1 /* $OpenBSD: ike_quick_mode.c,v 1.108 2014/10/09 02:38:56 deraadt Exp $ */ 2 /* $EOM: ike_quick_mode.c,v 1.139 2001/01/26 10:43:17 niklas Exp $ */ 3 4 /* 5 * Copyright (c) 1998, 1999, 2000, 2001 Niklas Hallqvist. All rights reserved. 6 * Copyright (c) 1999, 2000, 2001 Angelos D. Keromytis. All rights reserved. 7 * Copyright (c) 2000, 2001, 2004 H�kan Olsson. All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 19 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 20 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 21 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 22 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 23 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 24 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 25 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 27 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 */ 29 30 /* 31 * This code was written under funding by Ericsson Radio Systems. 32 */ 33 34 #include <stdlib.h> 35 #include <string.h> 36 37 #include <sys/types.h> 38 #include <regex.h> 39 #include <keynote.h> 40 41 #include "attribute.h" 42 #include "conf.h" 43 #include "connection.h" 44 #include "dh.h" 45 #include "doi.h" 46 #include "exchange.h" 47 #include "hash.h" 48 #include "ike_quick_mode.h" 49 #include "ipsec.h" 50 #include "log.h" 51 #include "message.h" 52 #include "policy.h" 53 #include "prf.h" 54 #include "sa.h" 55 #include "transport.h" 56 #include "util.h" 57 #include "key.h" 58 #include "x509.h" 59 60 static void gen_g_xy(struct message *); 61 static int initiator_send_HASH_SA_NONCE(struct message *); 62 static int initiator_recv_HASH_SA_NONCE(struct message *); 63 static int initiator_send_HASH(struct message *); 64 static void post_quick_mode(struct message *); 65 static int responder_recv_HASH_SA_NONCE(struct message *); 66 static int responder_send_HASH_SA_NONCE(struct message *); 67 static int responder_recv_HASH(struct message *); 68 69 static int check_policy(struct exchange *, struct sa *, struct sa *); 70 71 int (*ike_quick_mode_initiator[])(struct message *) = { 72 initiator_send_HASH_SA_NONCE, 73 initiator_recv_HASH_SA_NONCE, 74 initiator_send_HASH 75 }; 76 77 int (*ike_quick_mode_responder[])(struct message *) = { 78 responder_recv_HASH_SA_NONCE, 79 responder_send_HASH_SA_NONCE, 80 responder_recv_HASH 81 }; 82 83 /* How many return values will policy handle -- true/false for now */ 84 #define RETVALUES_NUM 2 85 86 /* 87 * Given an exchange and our policy, check whether the SA and IDs are 88 * acceptable. 89 */ 90 static int 91 check_policy(struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa) 92 { 93 char *return_values[RETVALUES_NUM]; 94 char **principal = 0; 95 int i, len, result = 0, nprinc = 0; 96 int *x509_ids = 0, *keynote_ids = 0; 97 unsigned char hashbuf[20]; /* Set to the largest digest result */ 98 struct keynote_deckey dc; 99 X509_NAME *subject; 100 101 /* Do we want to use keynote policies? */ 102 if (ignore_policy || 103 strncmp("yes", conf_get_str("General", "Use-Keynote"), 3)) 104 return 1; 105 106 /* Initialize if necessary -- e.g., if pre-shared key auth was used */ 107 if (isakmp_sa->policy_id < 0) { 108 if ((isakmp_sa->policy_id = kn_init()) == -1) { 109 log_print("check_policy: " 110 "failed to initialize policy session"); 111 return 0; 112 } 113 } 114 /* Add the callback that will handle attributes. */ 115 if (kn_add_action(isakmp_sa->policy_id, ".*", (char *)policy_callback, 116 ENVIRONMENT_FLAG_FUNC | ENVIRONMENT_FLAG_REGEX) == -1) { 117 log_print("check_policy: " 118 "kn_add_action (%d, \".*\", %p, FUNC | REGEX) failed", 119 isakmp_sa->policy_id, policy_callback); 120 kn_close(isakmp_sa->policy_id); 121 isakmp_sa->policy_id = -1; 122 return 0; 123 } 124 if (policy_asserts_num) { 125 keynote_ids = calloc(policy_asserts_num, sizeof *keynote_ids); 126 if (!keynote_ids) { 127 log_error("check_policy: calloc (%d, %lu) failed", 128 policy_asserts_num, 129 (unsigned long)sizeof *keynote_ids); 130 kn_close(isakmp_sa->policy_id); 131 isakmp_sa->policy_id = -1; 132 return 0; 133 } 134 } 135 /* Add the policy assertions */ 136 for (i = 0; i < policy_asserts_num; i++) 137 keynote_ids[i] = kn_add_assertion(isakmp_sa->policy_id, 138 policy_asserts[i], 139 strlen(policy_asserts[i]), ASSERT_FLAG_LOCAL); 140 141 /* Initialize -- we'll let the callback do all the work. */ 142 policy_exchange = exchange; 143 policy_sa = sa; 144 policy_isakmp_sa = isakmp_sa; 145 146 /* Set the return values; true/false for now at least. */ 147 return_values[0] = "false"; /* Order of values in array is 148 * important. */ 149 return_values[1] = "true"; 150 151 /* Create a principal (authorizer) for the SA/ID request. */ 152 switch (isakmp_sa->recv_certtype) { 153 case ISAKMP_CERTENC_NONE: 154 /* 155 * For shared keys, just duplicate the passphrase with the 156 * appropriate prefix tag. 157 */ 158 nprinc = 3; 159 principal = calloc(nprinc, sizeof *principal); 160 if (!principal) { 161 log_error("check_policy: calloc (%d, %lu) failed", 162 nprinc, (unsigned long)sizeof *principal); 163 goto policydone; 164 } 165 len = strlen(isakmp_sa->recv_key) + sizeof "passphrase:"; 166 principal[0] = calloc(len, sizeof(char)); 167 if (!principal[0]) { 168 log_error("check_policy: calloc (%d, %lu) failed", len, 169 (unsigned long)sizeof(char)); 170 goto policydone; 171 } 172 /* 173 * XXX Consider changing the magic hash lengths with 174 * constants. 175 */ 176 strlcpy(principal[0], "passphrase:", len); 177 memcpy(principal[0] + sizeof "passphrase:" - 1, 178 isakmp_sa->recv_key, strlen(isakmp_sa->recv_key)); 179 180 len = sizeof "passphrase-md5-hex:" + 2 * 16; 181 principal[1] = calloc(len, sizeof(char)); 182 if (!principal[1]) { 183 log_error("check_policy: calloc (%d, %lu) failed", len, 184 (unsigned long)sizeof(char)); 185 goto policydone; 186 } 187 strlcpy(principal[1], "passphrase-md5-hex:", len); 188 MD5(isakmp_sa->recv_key, strlen(isakmp_sa->recv_key), hashbuf); 189 for (i = 0; i < 16; i++) 190 snprintf(principal[1] + 2 * i + 191 sizeof "passphrase-md5-hex:" - 1, 3, "%02x", 192 hashbuf[i]); 193 194 len = sizeof "passphrase-sha1-hex:" + 2 * 20; 195 principal[2] = calloc(len, sizeof(char)); 196 if (!principal[2]) { 197 log_error("check_policy: calloc (%d, %lu) failed", len, 198 (unsigned long)sizeof(char)); 199 goto policydone; 200 } 201 strlcpy(principal[2], "passphrase-sha1-hex:", len); 202 SHA1(isakmp_sa->recv_key, strlen(isakmp_sa->recv_key), 203 hashbuf); 204 for (i = 0; i < 20; i++) 205 snprintf(principal[2] + 2 * i + 206 sizeof "passphrase-sha1-hex:" - 1, 3, "%02x", 207 hashbuf[i]); 208 break; 209 210 case ISAKMP_CERTENC_KEYNOTE: 211 nprinc = 1; 212 213 principal = calloc(nprinc, sizeof *principal); 214 if (!principal) { 215 log_error("check_policy: calloc (%d, %lu) failed", 216 nprinc, (unsigned long)sizeof *principal); 217 goto policydone; 218 } 219 /* Dup the keys */ 220 principal[0] = strdup(isakmp_sa->keynote_key); 221 if (!principal[0]) { 222 log_error("check_policy: calloc (%lu, %lu) failed", 223 (unsigned long)strlen(isakmp_sa->keynote_key), 224 (unsigned long)sizeof(char)); 225 goto policydone; 226 } 227 break; 228 229 case ISAKMP_CERTENC_X509_SIG: 230 principal = calloc(2, sizeof *principal); 231 if (!principal) { 232 log_error("check_policy: calloc (2, %lu) failed", 233 (unsigned long)sizeof *principal); 234 goto policydone; 235 } 236 if (isakmp_sa->recv_keytype == ISAKMP_KEY_RSA) 237 dc.dec_algorithm = KEYNOTE_ALGORITHM_RSA; 238 else { 239 log_error("check_policy: " 240 "unknown/unsupported public key algorithm %d", 241 isakmp_sa->recv_keytype); 242 goto