Current snapshot of OpenSolaris port.
Checkpoint
Checkpoint
Merge from parent.
Merge with WIDE update.
Pull from WIDE.
Pull from WIDE.
Checkpoint
Re-update.
blah
WIDE update
Update from WIDE.
--- old/iked/ike_conf.c
+++ new/iked/ike_conf.c
1 1 /* $Id: ike_conf.c,v 1.161 2009/03/23 06:47:40 fukumoto Exp $ */
2 2
3 3 /*
4 4 * Copyright (C) 2004 WIDE Project.
5 5 * All rights reserved.
6 6 *
7 7 * Redistribution and use in source and binary forms, with or without
8 8 * modification, are permitted provided that the following conditions
9 9 * are met:
10 10 * 1. Redistributions of source code must retain the above copyright
11 11 * notice, this list of conditions and the following disclaimer.
12 12 * 2. Redistributions in binary form must reproduce the above copyright
13 13 * notice, this list of conditions and the following disclaimer in the
14 14 * documentation and/or other materials provided with the distribution.
15 15 * 3. Neither the name of the project nor the names of its contributors
16 16 * may be used to endorse or promote products derived from this software
17 17 * without specific prior written permission.
18 18 *
19 19 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
20 20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 22 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
23 23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 29 * SUCH DAMAGE.
30 30 */
31 31
32 32 #include <config.h>
33 33
34 34 #include <stddef.h>
35 35 #include <stdlib.h>
36 36 #include <errno.h>
37 37 #include <limits.h>
38 38 #include <string.h>
39 39 #include <sys/types.h>
40 40 #include <sys/socket.h>
41 41 #include <netdb.h>
42 42 #include <netinet/in.h>
43 43 #include <assert.h>
44 44
45 45 #include "racoon.h"
46 46 #include "safefile.h"
47 47
48 48 #include "var.h"
49 49 #include "sockmisc.h"
50 50 #include "isakmp_impl.h"
51 51 #ifdef IKEV1
52 52 # include "ikev1_impl.h"
53 53 #endif
54 54 #include "ikev2_impl.h"
55 55 #include "dhgroup.h"
56 56 #include "ike_conf.h"
57 57 #ifdef IKEV1
58 58 # include "ikev1/algorithm.h"
59 59 # include "ikev1/ikev1_natt.h"
60 60 # include "ikev1/ipsec_doi.h"
61 61 #endif
62 62
63 63 #include "crypto_impl.h" /* for eay_get_x509() and such */
64 64
65 65 #include "plog.h"
66 66 #include "debug.h"
67 67 #ifdef DEBUG
68 68 # include <stdio.h>
69 69 #endif
70 70
71 71 static struct prop_pair *ikev2_ipsec_sa_to_proplist(struct ikev2_child_sa *,
72 72 int, struct rcf_sa *, int,
73 73 int, rc_type);
74 74 #ifdef IKEV1
75 75 static rc_type ikev1_id_to_rc(unsigned int);
76 76 #endif
77 77 static rc_type ikev2_id_to_rc(unsigned int);
78 78
79 79 char *script_names[SCRIPT_NUM] = {
80 80 "phase1_up", "phase1_down", "phase2_up", "phase2_down",
81 81 "phase1_rekey", "phase2_rekey", "migration"
82 82 };
83 83
84 84 /*
85 85 * default values handling for struct rcf_remote
86 86 */
87 87 #ifdef IKEV1
88 88 struct rcf_kmp ikev1_default_values = {
89 89 RCT_KMP_IKEV1, /* kmp_proto */
90 90 NULL, /* plog */
91 91 RCT_BOOL_OFF, /* passive */
92 92 RCT_BOOL_OFF, /* use_coa */
93 93 NULL, /* peers_ipaddr */
94 94 NULL, /* my_id */
95 95 NULL, /* peers_id */
96 96 NULL, /* my_pubkey */
97 97 NULL, /* peers_pubkey */
98 98 NULL, /* pre_shared_key */
99 99 RCT_BOOL_OFF, /* verify_id */
100 100 RCT_BOOL_ON, /* verify_pubkey */
101 101 RCT_BOOL_ON, /* send_cert */
102 102 RCT_BOOL_ON, /* send_cert_req */
103 103 IKEV1_DEFAULT_NONCE_SIZE, /* nonce_size */
104 104 RCT_BOOL_ON, /* initial_contact */
105 105 RCT_BOOL_OFF, /* support_proxy */
106 106 0, /* selector_check */
107 107 RCT_PCT_STRICT, /* proposal_check */
108 108 RCT_BOOL_ON, /* random_pad_content */
109 109 RCT_BOOL_OFF, /* random_padlen */
110 110 0, /* max_padlen */
111 111 IKEV1_DEFAULT_RETRY, /* max_retry_to_send */
112 112 IKEV1_DEFAULT_INTERVAL_TO_SEND, /* interval_to_send */
113 113 1, /* times_per_send */
114 114 IKEV1_DEFAULT_LIFETIME_TIME, /* kmp_sa_lifetime_time */
115 115 IKEV1_DEFAULT_LIFETIME_BYTE, /* kmp_sa_lifetime_byte */
116 116 IKEV1_DEFAULT_NEGOTIATION_TIMEOUT, /* kmp_sa_nego_time_limit */
117 117 0, /* kmp_sa_grace_period */
118 118 IKEV1_DEFAULT_NEGOTIATION_TIMEOUT, /* ipsec_sa_nego_time_limit */
119 119 NULL, /* kmp_enc_alg */
120 120 NULL, /* kmp_hash_alg */
121 121 NULL, /* kmp_prf_alg */
122 122 NULL, /* kmp_dh_group */
123 123 NULL, /* kmp_auth_method */
124 124 0, /* peers_kmp_port */
125 125 RCT_EXM_MAIN, /* exchange_mode */
126 126 NULL, /* my_gssapi_id */
127 127 RCT_BOOL_OFF, /* cookie_required */
128 128 RCT_BOOL_OFF, /* send_peers_id */
129 129 RCT_BOOL_OFF, /* need_pfs */
130 130 RCT_BOOL_ON, /* nat_traversal */
131 131 IKEV1_DEFAULT_NATK_INTERVAL, /* natk_interval */
132 132 NULL, /* my_principal */
133 133 NULL, /* peers_principal */
134 134 0, /* mobility_role */
135 135 NULL, /* addresspool */
136 136 0, /* config_request */
137 137 NULL, /* cfg_dns */
138 138 NULL, /* cfg_dhcp */
139 139 NULL, /* application_version */
140 140 NULL, /* mip6_home_prefix */
141 141 RCT_BOOL_ON, /* dpd */
142 142 0, /* dpd_interval */
143 143 5, /* dpd_retry */
144 144 5 /* dpd_maxfails */
145 145 };
146 146 #endif
147 147
148 148 struct rcf_kmp ikev2_default_values = {
149 149 RCT_KMP_IKEV2, /* kmp_proto */
150 150 NULL, /* plog */
151 151 RCT_BOOL_OFF, /* passive */
152 152 RCT_BOOL_OFF, /* use_coa */
153 153 NULL, /* peers_ipaddr */
154 154 NULL, /* my_id */
155 155 NULL, /* peers_id */
156 156 NULL, /* my_pubkey */
157 157 NULL, /* peers_pubkey */
158 158 NULL, /* pre_shared_key */
159 159 RCT_BOOL_ON, /* verify_id */
160 160 RCT_BOOL_OFF, /* verify_pubkey */
161 161 RCT_BOOL_OFF, /* send_cert */
162 162 RCT_BOOL_OFF, /* send_cert_req */
163 163 IKEV2_DEFAULT_NONCE_SIZE, /* nonce_size */
164 164 RCT_BOOL_OFF, /* initial_contact */
165 165 RCT_BOOL_OFF, /* support_proxy */
166 166 RCT_PCT_EXACT, /* selector_check */
167 167 RCT_PCT_OBEY, /* proposal_check */
168 168 RCT_BOOL_OFF, /* random_pad_content */
169 169 RCT_BOOL_OFF, /* random_padlen */
170 170 0, /* max_padlen */
171 171 IKEV2_DEFAULT_RETRY, /* max_retry_to_send */
172 172 1, /* interval_to_send */
173 173 1, /* times_per_send */
174 174 IKEV2_DEFAULT_LIFETIME_TIME, /* kmp_sa_lifetime_time */
175 175 IKEV2_DEFAULT_LIFETIME_BYTE, /* kmp_sa_lifetime_byte */
176 176 IKEV2_DEFAULT_NEGOTIATION_TIMEOUT, /* kmp_sa_nego_time_limit */
177 177 IKEV2_DEFAULT_GRACE_PERIOD, /* kmp_sa_grace_period */
178 178 IKEV2_DEFAULT_NEGOTIATION_TIMEOUT, /* ipsec_sa_nego_time_limit */
179 179 NULL, /* kmp_enc_alg */
180 180 NULL, /* kmp_hash_alg */
181 181 NULL, /* kmp_prf_alg */
182 182 NULL, /* kmp_dh_group */
183 183 NULL, /* kmp_auth_method */
184 184 0, /* peers_kmp_port */
185 185 0, /* exchange_mode */
186 186 NULL, /* my_gssapi_id */
187 187 RCT_BOOL_OFF, /* cookie_required */
188 188 RCT_BOOL_OFF, /* send_peers_id */
189 189 RCT_BOOL_OFF, /* need_pfs */
190 190 RCT_BOOL_ON, /* nat_traversal */
191 191 IKEV2_DEFAULT_NATK_INTERVAL, /* natk_interval */
192 192 NULL, /* my_principal */
193 193 NULL, /* peers_principal */
194 194 0, /* mobility_role */
195 195 NULL, /* addresspool */
196 196 0, /* config_request */
197 197 NULL, /* cfg_dns */
198 198 NULL, /* cfg_dhcp */
199 199 NULL, /* application_version */
200 200 NULL, /* mip6_home_prefix */
201 201 RCT_BOOL_ON, /* dpd */
202 202 IKEV2_DEFAULT_POLLING_INTERVAL, /* dpd_interval */
203 203 0, /* dpd_retry */
204 204 0 /* dpd_maxfails */
205 205 };
206 206
207 207 #ifdef IKEV1
208 208 struct rcf_kmp *
209 209 ikev1_default(void)
210 210 {
211 211 extern struct rcf_default *rcf_default_head;
212 212
213 213 if (rcf_default_head &&
214 214 rcf_default_head->remote &&
215 215 rcf_default_head->remote->ikev1)
216 216 return rcf_default_head->remote->ikev1;
217 217 else
218 218 return 0;
219 219 }
220 220
221 221 #define IKEV1_CONF_ATTR(type_, field_) \
222 222 type_ \
223 223 ikev1_ ## field_(struct rcf_remote *conf) \
224 224 { \
225 225 type_ retval; \
226 226 IKEV1_CONF(retval, conf, field_, ikev1_default_values.field_); \
227 227 return retval; \
228 228 }
229 229
230 230 IKEV1_CONF_ATTR(struct rc_log *, plog)
231 231 IKEV1_CONF_ATTR(rc_type, passive)
232 232 IKEV1_CONF_ATTR(struct rc_idlist *, my_id)
233 233 IKEV1_CONF_ATTR(struct rc_idlist *, peers_id)
234 234 IKEV1_CONF_ATTR(struct rc_pklist *, my_pubkey)
235 235 IKEV1_CONF_ATTR(struct rc_pklist *, peers_pubkey)
236 236 IKEV1_CONF_ATTR(rc_type, verify_id)
237 237 IKEV1_CONF_ATTR(rc_type, verify_pubkey)
238 238 IKEV1_CONF_ATTR(rc_type, send_cert)
239 239 IKEV1_CONF_ATTR(rc_type, send_cert_req)
240 240 IKEV1_CONF_ATTR(int, nonce_size)
241 241 IKEV1_CONF_ATTR(rc_type, support_proxy)
242 242 IKEV1_CONF_ATTR(rc_type, nat_traversal)
243 243 IKEV1_CONF_ATTR(rc_type, selector_check)
244 244 IKEV1_CONF_ATTR(rc_type, proposal_check)
245 245 IKEV1_CONF_ATTR(rc_type, random_pad_content)
246 246 IKEV1_CONF_ATTR(rc_type, random_padlen)
247 247 IKEV1_CONF_ATTR(int, max_padlen)
248 248 IKEV1_CONF_ATTR(int, max_retry_to_send)
249 249 IKEV1_CONF_ATTR(int, interval_to_send)
250 250 IKEV1_CONF_ATTR(int, times_per_send)
251 251 IKEV1_CONF_ATTR(int, kmp_sa_lifetime_time)
252 252 IKEV1_CONF_ATTR(int, kmp_sa_lifetime_byte)
253 253 IKEV1_CONF_ATTR(int, kmp_sa_nego_time_limit)
254 254 IKEV1_CONF_ATTR(int, kmp_sa_grace_period)
255 255 IKEV1_CONF_ATTR(int, ipsec_sa_nego_time_limit)
256 256 IKEV1_CONF_ATTR(struct rc_alglist *, kmp_enc_alg)
257 257 IKEV1_CONF_ATTR(struct rc_alglist *, kmp_hash_alg)
258 258 IKEV1_CONF_ATTR(struct rc_alglist *, kmp_dh_group)
259 259 IKEV1_CONF_ATTR(struct rc_alglist *, kmp_auth_method)
260 260 IKEV1_CONF_ATTR(int, peers_kmp_port)
261 261 IKEV1_CONF_ATTR(rc_type, exchange_mode)
262 262 IKEV1_CONF_ATTR(rc_vchar_t *, my_gssapi_id)
263 263 IKEV1_CONF_ATTR(rc_type, cookie_required)
264 264 IKEV1_CONF_ATTR(rc_type, need_pfs)
265 265 IKEV1_CONF_ATTR(rc_type, dpd)
266 266 IKEV1_CONF_ATTR(int, dpd_interval)
267 267 IKEV1_CONF_ATTR(int, dpd_retry)
268 268 IKEV1_CONF_ATTR(int, dpd_maxfails)
269 269
270 270
271 271 int
272 272 ikev1_conf_exmode_to_isakmp(struct rcf_remote *conf)
273 273 {
274 274 rc_type code;
275 275
276 276 code = ikev1_exchange_mode(conf);
277 277 switch (code) {
278 278 case RCT_EXM_MAIN:
279 279 return ISAKMP_ETYPE_IDENT;
280 280 case RCT_EXM_AGG:
281 281 return ISAKMP_ETYPE_AGG;
282 282 case RCT_EXM_BASE:
283 283 return ISAKMP_ETYPE_BASE;
284 284 default:
285 285 return 0; /* ??? */
286 286 }
287 287 }
288 288
289 289 /*
290 290 * reads pre_shared_key from file
291 291 */
292 292 rc_vchar_t *
293 293 ikev1_pre_shared_key(struct rcf_remote *rmconf)
294 294 {
295 295 const char *path = 0;
296 296 rc_vchar_t *retbuf = 0;
297 297
298 298 if (rmconf &&
299 299 rmconf->ikev1 &&
300 300 rmconf->ikev1->pre_shared_key)
301 301 path = rc_vmem2str(rmconf->ikev1->pre_shared_key);
302 302 /* else if default? */
303 303
304 304 if (!path)
305 305 return 0;
306 306
307 307 retbuf = rcf_readfile(path, PLOGLOC, 1);
308 308
309 309 return retbuf;
310 310 }
311 311
312 312
313 313 const char *
314 314 ikev1_mycertfile(struct rcf_remote *rmconf)
315 315 {
316 316 struct rc_pklist *p;
317 317
318 318 IKEV1_CONF(p, rmconf, my_pubkey, 0);
319 319 if (!p)
320 320 return 0;
321 321 if (!p->pubkey) /* unexpected */
322 322 return 0;
323 323
324 324 return rc_vmem2str(p->pubkey);
325 325 }
326 326
327 327
328 328 const char *
329 329 ikev1_myprivfile(struct rcf_remote *rmconf)
330 330 {
331 331 struct rc_pklist *p;
332 332
333 333 IKEV1_CONF(p, rmconf, my_pubkey, 0);
334 334 if (!p)
335 335 return 0;
336 336 if (!p->privkey) /* unexpected */
337 337 return 0;
338 338 return rc_vmem2str(p->privkey);
339 339 }
340 340
341 341
342 342 const char *
343 343 ikev1_peerscertfile(struct rcf_remote *rmconf)
344 344 {
345 345 struct rc_pklist *p;
346 346
347 347 IKEV1_CONF(p, rmconf, peers_pubkey, 0);
348 348 if (!p)
349 349 return 0;
350 350 if (!p->pubkey) /* unexpected */
351 351 return 0;
352 352
353 353 return rc_vmem2str(p->pubkey);
354 354 }
355 355
356 356
357 357 const char *
358 358 ikev1_script(struct rcf_remote *rmconf, int script)
359 359 {
360 360 char *s;
361 361 struct rcf_kmp *def;
362 362
363 363 if (rmconf &&
364 364 rmconf->ikev1 &&
365 365 rmconf->ikev1->script[script]) {
366 366 s = rmconf->ikev1->script[script];
367 367 } else {
368 368 def = ikev1_default();
369 369 if (!def)
370 370 return NULL;
371 371 s = def->script[script];
372 372 }
373 373 return s;
374 374 }
375 375 #endif /* IKEV1 */
376 376
377 377 struct rcf_kmp *
378 378 ikev2_default(void)
379 379 {
380 380 extern struct rcf_default *rcf_default_head;
381 381
382 382 if (rcf_default_head &&
383 383 rcf_default_head->remote &&
384 384 rcf_default_head->remote->ikev2)
385 385 return rcf_default_head->remote->ikev2;
386 386 else
387 387 return 0;
388 388 }
389 389
390 390 #define IKEV2_CONF_ATTR(type_, field_) \
391 391 type_ \
392 392 ikev2_ ## field_(struct rcf_remote *conf) \
393 393 { \
394 394 type_ retval; \
395 395 IKEV2_CONF(retval, conf, field_, ikev2_default_values.field_); \
396 396 return retval; \
397 397 }
398 398
399 399 IKEV2_CONF_ATTR(struct rc_log *, plog)
400 400 IKEV2_CONF_ATTR(rc_type, passive)
401 401 IKEV2_CONF_ATTR(struct rc_idlist *, my_id)
402 402 IKEV2_CONF_ATTR(struct rc_idlist *, peers_id)
403 403 IKEV2_CONF_ATTR(struct rc_pklist *, my_pubkey)
404 404 IKEV2_CONF_ATTR(struct rc_pklist *, peers_pubkey)
405 405 IKEV2_CONF_ATTR(rc_type, verify_id)
406 406 IKEV2_CONF_ATTR(int, nonce_size)
407 407 IKEV2_CONF_ATTR(rc_type, selector_check)
408 408 IKEV2_CONF_ATTR(rc_type, random_pad_content)
409 409 IKEV2_CONF_ATTR(rc_type, random_padlen)
410 410 IKEV2_CONF_ATTR(int, max_padlen)
411 411 IKEV2_CONF_ATTR(int, max_retry_to_send)
412 412 IKEV2_CONF_ATTR(int, interval_to_send)
413 413 IKEV2_CONF_ATTR(int, times_per_send)
414 414 IKEV2_CONF_ATTR(int, kmp_sa_lifetime_time)
415 415 IKEV2_CONF_ATTR(int, kmp_sa_lifetime_byte)
416 416 IKEV2_CONF_ATTR(int, kmp_sa_nego_time_limit)
417 417 IKEV2_CONF_ATTR(int, kmp_sa_grace_period)
418 418 IKEV2_CONF_ATTR(int, ipsec_sa_nego_time_limit)
419 419 IKEV2_CONF_ATTR(struct rc_alglist *, kmp_enc_alg)
420 420 IKEV2_CONF_ATTR(struct rc_alglist *, kmp_hash_alg)
421 421 IKEV2_CONF_ATTR(struct rc_alglist *, kmp_prf_alg)
422 422 IKEV2_CONF_ATTR(struct rc_alglist *, kmp_dh_group)
423 423 IKEV2_CONF_ATTR(struct rc_alglist *, kmp_auth_method)
424 424 IKEV2_CONF_ATTR(int, peers_kmp_port)
425 425 IKEV2_CONF_ATTR(rc_type, cookie_required)
426 426 IKEV2_CONF_ATTR(rc_type, send_peers_id)
427 427 IKEV2_CONF_ATTR(rc_type, nat_traversal)
428 428 IKEV2_CONF_ATTR(int, natk_interval)
429 429 IKEV2_CONF_ATTR(rc_type, need_pfs)
430 430 IKEV2_CONF_ATTR(rc_vchar_t *, application_version)
431 431 IKEV2_CONF_ATTR(int, dpd_interval)
432 432
433 433 rc_type ikev2_config_required(struct rcf_remote *conf)
434 434 {
435 435 return RCT_BOOL_OFF;
436 436 }
437 437
438 438 int
439 439 rcf_get_addresspool(rc_vchar_t *name, struct rcf_addresspool **pool)
440 440 {
441 441 int retval = -1;
442 442 struct rcf_addresspool *p;
443 443 extern struct rcf_addresspool *rcf_addresspool_head;
444 444
445 445 for (p = rcf_addresspool_head; p; p = p->next) {
446 446 if (rc_vmemcmp(p->index, name) == 0) {
447 447 *pool = p;
448 448 retval = 0;
449 449 break;
450 450 }
451 451 }
452 452 return retval;
453 453 }
454 454
455 455 struct rcf_addresspool *
456 456 ikev2_addresspool(struct rcf_remote *conf)
457 457 {
458 458 rc_vchar_t *pool_name;
459 459 struct rcf_addresspool *pool;
460 460
461 461 IKEV2_CONF(pool_name, conf, addresspool, NULL);
462 462 if (!pool_name)
463 463 return 0;
464 464
465 465 if (rcf_get_addresspool(pool_name, &pool) == 0)
466 466 return pool;
467 467 return 0;
468 468 }
469 469
470 470 #define IKEV2_CFG(fname, bit) \
471 471 rc_type \
472 472 fname(struct rcf_remote *conf) \
473 473 { \
474 474 int val; \
475 475 \
476 476 IKEV2_CONF(val, conf, config_request, \
477 477 ikev2_default_values.config_request); \
478 478 if (val & bit) \
479 479 return RCT_BOOL_ON; \
480 480 else \
481 481 return RCT_BOOL_OFF; \
482 482 }
483 483
484 484 IKEV2_CFG(ikev2_cfg_application_version, RCF_REQ_APPLICATION_VERSION)
485 485 IKEV2_CFG(ikev2_cfg_ip4_dns, RCF_REQ_IP4_DNS)
486 486 IKEV2_CFG(ikev2_cfg_ip6_dns, RCF_REQ_IP6_DNS)
487 487 IKEV2_CFG(ikev2_cfg_ip4_dhcp, RCF_REQ_IP4_DHCP)
488 488 IKEV2_CFG(ikev2_cfg_ip6_dhcp, RCF_REQ_IP6_DHCP)
489 489 IKEV2_CFG(ikev2_cfg_mip6prefix, RCF_REQ_MIP6_HOME_PREFIX)
490 490 IKEV2_CFG(ikev2_cfg_ip4_address, RCF_REQ_IP4_ADDRESS)
491 491 IKEV2_CFG(ikev2_cfg_ip6_address, RCF_REQ_IP6_ADDRESS)
492 492
493 493 #undef IKEV2_CFG
494 494
495 495 struct rc_addrlist *
496 496 ikev2_dns(struct rcf_remote *conf)
497 497 {
498 498 struct rc_addrlist *val;
499 499
500 500 IKEV2_CONF(val, conf, cfg_dns, ikev2_default_values.cfg_dns);
501 501 return val;
502 502 }
503 503
504 504 struct rc_addrlist *
505 505 ikev2_dhcp(struct rcf_remote *conf)
506 506 {
507 507 struct rc_addrlist *val;
508 508
509 509 IKEV2_CONF(val, conf, cfg_dhcp, ikev2_default_values.cfg_dhcp);
510 510 return val;
511 511 }
512 512
513 513 struct rc_addrlist *
514 514 ikev2_mip6_home_prefix(struct rcf_remote *conf)
515 515 {
516 516 struct rc_addrlist *val;
517 517
518 518 IKEV2_CONF(val, conf, cfg_mip6prefix, ikev2_default_values.cfg_mip6prefix);
519 519 return val;
520 520 }
521 521
522 522 int
523 523 ike_max_ip4_alloc(struct rcf_remote *conf)
524 524 {
525 525 /* stub */
526 526 return 0;
527 527 }
528 528
529 529 int
530 530 ike_max_ip6_alloc(struct rcf_remote *conf)
531 531 {
532 532 /* stub */
533 533 return 0;
534 534 }
535 535
536 536 const char *
537 537 ikev2_script(struct rcf_remote *rmconf, int script)
538 538 {
539 539 char *s;
540 540 struct rcf_kmp *def;
541 541
542 542 if (rmconf &&
543 543 rmconf->ikev2 &&
544 544 rmconf->ikev2->script[script]) {
545 545 s = rmconf->ikev2->script[script];
546 546 } else {
547 547 def = ikev2_default();
548 548 if (!def)
549 549 return NULL;
550 550 s = def->script[script];
551 551 }
552 552 return s;
553 553 }
554 554
555 555 /*
556 556 * default values for struct rcf_sa
557 557 */
558 558 struct rcf_sa *
559 559 sa_default(void)
560 560 {
561 561 extern struct rcf_default *rcf_default_head;
562 562 if (rcf_default_head &&
563 563 rcf_default_head->sa)
564 564 return rcf_default_head->sa;
565 565 else
566 566 return 0;
567 567 }
568 568
569 569 /*
570 570 * default values for struct rcf_ipsec
571 571 */
572 572 struct rcf_ipsec *
573 573 ipsec_default(void)
574 574 {
575 575 extern struct rcf_default *rcf_default_head;
576 576 if (rcf_default_head &&
577 577 rcf_default_head->ipsec)
578 578 return rcf_default_head->ipsec;
579 579 else
580 580 return 0;
581 581 }
582 582
583 583 /*
584 584 * default values for struct rcf_policy
585 585 */
586 586 struct rcf_policy *
