1 /* $OpenBSD: ike_phase_1.c,v 1.78 2018/09/20 11:49:55 jsg Exp $ */
2 /* $EOM: ike_phase_1.c,v 1.31 2000/12/11 23:47:56 niklas Exp $ */
3
4 /*
5 * Copyright (c) 1999, 2000 Niklas Hallqvist. All rights reserved.
6 * Copyright (c) 1999, 2000 Angelos D. Keromytis. All rights reserved.
7 * Copyright (c) 2001, 2004 H�kan Olsson. All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 *
18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
19 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
20 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
21 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
22 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
23 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
24 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
25 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
27 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 */
29
30 /*
31 * This code was written under funding by Ericsson Radio Systems.
32 */
33
34 #include <sys/types.h>
35 #include <netinet/in.h>
36 #include <arpa/inet.h>
37 #include <stdlib.h>
38 #include <string.h>
39
40 #include "attribute.h"
41 #include "conf.h"
42 #include "constants.h"
43 #include "crypto.h"
44 #include "dh.h"
45 #include "doi.h"
46 #include "dpd.h"
47 #include "exchange.h"
48 #include "hash.h"
49 #include "ike_auth.h"
50 #include "ike_phase_1.h"
51 #include "ipsec.h"
52 #include "ipsec_doi.h"
53 #include "isakmp.h"
54 #include "log.h"
55 #include "message.h"
56 #include "nat_traversal.h"
57 #include "prf.h"
58 #include "sa.h"
59 #include "transport.h"
60 #include "util.h"
61 #include "vendor.h"
62
63 static int attribute_unacceptable(u_int16_t, u_int8_t *, u_int16_t,
64 void *);
65 static int ike_phase_1_validate_prop(struct exchange *, struct sa *,
66 struct sa *);
67
68 /* Offer a set of transforms to the responder in the MSG message. */
69 int
ike_phase_1_initiator_send_SA(struct message * msg)70 ike_phase_1_initiator_send_SA(struct message *msg)
71 {
72 struct exchange *exchange = msg->exchange;
73 struct ipsec_exch *ie = exchange->data;
74 u_int8_t *proposal = 0, *sa_buf = 0, *saved_nextp, *attr;
75 u_int8_t **transform = 0;
76 size_t transforms_len = 0, proposal_len, sa_len;
77 size_t *transform_len = 0;
78 struct conf_list *conf, *life_conf;
79 struct conf_list_node *xf, *life;
80 int value, update_nextp;
81 size_t i;
82 struct payload *p;
83 struct proto *proto;
84 struct proto_attr *pa;
85 int group_desc = -1, new_group_desc;
86
87 /* Get the list of transforms. */
88 conf = conf_get_list(exchange->policy, "Transforms");
89 if (!conf)
90 return -1;
91
92 transform = calloc(conf->cnt, sizeof *transform);
93 if (!transform) {
94 log_error("ike_phase_1_initiator_send_SA: calloc (%lu, %lu) "
95 "failed", (u_long)conf->cnt, (u_long)sizeof *transform);
96 goto bail_out;
97 }
98 transform_len = calloc(conf->cnt, sizeof *transform_len);
99 if (!transform_len) {
100 log_error("ike_phase_1_initiator_send_SA: calloc (%lu, %lu) "
101 "failed", (u_long)conf->cnt,
102 (u_long)sizeof *transform_len);
103 goto bail_out;
104 }
105 for (xf = TAILQ_FIRST(&conf->fields), i = 0; i < conf->cnt;
106 i++, xf = TAILQ_NEXT(xf, link)) {
107 /* XXX The sizing needs to be dynamic. */
108 transform[i] = malloc(ISAKMP_TRANSFORM_SA_ATTRS_OFF +
109 16 * ISAKMP_ATTR_VALUE_OFF);
110 if (!transform[i]) {
111 log_error("ike_phase_1_initiator_send_SA: malloc (%d) "
112 "failed", ISAKMP_TRANSFORM_SA_ATTRS_OFF +
113 16 * ISAKMP_ATTR_VALUE_OFF);
114 goto bail_out;
115 }
116 SET_ISAKMP_TRANSFORM_NO(transform[i], i);
117 SET_ISAKMP_TRANSFORM_ID(transform[i], IPSEC_TRANSFORM_KEY_IKE);
118 SET_ISAKMP_TRANSFORM_RESERVED(transform[i], 0);
119
120 attr = transform[i] + ISAKMP_TRANSFORM_SA_ATTRS_OFF;
121
122 if (attribute_set_constant(xf->field, "ENCRYPTION_ALGORITHM",
123 ike_encrypt_cst, IKE_ATTR_ENCRYPTION_ALGORITHM, &attr))
124 goto bail_out;
125
126 if (attribute_set_constant(xf->field, "HASH_ALGORITHM",
127 ike_hash_cst, IKE_ATTR_HASH_ALGORITHM, &attr))
128 goto bail_out;
129
130 if (attribute_set_constant(xf->field, "AUTHENTICATION_METHOD",
131 ike_auth_cst, IKE_ATTR_AUTHENTICATION_METHOD, &attr))
132 goto bail_out;
133
134 if (attribute_set_constant(xf->field, "GROUP_DESCRIPTION",
135 ike_group_desc_cst, IKE_ATTR_GROUP_DESCRIPTION, &attr)) {
136 /*
137 * If no group description exists, try looking for
138 * a user-defined one.
139 */
140 if (attribute_set_constant(xf->field, "GROUP_TYPE",
141 ike_group_cst, IKE_ATTR_GROUP_TYPE, &attr))
142 goto bail_out;
143
144 #if 0
145 if (attribute_set_bignum(xf->field, "GROUP_PRIME",
146 IKE_ATTR_GROUP_PRIME, &attr))
147 goto bail_out;
148
149 if (attribute_set_bignum(xf->field,
150 "GROUP_GENERATOR_2", IKE_ATTR_GROUP_GENERATOR_2,
151 &attr))
152 goto bail_out;
153
154 if (attribute_set_bignum(xf->field,
155 "GROUP_GENERATOR_2", IKE_ATTR_GROUP_GENERATOR_2,
156 &attr))
157 goto bail_out;
158
159 if (attribute_set_bignum(xf->field, "GROUP_CURVE_A",
160 IKE_ATTR_GROUP_CURVE_A, &attr))
161 goto bail_out;
162
163 if (attribute_set_bignum(xf->field, "GROUP_CURVE_B",
164 IKE_ATTR_GROUP_CURVE_B, &attr))
165 goto bail_out;
166 #endif
167 }
168 /*
169 * Life durations are special, we should be able to specify
170 * several, one per type.
