1 /* $OpenBSD: ikev2_msg.c,v 1.46 2016/09/04 10:26:02 vgross Exp $ */ 2 3 /* 4 * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 #include <sys/param.h> /* roundup */ 20 #include <sys/queue.h> 21 #include <sys/socket.h> 22 #include <sys/wait.h> 23 #include <sys/uio.h> 24 25 #include <netinet/in.h> 26 #include <arpa/inet.h> 27 28 #include <stdlib.h> 29 #include <stdio.h> 30 #include <unistd.h> 31 #include <string.h> 32 #include <signal.h> 33 #include <errno.h> 34 #include <err.h> 35 #include <pwd.h> 36 #include <event.h> 37 38 #include <openssl/sha.h> 39 #include <openssl/evp.h> 40 41 #include "iked.h" 42 #include "ikev2.h" 43 #include "eap.h" 44 #include "dh.h" 45 46 void ikev1_recv(struct iked *, struct iked_message *); 47 void ikev2_msg_response_timeout(struct iked *, void *); 48 void ikev2_msg_retransmit_timeout(struct iked *, void *); 49 50 void 51 ikev2_msg_cb(int fd, short event, void *arg) 52 { 53 struct iked_socket *sock = arg; 54 struct iked *env = sock->sock_env; 55 struct iked_message msg; 56 struct ike_header hdr; 57 uint32_t natt = 0x00000000; 58 uint8_t buf[IKED_MSGBUF_MAX]; 59 ssize_t len; 60 off_t off; 61 62 bzero(&msg, sizeof(msg)); 63 bzero(buf, sizeof(buf)); 64 65 msg.msg_peerlen = sizeof(msg.msg_peer); 66 msg.msg_locallen = sizeof(msg.msg_local); 67 msg.msg_parent = &msg; 68 memcpy(&msg.msg_local, &sock->sock_addr, sizeof(sock->sock_addr)); 69 70 if ((len = recvfromto(fd, buf, sizeof(buf), 0, 71 (struct sockaddr *)&msg.msg_peer, &msg.msg_peerlen, 72 (struct sockaddr *)&msg.msg_local, &msg.msg_locallen)) < 73 (ssize_t)sizeof(natt)) 74 return; 75 76 if (socket_getport((struct sockaddr *)&msg.msg_local) == 77 IKED_NATT_PORT) { 78 if (memcmp(&natt, buf, sizeof(natt)) != 0) 79 return; 80 msg.msg_natt = 1; 81 off = sizeof(natt); 82 } else 83 off = 0; 84 85 if ((size_t)(len - off) <= sizeof(hdr)) 86 return; 87 memcpy(&hdr, buf + off, sizeof(hdr)); 88 89 if ((msg.msg_data = ibuf_new(buf + off, len - off)) == NULL) 90 return; 91 92 TAILQ_INIT(&msg.msg_proposals); 93 msg.msg_fd = fd; 94 95 if (hdr.ike_version == IKEV1_VERSION) 96 ikev1_recv(env, &msg); 97 else 98 ikev2_recv(env, &msg); 99 100 ikev2_msg_cleanup(env, &msg); 101 } 102 103 void 104 ikev1_recv(struct iked *env, struct iked_message *msg) 105 { 106 struct ike_header *hdr; 107 108 if (ibuf_size(msg->msg_data) <= sizeof(*hdr)) { 109 log_debug("%s: short message", __func__); 110 return; 111 } 112 113 hdr = (struct ike_header *)ibuf_data(msg->msg_data); 114 115 log_debug("%s: header ispi %s rspi %s" 116 " nextpayload %u version 0x%02x exchange %u flags 0x%02x" 117 " msgid %u length %u", __func__, 118 print_spi(betoh64(hdr->ike_ispi), 8), 119 print_spi(betoh64(hdr->ike_rspi), 8), 120 hdr->ike_nextpayload, 121 hdr->ike_version, 122 hdr->ike_exchange, 123 hdr->ike_flags, 124 betoh32(hdr->ike_msgid), 125 betoh32(hdr->ike_length)); 126 127 log_debug("%s: IKEv1 not supported", __func__); 128 } 129 130 struct ibuf * 131 ikev2_msg_init(struct iked *env, struct iked_message *msg, 132 struct sockaddr_storage *peer, socklen_t peerlen, 133 struct sockaddr_storage *local, socklen_t locallen, int response) 134 { 135 bzero(msg, sizeof(*msg)); 136 memcpy(&msg->msg_peer, peer, peerlen); 137 msg->msg_peerlen = peerlen; 138 memcpy(&msg->msg_local, local, locallen); 139 msg->msg_locallen = locallen; 140 msg->msg_response = response ? 