1 | #include <machine/rtems-bsd-user-space.h> |
---|
2 | #ifdef __rtems__ |
---|
3 | #include <machine/rtems-bsd-program.h> |
---|
4 | #include "rtems-bsd-racoon-namespace.h" |
---|
5 | #endif /* __rtems__ */ |
---|
6 | |
---|
7 | /* $NetBSD: isakmp_agg.c,v 1.16 2009/09/18 10:31:11 tteras Exp $ */ |
---|
8 | |
---|
9 | /* Id: isakmp_agg.c,v 1.28 2006/04/06 16:46:08 manubsd Exp */ |
---|
10 | |
---|
11 | /* |
---|
12 | * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. |
---|
13 | * All rights reserved. |
---|
14 | * |
---|
15 | * Redistribution and use in source and binary forms, with or without |
---|
16 | * modification, are permitted provided that the following conditions |
---|
17 | * are met: |
---|
18 | * 1. Redistributions of source code must retain the above copyright |
---|
19 | * notice, this list of conditions and the following disclaimer. |
---|
20 | * 2. Redistributions in binary form must reproduce the above copyright |
---|
21 | * notice, this list of conditions and the following disclaimer in the |
---|
22 | * documentation and/or other materials provided with the distribution. |
---|
23 | * 3. Neither the name of the project nor the names of its contributors |
---|
24 | * may be used to endorse or promote products derived from this software |
---|
25 | * without specific prior written permission. |
---|
26 | * |
---|
27 | * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND |
---|
28 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
---|
29 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
---|
30 | * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE |
---|
31 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
---|
32 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
---|
33 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
---|
34 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
---|
35 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
---|
36 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
---|
37 | * SUCH DAMAGE. |
---|
38 | */ |
---|
39 | |
---|
40 | /* Aggressive Exchange (Aggressive Mode) */ |
---|
41 | |
---|
42 | #include "config.h" |
---|
43 | |
---|
44 | #include <sys/types.h> |
---|
45 | #include <sys/param.h> |
---|
46 | |
---|
47 | #include <stdlib.h> |
---|
48 | #include <stdio.h> |
---|
49 | #include <string.h> |
---|
50 | #include <errno.h> |
---|
51 | #if TIME_WITH_SYS_TIME |
---|
52 | # include <sys/time.h> |
---|
53 | # include <time.h> |
---|
54 | #else |
---|
55 | # if HAVE_SYS_TIME_H |
---|
56 | # include <sys/time.h> |
---|
57 | # else |
---|
58 | # include <time.h> |
---|
59 | # endif |
---|
60 | #endif |
---|
61 | |
---|
62 | #include "var.h" |
---|
63 | #include "misc.h" |
---|
64 | #include "vmbuf.h" |
---|
65 | #include "plog.h" |
---|
66 | #include "sockmisc.h" |
---|
67 | #include "schedule.h" |
---|
68 | #include "debug.h" |
---|
69 | |
---|
70 | #ifdef ENABLE_HYBRID |
---|
71 | #include <resolv.h> |
---|
72 | #endif |
---|
73 | |
---|
74 | #include "localconf.h" |
---|
75 | #include "remoteconf.h" |
---|
76 | #include "isakmp_var.h" |
---|
77 | #include "isakmp.h" |
---|
78 | #include "evt.h" |
---|
79 | #include "oakley.h" |
---|
80 | #include "handler.h" |
---|
81 | #include "ipsec_doi.h" |
---|
82 | #include "crypto_openssl.h" |
---|
83 | #include "pfkey.h" |
---|
84 | #include "isakmp_agg.h" |
---|
85 | #include "isakmp_inf.h" |
---|
86 | #ifdef ENABLE_HYBRID |
---|
87 | #include "isakmp_xauth.h" |
---|
88 | #include "isakmp_cfg.h" |
---|
89 | #endif |
---|
90 | #ifdef ENABLE_FRAG |
---|
91 | #include "isakmp_frag.h" |
---|
92 | #endif |
---|
93 | #include "vendorid.h" |
---|
94 | #include "strnames.h" |
---|
95 | |
---|
96 | #ifdef ENABLE_NATT |
---|
97 | #include "nattraversal.h" |
---|
98 | #endif |
---|
99 | |
---|
100 | #ifdef HAVE_GSSAPI |
---|
101 | #include "gssapi.h" |
---|
102 | #endif |
---|
103 | |
---|
104 | /* |
---|
105 | * begin Aggressive Mode as initiator. |
---|
106 | */ |
---|
107 | /* |
---|
108 | * send to responder |
---|
109 | * psk: HDR, SA, KE, Ni, IDi1 |
---|
110 | * sig: HDR, SA, KE, Ni, IDi1 [, CR ] |
---|
111 | * gssapi: HDR, SA, KE, Ni, IDi1, GSSi |
---|
112 | * rsa: HDR, SA, [ HASH(1),] KE, <IDi1_b>Pubkey_r, <Ni_b>Pubkey_r |
---|
113 | * rev: HDR, SA, [ HASH(1),] <Ni_b>Pubkey_r, <KE_b>Ke_i, |
---|
114 | * <IDii_b>Ke_i [, <Cert-I_b>Ke_i ] |
---|
115 | */ |
---|
116 | int |
---|
117 | agg_i1send(iph1, msg) |
---|
118 | struct ph1handle *iph1; |
---|
119 | vchar_t *msg; /* must be null */ |
---|
120 | { |
---|
121 | struct payload_list *plist = NULL; |
---|
122 | int error = -1; |
---|
123 | #ifdef ENABLE_NATT |
---|
124 | vchar_t *vid_natt[MAX_NATT_VID_COUNT] = { NULL }; |
---|
125 | int i; |
---|
126 | #endif |
---|
127 | #ifdef ENABLE_HYBRID |
---|
128 | vchar_t *vid_xauth = NULL; |
---|
129 | vchar_t *vid_unity = NULL; |
---|
130 | #endif |
---|
131 | #ifdef ENABLE_FRAG |
---|
132 | vchar_t *vid_frag = NULL; |
---|
133 | #endif |
---|
134 | #ifdef HAVE_GSSAPI |
---|
135 | vchar_t *gsstoken = NULL; |
---|
136 | int len; |
---|
137 | #endif |
---|
138 | #ifdef ENABLE_DPD |
---|
139 | vchar_t *vid_dpd = NULL; |
---|
140 | #endif |
---|
141 | |
---|
142 | /* validity check */ |
---|
143 | if (msg != NULL) { |
---|
144 | plog(LLV_ERROR, LOCATION, NULL, |
---|
145 | "msg has to be NULL in this function.\n"); |
---|
146 | goto end; |
---|
147 | } |
---|
148 | if (iph1->status != PHASE1ST_START) { |
---|
149 | plog(LLV_ERROR, LOCATION, NULL, |
---|
150 | "status mismatched %d.\n", iph1->status); |
---|
151 | goto end; |
---|
152 | } |
---|
153 | |
---|
154 | /* create isakmp index */ |
---|
155 | memset(&iph1->index, 0, sizeof(iph1->index)); |
---|
156 | isakmp_newcookie((caddr_t)&iph1->index, iph1->remote, iph1->local); |
---|
157 | |
---|
158 | /* make ID payload into isakmp status */ |
---|
159 | if (ipsecdoi_setid1(iph1) < 0) |
---|
160 | goto end; |
---|
161 | |
---|
162 | /* create SA payload for my proposal */ |
---|
163 | iph1->sa = ipsecdoi_setph1proposal(iph1->rmconf, iph1->rmconf->proposal); |
---|
164 | if (iph1->sa == NULL) |
---|
165 | goto end; |
---|
166 | |
---|
167 | /* consistency check of proposals */ |
---|
168 | if (iph1->rmconf->dhgrp == NULL) { |
---|
169 | plog(LLV_ERROR, LOCATION, NULL, |
---|
170 | "configuration failure about DH group.\n"); |
---|
171 | goto end; |
---|
172 | } |
---|
173 | |
---|
174 | /* generate DH public value */ |
---|
175 | if (oakley_dh_generate(iph1->rmconf->dhgrp, |
---|
176 | &iph1->dhpub, &iph1->dhpriv) < 0) |
---|
177 | goto end; |
---|
178 | |
---|
179 | /* generate NONCE value */ |
---|
