1 /* $Id: oakley.c,v 1.15.2.2 2005/03/01 09:51:27 vanhu Exp $ */
4 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the project nor the names of its contributors
16 * may be used to endorse or promote products derived from this software
17 * without specific prior written permission.
19 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 #include <sys/types.h>
35 #include <sys/param.h>
36 #include <sys/socket.h> /* XXX for subjectaltname */
37 #include <netinet/in.h> /* XXX for subjectaltname */
44 #if TIME_WITH_SYS_TIME
45 # include <sys/time.h>
49 # include <sys/time.h>
62 #include "isakmp_var.h"
65 #include "isakmp_xauth.h"
66 #include "isakmp_cfg.h"
69 #include "localconf.h"
70 #include "remoteconf.h"
73 #include "ipsec_doi.h"
74 #include "algorithm.h"
78 #include "crypto_openssl.h"
92 #define INITDHVAL(a, s, d, t) \
95 buf.v = str2val((s), 16, &buf.l); \
96 memset(&a, 0, sizeof(struct dhgroup)); \
98 a.prime = vdup(&buf); \
101 racoon_free(buf.v); \
104 struct dhgroup dh_modp768;
105 struct dhgroup dh_modp1024;
106 struct dhgroup dh_modp1536;
107 struct dhgroup dh_modp2048;
108 struct dhgroup dh_modp3072;
109 struct dhgroup dh_modp4096;
110 struct dhgroup dh_modp6144;
111 struct dhgroup dh_modp8192;
114 static int oakley_check_dh_pub __P((vchar_t *, vchar_t **));
115 static int oakley_compute_keymat_x __P((struct ph2handle *, int, int));
116 static int get_cert_fromlocal __P((struct ph1handle *, int));
117 static int get_plainrsa_fromlocal __P((struct ph1handle *, int));
118 static int oakley_check_certid __P((struct ph1handle *iph1));
119 static int check_typeofcertname __P((int, int));
120 static cert_t *save_certbuf __P((struct isakmp_gen *));
121 static int oakley_padlen __P((int, int));
124 oakley_get_defaultlifetime()
126 return OAKLEY_ATTR_SA_LD_SEC_DEFAULT;
133 INITDHVAL(dh_modp768, OAKLEY_PRIME_MODP768,
134 OAKLEY_ATTR_GRP_DESC_MODP768, OAKLEY_ATTR_GRP_TYPE_MODP);
135 INITDHVAL(dh_modp1024, OAKLEY_PRIME_MODP1024,
136 OAKLEY_ATTR_GRP_DESC_MODP1024, OAKLEY_ATTR_GRP_TYPE_MODP);
137 INITDHVAL(dh_modp1536, OAKLEY_PRIME_MODP1536,
138 OAKLEY_ATTR_GRP_DESC_MODP1536, OAKLEY_ATTR_GRP_TYPE_MODP);
139 INITDHVAL(dh_modp2048, OAKLEY_PRIME_MODP2048,
140 OAKLEY_ATTR_GRP_DESC_MODP2048, OAKLEY_ATTR_GRP_TYPE_MODP);
141 INITDHVAL(dh_modp3072, OAKLEY_PRIME_MODP3072,
142 OAKLEY_ATTR_GRP_DESC_MODP3072, OAKLEY_ATTR_GRP_TYPE_MODP);
143 INITDHVAL(dh_modp4096, OAKLEY_PRIME_MODP4096,
144 OAKLEY_ATTR_GRP_DESC_MODP4096, OAKLEY_ATTR_GRP_TYPE_MODP);
145 INITDHVAL(dh_modp6144, OAKLEY_PRIME_MODP6144,
146 OAKLEY_ATTR_GRP_DESC_MODP6144, OAKLEY_ATTR_GRP_TYPE_MODP);
147 INITDHVAL(dh_modp8192, OAKLEY_PRIME_MODP8192,
148 OAKLEY_ATTR_GRP_DESC_MODP8192, OAKLEY_ATTR_GRP_TYPE_MODP);
154 oakley_dhgrp_free(dhgrp)
155 struct dhgroup *dhgrp;
160 vfree(dhgrp->curve_a);
162 vfree(dhgrp->curve_b);
170 * The length of the Diffie-Hellman public value MUST be equal to the
171 * length of the prime modulus over which the exponentiation was
172 * performed, prepending zero bits to the value if necessary.
175 oakley_check_dh_pub(prime, pub0)
176 vchar_t *prime, **pub0;
179 vchar_t *pub = *pub0;
181 if (prime->l == pub->l)
184 if (prime->l < pub->l) {
185 /* what should i do ? */
186 plog(LLV_ERROR, LOCATION, NULL,
187 "invalid public information was generated.\n");
191 /* prime->l > pub->l */
192 tmp = vmalloc(prime->l);
194 plog(LLV_ERROR, LOCATION, NULL,
195 "failed to get DH buffer.\n");
198 memcpy(tmp->v + prime->l - pub->l, pub->v, pub->l);
207 * compute sharing secret of DH
208 * IN: *dh, *pub, *priv, *pub_p
212 oakley_dh_compute(dh, pub, priv, pub_p, gxy)
213 const struct dhgroup *dh;
214 vchar_t *pub, *priv, *pub_p, **gxy;
217 struct timeval start, end;
219 if ((*gxy = vmalloc(dh->prime->l)) == NULL) {
220 plog(LLV_ERROR, LOCATION, NULL,
221 "failed to get DH buffer.\n");
226 gettimeofday(&start, NULL);
229 case OAKLEY_ATTR_GRP_TYPE_MODP:
230 if (eay_dh_compute(dh->prime, dh->gen1, pub, priv, pub_p, gxy) < 0) {
231 plog(LLV_ERROR, LOCATION, NULL,
232 "failed to compute dh value.\n");
236 case OAKLEY_ATTR_GRP_TYPE_ECP:
237 case OAKLEY_ATTR_GRP_TYPE_EC2N:
238 plog(LLV_ERROR, LOCATION, NULL,
239 "dh type %d isn't supported.\n", dh->type);
242 plog(LLV_ERROR, LOCATION, NULL,
243 "invalid dh type %d.\n", dh->type);
248 gettimeofday(&end, NULL);
249 syslog(LOG_NOTICE, "%s(%s%d): %8.6f", __func__,
250 s_attr_isakmp_group(dh->type), dh->prime->l << 3,
251 timedelta(&start, &end));
254 plog(LLV_DEBUG, LOCATION, NULL, "compute DH's shared.\n");
255 plogdump(LLV_DEBUG, (*gxy)->v, (*gxy)->l);
261 * generate values of DH
266 oakley_dh_generate(dh, pub, priv)
267 const struct dhgroup *dh;
268 vchar_t **pub, **priv;
271 struct timeval start, end;
272 gettimeofday(&start, NULL);
275 case OAKLEY_ATTR_GRP_TYPE_MODP:
276 if (eay_dh_generate(dh->prime, dh->gen1, dh->gen2, pub, priv) < 0) {
277 plog(LLV_ERROR, LOCATION, NULL,
278 "failed to compute dh value.\n");
283 case OAKLEY_ATTR_GRP_TYPE_ECP:
284 case OAKLEY_ATTR_GRP_TYPE_EC2N:
285 plog(LLV_ERROR, LOCATION, NULL,
286 "dh type %d isn't supported.\n", dh->type);
289 plog(LLV_ERROR, LOCATION, NULL,
290 "invalid dh type %d.\n", dh->type);
295 gettimeofday(&end, NULL);
296 syslog(LOG_NOTICE, "%s(%s%d): %8.6f", __func__,
297 s_attr_isakmp_group(dh->type), dh->prime->l << 3,
298 timedelta(&start, &end));
301 if (oakley_check_dh_pub(dh->prime, pub) != 0)
304 plog(LLV_DEBUG, LOCATION, NULL, "compute DH's private.\n");
305 plogdump(LLV_DEBUG, (*priv)->v, (*priv)->l);
306 plog(LLV_DEBUG, LOCATION, NULL, "compute DH's public.\n");
307 plogdump(LLV_DEBUG, (*pub)->v, (*pub)->l);
313 * copy pre-defined dhgroup values.
316 oakley_setdhgroup(group, dhgrp)
318 struct dhgroup **dhgrp;
322 *dhgrp = NULL; /* just make sure, initialize */
324 g = alg_oakley_dhdef_group(group);
326 plog(LLV_ERROR, LOCATION, NULL,
327 "invalid DH parameter grp=%d.\n", group);
331 if (!g->type || !g->prime || !g->gen1) {
333 plog(LLV_ERROR, LOCATION, NULL,
334 "unsupported DH parameters grp=%d.\n", group);
338 *dhgrp = racoon_calloc(1, sizeof(struct dhgroup));
339 if (*dhgrp == NULL) {
340 plog(LLV_ERROR, LOCATION, NULL,
341 "failed to get DH buffer.\n");
345 /* set defined dh vlaues */
346 memcpy(*dhgrp, g, sizeof(*g));
347 (*dhgrp)->prime = vdup(g->prime);
355 * NOTE: we do not support prf with different input/output bitwidth,
356 * so we do not implement RFC2409 Appendix B (DOORAK-MAC example) in
357 * oakley_compute_keymat(). If you add support for such prf function,
358 * modify oakley_compute_keymat() accordingly.
361 oakley_prf(key, buf, iph1)
363 struct ph1handle *iph1;
368 if (iph1->approval == NULL) {
370 * it's before negotiating hash algorithm.
371 * We use md5 as default.
373 type = OAKLEY_ATTR_HASH_ALG_MD5;
375 type = iph1->approval->hashtype;
377 res = alg_oakley_hmacdef_one(type, key, buf);
379 plog(LLV_ERROR, LOCATION, NULL,
380 "invalid hmac algorithm %d.\n", type);
391 oakley_hash(buf, iph1)
393 struct ph1handle *iph1;
398 if (iph1->approval == NULL) {
400 * it's before negotiating hash algorithm.
401 * We use md5 as default.
403 type = OAKLEY_ATTR_HASH_ALG_MD5;
405 type = iph1->approval->hashtype;
407 res = alg_oakley_hashdef_one(type, buf);
409 plog(LLV_ERROR, LOCATION, NULL,
410 "invalid hash algoriym %d.\n", type);
419 * see seciton 5.5 Phase 2 - Quick Mode in isakmp-oakley-05.
