use the Diffie-Hellman functionality of libstrongswan
[strongswan.git] / src / pluto / spdb.c
1 /* Security Policy Data Base (such as it is)
2 * Copyright (C) 1998-2001 D. Hugh Redelmeier.
3 *
4 * This program is free software; you can redistribute it and/or modify it
5 * under the terms of the GNU General Public License as published by the
6 * Free Software Foundation; either version 2 of the License, or (at your
7 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
8 *
9 * This program is distributed in the hope that it will be useful, but
10 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
11 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
12 * for more details.
13 */
14
15 #include <stdio.h>
16 #include <string.h>
17 #include <stdlib.h>
18 #include <sys/socket.h>
19 #include <netinet/in.h>
20 #include <arpa/inet.h>
21 #include <sys/queue.h>
22
23 #include <freeswan.h>
24 #include <ipsec_policy.h>
25
26 #include "constants.h"
27 #include "defs.h"
28 #include "id.h"
29 #include "connections.h"
30 #include "state.h"
31 #include "packet.h"
32 #include "keys.h"
33 #include "kernel.h"
34 #include "log.h"
35 #include "spdb.h"
36 #include "whack.h"
37 #include "crypto.h"
38 #include "alg_info.h"
39 #include "kernel_alg.h"
40 #include "ike_alg.h"
41 #include "db_ops.h"
42 #include "nat_traversal.h"
43
44 #define AD(x) x, countof(x) /* Array Description */
45 #define AD_NULL NULL, 0
46
47 /**************** Oakely (main mode) SA database ****************/
48
49 /* array of proposals to be conjoined (can only be one for Oakley) */
50
51 static struct db_prop oakley_pc[] =
52 { { PROTO_ISAKMP, AD_NULL } };
53
54 /* array of proposal conjuncts (can only be one) */
55
56 static struct db_prop_conj oakley_props[] = { { AD(oakley_pc) } };
57
58 /* the sadb entry */
59 struct db_sa oakley_sadb = { AD(oakley_props) };
60
61 /**************** IPsec (quick mode) SA database ****************/
62
63 /* arrays of attributes for transforms */
64
65 static struct db_attr espsha1_attr[] = {
66 { AUTH_ALGORITHM, AUTH_ALGORITHM_HMAC_SHA1 },
67 };
68
69 static struct db_attr ah_HMAC_SHA1_attr[] = {
70 { AUTH_ALGORITHM, AUTH_ALGORITHM_HMAC_SHA1 },
71 };
72
73 /* arrays of transforms, each in in preference order */
74
75 static struct db_trans espa_trans[] = {
76 { ESP_3DES, AD(espsha1_attr) },
77 };
78
79 static struct db_trans esp_trans[] = {
80 { ESP_3DES, AD_NULL },
81 };
82
83 #ifdef SUPPORT_ESP_NULL
84 static struct db_trans espnull_trans[] = {
85 { ESP_NULL, AD(espsha1_attr) },
86 };
87 #endif /* SUPPORT_ESP_NULL */
88
89 static struct db_trans ah_trans[] = {
90 { AH_SHA, AD(ah_HMAC_SHA1_attr) },
91 };
92
93 static struct db_trans ipcomp_trans[] = {
94 { IPCOMP_DEFLATE, AD_NULL },
95 };
96
97 /* arrays of proposals to be conjoined */
98
99 static struct db_prop ah_pc[] = {
100 { PROTO_IPSEC_AH, AD(ah_trans) },
101 };
102
103 #ifdef SUPPORT_ESP_NULL
104 static struct db_prop espnull_pc[] = {
105 { PROTO_IPSEC_ESP, AD(espnull_trans) },
106 };
107 #endif /* SUPPORT_ESP_NULL */
108
109 static struct db_prop esp_pc[] = {
110 { PROTO_IPSEC_ESP, AD(espa_trans) },
111 };
112
113 static struct db_prop ah_esp_pc[] = {
114 { PROTO_IPSEC_AH, AD(ah_trans) },
115 { PROTO_IPSEC_ESP, AD(esp_trans) },
116 };
117
118 static struct db_prop compress_pc[] = {
119 { PROTO_IPCOMP, AD(ipcomp_trans) },
120 };
121
122 static struct db_prop ah_compress_pc[] = {
123 { PROTO_IPSEC_AH, AD(ah_trans) },
124 { PROTO_IPCOMP, AD(ipcomp_trans) },
125 };
126
127 #ifdef SUPPORT_ESP_NULL
128 static struct db_prop espnull_compress_pc[] = {
129 { PROTO_IPSEC_ESP, AD(espnull_trans) },
130 { PROTO_IPCOMP, AD(ipcomp_trans) },
131 };
132 #endif /* SUPPORT_ESP_NULL */
133
134 static struct db_prop esp_compress_pc[] = {
135 { PROTO_IPSEC_ESP, AD(espa_trans) },
136 { PROTO_IPCOMP, AD(ipcomp_trans) },
137 };
138
139 static struct db_prop ah_esp_compress_pc[] = {
140 { PROTO_IPSEC_AH, AD(ah_trans) },
141 { PROTO_IPSEC_ESP, AD(esp_trans) },
142 { PROTO_IPCOMP, AD(ipcomp_trans) },
143 };
144
145 /* arrays of proposal alternatives (each element is a conjunction) */
146
147 static struct db_prop_conj ah_props[] = {
148 { AD(ah_pc) },
149 #ifdef SUPPORT_ESP_NULL
150 { AD(espnull_pc) }
151 #endif
152 };
153
154 static struct db_prop_conj esp_props[] =
155 { { AD(esp_pc) } };
156
157 static struct db_prop_conj ah_esp_props[] =
158 { { AD(ah_esp_pc) } };
159
160 static struct db_prop_conj compress_props[] = {
161 { AD(compress_pc) },
162 };
163
164 static struct db_prop_conj ah_compress_props[] = {
165 { AD(ah_compress_pc) },
166 #ifdef SUPPORT_ESP_NULL
167 { AD(espnull_compress_pc) }
168 #endif
169 };
170
171 static struct db_prop_conj esp_compress_props[] =
172 { { AD(esp_compress_pc) } };
173
174 static struct db_prop_conj ah_esp_compress_props[] =
175 { { AD(ah_esp_compress_pc) } };
176
177 /* The IPsec sadb is subscripted by a bitset (subset of policy)
178 * with members from { POLICY_ENCRYPT, POLICY_AUTHENTICATE, POLICY_COMPRESS }
179 * shifted right by POLICY_IPSEC_SHIFT.
180 */
181 struct db_sa ipsec_sadb[1 << 3] = {
182 { AD_NULL }, /* none */
183 { AD(esp_props) }, /* POLICY_ENCRYPT */
184 { AD(ah_props) }, /* POLICY_AUTHENTICATE */
185 { AD(ah_esp_props) }, /* POLICY_ENCRYPT+POLICY_AUTHENTICATE */
186 { AD(compress_props) }, /* POLICY_COMPRESS */
187 { AD(esp_compress_props) }, /* POLICY_ENCRYPT+POLICY_COMPRESS */
188 { AD(ah_compress_props) }, /* POLICY_AUTHENTICATE+POLICY_COMPRESS */
189 { AD(ah_esp_compress_props) }, /* POLICY_ENCRYPT+POLICY_AUTHENTICATE+POLICY_COMPRESS */
190 };
191
192 #undef AD
193 #undef AD_NULL
194
195 /* output an attribute (within an SA) */
196 static bool
197 out_attr(int type
198 , unsigned long val
199 , struct_desc *attr_desc
200 , enum_names **attr_val_descs USED_BY_DEBUG
201 , pb_stream *pbs)
202 {
203 struct isakmp_attribute attr;
204
205 if (val >> 16 == 0)
206 {
207 /* short value: use TV form */
208 attr.isaat_af_type = type | ISAKMP_ATTR_AF_TV;
209 attr.isaat_lv = val;
210 if (!out_struct(&attr, attr_desc, pbs, NULL))
211 return FALSE;
212 }
213 else
214 {
215 /* This is a real fudge! Since we rarely use long attributes
216 * and since this is the only place where we can cause an
217 * ISAKMP message length to be other than a multiple of 4 octets,
218 * we force the length of the value to be a multiple of 4 octets.
219 * Furthermore, we only handle values up to 4 octets in length.
220 * Voila: a fixed format!
221 */
222 pb_stream val_pbs;
223 u_int32_t nval = htonl(val);
224
225 attr.isaat_af_type = type | ISAKMP_ATTR_AF_TLV;
226 if (!out_struct(&attr, attr_desc, pbs, &val_pbs)
227 || !out_raw(&nval, sizeof(nval), &val_pbs, "long attribute value"))
228 return FALSE;
229 close_output_pbs(&val_pbs);
230 }
231 DBG(DBG_EMITTING,
232 enum_names *d = attr_val_descs[type];
233
234 if (d != NULL)
235 DBG_log(" [%lu is %s]"
236 , val, enum_show(d, val)));
237 return TRUE;
238 }
239 #define return_on(var, val) do { var=val;goto return_out; } while(0);
240 /* Output an SA, as described by a db_sa.
241 * This has the side-effect of allocating SPIs for us.
242 */
243 bool
244 out_sa(pb_stream *outs
245 , struct db_sa *sadb
246 , struct state *st
247 , bool oakley_mode
248 , u_int8_t np)
249 {
250 pb_stream sa_pbs;
251 int pcn;
252 bool ret = FALSE;
253 bool ah_spi_generated = FALSE
254 , esp_spi_generated = FALSE
255 , ipcomp_cpi_generated = FALSE;
256 #if !defined NO_KERNEL_ALG || !defined NO_IKE_ALG
257 struct db_context *db_ctx = NULL;
258 #endif
259
260 /* SA header out */
261 {
262 struct isakmp_sa sa;
263
264 sa.isasa_np = np;
265 st->st_doi = sa.isasa_doi = ISAKMP_DOI_IPSEC; /* all we know */
266 if (!out_struct(&sa, &isakmp_sa_desc, outs, &sa_pbs))
267 return_on(ret, FALSE);
268 }
269
270 /* within SA: situation out */
271 st->st_situation = SIT_IDENTITY_ONLY;
272 if (!out_struct(&st->st_situation, &ipsec_sit_desc, &sa_pbs, NULL))
273 return_on(ret, FALSE);
274
275 /* within SA: Proposal Payloads
276 *
277 * Multiple Proposals with the same number are simultaneous
278 * (conjuncts) and must deal with different protocols (AH or ESP).
279 * Proposals with different numbers are alternatives (disjuncts),
280 * in preference order.
281 * Proposal numbers must be monotonic.
282 * See RFC 2408 "ISAKMP" 4.2
283 */
284
285 for (pcn = 0; pcn != sadb->prop_conj_cnt; pcn++)
286 {
287 struct db_prop_conj *pc = &sadb->prop_conjs[pcn];
288 int pn;
289
290 for (pn = 0; pn != pc->prop_cnt; pn++)
291 {
292 struct db_prop *p = &pc->props[pn];
293 pb_stream proposal_pbs;
294 struct isakmp_proposal proposal;
295 struct_desc *trans_desc = NULL;
296 struct_desc *attr_desc = NULL;
297 enum_names **attr_val_descs = NULL;
298 int tn;
299 bool tunnel_mode;
300
301 tunnel_mode = (pn == pc->prop_cnt-1)
302 && (st->st_policy & POLICY_TUNNEL);
303
304 /* Proposal header */
305 proposal.isap_np = pcn == sadb->prop_conj_cnt-1 && pn == pc->prop_cnt-1
306 ? ISAKMP_NEXT_NONE : ISAKMP_NEXT_P;
307 proposal.isap_proposal = pcn;
308 proposal.isap_protoid = p->protoid;
309 proposal.isap_spisize = oakley_mode ? 0
310 : p->protoid == PROTO_IPCOMP ? IPCOMP_CPI_SIZE
311 : IPSEC_DOI_SPI_SIZE;
312
313 /* In quick mode ONLY, create proposal for runtime kernel algos.
