00a312a50dee6cb8c1d47b1debc4bde21c6d43c0
[strongswan.git] / src / pluto / spdb.c
1 /* Security Policy Data Base (such as it is)
2 * Copyright (C) 1998-2001 D. Hugh Redelmeier.
3 *
4 * This program is free software; you can redistribute it and/or modify it
5 * under the terms of the GNU General Public License as published by the
6 * Free Software Foundation; either version 2 of the License, or (at your
7 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
8 *
9 * This program is distributed in the hope that it will be useful, but
10 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
11 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
12 * for more details.
13 *
14 * RCSID $Id$
15 */
16
17 #include <stdio.h>
18 #include <string.h>
19 #include <stdlib.h>
20 #include <sys/socket.h>
21 #include <netinet/in.h>
22 #include <arpa/inet.h>
23 #include <sys/queue.h>
24
25 #include <freeswan.h>
26 #include <ipsec_policy.h>
27
28 #include "constants.h"
29 #include "defs.h"
30 #include "id.h"
31 #include "connections.h"
32 #include "state.h"
33 #include "packet.h"
34 #include "keys.h"
35 #include "kernel.h"
36 #include "log.h"
37 #include "spdb.h"
38 #include "whack.h"
39 #include "sha1.h"
40 #include "md5.h"
41 #include "crypto.h" /* requires sha1.h and md5.h */
42 #include "alg_info.h"
43 #include "kernel_alg.h"
44 #include "ike_alg.h"
45 #include "db_ops.h"
46 #include "nat_traversal.h"
47
48 #define AD(x) x, elemsof(x) /* Array Description */
49 #define AD_NULL NULL, 0
50
51 /**************** Oakely (main mode) SA database ****************/
52
53 /* array of proposals to be conjoined (can only be one for Oakley) */
54
55 static struct db_prop oakley_pc[] =
56 { { PROTO_ISAKMP, AD_NULL } };
57
58 /* array of proposal conjuncts (can only be one) */
59
60 static struct db_prop_conj oakley_props[] = { { AD(oakley_pc) } };
61
62 /* the sadb entry */
63 struct db_sa oakley_sadb = { AD(oakley_props) };
64
65 /**************** IPsec (quick mode) SA database ****************/
66
67 /* arrays of attributes for transforms */
68
69 static struct db_attr espsha1_attr[] = {
70 { AUTH_ALGORITHM, AUTH_ALGORITHM_HMAC_SHA1 },
71 };
72
73 static struct db_attr ah_HMAC_SHA1_attr[] = {
74 { AUTH_ALGORITHM, AUTH_ALGORITHM_HMAC_SHA1 },
75 };
76
77 /* arrays of transforms, each in in preference order */
78
79 static struct db_trans espa_trans[] = {
80 { ESP_3DES, AD(espsha1_attr) },
81 };
82
83 static struct db_trans esp_trans[] = {
84 { ESP_3DES, AD_NULL },
85 };
86
87 #ifdef SUPPORT_ESP_NULL
88 static struct db_trans espnull_trans[] = {
89 { ESP_NULL, AD(espsha1_attr) },
90 };
91 #endif /* SUPPORT_ESP_NULL */
92
93 static struct db_trans ah_trans[] = {
94 { AH_SHA, AD(ah_HMAC_SHA1_attr) },
95 };
96
97 static struct db_trans ipcomp_trans[] = {
98 { IPCOMP_DEFLATE, AD_NULL },
99 };
100
101 /* arrays of proposals to be conjoined */
102
103 static struct db_prop ah_pc[] = {
104 { PROTO_IPSEC_AH, AD(ah_trans) },
105 };
106
107 #ifdef SUPPORT_ESP_NULL
108 static struct db_prop espnull_pc[] = {
109 { PROTO_IPSEC_ESP, AD(espnull_trans) },
110 };
111 #endif /* SUPPORT_ESP_NULL */
112
113 static struct db_prop esp_pc[] = {
114 { PROTO_IPSEC_ESP, AD(espa_trans) },
115 };
116
117 static struct db_prop ah_esp_pc[] = {
118 { PROTO_IPSEC_AH, AD(ah_trans) },
119 { PROTO_IPSEC_ESP, AD(esp_trans) },
120 };
121
122 static struct db_prop compress_pc[] = {
123 { PROTO_IPCOMP, AD(ipcomp_trans) },
124 };
125
126 static struct db_prop ah_compress_pc[] = {
127 { PROTO_IPSEC_AH, AD(ah_trans) },
128 { PROTO_IPCOMP, AD(ipcomp_trans) },
129 };
130
131 #ifdef SUPPORT_ESP_NULL
132 static struct db_prop espnull_compress_pc[] = {
133 { PROTO_IPSEC_ESP, AD(espnull_trans) },
134 { PROTO_IPCOMP, AD(ipcomp_trans) },
135 };
136 #endif /* SUPPORT_ESP_NULL */
137
138 static struct db_prop esp_compress_pc[] = {
139 { PROTO_IPSEC_ESP, AD(espa_trans) },
140 { PROTO_IPCOMP, AD(ipcomp_trans) },
141 };
142
143 static struct db_prop ah_esp_compress_pc[] = {
144 { PROTO_IPSEC_AH, AD(ah_trans) },
145 { PROTO_IPSEC_ESP, AD(esp_trans) },
146 { PROTO_IPCOMP, AD(ipcomp_trans) },
147 };
148
149 /* arrays of proposal alternatives (each element is a conjunction) */
150
151 static struct db_prop_conj ah_props[] = {
152 { AD(ah_pc) },
153 #ifdef SUPPORT_ESP_NULL
154 { AD(espnull_pc) }
155 #endif
156 };
157
158 static struct db_prop_conj esp_props[] =
159 { { AD(esp_pc) } };
160
161 static struct db_prop_conj ah_esp_props[] =
162 { { AD(ah_esp_pc) } };
163
164 static struct db_prop_conj compress_props[] = {
165 { AD(compress_pc) },
166 };
167
168 static struct db_prop_conj ah_compress_props[] = {
169 { AD(ah_compress_pc) },
170 #ifdef SUPPORT_ESP_NULL
171 { AD(espnull_compress_pc) }
172 #endif
173 };
174
175 static struct db_prop_conj esp_compress_props[] =
176 { { AD(esp_compress_pc) } };
177
178 static struct db_prop_conj ah_esp_compress_props[] =
179 { { AD(ah_esp_compress_pc) } };
180
181 /* The IPsec sadb is subscripted by a bitset (subset of policy)
182 * with members from { POLICY_ENCRYPT, POLICY_AUTHENTICATE, POLICY_COMPRESS }
183 * shifted right by POLICY_IPSEC_SHIFT.
184 */
185 struct db_sa ipsec_sadb[1 << 3] = {
186 { AD_NULL }, /* none */
187 { AD(esp_props) }, /* POLICY_ENCRYPT */
188 { AD(ah_props) }, /* POLICY_AUTHENTICATE */
189 { AD(ah_esp_props) }, /* POLICY_ENCRYPT+POLICY_AUTHENTICATE */
190 { AD(compress_props) }, /* POLICY_COMPRESS */
191 { AD(esp_compress_props) }, /* POLICY_ENCRYPT+POLICY_COMPRESS */
192 { AD(ah_compress_props) }, /* POLICY_AUTHENTICATE+POLICY_COMPRESS */
193 { AD(ah_esp_compress_props) }, /* POLICY_ENCRYPT+POLICY_AUTHENTICATE+POLICY_COMPRESS */
194 };
195
196 #undef AD
197 #undef AD_NULL
198
199 /* output an attribute (within an SA) */
200 static bool
201 out_attr(int type
202 , unsigned long val
203 , struct_desc *attr_desc
204 , enum_names **attr_val_descs USED_BY_DEBUG
205 , pb_stream *pbs)
206 {
207 struct isakmp_attribute attr;
208
209 if (val >> 16 == 0)
210 {
211 /* short value: use TV form */
212 attr.isaat_af_type = type | ISAKMP_ATTR_AF_TV;
213 attr.isaat_lv = val;
214 if (!out_struct(&attr, attr_desc, pbs, NULL))
215 return FALSE;
216 }
217 else
218 {
219 /* This is a real fudge! Since we rarely use long attributes
220 * and since this is the only place where we can cause an
221 * ISAKMP message length to be other than a multiple of 4 octets,
222 * we force the length of the value to be a multiple of 4 octets.
223 * Furthermore, we only handle values up to 4 octets in length.
224 * Voila: a fixed format!
225 */
226 pb_stream val_pbs;
227 u_int32_t nval = htonl(val);
228
229 attr.isaat_af_type = type | ISAKMP_ATTR_AF_TLV;
230 if (!out_struct(&attr, attr_desc, pbs, &val_pbs)
231 || !out_raw(&nval, sizeof(nval), &val_pbs, "long attribute value"))
232 return FALSE;
233 close_output_pbs(&val_pbs);
234 }
235 DBG(DBG_EMITTING,
236 enum_names *d = attr_val_descs[type];
237
238 if (d != NULL)
239 DBG_log(" [%lu is %s]"
240 , val, enum_show(d, val)));
241 return TRUE;
242 }
243 #define return_on(var, val) do { var=val;goto return_out; } while(0);
244 /* Output an SA, as described by a db_sa.
245 * This has the side-effect of allocating SPIs for us.
246 */
247 bool
248 out_sa(pb_stream *outs
249 , struct db_sa *sadb
250 , struct state *st
251 , bool oakley_mode
252 , u_int8_t np)
253 {
254 pb_stream sa_pbs;
255 int pcn;
256 bool ret = FALSE;
257 bool ah_spi_generated = FALSE
258 , esp_spi_generated = FALSE
259 , ipcomp_cpi_generated = FALSE;
260 #if !defined NO_KERNEL_ALG || !defined NO_IKE_ALG
261 struct db_context *db_ctx = NULL;
262 #endif
263
264 /* SA header out */
265 {
266 struct isakmp_sa sa;
267
268 sa.isasa_np = np;
269 st->st_doi = sa.isasa_doi = ISAKMP_DOI_IPSEC; /* all we know */
270 if (!out_struct(&sa, &isakmp_sa_desc, outs, &sa_pbs))
271 return_on(ret, FALSE);
272 }
273
274 /* within SA: situation out */
275 st->st_situation = SIT_IDENTITY_ONLY;
276 if (!out_struct(&st->st_situation, &ipsec_sit_desc, &sa_pbs, NULL))
277 return_on(ret, FALSE);
278
279 /* within SA: Proposal Payloads
280 *
281 * Multiple Proposals with the same number are simultaneous
282 * (conjuncts) and must deal with different protocols (AH or ESP).
283 * Proposals with different numbers are alternatives (disjuncts),
284 * in preference order.
285 * Proposal numbers must be monotonic.
286 * See RFC 2408 "ISAKMP" 4.2
287 */
288
289 for (pcn = 0; pcn != sadb->prop_conj_cnt; pcn++)
290 {
291 struct db_prop_conj *pc = &sadb->prop_conjs[pcn];
292 int pn;
293
294 for (pn = 0; pn != pc->prop_cnt; pn++)
295 {
296 struct db_prop *p = &pc->props[pn];
297 pb_stream proposal_pbs;
298 struct isakmp_proposal proposal;
299 struct_desc *trans_desc = NULL;
300 struct_desc *attr_desc = NULL;
301 enum_names **attr_val_descs = NULL;
302 int tn;
303 bool tunnel_mode;
304
305 tunnel_mode = (pn == pc->prop_cnt-1)
306 && (st->st_policy & POLICY_TUNNEL);
307
308 /* Proposal header */
309 proposal.isap_np = pcn == sadb->prop_conj_cnt-1 && pn == pc->prop_cnt-1
310 ? ISAKMP_NEXT_NONE : ISAKMP_NEXT_P;
311 proposal.isap_proposal = pcn;
312 proposal.isap_protoid = p->protoid;
313 proposal.isap_spisize = oakley_mode ? 0
314 : p->protoid == PROTO_IPCOMP ? IPCOMP_CPI_SIZE
315 : IPSEC_DOI_SPI_SIZE;
316
317 /* In quick mode ONLY, create proposal for runtime kernel algos.
