/usr/src/sbin/isakmpd/ike_quick

Bug Summary

File:	src/sbin/isakmpd/ike_quick_mode.c
Warning:	line 1646, column 15 Result of 'calloc' is converted to a pointer of type 'u_int8_t', which is incompatible with sizeof operand type 'char'

Annotated Source Code

Press '?' to see keyboard shortcuts

Show analyzer invocation

clang -cc1 -cc1 -triple amd64-unknown-openbsd7.0 -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name ike_quick_mode.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 1 -pic-is-pie -mframe-pointer=all -relaxed-aliasing -fno-rounding-math -mconstructor-aliases -munwind-tables -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/sbin/isakmpd/obj -resource-dir /usr/local/lib/clang/13.0.0 -I /usr/src/sbin/isakmpd -I . -internal-isystem /usr/local/lib/clang/13.0.0/include -internal-externc-isystem /usr/include -O2 -fdebug-compilation-dir=/usr/src/sbin/isakmpd/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /home/ben/Projects/vmm/scan-build/2022-01-12-194120-40624-1 -x c /usr/src/sbin/isakmpd/ike_quick_mode.c

1	/* $OpenBSD: ike_quick_mode.c,v 1.114 2018/01/15 09:54:48 mpi Exp $ */
2	/* $EOM: ike_quick_mode.c,v 1.139 2001/01/26 10:43:17 niklas Exp $ */
3
4	/*
5	* Copyright (c) 1998, 1999, 2000, 2001 Niklas Hallqvist. All rights reserved.
6	* Copyright (c) 1999, 2000, 2001 Angelos D. Keromytis. All rights reserved.
7	* Copyright (c) 2000, 2001, 2004 Håkan Olsson. All rights reserved.
8	*
9	* Redistribution and use in source and binary forms, with or without
10	* modification, are permitted provided that the following conditions
11	* are met:
12	* 1. Redistributions of source code must retain the above copyright
13	* notice, this list of conditions and the following disclaimer.
14	* 2. Redistributions in binary form must reproduce the above copyright
15	* notice, this list of conditions and the following disclaimer in the
16	* documentation and/or other materials provided with the distribution.
17	*
18	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
19	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
20	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
21	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
22	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
23	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
24	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
25	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
27	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28	*/
29
30	/*
31	* This code was written under funding by Ericsson Radio Systems.
32	*/
33
34	#include <stdlib.h>
35	#include <string.h>
36
37	#include <sys/types.h>
38	#include <regex.h>
39	#include <keynote.h>
40
41	#include "attribute.h"
42	#include "conf.h"
43	#include "connection.h"
44	#include "dh.h"
45	#include "doi.h"
46	#include "exchange.h"
47	#include "hash.h"
48	#include "ike_quick_mode.h"
49	#include "ipsec.h"
50	#include "log.h"
51	#include "message.h"
52	#include "policy.h"
53	#include "prf.h"
54	#include "sa.h"
55	#include "transport.h"
56	#include "util.h"
57	#include "key.h"
58	#include "x509.h"
59
60	static void gen_g_xy(struct message *);
61	static int initiator_send_HASH_SA_NONCE(struct message *);
62	static int initiator_recv_HASH_SA_NONCE(struct message *);
63	static int initiator_send_HASH(struct message *);
64	static void post_quick_mode(struct message *);
65	static int responder_recv_HASH_SA_NONCE(struct message *);
66	static int responder_send_HASH_SA_NONCE(struct message *);
67	static int responder_recv_HASH(struct message *);
68
69	static int check_policy(struct exchange , struct sa , struct sa *);
70
71	int (ike_quick_mode_initiator[])(struct message ) = {
72	initiator_send_HASH_SA_NONCE,
73	initiator_recv_HASH_SA_NONCE,
74	initiator_send_HASH
75	};
76
77	int (ike_quick_mode_responder[])(struct message ) = {
78	responder_recv_HASH_SA_NONCE,
79	responder_send_HASH_SA_NONCE,
80	responder_recv_HASH
81	};
82
83	/* How many return values will policy handle -- true/false for now */
84	#define RETVALUES_NUM2 2
85
86	/*
87	* Given an exchange and our policy, check whether the SA and IDs are
88	* acceptable.
89	*/
90	static int
91	check_policy(struct exchange exchange, struct sa sa, struct sa *isakmp_sa)
92	{
93	char *return_values[RETVALUES_NUM2];
94	char **principal = 0;
95	int i, len, result = 0, nprinc = 0;
96	int x509_ids = 0, keynote_ids = 0;
97	unsigned char hashbuf[20]; /* Set to the largest digest result */
98	struct keynote_deckey dc;
99	X509_NAME *subject;
100
101	/* Do we want to use keynote policies? */
102	if (ignore_policy \|\|
103	strncmp("yes", conf_get_str("General", "Use-Keynote"), 3))
104	return 1;
105
106	/* Initialize if necessary -- e.g., if pre-shared key auth was used */
107	if (isakmp_sa->policy_id < 0) {
108	if ((isakmp_sa->policy_id = kn_init()) == -1) {
109	log_print("check_policy: "
110	"failed to initialize policy session");
111	return 0;
112	}
113	}
114	/* Add the callback that will handle attributes. */
115	if (kn_add_action(isakmp_sa->policy_id, ".", (char )policy_callback,
116	ENVIRONMENT_FLAG_FUNC0x0001 \| ENVIRONMENT_FLAG_REGEX0x0002) == -1) {
117	log_print("check_policy: "
118	"kn_add_action (%d, \".*\", %p, FUNC \| REGEX) failed",
119	isakmp_sa->policy_id, policy_callback);
120	kn_close(isakmp_sa->policy_id);
121	isakmp_sa->policy_id = -1;
122	return 0;
123	}
124	if (policy_asserts_num) {
125	keynote_ids = calloc(policy_asserts_num, sizeof *keynote_ids);
126	if (!keynote_ids) {
127	log_error("check_policy: calloc (%d, %lu) failed",
128	policy_asserts_num,
129	(unsigned long)sizeof *keynote_ids);
130	kn_close(isakmp_sa->policy_id);
131	isakmp_sa->policy_id = -1;
132	return 0;
133	}
134	}
135	/* Add the policy assertions */
136	for (i = 0; i < policy_asserts_num; i++)
137	keynote_ids[i] = kn_add_assertion(isakmp_sa->policy_id,
138	policy_asserts[i],
139	strlen(policy_asserts[i]), ASSERT_FLAG_LOCAL0x0001);
140
141	/* Initialize -- we'll let the callback do all the work. */
142	policy_exchange = exchange;
143	policy_sa = sa;
144	policy_isakmp_sa = isakmp_sa;
145
146	/* Set the return values; true/false for now at least. */
147	return_values[0] = "false"; /* Order of values in array is
148	* important. */
149	return_values[1] = "true";
150
151	/* Create a principal (authorizer) for the SA/ID request. */
152	switch (isakmp_sa->recv_certtype) {
153	case ISAKMP_CERTENC_NONE0:
154	/*
155	* For shared keys, just duplicate the passphrase with the
156	* appropriate prefix tag.
157	*/
158	nprinc = 3;
159	principal = calloc(nprinc, sizeof *principal);
160	if (!principal) {
161	log_error("check_policy: calloc (%d, %lu) failed",
162	nprinc, (unsigned long)sizeof *principal);
163	goto policydone;
164	}
165	len = strlen(isakmp_sa->recv_key) + sizeof "passphrase:";
166	principal[0] = calloc(len, sizeof(char));
167	if (!principal[0]) {
168	log_error("check_policy: calloc (%d, %lu) failed", len,
169	(unsigned long)sizeof(char));
170	goto policydone;
171	}
172	/*
173	* XXX Consider changing the magic hash lengths with
174	* constants.
175	*/
176	strlcpy(principal[0], "passphrase:", len);
177	memcpy(principal[0] + sizeof "passphrase:" - 1,
178	isakmp_sa->recv_key, strlen(isakmp_sa->recv_key));
179
180	len = sizeof "passphrase-md5-hex:" + 2 * 16;
181	principal[1] = calloc(len, sizeof(char));
182	if (!principal[1]) {
183	log_error("check_policy: calloc (%d, %lu) failed", len,
184	(unsigned long)sizeof(char));
185	goto policydone;
186	}
187	strlcpy(principal[1], "passphrase-md5-hex:", len);
188	MD5(isakmp_sa->recv_key, strlen(isakmp_sa->recv_key), hashbuf);
189	for (i = 0; i < 16; i++)
190	snprintf(principal[1] + 2 * i +
191	sizeof "passphrase-md5-hex:" - 1, 3, "%02x",
192	hashbuf[i]);
193
194	len = sizeof "passphrase-sha1-hex:" + 2 * 20;
195	principal[2] = calloc(len, sizeof(char));
196	if (!principal[2]) {
197	log_error("check_policy: calloc (%d, %lu) failed", len,
198	(unsigned long)sizeof(char));
199	goto policydone;
200	}
201	strlcpy(principal[2], "passphrase-sha1-hex:", len);
202	SHA1(isakmp_sa->recv_key, strlen(isakmp_sa->recv_key),
203	hashbuf);
204	for (i = 0; i < 20; i++)
205	snprintf(principal[2] + 2 * i +
206	sizeof "passphrase-sha1-hex:" - 1, 3, "%02x",
207	hashbuf[i]);
208	break;
209
210	case ISAKMP_CERTENC_KEYNOTE11:
211	nprinc = 1;
212
213	principal = calloc(nprinc, sizeof *principal);
214	if (!principal) {
215	log_error("check_policy: calloc (%d, %lu) failed",
216	nprinc, (unsigned long)sizeof *principal);
217	goto policydone;
218	}
219	/* Dup the keys */
220	principal[0] = strdup(isakmp_sa->keynote_key);
221	if (!principal[0]) {
222	log_error("check_policy: calloc (%lu, %lu) failed",
223	(unsigned long)strlen(isakmp_sa->keynote_key),
224	(unsigned long)sizeof(char));
225	goto policydone;
226	}
227	break;
228
229	case ISAKMP_CERTENC_X509_SIG4:
230	principal = calloc(2, sizeof *principal);
231	if (!principal) {
232	log_error("check_policy: calloc (2, %lu) failed",
233	(unsigned long)sizeof *principal);
234	goto policydone;
235	}
236	if (isakmp_sa->recv_keytype == ISAKMP_KEY_RSA2)
237	dc.dec_algorithm = KEYNOTE_ALGORITHM_RSA6;
238	else {
239	log_error("check_policy: "
240	"unknown/unsupported public key algorithm %d",
241	isakmp_sa->recv_keytype);
242	goto policydone;
243	}
244
245	dc.dec_key = isakmp_sa->recv_key;
246	principal[0] = kn_encode_key(&dc, INTERNAL_ENC_PKCS11,
247	ENCODING_HEX1, KEYNOTE_PUBLIC_KEY0);
248	if (keynote_errno == ERROR_MEMORY-1) {
249	log_print("check_policy: "
250	"failed to get memory for public key");
251	goto policydone;
252	}
253	if (!principal[0]) {
254	log_print("check_policy: "
255	"failed to allocate memory for principal");
256	goto policydone;
257	}
258	if (asprintf(&principal[1], "rsa-hex:%s", principal[0]) == -1) {
259	log_error("check_policy: asprintf() failed");
260	goto policydone;
261	}
262	free(principal[0]);
263	principal[0] = principal[1];
264	principal[1] = 0;
265
266	/* Generate a "DN:" principal. */
267	subject = X509_get_subject_name(isakmp_sa->recv_cert);
268	if (subject) {
269	principal[1] = calloc(259, sizeof(char));
270	if (!principal[1]) {
271	log_error("check_policy: "
272	"calloc (259, %lu) failed",
273	(unsigned long)sizeof(char));
274	goto policydone;
275	}
276	strlcpy(principal[1], "DN:", 259);
277	X509_NAME_oneline(subject, principal[1] + 3, 256);
278	nprinc = 2;
279	} else {
280	nprinc = 1;
281	}
282	break;
283
284	/* XXX Eventually handle these. */
285	case ISAKMP_CERTENC_PKCS1:
286	case ISAKMP_CERTENC_PGP2:
287	case ISAKMP_CERTENC_DNS3:
288	case ISAKMP_CERTENC_X509_KE5:
289	case ISAKMP_CERTENC_KERBEROS6:
290	case ISAKMP_CERTENC_CRL7:
291	case ISAKMP_CERTENC_ARL8:
292	case ISAKMP_CERTENC_SPKI9:
293	case ISAKMP_CERTENC_X509_ATTR10:
294	default:
295	log_print("check_policy: "
296	"unknown/unsupported certificate/authentication method %d",
297	isakmp_sa->recv_certtype);
298	goto policydone;
299	}
300
301	/*
302	* Add the authorizer (who is requesting the SA/ID);
303	* this may be a public or a secret key, depending on
304	* what mode of authentication we used in Phase 1.
