1 /* $NetBSD: oakley.c,v 1.28 2021/12/05 08:19:57 msaitoh Exp $ */
2
3 /* Id: oakley.c,v 1.32 2006/05/26 12:19:46 manubsd Exp */
4
5 /*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "config.h"
35
36 #include <sys/types.h>
37 #include <sys/param.h>
38 #include <sys/socket.h> /* XXX for subjectaltname */
39 #include <netinet/in.h> /* XXX for subjectaltname */
40
41 #include <openssl/pkcs7.h>
42 #include <openssl/x509.h>
43
44 #include <stdlib.h>
45 #include <stdio.h>
46 #include <string.h>
47 #include <errno.h>
48
49 #if TIME_WITH_SYS_TIME
50 # include <sys/time.h>
51 # include <time.h>
52 #else
53 # if HAVE_SYS_TIME_H
54 # include <sys/time.h>
55 # else
56 # include <time.h>
57 # endif
58 #endif
59 #ifdef ENABLE_HYBRID
60 #include <resolv.h>
61 #endif
62
63 #include "var.h"
64 #include "misc.h"
65 #include "vmbuf.h"
66 #include "str2val.h"
67 #include "plog.h"
68 #include "debug.h"
69
70 #include "isakmp_var.h"
71 #include "isakmp.h"
72 #ifdef ENABLE_HYBRID
73 #include "isakmp_xauth.h"
74 #include "isakmp_cfg.h"
75 #endif
76 #include "oakley.h"
77 #include "admin.h"
78 #include "privsep.h"
79 #include "localconf.h"
80 #include "remoteconf.h"
81 #include "policy.h"
82 #include "handler.h"
83 #include "ipsec_doi.h"
84 #include "algorithm.h"
85 #include "dhgroup.h"
86 #include "sainfo.h"
87 #include "proposal.h"
88 #include "crypto_openssl.h"
89 #include "dnssec.h"
90 #include "sockmisc.h"
91 #include "strnames.h"
92 #include "gcmalloc.h"
93 #include "rsalist.h"
94
95 #ifdef HAVE_GSSAPI
96 #include "gssapi.h"
97 #endif
98
99 #define OUTBOUND_SA 0
100 #define INBOUND_SA 1
101
102 #define INITDHVAL(a, s, d, t) \
103 do { \
104 vchar_t buf; \
105 buf.v = str2val((s), 16, &buf.l); \
106 memset(&a, 0, sizeof(struct dhgroup)); \
107 a.type = (t); \
108 a.prime = vdup(&buf); \
109 a.gen1 = 2; \
110 a.gen2 = 0; \
111 racoon_free(buf.v); \
112 } while(0);
113
114 struct dhgroup dh_modp768;
115 struct dhgroup dh_modp1024;
116 struct dhgroup dh_modp1536;
117 struct dhgroup dh_modp2048;
118 struct dhgroup dh_modp3072;
119 struct dhgroup dh_modp4096;
120 struct dhgroup dh_modp6144;
121 struct dhgroup dh_modp8192;
122
123
124 static int oakley_check_dh_pub __P((vchar_t *, vchar_t **));
125 static int oakley_compute_keymat_x __P((struct ph2handle *, int, int));
126 static int oakley_check_certid __P((struct ph1handle *iph1));
127 static int check_typeofcertname __P((int, int));
128 static int oakley_padlen __P((int, int));
129 static int get_plainrsa_fromlocal __P((struct ph1handle *, int));
130
oakley_get_certtype(cert)131 int oakley_get_certtype(cert)
132 vchar_t *cert;
133 {
134 if (cert == NULL)
135 return ISAKMP_CERT_NONE;
136
137 return cert->v[0];
138 }
139
140 static vchar_t *
dump_isakmp_payload(struct isakmp_gen * gen)141 dump_isakmp_payload(struct isakmp_gen *gen)
142 {
143 vchar_t p;
144
145 if (ntohs(gen->len) <= sizeof(*gen)) {
146 plog(LLV_ERROR, LOCATION, NULL,
147 "Len is too small !!.\n");
148 return NULL;
149 }
150
151 p.v = (caddr_t) (gen + 1);
152 p.l = ntohs(gen->len) - sizeof(*gen);
153
154 return vdup(&p);
155 }
156
157 static vchar_t *
dump_x509(X509 * cert)158 dump_x509(X509 *cert)
159 {
160 vchar_t *pl;
161 u_char *bp;
162 int len;
163
164 len = i2d_X509(cert, NULL);
165
166 pl = vmalloc(len + 1);
167 if (pl == NULL) {
168 plog(LLV_ERROR, LOCATION, NULL,
169 "Failed to copy CERT from packet.\n");
170 return NULL;
171 }
172
173 pl->v[0] = ISAKMP_CERT_X509SIGN;
174 bp = (u_char *) &pl->v[1];
175 i2d_X509(cert, &bp);
176
177 return pl;
178 }
179
180
181
182 int
oakley_get_defaultlifetime()183 oakley_get_defaultlifetime()
184 {
185 return OAKLEY_ATTR_SA_LD_SEC_DEFAULT;
186 }
187
188 int
oakley_dhinit()189 oakley_dhinit()
190 {
191 /* set DH MODP */
192 INITDHVAL(dh_modp768, OAKLEY_PRIME_MODP768,
193 OAKLEY_ATTR_GRP_DESC_MODP768, OAKLEY_ATTR_GRP_TYPE_MODP);
194 INITDHVAL(dh_modp1024, OAKLEY_PRIME_MODP1024,
195 OAKLEY_ATTR_GRP_DESC_MODP1024, OAKLEY_ATTR_GRP_TYPE_MODP);
196 INITDHVAL(dh_modp1536, OAKLEY_PRIME_MODP1536,
197 OAKLEY_ATTR_GRP_DESC_MODP1536, OAKLEY_ATTR_GRP_TYPE_MODP);
198 INITDHVAL(dh_modp2048, OAKLEY_PRIME_MODP2048,
199 OAKLEY_ATTR_GRP_DESC_MODP2048, OAKLEY_ATTR_GRP_TYPE_MODP);
200 INITDHVAL(dh_modp3072, OAKLEY_PRIME_MODP3072,
201 OAKLEY_ATTR_GRP_DESC_MODP3072, OAKLEY_ATTR_GRP_TYPE_MODP);
202 INITDHVAL(dh_modp4096, OAKLEY_PRIME_MODP4096,
203 OAKLEY_ATTR_GRP_DESC_MODP4096, OAKLEY_ATTR_GRP_TYPE_MODP);
204 INITDHVAL(dh_modp6144, OAKLEY_PRIME_MODP6144,
205 OAKLEY_ATTR_GRP_DESC_MODP6144, OAKLEY_ATTR_GRP_TYPE_MODP);
206 INITDHVAL(dh_modp8192, OAKLEY_PRIME_MODP8192,
207 OAKLEY_ATTR_GRP_DESC_MODP8192, OAKLEY_ATTR_GRP_TYPE_MODP);
208
209 return 0;
210 }
211
212 void
oakley_dhgrp_free(dhgrp)213 oakley_dhgrp_free(dhgrp)
214 struct dhgroup *dhgrp;
215 {
216 if (dhgrp->prime)
217 vfree(dhgrp->prime);
218 if (dhgrp->curve_a)
219 vfree(dhgrp->curve_a);
220 if (dhgrp->curve_b)
221 vfree(dhgrp->curve_b);
222 if (dhgrp->order)
223 vfree(dhgrp->order);
224 racoon_free(dhgrp);
225 }
226
227 /*
228 * RFC2409 5
229 * The length of the Diffie-Hellman public value MUST be equal to the
230 * length of the prime modulus over which the exponentiation was
231 * performed, prepending zero bits to the value if necessary.
232 */
233 static int
oakley_check_dh_pub(prime,pub0)234 oakley_check_dh_pub(prime, pub0)
235 vchar_t *prime, **pub0;
236 {
237 vchar_t *tmp;
238 vchar_t *pub = *pub0;
239
240 if (prime->l == pub->l)
241 return 0;
242
243 if (prime->l < pub->l) {
244 /* what should i do ? */
245 plog(LLV_ERROR, LOCATION, NULL,
246 "invalid public information was generated.\n");
247 return -1;
248 }
249
250 /* prime->l > pub->l */
251 tmp = vmalloc(prime->l);
252 if (tmp == NULL) {
253 plog(LLV_ERROR, LOCATION, NULL,
254 "failed to get DH buffer.\n");
255 return -1;
256 }
257 memcpy(tmp->v + prime->l - pub->l, pub->v, pub->l);
258
259 vfree(*pub0);
260 *pub0 = tmp;
261
262 return 0;
263 }
264
265 /*
266 * compute sharing secret of DH
267 * IN: *dh, *pub, *priv, *pub_p
268 * OUT: **gxy
269 */
270 int
oakley_dh_compute(dh,pub,priv,pub_p,gxy)271 oakley_dh_compute(dh, pub, priv, pub_p, gxy)
272 const struct dhgroup *dh;
273 vchar_t *pub, *priv, *pub_p, **gxy;
274 {
275 #ifdef ENABLE_STATS
276 struct timeval start, end;
277 #endif
278 if ((*gxy = vmalloc(dh->prime->l)) == NULL) {
279 plog(LLV_ERROR, LOCATION, NULL,
280 "failed to get DH buffer.\n");
281 return -1;
282 }
283
284 #ifdef ENABLE_STATS
285 gettimeofday(&start, NULL);
286 #endif
287 switch (dh->type) {
288 case OAKLEY_ATTR_GRP_TYPE_MODP:
289 if (eay_dh_compute(dh->prime, dh->gen1, pub, priv, pub_p, gxy) < 0) {
290 plog(LLV_ERROR, LOCATION, NULL,
291 "failed to compute dh value.\n");
292 return -1;
293 }
294 break;
295 case OAKLEY_ATTR_GRP_TYPE_ECP:
296 case OAKLEY_ATTR_GRP_TYPE_EC2N:
297 plog(LLV_ERROR, LOCATION, NULL,
298 "dh type %d isn't supported.\n", dh->type);
299 return -1;
300 default:
301 plog(LLV_ERROR, LOCATION, NULL,
302 "invalid dh type %d.\n", dh->type);
303 return -1;
304 }
305
306 #ifdef ENABLE_STATS
307 gettimeofday(&end, NULL);
308 syslog(LOG_NOTICE, "%s(%s%zu): %8.6f", __func__,
309 s_attr_isakmp_group(dh->type), dh->prime->l << 3,
310 timedelta(&start, &end));
311 #endif
312
313 plog(LLV_DEBUG, LOCATION, NULL, "compute DH's shared.\n");
314 plogdump(LLV_DEBUG, (*gxy)->v, (*gxy)->l);
315
316 return 0;
317 }
318
319 /*
320 * generate values of DH
321 * IN: *dh
322 * OUT: **pub, **priv
323 */
324 int
oakley_dh_generate(dh,pub,priv)325 oakley_dh_generate(dh, pub, priv)
326 const struct dhgroup *dh;
327 vchar_t **pub, **priv;
328 {
329 #ifdef ENABLE_STATS
330 struct timeval start, end;
331 gettimeofday(&start, NULL);
332 #endif
333 switch (dh->type) {
334 case OAKLEY_ATTR_GRP_TYPE_MODP:
335 if (eay_dh_generate(dh->prime, dh->gen1, dh->gen2, pub, priv) < 0) {
336 plog(LLV_ERROR, LOCATION, NULL,
337 "failed to compute dh value.\n");
338 return -1;
339 }
340 break;
341
342 case OAKLEY_ATTR_GRP_TYPE_ECP:
343 case OAKLEY_ATTR_GRP_TYPE_EC2N:
344 plog(LLV_ERROR, LOCATION, NULL,
345 "dh type %d isn't supported.\n", dh->type);
346 return -1;
347 default:
348 plog(LLV_ERROR, LOCATION, NULL,
349 "invalid dh type %d.\n", dh->type);
350 return -1;
351 }
352
353 #ifdef ENABLE_STATS
354 gettimeofday(&end, NULL);
355 syslog(LOG_NOTICE, "%s(%s%zu): %8.6f", __func__,
356 s_attr_isakmp_group(dh->type), dh->prime->l << 3,
357 timedelta(&start, &end));
358 #endif
359
360 if (oakley_check_dh_pub(dh->prime, pub) != 0)
361 return -1;
362
363 plog(LLV_DEBUG, LOCATION, NULL, "compute DH's private.\n");
364 plogdump(LLV_DEBUG, (*priv)->v, (*priv)->l);
365 plog(LLV_DEBUG, LOCATION, NULL, "compute DH's public.\n");
366 plogdump(LLV_DEBUG, (*pub)->v, (*pub)->l);
367
368 return 0;
369 }
370
371 /*
372 * copy pre-defined dhgroup values.
373 */
374 int
oakley_setdhgroup(group,dhgrp)375 oakley_setdhgroup(group, dhgrp)
376 int group;
377 struct dhgroup **dhgrp;
378 {
379 struct dhgroup *g;
380
381 *dhgrp = NULL; /* just make sure, initialize */
382
383 g = alg_oakley_dhdef_group(group);
384 if (g == NULL) {
385 plog(LLV_ERROR, LOCATION, NULL,
386 "invalid DH parameter grp=%d.\n", group);
387 return -1;
388 }
389
390 if (!g->type || !g->prime || !g->gen1) {
391 /* unsuported */
392 plog(LLV_ERROR, LOCATION, NULL,
393 "unsupported DH parameters grp=%d.\n", group);
394 return -1;
395 }
396
397 *dhgrp = racoon_calloc(1, sizeof(struct dhgroup));
398 if (*dhgrp == NULL) {
399 plog(LLV_ERROR, LOCATION, NULL,
400 "failed to get DH buffer.\n");
401 return 0;
402 }
403
404 /* set defined dh values */
405 memcpy(*dhgrp, g, sizeof(*g));
406 (*dhgrp)->prime = vdup(g->prime);
407
408 return 0;
409 }
410
411 /*
412 * PRF
413 *
414 * NOTE: we do not support prf with different input/output bitwidth,
415 * so we do not implement RFC2409 Appendix B (DOORAK-MAC example) in
416 * oakley_compute_keymat(). If you add support for such prf function,
417 * modify oakley_compute_keymat() accordingly.
