1 | /* $NetBSD: isakmp_agg.c,v 1.16 2009/09/18 10:31:11 tteras Exp $ */ |
---|
2 | |
---|
3 | /* Id: isakmp_agg.c,v 1.28 2006/04/06 16:46:08 manubsd Exp */ |
---|
4 | |
---|
5 | /* |
---|
6 | * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. |
---|
7 | * All rights reserved. |
---|
8 | * |
---|
9 | * Redistribution and use in source and binary forms, with or without |
---|
10 | * modification, are permitted provided that the following conditions |
---|
11 | * are met: |
---|
12 | * 1. Redistributions of source code must retain the above copyright |
---|
13 | * notice, this list of conditions and the following disclaimer. |
---|
14 | * 2. Redistributions in binary form must reproduce the above copyright |
---|
15 | * notice, this list of conditions and the following disclaimer in the |
---|
16 | * documentation and/or other materials provided with the distribution. |
---|
17 | * 3. Neither the name of the project nor the names of its contributors |
---|
18 | * may be used to endorse or promote products derived from this software |
---|
19 | * without specific prior written permission. |
---|
20 | * |
---|
21 | * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND |
---|
22 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
---|
23 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
---|
24 | * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE |
---|
25 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
---|
26 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
---|
27 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
---|
28 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
---|
29 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
---|
30 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
---|
31 | * SUCH DAMAGE. |
---|
32 | */ |
---|
33 | |
---|
34 | /* Aggressive Exchange (Aggressive Mode) */ |
---|
35 | |
---|
36 | #include "config.h" |
---|
37 | |
---|
38 | #include <sys/types.h> |
---|
39 | #include <sys/param.h> |
---|
40 | |
---|
41 | #include <stdlib.h> |
---|
42 | #include <stdio.h> |
---|
43 | #include <string.h> |
---|
44 | #include <errno.h> |
---|
45 | #if TIME_WITH_SYS_TIME |
---|
46 | # include <sys/time.h> |
---|
47 | # include <time.h> |
---|
48 | #else |
---|
49 | # if HAVE_SYS_TIME_H |
---|
50 | # include <sys/time.h> |
---|
51 | # else |
---|
52 | # include <time.h> |
---|
53 | # endif |
---|
54 | #endif |
---|
55 | |
---|
56 | #include "var.h" |
---|
57 | #include "misc.h" |
---|
58 | #include "vmbuf.h" |
---|
59 | #include "plog.h" |
---|
60 | #include "sockmisc.h" |
---|
61 | #include "schedule.h" |
---|
62 | #include "debug.h" |
---|
63 | |
---|
64 | #ifdef ENABLE_HYBRID |
---|
65 | #include <resolv.h> |
---|
66 | #endif |
---|
67 | |
---|
68 | #include "localconf.h" |
---|
69 | #include "remoteconf.h" |
---|
70 | #include "isakmp_var.h" |
---|
71 | #include "isakmp.h" |
---|
72 | #include "evt.h" |
---|
73 | #include "oakley.h" |
---|
74 | #include "handler.h" |
---|
75 | #include "ipsec_doi.h" |
---|
76 | #include "crypto_openssl.h" |
---|
77 | #include "pfkey.h" |
---|
78 | #include "isakmp_agg.h" |
---|
79 | #include "isakmp_inf.h" |
---|
80 | #ifdef ENABLE_HYBRID |
---|
81 | #include "isakmp_xauth.h" |
---|
82 | #include "isakmp_cfg.h" |
---|
83 | #endif |
---|
84 | #ifdef ENABLE_FRAG |
---|
85 | #include "isakmp_frag.h" |
---|
86 | #endif |
---|
87 | #include "vendorid.h" |
---|
88 | #include "strnames.h" |
---|
89 | |
---|
90 | #ifdef ENABLE_NATT |
---|
91 | #include "nattraversal.h" |
---|
92 | #endif |
---|
93 | |
---|
94 | #ifdef HAVE_GSSAPI |
---|
95 | #include "gssapi.h" |
---|
96 | #endif |
---|
97 | |
---|
98 | /* |
---|
99 | * begin Aggressive Mode as initiator. |
---|
100 | */ |
---|
101 | /* |
---|
102 | * send to responder |
---|
103 | * psk: HDR, SA, KE, Ni, IDi1 |
---|
104 | * sig: HDR, SA, KE, Ni, IDi1 [, CR ] |
---|
105 | * gssapi: HDR, SA, KE, Ni, IDi1, GSSi |
---|
106 | * rsa: HDR, SA, [ HASH(1),] KE, <IDi1_b>Pubkey_r, <Ni_b>Pubkey_r |
---|
107 | * rev: HDR, SA, [ HASH(1),] <Ni_b>Pubkey_r, <KE_b>Ke_i, |
---|
108 | * <IDii_b>Ke_i [, <Cert-I_b>Ke_i ] |
---|
109 | */ |
---|
110 | int |
---|
111 | agg_i1send(iph1, msg) |
---|
112 | struct ph1handle *iph1; |
---|
113 | vchar_t *msg; /* must be null */ |
---|
114 | { |
---|
115 | struct payload_list *plist = NULL; |
---|
116 | int error = -1; |
---|
117 | #ifdef ENABLE_NATT |
---|
118 | vchar_t *vid_natt[MAX_NATT_VID_COUNT] = { NULL }; |
---|
119 | int i; |
---|
120 | #endif |
---|
121 | #ifdef ENABLE_HYBRID |
---|
122 | vchar_t *vid_xauth = NULL; |
---|
123 | vchar_t *vid_unity = NULL; |
---|
124 | #endif |
---|
125 | #ifdef ENABLE_FRAG |
---|
126 | vchar_t *vid_frag = NULL; |
---|
127 | #endif |
---|
128 | #ifdef HAVE_GSSAPI |
---|
129 | vchar_t *gsstoken = NULL; |
---|
130 | int len; |
---|
131 | #endif |
---|
132 | #ifdef ENABLE_DPD |
---|
133 | vchar_t *vid_dpd = NULL; |
---|
134 | #endif |
---|
135 | |
---|
136 | /* validity check */ |
---|
137 | if (msg != NULL) { |
---|
138 | plog(LLV_ERROR, LOCATION, NULL, |
---|
139 | "msg has to be NULL in this function.\n"); |
---|
140 | goto end; |
---|
141 | } |
---|
142 | if (iph1->status != PHASE1ST_START) { |
---|
143 | plog(LLV_ERROR, LOCATION, NULL, |
---|
144 | "status mismatched %d.\n", iph1->status); |
---|
145 | goto end; |
---|
146 | } |
---|
147 | |
---|
148 | /* create isakmp index */ |
---|
149 | memset(&iph1->index, 0, sizeof(iph1->index)); |
---|
150 | isakmp_newcookie((caddr_t)&iph1->index, iph1->remote, iph1->local); |
---|
151 | |
---|
152 | /* make ID payload into isakmp status */ |
---|
153 | if (ipsecdoi_setid1(iph1) < 0) |
---|
154 | goto end; |
---|
155 | |
---|
156 | /* create SA payload for my proposal */ |
---|
157 | iph1->sa = ipsecdoi_setph1proposal(iph1->rmconf, iph1->rmconf->proposal); |
---|
158 | if (iph1->sa == NULL) |
---|
159 | goto end; |
---|
160 | |
---|
161 | /* consistency check of proposals */ |
---|
162 | if (iph1->rmconf->dhgrp == NULL) { |
---|
163 | plog(LLV_ERROR, LOCATION, NULL, |
---|
164 | "configuration failure about DH group.\n"); |
---|
165 | goto end; |
---|
166 | } |
---|
167 | |
---|
168 | /* generate DH public value */ |
---|
169 | if (oakley_dh_generate(iph1->rmconf->dhgrp, |
---|
170 | &iph1->dhpub, &iph1->dhpriv) < 0) |
---|
171 | goto end; |
---|
172 | |
---|
173 | /* generate NONCE value */ |
---|
174 | iph1->nonce = eay_set_random(iph1->rmconf->nonce_size); |
---|
175 | if (iph1->nonce == NULL) |
---|
176 | goto end; |
---|
177 | |
---|
178 | #ifdef ENABLE_HYBRID |
---|
179 | /* Do we need Xauth VID? */ |