305	*/
306	for (i = 0; i < nprinc; i++) {
307	LOG_DBG((LOG_POLICY, 40, "check_policy: "log_debug (LOG_POLICY, 40, "check_policy: " "adding authorizer [%s]" , principal[i])
308	"adding authorizer [%s]", principal[i]))log_debug (LOG_POLICY, 40, "check_policy: " "adding authorizer [%s]" , principal[i]);
309
310	if (kn_add_authorizer(isakmp_sa->policy_id, principal[i])
311	== -1) {
312	int j;
313
314	for (j = 0; j < i; j++)
315	kn_remove_authorizer(isakmp_sa->policy_id,
316	principal[j]);
317	log_print("check_policy: kn_add_authorizer failed");
318	goto policydone;
319	}
320	}
321
322	/* Ask policy */
323	result = kn_do_query(isakmp_sa->policy_id, return_values,
324	RETVALUES_NUM2);
325	LOG_DBG((LOG_POLICY, 40, "check_policy: kn_do_query returned %d",log_debug (LOG_POLICY, 40, "check_policy: kn_do_query returned %d" , result)
326	result))log_debug (LOG_POLICY, 40, "check_policy: kn_do_query returned %d" , result);
327
328	/* Cleanup environment */
329	kn_cleanup_action_environment(isakmp_sa->policy_id);
330
331	/* Remove authorizers from the session */
332	for (i = 0; i < nprinc; i++) {
333	kn_remove_authorizer(isakmp_sa->policy_id, principal[i]);
334	free(principal[i]);
335	}
336
337	free(principal);
338	principal = 0;
339	nprinc = 0;
340
341	/* Check what policy said. */
342	if (result < 0) {
343	LOG_DBG((LOG_POLICY, 40, "check_policy: proposal refused"))log_debug (LOG_POLICY, 40, "check_policy: proposal refused");
344	result = 0;
345	goto policydone;
346	}
347	policydone:
348	for (i = 0; i < nprinc; i++)
349	if (principal && principal[i])
350	free(principal[i]);
351
352	free(principal);
353
354	/* Remove the policies */
355	for (i = 0; i < policy_asserts_num; i++) {
356	if (keynote_ids[i] != -1)
357	kn_remove_assertion(isakmp_sa->policy_id,
358	keynote_ids[i]);
359	}
360
361	free(keynote_ids);
362
363	free(x509_ids);
364
365	/*
366	* XXX Currently, check_policy() is only called from
367	* message_negotiate_sa(), and so this log message reflects this.
368	* Change to something better?
369	*/
370	if (result == 0)
371	log_print("check_policy: negotiated SA failed policy check");
372
373	/*
374	* Given that we have only 2 return values from policy (true/false)
375	* we can just return the query result directly (no pre-processing
376	* needed).
377	*/
378	return result;
379	}
380
381	/*
382	* Offer several sets of transforms to the responder.
383	* XXX Split this huge function up and look for common code with main mode.
384	*/
385	static int
386	initiator_send_HASH_SA_NONCE(struct message *msg)
387	{
388	struct exchange *exchange = msg->exchange;
389	struct doi *doi = exchange->doi;
390	struct ipsec_exch *ie = exchange->data;
391	u_int8_t *transform = 0, *new_transform;
392	u_int8_t proposal = 0, new_proposal;
393	u_int8_t sa_buf = 0, attr, saved_nextp_sa, saved_nextp_prop,
394	id, spi;
395	size_t spi_sz, sz;
396	size_t proposal_len = 0, proposals_len = 0, sa_len;
397	size_t transform_len = 0, new_transform_len;
398	size_t transforms_len = 0, new_transforms_len;
399	u_int32_t transform_cnt = 0, new_transform_cnt;
400	u_int32_t suite_no, prop_no, prot_no, xf_no, prop_cnt = 0;
401	u_int32_t i;
402	int value, update_nextp, protocol_num, proto_id;
403	struct proto *proto;
404	struct conf_list suite_conf, prot_conf = 0, xf_conf = 0, life_conf;
405	struct conf_list_node suite, prot, xf, life;
406	struct constant_map *id_map;
407	char protocol_id, transform_id;
408	char local_id, remote_id;
409	char *name;
410	int group_desc = -1, new_group_desc;
411	struct ipsec_sa *isa = msg->isakmp_sa->data;
412	struct hash *hash = hash_get(isa->hash);
413	struct sockaddr *src;
414	struct proto_attr *pa;
415
416	if (!ipsec_add_hash_payload(msg, hash->hashsize))
417	return -1;
418
419	/* Get the list of protocol suites. */
420	suite_conf = conf_get_list(exchange->policy, "Suites");
421	if (!suite_conf)
422	return -1;
423
424	for (suite = TAILQ_FIRST(&suite_conf->fields)((&suite_conf->fields)->tqh_first), suite_no = prop_no = 0;
425	suite_no < suite_conf->cnt;
426	suite_no++, suite = TAILQ_NEXT(suite, link)((suite)->link.tqe_next)) {
427	/* Now get each protocol in this specific protocol suite. */
428	prot_conf = conf_get_list(suite->field, "Protocols");
429	if (!prot_conf)
430	goto bail_out;
431
432	for (prot = TAILQ_FIRST(&prot_conf->fields)((&prot_conf->fields)->tqh_first), prot_no = 0;
433	prot_no < prot_conf->cnt;
434	prot_no++, prot = TAILQ_NEXT(prot, link)((prot)->link.tqe_next)) {
435	/* Make sure we have a proposal/transform vectors. */
436	if (prop_no >= prop_cnt) {
437	/*
438	* This resize algorithm is completely
439	* arbitrary.
440	*/
441	prop_cnt = 2 * prop_cnt + 10;
442	new_proposal = reallocarray(proposal,
443	prop_cnt, sizeof *proposal);
444	if (!new_proposal) {
445	log_error(
446	"initiator_send_HASH_SA_NONCE: "
447	"realloc (%p, %lu) failed",
448	proposal,
449	prop_cnt * (unsigned long)sizeof *proposal);
450	goto bail_out;
451	}
452	proposal = new_proposal;
453
454	new_transforms_len = reallocarray(transforms_len,
455	prop_cnt, sizeof *transforms_len);
456	if (!new_transforms_len) {
457	log_error(
458	"initiator_send_HASH_SA_NONCE: "
459	"realloc (%p, %lu) failed",
460	transforms_len,
461	prop_cnt * (unsigned long)sizeof *transforms_len);
462	goto bail_out;
463	}
464	transforms_len = new_transforms_len;
465
466	new_transform = reallocarray(transform,
467	prop_cnt, sizeof *transform);
468	if (!new_transform) {
469	log_error(
470	"initiator_send_HASH_SA_NONCE: "
471	"realloc (%p, %lu) failed",
472	transform,
473	prop_cnt * (unsigned long)sizeof *transform);
474	goto bail_out;
475	}
476	transform = new_transform;
477
478	new_transform_cnt = reallocarray(transform_cnt,
479	prop_cnt, sizeof *transform_cnt);
480	if (!new_transform_cnt) {
481	log_error(
482	"initiator_send_HASH_SA_NONCE: "
483	"realloc (%p, %lu) failed",
484	transform_cnt,
485	prop_cnt * (unsigned long)sizeof *transform_cnt);
486	goto bail_out;
487	}
488	transform_cnt = new_transform_cnt;
489
490	new_transform_len = reallocarray(transform_len,
491	prop_cnt, sizeof *transform_len);
492	if (!new_transform_len) {
493	log_error(
494	"initiator_send_HASH_SA_NONCE: "
495	"realloc (%p, %lu) failed",
496	transform_len,
497	prop_cnt * (unsigned long)sizeof *transform_len);
498	goto bail_out;
499	}
500	transform_len = new_transform_len;
501	}
502	protocol_id = conf_get_str(prot->field, "PROTOCOL_ID");
503	if (!protocol_id)
504	goto bail_out;
505
506	proto_id = constant_value(ipsec_proto_cst,
507	protocol_id);
508	switch (proto_id) {
509	case IPSEC_PROTO_IPSEC_AH2:
510	id_map = ipsec_ah_cst;
511	break;
512
513	case IPSEC_PROTO_IPSEC_ESP3:
514	id_map = ipsec_esp_cst;
515	break;
516
517	case IPSEC_PROTO_IPCOMP4:
518	id_map = ipsec_ipcomp_cst;
519	break;
520
521	default:
522	{
523	log_print("initiator_send_HASH_SA_NONCE: "
524	"invalid PROTCOL_ID: %s", protocol_id);
525	goto bail_out;
526	}
527	}
528
529	/* Now get each transform we offer for this protocol.*/
530	xf_conf = conf_get_list(prot->field, "Transforms");
531	if (!xf_conf)
532	goto bail_out;
533	transform_cnt[prop_no] = xf_conf->cnt;
534
535	transform[prop_no] = calloc(transform_cnt[prop_no],
536	sizeof **transform);
537	if (!transform[prop_no]) {
538	log_error("initiator_send_HASH_SA_NONCE: "
539	"calloc (%d, %lu) failed",
540	transform_cnt[prop_no],
541	(unsigned long)sizeof **transform);
542	goto bail_out;
543	}
544	transform_len[prop_no] = calloc(transform_cnt[prop_no],
545	sizeof **transform_len);
546	if (!transform_len[prop_no]) {
547	log_error("initiator_send_HASH_SA_NONCE: "
548	"calloc (%d, %lu) failed",
549	transform_cnt[prop_no],
550	(unsigned long)sizeof **transform_len);
551	goto bail_out;
552	}
553	transforms_len[prop_no] = 0;
554	for (xf = TAILQ_FIRST(&xf_conf->fields)((&xf_conf->fields)->tqh_first), xf_no = 0;
555	xf_no < transform_cnt[prop_no];
556	xf_no++, xf = TAILQ_NEXT(xf, link)((xf)->link.tqe_next)) {
557
558	/* XXX The sizing needs to be dynamic. */
559	transform[prop_no][xf_no] =
560	calloc(ISAKMP_TRANSFORM_SA_ATTRS_OFF8 +
561	9 * ISAKMP_ATTR_VALUE_OFF4, 1);
562	if (!transform[prop_no][xf_no]) {
563	log_error(
564	"initiator_send_HASH_SA_NONCE: "
565	"calloc (%d, 1) failed",
566	ISAKMP_TRANSFORM_SA_ATTRS_OFF8 +
567	9 * ISAKMP_ATTR_VALUE_OFF4);
568	goto bail_out;
569	}
570	SET_ISAKMP_TRANSFORM_NO(transform[prop_no][xf_no],field_set_num (isakmp_transform_fld + 0, transform[prop_no][xf_no ], xf_no + 1)
571	xf_no + 1)field_set_num (isakmp_transform_fld + 0, transform[prop_no][xf_no ], xf_no + 1);
572
573	transform_id = conf_get_str(xf->field,
574	"TRANSFORM_ID");
575	if (!transform_id)
576	goto bail_out;
577	SET_ISAKMP_TRANSFORM_ID(transform[prop_no][xf_no],field_set_num (isakmp_transform_fld + 1, transform[prop_no][xf_no ], constant_value(id_map, transform_id))
578	constant_value(id_map, transform_id))field_set_num (isakmp_transform_fld + 1, transform[prop_no][xf_no ], constant_value(id_map, transform_id));
579	SET_ISAKMP_TRANSFORM_RESERVED(transform[prop_no][xf_no], 0)field_set_num (isakmp_transform_fld + 2, transform[prop_no][xf_no ], 0);
580
581	attr = transform[prop_no][xf_no] +
582	ISAKMP_TRANSFORM_SA_ATTRS_OFF8;
583
584	/*
585	* Life durations are special, we should be
586	* able to specify several, one per type.
587	*/
588	life_conf = conf_get_list(xf->field, "Life");
589	if (life_conf) {
590	for (life = TAILQ_FIRST(&life_conf->fields)((&life_conf->fields)->tqh_first);
591	life; life = TAILQ_NEXT(life, link)((life)->link.tqe_next)) {
592	attribute_set_constant(
593	life->field, "LIFE_TYPE",
594	ipsec_duration_cst,
595	IPSEC_ATTR_SA_LIFE_TYPE1,
596	&attr);
597
598	/*
599	* XXX Deals with 16 and 32
600	* bit lifetimes only
601	*/
602	value =
603	conf_get_num(life->field,
604	"LIFE_DURATION", 0);
605	if (value) {
606	if (value <= 0xffff)
607	attr =
608	attribute_set_basic(
609	attr,
610	IPSEC_ATTR_SA_LIFE_DURATION2,
611	value);
612	else {
613	value = htonl(value)(__uint32_t)(__builtin_constant_p(value) ? (__uint32_t)(((__uint32_t )(value) & 0xff) << 24 \| ((__uint32_t)(value) & 0xff00) << 8 \| ((__uint32_t)(value) & 0xff0000) >> 8 \| ((__uint32_t)(value) & 0xff000000) >> 24) : __swap32md (value));
614	attr =
615	attribute_set_var(
616	attr,
617	IPSEC_ATTR_SA_LIFE_DURATION2,
618	(u_int8_t *)&value,
619	sizeof value);
620	}
621	}
622	}
623	conf_free_list(life_conf);
624	}
625
626	if (proto_id == IPSEC_PROTO_IPSEC_ESP3 &&
627	(exchange->flags &
628	EXCHANGE_FLAG_NAT_T_ENABLE0x0010)) {
629	name = conf_get_str(xf->field,
630	"ENCAPSULATION_MODE");
631	if (name) {
632	value = constant_value(
633	ipsec_encap_cst,
634	name);
635	switch (value) {
636	case IPSEC_ENCAP_TUNNEL1:
637	value = exchange->flags & EXCHANGE_FLAG_NAT_T_DRAFT0x0100 ?
638	IPSEC_ENCAP_UDP_ENCAP_TUNNEL_DRAFT61443 :
639	IPSEC_ENCAP_UDP_ENCAP_TUNNEL3;
640	break;
641	case IPSEC_ENCAP_TRANSPORT2:
642	value = exchange->flags & EXCHANGE_FLAG_NAT_T_DRAFT0x0100 ?