422 oakley_compute_keymat(iph2, side)
423 struct ph2handle *iph2;
428 /* compute sharing secret of DH when PFS */
429 if (iph2->approval->pfs_group && iph2->dhpub_p) {
430 if (oakley_dh_compute(iph2->pfsgrp, iph2->dhpub,
431 iph2->dhpriv, iph2->dhpub_p, &iph2->dhgxy) < 0)
436 if (oakley_compute_keymat_x(iph2, side, INBOUND_SA) < 0
437 || oakley_compute_keymat_x(iph2, side, OUTBOUND_SA) < 0)
440 plog(LLV_DEBUG, LOCATION, NULL, "KEYMAT computed.\n");
450 * KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b).
451 * If PFS is desired and KE payloads were exchanged,
452 * KEYMAT = prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)
454 * NOTE: we do not support prf with different input/output bitwidth,
455 * so we do not implement RFC2409 Appendix B (DOORAK-MAC example).
458 oakley_compute_keymat_x(iph2, side, sa_dir)
459 struct ph2handle *iph2;
463 vchar_t *buf = NULL, *res = NULL, *bp;
468 int dupkeymat; /* generate K[1-dupkeymat] */
471 int encklen, authklen, l;
473 pfs = ((iph2->approval->pfs_group && iph2->dhgxy) ? 1 : 0);
475 len = pfs ? iph2->dhgxy->l : 0;
477 + sizeof(u_int32_t) /* XXX SPI size */
482 plog(LLV_ERROR, LOCATION, NULL,
483 "failed to get keymat buffer.\n");
487 for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
492 memcpy(p, iph2->dhgxy->v, iph2->dhgxy->l);
499 memcpy(p, (sa_dir == INBOUND_SA ? &pr->spi : &pr->spi_p),
501 p += sizeof(pr->spi);
503 bp = (side == INITIATOR ? iph2->nonce : iph2->nonce_p);
504 memcpy(p, bp->v, bp->l);
507 bp = (side == INITIATOR ? iph2->nonce_p : iph2->nonce);
508 memcpy(p, bp->v, bp->l);
512 plog(LLV_DEBUG, LOCATION, NULL, "KEYMAT compute with\n");
513 plogdump(LLV_DEBUG, buf->v, buf->l);
516 res = oakley_prf(iph2->ph1->skeyid_d, buf, iph2->ph1);
520 /* compute key length needed */
521 encklen = authklen = 0;
522 switch (pr->proto_id) {
523 case IPSECDOI_PROTO_IPSEC_ESP:
524 for (tr = pr->head; tr; tr = tr->next) {
525 l = alg_ipsec_encdef_keylen(tr->trns_id,
530 l = alg_ipsec_hmacdef_hashlen(tr->authtype);
535 case IPSECDOI_PROTO_IPSEC_AH:
536 for (tr = pr->head; tr; tr = tr->next) {
537 l = alg_ipsec_hmacdef_hashlen(tr->trns_id);
545 plog(LLV_DEBUG, LOCATION, NULL, "encklen=%d authklen=%d\n",
548 dupkeymat = (encklen + authklen) / 8 / res->l;
549 dupkeymat += 2; /* safety mergin */
552 plog(LLV_DEBUG, LOCATION, NULL,
553 "generating %zu bits of key (dupkeymat=%d)\n",
554 dupkeymat * 8 * res->l, dupkeymat);
555 if (0 < --dupkeymat) {
556 vchar_t *prev = res; /* K(n-1) */
557 vchar_t *seed = NULL; /* seed for Kn */
561 * generating long key (isakmp-oakley-08 5.5)
562 * KEYMAT = K1 | K2 | K3 | ...
564 * src = [ g(qm)^xy | ] protocol | SPI | Ni_b | Nr_b
565 * K1 = prf(SKEYID_d, src)
566 * K2 = prf(SKEYID_d, K1 | src)
567 * K3 = prf(SKEYID_d, K2 | src)
568 * Kn = prf(SKEYID_d, K(n-1) | src)
570 plog(LLV_DEBUG, LOCATION, NULL,
571 "generating K1...K%d for KEYMAT.\n",
574 seed = vmalloc(prev->l + buf->l);
576 plog(LLV_ERROR, LOCATION, NULL,
577 "failed to get keymat buffer.\n");
578 if (prev && prev != res)
583 while (dupkeymat--) {
584 vchar_t *this = NULL; /* Kn */
586 memcpy(seed->v, prev->v, prev->l);
587 memcpy(seed->v + prev->l, buf->v, buf->l);
588 this = oakley_prf(iph2->ph1->skeyid_d, seed,
591 plog(LLV_ERROR, LOCATION, NULL,
592 "oakley_prf memory overflow\n");
593 if (prev && prev != res)
601 res = vrealloc(res, l + this->l);
603 plog(LLV_ERROR, LOCATION, NULL,
604 "failed to get keymat buffer.\n");
605 if (prev && prev != res)
611 memcpy(res->v + l, this->v, this->l);
613 if (prev && prev != res)
619 if (prev && prev != res)
624 plogdump(LLV_DEBUG, res->v, res->l);
626 if (sa_dir == INBOUND_SA)
637 for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
659 * NOTE: Must terminate by NULL.
662 oakley_compute_hashx(struct ph1handle *iph1, ...)
671 /* get buffer length */
674 while ((s = va_arg(ap, vchar_t *)) != NULL) {
681 plog(LLV_ERROR, LOCATION, NULL,
682 "failed to get hash buffer\n");
689 while ((s = va_arg(ap, char *)) != NULL) {
690 memcpy(p, s->v, s->l);
695 plog(LLV_DEBUG, LOCATION, NULL, "HASH with: \n");
696 plogdump(LLV_DEBUG, buf->v, buf->l);
699 res = oakley_prf(iph1->skeyid_a, buf, iph1);
704 plog(LLV_DEBUG, LOCATION, NULL, "HASH computed:\n");
705 plogdump(LLV_DEBUG, res->v, res->l);
712 * compute HASH(3) prf(SKEYID_a, 0 | M-ID | Ni_b | Nr_b)
713 * see seciton 5.5 Phase 2 - Quick Mode in isakmp-oakley-05.
716 oakley_compute_hash3(iph1, msgid, body)
717 struct ph1handle *iph1;
721 vchar_t *buf = 0, *res = 0;
726 len = 1 + sizeof(u_int32_t) + body->l;
729 plog(LLV_DEBUG, LOCATION, NULL,
730 "failed to get hash buffer\n");
736 memcpy(buf->v + 1, (char *)&msgid, sizeof(msgid));
738 memcpy(buf->v + 1 + sizeof(u_int32_t), body->v, body->l);
740 plog(LLV_DEBUG, LOCATION, NULL, "HASH with: \n");
741 plogdump(LLV_DEBUG, buf->v, buf->l);
744 res = oakley_prf(iph1->skeyid_a, buf, iph1);
750 plog(LLV_DEBUG, LOCATION, NULL, "HASH computed:\n");
751 plogdump(LLV_DEBUG, res->v, res->l);
760 * compute HASH type of prf(SKEYID_a, M-ID | buffer)
762 * for quick mode HASH(1):
763 * prf(SKEYID_a, M-ID | SA | Ni [ | KE ] [ | IDci | IDcr ])
764 * for quick mode HASH(2):
765 * prf(SKEYID_a, M-ID | Ni_b | SA | Nr [ | KE ] [ | IDci | IDcr ])
766 * for Informational exchange:
767 * prf(SKEYID_a, M-ID | N/D)
770 oakley_compute_hash1(iph1, msgid, body)
771 struct ph1handle *iph1;
775 vchar_t *buf = NULL, *res = NULL;
781 len = sizeof(u_int32_t) + body->l;
784 plog(LLV_DEBUG, LOCATION, NULL,
785 "failed to get hash buffer\n");
791 memcpy(buf->v, (char *)&msgid, sizeof(msgid));
792 p += sizeof(u_int32_t);
794 memcpy(p, body->v, body->l);
796 plog(LLV_DEBUG, LOCATION, NULL, "HASH with:\n");
797 plogdump(LLV_DEBUG, buf->v, buf->l);
800 res = oakley_prf(iph1->skeyid_a, buf, iph1);
806 plog(LLV_DEBUG, LOCATION, NULL, "HASH computed:\n");
807 plogdump(LLV_DEBUG, res->v, res->l);
816 * compute phase1 HASH
818 * I-digest = prf(SKEYID, g^i | g^r | CKY-I | CKY-R | SAi_b | ID_i1_b)
819 * R-digest = prf(SKEYID, g^r | g^i | CKY-R | CKY-I | SAi_b | ID_r1_b)
820 * for gssapi, also include all GSS tokens, and call gss_wrap on the result
823 oakley_ph1hash_common(iph1, sw)
824 struct ph1handle *iph1;
827 vchar_t *buf = NULL, *res = NULL, *bp;
832 vchar_t *gsstokens = NULL;
838 + sizeof(cookie_t) * 2
840 + (sw == GENERATE ? iph1->id->l : iph1->id_p->l);
843 if (iph1->approval->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) {
844 if (iph1->gi_i != NULL && iph1->gi_r != NULL) {
845 bp = (sw == GENERATE ? iph1->gi_i : iph1->gi_r);
849 gssapi_get_itokens(iph1, &gsstokens);
851 gssapi_get_rtokens(iph1, &gsstokens);
852 if (gsstokens == NULL)
860 plog(LLV_ERROR, LOCATION, NULL,
861 "failed to get hash buffer\n");
867 bp = (sw == GENERATE ? iph1->dhpub : iph1->dhpub_p);
868 memcpy(p, bp->v, bp->l);
871 bp = (sw == GENERATE ? iph1->dhpub_p : iph1->dhpub);
872 memcpy(p, bp->v, bp->l);
875 if (iph1->side == INITIATOR)
876 bp2 = (sw == GENERATE ?
877 (char *)&iph1->index.i_ck : (char *)&iph1->index.r_ck);
879 bp2 = (sw == GENERATE ?