171 */
172 life_conf = conf_get_list(xf->field, "Life");
173 if (life_conf) {
174 for (life = TAILQ_FIRST(&life_conf->fields); life;
175 life = TAILQ_NEXT(life, link)) {
176 attribute_set_constant(life->field,
177 "LIFE_TYPE", ike_duration_cst,
178 IKE_ATTR_LIFE_TYPE, &attr);
179
180 /*
181 * XXX Deals with 16 and 32 bit lifetimes
182 * only
183 */
184 value = conf_get_num(life->field,
185 "LIFE_DURATION", 0);
186 if (value) {
187 if (value <= 0xffff)
188 attr = attribute_set_basic(
189 attr,
190 IKE_ATTR_LIFE_DURATION,
191 value);
192 else {
193 value = htonl(value);
194 attr = attribute_set_var(attr,
195 IKE_ATTR_LIFE_DURATION,
196 (u_int8_t *)&value,
197 sizeof value);
198 }
199 }
200 }
201 conf_free_list(life_conf);
202 }
203 attribute_set_constant(xf->field, "PRF", ike_prf_cst,
204 IKE_ATTR_PRF, &attr);
205
206 value = conf_get_num(xf->field, "KEY_LENGTH", 0);
207 if (value)
208 attr = attribute_set_basic(attr, IKE_ATTR_KEY_LENGTH,
209 value);
210
211 value = conf_get_num(xf->field, "FIELD_SIZE", 0);
212 if (value)
213 attr = attribute_set_basic(attr, IKE_ATTR_FIELD_SIZE,
214 value);
215
216 value = conf_get_num(xf->field, "GROUP_ORDER", 0);
217 if (value)
218 attr = attribute_set_basic(attr, IKE_ATTR_GROUP_ORDER,
219 value);
220
221 /* Record the real transform size. */
222 transforms_len += transform_len[i] = attr - transform[i];
223
224 /* XXX I don't like exchange-specific stuff in here. */
225 if (exchange->type == ISAKMP_EXCH_AGGRESSIVE) {
226 /*
227 * Make sure that if a group description is specified,
228 * it is specified for all transforms equally.
229 */
230 attr = (u_int8_t *)conf_get_str(xf->field,
231 "GROUP_DESCRIPTION");
232 new_group_desc =
233 attr ? constant_value(ike_group_desc_cst,
234 (char *)attr) : 0;
235 if (group_desc == -1)
236 group_desc = new_group_desc;
237 else if (group_desc != new_group_desc) {
238 log_print("ike_phase_1_initiator_send_SA: "
239 "differing group descriptions in a "
240 "proposal");
241 goto bail_out;
242 }
243 }
244 /*
245 * We need to check that we actually support our
246 * configuration.
247 */
248 if (attribute_map(transform[i] + ISAKMP_TRANSFORM_SA_ATTRS_OFF,
249 transform_len[i] - ISAKMP_TRANSFORM_SA_ATTRS_OFF,
250 exchange->doi->is_attribute_incompatible, msg)) {
251 log_print("ike_phase_1_initiator_send_SA: "
252 "section [%s] has unsupported attribute(s)",
253 xf->field);
254 goto bail_out;
255 }
256 }
257
258 /* XXX I don't like exchange-specific stuff in here. */
259 if (exchange->type == ISAKMP_EXCH_AGGRESSIVE)
260 ie->group = group_get(group_desc);
261
262 proposal_len = ISAKMP_PROP_SPI_OFF;
263 proposal = malloc(proposal_len);
264 if (!proposal) {
265 log_error("ike_phase_1_initiator_send_SA: malloc (%lu) failed",
266 (unsigned long)proposal_len);
267 goto bail_out;
268 }
269 SET_ISAKMP_PROP_NO(proposal, 1);
270 SET_ISAKMP_PROP_PROTO(proposal, ISAKMP_PROTO_ISAKMP);
271 SET_ISAKMP_PROP_SPI_SZ(proposal, 0);
272 SET_ISAKMP_PROP_NTRANSFORMS(proposal, conf->cnt);
273
274 /* XXX I would like to see this factored out. */
275 proto = calloc(1, sizeof *proto);
276 if (!proto) {
277 log_error("ike_phase_1_initiator_send_SA: "
278 "calloc (1, %lu) failed", (unsigned long)sizeof *proto);
279 goto bail_out;
280 }
281 proto->no = 1;
282 proto->proto = ISAKMP_PROTO_ISAKMP;
283 proto->sa = TAILQ_FIRST(&exchange->sa_list);
284 proto->xf_cnt = conf->cnt;
285 TAILQ_INIT(&proto->xfs);
286 for (i = 0; i < proto->xf_cnt; i++) {
287 pa = calloc(1, sizeof *pa);
288 if (!pa)
289 goto bail_out;
290 pa->len = transform_len[i];
291 pa->attrs = malloc(pa->len);
292 if (!pa->attrs) {
293 free(pa);
294 goto bail_out;
295 }
296 memcpy(pa->attrs, transform[i], pa->len);
297 TAILQ_INSERT_TAIL(&proto->xfs, pa, next);
298 }
299 TAILQ_INSERT_TAIL(&TAILQ_FIRST(&exchange->sa_list)->protos, proto,
300 link);
301
302 sa_len = ISAKMP_SA_SIT_OFF + IPSEC_SIT_SIT_LEN;
303 sa_buf = malloc(sa_len);
304 if (!sa_buf) {
305 log_error("ike_phase_1_initiator_send_SA: malloc (%lu) failed",
306 (unsigned long)sa_len);
307 goto bail_out;
308 }
309 SET_ISAKMP_SA_DOI(sa_buf, IPSEC_DOI_IPSEC);
310 SET_IPSEC_SIT_SIT(sa_buf + ISAKMP_SA_SIT_OFF, IPSEC_SIT_IDENTITY_ONLY);
311
312 /*
313 * Add the payloads. As this is a SA, we need to recompute the
314 * lengths of the payloads containing others.
315 */
316 if (message_add_payload(msg, ISAKMP_PAYLOAD_SA, sa_buf, sa_len, 1))
317 goto bail_out;
318 SET_ISAKMP_GEN_LENGTH(sa_buf,
319 sa_len + proposal_len + transforms_len);
320 sa_buf = 0;
321
322 saved_nextp = msg->nextp;
323 if (message_add_payload(msg, ISAKMP_PAYLOAD_PROPOSAL, proposal,
324 proposal_len, 0))
325 goto bail_out;
326 SET_ISAKMP_GEN_LENGTH(proposal, proposal_len + transforms_len);
327 proposal = 0;
328
329 update_nextp = 0;
330 for (i = 0; i < conf->cnt; i++) {
331 if (message_add_payload(msg, ISAKMP_PAYLOAD_TRANSFORM,
332 transform[i], transform_len[i], update_nextp))
333 goto bail_out;
334 update_nextp = 1;
335 transform[i] = 0;
336 }
337 msg->nextp = saved_nextp;
338
339 /* Save SA payload body in ie->sa_i_b, length ie->sa_i_b_len. */
340 ie->sa_i_b_len = sa_len + proposal_len + transforms_len -
341 ISAKMP_GEN_SZ;
342 ie->sa_i_b = malloc(ie->sa_i_b_len);
343 if (!ie->sa_i_b) {
344 log_error("ike_phase_1_initiator_send_SA: malloc (%lu) failed",
345 (unsigned long)ie->sa_i_b_len);
346 goto bail_out;
347 }
348 memcpy(ie->sa_i_b,
349 payload_first(msg, ISAKMP_PAYLOAD_SA)->p + ISAKMP_GEN_SZ,
350 sa_len - ISAKMP_GEN_SZ);
351 memcpy(ie->sa_i_b + sa_len - ISAKMP_GEN_SZ,
352 payload_first(msg, ISAKMP_PAYLOAD_PROPOSAL)->p, proposal_len);
353 transforms_len = 0;
354 for (i = 0, p = TAILQ_FIRST(&msg->payload[ISAKMP_PAYLOAD_TRANSFORM]);
355 i < conf->cnt; i++, p = TAILQ_NEXT(p, link)) {
356 memcpy(ie->sa_i_b + sa_len + proposal_len + transforms_len -
357 ISAKMP_GEN_SZ, p->p, transform_len[i]);
358 transforms_len += transform_len[i];
359 }
360
361 /* Advertise OpenBSD isakmpd. */
362 if (add_vendor_openbsd(msg))
363 goto bail_out;
364
365 /* Advertise NAT-T capability. */
366 if (nat_t_add_vendor_payloads(msg))
367 goto bail_out;
368
369 /* Advertise DPD capability. */
370 if (dpd_add_vendor_payload(msg))
371 goto bail_out;
372
373 conf_free_list(conf);
374 free(transform);
375 free(transform_len);
376 return 0;
377
378 bail_out:
379 free(sa_buf);
380 free(proposal);
381 if (transform) {
382 for (i = 0; i < conf->cnt; i++)
383 free(transform[i]);
384 free(transform);
385 }
386 free(transform_len);
387 conf_free_list(conf);
388 return -1;
389 }
390
391 /* Figure out what transform the responder chose. */
392 int
ike_phase_1_initiator_recv_SA(struct message * msg)393 ike_phase_1_initiator_recv_SA(struct message *msg)
394 {
395 struct exchange *exchange = msg->exchange;
396 struct sa *sa = TAILQ_FIRST(&exchange->sa_list);
397 struct ipsec_exch *ie = exchange->data;
398 struct ipsec_sa *isa = sa->data;
399 struct payload *sa_p = payload_first(msg, ISAKMP_PAYLOAD_SA);
400 struct payload *prop = payload_first(msg, ISAKMP_PAYLOAD_PROPOSAL);
401 struct payload *xf = payload_first(msg, ISAKMP_PAYLOAD_TRANSFORM);
402
403 /*
404 * IKE requires that only one SA with only one proposal exists and
405 * since we are getting an answer on our transform offer, only one
406 * transform.
