1 /* $OpenBSD: ipsec.c,v 1.121 2005/06/25 23:20:43 hshoexer Exp $ */
2 /* $EOM: ipsec.c,v 1.143 2000/12/11 23:57:42 niklas Exp $ */
3
4 /*
5 * Copyright (c) 1998, 1999, 2000, 2001 Niklas Hallqvist. All rights reserved.
6 * Copyright (c) 2001 Angelos D. Keromytis. All rights reserved.
7 * Copyright (c) 2001 H�kan Olsson. All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 *
18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
19 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
20 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
21 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
22 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
23 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
24 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
25 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
27 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 */
29
30 /*
31 * This code was written under funding by Ericsson Radio Systems.
32 */
33
34 #include <sys/types.h>
35 #include <sys/socket.h>
36 #include <netdb.h>
37 #include <netinet/in.h>
38 #include <arpa/inet.h>
39 #include <stdlib.h>
40 #include <string.h>
41
42 #include "sysdep.h"
43
44 #include "attribute.h"
45 #include "conf.h"
46 #include "constants.h"
47 #include "crypto.h"
48 #include "dh.h"
49 #include "doi.h"
50 #include "dpd.h"
51 #include "exchange.h"
52 #include "hash.h"
53 #include "ike_aggressive.h"
54 #include "ike_auth.h"
55 #include "ike_main_mode.h"
56 #include "ike_quick_mode.h"
57 #include "ipsec.h"
58 #include "ipsec_doi.h"
59 #include "isakmp.h"
60 #include "isakmp_cfg.h"
61 #include "isakmp_fld.h"
62 #include "isakmp_num.h"
63 #include "log.h"
64 #include "math_group.h"
65 #include "message.h"
66 #include "nat_traversal.h"
67 #include "pf_key_v2.h"
68 #include "prf.h"
69 #include "sa.h"
70 #include "timer.h"
71 #include "transport.h"
72 #include "util.h"
73 #include "x509.h"
74
75 extern int acquire_only;
76
77 /* Backwards compatibility. */
78 #ifndef NI_MAXHOST
79 #define NI_MAXHOST 1025
80 #endif
81
82 /* The replay window size used for all IPsec protocols if not overridden. */
83 #define DEFAULT_REPLAY_WINDOW 16
84
85 struct ipsec_decode_arg {
86 struct message *msg;
87 struct sa *sa;
88 struct proto *proto;
89 };
90
91 /* These variables hold the contacted peers ADT state. */
92 struct contact {
93 struct sockaddr *addr;
94 socklen_t len;
95 } *contacts = 0;
96 int contact_cnt = 0, contact_limit = 0;
97
98 static int addr_cmp(const void *, const void *);
99 static int ipsec_add_contact(struct message *);
100 static int ipsec_contacted(struct message *);
101 static int ipsec_debug_attribute(u_int16_t, u_int8_t *, u_int16_t,
102 void *);
103 static void ipsec_delete_spi(struct sa *, struct proto *, int);
104 static int16_t *ipsec_exchange_script(u_int8_t);
105 static void ipsec_finalize_exchange(struct message *);
106 static void ipsec_free_exchange_data(void *);
107 static void ipsec_free_proto_data(void *);
108 static void ipsec_free_sa_data(void *);
109 static struct keystate *ipsec_get_keystate(struct message *);
110 static u_int8_t *ipsec_get_spi(size_t *, u_int8_t, struct message *);
111 static int ipsec_handle_leftover_payload(struct message *, u_int8_t,
112 struct payload *);
113 static int ipsec_informational_post_hook(struct message *);
114 static int ipsec_informational_pre_hook(struct message *);
115 static int ipsec_initiator(struct message *);
116 static void ipsec_proto_init(struct proto *, char *);
117 static int ipsec_responder(struct message *);
118 static void ipsec_setup_situation(u_int8_t *);
119 static int ipsec_set_network(u_int8_t *, u_int8_t *, struct ipsec_sa *);
120 static size_t ipsec_situation_size(void);
121 static u_int8_t ipsec_spi_size(u_int8_t);
122 static int ipsec_validate_attribute(u_int16_t, u_int8_t *, u_int16_t,
123 void *);
124 static int ipsec_validate_exchange(u_int8_t);
125 static int ipsec_validate_id_information(u_int8_t, u_int8_t *, u_int8_t *,
126 size_t, struct exchange *);
127 static int ipsec_validate_key_information(u_int8_t *, size_t);
128 static int ipsec_validate_notification(u_int16_t);
129 static int ipsec_validate_proto(u_int8_t);
130 static int ipsec_validate_situation(u_int8_t *, size_t *, size_t);
131 static int ipsec_validate_transform_id(u_int8_t, u_int8_t);
132
133 static struct doi ipsec_doi = {
134 {0}, IPSEC_DOI_IPSEC,
135 sizeof(struct ipsec_exch), sizeof(struct ipsec_sa),
136 sizeof(struct ipsec_proto),
137 ipsec_debug_attribute,
138 ipsec_delete_spi,
139 ipsec_exchange_script,
140 ipsec_finalize_exchange,
141 ipsec_free_exchange_data,
142 ipsec_free_proto_data,
143 ipsec_free_sa_data,
144 ipsec_get_keystate,
145 ipsec_get_spi,
146 ipsec_handle_leftover_payload,
147 ipsec_informational_post_hook,
148 ipsec_informational_pre_hook,
149 ipsec_is_attribute_incompatible,
150 ipsec_proto_init,
151 ipsec_setup_situation,
152 ipsec_situation_size,
153 ipsec_spi_size,
154 ipsec_validate_attribute,
155 ipsec_validate_exchange,
156 ipsec_validate_id_information,
157 ipsec_validate_key_information,
158 ipsec_validate_notification,
159 ipsec_validate_proto,
160 ipsec_validate_situation,
161 ipsec_validate_transform_id,
162 ipsec_initiator,
163 ipsec_responder,
164 ipsec_decode_ids
165 };
166
167 int16_t script_quick_mode[] = {
168 ISAKMP_PAYLOAD_HASH, /* Initiator -> responder. */
169 ISAKMP_PAYLOAD_SA,
170 ISAKMP_PAYLOAD_NONCE,
171 EXCHANGE_SCRIPT_SWITCH,
172 ISAKMP_PAYLOAD_HASH, /* Responder -> initiator. */
173 ISAKMP_PAYLOAD_SA,
174 ISAKMP_PAYLOAD_NONCE,
175 EXCHANGE_SCRIPT_SWITCH,
176 ISAKMP_PAYLOAD_HASH, /* Initiator -> responder. */
177 EXCHANGE_SCRIPT_END
178 };
179
180 int16_t script_new_group_mode[] = {
181 ISAKMP_PAYLOAD_HASH, /* Initiator -> responder. */
182 ISAKMP_PAYLOAD_SA,
183 EXCHANGE_SCRIPT_SWITCH,
184 ISAKMP_PAYLOAD_HASH, /* Responder -> initiator. */
185 ISAKMP_PAYLOAD_SA,
186 EXCHANGE_SCRIPT_END
187 };
188
189 struct dst_spi_proto_arg {
190 struct sockaddr *dst;
191 u_int32_t spi;
192 u_int8_t proto;
193 };
194
195 /*
196 * Check if SA matches what we are asking for through V_ARG. It has to
197 * be a finished phase 2 SA.
198 * if "proto" arg is 0, match any proto
199 */
200 static int
ipsec_sa_check(struct sa * sa,void * v_arg)201 ipsec_sa_check(struct sa *sa, void *v_arg)
202 {
203 struct dst_spi_proto_arg *arg = v_arg;
204 struct proto *proto;
205 struct sockaddr *dst, *src;
206 int incoming;
207
208 if (sa->phase != 2 || !(sa->flags & SA_FLAG_READY))
209 return 0;
210
211 sa->transport->vtbl->get_dst(sa->transport, &dst);
212 if (memcmp(sockaddr_addrdata(dst), sockaddr_addrdata(arg->dst),
213 sockaddr_addrlen(dst)) == 0)
214 incoming = 0;
215 else {
216 sa->transport->vtbl->get_src(sa->transport, &src);
217 if (memcmp(sockaddr_addrdata(src), sockaddr_addrdata(arg->dst),
218 sockaddr_addrlen(src)) == 0)
219 incoming = 1;
220 else
221 return 0;
222 }
223
224 for (proto = TAILQ_FIRST(&sa->protos); proto;
225 proto = TAILQ_NEXT(proto, link))
226 if ((arg->proto == 0 || proto->proto == arg->proto) &&
227 memcmp(proto->spi[incoming], &arg->spi, sizeof arg->spi)
228 == 0)
229 return 1;
230 return 0;
231 }
232
233 /* Find an SA with a "name" of DST, SPI & PROTO. */
234 struct sa *
ipsec_sa_lookup(struct sockaddr * dst,u_int32_t spi,u_int8_t proto)235 ipsec_sa_lookup(struct sockaddr *dst, u_int32_t spi, u_int8_t proto)
236 {
237 struct dst_spi_proto_arg arg;
238
239 arg.dst = dst;
240 arg.spi = spi;
241 arg.proto = proto;
242 return sa_find(ipsec_sa_check, &arg);
243 }
244
245 /*
246 * Check if SA matches the flow of another SA in V_ARG. It has to
247 * be a finished non-replaced phase 2 SA.
248 * XXX At some point other selectors will matter here too.
249 */
250 static int
ipsec_sa_check_flow(struct sa * sa,void * v_arg)251 ipsec_sa_check_flow(struct sa *sa, void *v_arg)
252 {
253 struct sa *sa2 = v_arg;
254 struct ipsec_sa *isa = sa->data, *isa2 = sa2->data;
255
256 if (sa == sa2 || sa->phase != 2 ||
257 (sa->flags & (SA_FLAG_READY | SA_FLAG_REPLACED)) != SA_FLAG_READY)
258 return 0;
259
260 if (isa->tproto != isa2->tproto || isa->sport != isa2->sport ||
261 isa->dport != isa2->dport)
262 return 0;
263
264 return isa->src_net->sa_family == isa2->src_net->sa_family &&
265 memcmp(sockaddr_addrdata(isa->src_net),
266 sockaddr_addrdata(isa2->src_net),
267 sockaddr_addrlen(isa->src_net)) == 0 &&
268 memcmp(sockaddr_addrdata(isa->src_mask),
269 sockaddr_addrdata(isa2->src_mask),
270 sockaddr_addrlen(isa->src_mask)) == 0 &&
271 memcmp(sockaddr_addrdata(isa->dst_net),
272 sockaddr_addrdata(isa2->dst_net),
273 sockaddr_addrlen(isa->dst_net)) == 0 &&
274 memcmp(sockaddr_addrdata(isa->dst_mask),
275 sockaddr_addrdata(isa2->dst_mask),
276 sockaddr_addrlen(isa->dst_mask)) == 0;
277 }
278
279 /*
280 * Do IPsec DOI specific finalizations task for the exchange where MSG was
281 * the final message.
282 */
283 static void
ipsec_finalize_exchange(struct message * msg)284 ipsec_finalize_exchange(struct message *msg)
285 {
286 struct sa *isakmp_sa = msg->isakmp_sa;
287 struct ipsec_sa *isa;
288 struct exchange *exchange = msg->exchange;
289 struct ipsec_exch *ie = exchange->data;
290 struct sa *sa = 0, *old_sa;
291 struct proto *proto, *last_proto = 0;
292 char *addr1, *addr2, *mask1, *mask2;
293
294 switch (exchange->phase) {
295 case 1:
296 switch (exchange->type) {
297 case ISAKMP_EXCH_ID_PROT:
298 case ISAKMP_EXCH_AGGRESSIVE:
299 isa = isakmp_sa->data;
300 isa->hash = ie->hash->type;
301 isa->prf_type = ie->prf_type;
302 isa->skeyid_len = ie->skeyid_len;
303 isa->skeyid_d = ie->skeyid_d;
304 isa->skeyid_a = ie->skeyid_a;
305 /* Prevents early free of SKEYID_*. */
306 ie->skeyid_a = ie->skeyid_d = 0;
307
308 /*
309 * If a lifetime was negotiated setup the expiration
310 * timers.
