a HASH payload to start with. XXX Share with |
1273 |
|
|
* ike_main_mode.c? |
1274 |
|
|
*/ |
1275 |
|
|
buf = malloc(ISAKMP_HASH_SZ + hash->hashsize); |
1276 |
|
|
if (!buf) { |
1277 |
|
|
log_error("initiator_send_HASH: malloc (%lu) failed", |
1278 |
|
|
ISAKMP_HASH_SZ + (unsigned long)hash->hashsize); |
1279 |
|
|
return -1; |
1280 |
|
|
} |
1281 |
|
|
if (message_add_payload(msg, ISAKMP_PAYLOAD_HASH, buf, |
1282 |
|
|
ISAKMP_HASH_SZ + hash->hashsize, 1)) { |
1283 |
|
|
free(buf); |
1284 |
|
|
return -1; |
1285 |
|
|
} |
1286 |
|
|
/* Allocate the prf and start calculating our HASH(3). XXX Share? */ |
1287 |
|
|
LOG_DBG_BUF((LOG_NEGOTIATION, 90, "initiator_send_HASH: SKEYID_a", |
1288 |
|
|
isa->skeyid_a, isa->skeyid_len)); |
1289 |
|
|
prf = prf_alloc(isa->prf_type, isa->hash, isa->skeyid_a, |
1290 |
|
|
isa->skeyid_len); |
1291 |
|
|
if (!prf) |
1292 |
|
|
return -1; |
1293 |
|
|
prf->Init(prf->prfctx); |
1294 |
|
|
prf->Update(prf->prfctx, (unsigned char *)"\0", 1); |
1295 |
|
|
LOG_DBG_BUF((LOG_NEGOTIATION, 90, "initiator_send_HASH: message_id", |
1296 |
|
|
exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN)); |
1297 |
|
|
prf->Update(prf->prfctx, exchange->message_id, |
1298 |
|
|
ISAKMP_HDR_MESSAGE_ID_LEN); |
1299 |
|
|
LOG_DBG_BUF((LOG_NEGOTIATION, 90, "initiator_send_HASH: NONCE_I_b", |
1300 |
|
|
exchange->nonce_i, exchange->nonce_i_len)); |
1301 |
|
|
prf->Update(prf->prfctx, exchange->nonce_i, exchange->nonce_i_len); |
1302 |
|
|
LOG_DBG_BUF((LOG_NEGOTIATION, 90, "initiator_send_HASH: NONCE_R_b", |
1303 |
|
|
exchange->nonce_r, exchange->nonce_r_len)); |
1304 |
|
|
prf->Update(prf->prfctx, exchange->nonce_r, exchange->nonce_r_len); |
1305 |
|
|
prf->Final(buf + ISAKMP_GEN_SZ, prf->prfctx); |
1306 |
|
|
prf_free(prf); |
1307 |
|
|
LOG_DBG_BUF((LOG_NEGOTIATION, 90, "initiator_send_HASH: HASH(3)", |
1308 |
|
|
buf + ISAKMP_GEN_SZ, hash->hashsize)); |
1309 |
|
|
|
1310 |
|
|
if (ie->group) |
1311 |
|
|
message_register_post_send(msg, gen_g_xy); |
1312 |
|
|
|
1313 |
|
|
message_register_post_send(msg, post_quick_mode); |
1314 |
|
|
|
1315 |
|
|
return 0; |
1316 |
|
|
} |
1317 |
|
|
|
1318 |
|
|
static void |
1319 |
|
|
post_quick_mode(struct message *msg) |
1320 |
|
|
{ |
1321 |
|
|
struct sa *isakmp_sa = msg->isakmp_sa; |
1322 |
|
|
struct ipsec_sa *isa = isakmp_sa->data; |
1323 |
|
|
struct exchange *exchange = msg->exchange; |
1324 |
|
|
struct ipsec_exch *ie = exchange->data; |
1325 |
|
|
struct prf *prf; |
1326 |
|
|
struct sa *sa; |
1327 |
|
|
struct proto *proto; |
1328 |
|
|
struct ipsec_proto *iproto; |
1329 |
|
|
u_int8_t *keymat; |
1330 |
|
|
int i; |
1331 |
|
|
|
1332 |
|
|
/* |
1333 |
|
|
* Loop over all SA negotiations and do both an in- and an outgoing SA |
1334 |
|
|
* per protocol. |
1335 |
|
|
*/ |
1336 |
|
|
for (sa = TAILQ_FIRST(&exchange->sa_list); sa; |
1337 |
|
|
sa = TAILQ_NEXT(sa, next)) { |
1338 |
|
|
for (proto = TAILQ_FIRST(&sa->protos); proto; |
1339 |
|
|
proto = TAILQ_NEXT(proto, link)) { |
1340 |
|
|
if (proto->proto == IPSEC_PROTO_IPCOMP) |
1341 |
|
|
continue; |
1342 |
|
|
|
1343 |
|
|
iproto = proto->data; |
1344 |
|
|
|
1345 |
|
|
/* |
1346 |
|
|
* There are two SAs for each SA negotiation, |
1347 |
|
|
* incoming and outgoing. |
1348 |
|
|
*/ |
1349 |
|
|
for (i = 0; i < 2; i++) { |
1350 |
|
|
prf = prf_alloc(isa->prf_type, isa->hash, |
1351 |
|
|
isa->skeyid_d, isa->skeyid_len); |
1352 |
|
|
if (!prf) { |
1353 |
|
|
/* XXX What to do? */ |
1354 |
|
|
continue; |
1355 |
|
|
} |
1356 |
|
|
ie->keymat_len = ipsec_keymat_length(proto); |
1357 |
|
|
|
1358 |
|
|
/* |
1359 |
