1 /* Security Policy Data Base (such as it is)
2 * Copyright (C) 1998-2001 D. Hugh Redelmeier.
4 * This program is free software; you can redistribute it and/or modify it
5 * under the terms of the GNU General Public License as published by the
6 * Free Software Foundation; either version 2 of the License, or (at your
7 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 * This program is distributed in the hope that it will be useful, but
10 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
11 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 #include <sys/socket.h>
21 #include <netinet/in.h>
22 #include <arpa/inet.h>
23 #include <sys/queue.h>
26 #include <ipsec_policy.h>
28 #include "constants.h"
31 #include "connections.h"
41 #include "crypto.h" /* requires sha1.h and md5.h */
43 #include "kernel_alg.h"
46 #include "nat_traversal.h"
48 #define AD(x) x, elemsof(x) /* Array Description */
49 #define AD_NULL NULL, 0
51 /**************** Oakely (main mode) SA database ****************/
53 /* array of proposals to be conjoined (can only be one for Oakley) */
55 static struct db_prop oakley_pc
[] =
56 { { PROTO_ISAKMP
, AD_NULL
} };
58 /* array of proposal conjuncts (can only be one) */
60 static struct db_prop_conj oakley_props
[] = { { AD(oakley_pc
) } };
63 struct db_sa oakley_sadb
= { AD(oakley_props
) };
65 /**************** IPsec (quick mode) SA database ****************/
67 /* arrays of attributes for transforms */
69 static struct db_attr espsha1_attr
[] = {
70 { AUTH_ALGORITHM
, AUTH_ALGORITHM_HMAC_SHA1
},
73 static struct db_attr ah_HMAC_SHA1_attr
[] = {
74 { AUTH_ALGORITHM
, AUTH_ALGORITHM_HMAC_SHA1
},
77 /* arrays of transforms, each in in preference order */
79 static struct db_trans espa_trans
[] = {
80 { ESP_3DES
, AD(espsha1_attr
) },
83 static struct db_trans esp_trans
[] = {
84 { ESP_3DES
, AD_NULL
},
87 #ifdef SUPPORT_ESP_NULL
88 static struct db_trans espnull_trans
[] = {
89 { ESP_NULL
, AD(espsha1_attr
) },
91 #endif /* SUPPORT_ESP_NULL */
93 static struct db_trans ah_trans
[] = {
94 { AH_SHA
, AD(ah_HMAC_SHA1_attr
) },
97 static struct db_trans ipcomp_trans
[] = {
98 { IPCOMP_DEFLATE
, AD_NULL
},
101 /* arrays of proposals to be conjoined */
103 static struct db_prop ah_pc
[] = {
104 { PROTO_IPSEC_AH
, AD(ah_trans
) },
107 #ifdef SUPPORT_ESP_NULL
108 static struct db_prop espnull_pc
[] = {
109 { PROTO_IPSEC_ESP
, AD(espnull_trans
) },
111 #endif /* SUPPORT_ESP_NULL */
113 static struct db_prop esp_pc
[] = {
114 { PROTO_IPSEC_ESP
, AD(espa_trans
) },
117 static struct db_prop ah_esp_pc
[] = {
118 { PROTO_IPSEC_AH
, AD(ah_trans
) },
119 { PROTO_IPSEC_ESP
, AD(esp_trans
) },
122 static struct db_prop compress_pc
[] = {
123 { PROTO_IPCOMP
, AD(ipcomp_trans
) },
126 static struct db_prop ah_compress_pc
[] = {
127 { PROTO_IPSEC_AH
, AD(ah_trans
) },
128 { PROTO_IPCOMP
, AD(ipcomp_trans
) },
131 #ifdef SUPPORT_ESP_NULL
132 static struct db_prop espnull_compress_pc
[] = {
133 { PROTO_IPSEC_ESP
, AD(espnull_trans
) },
134 { PROTO_IPCOMP
, AD(ipcomp_trans
) },
136 #endif /* SUPPORT_ESP_NULL */
138 static struct db_prop esp_compress_pc
[] = {
139 { PROTO_IPSEC_ESP
, AD(espa_trans
) },
140 { PROTO_IPCOMP
, AD(ipcomp_trans
) },
143 static struct db_prop ah_esp_compress_pc
[] = {
144 { PROTO_IPSEC_AH
, AD(ah_trans
) },
145 { PROTO_IPSEC_ESP
, AD(esp_trans
) },
146 { PROTO_IPCOMP
, AD(ipcomp_trans
) },
149 /* arrays of proposal alternatives (each element is a conjunction) */
151 static struct db_prop_conj ah_props
[] = {
153 #ifdef SUPPORT_ESP_NULL
158 static struct db_prop_conj esp_props
[] =
161 static struct db_prop_conj ah_esp_props
[] =
162 { { AD(ah_esp_pc
) } };
164 static struct db_prop_conj compress_props
[] = {
168 static struct db_prop_conj ah_compress_props
[] = {
169 { AD(ah_compress_pc
) },
170 #ifdef SUPPORT_ESP_NULL
171 { AD(espnull_compress_pc
) }
175 static struct db_prop_conj esp_compress_props
[] =
176 { { AD(esp_compress_pc
) } };
178 static struct db_prop_conj ah_esp_compress_props
[] =
179 { { AD(ah_esp_compress_pc
) } };
181 /* The IPsec sadb is subscripted by a bitset (subset of policy)
182 * with members from { POLICY_ENCRYPT, POLICY_AUTHENTICATE, POLICY_COMPRESS }
183 * shifted right by POLICY_IPSEC_SHIFT.
185 struct db_sa ipsec_sadb
[1 << 3] = {
186 { AD_NULL
}, /* none */
187 { AD(esp_props
) }, /* POLICY_ENCRYPT */
188 { AD(ah_props
) }, /* POLICY_AUTHENTICATE */
189 { AD(ah_esp_props
) }, /* POLICY_ENCRYPT+POLICY_AUTHENTICATE */
190 { AD(compress_props
) }, /* POLICY_COMPRESS */
191 { AD(esp_compress_props
) }, /* POLICY_ENCRYPT+POLICY_COMPRESS */
192 { AD(ah_compress_props
) }, /* POLICY_AUTHENTICATE+POLICY_COMPRESS */
193 { AD(ah_esp_compress_props
) }, /* POLICY_ENCRYPT+POLICY_AUTHENTICATE+POLICY_COMPRESS */
199 /* output an attribute (within an SA) */
203 , struct_desc
*attr_desc
204 , enum_names
**attr_val_descs USED_BY_DEBUG
207 struct isakmp_attribute attr
;
211 /* short value: use TV form */
212 attr
.isaat_af_type
= type
| ISAKMP_ATTR_AF_TV
;
214 if (!out_struct(&attr
, attr_desc
, pbs
, NULL
))
219 /* This is a real fudge! Since we rarely use long attributes
220 * and since this is the only place where we can cause an
221 * ISAKMP message length to be other than a multiple of 4 octets,
222 * we force the length of the value to be a multiple of 4 octets.
223 * Furthermore, we only handle values up to 4 octets in length.
224 * Voila: a fixed format!
227 u_int32_t nval
= htonl(val
);
229 attr
.isaat_af_type
= type
| ISAKMP_ATTR_AF_TLV
;
230 if (!out_struct(&attr
, attr_desc
, pbs
, &val_pbs
)
231 || !out_raw(&nval
, sizeof(nval
), &val_pbs
, "long attribute value"))
233 close_output_pbs(&val_pbs
);
236 enum_names
*d
= attr_val_descs
[type
];
239 DBG_log(" [%lu is %s]"
240 , val
, enum_show(d
, val
)));
243 #define return_on(var, val) do { var=val;goto return_out; } while(0);
244 /* Output an SA, as described by a db_sa.
245 * This has the side-effect of allocating SPIs for us.
248 out_sa(pb_stream
*outs
257 bool ah_spi_generated
= FALSE
258 , esp_spi_generated
= FALSE
259 , ipcomp_cpi_generated
= FALSE
;
260 #if !defined NO_KERNEL_ALG || !defined NO_IKE_ALG
261 struct db_context
*db_ctx
= NULL
;
269 st
->st_doi
= sa
.isasa_doi
= ISAKMP_DOI_IPSEC
; /* all we know */
270 if (!out_struct(&sa
, &isakmp_sa_desc
, outs
, &sa_pbs
))
271 return_on(ret
, FALSE
);
274 /* within SA: situation out */
275 st
->st_situation
= SIT_IDENTITY_ONLY
;
276 if (!out_struct(&st
->st_situation
, &ipsec_sit_desc
, &sa_pbs
, NULL
))
277 return_on(ret
, FALSE
);
279 /* within SA: Proposal Payloads
281 * Multiple Proposals with the same number are simultaneous
282 * (conjuncts) and must deal with different protocols (AH or ESP).
283 * Proposals with different numbers are alternatives (disjuncts),
284 * in preference order.
285 * Proposal numbers must be monotonic.
286 * See RFC 2408 "ISAKMP" 4.2
289 for (pcn
= 0; pcn
!= sadb
->prop_conj_cnt
; pcn
++)
291 struct db_prop_conj
*pc
= &sadb
->prop_conjs
[pcn
];
294 for (pn
= 0; pn
!= pc
->prop_cnt
; pn
++)
296 struct db_prop
*p
= &pc
->props
[pn
];
297 pb_stream proposal_pbs
;
298 struct isakmp_proposal proposal
;
299 struct_desc
*trans_desc
= NULL
;
300 struct_desc
*attr_desc
= NULL
;
301 enum_names
**attr_val_descs
= NULL
;
305 tunnel_mode
= (pn
== pc
->prop_cnt
-1)
306 && (st
->st_policy
& POLICY_TUNNEL
);
308 /* Proposal header */
309 proposal
.isap_np
= pcn
== sadb
->prop_conj_cnt
-1 && pn
== pc
->prop_cnt
-1
310 ? ISAKMP_NEXT_NONE
: ISAKMP_NEXT_P
;
311 proposal
.isap_proposal
= pcn
;
312 proposal
.isap_protoid
= p
->protoid
;
313 proposal
.isap_spisize
= oakley_mode ?