180 | iph1->nonce = eay_set_random(iph1->rmconf->nonce_size); |
---|
181 | if (iph1->nonce == NULL) |
---|
182 | goto end; |
---|
183 | |
---|
184 | #ifdef ENABLE_HYBRID |
---|
185 | /* Do we need Xauth VID? */ |
---|
186 | switch (iph1->rmconf->proposal->authmethod) { |
---|
187 | case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I: |
---|
188 | case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: |
---|
189 | case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: |
---|
190 | case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: |
---|
191 | case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: |
---|
192 | case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I: |
---|
193 | case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I: |
---|
194 | if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL) |
---|
195 | plog(LLV_ERROR, LOCATION, NULL, |
---|
196 | "Xauth vendor ID generation failed\n"); |
---|
197 | if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL) |
---|
198 | plog(LLV_ERROR, LOCATION, NULL, |
---|
199 | "Unity vendor ID generation failed\n"); |
---|
200 | break; |
---|
201 | default: |
---|
202 | break; |
---|
203 | } |
---|
204 | #endif |
---|
205 | |
---|
206 | #ifdef ENABLE_FRAG |
---|
207 | if (iph1->rmconf->ike_frag) { |
---|
208 | vid_frag = set_vendorid(VENDORID_FRAG); |
---|
209 | if (vid_frag != NULL) |
---|
210 | vid_frag = isakmp_frag_addcap(vid_frag, |
---|
211 | VENDORID_FRAG_AGG); |
---|
212 | if (vid_frag == NULL) |
---|
213 | plog(LLV_ERROR, LOCATION, NULL, |
---|
214 | "Frag vendorID construction failed\n"); |
---|
215 | } |
---|
216 | #endif |
---|
217 | |
---|
218 | plog(LLV_DEBUG, LOCATION, NULL, "authmethod is %s\n", |
---|
219 | s_oakley_attr_method(iph1->rmconf->proposal->authmethod)); |
---|
220 | #ifdef HAVE_GSSAPI |
---|
221 | if (iph1->rmconf->proposal->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) |
---|
222 | gssapi_get_itoken(iph1, &len); |
---|
223 | #endif |
---|
224 | |
---|
225 | /* set SA payload to propose */ |
---|
226 | plist = isakmp_plist_append(plist, iph1->sa, ISAKMP_NPTYPE_SA); |
---|
227 | |
---|
228 | /* create isakmp KE payload */ |
---|
229 | plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE); |
---|
230 | |
---|
231 | /* create isakmp NONCE payload */ |
---|
232 | plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE); |
---|
233 | |
---|
234 | /* create isakmp ID payload */ |
---|
235 | plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID); |
---|
236 | |
---|
237 | #ifdef HAVE_GSSAPI |
---|
238 | if (iph1->rmconf->proposal->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) { |
---|
239 | if (gssapi_get_token_to_send(iph1, &gsstoken) < 0) { |
---|
240 | plog(LLV_ERROR, LOCATION, NULL, |
---|
241 | "Failed to get gssapi token.\n"); |
---|
242 | goto end; |
---|
243 | } |
---|
244 | plist = isakmp_plist_append(plist, gsstoken, ISAKMP_NPTYPE_GSS); |
---|
245 | } |
---|
246 | #endif |
---|
247 | /* create isakmp CR payload */ |
---|
248 | if (oakley_needcr(iph1->rmconf->proposal->authmethod)) |
---|
249 | plist = oakley_append_cr(plist, iph1); |
---|
250 | |
---|
251 | #ifdef ENABLE_FRAG |
---|
252 | if (vid_frag) |
---|
253 | plist = isakmp_plist_append(plist, vid_frag, ISAKMP_NPTYPE_VID); |
---|
254 | #endif |
---|
255 | #ifdef ENABLE_NATT |
---|
256 | /* |
---|
257 | * set VID payload for NAT-T if NAT-T |
---|
258 | * support allowed in the config file |
---|
259 | */ |
---|
260 | if (iph1->rmconf->nat_traversal) |
---|
261 | plist = isakmp_plist_append_natt_vids(plist, vid_natt); |
---|
262 | #endif |
---|
263 | #ifdef ENABLE_HYBRID |
---|
264 | if (vid_xauth) |
---|
265 | plist = isakmp_plist_append(plist, |
---|
266 | vid_xauth, ISAKMP_NPTYPE_VID); |
---|
267 | if (vid_unity) |
---|
268 | plist = isakmp_plist_append(plist, |
---|
269 | vid_unity, ISAKMP_NPTYPE_VID); |
---|
270 | #endif |
---|
271 | #ifdef ENABLE_DPD |
---|
272 | if(iph1->rmconf->dpd){ |
---|
273 | vid_dpd = set_vendorid(VENDORID_DPD); |
---|
274 | if (vid_dpd != NULL) |
---|
275 | plist = isakmp_plist_append(plist, vid_dpd, ISAKMP_NPTYPE_VID); |
---|
276 | } |
---|
277 | #endif |
---|
278 | |
---|
279 | iph1->sendbuf = isakmp_plist_set_all (&plist, iph1); |
---|
280 | |
---|
281 | #ifdef HAVE_PRINT_ISAKMP_C |
---|
282 | isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0); |
---|
283 | #endif |
---|
284 | |
---|
285 | /* send the packet, add to the schedule to resend */ |
---|
286 | if (isakmp_ph1send(iph1) == -1) |
---|
287 | goto end; |
---|
288 | |
---|
289 | iph1->status = PHASE1ST_MSG1SENT; |
---|
290 | |
---|
291 | error = 0; |
---|
292 | |
---|
293 | end: |
---|
294 | #ifdef HAVE_GSSAPI |
---|
295 | if (gsstoken) |
---|
296 | vfree(gsstoken); |
---|
297 | #endif |
---|
298 | #ifdef ENABLE_FRAG |
---|
299 | if (vid_frag) |
---|
300 | vfree(vid_frag); |
---|
301 | #endif |
---|
302 | #ifdef ENABLE_NATT |
---|
303 | for (i = 0; i < MAX_NATT_VID_COUNT && vid_natt[i] != NULL; i++) |
---|
304 | vfree(vid_natt[i]); |
---|
305 | #endif |
---|
306 | #ifdef ENABLE_HYBRID |
---|
307 | if (vid_xauth != NULL) |
---|
308 | vfree(vid_xauth); |
---|
309 | if (vid_unity != NULL) |
---|
310 | vfree(vid_unity); |
---|
311 | #endif |
---|
312 | #ifdef ENABLE_DPD |
---|
313 | if (vid_dpd != NULL) |
---|
314 | vfree(vid_dpd); |
---|
315 | #endif |
---|
316 | |
---|
317 | return error; |
---|
318 | } |
---|
319 | |
---|
320 | /* |
---|
321 | * receive from responder |
---|
322 | * psk: HDR, SA, KE, Nr, IDr1, HASH_R |
---|
323 | * sig: HDR, SA, KE, Nr, IDr1, [ CR, ] [ CERT, ] SIG_R |
---|
324 | * gssapi: HDR, SA, KE, Nr, IDr1, GSSr, HASH_R |
---|
325 | * rsa: HDR, SA, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i, HASH_R |
---|
326 | * rev: HDR, SA, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDir_b>Ke_r, HASH_R |
---|
327 | */ |
---|
328 | int |
---|
329 | agg_i2recv(iph1, msg) |
---|
330 | struct ph1handle *iph1; |
---|
331 | vchar_t *msg; |
---|
332 | { |
---|
333 | vchar_t *pbuf = NULL; |
---|
334 | struct isakmp_parse_t *pa; |
---|
335 | vchar_t *satmp = NULL; |
---|
336 | int error = -1; |
---|
337 | int ptype; |
---|
338 | #ifdef ENABLE_HYBRID |
---|
339 | vchar_t *unity_vid; |
---|
340 | vchar_t *xauth_vid; |
---|
341 | #endif |
---|
342 | #ifdef HAVE_GSSAPI |
---|
343 | vchar_t *gsstoken = NULL; |
---|
344 | #endif |
---|
345 | |
---|
346 | #ifdef ENABLE_NATT |
---|
347 | int natd_seq = 0; |
---|
348 | struct natd_payload { |
---|
349 | int seq; |
---|
350 | vchar_t *payload; |
---|
351 | TAILQ_ENTRY(natd_payload) chain; |
---|
352 | }; |
---|
353 | TAILQ_HEAD(_natd_payload, natd_payload) natd_tree; |