1 : 0; 141 msg->msg_fd = -1; 142 msg->msg_data = ibuf_static(); 143 msg->msg_e = 0; 144 msg->msg_parent = msg; /* has to be set */ 145 TAILQ_INIT(&msg->msg_proposals); 146 147 return (msg->msg_data); 148 } 149 150 struct iked_message * 151 ikev2_msg_copy(struct iked *env, struct iked_message *msg) 152 { 153 struct iked_message *m = NULL; 154 struct ibuf *buf; 155 size_t len; 156 void *ptr; 157 158 if (ibuf_size(msg->msg_data) < msg->msg_offset) 159 return (NULL); 160 len = ibuf_size(msg->msg_data) - msg->msg_offset; 161 162 if ((ptr = ibuf_seek(msg->msg_data, msg->msg_offset, len)) == NULL || 163 (m = malloc(sizeof(*m))) == NULL || 164 (buf = ikev2_msg_init(env, m, &msg->msg_peer, msg->msg_peerlen, 165 &msg->msg_local, msg->msg_locallen, msg->msg_response)) == NULL || 166 ibuf_add(buf, ptr, len)) 167 return (NULL); 168 169 m->msg_fd = msg->msg_fd; 170 m->msg_msgid = msg->msg_msgid; 171 m->msg_offset = msg->msg_offset; 172 m->msg_sa = msg->msg_sa; 173 174 return (m); 175 } 176 177 void 178 ikev2_msg_cleanup(struct iked *env, struct iked_message *msg) 179 { 180 if (msg == msg->msg_parent) { 181 ibuf_release(msg->msg_nonce); 182 ibuf_release(msg->msg_ke); 183 ibuf_release(msg->msg_auth.id_buf); 184 ibuf_release(msg->msg_id.id_buf); 185 ibuf_release(msg->msg_cert.id_buf); 186 187 config_free_proposals(&msg->msg_proposals, 0); 188 } 189 190 if (msg->msg_data != NULL) { 191 ibuf_release(msg->msg_data); 192 msg->msg_data = NULL; 193 } 194 } 195 196 int 197 ikev2_msg_valid_ike_sa(struct iked *env, struct ike_header *oldhdr, 198 struct iked_message *msg) 199 { 200 #if 0 201 /* XXX Disabled, see comment below */ 202 struct iked_message resp; 203 struct ike_header *hdr; 204 struct ikev2_payload *pld; 205 struct ikev2_notify *n; 206 struct ibuf *buf; 207 struct iked_sa sa; 208 #endif 209 210 if (msg->msg_sa != NULL && msg->msg_policy != NULL) { 211 /* 212 * Only permit informational requests from initiator 213 * on closing SAs (for DELETE). 214 */ 215 if (msg->msg_sa->sa_state == IKEV2_STATE_CLOSING) { 216 if (((oldhdr->ike_flags & 217 (IKEV2_FLAG_INITIATOR|IKEV2_FLAG_RESPONSE)) == 218 IKEV2_FLAG_INITIATOR) && 219 (oldhdr->ike_exchange == 220 IKEV2_EXCHANGE_INFORMATIONAL)) 221 return (0); 222 return (-1); 223 } 224 return (0); 225 } 226 227 #if 0 228 /* 229 * XXX Sending INVALID_IKE_SPIs notifications is disabled 230 * XXX because it is not mandatory and ignored by most 231 * XXX implementations. We might want to enable it in 232 * XXX combination with a rate-limitation to avoid DoS situations. 233 */ 234 235 /* Fail without error message */ 236 if (msg->msg_response || msg->msg_policy == NULL) 237 return (-1); 238 239 /* Invalid IKE SA, return notification */ 240 if ((buf = ikev2_msg_init(env, &resp, 241 &msg->msg_peer, msg->msg_peerlen, 242 &msg->msg_local, msg->msg_locallen, 1)) == NULL) 243 goto done; 244 245 resp.msg_fd = msg->msg_fd; 246 247 bzero(&sa, sizeof(sa)); 248 if ((oldhdr->ike_flags & IKEV2_FLAG_INITIATOR) == 0) 249 sa.sa_hdr.sh_initiator = 1; 250 sa.sa_hdr.sh_ispi = betoh64(oldhdr->ike_ispi); 251 sa.sa_hdr.sh_rspi = betoh64(oldhdr->ike_rspi); 252 253 resp.msg_msgid = betoh32(oldhdr->ike_msgid); 254 255 /* IKE header */ 256 if ((hdr = ikev2_add_header(buf, &sa, resp.msg_msgid, 257 IKEV2_PAYLOAD_NOTIFY, IKEV2_EXCHANGE_INFORMATIONAL, 258 IKEV2_FLAG_RESPONSE)) == NULL) 259 goto done; 260 261 /* SA payload */ 262 if ((pld = ikev2_add_payload(buf)) == NULL) 263 goto done; 264 if ((n = ibuf_advance(buf, sizeof(*n))) == NULL) 265 goto done; 266 n->n_protoid = IKEV2_SAPROTO_IKE; 267 n->n_spisize = 0; 268 n->n_type = htobe16(IKEV2_N_INVALID_IKE_SPI); 269 270 if (ikev2_next_payload(pld, sizeof(*n), IKEV2_PAYLOAD_NONE) == -1) 271 goto done; 272 273 if (ikev2_set_header(hdr, ibuf_size(buf) - sizeof(*hdr)) == -1) 274 goto done; 275 276 (void)ikev2_pld_parse(env, hdr, &resp, 0); 277 (void)ikev2_msg_send(env, &resp); 278 279 done: 280 ikev2_msg_cleanup(env, &resp); 281 #endif 282 283 /* Always fail */ 284 return (-1); 285 } 286 287 int 288 ikev2_msg_send(struct iked *env, struct iked_message *msg) 289 { 290 struct iked_sa *sa = msg->msg_sa; 291 struct ibuf *buf = msg->msg_data; 292 uint32_t natt = 0x00000000; 293 int isnatt = 0; 294 uint8_t exchange, flags; 295 struct ike_header *hdr; 296 struct iked_message *m; 297 298 if (buf == NULL || (hdr = ibuf_seek(msg->msg_data, 299 msg->msg_offset, sizeof(*hdr))) == NULL) 300 return (-1); 301 302 isnatt = (msg->msg_natt || (msg->msg_sa && msg->msg_sa->sa_natt)); 303 304 exchange = hdr->ike_exchange; 305 flags = hdr->ike_flags; 306 log_info("%s: %s %s from %s to %s msgid %u, %ld bytes%s", __func__, 307 print_map(exchange, ikev2_exchange_map), 308 (flags & IKEV2_FLAG_RESPONSE) ? "response" : "request", 309 print_host((struct sockaddr *)&msg->msg_local, NULL, 0), 310 print_host((struct sockaddr *)&msg->msg_peer, NULL, 0), 311 betoh32(hdr->ike_msgid), 312 ibuf_length(buf), isnatt ? ", NAT-T" : ""); 313 314 if (isnatt) { 315 if (ibuf_prepend(buf, &natt, sizeof(natt)) == -1) { 316 log_debug("%s: failed to set NAT-T", __func__); 317 return (-1); 318 } 319 msg->msg_offset += sizeof(natt); 320 } 321 322 if (sendtofrom(msg->msg_fd, ibuf_data(buf), ibuf_size(buf), 0, 323 (struct sockaddr *)&msg->msg_peer, msg->msg_peerlen, 324 (struct sockaddr *)&msg->msg_local, msg->msg_locallen) == -1) { 325 log_warn("%s: sendtofrom", __func__); 326 return (-1); 327 } 328 329 if (!sa) 330 return (0); 331 332 if ((m = ikev2_msg_copy(env, msg)) == NULL) { 333 log_debug("%s: failed to copy a message", __func__); 334 return (-1); 335 } 336 m->msg_exchange = exchange; 337 338 if (flags & IKEV2_FLAG_RESPONSE) { 339 TAILQ_INSERT_TAIL(&sa->sa_responses, m, msg_entry); 340 timer_set(env, &m->msg_timer, ikev2_msg_response_timeout, m); 341 timer_add(env, &m->msg_timer, IKED_RESPONSE_TIMEOUT); 342 } else { 343 TAILQ_INSERT_TAIL(&sa->sa_requests, m, msg_entry); 344 timer_set(env, &m->msg_timer, ikev2_msg_retransmit_timeout, m); 345 timer_add(env, &m->msg_timer, IKED_RETRANSMIT_TIMEOUT); 346 } 347 348 return (0); 349 } 350 351 uint32_t 352 ikev2_msg_id(struct iked *env, struct iked_sa *sa) 353 { 354 uint32_t id = sa->sa_reqid; 355 356 if (++sa->sa_reqid == UINT32_MAX) { 357 /* XXX we should close and renegotiate the connection now */ 358 log_debug("%s: IKEv2 message sequence overflow", __func__); 359 } 360 return (id); 361 } 362 363 struct ibuf * 364 ikev2_msg_encrypt(struct iked *env, struct iked_sa *sa, struct ibuf *src) 365 { 366 size_t len, ivlen, encrlen, integrlen, blocklen, 367 outlen; 368 uint8_t *buf, pad = 0, *ptr; 369 struct ibuf *encr, *dst = NULL, *out = NULL; 370 371 buf = ibuf_data(src); 372 len = ibuf_size(src); 373 374 log_debug("%s: decrypted length %zu", __func__, len); 375 print_hex(buf, 0, len); 376 377 if (sa == NULL || 378 sa->sa_encr == NULL || 379 sa->sa_integr == NULL) { 380 log_debug("%s: invalid SA", __func__); 381 goto done; 382 } 383 384 if (sa->sa_hdr.sh_initiator) 385 encr = sa->sa_key_iencr; 386 else 387 encr = sa->sa_key_rencr; 388 389 blocklen = cipher_length(sa->sa_encr); 390 ivlen = cipher_ivlength(sa->sa_encr); 391 integrlen = hash_length(sa->sa_integr); 392 encrlen = roundup(len + sizeof(pad), blocklen); 393 pad = encrlen - (len + sizeof(pad)); 394 395 /* 396 * Pad the payload and encrypt it 397 */ 398 if (pad) { 399 if ((ptr = ibuf_advance(src, pad)) == NULL) 400 goto done; 401 arc4random_buf(ptr, pad); 402 } 403 if (ibuf_add(src, &pad, sizeof(pad)) != 0) 404 goto done; 405 406 log_debug("%s: padded length %zu", __func__, ibuf_size(src)); 407 print_hex(ibuf_data(src), 0, ibuf_size(src)); 408 409 cipher_setkey(sa->sa_encr, encr->buf, ibuf_length(encr)); 410 cipher_setiv(sa->sa_encr, NULL, 0); /* XXX ivlen */ 411 cipher_init_encrypt(sa->sa_encr); 412 413 if ((dst = ibuf_dup(sa->sa_encr->encr_iv)) == NULL) 414 goto done; 415 416 if ((out = ibuf_new(NULL, 417 cipher_outlength(sa->sa_encr, encrlen))) == NULL) 418 goto done; 419 420 outlen = ibuf_size(out); 421 cipher_update(sa->sa_encr, 422 ibuf_data(src), encrlen, ibuf_data(out), &outlen); 423 424 if (outlen && ibuf_add(dst, ibuf_data(out), outlen) != 0) 425 goto done; 426 427 if ((ptr = ibuf_advance(dst, integrlen)) == NULL) 428 goto done; 429 explicit_bzero(ptr, integrlen); 430 431 log_debug("%s: length %zu, padding %d, output length %zu", 432 __func__, len + sizeof(pad), pad, ibuf_size(dst)); 433 print_hex(ibuf_data(dst), 0, ibuf_size(dst)); 434 435 ibuf_release(src); 436 ibuf_release(out); 437 return (dst); 438 done: 439 ibuf_release(src); 440 ibuf_release(out); 441 ibuf_release(dst); 442 return (NULL); 443 } 444 445 int 446 ikev2_msg_integr(struct iked *env, struct iked_sa *sa, struct ibuf *src) 447 { 448 int ret = -1; 449 size_t integrlen, tmplen; 450 struct ibuf *integr, *tmp = NULL; 451 uint8_t *ptr; 452 453 log_debug("%s: message length %zu", __func__, ibuf_size(src)); 454 print_hex(ibuf_data(src), 0, ibuf_size(src)); 455 456 if (sa == NULL || 457 sa->sa_integr == NULL) { 458 log_debug("%s: invalid SA", __func__); 459 return (-1); 460 } 461 462 if (sa->sa_hdr.sh_initiator) 463 integr = sa->sa_key_iauth; 464 else 465 integr = sa->sa_key_rauth; 466 467 integrlen = hash_length(sa->sa_integr); 468 469 log_debug("%s: integrity checksum length %zu", __func__, 470 integrlen); 471 472 /* 473 * Validate packet checksum 474 */ 475 if ((tmp = ibuf_new(NULL, hash_keylength(sa->sa_integr))) == NULL) 476 goto done; 477 478 hash_setkey(sa->sa_integr, ibuf_data(integr), ibuf_size(integr)); 479 hash_init(sa->sa_integr); 480 hash_update(sa->sa_integr, ibuf_data(src), 481 ibuf_size(src) - integrlen); 482 hash_final(sa->sa_integr, ibuf_data(tmp), &tmplen); 483 484 if (tmplen != integrlen) { 485 log_debug("%s: hash failure", __func__); 486 goto done; 487 } 488 489 if ((ptr = ibuf_seek(src, 490 ibuf_size(src) - integrlen, integrlen)) == NULL) 491 goto done; 492 memcpy(ptr, ibuf_data(tmp), tmplen); 493 494 print_hex(ibuf_data(tmp), 0, ibuf_size(tmp)); 495 496 ret = 0; 497 done: 498 ibuf_release(tmp); 499 500 return (ret); 501 } 502 503 struct ibuf * 504 ikev2_msg_decrypt(struct iked *env, struct iked_sa *sa, 505 struct ibuf *msg, struct ibuf *src) 506 { 507 ssize_t ivlen, encrlen, integrlen, blocklen, 508 outlen, tmplen; 509 uint8_t pad = 0, *ptr; 510 struct ibuf *integr, *encr, *tmp = NULL, *out = NULL; 511 off_t ivoff, encroff, integroff; 512 513 if (sa == NULL || 514 sa->sa_encr == NULL || 515 sa->sa_integr == NULL) { 516 log_debug("%s: invalid SA", __func__); 517 print_hex(ibuf_data(src), 0, ibuf_size(src)); 518 goto done; 519 } 520 521 if (!sa->sa_hdr.sh_initiator) { 522 encr = sa->sa_key_iencr; 523 integr = sa->sa_key_iauth; 524 } else { 525 encr = sa->sa_key_rencr; 526 integr = sa->sa_key_rauth; 527 } 528 529 blocklen = cipher_length(sa->sa_encr); 530 ivlen = cipher_ivlength(sa->sa_encr); 531 ivoff = 0; 532 integrlen = hash_length(sa->sa_integr); 533 integroff = ibuf_size(src) - integrlen; 534 encroff = ivlen; 535 encrlen = ibuf_size(src) - integrlen - ivlen; 536 537 if (encrlen < 0 || integroff < 0) { 538 log_debug("%s: invalid integrity value", __func__); 539 goto done; 540 } 541 542 log_debug("%s: IV length %zd", __func__, ivlen); 543 print_hex(ibuf_data(src), 0, ivlen); 544 log_debug("%s: encrypted payload length %zd", __func__, encrlen); 545 print_hex(ibuf_data(src), encroff, encrlen); 546 log_debug("%s: integrity checksum length %zd", __func__, integrlen); 547 print_hex(ibuf_data(src), integroff, integrlen); 548 549 /* 550 * Validate packet checksum 551 */ 552 if ((tmp = ibuf_new(NULL, ibuf_length(integr))) == NULL) 553 goto done; 554 555 hash_setkey(sa->sa_integr, integr->buf, ibuf_length(integr)); 556 hash_init(sa->sa_integr); 557 hash_update(sa->sa_integr, ibuf_data(msg), 558 ibuf_size(msg) - integrlen); 559 hash_final(sa->sa_integr, tmp->buf, &tmplen); 560 561 if (memcmp(tmp->buf, ibuf_data(src) + integroff, integrlen) != 0) { 562 log_debug("%s: integrity check failed", __func__); 563 goto done; 564 } 565 566 log_debug("%s: integrity check succeeded", __func__); 567 print_hex(tmp->buf, 0, tmplen); 568 569 ibuf_release(tmp); 570 tmp = NULL; 571 572 /* 573 * Decrypt the payload and strip any padding 574 */ 575 if ((encrlen % blocklen) != 0) { 576 log_debug("%s: unaligned encrypted payload", __func__); 577 goto done; 578 } 579 580 cipher_setkey(sa->sa_encr, encr->buf, ibuf_length(encr)); 581 cipher_setiv(sa->sa_encr, ibuf_data(src) + ivoff, ivlen); 582 cipher_init_decrypt(sa->sa_encr); 583 584 if ((out = ibuf_new(NULL, cipher_outlength(sa->sa_encr, 585 encrlen))) == NULL) 586 goto done; 587 588 if ((outlen = ibuf_length(out)) != 0) { 589 cipher_update(sa->sa_encr, ibuf_data(src) + encroff, encrlen, 590 ibuf_data(out), &outlen); 591 592 ptr = ibuf_seek(out, outlen - 1, 1); 593 pad = *ptr; 594 } 595 596 log_debug("%s: decrypted payload length %zd/%zd padding %d", 597 __func__, outlen, encrlen, pad); 598 print_hex(ibuf_data(out), 0, ibuf_size(out)); 599 600 if (ibuf_setsize(out, outlen) != 0) 601 goto done; 602 603 ibuf_release(src); 604 return (out); 605 done: 606 ibuf_release(tmp); 607 ibuf_release(out); 608 ibuf_release(src); 609 return (NULL); 610 } 611 612 int 613 ikev2_msg_send_encrypt(struct iked *env, struct iked_sa *sa, struct ibuf **ep, 614 uint8_t exchange, uint8_t firstpayload, int response) 615 { 616 struct iked_message resp; 617 struct ike_header *hdr; 618 struct ikev2_payload *pld; 619 struct ibuf *buf, *e = *ep; 620 int ret = -1; 621 622 if ((buf = ikev2_msg_init(env, &resp, &sa->sa_peer.addr, 623 sa->sa_peer.addr.ss_len, &sa->sa_local.addr, 624 sa->sa_local.addr.ss_len, response)) == NULL) 625 goto done; 626 627 resp.msg_msgid = response ? sa->sa_msgid : ikev2_msg_id(env, sa); 628 629 /* IKE header */ 630 if ((hdr = ikev2_add_header(buf, sa, resp.msg_msgid, IKEV2_PAYLOAD_SK, 631 exchange, response ? IKEV2_FLAG_RESPONSE : 0)) == NULL) 632 goto done; 633 634 if ((pld = ikev2_add_payload(buf)) == NULL) 635 goto done; 636 637 /* Encrypt message and add as an E payload */ 638 if ((e = ikev2_msg_encrypt(env, sa, e)) == NULL) { 639 log_debug("%s: encryption failed", __func__); 640 goto done; 641 } 642 if (ibuf_cat(buf, e) != 0) 643 goto done; 644 if (ikev2_next_payload(pld, ibuf_size(e), firstpayload) == -1) 645 goto done; 646 647 if (ikev2_set_header(hdr, ibuf_size(buf) - sizeof(*hdr)) == -1) 648 goto done; 649 650 /* Add integrity checksum (HMAC) */ 651 if (ikev2_msg_integr(env, sa, buf) != 0) { 652 log_debug("%s: integrity checksum failed", __func__); 653 goto done; 654 } 655 656 resp.msg_data = buf; 657 resp.msg_sa = sa; 658 resp.msg_fd = sa->sa_fd; 659 TAILQ_INIT(&resp.msg_proposals); 660 661 (void)ikev2_pld_parse(env, hdr, &resp, 0); 662 663 ret = ikev2_msg_send(env, &resp); 664 665 done: 666 /* e is cleaned up by the calling function */ 667 *ep = e; 668 ikev2_msg_cleanup(env, &resp); 669 670 return (ret); 671 } 672 673 struct ibuf * 674 ikev2_msg_auth(struct iked *env, struct iked_sa *sa, int response) 675 { 676 struct ibuf *authmsg = NULL, *nonce, *prfkey, *buf; 677 uint8_t *ptr; 678 struct iked_id *id; 679 size_t tmplen; 680 681 /* 682 * Create the payload to be signed/MAC'ed for AUTH 683 */ 684 685 if (!response) { 686 if ((nonce = sa->sa_rnonce) == NULL || 687 (sa->sa_iid.id_type == 0) || 688 (prfkey = sa->sa_key_iprf) == NULL || 689 (buf = sa->sa_1stmsg) == NULL) 690 return (NULL); 691 id = &sa->sa_iid; 692 } else { 693 if ((nonce = sa->sa_inonce) == NULL || 694 (sa->sa_rid.id_type == 0) || 695 (prfkey = sa->sa_key_rprf) == NULL || 696 (buf = sa->sa_2ndmsg) == NULL) 697 return (NULL); 698 id = &sa->sa_rid; 699 } 700 701 if ((authmsg = ibuf_dup(buf)) == NULL) 702 return (NULL); 703 if (ibuf_cat(authmsg, nonce) != 0) 704 goto fail; 705 706 if ((hash_setkey(sa->sa_prf, ibuf_data(prfkey), 707 ibuf_size(prfkey))) == NULL) 708 goto fail; 709 710 if ((ptr = ibuf_advance(authmsg, 711 hash_length(sa->sa_prf))) == NULL) 712 goto fail; 713 714 hash_init(sa->sa_prf); 715 hash_update(sa->sa_prf, ibuf_data(id->id_buf), ibuf_size(id->id_buf)); 716 hash_final(sa->sa_prf, ptr, &tmplen); 717 718 if (tmplen != hash_length(sa->sa_prf)) 719 goto fail; 720 721 log_debug("%s: %s auth data length %zu", 722 __func__, response ? "responder" : "initiator", 723 ibuf_size(authmsg)); 724 print_hex(ibuf_data(authmsg), 0, ibuf_size(authmsg)); 725 726 return (authmsg); 727 728 fail: 729 ibuf_release(authmsg); 730 return (NULL); 731 } 732 733 int 734 ikev2_msg_authverify(struct iked *env, struct iked_sa *sa, 735 struct iked_auth *auth, uint8_t *buf, size_t len, struct ibuf *authmsg) 736 { 737 uint8_t *key, *psk = NULL; 738 ssize_t keylen; 739 struct iked_id *id; 740 struct iked_dsa *dsa = NULL; 741 int ret = -1; 742 uint8_t keytype; 743 744 if (sa->sa_hdr.sh_initiator) 745 id = &sa->sa_rcert; 746 else 747 id = &sa->sa_icert; 748 749 if ((dsa = dsa_verify_new(auth->auth_method, sa->sa_prf)) == NULL) { 750 log_debug("%s: invalid auth method", __func__); 751 return (-1); 752 } 753 754 switch (auth->auth_method) { 755 case IKEV2_AUTH_SHARED_KEY_MIC: 756 if (!auth->auth_length) { 757 log_debug("%s: no pre-shared key