318 * Replace ESP proposals with runtime created one
319 */
320 if (!oakley_mode && p->protoid == PROTO_IPSEC_ESP)
321 {
322 DBG(DBG_CONTROL | DBG_CRYPT,
323 if (st->st_connection->alg_info_esp)
324 {
325 static char buf[256]="";
326
327 alg_info_snprint(buf, sizeof (buf),
328 (struct alg_info *)st->st_connection->alg_info_esp);
329 DBG_log(buf);
330 }
331 )
332 db_ctx = kernel_alg_db_new(st->st_connection->alg_info_esp, st->st_policy);
333 p = db_prop_get(db_ctx);
334
335 if (!p || p->trans_cnt == 0)
336 {
337 loglog(RC_LOG_SERIOUS,
338 "empty IPSEC SA proposal to send "
339 "(no kernel algorithms for esp selection)");
340 return_on(ret, FALSE);
341 }
342 }
343
344 if (oakley_mode && p->protoid == PROTO_ISAKMP)
345 {
346 DBG(DBG_CONTROL | DBG_CRYPT,
347 if (st->st_connection->alg_info_ike)
348 {
349 static char buf[256]="";
350
351 alg_info_snprint(buf, sizeof (buf),
352 (struct alg_info *)st->st_connection->alg_info_ike);
353 DBG_log(buf);
354 }
355 )
356 db_ctx = ike_alg_db_new(st->st_connection->alg_info_ike, st->st_policy);
357 p = db_prop_get(db_ctx);
358
359 if (!p || p->trans_cnt == 0)
360 {
361 loglog(RC_LOG_SERIOUS,
362 "empty ISAKMP SA proposal to send "
363 "(no algorithms for ike selection?)");
364 return_on(ret, FALSE);
365 }
366 }
367
368 proposal.isap_notrans = p->trans_cnt;
369 if (!out_struct(&proposal, &isakmp_proposal_desc, &sa_pbs, &proposal_pbs))
370 return_on(ret, FALSE);
371
372 /* Per-protocols stuff:
373 * Set trans_desc.
374 * Set attr_desc.
375 * Set attr_val_descs.
376 * If not oakley_mode, emit SPI.
377 * We allocate SPIs on demand.
378 * All ESPs in an SA will share a single SPI.
379 * All AHs in an SAwill share a single SPI.
380 * AHs' SPI will be distinct from ESPs'.
381 * This latter is needed because KLIPS doesn't
382 * use the protocol when looking up a (dest, protocol, spi).
383 * ??? If multiple ESPs are composed, how should their SPIs
384 * be allocated?
385 */
386 {
387 ipsec_spi_t *spi_ptr = NULL;
388 int proto = 0;
389 bool *spi_generated = NULL;
390
391 switch (p->protoid)
392 {
393 case PROTO_ISAKMP:
394 passert(oakley_mode);
395 trans_desc = &isakmp_isakmp_transform_desc;
396 attr_desc = &isakmp_oakley_attribute_desc;
397 attr_val_descs = oakley_attr_val_descs;
398 /* no SPI needed */
399 break;
400 case PROTO_IPSEC_AH:
401 passert(!oakley_mode);
402 trans_desc = &isakmp_ah_transform_desc;
403 attr_desc = &isakmp_ipsec_attribute_desc;
404 attr_val_descs = ipsec_attr_val_descs;
405 spi_ptr = &st->st_ah.our_spi;
406 spi_generated = &ah_spi_generated;
407 proto = IPPROTO_AH;
408 break;
409 case PROTO_IPSEC_ESP:
410 passert(!oakley_mode);
411 trans_desc = &isakmp_esp_transform_desc;
412 attr_desc = &isakmp_ipsec_attribute_desc;
413 attr_val_descs = ipsec_attr_val_descs;
414 spi_ptr = &st->st_esp.our_spi;
415 spi_generated = &esp_spi_generated;
416 proto = IPPROTO_ESP;
417 break;
418 case PROTO_IPCOMP:
419 passert(!oakley_mode);
420 trans_desc = &isakmp_ipcomp_transform_desc;
421 attr_desc = &isakmp_ipsec_attribute_desc;
422 attr_val_descs = ipsec_attr_val_descs;
423
424 /* a CPI isn't quite the same as an SPI
425 * so we use specialized code to emit it.
426 */
427 if (!ipcomp_cpi_generated)
428 {
429 st->st_ipcomp.our_spi = get_my_cpi(
430 &st->st_connection->spd, tunnel_mode);
431 if (st->st_ipcomp.our_spi == 0)
432 return_on(ret, FALSE); /* problem generating CPI */
433
434 ipcomp_cpi_generated = TRUE;
435 }
436 /* CPI is stored in network low order end of an
437 * ipsec_spi_t. So we start a couple of bytes in.
438 */
439 if (!out_raw((u_char *)&st->st_ipcomp.our_spi
440 + IPSEC_DOI_SPI_SIZE - IPCOMP_CPI_SIZE
441 , IPCOMP_CPI_SIZE
442 , &proposal_pbs, "CPI"))
443 return_on(ret, FALSE);
444 break;
445 default:
446 bad_case(p->protoid);
447 }
448 if (spi_ptr != NULL)
449 {
450 if (!*spi_generated)
451 {
452 *spi_ptr = get_ipsec_spi(0
453 , proto
454 , &st->st_connection->spd
455 , tunnel_mode);
456 if (*spi_ptr == 0)
457 return FALSE;
458 *spi_generated = TRUE;
459 }
460 if (!out_raw((u_char *)spi_ptr, IPSEC_DOI_SPI_SIZE
461 , &proposal_pbs, "SPI"))
462 return_on(ret, FALSE);
463 }
464 }
465
466 /* within proposal: Transform Payloads */
467 for (tn = 0; tn != p->trans_cnt; tn++)
468 {
469 struct db_trans *t = &p->trans[tn];
470 pb_stream trans_pbs;
471 struct isakmp_transform trans;
472 int an;
473
474 trans.isat_np = (tn == p->trans_cnt - 1)
475 ? ISAKMP_NEXT_NONE : ISAKMP_NEXT_T;
476 trans.isat_transnum = tn;
477 trans.isat_transid = t->transid;
478 if (!out_struct(&trans, trans_desc, &proposal_pbs, &trans_pbs))
479 return_on(ret, FALSE);
480
481 /* Within tranform: Attributes. */
482
483 /* For Phase 2 / Quick Mode, GROUP_DESCRIPTION is
484 * automatically generated because it must be the same
485 * in every transform. Except IPCOMP.
486 */
487 if (p->protoid != PROTO_IPCOMP
488 && st->st_pfs_group != NULL)
489 {
490 passert(!oakley_mode);
491 passert(st->st_pfs_group != &unset_group);
492 out_attr(GROUP_DESCRIPTION, st->st_pfs_group->group
493 , attr_desc, attr_val_descs
494 , &trans_pbs);
495 }
496
497 /* automatically generate duration
498 * and, for Phase 2 / Quick Mode, encapsulation.
499 */
500 if (oakley_mode)
501 {
502 out_attr(OAKLEY_LIFE_TYPE, OAKLEY_LIFE_SECONDS
503 , attr_desc, attr_val_descs
504 , &trans_pbs);
505 out_attr(OAKLEY_LIFE_DURATION
506 , st->st_connection->sa_ike_life_seconds
507 , attr_desc, attr_val_descs
508 , &trans_pbs);
509 }
510 else
511 {
512 /* RFC 2407 (IPSEC DOI) 4.5 specifies that
513 * the default is "unspecified (host-dependent)".
514 * This makes little sense, so we always specify it.
515 *
516 * Unlike other IPSEC transforms, IPCOMP defaults
517 * to Transport Mode, so we can exploit the default
518 * (draft-shacham-ippcp-rfc2393bis-05.txt 4.1).
519 */
520 if (p->protoid != PROTO_IPCOMP
521 || st->st_policy & POLICY_TUNNEL)
522 {
523 #ifndef I_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT
524 if ((st->nat_traversal & NAT_T_DETECTED)
525 && !(st->st_policy & POLICY_TUNNEL))
526 {
527 /* Inform user that we will not respect policy and only
528 * propose Tunnel Mode
529 */
530 loglog(RC_LOG_SERIOUS, "NAT-Traversal: "
531 "Transport Mode not allowed due to security concerns -- "
532 "using Tunnel mode");
533 }
534 #endif
535 out_attr(ENCAPSULATION_MODE
536 #ifdef I_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT
537 , NAT_T_ENCAPSULATION_MODE(st, st->st_policy)
538 #else
539 /* If NAT-T is detected, use UDP_TUNNEL as long as Transport
540 * Mode has security concerns.
541 *
542 * User has been informed of that
543 */
544 , NAT_T_ENCAPSULATION_MODE(st, POLICY_TUNNEL)
545 #endif
546 , attr_desc, attr_val_descs
547 , &trans_pbs);
548 }
549 out_attr(SA_LIFE_TYPE, SA_LIFE_TYPE_SECONDS
550 , attr_desc, attr_val_descs
551 , &trans_pbs);
552 out_attr(SA_LIFE_DURATION
553 , st->st_connection->sa_ipsec_life_seconds
554 , attr_desc, attr_val_descs
555 , &trans_pbs);
556 }
557
558 /* spit out attributes from table */
559 for (an = 0; an != t->attr_cnt; an++)
560 {
561 struct db_attr *a = &t->attrs[an];
562
563 out_attr(a->type, a->val
564 , attr_desc, attr_val_descs
565 , &trans_pbs);
566 }
567
568 close_output_pbs(&trans_pbs);
569 }
570 close_output_pbs(&proposal_pbs);
571 }
572 /* end of a conjunction of proposals */
573 }
574 close_output_pbs(&sa_pbs);
575 ret = TRUE;
576
577 return_out:
578
579 #if !defined NO_KERNEL_ALG || !defined NO_IKE_ALG
580 if (db_ctx)
581 db_destroy(db_ctx);
582 #endif
583 return ret;
584 }
585
586 /* Handle long form of duration attribute.
587 * The code is can only handle values that can fit in unsigned long.
588 * "Clamping" is probably an acceptable way to impose this limitation.
589 */
590 static u_int32_t
591 decode_long_duration(pb_stream *pbs)
592 {
593 u_int32_t val = 0;
594
595 /* ignore leading zeros */
596 while (pbs_left(pbs) != 0 && *pbs->cur == '\0')
597 pbs->cur++;
598
599 if (pbs_left(pbs) > sizeof(val))
600 {
601 /* "clamp" too large value to max representable value */
602 val -= 1; /* portable way to get to maximum value */
603 DBG(DBG_PARSING, DBG_log(" too large duration clamped to: %lu"
604 , (unsigned long)val));
605 }
606 else
607 {
608 /* decode number */
609 while (pbs_left(pbs) != 0)
610 val = (val << BITS_PER_BYTE) | *pbs->cur++;
611 DBG(DBG_PARSING, DBG_log(" long duration: %lu", (unsigned long)val));
612 }
613 return val;
614 }
615
616 /* Preparse the body of an ISAKMP SA Payload and
617 * return body of ISAKMP Proposal Payload
618 *
619 * Only IPsec DOI is accepted (what is the ISAKMP DOI?).