---|
354 | TAILQ_INIT(&natd_tree); |
---|
355 | #endif |
---|
356 | |
---|
357 | /* validity check */ |
---|
358 | if (iph1->status != PHASE1ST_MSG1SENT) { |
---|
359 | plog(LLV_ERROR, LOCATION, NULL, |
---|
360 | "status mismatched %d.\n", iph1->status); |
---|
361 | goto end; |
---|
362 | } |
---|
363 | |
---|
364 | /* validate the type of next payload */ |
---|
365 | pbuf = isakmp_parse(msg); |
---|
366 | if (pbuf == NULL) |
---|
367 | goto end; |
---|
368 | pa = (struct isakmp_parse_t *)pbuf->v; |
---|
369 | |
---|
370 | iph1->pl_hash = NULL; |
---|
371 | |
---|
372 | /* SA payload is fixed postion */ |
---|
373 | if (pa->type != ISAKMP_NPTYPE_SA) { |
---|
374 | plog(LLV_ERROR, LOCATION, iph1->remote, |
---|
375 | "received invalid next payload type %d, " |
---|
376 | "expecting %d.\n", |
---|
377 | pa->type, ISAKMP_NPTYPE_SA); |
---|
378 | goto end; |
---|
379 | } |
---|
380 | |
---|
381 | if (isakmp_p2ph(&satmp, pa->ptr) < 0) |
---|
382 | goto end; |
---|
383 | pa++; |
---|
384 | |
---|
385 | for (/*nothing*/; |
---|
386 | pa->type != ISAKMP_NPTYPE_NONE; |
---|
387 | pa++) { |
---|
388 | |
---|
389 | switch (pa->type) { |
---|
390 | case ISAKMP_NPTYPE_KE: |
---|
391 | if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) |
---|
392 | goto end; |
---|
393 | break; |
---|
394 | case ISAKMP_NPTYPE_NONCE: |
---|
395 | if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) |
---|
396 | goto end; |
---|
397 | break; |
---|
398 | case ISAKMP_NPTYPE_ID: |
---|
399 | if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) |
---|
400 | goto end; |
---|
401 | break; |
---|
402 | case ISAKMP_NPTYPE_HASH: |
---|
403 | iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr; |
---|
404 | break; |
---|
405 | case ISAKMP_NPTYPE_CR: |
---|
406 | if (oakley_savecr(iph1, pa->ptr) < 0) |
---|
407 | goto end; |
---|
408 | break; |
---|
409 | case ISAKMP_NPTYPE_CERT: |
---|
410 | if (oakley_savecert(iph1, pa->ptr) < 0) |
---|
411 | goto end; |
---|
412 | break; |
---|
413 | case ISAKMP_NPTYPE_SIG: |
---|
414 | if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) |
---|
415 | goto end; |
---|
416 | break; |
---|
417 | case ISAKMP_NPTYPE_VID: |
---|
418 | handle_vendorid(iph1, pa->ptr); |
---|
419 | break; |
---|
420 | case ISAKMP_NPTYPE_N: |
---|
421 | isakmp_log_notify(iph1, |
---|
422 | (struct isakmp_pl_n *) pa->ptr, |
---|
423 | "aggressive exchange"); |
---|
424 | break; |
---|
425 | #ifdef HAVE_GSSAPI |
---|
426 | case ISAKMP_NPTYPE_GSS: |
---|
427 | if (isakmp_p2ph(&gsstoken, pa->ptr) < 0) |
---|
428 | goto end; |
---|
429 | gssapi_save_received_token(iph1, gsstoken); |
---|
430 | break; |
---|
431 | #endif |
---|
432 | |
---|
433 | #ifdef ENABLE_NATT |
---|
434 | case ISAKMP_NPTYPE_NATD_DRAFT: |
---|
435 | case ISAKMP_NPTYPE_NATD_RFC: |
---|
436 | if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL && |
---|
437 | pa->type == iph1->natt_options->payload_nat_d) { |
---|
438 | struct natd_payload *natd; |
---|
439 | natd = (struct natd_payload *)racoon_malloc(sizeof(*natd)); |
---|
440 | if (!natd) |
---|
441 | goto end; |
---|
442 | |
---|
443 | natd->payload = NULL; |
---|
444 | |
---|
445 | if (isakmp_p2ph (&natd->payload, pa->ptr) < 0) |
---|
446 | goto end; |
---|
447 | |
---|
448 | natd->seq = natd_seq++; |
---|
449 | |
---|
450 | TAILQ_INSERT_TAIL(&natd_tree, natd, chain); |
---|
451 | break; |
---|
452 | } |
---|
453 | /* passthrough to default... */ |
---|
454 | #endif |
---|
455 | |
---|
456 | default: |
---|
457 | /* don't send information, see isakmp_ident_r1() */ |
---|
458 | plog(LLV_ERROR, LOCATION, iph1->remote, |
---|
459 | "ignore the packet, " |
---|
460 | "received unexpecting payload type %d.\n", |
---|
461 | pa->type); |
---|
462 | goto end; |
---|
463 | } |
---|
464 | } |
---|
465 | |
---|
466 | /* payload existency check */ |
---|
467 | if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) { |
---|
468 | plog(LLV_ERROR, LOCATION, iph1->remote, |
---|
469 | "few isakmp message received.\n"); |
---|
470 | goto end; |
---|
471 | } |
---|
472 | |
---|
473 | /* verify identifier */ |
---|
474 | if (ipsecdoi_checkid1(iph1) != 0) { |
---|
475 | plog(LLV_ERROR, LOCATION, iph1->remote, |
---|
476 | "invalid ID payload.\n"); |
---|
477 | goto end; |
---|
478 | } |
---|
479 | |
---|
480 | /* check SA payload and set approval SA for use */ |
---|
481 | if (ipsecdoi_checkph1proposal(satmp, iph1) < 0) { |
---|
482 | plog(LLV_ERROR, LOCATION, iph1->remote, |
---|
483 | "failed to get valid proposal.\n"); |
---|
484 | /* XXX send information */ |
---|
485 | goto end; |
---|
486 | } |
---|
487 | VPTRINIT(iph1->sa_ret); |
---|
488 | |
---|
489 | /* fix isakmp index */ |
---|
490 | memcpy(&iph1->index.r_ck, &((struct isakmp *)msg->v)->r_ck, |
---|
491 | sizeof(cookie_t)); |
---|
492 | |
---|
493 | #ifdef ENABLE_NATT |
---|
494 | if (NATT_AVAILABLE(iph1)) { |
---|
495 | struct natd_payload *natd = NULL; |
---|
496 | int natd_verified; |
---|
497 | |
---|
498 | plog(LLV_INFO, LOCATION, iph1->remote, |
---|
499 | "Selected NAT-T version: %s\n", |
---|
500 | vid_string_by_id(iph1->natt_options->version)); |
---|
501 | |
---|
502 | /* set both bits first so that we can clear them |
---|
503 | upon verifying hashes */ |
---|
504 | iph1->natt_flags |= NAT_DETECTED; |
---|
505 | |
---|
506 | while ((natd = TAILQ_FIRST(&natd_tree)) != NULL) { |
---|
507 | /* this function will clear appropriate bits bits |
---|
508 | from iph1->natt_flags */ |
---|
509 | natd_verified = natt_compare_addr_hash (iph1, |
---|
510 | natd->payload, natd->seq); |
---|
511 | |
---|
512 | plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n", |
---|
513 | natd->seq - 1, |
---|
514 | natd_verified ? "verified" : "doesn't match"); |
---|
515 | |
---|
516 | vfree (natd->payload); |
---|
517 | |
---|
518 | TAILQ_REMOVE(&natd_tree, natd, chain); |
---|
519 | racoon_free (natd); |
---|
520 | } |
---|
521 | |
---|
522 | plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n", |
---|
523 | iph1->natt_flags & NAT_DETECTED ? |
---|
524 | "detected:" : "not detected", |
---|
525 | iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "", |
---|
526 | iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : ""); |
---|
527 | |
---|
528 | if (iph1->natt_flags & NAT_DETECTED) |
---|
529 | natt_float_ports (iph1); |
---|
530 | } |
---|
531 | #endif |
---|
532 | |
---|
533 | /* compute sharing secret of DH */ |
---|
534 | if (oakley_dh_compute(iph1->rmconf->dhgrp, iph1->dhpub, |
---|
535 | iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) |
---|
536 | goto end; |
---|
537 | |
