diff options
Diffstat (limited to 'ipsec-tools/src/racoon/isakmp_newg.c')
-rw-r--r-- | ipsec-tools/src/racoon/isakmp_newg.c | 232 |
1 files changed, 232 insertions, 0 deletions
diff --git a/ipsec-tools/src/racoon/isakmp_newg.c b/ipsec-tools/src/racoon/isakmp_newg.c new file mode 100644 index 00000000..211e632e --- /dev/null +++ b/ipsec-tools/src/racoon/isakmp_newg.c @@ -0,0 +1,232 @@ +/* $NetBSD: isakmp_newg.c,v 1.4 2006/09/09 16:22:09 manu Exp $ */ + +/* $KAME: isakmp_newg.c,v 1.10 2002/09/27 05:55:52 itojun Exp $ */ + +/* + * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the project nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "config.h" + +#include <sys/types.h> +#include <sys/param.h> + +#include <stdlib.h> +#include <stdio.h> +#include <string.h> +#include <errno.h> + +#include "var.h" +#include "misc.h" +#include "vmbuf.h" +#include "plog.h" +#include "sockmisc.h" +#include "debug.h" + +#include "schedule.h" +#include "cfparse_proto.h" +#include "isakmp_var.h" +#include "isakmp.h" +#include "isakmp_newg.h" +#include "oakley.h" +#include "ipsec_doi.h" +#include "crypto_openssl.h" +#include "handler.h" +#include "pfkey.h" +#include "admin.h" +#include "str2val.h" +#include "vendorid.h" + +/* + * New group mode as responder + */ +int +isakmp_newgroup_r(iph1, msg) + struct ph1handle *iph1; + vchar_t *msg; +{ +#if 0 + struct isakmp *isakmp = (struct isakmp *)msg->v; + struct isakmp_pl_hash *hash = NULL; + struct isakmp_pl_sa *sa = NULL; + int error = -1; + vchar_t *buf; + struct oakley_sa *osa; + int len; + + /* validate the type of next payload */ + /* + * ISAKMP_ETYPE_NEWGRP, + * ISAKMP_NPTYPE_HASH, (ISAKMP_NPTYPE_VID), ISAKMP_NPTYPE_SA, + * ISAKMP_NPTYPE_NONE + */ + { + vchar_t *pbuf = NULL; + struct isakmp_parse_t *pa; + + if ((pbuf = isakmp_parse(msg)) == NULL) + goto end; + + for (pa = (struct isakmp_parse_t *)pbuf->v; + pa->type != ISAKMP_NPTYPE_NONE; + pa++) { + + switch (pa->type) { + case ISAKMP_NPTYPE_HASH: + if (hash) { + isakmp_info_send_n1(iph1, ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE, NULL); + plog(LLV_ERROR, LOCATION, iph1->remote, + "received multiple payload type %d.\n", + pa->type); + vfree(pbuf); + goto end; + } + hash = (struct isakmp_pl_hash *)pa->ptr; + break; + case ISAKMP_NPTYPE_SA: + if (sa) { + isakmp_info_send_n1(iph1, ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE, NULL); + plog(LLV_ERROR, LOCATION, iph1->remote, + "received multiple payload type %d.\n", + pa->type); + vfree(pbuf); + goto end; + } + sa = (struct isakmp_pl_sa *)pa->ptr; + break; + case ISAKMP_NPTYPE_VID: + (void)check_vendorid(pa->ptr); + break; + default: + isakmp_info_send_n1(iph1, ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE, NULL); + plog(LLV_ERROR, LOCATION, iph1->remote, + "ignore the packet, " + "received unexpecting payload type %d.\n", + pa->type); + vfree(pbuf); + goto end; + } + } + vfree(pbuf); + + if (!hash || !sa) { + isakmp_info_send_n1(iph1, ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE, NULL); + plog(LLV_ERROR, LOCATION, iph1->remote, + "no HASH, or no SA payload.\n"); + goto end; + } + } + + /* validate HASH */ + { + char *r_hash; + vchar_t *my_hash = NULL; + int result; + + plog(LLV_DEBUG, LOCATION, NULL, "validate HASH\n"); + + len = sizeof(isakmp->msgid) + ntohs(sa->h.len); + buf = vmalloc(len); + if (buf == NULL) { + plog(LLV_ERROR, LOCATION, NULL, + "failed to get buffer to send.\n"); + goto end; + } + memcpy(buf->v, &isakmp->msgid, sizeof(isakmp->msgid)); + memcpy(buf->v + sizeof(isakmp->msgid), sa, ntohs(sa->h.len)); + + plog(LLV_DEBUG, LOCATION, NULL, "hash source\n"); + plogdump(LLV_DEBUG, buf->v, buf->l); + + my_hash = isakmp_prf(iph1->skeyid_a, buf, iph1); + vfree(buf); + if (my_hash == NULL) + goto end; + + plog(LLV_DEBUG, LOCATION, NULL, "hash result\n"); + plogdump(LLV_DEBUG, my_hash->v, my_hash->l); + + r_hash = (char *)hash + sizeof(*hash); + + plog(LLV_DEBUG, LOCATION, NULL, "original hash\n")); + plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash))); + + result = memcmp(my_hash->v, r_hash, my_hash->l); + vfree(my_hash); + + if (result) { + plog(LLV_ERROR, LOCATION, iph1->remote, + "HASH mismatch.\n"); + isakmp_info_send_n1(iph1, ISAKMP_NTYPE_INVALID_HASH_INFORMATION, NULL); + goto end; + } + } + + /* check SA payload and get new one for use */ + buf = ipsecdoi_get_proposal((struct ipsecdoi_sa *)sa, + OAKLEY_NEWGROUP_MODE); + if (buf == NULL) { + isakmp_info_send_n1(iph1, ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED, NULL); + goto end; + } + + /* save sa parameters */ + osa = ipsecdoi_get_oakley(buf); + if (osa == NULL) { + isakmp_info_send_n1(iph1, ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED, NULL); + goto end; + } + vfree(buf); + + switch (osa->dhgrp) { + case OAKLEY_ATTR_GRP_DESC_MODP768: + case OAKLEY_ATTR_GRP_DESC_MODP1024: + case OAKLEY_ATTR_GRP_DESC_MODP1536: + /*XXX*/ + default: + isakmp_info_send_n1(iph1, ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED, NULL); + plog(LLV_ERROR, LOCATION, NULL, + "dh group %d isn't supported.\n", osa->dhgrp); + goto end; + } + + plog(LLV_INFO, LOCATION, iph1->remote, + "got new dh group %s.\n", isakmp_pindex(&iph1->index, 0)); + + error = 0; + +end: + if (error) { + if (iph1 != NULL) + (void)isakmp_free_ph1(iph1); + } + return error; +#endif + return 0; +} + |