policydone; 243 } 244 245 dc.dec_key = isakmp_sa->recv_key; 246 principal[0] = kn_encode_key(&dc, INTERNAL_ENC_PKCS1, 247 ENCODING_HEX, KEYNOTE_PUBLIC_KEY); 248 if (keynote_errno == ERROR_MEMORY) { 249 log_print("check_policy: " 250 "failed to get memory for public key"); 251 goto policydone; 252 } 253 if (!principal[0]) { 254 log_print("check_policy: " 255 "failed to allocate memory for principal"); 256 goto policydone; 257 } 258 if (asprintf(&principal[1], "rsa-hex:%s", principal[0]) == -1) { 259 log_error("check_policy: asprintf() failed"); 260 goto policydone; 261 } 262 free(principal[0]); 263 principal[0] = principal[1]; 264 principal[1] = 0; 265 266 /* Generate a "DN:" principal. */ 267 subject = X509_get_subject_name(isakmp_sa->recv_cert); 268 if (subject) { 269 principal[1] = calloc(259, sizeof(char)); 270 if (!principal[1]) { 271 log_error("check_policy: " 272 "calloc (259, %lu) failed", 273 (unsigned long)sizeof(char)); 274 goto policydone; 275 } 276 strlcpy(principal[1], "DN:", 259); 277 X509_NAME_oneline(subject, principal[1] + 3, 256); 278 nprinc = 2; 279 } else { 280 nprinc = 1; 281 } 282 break; 283 284 /* XXX Eventually handle these. */ 285 case ISAKMP_CERTENC_PKCS: 286 case ISAKMP_CERTENC_PGP: 287 case ISAKMP_CERTENC_DNS: 288 case ISAKMP_CERTENC_X509_KE: 289 case ISAKMP_CERTENC_KERBEROS: 290 case ISAKMP_CERTENC_CRL: 291 case ISAKMP_CERTENC_ARL: 292 case ISAKMP_CERTENC_SPKI: 293 case ISAKMP_CERTENC_X509_ATTR: 294 default: 295 log_print("check_policy: " 296 "unknown/unsupported certificate/authentication method %d", 297 isakmp_sa->recv_certtype); 298 goto policydone; 299 } 300 301 /* 302 * Add the authorizer (who is requesting the SA/ID); 303 * this may be a public or a secret key, depending on 304 * what mode of authentication we used in Phase 1. 305 */ 306 for (i = 0; i < nprinc; i++) { 307 LOG_DBG((LOG_POLICY, 40, "check_policy: " 308 "adding authorizer [%s]", principal[i])); 309 310 if (kn_add_authorizer(isakmp_sa->policy_id, principal[i]) 311 == -1) { 312 int j; 313 314 for (j = 0; j < i; j++) 315 kn_remove_authorizer(isakmp_sa->policy_id, 316 principal[j]); 317 log_print("check_policy: kn_add_authorizer failed"); 318 goto policydone; 319 } 320 } 321 322 /* Ask policy */ 323 result = kn_do_query(isakmp_sa->policy_id, return_values, 324 RETVALUES_NUM); 325 LOG_DBG((LOG_POLICY, 40, "check_policy: kn_do_query returned %d", 326 result)); 327 328 /* Cleanup environment */ 329 kn_cleanup_action_environment(isakmp_sa->policy_id); 330 331 /* Remove authorizers from the session */ 332 for (i = 0; i < nprinc; i++) { 333 kn_remove_authorizer(isakmp_sa->policy_id, principal[i]); 334 free(principal[i]); 335 } 336 337 free(principal); 338 principal = 0; 339 nprinc = 0; 340 341 /* Check what policy said. */ 342 if (result < 0) { 343 LOG_DBG((LOG_POLICY, 40, "check_policy: proposal refused")); 344 result = 0; 345 goto policydone; 346 } 347 policydone: 348 for (i = 0; i < nprinc; i++) 349 if (principal && principal[i]) 350 free(principal[i]); 351 352 free(principal); 353 354 /* Remove the policies */ 355 for (i = 0; i < policy_asserts_num; i++) { 356 if (keynote_ids[i] != -1) 357 kn_remove_assertion(isakmp_sa->policy_id, 358 keynote_ids[i]); 359 } 360 361 free(keynote_ids); 362 363 free(x509_ids); 364 365 /* 366 * XXX Currently, check_policy() is only called from 367 * message_negotiate_sa(), and so this log message reflects this. 368 * Change to something better? 369 */ 370 if (result == 0) 371 log_print("check_policy: negotiated SA failed policy check"); 372 373 /* 374 * Given that we have only 2 return values from policy (true/false) 375 * we can just return the query result directly (no pre-processing 376 * needed). 377 */ 378 return result; 379 } 380 381 /* 382 * Offer several sets of transforms to the responder. 383 * XXX Split this huge function up and look for common code with main mode. 384 */ 385 static int 386 initiator_send_HASH_SA_NONCE(struct message *msg) 387 { 388 struct exchange *exchange = msg->exchange; 389 struct doi *doi = exchange->doi; 390 struct ipsec_exch *ie = exchange->data; 391 u_int8_t ***transform = 0, ***new_transform; 392 u_int8_t **proposal = 0, **new_proposal; 393 u_int8_t *sa_buf = 0, *attr, *saved_nextp_sa, *saved_nextp_prop, 394 *id, *spi; 395 size_t spi_sz, sz; 396 size_t proposal_len = 0, proposals_len = 0, sa_len; 397 size_t **transform_len = 0, **new_transform_len; 398 size_t *transforms_len = 0, *new_transforms_len; 399 u_int32_t *transform_cnt = 0, *new_transform_cnt; 400 u_int32_t suite_no, prop_no, prot_no, xf_no, prop_cnt = 0; 401 u_int32_t i; 402 int value, update_nextp, protocol_num, proto_id; 403 struct proto *proto; 404 struct conf_list *suite_conf, *prot_conf = 0, *xf_conf = 0, *life_conf; 405 struct conf_list_node *suite, *prot, *xf, *life; 406 struct constant_map *id_map; 407 char *protocol_id, *transform_id; 408 char *local_id, *remote_id; 409 int group_desc = -1, new_group_desc; 410 struct ipsec_sa *isa = msg->isakmp_sa->data; 411 struct hash *hash = hash_get(isa->hash); 412 struct sockaddr *src; 413 struct proto_attr *pa; 414 415 if (!ipsec_add_hash_payload(msg, hash->hashsize)) 416 return -1; 417 418 /* Get the list of protocol suites. */ 419 suite_conf = conf_get_list(exchange->policy, "Suites"); 420 if (!suite_conf) 421 return -1; 422 423 for (suite = TAILQ_FIRST(&suite_conf->fields), suite_no = prop_no = 0; 424 suite_no < suite_conf->cnt; 425 suite_no++, suite = TAILQ_NEXT(suite, link)) { 426 /* Now get each protocol in this specific protocol suite. */ 427 prot_conf = conf_get_list(suite->field, "Protocols"); 428 if (!prot_conf) 429 goto bail_out; 430 431 for (prot = TAILQ_FIRST(&prot_conf->fields), prot_no = 0; 432 prot_no < prot_conf->cnt; 433 prot_no++, prot = TAILQ_NEXT(prot, link)) { 434 /* Make sure we have a proposal/transform vectors. */ 435 if (prop_no >= prop_cnt) { 436 /* 437 * This resize algorithm is completely 438 * arbitrary. 439 */ 440 prop_cnt = 2 * prop_cnt + 10; 441 new_proposal = reallocarray(proposal, 442 prop_cnt, sizeof *proposal); 443 if (!new_proposal) { 444 log_error( 445 "initiator_send_HASH_SA_NONCE: " 446 "realloc (%p, %lu) failed", 447 proposal, 448 prop_cnt * (unsigned long)sizeof *proposal); 449 goto bail_out; 450 } 451 proposal = new_proposal; 452 453 new_transforms_len = reallocarray(transforms_len, 454 prop_cnt, sizeof *transforms_len); 455 if (!new_transforms_len) { 456 log_error( 457 "initiator_send_HASH_SA_NONCE: " 458 "realloc (%p, %lu) failed", 459 transforms_len, 460 prop_cnt * (unsigned long)sizeof *transforms_len); 461 goto bail_out; 462 } 463 transforms_len = new_transforms_len; 464 465 new_transform = reallocarray(transform, 466 prop_cnt, sizeof *transform); 467 if (!new_transform) { 468 log_error( 469 "initiator_send_HASH_SA_NONCE: " 470 "realloc (%p, %lu) failed", 471 transform, 472 prop_cnt * (unsigned long)sizeof *transform); 473 goto bail_out; 474 } 475 transform = new_transform; 476 477 new_transform_cnt = reallocarray(transform_cnt, 478 prop_cnt, sizeof *transform_cnt); 479 if (!new_transform_cnt) { 480 log_error( 481 "initiator_send_HASH_SA_NONCE: " 482 "realloc (%p, %lu) failed", 483 transform_cnt, 484 prop_cnt * (unsigned long)sizeof *transform_cnt); 485 goto bail_out; 486 } 487 transform_cnt = new_transform_cnt; 488 489 new_transform_len = reallocarray(transform_len, 490 prop_cnt, sizeof *transform_len); 491 if (!new_transform_len) { 492 log_error( 493 "initiator_send_HASH_SA_NONCE: " 494 "realloc (%p, %lu) failed", 495 transform_len, 496 prop_cnt * (unsigned long)sizeof *transform_len); 497 goto bail_out; 498 } 499 transform_len = new_transform_len; 500 } 501 protocol_id = conf_get_str(prot->field, "PROTOCOL_ID"); 502 if (!protocol_id) 503 goto bail_out; 504 505 proto_id = constant_value(ipsec_proto_cst, 506 protocol_id); 507 switch (proto_id) { 508 case IPSEC_PROTO_IPSEC_AH: 509 id_map = ipsec_ah_cst; 510 break; 511 512 case IPSEC_PROTO_IPSEC_ESP: 513 id_map = ipsec_esp_cst; 514 break; 515 516 case IPSEC_PROTO_IPCOMP: 517 id_map = ipsec_ipcomp_cst; 518 break; 519 520 default: 521 { 522 log_print("initiator_send_HASH_SA_NONCE: " 523 "invalid PROTCOL_ID: %s", protocol_id); 524 goto bail_out; 525 } 526 } 527 528 /* Now get each transform we offer for this protocol.