0
314 : p
->protoid
== PROTO_IPCOMP ? IPCOMP_CPI_SIZE
315 : IPSEC_DOI_SPI_SIZE
;
317 /* In quick mode ONLY, create proposal for runtime kernel algos.
318 * Replace ESP proposals with runtime created one
320 if (!oakley_mode
&& p
->protoid
== PROTO_IPSEC_ESP
)
322 DBG(DBG_CONTROL
| DBG_CRYPT
,
323 if (st
->st_connection
->alg_info_esp
)
325 static char buf
[256]="";
327 alg_info_snprint(buf
, sizeof (buf
),
328 (struct alg_info
*)st
->st_connection
->alg_info_esp
);
332 db_ctx
= kernel_alg_db_new(st
->st_connection
->alg_info_esp
, st
->st_policy
);
333 p
= db_prop_get(db_ctx
);
335 if (!p
|| p
->trans_cnt
== 0)
337 loglog(RC_LOG_SERIOUS
,
338 "empty IPSEC SA proposal to send "
339 "(no kernel algorithms for esp selection)");
340 return_on(ret
, FALSE
);
344 if (oakley_mode
&& p
->protoid
== PROTO_ISAKMP
)
346 DBG(DBG_CONTROL
| DBG_CRYPT
,
347 if (st
->st_connection
->alg_info_ike
)
349 static char buf
[256]="";
351 alg_info_snprint(buf
, sizeof (buf
),
352 (struct alg_info
*)st
->st_connection
->alg_info_ike
);
356 db_ctx
= ike_alg_db_new(st
->st_connection
->alg_info_ike
, st
->st_policy
);
357 p
= db_prop_get(db_ctx
);
359 if (!p
|| p
->trans_cnt
== 0)
361 loglog(RC_LOG_SERIOUS
,
362 "empty ISAKMP SA proposal to send "
363 "(no algorithms for ike selection?)");
364 return_on(ret
, FALSE
);
368 proposal
.isap_notrans
= p
->trans_cnt
;
369 if (!out_struct(&proposal
, &isakmp_proposal_desc
, &sa_pbs
, &proposal_pbs
))
370 return_on(ret
, FALSE
);
372 /* Per-protocols stuff:
375 * Set attr_val_descs.
376 * If not oakley_mode, emit SPI.
377 * We allocate SPIs on demand.
378 * All ESPs in an SA will share a single SPI.
379 * All AHs in an SAwill share a single SPI.
380 * AHs' SPI will be distinct from ESPs'.
381 * This latter is needed because KLIPS doesn't
382 * use the protocol when looking up a (dest, protocol, spi).
383 * ??? If multiple ESPs are composed, how should their SPIs
387 ipsec_spi_t
*spi_ptr
= NULL
;
389 bool *spi_generated
= NULL
;
394 passert(oakley_mode
);
395 trans_desc
= &isakmp_isakmp_transform_desc
;
396 attr_desc
= &isakmp_oakley_attribute_desc
;
397 attr_val_descs
= oakley_attr_val_descs
;
401 passert(!oakley_mode
);
402 trans_desc
= &isakmp_ah_transform_desc
;
403 attr_desc
= &isakmp_ipsec_attribute_desc
;
404 attr_val_descs
= ipsec_attr_val_descs
;
405 spi_ptr
= &st
->st_ah
.our_spi
;
406 spi_generated
= &ah_spi_generated
;
409 case PROTO_IPSEC_ESP
:
410 passert(!oakley_mode
);
411 trans_desc
= &isakmp_esp_transform_desc
;
412 attr_desc
= &isakmp_ipsec_attribute_desc
;
413 attr_val_descs
= ipsec_attr_val_descs
;
414 spi_ptr
= &st
->st_esp
.our_spi
;
415 spi_generated
= &esp_spi_generated
;
419 passert(!oakley_mode
);
420 trans_desc
= &isakmp_ipcomp_transform_desc
;
421 attr_desc
= &isakmp_ipsec_attribute_desc
;
422 attr_val_descs
= ipsec_attr_val_descs
;
424 /* a CPI isn't quite the same as an SPI
425 * so we use specialized code to emit it.
427 if (!ipcomp_cpi_generated
)
429 st
->st_ipcomp
.our_spi
= get_my_cpi(
430 &st
->st_connection
->spd
, tunnel_mode
);
431 if (st
->st_ipcomp
.our_spi
== 0)
432 return_on(ret
, FALSE
); /* problem generating CPI */
434 ipcomp_cpi_generated
= TRUE
;
436 /* CPI is stored in network low order end of an
437 * ipsec_spi_t. So we start a couple of bytes in.
439 if (!out_raw((u_char
*)&st
->st_ipcomp
.our_spi
440 + IPSEC_DOI_SPI_SIZE
- IPCOMP_CPI_SIZE
442 , &proposal_pbs
, "CPI"))
443 return_on(ret
, FALSE
);
446 bad_case(p
->protoid
);
452 *spi_ptr
= get_ipsec_spi(0
454 , &st
->st_connection
->spd
458 *spi_generated
= TRUE
;
460 if (!out_raw((u_char
*)spi_ptr
, IPSEC_DOI_SPI_SIZE
461 , &proposal_pbs
, "SPI"))
462 return_on(ret
, FALSE
);
466 /* within proposal: Transform Payloads */
467 for (tn
= 0; tn
!= p
->trans_cnt
; tn
++)
469 struct db_trans
*t
= &p
->trans
[tn
];
471 struct isakmp_transform trans
;
474 trans
.isat_np
= (tn
== p
->trans_cnt
- 1)
475 ? ISAKMP_NEXT_NONE
: ISAKMP_NEXT_T
;
476 trans
.isat_transnum
= tn
;
477 trans
.isat_transid
= t
->transid
;
478 if (!out_struct(&trans
, trans_desc
, &proposal_pbs
, &trans_pbs
))
479 return_on(ret
, FALSE
);
481 /* Within tranform: Attributes. */
483 /* For Phase 2 / Quick Mode, GROUP_DESCRIPTION is
484 * automatically generated because it must be the same
485 * in every transform. Except IPCOMP.
487 if (p
->protoid
!= PROTO_IPCOMP
488 && st
->st_pfs_group
!= NULL
)
490 passert(!oakley_mode
);
491 passert(st
->st_pfs_group
!= &unset_group
);
492 out_attr(GROUP_DESCRIPTION
, st
->st_pfs_group
->group
493 , attr_desc
, attr_val_descs
497 /* automatically generate duration
498 * and, for Phase 2 / Quick Mode, encapsulation.
502 out_attr(OAKLEY_LIFE_TYPE
, OAKLEY_LIFE_SECONDS
503 , attr_desc
, attr_val_descs
505 out_attr(OAKLEY_LIFE_DURATION
506 , st
->st_connection
->sa_ike_life_seconds
507 , attr_desc
, attr_val_descs
512 /* RFC 2407 (IPSEC DOI) 4.5 specifies that
513 * the default is "unspecified (host-dependent)".
514 * This makes little sense, so we always specify it.
516 * Unlike other IPSEC transforms, IPCOMP defaults
517 * to Transport Mode, so we can exploit the default
518 * (draft-shacham-ippcp-rfc2393bis-05.txt 4.1).
520 if (p
->protoid
!= PROTO_IPCOMP
521 || st
->st_policy
& POLICY_TUNNEL
)
523 #ifndef I_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT
524 if ((st
->nat_traversal
& NAT_T_DETECTED
)
525 && !(st
->st_policy
& POLICY_TUNNEL
))
527 /* Inform user that we will not respect policy and only
528 * propose Tunnel Mode
530 loglog(RC_LOG_SERIOUS
, "NAT-Traversal: "
531 "Transport Mode not allowed due to security concerns -- "
532 "using Tunnel mode");
535 out_attr(ENCAPSULATION_MODE
536 #ifdef I_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT
537 , NAT_T_ENCAPSULATION_MODE(st
, st
->st_policy
)
539 /* If NAT-T is detected, use UDP_TUNNEL as long as Transport
540 * Mode has security concerns.
542 * User has been informed of that
544 , NAT_T_ENCAPSULATION_MODE(st
, POLICY_TUNNEL
)
546 , attr_desc
, attr_val_descs
549 out_attr(SA_LIFE_TYPE
, SA_LIFE_TYPE_SECONDS
550 , attr_desc
, attr_val_descs
552 out_attr(SA_LIFE_DURATION
553 , st
->st_connection
->sa_ipsec_life_seconds
554 , attr_desc
, attr_val_descs
558 /* spit out attributes from table */
559 for (an
= 0; an
!= t
->attr_cnt
; an
++)
561 struct db_attr
*a
= &t
->attrs
[an
];
563 out_attr(a
->type
, a
->val
564 , attr_desc
, attr_val_descs
568 close_output_pbs(&trans_pbs
);
570 close_output_pbs(&proposal_pbs
);
572 /* end of a conjunction of proposals */
574 close_output_pbs(&sa_pbs
);
579 #if !defined NO_KERNEL_ALG || !defined NO_IKE_ALG
586 /* Handle long form of duration attribute.
587 * The code is can only handle values that can fit in unsigned long.
588 * "Clamping" is probably an acceptable way to impose this limitation.
591 decode_long_duration(pb_stream
*pbs
)
595 /* ignore leading zeros */
596 while (pbs_left(pbs
) != 0 && *pbs
->cur
== '\0')
599 if (pbs_left(pbs
) > sizeof(val
))
601 /* "clamp" too large value to max representable value */
602 val
-= 1; /* portable way to get to maximum value */
603 DBG(DBG_PARSING
, DBG_log(" too large duration clamped to: %lu"
604 , (unsigned long)val
));
609 while (pbs_left(pbs
) != 0)
610 val
= (val
<< BITS_PER_BYTE
) | *pbs
->cur
++;
611 DBG(DBG_PARSING
, DBG_log(" long duration: %lu", (unsigned long)val
));
616 /* Preparse the body of an ISAKMP SA Payload and
617 * return body of ISAKMP Proposal Payload
619 * Only IPsec DOI is accepted (what is the ISAKMP DOI?).