620 * Error response is rudimentary.
621 */
622 notification_t
623 preparse_isakmp_sa_body(const struct isakmp_sa *sa
624 , pb_stream *sa_pbs
625 , u_int32_t *ipsecdoisit
626 , pb_stream *proposal_pbs
627 , struct isakmp_proposal *proposal)
628 {
629 /* DOI */
630 if (sa->isasa_doi != ISAKMP_DOI_IPSEC)
631 {
632 loglog(RC_LOG_SERIOUS, "Unknown/unsupported DOI %s", enum_show(&doi_names, sa->isasa_doi));
633 /* XXX Could send notification back */
634 return DOI_NOT_SUPPORTED;
635 }
636
637 /* Situation */
638 if (!in_struct(ipsecdoisit, &ipsec_sit_desc, sa_pbs, NULL))
639 return SITUATION_NOT_SUPPORTED;
640
641 if (*ipsecdoisit != SIT_IDENTITY_ONLY)
642 {
643 loglog(RC_LOG_SERIOUS, "unsupported IPsec DOI situation (%s)"
644 , bitnamesof(sit_bit_names, *ipsecdoisit));
645 /* XXX Could send notification back */
646 return SITUATION_NOT_SUPPORTED;
647 }
648
649 /* The rules for ISAKMP SAs are scattered.
650 * RFC 2409 "IKE" section 5 says that there
651 * can only be one SA, and it can have only one proposal in it.
652 * There may well be multiple transforms.
653 */
654 if (!in_struct(proposal, &isakmp_proposal_desc, sa_pbs, proposal_pbs))
655 return PAYLOAD_MALFORMED;
656
657 if (proposal->isap_np != ISAKMP_NEXT_NONE)
658 {
659 loglog(RC_LOG_SERIOUS, "Proposal Payload must be alone in Oakley SA; found %s following Proposal"
660 , enum_show(&payload_names, proposal->isap_np));
661 return PAYLOAD_MALFORMED;
662 }
663
664 if (proposal->isap_protoid != PROTO_ISAKMP)
665 {
666 loglog(RC_LOG_SERIOUS, "unexpected Protocol ID (%s) found in Oakley Proposal"
667 , enum_show(&protocol_names, proposal->isap_protoid));
668 return INVALID_PROTOCOL_ID;
669 }
670
671 /* Just what should we accept for the SPI field?
672 * The RFC is sort of contradictory. We will ignore the SPI
673 * as long as it is of the proper size.
674 *
675 * From RFC2408 2.4 Identifying Security Associations:
676 * During phase 1 negotiations, the initiator and responder cookies
677 * determine the ISAKMP SA. Therefore, the SPI field in the Proposal
678 * payload is redundant and MAY be set to 0 or it MAY contain the
679 * transmitting entity's cookie.
680 *
681 * From RFC2408 3.5 Proposal Payload:
682 * o SPI Size (1 octet) - Length in octets of the SPI as defined by
683 * the Protocol-Id. In the case of ISAKMP, the Initiator and
684 * Responder cookie pair from the ISAKMP Header is the ISAKMP SPI,
685 * therefore, the SPI Size is irrelevant and MAY be from zero (0) to
686 * sixteen (16). If the SPI Size is non-zero, the content of the
687 * SPI field MUST be ignored. If the SPI Size is not a multiple of
688 * 4 octets it will have some impact on the SPI field and the
689 * alignment of all payloads in the message. The Domain of
690 * Interpretation (DOI) will dictate the SPI Size for other
691 * protocols.
692 */
693 if (proposal->isap_spisize == 0)
694 {
695 /* empty (0) SPI -- fine */
696 }
697 else if (proposal->isap_spisize <= MAX_ISAKMP_SPI_SIZE)
698 {
699 u_char junk_spi[MAX_ISAKMP_SPI_SIZE];
700
701 if (!in_raw(junk_spi, proposal->isap_spisize, proposal_pbs, "Oakley SPI"))
702 return PAYLOAD_MALFORMED;
703 }
704 else
705 {
706 loglog(RC_LOG_SERIOUS, "invalid SPI size (%u) in Oakley Proposal"
707 , (unsigned)proposal->isap_spisize);
708 return INVALID_SPI;
709 }
710 return NOTHING_WRONG;
711 }
712
713 static struct {
714 u_int8_t *start;
715 u_int8_t *cur;
716 u_int8_t *roof;
717 } backup;
718
719 /*
720 * backup the pointer into a pb_stream
721 */
722 void
723 backup_pbs(pb_stream *pbs)
724 {
725 backup.start = pbs->start;
726 backup.cur = pbs->cur;
727 backup.roof = pbs->roof;
728 }
729
730 /*
731 * restore the pointer into a pb_stream
732 */
733 void
734 restore_pbs(pb_stream *pbs)
735 {
736 pbs->start = backup.start;
737 pbs->cur = backup.cur;
738 pbs->roof = backup.roof;
739 }
740
741 /*
742 * Parse an ISAKMP Proposal Payload for RSA and PSK authentication policies
743 */
744 notification_t
745 parse_isakmp_policy(pb_stream *proposal_pbs
746 , u_int notrans
747 , lset_t *policy)
748 {
749 int last_transnum = -1;
750
751 *policy = LEMPTY;
752
753 while (notrans--)
754 {
755 pb_stream trans_pbs;
756 u_char *attr_start;
757 size_t attr_len;
758 struct isakmp_transform trans;
759
760 if (!in_struct(&trans, &isakmp_isakmp_transform_desc, proposal_pbs, &trans_pbs))
761 return BAD_PROPOSAL_SYNTAX;
762
763 if (trans.isat_transnum <= last_transnum)
764 {
765 /* picky, picky, picky */
766 loglog(RC_LOG_SERIOUS, "Transform Numbers are not monotonically increasing"
767 " in Oakley Proposal");
768 return BAD_PROPOSAL_SYNTAX;
769 }
770 last_transnum = trans.isat_transnum;
771
772 if (trans.isat_transid != KEY_IKE)
773 {
774 loglog(RC_LOG_SERIOUS, "expected KEY_IKE but found %s in Oakley Transform"
775 , enum_show(&isakmp_transformid_names, trans.isat_transid));
776 return INVALID_TRANSFORM_ID;
777 }
778
779 attr_start = trans_pbs.cur;
780 attr_len = pbs_left(&trans_pbs);
781
782 /* preprocess authentication attributes only */
783 while (pbs_left(&trans_pbs) != 0)
784 {
785 struct isakmp_attribute a;
786 pb_stream attr_pbs;
787
788 if (!in_struct(&a, &isakmp_oakley_attribute_desc, &trans_pbs, &attr_pbs))
789 return BAD_PROPOSAL_SYNTAX;
790
791 passert((a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK) < 32);
792
793 switch (a.isaat_af_type)
794 {
795 case OAKLEY_AUTHENTICATION_METHOD | ISAKMP_ATTR_AF_TV:
796 switch (a.isaat_lv)
797 {
798 case OAKLEY_PRESHARED_KEY:
799 *policy |= POLICY_PSK;
800 break;
801 case OAKLEY_RSA_SIG:
802 *policy |= POLICY_RSASIG;
803 break;
804 case XAUTHInitPreShared:
805 *policy |= POLICY_XAUTH_SERVER;
806 /* fall through */
807 case XAUTHRespPreShared:
808 *policy |= POLICY_XAUTH_PSK;
809 break;
810 case XAUTHInitRSA:
811 *policy |= POLICY_XAUTH_SERVER;
812 /* fall through */
813 case XAUTHRespRSA:
814 *policy |= POLICY_XAUTH_RSASIG;
815 break;
816 default:
817 break;
818 }
819 break;
820 default:
821 break;
822 }
823 }
824 }
825 DBG(DBG_CONTROL|DBG_PARSING,
826 DBG_log("preparse_isakmp_policy: peer requests %s authentication"
827 , prettypolicy(*policy))
828 )
829 return NOTHING_WRONG;
830 }
831
832 /*
833 * check that we can find a preshared secret
834 */
835 static err_t
836 find_preshared_key(struct state* st)
837 {
838 err_t ugh = NULL;
839 struct connection *c = st->st_connection;
840
841 if (get_preshared_secret(c) == NULL)
842 {
843 char my_id[BUF_LEN], his_id[BUF_LEN];
844
845 idtoa(&c->spd.this.id, my_id, sizeof(my_id));
846 if (his_id_was_instantiated(c))
847 strcpy(his_id, "%any");
848 else
849 idtoa(&c->spd.that.id, his_id, sizeof(his_id));
850 ugh = builddiag("Can't authenticate: no preshared key found for `%s' and `%s'"
851 , my_id, his_id);
852 }
853 return ugh;
854 }
855
856 /* Parse the body of an ISAKMP SA Payload (i.e. Phase 1 / Main Mode).
857 * Various shortcuts are taken. In particular, the policy, such as
858 * it is, is hardwired.
859 *
860 * If r_sa is non-NULL, the body of an SA representing the selected
861 * proposal is emitted.
862 *
863 * This routine is used by main_inI1_outR1() and main_inR1_outI2().