311 */
312 if (isakmp_sa->seconds)
313 sa_setup_expirations(isakmp_sa);
314
315 if (isakmp_sa->flags & SA_FLAG_NAT_T_KEEPALIVE)
316 nat_t_setup_keepalive(isakmp_sa);
317 break;
318 }
319 break;
320
321 case 2:
322 switch (exchange->type) {
323 case IKE_EXCH_QUICK_MODE:
324 /*
325 * Tell the application(s) about the SPIs and key
326 * material.
327 */
328 for (sa = TAILQ_FIRST(&exchange->sa_list); sa;
329 sa = TAILQ_NEXT(sa, next)) {
330 isa = sa->data;
331
332 if (exchange->initiator) {
333 /*
334 * Initiator is source, responder is
335 * destination.
336 */
337 if (ipsec_set_network(ie->id_ci,
338 ie->id_cr, isa)) {
339 log_print(
340 "ipsec_finalize_exchange: "
341 "ipsec_set_network "
342 "failed");
343 return;
344 }
345 } else {
346 /*
347 * Responder is source, initiator is
348 * destination.
349 */
350 if (ipsec_set_network(ie->id_cr,
351 ie->id_ci, isa)) {
352 log_print(
353 "ipsec_finalize_exchange: "
354 "ipsec_set_network "
355 "failed");
356 return;
357 }
358 }
359
360 for (proto = TAILQ_FIRST(&sa->protos),
361 last_proto = 0; proto;
362 proto = TAILQ_NEXT(proto, link)) {
363 if (pf_key_v2_set_spi(sa, proto,
364 0, isakmp_sa) ||
365 (last_proto &&
366 pf_key_v2_group_spis(sa,
367 last_proto, proto, 0)) ||
368 pf_key_v2_set_spi(sa, proto,
369 1, isakmp_sa) ||
370 (last_proto &&
371 pf_key_v2_group_spis(sa,
372 last_proto, proto, 1)))
373 /*
374 * XXX Tear down this
375 * exchange.
376 */
377 return;
378 last_proto = proto;
379 }
380
381 if (sockaddr2text(isa->src_net, &addr1, 0))
382 addr1 = 0;
383 if (sockaddr2text(isa->src_mask, &mask1, 0))
384 mask1 = 0;
385 if (sockaddr2text(isa->dst_net, &addr2, 0))
386 addr2 = 0;
387 if (sockaddr2text(isa->dst_mask, &mask2, 0))
388 mask2 = 0;
389
390 LOG_DBG((LOG_EXCHANGE, 50,
391 "ipsec_finalize_exchange: src %s %s "
392 "dst %s %s tproto %u sport %u dport %u",
393 addr1 ? addr1 : "<??\?>",
394 mask1 ? mask1 : "<??\?>",
395 addr2 ? addr2 : "<??\?>",
396 mask2 ? mask2 : "<??\?>",
397 isa->tproto, ntohs(isa->sport),
398 ntohs(isa->dport)));
399
400 if (addr1)
401 free(addr1);
402 if (mask1)
403 free(mask1);
404 if (addr2)
405 free(addr2);
406 if (mask2)
407 free(mask2);
408
409 /*
410 * If this is not an SA acquired by the
411 * kernel, it needs to have a SPD entry
412 * (a.k.a. flow) set up.
413 */
414 if (!(sa->flags & SA_FLAG_ONDEMAND ||
415 conf_get_str("General", "Acquire-Only") ||
416 acquire_only) &&
417 pf_key_v2_enable_sa(sa, isakmp_sa))
418 /* XXX Tear down this exchange. */
419 return;
420
421 /*
422 * Mark elder SAs with the same flow
423 * information as replaced.
424 */
425 while ((old_sa = sa_find(ipsec_sa_check_flow,
426 sa)) != 0)
427 sa_mark_replaced(old_sa);
428 }
429 break;
430 }
431 }
432 }
433
434 /* Set the client addresses in ISA from SRC_ID and DST_ID. */
435 static int
ipsec_set_network(u_int8_t * src_id,u_int8_t * dst_id,struct ipsec_sa * isa)436 ipsec_set_network(u_int8_t *src_id, u_int8_t *dst_id, struct ipsec_sa *isa)
437 {
438 int id;
439
440 /* Set source address/mask. */
441 id = GET_ISAKMP_ID_TYPE(src_id);
442 switch (id) {
443 case IPSEC_ID_IPV4_ADDR:
444 case IPSEC_ID_IPV4_ADDR_SUBNET:
445 isa->src_net = (struct sockaddr *)calloc(1,
446 sizeof(struct sockaddr_in));
447 if (!isa->src_net)
448 goto memfail;
449 isa->src_net->sa_family = AF_INET;
450 isa->src_net->sa_len = sizeof(struct sockaddr_in);
451
452 isa->src_mask = (struct sockaddr *)calloc(1,
453 sizeof(struct sockaddr_in));
454 if (!isa->src_mask)
455 goto memfail;
456 isa->src_mask->sa_family = AF_INET;
457 isa->src_mask->sa_len = sizeof(struct sockaddr_in);
458 break;
459
460 case IPSEC_ID_IPV6_ADDR:
461 case IPSEC_ID_IPV6_ADDR_SUBNET:
462 isa->src_net = (struct sockaddr *)calloc(1,
463 sizeof(struct sockaddr_in6));
464 if (!isa->src_net)
465 goto memfail;
466 isa->src_net->sa_family = AF_INET6;
467 isa->src_net->sa_len = sizeof(struct sockaddr_in6);
468
469 isa->src_mask = (struct sockaddr *)calloc(1,
470 sizeof(struct sockaddr_in6));
471 if (!isa->src_mask)
472 goto memfail;
473 isa->src_mask->sa_family = AF_INET6;
474 isa->src_mask->sa_len = sizeof(struct sockaddr_in6);
475 break;
476
477 case IPSEC_ID_IPV4_RANGE:
478 case IPSEC_ID_IPV6_RANGE:
479 case IPSEC_ID_DER_ASN1_DN:
480 case IPSEC_ID_DER_ASN1_GN:
481 case IPSEC_ID_KEY_ID:
482 default:
483 log_print("ipsec_set_network: ID type %d (%s) not supported",
484 id, constant_name(ipsec_id_cst, id));
485 return -1;
486 }
487
488 /* Net */
489 memcpy(sockaddr_addrdata(isa->src_net), src_id + ISAKMP_ID_DATA_OFF,
490 sockaddr_addrlen(isa->src_net));
491
492 /* Mask */
493 switch (id) {
494 case IPSEC_ID_IPV4_ADDR:
495 case IPSEC_ID_IPV6_ADDR:
496 memset(sockaddr_addrdata(isa->src_mask), 0xff,
497 sockaddr_addrlen(isa->src_mask));
498 break;
499 case IPSEC_ID_IPV4_ADDR_SUBNET:
500 case IPSEC_ID_IPV6_ADDR_SUBNET:
501 memcpy(sockaddr_addrdata(isa->src_mask), src_id +
502 ISAKMP_ID_DATA_OFF + sockaddr_addrlen(isa->src_net),
503 sockaddr_addrlen(isa->src_mask));
504 break;
505 }
506
507 memcpy(&isa->sport,
508 src_id + ISAKMP_ID_DOI_DATA_OFF + IPSEC_ID_PORT_OFF,
509 IPSEC_ID_PORT_LEN);
510
511 /* Set destination address. */
512 id = GET_ISAKMP_ID_TYPE(dst_id);
513 switch (id) {
514 case IPSEC_ID_IPV4_ADDR:
515 case IPSEC_ID_IPV4_ADDR_SUBNET:
516 isa->dst_net = (struct sockaddr *)calloc(1,
517 sizeof(struct sockaddr_in));
518 if (!isa->dst_net)
519 goto memfail;
520 isa->dst_net->sa_family = AF_INET;
521 isa->dst_net->sa_len = sizeof(struct sockaddr_in);
522
523 isa->dst_mask = (struct sockaddr *)calloc(1,
524 sizeof(struct sockaddr_in));
525 if (!isa->dst_mask)
526 goto memfail;
527 isa->dst_mask->sa_family = AF_INET;
528 isa->dst_mask->sa_len = sizeof(struct sockaddr_in);
529 break;
530
531 case IPSEC_ID_IPV6_ADDR:
532 case IPSEC_ID_IPV6_ADDR_SUBNET:
533 isa->dst_net = (struct sockaddr *)calloc(1,
534 sizeof(struct sockaddr_in6));
535 if (!isa->dst_net)
536 goto memfail;
537 isa->dst_net->sa_family = AF_INET6;
538 isa->dst_net->sa_len = sizeof(struct sockaddr_in6);
539
540 isa->dst_mask = (struct sockaddr *)calloc(1,
541 sizeof(struct sockaddr_in6));
542 if (!isa->dst_mask)
543 goto memfail;
544 isa->dst_mask->sa_family = AF_INET6;
545 isa->dst_mask->sa_len = sizeof(struct sockaddr_in6);
546 break;
547 }
548
549 /* Net */
550 memcpy(sockaddr_addrdata(isa->dst_net), dst_id + ISAKMP_ID_DATA_OFF,
551 sockaddr_addrlen(isa->dst_net));
552
553 /* Mask */
554 switch (id) {
555 case IPSEC_ID_IPV4_ADDR:
556 case IPSEC_ID_IPV6_ADDR:
557 memset(sockaddr_addrdata(isa->dst_mask), 0xff,
558 sockaddr_addrlen(isa->dst_mask));
559 break;
560 case IPSEC_ID_IPV4_ADDR_SUBNET:
561 case IPSEC_ID_IPV6_ADDR_SUBNET:
562 memcpy(sockaddr_addrdata(isa->dst_mask), dst_id +
563 ISAKMP_ID_DATA_OFF + sockaddr_addrlen(isa->dst_net),
564 sockaddr_addrlen(isa->dst_mask));
565 break;
566 }
567
568 memcpy(&isa->tproto, dst_id + ISAKMP_ID_DOI_DATA_OFF +
569 IPSEC_ID_PROTO_OFF, IPSEC_ID_PROTO_LEN);
570 memcpy(&isa->dport,
571 dst_id + ISAKMP_ID_DOI_DATA_OFF + IPSEC_ID_PORT_OFF,
572 IPSEC_ID_PORT_LEN);
573 return 0;
574
575 memfail:
576 log_error("ipsec_set_network: calloc () failed");
577 return -1;
578 }
579
580 /* Free the DOI-specific exchange data pointed to by VIE. */
581 static void
ipsec_free_exchange_data(void * vie)582 ipsec_free_exchange_data(void *vie)
583 {
584 struct ipsec_exch *ie = vie;
585 struct isakmp_cfg_attr *attr;
586
587 if (ie->sa_i_b)
588 free(ie->sa_i_b);
589 if (ie->id_ci)
590 free(ie->id_ci);
591 if (ie->id_cr)
592 free(ie->id_cr);
593 if (ie->g_xi)
594 free(ie->g_xi);
595 if (ie->g_xr)
596 free(ie->g_xr);
597 if (ie->g_xy)
598 free(ie->g_xy);
599 if (ie->skeyid)
600 free(ie->skeyid);
601 if (ie->skeyid_d)
602 free(ie->skeyid_d);
603 if (ie->skeyid_a)
604 free(ie->skeyid_a);
605 if (ie->skeyid_e)
606 free(ie->skeyid_e);
607 if (ie->hash_i)
608 free(ie->hash_i);
609 if (ie->hash_r)
610 free(ie->hash_r);
611 if (ie->group)
612 group_free(ie->group);
613 for (attr = LIST_FIRST(&ie->attrs); attr;
614 attr = LIST_FIRST(&ie->attrs)) {
615 LIST_REMOVE(attr, link);
616 if (attr->length)
617 free(attr->value);
618 free(attr);
619 }
620 }
621
622 /* Free the DOI-specific SA data pointed to by VISA. */
623 static void
ipsec_free_sa_data(void * visa)624 ipsec_free_sa_data(void *visa)
625 {
626 struct ipsec_sa *isa = visa;
627
628 if (isa->src_net)
629 free(isa->src_net);
630 if (isa->src_mask)
631 free(isa->src_mask);
632 if (isa->dst_net)
633 free(isa->dst_net);
634 if (isa->dst_mask)
635 free(isa->dst_mask);
636 if (isa->skeyid_a)
637 free(isa->skeyid_a);
638 if (isa->skeyid_d)
639 free(isa->skeyid_d);
640 }
641
642 /* Free the DOI-specific protocol data of an SA pointed to by VIPROTO. */
643 static void
ipsec_free_proto_data(void * viproto)644 ipsec_free_proto_data(void *viproto)
645 {
646 struct ipsec_proto *iproto = viproto;
647 int i;
648
649 for (i = 0; i < 2; i++)
650 if (iproto->keymat[i])
651 free(iproto->keymat[i]);
652 }
653
654 /* Return exchange script based on TYPE. */
655 static int16_t *
ipsec_exchange_script(u_int8_t type)656 ipsec_exchange_script(u_int8_t type)
657 {
658 switch (type) {
659 case ISAKMP_EXCH_TRANSACTION:
660 return script_transaction;
661 case IKE_EXCH_QUICK_MODE:
662 return script_quick_mode;
663 case IKE_EXCH_NEW_GROUP_MODE:
664 return script_new_group_mode;
665 }
666 return 0;
667 }
668
669 /* Initialize this DOI, requires doi_init to already have been called. */
670 void
ipsec_init(void)671 ipsec_init(void)
672 {
673 doi_register(&ipsec_doi);
674 }
675
676 /* Given a message MSG, return a suitable IV (or rather keystate). */
677 static struct keystate *
ipsec_get_keystate(struct message * msg)678 ipsec_get_keystate(struct message *msg)
679 {
680 struct keystate *ks;
681 struct hash *hash;
682
683 /* If we have already have an IV, use it. */
684 if (msg->exchange && msg->exchange->keystate) {
685 ks = malloc(sizeof *ks);
686 if (!ks) {
687 log_error("ipsec_get_keystate: malloc (%lu) failed",
688 (unsigned long) sizeof *ks);
689 return 0;
690 }
691 memcpy(ks, msg->exchange->keystate, sizeof *ks);
692 return ks;
693 }
694 /*
695 * For phase 2 when no SA yet is setup we need to hash the IV used by
696 * the ISAKMP SA concatenated with the message ID, and use that as an
697 * IV for further cryptographic operations.