643	IPSEC_ENCAP_UDP_ENCAP_TRANSPORT_DRAFT61444 :
644	IPSEC_ENCAP_UDP_ENCAP_TRANSPORT4;
645	break;
646	}
647	attr = attribute_set_basic(
648	attr,
649	IPSEC_ATTR_ENCAPSULATION_MODE4,
650	value);
651	}
652	} else {
653	attribute_set_constant(xf->field,
654	"ENCAPSULATION_MODE",
655	ipsec_encap_cst,
656	IPSEC_ATTR_ENCAPSULATION_MODE4,
657	&attr);
658	}
659
660	if (proto_id != IPSEC_PROTO_IPCOMP4) {
661	attribute_set_constant(xf->field,
662	"AUTHENTICATION_ALGORITHM",
663	ipsec_auth_cst,
664	IPSEC_ATTR_AUTHENTICATION_ALGORITHM5,
665	&attr);
666
667	attribute_set_constant(xf->field,
668	"GROUP_DESCRIPTION",
669	ike_group_desc_cst,
670	IPSEC_ATTR_GROUP_DESCRIPTION3, &attr);
671
672	value = conf_get_num(xf->field,
673	"KEY_LENGTH", 0);
674	if (value)
675	attr = attribute_set_basic(
676	attr,
677	IPSEC_ATTR_KEY_LENGTH6,
678	value);
679
680	value = conf_get_num(xf->field,
681	"KEY_ROUNDS", 0);
682	if (value)
683	attr = attribute_set_basic(
684	attr,
685	IPSEC_ATTR_KEY_ROUNDS7,
686	value);
687	} else {
688	value = conf_get_num(xf->field,
689	"COMPRESS_DICTIONARY_SIZE", 0);
690	if (value)
691	attr = attribute_set_basic(
692	attr,
693	IPSEC_ATTR_COMPRESS_DICTIONARY_SIZE8,
694	value);
695
696	value = conf_get_num(xf->field,
697	"COMPRESS_PRIVATE_ALGORITHM", 0);
698	if (value)
699	attr = attribute_set_basic(
700	attr,
701	IPSEC_ATTR_COMPRESS_PRIVATE_ALGORITHM9,
702	value);
703	}
704
705	value = conf_get_num(xf->field, "ECN_TUNNEL",
706	0);
707	if (value)
708	attr = attribute_set_basic(attr,
709	IPSEC_ATTR_ECN_TUNNEL10, value);
710
711	/* Record the real transform size. */
712	transforms_len[prop_no] +=
713	(transform_len[prop_no][xf_no]
714	= attr - transform[prop_no][xf_no]);
715
716	if (proto_id != IPSEC_PROTO_IPCOMP4) {
717	/*
718	* Make sure that if a group
719	* description is specified, it is
720	* specified for all transforms
721	* equally.
722	*/
723	attr =
724	(u_int8_t *)conf_get_str(xf->field,
725	"GROUP_DESCRIPTION");
726	new_group_desc
727	= attr ? constant_value(ike_group_desc_cst,
728	(char *)attr) : 0;
729	if (group_desc == -1)
730	group_desc = new_group_desc;
731	else if (group_desc != new_group_desc) {
732	log_print("initiator_send_HASH_SA_NONCE: "
733	"differing group descriptions in a proposal");
734	goto bail_out;
735	}
736	}
737	}
738	conf_free_list(xf_conf);
739	xf_conf = 0;
740
741	/*
742	* Get SPI from application.
743	* XXX Should we care about unknown constants?
744	*/
745	protocol_num = constant_value(ipsec_proto_cst,
746	protocol_id);
747	spi = doi->get_spi(&spi_sz, protocol_num, msg);
748	if (spi_sz && !spi) {
749	log_print("initiator_send_HASH_SA_NONCE: "
750	"doi->get_spi failed");
751	goto bail_out;
752	}
753	proposal_len = ISAKMP_PROP_SPI_OFF8 + spi_sz;
754	proposals_len +=
755	proposal_len + transforms_len[prop_no];
756	proposal[prop_no] = malloc(proposal_len);
757	if (!proposal[prop_no]) {
758	log_error("initiator_send_HASH_SA_NONCE: "
759	"malloc (%lu) failed",
760	(unsigned long)proposal_len);
761	goto bail_out;
762	}
763	SET_ISAKMP_PROP_NO(proposal[prop_no], suite_no + 1)field_set_num (isakmp_prop_fld + 0, proposal[prop_no], suite_no + 1);
764	SET_ISAKMP_PROP_PROTO(proposal[prop_no], protocol_num)field_set_num (isakmp_prop_fld + 1, proposal[prop_no], protocol_num );
765
766	/* XXX I would like to see this factored out. */
767	proto = calloc(1, sizeof *proto);
768	if (!proto) {
769	log_error("initiator_send_HASH_SA_NONCE: "
770	"calloc (1, %lu) failed",
771	(unsigned long)sizeof *proto);
772	goto bail_out;
773	}
774	if (doi->proto_size) {
775	proto->data = calloc(1, doi->proto_size);
776	if (!proto->data) {
777	free(proto);
778	log_error(
779	"initiator_send_HASH_SA_NONCE: "
780	"calloc (1, %lu) failed",
781	(unsigned long)doi->proto_size);
782	goto bail_out;
783	}
784	}
785	proto->no = suite_no + 1;
786	proto->proto = protocol_num;
787	proto->sa = TAILQ_FIRST(&exchange->sa_list)((&exchange->sa_list)->tqh_first);
788	proto->xf_cnt = transform_cnt[prop_no];
789	TAILQ_INIT(&proto->xfs)do { (&proto->xfs)->tqh_first = ((void*)0); (&proto ->xfs)->tqh_last = &(&proto->xfs)->tqh_first ; } while (0);
790	for (xf_no = 0; xf_no < proto->xf_cnt; xf_no++) {
791	pa = calloc(1, sizeof *pa);
792	if (!pa) {
793	free(proto->data);
794	free(proto);
795	goto bail_out;
796	}
797	pa->len = transform_len[prop_no][xf_no];
798	pa->attrs = malloc(pa->len);
799	if (!pa->attrs) {
800	free(proto->data);
801	free(proto);
802	free(pa);
803	goto bail_out;
804	}
805	memcpy(pa->attrs, transform[prop_no][xf_no],
806	pa->len);
807	TAILQ_INSERT_TAIL(&proto->xfs, pa, next)do { (pa)->next.tqe_next = ((void)0); (pa)->next.tqe_prev = (&proto->xfs)->tqh_last; (&proto->xfs)-> tqh_last = (pa); (&proto->xfs)->tqh_last = &(pa )->next.tqe_next; } while (0);
808	}
809	TAILQ_INSERT_TAIL(&TAILQ_FIRST(&exchange->sa_list)->protos,do { (proto)->link.tqe_next = ((void)0); (proto)->link .tqe_prev = (&((&exchange->sa_list)->tqh_first) ->protos)->tqh_last; (&((&exchange->sa_list )->tqh_first)->protos)->tqh_last = (proto); (&(( &exchange->sa_list)->tqh_first)->protos)->tqh_last = &(proto)->link.tqe_next; } while (0)
810	proto, link)do { (proto)->link.tqe_next = ((void)0); (proto)->link .tqe_prev = (&((&exchange->sa_list)->tqh_first) ->protos)->tqh_last; (&((&exchange->sa_list )->tqh_first)->protos)->tqh_last = (proto); (&(( &exchange->sa_list)->tqh_first)->protos)->tqh_last = &(proto)->link.tqe_next; } while (0);
811
812	/* Setup the incoming SPI. */
813	SET_ISAKMP_PROP_SPI_SZ(proposal[prop_no], spi_sz)field_set_num (isakmp_prop_fld + 2, proposal[prop_no], spi_sz );
814	memcpy(proposal[prop_no] + ISAKMP_PROP_SPI_OFF8, spi,
815	spi_sz);
816	proto->spi_sz[1] = spi_sz;
817	proto->spi[1] = spi;
818
819	/*
820	* Let the DOI get at proto for initializing its own
821	* data.
822	*/
823	if (doi->proto_init)
824	doi->proto_init(proto, prot->field);
825
826	SET_ISAKMP_PROP_NTRANSFORMS(proposal[prop_no],field_set_num (isakmp_prop_fld + 3, proposal[prop_no], transform_cnt [prop_no])
827	transform_cnt[prop_no])field_set_num (isakmp_prop_fld + 3, proposal[prop_no], transform_cnt [prop_no]);
828	prop_no++;
829	}
830	conf_free_list(prot_conf);
831	prot_conf = 0;
832	}
833
834	sa_len = ISAKMP_SA_SIT_OFF8 + IPSEC_SIT_SIT_LEN4;
835	sa_buf = malloc(sa_len);
836	if (!sa_buf) {
837	log_error("initiator_send_HASH_SA_NONCE: malloc (%lu) failed",
838	(unsigned long)sa_len);
839	goto bail_out;
840	}
841	SET_ISAKMP_SA_DOI(sa_buf, IPSEC_DOI_IPSEC)field_set_num (isakmp_sa_fld + 0, sa_buf, 1);
842	SET_IPSEC_SIT_SIT(sa_buf + ISAKMP_SA_SIT_OFF, IPSEC_SIT_IDENTITY_ONLY)field_set_num (ipsec_sit_fld + 0, sa_buf + 8, 1);
843
844	/*
845	* Add the payloads. As this is a SA, we need to recompute the
846	* lengths of the payloads containing others. We also need to
847	* reset these payload's "next payload type" field.
848	*/
849	if (message_add_payload(msg, ISAKMP_PAYLOAD_SA1, sa_buf, sa_len, 1))
850	goto bail_out;
851	SET_ISAKMP_GEN_LENGTH(sa_buf, sa_len + proposals_len)field_set_num (isakmp_gen_fld + 2, sa_buf, sa_len + proposals_len );
852	sa_buf = 0;
853
854	update_nextp = 0;
855	saved_nextp_sa = msg->nextp;
856	for (i = 0; i < prop_no; i++) {
857	if (message_add_payload(msg, ISAKMP_PAYLOAD_PROPOSAL2,
858	proposal[i], proposal_len, update_nextp))
859	goto bail_out;
860	SET_ISAKMP_GEN_LENGTH(proposal[i],field_set_num (isakmp_gen_fld + 2, proposal[i], proposal_len + transforms_len[i])
861	proposal_len + transforms_len[i])field_set_num (isakmp_gen_fld + 2, proposal[i], proposal_len + transforms_len[i]);
862	proposal[i] = 0;
863
864	update_nextp = 0;
865	saved_nextp_prop = msg->nextp;
866	for (xf_no = 0; xf_no < transform_cnt[i]; xf_no++) {
867	if (message_add_payload(msg, ISAKMP_PAYLOAD_TRANSFORM3,
868	transform[i][xf_no],
869	transform_len[i][xf_no], update_nextp))
870	goto bail_out;
871	update_nextp = 1;
872	transform[i][xf_no] = 0;
873	}
874	msg->nextp = saved_nextp_prop;
875	update_nextp = 1;
876	}
877	msg->nextp = saved_nextp_sa;
878
879	/*
880	* Save SA payload body in ie->sa_i_b, length ie->sa_i_b_len.
881	*/
882	ie->sa_i_b = message_copy(msg, ISAKMP_GEN_SZ4, &ie->sa_i_b_len);
883	if (!ie->sa_i_b)
884	goto bail_out;
885
886	/*
887	* Generate a nonce, and add it to the message.
888	* XXX I want a better way to specify the nonce's size.