---|
538 | /* generate SKEYIDs & IV & final cipher key */ |
---|
539 | if (oakley_skeyid(iph1) < 0) |
---|
540 | goto end; |
---|
541 | if (oakley_skeyid_dae(iph1) < 0) |
---|
542 | goto end; |
---|
543 | if (oakley_compute_enckey(iph1) < 0) |
---|
544 | goto end; |
---|
545 | if (oakley_newiv(iph1) < 0) |
---|
546 | goto end; |
---|
547 | |
---|
548 | /* validate authentication value */ |
---|
549 | ptype = oakley_validate_auth(iph1); |
---|
550 | if (ptype != 0) { |
---|
551 | if (ptype == -1) { |
---|
552 | /* message printed inner oakley_validate_auth() */ |
---|
553 | goto end; |
---|
554 | } |
---|
555 | evt_phase1(iph1, EVT_PHASE1_AUTH_FAILED, NULL); |
---|
556 | isakmp_info_send_n1(iph1, ptype, NULL); |
---|
557 | goto end; |
---|
558 | } |
---|
559 | |
---|
560 | if (oakley_checkcr(iph1) < 0) { |
---|
561 | /* Ignore this error in order to be interoperability. */ |
---|
562 | ; |
---|
563 | } |
---|
564 | |
---|
565 | /* change status of isakmp status entry */ |
---|
566 | iph1->status = PHASE1ST_MSG2RECEIVED; |
---|
567 | |
---|
568 | error = 0; |
---|
569 | |
---|
570 | end: |
---|
571 | #ifdef HAVE_GSSAPI |
---|
572 | if (gsstoken) |
---|
573 | vfree(gsstoken); |
---|
574 | #endif |
---|
575 | if (pbuf) |
---|
576 | vfree(pbuf); |
---|
577 | if (satmp) |
---|
578 | vfree(satmp); |
---|
579 | if (error) { |
---|
580 | VPTRINIT(iph1->dhpub_p); |
---|
581 | VPTRINIT(iph1->nonce_p); |
---|
582 | VPTRINIT(iph1->id_p); |
---|
583 | VPTRINIT(iph1->cert_p); |
---|
584 | VPTRINIT(iph1->crl_p); |
---|
585 | VPTRINIT(iph1->sig_p); |
---|
586 | VPTRINIT(iph1->cr_p); |
---|
587 | } |
---|
588 | |
---|
589 | return error; |
---|
590 | } |
---|
591 | |
---|
592 | /* |
---|
593 | * send to responder |
---|
594 | * psk: HDR, HASH_I |
---|
595 | * gssapi: HDR, HASH_I |
---|
596 | * sig: HDR, [ CERT, ] SIG_I |
---|
597 | * rsa: HDR, HASH_I |
---|
598 | * rev: HDR, HASH_I |
---|
599 | */ |
---|
600 | int |
---|
601 | agg_i2send(iph1, msg) |
---|
602 | struct ph1handle *iph1; |
---|
603 | vchar_t *msg; |
---|
604 | { |
---|
605 | struct payload_list *plist = NULL; |
---|
606 | int need_cert = 0; |
---|
607 | int error = -1; |
---|
608 | vchar_t *gsshash = NULL; |
---|
609 | |
---|
610 | /* validity check */ |
---|
611 | if (iph1->status != PHASE1ST_MSG2RECEIVED) { |
---|
612 | plog(LLV_ERROR, LOCATION, NULL, |
---|
613 | "status mismatched %d.\n", iph1->status); |
---|
614 | goto end; |
---|
615 | } |
---|
616 | |
---|
617 | /* generate HASH to send */ |
---|
618 | plog(LLV_DEBUG, LOCATION, NULL, "generate HASH_I\n"); |
---|
619 | iph1->hash = oakley_ph1hash_common(iph1, GENERATE); |
---|
620 | if (iph1->hash == NULL) { |
---|
621 | #ifdef HAVE_GSSAPI |
---|
622 | if (gssapi_more_tokens(iph1) && |
---|
623 | #ifdef ENABLE_HYBRID |
---|
624 | !iph1->rmconf->xauth && |
---|
625 | #endif |
---|
626 | 1) |
---|
627 | isakmp_info_send_n1(iph1, |
---|
628 | ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, NULL); |
---|
629 | #endif |
---|
630 | goto end; |
---|
631 | } |
---|
632 | |
---|
633 | switch (iph1->approval->authmethod) { |
---|
634 | case OAKLEY_ATTR_AUTH_METHOD_PSKEY: |
---|
635 | #ifdef ENABLE_HYBRID |
---|
636 | case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I: |
---|
637 | case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: |
---|
638 | case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: |
---|
639 | #endif |
---|
640 | /* set HASH payload */ |
---|
641 | plist = isakmp_plist_append(plist, |
---|
642 | iph1->hash, ISAKMP_NPTYPE_HASH); |
---|
643 | break; |
---|
644 | |
---|
645 | case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: |
---|
646 | case OAKLEY_ATTR_AUTH_METHOD_RSASIG: |
---|
647 | #ifdef ENABLE_HYBRID |
---|
648 | case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: |
---|
649 | case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: |
---|
650 | #endif |
---|
651 | /* XXX if there is CR or not ? */ |
---|
652 | |
---|
653 | if (oakley_getmycert(iph1) < 0) |
---|
654 | goto end; |
---|
655 | |
---|
656 | if (oakley_getsign(iph1) < 0) |
---|
657 | goto end; |
---|
658 | |
---|
659 | if (iph1->cert != NULL && iph1->rmconf->send_cert) |
---|
660 | need_cert = 1; |
---|
661 | |
---|
662 | /* add CERT payload if there */ |
---|
663 | if (need_cert) |
---|
664 | plist = isakmp_plist_append(plist, iph1->cert, |
---|
665 | ISAKMP_NPTYPE_CERT); |
---|
666 | |
---|
667 | /* add SIG payload */ |
---|
668 | plist = isakmp_plist_append(plist, |
---|
669 | iph1->sig, ISAKMP_NPTYPE_SIG); |
---|
670 | break; |
---|
671 | |
---|
672 | case OAKLEY_ATTR_AUTH_METHOD_RSAENC: |
---|
673 | case OAKLEY_ATTR_AUTH_METHOD_RSAREV: |
---|
674 | #ifdef ENABLE_HYBRID |
---|
675 | case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I: |
---|
676 | case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I: |
---|
677 | #endif |
---|
678 | break; |
---|
679 | #ifdef HAVE_GSSAPI |
---|
680 | case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB: |
---|
681 | gsshash = gssapi_wraphash(iph1); |
---|
682 | if (gsshash == NULL) { |
---|
683 | plog(LLV_ERROR, LOCATION, NULL, |
---|
684 | "failed to wrap hash\n"); |
---|
685 | isakmp_info_send_n1(iph1, |
---|
686 | ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, NULL); |
---|
687 | goto end; |
---|
688 | } |
---|
689 | |
---|
690 | plist = isakmp_plist_append(plist, |
---|
691 | gsshash, ISAKMP_NPTYPE_HASH); |
---|
692 | break; |
---|
693 | #endif |
---|
694 | } |
---|
695 | |
---|
696 | #ifdef ENABLE_NATT |
---|
697 | /* generate NAT-D payloads */ |
---|
698 | if (NATT_AVAILABLE(iph1)) { |
---|
699 | vchar_t *natd[2] = { NULL, NULL }; |
---|
700 | |
---|
701 | plog(LLV_INFO, LOCATION, |
---|
702 | NULL, "Adding remote and local NAT-D payloads.\n"); |
---|
703 | |
---|
704 | if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) { |
---|
705 | plog(LLV_ERROR, LOCATION, NULL, |
---|
706 | "NAT-D hashing failed for %s\n", |
---|
707 | saddr2str(iph1->remote)); |
---|
708 | goto end; |
---|
709 | } |
---|
710 | |
---|
711 | if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) { |
---|
712 | plog(LLV_ERROR, LOCATION, NULL, |
---|
713 | "NAT-D hashing failed for %s\n", |
---|
714 | saddr2str(iph1->local)); |
---|
715 | goto end; |
---|
716 | } |
---|
717 | |
---|
718 | plist = isakmp_plist_append(plist, |
---|
719 | natd[0], iph1->natt_options->payload_nat_d); |
---|
720 | plist = isakmp_plist_append(plist, |
---|
721 | natd[1], iph1->natt_options->payload_nat_d); |
---|
722 | } |
---|
723 | #endif |
---|
724 | |
---|
725 | iph1->sendbuf = isakmp_plist_set_all (&plist, iph1); |
---|
726 | |