698 */
699 if (!msg->isakmp_sa->keystate) {
700 log_print("ipsec_get_keystate: no keystate in ISAKMP SA %p",
701 msg->isakmp_sa);
702 return 0;
703 }
704 ks = crypto_clone_keystate(msg->isakmp_sa->keystate);
705 if (!ks)
706 return 0;
707
708 hash = hash_get(((struct ipsec_sa *)msg->isakmp_sa->data)->hash);
709 hash->Init(hash->ctx);
710 LOG_DBG_BUF((LOG_CRYPTO, 80, "ipsec_get_keystate: final phase 1 IV",
711 ks->riv, ks->xf->blocksize));
712 hash->Update(hash->ctx, ks->riv, ks->xf->blocksize);
713 LOG_DBG_BUF((LOG_CRYPTO, 80, "ipsec_get_keystate: message ID",
714 ((u_int8_t *) msg->iov[0].iov_base) + ISAKMP_HDR_MESSAGE_ID_OFF,
715 ISAKMP_HDR_MESSAGE_ID_LEN));
716 hash->Update(hash->ctx, ((u_int8_t *) msg->iov[0].iov_base) +
717 ISAKMP_HDR_MESSAGE_ID_OFF, ISAKMP_HDR_MESSAGE_ID_LEN);
718 hash->Final(hash->digest, hash->ctx);
719 crypto_init_iv(ks, hash->digest, ks->xf->blocksize);
720 LOG_DBG_BUF((LOG_CRYPTO, 80, "ipsec_get_keystate: phase 2 IV",
721 hash->digest, ks->xf->blocksize));
722 return ks;
723 }
724
725 static void
ipsec_setup_situation(u_int8_t * buf)726 ipsec_setup_situation(u_int8_t *buf)
727 {
728 SET_IPSEC_SIT_SIT(buf + ISAKMP_SA_SIT_OFF, IPSEC_SIT_IDENTITY_ONLY);
729 }
730
731 static size_t
ipsec_situation_size(void)732 ipsec_situation_size(void)
733 {
734 return IPSEC_SIT_SIT_LEN;
735 }
736
737 static u_int8_t
ipsec_spi_size(u_int8_t proto)738 ipsec_spi_size(u_int8_t proto)
739 {
740 return IPSEC_SPI_SIZE;
741 }
742
743 static int
ipsec_validate_attribute(u_int16_t type,u_int8_t * value,u_int16_t len,void * vmsg)744 ipsec_validate_attribute(u_int16_t type, u_int8_t * value, u_int16_t len,
745 void *vmsg)
746 {
747 struct message *msg = vmsg;
748
749 if (msg->exchange->phase == 1 &&
750 (type < IKE_ATTR_ENCRYPTION_ALGORITHM || type > IKE_ATTR_GROUP_ORDER))
751 return -1;
752 if (msg->exchange->phase == 2 &&
753 (type < IPSEC_ATTR_SA_LIFE_TYPE || type > IPSEC_ATTR_ECN_TUNNEL))
754 return -1;
755 return 0;
756 }
757
758 static int
ipsec_validate_exchange(u_int8_t exch)759 ipsec_validate_exchange(u_int8_t exch)
760 {
761 return exch != IKE_EXCH_QUICK_MODE && exch != IKE_EXCH_NEW_GROUP_MODE;
762 }
763
764 static int
ipsec_validate_id_information(u_int8_t type,u_int8_t * extra,u_int8_t * buf,size_t sz,struct exchange * exchange)765 ipsec_validate_id_information(u_int8_t type, u_int8_t *extra, u_int8_t *buf,
766 size_t sz, struct exchange *exchange)
767 {
768 u_int8_t proto = GET_IPSEC_ID_PROTO(extra);
769 u_int16_t port = GET_IPSEC_ID_PORT(extra);
770
771 LOG_DBG((LOG_MESSAGE, 40,
772 "ipsec_validate_id_information: proto %d port %d type %d",
773 proto, port, type));
774 if (type < IPSEC_ID_IPV4_ADDR || type > IPSEC_ID_KEY_ID)
775 return -1;
776
777 switch (type) {
778 case IPSEC_ID_IPV4_ADDR:
779 LOG_DBG_BUF((LOG_MESSAGE, 40,
780 "ipsec_validate_id_information: IPv4", buf,
781 sizeof(struct in_addr)));
782 break;
783
784 case IPSEC_ID_IPV6_ADDR:
785 LOG_DBG_BUF((LOG_MESSAGE, 40,
786 "ipsec_validate_id_information: IPv6", buf,
787 sizeof(struct in6_addr)));
788 break;
789
790 case IPSEC_ID_IPV4_ADDR_SUBNET:
791 LOG_DBG_BUF((LOG_MESSAGE, 40,
792 "ipsec_validate_id_information: IPv4 network/netmask",
793 buf, 2 * sizeof(struct in_addr)));
794 break;
795
796 case IPSEC_ID_IPV6_ADDR_SUBNET:
797 LOG_DBG_BUF((LOG_MESSAGE, 40,
798 "ipsec_validate_id_information: IPv6 network/netmask",
799 buf, 2 * sizeof(struct in6_addr)));
800 break;
801
802 default:
803 break;
804 }
805
806 if (exchange->phase == 1 &&
807 (proto != IPPROTO_UDP || port != UDP_DEFAULT_PORT) &&
808 (proto != 0 || port != 0)) {
809 /*
810 * XXX SSH's ISAKMP tester fails this test (proto 17 - port
811 * 0).
812 */
813 #ifdef notyet
814 return -1;
815 #else
816 log_print("ipsec_validate_id_information: dubious ID "
817 "information accepted");
818 #endif
819 }
820 /* XXX More checks? */
821
822 return 0;
823 }
824
825 static int
ipsec_validate_key_information(u_int8_t * buf,size_t sz)826 ipsec_validate_key_information(u_int8_t *buf, size_t sz)
827 {
828 /* XXX Not implemented yet. */
829 return 0;
830 }
831
832 static int
ipsec_validate_notification(u_int16_t type)833 ipsec_validate_notification(u_int16_t type)
834 {
835 return type < IPSEC_NOTIFY_RESPONDER_LIFETIME ||
836 type > IPSEC_NOTIFY_INITIAL_CONTACT ? -1 : 0;
837 }
838
839 static int
ipsec_validate_proto(u_int8_t proto)840 ipsec_validate_proto(u_int8_t proto)
841 {
842 return proto < IPSEC_PROTO_IPSEC_AH ||
843 proto > IPSEC_PROTO_IPCOMP ? -1 : 0;
844 }
845
846 static int
ipsec_validate_situation(u_int8_t * buf,size_t * sz,size_t len)847 ipsec_validate_situation(u_int8_t *buf, size_t *sz, size_t len)
848 {
849 if (len < IPSEC_SIT_SIT_OFF + IPSEC_SIT_SIT_LEN) {
850 log_print("ipsec_validate_situation: payload too short: %u",
851 (unsigned int) len);
852 return -1;
853 }
854 /* Currently only "identity only" situations are supported. */
855 if (GET_IPSEC_SIT_SIT(buf) != IPSEC_SIT_IDENTITY_ONLY)
856 return 1;
857
858 *sz = IPSEC_SIT_SIT_LEN;
859
860 return 0;
861 }
862
863 static int
ipsec_validate_transform_id(u_int8_t proto,u_int8_t transform_id)864 ipsec_validate_transform_id(u_int8_t proto, u_int8_t transform_id)
865 {
866 switch (proto) {
867 /*
868 * As no unexpected protocols can occur, we just tie the
869 * default case to the first case, in orer to silence a GCC
870 * warning.
871 */
872 default:
873 case ISAKMP_PROTO_ISAKMP:
874 return transform_id != IPSEC_TRANSFORM_KEY_IKE;
875 case IPSEC_PROTO_IPSEC_AH:
876 return transform_id < IPSEC_AH_MD5 ||
877 transform_id > IPSEC_AH_DES ? -1 : 0;
878 case IPSEC_PROTO_IPSEC_ESP:
879 return transform_id < IPSEC_ESP_DES_IV64 ||
880 (transform_id > IPSEC_ESP_AES_128_CTR &&
881 transform_id < IPSEC_ESP_AES_MARS) ||
882 transform_id > IPSEC_ESP_AES_TWOFISH ? -1 : 0;
883 case IPSEC_PROTO_IPCOMP:
884 return transform_id < IPSEC_IPCOMP_OUI ||
885 transform_id > IPSEC_IPCOMP_V42BIS ? -1 : 0;
886 }
887 }
888
889 static int
ipsec_initiator(struct message * msg)890 ipsec_initiator(struct message *msg)
891 {
892 struct exchange *exchange = msg->exchange;
893 int (**script)(struct message *) = 0;
894
895 /* Check that the SA is coherent with the IKE rules. */
896 if (exchange->type != ISAKMP_EXCH_TRANSACTION &&
897 ((exchange->phase == 1 && exchange->type != ISAKMP_EXCH_ID_PROT &&
898 exchange->type != ISAKMP_EXCH_AGGRESSIVE &&
899 exchange->type != ISAKMP_EXCH_INFO) ||
900 (exchange->phase == 2 && exchange->type != IKE_EXCH_QUICK_MODE &&
901 exchange->type != ISAKMP_EXCH_INFO))) {
902 log_print("ipsec_initiator: unsupported exchange type %d "
903 "in phase %d", exchange->type, exchange->phase);
904 return -1;
905 }
906 switch (exchange->type) {
907 case ISAKMP_EXCH_ID_PROT:
908 script = ike_main_mode_initiator;
909 break;
910 case ISAKMP_EXCH_AGGRESSIVE:
911 script = ike_aggressive_initiator;
912 break;
913 case ISAKMP_EXCH_TRANSACTION:
914 script = isakmp_cfg_initiator;
915 break;
916 case ISAKMP_EXCH_INFO:
917 return message_send_info(msg);
918 case IKE_EXCH_QUICK_MODE:
919 script = ike_quick_mode_initiator;
920 break;
921 default:
922 log_print("ipsec_initiator: unsupported exchange type %d",
923 exchange->type);
924 return -1;
925 }
926
927 /* Run the script code for this step. */
928 if (script)
929 return script[exchange->step] (msg);
930
931 return 0;
932 }
933
934 /*
935 * delete all SA's from addr with the associated proto and SPI's
936 *
937 * spis[] is an array of SPIs of size 16-octet for proto ISAKMP
938 * or 4-octet otherwise.