418 */
419 vchar_t *
oakley_prf(key,buf,iph1)420 oakley_prf(key, buf, iph1)
421 vchar_t *key, *buf;
422 struct ph1handle *iph1;
423 {
424 vchar_t *res = NULL;
425 int type;
426
427 if (iph1->approval == NULL) {
428 /*
429 * it's before negotiating hash algorithm.
430 * We use md5 as default.
431 */
432 type = OAKLEY_ATTR_HASH_ALG_MD5;
433 } else
434 type = iph1->approval->hashtype;
435
436 res = alg_oakley_hmacdef_one(type, key, buf);
437 if (res == NULL) {
438 plog(LLV_ERROR, LOCATION, NULL,
439 "invalid hmac algorithm %d.\n", type);
440 return NULL;
441 }
442
443 return res;
444 }
445
446 /*
447 * hash
448 */
449 vchar_t *
oakley_hash(buf,iph1)450 oakley_hash(buf, iph1)
451 vchar_t *buf;
452 struct ph1handle *iph1;
453 {
454 vchar_t *res = NULL;
455 int type;
456
457 if (iph1->approval == NULL) {
458 /*
459 * it's before negotiating hash algorithm.
460 * We use md5 as default.
461 */
462 type = OAKLEY_ATTR_HASH_ALG_MD5;
463 } else
464 type = iph1->approval->hashtype;
465
466 res = alg_oakley_hashdef_one(type, buf);
467 if (res == NULL) {
468 plog(LLV_ERROR, LOCATION, NULL,
469 "invalid hash algorithm %d.\n", type);
470 return NULL;
471 }
472
473 return res;
474 }
475
476 /*
477 * compute KEYMAT
478 * see seciton 5.5 Phase 2 - Quick Mode in isakmp-oakley-05.
479 */
480 int
oakley_compute_keymat(iph2,side)481 oakley_compute_keymat(iph2, side)
482 struct ph2handle *iph2;
483 int side;
484 {
485 int error = -1;
486
487 /* compute sharing secret of DH when PFS */
488 if (iph2->approval->pfs_group && iph2->dhpub_p) {
489 if (oakley_dh_compute(iph2->pfsgrp, iph2->dhpub,
490 iph2->dhpriv, iph2->dhpub_p, &iph2->dhgxy) < 0)
491 goto end;
492 }
493
494 /* compute keymat */
495 if (oakley_compute_keymat_x(iph2, side, INBOUND_SA) < 0
496 || oakley_compute_keymat_x(iph2, side, OUTBOUND_SA) < 0)
497 goto end;
498
499 plog(LLV_DEBUG, LOCATION, NULL, "KEYMAT computed.\n");
500
501 error = 0;
502
503 end:
504 return error;
505 }
506
507 /*
508 * compute KEYMAT.
509 * KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b).
510 * If PFS is desired and KE payloads were exchanged,
511 * KEYMAT = prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)
512 *
513 * NOTE: we do not support prf with different input/output bitwidth,
514 * so we do not implement RFC2409 Appendix B (DOORAK-MAC example).
515 */
516 static int
oakley_compute_keymat_x(iph2,side,sa_dir)517 oakley_compute_keymat_x(iph2, side, sa_dir)
518 struct ph2handle *iph2;
519 int side;
520 int sa_dir;
521 {
522 vchar_t *buf = NULL, *res = NULL, *bp;
523 char *p;
524 int len;
525 int error = -1;
526 int pfs = 0;
527 int dupkeymat; /* generate K[1-dupkeymat] */
528 struct saproto *pr;
529 struct satrns *tr;
530 int encklen, authklen, l;
531
532 pfs = ((iph2->approval->pfs_group && iph2->dhgxy) ? 1 : 0);
533
534 len = pfs ? iph2->dhgxy->l : 0;
535 len += (1
536 + sizeof(u_int32_t) /* XXX SPI size */
537 + iph2->nonce->l
538 + iph2->nonce_p->l);
539 buf = vmalloc(len);
540 if (buf == NULL) {
541 plog(LLV_ERROR, LOCATION, NULL,
542 "failed to get keymat buffer.\n");
543 goto end;
544 }
545
546 for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
547 p = buf->v;
548
549 /* if PFS */
550 if (pfs) {
551 memcpy(p, iph2->dhgxy->v, iph2->dhgxy->l);
552 p += iph2->dhgxy->l;
553 }
554
555 p[0] = pr->proto_id;
556 p += 1;
557
558 memcpy(p, (sa_dir == INBOUND_SA ? &pr->spi : &pr->spi_p),
559 sizeof(pr->spi));
560 p += sizeof(pr->spi);
561
562 bp = (side == INITIATOR ? iph2->nonce : iph2->nonce_p);
563 memcpy(p, bp->v, bp->l);
564 p += bp->l;
565
566 bp = (side == INITIATOR ? iph2->nonce_p : iph2->nonce);
567 memcpy(p, bp->v, bp->l);
568 p += bp->l;
569
570 /* compute IV */
571 plog(LLV_DEBUG, LOCATION, NULL, "KEYMAT compute with\n");
572 plogdump(LLV_DEBUG, buf->v, buf->l);
573
574 /* res = K1 */
575 res = oakley_prf(iph2->ph1->skeyid_d, buf, iph2->ph1);
576 if (res == NULL)
577 goto end;
578
579 /* compute key length needed */
580 encklen = authklen = 0;
581 switch (pr->proto_id) {
582 case IPSECDOI_PROTO_IPSEC_ESP:
583 for (tr = pr->head; tr; tr = tr->next) {
584 l = alg_ipsec_encdef_keylen(tr->trns_id,
585 tr->encklen);
586 if (l > encklen)
587 encklen = l;
588
589 l = alg_ipsec_hmacdef_hashlen(tr->authtype);
590 if (l > authklen)
591 authklen = l;
592 }
593 break;
594 case IPSECDOI_PROTO_IPSEC_AH:
595 for (tr = pr->head; tr; tr = tr->next) {
596 l = alg_ipsec_hmacdef_hashlen(tr->trns_id);
597 if (l > authklen)
598 authklen = l;
599 }
600 break;
601 default:
602 break;
603 }
604 plog(LLV_DEBUG, LOCATION, NULL, "encklen=%d authklen=%d\n",
605 encklen, authklen);
606
607 dupkeymat = (encklen + authklen) / 8 / res->l;
608 dupkeymat += 2; /* safety mergin */
609 if (dupkeymat < 3)
610 dupkeymat = 3;
611 plog(LLV_DEBUG, LOCATION, NULL,
612 "generating %zu bits of key (dupkeymat=%d)\n",
613 dupkeymat * 8 * res->l, dupkeymat);
614 if (0 < --dupkeymat) {
615 vchar_t *prev = res; /* K(n-1) */
616 vchar_t *seed = NULL; /* seed for Kn */
617 size_t l;
618
619 /*
620 * generating long key (isakmp-oakley-08 5.5)
621 * KEYMAT = K1 | K2 | K3 | ...
622 * where
623 * src = [ g(qm)^xy | ] protocol | SPI | Ni_b | Nr_b
624 * K1 = prf(SKEYID_d, src)
625 * K2 = prf(SKEYID_d, K1 | src)
626 * K3 = prf(SKEYID_d, K2 | src)
627 * Kn = prf(SKEYID_d, K(n-1) | src)
628 */
629 plog(LLV_DEBUG, LOCATION, NULL,
630 "generating K1...K%d for KEYMAT.\n",
631 dupkeymat + 1);
632
633 seed = vmalloc(prev->l + buf->l);
634 if (seed == NULL) {
635 plog(LLV_ERROR, LOCATION, NULL,
636 "failed to get keymat buffer.\n");
637 if (prev && prev != res)
638 vfree(prev);
639 goto end;
640 }
641
642 while (dupkeymat--) {
643 vchar_t *this = NULL; /* Kn */
644 int update_prev;
645
646 memcpy(seed->v, prev->v, prev->l);
647 memcpy(seed->v + prev->l, buf->v, buf->l);
648 this = oakley_prf(iph2->ph1->skeyid_d, seed,
649 iph2->ph1);
650 if (!this) {
651 plog(LLV_ERROR, LOCATION, NULL,
652 "oakley_prf memory overflow\n");
653 if (prev && prev != res)
654 vfree(prev);
655 vfree(this);
656 vfree(seed);
657 goto end;
658 }
659
660 update_prev = (prev && prev == res) ? 1 : 0;
661
662 l = res->l;
663 res = vrealloc(res, l + this->l);
664
665 if (update_prev)
666 prev = res;
667
668 if (res == NULL) {
669 plog(LLV_ERROR, LOCATION, NULL,
670 "failed to get keymat buffer.\n");
671 if (prev && prev != res)
672 vfree(prev);
673 vfree(this);
674 vfree(seed);
675 goto end;
676 }
677 memcpy(res->v + l, this->v, this->l);
678
679 if (prev && prev != res)
680 vfree(prev);
681 prev = this;
682 this = NULL;
683 }
684
685 if (prev && prev != res)
686 vfree(prev);
687 vfree(seed);
688 }
689
690 plogdump(LLV_DEBUG, res->v, res->l);
691
692 if (sa_dir == INBOUND_SA)
693 pr->keymat = res;
694 else
695 pr->keymat_p = res;
696 res = NULL;
697 }
698
699 error = 0;
700
701 end:
702 if (error) {
703 for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
704 if (pr->keymat) {
705 vfree(pr->keymat);
706 pr->keymat = NULL;
707 }
708 if (pr->keymat_p) {
709 vfree(pr->keymat_p);
710 pr->keymat_p = NULL;
711 }
712 }
713 }
714
715 if (buf != NULL)
716 vfree(buf);
717 if (res)
718 vfree(res);
719
720 return error;
721 }
722
723 #if notyet
724 /*
725 * NOTE: Must terminate by NULL.
726 */
727 vchar_t *
oakley_compute_hashx(struct ph1handle * iph1,...)728 oakley_compute_hashx(struct ph1handle *iph1, ...)
729 {
730 vchar_t *buf, *res;
731 vchar_t *s;
732 caddr_t p;
733 int len;
734
735 va_list ap;
736
737 /* get buffer length */
738 va_start(ap, iph1);
739 len = 0;
740 while ((s = va_arg(ap, vchar_t *)) != NULL) {
741 len += s->l
742 }
743 va_end(ap);
744
745 buf = vmalloc(len);
746 if (buf == NULL) {
747 plog(LLV_ERROR, LOCATION, NULL,
748 "failed to get hash buffer\n");
749 return NULL;
750 }
751
752 /* set buffer */
753 va_start(ap, iph1);
754 p = buf->v;
755 while ((s = va_arg(ap, char *)) != NULL) {
756 memcpy(p, s->v, s->l);
757 p += s->l;
758 }
759 va_end(ap);
760
761 plog(LLV_DEBUG, LOCATION, NULL, "HASH with: \n");
762 plogdump(LLV_DEBUG, buf->v, buf->l);
763
764 /* compute HASH */
765 res = oakley_prf(iph1->skeyid_a, buf, iph1);
766 vfree(buf);
767 if (res == NULL)
768 return NULL;
769
770 plog(LLV_DEBUG, LOCATION, NULL, "HASH computed:\n");
771 plogdump(LLV_DEBUG, res->v, res->l);
772
773 return res;
774 }
775 #endif
776
777 /*
778 * compute HASH(3) prf(SKEYID_a, 0 | M-ID | Ni_b | Nr_b)
779 * see seciton 5.5 Phase 2 - Quick Mode in isakmp-oakley-05.
780 */
781 vchar_t *
oakley_compute_hash3(iph1,msgid,body)782 oakley_compute_hash3(iph1, msgid, body)
783 struct ph1handle *iph1;
784 u_int32_t msgid;
785 vchar_t *body;
786 {
787 vchar_t *buf = 0, *res = 0;
788 int len;
789
790 /* create buffer */
791 len = 1 + sizeof(u_int32_t) + body->l;
792 buf = vmalloc(len);
793 if (buf == NULL) {
794 plog(LLV_DEBUG, LOCATION, NULL,
795 "failed to get hash buffer\n");
796 goto end;
797 }
798
799 buf->v[0] = 0;
800
801 memcpy(buf->v + 1, (char *)&msgid, sizeof(msgid));
802
803 memcpy(buf->v + 1 + sizeof(u_int32_t), body->v, body->l);
804
805 plog(LLV_DEBUG, LOCATION, NULL, "HASH with: \n");
806 plogdump(LLV_DEBUG, buf->v, buf->l);
807
808 /* compute HASH */
809 res = oakley_prf(iph1->skeyid_a, buf, iph1);
810 if (res == NULL)
811 goto end;
812
813 plog(LLV_DEBUG, LOCATION, NULL, "HASH computed:\n");
814 plogdump(LLV_DEBUG, res->v, res->l);
815
816 end:
817 if (buf != NULL)
818 vfree(buf);
819 return res;
820 }
821
822 /*
823 * compute HASH type of prf(SKEYID_a, M-ID | buffer)
824 * e.g.