---|
727 | #ifdef HAVE_PRINT_ISAKMP_C |
---|
728 | isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0); |
---|
729 | #endif |
---|
730 | |
---|
731 | /* send to responder */ |
---|
732 | if (isakmp_send(iph1, iph1->sendbuf) < 0) |
---|
733 | goto end; |
---|
734 | |
---|
735 | /* the sending message is added to the received-list. */ |
---|
736 | if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) { |
---|
737 | plog(LLV_ERROR , LOCATION, NULL, |
---|
738 | "failed to add a response packet to the tree.\n"); |
---|
739 | goto end; |
---|
740 | } |
---|
741 | |
---|
742 | /* set encryption flag */ |
---|
743 | iph1->flags |= ISAKMP_FLAG_E; |
---|
744 | |
---|
745 | iph1->status = PHASE1ST_ESTABLISHED; |
---|
746 | |
---|
747 | error = 0; |
---|
748 | |
---|
749 | end: |
---|
750 | if (gsshash) |
---|
751 | vfree(gsshash); |
---|
752 | return error; |
---|
753 | } |
---|
754 | |
---|
755 | /* |
---|
756 | * receive from initiator |
---|
757 | * psk: HDR, SA, KE, Ni, IDi1 |
---|
758 | * sig: HDR, SA, KE, Ni, IDi1 [, CR ] |
---|
759 | * gssapi: HDR, SA, KE, Ni, IDi1 , GSSi |
---|
760 | * rsa: HDR, SA, [ HASH(1),] KE, <IDi1_b>Pubkey_r, <Ni_b>Pubkey_r |
---|
761 | * rev: HDR, SA, [ HASH(1),] <Ni_b>Pubkey_r, <KE_b>Ke_i, |
---|
762 | * <IDii_b>Ke_i [, <Cert-I_b>Ke_i ] |
---|
763 | */ |
---|
764 | int |
---|
765 | agg_r1recv(iph1, msg) |
---|
766 | struct ph1handle *iph1; |
---|
767 | vchar_t *msg; |
---|
768 | { |
---|
769 | int error = -1; |
---|
770 | vchar_t *pbuf = NULL; |
---|
771 | struct isakmp_parse_t *pa; |
---|
772 | int vid_numeric; |
---|
773 | #ifdef HAVE_GSSAPI |
---|
774 | vchar_t *gsstoken = NULL; |
---|
775 | #endif |
---|
776 | |
---|
777 | /* validity check */ |
---|
778 | if (iph1->status != PHASE1ST_START) { |
---|
779 | plog(LLV_ERROR, LOCATION, NULL, |
---|
780 | "status mismatched %d.\n", iph1->status); |
---|
781 | goto end; |
---|
782 | } |
---|
783 | |
---|
784 | /* validate the type of next payload */ |
---|
785 | pbuf = isakmp_parse(msg); |
---|
786 | if (pbuf == NULL) |
---|
787 | goto end; |
---|
788 | pa = (struct isakmp_parse_t *)pbuf->v; |
---|
789 | |
---|
790 | /* SA payload is fixed postion */ |
---|
791 | if (pa->type != ISAKMP_NPTYPE_SA) { |
---|
792 | plog(LLV_ERROR, LOCATION, iph1->remote, |
---|
793 | "received invalid next payload type %d, " |
---|
794 | "expecting %d.\n", |
---|
795 | pa->type, ISAKMP_NPTYPE_SA); |
---|
796 | goto end; |
---|
797 | } |
---|
798 | if (isakmp_p2ph(&iph1->sa, pa->ptr) < 0) |
---|
799 | goto end; |
---|
800 | pa++; |
---|
801 | |
---|
802 | for (/*nothing*/; |
---|
803 | pa->type != ISAKMP_NPTYPE_NONE; |
---|
804 | pa++) { |
---|
805 | |
---|
806 | plog(LLV_DEBUG, LOCATION, NULL, |
---|
807 | "received payload of type %s\n", |
---|
808 | s_isakmp_nptype(pa->type)); |
---|
809 | |
---|
810 | switch (pa->type) { |
---|
811 | case ISAKMP_NPTYPE_KE: |
---|
812 | if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) |
---|
813 | goto end; |
---|
814 | break; |
---|
815 | case ISAKMP_NPTYPE_NONCE: |
---|
816 | if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) |
---|
817 | goto end; |
---|
818 | break; |
---|
819 | case ISAKMP_NPTYPE_ID: |
---|
820 | if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) |
---|
821 | goto end; |
---|
822 | break; |
---|
823 | case ISAKMP_NPTYPE_VID: |
---|
824 | vid_numeric = handle_vendorid(iph1, pa->ptr); |
---|
825 | #ifdef ENABLE_FRAG |
---|
826 | if ((vid_numeric == VENDORID_FRAG) && |
---|
827 | (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_AGG)) |
---|
828 | iph1->frag = 1; |
---|
829 | #endif |
---|
830 | break; |
---|
831 | |
---|
832 | case ISAKMP_NPTYPE_CR: |
---|
833 | if (oakley_savecr(iph1, pa->ptr) < 0) |
---|
834 | goto end; |
---|
835 | break; |
---|
836 | |
---|
837 | #ifdef HAVE_GSSAPI |
---|
838 | case ISAKMP_NPTYPE_GSS: |
---|
839 | if (isakmp_p2ph(&gsstoken, pa->ptr) < 0) |
---|
840 | goto end; |
---|
841 | gssapi_save_received_token(iph1, gsstoken); |
---|
842 | break; |
---|
843 | #endif |
---|
844 | default: |
---|
845 | /* don't send information, see isakmp_ident_r1() */ |
---|
846 | plog(LLV_ERROR, LOCATION, iph1->remote, |
---|
847 | "ignore the packet, " |
---|
848 | "received unexpecting payload type %d.\n", |
---|
849 | pa->type); |
---|
850 | goto end; |
---|
851 | } |
---|
852 | } |
---|
853 | |
---|
854 | /* payload existency check */ |
---|
855 | if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) { |
---|
856 | plog(LLV_ERROR, LOCATION, iph1->remote, |
---|
857 | "few isakmp message received.\n"); |
---|
858 | goto end; |
---|
859 | } |
---|
860 | |
---|
861 | /* verify identifier */ |
---|
862 | if (ipsecdoi_checkid1(iph1) != 0) { |
---|
863 | plog(LLV_ERROR, LOCATION, iph1->remote, |
---|
864 | "invalid ID payload.\n"); |
---|
865 | goto end; |
---|
866 | } |
---|
867 | |
---|
868 | #ifdef ENABLE_NATT |
---|
869 | if (NATT_AVAILABLE(iph1)) |
---|
870 | plog(LLV_INFO, LOCATION, iph1->remote, |
---|
871 | "Selected NAT-T version: %s\n", |
---|
872 | vid_string_by_id(iph1->natt_options->version)); |
---|
873 | #endif |
---|
874 | |
---|
875 | /* check SA payload and set approval SA for use */ |
---|
876 | if (ipsecdoi_checkph1proposal(iph1->sa, iph1) < 0) { |
---|
877 | plog(LLV_ERROR, LOCATION, iph1->remote, |
---|
878 | "failed to get valid proposal.\n"); |
---|
879 | /* XXX send information */ |
---|
880 | goto end; |
---|
881 | } |
---|
882 | |
---|
883 | if (oakley_checkcr(iph1) < 0) { |
---|
884 | /* Ignore this error in order to be interoperability. */ |
---|
885 | ; |
---|
886 | } |
---|
887 | |
---|
888 | iph1->status = PHASE1ST_MSG1RECEIVED; |
---|
889 | |
---|
890 | error = 0; |
---|
891 | |
---|
892 | end: |
---|
893 | #ifdef HAVE_GSSAPI |
---|
894 | if (gsstoken) |
---|
895 | vfree(gsstoken); |
---|
896 | #endif |
---|
897 | if (pbuf) |
---|
898 | vfree(pbuf); |
---|
899 | if (error) { |
---|
900 | VPTRINIT(iph1->sa); |
---|
901 | VPTRINIT(iph1->dhpub_p); |
---|
902 | VPTRINIT(iph1->nonce_p); |
---|
903 | VPTRINIT(iph1->id_p); |
---|
904 | VPTRINIT(iph1->cr_p); |
---|
905 | } |
---|
906 | |
---|
907 | return error; |
---|
908 | } |
---|
909 | |
---|
910 | /* |
---|
911 | * send to initiator |
---|
912 | * psk: HDR, SA, KE, Nr, IDr1, HASH_R |
---|
913 | * sig: HDR, SA, KE, Nr, IDr1, [ CR, ] [ CERT, ] SIG_R |
---|
914 | * gssapi: HDR, SA, KE, Nr, IDr1, GSSr, HASH_R |
---|
915 | * rsa: HDR, SA, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i, HASH_R |
---|
916 | * rev: HDR, SA, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDir_b>Ke_r, HASH_R |
---|
917 | */ |
---|
918 | int |
---|
919 | agg_r1send(iph1, msg) |