889	*/
890	if (exchange_gen_nonce(msg, 16))
891	return -1;
892
893	/* Generate optional KEY_EXCH payload. */
894	if (group_desc > 0) {
895	ie->group = group_get(group_desc);
896	ie->g_x_len = dh_getlen(ie->group);
897
898	if (ipsec_gen_g_x(msg)) {
899	group_free(ie->group);
900	ie->group = 0;
901	return -1;
902	}
903	}
904	/* Generate optional client ID payloads. XXX Share with responder. */
905	local_id = conf_get_str(exchange->name, "Local-ID");
906	remote_id = conf_get_str(exchange->name, "Remote-ID");
907	if (local_id && remote_id) {
908	id = ipsec_build_id(local_id, &sz);
909	if (!id)
910	return -1;
911	LOG_DBG_BUF((LOG_NEGOTIATION, 90,log_debug_buf (LOG_NEGOTIATION, 90, "initiator_send_HASH_SA_NONCE: IDic" , id, sz)
912	"initiator_send_HASH_SA_NONCE: IDic", id, sz))log_debug_buf (LOG_NEGOTIATION, 90, "initiator_send_HASH_SA_NONCE: IDic" , id, sz);
913	if (message_add_payload(msg, ISAKMP_PAYLOAD_ID5, id, sz, 1)) {
914	free(id);
915	return -1;
916	}
917	id = ipsec_build_id(remote_id, &sz);
918	if (!id)
919	return -1;
920	LOG_DBG_BUF((LOG_NEGOTIATION, 90,log_debug_buf (LOG_NEGOTIATION, 90, "initiator_send_HASH_SA_NONCE: IDrc" , id, sz)
921	"initiator_send_HASH_SA_NONCE: IDrc", id, sz))log_debug_buf (LOG_NEGOTIATION, 90, "initiator_send_HASH_SA_NONCE: IDrc" , id, sz);
922	if (message_add_payload(msg, ISAKMP_PAYLOAD_ID5, id, sz, 1)) {
923	free(id);
924	return -1;
925	}
926	}
927	/* XXX I do not judge these as errors, are they? */
928	else if (local_id)
929	log_print("initiator_send_HASH_SA_NONCE: "
930	"Local-ID given without Remote-ID for \"%s\"",
931	exchange->name);
932	else if (remote_id)
933	/*
934	* This code supports the "road warrior" case, where the
935	* initiator doesn't have a fixed IP address, but wants to
936	* specify a particular remote network to talk to. -- Adrian
937	* Close <adrian@esec.com.au>
938	*/
939	{
940	log_print("initiator_send_HASH_SA_NONCE: "
941	"Remote-ID given without Local-ID for \"%s\"",
942	exchange->name);
943
944	/*
945	* If we're here, then we are the initiator, so use initiator
946	* address for local ID
947	*/
948	msg->transport->vtbl->get_src(msg->transport, &src);
949	sz = ISAKMP_ID_SZ8 + sockaddr_addrlen(src);
950
951	id = calloc(sz, sizeof(char));
952	if (!id) {
953	log_error("initiator_send_HASH_SA_NONCE: "
954	"calloc (%lu, %lu) failed", (unsigned long)sz,
955	(unsigned long)sizeof(char));
956	return -1;
957	}
958	switch (src->sa_family) {
959	case AF_INET624:
960	SET_ISAKMP_ID_TYPE(id, IPSEC_ID_IPV6_ADDR)field_set_num (isakmp_id_fld + 0, id, 5);
961	break;
962	case AF_INET2:
963	SET_ISAKMP_ID_TYPE(id, IPSEC_ID_IPV4_ADDR)field_set_num (isakmp_id_fld + 0, id, 1);
964	break;
965	default:
966	log_error("initiator_send_HASH_SA_NONCE: "
967	"unknown sa_family %d", src->sa_family);
968	free(id);
969	return -1;
970	}
971	memcpy(id + ISAKMP_ID_DATA_OFF8, sockaddr_addrdata(src),
972	sockaddr_addrlen(src));
973
974	LOG_DBG_BUF((LOG_NEGOTIATION, 90,log_debug_buf (LOG_NEGOTIATION, 90, "initiator_send_HASH_SA_NONCE: IDic" , id, sz)
975	"initiator_send_HASH_SA_NONCE: IDic", id, sz))log_debug_buf (LOG_NEGOTIATION, 90, "initiator_send_HASH_SA_NONCE: IDic" , id, sz);
976	if (message_add_payload(msg, ISAKMP_PAYLOAD_ID5, id, sz, 1)) {
977	free(id);
978	return -1;
979	}
980	/* Send supplied remote_id */
981	id = ipsec_build_id(remote_id, &sz);
982	if (!id)
983	return -1;
984	LOG_DBG_BUF((LOG_NEGOTIATION, 90,log_debug_buf (LOG_NEGOTIATION, 90, "initiator_send_HASH_SA_NONCE: IDrc" , id, sz)
985	"initiator_send_HASH_SA_NONCE: IDrc", id, sz))log_debug_buf (LOG_NEGOTIATION, 90, "initiator_send_HASH_SA_NONCE: IDrc" , id, sz);
986	if (message_add_payload(msg, ISAKMP_PAYLOAD_ID5, id, sz, 1)) {
987	free(id);
988	return -1;
989	}
990	}
991	if (ipsec_fill_in_hash(msg))
992	goto bail_out;
993
994	conf_free_list(suite_conf);
995	for (i = 0; i < prop_no; i++) {
996	free(transform[i]);
997	free(transform_len[i]);
998	}
999	free(proposal);
1000	free(transform);
1001	free(transforms_len);
1002	free(transform_len);
1003	free(transform_cnt);
1004	return 0;
1005
1006	bail_out:
1007	free(sa_buf);
1008	if (proposal) {
1009	for (i = 0; i < prop_no; i++) {
1010	free(proposal[i]);
1011	if (transform[i]) {
1012	for (xf_no = 0; xf_no < transform_cnt[i];
1013	xf_no++)
1014	free(transform[i][xf_no]);
1015	free(transform[i]);
1016	}
1017	free(transform_len[i]);
1018	}
1019	free(proposal);
1020	free(transforms_len);
1021	free(transform);
1022	free(transform_len);
1023	free(transform_cnt);
1024	}
1025	if (xf_conf)
1026	conf_free_list(xf_conf);
1027	if (prot_conf)
1028	conf_free_list(prot_conf);
1029	conf_free_list(suite_conf);
1030	return -1;
1031	}
1032
1033	/* Figure out what transform the responder chose. */
1034	static int
1035	initiator_recv_HASH_SA_NONCE(struct message *msg)
1036	{
1037	struct exchange *exchange = msg->exchange;
1038	struct ipsec_exch *ie = exchange->data;
1039	struct sa *sa;
1040	struct proto proto, next_proto;
1041	struct payload *sa_p = payload_first(msg, ISAKMP_PAYLOAD_SA1);
1042	struct payload xf, idp;
1043	struct payload *hashp = payload_first(msg, ISAKMP_PAYLOAD_HASH8);
1044	struct payload *kep = payload_first(msg, ISAKMP_PAYLOAD_KEY_EXCH4);
1045	struct prf *prf;
1046	struct sa *isakmp_sa = msg->isakmp_sa;
1047	struct ipsec_sa *isa = isakmp_sa->data;
1048	struct hash *hash = hash_get(isa->hash);
1049	u_int8_t *rest;
1050	size_t rest_len;
1051	struct sockaddr src, dst;
1052
1053	/* Allocate the prf and start calculating our HASH(1). XXX Share? */
1054	LOG_DBG_BUF((LOG_NEGOTIATION, 90, "initiator_recv_HASH_SA_NONCE: "log_debug_buf (LOG_NEGOTIATION, 90, "initiator_recv_HASH_SA_NONCE: " "SKEYID_a", (u_int8_t *)isa->skeyid_a, isa->skeyid_len )
1055	"SKEYID_a", (u_int8_t )isa->skeyid_a, isa->skeyid_len))log_debug_buf (LOG_NEGOTIATION, 90, "initiator_recv_HASH_SA_NONCE: " "SKEYID_a", (u_int8_t )isa->skeyid_a, isa->skeyid_len );
1056	prf = prf_alloc(isa->prf_type, hash->type, isa->skeyid_a,
1057	isa->skeyid_len);
1058	if (!prf)
1059	return -1;
1060
1061	prf->Init(prf->prfctx);
1062	LOG_DBG_BUF((LOG_NEGOTIATION, 90,log_debug_buf (LOG_NEGOTIATION, 90, "initiator_recv_HASH_SA_NONCE: message_id" , exchange->message_id, 4)
1063	"initiator_recv_HASH_SA_NONCE: message_id",log_debug_buf (LOG_NEGOTIATION, 90, "initiator_recv_HASH_SA_NONCE: message_id" , exchange->message_id, 4)
1064	exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN))log_debug_buf (LOG_NEGOTIATION, 90, "initiator_recv_HASH_SA_NONCE: message_id" , exchange->message_id, 4);
1065	prf->Update(prf->prfctx, exchange->message_id,
1066	ISAKMP_HDR_MESSAGE_ID_LEN4);
1067	LOG_DBG_BUF((LOG_NEGOTIATION, 90, "initiator_recv_HASH_SA_NONCE: "log_debug_buf (LOG_NEGOTIATION, 90, "initiator_recv_HASH_SA_NONCE: " "NONCE_I_b", exchange->nonce_i, exchange->nonce_i_len)
1068	"NONCE_I_b", exchange->nonce_i, exchange->nonce_i_len))log_debug_buf (LOG_NEGOTIATION, 90, "initiator_recv_HASH_SA_NONCE: " "NONCE_I_b", exchange->nonce_i, exchange->nonce_i_len);
1069	prf->Update(prf->prfctx, exchange->nonce_i, exchange->nonce_i_len);
1070	rest = hashp->p + GET_ISAKMP_GEN_LENGTH(hashp->p)field_get_num (isakmp_gen_fld + 2, hashp->p);
1071	rest_len = (GET_ISAKMP_HDR_LENGTH(msg->iov[0].iov_base)field_get_num (isakmp_hdr_fld + 7, msg->iov[0].iov_base)
1072	- (rest - (u_int8_t *)msg->iov[0].iov_base));
1073	LOG_DBG_BUF((LOG_NEGOTIATION, 90,log_debug_buf (LOG_NEGOTIATION, 90, "initiator_recv_HASH_SA_NONCE: payloads after HASH(2)" , rest, rest_len)
1074	"initiator_recv_HASH_SA_NONCE: payloads after HASH(2)", rest,log_debug_buf (LOG_NEGOTIATION, 90, "initiator_recv_HASH_SA_NONCE: payloads after HASH(2)" , rest, rest_len)
1075	rest_len))log_debug_buf (LOG_NEGOTIATION, 90, "initiator_recv_HASH_SA_NONCE: payloads after HASH(2)" , rest, rest_len);
1076	prf->Update(prf->prfctx, rest, rest_len);
1077	prf->Final(hash->digest, prf->prfctx);
1078	prf_free(prf);
1079	LOG_DBG_BUF((LOG_NEGOTIATION, 80,log_debug_buf (LOG_NEGOTIATION, 80, "initiator_recv_HASH_SA_NONCE: computed HASH(2)" , hash->digest, hash->hashsize)
1080	"initiator_recv_HASH_SA_NONCE: computed HASH(2)", hash->digest,log_debug_buf (LOG_NEGOTIATION, 80, "initiator_recv_HASH_SA_NONCE: computed HASH(2)" , hash->digest, hash->hashsize)
1081	hash->hashsize))log_debug_buf (LOG_NEGOTIATION, 80, "initiator_recv_HASH_SA_NONCE: computed HASH(2)" , hash->digest, hash->hashsize);
1082	if (memcmp(hashp->p + ISAKMP_HASH_DATA_OFF4, hash->digest,
1083	hash->hashsize) != 0) {
1084	message_drop(msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION23, 0, 1,
1085	0);
1086	return -1;
1087	}
1088	/* Mark the HASH as handled. */
1089	hashp->flags \|= PL_MARK1;
1090
1091	/* Mark message as authenticated. */
1092	msg->flags \|= MSG_AUTHENTICATED0x10;
1093
1094	/*
1095	* As we are getting an answer on our transform offer, only one
1096	* transform should be given.
1097	*
1098	* XXX Currently we only support negotiating one SA per quick mode run.
1099	*/
1100	if (TAILQ_NEXT(sa_p, link)((sa_p)->link.tqe_next)) {
1101	log_print("initiator_recv_HASH_SA_NONCE: "
1102	"multiple SA payloads in quick mode not supported yet");
1103	return -1;
1104	}
1105	sa = TAILQ_FIRST(&exchange->sa_list)((&exchange->sa_list)->tqh_first);
1106
1107	/* This is here for the policy check */
1108	if (kep)
1109	ie->pfs = 1;
1110
1111	/* Drop message when it contains ID types we do not implement yet. */
1112	TAILQ_FOREACH(idp, &msg->payload[ISAKMP_PAYLOAD_ID], link)for((idp) = ((&msg->payload[5])->tqh_first); (idp) != ((void*)0); (idp) = ((idp)->link.tqe_next)) {
1113	switch (GET_ISAKMP_ID_TYPE(idp->p)field_get_num (isakmp_id_fld + 0, idp->p)) {
1114	case IPSEC_ID_IPV4_ADDR1:
1115	case IPSEC_ID_IPV4_ADDR_SUBNET4:
1116	case IPSEC_ID_IPV6_ADDR5:
1117	case IPSEC_ID_IPV6_ADDR_SUBNET6:
1118	break;
1119
1120	case IPSEC_ID_FQDN2:
1121	/*
1122	* FQDN may be used for in NAT-T with transport mode.
1123	* We can handle the message in this case. In the
1124	* other cases we'll drop the message later.
1125	*/
1126	break;
1127
1128	default:
1129	message_drop(msg, ISAKMP_NOTIFY_INVALID_ID_INFORMATION18,
1130	0, 1, 0);
1131	return -1;
1132	}
1133	}
1134
1135	/* Handle optional client ID payloads. */
1136	idp = payload_first(msg, ISAKMP_PAYLOAD_ID5);
1137	if (idp) {
1138	/* If IDci is there, IDcr must be too. */
1139	if (!TAILQ_NEXT(idp, link)((idp)->link.tqe_next)) {
1140	/* XXX Is this a good notify type? */
1141	message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED16, 0,
1142	1, 0);
1143	return -1;
1144	}
1145	/* XXX We should really compare, not override. */
1146	ie->id_ci_sz = GET_ISAKMP_GEN_LENGTH(idp->p)field_get_num (isakmp_gen_fld + 2, idp->p);
1147	ie->id_ci = malloc(ie->id_ci_sz);
1148	if (!ie->id_ci) {
1149	log_error("initiator_recv_HASH_SA_NONCE: "
1150	"malloc (%lu) failed",
1151	(unsigned long)ie->id_ci_sz);
1152	return -1;
1153	}
1154	memcpy(ie->id_ci, idp->p, ie->id_ci_sz);
1155	idp->flags \|= PL_MARK1;
1156	LOG_DBG_BUF((LOG_NEGOTIATION, 90,log_debug_buf (LOG_NEGOTIATION, 90, "initiator_recv_HASH_SA_NONCE: IDci" , ie->id_ci + 4, ie->id_ci_sz - 4)
1157	"initiator_recv_HASH_SA_NONCE: IDci",log_debug_buf (LOG_NEGOTIATION, 90, "initiator_recv_HASH_SA_NONCE: IDci" , ie->id_ci + 4, ie->id_ci_sz - 4)
1158	ie->id_ci + ISAKMP_GEN_SZ, ie->id_ci_sz - ISAKMP_GEN_SZ))log_debug_buf (LOG_NEGOTIATION, 90, "initiator_recv_HASH_SA_NONCE: IDci" , ie->id_ci + 4, ie->id_ci_sz - 4);
1159
1160	idp = TAILQ_NEXT(idp, link)((idp)->link.tqe_next);
1161	ie->id_cr_sz = GET_ISAKMP_GEN_LENGTH(idp->p)field_get_num (isakmp_gen_fld + 2, idp->p);
1162	ie->id_cr = malloc(ie->id_cr_sz);
1163	if (!ie->id_cr) {
1164	log_error("initiator_recv_HASH_SA_NONCE: "
1165	"malloc (%lu) failed",
1166	(unsigned long)ie->id_cr_sz);
1167	return -1;
1168	}
1169	memcpy(ie->id_cr, idp->p, ie->id_cr_sz);
1170	idp->flags \|= PL_MARK1;
1171	LOG_DBG_BUF((LOG_NEGOTIATION, 90,log_debug_buf (LOG_NEGOTIATION, 90, "initiator_recv_HASH_SA_NONCE: IDcr" , ie->id_cr + 4, ie->id_cr_sz - 4)
1172	"initiator_recv_HASH_SA_NONCE: IDcr",log_debug_buf (LOG_NEGOTIATION, 90, "initiator_recv_HASH_SA_NONCE: IDcr" , ie->id_cr + 4, ie->id_cr_sz - 4)
1173	ie->id_cr + ISAKMP_GEN_SZ, ie->id_cr_sz - ISAKMP_GEN_SZ))log_debug_buf (LOG_NEGOTIATION, 90, "initiator_recv_HASH_SA_NONCE: IDcr" , ie->id_cr + 4, ie->id_cr_sz - 4);
1174	} else {
1175	/*
1176	* If client identifiers are not present in the exchange,
1177	* we fake them. RFC 2409 states:
1178	* The identities of the SAs negotiated in Quick Mode are
1179	* implicitly assumed to be the IP addresses of the ISAKMP
1180	* peers, without any constraints on the protocol or port
1181	* numbers allowed, unless client identifiers are specified
1182	* in Quick Mode.