*/ 529 xf_conf = conf_get_list(prot->field, "Transforms"); 530 if (!xf_conf) 531 goto bail_out; 532 transform_cnt[prop_no] = xf_conf->cnt; 533 534 transform[prop_no] = calloc(transform_cnt[prop_no], 535 sizeof **transform); 536 if (!transform[prop_no]) { 537 log_error("initiator_send_HASH_SA_NONCE: " 538 "calloc (%d, %lu) failed", 539 transform_cnt[prop_no], 540 (unsigned long)sizeof **transform); 541 goto bail_out; 542 } 543 transform_len[prop_no] = calloc(transform_cnt[prop_no], 544 sizeof **transform_len); 545 if (!transform_len[prop_no]) { 546 log_error("initiator_send_HASH_SA_NONCE: " 547 "calloc (%d, %lu) failed", 548 transform_cnt[prop_no], 549 (unsigned long)sizeof **transform_len); 550 goto bail_out; 551 } 552 transforms_len[prop_no] = 0; 553 for (xf = TAILQ_FIRST(&xf_conf->fields), xf_no = 0; 554 xf_no < transform_cnt[prop_no]; 555 xf_no++, xf = TAILQ_NEXT(xf, link)) { 556 557 /* XXX The sizing needs to be dynamic. */ 558 transform[prop_no][xf_no] = 559 calloc(ISAKMP_TRANSFORM_SA_ATTRS_OFF + 560 9 * ISAKMP_ATTR_VALUE_OFF, 1); 561 if (!transform[prop_no][xf_no]) { 562 log_error( 563 "initiator_send_HASH_SA_NONCE: " 564 "calloc (%d, 1) failed", 565 ISAKMP_TRANSFORM_SA_ATTRS_OFF + 566 9 * ISAKMP_ATTR_VALUE_OFF); 567 goto bail_out; 568 } 569 SET_ISAKMP_TRANSFORM_NO(transform[prop_no][xf_no], 570 xf_no + 1); 571 572 transform_id = conf_get_str(xf->field, 573 "TRANSFORM_ID"); 574 if (!transform_id) 575 goto bail_out; 576 SET_ISAKMP_TRANSFORM_ID(transform[prop_no][xf_no], 577 constant_value(id_map, transform_id)); 578 SET_ISAKMP_TRANSFORM_RESERVED(transform[prop_no][xf_no], 0); 579 580 attr = transform[prop_no][xf_no] + 581 ISAKMP_TRANSFORM_SA_ATTRS_OFF; 582 583 /* 584 * Life durations are special, we should be 585 * able to specify several, one per type. 586 */ 587 life_conf = conf_get_list(xf->field, "Life"); 588 if (life_conf) { 589 for (life = TAILQ_FIRST(&life_conf->fields); 590 life; life = TAILQ_NEXT(life, link)) { 591 attribute_set_constant( 592 life->field, "LIFE_TYPE", 593 ipsec_duration_cst, 594 IPSEC_ATTR_SA_LIFE_TYPE, 595 &attr); 596 597 /* 598 * XXX Deals with 16 and 32 599 * bit lifetimes only 600 */ 601 value = 602 conf_get_num(life->field, 603 "LIFE_DURATION", 0); 604 if (value) { 605 if (value <= 0xffff) 606 attr = 607 attribute_set_basic( 608 attr, 609 IPSEC_ATTR_SA_LIFE_DURATION, 610 value); 611 else { 612 value = htonl(value); 613 attr = 614 attribute_set_var( 615 attr, 616 IPSEC_ATTR_SA_LIFE_DURATION, 617 (u_int8_t *)&value, 618 sizeof value); 619 } 620 } 621 } 622 conf_free_list(life_conf); 623 } 624 attribute_set_constant(xf->field, 625 "ENCAPSULATION_MODE", ipsec_encap_cst, 626 IPSEC_ATTR_ENCAPSULATION_MODE, &attr); 627 628 if (proto_id != IPSEC_PROTO_IPCOMP) { 629 attribute_set_constant(xf->field, 630 "AUTHENTICATION_ALGORITHM", 631 ipsec_auth_cst, 632 IPSEC_ATTR_AUTHENTICATION_ALGORITHM, 633 &attr); 634 635 attribute_set_constant(xf->field, 636 "GROUP_DESCRIPTION", 637 ike_group_desc_cst, 638 IPSEC_ATTR_GROUP_DESCRIPTION, &attr); 639 640 value = conf_get_num(xf->field, 641 "KEY_LENGTH", 0); 642 if (value) 643 attr = attribute_set_basic( 644 attr, 645 IPSEC_ATTR_KEY_LENGTH, 646 value); 647 648 value = conf_get_num(xf->field, 649 "KEY_ROUNDS", 0); 650 if (value) 651 attr = attribute_set_basic( 652 attr, 653 IPSEC_ATTR_KEY_ROUNDS, 654 value); 655 } else { 656 value = conf_get_num(xf->field, 657 "COMPRESS_DICTIONARY_SIZE", 0); 658 if (value) 659 attr = attribute_set_basic( 660 attr, 661 IPSEC_ATTR_COMPRESS_DICTIONARY_SIZE, 662 value); 663 664 value = conf_get_num(xf->field, 665 "COMPRESS_PRIVATE_ALGORITHM", 0); 666 if (value) 667 attr = attribute_set_basic( 668 attr, 669 IPSEC_ATTR_COMPRESS_PRIVATE_ALGORITHM, 670 value); 671 } 672 673 value = conf_get_num(xf->field, "ECN_TUNNEL", 674 0); 675 if (value) 676 attr = attribute_set_basic(attr, 677 IPSEC_ATTR_ECN_TUNNEL, value); 678 679 /* Record the real transform size. */ 680 transforms_len[prop_no] += 681 (transform_len[prop_no][xf_no] 682 = attr - transform[prop_no][xf_no]); 683 684 if (proto_id != IPSEC_PROTO_IPCOMP) { 685 /* 686 * Make sure that if a group 687 * description is specified, it is 688 * specified for all transforms 689 * equally. 690 */ 691 attr = 692 (u_int8_t *)conf_get_str(xf->field, 693 "GROUP_DESCRIPTION"); 694 new_group_desc 695 = attr ? constant_value(ike_group_desc_cst, 696 (char *)attr) : 0; 697 if (group_desc == -1) 698 group_desc = new_group_desc; 699 else if (group_desc != new_group_desc) { 700 log_print("initiator_send_HASH_SA_NONCE: " 701 "differing group descriptions in a proposal"); 702 goto bail_out; 703 } 704 } 705 } 706 conf_free_list(xf_conf); 707 xf_conf = 0; 708 709 /* 710 * Get SPI from application. 711 * XXX Should we care about unknown constants? 712 */ 713 protocol_num = constant_value(ipsec_proto_cst, 714 protocol_id); 715 spi = doi->get_spi(&spi_sz, protocol_num, msg); 716 if (spi_sz && !spi) { 717 log_print("initiator_send_HASH_SA_NONCE: " 718 "doi->get_spi failed"); 719 goto bail_out; 720 } 721 proposal_len = ISAKMP_PROP_SPI_OFF + spi_sz; 722 proposals_len += 723 proposal_len + transforms_len[prop_no]; 724 proposal[prop_no] = malloc(proposal_len); 725 if (!proposal[prop_no]) { 726 log_error("initiator_send_HASH_SA_NONCE: " 727 "malloc (%lu) failed", 728 (unsigned long)proposal_len); 729 goto bail_out; 730 } 731 SET_ISAKMP_PROP_NO(proposal[prop_no], suite_no + 1); 732 SET_ISAKMP_PROP_PROTO(proposal[prop_no], protocol_num); 733 734 /* XXX I would like to see this factored out. */ 735 proto = calloc(1, sizeof *proto); 736 if (!proto) { 737 log_error("initiator_send_HASH_SA_NONCE: " 738 "calloc (1, %lu) failed", 739 (unsigned long)sizeof *proto); 740 goto bail_out; 741 } 742 if (doi->proto_size) { 743 proto->data = calloc(1, doi->proto_size); 744 if (!proto->data) { 745 free(proto); 746 log_error( 747 "initiator_send_HASH_SA_NONCE: " 748 "calloc (1, %lu) failed", 749 (unsigned long)doi->proto_size); 750 goto bail_out; 751 } 752 } 753 proto->no = suite_no + 1; 754 proto->proto = protocol_num; 755 proto->sa = TAILQ_FIRST(&exchange->sa_list); 756 proto->xf_cnt = transform_cnt[prop_no]; 757 TAILQ_INIT(&proto->xfs); 758 for (xf_no = 0; xf_no < proto->xf_cnt; xf_no++) { 759 pa = (struct proto_attr *)calloc(1, 760 sizeof *pa); 761 if (!pa) { 762 if (proto->data) 763 free(proto->data); 764 free(proto); 765 goto bail_out; 766 } 767 pa->len = transform_len[prop_no][xf_no]; 768 pa->attrs = (u_int8_t *)malloc(pa->len); 769 if (!pa->attrs) { 770 if (proto->data) 771 free(proto->data); 772 free(proto); 773 free(pa); 774 goto bail_out; 775 } 776 memcpy(pa->attrs, transform[prop_no][xf_no], 777 pa->len); 778 TAILQ_INSERT_TAIL(&proto->xfs, pa, next); 779 } 780 TAILQ_INSERT_TAIL(&TAILQ_FIRST(&exchange->sa_list)->protos, 781 proto, link); 782 783 /* Setup the incoming SPI. */ 784 SET_ISAKMP_PROP_SPI_SZ(proposal[prop_no], spi_sz); 785 memcpy(proposal[prop_no] + ISAKMP_PROP_SPI_OFF, spi, 786 spi_sz); 787 proto->spi_sz[1] = spi_sz; 788 proto->spi[1] = spi; 789 790 /* 791 * Let the DOI get at proto for initializing its own 792 * data. 793 */ 794 if (doi->proto_init) 795 doi->proto_init(proto, prot->field); 796 797 SET_ISAKMP_PROP_NTRANSFORMS(proposal[prop_no], 798 transform_cnt[prop_no]); 799 prop_no++; 800 } 801 conf_free_list(prot_conf); 802 prot_conf = 0; 803 } 804 805 sa_len = ISAKMP_SA_SIT_OFF + IPSEC_SIT_SIT_LEN; 806 sa_buf = malloc(sa_len); 807 if (!sa_buf) { 808 log_error("initiator_send_HASH_SA_NONCE: malloc (%lu) failed", 809 (unsigned long)sa_len); 810 goto bail_out; 811 } 812 SET_ISAKMP_SA_DOI(sa_buf, IPSEC_DOI_IPSEC); 813 SET_IPSEC_SIT_SIT(sa_buf + ISAKMP_SA_SIT_OFF, IPSEC_SIT_IDENTITY_ONLY); 814 815 /* 816 * Add the payloads. As this is a SA, we need to recompute the 817 * lengths of the payloads containing others. We also need to 818 * reset these payload's "next payload type" field. 