---|
920 | struct ph1handle *iph1; |
---|
921 | vchar_t *msg; |
---|
922 | { |
---|
923 | struct payload_list *plist = NULL; |
---|
924 | int need_cert = 0; |
---|
925 | int error = -1; |
---|
926 | #ifdef ENABLE_HYBRID |
---|
927 | vchar_t *xauth_vid = NULL; |
---|
928 | vchar_t *unity_vid = NULL; |
---|
929 | #endif |
---|
930 | #ifdef ENABLE_NATT |
---|
931 | vchar_t *vid_natt = NULL; |
---|
932 | vchar_t *natd[2] = { NULL, NULL }; |
---|
933 | #endif |
---|
934 | #ifdef ENABLE_DPD |
---|
935 | vchar_t *vid_dpd = NULL; |
---|
936 | #endif |
---|
937 | #ifdef ENABLE_FRAG |
---|
938 | vchar_t *vid_frag = NULL; |
---|
939 | #endif |
---|
940 | |
---|
941 | #ifdef HAVE_GSSAPI |
---|
942 | int gsslen; |
---|
943 | vchar_t *gsstoken = NULL, *gsshash = NULL; |
---|
944 | vchar_t *gss_sa = NULL; |
---|
945 | int free_gss_sa = 0; |
---|
946 | #endif |
---|
947 | |
---|
948 | /* validity check */ |
---|
949 | if (iph1->status != PHASE1ST_MSG1RECEIVED) { |
---|
950 | plog(LLV_ERROR, LOCATION, NULL, |
---|
951 | "status mismatched %d.\n", iph1->status); |
---|
952 | goto end; |
---|
953 | } |
---|
954 | |
---|
955 | /* set responder's cookie */ |
---|
956 | isakmp_newcookie((caddr_t)&iph1->index.r_ck, iph1->remote, iph1->local); |
---|
957 | |
---|
958 | /* make ID payload into isakmp status */ |
---|
959 | if (ipsecdoi_setid1(iph1) < 0) |
---|
960 | goto end; |
---|
961 | |
---|
962 | /* generate DH public value */ |
---|
963 | if (oakley_dh_generate(iph1->rmconf->dhgrp, |
---|
964 | &iph1->dhpub, &iph1->dhpriv) < 0) |
---|
965 | goto end; |
---|
966 | |
---|
967 | /* generate NONCE value */ |
---|
968 | iph1->nonce = eay_set_random(iph1->rmconf->nonce_size); |
---|
969 | if (iph1->nonce == NULL) |
---|
970 | goto end; |
---|
971 | |
---|
972 | /* compute sharing secret of DH */ |
---|
973 | if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub, |
---|
974 | iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) |
---|
975 | goto end; |
---|
976 | |
---|
977 | /* generate SKEYIDs & IV & final cipher key */ |
---|
978 | if (oakley_skeyid(iph1) < 0) |
---|
979 | goto end; |
---|
980 | if (oakley_skeyid_dae(iph1) < 0) |
---|
981 | goto end; |
---|
982 | if (oakley_compute_enckey(iph1) < 0) |
---|
983 | goto end; |
---|
984 | if (oakley_newiv(iph1) < 0) |
---|
985 | goto end; |
---|
986 | |
---|
987 | #ifdef HAVE_GSSAPI |
---|
988 | if (iph1->rmconf->proposal->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) |
---|
989 | gssapi_get_rtoken(iph1, &gsslen); |
---|
990 | #endif |
---|
991 | |
---|
992 | /* generate HASH to send */ |
---|
993 | plog(LLV_DEBUG, LOCATION, NULL, "generate HASH_R\n"); |
---|
994 | iph1->hash = oakley_ph1hash_common(iph1, GENERATE); |
---|
995 | if (iph1->hash == NULL) { |
---|
996 | #ifdef HAVE_GSSAPI |
---|
997 | if (gssapi_more_tokens(iph1)) |
---|
998 | isakmp_info_send_n1(iph1, |
---|
999 | ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, NULL); |
---|
1000 | #endif |
---|
1001 | goto end; |
---|
1002 | } |
---|
1003 | |
---|
1004 | #ifdef ENABLE_NATT |
---|
1005 | /* Has the peer announced NAT-T? */ |
---|
1006 | if (NATT_AVAILABLE(iph1)) { |
---|
1007 | /* set chosen VID */ |
---|
1008 | vid_natt = set_vendorid(iph1->natt_options->version); |
---|
1009 | |
---|
1010 | /* generate NAT-D payloads */ |
---|
1011 | plog (LLV_INFO, LOCATION, NULL, "Adding remote and local NAT-D payloads.\n"); |
---|
1012 | if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) { |
---|
1013 | plog(LLV_ERROR, LOCATION, NULL, |
---|
1014 | "NAT-D hashing failed for %s\n", saddr2str(iph1->remote)); |
---|
1015 | goto end; |
---|
1016 | } |
---|
1017 | |
---|
1018 | if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) { |
---|
1019 | plog(LLV_ERROR, LOCATION, NULL, |
---|
1020 | "NAT-D hashing failed for %s\n", saddr2str(iph1->local)); |
---|
1021 | goto end; |
---|
1022 | } |
---|
1023 | } |
---|
1024 | #endif |
---|
1025 | #ifdef ENABLE_DPD |
---|
1026 | /* Only send DPD support if remote announced DPD and if DPD support is active */ |
---|
1027 | if (iph1->dpd_support && iph1->rmconf->dpd) |
---|
1028 | vid_dpd = set_vendorid(VENDORID_DPD); |
---|
1029 | #endif |
---|
1030 | #ifdef ENABLE_FRAG |
---|
1031 | if (iph1->frag) { |
---|
1032 | vid_frag = set_vendorid(VENDORID_FRAG); |
---|
1033 | if (vid_frag != NULL) |
---|
1034 | vid_frag = isakmp_frag_addcap(vid_frag, |
---|
1035 | VENDORID_FRAG_AGG); |
---|
1036 | if (vid_frag == NULL) |
---|
1037 | plog(LLV_ERROR, LOCATION, NULL, |
---|
1038 | "Frag vendorID construction failed\n"); |
---|
1039 | } |
---|
1040 | #endif |
---|
1041 | |
---|
1042 | switch (iph1->approval->authmethod) { |
---|
1043 | case OAKLEY_ATTR_AUTH_METHOD_PSKEY: |
---|
1044 | #ifdef ENABLE_HYBRID |
---|
1045 | case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R: |
---|
1046 | #endif |
---|
1047 | /* set SA payload to reply */ |
---|
1048 | plist = isakmp_plist_append(plist, |
---|
1049 | iph1->sa_ret, ISAKMP_NPTYPE_SA); |
---|
1050 | |
---|
1051 | /* create isakmp KE payload */ |
---|
1052 | plist = isakmp_plist_append(plist, |
---|
1053 | iph1->dhpub, ISAKMP_NPTYPE_KE); |
---|
1054 | |
---|
1055 | /* create isakmp NONCE payload */ |
---|
1056 | plist = isakmp_plist_append(plist, |
---|
1057 | iph1->nonce, ISAKMP_NPTYPE_NONCE); |
---|
1058 | |
---|
1059 | /* create isakmp ID payload */ |
---|
1060 | plist = isakmp_plist_append(plist, |
---|
1061 | iph1->id, ISAKMP_NPTYPE_ID); |
---|
1062 | |
---|
1063 | /* create isakmp HASH payload */ |
---|
1064 | plist = isakmp_plist_append(plist, |
---|
1065 | iph1->hash, ISAKMP_NPTYPE_HASH); |
---|
1066 | |
---|
1067 | /* create isakmp CR payload if needed */ |
---|
1068 | if (oakley_needcr(iph1->approval->authmethod)) |
---|
1069 | plist = oakley_append_cr(plist, iph1); |
---|
1070 | break; |
---|
1071 | case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: |
---|
1072 | case OAKLEY_ATTR_AUTH_METHOD_RSASIG: |
---|
1073 | #ifdef ENABLE_HYBRID |
---|
1074 | case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R: |
---|
1075 | case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R: |
---|
1076 | case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: |
---|
1077 | case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R: |
---|
1078 | #endif |
---|
1079 | /* XXX if there is CR or not ? */ |
---|
1080 | |
---|
1081 | if (oakley_getmycert(iph1) < 0) |
---|
1082 | goto end; |
---|
1083 | |
---|
1084 | if (oakley_getsign(iph1) < 0) |
---|
1085 | goto end; |
---|
1086 | |
---|
1087 | if (iph1->cert != NULL && iph1->rmconf->send_cert) |
---|
1088 | need_cert = 1; |
---|