found", __func__); 758 goto done; 759 } 760 if ((keylen = ikev2_psk(sa, auth->auth_data, 761 auth->auth_length, &psk)) == -1) { 762 log_debug("%s: failed to get PSK", __func__); 763 goto done; 764 } 765 key = psk; 766 keytype = 0; 767 break; 768 default: 769 if (!id->id_type || !ibuf_length(id->id_buf)) { 770 log_debug("%s: no cert found", __func__); 771 goto done; 772 } 773 key = ibuf_data(id->id_buf); 774 keylen = ibuf_size(id->id_buf); 775 keytype = id->id_type; 776 break; 777 } 778 779 log_debug("%s: method %s keylen %zd type %s", __func__, 780 print_map(auth->auth_method, ikev2_auth_map), keylen, 781 print_map(id->id_type, ikev2_cert_map)); 782 783 if (dsa_setkey(dsa, key, keylen, keytype) == NULL || 784 dsa_init(dsa, buf, len) != 0 || 785 dsa_update(dsa, ibuf_data(authmsg), ibuf_size(authmsg))) { 786 log_debug("%s: failed to compute digital signature", __func__); 787 goto done; 788 } 789 790 if ((ret = dsa_verify_final(dsa, buf, len)) == 0) { 791 log_debug("%s: authentication successful", __func__); 792 sa_state(env, sa, IKEV2_STATE_AUTH_SUCCESS); 793 sa_stateflags(sa, IKED_REQ_AUTHVALID); 794 } else { 795 log_debug("%s: authentication failed", __func__); 796 sa_state(env, sa, IKEV2_STATE_AUTH_REQUEST); 797 } 798 799 done: 800 free(psk); 801 dsa_free(dsa); 802 803 return (ret); 804 } 805 806 int 807 ikev2_msg_authsign(struct iked *env, struct iked_sa *sa, 808 struct iked_auth *auth, struct ibuf *authmsg) 809 { 810 uint8_t *key, *psk = NULL; 811 ssize_t keylen; 812 struct iked_hash *prf = sa->sa_prf; 813 struct iked_id *id; 814 struct iked_dsa *dsa = NULL; 815 struct ibuf *buf; 816 int ret = -1; 817 uint8_t keytype; 818 819 if (sa->sa_hdr.sh_initiator) 820 id = &sa->sa_icert; 821 else 822 id = &sa->sa_rcert; 823 824 if ((dsa = dsa_sign_new(auth->auth_method, prf)) == NULL) { 825 log_debug("%s: invalid auth method", __func__); 826 return (-1); 827 } 828 829 switch (auth->auth_method) { 830 case IKEV2_AUTH_SHARED_KEY_MIC: 831 if (!auth->auth_length) { 832 log_debug("%s: no pre-shared key found", __func__); 833 goto done; 834 } 835 if ((keylen = ikev2_psk(sa, auth->auth_data, 836 auth->auth_length, &psk)) == -1) { 837 log_debug("%s: failed to get PSK", __func__); 838 goto done; 839 } 840 key = psk; 841 keytype = 0; 842 break; 843 default: 844 if (id == NULL) { 845 log_debug("%s: no cert found", __func__); 846 goto done; 847 } 848 key = ibuf_data(id->id_buf); 849 keylen = ibuf_size(id->id_buf); 850 keytype = id->id_type; 851 break; 852 } 853 854 if (dsa_setkey(dsa, key, keylen, keytype) == NULL || 855 dsa_init(dsa, NULL, 0) != 0 || 856 dsa_update(dsa, ibuf_data(authmsg), ibuf_size(authmsg))) { 857 log_debug("%s: failed to compute digital signature", __func__); 858 goto done; 859 } 860 861 ibuf_release(sa->sa_localauth.id_buf); 862 sa->sa_localauth.id_buf = NULL; 863 864 if ((buf = ibuf_new(NULL, dsa_length(dsa))) == NULL) { 865 log_debug("%s: failed to get auth buffer", __func__); 866 goto done; 867 } 868 869 if ((ret = dsa_sign_final(dsa, 870 ibuf_data(buf), ibuf_size(buf))) == -1) { 871 log_debug("%s: failed to create auth signature", __func__); 872 ibuf_release(buf); 873 goto done; 874 } 875 876 sa->sa_localauth.id_type = auth->auth_method; 877 sa->sa_localauth.id_buf = buf; 878 879 ret = 0; 880 done: 881 free(psk); 882 dsa_free(dsa); 883 884 return (ret); 885 } 886 887 int 888 ikev2_msg_frompeer(struct iked_message *msg) 889 { 890 