587 587 policy_default(void)
588 588 {
589 589 extern struct rcf_default *rcf_default_head;
590 590 if (rcf_default_head &&
591 591 rcf_default_head->policy)
592 592 return rcf_default_head->policy;
593 593 else
594 594 return 0;
595 595 }
596 596
597 597 rc_type
598 598 ike_ipsec_mode(struct rcf_policy *pl)
599 599 {
600 600 rc_type retval;
601 601
602 602 if (pl && pl->ipsec_mode) /* XXX */
603 603 return pl->ipsec_mode;
604 604
605 605 POLICY_DEFAULT(retval, ipsec_mode, RCT_IPSM_TUNNEL);
606 606 return retval;
607 607 }
608 608
609 609 uint
610 610 ike_acceptable_kmp(struct rcf_remote *conf)
611 611 {
612 612 extern struct rcf_default *rcf_default_head;
613 613
614 614 if (conf && conf->acceptable_kmp)
615 615 return conf->acceptable_kmp;
616 616
617 617 if (rcf_default_head
618 618 && rcf_default_head->remote
619 619 && rcf_default_head->remote->acceptable_kmp)
620 620 return rcf_default_head->remote->acceptable_kmp;
621 621
622 622 return 0;
623 623 }
624 624
625 625 rc_type
626 626 ike_initiate_kmp(struct rcf_remote *remote)
627 627 {
628 628 extern struct rcf_default *rcf_default_head;
629 629
630 630 if (remote && remote->initiate_kmp) /* XXX */
631 631 return remote->initiate_kmp;
632 632
633 633 if (rcf_default_head &&
634 634 rcf_default_head->remote &&
635 635 rcf_default_head->remote->initiate_kmp) /* XXX */
636 636 return rcf_default_head->remote->initiate_kmp;
637 637
638 638 return RCT_KMP_IKEV2;
639 639 }
640 640
641 641 #ifdef HAVE_SIGNING_C
642 642 #if 0
643 643 /*
644 644 *
645 645 */
646 646 rc_vchar_t *
647 647 asn1_sprint(uint8_t *id, size_t id_len)
648 648 {
649 649 size_t len;
650 650 rc_vchar_t *buf;
651 651 BIO *bio;
652 652
653 653 bio = BIO_new(BIO_mem_s());
654 654 ASN1_item_print(bio,, 0, id);
655 655 len = BIO_get_mem_data(bio, &ptr);
656 656 buf = rbuf_getvb(len);
657 657 if (!buf)
658 658 return 0;
659 659 memcpy(buf->v, ptr, len);
660 660 return buf;
661 661 }
662 662 #endif
663 663
664 664 /*
665 665 * find matching pubkey with id_data
666 666 */
667 667 /*ARGSUSED*/
668 668 rc_vchar_t *
669 669 ikev2_public_key(struct ikev2_sa *ike_sa, rc_vchar_t *id_data,
670 670 struct timeval *due_time)
671 671 {
672 672 struct rc_pklist *pk;
673 673 rc_vchar_t *cert = 0;
674 674 rc_vchar_t *pubkey = 0;
675 675 int err;
676 676
677 677 /* TRACE((PLOGLOC, "looking for public key for id %s\n", asn1_sprint(id, id_len))); */
678 678 #if 0
679 679 struct rc_idlist *id;
680 680 struct ikev2payl_ident_h *idh;
681 681 rc_vchar_t *peer_id = 0;
682 682 rc_type peer_id_type;
683 683
684 684 idh = (struct ikev2payl_ident_h *)id_data->v;
685 685 peer_id = rc_vnew((uint8_t *)(idh + 1), id_data->l - sizeof(*idh));
686 686 if (!peer_id)
687 687 goto fail_nomem;
688 688 peer_id_type = ikev2_id_to_rc(idh->id_type);
689 689 for (id = ike_sa->rmconf->ikev2->peers_id; id; id = id->next) {
690 690 if (ike_compare_id(peer_id_type, peer_id, id) == 0)
691 691 goto found;
692 692 }
693 693 plog(PLOG_PROTOERR, PLOGLOC, 0,
694 694 "peer ID does not match config\n");
695 695 goto done;
696 696
697 697 found:
698 698 #endif
699 699 for (pk = ike_sa->rmconf->ikev2->peers_pubkey; pk; pk = pk->next) {
700 700 switch (pk->ftype) {
701 701 case RCT_FTYPE_X509PEM:
702 702 cert = eay_get_x509cert(rc_vmem2str(pk->pubkey));
703 703 if (!cert) {
704 704 plog(PLOG_INTERR, PLOGLOC, 0,
705 705 "failed reading cert file (%s)\n",
706 706 rc_vmem2str(pk->pubkey));
707 707 goto next_pk;
708 708 }
709 709
710 710 x509cert:
711 711 err = eay_check_x509cert(cert, NULL);
712 712 if (err) {
713 713 plog(PLOG_INTERR, PLOGLOC, 0,
714 714 "failed verifying certificate authrotiy of cert (%s)\n",
715 715 rc_vmem2str(pk->pubkey));
716 716 goto next_pk;
717 717 }
718 718 TRACE((PLOGLOC, "using %s\n", rc_vmem2str(pk->pubkey)));
719 719 pubkey = eay_get_x509_pubkey(cert, due_time);
720 720 if (!pubkey) {
721 721 plog(PLOG_INTERR, PLOGLOC, 0,
722 722 "failed reading cert file (%s)\n",
723 723 rc_vmem2str(pk->pubkey));
724 724 goto next_pk;
725 725 }
726 726 rc_vfree(cert);
727 727 goto done;
728 728 break;
729 729 case RCT_FTYPE_PKCS12:
730 730 {
731 731 rc_vchar_t *pk12;
732 732 char *passphrase = 0; /* XXX */
733 733
734 734 pk12 = eay_get_pkcs12(rc_vmem2str(pk->pubkey));
735 735 if (pk12) {
736 736 cert = eay_get_pkcs12_x509cert(pk12,
737 737 passphrase);
738 738 rc_vfree(pk12);
739 739 if (cert)
740 740 goto x509cert;
741 741 plog(PLOG_INTERR, PLOGLOC, 0,
742 742 "failed extracting X509 cert from PKCS#12 file (%s)\n",
743 743 rc_vmem2str(pk->pubkey));
744 744 }
745 745 }
746 746 break;
747 747 case RCT_FTYPE_ASCII:
748 748 default:
749 749 plog(PLOG_INTERR, PLOGLOC, 0,
750 750 "unsupported public key type (%s)\n",
751 751 rct2str(pk->ftype));
752 752 break;
753 753 }
754 754
755 755 next_pk:
756 756 if (cert)
757 757 rc_vfree(cert);
758 758 cert = 0;
759 759 }
760 760 if (!pk) {
761 761 plog(PLOG_PROTOERR, PLOGLOC, 0, "no matching public key\n");
762 762 }
763 763 done:
764 764 #if 0
765 765 if (peer_id)
766 766 rc_vfree(peer_id);
767 767 #endif
768 768 return pubkey;
769 769
770 770 #if 0
771 771 fail_nomem:
772 772 plog(PLOG_INTERR, PLOGLOC, 0, "failed allocating memory\n");
773 773 goto done;
774 774 #endif
775 775 }
776 776
777 777 /*
778 778 * for each pubkey in my_pubkey
779 779 * find matching pubkey with id_data
780 780 * and return privkey
781 781 */
782 782 rc_vchar_t *
783 783 ikev2_private_key(struct ikev2_sa *ike_sa, rc_vchar_t *id_data)
784 784 {
785 785 struct rc_pklist *pk;
786 786 rc_vchar_t *cert;
787 787 rc_vchar_t *privkey = 0;
788 788
789 789 /* TRACE((PLOGLOC, "looking for private key for id %s\n", asn1_sprint(id, id_len))); */
790 790 for (pk = ike_sa->rmconf->ikev2->my_pubkey; pk; pk = pk->next) {
791 791 switch (pk->ftype) {
792 792 case RCT_FTYPE_X509PEM:
793 793 cert = eay_get_x509cert(rc_vmem2str(pk->pubkey));
794 794 if (!cert) {
795 795 plog(PLOG_INTERR, PLOGLOC, 0,
796 796 "failed reading pubkey (%s)\n",
797 797 rc_vmem2str(pk->pubkey));
798 798 goto done;
799 799 }
800 800 privkey = eay_get_pkcs1privkey(rc_vmem2str(pk->privkey));
801 801 if (!privkey)
802 802 isakmp_log(ike_sa, 0, 0, 0,
803 803 PLOG_INTERR, PLOGLOC,
804 804 "failed reading private key (%s)\n",
805 805 rc_vmem2str(pk->privkey));
806 806 rc_vfree(cert);
807 807 goto done;
808 808 break;
809 809 case RCT_FTYPE_PKCS12:
810 810 {
811 811 rc_vchar_t *pk12;
812 812 char *passphrase = 0; /* XXX */
813 813
814 814 pk12 = eay_get_pkcs12(rc_vmem2str(pk->pubkey));
815 815 if (pk12) {
816 816 cert = eay_get_pkcs12_x509cert(pk12,
817 817 passphrase);
818 818 if (!cert) {
819 819 rc_vfree(pk12);
820 820 continue;
821 821 }
822 822 privkey = eay_get_pkcs12_privkey(pk12,
823 823 passphrase);
824 824 rc_vfree(cert);
825 825 rc_vfree(pk12);
826 826 if (!privkey) {
827 827 plog(PLOG_INTERR, PLOGLOC, 0,
828 828 "failed extracting private key from PKCS#12 file (%s)\n",
829 829 rc_vmem2str(pk->pubkey));
830 830 continue;
831 831 }
832 832 goto done;
833 833 }
834 834 }
835 835 break;
836 836 case RCT_FTYPE_ASCII:
837 837 default:
838 838 plog(PLOG_INTERR, PLOGLOC, 0,
839 839 "unsupported public key type (%s)\n",
840 840 rct2str(pk->ftype));
841 841 break;
842 842 }
843 843 }
844 844 done:
845 845 return privkey;
846 846 }
847 847 #endif
848 848
849 849 /*
850 850 * reads pre_shared_key from file
851 851 */
852 852 rc_vchar_t *
853 853 ikev2_pre_shared_key(struct ikev2_sa *ike_sa)
854 854 {
855 855 const char *path = 0;
856 856 rc_vchar_t *retbuf = 0;
857 857
858 858 if (ike_sa->rmconf &&
859 859 ike_sa->rmconf->ikev2 &&
860 860 ike_sa->rmconf->ikev2->pre_shared_key)
861 861 path = rc_vmem2str(ike_sa->rmconf->ikev2->pre_shared_key);
862 862 /* else if default? */
863 863
864 864 if (!path)
865 865 return 0;
866 866
867 867 retbuf = rcf_readfile(path, PLOGLOC, 1);
868 868
869 869 return retbuf;
870 870 }
871 871
872 872 /*
873 873 * find remote_info by sockaddr
874 874 */
875 875 struct rcf_remote *
876 876 ikev1_conf_find(struct sockaddr *addr)
877 877 {
878 878 struct rcf_remote *peer_conf;
879 879
880 880 if (rcf_get_remotebyaddr(addr, RCT_KMP_IKEV1, &peer_conf) != 0) {
881 881 return 0;
882 882 }
883 883 return peer_conf;
884 884 }
885 885
886 886 struct rcf_remote *
887 887 ikev2_conf_find(struct sockaddr *addr)
888 888 {
889 889 struct rcf_remote *peer_conf;
890 890
891 891 if (rcf_get_remotebyaddr(addr, RCT_KMP_IKEV2, &peer_conf) != 0) {
892 892 /* isakmp_log(0, 0, 0, 0, PLOG_PROTOERR, PLOGLOC,
893 893 "failure in finding configuration for remote host\n"); */
894 894 return 0;
895 895 }
896 896 return peer_conf;
897 897 }
898 898
899 899 #ifdef IKEV1
900 900 static rc_type
901 901 ikev1_id_to_rc(unsigned int id_type)
902 902 {
903 903 switch (id_type) {
904 904 case IPSECDOI_ID_IPV4_ADDR:
905 905 return RCT_IDT_IPADDR;
906 906 case IPSECDOI_ID_FQDN:
907 907 return RCT_IDT_FQDN;
908 908 case IPSECDOI_ID_USER_FQDN:
909 909 return RCT_IDT_USER_FQDN;
910 910 case IPSECDOI_ID_IPV6_ADDR:
911 911 return RCT_IDT_IPADDR;
912 912 case IPSECDOI_ID_KEY_ID:
913 913 return RCT_IDT_KEYID;
914 914 case IPSECDOI_ID_DER_ASN1_DN:
915 915 return RCT_IDT_X509_SUBJECT;
916 916 case IPSECDOI_ID_DER_ASN1_GN:
917 917 return 0; /* ??? */
918 918 default:
919 919 return 0; /* ??? */
920 920 }
921 921 }
922 922 #endif
923 923
924 924 static rc_type
925 925 ikev2_id_to_rc(unsigned int id_type)
926 926 {
927 927 switch (id_type) {
928 928 case IKEV2_ID_IPV4_ADDR:
929 929 return RCT_IDT_IPADDR;
930 930 case IKEV2_ID_FQDN:
931 931 return RCT_IDT_FQDN;
932 932 case IKEV2_ID_RFC822_ADDR:
933 933 return RCT_IDT_USER_FQDN;
934 934 case IKEV2_ID_IPV6_ADDR:
935 935 return RCT_IDT_IPADDR;
936 936 case IKEV2_ID_KEY_ID:
937 937 return RCT_IDT_KEYID;
938 938 case IKEV2_ID_DER_ASN1_DN:
939 939 return RCT_IDT_X509_SUBJECT;
940 940 case IKEV2_ID_DER_ASN1_GN:
941 941 return 0; /* ??? */
942 942 default:
943 943 return 0; /* ??? */
944 944 }
945 945 }
946 946
947 947 /*
948 948 * convert numeric notation of IP address into binary representation
949 949 * returns rc_vchar_t* if successful, 0 if fails
950 950 * assigns address family into *af if af is not NULL
951 951 */
952 952 rc_vchar_t *
953 953 ike_aton(rc_vchar_t *s, int *af)
954 954 {
955 955 const char *nodename;
956 956 struct addrinfo hint;
957 957 struct addrinfo *info;
958 958 struct addrinfo *p;
959 959 int err;
960 960 uint8_t *a;
961 961 size_t alen;
962 962 rc_vchar_t *data = 0;
963 963
964 964 nodename = rc_vmem2str(s); /* value in ring buf; no need to free here */
965 965 if (!nodename)
966 966 return 0;
967 967 hint.ai_flags = AI_NUMERICHOST;
968 968 hint.ai_family = PF_UNSPEC;
969 969 hint.ai_socktype = SOCK_DGRAM;
970 970 hint.ai_protocol = IPPROTO_UDP;
971 971 hint.ai_addrlen = 0;
972 972 hint.ai_canonname = 0;
973 973 hint.ai_addr = 0;
974 974 hint.ai_next = 0;
975 975 err = getaddrinfo(nodename, NULL, &hint, &info);
976 976 if (err) {
977 977 isakmp_log(0, 0, 0, 0,
978 978 PLOG_INTERR, PLOGLOC,
979 979 "getaddrinfo(%s): %s\n",
980 980 nodename, gai_strerror(err));
981 981 return 0;
982 982 } else if (info == 0) {
983 983 isakmp_log(0, 0, 0, 0,
984 984 PLOG_INTERR, PLOGLOC,
985 985 "getaddrinfo(%s) returned null list\n",
986 986 nodename);
987 987 return 0;
988 988 }
989 989 for (p = info; p; p = p->ai_next) {
990 990 if (p->ai_addr) {
991 991 switch (SOCKADDR_FAMILY(p->ai_addr)) {
992 992 case AF_INET:
993 993 a = (uint8_t *)&((struct sockaddr_in *)p->ai_addr)->sin_addr;
994 994 alen = sizeof(struct in_addr);
995 995 break;
996 996 #ifdef INET6
997 997 case AF_INET6:
998 998 a = (uint8_t *)&((struct sockaddr_in6 *)p->ai_addr)->sin6_addr;
999 999 alen = sizeof(struct in6_addr);
1000 1000 break;
1001 1001 #endif
1002 1002 default:
1003 1003 isakmp_log(0, 0, 0, 0,
1004 1004 PLOG_INTWARN, PLOGLOC,
1005 1005 "ignoring unsupported address (family %d) returned by getaddrinfo(%s)\n",
1006 1006 SOCKADDR_FAMILY(p->ai_addr),
1007 1007 nodename);
1008 1008 continue;
1009 1009 }
1010 1010 data = rc_vnew(a, alen);
1011 1011 if (!data)
1012 1012 goto fail_nomem;
1013 1013 if (af)
1014 1014 *af = SOCKADDR_FAMILY(p->ai_addr);
1015 1015 if (p->ai_next) {
1016 1016 isakmp_log(0, 0, 0, 0,
1017 1017 PLOG_INTWARN, PLOGLOC,
1018 1018 "ignoring extraneous values returned by getaddrinfo(%s)\n",
1019 1019 nodename);
1020 1020 }
1021 1021 break;
1022 1022 }
1023 1023 }
1024 1024 fail_nomem:
1025 1025 freeaddrinfo(info);
1026 1026 return data;
1027 1027 }
1028 1028
1029 1029 /*
1030 1030 * convert config identifier to IKE data
1031 1031 * (data is ID payload content, excluding ID payload header)
1032 1032 * identifier type codes are common between IKEv1 (IPSEC DOI) and IKEv2
1033 1033 */
1034 1034 rc_vchar_t *
1035 1035 ike_identifier_data(struct rc_idlist *id, int *id_type)
1036 1036 {
1037 1037 rc_vchar_t *data = 0;
1038 1038
1039 1039 if (!id)
1040 1040 return 0;
1041 1041 assert(id_type != 0);
1042 1042
1043 1043 switch (id->idtype) {
1044 1044 case RCT_IDT_IPADDR:
1045 1045 /* convert numeric address string into binary */
1046 1046 {
1047 1047 int af;
1048 1048
1049 1049 data = ike_aton(id->id, &af);
1050 1050 if (!data)
1051 1051 return 0;
1052 1052 switch (af) {
1053 1053 case AF_INET:
1054 1054 *id_type = IKEV2_ID_IPV4_ADDR;
1055 1055 break;
1056 1056 #ifdef INET6
1057 1057 case AF_INET6:
1058 1058 *id_type = IKEV2_ID_IPV6_ADDR;
1059 1059 break;
1060 1060 #endif
1061 1061 default: /* shouldn't happen: addrbuf must be 0 */
1062 1062 rc_vfree(data);
1063 1063 return 0;
1064 1064 }
1065 1065 }
1066 1066 break;
1067 1067
1068 1068 case RCT_IDT_USER_FQDN:
1069 1069 *id_type = IKEV2_ID_RFC822_ADDR;
1070 1070 data = rc_vdup(id->id);
1071 1071 break;
1072 1072 case RCT_IDT_FQDN:
1073 1073 *id_type = IKEV2_ID_FQDN;
1074 1074 data = rc_vdup(id->id);
1075 1075 break;
1076 1076
1077 1077 case RCT_IDT_KEYID:
1078 1078 *id_type = IKEV2_ID_KEY_ID;
1079 1079 if (id->idqual == RCT_IDQ_TAG)
1080 1080 data = rc_vdup(id->id);
1081 1081 else {
1082 1082 /* read file */
1083 1083 const char *filename;
1084 1084
1085 1085 filename = rc_vmem2str(id->id);
1086 1086 if (!filename) {
1087 1087 isakmp_log(0, 0, 0, 0,
1088 1088 PLOG_INTERR, PLOGLOC,
1089 1089 "failed obtaining filename string\n");
1090 1090 return 0;
1091 1091 }
1092 1092 data = rcf_readfile(filename, PLOGLOC, 0);
1093 1093 if (!data)
1094 1094 return 0; /* rcf_readfile() spits error messages */
1095 1095 }
1096 1096 break;
1097 1097
1098 1098 #ifdef HAVE_SIGNING_C
1099 1099 case RCT_IDT_X509_SUBJECT:
1100 1100 /* read cert from file and extract subjectName */
1101 1101 {
1102 1102 const char *filename;
1103 1103 int err;
1104 1104 rc_vchar_t *cert;
1105 1105
1106 1106 filename = rc_vmem2str(id->id);
1107 1107 if (!filename) {
1108 1108 isakmp_log(0, 0, 0, 0,
1109 1109 PLOG_INTERR, PLOGLOC,
1110 1110 "failed obtaining filename string\n");
1111 1111 return 0;
1112 1112 }
1113 1113 err = rc_safefile(filename, FALSE);
1114 1114 if (err == -1) {
1115 1115 isakmp_log(0, 0, 0, 0,
1116 1116 PLOG_INTERR, PLOGLOC,
1117 1117 "failed accessing file %s: %s\n",
1118 1118 filename, strerror(errno));
1119 1119 return 0;
1120 1120 } else if (err != 0) {
1121 1121 isakmp_log(0, 0, 0, 0,
1122 1122 PLOG_INTERR, PLOGLOC,
1123 1123 "file %s is not safe, code %d: %s\n",
1124 1124 filename, err,
1125 1125 rc_safefile_strerror(err));
1126 1126 return 0;
1127 1127 }
1128 1128 cert = eay_get_x509cert(filename);
1129 1129 if (!cert) {
1130 1130 isakmp_log(0, 0, 0, 0,
1131 1131 PLOG_INTERR, PLOGLOC,
1132 1132 "failed reading cert (%s)\n",
1133 1133 filename);
1134 1134 return 0;
1135 1135 }
1136 1136 data = eay_get_x509asn1subjectname(cert);
1137 1137 rc_vfree(cert);
1138 1138 if (!data) {
1139 1139 isakmp_log(0, 0, 0, 0,
1140 1140 PLOG_INTERR, PLOGLOC,
1141 1141 "failed obtaining subjectName from cert (%s)\n",
1142 1142 filename);
1143 1143 return 0;
1144 1144 }
1145 1145 *id_type = IKEV2_ID_DER_ASN1_DN;
1146 1146 }
1147 1147 break;
1148 1148 #endif
1149 1149
1150 1150 default:
1151 1151 plog(PLOG_INTERR, PLOGLOC, 0,
1152 1152 "unsupported identifier type (%s)\n", rct2str(id->idtype));
1153 1153 return 0;
1154 1154 }
1155 1155
1156 1156 return data;
1157 1157 }
1158 1158
1159 1159 /*
1160 1160 * compare id (type id_type, value id_val) with idlist entry id
1161 1161 * returns 0 if equal, non-0 otherwise
1162 1162 *
1163 1163 * rc_type id_val
1164 1164 * -------------------
1165 1165 * USER_FQDN string
1166 1166 * FQDN string
1167 1167 * IPADDR binary representation
1168 1168 * KEY_ID arbitrary octets
1169 1169 * X509_SUBJECT DER binary representation
1170 1170 */
1171 1171 int
1172 1172 ike_compare_id(rc_type rc_id_type, rc_vchar_t *id_val, struct rc_idlist *id)
1173 1173 {
1174 1174 rc_vchar_t *data;
1175 1175 int cmp;
1176 1176 int dummy;
1177 1177
1178 1178 if (rc_id_type != id->idtype)
1179 1179 return -1;
1180 1180
1181 1181 data = ike_identifier_data(id, &dummy);
1182 1182 if (!data)
1183 1183 return -1;
1184 1184
1185 1185 switch (rc_id_type) {
1186 1186 case RCT_IDT_USER_FQDN:
1187 1187 case RCT_IDT_FQDN:
1188 1188 case RCT_IDT_IPADDR:
1189 1189 case RCT_IDT_KEYID:
1190 1190 cmp = rc_vmemcmp(data, id_val);
1191 1191 rc_vfree(data);
1192 1192 return cmp;
1193 1193
1194 1194 case RCT_IDT_X509_SUBJECT:
1195 1195 #ifndef HAVE_SIGNING_C
1196 1196 return -1;
1197 1197 #else
1198 1198 cmp = eay_cmp_asn1dn(data, id_val); /* ??? can I use rc_vmemcmp()? */
1199 1199 rc_vfree(data);
1200 1200 return cmp;
1201 1201 #endif
1202 1202 break;
1203 1203
1204 1204 default:
1205 1205 return -1;
1206 1206 }
1207 1207 }
1208 1208
1209 1209 rc_vchar_t *
1210 1210 ikev1_id2rct_id(rc_vchar_t *id_p, rc_type *type)
1211 1211 {
1212 1212 #ifdef IKEV1
1213 1213 struct ipsecdoi_id_b *id_b = (struct ipsecdoi_id_b *)id_p->v;
1214 1214 rc_vchar_t *idbuf = 0;
1215 1215 int id_len;
1216 1216 rc_type rc_id_type = 0;
1217 1217
1218 1218 id_len = id_p->l - sizeof(*id_b);
1219 1219
1220 1220 switch (id_b->type) {
1221 1221 case IPSECDOI_ID_FQDN:
1222 1222 case IPSECDOI_ID_USER_FQDN:
1223 1223 case IPSECDOI_ID_KEY_ID:
1224 1224 case IPSECDOI_ID_DER_ASN1_DN:
1225 1225 case IPSECDOI_ID_IPV4_ADDR:
1226 1226 #ifdef INET6
1227 1227 case IPSECDOI_ID_IPV6_ADDR:
1228 1228 #endif
1229 1229 rc_id_type = ikev1_id_to_rc(id_b->type);
1230 1230 idbuf = rc_vnew((uint8_t *)(id_b + 1), id_len);
1231 1231 break;
1232 1232
1233 1233 case IPSECDOI_ID_DER_ASN1_GN:
1234 1234 default:
1235 1235 isakmp_log(0, 0, 0, 0,
1236 1236 PLOG_PROTOERR, PLOGLOC,
1237 1237 "peer id (type %d) is unsupported\n",
1238 1238 id_b->type);
1239 1239 *type = 0;
1240 1240 return 0;
1241 1241 }
1242 1242
1243 1243 *type = rc_id_type;
1244 1244 return idbuf;
1245 1245 #else
1246 1246 *type = 0;
1247 1247 return 0;
1248 1248 #endif
1249 1249 }
1250 1250
1251 1251 rc_vchar_t *