825 * for quick mode HASH(1):
826 * prf(SKEYID_a, M-ID | SA | Ni [ | KE ] [ | IDci | IDcr ])
827 * for quick mode HASH(2):
828 * prf(SKEYID_a, M-ID | Ni_b | SA | Nr [ | KE ] [ | IDci | IDcr ])
829 * for Informational exchange:
830 * prf(SKEYID_a, M-ID | N/D)
831 */
832 vchar_t *
oakley_compute_hash1(iph1,msgid,body)833 oakley_compute_hash1(iph1, msgid, body)
834 struct ph1handle *iph1;
835 u_int32_t msgid;
836 vchar_t *body;
837 {
838 vchar_t *buf = NULL, *res = NULL;
839 char *p;
840 int len;
841
842 /* create buffer */
843 len = sizeof(u_int32_t) + body->l;
844 buf = vmalloc(len);
845 if (buf == NULL) {
846 plog(LLV_DEBUG, LOCATION, NULL,
847 "failed to get hash buffer\n");
848 goto end;
849 }
850
851 p = buf->v;
852
853 memcpy(buf->v, (char *)&msgid, sizeof(msgid));
854 p += sizeof(u_int32_t);
855
856 memcpy(p, body->v, body->l);
857
858 plog(LLV_DEBUG, LOCATION, NULL, "HASH with:\n");
859 plogdump(LLV_DEBUG, buf->v, buf->l);
860
861 /* compute HASH */
862 res = oakley_prf(iph1->skeyid_a, buf, iph1);
863 if (res == NULL)
864 goto end;
865
866 plog(LLV_DEBUG, LOCATION, NULL, "HASH computed:\n");
867 plogdump(LLV_DEBUG, res->v, res->l);
868
869 end:
870 if (buf != NULL)
871 vfree(buf);
872 return res;
873 }
874
875 /*
876 * compute phase1 HASH
877 * main/aggressive
878 * I-digest = prf(SKEYID, g^i | g^r | CKY-I | CKY-R | SAi_b | ID_i1_b)
879 * R-digest = prf(SKEYID, g^r | g^i | CKY-R | CKY-I | SAi_b | ID_r1_b)
880 * for gssapi, also include all GSS tokens, and call gss_wrap on the result
881 */
882 vchar_t *
oakley_ph1hash_common(iph1,sw)883 oakley_ph1hash_common(iph1, sw)
884 struct ph1handle *iph1;
885 int sw;
886 {
887 vchar_t *buf = NULL, *res = NULL, *bp;
888 char *p, *bp2;
889 int len, bl;
890 #ifdef HAVE_GSSAPI
891 vchar_t *gsstokens = NULL;
892 #endif
893
894 /* create buffer */
895 len = iph1->dhpub->l
896 + iph1->dhpub_p->l
897 + sizeof(cookie_t) * 2
898 + iph1->sa->l
899 + (sw == GENERATE ? iph1->id->l : iph1->id_p->l);
900
901 #ifdef HAVE_GSSAPI
902 if (iph1->approval->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) {
903 if (iph1->gi_i != NULL && iph1->gi_r != NULL) {
904 bp = (sw == GENERATE ? iph1->gi_i : iph1->gi_r);
905 len += bp->l;
906 }
907 if (sw == GENERATE)
908 gssapi_get_itokens(iph1, &gsstokens);
909 else
910 gssapi_get_rtokens(iph1, &gsstokens);
911 if (gsstokens == NULL)
912 return NULL;
913 len += gsstokens->l;
914 }
915 #endif
916
917 buf = vmalloc(len);
918 if (buf == NULL) {
919 plog(LLV_ERROR, LOCATION, NULL,
920 "failed to get hash buffer\n");
921 goto end;
922 }
923
924 p = buf->v;
925
926 bp = (sw == GENERATE ? iph1->dhpub : iph1->dhpub_p);
927 memcpy(p, bp->v, bp->l);
928 p += bp->l;
929
930 bp = (sw == GENERATE ? iph1->dhpub_p : iph1->dhpub);
931 memcpy(p, bp->v, bp->l);
932 p += bp->l;
933
934 if (iph1->side == INITIATOR)
935 bp2 = (sw == GENERATE ?
936 (char *)&iph1->index.i_ck : (char *)&iph1->index.r_ck);
937 else
938 bp2 = (sw == GENERATE ?
939 (char *)&iph1->index.r_ck : (char *)&iph1->index.i_ck);
940 bl = sizeof(cookie_t);
941 memcpy(p, bp2, bl);
942 p += bl;
943
944 if (iph1->side == INITIATOR)
945 bp2 = (sw == GENERATE ?
946 (char *)&iph1->index.r_ck : (char *)&iph1->index.i_ck);
947 else
948 bp2 = (sw == GENERATE ?
949 (char *)&iph1->index.i_ck : (char *)&iph1->index.r_ck);
950 bl = sizeof(cookie_t);
951 memcpy(p, bp2, bl);
952 p += bl;
953
954 bp = iph1->sa;
955 memcpy(p, bp->v, bp->l);
956 p += bp->l;
957
958 bp = (sw == GENERATE ? iph1->id : iph1->id_p);
959 memcpy(p, bp->v, bp->l);
960 p += bp->l;
961
962 #ifdef HAVE_GSSAPI
963 if (iph1->approval->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) {
964 if (iph1->gi_i != NULL && iph1->gi_r != NULL) {
965 bp = (sw == GENERATE ? iph1->gi_i : iph1->gi_r);
966 memcpy(p, bp->v, bp->l);
967 p += bp->l;
968 }
969 memcpy(p, gsstokens->v, gsstokens->l);
970 p += gsstokens->l;
971 }
972 #endif
973
974 plog(LLV_DEBUG, LOCATION, NULL, "HASH with:\n");
975 plogdump(LLV_DEBUG, buf->v, buf->l);
976
977 /* compute HASH */
978 res = oakley_prf(iph1->skeyid, buf, iph1);
979 if (res == NULL)
980 goto end;
981
982 plog(LLV_DEBUG, LOCATION, NULL, "HASH (%s) computed:\n",
983 iph1->side == INITIATOR ? "init" : "resp");
984 plogdump(LLV_DEBUG, res->v, res->l);
985
986 end:
987 if (buf != NULL)
988 vfree(buf);
989 #ifdef HAVE_GSSAPI
990 if (gsstokens != NULL)
991 vfree(gsstokens);
992 #endif
993 return res;
994 }
995
996 /*
997 * compute HASH_I on base mode.
998 * base:psk,rsa
999 * HASH_I = prf(SKEYID, g^xi | CKY-I | CKY-R | SAi_b | IDii_b)
1000 * base:sig
1001 * HASH_I = prf(hash(Ni_b | Nr_b), g^xi | CKY-I | CKY-R | SAi_b | IDii_b)
1002 */
1003 vchar_t *
oakley_ph1hash_base_i(iph1,sw)1004 oakley_ph1hash_base_i(iph1, sw)
1005 struct ph1handle *iph1;
1006 int sw;
1007 {
1008 vchar_t *buf = NULL, *res = NULL, *bp;
1009 vchar_t *hashkey = NULL;
1010 vchar_t *hash = NULL; /* for signature mode */
1011 char *p;
1012 int len;
1013
1014 /* sanity check */
1015 if (iph1->etype != ISAKMP_ETYPE_BASE) {
1016 plog(LLV_ERROR, LOCATION, NULL,
1017 "invalid etype for this hash function\n");
1018 return NULL;
1019 }
1020
1021 switch (iph1->approval->authmethod) {
1022 case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
1023 case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
1024 case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
1025 #ifdef ENABLE_HYBRID
1026 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
1027 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
1028 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
1029 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
1030 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I:
1031 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
1032 #endif
1033 if (iph1->skeyid == NULL) {
1034 plog(LLV_ERROR, LOCATION, NULL, "no SKEYID found.\n");
1035 return NULL;
1036 }
1037 hashkey = iph1->skeyid;
1038 break;
1039
1040 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
1041 case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
1042 #ifdef HAVE_GSSAPI
1043 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
1044 #endif
1045 #ifdef ENABLE_HYBRID
1046 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
1047 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
1048 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
1049 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
1050 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
1051 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
1052 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
1053 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
1054 #endif
1055 /* make hash for seed */
1056 len = iph1->nonce->l + iph1->nonce_p->l;
1057 buf = vmalloc(len);
1058 if (buf == NULL) {
1059 plog(LLV_ERROR, LOCATION, NULL,
1060 "failed to get hash buffer\n");
1061 goto end;
1062 }
1063 p = buf->v;
1064
1065 bp = (sw == GENERATE ? iph1->nonce_p : iph1->nonce);
1066 memcpy(p, bp->v, bp->l);
1067 p += bp->l;
1068
1069 bp = (sw == GENERATE ? iph1->nonce : iph1->nonce_p);
1070 memcpy(p, bp->v, bp->l);
1071 p += bp->l;
1072
1073 hash = oakley_hash(buf, iph1);
1074 if (hash == NULL)
1075 goto end;
1076 vfree(buf);
1077 buf = NULL;
1078
1079 hashkey = hash;
1080 break;
1081
1082 default:
1083 plog(LLV_ERROR, LOCATION, NULL,
1084 "not supported authentication method %d\n",
1085 iph1->approval->authmethod);
1086 return NULL;
1087
1088 }
1089
1090 len = (sw == GENERATE ? iph1->dhpub->l : iph1->dhpub_p->l)
1091 + sizeof(cookie_t) * 2
1092 + iph1->sa->l
1093 + (sw == GENERATE ? iph1->id->l : iph1->id_p->l);
1094 buf = vmalloc(len);
1095 if (buf == NULL) {
1096 plog(LLV_ERROR, LOCATION, NULL,
1097 "failed to get hash buffer\n");
1098 goto end;
1099 }
1100 p = buf->v;
1101
1102 bp = (sw == GENERATE ? iph1->dhpub : iph1->dhpub_p);
1103 memcpy(p, bp->v, bp->l);
1104 p += bp->l;
1105
1106 memcpy(p, &iph1->index.i_ck, sizeof(cookie_t));
1107 p += sizeof(cookie_t);
1108 memcpy(p, &iph1->index.r_ck, sizeof(cookie_t));
1109 p += sizeof(cookie_t);
1110
1111 memcpy(p, iph1->sa->v, iph1->sa->l);
1112 p += iph1->sa->l;
1113
1114 bp = (sw == GENERATE ? iph1->id : iph1->id_p);
1115 memcpy(p, bp->v, bp->l);
1116 p += bp->l;
1117
1118 plog(LLV_DEBUG, LOCATION, NULL, "HASH_I with:\n");
1119 plogdump(LLV_DEBUG, buf->v, buf->l);
1120
1121 /* compute HASH */
1122 res = oakley_prf(hashkey, buf, iph1);
1123 if (res == NULL)
1124 goto end;
1125
1126 plog(LLV_DEBUG, LOCATION, NULL, "HASH_I computed:\n");
1127 plogdump(LLV_DEBUG, res->v, res->l);
1128
1129 end:
1130 if (hash != NULL)
1131 vfree(hash);
1132 if (buf != NULL)
1133 vfree(buf);
1134 return res;
1135 }
1136
1137 /*
1138 * compute HASH_R on base mode for signature method.
1139 * base:
1140 * HASH_R = prf(hash(Ni_b | Nr_b), g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)
1141 */
1142 vchar_t *
oakley_ph1hash_base_r(iph1,sw)1143 oakley_ph1hash_base_r(iph1, sw)
1144 struct ph1handle *iph1;
1145 int sw;
1146 {
1147 vchar_t *buf = NULL, *res = NULL, *bp;
1148 vchar_t *hash = NULL;
1149 char *p;
1150 int len;
1151
1152 /* sanity check */
1153 if (iph1->etype != ISAKMP_ETYPE_BASE) {
1154 plog(LLV_ERROR, LOCATION, NULL,
1155 "invalid etype for this hash function\n");
1156 return NULL;
1157 }
1158
1159 switch (iph1->approval->authmethod) {
1160 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
1161 case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
1162 #ifdef ENABLE_HYBRID
1163 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
1164 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
1165 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
1166 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
1167 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
1168 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
1169 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
1170 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
1171 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I:
1172 #endif
1173 break;
1174 default:
1175 plog(LLV_ERROR, LOCATION, NULL,
1176 "not supported authentication method %d\n",
1177 iph1->approval->authmethod);
1178 return NULL;
1179 break;
1180 }
1181
1182 /* make hash for seed */
1183 len = iph1->nonce->l + iph1->nonce_p->l;
1184 buf = vmalloc(len);
1185 if (buf == NULL) {
1186 plog(LLV_ERROR, LOCATION, NULL,
1187 "failed to get hash buffer\n");
1188 goto end;
1189 }
1190 p = buf->v;
1191
1192 bp = (sw == GENERATE ? iph1->nonce_p : iph1->nonce);
1193 memcpy(p, bp->v, bp->l);
1194 p += bp->l;
1195
1196 bp = (sw == GENERATE ? iph1->nonce : iph1->nonce_p);
1197 memcpy(p, bp->v, bp->l);
1198 p += bp->l;
1199
1200 hash = oakley_hash(buf, iph1);
1201 if (hash == NULL)
1202 goto end;
1203 vfree(buf);
1204 buf = NULL;
1205
1206 /* make really hash */
1207 len = (sw == GENERATE ? iph1->dhpub_p->l : iph1->dhpub->l)
1208 + (sw == GENERATE ? iph1->dhpub->l : iph1->dhpub_p->l)
1209 + sizeof(cookie_t) * 2
1210 + iph1->sa->l
1211 + (sw == GENERATE ? iph1->id_p->l : iph1->id->l);
1212 buf = vmalloc(len);
1213 if (buf == NULL) {
1214 plog(LLV_ERROR, LOCATION, NULL,
1215 "failed to get hash buffer\n");
1216 goto end;
1217 }
1218 p = buf->v;
1219
1220
1221 bp = (sw == GENERATE ? iph1->dhpub_p : iph1->dhpub);
1222 memcpy(p, bp->v, bp->l);
1223 p += bp->l;
1224
1225 bp = (sw == GENERATE ? iph1->dhpub : iph1->dhpub_p);
1226 memcpy(p, bp->v, bp->l);
1227 p += bp->l;
1228
1229 memcpy(p, &iph1->index.i_ck, sizeof(cookie_t));
1230 p += sizeof(cookie_t);
1231 memcpy(p, &iph1->index.r_ck, sizeof(cookie_t));
1232 p += sizeof(cookie_t);
1233
1234 memcpy(p, iph1->sa->v, iph1->sa->l);
1235 p += iph1->sa->l;
1236
1237 bp = (sw == GENERATE ? iph1->id_p : iph1->id);
1238 memcpy(p, bp->v, bp->l);
1239 p += bp->l;
1240
1241 plog(LLV_DEBUG, LOCATION, NULL, "HASH_R with:\n");
1242 plogdump(LLV_DEBUG, buf->v, buf->l);
1243
1244 /* compute HASH */
1245 res = oakley_prf(hash, buf, iph1);
1246 if (res == NULL)
1247 goto end;
1248
1249 plog(LLV_DEBUG, LOCATION, NULL, "HASH_R computed:\n");
1250 plogdump(LLV_DEBUG, res->v, res->l);
1251
1252 end:
1253 if (buf != NULL)
1254 vfree(buf);
1255 if (hash)
1256 vfree(hash);
1257 return res;
1258 }
1259
1260 /*
1261 * compute each authentication method in phase 1.
1262 * OUT:
1263 * 0: OK
1264 * -1: error
1265 * other: error to be reply with notification.
1266 * the value is notification type.