struct iked_sa *sa = msg->msg_sa; 891 struct ike_header *hdr; 892 893 msg = msg->msg_parent; 894 895 if (sa == NULL || 896 (hdr = ibuf_seek(msg->msg_data, 0, sizeof(*hdr))) == NULL) 897 return (0); 898 899 if (!sa->sa_hdr.sh_initiator && 900 (hdr->ike_flags & IKEV2_FLAG_INITIATOR)) 901 return (1); 902 else if (sa->sa_hdr.sh_initiator && 903 (hdr->ike_flags & IKEV2_FLAG_INITIATOR) == 0) 904 return (1); 905 906 return (0); 907 } 908 909 struct iked_socket * 910 ikev2_msg_getsocket(struct iked *env, int af, int natt) 911 { 912 switch (af) { 913 case AF_INET: 914 return (env->sc_sock4[natt ? 1 : 0]); 915 case AF_INET6: 916 return (env->sc_sock6[natt ? 1 : 0]); 917 } 918 919 log_debug("%s: af socket %d not available", __func__, af); 920 return (NULL); 921 } 922 923 void 924 ikev2_msg_prevail(struct iked *env, struct iked_msgqueue *queue, 925 struct iked_message *msg) 926 { 927 struct iked_message *m, *mtmp; 928 929 TAILQ_FOREACH_SAFE(m, queue, msg_entry, mtmp) { 930 if (m->msg_msgid < msg->msg_msgid) 931 ikev2_msg_dispose(env, queue, m); 932 } 933 } 934 935 void 936 ikev2_msg_dispose(struct iked *env, struct iked_msgqueue *queue, 937 struct iked_message *msg) 938 { 939 TAILQ_REMOVE(queue, msg, msg_entry); 940 timer_del(env, &msg->msg_timer); 941 ikev2_msg_cleanup(env, msg); 942 free(msg); 943 } 944 945 void 946 ikev2_msg_flushqueue(struct iked *env, struct iked_msgqueue *queue) 947 { 948 struct iked_message *m = NULL; 949 950 while ((m = TAILQ_FIRST(queue)) != NULL) 951 ikev2_msg_dispose(env, queue, m); 952 } 953 954 struct iked_message * 955 ikev2_msg_lookup(struct iked *env, struct iked_msgqueue *queue, 956 struct iked_message *msg, struct ike_header *hdr) 957 { 958 struct iked_message *m = NULL; 959 960 TAILQ_FOREACH(m, queue, msg_entry) { 961 if (m->msg_msgid == msg->msg_msgid && 962 m->msg_exchange == hdr->ike_exchange) 963 break; 964 } 965 966 return (m); 967 } 968 969 int 970 ikev2_msg_retransmit_response(struct iked *env, struct iked_sa *sa, 971 struct iked_message *msg) 972 { 973 if (sendtofrom(msg->msg_fd, ibuf_data(msg->msg_data), 974 ibuf_size(msg->msg_data), 0, 975 (struct sockaddr *)&msg->msg_peer, msg->msg_peerlen, 976 (struct sockaddr *)&msg->msg_local, msg->msg_locallen) == -1) { 977 log_warn("%s: sendtofrom", __func__); 978 return (-1); 979 } 980 981 timer_add(env, &msg->msg_timer, IKED_RESPONSE_TIMEOUT); 982 return (0); 983 } 984 985 void 986 ikev2_msg_response_timeout(struct iked *env, void *arg) 987 { 988 struct iked_message *msg = arg; 989 struct iked_sa *sa = msg->msg_sa; 990 991 ikev2_msg_dispose(env, &sa->sa_responses, msg); 992 } 993 994 void 995 ikev2_msg_retransmit_timeout(struct iked *env, void *arg) 996 { 997 struct iked_message *msg = arg; 998 struct iked_sa *sa = msg->msg_sa; 999 1000 if (msg->msg_tries < IKED_RETRANSMIT_TRIES) { 1001 if (sendtofrom(msg->msg_fd, ibuf_data(msg->msg_data), 1002 ibuf_size(msg->msg_data), 0, 1003 (struct sockaddr *)&msg->msg_peer, msg->msg_peerlen, 1004 (struct sockaddr *)&msg->msg_local, 1005 msg->msg_locallen) == -1) { 1006 log_warn("%s: sendtofrom", __func__); 1007 sa_free(env, sa); 1008 return; 1009 } 1010 /* Exponential timeout */ 1011 timer_add(env, &msg->msg_timer, 1012 IKED_RETRANSMIT_TIMEOUT * (2 << (msg->msg_tries++))); 1013 } else { 1014 log_debug("%s: retransmit limit reached for msgid %u", 1015 __func__, msg->msg_msgid); 1016 sa_free(env, sa); 1017 } 1018 } 1019