8b8849c2a61cdd4615a2a0c6d9b5786c6934fd9c
[strongswan.git] / src / pluto / ike_alg.c
1 /* IKE modular algorithm handling interface
2 * Copyright (C) JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>
3 * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include <stdio.h>
17 #include <string.h>
18 #include <stdlib.h>
19 #include <errno.h>
20 #include <sys/queue.h>
21
22 #include <freeswan.h>
23 #include <ipsec_policy.h>
24
25 #include <library.h>
26 #include <debug.h>
27 #include <crypto/hashers/hasher.h>
28 #include <crypto/crypters/crypter.h>
29 #include <crypto/prfs/prf.h>
30
31 #include "constants.h"
32 #include "defs.h"
33 #include "crypto.h"
34
35 #include "state.h"
36 #include "packet.h"
37 #include "log.h"
38 #include "whack.h"
39 #include "spdb.h"
40 #include "alg_info.h"
41 #include "ike_alg.h"
42 #include "db_ops.h"
43 #include "connections.h"
44 #include "kernel.h"
45
46 #define return_on(var, val) do { var=val;goto return_out; } while(0);
47
48 /**
49 * IKE algorithm list handling - registration and lookup
50 */
51
52 /* Modular IKE algorithm storage structure */
53
54 static struct ike_alg *ike_alg_base[IKE_ALG_MAX+1] = {NULL, NULL};
55
56 /**
57 * Return ike_algo object by {type, id}
58 */
59 static struct ike_alg *ike_alg_find(u_int algo_type, u_int algo_id,
60 u_int keysize __attribute__((unused)))
61 {
62 struct ike_alg *e = ike_alg_base[algo_type];
63
64 while (e != NULL && algo_id > e->algo_id)
65 {
66 e = e->algo_next;
67 }
68 return (e != NULL && e->algo_id == algo_id) ? e : NULL;
69 }
70
71 /**
72 * "raw" ike_alg list adding function
73 */
74 int ike_alg_add(struct ike_alg* a)
75 {
76 if (a->algo_type > IKE_ALG_MAX)
77 {
78 plog("ike_alg: Not added, invalid algorithm type");
79 return -EINVAL;
80 }
81
82 if (ike_alg_find(a->algo_type, a->algo_id, 0) != NULL)
83 {
84 plog("ike_alg: Not added, algorithm already exists");
85 return -EEXIST;
86 }
87
88 {
89 struct ike_alg **ep = &ike_alg_base[a->algo_type];
90 struct ike_alg *e = *ep;
91
92 while (e != NULL && a->algo_id > e->algo_id)
93 {
94 ep = &e->algo_next;
95 e = *ep;
96 }
97 *ep = a;
98 a->algo_next = e;
99 return 0;
100 }
101 }
102
103 /**
104 * Get IKE hash algorithm
105 */
106 struct hash_desc *ike_alg_get_hasher(u_int alg)
107 {
108 return (struct hash_desc *) ike_alg_find(IKE_ALG_HASH, alg, 0);
109 }
110
111 /**
112 * Get IKE encryption algorithm
113 */
114 struct encrypt_desc *ike_alg_get_encrypter(u_int alg)
115 {
116 return (struct encrypt_desc *) ike_alg_find(IKE_ALG_ENCRYPT, alg, 0);
117 }
118
119 /**
120 * Check if IKE hash algorithm is present
121 */
122 bool ike_alg_hash_present(u_int halg)
123 {
124 return ike_alg_get_hasher(halg) != NULL;
125 }
126
127 /**
128 * check if IKE encryption algorithm is present
129 */
130 bool ike_alg_enc_present(u_int ealg)
131 {
132 return ike_alg_get_encrypter(ealg) != NULL;
133 }
134
135 /**
136 * Get pfsgroup for this connection
137 */
138 const struct oakley_group_desc *ike_alg_pfsgroup(struct connection *c, lset_t policy)
139 {
140 const struct oakley_group_desc * ret = NULL;
141
142 if ((policy & POLICY_PFS)
143 && c->alg_info_esp