---|
180 | switch (iph1->rmconf->proposal->authmethod) { |
---|
181 | case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I: |
---|
182 | case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: |
---|
183 | case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: |
---|
184 | case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: |
---|
185 | case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: |
---|
186 | case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I: |
---|
187 | case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I: |
---|
188 | if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL) |
---|
189 | plog(LLV_ERROR, LOCATION, NULL, |
---|
190 | "Xauth vendor ID generation failed\n"); |
---|
191 | if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL) |
---|
192 | plog(LLV_ERROR, LOCATION, NULL, |
---|
193 | "Unity vendor ID generation failed\n"); |
---|
194 | break; |
---|
195 | default: |
---|
196 | break; |
---|
197 | } |
---|
198 | #endif |
---|
199 | |
---|
200 | #ifdef ENABLE_FRAG |
---|
201 | if (iph1->rmconf->ike_frag) { |
---|
202 | vid_frag = set_vendorid(VENDORID_FRAG); |
---|
203 | if (vid_frag != NULL) |
---|
204 | vid_frag = isakmp_frag_addcap(vid_frag, |
---|
205 | VENDORID_FRAG_AGG); |
---|
206 | if (vid_frag == NULL) |
---|
207 | plog(LLV_ERROR, LOCATION, NULL, |
---|
208 | "Frag vendorID construction failed\n"); |
---|
209 | } |
---|
210 | #endif |
---|
211 | |
---|
212 | plog(LLV_DEBUG, LOCATION, NULL, "authmethod is %s\n", |
---|
213 | s_oakley_attr_method(iph1->rmconf->proposal->authmethod)); |
---|
214 | #ifdef HAVE_GSSAPI |
---|
215 | if (iph1->rmconf->proposal->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) |
---|
216 | gssapi_get_itoken(iph1, &len); |
---|
217 | #endif |
---|
218 | |
---|
219 | /* set SA payload to propose */ |
---|
220 | plist = isakmp_plist_append(plist, iph1->sa, ISAKMP_NPTYPE_SA); |
---|
221 | |
---|
222 | /* create isakmp KE payload */ |
---|
223 | plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE); |
---|
224 | |
---|
225 | /* create isakmp NONCE payload */ |
---|
226 | plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE); |
---|
227 | |
---|
228 | /* create isakmp ID payload */ |
---|
229 | plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID); |
---|
230 | |
---|
231 | #ifdef HAVE_GSSAPI |
---|
232 | if (iph1->rmconf->proposal->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) { |
---|
233 | if (gssapi_get_token_to_send(iph1, &gsstoken) < 0) { |
---|
234 | plog(LLV_ERROR, LOCATION, NULL, |
---|
235 | "Failed to get gssapi token.\n"); |
---|
236 | goto end; |
---|
237 | } |
---|
238 | plist = isakmp_plist_append(plist, gsstoken, ISAKMP_NPTYPE_GSS); |
---|
239 | } |
---|
240 | #endif |
---|
241 | /* create isakmp CR payload */ |
---|
242 | if (oakley_needcr(iph1->rmconf->proposal->authmethod)) |
---|
243 | plist = oakley_append_cr(plist, iph1); |
---|
244 | |
---|
245 | #ifdef ENABLE_FRAG |
---|
246 | if (vid_frag) |
---|
247 | plist = isakmp_plist_append(plist, vid_frag, ISAKMP_NPTYPE_VID); |
---|
248 | #endif |
---|
249 | #ifdef ENABLE_NATT |
---|
250 | /* |
---|
251 | * set VID payload for NAT-T if NAT-T |
---|
252 | * support allowed in the config file |
---|
253 | */ |
---|
254 | if (iph1->rmconf->nat_traversal) |
---|
255 | plist = isakmp_plist_append_natt_vids(plist, vid_natt); |
---|
256 | #endif |
---|
257 | #ifdef ENABLE_HYBRID |
---|
258 | if (vid_xauth) |
---|
259 | plist = isakmp_plist_append(plist, |
---|
260 | vid_xauth, ISAKMP_NPTYPE_VID); |
---|
261 | if (vid_unity) |
---|
262 | plist = isakmp_plist_append(plist, |
---|
263 | vid_unity, ISAKMP_NPTYPE_VID); |
---|
264 | #endif |
---|
265 | #ifdef ENABLE_DPD |
---|
266 | if(iph1->rmconf->dpd){ |
---|
267 | vid_dpd = set_vendorid(VENDORID_DPD); |
---|
268 | if (vid_dpd != NULL) |
---|
269 | plist = isakmp_plist_append(plist, vid_dpd, ISAKMP_NPTYPE_VID); |
---|
270 | } |
---|
271 | #endif |
---|
272 | |
---|
273 | iph1->sendbuf = isakmp_plist_set_all (&plist, iph1); |
---|
274 | |
---|
275 | #ifdef HAVE_PRINT_ISAKMP_C |
---|
276 | isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0); |
---|
277 | #endif |
---|
278 | |
---|
279 | /* send the packet, add to the schedule to resend */ |
---|
280 | if (isakmp_ph1send(iph1) == -1) |
---|
281 | goto end; |
---|
282 | |
---|
283 | iph1->status = PHASE1ST_MSG1SENT; |
---|
284 | |
---|
285 | error = 0; |
---|
286 | |
---|
287 | end: |
---|
288 | #ifdef HAVE_GSSAPI |
---|
289 | if (gsstoken) |
---|
290 | vfree(gsstoken); |
---|
291 | #endif |
---|
292 | #ifdef ENABLE_FRAG |
---|
293 | if (vid_frag) |
---|
294 | vfree(vid_frag); |
---|
295 | #endif |
---|
296 | #ifdef ENABLE_NATT |
---|
297 | for (i = 0; i < MAX_NATT_VID_COUNT && vid_natt[i] != NULL; i++) |
---|
298 | vfree(vid_natt[i]); |
---|
299 | #endif |
---|
300 | #ifdef ENABLE_HYBRID |
---|
301 | if (vid_xauth != NULL) |
---|
302 | vfree(vid_xauth); |
---|
303 | if (vid_unity != NULL) |
---|
304 | vfree(vid_unity); |
---|
305 | #endif |
---|
306 | #ifdef ENABLE_DPD |
---|
307 | if (vid_dpd != NULL) |
---|
308 | vfree(vid_dpd); |
---|
309 | #endif |
---|
310 | |
---|
311 | return error; |
---|
312 | } |
---|
313 | |
---|
314 | /* |
---|
315 | * receive from responder |
---|
316 | * psk: HDR, SA, KE, Nr, IDr1, HASH_R |
---|
317 | * sig: HDR, SA, KE, Nr, IDr1, [ CR, ] [ CERT, ] SIG_R |
---|
318 | * gssapi: HDR, SA, KE, Nr, IDr1, GSSr, HASH_R |
---|
319 | * rsa: HDR, SA, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i, HASH_R |
---|
320 | * rev: HDR, SA, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDir_b>Ke_r, HASH_R |
---|
321 | */ |
---|
322 | int |
---|
323 | agg_i2recv(iph1, msg) |
---|
324 | struct ph1handle *iph1; |
---|
325 | vchar_t *msg; |
---|
326 | { |
---|
327 | vchar_t *pbuf = NULL; |
---|
328 | struct isakmp_parse_t *pa; |
---|
329 | vchar_t *satmp = NULL; |
---|
330 | int error = -1; |
---|
331 | int ptype; |
---|
332 | #ifdef ENABLE_HYBRID |
---|
333 | vchar_t *unity_vid; |
---|
334 | vchar_t *xauth_vid; |
---|
335 | #endif |
---|
336 | #ifdef HAVE_GSSAPI |
---|
337 | vchar_t *gsstoken = NULL; |
---|
338 | #endif |
---|
339 | |
---|
340 | #ifdef ENABLE_NATT |
---|
341 | int natd_seq = 0; |
---|
342 | struct natd_payload { |
---|
343 | int seq; |
---|
344 | vchar_t *payload; |
---|
345 | TAILQ_ENTRY(natd_payload) chain; |
---|
346 | }; |
---|
347 | TAILQ_HEAD(_natd_payload, natd_payload) natd_tree; |
---|
348 | TAILQ_INIT(&natd_tree); |
---|
349 | #endif |
---|
350 | |
---|
351 | /* validity check */ |
---|