880 (char *)&iph1->index.r_ck : (char *)&iph1->index.i_ck);
881 bl = sizeof(cookie_t);
885 if (iph1->side == INITIATOR)
886 bp2 = (sw == GENERATE ?
887 (char *)&iph1->index.r_ck : (char *)&iph1->index.i_ck);
889 bp2 = (sw == GENERATE ?
890 (char *)&iph1->index.i_ck : (char *)&iph1->index.r_ck);
891 bl = sizeof(cookie_t);
896 memcpy(p, bp->v, bp->l);
899 bp = (sw == GENERATE ? iph1->id : iph1->id_p);
900 memcpy(p, bp->v, bp->l);
904 if (iph1->approval->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) {
905 if (iph1->gi_i != NULL && iph1->gi_r != NULL) {
906 bp = (sw == GENERATE ? iph1->gi_i : iph1->gi_r);
907 memcpy(p, bp->v, bp->l);
910 memcpy(p, gsstokens->v, gsstokens->l);
915 plog(LLV_DEBUG, LOCATION, NULL, "HASH with:\n");
916 plogdump(LLV_DEBUG, buf->v, buf->l);
919 res = oakley_prf(iph1->skeyid, buf, iph1);
925 plog(LLV_DEBUG, LOCATION, NULL, "HASH computed:\n");
926 plogdump(LLV_DEBUG, res->v, res->l);
932 if (gsstokens != NULL)
939 * compute HASH_I on base mode.
941 * HASH_I = prf(SKEYID, g^xi | CKY-I | CKY-R | SAi_b | IDii_b)
943 * HASH_I = prf(hash(Ni_b | Nr_b), g^xi | CKY-I | CKY-R | SAi_b | IDii_b)
946 oakley_ph1hash_base_i(iph1, sw)
947 struct ph1handle *iph1;
950 vchar_t *buf = NULL, *res = NULL, *bp;
951 vchar_t *hashkey = NULL;
952 vchar_t *hash = NULL; /* for signature mode */
958 if (iph1->etype != ISAKMP_ETYPE_BASE) {
959 plog(LLV_ERROR, LOCATION, NULL,
960 "invalid etype for this hash function\n");
964 switch (iph1->approval->authmethod) {
965 case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
966 case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
967 case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
968 if (iph1->skeyid == NULL) {
969 plog(LLV_ERROR, LOCATION, NULL, "no SKEYID found.\n");
972 hashkey = iph1->skeyid;
975 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
976 case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
977 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
979 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
980 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
981 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
982 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
984 /* make hash for seed */
985 len = iph1->nonce->l + iph1->nonce_p->l;
988 plog(LLV_ERROR, LOCATION, NULL,
989 "failed to get hash buffer\n");
994 bp = (sw == GENERATE ? iph1->nonce_p : iph1->nonce);
995 memcpy(p, bp->v, bp->l);
998 bp = (sw == GENERATE ? iph1->nonce : iph1->nonce_p);
999 memcpy(p, bp->v, bp->l);
1002 hash = oakley_hash(buf, iph1);
1012 plog(LLV_ERROR, LOCATION, NULL,
1013 "not supported authentication method %d\n",
1014 iph1->approval->authmethod);
1019 len = (sw == GENERATE ? iph1->dhpub->l : iph1->dhpub_p->l)
1020 + sizeof(cookie_t) * 2
1022 + (sw == GENERATE ? iph1->id->l : iph1->id_p->l);
1025 plog(LLV_ERROR, LOCATION, NULL,
1026 "failed to get hash buffer\n");
1031 bp = (sw == GENERATE ? iph1->dhpub : iph1->dhpub_p);
1032 memcpy(p, bp->v, bp->l);
1035 memcpy(p, &iph1->index.i_ck, sizeof(cookie_t));
1036 p += sizeof(cookie_t);
1037 memcpy(p, &iph1->index.r_ck, sizeof(cookie_t));
1038 p += sizeof(cookie_t);
1040 memcpy(p, iph1->sa->v, iph1->sa->l);
1043 bp = (sw == GENERATE ? iph1->id : iph1->id_p);
1044 memcpy(p, bp->v, bp->l);
1047 plog(LLV_DEBUG, LOCATION, NULL, "HASH_I with:\n");
1048 plogdump(LLV_DEBUG, buf->v, buf->l);
1051 res = oakley_prf(hashkey, buf, iph1);
1057 plog(LLV_DEBUG, LOCATION, NULL, "HASH_I computed:\n");
1058 plogdump(LLV_DEBUG, res->v, res->l);
1069 * compute HASH_R on base mode for signature method.
1071 * HASH_R = prf(hash(Ni_b | Nr_b), g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)
1074 oakley_ph1hash_base_r(iph1, sw)
1075 struct ph1handle *iph1;
1078 vchar_t *buf = NULL, *res = NULL, *bp;
1079 vchar_t *hash = NULL;
1085 if (iph1->etype != ISAKMP_ETYPE_BASE) {
1086 plog(LLV_ERROR, LOCATION, NULL,
1087 "invalid etype for this hash function\n");
1090 if (iph1->approval->authmethod != OAKLEY_ATTR_AUTH_METHOD_DSSSIG
1091 #ifdef ENABLE_HYBRID
1092 && iph1->approval->authmethod != OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I
1093 && iph1->approval->authmethod != OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I
1095 && iph1->approval->authmethod != OAKLEY_ATTR_AUTH_METHOD_RSASIG) {
1096 plog(LLV_ERROR, LOCATION, NULL,
1097 "not supported authentication method %d\n",
1098 iph1->approval->authmethod);
1102 /* make hash for seed */
1103 len = iph1->nonce->l + iph1->nonce_p->l;
1106 plog(LLV_ERROR, LOCATION, NULL,
1107 "failed to get hash buffer\n");
1112 bp = (sw == GENERATE ? iph1->nonce_p : iph1->nonce);
1113 memcpy(p, bp->v, bp->l);
1116 bp = (sw == GENERATE ? iph1->nonce : iph1->nonce_p);
1117 memcpy(p, bp->v, bp->l);
1120 hash = oakley_hash(buf, iph1);
1126 /* make really hash */
1127 len = (sw == GENERATE ? iph1->dhpub_p->l : iph1->dhpub->l)
1128 + (sw == GENERATE ? iph1->dhpub->l : iph1->dhpub_p->l)
1129 + sizeof(cookie_t) * 2
1131 + (sw == GENERATE ? iph1->id_p->l : iph1->id->l);
1134 plog(LLV_ERROR, LOCATION, NULL,
1135 "failed to get hash buffer\n");
1141 bp = (sw == GENERATE ? iph1->dhpub_p : iph1->dhpub);
1142 memcpy(p, bp->v, bp->l);
1145 bp = (sw == GENERATE ? iph1->dhpub : iph1->dhpub_p);
1146 memcpy(p, bp->v, bp->l);
1149 memcpy(p, &iph1->index.i_ck, sizeof(cookie_t));
1150 p += sizeof(cookie_t);
1151 memcpy(p, &iph1->index.r_ck, sizeof(cookie_t));
1152 p += sizeof(cookie_t);
1154 memcpy(p, iph1->sa->v, iph1->sa->l);
1157 bp = (sw == GENERATE ? iph1->id_p : iph1->id);
1158 memcpy(p, bp->v, bp->l);
1161 plog(LLV_DEBUG, LOCATION, NULL, "HASH with:\n");
1162 plogdump(LLV_DEBUG, buf->v, buf->l);
1165 res = oakley_prf(hash, buf, iph1);
1171 plog(LLV_DEBUG, LOCATION, NULL, "HASH computed:\n");
1172 plogdump(LLV_DEBUG, res->v, res->l);
1183 * compute each authentication method in phase 1.
1187 * other: error to be reply with notification.
1188 * the value is notification type.