144 && c->alg_info_esp->esp_pfsgroup)
145 ret = lookup_group(c->alg_info_esp->esp_pfsgroup);
146 return ret;
147 }
148
149 /**
150 * Create an OAKLEY proposal based on alg_info and policy
151 */
152 struct db_context *ike_alg_db_new(struct alg_info_ike *ai , lset_t policy)
153 {
154 struct db_context *db_ctx = NULL;
155 struct ike_info *ike_info;
156 struct encrypt_desc *enc_desc;
157 u_int ealg, halg, modp, eklen = 0;
158 int i;
159
160 bool is_xauth_server = (policy & POLICY_XAUTH_SERVER) != LEMPTY;
161
162 if (!ai)
163 {
164 whack_log(RC_LOG_SERIOUS, "no IKE algorithms "
165 "for this connection "
166 "(check ike algorithm string)");
167 goto fail;
168 }
169 policy &= POLICY_ID_AUTH_MASK;
170 db_ctx = db_prop_new(PROTO_ISAKMP, 8, 8 * 5);
171
172 /* for each group */
173 ALG_INFO_IKE_FOREACH(ai, ike_info, i)
174 {
175 ealg = ike_info->ike_ealg;
176 halg = ike_info->ike_halg;
177 modp = ike_info->ike_modp;
178 eklen= ike_info->ike_eklen;
179
180 if (!ike_alg_enc_present(ealg))
181 {
182 DBG_log("ike_alg: ike enc ealg=%d not present"
183 , ealg);
184 continue;
185 }
186
187 if (!ike_alg_hash_present(halg))
188 {
189 DBG_log("ike_alg: ike hash halg=%d not present"
190 , halg);
191 continue;
192 }
193
194 enc_desc = ike_alg_get_encrypter(ealg);
195 passert(enc_desc != NULL);
196
197 if (eklen
198 && (eklen < enc_desc->keyminlen || eklen > enc_desc->keymaxlen))
199 {
200 DBG_log("ike_alg: ealg=%d (specified) keylen:%d, not valid min=%d, max=%d"
201 , ealg
202 , eklen
203 , enc_desc->keyminlen
204 , enc_desc->keymaxlen
205 );
206 continue;
207 }
208
209 if (policy & POLICY_RSASIG)
210 {
211 db_trans_add(db_ctx, KEY_IKE);
212 db_attr_add_values(db_ctx, OAKLEY_ENCRYPTION_ALGORITHM, ealg);
213 db_attr_add_values(db_ctx, OAKLEY_HASH_ALGORITHM, halg);
214 if (eklen)
215 db_attr_add_values(db_ctx, OAKLEY_KEY_LENGTH, eklen);
216 db_attr_add_values(db_ctx, OAKLEY_AUTHENTICATION_METHOD, OAKLEY_RSA_SIG);
217 db_attr_add_values(db_ctx, OAKLEY_GROUP_DESCRIPTION, modp);
218 }
219
220 if (policy & POLICY_PSK)
221 {
222 db_trans_add(db_ctx, KEY_IKE);
223 db_attr_add_values(db_ctx, OAKLEY_ENCRYPTION_ALGORITHM, ealg);
224 db_attr_add_values(db_ctx, OAKLEY_HASH_ALGORITHM, halg);
225 if (eklen)
226 db_attr_add_values(db_ctx, OAKLEY_KEY_LENGTH, eklen);
227 db_attr_add_values(db_ctx, OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY);
228 db_attr_add_values(db_ctx, OAKLEY_GROUP_DESCRIPTION, modp);
229 }
230
231 if (policy & POLICY_XAUTH_RSASIG)
232 {
233 db_trans_add(db_ctx, KEY_IKE);
234 db_attr_add_values(db_ctx, OAKLEY_ENCRYPTION_ALGORITHM, ealg);
235 db_attr_add_values(db_ctx, OAKLEY_HASH_ALGORITHM, halg);
236 if (eklen)
237 db_attr_add_values(db_ctx, OAKLEY_KEY_LENGTH, eklen);
238 db_attr_add_values(db_ctx, OAKLEY_AUTHENTICATION_METHOD
239 , is_xauth_server ? XAUTHRespRSA : XAUTHInitRSA);
240 db_attr_add_values(db_ctx, OAKLEY_GROUP_DESCRIPTION, modp);
241 }
242
243 if (policy & POLICY_XAUTH_PSK)
244 {
245 db_trans_add(db_ctx, KEY_IKE);
246 db_attr_add_values(db_ctx, OAKLEY_ENCRYPTION_ALGORITHM, ealg);
247 db_attr_add_values(db_ctx, OAKLEY_HASH_ALGORITHM, halg);
248 if (eklen)
