/*	$NetBSD: proposal.c,v 1.17 2008/09/19 11:14:49 tteras Exp $	*/

/* $Id: proposal.c,v 1.17 2008/09/19 11:14:49 tteras Exp $ */

/*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the project nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

34 | #include "config.h" |
---|
35 | |
---|
36 | #include <sys/param.h> |
---|
37 | #include <sys/types.h> |
---|
38 | #include <sys/socket.h> |
---|
39 | #include <sys/queue.h> |
---|
40 | |
---|
41 | #include <netinet/in.h> |
---|
42 | #include PATH_IPSEC_H |
---|
43 | |
---|
44 | #include <stdlib.h> |
---|
45 | #include <stdio.h> |
---|
46 | #include <string.h> |
---|
47 | #include <errno.h> |
---|
48 | |
---|
49 | #include "var.h" |
---|
50 | #include "misc.h" |
---|
51 | #include "vmbuf.h" |
---|
52 | #include "plog.h" |
---|
53 | #include "sockmisc.h" |
---|
54 | #include "debug.h" |
---|
55 | |
---|
56 | #include "policy.h" |
---|
57 | #include "pfkey.h" |
---|
58 | #include "isakmp_var.h" |
---|
59 | #include "isakmp.h" |
---|
60 | #include "ipsec_doi.h" |
---|
61 | #include "algorithm.h" |
---|
62 | #include "proposal.h" |
---|
63 | #include "sainfo.h" |
---|
64 | #include "localconf.h" |
---|
65 | #include "remoteconf.h" |
---|
66 | #include "oakley.h" |
---|
67 | #include "handler.h" |
---|
68 | #include "strnames.h" |
---|
69 | #include "gcmalloc.h" |
---|
70 | #ifdef ENABLE_NATT |
---|
71 | #include "nattraversal.h" |
---|
72 | #endif |
---|
73 | |
---|
/*
 * Next IPsec request id to hand out; starts at 1.
 * Not referenced by any code shown in this part of the file -- presumably
 * consumed by a reqid allocator further down; verify before relying on it.
 */
static uint g_nextreqid = 1;

/* %%%
 * modules for ipsec sa spec
 */

/*
 * Allocate a zero-filled struct saprop.
 * Returns the new object, or NULL if racoon_calloc() fails.  The caller
 * owns the result and releases it (and everything hung off it) with
 * flushsaprop().
 */
struct saprop *
newsaprop(void)
{
	struct saprop *pp = racoon_calloc(1, sizeof(*pp));

	return pp;
}

/*
 * Allocate a zero-filled struct saproto.
 * Returns the new object, or NULL if racoon_calloc() fails.  Released
 * with flushsaproto() once it is linked into a saprop.
 */
struct saproto *
newsaproto(void)
{
	struct saproto *pr = racoon_calloc(1, sizeof(*pr));

	return pr;
}

/*
 * Append a saprop to the end of the list rooted at *head.
 * An empty list (*head == NULL) simply becomes the new entry.
 * new->next is left untouched.
 */
void
inssaprop(struct saprop **head, struct saprop *new)
{
	struct saprop **link = head;

	/* walk to the NULL tail slot and hang the new entry there */
	while (*link != NULL)
		link = &(*link)->next;
	*link = new;
}

/*
 * Append a saproto to the end of pp's protocol list.
 * new->next is left untouched.
 */
void
inssaproto(struct saprop *pp, struct saproto *new)
{
	struct saproto **link = &pp->head;

	/* an empty list makes *link == &pp->head, so the head is set directly */
	while (*link != NULL)
		link = &(*link)->next;
	*link = new;
}

/*
 * Push a saproto onto the front of pp's protocol list.
 * new->next is overwritten with the previous head.
 */
void
inssaprotorev(struct saprop *pp, struct saproto *new)
{
	struct saproto *oldhead = pp->head;

	pp->head = new;
	new->next = oldhead;
}

/*
 * Allocate a zero-filled struct satrns.
 * Returns the new object, or NULL if racoon_calloc() fails.  Released
 * with flushsatrns() once it is linked into a saproto.
 */
struct satrns *
newsatrns(void)
{
	struct satrns *tr = racoon_calloc(1, sizeof(*tr));

	return tr;
}

/*
 * Append a satrns to the end of pr's transform list.
 * new->next is left untouched.
 */
void
inssatrns(struct saproto *pr, struct satrns *new)
{
	struct satrns **link = &pr->head;

	while (*link != NULL)
		link = &(*link)->next;
	*link = new;
}

/*
 * Take a single match between two saprop trees and allocate a new saprop
 * describing the agreed proposal (like picking a single proposal from a
 * bundle).
 * ph1:  phase 1 handle; ph1->rmconf->pcheck_level decides how strictly
 *       lifetime/lifebyte/PFS group (here) and key length (cmpsatrns())
 *       are compared.
 * pp1:  peer's proposal.
 * pp2:  my proposal.
 * side: RESPONDER or INITIATOR; selects which list is scanned when pairing
 *       protocols by proto_id.
 * Returns a freshly allocated saprop that the caller releases with
 * flushsaprop(), or NULL on any mismatch or allocation failure.
 * NOTE: In the case of initiator, must be ensured that there is no
 * modification of the proposal by calling cmp_aproppair_i() before
 * this function.
 * XXX cannot understand the comment!
 * Side effect: with ENABLE_NATT, when NAT was detected the encmode and
 * udp_encap fields of the saproto entries of BOTH inputs are rewritten in
 * place (the const on pp1/pp2 does not reach the entries hanging off
 * ->head).
 */
struct saprop *
cmpsaprop_alloc(ph1, pp1, pp2, side)
	struct ph1handle *ph1;
	const struct saprop *pp1, *pp2;
	int side;
{
	struct saprop *newpp = NULL;
	struct saproto *pr1, *pr2, *newpr = NULL;
	struct satrns *tr1, *tr2, *newtr;
	const int ordermatters = 0;	/* protocol order is never enforced */
	int npr1, npr2;
	int spisizematch;

	newpp = newsaprop();
	if (newpp == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to allocate saprop.\n");
		return NULL;
	}
	newpp->prop_no = pp1->prop_no;

	/* see proposal.h about lifetime/key length and PFS selection. */

	/* check time/bytes lifetime and PFS */
	switch (ph1->rmconf->pcheck_level) {
	case PROP_CHECK_OBEY:
		/* take the peer's values without comparing them at all */
		newpp->lifetime = pp1->lifetime;
		newpp->lifebyte = pp1->lifebyte;
		newpp->pfs_group = pp1->pfs_group;
		break;

	case PROP_CHECK_STRICT:
		/* the peer may propose shorter lifetimes than ours, never longer */
		if (pp1->lifetime > pp2->lifetime) {
			plog(LLV_ERROR, LOCATION, NULL,
				"long lifetime proposed: "
				"my:%d peer:%d\n",
				(int)pp2->lifetime, (int)pp1->lifetime);
			goto err;
		}
		if (pp1->lifebyte > pp2->lifebyte) {
			plog(LLV_ERROR, LOCATION, NULL,
				"long lifebyte proposed: "
				"my:%d peer:%d\n",
				pp2->lifebyte, pp1->lifebyte);
			goto err;
		}
		newpp->lifetime = pp1->lifetime;
		newpp->lifebyte = pp1->lifebyte;

	prop_pfs_check:
		/*
		 * Shared by STRICT and CLAIM (CLAIM jumps here).  When our own
		 * pfs_group is 0 the peer's group is accepted unchecked.
		 */
		if (pp2->pfs_group != 0 && pp1->pfs_group != pp2->pfs_group) {
			plog(LLV_ERROR, LOCATION, NULL,
				"pfs group mismatched: "
				"my:%d peer:%d\n",
				pp2->pfs_group, pp1->pfs_group);
			goto err;
		}
		newpp->pfs_group = pp1->pfs_group;
		break;

	case PROP_CHECK_CLAIM:
		/* lifetime: accept the peer's if not longer, else claim our own */
		if (pp1->lifetime <= pp2->lifetime) {
			newpp->lifetime = pp1->lifetime;
		} else {
			newpp->lifetime = pp2->lifetime;
			newpp->claim |= IPSECDOI_ATTR_SA_LD_TYPE_SEC;
			plog(LLV_NOTIFY, LOCATION, NULL,
				"use own lifetime: "
				"my:%d peer:%d\n",
				(int)pp2->lifetime, (int)pp1->lifetime);
		}

		/*
		 * lifebyte
		 * NOTE(review): the unconditional assignment after this block
		 * overrides the pp2->lifebyte chosen inside it, so "use own
		 * lifebyte" is logged and the claim bit set, yet the peer's value
		 * is what ends up in newpp.  This may be deliberate (the claim
		 * notify may only carry seconds) -- confirm against the quick-mode
		 * responder code before changing it.
		 */
		if (pp1->lifebyte > pp2->lifebyte) {
			newpp->lifebyte = pp2->lifebyte;
			newpp->claim |= IPSECDOI_ATTR_SA_LD_TYPE_SEC;
			plog(LLV_NOTIFY, LOCATION, NULL,
				"use own lifebyte: "
				"my:%d peer:%d\n",
				pp2->lifebyte, pp1->lifebyte);
		}
		newpp->lifebyte = pp1->lifebyte;

		goto prop_pfs_check;
		break;

	case PROP_CHECK_EXACT:
		/* every value must be identical on both sides */
		if (pp1->lifetime != pp2->lifetime) {
			plog(LLV_ERROR, LOCATION, NULL,
				"lifetime mismatched: "
				"my:%d peer:%d\n",
				(int)pp2->lifetime, (int)pp1->lifetime);
			goto err;
		}

		if (pp1->lifebyte != pp2->lifebyte) {
			plog(LLV_ERROR, LOCATION, NULL,
				"lifebyte mismatched: "
				"my:%d peer:%d\n",
				pp2->lifebyte, pp1->lifebyte);
			goto err;
		}
		if (pp1->pfs_group != pp2->pfs_group) {
			plog(LLV_ERROR, LOCATION, NULL,
				"pfs group mismatched: "
				"my:%d peer:%d\n",
				pp2->pfs_group, pp1->pfs_group);
			goto err;
		}
		newpp->lifetime = pp1->lifetime;
		newpp->lifebyte = pp1->lifebyte;
		newpp->pfs_group = pp1->pfs_group;
		break;

	default:
		plog(LLV_ERROR, LOCATION, NULL,
			"invalid pcheck_level why?.\n");
		goto err;
	}

#ifdef HAVE_SECCTX
	/* check the security_context properties.
	 * It is possible for one side to have a security context
	 * and the other side doesn't. If so, this is an error.
	 * "Having" a context means the first byte of ctx_str is non-zero.
	 */

	if (*pp1->sctx.ctx_str && !(*pp2->sctx.ctx_str)) {
		plog(LLV_ERROR, LOCATION, NULL,
			"My proposal missing security context\n");
		goto err;
	}
	if (!(*pp1->sctx.ctx_str) && *pp2->sctx.ctx_str) {
		plog(LLV_ERROR, LOCATION, NULL,
			"Peer is missing security context\n");
		goto err;
	}

	/* both sides carry a context: doi, alg, length and bytes must agree */
	if (*pp1->sctx.ctx_str && *pp2->sctx.ctx_str) {
		if (pp1->sctx.ctx_doi == pp2->sctx.ctx_doi)
			newpp->sctx.ctx_doi = pp1->sctx.ctx_doi;
		else {
			plog(LLV_ERROR, LOCATION, NULL,
				"sec doi mismatched: my:%d peer:%d\n",
				pp2->sctx.ctx_doi, pp1->sctx.ctx_doi);
			goto err;
		}

		if (pp1->sctx.ctx_alg == pp2->sctx.ctx_alg)
			newpp->sctx.ctx_alg = pp1->sctx.ctx_alg;
		else {
			plog(LLV_ERROR, LOCATION, NULL,
				"sec alg mismatched: my:%d peer:%d\n",
				pp2->sctx.ctx_alg, pp1->sctx.ctx_alg);
			goto err;
		}

		/* length is compared first so memcmp() never reads past the shorter string */
		if ((pp1->sctx.ctx_strlen != pp2->sctx.ctx_strlen) ||
		    memcmp(pp1->sctx.ctx_str, pp2->sctx.ctx_str,
		    pp1->sctx.ctx_strlen) != 0) {
			plog(LLV_ERROR, LOCATION, NULL,
				"sec ctx string mismatched: my:%s peer:%s\n",
				pp2->sctx.ctx_str, pp1->sctx.ctx_str);
			goto err;
		} else {
			newpp->sctx.ctx_strlen = pp1->sctx.ctx_strlen;
			memcpy(newpp->sctx.ctx_str, pp1->sctx.ctx_str,
				pp1->sctx.ctx_strlen);
		}
	}
#endif /* HAVE_SECCTX */

	/* both proposals must carry the same number of protocols */
	npr1 = npr2 = 0;
	for (pr1 = pp1->head; pr1; pr1 = pr1->next)
		npr1++;
	for (pr2 = pp2->head; pr2; pr2 = pr2->next)
		npr2++;
	if (npr1 != npr2)
		goto err;

	/* check protocol order */
	pr1 = pp1->head;
	pr2 = pp2->head;

	while (1) {
		if (!ordermatters) {
			/*
			 * XXX does not work if we have multiple proposals
			 * with the same proto_id
			 *
			 * Pair the current entry of one list with the first
			 * entry of the other list that has the same proto_id.
			 * As responder the peer's list (pp1) is rescanned for
			 * our current pr2; as initiator our list (pp2) is
			 * rescanned for the peer's current pr1.
			 */
			switch (side) {
			case RESPONDER:
				if (!pr2)
					break;
				for (pr1 = pp1->head; pr1; pr1 = pr1->next) {
					if (pr1->proto_id == pr2->proto_id)
						break;
				}
				break;
			case INITIATOR:
				if (!pr1)
					break;
				for (pr2 = pp2->head; pr2; pr2 = pr2->next) {
					if (pr2->proto_id == pr1->proto_id)
						break;
				}
				break;
			}
		}
		/* one list exhausted (or no partner found): leave the loop */
		if (!pr1 || !pr2)
			break;

		if (pr1->proto_id != pr2->proto_id) {
			plog(LLV_ERROR, LOCATION, NULL,
				"proto_id mismatched: "
				"my:%s peer:%s\n",
				s_ipsecdoi_proto(pr2->proto_id),
				s_ipsecdoi_proto(pr1->proto_id));
			goto err;
		}
		spisizematch = 0;
		if (pr1->spisize == pr2->spisize)
			spisizematch = 1;
		else if (pr1->proto_id == IPSECDOI_PROTO_IPCOMP) {
			/*
			 * draft-shacham-ippcp-rfc2393bis-05.txt:
			 * need to accept 16bit and 32bit SPI (CPI) for IPComp.
			 */
			if (pr1->spisize == sizeof(u_int16_t) &&
			    pr2->spisize == sizeof(u_int32_t)) {
				spisizematch = 1;
			} else if (pr2->spisize == sizeof(u_int16_t) &&
				 pr1->spisize == sizeof(u_int32_t)) {
				spisizematch = 1;
			}
			if (spisizematch) {
				/* logged at LLV_ERROR although the size is accepted */
				plog(LLV_ERROR, LOCATION, NULL,
				    "IPComp SPI size promoted "
				    "from 16bit to 32bit\n");
			}
		}
		if (!spisizematch) {
			plog(LLV_ERROR, LOCATION, NULL,
				"spisize mismatched: "
				"my:%d peer:%d\n",
				(int)pr2->spisize, (int)pr1->spisize);
			goto err;
		}

#ifdef ENABLE_NATT
		/*
		 * Behind NAT, map a UDP-encapsulated encmode back to the plain
		 * mode (mode_udp_diff apart) so the comparison below works, and
		 * remember the encapsulation in udp_encap.  This mutates the
		 * input entries, not only the copy being built.
		 */
		if ((ph1->natt_flags & NAT_DETECTED) &&
		    natt_udp_encap (pr2->encmode))
		{
			plog(LLV_INFO, LOCATION, NULL, "Adjusting my encmode %s->%s\n",
			     s_ipsecdoi_encmode(pr2->encmode),
			     s_ipsecdoi_encmode(pr2->encmode - ph1->natt_options->mode_udp_diff));
			pr2->encmode -= ph1->natt_options->mode_udp_diff;
			pr2->udp_encap = 1;
		}

		if ((ph1->natt_flags & NAT_DETECTED) &&
		    natt_udp_encap (pr1->encmode))
		{
			plog(LLV_INFO, LOCATION, NULL, "Adjusting peer's encmode %s(%d)->%s(%d)\n",
			     s_ipsecdoi_encmode(pr1->encmode),
			     pr1->encmode,
			     s_ipsecdoi_encmode(pr1->encmode - ph1->natt_options->mode_udp_diff),
			     pr1->encmode - ph1->natt_options->mode_udp_diff);
			pr1->encmode -= ph1->natt_options->mode_udp_diff;
			pr1->udp_encap = 1;
		}
#endif

		if (pr1->encmode != pr2->encmode) {
			plog(LLV_ERROR, LOCATION, NULL,
				"encmode mismatched: "
				"my:%s peer:%s\n",
				s_ipsecdoi_encmode(pr2->encmode),
				s_ipsecdoi_encmode(pr1->encmode));
			goto err;
		}

		/*
		 * First transform pair accepted by cmpsatrns() wins, scanning in
		 * the peer's order; no pair at all fails the whole proposal.
		 */
		for (tr1 = pr1->head; tr1; tr1 = tr1->next) {
			for (tr2 = pr2->head; tr2; tr2 = tr2->next) {
				if (cmpsatrns(pr1->proto_id, tr1, tr2, ph1->rmconf->pcheck_level) == 0)
					goto found;
			}
		}

		goto err;

	    found:
		newpr = newsaproto();
		if (newpr == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
				"failed to allocate saproto.\n");
			goto err;
		}
		/* protocol attributes come from the peer, SPIs and reqids from both sides */
		newpr->proto_id = pr1->proto_id;
		newpr->spisize = pr1->spisize;
		newpr->encmode = pr1->encmode;
		newpr->spi = pr2->spi;		/* copy my SPI */
		newpr->spi_p = pr1->spi;	/* copy peer's SPI */
		newpr->reqid_in = pr2->reqid_in;
		newpr->reqid_out = pr2->reqid_out;
#ifdef ENABLE_NATT
		newpr->udp_encap = pr1->udp_encap | pr2->udp_encap;
#endif

		newtr = newsatrns();
		if (newtr == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
				"failed to allocate satrns.\n");
			/* newpr has no transforms yet and is not linked into newpp */
			racoon_free(newpr);
			goto err;
		}
		/* the agreed transform is the peer's matching entry */
		newtr->trns_no = tr1->trns_no;
		newtr->trns_id = tr1->trns_id;
		newtr->encklen = tr1->encklen;
		newtr->authtype = tr1->authtype;

		inssatrns(newpr, newtr);
		inssaproto(newpp, newpr);

		pr1 = pr1->next;
		pr2 = pr2->next;
	}

	/* XXX should check if we have visited all items or not */
	if (!ordermatters) {
		/* the rescanned list may legitimately end first; clear it too */
		switch (side) {
		case RESPONDER:
			if (!pr2)
				pr1 = NULL;
			break;
		case INITIATOR:
			if (!pr1)
				pr2 = NULL;
			break;
		}
	}

	/* should be matched all protocols in a proposal */
	if (pr1 != NULL || pr2 != NULL)
		goto err;

	return newpp;

err:
	/* releases newpp and every saproto/satrns already linked into it */
	flushsaprop(newpp);
	return NULL;
}

/*
 * Compare the header fields (pfs_group, lifetime, lifebyte) of two saprops.
 * Differences are only logged as warnings; the function always returns 0,
 * i.e. the two proposals are always reported as equal.  Note that the log
 * text labels pp1 as "mine", unlike cmpsaprop_alloc() where pp1 is the peer's.
 */
int
cmpsaprop(const struct saprop *pp1, const struct saprop *pp2)
{
	if (pp1->pfs_group != pp2->pfs_group)
		plog(LLV_WARNING, LOCATION, NULL,
			"pfs_group mismatch. mine:%d peer:%d\n",
			pp1->pfs_group, pp2->pfs_group);

	if (pp1->lifetime > pp2->lifetime)
		plog(LLV_WARNING, LOCATION, NULL,
			"less lifetime proposed. mine:%d peer:%d\n",
			(int)pp1->lifetime, (int)pp2->lifetime);

	if (pp1->lifebyte > pp2->lifebyte)
		plog(LLV_WARNING, LOCATION, NULL,
			"less lifebyte proposed. mine:%d peer:%d\n",
			pp1->lifebyte, pp2->lifebyte);

	return 0;
}

/*
 * Take a single match between satrns.  Returns 0 if tr1 is acceptable
 * against tr2, 1 otherwise (the reason is logged at LLV_WARNING).
 * proto_id:    protocol the transforms belong to (only used for the log).
 * tr1:         peer's satrns.
 * tr2:         my satrns.
 * check_level: PROP_CHECK_* level governing the key length comparison;
 *              trns_id and authtype must always match.
 */
int
cmpsatrns(int proto_id, const struct satrns *tr1, const struct satrns *tr2,
    int check_level)
{
	if (tr1->trns_id != tr2->trns_id) {
		plog(LLV_WARNING, LOCATION, NULL,
			"trns_id mismatched: "
			"my:%s peer:%s\n",
			s_ipsecdoi_trns(proto_id, tr2->trns_id),
			s_ipsecdoi_trns(proto_id, tr1->trns_id));
		return 1;
	}

	if (tr1->authtype != tr2->authtype) {
		plog(LLV_WARNING, LOCATION, NULL,
			"authtype mismatched: "
			"my:%s peer:%s\n",
			s_ipsecdoi_attr_v(IPSECDOI_ATTR_AUTH, tr2->authtype),
			s_ipsecdoi_attr_v(IPSECDOI_ATTR_AUTH, tr1->authtype));
		return 1;
	}

	/* Check key length regarding checkmode
	 * XXX Shall we send some kind of notify message when key length rejected ?
	 */
	if (check_level == PROP_CHECK_STRICT || check_level == PROP_CHECK_CLAIM) {
		/* the peer may offer a longer key than ours, never a shorter one */
		if (tr1->encklen < tr2->encklen) {
			plog(LLV_WARNING, LOCATION, NULL,
				"low key length proposed, "
				"mine:%d peer:%d.\n",
				tr2->encklen, tr1->encklen);
			return 1;
		}
	} else if (check_level == PROP_CHECK_EXACT) {
		if (tr1->encklen != tr2->encklen) {
			plog(LLV_WARNING, LOCATION, NULL,
				"key length mismatched, "
				"mine:%d peer:%d.\n",
				tr2->encklen, tr1->encklen);
			return 1;
		}
	}
	/* PROP_CHECK_OBEY (and any unknown level) does not check the key length */

	return 0;
}

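/*
 * Append one transform with the given attributes to pr.
 * Returns 0 on success, -1 (after logging) if the allocation fails.
 */
static int
set_satrnsbysainfo_add(struct saproto *pr, int trns_no, int trns_id,
    int encklen, int authtype)
{
	struct satrns *newtr = newsatrns();

	if (newtr == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to allocate satrns.\n");
		return -1;
	}
	newtr->trns_no = trns_no;
	newtr->trns_id = trns_id;
	newtr->encklen = encklen;
	newtr->authtype = authtype;
	inssatrns(pr, newtr);
	return 0;
}

/*
 * Build the transform list of pr from the algorithms configured in sainfo,
 * according to pr->proto_id:
 *   AH:     one transform per auth algorithm (IPSECDOI_ATTR_AUTH_NONE skipped);
 *   ESP:    one transform per (encryption, auth) algorithm pair;
 *   IPCOMP: one transform per compression algorithm, authtype NONE.
 * Transform numbers start at 1.
 * Returns 0 on success and -1 on error (unknown proto_id, no algorithm of
 * the required class configured, allocation failure, or no transform
 * produced at all).  On the allocation/unknown-proto path any transforms
 * already attached are freed and pr->head is reset to NULL, so the caller
 * never sees a dangling list head.
 */
int
set_satrnsbysainfo(struct saproto *pr, struct sainfo *sainfo)
{
	struct sainfoalg *a, *b;
	int t;

	switch (pr->proto_id) {
	case IPSECDOI_PROTO_IPSEC_AH:
		if (sainfo->algs[algclass_ipsec_auth] == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
				"no auth algorithm found\n");
			goto err;
		}
		t = 1;
		for (a = sainfo->algs[algclass_ipsec_auth]; a; a = a->next) {
			/* AH without authentication is meaningless: skip "none" */
			if (a->alg == IPSECDOI_ATTR_AUTH_NONE)
				continue;
			if (set_satrnsbysainfo_add(pr, t++,
			    ipsecdoi_authalg2trnsid(a->alg), 0, a->alg) < 0)
				goto err;
		}
		break;
	case IPSECDOI_PROTO_IPSEC_ESP:
		if (sainfo->algs[algclass_ipsec_enc] == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
				"no encryption algorithm found\n");
			goto err;
		}
		t = 1;
		/* cross product of encryption and auth algorithms; an empty
		 * auth list yields no transform and is caught below */
		for (a = sainfo->algs[algclass_ipsec_enc]; a; a = a->next) {
			for (b = sainfo->algs[algclass_ipsec_auth]; b; b = b->next) {
				if (set_satrnsbysainfo_add(pr, t++, a->alg,
				    a->encklen, b->alg) < 0)
					goto err;
			}
		}
		break;
	case IPSECDOI_PROTO_IPCOMP:
		if (sainfo->algs[algclass_ipsec_comp] == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
				"no ipcomp algorithm found\n");
			goto err;
		}
		t = 1;
		for (a = sainfo->algs[algclass_ipsec_comp]; a; a = a->next) {
			if (set_satrnsbysainfo_add(pr, t++, a->alg, 0,
			    IPSECDOI_ATTR_AUTH_NONE /*no auth*/) < 0)
				goto err;
		}
		break;
	default:
		plog(LLV_ERROR, LOCATION, NULL,
			"unknown proto_id (%d).\n", pr->proto_id);
		goto err;
	}

	/* no proposal found */
	if (pr->head == NULL) {
		plog(LLV_ERROR, LOCATION, NULL, "no algorithms found.\n");
		return -1;
	}

	return 0;

err:
	flushsatrns(pr->head);
	pr->head = NULL;	/* the list is gone; do not leave a stale pointer */
	return -1;
}
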
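/*
 * Convert a prop_pair tree (one proposal: protocols along ->next, the
 * transforms of each protocol along ->tnext) into a freshly allocated
 * saprop.  Lifetime/lifebyte of the saprop are filled in by
 * ipsecdoi_t2satrns() from the transform attributes.
 * p0: first prop_pair of the proposal; NULL yields NULL.
 * Returns the new saprop (released by the caller with flushsaprop()), or
 * NULL on allocation failure, an SPI larger than the spi field, or an
 * ipsecdoi_t2satrns() failure.  Nothing is leaked on the error paths.
 */
struct saprop *
aproppair2saprop(struct prop_pair *p0)
{
	struct prop_pair *p, *t;
	struct saprop *newpp;
	struct saproto *newpr;
	struct satrns *newtr;
	u_int8_t *spi;

	if (p0 == NULL)
		return NULL;

	/* allocate ipsec a sa proposal */
	newpp = newsaprop();
	if (newpp == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to allocate saprop.\n");
		return NULL;
	}
	newpp->prop_no = p0->prop->p_no;
	/* lifetime & lifebyte must be updated later */

	for (p = p0; p; p = p->next) {

		/* allocate ipsec sa protocol */
		newpr = newsaproto();
		if (newpr == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
				"failed to allocate saproto.\n");
			goto err;
		}

		/* check spi size */
		/* XXX should be handled isakmp cookie */
		if (sizeof(newpr->spi) < p->prop->spi_size) {
			plog(LLV_ERROR, LOCATION, NULL,
				"invalid spi size %d.\n", p->prop->spi_size);
			goto err_proto;
		}

		/*
		 * XXX SPI bits are left-filled, for use with IPComp.
		 * we should be switching to variable-length spi field...
		 * The spi_size bytes following the proposal header are
		 * copied into the low-order end of newpr->spi; the check
		 * above guarantees they fit.
		 */
		newpr->proto_id = p->prop->proto_id;
		newpr->spisize = p->prop->spi_size;
		memset(&newpr->spi, 0, sizeof(newpr->spi));
		spi = (u_int8_t *)&newpr->spi;
		spi += sizeof(newpr->spi);
		spi -= p->prop->spi_size;
		memcpy(spi, p->prop + 1, p->prop->spi_size);
		newpr->reqid_in = 0;
		newpr->reqid_out = 0;

		for (t = p; t; t = t->tnext) {

			plog(LLV_DEBUG, LOCATION, NULL,
				"prop#=%d prot-id=%s spi-size=%d "
				"#trns=%d trns#=%d trns-id=%s\n",
				t->prop->p_no,
				s_ipsecdoi_proto(t->prop->proto_id),
				t->prop->spi_size, t->prop->num_t,
				t->trns->t_no,
				s_ipsecdoi_trns(t->prop->proto_id,
				t->trns->t_id));

			/* allocate ipsec sa transform */
			newtr = newsatrns();
			if (newtr == NULL) {
				plog(LLV_ERROR, LOCATION, NULL,
					"failed to allocate satrns.\n");
				goto err_proto;
			}

			/* parses the transform attributes into newpp/newpr/newtr */
			if (ipsecdoi_t2satrns(t->trns,
			    newpp, newpr, newtr) < 0) {
				racoon_free(newtr);
				goto err_proto;
			}

			inssatrns(newpr, newtr);
		}

		/*
		 * If the peer does not specify encryption mode, use
		 * transport mode by default. This is to conform to
		 * draft-shacham-ippcp-rfc2393bis-08.txt (explicitly specifies
		 * that unspecified == transport), as well as RFC2407
		 * (unspecified == implementation dependent default).
		 */
		if (newpr->encmode == 0)
			newpr->encmode = IPSECDOI_ATTR_ENC_MODE_TRNS;

		inssaproto(newpp, newpr);
	}

	return newpp;

err_proto:
	/*
	 * newpr is not yet linked into newpp, so flushsaprop() below cannot
	 * reach it.  flushsaproto() also releases the transforms already
	 * inserted into newpr, which a bare racoon_free(newpr) would leak;
	 * newpr->next is NULL, so only this one entry is freed.
	 */
	flushsaproto(newpr);
err:
	flushsaprop(newpp);
	return NULL;
}
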
/*
 * Free a whole saprop list, including every saproto and satrns hung off
 * each entry.  NULL is accepted.
 */
void
flushsaprop(struct saprop *head)
{
	while (head != NULL) {
		struct saprop *next = head->next;	/* read before freeing */

		flushsaproto(head->head);
		racoon_free(head);
		head = next;
	}
}

/*
 * Free a whole saproto list: each entry's transforms, its keymat and
 * keymat_p buffers, then the entry itself.  NULL is accepted.
 */
void
flushsaproto(struct saproto *head)
{
	while (head != NULL) {
		struct saproto *next = head->next;	/* read before freeing */

		flushsatrns(head->head);
		vfree(head->keymat);
		vfree(head->keymat_p);
		racoon_free(head);
		head = next;
	}
}

/*
 * Free a whole satrns list.  NULL is accepted.
 */
void
flushsatrns(struct satrns *head)
{
	while (head != NULL) {
		struct satrns *next = head->next;	/* read before freeing */

		racoon_free(head);
		head = next;
	}
}

/*
 * Log every proposal of a saprop list at priority pri, one protocol and
 * transform per line via printsaprop0().  A NULL list logs "(null)".
 */
void
printsaprop(const int pri, const struct saprop *pp)
{
	const struct saprop *p = pp;

	if (p == NULL) {
		plog(pri, LOCATION, NULL, "(null)");
		return;
	}

	do {
		printsaprop0(pri, p);
		p = p->next;
	} while (p != NULL);
}

/*
 * Log one proposal at priority pri by printing each of its protocols with
 * printsaproto().  A NULL proposal prints nothing.
 */
void
printsaprop0(int pri, const struct saprop *pp)
{
	const struct saproto *p;

	if (pp == NULL)
		return;

	p = pp->head;
	while (p != NULL) {
		printsaproto(pri, p);
		p = p->next;
	}
}

/*
 * Log one protocol entry of a proposal -- its DOI protocol id, SPI size,
 * both SPIs, encapsulation mode and request ids -- followed by each of
 * its transforms.  Nothing is printed for a NULL entry.
 */
void
printsaproto(const int pri, const struct saproto *pr)
{
	const struct satrns *trns;

	if (pr == NULL)
		return;

	/* the ntohl() calls imply the SPIs are kept in network byte order */
	plog(pri, LOCATION, NULL,
		" (proto_id=%s spisize=%d spi=%08lx spi_p=%08lx "
		"encmode=%s reqid=%d:%d)\n",
		s_ipsecdoi_proto(pr->proto_id),
		(int)pr->spisize,
		(unsigned long)ntohl(pr->spi),
		(unsigned long)ntohl(pr->spi_p),
		s_ipsecdoi_attr_v(IPSECDOI_ATTR_ENC_MODE, pr->encmode),
		(int)pr->reqid_in, (int)pr->reqid_out);

	trns = pr->head;
	while (trns != NULL) {
		printsatrns(pri, pr->proto_id, trns);
		trns = trns->next;
	}
}
/*
 * Log one transform of a protocol entry at log priority pri.  The
 * attributes shown depend on proto_id: AH prints the auth type, ESP the
 * key length and auth type, IPCOMP only the transform id; any other
 * protocol id is reported as unknown.  Nothing is printed for a NULL
 * transform.
 */
void
printsatrns(const int pri, const int proto_id, const struct satrns *tr)
{
	if (tr == NULL)
		return;

	if (proto_id == IPSECDOI_PROTO_IPSEC_AH) {
		plog(pri, LOCATION, NULL,
			" (trns_id=%s authtype=%s)\n",
			s_ipsecdoi_trns(proto_id, tr->trns_id),
			s_ipsecdoi_attr_v(IPSECDOI_ATTR_AUTH, tr->authtype));
	} else if (proto_id == IPSECDOI_PROTO_IPSEC_ESP) {
		plog(pri, LOCATION, NULL,
			" (trns_id=%s encklen=%d authtype=%s)\n",
			s_ipsecdoi_trns(proto_id, tr->trns_id),
			tr->encklen,
			s_ipsecdoi_attr_v(IPSECDOI_ATTR_AUTH, tr->authtype));
	} else if (proto_id == IPSECDOI_PROTO_IPCOMP) {
		plog(pri, LOCATION, NULL,
			" (trns_id=%s)\n",
			s_ipsecdoi_trns(proto_id, tr->trns_id));
	} else {
		plog(pri, LOCATION, NULL,
			"(unknown proto_id %d)\n", proto_id);
	}
}
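/*
 * Debugging aid: log a prop_pair node and, recursively, everything
 * reachable through its next and tnext links, indented by level.
 *
 * pri   - log priority handed to plog().
 * p     - node to print; a NULL node prints nothing.
 * level - nesting depth; the indent is capped at 20 spaces and a
 *         negative level is treated like the cap instead of indexing
 *         before the buffer.
 *
 * The recursion depth follows the length of the next chain, so one
 * stack frame is spent per element of a long transform list.
 */
void
print_proppair0(int pri, struct prop_pair *p, int level)
{
	char spc[21];

	if (p == NULL)
		return;

	/* indent string: min(level, 20) spaces, always NUL-terminated */
	memset(spc, ' ', sizeof(spc));
	spc[sizeof(spc) - 1] = '\0';
	if (level >= 0 && level < 20)
		spc[level] = '\0';

	plog(pri, LOCATION, NULL,
		"%s%p: next=%p tnext=%p\n", spc, p, p->next, p->tnext);
	/* both recursive calls return immediately on a NULL link */
	print_proppair0(pri, p->next, level + 1);
	print_proppair0(pri, p->tnext, level + 1);
}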
/*
 * Log the whole prop_pair tree rooted at p at log priority pri,
 * starting from indent level 1.
 */
void
print_proppair(int pri, struct prop_pair *p)
{
	const int top_level = 1;

	print_proppair0(pri, p, top_level);
}
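/*
 * Build iph2->proposal from the SPD entries of this phase 2 exchange.
 *
 * iph2    - phase 2 handle; iph2->sainfo supplies lifetime, lifebyte,
 *           pfs_group and (via set_satrnsbysainfo) the transforms, and
 *           iph2->side decides which reqid direction each policy fills.
 * sp_main - policy whose ipsecrequest chain becomes one saproto per
 *           request; as INITIATOR its reqids go to reqid_out, otherwise
 *           to reqid_in.
 * sp_sub  - policy for the opposite direction, or NULL; only its reqids
 *           are copied, walking both chains in lock-step.  A length
 *           mismatch is logged at LLV_NOTIFY and is not an error.
 *
 * Returns 0 on success with iph2->proposal set, -1 on allocation
 * failure or when no transforms could be derived from sainfo; on -1
 * the partial proposal is handed to flushsaprop().
 */
int
set_proposal_from_policy(struct ph2handle *iph2,
    struct secpolicy *sp_main, struct secpolicy *sp_sub)
{
	struct saprop *newpp = NULL;
	struct ipsecrequest *req;
	/* bundle-wide encapsulation mode; used only when !complex_bundle */
	int encmodesv = IPSECDOI_ATTR_ENC_MODE_TRNS;

	newpp = newsaprop();
	if (newpp == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"failed to allocate saprop.\n");
		goto err;
	}
	newpp->prop_no = 1;
	newpp->lifetime = iph2->sainfo->lifetime;
	newpp->lifebyte = iph2->sainfo->lifebyte;
	newpp->pfs_group = iph2->sainfo->pfs_group;

	/* with complex_bundle every saproto carries its own mode (below) */
	if (lcconf->complex_bundle)
		goto skip1;

	/*
	 * decide the encryption mode of this SA bundle.
	 * the mode becomes tunnel mode when there is even one policy
	 * of tunnel mode in the SPD. otherwise the mode becomes
	 * transport mode.
	 */
	for (req = sp_main->req; req; req = req->next) {
		if (req->saidx.mode == IPSEC_MODE_TUNNEL) {
			encmodesv = pfkey2ipsecdoi_mode(req->saidx.mode);
#ifdef ENABLE_NATT
			/* NAT-T shifts the mode id to its UDP-encapsulated variant */
			if (iph2->ph1 && (iph2->ph1->natt_flags & NAT_DETECTED))
				encmodesv += iph2->ph1->natt_options->mode_udp_diff;
#endif
			break;
		}
	}

skip1:
	for (req = sp_main->req; req; req = req->next) {
		struct saproto *newpr;

		/*
		 * Nested SA bundles (SA1 to peer1 carried inside SA2 to
		 * peer2) are NOT supported: every request becomes a
		 * sibling protocol of the single proposal built here.
		 */

		/* allocate ipsec sa protocol */
		newpr = newsaproto();
		if (newpr == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
				"failed to allocate saproto.\n");
			goto err;
		}

		newpr->proto_id = ipproto2doi(req->saidx.proto);
		/* IPCOMP carries a 2-byte SPI; every other protocol 4 bytes */
		if (newpr->proto_id == IPSECDOI_PROTO_IPCOMP)
			newpr->spisize = 2;
		else
			newpr->spisize = 4;
		if (lcconf->complex_bundle) {
			newpr->encmode = pfkey2ipsecdoi_mode(req->saidx.mode);
#ifdef ENABLE_NATT
			if (iph2->ph1 && (iph2->ph1->natt_flags & NAT_DETECTED))
				newpr->encmode +=
				    iph2->ph1->natt_options->mode_udp_diff;
#endif
		}
		else
			newpr->encmode = encmodesv;

		/* sp_main's reqids are outbound for the initiator, inbound otherwise */
		if (iph2->side == INITIATOR)
			newpr->reqid_out = req->saidx.reqid;
		else
			newpr->reqid_in = req->saidx.reqid;

		if (set_satrnsbysainfo(newpr, iph2->sainfo) < 0) {
			plog(LLV_ERROR, LOCATION, NULL,
				"failed to get algorithms.\n");
			/*
			 * NOTE(review): assumes set_satrnsbysainfo() releases
			 * any transforms it attached to newpr before failing;
			 * otherwise they leak here -- confirm.
			 */
			racoon_free(newpr);
			goto err;
		}

		/* set new saproto */
		inssaprotorev(newpp, newpr);
	}

	/* get reqid_in from inbound policy */
	if (sp_sub) {
		struct saproto *pr;

		/*
		 * walk both chains in lock-step and copy the opposite
		 * direction's reqid into the saproto built from sp_main
		 */
		req = sp_sub->req;
		pr = newpp->head;
		while (req && pr) {
			if (iph2->side == INITIATOR)
				pr->reqid_in = req->saidx.reqid;
			else
				pr->reqid_out = req->saidx.reqid;
			pr = pr->next;
			req = req->next;
		}
		/* leftover on either side: the policies do not mirror each other */
		if (pr || req) {
			plog(LLV_NOTIFY, LOCATION, NULL,
				"There is a difference "
				"between the in/out bound policies in SPD.\n");
		}
	}

	iph2->proposal = newpp;

	printsaprop0(LLV_DEBUG, newpp);

	return 0;
err:
	/* NOTE(review): newpp is NULL when newsaprop() failed; flushsaprop() must accept that */
	flushsaprop(newpp);
	return -1;
}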
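/*
 * Build iph2->proposal by mirroring the peer's SA payload (iph2->sa).
 *
 * Each non-empty slot of the proposal pair table is converted with
 * aproppair2saprop(); the resulting saprop is the template for one of
 * ours: proto_id, spisize, encmode and the peer's SPI are copied, our
 * own SPI is left 0, and the transforms come from iph2->sainfo rather
 * than from the peer.  A peer saprop that has a next link is logged as
 * inconsistent and only its first element is used.
 *
 * With gen_policy == GENERATE_POLICY_UNIQUE a fresh reqid is taken from
 * the global counter g_nextreqid for both directions; the counter wraps
 * to 1 once it reaches IPSEC_MANUAL_REQID_MAX.
 *
 * Returns 0 on success with iph2->proposal set, -1 otherwise.  On
 * failure every saprop built so far -- including the saprotos already
 * inserted into the one being built -- is released.
 */
int
set_proposal_from_proposal(struct ph2handle *iph2)
{
	struct saprop *newpp = NULL, *pp0, *pp_peer = NULL;
	struct saproto *newpr = NULL, *pr;
	struct prop_pair **pair;
	int error = -1;
	int i;

	/* get proposal pair */
	pair = get_proppair(iph2->sa, IPSECDOI_TYPE_PH2);
	if (pair == NULL)
		goto end;

	/*
	 * make my proposal according as the client proposal.
	 * XXX assumed there is only one proposal even if it's the SA bundle.
	 */
	for (i = 0; i < MAXPROPPAIRLEN; i++) {
		if (pair[i] == NULL)
			continue;

		/* the previous slot's converted proposal is no longer needed */
		if (pp_peer != NULL)
			flushsaprop(pp_peer);

		pp_peer = aproppair2saprop(pair[i]);
		if (pp_peer == NULL)
			goto end;

		pp0 = newsaprop();
		if (pp0 == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
				"failed to allocate saprop.\n");
			goto end;
		}
		pp0->prop_no = 1;
		pp0->lifetime = iph2->sainfo->lifetime;
		pp0->lifebyte = iph2->sainfo->lifebyte;
		pp0->pfs_group = iph2->sainfo->pfs_group;

#ifdef HAVE_SECCTX
		/*
		 * NOTE(review): ctx_strlen originates in the peer's payload;
		 * this copy relies on aproppair2saprop() having bounded it to
		 * the size of ctx_str -- confirm.
		 */
		if (*pp_peer->sctx.ctx_str) {
			pp0->sctx.ctx_doi = pp_peer->sctx.ctx_doi;
			pp0->sctx.ctx_alg = pp_peer->sctx.ctx_alg;
			pp0->sctx.ctx_strlen = pp_peer->sctx.ctx_strlen;
			memcpy(pp0->sctx.ctx_str, pp_peer->sctx.ctx_str,
			    pp_peer->sctx.ctx_strlen);
		}
#endif /* HAVE_SECCTX */

		if (pp_peer->next != NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
				"pp_peer is inconsistency, ignore it.\n");
			/*FALLTHROUGH*/
		}

		for (pr = pp_peer->head; pr; pr = pr->next) {
			newpr = newsaproto();
			if (newpr == NULL) {
				plog(LLV_ERROR, LOCATION, NULL,
					"failed to allocate saproto.\n");
				/*
				 * pp0 may already own saprotos inserted by
				 * earlier iterations of this loop; release
				 * the whole proposal, not just the struct.
				 */
				flushsaprop(pp0);
				goto end;
			}
			newpr->proto_id = pr->proto_id;
			newpr->spisize = pr->spisize;
			newpr->encmode = pr->encmode;
			newpr->spi = 0;
			newpr->spi_p = pr->spi;	/* copy peer's SPI */
			newpr->reqid_in = 0;
			newpr->reqid_out = 0;

			/*
			 * NOTE(review): iph2->ph1 is dereferenced
			 * unconditionally here; assumed to be set for any
			 * phase 2 that reaches this point -- confirm.
			 */
			if (iph2->ph1->rmconf->gen_policy == GENERATE_POLICY_UNIQUE) {
				newpr->reqid_in = g_nextreqid;
				newpr->reqid_out = g_nextreqid++;
				/*
				 * XXX there is a (very limited)
				 * risk of reusing the same reqid
				 * as another SP entry for the same peer
				 */
				if (g_nextreqid >= IPSEC_MANUAL_REQID_MAX)
					g_nextreqid = 1;
			}

			if (set_satrnsbysainfo(newpr, iph2->sainfo) < 0) {
				plog(LLV_ERROR, LOCATION, NULL,
					"failed to get algorithms.\n");
				/* newpr is not linked into pp0 yet, free it separately */
				racoon_free(newpr);
				flushsaprop(pp0);
				goto end;
			}
			inssaproto(pp0, newpr);
		}

		inssaprop(&newpp, pp0);
	}

	plog(LLV_DEBUG, LOCATION, NULL, "make a proposal from peer's:\n");
	printsaprop0(LLV_DEBUG, newpp);

	iph2->proposal = newpp;

	error = 0;

end:
	if (error && newpp)
		flushsaprop(newpp);

	if (pp_peer)
		flushsaprop(pp_peer);
	if (pair)
		free_proppair(pair);
	return error;
}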