1191 oakley_validate_auth(iph1)
1192 struct ph1handle *iph1;
1194 vchar_t *my_hash = NULL;
1197 vchar_t *gsshash = NULL;
1200 struct timeval start, end;
1204 gettimeofday(&start, NULL);
1206 switch (iph1->approval->authmethod) {
1207 case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
1212 if (iph1->id_p == NULL || iph1->pl_hash == NULL) {
1213 plog(LLV_ERROR, LOCATION, iph1->remote,
1214 "few isakmp message received.\n");
1215 return ISAKMP_NTYPE_PAYLOAD_MALFORMED;
1218 r_hash = (caddr_t)(iph1->pl_hash + 1);
1220 plog(LLV_DEBUG, LOCATION, NULL, "HASH received:");
1221 plogdump(LLV_DEBUG, r_hash,
1222 ntohs(iph1->pl_hash->h.len) - sizeof(*iph1->pl_hash));
1224 switch (iph1->etype) {
1225 case ISAKMP_ETYPE_IDENT:
1226 case ISAKMP_ETYPE_AGG:
1227 my_hash = oakley_ph1hash_common(iph1, VALIDATE);
1229 case ISAKMP_ETYPE_BASE:
1230 if (iph1->side == INITIATOR)
1231 my_hash = oakley_ph1hash_common(iph1, VALIDATE);
1233 my_hash = oakley_ph1hash_base_i(iph1, VALIDATE);
1236 plog(LLV_ERROR, LOCATION, NULL,
1237 "invalid etype %d\n", iph1->etype);
1238 return ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE;
1240 if (my_hash == NULL)
1241 return ISAKMP_INTERNAL_ERROR;
1243 result = memcmp(my_hash->v, r_hash, my_hash->l);
1247 plog(LLV_ERROR, LOCATION, NULL, "HASH mismatched\n");
1248 return ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
1251 plog(LLV_DEBUG, LOCATION, NULL, "HASH for PSK validated.\n");
1254 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
1255 case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
1256 #ifdef ENABLE_HYBRID
1257 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
1258 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
1265 if (iph1->id_p == NULL) {
1266 plog(LLV_ERROR, LOCATION, iph1->remote,
1267 "no ID payload was passed.\n");
1268 return ISAKMP_NTYPE_PAYLOAD_MALFORMED;
1270 if (iph1->sig_p == NULL) {
1271 plog(LLV_ERROR, LOCATION, iph1->remote,
1272 "no SIG payload was passed.\n");
1273 return ISAKMP_NTYPE_PAYLOAD_MALFORMED;
1276 plog(LLV_DEBUG, LOCATION, NULL, "SIGN passed:\n");
1277 plogdump(LLV_DEBUG, iph1->sig_p->v, iph1->sig_p->l);
1279 /* get peer's cert */
1280 switch (iph1->rmconf->getcert_method) {
1281 case ISAKMP_GETCERT_PAYLOAD:
1282 if (iph1->cert_p == NULL) {
1283 plog(LLV_ERROR, LOCATION, NULL,
1284 "no peer's CERT payload found.\n");
1285 return ISAKMP_INTERNAL_ERROR;
1288 case ISAKMP_GETCERT_LOCALFILE:
1289 switch (iph1->rmconf->certtype) {
1290 case ISAKMP_CERT_X509SIGN:
1291 if (iph1->rmconf->peerscertfile == NULL) {
1292 plog(LLV_ERROR, LOCATION, NULL,
1293 "no peer's CERT file found.\n");
1294 return ISAKMP_INTERNAL_ERROR;
1297 /* don't use cached cert */
1298 if (iph1->cert_p != NULL) {
1299 oakley_delcert(iph1->cert_p);
1300 iph1->cert_p = NULL;
1303 error = get_cert_fromlocal(iph1, 0);
1306 case ISAKMP_CERT_PLAINRSA:
1307 error = get_plainrsa_fromlocal(iph1, 0);
1311 return ISAKMP_INTERNAL_ERROR;
1313 case ISAKMP_GETCERT_DNS:
1314 if (iph1->rmconf->peerscertfile != NULL) {
1315 plog(LLV_ERROR, LOCATION, NULL,
1316 "why peer's CERT file is defined "
1317 "though getcert method is dns ?\n");
1318 return ISAKMP_INTERNAL_ERROR;
1321 /* don't use cached cert */
1322 if (iph1->cert_p != NULL) {
1323 oakley_delcert(iph1->cert_p);
1324 iph1->cert_p = NULL;
1327 iph1->cert_p = dnssec_getcert(iph1->id_p);
1328 if (iph1->cert_p == NULL) {
1329 plog(LLV_ERROR, LOCATION, NULL,
1330 "no CERT RR found.\n");
1331 return ISAKMP_INTERNAL_ERROR;
1335 plog(LLV_ERROR, LOCATION, NULL,
1336 "invalid getcert_mothod: %d\n",
1337 iph1->rmconf->getcert_method);
1338 return ISAKMP_INTERNAL_ERROR;
1341 /* compare ID payload and certificate name */
1342 if (iph1->rmconf->verify_cert &&
1343 (error = oakley_check_certid(iph1)) != 0)
1346 /* verify certificate */
1347 if (iph1->rmconf->verify_cert
1348 && iph1->rmconf->getcert_method == ISAKMP_GETCERT_PAYLOAD) {
1349 certtype = iph1->rmconf->certtype;
1350 #ifdef ENABLE_HYBRID
1351 switch (iph1->approval->authmethod) {
1352 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
1353 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
1354 certtype = iph1->cert_p->type;
1361 case ISAKMP_CERT_X509SIGN: {
1362 char path[MAXPATHLEN];
1365 if (iph1->rmconf->cacertfile != NULL) {
1366 getpathname(path, sizeof(path),
1368 iph1->rmconf->cacertfile);
1374 error = eay_check_x509cert(&iph1->cert_p->cert,
1375 lcconf->pathinfo[LC_PATHTYPE_CERT],
1381 plog(LLV_ERROR, LOCATION, NULL,
1382 "no supported certtype %d\n", certtype);
1383 return ISAKMP_INTERNAL_ERROR;
1386 plog(LLV_ERROR, LOCATION, NULL,
1387 "the peer's certificate is not verified.\n");
1388 return ISAKMP_NTYPE_INVALID_CERT_AUTHORITY;
1392 plog(LLV_DEBUG, LOCATION, NULL, "CERT validated\n");
1395 switch (iph1->etype) {
1396 case ISAKMP_ETYPE_IDENT:
1397 case ISAKMP_ETYPE_AGG:
1398 my_hash = oakley_ph1hash_common(iph1, VALIDATE);
1400 case ISAKMP_ETYPE_BASE:
1401 if (iph1->side == INITIATOR)
1402 my_hash = oakley_ph1hash_base_r(iph1, VALIDATE);
1404 my_hash = oakley_ph1hash_base_i(iph1, VALIDATE);
1407 plog(LLV_ERROR, LOCATION, NULL,
1408 "invalid etype %d\n", iph1->etype);
1409 return ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE;
1411 if (my_hash == NULL)
1412 return ISAKMP_INTERNAL_ERROR;
1415 certtype = iph1->rmconf->certtype;
1416 #ifdef ENABLE_HYBRID
1417 switch (iph1->approval->authmethod) {
1418 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
1419 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
1420 certtype = iph1->cert_p->type;
1426 /* check signature */
1428 case ISAKMP_CERT_X509SIGN:
1429 case ISAKMP_CERT_DNS:
1430 error = eay_check_x509sign(my_hash,
1432 &iph1->cert_p->cert);
1434 case ISAKMP_CERT_PLAINRSA:
1435 iph1->rsa_p = rsa_try_check_rsasign(my_hash,
1436 iph1->sig_p, iph1->rsa_candidates);
1437 error = iph1->rsa_p ? 0 : -1;
1441 plog(LLV_ERROR, LOCATION, NULL,
1442 "no supported certtype %d\n",
1445 return ISAKMP_INTERNAL_ERROR;
1450 plog(LLV_ERROR, LOCATION, NULL,
1452 return ISAKMP_NTYPE_INVALID_SIGNATURE;
1454 plog(LLV_DEBUG, LOCATION, NULL, "SIG authenticated\n");
1457 #ifdef ENABLE_HYBRID
1458 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
1459 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
1461 if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) {
1462 plog(LLV_ERROR, LOCATION, NULL, "No SIG was passed, "
1463 "hybrid auth is enabled, "
1464 "but peer is no Xauth compliant\n");
1465 return ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED;
1468 plog(LLV_INFO, LOCATION, NULL, "No SIG was passed, "
1469 "but hybrid auth is enabled\n");
1476 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
1477 switch (iph1->etype) {
1478 case ISAKMP_ETYPE_IDENT:
1479 case ISAKMP_ETYPE_AGG:
1480 my_hash = oakley_ph1hash_common(iph1, VALIDATE);
1483 plog(LLV_ERROR, LOCATION, NULL,
1484 "invalid etype %d\n", iph1->etype);
1485 return ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE;
1488 if (my_hash == NULL) {
1489 if (gssapi_more_tokens(iph1))
1490 return ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE;
1492 return ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
1495 gsshash = gssapi_unwraphash(iph1);
1496 if (gsshash == NULL) {
1498 return ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
1501 result = memcmp(my_hash->v, gsshash->v, my_hash->l);
1506 plog(LLV_ERROR, LOCATION, NULL, "HASH mismatched\n");
1507 return ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
1509 plog(LLV_DEBUG, LOCATION, NULL, "hash compared OK\n");
1512 case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
1513 case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
1514 if (iph1->id_p == NULL || iph1->pl_hash == NULL) {
1515 plog(LLV_ERROR, LOCATION, iph1->remote,
1516 "few isakmp message received.\n");
1517 return ISAKMP_NTYPE_PAYLOAD_MALFORMED;
1519 plog(LLV_ERROR, LOCATION, iph1->remote,
1520 "not supported authmethod type %s\n",
1521 s_oakley_attr_method(iph1->approval->authmethod));
1522 return ISAKMP_INTERNAL_ERROR;
1524 plog(LLV_ERROR, LOCATION, iph1->remote,
1525 "invalid authmethod %d why ?\n",
1526 iph1->approval->authmethod);
1527 return ISAKMP_INTERNAL_ERROR;
1530 gettimeofday(&end, NULL);
1531 syslog(LOG_NOTICE, "%s(%s): %8.6f", __func__,
1532 s_oakley_attr_method(iph1->approval->authmethod),
1533 timedelta(&start, &end));
1539 /* get my certificate
1540 * NOTE: include certificate type.
1543 oakley_getmycert(iph1)
1544 struct ph1handle *iph1;
1546 switch (iph1->rmconf->certtype) {
1547 case ISAKMP_CERT_X509SIGN:
1550 return get_cert_fromlocal(iph1, 1);
1552 case ISAKMP_CERT_PLAINRSA:
1555 return get_plainrsa_fromlocal(iph1, 1);
1558 plog(LLV_ERROR, LOCATION, NULL,
1559 "Unknown certtype #%d\n",
1560 iph1->rmconf->certtype);
1567 * get a CERT from local file.
1570 * my == 0 peer's cert.