1252 1252 ikev2_id2rct_id(struct ikev2_payload_header *payl, rc_type *type)
1253 1253 {
1254 1254 struct ikev2payl_ident *id = (struct ikev2payl_ident *)payl;
1255 1255 rc_vchar_t *idbuf = 0;
1256 1256 int id_len;
1257 1257 rc_type rc_id_type = 0;
1258 1258
1259 1259 id_len = get_payload_length(id) - sizeof(struct ikev2payl_ident);
1260 1260
1261 1261 switch (id->id_h.id_type) {
1262 1262 case IKEV2_ID_RFC822_ADDR:
1263 1263 case IKEV2_ID_FQDN:
1264 1264 case IKEV2_ID_KEY_ID:
1265 1265 case IKEV2_ID_DER_ASN1_DN:
1266 1266 case IKEV2_ID_IPV4_ADDR:
1267 1267 #ifdef INET6
1268 1268 case IKEV2_ID_IPV6_ADDR:
1269 1269 #endif
1270 1270 rc_id_type = ikev2_id_to_rc(id->id_h.id_type);
1271 1271 idbuf = rc_vnew((uint8_t *)(id + 1), id_len);
1272 1272 break;
1273 1273
1274 1274 case IKEV2_ID_DER_ASN1_GN:
1275 1275 default:
1276 1276 isakmp_log(0, 0, 0, 0,
1277 1277 PLOG_PROTOERR, PLOGLOC,
1278 1278 "peer id (type %d) is unsupported\n",
1279 1279 id->id_h.id_type);
1280 1280 *type = 0;
1281 1281 return 0;
1282 1282 break;
1283 1283 }
1284 1284
1285 1285 *type = rc_id_type;
1286 1286 return idbuf;
1287 1287 }
1288 1288
1289 1289 void
1290 1290 ike_hexdump(char *buf, size_t bufsiz, uint8_t *data, size_t datalen)
1291 1291 {
1292 1292 char *bufptr;
1293 1293 size_t buflen;
1294 1294
1295 1295 bufptr = buf;
1296 1296 buflen = bufsiz;
1297 1297 bufptr[0] = '\0';
1298 1298 while (datalen > 0) {
1299 1299 if (buflen < 3 || (buflen <= 4 && datalen > 1)) {
1300 1300 strlcpy(bufptr, "...", buflen);
1301 1301 break;
1302 1302 }
1303 1303 snprintf(bufptr, buflen, "%02x", *data);
1304 1304 ++data;
1305 1305 --datalen;
1306 1306 buflen -= 2;
1307 1307 bufptr += 2;
1308 1308 }
1309 1309 }
1310 1310
1311 1311 const char *
1312 1312 ike_id_str(rc_type rc_id_type, rc_vchar_t *id_data)
1313 1313 {
1314 1314 switch (rc_id_type) {
1315 1315 case RCT_IDT_USER_FQDN:
1316 1316 case RCT_IDT_FQDN:
1317 1317 return rc_vmem2str(id_data);
1318 1318 break;
1319 1319
1320 1320 case RCT_IDT_IPADDR:
1321 1321 {
1322 1322 struct sockaddr_storage ss;
1323 1323
1324 1324 if (id_data->l == sizeof(struct in_addr)) {
1325 1325 memset(&ss, 0, sizeof(struct sockaddr_in));
1326 1326 SOCKADDR_FAMILY(&ss) = AF_INET;
1327 1327 SET_SOCKADDR_LEN(&ss,
1328 1328 sizeof(struct sockaddr_in));
1329 1329 memcpy(&((struct sockaddr_in *)&ss)->sin_addr,
1330 1330 id_data->v, sizeof(struct in_addr));
1331 1331 } else if (id_data->l == sizeof(struct in6_addr)) {
1332 1332 memset(&ss, 0, sizeof(struct sockaddr_in6));
1333 1333 SOCKADDR_FAMILY(&ss) = AF_INET6;
1334 1334 SET_SOCKADDR_LEN(&ss,
1335 1335 sizeof(struct sockaddr_in6));
1336 1336 memcpy(&((struct sockaddr_in6 *)&ss)->sin6_addr,
1337 1337 id_data->v, sizeof(struct in6_addr));
1338 1338 } else {
1339 1339 return "(unknown format)";
1340 1340 }
1341 1341 return rcs_sa2str_wop((struct sockaddr *)&ss);
1342 1342 }
1343 1343 break;
1344 1344
1345 1345 case RCT_IDT_KEYID:
1346 1346 case RCT_IDT_X509_SUBJECT:
1347 1347 default:
1348 1348 {
1349 1349 rc_vchar_t *lbuf;
1350 1350
1351 1351 lbuf = rbuf_getlb();
1352 1352 ike_hexdump(lbuf->v, lbuf->l, (uint8_t *)id_data->v, id_data->l);
1353 1353 return lbuf->v;
1354 1354 }
1355 1355 break;
1356 1356 }
1357 1357 }
1358 1358
1359 1359 #ifdef DEBUG
1360 1360 void
1361 1361 ikev2_id_dump(char *msg, struct ikev2_payload_header *id_p)
1362 1362 {
1363 1363 rc_type rc_id_type;
1364 1364 rc_vchar_t *idbuf;
1365 1365
1366 1366 idbuf = ikev2_id2rct_id(id_p, &rc_id_type);
1367 1367 if (rc_id_type == 0) {
1368 1368 rc_vchar_t *lbuf;
1369 1369
1370 1370 TRACE((PLOGLOC, "unknown ID type"));
1371 1371 lbuf = rbuf_getlb();
1372 1372 ike_hexdump(lbuf->v, lbuf->l,
1373 1373 (uint8_t *)(id_p + 1), get_payload_data_length(id_p));
1374 1374 TRACE((PLOGLOC, "%s\n", lbuf->v));
1375 1375 } else {
1376 1376 TRACE((PLOGLOC, "%s: %s\n",
1377 1377 msg, ike_id_str(rc_id_type, idbuf)));
1378 1378 }
1379 1379 }
1380 1380 #endif
1381 1381
1382 1382 struct rcf_remote *
1383 1383 ikev1_conf_find_by_id(rc_vchar_t *id_p)
1384 1384 {
1385 1385 rc_type rc_id_type;
1386 1386 rc_vchar_t *idbuf = 0;
1387 1387 struct rcf_remote *result = 0;
1388 1388
1389 1389 idbuf = ikev1_id2rct_id(id_p, &rc_id_type);
1390 1390 if (!rc_id_type)
1391 1391 goto end;
1392 1392
1393 1393 (void)rcf_get_remotebypeersid(rc_id_type, idbuf, RCT_KMP_IKEV1,
1394 1394 ike_compare_id, &result);
1395 1395
1396 1396 end:
1397 1397 if (idbuf)
1398 1398 rc_vfree(idbuf);
1399 1399 return result;
1400 1400 }
1401 1401
1402 1402 struct rcf_remote *
1403 1403 ikev2_conf_find_by_id(struct ikev2_payload_header *payl)
1404 1404 {
1405 1405 rc_type rc_id_type;
1406 1406 rc_vchar_t *idbuf = 0;
1407 1407 struct rcf_remote *result = 0;
1408 1408
1409 1409 idbuf = ikev2_id2rct_id(payl, &rc_id_type);
1410 1410 if (!idbuf)
1411 1411 goto end;
1412 1412
1413 1413 (void)rcf_get_remotebypeersid(rc_id_type, idbuf, RCT_KMP_IKEV2,
1414 1414 ike_compare_id, &result);
1415 1415
1416 1416 end:
1417 1417 if (idbuf)
1418 1418 rc_vfree(idbuf);
1419 1419 return result;
1420 1420 }
1421 1421
1422 1422 /*
1423 1423 * How the responder find the appropriate traffic selector
1424 1424 *
1425 1425 * Let a TS be a sequence {TSi} for i=0..N-1
1426 1426 * where TSi is a tuple of {addrrange, {proto or ANYPROTO}, portrange}
1427 1427 *
1428 1428 * requirements from the draft:
1429 1429 *
1430 1430 * 1. single range (N=1)
1431 1431 * if TS0 is acceptable
1432 1432 * then
1433 1433 * choose TS0
1434 1434 * else if policy is a subset of TS0
1435 1435 * best guess
1436 1436 * or reject with SINGLE_PAIR_REQUIRED
1437 1437 * else fail
1438 1438 *
1439 1439 * ?.
1440 1440 * if responder's policy contains multiple smaller ranges
1441 1441 * and all encompassed by TS
1442 1442 * and policy being that each of those ranges should be sent over differnt SA
1443 1443 * then
1444 1444 * best guess
1445 1445 * or reject with SINGLE_PAIR_REQUIRED
1446 1446 * else ...
1447 1447 *
1448 1448 * 2. specific+range (N>1?)
1449 1449 * if TS0 is specific and TS0 is a subset of TS1
1450 1450 * then
1451 1451 * if TS1 is acceptable
1452 1452 * then choose TS1
1453 1453 * else if TS0 is acceptable
1454 1454 * then
1455 1455 * MUST narrow to a subset that includes TS0
1456 1456 * else fail
1457 1457 * else .... {case 3}
1458 1458 *
1459 1459 * 3. generic range (N>0)
1460 1460 * choose a subset of traffic
1461 1461 * if more than one subset is acceptable but union is not
1462 1462 * then
1463 1463 * MUST accept some subset
1464 1464 * MAY include ADDITIONAL_TS_POSSIBLE
1465 1465 * else if one subset is acceptable
1466 1466 * then choose it
1467 1467 * else fail
1468 1468 */
1469 1469
1470 1470 /*
1471 1471 * strategy for racoon2:
1472 1472 *
1473 1473 * handle these cases:
1474 1474 * 1. ranges
1475 1475 * 2. specific+ranges
1476 1476 *
1477 1477 * if TS payload starts with a specific TS, and it is covered by my selector,
1478 1478 * or if TS payload does not start with a specific TS
1479 1479 * then
1480 1480 * see if one of ranges contain my selector, so that it can be narrowed
1481 1481 *
1482 1482 * the TS payload which the responder returns to initiator is always
1483 1483 * generated from configuration selector.
1484 1484 *
1485 1485 * SINGLE_PAIR_REQUIRED or ADDITIONAL_TS_POSSIBLE are never generated.
1486 1486 */
1487 1487
1488 1488 int
1489 1489 addr_prefixlen(struct rc_addrlist *addr)
1490 1490 {
1491 1491 int prefixlen;
1492 1492
1493 1493 prefixlen = addr->prefixlen;
1494 1494 return prefixlen;
1495 1495 }
1496 1496
1497 1497 static int compare_bits(uint8_t *, uint8_t *, int) GCC_ATTRIBUTE((unused));
1498 1498
1499 1499 static int
1500 1500 compare_bits(uint8_t *a, uint8_t *b, int bitlen)
1501 1501 {
1502 1502 const int CHARBITS = 8;
1503 1503
1504 1504 for (; bitlen > 0; a++, b++, bitlen -= CHARBITS) {
1505 1505 if (bitlen < CHARBITS) {
1506 1506 return ((*a ^ *b) & (-1 << (CHARBITS - bitlen))) == 0
1507 1507 ? TRUE : FALSE;
1508 1508 }
1509 1509 if ((*a ^ *b) != 0)
1510 1510 return FALSE;
1511 1511 }
1512 1512 return TRUE;
1513 1513 }
1514 1514
1515 1515 int
1516 1516 sockaddr_in_compare_with_prefix(struct sockaddr_in *addr,
1517 1517 struct sockaddr_in *netaddr,
1518 1518 int prefixlen)
1519 1519 {
1520 1520 if (prefixlen == 0)
1521 1521 return TRUE;
1522 1522 if ((ntohl(addr->sin_addr.s_addr ^ netaddr->sin_addr.s_addr)
1523 1523 & (-1 << (32 - prefixlen))) == 0)
1524 1524 return TRUE;
1525 1525 return FALSE;
1526 1526 }
1527 1527
1528 1528 #ifdef INET6
1529 1529 int
1530 1530 sockaddr_in6_compare_with_prefix(struct sockaddr_in6 *addr,
1531 1531 struct sockaddr_in6 *netaddr,
1532 1532 int prefixlen)
1533 1533 {
1534 1534 return compare_bits(&addr->sin6_addr.s6_addr[0],
1535 1535 &netaddr->sin6_addr.s6_addr[0], prefixlen);
1536 1536 }
1537 1537 #endif
1538 1538
1539 1539 int
1540 1540 sockaddr_compare_with_prefix(struct sockaddr *addr,
1541 1541 struct sockaddr *netaddr,
1542 1542 int prefixlen)
1543 1543 {
1544 1544 if (addr->sa_family != netaddr->sa_family)
1545 1545 return FALSE;
1546 1546 switch (addr->sa_family) {
1547 1547 case AF_INET:
1548 1548 return sockaddr_in_compare_with_prefix((struct sockaddr_in *)addr,
1549 1549 (struct sockaddr_in *)netaddr,
1550 1550 prefixlen);
1551 1551 break;
1552 1552 #ifdef INET6
1553 1553 case AF_INET6:
1554 1554 return sockaddr_in6_compare_with_prefix((struct sockaddr_in6 *)addr,
1555 1555 (struct sockaddr_in6 *)netaddr,
1556 1556 prefixlen);
1557 1557 break;
1558 1558 #endif
1559 1559 default:
1560 1560 isakmp_log(0, 0, 0, 0,
1561 1561 PLOG_INTERR, PLOGLOC,
1562 1562 "unsupported address family (%d)\n",
1563 1563 addr->sa_family);
1564 1564 return FALSE;
1565 1565 break;
1566 1566 }
1567 1567 }
1568 1568
1569 1569 /*
1570 1570 * returns TRUE if matches, FALSE otherwise
1571 1571 */
1572 1572 static int
1573 1573 match_addr_ipv4(struct sockaddr *addr, int prefixlen,
1574 1574 uint8_t *start_addr, uint8_t *end_addr)
1575 1575 {
1576 1576 struct sockaddr_in *sin = (struct sockaddr_in *)addr;
1577 1577 uint32_t a, s, e;
1578 1578 uint32_t bits;
1579 1579
1580 1580 if (sin->sin_family != AF_INET)
1581 1581 return FALSE;
1582 1582 a = ntohl(sin->sin_addr.s_addr);
1583 1583 s = get_uint32((uint32_t *)start_addr);
1584 1584 e = get_uint32((uint32_t *)end_addr);
1585 1585 if (prefixlen == 0)
1586 1586 bits = 0xFFFFFFFFu;
1587 1587 else
1588 1588 bits = ((uint32_t)1 << (32 - prefixlen)) - 1;
1589 1589 return (s == (a & ~bits) && (a | bits) == e);
1590 1590 }
1591 1591
1592 1592 #ifdef INET6
1593 1593 static int
1594 1594 match_addr_ipv6(struct sockaddr *addr, int prefixlen,
1595 1595 uint8_t *start_addr, uint8_t *end_addr)
1596 1596 {
1597 1597 struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)addr;
1598 1598 uint8_t *a, *s, *e;
1599 1599 int i;
1600 1600 unsigned int bits;
1601 1601 const int BITS = 8; /* CHAR_BITS; */
1602 1602
1603 1603 if (sin6->sin6_family != AF_INET6)
1604 1604 return FALSE;
1605 1605 a = (uint8_t *)&sin6->sin6_addr;
1606 1606 s = start_addr;
1607 1607 e = end_addr;
1608 1608 for (i = 0; (size_t)i < sizeof(struct in6_addr); ++i) {
1609 1609 if (prefixlen >= BITS * (i + 1)) {
1610 1610 bits = 0xFF;
1611 1611 } else if (prefixlen > BITS * i) {
1612 1612 bits = 0xFF & (-1 << (BITS * (i + 1) - prefixlen));
1613 1613 } else {
1614 1614 bits = 0;
1615 1615 }
1616 1616 if ((a[i] & bits) == s[i] && (a[i] | (~bits & 0xff)) == e[i])
1617 1617 continue;
1618 1618 return FALSE;
1619 1619 }
1620 1620 return TRUE;
1621 1621 }
1622 1622 #endif
1623 1623
1624 1624 static int addr_match(int, struct sockaddr *, int, uint8_t *, uint8_t *)
1625 1625 GCC_ATTRIBUTE((unused));
1626 1626
1627 1627 static int
1628 1628 addr_match(int type, struct sockaddr *addr, int prefixlen,
1629 1629 uint8_t *start_addr, uint8_t *end_addr)
1630 1630 {
1631 1631 switch (type) {
1632 1632 case IKEV2_TS_IPV4_ADDR_RANGE:
1633 1633 return match_addr_ipv4(addr, prefixlen, start_addr, end_addr);
1634 1634 #ifdef INET6
1635 1635 case IKEV2_TS_IPV6_ADDR_RANGE:
1636 1636 return match_addr_ipv6(addr, prefixlen, start_addr, end_addr);
1637 1637 #endif
1638 1638 default:
1639 1639 return FALSE;
1640 1640 }
1641 1641 }
1642 1642
1643 1643 static uint
1644 1644 sockaddr_port(struct sockaddr *addr)
1645 1645 {
1646 1646 switch (SOCKADDR_FAMILY(addr)) {
1647 1647 case AF_INET:
1648 1648 return ntohs(((struct sockaddr_in *)addr)->sin_port);
1649 1649 #ifdef INET6
1650 1650 case AF_INET6:
1651 1651 return ntohs(((struct sockaddr_in6 *)addr)->sin6_port);
1652 1652 #endif
1653 1653 default:
1654 1654 return -1; /* shouldn't happen */
1655 1655 }
1656 1656 }
1657 1657
1658 1658 /*
1659 1659 * returns TRUE if the traffic selector is non-ambiguous
1660 1660 */
1661 1661 static int ts_is_specific(struct ikev2_traffic_selector *ts);
1662 1662
1663 1663 static int
1664 1664 ts_is_specific(struct ikev2_traffic_selector *ts)
1665 1665 {
1666 1666 unsigned int sport, eport;
1667 1667 uint8_t *saddr, *eaddr;
1668 1668 unsigned int addrsiz;
1669 1669
1670 1670 sport = get_uint16(&ts->start_port);
1671 1671 eport = get_uint16(&ts->end_port);
1672 1672
1673 1673 switch (ts->protocol_id) {
1674 1674 case IKEV2_TS_PROTO_ANY:
1675 1675 return FALSE;
1676 1676 case IPPROTO_TCP:
1677 1677 case IPPROTO_UDP:
1678 1678 case IPPROTO_ICMP:
1679 1679 case IPPROTO_ICMPV6:
1680 1680 case IPPROTO_SCTP:
1681 1681 case IPPROTO_MH:
1682 1682 if (sport != eport)
1683 1683 return FALSE;
1684 1684 break;
1685 1685 default:
1686 1686 if (!IKEV2_TS_PORT_IS_ANY(sport, eport))
1687 1687 return FALSE; /* ??? */
1688 1688 break;
1689 1689 }
1690 1690
1691 1691 addrsiz = ikev2_ts_addr_size(ts->ts_type);
1692 1692 saddr = (uint8_t *)(ts + 1);
1693 1693 eaddr = saddr + addrsiz;
1694 1694 if (memcmp(saddr, eaddr, addrsiz) != 0)
1695 1695 return FALSE;
1696 1696
1697 1697 return TRUE;
1698 1698 }
1699 1699
1700 1700 /*
1701 1701 * returns TRUE if a TS0 is within TS1
1702 1702 */
1703 1703 static int ts_within(struct ikev2_traffic_selector *,
1704 1704 struct ikev2_traffic_selector *) GCC_ATTRIBUTE((unused));
1705 1705
1706 1706 static int
1707 1707 ts_within(struct ikev2_traffic_selector *ts0,
1708 1708 struct ikev2_traffic_selector *ts1)
1709 1709 {
1710 1710 uint16_t sport0, eport0, sport1, eport1;
1711 1711 uint8_t *saddr0, *eaddr0, *saddr1, *eaddr1;
1712 1712 unsigned int addrsiz;
1713 1713
1714 1714 if (ts0->ts_type != ts1->ts_type)
1715 1715 return FALSE;
1716 1716
1717 1717 if (ts1->protocol_id != IKEV2_TS_PROTO_ANY
1718 1718 && ts0->protocol_id != ts1->protocol_id)
1719 1719 return FALSE;
1720 1720
1721 1721 /*
1722 1722 * saddr1 <= saddr0 && eaddr0 <= eaddr1
1723 1723 */
1724 1724 addrsiz = ikev2_ts_addr_size(ts0->ts_type);
1725 1725 saddr0 = (uint8_t *)(ts0 + 1);
1726 1726 eaddr0 = saddr0 + addrsiz;
1727 1727 saddr1 = (uint8_t *)(ts1 + 1);
1728 1728 eaddr1 = saddr1 + addrsiz;
1729 1729 if (!(memcmp(saddr0, saddr1, addrsiz) >= 0
1730 1730 && memcmp(eaddr0, eaddr1, addrsiz) <= 0))
1731 1731 return FALSE;
1732 1732
1733 1733 sport0 = get_uint16(&ts0->start_port);
1734 1734 eport0 = get_uint16(&ts0->end_port);
1735 1735 sport1 = get_uint16(&ts1->start_port);
1736 1736 eport1 = get_uint16(&ts1->end_port);
1737 1737 if (!(sport0 >= sport1 && eport0 <= eport1))
1738 1738 return FALSE;
1739 1739
1740 1740 return TRUE;
1741 1741 }
1742 1742
1743 1743 /*
1744 1744 * returns TRUE if one TS range is within addr/prefix
1745 1745 */
1746 1746 static int
1747 1747 ts_is_within_addr(struct ikev2_traffic_selector *ts, int proto,
1748 1748 struct sockaddr *addr, int prefixlen)
1749 1749 {
1750 1750 uint8_t *saddr, *eaddr;
1751 1751 uint8_t *addrptr;
1752 1752 int addrsiz;
1753 1753 int i;
1754 1754 unsigned int bits;
1755 1755 unsigned int sport, eport;
1756 1756 unsigned int port;
1757 1757
1758 1758 /* ts_type / sa_family */
1759 1759 switch (ts->ts_type) {
1760 1760 case IKEV2_TS_IPV4_ADDR_RANGE:
1761 1761 if (addr->sa_family != AF_INET)
1762 1762 return FALSE;
1763 1763 break;
1764 1764 case IKEV2_TS_IPV6_ADDR_RANGE:
1765 1765 if (addr->sa_family != AF_INET6)
1766 1766 return FALSE;
1767 1767 break;
1768 1768 default:
1769 1769 return FALSE;
1770 1770 break;
1771 1771 }
1772 1772
1773 1773 /* protocol_id / proto */
1774 1774 if (!(proto == IKEV2_TS_PROTO_ANY ||
1775 1775 ts->protocol_id == proto))
1776 1776 return FALSE;
1777 1777
1778 1778 /* addr */
1779 1779 switch (addr->sa_family) {
1780 1780 case AF_INET:
1781 1781 addrptr = (uint8_t *)&((struct sockaddr_in *)addr)->sin_addr;
1782 1782 break;
1783 1783 case AF_INET6:
1784 1784 addrptr = (uint8_t *)&((struct sockaddr_in6 *)addr)->sin6_addr;
1785 1785 break;
1786 1786 default: /* shouldn't happen */
1787 1787 return FALSE;
1788 1788 break;
1789 1789 }
1790 1790 addrsiz = ikev2_ts_addr_size(ts->ts_type);
1791 1791 saddr = (uint8_t *)(ts + 1);
1792 1792 eaddr = saddr + addrsiz;
1793 1793 assert(prefixlen >= 0);
1794 1794 if (prefixlen > addrsiz * CHAR_BIT)
1795 1795 prefixlen = addrsiz * CHAR_BIT;
1796 1796 for (i = 0; i < (prefixlen + CHAR_BIT - 1) / CHAR_BIT; ++i) {
1797 1797 if (prefixlen >= CHAR_BIT * (i + 1)) {
1798 1798 bits = 0xFF;
1799 1799 } else if (prefixlen > CHAR_BIT * i) {
1800 1800 bits = 0xFF & (-1 << (CHAR_BIT * (i + 1) - prefixlen));
1801 1801 } else {
1802 1802 bits = 0;
1803 1803 }
1804 1804 if (saddr[i] >= (addrptr[i] & bits) &&
1805 1805 eaddr[i] <= (addrptr[i] | (~bits & 0xff)))
1806 1806 continue;
1807 1807 return FALSE;
1808 1808 }
1809 1809
1810 1810 /* port */
1811 1811 sport = get_uint16(&ts->start_port);
1812 1812 eport = get_uint16(&ts->end_port);
1813 1813 port = sockaddr_port(addr);
1814 1814 if (!(port == 0 ||
1815 1815 (sport == port && eport == port)))
1816 1816 return FALSE;
1817 1817
1818 1818 return TRUE;
1819 1819
1820 1820 }
1821 1821
1822 1822 /*
1823 1823 * returns TRUE if TS range contains addr/prefix
1824 1824 */
1825 1825 static int
1826 1826 ts_contains_addr(struct ikev2_traffic_selector *ts, int proto,
1827 1827 struct sockaddr *addr, int prefixlen)
1828 1828 {
1829 1829 uint8_t *saddr, *eaddr;
1830 1830 uint8_t *addrptr;
1831 1831 int addrsiz;
1832 1832 int i;
1833 1833 unsigned int bits;
1834 1834 unsigned int sport, eport;
1835 1835 unsigned int port;
1836 1836
1837 1837 /* ts_type / sa_family */
1838 1838 switch (ts->ts_type) {
1839 1839 case IKEV2_TS_IPV4_ADDR_RANGE:
1840 1840 if (addr->sa_family != AF_INET)
1841 1841 return FALSE;
1842 1842 break;
1843 1843 case IKEV2_TS_IPV6_ADDR_RANGE:
1844 1844 if (addr->sa_family != AF_INET6)
1845 1845 return FALSE;
1846 1846 break;
1847 1847 default:
1848 1848 return FALSE;
1849 1849 break;
1850 1850 }
1851 1851
1852 1852 /* protocol_id / proto */
1853 1853 if (!(ts->protocol_id == IKEV2_TS_PROTO_ANY ||
1854 1854 ts->protocol_id == proto))
1855 1855 return FALSE;
1856 1856
1857 1857 /* addr */
1858 1858 switch (addr->sa_family) {
