1 /* $Id: ike_conf.c,v 1.161 2009/03/23 06:47:40 fukumoto Exp $ */
2
3 /*
4 * Copyright (C) 2004 WIDE Project.
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the project nor the names of its contributors
16 * may be used to endorse or promote products derived from this software
17 * without specific prior written permission.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * SUCH DAMAGE.
30 */
31
32 #include <config.h>
33
34 #include <stddef.h>
35 #include <stdlib.h>
36 #include <errno.h>
37 #include <limits.h>
38 #include <string.h>
39 #include <sys/types.h>
40 #include <sys/socket.h>
41 #include <netdb.h>
42 #include <netinet/in.h>
43 #include <assert.h>
44
45 #include "racoon.h"
46 #include "safefile.h"
47
48 #include "var.h"
49 #include "sockmisc.h"
50 #include "isakmp_impl.h"
51 #ifdef IKEV1
52 # include "ikev1_impl.h"
53 #endif
54 #include "ikev2_impl.h"
55 #include "dhgroup.h"
56 #include "ike_conf.h"
57 #ifdef IKEV1
58 # include "ikev1/algorithm.h"
59 # include "ikev1/ikev1_natt.h"
60 # include "ikev1/ipsec_doi.h"
61 #endif
62
63 #include "crypto_impl.h" /* for eay_get_x509() and such */
64
65 #include "plog.h"
66 #include "debug.h"
67 #ifdef DEBUG
68 # include <stdio.h>
69 #endif
70
71 static struct prop_pair *ikev2_ipsec_sa_to_proplist(struct ikev2_child_sa *,
72 int, struct rcf_sa *, int,
73 int, rc_type);
74 #ifdef IKEV1
75 static rc_type ikev1_id_to_rc(unsigned int);
76 #endif
77 static rc_type ikev2_id_to_rc(unsigned int);
78
/*
 * Names of the script hooks, indexed by the slot number handed to
 * ikev1_script()/ikev2_script().  The order is positional and must stay
 * in step with the SCRIPT_NUM index space (declared in a header not
 * visible here) -- add new hooks at the matching position.
 */
char *script_names[SCRIPT_NUM] = {
	"phase1_up", "phase1_down", "phase2_up", "phase2_down",
	"phase1_rekey", "phase2_rekey", "migration"
};
83
84 /*
85 * default values handling for struct rcf_remote
86 */
87 #ifdef IKEV1
/*
 * Compiled-in defaults for the IKEv1 side of a remote block.  The
 * IKEV1_CONF_ATTR() accessors below hand these members to IKEV1_CONF()
 * as the last-resort value.
 *
 * NOTE(review): this is a positional initializer; the trailing comments
 * name the intended struct rcf_kmp member but nothing verifies them.
 * Inserting a member into struct rcf_kmp silently shifts every value
 * after it -- the run of rc_type booleans (verify_id, verify_pubkey,
 * send_cert, ...) would not even produce a warning.  Designated
 * initializers (.verify_id = ...) would make the table robust.
 * Members not listed (e.g. the script[] table read by ikev1_script())
 * are zero-initialized.
 */
struct rcf_kmp ikev1_default_values = {
	RCT_KMP_IKEV1,			/* kmp_proto */
	NULL,				/* plog */
	RCT_BOOL_OFF,			/* passive */
	RCT_BOOL_OFF,			/* use_coa */
	NULL,				/* peers_ipaddr */
	NULL,				/* my_id */
	NULL,				/* peers_id */
	NULL,				/* my_pubkey */
	NULL,				/* peers_pubkey */
	NULL,				/* pre_shared_key */
	RCT_BOOL_OFF,			/* verify_id */
	RCT_BOOL_ON,			/* verify_pubkey */
	RCT_BOOL_ON,			/* send_cert */
	RCT_BOOL_ON,			/* send_cert_req */
	IKEV1_DEFAULT_NONCE_SIZE,	/* nonce_size */
	RCT_BOOL_ON,			/* initial_contact */
	RCT_BOOL_OFF,			/* support_proxy */
	0,				/* selector_check */
	RCT_PCT_STRICT,			/* proposal_check */
	RCT_BOOL_ON,			/* random_pad_content */
	RCT_BOOL_OFF,			/* random_padlen */
	0,				/* max_padlen */
	IKEV1_DEFAULT_RETRY,		/* max_retry_to_send */
	IKEV1_DEFAULT_INTERVAL_TO_SEND,	/* interval_to_send */
	1,				/* times_per_send */
	IKEV1_DEFAULT_LIFETIME_TIME,	/* kmp_sa_lifetime_time */
	IKEV1_DEFAULT_LIFETIME_BYTE,	/* kmp_sa_lifetime_byte */
	IKEV1_DEFAULT_NEGOTIATION_TIMEOUT,	/* kmp_sa_nego_time_limit */
	0,				/* kmp_sa_grace_period */
	IKEV1_DEFAULT_NEGOTIATION_TIMEOUT,	/* ipsec_sa_nego_time_limit */
	NULL,				/* kmp_enc_alg */
	NULL,				/* kmp_hash_alg */
	NULL,				/* kmp_prf_alg */
	NULL,				/* kmp_dh_group */
	NULL,				/* kmp_auth_method */
	0,				/* peers_kmp_port */
	RCT_EXM_MAIN,			/* exchange_mode */
	NULL,				/* my_gssapi_id */
	RCT_BOOL_OFF,			/* cookie_required */
	RCT_BOOL_OFF,			/* send_peers_id */
	RCT_BOOL_OFF,			/* need_pfs */
	RCT_BOOL_ON,			/* nat_traversal */
	IKEV1_DEFAULT_NATK_INTERVAL,	/* natk_interval */
	NULL,				/* my_principal */
	NULL,				/* peers_principal */
	0,				/* mobility_role */
	NULL,				/* addresspool */
	0,				/* config_request */
	NULL,				/* cfg_dns */
	NULL,				/* cfg_dhcp */
	NULL,				/* application_version */
	NULL,				/* mip6_home_prefix */
	RCT_BOOL_ON,			/* dpd */
	0,				/* dpd_interval */
	5,				/* dpd_retry */
	5				/* dpd_maxfails */
};
146 #endif
147
/*
 * Compiled-in defaults for the IKEv2 side of a remote block.  The
 * IKEV2_CONF_ATTR()/IKEV2_CFG() accessors below hand these members to
 * IKEV2_CONF() as the last-resort value.
 *
 * NOTE(review): positional initializer, see the remark on
 * ikev1_default_values -- the two tables must also agree with each other
 * member for member, which nothing checks.  The member commented as
 * mip6_home_prefix here is read as cfg_mip6prefix by
 * ikev2_mip6_home_prefix(); confirm which name struct rcf_kmp actually
 * uses.  Members not listed (e.g. script[]) are zero-initialized;
 * config_request = 0 means no configuration attribute is requested.
 */
struct rcf_kmp ikev2_default_values = {
	RCT_KMP_IKEV2,			/* kmp_proto */
	NULL,				/* plog */
	RCT_BOOL_OFF,			/* passive */
	RCT_BOOL_OFF,			/* use_coa */
	NULL,				/* peers_ipaddr */
	NULL,				/* my_id */
	NULL,				/* peers_id */
	NULL,				/* my_pubkey */
	NULL,				/* peers_pubkey */
	NULL,				/* pre_shared_key */
	RCT_BOOL_ON,			/* verify_id */
	RCT_BOOL_OFF,			/* verify_pubkey */
	RCT_BOOL_OFF,			/* send_cert */
	RCT_BOOL_OFF,			/* send_cert_req */
	IKEV2_DEFAULT_NONCE_SIZE,	/* nonce_size */
	RCT_BOOL_OFF,			/* initial_contact */
	RCT_BOOL_OFF,			/* support_proxy */
	RCT_PCT_EXACT,			/* selector_check */
	RCT_PCT_OBEY,			/* proposal_check */
	RCT_BOOL_OFF,			/* random_pad_content */
	RCT_BOOL_OFF,			/* random_padlen */
	0,				/* max_padlen */
	IKEV2_DEFAULT_RETRY,		/* max_retry_to_send */
	1,				/* interval_to_send */
	1,				/* times_per_send */
	IKEV2_DEFAULT_LIFETIME_TIME,	/* kmp_sa_lifetime_time */
	IKEV2_DEFAULT_LIFETIME_BYTE,	/* kmp_sa_lifetime_byte */
	IKEV2_DEFAULT_NEGOTIATION_TIMEOUT,	/* kmp_sa_nego_time_limit */
	IKEV2_DEFAULT_GRACE_PERIOD,	/* kmp_sa_grace_period */
	IKEV2_DEFAULT_NEGOTIATION_TIMEOUT,	/* ipsec_sa_nego_time_limit */
	NULL,				/* kmp_enc_alg */
	NULL,				/* kmp_hash_alg */
	NULL,				/* kmp_prf_alg */
	NULL,				/* kmp_dh_group */
	NULL,				/* kmp_auth_method */
	0,				/* peers_kmp_port */
	0,				/* exchange_mode */
	NULL,				/* my_gssapi_id */
	RCT_BOOL_OFF,			/* cookie_required */
	RCT_BOOL_OFF,			/* send_peers_id */
	RCT_BOOL_OFF,			/* need_pfs */
	RCT_BOOL_ON,			/* nat_traversal */
	IKEV2_DEFAULT_NATK_INTERVAL,	/* natk_interval */
	NULL,				/* my_principal */
	NULL,				/* peers_principal */
	0,				/* mobility_role */
	NULL,				/* addresspool */
	0,				/* config_request */
	NULL,				/* cfg_dns */
	NULL,				/* cfg_dhcp */
	NULL,				/* application_version */
	NULL,				/* mip6_home_prefix */
	RCT_BOOL_ON,			/* dpd */
	IKEV2_DEFAULT_POLLING_INTERVAL,	/* dpd_interval */
	0,				/* dpd_retry */
	0				/* dpd_maxfails */
};
206
207 #ifdef IKEV1
/*
 * Return the IKEv1 section of the configured "default" remote block,
 * or NULL when no default block (or no IKEv1 section in it) exists.
 */
struct rcf_kmp *
ikev1_default(void)
{
	extern struct rcf_default *rcf_default_head;

	if (rcf_default_head == NULL || rcf_default_head->remote == NULL)
		return NULL;
	return rcf_default_head->remote->ikev1;
}
220
/*
 * IKEV1_CONF_ATTR(type_, field_) expands to an accessor
 *
 *	type_ ikev1_<field_>(struct rcf_remote *conf)
 *
 * that resolves the effective value of member <field_> for the remote
 * block conf through the IKEV1_CONF() lookup macro (ike_conf.h, not
 * visible here), passing ikev1_default_values.<field_> as the value of
 * last resort.  The result is returned by value; pointer-typed results
 * presumably alias configuration storage and are not owned by the
 * caller -- confirm against IKEV1_CONF().
 */
#define IKEV1_CONF_ATTR(type_, field_) \
type_ \
ikev1_ ## field_(struct rcf_remote *conf) \
{ \
	type_ retval; \
	IKEV1_CONF(retval, conf, field_, ikev1_default_values.field_); \
	return retval; \
}

/* One accessor per tunable; the member list mirrors ikev1_default_values. */
IKEV1_CONF_ATTR(struct rc_log *, plog)
IKEV1_CONF_ATTR(rc_type, passive)
IKEV1_CONF_ATTR(struct rc_idlist *, my_id)
IKEV1_CONF_ATTR(struct rc_idlist *, peers_id)
IKEV1_CONF_ATTR(struct rc_pklist *, my_pubkey)
IKEV1_CONF_ATTR(struct rc_pklist *, peers_pubkey)
IKEV1_CONF_ATTR(rc_type, verify_id)
IKEV1_CONF_ATTR(rc_type, verify_pubkey)
IKEV1_CONF_ATTR(rc_type, send_cert)
IKEV1_CONF_ATTR(rc_type, send_cert_req)
IKEV1_CONF_ATTR(int, nonce_size)
IKEV1_CONF_ATTR(rc_type, support_proxy)
IKEV1_CONF_ATTR(rc_type, nat_traversal)
IKEV1_CONF_ATTR(rc_type, selector_check)
IKEV1_CONF_ATTR(rc_type, proposal_check)
IKEV1_CONF_ATTR(rc_type, random_pad_content)
IKEV1_CONF_ATTR(rc_type, random_padlen)
IKEV1_CONF_ATTR(int, max_padlen)
IKEV1_CONF_ATTR(int, max_retry_to_send)
IKEV1_CONF_ATTR(int, interval_to_send)
IKEV1_CONF_ATTR(int, times_per_send)
IKEV1_CONF_ATTR(int, kmp_sa_lifetime_time)
IKEV1_CONF_ATTR(int, kmp_sa_lifetime_byte)
IKEV1_CONF_ATTR(int, kmp_sa_nego_time_limit)
IKEV1_CONF_ATTR(int, kmp_sa_grace_period)
IKEV1_CONF_ATTR(int, ipsec_sa_nego_time_limit)
IKEV1_CONF_ATTR(struct rc_alglist *, kmp_enc_alg)
IKEV1_CONF_ATTR(struct rc_alglist *, kmp_hash_alg)
IKEV1_CONF_ATTR(struct rc_alglist *, kmp_dh_group)
IKEV1_CONF_ATTR(struct rc_alglist *, kmp_auth_method)
IKEV1_CONF_ATTR(int, peers_kmp_port)
IKEV1_CONF_ATTR(rc_type, exchange_mode)
IKEV1_CONF_ATTR(rc_vchar_t *, my_gssapi_id)
IKEV1_CONF_ATTR(rc_type, cookie_required)
IKEV1_CONF_ATTR(rc_type, need_pfs)
IKEV1_CONF_ATTR(rc_type, dpd)
IKEV1_CONF_ATTR(int, dpd_interval)
IKEV1_CONF_ATTR(int, dpd_retry)
IKEV1_CONF_ATTR(int, dpd_maxfails)
269
270
/*
 * Map the configured IKEv1 exchange mode of conf onto the ISAKMP
 * exchange type code.  Unknown modes yield 0 (no ISAKMP equivalent).
 */
int
ikev1_conf_exmode_to_isakmp(struct rcf_remote *conf)
{
	rc_type mode = ikev1_exchange_mode(conf);

	if (mode == RCT_EXM_MAIN)
		return ISAKMP_ETYPE_IDENT;
	if (mode == RCT_EXM_AGG)
		return ISAKMP_ETYPE_AGG;
	if (mode == RCT_EXM_BASE)
		return ISAKMP_ETYPE_BASE;
	return 0;	/* ??? no exchange type for this mode */
}
288
/*
 * Read the IKEv1 pre-shared key of rmconf from the configured file.
 *
 * Returns a freshly read buffer (caller frees), or NULL when rmconf has
 * no IKEv1 section, no pre_shared_key path, or the file cannot be read
 * (rcf_readfile() logs that itself).  Only the remote block is
 * consulted; the configured default section is not ("else if default?").
 */
rc_vchar_t *
ikev1_pre_shared_key(struct rcf_remote *rmconf)
{
	const char *keyfile;

	if (rmconf == NULL || rmconf->ikev1 == NULL)
		return NULL;
	if (rmconf->ikev1->pre_shared_key == NULL)
		return NULL;

	keyfile = rc_vmem2str(rmconf->ikev1->pre_shared_key);
	if (keyfile == NULL)
		return NULL;

	return rcf_readfile(keyfile, PLOGLOC, 1);
}
311
312
/*
 * Path of our own IKEv1 certificate file, or NULL when my_pubkey is not
 * configured or lacks a pubkey entry.  The string lives in rc_vmem2str()'s
 * storage and is not owned by the caller.
 */
const char *
ikev1_mycertfile(struct rcf_remote *rmconf)
{
	struct rc_pklist *keys = NULL;

	IKEV1_CONF(keys, rmconf, my_pubkey, 0);
	if (keys == NULL || keys->pubkey == NULL)	/* latter unexpected */
		return NULL;

	return rc_vmem2str(keys->pubkey);
}
326
327
/*
 * Path of our own IKEv1 private key file, or NULL when my_pubkey is not
 * configured or lacks a privkey entry.  The string lives in
 * rc_vmem2str()'s storage and is not owned by the caller.
 */
const char *
ikev1_myprivfile(struct rcf_remote *rmconf)
{
	struct rc_pklist *keys = NULL;

	IKEV1_CONF(keys, rmconf, my_pubkey, 0);
	if (keys == NULL || keys->privkey == NULL)	/* latter unexpected */
		return NULL;

	return rc_vmem2str(keys->privkey);
}
340
341
/*
 * Path of the peer's IKEv1 certificate file, or NULL when peers_pubkey is
 * not configured or lacks a pubkey entry.  The string lives in
 * rc_vmem2str()'s storage and is not owned by the caller.
 */
const char *
ikev1_peerscertfile(struct rcf_remote *rmconf)
{
	struct rc_pklist *keys = NULL;

	IKEV1_CONF(keys, rmconf, peers_pubkey, 0);
	if (keys == NULL || keys->pubkey == NULL)	/* latter unexpected */
		return NULL;

	return rc_vmem2str(keys->pubkey);
}
355
356
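/*
 * Script configured for hook slot `script` on the IKEv1 side of rmconf.
 *
 * The remote block wins; otherwise the configured default block is
 * consulted.  Returns NULL when neither supplies a script or when
 * `script` is outside the script[] table.  The string is configuration
 * storage, not owned by the caller.
 */
const char *
ikev1_script(struct rcf_remote *rmconf, int script)
{
	struct rcf_kmp *def;

	/*
	 * `script` indexes a fixed-size array; refuse anything outside it
	 * rather than read past the table.  Assumes script[] has SCRIPT_NUM
	 * entries, like script_names[] -- confirm against struct rcf_kmp.
	 */
	if (script < 0 || script >= SCRIPT_NUM)
		return NULL;

	if (rmconf && rmconf->ikev1 && rmconf->ikev1->script[script])
		return rmconf->ikev1->script[script];

	def = ikev1_default();
	if (def == NULL)
		return NULL;
	return def->script[script];
}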
375 #endif /* IKEV1 */
376
/*
 * Return the IKEv2 section of the configured "default" remote block,
 * or NULL when no default block (or no IKEv2 section in it) exists.
 */
struct rcf_kmp *
ikev2_default(void)
{
	extern struct rcf_default *rcf_default_head;

	if (rcf_default_head == NULL || rcf_default_head->remote == NULL)
		return NULL;
	return rcf_default_head->remote->ikev2;
}
389
/*
 * IKEV2_CONF_ATTR(type_, field_) expands to an accessor
 *
 *	type_ ikev2_<field_>(struct rcf_remote *conf)
 *
 * that resolves the effective value of member <field_> for the remote
 * block conf through the IKEV2_CONF() lookup macro (ike_conf.h, not
 * visible here), passing ikev2_default_values.<field_> as the value of
 * last resort.  Pointer-typed results presumably alias configuration
 * storage and are not owned by the caller -- confirm against IKEV2_CONF().
 */
#define IKEV2_CONF_ATTR(type_, field_) \
type_ \
ikev2_ ## field_(struct rcf_remote *conf) \
{ \
	type_ retval; \
	IKEV2_CONF(retval, conf, field_, ikev2_default_values.field_); \
	return retval; \
}

/* One accessor per tunable; the member list mirrors ikev2_default_values. */
IKEV2_CONF_ATTR(struct rc_log *, plog)
IKEV2_CONF_ATTR(rc_type, passive)
IKEV2_CONF_ATTR(struct rc_idlist *, my_id)
IKEV2_CONF_ATTR(struct rc_idlist *, peers_id)
IKEV2_CONF_ATTR(struct rc_pklist *, my_pubkey)
IKEV2_CONF_ATTR(struct rc_pklist *, peers_pubkey)
IKEV2_CONF_ATTR(rc_type, verify_id)
IKEV2_CONF_ATTR(int, nonce_size)
IKEV2_CONF_ATTR(rc_type, selector_check)
IKEV2_CONF_ATTR(rc_type, random_pad_content)
IKEV2_CONF_ATTR(rc_type, random_padlen)
IKEV2_CONF_ATTR(int, max_padlen)
IKEV2_CONF_ATTR(int, max_retry_to_send)
IKEV2_CONF_ATTR(int, interval_to_send)
IKEV2_CONF_ATTR(int, times_per_send)
IKEV2_CONF_ATTR(int, kmp_sa_lifetime_time)
IKEV2_CONF_ATTR(int, kmp_sa_lifetime_byte)
IKEV2_CONF_ATTR(int, kmp_sa_nego_time_limit)
IKEV2_CONF_ATTR(int, kmp_sa_grace_period)
IKEV2_CONF_ATTR(int, ipsec_sa_nego_time_limit)
IKEV2_CONF_ATTR(struct rc_alglist *, kmp_enc_alg)
IKEV2_CONF_ATTR(struct rc_alglist *, kmp_hash_alg)
IKEV2_CONF_ATTR(struct rc_alglist *, kmp_prf_alg)
IKEV2_CONF_ATTR(struct rc_alglist *, kmp_dh_group)
IKEV2_CONF_ATTR(struct rc_alglist *, kmp_auth_method)
IKEV2_CONF_ATTR(int, peers_kmp_port)
IKEV2_CONF_ATTR(rc_type, cookie_required)
IKEV2_CONF_ATTR(rc_type, send_peers_id)
IKEV2_CONF_ATTR(rc_type, nat_traversal)
IKEV2_CONF_ATTR(int, natk_interval)
IKEV2_CONF_ATTR(rc_type, need_pfs)
IKEV2_CONF_ATTR(rc_vchar_t *, application_version)
IKEV2_CONF_ATTR(int, dpd_interval)
432
/*
 * Whether a configuration payload is mandatory for the peer conf.
 * Not configurable yet: always RCT_BOOL_OFF, conf is ignored.
 */
rc_type
ikev2_config_required(struct rcf_remote *conf)
{
	(void)conf;	/* no per-remote setting exists for this yet */
	return RCT_BOOL_OFF;
}
437
/*
 * Look up the address pool whose index equals name.
 *
 * On success stores the pool in *pool and returns 0; returns -1 (leaving
 * *pool untouched) when no pool matches.
 */
int
rcf_get_addresspool(rc_vchar_t *name, struct rcf_addresspool **pool)
{
	extern struct rcf_addresspool *rcf_addresspool_head;
	struct rcf_addresspool *entry;

	for (entry = rcf_addresspool_head; entry != NULL; entry = entry->next) {
		if (rc_vmemcmp(entry->index, name) != 0)
			continue;
		*pool = entry;
		return 0;
	}
	return -1;
}
454
/*
 * Address pool assigned to the IKEv2 side of conf, resolved from the
 * configured pool name; NULL when no pool is named or the name does not
 * resolve.
 */
struct rcf_addresspool *
ikev2_addresspool(struct rcf_remote *conf)
{
	rc_vchar_t *pool_name = NULL;
	struct rcf_addresspool *pool = NULL;

	IKEV2_CONF(pool_name, conf, addresspool, NULL);
	if (pool_name == NULL)
		return NULL;

	if (rcf_get_addresspool(pool_name, &pool) != 0)
		return NULL;
	return pool;
}
469
/*
 * IKEV2_CFG(fname, bit) defines the predicate
 *
 *	rc_type fname(struct rcf_remote *conf)
 *
 * which reports whether `bit` is set in the effective config_request
 * bitmask of conf (resolved through IKEV2_CONF(), with
 * ikev2_default_values.config_request -- 0, nothing requested -- as the
 * fallback).  Each predicate returns RCT_BOOL_ON/RCT_BOOL_OFF rather than
 * the raw mask so callers compare against rc_type like other settings.
 */
#define IKEV2_CFG(fname, bit) \
rc_type \
fname(struct rcf_remote *conf) \
{ \
	int val; \
	\
	IKEV2_CONF(val, conf, config_request, \
		   ikev2_default_values.config_request); \
	if (val & bit) \
		return RCT_BOOL_ON; \
	else \
		return RCT_BOOL_OFF; \
}

/* One predicate per configuration attribute we may request from the peer. */
IKEV2_CFG(ikev2_cfg_application_version, RCF_REQ_APPLICATION_VERSION)
IKEV2_CFG(ikev2_cfg_ip4_dns, RCF_REQ_IP4_DNS)
IKEV2_CFG(ikev2_cfg_ip6_dns, RCF_REQ_IP6_DNS)
IKEV2_CFG(ikev2_cfg_ip4_dhcp, RCF_REQ_IP4_DHCP)
IKEV2_CFG(ikev2_cfg_ip6_dhcp, RCF_REQ_IP6_DHCP)
IKEV2_CFG(ikev2_cfg_mip6prefix, RCF_REQ_MIP6_HOME_PREFIX)
IKEV2_CFG(ikev2_cfg_ip4_address, RCF_REQ_IP4_ADDRESS)
IKEV2_CFG(ikev2_cfg_ip6_address, RCF_REQ_IP6_ADDRESS)

#undef IKEV2_CFG
494
/*
 * DNS server list to hand out to (or expect from) the IKEv2 peer conf,
 * falling back to ikev2_default_values.cfg_dns (NULL).
 */
struct rc_addrlist *
ikev2_dns(struct rcf_remote *conf)
{
	struct rc_addrlist *servers = NULL;

	IKEV2_CONF(servers, conf, cfg_dns, ikev2_default_values.cfg_dns);
	return servers;
}
503
/*
 * DHCP server list configured for the IKEv2 peer conf, falling back to
 * ikev2_default_values.cfg_dhcp (NULL).
 */
struct rc_addrlist *
ikev2_dhcp(struct rcf_remote *conf)
{
	struct rc_addrlist *servers = NULL;

	IKEV2_CONF(servers, conf, cfg_dhcp, ikev2_default_values.cfg_dhcp);
	return servers;
}
512
/*
 * MIPv6 home prefix list configured for the IKEv2 peer conf, falling
 * back to ikev2_default_values.cfg_mip6prefix.
 *
 * NOTE(review): the member accessed here is cfg_mip6prefix, while the
 * default table above annotates the corresponding slot as
 * mip6_home_prefix; confirm both refer to the same struct rcf_kmp member.
 */
struct rc_addrlist *
ikev2_mip6_home_prefix(struct rcf_remote *conf)
{
	struct rc_addrlist *prefixes = NULL;

	IKEV2_CONF(prefixes, conf, cfg_mip6prefix,
		   ikev2_default_values.cfg_mip6prefix);
	return prefixes;
}
521
/*
 * Maximum number of IPv4 addresses that may be allocated to conf.
 * Stub: no limit is configurable yet, so 0 is returned for every conf.
 */
int
ike_max_ip4_alloc(struct rcf_remote *conf)
{
	(void)conf;	/* stub */
	return 0;
}
528
/*
 * Maximum number of IPv6 addresses that may be allocated to conf.
 * Stub: no limit is configurable yet, so 0 is returned for every conf.
 */
int
ike_max_ip6_alloc(struct rcf_remote *conf)
{
	(void)conf;	/* stub */
	return 0;
}
535
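/*
 * Script configured for hook slot `script` on the IKEv2 side of rmconf.
 *
 * The remote block wins; otherwise the configured default block is
 * consulted.  Returns NULL when neither supplies a script or when
 * `script` is outside the script[] table.  The string is configuration
 * storage, not owned by the caller.
 */
const char *
ikev2_script(struct rcf_remote *rmconf, int script)
{
	struct rcf_kmp *def;

	/*
	 * `script` indexes a fixed-size array; refuse anything outside it
	 * rather than read past the table.  Assumes script[] has SCRIPT_NUM
	 * entries, like script_names[] -- confirm against struct rcf_kmp.
	 */
	if (script < 0 || script >= SCRIPT_NUM)
		return NULL;

	if (rmconf && rmconf->ikev2 && rmconf->ikev2->script[script])
		return rmconf->ikev2->script[script];

	def = ikev2_default();
	if (def == NULL)
		return NULL;
	return def->script[script];
}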
554
/*
 * Configured default values for struct rcf_sa, or NULL when no default
 * block exists.
 */
struct rcf_sa *
sa_default(void)
{
	extern struct rcf_default *rcf_default_head;

	return rcf_default_head != NULL ? rcf_default_head->sa : NULL;
}
568
/*
 * Configured default values for struct rcf_ipsec, or NULL when no default
 * block exists.
 */
struct rcf_ipsec *
ipsec_default(void)
{
	extern struct rcf_default *rcf_default_head;

	return rcf_default_head != NULL ? rcf_default_head->ipsec : NULL;
}
582
/*
 * Configured default values for struct rcf_policy, or NULL when no
 * default block exists.
 */
struct rcf_policy *
policy_default(void)
{
	extern struct rcf_default *rcf_default_head;

	return rcf_default_head != NULL ? rcf_default_head->policy : NULL;
}
596
/*
 * Effective IPsec mode for policy pl: the policy's own setting if present,
 * else the configured default, else RCT_IPSM_TUNNEL.
 */
rc_type
ike_ipsec_mode(struct rcf_policy *pl)
{
	rc_type mode;

	if (pl != NULL && pl->ipsec_mode)	/* XXX explicit setting wins */
		return pl->ipsec_mode;

	/* POLICY_DEFAULT() (ike_conf.h) fills in the default-block value or the fallback */
	POLICY_DEFAULT(mode, ipsec_mode, RCT_IPSM_TUNNEL);
	return mode;
}
608
/*
 * Bitmask of key-management protocols acceptable for conf: the remote
 * block's own value, else the default block's, else 0 (none).
 */
uint
ike_acceptable_kmp(struct rcf_remote *conf)
{
	extern struct rcf_default *rcf_default_head;

	if (conf != NULL && conf->acceptable_kmp != 0)
		return conf->acceptable_kmp;

	if (rcf_default_head == NULL || rcf_default_head->remote == NULL)
		return 0;
	return rcf_default_head->remote->acceptable_kmp;
}
624
/*
 * Protocol to initiate with for remote: the remote block's own setting,
 * else the default block's, else RCT_KMP_IKEV2.
 */
rc_type
ike_initiate_kmp(struct rcf_remote *remote)
{
	extern struct rcf_default *rcf_default_head;
	rc_type kmp = 0;

	if (remote != NULL)
		kmp = remote->initiate_kmp;	/* XXX */
	if (kmp == 0 && rcf_default_head != NULL &&
	    rcf_default_head->remote != NULL)
		kmp = rcf_default_head->remote->initiate_kmp;	/* XXX */

	return kmp != 0 ? kmp : RCT_KMP_IKEV2;
}
640
641 #ifdef HAVE_SIGNING_C
#if 0
/*
 * asn1_sprint -- render an ASN.1 identifier for log output.
 *
 * Compiled out.  As written it would not build: the ASN1_item_print()
 * call is missing its second argument, `ptr` is never declared, id_len
 * is unused and bio is never freed.  Kept only as a sketch; the TRACE()
 * calls that would use it in ikev2_public_key()/ikev2_private_key() are
 * commented out as well.
 */
rc_vchar_t *
asn1_sprint(uint8_t *id, size_t id_len)
{
	size_t len;
	rc_vchar_t *buf;
	BIO *bio;

	bio = BIO_new(BIO_mem_s());
	ASN1_item_print(bio,, 0, id);
	len = BIO_get_mem_data(bio, &ptr);
	buf = rbuf_getvb(len);
	if (!buf)
		return 0;
	memcpy(buf->v, ptr, len);
	return buf;
}
#endif
663
/*
 * Locate a usable public key for the peer of ike_sa.
 *
 * Walks rmconf->ikev2->peers_pubkey in order and returns the public key
 * of the first entry whose certificate can be read and passes
 * eay_check_x509cert(); NULL when no entry qualifies (an error is logged
 * per failing entry, plus "no matching public key" at the end).  The
 * returned buffer is allocated for the caller.  due_time is passed
 * through to eay_get_x509_pubkey().
 *
 * NOTE(review): despite the heading, id_data is not consulted -- the
 * peers_id matching is compiled out under #if 0 below, so the key is
 * chosen by list order only.  With several peers_pubkey entries the
 * peer's claimed identity does not influence which key is selected
 * here; confirm that the identity/key binding is enforced by the caller.
 */
/*ARGSUSED*/
rc_vchar_t *
ikev2_public_key(struct ikev2_sa *ike_sa, rc_vchar_t *id_data,
		 struct timeval *due_time)
{
	struct rc_pklist *pk;
	rc_vchar_t *cert = 0;
	rc_vchar_t *pubkey = 0;
	int err;

	/* TRACE((PLOGLOC, "looking for public key for id %s\n", asn1_sprint(id, id_len))); */
#if 0
	struct rc_idlist *id;
	struct ikev2payl_ident_h *idh;
	rc_vchar_t *peer_id = 0;
	rc_type peer_id_type;

	idh = (struct ikev2payl_ident_h *)id_data->v;
	peer_id = rc_vnew((uint8_t *)(idh + 1), id_data->l - sizeof(*idh));
	if (!peer_id)
		goto fail_nomem;
	peer_id_type = ikev2_id_to_rc(idh->id_type);
	for (id = ike_sa->rmconf->ikev2->peers_id; id; id = id->next) {
		if (ike_compare_id(peer_id_type, peer_id, id) == 0)
			goto found;
	}
	plog(PLOG_PROTOERR, PLOGLOC, 0,
	     "peer ID does not match config\n");
	goto done;

found:
#endif
	for (pk = ike_sa->rmconf->ikev2->peers_pubkey; pk; pk = pk->next) {
		switch (pk->ftype) {
		case RCT_FTYPE_X509PEM:
			cert = eay_get_x509cert(rc_vmem2str(pk->pubkey));
			if (!cert) {
				plog(PLOG_INTERR, PLOGLOC, 0,
				     "failed reading cert file (%s)\n",
				     rc_vmem2str(pk->pubkey));
				goto next_pk;
			}

			/*
			 * Also entered from the PKCS#12 case below once it has
			 * extracted a certificate; `cert` is owned by this
			 * function from here on.  The NULL second argument's
			 * meaning is defined in crypto_impl -- confirm what
			 * trust anchors the check uses.
			 */
		x509cert:
			err = eay_check_x509cert(cert, NULL);
			if (err) {
				plog(PLOG_INTERR, PLOGLOC, 0,
				     "failed verifying certificate authrotiy of cert (%s)\n",
				     rc_vmem2str(pk->pubkey));
				goto next_pk;
			}
			TRACE((PLOGLOC, "using %s\n", rc_vmem2str(pk->pubkey)));
			pubkey = eay_get_x509_pubkey(cert, due_time);
			if (!pubkey) {
				/* message text is misleading: the file was read, key extraction failed */
				plog(PLOG_INTERR, PLOGLOC, 0,
				     "failed reading cert file (%s)\n",
				     rc_vmem2str(pk->pubkey));
				goto next_pk;
			}
			rc_vfree(cert);
			goto done;	/* skips next_pk, so cert is not freed twice */
			break;		/* not reached */
		case RCT_FTYPE_PKCS12:
			{
				rc_vchar_t *pk12;
				char *passphrase = 0;	/* XXX no passphrase support: presumably only unprotected bundles open */

				pk12 = eay_get_pkcs12(rc_vmem2str(pk->pubkey));
				if (pk12) {
					cert = eay_get_pkcs12_x509cert(pk12,
								       passphrase);
					rc_vfree(pk12);
					if (cert)
						goto x509cert;	/* verify and extract like a PEM cert */
					plog(PLOG_INTERR, PLOGLOC, 0,
					     "failed extracting X509 cert from PKCS#12 file (%s)\n",
					     rc_vmem2str(pk->pubkey));
				}
			}
			break;
		case RCT_FTYPE_ASCII:
		default:
			plog(PLOG_INTERR, PLOGLOC, 0,
			     "unsupported public key type (%s)\n",
			     rct2str(pk->ftype));
			break;
		}

		/* common per-entry cleanup for every path that did not succeed */
	next_pk:
		if (cert)
			rc_vfree(cert);
		cert = 0;
	}
	if (!pk) {	/* loop ran off the end without a `goto done` */
		plog(PLOG_PROTOERR, PLOGLOC, 0, "no matching public key\n");
	}
done:
#if 0
	if (peer_id)
		rc_vfree(peer_id);
#endif
	return pubkey;

#if 0
fail_nomem:
	plog(PLOG_INTERR, PLOGLOC, 0, "failed allocating memory\n");
	goto done;
#endif
}
776
/*
 * Find the private key this side signs with, from rmconf->ikev2->my_pubkey.
 *
 * Entries are visited in list order.  For an X509PEM entry the
 * certificate is opened only as a readability check (its contents are
 * not matched against id_data) and the search ends at that entry, with
 * the key read from pk->privkey or NULL.  For a PKCS#12 entry, failure to
 * extract the certificate or the key skips to the next entry.  Returns
 * the first key obtained (allocated for the caller) or NULL.
 *
 * NOTE(review): id_data is accepted but never read, so with more than
 * one my_pubkey entry the selection is by list order, not by identity.
 * NOTE(review): the PEM and PKCS#12 branches disagree on how to treat a
 * bad entry (goto done vs. continue); confirm which is intended.
 */
rc_vchar_t *
ikev2_private_key(struct ikev2_sa *ike_sa, rc_vchar_t *id_data)
{
	struct rc_pklist *pk;
	rc_vchar_t *cert;
	rc_vchar_t *privkey = 0;

	/* TRACE((PLOGLOC, "looking for private key for id %s\n", asn1_sprint(id, id_len))); */
	for (pk = ike_sa->rmconf->ikev2->my_pubkey; pk; pk = pk->next) {
		switch (pk->ftype) {
		case RCT_FTYPE_X509PEM:
			cert = eay_get_x509cert(rc_vmem2str(pk->pubkey));
			if (!cert) {
				plog(PLOG_INTERR, PLOGLOC, 0,
				     "failed reading pubkey (%s)\n",
				     rc_vmem2str(pk->pubkey));
				goto done;	/* gives up entirely, unlike the PKCS#12 case */
			}
			/* pk->privkey presumably always set for PEM entries -- confirm; rc_vmem2str(NULL) is otherwise reached */
			privkey = eay_get_pkcs1privkey(rc_vmem2str(pk->privkey));
			if (!privkey)
				isakmp_log(ike_sa, 0, 0, 0,
					   PLOG_INTERR, PLOGLOC,
					   "failed reading private key (%s)\n",
					   rc_vmem2str(pk->privkey));
			rc_vfree(cert);
			goto done;
			break;	/* not reached */
		case RCT_FTYPE_PKCS12:
			{
				rc_vchar_t *pk12;
				char *passphrase = 0;	/* XXX no passphrase support: presumably only unprotected bundles open */

				pk12 = eay_get_pkcs12(rc_vmem2str(pk->pubkey));
				if (pk12) {
					cert = eay_get_pkcs12_x509cert(pk12,
								       passphrase);
					if (!cert) {
						rc_vfree(pk12);
						continue;
					}
					privkey = eay_get_pkcs12_privkey(pk12,
									 passphrase);
					rc_vfree(cert);
					rc_vfree(pk12);
					if (!privkey) {
						plog(PLOG_INTERR, PLOGLOC, 0,
						     "failed extracting private key from PKCS#12 file (%s)\n",
						     rc_vmem2str(pk->pubkey));
						continue;
					}
					goto done;
				}
				/* unreadable PKCS#12 file: silently try the next entry */
			}
			break;
		case RCT_FTYPE_ASCII:
		default:
			plog(PLOG_INTERR, PLOGLOC, 0,
			     "unsupported public key type (%s)\n",
			     rct2str(pk->ftype));
			break;
		}
	}
done:
	return privkey;
}
847 #endif
848
/*
 * Read the IKEv2 pre-shared key for ike_sa's remote block from the
 * configured file.
 *
 * Returns a freshly read buffer (caller frees), or NULL when the remote
 * block has no IKEv2 section, no pre_shared_key path, or the file cannot
 * be read (rcf_readfile() logs that itself).  The configured default
 * section is not consulted ("else if default?").
 */
rc_vchar_t *
ikev2_pre_shared_key(struct ikev2_sa *ike_sa)
{
	struct rcf_remote *rmconf = ike_sa->rmconf;
	const char *keyfile;

	if (rmconf == NULL || rmconf->ikev2 == NULL)
		return NULL;
	if (rmconf->ikev2->pre_shared_key == NULL)
		return NULL;

	keyfile = rc_vmem2str(rmconf->ikev2->pre_shared_key);
	if (keyfile == NULL)
		return NULL;

	return rcf_readfile(keyfile, PLOGLOC, 1);
}
871
/*
 * Find the IKEv1 remote block configured for the peer address addr;
 * NULL when none matches.
 */
struct rcf_remote *
ikev1_conf_find(struct sockaddr *addr)
{
	struct rcf_remote *found = NULL;

	if (rcf_get_remotebyaddr(addr, RCT_KMP_IKEV1, &found) == 0)
		return found;
	return NULL;
}
885
/*
 * Find the IKEv2 remote block configured for the peer address addr;
 * NULL when none matches (no log: callers decide whether that is an
 * error).
 */
struct rcf_remote *
ikev2_conf_find(struct sockaddr *addr)
{
	struct rcf_remote *found = NULL;

	if (rcf_get_remotebyaddr(addr, RCT_KMP_IKEV2, &found) == 0)
		return found;
	/* isakmp_log(0, 0, 0, 0, PLOG_PROTOERR, PLOGLOC,
	   "failure in finding configuration for remote host\n"); */
	return NULL;
}
898
899 #ifdef IKEV1
/*
 * Map an IPsec DOI identification type onto the configuration's RCT_IDT_*
 * code.  DER_ASN1_GN and unknown types have no equivalent and yield 0.
 */
static rc_type
ikev1_id_to_rc(unsigned int id_type)
{
	rc_type rc = 0;	/* ??? no mapping */

	switch (id_type) {
	case IPSECDOI_ID_IPV4_ADDR:
	case IPSECDOI_ID_IPV6_ADDR:
		rc = RCT_IDT_IPADDR;
		break;
	case IPSECDOI_ID_FQDN:
		rc = RCT_IDT_FQDN;
		break;
	case IPSECDOI_ID_USER_FQDN:
		rc = RCT_IDT_USER_FQDN;
		break;
	case IPSECDOI_ID_KEY_ID:
		rc = RCT_IDT_KEYID;
		break;
	case IPSECDOI_ID_DER_ASN1_DN:
		rc = RCT_IDT_X509_SUBJECT;
		break;
	case IPSECDOI_ID_DER_ASN1_GN:
	default:
		break;
	}
	return rc;
}
922 #endif
923
/*
 * Map an IKEv2 identification type onto the configuration's RCT_IDT_*
 * code.  DER_ASN1_GN and unknown types have no equivalent and yield 0.
 */
static rc_type
ikev2_id_to_rc(unsigned int id_type)
{
	rc_type rc = 0;	/* ??? no mapping */

	switch (id_type) {
	case IKEV2_ID_IPV4_ADDR:
	case IKEV2_ID_IPV6_ADDR:
		rc = RCT_IDT_IPADDR;
		break;
	case IKEV2_ID_FQDN:
		rc = RCT_IDT_FQDN;
		break;
	case IKEV2_ID_RFC822_ADDR:
		rc = RCT_IDT_USER_FQDN;
		break;
	case IKEV2_ID_KEY_ID:
		rc = RCT_IDT_KEYID;
		break;
	case IKEV2_ID_DER_ASN1_DN:
		rc = RCT_IDT_X509_SUBJECT;
		break;
	case IKEV2_ID_DER_ASN1_GN:
	default:
		break;
	}
	return rc;
}
946
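/*
 * Convert the numeric notation of an IP address into binary form.
 *
 * s  : address text (converted through rc_vmem2str()).
 * af : if non-NULL, receives the address family (AF_INET / AF_INET6) of
 *      the converted address.
 * Returns a newly allocated rc_vchar_t holding the raw address bytes,
 * or 0 on failure; failures are logged here.
 *
 * AI_NUMERICHOST is set, so this never performs a name lookup -- a host
 * name instead of a literal is rejected by getaddrinfo().  When several
 * entries come back only the first usable one is converted and a warning
 * is logged for the rest.
 */
rc_vchar_t *
ike_aton(rc_vchar_t *s, int *af)
{
	const char *nodename;
	struct addrinfo hint;
	struct addrinfo *info = NULL;
	struct addrinfo *p;
	int err;
	uint8_t *a;
	size_t alen;
	rc_vchar_t *data = 0;

	nodename = rc_vmem2str(s);	/* value in ring buf; no need to free here */
	if (!nodename)
		return 0;

	/*
	 * Clear the whole structure before filling in the members we care
	 * about: setting the eight POSIX members one by one left any
	 * implementation-specific members of struct addrinfo uninitialized.
	 */
	memset(&hint, 0, sizeof(hint));
	hint.ai_flags = AI_NUMERICHOST;
	hint.ai_family = PF_UNSPEC;
	hint.ai_socktype = SOCK_DGRAM;
	hint.ai_protocol = IPPROTO_UDP;

	err = getaddrinfo(nodename, NULL, &hint, &info);
	if (err) {
		isakmp_log(0, 0, 0, 0,
			   PLOG_INTERR, PLOGLOC,
			   "getaddrinfo(%s): %s\n",
			   nodename, gai_strerror(err));
		return 0;
	} else if (info == 0) {
		isakmp_log(0, 0, 0, 0,
			   PLOG_INTERR, PLOGLOC,
			   "getaddrinfo(%s) returned null list\n",
			   nodename);
		return 0;
	}
	for (p = info; p; p = p->ai_next) {
		if (p->ai_addr) {
			switch (SOCKADDR_FAMILY(p->ai_addr)) {
			case AF_INET:
				a = (uint8_t *)&((struct sockaddr_in *)p->ai_addr)->sin_addr;
				alen = sizeof(struct in_addr);
				break;
#ifdef INET6
			case AF_INET6:
				a = (uint8_t *)&((struct sockaddr_in6 *)p->ai_addr)->sin6_addr;
				alen = sizeof(struct in6_addr);
				break;
#endif
			default:
				isakmp_log(0, 0, 0, 0,
					   PLOG_INTWARN, PLOGLOC,
					   "ignoring unsupported address (family %d) returned by getaddrinfo(%s)\n",
					   SOCKADDR_FAMILY(p->ai_addr),
					   nodename);
				continue;
			}
			data = rc_vnew(a, alen);
			if (!data)
				goto fail_nomem;
			if (af)
				*af = SOCKADDR_FAMILY(p->ai_addr);
			if (p->ai_next) {
				isakmp_log(0, 0, 0, 0,
					   PLOG_INTWARN, PLOGLOC,
					   "ignoring extraneous values returned by getaddrinfo(%s)\n",
					   nodename);
			}
			break;
		}
	}
fail_nomem:
	/* data is 0 on the allocation-failure path and when nothing usable was found */
	freeaddrinfo(info);
	return data;
}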
1028
/*
 * Convert a configured identifier (struct rc_idlist entry) into the ID
 * payload content sent on the wire (excluding the payload header).
 *
 * id      : configuration entry; NULL yields 0.
 * id_type : receives the IKEV2_ID_* code of the returned data (must be
 *           non-NULL).  The identifier type codes are common between
 *           IKEv1 (IPsec DOI) and IKEv2, so the same value serves both.
 * Returns a newly allocated buffer (caller frees), or 0 on any failure;
 * each failure path logs its own reason.
 *
 * Per identifier type:
 *   IPADDR        numeric address text -> binary via ike_aton(); the
 *                 address family selects IPV4_ADDR vs IPV6_ADDR.
 *   USER_FQDN     value copied verbatim.
 *   FQDN          value copied verbatim.
 *   KEYID         value copied verbatim when idqual is RCT_IDQ_TAG,
 *                 otherwise the value names a file whose contents are
 *                 used.
 *   X509_SUBJECT  value names a certificate file; its DER subjectName is
 *                 extracted.  Only with HAVE_SIGNING_C -- otherwise the
 *                 type falls through to "unsupported".
 */
rc_vchar_t *
ike_identifier_data(struct rc_idlist *id, int *id_type)
{
	rc_vchar_t *data = 0;

	if (!id)
		return 0;
	assert(id_type != 0);

	switch (id->idtype) {
	case RCT_IDT_IPADDR:
		/* convert numeric address string into binary */
		{
			int af;

			data = ike_aton(id->id, &af);
			if (!data)
				return 0;
			switch (af) {
			case AF_INET:
				*id_type = IKEV2_ID_IPV4_ADDR;
				break;
#ifdef INET6
			case AF_INET6:
				*id_type = IKEV2_ID_IPV6_ADDR;
				break;
#endif
			default:	/* shouldn't happen: addrbuf must be 0 */
				rc_vfree(data);
				return 0;
			}
		}
		break;

	case RCT_IDT_USER_FQDN:
		*id_type = IKEV2_ID_RFC822_ADDR;
		data = rc_vdup(id->id);
		break;
	case RCT_IDT_FQDN:
		*id_type = IKEV2_ID_FQDN;
		data = rc_vdup(id->id);
		break;

	case RCT_IDT_KEYID:
		*id_type = IKEV2_ID_KEY_ID;
		if (id->idqual == RCT_IDQ_TAG)
			data = rc_vdup(id->id);
		else {
			/* read file */
			const char *filename;

			filename = rc_vmem2str(id->id);
			if (!filename) {
				isakmp_log(0, 0, 0, 0,
					   PLOG_INTERR, PLOGLOC,
					   "failed obtaining filename string\n");
				return 0;
			}
			/*
			 * NOTE(review): no rc_safefile() check precedes this
			 * read, unlike the X509_SUBJECT case below; presumably
			 * rcf_readfile() vets the file itself (its third
			 * argument is 0 here but 1 in the pre-shared-key
			 * readers) -- confirm.
			 */
			data = rcf_readfile(filename, PLOGLOC, 0);
			if (!data)
				return 0;	/* rcf_readfile() spits error messages */
		}
		break;

#ifdef HAVE_SIGNING_C
	case RCT_IDT_X509_SUBJECT:
		/* read cert from file and extract subjectName */
		{
			const char *filename;
			int err;
			rc_vchar_t *cert;

			filename = rc_vmem2str(id->id);
			if (!filename) {
				isakmp_log(0, 0, 0, 0,
					   PLOG_INTERR, PLOGLOC,
					   "failed obtaining filename string\n");
				return 0;
			}
			/* vet the file (see safefile.h) before parsing it; -1 is an access error, >0 a safety code */
			err = rc_safefile(filename, FALSE);
			if (err == -1) {
				isakmp_log(0, 0, 0, 0,
					   PLOG_INTERR, PLOGLOC,
					   "failed accessing file %s: %s\n",
					   filename, strerror(errno));
				return 0;
			} else if (err != 0) {
				isakmp_log(0, 0, 0, 0,
					   PLOG_INTERR, PLOGLOC,
					   "file %s is not safe, code %d: %s\n",
					   filename, err,
					   rc_safefile_strerror(err));
				return 0;
			}
			cert = eay_get_x509cert(filename);
			if (!cert) {
				isakmp_log(0, 0, 0, 0,
					   PLOG_INTERR, PLOGLOC,
					   "failed reading cert (%s)\n",
					   filename);
				return 0;
			}
			data = eay_get_x509asn1subjectname(cert);
			rc_vfree(cert);
			if (!data) {
				isakmp_log(0, 0, 0, 0,
					   PLOG_INTERR, PLOGLOC,
					   "failed obtaining subjectName from cert (%s)\n",
					   filename);
				return 0;
			}
			*id_type = IKEV2_ID_DER_ASN1_DN;
		}
		break;
#endif

	default:
		plog(PLOG_INTERR, PLOGLOC, 0,
		     "unsupported identifier type (%s)\n", rct2str(id->idtype));
		return 0;
	}

	return data;
}
1158
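/*
 * Compare an identity (type rc_id_type, value id_val) with the idlist
 * entry id.  Returns 0 if equal, non-0 otherwise (a type mismatch, an
 * unconvertible entry and unsupported types all count as "not equal").
 *
 *	rc_type		id_val
 *	-------------------
 *	USER_FQDN	string
 *	FQDN		string
 *	IPADDR		binary representation
 *	KEY_ID		arbitrary octets
 *	X509_SUBJECT	DER binary representation
 *
 * The entry's wire form comes from ike_identifier_data() and is always
 * released before returning (the previous code leaked it on the default
 * and non-HAVE_SIGNING_C X509_SUBJECT paths).
 */
int
ike_compare_id(rc_type rc_id_type, rc_vchar_t *id_val, struct rc_idlist *id)
{
	rc_vchar_t *cfg_data;
	int unused_type;
	int cmp = -1;

	if (id == NULL || rc_id_type != id->idtype)
		return -1;

	cfg_data = ike_identifier_data(id, &unused_type);
	if (cfg_data == NULL)
		return -1;

	switch (rc_id_type) {
	case RCT_IDT_USER_FQDN:
	case RCT_IDT_FQDN:
	case RCT_IDT_IPADDR:
	case RCT_IDT_KEYID:
		cmp = rc_vmemcmp(cfg_data, id_val);
		break;

	case RCT_IDT_X509_SUBJECT:
#ifdef HAVE_SIGNING_C
		/* ??? can I use rc_vmemcmp()? */
		cmp = eay_cmp_asn1dn(cfg_data, id_val);
#endif
		break;

	default:
		break;
	}

	rc_vfree(cfg_data);
	return cmp;
}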
1208
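/*
 * Convert an IKEv1 (IPsec DOI) identification payload body, as received
 * from the peer, into the configuration's representation.
 *
 * id_p : payload body beginning with struct ipsecdoi_id_b.
 * type : receives the RCT_IDT_* code, or 0 on failure.
 * Returns a newly allocated buffer holding the identifier data (caller
 * frees), or 0 for an unsupported ID type, a payload shorter than its
 * fixed header, or allocation failure.  Without IKEV1 the call always
 * fails.
 */
rc_vchar_t *
ikev1_id2rct_id(rc_vchar_t *id_p, rc_type *type)
{
#ifdef IKEV1
	struct ipsecdoi_id_b *id_b;
	rc_vchar_t *idbuf = 0;
	size_t id_len;

	*type = 0;

	/*
	 * The length comes off the wire.  Make sure the fixed header is
	 * actually present before subtracting its size; otherwise id_len
	 * would wrap and rc_vnew() would copy far past the buffer.  (If the
	 * payload parser already enforces this the check is merely cheap.)
	 */
	if (id_p == NULL || id_p->l < sizeof(*id_b)) {
		isakmp_log(0, 0, 0, 0,
			   PLOG_PROTOERR, PLOGLOC,
			   "peer id payload too short (%lu bytes)\n",
			   id_p ? (unsigned long)id_p->l : 0UL);
		return 0;
	}
	id_b = (struct ipsecdoi_id_b *)id_p->v;
	id_len = id_p->l - sizeof(*id_b);

	switch (id_b->type) {
	case IPSECDOI_ID_FQDN:
	case IPSECDOI_ID_USER_FQDN:
	case IPSECDOI_ID_KEY_ID:
	case IPSECDOI_ID_DER_ASN1_DN:
	case IPSECDOI_ID_IPV4_ADDR:
#ifdef INET6
	case IPSECDOI_ID_IPV6_ADDR:
#endif
		*type = ikev1_id_to_rc(id_b->type);
		idbuf = rc_vnew((uint8_t *)(id_b + 1), id_len);
		break;

	case IPSECDOI_ID_DER_ASN1_GN:
	default:
		isakmp_log(0, 0, 0, 0,
			   PLOG_PROTOERR, PLOGLOC,
			   "peer id (type %d) is unsupported\n",
			   id_b->type);
		return 0;
	}

	return idbuf;
#else
	*type = 0;
	return 0;
#endif
}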
1250
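/*
 * Convert an IKEv2 identification payload (peer supplied) into the racoon2
 * identifier type plus a private copy of the identifier octets.
 *
 * payl   the ID payload, generic header first
 * type   receives the RCT_IDT_* type, or 0 when nothing usable was found
 *
 * Returns a newly allocated buffer (caller frees) or NULL; whenever NULL is
 * returned *type is 0, so callers may test either.
 */
rc_vchar_t *
ikev2_id2rct_id(struct ikev2_payload_header *payl, rc_type *type)
{
	struct ikev2payl_ident *id = (struct ikev2payl_ident *)payl;
	rc_vchar_t *idbuf = 0;
	size_t payl_len;
	size_t id_len;
	rc_type rc_id_type = 0;

	/*
	 * The payload length is peer-controlled.  Reject anything shorter
	 * than the fixed ID header before subtracting so id_len cannot wrap;
	 * the generic payload checks may already enforce this, but the test
	 * is cheap and keeps this function safe on its own.
	 */
	payl_len = get_payload_length(id);
	if (payl_len < sizeof(struct ikev2payl_ident)) {
		isakmp_log(0, 0, 0, 0,
			   PLOG_PROTOERR, PLOGLOC,
			   "peer id payload too short (%lu bytes)\n",
			   (unsigned long)payl_len);
		*type = 0;
		return 0;
	}
	id_len = payl_len - sizeof(struct ikev2payl_ident);

	switch (id->id_h.id_type) {
	case IKEV2_ID_RFC822_ADDR:
	case IKEV2_ID_FQDN:
	case IKEV2_ID_KEY_ID:
	case IKEV2_ID_DER_ASN1_DN:
	case IKEV2_ID_IPV4_ADDR:
#ifdef INET6
	case IKEV2_ID_IPV6_ADDR:
#endif
		rc_id_type = ikev2_id_to_rc(id->id_h.id_type);
		idbuf = rc_vnew((uint8_t *)(id + 1), id_len);
		if (!idbuf) {
			/* out of memory: report "no id" rather than a valid
			 * type with a NULL buffer */
			*type = 0;
			return 0;
		}
		break;

	case IKEV2_ID_DER_ASN1_GN:
	default:
		isakmp_log(0, 0, 0, 0,
			   PLOG_PROTOERR, PLOGLOC,
			   "peer id (type %d) is unsupported\n",
			   id->id_h.id_type);
		*type = 0;
		return 0;
	}

	*type = rc_id_type;
	return idbuf;
}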
1288
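/*
 * Render datalen bytes as lower-case hex into buf (always NUL-terminated
 * when bufsiz > 0).  When the buffer is too small the output ends with
 * "..." -- itself cut short when fewer than 4 bytes of room remain.
 *
 * buf/bufsiz   destination and its full size, terminator included
 * data/datalen bytes to dump
 */
void
ike_hexdump(char *buf, size_t bufsiz, uint8_t *data, size_t datalen)
{
	char *bufptr = buf;
	size_t buflen = bufsiz;

	/* a zero-sized buffer has no room even for the terminator */
	if (bufsiz == 0)
		return;

	bufptr[0] = '\0';
	while (datalen > 0) {
		/*
		 * This byte needs 2 digits + NUL.  If more bytes follow and
		 * only 3 or 4 bytes of room remain, they cannot fit either way,
		 * so signal truncation now instead of emitting a partial dump.
		 */
		if (buflen < 3 || (buflen <= 4 && datalen > 1)) {
			snprintf(bufptr, buflen, "...");
			break;
		}
		snprintf(bufptr, buflen, "%02x", *data);
		++data;
		--datalen;
		buflen -= 2;
		bufptr += 2;
	}
}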
1310
/*
 * Human-readable rendering of an identifier for log output.
 *
 * rc_id_type  RCT_IDT_* type of id_data
 * id_data     identifier octets (see the table above ike_compare_id())
 *
 * Returns a string in storage owned by the helper that produced it
 * (rc_vmem2str(), rcs_sa2str_wop() or an rbuf_getlb() buffer); use it
 * immediately, do not keep the pointer.
 */
const char *
ike_id_str(rc_type rc_id_type, rc_vchar_t *id_data)
{
	struct sockaddr_storage ss;
	rc_vchar_t *lbuf;

	/* textual identifiers are printed as they are */
	if (rc_id_type == RCT_IDT_USER_FQDN || rc_id_type == RCT_IDT_FQDN)
		return rc_vmem2str(id_data);

	if (rc_id_type == RCT_IDT_IPADDR) {
		/* the address family is inferred from the length alone */
		if (id_data->l == sizeof(struct in_addr)) {
			struct sockaddr_in *sin = (struct sockaddr_in *)&ss;

			memset(sin, 0, sizeof(*sin));
			SOCKADDR_FAMILY(&ss) = AF_INET;
			SET_SOCKADDR_LEN(&ss, sizeof(*sin));
			memcpy(&sin->sin_addr, id_data->v, sizeof(struct in_addr));
		} else if (id_data->l == sizeof(struct in6_addr)) {
			struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&ss;

			memset(sin6, 0, sizeof(*sin6));
			SOCKADDR_FAMILY(&ss) = AF_INET6;
			SET_SOCKADDR_LEN(&ss, sizeof(*sin6));
			memcpy(&sin6->sin6_addr, id_data->v, sizeof(struct in6_addr));
		} else {
			return "(unknown format)";
		}
		return rcs_sa2str_wop((struct sockaddr *)&ss);
	}

	/* KEY_ID, X.509 subject DN and anything else: hex dump into a
	 * log buffer obtained from rbuf_getlb() */
	lbuf = rbuf_getlb();
	ike_hexdump(lbuf->v, lbuf->l, (uint8_t *)id_data->v, id_data->l);
	return lbuf->v;
}
1358
1359 #ifdef DEBUG
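/*
 * Debug helper: log an IKEv2 ID payload as "msg: <id>", or as a raw hex
 * dump when the ID type is not one we understand.
 */
void
ikev2_id_dump(char *msg, struct ikev2_payload_header *id_p)
{
	rc_type rc_id_type;
	rc_vchar_t *idbuf;

	idbuf = ikev2_id2rct_id(id_p, &rc_id_type);
	if (rc_id_type == 0) {
		rc_vchar_t *lbuf;

		TRACE((PLOGLOC, "unknown ID type"));
		lbuf = rbuf_getlb();
		ike_hexdump(lbuf->v, lbuf->l,
			    (uint8_t *)(id_p + 1), get_payload_data_length(id_p));
		TRACE((PLOGLOC, "%s\n", lbuf->v));
	} else if (!idbuf) {
		/* known type but no copy of the data (allocation failure);
		 * ike_id_str() must not be handed a NULL buffer */
		TRACE((PLOGLOC, "%s: (no id data)\n", msg));
	} else {
		TRACE((PLOGLOC, "%s: %s\n",
		       msg, ike_id_str(rc_id_type, idbuf)));
	}

	/* ikev2_id2rct_id() returns a private copy; the old code leaked it */
	if (idbuf)
		rc_vfree(idbuf);
}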
1380 #endif
1381
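/*
 * Look up the remote configuration whose peer id matches an IKEv1 ID
 * payload body.  Returns the remote config or NULL when none matches or
 * the ID cannot be parsed.
 */
struct rcf_remote *
ikev1_conf_find_by_id(rc_vchar_t *id_p)
{
	rc_type rc_id_type;
	rc_vchar_t *idbuf;
	struct rcf_remote *result = 0;

	idbuf = ikev1_id2rct_id(id_p, &rc_id_type);
	/* require both: a type with no buffer (allocation failure) would hand
	 * NULL to ike_compare_id() via rcf_get_remotebypeersid() */
	if (!rc_id_type || !idbuf)
		goto end;

	(void)rcf_get_remotebypeersid(rc_id_type, idbuf, RCT_KMP_IKEV1,
				      ike_compare_id, &result);

end:
	if (idbuf)
		rc_vfree(idbuf);
	return result;
}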
1401
/*
 * Look up the remote configuration whose peer id matches an IKEv2 ID
 * payload.  Returns the remote config or NULL when none matches or the ID
 * cannot be parsed.
 */
struct rcf_remote *
ikev2_conf_find_by_id(struct ikev2_payload_header *payl)
{
	struct rcf_remote *result = 0;
	rc_type rc_id_type;
	rc_vchar_t *idbuf;

	idbuf = ikev2_id2rct_id(payl, &rc_id_type);
	if (idbuf) {
		/* the return value is ignored; result tells us what was found */
		(void)rcf_get_remotebypeersid(rc_id_type, idbuf, RCT_KMP_IKEV2,
					      ike_compare_id, &result);
		rc_vfree(idbuf);
	}
	return result;
}
1421
1422 /*
1423 * How the responder find the appropriate traffic selector
1424 *
1425 * Let a TS be a sequence {TSi} for i=0..N-1
1426 * where TSi is a tuple of {addrrange, {proto or ANYPROTO}, portrange}
1427 *
1428 * requirements from the draft:
1429 *
1430 * 1. single range (N=1)
1431 * if TS0 is acceptable
1432 * then
1433 * choose TS0
1434 * else if policy is a subset of TS0
1435 * best guess
1436 * or reject with SINGLE_PAIR_REQUIRED
1437 * else fail
1438 *
1439 * ?.
1440 * if responder's policy contains multiple smaller ranges
1441 * and all encompassed by TS
 * and policy being that each of those ranges should be sent over a different SA
1443 * then
1444 * best guess
1445 * or reject with SINGLE_PAIR_REQUIRED
1446 * else ...
1447 *
1448 * 2. specific+range (N>1?)
1449 * if TS0 is specific and TS0 is a subset of TS1
1450 * then
1451 * if TS1 is acceptable
1452 * then choose TS1
1453 * else if TS0 is acceptable
1454 * then
1455 * MUST narrow to a subset that includes TS0
1456 * else fail
1457 * else .... {case 3}
1458 *
1459 * 3. generic range (N>0)
1460 * choose a subset of traffic
1461 * if more than one subset is acceptable but union is not
1462 * then
1463 * MUST accept some subset
1464 * MAY include ADDITIONAL_TS_POSSIBLE
1465 * else if one subset is acceptable
1466 * then choose it
1467 * else fail
1468 */
1469
1470 /*
1471 * strategy for racoon2:
1472 *
1473 * handle these cases:
1474 * 1. ranges
1475 * 2. specific+ranges
1476 *
1477 * if TS payload starts with a specific TS, and it is covered by my selector,
1478 * or if TS payload does not start with a specific TS
1479 * then
1480 * see if one of ranges contain my selector, so that it can be narrowed
1481 *
1482 * the TS payload which the responder returns to initiator is always
1483 * generated from configuration selector.
1484 *
1485 * SINGLE_PAIR_REQUIRED or ADDITIONAL_TS_POSSIBLE are never generated.
1486 */
1487
/* prefix length of an address-list entry */
int
addr_prefixlen(struct rc_addrlist *addr)
{
	return addr->prefixlen;
}
1496
1497 static int compare_bits(uint8_t *, uint8_t *, int) GCC_ATTRIBUTE((unused));
1498
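/*
 * Compare the leading bitlen bits of a and b (most significant bit of each
 * byte first, as in a network prefix).  Returns TRUE when they are equal;
 * bitlen <= 0 is trivially equal.  The caller must make sure bitlen does not
 * exceed the length of either buffer.
 */
static int
compare_bits(uint8_t *a, uint8_t *b, int bitlen)
{
	const int CHARBITS = 8;
	unsigned int mask;

	for (; bitlen > 0; a++, b++, bitlen -= CHARBITS) {
		if (bitlen < CHARBITS) {
			/* partial byte: keep only the top bitlen bits.  Built
			 * in unsigned arithmetic -- left-shifting -1 is
			 * undefined in C. */
			mask = (0xFFu << (CHARBITS - bitlen)) & 0xFFu;
			return ((*a ^ *b) & mask) == 0 ? TRUE : FALSE;
		}
		if (*a != *b)
			return FALSE;
	}
	return TRUE;
}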
1514
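/*
 * TRUE when addr lies in netaddr/prefixlen (IPv4).  prefixlen <= 0 matches
 * everything, prefixlen >= 32 compares the whole address; both avoid
 * shifting by a count outside 0..31, which is undefined.
 */
int
sockaddr_in_compare_with_prefix(struct sockaddr_in *addr,
				struct sockaddr_in *netaddr,
				int prefixlen)
{
	uint32_t mask;

	if (prefixlen <= 0)
		return TRUE;
	if (prefixlen >= 32)
		mask = 0xFFFFFFFFu;
	else
		mask = 0xFFFFFFFFu << (32 - prefixlen);
	if ((ntohl(addr->sin_addr.s_addr ^ netaddr->sin_addr.s_addr) & mask) == 0)
		return TRUE;
	return FALSE;
}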
1527
1528 #ifdef INET6
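/*
 * TRUE when addr lies in netaddr/prefixlen (IPv6).  compare_bits() walks
 * one byte per 8 bits of prefix, so a prefix longer than the address would
 * read past s6_addr; clamp it to 128 first.
 */
int
sockaddr_in6_compare_with_prefix(struct sockaddr_in6 *addr,
				 struct sockaddr_in6 *netaddr,
				 int prefixlen)
{
	const int maxbits = sizeof(struct in6_addr) * CHAR_BIT;

	if (prefixlen > maxbits)
		prefixlen = maxbits;
	return compare_bits(&addr->sin6_addr.s6_addr[0],
			    &netaddr->sin6_addr.s6_addr[0], prefixlen);
}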
1537 #endif
1538
/*
 * TRUE when addr lies in netaddr/prefixlen; the two addresses must be of
 * the same (supported) family, otherwise FALSE.
 */
int
sockaddr_compare_with_prefix(struct sockaddr *addr,
			     struct sockaddr *netaddr,
			     int prefixlen)
{
	int family = addr->sa_family;

	if (family != netaddr->sa_family)
		return FALSE;

	if (family == AF_INET)
		return sockaddr_in_compare_with_prefix((struct sockaddr_in *)addr,
						       (struct sockaddr_in *)netaddr,
						       prefixlen);
#ifdef INET6
	if (family == AF_INET6)
		return sockaddr_in6_compare_with_prefix((struct sockaddr_in6 *)addr,
							(struct sockaddr_in6 *)netaddr,
							prefixlen);
#endif

	isakmp_log(0, 0, 0, 0,
		   PLOG_INTERR, PLOGLOC,
		   "unsupported address family (%d)\n",
		   addr->sa_family);
	return FALSE;
}
1568
1569 /*
1570 * returns TRUE if matches, FALSE otherwise
1571 */
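/*
 * TRUE when the range [start_addr, end_addr] (network byte order) is
 * exactly the network addr/prefixlen, FALSE otherwise (including when addr
 * is not IPv4).  prefixlen outside 0..32 is treated as the nearest bound so
 * the shift count stays defined.
 */
static int
match_addr_ipv4(struct sockaddr *addr, int prefixlen,
		uint8_t *start_addr, uint8_t *end_addr)
{
	struct sockaddr_in *sin = (struct sockaddr_in *)addr;
	uint32_t a, s, e;
	uint32_t bits;		/* host bits of the prefix */

	if (sin->sin_family != AF_INET)
		return FALSE;
	a = ntohl(sin->sin_addr.s_addr);
	s = get_uint32((uint32_t *)start_addr);
	e = get_uint32((uint32_t *)end_addr);
	if (prefixlen <= 0)
		bits = 0xFFFFFFFFu;
	else if (prefixlen >= 32)
		bits = 0;
	else
		bits = ((uint32_t)1 << (32 - prefixlen)) - 1;
	/* start must be the network address, end the broadcast address */
	return (s == (a & ~bits) && (a | bits) == e);
}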
1591
1592 #ifdef INET6
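/*
 * TRUE when the range [start_addr, end_addr] is exactly the network
 * addr/prefixlen (IPv6), FALSE otherwise (including when addr is not IPv6).
 */
static int
match_addr_ipv6(struct sockaddr *addr, int prefixlen,
		uint8_t *start_addr, uint8_t *end_addr)
{
	struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)addr;
	uint8_t *a, *s, *e;
	int i;
	unsigned int bits;	/* network-bit mask of byte i */
	const int BITS = 8; /* CHAR_BITS; */

	if (sin6->sin6_family != AF_INET6)
		return FALSE;
	a = (uint8_t *)&sin6->sin6_addr;
	s = start_addr;
	e = end_addr;
	for (i = 0; (size_t)i < sizeof(struct in6_addr); ++i) {
		if (prefixlen >= BITS * (i + 1)) {
			bits = 0xFF;
		} else if (prefixlen > BITS * i) {
			/* partial byte: top (prefixlen - 8*i) bits, built in
			 * unsigned arithmetic -- shifting -1 is undefined */
			bits = (0xFFu << (BITS * (i + 1) - prefixlen)) & 0xFFu;
		} else {
			bits = 0;
		}
		/* start must carry the network bits with host bits clear,
		 * end the network bits with host bits set */
		if ((a[i] & bits) != s[i] || (a[i] | (~bits & 0xff)) != e[i])
			return FALSE;
	}
	return TRUE;
}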
1622 #endif
1623
1624 static int addr_match(int, struct sockaddr *, int, uint8_t *, uint8_t *)
1625 GCC_ATTRIBUTE((unused));
1626
/*
 * Dispatch on the traffic selector type: TRUE when [start_addr, end_addr]
 * is exactly addr/prefixlen, FALSE for any other or unknown type.
 */
static int
addr_match(int type, struct sockaddr *addr, int prefixlen,
	   uint8_t *start_addr, uint8_t *end_addr)
{
	if (type == IKEV2_TS_IPV4_ADDR_RANGE)
		return match_addr_ipv4(addr, prefixlen, start_addr, end_addr);
#ifdef INET6
	if (type == IKEV2_TS_IPV6_ADDR_RANGE)
		return match_addr_ipv6(addr, prefixlen, start_addr, end_addr);
#endif
	return FALSE;
}
1642
/*
 * Port of an IPv4/IPv6 sockaddr in host order.  For any other family the
 * value is -1 converted to uint (i.e. UINT_MAX); the callers visible in this
 * file check the family before calling, so that path is not expected.
 */
static uint
sockaddr_port(struct sockaddr *addr)
{
	int family = SOCKADDR_FAMILY(addr);

	if (family == AF_INET)
		return ntohs(((struct sockaddr_in *)addr)->sin_port);
#ifdef INET6
	if (family == AF_INET6)
		return ntohs(((struct sockaddr_in6 *)addr)->sin6_port);
#endif
	return -1; /* shouldn't happen */
}
1657
1658 /*
1659 * returns TRUE if the traffic selector is non-ambiguous
1660 */
1661 static int ts_is_specific(struct ikev2_traffic_selector *ts);
1662
/*
 * TRUE when the selector names exactly one flow: a single address, a
 * concrete protocol and (for protocols that carry ports) a single port.
 * Assumes the payload was already validated by ikev2_check_ts_payload().
 */
static int
ts_is_specific(struct ikev2_traffic_selector *ts)
{
	unsigned int sport = get_uint16(&ts->start_port);
	unsigned int eport = get_uint16(&ts->end_port);
	unsigned int addrsiz = ikev2_ts_addr_size(ts->ts_type);
	uint8_t *saddr = (uint8_t *)(ts + 1);
	uint8_t *eaddr = saddr + addrsiz;

	/* a range of addresses is never specific */
	if (memcmp(saddr, eaddr, addrsiz) != 0)
		return FALSE;

	switch (ts->protocol_id) {
	case IKEV2_TS_PROTO_ANY:
		return FALSE;
	case IPPROTO_TCP:
	case IPPROTO_UDP:
	case IPPROTO_ICMP:
	case IPPROTO_ICMPV6:
	case IPPROTO_SCTP:
	case IPPROTO_MH:
		/* port-carrying protocols need a single port */
		return sport == eport ? TRUE : FALSE;
	default:
		/* other protocols have no ports; anything but "any" is odd */
		return IKEV2_TS_PORT_IS_ANY(sport, eport) ? TRUE : FALSE; /* ??? */
	}
}
1699
1700 /*
1701 * returns TRUE if a TS0 is within TS1
1702 */
1703 static int ts_within(struct ikev2_traffic_selector *,
1704 struct ikev2_traffic_selector *) GCC_ATTRIBUTE((unused));
1705
/*
 * TRUE when ts0 is a subset of ts1: same address type, ts1's protocol is
 * "any" or identical, and both the port range and the address range of ts0
 * are nested in ts1's.
 */
static int
ts_within(struct ikev2_traffic_selector *ts0,
	  struct ikev2_traffic_selector *ts1)
{
	unsigned int addrsiz;
	uint8_t *saddr0, *eaddr0, *saddr1, *eaddr1;
	uint16_t sport0, eport0, sport1, eport1;

	if (ts0->ts_type != ts1->ts_type)
		return FALSE;

	if (ts1->protocol_id != IKEV2_TS_PROTO_ANY
	    && ts0->protocol_id != ts1->protocol_id)
		return FALSE;

	/* sport1 <= sport0 && eport0 <= eport1 */
	sport0 = get_uint16(&ts0->start_port);
	eport0 = get_uint16(&ts0->end_port);
	sport1 = get_uint16(&ts1->start_port);
	eport1 = get_uint16(&ts1->end_port);
	if (sport0 < sport1 || eport0 > eport1)
		return FALSE;

	/* saddr1 <= saddr0 && eaddr0 <= eaddr1; addresses are big-endian so
	 * memcmp() orders them numerically */
	addrsiz = ikev2_ts_addr_size(ts0->ts_type);
	saddr0 = (uint8_t *)(ts0 + 1);
	eaddr0 = saddr0 + addrsiz;
	saddr1 = (uint8_t *)(ts1 + 1);
	eaddr1 = saddr1 + addrsiz;
	if (memcmp(saddr0, saddr1, addrsiz) < 0
	    || memcmp(eaddr0, eaddr1, addrsiz) > 0)
		return FALSE;

	return TRUE;
}
1742
1743 /*
1744 * returns TRUE if one TS range is within addr/prefix
1745 */
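/*
 * TRUE when the single selector ts lies inside the configured addr/prefix:
 * address type matches the family, the protocol matches (proto may be
 * IKEV2_TS_PROTO_ANY), the start/end addresses are inside the network and
 * the port is either unconstrained in the config (port 0) or the selector
 * names exactly that port.
 *
 * Only the prefix bytes are examined, byte by byte; the selector is
 * expected to be well-formed (start <= end) from ikev2_check_ts_payload().
 */
static int
ts_is_within_addr(struct ikev2_traffic_selector *ts, int proto,
		  struct sockaddr *addr, int prefixlen)
{
	uint8_t *saddr, *eaddr;
	uint8_t *addrptr;
	int addrsiz;
	int i;
	unsigned int bits;
	unsigned int sport, eport;
	unsigned int port;

	/* ts_type / sa_family */
	switch (ts->ts_type) {
	case IKEV2_TS_IPV4_ADDR_RANGE:
		if (addr->sa_family != AF_INET)
			return FALSE;
		break;
	case IKEV2_TS_IPV6_ADDR_RANGE:
		if (addr->sa_family != AF_INET6)
			return FALSE;
		break;
	default:
		return FALSE;
	}

	/* protocol_id / proto */
	if (!(proto == IKEV2_TS_PROTO_ANY ||
	      ts->protocol_id == proto))
		return FALSE;

	/* addr */
	switch (addr->sa_family) {
	case AF_INET:
		addrptr = (uint8_t *)&((struct sockaddr_in *)addr)->sin_addr;
		break;
	case AF_INET6:
		addrptr = (uint8_t *)&((struct sockaddr_in6 *)addr)->sin6_addr;
		break;
	default: /* shouldn't happen */
		return FALSE;
	}
	addrsiz = ikev2_ts_addr_size(ts->ts_type);
	saddr = (uint8_t *)(ts + 1);
	eaddr = saddr + addrsiz;
	assert(prefixlen >= 0);
	/* never walk past the address */
	if (prefixlen > addrsiz * CHAR_BIT)
		prefixlen = addrsiz * CHAR_BIT;
	for (i = 0; i < (prefixlen + CHAR_BIT - 1) / CHAR_BIT; ++i) {
		if (prefixlen >= CHAR_BIT * (i + 1)) {
			bits = 0xFF;
		} else if (prefixlen > CHAR_BIT * i) {
			/* partial byte: top bits only, computed unsigned --
			 * left-shifting -1 is undefined in C */
			bits = (0xFFu << (CHAR_BIT * (i + 1) - prefixlen)) & 0xFFu;
		} else {
			bits = 0;
		}
		if (saddr[i] >= (addrptr[i] & bits) &&
		    eaddr[i] <= (addrptr[i] | (~bits & 0xff)))
			continue;
		return FALSE;
	}

	/* port */
	sport = get_uint16(&ts->start_port);
	eport = get_uint16(&ts->end_port);
	port = sockaddr_port(addr);
	if (!(port == 0 ||
	      (sport == port && eport == port)))
		return FALSE;

	return TRUE;

}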
1821
1822 /*
1823 * returns TRUE if TS range contains addr/prefix
1824 */
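/*
 * TRUE when the selector ts covers the configured addr/prefix: address type
 * matches the family, the selector's protocol is "any" or equal to proto,
 * the prefix bytes of the network lie between start and end, and the
 * configured port lies in the selector's port range.
 *
 * NOTE(review): the address test is per byte over the prefix bytes only --
 * it is not a full lexicographic range comparison and never looks at the
 * bytes past the prefix, so a selector whose end address stops short of the
 * network's last address still passes, and a selector whose start is below
 * the network in an earlier byte but above it in a later one is rejected.
 * The responder's narrowing strategy (see ts_match()) may rely on the
 * current outcome, so it is left as is; confirm before tightening.
 */
static int
ts_contains_addr(struct ikev2_traffic_selector *ts, int proto,
		 struct sockaddr *addr, int prefixlen)
{
	uint8_t *saddr, *eaddr;
	uint8_t *addrptr;
	int addrsiz;
	int i;
	unsigned int bits;
	unsigned int sport, eport;
	unsigned int port;

	/* ts_type / sa_family */
	switch (ts->ts_type) {
	case IKEV2_TS_IPV4_ADDR_RANGE:
		if (addr->sa_family != AF_INET)
			return FALSE;
		break;
	case IKEV2_TS_IPV6_ADDR_RANGE:
		if (addr->sa_family != AF_INET6)
			return FALSE;
		break;
	default:
		return FALSE;
	}

	/* protocol_id / proto */
	if (!(ts->protocol_id == IKEV2_TS_PROTO_ANY ||
	      ts->protocol_id == proto))
		return FALSE;

	/* addr */
	switch (addr->sa_family) {
	case AF_INET:
		addrptr = (uint8_t *)&((struct sockaddr_in *)addr)->sin_addr;
		break;
	case AF_INET6:
		addrptr = (uint8_t *)&((struct sockaddr_in6 *)addr)->sin6_addr;
		break;
	default: /* shouldn't happen */
		return FALSE;
	}
	addrsiz = ikev2_ts_addr_size(ts->ts_type);
	saddr = (uint8_t *)(ts + 1);
	eaddr = saddr + addrsiz;
	/* never walk past the address (same clamp as ts_is_within_addr()) */
	if (prefixlen > addrsiz * CHAR_BIT)
		prefixlen = addrsiz * CHAR_BIT;
	for (i = 0; i < (prefixlen + CHAR_BIT - 1) / CHAR_BIT; ++i) {
		if (prefixlen >= CHAR_BIT * (i + 1)) {
			bits = 0xFF;
		} else if (prefixlen > CHAR_BIT * i) {
			/* partial byte: top bits only, computed unsigned --
			 * left-shifting -1 is undefined in C */
			bits = (0xFFu << (CHAR_BIT * (i + 1) - prefixlen)) & 0xFFu;
		} else {
			bits = 0;
		}
		if (saddr[i] <= (addrptr[i] & bits)
		    && eaddr[i] >= (addrptr[i] | (~bits & 0xff)))
			continue;
		return FALSE;
	}

	/* port: a configured port of 0 ("any") only passes when sport is 0 */
	sport = get_uint16(&ts->start_port);
	eport = get_uint16(&ts->end_port);
	port = sockaddr_port(addr);
	if (!(sport <= port && port <= eport))
		return FALSE;

	return TRUE;

}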
1896
1897 /*
1898 * see whether traffic selectors are acceptable in accord with the config
1899 * compare UNION(TS[i], i = 0..N) with conf(addr, prefixlen, port, proto)
1900 */
/*
 * see whether traffic selectors are acceptable in accord with the config
 * compare UNION(TS[i], i = 0..N) with conf(addr, prefixlen, port, proto)
 *
 * Returns TRUE when some selector in the list covers addr/prefix (so the
 * response can be narrowed to addr/prefix), FALSE otherwise.
 */
static int
ts_is_matching(struct ikev2_traffic_selector *ts0, int num_ts,
	       unsigned int proto, struct sockaddr *addr, int prefixlen)
{
	struct ikev2_traffic_selector *ts = ts0;
	int i;

	/* assume ikev2_check_ts_payload() was called already */
	TRACE((PLOGLOC, "num_ts %d\n", num_ts));
	if (num_ts <= 0)
		return FALSE;

	/*
	 * A specific first selector (single address, port and protocol) that
	 * falls outside addr/prefix can never be narrowed to it: give up.
	 * A non-specific first selector just means "look at all of them".
	 */
	if (ts_is_specific(ts0) &&
	    !ts_is_within_addr(ts0, proto, addr, prefixlen)) {
		TRACE((PLOGLOC, "failed\n"));
		return FALSE;
	}

	/* the first selector that covers addr/prefix lets us narrow to it */
	for (i = 0; i < num_ts; ++i) {
		TRACE((PLOGLOC, "checking %d\n", i));
		if (ts_contains_addr(ts, proto, addr, prefixlen)) {
			TRACE((PLOGLOC,
			       "ts %d contains %s prefixlen %d\n",
			       i, rcs_sa2str(addr), prefixlen));
			return TRUE;
		}
		/* selector_length covers the TS header and both addresses */
		ts = (struct ikev2_traffic_selector *)
			((uint8_t *)ts + get_uint16(&ts->selector_length));
	}

	TRACE((PLOGLOC, "failed\n"));
	return FALSE;
}
1940
/*
 * ts_is_matching() over the selectors of a whole TS payload: the selector
 * list starts right after the payload header and num_ts comes from it.
 */
static int
ts_payload_is_matching(struct ikev2payl_traffic_selector *ts_payload,
		       unsigned int proto, struct sockaddr *addr, int prefixlen)
{
	struct ikev2_traffic_selector *first;
	int count;

	first = (struct ikev2_traffic_selector *)(ts_payload + 1);
	count = ts_payload->tsh.num_ts;
	return ts_is_matching(first, count, proto, addr, prefixlen);
}
1948
1949 /*
1950 * returns adequate TS in vmbuf
1951 *
1952 * currently, returning TS is created from proto/addr/prefixlen
1953 * ignoring peer's TS (assuming it is checked by ts_payload_is_matching())
1954 */
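/*
 * Build the traffic selector to send back, as a TS payload body (ts header
 * followed by exactly one selector) in a new vmbuf.
 *
 * The selector is generated from proto/addr/prefixlen alone: ts and num_ts
 * are accepted for symmetry with the matching functions but ignored, on the
 * assumption that ts_payload_is_matching() already accepted the peer's TS.
 * A port of 0 in addr means "any" (0-65535); otherwise that single port.
 *
 * Returns NULL for an unsupported address family or when allocation fails.
 */
static rc_vchar_t *
ts_match(struct ikev2payl_traffic_selector *ts, int num_ts,
	 int proto, struct sockaddr *addr, int prefixlen)
{
	uint8_t *addrptr;
	size_t addrsize;
	unsigned int port;
	rc_vchar_t *resultbuf;
	struct ikev2payl_ts_h *r_tsh;
	struct ikev2_traffic_selector *r_ts;
	uint8_t *r_saddr;
	uint8_t *r_eaddr;
	int i;

	switch (addr->sa_family) {
	case AF_INET:
		addrptr = (uint8_t *)&((struct sockaddr_in *)addr)->sin_addr.s_addr;
		addrsize = sizeof(struct in_addr);
		break;
#ifdef INET6
	case AF_INET6:
		addrptr = (uint8_t *)&((struct sockaddr_in6 *)addr)->sin6_addr;
		addrsize = sizeof(struct in6_addr);
		break;
#endif
	default:
		return 0;
	}
	port = sockaddr_port(addr);

	resultbuf = rc_vmalloc(sizeof(struct ikev2payl_ts_h)
			       + sizeof(struct ikev2_traffic_selector)
			       + 2 * addrsize);
	if (!resultbuf)
		return 0;

	r_tsh = (struct ikev2payl_ts_h *)resultbuf->v;
	r_ts = (struct ikev2_traffic_selector *)(resultbuf->v +
						 sizeof(struct ikev2payl_ts_h));
	r_saddr = (uint8_t *)(r_ts + 1);
	r_eaddr = r_saddr + addrsize;

	memset(r_tsh, 0, sizeof(struct ikev2payl_ts_h));
	r_tsh->num_ts = 1;
	switch (addr->sa_family) {
	case AF_INET:
		r_ts->ts_type = IKEV2_TS_IPV4_ADDR_RANGE;
		break;
#ifdef INET6
	case AF_INET6:
		r_ts->ts_type = IKEV2_TS_IPV6_ADDR_RANGE;
		break;
#endif
	}
	r_ts->protocol_id = proto;
	/* selector_length counts this header plus start and end address */
	put_uint16(&r_ts->selector_length,
		   sizeof(struct ikev2_traffic_selector) + 2 * addrsize);
	if (port == 0) {
		put_uint16(&r_ts->start_port, 0);
		put_uint16(&r_ts->end_port, 65535);
	} else {
		put_uint16(&r_ts->start_port, port);
		put_uint16(&r_ts->end_port, port);
	}

	/* start = network address, end = last address of the prefix */
	for (i = 0; i < (int)addrsize; ++i) {
		unsigned int bits;
		const int BITS = CHAR_BIT;
		if (prefixlen >= BITS * (i + 1)) {
			bits = 0xFF;
		} else if (prefixlen > BITS * i) {
			/* partial byte: top bits only, computed unsigned --
			 * left-shifting -1 is undefined in C */
			bits = (0xFFu << (BITS * (i + 1) - prefixlen)) & 0xFFu;
		} else {
			bits = 0;
		}
		r_saddr[i] = addrptr[i] & bits;
		r_eaddr[i] = addrptr[i] | (~bits & 0xff);
	}

	return resultbuf;
}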
2036
2037 /*
2038 * Config payload support
2039 */
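/*
 * Config payload support
 *
 * Turn an address-pool entry into a host sockaddr (/32 or /128).
 *
 * sa         destination; must be large enough for the family (callers in
 *            this file pass a sockaddr_storage)
 * a          the leased address (a->af, a->address)
 * prefixlen  receives 32 or 128
 *
 * For an unknown family the outputs are left in a defined state (family
 * AF_UNSPEC, prefix 0) so a caller that does not check -- the lease loop in
 * ike_conf_find_ikev2sel_by_ts() does not -- cannot read garbage; an
 * AF_UNSPEC address matches no traffic selector.
 */
void
ikev2_cfg_addr2sockaddr(struct sockaddr *sa, struct rcf_address *a, int *prefixlen)
{
	struct sockaddr_in *sin;
	struct sockaddr_in6 *sin6;

	switch (a->af) {
	case AF_INET:
		*prefixlen = 32;
		sin = (struct sockaddr_in *)sa;
		memset(sin, 0, sizeof(*sin));
		sin->sin_family = AF_INET;
		SET_SOCKADDR_LEN(sin, sizeof(*sin));
		memcpy(&sin->sin_addr.s_addr, a->address, sizeof(struct in_addr));
		break;
	case AF_INET6:
		*prefixlen = 128;
		sin6 = (struct sockaddr_in6 *)sa;
		memset(sin6, 0, sizeof(*sin6));
		sin6->sin6_family = AF_INET6;
		SET_SOCKADDR_LEN(sin6, sizeof(*sin6));
		memcpy(&sin6->sin6_addr, a->address, sizeof(struct in6_addr));
		break;
	default:
		/* shouldn't happen */
		TRACE((PLOGLOC, "unknown af %d\n", a->af));
		*prefixlen = 0;
		sa->sa_family = AF_UNSPEC;
		return;
	}
}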
2069
2070
2071 /*
2072 * debug dump Traffic Selectors
2073 */
/*
 * debug dump Traffic Selectors: print msg, then each of the num_ts
 * selectors starting at ts (walked via selector_length)
 */
void
ikev2_dump_traffic_selectors(char *msg,
			     int num_ts,
			     struct ikev2_traffic_selector *ts)
{
	int left = num_ts;

	plog(PLOG_DEBUG, PLOGLOC, 0, "%s\n", msg);
	while (left-- > 0) {
		ikev2_print_ts(ts);
		ts = (struct ikev2_traffic_selector *)
			((uint8_t *)ts + get_uint16(&ts->selector_length));
	}
}
2088
2089 /*
2090 * debug dump Traffic Selector payload (excluding generic header)
2091 */
/*
 * debug dump Traffic Selector payload (excluding generic header):
 * payload_data points at the ts header, the selectors follow it
 */
void
ikev2_dump_traffic_selector_h(char *header, void *payload_data)
{
	struct ikev2payl_ts_h *tsh = (struct ikev2payl_ts_h *)payload_data;
	struct ikev2_traffic_selector *first;

	first = (struct ikev2_traffic_selector *)(tsh + 1);
	ikev2_dump_traffic_selectors(header, tsh->num_ts, first);
}
2102
2103 /*
2104 * debug dump Traffic Selector payload
2105 */
/*
 * debug dump Traffic Selector payload (generic header included)
 */
void
ikev2_dump_ts(char *header, struct ikev2payl_traffic_selector *ts_payload)
{
	struct ikev2_traffic_selector *first;

	first = (struct ikev2_traffic_selector *)(ts_payload + 1);
	ikev2_dump_traffic_selectors(header, ts_payload->tsh.num_ts, first);
}
2113
/* release every selector in the list starting at s (s may be NULL) */
static void
free_selectorlist(struct rcf_selector *s)
{
	while (s != 0) {
		struct rcf_selector *rest = s->next;

		rcf_free_selector(s);
		s = rest;
	}
}
2124
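/*
 * Pick the configured selector that the peer's traffic selectors can be
 * narrowed to, and build the TSi/TSr to send back.
 *
 * ts_remoteside  the peer's TS describing its own side (param->ts_i is built
 *                from it); checked against the selector's dst
 * ts_localside   the peer's TS describing our side (param->ts_r is built
 *                from it); checked against the selector's src
 * child_sa       receives the expanded src/dst address lists of the chosen
 *                selector (ownership passes to child_sa) and, in its
 *                child_param, the response TSi/TSr produced by ts_match()
 * rmconf         the remote configuration the selector must belong to
 *
 * Returns the matching selector (caller owns it; the remainder of the
 * selector list has been freed) or NULL when no outbound auto_ipsec selector
 * of this remote accepts the proposal.  Only the first expanded src/dst
 * address is considered (see the warnings below).
 *
 * When addresses were leased to the peer (child_sa->lease_list non-empty)
 * the selector's dst may expand to nothing; the lease covered by the peer's
 * TS is used instead and every other lease is released.
 */
struct rcf_selector *
ike_conf_find_ikev2sel_by_ts(struct ikev2_payload_header *ts_remoteside,
			     struct ikev2_payload_header *ts_localside,
			     struct ikev2_child_sa *child_sa,
			     struct rcf_remote *rmconf)
{
	/* int contained = 0; */
	struct ikev2_child_param *param = &child_sa->child_param;
	struct ikev2payl_traffic_selector *ts_r;
	struct ikev2payl_traffic_selector *ts_l;
	int src_prefixlen;
	int dst_prefixlen;
	unsigned int upper_layer_protocol;
	struct rcf_selector *s;
	struct rcf_selector *s_next;
	int err;
	struct rc_addrlist *srclist;
	struct rc_addrlist *dstlist;
	rc_type action;
	int local_ok;

	ts_r = (struct ikev2payl_traffic_selector *)ts_remoteside;
	ts_l = (struct ikev2payl_traffic_selector *)ts_localside;

	IF_TRACE( {
		trace_debug(PLOGLOC, "ike_conf_find_ikev2sel_by_ts\n");
		ikev2_dump_ts("remote", ts_r);
		ikev2_dump_ts("local", ts_l);
	});

	if (rcf_get_selectorlist(&s)) {
		TRACE((PLOGLOC, "rcf_get_selectorlist() failed\n"));
		return 0;
	}
	/* each rejected selector is freed as the loop advances */
	for (; s; s_next = s->next, rcf_free_selector(s), s = s_next) {
		assert(s->pl != NULL);
		action = s->pl->action;
		if (!action)
			POLICY_DEFAULT(action, action, 0);
		if (action != RCT_ACT_AUTO_IPSEC)
			continue;

		/* use only if the selector is for the remote node */
		if (! ((s->pl->rm_index == NULL && rmconf->rm_index == NULL) ||
		       (s->pl->rm_index != NULL && rmconf->rm_index != NULL &&
			rc_vmemcmp(s->pl->rm_index, rmconf->rm_index) == 0))) {
			continue;
		}

		if (s->direction != RCT_DIR_OUTBOUND)
			continue;

#ifdef notyet
		/*
		 * if (no corresponding outbound config)
		 *     continue;
		 */
		for (o = rcf_selector_head; o; o = o->next) {
			if (o->direction == RCT_DIR_INBOUND
			    && addrlist_equal(s->src, o->dst)
			    && addrlist_equal(s->dst, o->src))
				break;
		}
		if (!o) {
			TRACE((PLOGLOC,
			       "no corresponding outbound selector\n"));
			continue;
		}
#endif

		/* transport mode selectors only if the peer asked for it */
		if (ike_ipsec_mode(s->pl) == RCT_IPSM_TRANSPORT) {
			if (!param->use_transport_mode)
				continue;
		}

		srclist = dstlist = 0;
		err = rcs_extend_addrlist(s->src, &srclist);
		if (err != 0) {
			isakmp_log(0, 0, 0, 0,
				   PLOG_INTWARN, PLOGLOC,
				   "expanding src address of selector %s: %s\n",
				   rc_vmem2str(s->sl_index), gai_strerror(err));
			goto next_selector;
		}
		if (!srclist) {
			TRACE((PLOGLOC, "empty srclist\n"));
			goto next_selector;
		}

		err = rcs_extend_addrlist(s->dst, &dstlist);
		if (err != 0) {
			isakmp_log(0, 0, 0, 0,
				   PLOG_INTWARN, PLOGLOC,
				   "expanding dst address of selector %s: %s\n",
				   rc_vmem2str(s->sl_index), gai_strerror(err));
			goto next_selector;
		}
		/* an empty dst is acceptable only when leased addresses
		 * stand in for it */
		if (!dstlist) {
			if (LIST_EMPTY(&child_sa->lease_list)) {
				TRACE((PLOGLOC, "empty dstlist\n"));
				goto next_selector;
			}
		}
		/*
		else if (! LIST_EMPTY(&child_sa->lease_list)
			 && ) {
			TRACE((PLOGLOC, "skipping non-empty dst selector\n"));
			goto next_selector;
		}
		*/
		assert(dstlist ||
		       (!dstlist && !LIST_EMPTY(&child_sa->lease_list)));

#if 0 /* it looks like spmd uses only the first address of expanded addresses */
		upper_layer_protocol = s->upper_layer_protocol;
		if (upper_layer_protocol == RC_PROTO_ANY)
			upper_layer_protocol = IKEV2_TS_PROTO_ANY;

		for (src = srclist; src; src = src->next) {
			if (ts_payload_is_matching(ts_r,
						   upper_layer_protocol,
						   src->a.ipaddr,
						   src->prefixlen)) {
				for (dst = dstlist; dst; dst = dst->next) {
					if (ts_payload_is_matching(ts_i,
								   upper_layer_protocol,
								   dst->a.ipaddr,
								   dst->prefixlen)) {
						goto found;
					}
				}
			}
		}

		continue;

	found:
		...;
#else
		/* dstlist may legitimately be NULL here (lease case above);
		 * the old code dereferenced it unconditionally */
		if (srclist && srclist->next) {
			plog(PLOG_INTWARN, PLOGLOC, 0,
			     "selector %s src is ambiguous, using the first one of the expanded addresses\n",
			     rc_vmem2str(s->sl_index));
		}
		if (dstlist && dstlist->next) {
			plog(PLOG_INTWARN, PLOGLOC, 0,
			     "selector %s dst is ambiguous, using the first one of the expanded addresses\n",
			     rc_vmem2str(s->sl_index));
		}
#endif

		/*
		 * see whether the TS is acceptable for this selector
		 */
		src_prefixlen = srclist ? addr_prefixlen(srclist) : 0;
		dst_prefixlen = dstlist ? addr_prefixlen(dstlist) : 0;
		upper_layer_protocol = s->upper_layer_protocol;
		if (upper_layer_protocol == RC_PROTO_ANY)
			upper_layer_protocol = IKEV2_TS_PROTO_ANY;

		/* our side must be covered whichever way the remote side
		 * is resolved */
		local_ok = ts_payload_is_matching(ts_l,
						  upper_layer_protocol,
						  srclist->a.ipaddr,
						  src_prefixlen);
		if (!local_ok)
			goto next_selector;

		if (LIST_EMPTY(&child_sa->lease_list)) {
			/* plain case: the configured dst must be covered */
			if (!dstlist ||
			    !ts_payload_is_matching(ts_r,
						    upper_layer_protocol,
						    dstlist->a.ipaddr,
						    dst_prefixlen))
				goto next_selector;

			TRACE((PLOGLOC, "using selector %s\n",
			       rc_vmem2str(s->sl_index)));
			param->ts_r = ts_match(ts_l,
					       ts_l->tsh.num_ts,
					       upper_layer_protocol,
					       srclist->a.ipaddr,
					       src_prefixlen);
			param->ts_i = ts_match(ts_r,
					       ts_r->tsh.num_ts,
					       upper_layer_protocol,
					       dstlist->a.ipaddr,
					       dst_prefixlen);
		} else {
			/*
			TSi: 0.0.0.0/0, TSr: 0.0.0.0/0
			selector: IP_ANY - 192.0.2.0/24, addrpool 192.0.2.200-192.0.2.250

			*/
			/*
			 * if peer requested INTERNAL_IP*_ADDR,
			 * confirm TS matches with allocated address,
			 * then deallocate unmatching allocated address
			 */
			struct rcf_address *a;
			struct rcf_address *next_a;
			struct rcf_address *target;
			struct sockaddr_storage ss;
			int prefixlen;

			target = 0;
			for (a = LIST_FIRST(&child_sa->lease_list);
			     a != 0;
			     a = LIST_NEXT(a, link_sa)) {
				ikev2_cfg_addr2sockaddr((struct sockaddr *)&ss,
							a,
							&prefixlen);
				if (ts_payload_is_matching(ts_r,
							   upper_layer_protocol,
							   (struct sockaddr *)&ss,
							   prefixlen)) {
					target = a;
					break;
				}
			}
			if (!target)
				goto next_selector;

			/* remove all but one matching address */
			for (a = LIST_FIRST(&child_sa->lease_list); a != 0; a = next_a) {
				next_a = LIST_NEXT(a, link_sa);
				if (a != target)
					rc_addrpool_release_addr(a);
			}

			TRACE((PLOGLOC, "using selector %s\n",
			       rc_vmem2str(s->sl_index)));
			param->ts_r = ts_match(ts_l,
					       ts_l->tsh.num_ts,
					       upper_layer_protocol,
					       srclist->a.ipaddr,
					       src_prefixlen);
			ikev2_cfg_addr2sockaddr((struct sockaddr *)&ss,
						target,
						&prefixlen);
			param->ts_i = ts_match(ts_r, 1,
					       upper_layer_protocol,
					       (struct sockaddr *)&ss,
					       prefixlen);
		}

		/* ts_match() returns NULL on allocation failure; do not
		 * hand half-built selectors (or NULL) to the caller */
		if (!param->ts_r || !param->ts_i) {
			plog(PLOG_INTERR, PLOGLOC, 0,
			     "failed to build traffic selectors for selector %s\n",
			     rc_vmem2str(s->sl_index));
			if (param->ts_r)
				rc_vfree(param->ts_r);
			if (param->ts_i)
				rc_vfree(param->ts_i);
			param->ts_r = param->ts_i = 0;
			goto next_selector;
		}

		IF_TRACE({
			TRACE((PLOGLOC, "traffic selectors for response:\n"));
			ikev2_dump_traffic_selector_h("TSi",
						      param->ts_i->v);
			ikev2_dump_traffic_selector_h("TSr",
						      param->ts_r->v);
		});
		/* the address lists now belong to the child SA */
		child_sa->srclist = srclist;
		child_sa->dstlist = dstlist;
		free_selectorlist(s->next);
		return s;

	next_selector:
		if (srclist)
			rcs_free_addrlist(srclist);
		if (dstlist)
			rcs_free_addrlist(dstlist);
	}
	return 0;

#ifdef notyet
	/*
	 * It is possible for the Responder's policy to contain multiple smaller
	 * ranges, all encompassed by the Initiator's traffic selector, and with
	 * the Responder's policy being that each of those ranges should be sent
	 * over a different SA.  Continuing the example above, Bob might have a
	 * policy of being willing to tunnel those addresses to and from Alice,
	 * but might require that each address pair be on a separately
	 * negotiated CHILD_SA.  If Alice generated her request in response to an
	 * incoming packet from 10.2.16.43 to 10.16.2.123, there would be no way
	 * for Bob to determine which pair of addresses should be included in
	 * this tunnel, and he would have to make his best guess or reject the
	 * request with a status of SINGLE_PAIR_REQUIRED.
	 *
	 * If Bob's policy does not allow him to accept the entire set of
	 * traffic selectors in Alice's request, but does allow him to accept
	 * the first selector of TSi and TSr, then Bob MUST narrow the traffic
	 * selectors to a subset that includes Alice's first choices.
	 */
	if (contsel && contsel->policy->ipsec->require_unique) {

		tsi = first of TSi;
		tsr = first of TSr;
		if (tsi->startaddr == tsi->endaddr
		    && tsr->startaddr == tsr->endaddr) {
			/* narrow to the first ts; */
			param->ts_i = rc_vnew(...);
			param->ts_r = rc_vnew(...);
		} else {
			param->single_pair_required = TRUE;
			return 0;
		}
	}

	if (contsel) {
		if (contained >= 2)
			param->additional_ts_possible = TRUE;
		return contsel;
	}
	return 0;
#endif
}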
2439
2440 /*
2441 * compare two address lists
2442 * returns TRUE if identical, FALSE otherwise
2443 */
/* Prototype for the exported comparison below.  NOTE(review): the unused
 * attribute (GCC_ATTRIBUTE is a project macro) presumably keeps the build
 * quiet when nothing in this translation unit calls addrlist_equal — confirm. */
int addrlist_equal(struct rc_addrlist *, struct rc_addrlist *)
GCC_ATTRIBUTE((unused));
2446
/*
 * addrlist_equal - compare two address lists element by element.
 *
 * Lists are equal when they have the same length and every pair of entries
 * agrees on type, port and prefixlen, and on the address payload:
 * RCT_ADDR_INET entries are compared with sockaddr_compare_with_prefix()
 * under the entry's own prefixlen; FQDN/MACRO/FILE entries with
 * rc_vmemcmp().  Any other type is traced and counts as "not equal".
 *
 * Returns TRUE when identical, FALSE otherwise.
 */
int
addrlist_equal(struct rc_addrlist *a0, struct rc_addrlist *b0)
{
	struct rc_addrlist *lhs = a0;
	struct rc_addrlist *rhs = b0;

	while (lhs != 0 && rhs != 0) {
		if (lhs->type != rhs->type
		    || lhs->port != rhs->port
		    || lhs->prefixlen != rhs->prefixlen)
			return FALSE;

		switch (lhs->type) {
		case RCT_ADDR_INET:
			if (!sockaddr_compare_with_prefix(lhs->a.ipaddr,
							  rhs->a.ipaddr,
							  lhs->prefixlen))
				return FALSE;
			break;
		case RCT_ADDR_FQDN:
		case RCT_ADDR_MACRO:
		case RCT_ADDR_FILE:
			if (rc_vmemcmp(lhs->a.vstr, rhs->a.vstr) != 0)
				return FALSE;
			break;
		default:
			TRACE((PLOGLOC, "unexpected: %d %d\n", lhs->type, rhs->type));
			return FALSE;
		}
		lhs = lhs->next;
		rhs = rhs->next;
	}

	/* both lists must run out at the same time */
	return (lhs == 0 && rhs == 0) ? TRUE : FALSE;
}
2481
2482 /*
2483 * returns TRUE if one of the addrlist in l contains addr
2484 */
/*
 * addrlist_match - does any entry of l cover addr?
 *
 * Only RCT_ADDR_INET entries are supported: addr is compared against the
 * entry's address under the entry's prefix length (addr_prefixlen()).
 * Any other entry type is logged as an internal error and ends the scan
 * with FALSE, so an unsupported entry is never skipped silently.
 *
 * Returns TRUE at the first covering entry, FALSE otherwise.
 */
static int
addrlist_match(struct rc_addrlist *l, struct sockaddr *addr)
{
	struct rc_addrlist *entry;

	for (entry = l; entry != 0; entry = entry->next) {
		if (entry->type != RCT_ADDR_INET) {
			isakmp_log(0, 0, 0, 0,
				   PLOG_INTERR, PLOGLOC,
				   "unsupported address type (%s) in selector addreses list\n",
				   rct2str(entry->type));
			return FALSE;
		}
		if (sockaddr_compare_with_prefix(addr, entry->a.ipaddr,
						 addr_prefixlen(entry)))
			return TRUE;
	}
	return FALSE;
}
2508
/*
 * ike_conf_find_selector_by_addr - find the first outbound selector whose
 * src list covers local and whose dst list covers remote.
 *
 * local may be NULL, in which case only remote is matched.  remote is always
 * handed to addrlist_match(); NOTE(review): nothing here rejects a NULL
 * remote — confirm callers never pass one.
 *
 * Returns the selector, or 0 when none matches.
 */
struct rcf_selector *
ike_conf_find_selector_by_addr(struct sockaddr *local, struct sockaddr *remote)
{
	struct rcf_selector *sel;
	extern struct rcf_selector *rcf_selector_head;

	for (sel = rcf_selector_head; sel != 0; sel = sel->next) {
		int src_ok;

		if (sel->direction != RCT_DIR_OUTBOUND)
			continue;
		src_ok = (local == 0) || addrlist_match(sel->src, local);
		if (src_ok && addrlist_match(sel->dst, remote))
			return sel;
	}
	return 0;
}
2530
2531 /* XXX these tables should be generated dynamically from crypto lib
2532 * information (for IKE SA) or kernel information (for IPsec SA) */
2533
2534 /*
2535 * CONF_VARIABLE_KEYLEN: config racoon_code does not imply key length
2536 * PROTO_VARIABLE_KEYLEN: protocol needs key length attribute
2537 */
2538 #define CONF_VARIABLE_KEYLEN 0x8000
2539 #define PROTO_VARIABLE_KEYLEN 0x4000
2540 #define IS_CONF_VARIABLE_KEYLEN(_alg) (((_alg).flags & CONF_VARIABLE_KEYLEN) != 0)
2541 #define IS_PROTO_VARIABLE_KEYLEN(_alg) (((_alg).flags & PROTO_VARIABLE_KEYLEN) != 0)
2542
2543 #define KEYLEN(_alg) ((_alg).keylen)
2544
2545 #define ALG_ENC(rc, id, klen, noncelen, flags, def) { (rc), (id), (klen), (noncelen), (flags), 0, (def) }
2546
/*
 * IKEv2 ENCR transforms racoon can negotiate, terminated by a { 0 } row.
 * ALG_ENC fields: racoon config code, IKEv2 transform id, key length in
 * bytes, extra key bytes added to enckeylen (4 for AES-CTR rows, 0 else),
 * keylen flags, and the encryptor definition used when the transform is
 * selected.  Racoon codes that map to several key sizes (RIJNDAEL_CBC,
 * AES_CTR) carry CONF_VARIABLE_KEYLEN so the config must state the length;
 * the AES rows carry PROTO_VARIABLE_KEYLEN because the transform needs a
 * KEY_LENGTH attribute on the wire.  Rows with the same transform id are
 * searched top-down, so the 16-byte row is the first AES_CBC/AES_CTR match.
 * NOTE(review): 3DES is a legacy cipher kept for interoperability; prefer
 * the AES entries in new configurations.
 */
static struct algdef ikev2_transf_encr[] = {
	/* ALG_ENC(RCT_ALG_DES_CBC_IV64, IKEV2TRANSF_ENCR_DES_IV64, 8, 0 ), */
	/* ALG_ENC(RCT_ALG_DES_CBC, IKEV2TRANSF_ENCR_DES, 8, 0 ), */
	ALG_ENC(RCT_ALG_DES3_CBC, IKEV2TRANSF_ENCR_3DES, 24, 0, 0, &encr_triple_des),
	/* ALG_ENC(RCT_ALG_RC5_CBC, IKEV2TRANSF_ENCR_RC5, 16, 0 ), */
	/* ALG_ENC(RCT_ALG_IDEA_CBC, IKEV2TRANSF_ENCR_IDEA, 16, 0 ), */
	/* ALG_ENC(RCT_ALG_CAST128_CBC, IKEV2TRANSF_ENCR_CAST, 16, 0 ), */
	/* ALG_ENC(RCT_ALG_BLOWFISH_CBC, IKEV2TRANSF_ENCR_BLOWFISH, 16, 0 ), */
	/* ALG_ENC(RCT_ALG_IDEA3_CBC, IKEV2TRANSF_ENCR_3IDEA, .... ), */
	/* ALG_ENC(RCT_ALG_DES_CBC_IV32, IKEV2TRANSF_ENCR_DES_IV32, 8, 0 ), */
	ALG_ENC(RCT_ALG_NULL_ENC, IKEV2TRANSF_ENCR_NULL, 0, 0, 0, &encr_null),
	ALG_ENC(RCT_ALG_RIJNDAEL_CBC, IKEV2TRANSF_ENCR_AES_CBC, 16, 0, CONF_VARIABLE_KEYLEN | PROTO_VARIABLE_KEYLEN, &encr_aes128),
	ALG_ENC(RCT_ALG_RIJNDAEL_CBC, IKEV2TRANSF_ENCR_AES_CBC, 24, 0, CONF_VARIABLE_KEYLEN | PROTO_VARIABLE_KEYLEN, &encr_aes192),
	ALG_ENC(RCT_ALG_RIJNDAEL_CBC, IKEV2TRANSF_ENCR_AES_CBC, 32, 0, CONF_VARIABLE_KEYLEN | PROTO_VARIABLE_KEYLEN, &encr_aes256),
	ALG_ENC(RCT_ALG_AES128_CBC, IKEV2TRANSF_ENCR_AES_CBC, 16, 0, PROTO_VARIABLE_KEYLEN, &encr_aes128),
	ALG_ENC(RCT_ALG_AES192_CBC, IKEV2TRANSF_ENCR_AES_CBC, 24, 0, PROTO_VARIABLE_KEYLEN, &encr_aes192),
	ALG_ENC(RCT_ALG_AES256_CBC, IKEV2TRANSF_ENCR_AES_CBC, 32, 0, PROTO_VARIABLE_KEYLEN, &encr_aes256),
	/* AES-CTR rows: the 4 extra bytes are the nonce counted into enckeylen */
	ALG_ENC(RCT_ALG_AES_CTR, IKEV2TRANSF_ENCR_AES_CTR, 16, 4, CONF_VARIABLE_KEYLEN | PROTO_VARIABLE_KEYLEN, &encr_aesctr128),
	ALG_ENC(RCT_ALG_AES_CTR, IKEV2TRANSF_ENCR_AES_CTR, 24, 4, CONF_VARIABLE_KEYLEN | PROTO_VARIABLE_KEYLEN, &encr_aesctr192),
	ALG_ENC(RCT_ALG_AES_CTR, IKEV2TRANSF_ENCR_AES_CTR, 32, 4, CONF_VARIABLE_KEYLEN | PROTO_VARIABLE_KEYLEN, &encr_aesctr256),
	/* AES_CCM_8 */
	/* AES_CCM_12 */
	/* AES_CCM_16 */
	/* AES_GCM_ICV8 */
	/* AES_GCM_ICV12 */
	/* AES_GCM_ICV16 */
	/* NULL_AUTH_AES_GMAC */
	/* IEEE_P1619_XTS_AES */
	{ 0 }	/* terminator: racoon_code == 0 ends every table scan */
};
2577
2578 #define ALG_HASH(rc, id, klen, gen) { (rc), (id), (klen), 0, 0, (void *(*)())(gen), 0 }
2579
/*
 * IKEv2 PRF transforms, terminated by a {0} row.  ALG_HASH fields: racoon
 * config code, IKEv2 transform id, output/key length in bytes, and the
 * generator that constructs the keyed hash (stored in the generator slot,
 * definition left 0).  ikev2_prf_new() picks the first row whose
 * transform id matches and whose generator is set.
 * NOTE(review): HMAC-MD5 is a legacy PRF; prefer SHA-1/SHA-2 or AES-based
 * rows where the peer supports them.
 */
static struct algdef ikev2_transf_prf[] = {
	ALG_HASH(RCT_ALG_HMAC_MD5, IKEV2TRANSF_PRF_HMAC_MD5, 16, hmacmd5_new),
	ALG_HASH(RCT_ALG_HMAC_SHA1, IKEV2TRANSF_PRF_HMAC_SHA1, 20, hmacsha1_new),
	/* ALG_HASH( RCT_ALG_HMAC_TIGER, IKEV2TRANSF_PRF_HMAC_TIGER ), */
	ALG_HASH(RCT_ALG_AES_XCBC, IKEV2TRANSF_PRF_AES128_XCBC, 16, aesxcbcmac_new),
#ifdef WITH_SHA2
	/* SHA-2 rows exist only when the crypto library provides them */
	ALG_HASH(RCT_ALG_HMAC_SHA2_256, IKEV2TRANSF_PRF_HMAC_SHA2_256, 256/8, hmacsha256_new),
	ALG_HASH(RCT_ALG_HMAC_SHA2_384, IKEV2TRANSF_PRF_HMAC_SHA2_384, 384/8, hmacsha384_new),
	ALG_HASH(RCT_ALG_HMAC_SHA2_512, IKEV2TRANSF_PRF_HMAC_SHA2_512, 512/8, hmacsha512_new),
#endif
	ALG_HASH(RCT_ALG_AES_CMAC, IKEV2TRANSF_PRF_AES128_CMAC, 16, aescmac_new),
	{0}	/* terminator */
};
2593
/*
 * IKEv2 INTEGR (authentication) transforms, terminated by a {0} row.
 * Same ALG_HASH layout as the PRF table; the key length column is what
 * ikev2_proposal_to_ipsec() installs as authkeylen, and the generator is
 * what ikev2_authenticator_new() wraps with keyedhash_authenticator().
 * No row carries a keylen flag: none of these MACs negotiates a key length.
 * NOTE(review): HMAC-MD5-96 is a legacy integrity algorithm; prefer the
 * SHA-1/SHA-2 or AES-based rows.
 */
static struct algdef ikev2_transf_integr[] = {
	ALG_HASH(RCT_ALG_HMAC_MD5, IKEV2TRANSF_AUTH_HMAC_MD5_96, 16, hmacmd5_96_new),
	ALG_HASH(RCT_ALG_HMAC_SHA1, IKEV2TRANSF_AUTH_HMAC_SHA1_96, 20, hmacsha1_96_new),
	/* ALG_HASH( RCT_ALG_DES_MAC, IKEV2TRANSF_AUTH_DES_MAC ), */
	/* ALG_HASH( RCT_ALG_KPDK_MD5, IKEV2TRANSF_AUTH_KPDK_MD5 ), */
	ALG_HASH(RCT_ALG_AES_XCBC, IKEV2TRANSF_AUTH_AES_XCBC_96, 16, aesxcbcmac_96_new),
	/* HMAC_MD5_128 */
	/* HMAC_SHA1_160 */
	ALG_HASH(RCT_ALG_AES_CMAC, IKEV2TRANSF_AUTH_AES_CMAC_96, 16, aescmac_96_new),
	/* AES_128_GMAC */
	/* AES_192_GMAC */
	/* AES_256_GMAC */
#ifdef WITH_SHA2
	/* SHA-2 rows exist only when the crypto library provides them */
	ALG_HASH(RCT_ALG_HMAC_SHA2_256, IKEV2TRANSF_AUTH_HMAC_SHA2_256_128, 256/8, hmacsha256_128_new),
	ALG_HASH(RCT_ALG_HMAC_SHA2_384, IKEV2TRANSF_AUTH_HMAC_SHA2_384_192, 384/8, hmacsha384_192_new),
	ALG_HASH(RCT_ALG_HMAC_SHA2_512, IKEV2TRANSF_AUTH_HMAC_SHA2_512_256, 512/8, hmacsha512_256_new),
#endif
	{0}	/* terminator */
};
2613
2614 #define ALG_DH(rc, id, def) { (rc), (id), 0, 0, 0, 0, (def) }
2615
/*
 * IKEv2 D-H groups, terminated by a {0} row.  ALG_DH fields: racoon config
 * code, IKEv2 transform id, and the group definition (keylen, nonce,
 * flags and generator are all 0).  Looked up by transform id through
 * ikev2_dhinfo() and by config code through ikev2_conf_to_dhdef().
 * NOTE(review): MODP768 and MODP1024 are below current strength
 * recommendations; keep them out of new configurations unless a peer
 * strictly requires them.
 */
static struct algdef ikev2_transf_dh[] = {
	ALG_DH(RCT_ALG_MODP768, IKEV2TRANSF_DH_MODP768, &dh_modp768),
	ALG_DH(RCT_ALG_MODP1024, IKEV2TRANSF_DH_MODP1024, &dh_modp1024),
	/* ALG_DH( RCT_ALG_EC2N155, IKEV2TRANSF_DH_EC2N155 ), */
	/* ALG_DH( RCT_ALG_EC2N185, IKEV2TRANSF_DH_EC2N185 ), */
	ALG_DH(RCT_ALG_MODP1536, IKEV2TRANSF_DH_MODP1536, &dh_modp1536),
	ALG_DH(RCT_ALG_MODP2048, IKEV2TRANSF_DH_MODP2048, &dh_modp2048),
	ALG_DH(RCT_ALG_MODP3072, IKEV2TRANSF_DH_MODP3072, &dh_modp3072),
	ALG_DH(RCT_ALG_MODP4096, IKEV2TRANSF_DH_MODP4096, &dh_modp4096),
	ALG_DH(RCT_ALG_MODP6144, IKEV2TRANSF_DH_MODP6144, &dh_modp6144),
	ALG_DH(RCT_ALG_MODP8192, IKEV2TRANSF_DH_MODP8192, &dh_modp8192),
	/* ECP256 */
	/* ECP384 */
	/* ECP521 */
	/* MODP1024_160POS */
	/* MODP2048_224POS */
	/* MODP2048_256POS */
	/* ECP192 */
	/* ECP224 */
	{0}	/* terminator */
};
2637
/*
 * is_alg_supported - can config algorithm alg with key length keylen be used?
 *
 * keylen is in bits; 0 means the config did not give one.  A table row
 * matches when its racoon code equals alg, it has a generator or a
 * definition, and the length fits: the row's byte length times 8 equals
 * keylen, or keylen is 0 and the racoon code already fixes the length
 * (the row is not CONF_VARIABLE_KEYLEN).
 *
 * Returns TRUE at the first matching row, FALSE when none matches.
 */
static int
is_alg_supported(rc_type alg, int keylen, struct algdef *def)
{
	const int BITS = 8;
	struct algdef *row;

	for (row = def; row->racoon_code != 0; ++row) {
		int keylen_ok;
		int usable;

		if (alg != row->racoon_code)
			continue;
		keylen_ok = (KEYLEN(*row) * BITS == (size_t)keylen)
		    || (keylen == 0 && !IS_CONF_VARIABLE_KEYLEN(*row));
		usable = (row->generator != 0) || (row->definition != 0);
		if (keylen_ok && usable)
			return TRUE;
	}
	return FALSE;
}
2653
/*
 * is_alg_variable_keylen - does config algorithm alg need an explicit key
 * length?  TRUE when any row for alg carries CONF_VARIABLE_KEYLEN.
 */
static int
is_alg_variable_keylen(rc_type alg, struct algdef *def)
{
	struct algdef *row = def;

	while (row->racoon_code != 0) {
		if (row->racoon_code == alg && IS_CONF_VARIABLE_KEYLEN(*row))
			return TRUE;
		++row;
	}
	return FALSE;
}
2664
/*
 * ikeconf_rcf_alg - map a racoon config code to the IKEv2 transform id of
 * the first matching row in def.  Returns 0 when alg is not in the table.
 */
static int
ikeconf_rcf_alg(unsigned int alg, struct algdef *def)
{
	struct algdef *row = def;

	while (row->racoon_code != 0) {
		if (row->racoon_code == alg)
			return row->transform_id;
		++row;
	}
	return 0;
}
2675
2676 /*
2677 * returns key length value if the algorithm requires the key length attribute
2678 * if not required, returns 0
2679 */
/*
 * ikev2_rcf_alg_keylen - key length (bits) to put in the KEY_LENGTH
 * attribute for config entry alg.
 *
 * An explicit alg->keylen wins.  Otherwise the first row of def matching
 * alg->algtype decides: rows flagged PROTO_VARIABLE_KEYLEN yield their byte
 * length times 8, all others yield 0 (no attribute needed).  Unknown
 * algorithms also yield 0.  type is accepted for interface compatibility
 * and not consulted.
 */
int
ikev2_rcf_alg_keylen(int type, struct rc_alglist *alg, struct algdef *def)
{
	const int BITS = 8;
	struct algdef *row;

	(void)type;

	if (alg->keylen != 0)
		return alg->keylen;

	for (row = def; row->racoon_code != 0; ++row) {
		if (row->racoon_code != alg->algtype)
			continue;
		return IS_PROTO_VARIABLE_KEYLEN(*row) ? KEYLEN(*row) * BITS : 0;
	}
	return 0;
}
2699
2700 /*
2701 * creates an encryptor based on negotiated proposal
2702 * code is ikev2 transform id, klen is key length in bits
2703 */
/*
 * ikev2_encryptor_new - instantiate the encryptor for a negotiated ENCR
 * transform.
 *
 * code is the IKEv2 transform id, klen the negotiated key length in bits
 * (0 when no KEY_LENGTH attribute was present).  The first row of
 * ikev2_transf_encr with that id and a definition wins; when klen is 0 the
 * key length is not checked, so the topmost row for the id is used (the
 * 16-byte row for AES_CBC/AES_CTR — confirm that is the intended default).
 *
 * Returns the new encryptor, or 0 after logging a protocol error.
 */
struct encryptor *
ikev2_encryptor_new(int code, int klen)
{
	const int BITS = 8;
	struct algdef *row;

	for (row = &ikev2_transf_encr[0]; row->racoon_code != 0; ++row) {
		if (row->transform_id != code || row->definition == 0)
			continue;
		if (klen != 0 && KEYLEN(*row) * BITS != (size_t)klen)
			continue;
		return encryptor_new((struct encryptor_method *)row->definition);
	}

	if (klen == 0) {
		plog(PLOG_PROTOERR, PLOGLOC, 0,
		     "unsupported encryption (transform code %d)\n", code);
	} else {
		plog(PLOG_PROTOERR, PLOGLOC, 0,
		     "unsupported encryption (transform code %d keylen %d)\n",
		     code, klen);
	}
	return 0;
}
2730
2731 /*
2732 * creates an authenticator based on negotiated proposal
2733 */
/*
 * ikev2_authenticator_new - instantiate the authenticator for a negotiated
 * INTEGR transform id.
 *
 * The first row of ikev2_transf_integr with that id and a generator wins;
 * its generator builds the keyed hash, which keyedhash_authenticator()
 * wraps.  NOTE(review): the generator's result is handed over unchecked —
 * confirm keyedhash_authenticator() tolerates a NULL hash.
 *
 * Returns the authenticator, or 0 (logged) when creation fails or the id
 * is unknown.
 */
struct authenticator *
ikev2_authenticator_new(int code)
{
	struct algdef *row;

	for (row = &ikev2_transf_integr[0]; row->racoon_code != 0; ++row) {
		struct keyed_hash *(*make_hash)(void);
		struct authenticator *result;

		if (row->transform_id != code || row->generator == 0)
			continue;
		make_hash = (struct keyed_hash *(*)(void))row->generator;
		result = keyedhash_authenticator(make_hash());
		if (result == 0)
			plog(PLOG_INTERR, PLOGLOC, 0,
			     "failed creating authenticator\n");
		return result;
	}
	plog(PLOG_PROTOERR, PLOGLOC, 0, "unsupported auth code %d\n", code);
	return 0;
}
2755
2756 /*
2757 * creates a prf based on negotiated proposal
2758 */
/*
 * ikev2_prf_new - instantiate the PRF for a negotiated transform id.
 *
 * The first row of ikev2_transf_prf with that id and a generator wins and
 * its generator is called.  Returns the keyed hash, or 0 (logged) when the
 * generator fails or the id is unknown.
 */
struct keyed_hash *
ikev2_prf_new(int code)
{
	struct algdef *row;

	for (row = &ikev2_transf_prf[0]; row->racoon_code != 0; ++row) {
		struct keyed_hash *(*make_hash)(void);
		struct keyed_hash *result;

		if (row->transform_id != code || row->generator == 0)
			continue;
		make_hash = (struct keyed_hash *(*)(void))row->generator;
		result = make_hash();
		if (result == 0)
			plog(PLOG_INTERR, PLOGLOC, 0,
			     "failed creating prf\n");
		return result;
	}
	plog(PLOG_PROTOERR, PLOGLOC, 0, "unsupported prf code %d\n", code);
	return 0;
}
2780
2781 /* find DH info by Transform ID */
/*
 * isakmp_dhinfo - find the D-H table row whose transform id is id.
 * Returns a pointer into dhdef, or 0 when absent.
 */
struct algdef *
isakmp_dhinfo(unsigned int id, struct algdef *dhdef)
{
	struct algdef *row;

	for (row = dhdef; row->racoon_code != 0; ++row) {
		if (row->transform_id == id)
			return row;
	}
	return 0;
}
2793
/*
 * ikev2_dhinfo - isakmp_dhinfo() over the IKEv2 D-H table.
 * Returns the row for transform id id, or 0.
 */
struct algdef *
ikev2_dhinfo(unsigned int id)
{
	struct algdef *table = ikev2_transf_dh;

	return isakmp_dhinfo(id, table);
}
2799
2800 /* find DH info by Racoon conf code */
/*
 * isakmp_conf_to_dhdef - find the D-H table row whose racoon config code
 * is code.  Returns a pointer into dhdef, or 0 when absent.
 */
struct algdef *
isakmp_conf_to_dhdef(rc_type code, struct algdef *dhdef)
{
	struct algdef *row;

	for (row = dhdef; row->racoon_code != 0; ++row) {
		if (row->racoon_code == code)
			return row;
	}
	return 0;
}
2811
/*
 * ikev2_conf_to_dhdef - isakmp_conf_to_dhdef() over the IKEv2 D-H table.
 * Returns the row for config code code, or 0.
 */
struct algdef *
ikev2_conf_to_dhdef(rc_type code)
{
	struct algdef *table = ikev2_transf_dh;

	return isakmp_conf_to_dhdef(code, table);
}
2817
2818 /*
2819 * choose a dh group from config
2820 */
/*
 * ike_conf_dhgrp - the kmp_dh_group list to use for a remote.
 *
 * version selects the ikev1 or ikev2 clause.  The remote's own list wins
 * when present; otherwise the list from the default remote clause is used;
 * 0 when neither has one or version is not 1 or 2.  conf must not be NULL.
 */
struct rc_alglist *
ike_conf_dhgrp(struct rcf_remote *conf, int version)
{
	struct rcf_remote *dflt = 0;
	struct rcf_kmp *kmp_dflt = 0;
	struct rcf_kmp *kmp_own = 0;
	struct rc_alglist *grp = 0;
	extern struct rcf_default *rcf_default_head;

	assert(conf != 0);
	if (rcf_default_head)
		dflt = rcf_default_head->remote;

	switch (version) {
	case 1:
		kmp_dflt = dflt ? dflt->ikev1 : 0;
		kmp_own = conf->ikev1;
		break;
	case 2:
		kmp_dflt = dflt ? dflt->ikev2 : 0;
		kmp_own = conf->ikev2;
		break;
	default:
		return 0;
	}

	/* default clause first, then the remote's own setting overrides it */
	if (kmp_dflt)
		grp = kmp_dflt->kmp_dh_group;
	if (kmp_own && kmp_own->kmp_dh_group)
		grp = kmp_own->kmp_dh_group;
	return grp;
}
2846
2847 /* construct new transform proppair */
/*
 * transform_new - build one IKEv2 transform substructure wrapped in a
 * prop_pair.
 *
 * type/id fill transform_type and transform_id, more is stored in the
 * "more transforms follow" byte.  When keylen > 0 a single KEY_LENGTH
 * attribute (short form) carrying keylen is appended right after the
 * transform header and counted in transform_length.  NOTE(review): the
 * buffer is sized with sizeof(struct isakmp_pl_t) but written through
 * struct ikev2transform — assumes both have the same size; confirm.  keylen
 * is written with put_uint16(), so values above 16 bits would be truncated.
 *
 * Returns the pair (owner: caller, released with proppair_discard()) or 0
 * on allocation failure.
 */
static struct prop_pair *
transform_new(unsigned int type, unsigned int id, unsigned int keylen, int more)
{
	struct prop_pair *pair;
	struct ikev2transform *trns;
	size_t total_len = sizeof(struct isakmp_pl_t);

	pair = proppair_new();
	if (pair == 0)
		return 0;

	if (keylen > 0)
		total_len += sizeof(struct ikev2attrib);
	trns = (struct ikev2transform *)racoon_malloc(total_len);
	if (trns == 0) {
		proppair_discard(pair);
		return 0;
	}

	trns->more = more;
	trns->reserved1 = 0;
	trns->reserved2 = 0;
	trns->transform_type = type;
	put_uint16(&trns->transform_length, total_len);
	put_uint16(&trns->transform_id, id);

	if (keylen > 0) {
		struct ikev2attrib *attr = (struct ikev2attrib *)(trns + 1);

		put_uint16(&attr->type, IKEV2ATTRIB_SHORT | IKEV2ATTRIB_KEY_LENGTH);
		put_uint16(&attr->l_or_v, keylen);
	}

	pair->trns = (struct isakmp_pl_t *)trns;
	return pair;
}
2887
2888 /*
2889 * convert alglist to prop_pair
2890 * with IKEv2 transform ID space
2891 */
/*
 * alg_to_proppair - one config algorithm entry to one IKEv2 transform.
 *
 * alg->algtype is translated through translation_table into a transform id
 * (0 = unsupported, logged, returns 0); the KEY_LENGTH attribute value comes
 * from ikev2_rcf_alg_keylen().  The transform is created with more = 0.
 *
 * Returns the prop_pair or 0 on unsupported algorithm / allocation failure.
 */
static struct prop_pair *
alg_to_proppair(struct rc_alglist *alg, int type,
		struct algdef *translation_table)
{
	int transform_id = ikeconf_rcf_alg(alg->algtype, translation_table);
	int keylen_attr;

	if (transform_id == 0) {
		isakmp_log(0, 0, 0, 0,
			   PLOG_INTERR, PLOGLOC,
			   "unsupported algorithm %s\n", rct2str(alg->algtype));
		return 0;
	}
	keylen_attr = ikev2_rcf_alg_keylen(type, alg, translation_table);
	return transform_new(type, transform_id, keylen_attr, 0);
}
2910
/*
 * alglist_to_proppair - convert a whole config algorithm list into a chain
 * of transforms of the given type, linked through tnext in config order.
 *
 * Returns the chain head, or 0 both for an empty list and for a failed
 * conversion (the partial chain is discarded).  Callers that need to tell
 * the two apart must check the input list themselves.
 */
static struct prop_pair *
alglist_to_proppair(struct rc_alglist *alg, int type,
		    struct algdef *translation_table)
{
	struct prop_pair *head = 0;
	struct prop_pair **link = &head;
	struct rc_alglist *entry;

	for (entry = alg; entry != 0; entry = entry->next) {
		struct prop_pair *t = alg_to_proppair(entry, type, translation_table);

		if (t == 0) {
			if (head)
				proppair_discard(head);
			return 0;
		}
		*link = t;
		link = &t->tnext;
	}
	return head;
}
2936
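/*
 * ikev2_conf_to_proplist - build the IKE_SA proposal list for a remote.
 *
 * One proposal (#1, proto IKE) is produced.  It carries the ENCR, PRF,
 * INTEGR and DH transform lists, in that order, from rminfo->ikev2; a list
 * the remote does not set falls back to the default remote clause.  When
 * spi is non-NULL, sizeof(isakmp_cookie_t) bytes are copied after the
 * proposal header and spi_size is set accordingly; otherwise spi_size is 0
 * as IKE_SA negotiation requires.  num_t is left 0 for the packer.
 *
 * Returns the proplist (owned by the caller, released with
 * proplist_discard()), or 0 when rminfo has no ikev2 clause, on allocation
 * failure, or when a non-empty algorithm list could not be converted.  An
 * empty list is only warned about; a list whose entries are unsupported is
 * an error, because a proposal missing a transform type would otherwise be
 * sent out silently (alg_to_proppair() already logs the offending entry).
 */
struct prop_pair **
ikev2_conf_to_proplist(struct rcf_remote *rminfo, isakmp_cookie_t spi)
{
	struct rcf_kmp *kmp;
	struct rcf_kmp *kmp_default;
	struct rc_alglist *alglist;
	struct prop_pair **result = 0;
	struct prop_pair **tail;
	size_t spi_size;
	struct isakmp_pl_p *prop;
	extern struct rcf_default *rcf_default_head;

	if (!rminfo)
		return 0;
	if (!rminfo->ikev2)
		return 0;

	kmp = rminfo->ikev2;

	kmp_default = 0;
	if (rcf_default_head && rcf_default_head->remote
	    && rcf_default_head->remote->ikev2)
		kmp_default = rcf_default_head->remote->ikev2;

	/*
	 * with current config syntax, only single proposal can be generated
	 *
	 * #1 --- Proto IKE
	 * |
	 * Transf-Transf-Transf----Transf
	 * PRF INTEG ENCR DH
	 * MD5 SHA1 3DES MODP1536
	 * | | | |
	 * PRF INTEG ENCR DH
	 * SHA1 MD5 AESCBC MODP1024
	 */

	result = proplist_new();
	if (!result)
		goto fail_nomem;

	result[1] = proppair_new();
	if (!result[1])
		goto fail_nomem;

	if (spi) {
		/* (draft-17)
		 * New initiator and responder SPIs are supplied in the SPI fields.
		 */
		spi_size = sizeof(isakmp_cookie_t);
	} else {
		spi_size = 0;	/* MUST be zero for IKE_SA negotiation */
	}
	prop = racoon_malloc(sizeof(struct isakmp_pl_p) + spi_size);
	if (!prop)
		goto fail_nomem;
	prop->p_no = 1;
	prop->proto_id = IKEV2PROPOSAL_IKE;
	prop->spi_size = spi_size;
	prop->num_t = 0;
	if (spi_size > 0)
		memcpy((uint8_t *)(prop + 1), spi, spi_size);

	result[1]->prop = prop;
	result[1]->trns = 0;

	tail = &result[1]->tnext;

	/*
	 * For each transform type: pick the remote's list, else the default's;
	 * an empty list is a warning, a non-empty list that fails to convert
	 * is an error (alglist_to_proppair() returns 0 in both cases, so the
	 * input list tells them apart).
	 */
	alglist = kmp->kmp_enc_alg;
	if (!alglist && kmp_default)
		alglist = kmp_default->kmp_enc_alg;
	if (!alglist)
		plog(PLOG_INTWARN, PLOGLOC, 0, "kmp_enc_alg list is empty\n");
	*tail = alglist_to_proppair(alglist,
				    IKEV2TRANSFORM_TYPE_ENCR,
				    &ikev2_transf_encr[0]);
	if (*tail)
		tail = &(*tail)->next;
	else if (alglist)
		goto fail_convert;

	alglist = kmp->kmp_prf_alg;
	if (!alglist && kmp_default)
		alglist = kmp_default->kmp_prf_alg;
	if (!alglist)
		plog(PLOG_INTWARN, PLOGLOC, 0, "kmp_prf_alg list is empty\n");
	*tail = alglist_to_proppair(alglist,
				    IKEV2TRANSFORM_TYPE_PRF,
				    &ikev2_transf_prf[0]);
	if (*tail)
		tail = &(*tail)->next;
	else if (alglist)
		goto fail_convert;

	alglist = kmp->kmp_hash_alg;
	if (!alglist && kmp_default)
		alglist = kmp_default->kmp_hash_alg;
	if (!alglist)
		plog(PLOG_INTWARN, PLOGLOC, 0, "kmp_hash_alg list is empty\n");
	*tail = alglist_to_proppair(alglist,
				    IKEV2TRANSFORM_TYPE_INTEGR,
				    &ikev2_transf_integr[0]);
	if (*tail)
		tail = &(*tail)->next;
	else if (alglist)
		goto fail_convert;

	alglist = kmp->kmp_dh_group;
	if (!alglist && kmp_default)
		alglist = kmp_default->kmp_dh_group;
	if (!alglist)
		plog(PLOG_INTWARN, PLOGLOC, 0, "kmp_dh_group list is empty\n");
	*tail = alglist_to_proppair(alglist,
				    IKEV2TRANSFORM_TYPE_DH,
				    &ikev2_transf_dh[0]);
	if (*tail)
		tail = &(*tail)->next;
	else if (alglist)
		goto fail_convert;

	return result;

fail_convert:
	isakmp_log(0, 0, 0, 0,
		   PLOG_INTERR, PLOGLOC,
		   "failed converting algorithm list to proposal\n");
	goto fail;

fail_nomem:
	isakmp_log(0, 0, 0, 0,
		   PLOG_INTERR, PLOGLOC, "failed allocating memory\n");
fail:
	if (result)
		proplist_discard(result);
	return 0;
}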
3065
3066 /*
3067 * IPSEC config to proplist
3068 *
3069 * conf is a linked list of struct rcf_ipsec
3070 */
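/*
 * ikev2_ipsec_conf_to_proplist - build the CHILD_SA proposal list from the
 * ipsec clauses of the child SA's selector policy.
 *
 * Each struct rcf_ipsec in child_sa->selector->pl->ips becomes one proposal
 * number (starting at 1); within it an AH proposal precedes an ESP proposal
 * when both are configured, chained through next.  is_createchild enables
 * the PFS D-H transform when the remote config asks for it.  An
 * ext_sequence = on clause is warned about but still handed down.
 *
 * Returns the proplist (owned by the caller, released with
 * proplist_discard()), or 0 on allocation or conversion failure — both are
 * logged, the latter by ikev2_ipsec_sa_to_proplist().
 */
struct prop_pair **
ikev2_ipsec_conf_to_proplist(struct ikev2_child_sa *child_sa,
			     int is_createchild)
{
	struct rcf_ipsec *conf;
	struct prop_pair **proplist = 0;
	int proposal_number;

	conf = child_sa->selector->pl->ips;

	proplist = proplist_new();
	if (!proplist)
		goto fail_nomem;
	for (proposal_number = 1; conf; ++proposal_number, conf = conf->next) {
		struct prop_pair **prop_tail;
		rc_type ext_sequence;
		int need_pfs;

		prop_tail = &proplist[proposal_number];

		IPSEC_CONF(ext_sequence, conf, ext_sequence, RCT_BOOL_OFF);
		if (ext_sequence == RCT_BOOL_ON) {
			isakmp_log(0, 0, 0, 0,
				   PLOG_INTWARN, PLOGLOC,
				   "Extended Sequence Number unsupported.\n");
		}
		/* PFS only applies to CREATE_CHILD_SA, and only if configured */
		need_pfs = (is_createchild &&
			    (ikev2_need_pfs(child_sa->parent->rmconf) == RCT_BOOL_ON));
		if (conf->sa_ah) {
			*prop_tail = ikev2_ipsec_sa_to_proplist(child_sa,
								proposal_number,
								conf->sa_ah,
								IKEV2PROPOSAL_AH,
								need_pfs,
								ext_sequence);
			if (!*prop_tail)
				goto fail;
			prop_tail = &(*prop_tail)->next;
		}
		if (conf->sa_esp) {
			*prop_tail = ikev2_ipsec_sa_to_proplist(child_sa,
								proposal_number,
								conf->sa_esp,
								IKEV2PROPOSAL_ESP,
								need_pfs,
								ext_sequence);
			if (!*prop_tail)
				goto fail;
			prop_tail = &(*prop_tail)->next;
		}
	}

	return proplist;

fail_nomem:
	/* log here like the other proposal builders; nothing to free yet */
	isakmp_log(0, 0, 0, 0,
		   PLOG_INTERR, PLOGLOC, "failed allocating memory\n");
fail:
	if (proplist)
		proplist_discard(proplist);
	return 0;
}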
3133
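/*
 * ikev2_ipsec_sa_to_proplist - build one AH or ESP proposal from a config
 * sa clause.
 *
 * proposal_number and proto_id go into the proposal header together with a
 * 4-byte SPI taken from proto_info->spi.  Transforms are chained through
 * tnext in this order: ENCR (enc_alg), INTEGR (auth_alg), DH (the remote's
 * dh group, only when need_pfs), then ESN: an ESN_YES transform when esn is
 * on, always followed by a final ESN_NO transform.  h.len covers only the
 * header plus SPI; num_t is left for the packer.
 *
 * Returns the prop_pair (owner: caller, released with proppair_discard())
 * or 0 after logging.  Allocation failure before prop_head exists must not
 * call proppair_discard() on a NULL pair, so the fail path guards it, as
 * transform_new() and alglist_to_proppair() do.
 */
static struct prop_pair *
ikev2_ipsec_sa_to_proplist(struct ikev2_child_sa *child_sa,
			   int proposal_number,
			   struct rcf_sa *proto_info,
			   int proto_id, int need_pfs, rc_type esn)
{
	const size_t ipsec_spi_size = sizeof(uint32_t);
	struct prop_pair *prop_head = 0;
	struct isakmp_pl_p *prop;
	struct prop_pair **tail;
	struct rc_alglist *enc_alg;
	struct rc_alglist *auth_alg;
	/* struct rc_alglist * comp_alg; */

	prop_head = proppair_new();
	if (!prop_head)
		goto fail_nomem;

	prop = racoon_calloc(1, sizeof(struct isakmp_pl_p) + ipsec_spi_size);
	if (!prop)
		goto fail_nomem;

	prop->h.len = htons(sizeof(struct isakmp_pl_p) + ipsec_spi_size);
	prop->p_no = proposal_number;
	prop->proto_id = proto_id;
	prop->spi_size = ipsec_spi_size;
	prop->num_t = 0;	/* will be set when packing the packet */
	put_uint32((uint32_t *)(prop + 1), proto_info->spi);

	prop_head->prop = prop;	/* from here on the pair owns prop */

	tail = &prop_head->tnext;	/* link to tnext */

	SA_CONF(enc_alg, proto_info, enc_alg, 0);
	if (enc_alg) {
		*tail = alglist_to_proppair(enc_alg,
					    IKEV2TRANSFORM_TYPE_ENCR,
					    &ikev2_transf_encr[0]);
		if (!*tail) {
			isakmp_log(0, 0, 0, 0,
				   PLOG_INTERR, PLOGLOC,
				   "failed converting enc_alg to proposal\n");
			goto fail;
		}
		tail = &(*tail)->next;	/* link to next */
	}

	SA_CONF(auth_alg, proto_info, auth_alg, 0);
	if (auth_alg) {
		*tail = alglist_to_proppair(auth_alg,
					    IKEV2TRANSFORM_TYPE_INTEGR,
					    &ikev2_transf_integr[0]);
		if (!*tail) {
			isakmp_log(0, 0, 0, 0,
				   PLOG_INTERR, PLOGLOC,
				   "failed converting auth_alg to proposal\n");
			goto fail;
		}
		tail = &(*tail)->next;
	}

	if (need_pfs) {
		/* an empty dh group list also lands here, since the converter
		 * returns 0 for it */
		*tail = alglist_to_proppair(ike_conf_dhgrp(child_sa->parent->rmconf,
							   IKEV2_MAJOR_VERSION),
					    IKEV2TRANSFORM_TYPE_DH,
					    &ikev2_transf_dh[0]);
		if (!*tail) {
			isakmp_log(0, 0, 0, 0,
				   PLOG_INTERR, PLOGLOC,
				   "failed converting kmp_dh_group\n");
			goto fail;
		}
		tail = &(*tail)->next;
	}

	/*
	 * (RFC4718, section4.4)
	 * Extended Sequence Numbers (ESN) Transform
	 */
	if (esn == RCT_BOOL_ON) {
		*tail = transform_new(IKEV2TRANSFORM_TYPE_ESN,
				      IKEV2TRANSF_ESN_YES, 0,
				      IKEV2TRANSFORM_MORE);
		if (!*tail)
			goto fail_nomem;
		tail = &(*tail)->next;
	}
	*tail = transform_new(IKEV2TRANSFORM_TYPE_ESN,
			      IKEV2TRANSF_ESN_NO, 0,
			      IKEV2TRANSFORM_LAST);
	if (!*tail)
		goto fail_nomem;
	tail = &(*tail)->next;

	return prop_head;

fail_nomem:
	isakmp_log(0, 0, 0, 0,
		   PLOG_INTERR, PLOGLOC,
		   "memory allocation failure\n");
fail:
	if (prop_head)
		proppair_discard(prop_head);
	return 0;
}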
3238
3239 /*
3240 * Transform ID value to RCF id
3241 */
/*
 * ikeconf_find_alg - find the table row whose IKEv2 transform id is id.
 * Returns a pointer into def, or 0 when the id is not in the table.
 */
static struct algdef *
ikeconf_find_alg(unsigned int id, struct algdef *def)
{
	struct algdef *row = def;

	while (row->racoon_code != 0) {
		if (row->transform_id == id)
			return row;
		++row;
	}
	return 0;
}
3251
/*
 * ikev2_proposal_to_ipsec - turn the selected CHILD_SA proposal into SADB
 * parameters and hand them to apply_func, once per IPsec protocol.
 *
 * child_sa      child SA the proposal belongs to (seqno, selector, parent)
 * child_param   negotiated child parameters (transport vs tunnel mode)
 * proposal      chosen proposal chain; each proto's tnext list is expected
 *               to hold exactly one transform per transform type
 * apply_func    callback receiving the filled rcpfk_msg; a non-zero return
 *               aborts with -1
 * data          opaque argument passed through to apply_func
 *
 * Returns 0 on success, -1 on error: unknown ENCR/INTEGR transform id,
 * spi_size != 4, or apply_func failure.  Protocols are visited in
 * header_order (AH, then ESP) so keying material is drawn in the order the
 * headers appear in the packet.
 *
 * NOTE(review): the transform headers and attributes read below come from
 * the proposal chosen during negotiation; this routine assumes an earlier
 * parse already validated transform_length and attribute lengths — the
 * size_t arithmetic in the attribute loop has no bound check of its own
 * beyond an assert.  Confirm against the SA payload parser.
 */
int
ikev2_proposal_to_ipsec(struct ikev2_child_sa *child_sa,
			struct ikev2_child_param *child_param,
			struct prop_pair *proposal,
			int (*apply_func)(struct ikev2_child_sa *, struct rcpfk_msg *, void *),
			void *data)
{
	struct rcpfk_msg param;
	struct prop_pair *proto;
	int i;
	int err;
	/* packet-header order: keying material is consumed in this sequence */
	static int header_order[] = {
		IKEV2PROPOSAL_AH,
		IKEV2PROPOSAL_ESP
	};
	const int BITS = 8;

	/*
	 * param fields assigned here:
	 * seq, samode, (reqid,) ul_proto,
	 * spi, satype, enctype, enckey, enckeylen, authtype, authkey, authkeylen,
	 *
	 * not assigned here (apply_func need to assign them if necessary):
	 * sa_src, pref_src, sa_dst, pref_dst,
	 * so, wsize, saflags, lft_hard_time, lft_hard_bytes, lft_soft_time, lft_soft_bytes
	 */

	param.seq = child_sa->sadb_request.seqno;

	/* for X_EXT_SA2 */
	param.samode = child_param->use_transport_mode ?
	    RCT_IPSM_TRANSPORT : RCT_IPSM_TUNNEL;
	param.reqid = child_sa->selector->reqid;	/* ??? */

	param.ul_proto = child_sa->selector->upper_layer_protocol;

	/*
	 * (draft-17)
	 * If multiple IPsec protocols are negotiated, keying material is
	 * taken in the order in which the protocol headers will appear in
	 * the encapsulated packet.
	 */

	for (i = 0; (size_t)i < ARRAYLEN(header_order); ++i) {
		struct ikev2proposal *prop = 0;
		struct prop_pair *t;

		/* find the proposal for the protocol */
		for (proto = proposal; proto; proto = proto->next) {
			prop = (struct ikev2proposal *)proto->prop;
			if (prop->protocol_id == header_order[i])
				break;
		}
		if (!proto)
			continue;	/* this protocol was not negotiated */

		assert(prop != 0);
		if (prop->spi_size != sizeof(uint32_t)) {
			/* shouldn't happen */
			isakmp_log(child_sa->parent, 0, 0, 0,
				   PLOG_INTERR, PLOGLOC,
				   "shouldn't happen (spi_size != 4)\n");
			goto fail;
		}

		/* SPI follows the proposal header; read as-is.  NOTE(review):
		 * this is a direct uint32_t load from the payload buffer, so it
		 * relies on the buffer being suitably aligned — a byte-wise
		 * accessor (as put_uint32() is used on the build side) would
		 * avoid that assumption. */
		param.spi = *(uint32_t *)(prop + 1);
		/* reset per protocol so a missing transform leaves a known value */
		param.enctype = 0;
		param.authtype = RCT_ALG_NON_AUTH;
		param.enckeylen = param.authkeylen = 0;
		param.enckey = param.authkey = 0;

		switch (prop->protocol_id) {
		case IKEV2PROPOSAL_ESP:
			param.satype = RCT_SATYPE_ESP;
			break;
		case IKEV2PROPOSAL_AH:
			param.satype = RCT_SATYPE_AH;
			break;
		default:
			/* unexpected: unreachable, proto was matched against header_order */
			isakmp_log(child_sa->parent, 0, 0, 0,
				   PLOG_INTERR, PLOGLOC,
				   "unexpected prop->protocol_id (%d)\n",
				   prop->protocol_id);
			break;
		}

		for (t = proto->tnext; t; t = t->next) {
			struct ikev2transform *trns;
			struct isakmp_data *attr;
			size_t attr_bytes;
			size_t alen;
			uint16_t keylen;
			struct algdef *alg;

			if (t->tnext != 0) {
				/* shouldn't happen; only one should have been singled out */
				isakmp_log(child_sa->parent, 0, 0, 0,
					   PLOG_INTERR, PLOGLOC,
					   "shouldn't happen (%p != 0)\n",
					   t->tnext);
			}
			trns = (struct ikev2transform *)t->trns;
			attr = (struct isakmp_data *)(trns + 1);

			/* scan attributes: only KEY_LENGTH (short form) is understood;
			 * attr_bytes is the attribute area after the transform header */
			keylen = 0;
			for (attr_bytes = get_uint16(&trns->transform_length) -
			     sizeof(struct ikev2transform);
			     attr_bytes > 0;
			     attr_bytes -= alen) {
				assert(attr_bytes >= sizeof(struct ikev2attrib));
				switch (get_uint16(&attr->type)) {
				case IKEV2ATTRIB_KEY_LENGTH | IKEV2ATTRIB_SHORT:
					keylen = get_uint16(&attr->lorv);
					break;
				default:
					/* shouldn't happen */
					isakmp_log(child_sa->parent, 0, 0, 0,
						   PLOG_INTERR, PLOGLOC,
						   "unexpected attr type (%d)\n",
						   get_uint16(&attr->type));
					break;
				}
				alen = ISAKMP_ATTRIBUTE_TOTALLENGTH(attr);
				attr = ISAKMP_NEXT_ATTRIB(attr);
			}

			/* convert transform type */
			switch (trns->transform_type) {
			case IKEV2TRANSFORM_TYPE_ENCR:
				alg = ikeconf_find_alg(get_uint16(&trns->transform_id),
						       &ikev2_transf_encr[0]);
				if (!alg)
					goto fail;	/* unknown cipher: no log, caller sees -1 */
				param.enctype = alg->racoon_code;
				if (IS_PROTO_VARIABLE_KEYLEN(*alg)) {
					/* key length comes from the attribute, in bits */
					if (keylen == 0)
						isakmp_log(child_sa->parent, 0,
							   0, 0, PLOG_INTWARN,
							   PLOGLOC,
							   "keylen == 0 for variable key-length cipher (%s)\n",
							   rct2str(alg->racoon_code));
					if (keylen % BITS != 0)
						isakmp_log(child_sa->parent, 0,
							   0, 0, PLOG_INTWARN,
							   PLOGLOC,
							   "keylen %d is not multiple of 8\n",
							   keylen);
					param.enckeylen = keylen / BITS;
				} else {
					/* fixed-length cipher: table value wins, attribute only warned */
					if (keylen > 0)
						isakmp_log(child_sa->parent, 0,
							   0, 0, PLOG_INTWARN,
							   PLOGLOC,
							   "keylen (%d) specified to fixed-length key cipher (%s)\n",
							   keylen,
							   rct2str(alg->racoon_code));
					param.enckeylen = KEYLEN(*alg);
				}

				/* AES-CTR requires extra bytes */
				param.enckeylen += alg->nonce_len;
				break;

			case IKEV2TRANSFORM_TYPE_INTEGR:
				alg = ikeconf_find_alg(get_uint16
						       (&trns->transform_id),
						       &ikev2_transf_integr[0]);
				if (!alg)
					goto fail;	/* unknown MAC: no log, caller sees -1 */
				/* so far, no variable-key-length algorithm is defined */
				if (keylen > 0) {
					isakmp_log(child_sa->parent, 0, 0, 0,
						   PLOG_INTWARN, PLOGLOC,
						   "keylen (%d) specified to fixed-length key MAC (%s)\n",
						   keylen,
						   rct2str(alg->racoon_code));
				}
				param.authtype = alg->racoon_code;
				param.authkeylen = alg->keylen;
				break;
			case IKEV2TRANSFORM_TYPE_DH:
				break;	/* PFS group is handled by the key exchange, not the SADB */
			case IKEV2TRANSFORM_TYPE_ESN:
#ifdef notyet
				/* *esn = get_uint16(&trns->transform_id); */
#else
				/* ESN_YES is only logged: the SA is still installed
				 * without ESN, so the peer's expectation and the local
				 * SA would disagree */
				if (get_uint16(&trns->transform_id) != IKEV2TRANSF_ESN_NO) {
					isakmp_log(child_sa->parent, 0, 0, 0,
						   PLOG_PROTOERR, PLOGLOC,
						   "negotiated Extended Sequence Number is YES, but it is unsupported\n");
				}
#endif
				break;
			default:
				/* unsupported */
				isakmp_log(child_sa->parent, 0, 0, 0,
					   PLOG_INTWARN, PLOGLOC,
					   "unexpected transform type (%d)\n",
					   trns->transform_type);
				break;
			}
		}

		/* then apply the function */
		if ((err = apply_func(child_sa, &param, data)) != 0) {
			isakmp_log(child_sa->parent, 0, 0, 0,
				   PLOG_INTERR, PLOGLOC,
				   "sadb error (%d)\n", err);
			goto fail;
		}
	}
	return 0;

fail:
	return -1;
}
3470
3471 /*
3472 * Check Configuration consistency
3473 */
3474 #ifdef IKEV1
/*
 * oakley_encdef_doi_keylen - IKEv1 key length check for a config cipher.
 *
 * The AES128/192/256_CBC config codes imply their key length in bits, so
 * the caller's keylen is replaced for them; every other code passes keylen
 * through.  The result is whatever alg_oakley_encdef_keylen() returns for
 * the DOI value of type and that length.
 */
static int
oakley_encdef_doi_keylen(rc_type type, int keylen)
{
	int bits = keylen;

	if (type == RCT_ALG_AES128_CBC)
		bits = 128;
	else if (type == RCT_ALG_AES192_CBC)
		bits = 192;
	else if (type == RCT_ALG_AES256_CBC)
		bits = 256;

	return alg_oakley_encdef_keylen(alg_oakley_encdef_doi(type), bits);
}
3496 #endif
3497
3498 #ifdef IKEV1
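/*
 * Validate the ikev1 clause of one remote section.
 *
 * rmconf:            remote section to check; its ikev1 member may be NULL
 * err, warn:         problem counters, incremented once per finding and
 *                    never reset here
 * is_default_clause: non-zero for the "default" section, for which only
 *                    the algorithm lists are checked
 *
 * Each finding is also logged through plog(); the caller decides what to
 * do with the counters.
 */
static void
ike_conf_check_ikev1(struct rcf_remote *rmconf, int *err, int *warn,
    int is_default_clause)
{
	struct rcf_kmp *kmp;
	char *rm_index = NULL;	/* private copy of the section name, freed at done: */
	const char *label;	/* name shown in diagnostics; never NULL */

	/*
	 * Keep a private copy of the section name so that label stays valid
	 * however rc_vmem2str() manages its returned buffer.  Both
	 * rc_vmem2str() and strdup() can fail; fall back to a fixed string
	 * rather than handing NULL to a "%s" conversion.
	 */
	if (is_default_clause) {
		label = "(default)";
	} else {
		const char *name = rc_vmem2str(rmconf->rm_index);

		if (name)
			rm_index = strdup(name);
		label = rm_index ? rm_index : "(unknown)";
	}

	kmp = rmconf->ikev1;

	if (is_default_clause) {
		/* The default section is free to omit the ikev1 clause. */
		if (!kmp)
			goto done;
	} else {
		struct rc_alglist *kmp_auth_method;
		rc_type exm;

		if (!kmp) {
			/* A missing clause is only an error if ikev1 is allowed. */
			if (ike_acceptable_kmp(rmconf) & RCF_ALLOW_IKEV1) {
				++*err;
				plog(PLOG_INTERR, PLOGLOC, 0,
				    "remote %s ikev1 is in acceptable_kmp but there's no ikev1 definition\n",
				    label);
			}
			goto done;
		}

		if (!kmp->peers_ipaddr || !kmp->peers_ipaddr->a.ipaddr) {
			++*err;
			plog(PLOG_INTERR, PLOGLOC, 0,
			    "remote %s ikev1 lacks peers_ipaddr\n", label);
		}

		/* Only main mode is implemented; aggressive and base are not. */
		exm = ikev1_exchange_mode(rmconf);
		switch (exm) {
		case RCT_EXM_MAIN:
			break;
		case RCT_EXM_AGG:
		case RCT_EXM_BASE:
		default:
			++*err;
			plog(PLOG_INTERR, PLOGLOC, 0,
			    "remote %s ikev1 exchange_mode %s not supported\n",
			    label, rct2str(exm));
			break;
		}

		IKEV1_CONF(kmp_auth_method, rmconf, kmp_auth_method, 0);
		if (!kmp_auth_method) {
			++*err;
			plog(PLOG_INTERR, PLOGLOC, 0,
			    "remote %s lacks kmp_auth_method\n", label);
		} else {
			/*
			 * The checks below dereference the list head, so they
			 * are skipped entirely when the list is missing.
			 */
			if (kmp_auth_method->next) {
				++*warn;
				plog(PLOG_INTWARN, PLOGLOC, 0,
				    "remote %s ikev1 kmp_auth_method has multiple entries, only the first one is used.\n",
				    label);
			}

			/*
			 * In main mode the pre-shared key has to be selected by
			 * the peer's address before its ID payload is readable,
			 * so any other peers_id type cannot work.
			 */
			if (exm == RCT_EXM_MAIN
			    && kmp_auth_method->algtype == RCT_ALG_PSK) {
				struct rc_idlist *id;

				for (id = kmp->peers_id; id; id = id->next) {
					if (id->idtype != RCT_IDT_IPADDR) {
						++*err;
						plog(PLOG_INTERR, PLOGLOC, 0,
						    "remote %s ikev1 peers_id must"
						    " be type ipaddr when using"
						    " exchange_mode main and"
						    " kmp_auth_method psk\n",
						    label);
					}
				}
			}
		}
	}

	/* Fields the ikev1 implementation does not honor: warn, do not fail. */
#define UNSUPPORTED(x) do { \
	if (kmp->x) { \
		++*warn; \
		plog(PLOG_INTWARN, PLOGLOC, 0, \
		    "remote %s ikev1 %s configuration field support is unimplemented, ignored\n", \
		    label, #x); \
	} \
} while (0)

	UNSUPPORTED(selector_check);
	UNSUPPORTED(random_padlen);
	UNSUPPORTED(max_padlen);
	UNSUPPORTED(max_retry_to_send);
	UNSUPPORTED(kmp_sa_nego_time_limit);
	UNSUPPORTED(peers_kmp_port);
#ifndef HAVE_GSSAPI
	UNSUPPORTED(my_gssapi_id);
#endif

#undef UNSUPPORTED

	/*
	 * kmp_enc_alg is required; each entry must map to an Oakley DOI id
	 * and, for that id, a legal key length.
	 */
	if (!ikev1_kmp_enc_alg(rmconf)) {
		++*err;
		plog(PLOG_INTERR, PLOGLOC, 0,
		    "remote %s ikev1 section lacks kmp_enc_alg\n", label);
	} else {
		struct rc_alglist *enc;

		for (enc = ikev1_kmp_enc_alg(rmconf); enc; enc = enc->next) {
			if (alg_oakley_encdef_doi(enc->algtype) == -1) {
				++*err;
				plog(PLOG_INTERR, PLOGLOC, 0,
				    "remote %s ikev1 section, kmp_enc_alg %s is not supported\n",
				    label, rct2str(enc->algtype));
			} else if (oakley_encdef_doi_keylen(enc->algtype,
			    enc->keylen) == -1) {
				++*err;
				plog(PLOG_INTERR, PLOGLOC, 0,
				    "remote %s ikev1 section, kmp_enc_alg %s keylen %d is not supported\n",
				    label, rct2str(enc->algtype), enc->keylen);
			}
		}
	}

	/* kmp_hash_alg is required and each entry needs an Oakley DOI id. */
	if (!ikev1_kmp_hash_alg(rmconf)) {
		++*err;
		plog(PLOG_INTERR, PLOGLOC, 0,
		    "remote %s ikev1 section lacks kmp_hash_alg\n", label);
	} else {
		struct rc_alglist *hash;

		for (hash = ikev1_kmp_hash_alg(rmconf); hash; hash = hash->next) {
			if (alg_oakley_hashdef_doi(hash->algtype) == -1) {
				++*err;
				plog(PLOG_INTERR, PLOGLOC, 0,
				    "remote %s ikev1 section, kmp_hash_alg %s is not supported\n",
				    label, rct2str(hash->algtype));
			}
		}
	}

	/* IKEv1 derives its PRF from the hash algorithm; a PRF list is noise. */
	if (kmp->kmp_prf_alg) {
		++*warn;
		plog(PLOG_INTWARN, PLOGLOC, 0,
		    "remote %s ikev1 section, kmp_prf_alg is not used for ikev1, ignored\n",
		    label);
	}

	/* kmp_dh_group is required and each entry needs an Oakley DOI id. */
	if (!ikev1_kmp_dh_group(rmconf)) {
		++*err;
		plog(PLOG_INTERR, PLOGLOC, 0,
		    "remote %s ikev1 section lacks kmp_dh_group\n", label);
	} else {
		struct rc_alglist *dh;

		for (dh = ikev1_kmp_dh_group(rmconf); dh; dh = dh->next) {
			if (alg_oakley_dhdef_doi(dh->algtype) == -1) {
				++*err;
				plog(PLOG_INTERR, PLOGLOC, 0,
				    "remote %s ikev1 section, kmp_dh_group %s is not supported\n",
				    label, rct2str(dh->algtype));
			}
		}
	}

done:
	free(rm_index);
}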
3674 #endif
3675
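/*
 * Check the file named by an ikev2 pre_shared_key setting.
 *
 * label:          section name used in diagnostics
 * pre_shared_key: the configured path (non-NULL)
 * err:            error counter, incremented once per finding
 *
 * The path is run through rc_safefile(); 0 is fine, -1 means the file
 * could not be accessed, any other value is a safety-check failure that
 * rc_safefile_strerror() can describe.
 */
static void
ike_conf_check_ikev2_psk_file(const char *label, rc_vchar_t *pre_shared_key,
    int *err)
{
	const char *path;
	int errcode;

	path = rc_vmem2str(pre_shared_key);
	if (!path) {
		plog(PLOG_INTERR, PLOGLOC, 0, "failed allocating memory\n");
		++*err;
		return;
	}

	/* NOTE(review): the second argument to rc_safefile() is passed as 1
	 * here; confirm its meaning against safefile.h. */
	errcode = rc_safefile(path, 1);
	switch (errcode) {
	case 0:
		break;
	case -1:
		++*err;
		plog(PLOG_INTERR, PLOGLOC, 0,
		    "remote %s ikev2 section, failed accessing pre_shared_key file %s\n",
		    label, path);
		break;
	default:
		++*err;
		plog(PLOG_INTERR, PLOGLOC, 0,
		    "remote %s ikev2 section, pre_shared_key file %s is not safe, code %d: %s\n",
		    label, path, errcode, rc_safefile_strerror(errcode));
		break;
	}
}

/*
 * Validate the ikev2 clause of one remote section.
 *
 * rmconf:            remote section to check; its ikev2 member may be NULL
 * err, warn:         problem counters, incremented once per finding and
 *                    never reset here
 * is_default_clause: non-zero for the "default" section, for which the
 *                    identity/authentication checks are skipped
 *
 * Each finding is also logged through plog(); the caller decides what to
 * do with the counters.
 */
static void
ike_conf_check_ikev2(struct rcf_remote *rmconf, int *err, int *warn,
    int is_default_clause)
{
	struct rc_alglist *alg;
	struct rcf_kmp *kmp;
	char *rm_index = NULL;	/* private copy of the section name, freed at done: */
	const char *label;	/* name shown in diagnostics; never NULL */

	/*
	 * rc_vmem2str() is called again below (for the pre_shared_key path),
	 * so keep a private copy of the section name.  Both rc_vmem2str()
	 * and strdup() can fail; fall back to a fixed string rather than
	 * handing NULL to a "%s" conversion.
	 */
	if (is_default_clause) {
		label = "(default)";
	} else {
		const char *name = rc_vmem2str(rmconf->rm_index);

		if (name)
			rm_index = strdup(name);
		label = rm_index ? rm_index : "(unknown)";
	}

	kmp = rmconf->ikev2;
	if (is_default_clause) {
		/* The default section is free to omit the ikev2 clause. */
		if (!kmp)
			goto done;
	} else {
		struct rc_idlist *my_id;
		struct rc_alglist *kmp_auth_method;

		if (!kmp) {
			/* A missing clause is only an error if ikev2 is allowed. */
			if (ike_acceptable_kmp(rmconf) & RCF_ALLOW_IKEV2) {
				++*err;
				plog(PLOG_INTERR, PLOGLOC, 0,
				    "remote %s ikev2 is in acceptable_kmp but there's no ikev2 definition\n",
				    label);
			}
			goto done;
		}

		IKEV2_CONF(my_id, rmconf, my_id, 0);
		if (!my_id) {
			++*err;
			plog(PLOG_INTERR, PLOGLOC, 0,
			    "remote %s ikev2 section lacks my_id\n", label);
		}

		IKEV2_CONF(kmp_auth_method, rmconf, kmp_auth_method, 0);
		if (!kmp_auth_method) {
			++*err;
			plog(PLOG_INTERR, PLOGLOC, 0,
			    "remote %s ikev2 section lacks auth_method\n",
			    label);
		}

		/*
		 * Every listed authentication method needs its credential:
		 * a readable, safe pre_shared_key file for PSK, a
		 * peers_public_key for the signature methods.
		 */
		for (alg = kmp_auth_method; alg; alg = alg->next) {
			rc_vchar_t *pre_shared_key;
			struct rc_pklist *peers_pubkey;

			switch (alg->algtype) {
			case RCT_ALG_PSK:
				IKEV2_CONF(pre_shared_key, rmconf, pre_shared_key, 0);
				if (!pre_shared_key) {
					++*err;
					plog(PLOG_INTERR, PLOGLOC, 0,
					    "remote %s ikev2 section specifies auth_method psk, but pre_shared_key is not specified\n",
					    label);
				} else {
					ike_conf_check_ikev2_psk_file(label,
					    pre_shared_key, err);
				}
				break;
			case RCT_ALG_RSASIG:
			case RCT_ALG_DSS:
				IKEV2_CONF(peers_pubkey, rmconf, peers_pubkey, 0);
				if (!peers_pubkey) {
					++*err;
					plog(PLOG_INTERR, PLOGLOC, 0,
					    "remote %s ikev2 section specifies public key authentication, but peers_public_key is not specified\n",
					    label);
				}
				break;
			default:
				++*err;
				plog(PLOG_INTERR, PLOGLOC, 0,
				    "remote %s ikev2 section specifies unsupported kmp_auth_method (%s)\n",
				    label, rct2str(alg->algtype));
				break;
			}
		}
	}

	/* Fields the ikev2 implementation does not honor: warn, do not fail. */
#define UNSUPPORTED(x) do { \
	if (kmp->x) { \
		++*warn; \
		plog(PLOG_INTWARN, PLOGLOC, 0, \
		    "remote %s ikev2 %s configuration field support is unimplemented, ignored\n", \
		    label, #x); \
	} \
} while (0)

#define IGNORED(x) do { \
	if (kmp->x) { \
		++*warn; \
		plog(PLOG_INTWARN, PLOGLOC, 0, \
		    "remote %s ikev2 %s configuration field is ignored\n", \
		    label, #x); \
	} \
} while (0)

	UNSUPPORTED(verify_pubkey);
	UNSUPPORTED(send_cert);
	UNSUPPORTED(send_cert_req);
	UNSUPPORTED(support_proxy);
	UNSUPPORTED(proposal_check);
	UNSUPPORTED(kmp_sa_lifetime_byte);
	UNSUPPORTED(ipsec_sa_nego_time_limit);
	UNSUPPORTED(peers_kmp_port);
	IGNORED(dpd);
	IGNORED(dpd_retry);
	IGNORED(dpd_maxfails);

#undef UNSUPPORTED
#undef IGNORED

	/*
	 * The size of a Nonce MUST be between 16 and 256 octets inclusive
	 * (RFC 4306 section 3.9).  0 means "not configured" and is accepted.
	 */
	if (kmp->nonce_size != 0
	    && (kmp->nonce_size < IKEV2_NONCE_SIZE_MIN ||
	    kmp->nonce_size > IKEV2_NONCE_SIZE_MAX)) {
		++*err;
		plog(PLOG_INTERR, PLOGLOC, 0,
		    "remote %s ikev2 nonce size (%d) is out of spec\n",
		    label, kmp->nonce_size);
	}

	/*
	 * Algorithm lists: each entry must be in the corresponding IKEv2
	 * transform table with a key length that table accepts.  A key string
	 * in a list is never used and only draws a warning.
	 */
	for (alg = kmp->kmp_enc_alg; alg; alg = alg->next) {
		if (!is_alg_supported(alg->algtype, alg->keylen, &ikev2_transf_encr[0])) {
			++*err;
			if (alg->keylen) {
				plog(PLOG_INTERR, PLOGLOC, 0,
				    "remote %s ikev2 section, kmp_enc_alg %s keylen %d unsupported\n",
				    label, rct2str(alg->algtype), alg->keylen);
			} else if (is_alg_variable_keylen(alg->algtype, &ikev2_transf_encr[0])) {
				plog(PLOG_INTERR, PLOGLOC, 0,
				    "remote %s ikev2 section, kmp_enc_alg %s need key length value\n",
				    label, rct2str(alg->algtype));
			} else {
				plog(PLOG_INTERR, PLOGLOC, 0,
				    "remote %s ikev2 section, kmp_enc_alg %s unsupported\n",
				    label, rct2str(alg->algtype));
			}
		}
		if (alg->key) {
			++*warn;
			plog(PLOG_INTWARN, PLOGLOC, 0,
			    "remote %s ikev2 section, key string specified in kmp_enc_alg list, ignored\n",
			    label);
		}
	}
	for (alg = kmp->kmp_prf_alg; alg; alg = alg->next) {
		if (!is_alg_supported(alg->algtype, alg->keylen, &ikev2_transf_prf[0])) {
			++*err;
			if (alg->keylen) {
				plog(PLOG_INTERR, PLOGLOC, 0,
				    "remote %s ikev2 section, kmp_prf_alg %s keylen %d unsupported\n",
				    label, rct2str(alg->algtype), alg->keylen);
			} else if (is_alg_variable_keylen(alg->algtype, &ikev2_transf_prf[0])) {
				plog(PLOG_INTERR, PLOGLOC, 0,
				    "remote %s ikev2 section, kmp_prf_alg %s need key length value\n",
				    label, rct2str(alg->algtype));
			} else {
				plog(PLOG_INTERR, PLOGLOC, 0,
				    "remote %s ikev2 section, kmp_prf_alg %s unsupported\n",
				    label, rct2str(alg->algtype));
			}
		}
		if (alg->key) {
			++*warn;
			plog(PLOG_INTWARN, PLOGLOC, 0,
			    "remote %s ikev2 section, key string specified in kmp_prf_alg list, ignored\n",
			    label);
		}
	}
	for (alg = kmp->kmp_hash_alg; alg; alg = alg->next) {
		if (!is_alg_supported(alg->algtype, alg->keylen, &ikev2_transf_integr[0])) {
			++*err;
			if (alg->keylen) {
				plog(PLOG_INTERR, PLOGLOC, 0,
				    "remote %s ikev2 section, unsupported kmp_hash_alg %s keylen %d\n",
				    label, rct2str(alg->algtype), alg->keylen);
			} else if (is_alg_variable_keylen(alg->algtype, &ikev2_transf_integr[0])) {
				plog(PLOG_INTERR, PLOGLOC, 0,
				    "remote %s ikev2 section, kmp_hash_alg %s need key length value\n",
				    label, rct2str(alg->algtype));
			} else {
				plog(PLOG_INTERR, PLOGLOC, 0,
				    "remote %s ikev2 section, unsupported kmp_hash_alg %s\n",
				    label, rct2str(alg->algtype));
			}
		}
		if (alg->key) {
			++*warn;
			/* This loop walks kmp_hash_alg, so name that field. */
			plog(PLOG_INTWARN, PLOGLOC, 0,
			    "remote %s ikev2 section, key string specified for kmp_hash_alg list, ignored\n",
			    label);
		}
	}
	/* DH groups have neither a key length nor a key string. */
	for (alg = kmp->kmp_dh_group; alg; alg = alg->next) {
		if (!is_alg_supported(alg->algtype, 0, &ikev2_transf_dh[0])) {
			++*err;
			plog(PLOG_INTERR, PLOGLOC, 0,
			    "remote %s ikev2 section, kmp_dh_group %s unsupported\n",
			    label, rct2str(alg->algtype));
		}
		if (alg->keylen) {
			++*warn;
			plog(PLOG_INTWARN, PLOGLOC, 0,
			    "remote %s ikev2 section, key length specified for kmp_dh_group list, ignored\n",
			    label);
		}
		if (alg->key) {
			++*warn;
			plog(PLOG_INTWARN, PLOGLOC, 0,
			    "remote %s ikev2 section, key string specified for kmp_dh_group list, ignored\n",
			    label);
		}
	}

done:
	free(rm_index);
}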
3927
/*
 * Check one remote section: the ikev1 clause (or, in a build without
 * IKEv1, the absence of any IKEv1 configuration) and then the ikev2 clause.
 * err/warn are the shared finding counters; is_default_clause is passed
 * through to the per-version checks.
 */
static void
ike_conf_check_remote(struct rcf_remote *r, int *err, int *warn,
    int is_default_clause)
{
#ifdef IKEV1
	ike_conf_check_ikev1(r, err, warn, is_default_clause);
#else
	/* No IKEv1 support compiled in: any IKEv1 configuration is an error. */
	if ((ike_acceptable_kmp(r) & RCF_ALLOW_IKEV1) || r->ikev1) {
		++*err;
		plog(PLOG_INTERR, PLOGLOC, 0, "iked does not support IKEv1\n");
	}
#endif
	ike_conf_check_ikev2(r, err, warn, is_default_clause);
}
3945
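/*
 * Validate one my_sa_ipaddr / peers_sa_ipaddr list of a policy.
 *
 * addr:      the list (NULL means the field is unset and nothing is checked)
 * field:     field name for diagnostics
 * pl_index:  policy name for diagnostics (never NULL)
 * err, warn: finding counters
 *
 * The first entry must be a literal address or a macro.  Further entries
 * are only warned about, since endpoint selection
 * (ike_determine_sa_endpoint) uses just the first one.
 */
static void
ike_conf_check_sa_ipaddr(struct rc_addrlist *addr, const char *field,
    const char *pl_index, int *err, int *warn)
{
	if (!addr)
		return;

	switch (addr->type) {
	case RCT_ADDR_INET:
	case RCT_ADDR_MACRO:
		break;
	default:
		++*err;
		plog(PLOG_INTERR, PLOGLOC, 0,
		    "unsupported type of address (%s) in %s of policy %s\n",
		    rct2str(addr->type), field, pl_index);
		break;
	}
	if (addr->next) {
		++*warn;
		plog(PLOG_INTWARN, PLOGLOC, 0,
		    "multiple addresses in %s of policy %s\n",
		    field, pl_index);
	}
}

/*
 * Validate one policy section: both SA endpoint address lists.
 *
 * policy:            section to check
 * err, warn:         finding counters
 * is_default_clause: non-zero for the "default" section
 */
static void
ike_conf_check_policy(struct rcf_policy *policy, int *err, int *warn,
    int is_default_clause)
{
	const char *pl_index;

	if (is_default_clause)
		pl_index = "(default)";
	else
		pl_index = rc_vmem2str(policy->pl_index);
	/* rc_vmem2str() can fail; never hand NULL to a "%s" conversion. */
	if (!pl_index)
		pl_index = "(unknown)";

	ike_conf_check_sa_ipaddr(policy->peers_sa_ipaddr, "peers_sa_ipaddr",
	    pl_index, err, warn);
	ike_conf_check_sa_ipaddr(policy->my_sa_ipaddr, "my_sa_ipaddr",
	    pl_index, err, warn);
}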
4000
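/*
 * Warn that an algorithm list is set in an sa section but is meaningless
 * for that section's protocol.  Counts as a warning, never an error.
 */
static void
ike_conf_sa_warn_ignored(const char *sa_index, const char *field, int *warn)
{
	++*warn;
	plog(PLOG_INTWARN, PLOGLOC, 0,
	    "sa %s specifies %s, ignored\n", sa_index, field);
}

/*
 * Validate one sa section.
 *
 * sa:                section to check; NULL is accepted and ignored
 * err, warn:         finding counters, incremented once per finding
 * is_default_clause: non-zero for the "default" section, for which the
 *                    protocol/algorithm-list cross checks are skipped
 *
 * After the per-protocol checks, every listed enc_alg and auth_alg is
 * checked against rcpfk_supported_enc()/rcpfk_supported_auth(), i.e.
 * against what the kernel supports.
 */
static void
ike_conf_check_sa(struct rcf_sa *sa, int *err, int *warn, int is_default_clause)
{
	struct rc_alglist *alg;
	const char *sa_index;

	if (!sa)
		return;

	if (is_default_clause)
		sa_index = "(default)";
	else
		sa_index = rc_vmem2str(sa->sa_index);
	/* rc_vmem2str() can fail; never hand NULL to a "%s" conversion. */
	if (!sa_index)
		sa_index = "(unknown)";

	if (!is_default_clause) {
		rc_type sa_protocol;
		struct rc_alglist *enc_alg;
		struct rc_alglist *auth_alg;
		struct rc_alglist *comp_alg;

		/*
		 * SA_CONF() yields the effective value of each field
		 * (presumably falling back to the default section when this
		 * one leaves it unset -- confirm against its definition).
		 * "Missing" checks use the effective value; "specified but
		 * ignored" warnings look only at what this section itself
		 * sets (sa->...).
		 */
		SA_CONF(sa_protocol, sa, sa_protocol, 0);
		SA_CONF(enc_alg, sa, enc_alg, 0);
		SA_CONF(auth_alg, sa, auth_alg, 0);
		SA_CONF(comp_alg, sa, comp_alg, 0);

		switch (sa_protocol) {
		case 0:
			++*err;
			plog(PLOG_INTERR, PLOGLOC, 0,
			    "sa %s does not have sa_protocol field\n",
			    sa_index);
			break;
		case RCT_SATYPE_ESP:
			if (!enc_alg) {
				++*err;
				plog(PLOG_INTERR, PLOGLOC, 0,
				    "sa %s is ESP but enc_alg is not specified\n",
				    sa_index);
			}
			if (!auth_alg) {
				++*err;
				plog(PLOG_INTERR, PLOGLOC, 0,
				    "sa %s does not have auth_alg list\n",
				    sa_index);
			}
			if (sa->comp_alg)
				ike_conf_sa_warn_ignored(sa_index, "comp_alg", warn);
			break;
		case RCT_SATYPE_AH:
			if (sa->enc_alg)
				ike_conf_sa_warn_ignored(sa_index, "enc_alg", warn);
			if (!auth_alg) {
				++*err;
				plog(PLOG_INTERR, PLOGLOC, 0,
				    "sa %s does not have auth_alg list\n",
				    sa_index);
			}
			if (sa->comp_alg)
				ike_conf_sa_warn_ignored(sa_index, "comp_alg", warn);
			break;
		case RCT_SATYPE_IPCOMP:
			if (!comp_alg) {
				++*err;
				plog(PLOG_INTERR, PLOGLOC, 0,
				    "sa %s does not have comp_alg list\n",
				    sa_index);
			}
			if (sa->enc_alg)
				ike_conf_sa_warn_ignored(sa_index, "enc_alg", warn);
			if (sa->auth_alg)
				ike_conf_sa_warn_ignored(sa_index, "auth_alg", warn);
			/*
			 * FALLTHROUGH: there is no break here, so an IPCOMP sa
			 * is always also reported as an unsupported protocol.
			 * NOTE(review): confirm this is intended rather than a
			 * missing break; the kernel-side comp_alg check below
			 * is still under #ifdef notyet, which suggests IPCOMP
			 * is indeed not supported.
			 */
		default:
			++*err;
			/* Report the value actually switched on, not the raw field. */
			plog(PLOG_INTERR, PLOGLOC, 0,
			    "sa %s is unsupported protocol (type %s)\n",
			    sa_index, rct2str(sa_protocol));
			break;
		}
	}
#ifdef DEBUG
	/* With PF_KEY debugging there is no kernel to ask. */
	if (debug_pfkey)
		return;
#endif

	for (alg = sa->enc_alg; alg; alg = alg->next) {
		if (!rcpfk_supported_enc(alg->algtype)) {
			++*err;
			plog(PLOG_INTERR, PLOGLOC, 0,
			    "sa %s enc_alg %s not supported by kernel\n",
			    sa_index, rct2str(alg->algtype));
		}
	}
	for (alg = sa->auth_alg; alg; alg = alg->next) {
		if (!rcpfk_supported_auth(alg->algtype)) {
			++*err;
			plog(PLOG_INTERR, PLOGLOC, 0,
			    "sa %s auth_alg %s not supported by kernel\n",
			    sa_index, rct2str(alg->algtype));
		}
	}
#ifdef notyet
	for (alg = sa->comp_alg; alg; alg = alg->next) {
		if (!rcpfk_supported_comp(alg->algtype)) {
			++*err;
			plog(PLOG_INTERR, PLOGLOC, 0,
			    "sa %s comp_alg %s not supported by kernel\n",
			    sa_index, rct2str(alg->algtype));
		}
	}
#endif
}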
4133
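/*
 * Validate one ipsec section.
 *
 * ips:               section to check; NULL is accepted and ignored
 * err, warn:         finding counters
 * is_default_clause: non-zero for the "default" section
 *
 * Only ext_sequence is examined: extended sequence numbers are not
 * implemented (the ESN transform handling in this file logs a protocol
 * error when a peer negotiates them), so enabling them draws a warning.
 */
static void
ike_conf_check_ipsec(struct rcf_ipsec *ips, int *err, int *warn,
    int is_default_clause)
{
	const char *ips_index;

	if (!ips)
		return;

	if (is_default_clause)
		ips_index = "(default)";
	else
		ips_index = rc_vmem2str(ips->ips_index);
	/* rc_vmem2str() can fail; never hand NULL to a "%s" conversion. */
	if (!ips_index)
		ips_index = "(unknown)";

	if (ips->ext_sequence == RCT_BOOL_ON) {
		++*warn;
		plog(PLOG_INTWARN, PLOGLOC, 0,
		    "ipsec %s ext_sequence is specified but it is not supported\n",
		    ips_index);
	}
}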
4155
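/*
 * Check one selector together with the policy, ipsec and sa sections
 * hanging off it.
 *
 * selector:  the selector to check
 * err, warn: finding counters
 *
 * Returns non-zero when the selector is of no interest to iked (its
 * policy has an action other than auto_ipsec) and the caller should unlink
 * and free it; returns zero when it stays in the list, including when a
 * problem was counted.
 */
static int
ike_conf_check_selector(struct rcf_selector *selector, int *err, int *warn)
{
	struct rcf_policy *policy;
	struct rcf_ipsec *ipsec;
	rc_type action;

#ifdef notyet
	for each addr {
		if (type != RCT_ADDR_INET)
			unsupported;
	}
#endif

#ifdef notyet
	if (s->addrpool && ipsec_mode == transport) {
		++*err;
		plog(PLOG_INTERR, PLOGLOC, 0,
		    "selector %s address pool is for tunnel mode only\n",
		    rc_vmem2str(selector->sl_index));
	}
#endif

	/* check policy section */
	policy = selector->pl;
	if (!policy) {
		++*err;
		plog(PLOG_INTERR, PLOGLOC, 0,
		    "selector %s lacks policy_index\n",
		    rc_vmem2str(selector->sl_index));
		return 0;
	}

	/* An unset action falls back to the default section's value. */
	action = policy->action;
	if (!action)
		POLICY_DEFAULT(action, action, 0);
	switch (action) {
	case 0:
		++*err;
		plog(PLOG_INTERR, PLOGLOC, 0,
		    "policy %s lacks action field\n",
		    rc_vmem2str(policy->pl_index));
		return 0;
	case RCT_ACT_AUTO_IPSEC:
		break;
	default:
		/* Not something iked negotiates: ask the caller to drop it. */
		TRACE((PLOGLOC, "skipping selector %s\n",
		    rc_vmem2str(selector->sl_index)));
		return 1;
	}
	/* policy->ipsec_level: iked does not care */

	ike_conf_check_policy(policy, err, warn, FALSE);

	/* check ipsec section */
	for (ipsec = policy->ips; ipsec; ipsec = ipsec->next) {
		ike_conf_check_ipsec(ipsec, err, warn, FALSE);
		ike_conf_check_sa(ipsec->sa_ah, err, warn, FALSE);
		ike_conf_check_sa(ipsec->sa_esp, err, warn, FALSE);
		ike_conf_check_sa(ipsec->sa_ipcomp, err, warn, FALSE);
	}
	return 0;
}

/*
 * Walk the whole parsed configuration once and report every inconsistency
 * iked cares about: the default section, every remote section, and every
 * selector with its policy/ipsec/sa sections.  Selectors whose policy
 * action is not auto_ipsec are unlinked from rcf_selector_head and freed
 * as a side effect.
 *
 * Returns 0 when no error was found (warnings alone are only logged) and
 * -1 when at least one error was found.
 */
int
ike_conf_check_consistency(void)
{
	int error = 0;
	int warn = 0;
	struct rcf_remote *r;
	struct rcf_selector **prevselp, *selector;
	extern struct rcf_default *rcf_default_head;
	extern struct rcf_remote *rcf_remote_head;
	extern struct rcf_selector *rcf_selector_head;

	TRACE((PLOGLOC, "checking configuration\n"));

	if (rcf_default_head) {
		if (rcf_default_head->remote)
			ike_conf_check_remote(rcf_default_head->remote, &error,
			    &warn, TRUE);
		if (rcf_default_head->policy)
			ike_conf_check_policy(rcf_default_head->policy, &error,
			    &warn, TRUE);
		if (rcf_default_head->ipsec)
			ike_conf_check_ipsec(rcf_default_head->ipsec, &error,
			    &warn, TRUE);
		if (rcf_default_head->sa)
			ike_conf_check_sa(rcf_default_head->sa, &error, &warn,
			    TRUE);
	}

	for (r = rcf_remote_head; r; r = r->next) {
		assert(r->rm_index);
		ike_conf_check_remote(r, &error, &warn, FALSE);
	}

	/*
	 * check selector section
	 *
	 * A selector that is to be dropped is unlinked in place and prevselp
	 * is left on the same link, so the element that moved into its slot
	 * is examined next instead of being skipped.
	 */
	prevselp = &rcf_selector_head;
	while ((selector = *prevselp) != NULL) {
		if (ike_conf_check_selector(selector, &error, &warn)) {
			*prevselp = selector->next;
			rcf_free_selector(selector);
		} else {
			prevselp = &selector->next;
		}
	}

	if (error > 0) {
		plog(PLOG_INTERR, PLOGLOC, 0,
		    "configuration errors: %d, warnings: %d\n", error, warn);
		return -1;
	}
	if (warn > 0) {
		plog(PLOG_INTWARN, PLOGLOC, 0,
		    "configuration errors: %d, warnings: %d\n", error, warn);
	}
	return 0;
}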
4268
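/*
 * Pick the address to use as an SA endpoint.
 *
 * ss:            caller-provided storage that receives the configured
 *                address when one is used; the returned pointer then
 *                aliases it
 * config_ipaddr: the my_sa_ipaddr / peers_sa_ipaddr list from the policy,
 *                or NULL; only its first entry is consulted
 * actual_addr:   the address actually seen on the wire; it supplies the
 *                port and is returned unchanged when the configuration
 *                gives no address to override it with
 *
 * Returns the chosen address, or NULL after logging when the configured
 * address cannot be used (unsupported type, macro expansion failure or
 * empty expansion, set_port() failure).
 */
struct sockaddr *
ike_determine_sa_endpoint(struct sockaddr_storage *ss,
    struct rc_addrlist *config_ipaddr, struct sockaddr *actual_addr)
{
	struct rc_addrlist *addrlist;
	struct sockaddr *addr;

	if (!config_ipaddr)
		return actual_addr;

	switch (config_ipaddr->type) {
	case RCT_ADDR_INET:
		memcpy(ss, config_ipaddr->a.ipaddr,
		    SOCKADDR_LEN(config_ipaddr->a.ipaddr));
		break;

	case RCT_ADDR_MACRO:
		/* Presumably a "read-write" macro stands for whatever address
		 * is observed, so the configured value adds nothing. */
		if (rcs_is_addr_rw(config_ipaddr))
			return actual_addr;

		if (rcs_getaddrlistbymacro(config_ipaddr->a.vstr,
		    &addrlist) != 0) {
			plog(PLOG_INTERR, PLOGLOC, 0,
			    "macro %.*s expansion failure\n",
			    (int)config_ipaddr->a.vstr->l,
			    config_ipaddr->a.vstr->v);
			return NULL;
		}
		/*
		 * Whether a successful expansion can yield an empty list is
		 * not visible here; guard rather than dereference NULL.
		 */
		if (!addrlist) {
			plog(PLOG_INTERR, PLOGLOC, 0,
			    "macro %.*s expands to no address\n",
			    (int)config_ipaddr->a.vstr->l,
			    config_ipaddr->a.vstr->v);
			return NULL;
		}
		if (addrlist->next)
			plog(PLOG_INTWARN, PLOGLOC, 0,
			    "macro expands to multiple addresses, "
			    "only the first one is used.\n");

		memcpy(ss, addrlist->a.ipaddr,
		    SOCKADDR_LEN(addrlist->a.ipaddr));
		rcs_free_addrlist(addrlist);
		break;

	default:
		plog(PLOG_INTERR, PLOGLOC, 0,
		    "my_sa_ipaddr or peers_sa_ipaddr is "
		    "unsupported address type (type %s)\n",
		    rct2str(config_ipaddr->type));
		return NULL;
	}

	/* Both usable cases end here: configured address, observed port. */
	addr = (struct sockaddr *)ss;
	if (!set_port(addr, extract_port(actual_addr))) {
		plog(PLOG_INTERR, PLOGLOC, 0, "set_port failed\n");
		return NULL;
	}
	return addr;
}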