314 * Replace ESP proposals with runtime created one
315 */
316 if (!oakley_mode && p->protoid == PROTO_IPSEC_ESP)
317 {
318 DBG(DBG_CONTROL | DBG_CRYPT,
319 if (st->st_connection->alg_info_esp)
320 {
321 static char buf[BUF_LEN]="";
322
323 alg_info_snprint(buf, sizeof (buf),
324 (struct alg_info *)st->st_connection->alg_info_esp);
325 DBG_log(buf);
326 }
327 )
328 db_ctx = kernel_alg_db_new(st->st_connection->alg_info_esp, st->st_policy);
329 p = db_prop_get(db_ctx);
330
331 if (!p || p->trans_cnt == 0)
332 {
333 loglog(RC_LOG_SERIOUS,
334 "empty IPSEC SA proposal to send "
335 "(no kernel algorithms for esp selection)");
336 return_on(ret, FALSE);
337 }
338 }
339
340 if (oakley_mode && p->protoid == PROTO_ISAKMP)
341 {
342 DBG(DBG_CONTROL | DBG_CRYPT,
343 if (st->st_connection->alg_info_ike)
344 {
345 static char buf[BUF_LEN]="";
346
347 alg_info_snprint(buf, sizeof (buf),
348 (struct alg_info *)st->st_connection->alg_info_ike);
349 DBG_log(buf);
350 }
351 )
352 db_ctx = ike_alg_db_new(st->st_connection->alg_info_ike, st->st_policy);
353 p = db_prop_get(db_ctx);
354
355 if (!p || p->trans_cnt == 0)
356 {
357 loglog(RC_LOG_SERIOUS,
358 "empty ISAKMP SA proposal to send "
359 "(no algorithms for ike selection?)");
360 return_on(ret, FALSE);
361 }
362 }
363
364 proposal.isap_notrans = p->trans_cnt;
365 if (!out_struct(&proposal, &isakmp_proposal_desc, &sa_pbs, &proposal_pbs))
366 return_on(ret, FALSE);
367
368 /* Per-protocols stuff:
369 * Set trans_desc.
370 * Set attr_desc.
371 * Set attr_val_descs.
372 * If not oakley_mode, emit SPI.
373 * We allocate SPIs on demand.
374 * All ESPs in an SA will share a single SPI.
375 * All AHs in an SAwill share a single SPI.
376 * AHs' SPI will be distinct from ESPs'.
377 * This latter is needed because KLIPS doesn't
378 * use the protocol when looking up a (dest, protocol, spi).
379 * ??? If multiple ESPs are composed, how should their SPIs
380 * be allocated?
381 */
382 {
383 ipsec_spi_t *spi_ptr = NULL;
384 int proto = 0;
385 bool *spi_generated = NULL;
386
387 switch (p->protoid)
388 {
389 case PROTO_ISAKMP:
390 passert(oakley_mode);
391 trans_desc = &isakmp_isakmp_transform_desc;
392 attr_desc = &isakmp_oakley_attribute_desc;
393 attr_val_descs = oakley_attr_val_descs;
394 /* no SPI needed */
395 break;
396 case PROTO_IPSEC_AH:
397 passert(!oakley_mode);
398 trans_desc = &isakmp_ah_transform_desc;
399 attr_desc = &isakmp_ipsec_attribute_desc;
400 attr_val_descs = ipsec_attr_val_descs;
401 spi_ptr = &st->st_ah.our_spi;
402 spi_generated = &ah_spi_generated;
403 proto = IPPROTO_AH;
404 break;
405 case PROTO_IPSEC_ESP:
406 passert(!oakley_mode);
407 trans_desc = &isakmp_esp_transform_desc;
408 attr_desc = &isakmp_ipsec_attribute_desc;
409 attr_val_descs = ipsec_attr_val_descs;
410 spi_ptr = &st->st_esp.our_spi;
411 spi_generated = &esp_spi_generated;
412 proto = IPPROTO_ESP;
413 break;
414 case PROTO_IPCOMP:
415 passert(!oakley_mode);
416 trans_desc = &isakmp_ipcomp_transform_desc;
417 attr_desc = &isakmp_ipsec_attribute_desc;
418 attr_val_descs = ipsec_attr_val_descs;
419
420 /* a CPI isn't quite the same as an SPI
421 * so we use specialized code to emit it.
422 */
423 if (!ipcomp_cpi_generated)
424 {
425 st->st_ipcomp.our_spi = get_my_cpi(
426 &st->st_connection->spd, tunnel_mode);
427 if (st->st_ipcomp.our_spi == 0)
428 return_on(ret, FALSE); /* problem generating CPI */
429
430 ipcomp_cpi_generated = TRUE;
431 }
432 /* CPI is stored in network low order end of an
433 * ipsec_spi_t. So we start a couple of bytes in.
434 */
435 if (!out_raw((u_char *)&st->st_ipcomp.our_spi
436 + IPSEC_DOI_SPI_SIZE - IPCOMP_CPI_SIZE
437 , IPCOMP_CPI_SIZE
438 , &proposal_pbs, "CPI"))
439 return_on(ret, FALSE);
440 break;
441 default:
442 bad_case(p->protoid);
443 }
444 if (spi_ptr != NULL)
445 {
446 if (!*spi_generated)
447 {
448 *spi_ptr = get_ipsec_spi(0
449 , proto
450 , &st->st_connection->spd
451 , tunnel_mode);
452 if (*spi_ptr == 0)
453 return FALSE;
454 *spi_generated = TRUE;
455 }
456 if (!out_raw((u_char *)spi_ptr, IPSEC_DOI_SPI_SIZE
457 , &proposal_pbs, "SPI"))
458 return_on(ret, FALSE);
459 }
460 }
461
462 /* within proposal: Transform Payloads */
463 for (tn = 0; tn != p->trans_cnt; tn++)
464 {
465 struct db_trans *t = &p->trans[tn];
466 pb_stream trans_pbs;
467 struct isakmp_transform trans;
468 int an;
469
470 trans.isat_np = (tn == p->trans_cnt - 1)
471 ? ISAKMP_NEXT_NONE : ISAKMP_NEXT_T;
472 trans.isat_transnum = tn;
473 trans.isat_transid = t->transid;
474 if (!out_struct(&trans, trans_desc, &proposal_pbs, &trans_pbs))
475 return_on(ret, FALSE);
476
477 /* Within tranform: Attributes. */
478
479 /* For Phase 2 / Quick Mode, GROUP_DESCRIPTION is
480 * automatically generated because it must be the same
481 * in every transform. Except IPCOMP.
482 */
483 if (p->protoid != PROTO_IPCOMP
484 && st->st_pfs_group != NULL)
485 {
486 passert(!oakley_mode);
487 passert(st->st_pfs_group != &unset_group);
488 out_attr(GROUP_DESCRIPTION, st->st_pfs_group->algo_id
489 , attr_desc, attr_val_descs
490 , &trans_pbs);
491 }
492
493 /* automatically generate duration
494 * and, for Phase 2 / Quick Mode, encapsulation.
495 */
496 if (oakley_mode)
497 {
498 out_attr(OAKLEY_LIFE_TYPE, OAKLEY_LIFE_SECONDS
499 , attr_desc, attr_val_descs
500 , &trans_pbs);
501 out_attr(OAKLEY_LIFE_DURATION
502 , st->st_connection->sa_ike_life_seconds
503 , attr_desc, attr_val_descs
504 , &trans_pbs);
505 }
506 else
507 {
508 /* RFC 2407 (IPSEC DOI) 4.5 specifies that
509 * the default is "unspecified (host-dependent)".
510 * This makes little sense, so we always specify it.
511 *
512 * Unlike other IPSEC transforms, IPCOMP defaults
513 * to Transport Mode, so we can exploit the default
514 * (draft-shacham-ippcp-rfc2393bis-05.txt 4.1).
515 */
516 if (p->protoid != PROTO_IPCOMP
517 || st->st_policy & POLICY_TUNNEL)
518 {
519 #ifndef I_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT
520 if ((st->nat_traversal & NAT_T_DETECTED)
521 && !(st->st_policy & POLICY_TUNNEL))
522 {
523 /* Inform user that we will not respect policy and only
524 * propose Tunnel Mode
525 */
526 loglog(RC_LOG_SERIOUS, "NAT-Traversal: "
527 "Transport Mode not allowed due to security concerns -- "
528 "using Tunnel mode");
529 }
530 #endif
531 out_attr(ENCAPSULATION_MODE
532 #ifdef I_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT
533 , NAT_T_ENCAPSULATION_MODE(st, st->st_policy)
534 #else
535 /* If NAT-T is detected, use UDP_TUNNEL as long as Transport
536 * Mode has security concerns.
537 *
538 * User has been informed of that
539 */
540 , NAT_T_ENCAPSULATION_MODE(st, POLICY_TUNNEL)
541 #endif
542 , attr_desc, attr_val_descs
543 , &trans_pbs);
544 }
545 out_attr(SA_LIFE_TYPE, SA_LIFE_TYPE_SECONDS
546 , attr_desc, attr_val_descs
547 , &trans_pbs);
548 out_attr(SA_LIFE_DURATION
549 , st->st_connection->sa_ipsec_life_seconds
550 , attr_desc, attr_val_descs
551 , &trans_pbs);
552 }
553
554 /* spit out attributes from table */
555 for (an = 0; an != t->attr_cnt; an++)
556 {
557 struct db_attr *a = &t->attrs[an];
558
559 out_attr(a->type, a->val
560 , attr_desc, attr_val_descs
561 , &trans_pbs);
562 }
563
564 close_output_pbs(&trans_pbs);
565 }
566 close_output_pbs(&proposal_pbs);
567 }
568 /* end of a conjunction of proposals */
569 }
570 close_output_pbs(&sa_pbs);
571 ret = TRUE;
572
573 return_out:
574
575 #if !defined NO_KERNEL_ALG || !defined NO_IKE_ALG
576 if (db_ctx)
577 db_destroy(db_ctx);
578 #endif
579 return ret;
580 }
581
582 /* Handle long form of duration attribute.
583 * The code is can only handle values that can fit in unsigned long.
584 * "Clamping" is probably an acceptable way to impose this limitation.
585 */
586 static u_int32_t
587 decode_long_duration(pb_stream *pbs)
588 {
589 u_int32_t val = 0;
590
591 /* ignore leading zeros */
592 while (pbs_left(pbs) != 0 && *pbs->cur == '\0')
593 pbs->cur++;
594
595 if (pbs_left(pbs) > sizeof(val))
596 {
597 /* "clamp" too large value to max representable value */
598 val -= 1; /* portable way to get to maximum value */
599 DBG(DBG_PARSING, DBG_log(" too large duration clamped to: %lu"
600 , (unsigned long)val));
601 }
602 else
603 {
604 /* decode number */
605 while (pbs_left(pbs) != 0)
606 val = (val << BITS_PER_BYTE) | *pbs->cur++;
607 DBG(DBG_PARSING, DBG_log(" long duration: %lu", (unsigned long)val));
608 }
609 return val;
610 }
611
612 /* Preparse the body of an ISAKMP SA Payload and
613 * return body of ISAKMP Proposal Payload
614 *
615 * Only IPsec DOI is accepted (what is the ISAKMP DOI?).