249 db_attr_add_values(db_ctx, OAKLEY_KEY_LENGTH, eklen);
250 db_attr_add_values(db_ctx, OAKLEY_AUTHENTICATION_METHOD
251 , is_xauth_server ? XAUTHRespPreShared : XAUTHInitPreShared);
252 db_attr_add_values(db_ctx, OAKLEY_GROUP_DESCRIPTION, modp);
253 }
254 }
255 fail:
256 return db_ctx;
257 }
258
259 /**
260 * Show registered IKE algorithms
261 */
262 void ike_alg_list(void)
263 {
264 u_int i;
265 struct ike_alg *a;
266
267 whack_log(RC_COMMENT, " ");
268 whack_log(RC_COMMENT, "List of registered IKE Encryption Algorithms:");
269 whack_log(RC_COMMENT, " ");
270
271 for (a = ike_alg_base[IKE_ALG_ENCRYPT]; a != NULL; a = a->algo_next)
272 {
273 struct encrypt_desc *desc = (struct encrypt_desc*)a;
274
275 whack_log(RC_COMMENT, "#%-5d %s, blocksize: %d, keylen: %d-%d-%d"
276 , a->algo_id
277 , enum_name(&oakley_enc_names, a->algo_id)
278 , (int)desc->enc_blocksize*BITS_PER_BYTE
279 , desc->keyminlen
280 , desc->keydeflen
281 , desc->keymaxlen
282 );
283 }
284
285 whack_log(RC_COMMENT, " ");
286 whack_log(RC_COMMENT, "List of registered IKE Hash Algorithms:");
287 whack_log(RC_COMMENT, " ");
288
289 for (a = ike_alg_base[IKE_ALG_HASH]; a != NULL; a = a->algo_next)
290 {
291 whack_log(RC_COMMENT, "#%-5d %s, hashsize: %d"
292 , a->algo_id
293 , enum_name(&oakley_hash_names, a->algo_id)
294 , (int)((struct hash_desc *)a)->hash_digest_size*BITS_PER_BYTE
295 );
296 }
297
298 whack_log(RC_COMMENT, " ");
299 whack_log(RC_COMMENT, "List of registered IKE DH Groups:");
300 whack_log(RC_COMMENT, " ");
301
302 for (i = 0; i < countof(oakley_group); i++)
303 {
304 const struct oakley_group_desc *gdesc=oakley_group + i;
305
306 whack_log(RC_COMMENT, "#%-5d %s, groupsize: %d"
307 , gdesc->group
308 , enum_name(&oakley_group_names, gdesc->group)
309 , (int)gdesc->bytes*BITS_PER_BYTE
310 );
311 }
312 }
313
314 /**
315 * Show IKE algorithms for this connection (result from ike= string)
316 * and newest SA
317 */
318 void ike_alg_show_connection(struct connection *c, const char *instance)
319 {
320 struct state *st = state_with_serialno(c->newest_isakmp_sa);
321
322 if (st)
323 {
324 if (st->st_oakley.encrypt == OAKLEY_3DES_CBC)
325 {
326 whack_log(RC_COMMENT,
327 "\"%s\"%s: IKE proposal: %s/%s/%s",
328 c->name, instance,
329 enum_show(&oakley_enc_names, st->st_oakley.encrypt),
330 enum_show(&oakley_hash_names, st->st_oakley.hash),
331 enum_show(&oakley_group_names, st->st_oakley.group->group)
332 );
333 }
334 else
335 {
336 whack_log(RC_COMMENT,
337 "\"%s\"%s: IKE proposal: %s_%u/%s/%s",
338 c->name, instance,
339 enum_show(&oakley_enc_names, st->st_oakley.encrypt),
340 st->st_oakley.enckeylen,
341 enum_show(&oakley_hash_names, st->st_oakley.hash),
342 enum_show(&oakley_group_names, st->st_oakley.group->group)
343 );
344 }
345 }
346 }
347
348 /**
349 * Apply a suite of testvectors to an encryption algorithm
350 */
351 static bool ike_encrypt_test(const struct encrypt_desc *desc)
352 {
353 bool encrypt_results = TRUE;
354
355 if (desc->enc_testvectors == NULL)
356 {
357 plog(" %s encryption self-test not available",
358 enum_name(&oakley_enc_names, desc->algo_id));
359 }
360 else
361 {
362 int i;
363 encryption_algorithm_t enc_alg;