1183	*
1184	* -- Michael Paddon (mwp@aba.net.au)
1185	*/
1186
1187	ie->flags = IPSEC_EXCH_FLAG_NO_ID1;
1188
1189	/* Get initiator and responder addresses. */
1190	msg->transport->vtbl->get_src(msg->transport, &src);
1191	msg->transport->vtbl->get_dst(msg->transport, &dst);
1192	ie->id_ci_sz = ISAKMP_ID_DATA_OFF8 + sockaddr_addrlen(src);
1193	ie->id_cr_sz = ISAKMP_ID_DATA_OFF8 + sockaddr_addrlen(dst);
1194	ie->id_ci = calloc(ie->id_ci_sz, sizeof(char));
1195	ie->id_cr = calloc(ie->id_cr_sz, sizeof(char));
1196
1197	if (!ie->id_ci \|\| !ie->id_cr) {
1198	log_error("initiator_recv_HASH_SA_NONCE: "
1199	"calloc (%lu, %lu) failed",
1200	(unsigned long)ie->id_cr_sz,
1201	(unsigned long)sizeof(char));
1202	free(ie->id_ci);
1203	ie->id_ci = 0;
1204	free(ie->id_cr);
1205	ie->id_cr = 0;
1206	return -1;
1207	}
1208	if (src->sa_family != dst->sa_family) {
1209	log_error("initiator_recv_HASH_SA_NONCE: "
1210	"sa_family mismatch");
1211	free(ie->id_ci);
1212	ie->id_ci = 0;
1213	free(ie->id_cr);
1214	ie->id_cr = 0;
1215	return -1;
1216	}
1217	switch (src->sa_family) {
1218	case AF_INET2:
1219	SET_ISAKMP_ID_TYPE(ie->id_ci, IPSEC_ID_IPV4_ADDR)field_set_num (isakmp_id_fld + 0, ie->id_ci, 1);
1220	SET_ISAKMP_ID_TYPE(ie->id_cr, IPSEC_ID_IPV4_ADDR)field_set_num (isakmp_id_fld + 0, ie->id_cr, 1);
1221	break;
1222
1223	case AF_INET624:
1224	SET_ISAKMP_ID_TYPE(ie->id_ci, IPSEC_ID_IPV6_ADDR)field_set_num (isakmp_id_fld + 0, ie->id_ci, 5);
1225	SET_ISAKMP_ID_TYPE(ie->id_cr, IPSEC_ID_IPV6_ADDR)field_set_num (isakmp_id_fld + 0, ie->id_cr, 5);
1226	break;
1227
1228	default:
1229	log_error("initiator_recv_HASH_SA_NONCE: "
1230	"unknown sa_family %d", src->sa_family);
1231	free(ie->id_ci);
1232	ie->id_ci = 0;
1233	free(ie->id_cr);
1234	ie->id_cr = 0;
1235	return -1;
1236	}
1237	memcpy(ie->id_ci + ISAKMP_ID_DATA_OFF8, sockaddr_addrdata(src),
1238	sockaddr_addrlen(src));
1239	memcpy(ie->id_cr + ISAKMP_ID_DATA_OFF8, sockaddr_addrdata(dst),
1240	sockaddr_addrlen(dst));
1241	}
1242
1243	/* Build the protection suite in our SA. */
1244	TAILQ_FOREACH(xf, &msg->payload[ISAKMP_PAYLOAD_TRANSFORM], link)for((xf) = ((&msg->payload[3])->tqh_first); (xf) != ((void*)0); (xf) = ((xf)->link.tqe_next)) {
1245	/*
1246	* XXX We could check that the proposal each transform
1247	* belongs to is unique.
1248	*/
1249
1250	if (sa_add_transform(sa, xf, exchange->initiator, &proto))
1251	return -1;
1252
1253	/* XXX Check that the chosen transform matches an offer. */
1254
1255	ipsec_decode_transform(msg, sa, proto, xf->p);
1256	}
1257
1258	/* Now remove offers that we don't need anymore. */
1259	for (proto = TAILQ_FIRST(&sa->protos)((&sa->protos)->tqh_first); proto; proto = next_proto) {
1260	next_proto = TAILQ_NEXT(proto, link)((proto)->link.tqe_next);
1261	if (!proto->chosen)
1262	proto_free(proto);
1263	}
1264
1265	if (!check_policy(exchange, sa, msg->isakmp_sa)) {
1266	message_drop(msg, ISAKMP_NOTIFY_NO_PROPOSAL_CHOSEN14, 0, 1, 0);
1267	log_print("initiator_recv_HASH_SA_NONCE: policy check failed");
1268	return -1;
1269	}
1270
1271	/* Mark the SA as handled. */
1272	sa_p->flags \|= PL_MARK1;
1273
1274	isa = sa->data;
1275	if ((isa->group_desc &&
1276	(!ie->group \|\| ie->group->id != isa->group_desc)) \|\|
1277	(!isa->group_desc && ie->group)) {
1278	log_print("initiator_recv_HASH_SA_NONCE: disagreement on PFS");
1279	return -1;
1280	}
1281	/* Copy out the initiator's nonce. */
1282	if (exchange_save_nonce(msg))
1283	return -1;
1284
1285	/* Handle the optional KEY_EXCH payload. */
1286	if (kep && ipsec_save_g_x(msg))
1287	return -1;
1288
1289	return 0;
1290	}
1291
1292	static int
1293	initiator_send_HASH(struct message *msg)
1294	{
1295	struct exchange *exchange = msg->exchange;
1296	struct ipsec_exch *ie = exchange->data;
1297	struct sa *isakmp_sa = msg->isakmp_sa;
1298	struct ipsec_sa *isa = isakmp_sa->data;
1299	struct prf *prf;
1300	u_int8_t *buf;
1301	struct hash *hash = hash_get(isa->hash);
1302
1303	/*
1304	* We want a HASH payload to start with. XXX Share with
1305	* ike_main_mode.c?
1306	*/
1307	buf = malloc(ISAKMP_HASH_SZ4 + hash->hashsize);
1308	if (!buf) {
1309	log_error("initiator_send_HASH: malloc (%lu) failed",
1310	ISAKMP_HASH_SZ4 + (unsigned long)hash->hashsize);
1311	return -1;
1312	}
1313	if (message_add_payload(msg, ISAKMP_PAYLOAD_HASH8, buf,
1314	ISAKMP_HASH_SZ4 + hash->hashsize, 1)) {
1315	free(buf);
1316	return -1;
1317	}
1318	/* Allocate the prf and start calculating our HASH(3). XXX Share? */
1319	LOG_DBG_BUF((LOG_NEGOTIATION, 90, "initiator_send_HASH: SKEYID_a",log_debug_buf (LOG_NEGOTIATION, 90, "initiator_send_HASH: SKEYID_a" , isa->skeyid_a, isa->skeyid_len)
1320	isa->skeyid_a, isa->skeyid_len))log_debug_buf (LOG_NEGOTIATION, 90, "initiator_send_HASH: SKEYID_a" , isa->skeyid_a, isa->skeyid_len);
1321	prf = prf_alloc(isa->prf_type, isa->hash, isa->skeyid_a,
1322	isa->skeyid_len);
1323	if (!prf)
1324	return -1;
1325	prf->Init(prf->prfctx);
1326	prf->Update(prf->prfctx, (unsigned char *)"\0", 1);
1327	LOG_DBG_BUF((LOG_NEGOTIATION, 90, "initiator_send_HASH: message_id",log_debug_buf (LOG_NEGOTIATION, 90, "initiator_send_HASH: message_id" , exchange->message_id, 4)
1328	exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN))log_debug_buf (LOG_NEGOTIATION, 90, "initiator_send_HASH: message_id" , exchange->message_id, 4);
1329	prf->Update(prf->prfctx, exchange->message_id,
1330	ISAKMP_HDR_MESSAGE_ID_LEN4);
1331	LOG_DBG_BUF((LOG_NEGOTIATION, 90, "initiator_send_HASH: NONCE_I_b",log_debug_buf (LOG_NEGOTIATION, 90, "initiator_send_HASH: NONCE_I_b" , exchange->nonce_i, exchange->nonce_i_len)
1332	exchange->nonce_i, exchange->nonce_i_len))log_debug_buf (LOG_NEGOTIATION, 90, "initiator_send_HASH: NONCE_I_b" , exchange->nonce_i, exchange->nonce_i_len);
1333	prf->Update(prf->prfctx, exchange->nonce_i, exchange->nonce_i_len);
1334	LOG_DBG_BUF((LOG_NEGOTIATION, 90, "initiator_send_HASH: NONCE_R_b",log_debug_buf (LOG_NEGOTIATION, 90, "initiator_send_HASH: NONCE_R_b" , exchange->nonce_r, exchange->nonce_r_len)
1335	exchange->nonce_r, exchange->nonce_r_len))log_debug_buf (LOG_NEGOTIATION, 90, "initiator_send_HASH: NONCE_R_b" , exchange->nonce_r, exchange->nonce_r_len);
1336	prf->Update(prf->prfctx, exchange->nonce_r, exchange->nonce_r_len);
1337	prf->Final(buf + ISAKMP_GEN_SZ4, prf->prfctx);
1338	prf_free(prf);
1339	LOG_DBG_BUF((LOG_NEGOTIATION, 90, "initiator_send_HASH: HASH(3)",log_debug_buf (LOG_NEGOTIATION, 90, "initiator_send_HASH: HASH(3)" , buf + 4, hash->hashsize)
1340	buf + ISAKMP_GEN_SZ, hash->hashsize))log_debug_buf (LOG_NEGOTIATION, 90, "initiator_send_HASH: HASH(3)" , buf + 4, hash->hashsize);
1341
1342	if (ie->group)
1343	message_register_post_send(msg, gen_g_xy);
1344
1345	message_register_post_send(msg, post_quick_mode);
1346
1347	return 0;
1348	}
1349
1350	static void
1351	post_quick_mode(struct message *msg)
1352	{
1353	struct sa *isakmp_sa = msg->isakmp_sa;
1354	struct ipsec_sa *isa = isakmp_sa->data;
1355	struct exchange *exchange = msg->exchange;
1356	struct ipsec_exch *ie = exchange->data;
1357	struct prf *prf;
1358	struct sa *sa;
1359	struct proto *proto;
1360	struct ipsec_proto *iproto;
1361	u_int8_t *keymat;
1362	int i;
1363
1364	/*
1365	* Loop over all SA negotiations and do both an in- and an outgoing SA
1366	* per protocol.
1367	*/
1368	for (sa = TAILQ_FIRST(&exchange->sa_list)((&exchange->sa_list)->tqh_first); sa;
1369	sa = TAILQ_NEXT(sa, next)((sa)->next.tqe_next)) {
1370	for (proto = TAILQ_FIRST(&sa->protos)((&sa->protos)->tqh_first); proto;
1371	proto = TAILQ_NEXT(proto, link)((proto)->link.tqe_next)) {
1372	if (proto->proto == IPSEC_PROTO_IPCOMP4)
1373	continue;
1374
1375	iproto = proto->data;
1376
1377	/*
1378	* There are two SAs for each SA negotiation,
1379	* incoming and outgoing.
1380	*/
1381	for (i = 0; i < 2; i++) {
1382	prf = prf_alloc(isa->prf_type, isa->hash,
1383	isa->skeyid_d, isa->skeyid_len);
1384	if (!prf) {
1385	/* XXX What to do? */
1386	continue;
1387	}
1388	ie->keymat_len = ipsec_keymat_length(proto);
1389
1390	/*
1391	* We need to roundup the length of the key
1392	* material buffer to a multiple of the PRF's
1393	* blocksize as it is generated in chunks of
1394	* that blocksize.
