/* Generate the NAT-D payload hash : HASH(CKY-I | CKY-R | IP | Port). */
static u_int8_t *
nat_t_generate_nat_d_hash(struct message *msg, struct sockaddr *sa,
size_t *hashlen)
{
struct ipsec_exch *ie = (struct ipsec_exch *)msg->exchange->data;
struct hash *hash;
u_int8_t *res;
in_port_t port;
hash = hash_get(ie->hash->type);
if (hash == NULL) {
log_print ("nat_t_generate_nat_d_hash: no hash");
return NULL;
}
*hashlen = hash->hashsize;
res = malloc(*hashlen);
if (!res) {
log_print("nat_t_generate_nat_d_hash: malloc (%lu) failed",
(unsigned long)*hashlen);
*hashlen = 0;
return NULL;
}
port = sockaddr_port(sa);
bzero(res, *hashlen);
hash->Init(hash->ctx);
hash->Update(hash->ctx, msg->exchange->cookies,
sizeof msg->exchange->cookies);
hash->Update(hash->ctx, sockaddr_addrdata(sa), sockaddr_addrlen(sa));
hash->Update(hash->ctx, (unsigned char *)&port, sizeof port);
hash->Final(res, hash->ctx);
return res;
}
/* Receive ID. */
int
ike_phase_1_recv_ID (struct message *msg)
{
struct exchange *exchange = msg->exchange;
struct payload *payload;
char header[80], *rs = 0, *rid = 0, *p;
int initiator = exchange->initiator;
u_int8_t **id, id_type;
size_t *id_len, sz;
struct sockaddr *sa;
payload = TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_ID]);
if (exchange->name)
rs = conf_get_str (exchange->name, "Remote-ID");
if (rs)
{
sz = ipsec_id_size (rs, &id_type);
if (sz == -1)
{
log_print ("ike_phase_1_recv_ID: could not handle specified "
"Remote-ID [%s]", rs);
return -1;
}
rid = malloc (sz);
if (!rid)
{
log_error ("ike_phase_1_recv_ID: malloc (%lu) failed",
(unsigned long)sz);
return -1;
}
switch (id_type)
{
case IPSEC_ID_IPV4_ADDR:
case IPSEC_ID_IPV6_ADDR:
p = conf_get_str (rs, "Address");
if (!p)
{
log_print ("ike_phase_1_recv_ID: "
"failed to get Address in Remote-ID section [%s]",
rs);
free (rid);
return -1;
}
if (text2sockaddr (p, 0, &sa) == -1)
{
log_print ("ike_phase_1_recv_ID: failed to parse address %s", p);
free (rid);
return -1;
}
if ((id_type == IPSEC_ID_IPV4_ADDR && sa->sa_family != AF_INET)
|| (id_type == IPSEC_ID_IPV6_ADDR && sa->sa_family != AF_INET6))
{
log_print ("ike_phase_1_recv_ID: "
"address %s not of expected family", p);
free (rid);
free (sa);
return -1;
}
memcpy (rid, sockaddr_addrdata (sa), sockaddr_addrlen (sa));
free (sa);
break;
case IPSEC_ID_FQDN:
case IPSEC_ID_USER_FQDN:
case IPSEC_ID_KEY_ID:
p = conf_get_str (rs, "Name");
if (!p)
{
log_print ("ike_phase_1_recv_ID: "
"failed to get Name in Remote-ID section [%s]", rs);
free (rid);
return -1;
}
memcpy (rid, p, sz);
break;
default:
log_print ("ike_phase_1_recv_ID: unsupported ID type %d", id_type);
free (rid);
return -1;
}
/* Compare expected/desired and received remote ID */
if (bcmp (rid, payload->p + ISAKMP_ID_DATA_OFF, sz))
{
free (rid);
log_print ("ike_phase_1_recv_ID: "
"received remote ID other than expected %s", p);
return -1;
}
free (rid);
}
/* Choose the right fields to fill in */