352 | if (iph1->status != PHASE1ST_MSG1SENT) { |
---|
353 | plog(LLV_ERROR, LOCATION, NULL, |
---|
354 | "status mismatched %d.\n", iph1->status); |
---|
355 | goto end; |
---|
356 | } |
---|
357 | |
---|
358 | /* validate the type of next payload */ |
---|
359 | pbuf = isakmp_parse(msg); |
---|
360 | if (pbuf == NULL) |
---|
361 | goto end; |
---|
362 | pa = (struct isakmp_parse_t *)pbuf->v; |
---|
363 | |
---|
364 | iph1->pl_hash = NULL; |
---|
365 | |
---|
366 | /* SA payload is fixed postion */ |
---|
367 | if (pa->type != ISAKMP_NPTYPE_SA) { |
---|
368 | plog(LLV_ERROR, LOCATION, iph1->remote, |
---|
369 | "received invalid next payload type %d, " |
---|
370 | "expecting %d.\n", |
---|
371 | pa->type, ISAKMP_NPTYPE_SA); |
---|
372 | goto end; |
---|
373 | } |
---|
374 | |
---|
375 | if (isakmp_p2ph(&satmp, pa->ptr) < 0) |
---|
376 | goto end; |
---|
377 | pa++; |
---|
378 | |
---|
379 | for (/*nothing*/; |
---|
380 | pa->type != ISAKMP_NPTYPE_NONE; |
---|
381 | pa++) { |
---|
382 | |
---|
383 | switch (pa->type) { |
---|
384 | case ISAKMP_NPTYPE_KE: |
---|
385 | if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) |
---|
386 | goto end; |
---|
387 | break; |
---|
388 | case ISAKMP_NPTYPE_NONCE: |
---|
389 | if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) |
---|
390 | goto end; |
---|
391 | break; |
---|
392 | case ISAKMP_NPTYPE_ID: |
---|
393 | if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) |
---|
394 | goto end; |
---|
395 | break; |
---|
396 | case ISAKMP_NPTYPE_HASH: |
---|
397 | iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr; |
---|
398 | break; |
---|
399 | case ISAKMP_NPTYPE_CR: |
---|
400 | if (oakley_savecr(iph1, pa->ptr) < 0) |
---|
401 | goto end; |
---|
402 | break; |
---|
403 | case ISAKMP_NPTYPE_CERT: |
---|
404 | if (oakley_savecert(iph1, pa->ptr) < 0) |
---|
405 | goto end; |
---|
406 | break; |
---|
407 | case ISAKMP_NPTYPE_SIG: |
---|
408 | if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) |
---|
409 | goto end; |
---|
410 | break; |
---|
411 | case ISAKMP_NPTYPE_VID: |
---|
412 | handle_vendorid(iph1, pa->ptr); |
---|
413 | break; |
---|
414 | case ISAKMP_NPTYPE_N: |
---|
415 | isakmp_log_notify(iph1, |
---|
416 | (struct isakmp_pl_n *) pa->ptr, |
---|
417 | "aggressive exchange"); |
---|
418 | break; |
---|
419 | #ifdef HAVE_GSSAPI |
---|
420 | case ISAKMP_NPTYPE_GSS: |
---|
421 | if (isakmp_p2ph(&gsstoken, pa->ptr) < 0) |
---|
422 | goto end; |
---|
423 | gssapi_save_received_token(iph1, gsstoken); |
---|
424 | break; |
---|
425 | #endif |
---|
426 | |
---|
427 | #ifdef ENABLE_NATT |
---|
428 | case ISAKMP_NPTYPE_NATD_DRAFT: |
---|
429 | case ISAKMP_NPTYPE_NATD_RFC: |
---|
430 | if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL && |
---|
431 | pa->type == iph1->natt_options->payload_nat_d) { |
---|
432 | struct natd_payload *natd; |
---|
433 | natd = (struct natd_payload *)racoon_malloc(sizeof(*natd)); |
---|
434 | if (!natd) |
---|
435 | goto end; |
---|
436 | |
---|
437 | natd->payload = NULL; |
---|
438 | |
---|
439 | if (isakmp_p2ph (&natd->payload, pa->ptr) < 0) |
---|
440 | goto end; |
---|
441 | |
---|
442 | natd->seq = natd_seq++; |
---|
443 | |
---|
444 | TAILQ_INSERT_TAIL(&natd_tree, natd, chain); |
---|
445 | break; |
---|
446 | } |
---|
447 | /* passthrough to default... */ |
---|
448 | #endif |
---|
449 | |
---|
450 | default: |
---|
451 | /* don't send information, see isakmp_ident_r1() */ |
---|
452 | plog(LLV_ERROR, LOCATION, iph1->remote, |
---|
453 | "ignore the packet, " |
---|
454 | "received unexpecting payload type %d.\n", |
---|
455 | pa->type); |
---|
456 | goto end; |
---|
457 | } |
---|
458 | } |
---|
459 | |
---|
460 | /* payload existency check */ |
---|
461 | if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) { |
---|
462 | plog(LLV_ERROR, LOCATION, iph1->remote, |
---|
463 | "few isakmp message received.\n"); |
---|
464 | goto end; |
---|
465 | } |
---|
466 | |
---|
467 | /* verify identifier */ |
---|
468 | if (ipsecdoi_checkid1(iph1) != 0) { |
---|
469 | plog(LLV_ERROR, LOCATION, iph1->remote, |
---|
470 | "invalid ID payload.\n"); |
---|
471 | goto end; |
---|
472 | } |
---|
473 | |
---|
474 | /* check SA payload and set approval SA for use */ |
---|
475 | if (ipsecdoi_checkph1proposal(satmp, iph1) < 0) { |
---|
476 | plog(LLV_ERROR, LOCATION, iph1->remote, |
---|
477 | "failed to get valid proposal.\n"); |
---|
478 | /* XXX send information */ |
---|
479 | goto end; |
---|
480 | } |
---|
481 | VPTRINIT(iph1->sa_ret); |
---|
482 | |
---|
483 | /* fix isakmp index */ |
---|
484 | memcpy(&iph1->index.r_ck, &((struct isakmp *)msg->v)->r_ck, |
---|
485 | sizeof(cookie_t)); |
---|
486 | |
---|
487 | #ifdef ENABLE_NATT |
---|
488 | if (NATT_AVAILABLE(iph1)) { |
---|
489 | struct natd_payload *natd = NULL; |
---|
490 | int natd_verified; |
---|
491 | |
---|
492 | plog(LLV_INFO, LOCATION, iph1->remote, |
---|
493 | "Selected NAT-T version: %s\n", |
---|
494 | vid_string_by_id(iph1->natt_options->version)); |
---|
495 | |
---|
496 | /* set both bits first so that we can clear them |
---|
497 | upon verifying hashes */ |
---|
498 | iph1->natt_flags |= NAT_DETECTED; |
---|
499 | |
---|
500 | while ((natd = TAILQ_FIRST(&natd_tree)) != NULL) { |
---|
501 | /* this function will clear appropriate bits bits |
---|
502 | from iph1->natt_flags */ |
---|
503 | natd_verified = natt_compare_addr_hash (iph1, |
---|
504 | natd->payload, natd->seq); |
---|
505 | |
---|
506 | plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n", |
---|
507 | natd->seq - 1, |
---|
508 | natd_verified ? "verified" : "doesn't match"); |
---|
509 | |
---|
510 | vfree (natd->payload); |
---|
511 | |
---|
512 | TAILQ_REMOVE(&natd_tree, natd, chain); |
---|
513 | racoon_free (natd); |
---|
514 | } |
---|
515 | |
---|
516 | plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n", |
---|
517 | iph1->natt_flags & NAT_DETECTED ? |
---|
518 | "detected:" : "not detected", |
---|
519 | iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "", |
---|
520 | iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : ""); |
---|
521 | |
---|
522 | if (iph1->natt_flags & NAT_DETECTED) |
---|
523 | natt_float_ports (iph1); |
---|
524 | } |
---|
525 | #endif |
---|
526 | |
---|
527 | /* compute sharing secret of DH */ |
---|
528 | if (oakley_dh_compute(iph1->rmconf->dhgrp, iph1->dhpub, |
---|
529 | iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) |
---|
530 | goto end; |
---|
531 | |
---|
532 | /* generate SKEYIDs & IV & final cipher key */ |
---|
533 | if (oakley_skeyid(iph1) < 0) |