939 */
940 static void
ipsec_delete_spi_list(struct sockaddr * addr,u_int8_t proto,u_int8_t * spis,int nspis,char * type)941 ipsec_delete_spi_list(struct sockaddr *addr, u_int8_t proto, u_int8_t *spis,
942 int nspis, char *type)
943 {
944 struct sa *sa;
945 int i;
946
947 for (i = 0; i < nspis; i++) {
948 if (proto == ISAKMP_PROTO_ISAKMP) {
949 u_int8_t *spi = spis + i * ISAKMP_HDR_COOKIES_LEN;
950
951 /*
952 * This really shouldn't happen in IPSEC DOI
953 * code, but Cisco VPN 3000 sends ISAKMP DELETE's
954 * this way.
955 */
956 sa = sa_lookup_isakmp_sa(addr, spi);
957 } else {
958 u_int32_t spi = ((u_int32_t *)spis)[i];
959
960 sa = ipsec_sa_lookup(addr, spi, proto);
961 }
962
963 if (sa == NULL) {
964 LOG_DBG((LOG_SA, 30, "ipsec_delete_spi_list: could "
965 "not locate SA (SPI %08x, proto %u)",
966 ((u_int32_t *)spis)[i], proto));
967 continue;
968 }
969 /* Delete the SA and search for the next */
970 LOG_DBG((LOG_SA, 30, "ipsec_delete_spi_list: "
971 "%s made us delete SA %p (%d references) for proto %d",
972 type, sa, sa->refcnt, proto));
973
974 sa_free(sa);
975 }
976 }
977
978 static int
ipsec_responder(struct message * msg)979 ipsec_responder(struct message *msg)
980 {
981 struct exchange *exchange = msg->exchange;
982 int (**script)(struct message *) = 0;
983 struct payload *p;
984 u_int16_t type;
985
986 /* Check that a new exchange is coherent with the IKE rules. */
987 if (exchange->step == 0 && exchange->type != ISAKMP_EXCH_TRANSACTION &&
988 ((exchange->phase == 1 && exchange->type != ISAKMP_EXCH_ID_PROT &&
989 exchange->type != ISAKMP_EXCH_AGGRESSIVE &&
990 exchange->type != ISAKMP_EXCH_INFO) ||
991 (exchange->phase == 2 && exchange->type != IKE_EXCH_QUICK_MODE &&
992 exchange->type != ISAKMP_EXCH_INFO))) {
993 message_drop(msg, ISAKMP_NOTIFY_UNSUPPORTED_EXCHANGE_TYPE,
994 0, 1, 0);
995 return -1;
996 }
997 LOG_DBG((LOG_MISC, 30, "ipsec_responder: phase %d exchange %d step %d",
998 exchange->phase, exchange->type, exchange->step));
999 switch (exchange->type) {
1000 case ISAKMP_EXCH_ID_PROT:
1001 script = ike_main_mode_responder;
1002 break;
1003 case ISAKMP_EXCH_AGGRESSIVE:
1004 script = ike_aggressive_responder;
1005 break;
1006 case ISAKMP_EXCH_TRANSACTION:
1007 script = isakmp_cfg_responder;
1008 break;
1009 case ISAKMP_EXCH_INFO:
1010 TAILQ_FOREACH(p, &msg->payload[ISAKMP_PAYLOAD_NOTIFY], link) {
1011 type = GET_ISAKMP_NOTIFY_MSG_TYPE(p->p);
1012 LOG_DBG((LOG_EXCHANGE, 10,
1013 "ipsec_responder: got NOTIFY of type %s",
1014 constant_name(isakmp_notify_cst, type)));
1015
1016 switch (type) {
1017 case IPSEC_NOTIFY_INITIAL_CONTACT:
1018 /* Handled by leftover logic. */
1019 break;
1020
1021 case ISAKMP_NOTIFY_STATUS_DPD_R_U_THERE:
1022 case ISAKMP_NOTIFY_STATUS_DPD_R_U_THERE_ACK:
1023 dpd_handle_notify(msg, p);
1024 break;
1025
1026 default:
1027 p->flags |= PL_MARK;
1028 break;
1029 }
1030 }
1031
1032 /*
1033 * If any DELETEs are in here, let the logic of leftover
1034 * payloads deal with them.
1035 */
1036 return 0;
1037
1038 case IKE_EXCH_QUICK_MODE:
1039 script = ike_quick_mode_responder;
1040 break;
1041
1042 default:
1043 message_drop(msg, ISAKMP_NOTIFY_UNSUPPORTED_EXCHANGE_TYPE,
1044 0, 1, 0);
1045 return -1;
1046 }
1047
1048 /* Run the script code for this step. */
1049 if (script)
1050 return script[exchange->step] (msg);
1051
1052 /*
1053 * XXX So far we don't accept any proposals for exchanges we don't
1054 * support.
1055 */
1056 if (payload_first(msg, ISAKMP_PAYLOAD_SA)) {
1057 message_drop(msg, ISAKMP_NOTIFY_NO_PROPOSAL_CHOSEN, 0, 1, 0);
1058 return -1;
1059 }
1060 return 0;
1061 }
1062
1063 static enum hashes
from_ike_hash(u_int16_t hash)1064 from_ike_hash(u_int16_t hash)
1065 {
1066 switch (hash) {
1067 case IKE_HASH_MD5:
1068 return HASH_MD5;
1069 case IKE_HASH_SHA:
1070 return HASH_SHA1;
1071 }
1072 return -1;
1073 }
1074
1075 static enum transform
from_ike_crypto(u_int16_t crypto)1076 from_ike_crypto(u_int16_t crypto)
1077 {
1078 /* Coincidentally this is the null operation :-) */
1079 return crypto;
1080 }
1081
1082 /*
1083 * Find out whether the attribute of type TYPE with a LEN length value
1084 * pointed to by VALUE is incompatible with what we can handle.
1085 * VMSG is a pointer to the current message.
1086 */
1087 int
ipsec_is_attribute_incompatible(u_int16_t type,u_int8_t * value,u_int16_t len,void * vmsg)1088 ipsec_is_attribute_incompatible(u_int16_t type, u_int8_t *value, u_int16_t len,
1089 void *vmsg)
1090 {
1091 struct message *msg = vmsg;
1092 u_int16_t dv = decode_16(value);
1093
1094 if (msg->exchange->phase == 1) {
1095 switch (type) {
1096 case IKE_ATTR_ENCRYPTION_ALGORITHM:
1097 return !crypto_get(from_ike_crypto(dv));
1098 case IKE_ATTR_HASH_ALGORITHM:
1099 return !hash_get(from_ike_hash(dv));
1100 case IKE_ATTR_AUTHENTICATION_METHOD:
1101 return !ike_auth_get(dv);
1102 case IKE_ATTR_GROUP_DESCRIPTION:
1103 return (dv < IKE_GROUP_DESC_MODP_768 ||
1104 dv > IKE_GROUP_DESC_MODP_1536) &&
1105 (dv < IKE_GROUP_DESC_MODP_2048 ||
1106 dv > IKE_GROUP_DESC_MODP_8192);
1107 case IKE_ATTR_GROUP_TYPE:
1108 return 1;
1109 case IKE_ATTR_GROUP_PRIME:
1110 return 1;
1111 case IKE_ATTR_GROUP_GENERATOR_1:
1112 return 1;
1113 case IKE_ATTR_GROUP_GENERATOR_2:
1114 return 1;
1115 case IKE_ATTR_GROUP_CURVE_A:
1116 return 1;
1117 case IKE_ATTR_GROUP_CURVE_B:
1118 return 1;
1119 case IKE_ATTR_LIFE_TYPE:
1120 return dv < IKE_DURATION_SECONDS ||
1121 dv > IKE_DURATION_KILOBYTES;
1122 case IKE_ATTR_LIFE_DURATION:
1123 return len != 2 && len != 4;
1124 case IKE_ATTR_PRF:
1125 return 1;
1126 case IKE_ATTR_KEY_LENGTH:
1127 /*
1128 * Our crypto routines only allows key-lengths which
1129 * are multiples of an octet.
1130 */
1131 return dv % 8 != 0;
1132 case IKE_ATTR_FIELD_SIZE:
1133 return 1;
1134 case IKE_ATTR_GROUP_ORDER:
1135 return 1;
1136 }
1137 } else {
1138 switch (type) {
1139 case IPSEC_ATTR_SA_LIFE_TYPE:
1140 return dv < IPSEC_DURATION_SECONDS ||
1141 dv > IPSEC_DURATION_KILOBYTES;
1142 case IPSEC_ATTR_SA_LIFE_DURATION:
1143 return len != 2 && len != 4;
1144 case IPSEC_ATTR_GROUP_DESCRIPTION:
1145 return (dv < IKE_GROUP_DESC_MODP_768 ||
1146 dv > IKE_GROUP_DESC_MODP_1536) &&
1147 (dv < IKE_GROUP_DESC_MODP_2048 ||
1148 IKE_GROUP_DESC_MODP_8192 < dv);
1149 case IPSEC_ATTR_ENCAPSULATION_MODE:
1150 return dv != IPSEC_ENCAP_TUNNEL &&
1151 dv != IPSEC_ENCAP_TRANSPORT &&
1152 dv != IPSEC_ENCAP_UDP_ENCAP_TUNNEL &&
1153 dv != IPSEC_ENCAP_UDP_ENCAP_TRANSPORT &&
1154 dv != IPSEC_ENCAP_UDP_ENCAP_TUNNEL_DRAFT &&
1155 dv != IPSEC_ENCAP_UDP_ENCAP_TRANSPORT_DRAFT;
1156 case IPSEC_ATTR_AUTHENTICATION_ALGORITHM:
1157 return dv < IPSEC_AUTH_HMAC_MD5 ||
1158 dv > IPSEC_AUTH_HMAC_RIPEMD;
1159 case IPSEC_ATTR_KEY_LENGTH:
1160 /*
1161 * XXX Blowfish needs '0'. Others appear to disregard
1162 * this attr?
1163 */
1164 return 0;
1165 case IPSEC_ATTR_KEY_ROUNDS:
1166 return 1;
1167 case IPSEC_ATTR_COMPRESS_DICTIONARY_SIZE:
1168 return 1;
1169 case IPSEC_ATTR_COMPRESS_PRIVATE_ALGORITHM:
1170 return 1;
1171 case IPSEC_ATTR_ECN_TUNNEL:
1172 return 1;
1173 }
1174 }
1175 /* XXX Silence gcc. */
1176 return 1;
1177 }
1178
1179 /*
1180 * Log the attribute of TYPE with a LEN length value pointed to by VALUE
1181 * in human-readable form. VMSG is a pointer to the current message.
1182 */
1183 int
ipsec_debug_attribute(u_int16_t type,u_int8_t * value,u_int16_t len,void * vmsg)1184 ipsec_debug_attribute(u_int16_t type, u_int8_t *value, u_int16_t len,
1185 void *vmsg)
1186 {
1187 struct message *msg = vmsg;
1188 char val[20];
1189
1190 /* XXX Transient solution. */
1191 if (len == 2)
1192 snprintf(val, sizeof val, "%d", decode_16(value));
1193 else if (len == 4)
1194 snprintf(val, sizeof val, "%d", decode_32(value));
1195 else
1196 snprintf(val, sizeof val, "unrepresentable");
1197
1198 LOG_DBG((LOG_MESSAGE, 50, "Attribute %s value %s",
1199 constant_name(msg->exchange->phase == 1 ? ike_attr_cst :
1200 ipsec_attr_cst, type), val));
1201 return 0;
1202 }
1203
1204 /*
1205 * Decode the attribute of type TYPE with a LEN length value pointed to by
1206 * VALUE. VIDA is a pointer to a context structure where we can find the
1207 * current message, SA and protocol.