620 * Error response is rudimentary.
623 preparse_isakmp_sa_body(const struct isakmp_sa
*sa
625 , u_int32_t
*ipsecdoisit
626 , pb_stream
*proposal_pbs
627 , struct isakmp_proposal
*proposal
)
630 if (sa
->isasa_doi
!= ISAKMP_DOI_IPSEC
)
632 loglog(RC_LOG_SERIOUS
, "Unknown/unsupported DOI %s", enum_show(&doi_names
, sa
->isasa_doi
));
633 /* XXX Could send notification back */
634 return DOI_NOT_SUPPORTED
;
638 if (!in_struct(ipsecdoisit
, &ipsec_sit_desc
, sa_pbs
, NULL
))
639 return SITUATION_NOT_SUPPORTED
;
641 if (*ipsecdoisit
!= SIT_IDENTITY_ONLY
)
643 loglog(RC_LOG_SERIOUS
, "unsupported IPsec DOI situation (%s)"
644 , bitnamesof(sit_bit_names
, *ipsecdoisit
));
645 /* XXX Could send notification back */
646 return SITUATION_NOT_SUPPORTED
;
649 /* The rules for ISAKMP SAs are scattered.
650 * RFC 2409 "IKE" section 5 says that there
651 * can only be one SA, and it can have only one proposal in it.
652 * There may well be multiple transforms.
654 if (!in_struct(proposal
, &isakmp_proposal_desc
, sa_pbs
, proposal_pbs
))
655 return PAYLOAD_MALFORMED
;
657 if (proposal
->isap_np
!= ISAKMP_NEXT_NONE
)
659 loglog(RC_LOG_SERIOUS
, "Proposal Payload must be alone in Oakley SA; found %s following Proposal"
660 , enum_show(&payload_names
, proposal
->isap_np
));
661 return PAYLOAD_MALFORMED
;
664 if (proposal
->isap_protoid
!= PROTO_ISAKMP
)
666 loglog(RC_LOG_SERIOUS
, "unexpected Protocol ID (%s) found in Oakley Proposal"
667 , enum_show(&protocol_names
, proposal
->isap_protoid
));
668 return INVALID_PROTOCOL_ID
;
671 /* Just what should we accept for the SPI field?
672 * The RFC is sort of contradictory. We will ignore the SPI
673 * as long as it is of the proper size.
675 * From RFC2408 2.4 Identifying Security Associations:
676 * During phase 1 negotiations, the initiator and responder cookies
677 * determine the ISAKMP SA. Therefore, the SPI field in the Proposal
678 * payload is redundant and MAY be set to 0 or it MAY contain the
679 * transmitting entity's cookie.
681 * From RFC2408 3.5 Proposal Payload:
682 * o SPI Size (1 octet) - Length in octets of the SPI as defined by
683 * the Protocol-Id. In the case of ISAKMP, the Initiator and
684 * Responder cookie pair from the ISAKMP Header is the ISAKMP SPI,
685 * therefore, the SPI Size is irrelevant and MAY be from zero (0) to
686 * sixteen (16). If the SPI Size is non-zero, the content of the
687 * SPI field MUST be ignored. If the SPI Size is not a multiple of
688 * 4 octets it will have some impact on the SPI field and the
689 * alignment of all payloads in the message. The Domain of
690 * Interpretation (DOI) will dictate the SPI Size for other
693 if (proposal
->isap_spisize
== 0)
695 /* empty (0) SPI -- fine */
697 else if (proposal
->isap_spisize
<= MAX_ISAKMP_SPI_SIZE
)
699 u_char junk_spi
[MAX_ISAKMP_SPI_SIZE
];
701 if (!in_raw(junk_spi
, proposal
->isap_spisize
, proposal_pbs
, "Oakley SPI"))
702 return PAYLOAD_MALFORMED
;
706 loglog(RC_LOG_SERIOUS
, "invalid SPI size (%u) in Oakley Proposal"
707 , (unsigned)proposal
->isap_spisize
);
710 return NOTHING_WRONG
;
720 * backup the pointer into a pb_stream
723 backup_pbs(pb_stream
*pbs
)
725 backup
.start
= pbs
->start
;
726 backup
.cur
= pbs
->cur
;
727 backup
.roof
= pbs
->roof
;
731 * restore the pointer into a pb_stream
734 restore_pbs(pb_stream
*pbs
)
736 pbs
->start
= backup
.start
;
737 pbs
->cur
= backup
.cur
;
738 pbs
->roof
= backup
.roof
;
742 * Parse an ISAKMP Proposal Payload for RSA and PSK authentication policies
745 parse_isakmp_policy(pb_stream
*proposal_pbs
749 int last_transnum
= -1;
758 struct isakmp_transform trans
;
760 if (!in_struct(&trans
, &isakmp_isakmp_transform_desc
, proposal_pbs
, &trans_pbs
))
761 return BAD_PROPOSAL_SYNTAX
;
763 if (trans
.isat_transnum
<= last_transnum
)
765 /* picky, picky, picky */
766 loglog(RC_LOG_SERIOUS
, "Transform Numbers are not monotonically increasing"
767 " in Oakley Proposal");
768 return BAD_PROPOSAL_SYNTAX
;
770 last_transnum
= trans
.isat_transnum
;
772 if (trans
.isat_transid
!= KEY_IKE
)
774 loglog(RC_LOG_SERIOUS
, "expected KEY_IKE but found %s in Oakley Transform"
775 , enum_show(&isakmp_transformid_names
, trans
.isat_transid
));
776 return INVALID_TRANSFORM_ID
;
779 attr_start
= trans_pbs
.cur
;
780 attr_len
= pbs_left(&trans_pbs
);
782 /* preprocess authentication attributes only */
783 while (pbs_left(&trans_pbs
) != 0)
785 struct isakmp_attribute a
;
788 if (!in_struct(&a
, &isakmp_oakley_attribute_desc
, &trans_pbs
, &attr_pbs
))
789 return BAD_PROPOSAL_SYNTAX
;
791 passert((a
.isaat_af_type
& ISAKMP_ATTR_RTYPE_MASK
) < 32);
793 switch (a
.isaat_af_type
)
795 case OAKLEY_AUTHENTICATION_METHOD
| ISAKMP_ATTR_AF_TV
:
798 case OAKLEY_PRESHARED_KEY
:
799 *policy
|= POLICY_PSK
;
802 *policy
|= POLICY_RSASIG
;
804 case XAUTHInitPreShared
:
805 *policy
|= POLICY_XAUTH_SERVER
;
807 case XAUTHRespPreShared
:
808 *policy
|= POLICY_XAUTH_PSK
;
811 *policy
|= POLICY_XAUTH_SERVER
;
814 *policy
|= POLICY_XAUTH_RSASIG
;
825 DBG(DBG_CONTROL
|DBG_PARSING
,
826 DBG_log("preparse_isakmp_policy: peer requests %s authentication"
827 , prettypolicy(*policy
))
829 return NOTHING_WRONG
;
833 * check that we can find a preshared secret
836 find_preshared_key(struct state
* st
)
839 struct connection
*c
= st
->st_connection
;
841 if (get_preshared_secret(c
) == NULL
)
843 char my_id
[BUF_LEN
], his_id
[BUF_LEN
];
845 idtoa(&c
->spd
.this.id
, my_id
, sizeof(my_id
));
846 if (his_id_was_instantiated(c
))
847 strcpy(his_id
, "%any");
849 idtoa(&c
->spd
.that
.id
, his_id
, sizeof(his_id
));
850 ugh
= builddiag("Can't authenticate: no preshared key found for `%s' and `%s'"
856 /* Parse the body of an ISAKMP SA Payload (i.e. Phase 1 / Main Mode).
857 * Various shortcuts are taken. In particular, the policy, such as
858 * it is, is hardwired.
860 * If r_sa is non-NULL, the body of an SA representing the selected
861 * proposal is emitted.
863 * This routine is used by main_inI1_outR1() and main_inR1_outI2().