---|
534 | goto end; |
---|
535 | if (oakley_skeyid_dae(iph1) < 0) |
---|
536 | goto end; |
---|
537 | if (oakley_compute_enckey(iph1) < 0) |
---|
538 | goto end; |
---|
539 | if (oakley_newiv(iph1) < 0) |
---|
540 | goto end; |
---|
541 | |
---|
542 | /* validate authentication value */ |
---|
543 | ptype = oakley_validate_auth(iph1); |
---|
544 | if (ptype != 0) { |
---|
545 | if (ptype == -1) { |
---|
546 | /* message printed inner oakley_validate_auth() */ |
---|
547 | goto end; |
---|
548 | } |
---|
549 | evt_phase1(iph1, EVT_PHASE1_AUTH_FAILED, NULL); |
---|
550 | isakmp_info_send_n1(iph1, ptype, NULL); |
---|
551 | goto end; |
---|
552 | } |
---|
553 | |
---|
554 | if (oakley_checkcr(iph1) < 0) { |
---|
555 | /* Ignore this error in order to be interoperability. */ |
---|
556 | ; |
---|
557 | } |
---|
558 | |
---|
559 | /* change status of isakmp status entry */ |
---|
560 | iph1->status = PHASE1ST_MSG2RECEIVED; |
---|
561 | |
---|
562 | error = 0; |
---|
563 | |
---|
564 | end: |
---|
565 | #ifdef HAVE_GSSAPI |
---|
566 | if (gsstoken) |
---|
567 | vfree(gsstoken); |
---|
568 | #endif |
---|
569 | if (pbuf) |
---|
570 | vfree(pbuf); |
---|
571 | if (satmp) |
---|
572 | vfree(satmp); |
---|
573 | if (error) { |
---|
574 | VPTRINIT(iph1->dhpub_p); |
---|
575 | VPTRINIT(iph1->nonce_p); |
---|
576 | VPTRINIT(iph1->id_p); |
---|
577 | VPTRINIT(iph1->cert_p); |
---|
578 | VPTRINIT(iph1->crl_p); |
---|
579 | VPTRINIT(iph1->sig_p); |
---|
580 | VPTRINIT(iph1->cr_p); |
---|
581 | } |
---|
582 | |
---|
583 | return error; |
---|
584 | } |
---|
585 | |
---|
586 | /* |
---|
587 | * send to responder |
---|
588 | * psk: HDR, HASH_I |
---|
589 | * gssapi: HDR, HASH_I |
---|
590 | * sig: HDR, [ CERT, ] SIG_I |
---|
591 | * rsa: HDR, HASH_I |
---|
592 | * rev: HDR, HASH_I |
---|
593 | */ |
---|
594 | int |
---|
595 | agg_i2send(iph1, msg) |
---|
596 | struct ph1handle *iph1; |
---|
597 | vchar_t *msg; |
---|
598 | { |
---|
599 | struct payload_list *plist = NULL; |
---|
600 | int need_cert = 0; |
---|
601 | int error = -1; |
---|
602 | vchar_t *gsshash = NULL; |
---|
603 | |
---|
604 | /* validity check */ |
---|
605 | if (iph1->status != PHASE1ST_MSG2RECEIVED) { |
---|
606 | plog(LLV_ERROR, LOCATION, NULL, |
---|
607 | "status mismatched %d.\n", iph1->status); |
---|
608 | goto end; |
---|
609 | } |
---|
610 | |
---|
611 | /* generate HASH to send */ |
---|
612 | plog(LLV_DEBUG, LOCATION, NULL, "generate HASH_I\n"); |
---|
613 | iph1->hash = oakley_ph1hash_common(iph1, GENERATE); |
---|
614 | if (iph1->hash == NULL) { |
---|
615 | #ifdef HAVE_GSSAPI |
---|
616 | if (gssapi_more_tokens(iph1) && |
---|
617 | #ifdef ENABLE_HYBRID |
---|
618 | !iph1->rmconf->xauth && |
---|
619 | #endif |
---|
620 | 1) |
---|
621 | isakmp_info_send_n1(iph1, |
---|
622 | ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, NULL); |
---|
623 | #endif |
---|
624 | goto end; |
---|
625 | } |
---|
626 | |
---|
627 | switch (iph1->approval->authmethod) { |
---|
628 | case OAKLEY_ATTR_AUTH_METHOD_PSKEY: |
---|
629 | #ifdef ENABLE_HYBRID |
---|
630 | case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I: |
---|
631 | case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: |
---|
632 | case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: |
---|
633 | #endif |
---|
634 | /* set HASH payload */ |
---|
635 | plist = isakmp_plist_append(plist, |
---|
636 | iph1->hash, ISAKMP_NPTYPE_HASH); |
---|
637 | break; |
---|
638 | |
---|
639 | case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: |
---|
640 | case OAKLEY_ATTR_AUTH_METHOD_RSASIG: |
---|
641 | #ifdef ENABLE_HYBRID |
---|
642 | case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: |
---|
643 | case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: |
---|
644 | #endif |
---|
645 | /* XXX if there is CR or not ? */ |
---|
646 | |
---|
647 | if (oakley_getmycert(iph1) < 0) |
---|
648 | goto end; |
---|
649 | |
---|
650 | if (oakley_getsign(iph1) < 0) |
---|
651 | goto end; |
---|
652 | |
---|
653 | if (iph1->cert != NULL && iph1->rmconf->send_cert) |
---|
654 | need_cert = 1; |
---|
655 | |
---|
656 | /* add CERT payload if there */ |
---|
657 | if (need_cert) |
---|
658 | plist = isakmp_plist_append(plist, iph1->cert, |
---|
659 | ISAKMP_NPTYPE_CERT); |
---|
660 | |
---|
661 | /* add SIG payload */ |
---|
662 | plist = isakmp_plist_append(plist, |
---|
663 | iph1->sig, ISAKMP_NPTYPE_SIG); |
---|
664 | break; |
---|
665 | |
---|
666 | case OAKLEY_ATTR_AUTH_METHOD_RSAENC: |
---|
667 | case OAKLEY_ATTR_AUTH_METHOD_RSAREV: |
---|
668 | #ifdef ENABLE_HYBRID |
---|
669 | case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I: |
---|
670 | case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I: |
---|
671 | #endif |
---|
672 | break; |
---|
673 | #ifdef HAVE_GSSAPI |
---|
674 | case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB: |
---|
675 | gsshash = gssapi_wraphash(iph1); |
---|
676 | if (gsshash == NULL) { |
---|
677 | plog(LLV_ERROR, LOCATION, NULL, |
---|
678 | "failed to wrap hash\n"); |
---|
679 | isakmp_info_send_n1(iph1, |
---|
680 | ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, NULL); |
---|
681 | goto end; |
---|
682 | } |
---|
683 | |
---|
684 | plist = isakmp_plist_append(plist, |
---|
685 | gsshash, ISAKMP_NPTYPE_HASH); |
---|
686 | break; |
---|
687 | #endif |
---|
688 | } |
---|
689 | |
---|
690 | #ifdef ENABLE_NATT |
---|
691 | /* generate NAT-D payloads */ |
---|
692 | if (NATT_AVAILABLE(iph1)) { |
---|
693 | vchar_t *natd[2] = { NULL, NULL }; |
---|
694 | |
---|
695 | plog(LLV_INFO, LOCATION, |
---|
696 | NULL, "Adding remote and local NAT-D payloads.\n"); |
---|
697 | |
---|
698 | if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) { |
---|
699 | plog(LLV_ERROR, LOCATION, NULL, |
---|
700 | "NAT-D hashing failed for %s\n", |
---|
701 | saddr2str(iph1->remote)); |
---|
702 | goto end; |
---|
703 | } |
---|
704 | |
---|
705 | if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) { |
---|
706 | plog(LLV_ERROR, LOCATION, NULL, |
---|
707 | "NAT-D hashing failed for %s\n", |
---|
708 | saddr2str(iph1->local)); |
---|
709 | goto end; |
---|
710 | } |
---|
711 | |
---|
712 | plist = isakmp_plist_append(plist, |
---|
713 | natd[0], iph1->natt_options->payload_nat_d); |
---|
714 | plist = isakmp_plist_append(plist, |
---|
715 | natd[1], iph1->natt_options->payload_nat_d); |
---|
716 | } |
---|
717 | #endif |
---|
718 | |
---|
719 | iph1->sendbuf = isakmp_plist_set_all (&plist, iph1); |
---|
720 | |
---|
721 | #ifdef HAVE_PRINT_ISAKMP_C |
---|