1208 */
1209 int
ipsec_decode_attribute(u_int16_t type,u_int8_t * value,u_int16_t len,void * vida)1210 ipsec_decode_attribute(u_int16_t type, u_int8_t *value, u_int16_t len,
1211 void *vida)
1212 {
1213 struct ipsec_decode_arg *ida = vida;
1214 struct message *msg = ida->msg;
1215 struct sa *sa = ida->sa;
1216 struct ipsec_sa *isa = sa->data;
1217 struct proto *proto = ida->proto;
1218 struct ipsec_proto *iproto = proto->data;
1219 struct exchange *exchange = msg->exchange;
1220 struct ipsec_exch *ie = exchange->data;
1221 static int lifetype = 0;
1222
1223 if (exchange->phase == 1) {
1224 switch (type) {
1225 case IKE_ATTR_ENCRYPTION_ALGORITHM:
1226 /* XXX Errors possible? */
1227 exchange->crypto = crypto_get(from_ike_crypto(
1228 decode_16(value)));
1229 break;
1230 case IKE_ATTR_HASH_ALGORITHM:
1231 /* XXX Errors possible? */
1232 ie->hash = hash_get(from_ike_hash(decode_16(value)));
1233 break;
1234 case IKE_ATTR_AUTHENTICATION_METHOD:
1235 /* XXX Errors possible? */
1236 ie->ike_auth = ike_auth_get(decode_16(value));
1237 break;
1238 case IKE_ATTR_GROUP_DESCRIPTION:
1239 isa->group_desc = decode_16(value);
1240 break;
1241 case IKE_ATTR_GROUP_TYPE:
1242 break;
1243 case IKE_ATTR_GROUP_PRIME:
1244 break;
1245 case IKE_ATTR_GROUP_GENERATOR_1:
1246 break;
1247 case IKE_ATTR_GROUP_GENERATOR_2:
1248 break;
1249 case IKE_ATTR_GROUP_CURVE_A:
1250 break;
1251 case IKE_ATTR_GROUP_CURVE_B:
1252 break;
1253 case IKE_ATTR_LIFE_TYPE:
1254 lifetype = decode_16(value);
1255 return 0;
1256 case IKE_ATTR_LIFE_DURATION:
1257 switch (lifetype) {
1258 case IKE_DURATION_SECONDS:
1259 switch (len) {
1260 case 2:
1261 sa->seconds = decode_16(value);
1262 break;
1263 case 4:
1264 sa->seconds = decode_32(value);
1265 break;
1266 default:
1267 log_print("ipsec_decode_attribute: "
1268 "unreasonable lifetime");
1269 }
1270 break;
1271 case IKE_DURATION_KILOBYTES:
1272 switch (len) {
1273 case 2:
1274 sa->kilobytes = decode_16(value);
1275 break;
1276 case 4:
1277 sa->kilobytes = decode_32(value);
1278 break;
1279 default:
1280 log_print("ipsec_decode_attribute: "
1281 "unreasonable lifetime");
1282 }
1283 break;
1284 default:
1285 log_print("ipsec_decode_attribute: unknown "
1286 "lifetime type");
1287 }
1288 break;
1289 case IKE_ATTR_PRF:
1290 break;
1291 case IKE_ATTR_KEY_LENGTH:
1292 exchange->key_length = decode_16(value) / 8;
1293 break;
1294 case IKE_ATTR_FIELD_SIZE:
1295 break;
1296 case IKE_ATTR_GROUP_ORDER:
1297 break;
1298 }
1299 } else {
1300 switch (type) {
1301 case IPSEC_ATTR_SA_LIFE_TYPE:
1302 lifetype = decode_16(value);
1303 return 0;
1304 case IPSEC_ATTR_SA_LIFE_DURATION:
1305 switch (lifetype) {
1306 case IPSEC_DURATION_SECONDS:
1307 switch (len) {
1308 case 2:
1309 sa->seconds = decode_16(value);
1310 break;
1311 case 4:
1312 sa->seconds = decode_32(value);
1313 break;
1314 default:
1315 log_print("ipsec_decode_attribute: "
1316 "unreasonable lifetime");
1317 }
1318 break;
1319 case IPSEC_DURATION_KILOBYTES:
1320 switch (len) {
1321 case 2:
1322 sa->kilobytes = decode_16(value);
1323 break;
1324 case 4:
1325 sa->kilobytes = decode_32(value);
1326 break;
1327 default:
1328 log_print("ipsec_decode_attribute: "
1329 "unreasonable lifetime");
1330 }
1331 break;
1332 default:
1333 log_print("ipsec_decode_attribute: unknown "
1334 "lifetime type");
1335 }
1336 break;
1337 case IPSEC_ATTR_GROUP_DESCRIPTION:
1338 isa->group_desc = decode_16(value);
1339 break;
1340 case IPSEC_ATTR_ENCAPSULATION_MODE:
1341 /*
1342 * XXX Multiple protocols must have same
1343 * encapsulation mode, no?
1344 */
1345 iproto->encap_mode = decode_16(value);
1346 break;
1347 case IPSEC_ATTR_AUTHENTICATION_ALGORITHM:
1348 iproto->auth = decode_16(value);
1349 break;
1350 case IPSEC_ATTR_KEY_LENGTH:
1351 iproto->keylen = decode_16(value);
1352 break;
1353 case IPSEC_ATTR_KEY_ROUNDS:
1354 iproto->keyrounds = decode_16(value);
1355 break;
1356 case IPSEC_ATTR_COMPRESS_DICTIONARY_SIZE:
1357 break;
1358 case IPSEC_ATTR_COMPRESS_PRIVATE_ALGORITHM:
1359 break;
1360 case IPSEC_ATTR_ECN_TUNNEL:
1361 break;
1362 }
1363 }
1364 lifetype = 0;
1365 return 0;
1366 }
1367
1368 /*
1369 * Walk over the attributes of the transform payload found in BUF, and
1370 * fill out the fields of the SA attached to MSG. Also mark the SA as
1371 * processed.
1372 */
1373 void
ipsec_decode_transform(struct message * msg,struct sa * sa,struct proto * proto,u_int8_t * buf)1374 ipsec_decode_transform(struct message *msg, struct sa *sa, struct proto *proto,
1375 u_int8_t *buf)
1376 {
1377 struct ipsec_exch *ie = msg->exchange->data;
1378 struct ipsec_decode_arg ida;
1379
1380 LOG_DBG((LOG_MISC, 20, "ipsec_decode_transform: transform %d chosen",
1381 GET_ISAKMP_TRANSFORM_NO(buf)));
1382
1383 ida.msg = msg;
1384 ida.sa = sa;
1385 ida.proto = proto;
1386
1387 /* The default IKE lifetime is 8 hours. */
1388 if (sa->phase == 1)
1389 sa->seconds = 28800;
1390
1391 /* Extract the attributes and stuff them into the SA. */
1392 attribute_map(buf + ISAKMP_TRANSFORM_SA_ATTRS_OFF,
1393 GET_ISAKMP_GEN_LENGTH(buf) - ISAKMP_TRANSFORM_SA_ATTRS_OFF,
1394 ipsec_decode_attribute, &ida);
1395
1396 /*
1397 * If no pseudo-random function was negotiated, it's HMAC.
1398 * XXX As PRF_HMAC currently is zero, this is a no-op.
1399 */
1400 if (!ie->prf_type)
1401 ie->prf_type = PRF_HMAC;
1402 }
1403
1404 /*
1405 * Delete the IPsec SA represented by the INCOMING direction in protocol PROTO
1406 * of the IKE security association SA.
1407 */
1408 static void
ipsec_delete_spi(struct sa * sa,struct proto * proto,int incoming)1409 ipsec_delete_spi(struct sa *sa, struct proto *proto, int incoming)
1410 {
1411 if (sa->phase == 1)
1412 return;
1413 /* XXX Error handling? Is it interesting? */
1414 pf_key_v2_delete_spi(sa, proto, incoming);
1415 }
1416
1417 /*
1418 * Store BUF into the g^x entry of the exchange that message MSG belongs to.
1419 * PEER is non-zero when the value is our peer's, and zero when it is ours.
1420 */
1421 static int
ipsec_g_x(struct message * msg,int peer,u_int8_t * buf)1422 ipsec_g_x(struct message *msg, int peer, u_int8_t *buf)
1423 {
1424 struct exchange *exchange = msg->exchange;
1425 struct ipsec_exch *ie = exchange->data;
1426 u_int8_t **g_x;
1427 int initiator = exchange->initiator ^ peer;
1428 char header[32];
1429
1430 g_x = initiator ? &ie->g_xi : &ie->g_xr;
1431 *g_x = malloc(ie->g_x_len);
1432 if (!*g_x) {
1433 log_error("ipsec_g_x: malloc (%lu) failed",
1434 (unsigned long)ie->g_x_len);
1435 return -1;
1436 }
1437 memcpy(*g_x, buf, ie->g_x_len);
1438 snprintf(header, sizeof header, "ipsec_g_x: g^x%c",
1439 initiator ? 'i' : 'r');
1440 LOG_DBG_BUF((LOG_MISC, 80, header, *g_x, ie->g_x_len));
1441 return 0;
1442 }
1443
1444 /* Generate our DH value. */
1445 int
ipsec_gen_g_x(struct message * msg)1446 ipsec_gen_g_x(struct message *msg)
1447 {
1448 struct exchange *exchange = msg->exchange;
1449 struct ipsec_exch *ie = exchange->data;
1450 u_int8_t *buf;
1451
1452 buf = malloc(ISAKMP_KE_SZ + ie->g_x_len);
1453 if (!buf) {
1454 log_error("ipsec_gen_g_x: malloc (%lu) failed",
1455 ISAKMP_KE_SZ + (unsigned long)ie->g_x_len);
1456 return -1;
1457 }
1458 if (message_add_payload(msg, ISAKMP_PAYLOAD_KEY_EXCH, buf,
1459 ISAKMP_KE_SZ + ie->g_x_len, 1)) {
1460 free(buf);
1461 return -1;
1462 }
1463 if (dh_create_exchange(ie->group, buf + ISAKMP_KE_DATA_OFF)) {
1464 log_print("ipsec_gen_g_x: dh_create_exchange failed");
1465 free(buf);
1466 return -1;
1467 }
1468 return ipsec_g_x(msg, 0, buf + ISAKMP_KE_DATA_OFF);
1469 }
1470
1471 /* Save the peer's DH value. */
1472 int
ipsec_save_g_x(struct message * msg)1473 ipsec_save_g_x(struct message *msg)
1474 {
1475 struct exchange *exchange = msg->exchange;
1476 struct ipsec_exch *ie = exchange->data;
1477 struct payload *kep;
1478
1479 kep = payload_first(msg, ISAKMP_PAYLOAD_KEY_EXCH);
1480 kep->flags |= PL_MARK;
1481 ie->g_x_len = GET_ISAKMP_GEN_LENGTH(kep->p) - ISAKMP_KE_DATA_OFF;
1482
1483 /* Check that the given length matches the group's expectancy. */
1484 if (ie->g_x_len != (size_t) dh_getlen(ie->group)) {
1485 /* XXX Is this a good notify type? */
1486 message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 0);
1487 return -1;
1488 }
1489 return ipsec_g_x(msg, 1, kep->p + ISAKMP_KE_DATA_OFF);
1490 }
1491
1492 /*
1493 * Get a SPI for PROTO and the transport MSG passed over. Store the
1494 * size where SZ points. NB! A zero return is OK if *SZ is zero.
1495 */
1496 static u_int8_t *
ipsec_get_spi(size_t * sz,u_int8_t proto,struct message * msg)1497 ipsec_get_spi(size_t *sz, u_int8_t proto, struct message *msg)
1498 {
1499 struct sockaddr *dst, *src;
1500 struct transport *transport = msg->transport;
1501
1502 if (msg->exchange->phase == 1) {
1503 *sz = 0;
1504 return 0;
1505 } else {
1506 /* We are the destination in the SA we want a SPI for. */
1507 transport->vtbl->get_src(transport, &dst);
1508 /* The peer is the source. */
1509 transport->vtbl->get_dst(transport, &src);
1510 return pf_key_v2_get_spi(sz, proto, src, dst,
1511 msg->exchange->seq);
1512 }
1513 }
1514
1515 /*
1516 * We have gotten a payload PAYLOAD of type TYPE, which did not get handled
1517 * by the logic of the exchange MSG takes part in. Now is the time to deal
1518 * with such a payload if we know how to, if we don't, return -1, otherwise
1519 * 0.