1859 1859 case AF_INET:
1860 1860 addrptr = (uint8_t *)&((struct sockaddr_in *)addr)->sin_addr;
1861 1861 break;
1862 1862 case AF_INET6:
1863 1863 addrptr = (uint8_t *)&((struct sockaddr_in6 *)addr)->sin6_addr;
1864 1864 break;
1865 1865 default: /* shouldn't happen */
1866 1866 return FALSE;
1867 1867 break;
1868 1868 }
1869 1869 addrsiz = ikev2_ts_addr_size(ts->ts_type);
1870 1870 saddr = (uint8_t *)(ts + 1);
1871 1871 eaddr = saddr + addrsiz;
1872 1872 for (i = 0; i < (prefixlen + CHAR_BIT - 1) / CHAR_BIT; ++i) {
1873 1873 if (prefixlen >= CHAR_BIT * (i + 1)) {
1874 1874 bits = 0xFF;
1875 1875 } else if (prefixlen > CHAR_BIT * i) {
1876 1876 bits = 0xFF & (-1 << (CHAR_BIT * (i + 1) - prefixlen));
1877 1877 } else {
1878 1878 bits = 0;
1879 1879 }
1880 1880 if (saddr[i] <= (addrptr[i] & bits)
1881 1881 && eaddr[i] >= (addrptr[i] | (~bits & 0xff)))
1882 1882 continue;
1883 1883 return FALSE;
1884 1884 }
1885 1885
1886 1886 /* port */
1887 1887 sport = get_uint16(&ts->start_port);
1888 1888 eport = get_uint16(&ts->end_port);
1889 1889 port = sockaddr_port(addr);
1890 1890 if (!(sport <= port && port <= eport))
1891 1891 return FALSE;
1892 1892
1893 1893 return TRUE;
1894 1894
1895 1895 }
1896 1896
1897 1897 /*
1898 1898 * see whether traffic selectors are acceptable in accord with the config
1899 1899 * compare UNION(TS[i], i = 0..N) with conf(addr, prefixlen, port, proto)
1900 1900 */
1901 1901 static int
1902 1902 ts_is_matching(struct ikev2_traffic_selector *ts0, int num_ts,
1903 1903 unsigned int proto, struct sockaddr *addr, int prefixlen)
1904 1904 {
1905 1905 int i;
1906 1906 struct ikev2_traffic_selector *ts;
1907 1907
1908 1908 /* assume ikev2_check_ts_payload() was called already */
1909 1909 TRACE((PLOGLOC, "num_ts %d\n", num_ts));
1910 1910 if (num_ts <= 0)
1911 1911 return FALSE;
1912 1912
1913 1913 /*
1914 1914 * if ts[0] is specific, and it is within addr/prefix
1915 1915 * or if ts[0] is not specific
1916 1916 * then see if one of ts can be narrowed
1917 1917 */
1918 1918 if (!ts_is_specific(ts0) ||
1919 1919 ts_is_within_addr(ts0, proto, addr, prefixlen)) {
1920 1920 for (i = 0, ts = ts0;
1921 1921 i < num_ts;
1922 1922 ++i, ts = (struct ikev2_traffic_selector *)((uint8_t *)ts +
1923 1923 get_uint16(&ts->selector_length)))
1924 1924 {
1925 1925 TRACE((PLOGLOC, "checking %d\n", i));
1926 1926 if (ts_contains_addr(ts, proto, addr, prefixlen)) {
1927 1927 /* then it can be narrowed to addr/prefix */
1928 1928 TRACE((PLOGLOC,
1929 1929 "ts %d contains %s prefixlen %d\n",
1930 1930 i, rcs_sa2str(addr), prefixlen));
1931 1931 return TRUE;
1932 1932 }
1933 1933 }
1934 1934 }
1935 1935
1936 1936 /* otherwise fail */
1937 1937 TRACE((PLOGLOC, "failed\n"));
1938 1938 return FALSE;
1939 1939 }
1940 1940
1941 1941 static int
1942 1942 ts_payload_is_matching(struct ikev2payl_traffic_selector *ts_payload,
1943 1943 unsigned int proto, struct sockaddr *addr, int prefixlen)
1944 1944 {
1945 1945 return ts_is_matching((struct ikev2_traffic_selector *)(ts_payload + 1),
1946 1946 ts_payload->tsh.num_ts, proto, addr, prefixlen);
1947 1947 }
1948 1948
1949 1949 /*
1950 1950 * returns adequate TS in vmbuf
1951 1951 *
1952 1952 * currently, returning TS is created from proto/addr/prefixlen
1953 1953 * ignoring peer's TS (assuming it is checked by ts_payload_is_matching())
1954 1954 */
1955 1955 static rc_vchar_t *
1956 1956 ts_match(struct ikev2payl_traffic_selector *ts, int num_ts,
1957 1957 int proto, struct sockaddr *addr, int prefixlen)
1958 1958 {
1959 1959 uint8_t *addrptr;
1960 1960 size_t addrsize;
1961 1961 unsigned int port;
1962 1962 rc_vchar_t *resultbuf;
1963 1963 struct ikev2payl_ts_h *r_tsh;
1964 1964 struct ikev2_traffic_selector *r_ts;
1965 1965 uint8_t *r_saddr;
1966 1966 uint8_t *r_eaddr;
1967 1967 int i;
1968 1968
1969 1969 switch (addr->sa_family) {
1970 1970 case AF_INET:
1971 1971 addrptr = (uint8_t *)&((struct sockaddr_in *)addr)->sin_addr.s_addr;
1972 1972 addrsize = sizeof(struct in_addr);
1973 1973 break;
1974 1974 #ifdef INET6
1975 1975 case AF_INET6:
1976 1976 addrptr = (uint8_t *)&((struct sockaddr_in6 *)addr)->sin6_addr;
1977 1977 addrsize = sizeof(struct in6_addr);
1978 1978 break;
1979 1979 #endif
1980 1980 default:
1981 1981 return 0;
1982 1982 }
1983 1983 port = sockaddr_port(addr);
1984 1984
1985 1985 resultbuf = rc_vmalloc(sizeof(struct ikev2payl_ts_h)
1986 1986 + sizeof(struct ikev2_traffic_selector)
1987 1987 + 2 * addrsize);
1988 1988 if (!resultbuf)
1989 1989 return 0;
1990 1990
1991 1991 r_tsh = (struct ikev2payl_ts_h *)resultbuf->v;
1992 1992 r_ts = (struct ikev2_traffic_selector *)(resultbuf->v +
1993 1993 sizeof(struct ikev2payl_ts_h));
1994 1994 r_saddr = (uint8_t *)(r_ts + 1);
1995 1995 r_eaddr = r_saddr + addrsize;
1996 1996
1997 1997 memset(r_tsh, 0, sizeof(struct ikev2payl_ts_h));
1998 1998 r_tsh->num_ts = 1;
1999 1999 switch (addr->sa_family) {
2000 2000 case AF_INET:
2001 2001 r_ts->ts_type = IKEV2_TS_IPV4_ADDR_RANGE;
2002 2002 break;
2003 2003 #ifdef INET6
2004 2004 case AF_INET6:
2005 2005 r_ts->ts_type = IKEV2_TS_IPV6_ADDR_RANGE;
2006 2006 break;
2007 2007 #endif
2008 2008 }
2009 2009 r_ts->protocol_id = proto;
2010 2010 put_uint16(&r_ts->selector_length,
2011 2011 sizeof(struct ikev2_traffic_selector) + 2 * addrsize);
2012 2012 if (port == 0) {
2013 2013 put_uint16(&r_ts->start_port, 0);
2014 2014 put_uint16(&r_ts->end_port, 65535);
2015 2015 } else {
2016 2016 put_uint16(&r_ts->start_port, port);
2017 2017 put_uint16(&r_ts->end_port, port);
2018 2018 }
2019 2019
2020 2020 for (i = 0; i < (int)addrsize; ++i) {
2021 2021 unsigned int bits;
2022 2022 const int BITS = CHAR_BIT;
2023 2023 if (prefixlen >= BITS * (i + 1)) {
2024 2024 bits = 0xFF;
2025 2025 } else if (prefixlen > BITS * i) {
2026 2026 bits = 0xFF & (-1 << (BITS * (i + 1) - prefixlen));
2027 2027 } else {
2028 2028 bits = 0;
2029 2029 }
2030 2030 r_saddr[i] = addrptr[i] & bits;
2031 2031 r_eaddr[i] = addrptr[i] | ~bits;
2032 2032 }
2033 2033
2034 2034 return resultbuf;
2035 2035 }
2036 2036
2037 2037 /*
2038 2038 * Config payload support
2039 2039 */
2040 2040 void
2041 2041 ikev2_cfg_addr2sockaddr(struct sockaddr *sa, struct rcf_address *a, int *prefixlen)
2042 2042 {
2043 2043 struct sockaddr_in *sin;
2044 2044 struct sockaddr_in6 *sin6;
2045 2045
2046 2046 switch (a->af) {
2047 2047 case AF_INET:
2048 2048 *prefixlen = 32;
2049 2049 sin = (struct sockaddr_in *)sa;
2050 2050 memset(sin, 0, sizeof(*sin));
2051 2051 sin->sin_family = AF_INET;
2052 2052 SET_SOCKADDR_LEN(sin, sizeof(*sin));
2053 2053 memcpy(&sin->sin_addr.s_addr, a->address, sizeof(struct in_addr));
2054 2054 break;
2055 2055 case AF_INET6:
2056 2056 *prefixlen = 128;
2057 2057 sin6 = (struct sockaddr_in6 *)sa;
2058 2058 memset(sin6, 0, sizeof(*sin6));
2059 2059 sin6->sin6_family = AF_INET6;
2060 2060 SET_SOCKADDR_LEN(sin6, sizeof(*sin6));
2061 2061 memcpy(&sin6->sin6_addr, a->address, sizeof(struct in6_addr));
2062 2062 break;
2063 2063 default:
2064 2064 /* shouldn't happen */
2065 2065 TRACE((PLOGLOC, "unknown af %d\n", a->af));
2066 2066 return;
2067 2067 }
2068 2068 }
2069 2069
2070 2070
2071 2071 /*
2072 2072 * debug dump Traffic Selectors
2073 2073 */
2074 2074 void
2075 2075 ikev2_dump_traffic_selectors(char *msg,
2076 2076 int num_ts,
2077 2077 struct ikev2_traffic_selector *ts)
2078 2078 {
2079 2079 int i;
2080 2080
2081 2081 plog(PLOG_DEBUG, PLOGLOC, 0, "%s\n", msg);
2082 2082 for (i = 0;
2083 2083 i < num_ts;
2084 2084 ++i, ts = (struct ikev2_traffic_selector *)((uint8_t *)ts +
2085 2085 get_uint16(&ts->selector_length)))
2086 2086 ikev2_print_ts(ts);
2087 2087 }
2088 2088
2089 2089 /*
2090 2090 * debug dump Traffic Selector payload (excluding generic header)
2091 2091 */
2092 2092 void
2093 2093 ikev2_dump_traffic_selector_h(char *header, void *payload_data)
2094 2094 {
2095 2095 struct ikev2payl_ts_h *tsh;
2096 2096
2097 2097 tsh = (struct ikev2payl_ts_h *)payload_data;
2098 2098 ikev2_dump_traffic_selectors(header,
2099 2099 tsh->num_ts,
2100 2100 (struct ikev2_traffic_selector *)(tsh + 1));
2101 2101 }
2102 2102
2103 2103 /*
2104 2104 * debug dump Traffic Selector payload
2105 2105 */
2106 2106 void
2107 2107 ikev2_dump_ts(char *header, struct ikev2payl_traffic_selector *ts_payload)
2108 2108 {
2109 2109 ikev2_dump_traffic_selectors(header,
2110 2110 ts_payload->tsh.num_ts,
2111 2111 (struct ikev2_traffic_selector *)(ts_payload + 1));
2112 2112 }
2113 2113
2114 2114 static void
2115 2115 free_selectorlist(struct rcf_selector *s)
2116 2116 {
2117 2117 struct rcf_selector *s_next;
2118 2118
2119 2119 for (; s; s = s_next) {
2120 2120 s_next = s->next;
2121 2121 rcf_free_selector(s);
2122 2122 }
2123 2123 }
2124 2124
2125 2125 struct rcf_selector *
2126 2126 ike_conf_find_ikev2sel_by_ts(struct ikev2_payload_header *ts_remoteside,
2127 2127 struct ikev2_payload_header *ts_localside,
2128 2128 struct ikev2_child_sa *child_sa,
2129 2129 struct rcf_remote *rmconf)
2130 2130 {
2131 2131 /* int contained = 0; */
2132 2132 struct ikev2_child_param *param = &child_sa->child_param;
2133 2133 struct ikev2payl_traffic_selector *ts_r;
2134 2134 struct ikev2payl_traffic_selector *ts_l;
2135 2135 int src_prefixlen;
2136 2136 int dst_prefixlen;
2137 2137 unsigned int upper_layer_protocol;
2138 2138 struct rcf_selector *s;
2139 2139 struct rcf_selector *s_next;
2140 2140 int err;
2141 2141 struct rc_addrlist *srclist;
2142 2142 struct rc_addrlist *dstlist;
2143 2143 rc_type action;
2144 2144
2145 2145 ts_r = (struct ikev2payl_traffic_selector *)ts_remoteside;
2146 2146 ts_l = (struct ikev2payl_traffic_selector *)ts_localside;
2147 2147
2148 2148 IF_TRACE( {
2149 2149 trace_debug(PLOGLOC, "ike_conf_find_ikev2sel_by_ts\n");
2150 2150 ikev2_dump_ts("remote", ts_r);
2151 2151 ikev2_dump_ts("local", ts_l);
2152 2152 });
2153 2153
2154 2154 if (rcf_get_selectorlist(&s)) {
2155 2155 TRACE((PLOGLOC, "rcf_get_selectorlist() failed\n"));
2156 2156 return 0;
2157 2157 }
2158 2158 for (; s; s_next = s->next, rcf_free_selector(s), s = s_next) {
2159 2159 assert(s->pl != NULL);
2160 2160 action = s->pl->action;
2161 2161 if (!action)
2162 2162 POLICY_DEFAULT(action, action, 0);
2163 2163 if (action != RCT_ACT_AUTO_IPSEC)
2164 2164 continue;
2165 2165
2166 2166 /* use only if the selector is for the remote node */
2167 2167 if (! ((s->pl->rm_index == NULL && rmconf->rm_index == NULL) ||
2168 2168 (s->pl->rm_index != NULL && rmconf->rm_index != NULL &&
2169 2169 rc_vmemcmp(s->pl->rm_index, rmconf->rm_index) == 0))) {
2170 2170 continue;
2171 2171 }
2172 2172
2173 2173 if (s->direction != RCT_DIR_OUTBOUND)
2174 2174 continue;
2175 2175
2176 2176 #ifdef notyet
2177 2177 /*
2178 2178 * if (no corresponding outbound config)
2179 2179 * continue;
2180 2180 */
2181 2181 for (o = rcf_selector_head; o; o = o->next) {
2182 2182 if (o->direction == RCT_DIR_INBOUND
2183 2183 && addrlist_equal(s->src, o->dst)
2184 2184 && addrlist_equal(s->dst, o->src))
2185 2185 break;
2186 2186 }
2187 2187 if (!o) {
2188 2188 TRACE((PLOGLOC,
2189 2189 "no corresponding outbound selector\n"));
2190 2190 continue;
2191 2191 }
2192 2192 #endif
2193 2193
2194 2194 if (ike_ipsec_mode(s->pl) == RCT_IPSM_TRANSPORT) {
2195 2195 if (!param->use_transport_mode)
2196 2196 continue;
2197 2197 }
2198 2198
2199 2199 srclist = dstlist = 0;
2200 2200 err = rcs_extend_addrlist(s->src, &srclist);
2201 2201 if (err != 0) {
2202 2202 isakmp_log(0, 0, 0, 0,
2203 2203 PLOG_INTWARN, PLOGLOC,
2204 2204 "expanding src address of selector %s: %s\n",
2205 2205 rc_vmem2str(s->sl_index), gai_strerror(err));
2206 2206 goto next_selector;
2207 2207 }
2208 2208 if (!srclist) {
2209 2209 TRACE((PLOGLOC, "empty srclist\n"));
2210 2210 goto next_selector;
2211 2211 }
2212 2212
2213 2213 err = rcs_extend_addrlist(s->dst, &dstlist);
2214 2214 if (err != 0) {
2215 2215 isakmp_log(0, 0, 0, 0,
2216 2216 PLOG_INTWARN, PLOGLOC,
2217 2217 "expanding dst address of selector %s: %s\n",
2218 2218 rc_vmem2str(s->sl_index), gai_strerror(err));
2219 2219 goto next_selector;
2220 2220 }
2221 2221 if (!dstlist) {
2222 2222 if (LIST_EMPTY(&child_sa->lease_list)) {
2223 2223 TRACE((PLOGLOC, "empty dstlist\n"));
2224 2224 goto next_selector;
2225 2225 }
2226 2226 }
2227 2227 /*
2228 2228 else if (! LIST_EMPTY(&child_sa->lease_list)
2229 2229 && ) {
2230 2230 TRACE((PLOGLOC, "skipping non-empty dst selector\n"));
2231 2231 goto next_selector;
2232 2232 }
2233 2233 */
2234 2234 assert(dstlist ||
2235 2235 (!dstlist && !LIST_EMPTY(&child_sa->lease_list)));
2236 2236
2237 2237 #if 0 /* it looks like spmd uses only the first address of expanded addresses */
2238 2238 upper_layer_protocol = s->upper_layer_protocol;
2239 2239 if (upper_layer_protocol == RC_PROTO_ANY)
2240 2240 upper_layer_protocol = IKEV2_TS_PROTO_ANY;
2241 2241
2242 2242 for (src = srclist; src; src = src->next) {
2243 2243 if (ts_payload_is_matching(ts_r,
2244 2244 upper_layer_protocol,
2245 2245 src->a.ipaddr,
2246 2246 src->prefixlen)) {
2247 2247 for (dst = dstlist; dst; dst = dst->next) {
2248 2248 if (ts_payload_is_matching(ts_i,
2249 2249 upper_layer_protocol,
2250 2250 dst->a.ipaddr,
2251 2251 dst->prefixlen)) {
2252 2252 goto found;
2253 2253 }
2254 2254 }
2255 2255 }
2256 2256 }
2257 2257
2258 2258 continue;
2259 2259
2260 2260 found:
2261 2261 ...;
2262 2262 #else
2263 2263 if (srclist && srclist->next) {
2264 2264 plog(PLOG_INTWARN, PLOGLOC, 0,
2265 2265 "selector %s src is ambiguous, using the first one of the expanded addresses\n",
2266 2266 rc_vmem2str(s->sl_index));
2267 2267 }
2268 2268 if (dstlist->next) {
2269 2269 plog(PLOG_INTWARN, PLOGLOC, 0,
2270 2270 "selector %s dst is ambiguous, using the first one of the expanded addresses\n",
2271 2271 rc_vmem2str(s->sl_index));
2272 2272 }
2273 2273 #endif
2274 2274
2275 2275 /*
2276 2276 * see whether the TS is acceptable for this selector
2277 2277 */
2278 2278 src_prefixlen = srclist ? addr_prefixlen(srclist) : 0;
2279 2279 dst_prefixlen = dstlist ? addr_prefixlen(dstlist) : 0;
2280 2280 upper_layer_protocol = s->upper_layer_protocol;
2281 2281 if (upper_layer_protocol == RC_PROTO_ANY)
2282 2282 upper_layer_protocol = IKEV2_TS_PROTO_ANY;
2283 2283 if (ts_payload_is_matching(ts_l,
2284 2284 upper_layer_protocol,
2285 2285 srclist->a.ipaddr,
2286 2286 src_prefixlen) &&
2287 2287 LIST_EMPTY(&child_sa->lease_list) &&
2288 2288 dstlist &&
2289 2289 ts_payload_is_matching(ts_r,
2290 2290 upper_layer_protocol,
2291 2291 dstlist->a.ipaddr,
2292 2292 dst_prefixlen)) {
2293 2293 TRACE((PLOGLOC, "using selector %s\n",
2294 2294 rc_vmem2str(s->sl_index)));
2295 2295 param->ts_r = ts_match(ts_l,
2296 2296 ts_l->tsh.num_ts,
2297 2297 upper_layer_protocol,
2298 2298 srclist->a.ipaddr,
2299 2299 src_prefixlen);
2300 2300 param->ts_i = ts_match(ts_r,
2301 2301 ts_r->tsh.num_ts,
2302 2302 upper_layer_protocol,
2303 2303 dstlist->a.ipaddr,
2304 2304 dst_prefixlen);
2305 2305 IF_TRACE({
2306 2306 TRACE((PLOGLOC, "traffic selectors for response:\n"));
2307 2307 ikev2_dump_traffic_selector_h("TSi",
2308 2308 param->ts_i->v);
2309 2309 ikev2_dump_traffic_selector_h("TSr",
2310 2310 param->ts_r->v);
2311 2311 });
2312 2312 child_sa->srclist = srclist;
2313 2313 child_sa->dstlist = dstlist;
2314 2314 free_selectorlist(s->next);
2315 2315 return s;
2316 2316 } else if (ts_payload_is_matching(ts_l,
2317 2317 upper_layer_protocol,
2318 2318 srclist->a.ipaddr,
2319 2319 src_prefixlen) &&
2320 2320 ! LIST_EMPTY(&child_sa->lease_list)) {
2321 2321 /*
2322 2322 TSi: 0.0.0.0/0, TSr: 0.0.0.0/0
2323 2323 selector: IP_ANY - 192.0.2.0/24, addrpool 192.0.2.200-192.0.2.250
2324 2324
2325 2325 */
2326 2326 /*
2327 2327 * if peer requested INTERNAL_IP*_ADDR,
2328 2328 * confirm TS matches with allocated address,
2329 2329 * then deallocate unmatching allocated address
2330 2330 */
2331 2331 struct rcf_address *a;
2332 2332 struct rcf_address *next_a;
2333 2333 struct rcf_address *target;
2334 2334 struct sockaddr_storage ss;
2335 2335 int prefixlen;
2336 2336
2337 2337 target = 0;
2338 2338 for (a = LIST_FIRST(&child_sa->lease_list);
2339 2339 a != 0;
2340 2340 a = LIST_NEXT(a, link_sa)) {
2341 2341 ikev2_cfg_addr2sockaddr((struct sockaddr *)&ss,
2342 2342 a,
2343 2343 &prefixlen);
2344 2344 if (ts_payload_is_matching(ts_r,
2345 2345 upper_layer_protocol,
2346 2346 (struct sockaddr *)&ss,
2347 2347 prefixlen)) {
2348 2348 target = a;
2349 2349 break;
2350 2350 }
2351 2351 }
2352 2352 if (!target)
2353 2353 goto next_selector;
2354 2354
2355 2355 /* remove all but one matching address */
2356 2356 for (a = LIST_FIRST(&child_sa->lease_list); a != 0; a = next_a) {
2357 2357 next_a = LIST_NEXT(a, link_sa);
2358 2358 if (a != target)
2359 2359 rc_addrpool_release_addr(a);
2360 2360 }
2361 2361
2362 2362 TRACE((PLOGLOC, "using selector %s\n",
2363 2363 rc_vmem2str(s->sl_index)));
2364 2364 param->ts_r = ts_match(ts_l,
2365 2365 ts_l->tsh.num_ts,
2366 2366 upper_layer_protocol,
2367 2367 srclist->a.ipaddr,
2368 2368 src_prefixlen);
2369 2369 ikev2_cfg_addr2sockaddr((struct sockaddr *)&ss,
2370 2370 target,
2371 2371 &prefixlen);
2372 2372 param->ts_i = ts_match(ts_r, 1,
2373 2373 upper_layer_protocol,
2374 2374 (struct sockaddr *)&ss,
2375 2375 prefixlen);
2376 2376 IF_TRACE({
2377 2377 TRACE((PLOGLOC, "traffic selectors for response:\n"));
2378 2378 ikev2_dump_traffic_selector_h("TSi",
2379 2379 param->ts_i->v);
2380 2380 ikev2_dump_traffic_selector_h("TSr",
2381 2381 param->ts_r->v);
2382 2382 });
2383 2383 child_sa->srclist = srclist;
2384 2384 child_sa->dstlist = dstlist;
2385 2385 free_selectorlist(s->next);
2386 2386 return s;
2387 2387 }
2388 2388
2389 2389 next_selector:
2390 2390 if (srclist)
2391 2391 rcs_free_addrlist(srclist);
2392 2392 if (dstlist)
2393 2393 rcs_free_addrlist(dstlist);
2394 2394 }
2395 2395 return 0;
2396 2396
2397 2397 #ifdef notyet
2398 2398 /*
2399 2399 * It is possible for the Responder's policy to contain multiple smaller
2400 2400 * ranges, all encompassed by the Initiator's traffic selector, and with
2401 2401 * the Responder's policy being that each of those ranges should be sent
2402 2402 * over a different SA. Continuing the example above, Bob might have a
2403 2403 * policy of being willing to tunnel those addresses to and from Alice,
2404 2404 * but might require that each address pair be on a separately
2405 2405 * negotiated CHILD_SA. If Alice generated her request in response to an
2406 2406 * incoming packet from 10.2.16.43 to 10.16.2.123, there would be no way
2407 2407 * for Bob to determine which pair of addresses should be included in
2408 2408 * this tunnel, and he would have to make his best guess or reject the
2409 2409 * request with a status of SINGLE_PAIR_REQUIRED.