864 */
865 notification_t
866 parse_isakmp_sa_body(u_int32_t ipsecdoisit
867 , pb_stream *proposal_pbs
868 , struct isakmp_proposal *proposal
869 , pb_stream *r_sa_pbs
870 , struct state *st
871 , bool initiator)
872 {
873 struct connection *c = st->st_connection;
874 unsigned no_trans_left;
875
876 /* for each transform payload... */
877 no_trans_left = proposal->isap_notrans;
878
879 for (;;)
880 {
881 pb_stream trans_pbs;
882 u_char *attr_start;
883 size_t attr_len;
884 struct isakmp_transform trans;
885 lset_t seen_attrs = 0;
886 lset_t seen_durations = 0;
887 u_int16_t life_type = 0;
888 struct oakley_trans_attrs ta;
889 err_t ugh = NULL; /* set to diagnostic when problem detected */
890
891 /* initialize only optional field in ta */
892 ta.life_seconds = OAKLEY_ISAKMP_SA_LIFETIME_DEFAULT; /* When this SA expires (seconds) */
893
894 if (no_trans_left == 0)
895 {
896 loglog(RC_LOG_SERIOUS, "number of Transform Payloads disagrees with Oakley Proposal Payload");
897 return BAD_PROPOSAL_SYNTAX;
898 }
899
900 in_struct(&trans, &isakmp_isakmp_transform_desc, proposal_pbs, &trans_pbs);
901 attr_start = trans_pbs.cur;
902 attr_len = pbs_left(&trans_pbs);
903
904 /* process all the attributes that make up the transform */
905
906 while (pbs_left(&trans_pbs) != 0)
907 {
908 struct isakmp_attribute a;
909 pb_stream attr_pbs;
910 u_int32_t val; /* room for larger values */
911
912 if (!in_struct(&a, &isakmp_oakley_attribute_desc, &trans_pbs, &attr_pbs))
913 return BAD_PROPOSAL_SYNTAX;
914
915 passert((a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK) < 32);
916
917 if (LHAS(seen_attrs, a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK))
918 {
919 loglog(RC_LOG_SERIOUS, "repeated %s attribute in Oakley Transform %u"
920 , enum_show(&oakley_attr_names, a.isaat_af_type)
921 , trans.isat_transnum);
922 return BAD_PROPOSAL_SYNTAX;
923 }
924
925 seen_attrs |= LELEM(a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK);
926
927 val = a.isaat_lv;
928
929 DBG(DBG_PARSING,
930 {
931 enum_names *vdesc = oakley_attr_val_descs
932 [a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK];
933
934 if (vdesc != NULL)
935 {
936 const char *nm = enum_name(vdesc, val);
937
938 if (nm != NULL)
939 DBG_log(" [%u is %s]", (unsigned)val, nm);
940 }
941 });
942
943 switch (a.isaat_af_type)
944 {
945 case OAKLEY_ENCRYPTION_ALGORITHM | ISAKMP_ATTR_AF_TV:
946 if (ike_alg_enc_present(val))
947 {
948 ta.encrypt = val;
949 ta.encrypter = ike_alg_get_encrypter(val);
950 ta.enckeylen = ta.encrypter->keydeflen;
951 }
952 else
953 {
954 ugh = builddiag("%s is not supported"
955 , enum_show(&oakley_enc_names, val));
956 }
957 break;
958
959 case OAKLEY_HASH_ALGORITHM | ISAKMP_ATTR_AF_TV:
960 if (ike_alg_hash_present(val))
961 {
962 ta.hash = val;
963 ta.hasher = ike_alg_get_hasher(val);
964 }
965 else
966 {
967 ugh = builddiag("%s is not supported"
968 , enum_show(&oakley_hash_names, val));
969 }
970 break;
971
972 case OAKLEY_AUTHENTICATION_METHOD | ISAKMP_ATTR_AF_TV:
973 {
974 /* check that authentication method is acceptable */
975 lset_t iap = st->st_policy & POLICY_ID_AUTH_MASK;
976
977 /* is the initiator the XAUTH client? */
978 bool xauth_init = ( initiator && (st->st_policy & POLICY_XAUTH_SERVER) == LEMPTY)
979 || (!initiator && (st->st_policy & POLICY_XAUTH_SERVER) != LEMPTY);
980
981 switch (val)
982 {
983 case OAKLEY_PRESHARED_KEY:
984 if ((iap & POLICY_PSK) == LEMPTY)
985 {
986 ugh = "policy does not allow OAKLEY_PRESHARED_KEY authentication";
987 }
988 else
989 {
990 ugh = find_preshared_key(st);
991 ta.auth = OAKLEY_PRESHARED_KEY;
992 }
993 break;
994 case XAUTHInitPreShared:
995 if ((iap & POLICY_XAUTH_PSK) == LEMPTY || !xauth_init)
996 {
997 ugh = "policy does not allow XAUTHInitPreShared authentication";
998 }
999 else
1000 {
1001 ugh = find_preshared_key(st);
1002 ta.auth = XAUTHInitPreShared;
1003 }
1004 break;
1005 case XAUTHRespPreShared:
1006 if ((iap & POLICY_XAUTH_PSK) == LEMPTY || xauth_init)
1007 {
1008 ugh = "policy does not allow XAUTHRespPreShared authentication";
1009 }
1010 else
1011 {
1012 ugh = find_preshared_key(st);
1013 ta.auth = XAUTHRespPreShared;
1014 }
1015 break;
1016 case OAKLEY_RSA_SIG:
1017 /* Accept if policy specifies RSASIG or is default */
1018 if ((iap & POLICY_RSASIG) == LEMPTY)
1019 {
1020 ugh = "policy does not allow OAKLEY_RSA_SIG authentication";
1021 }
1022 else
1023 {
1024 ta.auth = OAKLEY_RSA_SIG;
1025 }
1026 break;
1027 case XAUTHInitRSA:
1028 if ((iap & POLICY_XAUTH_RSASIG) == LEMPTY || !xauth_init)
1029 {
1030 ugh = "policy does not allow XAUTHInitRSA authentication";
1031 }
1032 else
1033 {
1034 ta.auth = XAUTHInitRSA;
1035 }
1036 break;
1037 case XAUTHRespRSA:
1038 if ((iap & POLICY_XAUTH_RSASIG) == LEMPTY || xauth_init)
1039 {
1040 ugh = "policy does not allow XAUTHRespRSA authentication";
1041 }
1042 else
1043 {
1044 ta.auth = XAUTHRespRSA;
1045 }
1046 break;
1047 default:
1048 ugh = builddiag("Pluto does not support %s authentication"
1049 , enum_show(&oakley_auth_names, val));
1050 break;
1051 }
1052 }
1053 break;
1054
1055 case OAKLEY_GROUP_DESCRIPTION | ISAKMP_ATTR_AF_TV:
1056 ta.group = lookup_group(val);
1057 if (ta.group == NULL)
1058 {
1059 ugh = "only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported";
1060 }
1061 break;
1062
1063 case OAKLEY_LIFE_TYPE | ISAKMP_ATTR_AF_TV:
1064 switch (val)
1065 {
1066 case OAKLEY_LIFE_SECONDS:
1067 case OAKLEY_LIFE_KILOBYTES:
1068 if (LHAS(seen_durations, val))
1069 {
1070 loglog(RC_LOG_SERIOUS
1071 , "attribute OAKLEY_LIFE_TYPE value %s repeated"
1072 , enum_show(&oakley_lifetime_names, val));
1073 return BAD_PROPOSAL_SYNTAX;
1074 }
1075 seen_durations |= LELEM(val);
1076 life_type = val;
1077 break;
1078 default:
1079 ugh = builddiag("unknown value %s"
1080 , enum_show(&oakley_lifetime_names, val));
1081 break;
1082 }
1083 break;
1084
1085 case OAKLEY_LIFE_DURATION | ISAKMP_ATTR_AF_TLV:
1086 val = decode_long_duration(&attr_pbs);
1087 /* fall through */
1088 case OAKLEY_LIFE_DURATION | ISAKMP_ATTR_AF_TV:
1089 if (!LHAS(seen_attrs, OAKLEY_LIFE_TYPE))
1090 {
1091 ugh = "OAKLEY_LIFE_DURATION attribute not preceded by OAKLEY_LIFE_TYPE attribute";
1092 break;
1093 }
1094 seen_attrs &= ~(LELEM(OAKLEY_LIFE_DURATION) | LELEM(OAKLEY_LIFE_TYPE));
1095
1096 switch (life_type)
1097 {
1098 case OAKLEY_LIFE_SECONDS:
1099 if (val > OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM)
1100 {
1101 #ifdef CISCO_QUIRKS
1102 plog("peer requested %lu seconds"
1103 " which exceeds our limit %d seconds"
1104 , (long) val
1105 , OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM);
1106 plog("lifetime reduced to %d seconds "
1107 "(todo: IPSEC_RESPONDER_LIFETIME notification)"
1108 , OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM);
1109 val = OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM;
1110 #else
1111 ugh = builddiag("peer requested %lu seconds"
1112 " which exceeds our limit %d seconds"
1113 , (long) val
1114 , OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM);
1115 #endif
1116 }
1117 ta.life_seconds = val;
1118 break;
1119 case OAKLEY_LIFE_KILOBYTES:
1120 ta.life_kilobytes = val;
1121 break;
1122 default:
1123 bad_case(life_type);
1124 }
1125 break;
1126
1127 case OAKLEY_KEY_LENGTH | ISAKMP_ATTR_AF_TV:
1128 if ((seen_attrs & LELEM(OAKLEY_ENCRYPTION_ALGORITHM)) == 0)
1129 {
1130 ugh = "OAKLEY_KEY_LENGTH attribute not preceded by "
1131 "OAKLEY_ENCRYPTION_ALGORITHM attribute";
1132 break;
1133 }
1134 if (ta.encrypter == NULL)
1135 {
1136 ugh = "NULL encrypter with seen OAKLEY_ENCRYPTION_ALGORITHM";
1137 break;
1138 }
1139 /*
1140 * check if this keylen is compatible with specified algorithm
1141 */
1142 if (val
1143 && (val < ta.encrypter->keyminlen || val > ta.encrypter->keymaxlen))
1144 {
1145 ugh = "peer proposed key length not valid for "
1146 "encryption algorithm specified";
1147 }
1148 ta.enckeylen = val;
1149 break;
1150 #if 0 /* not yet supported */
1151 case OAKLEY_GROUP_TYPE | ISAKMP_ATTR_AF_TV:
1152 case OAKLEY_PRF | ISAKMP_ATTR_AF_TV:
1153 case OAKLEY_FIELD_SIZE | ISAKMP_ATTR_AF_TV:
1154
1155 case OAKLEY_GROUP_PRIME | ISAKMP_ATTR_AF_TV:
1156 case OAKLEY_GROUP_PRIME | ISAKMP_ATTR_AF_TLV:
1157 case OAKLEY_GROUP_GENERATOR_ONE | ISAKMP_ATTR_AF_TV:
1158 case OAKLEY_GROUP_GENERATOR_ONE | ISAKMP_ATTR_AF_TLV:
1159 case OAKLEY_GROUP_GENERATOR_TWO | ISAKMP_ATTR_AF_TV:
1160 case OAKLEY_GROUP_GENERATOR_TWO | ISAKMP_ATTR_AF_TLV:
1161 case OAKLEY_GROUP_CURVE_A | ISAKMP_ATTR_AF_TV:
1162 case OAKLEY_GROUP_CURVE_A | ISAKMP_ATTR_AF_TLV:
1163 case OAKLEY_GROUP_CURVE_B | ISAKMP_ATTR_AF_TV:
1164 case OAKLEY_GROUP_CURVE_B | ISAKMP_ATTR_AF_TLV:
1165 case OAKLEY_GROUP_ORDER | ISAKMP_ATTR_AF_TV:
1166 case OAKLEY_GROUP_ORDER | ISAKMP_ATTR_AF_TLV:
1167 #endif
1168 default:
1169 /* fix compiler warning */
1170 memset(&ta, 0, sizeof(ta));
1171 ugh = "unsupported OAKLEY attribute";
1172 break;
1173 }
1174
1175 if (ugh != NULL)
1176 {
1177 loglog(RC_LOG_SERIOUS, "%s. Attribute %s"
1178 , ugh, enum_show(&oakley_attr_names, a.isaat_af_type));
1179 break;
1180 }
1181 }
1182
1183 /*
1184 * ML: at last check for allowed transforms in alg_info_ike
1185 * (ALG_INFO_F_STRICT flag)
1186 */
1187 if (ugh == NULL)
1188 {
1189 if (!ike_alg_ok_final(ta.encrypt, ta.enckeylen, ta.hash,
1190 ta.group ? ta.group->group : -1, c->alg_info_ike))
1191 {
1192 ugh = "OAKLEY proposal refused";
1193 }
1194 }
1195
1196 if (ugh == NULL)
1197 {
1198 /* a little more checking is in order */
1199 {
1200 lset_t missing
1201 = ~seen_attrs
1202 & (LELEM(OAKLEY_ENCRYPTION_ALGORITHM)
1203 | LELEM(OAKLEY_HASH_ALGORITHM)
1204 | LELEM(OAKLEY_AUTHENTICATION_METHOD)
1205 | LELEM(OAKLEY_GROUP_DESCRIPTION));
1206
1207 if (missing)
1208 {
1209 loglog(RC_LOG_SERIOUS, "missing mandatory attribute(s) %s in Oakley Transform %u"
1210 , bitnamesof(oakley_attr_bit_names, missing)
1211 , trans.isat_transnum);
1212 return BAD_PROPOSAL_SYNTAX;
1213 }
1214 }
1215 /* We must have liked this transform.
1216 * Lets finish early and leave.