1573 get_cert_fromlocal(iph1, my)
1574 struct ph1handle *iph1;
1577 char path[MAXPATHLEN];
1578 vchar_t *cert = NULL;
1584 certfile = iph1->rmconf->mycertfile;
1585 certpl = &iph1->cert;
1587 certfile = iph1->rmconf->peerscertfile;
1588 certpl = &iph1->cert_p;
1591 plog(LLV_ERROR, LOCATION, NULL, "no CERT defined.\n");
1595 switch (iph1->rmconf->certtype) {
1596 case ISAKMP_CERT_X509SIGN:
1597 case ISAKMP_CERT_DNS:
1598 /* make public file name */
1599 getpathname(path, sizeof(path), LC_PATHTYPE_CERT, certfile);
1600 cert = eay_get_x509cert(path);
1603 p = eay_get_x509text(cert);
1604 plog(LLV_DEBUG, LOCATION, NULL, "%s", p ? p : "\n");
1610 plog(LLV_ERROR, LOCATION, NULL,
1611 "not supported certtype %d\n",
1612 iph1->rmconf->certtype);
1617 plog(LLV_ERROR, LOCATION, NULL,
1618 "failed to get %s CERT.\n",
1619 my ? "my" : "peers");
1623 *certpl = oakley_newcert();
1625 plog(LLV_ERROR, LOCATION, NULL,
1626 "failed to get cert buffer.\n");
1629 (*certpl)->pl = vmalloc(cert->l + 1);
1630 if ((*certpl)->pl == NULL) {
1631 plog(LLV_ERROR, LOCATION, NULL,
1632 "failed to get cert buffer\n");
1633 oakley_delcert(*certpl);
1637 memcpy((*certpl)->pl->v + 1, cert->v, cert->l);
1638 (*certpl)->pl->v[0] = iph1->rmconf->certtype;
1639 (*certpl)->type = iph1->rmconf->certtype;
1640 (*certpl)->cert.v = (*certpl)->pl->v + 1;
1641 (*certpl)->cert.l = (*certpl)->pl->l - 1;
1643 plog(LLV_DEBUG, LOCATION, NULL, "created CERT payload:\n");
1644 plogdump(LLV_DEBUG, (*certpl)->pl->v, (*certpl)->pl->l);
1656 get_plainrsa_fromlocal(iph1, my)
1657 struct ph1handle *iph1;
1660 char path[MAXPATHLEN];
1661 vchar_t *cert = NULL;
1665 iph1->rsa_candidates = rsa_lookup_keys(iph1, my);
1666 if (!iph1->rsa_candidates || rsa_list_count(iph1->rsa_candidates) == 0) {
1667 plog(LLV_ERROR, LOCATION, NULL,
1668 "%s RSA key not found for %s\n",
1669 my ? "Private" : "Public",
1670 saddr2str_fromto("%s <-> %s", iph1->local, iph1->remote));
1674 if (my && rsa_list_count(iph1->rsa_candidates) > 1) {
1675 plog(LLV_WARNING, LOCATION, NULL,
1676 "More than one (=%lu) private PlainRSA key found for %s\n",
1677 rsa_list_count(iph1->rsa_candidates),
1678 saddr2str_fromto("%s <-> %s", iph1->local, iph1->remote));
1679 plog(LLV_WARNING, LOCATION, NULL,
1680 "This may have unpredictable results, i.e. wrong key could be used!\n");
1681 plog(LLV_WARNING, LOCATION, NULL,
1682 "Consider using only one single private key for all peers...\n");
1685 iph1->rsa = ((struct rsa_key *)genlist_next(iph1->rsa_candidates, NULL))->rsa;
1686 genlist_free(iph1->rsa_candidates, NULL);
1687 iph1->rsa_candidates = NULL;
1698 oakley_getsign(iph1)
1699 struct ph1handle *iph1;
1701 char path[MAXPATHLEN];
1702 vchar_t *privkey = NULL;
1705 switch (iph1->rmconf->certtype) {
1706 case ISAKMP_CERT_X509SIGN:
1707 case ISAKMP_CERT_DNS:
1708 if (iph1->rmconf->myprivfile == NULL) {
1709 plog(LLV_ERROR, LOCATION, NULL, "no cert defined.\n");
1713 /* make private file name */
1714 getpathname(path, sizeof(path),
1716 iph1->rmconf->myprivfile);
1717 privkey = eay_get_pkcs1privkey(path);
1718 if (privkey == NULL) {
1719 plog(LLV_ERROR, LOCATION, NULL,
1720 "failed to get private key.\n");
1723 plog(LLV_DEBUG2, LOCATION, NULL, "private key:\n");
1724 plogdump(LLV_DEBUG2, privkey->v, privkey->l);
1726 iph1->sig = eay_get_x509sign(iph1->hash, privkey);
1728 case ISAKMP_CERT_PLAINRSA:
1729 iph1->sig = eay_get_rsasign(iph1->hash, iph1->rsa);
1732 plog(LLV_ERROR, LOCATION, NULL,
1733 "Unknown certtype #%d\n",
1734 iph1->rmconf->certtype);
1738 if (iph1->sig == NULL) {
1739 plog(LLV_ERROR, LOCATION, NULL, "failed to sign.\n");
1743 plog(LLV_DEBUG, LOCATION, NULL, "SIGN computed:\n");
1744 plogdump(LLV_DEBUG, iph1->sig->v, iph1->sig->l);
1749 if (privkey != NULL)
1756 * compare certificate name and ID value.
1759 oakley_check_certid(iph1)
1760 struct ph1handle *iph1;
1762 struct ipsecdoi_id_b *id_b;
1763 vchar_t *name = NULL;
1764 char *altname = NULL;
1768 if (iph1->id_p == NULL || iph1->cert_p == NULL) {
1769 plog(LLV_ERROR, LOCATION, NULL, "no ID nor CERT found.\n");
1770 return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
1773 id_b = (struct ipsecdoi_id_b *)iph1->id_p->v;
1774 idlen = iph1->id_p->l - sizeof(*id_b);
1776 switch (id_b->type) {
1777 case IPSECDOI_ID_DER_ASN1_DN:
1778 name = eay_get_x509asn1subjectname(&iph1->cert_p->cert);
1780 plog(LLV_ERROR, LOCATION, NULL,
1781 "failed to get subjectName\n");
1782 return ISAKMP_NTYPE_INVALID_CERTIFICATE;
1784 if (idlen != name->l) {
1785 plog(LLV_ERROR, LOCATION, NULL,
1786 "Invalid ID length in phase 1.\n");
1788 return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
1790 error = memcmp(id_b + 1, name->v, idlen);
1793 plog(LLV_ERROR, LOCATION, NULL,
1794 "ID mismatched with subjectAltName.\n");
1795 return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
1798 case IPSECDOI_ID_IPV4_ADDR:
1799 case IPSECDOI_ID_IPV6_ADDR:
1802 * converting to binary from string because openssl return
1803 * a string even if object is a binary.
1804 * XXX fix it ! access by ASN.1 directly without.
1806 struct addrinfo hints, *res;
1810 for (pos = 1; ; pos++) {
1811 if (eay_get_x509subjectaltname(&iph1->cert_p->cert,
1812 &altname, &type, pos) !=0) {
1813 plog(LLV_ERROR, LOCATION, NULL,
1814 "failed to get subjectAltName\n");
1815 return ISAKMP_NTYPE_INVALID_CERTIFICATE;
1818 /* it's the end condition of the loop. */
1820 plog(LLV_ERROR, LOCATION, NULL,
1821 "no proper subjectAltName.\n");
1822 return ISAKMP_NTYPE_INVALID_CERTIFICATE;
1825 if (check_typeofcertname(id_b->type, type) == 0)
1829 racoon_free(altname);
1832 memset(&hints, 0, sizeof(hints));
1833 hints.ai_family = PF_UNSPEC;
1834 hints.ai_socktype = SOCK_RAW;
1835 hints.ai_flags = AI_NUMERICHOST;
1836 error = getaddrinfo(altname, NULL, &hints, &res);
1838 plog(LLV_ERROR, LOCATION, NULL,
1839 "no proper subjectAltName.\n");
1840 racoon_free(altname);
1841 return ISAKMP_NTYPE_INVALID_CERTIFICATE;
1843 switch (res->ai_family) {
1845 a = (caddr_t)&((struct sockaddr_in *)res->ai_addr)->sin_addr.s_addr;
1849 a = (caddr_t)&((struct sockaddr_in6 *)res->ai_addr)->sin6_addr.s6_addr;
1853 plog(LLV_ERROR, LOCATION, NULL,
1854 "family not supported: %d.\n", res->ai_family);
1855 racoon_free(altname);
1857 return ISAKMP_NTYPE_INVALID_CERTIFICATE;
1859 error = memcmp(id_b + 1, a, idlen);
1863 plog(LLV_ERROR, LOCATION, NULL,
1864 "ID mismatched with subjectAltName.\n");
1865 return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
1869 case IPSECDOI_ID_FQDN:
1870 case IPSECDOI_ID_USER_FQDN:
1874 for (pos = 1; ; pos++) {
1875 if (eay_get_x509subjectaltname(&iph1->cert_p->cert,
1876 &altname, &type, pos) != 0){
1877 plog(LLV_ERROR, LOCATION, NULL,
1878 "failed to get subjectAltName\n");
1879 return ISAKMP_NTYPE_INVALID_CERTIFICATE;
1882 /* it's the end condition of the loop. */
1884 plog(LLV_ERROR, LOCATION, NULL,
1885 "no proper subjectAltName.\n");
1886 return ISAKMP_NTYPE_INVALID_CERTIFICATE;
1889 if (check_typeofcertname(id_b->type, type) == 0)
1893 racoon_free(altname);
1896 if (idlen != strlen(altname)) {
1897 plog(LLV_ERROR, LOCATION, NULL,
1898 "Invalid ID length in phase 1.\n");
1899 racoon_free(altname);
1900 return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
1902 if (check_typeofcertname(id_b->type, type) != 0) {
1903 plog(LLV_ERROR, LOCATION, NULL,
1904 "ID type mismatched. ID: %s CERT: %s.\n",
1905 s_ipsecdoi_ident(id_b->type),
1906 s_ipsecdoi_ident(type));
1907 racoon_free(altname);
1908 return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
1910 error = memcmp(id_b + 1, altname, idlen);
1912 plog(LLV_ERROR, LOCATION, NULL, "ID mismatched.\n");
1913 racoon_free(altname);
1914 return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
1916 racoon_free(altname);
1920 plog(LLV_ERROR, LOCATION, NULL,
1921 "Inpropper ID type passed: %s.\n",
1922 s_ipsecdoi_ident(id_b->type));
1923 return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
1929 check_typeofcertname(doi, genid)
1933 case IPSECDOI_ID_IPV4_ADDR:
1934 case IPSECDOI_ID_IPV4_ADDR_SUBNET:
1935 case IPSECDOI_ID_IPV6_ADDR:
1936 case IPSECDOI_ID_IPV6_ADDR_SUBNET:
1937 case IPSECDOI_ID_IPV4_ADDR_RANGE:
1938 case IPSECDOI_ID_IPV6_ADDR_RANGE:
1939 if (genid != GENT_IPADD)
1942 case IPSECDOI_ID_FQDN:
1943 if (genid != GENT_DNS)
1946 case IPSECDOI_ID_USER_FQDN:
1947 if (genid != GENT_EMAIL)
1950 case IPSECDOI_ID_DER_ASN1_DN: /* should not be passed to this function*/
1951 case IPSECDOI_ID_DER_ASN1_GN:
1952 case IPSECDOI_ID_KEY_ID:
1960 * save certificate including certificate type.