1267 */
1268 int
oakley_validate_auth(iph1)1269 oakley_validate_auth(iph1)
1270 struct ph1handle *iph1;
1271 {
1272 vchar_t *my_hash = NULL;
1273 int result;
1274 int no_verify_needed = -1;
1275 #ifdef HAVE_GSSAPI
1276 vchar_t *gsshash = NULL;
1277 #endif
1278 #ifdef ENABLE_STATS
1279 struct timeval start, end;
1280 #endif
1281
1282 #ifdef ENABLE_STATS
1283 gettimeofday(&start, NULL);
1284 #endif
1285
1286 switch (iph1->approval->authmethod) {
1287 case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
1288 #ifdef ENABLE_HYBRID
1289 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I:
1290 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
1291 #endif
1292 /* validate HASH */
1293 {
1294 char *r_hash;
1295
1296 if (iph1->id_p == NULL || iph1->pl_hash == NULL) {
1297 plog(LLV_ERROR, LOCATION, iph1->remote,
1298 "few isakmp message received.\n");
1299 return ISAKMP_NTYPE_PAYLOAD_MALFORMED;
1300 }
1301 #ifdef ENABLE_HYBRID
1302 if (iph1->approval->authmethod == OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I &&
1303 ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0))
1304 {
1305 plog(LLV_ERROR, LOCATION, NULL, "No SIG was passed, "
1306 "hybrid auth is enabled, "
1307 "but peer is no Xauth compliant\n");
1308 return ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED;
1309 break;
1310 }
1311 #endif
1312 r_hash = (caddr_t)(iph1->pl_hash + 1);
1313
1314 plog(LLV_DEBUG, LOCATION, NULL, "HASH received:\n");
1315 plogdump(LLV_DEBUG, r_hash,
1316 ntohs(iph1->pl_hash->h.len) - sizeof(*iph1->pl_hash));
1317
1318 switch (iph1->etype) {
1319 case ISAKMP_ETYPE_IDENT:
1320 case ISAKMP_ETYPE_AGG:
1321 my_hash = oakley_ph1hash_common(iph1, VALIDATE);
1322 break;
1323 case ISAKMP_ETYPE_BASE:
1324 if (iph1->side == INITIATOR)
1325 my_hash = oakley_ph1hash_common(iph1, VALIDATE);
1326 else
1327 my_hash = oakley_ph1hash_base_i(iph1, VALIDATE);
1328 break;
1329 default:
1330 plog(LLV_ERROR, LOCATION, NULL,
1331 "invalid etype %d\n", iph1->etype);
1332 return ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE;
1333 }
1334 if (my_hash == NULL)
1335 return ISAKMP_INTERNAL_ERROR;
1336
1337 result = memcmp(my_hash->v, r_hash, my_hash->l);
1338 vfree(my_hash);
1339
1340 if (result) {
1341 plog(LLV_ERROR, LOCATION, NULL, "HASH mismatched\n");
1342 return ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
1343 }
1344
1345 plog(LLV_DEBUG, LOCATION, NULL, "HASH for PSK validated.\n");
1346 }
1347 break;
1348 #ifdef ENABLE_HYBRID
1349 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
1350 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
1351 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
1352 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
1353 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
1354 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
1355 no_verify_needed = 0;
1356 #endif
1357 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
1358 case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
1359 {
1360 int error = 0;
1361 int certtype;
1362
1363 /* validation */
1364 if (iph1->id_p == NULL) {
1365 plog(LLV_ERROR, LOCATION, iph1->remote,
1366 "no ID payload was passed.\n");
1367 return ISAKMP_NTYPE_PAYLOAD_MALFORMED;
1368 }
1369 if (iph1->sig_p == NULL) {
1370 plog(LLV_ERROR, LOCATION, iph1->remote,
1371 "no SIG payload was passed.\n");
1372 return ISAKMP_NTYPE_PAYLOAD_MALFORMED;
1373 }
1374
1375 plog(LLV_DEBUG, LOCATION, NULL, "SIGN passed:\n");
1376 plogdump(LLV_DEBUG, iph1->sig_p->v, iph1->sig_p->l);
1377
1378 /* get peer's cert */
1379 certtype = oakley_get_certtype(iph1->rmconf->peerscert);
1380 switch (certtype) {
1381 case ISAKMP_CERT_NONE:
1382 /* expect to receive one from peer */
1383 if (iph1->cert_p == NULL) {
1384 plog(LLV_ERROR, LOCATION, NULL,
1385 "no peer's CERT payload found.\n");
1386 return ISAKMP_INTERNAL_ERROR;
1387 }
1388 /* verify the cert if needed */
1389 if (!iph1->rmconf->verify_cert)
1390 break;
1391
1392 switch (oakley_get_certtype(iph1->cert_p)) {
1393 case ISAKMP_CERT_X509SIGN: {
1394 char path[MAXPATHLEN];
1395 char *ca;
1396
1397 if (iph1->rmconf->cacertfile != NULL) {
1398 getpathname(path, sizeof(path),
1399 LC_PATHTYPE_CERT,
1400 iph1->rmconf->cacertfile);
1401 ca = path;
1402 } else {
1403 ca = NULL;
1404 }
1405
1406 error = eay_check_x509cert(
1407 iph1->cert_p,
1408 lcconf->pathinfo[LC_PATHTYPE_CERT],
1409 ca, 0);
1410 break;
1411 }
1412 default:
1413 plog(LLV_ERROR, LOCATION, NULL,
1414 "peers_cert certtype %d was not expected\n",
1415 certtype);
1416 return ISAKMP_INTERNAL_ERROR;
1417 }
1418
1419 if (error != 0) {
1420 plog(LLV_ERROR, LOCATION, iph1->remote,
1421 "the peer's certificate is not verified.\n");
1422 return ISAKMP_NTYPE_INVALID_CERT_AUTHORITY;
1423 }
1424 break;
1425 case ISAKMP_CERT_X509SIGN:
1426 if (iph1->rmconf->peerscert == NULL) {
1427 plog(LLV_ERROR, LOCATION, NULL,
1428 "no peer's CERT file found.\n");
1429 return ISAKMP_INTERNAL_ERROR;
1430 }
1431 /* don't use received cert */
1432 if (iph1->cert_p != NULL) {
1433 vfree(iph1->cert_p);
1434 iph1->cert_p = NULL;
1435 }
1436 /* copy from remoteconf instead */
1437 iph1->cert_p = vdup(iph1->rmconf->peerscert);
1438 break;
1439 case ISAKMP_CERT_PLAINRSA:
1440 if (get_plainrsa_fromlocal(iph1, 0))
1441 return ISAKMP_INTERNAL_ERROR;
1442 /* suppress CERT validation warning, unless hybrid mode in use */
1443 if (no_verify_needed == -1)
1444 no_verify_needed = 1;
1445 break;
1446 case ISAKMP_CERT_DNS:
1447 /* don't use received cert */
1448 if (iph1->cert_p != NULL) {
1449 vfree(iph1->cert_p);
1450 iph1->cert_p = NULL;
1451 }
1452
1453 iph1->cert_p = dnssec_getcert(iph1->id_p);
1454 if (iph1->cert_p == NULL) {
1455 plog(LLV_ERROR, LOCATION, NULL,
1456 "no CERT RR found.\n");
1457 return ISAKMP_INTERNAL_ERROR;
1458 }
1459 break;
1460 default:
1461 plog(LLV_ERROR, LOCATION, NULL,
1462 "invalid certificate type: %d\n",
1463 oakley_get_certtype(iph1->rmconf->peerscert));
1464 return ISAKMP_INTERNAL_ERROR;
1465 }
1466
1467 /* compare ID payload and certificate name */
1468 if ((error = oakley_check_certid(iph1)) != 0)
1469 return error;
1470
1471 /* Generate a warning unless verify_cert */
1472 if (iph1->rmconf->verify_cert) {
1473 plog(LLV_DEBUG, LOCATION, iph1->remote,
1474 "CERT validated\n");
1475 } else if (no_verify_needed != 1) {
1476 plog(LLV_WARNING, LOCATION, iph1->remote,
1477 "CERT validation disabled by configuration\n");
1478 }
1479
1480 /* compute hash */
1481 switch (iph1->etype) {
1482 case ISAKMP_ETYPE_IDENT:
1483 case ISAKMP_ETYPE_AGG:
1484 my_hash = oakley_ph1hash_common(iph1, VALIDATE);
1485 break;
1486 case ISAKMP_ETYPE_BASE:
1487 if (iph1->side == INITIATOR)
1488 my_hash = oakley_ph1hash_base_r(iph1, VALIDATE);
1489 else
1490 my_hash = oakley_ph1hash_base_i(iph1, VALIDATE);
1491 break;
1492 default:
1493 plog(LLV_ERROR, LOCATION, NULL,
1494 "invalid etype %d\n", iph1->etype);
1495 return ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE;
1496 }
1497 if (my_hash == NULL)
1498 return ISAKMP_INTERNAL_ERROR;
1499
1500 /* check signature */
1501 certtype = oakley_get_certtype(iph1->cert_p);
1502 if (certtype == ISAKMP_CERT_NONE)
1503 certtype = oakley_get_certtype(iph1->rmconf->peerscert);
1504 switch (certtype) {
1505 case ISAKMP_CERT_X509SIGN:
1506 case ISAKMP_CERT_DNS:
1507 error = eay_check_x509sign(my_hash,
1508 iph1->sig_p,
1509 iph1->cert_p);
1510 break;
1511 case ISAKMP_CERT_PLAINRSA:
1512 iph1->rsa_p = rsa_try_check_rsasign(my_hash,
1513 iph1->sig_p, iph1->rsa_candidates);
1514 error = iph1->rsa_p ? 0 : -1;
1515 genlist_free(iph1->rsa_candidates, NULL);
1516 iph1->rsa_candidates = NULL;
1517 break;
1518 default:
1519 plog(LLV_ERROR, LOCATION, NULL,
1520 "cannot check signature for certtype %d\n",
1521 certtype);
1522 vfree(my_hash);
1523 return ISAKMP_INTERNAL_ERROR;
1524 }
1525
1526 vfree(my_hash);
1527 if (error != 0) {
1528 plog(LLV_ERROR, LOCATION, NULL,
1529 "Invalid SIG.\n");
1530 return ISAKMP_NTYPE_INVALID_SIGNATURE;
1531 }
1532 plog(LLV_DEBUG, LOCATION, NULL, "SIG authenticated\n");
1533 }
1534 break;
1535 #ifdef ENABLE_HYBRID
1536 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
1537 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
1538 {
1539 if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) {
1540 plog(LLV_ERROR, LOCATION, NULL, "No SIG was passed, "
1541 "hybrid auth is enabled, "
1542 "but peer is no Xauth compliant\n");
1543 return ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED;
1544 break;
1545 }
1546 plog(LLV_INFO, LOCATION, NULL, "No SIG was passed, "
1547 "but hybrid auth is enabled\n");
1548
1549 return 0;
1550 break;
1551 }
1552 #endif
1553 #ifdef HAVE_GSSAPI
1554 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
1555 /* check if we're not into XAUTH_PSKEY_I instead */
1556 #ifdef ENABLE_HYBRID
1557 if (iph1->rmconf->xauth)
1558 break;
1559 #endif
1560 switch (iph1->etype) {
1561 case ISAKMP_ETYPE_IDENT:
1562 case ISAKMP_ETYPE_AGG:
1563 my_hash = oakley_ph1hash_common(iph1, VALIDATE);
1564 break;
1565 default:
1566 plog(LLV_ERROR, LOCATION, NULL,
1567 "invalid etype %d\n", iph1->etype);
1568 return ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE;
1569 }
1570
1571 if (my_hash == NULL) {
1572 if (gssapi_more_tokens(iph1))
1573 return ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE;
1574 else
1575 return ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
1576 }
1577
1578 gsshash = gssapi_unwraphash(iph1);
1579 if (gsshash == NULL) {
1580 vfree(my_hash);
1581 return ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
1582 }
1583
1584 result = memcmp(my_hash->v, gsshash->v, my_hash->l);
1585 vfree(my_hash);
1586 vfree(gsshash);
1587
1588 if (result) {
1589 plog(LLV_ERROR, LOCATION, NULL, "HASH mismatched\n");
1590 return ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
1591 }
1592 plog(LLV_DEBUG, LOCATION, NULL, "hash compared OK\n");
1593 break;
1594 #endif
1595 case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
1596 case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
1597 #ifdef ENABLE_HYBRID
1598 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
1599 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
1600 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
1601 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
1602 #endif
1603 if (iph1->id_p == NULL || iph1->pl_hash == NULL) {
1604 plog(LLV_ERROR, LOCATION, iph1->remote,
1605 "few isakmp message received.\n");
1606 return ISAKMP_NTYPE_PAYLOAD_MALFORMED;
1607 }
1608 plog(LLV_ERROR, LOCATION, iph1->remote,
1609 "not supported authmethod type %s\n",
1610 s_oakley_attr_method(iph1->approval->authmethod));
1611 return ISAKMP_INTERNAL_ERROR;
1612 default:
1613 plog(LLV_ERROR, LOCATION, iph1->remote,
1614 "invalid authmethod %d why ?\n",
1615 iph1->approval->authmethod);
1616 return ISAKMP_INTERNAL_ERROR;
1617 }
1618 #ifdef ENABLE_STATS
1619 gettimeofday(&end, NULL);
1620 syslog(LOG_NOTICE, "%s(%s): %8.6f", __func__,
1621 s_oakley_attr_method(iph1->approval->authmethod),
1622 timedelta(&start, &end));
1623 #endif
1624
1625 return 0;
1626 }
1627
1628 /* get my certificate
1629 * NOTE: include certificate type.