1395	*/
1396	iproto->keymat[i]
1397	= malloc(((ie->keymat_len + prf->blocksize - 1)
1398	/ prf->blocksize) * prf->blocksize);
1399	if (!iproto->keymat[i]) {
1400	log_error("post_quick_mode: "
1401	"malloc (%lu) failed",
1402	(((unsigned long)ie->keymat_len +
1403	prf->blocksize - 1) / prf->blocksize) *
1404	prf->blocksize);
1405	/* XXX What more to do? */
1406	free(prf);
1407	continue;
1408	}
1409	for (keymat = iproto->keymat[i];
1410	keymat < iproto->keymat[i] + ie->keymat_len;
1411	keymat += prf->blocksize) {
1412	prf->Init(prf->prfctx);
1413
1414	if (keymat != iproto->keymat[i]) {
1415	/*
1416	* Hash in last round's
1417	* KEYMAT.
1418	*/
1419	LOG_DBG_BUF((LOG_NEGOTIATION,log_debug_buf (LOG_NEGOTIATION, 90, "post_quick_mode: " "last KEYMAT" , keymat - prf->blocksize, prf->blocksize)
1420	90, "post_quick_mode: "log_debug_buf (LOG_NEGOTIATION, 90, "post_quick_mode: " "last KEYMAT" , keymat - prf->blocksize, prf->blocksize)
1421	"last KEYMAT",log_debug_buf (LOG_NEGOTIATION, 90, "post_quick_mode: " "last KEYMAT" , keymat - prf->blocksize, prf->blocksize)
1422	keymat - prf->blocksize,log_debug_buf (LOG_NEGOTIATION, 90, "post_quick_mode: " "last KEYMAT" , keymat - prf->blocksize, prf->blocksize)
1423	prf->blocksize))log_debug_buf (LOG_NEGOTIATION, 90, "post_quick_mode: " "last KEYMAT" , keymat - prf->blocksize, prf->blocksize);
1424	prf->Update(prf->prfctx,
1425	keymat - prf->blocksize,
1426	prf->blocksize);
1427	}
1428	/* If PFS is used hash in g^xy. */
1429	if (ie->g_xy) {
1430	LOG_DBG_BUF((LOG_NEGOTIATION,log_debug_buf (LOG_NEGOTIATION, 90, "post_quick_mode: " "g^xy" , ie->g_xy, ie->g_xy_len)
1431	90, "post_quick_mode: "log_debug_buf (LOG_NEGOTIATION, 90, "post_quick_mode: " "g^xy" , ie->g_xy, ie->g_xy_len)
1432	"g^xy", ie->g_xy,log_debug_buf (LOG_NEGOTIATION, 90, "post_quick_mode: " "g^xy" , ie->g_xy, ie->g_xy_len)
1433	ie->g_xy_len))log_debug_buf (LOG_NEGOTIATION, 90, "post_quick_mode: " "g^xy" , ie->g_xy, ie->g_xy_len);
1434	prf->Update(prf->prfctx,
1435	ie->g_xy, ie->g_xy_len);
1436	}
1437	LOG_DBG((LOG_NEGOTIATION, 90,log_debug (LOG_NEGOTIATION, 90, "post_quick_mode: " "suite %d proto %d" , proto->no, proto->proto)
1438	"post_quick_mode: "log_debug (LOG_NEGOTIATION, 90, "post_quick_mode: " "suite %d proto %d" , proto->no, proto->proto)
1439	"suite %d proto %d", proto->no,log_debug (LOG_NEGOTIATION, 90, "post_quick_mode: " "suite %d proto %d" , proto->no, proto->proto)
1440	proto->proto))log_debug (LOG_NEGOTIATION, 90, "post_quick_mode: " "suite %d proto %d" , proto->no, proto->proto);
1441	prf->Update(prf->prfctx, &proto->proto,
1442	1);
1443	LOG_DBG_BUF((LOG_NEGOTIATION, 90,log_debug_buf (LOG_NEGOTIATION, 90, "post_quick_mode: SPI", proto ->spi[i], proto->spi_sz[i])
1444	"post_quick_mode: SPI",log_debug_buf (LOG_NEGOTIATION, 90, "post_quick_mode: SPI", proto ->spi[i], proto->spi_sz[i])
1445	proto->spi[i], proto->spi_sz[i]))log_debug_buf (LOG_NEGOTIATION, 90, "post_quick_mode: SPI", proto ->spi[i], proto->spi_sz[i]);
1446	prf->Update(prf->prfctx,
1447	proto->spi[i], proto->spi_sz[i]);
1448	LOG_DBG_BUF((LOG_NEGOTIATION, 90,log_debug_buf (LOG_NEGOTIATION, 90, "post_quick_mode: Ni_b", exchange ->nonce_i, exchange->nonce_i_len)
1449	"post_quick_mode: Ni_b",log_debug_buf (LOG_NEGOTIATION, 90, "post_quick_mode: Ni_b", exchange ->nonce_i, exchange->nonce_i_len)
1450	exchange->nonce_i,log_debug_buf (LOG_NEGOTIATION, 90, "post_quick_mode: Ni_b", exchange ->nonce_i, exchange->nonce_i_len)
1451	exchange->nonce_i_len))log_debug_buf (LOG_NEGOTIATION, 90, "post_quick_mode: Ni_b", exchange ->nonce_i, exchange->nonce_i_len);
1452	prf->Update(prf->prfctx,
1453	exchange->nonce_i,
1454	exchange->nonce_i_len);
1455	LOG_DBG_BUF((LOG_NEGOTIATION, 90,log_debug_buf (LOG_NEGOTIATION, 90, "post_quick_mode: Nr_b", exchange ->nonce_r, exchange->nonce_r_len)
1456	"post_quick_mode: Nr_b",log_debug_buf (LOG_NEGOTIATION, 90, "post_quick_mode: Nr_b", exchange ->nonce_r, exchange->nonce_r_len)
1457	exchange->nonce_r,log_debug_buf (LOG_NEGOTIATION, 90, "post_quick_mode: Nr_b", exchange ->nonce_r, exchange->nonce_r_len)
1458	exchange->nonce_r_len))log_debug_buf (LOG_NEGOTIATION, 90, "post_quick_mode: Nr_b", exchange ->nonce_r, exchange->nonce_r_len);
1459	prf->Update(prf->prfctx,
1460	exchange->nonce_r,
1461	exchange->nonce_r_len);
1462	prf->Final(keymat, prf->prfctx);
1463	}
1464	prf_free(prf);
1465	LOG_DBG_BUF((LOG_NEGOTIATION, 90,log_debug_buf (LOG_NEGOTIATION, 90, "post_quick_mode: KEYMAT" , iproto->keymat[i], ie->keymat_len)
1466	"post_quick_mode: KEYMAT",log_debug_buf (LOG_NEGOTIATION, 90, "post_quick_mode: KEYMAT" , iproto->keymat[i], ie->keymat_len)
1467	iproto->keymat[i], ie->keymat_len))log_debug_buf (LOG_NEGOTIATION, 90, "post_quick_mode: KEYMAT" , iproto->keymat[i], ie->keymat_len);
1468	}
1469	}
1470	}
1471
1472	log_verbose("isakmpd: quick mode done%s: %s",
1473	(exchange->initiator == 0) ? " (as responder)" : "",
1474	!msg->isakmp_sa \|\| !msg->isakmp_sa->transport ? "<no transport>"
1475	: msg->isakmp_sa->transport->vtbl->decode_ids
1476	(msg->isakmp_sa->transport));
1477	}
1478
1479	/*
1480	* Accept a set of transforms offered by the initiator and chose one we can
1481	* handle.
1482	* XXX Describe in more detail.
1483	*/
1484	static int
1485	responder_recv_HASH_SA_NONCE(struct message *msg)
1486	{
1487	struct payload hashp, kep, *idp;
1488	struct sa *sa;
1489	struct sa *isakmp_sa = msg->isakmp_sa;
1490	struct ipsec_sa *isa = isakmp_sa->data;
1491	struct exchange *exchange = msg->exchange;
1492	struct ipsec_exch *ie = exchange->data;
1493	struct prf *prf;
1494	u_int8_t hash, my_hash = 0;
1495	size_t hash_len;
1496	u_int8_t *pkt = msg->iov[0].iov_base;
1497	u_int8_t group_desc = 0;
1498	int retval = -1;
1499	struct proto *proto;
1500	struct sockaddr src, dst;
1501	char *name;
1502
1503	hashp = payload_first(msg, ISAKMP_PAYLOAD_HASH8);
1504	hash = hashp->p;
1505	hashp->flags \|= PL_MARK1;
1506
1507	/* The HASH payload should be the first one. */
1508	if (hash != pkt + ISAKMP_HDR_SZ28) {
1509	/* XXX Is there a better notification type? */
1510	message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED16, 0, 1, 0);
1511	goto cleanup;
1512	}
1513	hash_len = GET_ISAKMP_GEN_LENGTH(hash)field_get_num (isakmp_gen_fld + 2, hash);
1514	my_hash = malloc(hash_len - ISAKMP_GEN_SZ4);
1515	if (!my_hash) {
1516	log_error("responder_recv_HASH_SA_NONCE: malloc (%lu) failed",
1517	(unsigned long)hash_len - ISAKMP_GEN_SZ4);
1518	goto cleanup;
1519	}
1520	/*
1521	* Check the payload's integrity.
1522	* XXX Share with ipsec_fill_in_hash?
1523	*/
1524	LOG_DBG_BUF((LOG_NEGOTIATION, 90, "responder_recv_HASH_SA_NONCE: "log_debug_buf (LOG_NEGOTIATION, 90, "responder_recv_HASH_SA_NONCE: " "SKEYID_a", isa->skeyid_a, isa->skeyid_len)
1525	"SKEYID_a", isa->skeyid_a, isa->skeyid_len))log_debug_buf (LOG_NEGOTIATION, 90, "responder_recv_HASH_SA_NONCE: " "SKEYID_a", isa->skeyid_a, isa->skeyid_len);
1526	prf = prf_alloc(isa->prf_type, isa->hash, isa->skeyid_a,
1527	isa->skeyid_len);
1528	if (!prf)
1529	goto cleanup;
1530	prf->Init(prf->prfctx);
1531	LOG_DBG_BUF((LOG_NEGOTIATION, 90,log_debug_buf (LOG_NEGOTIATION, 90, "responder_recv_HASH_SA_NONCE: message_id" , exchange->message_id, 4)
1532	"responder_recv_HASH_SA_NONCE: message_id",log_debug_buf (LOG_NEGOTIATION, 90, "responder_recv_HASH_SA_NONCE: message_id" , exchange->message_id, 4)
1533	exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN))log_debug_buf (LOG_NEGOTIATION, 90, "responder_recv_HASH_SA_NONCE: message_id" , exchange->message_id, 4);
1534	prf->Update(prf->prfctx, exchange->message_id,
1535	ISAKMP_HDR_MESSAGE_ID_LEN4);
1536	LOG_DBG_BUF((LOG_NEGOTIATION, 90,log_debug_buf (LOG_NEGOTIATION, 90, "responder_recv_HASH_SA_NONCE: message after HASH" , hash + hash_len, msg->iov[0].iov_len - 28 - hash_len)
1537	"responder_recv_HASH_SA_NONCE: message after HASH",log_debug_buf (LOG_NEGOTIATION, 90, "responder_recv_HASH_SA_NONCE: message after HASH" , hash + hash_len, msg->iov[0].iov_len - 28 - hash_len)
1538	hash + hash_len,log_debug_buf (LOG_NEGOTIATION, 90, "responder_recv_HASH_SA_NONCE: message after HASH" , hash + hash_len, msg->iov[0].iov_len - 28 - hash_len)
1539	msg->iov[0].iov_len - ISAKMP_HDR_SZ - hash_len))log_debug_buf (LOG_NEGOTIATION, 90, "responder_recv_HASH_SA_NONCE: message after HASH" , hash + hash_len, msg->iov[0].iov_len - 28 - hash_len);
1540	prf->Update(prf->prfctx, hash + hash_len,
1541	msg->iov[0].iov_len - ISAKMP_HDR_SZ28 - hash_len);
1542	prf->Final(my_hash, prf->prfctx);
1543	prf_free(prf);
1544	LOG_DBG_BUF((LOG_NEGOTIATION, 90,log_debug_buf (LOG_NEGOTIATION, 90, "responder_recv_HASH_SA_NONCE: computed HASH(1)" , my_hash, hash_len - 4)
1545	"responder_recv_HASH_SA_NONCE: computed HASH(1)", my_hash,log_debug_buf (LOG_NEGOTIATION, 90, "responder_recv_HASH_SA_NONCE: computed HASH(1)" , my_hash, hash_len - 4)
1546	hash_len - ISAKMP_GEN_SZ))log_debug_buf (LOG_NEGOTIATION, 90, "responder_recv_HASH_SA_NONCE: computed HASH(1)" , my_hash, hash_len - 4);
1547	if (memcmp(hash + ISAKMP_GEN_SZ4, my_hash, hash_len - ISAKMP_GEN_SZ4)
1548	!= 0) {
1549	message_drop(msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION23, 0,
1550	1, 0);
1551	goto cleanup;
1552	}
1553	free(my_hash);
1554	my_hash = 0;
1555
1556	/* Mark message as authenticated. */
1557	msg->flags \|= MSG_AUTHENTICATED0x10;
1558
1559	kep = payload_first(msg, ISAKMP_PAYLOAD_KEY_EXCH4);
1560	if (kep)
1561	ie->pfs = 1;
1562
1563	/* Drop message when it contains ID types we do not implement yet. */
1564	TAILQ_FOREACH(idp, &msg->payload[ISAKMP_PAYLOAD_ID], link)for((idp) = ((&msg->payload[5])->tqh_first); (idp) != ((void*)0); (idp) = ((idp)->link.tqe_next)) {
1565	switch (GET_ISAKMP_ID_TYPE(idp->p)field_get_num (isakmp_id_fld + 0, idp->p)) {
1566	case IPSEC_ID_IPV4_ADDR1:
1567	case IPSEC_ID_IPV4_ADDR_SUBNET4:
1568	case IPSEC_ID_IPV6_ADDR5:
1569	case IPSEC_ID_IPV6_ADDR_SUBNET6:
1570	break;
1571
1572	case IPSEC_ID_FQDN2:
1573	/*
1574	* FQDN may be used for in NAT-T with transport mode.