722 | isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0); |
---|
723 | #endif |
---|
724 | |
---|
725 | /* send to responder */ |
---|
726 | if (isakmp_send(iph1, iph1->sendbuf) < 0) |
---|
727 | goto end; |
---|
728 | |
---|
729 | /* the sending message is added to the received-list. */ |
---|
730 | if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) { |
---|
731 | plog(LLV_ERROR , LOCATION, NULL, |
---|
732 | "failed to add a response packet to the tree.\n"); |
---|
733 | goto end; |
---|
734 | } |
---|
735 | |
---|
736 | /* set encryption flag */ |
---|
737 | iph1->flags |= ISAKMP_FLAG_E; |
---|
738 | |
---|
739 | iph1->status = PHASE1ST_ESTABLISHED; |
---|
740 | |
---|
741 | error = 0; |
---|
742 | |
---|
743 | end: |
---|
744 | if (gsshash) |
---|
745 | vfree(gsshash); |
---|
746 | return error; |
---|
747 | } |
---|
748 | |
---|
749 | /* |
---|
750 | * receive from initiator |
---|
751 | * psk: HDR, SA, KE, Ni, IDi1 |
---|
752 | * sig: HDR, SA, KE, Ni, IDi1 [, CR ] |
---|
753 | * gssapi: HDR, SA, KE, Ni, IDi1 , GSSi |
---|
754 | * rsa: HDR, SA, [ HASH(1),] KE, <IDi1_b>Pubkey_r, <Ni_b>Pubkey_r |
---|
755 | * rev: HDR, SA, [ HASH(1),] <Ni_b>Pubkey_r, <KE_b>Ke_i, |
---|
756 | * <IDii_b>Ke_i [, <Cert-I_b>Ke_i ] |
---|
757 | */ |
---|
758 | int |
---|
759 | agg_r1recv(iph1, msg) |
---|
760 | struct ph1handle *iph1; |
---|
761 | vchar_t *msg; |
---|
762 | { |
---|
763 | int error = -1; |
---|
764 | vchar_t *pbuf = NULL; |
---|
765 | struct isakmp_parse_t *pa; |
---|
766 | int vid_numeric; |
---|
767 | #ifdef HAVE_GSSAPI |
---|
768 | vchar_t *gsstoken = NULL; |
---|
769 | #endif |
---|
770 | |
---|
771 | /* validity check */ |
---|
772 | if (iph1->status != PHASE1ST_START) { |
---|
773 | plog(LLV_ERROR, LOCATION, NULL, |
---|
774 | "status mismatched %d.\n", iph1->status); |
---|
775 | goto end; |
---|
776 | } |
---|
777 | |
---|
778 | /* validate the type of next payload */ |
---|
779 | pbuf = isakmp_parse(msg); |
---|
780 | if (pbuf == NULL) |
---|
781 | goto end; |
---|
782 | pa = (struct isakmp_parse_t *)pbuf->v; |
---|
783 | |
---|
784 | /* SA payload is fixed postion */ |
---|
785 | if (pa->type != ISAKMP_NPTYPE_SA) { |
---|
786 | plog(LLV_ERROR, LOCATION, iph1->remote, |
---|
787 | "received invalid next payload type %d, " |
---|
788 | "expecting %d.\n", |
---|
789 | pa->type, ISAKMP_NPTYPE_SA); |
---|
790 | goto end; |
---|
791 | } |
---|
792 | if (isakmp_p2ph(&iph1->sa, pa->ptr) < 0) |
---|
793 | goto end; |
---|
794 | pa++; |
---|
795 | |
---|
796 | for (/*nothing*/; |
---|
797 | pa->type != ISAKMP_NPTYPE_NONE; |
---|
798 | pa++) { |
---|
799 | |
---|
800 | plog(LLV_DEBUG, LOCATION, NULL, |
---|
801 | "received payload of type %s\n", |
---|
802 | s_isakmp_nptype(pa->type)); |
---|
803 | |
---|
804 | switch (pa->type) { |
---|
805 | case ISAKMP_NPTYPE_KE: |
---|
806 | if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) |
---|
807 | goto end; |
---|
808 | break; |
---|
809 | case ISAKMP_NPTYPE_NONCE: |
---|
810 | if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) |
---|
811 | goto end; |
---|
812 | break; |
---|
813 | case ISAKMP_NPTYPE_ID: |
---|
814 | if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) |
---|
815 | goto end; |
---|
816 | break; |
---|
817 | case ISAKMP_NPTYPE_VID: |
---|
818 | vid_numeric = handle_vendorid(iph1, pa->ptr); |
---|
819 | #ifdef ENABLE_FRAG |
---|
820 | if ((vid_numeric == VENDORID_FRAG) && |
---|
821 | (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_AGG)) |
---|
822 | iph1->frag = 1; |
---|
823 | #endif |
---|
824 | break; |
---|
825 | |
---|
826 | case ISAKMP_NPTYPE_CR: |
---|
827 | if (oakley_savecr(iph1, pa->ptr) < 0) |
---|
828 | goto end; |
---|
829 | break; |
---|
830 | |
---|
831 | #ifdef HAVE_GSSAPI |
---|
832 | case ISAKMP_NPTYPE_GSS: |
---|
833 | if (isakmp_p2ph(&gsstoken, pa->ptr) < 0) |
---|
834 | goto end; |
---|
835 | gssapi_save_received_token(iph1, gsstoken); |
---|
836 | break; |
---|
837 | #endif |
---|
838 | default: |
---|
839 | /* don't send information, see isakmp_ident_r1() */ |
---|
840 | plog(LLV_ERROR, LOCATION, iph1->remote, |
---|
841 | "ignore the packet, " |
---|
842 | "received unexpecting payload type %d.\n", |
---|
843 | pa->type); |
---|
844 | goto end; |
---|
845 | } |
---|
846 | } |
---|
847 | |
---|
848 | /* payload existency check */ |
---|
849 | if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) { |
---|
850 | plog(LLV_ERROR, LOCATION, iph1->remote, |
---|
851 | "few isakmp message received.\n"); |
---|
852 | goto end; |
---|
853 | } |
---|
854 | |
---|
855 | /* verify identifier */ |
---|
856 | if (ipsecdoi_checkid1(iph1) != 0) { |
---|
857 | plog(LLV_ERROR, LOCATION, iph1->remote, |
---|
858 | "invalid ID payload.\n"); |
---|
859 | goto end; |
---|
860 | } |
---|
861 | |
---|
862 | #ifdef ENABLE_NATT |
---|
863 | if (NATT_AVAILABLE(iph1)) |
---|
864 | plog(LLV_INFO, LOCATION, iph1->remote, |
---|
865 | "Selected NAT-T version: %s\n", |
---|
866 | vid_string_by_id(iph1->natt_options->version)); |
---|
867 | #endif |
---|
868 | |
---|
869 | /* check SA payload and set approval SA for use */ |
---|
870 | if (ipsecdoi_checkph1proposal(iph1->sa, iph1) < 0) { |
---|
871 | plog(LLV_ERROR, LOCATION, iph1->remote, |
---|
872 | "failed to get valid proposal.\n"); |
---|
873 | /* XXX send information */ |
---|
874 | goto end; |
---|
875 | } |
---|
876 | |
---|
877 | if (oakley_checkcr(iph1) < 0) { |
---|
878 | /* Ignore this error in order to be interoperability. */ |
---|
879 | ; |
---|
880 | } |
---|
881 | |
---|
882 | iph1->status = PHASE1ST_MSG1RECEIVED; |
---|
883 | |
---|
884 | error = 0; |
---|
885 | |
---|
886 | end: |
---|
887 | #ifdef HAVE_GSSAPI |
---|
888 | if (gsstoken) |
---|
889 | vfree(gsstoken); |
---|
890 | #endif |
---|
891 | if (pbuf) |
---|
892 | vfree(pbuf); |
---|
893 | if (error) { |
---|
894 | VPTRINIT(iph1->sa); |
---|
895 | VPTRINIT(iph1->dhpub_p); |
---|
896 | VPTRINIT(iph1->nonce_p); |
---|
897 | VPTRINIT(iph1->id_p); |
---|
898 | VPTRINIT(iph1->cr_p); |
---|
899 | } |
---|
900 | |
---|
901 | return error; |
---|
902 | } |
---|
903 | |
---|
904 | /* |
---|
905 | * send to initiator |
---|
906 | * psk: HDR, SA, KE, Nr, IDr1, HASH_R |
---|
907 | * sig: HDR, SA, KE, Nr, IDr1, [ CR, ] [ CERT, ] SIG_R |
---|
908 | * gssapi: HDR, SA, KE, Nr, IDr1, GSSr, HASH_R |
---|
909 | * rsa: HDR, SA, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i, HASH_R |
---|
910 | * rev: HDR, SA, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDir_b>Ke_r, HASH_R |
---|
911 | */ |
---|
912 | int |
---|
913 | agg_r1send(iph1, msg) |