1089 | |
---|
1090 | /* set SA payload to reply */ |
---|
1091 | plist = isakmp_plist_append(plist, |
---|
1092 | iph1->sa_ret, ISAKMP_NPTYPE_SA); |
---|
1093 | |
---|
1094 | /* create isakmp KE payload */ |
---|
1095 | plist = isakmp_plist_append(plist, |
---|
1096 | iph1->dhpub, ISAKMP_NPTYPE_KE); |
---|
1097 | |
---|
1098 | /* create isakmp NONCE payload */ |
---|
1099 | plist = isakmp_plist_append(plist, |
---|
1100 | iph1->nonce, ISAKMP_NPTYPE_NONCE); |
---|
1101 | |
---|
1102 | /* add ID payload */ |
---|
1103 | plist = isakmp_plist_append(plist, |
---|
1104 | iph1->id, ISAKMP_NPTYPE_ID); |
---|
1105 | |
---|
1106 | /* add CERT payload if there */ |
---|
1107 | if (need_cert) |
---|
1108 | plist = isakmp_plist_append(plist, iph1->cert, |
---|
1109 | ISAKMP_NPTYPE_CERT); |
---|
1110 | |
---|
1111 | /* add SIG payload */ |
---|
1112 | plist = isakmp_plist_append(plist, |
---|
1113 | iph1->sig, ISAKMP_NPTYPE_SIG); |
---|
1114 | |
---|
1115 | /* create isakmp CR payload if needed */ |
---|
1116 | if (oakley_needcr(iph1->approval->authmethod)) |
---|
1117 | plist = oakley_append_cr(plist, iph1); |
---|
1118 | break; |
---|
1119 | |
---|
1120 | case OAKLEY_ATTR_AUTH_METHOD_RSAENC: |
---|
1121 | case OAKLEY_ATTR_AUTH_METHOD_RSAREV: |
---|
1122 | #ifdef ENABLE_HYBRID |
---|
1123 | case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R: |
---|
1124 | case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: |
---|
1125 | #endif |
---|
1126 | break; |
---|
1127 | #ifdef HAVE_GSSAPI |
---|
1128 | case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB: |
---|
1129 | /* create buffer to send isakmp payload */ |
---|
1130 | gsshash = gssapi_wraphash(iph1); |
---|
1131 | if (gsshash == NULL) { |
---|
1132 | plog(LLV_ERROR, LOCATION, NULL, |
---|
1133 | "failed to wrap hash\n"); |
---|
1134 | /* |
---|
1135 | * This is probably due to the GSS |
---|
1136 | * roundtrips not being finished yet. |
---|
1137 | * Return this error in the hope that |
---|
1138 | * a fallback to main mode will be done. |
---|
1139 | */ |
---|
1140 | isakmp_info_send_n1(iph1, |
---|
1141 | ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, NULL); |
---|
1142 | goto end; |
---|
1143 | } |
---|
1144 | if (iph1->approval->gssid != NULL) |
---|
1145 | gss_sa = ipsecdoi_setph1proposal(iph1->rmconf, |
---|
1146 | iph1->approval); |
---|
1147 | else |
---|
1148 | gss_sa = iph1->sa_ret; |
---|
1149 | |
---|
1150 | if (gss_sa != iph1->sa_ret) |
---|
1151 | free_gss_sa = 1; |
---|
1152 | |
---|
1153 | /* set SA payload to reply */ |
---|
1154 | plist = isakmp_plist_append(plist, |
---|
1155 | gss_sa, ISAKMP_NPTYPE_SA); |
---|
1156 | |
---|
1157 | /* create isakmp KE payload */ |
---|
1158 | plist = isakmp_plist_append(plist, |
---|
1159 | iph1->dhpub, ISAKMP_NPTYPE_KE); |
---|
1160 | |
---|
1161 | /* create isakmp NONCE payload */ |
---|
1162 | plist = isakmp_plist_append(plist, |
---|
1163 | iph1->nonce, ISAKMP_NPTYPE_NONCE); |
---|
1164 | |
---|
1165 | /* create isakmp ID payload */ |
---|
1166 | plist = isakmp_plist_append(plist, |
---|
1167 | iph1->id, ISAKMP_NPTYPE_ID); |
---|
1168 | |
---|
1169 | /* create GSS payload */ |
---|
1170 | if (gssapi_get_token_to_send(iph1, &gsstoken) < 0) { |
---|
1171 | plog(LLV_ERROR, LOCATION, NULL, |
---|
1172 | "Failed to get gssapi token.\n"); |
---|
1173 | goto end; |
---|
1174 | } |
---|
1175 | plist = isakmp_plist_append(plist, |
---|
1176 | gsstoken, ISAKMP_NPTYPE_GSS); |
---|
1177 | |
---|
1178 | /* create isakmp HASH payload */ |
---|
1179 | plist = isakmp_plist_append(plist, |
---|
1180 | gsshash, ISAKMP_NPTYPE_HASH); |
---|
1181 | |
---|
1182 | /* append vendor id, if needed */ |
---|
1183 | break; |
---|
1184 | #endif |
---|
1185 | } |
---|
1186 | |
---|
1187 | #ifdef ENABLE_HYBRID |
---|
1188 | if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) { |
---|
1189 | plog (LLV_INFO, LOCATION, NULL, "Adding xauth VID payload.\n"); |
---|
1190 | if ((xauth_vid = set_vendorid(VENDORID_XAUTH)) == NULL) { |
---|
1191 | plog(LLV_ERROR, LOCATION, NULL, |
---|
1192 | "Cannot create Xauth vendor ID\n"); |
---|
1193 | goto end; |
---|
1194 | } |
---|
1195 | plist = isakmp_plist_append(plist, |
---|
1196 | xauth_vid, ISAKMP_NPTYPE_VID); |
---|
1197 | } |
---|
1198 | |
---|
1199 | if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_UNITY) { |
---|
1200 | if ((unity_vid = set_vendorid(VENDORID_UNITY)) == NULL) { |
---|
1201 | plog(LLV_ERROR, LOCATION, NULL, |
---|
1202 | "Cannot create Unity vendor ID\n"); |
---|
1203 | goto end; |
---|
1204 | } |
---|
1205 | plist = isakmp_plist_append(plist, |
---|
1206 | unity_vid, ISAKMP_NPTYPE_VID); |
---|
1207 | } |
---|
1208 | #endif |
---|
1209 | |
---|
1210 | #ifdef ENABLE_NATT |
---|
1211 | /* append NAT-T payloads */ |
---|
1212 | if (vid_natt) { |
---|
1213 | /* chosen VID */ |
---|
1214 | plist = isakmp_plist_append(plist, vid_natt, ISAKMP_NPTYPE_VID); |
---|
1215 | /* NAT-D */ |
---|
1216 | plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d); |
---|
1217 | plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d); |
---|
1218 | } |
---|
1219 | #endif |
---|
1220 | |
---|
1221 | #ifdef ENABLE_FRAG |
---|
1222 | if (vid_frag) |
---|
1223 | plist = isakmp_plist_append(plist, vid_frag, ISAKMP_NPTYPE_VID); |
---|
1224 | #endif |
---|
1225 | |
---|
1226 | #ifdef ENABLE_DPD |
---|
1227 | if (vid_dpd) |
---|
1228 | plist = isakmp_plist_append(plist, vid_dpd, ISAKMP_NPTYPE_VID); |
---|
1229 | #endif |
---|
1230 | |
---|
1231 | iph1->sendbuf = isakmp_plist_set_all (&plist, iph1); |
---|
1232 | |
---|
1233 | #ifdef HAVE_PRINT_ISAKMP_C |
---|
1234 | isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 1); |
---|
1235 | #endif |
---|
1236 | |
---|
1237 | /* send the packet, add to the schedule to resend */ |
---|
1238 | if (isakmp_ph1send(iph1) == -1) |
---|
1239 | goto end; |
---|
1240 | |
---|
1241 | /* the sending message is added to the received-list. */ |
---|
1242 | if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) { |
---|
1243 | plog(LLV_ERROR , LOCATION, NULL, |
---|
1244 | "failed to add a response packet to the tree.\n"); |
---|
1245 | goto end; |
---|
1246 | } |
---|
1247 | |
---|
1248 | iph1->status = PHASE1ST_MSG1SENT; |
---|
1249 | |
---|
1250 | error = 0; |
---|
1251 | |
---|
1252 | end: |
---|
1253 | #ifdef ENABLE_HYBRID |
---|
1254 | if (xauth_vid) |
---|
1255 | vfree(xauth_vid); |
---|
1256 | if (unity_vid) |
---|
1257 | vfree(unity_vid); |
---|
1258 | #endif |
---|
1259 | #ifdef HAVE_GSSAPI |
---|
1260 | if (gsstoken) |
---|
1261 | vfree(gsstoken); |
---|
1262 | if (gsshash) |
---|
1263 | vfree(gsshash); |