1575	* We can handle the message in this case. In the
1576	* other cases we'll drop the message later.
1577	*/
1578	break;
1579
1580	default:
1581	message_drop(msg, ISAKMP_NOTIFY_INVALID_ID_INFORMATION18,
1582	0, 1, 0);
1583	goto cleanup;
1584	}
1585	}
1586
1587	/* Handle optional client ID payloads. */
1588	idp = payload_first(msg, ISAKMP_PAYLOAD_ID5);
1589	if (idp) {
1590	/* If IDci is there, IDcr must be too. */
1591	if (!TAILQ_NEXT(idp, link)((idp)->link.tqe_next)) {
1592	/* XXX Is this a good notify type? */
1593	message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED16, 0,
1594	1, 0);
1595	goto cleanup;
1596	}
1597	ie->id_ci_sz = GET_ISAKMP_GEN_LENGTH(idp->p)field_get_num (isakmp_gen_fld + 2, idp->p);
1598	ie->id_ci = malloc(ie->id_ci_sz);
1599	if (!ie->id_ci) {
1600	log_error("responder_recv_HASH_SA_NONCE: "
1601	"malloc (%lu) failed",
1602	(unsigned long)ie->id_ci_sz);
1603	goto cleanup;
1604	}
1605	memcpy(ie->id_ci, idp->p, ie->id_ci_sz);
1606	idp->flags \|= PL_MARK1;
1607	LOG_DBG_BUF((LOG_NEGOTIATION, 90,log_debug_buf (LOG_NEGOTIATION, 90, "responder_recv_HASH_SA_NONCE: IDci" , ie->id_ci + 4, ie->id_ci_sz - 4)
1608	"responder_recv_HASH_SA_NONCE: IDci",log_debug_buf (LOG_NEGOTIATION, 90, "responder_recv_HASH_SA_NONCE: IDci" , ie->id_ci + 4, ie->id_ci_sz - 4)
1609	ie->id_ci + ISAKMP_GEN_SZ, ie->id_ci_sz - ISAKMP_GEN_SZ))log_debug_buf (LOG_NEGOTIATION, 90, "responder_recv_HASH_SA_NONCE: IDci" , ie->id_ci + 4, ie->id_ci_sz - 4);
1610
1611	idp = TAILQ_NEXT(idp, link)((idp)->link.tqe_next);
1612	ie->id_cr_sz = GET_ISAKMP_GEN_LENGTH(idp->p)field_get_num (isakmp_gen_fld + 2, idp->p);
1613	ie->id_cr = malloc(ie->id_cr_sz);
1614	if (!ie->id_cr) {
1615	log_error("responder_recv_HASH_SA_NONCE: "
1616	"malloc (%lu) failed",
1617	(unsigned long)ie->id_cr_sz);
1618	goto cleanup;
1619	}
1620	memcpy(ie->id_cr, idp->p, ie->id_cr_sz);
1621	idp->flags \|= PL_MARK1;
1622	LOG_DBG_BUF((LOG_NEGOTIATION, 90,log_debug_buf (LOG_NEGOTIATION, 90, "responder_recv_HASH_SA_NONCE: IDcr" , ie->id_cr + 4, ie->id_cr_sz - 4)
1623	"responder_recv_HASH_SA_NONCE: IDcr",log_debug_buf (LOG_NEGOTIATION, 90, "responder_recv_HASH_SA_NONCE: IDcr" , ie->id_cr + 4, ie->id_cr_sz - 4)
1624	ie->id_cr + ISAKMP_GEN_SZ, ie->id_cr_sz - ISAKMP_GEN_SZ))log_debug_buf (LOG_NEGOTIATION, 90, "responder_recv_HASH_SA_NONCE: IDcr" , ie->id_cr + 4, ie->id_cr_sz - 4);
1625	} else {
1626	/*
1627	* If client identifiers are not present in the exchange,
1628	* we fake them. RFC 2409 states:
1629	* The identities of the SAs negotiated in Quick Mode are
1630	* implicitly assumed to be the IP addresses of the ISAKMP
1631	* peers, without any constraints on the protocol or port
1632	* numbers allowed, unless client identifiers are specified
1633	* in Quick Mode.
1634	*
1635	* -- Michael Paddon (mwp@aba.net.au)
1636	*/
1637
1638	ie->flags = IPSEC_EXCH_FLAG_NO_ID1;
1639
1640	/* Get initiator and responder addresses. */
1641	msg->transport->vtbl->get_src(msg->transport, &src);
1642	msg->transport->vtbl->get_dst(msg->transport, &dst);
1643	ie->id_ci_sz = ISAKMP_ID_DATA_OFF8 + sockaddr_addrlen(src);
1644	ie->id_cr_sz = ISAKMP_ID_DATA_OFF8 + sockaddr_addrlen(dst);
1645	ie->id_ci = calloc(ie->id_ci_sz, sizeof(char));
1646	ie->id_cr = calloc(ie->id_cr_sz, sizeof(char));
	Result of 'calloc' is converted to a pointer of type 'u_int8_t', which is incompatible with sizeof operand type 'char'
1647
1648	if (!ie->id_ci \|\| !ie->id_cr) {
1649	log_error("responder_recv_HASH_SA_NONCE: "
1650	"calloc (%lu, %lu) failed",
1651	(unsigned long)ie->id_ci_sz,
1652	(unsigned long)sizeof(char));
1653	goto cleanup;
1654	}
1655	if (src->sa_family != dst->sa_family) {
1656	log_error("initiator_recv_HASH_SA_NONCE: "
1657	"sa_family mismatch");
1658	goto cleanup;
1659	}
1660	switch (src->sa_family) {
1661	case AF_INET2:
1662	SET_ISAKMP_ID_TYPE(ie->id_ci, IPSEC_ID_IPV4_ADDR)field_set_num (isakmp_id_fld + 0, ie->id_ci, 1);
1663	SET_ISAKMP_ID_TYPE(ie->id_cr, IPSEC_ID_IPV4_ADDR)field_set_num (isakmp_id_fld + 0, ie->id_cr, 1);
1664	break;
1665
1666	case AF_INET624:
1667	SET_ISAKMP_ID_TYPE(ie->id_ci, IPSEC_ID_IPV6_ADDR)field_set_num (isakmp_id_fld + 0, ie->id_ci, 5);
1668	SET_ISAKMP_ID_TYPE(ie->id_cr, IPSEC_ID_IPV6_ADDR)field_set_num (isakmp_id_fld + 0, ie->id_cr, 5);
1669	break;
1670
1671	default:
1672	log_error("initiator_recv_HASH_SA_NONCE: "
1673	"unknown sa_family %d", src->sa_family);
1674	goto cleanup;
1675	}
1676
1677	memcpy(ie->id_cr + ISAKMP_ID_DATA_OFF8, sockaddr_addrdata(src),
1678	sockaddr_addrlen(src));
1679	memcpy(ie->id_ci + ISAKMP_ID_DATA_OFF8, sockaddr_addrdata(dst),
1680	sockaddr_addrlen(dst));
1681	}
1682
1683	if (message_negotiate_sa(msg, check_policy))
1684	goto cleanup;
1685
1686	for (sa = TAILQ_FIRST(&exchange->sa_list)((&exchange->sa_list)->tqh_first); sa;
1687	sa = TAILQ_NEXT(sa, next)((sa)->next.tqe_next)) {
1688	for (proto = TAILQ_FIRST(&sa->protos)((&sa->protos)->tqh_first); proto;
1689	proto = TAILQ_NEXT(proto, link)((proto)->link.tqe_next)) {
1690	/*
1691	* XXX we need to have some attributes per proto, not
1692	* all per SA.
1693	*/
1694	ipsec_decode_transform(msg, sa, proto,
1695	proto->chosen->p);
1696	if (proto->proto == IPSEC_PROTO_IPSEC_AH2 &&
1697	!((struct ipsec_proto *)proto->data)->auth) {
1698	log_print("responder_recv_HASH_SA_NONCE: "
1699	"AH proposed without an algorithm "
1700	"attribute");
1701	message_drop(msg,
1702	ISAKMP_NOTIFY_NO_PROPOSAL_CHOSEN14, 0, 1, 0);
1703	goto next_sa;
1704	}
1705	}
1706
1707	isa = sa->data;
1708
1709	/*
1710	* The group description is mandatory if we got a KEY_EXCH
1711	* payload.
1712	*/
1713	if (kep) {
1714	if (!isa->group_desc) {
1715	log_print("responder_recv_HASH_SA_NONCE: "
1716	"KEY_EXCH payload without a group "
1717	"desc. attribute");
1718	message_drop(msg,
1719	ISAKMP_NOTIFY_NO_PROPOSAL_CHOSEN14, 0, 1, 0);
1720	continue;
1721	}
1722	/* Also, all SAs must have equal groups. */
1723	if (!group_desc)
1724	group_desc = isa->group_desc;
1725	else if (group_desc != isa->group_desc) {
1726	log_print("responder_recv_HASH_SA_NONCE: "
1727	"differing group descriptions in one QM");
1728	message_drop(msg,
1729	ISAKMP_NOTIFY_NO_PROPOSAL_CHOSEN14, 0, 1, 0);
1730	continue;
1731	}
1732	}
1733	/* At least one SA was accepted. */
1734	retval = 0;
1735
1736	next_sa:
1737	; /* XXX gcc3 wants this. */
1738	}
1739
1740	if (kep) {
1741	ie->group = group_get(group_desc);
1742	if (!ie->group) {
1743	/*
1744	* XXX If the error was due to an out-of-range group
1745	* description we should notify our peer, but this
1746	* should probably be done by the attribute
1747	* validation. Is it?
1748	*/
1749	goto cleanup;
1750	}
1751	}
1752	/* Copy out the initiator's nonce. */
1753	if (exchange_save_nonce(msg))
1754	goto cleanup;
1755
1756	/* Handle the optional KEY_EXCH payload. */
1757	if (kep && ipsec_save_g_x(msg))
1758	goto cleanup;
1759
1760	/*
1761	* Try to find and set the connection name on the exchange.
1762	*/
1763
1764	/*
1765	* Check for accepted identities as well as lookup the connection
1766	* name and set it on the exchange.
1767	*
1768	* When not using policies make sure the peer proposes sane IDs.
1769	* Otherwise this is done by KeyNote.
1770	*/
1771	name = connection_passive_lookup_by_ids(ie->id_ci, ie->id_cr);
1772	if (name) {
1773	exchange->name = strdup(name);
1774	if (!exchange->name) {
1775	log_error("responder_recv_HASH_SA_NONCE: "
1776	"strdup (\"%s\") failed", name);
1777	goto cleanup;
1778	}
1779	} else if (
1780	ignore_policy \|\|
1781	strncmp("yes", conf_get_str("General", "Use-Keynote"), 3)) {
1782	log_print("responder_recv_HASH_SA_NONCE: peer proposed "
1783	"invalid phase 2 IDs: %s",
1784	(exchange->doi->decode_ids("initiator id %s, responder"
1785	" id %s", ie->id_ci, ie->id_ci_sz, ie->id_cr,
1786	ie->id_cr_sz, 1)));
1787	message_drop(msg, ISAKMP_NOTIFY_INVALID_ID_INFORMATION18, 0, 1,
1788	0);
1789	goto cleanup;
1790	}
1791
1792	return retval;
1793
1794	cleanup:
1795	/* Remove all potential protocols that have been added to the SAs. */
1796	for (sa = TAILQ_FIRST(&exchange->sa_list)((&exchange->sa_list)->tqh_first); sa;
1797	sa = TAILQ_NEXT(sa, next)((sa)->next.tqe_next))
1798	while ((proto = TAILQ_FIRST(&sa->protos)((&sa->protos)->tqh_first)) != 0)
1799	proto_free(proto);
1800	free(my_hash);
1801	free(ie->id_ci);
1802	ie->id_ci = 0;
1803	free(ie->id_cr);
1804	ie->id_cr = 0;
1805	return -1;
1806	}
1807
1808	/* Reply with the transform we chose. */
1809	static int
1810	responder_send_HASH_SA_NONCE(struct message *msg)
1811	{
1812	struct exchange *exchange = msg->exchange;
1813	struct ipsec_exch *ie = exchange->data;
1814	struct sa *isakmp_sa = msg->isakmp_sa;
1815	struct ipsec_sa *isa = isakmp_sa->data;
1816	struct prf *prf;
1817	struct hash *hash = hash_get(isa->hash);
1818	size_t nonce_sz = exchange->nonce_i_len;
1819	u_int8_t *buf;
1820	int initiator = exchange->initiator;
1821	char header[80];
1822	u_int32_t i;
1823	u_int8_t *id;
1824	size_t sz;
1825
1826	/*
1827	* We want a HASH payload to start with. XXX Share with
1828	* ike_main_mode.c?