id = initiator ? &exchange->id_r : &exchange->id_i;
id_len = initiator ? &exchange->id_r_len : &exchange->id_i_len;
*id_len = GET_ISAKMP_GEN_LENGTH (payload->p) - ISAKMP_GEN_SZ;
*id = malloc (*id_len);
if (!*id)
{
log_error ("ike_phase_1_recv_ID: malloc (%lu) failed",
(unsigned long)*id_len);
return -1;
}
memcpy (*id, payload->p + ISAKMP_GEN_SZ, *id_len);
snprintf (header, sizeof header, "ike_phase_1_recv_ID: %s",
constant_name (ipsec_id_cst, GET_ISAKMP_ID_TYPE (payload->p)));
LOG_DBG_BUF ((LOG_NEGOTIATION, 40, header, payload->p + ISAKMP_ID_DATA_OFF,
*id_len + ISAKMP_GEN_SZ - ISAKMP_ID_DATA_OFF));
payload->flags |= PL_MARK;
return 0;
}
int
ike_phase_1_send_ID (struct message *msg)
{
struct exchange *exchange = msg->exchange;
u_int8_t *buf;
char header[80];
ssize_t sz;
struct sockaddr *src;
int initiator = exchange->initiator;
u_int8_t **id;
size_t *id_len;
char *my_id = 0;
u_int8_t id_type;
/* Choose the right fields to fill-in. */
id = initiator ? &exchange->id_i : &exchange->id_r;
id_len = initiator ? &exchange->id_i_len : &exchange->id_r_len;
if (exchange->name)
my_id = conf_get_str (exchange->name, "ID");
if (!my_id)
my_id = conf_get_str ("General", "Default-phase-1-ID");
msg->transport->vtbl->get_src (msg->transport, &src);
sz = my_id ? ipsec_id_size (my_id, &id_type) : sockaddr_addrlen (src);
if (sz == -1)
return -1;
sz += ISAKMP_ID_DATA_OFF;
buf = malloc (sz);
if (!buf)
{
log_error ("ike_phase_1_send_ID: malloc (%lu) failed",
(unsigned long)sz);
return -1;
}
SET_IPSEC_ID_PROTO (buf + ISAKMP_ID_DOI_DATA_OFF, 0);
SET_IPSEC_ID_PORT (buf + ISAKMP_ID_DOI_DATA_OFF, 0);
if (my_id)
{
SET_ISAKMP_ID_TYPE (buf, id_type);
switch (id_type)
{
case IPSEC_ID_IPV4_ADDR:
case IPSEC_ID_IPV6_ADDR:
/* Already in network byteorder. */
memcpy (buf + ISAKMP_ID_DATA_OFF, sockaddr_addrdata (src),
sockaddr_addrlen (src));
break;
case IPSEC_ID_FQDN:
case IPSEC_ID_USER_FQDN:
case IPSEC_ID_KEY_ID:
memcpy (buf + ISAKMP_ID_DATA_OFF, conf_get_str (my_id, "Name"),
sz - ISAKMP_ID_DATA_OFF);
break;
default:
log_print ("ike_phase_1_send_ID: unsupported ID type %d", id_type);
free (buf);
return -1;
}
}
else
{
switch (src->sa_family)
{
case AF_INET:
SET_ISAKMP_ID_TYPE (buf, IPSEC_ID_IPV4_ADDR);
break;
case AF_INET6:
SET_ISAKMP_ID_TYPE (buf, IPSEC_ID_IPV6_ADDR);
break;
}
/* Already in network byteorder. */
memcpy (buf + ISAKMP_ID_DATA_OFF, sockaddr_addrdata (src),
sockaddr_addrlen (src));
}
if (message_add_payload (msg, ISAKMP_PAYLOAD_ID, buf, sz, 1))
{
free (buf);
return -1;
}
*id_len = sz - ISAKMP_GEN_SZ;
*id = malloc (*id_len);
if (!*id)
{
log_error ("ike_phase_1_send_ID: malloc (%lu) failed",
(unsigned long)*id_len);
return -1;
}
memcpy (*id, buf + ISAKMP_GEN_SZ, *id_len);
snprintf (header, sizeof header, "ike_phase_1_send_ID: %s",
constant_name (ipsec_id_cst, GET_ISAKMP_ID_TYPE (buf)));
LOG_DBG_BUF ((LOG_NEGOTIATION, 40, header, buf + ISAKMP_ID_DATA_OFF,
sz - ISAKMP_ID_DATA_OFF));
return 0;
}