866 parse_isakmp_sa_body(u_int32_t ipsecdoisit
867 , pb_stream
*proposal_pbs
868 , struct isakmp_proposal
*proposal
869 , pb_stream
*r_sa_pbs
873 struct connection
*c
= st
->st_connection
;
874 unsigned no_trans_left
;
876 /* for each transform payload... */
877 no_trans_left
= proposal
->isap_notrans
;
884 struct isakmp_transform trans
;
885 lset_t seen_attrs
= 0;
886 lset_t seen_durations
= 0;
887 u_int16_t life_type
= 0;
888 struct oakley_trans_attrs ta
;
889 err_t ugh
= NULL
; /* set to diagnostic when problem detected */
891 /* initialize only optional field in ta */
892 ta
.life_seconds
= OAKLEY_ISAKMP_SA_LIFETIME_DEFAULT
; /* When this SA expires (seconds) */
894 if (no_trans_left
== 0)
896 loglog(RC_LOG_SERIOUS
, "number of Transform Payloads disagrees with Oakley Proposal Payload");
897 return BAD_PROPOSAL_SYNTAX
;
900 in_struct(&trans
, &isakmp_isakmp_transform_desc
, proposal_pbs
, &trans_pbs
);
901 attr_start
= trans_pbs
.cur
;
902 attr_len
= pbs_left(&trans_pbs
);
904 /* process all the attributes that make up the transform */
906 while (pbs_left(&trans_pbs
) != 0)
908 struct isakmp_attribute a
;
910 u_int32_t val
; /* room for larger values */
912 if (!in_struct(&a
, &isakmp_oakley_attribute_desc
, &trans_pbs
, &attr_pbs
))
913 return BAD_PROPOSAL_SYNTAX
;
915 passert((a
.isaat_af_type
& ISAKMP_ATTR_RTYPE_MASK
) < 32);
917 if (LHAS(seen_attrs
, a
.isaat_af_type
& ISAKMP_ATTR_RTYPE_MASK
))
919 loglog(RC_LOG_SERIOUS
, "repeated %s attribute in Oakley Transform %u"
920 , enum_show(&oakley_attr_names
, a
.isaat_af_type
)
921 , trans
.isat_transnum
);
922 return BAD_PROPOSAL_SYNTAX
;
925 seen_attrs
|= LELEM(a
.isaat_af_type
& ISAKMP_ATTR_RTYPE_MASK
);
931 enum_names
*vdesc
= oakley_attr_val_descs
932 [a
.isaat_af_type
& ISAKMP_ATTR_RTYPE_MASK
];
936 const char *nm
= enum_name(vdesc
, val
);
939 DBG_log(" [%u is %s]", (unsigned)val
, nm
);
943 switch (a
.isaat_af_type
)
945 case OAKLEY_ENCRYPTION_ALGORITHM
| ISAKMP_ATTR_AF_TV
:
946 if (ike_alg_enc_present(val
))
949 ta
.encrypter
= ike_alg_get_encrypter(val
);
950 ta
.enckeylen
= ta
.encrypter
->keydeflen
;
954 ugh
= builddiag("%s is not supported"
955 , enum_show(&oakley_enc_names
, val
));
959 case OAKLEY_HASH_ALGORITHM
| ISAKMP_ATTR_AF_TV
:
960 if (ike_alg_hash_present(val
))
963 ta
.hasher
= ike_alg_get_hasher(val
);
967 ugh
= builddiag("%s is not supported"
968 , enum_show(&oakley_hash_names
, val
));
972 case OAKLEY_AUTHENTICATION_METHOD
| ISAKMP_ATTR_AF_TV
:
974 /* check that authentication method is acceptable */
975 lset_t iap
= st
->st_policy
& POLICY_ID_AUTH_MASK
;
977 /* is the initiator the XAUTH client? */
978 bool xauth_init
= ( initiator
&& (st
->st_policy
& POLICY_XAUTH_SERVER
) == LEMPTY
)
979 || (!initiator
&& (st
->st_policy
& POLICY_XAUTH_SERVER
) != LEMPTY
);
983 case OAKLEY_PRESHARED_KEY
:
984 if ((iap
& POLICY_PSK
) == LEMPTY
)
986 ugh
= "policy does not allow OAKLEY_PRESHARED_KEY authentication";
990 ugh
= find_preshared_key(st
);
991 ta
.auth
= OAKLEY_PRESHARED_KEY
;
994 case XAUTHInitPreShared
:
995 if ((iap
& POLICY_XAUTH_PSK
) == LEMPTY
|| !xauth_init
)
997 ugh
= "policy does not allow XAUTHInitPreShared authentication";
1001 ugh
= find_preshared_key(st
);
1002 ta
.auth
= XAUTHInitPreShared
;
1005 case XAUTHRespPreShared
:
1006 if ((iap
& POLICY_XAUTH_PSK
) == LEMPTY
|| xauth_init
)
1008 ugh
= "policy does not allow XAUTHRespPreShared authentication";
1012 ugh
= find_preshared_key(st
);
1013 ta
.auth
= XAUTHRespPreShared
;
1016 case OAKLEY_RSA_SIG
:
1017 /* Accept if policy specifies RSASIG or is default */
1018 if ((iap
& POLICY_RSASIG
) == LEMPTY
)
1020 ugh
= "policy does not allow OAKLEY_RSA_SIG authentication";
1024 ta
.auth
= OAKLEY_RSA_SIG
;
1028 if ((iap
& POLICY_XAUTH_RSASIG
) == LEMPTY
|| !xauth_init
)
1030 ugh
= "policy does not allow XAUTHInitRSA authentication";
1034 ta
.auth
= XAUTHInitRSA
;
1038 if ((iap
& POLICY_XAUTH_RSASIG
) == LEMPTY
|| xauth_init
)
1040 ugh
= "policy does not allow XAUTHRespRSA authentication";
1044 ta
.auth
= XAUTHRespRSA
;
1048 ugh
= builddiag("Pluto does not support %s authentication"
1049 , enum_show(&oakley_auth_names
, val
));
1055 case OAKLEY_GROUP_DESCRIPTION
| ISAKMP_ATTR_AF_TV
:
1056 ta
.group
= lookup_group(val
);
1057 if (ta
.group
== NULL
)
1059 ugh
= "only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported";
1063 case OAKLEY_LIFE_TYPE
| ISAKMP_ATTR_AF_TV
:
1066 case OAKLEY_LIFE_SECONDS
:
1067 case OAKLEY_LIFE_KILOBYTES
:
1068 if (LHAS(seen_durations
, val
))
1070 loglog(RC_LOG_SERIOUS
1071 , "attribute OAKLEY_LIFE_TYPE value %s repeated"
1072 , enum_show(&oakley_lifetime_names
, val
));
1073 return BAD_PROPOSAL_SYNTAX
;
1075 seen_durations
|= LELEM(val
);
1079 ugh
= builddiag("unknown value %s"
1080 , enum_show(&oakley_lifetime_names
, val
));
1085 case OAKLEY_LIFE_DURATION
| ISAKMP_ATTR_AF_TLV
:
1086 val
= decode_long_duration(&attr_pbs
);
1088 case OAKLEY_LIFE_DURATION
| ISAKMP_ATTR_AF_TV
:
1089 if (!LHAS(seen_attrs
, OAKLEY_LIFE_TYPE
))
1091 ugh
= "OAKLEY_LIFE_DURATION attribute not preceded by OAKLEY_LIFE_TYPE attribute";
1094 seen_attrs
&= ~(LELEM(OAKLEY_LIFE_DURATION
) | LELEM(OAKLEY_LIFE_TYPE
));
1098 case OAKLEY_LIFE_SECONDS
:
1099 if (val
> OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM
)
1102 plog("peer requested %lu seconds"
1103 " which exceeds our limit %d seconds"
1105 , OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM
);
1106 plog("lifetime reduced to %d seconds "
1107 "(todo: IPSEC_RESPONDER_LIFETIME notification)"
1108 , OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM
);
1109 val
= OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM
;
1111 ugh
= builddiag("peer requested %lu seconds"
1112 " which exceeds our limit %d seconds"
1114 , OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM
);
1117 ta
.life_seconds
= val
;
1119 case OAKLEY_LIFE_KILOBYTES
:
1120 ta
.life_kilobytes
= val
;
1123 bad_case(life_type
);
1127 case OAKLEY_KEY_LENGTH
| ISAKMP_ATTR_AF_TV
:
1128 if ((seen_attrs
& LELEM(OAKLEY_ENCRYPTION_ALGORITHM
)) == 0)
1130 ugh
= "OAKLEY_KEY_LENGTH attribute not preceded by "
1131 "OAKLEY_ENCRYPTION_ALGORITHM attribute";
1134 if (ta
.encrypter
== NULL
)
1136 ugh
= "NULL encrypter with seen OAKLEY_ENCRYPTION_ALGORITHM";
1140 * check if this keylen is compatible with specified algorithm
1143 && (val
< ta
.encrypter
->keyminlen
|| val
> ta
.encrypter
->keymaxlen
))
1145 ugh
= "peer proposed key length not valid for "
1146 "encryption algorithm specified";
1150 #if 0 /* not yet supported */
1151 case OAKLEY_GROUP_TYPE
| ISAKMP_ATTR_AF_TV
:
1152 case OAKLEY_PRF
| ISAKMP_ATTR_AF_TV
:
1153 case OAKLEY_FIELD_SIZE
| ISAKMP_ATTR_AF_TV
:
1155 case OAKLEY_GROUP_PRIME
| ISAKMP_ATTR_AF_TV
:
1156 case OAKLEY_GROUP_PRIME
| ISAKMP_ATTR_AF_TLV
:
1157 case OAKLEY_GROUP_GENERATOR_ONE
| ISAKMP_ATTR_AF_TV
:
1158 case OAKLEY_GROUP_GENERATOR_ONE
| ISAKMP_ATTR_AF_TLV
:
1159 case OAKLEY_GROUP_GENERATOR_TWO
| ISAKMP_ATTR_AF_TV
:
1160 case OAKLEY_GROUP_GENERATOR_TWO
| ISAKMP_ATTR_AF_TLV
:
1161 case OAKLEY_GROUP_CURVE_A
| ISAKMP_ATTR_AF_TV
:
1162 case OAKLEY_GROUP_CURVE_A
| ISAKMP_ATTR_AF_TLV
:
1163 case OAKLEY_GROUP_CURVE_B
| ISAKMP_ATTR_AF_TV
:
1164 case OAKLEY_GROUP_CURVE_B
| ISAKMP_ATTR_AF_TLV
:
1165 case OAKLEY_GROUP_ORDER
| ISAKMP_ATTR_AF_TV
:
1166 case OAKLEY_GROUP_ORDER
| ISAKMP_ATTR_AF_TLV
:
1169 /* fix compiler warning */
1170 memset(&ta
, 0, sizeof(ta
));
1171 ugh
= "unsupported OAKLEY attribute";
1177 loglog(RC_LOG_SERIOUS
, "%s. Attribute %s"
1178 , ugh
, enum_show(&oakley_attr_names
, a
.isaat_af_type
));
1184 * ML: at last check for allowed transforms in alg_info_ike
1185 * (ALG_INFO_F_STRICT flag)
1189 if (!ike_alg_ok_final(ta
.encrypt
, ta
.enckeylen
, ta
.hash
,
1190 ta
.group ? ta
.group
->group
: -1, c
->alg_info_ike
))
1192 ugh
= "OAKLEY proposal refused";
1198 /* a little more checking is in order */
1202 & (LELEM(OAKLEY_ENCRYPTION_ALGORITHM
)
1203 | LELEM(OAKLEY_HASH_ALGORITHM
)
1204 | LELEM(OAKLEY_AUTHENTICATION_METHOD
)
1205 | LELEM(OAKLEY_GROUP_DESCRIPTION
));
1209 loglog(RC_LOG_SERIOUS
, "missing mandatory attribute(s) %s in Oakley Transform %u"
1210 , bitnamesof(oakley_attr_bit_names
, missing
)
1211 , trans
.isat_transnum
);
1212 return BAD_PROPOSAL_SYNTAX
;
1215 /* We must have liked this transform.
1216 * Lets finish early and leave.