|
|
* We need to roundup the length of the key |
1360 |
|
|
* material buffer to a multiple of the PRF's |
1361 |
|
|
* blocksize as it is generated in chunks of |
1362 |
|
|
* that blocksize. |
1363 |
|
|
*/ |
1364 |
|
|
iproto->keymat[i] |
1365 |
|
|
= malloc(((ie->keymat_len + prf->blocksize - 1) |
1366 |
|
|
/ prf->blocksize) * prf->blocksize); |
1367 |
|
|
if (!iproto->keymat[i]) { |
1368 |
|
|
log_error("post_quick_mode: " |
1369 |
|
|
"malloc (%lu) failed", |
1370 |
|
|
(((unsigned long)ie->keymat_len + |
1371 |
|
|
prf->blocksize - 1) / prf->blocksize) * |
1372 |
|
|
prf->blocksize); |
1373 |
|
|
/* XXX What more to do? */ |
1374 |
|
|
free(prf); |
1375 |
|
|
continue; |
1376 |
|
|
} |
1377 |
|
|
for (keymat = iproto->keymat[i]; |
1378 |
|
|
keymat < iproto->keymat[i] + ie->keymat_len; |
1379 |
|
|
keymat += prf->blocksize) { |
1380 |
|
|
prf->Init(prf->prfctx); |
1381 |
|
|
|
1382 |
|
|
if (keymat != iproto->keymat[i]) { |
1383 |
|
|
/* |
1384 |
|
|
* Hash in last round's |
1385 |
|
|
* KEYMAT. |
1386 |
|
|
*/ |
1387 |
|
|
LOG_DBG_BUF((LOG_NEGOTIATION, |
1388 |
|
|
90, "post_quick_mode: " |
1389 |
|
|
"last KEYMAT", |
1390 |
|
|
keymat - prf->blocksize, |
1391 |
|
|
prf->blocksize)); |
1392 |
|
|
prf->Update(prf->prfctx, |
1393 |
|
|
keymat - prf->blocksize, |
1394 |
|
|
prf->blocksize); |
1395 |
|
|
} |
1396 |
|
|
/* If PFS is used hash in g^xy. */ |
1397 |
|
|
if (ie->g_xy) { |
1398 |
|
|
LOG_DBG_BUF((LOG_NEGOTIATION, |
1399 |
|
|
90, "post_quick_mode: " |
1400 |
|
|
"g^xy", ie->g_xy, |
1401 |
|
|
ie->g_xy_len)); |
1402 |
|
|
prf->Update(prf->prfctx, |
1403 |
|
|
ie->g_xy, ie->g_xy_len); |
1404 |
|
|
} |
1405 |
|
|
LOG_DBG((LOG_NEGOTIATION, 90, |
1406 |
|
|
"post_quick_mode: " |
1407 |
|
|
"suite %d proto %d", proto->no, |
1408 |
|
|
proto->proto)); |
1409 |
|
|
prf->Update(prf->prfctx, &proto->proto, |
1410 |
|
|
1); |
1411 |
|
|
LOG_DBG_BUF((LOG_NEGOTIATION, 90, |
1412 |
|
|
"post_quick_mode: SPI", |
1413 |
|
|
proto->spi[i], proto->spi_sz[i])); |
1414 |
|
|
prf->Update(prf->prfctx, |
1415 |
|
|
proto->spi[i], proto->spi_sz[i]); |
1416 |
|
|
LOG_DBG_BUF((LOG_NEGOTIATION, 90, |
1417 |
|
|
"post_quick_mode: Ni_b", |
1418 |
|
|
exchange->nonce_i, |
1419 |
|
|
exchange->nonce_i_len)); |
1420 |
|
|
prf->Update(prf->prfctx, |
1421 |
|
|
exchange->nonce_i, |
1422 |
|
|
exchange->nonce_i_len); |
1423 |
|
|
LOG_DBG_BUF((LOG_NEGOTIATION, 90, |
1424 |
|
|
"post_quick_mode: Nr_b", |
1425 |
|
|
exchange->nonce_r, |
1426 |
|
|
exchange->nonce_r_len)); |
1427 |
|
|
prf->Update(prf->prfctx, |
1428 |
|
|
exchange->nonce_r, |
1429 |
|
|
exchange->nonce_r_len); |
1430 |
|
|
prf->Final(keymat, prf->prfctx); |
1431 |
|
|
} |
1432 |
|
|
prf_free(prf); |
1433 |
|
|
LOG_DBG_BUF((LOG_NEGOTIATION, 90, |
1434 |
|
|
"post_quick_mode: KEYMAT", |
1435 |
|
|
iproto->keymat[i], ie->keymat_len)); |
1436 |
|
|
} |
1437 |
|
|
} |
1438 |
|
|
} |
1439 |
|
|
|
1440 |
|
|
log_verbose("isakmpd: quick mode done%s: %s", |
1441 |
|
|
(exchange->initiator == 0) ? " (as responder)" : "", |
1442 |
|
|
!msg->isakmp_sa || !msg->isakmp_sa->transport ? "<no transport>" |
1443 |
|
|
: msg->isakmp_sa->transport->vtbl->decode_ids |
1444 |
|
|
(msg->isakmp_sa->transport)); |
1445 |
|
|
} |
1446 |
|
|
|
1447 |
|
|
/* |
1448 |
|
|
* Accept a set of transforms offered by the initiator and chose one we can |
1449 |
|
|
* handle. |
1450 |
|
|
* XXX Describe in more detail. |
1451 |
|
|
*/ |
1452 |
|
|
static int |
1453 |
|
|
responder_recv_HASH_SA_NONCE(struct message *msg) |
1454 |
|
|
{ |
1455 |
|
|
struct payload *hashp, *kep, *idp; |
1456 |
|
|
struct sa *sa; |