1520 */
1521 int
ipsec_handle_leftover_payload(struct message * msg,u_int8_t type,struct payload * payload)1522 ipsec_handle_leftover_payload(struct message *msg, u_int8_t type,
1523 struct payload *payload)
1524 {
1525 u_int32_t spisz, nspis;
1526 struct sockaddr *dst;
1527 int reenter = 0;
1528 u_int8_t *spis, proto;
1529 struct sa *sa;
1530
1531 switch (type) {
1532 case ISAKMP_PAYLOAD_DELETE:
1533 proto = GET_ISAKMP_DELETE_PROTO(payload->p);
1534 nspis = GET_ISAKMP_DELETE_NSPIS(payload->p);
1535 spisz = GET_ISAKMP_DELETE_SPI_SZ(payload->p);
1536
1537 if (nspis == 0) {
1538 LOG_DBG((LOG_SA, 60, "ipsec_handle_leftover_payload: "
1539 "message specified zero SPIs, ignoring"));
1540 return -1;
1541 }
1542 /* verify proper SPI size */
1543 if ((proto == ISAKMP_PROTO_ISAKMP &&
1544 spisz != ISAKMP_HDR_COOKIES_LEN) ||
1545 (proto != ISAKMP_PROTO_ISAKMP && spisz != sizeof(u_int32_t))) {
1546 log_print("ipsec_handle_leftover_payload: invalid SPI "
1547 "size %d for proto %d in DELETE payload",
1548 spisz, proto);
1549 return -1;
1550 }
1551 spis = (u_int8_t *) malloc(nspis * spisz);
1552 if (!spis) {
1553 log_error("ipsec_handle_leftover_payload: malloc "
1554 "(%d) failed", nspis * spisz);
1555 return -1;
1556 }
1557 /* extract SPI and get dst address */
1558 memcpy(spis, payload->p + ISAKMP_DELETE_SPI_OFF, nspis * spisz);
1559 msg->transport->vtbl->get_dst(msg->transport, &dst);
1560
1561 ipsec_delete_spi_list(dst, proto, spis, nspis, "DELETE");
1562
1563 free(spis);
1564 payload->flags |= PL_MARK;
1565 return 0;
1566
1567 case ISAKMP_PAYLOAD_NOTIFY:
1568 switch (GET_ISAKMP_NOTIFY_MSG_TYPE(payload->p)) {
1569 case IPSEC_NOTIFY_INITIAL_CONTACT:
1570 /*
1571 * Permit INITIAL-CONTACT if
1572 * - this is not an AGGRESSIVE mode exchange
1573 * - it is protected by an ISAKMP SA
1574 *
1575 * XXX Instead of the first condition above, we could
1576 * XXX permit this only for phase 2. In the last
1577 * XXX packet of main-mode, this payload, while
1578 * XXX encrypted, is not part of the hash digest. As
1579 * XXX we currently send our own INITIAL-CONTACTs at
1580 * XXX this point, this too would need to be changed.
1581 */
1582 if (msg->exchange->type == ISAKMP_EXCH_AGGRESSIVE) {
1583 log_print("ipsec_handle_leftover_payload: got "
1584 "INITIAL-CONTACT in AGGRESSIVE mode");
1585 return -1;
1586 }
1587 if ((msg->exchange->flags & EXCHANGE_FLAG_ENCRYPT)
1588 == 0) {
1589 log_print("ipsec_handle_leftover_payload: got "
1590 "INITIAL-CONTACT without ISAKMP SA");
1591 return -1;
1592 }
1593
1594 if ((msg->flags & MSG_AUTHENTICATED) == 0) {
1595 log_print("ipsec_handle_leftover_payload: "
1596 "got unauthenticated INITIAL-CONTACT");
1597 return -1;
1598 }
1599 /*
1600 * Find out who is sending this and then delete every
1601 * SA that is ready. Exchanges will timeout
1602 * themselves and then the non-ready SAs will
1603 * disappear too.
1604 */
1605 msg->transport->vtbl->get_dst(msg->transport, &dst);
1606 while ((sa = sa_lookup_by_peer(dst, SA_LEN(dst))) != 0) {
1607 /*
1608 * Don't delete the current SA -- we received
1609 * the notification over it, so it's obviously
1610 * still active. We temporarily need to remove
1611 * the SA from the list to avoid an endless
1612 * loop, but keep a reference so it won't
1613 * disappear meanwhile.
1614 */
1615 if (sa == msg->isakmp_sa) {
1616 sa_reference(sa);
1617 sa_remove(sa);
1618 reenter = 1;
1619 continue;
1620 }
1621 LOG_DBG((LOG_SA, 30,
1622 "ipsec_handle_leftover_payload: "
1623 "INITIAL-CONTACT made us delete SA %p",
1624 sa));
1625 sa_delete(sa, 0);
1626 }
1627
1628 if (reenter) {
1629 sa_enter(msg->isakmp_sa);
1630 sa_release(msg->isakmp_sa);
1631 }
1632 payload->flags |= PL_MARK;
1633 return 0;
1634 }
1635 }
1636 return -1;
1637 }
1638
1639 /* Return the encryption keylength in octets of the ESP protocol PROTO. */
1640 int
ipsec_esp_enckeylength(struct proto * proto)1641 ipsec_esp_enckeylength(struct proto *proto)
1642 {
1643 struct ipsec_proto *iproto = proto->data;
1644
1645 /* Compute the keylength to use. */
1646 switch (proto->id) {
1647 case IPSEC_ESP_DES:
1648 case IPSEC_ESP_DES_IV32:
1649 case IPSEC_ESP_DES_IV64:
1650 return 8;
1651 case IPSEC_ESP_3DES:
1652 return 24;
1653 case IPSEC_ESP_CAST:
1654 if (!iproto->keylen)
1655 return 16;
1656 return iproto->keylen / 8;
1657 case IPSEC_ESP_AES:
1658 case IPSEC_ESP_AES_128_CTR:
1659 if (!iproto->keylen)
1660 return 16;
1661 /* FALLTHROUGH */
1662 default:
1663 return iproto->keylen / 8;
1664 }
1665 }
1666
1667 /* Return the authentication keylength in octets of the ESP protocol PROTO. */
1668 int
ipsec_esp_authkeylength(struct proto * proto)1669 ipsec_esp_authkeylength(struct proto *proto)
1670 {
1671 struct ipsec_proto *iproto = proto->data;
1672
1673 switch (iproto->auth) {
1674 case IPSEC_AUTH_HMAC_MD5:
1675 return 16;
1676 case IPSEC_AUTH_HMAC_SHA:
1677 case IPSEC_AUTH_HMAC_RIPEMD:
1678 return 20;
1679 case IPSEC_AUTH_HMAC_SHA2_256:
1680 return 32;
1681 case IPSEC_AUTH_HMAC_SHA2_384:
1682 return 48;
1683 case IPSEC_AUTH_HMAC_SHA2_512:
1684 return 64;
1685 default:
1686 return 0;
1687 }
1688 }
1689
1690 /* Return the authentication keylength in octets of the AH protocol PROTO. */
1691 int
ipsec_ah_keylength(struct proto * proto)1692 ipsec_ah_keylength(struct proto *proto)
1693 {
1694 switch (proto->id) {
1695 case IPSEC_AH_MD5:
1696 return 16;
1697 case IPSEC_AH_SHA:
1698 case IPSEC_AH_RIPEMD:
1699 return 20;
1700 case IPSEC_AH_SHA2_256:
1701 return 32;
1702 case IPSEC_AH_SHA2_384:
1703 return 48;
1704 case IPSEC_AH_SHA2_512:
1705 return 64;
1706 default:
1707 return -1;
1708 }
1709 }
1710
1711 /* Return the total keymaterial length of the protocol PROTO. */
1712 int
ipsec_keymat_length(struct proto * proto)1713 ipsec_keymat_length(struct proto *proto)
1714 {
1715 switch (proto->proto) {
1716 case IPSEC_PROTO_IPSEC_ESP:
1717 return ipsec_esp_enckeylength(proto)
1718 + ipsec_esp_authkeylength(proto);
1719 case IPSEC_PROTO_IPSEC_AH:
1720 return ipsec_ah_keylength(proto);
1721 default:
1722 return -1;
1723 }
1724 }
1725
1726 /* Helper function for ipsec_get_id(). */
1727 static int
ipsec_get_proto_port(char * section,u_int8_t * tproto,u_int16_t * port)1728 ipsec_get_proto_port(char *section, u_int8_t *tproto, u_int16_t *port)
1729 {
1730 struct protoent *pe = NULL;
1731 struct servent *se;
1732 char *pstr;
1733
1734 pstr = conf_get_str(section, "Protocol");
1735 if (!pstr) {
1736 *tproto = 0;
1737 return 0;
1738 }
1739 *tproto = (u_int8_t)atoi(pstr);
1740 if (!*tproto) {
1741 pe = getprotobyname(pstr);
1742 if (pe)
1743 *tproto = pe->p_proto;
1744 }
1745 if (!*tproto) {
1746 log_print("ipsec_get_proto_port: protocol \"%s\" unknown",
1747 pstr);
1748 return -1;
1749 }
1750
1751 pstr = conf_get_str(section, "Port");
1752 if (!pstr)
1753 return 0;
1754 *port = (u_int16_t)atoi(pstr);
1755 if (!*port) {
1756 se = getservbyname(pstr,
1757 pe ? pe->p_name : (pstr ? pstr : NULL));
1758 if (se)
1759 *port = ntohs(se->s_port);
1760 }
1761 if (!*port) {
1762 log_print("ipsec_get_proto_port: port \"%s\" unknown",
1763 pstr);
1764 return -1;
1765 }
1766 return 0;
1767 }
1768
1769 /*
1770 * Out of a named section SECTION in the configuration file find out
1771 * the network address and mask as well as the ID type. Put the info
1772 * in the areas pointed to by ADDR, MASK, TPROTO, PORT, and ID respectively.
1773 * Return 0 on success and -1 on failure.
1774 */
1775 int
ipsec_get_id(char * section,int * id,struct sockaddr ** addr,struct sockaddr ** mask,u_int8_t * tproto,u_int16_t * port)1776 ipsec_get_id(char *section, int *id, struct sockaddr **addr,
1777 struct sockaddr **mask, u_int8_t *tproto, u_int16_t *port)
1778 {
1779 char *type, *address, *netmask;
1780 sa_family_t af = 0;
1781
1782 type = conf_get_str(section, "ID-type");
1783 if (!type) {
1784 log_print("ipsec_get_id: section %s has no \"ID-type\" tag",
1785 section);
1786 return -1;
1787 }
1788 *id = constant_value(ipsec_id_cst, type);
1789 switch (*id) {
1790 case IPSEC_ID_IPV4_ADDR:
1791 case IPSEC_ID_IPV4_ADDR_SUBNET:
1792 af = AF_INET;
1793 break;
1794 case IPSEC_ID_IPV6_ADDR:
1795 case IPSEC_ID_IPV6_ADDR_SUBNET:
1796 af = AF_INET6;
1797 break;
1798 }
1799 switch (*id) {
1800 case IPSEC_ID_IPV4_ADDR:
1801 case IPSEC_ID_IPV6_ADDR: {
1802 int ret;
1803
1804 address = conf_get_str(section, "Address");
1805 if (!address) {
1806 log_print("ipsec_get_id: section %s has no "
1807 "\"Address\" tag", section);
1808 return -1;
1809 }
1810 if (text2sockaddr(address, NULL, addr, af, 0)) {
1811 log_print("ipsec_get_id: invalid address %s in "
1812 "section %s", address, section);
1813 return -1;
1814 }
1815 ret = ipsec_get_proto_port(section, tproto, port);
1816 if (ret < 0)
1817 free(*addr);
1818
1819 return ret;
1820 }
1821
1822 #ifdef notyet
1823 case IPSEC_ID_FQDN:
1824 return -1;
1825
1826 case IPSEC_ID_USER_FQDN:
1827 return -1;
1828 #endif
1829
1830 case IPSEC_ID_IPV4_ADDR_SUBNET:
1831 case IPSEC_ID_IPV6_ADDR_SUBNET: {
1832 int ret;
1833
1834 address = conf_get_str(section, "Network");
1835 if (!address) {
1836 log_print("ipsec_get_id: section %s has no "
1837 "\"Network\" tag", section);
1838 return -1;
1839 }
1840 if (text2sockaddr(address, NULL, addr, af, 0)) {
1841 log_print("ipsec_get_id: invalid section %s "
1842 "network %s", section, address);
1843 return -1;
1844 }
1845 netmask = conf_get_str(section, "Netmask");
1846 if (!netmask) {
1847 log_print("ipsec_get_id: section %s has no "
1848 "\"Netmask\" tag", section);
1849 free(*addr);
1850 return -1;
1851 }
1852 if (text2sockaddr(netmask, NULL, mask, af, 1)) {
1853 log_print("ipsec_id_build: invalid section %s "
1854 "network %s", section, netmask);
1855 free(*addr);
1856 return -1;
1857 }
1858 ret = ipsec_get_proto_port(section, tproto, port);
1859 if (ret < 0) {
1860 free(*mask);
1861 free(*addr);
1862 }
1863 return ret;
1864 }
1865
1866 #ifdef notyet
1867 case IPSEC_ID_IPV4_RANGE:
1868 return -1;
1869
1870 case IPSEC_ID_IPV6_RANGE:
1871 return -1;
1872
1873 case IPSEC_ID_DER_ASN1_DN:
1874 return -1;
1875
1876 case IPSEC_ID_DER_ASN1_GN:
1877 return -1;
1878
1879 case IPSEC_ID_KEY_ID:
1880 return -1;
1881 #endif
1882
1883 default:
1884 log_print("ipsec_get_id: unknown ID type \"%s\" in "
1885 "section %s", type, section);
1886 return -1;
1887 }
1888
1889 return 0;
1890 }
1891
1892 /*
1893 * XXX I rather want this function to return a status code, and fail if
1894 * we cannot fit the information in the supplied buffer.