407 */
408 if (TAILQ_NEXT(sa_p, link) || TAILQ_NEXT(prop, link) ||
409 TAILQ_NEXT(xf, link)) {
410 log_print("ike_phase_1_initiator_recv_SA: "
411 "multiple SA, proposal or transform payloads in phase 1");
412 /* XXX Is there a better notification type? */
413 message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 0);
414 return -1;
415 }
416 /* Check that the chosen transform matches an offer. */
417 if (message_negotiate_sa(msg, ike_phase_1_validate_prop) ||
418 !TAILQ_FIRST(&sa->protos))
419 return -1;
420
421 ipsec_decode_transform(msg, sa, TAILQ_FIRST(&sa->protos), xf->p);
422
423 /* XXX I don't like exchange-specific stuff in here. */
424 if (exchange->type != ISAKMP_EXCH_AGGRESSIVE)
425 ie->group = group_get(isa->group_desc);
426
427 /* Mark the SA as handled. */
428 sa_p->flags |= PL_MARK;
429
430 return 0;
431 }
432
433 /* Send our public DH value and a nonce to the responder. */
434 int
ike_phase_1_initiator_send_KE_NONCE(struct message * msg)435 ike_phase_1_initiator_send_KE_NONCE(struct message *msg)
436 {
437 struct ipsec_exch *ie = msg->exchange->data;
438
439 ie->g_x_len = dh_getlen(ie->group);
440
441 /* XXX I want a better way to specify the nonce's size. */
442 return ike_phase_1_send_KE_NONCE(msg, 16);
443 }
444
445 /* Accept responder's public DH value and nonce. */
446 int
ike_phase_1_initiator_recv_KE_NONCE(struct message * msg)447 ike_phase_1_initiator_recv_KE_NONCE(struct message *msg)
448 {
449 if (ike_phase_1_recv_KE_NONCE(msg))
450 return -1;
451
452 return ike_phase_1_post_exchange_KE_NONCE(msg);
453 }
454
455 /*
456 * Accept a set of transforms offered by the initiator and chose one we can
457 * handle.
458 */
459 int
ike_phase_1_responder_recv_SA(struct message * msg)460 ike_phase_1_responder_recv_SA(struct message *msg)
461 {
462 struct exchange *exchange = msg->exchange;
463 struct sa *sa = TAILQ_FIRST(&exchange->sa_list);
464 struct ipsec_sa *isa = sa->data;
465 struct payload *sa_p = payload_first(msg, ISAKMP_PAYLOAD_SA);
466 struct payload *prop = payload_first(msg, ISAKMP_PAYLOAD_PROPOSAL);
467 struct ipsec_exch *ie = exchange->data;
468
469 /* Mark the SA as handled. */
470 sa_p->flags |= PL_MARK;
471
472 /* IKE requires that only one SA with only one proposal exists. */
473 if (TAILQ_NEXT(sa_p, link) || TAILQ_NEXT(prop, link)) {
474 log_print("ike_phase_1_responder_recv_SA: "
475 "multiple SA or proposal payloads in phase 1");
476 /* XXX Is there a better notification type? */
477 message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 0);
478 return -1;
479 }
480 /* Chose a transform from the SA. */
481 if (message_negotiate_sa(msg, ike_phase_1_validate_prop) ||
482 !TAILQ_FIRST(&sa->protos))
483 return -1;
484
485 /* XXX Move into message_negotiate_sa? */
486 ipsec_decode_transform(msg, sa, TAILQ_FIRST(&sa->protos),
487 TAILQ_FIRST(&sa->protos)->chosen->p);
488
489 ie->group = group_get(isa->group_desc);
490
491 /*
492 * Check that the mandatory attributes: encryption, hash,
493 * authentication method and Diffie-Hellman group description, has
494 * been supplied.