1457 |
|
|
struct sa *isakmp_sa = msg->isakmp_sa; |
1458 |
|
|
struct ipsec_sa *isa = isakmp_sa->data; |
1459 |
|
|
struct exchange *exchange = msg->exchange; |
1460 |
|
|
struct ipsec_exch *ie = exchange->data; |
1461 |
|
|
struct prf *prf; |
1462 |
|
|
u_int8_t *hash, *my_hash = 0; |
1463 |
|
|
size_t hash_len; |
1464 |
|
|
u_int8_t *pkt = msg->iov[0].iov_base; |
1465 |
|
|
u_int8_t group_desc = 0; |
1466 |
|
|
int retval = -1; |
1467 |
|
|
struct proto *proto; |
1468 |
|
|
struct sockaddr *src, *dst; |
1469 |
|
|
char *name; |
1470 |
|
|
|
1471 |
|
|
hashp = payload_first(msg, ISAKMP_PAYLOAD_HASH); |
1472 |
|
|
hash = hashp->p; |
1473 |
|
|
hashp->flags |= PL_MARK; |
1474 |
|
|
|
1475 |
|
|
/* The HASH payload should be the first one. */ |
1476 |
|
|
if (hash != pkt + ISAKMP_HDR_SZ) { |
1477 |
|
|
/* XXX Is there a better notification type? */ |
1478 |
|
|
message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 0); |
1479 |
|
|
goto cleanup; |
1480 |
|
|
} |
1481 |
|
|
hash_len = GET_ISAKMP_GEN_LENGTH(hash); |
1482 |
|
|
my_hash = malloc(hash_len - ISAKMP_GEN_SZ); |
1483 |
|
|
if (!my_hash) { |
1484 |
|
|
log_error("responder_recv_HASH_SA_NONCE: malloc (%lu) failed", |
1485 |
|
|
(unsigned long)hash_len - ISAKMP_GEN_SZ); |
1486 |
|
|
goto cleanup; |
1487 |
|
|
} |
1488 |
|
|
/* |
1489 |
|
|
* Check the payload's integrity. |
1490 |
|
|
* XXX Share with ipsec_fill_in_hash? |
1491 |
|
|
*/ |
1492 |
|
|
LOG_DBG_BUF((LOG_NEGOTIATION, 90, "responder_recv_HASH_SA_NONCE: " |
1493 |
|
|
"SKEYID_a", isa->skeyid_a, isa->skeyid_len)); |
1494 |
|
|
prf = prf_alloc(isa->prf_type, isa->hash, isa->skeyid_a, |
1495 |
|
|
isa->skeyid_len); |
1496 |
|
|
if (!prf) |
1497 |
|
|
goto cleanup; |
1498 |
|
|
prf->Init(prf->prfctx); |
1499 |
|
|
LOG_DBG_BUF((LOG_NEGOTIATION, 90, |
1500 |
|
|
"responder_recv_HASH_SA_NONCE: message_id", |
1501 |
|
|
exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN)); |
1502 |
|
|
prf->Update(prf->prfctx, exchange->message_id, |
1503 |
|
|
ISAKMP_HDR_MESSAGE_ID_LEN); |
1504 |
|
|
LOG_DBG_BUF((LOG_NEGOTIATION, 90, |
1505 |
|
|
"responder_recv_HASH_SA_NONCE: message after HASH", |
1506 |
|
|
hash + hash_len, |
1507 |
|
|
msg->iov[0].iov_len - ISAKMP_HDR_SZ - hash_len)); |
1508 |
|
|
prf->Update(prf->prfctx, hash + hash_len, |
1509 |
|
|
msg->iov[0].iov_len - ISAKMP_HDR_SZ - hash_len); |
1510 |
|
|
prf->Final(my_hash, prf->prfctx); |
1511 |
|
|
prf_free(prf); |
1512 |
|
|
LOG_DBG_BUF((LOG_NEGOTIATION, 90, |
1513 |
|
|
"responder_recv_HASH_SA_NONCE: computed HASH(1)", my_hash, |
1514 |
|
|
hash_len - ISAKMP_GEN_SZ)); |
1515 |
|
|
if (memcmp(hash + ISAKMP_GEN_SZ, my_hash, hash_len - ISAKMP_GEN_SZ) |
1516 |
|
|
!= 0) { |
1517 |
|
|
message_drop(msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION, 0, |
1518 |
|
|
1, 0); |
1519 |
|
|
goto cleanup; |
1520 |
|
|
} |
1521 |
|
|
free(my_hash); |
1522 |
|
|
my_hash = 0; |
1523 |
|
|
|
1524 |
|
|
/* Mark message as authenticated. */ |
1525 |
|
|
msg->flags |= MSG_AUTHENTICATED; |
1526 |
|
|
|
1527 |
|
|
kep = payload_first(msg, ISAKMP_PAYLOAD_KEY_EXCH); |
1528 |
|
|
if (kep) |
1529 |
|
|
ie->pfs = 1; |
1530 |
|
|
|
1531 |
|
|
/* Drop message when it contains ID types we do not implement yet. */ |
1532 |
|
|
TAILQ_FOREACH(idp, &msg->payload[ISAKMP_PAYLOAD_ID], link) { |
1533 |
|
|
switch (GET_ISAKMP_ID_TYPE(idp->p)) { |
1534 |
|
|
case IPSEC_ID_IPV4_ADDR: |
1535 |
|
|
case IPSEC_ID_IPV4_ADDR_SUBNET: |
1536 |
|
|
case IPSEC_ID_IPV6_ADDR: |
1537 |
|
|
case IPSEC_ID_IPV6_ADDR_SUBNET: |
1538 |
|
|
break; |
1539 |
|
|
|
1540 |
|
|
case IPSEC_ID_FQDN: |
1541 |
|