1217 */
1218
1219 DBG(DBG_PARSING | DBG_CRYPT
1220 , DBG_log("Oakley Transform %u accepted", trans.isat_transnum));
1221
1222 if (r_sa_pbs != NULL)
1223 {
1224 struct isakmp_proposal r_proposal = *proposal;
1225 pb_stream r_proposal_pbs;
1226 struct isakmp_transform r_trans = trans;
1227 pb_stream r_trans_pbs;
1228
1229 /* Situation */
1230 if (!out_struct(&ipsecdoisit, &ipsec_sit_desc, r_sa_pbs, NULL))
1231 impossible();
1232
1233 /* Proposal */
1234 #ifdef EMIT_ISAKMP_SPI
1235 r_proposal.isap_spisize = COOKIE_SIZE;
1236 #else
1237 r_proposal.isap_spisize = 0;
1238 #endif
1239 r_proposal.isap_notrans = 1;
1240 if (!out_struct(&r_proposal, &isakmp_proposal_desc, r_sa_pbs, &r_proposal_pbs))
1241 impossible();
1242
1243 /* SPI */
1244 #ifdef EMIT_ISAKMP_SPI
1245 if (!out_raw(my_cookie, COOKIE_SIZE, &r_proposal_pbs, "SPI"))
1246 impossible();
1247 r_proposal.isap_spisize = COOKIE_SIZE;
1248 #else
1249 /* none (0) */
1250 #endif
1251
1252 /* Transform */
1253 r_trans.isat_np = ISAKMP_NEXT_NONE;
1254 if (!out_struct(&r_trans, &isakmp_isakmp_transform_desc, &r_proposal_pbs, &r_trans_pbs))
1255 impossible();
1256
1257 if (!out_raw(attr_start, attr_len, &r_trans_pbs, "attributes"))
1258 impossible();
1259 close_output_pbs(&r_trans_pbs);
1260 close_output_pbs(&r_proposal_pbs);
1261 close_output_pbs(r_sa_pbs);
1262 }
1263
1264 /* copy over the results */
1265 st->st_oakley = ta;
1266 return NOTHING_WRONG;
1267 }
1268
1269 /* on to next transform */
1270 no_trans_left--;
1271
1272 if (trans.isat_np == ISAKMP_NEXT_NONE)
1273 {
1274 if (no_trans_left != 0)
1275 {
1276 loglog(RC_LOG_SERIOUS, "number of Transform Payloads disagrees with Oakley Proposal Payload");
1277 return BAD_PROPOSAL_SYNTAX;
1278 }
1279 break;
1280 }
1281 if (trans.isat_np != ISAKMP_NEXT_T)
1282 {
1283 loglog(RC_LOG_SERIOUS, "unexpected %s payload in Oakley Proposal"
1284 , enum_show(&payload_names, proposal->isap_np));
1285 return BAD_PROPOSAL_SYNTAX;
1286 }
1287 }
1288 loglog(RC_LOG_SERIOUS, "no acceptable Oakley Transform");
1289 return NO_PROPOSAL_CHOSEN;
1290 }
1291
1292 /* Parse the body of an IPsec SA Payload (i.e. Phase 2 / Quick Mode).
1293 *
1294 * The main routine is parse_ipsec_sa_body; other functions defined
1295 * between here and there are just helpers.
1296 *
1297 * Various shortcuts are taken. In particular, the policy, such as
1298 * it is, is hardwired.
1299 *
1300 * If r_sa is non-NULL, the body of an SA representing the selected
1301 * proposal is emitted into it.
1302 *
1303 * If "selection" is true, the SA is supposed to represent the
1304 * single tranform that the peer has accepted.
1305 * ??? We only check that it is acceptable, not that it is one that we offered!
1306 *
1307 * Only IPsec DOI is accepted (what is the ISAKMP DOI?).
1308 * Error response is rudimentary.
1309 *
1310 * Since all ISAKMP groups in all SA Payloads must match, st->st_pfs_group
1311 * holds this across multiple payloads.
1312 * &unset_group signifies not yet "set"; NULL signifies NONE.
1313 *
1314 * This routine is used by quick_inI1_outR1() and quick_inR1_outI2().
1315 */
1316
1317 static const struct ipsec_trans_attrs null_ipsec_trans_attrs = {
1318 0, /* transid (NULL, for now) */
1319 0, /* spi */
1320 SA_LIFE_DURATION_DEFAULT, /* life_seconds */
1321 SA_LIFE_DURATION_K_DEFAULT, /* life_kilobytes */
1322 ENCAPSULATION_MODE_UNSPECIFIED, /* encapsulation */
1323 AUTH_ALGORITHM_NONE, /* auth */
1324 0, /* key_len */
1325 0, /* key_rounds */
1326 };
1327
1328 static bool
1329 parse_ipsec_transform(struct isakmp_transform *trans
1330 , struct ipsec_trans_attrs *attrs
1331 , pb_stream *prop_pbs
1332 , pb_stream *trans_pbs
1333 , struct_desc *trans_desc
1334 , int previous_transnum /* or -1 if none */
1335 , bool selection
1336 , bool is_last
1337 , bool is_ipcomp
1338 , struct state *st) /* current state object */
1339 {
1340 lset_t seen_attrs = 0;
1341 lset_t seen_durations = 0;
1342 u_int16_t life_type = 0;
1343 const struct oakley_group_desc *pfs_group = NULL;
1344
1345 if (!in_struct(trans, trans_desc, prop_pbs, trans_pbs))
1346 return FALSE;
1347
1348 if (trans->isat_transnum <= previous_transnum)
1349 {
1350 loglog(RC_LOG_SERIOUS, "Transform Numbers in Proposal are not monotonically increasing");
1351 return FALSE;
1352 }
1353
1354 switch (trans->isat_np)
1355 {
1356 case ISAKMP_NEXT_T:
1357 if (is_last)
1358 {
1359 loglog(RC_LOG_SERIOUS, "Proposal Payload has more Transforms than specified");
1360 return FALSE;
1361 }
1362 break;
1363 case ISAKMP_NEXT_NONE:
1364 if (!is_last)
1365 {
1366 loglog(RC_LOG_SERIOUS, "Proposal Payload has fewer Transforms than specified");
1367 return FALSE;
1368 }
1369 break;
1370 default:
1371 loglog(RC_LOG_SERIOUS, "expecting Transform Payload, but found %s in Proposal"
1372 , enum_show(&payload_names, trans->isat_np));
1373 return FALSE;
1374 }
1375
1376 *attrs = null_ipsec_trans_attrs;
1377 attrs->transid = trans->isat_transid;
1378
1379 while (pbs_left(trans_pbs) != 0)
1380 {
1381 struct isakmp_attribute a;
1382 pb_stream attr_pbs;
1383 enum_names *vdesc;
1384 u_int32_t val; /* room for larger value */
1385 bool ipcomp_inappropriate = is_ipcomp; /* will get reset if OK */
1386
1387 if (!in_struct(&a, &isakmp_ipsec_attribute_desc, trans_pbs, &attr_pbs))
1388 return FALSE;
1389
1390 passert((a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK) < 32);
1391
1392 if (LHAS(seen_attrs, a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK))
1393 {
1394 loglog(RC_LOG_SERIOUS, "repeated %s attribute in IPsec Transform %u"
1395 , enum_show(&ipsec_attr_names, a.isaat_af_type)
1396 , trans->isat_transnum);
1397 return FALSE;
1398 }
1399
1400 seen_attrs |= LELEM(a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK);
1401
1402 val = a.isaat_lv;
1403
1404 vdesc = ipsec_attr_val_descs[a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK];
1405 if (vdesc != NULL)
1406 {
1407 if (enum_name(vdesc, val) == NULL)
1408 {
1409 loglog(RC_LOG_SERIOUS, "invalid value %u for attribute %s in IPsec Transform"
1410 , (unsigned)val, enum_show(&ipsec_attr_names, a.isaat_af_type));
1411 return FALSE;
1412 }
1413 DBG(DBG_PARSING
1414 , if ((a.isaat_af_type & ISAKMP_ATTR_AF_MASK) == ISAKMP_ATTR_AF_TV)
1415 DBG_log(" [%u is %s]"
1416 , (unsigned)val, enum_show(vdesc, val)));
1417 }
1418
1419 switch (a.isaat_af_type)
1420 {
1421 case SA_LIFE_TYPE | ISAKMP_ATTR_AF_TV:
1422 ipcomp_inappropriate = FALSE;
1423 if (LHAS(seen_durations, val))
1424 {
1425 loglog(RC_LOG_SERIOUS, "attribute SA_LIFE_TYPE value %s repeated in message"
1426 , enum_show(&sa_lifetime_names, val));
1427 return FALSE;
1428 }
1429 seen_durations |= LELEM(val);
1430 life_type = val;
1431 break;
1432 case SA_LIFE_DURATION | ISAKMP_ATTR_AF_TLV:
1433 val = decode_long_duration(&attr_pbs);
1434 /* fall through */
1435 case SA_LIFE_DURATION | ISAKMP_ATTR_AF_TV:
1436 ipcomp_inappropriate = FALSE;
1437 if (!LHAS(seen_attrs, SA_LIFE_DURATION))
1438 {
1439 loglog(RC_LOG_SERIOUS, "SA_LIFE_DURATION IPsec attribute not preceded by SA_LIFE_TYPE attribute");
1440 return FALSE;
1441 }
1442 seen_attrs &= ~(LELEM(SA_LIFE_DURATION) | LELEM(SA_LIFE_TYPE));
1443
1444 switch (life_type)
1445 {
1446 case SA_LIFE_TYPE_SECONDS:
1447 /* silently limit duration to our maximum */
1448 attrs->life_seconds = val <= SA_LIFE_DURATION_MAXIMUM
1449 ? val : SA_LIFE_DURATION_MAXIMUM;
1450 break;
1451 case SA_LIFE_TYPE_KBYTES:
1452 attrs->life_kilobytes = val;
1453 break;
1454 default:
1455 bad_case(life_type);
1456 }
1457 break;
1458 case GROUP_DESCRIPTION | ISAKMP_ATTR_AF_TV:
1459 if (is_ipcomp)
1460 {
1461 /* Accept reluctantly. Should not happen, according to
1462 * draft-shacham-ippcp-rfc2393bis-05.txt 4.1.
1463 */
1464 ipcomp_inappropriate = FALSE;
1465 loglog(RC_COMMENT
1466 , "IPCA (IPcomp SA) contains GROUP_DESCRIPTION."
1467 " Ignoring inapproprate attribute.");
1468 }
1469 pfs_group = lookup_group(val);
1470 if (pfs_group == NULL)
1471 {
1472 loglog(RC_LOG_SERIOUS, "only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported for PFS");
1473 return FALSE;
1474 }
1475 break;
1476 case ENCAPSULATION_MODE | ISAKMP_ATTR_AF_TV:
1477 ipcomp_inappropriate = FALSE;
1478 switch (val)
1479 {
1480 case ENCAPSULATION_MODE_TUNNEL:
1481 case ENCAPSULATION_MODE_TRANSPORT:
1482 if (st->nat_traversal & NAT_T_DETECTED)
1483 {
1484 loglog(RC_LOG_SERIOUS
1485 , "%s must only be used if NAT-Traversal is not detected"
1486 , enum_name(&enc_mode_names, val));
1487 /*
1488 * Accept it anyway because SSH-Sentinel does not
1489 * use UDP_TUNNEL or UDP_TRANSPORT for the diagnostic.