---|
914 | struct ph1handle *iph1; |
---|
915 | vchar_t *msg; |
---|
916 | { |
---|
917 | struct payload_list *plist = NULL; |
---|
918 | int need_cert = 0; |
---|
919 | int error = -1; |
---|
920 | #ifdef ENABLE_HYBRID |
---|
921 | vchar_t *xauth_vid = NULL; |
---|
922 | vchar_t *unity_vid = NULL; |
---|
923 | #endif |
---|
924 | #ifdef ENABLE_NATT |
---|
925 | vchar_t *vid_natt = NULL; |
---|
926 | vchar_t *natd[2] = { NULL, NULL }; |
---|
927 | #endif |
---|
928 | #ifdef ENABLE_DPD |
---|
929 | vchar_t *vid_dpd = NULL; |
---|
930 | #endif |
---|
931 | #ifdef ENABLE_FRAG |
---|
932 | vchar_t *vid_frag = NULL; |
---|
933 | #endif |
---|
934 | |
---|
935 | #ifdef HAVE_GSSAPI |
---|
936 | int gsslen; |
---|
937 | vchar_t *gsstoken = NULL, *gsshash = NULL; |
---|
938 | vchar_t *gss_sa = NULL; |
---|
939 | int free_gss_sa = 0; |
---|
940 | #endif |
---|
941 | |
---|
942 | /* validity check */ |
---|
943 | if (iph1->status != PHASE1ST_MSG1RECEIVED) { |
---|
944 | plog(LLV_ERROR, LOCATION, NULL, |
---|
945 | "status mismatched %d.\n", iph1->status); |
---|
946 | goto end; |
---|
947 | } |
---|
948 | |
---|
949 | /* set responder's cookie */ |
---|
950 | isakmp_newcookie((caddr_t)&iph1->index.r_ck, iph1->remote, iph1->local); |
---|
951 | |
---|
952 | /* make ID payload into isakmp status */ |
---|
953 | if (ipsecdoi_setid1(iph1) < 0) |
---|
954 | goto end; |
---|
955 | |
---|
956 | /* generate DH public value */ |
---|
957 | if (oakley_dh_generate(iph1->rmconf->dhgrp, |
---|
958 | &iph1->dhpub, &iph1->dhpriv) < 0) |
---|
959 | goto end; |
---|
960 | |
---|
961 | /* generate NONCE value */ |
---|
962 | iph1->nonce = eay_set_random(iph1->rmconf->nonce_size); |
---|
963 | if (iph1->nonce == NULL) |
---|
964 | goto end; |
---|
965 | |
---|
966 | /* compute sharing secret of DH */ |
---|
967 | if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub, |
---|
968 | iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) |
---|
969 | goto end; |
---|
970 | |
---|
971 | /* generate SKEYIDs & IV & final cipher key */ |
---|
972 | if (oakley_skeyid(iph1) < 0) |
---|
973 | goto end; |
---|
974 | if (oakley_skeyid_dae(iph1) < 0) |
---|
975 | goto end; |
---|
976 | if (oakley_compute_enckey(iph1) < 0) |
---|
977 | goto end; |
---|
978 | if (oakley_newiv(iph1) < 0) |
---|
979 | goto end; |
---|
980 | |
---|
981 | #ifdef HAVE_GSSAPI |
---|
982 | if (iph1->rmconf->proposal->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) |
---|
983 | gssapi_get_rtoken(iph1, &gsslen); |
---|
984 | #endif |
---|
985 | |
---|
986 | /* generate HASH to send */ |
---|
987 | plog(LLV_DEBUG, LOCATION, NULL, "generate HASH_R\n"); |
---|
988 | iph1->hash = oakley_ph1hash_common(iph1, GENERATE); |
---|
989 | if (iph1->hash == NULL) { |
---|
990 | #ifdef HAVE_GSSAPI |
---|
991 | if (gssapi_more_tokens(iph1)) |
---|
992 | isakmp_info_send_n1(iph1, |
---|
993 | ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, NULL); |
---|
994 | #endif |
---|
995 | goto end; |
---|
996 | } |
---|
997 | |
---|
998 | #ifdef ENABLE_NATT |
---|
999 | /* Has the peer announced NAT-T? */ |
---|
1000 | if (NATT_AVAILABLE(iph1)) { |
---|
1001 | /* set chosen VID */ |
---|
1002 | vid_natt = set_vendorid(iph1->natt_options->version); |
---|
1003 | |
---|
1004 | /* generate NAT-D payloads */ |
---|
1005 | plog (LLV_INFO, LOCATION, NULL, "Adding remote and local NAT-D payloads.\n"); |
---|
1006 | if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) { |
---|
1007 | plog(LLV_ERROR, LOCATION, NULL, |
---|
1008 | "NAT-D hashing failed for %s\n", saddr2str(iph1->remote)); |
---|
1009 | goto end; |
---|
1010 | } |
---|
1011 | |
---|
1012 | if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) { |
---|
1013 | plog(LLV_ERROR, LOCATION, NULL, |
---|
1014 | "NAT-D hashing failed for %s\n", saddr2str(iph1->local)); |
---|
1015 | goto end; |
---|
1016 | } |
---|
1017 | } |
---|
1018 | #endif |
---|
1019 | #ifdef ENABLE_DPD |
---|
1020 | /* Only send DPD support if remote announced DPD and if DPD support is active */ |
---|
1021 | if (iph1->dpd_support && iph1->rmconf->dpd) |
---|
1022 | vid_dpd = set_vendorid(VENDORID_DPD); |
---|
1023 | #endif |
---|
1024 | #ifdef ENABLE_FRAG |
---|
1025 | if (iph1->frag) { |
---|
1026 | vid_frag = set_vendorid(VENDORID_FRAG); |
---|
1027 | if (vid_frag != NULL) |
---|
1028 | vid_frag = isakmp_frag_addcap(vid_frag, |
---|
1029 | VENDORID_FRAG_AGG); |
---|
1030 | if (vid_frag == NULL) |
---|
1031 | plog(LLV_ERROR, LOCATION, NULL, |
---|
1032 | "Frag vendorID construction failed\n"); |
---|
1033 | } |
---|
1034 | #endif |
---|
1035 | |
---|
1036 | switch (iph1->approval->authmethod) { |
---|
1037 | case OAKLEY_ATTR_AUTH_METHOD_PSKEY: |
---|
1038 | #ifdef ENABLE_HYBRID |
---|
1039 | case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R: |
---|
1040 | #endif |
---|
1041 | /* set SA payload to reply */ |
---|
1042 | plist = isakmp_plist_append(plist, |
---|
1043 | iph1->sa_ret, ISAKMP_NPTYPE_SA); |
---|
1044 | |
---|
1045 | /* create isakmp KE payload */ |
---|
1046 | plist = isakmp_plist_append(plist, |
---|
1047 | iph1->dhpub, ISAKMP_NPTYPE_KE); |
---|
1048 | |
---|
1049 | /* create isakmp NONCE payload */ |
---|
1050 | plist = isakmp_plist_append(plist, |
---|
1051 | iph1->nonce, ISAKMP_NPTYPE_NONCE); |
---|
1052 | |
---|
1053 | /* create isakmp ID payload */ |
---|
1054 | plist = isakmp_plist_append(plist, |
---|
1055 | iph1->id, ISAKMP_NPTYPE_ID); |
---|
1056 | |
---|
1057 | /* create isakmp HASH payload */ |
---|
1058 | plist = isakmp_plist_append(plist, |
---|
1059 | iph1->hash, ISAKMP_NPTYPE_HASH); |
---|
1060 | |
---|
1061 | /* create isakmp CR payload if needed */ |
---|
1062 | if (oakley_needcr(iph1->approval->authmethod)) |
---|
1063 | plist = oakley_append_cr(plist, iph1); |
---|
1064 | break; |
---|
1065 | case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: |
---|
1066 | case OAKLEY_ATTR_AUTH_METHOD_RSASIG: |
---|
1067 | #ifdef ENABLE_HYBRID |
---|
1068 | case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R: |
---|
1069 | case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R: |
---|
1070 | case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: |
---|
1071 | case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R: |
---|
1072 | #endif |
---|
1073 | /* XXX if there is CR or not ? */ |
---|
1074 | |
---|
1075 | if (oakley_getmycert(iph1) < 0) |
---|
1076 | goto end; |
---|
1077 | |
---|
1078 | if (oakley_getsign(iph1) < 0) |
---|
1079 | goto end; |
---|
1080 | |
---|
1081 | if (iph1->cert != NULL && iph1->rmconf->send_cert) |