|
/* |
1542 |
|
|
* FQDN may be used for in NAT-T with transport mode. |
1543 |
|
|
* We can handle the message in this case. In the |
1544 |
|
|
* other cases we'll drop the message later. |
1545 |
|
|
*/ |
1546 |
|
|
break; |
1547 |
|
|
|
1548 |
|
|
default: |
1549 |
|
|
message_drop(msg, ISAKMP_NOTIFY_INVALID_ID_INFORMATION, |
1550 |
|
|
0, 1, 0); |
1551 |
|
|
goto cleanup; |
1552 |
|
|
} |
1553 |
|
|
} |
1554 |
|
|
|
1555 |
|
|
/* Handle optional client ID payloads. */ |
1556 |
|
|
idp = payload_first(msg, ISAKMP_PAYLOAD_ID); |
1557 |
|
|
if (idp) { |
1558 |
|
|
/* If IDci is there, IDcr must be too. */ |
1559 |
|
|
if (!TAILQ_NEXT(idp, link)) { |
1560 |
|
|
/* XXX Is this a good notify type? */ |
1561 |
|
|
message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, |
1562 |
|
|
1, 0); |
1563 |
|
|
goto cleanup; |
1564 |
|
|
} |
1565 |
|
|
ie->id_ci_sz = GET_ISAKMP_GEN_LENGTH(idp->p); |
1566 |
|
|
ie->id_ci = malloc(ie->id_ci_sz); |
1567 |
|
|
if (!ie->id_ci) { |
1568 |
|
|
log_error("responder_recv_HASH_SA_NONCE: " |
1569 |
|
|
"malloc (%lu) failed", |
1570 |
|
|
(unsigned long)ie->id_ci_sz); |
1571 |
|
|
goto cleanup; |
1572 |
|
|
} |
1573 |
|
|
memcpy(ie->id_ci, idp->p, ie->id_ci_sz); |
1574 |
|
|
idp->flags |= PL_MARK; |
1575 |
|
|
LOG_DBG_BUF((LOG_NEGOTIATION, 90, |
1576 |
|
|
"responder_recv_HASH_SA_NONCE: IDci", |
1577 |
|
|
ie->id_ci + ISAKMP_GEN_SZ, ie->id_ci_sz - ISAKMP_GEN_SZ)); |
1578 |
|
|
|
1579 |
|
|
idp = TAILQ_NEXT(idp, link); |
1580 |
|
|
ie->id_cr_sz = GET_ISAKMP_GEN_LENGTH(idp->p); |
1581 |
|
|
ie->id_cr = malloc(ie->id_cr_sz); |
1582 |
|
|
if (!ie->id_cr) { |
1583 |
|
|
log_error("responder_recv_HASH_SA_NONCE: " |
1584 |
|
|
"malloc (%lu) failed", |
1585 |
|
|
(unsigned long)ie->id_cr_sz); |
1586 |
|
|
goto cleanup; |
1587 |
|
|
} |
1588 |
|
|
memcpy(ie->id_cr, idp->p, ie->id_cr_sz); |
1589 |
|
|
idp->flags |= PL_MARK; |
1590 |
|
|
LOG_DBG_BUF((LOG_NEGOTIATION, 90, |
1591 |
|
|
"responder_recv_HASH_SA_NONCE: IDcr", |
1592 |
|
|
ie->id_cr + ISAKMP_GEN_SZ, ie->id_cr_sz - ISAKMP_GEN_SZ)); |
1593 |
|
|
} else { |
1594 |
|
|
/* |
1595 |
|
|
* If client identifiers are not present in the exchange, |
1596 |
|
|
* we fake them. RFC 2409 states: |
1597 |
|
|
* The identities of the SAs negotiated in Quick Mode are |
1598 |
|
|
* implicitly assumed to be the IP addresses of the ISAKMP |
1599 |
|
|
* peers, without any constraints on the protocol or port |
1600 |
|
|
* numbers allowed, unless client identifiers are specified |
1601 |
|
|
* in Quick Mode. |
1602 |
|
|
* |
1603 |
|
|
* -- Michael Paddon (mwp@aba.net.au) |
1604 |
|
|
*/ |
1605 |
|
|
|
1606 |
|
|
ie->flags = IPSEC_EXCH_FLAG_NO_ID; |
1607 |
|
|
|
1608 |
|
|
/* Get initiator and responder addresses. */ |
1609 |
|
|
msg->transport->vtbl->get_src(msg->transport, &src); |
1610 |
|
|
msg->transport->vtbl->get_dst(msg->transport, &dst); |
1611 |
|
|
ie->id_ci_sz = ISAKMP_ID_DATA_OFF + sockaddr_addrlen(src); |
1612 |
|
|
ie->id_cr_sz = ISAKMP_ID_DATA_OFF + sockaddr_addrlen(dst); |
1613 |
|
|
ie->id_ci = calloc(ie->id_ci_sz, sizeof(char)); |
1614 |
|
|
ie->id_cr = calloc(ie->id_cr_sz, sizeof(char)); |
1615 |
|
|
|
1616 |
|
|
if (!ie->id_ci || !ie->id_cr) { |
1617 |
|
|
log_error("responder_recv_HASH_SA_NONCE: " |
1618 |
|
|
"calloc (%lu, %lu) failed", |
1619 |
|
|
(unsigned long)ie->id_ci_sz, |
1620 |
|
|
(unsigned long)sizeof(char)); |
1621 |
|
|
goto cleanup; |
1622 |
|
|
} |
1623 |
|
|
if (src->sa_family != dst->sa_family) { |
1624 |
|
|
log_error("initiator_recv_HASH_SA_NONCE: " |
1625 |
|
|
"sa_family mismatch"); |
1626 |
|
|
goto cleanup; |
1627 |