616 * Error response is rudimentary.
617 */
618 notification_t
619 preparse_isakmp_sa_body(const struct isakmp_sa *sa
620 , pb_stream *sa_pbs
621 , u_int32_t *ipsecdoisit
622 , pb_stream *proposal_pbs
623 , struct isakmp_proposal *proposal)
624 {
625 /* DOI */
626 if (sa->isasa_doi != ISAKMP_DOI_IPSEC)
627 {
628 loglog(RC_LOG_SERIOUS, "Unknown/unsupported DOI %s", enum_show(&doi_names, sa->isasa_doi));
629 /* XXX Could send notification back */
630 return DOI_NOT_SUPPORTED;
631 }
632
633 /* Situation */
634 if (!in_struct(ipsecdoisit, &ipsec_sit_desc, sa_pbs, NULL))
635 return SITUATION_NOT_SUPPORTED;
636
637 if (*ipsecdoisit != SIT_IDENTITY_ONLY)
638 {
639 loglog(RC_LOG_SERIOUS, "unsupported IPsec DOI situation (%s)"
640 , bitnamesof(sit_bit_names, *ipsecdoisit));
641 /* XXX Could send notification back */
642 return SITUATION_NOT_SUPPORTED;
643 }
644
645 /* The rules for ISAKMP SAs are scattered.
646 * RFC 2409 "IKE" section 5 says that there
647 * can only be one SA, and it can have only one proposal in it.
648 * There may well be multiple transforms.
649 */
650 if (!in_struct(proposal, &isakmp_proposal_desc, sa_pbs, proposal_pbs))
651 return PAYLOAD_MALFORMED;
652
653 if (proposal->isap_np != ISAKMP_NEXT_NONE)
654 {
655 loglog(RC_LOG_SERIOUS, "Proposal Payload must be alone in Oakley SA; found %s following Proposal"
656 , enum_show(&payload_names, proposal->isap_np));
657 return PAYLOAD_MALFORMED;
658 }
659
660 if (proposal->isap_protoid != PROTO_ISAKMP)
661 {
662 loglog(RC_LOG_SERIOUS, "unexpected Protocol ID (%s) found in Oakley Proposal"
663 , enum_show(&protocol_names, proposal->isap_protoid));
664 return INVALID_PROTOCOL_ID;
665 }
666
667 /* Just what should we accept for the SPI field?
668 * The RFC is sort of contradictory. We will ignore the SPI
669 * as long as it is of the proper size.
670 *
671 * From RFC2408 2.4 Identifying Security Associations:
672 * During phase 1 negotiations, the initiator and responder cookies
673 * determine the ISAKMP SA. Therefore, the SPI field in the Proposal
674 * payload is redundant and MAY be set to 0 or it MAY contain the
675 * transmitting entity's cookie.
676 *
677 * From RFC2408 3.5 Proposal Payload:
678 * o SPI Size (1 octet) - Length in octets of the SPI as defined by
679 * the Protocol-Id. In the case of ISAKMP, the Initiator and
680 * Responder cookie pair from the ISAKMP Header is the ISAKMP SPI,
681 * therefore, the SPI Size is irrelevant and MAY be from zero (0) to
682 * sixteen (16). If the SPI Size is non-zero, the content of the
683 * SPI field MUST be ignored. If the SPI Size is not a multiple of
684 * 4 octets it will have some impact on the SPI field and the
685 * alignment of all payloads in the message. The Domain of
686 * Interpretation (DOI) will dictate the SPI Size for other
687 * protocols.
688 */
689 if (proposal->isap_spisize == 0)
690 {
691 /* empty (0) SPI -- fine */
692 }
693 else if (proposal->isap_spisize <= MAX_ISAKMP_SPI_SIZE)
694 {
695 u_char junk_spi[MAX_ISAKMP_SPI_SIZE];
696
697 if (!in_raw(junk_spi, proposal->isap_spisize, proposal_pbs, "Oakley SPI"))
698 return PAYLOAD_MALFORMED;
699 }
700 else
701 {
702 loglog(RC_LOG_SERIOUS, "invalid SPI size (%u) in Oakley Proposal"
703 , (unsigned)proposal->isap_spisize);
704 return INVALID_SPI;
705 }
706 return NOTHING_WRONG;
707 }
708
709 static struct {
710 u_int8_t *start;
711 u_int8_t *cur;
712 u_int8_t *roof;
713 } backup;
714
715 /*
716 * backup the pointer into a pb_stream
717 */
718 void
719 backup_pbs(pb_stream *pbs)
720 {
721 backup.start = pbs->start;
722 backup.cur = pbs->cur;
723 backup.roof = pbs->roof;
724 }
725
726 /*
727 * restore the pointer into a pb_stream
728 */
729 void
730 restore_pbs(pb_stream *pbs)
731 {
732 pbs->start = backup.start;
733 pbs->cur = backup.cur;
734 pbs->roof = backup.roof;
735 }
736
737 /*
738 * Parse an ISAKMP Proposal Payload for RSA and PSK authentication policies
739 */
740 notification_t
741 parse_isakmp_policy(pb_stream *proposal_pbs
742 , u_int notrans
743 , lset_t *policy)
744 {
745 int last_transnum = -1;
746
747 *policy = LEMPTY;
748
749 while (notrans--)
750 {
751 pb_stream trans_pbs;
752 u_char *attr_start;
753 size_t attr_len;
754 struct isakmp_transform trans;
755
756 if (!in_struct(&trans, &isakmp_isakmp_transform_desc, proposal_pbs, &trans_pbs))
757 return BAD_PROPOSAL_SYNTAX;
758
759 if (trans.isat_transnum <= last_transnum)
760 {
761 /* picky, picky, picky */
762 loglog(RC_LOG_SERIOUS, "Transform Numbers are not monotonically increasing"
763 " in Oakley Proposal");
764 return BAD_PROPOSAL_SYNTAX;
765 }
766 last_transnum = trans.isat_transnum;
767
768 if (trans.isat_transid != KEY_IKE)
769 {
770 loglog(RC_LOG_SERIOUS, "expected KEY_IKE but found %s in Oakley Transform"
771 , enum_show(&isakmp_transformid_names, trans.isat_transid));
772 return INVALID_TRANSFORM_ID;
773 }
774
775 attr_start = trans_pbs.cur;
776 attr_len = pbs_left(&trans_pbs);
777
778 /* preprocess authentication attributes only */
779 while (pbs_left(&trans_pbs) != 0)
780 {
781 struct isakmp_attribute a;
782 pb_stream attr_pbs;
783
784 if (!in_struct(&a, &isakmp_oakley_attribute_desc, &trans_pbs, &attr_pbs))
785 return BAD_PROPOSAL_SYNTAX;
786
787 passert((a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK) < 32);
788
789 switch (a.isaat_af_type)
790 {
791 case OAKLEY_AUTHENTICATION_METHOD | ISAKMP_ATTR_AF_TV:
792 switch (a.isaat_lv)
793 {
794 case OAKLEY_PRESHARED_KEY:
795 *policy |= POLICY_PSK;
796 break;
797 case OAKLEY_RSA_SIG:
798 *policy |= POLICY_RSASIG;
799 break;
800 case XAUTHInitPreShared:
801 *policy |= POLICY_XAUTH_SERVER;
802 /* fall through */
803 case XAUTHRespPreShared:
804 *policy |= POLICY_XAUTH_PSK;
805 break;
806 case XAUTHInitRSA:
807 *policy |= POLICY_XAUTH_SERVER;
808 /* fall through */
809 case XAUTHRespRSA:
810 *policy |= POLICY_XAUTH_RSASIG;
811 break;
812 default:
813 break;
814 }
815 break;
816 default:
817 break;
818 }
819 }
820 }
821 DBG(DBG_CONTROL|DBG_PARSING,
822 DBG_log("preparse_isakmp_policy: peer requests %s authentication"
823 , prettypolicy(*policy))
824 )
825 return NOTHING_WRONG;
826 }
827
828 /*
829 * check that we can find a preshared secret
830 */
831 static err_t
832 find_preshared_key(struct state* st)
833 {
834 err_t ugh = NULL;
835 struct connection *c = st->st_connection;
836
837 if (get_preshared_secret(c) == NULL)
838 {
839 char my_id[BUF_LEN], his_id[BUF_LEN];
840
841 idtoa(&c->spd.this.id, my_id, sizeof(my_id));
842 if (his_id_was_instantiated(c))
843 strcpy(his_id, "%any");
844 else
845 idtoa(&c->spd.that.id, his_id, sizeof(his_id));
846 ugh = builddiag("Can't authenticate: no preshared key found for `%s' and `%s'"
847 , my_id, his_id);
848 }
849 return ugh;
850 }
851
852 /* Parse the body of an ISAKMP SA Payload (i.e. Phase 1 / Main Mode).
853 * Various shortcuts are taken. In particular, the policy, such as
854 * it is, is hardwired.
855 *
856 * If r_sa is non-NULL, the body of an SA representing the selected
857 * proposal is emitted.
858 *
859 * This routine is used by main_inI1_outR1() and main_inR1_outI2().