819 */ 820 if (message_add_payload(msg, ISAKMP_PAYLOAD_SA, sa_buf, sa_len, 1)) 821 goto bail_out; 822 SET_ISAKMP_GEN_LENGTH(sa_buf, sa_len + proposals_len); 823 sa_buf = 0; 824 825 update_nextp = 0; 826 saved_nextp_sa = msg->nextp; 827 for (i = 0; i < prop_no; i++) { 828 if (message_add_payload(msg, ISAKMP_PAYLOAD_PROPOSAL, 829 proposal[i], proposal_len, update_nextp)) 830 goto bail_out; 831 SET_ISAKMP_GEN_LENGTH(proposal[i], 832 proposal_len + transforms_len[i]); 833 proposal[i] = 0; 834 835 update_nextp = 0; 836 saved_nextp_prop = msg->nextp; 837 for (xf_no = 0; xf_no < transform_cnt[i]; xf_no++) { 838 if (message_add_payload(msg, ISAKMP_PAYLOAD_TRANSFORM, 839 transform[i][xf_no], 840 transform_len[i][xf_no], update_nextp)) 841 goto bail_out; 842 update_nextp = 1; 843 transform[i][xf_no] = 0; 844 } 845 msg->nextp = saved_nextp_prop; 846 update_nextp = 1; 847 } 848 msg->nextp = saved_nextp_sa; 849 850 /* 851 * Save SA payload body in ie->sa_i_b, length ie->sa_i_b_len. 852 */ 853 ie->sa_i_b = message_copy(msg, ISAKMP_GEN_SZ, &ie->sa_i_b_len); 854 if (!ie->sa_i_b) 855 goto bail_out; 856 857 /* 858 * Generate a nonce, and add it to the message. 859 * XXX I want a better way to specify the nonce's size. 860 */ 861 if (exchange_gen_nonce(msg, 16)) 862 return -1; 863 864 /* Generate optional KEY_EXCH payload. */ 865 if (group_desc > 0) { 866 ie->group = group_get(group_desc); 867 ie->g_x_len = dh_getlen(ie->group); 868 869 if (ipsec_gen_g_x(msg)) { 870 group_free(ie->group); 871 ie->group = 0; 872 return -1; 873 } 874 } 875 /* Generate optional client ID payloads. XXX Share with responder. */ 876 local_id = conf_get_str(exchange->name, "Local-ID"); 877 remote_id = conf_get_str(exchange->name, "Remote-ID"); 878 if (local_id && remote_id) { 879 id = ipsec_build_id(local_id, &sz); 880 if (!id) 881 return -1; 882 LOG_DBG_BUF((LOG_NEGOTIATION, 90, 883 "initiator_send_HASH_SA_NONCE: IDic", id, sz)); 884 if (message_add_payload(msg, ISAKMP_PAYLOAD_ID, id, sz, 1)) { 885 free(id); 886 return -1; 887 } 888 id = ipsec_build_id(remote_id, &sz); 889 if (!id) 890 return -1; 891 LOG_DBG_BUF((LOG_NEGOTIATION, 90, 892 "initiator_send_HASH_SA_NONCE: IDrc", id, sz)); 893 if (message_add_payload(msg, ISAKMP_PAYLOAD_ID, id, sz, 1)) { 894 free(id); 895 return -1; 896 } 897 } 898 /* XXX I do not judge these as errors, are they? */ 899 else if (local_id) 900 log_print("initiator_send_HASH_SA_NONCE: " 901 "Local-ID given without Remote-ID for \"%s\"", 902 exchange->name); 903 else if (remote_id) 904 /* 905 * This code supports the "road warrior" case, where the 906 * initiator doesn't have a fixed IP address, but wants to 907 * specify a particular remote network to talk to. -- Adrian 908 * Close <adrian@esec.com.au> 909 */ 910 { 911 log_print("initiator_send_HASH_SA_NONCE: " 912 "Remote-ID given without Local-ID for \"%s\"", 913 exchange->name); 914 915 /* 916 * If we're here, then we are the initiator, so use initiator 917 * address for local ID 918 */ 919 msg->transport->vtbl->get_src(msg->transport, &src); 920 sz = ISAKMP_ID_SZ + sockaddr_addrlen(src); 921 922 id = calloc(sz, sizeof(char)); 923 if (!id) { 924 log_error("initiator_send_HASH_SA_NONCE: " 925 "calloc (%lu, %lu) failed", (unsigned long)sz, 926 (unsigned long)sizeof(char)); 927 return -1; 928 } 929 switch (src->sa_family) { 930 case AF_INET6: 931 SET_ISAKMP_ID_TYPE(id, IPSEC_ID_IPV6_ADDR); 932 break; 933 case AF_INET: 934 SET_ISAKMP_ID_TYPE(id, IPSEC_ID_IPV4_ADDR); 935 break; 936 default: 937 log_error("initiator_send_HASH_SA_NONCE: " 938 "unknown sa_family %d", src->sa_family); 939 free(id); 940 return -1; 941 } 942 memcpy(id + ISAKMP_ID_DATA_OFF, sockaddr_addrdata(src), 943 sockaddr_addrlen(src)); 944 945 LOG_DBG_BUF((LOG_NEGOTIATION, 90, 946 "initiator_send_HASH_SA_NONCE: IDic", id, sz)); 947 if (message_add_payload(msg, ISAKMP_PAYLOAD_ID, id, sz, 1)) { 948 free(id); 949 return -1; 950 } 951 /* Send supplied remote_id */ 952 id = ipsec_build_id(remote_id, &sz); 953 if (!id) 954 return -1; 955 LOG_DBG_BUF((LOG_NEGOTIATION, 90, 956 "initiator_send_HASH_SA_NONCE: IDrc", id, sz)); 957 if (message_add_payload(msg, ISAKMP_PAYLOAD_ID, id, sz, 1)) { 958 free(id); 959 return -1; 960 } 961 } 962 if (ipsec_fill_in_hash(msg)) 963 goto bail_out; 964 965 conf_free_list(suite_conf); 966 for (i = 0; i < prop_no; i++) { 967 free(transform[i]); 968 free(transform_len[i]); 969 } 970 free(proposal); 971 free(transform); 972 free(transforms_len); 973 free(transform_len); 974 free(transform_cnt); 975 return 0; 976 977 bail_out: 978 free(sa_buf); 979 if (proposal) { 980 for (i = 0; i < prop_no; i++) { 981 free(proposal[i]); 982 if (transform[i]) { 983 for (xf_no = 0; xf_no < transform_cnt[i]; 984 xf_no++) 985 free(transform[i][xf_no]); 986 free(transform[i]); 987 } 988 free(transform_len[i]); 989 } 990 free(proposal); 991 free(transforms_len); 992 free(transform); 993 free(transform_len); 994 free(transform_cnt); 995 } 996 if (xf_conf) 997 conf_free_list(xf_conf); 998 if (prot_conf) 999 conf_free_list(prot_conf); 1000 conf_free_list(suite_conf); 1001 return -1; 1002 } 1003 1004 /* Figure out what transform the responder chose. */ 1005 static int 1006 initiator_recv_HASH_SA_NONCE(struct message *msg) 1007 { 1008 struct exchange *exchange = msg->exchange; 1009 struct ipsec_exch *ie = exchange->data; 1010 struct sa *sa; 1011 struct proto *proto, *next_proto; 1012 struct payload *sa_p = payload_first(msg, ISAKMP_PAYLOAD_SA); 1013 struct payload *xf, *idp; 1014 struct payload *hashp = payload_first(msg, ISAKMP_PAYLOAD_HASH); 1015 struct payload *kep = payload_first(msg, ISAKMP_PAYLOAD_KEY_EXCH); 1016 struct prf *prf; 1017 struct sa *isakmp_sa = msg->isakmp_sa; 1018 struct ipsec_sa *isa = isakmp_sa->data; 1019 struct hash *hash = hash_get(isa->hash); 1020 u_int8_t *rest; 1021 size_t rest_len; 1022 struct sockaddr *src, *dst; 1023 1024 /* Allocate the prf and start calculating our HASH(1). XXX Share? */ 1025 LOG_DBG_BUF((LOG_NEGOTIATION, 90, "initiator_recv_HASH_SA_NONCE: " 1026 "SKEYID_a", (u_int8_t *)isa->skeyid_a, isa->skeyid_len)); 1027 prf = prf_alloc(isa->prf_type, hash->type, isa->skeyid_a, 1028 isa->skeyid_len); 1029 if (!prf) 1030 return -1; 1031 1032 prf->Init(prf->prfctx); 1033 LOG_DBG_BUF((LOG_NEGOTIATION, 90, 1034 "initiator_recv_HASH_SA_NONCE: message_id", 1035 exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN)); 1036 prf->Update(prf->prfctx, exchange->message_id, 1037 ISAKMP_HDR_MESSAGE_ID_LEN); 1038 LOG_DBG_BUF((LOG_NEGOTIATION, 90, "initiator_recv_HASH_SA_NONCE: " 1039 "NONCE_I_b", exchange->nonce_i, exchange->nonce_i_len)); 1040 prf->Update(prf->prfctx, exchange->nonce_i, exchange->nonce_i_len); 1041 rest = hashp->p + GET_ISAKMP_GEN_LENGTH(hashp->p); 1042 rest_len = (GET_ISAKMP_HDR_LENGTH(msg->iov[0].iov_base) 1043 - (rest - (u_int8_t *)msg->iov[0].iov_base)); 1044 LOG_DBG_BUF((LOG_NEGOTIATION, 90, 1045 "initiator_recv_HASH_SA_NONCE: payloads after HASH(2)", rest, 1046 rest_len)); 1047 prf->Update(prf->prfctx, rest, rest_len); 1048 prf->Final(hash->digest, prf->prfctx); 1049 prf_free(prf); 1050 LOG_DBG_BUF((LOG_NEGOTIATION, 80, 1051 "initiator_recv_HASH_SA_NONCE: computed HASH(2)", hash->digest, 1052 hash->hashsize)); 1053 if (memcmp(hashp->p + ISAKMP_HASH_DATA_OFF, hash->digest, 1054 hash->hashsize) != 0) { 1055 message_drop(msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION, 0, 1, 1056 0); 1057 return -1; 1058 } 1059 /* Mark the HASH as handled. */ 1060 hashp->flags |= PL_MARK; 1061 1062 /* Mark message as authenticated. */ 1063 msg->flags |= MSG_AUTHENTICATED; 1064 1065 /* 1066 * As we are getting an answer on our transform offer, only one 1067 * transform should be given. 