|
|
} |
1628 |
|
|
switch (src->sa_family) { |
1629 |
|
|
case AF_INET: |
1630 |
|
|
SET_ISAKMP_ID_TYPE(ie->id_ci, IPSEC_ID_IPV4_ADDR); |
1631 |
|
|
SET_ISAKMP_ID_TYPE(ie->id_cr, IPSEC_ID_IPV4_ADDR); |
1632 |
|
|
break; |
1633 |
|
|
|
1634 |
|
|
case AF_INET6: |
1635 |
|
|
SET_ISAKMP_ID_TYPE(ie->id_ci, IPSEC_ID_IPV6_ADDR); |
1636 |
|
|
SET_ISAKMP_ID_TYPE(ie->id_cr, IPSEC_ID_IPV6_ADDR); |
1637 |
|
|
break; |
1638 |
|
|
|
1639 |
|
|
default: |
1640 |
|
|
log_error("initiator_recv_HASH_SA_NONCE: " |
1641 |
|
|
"unknown sa_family %d", src->sa_family); |
1642 |
|
|
goto cleanup; |
1643 |
|
|
} |
1644 |
|
|
|
1645 |
|
|
memcpy(ie->id_cr + ISAKMP_ID_DATA_OFF, sockaddr_addrdata(src), |
1646 |
|
|
sockaddr_addrlen(src)); |
1647 |
|
|
memcpy(ie->id_ci + ISAKMP_ID_DATA_OFF, sockaddr_addrdata(dst), |
1648 |
|
|
sockaddr_addrlen(dst)); |
1649 |
|
|
} |
1650 |
|
|
|
1651 |
|
|
if (message_negotiate_sa(msg, check_policy)) |
1652 |
|
|
goto cleanup; |
1653 |
|
|
|
1654 |
|
|
for (sa = TAILQ_FIRST(&exchange->sa_list); sa; |
1655 |
|
|
sa = TAILQ_NEXT(sa, next)) { |
1656 |
|
|
for (proto = TAILQ_FIRST(&sa->protos); proto; |
1657 |
|
|
proto = TAILQ_NEXT(proto, link)) { |
1658 |
|
|
/* |
1659 |
|
|
* XXX we need to have some attributes per proto, not |
1660 |
|
|
* all per SA. |
1661 |
|
|
*/ |
1662 |
|
|
ipsec_decode_transform(msg, sa, proto, |
1663 |
|
|
proto->chosen->p); |
1664 |
|
|
if (proto->proto == IPSEC_PROTO_IPSEC_AH && |
1665 |
|
|
!((struct ipsec_proto *)proto->data)->auth) { |
1666 |
|
|
log_print("responder_recv_HASH_SA_NONCE: " |
1667 |
|
|
"AH proposed without an algorithm " |
1668 |
|
|
"attribute"); |
1669 |
|
|
message_drop(msg, |
1670 |
|
|
ISAKMP_NOTIFY_NO_PROPOSAL_CHOSEN, 0, 1, 0); |
1671 |
|
|
goto next_sa; |
1672 |
|
|
} |
1673 |
|
|
} |
1674 |
|
|
|
1675 |
|
|
isa = sa->data; |
1676 |
|
|
|
1677 |
|
|
/* |
1678 |
|
|
* The group description is mandatory if we got a KEY_EXCH |
1679 |
|
|
* payload. |
1680 |
|
|
*/ |
1681 |
|
|
if (kep) { |
1682 |
|
|
if (!isa->group_desc) { |
1683 |
|
|
log_print("responder_recv_HASH_SA_NONCE: " |
1684 |
|
|
"KEY_EXCH payload without a group " |
1685 |
|
|
"desc. attribute"); |
1686 |
|
|
message_drop(msg, |
1687 |
|
|
ISAKMP_NOTIFY_NO_PROPOSAL_CHOSEN, 0, 1, 0); |
1688 |
|
|
continue; |
1689 |
|
|
} |
1690 |
|
|
/* Also, all SAs must have equal groups. */ |
1691 |
|
|
if (!group_desc) |
1692 |
|
|
group_desc = isa->group_desc; |
1693 |
|
|
else if (group_desc != isa->group_desc) { |
1694 |
|
|
log_print("responder_recv_HASH_SA_NONCE: " |
1695 |
|
|
"differing group descriptions in one QM"); |
1696 |
|
|
message_drop(msg, |
1697 |
|
|
ISAKMP_NOTIFY_NO_PROPOSAL_CHOSEN, 0, 1, 0); |
1698 |
|
|
continue; |
1699 |
|
|
} |
1700 |
|
|
} |
1701 |
|
|
/* At least one SA was accepted. */ |
1702 |
|
|
retval = 0; |
1703 |
|
|
|
1704 |
|
|
next_sa: |
1705 |
|
|
; /* XXX gcc3 wants this. */ |
1706 |
|
|
} |
1707 |
|
|
|
1708 |
|
|
if (kep) { |
1709 |
|
|
ie->group = group_get(group_desc); |
1710 |
|
|
if (!ie->group) { |
1711 |
|
|
/* |
1712 |
|
|
* XXX If the error was due to an out-of-range group |
1713 |
|
|
* description we should notify our peer, but this |
1714 |
|
|
* should probably be done by the attribute |
1715 |
|
|
* validation. Is it? |
1716 |
|
|
*/ |
1717 |
|
|
goto cleanup; |
1718 |
|
|
} |
1719 |
|
|
} |
1720 |
|
|
/* Copy out the initiator's nonce. */ |
1721 |
|
|
if (exchange_save_nonce(msg)) |
1722 |
|
|
goto cleanup; |
1723 |
|
|
|
1724 |
|
|
/* Handle the optional KEY_EXCH payload. */ |
1725 |
|
|
if (kep && ipsec_save_g_x(msg)) |
1726 |
|
|
goto cleanup; |
1727 |
|
|
|