---|
1082 | need_cert = 1; |
---|
1083 | |
---|
1084 | /* set SA payload to reply */ |
---|
1085 | plist = isakmp_plist_append(plist, |
---|
1086 | iph1->sa_ret, ISAKMP_NPTYPE_SA); |
---|
1087 | |
---|
1088 | /* create isakmp KE payload */ |
---|
1089 | plist = isakmp_plist_append(plist, |
---|
1090 | iph1->dhpub, ISAKMP_NPTYPE_KE); |
---|
1091 | |
---|
1092 | /* create isakmp NONCE payload */ |
---|
1093 | plist = isakmp_plist_append(plist, |
---|
1094 | iph1->nonce, ISAKMP_NPTYPE_NONCE); |
---|
1095 | |
---|
1096 | /* add ID payload */ |
---|
1097 | plist = isakmp_plist_append(plist, |
---|
1098 | iph1->id, ISAKMP_NPTYPE_ID); |
---|
1099 | |
---|
1100 | /* add CERT payload if there */ |
---|
1101 | if (need_cert) |
---|
1102 | plist = isakmp_plist_append(plist, iph1->cert, |
---|
1103 | ISAKMP_NPTYPE_CERT); |
---|
1104 | |
---|
1105 | /* add SIG payload */ |
---|
1106 | plist = isakmp_plist_append(plist, |
---|
1107 | iph1->sig, ISAKMP_NPTYPE_SIG); |
---|
1108 | |
---|
1109 | /* create isakmp CR payload if needed */ |
---|
1110 | if (oakley_needcr(iph1->approval->authmethod)) |
---|
1111 | plist = oakley_append_cr(plist, iph1); |
---|
1112 | break; |
---|
1113 | |
---|
1114 | case OAKLEY_ATTR_AUTH_METHOD_RSAENC: |
---|
1115 | case OAKLEY_ATTR_AUTH_METHOD_RSAREV: |
---|
1116 | #ifdef ENABLE_HYBRID |
---|
1117 | case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R: |
---|
1118 | case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: |
---|
1119 | #endif |
---|
1120 | break; |
---|
1121 | #ifdef HAVE_GSSAPI |
---|
1122 | case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB: |
---|
1123 | /* create buffer to send isakmp payload */ |
---|
1124 | gsshash = gssapi_wraphash(iph1); |
---|
1125 | if (gsshash == NULL) { |
---|
1126 | plog(LLV_ERROR, LOCATION, NULL, |
---|
1127 | "failed to wrap hash\n"); |
---|
1128 | /* |
---|
1129 | * This is probably due to the GSS |
---|
1130 | * roundtrips not being finished yet. |
---|
1131 | * Return this error in the hope that |
---|
1132 | * a fallback to main mode will be done. |
---|
1133 | */ |
---|
1134 | isakmp_info_send_n1(iph1, |
---|
1135 | ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, NULL); |
---|
1136 | goto end; |
---|
1137 | } |
---|
1138 | if (iph1->approval->gssid != NULL) |
---|
1139 | gss_sa = ipsecdoi_setph1proposal(iph1->rmconf, |
---|
1140 | iph1->approval); |
---|
1141 | else |
---|
1142 | gss_sa = iph1->sa_ret; |
---|
1143 | |
---|
1144 | if (gss_sa != iph1->sa_ret) |
---|
1145 | free_gss_sa = 1; |
---|
1146 | |
---|
1147 | /* set SA payload to reply */ |
---|
1148 | plist = isakmp_plist_append(plist, |
---|
1149 | gss_sa, ISAKMP_NPTYPE_SA); |
---|
1150 | |
---|
1151 | /* create isakmp KE payload */ |
---|
1152 | plist = isakmp_plist_append(plist, |
---|
1153 | iph1->dhpub, ISAKMP_NPTYPE_KE); |
---|
1154 | |
---|
1155 | /* create isakmp NONCE payload */ |
---|
1156 | plist = isakmp_plist_append(plist, |
---|
1157 | iph1->nonce, ISAKMP_NPTYPE_NONCE); |
---|
1158 | |
---|
1159 | /* create isakmp ID payload */ |
---|
1160 | plist = isakmp_plist_append(plist, |
---|
1161 | iph1->id, ISAKMP_NPTYPE_ID); |
---|
1162 | |
---|
1163 | /* create GSS payload */ |
---|
1164 | if (gssapi_get_token_to_send(iph1, &gsstoken) < 0) { |
---|
1165 | plog(LLV_ERROR, LOCATION, NULL, |
---|
1166 | "Failed to get gssapi token.\n"); |
---|
1167 | goto end; |
---|
1168 | } |
---|
1169 | plist = isakmp_plist_append(plist, |
---|
1170 | gsstoken, ISAKMP_NPTYPE_GSS); |
---|
1171 | |
---|
1172 | /* create isakmp HASH payload */ |
---|
1173 | plist = isakmp_plist_append(plist, |
---|
1174 | gsshash, ISAKMP_NPTYPE_HASH); |
---|
1175 | |
---|
1176 | /* append vendor id, if needed */ |
---|
1177 | break; |
---|
1178 | #endif |
---|
1179 | } |
---|
1180 | |
---|
1181 | #ifdef ENABLE_HYBRID |
---|
1182 | if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) { |
---|
1183 | plog (LLV_INFO, LOCATION, NULL, "Adding xauth VID payload.\n"); |
---|
1184 | if ((xauth_vid = set_vendorid(VENDORID_XAUTH)) == NULL) { |
---|
1185 | plog(LLV_ERROR, LOCATION, NULL, |
---|
1186 | "Cannot create Xauth vendor ID\n"); |
---|
1187 | goto end; |
---|
1188 | } |
---|
1189 | plist = isakmp_plist_append(plist, |
---|
1190 | xauth_vid, ISAKMP_NPTYPE_VID); |
---|
1191 | } |
---|
1192 | |
---|
1193 | if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_UNITY) { |
---|
1194 | if ((unity_vid = set_vendorid(VENDORID_UNITY)) == NULL) { |
---|
1195 | plog(LLV_ERROR, LOCATION, NULL, |
---|
1196 | "Cannot create Unity vendor ID\n"); |
---|
1197 | goto end; |
---|
1198 | } |
---|
1199 | plist = isakmp_plist_append(plist, |
---|
1200 | unity_vid, ISAKMP_NPTYPE_VID); |
---|
1201 | } |
---|
1202 | #endif |
---|
1203 | |
---|
1204 | #ifdef ENABLE_NATT |
---|
1205 | /* append NAT-T payloads */ |
---|
1206 | if (vid_natt) { |
---|
1207 | /* chosen VID */ |
---|
1208 | plist = isakmp_plist_append(plist, vid_natt, ISAKMP_NPTYPE_VID); |
---|
1209 | /* NAT-D */ |
---|
1210 | plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d); |
---|
1211 | plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d); |
---|
1212 | } |
---|
1213 | #endif |
---|
1214 | |
---|
1215 | #ifdef ENABLE_FRAG |
---|
1216 | if (vid_frag) |
---|
1217 | plist = isakmp_plist_append(plist, vid_frag, ISAKMP_NPTYPE_VID); |
---|
1218 | #endif |
---|
1219 | |
---|
1220 | #ifdef ENABLE_DPD |
---|
1221 | if (vid_dpd) |
---|
1222 | plist = isakmp_plist_append(plist, vid_dpd, ISAKMP_NPTYPE_VID); |
---|
1223 | #endif |
---|
1224 | |
---|
1225 | iph1->sendbuf = isakmp_plist_set_all (&plist, iph1); |
---|
1226 | |
---|
1227 | #ifdef HAVE_PRINT_ISAKMP_C |
---|
1228 | isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 1); |
---|
1229 | #endif |
---|
1230 | |
---|
1231 | /* send the packet, add to the schedule to resend */ |
---|
1232 | if (isakmp_ph1send(iph1) == -1) |
---|
1233 | goto end; |
---|
1234 | |
---|
1235 | /* the sending message is added to the received-list. */ |
---|
1236 | if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) { |
---|
1237 | plog(LLV_ERROR , LOCATION, NULL, |
---|
1238 | "failed to add a response packet to the tree.\n"); |
---|
1239 | goto end; |
---|
1240 | } |
---|
1241 | |
---|
1242 | iph1->status = PHASE1ST_MSG1SENT; |
---|
1243 | |
---|
1244 | error = 0; |
---|
1245 | |
---|
1246 | end: |
---|
1247 | #ifdef ENABLE_HYBRID |
---|
1248 | if (xauth_vid) |
---|
1249 | vfree(xauth_vid); |
---|
1250 | if (unity_vid) |
---|
1251 | vfree(unity_vid); |
---|
1252 | #endif |
---|
1253 | #ifdef HAVE_GSSAPI |
---|
1254 | if (gsstoken) |