1963 oakley_savecert(iph1, gen)
1964 struct ph1handle *iph1;
1965 struct isakmp_gen *gen;
1970 type = *(u_int8_t *)(gen + 1) & 0xff;
1973 case ISAKMP_CERT_DNS:
1974 plog(LLV_WARNING, LOCATION, NULL,
1975 "CERT payload is unnecessary in DNSSEC. "
1976 "ignore this CERT payload.\n");
1978 case ISAKMP_CERT_PKCS7:
1979 case ISAKMP_CERT_PGP:
1980 case ISAKMP_CERT_X509SIGN:
1981 case ISAKMP_CERT_KERBEROS:
1982 case ISAKMP_CERT_SPKI:
1985 case ISAKMP_CERT_CRL:
1988 case ISAKMP_CERT_X509KE:
1989 case ISAKMP_CERT_X509ATTR:
1990 case ISAKMP_CERT_ARL:
1991 plog(LLV_ERROR, LOCATION, NULL,
1992 "No supported such CERT type %d\n", type);
1995 plog(LLV_ERROR, LOCATION, NULL,
1996 "Invalid CERT type %d\n", type);
2000 /* XXX choice the 1th cert, ignore after the cert. */
2001 /* XXX should be processed. */
2003 plog(LLV_WARNING, LOCATION, NULL,
2004 "ignore 2nd CERT payload.\n");
2008 *c = save_certbuf(gen);
2010 plog(LLV_ERROR, LOCATION, NULL,
2011 "Failed to get CERT buffer.\n");
2015 switch ((*c)->type) {
2016 case ISAKMP_CERT_DNS:
2017 plog(LLV_WARNING, LOCATION, NULL,
2018 "CERT payload is unnecessary in DNSSEC. "
2021 case ISAKMP_CERT_PKCS7:
2022 case ISAKMP_CERT_PGP:
2023 case ISAKMP_CERT_X509SIGN:
2024 case ISAKMP_CERT_KERBEROS:
2025 case ISAKMP_CERT_SPKI:
2026 /* Ignore cert if it doesn't match identity
2027 * XXX If verify cert is disabled, we still just take
2028 * the first certificate....
2030 if(iph1->rmconf->verify_cert &&
2031 oakley_check_certid(iph1)){
2032 plog(LLV_DEBUG, LOCATION, NULL,
2033 "Discarding CERT: does not match ID.\n");
2034 oakley_delcert((*c));
2038 plog(LLV_DEBUG, LOCATION, NULL, "CERT saved:\n");
2039 plogdump(LLV_DEBUG, (*c)->cert.v, (*c)->cert.l);
2041 char *p = eay_get_x509text(&(*c)->cert);
2042 plog(LLV_DEBUG, LOCATION, NULL, "%s", p ? p : "\n");
2046 case ISAKMP_CERT_CRL:
2047 plog(LLV_DEBUG, LOCATION, NULL, "CRL saved:\n");
2048 plogdump(LLV_DEBUG, (*c)->cert.v, (*c)->cert.l);
2050 case ISAKMP_CERT_X509KE:
2051 case ISAKMP_CERT_X509ATTR:
2052 case ISAKMP_CERT_ARL:
2055 oakley_delcert((*c));
2064 * save certificate including certificate type.
2067 oakley_savecr(iph1, gen)
2068 struct ph1handle *iph1;
2069 struct isakmp_gen *gen;
2074 type = *(u_int8_t *)(gen + 1) & 0xff;
2077 case ISAKMP_CERT_DNS:
2078 plog(LLV_WARNING, LOCATION, NULL,
2079 "CERT payload is unnecessary in DNSSEC\n");
2081 case ISAKMP_CERT_PKCS7:
2082 case ISAKMP_CERT_PGP:
2083 case ISAKMP_CERT_X509SIGN:
2084 case ISAKMP_CERT_KERBEROS:
2085 case ISAKMP_CERT_SPKI:
2088 case ISAKMP_CERT_X509KE:
2089 case ISAKMP_CERT_X509ATTR:
2090 case ISAKMP_CERT_ARL:
2091 plog(LLV_ERROR, LOCATION, NULL,
2092 "No supported such CR type %d\n", type);
2094 case ISAKMP_CERT_CRL:
2096 plog(LLV_ERROR, LOCATION, NULL,
2097 "Invalid CR type %d\n", type);
2101 *c = save_certbuf(gen);
2103 plog(LLV_ERROR, LOCATION, NULL,
2104 "Failed to get CR buffer.\n");
2108 plog(LLV_DEBUG, LOCATION, NULL, "CR saved:\n");
2109 plogdump(LLV_DEBUG, (*c)->cert.v, (*c)->cert.l);
2116 struct isakmp_gen *gen;
2120 new = oakley_newcert();
2122 plog(LLV_ERROR, LOCATION, NULL,
2123 "Failed to get CERT buffer.\n");
2127 new->pl = vmalloc(ntohs(gen->len) - sizeof(*gen));
2128 if (new->pl == NULL) {
2129 plog(LLV_ERROR, LOCATION, NULL,
2130 "Failed to copy CERT from packet.\n");
2131 oakley_delcert(new);
2135 memcpy(new->pl->v, gen + 1, new->pl->l);
2136 new->type = new->pl->v[0] & 0xff;
2137 new->cert.v = new->pl->v + 1;
2138 new->cert.l = new->pl->l - 1;
2145 * NOTE: No Certificate Authority field is included to CR payload at the
2146 * moment. Becuase any certificate authority are accepted without any check.
2147 * The section 3.10 in RFC2408 says that this field SHOULD not be included,
2148 * if there is no specific certificate authority requested.
2152 struct ph1handle *iph1;
2158 plog(LLV_ERROR, LOCATION, NULL,
2159 "failed to get cr buffer\n");
2162 buf->v[0] = iph1->rmconf->certtype;
2164 plog(LLV_DEBUG, LOCATION, NULL, "create my CR: %s\n",
2165 s_isakmp_certtype(iph1->rmconf->certtype));
2167 plogdump(LLV_DEBUG, buf->v, buf->l);
2176 oakley_checkcr(iph1)
2177 struct ph1handle *iph1;
2179 if (iph1->cr_p == NULL)
2182 plog(LLV_DEBUG, LOCATION, iph1->remote,
2183 "peer transmitted CR: %s\n",
2184 s_isakmp_certtype(iph1->cr_p->type));
2186 if (iph1->cr_p->type != iph1->rmconf->certtype) {
2187 plog(LLV_ERROR, LOCATION, iph1->remote,
2188 "such a cert type isn't supported: %d\n",
2189 (char)iph1->cr_p->type);
2197 * check to need CR payload.
2204 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
2205 case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
2206 #ifdef ENABLE_HYBRID
2207 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
2208 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
2219 * see seciton 5. Exchanges in RFC 2409
2220 * psk: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
2221 * sig: SKEYID = prf(Ni_b | Nr_b, g^ir)
2222 * enc: SKEYID = prf(H(Ni_b | Nr_b), CKY-I | CKY-R)
2226 struct ph1handle *iph1;
2228 vchar_t *buf = NULL, *bp;
2234 switch(iph1->approval->authmethod) {
2235 case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
2236 if (iph1->etype != ISAKMP_ETYPE_IDENT) {
2237 iph1->authstr = getpskbyname(iph1->id_p);
2238 if (iph1->authstr == NULL) {
2239 if (iph1->rmconf->verify_identifier) {
2240 plog(LLV_ERROR, LOCATION, iph1->remote,
2241 "couldn't find the pskey.\n");
2244 plog(LLV_NOTIFY, LOCATION, iph1->remote,
2245 "couldn't find the proper pskey, "
2246 "try to get one by the peer's address.\n");
2249 if (iph1->authstr == NULL) {
2251 * If the exchange type is the main mode or if it's
2252 * failed to get the psk by ID, racoon try to get
2253 * the psk by remote IP address.
2254 * It may be nonsense.