1829	*/
1830	buf = malloc(ISAKMP_HASH_SZ4 + hash->hashsize);
1831	if (!buf) {
1832	log_error("responder_send_HASH_SA_NONCE: malloc (%lu) failed",
1833	ISAKMP_HASH_SZ4 + (unsigned long)hash->hashsize);
1834	return -1;
1835	}
1836	if (message_add_payload(msg, ISAKMP_PAYLOAD_HASH8, buf,
1837	ISAKMP_HASH_SZ4 + hash->hashsize, 1)) {
1838	free(buf);
1839	return -1;
1840	}
1841	/* Add the SA payload(s) with the transform(s) that was/were chosen. */
1842	if (message_add_sa_payload(msg))
1843	return -1;
1844
1845	/* Generate a nonce, and add it to the message. */
1846	if (exchange_gen_nonce(msg, nonce_sz))
1847	return -1;
1848
1849	/* Generate optional KEY_EXCH payload. This is known as PFS. */
1850	if (ie->group && ipsec_gen_g_x(msg))
1851	return -1;
1852
1853	/*
1854	* If the initiator client ID's were acceptable, just mirror them
1855	* back.
1856	*/
1857	if (!(ie->flags & IPSEC_EXCH_FLAG_NO_ID1)) {
1858	sz = ie->id_ci_sz;
1859	id = malloc(sz);
1860	if (!id) {
1861	log_error("responder_send_HASH_SA_NONCE: "
1862	"malloc (%lu) failed", (unsigned long)sz);
1863	return -1;
1864	}
1865	memcpy(id, ie->id_ci, sz);
1866	LOG_DBG_BUF((LOG_NEGOTIATION, 90,log_debug_buf (LOG_NEGOTIATION, 90, "responder_send_HASH_SA_NONCE: IDic" , id, sz)
1867	"responder_send_HASH_SA_NONCE: IDic", id, sz))log_debug_buf (LOG_NEGOTIATION, 90, "responder_send_HASH_SA_NONCE: IDic" , id, sz);
1868	if (message_add_payload(msg, ISAKMP_PAYLOAD_ID5, id, sz, 1)) {
1869	free(id);
1870	return -1;
1871	}
1872	sz = ie->id_cr_sz;
1873	id = malloc(sz);
1874	if (!id) {
1875	log_error("responder_send_HASH_SA_NONCE: "
1876	"malloc (%lu) failed", (unsigned long)sz);
1877	return -1;
1878	}
1879	memcpy(id, ie->id_cr, sz);
1880	LOG_DBG_BUF((LOG_NEGOTIATION, 90,log_debug_buf (LOG_NEGOTIATION, 90, "responder_send_HASH_SA_NONCE: IDrc" , id, sz)
1881	"responder_send_HASH_SA_NONCE: IDrc", id, sz))log_debug_buf (LOG_NEGOTIATION, 90, "responder_send_HASH_SA_NONCE: IDrc" , id, sz);
1882	if (message_add_payload(msg, ISAKMP_PAYLOAD_ID5, id, sz, 1)) {
1883	free(id);
1884	return -1;
1885	}
1886	}
1887	/* Allocate the prf and start calculating our HASH(2). XXX Share? */
1888	LOG_DBG((LOG_NEGOTIATION, 90, "responder_recv_HASH: "log_debug (LOG_NEGOTIATION, 90, "responder_recv_HASH: " "isakmp_sa %p isa %p" , isakmp_sa, isa)
1889	"isakmp_sa %p isa %p", isakmp_sa, isa))log_debug (LOG_NEGOTIATION, 90, "responder_recv_HASH: " "isakmp_sa %p isa %p" , isakmp_sa, isa);
1890	LOG_DBG_BUF((LOG_NEGOTIATION, 90, "responder_send_HASH_SA_NONCE: "log_debug_buf (LOG_NEGOTIATION, 90, "responder_send_HASH_SA_NONCE: " "SKEYID_a", isa->skeyid_a, isa->skeyid_len)
1891	"SKEYID_a", isa->skeyid_a, isa->skeyid_len))log_debug_buf (LOG_NEGOTIATION, 90, "responder_send_HASH_SA_NONCE: " "SKEYID_a", isa->skeyid_a, isa->skeyid_len);
1892	prf = prf_alloc(isa->prf_type, hash->type, isa->skeyid_a,
1893	isa->skeyid_len);
1894	if (!prf)
1895	return -1;
1896	prf->Init(prf->prfctx);
1897	LOG_DBG_BUF((LOG_NEGOTIATION, 90,log_debug_buf (LOG_NEGOTIATION, 90, "responder_send_HASH_SA_NONCE: message_id" , exchange->message_id, 4)
1898	"responder_send_HASH_SA_NONCE: message_id",log_debug_buf (LOG_NEGOTIATION, 90, "responder_send_HASH_SA_NONCE: message_id" , exchange->message_id, 4)
1899	exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN))log_debug_buf (LOG_NEGOTIATION, 90, "responder_send_HASH_SA_NONCE: message_id" , exchange->message_id, 4);
1900	prf->Update(prf->prfctx, exchange->message_id,
1901	ISAKMP_HDR_MESSAGE_ID_LEN4);
1902	LOG_DBG_BUF((LOG_NEGOTIATION, 90, "responder_send_HASH_SA_NONCE: "log_debug_buf (LOG_NEGOTIATION, 90, "responder_send_HASH_SA_NONCE: " "NONCE_I_b", exchange->nonce_i, exchange->nonce_i_len)
1903	"NONCE_I_b", exchange->nonce_i, exchange->nonce_i_len))log_debug_buf (LOG_NEGOTIATION, 90, "responder_send_HASH_SA_NONCE: " "NONCE_I_b", exchange->nonce_i, exchange->nonce_i_len);
1904	prf->Update(prf->prfctx, exchange->nonce_i, exchange->nonce_i_len);
1905
1906	/* Loop over all payloads after HASH(2). */
1907	for (i = 2; i < msg->iovlen; i++) {
1908	/* XXX Misleading payload type printouts. */
1909	snprintf(header, sizeof header,
1910	"responder_send_HASH_SA_NONCE: payload %d after HASH(2)",
1911	i - 1);
1912	LOG_DBG_BUF((LOG_NEGOTIATION, 90, header, msg->iov[i].iov_base,log_debug_buf (LOG_NEGOTIATION, 90, header, msg->iov[i].iov_base , msg->iov[i].iov_len)
1913	msg->iov[i].iov_len))log_debug_buf (LOG_NEGOTIATION, 90, header, msg->iov[i].iov_base , msg->iov[i].iov_len);
1914	prf->Update(prf->prfctx, msg->iov[i].iov_base,
1915	msg->iov[i].iov_len);
1916	}
1917	prf->Final(buf + ISAKMP_HASH_DATA_OFF4, prf->prfctx);
1918	prf_free(prf);
1919	snprintf(header, sizeof header, "responder_send_HASH_SA_NONCE: "
1920	"HASH_%c", initiator ? 'I' : 'R');
1921	LOG_DBG_BUF((LOG_NEGOTIATION, 80, header, buf + ISAKMP_HASH_DATA_OFF,log_debug_buf (LOG_NEGOTIATION, 80, header, buf + 4, hash-> hashsize)
1922	hash->hashsize))log_debug_buf (LOG_NEGOTIATION, 80, header, buf + 4, hash-> hashsize);
1923
1924	if (ie->group)
1925	message_register_post_send(msg, gen_g_xy);
1926
1927	return 0;
1928	}
1929
1930	static void
1931	gen_g_xy(struct message *msg)
1932	{
1933	struct exchange *exchange = msg->exchange;
1934	struct ipsec_exch *ie = exchange->data;
1935
1936	/* Compute Diffie-Hellman shared value. */
1937	ie->g_xy_len = dh_secretlen(ie->group);
1938	ie->g_xy = malloc(ie->g_xy_len);
1939	if (!ie->g_xy) {
1940	log_error("gen_g_xy: malloc (%lu) failed",
1941	(unsigned long)ie->g_xy_len);
1942	return;
1943	}
1944	if (dh_create_shared(ie->group, ie->g_xy,
1945	exchange->initiator ? ie->g_xr : ie->g_xi)) {
1946	log_print("gen_g_xy: dh_create_shared failed");
1947	return;
1948	}
1949	LOG_DBG_BUF((LOG_NEGOTIATION, 80, "gen_g_xy: g^xy", ie->g_xy,log_debug_buf (LOG_NEGOTIATION, 80, "gen_g_xy: g^xy", ie-> g_xy, ie->g_xy_len)
1950	ie->g_xy_len))log_debug_buf (LOG_NEGOTIATION, 80, "gen_g_xy: g^xy", ie-> g_xy, ie->g_xy_len);
1951	}
1952
1953	static int
1954	responder_recv_HASH(struct message *msg)
1955	{
1956	struct exchange *exchange = msg->exchange;
1957	struct sa *isakmp_sa = msg->isakmp_sa;
1958	struct ipsec_sa *isa = isakmp_sa->data;
1959	struct prf *prf;
1960	u_int8_t hash, my_hash = 0;
1961	size_t hash_len;
1962	struct payload *hashp;
1963
1964	/* Find HASH(3) and create our own hash, just as big. */
1965	hashp = payload_first(msg, ISAKMP_PAYLOAD_HASH8);
1966	hash = hashp->p;
1967	hashp->flags \|= PL_MARK1;
1968	hash_len = GET_ISAKMP_GEN_LENGTH(hash)field_get_num (isakmp_gen_fld + 2, hash);
1969	my_hash = malloc(hash_len - ISAKMP_GEN_SZ4);
1970	if (!my_hash) {
1971	log_error("responder_recv_HASH: malloc (%lu) failed",
1972	(unsigned long)hash_len - ISAKMP_GEN_SZ4);
1973	goto cleanup;
1974	}
1975	/* Allocate the prf and start calculating our HASH(3). XXX Share? */
1976	LOG_DBG((LOG_NEGOTIATION, 90, "responder_recv_HASH: "log_debug (LOG_NEGOTIATION, 90, "responder_recv_HASH: " "isakmp_sa %p isa %p" , isakmp_sa, isa)
1977	"isakmp_sa %p isa %p", isakmp_sa, isa))log_debug (LOG_NEGOTIATION, 90, "responder_recv_HASH: " "isakmp_sa %p isa %p" , isakmp_sa, isa);
1978	LOG_DBG_BUF((LOG_NEGOTIATION, 90, "responder_recv_HASH: SKEYID_a",log_debug_buf (LOG_NEGOTIATION, 90, "responder_recv_HASH: SKEYID_a" , isa->skeyid_a, isa->skeyid_len)
1979	isa->skeyid_a, isa->skeyid_len))log_debug_buf (LOG_NEGOTIATION, 90, "responder_recv_HASH: SKEYID_a" , isa->skeyid_a, isa->skeyid_len);
1980	prf = prf_alloc(isa->prf_type, isa->hash, isa->skeyid_a,
1981	isa->skeyid_len);
1982	if (!prf)
1983	goto cleanup;
1984	prf->Init(prf->prfctx);
1985	prf->Update(prf->prfctx, (unsigned char *)"\0", 1);
1986	LOG_DBG_BUF((LOG_NEGOTIATION, 90, "responder_recv_HASH: message_id",log_debug_buf (LOG_NEGOTIATION, 90, "responder_recv_HASH: message_id" , exchange->message_id, 4)
1987	exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN))log_debug_buf (LOG_NEGOTIATION, 90, "responder_recv_HASH: message_id" , exchange->message_id, 4);
1988	prf->Update(prf->prfctx, exchange->message_id,
1989	ISAKMP_HDR_MESSAGE_ID_LEN4);
1990	LOG_DBG_BUF((LOG_NEGOTIATION, 90, "responder_recv_HASH: NONCE_I_b",log_debug_buf (LOG_NEGOTIATION, 90, "responder_recv_HASH: NONCE_I_b" , exchange->nonce_i, exchange->nonce_i_len)
1991	exchange->nonce_i, exchange->nonce_i_len))log_debug_buf (LOG_NEGOTIATION, 90, "responder_recv_HASH: NONCE_I_b" , exchange->nonce_i, exchange->nonce_i_len);
1992	prf->Update(prf->prfctx, exchange->nonce_i, exchange->nonce_i_len);
1993	LOG_DBG_BUF((LOG_NEGOTIATION, 90, "responder_recv_HASH: NONCE_R_b",log_debug_buf (LOG_NEGOTIATION, 90, "responder_recv_HASH: NONCE_R_b" , exchange->nonce_r, exchange->nonce_r_len)
1994	exchange->nonce_r, exchange->nonce_r_len))log_debug_buf (LOG_NEGOTIATION, 90, "responder_recv_HASH: NONCE_R_b" , exchange->nonce_r, exchange->nonce_r_len);
1995	prf->Update(prf->prfctx, exchange->nonce_r, exchange->nonce_r_len);
1996	prf->Final(my_hash, prf->prfctx);
1997	prf_free(prf);
1998	LOG_DBG_BUF((LOG_NEGOTIATION, 90,log_debug_buf (LOG_NEGOTIATION, 90, "responder_recv_HASH: computed HASH(3)" , my_hash, hash_len - 4)
1999	"responder_recv_HASH: computed HASH(3)", my_hash,log_debug_buf (LOG_NEGOTIATION, 90, "responder_recv_HASH: computed HASH(3)" , my_hash, hash_len - 4)
2000	hash_len - ISAKMP_GEN_SZ))log_debug_buf (LOG_NEGOTIATION, 90, "responder_recv_HASH: computed HASH(3)" , my_hash, hash_len - 4);
2001	if (memcmp(hash + ISAKMP_GEN_SZ4, my_hash, hash_len - ISAKMP_GEN_SZ4)
2002	!= 0) {
2003	message_drop(msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION23, 0,
2004	1, 0);
2005	goto cleanup;
2006	}
2007	free(my_hash);
2008
2009	/* Mark message as authenticated. */
2010	msg->flags \|= MSG_AUTHENTICATED0x10;
2011
2012	post_quick_mode(msg);
2013
2014	return 0;
2015
2016	cleanup:
2017	free(my_hash);
2018	return -1;
2019	}