---|
1264 | if (free_gss_sa) |
---|
1265 | vfree(gss_sa); |
---|
1266 | #endif |
---|
1267 | #ifdef ENABLE_DPD |
---|
1268 | if (vid_dpd) |
---|
1269 | vfree(vid_dpd); |
---|
1270 | #endif |
---|
1271 | #ifdef ENABLE_FRAG |
---|
1272 | if (vid_frag) |
---|
1273 | vfree(vid_frag); |
---|
1274 | #endif |
---|
1275 | |
---|
1276 | return error; |
---|
1277 | } |
---|
1278 | |
---|
1279 | /* |
---|
1280 | * receive from initiator |
---|
1281 | * psk: HDR, HASH_I |
---|
1282 | * gssapi: HDR, HASH_I |
---|
1283 | * sig: HDR, [ CERT, ] SIG_I |
---|
1284 | * rsa: HDR, HASH_I |
---|
1285 | * rev: HDR, HASH_I |
---|
1286 | */ |
---|
1287 | int |
---|
1288 | agg_r2recv(iph1, msg0) |
---|
1289 | struct ph1handle *iph1; |
---|
1290 | vchar_t *msg0; |
---|
1291 | { |
---|
1292 | vchar_t *msg = NULL; |
---|
1293 | vchar_t *pbuf = NULL; |
---|
1294 | struct isakmp_parse_t *pa; |
---|
1295 | int error = -1, ptype; |
---|
1296 | #ifdef ENABLE_NATT |
---|
1297 | int natd_seq = 0; |
---|
1298 | #endif |
---|
1299 | |
---|
1300 | /* validity check */ |
---|
1301 | if (iph1->status != PHASE1ST_MSG1SENT) { |
---|
1302 | plog(LLV_ERROR, LOCATION, NULL, |
---|
1303 | "status mismatched %d.\n", iph1->status); |
---|
1304 | goto end; |
---|
1305 | } |
---|
1306 | |
---|
1307 | /* decrypting if need. */ |
---|
1308 | /* XXX configurable ? */ |
---|
1309 | if (ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) { |
---|
1310 | msg = oakley_do_decrypt(iph1, msg0, |
---|
1311 | iph1->ivm->iv, iph1->ivm->ive); |
---|
1312 | if (msg == NULL) |
---|
1313 | goto end; |
---|
1314 | } else |
---|
1315 | msg = vdup(msg0); |
---|
1316 | |
---|
1317 | /* validate the type of next payload */ |
---|
1318 | pbuf = isakmp_parse(msg); |
---|
1319 | if (pbuf == NULL) |
---|
1320 | goto end; |
---|
1321 | |
---|
1322 | iph1->pl_hash = NULL; |
---|
1323 | |
---|
1324 | for (pa = (struct isakmp_parse_t *)pbuf->v; |
---|
1325 | pa->type != ISAKMP_NPTYPE_NONE; |
---|
1326 | pa++) { |
---|
1327 | |
---|
1328 | switch (pa->type) { |
---|
1329 | case ISAKMP_NPTYPE_HASH: |
---|
1330 | iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr; |
---|
1331 | break; |
---|
1332 | case ISAKMP_NPTYPE_VID: |
---|
1333 | handle_vendorid(iph1, pa->ptr); |
---|
1334 | break; |
---|
1335 | case ISAKMP_NPTYPE_CERT: |
---|
1336 | if (oakley_savecert(iph1, pa->ptr) < 0) |
---|
1337 | goto end; |
---|
1338 | break; |
---|
1339 | case ISAKMP_NPTYPE_SIG: |
---|
1340 | if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) |
---|
1341 | goto end; |
---|
1342 | break; |
---|
1343 | case ISAKMP_NPTYPE_N: |
---|
1344 | isakmp_log_notify(iph1, |
---|
1345 | (struct isakmp_pl_n *) pa->ptr, |
---|
1346 | "aggressive exchange"); |
---|
1347 | break; |
---|
1348 | |
---|
1349 | #ifdef ENABLE_NATT |
---|
1350 | case ISAKMP_NPTYPE_NATD_DRAFT: |
---|
1351 | case ISAKMP_NPTYPE_NATD_RFC: |
---|
1352 | if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL && |
---|
1353 | pa->type == iph1->natt_options->payload_nat_d) |
---|
1354 | { |
---|
1355 | vchar_t *natd_received = NULL; |
---|
1356 | int natd_verified; |
---|
1357 | |
---|
1358 | if (isakmp_p2ph (&natd_received, pa->ptr) < 0) |
---|
1359 | goto end; |
---|
1360 | |
---|
1361 | if (natd_seq == 0) |
---|
1362 | iph1->natt_flags |= NAT_DETECTED; |
---|
1363 | |
---|
1364 | natd_verified = natt_compare_addr_hash (iph1, |
---|
1365 | natd_received, natd_seq++); |
---|
1366 | |
---|
1367 | plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n", |
---|
1368 | natd_seq - 1, |
---|
1369 | natd_verified ? "verified" : "doesn't match"); |
---|
1370 | |
---|
1371 | vfree (natd_received); |
---|
1372 | break; |
---|
1373 | } |
---|
1374 | /* passthrough to default... */ |
---|
1375 | #endif |
---|
1376 | |
---|
1377 | default: |
---|
1378 | /* don't send information, see isakmp_ident_r1() */ |
---|
1379 | plog(LLV_ERROR, LOCATION, iph1->remote, |
---|
1380 | "ignore the packet, " |
---|
1381 | "received unexpecting payload type %d.\n", |
---|
1382 | pa->type); |
---|
1383 | goto end; |
---|
1384 | } |
---|
1385 | } |
---|
1386 | |
---|
1387 | #ifdef ENABLE_NATT |
---|
1388 | if (NATT_AVAILABLE(iph1)) |
---|
1389 | plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n", |
---|
1390 | iph1->natt_flags & NAT_DETECTED ? |
---|
1391 | "detected:" : "not detected", |
---|
1392 | iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "", |
---|
1393 | iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : ""); |
---|
1394 | #endif |
---|
1395 | |
---|
1396 | /* validate authentication value */ |
---|
1397 | ptype = oakley_validate_auth(iph1); |
---|
1398 | if (ptype != 0) { |
---|
1399 | if (ptype == -1) { |
---|
1400 | /* message printed inner oakley_validate_auth() */ |
---|
1401 | goto end; |
---|
1402 | } |
---|
1403 | evt_phase1(iph1, EVT_PHASE1_AUTH_FAILED, NULL); |
---|
1404 | isakmp_info_send_n1(iph1, ptype, NULL); |
---|
1405 | goto end; |
---|
1406 | } |
---|
1407 | |
---|
1408 | iph1->status = PHASE1ST_MSG2RECEIVED; |
---|
1409 | |
---|
1410 | error = 0; |
---|
1411 | |
---|
1412 | end: |
---|
1413 | if (pbuf) |
---|
1414 | vfree(pbuf); |
---|
1415 | if (msg) |
---|
1416 | vfree(msg); |
---|
1417 | if (error) { |
---|
1418 | VPTRINIT(iph1->cert_p); |
---|
1419 | VPTRINIT(iph1->crl_p); |
---|
1420 | VPTRINIT(iph1->sig_p); |
---|
1421 | } |
---|
1422 | |
---|
1423 | return error; |
---|
1424 | } |
---|
1425 | |
---|
1426 | /* |
---|
1427 | * status update and establish isakmp sa. |
---|
1428 | */ |
---|
1429 | int |
---|
1430 | agg_r2send(iph1, msg) |
---|
1431 | struct ph1handle *iph1; |
---|
1432 | vchar_t *msg; |
---|
1433 | { |
---|
1434 | int error = -1; |
---|
1435 | |
---|
1436 | /* validity check */ |
---|
1437 | if (iph1->status != PHASE1ST_MSG2RECEIVED) { |
---|
1438 | plog(LLV_ERROR, LOCATION, NULL, |
---|
1439 | "status mismatched %d.\n", iph1->status); |
---|
1440 | goto end; |
---|
1441 | } |
---|
1442 | |
---|
1443 | /* IV synchronized when packet encrypted. */ |
---|
1444 | /* see handler.h about IV synchronization. */ |
---|
1445 | if (ISSET(((struct isakmp *)msg->v)->flags, ISAKMP_FLAG_E)) |
---|
1446 | memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->iv->l); |
---|
1447 | |
---|
1448 | /* set encryption flag */ |
---|
1449 | iph1->flags |= ISAKMP_FLAG_E; |
---|
1450 | |
---|
1451 | iph1->status = PHASE1ST_ESTABLISHED; |
---|
1452 | |
---|
1453 | error = 0; |
---|
1454 | |
---|
1455 | end: |
---|
1456 | return error; |
---|
1457 | } |
---|
1458 | #ifdef __rtems__ |
---|
1459 | #include "rtems-bsd-racoon-isakmp_agg-data.h" |
---|
1460 | #endif /* __rtems__ */ |
---|