2410 2410 *
2411 2411 * If Bob's policy does not allow him to accept the entire set of
2412 2412 * traffic selectors in Alice's request, but does allow him to accept
2413 2413 * the first selector of TSi and TSr, then Bob MUST narrow the traffic
2414 2414 * selectors to a subset that includes Alice's first choices.
2415 2415 */
2416 2416 if (contsel && contsel->policy->ipsec->require_unique) {
2417 2417
2418 2418 tsi = first of TSi;
2419 2419 tsr = first of TSr;
2420 2420 if (tsi->startaddr == tsi->endaddr
2421 2421 && tsr->startaddr == tsr->endaddr) {
2422 2422 /* narrow to the first ts; */
2423 2423 param->ts_i = rc_vnew(...);
2424 2424 param->ts_r = rc_vnew(...);
2425 2425 } else {
2426 2426 param->single_pair_retuired = TRUE;
2427 2427 return 0;
2428 2428 }
2429 2429 }
2430 2430
2431 2431 if (contsel) {
2432 2432 if (contained >= 2)
2433 2433 param->additional_ts_possible = TRUE;
2434 2434 return contsel;
2435 2435 }
2436 2436 return 0;
2437 2437 #endif
2438 2438 }
2439 2439
2440 2440 /*
2441 2441 * compare two address lists
2442 2442 * returns TRUE if identical, FALSE otherwise
2443 2443 */
2444 2444 int addrlist_equal(struct rc_addrlist *, struct rc_addrlist *)
2445 2445 GCC_ATTRIBUTE((unused));
2446 2446
2447 2447 int
2448 2448 addrlist_equal(struct rc_addrlist *a0, struct rc_addrlist *b0)
2449 2449 {
2450 2450 struct rc_addrlist *a, *b;
2451 2451
2452 2452 for (a = a0, b = b0; a && b; a = a->next, b = b->next) {
2453 2453 if (a->type != b->type)
2454 2454 return FALSE;
2455 2455 if (a->port != b->port)
2456 2456 return FALSE;
2457 2457 if (a->prefixlen != b->prefixlen)
2458 2458 return FALSE;
2459 2459 switch (a->type) {
2460 2460 case RCT_ADDR_INET:
2461 2461 if (!sockaddr_compare_with_prefix(a->a.ipaddr, b->a.ipaddr, a->prefixlen))
2462 2462 return FALSE;
2463 2463 break;
2464 2464 case RCT_ADDR_FQDN:
2465 2465 case RCT_ADDR_MACRO:
2466 2466 case RCT_ADDR_FILE:
2467 2467 if (rc_vmemcmp(a->a.vstr, b->a.vstr) != 0)
2468 2468 return FALSE;
2469 2469 break;
2470 2470 default:
2471 2471 TRACE((PLOGLOC, "unexpected: %d %d\n", a->type, b->type));
2472 2472 return FALSE;
2473 2473 }
2474 2474 }
2475 2475
2476 2476 if (a != 0 || b != 0)
2477 2477 return FALSE;
2478 2478
2479 2479 return TRUE;
2480 2480 }
2481 2481
2482 2482 /*
2483 2483 * returns TRUE if one of the addrlist in l contains addr
2484 2484 */
2485 2485 static int
2486 2486 addrlist_match(struct rc_addrlist *l, struct sockaddr *addr)
2487 2487 {
2488 2488 int prefixlen;
2489 2489
2490 2490 for (; l; l = l->next) {
2491 2491 switch (l->type) {
2492 2492 case RCT_ADDR_INET:
2493 2493 prefixlen = addr_prefixlen(l);
2494 2494 if (sockaddr_compare_with_prefix(addr, l->a.ipaddr, prefixlen))
2495 2495 return TRUE;
2496 2496 break;
2497 2497 default:
2498 2498 isakmp_log(0, 0, 0, 0,
2499 2499 PLOG_INTERR, PLOGLOC,
2500 2500 "unsupported address type (%s) in selector addreses list\n",
2501 2501 rct2str(l->type));
2502 2502 return FALSE;
2503 2503 break;
2504 2504 }
2505 2505 }
2506 2506 return FALSE;
2507 2507 }
2508 2508
2509 2509 struct rcf_selector *
2510 2510 ike_conf_find_selector_by_addr(struct sockaddr *local, struct sockaddr *remote)
2511 2511 {
2512 2512 struct rcf_selector *s;
2513 2513 struct rc_addrlist *s_local;
2514 2514 struct rc_addrlist *s_remote;
2515 2515 extern struct rcf_selector *rcf_selector_head;
2516 2516
2517 2517 for (s = rcf_selector_head; s; s = s->next) {
2518 2518 if (s->direction != RCT_DIR_OUTBOUND)
2519 2519 continue;
2520 2520
2521 2521 s_local = s->src;
2522 2522 s_remote = s->dst;
2523 2523 if ((!local || addrlist_match(s_local, local))
2524 2524 && addrlist_match(s_remote, remote)) {
2525 2525 return s;
2526 2526 }
2527 2527 }
2528 2528 return 0;
2529 2529 }
2530 2530
2531 2531 /* XXX these tables should be generated dynamically from crypto lib
2532 2532 * information (for IKE SA) or kernel information (for IPsec SA) */
2533 2533
2534 2534 /*
2535 2535 * CONF_VARAIBLE_KEYLEN: config racoon_code does not imply key length
2536 2536 * PROTO_VARAIBLE_KEYLEN: protocol needs key length attribute
2537 2537 */
2538 2538 #define CONF_VARIABLE_KEYLEN 0x8000
2539 2539 #define PROTO_VARIABLE_KEYLEN 0x4000
2540 2540 #define IS_CONF_VARIABLE_KEYLEN(_alg) (((_alg).flags & CONF_VARIABLE_KEYLEN) != 0)
2541 2541 #define IS_PROTO_VARIABLE_KEYLEN(_alg) (((_alg).flags & PROTO_VARIABLE_KEYLEN) != 0)
2542 2542
2543 2543 #define KEYLEN(_alg) ((_alg).keylen)
2544 2544
2545 2545 #define ALG_ENC(rc, id, klen, noncelen, flags, def) { (rc), (id), (klen), (noncelen), (flags), 0, (def) }
2546 2546
2547 2547 static struct algdef ikev2_transf_encr[] = {
2548 2548 /* ALG_ENC(RCT_ALG_DES_CBC_IV64, IKEV2TRANSF_ENCR_DES_IV64, 8, 0 ), */
2549 2549 /* ALG_ENC(RCT_ALG_DES_CBC, IKEV2TRANSF_ENCR_DES, 8, 0 ), */
2550 2550 ALG_ENC(RCT_ALG_DES3_CBC, IKEV2TRANSF_ENCR_3DES, 24, 0, 0, &encr_triple_des),
2551 2551 /* ALG_ENC(RCT_ALG_RC5_CBC, IKEV2TRANSF_ENCR_RC5, 16, 0 ), */
2552 2552 /* ALG_ENC(RCT_ALG_IDEA_CBC, IKEV2TRANSF_ENCR_IDEA, 16, 0 ), */
2553 2553 /* ALG_ENC(RCT_ALG_CAST128_CBC, IKEV2TRANSF_ENCR_CAST, 16, 0 ), */
2554 2554 /* ALG_ENC(RCT_ALG_BLOWFISH_CBC, IKEV2TRANSF_ENCR_BLOWFISH, 16, 0 ), */
2555 2555 /* ALG_ENC(RCT_ALG_IDEA3_CBC, IKEV2TRANSF_ENCR_3IDEA, .... ), */
2556 2556 /* ALG_ENC(RCT_ALG_DES_CBC_IV32, IKEV2TRANSF_ENCR_DES_IV32, 8, 0 ), */
2557 2557 ALG_ENC(RCT_ALG_NULL_ENC, IKEV2TRANSF_ENCR_NULL, 0, 0, 0, &encr_null),
2558 2558 ALG_ENC(RCT_ALG_RIJNDAEL_CBC, IKEV2TRANSF_ENCR_AES_CBC, 16, 0, CONF_VARIABLE_KEYLEN | PROTO_VARIABLE_KEYLEN, &encr_aes128),
2559 2559 ALG_ENC(RCT_ALG_RIJNDAEL_CBC, IKEV2TRANSF_ENCR_AES_CBC, 24, 0, CONF_VARIABLE_KEYLEN | PROTO_VARIABLE_KEYLEN, &encr_aes192),
2560 2560 ALG_ENC(RCT_ALG_RIJNDAEL_CBC, IKEV2TRANSF_ENCR_AES_CBC, 32, 0, CONF_VARIABLE_KEYLEN | PROTO_VARIABLE_KEYLEN, &encr_aes256),
2561 2561 ALG_ENC(RCT_ALG_AES128_CBC, IKEV2TRANSF_ENCR_AES_CBC, 16, 0, PROTO_VARIABLE_KEYLEN, &encr_aes128),
2562 2562 ALG_ENC(RCT_ALG_AES192_CBC, IKEV2TRANSF_ENCR_AES_CBC, 24, 0, PROTO_VARIABLE_KEYLEN, &encr_aes192),
2563 2563 ALG_ENC(RCT_ALG_AES256_CBC, IKEV2TRANSF_ENCR_AES_CBC, 32, 0, PROTO_VARIABLE_KEYLEN, &encr_aes256),
2564 2564 ALG_ENC(RCT_ALG_AES_CTR, IKEV2TRANSF_ENCR_AES_CTR, 16, 4, CONF_VARIABLE_KEYLEN | PROTO_VARIABLE_KEYLEN, &encr_aesctr128),
2565 2565 ALG_ENC(RCT_ALG_AES_CTR, IKEV2TRANSF_ENCR_AES_CTR, 24, 4, CONF_VARIABLE_KEYLEN | PROTO_VARIABLE_KEYLEN, &encr_aesctr192),
2566 2566 ALG_ENC(RCT_ALG_AES_CTR, IKEV2TRANSF_ENCR_AES_CTR, 32, 4, CONF_VARIABLE_KEYLEN | PROTO_VARIABLE_KEYLEN, &encr_aesctr256),
2567 2567 /* AES_CCM_8 */
2568 2568 /* AES_CCM_12 */
2569 2569 /* AES_CCM_16 */
2570 2570 /* AES_GCM_ICV8 */
2571 2571 /* AES_GCM_ICV12 */
2572 2572 /* AES_GCM_ICV16 */
2573 2573 /* NULL_AUTH_AES_GMAC */
2574 2574 /* IEEE_P1619_XTS_AES */
2575 2575 { 0 }
2576 2576 };
2577 2577
2578 2578 #define ALG_HASH(rc, id, klen, gen) { (rc), (id), (klen), 0, 0, (void *(*)())(gen), 0 }
2579 2579
2580 2580 static struct algdef ikev2_transf_prf[] = {
2581 2581 ALG_HASH(RCT_ALG_HMAC_MD5, IKEV2TRANSF_PRF_HMAC_MD5, 16, hmacmd5_new),
2582 2582 ALG_HASH(RCT_ALG_HMAC_SHA1, IKEV2TRANSF_PRF_HMAC_SHA1, 20, hmacsha1_new),
2583 2583 /* ALG_HASH( RCT_ALG_HMAC_TIGER, IKEV2TRANSF_PRF_HMAC_TIGER ), */
2584 2584 ALG_HASH(RCT_ALG_AES_XCBC, IKEV2TRANSF_PRF_AES128_XCBC, 16, aesxcbcmac_new),
2585 2585 #ifdef WITH_SHA2
2586 2586 ALG_HASH(RCT_ALG_HMAC_SHA2_256, IKEV2TRANSF_PRF_HMAC_SHA2_256, 256/8, hmacsha256_new),
2587 2587 ALG_HASH(RCT_ALG_HMAC_SHA2_384, IKEV2TRANSF_PRF_HMAC_SHA2_384, 384/8, hmacsha384_new),
2588 2588 ALG_HASH(RCT_ALG_HMAC_SHA2_512, IKEV2TRANSF_PRF_HMAC_SHA2_512, 512/8, hmacsha512_new),
2589 2589 #endif
2590 2590 ALG_HASH(RCT_ALG_AES_CMAC, IKEV2TRANSF_PRF_AES128_CMAC, 16, aescmac_new),
2591 2591 {0}
2592 2592 };
2593 2593
2594 2594 static struct algdef ikev2_transf_integr[] = {
2595 2595 ALG_HASH(RCT_ALG_HMAC_MD5, IKEV2TRANSF_AUTH_HMAC_MD5_96, 16, hmacmd5_96_new),
2596 2596 ALG_HASH(RCT_ALG_HMAC_SHA1, IKEV2TRANSF_AUTH_HMAC_SHA1_96, 20, hmacsha1_96_new),
2597 2597 /* ALG_HASH( RCT_ALG_DES_MAC, IKEV2TRANSF_AUTH_DES_MAC ), */
2598 2598 /* ALG_HASH( RCT_ALG_KPDK_MD5, IKEV2TRANSF_AUTH_KPDK_MD5 ), */
2599 2599 ALG_HASH(RCT_ALG_AES_XCBC, IKEV2TRANSF_AUTH_AES_XCBC_96, 16, aesxcbcmac_96_new),
2600 2600 /* HMAC_MD5_128 */
2601 2601 /* HMAC_SHA1_160 */
2602 2602 ALG_HASH(RCT_ALG_AES_CMAC, IKEV2TRANSF_AUTH_AES_CMAC_96, 16, aescmac_96_new),
2603 2603 /* AES_128_GMAC */
2604 2604 /* AES_192_GMAC */
2605 2605 /* AES_256_GMAC */
2606 2606 #ifdef WITH_SHA2
2607 2607 ALG_HASH(RCT_ALG_HMAC_SHA2_256, IKEV2TRANSF_AUTH_HMAC_SHA2_256_128, 256/8, hmacsha256_128_new),
2608 2608 ALG_HASH(RCT_ALG_HMAC_SHA2_384, IKEV2TRANSF_AUTH_HMAC_SHA2_384_192, 384/8, hmacsha384_192_new),
2609 2609 ALG_HASH(RCT_ALG_HMAC_SHA2_512, IKEV2TRANSF_AUTH_HMAC_SHA2_512_256, 512/8, hmacsha512_256_new),
2610 2610 #endif
2611 2611 {0}
2612 2612 };
2613 2613
2614 2614 #define ALG_DH(rc, id, def) { (rc), (id), 0, 0, 0, 0, (def) }
2615 2615
2616 2616 static struct algdef ikev2_transf_dh[] = {
2617 2617 ALG_DH(RCT_ALG_MODP768, IKEV2TRANSF_DH_MODP768, &dh_modp768),
2618 2618 ALG_DH(RCT_ALG_MODP1024, IKEV2TRANSF_DH_MODP1024, &dh_modp1024),
2619 2619 /* ALG_DH( RCT_ALG_EC2N155, IKEV2TRANSF_DH_EC2N155 ), */
2620 2620 /* ALG_DH( RCT_ALG_EC2N185, IKEV2TRANSF_DH_EC2N185 ), */
2621 2621 ALG_DH(RCT_ALG_MODP1536, IKEV2TRANSF_DH_MODP1536, &dh_modp1536),
2622 2622 ALG_DH(RCT_ALG_MODP2048, IKEV2TRANSF_DH_MODP2048, &dh_modp2048),
2623 2623 ALG_DH(RCT_ALG_MODP3072, IKEV2TRANSF_DH_MODP3072, &dh_modp3072),
2624 2624 ALG_DH(RCT_ALG_MODP4096, IKEV2TRANSF_DH_MODP4096, &dh_modp4096),
2625 2625 ALG_DH(RCT_ALG_MODP6144, IKEV2TRANSF_DH_MODP6144, &dh_modp6144),
2626 2626 ALG_DH(RCT_ALG_MODP8192, IKEV2TRANSF_DH_MODP8192, &dh_modp8192),
2627 2627 /* ECP256 */
2628 2628 /* ECP384 */
2629 2629 /* ECP521 */
2630 2630 /* MODP1024_160POS */
2631 2631 /* MODP2048_224POS */
2632 2632 /* MODP2048_256POS */
2633 2633 /* ECP192 */
2634 2634 /* ECP224 */
2635 2635 {0}
2636 2636 };
2637 2637
2638 2638 static int
2639 2639 is_alg_supported(rc_type alg, int keylen, struct algdef *def)
2640 2640 {
2641 2641 const int BITS = 8;
2642 2642
2643 2643 for (; def->racoon_code != 0; ++def) {
2644 2644 if (alg == def->racoon_code &&
2645 2645 (KEYLEN(*def) * BITS == (size_t)keylen ||
2646 2646 (!IS_CONF_VARIABLE_KEYLEN(*def) && keylen == 0)) && /* keylen can be omitted if it is available from racoon code */
2647 2647 (def->generator != 0 || def->definition != 0)) {
2648 2648 return TRUE;
2649 2649 }
2650 2650 }
2651 2651 return FALSE;
2652 2652 }
2653 2653
2654 2654 static int
2655 2655 is_alg_variable_keylen(rc_type alg, struct algdef *def)
2656 2656 {
2657 2657 for (; def->racoon_code != 0; ++def) {
2658 2658 if (alg == def->racoon_code &&
2659 2659 IS_CONF_VARIABLE_KEYLEN(*def))
2660 2660 return TRUE;
2661 2661 }
2662 2662 return FALSE;
2663 2663 }
2664 2664
2665 2665 static int
2666 2666 ikeconf_rcf_alg(unsigned int alg, struct algdef *def)
2667 2667 {
2668 2668 for (; def->racoon_code != 0; ++def) {
2669 2669 if (alg == def->racoon_code) {
2670 2670 return def->transform_id;
2671 2671 }
2672 2672 }
2673 2673 return 0;
2674 2674 }
2675 2675
2676 2676 /*
2677 2677 * returns key length value if the algorithm requires the key length attribute
2678 2678 * if not required, returns 0
2679 2679 */
2680 2680 int
2681 2681 ikev2_rcf_alg_keylen(int type, struct rc_alglist *alg, struct algdef *def)
2682 2682 {
2683 2683 const int BITS = 8;
2684 2684
2685 2685 if (alg->keylen)
2686 2686 return alg->keylen;
2687 2687
2688 2688 for (; def->racoon_code != 0; ++def) {
2689 2689 if (alg->algtype == def->racoon_code) {
2690 2690 if (IS_PROTO_VARIABLE_KEYLEN(*def)) {
2691 2691 return KEYLEN(*def) * BITS;
2692 2692 } else {
2693 2693 return 0;
2694 2694 }
2695 2695 }
2696 2696 }
2697 2697 return 0;
2698 2698 }
2699 2699
2700 2700 /*
2701 2701 * creates an encryptor based on negotiated proposal
2702 2702 * code is ikev2 transform id, klen is key length in bits
2703 2703 */
2704 2704 struct encryptor *
2705 2705 ikev2_encryptor_new(int code, int klen)
2706 2706 {
2707 2707 struct encryptor_method *m;
2708 2708 struct algdef *def;
2709 2709 const int BITS = 8;
2710 2710
2711 2711 for (def = &ikev2_transf_encr[0]; def->racoon_code != 0; ++def) {
2712 2712 if (def->transform_id == code &&
2713 2713 def->definition != 0 &&
2714 2714 (klen == 0 || KEYLEN(*def) * BITS == (size_t)klen)) {
2715 2715 m = (struct encryptor_method *)def->definition;
2716 2716 return encryptor_new(m);
2717 2717 }
2718 2718 }
2719 2719
2720 2720 /* failed */
2721 2721 if (klen == 0)
2722 2722 plog(PLOG_PROTOERR, PLOGLOC, 0,
2723 2723 "unsupported encryption (transform code %d)\n", code);
2724 2724 else
2725 2725 plog(PLOG_PROTOERR, PLOGLOC, 0,
2726 2726 "unsupported encryption (transform code %d keylen %d)\n",
2727 2727 code, klen);
2728 2728 return 0;
2729 2729 }
2730 2730
2731 2731 /*
2732 2732 * creates an authenticator based on negotiated proposal
2733 2733 */
2734 2734 struct authenticator *
2735 2735 ikev2_authenticator_new(int code)
2736 2736 {
2737 2737 struct algdef *def;
2738 2738
2739 2739 for (def = &ikev2_transf_integr[0]; def->racoon_code != 0; ++def) {
2740 2740 if (def->transform_id == code && def->generator != 0) {
2741 2741 struct keyed_hash *(*gen) (void);
2742 2742 struct authenticator *auth;
2743 2743
2744 2744 gen = (struct keyed_hash * (*)(void))def->generator;
2745 2745 auth = keyedhash_authenticator(gen());
2746 2746 if (!auth)
2747 2747 plog(PLOG_INTERR, PLOGLOC, 0,
2748 2748 "failed creating authenticator\n");
2749 2749 return auth;
2750 2750 }
2751 2751 }
2752 2752 plog(PLOG_PROTOERR, PLOGLOC, 0, "unsupported auth code %d\n", code);
2753 2753 return 0;
2754 2754 }
2755 2755
2756 2756 /*
2757 2757 * creates a prf based on negotiated proposal
2758 2758 */
2759 2759 struct keyed_hash *
2760 2760 ikev2_prf_new(int code)
2761 2761 {
2762 2762 struct algdef *def;
2763 2763
2764 2764 for (def = &ikev2_transf_prf[0]; def->racoon_code != 0; ++def) {
2765 2765 if (def->transform_id == code && def->generator != 0) {
2766 2766 struct keyed_hash *(*gen) (void);
2767 2767 struct keyed_hash *prf;
2768 2768
2769 2769 gen = (struct keyed_hash * (*)(void))def->generator;
2770 2770 prf = gen();
2771 2771 if (!prf)
2772 2772 plog(PLOG_INTERR, PLOGLOC, 0,
2773 2773 "failed creating prf\n");
2774 2774 return prf;
2775 2775 }
2776 2776 }
2777 2777 plog(PLOG_PROTOERR, PLOGLOC, 0, "unsupported prf code %d\n", code);
2778 2778 return 0;
2779 2779 }
2780 2780
2781 2781 /* find DH info by Transform ID */
2782 2782 struct algdef *
2783 2783 isakmp_dhinfo(unsigned int id, struct algdef *dhdef)
2784 2784 {
2785 2785 int i;
2786 2786 for (i = 0; dhdef[i].racoon_code != 0; ++i) {
2787 2787 if (dhdef[i].transform_id == id) {
2788 2788 return &dhdef[i];
2789 2789 }
2790 2790 }
2791 2791 return 0;
2792 2792 }
2793 2793
2794 2794 struct algdef *
2795 2795 ikev2_dhinfo(unsigned int id)
2796 2796 {
2797 2797 return isakmp_dhinfo(id, ikev2_transf_dh);
2798 2798 }
2799 2799
2800 2800 /* find DH info by Racoon conf code */
2801 2801 struct algdef *
2802 2802 isakmp_conf_to_dhdef(rc_type code, struct algdef *dhdef)