1728 |
|
|
/* |
1729 |
|
|
* Try to find and set the connection name on the exchange. |
1730 |
|
|
*/ |
1731 |
|
|
|
1732 |
|
|
/* |
1733 |
|
|
* Check for accepted identities as well as lookup the connection |
1734 |
|
|
* name and set it on the exchange. |
1735 |
|
|
* |
1736 |
|
|
* When not using policies make sure the peer proposes sane IDs. |
1737 |
|
|
* Otherwise this is done by KeyNote. |
1738 |
|
|
*/ |
1739 |
|
|
name = connection_passive_lookup_by_ids(ie->id_ci, ie->id_cr); |
1740 |
|
|
if (name) { |
1741 |
|
|
exchange->name = strdup(name); |
1742 |
|
|
if (!exchange->name) { |
1743 |
|
|
log_error("responder_recv_HASH_SA_NONCE: " |
1744 |
|
|
"strdup (\"%s\") failed", name); |
1745 |
|
|
goto cleanup; |
1746 |
|
|
} |
1747 |
|
|
} else if ( |
1748 |
|
|
ignore_policy || |
1749 |
|
|
strncmp("yes", conf_get_str("General", "Use-Keynote"), 3)) { |
1750 |
|
|
log_print("responder_recv_HASH_SA_NONCE: peer proposed " |
1751 |
|
|
"invalid phase 2 IDs: %s", |
1752 |
|
|
(exchange->doi->decode_ids("initiator id %s, responder" |
1753 |
|
|
" id %s", ie->id_ci, ie->id_ci_sz, ie->id_cr, |
1754 |
|
|
ie->id_cr_sz, 1))); |
1755 |
|
|
message_drop(msg, ISAKMP_NOTIFY_INVALID_ID_INFORMATION, 0, 1, |
1756 |
|
|
0); |
1757 |
|
|
goto cleanup; |
1758 |
|
|
} |
1759 |
|
|
|
1760 |
|
|
return retval; |
1761 |
|
|
|
1762 |
|
|
cleanup: |
1763 |
|
|
/* Remove all potential protocols that have been added to the SAs. */ |
1764 |
|
|
for (sa = TAILQ_FIRST(&exchange->sa_list); sa; |
1765 |
|
|
sa = TAILQ_NEXT(sa, next)) |
1766 |
|
|
while ((proto = TAILQ_FIRST(&sa->protos)) != 0) |
1767 |
|
|
proto_free(proto); |
1768 |
|
|
free(my_hash); |
1769 |
|
|
free(ie->id_ci); |
1770 |
|
|
ie->id_ci = 0; |
1771 |
|
|
free(ie->id_cr); |
1772 |
|
|
ie->id_cr = 0; |
1773 |
|
|
return -1; |
1774 |
|
|
} |
1775 |
|
|
|
1776 |
|
|
/* Reply with the transform we chose. */ |
1777 |
|
|
static int |
1778 |
|
|
responder_send_HASH_SA_NONCE(struct message *msg) |
1779 |
|
|
{ |
1780 |
|
|
struct exchange *exchange = msg->exchange; |
1781 |
|
|
struct ipsec_exch *ie = exchange->data; |
1782 |
|
|
struct sa *isakmp_sa = msg->isakmp_sa; |
1783 |
|
|
struct ipsec_sa *isa = isakmp_sa->data; |
1784 |
|
|
struct prf *prf; |
1785 |
|
|
struct hash *hash = hash_get(isa->hash); |
1786 |
|
|
size_t nonce_sz = exchange->nonce_i_len; |
1787 |
|
|
u_int8_t *buf; |
1788 |
|
|
int initiator = exchange->initiator; |
1789 |
|
|
char header[80]; |
1790 |
|
|
u_int32_t i; |
1791 |
|
|
u_int8_t *id; |
1792 |
|
|
size_t sz; |
1793 |
|
|
|
1794 |
|
|
/* |
1795 |
|
|
* We want a HASH payload to start with. XXX Share with |
1796 |
|
|
* ike_main_mode.c? |
1797 |
|
|
*/ |
1798 |
|
|
buf = malloc(ISAKMP_HASH_SZ + hash->hashsize); |
1799 |
|
|
if (!buf) { |
1800 |
|
|
log_error("responder_send_HASH_SA_NONCE: malloc (%lu) failed", |
1801 |
|
|
ISAKMP_HASH_SZ + (unsigned long)hash->hashsize); |
1802 |
|
|
return -1; |
1803 |
|
|
} |
1804 |
|
|
if (message_add_payload(msg, ISAKMP_PAYLOAD_HASH, buf, |
1805 |
|
|
ISAKMP_HASH_SZ + hash->hashsize, 1)) { |
1806 |
|
|
free(buf); |
1807 |
|
|
return -1; |
1808 |
|
|
} |
1809 |
|
|
/* Add the SA payload(s) with the transform(s) that was/were chosen. */ |
1810 |
|
|
if (message_add_sa_payload(msg)) |
1811 |
|
|
return -1; |
1812 |
|
|
|
1813 |
|
|
/* Generate a nonce, and add it to the message. */ |
1814 |
|
|
if (exchange_gen_nonce(msg, nonce_sz)) |
1815 |
|
|
return -1; |
1816 |
|
|
|
1817 |
|
|
/* Generate optional KEY_EXCH payload. This is known as PFS. */ |
1818 |
|
|
if (ie->group && ipsec_gen_g_x(msg)) |
1819 |
|
|
return -1; |
1820 |
|