1068 * 1069 * XXX Currently we only support negotiating one SA per quick mode run. 1070 */ 1071 if (TAILQ_NEXT(sa_p, link)) { 1072 log_print("initiator_recv_HASH_SA_NONCE: " 1073 "multiple SA payloads in quick mode not supported yet"); 1074 return -1; 1075 } 1076 sa = TAILQ_FIRST(&exchange->sa_list); 1077 1078 /* This is here for the policy check */ 1079 if (kep) 1080 ie->pfs = 1; 1081 1082 /* Drop message when it contains ID types we do not implement yet. */ 1083 TAILQ_FOREACH(idp, &msg->payload[ISAKMP_PAYLOAD_ID], link) { 1084 switch (GET_ISAKMP_ID_TYPE(idp->p)) { 1085 case IPSEC_ID_IPV4_ADDR: 1086 case IPSEC_ID_IPV4_ADDR_SUBNET: 1087 case IPSEC_ID_IPV6_ADDR: 1088 case IPSEC_ID_IPV6_ADDR_SUBNET: 1089 break; 1090 1091 case IPSEC_ID_FQDN: 1092 /* 1093 * FQDN may be used for in NAT-T with transport mode. 1094 * We can handle the message in this case. In the 1095 * other cases we'll drop the message later. 1096 */ 1097 break; 1098 1099 default: 1100 message_drop(msg, ISAKMP_NOTIFY_INVALID_ID_INFORMATION, 1101 0, 1, 0); 1102 return -1; 1103 } 1104 } 1105 1106 /* Handle optional client ID payloads. */ 1107 idp = payload_first(msg, ISAKMP_PAYLOAD_ID); 1108 if (idp) { 1109 /* If IDci is there, IDcr must be too. */ 1110 if (!TAILQ_NEXT(idp, link)) { 1111 /* XXX Is this a good notify type? */ 1112 message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1113 1, 0); 1114 return -1; 1115 } 1116 /* XXX We should really compare, not override. */ 1117 ie->id_ci_sz = GET_ISAKMP_GEN_LENGTH(idp->p); 1118 ie->id_ci = malloc(ie->id_ci_sz); 1119 if (!ie->id_ci) { 1120 log_error("initiator_recv_HASH_SA_NONCE: " 1121 "malloc (%lu) failed", 1122 (unsigned long)ie->id_ci_sz); 1123 return -1; 1124 } 1125 memcpy(ie->id_ci, idp->p, ie->id_ci_sz); 1126 idp->flags |= PL_MARK; 1127 LOG_DBG_BUF((LOG_NEGOTIATION, 90, 1128 "initiator_recv_HASH_SA_NONCE: IDci", 1129 ie->id_ci + ISAKMP_GEN_SZ, ie->id_ci_sz - ISAKMP_GEN_SZ)); 1130 1131 idp = TAILQ_NEXT(idp, link); 1132 ie->id_cr_sz = GET_ISAKMP_GEN_LENGTH(idp->p); 1133 ie->id_cr = malloc(ie->id_cr_sz); 1134 if (!ie->id_cr) { 1135 log_error("initiator_recv_HASH_SA_NONCE: " 1136 "malloc (%lu) failed", 1137 (unsigned long)ie->id_cr_sz); 1138 return -1; 1139 } 1140 memcpy(ie->id_cr, idp->p, ie->id_cr_sz); 1141 idp->flags |= PL_MARK; 1142 LOG_DBG_BUF((LOG_NEGOTIATION, 90, 1143 "initiator_recv_HASH_SA_NONCE: IDcr", 1144 ie->id_cr + ISAKMP_GEN_SZ, ie->id_cr_sz - ISAKMP_GEN_SZ)); 1145 } else { 1146 /* 1147 * If client identifiers are not present in the exchange, 1148 * we fake them. RFC 2409 states: 1149 * The identities of the SAs negotiated in Quick Mode are 1150 * implicitly assumed to be the IP addresses of the ISAKMP 1151 * peers, without any constraints on the protocol or port 1152 * numbers allowed, unless client identifiers are specified 1153 * in Quick Mode. 1154 * 1155 * -- Michael Paddon (mwp@aba.net.au) 1156 */ 1157 1158 ie->flags = IPSEC_EXCH_FLAG_NO_ID; 1159 1160 /* Get initiator and responder addresses. */ 1161 msg->transport->vtbl->get_src(msg->transport, &src); 1162 msg->transport->vtbl->get_dst(msg->transport, &dst); 1163 ie->id_ci_sz = ISAKMP_ID_DATA_OFF + sockaddr_addrlen(src); 1164 ie->id_cr_sz = ISAKMP_ID_DATA_OFF + sockaddr_addrlen(dst); 1165 ie->id_ci = calloc(ie->id_ci_sz, sizeof(char)); 1166 ie->id_cr = calloc(ie->id_cr_sz, sizeof(char)); 1167 1168 if (!ie->id_ci || !ie->id_cr) { 1169 log_error("initiator_recv_HASH_SA_NONCE: " 1170 "calloc (%lu, %lu) failed", 1171 (unsigned long)ie->id_cr_sz, 1172 (unsigned long)sizeof(char)); 1173 free(ie->id_ci); 1174 ie->id_ci = 0; 1175 free(ie->id_cr); 1176 ie->id_cr = 0; 1177 return -1; 1178 } 1179 if (src->sa_family != dst->sa_family) { 1180 log_error("initiator_recv_HASH_SA_NONCE: " 1181 "sa_family mismatch"); 1182 free(ie->id_ci); 1183 ie->id_ci = 0; 1184 free(ie->id_cr); 1185 ie->id_cr = 0; 1186 return -1; 1187 } 1188 switch (src->sa_family) { 1189 case AF_INET: 1190 SET_ISAKMP_ID_TYPE(ie->id_ci, IPSEC_ID_IPV4_ADDR); 1191 SET_ISAKMP_ID_TYPE(ie->id_cr, IPSEC_ID_IPV4_ADDR); 1192 break; 1193 1194 case AF_INET6: 1195 SET_ISAKMP_ID_TYPE(ie->id_ci, IPSEC_ID_IPV6_ADDR); 1196 SET_ISAKMP_ID_TYPE(ie->id_cr, IPSEC_ID_IPV6_ADDR); 1197 break; 1198 1199 default: 1200 log_error("initiator_recv_HASH_SA_NONCE: " 1201 "unknown sa_family %d", src->sa_family); 1202 free(ie->id_ci); 1203 ie->id_ci = 0; 1204 free(ie->id_cr); 1205 ie->id_cr = 0; 1206 return -1; 1207 } 1208 memcpy(ie->id_ci + ISAKMP_ID_DATA_OFF, sockaddr_addrdata(src), 1209 sockaddr_addrlen(src)); 1210 memcpy(ie->id_cr + ISAKMP_ID_DATA_OFF, sockaddr_addrdata(dst), 1211 sockaddr_addrlen(dst)); 1212 } 1213 1214 /* Build the protection suite in our SA. */ 1215 TAILQ_FOREACH(xf, &msg->payload[ISAKMP_PAYLOAD_TRANSFORM], link) { 1216 /* 1217 * XXX We could check that the proposal each transform 1218 * belongs to is unique. 1219 */ 1220 1221 if (sa_add_transform(sa, xf, exchange->initiator, &proto)) 1222 return -1; 1223 1224 /* XXX Check that the chosen transform matches an offer. */ 1225 1226 ipsec_decode_transform(msg, sa, proto, xf->p); 1227 } 1228 1229 /* Now remove offers that we don't need anymore. */ 1230 for (proto = TAILQ_FIRST(&sa->protos); proto; proto = next_proto) { 1231 next_proto = TAILQ_NEXT(proto, link); 1232 if (!proto->chosen) 1233 proto_free(proto); 1234 } 1235 1236 if (!check_policy(exchange, sa, msg->isakmp_sa)) { 1237 message_drop(msg, ISAKMP_NOTIFY_NO_PROPOSAL_CHOSEN, 0, 1, 0); 1238 log_print("initiator_recv_HASH_SA_NONCE: policy check failed"); 1239 return -1; 1240 } 1241 1242 /* Mark the SA as handled. */ 1243 sa_p->flags |= PL_MARK; 1244 1245 isa = sa->data; 1246 if ((isa->group_desc && 1247 (!ie->group || ie->group->id != isa->group_desc)) || 1248 (!isa->group_desc && ie->group)) { 1249 log_print("initiator_recv_HASH_SA_NONCE: disagreement on PFS"); 1250 return -1; 1251 } 1252 /* Copy out the initiator's nonce. */ 1253 if (exchange_save_nonce(msg)) 1254 return -1; 1255 1256 /* Handle the optional KEY_EXCH payload. */ 1257 if (kep && ipsec_save_g_x(msg)) 1258 return -1; 1259 1260 return 0; 1261 } 1262 1263 static int 1264 initiator_send_HASH(struct message *msg) 1265 { 1266 struct exchange *exchange = msg->exchange; 1267 struct ipsec_exch *ie = exchange->data; 1268 struct sa *isakmp_sa = msg->isakmp_sa; 1269 struct ipsec_sa *isa = isakmp_sa->data; 1270 struct prf *prf; 1271 u_int8_t *buf; 1272 struct hash *hash = hash_get(isa->hash); 1273 1274 /* 1275 * We want a HASH payload to start with. XXX Share with 1276 * ike_main_mode.c? 1277 */ 1278 buf = malloc(ISAKMP_HASH_SZ + hash->hashsize); 1279 if (!buf) { 1280 log_error("initiator_send_HASH: malloc (%lu) failed", 1281 ISAKMP_HASH_SZ + (unsigned long)hash->hashsize); 1282 return -1; 1283 } 1284 if (message_add_payload(msg, ISAKMP_PAYLOAD_HASH, buf, 1285 ISAKMP_HASH_SZ + hash->hashsize, 1)) { 1286 free(buf); 1287 return -1; 1288 } 1289 /* Allocate the prf and start calculating our HASH(3). XXX Share? */ 1290 LOG_DBG_BUF((LOG_NEGOTIATION, 90, "initiator_send_HASH: SKEYID_a", 1291 isa->skeyid_a, isa->skeyid_len)); 1292 prf = prf_alloc(isa->prf_type, isa->hash, isa->skeyid_a, 1293 isa->skeyid_len); 1294 if (!prf) 1295 return -1; 1296 prf->Init(prf->prfctx); 1297 prf->Update(prf->prfctx, (unsigned char *)"\0", 1); 1298 LOG_DBG_BUF((LOG_NEGOTIATION, 90, "initiator_send_HASH: message_id", 1299 exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN)); 1300 prf->Update(prf->prfctx, exchange->message_id, 1301 ISAKMP_HDR_MESSAGE_ID_LEN); 1302 LOG_DBG_BUF((LOG_NEGOTIATION, 90, "initiator_send_HASH: NONCE_I_b", 1303 exchange->nonce_i, exchange->nonce_i_len)); 1304 prf->Update(prf->prfctx, exchange->nonce_i, exchange->nonce_i_len); 1305 LOG_DBG_BUF((LOG_NEGOTIATION, 90, "initiator_send_HASH: NONCE_R_b", 1306 exchange->nonce_r, exchange->nonce_r_len)); 1307 prf->Update(prf->prfctx, exchange->nonce_r, exchange->nonce_r_len); 1308 prf->Final(buf + ISAKMP_GEN_SZ, prf->prfctx); 1309 prf_free(prf); 1310 LOG_DBG_BUF((LOG_NEGOTIATION, 90, "initiator_send_HASH: HASH(3)", 1311 buf + ISAKMP_GEN_SZ, hash->hashsize)); 1312 1313 if (ie->group) 1314 message_register_post_send(msg, gen_g_xy); 1315 1316 message_register_post_send(msg, post_quick_mode); 1317 1318 return 0; 1319 } 1320 1321 static void 1322 post_quick_mode(struct message *msg) 1323 { 1324 struct sa *isakmp_sa = msg->isakmp_sa; 1325 struct ipsec_sa *isa = isakmp_sa->data; 1326 struct exchange *exchange = msg->exchange; 1327 struct ipsec_exch *ie = exchange->data; 1328 struct prf *prf; 1329 struct sa *sa; 1330 struct proto *proto; 1331 struct ipsec_proto *iproto; 1332 u_int8_t *keymat; 1333 int i; 1334 1335 /* 1336 * Loop over all SA negotiations and do both an in- and an outgoing SA 1337 * per protocol. 1338 */ 1339 for (sa = TAILQ_FIRST(&exchange->sa_list); sa; 1340 sa = TAILQ_NEXT(sa, next)) { 1341 for (proto = TAILQ_FIRST(&sa->protos); proto; 1342 proto = TAILQ_NEXT(proto, link)) { 1343 if (proto->proto == IPSEC_PROTO_IPCOMP) 1344 continue; 1345 1346 iproto = proto->data; 1347 1348 /* 1349 * There are two SAs for each SA negotiation, 1350 * incoming and outgoing. 1351 */ 1352 for (i = 0; i < 2; i++) { 1353 prf = prf_alloc(isa->prf_type, isa->hash, 1354 isa->skeyid_d, isa->skeyid_len); 1355 if (!prf) { 1356 /* XXX What to do? */ 1357 continue; 1358 } 1359 ie->keymat_len = ipsec_keymat_length(proto); 1360 1361 /* 1362 * We need to roundup the length of the key 1363 * material buffer to a multiple of the PRF's 1364 * blocksize as it is generated in chunks of 1365 * that blocksize. 1366 */ 1367 iproto->keymat[i] 1368 = malloc(((ie->keymat_len + prf->blocksize - 1) 1369 / prf->blocksize) * prf->blocksize); 1370 if (!iproto->keymat[i]) { 1371 log_error("post_quick_mode: " 1372 "malloc (%lu) failed", 1373 (((unsigned long)ie->keymat_len + 1374 prf->blocksize - 1) / prf->blocksize) * 1375 prf->blocksize); 1376 /* XXX What more to do? */ 1377 free(prf); 1378 continue; 1379 } 1380 for (keymat = iproto->keymat[i]; 1381 keymat < iproto->keymat[i] + ie->keymat_len; 1382 keymat += prf->blocksize) { 1383 prf->Init(prf->prfctx); 1384 1385 if (keymat != iproto->keymat[i]) { 1386 /* 1387 * Hash in last round's 1388 * KEYMAT. 1389 */ 1390 LOG_DBG_BUF((LOG_NEGOTIATION, 1391 90, "post_quick_mode: " 1392 "last KEYMAT", 1393 keymat - prf->blocksize, 1394 prf->blocksize)); 1395 prf->Update(prf->prfctx, 1396 keymat - prf->blocksize, 1397 prf->blocksize); 1398 } 1399 /* If PFS is used hash in g^xy. */ 1400 if (ie->g_xy) { 1401 LOG_DBG_BUF((LOG_NEGOTIATION, 1402 90, "post_quick_mode: " 1403 "g^xy", ie->g_xy, 1404 ie->g_x_len)); 1405 prf->Update(prf->prfctx, 1406 ie->g_xy, ie->g_x_len); 1407 } 1408 LOG_DBG((LOG_NEGOTIATION, 90, 1409 "post_quick_mode: " 1410 "suite %d proto %d", proto->no, 1411 proto->proto)); 1412 prf->Update(prf->prfctx, &proto->proto, 1413 1); 1414 LOG_DBG_BUF((LOG_NEGOTIATION, 90, 1415 "post_quick_mode: SPI", 1416 proto->spi[i], proto->spi_sz[i])); 1417 prf->Update(prf->prfctx, 1418 proto->spi[i], proto->spi_sz[i]); 1419 LOG_DBG_BUF((LOG_NEGOTIATION, 90, 1420 "post_quick_mode: Ni_b", 1421 exchange->nonce_i, 1422 exchange->nonce_i_len)); 1423 prf->Update(prf->prfctx, 1424 exchange->nonce_i, 1425 exchange->nonce_i_len); 1426 LOG_DBG_BUF((LOG_NEGOTIATION, 90, 1427 "post_quick_mode: Nr_b", 1428 exchange->nonce_r, 1429 exchange->nonce_r_len)); 1430 prf->Update(prf->prfctx, 1431 exchange->nonce_r, 1432 exchange->nonce_r_len); 1433 prf->Final(keymat, prf->prfctx); 1434 } 1435 prf_free(prf); 1436 LOG_DBG_BUF((LOG_NEGOTIATION, 90, 1437 "post_quick_mode: KEYMAT", 1438 iproto->keymat[i], ie->keymat_len)); 1439 } 1440 } 1441 } 1442 1443 log_verbose("isakmpd: quick mode done%s: %s", 1444 (exchange->initiator == 0) ? " (as responder)" : "", 1445 !msg->isakmp_sa || !msg->isakmp_sa->transport ? "<no transport>" 1446 : msg->isakmp_sa->transport->vtbl->decode_ids 1447 (msg->isakmp_sa->transport)); 1448 } 1449 1450 /* 1451 * Accept a set of transforms offered by the initiator and chose one we can 1452 * handle. 1453 * XXX Describe in more detail. 1454 */ 1455 static int 1456 responder_recv_HASH_SA_NONCE(struct message *msg) 1457 { 1458 struct payload *hashp, *kep, *idp; 1459 struct sa *sa; 1460 struct sa *isakmp_sa = msg->isakmp_sa; 1461 struct ipsec_sa *isa = isakmp_sa->data; 1462 struct exchange *exchange = msg->exchange; 1463 struct ipsec_exch *ie = exchange->data; 1464 struct prf *prf; 1465 u_int8_t *hash, *my_hash = 0; 1466 size_t hash_len; 1467 u_int8_t *pkt = msg->iov[0].iov_base; 1468 u_int8_t group_desc = 0; 1469 int retval = -1; 1470 struct proto *proto; 1471 struct sockaddr *src, *dst; 1472 char *name; 1473 1474 hashp = payload_first(msg, ISAKMP_PAYLOAD_HASH); 1475 hash = hashp->p; 1476 hashp->flags |= PL_MARK; 1477 1478 /* The HASH payload should be the first one. */ 1479 if (hash != pkt + ISAKMP_HDR_SZ) { 1480 /* XXX Is there a better notification type? */ 1481 message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 0); 1482 goto cleanup; 1483 } 1484 hash_len = GET_ISAKMP_GEN_LENGTH(hash); 1485 my_hash = malloc(hash_len - ISAKMP_GEN_SZ); 1486 if (!my_hash) { 1487 log_error("responder_recv_HASH_SA_NONCE: malloc (%lu) failed", 1488 (unsigned long)hash_len - ISAKMP_GEN_SZ); 1489 goto cleanup; 1490 } 1491 /* 1492 * Check the payload's integrity. 