1219 DBG(DBG_PARSING
| DBG_CRYPT
1220 , DBG_log("Oakley Transform %u accepted", trans
.isat_transnum
));
1222 if (r_sa_pbs
!= NULL
)
1224 struct isakmp_proposal r_proposal
= *proposal
;
1225 pb_stream r_proposal_pbs
;
1226 struct isakmp_transform r_trans
= trans
;
1227 pb_stream r_trans_pbs
;
1230 if (!out_struct(&ipsecdoisit
, &ipsec_sit_desc
, r_sa_pbs
, NULL
))
1234 #ifdef EMIT_ISAKMP_SPI
1235 r_proposal
.isap_spisize
= COOKIE_SIZE
;
1237 r_proposal
.isap_spisize
= 0;
1239 r_proposal
.isap_notrans
= 1;
1240 if (!out_struct(&r_proposal
, &isakmp_proposal_desc
, r_sa_pbs
, &r_proposal_pbs
))
1244 #ifdef EMIT_ISAKMP_SPI
1245 if (!out_raw(my_cookie
, COOKIE_SIZE
, &r_proposal_pbs
, "SPI"))
1247 r_proposal
.isap_spisize
= COOKIE_SIZE
;
1253 r_trans
.isat_np
= ISAKMP_NEXT_NONE
;
1254 if (!out_struct(&r_trans
, &isakmp_isakmp_transform_desc
, &r_proposal_pbs
, &r_trans_pbs
))
1257 if (!out_raw(attr_start
, attr_len
, &r_trans_pbs
, "attributes"))
1259 close_output_pbs(&r_trans_pbs
);
1260 close_output_pbs(&r_proposal_pbs
);
1261 close_output_pbs(r_sa_pbs
);
1264 /* copy over the results */
1266 return NOTHING_WRONG
;
1269 /* on to next transform */
1272 if (trans
.isat_np
== ISAKMP_NEXT_NONE
)
1274 if (no_trans_left
!= 0)
1276 loglog(RC_LOG_SERIOUS
, "number of Transform Payloads disagrees with Oakley Proposal Payload");
1277 return BAD_PROPOSAL_SYNTAX
;
1281 if (trans
.isat_np
!= ISAKMP_NEXT_T
)
1283 loglog(RC_LOG_SERIOUS
, "unexpected %s payload in Oakley Proposal"
1284 , enum_show(&payload_names
, proposal
->isap_np
));
1285 return BAD_PROPOSAL_SYNTAX
;
1288 loglog(RC_LOG_SERIOUS
, "no acceptable Oakley Transform");
1289 return NO_PROPOSAL_CHOSEN
;
1292 /* Parse the body of an IPsec SA Payload (i.e. Phase 2 / Quick Mode).
1294 * The main routine is parse_ipsec_sa_body; other functions defined
1295 * between here and there are just helpers.
1297 * Various shortcuts are taken. In particular, the policy, such as
1298 * it is, is hardwired.
1300 * If r_sa is non-NULL, the body of an SA representing the selected
1301 * proposal is emitted into it.
1303 * If "selection" is true, the SA is supposed to represent the
1304 * single tranform that the peer has accepted.
1305 * ??? We only check that it is acceptable, not that it is one that we offered!
1307 * Only IPsec DOI is accepted (what is the ISAKMP DOI?).
1308 * Error response is rudimentary.
1310 * Since all ISAKMP groups in all SA Payloads must match, st->st_pfs_group
1311 * holds this across multiple payloads.
1312 * &unset_group signifies not yet "set"; NULL signifies NONE.
1314 * This routine is used by quick_inI1_outR1() and quick_inR1_outI2().
1317 static const struct ipsec_trans_attrs null_ipsec_trans_attrs
= {
1318 0, /* transid (NULL, for now) */
1320 SA_LIFE_DURATION_DEFAULT
, /* life_seconds */
1321 SA_LIFE_DURATION_K_DEFAULT
, /* life_kilobytes */
1322 ENCAPSULATION_MODE_UNSPECIFIED
, /* encapsulation */
1323 AUTH_ALGORITHM_NONE
, /* auth */
1329 parse_ipsec_transform(struct isakmp_transform
*trans
1330 , struct ipsec_trans_attrs
*attrs
1331 , pb_stream
*prop_pbs
1332 , pb_stream
*trans_pbs
1333 , struct_desc
*trans_desc
1334 , int previous_transnum
/* or -1 if none */
1338 , struct state
*st
) /* current state object */
1340 lset_t seen_attrs
= 0;
1341 lset_t seen_durations
= 0;
1342 u_int16_t life_type
= 0;
1343 const struct oakley_group_desc
*pfs_group
= NULL
;
1345 if (!in_struct(trans
, trans_desc
, prop_pbs
, trans_pbs
))
1348 if (trans
->isat_transnum
<= previous_transnum
)
1350 loglog(RC_LOG_SERIOUS
, "Transform Numbers in Proposal are not monotonically increasing");
1354 switch (trans
->isat_np
)
1359 loglog(RC_LOG_SERIOUS
, "Proposal Payload has more Transforms than specified");
1363 case ISAKMP_NEXT_NONE
:
1366 loglog(RC_LOG_SERIOUS
, "Proposal Payload has fewer Transforms than specified");
1371 loglog(RC_LOG_SERIOUS
, "expecting Transform Payload, but found %s in Proposal"
1372 , enum_show(&payload_names
, trans
->isat_np
));
1376 *attrs
= null_ipsec_trans_attrs
;
1377 attrs
->transid
= trans
->isat_transid
;
1379 while (pbs_left(trans_pbs
) != 0)
1381 struct isakmp_attribute a
;
1384 u_int32_t val
; /* room for larger value */
1385 bool ipcomp_inappropriate
= is_ipcomp
; /* will get reset if OK */
1387 if (!in_struct(&a
, &isakmp_ipsec_attribute_desc
, trans_pbs
, &attr_pbs
))
1390 passert((a
.isaat_af_type
& ISAKMP_ATTR_RTYPE_MASK
) < 32);
1392 if (LHAS(seen_attrs
, a
.isaat_af_type
& ISAKMP_ATTR_RTYPE_MASK
))
1394 loglog(RC_LOG_SERIOUS
, "repeated %s attribute in IPsec Transform %u"
1395 , enum_show(&ipsec_attr_names
, a
.isaat_af_type
)
1396 , trans
->isat_transnum
);
1400 seen_attrs
|= LELEM(a
.isaat_af_type
& ISAKMP_ATTR_RTYPE_MASK
);
1404 vdesc
= ipsec_attr_val_descs
[a
.isaat_af_type
& ISAKMP_ATTR_RTYPE_MASK
];
1407 if (enum_name(vdesc
, val
) == NULL
)
1409 loglog(RC_LOG_SERIOUS
, "invalid value %u for attribute %s in IPsec Transform"
1410 , (unsigned)val
, enum_show(&ipsec_attr_names
, a
.isaat_af_type
));
1414 , if ((a
.isaat_af_type
& ISAKMP_ATTR_AF_MASK
) == ISAKMP_ATTR_AF_TV
)
1415 DBG_log(" [%u is %s]"
1416 , (unsigned)val
, enum_show(vdesc
, val
)));
1419 switch (a
.isaat_af_type
)
1421 case SA_LIFE_TYPE
| ISAKMP_ATTR_AF_TV
:
1422 ipcomp_inappropriate
= FALSE
;
1423 if (LHAS(seen_durations
, val
))
1425 loglog(RC_LOG_SERIOUS
, "attribute SA_LIFE_TYPE value %s repeated in message"
1426 , enum_show(&sa_lifetime_names
, val
));
1429 seen_durations
|= LELEM(val
);
1432 case SA_LIFE_DURATION
| ISAKMP_ATTR_AF_TLV
:
1433 val
= decode_long_duration(&attr_pbs
);
1435 case SA_LIFE_DURATION
| ISAKMP_ATTR_AF_TV
:
1436 ipcomp_inappropriate
= FALSE
;
1437 if (!LHAS(seen_attrs
, SA_LIFE_DURATION
))
1439 loglog(RC_LOG_SERIOUS
, "SA_LIFE_DURATION IPsec attribute not preceded by SA_LIFE_TYPE attribute");
1442 seen_attrs
&= ~(LELEM(SA_LIFE_DURATION
) | LELEM(SA_LIFE_TYPE
));
1446 case SA_LIFE_TYPE_SECONDS
:
1447 /* silently limit duration to our maximum */
1448 attrs
->life_seconds
= val
<= SA_LIFE_DURATION_MAXIMUM
1449 ? val
: SA_LIFE_DURATION_MAXIMUM
;
1451 case SA_LIFE_TYPE_KBYTES
:
1452 attrs
->life_kilobytes
= val
;
1455 bad_case(life_type
);
1458 case GROUP_DESCRIPTION
| ISAKMP_ATTR_AF_TV
:
1461 /* Accept reluctantly. Should not happen, according to
1462 * draft-shacham-ippcp-rfc2393bis-05.txt 4.1.
1464 ipcomp_inappropriate
= FALSE
;
1466 , "IPCA (IPcomp SA) contains GROUP_DESCRIPTION."
1467 " Ignoring inapproprate attribute.");
1469 pfs_group
= lookup_group(val
);
1470 if (pfs_group
== NULL
)
1472 loglog(RC_LOG_SERIOUS
, "only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported for PFS");
1476 case ENCAPSULATION_MODE
| ISAKMP_ATTR_AF_TV
:
1477 ipcomp_inappropriate
= FALSE
;
1480 case ENCAPSULATION_MODE_TUNNEL
:
1481 case ENCAPSULATION_MODE_TRANSPORT
:
1482 if (st
->nat_traversal
& NAT_T_DETECTED
)
1484 loglog(RC_LOG_SERIOUS
1485 , "%s must only be used if NAT-Traversal is not detected"
1486 , enum_name(&enc_mode_names
, val
));
1488 * Accept it anyway because SSH-Sentinel does not
1489 * use UDP_TUNNEL or UDP_TRANSPORT for the diagnostic.