2803 2803 {
2804 2804 int i;
2805 2805 for (i = 0; dhdef[i].racoon_code != 0; ++i) {
2806 2806 if (code == dhdef[i].racoon_code)
2807 2807 return &dhdef[i];
2808 2808 }
2809 2809 return 0;
2810 2810 }
2811 2811
2812 2812 struct algdef *
2813 2813 ikev2_conf_to_dhdef(rc_type code)
2814 2814 {
2815 2815 return isakmp_conf_to_dhdef(code, ikev2_transf_dh);
2816 2816 }
2817 2817
2818 2818 /*
2819 2819 * choose a dh group from config
2820 2820 */
2821 2821 struct rc_alglist *
2822 2822 ike_conf_dhgrp(struct rcf_remote *conf, int version)
2823 2823 {
2824 2824 struct rc_alglist *grp = 0;
2825 2825 struct rcf_remote *def = 0;
2826 2826 extern struct rcf_default *rcf_default_head;
2827 2827
2828 2828 assert(conf != 0);
2829 2829 if (rcf_default_head)
2830 2830 def = rcf_default_head->remote;
2831 2831 if (version == 1) {
2832 2832 if (def && def->ikev1)
2833 2833 grp = def->ikev1->kmp_dh_group;
2834 2834 if (conf->ikev1 && conf->ikev1->kmp_dh_group)
2835 2835 grp = conf->ikev1->kmp_dh_group;
2836 2836 } else if (version == 2) {
2837 2837 if (def && def->ikev2)
2838 2838 grp = def->ikev2->kmp_dh_group;
2839 2839 if (conf->ikev2 && conf->ikev2->kmp_dh_group)
2840 2840 grp = conf->ikev2->kmp_dh_group;
2841 2841 } else {
2842 2842 return 0;
2843 2843 }
2844 2844 return grp;
2845 2845 }
2846 2846
2847 2847 /* construct new transform proppair */
2848 2848 static struct prop_pair *
2849 2849 transform_new(unsigned int type, unsigned int id, unsigned int keylen, int more)
2850 2850 {
2851 2851 struct prop_pair *transform = 0;
2852 2852 size_t trns_len;
2853 2853 struct ikev2transform *trns;
2854 2854
2855 2855 transform = proppair_new();
2856 2856 if (!transform)
2857 2857 goto fail;
2858 2858 trns_len = sizeof(struct isakmp_pl_t);
2859 2859 if (keylen > 0)
2860 2860 trns_len += sizeof(struct ikev2attrib);
2861 2861 trns = (struct ikev2transform *)racoon_malloc(trns_len);
2862 2862 if (!trns)
2863 2863 goto fail;
2864 2864 trns->more = more;
2865 2865 trns->reserved1 = 0;
2866 2866 put_uint16(&trns->transform_length, trns_len);
2867 2867 trns->transform_type = type;
2868 2868 trns->reserved2 = 0;
2869 2869 put_uint16(&trns->transform_id, id);
2870 2870 if (keylen > 0) {
2871 2871 struct ikev2attrib *attr;
2872 2872 attr = (struct ikev2attrib *)(trns + 1);
2873 2873 put_uint16(&attr->type,
2874 2874 IKEV2ATTRIB_SHORT | IKEV2ATTRIB_KEY_LENGTH);
2875 2875 put_uint16(&attr->l_or_v, keylen);
2876 2876 }
2877 2877
2878 2878 transform->trns = (struct isakmp_pl_t *)trns;
2879 2879
2880 2880 return transform;
2881 2881
2882 2882 fail:
2883 2883 if (transform)
2884 2884 proppair_discard(transform);
2885 2885 return 0;
2886 2886 }
2887 2887
2888 2888 /*
2889 2889 * convert alglist to prop_pair
2890 2890 * with IKEv2 transform ID space
2891 2891 */
2892 2892 static struct prop_pair *
2893 2893 alg_to_proppair(struct rc_alglist *alg, int type,
2894 2894 struct algdef *translation_table)
2895 2895 {
2896 2896 int code;
2897 2897 int keylen;
2898 2898
2899 2899 code = ikeconf_rcf_alg(alg->algtype, translation_table);
2900 2900 if (code == 0) {
2901 2901 isakmp_log(0, 0, 0, 0,
2902 2902 PLOG_INTERR, PLOGLOC,
2903 2903 "unsupported algorithm %s\n", rct2str(alg->algtype));
2904 2904 return 0;
2905 2905 }
2906 2906 keylen = ikev2_rcf_alg_keylen(type, alg, translation_table);
2907 2907
2908 2908 return transform_new(type, code, keylen, 0);
2909 2909 }
2910 2910
2911 2911 static struct prop_pair *
2912 2912 alglist_to_proppair(struct rc_alglist *alg, int type,
2913 2913 struct algdef *translation_table)
2914 2914 {
2915 2915 struct prop_pair *transform_head = 0;
2916 2916 struct prop_pair *transform;
2917 2917 struct prop_pair **tail;
2918 2918 int num_alg;
2919 2919
2920 2920 tail = &transform_head;
2921 2921 for (num_alg = 0; alg != 0; ++num_alg, alg = alg->next) {
2922 2922 transform = alg_to_proppair(alg, type, translation_table);
2923 2923 if (!transform)
2924 2924 goto fail;
2925 2925 *tail = transform;
2926 2926 tail = &transform->tnext;
2927 2927 }
2928 2928
2929 2929 return transform_head;
2930 2930
2931 2931 fail:
2932 2932 if (transform_head)
2933 2933 proppair_discard(transform_head);
2934 2934 return 0;
2935 2935 }
2936 2936
2937 2937 struct prop_pair **
2938 2938 ikev2_conf_to_proplist(struct rcf_remote *rminfo, isakmp_cookie_t spi)
2939 2939 {
2940 2940 struct rcf_kmp *kmp;
2941 2941 struct rcf_kmp *kmp_default;
2942 2942 struct rc_alglist *alglist;
2943 2943 struct prop_pair **result = 0;
2944 2944 struct prop_pair **tail;
2945 2945 size_t spi_size;
2946 2946 struct isakmp_pl_p *prop;
2947 2947 extern struct rcf_default *rcf_default_head;
2948 2948
2949 2949 if (!rminfo)
2950 2950 return 0;
2951 2951 if (!rminfo->ikev2)
2952 2952 return 0;
2953 2953
2954 2954 kmp = rminfo->ikev2;
2955 2955
2956 2956 kmp_default = 0;
2957 2957 if (rcf_default_head && rcf_default_head->remote
2958 2958 && rcf_default_head->remote->ikev2)
2959 2959 kmp_default = rcf_default_head->remote->ikev2;
2960 2960
2961 2961 /*
2962 2962 * with current config syntax, only single proposal can be generated
2963 2963 */
2964 2964
2965 2965 /*
2966 2966 *
2967 2967 * #1 --- Proto IKE
2968 2968 * |
2969 2969 * Transf-Transf-Transf----Transf
2970 2970 * PRF INTEG ENCR DH
2971 2971 * MD5 SHA1 3DES MODP1536
2972 2972 * | | | |
2973 2973 * PRF INTEG ENCR DH
2974 2974 * SHA1 MD5 AESCBC MODP1024
2975 2975 *
2976 2976 */
2977 2977
2978 2978 result = proplist_new();
2979 2979 if (!result)
2980 2980 goto fail_nomem;
2981 2981
2982 2982 result[1] = proppair_new();
2983 2983 if (!result[1])
2984 2984 goto fail_nomem;
2985 2985
2986 2986 if (spi) {
2987 2987 /* (draft-17)
2988 2988 * New initiator and responder SPIs are supplied in the SPI fields.
2989 2989 */
2990 2990 spi_size = sizeof(isakmp_cookie_t);
2991 2991 } else {
2992 2992 spi_size = 0; /* MUST be zero for IKE_SA negotiation */
2993 2993 }
2994 2994 prop = racoon_malloc(sizeof(struct isakmp_pl_p) + spi_size);
2995 2995 if (!prop)
2996 2996 goto fail_nomem;
2997 2997 prop->p_no = 1;
2998 2998 prop->proto_id = IKEV2PROPOSAL_IKE;
2999 2999 prop->spi_size = spi_size;
3000 3000 prop->num_t = 0;
3001 3001 if (spi_size > 0)
3002 3002 memcpy((uint8_t *)(prop + 1), spi, spi_size);
3003 3003
3004 3004 result[1]->prop = prop;
3005 3005 result[1]->trns = 0;
3006 3006
3007 3007 tail = &result[1]->tnext;
3008 3008
3009 3009 alglist = kmp->kmp_enc_alg;
3010 3010 if (!alglist && kmp_default)
3011 3011 alglist = kmp_default->kmp_enc_alg;
3012 3012 if (!alglist)
3013 3013 plog(PLOG_INTWARN, PLOGLOC, 0, "kmp_enc_alg list is empty\n");
3014 3014 *tail = alglist_to_proppair(alglist,
3015 3015 IKEV2TRANSFORM_TYPE_ENCR,
3016 3016 &ikev2_transf_encr[0]);
3017 3017 if (*tail)
3018 3018 tail = &(*tail)->next;
3019 3019
3020 3020 alglist = kmp->kmp_prf_alg;
3021 3021 if (!alglist && kmp_default)
3022 3022 alglist = kmp_default->kmp_prf_alg;
3023 3023 if (!alglist)
3024 3024 plog(PLOG_INTWARN, PLOGLOC, 0, "kmp_prf_alg list is empty\n");
3025 3025 *tail = alglist_to_proppair(alglist,
3026 3026 IKEV2TRANSFORM_TYPE_PRF,
3027 3027 &ikev2_transf_prf[0]);
3028 3028 if (*tail)
3029 3029 tail = &(*tail)->next;
3030 3030
3031 3031 alglist = kmp->kmp_hash_alg;
3032 3032 if (!alglist && kmp_default)
3033 3033 alglist = kmp_default->kmp_hash_alg;
3034 3034 if (!alglist)
3035 3035 plog(PLOG_INTWARN, PLOGLOC, 0, "kmp_hash_alg list is empty\n");
3036 3036 *tail = alglist_to_proppair(alglist,
3037 3037 IKEV2TRANSFORM_TYPE_INTEGR,
3038 3038 &ikev2_transf_integr[0]);
3039 3039 if (*tail)
3040 3040 tail = &(*tail)->next;
3041 3041
3042 3042 alglist = kmp->kmp_dh_group;
3043 3043 if (!alglist && kmp_default)
3044 3044 alglist = kmp_default->kmp_dh_group;
3045 3045 if (!alglist)
3046 3046 plog(PLOG_INTWARN, PLOGLOC, 0, "kmp_dh_group list is empty\n");
3047 3047 *tail = alglist_to_proppair(alglist,
3048 3048 IKEV2TRANSFORM_TYPE_DH,
3049 3049 &ikev2_transf_dh[0]);
3050 3050 if (*tail)
3051 3051 tail = &(*tail)->next;
3052 3052
3053 3053 return result;
3054 3054
3055 3055 fail:
3056 3056 if (result)
3057 3057 proplist_discard(result);
3058 3058 return 0;
3059 3059
3060 3060 fail_nomem:
3061 3061 isakmp_log(0, 0, 0, 0,
3062 3062 PLOG_INTERR, PLOGLOC, "failed allocating memory\n");
3063 3063 goto fail;
3064 3064 }
3065 3065
3066 3066 /*
3067 3067 * IPSEC config to proplist
3068 3068 *
3069 3069 * conf is a linked list of struct rcf_ipsec
3070 3070 */
3071 3071 struct prop_pair **
3072 3072 ikev2_ipsec_conf_to_proplist(struct ikev2_child_sa *child_sa,
3073 3073 int is_createchild)
3074 3074 {
3075 3075 struct rcf_ipsec *conf;
3076 3076 struct prop_pair **proplist = 0;
3077 3077 int proposal_number;
3078 3078
3079 3079 conf = child_sa->selector->pl->ips;
3080 3080
3081 3081 proplist = proplist_new();
3082 3082 if (!proplist)
3083 3083 goto fail_nomem;
3084 3084 for (proposal_number = 1; conf; ++proposal_number, conf = conf->next) {
3085 3085 struct prop_pair **prop_tail;
3086 3086 rc_type ext_sequence;
3087 3087 int need_pfs;
3088 3088
3089 3089 prop_tail = &proplist[proposal_number];
3090 3090
3091 3091 IPSEC_CONF(ext_sequence, conf, ext_sequence, RCT_BOOL_OFF);
3092 3092 #if 1
3093 3093 if (ext_sequence == RCT_BOOL_ON) {
3094 3094 isakmp_log(0, 0, 0, 0,
3095 3095 PLOG_INTWARN, PLOGLOC,
3096 3096 "Extended Sequence Number unsupported.\n");
3097 3097 }
3098 3098 #endif
3099 3099 need_pfs = (is_createchild &&
3100 3100 (ikev2_need_pfs(child_sa->parent->rmconf) == RCT_BOOL_ON));
3101 3101 if (conf->sa_ah) {
3102 3102 *prop_tail = ikev2_ipsec_sa_to_proplist(child_sa,
3103 3103 proposal_number,
3104 3104 conf->sa_ah,
3105 3105 IKEV2PROPOSAL_AH,
3106 3106 need_pfs,
3107 3107 ext_sequence);
3108 3108 if (!*prop_tail)
3109 3109 goto fail;
3110 3110 prop_tail = &(*prop_tail)->next;
3111 3111 }
3112 3112 if (conf->sa_esp) {
3113 3113 *prop_tail = ikev2_ipsec_sa_to_proplist(child_sa,
3114 3114 proposal_number,
3115 3115 conf->sa_esp,
3116 3116 IKEV2PROPOSAL_ESP,
3117 3117 need_pfs,
3118 3118 ext_sequence);
3119 3119 if (!*prop_tail)
3120 3120 goto fail;
3121 3121 prop_tail = &(*prop_tail)->next;
3122 3122 }
3123 3123 }
3124 3124
3125 3125 return proplist;
3126 3126
3127 3127 fail_nomem:
3128 3128 fail:
3129 3129 if (proplist)
3130 3130 proplist_discard(proplist);
3131 3131 return 0;
3132 3132 }
3133 3133
3134 3134 static struct prop_pair *
3135 3135 ikev2_ipsec_sa_to_proplist(struct ikev2_child_sa *child_sa,
3136 3136 int proposal_number,
3137 3137 struct rcf_sa *proto_info,
3138 3138 int proto_id, int need_pfs, rc_type esn)
3139 3139 {
3140 3140 const size_t ipsec_spi_size = sizeof(uint32_t);
3141 3141 struct prop_pair *prop_head;
3142 3142 struct isakmp_pl_p *prop;
3143 3143 struct prop_pair **tail;
3144 3144 struct rc_alglist *enc_alg;
3145 3145 struct rc_alglist *auth_alg;
3146 3146 /* struct rc_alglist * comp_alg; */
3147 3147
3148 3148 prop_head = proppair_new();
3149 3149 if (!prop_head)
3150 3150 goto fail_nomem;
3151 3151
3152 3152 prop = racoon_calloc(1, sizeof(struct isakmp_pl_p) + ipsec_spi_size);
3153 3153 if (!prop)
3154 3154 goto fail_nomem;
3155 3155
3156 3156 prop->h.len = htons(sizeof(struct isakmp_pl_p) + ipsec_spi_size);
3157 3157 prop->p_no = proposal_number;
3158 3158 prop->proto_id = proto_id;
3159 3159 prop->spi_size = ipsec_spi_size;
3160 3160 prop->num_t = 0; /* will be set when packing the packet */
3161 3161 put_uint32((uint32_t *)(prop + 1), proto_info->spi);
3162 3162
3163 3163 prop_head->prop = prop;
3164 3164
3165 3165 tail = &prop_head->tnext; /* link to tnext */
3166 3166
3167 3167 SA_CONF(enc_alg, proto_info, enc_alg, 0);
3168 3168 if (enc_alg) {
3169 3169 *tail = alglist_to_proppair(enc_alg,
3170 3170 IKEV2TRANSFORM_TYPE_ENCR,
3171 3171 &ikev2_transf_encr[0]);
3172 3172 if (!*tail) {
3173 3173 isakmp_log(0, 0, 0, 0,
3174 3174 PLOG_INTERR, PLOGLOC,
3175 3175 "failed converting enc_alg to proposal\n");
3176 3176 goto fail;
3177 3177 }
3178 3178 tail = &(*tail)->next; /* link to next */
3179 3179 }
3180 3180
3181 3181 SA_CONF(auth_alg, proto_info, auth_alg, 0);
3182 3182 if (auth_alg) {
3183 3183 *tail = alglist_to_proppair(auth_alg,
3184 3184 IKEV2TRANSFORM_TYPE_INTEGR,
3185 3185 &ikev2_transf_integr[0]);
3186 3186 if (!*tail) {
3187 3187 isakmp_log(0, 0, 0, 0,
3188 3188 PLOG_INTERR, PLOGLOC,
3189 3189 "failed converting auth_alg to proposal\n");
3190 3190 goto fail;
3191 3191 }
3192 3192 tail = &(*tail)->next;
3193 3193 }
3194 3194
3195 3195 if (need_pfs) {
3196 3196 *tail = alglist_to_proppair(ike_conf_dhgrp(child_sa->parent->rmconf,
3197 3197 IKEV2_MAJOR_VERSION),
3198 3198 IKEV2TRANSFORM_TYPE_DH,
3199 3199 &ikev2_transf_dh[0]);
3200 3200 if (!*tail) {
3201 3201 isakmp_log(0, 0, 0, 0,
3202 3202 PLOG_INTERR, PLOGLOC,
3203 3203 "failed converting kmp_dh_group\n");
3204 3204 goto fail;
3205 3205 }
3206 3206 tail = &(*tail)->next;
3207 3207 }
3208 3208
3209 3209 /*
3210 3210 * (RFC4718, section4.4)
3211 3211 * Extended Sequence Numbers (ESN) Transform
3212 3212 */
3213 3213 if (esn == RCT_BOOL_ON) {
3214 3214 *tail = transform_new(IKEV2TRANSFORM_TYPE_ESN,
3215 3215 IKEV2TRANSF_ESN_YES, 0,
3216 3216 IKEV2TRANSFORM_MORE);
3217 3217 if (!*tail)
3218 3218 goto fail_nomem;
3219 3219 tail = &(*tail)->next;
3220 3220 }
3221 3221 *tail = transform_new(IKEV2TRANSFORM_TYPE_ESN,
3222 3222 IKEV2TRANSF_ESN_NO, 0,
3223 3223 IKEV2TRANSFORM_LAST);
3224 3224 if (!*tail)
3225 3225 goto fail_nomem;
3226 3226 tail = &(*tail)->next;
3227 3227
3228 3228 return prop_head;
3229 3229
3230 3230 fail_nomem:
3231 3231 isakmp_log(0, 0, 0, 0,
3232 3232 PLOG_INTERR, PLOGLOC,
3233 3233 "memory allocation failure\n");
3234 3234 fail:
3235 3235 proppair_discard(prop_head);
3236 3236 return 0;
3237 3237 }
3238 3238
3239 3239 /*
3240 3240 * Transform ID value to RCF id
3241 3241 */
3242 3242 static struct algdef *
3243 3243 ikeconf_find_alg(unsigned int id, struct algdef *def)
3244 3244 {
3245 3245 for (; def->racoon_code != 0; ++def) {
3246 3246 if (def->transform_id == id)
3247 3247 return def;
3248 3248 }
3249 3249 return 0;
3250 3250 }
3251 3251
3252 3252 int
3253 3253 ikev2_proposal_to_ipsec(struct ikev2_child_sa *child_sa,
3254 3254 struct ikev2_child_param *child_param,
3255 3255 struct prop_pair *proposal,
3256 3256 int (*apply_func)(struct ikev2_child_sa *, struct rcpfk_msg *, void *),
3257 3257 void *data)
3258 3258 {
3259 3259 struct rcpfk_msg param;
3260 3260 struct prop_pair *proto;
3261 3261 int i;
3262 3262 int err;
3263 3263 static int header_order[] = {
3264 3264 IKEV2PROPOSAL_AH,
3265 3265 IKEV2PROPOSAL_ESP
3266 3266 };
3267 3267 const int BITS = 8;
3268 3268
3269 + (void) memset(¶m, 0, sizeof (param));
3269 3270 /*
3270 3271 * param fields assigned here:
3271 3272 * seq, samode, (reqid,) ul_proto,
3272 3273 * spi, satype, enctype, enckey, enckeylen, authtype, authkey, authkeylen,
3273 3274 *
3274 3275 * not assigned here (apply_func need to assign them if necessary):
3275 3276 * sa_src, pref_src, sa_dst, pref_dst,
3276 3277 * so, wsize, saflags, lft_hard_time, lft_hard_bytes, lft_soft_time, lft_soft_bytes
3277 3278 */
3278 3279
3279 3280 param.seq = child_sa->sadb_request.seqno;
3280 3281
3281 3282 /* for X_EXT_SA2 */
3282 3283 param.samode = child_param->use_transport_mode ?