495 */
496 if (!exchange->crypto || !ie->hash || !ie->ike_auth || !ie->group) {
497 message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 0);
498 return -1;
499 }
500 /* Save the body for later hash computation. */
501 ie->sa_i_b_len = GET_ISAKMP_GEN_LENGTH(sa_p->p) - ISAKMP_GEN_SZ;
502 ie->sa_i_b = malloc(ie->sa_i_b_len);
503 if (!ie->sa_i_b) {
504 /* XXX How to notify peer? */
505 log_error("ike_phase_1_responder_recv_SA: malloc (%lu) failed",
506 (unsigned long)ie->sa_i_b_len);
507 return -1;
508 }
509 memcpy(ie->sa_i_b, sa_p->p + ISAKMP_GEN_SZ, ie->sa_i_b_len);
510 return 0;
511 }
512
513 /* Reply with the transform we chose. */
514 int
ike_phase_1_responder_send_SA(struct message * msg)515 ike_phase_1_responder_send_SA(struct message *msg)
516 {
517 /* Add the SA payload with the transform that was chosen. */
518 if (message_add_sa_payload(msg))
519 return -1;
520
521 /* Advertise OpenBSD isakmpd. */
522 if (add_vendor_openbsd(msg))
523 return -1;
524
525 /* Advertise NAT-T capability. */
526 if (nat_t_add_vendor_payloads(msg))
527 return -1;
528
529 /* Advertise DPD capability. */
530 if (dpd_add_vendor_payload(msg))
531 return -1;
532 return 0;
533 }
534
535 /* Send our public DH value and a nonce to the peer. */
536 int
ike_phase_1_send_KE_NONCE(struct message * msg,size_t nonce_sz)537 ike_phase_1_send_KE_NONCE(struct message *msg, size_t nonce_sz)
538 {
539 /* Public DH key. */
540 if (ipsec_gen_g_x(msg)) {
541 /* XXX How to log and notify peer? */
542 return -1;
543 }
544 /* Generate a nonce, and add it to the message. */
545 if (exchange_gen_nonce(msg, nonce_sz)) {
546 /* XXX Log? */
547 return -1;
548 }
549 /* Are there any CERTREQs to send? */
550 if (exchange_add_certreqs(msg)) {
551 /* XXX Log? */
552 return -1;
553 }
554 /* Try to add certificates which are acceptable for the CERTREQs */
555 if (exchange_add_certs(msg)) {
556 /* XXX Log? */
557 return -1;
558 }
559 /* If this exchange uses NAT-Traversal, add NAT-D payloads now. */
560 if (msg->exchange->flags & EXCHANGE_FLAG_NAT_T_CAP_PEER)
561 if (nat_t_exchange_add_nat_d(msg)) {
562 /* XXX Log? */
563 return -1;
564 }
565 return 0;
566 }
567
568 /* Receive our peer's public DH value and nonce. */
569 int
ike_phase_1_recv_KE_NONCE(struct message * msg)570 ike_phase_1_recv_KE_NONCE(struct message *msg)
571 {
572 /* Copy out the initiator's DH public value. */
573 if (ipsec_save_g_x(msg)) {
574 /* XXX How to log and notify peer? */
575 return -1;
576 }
577 /* Copy out the initiator's nonce. */
578 if (exchange_save_nonce(msg)) {
579 /* XXX How to log and notify peer? */
580 return -1;
581 }
582 /* Copy out the initiator's cert requests. */
583 if (exchange_save_certreq(msg)) {
584 /* XXX How to log and notify peer? */
585 return -1;
586 }
587 /* MainMode: Check for NAT-D payloads and contents. */
588 if (msg->exchange->type == ISAKMP_EXCH_ID_PROT &&
589 msg->exchange->flags & EXCHANGE_FLAG_NAT_T_CAP_PEER)
590 (void)nat_t_exchange_check_nat_d(msg);
591 return 0;
592 }
593
594 /*
595 * Compute DH values and key material. This is done in a post-send function
596 * as that means we can do parallel work in both the initiator and responder
597 * thus speeding up exchanges.
598 */
599 int
ike_phase_1_post_exchange_KE_NONCE(struct message * msg)600 ike_phase_1_post_exchange_KE_NONCE(struct message *msg)
601 {
602 struct exchange *exchange = msg->exchange;
603 struct ipsec_exch *ie = exchange->data;
604 struct prf *prf;
605 struct hash *hash = ie->hash;
606 enum cryptoerr err;
607
608 /* Compute Diffie-Hellman shared value. */
609 ie->g_xy_len = dh_secretlen(ie->group);
610 ie->g_xy = malloc(ie->g_xy_len);
611 if (!ie->g_xy) {
612 /* XXX How to notify peer? */
613 log_error("ike_phase_1_post_exchange_KE_NONCE: "
614 "malloc (%lu) failed", (unsigned long)ie->g_xy_len);
615 return -1;
616 }
617 if (dh_create_shared(ie->group, ie->g_xy,
618 exchange->initiator ? ie->g_xr : ie->g_xi)) {
619 log_print("ike_phase_1_post_exchange_KE_NONCE: "
620 "dh_create_shared failed");
621 return -1;
622 }
623 LOG_DBG_BUF((LOG_NEGOTIATION, 80,
624 "ike_phase_1_post_exchange_KE_NONCE: g^xy", ie->g_xy,
625 ie->g_xy_len));
626
627 /* Compute the SKEYID depending on the authentication method. */
628 ie->skeyid = ie->ike_auth->gen_skeyid(exchange, &ie->skeyid_len);
629 if (!ie->skeyid) {
630 /* XXX Log and teardown? */
631 return -1;
632 }
633 LOG_DBG_BUF((LOG_NEGOTIATION, 80,
634 "ike_phase_1_post_exchange_KE_NONCE: SKEYID", ie->skeyid,
635 ie->skeyid_len));
636
637 /* SKEYID_d. */
638 ie->skeyid_d = malloc(ie->skeyid_len);
639 if (!ie->skeyid_d) {
640 /* XXX How to notify peer? */
641 log_error("ike_phase_1_post_exchange_KE_NONCE: "
642 "malloc (%lu) failed", (unsigned long)ie->skeyid_len);
643 return -1;
644 }
645 prf = prf_alloc(ie->prf_type, hash->type, ie->skeyid, ie->skeyid_len);
646 if (!prf) {
647 /* XXX Log and teardown? */
648 return -1;
649 }
650 prf->Init(prf->prfctx);
651 prf->Update(prf->prfctx, ie->g_xy, ie->g_xy_len);
652 prf->Update(prf->prfctx, exchange->cookies, ISAKMP_HDR_COOKIES_LEN);
653 prf->Update(prf->prfctx, (unsigned char *)"\0", 1);
654 prf->Final(ie->skeyid_d, prf->prfctx);
655 LOG_DBG_BUF((LOG_NEGOTIATION, 80,
656 "ike_phase_1_post_exchange_KE_NONCE: SKEYID_d", ie->skeyid_d,
657 ie->skeyid_len));
658
659 /* SKEYID_a. */
660 ie->skeyid_a = malloc(ie->skeyid_len);
661 if (!ie->skeyid_a) {
662 log_error("ike_phase_1_post_exchange_KE_NONCE: "
663 "malloc (%lu) failed", (unsigned long)ie->skeyid_len);
664 prf_free(prf);
665 return -1;
666 }
667 prf->Init(prf->prfctx);
668 prf->Update(prf->prfctx, ie->skeyid_d, ie->skeyid_len);
669 prf->Update(prf->prfctx, ie->g_xy, ie->g_xy_len);
670 prf->Update(prf->prfctx, exchange->cookies, ISAKMP_HDR_COOKIES_LEN);
671 prf->Update(prf->prfctx, (unsigned char *)"\1", 1);