1490 *
1491 * remove when SSH-Sentinel is fixed
1492 */
1493 #ifdef I_DONT_CARE_OF_SSH_SENTINEL
1494 return FALSE;
1495 #endif
1496 }
1497 attrs->encapsulation = val;
1498 break;
1499 case ENCAPSULATION_MODE_UDP_TRANSPORT_DRAFTS:
1500 #ifndef I_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT
1501 loglog(RC_LOG_SERIOUS
1502 , "NAT-Traversal: Transport mode disabled due to security concerns");
1503 return FALSE;
1504 #endif
1505 case ENCAPSULATION_MODE_UDP_TUNNEL_DRAFTS:
1506 if (st->nat_traversal & NAT_T_WITH_RFC_VALUES)
1507 {
1508 loglog(RC_LOG_SERIOUS
1509 , "%s must only be used with old IETF drafts"
1510 , enum_name(&enc_mode_names, val));
1511 return FALSE;
1512 }
1513 else if (st->nat_traversal & NAT_T_DETECTED)
1514 {
1515 attrs->encapsulation = val
1516 - ENCAPSULATION_MODE_UDP_TUNNEL_DRAFTS
1517 + ENCAPSULATION_MODE_TUNNEL;
1518 }
1519 else
1520 {
1521 loglog(RC_LOG_SERIOUS
1522 , "%s must only be used if NAT-Traversal is detected"
1523 , enum_name(&enc_mode_names, val));
1524 return FALSE;
1525 }
1526 break;
1527 case ENCAPSULATION_MODE_UDP_TRANSPORT_RFC:
1528 #ifndef I_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT
1529 loglog(RC_LOG_SERIOUS
1530 , "NAT-Traversal: Transport mode disabled due "
1531 "to security concerns");
1532 return FALSE;
1533 #endif
1534 case ENCAPSULATION_MODE_UDP_TUNNEL_RFC:
1535 if ((st->nat_traversal & NAT_T_DETECTED)
1536 && (st->nat_traversal & NAT_T_WITH_RFC_VALUES))
1537 {
1538 attrs->encapsulation = val
1539 - ENCAPSULATION_MODE_UDP_TUNNEL_RFC
1540 + ENCAPSULATION_MODE_TUNNEL;
1541 }
1542 else if (st->nat_traversal & NAT_T_DETECTED)
1543 {
1544 loglog(RC_LOG_SERIOUS
1545 , "%s must only be used with NAT-T RFC"
1546 , enum_name(&enc_mode_names, val));
1547 return FALSE;
1548 }
1549 else
1550 {
1551 loglog(RC_LOG_SERIOUS
1552 , "%s must only be used if NAT-Traversal is detected"
1553 , enum_name(&enc_mode_names, val));
1554 return FALSE;
1555 }
1556 break;
1557 default:
1558 loglog(RC_LOG_SERIOUS
1559 , "unknown ENCAPSULATION_MODE %d in IPSec SA", val);
1560 return FALSE;
1561 }
1562 break;
1563 case AUTH_ALGORITHM | ISAKMP_ATTR_AF_TV:
1564 attrs->auth = val;
1565 break;
1566 case KEY_LENGTH | ISAKMP_ATTR_AF_TV:
1567 attrs->key_len = val;
1568 break;
1569 case KEY_ROUNDS | ISAKMP_ATTR_AF_TV:
1570 attrs->key_rounds = val;
1571 break;
1572 #if 0 /* not yet implemented */
1573 case COMPRESS_DICT_SIZE | ISAKMP_ATTR_AF_TV:
1574 break;
1575 case COMPRESS_PRIVATE_ALG | ISAKMP_ATTR_AF_TV:
1576 break;
1577
1578 case SA_LIFE_DURATION | ISAKMP_ATTR_AF_TLV:
1579 break;
1580 case COMPRESS_PRIVATE_ALG | ISAKMP_ATTR_AF_TLV:
1581 break;
1582 #endif
1583 default:
1584 loglog(RC_LOG_SERIOUS, "unsupported IPsec attribute %s"
1585 , enum_show(&ipsec_attr_names, a.isaat_af_type));
1586 return FALSE;
1587 }
1588 if (ipcomp_inappropriate)
1589 {
1590 loglog(RC_LOG_SERIOUS, "IPsec attribute %s inappropriate for IPCOMP"
1591 , enum_show(&ipsec_attr_names, a.isaat_af_type));
1592 return FALSE;
1593 }
1594 }
1595
1596 /* Although an IPCOMP SA (IPCA) ought not to have a pfs_group,
1597 * if it does, demand that it be consistent.
1598 * See draft-shacham-ippcp-rfc2393bis-05.txt 4.1.
1599 */
1600 if (!is_ipcomp || pfs_group != NULL)
1601 {
1602 if (st->st_pfs_group == &unset_group)
1603 st->st_pfs_group = pfs_group;
1604
1605 if (st->st_pfs_group != pfs_group)
1606 {
1607 loglog(RC_LOG_SERIOUS, "GROUP_DESCRIPTION inconsistent with that of %s in IPsec SA"
1608 , selection? "the Proposal" : "a previous Transform");
1609 return FALSE;
1610 }
1611 }
1612
1613 if (LHAS(seen_attrs, SA_LIFE_DURATION))
1614 {
1615 loglog(RC_LOG_SERIOUS, "SA_LIFE_TYPE IPsec attribute not followed by SA_LIFE_DURATION attribute in message");
1616 return FALSE;
1617 }
1618
1619 if (!LHAS(seen_attrs, ENCAPSULATION_MODE))
1620 {
1621 if (is_ipcomp)
1622 {
1623 /* draft-shacham-ippcp-rfc2393bis-05.txt 4.1:
1624 * "If the Encapsulation Mode is unspecified,
1625 * the default value of Transport Mode is assumed."
1626 * This contradicts/overrides the DOI (quuoted below).
1627 */
1628 attrs->encapsulation = ENCAPSULATION_MODE_TRANSPORT;
1629 }
1630 else
1631 {
1632 /* ??? Technically, RFC 2407 (IPSEC DOI) 4.5 specifies that
1633 * the default is "unspecified (host-dependent)".
1634 * This makes little sense, so we demand that it be specified.
1635 */
1636 loglog(RC_LOG_SERIOUS, "IPsec Transform must specify ENCAPSULATION_MODE");
1637 return FALSE;
1638 }
1639 }
1640
1641 /* ??? should check for key_len and/or key_rounds if required */
1642
1643 return TRUE;
1644 }
1645
1646 static void
1647 echo_proposal(
1648 struct isakmp_proposal r_proposal, /* proposal to emit */
1649 struct isakmp_transform r_trans, /* winning transformation within it */
1650 u_int8_t np, /* Next Payload for proposal */
1651 pb_stream *r_sa_pbs, /* SA PBS into which to emit */
1652 struct ipsec_proto_info *pi, /* info about this protocol instance */
1653 struct_desc *trans_desc, /* descriptor for this transformation */
1654 pb_stream *trans_pbs, /* PBS for incoming transform */
1655 struct spd_route *sr, /* host details for the association */
1656 bool tunnel_mode) /* true for inner most tunnel SA */
1657 {
1658 pb_stream r_proposal_pbs;
1659 pb_stream r_trans_pbs;
1660
1661 /* Proposal */
1662 r_proposal.isap_np = np;
1663 r_proposal.isap_notrans = 1;
1664 if (!out_struct(&r_proposal, &isakmp_proposal_desc, r_sa_pbs, &r_proposal_pbs))
1665 impossible();
1666
1667 /* allocate and emit our CPI/SPI */
1668 if (r_proposal.isap_protoid == PROTO_IPCOMP)
1669 {
1670 /* CPI is stored in network low order end of an
1671 * ipsec_spi_t. So we start a couple of bytes in.
1672 * Note: we may fail to generate a satisfactory CPI,
1673 * but we'll ignore that.
1674 */
1675 pi->our_spi = get_my_cpi(sr, tunnel_mode);
1676 out_raw((u_char *) &pi->our_spi
1677 + IPSEC_DOI_SPI_SIZE - IPCOMP_CPI_SIZE
1678 , IPCOMP_CPI_SIZE
1679 , &r_proposal_pbs, "CPI");
1680 }
1681 else
1682 {
1683 pi->our_spi = get_ipsec_spi(pi->attrs.spi
1684 , r_proposal.isap_protoid == PROTO_IPSEC_AH ?
1685 IPPROTO_AH : IPPROTO_ESP
1686 , sr
1687 , tunnel_mode);
1688 /* XXX should check for errors */
1689 out_raw((u_char *) &pi->our_spi, IPSEC_DOI_SPI_SIZE
1690 , &r_proposal_pbs, "SPI");
1691 }
1692
1693 /* Transform */
1694 r_trans.isat_np = ISAKMP_NEXT_NONE;
1695 if (!out_struct(&r_trans, trans_desc, &r_proposal_pbs, &r_trans_pbs))
1696 impossible();
1697
1698 /* Transform Attributes: pure echo */
1699 trans_pbs->cur = trans_pbs->start + sizeof(struct isakmp_transform);
1700 if (!out_raw(trans_pbs->cur, pbs_left(trans_pbs)
1701 , &r_trans_pbs, "attributes"))
1702 impossible();
1703
1704 close_output_pbs(&r_trans_pbs);
1705 close_output_pbs(&r_proposal_pbs);
1706 }
1707
1708 notification_t
1709 parse_ipsec_sa_body(
1710 pb_stream *sa_pbs, /* body of input SA Payload */
1711 const struct isakmp_sa *sa, /* header of input SA Payload */
1712 pb_stream *r_sa_pbs, /* if non-NULL, where to emit body of winning SA */
1713 bool selection, /* if this SA is a selection, only one transform may appear */
1714 struct state *st) /* current state object */
1715 {
1716 const struct connection *c = st->st_connection;
1717 u_int32_t ipsecdoisit;
1718 pb_stream next_proposal_pbs;
1719
1720 struct isakmp_proposal next_proposal;
1721 ipsec_spi_t next_spi;
1722
1723 bool next_full = TRUE;
1724
1725 /* DOI */
1726 if (sa->isasa_doi != ISAKMP_DOI_IPSEC)
1727 {
1728 loglog(RC_LOG_SERIOUS, "Unknown or unsupported DOI %s", enum_show(&doi_names, sa->isasa_doi));
1729 /* XXX Could send notification back */
1730 return DOI_NOT_SUPPORTED;
1731 }
1732
1733 /* Situation */
1734 if (!in_struct(&ipsecdoisit, &ipsec_sit_desc, sa_pbs, NULL))
1735 return SITUATION_NOT_SUPPORTED;
1736
1737 if (ipsecdoisit != SIT_IDENTITY_ONLY)
1738 {
1739 loglog(RC_LOG_SERIOUS, "unsupported IPsec DOI situation (%s)"
1740 , bitnamesof(sit_bit_names, ipsecdoisit));
1741 /* XXX Could send notification back */
1742 return SITUATION_NOT_SUPPORTED;
1743 }
1744
1745 /* The rules for IPsec SAs are scattered.
1746 * RFC 2408 "ISAKMP" section 4.2 gives some info.
1747 * There may be multiple proposals. Those with identical proposal
1748 * numbers must be considered as conjuncts. Those with different
1749 * numbers are disjuncts.
1750 * Each proposal may have several transforms, each considered
1751 * an alternative.
1752 * Each transform may have several attributes, all applying.
1753 *
1754 * To handle the way proposals are combined, we need to do a
1755 * look-ahead.