|
|
1821 |
|
|
/* |
1822 |
|
|
* If the initiator client ID's were acceptable, just mirror them |
1823 |
|
|
* back. |
1824 |
|
|
*/ |
1825 |
|
|
if (!(ie->flags & IPSEC_EXCH_FLAG_NO_ID)) { |
1826 |
|
|
sz = ie->id_ci_sz; |
1827 |
|
|
id = malloc(sz); |
1828 |
|
|
if (!id) { |
1829 |
|
|
log_error("responder_send_HASH_SA_NONCE: " |
1830 |
|
|
"malloc (%lu) failed", (unsigned long)sz); |
1831 |
|
|
return -1; |
1832 |
|
|
} |
1833 |
|
|
memcpy(id, ie->id_ci, sz); |
1834 |
|
|
LOG_DBG_BUF((LOG_NEGOTIATION, 90, |
1835 |
|
|
"responder_send_HASH_SA_NONCE: IDic", id, sz)); |
1836 |
|
|
if (message_add_payload(msg, ISAKMP_PAYLOAD_ID, id, sz, 1)) { |
1837 |
|
|
free(id); |
1838 |
|
|
return -1; |
1839 |
|
|
} |
1840 |
|
|
sz = ie->id_cr_sz; |
1841 |
|
|
id = malloc(sz); |
1842 |
|
|
if (!id) { |
1843 |
|
|
log_error("responder_send_HASH_SA_NONCE: " |
1844 |
|
|
"malloc (%lu) failed", (unsigned long)sz); |
1845 |
|
|
return -1; |
1846 |
|
|
} |
1847 |
|
|
memcpy(id, ie->id_cr, sz); |
1848 |
|
|
LOG_DBG_BUF((LOG_NEGOTIATION, 90, |
1849 |
|
|
"responder_send_HASH_SA_NONCE: IDrc", id, sz)); |
1850 |
|
|
if (message_add_payload(msg, ISAKMP_PAYLOAD_ID, id, sz, 1)) { |
1851 |
|
|
free(id); |
1852 |
|
|
return -1; |
1853 |
|
|
} |
1854 |
|
|
} |
1855 |
|
|
/* Allocate the prf and start calculating our HASH(2). XXX Share? */ |
1856 |
|
|
LOG_DBG((LOG_NEGOTIATION, 90, "responder_recv_HASH: " |
1857 |
|
|
"isakmp_sa %p isa %p", isakmp_sa, isa)); |
1858 |
|
|
LOG_DBG_BUF((LOG_NEGOTIATION, 90, "responder_send_HASH_SA_NONCE: " |
1859 |
|
|
"SKEYID_a", isa->skeyid_a, isa->skeyid_len)); |
1860 |
|
|
prf = prf_alloc(isa->prf_type, hash->type, isa->skeyid_a, |
1861 |
|
|
isa->skeyid_len); |
1862 |
|
|
if (!prf) |
1863 |
|
|
return -1; |
1864 |
|
|
prf->Init(prf->prfctx); |
1865 |
|
|
LOG_DBG_BUF((LOG_NEGOTIATION, 90, |
1866 |
|
|
"responder_send_HASH_SA_NONCE: message_id", |
1867 |
|
|
exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN)); |
1868 |
|
|
prf->Update(prf->prfctx, exchange->message_id, |
1869 |
|
|
ISAKMP_HDR_MESSAGE_ID_LEN); |
1870 |
|
|
LOG_DBG_BUF((LOG_NEGOTIATION, 90, "responder_send_HASH_SA_NONCE: " |
1871 |
|
|
"NONCE_I_b", exchange->nonce_i, exchange->nonce_i_len)); |
1872 |
|
|
prf->Update(prf->prfctx, exchange->nonce_i, exchange->nonce_i_len); |
1873 |
|
|
|
1874 |
|
|
/* Loop over all payloads after HASH(2). */ |
1875 |
|
|
for (i = 2; i < msg->iovlen; i++) { |
1876 |
|
|
/* XXX Misleading payload type printouts. */ |
1877 |
|
|
snprintf(header, sizeof header, |
1878 |
|
|
"responder_send_HASH_SA_NONCE: payload %d after HASH(2)", |
1879 |
|
|
i - 1); |
1880 |
|
|
LOG_DBG_BUF((LOG_NEGOTIATION, 90, header, msg->iov[i].iov_base, |
1881 |
|
|
msg->iov[i].iov_len)); |
1882 |
|
|
prf->Update(prf->prfctx, msg->iov[i].iov_base, |
1883 |
|
|
msg->iov[i].iov_len); |
1884 |
|
|
} |
1885 |
|
|
prf->Final(buf + ISAKMP_HASH_DATA_OFF, prf->prfctx); |
1886 |
|
|
prf_free(prf); |
1887 |
|
|
snprintf(header, sizeof header, "responder_send_HASH_SA_NONCE: " |
1888 |
|
|
"HASH_%c", initiator ? 'I' : 'R'); |
1889 |
|
|
LOG_DBG_BUF((LOG_NEGOTIATION, 80, header, buf + ISAKMP_HASH_DATA_OFF, |
1890 |
|
|
hash->hashsize)); |
1891 |
|
|
|
1892 |
|
|
if (ie->group) |
1893 |
|
|
message_register_post_send(msg, gen_g_xy); |
1894 |
|
|
|
1895 |
|
|
return 0; |
1896 |
|
|
} |
1897 |
|
|
|
1898 |
|
|
static void |
1899 |
|
|
gen_g_xy(struct message *msg) |
1900 |
|
|
{ |
1901 |
|
|
struct exchange *exchange = msg->exchange; |
1902 |
|
|
struct ipsec_exch *ie = exchange->data; |
1903 |
|
|
|
1904 |
|
|
/* Compute Diffie-Hellman shared value. */ |
1905 |