364
365 enc_alg = oakley_to_encryption_algorithm(desc->algo_id);
366
367 for (i = 0; desc->enc_testvectors[i].key != NULL; i++)
368 {
369 bool result;
370 crypter_t *crypter;
371 chunk_t key = { (u_char*)desc->enc_testvectors[i].key,
372 desc->enc_testvectors[i].key_size };
373 chunk_t plain = { (u_char*)desc->enc_testvectors[i].plain,
374 desc->enc_testvectors[i].data_size};
375 chunk_t cipher = { (u_char*)desc->enc_testvectors[i].cipher,
376 desc->enc_testvectors[i].data_size};
377 chunk_t encrypted = chunk_empty;
378 chunk_t decrypted = chunk_empty;
379 chunk_t iv;
380
381 crypter = lib->crypto->create_crypter(lib->crypto, enc_alg, key.len);
382 if (crypter == NULL)
383 {
384 plog(" %s encryption function not available",
385 enum_name(&oakley_enc_names, desc->algo_id));
386 return FALSE;
387 }
388 iv = chunk_create((u_char*)desc->enc_testvectors[i].iv,
389 crypter->get_block_size(crypter));
390 crypter->set_key(crypter, key);
391 crypter->decrypt(crypter, cipher, iv, &decrypted);
392 result = chunk_equals(decrypted, plain);
393 crypter->encrypt(crypter, plain, iv, &encrypted);
394 result &= chunk_equals(encrypted, cipher);
395 DBG(DBG_CRYPT,
396 DBG_log(" enc testvector %d: %s", i, result ? "ok":"failed")
397 )
398 encrypt_results &= result;
399 crypter->destroy(crypter);
400 free(encrypted.ptr);
401 free(decrypted.ptr);
402 }
403 plog(" %s encryption self-test %s",
404 enum_name(&oakley_enc_names, desc->algo_id),
405 encrypt_results ? "passed":"failed");
406 }
407 return encrypt_results;
408 }
409
410 /**
411 * Apply a suite of testvectors to a hash algorithm
412 */
413 static bool ike_hash_test(const struct hash_desc *desc)
414 {
415 bool hash_results = TRUE;
416 bool hmac_results = TRUE;
417
418 if (desc->hash_testvectors == NULL)
419 {
420 plog(" %s hash self-test not available",
421 enum_name(&oakley_hash_names, desc->algo_id));
422 }
423 else
424 {
425 int i;
426 hash_algorithm_t hash_alg;
427 hasher_t *hasher;
428
429 hash_alg = oakley_to_hash_algorithm(desc->algo_id);
430 hasher = lib->crypto->create_hasher(lib->crypto, hash_alg);
431 if (hasher == NULL)
432 {
433 plog(" %s hash function not available",
434 enum_name(&oakley_hash_names, desc->algo_id));
435 return FALSE;
436 }
437
438 for (i = 0; desc->hash_testvectors[i].msg_digest != NULL; i++)
439 {
440 u_char digest[MAX_DIGEST_LEN];
441 chunk_t msg = { (u_char*)desc->hash_testvectors[i].msg,
442 desc->hash_testvectors[i].msg_size };
443 bool result;
444
445 hasher->get_hash(hasher, msg, digest);
446 result = memeq(digest, desc->hash_testvectors[i].msg_digest
447 , desc->hash_digest_size);
448 DBG(DBG_CRYPT,
449 DBG_log(" hash testvector %d: %s", i, result ? "ok":"failed")
450 )
451 hash_results &= result;
452 }
453 hasher->destroy(hasher);
454 plog(" %s hash self-test %s", enum_name(&oakley_hash_names, desc->algo_id),
455 hash_results ? "passed":"failed");
456 }
457
458 if (desc->hmac_testvectors == NULL)
459 {
460 plog(" %s hmac self-test not available", enum_name(&oakley_hash_names, desc->algo_id));
461 }
462 else
463 {
464 int i;
465 pseudo_random_function_t prf_alg;
466
467 prf_alg = oakley_to_prf(desc->algo_id);