1493 * XXX Share with ipsec_fill_in_hash? 1494 */ 1495 LOG_DBG_BUF((LOG_NEGOTIATION, 90, "responder_recv_HASH_SA_NONCE: " 1496 "SKEYID_a", isa->skeyid_a, isa->skeyid_len)); 1497 prf = prf_alloc(isa->prf_type, isa->hash, isa->skeyid_a, 1498 isa->skeyid_len); 1499 if (!prf) 1500 goto cleanup; 1501 prf->Init(prf->prfctx); 1502 LOG_DBG_BUF((LOG_NEGOTIATION, 90, 1503 "responder_recv_HASH_SA_NONCE: message_id", 1504 exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN)); 1505 prf->Update(prf->prfctx, exchange->message_id, 1506 ISAKMP_HDR_MESSAGE_ID_LEN); 1507 LOG_DBG_BUF((LOG_NEGOTIATION, 90, 1508 "responder_recv_HASH_SA_NONCE: message after HASH", 1509 hash + hash_len, 1510 msg->iov[0].iov_len - ISAKMP_HDR_SZ - hash_len)); 1511 prf->Update(prf->prfctx, hash + hash_len, 1512 msg->iov[0].iov_len - ISAKMP_HDR_SZ - hash_len); 1513 prf->Final(my_hash, prf->prfctx); 1514 prf_free(prf); 1515 LOG_DBG_BUF((LOG_NEGOTIATION, 90, 1516 "responder_recv_HASH_SA_NONCE: computed HASH(1)", my_hash, 1517 hash_len - ISAKMP_GEN_SZ)); 1518 if (memcmp(hash + ISAKMP_GEN_SZ, my_hash, hash_len - ISAKMP_GEN_SZ) 1519 != 0) { 1520 message_drop(msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION, 0, 1521 1, 0); 1522 goto cleanup; 1523 } 1524 free(my_hash); 1525 my_hash = 0; 1526 1527 /* Mark message as authenticated. */ 1528 msg->flags |= MSG_AUTHENTICATED; 1529 1530 kep = payload_first(msg, ISAKMP_PAYLOAD_KEY_EXCH); 1531 if (kep) 1532 ie->pfs = 1; 1533 1534 /* Drop message when it contains ID types we do not implement yet. */ 1535 TAILQ_FOREACH(idp, &msg->payload[ISAKMP_PAYLOAD_ID], link) { 1536 switch (GET_ISAKMP_ID_TYPE(idp->p)) { 1537 case IPSEC_ID_IPV4_ADDR: 1538 case IPSEC_ID_IPV4_ADDR_SUBNET: 1539 case IPSEC_ID_IPV6_ADDR: 1540 case IPSEC_ID_IPV6_ADDR_SUBNET: 1541 break; 1542 1543 case IPSEC_ID_FQDN: 1544 /* 1545 * FQDN may be used for in NAT-T with transport mode. 1546 * We can handle the message in this case. In the 1547 * other cases we'll drop the message later. 1548 */ 1549 break; 1550 1551 default: 1552 message_drop(msg, ISAKMP_NOTIFY_INVALID_ID_INFORMATION, 1553 0, 1, 0); 1554 goto cleanup; 1555 } 1556 } 1557 1558 /* Handle optional client ID payloads. */ 1559 idp = payload_first(msg, ISAKMP_PAYLOAD_ID); 1560 if (idp) { 1561 /* If IDci is there, IDcr must be too. */ 1562 if (!TAILQ_NEXT(idp, link)) { 1563 /* XXX Is this a good notify type? */ 1564 message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1565 1, 0); 1566 goto cleanup; 1567 } 1568 ie->id_ci_sz = GET_ISAKMP_GEN_LENGTH(idp->p); 1569 ie->id_ci = malloc(ie->id_ci_sz); 1570 if (!ie->id_ci) { 1571 log_error("responder_recv_HASH_SA_NONCE: " 1572 "malloc (%lu) failed", 1573 (unsigned long)ie->id_ci_sz); 1574 goto cleanup; 1575 } 1576 memcpy(ie->id_ci, idp->p, ie->id_ci_sz); 1577 idp->flags |= PL_MARK; 1578 LOG_DBG_BUF((LOG_NEGOTIATION, 90, 1579 "responder_recv_HASH_SA_NONCE: IDci", 1580 ie->id_ci + ISAKMP_GEN_SZ, ie->id_ci_sz - ISAKMP_GEN_SZ)); 1581 1582 idp = TAILQ_NEXT(idp, link); 1583 ie->id_cr_sz = GET_ISAKMP_GEN_LENGTH(idp->p); 1584 ie->id_cr = malloc(ie->id_cr_sz); 1585 if (!ie->id_cr) { 1586 log_error("responder_recv_HASH_SA_NONCE: " 1587 "malloc (%lu) failed", 1588 (unsigned long)ie->id_cr_sz); 1589 goto cleanup; 1590 } 1591 memcpy(ie->id_cr, idp->p, ie->id_cr_sz); 1592 idp->flags |= PL_MARK; 1593 LOG_DBG_BUF((LOG_NEGOTIATION, 90, 1594 "responder_recv_HASH_SA_NONCE: IDcr", 1595 ie->id_cr + ISAKMP_GEN_SZ, ie->id_cr_sz - ISAKMP_GEN_SZ)); 1596 } else { 1597 /* 1598 * If client identifiers are not present in the exchange, 1599 * we fake them. RFC 2409 states: 1600 * The identities of the SAs negotiated in Quick Mode are 1601 * implicitly assumed to be the IP addresses of the ISAKMP 1602 * peers, without any constraints on the protocol or port 1603 * numbers allowed, unless client identifiers are specified 1604 * in Quick Mode. 1605 * 1606 * -- Michael Paddon (mwp@aba.net.au) 1607 */ 1608 1609 ie->flags = IPSEC_EXCH_FLAG_NO_ID; 1610 1611 /* Get initiator and responder addresses. */ 1612 msg->transport->vtbl->get_src(msg->transport, &src); 1613 msg->transport->vtbl->get_dst(msg->transport, &dst); 1614 ie->id_ci_sz = ISAKMP_ID_DATA_OFF + sockaddr_addrlen(src); 1615 ie->id_cr_sz = ISAKMP_ID_DATA_OFF + sockaddr_addrlen(dst); 1616 ie->id_ci = calloc(ie->id_ci_sz, sizeof(char)); 1617 ie->id_cr = calloc(ie->id_cr_sz, sizeof(char)); 1618 1619 if (!ie->id_ci || !ie->id_cr) { 1620 log_error("responder_recv_HASH_SA_NONCE: " 1621 "calloc (%lu, %lu) failed", 1622 (unsigned long)ie->id_ci_sz, 1623 (unsigned long)sizeof(char)); 1624 goto cleanup; 1625 } 1626 if (src->sa_family != dst->sa_family) { 1627 log_error("initiator_recv_HASH_SA_NONCE: " 1628 "sa_family mismatch"); 1629 goto cleanup; 1630 } 1631 switch (src->sa_family) { 1632 case AF_INET: 1633 SET_ISAKMP_ID_TYPE(ie->id_ci, IPSEC_ID_IPV4_ADDR); 1634 SET_ISAKMP_ID_TYPE(ie->id_cr, IPSEC_ID_IPV4_ADDR); 1635 break; 1636 1637 case AF_INET6: 1638 SET_ISAKMP_ID_TYPE(ie->id_ci, IPSEC_ID_IPV6_ADDR); 1639 SET_ISAKMP_ID_TYPE(ie->id_cr, IPSEC_ID_IPV6_ADDR); 1640 break; 1641 1642 default: 1643 log_error("initiator_recv_HASH_SA_NONCE: " 1644 "unknown sa_family %d", src->sa_family); 1645 goto cleanup; 1646 } 1647 1648 memcpy(ie->id_cr + ISAKMP_ID_DATA_OFF, sockaddr_addrdata(src), 1649 sockaddr_addrlen(src)); 1650 memcpy(ie->id_ci + ISAKMP_ID_DATA_OFF, sockaddr_addrdata(dst), 1651 sockaddr_addrlen(dst)); 1652 } 1653 1654 if (message_negotiate_sa(msg, check_policy)) 1655 goto cleanup; 1656 1657 for (sa = TAILQ_FIRST(&exchange->sa_list); sa; 1658 sa = TAILQ_NEXT(sa, next)) { 1659 for (proto = TAILQ_FIRST(&sa->protos); proto; 1660 proto = TAILQ_NEXT(proto, link)) { 1661 /* 1662 * XXX we need to have some attributes per proto, not 1663 * all per SA. 1664 */ 1665 ipsec_decode_transform(msg, sa, proto, 1666 proto->chosen->p); 1667 if (proto->proto == IPSEC_PROTO_IPSEC_AH && 1668 !((struct ipsec_proto *)proto->data)->auth) { 1669 log_print("responder_recv_HASH_SA_NONCE: " 1670 "AH proposed without an algorithm " 1671 "attribute"); 1672 message_drop(msg, 1673 ISAKMP_NOTIFY_NO_PROPOSAL_CHOSEN, 0, 1, 0); 1674 goto next_sa; 1675 } 1676 } 1677 1678 isa = sa->data; 1679 1680 /* 1681 * The group description is mandatory if we got a KEY_EXCH 1682 * payload. 1683 */ 1684 if (kep) { 1685 if (!isa->group_desc) { 1686 log_print("responder_recv_HASH_SA_NONCE: " 1687 "KEY_EXCH payload without a group " 1688 "desc. attribute"); 1689 message_drop(msg, 1690 ISAKMP_NOTIFY_NO_PROPOSAL_CHOSEN, 0, 1, 0); 1691 continue; 1692 } 1693 /* Also, all SAs must have equal groups. */ 1694 if (!group_desc) 1695 group_desc = isa->group_desc; 1696 else if (group_desc != isa->group_desc) { 1697 log_print("responder_recv_HASH_SA_NONCE: " 1698 "differing group descriptions in one QM"); 1699 message_drop(msg, 1700 ISAKMP_NOTIFY_NO_PROPOSAL_CHOSEN, 0, 1, 0); 1701 continue; 1702 } 1703 } 1704 /* At least one SA was accepted. */ 1705 retval = 0; 1706 1707 next_sa: 1708 ; /* XXX gcc3 wants this. */ 1709 } 1710 1711 if (kep) { 1712 ie->group = group_get(group_desc); 1713 if (!ie->group) { 1714 /* 1715 * XXX If the error was due to an out-of-range group 1716 * description we should notify our peer, but this 1717 * should probably be done by the attribute 1718 * validation. Is it? 1719 */ 1720 goto cleanup; 1721 } 1722 } 1723 /* Copy out the initiator's nonce. */ 1724 if (exchange_save_nonce(msg)) 1725 goto cleanup; 1726 1727 /* Handle the optional KEY_EXCH payload. */ 1728 if (kep && ipsec_save_g_x(msg)) 1729 goto cleanup; 1730 1731 /* 1732 * Try to find and set the connection name on the exchange. 1733 */ 1734 1735 /* 1736 * Check for accepted identities as well as lookup the connection 1737 * name and set it on the exchange. 1738 * 1739 * When not using policies make sure the peer proposes sane IDs. 1740 * Otherwise this is done by KeyNote. 