1630 */
1631 int
oakley_getmycert(iph1)1632 oakley_getmycert(iph1)
1633 struct ph1handle *iph1;
1634 {
1635 switch (oakley_get_certtype(iph1->rmconf->mycert)) {
1636 case ISAKMP_CERT_X509SIGN:
1637 if (iph1->cert)
1638 return 0;
1639 iph1->cert = vdup(iph1->rmconf->mycert);
1640 break;
1641 case ISAKMP_CERT_PLAINRSA:
1642 if (iph1->rsa)
1643 return 0;
1644 return get_plainrsa_fromlocal(iph1, 1);
1645 default:
1646 plog(LLV_ERROR, LOCATION, NULL,
1647 "Unknown certtype #%d\n",
1648 oakley_get_certtype(iph1->rmconf->mycert));
1649 return -1;
1650 }
1651
1652 return 0;
1653 }
1654
1655 static int
get_plainrsa_fromlocal(iph1,my)1656 get_plainrsa_fromlocal(iph1, my)
1657 struct ph1handle *iph1;
1658 int my;
1659 {
1660 int error = -1;
1661
1662 iph1->rsa_candidates = rsa_lookup_keys(iph1, my);
1663 if (!iph1->rsa_candidates ||
1664 rsa_list_count(iph1->rsa_candidates) == 0) {
1665 plog(LLV_ERROR, LOCATION, NULL,
1666 "%s RSA key not found for %s\n",
1667 my ? "Private" : "Public",
1668 saddr2str_fromto("%s <-> %s",
1669 iph1->local, iph1->remote));
1670 goto end;
1671 }
1672
1673 if (my && rsa_list_count(iph1->rsa_candidates) > 1) {
1674 plog(LLV_WARNING, LOCATION, NULL,
1675 "More than one (=%lu) private "
1676 "PlainRSA key found for %s\n",
1677 rsa_list_count(iph1->rsa_candidates),
1678 saddr2str_fromto("%s <-> %s",
1679 iph1->local, iph1->remote));
1680 plog(LLV_WARNING, LOCATION, NULL,
1681 "This may have unpredictable results, "
1682 "i.e. wrong key could be used!\n");
1683 plog(LLV_WARNING, LOCATION, NULL,
1684 "Consider using only one single private "
1685 "key for all peers...\n");
1686 }
1687 if (my) {
1688 iph1->rsa = ((struct rsa_key *)
1689 genlist_next(iph1->rsa_candidates, NULL))->rsa;
1690
1691 genlist_free(iph1->rsa_candidates, NULL);
1692 iph1->rsa_candidates = NULL;
1693
1694 if (iph1->rsa == NULL)
1695 goto end;
1696 }
1697
1698 error = 0;
1699
1700 end:
1701 return error;
1702 }
1703
1704 /* get signature */
1705 int
oakley_getsign(iph1)1706 oakley_getsign(iph1)
1707 struct ph1handle *iph1;
1708 {
1709 char path[MAXPATHLEN];
1710 vchar_t *privkey = NULL;
1711 int error = -1;
1712
1713 switch (oakley_get_certtype(iph1->rmconf->mycert)) {
1714 case ISAKMP_CERT_X509SIGN:
1715 case ISAKMP_CERT_DNS:
1716 if (iph1->rmconf->myprivfile == NULL) {
1717 plog(LLV_ERROR, LOCATION, NULL, "no cert defined.\n");
1718 goto end;
1719 }
1720
1721 /* make private file name */
1722 getpathname(path, sizeof(path),
1723 LC_PATHTYPE_CERT,
1724 iph1->rmconf->myprivfile);
1725 privkey = privsep_eay_get_pkcs1privkey(path);
1726 if (privkey == NULL) {
1727 plog(LLV_ERROR, LOCATION, NULL,
1728 "failed to get private key.\n");
1729 goto end;
1730 }
1731 plog(LLV_DEBUG2, LOCATION, NULL, "private key:\n");
1732 plogdump(LLV_DEBUG2, privkey->v, privkey->l);
1733 iph1->sig = eay_get_x509sign(iph1->hash, privkey);
1734 break;
1735 case ISAKMP_CERT_PLAINRSA:
1736 iph1->sig = eay_get_rsasign(iph1->hash, iph1->rsa);
1737 break;
1738 default:
1739 plog(LLV_ERROR, LOCATION, NULL,
1740 "Unknown certtype #%d\n",
1741 oakley_get_certtype(iph1->rmconf->mycert));
1742 goto end;
1743 }
1744
1745 if (iph1->sig == NULL) {
1746 plog(LLV_ERROR, LOCATION, NULL, "failed to sign.\n");
1747 goto end;
1748 }
1749
1750 plog(LLV_DEBUG, LOCATION, NULL, "SIGN computed:\n");
1751 plogdump(LLV_DEBUG, iph1->sig->v, iph1->sig->l);
1752
1753 error = 0;
1754
1755 end:
1756 if (privkey != NULL)
1757 vfree(privkey);
1758
1759 return error;
1760 }
1761
1762 /*
1763 * compare certificate name and ID value.
1764 */
1765 static int
oakley_check_certid(iph1)1766 oakley_check_certid(iph1)
1767 struct ph1handle *iph1;
1768 {
1769 struct ipsecdoi_id_b *id_b;
1770 vchar_t *name = NULL;
1771 char *altname = NULL;
1772 int idlen, type;
1773 int error;
1774
1775 if (iph1->rmconf == NULL || iph1->rmconf->verify_cert == FALSE)
1776 return 0;
1777
1778 if (iph1->id_p == NULL || iph1->cert_p == NULL) {
1779 plog(LLV_ERROR, LOCATION, iph1->remote, "no ID nor CERT found.\n");
1780 return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
1781 }
1782
1783 id_b = (struct ipsecdoi_id_b *)iph1->id_p->v;
1784 idlen = iph1->id_p->l - sizeof(*id_b);
1785
1786 switch (id_b->type) {
1787 case IPSECDOI_ID_DER_ASN1_DN:
1788 name = eay_get_x509asn1subjectname(iph1->cert_p);
1789 if (!name) {
1790 plog(LLV_ERROR, LOCATION, iph1->remote,
1791 "failed to get subjectName\n");
1792 return ISAKMP_NTYPE_INVALID_CERTIFICATE;
1793 }
1794 if (idlen != name->l) {
1795 plog(LLV_ERROR, LOCATION, iph1->remote,
1796 "Invalid ID length in phase 1.\n");
1797 vfree(name);
1798 return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
1799 }
1800 error = memcmp(id_b + 1, name->v, idlen);
1801 if (error != 0) {
1802 plog(LLV_ERROR, LOCATION, iph1->remote,
1803 "ID mismatched with ASN1 SubjectName.\n");
1804 plogdump(LLV_DEBUG, id_b + 1, idlen);
1805 plogdump(LLV_DEBUG, name->v, idlen);
1806 if (iph1->rmconf->verify_identifier) {
1807 vfree(name);
1808 return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
1809 }
1810 }
1811 vfree(name);
1812 return 0;
1813 case IPSECDOI_ID_IPV4_ADDR:
1814 case IPSECDOI_ID_IPV6_ADDR:
1815 {
1816 /*
1817 * converting to binary from string because openssl return
1818 * a string even if object is a binary.
1819 * XXX fix it ! access by ASN.1 directly without.
1820 */
1821 struct addrinfo hints, *res;
1822 caddr_t a = NULL;
1823 int pos;
1824
1825 for (pos = 1; ; pos++) {
1826 if (eay_get_x509subjectaltname(iph1->cert_p,
1827 &altname, &type, pos) !=0) {
1828 plog(LLV_ERROR, LOCATION, NULL,
1829 "failed to get subjectAltName\n");
1830 return ISAKMP_NTYPE_INVALID_CERTIFICATE;
1831 }
1832
1833 /* it's the end condition of the loop. */
1834 if (!altname) {
1835 plog(LLV_ERROR, LOCATION, NULL,
1836 "no proper subjectAltName.\n");
1837 return ISAKMP_NTYPE_INVALID_CERTIFICATE;
1838 }
1839
1840 if (check_typeofcertname(id_b->type, type) == 0)
1841 break;
1842
1843 /* next name */
1844 racoon_free(altname);
1845 altname = NULL;
1846 }
1847 memset(&hints, 0, sizeof(hints));
1848 hints.ai_family = PF_UNSPEC;
1849 hints.ai_socktype = SOCK_RAW;
1850 hints.ai_flags = AI_NUMERICHOST;
1851 error = getaddrinfo(altname, NULL, &hints, &res);
1852 racoon_free(altname);
1853 altname = NULL;
1854 if (error != 0) {
1855 plog(LLV_ERROR, LOCATION, NULL,
1856 "no proper subjectAltName.\n");
1857 return ISAKMP_NTYPE_INVALID_CERTIFICATE;
1858 }
1859 switch (res->ai_family) {
1860 case AF_INET:
1861 a = (caddr_t)&((struct sockaddr_in *)res->ai_addr)->sin_addr.s_addr;
1862 break;
1863 #ifdef INET6
1864 case AF_INET6:
1865 a = (caddr_t)&((struct sockaddr_in6 *)res->ai_addr)->sin6_addr.s6_addr;
1866 break;
1867 #endif
1868 default:
1869 plog(LLV_ERROR, LOCATION, NULL,
1870 "family not supported: %d.\n", res->ai_family);
1871 freeaddrinfo(res);
1872 return ISAKMP_NTYPE_INVALID_CERTIFICATE;
1873 }
1874 error = memcmp(id_b + 1, a, idlen);
1875 freeaddrinfo(res);
1876 vfree(name);
1877 if (error != 0) {
1878 plog(LLV_ERROR, LOCATION, NULL,
1879 "ID mismatched with subjectAltName.\n");
1880 plogdump(LLV_DEBUG, id_b + 1, idlen);
1881 plogdump(LLV_DEBUG, a, idlen);
1882 if (iph1->rmconf->verify_identifier)
1883 return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
1884 }
1885 return 0;
1886 }
1887 case IPSECDOI_ID_FQDN:
1888 case IPSECDOI_ID_USER_FQDN:
1889 {
1890 int pos;
1891
1892 for (pos = 1; ; pos++) {
1893 if (eay_get_x509subjectaltname(iph1->cert_p,
1894 &altname, &type, pos) != 0){
1895 plog(LLV_ERROR, LOCATION, NULL,
1896 "failed to get subjectAltName\n");
1897 return ISAKMP_NTYPE_INVALID_CERTIFICATE;
1898 }
1899
1900 /* it's the end condition of the loop. */
1901 if (!altname) {
1902 plog(LLV_ERROR, LOCATION, NULL,
1903 "no proper subjectAltName.\n");
1904 return ISAKMP_NTYPE_INVALID_CERTIFICATE;
1905 }
1906
1907 if (check_typeofcertname(id_b->type, type) == 0)
1908 break;
1909
1910 /* next name */
1911 racoon_free(altname);
1912 altname = NULL;
1913 }
1914 if (idlen != strlen(altname)) {
1915 plog(LLV_ERROR, LOCATION, NULL,
1916 "Invalid ID length in phase 1.\n");
1917 racoon_free(altname);
1918 return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
1919 }
1920 if (check_typeofcertname(id_b->type, type) != 0) {
1921 plog(LLV_ERROR, LOCATION, NULL,
1922 "ID type mismatched. ID: %s CERT: %s.\n",
1923 s_ipsecdoi_ident(id_b->type),
1924 s_ipsecdoi_ident(type));
1925 racoon_free(altname);
1926 return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
1927 }
1928 error = memcmp(id_b + 1, altname, idlen);
1929 if (error) {
1930 plog(LLV_ERROR, LOCATION, NULL, "ID mismatched.\n");
1931 plogdump(LLV_DEBUG, id_b + 1, idlen);
1932 plogdump(LLV_DEBUG, altname, idlen);
1933 racoon_free(altname);
1934 return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
1935 }
1936 racoon_free(altname);
1937 return 0;
1938 }
1939 default:
1940 plog(LLV_ERROR, LOCATION, NULL,
1941 "Inpropper ID type passed: %s.\n",
1942 s_ipsecdoi_ident(id_b->type));
1943 return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
1944 }
1945 /*NOTREACHED*/
1946 }
1947
1948 static int
check_typeofcertname(doi,genid)1949 check_typeofcertname(doi, genid)
1950 int doi, genid;
1951 {
1952 switch (doi) {
1953 case IPSECDOI_ID_IPV4_ADDR:
1954 case IPSECDOI_ID_IPV4_ADDR_SUBNET:
1955 case IPSECDOI_ID_IPV6_ADDR:
1956 case IPSECDOI_ID_IPV6_ADDR_SUBNET:
1957 case IPSECDOI_ID_IPV4_ADDR_RANGE:
1958 case IPSECDOI_ID_IPV6_ADDR_RANGE:
1959 if (genid != GENT_IPADD)
1960 return -1;
1961 return 0;
1962 case IPSECDOI_ID_FQDN:
1963 if (genid != GENT_DNS)
1964 return -1;
1965 return 0;
1966 case IPSECDOI_ID_USER_FQDN:
1967 if (genid != GENT_EMAIL)
1968 return -1;
1969 return 0;
1970 case IPSECDOI_ID_DER_ASN1_DN: /* should not be passed to this function*/
1971 case IPSECDOI_ID_DER_ASN1_GN:
1972 case IPSECDOI_ID_KEY_ID:
1973 default:
1974 return -1;
1975 }
1976 /*NOTREACHED*/
1977 }
1978
1979 /*
1980 * save certificate including certificate type.
1981 */
1982 int
oakley_savecert(iph1,gen)1983 oakley_savecert(iph1, gen)
1984 struct ph1handle *iph1;
1985 struct isakmp_gen *gen;
1986 {
1987 vchar_t **c;
1988 u_int8_t type;
1989 STACK_OF(X509) *certs=NULL;
1990 PKCS7 *p7;
1991
1992 type = *(u_int8_t *)(gen + 1) & 0xff;
1993
1994 switch (type) {
1995 case ISAKMP_CERT_DNS:
1996 plog(LLV_WARNING, LOCATION, NULL,
1997 "CERT payload is unnecessary in DNSSEC. "
1998 "ignore this CERT payload.\n");
1999 return 0;
2000 case ISAKMP_CERT_PKCS7:
2001 case ISAKMP_CERT_PGP:
2002 case ISAKMP_CERT_X509SIGN:
2003 case ISAKMP_CERT_KERBEROS:
2004 case ISAKMP_CERT_SPKI:
2005 c = &iph1->cert_p;
2006 break;
2007 case ISAKMP_CERT_CRL:
2008 c = &iph1->crl_p;
2009 break;
2010 case ISAKMP_CERT_X509KE:
2011 case ISAKMP_CERT_X509ATTR:
2012 case ISAKMP_CERT_ARL:
2013 plog(LLV_ERROR, LOCATION, NULL,
2014 "No supported such CERT type %d\n", type);
2015 return -1;
2016 default:
2017 plog(LLV_ERROR, LOCATION, NULL,
2018 "Invalid CERT type %d\n", type);
2019 return -1;
2020 }
2021
2022 /* XXX choice the 1th cert, ignore after the cert. */
2023 /* XXX should be processed. */
2024 if (*c) {
2025 plog(LLV_WARNING, LOCATION, NULL,
2026 "ignore 2nd CERT payload.\n");
2027 return 0;
2028 }
2029
2030 if (type == ISAKMP_CERT_PKCS7) {
2031 u_char *bp;
2032 int i;
2033
2034 /* Skip the header */
2035 bp = (u_char *)(gen + 1);
2036 /* And the first byte is the certificate type,
2037 * we know that already
2038 */
2039 bp++;
2040 p7 = d2i_PKCS7(NULL, (void *)&bp,
2041 ntohs(gen->len) - sizeof(*gen) - 1);
2042
2043 if (!p7) {
2044 plog(LLV_ERROR, LOCATION, NULL,
2045 "Failed to parse PKCS#7 CERT.\n");
2046 return -1;
2047 }
2048
2049 /* Copied this from the openssl pkcs7 application;
2050 * there"s little by way of documentation for any of
2051 * it. I can only presume it"s correct.