1756 */
1757
1758 if (!in_struct(&next_proposal, &isakmp_proposal_desc, sa_pbs, &next_proposal_pbs))
1759 return BAD_PROPOSAL_SYNTAX;
1760
1761 /* for each conjunction of proposals... */
1762 while (next_full)
1763 {
1764 int propno = next_proposal.isap_proposal;
1765 pb_stream ah_prop_pbs, esp_prop_pbs, ipcomp_prop_pbs;
1766 struct isakmp_proposal ah_proposal = {0, 0, 0, 0, 0, 0, 0};
1767 struct isakmp_proposal esp_proposal = {0, 0, 0, 0, 0, 0, 0};
1768 struct isakmp_proposal ipcomp_proposal = {0, 0, 0, 0, 0, 0, 0};
1769 ipsec_spi_t ah_spi = 0;
1770 ipsec_spi_t esp_spi = 0;
1771 ipsec_spi_t ipcomp_cpi = 0;
1772 bool ah_seen = FALSE;
1773 bool esp_seen = FALSE;
1774 bool ipcomp_seen = FALSE;
1775 bool tunnel_mode = FALSE;
1776 int inner_proto = 0;
1777 u_int16_t well_known_cpi = 0;
1778
1779 pb_stream ah_trans_pbs, esp_trans_pbs, ipcomp_trans_pbs;
1780 struct isakmp_transform ah_trans, esp_trans, ipcomp_trans;
1781 struct ipsec_trans_attrs ah_attrs, esp_attrs, ipcomp_attrs;
1782
1783 /* for each proposal in the conjunction */
1784 do {
1785
1786 if (next_proposal.isap_protoid == PROTO_IPCOMP)
1787 {
1788 /* IPCOMP CPI */
1789 if (next_proposal.isap_spisize == IPSEC_DOI_SPI_SIZE)
1790 {
1791 /* This code is to accommodate those peculiar
1792 * implementations that send a CPI in the bottom of an
1793 * SPI-sized field.
1794 * See draft-shacham-ippcp-rfc2393bis-05.txt 4.1
1795 */
1796 u_int8_t filler[IPSEC_DOI_SPI_SIZE - IPCOMP_CPI_SIZE];
1797
1798 if (!in_raw(filler, sizeof(filler)
1799 , &next_proposal_pbs, "CPI filler")
1800 || !all_zero(filler, sizeof(filler)))
1801 return INVALID_SPI;
1802 }
1803 else if (next_proposal.isap_spisize != IPCOMP_CPI_SIZE)
1804 {
1805 loglog(RC_LOG_SERIOUS, "IPsec Proposal with improper CPI size (%u)"
1806 , next_proposal.isap_spisize);
1807 return INVALID_SPI;
1808 }
1809
1810 /* We store CPI in the low order of a network order
1811 * ipsec_spi_t. So we start a couple of bytes in.
1812 */
1813 zero(&next_spi);
1814 if (!in_raw((u_char *)&next_spi
1815 + IPSEC_DOI_SPI_SIZE - IPCOMP_CPI_SIZE
1816 , IPCOMP_CPI_SIZE, &next_proposal_pbs, "CPI"))
1817 return INVALID_SPI;
1818
1819 /* If sanity ruled, CPIs would have to be such that
1820 * the SAID (the triple (CPI, IPCOM, destination IP))
1821 * would be unique, just like for SPIs. But there is a
1822 * perversion where CPIs can be well-known and consequently
1823 * the triple is not unique. We hide this fact from
1824 * ourselves by fudging the top 16 bits to make
1825 * the property true internally!
1826 */
1827 switch (ntohl(next_spi))
1828 {
1829 case IPCOMP_DEFLATE:
1830 well_known_cpi = ntohl(next_spi);
1831 next_spi = uniquify_his_cpi(next_spi, st);
1832 if (next_spi == 0)
1833 {
1834 loglog(RC_LOG_SERIOUS
1835 , "IPsec Proposal contains well-known CPI that I cannot uniquify");
1836 return INVALID_SPI;
1837 }
1838 break;
1839 default:
1840 if (ntohl(next_spi) < IPCOMP_FIRST_NEGOTIATED
1841 || ntohl(next_spi) > IPCOMP_LAST_NEGOTIATED)
1842 {
1843 loglog(RC_LOG_SERIOUS, "IPsec Proposal contains CPI from non-negotiated range (0x%lx)"
1844 , (unsigned long) ntohl(next_spi));
1845 return INVALID_SPI;
1846 }
1847 break;
1848 }
1849 }
1850 else
1851 {
1852 /* AH or ESP SPI */
1853 if (next_proposal.isap_spisize != IPSEC_DOI_SPI_SIZE)
1854 {
1855 loglog(RC_LOG_SERIOUS, "IPsec Proposal with improper SPI size (%u)"
1856 , next_proposal.isap_spisize);
1857 return INVALID_SPI;
1858 }
1859
1860 if (!in_raw((u_char *)&next_spi, sizeof(next_spi), &next_proposal_pbs, "SPI"))
1861 return INVALID_SPI;
1862
1863 /* SPI value 0 is invalid and values 1-255 are reserved to IANA.
1864 * RFC 2402 (ESP) 2.4, RFC 2406 (AH) 2.1
1865 * IPCOMP???
1866 */
1867 if (ntohl(next_spi) < IPSEC_DOI_SPI_MIN)
1868 {
1869 loglog(RC_LOG_SERIOUS, "IPsec Proposal contains invalid SPI (0x%lx)"
1870 , (unsigned long) ntohl(next_spi));
1871 return INVALID_SPI;
1872 }
1873 }
1874
1875 if (next_proposal.isap_notrans == 0)
1876 {
1877 loglog(RC_LOG_SERIOUS, "IPsec Proposal contains no Transforms");
1878 return BAD_PROPOSAL_SYNTAX;
1879 }
1880
1881 switch (next_proposal.isap_protoid)
1882 {
1883 case PROTO_IPSEC_AH:
1884 if (ah_seen)
1885 {
1886 loglog(RC_LOG_SERIOUS, "IPsec SA contains two simultaneous AH Proposals");
1887 return BAD_PROPOSAL_SYNTAX;
1888 }
1889 ah_seen = TRUE;
1890 ah_prop_pbs = next_proposal_pbs;
1891 ah_proposal = next_proposal;
1892 ah_spi = next_spi;
1893 break;
1894
1895 case PROTO_IPSEC_ESP:
1896 if (esp_seen)
1897 {
1898 loglog(RC_LOG_SERIOUS, "IPsec SA contains two simultaneous ESP Proposals");
1899 return BAD_PROPOSAL_SYNTAX;
1900 }
1901 esp_seen = TRUE;
1902 esp_prop_pbs = next_proposal_pbs;
1903 esp_proposal = next_proposal;
1904 esp_spi = next_spi;
1905 break;
1906
1907 case PROTO_IPCOMP:
1908 if (ipcomp_seen)
1909 {
1910 loglog(RC_LOG_SERIOUS, "IPsec SA contains two simultaneous IPCOMP Proposals");
1911 return BAD_PROPOSAL_SYNTAX;
1912 }
1913 ipcomp_seen = TRUE;
1914 ipcomp_prop_pbs = next_proposal_pbs;
1915 ipcomp_proposal = next_proposal;
1916 ipcomp_cpi = next_spi;
1917 break;
1918
1919 default:
1920 loglog(RC_LOG_SERIOUS, "unexpected Protocol ID (%s) in IPsec Proposal"
1921 , enum_show(&protocol_names, next_proposal.isap_protoid));
1922 return INVALID_PROTOCOL_ID;
1923 }
1924
1925 /* refill next_proposal */
1926 if (next_proposal.isap_np == ISAKMP_NEXT_NONE)
1927 {
1928 next_full = FALSE;
1929 break;
1930 }
1931 else if (next_proposal.isap_np != ISAKMP_NEXT_P)
1932 {
1933 loglog(RC_LOG_SERIOUS, "unexpected in Proposal: %s"
1934 , enum_show(&payload_names, next_proposal.isap_np));
1935 return BAD_PROPOSAL_SYNTAX;
1936 }
1937
1938 if (!in_struct(&next_proposal, &isakmp_proposal_desc, sa_pbs, &next_proposal_pbs))
1939 return BAD_PROPOSAL_SYNTAX;
1940 } while (next_proposal.isap_proposal == propno);
1941
1942 /* Now that we have all conjuncts, we should try
1943 * the Cartesian product of eachs tranforms!
1944 * At the moment, we take short-cuts on account of
1945 * our rudimentary hard-wired policy.
1946 * For now, we find an acceptable AH (if any)
1947 * and then an acceptable ESP. The only interaction
1948 * is that the ESP acceptance can know whether there
1949 * was an acceptable AH and hence not require an AUTH.
1950 */
1951
1952 if (ah_seen)
1953 {
1954 int previous_transnum = -1;
1955 int tn;
1956
1957 for (tn = 0; tn != ah_proposal.isap_notrans; tn++)
1958 {
1959 int ok_transid = 0;
1960 bool ok_auth = FALSE;
1961
1962 if (!parse_ipsec_transform(&ah_trans
1963 , &ah_attrs
1964 , &ah_prop_pbs
1965 , &ah_trans_pbs
1966 , &isakmp_ah_transform_desc
1967 , previous_transnum
1968 , selection
1969 , tn == ah_proposal.isap_notrans - 1
1970 , FALSE
1971 , st))
1972 return BAD_PROPOSAL_SYNTAX;
1973
1974 previous_transnum = ah_trans.isat_transnum;
1975
1976 /* we must understand ah_attrs.transid
1977 * COMBINED with ah_attrs.auth.
1978 * See RFC 2407 "IPsec DOI" section 4.4.3
1979 * The following combinations are legal,
1980 * but we don't implement all of them:
1981 * It seems as if each auth algorithm
1982 * only applies to one ah transid.