1491 * remove when SSH-Sentinel is fixed
1493 #ifdef I_DONT_CARE_OF_SSH_SENTINEL
1497 attrs
->encapsulation
= val
;
1499 case ENCAPSULATION_MODE_UDP_TRANSPORT_DRAFTS
:
1500 #ifndef I_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT
1501 loglog(RC_LOG_SERIOUS
1502 , "NAT-Traversal: Transport mode disabled due to security concerns");
1505 case ENCAPSULATION_MODE_UDP_TUNNEL_DRAFTS
:
1506 if (st
->nat_traversal
& NAT_T_WITH_RFC_VALUES
)
1508 loglog(RC_LOG_SERIOUS
1509 , "%s must only be used with old IETF drafts"
1510 , enum_name(&enc_mode_names
, val
));
1513 else if (st
->nat_traversal
& NAT_T_DETECTED
)
1515 attrs
->encapsulation
= val
1516 - ENCAPSULATION_MODE_UDP_TUNNEL_DRAFTS
1517 + ENCAPSULATION_MODE_TUNNEL
;
1521 loglog(RC_LOG_SERIOUS
1522 , "%s must only be used if NAT-Traversal is detected"
1523 , enum_name(&enc_mode_names
, val
));
1527 case ENCAPSULATION_MODE_UDP_TRANSPORT_RFC
:
1528 #ifndef I_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT
1529 loglog(RC_LOG_SERIOUS
1530 , "NAT-Traversal: Transport mode disabled due "
1531 "to security concerns");
1534 case ENCAPSULATION_MODE_UDP_TUNNEL_RFC
:
1535 if ((st
->nat_traversal
& NAT_T_DETECTED
)
1536 && (st
->nat_traversal
& NAT_T_WITH_RFC_VALUES
))
1538 attrs
->encapsulation
= val
1539 - ENCAPSULATION_MODE_UDP_TUNNEL_RFC
1540 + ENCAPSULATION_MODE_TUNNEL
;
1542 else if (st
->nat_traversal
& NAT_T_DETECTED
)
1544 loglog(RC_LOG_SERIOUS
1545 , "%s must only be used with NAT-T RFC"
1546 , enum_name(&enc_mode_names
, val
));
1551 loglog(RC_LOG_SERIOUS
1552 , "%s must only be used if NAT-Traversal is detected"
1553 , enum_name(&enc_mode_names
, val
));
1558 loglog(RC_LOG_SERIOUS
1559 , "unknown ENCAPSULATION_MODE %d in IPSec SA", val
);
1563 case AUTH_ALGORITHM
| ISAKMP_ATTR_AF_TV
:
1566 case KEY_LENGTH
| ISAKMP_ATTR_AF_TV
:
1567 attrs
->key_len
= val
;
1569 case KEY_ROUNDS
| ISAKMP_ATTR_AF_TV
:
1570 attrs
->key_rounds
= val
;
1572 #if 0 /* not yet implemented */
1573 case COMPRESS_DICT_SIZE
| ISAKMP_ATTR_AF_TV
:
1575 case COMPRESS_PRIVATE_ALG
| ISAKMP_ATTR_AF_TV
:
1578 case SA_LIFE_DURATION
| ISAKMP_ATTR_AF_TLV
:
1580 case COMPRESS_PRIVATE_ALG
| ISAKMP_ATTR_AF_TLV
:
1584 loglog(RC_LOG_SERIOUS
, "unsupported IPsec attribute %s"
1585 , enum_show(&ipsec_attr_names
, a
.isaat_af_type
));
1588 if (ipcomp_inappropriate
)
1590 loglog(RC_LOG_SERIOUS
, "IPsec attribute %s inappropriate for IPCOMP"
1591 , enum_show(&ipsec_attr_names
, a
.isaat_af_type
));
1596 /* Although an IPCOMP SA (IPCA) ought not to have a pfs_group,
1597 * if it does, demand that it be consistent.
1598 * See draft-shacham-ippcp-rfc2393bis-05.txt 4.1.
1600 if (!is_ipcomp
|| pfs_group
!= NULL
)
1602 if (st
->st_pfs_group
== &unset_group
)
1603 st
->st_pfs_group
= pfs_group
;
1605 if (st
->st_pfs_group
!= pfs_group
)
1607 loglog(RC_LOG_SERIOUS
, "GROUP_DESCRIPTION inconsistent with that of %s in IPsec SA"
1608 , selection?
"the Proposal" : "a previous Transform");
1613 if (LHAS(seen_attrs
, SA_LIFE_DURATION
))
1615 loglog(RC_LOG_SERIOUS
, "SA_LIFE_TYPE IPsec attribute not followed by SA_LIFE_DURATION attribute in message");
1619 if (!LHAS(seen_attrs
, ENCAPSULATION_MODE
))
1623 /* draft-shacham-ippcp-rfc2393bis-05.txt 4.1:
1624 * "If the Encapsulation Mode is unspecified,
1625 * the default value of Transport Mode is assumed."
1626 * This contradicts/overrides the DOI (quuoted below).
1628 attrs
->encapsulation
= ENCAPSULATION_MODE_TRANSPORT
;
1632 /* ??? Technically, RFC 2407 (IPSEC DOI) 4.5 specifies that
1633 * the default is "unspecified (host-dependent)".
1634 * This makes little sense, so we demand that it be specified.
1636 loglog(RC_LOG_SERIOUS
, "IPsec Transform must specify ENCAPSULATION_MODE");
1641 /* ??? should check for key_len and/or key_rounds if required */
1648 struct isakmp_proposal r_proposal
, /* proposal to emit */
1649 struct isakmp_transform r_trans
, /* winning transformation within it */
1650 u_int8_t np
, /* Next Payload for proposal */
1651 pb_stream
*r_sa_pbs
, /* SA PBS into which to emit */
1652 struct ipsec_proto_info
*pi
, /* info about this protocol instance */
1653 struct_desc
*trans_desc
, /* descriptor for this transformation */
1654 pb_stream
*trans_pbs
, /* PBS for incoming transform */
1655 struct spd_route
*sr
, /* host details for the association */
1656 bool tunnel_mode
) /* true for inner most tunnel SA */
1658 pb_stream r_proposal_pbs
;
1659 pb_stream r_trans_pbs
;
1662 r_proposal
.isap_np
= np
;
1663 r_proposal
.isap_notrans
= 1;
1664 if (!out_struct(&r_proposal
, &isakmp_proposal_desc
, r_sa_pbs
, &r_proposal_pbs
))
1667 /* allocate and emit our CPI/SPI */
1668 if (r_proposal
.isap_protoid
== PROTO_IPCOMP
)
1670 /* CPI is stored in network low order end of an
1671 * ipsec_spi_t. So we start a couple of bytes in.
1672 * Note: we may fail to generate a satisfactory CPI,
1673 * but we'll ignore that.
1675 pi
->our_spi
= get_my_cpi(sr
, tunnel_mode
);
1676 out_raw((u_char
*) &pi
->our_spi
1677 + IPSEC_DOI_SPI_SIZE
- IPCOMP_CPI_SIZE
1679 , &r_proposal_pbs
, "CPI");
1683 pi
->our_spi
= get_ipsec_spi(pi
->attrs
.spi
1684 , r_proposal
.isap_protoid
== PROTO_IPSEC_AH ?
1685 IPPROTO_AH
: IPPROTO_ESP
1688 /* XXX should check for errors */
1689 out_raw((u_char
*) &pi
->our_spi
, IPSEC_DOI_SPI_SIZE
1690 , &r_proposal_pbs
, "SPI");
1694 r_trans
.isat_np
= ISAKMP_NEXT_NONE
;
1695 if (!out_struct(&r_trans
, trans_desc
, &r_proposal_pbs
, &r_trans_pbs
))
1698 /* Transform Attributes: pure echo */
1699 trans_pbs
->cur
= trans_pbs
->start
+ sizeof(struct isakmp_transform
);
1700 if (!out_raw(trans_pbs
->cur
, pbs_left(trans_pbs
)
1701 , &r_trans_pbs
, "attributes"))
1704 close_output_pbs(&r_trans_pbs
);
1705 close_output_pbs(&r_proposal_pbs
);
1709 parse_ipsec_sa_body(
1710 pb_stream
*sa_pbs
, /* body of input SA Payload */
1711 const struct isakmp_sa
*sa
, /* header of input SA Payload */
1712 pb_stream
*r_sa_pbs
, /* if non-NULL, where to emit body of winning SA */
1713 bool selection
, /* if this SA is a selection, only one transform may appear */
1714 struct state
*st
) /* current state object */
1716 const struct connection
*c
= st
->st_connection
;
1717 u_int32_t ipsecdoisit
;
1718 pb_stream next_proposal_pbs
;
1720 struct isakmp_proposal next_proposal
;
1721 ipsec_spi_t next_spi
;
1723 bool next_full
= TRUE
;
1726 if (sa
->isasa_doi
!= ISAKMP_DOI_IPSEC
)
1728 loglog(RC_LOG_SERIOUS
, "Unknown or unsupported DOI %s", enum_show(&doi_names
, sa
->isasa_doi
));
1729 /* XXX Could send notification back */
1730 return DOI_NOT_SUPPORTED
;
1734 if (!in_struct(&ipsecdoisit
, &ipsec_sit_desc
, sa_pbs
, NULL
))
1735 return SITUATION_NOT_SUPPORTED
;
1737 if (ipsecdoisit
!= SIT_IDENTITY_ONLY
)
1739 loglog(RC_LOG_SERIOUS
, "unsupported IPsec DOI situation (%s)"
1740 , bitnamesof(sit_bit_names
, ipsecdoisit
));
1741 /* XXX Could send notification back */
1742 return SITUATION_NOT_SUPPORTED
;
1745 /* The rules for IPsec SAs are scattered.
1746 * RFC 2408 "ISAKMP" section 4.2 gives some info.
1747 * There may be multiple proposals. Those with identical proposal
1748 * numbers must be considered as conjuncts. Those with different
1749 * numbers are disjuncts.
1750 * Each proposal may have several transforms, each considered
1752 * Each transform may have several attributes, all applying.