2052 */
2053
2054 i = OBJ_obj2nid(p7->type);
2055 switch (i) {
2056 case NID_pkcs7_signed:
2057 certs=p7->d.sign->cert;
2058 break;
2059 case NID_pkcs7_signedAndEnveloped:
2060 certs=p7->d.signed_and_enveloped->cert;
2061 break;
2062 default:
2063 break;
2064 }
2065
2066 if (!certs) {
2067 plog(LLV_ERROR, LOCATION, NULL,
2068 "CERT PKCS#7 bundle contains no certs.\n");
2069 PKCS7_free(p7);
2070 return -1;
2071 }
2072
2073 for (i = 0; i < sk_X509_num(certs); i++) {
2074 X509 *cert = sk_X509_value(certs,i);
2075
2076 plog(LLV_DEBUG, LOCATION, NULL,
2077 "Trying PKCS#7 cert %d.\n", i);
2078
2079 /* We'll just try each cert in turn */
2080 *c = dump_x509(cert);
2081
2082 if (!*c) {
2083 plog(LLV_ERROR, LOCATION, NULL,
2084 "Failed to get CERT buffer.\n");
2085 continue;
2086 }
2087
2088 /* Ignore cert if it doesn't match identity
2089 * XXX If verify cert is disabled, we still just take
2090 * the first certificate....
2091 */
2092 if (oakley_check_certid(iph1)) {
2093 plog(LLV_DEBUG, LOCATION, NULL,
2094 "Discarding CERT: does not match ID.\n");
2095 vfree((*c));
2096 *c = NULL;
2097 continue;
2098 }
2099
2100 {
2101 char *p = eay_get_x509text(*c);
2102 plog(LLV_DEBUG, LOCATION, NULL, "CERT saved:\n");
2103 plogdump(LLV_DEBUG, (*c)->v, (*c)->l);
2104 plog(LLV_DEBUG, LOCATION, NULL, "%s",
2105 p ? p : "\n");
2106 racoon_free(p);
2107 }
2108 break;
2109 }
2110 PKCS7_free(p7);
2111 } else {
2112 *c = dump_isakmp_payload(gen);
2113 if (!*c) {
2114 plog(LLV_ERROR, LOCATION, NULL,
2115 "Failed to get CERT buffer.\n");
2116 return -1;
2117 }
2118
2119 switch (type) {
2120 case ISAKMP_CERT_PGP:
2121 case ISAKMP_CERT_X509SIGN:
2122 case ISAKMP_CERT_KERBEROS:
2123 case ISAKMP_CERT_SPKI:
2124 /* Ignore cert if it doesn't match identity
2125 * XXX If verify cert is disabled, we still just take
2126 * the first certificate....
2127 */
2128 if (oakley_check_certid(iph1)){
2129 plog(LLV_DEBUG, LOCATION, NULL,
2130 "Discarding CERT: does not match ID.\n");
2131 vfree((*c));
2132 *c = NULL;
2133 return 0;
2134 }
2135
2136 {
2137 char *p = eay_get_x509text(*c);
2138 plog(LLV_DEBUG, LOCATION, NULL, "CERT saved:\n");
2139 plogdump(LLV_DEBUG, (*c)->v, (*c)->l);
2140 plog(LLV_DEBUG, LOCATION, NULL, "%s", p ? p : "\n");
2141 racoon_free(p);
2142 }
2143 break;
2144 case ISAKMP_CERT_CRL:
2145 plog(LLV_DEBUG, LOCATION, NULL, "CRL saved:\n");
2146 plogdump(LLV_DEBUG, (*c)->v, (*c)->l);
2147 break;
2148 case ISAKMP_CERT_X509KE:
2149 case ISAKMP_CERT_X509ATTR:
2150 case ISAKMP_CERT_ARL:
2151 default:
2152 /* XXX */
2153 vfree(*c);
2154 *c = NULL;
2155 return 0;
2156 }
2157 }
2158
2159 return 0;
2160 }
2161
2162 /*
2163 * save certificate including certificate type.
2164 */
2165 int
oakley_savecr(iph1,gen)2166 oakley_savecr(iph1, gen)
2167 struct ph1handle *iph1;
2168 struct isakmp_gen *gen;
2169 {
2170 vchar_t *cert;
2171 vchar_t **c;
2172 u_int8_t type;
2173
2174 type = *(u_int8_t *)(gen + 1) & 0xff;
2175 switch (type) {
2176 case ISAKMP_CERT_DNS:
2177 plog(LLV_WARNING, LOCATION, NULL,
2178 "CERT payload is unnecessary in DNSSEC\n");
2179 /*FALLTHRU*/
2180 case ISAKMP_CERT_PKCS7:
2181 case ISAKMP_CERT_PGP:
2182 case ISAKMP_CERT_X509SIGN:
2183 case ISAKMP_CERT_KERBEROS:
2184 case ISAKMP_CERT_SPKI:
2185 c = &iph1->cr_p;
2186 break;
2187 case ISAKMP_CERT_X509KE:
2188 case ISAKMP_CERT_X509ATTR:
2189 case ISAKMP_CERT_ARL:
2190 plog(LLV_ERROR, LOCATION, NULL,
2191 "No supported such CR type %d\n", type);
2192 return -1;
2193 case ISAKMP_CERT_CRL:
2194 default:
2195 plog(LLV_ERROR, LOCATION, NULL,
2196 "Invalid CR type %d\n", type);
2197 return -1;
2198 }
2199
2200 /* Already found an acceptable CR? */
2201 if (*c != NULL)
2202 return 0;
2203
2204 cert = dump_isakmp_payload(gen);
2205 if (cert == NULL) {
2206 plog(LLV_ERROR, LOCATION, NULL,
2207 "Failed to get CR buffer.\n");
2208 return -1;
2209 }
2210
2211 plog(LLV_DEBUG, LOCATION, NULL, "CR received:\n");
2212 plogdump(LLV_DEBUG, cert->v, cert->l);
2213
2214 *c = cert;
2215 if (resolveph1rmconf(iph1) == 0) {
2216 /* Found unique match */
2217 plog(LLV_DEBUG, LOCATION, NULL, "CR saved.\n");
2218 } else {
2219 /* Still ambiguous or matches nothing, ignore this CR */
2220 *c = NULL;
2221 vfree(cert);
2222 }
2223 return 0;
2224 }
2225
2226 /*
2227 * Add a single CR.
2228 */
2229 struct append_cr_ctx {
2230 struct ph1handle *iph1;
2231 struct payload_list *plist;
2232 };
2233
2234 static int
oakley_append_rmconf_cr(struct remoteconf * rmconf,void * ctx)2235 oakley_append_rmconf_cr(struct remoteconf *rmconf, void *ctx)
2236 {
2237 struct append_cr_ctx *actx = (struct append_cr_ctx *) ctx;
2238 vchar_t *buf, *asn1dn = NULL;
2239 int type;
2240
2241 /* Do we want to send CR about this? */
2242 if (rmconf->send_cr == FALSE)
2243 return 0;
2244
2245 if (rmconf->peerscert != NULL) {
2246 type = oakley_get_certtype(rmconf->peerscert);
2247 asn1dn = eay_get_x509asn1issuername(rmconf->peerscert);
2248 } else if (rmconf->cacert != NULL) {
2249 type = oakley_get_certtype(rmconf->cacert);
2250 asn1dn = eay_get_x509asn1subjectname(rmconf->cacert);
2251 } else
2252 return 0;
2253
2254 if (asn1dn == NULL) {
2255 plog(LLV_ERROR, LOCATION, actx->iph1->remote,
2256 "Failed to get CR ASN1 DN from certificate\n");
2257 return 0;
2258 }
2259
2260 buf = vmalloc(1 + asn1dn->l);
2261 if (buf == NULL)
2262 goto err;
2263
2264 buf->v[0] = type;
2265 memcpy(&buf->v[1], asn1dn->v, asn1dn->l);
2266
2267 plog(LLV_DEBUG, LOCATION, actx->iph1->remote,
2268 "appending CR: %s\n",
2269 s_isakmp_certtype(buf->v[0]));
2270 plogdump(LLV_DEBUG, buf->v, buf->l);
2271
2272 actx->plist = isakmp_plist_append_full(actx->plist, buf, ISAKMP_NPTYPE_CR, 1);
2273
2274 err:
2275 vfree(asn1dn);
2276 return 0;
2277 }
2278
2279 /*
2280 * Append list of acceptable CRs.
2281 * RFC2048 3.10
2282 */
2283 struct payload_list *
oakley_append_cr(plist,iph1)2284 oakley_append_cr(plist, iph1)
2285 struct payload_list *plist;
2286 struct ph1handle *iph1;
2287 {
2288 struct append_cr_ctx ctx;
2289 struct rmconfselector sel;
2290
2291 ctx.iph1 = iph1;
2292 ctx.plist = plist;
2293 if (iph1->rmconf == NULL) {
2294 rmconf_selector_from_ph1(&sel, iph1);
2295 enumrmconf(&sel, oakley_append_rmconf_cr, &ctx);
2296 } else {
2297 oakley_append_rmconf_cr(iph1->rmconf, &ctx);
2298 }
2299
2300 return ctx.plist;
2301 }
2302
2303 /*
2304 * check peer's CR.
2305 */
2306 int
oakley_checkcr(iph1)2307 oakley_checkcr(iph1)
2308 struct ph1handle *iph1;
2309 {
2310 int type;
2311
2312 if (iph1->cr_p == NULL)
2313 return 0;
2314
2315 plog(LLV_DEBUG, LOCATION, iph1->remote,
2316 "peer transmitted CR: %s\n",
2317 s_isakmp_certtype(oakley_get_certtype(iph1->cr_p)));
2318
2319 type = oakley_get_certtype(iph1->cr_p);
2320 if (type != oakley_get_certtype(iph1->rmconf->mycert)) {
2321 plog(LLV_ERROR, LOCATION, iph1->remote,
2322 "such a cert type isn't supported: %d\n",
2323 type);
2324 return -1;
2325 }
2326
2327 return 0;
2328 }
2329
2330 /*
2331 * check to need CR payload.
2332 */
2333 int
oakley_needcr(type)2334 oakley_needcr(type)
2335 int type;
2336 {
2337 switch (type) {
2338 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
2339 case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
2340 #ifdef ENABLE_HYBRID
2341 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
2342 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
2343 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
2344 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
2345 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
2346 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
2347 #endif
2348 return 1;
2349 default:
2350 return 0;
2351 }
2352 /*NOTREACHED*/
2353 }
2354
2355 /*
2356 * compute SKEYID
2357 * see seciton 5. Exchanges in RFC 2409
2358 * psk: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
2359 * sig: SKEYID = prf(Ni_b | Nr_b, g^ir)
2360 * enc: SKEYID = prf(H(Ni_b | Nr_b), CKY-I | CKY-R)
2361 */
2362 int
oakley_skeyid(iph1)2363 oakley_skeyid(iph1)
2364 struct ph1handle *iph1;
2365 {
2366 vchar_t *buf = NULL, *bp;
2367 char *p;
2368 int len;
2369 int error = -1;
2370
2371 /* SKEYID */
2372 switch (iph1->approval->authmethod) {
2373 case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
2374 #ifdef ENABLE_HYBRID
2375 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I:
2376 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
2377 #endif
2378 if (iph1->etype != ISAKMP_ETYPE_IDENT) {
2379 iph1->authstr = getpskbyname(iph1->id_p);
2380 if (iph1->authstr == NULL) {
2381 if (iph1->rmconf->verify_identifier) {
2382 plog(LLV_ERROR, LOCATION, iph1->remote,
2383 "couldn't find the pskey.\n");
2384 goto end;
2385 }
2386 plog(LLV_NOTIFY, LOCATION, iph1->remote,
2387 "couldn't find the proper pskey, "
2388 "try to get one by the peer's address.\n");
2389 }
2390 }
2391 if (iph1->authstr == NULL) {
2392 /*
2393 * If the exchange type is the main mode or if it's
2394 * failed to get the psk by ID, racoon try to get
2395 * the psk by remote IP address.
2396 * It may be nonsense.