2256 iph1->authstr = getpskbyaddr(iph1->remote);
2257 if (iph1->authstr == NULL) {
2258 plog(LLV_ERROR, LOCATION, iph1->remote,
2259 "couldn't find the pskey for %s.\n",
2260 saddrwop2str(iph1->remote));
2264 plog(LLV_DEBUG, LOCATION, NULL, "the psk found.\n");
2265 /* should be secret PSK */
2266 plog(LLV_DEBUG2, LOCATION, NULL, "psk: ");
2267 plogdump(LLV_DEBUG2, iph1->authstr->v, iph1->authstr->l);
2269 len = iph1->nonce->l + iph1->nonce_p->l;
2272 plog(LLV_ERROR, LOCATION, NULL,
2273 "failed to get skeyid buffer\n");
2278 bp = (iph1->side == INITIATOR ? iph1->nonce : iph1->nonce_p);
2279 plog(LLV_DEBUG, LOCATION, NULL, "nonce 1: ");
2280 plogdump(LLV_DEBUG, bp->v, bp->l);
2281 memcpy(p, bp->v, bp->l);
2284 bp = (iph1->side == INITIATOR ? iph1->nonce_p : iph1->nonce);
2285 plog(LLV_DEBUG, LOCATION, NULL, "nonce 2: ");
2286 plogdump(LLV_DEBUG, bp->v, bp->l);
2287 memcpy(p, bp->v, bp->l);
2290 iph1->skeyid = oakley_prf(iph1->authstr, buf, iph1);
2291 if (iph1->skeyid == NULL)
2295 case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
2296 case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
2297 #ifdef ENABLE_HYBRID
2298 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
2299 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
2300 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
2301 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
2304 case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
2306 len = iph1->nonce->l + iph1->nonce_p->l;
2309 plog(LLV_ERROR, LOCATION, NULL,
2310 "failed to get nonce buffer\n");
2315 bp = (iph1->side == INITIATOR ? iph1->nonce : iph1->nonce_p);
2316 plog(LLV_DEBUG, LOCATION, NULL, "nonce1: ");
2317 plogdump(LLV_DEBUG, bp->v, bp->l);
2318 memcpy(p, bp->v, bp->l);
2321 bp = (iph1->side == INITIATOR ? iph1->nonce_p : iph1->nonce);
2322 plog(LLV_DEBUG, LOCATION, NULL, "nonce2: ");
2323 plogdump(LLV_DEBUG, bp->v, bp->l);
2324 memcpy(p, bp->v, bp->l);
2327 iph1->skeyid = oakley_prf(buf, iph1->dhgxy, iph1);
2328 if (iph1->skeyid == NULL)
2331 case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
2332 case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
2333 plog(LLV_WARNING, LOCATION, NULL,
2334 "not supported authentication method %s\n",
2335 s_oakley_attr_method(iph1->approval->authmethod));
2338 plog(LLV_ERROR, LOCATION, NULL,
2339 "invalid authentication method %d\n",
2340 iph1->approval->authmethod);
2344 plog(LLV_DEBUG, LOCATION, NULL, "SKEYID computed:\n");
2345 plogdump(LLV_DEBUG, iph1->skeyid->v, iph1->skeyid->l);
2356 * compute SKEYID_[dae]
2357 * see seciton 5. Exchanges in RFC 2409
2358 * SKEYID_d = prf(SKEYID, g^ir | CKY-I | CKY-R | 0)
2359 * SKEYID_a = prf(SKEYID, SKEYID_d | g^ir | CKY-I | CKY-R | 1)
2360 * SKEYID_e = prf(SKEYID, SKEYID_a | g^ir | CKY-I | CKY-R | 2)
2363 oakley_skeyid_dae(iph1)
2364 struct ph1handle *iph1;
2366 vchar_t *buf = NULL;
2371 if (iph1->skeyid == NULL) {
2372 plog(LLV_ERROR, LOCATION, NULL, "no SKEYID found.\n");
2377 /* SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0) */
2378 len = iph1->dhgxy->l + sizeof(cookie_t) * 2 + 1;
2381 plog(LLV_ERROR, LOCATION, NULL,
2382 "failed to get skeyid buffer\n");
2387 memcpy(p, iph1->dhgxy->v, iph1->dhgxy->l);
2388 p += iph1->dhgxy->l;
2389 memcpy(p, (caddr_t)&iph1->index.i_ck, sizeof(cookie_t));
2390 p += sizeof(cookie_t);
2391 memcpy(p, (caddr_t)&iph1->index.r_ck, sizeof(cookie_t));
2392 p += sizeof(cookie_t);
2394 iph1->skeyid_d = oakley_prf(iph1->skeyid, buf, iph1);
2395 if (iph1->skeyid_d == NULL)
2401 plog(LLV_DEBUG, LOCATION, NULL, "SKEYID_d computed:\n");
2402 plogdump(LLV_DEBUG, iph1->skeyid_d->v, iph1->skeyid->l);
2405 /* SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1) */
2406 len = iph1->skeyid_d->l + iph1->dhgxy->l + sizeof(cookie_t) * 2 + 1;
2409 plog(LLV_ERROR, LOCATION, NULL,
2410 "failed to get skeyid buffer\n");
2414 memcpy(p, iph1->skeyid_d->v, iph1->skeyid_d->l);
2415 p += iph1->skeyid_d->l;
2416 memcpy(p, iph1->dhgxy->v, iph1->dhgxy->l);
2417 p += iph1->dhgxy->l;
2418 memcpy(p, (caddr_t)&iph1->index.i_ck, sizeof(cookie_t));
2419 p += sizeof(cookie_t);
2420 memcpy(p, (caddr_t)&iph1->index.r_ck, sizeof(cookie_t));
2421 p += sizeof(cookie_t);
2423 iph1->skeyid_a = oakley_prf(iph1->skeyid, buf, iph1);
2424 if (iph1->skeyid_a == NULL)
2430 plog(LLV_DEBUG, LOCATION, NULL, "SKEYID_a computed:\n");
2431 plogdump(LLV_DEBUG, iph1->skeyid_a->v, iph1->skeyid_a->l);
2434 /* SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2) */
2435 len = iph1->skeyid_a->l + iph1->dhgxy->l + sizeof(cookie_t) * 2 + 1;
2438 plog(LLV_ERROR, LOCATION, NULL,
2439 "failed to get skeyid buffer\n");
2443 memcpy(p, iph1->skeyid_a->v, iph1->skeyid_a->l);
2444 p += iph1->skeyid_a->l;
2445 memcpy(p, iph1->dhgxy->v, iph1->dhgxy->l);
2446 p += iph1->dhgxy->l;
2447 memcpy(p, (caddr_t)&iph1->index.i_ck, sizeof(cookie_t));
2448 p += sizeof(cookie_t);
2449 memcpy(p, (caddr_t)&iph1->index.r_ck, sizeof(cookie_t));
2450 p += sizeof(cookie_t);
2452 iph1->skeyid_e = oakley_prf(iph1->skeyid, buf, iph1);
2453 if (iph1->skeyid_e == NULL)
2459 plog(LLV_DEBUG, LOCATION, NULL, "SKEYID_e computed:\n");
2460 plogdump(LLV_DEBUG, iph1->skeyid_e->v, iph1->skeyid_e->l);
2471 * compute final encryption key.
2475 oakley_compute_enckey(iph1)
2476 struct ph1handle *iph1;
2478 u_int keylen, prflen;
2482 keylen = alg_oakley_encdef_keylen(iph1->approval->enctype,
2483 iph1->approval->encklen);
2485 plog(LLV_ERROR, LOCATION, NULL,
2486 "invalid encryption algoritym %d, "
2487 "or invalid key length %d.\n",
2488 iph1->approval->enctype,
2489 iph1->approval->encklen);
2492 iph1->key = vmalloc(keylen >> 3);
2493 if (iph1->key == NULL) {
2494 plog(LLV_ERROR, LOCATION, NULL,
2495 "failed to get key buffer\n");
2499 /* set prf length */
2500 prflen = alg_oakley_hashdef_hashlen(iph1->approval->hashtype);
2502 plog(LLV_ERROR, LOCATION, NULL,
2503 "invalid hash type %d.\n", iph1->approval->hashtype);
2507 /* see isakmp-oakley-08 5.3. */
2508 if (iph1->key->l <= iph1->skeyid_e->l) {
2510 * if length(Ka) <= length(SKEYID_e)
2511 * Ka = first length(K) bit of SKEYID_e
2513 memcpy(iph1->key->v, iph1->skeyid_e->v, iph1->key->l);
2515 vchar_t *buf = NULL, *res = NULL;
2524 * K1 = prf(SKEYID_e, 0)
2525 * K2 = prf(SKEYID_e, K1)
2526 * K3 = prf(SKEYID_e, K2)
2528 plog(LLV_DEBUG, LOCATION, NULL,
2529 "len(SKEYID_e) < len(Ka) (%zu < %zu), "
2530 "generating long key (Ka = K1 | K2 | ...)\n",
2531 iph1->skeyid_e->l, iph1->key->l);
2533 if ((buf = vmalloc(prflen >> 3)) == 0) {
2534 plog(LLV_ERROR, LOCATION, NULL,
2535 "failed to get key buffer\n");
2538 p = (u_char *)iph1->key->v;
2539 ep = p + iph1->key->l;
2543 if (p == (u_char *)iph1->key->v) {
2544 /* just for computing K1 */
2548 res = oakley_prf(iph1->skeyid_e, buf, iph1);
2553 plog(LLV_DEBUG, LOCATION, NULL,
2554 "compute intermediate encryption key K%d\n",
2556 plogdump(LLV_DEBUG, buf->v, buf->l);
2557 plogdump(LLV_DEBUG, res->v, res->l);
2559 cplen = (res->l < ep - p) ? res->l : ep - p;
2560 memcpy(p, res->v, cplen);
2563 buf->l = prflen >> 3; /* to cancel K1 speciality */
2564 if (res->l != buf->l) {
2565 plog(LLV_ERROR, LOCATION, NULL,
2566 "internal error: res->l=%zu buf->l=%zu\n",
2572 memcpy(buf->v, res->v, res->l);
2581 * don't check any weak key or not.
2582 * draft-ietf-ipsec-ike-01.txt Appendix B.
2583 * draft-ietf-ipsec-ciph-aes-cbc-00.txt Section 2.3.
2587 if (iph1->approval->enctype > ARRAYLEN(oakley_encdef)
2588 || oakley_encdef[iph1->approval->enctype].weakkey == NULL) {
2589 plog(LLV_ERROR, LOCATION, NULL,
2590 "encryption algoritym %d isn't supported.\n",
2591 iph1->approval->enctype);
2594 if ((oakley_encdef[iph1->approval->enctype].weakkey)(iph1->key)) {
2595 plog(LLV_ERROR, LOCATION, NULL,
2596 "weakkey was generated.\n");
2601 plog(LLV_DEBUG, LOCATION, NULL, "final encryption key computed:\n");
2602 plogdump(LLV_DEBUG, iph1->key->v, iph1->key->l);
2610 /* allocated new buffer for CERT */
2616 new = racoon_calloc(1, sizeof(*new));
2618 plog(LLV_ERROR, LOCATION, NULL,
2619 "failed to get cert's buffer\n");
2628 /* delete buffer for CERT */
2630 oakley_delcert(cert)
2641 * compute IV and set to ph1handle
2642 * IV = hash(g^xi | g^xr)
2643 * see 4.1 Phase 1 state in draft-ietf-ipsec-ike.
2647 struct ph1handle *iph1;
2649 struct isakmp_ivm *newivm = NULL;
2650 vchar_t *buf = NULL, *bp;
2655 len = iph1->dhpub->l + iph1->dhpub_p->l;
2658 plog(LLV_ERROR, LOCATION, NULL,
2659 "failed to get iv buffer\n");
2665 bp = (iph1->side == INITIATOR ? iph1->dhpub : iph1->dhpub_p);
2666 memcpy(p, bp->v, bp->l);
2669 bp = (iph1->side == INITIATOR ? iph1->dhpub_p : iph1->dhpub);
2670 memcpy(p, bp->v, bp->l);
2674 newivm = racoon_calloc(1, sizeof(struct isakmp_ivm));
2675 if (newivm == NULL) {
2676 plog(LLV_ERROR, LOCATION, NULL,
2677 "failed to get iv buffer\n");
2683 newivm->iv = oakley_hash(buf, iph1);
2684 if (newivm->iv == NULL) {
2686 oakley_delivm(newivm);
2690 /* adjust length of iv */
2691 newivm->iv->l = alg_oakley_encdef_blocklen(iph1->approval->enctype);
2692 if (newivm->iv->l == -1) {
2693 plog(LLV_ERROR, LOCATION, NULL,
2694 "invalid encryption algoriym %d.\n",
2695 iph1->approval->enctype);
2697 oakley_delivm(newivm);
2701 /* create buffer to save iv */
2702 if ((newivm->ive = vdup(newivm->iv)) == NULL) {
2703 plog(LLV_ERROR, LOCATION, NULL,
2704 "vdup (%s)\n", strerror(errno));
2706 oakley_delivm(newivm);
2712 plog(LLV_DEBUG, LOCATION, NULL, "IV computed:\n");
2713 plogdump(LLV_DEBUG, newivm->iv->v, newivm->iv->l);
2721 * compute IV for the payload after phase 1.