1754 * To handle the way proposals are combined, we need to do a
1758 if (!in_struct(&next_proposal
, &isakmp_proposal_desc
, sa_pbs
, &next_proposal_pbs
))
1759 return BAD_PROPOSAL_SYNTAX
;
1761 /* for each conjunction of proposals... */
1764 int propno
= next_proposal
.isap_proposal
;
1765 pb_stream ah_prop_pbs
, esp_prop_pbs
, ipcomp_prop_pbs
;
1766 struct isakmp_proposal ah_proposal
= {0, 0, 0, 0, 0, 0, 0};
1767 struct isakmp_proposal esp_proposal
= {0, 0, 0, 0, 0, 0, 0};
1768 struct isakmp_proposal ipcomp_proposal
= {0, 0, 0, 0, 0, 0, 0};
1769 ipsec_spi_t ah_spi
= 0;
1770 ipsec_spi_t esp_spi
= 0;
1771 ipsec_spi_t ipcomp_cpi
= 0;
1772 bool ah_seen
= FALSE
;
1773 bool esp_seen
= FALSE
;
1774 bool ipcomp_seen
= FALSE
;
1775 bool tunnel_mode
= FALSE
;
1776 int inner_proto
= 0;
1777 u_int16_t well_known_cpi
= 0;
1779 pb_stream ah_trans_pbs
, esp_trans_pbs
, ipcomp_trans_pbs
;
1780 struct isakmp_transform ah_trans
, esp_trans
, ipcomp_trans
;
1781 struct ipsec_trans_attrs ah_attrs
, esp_attrs
, ipcomp_attrs
;
1783 /* for each proposal in the conjunction */
1786 if (next_proposal
.isap_protoid
== PROTO_IPCOMP
)
1789 if (next_proposal
.isap_spisize
== IPSEC_DOI_SPI_SIZE
)
1791 /* This code is to accommodate those peculiar
1792 * implementations that send a CPI in the bottom of an
1794 * See draft-shacham-ippcp-rfc2393bis-05.txt 4.1
1796 u_int8_t filler
[IPSEC_DOI_SPI_SIZE
- IPCOMP_CPI_SIZE
];
1798 if (!in_raw(filler
, sizeof(filler
)
1799 , &next_proposal_pbs
, "CPI filler")
1800 || !all_zero(filler
, sizeof(filler
)))
1803 else if (next_proposal
.isap_spisize
!= IPCOMP_CPI_SIZE
)
1805 loglog(RC_LOG_SERIOUS
, "IPsec Proposal with improper CPI size (%u)"
1806 , next_proposal
.isap_spisize
);
1810 /* We store CPI in the low order of a network order
1811 * ipsec_spi_t. So we start a couple of bytes in.
1814 if (!in_raw((u_char
*)&next_spi
1815 + IPSEC_DOI_SPI_SIZE
- IPCOMP_CPI_SIZE
1816 , IPCOMP_CPI_SIZE
, &next_proposal_pbs
, "CPI"))
1819 /* If sanity ruled, CPIs would have to be such that
1820 * the SAID (the triple (CPI, IPCOM, destination IP))
1821 * would be unique, just like for SPIs. But there is a
1822 * perversion where CPIs can be well-known and consequently
1823 * the triple is not unique. We hide this fact from
1824 * ourselves by fudging the top 16 bits to make
1825 * the property true internally!
1827 switch (ntohl(next_spi
))
1829 case IPCOMP_DEFLATE
:
1830 well_known_cpi
= ntohl(next_spi
);
1831 next_spi
= uniquify_his_cpi(next_spi
, st
);
1834 loglog(RC_LOG_SERIOUS
1835 , "IPsec Proposal contains well-known CPI that I cannot uniquify");
1840 if (ntohl(next_spi
) < IPCOMP_FIRST_NEGOTIATED
1841 || ntohl(next_spi
) > IPCOMP_LAST_NEGOTIATED
)
1843 loglog(RC_LOG_SERIOUS
, "IPsec Proposal contains CPI from non-negotiated range (0x%lx)"
1844 , (unsigned long) ntohl(next_spi
));
1853 if (next_proposal
.isap_spisize
!= IPSEC_DOI_SPI_SIZE
)
1855 loglog(RC_LOG_SERIOUS
, "IPsec Proposal with improper SPI size (%u)"
1856 , next_proposal
.isap_spisize
);
1860 if (!in_raw((u_char
*)&next_spi
, sizeof(next_spi
), &next_proposal_pbs
, "SPI"))
1863 /* SPI value 0 is invalid and values 1-255 are reserved to IANA.
1864 * RFC 2402 (ESP) 2.4, RFC 2406 (AH) 2.1
1867 if (ntohl(next_spi
) < IPSEC_DOI_SPI_MIN
)
1869 loglog(RC_LOG_SERIOUS
, "IPsec Proposal contains invalid SPI (0x%lx)"
1870 , (unsigned long) ntohl(next_spi
));
1875 if (next_proposal
.isap_notrans
== 0)
1877 loglog(RC_LOG_SERIOUS
, "IPsec Proposal contains no Transforms");
1878 return BAD_PROPOSAL_SYNTAX
;
1881 switch (next_proposal
.isap_protoid
)
1883 case PROTO_IPSEC_AH
:
1886 loglog(RC_LOG_SERIOUS
, "IPsec SA contains two simultaneous AH Proposals");
1887 return BAD_PROPOSAL_SYNTAX
;
1890 ah_prop_pbs
= next_proposal_pbs
;
1891 ah_proposal
= next_proposal
;
1895 case PROTO_IPSEC_ESP
:
1898 loglog(RC_LOG_SERIOUS
, "IPsec SA contains two simultaneous ESP Proposals");
1899 return BAD_PROPOSAL_SYNTAX
;
1902 esp_prop_pbs
= next_proposal_pbs
;
1903 esp_proposal
= next_proposal
;
1910 loglog(RC_LOG_SERIOUS
, "IPsec SA contains two simultaneous IPCOMP Proposals");
1911 return BAD_PROPOSAL_SYNTAX
;
1914 ipcomp_prop_pbs
= next_proposal_pbs
;
1915 ipcomp_proposal
= next_proposal
;
1916 ipcomp_cpi
= next_spi
;
1920 loglog(RC_LOG_SERIOUS
, "unexpected Protocol ID (%s) in IPsec Proposal"
1921 , enum_show(&protocol_names
, next_proposal
.isap_protoid
));
1922 return INVALID_PROTOCOL_ID
;
1925 /* refill next_proposal */
1926 if (next_proposal
.isap_np
== ISAKMP_NEXT_NONE
)
1931 else if (next_proposal
.isap_np
!= ISAKMP_NEXT_P
)
1933 loglog(RC_LOG_SERIOUS
, "unexpected in Proposal: %s"
1934 , enum_show(&payload_names
, next_proposal
.isap_np
));
1935 return BAD_PROPOSAL_SYNTAX
;
1938 if (!in_struct(&next_proposal
, &isakmp_proposal_desc
, sa_pbs
, &next_proposal_pbs
))
1939 return BAD_PROPOSAL_SYNTAX
;
1940 } while (next_proposal
.isap_proposal
== propno
);
1942 /* Now that we have all conjuncts, we should try
1943 * the Cartesian product of eachs tranforms!
1944 * At the moment, we take short-cuts on account of
1945 * our rudimentary hard-wired policy.
1946 * For now, we find an acceptable AH (if any)
1947 * and then an acceptable ESP. The only interaction
1948 * is that the ESP acceptance can know whether there
1949 * was an acceptable AH and hence not require an AUTH.
1954 int previous_transnum
= -1;
1957 for (tn
= 0; tn
!= ah_proposal
.isap_notrans
; tn
++)
1960 bool ok_auth
= FALSE
;
1962 if (!parse_ipsec_transform(&ah_trans
1966 , &isakmp_ah_transform_desc
1969 , tn
== ah_proposal
.isap_notrans
- 1
1972 return BAD_PROPOSAL_SYNTAX
;
1974 previous_transnum
= ah_trans
.isat_transnum
;
1976 /* we must understand ah_attrs.transid
1977 * COMBINED with ah_attrs.auth.
1978 * See RFC 2407 "IPsec DOI" section 4.4.3
1979 * The following combinations are legal,
1980 * but we don't implement all of them:
1981 * It seems as if each auth algorithm
1982 * only applies to one ah transid.