1895 */
1896 static void
ipsec_decode_id(char * buf,size_t size,u_int8_t * id,size_t id_len,int isakmpform)1897 ipsec_decode_id(char *buf, size_t size, u_int8_t *id, size_t id_len,
1898 int isakmpform)
1899 {
1900 int id_type;
1901 char *addr = 0, *mask = 0;
1902 u_int32_t *idp;
1903
1904 if (id) {
1905 if (!isakmpform) {
1906 /*
1907 * Exchanges and SAs dont carry the IDs in ISAKMP
1908 * form.
1909 */
1910 id -= ISAKMP_GEN_SZ;
1911 id_len += ISAKMP_GEN_SZ;
1912 }
1913 id_type = GET_ISAKMP_ID_TYPE(id);
1914 idp = (u_int32_t *) (id + ISAKMP_ID_DATA_OFF);
1915 switch (id_type) {
1916 case IPSEC_ID_IPV4_ADDR:
1917 util_ntoa(&addr, AF_INET, id + ISAKMP_ID_DATA_OFF);
1918 snprintf(buf, size, "%08x: %s",
1919 decode_32(id + ISAKMP_ID_DATA_OFF), addr);
1920 break;
1921
1922 case IPSEC_ID_IPV4_ADDR_SUBNET:
1923 util_ntoa(&addr, AF_INET, id + ISAKMP_ID_DATA_OFF);
1924 util_ntoa(&mask, AF_INET, id + ISAKMP_ID_DATA_OFF + 4);
1925 snprintf(buf, size, "%08x/%08x: %s/%s",
1926 decode_32(id + ISAKMP_ID_DATA_OFF),
1927 decode_32(id + ISAKMP_ID_DATA_OFF + 4), addr, mask);
1928 break;
1929
1930 case IPSEC_ID_IPV6_ADDR:
1931 util_ntoa(&addr, AF_INET6, id + ISAKMP_ID_DATA_OFF);
1932 snprintf(buf, size, "%08x%08x%08x%08x: %s", *idp,
1933 *(idp + 1), *(idp + 2), *(idp + 3), addr);
1934 break;
1935
1936 case IPSEC_ID_IPV6_ADDR_SUBNET:
1937 util_ntoa(&addr, AF_INET6, id + ISAKMP_ID_DATA_OFF);
1938 util_ntoa(&mask, AF_INET6, id + ISAKMP_ID_DATA_OFF +
1939 sizeof(struct in6_addr));
1940 snprintf(buf, size,
1941 "%08x%08x%08x%08x/%08x%08x%08x%08x: %s/%s", *idp,
1942 *(idp + 1), *(idp + 2), *(idp + 3), *(idp + 4),
1943 *(idp + 5), *(idp + 6), *(idp + 7), addr, mask);
1944 break;
1945
1946 case IPSEC_ID_FQDN:
1947 case IPSEC_ID_USER_FQDN:
1948 /* String is not NUL terminated, be careful */
1949 id_len -= ISAKMP_ID_DATA_OFF;
1950 id_len = MIN(id_len, size - 1);
1951 memcpy(buf, id + ISAKMP_ID_DATA_OFF, id_len);
1952 buf[id_len] = '\0';
1953 break;
1954
1955 case IPSEC_ID_DER_ASN1_DN:
1956 addr = x509_DN_string(id + ISAKMP_ID_DATA_OFF,
1957 id_len - ISAKMP_ID_DATA_OFF);
1958 if (!addr) {
1959 snprintf(buf, size, "unparsable ASN1 DN ID");
1960 return;
1961 }
1962 strlcpy(buf, addr, size);
1963 break;
1964
1965 default:
1966 snprintf(buf, size, "<id type unknown: %x>", id_type);
1967 break;
1968 }
1969 } else
1970 snprintf(buf, size, "<no ipsec id>");
1971 if (addr)
1972 free(addr);
1973 if (mask)
1974 free(mask);
1975 }
1976
1977 char *
ipsec_decode_ids(char * fmt,u_int8_t * id1,size_t id1_len,u_int8_t * id2,size_t id2_len,int isakmpform)1978 ipsec_decode_ids(char *fmt, u_int8_t *id1, size_t id1_len, u_int8_t *id2,
1979 size_t id2_len, int isakmpform)
1980 {
1981 static char result[1024];
1982 char s_id1[256], s_id2[256];
1983
1984 ipsec_decode_id(s_id1, sizeof s_id1, id1, id1_len, isakmpform);
1985 ipsec_decode_id(s_id2, sizeof s_id2, id2, id2_len, isakmpform);
1986
1987 snprintf(result, sizeof result, fmt, s_id1, s_id2);
1988 return result;
1989 }
1990
1991 /*
1992 * Out of a named section SECTION in the configuration file build an
1993 * ISAKMP ID payload. Ths payload size should be stashed in SZ.
1994 * The caller is responsible for freeing the payload.
1995 */
1996 u_int8_t *
ipsec_build_id(char * section,size_t * sz)1997 ipsec_build_id(char *section, size_t *sz)
1998 {
1999 struct sockaddr *addr, *mask;
2000 u_int8_t *p;
2001 int id, subnet = 0;
2002 u_int8_t tproto = 0;
2003 u_int16_t port = 0;
2004
2005 if (ipsec_get_id(section, &id, &addr, &mask, &tproto, &port))
2006 return 0;
2007
2008 if (id == IPSEC_ID_IPV4_ADDR_SUBNET || id == IPSEC_ID_IPV6_ADDR_SUBNET)
2009 subnet = 1;
2010
2011 *sz = ISAKMP_ID_SZ + sockaddr_addrlen(addr);
2012 if (subnet)
2013 *sz += sockaddr_addrlen(mask);
2014
2015 p = malloc(*sz);
2016 if (!p) {
2017 log_print("ipsec_build_id: malloc(%lu) failed",
2018 (unsigned long)*sz);
2019 if (subnet)
2020 free(mask);
2021 free(addr);
2022 return 0;
2023 }
2024 SET_ISAKMP_ID_TYPE(p, id);
2025 SET_ISAKMP_ID_DOI_DATA(p, (unsigned char *)"\000\000\000");
2026
2027 memcpy(p + ISAKMP_ID_DATA_OFF, sockaddr_addrdata(addr),
2028 sockaddr_addrlen(addr));
2029 if (subnet)
2030 memcpy(p + ISAKMP_ID_DATA_OFF + sockaddr_addrlen(addr),
2031 sockaddr_addrdata(mask), sockaddr_addrlen(mask));
2032
2033 SET_IPSEC_ID_PROTO(p + ISAKMP_ID_DOI_DATA_OFF, tproto);
2034 SET_IPSEC_ID_PORT(p + ISAKMP_ID_DOI_DATA_OFF, port);
2035
2036 if (subnet)
2037 free(mask);
2038 free(addr);
2039 return p;
2040 }
2041
2042 /*
2043 * copy an ISAKMPD id
2044 */
2045 int
ipsec_clone_id(u_int8_t ** did,size_t * did_len,u_int8_t * id,size_t id_len)2046 ipsec_clone_id(u_int8_t **did, size_t *did_len, u_int8_t *id, size_t id_len)
2047 {
2048 if (*did)
2049 free(*did);
2050
2051 if (!id_len || !id) {
2052 *did = 0;
2053 *did_len = 0;
2054 return 0;
2055 }
2056 *did = malloc(id_len);
2057 if (!*did) {
2058 *did_len = 0;
2059 log_error("ipsec_clone_id: malloc(%lu) failed",
2060 (unsigned long)id_len);
2061 return -1;
2062 }
2063 *did_len = id_len;
2064 memcpy(*did, id, id_len);
2065
2066 return 0;
2067 }
2068
2069 /*
2070 * IPsec-specific PROTO initializations. SECTION is only set if we are the
2071 * initiator thus only usable there.
2072 * XXX I want to fix this later.
2073 */
2074 void
ipsec_proto_init(struct proto * proto,char * section)2075 ipsec_proto_init(struct proto *proto, char *section)
2076 {
2077 struct ipsec_proto *iproto = proto->data;
2078
2079 if (proto->sa->phase == 2 && section)
2080 iproto->replay_window = conf_get_num(section, "ReplayWindow",
2081 DEFAULT_REPLAY_WINDOW);
2082 }
2083
2084 /*
2085 * Add a notification payload of type INITIAL CONTACT to MSG if this is
2086 * the first contact we have made to our peer.
2087 */
2088 int
ipsec_initial_contact(struct message * msg)2089 ipsec_initial_contact(struct message *msg)
2090 {
2091 u_int8_t *buf;
2092
2093 if (ipsec_contacted(msg))
2094 return 0;
2095
2096 buf = malloc(ISAKMP_NOTIFY_SZ + ISAKMP_HDR_COOKIES_LEN);
2097 if (!buf) {
2098 log_error("ike_phase_1_initial_contact: malloc (%d) failed",
2099 ISAKMP_NOTIFY_SZ + ISAKMP_HDR_COOKIES_LEN);
2100 return -1;
2101 }
2102 SET_ISAKMP_NOTIFY_DOI(buf, IPSEC_DOI_IPSEC);
2103 SET_ISAKMP_NOTIFY_PROTO(buf, ISAKMP_PROTO_ISAKMP);
2104 SET_ISAKMP_NOTIFY_SPI_SZ(buf, ISAKMP_HDR_COOKIES_LEN);
2105 SET_ISAKMP_NOTIFY_MSG_TYPE(buf, IPSEC_NOTIFY_INITIAL_CONTACT);
2106 memcpy(buf + ISAKMP_NOTIFY_SPI_OFF, msg->isakmp_sa->cookies,
2107 ISAKMP_HDR_COOKIES_LEN);
2108 if (message_add_payload(msg, ISAKMP_PAYLOAD_NOTIFY, buf,
2109 ISAKMP_NOTIFY_SZ + ISAKMP_HDR_COOKIES_LEN, 1)) {
2110 free(buf);
2111 return -1;
2112 }
2113 return ipsec_add_contact(msg);
2114 }
2115
2116 /*
2117 * Compare the two contacts pointed to by A and B. Return negative if
2118 * *A < *B, 0 if they are equal, and positive if *A is the largest of them.