|
|
ie->g_xy_len = dh_secretlen(ie->group); |
1906 |
|
|
ie->g_xy = malloc(ie->g_xy_len); |
1907 |
|
|
if (!ie->g_xy) { |
1908 |
|
|
log_error("gen_g_xy: malloc (%lu) failed", |
1909 |
|
|
(unsigned long)ie->g_xy_len); |
1910 |
|
|
return; |
1911 |
|
|
} |
1912 |
|
|
if (dh_create_shared(ie->group, ie->g_xy, |
1913 |
|
|
exchange->initiator ? ie->g_xr : ie->g_xi)) { |
1914 |
|
|
log_print("gen_g_xy: dh_create_shared failed"); |
1915 |
|
|
return; |
1916 |
|
|
} |
1917 |
|
|
LOG_DBG_BUF((LOG_NEGOTIATION, 80, "gen_g_xy: g^xy", ie->g_xy, |
1918 |
|
|
ie->g_xy_len)); |
1919 |
|
|
} |
1920 |
|
|
|
1921 |
|
|
static int |
1922 |
|
|
responder_recv_HASH(struct message *msg) |
1923 |
|
|
{ |
1924 |
|
|
struct exchange *exchange = msg->exchange; |
1925 |
|
|
struct sa *isakmp_sa = msg->isakmp_sa; |
1926 |
|
|
struct ipsec_sa *isa = isakmp_sa->data; |
1927 |
|
|
struct prf *prf; |
1928 |
|
|
u_int8_t *hash, *my_hash = 0; |
1929 |
|
|
size_t hash_len; |
1930 |
|
|
struct payload *hashp; |
1931 |
|
|
|
1932 |
|
|
/* Find HASH(3) and create our own hash, just as big. */ |
1933 |
|
|
hashp = payload_first(msg, ISAKMP_PAYLOAD_HASH); |
1934 |
|
|
hash = hashp->p; |
1935 |
|
|
hashp->flags |= PL_MARK; |
1936 |
|
|
hash_len = GET_ISAKMP_GEN_LENGTH(hash); |
1937 |
|
|
my_hash = malloc(hash_len - ISAKMP_GEN_SZ); |
1938 |
|
|
if (!my_hash) { |
1939 |
|
|
log_error("responder_recv_HASH: malloc (%lu) failed", |
1940 |
|
|
(unsigned long)hash_len - ISAKMP_GEN_SZ); |
1941 |
|
|
goto cleanup; |
1942 |
|
|
} |
1943 |
|
|
/* Allocate the prf and start calculating our HASH(3). XXX Share? */ |
1944 |
|
|
LOG_DBG((LOG_NEGOTIATION, 90, "responder_recv_HASH: " |
1945 |
|
|
"isakmp_sa %p isa %p", isakmp_sa, isa)); |
1946 |
|
|
LOG_DBG_BUF((LOG_NEGOTIATION, 90, "responder_recv_HASH: SKEYID_a", |
1947 |
|
|
isa->skeyid_a, isa->skeyid_len)); |
1948 |
|
|
prf = prf_alloc(isa->prf_type, isa->hash, isa->skeyid_a, |
1949 |
|
|
isa->skeyid_len); |
1950 |
|
|
if (!prf) |
1951 |
|
|
goto cleanup; |
1952 |
|
|
prf->Init(prf->prfctx); |
1953 |
|
|
prf->Update(prf->prfctx, (unsigned char *)"\0", 1); |
1954 |
|
|
LOG_DBG_BUF((LOG_NEGOTIATION, 90, "responder_recv_HASH: message_id", |
1955 |
|
|
exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN)); |
1956 |
|
|
prf->Update(prf->prfctx, exchange->message_id, |
1957 |
|
|
ISAKMP_HDR_MESSAGE_ID_LEN); |
1958 |
|
|
LOG_DBG_BUF((LOG_NEGOTIATION, 90, "responder_recv_HASH: NONCE_I_b", |
1959 |
|
|
exchange->nonce_i, exchange->nonce_i_len)); |
1960 |
|
|
prf->Update(prf->prfctx, exchange->nonce_i, exchange->nonce_i_len); |
1961 |
|
|
LOG_DBG_BUF((LOG_NEGOTIATION, 90, "responder_recv_HASH: NONCE_R_b", |
1962 |
|
|
exchange->nonce_r, exchange->nonce_r_len)); |
1963 |
|
|
prf->Update(prf->prfctx, exchange->nonce_r, exchange->nonce_r_len); |
1964 |
|
|
prf->Final(my_hash, prf->prfctx); |
1965 |
|
|
prf_free(prf); |
1966 |
|
|
LOG_DBG_BUF((LOG_NEGOTIATION, 90, |
1967 |
|
|
"responder_recv_HASH: computed HASH(3)", my_hash, |
1968 |
|
|
hash_len - ISAKMP_GEN_SZ)); |
1969 |
|
|
if (memcmp(hash + ISAKMP_GEN_SZ, my_hash, hash_len - ISAKMP_GEN_SZ) |
1970 |
|
|
!= 0) { |
1971 |
|
|
message_drop(msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION, 0, |
1972 |
|
|
1, 0); |
1973 |
|
|
goto cleanup; |
1974 |
|
|
} |
1975 |
|
|
free(my_hash); |
1976 |
|
|
|
1977 |
|
|
/* Mark message as authenticated. */ |
1978 |
|
|
msg->flags |= MSG_AUTHENTICATED; |
1979 |
|
|
|
1980 |
|
|
post_quick_mode(msg); |
1981 |
|
|
|
1982 |
|
|
return 0; |
1983 |
|
|
|
1984 |
|
|
cleanup: |
1985 |
|
|
free(my_hash); |
1986 |
|
|
return -1; |
1987 |
|
|
} |