672 prf->Final(ie->skeyid_a, prf->prfctx);
673 LOG_DBG_BUF((LOG_NEGOTIATION, 80,
674 "ike_phase_1_post_exchange_KE_NONCE: SKEYID_a", ie->skeyid_a,
675 ie->skeyid_len));
676
677 /* SKEYID_e. */
678 ie->skeyid_e = malloc(ie->skeyid_len);
679 if (!ie->skeyid_e) {
680 /* XXX How to notify peer? */
681 log_error("ike_phase_1_post_exchange_KE_NONCE: "
682 "malloc (%lu) failed", (unsigned long)ie->skeyid_len);
683 prf_free(prf);
684 return -1;
685 }
686 prf->Init(prf->prfctx);
687 prf->Update(prf->prfctx, ie->skeyid_a, ie->skeyid_len);
688 prf->Update(prf->prfctx, ie->g_xy, ie->g_xy_len);
689 prf->Update(prf->prfctx, exchange->cookies, ISAKMP_HDR_COOKIES_LEN);
690 prf->Update(prf->prfctx, (unsigned char *)"\2", 1);
691 prf->Final(ie->skeyid_e, prf->prfctx);
692 prf_free(prf);
693 LOG_DBG_BUF((LOG_NEGOTIATION, 80,
694 "ike_phase_1_post_exchange_KE_NONCE: SKEYID_e", ie->skeyid_e,
695 ie->skeyid_len));
696
697 /* Key length determination. */
698 if (!exchange->key_length)
699 exchange->key_length = exchange->crypto->keymax;
700
701 /* Derive a longer key from skeyid_e */
702 if (ie->skeyid_len < exchange->key_length) {
703 u_int16_t len, keylen;
704 u_int8_t *key, *p;
705
706 prf = prf_alloc(ie->prf_type, hash->type, ie->skeyid_e,
707 ie->skeyid_len);
708 if (!prf) {
709 /* XXX - notify peer */
710 return -1;
711 }
712 /* Make keylen a multiple of prf->blocksize */
713 keylen = exchange->key_length;
714 if (keylen % prf->blocksize)
715 keylen += prf->blocksize - (keylen % prf->blocksize);
716
717 key = malloc(keylen);
718 if (!key) {
719 /* XXX - Notify peer. */
720 prf_free(prf);
721 log_error("ike_phase_1_post_exchange_KE_NONCE: "
722 "malloc (%d) failed", keylen);
723 return -1;
724 }
725 prf->Init(prf->prfctx);
726 prf->Update(prf->prfctx, (unsigned char *)"\0", 1);
727 prf->Final(key, prf->prfctx);
728
729 for (len = prf->blocksize, p = key; len < exchange->key_length;
730 len += prf->blocksize, p += prf->blocksize) {
731 prf->Init(prf->prfctx);
732 prf->Update(prf->prfctx, p, prf->blocksize);
733 prf->Final(p + prf->blocksize, prf->prfctx);
734 }
735 prf_free(prf);
736
737 /* Setup our keystate using the derived encryption key. */
738 exchange->keystate = crypto_init(exchange->crypto, key,
739 exchange->key_length, &err);
740
741 free(key);
742 } else
743 /* Setup our keystate using the raw skeyid_e. */
744 exchange->keystate = crypto_init(exchange->crypto,
745 ie->skeyid_e, exchange->key_length, &err);
746
747 /* Special handling for DES weak keys. */
748 if (!exchange->keystate && err == EWEAKKEY &&
749 (exchange->key_length << 1) <= ie->skeyid_len) {
750 log_print("ike_phase_1_post_exchange_KE_NONCE: "
751 "weak key, trying subseq. skeyid_e");
752 exchange->keystate = crypto_init(exchange->crypto,
753 ie->skeyid_e + exchange->key_length,
754 exchange->key_length, &err);
755 }
756 if (!exchange->keystate) {
757 log_print("ike_phase_1_post_exchange_KE_NONCE: "
758 "exchange->crypto->init () failed: %d", err);
759
760 /*
761 * XXX We really need to know if problems are of transient
762 * nature or fatal (like failed assertions etc.)
763 */
764 return -1;
765 }
766 /* Setup IV. XXX Only for CBC transforms, no? */
767 hash->Init(hash->ctx);
768 hash->Update(hash->ctx, ie->g_xi, ie->g_x_len);
769 hash->Update(hash->ctx, ie->g_xr, ie->g_x_len);
770 hash->Final(hash->digest, hash->ctx);
771 crypto_init_iv(exchange->keystate, hash->digest,
772 exchange->crypto->blocksize);
773 return 0;
774 }
775
776 int
ike_phase_1_responder_send_ID_AUTH(struct message * msg)777 ike_phase_1_responder_send_ID_AUTH(struct message *msg)
778 {
779 if (ike_phase_1_send_ID(msg))
780 return -1;
781
782 return ike_phase_1_send_AUTH(msg);
783 }
784
785 int
ike_phase_1_send_ID(struct message * msg)786 ike_phase_1_send_ID(struct message *msg)
787 {
788 struct exchange *exchange = msg->exchange;
789 u_int8_t *buf;
790 char header[80];
791 ssize_t sz;
792 struct sockaddr *src;
793 int initiator = exchange->initiator;
794 u_int8_t **id;
795 size_t *id_len;
796 char *my_id = 0, *data;
797 u_int8_t id_type;
798 sa_family_t af = 0;
799
800 /* Choose the right fields to fill-in. */
801 id = initiator ? &exchange->id_i : &exchange->id_r;
802 id_len = initiator ? &exchange->id_i_len : &exchange->id_r_len;
803
804 if (exchange->name)
805 my_id = conf_get_str(exchange->name, "ID");
806
807 if (!my_id)
808 my_id = conf_get_str("General", "Default-phase-1-ID");
809
810 msg->transport->vtbl->get_src(msg->transport, &src);
811 sz = my_id ? ipsec_id_size(my_id, &id_type) : sockaddr_addrlen(src);
812 if (sz == -1)
813 return -1;
814
815 sz += ISAKMP_ID_DATA_OFF;
816 buf = malloc(sz);
817 if (!buf) {
818 log_error("ike_phase_1_send_ID: malloc (%lu) failed",
819 (unsigned long)sz);
820 return -1;
821 }
822 SET_IPSEC_ID_PROTO(buf + ISAKMP_ID_DOI_DATA_OFF, 0);
823 SET_IPSEC_ID_PORT(buf + ISAKMP_ID_DOI_DATA_OFF, 0);
824 if (my_id) {
825 SET_ISAKMP_ID_TYPE(buf, id_type);
826 switch (id_type) {
827 case IPSEC_ID_IPV4_ADDR:
828 case IPSEC_ID_IPV4_ADDR_SUBNET:
829 af = AF_INET;
830 break;
831 case IPSEC_ID_IPV6_ADDR:
832 case IPSEC_ID_IPV6_ADDR_SUBNET:
833 af = AF_INET6;
834 break;
835 }
836 switch (id_type) {
837 case IPSEC_ID_IPV4_ADDR:
838 case IPSEC_ID_IPV6_ADDR:
839 data = conf_get_str(my_id, "Address");
840 if (!data) {
841 log_print("ike_phase_1_send_ID: section %s "
842 "has no \"Address\" tag", my_id);
843 free(buf);
844 return -1;
845 }
846 if (text2sockaddr(data, NULL, &src, af, 0)) {
847 log_error("ike_phase_1_send_ID: "
848 "text2sockaddr() failed");
849 free(buf);
850 return -1;
851 }
852 memcpy(buf + ISAKMP_ID_DATA_OFF,
853 sockaddr_addrdata(src), sockaddr_addrlen(src));
854 free(src);
855 break;
856
857 case IPSEC_ID_IPV4_ADDR_SUBNET:
858 case IPSEC_ID_IPV6_ADDR_SUBNET:
859 /* Network */
860 data = conf_get_str(my_id, "Network");
861 if (!data) {
862 log_print("ike_phase_1_send_ID: section %s "
863 "has no \"Network\" tag", my_id);
864 free(buf);
865 return -1;
866 }
867 if (text2sockaddr(data, NULL, &src, af, 0)) {
868 log_error("ike_phase_1_send_ID: "
869 "text2sockaddr() failed");
870 free(buf);
871 return -1;
872 }
873 memcpy(buf + ISAKMP_ID_DATA_OFF,
874 sockaddr_addrdata(src), sockaddr_addrlen(src));
875 free(src);
876 /* Netmask */
877 data = conf_get_str(my_id, "Netmask");
878 if (!data) {
879 log_print("ike_phase_1_send_ID: section %s "
880 "has no \"Netmask\" tag", my_id);
881 free(buf);
882 return -1;
883 }
884 if (text2sockaddr(data, NULL, &src, af, 1)) {
885 log_error("ike_phase_1_send_ID: "
886 "text2sockaddr() failed");
887 free(buf);
888 return -1;
889 }
890 memcpy(buf + ISAKMP_ID_DATA_OFF +
891 sockaddr_addrlen(src), sockaddr_addrdata(src),
892 sockaddr_addrlen(src));
893 free(src);
894 break;
895
896 case IPSEC_ID_FQDN:
897 case IPSEC_ID_USER_FQDN:
898 case IPSEC_ID_KEY_ID:
899 data = conf_get_str(my_id, "Name");
900 if (!data) {
901 log_print("ike_phase_1_send_ID: section %s "
902 "has no \"Name\" tag", my_id);
903 free(buf);
904 return -1;
905 }
906 memcpy(buf + ISAKMP_ID_DATA_OFF, data,
907 sz - ISAKMP_ID_DATA_OFF);
908 break;
909
910 default:
911 log_print("ike_phase_1_send_ID: "
912 "unsupported ID type %d", id_type);
913 free(buf);
914 return -1;
915 }
916 } else {
917 switch (src->sa_family) {
918 case AF_INET:
919 SET_ISAKMP_ID_TYPE(buf, IPSEC_ID_IPV4_ADDR);
920 break;
921 case AF_INET6:
922 SET_ISAKMP_ID_TYPE(buf, IPSEC_ID_IPV6_ADDR);
923 break;
924 }
925 /* Already in network byteorder. */
926 memcpy(buf + ISAKMP_ID_DATA_OFF, sockaddr_addrdata(src),
927 sockaddr_addrlen(src));
928 }
929
930 if (message_add_payload(msg, ISAKMP_PAYLOAD_ID, buf, sz, 1)) {
931 free(buf);
932 return -1;
933 }
934 *id_len = sz - ISAKMP_GEN_SZ;
935 *id = malloc(*id_len);
936 if (!*id) {
937 log_error("ike_phase_1_send_ID: malloc (%lu) failed",
938 (unsigned long)*id_len);
939 return -1;
940 }
941 memcpy(*id, buf + ISAKMP_GEN_SZ, *id_len);
942 snprintf(header, sizeof header, "ike_phase_1_send_ID: %s",
943 constant_name(ipsec_id_cst, GET_ISAKMP_ID_TYPE(buf)));
944 LOG_DBG_BUF((LOG_NEGOTIATION, 40, header, buf + ISAKMP_ID_DATA_OFF,
945 sz - ISAKMP_ID_DATA_OFF));
946 return 0;
947 }
948
949 int
ike_phase_1_send_AUTH(struct message * msg)950 ike_phase_1_send_AUTH(struct message *msg)
951 {
952 struct exchange *exchange = msg->exchange;
953 struct ipsec_exch *ie = exchange->data;
954
955 if (ie->ike_auth->encode_hash(msg)) {
956 /* XXX Log? */
957 return -1;
958 }
959 /*
960 * XXX Many people say the COMMIT flag is just junk, especially in
961 * Phase 1.
962 */
963 #ifdef notyet
964 if ((exchange->flags & EXCHANGE_FLAG_COMMITTED) == 0)
965 exchange->flags |= EXCHANGE_FLAG_I_COMMITTED;
966 #endif
967
968 return 0;
969 }
970
971 /* Receive ID and HASH and check that the exchange has been consistent. */
972 int
ike_phase_1_recv_ID_AUTH(struct message * msg)973 ike_phase_1_recv_ID_AUTH(struct message *msg)
974 {
975 if (ike_phase_1_recv_ID(msg))
976 return -1;
977
978 return ike_phase_1_recv_AUTH(msg);
979 }
980
981 /* Receive ID. */
982 int
ike_phase_1_recv_ID(struct message * msg)983 ike_phase_1_recv_ID(struct message *msg)
984 {
985 struct exchange *exchange = msg->exchange;
986 struct payload *payload;
987 char header[80], *rs = 0, *rid = 0, *p;
988 int initiator = exchange->initiator;
989 u_int8_t **id, id_type;
990 size_t *id_len;
991 ssize_t sz;
992 struct sockaddr *sa;
993 sa_family_t af = 0;
994
995 payload = payload_first(msg, ISAKMP_PAYLOAD_ID);
996
997 if (exchange->name)
998 rs = conf_get_str(exchange->name, "Remote-ID");
999
1000 if (rs) {
1001 sz = ipsec_id_size(rs, &id_type);
1002 if (sz == -1) {
1003 log_print("ike_phase_1_recv_ID: could not handle "
1004 "specified Remote-ID [%s]", rs);
1005 return -1;
1006 }
1007 rid = malloc(sz);
1008 if (!rid) {
1009 log_error("ike_phase_1_recv_ID: malloc (%lu) failed",
1010 (unsigned long)sz);
1011 return -1;
1012 }
1013 switch (id_type) {
1014 case IPSEC_ID_IPV4_ADDR:
1015 af = AF_INET;
1016 break;
1017 case IPSEC_ID_IPV6_ADDR:
1018 af = AF_INET6;
1019 break;
1020 }
1021 switch (id_type) {
1022 case IPSEC_ID_IPV4_ADDR:
1023 case IPSEC_ID_IPV6_ADDR:
1024 p = conf_get_str(rs, "Address");
1025 if (!p) {
1026 log_print("ike_phase_1_recv_ID: failed to get "
1027 "Address in Remote-ID section [%s]", rs);
1028 free(rid);
1029 return -1;
1030 }
1031 if (text2sockaddr(p, 0, &sa, af, 0) == -1) {
1032 log_print("ike_phase_1_recv_ID: "
1033 "failed to parse address %s", p);
1034 free(rid);
1035 return -1;
1036 }
1037 if ((id_type == IPSEC_ID_IPV4_ADDR &&
1038 sa->sa_family != AF_INET) ||
1039 (id_type == IPSEC_ID_IPV6_ADDR &&
1040 sa->sa_family != AF_INET6)) {
1041 log_print("ike_phase_1_recv_ID: "
1042 "address %s not of expected family", p);
1043 free(rid);
1044 free(sa);
1045 return -1;
1046 }
1047 memcpy(rid, sockaddr_addrdata(sa),
1048 sockaddr_addrlen(sa));
1049 free(sa);
1050 break;
1051
1052 case IPSEC_ID_FQDN:
1053 case IPSEC_ID_USER_FQDN:
1054 case IPSEC_ID_KEY_ID:
1055 p = conf_get_str(rs, "Name");
1056 if (!p) {
1057 log_print("ike_phase_1_recv_ID: failed to "
1058 "get Name in Remote-ID section [%s]", rs);
1059 free(rid);
1060 return -1;
1061 }
1062 memcpy(rid, p, sz);
1063 break;
1064
1065 default:
1066 log_print("ike_phase_1_recv_ID: "
1067 "unsupported ID type %d", id_type);
1068 free(rid);
1069 return -1;
1070 }
1071
1072 /* Compare expected/desired and received remote ID */
1073 if (memcmp(rid, payload->p + ISAKMP_ID_DATA_OFF, sz) != 0) {
1074 free(rid);
1075 log_print("ike_phase_1_recv_ID: "
1076 "received remote ID other than expected %s", p);
1077 return -1;
