1/* $Id: ipsec_doi.c,v 1.26.2.16 2006/02/02 14:37:17 vanhu Exp $ */
2
3/*
4 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the project nor the names of its contributors
16 * may be used to endorse or promote products derived from this software
17 * without specific prior written permission.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * SUCH DAMAGE.
30 */
31
32#include "config.h"
33
34#include <sys/types.h>
35#include <sys/param.h>
36#include <sys/socket.h>
37
38#include <netinet/in.h>
39
40#ifndef HAVE_NETINET6_IPSEC
41#include <netinet/ipsec.h>
42#else
43#include <netinet6/ipsec.h>
44#endif
45
46#include <stdlib.h>
47#include <stdio.h>
48#include <string.h>
49#include <errno.h>
50#include <netdb.h>
51#if TIME_WITH_SYS_TIME
52# include <sys/time.h>
53# include <time.h>
54#else
55# if HAVE_SYS_TIME_H
56# include <sys/time.h>
57# else
58# include <time.h>
59# endif
60#endif
61
62#include "var.h"
63#include "vmbuf.h"
64#include "misc.h"
65#include "plog.h"
66#include "debug.h"
67
68#include "cfparse_proto.h"
69#include "isakmp_var.h"
70#include "isakmp.h"
71#include "ipsec_doi.h"
72#include "oakley.h"
73#include "remoteconf.h"
74#include "localconf.h"
75#include "sockmisc.h"
76#include "handler.h"
77#include "policy.h"
78#include "algorithm.h"
79#include "sainfo.h"
80#include "proposal.h"
81#include "crypto_openssl.h"
85f41bec 82#include "crypto_cssm.h"
83#include "strnames.h"
84#include "gcmalloc.h"
85
86#ifdef ENABLE_NATT
87#include "nattraversal.h"
88#endif
#ifdef ENABLE_HYBRID
/* maps an authmethod to the value used for comparison in get_ph1approvalx() */
static int switch_authmethod(int);
#endif

/*
 * When non-zero, get_ph1approval() logs every mismatched attribute of every
 * peer transform (via print_ph1mismatched()) when no proposal was accepted.
 */
int verbose_proposal_check = 1;

static vchar_t *get_ph1approval (phase1_handle_t *, struct prop_pair **);
void print_ph1mismatched (struct prop_pair *, struct isakmpsa *);
static int t2isakmpsa (struct isakmp_pl_t *, struct isakmpsa *);
static int cmp_aproppair_i (struct prop_pair *, struct prop_pair *);
static struct prop_pair *get_ph2approval (phase2_handle_t *,
	struct prop_pair **);
static struct prop_pair *get_ph2approvalx (phase2_handle_t *,
	struct prop_pair *);
static void free_proppair0 (struct prop_pair *);

static int get_transform (struct isakmp_pl_p *, struct prop_pair **, int *);
static u_int32_t ipsecdoi_set_ld (vchar_t *);

static int check_doi (u_int32_t);
static int check_situation (u_int32_t);

static int check_prot_main (int);
static int check_prot_quick (int);
/*
 * Protocol-id validators indexed by the IPSECDOI_TYPE_* mode passed to
 * get_proppair().  IKEv2 slots are NULL; get_proppair() tests the entry
 * before calling through it.
 */
static int (*check_protocol[]) (int) = {
	check_prot_main,	/* IPSECDOI_TYPE_PH1 */
	check_prot_quick,	/* IPSECDOI_TYPE_PH2 */
	NULL,			/* IPSECDOI_TYPE_IKEV2_PH1 */
	NULL,			/* IPSECDOI_TYPE_IKEV2_PH2 */
};

int check_spi_size (int, int);

static int check_trns_isakmp (int);
static int check_trns_ah (int);
static int check_trns_esp (int);
static int check_trns_ipcomp (int);
/* transform-id validators indexed by IPSECDOI_PROTO_*; slot 0 is unused */
static int (*check_transform[]) (int) = {
	0,
	check_trns_isakmp,	/* IPSECDOI_PROTO_ISAKMP */
	check_trns_ah,		/* IPSECDOI_PROTO_IPSEC_AH */
	check_trns_esp,		/* IPSECDOI_PROTO_IPSEC_ESP */
	check_trns_ipcomp,	/* IPSECDOI_PROTO_IPCOMP */
};

static int check_attr_isakmp (struct isakmp_pl_t *);
static int check_attr_ah (struct isakmp_pl_t *);
static int check_attr_esp (struct isakmp_pl_t *);
static int check_attr_ipsec (int, struct isakmp_pl_t *);
static int check_attr_ipcomp (struct isakmp_pl_t *);
/* attribute validators indexed by IPSECDOI_PROTO_*; slot 0 is unused */
static int (*check_attributes[]) (struct isakmp_pl_t *) = {
	0,
	check_attr_isakmp,	/* IPSECDOI_PROTO_ISAKMP */
	check_attr_ah,		/* IPSECDOI_PROTO_IPSEC_AH */
	check_attr_esp,		/* IPSECDOI_PROTO_IPSEC_ESP */
	check_attr_ipcomp,	/* IPSECDOI_PROTO_IPCOMP */
};

int setph1prop (phase1_handle_t *, caddr_t);
static int setph1trns (struct isakmpsa *, caddr_t);
static int setph1attr (struct isakmpsa *, caddr_t);
static vchar_t *setph2proposal0 (const phase2_handle_t *,
	const struct saprop *, const struct saproto *);

static vchar_t *getidval (int, vchar_t *);

156
/*%%%*/
/*
 * Check the peer's phase 1 SA payload and choose the transform to answer
 * with.  get_ph1approval() stores the chosen isakmpsa in iph1->approval;
 * the reply SA payload (network byte order, general header not included)
 * is stored in iph1->sa_ret.
 * OUT:
 *	0  : an acceptable proposal was found.
 *	-1 : the payload could not be parsed or nothing was acceptable.
 */
int
ipsecdoi_checkph1proposal(vchar_t *sa, phase1_handle_t *iph1)
{
	struct prop_pair **pairs;
	vchar_t *approved;

	pairs = get_proppair(sa, IPSECDOI_TYPE_PH1);
	if (pairs == NULL)
		return -1;

	/* the pair table is only needed while one transform is selected */
	approved = get_ph1approval(iph1, pairs);
	free_proppair(pairs);
	if (approved == NULL)
		return -1;

	iph1->sa_ret = approved;
	return 0;
}
192
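/*
 * acceptable check for remote configuration.
 * Walk every transform of every peer proposal and keep the first one that
 * get_ph1approvalx() accepts against iph1->rmconf->proposal at
 * iph1->rmconf->pcheck_level.  A previous iph1->approval is released first;
 * on success the accepted isakmpsa is stored there.
 * OUT:
 *	a new SA payload to reply to the peer, or NULL when nothing matched,
 *	the DH group could not be set up, or the reply could not be built
 *	(iph1->approval is NULL in every failure case).
 */
static vchar_t *
get_ph1approval(phase1_handle_t *iph1, struct prop_pair **pair)
{
	vchar_t *newsa;
	struct isakmpsa *sa, tsa;
	struct prop_pair *s, *p;
	int i;

	if (iph1->approval) {
		delisakmpsa(iph1->approval);
		iph1->approval = NULL;
	}

	/* compare every transform of every proposal, select the first match */
	for (i = 0; i < MAXPROPPAIRLEN; i++) {
		if (pair[i] == NULL)
			continue;
		for (s = pair[i]; s; s = s->next) {
			for (p = s; p; p = p->tnext) {
				if ((sa = get_ph1approvalx(p,
				    iph1->rmconf->proposal, &tsa,
				    iph1->rmconf->pcheck_level)) != NULL)
					goto found;
			}
		}
	}

	/*
	 * if there is no suitable proposal, racoon complains about all of
	 * mismatched items in those proposal.
	 */
	if (verbose_proposal_check) {
		for (i = 0; i < MAXPROPPAIRLEN; i++) {
			if (pair[i] == NULL)
				continue;
			for (s = pair[i]; s; s = s->next) {
				for (p = s; p; p = p->tnext) {
					print_ph1mismatched(p,
					    iph1->rmconf->proposal);
				}
			}
		}
	}
	plog(ASL_LEVEL_ERR, "no suitable proposal found.\n");

	return NULL;

found:
	plog(ASL_LEVEL_DEBUG, "an acceptable proposal found.\n");

	/*
	 * check DH group settings: a group carried over from the peer is
	 * only kept when it has both a prime and a generator, otherwise it
	 * is dropped and rebuilt from the negotiated group description.
	 */
	if (sa->dhgrp) {
		if (sa->dhgrp->prime && sa->dhgrp->gen1) {
			/* it's ok */
			goto saok;
		}
		plog(ASL_LEVEL_WARNING,
		    "invalid DH parameter found, use default.\n");
		oakley_dhgrp_free(sa->dhgrp);
		sa->dhgrp = NULL;
	}

	if (oakley_setdhgroup(sa->dh_group, &sa->dhgrp) == -1) {
		sa->dhgrp = NULL;
		racoon_free(sa);
		return NULL;
	}

saok:
	/* sa is non-NULL here: found is only reached through a match */
	iph1->approval = sa;
	plog(ASL_LEVEL_DEBUG, "agreed on %s auth.\n",
	    s_oakley_attr_method(iph1->approval->authmethod));

	/* build the reply from the matched pair; undo the approval on failure */
	newsa = get_sabyproppair(p, iph1);
	if (newsa == NULL) {
		delisakmpsa(iph1->approval);
		iph1->approval = NULL;
	}

	return newsa;
}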
288
/*
 * compare peer's single proposal and all of my proposal.
 * and select one if suitable.
 * p       : one of peer's proposal.
 * proposal: my proposals.
 * sap     : optional; when non-NULL it receives the parsed peer transform
 *           (its dhgrp is released before return), otherwise a local is used.
 * check_level: PROP_CHECK_* policy deciding how much the peer's lifetime
 *           and lifebyte may differ from the configured ones.
 * OUT:
 *	the result of dupisakmpsa() on the matching configured proposal,
 *	with lifetime/lifebyte adjusted per check_level, or NULL.
 */
struct isakmpsa *
get_ph1approvalx(p, proposal, sap, check_level)
	struct prop_pair *p;
	struct isakmpsa *proposal, *sap;
	int check_level;
{
	struct isakmp_pl_p *prop = p->prop;
	struct isakmp_pl_t *trns = p->trns;
	struct isakmpsa sa, *s, *tsap;
	int authmethod;
	int tsap_authmethod;

	plog(ASL_LEVEL_DEBUG,
       		"prop#=%d, prot-id=%s, spi-size=%d, #trns=%d\n",
		prop->p_no, s_ipsecdoi_proto(prop->proto_id),
		prop->spi_size, prop->num_t);

	plog(ASL_LEVEL_DEBUG,
		"trns#=%d, trns-id=%s\n",
		trns->t_no,
		s_ipsecdoi_trns(prop->proto_id, trns->t_id));

	tsap = sap != NULL ? sap : &sa;

	memset(tsap, 0, sizeof(*tsap));
	/*
	 * NOTE(review): t2isakmpsa() allocates tsap->dhgrp before it parses
	 * the attributes; on this error return the group is not released
	 * here — confirm whether any caller frees it.
	 */
	if (t2isakmpsa(trns, tsap) < 0)
		return NULL;
	for (s = proposal; s != NULL; s = s->next) {
#ifdef ENABLE_HYBRID
		authmethod = switch_authmethod(s->authmethod);
		tsap_authmethod = switch_authmethod(tsap->authmethod);
#else
		/* without hybrid auth the "switched" values are the raw ones */
		authmethod = s->authmethod;
		tsap_authmethod = tsap->authmethod;
#endif
		plog(ASL_LEVEL_DEBUG, "Compared: DB:Peer\n");
		plog(ASL_LEVEL_DEBUG, "(version = %d:%d)\n",
			s->version, tsap->version);
		plog(ASL_LEVEL_DEBUG, "(lifetime = %ld:%ld)\n",
			(long)s->lifetime, (long)tsap->lifetime);
		plog(ASL_LEVEL_DEBUG, "(lifebyte = %zu:%zu)\n",
			s->lifebyte, tsap->lifebyte);
		plog(ASL_LEVEL_DEBUG, "enctype = %s:%s\n",
			s_oakley_attr_v(OAKLEY_ATTR_ENC_ALG,
				s->enctype),
			s_oakley_attr_v(OAKLEY_ATTR_ENC_ALG,
				tsap->enctype));
		plog(ASL_LEVEL_DEBUG, "(encklen = %d:%d)\n",
			s->encklen, tsap->encklen);
		plog(ASL_LEVEL_DEBUG, "hashtype = %s:%s\n",
			s_oakley_attr_v(OAKLEY_ATTR_HASH_ALG,
				s->hashtype),
			s_oakley_attr_v(OAKLEY_ATTR_HASH_ALG,
				tsap->hashtype));
		plog(ASL_LEVEL_DEBUG, "authmethod = %s:%s\n",
			s_oakley_attr_v(OAKLEY_ATTR_AUTH_METHOD,
				s->authmethod),
			s_oakley_attr_v(OAKLEY_ATTR_AUTH_METHOD,
				tsap->authmethod));
		plog(ASL_LEVEL_DEBUG, "dh_group = %s:%s\n",
			s_oakley_attr_v(OAKLEY_ATTR_GRP_DESC,
				s->dh_group),
			s_oakley_attr_v(OAKLEY_ATTR_GRP_DESC,
				tsap->dh_group));
#if 0
		/* XXX to be considered ? */
		if (tsap->lifebyte > s->lifebyte) ;
#endif
		/*
		 * if responder side and peer's key length in proposal
		 * is bigger than mine, it might be accepted.
		 * (The condition below actually requires encklen to be
		 * equal; only lifetime/lifebyte are subject to check_level.)
		 */
		if(tsap->enctype == s->enctype &&
		    (tsap->authmethod == authmethod || tsap_authmethod == authmethod) &&
		    tsap->hashtype == s->hashtype &&
		    tsap->dh_group == s->dh_group &&
		    tsap->encklen == s->encklen &&
		    tsap->version == s->version) {
			switch(check_level) {
			case PROP_CHECK_OBEY:
				goto found;
				break;

			case PROP_CHECK_STRICT:
				/* peer may not ask for more than configured */
				if ((tsap->lifetime > s->lifetime) ||
				    (tsap->lifebyte > s->lifebyte))
					continue;
				goto found;
				break;

			case PROP_CHECK_CLAIM:
				/*
				 * NOTE: this shortens the lifetime of the
				 * configured proposal s itself, not of a
				 * copy; the duplicate made below is adjusted
				 * the same way again.
				 */
				if (tsap->lifetime < s->lifetime)
					s->lifetime = tsap->lifetime;
				if (tsap->lifebyte < s->lifebyte)
					s->lifebyte = tsap->lifebyte;
				goto found;
				break;

			case PROP_CHECK_EXACT:
				if ((tsap->lifetime != s->lifetime) ||
				    (tsap->lifebyte != s->lifebyte))
					continue;
				goto found;
				break;

			default:
				plog(ASL_LEVEL_ERR,
				    "Unexpected proposal_check value\n");
				continue;
				break;
			}
		}
	}

found:
	/*
	 * also reached with s == NULL when no configured proposal matched;
	 * dupisakmpsa(NULL) is then expected to yield NULL (not visible here).
	 */
	if (tsap->dhgrp != NULL){
		oakley_dhgrp_free(tsap->dhgrp);
		tsap->dhgrp = NULL;
	}

	if ((s = dupisakmpsa(s)) != NULL) {
		switch(check_level) {
		case PROP_CHECK_OBEY:
			s->lifetime = tsap->lifetime;
			s->lifebyte = tsap->lifebyte;
			break;

		case PROP_CHECK_STRICT:
			s->lifetime = tsap->lifetime;
			s->lifebyte = tsap->lifebyte;
			break;

		case PROP_CHECK_CLAIM:
			if (tsap->lifetime < s->lifetime)
				s->lifetime = tsap->lifetime;
			if (tsap->lifebyte < s->lifebyte)
				s->lifebyte = tsap->lifebyte;
			break;

		default:
			break;
		}
		/*
		 * hack to get around cisco rekeys: the peer's raw authmethod
		 * differs from the configured one but maps to the same value
		 * through switch_authmethod(), so the reply carries the peer's
		 * method.  Without ENABLE_HYBRID tsap_authmethod equals
		 * tsap->authmethod and this never fires.
		 */
		if (tsap->authmethod != authmethod && tsap_authmethod == authmethod) {
			s->authmethod = tsap->authmethod;
		}
	}
	return s;
}
444
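/*
 * print all of items in peer's proposal which are mismatched to my proposal.
 * p       : one of peer's proposal.
 * proposal: my proposals.
 * Only logs.  The parsed copy of the peer's transform (including the
 * dhgrp that t2isakmpsa() allocates before parsing) is released before
 * returning, also when parsing fails part way through.
 */
void
print_ph1mismatched(struct prop_pair *p, struct isakmpsa *proposal)
{
	struct isakmpsa sa, *s;

	memset(&sa, 0, sizeof(sa));
	/* sa.dhgrp may already be allocated when this fails: release it below */
	if (t2isakmpsa(p->trns, &sa) < 0)
		goto out;
	for (s = proposal; s ; s = s->next) {
		if (sa.enctype != s->enctype) {
			plog(ASL_LEVEL_ERR,
				"rejected enctype: "
				"DB(prop#%d:trns#%d):Peer(prop#%d:trns#%d) = "
				"%s:%s\n",
				s->prop_no, s->trns_no,
				p->prop->p_no, p->trns->t_no,
				s_oakley_attr_v(OAKLEY_ATTR_ENC_ALG,
					s->enctype),
				s_oakley_attr_v(OAKLEY_ATTR_ENC_ALG,
					sa.enctype));
		}
		if (sa.authmethod != s->authmethod) {
			plog(ASL_LEVEL_ERR,
				"rejected authmethod: "
				"DB(prop#%d:trns#%d):Peer(prop#%d:trns#%d) = "
				"%s:%s\n",
				s->prop_no, s->trns_no,
				p->prop->p_no, p->trns->t_no,
				s_oakley_attr_v(OAKLEY_ATTR_AUTH_METHOD,
					s->authmethod),
				s_oakley_attr_v(OAKLEY_ATTR_AUTH_METHOD,
					sa.authmethod));
		}
		if (sa.hashtype != s->hashtype) {
			plog(ASL_LEVEL_ERR,
				"rejected hashtype: "
				"DB(prop#%d:trns#%d):Peer(prop#%d:trns#%d) = "
				"%s:%s\n",
				s->prop_no, s->trns_no,
				p->prop->p_no, p->trns->t_no,
				s_oakley_attr_v(OAKLEY_ATTR_HASH_ALG,
					s->hashtype),
				s_oakley_attr_v(OAKLEY_ATTR_HASH_ALG,
					sa.hashtype));
		}
		if (sa.prf != s->prf ||
		    sa.prfklen != s->prfklen) {
			plog(ASL_LEVEL_ERR,
				"rejected prf: "
				"DB(prop#%d:trns#%d):Peer(prop#%d:trns#%d) = "
				"%s.%d:%s.%d\n",
				s->prop_no, s->trns_no,
				p->prop->p_no, p->trns->t_no,
				s_oakley_attr_v(OAKLEY_ATTR_HASH_ALG,
					s->prf),
				s->prfklen,
				s_oakley_attr_v(OAKLEY_ATTR_HASH_ALG,
					sa.prf),
				sa.prfklen);
		}
		if (sa.dh_group != s->dh_group) {
			plog(ASL_LEVEL_ERR,
				"rejected dh_group: "
				"DB(prop#%d:trns#%d):Peer(prop#%d:trns#%d) = "
				"%s:%s\n",
				s->prop_no, s->trns_no,
				p->prop->p_no, p->trns->t_no,
				s_oakley_attr_v(OAKLEY_ATTR_GRP_DESC,
					s->dh_group),
				s_oakley_attr_v(OAKLEY_ATTR_GRP_DESC,
					sa.dh_group));
		}
	}

out:
	/* the group was calloc'ed by t2isakmpsa(); unset members are NULL */
	if (sa.dhgrp != NULL){
		oakley_dhgrp_free(sa.dhgrp);
		sa.dhgrp = NULL;
	}
}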
531
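/*
 * get ISAKMP data attributes
 *
 * Parse the attributes that follow the phase 1 transform payload trns into
 * *sa.  The attribute region is the ntohs(trns->h.len) - sizeof(*trns)
 * bytes right after the transform header; each attribute is a 4-byte
 * header (type carrying the ISAKMP_GEN_MASK TV/TLV bit, then lorv) that in
 * the TLV form is followed by lorv bytes of value.
 * sa->dhgrp is allocated here and belongs to the caller afterwards, on
 * failure too.  sa->lifetime defaults to OAKLEY_ATTR_SA_LD_SEC_DEFAULT and
 * sa->lifebyte to 0 until an SA_LD_TYPE attribute immediately followed by
 * an SA_LD attribute overrides them.
 * OUT:
 *	0  : parsed.
 *	-1 : out of memory, an attribute that does not fit in the payload,
 *	     an unsupported group type, a zero life duration, or a key
 *	     length that is not a multiple of 8 or is given for DES/3DES.
 */
static int
t2isakmpsa(struct isakmp_pl_t *trns, struct isakmpsa *sa)
{
	struct isakmp_data *d, *prev;
	int flag, type;
	int error = -1;
	int life_t;
	int keylen = 0;
	vchar_t *val = NULL;
	int len, tlen;
	u_char *p;

	tlen = ntohs(trns->h.len) - sizeof(*trns);
	prev = (struct isakmp_data *)NULL;
	d = (struct isakmp_data *)(trns + 1);

	/* default */
	life_t = OAKLEY_ATTR_SA_LD_TYPE_DEFAULT;
	sa->lifetime = OAKLEY_ATTR_SA_LD_SEC_DEFAULT;
	sa->lifebyte = 0;
	sa->dhgrp = racoon_calloc(1, sizeof(struct dhgroup));
	if (!sa->dhgrp)
		goto err;

	while (tlen > 0) {
		/*
		 * the 4-byte attribute header is read below, so it must lie
		 * entirely inside what remains of the payload; a 1-3 byte
		 * tail is a malformed payload, not an attribute.
		 */
		if (tlen < (int)sizeof(*d)) {
			plog(ASL_LEVEL_ERR,
				"invalid ISAKMP-SA attr, %d trailing bytes "
				"are shorter than an attribute header\n", tlen);
			goto err;
		}

		type = ntohs(d->type) & ~ISAKMP_GEN_MASK;
		flag = ntohs(d->type) & ISAKMP_GEN_MASK;

		plog(ASL_LEVEL_DEBUG,
			"type=%s, flag=0x%04x, lorv=%s\n",
			s_oakley_attr(type), flag,
			s_oakley_attr_v(type, ntohs(d->lorv)));

		/* get variable-sized item */
		switch (type) {
		case OAKLEY_ATTR_GRP_PI:
		case OAKLEY_ATTR_GRP_GEN_ONE:
		case OAKLEY_ATTR_GRP_GEN_TWO:
		case OAKLEY_ATTR_GRP_CURVE_A:
		case OAKLEY_ATTR_GRP_CURVE_B:
		case OAKLEY_ATTR_SA_LD:
		case OAKLEY_ATTR_GRP_ORDER:
			if (flag) {	/*TV*/
				len = 2;
				p = (u_char *)&d->lorv;
			} else {	/*TLV*/
				len = ntohs(d->lorv);
				/*
				 * the value starts after the 4-byte header,
				 * so header plus value must fit in tlen.
				 */
				if (len > tlen - (int)sizeof(*d)) {
					plog(ASL_LEVEL_ERR,
						"invalid ISAKMP-SA attr, attr-len %d, overall-len %d\n",
						len, tlen);
					return -1;
				}
				p = (u_char *)(d + 1);
			}
			val = vmalloc(len);
			if (!val)
				return -1;
			memcpy(val->v, p, len);
			break;

		default:
			break;
		}

		switch (type) {
		case OAKLEY_ATTR_ENC_ALG:
			sa->enctype = (u_int16_t)ntohs(d->lorv);
			break;

		case OAKLEY_ATTR_HASH_ALG:
			sa->hashtype = (u_int16_t)ntohs(d->lorv);
			break;

		case OAKLEY_ATTR_AUTH_METHOD:
			sa->authmethod = ntohs(d->lorv);
			break;

		case OAKLEY_ATTR_GRP_DESC:
			sa->dh_group = (u_int16_t)ntohs(d->lorv);
			break;

		case OAKLEY_ATTR_GRP_TYPE:
		{
			int type = (int)ntohs(d->lorv);
			/* only MODP groups are supported */
			if (type == OAKLEY_ATTR_GRP_TYPE_MODP)
				sa->dhgrp->type = type;
			else
				return -1;
			break;
		}
		case OAKLEY_ATTR_GRP_PI:
			/* ownership of val moves to the group */
			sa->dhgrp->prime = val;
			break;

		case OAKLEY_ATTR_GRP_GEN_ONE:
			vfree(val);
			/*
			 * NOTE(review): the switch above treats a set flag as
			 * TV (value in lorv) and a clear flag as TLV, but the
			 * two branches here are the other way round.  Confirm
			 * against a peer that sends explicit generators before
			 * changing the interpretation.
			 */
			if (!flag)
				sa->dhgrp->gen1 = ntohs(d->lorv);
			else {
				int len = ntohs(d->lorv);
				sa->dhgrp->gen1 = 0;
				/* the copy reads past the header: bound it by the payload as well */
				if (len > 4 || len > tlen - (int)sizeof(*d))
					return -1;
				memcpy(&sa->dhgrp->gen1, d + 1, len);
				sa->dhgrp->gen1 = ntohl(sa->dhgrp->gen1);
			}
			break;

		case OAKLEY_ATTR_GRP_GEN_TWO:
			vfree(val);
			/* same TV/TLV question as for GEN_ONE above */
			if (!flag)
				sa->dhgrp->gen2 = ntohs(d->lorv);
			else {
				int len = ntohs(d->lorv);
				sa->dhgrp->gen2 = 0;
				/* the copy reads past the header: bound it by the payload as well */
				if (len > 4 || len > tlen - (int)sizeof(*d))
					return -1;
				memcpy(&sa->dhgrp->gen2, d + 1, len);
				sa->dhgrp->gen2 = ntohl(sa->dhgrp->gen2);
			}
			break;

		case OAKLEY_ATTR_GRP_CURVE_A:
			sa->dhgrp->curve_a = val;
			break;

		case OAKLEY_ATTR_GRP_CURVE_B:
			sa->dhgrp->curve_b = val;
			break;

		case OAKLEY_ATTR_SA_LD_TYPE:
		{
			int type = (int)ntohs(d->lorv);
			switch (type) {
			case OAKLEY_ATTR_SA_LD_TYPE_SEC:
			case OAKLEY_ATTR_SA_LD_TYPE_KB:
				life_t = type;
				break;
			default:
				life_t = OAKLEY_ATTR_SA_LD_TYPE_DEFAULT;
				break;
			}
			break;
		}
		case OAKLEY_ATTR_SA_LD:
			if (!prev
			 || (ntohs(prev->type) & ~ISAKMP_GEN_MASK) !=
				OAKLEY_ATTR_SA_LD_TYPE) {
				plog(ASL_LEVEL_ERR,
					"life duration must follow ltype\n");
				/* val was allocated for this attribute above */
				vfree(val);
				val = NULL;
				break;
			}

			switch (life_t) {
			case IPSECDOI_ATTR_SA_LD_TYPE_SEC:
				sa->lifetime = ipsecdoi_set_ld(val);
				vfree(val);
				if (sa->lifetime == 0) {
					plog(ASL_LEVEL_ERR,
						"invalid life duration.\n");
					goto err;
				}
				break;
			case IPSECDOI_ATTR_SA_LD_TYPE_KB:
				sa->lifebyte = ipsecdoi_set_ld(val);
				vfree(val);
				if (sa->lifebyte == 0) {
					plog(ASL_LEVEL_ERR,
						"invalid life duration.\n");
					goto err;
				}
				break;
			default:
				vfree(val);
				plog(ASL_LEVEL_ERR,
					"invalid life type: %d\n", life_t);
				goto err;
			}
			break;

		case OAKLEY_ATTR_KEY_LEN:
		{
			int len = ntohs(d->lorv);
			if (len % 8 != 0) {
				plog(ASL_LEVEL_ERR,
					"keylen %d: not multiple of 8\n",
					len);
				goto err;
			}
			sa->encklen = (u_int16_t)len;
			keylen++;
			break;
		}
		case OAKLEY_ATTR_PRF:
		case OAKLEY_ATTR_FIELD_SIZE:
			/* unsupported */
			break;

		case OAKLEY_ATTR_GRP_ORDER:
			sa->dhgrp->order = val;
			break;

		default:
			break;
		}

		/* advance by the header, plus the value in the TLV form */
		prev = d;
		if (flag) {
			tlen -= sizeof(*d);
			d = (struct isakmp_data *)((char *)d + sizeof(*d));
		} else {
			tlen -= (sizeof(*d) + ntohs(d->lorv));
			d = (struct isakmp_data *)((char *)d + sizeof(*d) + ntohs(d->lorv));
		}
	}

	/* key length must not be specified on some algorithms */
	if (keylen) {
		if (sa->enctype == OAKLEY_ATTR_ENC_ALG_DES
		 || sa->enctype == OAKLEY_ATTR_ENC_ALG_3DES) {
			plog(ASL_LEVEL_ERR,
				"keylen must not be specified "
				"for encryption algorithm %d\n",
				sa->enctype);
			return -1;
		}
	}

	return 0;
err:
	return error;
}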
771
/*%%%*/
/*
 * Responder side of phase 2: parse the peer's SA payload (iph2->sa), pick a
 * single proposal against iph2's policy and build the SA payload to answer
 * with (general header not included; the SPI is filled in later).
 * OUT:
 *	0  : iph2->sa_ret holds the reply payload.
 *	-1 : parse failure, nothing acceptable, or the reply could not be built.
 */
int
ipsecdoi_selectph2proposal(phase2_handle_t *iph2)
{
	struct prop_pair **pairs;
	struct prop_pair *chosen;

	pairs = get_proppair(iph2->sa, IPSECDOI_TYPE_PH2);
	if (pairs == NULL)
		return -1;

	chosen = get_ph2approval(iph2, pairs);
	free_proppair(pairs);
	if (chosen == NULL)
		return -1;

	/* SPI must be updated later. */
	iph2->sa_ret = get_sabyproppair(chosen, iph2->ph1);
	free_proppair0(chosen);

	return iph2->sa_ret == NULL ? -1 : 0;
}
808
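/*
 * check phase 2 SA payload returned from responder.
 * This function is called by initiator only.
 * iph2->sa is the payload we sent, iph2->sa_ret the responder's reply.
 * The reply must select exactly one of the proposals we sent, with a
 * single transform per protocol; it is compared against the sent one by
 * cmp_aproppair_i() and then re-built through get_sabyproppair().
 * OUT:
 *	0  : valid; iph2->sa_ret now holds the re-built payload and the
 *	     responder's copy has been released.
 *	-1 : invalid.  iph2->sa_ret is left untouched, except that a failed
 *	     re-build leaves it NULL.
 */
int
ipsecdoi_checkph2proposal(phase2_handle_t *iph2)
{
	struct prop_pair **rpair = NULL, **spair = NULL;
	struct prop_pair *p;
	int i, n, num;
	int error = -1;
	vchar_t *sa_ret = NULL;

	/* get proposal pair of SA sent. */
	spair = get_proppair(iph2->sa, IPSECDOI_TYPE_PH2);
	if (spair == NULL) {
		plog(ASL_LEVEL_ERR,
			"failed to get prop pair.\n");
		goto end;
	}

	/* XXX should check the number of transform */

	/* get proposal pair of SA replayed */
	rpair = get_proppair(iph2->sa_ret, IPSECDOI_TYPE_PH2);
	if (rpair == NULL) {
		plog(ASL_LEVEL_ERR,
			"failed to get prop pair.\n");
		goto end;
	}

	/* the reply must carry exactly one proposal; n becomes its number */
	n = 0;
	num = 0;
	for (i = 0; i < MAXPROPPAIRLEN; i++) {
		if (rpair[i]) {
			n = i;
			num++;
		}
	}
	if (num == 0) {
		plog(ASL_LEVEL_ERR,
			"no proposal received.\n");
		goto end;
	}
	if (num != 1) {
		plog(ASL_LEVEL_ERR,
			"some proposals received.\n");
		goto end;
	}

	/*
	 * the selected number must be one we actually sent; the loop above
	 * leaves i == MAXPROPPAIRLEN, so n is the value to report.  Nothing
	 * can be compared against a proposal that does not exist, so reject.
	 */
	if (spair[n] == NULL) {
		plog(ASL_LEVEL_ERR,
			"invalid proposal number:%d received.\n", n);
		goto end;
	}

	if (rpair[n]->tnext != NULL) {
		plog(ASL_LEVEL_ERR,
			"multi transforms replyed.\n");
		goto end;
	}

	if (cmp_aproppair_i(rpair[n], spair[n])) {
		plog(ASL_LEVEL_ERR,
			"proposal mismathed.\n");
		goto end;
	}

	/*
	 * check and select a proposal.
	 * ensure that there is no modification of the proposal by
	 * cmp_aproppair_i()
	 */
	p = get_ph2approval(iph2, rpair);
	if (p == NULL)
		goto end;

	/*
	 * make a SA to be replayed.  The responder's original payload is
	 * parked in sa_ret and released at end, now that it is replaced.
	 */
	sa_ret = iph2->sa_ret;
	iph2->sa_ret = get_sabyproppair(p, iph2->ph1);
	free_proppair0(p);
	if (iph2->sa_ret == NULL)
		goto end;

	error = 0;

end:
	/* free_proppair() indexes its argument unconditionally, hence the guards */
	if (rpair)
		free_proppair(rpair);
	if (spair)
		free_proppair(spair);
	if (sa_ret)
		vfree(sa_ret);

	return error;
}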
910
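/*
 * compare two prop_pair which is assumed to have same proposal number.
 * the case of bundle or single SA, NOT multi transforms.
 * a: a proposal that is multi protocols and single transform, usually replyed.
 * b: a proposal that is multi protocols and multi transform, usually sent.
 * For each protocol of a, the transform with the same number is looked up
 * in b and the two are compared.  Differences in proposal number,
 * transform id, reserved field, SPI size or attributes only log a warning;
 * a missing transform, a different protocol id, or a different number of
 * protocols is a mismatch.
 * NOTE: this function is for initiator.
 * OUT
 *	0 : equal
 *	-1: not equal
 */
static int
cmp_aproppair_i(struct prop_pair *a, struct prop_pair *b)
{
	struct prop_pair *p, *q, *r;
	int len, plen, rlen;

	for (p = a, q = b; p && q; p = p->next, q = q->next) {
		for (r = q; r; r = r->tnext) {
			/* compare trns */
			if (p->trns->t_no == r->trns->t_no)
				break;
		}
		if (!r) {
			/* no suitable transform found */
			plog(ASL_LEVEL_ERR,
				"no suitable transform found.\n");
			return -1;
		}

		/* compare prop */
		if (p->prop->p_no != r->prop->p_no) {
			plog(ASL_LEVEL_WARNING,
				"proposal #%d mismatched, "
				"expected #%d.\n",
				r->prop->p_no, p->prop->p_no);
			/*FALLTHROUGH*/
		}

		if (p->prop->proto_id != r->prop->proto_id) {
			plog(ASL_LEVEL_ERR,
				"proto_id mismathed: my:%d peer:%d\n",
				r->prop->proto_id, p->prop->proto_id);
			return -1;
		}

		/*
		 * the per-protocol validity of the SPI size was already
		 * enforced by check_spi_size() in get_proppair(); here only
		 * note when the reply changed it relative to what we sent.
		 */
		if (p->prop->spi_size != r->prop->spi_size) {
			plog(ASL_LEVEL_WARNING,
				"invalid spi size: %d.\n",
				p->prop->spi_size);
			/*FALLTHROUGH*/
		}

		/* check #of transforms */
		if (p->prop->num_t != 1) {
			plog(ASL_LEVEL_WARNING,
				"#of transform is %d, "
				"but expected 1.\n", p->prop->num_t);
			/*FALLTHROUGH*/
		}

		if (p->trns->t_id != r->trns->t_id) {
			plog(ASL_LEVEL_WARNING,
				"transform number has been modified.\n");
			/*FALLTHROUGH*/
		}
		if (p->trns->reserved != r->trns->reserved) {
			plog(ASL_LEVEL_WARNING,
				"reserved field should be zero.\n");
			/*FALLTHROUGH*/
		}

		/*
		 * compare attribute: the two transforms must be the same
		 * length before their bodies are compared byte for byte,
		 * otherwise memcmp() would read past the shorter one.
		 */
		plen = ntohs(p->trns->h.len);
		rlen = ntohs(r->trns->h.len);
		len = rlen - (int)sizeof(*p->trns);
		if (plen != rlen ||
		    (len > 0 && memcmp(p->trns + 1, r->trns + 1, len) != 0)) {
			plog(ASL_LEVEL_WARNING,
				"attribute has been modified.\n");
			/*FALLTHROUGH*/
		}
	}
	if ((p && !q) || (!p && q)) {
		/* # of protocols mismatched */
		plog(ASL_LEVEL_ERR,
			"#of protocols mismatched.\n");
		return -1;
	}

	return 0;
}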
1001
/*
 * Walk the peer's proposals in table order and return the first one that
 * get_ph2approvalx() accepts against my policy; that call also sets
 * iph2->approval.  The returned chain is freshly allocated and owned by the
 * caller.  NULL when nothing matches.
 */
static struct prop_pair *
get_ph2approval(phase2_handle_t *iph2, struct prop_pair **pair)
{
	int idx;

	iph2->approval = NULL;

	plog(ASL_LEVEL_DEBUG,
		"begin compare proposals.\n");

	for (idx = 0; idx < MAXPROPPAIRLEN; idx++) {
		struct prop_pair *match;

		if (pair[idx] == NULL)
			continue;
		plog(ASL_LEVEL_DEBUG,
			"pair[%d]: %p\n", idx, pair[idx]);
		print_proppair(ASL_LEVEL_DEBUG, pair[idx]);

		/* compare proposal and select one */
		match = get_ph2approvalx(iph2, pair[idx]);
		if (match != NULL)
			return match;
	}

	plog(ASL_LEVEL_ERR, "no suitable policy found.\n");

	return NULL;
}
1038
/*
 * compare my proposal and peers just one proposal.
 * set a approval.
 * pp: one of the peer's proposals (protocols along ->next, transforms along
 *     ->tnext).  It is converted with aproppair2saprop() and every resulting
 *     bundle is compared against each bundle of iph2->proposal with
 *     cmpsaprop_alloc(); the first match is stored in iph2->approval.
 * OUT:
 *	a new prop_pair chain holding, for each protocol of pp, the single
 *	transform selected by the approval, or NULL.
 */
static struct prop_pair *
get_ph2approvalx(iph2, pp)
	phase2_handle_t *iph2;
	struct prop_pair *pp;
{
	struct prop_pair *ret = NULL;
	struct saprop *pr0, *pr = NULL;
	struct saprop *q1, *q2;

	pr0 = aproppair2saprop(pp);
	if (pr0 == NULL)
		return NULL;

	for (q1 = pr0; q1; q1 = q1->next) {
		for (q2 = iph2->proposal; q2; q2 = q2->next) {
			plog(ASL_LEVEL_DEBUG,
				"peer's single bundle:\n");
			printsaprop0(ASL_LEVEL_DEBUG, q1);
			plog(ASL_LEVEL_DEBUG,
				"my single bundle:\n");
			printsaprop0(ASL_LEVEL_DEBUG, q2);

			pr = cmpsaprop_alloc(iph2->ph1, q1, q2, iph2->side);
			if (pr != NULL)
				goto found;

			plog(ASL_LEVEL_ERR,
				"not matched\n");
		}
	}
	/* no proposal matching */
err:
	/*
	 * NOTE(review): when err is reached from the chain-building block
	 * below, pr0 is already NULL; the prop_pair nodes linked into ret so
	 * far are not released here and iph2->approval still points at pr.
	 * Confirm whether the caller cleans these up.
	 */
	if (pr0 != NULL) {
		flushsaprop(pr0);
		pr0 = NULL;
	}
	return NULL;

found:
	/* the converted copy is no longer needed once a match is found */
	if (pr0 != NULL) {
		flushsaprop(pr0);
		pr0 = NULL;
	}
	plog(ASL_LEVEL_DEBUG, "matched\n");
	iph2->approval = pr;

	{
		struct saproto *sp;
		struct prop_pair *p, *x;
		struct prop_pair *n = NULL;

		ret = NULL;

		/* rebuild pp keeping only the transform chosen per protocol */
		for (p = pp; p; p = p->next) {
			/*
			 * find a proposal with matching proto_id.
			 * we have analyzed validity already, in cmpsaprop_alloc().
			 */
			for (sp = pr->head; sp; sp = sp->next) {
				if (sp->proto_id == p->prop->proto_id)
					break;
			}
			if (!sp)
				goto err;
			if (sp->head->next)
				goto err;	/* XXX */

			/* the approval names a transform number; locate it in pp */
			for (x = p; x; x = x->tnext)
				if (sp->head->trns_no == x->trns->t_no)
					break;
			if (!x)
				goto err;	/* XXX */

			n = racoon_calloc(1, sizeof(struct prop_pair));
			if (n == NULL) {
				plog(ASL_LEVEL_ERR,
					"failed to get buffer.\n");
				goto err;
			}

			/* n only references the payloads owned by pp, it does not copy them */
			n->prop = x->prop;
			n->trns = x->trns;

			/*
			 * need to preserve the order: append n as another
			 * transform (tnext) of the last entry when it belongs
			 * to the same proposal payload, otherwise as a new
			 * protocol entry (next) at the end of ret.
			 */
			for (x = ret; x && x->next; x = x->next)
				;
			if (x && x->prop == n->prop) {
				for (/*nothing*/; x && x->tnext; x = x->tnext)
					;
				x->tnext = n;
			} else {
				if (x)
					x->next = n;
				else {
					ret = n;
				}
			}

			/* #of transforms should be updated ? */
		}
	}

	return ret;
}
1147
/*
 * Release a proposal-pair table allocated by get_proppair(): the chain in
 * each of the MAXPROPPAIRLEN slots, then the table itself.  pair must not
 * be NULL.
 */
void
free_proppair(struct prop_pair **pair)
{
	struct prop_pair **slot;
	struct prop_pair **end = pair + MAXPROPPAIRLEN;

	for (slot = pair; slot < end; slot++) {
		free_proppair0(*slot);
		*slot = NULL;
	}
	racoon_free(pair);
}
1160
/*
 * Release one proposal chain: every node on the ->next list together with
 * all of its ->tnext transform nodes.  NULL is accepted.
 */
static void
free_proppair0(struct prop_pair *pair)
{
	struct prop_pair *proto = pair;

	while (proto != NULL) {
		struct prop_pair *next_proto = proto->next;
		struct prop_pair *trns = proto;

		/* the transform chain starts at the protocol node itself */
		do {
			struct prop_pair *next_trns = trns->tnext;

			racoon_free(trns);
			trns = next_trns;
		} while (trns != NULL);

		proto = next_proto;
	}
}
1179
1180/*
1181 * get proposal pairs from SA payload.
1182 * tiny check for proposal payload.
1183 */
1184struct prop_pair **
1185get_proppair(sa, mode)
1186 vchar_t *sa;
1187 int mode;
1188{
d1e348cf 1189 struct prop_pair **pair = NULL;
1190 int num_p = 0; /* number of proposal for use */
1191 int tlen;
1192 caddr_t bp;
1193 int i;
52b7d2ce 1194
65c25746 1195 //plogdump(ASL_LEVEL_DEBUG, sa->v, sa->l, "total SA len=%zu\n", sa->l);
52b7d2ce 1196
1197 if (mode == IPSECDOI_TYPE_PH1 || mode == IPSECDOI_TYPE_PH2) {
1198 // IKEv1
1199 struct ipsecdoi_sa_b *sab = ALIGNED_CAST(__typeof__(sab))sa->v;
52b7d2ce 1200
52b7d2ce 1201
1202 /* check SA payload size */
1203 if (sa->l < sizeof(*sab)) {
1204 plog(ASL_LEVEL_ERR,
1205 "Invalid SA length = %zu.\n", sa->l);
1206 goto bad;
1207 }
1208
1209 /* check DOI */
1210 if (check_doi(ntohl(sab->doi)) < 0)
1211 goto bad;
1212
1213 /* check SITUATION */
1214 if (check_situation(ntohl(sab->sit)) < 0)
1215 goto bad;
1216
1217 bp = (caddr_t)(sab + 1);
1218 tlen = sa->l - sizeof(*sab);
1219 } else {
1220 bp = (__typeof__(bp))sa->v;
1221 tlen = sa->l;
1222 }
52b7d2ce
A
1223
1224 pair = racoon_calloc(1, MAXPROPPAIRLEN * sizeof(*pair));
1225 if (pair == NULL) {
65c25746 1226 plog(ASL_LEVEL_ERR,
52b7d2ce 1227 "failed to get buffer.\n");
d1e348cf 1228 goto bad;
52b7d2ce 1229 }
52b7d2ce
A
1230
1231 {
1232 struct isakmp_pl_p *prop;
1233 int proplen;
1234 vchar_t *pbuf = NULL;
1235 struct isakmp_parse_t *pa;
1236
1237 pbuf = isakmp_parsewoh(ISAKMP_NPTYPE_P, (struct isakmp_gen *)bp, tlen);
1238 if (pbuf == NULL)
d1e348cf 1239 goto bad;
52b7d2ce 1240
85f41bec 1241 for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
52b7d2ce
A
1242 pa->type != ISAKMP_NPTYPE_NONE;
1243 pa++) {
1244 /* check the value of next payload */
1245 if (pa->type != ISAKMP_NPTYPE_P) {
65c25746 1246 plog(ASL_LEVEL_ERR,
52b7d2ce
A
1247 "Invalid payload type=%u\n", pa->type);
1248 vfree(pbuf);
d1e348cf 1249 goto bad;
52b7d2ce
A
1250 }
1251
1252 prop = (struct isakmp_pl_p *)pa->ptr;
1253 proplen = pa->len;
1254
65c25746 1255 plog(ASL_LEVEL_DEBUG,
52b7d2ce
A
1256 "proposal #%u len=%d\n", prop->p_no, proplen);
1257
1258 if (proplen == 0) {
65c25746 1259 plog(ASL_LEVEL_ERR,
52b7d2ce
A
1260 "invalid proposal with length %d\n", proplen);
1261 vfree(pbuf);
d1e348cf 1262 goto bad;
52b7d2ce
A
1263 }
1264
1265 /* check Protocol ID */
1266 if (!check_protocol[mode]) {
65c25746 1267 plog(ASL_LEVEL_ERR,
52b7d2ce
A
1268 "unsupported mode %d\n", mode);
1269 continue;
1270 }
1271
1272 if (check_protocol[mode](prop->proto_id) < 0)
1273 continue;
1274
1275 /* check SPI length when IKE. */
1276 if (check_spi_size(prop->proto_id, prop->spi_size) < 0)
1277 continue;
1278
1279 /* get transform */
1280 if (get_transform(prop, pair, &num_p) < 0) {
1281 vfree(pbuf);
d1e348cf 1282 goto bad;
52b7d2ce
A
1283 }
1284 }
1285 vfree(pbuf);
1286 pbuf = NULL;
1287 }
1288
1289 {
1290 int notrans, nprop;
1291 struct prop_pair *p, *q;
1292
1293 /* check for proposals with no transforms */
1294 for (i = 0; i < MAXPROPPAIRLEN; i++) {
1295 if (!pair[i])
1296 continue;
1297
65c25746
A
1298 plog(ASL_LEVEL_DEBUG, "pair %d:\n", i);
1299 print_proppair(ASL_LEVEL_DEBUG, pair[i]);
52b7d2ce
A
1300
1301 notrans = nprop = 0;
1302 for (p = pair[i]; p; p = p->next) {
1303 if (p->trns == NULL) {
1304 notrans++;
1305 break;
1306 }
1307 for (q = p; q; q = q->tnext)
1308 nprop++;
1309 }
1310
1311#if 0
1312 /*
1313 * XXX at this moment, we cannot accept proposal group
1314 * with multiple proposals. this should be fixed.
1315 */
1316 if (pair[i]->next) {
65c25746 1317 plog(ASL_LEVEL_WARNING,
52b7d2ce
A
1318 "proposal #%u ignored "
1319 "(multiple proposal not supported)\n",
1320 pair[i]->prop->p_no);
1321 notrans++;
1322 }
1323#endif
1324
1325 if (notrans) {
1326 for (p = pair[i]; p; p = q) {
1327 q = p->next;
1328 racoon_free(p);
1329 }
1330 pair[i] = NULL;
1331 num_p--;
1332 } else {
65c25746 1333 plog(ASL_LEVEL_DEBUG,
52b7d2ce
A
1334 "proposal #%u: %d transform\n",
1335 pair[i]->prop->p_no, nprop);
1336 }
1337 }
1338 }
1339
1340 /* bark if no proposal is found. */
1341 if (num_p <= 0) {
65c25746 1342 plog(ASL_LEVEL_ERR,
52b7d2ce 1343 "no Proposal found.\n");
d1e348cf 1344 goto bad;
52b7d2ce
A
1345 }
1346
1347 return pair;
d1e348cf
A
1348bad:
1349 if (pair != NULL)
1350 racoon_free(pair);
1351 return NULL;
52b7d2ce
A
1352}
1353
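/*
 * Parse the transform payloads of one proposal and append every acceptable
 * one to the chain at pair[prop->p_no].
 *
 * prop  : proposal payload; h.len must cover its header and SPI, and the
 *         transforms follow the SPI.
 * pair  : proposal-pair table being filled by get_proppair().
 * num_p : incremented when a previously empty slot of pair gets populated.
 *
 * Transforms with an unsupported id or unacceptable attributes are skipped
 * silently (not fatal).  Returns 0 on success, even when nothing was
 * appended, and -1 on a malformed proposal, parse failure or allocation
 * failure.
 */
static int
get_transform(struct isakmp_pl_p *prop, struct prop_pair **pair, int *num_p)
{
	int hdrlen;		/* proposal header plus SPI */
	int tlen;		/* total length of all transforms in the proposal */
	caddr_t bp;
	struct isakmp_pl_t *trns;
	int trnslen;
	vchar_t *pbuf;
	struct isakmp_parse_t *pa;
	struct prop_pair *p, *q;

	/* the transforms start after the SPI; the length must reach that far */
	hdrlen = sizeof(struct isakmp_pl_p) + prop->spi_size;
	if (ntohs(prop->h.len) < hdrlen) {
		plog(ASL_LEVEL_ERR,
			"proposal #%u len=%u shorter than its header.\n",
			prop->p_no, ntohs(prop->h.len));
		return -1;
	}

	/*
	 * Both checker tables are indexed by proto_id and must have an entry
	 * for it; this depends only on prop, so decide it once.
	 */
	if (prop->proto_id >= ARRAYLEN(check_transform)
	    || prop->proto_id >= ARRAYLEN(check_attributes)
	    || check_transform[prop->proto_id] == NULL
	    || check_attributes[prop->proto_id] == NULL) {
		plog(ASL_LEVEL_WARNING,
			"unsupported proto_id %u\n", prop->proto_id);
		return 0;
	}

	bp = (caddr_t)prop + hdrlen;
	tlen = ntohs(prop->h.len) - hdrlen;
	pbuf = isakmp_parsewoh(ISAKMP_NPTYPE_T, (struct isakmp_gen *)bp, tlen);
	if (pbuf == NULL)
		return -1;

	for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
	     pa->type != ISAKMP_NPTYPE_NONE;
	     pa++) {
		/* anything other than a transform ends the list */
		if (pa->type != ISAKMP_NPTYPE_T) {
			plog(ASL_LEVEL_ERR,
				"Invalid payload type=%u\n", pa->type);
			break;
		}

		trns = (struct isakmp_pl_t *)pa->ptr;
		trnslen = pa->len;

		/* the transform header must be inside the payload before t_no/t_id are read */
		if (trnslen < (int)sizeof(*trns)) {
			plog(ASL_LEVEL_ERR,
				"invalid transform with length %d\n", trnslen);
			break;
		}

		plog(ASL_LEVEL_DEBUG,
			"transform #%u len=%d\n", trns->t_no, trnslen);

		/* transform id and data attributes must be acceptable for the protocol */
		if (check_transform[prop->proto_id](trns->t_id) < 0)
			continue;
		if (check_attributes[prop->proto_id](trns) != 0)
			continue;

		p = racoon_calloc(1, sizeof(*p));
		if (p == NULL) {
			plog(ASL_LEVEL_ERR, "failed to get buffer.\n");
			vfree(pbuf);
			return -1;
		}
		p->prop = prop;
		p->trns = trns;

		/*
		 * Append in arrival order.  A node for the same proposal goes
		 * onto the ->tnext list of the last proposal node; otherwise it
		 * becomes a new ->next node.
		 * NOTE(review): p_no is used unchecked as a table index; this
		 * assumes MAXPROPPAIRLEN covers the field's full range - confirm.
		 */
		for (q = pair[prop->p_no]; q && q->next; q = q->next)
			;
		if (q && q->prop == p->prop) {
			for (/*nothing*/; q->tnext; q = q->tnext)
				;
			q->tnext = p;
		} else if (q) {
			q->next = p;
		} else {
			pair[prop->p_no] = p;
			(*num_p)++;
		}
	}

	vfree(pbuf);

	return 0;
}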
1462
/*
 * Serialise a prop_pair chain back into an SA payload: for IKEv1 the
 * DOI/situation header first, then one proposal payload per chain element
 * (walked along ->next), each carrying exactly one transform.
 * NOTE: the SPI field of every emitted proposal is zero-filled.
 *
 * pair : chain of proposal/transform pairs.
 * iph1 : phase-1 handle; version and rmconf->doitype/sittype are read.
 *
 * Returns a newly allocated payload, or NULL if vmalloc() fails.
 */
vchar_t *
get_sabyproppair(struct prop_pair *pair, phase1_handle_t *iph1)
{
	const int ikev1 = (iph1->version == ISAKMP_VERSION_NUMBER_IKEV1);
	vchar_t *newsa;
	int newtlen = ikev1 ? (int)sizeof(struct ipsecdoi_sa_b) : 0;
	u_int8_t *np_p = NULL;	/* "next payload" byte of the previous proposal */
	struct prop_pair *p;
	caddr_t bp;

	/* first pass: total size of header + proposals + transforms */
	for (p = pair; p != NULL; p = p->next) {
		newtlen += sizeof(struct isakmp_pl_p) + p->prop->spi_size
			+ ntohs(p->trns->h.len);
	}

	newsa = vmalloc(newtlen);
	if (newsa == NULL) {
		plog(ASL_LEVEL_ERR, "failed to get newsa.\n");
		return NULL;
	}
	bp = newsa->v;

	((struct isakmp_gen *)bp)->len = htons(newtlen);

	if (ikev1) {
		struct ipsecdoi_sa_b *sab = ALIGNED_CAST(struct ipsecdoi_sa_b *)bp;

		/* update some of values in SA header */
		sab->doi = htonl(iph1->rmconf->doitype);
		sab->sit = htonl(iph1->rmconf->sittype);
		bp += sizeof(*sab);
	}

	/* second pass: emit proposal + its single transform */
	for (p = pair; p != NULL; p = p->next) {
		struct isakmp_pl_p *outprop = (struct isakmp_pl_p *)bp;
		struct isakmp_pl_t *outtrns;
		int prophlen = sizeof(struct isakmp_pl_p) + p->prop->spi_size;
		int trnslen = ntohs(p->trns->h.len);

		/* chain the previous proposal to this one */
		if (np_p != NULL)
			*np_p = ISAKMP_NPTYPE_P;

		memcpy(bp, p->prop, prophlen);
		outprop->h.np = ISAKMP_NPTYPE_NONE;
		outprop->h.len = htons(prophlen + trnslen);
		outprop->num_t = 1;
		np_p = &outprop->h.np;
		/* clear the SPI that was copied along with the header */
		memset(bp + sizeof(struct isakmp_pl_p), 0, p->prop->spi_size);
		bp += prophlen;

		outtrns = (struct isakmp_pl_t *)bp;
		memcpy(bp, p->trns, trnslen);
		outtrns->h.np = ISAKMP_NPTYPE_NONE;
		outtrns->h.len = htons(trnslen);
		bp += trnslen;
	}

	return newsa;
}
1534
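/*
 * Copy the responder's SPIs from iph2->approval into the proposal payloads
 * of iph2->sa_ret, in place.
 *
 * Only a chain whose first populated slot has a single transform is handled;
 * anything else is expected to have been filtered by selectph2proposal() and
 * yields -1.  Returns 0 on success, -1 on any failure (sa_ret may then be
 * partially updated).
 */
int
ipsecdoi_updatespi(phase2_handle_t *iph2)
{
	struct prop_pair **pair, *p;
	struct saprop *pp;
	struct saproto *pr;
	int i;
	int error = -1;
	u_int8_t *spi;

	pair = get_proppair(iph2->sa_ret, IPSECDOI_TYPE_PH2);
	if (pair == NULL)
		return -1;

	/* locate the first populated proposal slot */
	for (i = 0; i < MAXPROPPAIRLEN; i++) {
		if (pair[i])
			break;
	}
	if (i == MAXPROPPAIRLEN || pair[i]->tnext) {
		/* multiple transform must be filtered by selectph2proposal.*/
		goto end;
	}

	pp = iph2->approval;

	for (p = pair[i]; p; p = p->next) {
		/*
		 * find a proposal/transform with matching proto_id/t_id.
		 * we have analyzed validity already, in cmpsaprop_alloc().
		 */
		for (pr = pp->head; pr; pr = pr->next) {
			if (p->prop->proto_id == pr->proto_id &&
			    p->trns->t_id == pr->head->trns_id) {
				break;
			}
		}
		if (!pr)
			goto end;

		/*
		 * The destination is the spi_size-byte SPI field that follows
		 * the proposal header inside sa_ret; the copy length comes from
		 * our own configuration, so make sure it cannot run past it.
		 */
		if (pr->spisize > p->prop->spi_size) {
			plog(ASL_LEVEL_ERR,
				"SPI size %lu exceeds proposal SPI field %u.\n",
				(unsigned long)pr->spisize, p->prop->spi_size);
			goto end;
		}

		/*
		 * XXX SPI bits are left-filled, for use with IPComp.
		 * we should be switching to variable-length spi field...
		 */
		spi = (u_int8_t *)&pr->spi;
		spi += sizeof(pr->spi);
		spi -= pr->spisize;
		memcpy((caddr_t)p->prop + sizeof(*p->prop), spi, pr->spisize);
	}

	error = 0;
end:
	free_proppair(pair);
	return error;
}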
1593
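/*
 * Find, in the proposal chain head, the transform node whose transform
 * number is trns_no.  Walks the ->tnext list only.  Returns NULL if absent.
 */
static struct prop_pair *
proppair_find_trns(struct prop_pair *head, int trns_no)
{
	struct prop_pair *p;

	for (p = head; p; p = p->tnext) {
		if (trns_no == p->trns->t_no)
			break;
	}
	return p;
}

/*
 * Build an SA payload for the approved proposal list pp0, taking the
 * proposal and transform payload bytes from the peer's SA payload sa0
 * (matched by proposal number and transform number).  Each matched
 * transform is emitted as its own proposal payload with num_t = 1.
 *
 * Only the length of the SA header is set here; DOI/situation must be
 * filled in by the caller.  Returns NULL if sa0 does not parse, if any
 * proposal/transform of pp0 has no counterpart in sa0, or on allocation
 * failure.
 */
vchar_t *
get_sabysaprop(struct saprop *pp0, vchar_t *sa0)
{
	struct prop_pair **pair = NULL;
	vchar_t *newsa = NULL;
	int newtlen;
	u_int8_t *np_p = NULL;	/* "next payload" byte of the previous proposal */
	struct prop_pair *p = NULL;
	struct saprop *pp;
	struct saproto *pr;
	struct satrns *tr;
	int prophlen, trnslen;
	caddr_t bp;
	int error = -1;

	/* get proposal pair */
	pair = get_proppair(sa0, IPSECDOI_TYPE_PH2);
	if (pair == NULL)
		goto out;

	/*
	 * First pass: total size.  The header+SPI size is taken from the
	 * matched peer proposal, per transform, so that it agrees exactly
	 * with what the second pass copies into the buffer.
	 * NOTE(review): pp->prop_no indexes the table unchecked; assumes it
	 * is always below MAXPROPPAIRLEN - confirm at the producer.
	 */
	newtlen = sizeof(struct ipsecdoi_sa_b);
	for (pp = pp0; pp; pp = pp->next) {
		if (pair[pp->prop_no] == NULL)
			goto out;

		for (pr = pp->head; pr; pr = pr->next) {
			for (tr = pr->head; tr; tr = tr->next) {
				p = proppair_find_trns(pair[pp->prop_no], tr->trns_no);
				if (p == NULL)
					goto out;

				newtlen += sizeof(struct isakmp_pl_p)
					+ p->prop->spi_size
					+ ntohs(p->trns->h.len);
			}
		}
	}

	newsa = vmalloc(newtlen);
	if (newsa == NULL) {
		plog(ASL_LEVEL_ERR, "failed to get newsa.\n");
		goto out;
	}
	bp = newsa->v;

	/* some of values of SA must be updated in the out of this function */
	((struct isakmp_gen *)bp)->len = htons(newtlen);
	bp += sizeof(struct ipsecdoi_sa_b);

	/* second pass: one proposal payload + single transform per (pr, tr) */
	for (pp = pp0; pp; pp = pp->next) {
		for (pr = pp->head; pr; pr = pr->next) {
			for (tr = pr->head; tr; tr = tr->next) {
				struct isakmp_pl_p *outprop;
				struct isakmp_pl_t *outtrns;

				p = proppair_find_trns(pair[pp->prop_no], tr->trns_no);
				if (p == NULL)
					goto out;

				/* sizes come from the matched node, same as the first pass */
				prophlen = sizeof(struct isakmp_pl_p)
					+ p->prop->spi_size;
				trnslen = ntohs(p->trns->h.len);

				/* chain the previous proposal to this one */
				if (np_p)
					*np_p = ISAKMP_NPTYPE_P;

				/* create proposal */
				outprop = (struct isakmp_pl_p *)bp;
				memcpy(bp, p->prop, prophlen);
				outprop->h.np = ISAKMP_NPTYPE_NONE;
				outprop->h.len = htons(prophlen + trnslen);
				outprop->num_t = 1;
				np_p = &outprop->h.np;
				bp += prophlen;

				/* create transform */
				outtrns = (struct isakmp_pl_t *)bp;
				memcpy(bp, p->trns, trnslen);
				outtrns->h.np = ISAKMP_NPTYPE_NONE;
				outtrns->h.len = htons(trnslen);
				bp += trnslen;
			}
		}
	}

	error = 0;
out:
	/* the table owns prop_pair chains, not just the slot array */
	if (pair != NULL)
		free_proppair(pair);

	if (error != 0 && newsa != NULL) {
		vfree(newsa);
		newsa = NULL;
	}

	return newsa;
}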
1705
/*
 * Decode a life-duration attribute value.  buf holds the raw value in
 * network byte order and must be exactly 2 or 4 bytes long.
 *
 * Returns the host-order value, or 0 when buf is NULL or its length is not
 * supported.  A lifetime of 0 is never a sensible value, so callers treat
 * 0 as "unusable" rather than as a real duration; likewise a lifebyte of 0
 * should not be put on the wire even though it means "don't care".
 */
static u_int32_t
ipsecdoi_set_ld(vchar_t *buf)
{
	if (buf == NULL)
		return 0;

	if (buf->l == 2)
		return ntohs(*ALIGNED_CAST(u_int16_t *)buf->v);
	if (buf->l == 4)
		return ntohl(*ALIGNED_CAST(u_int32_t *)buf->v);

	plog(ASL_LEVEL_ERR,
		"length %zu of life duration "
		"isn't supported.\n", buf->l);
	return 0;
}
1737
1738/*%%%*/
/*
 * Accept only the IPsec DOI.
 * Returns 0 for IPSEC_DOI, -1 (after logging) for any other value.
 */
static int
check_doi(u_int32_t doi)
{
	if (doi == IPSEC_DOI)
		return 0;

	plog(ASL_LEVEL_ERR,
		"invalid value of DOI 0x%08x.\n", doi);
	return -1;
}
1756
/*
 * Accept only the identity-only situation.  Secrecy and integrity are known
 * but not implemented; everything else is invalid.  Both rejections return
 * -1 after logging, acceptance returns 0.
 */
static int
check_situation(u_int32_t sit)
{
	if (sit == IPSECDOI_SIT_IDENTITY_ONLY)
		return 0;

	if (sit == IPSECDOI_SIT_SECRECY || sit == IPSECDOI_SIT_INTEGRITY) {
		plog(ASL_LEVEL_ERR,
			"situation 0x%08x unsupported yet.\n", sit);
		return -1;
	}

	plog(ASL_LEVEL_ERR,
		"invalid situation 0x%08x.\n", sit);
	return -1;
}
1781
/*
 * Protocol-id check for phase 1 (main mode): only ISAKMP is legal.
 * Returns 0 if acceptable, -1 after logging otherwise.
 */
static int
check_prot_main(int proto_id)
{
	if (proto_id == IPSECDOI_PROTO_ISAKMP)
		return 0;

	plog(ASL_LEVEL_ERR,
		"Illegal protocol id=%u.\n", proto_id);
	return -1;
}
1800
/*
 * Protocol-id check for phase 2 (quick mode): AH, ESP and IPCOMP are legal.
 * Returns 0 if acceptable, -1 after logging otherwise.
 */
static int
check_prot_quick(int proto_id)
{
	const int legal = proto_id == IPSECDOI_PROTO_IPSEC_AH
		|| proto_id == IPSECDOI_PROTO_IPSEC_ESP
		|| proto_id == IPSECDOI_PROTO_IPCOMP;

	if (legal)
		return 0;

	plog(ASL_LEVEL_ERR,
		"invalid protocol id %d.\n", proto_id);
	return -1;
}
1823
/*
 * Validate the SPI length announced by a proposal against its protocol:
 * ISAKMP proposals carry no SPI (a non-zero size only warns), AH/ESP need
 * 4 bytes, IPCOMP accepts 2 or 4.  Returns 0 if acceptable, -1 otherwise,
 * including for a proto_id this function does not know.
 */
int
check_spi_size(int proto_id, int size)
{
	if (proto_id == IPSECDOI_PROTO_ISAKMP) {
		if (size != 0) {
			/* WARNING only: the proposal is still usable */
			plog(ASL_LEVEL_WARNING,
				"SPI size isn't zero, but IKE proposal.\n");
		}
		return 0;
	}

	if (proto_id == IPSECDOI_PROTO_IPSEC_AH
	 || proto_id == IPSECDOI_PROTO_IPSEC_ESP) {
		if (size == 4)
			return 0;
		plog(ASL_LEVEL_ERR,
			"invalid SPI size=%d for IPSEC proposal.\n",
			size);
		return -1;
	}

	if (proto_id == IPSECDOI_PROTO_IPCOMP) {
		if (size == 2 || size == 4)
			return 0;
		plog(ASL_LEVEL_ERR,
			"invalid SPI size=%d for IPCOMP proposal.\n",
			size);
		return -1;
	}

	/* unknown protocol: no rule to apply, reject (silently, as before) */
	return -1;
}
1862
/*
 * Transform-id check for the ISAKMP protocol: only KEY_IKE is legal.
 * Returns 0 if acceptable, -1 after logging otherwise.
 */
static int
check_trns_isakmp(int t_id)
{
	if (t_id == IPSECDOI_KEY_IKE)
		return 0;

	plog(ASL_LEVEL_ERR,
		"invalid transform-id=%u in proto_id=%u.\n",
		t_id, IPSECDOI_KEY_IKE);
	return -1;
}
1881
/*
 * Transform-id check for AH: the MD5 and SHA family are accepted, DES is
 * known but not supported, anything else is invalid.  Returns 0 if
 * acceptable, -1 after logging otherwise.
 */
static int
check_trns_ah(int t_id)
{
	const int accepted = t_id == IPSECDOI_AH_MD5
		|| t_id == IPSECDOI_AH_SHA
		|| t_id == IPSECDOI_AH_SHA256
		|| t_id == IPSECDOI_AH_SHA384
		|| t_id == IPSECDOI_AH_SHA512;

	if (accepted)
		return 0;

	if (t_id == IPSECDOI_AH_DES) {
		plog(ASL_LEVEL_ERR,
			"not support transform-id=%u in AH.\n", t_id);
		return -1;
	}

	plog(ASL_LEVEL_ERR,
		"invalid transform-id=%u in AH.\n", t_id);
	return -1;
}
1907
/*
 * Transform-id check for ESP.  The ids in `accepted' are usable, the ids in
 * `unsupported' are known ESP transforms this implementation does not
 * provide, and anything else is invalid.  Returns 0 if acceptable, -1
 * after logging otherwise.
 */
static int
check_trns_esp(int t_id)
{
	static const int accepted[] = {
		IPSECDOI_ESP_DES,
		IPSECDOI_ESP_3DES,
		IPSECDOI_ESP_NULL,
		IPSECDOI_ESP_RC5,
		IPSECDOI_ESP_CAST,
		IPSECDOI_ESP_BLOWFISH,
		IPSECDOI_ESP_AES,
		IPSECDOI_ESP_TWOFISH,
	};
	static const int unsupported[] = {
		IPSECDOI_ESP_DES_IV32,
		IPSECDOI_ESP_DES_IV64,
		IPSECDOI_ESP_IDEA,
		IPSECDOI_ESP_3IDEA,
		IPSECDOI_ESP_RC4,
	};
	size_t i;

	for (i = 0; i < ARRAYLEN(accepted); i++) {
		if (accepted[i] == t_id)
			return 0;
	}

	for (i = 0; i < ARRAYLEN(unsupported); i++) {
		if (unsupported[i] == t_id) {
			plog(ASL_LEVEL_ERR,
				"not support transform-id=%u in ESP.\n", t_id);
			return -1;
		}
	}

	plog(ASL_LEVEL_ERR,
		"invalid transform-id=%u in ESP.\n", t_id);
	return -1;
}
1940
/*
 * Transform-id check for IPCOMP: OUI, DEFLATE and LZS are accepted.
 * Returns 0 if acceptable, -1 after logging otherwise.
 */
static int
check_trns_ipcomp(int t_id)
{
	const int accepted = t_id == IPSECDOI_IPCOMP_OUI
		|| t_id == IPSECDOI_IPCOMP_DEFLATE
		|| t_id == IPSECDOI_IPCOMP_LZS;

	if (accepted)
		return 0;

	plog(ASL_LEVEL_ERR,
		"invalid transform-id=%u in IPCOMP.\n", t_id);
	return -1;
}
1960
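/*
 * Validate the data attributes of an IKE (ISAKMP) transform.
 *
 * trns : transform payload; its attributes follow the header and the whole
 *        payload spans trns->h.len bytes.
 *
 * Walks the attribute list checking the encoding (TV vs TLV, per RFC2409
 * Appendix A), that every attribute header and TLV value lies inside the
 * transform, and the value of those attributes whose legal values are known
 * here.  Values are not copied out.  Returns 0 if every attribute is
 * acceptable, -1 on the first problem (logged).
 */
static int
check_attr_isakmp(struct isakmp_pl_t *trns)
{
	struct isakmp_data *d;
	int tlen;		/* bytes of attribute data still unread */
	int flag, type;
	u_int16_t lorv;		/* TV: the value; TLV: length of the value */

	/* the transform header itself must be covered by the stated length */
	if (ntohs(trns->h.len) < sizeof(struct isakmp_pl_t)) {
		plog(ASL_LEVEL_ERR,
			"invalid transform length %u.\n", ntohs(trns->h.len));
		return -1;
	}
	tlen = ntohs(trns->h.len) - sizeof(struct isakmp_pl_t);
	d = (struct isakmp_data *)((caddr_t)trns + sizeof(struct isakmp_pl_t));

	while (tlen > 0) {
		/* the attribute header must fit before type/lorv are read */
		if (tlen < (int)sizeof(*d)) {
			plog(ASL_LEVEL_ERR,
				"attribute header truncated, %d bytes left.\n",
				tlen);
			return -1;
		}

		type = ntohs(d->type) & ~ISAKMP_GEN_MASK;
		flag = ntohs(d->type) & ISAKMP_GEN_MASK;
		lorv = ntohs(d->lorv);

		plog(ASL_LEVEL_DEBUG,
			"type=%s, flag=0x%04x, lorv=%s\n",
			s_oakley_attr(type), flag,
			s_oakley_attr_v(type, lorv));

		/*
		 * some of the attributes must be encoded in TV.
		 * see RFC2409 Appendix A "Attribute Classes".
		 */
		switch (type) {
		case OAKLEY_ATTR_ENC_ALG:
		case OAKLEY_ATTR_HASH_ALG:
		case OAKLEY_ATTR_AUTH_METHOD:
		case OAKLEY_ATTR_GRP_DESC:
		case OAKLEY_ATTR_GRP_TYPE:
		case OAKLEY_ATTR_SA_LD_TYPE:
		case OAKLEY_ATTR_PRF:
		case OAKLEY_ATTR_KEY_LEN:
		case OAKLEY_ATTR_FIELD_SIZE:
			if (!flag) {	/* TLV */
				plog(ASL_LEVEL_ERR,
					"oakley attribute %d must be TV.\n",
					type);
				return -1;
			}
			break;
		default:
			break;
		}

		/* TLV: a length must be given and must fit in what is left */
		if (!flag) {
			if (lorv == 0) {
				plog(ASL_LEVEL_ERR,
					"invalid length %d for TLV attribute %d.\n",
					lorv, type);
				return -1;
			}
			if (lorv > tlen - (int)sizeof(*d)) {
				plog(ASL_LEVEL_ERR,
					"TLV attribute %d length %d exceeds transform.\n",
					type, lorv);
				return -1;
			}
		}

		switch (type) {
		case OAKLEY_ATTR_ENC_ALG:
			if (!alg_oakley_encdef_ok(lorv)) {
				plog(ASL_LEVEL_ERR,
					"invalied encryption algorithm=%d.\n",
					lorv);
				return -1;
			}
			break;

		case OAKLEY_ATTR_HASH_ALG:
			if (!alg_oakley_hashdef_ok(lorv)) {
				plog(ASL_LEVEL_ERR,
					"invalied hash algorithm=%d.\n",
					lorv);
				return -1;
			}
			break;

		case OAKLEY_ATTR_AUTH_METHOD:
			switch (lorv) {
			case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
			case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
#ifdef ENABLE_HYBRID
			case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
			case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
#if 0 /* Clashes with OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB */
			case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I:
#endif
			case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
#endif
			case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
				break;
			case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
#ifdef ENABLE_HYBRID
			case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
			case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
			case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
			case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
			case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
			case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
			case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
			case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
			case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
			case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
#endif
			case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
			case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
				plog(ASL_LEVEL_ERR,
					"auth method %s isn't supported.\n",
					s_oakley_attr_method(lorv));
				return -1;
			default:
				plog(ASL_LEVEL_ERR,
					"invalid auth method %d.\n",
					lorv);
				return -1;
			}
			break;

		case OAKLEY_ATTR_GRP_DESC:
			if (!alg_oakley_dhdef_ok(lorv)) {
				plog(ASL_LEVEL_ERR,
					"invalid DH group %d.\n",
					lorv);
				return -1;
			}
			break;

		case OAKLEY_ATTR_GRP_TYPE:
			switch (lorv) {
			case OAKLEY_ATTR_GRP_TYPE_MODP:
				break;
			default:
				plog(ASL_LEVEL_ERR,
					"unsupported DH group type %d.\n",
					lorv);
				return -1;
			}
			break;

		case OAKLEY_ATTR_GRP_PI:
		case OAKLEY_ATTR_GRP_GEN_ONE:
			/* sanity checks? */
			break;

		case OAKLEY_ATTR_GRP_GEN_TWO:
		case OAKLEY_ATTR_GRP_CURVE_A:
		case OAKLEY_ATTR_GRP_CURVE_B:
			plog(ASL_LEVEL_ERR,
				"attr type=%u isn't supported.\n", type);
			return -1;

		case OAKLEY_ATTR_SA_LD_TYPE:
			switch (lorv) {
			case OAKLEY_ATTR_SA_LD_TYPE_SEC:
			case OAKLEY_ATTR_SA_LD_TYPE_KB:
				break;
			default:
				plog(ASL_LEVEL_ERR,
					"invalid life type %d.\n", lorv);
				return -1;
			}
			break;

		case OAKLEY_ATTR_SA_LD:
			/* should check the value */
			break;

		case OAKLEY_ATTR_PRF:
		case OAKLEY_ATTR_KEY_LEN:
			break;

		case OAKLEY_ATTR_FIELD_SIZE:
			plog(ASL_LEVEL_ERR,
				"attr type=%u isn't supported.\n", type);
			return -1;

		case OAKLEY_ATTR_GRP_ORDER:
			break;

		case OAKLEY_ATTR_GSS_ID:
			break;

		default:
			plog(ASL_LEVEL_ERR,
				"invalid attribute type %d.\n", type);
			return -1;
		}

		/* advance: TV is the header only, TLV also carries lorv value bytes */
		if (flag) {
			tlen -= (int)sizeof(*d);
			d = (struct isakmp_data *)((char *)d
				+ sizeof(*d));
		} else {
			tlen -= (int)(sizeof(*d) + lorv);
			d = (struct isakmp_data *)((char *)d
				+ sizeof(*d) + lorv);
		}
	}

	return 0;
}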
2160
/*
 * check data attributes in IPSEC AH/ESP.
 * Both protocols share check_attr_ipsec(); these wrappers only fix proto_id.
 */
static int
check_attr_ah(struct isakmp_pl_t *trns)
{
	const int proto_id = IPSECDOI_PROTO_IPSEC_AH;

	return check_attr_ipsec(proto_id, trns);
}
2170
/* ESP attribute check: delegates to check_attr_ipsec() with the ESP id. */
static int
check_attr_esp(struct isakmp_pl_t *trns)
{
	const int proto_id = IPSECDOI_PROTO_IPSEC_ESP;

	return check_attr_ipsec(proto_id, trns);
}
2177
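/*
 * Validate the data attributes of an AH or ESP transform.
 *
 * proto_id : IPSECDOI_PROTO_IPSEC_AH or IPSECDOI_PROTO_IPSEC_ESP.  For AH the
 *            AUTH attribute must agree with the transform id and must be
 *            present; for ESP with NULL encryption AUTH must be present.
 * trns     : transform payload; its attributes follow the header and the
 *            whole payload spans trns->h.len bytes.
 *
 * Each attribute is checked for encoding (TV vs TLV), for lying inside the
 * transform, and for a legal value where one is known here.  Returns 0 if
 * all attributes are acceptable, -1 on the first problem (logged).
 */
static int
check_attr_ipsec(int proto_id, struct isakmp_pl_t *trns)
{
	struct isakmp_data *d;
	int tlen;		/* bytes of attribute data still unread */
	int flag, type = 0;
	u_int16_t lorv;		/* TV: the value; TLV: length of the value */
	int attrseen[16];	/* XXX magic number; counts attribute types seen */

	/* the transform header itself must be covered by the stated length */
	if (ntohs(trns->h.len) < sizeof(struct isakmp_pl_t)) {
		plog(ASL_LEVEL_ERR,
			"invalid transform length %u.\n", ntohs(trns->h.len));
		return -1;
	}
	tlen = ntohs(trns->h.len) - sizeof(struct isakmp_pl_t);
	d = (struct isakmp_data *)((caddr_t)trns + sizeof(struct isakmp_pl_t));
	memset(attrseen, 0, sizeof(attrseen));

	while (tlen > 0) {
		/* the attribute header must fit before type/lorv are read */
		if (tlen < (int)sizeof(*d)) {
			plog(ASL_LEVEL_ERR,
				"attribute header truncated, %d bytes left.\n",
				tlen);
			return -1;
		}

		type = ntohs(d->type) & ~ISAKMP_GEN_MASK;
		flag = ntohs(d->type) & ISAKMP_GEN_MASK;
		lorv = ntohs(d->lorv);

		plog(ASL_LEVEL_DEBUG,
			"type=%s, flag=0x%04x, lorv=%s\n",
			s_ipsecdoi_attr(type), flag,
			s_ipsecdoi_attr_v(type, lorv));

		if (type < (int)(sizeof(attrseen)/sizeof(attrseen[0])))
			attrseen[type]++;

		/* TLV: the value must fit in what is left of the transform */
		if (!flag && lorv > tlen - (int)sizeof(*d)) {
			plog(ASL_LEVEL_ERR,
				"TLV attribute %d length %d exceeds transform.\n",
				type, lorv);
			return -1;
		}

		switch (type) {
		case IPSECDOI_ATTR_ENC_MODE:
			if (! flag) {
				plog(ASL_LEVEL_ERR,
					"must be TV when ENC_MODE.\n");
				return -1;
			}

			switch (lorv) {
			case IPSECDOI_ATTR_ENC_MODE_TUNNEL:
			case IPSECDOI_ATTR_ENC_MODE_TRNS:
				break;
#ifdef ENABLE_NATT
			case IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_RFC:
			case IPSECDOI_ATTR_ENC_MODE_UDPTRNS_RFC:
			case IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_DRAFT:
			case IPSECDOI_ATTR_ENC_MODE_UDPTRNS_DRAFT:
				plog(ASL_LEVEL_DEBUG,
					"UDP encapsulation requested\n");
				break;
#endif
			default:
				plog(ASL_LEVEL_ERR,
					"invalid encryption mode=%u.\n",
					lorv);
				return -1;
			}
			break;

		case IPSECDOI_ATTR_AUTH: {
			int ah_t_id = -1;	/* AH transform id implied by this auth algorithm */

			if (! flag) {
				plog(ASL_LEVEL_ERR,
					"must be TV when AUTH.\n");
				return -1;
			}

			switch (lorv) {
			case IPSECDOI_ATTR_AUTH_HMAC_MD5:
				ah_t_id = IPSECDOI_AH_MD5;
				break;
			case IPSECDOI_ATTR_AUTH_HMAC_SHA1:
				ah_t_id = IPSECDOI_AH_SHA;
				break;
			case IPSECDOI_ATTR_AUTH_HMAC_SHA2_256:
				ah_t_id = IPSECDOI_AH_SHA256;
				break;
			case IPSECDOI_ATTR_AUTH_HMAC_SHA2_384:
				ah_t_id = IPSECDOI_AH_SHA384;
				break;
			case IPSECDOI_ATTR_AUTH_HMAC_SHA2_512:
				ah_t_id = IPSECDOI_AH_SHA512;
				break;
			case IPSECDOI_ATTR_AUTH_DES_MAC:
			case IPSECDOI_ATTR_AUTH_KPDK:
				plog(ASL_LEVEL_ERR,
					"auth algorithm %u isn't supported.\n",
					lorv);
				return -1;
			default:
				plog(ASL_LEVEL_ERR,
					"invalid auth algorithm=%u.\n",
					lorv);
				return -1;
			}

			/* for AH the auth algorithm and the transform id must agree */
			if (proto_id == IPSECDOI_PROTO_IPSEC_AH &&
			    trns->t_id != ah_t_id) {
				plog(ASL_LEVEL_ERR,
					"auth algorithm %u conflicts "
					"with transform %u.\n",
					lorv, trns->t_id);
				return -1;
			}
			break;
		}

		case IPSECDOI_ATTR_SA_LD_TYPE:
			if (! flag) {
				plog(ASL_LEVEL_ERR,
					"must be TV when LD_TYPE.\n");
				return -1;
			}

			switch (lorv) {
			case IPSECDOI_ATTR_SA_LD_TYPE_SEC:
			case IPSECDOI_ATTR_SA_LD_TYPE_KB:
				break;
			default:
				plog(ASL_LEVEL_ERR,
					"invalid life type %d.\n", lorv);
				return -1;
			}
			break;

		case IPSECDOI_ATTR_SA_LD:
			if (flag) {
				/* i.e. ISAKMP_GEN_TV */
				plog(ASL_LEVEL_DEBUG,
					"life duration was in TLV.\n");
			} else {
				/* i.e. ISAKMP_GEN_TLV */
				if (lorv == 0) {
					plog(ASL_LEVEL_ERR,
						"invalid length of LD\n");
					return -1;
				}
			}
			break;

		case IPSECDOI_ATTR_GRP_DESC:
			if (! flag) {
				plog(ASL_LEVEL_ERR,
					"must be TV when GRP_DESC.\n");
				return -1;
			}

			if (!alg_oakley_dhdef_ok(lorv)) {
				plog(ASL_LEVEL_ERR,
					"invalid group description=%u.\n",
					lorv);
				return -1;
			}
			break;

		case IPSECDOI_ATTR_KEY_LENGTH:
			if (! flag) {
				plog(ASL_LEVEL_ERR,
					"must be TV when KEY_LENGTH.\n");
				return -1;
			}
			break;

		case IPSECDOI_ATTR_KEY_ROUNDS:
		case IPSECDOI_ATTR_COMP_DICT_SIZE:
		case IPSECDOI_ATTR_COMP_PRIVALG:
			plog(ASL_LEVEL_ERR,
				"attr type=%u isn't supported.\n", type);
			return -1;

		default:
			plog(ASL_LEVEL_ERR,
				"invalid attribute type %d.\n", type);
			return -1;
		}

		/* advance: TV is the header only, TLV also carries lorv value bytes */
		if (flag) {
			tlen -= (int)sizeof(*d);
			d = (struct isakmp_data *)((char *)d
				+ sizeof(*d));
		} else {
			tlen -= (int)(sizeof(*d) + lorv);
			d = (struct isakmp_data *)((caddr_t)d
				+ sizeof(*d) + lorv);
		}
	}

	if (proto_id == IPSECDOI_PROTO_IPSEC_AH &&
	    !attrseen[IPSECDOI_ATTR_AUTH]) {
		plog(ASL_LEVEL_ERR,
			"attr AUTH must be present for AH.\n");
		return -1;
	}

	if (proto_id == IPSECDOI_PROTO_IPSEC_ESP &&
	    trns->t_id == IPSECDOI_ESP_NULL &&
	    !attrseen[IPSECDOI_ATTR_AUTH]) {
		plog(ASL_LEVEL_ERR,
			"attr AUTH must be present for ESP NULL encryption.\n");
		return -1;
	}

	return 0;
}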
2389
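/*
 * Validate the data attributes of an IPCOMP transform.
 *
 * trns : transform payload; its attributes follow the header and the whole
 *        payload spans trns->h.len bytes.
 *
 * Each attribute is checked for encoding (TV vs TLV), for lying inside the
 * transform, and for a legal value where one is known here.  AUTH is not a
 * valid IPCOMP attribute and is rejected.  Returns 0 if all attributes are
 * acceptable, -1 on the first problem (logged).
 */
static int
check_attr_ipcomp(struct isakmp_pl_t *trns)
{
	struct isakmp_data *d;
	int tlen;		/* bytes of attribute data still unread */
	int flag, type = 0;
	u_int16_t lorv;		/* TV: the value; TLV: length of the value */

	/* the transform header itself must be covered by the stated length */
	if (ntohs(trns->h.len) < sizeof(struct isakmp_pl_t)) {
		plog(ASL_LEVEL_ERR,
			"invalid transform length %u.\n", ntohs(trns->h.len));
		return -1;
	}
	tlen = ntohs(trns->h.len) - sizeof(struct isakmp_pl_t);
	d = (struct isakmp_data *)((caddr_t)trns + sizeof(struct isakmp_pl_t));

	while (tlen > 0) {
		/* the attribute header must fit before type/lorv are read */
		if (tlen < (int)sizeof(*d)) {
			plog(ASL_LEVEL_ERR,
				"attribute header truncated, %d bytes left.\n",
				tlen);
			return -1;
		}

		type = ntohs(d->type) & ~ISAKMP_GEN_MASK;
		flag = ntohs(d->type) & ISAKMP_GEN_MASK;
		lorv = ntohs(d->lorv);

		plog(ASL_LEVEL_DEBUG,
			"type=%d, flag=0x%04x, lorv=0x%04x\n",
			type, flag, lorv);

		/* TLV: the value must fit in what is left of the transform */
		if (!flag && lorv > tlen - (int)sizeof(*d)) {
			plog(ASL_LEVEL_ERR,
				"TLV attribute %d length %d exceeds transform.\n",
				type, lorv);
			return -1;
		}

		switch (type) {
		case IPSECDOI_ATTR_ENC_MODE:
			if (! flag) {
				plog(ASL_LEVEL_ERR,
					"must be TV when ENC_MODE.\n");
				return -1;
			}

			switch (lorv) {
			case IPSECDOI_ATTR_ENC_MODE_TUNNEL:
			case IPSECDOI_ATTR_ENC_MODE_TRNS:
				break;
#ifdef ENABLE_NATT
			case IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_RFC:
			case IPSECDOI_ATTR_ENC_MODE_UDPTRNS_RFC:
			case IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_DRAFT:
			case IPSECDOI_ATTR_ENC_MODE_UDPTRNS_DRAFT:
				plog(ASL_LEVEL_DEBUG,
					"UDP encapsulation requested\n");
				break;
#endif
			default:
				plog(ASL_LEVEL_ERR,
					"invalid encryption mode=%u.\n",
					lorv);
				return -1;
			}
			break;

		case IPSECDOI_ATTR_SA_LD_TYPE:
			if (! flag) {
				plog(ASL_LEVEL_ERR,
					"must be TV when LD_TYPE.\n");
				return -1;
			}

			switch (lorv) {
			case IPSECDOI_ATTR_SA_LD_TYPE_SEC:
			case IPSECDOI_ATTR_SA_LD_TYPE_KB:
				break;
			default:
				plog(ASL_LEVEL_ERR,
					"invalid life type %d.\n", lorv);
				return -1;
			}
			break;

		case IPSECDOI_ATTR_SA_LD:
			if (flag) {
				/* i.e. ISAKMP_GEN_TV */
				plog(ASL_LEVEL_DEBUG,
					"life duration was in TLV.\n");
			} else {
				/* i.e. ISAKMP_GEN_TLV */
				if (lorv == 0) {
					plog(ASL_LEVEL_ERR,
						"invalid length of LD\n");
					return -1;
				}
			}
			break;

		case IPSECDOI_ATTR_GRP_DESC:
			if (! flag) {
				plog(ASL_LEVEL_ERR,
					"must be TV when GRP_DESC.\n");
				return -1;
			}

			if (!alg_oakley_dhdef_ok(lorv)) {
				plog(ASL_LEVEL_ERR,
					"invalid group description=%u.\n",
					lorv);
				return -1;
			}
			break;

		case IPSECDOI_ATTR_AUTH:
			plog(ASL_LEVEL_ERR,
				"invalid attr type=%u.\n", type);
			return -1;

		case IPSECDOI_ATTR_KEY_LENGTH:
		case IPSECDOI_ATTR_KEY_ROUNDS:
		case IPSECDOI_ATTR_COMP_DICT_SIZE:
		case IPSECDOI_ATTR_COMP_PRIVALG:
			plog(ASL_LEVEL_ERR,
				"attr type=%u isn't supported.\n", type);
			return -1;

		default:
			plog(ASL_LEVEL_ERR,
				"invalid attribute type %d.\n", type);
			return -1;
		}

		/* advance: TV is the header only, TLV also carries lorv value bytes */
		if (flag) {
			tlen -= (int)sizeof(*d);
			d = (struct isakmp_data *)((char *)d
				+ sizeof(*d));
		} else {
			tlen -= (int)(sizeof(*d) + lorv);
			d = (struct isakmp_data *)((caddr_t)d
				+ sizeof(*d) + lorv);
		}
	}

	return 0;
}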
/* %%% */
/*
 * Build the initiator's phase 1 SA payload body from the remote
 * configuration: an ipsecdoi_sa_b header (IKEv1 only) followed by one
 * ISAKMP proposal carrying a transform per configured isakmpsa.
 * The ISAKMP generic payload header is NOT included.
 *
 * Returns a freshly allocated vchar_t the caller owns (vfree()), or
 * NULL when iph1 is NULL or the allocation fails.
 * NOTE(review): for a non-IKEv1 handle the buffer is sized but never
 * filled here — presumably relies on vmalloc() zeroing it; confirm.
 */
vchar_t *
ipsecdoi_setph1proposal (phase1_handle_t *iph1)
{
	if (!iph1) return NULL;

	const int is_ikev1 = (iph1->version == ISAKMP_VERSION_NUMBER_IKEV1);
	struct isakmpsa *props = iph1->rmconf->proposal;
	/* the DOI/situation header exists only for IKEv1 */
	int hdrlen = is_ikev1 ? (int)sizeof(struct ipsecdoi_sa_b) : 0;
	/* a NULL buffer makes setph1prop() only measure the proposal */
	int sablen = hdrlen + setph1prop(iph1, NULL);

	vchar_t *mysa = vmalloc(sablen);
	if (mysa == NULL) {
		plog(ASL_LEVEL_ERR,
			"failed to allocate my sa buffer\n");
		return NULL;
	}

	if (is_ikev1) {
		struct ipsecdoi_sa_b *sab = ALIGNED_CAST(struct ipsecdoi_sa_b *)mysa->v;

		sab->doi = htonl(props->rmconf->doitype);
		sab->sit = htonl(props->rmconf->sittype);
		/* second pass writes the proposal right after the header */
		(void)setph1prop(iph1, mysa->v + hdrlen);
	}

	return mysa;
}
/*
 * Write (or, when buf is NULL, only measure) the single phase 1
 * proposal payload: an isakmp_pl_p header with no SPI, followed by one
 * transform per isakmpsa in iph1->rmconf->proposal.  Each transform's
 * "next payload" byte is patched to ISAKMP_NPTYPE_T once a following
 * transform is emitted.
 *
 * Returns the proposal length in bytes, which is the same whether or
 * not buf is given, so callers size the buffer with a NULL first pass.
 * Caller must make sure buf has room for that many bytes.
 */
int
setph1prop (phase1_handle_t *iph1,
	caddr_t buf)
{
	struct isakmpsa *props = iph1->rmconf->proposal;
	struct isakmp_pl_p *prop = NULL;
	const int spi_size = 0;		/* phase 1 proposals carry no SPI */
	int proplen = sizeof(*prop) + spi_size;
	int trns_num = 0;
	u_int8_t *prev_np = NULL;	/* "next payload" byte of the previous transform */
	caddr_t cur = buf;
	struct isakmpsa *s;

	if (buf != NULL) {
		prop = (struct isakmp_pl_p *)cur;
		prop->h.np = ISAKMP_NPTYPE_NONE;
		prop->h.reserved = 0;
		prop->p_no = props->prop_no;
		prop->proto_id = IPSECDOI_PROTO_ISAKMP;
		prop->spi_size = spi_size;
		cur += sizeof(*prop);
	}

	for (s = props; s != NULL; s = s->next) {
		int trnslen;

		/* the previous transform now has a successor */
		if (prev_np != NULL)
			*prev_np = ISAKMP_NPTYPE_T;

		trnslen = setph1trns(s, cur);
		proplen += trnslen;
		if (buf == NULL)
			continue;

		prev_np = &((struct isakmp_pl_t *)cur)->h.np;
		cur += trnslen;
		trns_num++;
	}

	if (buf != NULL) {
		prop->h.len = htons(proplen);
		prop->num_t = trns_num;
	}

	return proplen;
}
/*
 * Write (or only measure, when buf is NULL) one phase 1 transform:
 * an isakmp_pl_t header with t_id IPSECDOI_KEY_IKE followed by the
 * attributes produced by setph1attr().
 *
 * Returns the transform length in bytes.
 * NOTE(review): h.reserved is not written here, so it keeps whatever
 * the caller's buffer held — presumably vmalloc() zero-fills; confirm.
 */
static int
setph1trns (struct isakmpsa *sa,
	caddr_t buf)
{
	struct isakmp_pl_t *trns = NULL;
	caddr_t cur = buf;
	int trnslen = sizeof(*trns);
	int attrlen;

	if (buf != NULL) {
		trns = (struct isakmp_pl_t *)cur;
		trns->h.np = ISAKMP_NPTYPE_NONE;
		trns->t_no = sa->trns_no;
		trns->t_id = IPSECDOI_KEY_IKE;
		cur += sizeof(*trns);
	}

	/* cur is NULL in the measuring pass, which setph1attr() honours */
	attrlen = setph1attr(sa, cur);
	trnslen += attrlen;

	if (buf != NULL)
		trns->h.len = htons(trnslen);

	return trnslen;
}
/*
 * Emit (or only measure, when buf is NULL) the Oakley attributes of
 * one phase 1 transform: life duration in seconds and/or kilobytes,
 * encryption algorithm, key length, authentication method, hash
 * algorithm and Diffie-Hellman group.  Each attribute is skipped when
 * its isakmpsa field is zero.
 *
 * Life durations that fit in 16 bits go out as TV attributes; larger
 * ones as a TLV carrying a 32-bit network-order value.
 *
 * Returns the total attribute length in bytes.
 */
static int
setph1attr (struct isakmpsa *sa,
	caddr_t buf)
{
	caddr_t cur = buf;
	int total = 0;
	const int emit = (buf != NULL);

	if (sa->lifetime) {
		u_int32_t lifetime = htonl((u_int32_t)sa->lifetime);
		const int wide = (sa->lifetime > 0xffff);

		/* LD_TYPE attribute + LD attribute (+ 32-bit value when TLV) */
		total += sizeof(struct isakmp_data)
			+ sizeof(struct isakmp_data);
		if (wide)
			total += sizeof(lifetime);
		if (emit) {
			cur = isakmp_set_attr_l(cur, OAKLEY_ATTR_SA_LD_TYPE,
					OAKLEY_ATTR_SA_LD_TYPE_SEC);
			if (wide) {
				cur = isakmp_set_attr_v(cur, OAKLEY_ATTR_SA_LD,
						(caddr_t)&lifetime,
						sizeof(lifetime));
			} else {
				cur = isakmp_set_attr_l(cur, OAKLEY_ATTR_SA_LD,
						sa->lifetime);
			}
		}
	}

	if (sa->lifebyte) {
		u_int32_t lifebyte = htonl((u_int32_t)sa->lifebyte);
		const int wide = (sa->lifebyte > 0xffff);

		total += sizeof(struct isakmp_data)
			+ sizeof(struct isakmp_data);
		if (wide)
			total += sizeof(lifebyte);
		if (emit) {
			cur = isakmp_set_attr_l(cur, OAKLEY_ATTR_SA_LD_TYPE,
					OAKLEY_ATTR_SA_LD_TYPE_KB);
			if (wide) {
				cur = isakmp_set_attr_v(cur, OAKLEY_ATTR_SA_LD,
						(caddr_t)&lifebyte,
						sizeof(lifebyte));
			} else {
				cur = isakmp_set_attr_l(cur, OAKLEY_ATTR_SA_LD,
						sa->lifebyte);
			}
		}
	}

	if (sa->enctype) {
		total += sizeof(struct isakmp_data);
		if (emit)
			cur = isakmp_set_attr_l(cur, OAKLEY_ATTR_ENC_ALG, sa->enctype);
	}

	if (sa->encklen) {
		total += sizeof(struct isakmp_data);
		if (emit)
			cur = isakmp_set_attr_l(cur, OAKLEY_ATTR_KEY_LEN, sa->encklen);
	}

	if (sa->authmethod) {
		/* hybrid auth rewrites the configured method to its wire value */
#ifdef ENABLE_HYBRID
		int authmethod = switch_authmethod(sa->authmethod);
#else
		int authmethod = sa->authmethod;
#endif
		total += sizeof(struct isakmp_data);
		if (emit)
			cur = isakmp_set_attr_l(cur, OAKLEY_ATTR_AUTH_METHOD, authmethod);
	}

	if (sa->hashtype) {
		total += sizeof(struct isakmp_data);
		if (emit)
			cur = isakmp_set_attr_l(cur, OAKLEY_ATTR_HASH_ALG, sa->hashtype);
	}

	switch (sa->dh_group) {
	case OAKLEY_ATTR_GRP_DESC_MODP768:
	case OAKLEY_ATTR_GRP_DESC_MODP1024:
	case OAKLEY_ATTR_GRP_DESC_MODP1536:
	case OAKLEY_ATTR_GRP_DESC_MODP2048:
	case OAKLEY_ATTR_GRP_DESC_MODP3072:
	case OAKLEY_ATTR_GRP_DESC_MODP4096:
	case OAKLEY_ATTR_GRP_DESC_MODP8192:
	case OAKLEY_ATTR_GRP_DESC_MODP6144:
		/* well-known MODP groups: send the group description only,
		 * no explicit group type */
		total += sizeof(struct isakmp_data);
		if (emit) {
			cur = isakmp_set_attr_l(cur, OAKLEY_ATTR_GRP_DESC,
					sa->dh_group);
		}
		break;
	case OAKLEY_ATTR_GRP_DESC_EC2N155:
	case OAKLEY_ATTR_GRP_DESC_EC2N185:
		/* EC2N groups: only the group type is sent here, not the
		 * description — NOTE(review): presumably intentional, verify */
		total += sizeof(struct isakmp_data);
		if (emit) {
			cur = isakmp_set_attr_l(cur, OAKLEY_ATTR_GRP_TYPE,
					OAKLEY_ATTR_GRP_TYPE_EC2N);
		}
		break;
	default:
		/* 0 (unset) and unknown groups add nothing */
		break;
	}

	return total;
}
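/*
 * Build one phase 2 proposal payload (isakmp_pl_p + SPI + transforms)
 * for protocol pr of proposal pp.  The ISAKMP generic header of the SA
 * payload is not included; the proposal's own h.np is left as NONE for
 * the caller to chain.
 *
 * For IPCOMP a 16-bit CPI is sent instead of the 32-bit SPI.  ESP
 * transforms combining NULL encryption with no authentication are
 * skipped.  The transform's attribute list is measured first and the
 * buffer grown with vrealloc() before the attributes are written.
 *
 * Returns a freshly allocated vchar_t the caller owns (vfree()), or
 * NULL on allocation failure, on an AH transform without
 * authentication, on an unknown protocol, or when no transform was
 * usable.  Every NULL return releases the buffer built so far.
 * NOTE(review): the vrealloc() failure path assumes vrealloc() frees
 * its argument on failure (see vmbuf.c) — confirm.
 */
static vchar_t *
setph2proposal0(iph2, pp, pr)
	const phase2_handle_t *iph2;
	const struct saprop *pp;
	const struct saproto *pr;
{
	vchar_t *p;
	struct isakmp_pl_p *prop;
	struct isakmp_pl_t *trns;
	struct satrns *tr;
	int attrlen;
	size_t trnsoff;
	caddr_t x;
	u_int8_t *np_t;	/* pointer next trns type in previous header */
	const u_int8_t *spi;

	p = vmalloc(sizeof(*prop) + sizeof(pr->spi));
	if (p == NULL)
		return NULL;

	/* create proposal */
	prop = (struct isakmp_pl_p *)p->v;
	prop->h.np = ISAKMP_NPTYPE_NONE;
	prop->p_no = pp->prop_no;
	prop->proto_id = pr->proto_id;
	prop->num_t = 1;

	spi = (const u_int8_t *)&pr->spi;
	switch (pr->proto_id) {
	case IPSECDOI_PROTO_IPCOMP:
		/*
		 * draft-shacham-ippcp-rfc2393bis-05.txt:
		 * construct 16bit SPI (CPI).
		 * XXX we may need to provide a configuration option to
		 * generate 32bit SPI.  otherwise we cannot interoperate
		 * with nodes that use 32bit SPI, in case we are initiator.
		 */
		prop->spi_size = sizeof(u_int16_t);
		/* keep the low-order 16 bits of the in-memory SPI */
		spi += sizeof(pr->spi) - sizeof(u_int16_t);
		p->l -= sizeof(pr->spi);
		p->l += sizeof(u_int16_t);
		break;
	default:
		prop->spi_size = sizeof(pr->spi);
		break;
	}
	memcpy(prop + 1, spi, prop->spi_size);

	/* create transform */
	trnsoff = sizeof(*prop) + prop->spi_size;
	np_t = NULL;

	for (tr = pr->head; tr; tr = tr->next) {

		switch (pr->proto_id) {
		case IPSECDOI_PROTO_IPSEC_ESP:
			/*
			 * don't build a null encryption
			 * with no authentication transform.
			 */
			if (tr->trns_id == IPSECDOI_ESP_NULL &&
			    tr->authtype == IPSECDOI_ATTR_AUTH_NONE)
				continue;
			break;
		default:
			break;
		}

		/* np_t points into the buffer as it was before this
		 * iteration's vrealloc(), so it must be written here,
		 * before the buffer is grown. */
		if (np_t) {
			*np_t = ISAKMP_NPTYPE_T;
			prop->num_t++;
		}

		/* get attribute length */
		attrlen = 0;
		if (pp->lifetime) {
			attrlen += sizeof(struct isakmp_data)
				+ sizeof(struct isakmp_data);
			if (pp->lifetime > 0xffff)
				attrlen += sizeof(u_int32_t);
		}
		if (pp->lifebyte && pp->lifebyte != IPSECDOI_ATTR_SA_LD_KB_MAX) {
			attrlen += sizeof(struct isakmp_data)
				+ sizeof(struct isakmp_data);
			if (pp->lifebyte > 0xffff)
				attrlen += sizeof(u_int32_t);
		}
		attrlen += sizeof(struct isakmp_data);	/* enc mode */
		if (tr->encklen)
			attrlen += sizeof(struct isakmp_data);

		switch (pr->proto_id) {
		case IPSECDOI_PROTO_IPSEC_ESP:
			/* non authentication mode ? */
			if (tr->authtype != IPSECDOI_ATTR_AUTH_NONE)
				attrlen += sizeof(struct isakmp_data);
			break;
		case IPSECDOI_PROTO_IPSEC_AH:
			if (tr->authtype == IPSECDOI_ATTR_AUTH_NONE) {
				plog(ASL_LEVEL_ERR,
					"no authentication algorithm found "
					"but protocol is AH.\n");
				vfree(p);
				return NULL;
			}
			attrlen += sizeof(struct isakmp_data);
			break;
		case IPSECDOI_PROTO_IPCOMP:
			break;
		default:
			plog(ASL_LEVEL_ERR,
				"invalid protocol: %d\n", pr->proto_id);
			vfree(p);
			return NULL;
		}

		if (alg_oakley_dhdef_ok(iph2->sainfo->pfs_group))
			attrlen += sizeof(struct isakmp_data);

		p = vrealloc(p, p->l + sizeof(*trns) + attrlen);
		if (p == NULL)
			return NULL;
		/* the buffer may have moved: refresh every pointer into it */
		prop = (struct isakmp_pl_p *)p->v;

		/* set transform's values */
		trns = (struct isakmp_pl_t *)(p->v + trnsoff);
		trns->h.np  = ISAKMP_NPTYPE_NONE;
		trns->t_no  = tr->trns_no;
		trns->t_id  = tr->trns_id;

		/* set attributes; the sizes were accounted for above */
		x = p->v + trnsoff + sizeof(*trns);

		if (pp->lifetime) {
			x = isakmp_set_attr_l(x, IPSECDOI_ATTR_SA_LD_TYPE,
						IPSECDOI_ATTR_SA_LD_TYPE_SEC);
			if (pp->lifetime > 0xffff) {
				u_int32_t v = htonl((u_int32_t)pp->lifetime);
				x = isakmp_set_attr_v(x, IPSECDOI_ATTR_SA_LD,
						(caddr_t)&v, sizeof(v));
			} else {
				x = isakmp_set_attr_l(x, IPSECDOI_ATTR_SA_LD,
						pp->lifetime);
			}
		}

		if (pp->lifebyte && pp->lifebyte != IPSECDOI_ATTR_SA_LD_KB_MAX) {
			x = isakmp_set_attr_l(x, IPSECDOI_ATTR_SA_LD_TYPE,
						IPSECDOI_ATTR_SA_LD_TYPE_KB);
			if (pp->lifebyte > 0xffff) {
				u_int32_t v = htonl((u_int32_t)pp->lifebyte);
				x = isakmp_set_attr_v(x, IPSECDOI_ATTR_SA_LD,
						(caddr_t)&v, sizeof(v));
			} else {
				x = isakmp_set_attr_l(x, IPSECDOI_ATTR_SA_LD,
						pp->lifebyte);
			}
		}

		x = isakmp_set_attr_l(x, IPSECDOI_ATTR_ENC_MODE, pr->encmode);

		if (tr->encklen)
			x = isakmp_set_attr_l(x, IPSECDOI_ATTR_KEY_LENGTH, tr->encklen);

		/* mandatory check has been done above. */
		if ((pr->proto_id == IPSECDOI_PROTO_IPSEC_ESP && tr->authtype != IPSECDOI_ATTR_AUTH_NONE)
		 || pr->proto_id == IPSECDOI_PROTO_IPSEC_AH)
			x = isakmp_set_attr_l(x, IPSECDOI_ATTR_AUTH, tr->authtype);

		if (alg_oakley_dhdef_ok(iph2->sainfo->pfs_group))
			x = isakmp_set_attr_l(x, IPSECDOI_ATTR_GRP_DESC,
				iph2->sainfo->pfs_group);

		/* update length of this transform. */
		trns = (struct isakmp_pl_t *)(p->v + trnsoff);
		trns->h.len = htons(sizeof(*trns) + attrlen);

		/* save buffer to pre-next payload */
		np_t = &trns->h.np;

		trnsoff += (sizeof(*trns) + attrlen);
	}

	if (np_t == NULL) {
		plog(ASL_LEVEL_ERR,
			"no suitable proposal was created.\n");
		/* the header-only buffer is of no use to the caller */
		vfree(p);
		return NULL;
	}

	/* update length of this protocol. */
	prop->h.len = htons(p->l);

	return p;
}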
/*
 * create phase2 proposal from policy configuration.
 * NOT INCLUDING isakmp general header of SA payload.
 * This function is called by initiator only.
 *
 * Walks every saproto of every saprop in iph2->proposal (or
 * iph2->approval when return_sa is set), builds one proposal payload
 * per protocol with setph2proposal0() and appends them to a single
 * buffer, chaining each proposal to the next via h.np.  For IKEv1 the
 * buffer starts with an ipsecdoi_sa_b header.  The result is stored in
 * iph2->sa (or iph2->sa_ret when return_sa is set); the handle owns it.
 *
 * Returns 0 on success, -1 on allocation failure, on an unsupported IKE
 * version, or when a proposal could not be built.
 */
int
ipsecdoi_setph2proposal(phase2_handle_t *iph2, int return_sa)
{
	struct saprop *proposal, *a;
	struct saproto *b = NULL;
	vchar_t *q, *sa = NULL;
	struct isakmp_pl_p *prop;
	size_t propoff;	/* offset of the previous proposal, whose h.np must be patched */

	if (return_sa)
		proposal = iph2->approval;
	else
		proposal = iph2->proposal;

	if (iph2->version == ISAKMP_VERSION_NUMBER_IKEV1) {
		struct ipsecdoi_sa_b *sab;

		sa = vmalloc(sizeof(*sab));
		if (sa == NULL) {
			plog(ASL_LEVEL_ERR,
				"failed to allocate my sa buffer\n");
			return -1;
		}

		/* create SA payload */
		sab = ALIGNED_CAST(struct ipsecdoi_sa_b *)sa->v;
		sab->doi = htonl(IPSEC_DOI);
		sab->sit = htonl(IPSECDOI_SIT_IDENTITY_ONLY);	/* XXX configurable ? */

	}

	prop = NULL;
	propoff = 0;
	for (a = proposal; a; a = a->next) {
		for (b = a->head; b; b = b->next) {
			if (b->proto_id == IPSECDOI_PROTO_IPCOMP) {
				/* IPCOMP is not negotiated in the SA payload here.
				 * Open question from the original author: should it
				 * still be recorded in iph2? */
				continue;
			}
			/* IKEv1 sends the encapsulation mode in the SA and uses
			 * different codes when NAT-T is in use. */
#ifdef ENABLE_NATT
			if (iph2->ph1->natt_flags & NAT_DETECTED) {
				plog (ASL_LEVEL_NOTICE, "NAT detected -> UDP encapsulation\n");
				b->udp_encap = 1;
				if (iph2->version == ISAKMP_VERSION_NUMBER_IKEV1) {
					int udp_diff = iph2->ph1->natt_options->mode_udp_diff;
					/* Tunnel -> UDP-Tunnel, Transport -> UDP_Transport.
					 * NOTE(review): this rewrites the stored saproto in
					 * place, so calling this twice on the same handle
					 * would shift encmode twice — confirm callers only
					 * build the proposal once. */
					b->encmode += udp_diff;
				}
			}
#endif
			switch (iph2->version) {
			case ISAKMP_VERSION_NUMBER_IKEV1:
				q = setph2proposal0(iph2, a, b);
				break;
			default:
				plog(ASL_LEVEL_ERR, "Invalid IKE version detected\n");
				q = NULL;
				break;
			}
			if (q == NULL) {
				VPTRINIT(sa);
				return -1;
			}
			/* grow the SA buffer and append this proposal at its end */
			if (sa != NULL)
				sa = vrealloc(sa, sa->l + q->l);
			else
				sa = vmalloc(q->l);

			if (sa == NULL) {
				plog(ASL_LEVEL_ERR,
					"failed to allocate my sa buffer\n");
				if (q)
					vfree(q);
				return -1;
			}
			memcpy(sa->v + sa->l - q->l, q->v, q->l);
			/* chain the previous proposal (if any) to the one just appended;
			 * the pointer is recomputed because vrealloc() may have moved sa->v */
			if (propoff != 0) {
				prop = (struct isakmp_pl_p *)(sa->v +
					propoff);
				if (iph2->version == ISAKMP_VERSION_NUMBER_IKEV1)
					prop->h.np = ISAKMP_NPTYPE_P;
			}
			propoff = sa->l - q->l;

			vfree(q);
		}
	}
	if (return_sa)
		iph2->sa_ret = sa;
	else
		iph2->sa = sa;
	return 0;
}
/*
 * return 1 if all of the given protocols are tunnel mode.
 *
 * Plain tunnel mode and both UDP-encapsulated tunnel variants (RFC and
 * draft code points) count as tunnel mode.  An empty proposal list
 * yields 1.
 */
int
ipsecdoi_tunnelmode(iph2)
	phase2_handle_t *iph2;
{
	struct saprop *pp;
	struct saproto *pr;

	for (pp = iph2->proposal; pp != NULL; pp = pp->next) {
		for (pr = pp->head; pr != NULL; pr = pr->next) {
			int is_tunnel =
			    pr->encmode == IPSECDOI_ATTR_ENC_MODE_TUNNEL ||
			    pr->encmode == IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_RFC ||
			    pr->encmode == IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_DRAFT;

			if (!is_tunnel)
				return 0;
		}
	}

	return 1;
}
/*
 * return 1 if any of the given protocols are transport mode.
 *
 * Plain transport mode and both UDP-encapsulated transport variants
 * (RFC and draft code points) count as transport mode.  An empty list
 * yields 0.
 */
int
ipsecdoi_any_transportmode(pp)
struct saprop *pp;
{
	struct saproto *pr;

	for (; pp != NULL; pp = pp->next) {
		for (pr = pp->head; pr != NULL; pr = pr->next) {
			switch (pr->encmode) {
			case IPSECDOI_ATTR_ENC_MODE_TRNS:
			case IPSECDOI_ATTR_ENC_MODE_UDPTRNS_RFC:
			case IPSECDOI_ATTR_ENC_MODE_UDPTRNS_DRAFT:
				return 1;
			default:
				break;
			}
		}
	}

	return 0;
}
/*
 * return 1 if all of the given protocols are transport mode.
 *
 * Only IPSECDOI_ATTR_ENC_MODE_TRNS qualifies here.
 * NOTE(review): unlike ipsecdoi_tunnelmode() and
 * ipsecdoi_any_transportmode(), the UDP-encapsulated transport modes
 * are not accepted, so with NAT-T active this returns 0 — confirm
 * whether callers rely on that.
 * An empty list yields 1.
 */
int
ipsecdoi_transportmode(pp)
	struct saprop *pp;
{
	struct saproto *pr;

	for (; pp != NULL; pp = pp->next)
		for (pr = pp->head; pr != NULL; pr = pr->next)
			if (pr->encmode != IPSECDOI_ATTR_ENC_MODE_TRNS)
				return 0;

	return 1;
}
/*
 * Default SA lifetime in seconds used when the configuration does not
 * specify one (IPSECDOI_ATTR_SA_LD_SEC_DEFAULT).
 */
int
ipsecdoi_get_defaultlifetime()
{
	const int seconds = IPSECDOI_ATTR_SA_LD_SEC_DEFAULT;

	return seconds;
}
/*
 * Validate that the algorithm classes configured for an IPsec protocol
 * form a legal combination:
 *   ESP    requires an encryption algorithm and must not carry a
 *          compression algorithm (authentication is optional);
 *   AH     requires an authentication algorithm and nothing else;
 *   IPcomp requires a compression algorithm and nothing else.
 * proto_id is an IPSECDOI_PROTO_* value; enc, auth and comp are
 * algorithm ids with 0 meaning "not set".
 *
 * Returns 0 when the combination is legal, -1 (after logging the
 * offending triple) otherwise, including for an unknown proto_id.
 */
int
ipsecdoi_checkalgtypes(proto_id, enc, auth, comp)
	int proto_id, enc, auth, comp;
{
	/* maps a parameter onto its algorithm class; the token paste means it
	 * must be given the literal parameter name */
#define TMPALGTYPE2STR(n) s_algtype(algclass_ipsec_##n, n)
	if (proto_id == IPSECDOI_PROTO_IPSEC_ESP) {
		if (enc == 0 || comp != 0) {
			plog(ASL_LEVEL_ERR,
				"illegal algorithm defined "
				"ESP enc=%s auth=%s comp=%s.\n",
				TMPALGTYPE2STR(enc),
				TMPALGTYPE2STR(auth),
				TMPALGTYPE2STR(comp));
			return -1;
		}
	} else if (proto_id == IPSECDOI_PROTO_IPSEC_AH) {
		if (enc != 0 || auth == 0 || comp != 0) {
			plog(ASL_LEVEL_ERR,
				"illegal algorithm defined "
				"AH enc=%s auth=%s comp=%s.\n",
				TMPALGTYPE2STR(enc),
				TMPALGTYPE2STR(auth),
				TMPALGTYPE2STR(comp));
			return -1;
		}
	} else if (proto_id == IPSECDOI_PROTO_IPCOMP) {
		if (enc != 0 || auth != 0 || comp == 0) {
			plog(ASL_LEVEL_ERR,
				"illegal algorithm defined "
				"IPcomp enc=%s auth=%s comp=%s.\n",
				TMPALGTYPE2STR(enc),
				TMPALGTYPE2STR(auth),
				TMPALGTYPE2STR(comp));
			return -1;
		}
	} else {
		plog(ASL_LEVEL_ERR,
			"invalid ipsec protocol %d\n", proto_id);
		return -1;
	}
#undef TMPALGTYPE2STR
	return 0;
}
/*
 * Map an IP protocol number (IPPROTO_AH/ESP/IPCOMP) to the matching
 * IPSECDOI_PROTO_* value.  Returns -1 for any other protocol (XXX:
 * the caller has to treat -1 as "unknown").
 */
int
ipproto2doi(proto)
	int proto;
{
	int doi = -1;

	switch (proto) {
	case IPPROTO_AH:
		doi = IPSECDOI_PROTO_IPSEC_AH;
		break;
	case IPPROTO_ESP:
		doi = IPSECDOI_PROTO_IPSEC_ESP;
		break;
	case IPPROTO_IPCOMP:
		doi = IPSECDOI_PROTO_IPCOMP;
		break;
	default:
		break;
	}

	return doi;
}
/*
 * Inverse of ipproto2doi(): map an IPSECDOI_PROTO_* value to the IP
 * protocol number.  Returns -1 for any other value (XXX: the caller
 * has to treat -1 as "unknown").
 */
int
doi2ipproto(proto)
	int proto;
{
	int ipproto = -1;

	switch (proto) {
	case IPSECDOI_PROTO_IPSEC_AH:
		ipproto = IPPROTO_AH;
		break;
	case IPSECDOI_PROTO_IPSEC_ESP:
		ipproto = IPPROTO_ESP;
		break;
	case IPSECDOI_PROTO_IPCOMP:
		ipproto = IPPROTO_IPCOMP;
		break;
	default:
		break;
	}

	return ipproto;
}
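/*
 * Check if a subnet id is valid for comparison
 * with an address id ( address length mask )
 * and compare them.
 *
 * subnet  is the body of an IPV4_ADDR_SUBNET id: address followed by mask.
 * address is the body of an IPV4_ADDR id.
 * Both are compared only when the mask is a full host mask
 * (255.255.255.255); any other mask or length is a mismatch.
 *
 * Return value
 *  = 0 for match
 *  = 1 for mismatch
 * (the memcmp() result is normalised so the documented 0/1 contract holds)
 */

int
ipsecdoi_subnetisaddr_v4( subnet, address )
	const vchar_t *subnet;
	const vchar_t *address;
{
	struct in_addr *mask;

	if (address->l != sizeof(struct in_addr))
		return 1;

	if (subnet->l != (sizeof(struct in_addr)*2))
		return 1;

	mask = ALIGNED_CAST(struct in_addr*)(subnet->v + sizeof(struct in_addr));

	/* all-ones is the same in host and network byte order */
	if (mask->s_addr != 0xffffffff)
		return 1;

	return memcmp(subnet->v, address->v, address->l) != 0;
}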
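#ifdef INET6

/*
 * IPv6 counterpart of ipsecdoi_subnetisaddr_v4(): subnet is the body
 * of an IPV6_ADDR_SUBNET id (address followed by mask), address the
 * body of an IPV6_ADDR id.  They are compared only when the mask is a
 * full 128-bit host mask; any other mask or length is a mismatch.
 *
 * Return value
 *  = 0 for match
 *  = 1 for mismatch
 * (the memcmp() result is normalised so the documented 0/1 contract holds)
 */
int
ipsecdoi_subnetisaddr_v6( subnet, address )
	const vchar_t *subnet;
	const vchar_t *address;
{
	struct in6_addr *mask;
	size_t i;

	if (address->l != sizeof(struct in6_addr))
		return 1;

	if (subnet->l != (sizeof(struct in6_addr)*2))
		return 1;

	mask = ALIGNED_CAST(struct in6_addr*)(subnet->v + sizeof(struct in6_addr));

	/* a host mask has every byte set */
	for (i = 0; i < sizeof(mask->s6_addr); i++)
		if (mask->s6_addr[i] != 0xff)
			return 1;

	return memcmp(subnet->v, address->v, address->l) != 0;
}

#endif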
#ifdef NOT_USED
/*
 * Check and Compare two IDs
 * - specify 0 for exact if wildcards are allowed
 * Return value
 *  = 0 for match
 *  = 1 for mismatch
 *  = -1 for integrity error
 *
 * Both ids are ID payload bodies (ipsecdoi_id_b header followed by the
 * identity data).  Address-vs-subnet comparisons are delegated to
 * ipsecdoi_subnetisaddr_v4()/_v6(); ASN.1 DN/GN ids to eay_cmp_asn1dn();
 * everything else is a length + byte comparison.
 *
 * NOTE(review): this function is compiled out (NOT_USED).  Two things a
 * maintainer should know before reviving it: the ANONYMOUS mismatch path
 * returns -1 although the header documents 1 for mismatch, and the
 * ident_t.l / ident_s.l subtractions below are not guarded against an id
 * shorter than sizeof(struct ipsecdoi_id_b), so a short id would wrap.
 */

int
ipsecdoi_chkcmpids( idt, ids, exact )
	const vchar_t *idt; /* id cmp target */
	const vchar_t *ids; /* id cmp source */
	int exact;
{
	struct ipsecdoi_id_b *id_bt;
	struct ipsecdoi_id_b *id_bs;
	vchar_t ident_t;	/* identity data of idt, header stripped */
	vchar_t ident_s;	/* identity data of ids, header stripped */
	int result;

	/* handle wildcard IDs: a NULL id matches anything unless exact */

	if (idt == NULL || ids == NULL)
	{
		if( !exact )
		{
			plog(ASL_LEVEL_DEBUG,
				"check and compare ids : values matched (ANONYMOUS)\n" );
			return 0;
		}
		else
		{
			plog(ASL_LEVEL_DEBUG,
				"check and compare ids : value mismatch (ANONYMOUS)\n" );
			return -1;
		}
	}

	/* make sure the ids are of the same type */

	id_bt = (struct ipsecdoi_id_b *) idt->v;
	id_bs = (struct ipsecdoi_id_b *) ids->v;

	ident_t.v = idt->v + sizeof(*id_bt);
	ident_t.l = idt->l - sizeof(*id_bt);
	ident_s.v = ids->v + sizeof(*id_bs);
	ident_s.l = ids->l - sizeof(*id_bs);

	if (id_bs->type != id_bt->type)
	{
		/*
		 * special exception for comparing
		 * address to subnet id types when
		 * the netmask is address length
		 */

		if ((id_bs->type == IPSECDOI_ID_IPV4_ADDR)&&
		    (id_bt->type == IPSECDOI_ID_IPV4_ADDR_SUBNET)) {
			result = ipsecdoi_subnetisaddr_v4(&ident_t,&ident_s);
			goto cmpid_result;
		}

		if ((id_bs->type == IPSECDOI_ID_IPV4_ADDR_SUBNET)&&
		    (id_bt->type == IPSECDOI_ID_IPV4_ADDR)) {
			result = ipsecdoi_subnetisaddr_v4(&ident_s,&ident_t);
			goto cmpid_result;
		}

#ifdef INET6
		if ((id_bs->type == IPSECDOI_ID_IPV6_ADDR)&&
		    (id_bt->type == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
			result = ipsecdoi_subnetisaddr_v6(&ident_t,&ident_s);
			goto cmpid_result;
		}

		if ((id_bs->type == IPSECDOI_ID_IPV6_ADDR_SUBNET)&&
		    (id_bt->type == IPSECDOI_ID_IPV6_ADDR)) {
			result = ipsecdoi_subnetisaddr_v6(&ident_s,&ident_t);
			goto cmpid_result;
		}
#endif
		plog(ASL_LEVEL_DEBUG,
			"check and compare ids : id type mismatch %s != %s\n",
			s_ipsecdoi_ident(id_bs->type),
			s_ipsecdoi_ident(id_bt->type));

		return 1;
	}

	if(id_bs->proto_id != id_bt->proto_id){
		plog(ASL_LEVEL_DEBUG,
			"check and compare ids : proto_id mismatch %d != %d\n",
			id_bs->proto_id, id_bt->proto_id);

		return 1;
	}

	/* compare the ID data. */

	switch (id_bt->type) {
	case IPSECDOI_ID_DER_ASN1_DN:
	case IPSECDOI_ID_DER_ASN1_GN:
		/* compare asn1 ids */
		result = eay_cmp_asn1dn(&ident_t, &ident_s);
		goto cmpid_result;

	case IPSECDOI_ID_IPV4_ADDR:
		/* validate lengths */
		if ((ident_t.l != sizeof(struct in_addr))||
		    (ident_s.l != sizeof(struct in_addr)))
			goto cmpid_invalid;
		break;

	case IPSECDOI_ID_IPV4_ADDR_SUBNET:
	case IPSECDOI_ID_IPV4_ADDR_RANGE:
		/* validate lengths: address + mask/end address */
		if ((ident_t.l != (sizeof(struct in_addr)*2))||
		    (ident_s.l != (sizeof(struct in_addr)*2)))
			goto cmpid_invalid;
		break;

#ifdef INET6
	case IPSECDOI_ID_IPV6_ADDR:
		/* validate lengths */
		if ((ident_t.l != sizeof(struct in6_addr))||
		    (ident_s.l != sizeof(struct in6_addr)))
			goto cmpid_invalid;
		break;

	case IPSECDOI_ID_IPV6_ADDR_SUBNET:
	case IPSECDOI_ID_IPV6_ADDR_RANGE:
		/* validate lengths: address + mask/end address */
		if ((ident_t.l != (sizeof(struct in6_addr)*2))||
		    (ident_s.l != (sizeof(struct in6_addr)*2)))
			goto cmpid_invalid;
		break;
#endif
	case IPSECDOI_ID_FQDN:
	case IPSECDOI_ID_USER_FQDN:
	case IPSECDOI_ID_KEY_ID:
		/* variable length: compared byte-wise below */
		break;

	default:
		plog(ASL_LEVEL_ERR,
			"Unhandled id type %i specified for comparison\n",
			id_bt->type);
		return -1;
	}

	/* validate matching data and length */
	if (ident_t.l == ident_s.l)
		result = memcmp(ident_t.v,ident_s.v,ident_t.l);
	else
		result = 1;

cmpid_result:

	/* debug level output */
	if(loglevel >= ASL_LEVEL_DEBUG) {
		char *idstrt = ipsecdoi_id2str(idt);
		char *idstrs = ipsecdoi_id2str(ids);

		if (!result)
			plog(ASL_LEVEL_DEBUG,
				"check and compare ids : values matched (%s)\n",
				 s_ipsecdoi_ident(id_bs->type) );
		else
			plog(ASL_LEVEL_DEBUG,
				"check and compare ids : value mismatch (%s)\n",
				s_ipsecdoi_ident(id_bs->type));

		plog(ASL_LEVEL_DEBUG, "cmpid target: \'%s\'\n", idstrt );
		plog(ASL_LEVEL_DEBUG, "cmpid source: \'%s\'\n", idstrs );

		racoon_free(idstrs);
		racoon_free(idstrt);
	}

	/* return result: any non-zero comparison result collapses to 1 */
	if( !result )
		return 0;
	else
		return 1;

cmpid_invalid:

	/* id integrity error: the data length does not fit the id type */
	plog(ASL_LEVEL_DEBUG, "check and compare ids : %s integrity error\n",
		s_ipsecdoi_ident(id_bs->type));
	plog(ASL_LEVEL_DEBUG, "cmpid target: length = \'%zu\'\n", ident_t.l );
	plog(ASL_LEVEL_DEBUG, "cmpid source: length = \'%zu\'\n", ident_s.l );

	return -1;
}
#endif
3468/*
3469 * check the following:
3470 * - In main mode with pre-shared key, only address type can be used.
3471 * - if proper type for phase 1 ?
3472 * - if phase 1 ID payload conformed RFC2407 4.6.2.
3473 * (proto, port) must be (0, 0), (udp, 500) or (udp, [specified]).
3474 * - if ID payload sent from peer is equal to the ID expected by me.
3475 *
3476 * both of "id" and "id_p" should be ID payload without general header,
3477 */
3478int
3479ipsecdoi_checkid1(iph1)
65c25746 3480 phase1_handle_t *iph1;
52b7d2ce
A
3481{
3482 struct ipsecdoi_id_b *id_b;
85f41bec 3483 struct sockaddr_storage *sa;
52b7d2ce
A
3484 caddr_t sa1, sa2;
3485
3486 if (iph1->id_p == NULL) {
65c25746 3487 plog(ASL_LEVEL_ERR,
52b7d2ce
A
3488 "invalid iph1 passed id_p == NULL\n");
3489 return ISAKMP_INTERNAL_ERROR;
3490 }
3491 if (iph1->id_p->l < sizeof(*id_b)) {
65c25746 3492 plog(ASL_LEVEL_ERR,
52b7d2ce
A
3493 "invalid value passed as \"ident\" (len=%lu)\n",
3494 (u_long)iph1->id_p->l);
3495 return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
3496 }
3497
85f41bec 3498 id_b = ALIGNED_CAST(struct ipsecdoi_id_b *)iph1->id_p->v;
52b7d2ce
A
3499
3500 /* In main mode with pre-shared key, only address type can be used.
3501 * If NAT Traversal being used and peer is behind nat and
3502 * natt version = 02 - allow non-address ID type.
3503 */
65c25746
A
3504 if (iph1->version == ISAKMP_VERSION_NUMBER_IKEV1
3505 && iph1->etype == ISAKMP_ETYPE_IDENT
52b7d2ce
A
3506 && iph1->approval->authmethod == OAKLEY_ATTR_AUTH_METHOD_PSKEY
3507#ifdef ENABLE_NATT
3508 && (iph1->natt_flags & NAT_DETECTED_PEER) == 0
3509#endif
3510 ) {
3511 if (id_b->type != IPSECDOI_ID_IPV4_ADDR
3512 && id_b->type != IPSECDOI_ID_IPV6_ADDR) {
65c25746 3513 plog(ASL_LEVEL_ERR,
52b7d2ce
A
3514 "Expecting IP address type in main mode, "
3515 "but %s.\n", s_ipsecdoi_ident(id_b->type));
3516 return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
3517 }
3518 }
3519
3520 /* if proper type for phase 1 ? */
3521 switch (id_b->type) {
3522 case IPSECDOI_ID_IPV4_ADDR_SUBNET:
3523 case IPSECDOI_ID_IPV6_ADDR_SUBNET:
3524 case IPSECDOI_ID_IPV4_ADDR_RANGE:
3525 case IPSECDOI_ID_IPV6_ADDR_RANGE:
65c25746 3526 plog(ASL_LEVEL_WARNING,
52b7d2ce
A
3527 "such ID type %s is not proper.\n",
3528 s_ipsecdoi_ident(id_b->type));
3529 /*FALLTHROUGH*/
3530 }
3531
3532 /* if phase 1 ID payload conformed RFC2407 4.6.2. */
d1e348cf 3533 if (id_b->type == IPSECDOI_ID_IPV4_ADDR ||
52b7d2ce
A
3534 id_b->type == IPSECDOI_ID_IPV6_ADDR) {
3535
3536 if (id_b->proto_id == 0 && ntohs(id_b->port) != 0) {
65c25746 3537 plog(ASL_LEVEL_WARNING,
52b7d2ce
A
3538 "protocol ID and Port mismatched. "
3539 "proto_id:%d port:%d\n",
3540 id_b->proto_id, ntohs(id_b->port));
3541 /*FALLTHROUGH*/
3542
3543 } else if (id_b->proto_id == IPPROTO_UDP) {
3544 /*
3545 * copmaring with expected port.
3546 * always permit if port is equal to PORT_ISAKMP
3547 */
3548 if (ntohs(id_b->port) != PORT_ISAKMP) {
3549
3550 u_int16_t port;
3551
85f41bec 3552 switch (iph1->remote->ss_family) {
52b7d2ce
A
3553 case AF_INET:
3554 port = ((struct sockaddr_in *)iph1->remote)->sin_port;
3555 break;
3556#ifdef INET6
3557 case AF_INET6:
3558 port = ((struct sockaddr_in6 *)iph1->remote)->sin6_port;
3559 break;
3560#endif
3561 default:
65c25746 3562 plog(ASL_LEVEL_ERR,
52b7d2ce 3563 "invalid family: %d\n",
85f41bec 3564 iph1->remote->ss_family);
52b7d2ce
A
3565 return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
3566 }
3567 if (ntohs(id_b->port) != port) {
65c25746 3568 plog(ASL_LEVEL_WARNING,
52b7d2ce
A
3569 "port %d expected, but %d\n",
3570 port, ntohs(id_b->port));
3571 /*FALLTHROUGH*/
3572 }
3573 }
3574 }
3575 }
3576
3577 /* compare with the ID if specified. */
3578 if (genlist_next(iph1->rmconf->idvl_p, 0)) {
3579 vchar_t *ident0 = NULL;
85f41bec 3580#ifdef HAVE_OPENSSL
52b7d2ce 3581 vchar_t ident;
85f41bec 3582#endif
52b7d2ce
A
3583 struct idspec *id;
3584 struct genlist_entry *gpb;
3585
3586 for (id = genlist_next (iph1->rmconf->idvl_p, &gpb); id; id = genlist_next (0, &gpb)) {
3587 /* check the type of both IDs */
3588 if (id->idtype != doi2idtype(id_b->type))
3589 continue; /* ID type mismatch */
3590 if (id->id == 0)
3591 goto matched;
3592
3593 /* compare defined ID with the ID sent by peer. */
3594 if (ident0 != NULL)
3595 vfree(ident0);
3596 ident0 = getidval(id->idtype, id->id);
3597
3598 switch (id->idtype) {
3599 case IDTYPE_ASN1DN:
e8d9021d 3600#ifdef HAVE_OPENSSL
d1e348cf
A
3601 ident.v = iph1->id_p->v + sizeof(*id_b);
3602 ident.l = iph1->id_p->l - sizeof(*id_b);
52b7d2ce
A
3603 if (eay_cmp_asn1dn(ident0, &ident) == 0)
3604 goto matched;
e8d9021d 3605#else
65c25746 3606 plog(ASL_LEVEL_WARNING, "ASN1DN ID matching not implemented - passed.\n");
e8d9021d
A
3607 goto matched; //%%%%%% hack for now until we have code to do this.
3608#endif
52b7d2ce
A
3609 break;
3610 case IDTYPE_ADDRESS:
85f41bec 3611 sa = ALIGNED_CAST(struct sockaddr_storage *)ident0->v;
52b7d2ce 3612 sa2 = (caddr_t)(id_b + 1);
85f41bec 3613 switch (sa->ss_family) {
52b7d2ce
A
3614 case AF_INET:
3615 if (iph1->id_p->l - sizeof(*id_b) != sizeof(struct in_addr))
3616 continue; /* ID value mismatch */
3617 sa1 = (caddr_t)&((struct sockaddr_in *)sa)->sin_addr;
3618 if (memcmp(sa1, sa2, sizeof(struct in_addr)) == 0)
3619 goto matched;
3620 break;
3621#ifdef INET6
3622 case AF_INET6:
3623 if (iph1->id_p->l - sizeof(*id_b) != sizeof(struct in6_addr))
3624 continue; /* ID value mismatch */
3625 sa1 = (caddr_t)&((struct sockaddr_in6 *)sa)->sin6_addr;
3626 if (memcmp(sa1, sa2, sizeof(struct in6_addr)) == 0)
3627 goto matched;
3628 break;
3629#endif
3630 default:
3631 break;
3632 }
3633 break;
3634 default:
3635 if (memcmp(ident0->v, id_b + 1, ident0->l) == 0)
3636 goto matched;
3637 break;
3638 }
3639 }
3640 if (ident0 != NULL) {
3641 vfree(ident0);
3642 ident0 = NULL;
3643 }
65c25746 3644 plog(ASL_LEVEL_DEBUG, "No ID match.\n");
3645 if (iph1->rmconf->verify_identifier)
3646 return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
3647matched: /* ID value match */
3648 if (ident0 != NULL)
3649 vfree(ident0);
3650 }
3651
3652 return 0;
3653}
3654
/* HACK!!! - temporary until this prototype gets moved */
/*
 * NOTE(review): nothing in this part of the file calls this symbol; the
 * ASN1DN branch of ipsecdoi_setid1() below uses
 * crypto_cssm_CopySubjectSequence() instead.  Confirm the prototype is
 * still needed before moving it.
 */
extern CFDataRef SecCertificateCopySubjectSequence( SecCertificateRef certificate);
3657
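/*
 * create ID payload for phase 1 and set into iph1->id.
 * NOT INCLUDING isakmp general header.
 * see, RFC2407 4.6.2.1
 *
 * The ID type comes from iph1->rmconf->idvtype and its value from
 * iph1->rmconf->idv (or the lcconf default, via getidval()).  ASN1DN with
 * no configured value takes the subject of our own certificate; ADDRESS
 * (and any other type) with no configured value takes iph1->local.  For
 * IKEv1 the header additionally carries proto_id=UDP and the ISAKMP port.
 *
 * Returns 0 with iph1->id set to the new payload, or -1 (iph1->id untouched)
 * when the ID value could not be obtained or allocated.
 */
int
ipsecdoi_setid1(iph1)
	phase1_handle_t *iph1;
{
	vchar_t *ret = NULL;
	struct ipsecdoi_id_b id_b;
	vchar_t *ident = NULL;
	struct sockaddr_in v4_address;
	struct sockaddr_storage *ipid = NULL;

	/* init */
	bzero(&id_b, sizeof(id_b));
	ident = NULL;
	switch (iph1->rmconf->idvtype) {
	case IDTYPE_FQDN:
		id_b.type = IPSECDOI_ID_FQDN;
		ident = getidval(iph1->rmconf->idvtype, iph1->rmconf->idv);
		break;
	case IDTYPE_USERFQDN:
		id_b.type = IPSECDOI_ID_USER_FQDN;
		ident = getidval(iph1->rmconf->idvtype, iph1->rmconf->idv);
		break;
	case IDTYPE_KEYID:
	case IDTYPE_KEYIDUSE:
		id_b.type = IPSECDOI_ID_KEY_ID;
		ident = getidval(iph1->rmconf->idvtype, iph1->rmconf->idv);
		break;
	case IDTYPE_ASN1DN:
		id_b.type = IPSECDOI_ID_DER_ASN1_DN;
		if (iph1->rmconf->idv) {
			/* XXX it must be encoded to asn1dn. */
			ident = vdup(iph1->rmconf->idv);
		} else {
			/* no configured DN: use the subject of our own certificate */
			if (oakley_getmycert(iph1) < 0) {
				plog(ASL_LEVEL_ERR,
					"failed to get own CERT.\n");
				goto err;
			}

			SecCertificateRef certificate;
			CFDataRef subject;
			UInt8* namePtr;
			int len;

			certificate = crypto_cssm_x509cert_CreateSecCertificateRef(&iph1->cert->cert);
			if (certificate == NULL) {
				plog(ASL_LEVEL_ERR,
					"failed to get SecCertificateRef\n");
				break;	/* ident stays NULL: reported after the switch */
			}
			subject = crypto_cssm_CopySubjectSequence(certificate);
			if (subject == NULL) {
				plog(ASL_LEVEL_ERR,
					"failed to get subjectName\n");
				CFRelease(certificate);
				break;	/* ident stays NULL: reported after the switch */
			}
			len = CFDataGetLength(subject);
			namePtr = (UInt8*)CFDataGetBytePtr(subject);
			ident = vmalloc(len);
			if (ident == NULL) {
				plog(ASL_LEVEL_ERR,
					"failed to get subjectName\n");
				CFRelease(certificate);
				CFRelease(subject);
				break;	/* ident stays NULL: reported after the switch */
			}
			memcpy(ident->v, namePtr, len);
			/* both objects came from Create/Copy calls, so the releases are ours */
			CFRelease(certificate);
			CFRelease(subject);
		}
		break;
	case IDTYPE_ADDRESS:
		/*
		 * if the value of the id type was set by the configuration
		 * file, then use it. otherwise the value is get from local
		 * ip address by using ike negotiation.
		 */
		if (iph1->rmconf->idv)
			ipid = ALIGNED_CAST(struct sockaddr_storage *)iph1->rmconf->idv->v;
		/*FALLTHROUGH*/
	default:
	    {
		int l;
		caddr_t p;

		if (ipid == NULL)
			ipid = iph1->local;

		/*
		 * NOTE(review): with a NAT64 prefix configured, an IPv6 local
		 * address is replaced by an all-zero IPv4 address carrying the
		 * same port -- presumably because the peer sees us as IPv4 in
		 * that setup; confirm against the NAT64 design notes.
		 */
		if (ipid->ss_family == AF_INET6 &&
			iph1->nat64_prefix.length) {
			memset(&v4_address, 0, sizeof(v4_address));
			v4_address.sin_len = sizeof(struct sockaddr_in);
			v4_address.sin_family = AF_INET;
			v4_address.sin_port = ((struct sockaddr_in6 *)ipid)->sin6_port;
			v4_address.sin_addr.s_addr = 0;

			ipid = ALIGNED_CAST(struct sockaddr_storage *)&v4_address;
		}

		/* use IP address */
		switch (ipid->ss_family) {
		case AF_INET:
			id_b.type = IPSECDOI_ID_IPV4_ADDR;
			l = sizeof(struct in_addr);
			p = (caddr_t)&((struct sockaddr_in *)ipid)->sin_addr;
			break;
#ifdef INET6
		case AF_INET6:
			id_b.type = IPSECDOI_ID_IPV6_ADDR;
			l = sizeof(struct in6_addr);
			p = (caddr_t)&((struct sockaddr_in6 *)ipid)->sin6_addr;
			break;
#endif
		default:
			plog(ASL_LEVEL_ERR,
				"invalid address family.\n");
			goto err;
		}
		/* IKEv1 address IDs name the ISAKMP port explicitly (RFC2407 4.6.2) */
		if(iph1->version == ISAKMP_VERSION_NUMBER_IKEV1){
			id_b.proto_id = IPPROTO_UDP;
			id_b.port = htons(PORT_ISAKMP);

		}
		ident = vmalloc(l);
		if (!ident) {
			plog(ASL_LEVEL_ERR,
				"failed to get ID buffer.\n");
			/* allocation failure is a failure, not a success with no ID */
			goto err;
		}
		memcpy(ident->v, p, ident->l);
	    }
	}
	if (!ident) {
		plog(ASL_LEVEL_ERR,
			"failed to get ID buffer.\n");
		/* every branch above that leaves ident NULL has already logged why */
		goto err;
	}

	ret = vmalloc(sizeof(id_b) + ident->l);
	if (ret == NULL) {
		plog(ASL_LEVEL_ERR,
			"failed to get ID buffer.\n");
		goto err;
	}

	/* payload = fixed header followed by the raw ID value */
	memcpy(ret->v, &id_b, sizeof(id_b));
	memcpy(ret->v + sizeof(id_b), ident->v, ident->l);

	iph1->id = ret;

	plogdump(ASL_LEVEL_DEBUG, iph1->id->v, iph1->id->l, "use ID type of %s\n", s_ipsecdoi_ident(id_b.type));
	if (ident)
		vfree(ident);
	return 0;

err:
	if (ident)
		vfree(ident);
	plog(ASL_LEVEL_ERR, "failed get my ID\n");
	return -1;
}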
3827
/*
 * Return a fresh copy of the identifier of kind `type': the explicit value
 * `val' when one is given, otherwise the default kept in lcconf->ident[type].
 * The caller owns the result and must vfree() it.  NULL when neither source
 * has a value or vdup() fails.
 */
static vchar_t *
getidval(type, val)
	int type;
	vchar_t *val;
{
	vchar_t *src = val ? val : lcconf->ident[type];

	return src ? vdup(src) : NULL;
}
3842
/*
 * it's only called by cfparse.y.
 *
 * Store identifier `value' of kind `type' into *vpp with no qualifier
 * (IDQUAL_UNSPEC).  Returns the result of set_identifier_qual(): 0 on
 * success, -1 on error.
 */
int
set_identifier(vpp, type, value)
	vchar_t **vpp, *value;
	int type;
{
	const int qual = IDQUAL_UNSPEC;
	int rc;

	rc = set_identifier_qual(vpp, type, value, qual);
	return rc;
}
3851
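/*
 * Store identifier `value' of kind `type' into *vpp, honouring the
 * qualifier `qual' (only meaningful for IDTYPE_KEYID: file contents versus
 * literal tag).  Called from the configuration parser, so `value' is a
 * QUOTEDSTRING whose length value->l includes the terminating NUL.
 *
 * Returns 0 on success (*vpp may be NULL when nothing was stored, e.g. an
 * empty address or an unknown type) and -1 on error; *vpp is not touched
 * on error.
 */
int
set_identifier_qual(vpp, type, value, qual)
	vchar_t **vpp, *value;
	int type;
	int qual;
{
	vchar_t *new = NULL;

	/* simply return if value is null. */
	if (!value){
		if( type == IDTYPE_FQDN || type == IDTYPE_USERFQDN){
			plog(ASL_LEVEL_ERR,
				"No %s\n", type == IDTYPE_FQDN ? "fqdn":"user fqdn");
			return -1;
		}
		return 0;
	}

	switch (type) {
	case IDTYPE_FQDN:
	case IDTYPE_USERFQDN:
		if(value->l <= 1){
			plog(ASL_LEVEL_ERR,
				"Empty %s\n", type == IDTYPE_FQDN ? "fqdn":"user fqdn");
			return -1;
		}
		/*FALLTHROUGH*/
	case IDTYPE_KEYIDUSE:
#ifdef ENABLE_HYBRID
	case IDTYPE_LOGIN:
#endif
		/* length is adjusted since QUOTEDSTRING teminates NULL. */
		/* value->l is unsigned: guard the subtraction against an empty value */
		if (value->l == 0) {
			plog(ASL_LEVEL_ERR,
				"Empty identifier\n");
			return -1;
		}
		new = vmalloc(value->l - 1);
		if (new == NULL)
			return -1;
		memcpy(new->v, value->v, new->l);
		break;
	case IDTYPE_KEYID:
		/*
		 * If no qualifier is specified: IDQUAL_UNSPEC. It means
		 * to use a file for backward compatibility sake.
		 */
		switch(qual) {
		case IDQUAL_FILE:
		case IDQUAL_UNSPEC: {
			FILE *fp;
			char b[512];
			size_t tlen, len;

			/* value->v is NUL-terminated (QUOTEDSTRING), so usable as a path */
			fp = fopen(value->v, "r");
			if (fp == NULL) {
				plog(ASL_LEVEL_ERR,
					"can not open %s\n", value->v);
				return -1;
			}
			tlen = 0;
			while ((len = fread(b, 1, sizeof(b), fp)) != 0) {
				/*
				 * NOTE(review): assumes vrealloc() releases the old
				 * buffer when it fails (vrealloc(NULL, n) allocating) --
				 * confirm, otherwise `new' leaks on the error path.
				 */
				new = vrealloc(new, tlen + len);
				if (!new) {
					fclose(fp);
					return -1;
				}
				memcpy(new->v + tlen, b, len);
				tlen += len;
			}
			/* a read error ends the loop just like EOF; do not keep a partial key */
			if (ferror(fp)) {
				plog(ASL_LEVEL_ERR,
					"read error on %s\n", value->v);
				fclose(fp);
				if (new)
					vfree(new);
				return -1;
			}
			fclose(fp);
			break;
		}

		case IDQUAL_TAG:
			/* literal tag, minus the QUOTEDSTRING NUL (see the guard above) */
			if (value->l == 0) {
				plog(ASL_LEVEL_ERR,
					"Empty identifier\n");
				return -1;
			}
			new = vmalloc(value->l - 1);
			if (new == NULL) {
				plog(ASL_LEVEL_ERR,
					"can not allocate memory");
				return -1;
			}
			memcpy(new->v, value->v, new->l);
			break;

		default:
			plog(ASL_LEVEL_ERR,
				"unknown qualifier");
			return -1;
		}
		break;

	case IDTYPE_ADDRESS: {
		struct sockaddr_storage *sa;

		/* length is adjusted since QUOTEDSTRING teminates NULL. */
		if (value->l == 0)
			break;

		sa = str2saddr(value->v, NULL);
		if (sa == NULL) {
			plog(ASL_LEVEL_ERR,
				"invalid ip address %s\n", value->v);
			return -1;
		}

		/* store the sockaddr itself, sized for its family */
		new = vmalloc(sysdep_sa_len((struct sockaddr *)sa));
		if (new == NULL) {
			racoon_free(sa);
			return -1;
		}
		memcpy(new->v, sa, new->l);
		racoon_free(sa);
		break;
	}
	case IDTYPE_ASN1DN:
		plog(ASL_LEVEL_DEBUG, "Setting ID type ASN1DN from string not supported\n");
		return -1;

	default:
		/* unknown identifier type: nothing is stored, *vpp becomes NULL */
		break;
	}

	*vpp = new;

	return 0;
}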
3971
/*
 * create ID payload for phase 2, and set into iph2->id and id_p. There are
 * NOT INCLUDING isakmp general header.
 * this function is for initiator. responder will get to copy from payload.
 * responder ID type is always address type.
 * see, RFC2407 4.6.2.1
 *
 * Both IDs are built by ipsecdoi_sockaddr2id() from the selector of the
 * policy found for iph2->spid: src/prefs for iph2->id, dst/prefd for
 * iph2->id_p.  When the policy destination is IPv6 under a NAT64 prefix
 * (iph2->nat64_prefix.length != 0) both sides are rewritten to IPv4 /32
 * IDs (see the notes inline).
 *
 * Returns 0 on success, -1 when no policy is found or either ID cannot be
 * built (in the latter case iph2->id is released again via VPTRINIT).
 */
int
ipsecdoi_setid2(iph2)
	phase2_handle_t *iph2;
{
	struct secpolicy *sp;

	/* check there is phase 2 handler ? */
	sp = getspbyspid(iph2->spid);
	if (sp == NULL) {
		plog(ASL_LEVEL_ERR,
			"no policy found for spid:%u.\n", iph2->spid);
		return -1;
	}

	/* local side */
	struct sockaddr_in local_v4_address;
	struct sockaddr_storage *srcaddr = &sp->spidx.src;
	u_int8_t prefs = sp->spidx.prefs;
	/*
	 * NOTE(review): the *destination* family is tested here although it is
	 * the source address that gets replaced (by 0.0.0.0/32 with the source
	 * port).  Presumably deliberate -- a NAT64 destination implies an IPv4
	 * local side -- but confirm against the NAT64 design.
	 */
	if (sp->spidx.dst.ss_family == AF_INET6 &&
		iph2->nat64_prefix.length) {
		memset(&local_v4_address, 0, sizeof(local_v4_address));
		local_v4_address.sin_len = sizeof(struct sockaddr_in);
		local_v4_address.sin_family = AF_INET;
		local_v4_address.sin_port = ((struct sockaddr_in6 *)&sp->spidx.src)->sin6_port;
		local_v4_address.sin_addr.s_addr = 0;

		srcaddr = ALIGNED_CAST(struct sockaddr_storage *)&local_v4_address;
		prefs = 32;
	}
	iph2->id = ipsecdoi_sockaddr2id(srcaddr,
					prefs, sp->spidx.ul_proto);
	if (iph2->id == NULL) {
		plog(ASL_LEVEL_ERR,
			"failed to get ID for %s\n",
			spidx2str(&sp->spidx));
		return -1;
	}
#ifdef ENABLE_NATT
	/*
	 * As responder behind a NAT (NAT_DETECTED_ME) with an external NAT ID
	 * configured, an IPv4 address/subnet ID is replaced by that configured
	 * ID so the peer sees the address it actually talks to.
	 */
	if (((ALIGNED_CAST(struct ipsecdoi_id_b *)iph2->id->v)->type == IPSECDOI_ID_IPV4_ADDR ||
		 (ALIGNED_CAST(struct ipsecdoi_id_b *)iph2->id->v)->type == IPSECDOI_ID_IPV4_ADDR_SUBNET) &&
		iph2->side == RESPONDER &&
		iph2->ph1 && (iph2->ph1->natt_flags & NAT_DETECTED_ME) &&
		lcconf->ext_nat_id) {
		vfree(iph2->id);
		if (!(iph2->id = vdup(lcconf->ext_nat_id))) {
			return -1;
		}
	}
#endif
	plogdump(ASL_LEVEL_DEBUG, iph2->id->v, iph2->id->l, "use local ID type %s\n",
			 s_ipsecdoi_ident((ALIGNED_CAST(struct ipsecdoi_id_b *)iph2->id->v)->type));

	/* remote side */
	struct sockaddr_in v4_address;
	struct sockaddr_storage *dstaddr = &sp->spidx.dst;
	u_int8_t prefd = sp->spidx.prefd;
	/* the IPv4 address embedded in the NAT64-mapped destination, as a /32 */
	if (sp->spidx.dst.ss_family == AF_INET6 &&
		iph2->nat64_prefix.length) {
		memset(&v4_address, 0, sizeof(v4_address));
		v4_address.sin_len = sizeof(struct sockaddr_in);
		v4_address.sin_family = AF_INET;
		v4_address.sin_port = ((struct sockaddr_in6 *)&sp->spidx.dst)->sin6_port;
		nw_nat64_extract_v4(&iph2->nat64_prefix, &((struct sockaddr_in6 *)&sp->spidx.dst)->sin6_addr, &v4_address.sin_addr);

		dstaddr = ALIGNED_CAST(struct sockaddr_storage *)&v4_address;
		prefd = 32;
	}
	iph2->id_p = ipsecdoi_sockaddr2id(dstaddr,
					prefd, sp->spidx.ul_proto);
	if (iph2->id_p == NULL) {
		plog(ASL_LEVEL_ERR,
			"failed to get ID for %s\n",
			spidx2str(&sp->spidx));
		/* do not leave a half-built pair behind */
		VPTRINIT(iph2->id);
		return -1;
	}
	plogdump(ASL_LEVEL_DEBUG, iph2->id_p->v, iph2->id_p->l, "use remote ID type %s\n",
			 s_ipsecdoi_ident((ALIGNED_CAST(struct ipsecdoi_id_b *)iph2->id_p->v)->type));

	return 0;
}
4059
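/*
 * set address type of ID.
 * NOT INCLUDING general header.
 *
 * Builds an IPv4/IPv6 ID for `saddr': a prefix length equal to the address
 * width gives the plain ADDR type, a shorter one the ADDR_SUBNET type with
 * the netmask appended after the address, and a longer one is rejected.
 * `ul_proto' and the port taken from `saddr' go into the header, with the
 * IPSEC_ULPROTO_ANY / IPSEC_PORT_ANY wildcards encoded as 0 (the inverse
 * mapping lives in ipsecdoi_id2sockaddr()).
 *
 * Returns a new vchar_t owned by the caller, or NULL on bad input / ENOMEM.
 */
vchar_t *
ipsecdoi_sockaddr2id(saddr, prefixlen, ul_proto)
	struct sockaddr_storage *saddr;
	u_int prefixlen;
	u_int ul_proto;
{
	vchar_t *new;
	int type, len1, len2;
	caddr_t sa = NULL;
	u_short port;

	/*
	 * Q. When type is SUBNET, is it allowed to be ::1/128.
	 * A. Yes. (consensus at bake-off)
	 */
	switch (saddr->ss_family) {
	case AF_INET:
		len1 = sizeof(struct in_addr);
		if (prefixlen == (sizeof(struct in_addr) << 3)) {
			type = IPSECDOI_ID_IPV4_ADDR;
			len2 = 0;
		} else if (prefixlen < (sizeof(struct in_addr) << 3)) {
			type = IPSECDOI_ID_IPV4_ADDR_SUBNET;
			len2 = sizeof(struct in_addr);
		} else {
			/* prefixlen is unsigned, so format it as such */
			plog(ASL_LEVEL_ERR,
				"invalid prefix length: %u.\n", prefixlen);
			return NULL;
		}
		sa = (caddr_t)&((struct sockaddr_in *)(saddr))->sin_addr;
		port = ((struct sockaddr_in *)(saddr))->sin_port;
		break;
#ifdef INET6
	case AF_INET6:
		len1 = sizeof(struct in6_addr);
		if (prefixlen == (sizeof(struct in6_addr) << 3)) {
			type = IPSECDOI_ID_IPV6_ADDR;
			len2 = 0;
		} else if (prefixlen < (sizeof(struct in6_addr) << 3)) {
			type = IPSECDOI_ID_IPV6_ADDR_SUBNET;
			len2 = sizeof(struct in6_addr);
		} else {
			plog(ASL_LEVEL_ERR,
				"invalid prefix length: %u.\n", prefixlen);
			return NULL;
		}
		sa = (caddr_t)&((struct sockaddr_in6 *)(saddr))->sin6_addr;
		port = ((struct sockaddr_in6 *)(saddr))->sin6_port;
		break;
#endif
	default:
		plog(ASL_LEVEL_ERR,
			"invalid family: %d.\n", saddr->ss_family);
		return NULL;
	}

	/* get ID buffer */
	new = vmalloc(sizeof(struct ipsecdoi_id_b) + len1 + len2);
	if (new == NULL) {
		plog(ASL_LEVEL_ERR,
			"failed to get ID buffer.\n");
		return NULL;
	}

	/* zeroed so a partial netmask byte only needs its high bits set below */
	memset(new->v, 0, new->l);

	/* set the part of header. */
	(ALIGNED_CAST(struct ipsecdoi_id_b *)new->v)->type = type;

	/* set ul_proto and port */
	/*
	 * NOTE: we use both IPSEC_ULPROTO_ANY and IPSEC_PORT_ANY as wild card
	 * because 0 means port number of 0. Instead of 0, we use IPSEC_*_ANY.
	 */
	(ALIGNED_CAST(struct ipsecdoi_id_b *)new->v)->proto_id =
		ul_proto == IPSEC_ULPROTO_ANY ? 0 : ul_proto;
	(ALIGNED_CAST(struct ipsecdoi_id_b *)new->v)->port =
		port == IPSEC_PORT_ANY ? 0 : port;

	/* set address */
	memcpy(new->v + sizeof(struct ipsecdoi_id_b), sa, len1);

	/* set prefix */
	if (len2) {
		u_char *p = (unsigned char *) new->v +
			sizeof(struct ipsecdoi_id_b) + len1;
		u_int bits = prefixlen;

		/* whole 0xff bytes first ... */
		while (bits >= 8) {
			*p++ = 0xff;
			bits -= 8;
		}

		/* ... then the top `bits' bits of the last byte; the rest stays 0 */
		if (bits > 0)
			*p = ~((1 << (8 - bits)) - 1);
	}

	return new;
}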
4163
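/*
 * create an address-range ID (IPSECDOI_ID_IPV4_ADDR_RANGE /
 * IPSECDOI_ID_IPV6_ADDR_RANGE) from the low address `laddr' and the high
 * address `haddr', NOT INCLUDING general header.  Both must share one
 * address family.  The port is taken from `laddr'; like `ul_proto', the
 * IPSEC_*_ANY wildcard is encoded as 0 in the header.
 *
 * Returns a new vchar_t owned by the caller, or NULL on family mismatch,
 * unknown family or ENOMEM.
 */
vchar_t *
ipsecdoi_sockrange2id(laddr, haddr, ul_proto)
	struct sockaddr_storage *laddr, *haddr;
	u_int ul_proto;
{
	vchar_t *new;
	int type, len1, len2;
	u_short port;
	caddr_t lo, hi;

	if (laddr->ss_family != haddr->ss_family) {
		plog(ASL_LEVEL_ERR, "Address family mismatch\n");
		return NULL;
	}

	/*
	 * Pick the address bytes per family: sin6_addr does not live at the
	 * sin_addr offset, so an unconditional sockaddr_in view would copy the
	 * wrong bytes for IPv6.
	 */
	switch (laddr->ss_family) {
	case AF_INET:
		type = IPSECDOI_ID_IPV4_ADDR_RANGE;
		len1 = sizeof(struct in_addr);
		len2 = sizeof(struct in_addr);
		lo = (caddr_t)&((struct sockaddr_in *)laddr)->sin_addr;
		hi = (caddr_t)&((struct sockaddr_in *)haddr)->sin_addr;
		port = ((struct sockaddr_in *)laddr)->sin_port;
		break;
#ifdef INET6
	case AF_INET6:
		type = IPSECDOI_ID_IPV6_ADDR_RANGE;
		len1 = sizeof(struct in6_addr);
		len2 = sizeof(struct in6_addr);
		lo = (caddr_t)&((struct sockaddr_in6 *)laddr)->sin6_addr;
		hi = (caddr_t)&((struct sockaddr_in6 *)haddr)->sin6_addr;
		port = ((struct sockaddr_in6 *)laddr)->sin6_port;
		break;
#endif
	default:
		plog(ASL_LEVEL_ERR,
			"invalid family: %d.\n", laddr->ss_family);
		return NULL;
	}

	/* get ID buffer */
	new = vmalloc(sizeof(struct ipsecdoi_id_b) + len1 + len2);
	if (new == NULL) {
		plog(ASL_LEVEL_ERR,
			"failed to get ID buffer.\n");
		return NULL;
	}

	memset(new->v, 0, new->l);
	/* set the part of header. */
	(ALIGNED_CAST(struct ipsecdoi_id_b *)new->v)->type = type;

	/* set ul_proto and port */
	/*
	 * NOTE: we use both IPSEC_ULPROTO_ANY and IPSEC_PORT_ANY as wild card
	 * because 0 means port number of 0. Instead of 0, we use IPSEC_*_ANY.
	 */
	(ALIGNED_CAST(struct ipsecdoi_id_b *)new->v)->proto_id =
		ul_proto == IPSEC_ULPROTO_ANY ? 0 : ul_proto;
	(ALIGNED_CAST(struct ipsecdoi_id_b *)new->v)->port =
		port == IPSEC_PORT_ANY ? 0 : port;

	/* value = low address followed by high address */
	memcpy(new->v + sizeof(struct ipsecdoi_id_b), lo, len1);
	memcpy(new->v + sizeof(struct ipsecdoi_id_b) + len1, hi, len2);
	return new;
}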
4227
4228
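/*
 * create sockaddr_storage structure from ID payload (buf).
 * buffers (saddr, prefixlen, ul_proto) must be allocated.
 * see, RFC2407 4.6.2.1
 *
 * Only the IPv4/IPv6 ADDR and ADDR_SUBNET types are accepted.  Address and
 * port go into *saddr (a port of 0 in the payload means IPSEC_PORT_ANY);
 * *prefixlen receives the address width for ADDR types or the length
 * decoded from the netmask that follows the address for SUBNET types;
 * *ul_proto is filled in for IKEv1 only (0 meaning IPSEC_ULPROTO_ANY), so
 * callers for other versions must set it themselves.
 *
 * `buf' is peer-supplied: every read is checked against buf->l first.
 * Returns 0 on success, ISAKMP_NTYPE_INVALID_ID_INFORMATION for an unknown
 * type or a payload too short for its header/address, and
 * ISAKMP_INTERNAL_ERROR when the netmask of a SUBNET ID is missing.
 */
int
ipsecdoi_id2sockaddr(vchar_t *buf,
					 struct sockaddr_storage *saddr,
					 u_int8_t *prefixlen,
					 u_int16_t *ul_proto,
					 int version)
{
	struct ipsecdoi_id_b *id_b = ALIGNED_CAST(struct ipsecdoi_id_b *)buf->v;
	u_int plen = 0;
	size_t alen = 0;	/* address length implied by id_b->type */

	/* the type is read from the header, so at least that much must exist */
	if (buf->l < sizeof(*id_b)) {
		plog(ASL_LEVEL_ERR,
			"ID payload shorter than its header\n");
		return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
	}

	/*
	 * When a ID payload of subnet type with a IP address of full bit
	 * masked, it has to be processed as host address.
	 * e.g. below 2 type are same.
	 *	type = ipv6 subnet, data = 2001::1/128
	 *	type = ipv6 address, data = 2001::1
	 */
	switch (id_b->type) {
	case IPSECDOI_ID_IPV4_ADDR:
	case IPSECDOI_ID_IPV4_ADDR_SUBNET:
		alen = sizeof(struct in_addr);
		if (buf->l < sizeof(*id_b) + alen)
			goto too_short;
		saddr->ss_len = sizeof(struct sockaddr_in);
		saddr->ss_family = AF_INET;
		((struct sockaddr_in *)saddr)->sin_port =
			(id_b->port == 0
				? IPSEC_PORT_ANY
				: id_b->port);		/* see sockaddr2id() */
		memcpy(&((struct sockaddr_in *)saddr)->sin_addr,
			buf->v + sizeof(*id_b), sizeof(struct in_addr));
		break;
#ifdef INET6
	case IPSECDOI_ID_IPV6_ADDR:
	case IPSECDOI_ID_IPV6_ADDR_SUBNET:
		alen = sizeof(struct in6_addr);
		if (buf->l < sizeof(*id_b) + alen)
			goto too_short;
		saddr->ss_len = sizeof(struct sockaddr_in6);
		saddr->ss_family = AF_INET6;
		((struct sockaddr_in6 *)saddr)->sin6_port =
			(id_b->port == 0
				? IPSEC_PORT_ANY
				: id_b->port);		/* see sockaddr2id() */
		memcpy(&((struct sockaddr_in6 *)saddr)->sin6_addr,
			buf->v + sizeof(*id_b), sizeof(struct in6_addr));
		break;
#endif
	default:
		plog(ASL_LEVEL_ERR,
			"unsupported ID type %d\n", id_b->type);
		return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
	}

	/* get prefix length */
	switch (id_b->type) {
	case IPSECDOI_ID_IPV4_ADDR:
#ifdef INET6
	case IPSECDOI_ID_IPV6_ADDR:
#endif
		/* host address: the prefix covers the whole address */
		plen = alen << 3;
		break;
	case IPSECDOI_ID_IPV4_ADDR_SUBNET:
#ifdef INET6
	case IPSECDOI_ID_IPV6_ADDR_SUBNET:
#endif
	    {
		u_char *p;
		u_int max;

		/* sanity check: header, address and a netmask of the same width */
		if (buf->l < sizeof(*id_b) + alen + alen)
			return ISAKMP_INTERNAL_ERROR;

		/* get subnet mask length */
		plen = 0;
		max = alen <<3;

		p = (unsigned char *) buf->v
			+ sizeof(struct ipsecdoi_id_b)
			+ alen;

		/* count whole 0xff bytes; the max check stops before the mask ends */
		for (; *p == 0xff; p++) {
			plen += 8;
			if (plen >= max)
				break;
		}

		/* then the leading one bits of the first partial byte */
		if (plen < max) {
			u_int l = 0;
			u_char b = ~(*p);

			while (b) {
				b >>= 1;
				l++;
			}

			l = 8 - l;
			plen += l;
		}
	    }
		break;
	default:
		break;
	}

	*prefixlen = plen;
	if (version == ISAKMP_VERSION_NUMBER_IKEV1) {
		*ul_proto = id_b->proto_id == 0 ? IPSEC_ULPROTO_ANY : id_b->proto_id; /* see sockaddr2id() */
	}

	return 0;

too_short:
	plog(ASL_LEVEL_ERR,
		"ID payload too short for type %d\n", id_b->type);
	return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
}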
4353
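/*
 * make printable string from ID payload except of general header.
 *
 * Renders the ID in `id' (type header followed by the value) as text:
 * addresses, subnets ("addr/plen") and ranges ("lo-hi") via saddrwop2str(),
 * FQDN / USER_FQDN as the raw bytes (cut to BUFLEN), DER DNs through
 * OpenSSL when built with it, and placeholders such as "<KEY-ID>", "<ASN1-DN>"
 * or "<?>" otherwise.  A payload too short for its type is logged and
 * rendered as "<?>" instead of being read past its end.
 *
 * Returns a racoon_malloc()'d NUL-terminated string the caller must free,
 * or NULL when that allocation fails.  Not reentrant: formats into a
 * static buffer.
 */
char *
ipsecdoi_id2str(id)
	const vchar_t *id;
{
#define BUFLEN 512
	char * ret = NULL;
	int len = 0;
	char *dat;
	static char buf[BUFLEN];
	struct ipsecdoi_id_b *id_b = ALIGNED_CAST(struct ipsecdoi_id_b *)id->v;
	struct sockaddr_storage saddr;
	u_int plen = 0;
	size_t need;

	bzero(&saddr, sizeof(saddr));

	/* the type is read from the header, so at least that much must exist */
	if (id->l < sizeof(*id_b)) {
		plog(ASL_LEVEL_ERR,
			"ID payload shorter than its header\n");
		goto format;
	}

	/* minimum payload length the address-bearing types below rely on */
	switch (id_b->type) {
	case IPSECDOI_ID_IPV4_ADDR:
		need = sizeof(*id_b) + sizeof(struct in_addr);
		break;
	case IPSECDOI_ID_IPV4_ADDR_SUBNET:
	case IPSECDOI_ID_IPV4_ADDR_RANGE:
		need = sizeof(*id_b) + 2 * sizeof(struct in_addr);
		break;
#ifdef INET6
	case IPSECDOI_ID_IPV6_ADDR:
		need = sizeof(*id_b) + sizeof(struct in6_addr);
		break;
	case IPSECDOI_ID_IPV6_ADDR_SUBNET:
	case IPSECDOI_ID_IPV6_ADDR_RANGE:
		need = sizeof(*id_b) + 2 * sizeof(struct in6_addr);
		break;
#endif
	default:
		need = sizeof(*id_b);
		break;
	}
	if (id->l < need) {
		plog(ASL_LEVEL_ERR,
			"ID payload too short for type %d\n", id_b->type);
		goto format;
	}

	/* first address of the payload, for the address-based types */
	switch (id_b->type) {
	case IPSECDOI_ID_IPV4_ADDR:
	case IPSECDOI_ID_IPV4_ADDR_SUBNET:
	case IPSECDOI_ID_IPV4_ADDR_RANGE:

		saddr.ss_len = sizeof(struct sockaddr_in);
		saddr.ss_family = AF_INET;
		((struct sockaddr_in *)&saddr)->sin_port = IPSEC_PORT_ANY;
		memcpy(&((struct sockaddr_in *)&saddr)->sin_addr,
			id->v + sizeof(*id_b), sizeof(struct in_addr));
		break;
#ifdef INET6
	case IPSECDOI_ID_IPV6_ADDR:
	case IPSECDOI_ID_IPV6_ADDR_SUBNET:
	case IPSECDOI_ID_IPV6_ADDR_RANGE:
		saddr.ss_len = sizeof(struct sockaddr_in6);
		saddr.ss_family = AF_INET6;
		((struct sockaddr_in6 *)&saddr)->sin6_port = IPSEC_PORT_ANY;
		memcpy(&((struct sockaddr_in6 *)&saddr)->sin6_addr,
			id->v + sizeof(*id_b), sizeof(struct in6_addr));
		/*
		 * NOTE(review): the scope id is taken by overlaying sockaddr_in6
		 * on the raw payload, i.e. from bytes beyond the 16-byte address;
		 * it is only read when the payload is actually that long.
		 */
		((struct sockaddr_in6 *)&saddr)->sin6_scope_id =
			(IN6_IS_ADDR_LINKLOCAL(&((struct sockaddr_in6 *)&saddr)->sin6_addr)
			 && id->l >= sizeof(struct sockaddr_in6)
				? (ALIGNED_CAST(struct sockaddr_in6 *)id_b)->sin6_scope_id
				: 0);
		break;
#endif
	default:
		break;
	}

	switch (id_b->type) {
	case IPSECDOI_ID_IPV4_ADDR:
#ifdef INET6
	case IPSECDOI_ID_IPV6_ADDR:
#endif
		len = snprintf( buf, sizeof(buf), "%s", saddrwop2str((struct sockaddr *)&saddr));
		break;

	case IPSECDOI_ID_IPV4_ADDR_SUBNET:
#ifdef INET6
	case IPSECDOI_ID_IPV6_ADDR_SUBNET:
#endif
	{
		u_char *p;
		u_int max;
		int alen = sizeof(struct in_addr);

		switch (id_b->type) {
		case IPSECDOI_ID_IPV4_ADDR_SUBNET:
			alen = sizeof(struct in_addr);
			break;
#ifdef INET6
		case IPSECDOI_ID_IPV6_ADDR_SUBNET:
			alen = sizeof(struct in6_addr);
			break;
#endif
		}

		/* get subnet mask length: whole 0xff bytes first ... */
		plen = 0;
		max = alen <<3;

		p = (unsigned char *) id->v
			+ sizeof(struct ipsecdoi_id_b)
			+ alen;

		for (; *p == 0xff; p++) {
			plen += 8;
			if (plen >= max)
				break;
		}

		/* ... then the leading one bits of the first partial byte */
		if (plen < max) {
			u_int l = 0;
			u_char b = ~(*p);

			while (b) {
				b >>= 1;
				l++;
			}

			l = 8 - l;
			plen += l;
		}

		len = snprintf( buf, sizeof(buf), "%s/%i", saddrwop2str((struct sockaddr *)&saddr), plen);
	}
		break;

	case IPSECDOI_ID_IPV4_ADDR_RANGE:

		len = snprintf( buf, sizeof(buf), "%s-", saddrwop2str((struct sockaddr *)&saddr));

		/* second half of the range: reuse saddr for the high address */
		saddr.ss_len = sizeof(struct sockaddr_in);
		saddr.ss_family = AF_INET;
		((struct sockaddr_in *)&saddr)->sin_port = IPSEC_PORT_ANY;
		memcpy(&((struct sockaddr_in *)&saddr)->sin_addr,
			id->v + sizeof(*id_b) + sizeof(struct in_addr),
			sizeof(struct in_addr));

		/* append only if the first half fit; otherwise buf + len is past the buffer */
		if (len >= 0 && (size_t)len < sizeof(buf)) {
			len += snprintf( buf + len, sizeof(buf) - len, "%s", saddrwop2str((struct sockaddr *)&saddr));
		}

		break;

#ifdef INET6
	case IPSECDOI_ID_IPV6_ADDR_RANGE:

		len = snprintf( buf, sizeof(buf), "%s-", saddrwop2str((struct sockaddr *)&saddr));

		/* second half of the range: reuse saddr for the high address */
		saddr.ss_len = sizeof(struct sockaddr_in6);
		saddr.ss_family = AF_INET6;
		((struct sockaddr_in6 *)&saddr)->sin6_port = IPSEC_PORT_ANY;
		memcpy(&((struct sockaddr_in6 *)&saddr)->sin6_addr,
			id->v + sizeof(*id_b) + sizeof(struct in6_addr),
			sizeof(struct in6_addr));
		/* same overlay read as above; same length guard */
		((struct sockaddr_in6 *)&saddr)->sin6_scope_id =
			(IN6_IS_ADDR_LINKLOCAL(&((struct sockaddr_in6 *)&saddr)->sin6_addr)
			 && id->l >= sizeof(struct sockaddr_in6)
				? (ALIGNED_CAST(struct sockaddr_in6 *)id_b)->sin6_scope_id
				: 0);

		if (len >= 0 && (size_t)len < sizeof(buf)) {
			len += snprintf( buf + len, sizeof(buf) - len, "%s", saddrwop2str((struct sockaddr *)&saddr));
		}

		break;
#endif

	case IPSECDOI_ID_FQDN:
	case IPSECDOI_ID_USER_FQDN:
		/* raw bytes, not NUL-terminated in the payload; clipped to the buffer */
		len = id->l - sizeof(*id_b);
		if (len > BUFLEN)
			len = BUFLEN;
		memcpy(buf, id->v + sizeof(*id_b), len);
		break;

	case IPSECDOI_ID_DER_ASN1_DN:
	case IPSECDOI_ID_DER_ASN1_GN:
	{
#ifdef HAVE_OPENSSL
		X509_NAME *xn = NULL;
#endif

		dat = id->v + sizeof(*id_b);
		len = id->l - sizeof(*id_b);
#ifdef HAVE_OPENSSL
		if (d2i_X509_NAME(&xn, (void*) &dat, len) != NULL) {
			BIO *bio = BIO_new(BIO_s_mem());
			/* BIO_new() can fail; fall back to the placeholder rather than print into NULL */
			if (bio != NULL) {
				X509_NAME_print_ex(bio, xn, 0, 0);
				len = BIO_get_mem_data(bio, &dat);
				if (len > BUFLEN)
					len = BUFLEN;
				memcpy(buf,dat,len);
				BIO_free(bio);
			} else {
				len = snprintf(buf, sizeof(buf), "<ASN1-DN>");
			}
			X509_NAME_free(xn);
		} else
#endif
		{

			plog(ASL_LEVEL_ERR,
				"unable to extract asn1dn from id\n");

			len = snprintf(buf, sizeof(buf), "<ASN1-DN>");
		}

		break;
	}

	/* currently unhandled id types */
	case IPSECDOI_ID_KEY_ID:
		len = snprintf( buf, sizeof(buf), "<KEY-ID>");
		break;

	default:
		plog(ASL_LEVEL_ERR,
			"unknown ID type %d\n", id_b->type);
	}

format:
	/* snprintf() reports the would-be length and may fail: clamp before copying out of buf */
	if (len < 0)
		len = 0;
	if (len > BUFLEN)
		len = BUFLEN;
	if (!len)
		len = snprintf( buf, sizeof(buf), "<?>");

	ret = racoon_malloc(len+1);
	if (ret != NULL) {
		memcpy(ret,buf,len);
		ret[len]=0;
	}

	return ret;
}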
4566
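/*
 * set IPsec data attributes into a proposal.
 * NOTE: MUST called per a transform.
 *
 * Walks the ISAKMP data attributes that follow transform `t' (extent given
 * by t->h.len) and records them: lifetime / lifebyte and the PFS group on
 * the proposal `pp', the encapsulation mode on the protocol `pr', and the
 * transform number/id, auth type and key length on `tr'.  Values that
 * conflict within one proposal or transform, malformed life durations and
 * attributes that run past the end of the transform are errors; attribute
 * types this code does not use are skipped.
 *
 * The transform comes off the wire, so every attribute header and TLV value
 * is length-checked before it is read.
 *
 * Returns 0 on success, -1 on error (fields set so far are left as they are).
 */
int
ipsecdoi_t2satrns(t, pp, pr, tr)
	struct isakmp_pl_t *t;
	struct saprop *pp;
	struct saproto *pr;
	struct satrns *tr;
{
	struct isakmp_data *d, *prev;
	int flag, type;
	int error = -1;
	int life_t;
	int tlen;

	tr->trns_no = t->t_no;
	tr->trns_id = t->t_id;

	/* the attribute area is whatever follows the transform header */
	if (ntohs(t->h.len) < sizeof(*t)) {
		plog(ASL_LEVEL_ERR,
			"transform payload too short: %u\n", ntohs(t->h.len));
		goto end;
	}
	tlen = ntohs(t->h.len) - sizeof(*t);
	prev = (struct isakmp_data *)NULL;
	d = (struct isakmp_data *)(t + 1);

	/* default */
	life_t = IPSECDOI_ATTR_SA_LD_TYPE_DEFAULT;
	pp->lifetime = IPSECDOI_ATTR_SA_LD_SEC_DEFAULT;
	pp->lifebyte = 0;
	tr->authtype = IPSECDOI_ATTR_AUTH_NONE;

	while (tlen > 0) {
		/* the attribute header itself must fit in the remaining bytes */
		if ((size_t)tlen < sizeof(*d)) {
			plog(ASL_LEVEL_ERR,
				"attribute header truncated, %d bytes left\n", tlen);
			goto end;
		}

		type = ntohs(d->type) & ~ISAKMP_GEN_MASK;
		flag = ntohs(d->type) & ISAKMP_GEN_MASK;

		/* ... and so must the value of a TLV (flag clear) attribute */
		if (!flag && ntohs(d->lorv) > (size_t)tlen - sizeof(*d)) {
			plog(ASL_LEVEL_ERR,
				"attribute value truncated, %u bytes claimed, %zu left\n",
				ntohs(d->lorv), (size_t)tlen - sizeof(*d));
			goto end;
		}

		plog(ASL_LEVEL_DEBUG,
			"type=%s, flag=0x%04x, lorv=%s\n",
			s_ipsecdoi_attr(type), flag,
			s_ipsecdoi_attr_v(type, ntohs(d->lorv)));

		switch (type) {
		case IPSECDOI_ATTR_SA_LD_TYPE:
		{
			/* remembered for the SA_LD attribute that must follow */
			int ldtype = ntohs(d->lorv);
			switch (ldtype) {
			case IPSECDOI_ATTR_SA_LD_TYPE_SEC:
			case IPSECDOI_ATTR_SA_LD_TYPE_KB:
				life_t = ldtype;
				break;
			default:
				plog(ASL_LEVEL_WARNING,
					"invalid life duration type. "
					"use default\n");
				life_t = IPSECDOI_ATTR_SA_LD_TYPE_DEFAULT;
				break;
			}
			break;
		}
		case IPSECDOI_ATTR_SA_LD:
			if (prev == NULL
			 || (ntohs(prev->type) & ~ISAKMP_GEN_MASK) !=
					IPSECDOI_ATTR_SA_LD_TYPE) {
				plog(ASL_LEVEL_ERR,
					"life duration must follow ltype\n");
				break;
			}

		    {
			u_int32_t ld;
			vchar_t *ld_buf = NULL;

			if (flag) {
				/* i.e. ISAKMP_GEN_TV: the 16-bit value is the duration */
				ld_buf = vmalloc(sizeof(d->lorv));
				if (ld_buf == NULL) {
					plog(ASL_LEVEL_ERR,
						"failed to get LD buffer.\n");
					goto end;
				}
				memcpy(ld_buf->v, &d->lorv, sizeof(d->lorv));
			} else {
				int len = ntohs(d->lorv);
				/* i.e. ISAKMP_GEN_TLV: the duration follows the header (bounded above) */
				ld_buf = vmalloc(len);
				if (ld_buf == NULL) {
					plog(ASL_LEVEL_ERR,
						"failed to get LD buffer.\n");
					goto end;
				}
				memcpy(ld_buf->v, d + 1, len);
			}
			switch (life_t) {
			case IPSECDOI_ATTR_SA_LD_TYPE_SEC:
				ld = ipsecdoi_set_ld(ld_buf);
				vfree(ld_buf);
				if (ld == 0) {
					plog(ASL_LEVEL_ERR,
						"invalid life duration.\n");
					goto end;
				}
				/* lifetime must be equal in a proposal. */
				if (pp->lifetime == IPSECDOI_ATTR_SA_LD_SEC_DEFAULT)
					pp->lifetime = ld;
				else if (pp->lifetime != ld) {
					plog(ASL_LEVEL_ERR,
						"lifetime mismatched "
						"in a proposal, "
						"prev:%ld curr:%u.\n",
						(long)pp->lifetime, ld);
					goto end;
				}
				break;
			case IPSECDOI_ATTR_SA_LD_TYPE_KB:
				ld = ipsecdoi_set_ld(ld_buf);
				vfree(ld_buf);
				if (ld == 0) {
					plog(ASL_LEVEL_ERR,
						"invalid life duration.\n");
					goto end;
				}
				/* lifebyte must be equal in a proposal. */
				if (pp->lifebyte == 0)
					pp->lifebyte = ld;
				else if (pp->lifebyte != ld) {
					plog(ASL_LEVEL_ERR,
						"lifebyte mismatched "
						"in a proposal, "
						"prev:%d curr:%u.\n",
						pp->lifebyte, ld);
					goto end;
				}
				break;
			default:
				vfree(ld_buf);
				plog(ASL_LEVEL_ERR,
					"invalid life type: %d\n", life_t);
				goto end;
			}
		    }
			break;

		case IPSECDOI_ATTR_GRP_DESC:
			/*
			 * RFC2407: 4.5 IPSEC Security Association Attributes
			 *   Specifies the Oakley Group to be used in a PFS QM
			 *   negotiation.  For a list of supported values, see
			 *   Appendix A of [IKE].
			 */
			if (pp->pfs_group == 0)
				pp->pfs_group = (u_int16_t)ntohs(d->lorv);
			else if (pp->pfs_group != (u_int16_t)ntohs(d->lorv)) {
				plog(ASL_LEVEL_ERR,
					"pfs_group mismatched "
					"in a proposal.\n");
				goto end;
			}
			break;

		case IPSECDOI_ATTR_ENC_MODE:
			if (pr->encmode &&
			    pr->encmode != (u_int16_t)ntohs(d->lorv)) {
				plog(ASL_LEVEL_ERR,
					"multiple encmode exist "
					"in a transform.\n");
				goto end;
			}
			pr->encmode = (u_int16_t)ntohs(d->lorv);
			break;

		case IPSECDOI_ATTR_AUTH:
			if (tr->authtype != IPSECDOI_ATTR_AUTH_NONE) {
				plog(ASL_LEVEL_ERR,
					"multiple authtype exist "
					"in a transform.\n");
				goto end;
			}
			tr->authtype = (u_int16_t)ntohs(d->lorv);
			break;

		case IPSECDOI_ATTR_KEY_LENGTH:
			if (pr->proto_id != IPSECDOI_PROTO_IPSEC_ESP) {
				plog(ASL_LEVEL_ERR,
					"key length defined but not ESP");
				goto end;
			}
			tr->encklen = ntohs(d->lorv);
			break;

		case IPSECDOI_ATTR_KEY_ROUNDS:
		case IPSECDOI_ATTR_COMP_DICT_SIZE:
		case IPSECDOI_ATTR_COMP_PRIVALG:
		default:
			break;
		}

		/* advance: TV attributes are just the header, TLV ones carry lorv bytes of value */
		prev = d;
		if (flag) {
			tlen -= sizeof(*d);
			d = (struct isakmp_data *)((char *)d + sizeof(*d));
		} else {
			tlen -= (sizeof(*d) + ntohs(d->lorv));
			d = (struct isakmp_data *)((caddr_t)d + sizeof(*d) + ntohs(d->lorv));
		}
	}

	error = 0;
end:
	return error;
}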
4776
/*
 * Map an IPsec DOI authentication attribute value (IPSECDOI_ATTR_AUTH_*)
 * to the corresponding AH transform identifier (IPSECDOI_AH_*).
 *
 * Returns the transform id, or -1 (after logging at error level) when
 * the attribute value is not one of the known algorithms.
 */
int
ipsecdoi_authalg2trnsid(alg)
	int alg;
{
	int trnsid = -1;

	switch (alg) {
	case IPSECDOI_ATTR_AUTH_HMAC_MD5:
		trnsid = IPSECDOI_AH_MD5;
		break;
	case IPSECDOI_ATTR_AUTH_HMAC_SHA1:
		trnsid = IPSECDOI_AH_SHA;
		break;
	case IPSECDOI_ATTR_AUTH_HMAC_SHA2_256:
		trnsid = IPSECDOI_AH_SHA256;
		break;
	case IPSECDOI_ATTR_AUTH_HMAC_SHA2_384:
		trnsid = IPSECDOI_AH_SHA384;
		break;
	case IPSECDOI_ATTR_AUTH_HMAC_SHA2_512:
		trnsid = IPSECDOI_AH_SHA512;
		break;
	case IPSECDOI_ATTR_AUTH_DES_MAC:
		trnsid = IPSECDOI_AH_DES;
		break;
	case IPSECDOI_ATTR_AUTH_KPDK:
		/* XXX: KPDK is folded onto the MD5 transform id here. */
		trnsid = IPSECDOI_AH_MD5;
		break;
	default:
		plog(ASL_LEVEL_ERR,
		    "invalid authentication algorithm:%d\n", alg);
		break;
	}

	return trnsid;
}
4802
/*
 * Lookup table indexed by the internal IDTYPE_* value (the expected
 * numeric index is given in each comment), yielding the IPsec DOI
 * identification type.  An entry of 255 means there is no single DOI
 * value for that idtype; IDTYPE_ADDRESS in particular is expanded into
 * several address/subnet DOI types by another function.
 */
static int rm_idtype2doi[] = {
	255,				/* IDTYPE_UNDEFINED, 0 */
	IPSECDOI_ID_FQDN,		/* IDTYPE_FQDN, 1 */
	IPSECDOI_ID_USER_FQDN,		/* IDTYPE_USERFQDN, 2 */
	IPSECDOI_ID_KEY_ID,		/* IDTYPE_KEYID, 3 */
	255,				/* IDTYPE_ADDRESS, 4
					 * it expands into 4 types by another function. */
	IPSECDOI_ID_DER_ASN1_DN,	/* IDTYPE_ASN1DN, 5 */
};
4812
/*
 * Convert an idtype to its DOI value.
 * OUT 255 : NG (no DOI value for this idtype)
 * other: converted.
 */
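/*
 * Convert an internal idtype to the IPsec DOI identification type.
 *
 * @param idtype  internal IDTYPE_* value (index into rm_idtype2doi).
 * @return the DOI value, or 255 when idtype is negative, beyond the
 *         table, or maps to an entry that itself holds 255.
 */
int
idtype2doi(idtype)
	int idtype;
{
	/*
	 * Reject negative values explicitly instead of relying on the
	 * signed/unsigned promotion in the comparison with ARRAYLEN()
	 * (a size_t), so the bounds check reads as what it means.
	 */
	if (idtype < 0 || (size_t)idtype >= ARRAYLEN(rm_idtype2doi))
		return 255;
	return rm_idtype2doi[idtype];
}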
4826
/*
 * Convert an IPsec DOI identification type to the internal IDTYPE_*.
 * All four IPv4/IPv6 address and subnet DOI types collapse to
 * IDTYPE_ADDRESS.
 *
 * An unrecognised DOI value is only logged at warning level and is then
 * also reported as IDTYPE_ADDRESS (marked XXX upstream), so callers
 * cannot tell an unknown identifier type apart from a real address.
 */
int
doi2idtype(doi)
	int doi;
{
	int idtype;

	switch (doi) {
	case IPSECDOI_ID_FQDN:
		idtype = IDTYPE_FQDN;
		break;
	case IPSECDOI_ID_USER_FQDN:
		idtype = IDTYPE_USERFQDN;
		break;
	case IPSECDOI_ID_KEY_ID:
		idtype = IDTYPE_KEYID;
		break;
	case IPSECDOI_ID_DER_ASN1_DN:
		idtype = IDTYPE_ASN1DN;
		break;
	case IPSECDOI_ID_IPV4_ADDR:
	case IPSECDOI_ID_IPV4_ADDR_SUBNET:
	case IPSECDOI_ID_IPV6_ADDR:
	case IPSECDOI_ID_IPV6_ADDR_SUBNET:
		idtype = IDTYPE_ADDRESS;
		break;
	default:
		plog(ASL_LEVEL_WARNING,
		    "Inproper idtype:%s in this function.\n",
		    s_ipsecdoi_ident(doi));
		idtype = IDTYPE_ADDRESS;	/* XXX */
		break;
	}

	return idtype;
}
4853
4854#ifdef ENABLE_HYBRID
/*
 * Translate a responder-side (_R) hybrid/XAUTH authentication method
 * into its initiator-side (_I) counterpart.  Any other value, including
 * the plain (non-hybrid) methods, is returned unchanged.
 */
static int
switch_authmethod(authmethod)
	int authmethod;
{
	static const struct {
		int responder;
		int initiator;
	} methmap[] = {
		{ OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R,
		  OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I },
		{ OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R,
		  OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I },
		{ OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R,
		  OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I },
		{ OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R,
		  OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I },
		/* Those are not implemented */
		{ OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R,
		  OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I },
		{ OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R,
		  OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I },
		{ OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R,
		  OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I },
	};
	size_t i;

	for (i = 0; i < sizeof(methmap) / sizeof(methmap[0]); i++) {
		if (methmap[i].responder == authmethod)
			return methmap[i].initiator;
	}

	/* not a responder-side method we translate: pass through */
	return authmethod;
}
4888#endif