860 */
861 notification_t
862 parse_isakmp_sa_body(u_int32_t ipsecdoisit
863 , pb_stream *proposal_pbs
864 , struct isakmp_proposal *proposal
865 , pb_stream *r_sa_pbs
866 , struct state *st
867 , bool initiator)
868 {
869 struct connection *c = st->st_connection;
870 unsigned no_trans_left;
871
872 /* for each transform payload... */
873 no_trans_left = proposal->isap_notrans;
874
875 for (;;)
876 {
877 pb_stream trans_pbs;
878 u_char *attr_start;
879 size_t attr_len;
880 struct isakmp_transform trans;
881 lset_t seen_attrs = 0;
882 lset_t seen_durations = 0;
883 u_int16_t life_type = 0;
884 struct oakley_trans_attrs ta;
885 err_t ugh = NULL; /* set to diagnostic when problem detected */
886
887 /* initialize only optional field in ta */
888 ta.life_seconds = OAKLEY_ISAKMP_SA_LIFETIME_DEFAULT; /* When this SA expires (seconds) */
889
890 if (no_trans_left == 0)
891 {
892 loglog(RC_LOG_SERIOUS, "number of Transform Payloads disagrees with Oakley Proposal Payload");
893 return BAD_PROPOSAL_SYNTAX;
894 }
895
896 in_struct(&trans, &isakmp_isakmp_transform_desc, proposal_pbs, &trans_pbs);
897 attr_start = trans_pbs.cur;
898 attr_len = pbs_left(&trans_pbs);
899
900 /* process all the attributes that make up the transform */
901
902 while (pbs_left(&trans_pbs) != 0)
903 {
904 struct isakmp_attribute a;
905 pb_stream attr_pbs;
906 u_int32_t val; /* room for larger values */
907
908 if (!in_struct(&a, &isakmp_oakley_attribute_desc, &trans_pbs, &attr_pbs))
909 return BAD_PROPOSAL_SYNTAX;
910
911 passert((a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK) < 32);
912
913 if (LHAS(seen_attrs, a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK))
914 {
915 loglog(RC_LOG_SERIOUS, "repeated %s attribute in Oakley Transform %u"
916 , enum_show(&oakley_attr_names, a.isaat_af_type)
917 , trans.isat_transnum);
918 return BAD_PROPOSAL_SYNTAX;
919 }
920
921 seen_attrs |= LELEM(a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK);
922
923 val = a.isaat_lv;
924
925 DBG(DBG_PARSING,
926 {
927 enum_names *vdesc = oakley_attr_val_descs
928 [a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK];
929
930 if (vdesc != NULL)
931 {
932 const char *nm = enum_name(vdesc, val);
933
934 if (nm != NULL)
935 DBG_log(" [%u is %s]", (unsigned)val, nm);
936 }
937 });
938
939 switch (a.isaat_af_type)
940 {
941 case OAKLEY_ENCRYPTION_ALGORITHM | ISAKMP_ATTR_AF_TV:
942 if (ike_alg_get_crypter(val))
943 {
944 ta.encrypt = val;
945 ta.encrypter = ike_alg_get_crypter(val);
946 ta.enckeylen = ta.encrypter->keydeflen;
947 }
948 else
949 {
950 ugh = builddiag("%s is not supported"
951 , enum_show(&oakley_enc_names, val));
952 }
953 break;
954
955 case OAKLEY_HASH_ALGORITHM | ISAKMP_ATTR_AF_TV:
956 if (ike_alg_get_hasher(val))
957 {
958 ta.hash = val;
959 ta.hasher = ike_alg_get_hasher(val);
960 }
961 else
962 {
963 ugh = builddiag("%s is not supported"
964 , enum_show(&oakley_hash_names, val));
965 }
966 break;
967
968 case OAKLEY_AUTHENTICATION_METHOD | ISAKMP_ATTR_AF_TV:
969 {
970 /* check that authentication method is acceptable */
971 lset_t iap = st->st_policy & POLICY_ID_AUTH_MASK;
972
973 /* is the initiator the XAUTH client? */
974 bool xauth_init = ( initiator && (st->st_policy & POLICY_XAUTH_SERVER) == LEMPTY)
975 || (!initiator && (st->st_policy & POLICY_XAUTH_SERVER) != LEMPTY);
976
977 switch (val)
978 {
979 case OAKLEY_PRESHARED_KEY:
980 if ((iap & POLICY_PSK) == LEMPTY)
981 {
982 ugh = "policy does not allow OAKLEY_PRESHARED_KEY authentication";
983 }
984 else
985 {
986 ugh = find_preshared_key(st);
987 ta.auth = OAKLEY_PRESHARED_KEY;
988 }
989 break;
990 case XAUTHInitPreShared:
991 if ((iap & POLICY_XAUTH_PSK) == LEMPTY || !xauth_init)
992 {
993 ugh = "policy does not allow XAUTHInitPreShared authentication";
994 }
995 else
996 {
997 ugh = find_preshared_key(st);
998 ta.auth = XAUTHInitPreShared;
999 }
1000 break;
1001 case XAUTHRespPreShared:
1002 if ((iap & POLICY_XAUTH_PSK) == LEMPTY || xauth_init)
1003 {
1004 ugh = "policy does not allow XAUTHRespPreShared authentication";
1005 }
1006 else
1007 {
1008 ugh = find_preshared_key(st);
1009 ta.auth = XAUTHRespPreShared;
1010 }
1011 break;
1012 case OAKLEY_RSA_SIG:
1013 /* Accept if policy specifies RSASIG or is default */
1014 if ((iap & POLICY_RSASIG) == LEMPTY)
1015 {
1016 ugh = "policy does not allow OAKLEY_RSA_SIG authentication";
1017 }
1018 else
1019 {
1020 ta.auth = OAKLEY_RSA_SIG;
1021 }
1022 break;
1023 case XAUTHInitRSA:
1024 if ((iap & POLICY_XAUTH_RSASIG) == LEMPTY || !xauth_init)
1025 {
1026 ugh = "policy does not allow XAUTHInitRSA authentication";
1027 }
1028 else
1029 {
1030 ta.auth = XAUTHInitRSA;
1031 }
1032 break;
1033 case XAUTHRespRSA:
1034 if ((iap & POLICY_XAUTH_RSASIG) == LEMPTY || xauth_init)
1035 {
1036 ugh = "policy does not allow XAUTHRespRSA authentication";
1037 }
1038 else
1039 {
1040 ta.auth = XAUTHRespRSA;
1041 }
1042 break;
1043 default:
1044 ugh = builddiag("Pluto does not support %s authentication"
1045 , enum_show(&oakley_auth_names, val));
1046 break;
1047 }
1048 }
1049 break;
1050
1051 case OAKLEY_GROUP_DESCRIPTION | ISAKMP_ATTR_AF_TV:
1052 ta.group = ike_alg_get_dh_group(val);
1053 if (ta.group == NULL)
1054 {
1055 ugh = builddiag("%s is not supported"
1056 , enum_show(&oakley_group_names, val));
1057 }
1058 break;
1059
1060 case OAKLEY_LIFE_TYPE | ISAKMP_ATTR_AF_TV:
1061 switch (val)
1062 {
1063 case OAKLEY_LIFE_SECONDS:
1064 case OAKLEY_LIFE_KILOBYTES:
1065 if (LHAS(seen_durations, val))
1066 {
1067 loglog(RC_LOG_SERIOUS
1068 , "attribute OAKLEY_LIFE_TYPE value %s repeated"
1069 , enum_show(&oakley_lifetime_names, val));
1070 return BAD_PROPOSAL_SYNTAX;
1071 }
1072 seen_durations |= LELEM(val);
1073 life_type = val;
1074 break;
1075 default:
1076 ugh = builddiag("unknown value %s"
1077 , enum_show(&oakley_lifetime_names, val));
1078 break;
1079 }
1080 break;
1081
1082 case OAKLEY_LIFE_DURATION | ISAKMP_ATTR_AF_TLV:
1083 val = decode_long_duration(&attr_pbs);
1084 /* fall through */
1085 case OAKLEY_LIFE_DURATION | ISAKMP_ATTR_AF_TV:
1086 if (!LHAS(seen_attrs, OAKLEY_LIFE_TYPE))
1087 {
1088 ugh = "OAKLEY_LIFE_DURATION attribute not preceded by OAKLEY_LIFE_TYPE attribute";
1089 break;
1090 }
1091 seen_attrs &= ~(LELEM(OAKLEY_LIFE_DURATION) | LELEM(OAKLEY_LIFE_TYPE));
1092
1093 switch (life_type)
1094 {
1095 case OAKLEY_LIFE_SECONDS:
1096 if (val > OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM)
1097 {
1098 #ifdef CISCO_QUIRKS
1099 plog("peer requested %lu seconds"
1100 " which exceeds our limit %d seconds"
1101 , (long) val
1102 , OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM);
1103 plog("lifetime reduced to %d seconds "
1104 "(todo: IPSEC_RESPONDER_LIFETIME notification)"
1105 , OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM);
1106 val = OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM;
1107 #else
1108 ugh = builddiag("peer requested %lu seconds"
1109 " which exceeds our limit %d seconds"
1110 , (long) val
1111 , OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM);
1112 #endif
1113 }
1114 ta.life_seconds = val;
1115 break;
1116 case OAKLEY_LIFE_KILOBYTES:
1117 ta.life_kilobytes = val;
1118 break;
1119 default:
1120 bad_case(life_type);
1121 }
1122 break;
1123
1124 case OAKLEY_KEY_LENGTH | ISAKMP_ATTR_AF_TV:
1125 if ((seen_attrs & LELEM(OAKLEY_ENCRYPTION_ALGORITHM)) == 0)
1126 {
1127 ugh = "OAKLEY_KEY_LENGTH attribute not preceded by "
1128 "OAKLEY_ENCRYPTION_ALGORITHM attribute";
1129 break;
1130 }
1131 if (ta.encrypter == NULL)
1132 {
1133 ugh = "NULL encrypter with seen OAKLEY_ENCRYPTION_ALGORITHM";
1134 break;
1135 }
1136 /*
1137 * check if this keylen is compatible with specified algorithm
1138 */
1139 if (val
1140 && (val < ta.encrypter->keyminlen || val > ta.encrypter->keymaxlen))
1141 {
1142 ugh = "peer proposed key length not valid for "
1143 "encryption algorithm specified";
1144 }
1145 ta.enckeylen = val;
1146 break;
1147 #if 0 /* not yet supported */
1148 case OAKLEY_GROUP_TYPE | ISAKMP_ATTR_AF_TV:
1149 case OAKLEY_PRF | ISAKMP_ATTR_AF_TV:
1150 case OAKLEY_FIELD_SIZE | ISAKMP_ATTR_AF_TV:
1151
1152 case OAKLEY_GROUP_PRIME | ISAKMP_ATTR_AF_TV:
1153 case OAKLEY_GROUP_PRIME | ISAKMP_ATTR_AF_TLV:
1154 case OAKLEY_GROUP_GENERATOR_ONE | ISAKMP_ATTR_AF_TV:
1155 case OAKLEY_GROUP_GENERATOR_ONE | ISAKMP_ATTR_AF_TLV:
1156 case OAKLEY_GROUP_GENERATOR_TWO | ISAKMP_ATTR_AF_TV:
1157 case OAKLEY_GROUP_GENERATOR_TWO | ISAKMP_ATTR_AF_TLV:
1158 case OAKLEY_GROUP_CURVE_A | ISAKMP_ATTR_AF_TV:
1159 case OAKLEY_GROUP_CURVE_A | ISAKMP_ATTR_AF_TLV:
1160 case OAKLEY_GROUP_CURVE_B | ISAKMP_ATTR_AF_TV:
1161 case OAKLEY_GROUP_CURVE_B | ISAKMP_ATTR_AF_TLV:
1162 case OAKLEY_GROUP_ORDER | ISAKMP_ATTR_AF_TV:
1163 case OAKLEY_GROUP_ORDER | ISAKMP_ATTR_AF_TLV:
1164 #endif
1165 default:
1166 /* fix compiler warning */
1167 memset(&ta, 0, sizeof(ta));
1168 ugh = "unsupported OAKLEY attribute";
1169 break;
1170 }
1171
1172 if (ugh != NULL)
1173 {
1174 loglog(RC_LOG_SERIOUS, "%s. Attribute %s"
1175 , ugh, enum_show(&oakley_attr_names, a.isaat_af_type));
1176 break;
1177 }
1178 }
1179
1180 /*
1181 * ML: at last check for allowed transforms in alg_info_ike
1182 * (ALG_INFO_F_STRICT flag)
1183 */
1184 if (ugh == NULL)
1185 {
1186 if (!ike_alg_ok_final(ta.encrypt, ta.enckeylen, ta.hash,
1187 ta.group ? ta.group->algo_id : -1, c->alg_info_ike))
1188 {
1189 ugh = "OAKLEY proposal refused";
1190 }
1191 }
1192
1193 if (ugh == NULL)
1194 {
1195 /* a little more checking is in order */
1196 {
1197 lset_t missing
1198 = ~seen_attrs
1199 & (LELEM(OAKLEY_ENCRYPTION_ALGORITHM)
1200 | LELEM(OAKLEY_HASH_ALGORITHM)
1201 | LELEM(OAKLEY_AUTHENTICATION_METHOD)
1202 | LELEM(OAKLEY_GROUP_DESCRIPTION));
1203
1204 if (missing)
1205 {
1206 loglog(RC_LOG_SERIOUS, "missing mandatory attribute(s) %s in Oakley Transform %u"
1207 , bitnamesof(oakley_attr_bit_names, missing)
1208 , trans.isat_transnum);
1209 return BAD_PROPOSAL_SYNTAX;
1210 }
1211 }
1212 /* We must have liked this transform.
1213 * Lets finish early and leave.