2119 */
2120 static int
addr_cmp(const void * a,const void * b)2121 addr_cmp(const void *a, const void *b)
2122 {
2123 const struct contact *x = a, *y = b;
2124 int minlen = MIN(x->len, y->len);
2125 int rv = memcmp(x->addr, y->addr, minlen);
2126
2127 return rv ? rv : (x->len - y->len);
2128 }
2129
2130 /*
2131 * Add the peer that MSG is bound to as an address we don't want to send
2132 * INITIAL CONTACT too from now on. Do not call this function with a
2133 * specific address duplicate times. We want fast lookup, speed of insertion
2134 * is unimportant, if this is to scale.
2135 */
2136 static int
ipsec_add_contact(struct message * msg)2137 ipsec_add_contact(struct message *msg)
2138 {
2139 struct contact *new_contacts;
2140 struct sockaddr *dst, *addr;
2141 int cnt;
2142
2143 if (contact_cnt == contact_limit) {
2144 cnt = contact_limit ? 2 * contact_limit : 64;
2145 new_contacts = realloc(contacts, cnt * sizeof contacts[0]);
2146 if (!new_contacts) {
2147 log_error("ipsec_add_contact: "
2148 "realloc (%p, %lu) failed", contacts,
2149 cnt * (unsigned long) sizeof contacts[0]);
2150 return -1;
2151 }
2152 contact_limit = cnt;
2153 contacts = new_contacts;
2154 }
2155 msg->transport->vtbl->get_dst(msg->transport, &dst);
2156 addr = malloc(SA_LEN(dst));
2157 if (!addr) {
2158 log_error("ipsec_add_contact: malloc (%lu) failed",
2159 (unsigned long)SA_LEN(dst));
2160 return -1;
2161 }
2162 memcpy(addr, dst, SA_LEN(dst));
2163 contacts[contact_cnt].addr = addr;
2164 contacts[contact_cnt++].len = SA_LEN(dst);
2165
2166 /*
2167 * XXX There are better algorithms for already mostly-sorted data like
2168 * this, but only qsort is standard. I will someday do this inline.
2169 */
2170 qsort(contacts, contact_cnt, sizeof *contacts, addr_cmp);
2171 return 0;
2172 }
2173
2174 /* Return true if the recipient of MSG has already been contacted. */
2175 static int
ipsec_contacted(struct message * msg)2176 ipsec_contacted(struct message *msg)
2177 {
2178 struct contact contact;
2179
2180 msg->transport->vtbl->get_dst(msg->transport, &contact.addr);
2181 contact.len = SA_LEN(contact.addr);
2182 return contacts ? (bsearch(&contact, contacts, contact_cnt,
2183 sizeof *contacts, addr_cmp) != 0) : 0;
2184 }
2185
2186 /* Add a HASH for to MSG. */
2187 u_int8_t *
ipsec_add_hash_payload(struct message * msg,size_t hashsize)2188 ipsec_add_hash_payload(struct message *msg, size_t hashsize)
2189 {
2190 u_int8_t *buf;
2191
2192 buf = malloc(ISAKMP_HASH_SZ + hashsize);
2193 if (!buf) {
2194 log_error("ipsec_add_hash_payload: malloc (%lu) failed",
2195 ISAKMP_HASH_SZ + (unsigned long) hashsize);
2196 return 0;
2197 }
2198 if (message_add_payload(msg, ISAKMP_PAYLOAD_HASH, buf,
2199 ISAKMP_HASH_SZ + hashsize, 1)) {
2200 free(buf);
2201 return 0;
2202 }
2203 return buf;
2204 }
2205
2206 /* Fill in the HASH payload of MSG. */
2207 int
ipsec_fill_in_hash(struct message * msg)2208 ipsec_fill_in_hash(struct message *msg)
2209 {
2210 struct exchange *exchange = msg->exchange;
2211 struct sa *isakmp_sa = msg->isakmp_sa;
2212 struct ipsec_sa *isa = isakmp_sa->data;
2213 struct hash *hash = hash_get(isa->hash);
2214 struct prf *prf;
2215 struct payload *payload;
2216 u_int8_t *buf;
2217 u_int32_t i;
2218 char header[80];
2219
2220 /* If no SKEYID_a, we need not do anything. */
2221 if (!isa->skeyid_a)
2222 return 0;
2223
2224 payload = payload_first(msg, ISAKMP_PAYLOAD_HASH);
2225 if (!payload) {
2226 log_print("ipsec_fill_in_hash: no HASH payload found");
2227 return -1;
2228 }
2229 buf = payload->p;
2230
2231 /* Allocate the prf and start calculating our HASH(1). */
2232 LOG_DBG_BUF((LOG_MISC, 90, "ipsec_fill_in_hash: SKEYID_a",
2233 isa->skeyid_a, isa->skeyid_len));
2234 prf = prf_alloc(isa->prf_type, hash->type, isa->skeyid_a,
2235 isa->skeyid_len);
2236 if (!prf)
2237 return -1;
2238
2239 prf->Init(prf->prfctx);
2240 LOG_DBG_BUF((LOG_MISC, 90, "ipsec_fill_in_hash: message_id",
2241 exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN));
2242 prf->Update(prf->prfctx, exchange->message_id,
2243 ISAKMP_HDR_MESSAGE_ID_LEN);
2244
2245 /* Loop over all payloads after HASH(1). */
2246 for (i = 2; i < msg->iovlen; i++) {
2247 /* XXX Misleading payload type printouts. */
2248 snprintf(header, sizeof header,
2249 "ipsec_fill_in_hash: payload %d after HASH(1)", i - 1);
2250 LOG_DBG_BUF((LOG_MISC, 90, header, msg->iov[i].iov_base,
2251 msg->iov[i].iov_len));
2252 prf->Update(prf->prfctx, msg->iov[i].iov_base,
2253 msg->iov[i].iov_len);
2254 }
2255 prf->Final(buf + ISAKMP_HASH_DATA_OFF, prf->prfctx);
2256 prf_free(prf);
2257 LOG_DBG_BUF((LOG_MISC, 80, "ipsec_fill_in_hash: HASH(1)", buf +
2258 ISAKMP_HASH_DATA_OFF, hash->hashsize));
2259
2260 return 0;
2261 }
2262
2263 /* Add a HASH payload to MSG, if we have an ISAKMP SA we're protected by. */
2264 static int
ipsec_informational_pre_hook(struct message * msg)2265 ipsec_informational_pre_hook(struct message *msg)
2266 {
2267 struct sa *isakmp_sa = msg->isakmp_sa;
2268 struct ipsec_sa *isa;
2269 struct hash *hash;
2270
2271 if (!isakmp_sa)
2272 return 0;
2273 isa = isakmp_sa->data;
2274 hash = hash_get(isa->hash);
2275 return ipsec_add_hash_payload(msg, hash->hashsize) == 0;
2276 }
2277
2278 /*
2279 * Fill in the HASH payload in MSG, if we have an ISAKMP SA we're protected by.
2280 */
2281 static int
ipsec_informational_post_hook(struct message * msg)2282 ipsec_informational_post_hook(struct message *msg)
2283 {
2284 if (!msg->isakmp_sa)
2285 return 0;
2286 return ipsec_fill_in_hash(msg);
2287 }
2288
2289 ssize_t
ipsec_id_size(char * section,u_int8_t * id)2290 ipsec_id_size(char *section, u_int8_t *id)
2291 {
2292 char *type, *data;
2293
2294 type = conf_get_str(section, "ID-type");
2295 if (!type) {
2296 log_print("ipsec_id_size: section %s has no \"ID-type\" tag",
2297 section);
2298 return -1;
2299 }
2300 *id = constant_value(ipsec_id_cst, type);
2301 switch (*id) {
2302 case IPSEC_ID_IPV4_ADDR:
2303 return sizeof(struct in_addr);
2304 case IPSEC_ID_IPV4_ADDR_SUBNET:
2305 return 2 * sizeof(struct in_addr);
2306 case IPSEC_ID_IPV6_ADDR:
2307 return sizeof(struct in6_addr);
2308 case IPSEC_ID_IPV6_ADDR_SUBNET:
2309 return 2 * sizeof(struct in6_addr);
2310 case IPSEC_ID_FQDN:
2311 case IPSEC_ID_USER_FQDN:
2312 case IPSEC_ID_KEY_ID:
2313 case IPSEC_ID_DER_ASN1_DN:
2314 case IPSEC_ID_DER_ASN1_GN:
2315 data = conf_get_str(section, "Name");
2316 if (!data) {
2317 log_print("ipsec_id_size: "
2318 "section %s has no \"Name\" tag", section);
2319 return -1;
2320 }
2321 return strlen(data);
2322 }
2323 log_print("ipsec_id_size: unrecognized/unsupported ID-type %d (%s)",
2324 *id, type);
2325 return -1;
2326 }
2327
2328 /*
2329 * Generate a string version of the ID.
2330 */
2331 char *
ipsec_id_string(u_int8_t * id,size_t id_len)2332 ipsec_id_string(u_int8_t *id, size_t id_len)
2333 {
2334 char *buf = 0;
2335 char *addrstr = 0;
2336 size_t len, size;
2337
2338 /*
2339 * XXX Real ugly way of making the offsets correct. Be aware that id
2340 * now will point before the actual buffer and cannot be dereferenced
2341 * without an offset larger than or equal to ISAKM_GEN_SZ.
2342 */
2343 id -= ISAKMP_GEN_SZ;
2344
2345 /* This is the actual length of the ID data field. */
2346 id_len += ISAKMP_GEN_SZ - ISAKMP_ID_DATA_OFF;
2347
2348 /*
2349 * Conservative allocation.
2350 * XXX I think the ASN1 DN case can be thought through to give a better
2351 * estimate.
2352 */
2353 size = MAX(sizeof "ipv6/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff",
2354 sizeof "asn1_dn/" + id_len - ISAKMP_ID_DATA_OFF);
2355 buf = malloc(size);
2356 if (!buf)
2357 /* XXX Log? */
2358 goto fail;
2359
2360 switch (GET_ISAKMP_ID_TYPE(id)) {
2361 case IPSEC_ID_IPV4_ADDR:
2362 if (id_len < sizeof(struct in_addr))
2363 goto fail;
2364 util_ntoa(&addrstr, AF_INET, id + ISAKMP_ID_DATA_OFF);
2365 if (!addrstr)
2366 goto fail;
2367 snprintf(buf, size, "ipv4/%s", addrstr);
2368 break;
2369
2370 case IPSEC_ID_IPV6_ADDR:
2371 if (id_len < sizeof(struct in6_addr))
2372 goto fail;
2373 util_ntoa(&addrstr, AF_INET6, id + ISAKMP_ID_DATA_OFF);
2374 if (!addrstr)
2375 goto fail;
2376 snprintf(buf, size, "ipv6/%s", addrstr);
2377 break;
2378
2379 case IPSEC_ID_FQDN:
2380 case IPSEC_ID_USER_FQDN:
2381 strlcpy(buf,
2382 GET_ISAKMP_ID_TYPE(id) == IPSEC_ID_FQDN ? "fqdn/" : "ufqdn/",
2383 size);
2384 len = strlen(buf);
2385
2386 memcpy(buf + len, id + ISAKMP_ID_DATA_OFF, id_len);
2387 *(buf + len + id_len) = '\0';
2388 break;
2389
2390 case IPSEC_ID_DER_ASN1_DN:
2391 strlcpy(buf, "asn1_dn/", size);
2392 len = strlen(buf);
2393 addrstr = x509_DN_string(id + ISAKMP_ID_DATA_OFF,
2394 id_len - ISAKMP_ID_DATA_OFF);
2395 if (!addrstr)
2396 goto fail;
2397 if (size < len + strlen(addrstr) + 1)
2398 goto fail;
2399 strlcpy(buf + len, addrstr, size - len);
2400 break;
2401
2402 default:
2403 /* Unknown type. */
2404 LOG_DBG((LOG_MISC, 10,
2405 "ipsec_id_string: unknown identity type %d\n",
2406 GET_ISAKMP_ID_TYPE(id)));
2407 goto fail;
2408 }
2409
2410 if (addrstr)
2411 free(addrstr);
2412 return buf;
2413
2414 fail:
2415 if (buf)
2416 free(buf);
2417 if (addrstr)
2418 free(addrstr);
2419 return 0;
2420 }
2421