1078 }
1079 free(rid);
1080 }
1081 /* Choose the right fields to fill in */
1082 id = initiator ? &exchange->id_r : &exchange->id_i;
1083 id_len = initiator ? &exchange->id_r_len : &exchange->id_i_len;
1084
1085 *id_len = GET_ISAKMP_GEN_LENGTH(payload->p) - ISAKMP_GEN_SZ;
1086 *id = malloc(*id_len);
1087 if (!*id) {
1088 log_error("ike_phase_1_recv_ID: malloc (%lu) failed",
1089 (unsigned long)*id_len);
1090 return -1;
1091 }
1092 memcpy(*id, payload->p + ISAKMP_GEN_SZ, *id_len);
1093 snprintf(header, sizeof header, "ike_phase_1_recv_ID: %s",
1094 constant_name(ipsec_id_cst, GET_ISAKMP_ID_TYPE(payload->p)));
1095 LOG_DBG_BUF((LOG_NEGOTIATION, 40, header,
1096 payload->p + ISAKMP_ID_DATA_OFF,
1097 *id_len + ISAKMP_GEN_SZ - ISAKMP_ID_DATA_OFF));
1098 payload->flags |= PL_MARK;
1099 return 0;
1100 }
1101
1102 /* Receive HASH and check that the exchange has been consistent. */
1103 int
ike_phase_1_recv_AUTH(struct message * msg)1104 ike_phase_1_recv_AUTH(struct message *msg)
1105 {
1106 struct exchange *exchange = msg->exchange;
1107 struct ipsec_exch *ie = exchange->data;
1108 struct prf *prf;
1109 struct hash *hash = ie->hash;
1110 char header[80];
1111 size_t hashsize = hash->hashsize;
1112 int initiator = exchange->initiator;
1113 u_int8_t **hash_p, *id;
1114 size_t id_len;
1115
1116 /* Choose the right fields to fill in */
1117 hash_p = initiator ? &ie->hash_r : &ie->hash_i;
1118 id = initiator ? exchange->id_r : exchange->id_i;
1119 id_len = initiator ? exchange->id_r_len : exchange->id_i_len;
1120
1121 /* The decoded hash will be in ie->hash_r or ie->hash_i */
1122 if (ie->ike_auth->decode_hash(msg)) {
1123 message_drop(msg, ISAKMP_NOTIFY_INVALID_ID_INFORMATION, 0, 1,
1124 0);
1125 return -1;
1126 }
1127 /* Allocate the prf and start calculating his HASH. */
1128 prf = prf_alloc(ie->prf_type, hash->type, ie->skeyid, ie->skeyid_len);
1129 if (!prf) {
1130 /* XXX Log? */
1131 return -1;
1132 }
1133 prf->Init(prf->prfctx);
1134 prf->Update(prf->prfctx, initiator ? ie->g_xr : ie->g_xi, ie->g_x_len);
1135 prf->Update(prf->prfctx, initiator ? ie->g_xi : ie->g_xr, ie->g_x_len);
1136 prf->Update(prf->prfctx, exchange->cookies +
1137 (initiator ? ISAKMP_HDR_RCOOKIE_OFF : ISAKMP_HDR_ICOOKIE_OFF),
1138 ISAKMP_HDR_ICOOKIE_LEN);
1139 prf->Update(prf->prfctx, exchange->cookies +
1140 (initiator ? ISAKMP_HDR_ICOOKIE_OFF : ISAKMP_HDR_RCOOKIE_OFF),
1141 ISAKMP_HDR_ICOOKIE_LEN);
1142 prf->Update(prf->prfctx, ie->sa_i_b, ie->sa_i_b_len);
1143 prf->Update(prf->prfctx, id, id_len);
1144 prf->Final(hash->digest, prf->prfctx);
1145 prf_free(prf);
1146 snprintf(header, sizeof header, "ike_phase_1_recv_AUTH: "
1147 "computed HASH_%c", initiator ? 'R' : 'I');
1148 LOG_DBG_BUF((LOG_NEGOTIATION, 80, header, hash->digest, hashsize));
1149
1150 /* Check that the hash we got matches the one we computed. */
1151 if (memcmp(*hash_p, hash->digest, hashsize) != 0) {
1152 /* XXX Log? */
1153 return -1;
1154 }
1155
1156 /* Mark message as authenticated. */
1157 msg->flags |= MSG_AUTHENTICATED;
1158
1159 return 0;
1160 }
1161
1162 struct attr_node {
1163 LIST_ENTRY(attr_node) link;
1164 u_int16_t type;
1165 };
1166
1167 struct validation_state {
1168 struct conf_list_node *xf;
1169 LIST_HEAD(attr_head, attr_node) attrs;
1170 char *life;
1171 };
1172
1173 /* Validate a proposal inside SA according to EXCHANGE's policy. */
1174 static int
ike_phase_1_validate_prop(struct exchange * exchange,struct sa * sa,struct sa * isakmp_sa)1175 ike_phase_1_validate_prop(struct exchange *exchange, struct sa *sa,
1176 struct sa *isakmp_sa)
1177 {
1178 struct conf_list *conf, *tags;
1179 struct conf_list_node *xf, *tag;
1180 struct proto *proto;
1181 struct validation_state vs;
1182 struct attr_node *node, *next_node;
1183
1184 /* Get the list of transforms. */
1185 conf = conf_get_list(exchange->policy, "Transforms");
1186 if (!conf)
1187 return 0;
1188
1189 for (xf = TAILQ_FIRST(&conf->fields); xf; xf = TAILQ_NEXT(xf, link)) {
1190 for (proto = TAILQ_FIRST(&sa->protos); proto;
1191 proto = TAILQ_NEXT(proto, link)) {
1192 /* Mark all attributes in our policy as unseen. */
1193 LIST_INIT(&vs.attrs);
1194 vs.xf = xf;
1195 vs.life = 0;
1196 if (attribute_map(proto->chosen->p +
1197 ISAKMP_TRANSFORM_SA_ATTRS_OFF,
1198 GET_ISAKMP_GEN_LENGTH(proto->chosen->p) -
1199 ISAKMP_TRANSFORM_SA_ATTRS_OFF,
1200 attribute_unacceptable, &vs))
1201 goto try_next;
1202
1203 /* Sweep over unseen tags in this section. */
1204 tags = conf_get_tag_list(xf->field);
1205 if (tags) {
1206 for (tag = TAILQ_FIRST(&tags->fields); tag;
1207 tag = TAILQ_NEXT(tag, link))
1208 /*
1209 * XXX Should we care about attributes
1210 * we have, they do not provide?
1211 */
1212 for (node = LIST_FIRST(&vs.attrs);
1213 node; node = next_node) {
1214 next_node =
1215 LIST_NEXT(node, link);
1216 if (node->type ==
1217 constant_value(ike_attr_cst,
1218 tag->field)) {
1219 LIST_REMOVE(node, link);
1220 free(node);
1221 }
1222 }
1223 conf_free_list(tags);
1224 }
1225 /* Are there leftover tags in this section? */
1226 node = LIST_FIRST(&vs.attrs);
1227 if (node)
1228 goto try_next;
1229 }
1230
1231 /* All protocols were OK, we succeeded. */
1232 LOG_DBG((LOG_NEGOTIATION, 20, "ike_phase_1_validate_prop: "
1233 "success"));
1234 conf_free_list(conf);
1235 free(vs.life);
1236 return 1;
1237
1238 try_next:
1239 /* Are there leftover tags in this section? */
1240 node = LIST_FIRST(&vs.attrs);
1241 while (node) {
1242 LIST_REMOVE(node, link);
1243 free(node);
1244 node = LIST_FIRST(&vs.attrs);
1245 }
1246 free(vs.life);
1247 }
1248
1249 LOG_DBG((LOG_NEGOTIATION, 20, "ike_phase_1_validate_prop: failure"));
1250 conf_free_list(conf);
1251 return 0;
1252 }
1253
1254 /*
1255 * Look at the attribute of type TYPE, located at VALUE for LEN bytes forward.