3283 3284 RCT_IPSM_TRANSPORT : RCT_IPSM_TUNNEL;
3284 3285 param.reqid = child_sa->selector->reqid; /* ??? */
3285 3286
3286 3287 param.ul_proto = child_sa->selector->upper_layer_protocol;
3287 3288
3288 3289 /*
3289 3290 * (draft-17)
3290 3291 * If multiple IPsec protocols are negotiated, keying material is
3291 3292 * taken in the order in which the protocol headers will appear in
3292 3293 * the encapsulated packet.
3293 3294 */
3294 3295
3295 3296 for (i = 0; (size_t)i < ARRAYLEN(header_order); ++i) {
3296 3297 struct ikev2proposal *prop = 0;
3297 3298 struct prop_pair *t;
3298 3299
3299 3300 /* find the proposal for the protocol */
3300 3301 for (proto = proposal; proto; proto = proto->next) {
3301 3302 prop = (struct ikev2proposal *)proto->prop;
3302 3303 if (prop->protocol_id == header_order[i])
3303 3304 break;
3304 3305 }
3305 3306 if (!proto)
3306 3307 continue;
3307 3308
3308 3309 assert(prop != 0);
3309 3310 if (prop->spi_size != sizeof(uint32_t)) {
3310 3311 /* shouldn't happen */
3311 3312 isakmp_log(child_sa->parent, 0, 0, 0,
3312 3313 PLOG_INTERR, PLOGLOC,
3313 3314 "shouldn't happen (spi_size != 4)\n");
3314 3315 goto fail;
3315 3316 }
3316 3317
3317 3318 param.spi = *(uint32_t *)(prop + 1);
3318 3319 param.enctype = 0;
3319 3320 param.authtype = RCT_ALG_NON_AUTH;
3320 3321 param.enckeylen = param.authkeylen = 0;
3321 3322 param.enckey = param.authkey = 0;
3322 3323
3323 3324 switch (prop->protocol_id) {
3324 3325 case IKEV2PROPOSAL_ESP:
3325 3326 param.satype = RCT_SATYPE_ESP;
3326 3327 break;
3327 3328 case IKEV2PROPOSAL_AH:
3328 3329 param.satype = RCT_SATYPE_AH;
3329 3330 break;
3330 3331 default:
3331 3332 /* unexpected */
3332 3333 isakmp_log(child_sa->parent, 0, 0, 0,
3333 3334 PLOG_INTERR, PLOGLOC,
3334 3335 "unexpected prop->protocol_id (%d)\n",
3335 3336 prop->protocol_id);
3336 3337 break;
3337 3338 }
3338 3339
3339 3340 for (t = proto->tnext; t; t = t->next) {
3340 3341 struct ikev2transform *trns;
3341 3342 struct isakmp_data *attr;
3342 3343 size_t attr_bytes;
3343 3344 size_t alen;
3344 3345 uint16_t keylen;
3345 3346 struct algdef *alg;
3346 3347
3347 3348 if (t->tnext != 0) {
3348 3349 /* shouldn't happen; only one should have been singled out */
3349 3350 isakmp_log(child_sa->parent, 0, 0, 0,
3350 3351 PLOG_INTERR, PLOGLOC,
3351 3352 "shouldn't happen (%p != 0)\n",
3352 3353 t->tnext);
3353 3354 }
3354 3355 trns = (struct ikev2transform *)t->trns;
3355 3356 attr = (struct isakmp_data *)(trns + 1);
3356 3357
3357 3358 /* scan attributes */
3358 3359 keylen = 0;
3359 3360 for (attr_bytes = get_uint16(&trns->transform_length) -
3360 3361 sizeof(struct ikev2transform);
3361 3362 attr_bytes > 0;
3362 3363 attr_bytes -= alen) {
3363 3364 assert(attr_bytes >= sizeof(struct ikev2attrib));
3364 3365 switch (get_uint16(&attr->type)) {
3365 3366 case IKEV2ATTRIB_KEY_LENGTH | IKEV2ATTRIB_SHORT:
3366 3367 keylen = get_uint16(&attr->lorv);
3367 3368 break;
3368 3369 default:
3369 3370 /* shoundn't happen */
3370 3371 isakmp_log(child_sa->parent, 0, 0, 0,
3371 3372 PLOG_INTERR, PLOGLOC,
3372 3373 "unexpected attr type (%d)\n",
3373 3374 get_uint16(&attr->type));
3374 3375 break;
3375 3376 }
3376 3377 alen = ISAKMP_ATTRIBUTE_TOTALLENGTH(attr);
3377 3378 attr = ISAKMP_NEXT_ATTRIB(attr);
3378 3379 }
3379 3380
3380 3381 /* convert transform type */
3381 3382 switch (trns->transform_type) {
3382 3383 case IKEV2TRANSFORM_TYPE_ENCR:
3383 3384 alg = ikeconf_find_alg(get_uint16(&trns->transform_id),
3384 3385 &ikev2_transf_encr[0]);
3385 3386 if (!alg)
3386 3387 goto fail;
3387 3388 param.enctype = alg->racoon_code;
3388 3389 if (IS_PROTO_VARIABLE_KEYLEN(*alg)) {
3389 3390 if (keylen == 0)
3390 3391 isakmp_log(child_sa->parent, 0,
3391 3392 0, 0, PLOG_INTWARN,
3392 3393 PLOGLOC,
3393 3394 "keylen == 0 for variable key-length cipher (%s)\n",
3394 3395 rct2str(alg->racoon_code));
3395 3396 if (keylen % BITS != 0)
3396 3397 isakmp_log(child_sa->parent, 0,
3397 3398 0, 0, PLOG_INTWARN,
3398 3399 PLOGLOC,
3399 3400 "keylen %d is not multiple of 8\n",
3400 3401 keylen);
3401 3402 param.enckeylen = keylen / BITS;
3402 3403 } else {
3403 3404 if (keylen > 0)
3404 3405 isakmp_log(child_sa->parent, 0,
3405 3406 0, 0, PLOG_INTWARN,
3406 3407 PLOGLOC,
3407 3408 "keylen (%d) specified to fixed-length key cipher (%s)\n",
3408 3409 keylen,
3409 3410 rct2str(alg->racoon_code));
3410 3411 param.enckeylen = KEYLEN(*alg);
3411 3412 }
3412 3413
3413 3414 /* AES-CTR requires extra bytes */
3414 3415 param.enckeylen += alg->nonce_len;
3415 3416 break;
3416 3417
3417 3418 case IKEV2TRANSFORM_TYPE_INTEGR:
3418 3419 alg = ikeconf_find_alg(get_uint16
3419 3420 (&trns->transform_id),
3420 3421 &ikev2_transf_integr[0]);
3421 3422 if (!alg)
3422 3423 goto fail;
3423 3424 /* so far, no variable-key-length algorithm is defined */
3424 3425 if (keylen > 0) {
3425 3426 isakmp_log(child_sa->parent, 0, 0, 0,
3426 3427 PLOG_INTWARN, PLOGLOC,
3427 3428 "keylen (%d) specified to fixed-length key MAC (%s)\n",
3428 3429 keylen,
3429 3430 rct2str(alg->racoon_code));
3430 3431 }
3431 3432 param.authtype = alg->racoon_code;
3432 3433 param.authkeylen = alg->keylen;
3433 3434 break;
3434 3435 case IKEV2TRANSFORM_TYPE_DH:
3435 3436 break;
3436 3437 case IKEV2TRANSFORM_TYPE_ESN:
3437 3438 #ifdef notyet
3438 3439 /* *esn = get_uint16(&trns->transform_id); */
3439 3440 #else
3440 3441 if (get_uint16(&trns->transform_id) != IKEV2TRANSF_ESN_NO) {
3441 3442 isakmp_log(child_sa->parent, 0, 0, 0,
3442 3443 PLOG_PROTOERR, PLOGLOC,
3443 3444 "negotiated Extended Sequence Number is YES, but it is unsupported\n");
3444 3445 }
3445 3446 #endif
3446 3447 break;
3447 3448 default:
3448 3449 /* unsupported */
3449 3450 isakmp_log(child_sa->parent, 0, 0, 0,
3450 3451 PLOG_INTWARN, PLOGLOC,
3451 3452 "unexpected transform type (%d)\n",
3452 3453 trns->transform_type);
3453 3454 break;
3454 3455 }
3455 3456 }
3456 3457
3457 3458 /* then apply the function */
3458 3459 if ((err = apply_func(child_sa, ¶m, data)) != 0) {
3459 3460 isakmp_log(child_sa->parent, 0, 0, 0,
3460 3461 PLOG_INTERR, PLOGLOC,
3461 3462 "sadb error (%d)\n", err);
3462 3463 goto fail;
3463 3464 }
3464 3465 }
3465 3466 return 0;
3466 3467
3467 3468 fail:
3468 3469 return -1;
3469 3470 }
3470 3471
3471 3472 /*
3472 3473 * Check Configuration consistency
3473 3474 */
3474 3475 #ifdef IKEV1
3475 3476 static int
3476 3477 oakley_encdef_doi_keylen(rc_type type, int keylen)
3477 3478 {
3478 3479 int klen;
3479 3480
3480 3481 switch (type) {
3481 3482 case RCT_ALG_AES128_CBC:
3482 3483 klen = 128;
3483 3484 break;
3484 3485 case RCT_ALG_AES192_CBC:
3485 3486 klen = 192;
3486 3487 break;
3487 3488 case RCT_ALG_AES256_CBC:
3488 3489 klen = 256;
3489 3490 break;
3490 3491 default:
3491 3492 klen = keylen;
3492 3493 break;
3493 3494 }
3494 3495 return alg_oakley_encdef_keylen(alg_oakley_encdef_doi(type), klen);
3495 3496 }
3496 3497 #endif
3497 3498
3498 3499 #ifdef IKEV1
3499 3500 /* check ikev1 clause of remote section of configuration */
3500 3501 static void
3501 3502 ike_conf_check_ikev1(struct rcf_remote *rmconf, int *err, int *warn,
3502 3503 int is_default_clause)
3503 3504 {
3504 3505 struct rcf_kmp *kmp;
3505 3506 char *rm_index;
3506 3507 struct rc_alglist *kmp_auth_method;
3507 3508
3508 3509 if (is_default_clause)
3509 3510 rm_index = strdup("(default)");
3510 3511 else
3511 3512 rm_index = strdup(rc_vmem2str(rmconf->rm_index));
3512 3513
3513 3514 kmp = rmconf->ikev1;
3514 3515
3515 3516 if (is_default_clause) {
3516 3517 if (!kmp)
3517 3518 goto done;
3518 3519 } else {
3519 3520 if (!kmp) {
3520 3521 if (ike_acceptable_kmp(rmconf) & RCF_ALLOW_IKEV1) {
3521 3522 ++*err;
3522 3523 plog(PLOG_INTERR, PLOGLOC, 0,
3523 3524 "remote %s ikev1 is in acceptable_kmp but there's no ikev1 definition\n",
3524 3525 rm_index);
3525 3526 }
3526 3527 goto done;
3527 3528 }
3528 3529
3529 3530 if (!kmp->peers_ipaddr
3530 3531 || !kmp->peers_ipaddr->a.ipaddr) {
3531 3532 ++*err;
3532 3533 plog(PLOG_INTERR, PLOGLOC, 0,
3533 3534 "remote %s ikev1 lacks peers_ipaddr\n",
3534 3535 rm_index);
3535 3536 }
3536 3537
3537 3538 switch (ikev1_exchange_mode(rmconf)) {
3538 3539 case RCT_EXM_MAIN:
3539 3540 break;
3540 3541 case RCT_EXM_AGG:
3541 3542 case RCT_EXM_BASE:
3542 3543 default:
3543 3544 ++*err;
3544 3545 plog(PLOG_INTERR, PLOGLOC, 0,
3545 3546 "remote %s ikev1 exchange_mode %s not supported\n",
3546 3547 rm_index, rct2str(ikev1_exchange_mode(rmconf)));
3547 3548 break;
3548 3549 }
3549 3550
3550 3551 IKEV1_CONF(kmp_auth_method, rmconf, kmp_auth_method, 0);
3551 3552 if (kmp_auth_method == 0) {
3552 3553 ++*err;
3553 3554 plog(PLOG_INTERR, PLOGLOC, 0,
3554 3555 "remote %s lacks kmp_auth_method\n",
3555 3556 rm_index);
3556 3557 }
3557 3558 if (kmp_auth_method->next) {
3558 3559 ++*warn;
3559 3560 plog(PLOG_INTWARN, PLOGLOC, 0,
3560 3561 "remote %s ikev1 kmp_auth_method has multiple entries, only the first one is used.\n",
3561 3562 rm_index);
3562 3563 }
3563 3564
3564 3565 if (ikev1_exchange_mode(rmconf) == RCT_EXM_MAIN
3565 3566 && kmp_auth_method->algtype == RCT_ALG_PSK) {
3566 3567 struct rc_idlist *id;
3567 3568
3568 3569 for (id = kmp->peers_id; id; id = id->next) {
3569 3570 if (id->idtype != RCT_IDT_IPADDR) {
3570 3571 ++*err;
3571 3572 plog(PLOG_INTERR, PLOGLOC, 0,
3572 3573 "remote %s ikev1 peers_id must"
3573 3574 " be type ipaddr when using"
3574 3575 " exchange_mode main and"
3575 3576 " kmp_auth_method psk\n",
3576 3577 rm_index);
3577 3578 }
3578 3579 }
3579 3580 }
3580 3581 }
3581 3582
3582 3583 #define UNSUPPORTED(x) do { \
3583 3584 if (kmp->x) { \
3584 3585 ++*warn; \
3585 3586 plog(PLOG_INTWARN, PLOGLOC, 0, \
3586 3587 "remote %s ikev1 %s configuration field support is unimplemented, ignored\n", \
3587 3588 rm_index, #x); \
3588 3589 } \
3589 3590 } while (0)
3590 3591
3591 3592 UNSUPPORTED(selector_check);
3592 3593 UNSUPPORTED(random_padlen);
3593 3594 UNSUPPORTED(max_padlen);
3594 3595 UNSUPPORTED(max_retry_to_send);
3595 3596 UNSUPPORTED(kmp_sa_nego_time_limit);
3596 3597 UNSUPPORTED(peers_kmp_port);
3597 3598 #ifndef HAVE_GSSAPI
3598 3599 UNSUPPORTED(my_gssapi_id);
3599 3600 #endif
3600 3601
3601 3602 #undef UNSUPPORTED
3602 3603
3603 3604 if (!ikev1_kmp_enc_alg(rmconf)) {
3604 3605 ++*err;
3605 3606 plog(PLOG_INTERR, PLOGLOC, 0,
3606 3607 "remote %s ikev1 section lacks kmp_enc_alg\n",
3607 3608 rm_index);
3608 3609 } else {
3609 3610 struct rc_alglist *enc;
3610 3611
3611 3612 for (enc = ikev1_kmp_enc_alg(rmconf); enc; enc = enc->next) {
3612 3613 if (alg_oakley_encdef_doi(enc->algtype) == -1) {
3613 3614 ++*err;
3614 3615 plog(PLOG_INTERR, PLOGLOC, 0,
3615 3616 "remote %s ikev1 section, kmp_enc_alg %s is not supported\n",
3616 3617 rm_index, rct2str(enc->algtype));
3617 3618 } else if (oakley_encdef_doi_keylen(enc->algtype, enc->keylen) == -1) {
3618 3619 ++*err;
3619 3620 plog(PLOG_INTERR, PLOGLOC, 0,
3620 3621 "remote %s ikev1 section, kmp_enc_alg %s keylen %d is not supported\n",
3621 3622 rm_index, rct2str(enc->algtype),
3622 3623 enc->keylen);
3623 3624 }
3624 3625 }
3625 3626
3626 3627 }
3627 3628
3628 3629 if (!ikev1_kmp_hash_alg(rmconf)) {
3629 3630 ++*err;
3630 3631 plog(PLOG_INTERR, PLOGLOC, 0,
3631 3632 "remote %s ikev1 section lacks kmp_hash_alg\n",
3632 3633 rm_index);
3633 3634 } else {
3634 3635 struct rc_alglist *hash;
3635 3636
3636 3637 for (hash = ikev1_kmp_hash_alg(rmconf); hash; hash = hash->next) {
3637 3638 if (alg_oakley_hashdef_doi(hash->algtype) == -1) {
3638 3639 ++*err;
3639 3640 plog(PLOG_INTERR, PLOGLOC, 0,
3640 3641 "remote %s ikev1 section, kmp_hash_alg %s is not supported\n",
3641 3642 rm_index, rct2str(hash->algtype));
3642 3643 }
3643 3644 }
3644 3645 }
3645 3646
3646 3647 if (kmp->kmp_prf_alg) {
3647 3648 ++*warn;
3648 3649 plog(PLOG_INTWARN, PLOGLOC, 0,
3649 3650 "remote %s ikev1 section, kmp_prf_alg is not used for ikev1, ignored\n",
3650 3651 rm_index);
3651 3652 }
3652 3653
3653 3654 if (!ikev1_kmp_dh_group(rmconf)) {
3654 3655 ++*err;
3655 3656 plog(PLOG_INTERR, PLOGLOC, 0,
3656 3657 "remote %s ikev1 section lacks kmp_dh_group\n",
3657 3658 rm_index);
3658 3659 } else {
3659 3660 struct rc_alglist *dh;
3660 3661
3661 3662 for (dh = ikev1_kmp_dh_group(rmconf); dh; dh = dh->next) {
3662 3663 if (alg_oakley_dhdef_doi(dh->algtype) == -1) {
3663 3664 ++*err;
3664 3665 plog(PLOG_INTERR, PLOGLOC, 0,
3665 3666 "remote %s ikev1 section, kmp_dh_group %s is not supported\n",
3666 3667 rm_index, rct2str(dh->algtype));
3667 3668 }
3668 3669 }
3669 3670 }
3670 3671
3671 3672 done:
3672 3673 free(rm_index);
3673 3674 }
3674 3675 #endif
3675 3676
3676 3677 /* check ikev2 clause of remote section in configuration */
3677 3678 static void
3678 3679 ike_conf_check_ikev2(struct rcf_remote *rmconf, int *err, int *warn,
3679 3680 int is_default_clause)
3680 3681 {
3681 3682 struct rc_alglist *alg;
3682 3683 struct rcf_kmp *kmp;
3683 3684 char *rm_index;
3684 3685
3685 3686 if (is_default_clause)
3686 3687 rm_index = strdup("(default)");
3687 3688 else
3688 3689 rm_index = strdup(rc_vmem2str(rmconf->rm_index));
3689 3690
3690 3691 kmp = rmconf->ikev2;
3691 3692 if (is_default_clause) {
3692 3693 if (!kmp)
3693 3694 goto done;
3694 3695 } else {
3695 3696 struct rc_idlist *my_id;
3696 3697 struct rc_alglist *kmp_auth_method;
3697 3698
3698 3699 if (!kmp) {
3699 3700 if (ike_acceptable_kmp(rmconf) & RCF_ALLOW_IKEV2) {
3700 3701 ++*err;
3701 3702 plog(PLOG_INTERR, PLOGLOC, 0,
3702 3703 "remote %s ikev2 is in acceptable_kmp but there's no ikev2 definition\n",
3703 3704 rm_index);
3704 3705 }
3705 3706 goto done;
3706 3707 }
3707 3708
3708 3709 IKEV2_CONF(my_id, rmconf, my_id, 0);
3709 3710 if (!my_id) {
3710 3711 ++*err;
3711 3712 plog(PLOG_INTERR, PLOGLOC, 0,
3712 3713 "remote %s ikev2 section lacks my_id\n", rm_index);
3713 3714 }
3714 3715
3715 3716 IKEV2_CONF(kmp_auth_method, rmconf, kmp_auth_method, 0);
3716 3717 if (!kmp_auth_method) {
3717 3718 ++*err;
3718 3719 plog(PLOG_INTERR, PLOGLOC, 0,
3719 3720 "remote %s ikev2 section lacks auth_method\n",
3720 3721 rm_index);
3721 3722 }
3722 3723
3723 3724 for (alg = kmp_auth_method; alg; alg = alg->next) {
3724 3725 rc_vchar_t *pre_shared_key;
3725 3726 struct rc_pklist *peers_pubkey;
3726 3727
3727 3728 switch (alg->algtype) {
3728 3729 case RCT_ALG_PSK:
3729 3730 IKEV2_CONF(pre_shared_key, rmconf,
3730 3731 pre_shared_key, 0);
3731 3732 if (!pre_shared_key) {
3732 3733 ++*err;
3733 3734 plog(PLOG_INTERR, PLOGLOC, 0,
3734 3735 "remote %s ikev2 section specifies auth_method psk, but pre_shared_key is not specified\n",
3735 3736 rm_index);
3736 3737 } else {
3737 3738 const char *path;
3738 3739 int errcode;
3739 3740
3740 3741 path = rc_vmem2str(pre_shared_key);
3741 3742 if (!path) {
3742 3743 plog(PLOG_INTERR, PLOGLOC, 0,
3743 3744 "failed allocating memory\n");
3744 3745 ++*err;
3745 3746 break;
3746 3747 }
3747 3748
3748 3749 errcode = rc_safefile(path, 1);
3749 3750 switch (errcode) {
3750 3751 case 0:
3751 3752 break;
3752 3753 case -1:
3753 3754 ++*err;
3754 3755 plog(PLOG_INTERR, PLOGLOC, 0,
3755 3756 "remote %s ikev2 section, failed accessing pre_shared_key file %s\n",
3756 3757 rm_index, path);
3757 3758 break;
3758 3759 default:
3759 3760 ++*err;
3760 3761 plog(PLOG_INTERR, PLOGLOC, 0,
3761 3762 "remote %s ikev2 section, pre_shared_key file %s is not safe, code %d: %s\n",
3762 3763 rm_index, path, errcode,
3763 3764 rc_safefile_strerror(errcode));
3764 3765 break;
3765 3766 }
3766 3767 }
3767 3768 break;
3768 3769 case RCT_ALG_RSASIG:
3769 3770 case RCT_ALG_DSS:
3770 3771 IKEV2_CONF(peers_pubkey, rmconf, peers_pubkey,
3771 3772 0);
3772 3773 if (!peers_pubkey) {
3773 3774 ++*err;
3774 3775 plog(PLOG_INTERR, PLOGLOC, 0,
3775 3776 "remote %s ikev2 section specifies public key authentication, but peers_public_key is not specified\n",
3776 3777 rm_index);
3777 3778 }
3778 3779 break;
3779 3780 default:
3780 3781 ++*err;
3781 3782 plog(PLOG_INTERR, PLOGLOC, 0,
3782 3783 "remote %s ikev2 section specifies unsupported kmp_auth_method (%s)\n",
3783 3784 rm_index, rct2str(alg->algtype));
3784 3785 break;
3785 3786 }
3786 3787 }
3787 3788 }
3788 3789 #define UNSUPPORTED(x) do { \
3789 3790 if (kmp->x) { \
3790 3791 ++*warn; \
3791 3792 plog(PLOG_INTWARN, PLOGLOC, 0, \
3792 3793 "remote %s ikev2 %s configuration field support is unimplemented, ignored\n", \
3793 3794 rm_index, #x); \
3794 3795 } \
3795 3796 } while (0)
3796 3797
3797 3798 #define IGNORED(x) do { \
3798 3799 if (kmp->x) { \
3799 3800 ++*warn; \
3800 3801 plog(PLOG_INTWARN, PLOGLOC, 0, \
3801 3802 "remote %s ikev2 %s configuration field is ignored\n", \
3802 3803 rm_index, #x); \
3803 3804 } \
3804 3805 } while (0)
3805 3806
3806 3807 UNSUPPORTED(verify_pubkey);
3807 3808 UNSUPPORTED(send_cert);
3808 3809 UNSUPPORTED(send_cert_req);
3809 3810 UNSUPPORTED(support_proxy);
3810 3811 UNSUPPORTED(proposal_check);
3811 3812 UNSUPPORTED(kmp_sa_lifetime_byte);
3812 3813 UNSUPPORTED(ipsec_sa_nego_time_limit);
3813 3814 UNSUPPORTED(peers_kmp_port);
3814 3815 IGNORED(dpd);
3815 3816 IGNORED(dpd_retry);
3816 3817 IGNORED(dpd_maxfails);
3817 3818
3818 3819 /* The size of a Nonce MUST be between 16 and 256 octets inclusive. */
3819 3820 if (kmp->nonce_size != 0
3820 3821 && (kmp->nonce_size < IKEV2_NONCE_SIZE_MIN ||
3821 3822 kmp->nonce_size > IKEV2_NONCE_SIZE_MAX)) {
3822 3823 ++*err;
3823 3824 plog(PLOG_INTERR, PLOGLOC, 0,
3824 3825 "remote %s ikev2 nonce size (%d) is out of spec\n",
3825 3826 rm_index, kmp->nonce_size);