2722 * It's not limited for phase 2.
2723 * if pahse 1 was encrypted.
2724 * IV = hash(last CBC block of Phase 1 | M-ID)
2725 * if phase 1 was not encrypted.
2726 * IV = hash(phase 1 IV | M-ID)
2727 * see 4.2 Phase 2 state in draft-ietf-ipsec-ike.
2730 oakley_newiv2(iph1, msgid)
2731 struct ph1handle *iph1;
2734 struct isakmp_ivm *newivm = NULL;
2735 vchar_t *buf = NULL;
2741 len = iph1->ivm->iv->l + sizeof(msgid_t);
2744 plog(LLV_ERROR, LOCATION, NULL,
2745 "failed to get iv buffer\n");
2751 memcpy(p, iph1->ivm->iv->v, iph1->ivm->iv->l);
2752 p += iph1->ivm->iv->l;
2754 memcpy(p, &msgid, sizeof(msgid));
2756 plog(LLV_DEBUG, LOCATION, NULL, "compute IV for phase2\n");
2757 plog(LLV_DEBUG, LOCATION, NULL, "phase1 last IV:\n");
2758 plogdump(LLV_DEBUG, buf->v, buf->l);
2761 newivm = racoon_calloc(1, sizeof(struct isakmp_ivm));
2762 if (newivm == NULL) {
2763 plog(LLV_ERROR, LOCATION, NULL,
2764 "failed to get iv buffer\n");
2769 if ((newivm->iv = oakley_hash(buf, iph1)) == NULL)
2772 /* adjust length of iv */
2773 newivm->iv->l = alg_oakley_encdef_blocklen(iph1->approval->enctype);
2774 if (newivm->iv->l == -1) {
2775 plog(LLV_ERROR, LOCATION, NULL,
2776 "invalid encryption algoriym %d.\n",
2777 iph1->approval->enctype);
2781 /* create buffer to save new iv */
2782 if ((newivm->ive = vdup(newivm->iv)) == NULL) {
2783 plog(LLV_ERROR, LOCATION, NULL, "vdup (%s)\n", strerror(errno));
2789 plog(LLV_DEBUG, LOCATION, NULL, "phase2 IV computed:\n");
2790 plogdump(LLV_DEBUG, newivm->iv->v, newivm->iv->l);
2793 if (error && newivm != NULL){
2794 oakley_delivm(newivm);
2804 struct isakmp_ivm *ivm;
2809 if (ivm->iv != NULL)
2811 if (ivm->ive != NULL)
2820 * save new iv and old iv.
2823 oakley_do_decrypt(iph1, msg, ivdp, ivep)
2824 struct ph1handle *iph1;
2825 vchar_t *msg, *ivdp, *ivep;
2827 vchar_t *buf = NULL, *new = NULL;
2834 plog(LLV_DEBUG, LOCATION, NULL, "begin decryption.\n");
2836 blen = alg_oakley_encdef_blocklen(iph1->approval->enctype);
2838 plog(LLV_ERROR, LOCATION, NULL,
2839 "invalid encryption algoriym %d.\n",
2840 iph1->approval->enctype);
2844 /* save IV for next, but not sync. */
2845 memset(ivep->v, 0, ivep->l);
2846 memcpy(ivep->v, (caddr_t)&msg->v[msg->l - blen], blen);
2848 plog(LLV_DEBUG, LOCATION, NULL,
2849 "IV was saved for next processing:\n");
2850 plogdump(LLV_DEBUG, ivep->v, ivep->l);
2852 pl = msg->v + sizeof(struct isakmp);
2854 len = msg->l - sizeof(struct isakmp);
2859 plog(LLV_ERROR, LOCATION, NULL,
2860 "failed to get buffer to decrypt.\n");
2863 memcpy(buf->v, pl, len);
2866 new = alg_oakley_encdef_decrypt(iph1->approval->enctype,
2867 buf, iph1->key, ivdp);
2869 plog(LLV_ERROR, LOCATION, NULL,
2870 "decryption %d failed.\n", iph1->approval->enctype);
2873 plog(LLV_DEBUG, LOCATION, NULL, "with key:\n");
2874 plogdump(LLV_DEBUG, iph1->key->v, iph1->key->l);
2881 plog(LLV_DEBUG, LOCATION, NULL, "decrypted payload by IV:\n");
2882 plogdump(LLV_DEBUG, ivdp->v, ivdp->l);
2884 plog(LLV_DEBUG, LOCATION, NULL,
2885 "decrypted payload, but not trimed.\n");
2886 plogdump(LLV_DEBUG, new->v, new->l);
2888 /* get padding length */
2889 if (lcconf->pad_excltail)
2890 padlen = new->v[new->l - 1] + 1;
2892 padlen = new->v[new->l - 1];
2893 plog(LLV_DEBUG, LOCATION, NULL, "padding len=%u\n", padlen);
2896 if (lcconf->pad_strict) {
2897 if (padlen > new->l) {
2898 plog(LLV_ERROR, LOCATION, NULL,
2899 "invalied padding len=%u, buflen=%zu.\n",
2901 plogdump(LLV_ERROR, new->v, new->l);
2905 plog(LLV_DEBUG, LOCATION, NULL, "trimmed padding\n");
2907 plog(LLV_DEBUG, LOCATION, NULL, "skip to trim padding.\n");
2910 /* create new buffer */
2911 len = sizeof(struct isakmp) + new->l;
2914 plog(LLV_ERROR, LOCATION, NULL,
2915 "failed to get buffer to decrypt.\n");
2918 memcpy(buf->v, msg->v, sizeof(struct isakmp));
2919 memcpy(buf->v + sizeof(struct isakmp), new->v, new->l);
2920 ((struct isakmp *)buf->v)->len = htonl(buf->l);
2922 plog(LLV_DEBUG, LOCATION, NULL, "decrypted.\n");
2923 plogdump(LLV_DEBUG, buf->v, buf->l);
2925 #ifdef HAVE_PRINT_ISAKMP_C
2926 isakmp_printpacket(buf, iph1->remote, iph1->local, 1);
2932 if (error && buf != NULL) {
2946 oakley_do_encrypt(iph1, msg, ivep, ivp)
2947 struct ph1handle *iph1;
2948 vchar_t *msg, *ivep, *ivp;
2950 vchar_t *buf = 0, *new = 0;
2957 plog(LLV_DEBUG, LOCATION, NULL, "begin encryption.\n");
2959 /* set cbc block length */
2960 blen = alg_oakley_encdef_blocklen(iph1->approval->enctype);
2962 plog(LLV_ERROR, LOCATION, NULL,
2963 "invalid encryption algoriym %d.\n",
2964 iph1->approval->enctype);
2968 pl = msg->v + sizeof(struct isakmp);
2969 len = msg->l - sizeof(struct isakmp);
2972 padlen = oakley_padlen(len, blen);
2973 plog(LLV_DEBUG, LOCATION, NULL, "pad length = %u\n", padlen);
2976 buf = vmalloc(len + padlen);
2978 plog(LLV_ERROR, LOCATION, NULL,
2979 "failed to get buffer to encrypt.\n");
2984 char *p = &buf->v[len];
2985 if (lcconf->pad_random) {
2986 for (i = 0; i < padlen; i++)
2987 *p++ = eay_random() & 0xff;
2990 memcpy(buf->v, pl, len);
2992 /* make pad into tail */
2993 if (lcconf->pad_excltail)
2994 buf->v[len + padlen - 1] = padlen - 1;
2996 buf->v[len + padlen - 1] = padlen;
2998 plogdump(LLV_DEBUG, buf->v, buf->l);
3001 new = alg_oakley_encdef_encrypt(iph1->approval->enctype,
3002 buf, iph1->key, ivep);
3004 plog(LLV_ERROR, LOCATION, NULL,
3005 "encryption %d failed.\n", iph1->approval->enctype);
3008 plog(LLV_DEBUG, LOCATION, NULL, "with key:\n");
3009 plogdump(LLV_DEBUG, iph1->key->v, iph1->key->l);
3016 plog(LLV_DEBUG, LOCATION, NULL, "encrypted payload by IV:\n");
3017 plogdump(LLV_DEBUG, ivep->v, ivep->l);
3019 /* save IV for next */
3020 memset(ivp->v, 0, ivp->l);
3021 memcpy(ivp->v, (caddr_t)&new->v[new->l - blen], blen);
3023 plog(LLV_DEBUG, LOCATION, NULL, "save IV for next:\n");
3024 plogdump(LLV_DEBUG, ivp->v, ivp->l);
3026 /* create new buffer */
3027 len = sizeof(struct isakmp) + new->l;
3030 plog(LLV_ERROR, LOCATION, NULL,
3031 "failed to get buffer to encrypt.\n");
3034 memcpy(buf->v, msg->v, sizeof(struct isakmp));
3035 memcpy(buf->v + sizeof(struct isakmp), new->v, new->l);
3036 ((struct isakmp *)buf->v)->len = htonl(buf->l);
3040 plog(LLV_DEBUG, LOCATION, NULL, "encrypted.\n");
3043 if (error && buf != NULL) {
3053 /* culculate padding length */
3055 oakley_padlen(len, base)
3060 padlen = base - len % base;
3062 if (lcconf->pad_randomlen)
3063 padlen += ((eay_random() % (lcconf->pad_maxsize + 1) + 1) *