1256 * The VVS argument holds a validation state kept across invocations.
1257 * If the attribute is unacceptable to use, return non-zero, otherwise zero.
1258 */
1259 static int
attribute_unacceptable(u_int16_t type,u_int8_t * value,u_int16_t len,void * vvs)1260 attribute_unacceptable(u_int16_t type, u_int8_t *value, u_int16_t len,
1261 void *vvs)
1262 {
1263 struct validation_state *vs = vvs;
1264 struct conf_list *life_conf;
1265 struct conf_list_node *xf = vs->xf, *life;
1266 char *tag = constant_lookup(ike_attr_cst, type);
1267 char *str;
1268 struct constant_map *map;
1269 struct attr_node *node;
1270 int rv, dur = 0;
1271
1272 if (!tag) {
1273 log_print("attribute_unacceptable: "
1274 "attribute type %d not known", type);
1275 return 1;
1276 }
1277 switch (type) {
1278 case IKE_ATTR_ENCRYPTION_ALGORITHM:
1279 case IKE_ATTR_HASH_ALGORITHM:
1280 case IKE_ATTR_AUTHENTICATION_METHOD:
1281 case IKE_ATTR_GROUP_DESCRIPTION:
1282 case IKE_ATTR_GROUP_TYPE:
1283 case IKE_ATTR_PRF:
1284 str = conf_get_str(xf->field, tag);
1285 if (!str) {
1286 /* This attribute does not exist in this policy. */
1287 log_print("attribute_unacceptable: "
1288 "attr %s does not exist in %s", tag, xf->field);
1289 return 1;
1290 }
1291 map = constant_link_lookup(ike_attr_cst, type);
1292 if (!map)
1293 return 1;
1294
1295 if ((constant_value(map, str) == decode_16(value)) ||
1296 (!strcmp(str, "ANY"))) {
1297 /* Mark this attribute as seen. */
1298 node = malloc(sizeof *node);
1299 if (!node) {
1300 log_error("attribute_unacceptable: "
1301 "malloc (%lu) failed",
1302 (unsigned long)sizeof *node);
1303 return 1;
1304 }
1305 node->type = type;
1306 LIST_INSERT_HEAD(&vs->attrs, node, link);
1307 return 0;
1308 }
1309 log_print("attribute_unacceptable: %s: got %s, expected %s",
1310 tag, constant_name(map, decode_16(value)), str);
1311 return 1;
1312
1313 case IKE_ATTR_GROUP_PRIME:
1314 case IKE_ATTR_GROUP_GENERATOR_1:
1315 case IKE_ATTR_GROUP_GENERATOR_2:
1316 case IKE_ATTR_GROUP_CURVE_A:
1317 case IKE_ATTR_GROUP_CURVE_B:
1318 /* XXX Bignums not handled yet. */
1319 log_print("attribute_unacceptable: "
1320 "bignum type %d not supported", type);
1321 return 1;
1322
1323 case IKE_ATTR_LIFE_TYPE:
1324 case IKE_ATTR_LIFE_DURATION:
1325 life_conf = conf_get_list(xf->field, "Life");
1326 if (life_conf &&
1327 !strcmp(conf_get_str(xf->field, "Life"), "ANY")) {
1328 conf_free_list(life_conf);
1329 return 0;
1330 }
1331
1332 rv = 1;
1333 if (!life_conf) {
1334 /* Life attributes given, but not in our policy. */
1335 log_print("attribute_unacceptable: "
1336 "life attribute received, none in policy");
1337 return 1;
1338 }
1339 /*
1340 * Each lifetime type must match, otherwise we turn the
1341 * proposal down. In order to do this we need to find the
1342 * specific section of our policy's "Life" list and match
1343 * its duration.
1344 */
1345 switch (type) {
1346 case IKE_ATTR_LIFE_TYPE:
1347 for (life = TAILQ_FIRST(&life_conf->fields); life;
1348 life = TAILQ_NEXT(life, link)) {
1349 str = conf_get_str(life->field, "LIFE_TYPE");
1350 if (!str) {
1351 log_print("attribute_unacceptable: "
1352 "section [%s] has no LIFE_TYPE",
1353 life->field);
1354 continue;
1355 }
1356
1357 /*
1358 * If this is the type we are looking at,
1359 * save a pointer to this section in vs->life.
1360 */
1361 if (constant_value(ike_duration_cst, str) ==
1362 decode_16(value)) {
1363 vs->life = strdup(life->field);
1364 rv = 0;
1365 goto bail_out;
1366 }
1367 }
1368 log_print("attribute_unacceptable: "
1369 "unrecognized LIFE_TYPE %d", decode_16(value));
1370 vs->life = 0;
1371 break;
1372
1373 case IKE_ATTR_LIFE_DURATION:
1374 if (!vs->life) {
1375 log_print("attribute_unacceptable: "
1376 "LIFE_DURATION without LIFE_TYPE");
1377 rv = 1;
1378 goto bail_out;
1379 }
1380 str = conf_get_str(vs->life, "LIFE_DURATION");
1381 if (str) {
1382 if (!strcmp(str, "ANY"))
1383 rv = 0;
1384 else {
1385 dur = (len == 4) ? decode_32(value) :
1386 decode_16(value);
1387 if ((rv = !conf_match_num(vs->life,
1388 "LIFE_DURATION", dur))) {
1389 log_print(
1390 "attribute_unacceptable: "
1391 "LIFE_DURATION: got %d, "
1392 " expected %s", dur, str);
1393 }
1394 }
1395 } else {
1396 log_print("attribute_unacceptable: "
1397 "section [%s] has no LIFE_DURATION",
1398 vs->life);
1399 rv = 1;
1400 }
1401
1402 free(vs->life);
1403 vs->life = 0;
1404 break;
1405 }
1406
1407 bail_out:
1408 conf_free_list(life_conf);
1409 return rv;
1410
1411 case IKE_ATTR_KEY_LENGTH:
1412 case IKE_ATTR_FIELD_SIZE:
1413 case IKE_ATTR_GROUP_ORDER:
1414 if (conf_match_num(xf->field, tag, decode_16(value))) {
1415 /* Mark this attribute as seen. */
1416 node = malloc(sizeof *node);
1417 if (!node) {
1418 log_error("attribute_unacceptable: "
1419 "malloc (%lu) failed",
1420 (unsigned long)sizeof *node);
1421 return 1;
1422 }
1423 node->type = type;
1424 LIST_INSERT_HEAD(&vs->attrs, node, link);
1425 return 0;
1426 }
1427 return 1;
1428 default:
1429 log_print("attribute_unacceptable: unexpected type %d",
1430 type);
1431 }
1432 return 1;
1433 }
1434