1214 */
1215
1216 DBG(DBG_PARSING | DBG_CRYPT
1217 , DBG_log("Oakley Transform %u accepted", trans.isat_transnum));
1218
1219 if (r_sa_pbs != NULL)
1220 {
1221 struct isakmp_proposal r_proposal = *proposal;
1222 pb_stream r_proposal_pbs;
1223 struct isakmp_transform r_trans = trans;
1224 pb_stream r_trans_pbs;
1225
1226 /* Situation */
1227 if (!out_struct(&ipsecdoisit, &ipsec_sit_desc, r_sa_pbs, NULL))
1228 impossible();
1229
1230 /* Proposal */
1231 #ifdef EMIT_ISAKMP_SPI
1232 r_proposal.isap_spisize = COOKIE_SIZE;
1233 #else
1234 r_proposal.isap_spisize = 0;
1235 #endif
1236 r_proposal.isap_notrans = 1;
1237 if (!out_struct(&r_proposal, &isakmp_proposal_desc, r_sa_pbs, &r_proposal_pbs))
1238 impossible();
1239
1240 /* SPI */
1241 #ifdef EMIT_ISAKMP_SPI
1242 if (!out_raw(my_cookie, COOKIE_SIZE, &r_proposal_pbs, "SPI"))
1243 impossible();
1244 r_proposal.isap_spisize = COOKIE_SIZE;
1245 #else
1246 /* none (0) */
1247 #endif
1248
1249 /* Transform */
1250 r_trans.isat_np = ISAKMP_NEXT_NONE;
1251 if (!out_struct(&r_trans, &isakmp_isakmp_transform_desc, &r_proposal_pbs, &r_trans_pbs))
1252 impossible();
1253
1254 if (!out_raw(attr_start, attr_len, &r_trans_pbs, "attributes"))
1255 impossible();
1256 close_output_pbs(&r_trans_pbs);
1257 close_output_pbs(&r_proposal_pbs);
1258 close_output_pbs(r_sa_pbs);
1259 }
1260
1261 /* copy over the results */
1262 st->st_oakley = ta;
1263 return NOTHING_WRONG;
1264 }
1265
1266 /* on to next transform */
1267 no_trans_left--;
1268
1269 if (trans.isat_np == ISAKMP_NEXT_NONE)
1270 {
1271 if (no_trans_left != 0)
1272 {
1273 loglog(RC_LOG_SERIOUS, "number of Transform Payloads disagrees with Oakley Proposal Payload");
1274 return BAD_PROPOSAL_SYNTAX;
1275 }
1276 break;
1277 }
1278 if (trans.isat_np != ISAKMP_NEXT_T)
1279 {
1280 loglog(RC_LOG_SERIOUS, "unexpected %s payload in Oakley Proposal"
1281 , enum_show(&payload_names, proposal->isap_np));
1282 return BAD_PROPOSAL_SYNTAX;
1283 }
1284 }
1285 loglog(RC_LOG_SERIOUS, "no acceptable Oakley Transform");
1286 return NO_PROPOSAL_CHOSEN;
1287 }
1288
1289 /* Parse the body of an IPsec SA Payload (i.e. Phase 2 / Quick Mode).
1290 *
1291 * The main routine is parse_ipsec_sa_body; other functions defined
1292 * between here and there are just helpers.
1293 *
1294 * Various shortcuts are taken. In particular, the policy, such as
1295 * it is, is hardwired.
1296 *
1297 * If r_sa is non-NULL, the body of an SA representing the selected
1298 * proposal is emitted into it.
1299 *
1300 * If "selection" is true, the SA is supposed to represent the
1301 * single tranform that the peer has accepted.
1302 * ??? We only check that it is acceptable, not that it is one that we offered!
1303 *
1304 * Only IPsec DOI is accepted (what is the ISAKMP DOI?).
1305 * Error response is rudimentary.
1306 *
1307 * Since all ISAKMP groups in all SA Payloads must match, st->st_pfs_group
1308 * holds this across multiple payloads.
1309 * &unset_group signifies not yet "set"; NULL signifies NONE.
1310 *
1311 * This routine is used by quick_inI1_outR1() and quick_inR1_outI2().
1312 */
1313
1314 static const struct ipsec_trans_attrs null_ipsec_trans_attrs = {
1315 0, /* transid (NULL, for now) */
1316 0, /* spi */
1317 SA_LIFE_DURATION_DEFAULT, /* life_seconds */
1318 SA_LIFE_DURATION_K_DEFAULT, /* life_kilobytes */
1319 ENCAPSULATION_MODE_UNSPECIFIED, /* encapsulation */
1320 AUTH_ALGORITHM_NONE, /* auth */
1321 0, /* key_len */
1322 0, /* key_rounds */
1323 };
1324
1325 static bool
1326 parse_ipsec_transform(struct isakmp_transform *trans
1327 , struct ipsec_trans_attrs *attrs
1328 , pb_stream *prop_pbs
1329 , pb_stream *trans_pbs
1330 , struct_desc *trans_desc
1331 , int previous_transnum /* or -1 if none */
1332 , bool selection
1333 , bool is_last
1334 , bool is_ipcomp
1335 , struct state *st) /* current state object */
1336 {
1337 lset_t seen_attrs = 0;
1338 lset_t seen_durations = 0;
1339 u_int16_t life_type = 0;
1340 const struct dh_desc *pfs_group = NULL;
1341
1342 if (!in_struct(trans, trans_desc, prop_pbs, trans_pbs))
1343 return FALSE;
1344
1345 if (trans->isat_transnum <= previous_transnum)
1346 {
1347 loglog(RC_LOG_SERIOUS, "Transform Numbers in Proposal are not monotonically increasing");
1348 return FALSE;
1349 }
1350
1351 switch (trans->isat_np)
1352 {
1353 case ISAKMP_NEXT_T:
1354 if (is_last)
1355 {
1356 loglog(RC_LOG_SERIOUS, "Proposal Payload has more Transforms than specified");
1357 return FALSE;
1358 }
1359 break;
1360 case ISAKMP_NEXT_NONE:
1361 if (!is_last)
1362 {
1363 loglog(RC_LOG_SERIOUS, "Proposal Payload has fewer Transforms than specified");
1364 return FALSE;
1365 }
1366 break;
1367 default:
1368 loglog(RC_LOG_SERIOUS, "expecting Transform Payload, but found %s in Proposal"
1369 , enum_show(&payload_names, trans->isat_np));
1370 return FALSE;
1371 }
1372
1373 *attrs = null_ipsec_trans_attrs;
1374 attrs->transid = trans->isat_transid;
1375
1376 while (pbs_left(trans_pbs) != 0)
1377 {
1378 struct isakmp_attribute a;
1379 pb_stream attr_pbs;
1380 enum_names *vdesc;
1381 u_int32_t val; /* room for larger value */
1382 bool ipcomp_inappropriate = is_ipcomp; /* will get reset if OK */
1383
1384 if (!in_struct(&a, &isakmp_ipsec_attribute_desc, trans_pbs, &attr_pbs))
1385 return FALSE;
1386
1387 passert((a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK) < 32);
1388
1389 if (LHAS(seen_attrs, a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK))
1390 {
1391 loglog(RC_LOG_SERIOUS, "repeated %s attribute in IPsec Transform %u"
1392 , enum_show(&ipsec_attr_names, a.isaat_af_type)
1393 , trans->isat_transnum);
1394 return FALSE;
1395 }
1396
1397 seen_attrs |= LELEM(a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK);
1398
1399 val = a.isaat_lv;
1400
1401 vdesc = ipsec_attr_val_descs[a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK];
1402 if (vdesc != NULL)
1403 {
1404 if (enum_name(vdesc, val) == NULL)
1405 {
1406 loglog(RC_LOG_SERIOUS, "invalid value %u for attribute %s in IPsec Transform"
1407 , (unsigned)val, enum_show(&ipsec_attr_names, a.isaat_af_type));
1408 return FALSE;
1409 }
1410 DBG(DBG_PARSING
1411 , if ((a.isaat_af_type & ISAKMP_ATTR_AF_MASK) == ISAKMP_ATTR_AF_TV)
1412 DBG_log(" [%u is %s]"
1413 , (unsigned)val, enum_show(vdesc, val)));
1414 }
1415
1416 switch (a.isaat_af_type)
1417 {
1418 case SA_LIFE_TYPE | ISAKMP_ATTR_AF_TV:
1419 ipcomp_inappropriate = FALSE;
1420 if (LHAS(seen_durations, val))
1421 {
1422 loglog(RC_LOG_SERIOUS, "attribute SA_LIFE_TYPE value %s repeated in message"
1423 , enum_show(&sa_lifetime_names, val));
1424 return FALSE;
1425 }
1426 seen_durations |= LELEM(val);
1427 life_type = val;
1428 break;
1429 case SA_LIFE_DURATION | ISAKMP_ATTR_AF_TLV:
1430 val = decode_long_duration(&attr_pbs);
1431 /* fall through */
1432 case SA_LIFE_DURATION | ISAKMP_ATTR_AF_TV:
1433 ipcomp_inappropriate = FALSE;
1434 if (!LHAS(seen_attrs, SA_LIFE_DURATION))
1435 {
1436 loglog(RC_LOG_SERIOUS, "SA_LIFE_DURATION IPsec attribute not preceded by SA_LIFE_TYPE attribute");
1437 return FALSE;
1438 }
1439 seen_attrs &= ~(LELEM(SA_LIFE_DURATION) | LELEM(SA_LIFE_TYPE));
1440
1441 switch (life_type)
1442 {
1443 case SA_LIFE_TYPE_SECONDS:
1444 /* silently limit duration to our maximum */
1445 attrs->life_seconds = val <= SA_LIFE_DURATION_MAXIMUM
1446 ? val : SA_LIFE_DURATION_MAXIMUM;
1447 break;
1448 case SA_LIFE_TYPE_KBYTES:
1449 attrs->life_kilobytes = val;
1450 break;
1451 default:
1452 bad_case(life_type);
1453 }
1454 break;
1455 case GROUP_DESCRIPTION | ISAKMP_ATTR_AF_TV:
1456 if (is_ipcomp)
1457 {
1458 /* Accept reluctantly. Should not happen, according to
1459 * draft-shacham-ippcp-rfc2393bis-05.txt 4.1.
1460 */
1461 ipcomp_inappropriate = FALSE;
1462 loglog(RC_COMMENT
1463 , "IPCA (IPcomp SA) contains GROUP_DESCRIPTION."
1464 " Ignoring inapproprate attribute.");
1465 }
1466 pfs_group = ike_alg_get_dh_group(val);
1467 if (pfs_group == NULL)
1468 {
1469 loglog(RC_LOG_SERIOUS, "only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported for PFS");
1470 return FALSE;
1471 }
1472 break;
1473 case ENCAPSULATION_MODE | ISAKMP_ATTR_AF_TV:
1474 ipcomp_inappropriate = FALSE;
1475 switch (val)
1476 {
1477 case ENCAPSULATION_MODE_TUNNEL:
1478 case ENCAPSULATION_MODE_TRANSPORT:
1479 if (st->nat_traversal & NAT_T_DETECTED)
1480 {
1481 loglog(RC_LOG_SERIOUS
1482 , "%s must only be used if NAT-Traversal is not detected"
1483 , enum_name(&enc_mode_names, val));
1484 /*
1485 * Accept it anyway because SSH-Sentinel does not
1486 * use UDP_TUNNEL or UDP_TRANSPORT for the diagnostic.