3826 3827 }
3827 3828
3828 3829 for (alg = kmp->kmp_enc_alg; alg; alg = alg->next) {
3829 3830 if (!is_alg_supported(alg->algtype, alg->keylen, &ikev2_transf_encr[0])) {
3830 3831 ++*err;
3831 3832 if (alg->keylen) {
3832 3833 plog(PLOG_INTERR, PLOGLOC, 0,
3833 3834 "remote %s ikev2 section, kmp_enc_alg %s keylen %d unsupported\n",
3834 3835 rm_index, rct2str(alg->algtype),
3835 3836 alg->keylen);
3836 3837 } else if (is_alg_variable_keylen(alg->algtype, &ikev2_transf_encr[0])) {
3837 3838 plog(PLOG_INTERR, PLOGLOC, 0,
3838 3839 "remote %s ikev2 section, kmp_enc_alg %s need key length value\n",
3839 3840 rm_index, rct2str(alg->algtype));
3840 3841 } else {
3841 3842 plog(PLOG_INTERR, PLOGLOC, 0,
3842 3843 "remote %s ikev2 section, kmp_enc_alg %s unsupported\n",
3843 3844 rm_index, rct2str(alg->algtype));
3844 3845 }
3845 3846 }
3846 3847 if (alg->key) {
3847 3848 ++*warn;
3848 3849 plog(PLOG_INTWARN, PLOGLOC, 0,
3849 3850 "remote %s ikev2 section, key string specified in kmp_enc_alg list, ignored\n",
3850 3851 rm_index);
3851 3852 }
3852 3853 }
3853 3854 for (alg = kmp->kmp_prf_alg; alg; alg = alg->next) {
3854 3855 if (!is_alg_supported(alg->algtype, alg->keylen, &ikev2_transf_prf[0])) {
3855 3856 ++*err;
3856 3857 if (alg->keylen) {
3857 3858 plog(PLOG_INTERR, PLOGLOC, 0,
3858 3859 "remote %s ikev2 section, kmp_prf_alg %s keylen %d unsupported\n",
3859 3860 rm_index, rct2str(alg->algtype),
3860 3861 alg->keylen);
3861 3862 } else if (is_alg_variable_keylen(alg->algtype, &ikev2_transf_prf[0])) {
3862 3863 plog(PLOG_INTERR, PLOGLOC, 0,
3863 3864 "remote %s ikev2 section, kmp_prf_alg %s need key length value\n",
3864 3865 rm_index, rct2str(alg->algtype));
3865 3866 } else {
3866 3867 plog(PLOG_INTERR, PLOGLOC, 0,
3867 3868 "remote %s ikev2 section, kmp_prf_alg %s unsupported\n",
3868 3869 rm_index, rct2str(alg->algtype));
3869 3870 }
3870 3871 }
3871 3872 if (alg->key) {
3872 3873 ++*warn;
3873 3874 plog(PLOG_INTWARN, PLOGLOC, 0,
3874 3875 "remote %s ikev2 section, key string specified in kmp_prf_alg list, ignored\n",
3875 3876 rm_index);
3876 3877 }
3877 3878 }
3878 3879 for (alg = kmp->kmp_hash_alg; alg; alg = alg->next) {
3879 3880 if (!is_alg_supported(alg->algtype, alg->keylen, &ikev2_transf_integr[0])) {
3880 3881 ++*err;
3881 3882 if (alg->keylen) {
3882 3883 plog(PLOG_INTERR, PLOGLOC, 0,
3883 3884 "remote %s ikev2 section, unsupported kmp_hash_alg %s keylen %d\n",
3884 3885 rm_index, rct2str(alg->algtype),
3885 3886 alg->keylen);
3886 3887 } else if (is_alg_variable_keylen(alg->algtype, &ikev2_transf_integr[0])) {
3887 3888 plog(PLOG_INTERR, PLOGLOC, 0,
3888 3889 "remote %s ikev2 section, kmp_hash_alg %s need key length value\n",
3889 3890 rm_index, rct2str(alg->algtype));
3890 3891 } else {
3891 3892 plog(PLOG_INTERR, PLOGLOC, 0,
3892 3893 "remote %s ikev2 section, unsupported kmp_hash_alg %s\n",
3893 3894 rm_index, rct2str(alg->algtype));
3894 3895 }
3895 3896 }
3896 3897 if (alg->key) {
3897 3898 ++*warn;
3898 3899 plog(PLOG_INTWARN, PLOGLOC, 0,
3899 3900 "remote %s ikev2 section, key string specified for kmp_auth_alg list, ignored\n",
3900 3901 rm_index);
3901 3902 }
3902 3903 }
3903 3904 for (alg = kmp->kmp_dh_group; alg; alg = alg->next) {
3904 3905 if (!is_alg_supported(alg->algtype, 0, &ikev2_transf_dh[0])) {
3905 3906 ++*err;
3906 3907 plog(PLOG_INTERR, PLOGLOC, 0,
3907 3908 "remote %s ikev2 section, kmp_dh_group %s unsupported\n",
3908 3909 rm_index, rct2str(alg->algtype));
3909 3910 }
3910 3911 if (alg->keylen) {
3911 3912 ++*warn;
3912 3913 plog(PLOG_INTWARN, PLOGLOC, 0,
3913 3914 "remote %s ikev2 section, key length specified for kmp_dh_group list, ignored\n",
3914 3915 rm_index);
3915 3916 }
3916 3917 if (alg->key) {
3917 3918 ++*warn;
3918 3919 plog(PLOG_INTWARN, PLOGLOC, 0,
3919 3920 "remote %s ikev2 section, key string specified for kmp_dh_group list, ignored\n",
3920 3921 rm_index);
3921 3922 }
3922 3923 }
3923 3924
3924 3925 done:
3925 3926 free(rm_index);
3926 3927 }
3927 3928
3928 3929 /* check remote section of configuration */
3929 3930 static void
3930 3931 ike_conf_check_remote(struct rcf_remote *r, int *err, int *warn,
3931 3932 int is_default_clause)
3932 3933 {
3933 3934 #if !defined(IKEV1)
3934 3935 if ((ike_acceptable_kmp(r) & RCF_ALLOW_IKEV1)
3935 3936 || r->ikev1) {
3936 3937 ++*err;
3937 3938 plog(PLOG_INTERR, PLOGLOC, 0,
3938 3939 "iked does not support IKEv1\n");
3939 3940 }
3940 3941 #else
3941 3942 ike_conf_check_ikev1(r, err, warn, is_default_clause);
3942 3943 #endif
3943 3944 ike_conf_check_ikev2(r, err, warn, is_default_clause);
3944 3945 }
3945 3946
3946 3947 static void
3947 3948 ike_conf_check_policy(struct rcf_policy *policy, int *err, int *warn,
3948 3949 int is_default_clause)
3949 3950 {
3950 3951 const char *pl_index;
3951 3952 struct rc_addrlist *addr;
3952 3953
3953 3954 if (is_default_clause)
3954 3955 pl_index = "(default)";
3955 3956 else
3956 3957 pl_index = rc_vmem2str(policy->pl_index);
3957 3958
3958 3959 if (policy->peers_sa_ipaddr) {
3959 3960 addr = policy->peers_sa_ipaddr;
3960 3961 switch (addr->type) {
3961 3962 case RCT_ADDR_INET:
3962 3963 case RCT_ADDR_MACRO:
3963 3964 break;
3964 3965 default:
3965 3966 ++*err;
3966 3967 plog(PLOG_INTERR, PLOGLOC, 0,
3967 3968 "unsupported type of address (%s) in peers_sa_ipaddr of policy %s\n",
3968 3969 rct2str(addr->type), pl_index);
3969 3970 break;
3970 3971 }
3971 3972 if (addr->next) {
3972 3973 ++*warn;
3973 3974 plog(PLOG_INTWARN, PLOGLOC, 0,
3974 3975 "multiple addresses in peers_sa_ipaddr of policy %s\n",
3975 3976 pl_index);
3976 3977 }
3977 3978 }
3978 3979
3979 3980 if (policy->my_sa_ipaddr) {
3980 3981 addr = policy->my_sa_ipaddr;
3981 3982 switch (addr->type) {
3982 3983 case RCT_ADDR_INET:
3983 3984 case RCT_ADDR_MACRO:
3984 3985 break;
3985 3986 default:
3986 3987 ++*err;
3987 3988 plog(PLOG_INTERR, PLOGLOC, 0,
3988 3989 "unsupported type of address (%s) in my_sa_ipaddr of policy %s\n",
3989 3990 rct2str(addr->type), pl_index);
3990 3991 break;
3991 3992 }
3992 3993 if (addr->next) {
3993 3994 ++*warn;
3994 3995 plog(PLOG_INTWARN, PLOGLOC, 0,
3995 3996 "multiple addresses in my_sa_ipaddr of policy %s\n",
3996 3997 pl_index);
3997 3998 }
3998 3999 }
3999 4000 }
4000 4001
4001 4002 static void
4002 4003 ike_conf_check_sa(struct rcf_sa *sa, int *err, int *warn, int is_default_clause)
4003 4004 {
4004 4005 struct rc_alglist *alg;
4005 4006 const char *sa_index;
4006 4007
4007 4008 if (!sa)
4008 4009 return;
4009 4010
4010 4011 if (is_default_clause)
4011 4012 sa_index = "(default)";
4012 4013 else
4013 4014 sa_index = rc_vmem2str(sa->sa_index);
4014 4015
4015 4016 /* check sa section */
4016 4017 if (!is_default_clause) {
4017 4018 rc_type sa_protocol;
4018 4019 struct rc_alglist *enc_alg;
4019 4020 struct rc_alglist *auth_alg;
4020 4021 struct rc_alglist *comp_alg;
4021 4022
4022 4023 SA_CONF(sa_protocol, sa, sa_protocol, 0);
4023 4024 SA_CONF(enc_alg, sa, enc_alg, 0);
4024 4025 SA_CONF(auth_alg, sa, auth_alg, 0);
4025 4026 SA_CONF(comp_alg, sa, comp_alg, 0);
4026 4027
4027 4028 switch (sa_protocol) {
4028 4029 case 0:
4029 4030 ++*err;
4030 4031 plog(PLOG_INTERR, PLOGLOC, 0,
4031 4032 "sa %s does not have sa_protocol field\n",
4032 4033 sa_index);
4033 4034 break;
4034 4035 case RCT_SATYPE_ESP:
4035 4036 if (!enc_alg) {
4036 4037 ++*err;
4037 4038 plog(PLOG_INTERR, PLOGLOC, 0,
4038 4039 "sa %s is ESP but enc_alg is not specified\n",
4039 4040 sa_index);
4040 4041 }
4041 4042 if (!auth_alg) {
4042 4043 ++*err;
4043 4044 plog(PLOG_INTERR, PLOGLOC, 0,
4044 4045 "sa %s does not have auth_alg list\n",
4045 4046 sa_index);
4046 4047 }
4047 4048 if (sa->comp_alg) {
4048 4049 ++*warn;
4049 4050 plog(PLOG_INTWARN, PLOGLOC, 0,
4050 4051 "sa %s specifies comp_alg, ignored\n",
4051 4052 sa_index);
4052 4053 }
4053 4054 break;
4054 4055 case RCT_SATYPE_AH:
4055 4056 if (sa->enc_alg) {
4056 4057 ++*warn;
4057 4058 plog(PLOG_INTWARN, PLOGLOC, 0,
4058 4059 "sa %s specifies enc_alg, ignored\n",
4059 4060 sa_index);
4060 4061 }
4061 4062 if (!auth_alg) {
4062 4063 ++*err;
4063 4064 plog(PLOG_INTERR, PLOGLOC, 0,
4064 4065 "sa %s does not have auth_alg list\n",
4065 4066 sa_index);
4066 4067 }
4067 4068 if (sa->comp_alg) {
4068 4069 ++*warn;
4069 4070 plog(PLOG_INTERR, PLOGLOC, 0,
4070 4071 "sa %s specifies comp_alg, ignored\n",
4071 4072 sa_index);
4072 4073 }
4073 4074 break;
4074 4075 case RCT_SATYPE_IPCOMP:
4075 4076 if (!comp_alg) {
4076 4077 ++*err;
4077 4078 plog(PLOG_INTERR, PLOGLOC, 0,
4078 4079 "sa %s does not have comp_alg list\n",
4079 4080 sa_index);
4080 4081 }
4081 4082 if (sa->enc_alg) {
4082 4083 ++*warn;
4083 4084 plog(PLOG_INTWARN, PLOGLOC, 0,
4084 4085 "sa %s specifies enc_alg, ignored\n",
4085 4086 sa_index);
4086 4087 }
4087 4088 if (sa->auth_alg) {
4088 4089 ++*warn;
4089 4090 plog(PLOG_INTWARN, PLOGLOC, 0,
4090 4091 "sa %s specifies auth_alg, ignored\n",
4091 4092 sa_index);
4092 4093 }
4093 4094 default:
4094 4095 ++*err;
4095 4096 plog(PLOG_INTERR, PLOGLOC, 0,
4096 4097 "sa %s is unsupported protocol (type %s)\n",
4097 4098 sa_index, rct2str(sa->sa_protocol));
4098 4099 break;
4099 4100 }
4100 4101 }
4101 4102 #ifdef DEBUG
4102 4103 if (debug_pfkey)
4103 4104 return;
4104 4105 #endif
4105 4106
4106 4107 for (alg = sa->enc_alg; alg; alg = alg->next) {
4107 4108 if (!rcpfk_supported_enc(alg->algtype)) {
4108 4109 ++*err;
4109 4110 plog(PLOG_INTERR, PLOGLOC, 0,
4110 4111 "sa %s enc_alg %s not supported by kernel\n",
4111 4112 sa_index, rct2str(alg->algtype));
4112 4113 }
4113 4114 }
4114 4115 for (alg = sa->auth_alg; alg; alg = alg->next) {
4115 4116 if (!rcpfk_supported_auth(alg->algtype)) {
4116 4117 ++*err;
4117 4118 plog(PLOG_INTERR, PLOGLOC, 0,
4118 4119 "sa %s auth_alg %s not supported by kernel\n",
4119 4120 sa_index, rct2str(alg->algtype));
4120 4121 }
4121 4122 }
4122 4123 #ifdef notyet
4123 4124 for (alg = sa->comp_alg; alg; alg = alg->next) {
4124 4125 if (!rcpfk_supported_comp(alg->algtype)) {
4125 4126 ++*err;
4126 4127 plog(PLOG_INTERR, PLOGLOC, 0,
4127 4128 "sa %s comp_alg %s not supported by kernel\n",
4128 4129 sa_index, rct2str(alg->algtype));
4129 4130 }
4130 4131 }
4131 4132 #endif
4132 4133 }
4133 4134
4134 4135 static void
4135 4136 ike_conf_check_ipsec(struct rcf_ipsec *ips, int *err, int *warn,
4136 4137 int is_default_clause)
4137 4138 {
4138 4139 const char *ips_index;
4139 4140
4140 4141 if (!ips)
4141 4142 return;
4142 4143
4143 4144 if (is_default_clause)
4144 4145 ips_index = "(default)";
4145 4146 else
4146 4147 ips_index = rc_vmem2str(ips->ips_index);
4147 4148
4148 4149 if (ips->ext_sequence == RCT_BOOL_ON) {
4149 4150 ++*warn;
4150 4151 plog(PLOG_INTWARN, PLOGLOC, 0,
4151 4152 "ipsec %s ext_sequence is specified but it is not suported\n",
4152 4153 ips_index);
4153 4154 }
4154 4155 }
4155 4156
4156 4157 /* check configuration */
4157 4158 int
4158 4159 ike_conf_check_consistency(void)
4159 4160 {
4160 4161 int error = 0;
4161 4162 int warn = 0;
4162 4163 struct rcf_remote *r;
4163 4164 struct rcf_selector **prevselp, *selector;
4164 4165 struct rcf_policy *policy;
4165 4166 struct rcf_ipsec *ipsec;
4166 4167 extern struct rcf_default *rcf_default_head;
4167 4168 extern struct rcf_remote *rcf_remote_head;
4168 4169 extern struct rcf_selector *rcf_selector_head;
4169 4170
4170 4171 TRACE((PLOGLOC, "checking configuration\n"));
4171 4172
4172 4173 if (rcf_default_head) {
4173 4174 if (rcf_default_head->remote)
4174 4175 ike_conf_check_remote(rcf_default_head->remote, &error,
4175 4176 &warn, TRUE);
4176 4177 if (rcf_default_head->policy)
4177 4178 ike_conf_check_policy(rcf_default_head->policy, &error,
4178 4179 &warn, TRUE);
4179 4180 if (rcf_default_head->ipsec)
4180 4181 ike_conf_check_ipsec(rcf_default_head->ipsec, &error,
4181 4182 &warn, TRUE);
4182 4183 if (rcf_default_head->sa)
4183 4184 ike_conf_check_sa(rcf_default_head->sa, &error, &warn,
4184 4185 TRUE);
4185 4186 }
4186 4187
4187 4188 for (r = rcf_remote_head; r; r = r->next) {
4188 4189 assert(r->rm_index);
4189 4190 ike_conf_check_remote(r, &error, &warn, FALSE);
4190 4191 }
4191 4192
4192 4193 /* check selector section */
4193 4194 for (prevselp = &rcf_selector_head;
4194 4195 (selector = *prevselp) != 0;
4195 4196 prevselp = *prevselp ? &(*prevselp)->next : prevselp) {
4196 4197 rc_type action;
4197 4198
4198 4199 #ifdef notyet
4199 4200 for each addr {
4200 4201 if (type != RCT_ADDR_INET)
4201 4202 unsupported;
4202 4203 }
4203 4204 #endif
4204 4205
4205 4206 #ifdef notyet
4206 4207 if (s->addrpool && ipsec_mode == transport) {
4207 4208 ++error;
4208 4209 plog(PLOG_INTERR, PLOGLOC, 0,
4209 4210 "selector %s address pool is for tunnel mode only\n",
4210 4211 rc_vmem2str(selector->sl_index));
4211 4212 }
4212 4213 #endif
4213 4214
4214 4215 /* check policy section */
4215 4216 policy = selector->pl;
4216 4217 if (!policy) {
4217 4218 ++error;
4218 4219 plog(PLOG_INTERR, PLOGLOC, 0,
4219 4220 "selector %s lacks policy_index\n",
4220 4221 rc_vmem2str(selector->sl_index));
4221 4222 continue;
4222 4223 }
4223 4224
4224 4225 action = policy->action;
4225 4226 if (!action)
4226 4227 POLICY_DEFAULT(action, action, 0);
4227 4228 switch (action) {
4228 4229 case 0:
4229 4230 ++error;
4230 4231 plog(PLOG_INTERR, PLOGLOC, 0,
4231 4232 "policy %s lacks action field\n",
4232 4233 rc_vmem2str(policy->pl_index));
4233 4234 continue;
4234 4235 case RCT_ACT_AUTO_IPSEC:
4235 4236 break;
4236 4237 default:
4237 4238 TRACE((PLOGLOC, "skipping selector %s\n",
4238 4239 rc_vmem2str(selector->sl_index)));
4239 4240 *prevselp = selector->next;
4240 4241 rcf_free_selector(selector);
4241 4242 continue;
4242 4243 }
4243 4244 /* policy->ipsec_level: iked does not care */
4244 4245
4245 4246 ike_conf_check_policy(policy, &error, &warn, FALSE);
4246 4247
4247 4248 /* check ipsec section */
4248 4249 for (ipsec = policy->ips; ipsec; ipsec = ipsec->next) {
4249 4250 ike_conf_check_ipsec(ipsec, &error, &warn, FALSE);
4250 4251 ike_conf_check_sa(ipsec->sa_ah, &error, &warn, FALSE);
4251 4252 ike_conf_check_sa(ipsec->sa_esp, &error, &warn, FALSE);
4252 4253 ike_conf_check_sa(ipsec->sa_ipcomp, &error, &warn,
4253 4254 FALSE);
4254 4255 }
4255 4256 }
4256 4257
4257 4258 if (error > 0) {
4258 4259 plog(PLOG_INTERR, PLOGLOC, 0,
4259 4260 "configuration errors: %d, warnings: %d\n", error, warn);
4260 4261 return -1;
4261 4262 } else if (warn > 0) {
4262 4263 plog(PLOG_INTWARN, PLOGLOC, 0,
4263 4264 "configuration errors: %d, warnings: %d\n", error, warn);
4264 4265 return 0;
4265 4266 }
4266 4267 return 0;
4267 4268 }
4268 4269
4269 4270 struct sockaddr *
4270 4271 ike_determine_sa_endpoint(struct sockaddr_storage *ss,
4271 4272 struct rc_addrlist *config_ipaddr,
4272 4273 struct sockaddr *actual_addr)
4273 4274 {
4274 4275 struct rc_addrlist *addrlist;
4275 4276 struct sockaddr *addr;
4276 4277
4277 4278 if (!config_ipaddr)
4278 4279 return actual_addr;
4279 4280
4280 4281 switch (config_ipaddr->type) {
4281 4282 case RCT_ADDR_INET:
4282 4283 memcpy(ss, config_ipaddr->a.ipaddr,
4283 4284 SOCKADDR_LEN(config_ipaddr->a.ipaddr));
4284 4285 addr = (struct sockaddr *)ss;
4286 +#ifdef sun
4287 + /*
4288 + * XXX KEBE SAYS we need the port from the "policy". This, of
4289 + * course, goes to hell when we introduce tunnel- mode into
4290 + * the mix, and config_ipaddr is != actual_addr. The IKEv1
4291 + * callers of this are restricted to ikev1/pfkey.c, and the
4292 + * IKEv2 callers are restricted to ikev2_child.c. Hopefully
4293 + * those callers can account for tunnel-mode or
4294 + * transport-mode. :)
4295 + */
4296 +#else
4285 4297 if (!set_port(addr, extract_port(actual_addr))) {
4286 4298 plog(PLOG_INTERR, PLOGLOC, 0, "set_port failed\n");
4287 4299 return NULL;
4288 4300 }
4301 +#endif
4289 4302 break;
4290 4303
4291 4304 case RCT_ADDR_MACRO:
4292 4305 if (rcs_is_addr_rw(config_ipaddr))
4293 4306 return actual_addr;
4294 4307
4295 4308 if (rcs_getaddrlistbymacro(config_ipaddr->a.vstr,
4296 4309 &addrlist) != 0) {
4297 4310 plog(PLOG_INTERR, PLOGLOC, 0,
4298 4311 "macro %.*s expansion failure\n",
4299 4312 (int)config_ipaddr->a.vstr->l,
4300 4313 config_ipaddr->a.vstr->v);
4301 4314 return NULL;
4302 4315 }
4303 4316 if (addrlist->next)
4304 4317 plog(PLOG_INTWARN, PLOGLOC, 0,
4305 4318 "macro expands to multiple addresses, "
4306 4319 "only the first one is used.\n");
4307 4320
4308 4321 memcpy(ss, addrlist->a.ipaddr,
4309 4322 SOCKADDR_LEN(addrlist->a.ipaddr));
4310 4323 rcs_free_addrlist(addrlist);
4311 4324 addr = (struct sockaddr *)ss;
4325 +#ifdef sun
4326 + /*
4327 + * XXX KEBE SAYS we need the port from the "policy". This, of
4328 + * course, goes to hell when we introduce tunnel- mode into
4329 + * the mix, and config_ipaddr is != actual_addr. The IKEv1
4330 + * callers of this are restricted to ikev1/pfkey.c, and the
4331 + * IKEv2 callers are restricted to ikev2_child.c. Hopefully
4332 + * those callers can account for tunnel-mode or
4333 + * transport-mode. :)
4334 + */
4335 +#else
4312 4336 if (!set_port(addr, extract_port(actual_addr))) {
4313 4337 plog(PLOG_INTERR, PLOGLOC, 0, "set_port failed\n");
4314 4338 return NULL;
4315 4339 }
4340 +#endif
4316 4341 break;
4317 -
4318 4342 default:
4319 4343 plog(PLOG_INTERR, PLOGLOC, 0,
4320 4344 "my_sa_ipaddr or peers_sa_ipaddr is "
4321 4345 "unsupported address type (type %s)\n",
4322 4346 rct2str(config_ipaddr->type));
4323 4347 return NULL;
4324 4348 }
4325 4349
4326 4350 return addr;
4327 4351 }