1983 * AH_MD5, AUTH_ALGORITHM_HMAC_MD5
1984 * AH_MD5, AUTH_ALGORITHM_KPDK (unimplemented)
1985 * AH_SHA, AUTH_ALGORITHM_HMAC_SHA1
1986 * AH_DES, AUTH_ALGORITHM_DES_MAC (unimplemented)
1987 */
1988 switch (ah_attrs.auth)
1989 {
1990 case AUTH_ALGORITHM_NONE:
1991 loglog(RC_LOG_SERIOUS, "AUTH_ALGORITHM attribute missing in AH Transform");
1992 return BAD_PROPOSAL_SYNTAX;
1993
1994 case AUTH_ALGORITHM_HMAC_MD5:
1995 ok_auth = TRUE;
1996 /* fall through */
1997 case AUTH_ALGORITHM_KPDK:
1998 ok_transid = AH_MD5;
1999 break;
2000
2001 case AUTH_ALGORITHM_HMAC_SHA1:
2002 ok_auth = TRUE;
2003 ok_transid = AH_SHA;
2004 break;
2005
2006 case AUTH_ALGORITHM_DES_MAC:
2007 ok_transid = AH_DES;
2008 break;
2009 }
2010 if (ah_attrs.transid != ok_transid)
2011 {
2012 loglog(RC_LOG_SERIOUS, "%s attribute inappropriate in %s Transform"
2013 , enum_name(&auth_alg_names, ah_attrs.auth)
2014 , enum_show(&ah_transformid_names, ah_attrs.transid));
2015 return BAD_PROPOSAL_SYNTAX;
2016 }
2017 if (!ok_auth)
2018 {
2019 DBG(DBG_CONTROL | DBG_CRYPT
2020 , DBG_log("%s attribute unsupported"
2021 " in %s Transform from %s"
2022 , enum_name(&auth_alg_names, ah_attrs.auth)
2023 , enum_show(&ah_transformid_names, ah_attrs.transid)
2024 , ip_str(&c->spd.that.host_addr)));
2025 continue; /* try another */
2026 }
2027 break; /* we seem to be happy */
2028 }
2029 if (tn == ah_proposal.isap_notrans)
2030 continue; /* we didn't find a nice one */
2031 ah_attrs.spi = ah_spi;
2032 inner_proto = IPPROTO_AH;
2033 if (ah_attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL)
2034 tunnel_mode = TRUE;
2035 }
2036
2037 if (esp_seen)
2038 {
2039 int previous_transnum = -1;
2040 int tn;
2041
2042 for (tn = 0; tn != esp_proposal.isap_notrans; tn++)
2043 {
2044 if (!parse_ipsec_transform(&esp_trans
2045 , &esp_attrs
2046 , &esp_prop_pbs
2047 , &esp_trans_pbs
2048 , &isakmp_esp_transform_desc
2049 , previous_transnum
2050 , selection
2051 , tn == esp_proposal.isap_notrans - 1
2052 , FALSE
2053 , st))
2054 return BAD_PROPOSAL_SYNTAX;
2055
2056 previous_transnum = esp_trans.isat_transnum;
2057
2058 /* set default key length for AES encryption */
2059 if (!esp_attrs.key_len && esp_attrs.transid == ESP_AES)
2060 {
2061 esp_attrs.key_len = 128 / BITS_PER_BYTE;
2062 }
2063
2064 if (!kernel_alg_esp_enc_ok(esp_attrs.transid, esp_attrs.key_len
2065 ,c->alg_info_esp))
2066 {
2067 switch (esp_attrs.transid)
2068 {
2069 case ESP_3DES:
2070 break;
2071 #ifdef SUPPORT_ESP_NULL /* should be about as secure as AH-only */
2072 case ESP_NULL:
2073 if (esp_attrs.auth == AUTH_ALGORITHM_NONE)
2074 {
2075 loglog(RC_LOG_SERIOUS, "ESP_NULL requires auth algorithm");
2076 return BAD_PROPOSAL_SYNTAX;
2077 }
2078 if (st->st_policy & POLICY_ENCRYPT)
2079 {
2080 DBG(DBG_CONTROL | DBG_CRYPT
2081 , DBG_log("ESP_NULL Transform Proposal from %s"
2082 " does not satisfy POLICY_ENCRYPT"
2083 , ip_str(&c->spd.that.host_addr)));
2084 continue; /* try another */
2085 }
2086 break;
2087 #endif
2088 default:
2089 DBG(DBG_CONTROL | DBG_CRYPT
2090 , DBG_log("unsupported ESP Transform %s from %s"
2091 , enum_show(&esp_transformid_names, esp_attrs.transid)
2092 , ip_str(&c->spd.that.host_addr)));
2093 continue; /* try another */
2094 }
2095 }
2096
2097 if (!kernel_alg_esp_auth_ok(esp_attrs.auth, c->alg_info_esp))
2098 {
2099 switch (esp_attrs.auth)
2100 {
2101 case AUTH_ALGORITHM_NONE:
2102 if (!ah_seen)
2103 {
2104 DBG(DBG_CONTROL | DBG_CRYPT
2105 , DBG_log("ESP from %s must either have AUTH or be combined with AH"
2106 , ip_str(&c->spd.that.host_addr)));
2107 continue; /* try another */
2108 }
2109 break;
2110 case AUTH_ALGORITHM_HMAC_MD5:
2111 case AUTH_ALGORITHM_HMAC_SHA1:
2112 break;
2113 default:
2114 DBG(DBG_CONTROL | DBG_CRYPT
2115 , DBG_log("unsupported ESP auth alg %s from %s"
2116 , enum_show(&auth_alg_names, esp_attrs.auth)
2117 , ip_str(&c->spd.that.host_addr)));
2118 continue; /* try another */
2119 }
2120 }
2121
2122 /* A last check for allowed transforms in alg_info_esp
2123 * (ALG_INFO_F_STRICT flag)
2124 */
2125 if (!kernel_alg_esp_ok_final(esp_attrs.transid, esp_attrs.key_len
2126 ,esp_attrs.auth, c->alg_info_esp))
2127 {
2128 continue;
2129 }
2130
2131 if (ah_seen && ah_attrs.encapsulation != esp_attrs.encapsulation)
2132 {
2133 /* ??? This should be an error, but is it? */
2134 DBG(DBG_CONTROL | DBG_CRYPT
2135 , DBG_log("AH and ESP transforms disagree about encapsulation; TUNNEL presumed"));
2136 }
2137
2138 break; /* we seem to be happy */
2139 }
2140 if (tn == esp_proposal.isap_notrans)
2141 continue; /* we didn't find a nice one */
2142
2143 esp_attrs.spi = esp_spi;
2144 inner_proto = IPPROTO_ESP;
2145 if (esp_attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL)
2146 tunnel_mode = TRUE;
2147 }
2148 else if (st->st_policy & POLICY_ENCRYPT)
2149 {
2150 DBG(DBG_CONTROL | DBG_CRYPT
2151 , DBG_log("policy for \"%s\" requires encryption but ESP not in Proposal from %s"
2152 , c->name, ip_str(&c->spd.that.host_addr)));
2153 continue; /* we needed encryption, but didn't find ESP */
2154 }
2155 else if ((st->st_policy & POLICY_AUTHENTICATE) && !ah_seen)
2156 {
2157 DBG(DBG_CONTROL | DBG_CRYPT
2158 , DBG_log("policy for \"%s\" requires authentication"
2159 " but none in Proposal from %s"
2160 , c->name, ip_str(&c->spd.that.host_addr)));
2161 continue; /* we need authentication, but we found neither ESP nor AH */
2162 }
2163
2164 if (ipcomp_seen)
2165 {
2166 int previous_transnum = -1;
2167 int tn;
2168
2169 #ifdef NEVER /* we think IPcomp is working now */
2170 /**** FUDGE TO PREVENT UNREQUESTED IPCOMP:
2171 **** NEEDED BECAUSE OUR IPCOMP IS EXPERIMENTAL (UNSTABLE).
2172 ****/
2173 if (!(st->st_policy & POLICY_COMPRESS))
2174 {
2175 plog("compression proposed by %s, but policy for \"%s\" forbids it"
2176 , ip_str(&c->spd.that.host_addr), c->name);
2177 continue; /* unwanted compression proposal */
2178 }
2179 #endif
2180 if (!can_do_IPcomp)
2181 {
2182 plog("compression proposed by %s, but KLIPS is not configured with IPCOMP"
2183 , ip_str(&c->spd.that.host_addr));
2184 continue;
2185 }
2186
2187 if (well_known_cpi != 0 && !ah_seen && !esp_seen)
2188 {
2189 plog("illegal proposal: bare IPCOMP used with well-known CPI");
2190 return BAD_PROPOSAL_SYNTAX;
2191 }
2192
2193 for (tn = 0; tn != ipcomp_proposal.isap_notrans; tn++)
2194 {
2195 if (!parse_ipsec_transform(&ipcomp_trans
2196 , &ipcomp_attrs
2197 , &ipcomp_prop_pbs
2198 , &ipcomp_trans_pbs
2199 , &isakmp_ipcomp_transform_desc
2200 , previous_transnum
2201 , selection
2202 , tn == ipcomp_proposal.isap_notrans - 1
2203 , TRUE
2204 , st))
2205 return BAD_PROPOSAL_SYNTAX;
2206
2207 previous_transnum = ipcomp_trans.isat_transnum;
2208
2209 if (well_known_cpi != 0 && ipcomp_attrs.transid != well_known_cpi)
2210 {
2211 plog("illegal proposal: IPCOMP well-known CPI disagrees with transform");
2212 return BAD_PROPOSAL_SYNTAX;
2213 }
2214
2215 switch (ipcomp_attrs.transid)
2216 {
2217 case IPCOMP_DEFLATE: /* all we can handle! */
2218 break;
2219
2220 default:
2221 DBG(DBG_CONTROL | DBG_CRYPT
2222 , DBG_log("unsupported IPCOMP Transform %s from %s"
2223 , enum_show(&ipcomp_transformid_names, ipcomp_attrs.transid)
2224 , ip_str(&c->spd.that.host_addr)));
2225 continue; /* try another */
2226 }
2227
2228 if (ah_seen && ah_attrs.encapsulation != ipcomp_attrs.encapsulation)
2229 {
2230 /* ??? This should be an error, but is it? */
2231 DBG(DBG_CONTROL | DBG_CRYPT
2232 , DBG_log("AH and IPCOMP transforms disagree about encapsulation; TUNNEL presumed"));
2233 } else if (esp_seen && esp_attrs.encapsulation != ipcomp_attrs.encapsulation)
2234 {
2235 /* ??? This should be an error, but is it? */
2236 DBG(DBG_CONTROL | DBG_CRYPT
2237 , DBG_log("ESP and IPCOMP transforms disagree about encapsulation; TUNNEL presumed"));
2238 }
2239
2240 break; /* we seem to be happy */
2241 }
2242 if (tn == ipcomp_proposal.isap_notrans)
2243 continue; /* we didn't find a nice one */
2244 ipcomp_attrs.spi = ipcomp_cpi;
2245 inner_proto = IPPROTO_COMP;
2246 if (ipcomp_attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL)
2247 tunnel_mode = TRUE;
2248 }
2249
2250 /* Eureka: we liked what we saw -- accept it. */
2251
2252 if (r_sa_pbs != NULL)
2253 {
2254 /* emit what we've accepted */
2255
2256 /* Situation */
2257 if (!out_struct(&ipsecdoisit, &ipsec_sit_desc, r_sa_pbs, NULL))
2258 impossible();
2259
2260 /* AH proposal */
2261 if (ah_seen)
2262 echo_proposal(ah_proposal
2263 , ah_trans
2264 , esp_seen || ipcomp_seen? ISAKMP_NEXT_P : ISAKMP_NEXT_NONE
2265 , r_sa_pbs
2266 , &st->st_ah
2267 , &isakmp_ah_transform_desc
2268 , &ah_trans_pbs
2269 , &st->st_connection->spd
2270 , tunnel_mode && inner_proto == IPPROTO_AH);
2271
2272 /* ESP proposal */
2273 if (esp_seen)
2274 echo_proposal(esp_proposal
2275 , esp_trans
2276 , ipcomp_seen? ISAKMP_NEXT_P : ISAKMP_NEXT_NONE
2277 , r_sa_pbs
2278 , &st->st_esp
2279 , &isakmp_esp_transform_desc
2280 , &esp_trans_pbs
2281 , &st->st_connection->spd
2282 , tunnel_mode && inner_proto == IPPROTO_ESP);
2283
2284 /* IPCOMP proposal */
2285 if (ipcomp_seen)
2286 echo_proposal(ipcomp_proposal
2287 , ipcomp_trans
2288 , ISAKMP_NEXT_NONE
2289 , r_sa_pbs
2290 , &st->st_ipcomp
2291 , &isakmp_ipcomp_transform_desc
2292 , &ipcomp_trans_pbs
2293 , &st->st_connection->spd
2294 , tunnel_mode && inner_proto == IPPROTO_COMP);
2295
2296 close_output_pbs(r_sa_pbs);
2297 }
2298
2299 /* save decoded version of winning SA in state */
2300
2301 st->st_ah.present = ah_seen;
2302 if (ah_seen)
2303 st->st_ah.attrs = ah_attrs;
2304
2305 st->st_esp.present = esp_seen;
2306 if (esp_seen)
2307 st->st_esp.attrs = esp_attrs;
2308
2309 st->st_ipcomp.present = ipcomp_seen;
2310 if (ipcomp_seen)
2311 st->st_ipcomp.attrs = ipcomp_attrs;
2312
2313 return NOTHING_WRONG;
2314 }
2315
2316 loglog(RC_LOG_SERIOUS, "no acceptable Proposal in IPsec SA");
2317 return NO_PROPOSAL_CHOSEN;
2318 }