1487 *
1488 * remove when SSH-Sentinel is fixed
1489 */
1490 #ifdef I_DONT_CARE_OF_SSH_SENTINEL
1491 return FALSE;
1492 #endif
1493 }
1494 attrs->encapsulation = val;
1495 break;
1496 case ENCAPSULATION_MODE_UDP_TRANSPORT_DRAFTS:
1497 #ifndef I_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT
1498 loglog(RC_LOG_SERIOUS
1499 , "NAT-Traversal: Transport mode disabled due to security concerns");
1500 return FALSE;
1501 #endif
1502 case ENCAPSULATION_MODE_UDP_TUNNEL_DRAFTS:
1503 if (st->nat_traversal & NAT_T_WITH_RFC_VALUES)
1504 {
1505 loglog(RC_LOG_SERIOUS
1506 , "%s must only be used with old IETF drafts"
1507 , enum_name(&enc_mode_names, val));
1508 return FALSE;
1509 }
1510 else if (st->nat_traversal & NAT_T_DETECTED)
1511 {
1512 attrs->encapsulation = val
1513 - ENCAPSULATION_MODE_UDP_TUNNEL_DRAFTS
1514 + ENCAPSULATION_MODE_TUNNEL;
1515 }
1516 else
1517 {
1518 loglog(RC_LOG_SERIOUS
1519 , "%s must only be used if NAT-Traversal is detected"
1520 , enum_name(&enc_mode_names, val));
1521 return FALSE;
1522 }
1523 break;
1524 case ENCAPSULATION_MODE_UDP_TRANSPORT_RFC:
1525 #ifndef I_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT
1526 loglog(RC_LOG_SERIOUS
1527 , "NAT-Traversal: Transport mode disabled due "
1528 "to security concerns");
1529 return FALSE;
1530 #endif
1531 case ENCAPSULATION_MODE_UDP_TUNNEL_RFC:
1532 if ((st->nat_traversal & NAT_T_DETECTED)
1533 && (st->nat_traversal & NAT_T_WITH_RFC_VALUES))
1534 {
1535 attrs->encapsulation = val
1536 - ENCAPSULATION_MODE_UDP_TUNNEL_RFC
1537 + ENCAPSULATION_MODE_TUNNEL;
1538 }
1539 else if (st->nat_traversal & NAT_T_DETECTED)
1540 {
1541 loglog(RC_LOG_SERIOUS
1542 , "%s must only be used with NAT-T RFC"
1543 , enum_name(&enc_mode_names, val));
1544 return FALSE;
1545 }
1546 else
1547 {
1548 loglog(RC_LOG_SERIOUS
1549 , "%s must only be used if NAT-Traversal is detected"
1550 , enum_name(&enc_mode_names, val));
1551 return FALSE;
1552 }
1553 break;
1554 default:
1555 loglog(RC_LOG_SERIOUS
1556 , "unknown ENCAPSULATION_MODE %d in IPSec SA", val);
1557 return FALSE;
1558 }
1559 break;
1560 case AUTH_ALGORITHM | ISAKMP_ATTR_AF_TV:
1561 attrs->auth = val;
1562 break;
1563 case KEY_LENGTH | ISAKMP_ATTR_AF_TV:
1564 attrs->key_len = val;
1565 break;
1566 case KEY_ROUNDS | ISAKMP_ATTR_AF_TV:
1567 attrs->key_rounds = val;
1568 break;
1569 #if 0 /* not yet implemented */
1570 case COMPRESS_DICT_SIZE | ISAKMP_ATTR_AF_TV:
1571 break;
1572 case COMPRESS_PRIVATE_ALG | ISAKMP_ATTR_AF_TV:
1573 break;
1574
1575 case SA_LIFE_DURATION | ISAKMP_ATTR_AF_TLV:
1576 break;
1577 case COMPRESS_PRIVATE_ALG | ISAKMP_ATTR_AF_TLV:
1578 break;
1579 #endif
1580 default:
1581 loglog(RC_LOG_SERIOUS, "unsupported IPsec attribute %s"
1582 , enum_show(&ipsec_attr_names, a.isaat_af_type));
1583 return FALSE;
1584 }
1585 if (ipcomp_inappropriate)
1586 {
1587 loglog(RC_LOG_SERIOUS, "IPsec attribute %s inappropriate for IPCOMP"
1588 , enum_show(&ipsec_attr_names, a.isaat_af_type));
1589 return FALSE;
1590 }
1591 }
1592
1593 /* Although an IPCOMP SA (IPCA) ought not to have a pfs_group,
1594 * if it does, demand that it be consistent.
1595 * See draft-shacham-ippcp-rfc2393bis-05.txt 4.1.
1596 */
1597 if (!is_ipcomp || pfs_group != NULL)
1598 {
1599 if (st->st_pfs_group == &unset_group)
1600 st->st_pfs_group = pfs_group;
1601
1602 if (st->st_pfs_group != pfs_group)
1603 {
1604 loglog(RC_LOG_SERIOUS, "GROUP_DESCRIPTION inconsistent with that of %s in IPsec SA"
1605 , selection? "the Proposal" : "a previous Transform");
1606 return FALSE;
1607 }
1608 }
1609
1610 if (LHAS(seen_attrs, SA_LIFE_DURATION))
1611 {
1612 loglog(RC_LOG_SERIOUS, "SA_LIFE_TYPE IPsec attribute not followed by SA_LIFE_DURATION attribute in message");
1613 return FALSE;
1614 }
1615
1616 if (!LHAS(seen_attrs, ENCAPSULATION_MODE))
1617 {
1618 if (is_ipcomp)
1619 {
1620 /* draft-shacham-ippcp-rfc2393bis-05.txt 4.1:
1621 * "If the Encapsulation Mode is unspecified,
1622 * the default value of Transport Mode is assumed."
1623 * This contradicts/overrides the DOI (quuoted below).
1624 */
1625 attrs->encapsulation = ENCAPSULATION_MODE_TRANSPORT;
1626 }
1627 else
1628 {
1629 /* ??? Technically, RFC 2407 (IPSEC DOI) 4.5 specifies that
1630 * the default is "unspecified (host-dependent)".
1631 * This makes little sense, so we demand that it be specified.
1632 */
1633 loglog(RC_LOG_SERIOUS, "IPsec Transform must specify ENCAPSULATION_MODE");
1634 return FALSE;
1635 }
1636 }
1637
1638 /* ??? should check for key_len and/or key_rounds if required */
1639
1640 return TRUE;
1641 }
1642
1643 static void
1644 echo_proposal(
1645 struct isakmp_proposal r_proposal, /* proposal to emit */
1646 struct isakmp_transform r_trans, /* winning transformation within it */
1647 u_int8_t np, /* Next Payload for proposal */
1648 pb_stream *r_sa_pbs, /* SA PBS into which to emit */
1649 struct ipsec_proto_info *pi, /* info about this protocol instance */
1650 struct_desc *trans_desc, /* descriptor for this transformation */
1651 pb_stream *trans_pbs, /* PBS for incoming transform */
1652 struct spd_route *sr, /* host details for the association */
1653 bool tunnel_mode) /* true for inner most tunnel SA */
1654 {
1655 pb_stream r_proposal_pbs;
1656 pb_stream r_trans_pbs;
1657
1658 /* Proposal */
1659 r_proposal.isap_np = np;
1660 r_proposal.isap_notrans = 1;
1661 if (!out_struct(&r_proposal, &isakmp_proposal_desc, r_sa_pbs, &r_proposal_pbs))
1662 impossible();
1663
1664 /* allocate and emit our CPI/SPI */
1665 if (r_proposal.isap_protoid == PROTO_IPCOMP)
1666 {
1667 /* CPI is stored in network low order end of an
1668 * ipsec_spi_t. So we start a couple of bytes in.
1669 * Note: we may fail to generate a satisfactory CPI,
1670 * but we'll ignore that.
1671 */
1672 pi->our_spi = get_my_cpi(sr, tunnel_mode);
1673 out_raw((u_char *) &pi->our_spi
1674 + IPSEC_DOI_SPI_SIZE - IPCOMP_CPI_SIZE
1675 , IPCOMP_CPI_SIZE
1676 , &r_proposal_pbs, "CPI");
1677 }
1678 else
1679 {
1680 pi->our_spi = get_ipsec_spi(pi->attrs.spi
1681 , r_proposal.isap_protoid == PROTO_IPSEC_AH ?
1682 IPPROTO_AH : IPPROTO_ESP
1683 , sr
1684 , tunnel_mode);
1685 /* XXX should check for errors */
1686 out_raw((u_char *) &pi->our_spi, IPSEC_DOI_SPI_SIZE
1687 , &r_proposal_pbs, "SPI");
1688 }
1689
1690 /* Transform */
1691 r_trans.isat_np = ISAKMP_NEXT_NONE;
1692 if (!out_struct(&r_trans, trans_desc, &r_proposal_pbs, &r_trans_pbs))
1693 impossible();
1694
1695 /* Transform Attributes: pure echo */
1696 trans_pbs->cur = trans_pbs->start + sizeof(struct isakmp_transform);
1697 if (!out_raw(trans_pbs->cur, pbs_left(trans_pbs)
1698 , &r_trans_pbs, "attributes"))
1699 impossible();
1700
1701 close_output_pbs(&r_trans_pbs);
1702 close_output_pbs(&r_proposal_pbs);
1703 }
1704
1705 notification_t
1706 parse_ipsec_sa_body(
1707 pb_stream *sa_pbs, /* body of input SA Payload */
1708 const struct isakmp_sa *sa, /* header of input SA Payload */
1709 pb_stream *r_sa_pbs, /* if non-NULL, where to emit body of winning SA */
1710 bool selection, /* if this SA is a selection, only one transform may appear */
1711 struct state *st) /* current state object */
1712 {
1713 const struct connection *c = st->st_connection;
1714 u_int32_t ipsecdoisit;
1715 pb_stream next_proposal_pbs;
1716
1717 struct isakmp_proposal next_proposal;
1718 ipsec_spi_t next_spi;
1719
1720 bool next_full = TRUE;
1721
1722 /* DOI */
1723 if (sa->isasa_doi != ISAKMP_DOI_IPSEC)
1724 {
1725 loglog(RC_LOG_SERIOUS, "Unknown or unsupported DOI %s", enum_show(&doi_names, sa->isasa_doi));
1726 /* XXX Could send notification back */
1727 return DOI_NOT_SUPPORTED;
1728 }
1729
1730 /* Situation */
1731 if (!in_struct(&ipsecdoisit, &ipsec_sit_desc, sa_pbs, NULL))
1732 return SITUATION_NOT_SUPPORTED;
1733
1734 if (ipsecdoisit != SIT_IDENTITY_ONLY)
1735 {
1736 loglog(RC_LOG_SERIOUS, "unsupported IPsec DOI situation (%s)"
1737 , bitnamesof(sit_bit_names, ipsecdoisit));
1738 /* XXX Could send notification back */
1739 return SITUATION_NOT_SUPPORTED;
1740 }
1741
1742 /* The rules for IPsec SAs are scattered.
1743 * RFC 2408 "ISAKMP" section 4.2 gives some info.
1744 * There may be multiple proposals. Those with identical proposal
1745 * numbers must be considered as conjuncts. Those with different
1746 * numbers are disjuncts.
1747 * Each proposal may have several transforms, each considered
1748 * an alternative.
1749 * Each transform may have several attributes, all applying.
1750 *
1751 * To handle the way proposals are combined, we need to do a
1752 * look-ahead.