1983 * AH_MD5, AUTH_ALGORITHM_HMAC_MD5
1984 * AH_MD5, AUTH_ALGORITHM_KPDK (unimplemented)
1985 * AH_SHA, AUTH_ALGORITHM_HMAC_SHA1
1986 * AH_DES, AUTH_ALGORITHM_DES_MAC (unimplemented)
1988 switch (ah_attrs
.auth
)
1990 case AUTH_ALGORITHM_NONE
:
1991 loglog(RC_LOG_SERIOUS
, "AUTH_ALGORITHM attribute missing in AH Transform");
1992 return BAD_PROPOSAL_SYNTAX
;
1994 case AUTH_ALGORITHM_HMAC_MD5
:
1997 case AUTH_ALGORITHM_KPDK
:
1998 ok_transid
= AH_MD5
;
2001 case AUTH_ALGORITHM_HMAC_SHA1
:
2003 ok_transid
= AH_SHA
;
2006 case AUTH_ALGORITHM_DES_MAC
:
2007 ok_transid
= AH_DES
;
2010 if (ah_attrs
.transid
!= ok_transid
)
2012 loglog(RC_LOG_SERIOUS
, "%s attribute inappropriate in %s Transform"
2013 , enum_name(&auth_alg_names
, ah_attrs
.auth
)
2014 , enum_show(&ah_transformid_names
, ah_attrs
.transid
));
2015 return BAD_PROPOSAL_SYNTAX
;
2019 DBG(DBG_CONTROL
| DBG_CRYPT
2020 , DBG_log("%s attribute unsupported"
2021 " in %s Transform from %s"
2022 , enum_name(&auth_alg_names
, ah_attrs
.auth
)
2023 , enum_show(&ah_transformid_names
, ah_attrs
.transid
)
2024 , ip_str(&c
->spd
.that
.host_addr
)));
2025 continue; /* try another */
2027 break; /* we seem to be happy */
2029 if (tn
== ah_proposal
.isap_notrans
)
2030 continue; /* we didn't find a nice one */
2031 ah_attrs
.spi
= ah_spi
;
2032 inner_proto
= IPPROTO_AH
;
2033 if (ah_attrs
.encapsulation
== ENCAPSULATION_MODE_TUNNEL
)
2039 int previous_transnum
= -1;
2042 for (tn
= 0; tn
!= esp_proposal
.isap_notrans
; tn
++)
2044 if (!parse_ipsec_transform(&esp_trans
2048 , &isakmp_esp_transform_desc
2051 , tn
== esp_proposal
.isap_notrans
- 1
2054 return BAD_PROPOSAL_SYNTAX
;
2056 previous_transnum
= esp_trans
.isat_transnum
;
2058 /* set default key length for AES encryption */
2059 if (!esp_attrs
.key_len
&& esp_attrs
.transid
== ESP_AES
)
2061 esp_attrs
.key_len
= 128 / BITS_PER_BYTE
;
2064 if (!kernel_alg_esp_enc_ok(esp_attrs
.transid
, esp_attrs
.key_len
2067 switch (esp_attrs
.transid
)
2071 #ifdef SUPPORT_ESP_NULL /* should be about as secure as AH-only */
2073 if (esp_attrs
.auth
== AUTH_ALGORITHM_NONE
)
2075 loglog(RC_LOG_SERIOUS
, "ESP_NULL requires auth algorithm");
2076 return BAD_PROPOSAL_SYNTAX
;
2078 if (st
->st_policy
& POLICY_ENCRYPT
)
2080 DBG(DBG_CONTROL
| DBG_CRYPT
2081 , DBG_log("ESP_NULL Transform Proposal from %s"
2082 " does not satisfy POLICY_ENCRYPT"
2083 , ip_str(&c
->spd
.that
.host_addr
)));
2084 continue; /* try another */
2089 DBG(DBG_CONTROL
| DBG_CRYPT
2090 , DBG_log("unsupported ESP Transform %s from %s"
2091 , enum_show(&esp_transformid_names
, esp_attrs
.transid
)
2092 , ip_str(&c
->spd
.that
.host_addr
)));
2093 continue; /* try another */
2097 if (!kernel_alg_esp_auth_ok(esp_attrs
.auth
, c
->alg_info_esp
))
2099 switch (esp_attrs
.auth
)
2101 case AUTH_ALGORITHM_NONE
:
2104 DBG(DBG_CONTROL
| DBG_CRYPT
2105 , DBG_log("ESP from %s must either have AUTH or be combined with AH"
2106 , ip_str(&c
->spd
.that
.host_addr
)));
2107 continue; /* try another */
2110 case AUTH_ALGORITHM_HMAC_MD5
:
2111 case AUTH_ALGORITHM_HMAC_SHA1
:
2114 DBG(DBG_CONTROL
| DBG_CRYPT
2115 , DBG_log("unsupported ESP auth alg %s from %s"
2116 , enum_show(&auth_alg_names
, esp_attrs
.auth
)
2117 , ip_str(&c
->spd
.that
.host_addr
)));
2118 continue; /* try another */
2122 /* A last check for allowed transforms in alg_info_esp
2123 * (ALG_INFO_F_STRICT flag)
2125 if (!kernel_alg_esp_ok_final(esp_attrs
.transid
, esp_attrs
.key_len
2126 ,esp_attrs
.auth
, c
->alg_info_esp
))
2131 if (ah_seen
&& ah_attrs
.encapsulation
!= esp_attrs
.encapsulation
)
2133 /* ??? This should be an error, but is it? */
2134 DBG(DBG_CONTROL
| DBG_CRYPT
2135 , DBG_log("AH and ESP transforms disagree about encapsulation; TUNNEL presumed"));
2138 break; /* we seem to be happy */
2140 if (tn
== esp_proposal
.isap_notrans
)
2141 continue; /* we didn't find a nice one */
2143 esp_attrs
.spi
= esp_spi
;
2144 inner_proto
= IPPROTO_ESP
;
2145 if (esp_attrs
.encapsulation
== ENCAPSULATION_MODE_TUNNEL
)
2148 else if (st
->st_policy
& POLICY_ENCRYPT
)
2150 DBG(DBG_CONTROL
| DBG_CRYPT
2151 , DBG_log("policy for \"%s\" requires encryption but ESP not in Proposal from %s"
2152 , c
->name
, ip_str(&c
->spd
.that
.host_addr
)));
2153 continue; /* we needed encryption, but didn't find ESP */
2155 else if ((st
->st_policy
& POLICY_AUTHENTICATE
) && !ah_seen
)
2157 DBG(DBG_CONTROL
| DBG_CRYPT
2158 , DBG_log("policy for \"%s\" requires authentication"
2159 " but none in Proposal from %s"
2160 , c
->name
, ip_str(&c
->spd
.that
.host_addr
)));
2161 continue; /* we need authentication, but we found neither ESP nor AH */
2166 int previous_transnum
= -1;
2169 #ifdef NEVER /* we think IPcomp is working now */
2170 /**** FUDGE TO PREVENT UNREQUESTED IPCOMP:
2171 **** NEEDED BECAUSE OUR IPCOMP IS EXPERIMENTAL (UNSTABLE).
2173 if (!(st
->st_policy
& POLICY_COMPRESS
))
2175 plog("compression proposed by %s, but policy for \"%s\" forbids it"
2176 , ip_str(&c
->spd
.that
.host_addr
), c
->name
);
2177 continue; /* unwanted compression proposal */
2182 plog("compression proposed by %s, but KLIPS is not configured with IPCOMP"
2183 , ip_str(&c
->spd
.that
.host_addr
));
2187 if (well_known_cpi
!= 0 && !ah_seen
&& !esp_seen
)
2189 plog("illegal proposal: bare IPCOMP used with well-known CPI");
2190 return BAD_PROPOSAL_SYNTAX
;
2193 for (tn
= 0; tn
!= ipcomp_proposal
.isap_notrans
; tn
++)
2195 if (!parse_ipsec_transform(&ipcomp_trans
2199 , &isakmp_ipcomp_transform_desc
2202 , tn
== ipcomp_proposal
.isap_notrans
- 1
2205 return BAD_PROPOSAL_SYNTAX
;
2207 previous_transnum
= ipcomp_trans
.isat_transnum
;
2209 if (well_known_cpi
!= 0 && ipcomp_attrs
.transid
!= well_known_cpi
)
2211 plog("illegal proposal: IPCOMP well-known CPI disagrees with transform");
2212 return BAD_PROPOSAL_SYNTAX
;
2215 switch (ipcomp_attrs
.transid
)
2217 case IPCOMP_DEFLATE
: /* all we can handle! */
2221 DBG(DBG_CONTROL
| DBG_CRYPT
2222 , DBG_log("unsupported IPCOMP Transform %s from %s"
2223 , enum_show(&ipcomp_transformid_names
, ipcomp_attrs
.transid
)
2224 , ip_str(&c
->spd
.that
.host_addr
)));
2225 continue; /* try another */
2228 if (ah_seen
&& ah_attrs
.encapsulation
!= ipcomp_attrs
.encapsulation
)
2230 /* ??? This should be an error, but is it? */
2231 DBG(DBG_CONTROL
| DBG_CRYPT
2232 , DBG_log("AH and IPCOMP transforms disagree about encapsulation; TUNNEL presumed"));
2233 } else if (esp_seen
&& esp_attrs
.encapsulation
!= ipcomp_attrs
.encapsulation
)
2235 /* ??? This should be an error, but is it? */
2236 DBG(DBG_CONTROL
| DBG_CRYPT
2237 , DBG_log("ESP and IPCOMP transforms disagree about encapsulation; TUNNEL presumed"));
2240 break; /* we seem to be happy */
2242 if (tn
== ipcomp_proposal
.isap_notrans
)
2243 continue; /* we didn't find a nice one */
2244 ipcomp_attrs
.spi
= ipcomp_cpi
;
2245 inner_proto
= IPPROTO_COMP
;
2246 if (ipcomp_attrs
.encapsulation
== ENCAPSULATION_MODE_TUNNEL
)
2250 /* Eureka: we liked what we saw -- accept it. */
2252 if (r_sa_pbs
!= NULL
)
2254 /* emit what we've accepted */
2257 if (!out_struct(&ipsecdoisit
, &ipsec_sit_desc
, r_sa_pbs
, NULL
))
2262 echo_proposal(ah_proposal
2264 , esp_seen
|| ipcomp_seen? ISAKMP_NEXT_P
: ISAKMP_NEXT_NONE
2267 , &isakmp_ah_transform_desc
2269 , &st
->st_connection
->spd
2270 , tunnel_mode
&& inner_proto
== IPPROTO_AH
);
2274 echo_proposal(esp_proposal
2276 , ipcomp_seen? ISAKMP_NEXT_P
: ISAKMP_NEXT_NONE
2279 , &isakmp_esp_transform_desc
2281 , &st
->st_connection
->spd
2282 , tunnel_mode
&& inner_proto
== IPPROTO_ESP
);
2284 /* IPCOMP proposal */
2286 echo_proposal(ipcomp_proposal
2291 , &isakmp_ipcomp_transform_desc
2293 , &st
->st_connection
->spd
2294 , tunnel_mode
&& inner_proto
== IPPROTO_COMP
);
2296 close_output_pbs(r_sa_pbs
);
2299 /* save decoded version of winning SA in state */
2301 st
->st_ah
.present
= ah_seen
;
2303 st
->st_ah
.attrs
= ah_attrs
;
2305 st
->st_esp
.present
= esp_seen
;
2307 st
->st_esp
.attrs
= esp_attrs
;
2309 st
->st_ipcomp
.present
= ipcomp_seen
;
2311 st
->st_ipcomp
.attrs
= ipcomp_attrs
;
2313 return NOTHING_WRONG
;
2316 loglog(RC_LOG_SERIOUS
, "no acceptable Proposal in IPsec SA");
2317 return NO_PROPOSAL_CHOSEN
;