---|
1255 | vfree(gsstoken); |
---|
1256 | if (gsshash) |
---|
1257 | vfree(gsshash); |
---|
1258 | if (free_gss_sa) |
---|
1259 | vfree(gss_sa); |
---|
1260 | #endif |
---|
1261 | #ifdef ENABLE_DPD |
---|
1262 | if (vid_dpd) |
---|
1263 | vfree(vid_dpd); |
---|
1264 | #endif |
---|
1265 | #ifdef ENABLE_FRAG |
---|
1266 | if (vid_frag) |
---|
1267 | vfree(vid_frag); |
---|
1268 | #endif |
---|
1269 | |
---|
1270 | return error; |
---|
1271 | } |
---|
1272 | |
---|
1273 | /* |
---|
1274 | * receive from initiator |
---|
1275 | * psk: HDR, HASH_I |
---|
1276 | * gssapi: HDR, HASH_I |
---|
1277 | * sig: HDR, [ CERT, ] SIG_I |
---|
1278 | * rsa: HDR, HASH_I |
---|
1279 | * rev: HDR, HASH_I |
---|
1280 | */ |
---|
1281 | int |
---|
1282 | agg_r2recv(iph1, msg0) |
---|
1283 | struct ph1handle *iph1; |
---|
1284 | vchar_t *msg0; |
---|
1285 | { |
---|
1286 | vchar_t *msg = NULL; |
---|
1287 | vchar_t *pbuf = NULL; |
---|
1288 | struct isakmp_parse_t *pa; |
---|
1289 | int error = -1, ptype; |
---|
1290 | #ifdef ENABLE_NATT |
---|
1291 | int natd_seq = 0; |
---|
1292 | #endif |
---|
1293 | |
---|
1294 | /* validity check */ |
---|
1295 | if (iph1->status != PHASE1ST_MSG1SENT) { |
---|
1296 | plog(LLV_ERROR, LOCATION, NULL, |
---|
1297 | "status mismatched %d.\n", iph1->status); |
---|
1298 | goto end; |
---|
1299 | } |
---|
1300 | |
---|
1301 | /* decrypting if need. */ |
---|
1302 | /* XXX configurable ? */ |
---|
1303 | if (ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) { |
---|
1304 | msg = oakley_do_decrypt(iph1, msg0, |
---|
1305 | iph1->ivm->iv, iph1->ivm->ive); |
---|
1306 | if (msg == NULL) |
---|
1307 | goto end; |
---|
1308 | } else |
---|
1309 | msg = vdup(msg0); |
---|
1310 | |
---|
1311 | /* validate the type of next payload */ |
---|
1312 | pbuf = isakmp_parse(msg); |
---|
1313 | if (pbuf == NULL) |
---|
1314 | goto end; |
---|
1315 | |
---|
1316 | iph1->pl_hash = NULL; |
---|
1317 | |
---|
1318 | for (pa = (struct isakmp_parse_t *)pbuf->v; |
---|
1319 | pa->type != ISAKMP_NPTYPE_NONE; |
---|
1320 | pa++) { |
---|
1321 | |
---|
1322 | switch (pa->type) { |
---|
1323 | case ISAKMP_NPTYPE_HASH: |
---|
1324 | iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr; |
---|
1325 | break; |
---|
1326 | case ISAKMP_NPTYPE_VID: |
---|
1327 | handle_vendorid(iph1, pa->ptr); |
---|
1328 | break; |
---|
1329 | case ISAKMP_NPTYPE_CERT: |
---|
1330 | if (oakley_savecert(iph1, pa->ptr) < 0) |
---|
1331 | goto end; |
---|
1332 | break; |
---|
1333 | case ISAKMP_NPTYPE_SIG: |
---|
1334 | if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) |
---|
1335 | goto end; |
---|
1336 | break; |
---|
1337 | case ISAKMP_NPTYPE_N: |
---|
1338 | isakmp_log_notify(iph1, |
---|
1339 | (struct isakmp_pl_n *) pa->ptr, |
---|
1340 | "aggressive exchange"); |
---|
1341 | break; |
---|
1342 | |
---|
1343 | #ifdef ENABLE_NATT |
---|
1344 | case ISAKMP_NPTYPE_NATD_DRAFT: |
---|
1345 | case ISAKMP_NPTYPE_NATD_RFC: |
---|
1346 | if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL && |
---|
1347 | pa->type == iph1->natt_options->payload_nat_d) |
---|
1348 | { |
---|
1349 | vchar_t *natd_received = NULL; |
---|
1350 | int natd_verified; |
---|
1351 | |
---|
1352 | if (isakmp_p2ph (&natd_received, pa->ptr) < 0) |
---|
1353 | goto end; |
---|
1354 | |
---|
1355 | if (natd_seq == 0) |
---|
1356 | iph1->natt_flags |= NAT_DETECTED; |
---|
1357 | |
---|
1358 | natd_verified = natt_compare_addr_hash (iph1, |
---|
1359 | natd_received, natd_seq++); |
---|
1360 | |
---|
1361 | plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n", |
---|
1362 | natd_seq - 1, |
---|
1363 | natd_verified ? "verified" : "doesn't match"); |
---|
1364 | |
---|
1365 | vfree (natd_received); |
---|
1366 | break; |
---|
1367 | } |
---|
1368 | /* passthrough to default... */ |
---|
1369 | #endif |
---|
1370 | |
---|
1371 | default: |
---|
1372 | /* don't send information, see isakmp_ident_r1() */ |
---|
1373 | plog(LLV_ERROR, LOCATION, iph1->remote, |
---|
1374 | "ignore the packet, " |
---|
1375 | "received unexpecting payload type %d.\n", |
---|
1376 | pa->type); |
---|
1377 | goto end; |
---|
1378 | } |
---|
1379 | } |
---|
1380 | |
---|
1381 | #ifdef ENABLE_NATT |
---|
1382 | if (NATT_AVAILABLE(iph1)) |
---|
1383 | plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n", |
---|
1384 | iph1->natt_flags & NAT_DETECTED ? |
---|
1385 | "detected:" : "not detected", |
---|
1386 | iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "", |
---|
1387 | iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : ""); |
---|
1388 | #endif |
---|
1389 | |
---|
1390 | /* validate authentication value */ |
---|
1391 | ptype = oakley_validate_auth(iph1); |
---|
1392 | if (ptype != 0) { |
---|
1393 | if (ptype == -1) { |
---|
1394 | /* message printed inner oakley_validate_auth() */ |
---|
1395 | goto end; |
---|
1396 | } |
---|
1397 | evt_phase1(iph1, EVT_PHASE1_AUTH_FAILED, NULL); |
---|
1398 | isakmp_info_send_n1(iph1, ptype, NULL); |
---|
1399 | goto end; |
---|
1400 | } |
---|
1401 | |
---|
1402 | iph1->status = PHASE1ST_MSG2RECEIVED; |
---|
1403 | |
---|
1404 | error = 0; |
---|
1405 | |
---|
1406 | end: |
---|
1407 | if (pbuf) |
---|
1408 | vfree(pbuf); |
---|
1409 | if (msg) |
---|
1410 | vfree(msg); |
---|
1411 | if (error) { |
---|
1412 | VPTRINIT(iph1->cert_p); |
---|
1413 | VPTRINIT(iph1->crl_p); |
---|
1414 | VPTRINIT(iph1->sig_p); |
---|
1415 | } |
---|
1416 | |
---|
1417 | return error; |
---|
1418 | } |
---|
1419 | |
---|
1420 | /* |
---|
1421 | * status update and establish isakmp sa. |
---|
1422 | */ |
---|
1423 | int |
---|
1424 | agg_r2send(iph1, msg) |
---|
1425 | struct ph1handle *iph1; |
---|
1426 | vchar_t *msg; |
---|
1427 | { |
---|
1428 | int error = -1; |
---|
1429 | |
---|
1430 | /* validity check */ |
---|
1431 | if (iph1->status != PHASE1ST_MSG2RECEIVED) { |
---|
1432 | plog(LLV_ERROR, LOCATION, NULL, |
---|
1433 | "status mismatched %d.\n", iph1->status); |
---|
1434 | goto end; |
---|
1435 | } |
---|
1436 | |
---|
1437 | /* IV synchronized when packet encrypted. */ |
---|
1438 | /* see handler.h about IV synchronization. */ |
---|
1439 | if (ISSET(((struct isakmp *)msg->v)->flags, ISAKMP_FLAG_E)) |
---|
1440 | memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->iv->l); |
---|
1441 | |
---|
1442 | /* set encryption flag */ |
---|
1443 | iph1->flags |= ISAKMP_FLAG_E; |
---|
1444 | |
---|
1445 | iph1->status = PHASE1ST_ESTABLISHED; |
---|
1446 | |
---|
1447 | error = 0; |
---|
1448 | |
---|
1449 | end: |
---|
1450 | return error; |
---|
1451 | } |
---|