1753 */
1754
1755 if (!in_struct(&next_proposal, &isakmp_proposal_desc, sa_pbs, &next_proposal_pbs))
1756 return BAD_PROPOSAL_SYNTAX;
1757
1758 /* for each conjunction of proposals... */
1759 while (next_full)
1760 {
1761 int propno = next_proposal.isap_proposal;
1762 pb_stream ah_prop_pbs, esp_prop_pbs, ipcomp_prop_pbs;
1763 struct isakmp_proposal ah_proposal = {0, 0, 0, 0, 0, 0, 0};
1764 struct isakmp_proposal esp_proposal = {0, 0, 0, 0, 0, 0, 0};
1765 struct isakmp_proposal ipcomp_proposal = {0, 0, 0, 0, 0, 0, 0};
1766 ipsec_spi_t ah_spi = 0;
1767 ipsec_spi_t esp_spi = 0;
1768 ipsec_spi_t ipcomp_cpi = 0;
1769 bool ah_seen = FALSE;
1770 bool esp_seen = FALSE;
1771 bool ipcomp_seen = FALSE;
1772 bool tunnel_mode = FALSE;
1773 int inner_proto = 0;
1774 u_int16_t well_known_cpi = 0;
1775
1776 pb_stream ah_trans_pbs, esp_trans_pbs, ipcomp_trans_pbs;
1777 struct isakmp_transform ah_trans, esp_trans, ipcomp_trans;
1778 struct ipsec_trans_attrs ah_attrs, esp_attrs, ipcomp_attrs;
1779
1780 /* for each proposal in the conjunction */
1781 do {
1782
1783 if (next_proposal.isap_protoid == PROTO_IPCOMP)
1784 {
1785 /* IPCOMP CPI */
1786 if (next_proposal.isap_spisize == IPSEC_DOI_SPI_SIZE)
1787 {
1788 /* This code is to accommodate those peculiar
1789 * implementations that send a CPI in the bottom of an
1790 * SPI-sized field.
1791 * See draft-shacham-ippcp-rfc2393bis-05.txt 4.1
1792 */
1793 u_int8_t filler[IPSEC_DOI_SPI_SIZE - IPCOMP_CPI_SIZE];
1794
1795 if (!in_raw(filler, sizeof(filler)
1796 , &next_proposal_pbs, "CPI filler")
1797 || !all_zero(filler, sizeof(filler)))
1798 return INVALID_SPI;
1799 }
1800 else if (next_proposal.isap_spisize != IPCOMP_CPI_SIZE)
1801 {
1802 loglog(RC_LOG_SERIOUS, "IPsec Proposal with improper CPI size (%u)"
1803 , next_proposal.isap_spisize);
1804 return INVALID_SPI;
1805 }
1806
1807 /* We store CPI in the low order of a network order
1808 * ipsec_spi_t. So we start a couple of bytes in.
1809 */
1810 zero(&next_spi);
1811 if (!in_raw((u_char *)&next_spi
1812 + IPSEC_DOI_SPI_SIZE - IPCOMP_CPI_SIZE
1813 , IPCOMP_CPI_SIZE, &next_proposal_pbs, "CPI"))
1814 return INVALID_SPI;
1815
1816 /* If sanity ruled, CPIs would have to be such that
1817 * the SAID (the triple (CPI, IPCOM, destination IP))
1818 * would be unique, just like for SPIs. But there is a
1819 * perversion where CPIs can be well-known and consequently
1820 * the triple is not unique. We hide this fact from
1821 * ourselves by fudging the top 16 bits to make
1822 * the property true internally!
1823 */
1824 switch (ntohl(next_spi))
1825 {
1826 case IPCOMP_DEFLATE:
1827 well_known_cpi = ntohl(next_spi);
1828 next_spi = uniquify_his_cpi(next_spi, st);
1829 if (next_spi == 0)
1830 {
1831 loglog(RC_LOG_SERIOUS
1832 , "IPsec Proposal contains well-known CPI that I cannot uniquify");
1833 return INVALID_SPI;
1834 }
1835 break;
1836 default:
1837 if (ntohl(next_spi) < IPCOMP_FIRST_NEGOTIATED
1838 || ntohl(next_spi) > IPCOMP_LAST_NEGOTIATED)
1839 {
1840 loglog(RC_LOG_SERIOUS, "IPsec Proposal contains CPI from non-negotiated range (0x%lx)"
1841 , (unsigned long) ntohl(next_spi));
1842 return INVALID_SPI;
1843 }
1844 break;
1845 }
1846 }
1847 else
1848 {
1849 /* AH or ESP SPI */
1850 if (next_proposal.isap_spisize != IPSEC_DOI_SPI_SIZE)
1851 {
1852 loglog(RC_LOG_SERIOUS, "IPsec Proposal with improper SPI size (%u)"
1853 , next_proposal.isap_spisize);
1854 return INVALID_SPI;
1855 }
1856
1857 if (!in_raw((u_char *)&next_spi, sizeof(next_spi), &next_proposal_pbs, "SPI"))
1858 return INVALID_SPI;
1859
1860 /* SPI value 0 is invalid and values 1-255 are reserved to IANA.
1861 * RFC 2402 (ESP) 2.4, RFC 2406 (AH) 2.1
1862 * IPCOMP???
1863 */
1864 if (ntohl(next_spi) < IPSEC_DOI_SPI_MIN)
1865 {
1866 loglog(RC_LOG_SERIOUS, "IPsec Proposal contains invalid SPI (0x%lx)"
1867 , (unsigned long) ntohl(next_spi));
1868 return INVALID_SPI;
1869 }
1870 }
1871
1872 if (next_proposal.isap_notrans == 0)
1873 {
1874 loglog(RC_LOG_SERIOUS, "IPsec Proposal contains no Transforms");
1875 return BAD_PROPOSAL_SYNTAX;
1876 }
1877
1878 switch (next_proposal.isap_protoid)
1879 {
1880 case PROTO_IPSEC_AH:
1881 if (ah_seen)
1882 {
1883 loglog(RC_LOG_SERIOUS, "IPsec SA contains two simultaneous AH Proposals");
1884 return BAD_PROPOSAL_SYNTAX;
1885 }
1886 ah_seen = TRUE;
1887 ah_prop_pbs = next_proposal_pbs;
1888 ah_proposal = next_proposal;
1889 ah_spi = next_spi;
1890 break;
1891
1892 case PROTO_IPSEC_ESP:
1893 if (esp_seen)
1894 {
1895 loglog(RC_LOG_SERIOUS, "IPsec SA contains two simultaneous ESP Proposals");
1896 return BAD_PROPOSAL_SYNTAX;
1897 }
1898 esp_seen = TRUE;
1899 esp_prop_pbs = next_proposal_pbs;
1900 esp_proposal = next_proposal;
1901 esp_spi = next_spi;
1902 break;
1903
1904 case PROTO_IPCOMP:
1905 if (ipcomp_seen)
1906 {
1907 loglog(RC_LOG_SERIOUS, "IPsec SA contains two simultaneous IPCOMP Proposals");
1908 return BAD_PROPOSAL_SYNTAX;
1909 }
1910 ipcomp_seen = TRUE;
1911 ipcomp_prop_pbs = next_proposal_pbs;
1912 ipcomp_proposal = next_proposal;
1913 ipcomp_cpi = next_spi;
1914 break;
1915
1916 default:
1917 loglog(RC_LOG_SERIOUS, "unexpected Protocol ID (%s) in IPsec Proposal"
1918 , enum_show(&protocol_names, next_proposal.isap_protoid));
1919 return INVALID_PROTOCOL_ID;
1920 }
1921
1922 /* refill next_proposal */
1923 if (next_proposal.isap_np == ISAKMP_NEXT_NONE)
1924 {
1925 next_full = FALSE;
1926 break;
1927 }
1928 else if (next_proposal.isap_np != ISAKMP_NEXT_P)
1929 {
1930 loglog(RC_LOG_SERIOUS, "unexpected in Proposal: %s"
1931 , enum_show(&payload_names, next_proposal.isap_np));
1932 return BAD_PROPOSAL_SYNTAX;
1933 }
1934
1935 if (!in_struct(&next_proposal, &isakmp_proposal_desc, sa_pbs, &next_proposal_pbs))
1936 return BAD_PROPOSAL_SYNTAX;
1937 } while (next_proposal.isap_proposal == propno);
1938
1939 /* Now that we have all conjuncts, we should try
1940 * the Cartesian product of eachs tranforms!
1941 * At the moment, we take short-cuts on account of
1942 * our rudimentary hard-wired policy.
1943 * For now, we find an acceptable AH (if any)
1944 * and then an acceptable ESP. The only interaction
1945 * is that the ESP acceptance can know whether there
1946 * was an acceptable AH and hence not require an AUTH.
1947 */
1948
1949 if (ah_seen)
1950 {
1951 int previous_transnum = -1;
1952 int tn;
1953
1954 for (tn = 0; tn != ah_proposal.isap_notrans; tn++)
1955 {
1956 int ok_transid = 0;
1957 bool ok_auth = FALSE;
1958
1959 if (!parse_ipsec_transform(&ah_trans
1960 , &ah_attrs
1961 , &ah_prop_pbs
1962 , &ah_trans_pbs
1963 , &isakmp_ah_transform_desc
1964 , previous_transnum
1965 , selection
1966 , tn == ah_proposal.isap_notrans - 1
1967 , FALSE
1968 , st))
1969 return BAD_PROPOSAL_SYNTAX;
1970
1971 previous_transnum = ah_trans.isat_transnum;
1972
1973 /* we must understand ah_attrs.transid
1974 * COMBINED with ah_attrs.auth.
1975 * See RFC 2407 "IPsec DOI" section 4.4.3
1976 * The following combinations are legal,
1977 * but we don't implement all of them:
1978 * It seems as if each auth algorithm
1979 * only applies to one ah transid.