468
469 for (i = 0; desc->hmac_testvectors[i].hmac != NULL; i++)
470 {
471 u_char digest[MAX_DIGEST_LEN];
472 chunk_t key = { (u_char*)desc->hmac_testvectors[i].key,
473 desc->hmac_testvectors[i].key_size };
474 chunk_t msg = { (u_char*)desc->hmac_testvectors[i].msg,
475 desc->hmac_testvectors[i].msg_size };
476 prf_t *prf;
477 bool result;
478
479 prf = lib->crypto->create_prf(lib->crypto, prf_alg);
480 if (prf == NULL)
481 {
482 plog(" %s hmac function not available",
483 enum_name(&oakley_hash_names, desc->algo_id));
484 return FALSE;
485 }
486 prf->set_key(prf, key);
487 prf->get_bytes(prf, msg, digest);
488 prf->destroy(prf);
489 result = memeq(digest, desc->hmac_testvectors[i].hmac,
490 desc->hash_digest_size);
491 DBG(DBG_CRYPT,
492 DBG_log(" hmac testvector %d: %s", i, result ? "ok":"failed")
493 )
494 hmac_results &= result;
495 }
496 plog(" %s hmac self-test %s", enum_name(&oakley_hash_names, desc->algo_id)
497 , hmac_results ? "passed":"failed");
498 }
499 return hash_results && hmac_results;
500 }
501
502 /**
503 * Apply test vectors to registered encryption and hash algorithms
504 */
505 bool ike_alg_test(void)
506 {
507 bool all_results = TRUE;
508 struct ike_alg *a;
509
510 plog("Testing registered IKE crypto algorithms:");
511
512 for (a = ike_alg_base[IKE_ALG_ENCRYPT]; a != NULL; a = a->algo_next)
513 {
514 struct encrypt_desc *desc = (struct encrypt_desc*)a;
515
516 all_results &= ike_encrypt_test(desc);
517 }
518
519 for (a = ike_alg_base[IKE_ALG_HASH]; a != NULL; a = a->algo_next)
520 {
521 struct hash_desc *desc = (struct hash_desc*)a;
522
523 all_results &= ike_hash_test(desc);
524 }
525
526 if (all_results)
527 plog("All crypto self-tests passed");
528 else
529 plog("Some crypto self-tests failed");
530 return all_results;
531 }
532
533 /**
534 * ML: make F_STRICT logic consider enc,hash/auth,modp algorithms
535 */
536 bool ike_alg_ok_final(u_int ealg, u_int key_len, u_int aalg, u_int group,
537 struct alg_info_ike *alg_info_ike)
538 {
539 /*
540 * simple test to discard low key_len, will accept it only
541 * if specified in "esp" string
542 */
543 bool ealg_insecure = (key_len < 128);
544
545 if (ealg_insecure
546 || (alg_info_ike && alg_info_ike->alg_info_flags & ALG_INFO_F_STRICT))
547 {
548 int i;
549 struct ike_info *ike_info;
550
551 if (alg_info_ike)
552 {
553 ALG_INFO_IKE_FOREACH(alg_info_ike, ike_info, i)
554 {
555 if (ike_info->ike_ealg == ealg
556 && (ike_info->ike_eklen == 0 || key_len == 0 || ike_info->ike_eklen == key_len)
557 && ike_info->ike_halg == aalg
558 && ike_info->ike_modp == group)
559 {
560 if (ealg_insecure)
561 loglog(RC_LOG_SERIOUS, "You should NOT use insecure IKE algorithms (%s)!"
562 , enum_name(&oakley_enc_names, ealg));
563 return TRUE;
564 }
565 }
566 }
567 plog("Oakley Transform [%s (%d), %s, %s] refused due to %s"
568 , enum_name(&oakley_enc_names, ealg), key_len
569 , enum_name(&oakley_hash_names, aalg)
570 , enum_name(&oakley_group_names, group)
571 , ealg_insecure ?
572 "insecure key_len and enc. alg. not listed in \"ike\" string" : "strict flag"
573 );
574 return FALSE;
575 }
576 return TRUE;
577 }
578