2397 */
2398 iph1->authstr = getpskbyaddr(iph1->remote);
2399 if (iph1->authstr == NULL) {
2400 plog(LLV_ERROR, LOCATION, iph1->remote,
2401 "couldn't find the pskey for %s.\n",
2402 saddrwop2str(iph1->remote));
2403 goto end;
2404 }
2405 }
2406 plog(LLV_DEBUG, LOCATION, NULL, "the psk found.\n");
2407 /* should be secret PSK */
2408 plog(LLV_DEBUG2, LOCATION, NULL, "psk: ");
2409 plogdump(LLV_DEBUG2, iph1->authstr->v, iph1->authstr->l);
2410
2411 len = iph1->nonce->l + iph1->nonce_p->l;
2412 buf = vmalloc(len);
2413 if (buf == NULL) {
2414 plog(LLV_ERROR, LOCATION, NULL,
2415 "failed to get skeyid buffer\n");
2416 goto end;
2417 }
2418 p = buf->v;
2419
2420 bp = (iph1->side == INITIATOR ? iph1->nonce : iph1->nonce_p);
2421 plog(LLV_DEBUG, LOCATION, NULL, "nonce 1: ");
2422 plogdump(LLV_DEBUG, bp->v, bp->l);
2423 memcpy(p, bp->v, bp->l);
2424 p += bp->l;
2425
2426 bp = (iph1->side == INITIATOR ? iph1->nonce_p : iph1->nonce);
2427 plog(LLV_DEBUG, LOCATION, NULL, "nonce 2: ");
2428 plogdump(LLV_DEBUG, bp->v, bp->l);
2429 memcpy(p, bp->v, bp->l);
2430 p += bp->l;
2431
2432 iph1->skeyid = oakley_prf(iph1->authstr, buf, iph1);
2433 if (iph1->skeyid == NULL)
2434 goto end;
2435 break;
2436
2437 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
2438 case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
2439 #ifdef ENABLE_HYBRID
2440 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
2441 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
2442 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
2443 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
2444 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
2445 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
2446 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
2447 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
2448 #endif
2449 #ifdef HAVE_GSSAPI
2450 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
2451 #endif
2452 len = iph1->nonce->l + iph1->nonce_p->l;
2453 buf = vmalloc(len);
2454 if (buf == NULL) {
2455 plog(LLV_ERROR, LOCATION, NULL,
2456 "failed to get nonce buffer\n");
2457 goto end;
2458 }
2459 p = buf->v;
2460
2461 bp = (iph1->side == INITIATOR ? iph1->nonce : iph1->nonce_p);
2462 plog(LLV_DEBUG, LOCATION, NULL, "nonce1: ");
2463 plogdump(LLV_DEBUG, bp->v, bp->l);
2464 memcpy(p, bp->v, bp->l);
2465 p += bp->l;
2466
2467 bp = (iph1->side == INITIATOR ? iph1->nonce_p : iph1->nonce);
2468 plog(LLV_DEBUG, LOCATION, NULL, "nonce2: ");
2469 plogdump(LLV_DEBUG, bp->v, bp->l);
2470 memcpy(p, bp->v, bp->l);
2471 p += bp->l;
2472
2473 iph1->skeyid = oakley_prf(buf, iph1->dhgxy, iph1);
2474 if (iph1->skeyid == NULL)
2475 goto end;
2476 break;
2477 case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
2478 case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
2479 #ifdef ENABLE_HYBRID
2480 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
2481 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
2482 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
2483 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
2484 #endif
2485 plog(LLV_WARNING, LOCATION, NULL,
2486 "not supported authentication method %s\n",
2487 s_oakley_attr_method(iph1->approval->authmethod));
2488 goto end;
2489 default:
2490 plog(LLV_ERROR, LOCATION, NULL,
2491 "invalid authentication method %d\n",
2492 iph1->approval->authmethod);
2493 goto end;
2494 }
2495
2496 plog(LLV_DEBUG, LOCATION, NULL, "SKEYID computed:\n");
2497 plogdump(LLV_DEBUG, iph1->skeyid->v, iph1->skeyid->l);
2498
2499 error = 0;
2500
2501 end:
2502 if (buf != NULL)
2503 vfree(buf);
2504 return error;
2505 }
2506
2507 /*
2508 * compute SKEYID_[dae]
2509 * see seciton 5. Exchanges in RFC 2409
2510 * SKEYID_d = prf(SKEYID, g^ir | CKY-I | CKY-R | 0)
2511 * SKEYID_a = prf(SKEYID, SKEYID_d | g^ir | CKY-I | CKY-R | 1)
2512 * SKEYID_e = prf(SKEYID, SKEYID_a | g^ir | CKY-I | CKY-R | 2)
2513 */
2514 int
oakley_skeyid_dae(iph1)2515 oakley_skeyid_dae(iph1)
2516 struct ph1handle *iph1;
2517 {
2518 vchar_t *buf = NULL;
2519 char *p;
2520 int len;
2521 int error = -1;
2522
2523 if (iph1->skeyid == NULL) {
2524 plog(LLV_ERROR, LOCATION, NULL, "no SKEYID found.\n");
2525 goto end;
2526 }
2527
2528 /* SKEYID D */
2529 /* SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0) */
2530 len = iph1->dhgxy->l + sizeof(cookie_t) * 2 + 1;
2531 buf = vmalloc(len);
2532 if (buf == NULL) {
2533 plog(LLV_ERROR, LOCATION, NULL,
2534 "failed to get skeyid buffer\n");
2535 goto end;
2536 }
2537 p = buf->v;
2538
2539 memcpy(p, iph1->dhgxy->v, iph1->dhgxy->l);
2540 p += iph1->dhgxy->l;
2541 memcpy(p, (caddr_t)&iph1->index.i_ck, sizeof(cookie_t));
2542 p += sizeof(cookie_t);
2543 memcpy(p, (caddr_t)&iph1->index.r_ck, sizeof(cookie_t));
2544 p += sizeof(cookie_t);
2545 *p = 0;
2546 iph1->skeyid_d = oakley_prf(iph1->skeyid, buf, iph1);
2547 if (iph1->skeyid_d == NULL)
2548 goto end;
2549
2550 vfree(buf);
2551 buf = NULL;
2552
2553 plog(LLV_DEBUG, LOCATION, NULL, "SKEYID_d computed:\n");
2554 plogdump(LLV_DEBUG, iph1->skeyid_d->v, iph1->skeyid_d->l);
2555
2556 /* SKEYID A */
2557 /* SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1) */
2558 len = iph1->skeyid_d->l + iph1->dhgxy->l + sizeof(cookie_t) * 2 + 1;
2559 buf = vmalloc(len);
2560 if (buf == NULL) {
2561 plog(LLV_ERROR, LOCATION, NULL,
2562 "failed to get skeyid buffer\n");
2563 goto end;
2564 }
2565 p = buf->v;
2566 memcpy(p, iph1->skeyid_d->v, iph1->skeyid_d->l);
2567 p += iph1->skeyid_d->l;
2568 memcpy(p, iph1->dhgxy->v, iph1->dhgxy->l);
2569 p += iph1->dhgxy->l;
2570 memcpy(p, (caddr_t)&iph1->index.i_ck, sizeof(cookie_t));
2571 p += sizeof(cookie_t);
2572 memcpy(p, (caddr_t)&iph1->index.r_ck, sizeof(cookie_t));
2573 p += sizeof(cookie_t);
2574 *p = 1;
2575 iph1->skeyid_a = oakley_prf(iph1->skeyid, buf, iph1);
2576 if (iph1->skeyid_a == NULL)
2577 goto end;
2578
2579 vfree(buf);
2580 buf = NULL;
2581
2582 plog(LLV_DEBUG, LOCATION, NULL, "SKEYID_a computed:\n");
2583 plogdump(LLV_DEBUG, iph1->skeyid_a->v, iph1->skeyid_a->l);
2584
2585 /* SKEYID E */
2586 /* SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2) */
2587 len = iph1->skeyid_a->l + iph1->dhgxy->l + sizeof(cookie_t) * 2 + 1;
2588 buf = vmalloc(len);
2589 if (buf == NULL) {
2590 plog(LLV_ERROR, LOCATION, NULL,
2591 "failed to get skeyid buffer\n");
2592 goto end;
2593 }
2594 p = buf->v;
2595 memcpy(p, iph1->skeyid_a->v, iph1->skeyid_a->l);
2596 p += iph1->skeyid_a->l;
2597 memcpy(p, iph1->dhgxy->v, iph1->dhgxy->l);
2598 p += iph1->dhgxy->l;
2599 memcpy(p, (caddr_t)&iph1->index.i_ck, sizeof(cookie_t));
2600 p += sizeof(cookie_t);
2601 memcpy(p, (caddr_t)&iph1->index.r_ck, sizeof(cookie_t));
2602 p += sizeof(cookie_t);
2603 *p = 2;
2604 iph1->skeyid_e = oakley_prf(iph1->skeyid, buf, iph1);
2605 if (iph1->skeyid_e == NULL)
2606 goto end;
2607
2608 vfree(buf);
2609 buf = NULL;
2610
2611 plog(LLV_DEBUG, LOCATION, NULL, "SKEYID_e computed:\n");
2612 plogdump(LLV_DEBUG, iph1->skeyid_e->v, iph1->skeyid_e->l);
2613
2614 error = 0;
2615
2616 end:
2617 if (buf != NULL)
2618 vfree(buf);
2619 return error;
2620 }
2621
2622 /*
2623 * compute final encryption key.
2624 * see Appendix B.
2625 */
2626 int
oakley_compute_enckey(iph1)2627 oakley_compute_enckey(iph1)
2628 struct ph1handle *iph1;
2629 {
2630 u_int keylen, prflen;
2631 int error = -1;
2632
2633 /* RFC2409 p39 */
2634 keylen = alg_oakley_encdef_keylen(iph1->approval->enctype,
2635 iph1->approval->encklen);
2636 if (keylen == -1) {
2637 plog(LLV_ERROR, LOCATION, NULL,
2638 "invalid encryption algorithm %d, "
2639 "or invalid key length %d.\n",
2640 iph1->approval->enctype,
2641 iph1->approval->encklen);
2642 goto end;
2643 }
2644 iph1->key = vmalloc(keylen >> 3);
2645 if (iph1->key == NULL) {
2646 plog(LLV_ERROR, LOCATION, NULL,
2647 "failed to get key buffer\n");
2648 goto end;
2649 }
2650
2651 /* set prf length */
2652 prflen = alg_oakley_hashdef_hashlen(iph1->approval->hashtype);
2653 if (prflen == -1) {
2654 plog(LLV_ERROR, LOCATION, NULL,
2655 "invalid hash type %d.\n", iph1->approval->hashtype);
2656 goto end;
2657 }
2658
2659 /* see isakmp-oakley-08 5.3. */
2660 if (iph1->key->l <= iph1->skeyid_e->l) {
2661 /*
2662 * if length(Ka) <= length(SKEYID_e)
2663 * Ka = first length(K) bit of SKEYID_e
2664 */
2665 memcpy(iph1->key->v, iph1->skeyid_e->v, iph1->key->l);
2666 } else {
2667 vchar_t *buf = NULL, *res = NULL;
2668 u_char *p, *ep;
2669 int cplen;
2670 int subkey;
2671
2672 /*
2673 * otherwise,
2674 * Ka = K1 | K2 | K3
2675 * where
2676 * K1 = prf(SKEYID_e, 0)
2677 * K2 = prf(SKEYID_e, K1)
2678 * K3 = prf(SKEYID_e, K2)
2679 */
2680 plog(LLV_DEBUG, LOCATION, NULL,
2681 "len(SKEYID_e) < len(Ka) (%zu < %zu), "
2682 "generating long key (Ka = K1 | K2 | ...)\n",
2683 iph1->skeyid_e->l, iph1->key->l);
2684
2685 if ((buf = vmalloc(prflen >> 3)) == 0) {
2686 plog(LLV_ERROR, LOCATION, NULL,
2687 "failed to get key buffer\n");
2688 goto end;
2689 }
2690 p = (u_char *)iph1->key->v;
2691 ep = p + iph1->key->l;
2692
2693 subkey = 1;
2694 while (p < ep) {
2695 if (p == (u_char *)iph1->key->v) {
2696 /* just for computing K1 */
2697 buf->v[0] = 0;
2698 buf->l = 1;
2699 }
2700 res = oakley_prf(iph1->skeyid_e, buf, iph1);
2701 if (res == NULL) {
2702 vfree(buf);
2703 goto end;
2704 }
2705 plog(LLV_DEBUG, LOCATION, NULL,
2706 "compute intermediate encryption key K%d\n",
2707 subkey);
2708 plogdump(LLV_DEBUG, buf->v, buf->l);
2709 plogdump(LLV_DEBUG, res->v, res->l);
2710
2711 cplen = (res->l < ep - p) ? res->l : ep - p;
2712 memcpy(p, res->v, cplen);
2713 p += cplen;
2714
2715 buf->l = prflen >> 3; /* to cancel K1 speciality */
2716 if (res->l != buf->l) {
2717 plog(LLV_ERROR, LOCATION, NULL,
2718 "internal error: res->l=%zu buf->l=%zu\n",
2719 res->l, buf->l);
2720 vfree(res);
2721 vfree(buf);
2722 goto end;
2723 }
2724 memcpy(buf->v, res->v, res->l);
2725 vfree(res);
2726 subkey++;
2727 }
2728
2729 vfree(buf);
2730 }
2731
2732 /*
2733 * don't check any weak key or not.
2734 * draft-ietf-ipsec-ike-01.txt Appendix B.
2735 * draft-ietf-ipsec-ciph-aes-cbc-00.txt Section 2.3.
2736 */
2737 #if 0
2738 /* weakkey check */
2739 if (iph1->approval->enctype > ARRAYLEN(oakley_encdef)
2740 || oakley_encdef[iph1->approval->enctype].weakkey == NULL) {
2741 plog(LLV_ERROR, LOCATION, NULL,
2742 "encryption algorithm %d isn't supported.\n",
2743 iph1->approval->enctype);
2744 goto end;
2745 }
2746 if ((oakley_encdef[iph1->approval->enctype].weakkey)(iph1->key)) {
2747 plog(LLV_ERROR, LOCATION, NULL,
2748 "weakkey was generated.\n");
2749 goto end;
2750 }
2751 #endif
2752
2753 plog(LLV_DEBUG, LOCATION, NULL, "final encryption key computed:\n");
2754 plogdump(LLV_DEBUG, iph1->key->v, iph1->key->l);
2755
2756 error = 0;
2757
2758 end:
2759 return error;
2760 }
2761
2762 /*
2763 * compute IV and set to ph1handle
2764 * IV = hash(g^xi | g^xr)
2765 * see 4.1 Phase 1 state in draft-ietf-ipsec-ike.