1980 * AH_MD5, AUTH_ALGORITHM_HMAC_MD5
1981 * AH_MD5, AUTH_ALGORITHM_KPDK (unimplemented)
1982 * AH_SHA, AUTH_ALGORITHM_HMAC_SHA1
1983 * AH_DES, AUTH_ALGORITHM_DES_MAC (unimplemented)
1984 */
1985 switch (ah_attrs.auth)
1986 {
1987 case AUTH_ALGORITHM_NONE:
1988 loglog(RC_LOG_SERIOUS, "AUTH_ALGORITHM attribute missing in AH Transform");
1989 return BAD_PROPOSAL_SYNTAX;
1990
1991 case AUTH_ALGORITHM_HMAC_MD5:
1992 ok_auth = TRUE;
1993 /* fall through */
1994 case AUTH_ALGORITHM_KPDK:
1995 ok_transid = AH_MD5;
1996 break;
1997
1998 case AUTH_ALGORITHM_HMAC_SHA1:
1999 ok_auth = TRUE;
2000 ok_transid = AH_SHA;
2001 break;
2002
2003 case AUTH_ALGORITHM_DES_MAC:
2004 ok_transid = AH_DES;
2005 break;
2006 }
2007 if (ah_attrs.transid != ok_transid)
2008 {
2009 loglog(RC_LOG_SERIOUS, "%s attribute inappropriate in %s Transform"
2010 , enum_name(&auth_alg_names, ah_attrs.auth)
2011 , enum_show(&ah_transformid_names, ah_attrs.transid));
2012 return BAD_PROPOSAL_SYNTAX;
2013 }
2014 if (!ok_auth)
2015 {
2016 DBG(DBG_CONTROL | DBG_CRYPT
2017 , DBG_log("%s attribute unsupported"
2018 " in %s Transform from %s"
2019 , enum_name(&auth_alg_names, ah_attrs.auth)
2020 , enum_show(&ah_transformid_names, ah_attrs.transid)
2021 , ip_str(&c->spd.that.host_addr)));
2022 continue; /* try another */
2023 }
2024 break; /* we seem to be happy */
2025 }
2026 if (tn == ah_proposal.isap_notrans)
2027 continue; /* we didn't find a nice one */
2028 ah_attrs.spi = ah_spi;
2029 inner_proto = IPPROTO_AH;
2030 if (ah_attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL)
2031 tunnel_mode = TRUE;
2032 }
2033
2034 if (esp_seen)
2035 {
2036 int previous_transnum = -1;
2037 int tn;
2038
2039 for (tn = 0; tn != esp_proposal.isap_notrans; tn++)
2040 {
2041 if (!parse_ipsec_transform(&esp_trans
2042 , &esp_attrs
2043 , &esp_prop_pbs
2044 , &esp_trans_pbs
2045 , &isakmp_esp_transform_desc
2046 , previous_transnum
2047 , selection
2048 , tn == esp_proposal.isap_notrans - 1
2049 , FALSE
2050 , st))
2051 return BAD_PROPOSAL_SYNTAX;
2052
2053 previous_transnum = esp_trans.isat_transnum;
2054
2055 /* set default key length for AES encryption */
2056 if (!esp_attrs.key_len && esp_attrs.transid == ESP_AES)
2057 {
2058 esp_attrs.key_len = 128; /* bits */
2059 }
2060
2061 if (!kernel_alg_esp_enc_ok(esp_attrs.transid, esp_attrs.key_len
2062 ,c->alg_info_esp))
2063 {
2064 switch (esp_attrs.transid)
2065 {
2066 case ESP_3DES:
2067 break;
2068 #ifdef SUPPORT_ESP_NULL /* should be about as secure as AH-only */
2069 case ESP_NULL:
2070 if (esp_attrs.auth == AUTH_ALGORITHM_NONE)
2071 {
2072 loglog(RC_LOG_SERIOUS, "ESP_NULL requires auth algorithm");
2073 return BAD_PROPOSAL_SYNTAX;
2074 }
2075 if (st->st_policy & POLICY_ENCRYPT)
2076 {
2077 DBG(DBG_CONTROL | DBG_CRYPT
2078 , DBG_log("ESP_NULL Transform Proposal from %s"
2079 " does not satisfy POLICY_ENCRYPT"
2080 , ip_str(&c->spd.that.host_addr)));
2081 continue; /* try another */
2082 }
2083 break;
2084 #endif
2085 default:
2086 DBG(DBG_CONTROL | DBG_CRYPT
2087 , DBG_log("unsupported ESP Transform %s from %s"
2088 , enum_show(&esp_transformid_names, esp_attrs.transid)
2089 , ip_str(&c->spd.that.host_addr)));
2090 continue; /* try another */
2091 }
2092 }
2093
2094 if (!kernel_alg_esp_auth_ok(esp_attrs.auth, c->alg_info_esp))
2095 {
2096 switch (esp_attrs.auth)
2097 {
2098 case AUTH_ALGORITHM_NONE:
2099 if (!ah_seen)
2100 {
2101 DBG(DBG_CONTROL | DBG_CRYPT
2102 , DBG_log("ESP from %s must either have AUTH or be combined with AH"
2103 , ip_str(&c->spd.that.host_addr)));
2104 continue; /* try another */
2105 }
2106 break;
2107 case AUTH_ALGORITHM_HMAC_MD5:
2108 case AUTH_ALGORITHM_HMAC_SHA1:
2109 break;
2110 default:
2111 DBG(DBG_CONTROL | DBG_CRYPT
2112 , DBG_log("unsupported ESP auth alg %s from %s"
2113 , enum_show(&auth_alg_names, esp_attrs.auth)
2114 , ip_str(&c->spd.that.host_addr)));
2115 continue; /* try another */
2116 }
2117 }
2118
2119 /* A last check for allowed transforms in alg_info_esp
2120 * (ALG_INFO_F_STRICT flag)
2121 */
2122 if (!kernel_alg_esp_ok_final(esp_attrs.transid, esp_attrs.key_len
2123 ,esp_attrs.auth, c->alg_info_esp))
2124 {
2125 continue;
2126 }
2127
2128 if (ah_seen && ah_attrs.encapsulation != esp_attrs.encapsulation)
2129 {
2130 /* ??? This should be an error, but is it? */
2131 DBG(DBG_CONTROL | DBG_CRYPT
2132 , DBG_log("AH and ESP transforms disagree about encapsulation; TUNNEL presumed"));
2133 }
2134
2135 break; /* we seem to be happy */
2136 }
2137 if (tn == esp_proposal.isap_notrans)
2138 continue; /* we didn't find a nice one */
2139
2140 esp_attrs.spi = esp_spi;
2141 inner_proto = IPPROTO_ESP;
2142 if (esp_attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL)
2143 tunnel_mode = TRUE;
2144 }
2145 else if (st->st_policy & POLICY_ENCRYPT)
2146 {
2147 DBG(DBG_CONTROL | DBG_CRYPT
2148 , DBG_log("policy for \"%s\" requires encryption but ESP not in Proposal from %s"
2149 , c->name, ip_str(&c->spd.that.host_addr)));
2150 continue; /* we needed encryption, but didn't find ESP */
2151 }
2152 else if ((st->st_policy & POLICY_AUTHENTICATE) && !ah_seen)
2153 {
2154 DBG(DBG_CONTROL | DBG_CRYPT
2155 , DBG_log("policy for \"%s\" requires authentication"
2156 " but none in Proposal from %s"
2157 , c->name, ip_str(&c->spd.that.host_addr)));
2158 continue; /* we need authentication, but we found neither ESP nor AH */
2159 }
2160
2161 if (ipcomp_seen)
2162 {
2163 int previous_transnum = -1;
2164 int tn;
2165
2166 #ifdef NEVER /* we think IPcomp is working now */
2167 /**** FUDGE TO PREVENT UNREQUESTED IPCOMP:
2168 **** NEEDED BECAUSE OUR IPCOMP IS EXPERIMENTAL (UNSTABLE).
2169 ****/
2170 if (!(st->st_policy & POLICY_COMPRESS))
2171 {
2172 plog("compression proposed by %s, but policy for \"%s\" forbids it"
2173 , ip_str(&c->spd.that.host_addr), c->name);
2174 continue; /* unwanted compression proposal */
2175 }
2176 #endif
2177 if (!can_do_IPcomp)
2178 {
2179 plog("compression proposed by %s, but KLIPS is not configured with IPCOMP"
2180 , ip_str(&c->spd.that.host_addr));
2181 continue;
2182 }
2183
2184 if (well_known_cpi != 0 && !ah_seen && !esp_seen)
2185 {
2186 plog("illegal proposal: bare IPCOMP used with well-known CPI");
2187 return BAD_PROPOSAL_SYNTAX;
2188 }
2189
2190 for (tn = 0; tn != ipcomp_proposal.isap_notrans; tn++)
2191 {
2192 if (!parse_ipsec_transform(&ipcomp_trans
2193 , &ipcomp_attrs
2194 , &ipcomp_prop_pbs
2195 , &ipcomp_trans_pbs
2196 , &isakmp_ipcomp_transform_desc
2197 , previous_transnum
2198 , selection
2199 , tn == ipcomp_proposal.isap_notrans - 1
2200 , TRUE
2201 , st))
2202 return BAD_PROPOSAL_SYNTAX;
2203
2204 previous_transnum = ipcomp_trans.isat_transnum;
2205
2206 if (well_known_cpi != 0 && ipcomp_attrs.transid != well_known_cpi)
2207 {
2208 plog("illegal proposal: IPCOMP well-known CPI disagrees with transform");
2209 return BAD_PROPOSAL_SYNTAX;
2210 }
2211
2212 switch (ipcomp_attrs.transid)
2213 {
2214 case IPCOMP_DEFLATE: /* all we can handle! */
2215 break;
2216
2217 default:
2218 DBG(DBG_CONTROL | DBG_CRYPT
2219 , DBG_log("unsupported IPCOMP Transform %s from %s"
2220 , enum_show(&ipcomp_transformid_names, ipcomp_attrs.transid)
2221 , ip_str(&c->spd.that.host_addr)));
2222 continue; /* try another */
2223 }
2224
2225 if (ah_seen && ah_attrs.encapsulation != ipcomp_attrs.encapsulation)
2226 {
2227 /* ??? This should be an error, but is it? */
2228 DBG(DBG_CONTROL | DBG_CRYPT
2229 , DBG_log("AH and IPCOMP transforms disagree about encapsulation; TUNNEL presumed"));
2230 } else if (esp_seen && esp_attrs.encapsulation != ipcomp_attrs.encapsulation)
2231 {
2232 /* ??? This should be an error, but is it? */
2233 DBG(DBG_CONTROL | DBG_CRYPT
2234 , DBG_log("ESP and IPCOMP transforms disagree about encapsulation; TUNNEL presumed"));
2235 }
2236
2237 break; /* we seem to be happy */
2238 }
2239 if (tn == ipcomp_proposal.isap_notrans)
2240 continue; /* we didn't find a nice one */
2241 ipcomp_attrs.spi = ipcomp_cpi;
2242 inner_proto = IPPROTO_COMP;
2243 if (ipcomp_attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL)
2244 tunnel_mode = TRUE;
2245 }
2246
2247 /* Eureka: we liked what we saw -- accept it. */
2248
2249 if (r_sa_pbs != NULL)
2250 {
2251 /* emit what we've accepted */
2252
2253 /* Situation */
2254 if (!out_struct(&ipsecdoisit, &ipsec_sit_desc, r_sa_pbs, NULL))
2255 impossible();
2256
2257 /* AH proposal */
2258 if (ah_seen)
2259 echo_proposal(ah_proposal
2260 , ah_trans
2261 , esp_seen || ipcomp_seen? ISAKMP_NEXT_P : ISAKMP_NEXT_NONE
2262 , r_sa_pbs
2263 , &st->st_ah
2264 , &isakmp_ah_transform_desc
2265 , &ah_trans_pbs
2266 , &st->st_connection->spd
2267 , tunnel_mode && inner_proto == IPPROTO_AH);
2268
2269 /* ESP proposal */
2270 if (esp_seen)
2271 echo_proposal(esp_proposal
2272 , esp_trans
2273 , ipcomp_seen? ISAKMP_NEXT_P : ISAKMP_NEXT_NONE
2274 , r_sa_pbs
2275 , &st->st_esp
2276 , &isakmp_esp_transform_desc
2277 , &esp_trans_pbs
2278 , &st->st_connection->spd
2279 , tunnel_mode && inner_proto == IPPROTO_ESP);
2280
2281 /* IPCOMP proposal */
2282 if (ipcomp_seen)
2283 echo_proposal(ipcomp_proposal
2284 , ipcomp_trans
2285 , ISAKMP_NEXT_NONE
2286 , r_sa_pbs
2287 , &st->st_ipcomp
2288 , &isakmp_ipcomp_transform_desc
2289 , &ipcomp_trans_pbs
2290 , &st->st_connection->spd
2291 , tunnel_mode && inner_proto == IPPROTO_COMP);
2292
2293 close_output_pbs(r_sa_pbs);
2294 }
2295
2296 /* save decoded version of winning SA in state */
2297
2298 st->st_ah.present = ah_seen;
2299 if (ah_seen)
2300 st->st_ah.attrs = ah_attrs;
2301
2302 st->st_esp.present = esp_seen;
2303 if (esp_seen)
2304 st->st_esp.attrs = esp_attrs;
2305
2306 st->st_ipcomp.present = ipcomp_seen;
2307 if (ipcomp_seen)
2308 st->st_ipcomp.attrs = ipcomp_attrs;
2309
2310 return NOTHING_WRONG;
2311 }
2312
2313 loglog(RC_LOG_SERIOUS, "no acceptable Proposal in IPsec SA");
2314 return NO_PROPOSAL_CHOSEN;
2315 }