1741 */ 1742 name = connection_passive_lookup_by_ids(ie->id_ci, ie->id_cr); 1743 if (name) { 1744 exchange->name = strdup(name); 1745 if (!exchange->name) { 1746 log_error("responder_recv_HASH_SA_NONCE: " 1747 "strdup (\"%s\") failed", name); 1748 goto cleanup; 1749 } 1750 } else if ( 1751 ignore_policy || 1752 strncmp("yes", conf_get_str("General", "Use-Keynote"), 3)) { 1753 log_print("responder_recv_HASH_SA_NONCE: peer proposed " 1754 "invalid phase 2 IDs: %s", 1755 (exchange->doi->decode_ids("initiator id %s, responder" 1756 " id %s", ie->id_ci, ie->id_ci_sz, ie->id_cr, 1757 ie->id_cr_sz, 1))); 1758 message_drop(msg, ISAKMP_NOTIFY_INVALID_ID_INFORMATION, 0, 1, 1759 0); 1760 goto cleanup; 1761 } 1762 1763 return retval; 1764 1765 cleanup: 1766 /* Remove all potential protocols that have been added to the SAs. */ 1767 for (sa = TAILQ_FIRST(&exchange->sa_list); sa; 1768 sa = TAILQ_NEXT(sa, next)) 1769 while ((proto = TAILQ_FIRST(&sa->protos)) != 0) 1770 proto_free(proto); 1771 free(my_hash); 1772 free(ie->id_ci); 1773 ie->id_ci = 0; 1774 free(ie->id_cr); 1775 ie->id_cr = 0; 1776 return -1; 1777 } 1778 1779 /* Reply with the transform we chose. */ 1780 static int 1781 responder_send_HASH_SA_NONCE(struct message *msg) 1782 { 1783 struct exchange *exchange = msg->exchange; 1784 struct ipsec_exch *ie = exchange->data; 1785 struct sa *isakmp_sa = msg->isakmp_sa; 1786 struct ipsec_sa *isa = isakmp_sa->data; 1787 struct prf *prf; 1788 struct hash *hash = hash_get(isa->hash); 1789 size_t nonce_sz = exchange->nonce_i_len; 1790 u_int8_t *buf; 1791 int initiator = exchange->initiator; 1792 char header[80]; 1793 u_int32_t i; 1794 u_int8_t *id; 1795 size_t sz; 1796 1797 /* 1798 * We want a HASH payload to start with. XXX Share with 1799 * ike_main_mode.c? 1800 */ 1801 buf = malloc(ISAKMP_HASH_SZ + hash->hashsize); 1802 if (!buf) { 1803 log_error("responder_send_HASH_SA_NONCE: malloc (%lu) failed", 1804 ISAKMP_HASH_SZ + (unsigned long)hash->hashsize); 1805 return -1; 1806 } 1807 if (message_add_payload(msg, ISAKMP_PAYLOAD_HASH, buf, 1808 ISAKMP_HASH_SZ + hash->hashsize, 1)) { 1809 free(buf); 1810 return -1; 1811 } 1812 /* Add the SA payload(s) with the transform(s) that was/were chosen. */ 1813 if (message_add_sa_payload(msg)) 1814 return -1; 1815 1816 /* Generate a nonce, and add it to the message. */ 1817 if (exchange_gen_nonce(msg, nonce_sz)) 1818 return -1; 1819 1820 /* Generate optional KEY_EXCH payload. This is known as PFS. */ 1821 if (ie->group && ipsec_gen_g_x(msg)) 1822 return -1; 1823 1824 /* 1825 * If the initiator client ID's were acceptable, just mirror them 1826 * back. 1827 */ 1828 if (!(ie->flags & IPSEC_EXCH_FLAG_NO_ID)) { 1829 sz = ie->id_ci_sz; 1830 id = malloc(sz); 1831 if (!id) { 1832 log_error("responder_send_HASH_SA_NONCE: " 1833 "malloc (%lu) failed", (unsigned long)sz); 1834 return -1; 1835 } 1836 memcpy(id, ie->id_ci, sz); 1837 LOG_DBG_BUF((LOG_NEGOTIATION, 90, 1838 "responder_send_HASH_SA_NONCE: IDic", id, sz)); 1839 if (message_add_payload(msg, ISAKMP_PAYLOAD_ID, id, sz, 1)) { 1840 free(id); 1841 return -1; 1842 } 1843 sz = ie->id_cr_sz; 1844 id = malloc(sz); 1845 if (!id) { 1846 log_error("responder_send_HASH_SA_NONCE: " 1847 "malloc (%lu) failed", (unsigned long)sz); 1848 return -1; 1849 } 1850 memcpy(id, ie->id_cr, sz); 1851 LOG_DBG_BUF((LOG_NEGOTIATION, 90, 1852 "responder_send_HASH_SA_NONCE: IDrc", id, sz)); 1853 if (message_add_payload(msg, ISAKMP_PAYLOAD_ID, id, sz, 1)) { 1854 free(id); 1855 return -1; 1856 } 1857 } 1858 /* Allocate the prf and start calculating our HASH(2). XXX Share? */ 1859 LOG_DBG((LOG_NEGOTIATION, 90, "responder_recv_HASH: " 1860 "isakmp_sa %p isa %p", isakmp_sa, isa)); 1861 LOG_DBG_BUF((LOG_NEGOTIATION, 90, "responder_send_HASH_SA_NONCE: " 1862 "SKEYID_a", isa->skeyid_a, isa->skeyid_len)); 1863 prf = prf_alloc(isa->prf_type, hash->type, isa->skeyid_a, 1864 isa->skeyid_len); 1865 if (!prf) 1866 return -1; 1867 prf->Init(prf->prfctx); 1868 LOG_DBG_BUF((LOG_NEGOTIATION, 90, 1869 "responder_send_HASH_SA_NONCE: message_id", 1870 exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN)); 1871 prf->Update(prf->prfctx, exchange->message_id, 1872 ISAKMP_HDR_MESSAGE_ID_LEN); 1873 LOG_DBG_BUF((LOG_NEGOTIATION, 90, "responder_send_HASH_SA_NONCE: " 1874 "NONCE_I_b", exchange->nonce_i, exchange->nonce_i_len)); 1875 prf->Update(prf->prfctx, exchange->nonce_i, exchange->nonce_i_len); 1876 1877 /* Loop over all payloads after HASH(2). */ 1878 for (i = 2; i < msg->iovlen; i++) { 1879 /* XXX Misleading payload type printouts. */ 1880 snprintf(header, sizeof header, 1881 "responder_send_HASH_SA_NONCE: payload %d after HASH(2)", 1882 i - 1); 1883 LOG_DBG_BUF((LOG_NEGOTIATION, 90, header, msg->iov[i].iov_base, 1884 msg->iov[i].iov_len)); 1885 prf->Update(prf->prfctx, msg->iov[i].iov_base, 1886 msg->iov[i].iov_len); 1887 } 1888 prf->Final(buf + ISAKMP_HASH_DATA_OFF, prf->prfctx); 1889 prf_free(prf); 1890 snprintf(header, sizeof header, "responder_send_HASH_SA_NONCE: " 1891 "HASH_%c", initiator ? 'I' : 'R'); 1892 LOG_DBG_BUF((LOG_NEGOTIATION, 80, header, buf + ISAKMP_HASH_DATA_OFF, 1893 hash->hashsize)); 1894 1895 if (ie->group) 1896 message_register_post_send(msg, gen_g_xy); 1897 1898 return 0; 1899 } 1900 1901 static void 1902 gen_g_xy(struct message *msg) 1903 { 1904 struct exchange *exchange = msg->exchange; 1905 struct ipsec_exch *ie = exchange->data; 1906 1907 /* Compute Diffie-Hellman shared value. */ 1908 ie->g_xy = malloc(ie->g_x_len); 1909 if (!ie->g_xy) { 1910 log_error("gen_g_xy: malloc (%lu) failed", 1911 (unsigned long)ie->g_x_len); 1912 return; 1913 } 1914 if (dh_create_shared(ie->group, ie->g_xy, 1915 exchange->initiator ? ie->g_xr : ie->g_xi)) { 1916 log_print("gen_g_xy: dh_create_shared failed"); 1917 return; 1918 } 1919 LOG_DBG_BUF((LOG_NEGOTIATION, 80, "gen_g_xy: g^xy", ie->g_xy, 1920 ie->g_x_len)); 1921 } 1922 1923 static int 1924 responder_recv_HASH(struct message *msg) 1925 { 1926 struct exchange *exchange = msg->exchange; 1927 struct sa *isakmp_sa = msg->isakmp_sa; 1928 struct ipsec_sa *isa = isakmp_sa->data; 1929 struct prf *prf; 1930 u_int8_t *hash, *my_hash = 0; 1931 size_t hash_len; 1932 struct payload *hashp; 1933 1934 /* Find HASH(3) and create our own hash, just as big. */ 1935 hashp = payload_first(msg, ISAKMP_PAYLOAD_HASH); 1936 hash = hashp->p; 1937 hashp->flags |= PL_MARK; 1938 hash_len = GET_ISAKMP_GEN_LENGTH(hash); 1939 my_hash = malloc(hash_len - ISAKMP_GEN_SZ); 1940 if (!my_hash) { 1941 log_error("responder_recv_HASH: malloc (%lu) failed", 1942 (unsigned long)hash_len - ISAKMP_GEN_SZ); 1943 goto cleanup; 1944 } 1945 /* Allocate the prf and start calculating our HASH(3). XXX Share? */ 1946 LOG_DBG((LOG_NEGOTIATION, 90, "responder_recv_HASH: " 1947 "isakmp_sa %p isa %p", isakmp_sa, isa)); 1948 LOG_DBG_BUF((LOG_NEGOTIATION, 90, "responder_recv_HASH: SKEYID_a", 1949 isa->skeyid_a, isa->skeyid_len)); 1950 prf = prf_alloc(isa->prf_type, isa->hash, isa->skeyid_a, 1951 isa->skeyid_len); 1952 if (!prf) 1953 goto cleanup; 1954 prf->Init(prf->prfctx); 1955 prf->Update(prf->prfctx, (unsigned char *)"\0", 1); 1956 LOG_DBG_BUF((LOG_NEGOTIATION, 90, "responder_recv_HASH: message_id", 1957 exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN)); 1958 prf->Update(prf->prfctx, exchange->message_id, 1959 ISAKMP_HDR_MESSAGE_ID_LEN); 1960 LOG_DBG_BUF((LOG_NEGOTIATION, 90, "responder_recv_HASH: NONCE_I_b", 1961 exchange->nonce_i, exchange->nonce_i_len)); 1962 prf->Update(prf->prfctx, exchange->nonce_i, exchange->nonce_i_len); 1963 LOG_DBG_BUF((LOG_NEGOTIATION, 90, "responder_recv_HASH: NONCE_R_b", 1964 exchange->nonce_r, exchange->nonce_r_len)); 1965 prf->Update(prf->prfctx, exchange->nonce_r, exchange->nonce_r_len); 1966 prf->Final(my_hash, prf->prfctx); 1967 prf_free(prf); 1968 LOG_DBG_BUF((LOG_NEGOTIATION, 90, 1969 "responder_recv_HASH: computed HASH(3)", my_hash, 1970 hash_len - ISAKMP_GEN_SZ)); 1971 if (memcmp(hash + ISAKMP_GEN_SZ, my_hash, hash_len - ISAKMP_GEN_SZ) 1972 != 0) { 1973 message_drop(msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION, 0, 1974 1, 0); 1975 goto cleanup; 1976 } 1977 free(my_hash); 1978 1979 /* Mark message as authenticated. */ 1980 msg->flags |= MSG_AUTHENTICATED; 1981 1982 post_quick_mode(msg); 1983 1984 return 0; 1985 1986 cleanup: 1987 free(my_hash); 1988 return -1; 1989 } 1990