2766 */
2767 int
oakley_newiv(iph1)2768 oakley_newiv(iph1)
2769 struct ph1handle *iph1;
2770 {
2771 struct isakmp_ivm *newivm = NULL;
2772 vchar_t *buf = NULL, *bp;
2773 char *p;
2774 int len;
2775
2776 /* create buffer */
2777 len = iph1->dhpub->l + iph1->dhpub_p->l;
2778 buf = vmalloc(len);
2779 if (buf == NULL) {
2780 plog(LLV_ERROR, LOCATION, NULL,
2781 "failed to get iv buffer\n");
2782 return -1;
2783 }
2784
2785 p = buf->v;
2786
2787 bp = (iph1->side == INITIATOR ? iph1->dhpub : iph1->dhpub_p);
2788 memcpy(p, bp->v, bp->l);
2789 p += bp->l;
2790
2791 bp = (iph1->side == INITIATOR ? iph1->dhpub_p : iph1->dhpub);
2792 memcpy(p, bp->v, bp->l);
2793 p += bp->l;
2794
2795 /* allocate IVm */
2796 newivm = racoon_calloc(1, sizeof(struct isakmp_ivm));
2797 if (newivm == NULL) {
2798 plog(LLV_ERROR, LOCATION, NULL,
2799 "failed to get iv buffer\n");
2800 vfree(buf);
2801 return -1;
2802 }
2803
2804 /* compute IV */
2805 newivm->iv = oakley_hash(buf, iph1);
2806 if (newivm->iv == NULL) {
2807 vfree(buf);
2808 oakley_delivm(newivm);
2809 return -1;
2810 }
2811
2812 /* adjust length of iv */
2813 newivm->iv->l = alg_oakley_encdef_blocklen(iph1->approval->enctype);
2814 if (newivm->iv->l == -1) {
2815 plog(LLV_ERROR, LOCATION, NULL,
2816 "invalid encryption algorithm %d.\n",
2817 iph1->approval->enctype);
2818 vfree(buf);
2819 oakley_delivm(newivm);
2820 return -1;
2821 }
2822
2823 /* create buffer to save iv */
2824 if ((newivm->ive = vdup(newivm->iv)) == NULL) {
2825 plog(LLV_ERROR, LOCATION, NULL,
2826 "vdup (%s)\n", strerror(errno));
2827 vfree(buf);
2828 oakley_delivm(newivm);
2829 return -1;
2830 }
2831
2832 vfree(buf);
2833
2834 plog(LLV_DEBUG, LOCATION, NULL, "IV computed:\n");
2835 plogdump(LLV_DEBUG, newivm->iv->v, newivm->iv->l);
2836
2837 iph1->ivm = newivm;
2838
2839 return 0;
2840 }
2841
2842 /*
2843 * compute IV for the payload after phase 1.
2844 * It's not limited for phase 2.
2845 * if pahse 1 was encrypted.
2846 * IV = hash(last CBC block of Phase 1 | M-ID)
2847 * if phase 1 was not encrypted.
2848 * IV = hash(phase 1 IV | M-ID)
2849 * see 4.2 Phase 2 state in draft-ietf-ipsec-ike.
2850 */
2851 struct isakmp_ivm *
oakley_newiv2(iph1,msgid)2852 oakley_newiv2(iph1, msgid)
2853 struct ph1handle *iph1;
2854 u_int32_t msgid;
2855 {
2856 struct isakmp_ivm *newivm = NULL;
2857 vchar_t *buf = NULL;
2858 char *p;
2859 int len;
2860 int error = -1;
2861
2862 /* create buffer */
2863 len = iph1->ivm->iv->l + sizeof(msgid_t);
2864 buf = vmalloc(len);
2865 if (buf == NULL) {
2866 plog(LLV_ERROR, LOCATION, NULL,
2867 "failed to get iv buffer\n");
2868 goto end;
2869 }
2870
2871 p = buf->v;
2872
2873 memcpy(p, iph1->ivm->iv->v, iph1->ivm->iv->l);
2874 p += iph1->ivm->iv->l;
2875
2876 memcpy(p, &msgid, sizeof(msgid));
2877
2878 plog(LLV_DEBUG, LOCATION, NULL, "compute IV for phase2\n");
2879 plog(LLV_DEBUG, LOCATION, NULL, "phase1 last IV:\n");
2880 plogdump(LLV_DEBUG, buf->v, buf->l);
2881
2882 /* allocate IVm */
2883 newivm = racoon_calloc(1, sizeof(struct isakmp_ivm));
2884 if (newivm == NULL) {
2885 plog(LLV_ERROR, LOCATION, NULL,
2886 "failed to get iv buffer\n");
2887 goto end;
2888 }
2889
2890 /* compute IV */
2891 if ((newivm->iv = oakley_hash(buf, iph1)) == NULL)
2892 goto end;
2893
2894 /* adjust length of iv */
2895 newivm->iv->l = alg_oakley_encdef_blocklen(iph1->approval->enctype);
2896 if (newivm->iv->l == -1) {
2897 plog(LLV_ERROR, LOCATION, NULL,
2898 "invalid encryption algorithm %d.\n",
2899 iph1->approval->enctype);
2900 goto end;
2901 }
2902
2903 /* create buffer to save new iv */
2904 if ((newivm->ive = vdup(newivm->iv)) == NULL) {
2905 plog(LLV_ERROR, LOCATION, NULL, "vdup (%s)\n", strerror(errno));
2906 goto end;
2907 }
2908
2909 error = 0;
2910
2911 plog(LLV_DEBUG, LOCATION, NULL, "phase2 IV computed:\n");
2912 plogdump(LLV_DEBUG, newivm->iv->v, newivm->iv->l);
2913
2914 end:
2915 if (error && newivm != NULL){
2916 oakley_delivm(newivm);
2917 newivm=NULL;
2918 }
2919 if (buf != NULL)
2920 vfree(buf);
2921 return newivm;
2922 }
2923
2924 void
oakley_delivm(ivm)2925 oakley_delivm(ivm)
2926 struct isakmp_ivm *ivm;
2927 {
2928 if (ivm == NULL)
2929 return;
2930
2931 if (ivm->iv != NULL)
2932 vfree(ivm->iv);
2933 if (ivm->ive != NULL)
2934 vfree(ivm->ive);
2935 racoon_free(ivm);
2936 plog(LLV_DEBUG, LOCATION, NULL, "IV freed\n");
2937
2938 return;
2939 }
2940
2941 /*
2942 * decrypt packet.
2943 * save new iv and old iv.
2944 */
2945 vchar_t *
oakley_do_decrypt(iph1,msg,ivdp,ivep)2946 oakley_do_decrypt(iph1, msg, ivdp, ivep)
2947 struct ph1handle *iph1;
2948 vchar_t *msg, *ivdp, *ivep;
2949 {
2950 vchar_t *buf = NULL, *new = NULL;
2951 char *pl;
2952 int len;
2953 u_int8_t padlen;
2954 int blen;
2955 int error = -1;
2956
2957 plog(LLV_DEBUG, LOCATION, NULL, "begin decryption.\n");
2958
2959 blen = alg_oakley_encdef_blocklen(iph1->approval->enctype);
2960 if (blen == -1) {
2961 plog(LLV_ERROR, LOCATION, NULL,
2962 "invalid encryption algorithm %d.\n",
2963 iph1->approval->enctype);
2964 goto end;
2965 }
2966
2967 /* save IV for next, but not sync. */
2968 memset(ivep->v, 0, ivep->l);
2969 memcpy(ivep->v, (caddr_t)&msg->v[msg->l - blen], blen);
2970
2971 plog(LLV_DEBUG, LOCATION, NULL,
2972 "IV was saved for next processing:\n");
2973 plogdump(LLV_DEBUG, ivep->v, ivep->l);
2974
2975 pl = msg->v + sizeof(struct isakmp);
2976
2977 len = msg->l - sizeof(struct isakmp);
2978
2979 /* create buffer */
2980 buf = vmalloc(len);
2981 if (buf == NULL) {
2982 plog(LLV_ERROR, LOCATION, NULL,
2983 "failed to get buffer to decrypt.\n");
2984 goto end;
2985 }
2986 memcpy(buf->v, pl, len);
2987
2988 /* do decrypt */
2989 new = alg_oakley_encdef_decrypt(iph1->approval->enctype,
2990 buf, iph1->key, ivdp);
2991 if (new == NULL || new->v == NULL || new->l == 0) {
2992 plog(LLV_ERROR, LOCATION, NULL,
2993 "decryption %d failed.\n", iph1->approval->enctype);
2994 goto end;
2995 }
2996 plog(LLV_DEBUG, LOCATION, NULL, "with key:\n");
2997 plogdump(LLV_DEBUG, iph1->key->v, iph1->key->l);
2998
2999 vfree(buf);
3000 buf = NULL;
3001
3002 plog(LLV_DEBUG, LOCATION, NULL, "decrypted payload by IV:\n");
3003 plogdump(LLV_DEBUG, ivdp->v, ivdp->l);
3004
3005 plog(LLV_DEBUG, LOCATION, NULL,
3006 "decrypted payload, but not trimed.\n");
3007 plogdump(LLV_DEBUG, new->v, new->l);
3008
3009 /* get padding length */
3010 if (lcconf->pad_excltail)
3011 padlen = new->v[new->l - 1] + 1;
3012 else
3013 padlen = new->v[new->l - 1];
3014 plog(LLV_DEBUG, LOCATION, NULL, "padding len=%u\n", padlen);
3015
3016 /* trim padding */
3017 if (lcconf->pad_strict) {
3018 if (padlen > new->l) {
3019 plog(LLV_ERROR, LOCATION, NULL,
3020 "invalied padding len=%u, buflen=%zu.\n",
3021 padlen, new->l);
3022 plogdump(LLV_ERROR, new->v, new->l);
3023 goto end;
3024 }
3025 new->l -= padlen;
3026 plog(LLV_DEBUG, LOCATION, NULL, "trimmed padding\n");
3027 } else {
3028 plog(LLV_DEBUG, LOCATION, NULL, "skip to trim padding.\n");
3029 }
3030
3031 /* create new buffer */
3032 len = sizeof(struct isakmp) + new->l;
3033 buf = vmalloc(len);
3034 if (buf == NULL) {
3035 plog(LLV_ERROR, LOCATION, NULL,
3036 "failed to get buffer to decrypt.\n");
3037 goto end;
3038 }
3039 memcpy(buf->v, msg->v, sizeof(struct isakmp));
3040 memcpy(buf->v + sizeof(struct isakmp), new->v, new->l);
3041 ((struct isakmp *)buf->v)->len = htonl(buf->l);
3042
3043 plog(LLV_DEBUG, LOCATION, NULL, "decrypted.\n");
3044 plogdump(LLV_DEBUG, buf->v, buf->l);
3045
3046 #ifdef HAVE_PRINT_ISAKMP_C
3047 isakmp_printpacket(buf, iph1->remote, iph1->local, 1);
3048 #endif
3049
3050 error = 0;
3051
3052 end:
3053 if (error && buf != NULL) {
3054 vfree(buf);
3055 buf = NULL;
3056 }
3057 if (new != NULL)
3058 vfree(new);
3059
3060 return buf;
3061 }
3062
3063 /*
3064 * encrypt packet.
3065 */
3066 vchar_t *
oakley_do_encrypt(iph1,msg,ivep,ivp)3067 oakley_do_encrypt(iph1, msg, ivep, ivp)
3068 struct ph1handle *iph1;
3069 vchar_t *msg, *ivep, *ivp;
3070 {
3071 vchar_t *buf = 0, *new = 0;
3072 char *pl;
3073 int len;
3074 u_int padlen;
3075 int blen;
3076 int error = -1;
3077
3078 plog(LLV_DEBUG, LOCATION, NULL, "begin encryption.\n");
3079
3080 /* set cbc block length */
3081 blen = alg_oakley_encdef_blocklen(iph1->approval->enctype);
3082 if (blen == -1) {
3083 plog(LLV_ERROR, LOCATION, NULL,
3084 "invalid encryption algorithm %d.\n",
3085 iph1->approval->enctype);
3086 goto end;
3087 }
3088
3089 pl = msg->v + sizeof(struct isakmp);
3090 len = msg->l - sizeof(struct isakmp);
3091
3092 /* add padding */
3093 padlen = oakley_padlen(len, blen);
3094 plog(LLV_DEBUG, LOCATION, NULL, "pad length = %u\n", padlen);
3095
3096 /* create buffer */
3097 buf = vmalloc(len + padlen);
3098 if (buf == NULL) {
3099 plog(LLV_ERROR, LOCATION, NULL,
3100 "failed to get buffer to encrypt.\n");
3101 goto end;
3102 }
3103 if (padlen) {
3104 int i;
3105 char *p = &buf->v[len];
3106 if (lcconf->pad_random) {
3107 for (i = 0; i < padlen; i++)
3108 *p++ = eay_random() & 0xff;
3109 }
3110 }
3111 memcpy(buf->v, pl, len);
3112
3113 /* make pad into tail */
3114 if (lcconf->pad_excltail)
3115 buf->v[len + padlen - 1] = padlen - 1;
3116 else
3117 buf->v[len + padlen - 1] = padlen;
3118
3119 plogdump(LLV_DEBUG, buf->v, buf->l);
3120
3121 /* do encrypt */
3122 new = alg_oakley_encdef_encrypt(iph1->approval->enctype,
3123 buf, iph1->key, ivep);
3124 if (new == NULL) {
3125 plog(LLV_ERROR, LOCATION, NULL,
3126 "encryption %d failed.\n", iph1->approval->enctype);
3127 goto end;
3128 }
3129 plog(LLV_DEBUG, LOCATION, NULL, "with key:\n");
3130 plogdump(LLV_DEBUG, iph1->key->v, iph1->key->l);
3131
3132 vfree(buf);
3133 buf = NULL;
3134
3135 plog(LLV_DEBUG, LOCATION, NULL, "encrypted payload by IV:\n");
3136 plogdump(LLV_DEBUG, ivep->v, ivep->l);
3137
3138 /* save IV for next */
3139 memset(ivp->v, 0, ivp->l);
3140 memcpy(ivp->v, (caddr_t)&new->v[new->l - blen], blen);
3141
3142 plog(LLV_DEBUG, LOCATION, NULL, "save IV for next:\n");
3143 plogdump(LLV_DEBUG, ivp->v, ivp->l);
3144
3145 /* create new buffer */
3146 len = sizeof(struct isakmp) + new->l;
3147 buf = vmalloc(len);
3148 if (buf == NULL) {
3149 plog(LLV_ERROR, LOCATION, NULL,
3150 "failed to get buffer to encrypt.\n");
3151 goto end;
3152 }
3153 memcpy(buf->v, msg->v, sizeof(struct isakmp));
3154 memcpy(buf->v + sizeof(struct isakmp), new->v, new->l);
3155 ((struct isakmp *)buf->v)->len = htonl(buf->l);
3156
3157 error = 0;
3158
3159 plog(LLV_DEBUG, LOCATION, NULL, "encrypted.\n");
3160
3161 end:
3162 if (error && buf != NULL) {
3163 vfree(buf);
3164 buf = NULL;
3165 }
3166 if (new != NULL)
3167 vfree(new);
3168
3169 return buf;
3170 }
3171
3172 /* culculate padding length */
3173 static int
oakley_padlen(len,base)3174 oakley_padlen(len, base)
3175 int len, base;
3176 {
3177 int padlen;
3178
3179 padlen = base - len % base;
3180
3181 if (lcconf->pad_randomlen)
3182 padlen += ((eay_random() % (lcconf->pad_maxsize + 1) + 1) *
3183 base);
3184
3185 return padlen;
3186 }
3187
3188