1 /* Security Policy Data Base (such as it is)
2 * Copyright (C) 1998-2001 D. Hugh Redelmeier.
4 * This program is free software; you can redistribute it and/or modify it
5 * under the terms of the GNU General Public License as published by the
6 * Free Software Foundation; either version 2 of the License, or (at your
7 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 * This program is distributed in the hope that it will be useful, but
10 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
11 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 #include <sys/socket.h>
21 #include <netinet/in.h>
22 #include <arpa/inet.h>
26 #include "constants.h"
30 #include "connections.h" /* needs id.h */
34 #include "preshared.h"
38 #include "whack.h" /* for RC_LOG_SERIOUS */
42 #include "crypto.h" /* requires sha1.h and md5.h */
45 #include "kernel_alg.h"
48 #define AD(x) x, elemsof(x) /* Array Description */
49 #define AD_NULL NULL, 0
52 #include "nat_traversal.h"
55 /**************** Oakley (main mode) SA database ****************/
57 /* arrays of attributes for transforms, preshared key, simple-des */
59 static struct db_attr otpsk768desmd5[] = {
60 { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_DES_CBC },
61 { OAKLEY_HASH_ALGORITHM, OAKLEY_MD5 },
62 { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY },
63 { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP768 },
66 static struct db_attr otpsk1024desmd5[] = {
67 { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_DES_CBC },
68 { OAKLEY_HASH_ALGORITHM, OAKLEY_MD5 },
69 { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY },
70 { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1024 },
73 static struct db_attr otpsk1536desmd5[] = {
74 { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_DES_CBC },
75 { OAKLEY_HASH_ALGORITHM, OAKLEY_MD5 },
76 { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY },
77 { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1536 },
80 static struct db_attr otpsk768dessha[] = {
81 { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_DES_CBC },
82 { OAKLEY_HASH_ALGORITHM, OAKLEY_SHA },
83 { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY },
84 { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP768 },
87 static struct db_attr otpsk1024dessha[] = {
88 { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_DES_CBC },
89 { OAKLEY_HASH_ALGORITHM, OAKLEY_SHA },
90 { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY },
91 { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1024 },
94 static struct db_attr otpsk1536dessha[] = {
95 { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_DES_CBC },
96 { OAKLEY_HASH_ALGORITHM, OAKLEY_SHA },
97 { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY },
98 { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1536 },
101 /* arrays of attributes for transforms, RSA signatures, simple-des */
103 static struct db_attr otrsasig768desmd5[] = {
104 { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_DES_CBC },
105 { OAKLEY_HASH_ALGORITHM, OAKLEY_MD5 },
106 { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_RSA_SIG },
107 { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP768 },
110 static struct db_attr otrsasig1024desmd5[] = {
111 { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_DES_CBC },
112 { OAKLEY_HASH_ALGORITHM, OAKLEY_MD5 },
113 { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_RSA_SIG },
114 { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1024 },
117 static struct db_attr otrsasig1536desmd5[] = {
118 { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_DES_CBC },
119 { OAKLEY_HASH_ALGORITHM, OAKLEY_MD5 },
120 { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_RSA_SIG },
121 { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1536 },
124 static struct db_attr otrsasig768dessha[] = {
125 { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_DES_CBC },
126 { OAKLEY_HASH_ALGORITHM, OAKLEY_SHA },
127 { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_RSA_SIG },
128 { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP768 },
131 static struct db_attr otrsasig1024dessha[] = {
132 { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_DES_CBC },
133 { OAKLEY_HASH_ALGORITHM, OAKLEY_SHA },
134 { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_RSA_SIG },
135 { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1024 },
138 static struct db_attr otrsasig1536dessha[] = {
139 { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_DES_CBC },
140 { OAKLEY_HASH_ALGORITHM, OAKLEY_SHA },
141 { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_RSA_SIG },
142 { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1536 },
145 /* arrays of attributes for transforms, preshared key, triple-des */
147 static struct db_attr otpsk768des3md5[] = {
148 { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC },
149 { OAKLEY_HASH_ALGORITHM, OAKLEY_MD5 },
150 { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY },
151 { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP768 },
154 static struct db_attr otpsk1024des3md5[] = {
155 { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC },
156 { OAKLEY_HASH_ALGORITHM, OAKLEY_MD5 },
157 { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY },
158 { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1024 },
161 static struct db_attr otpsk1536des3md5[] = {
162 { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC },
163 { OAKLEY_HASH_ALGORITHM, OAKLEY_MD5 },
164 { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY },
165 { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1536 },
168 static struct db_attr otpsk768des3sha[] = {
169 { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC },
170 { OAKLEY_HASH_ALGORITHM, OAKLEY_SHA },
171 { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY },
172 { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP768 },
175 static struct db_attr otpsk1024des3sha[] = {
176 { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC },
177 { OAKLEY_HASH_ALGORITHM, OAKLEY_SHA },
178 { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY },
179 { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1024 },
182 static struct db_attr otpsk1536des3sha[] = {
183 { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC },
184 { OAKLEY_HASH_ALGORITHM, OAKLEY_SHA },
185 { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY },
186 { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1536 },
189 /* arrays of attributes for transforms, RSA signatures, triple-des */
191 static struct db_attr otrsasig768des3md5[] = {
192 { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC },
193 { OAKLEY_HASH_ALGORITHM, OAKLEY_MD5 },
194 { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_RSA_SIG },
195 { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP768 },
198 static struct db_attr otrsasig1024des3md5[] = {
199 { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC },
200 { OAKLEY_HASH_ALGORITHM, OAKLEY_MD5 },
201 { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_RSA_SIG },
202 { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1024 },
205 static struct db_attr otrsasig1536des3md5[] = {
206 { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC },
207 { OAKLEY_HASH_ALGORITHM, OAKLEY_MD5 },
208 { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_RSA_SIG },
209 { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1536 },
212 static struct db_attr otrsasig768des3sha[] = {
213 { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC },
214 { OAKLEY_HASH_ALGORITHM, OAKLEY_SHA },
215 { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_RSA_SIG },
216 { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP768 },
219 static struct db_attr otrsasig1024des3sha[] = {
220 { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC },
221 { OAKLEY_HASH_ALGORITHM, OAKLEY_SHA },
222 { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_RSA_SIG },
223 { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1024 },
226 static struct db_attr otrsasig1536des3sha[] = {
227 { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC },
228 { OAKLEY_HASH_ALGORITHM, OAKLEY_SHA },
229 { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_RSA_SIG },
230 { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1536 },
233 /* We won't accept this, but by proposing it, we get to test
234 * our rejection. We better not propose it to an IKE daemon
235 * that will accept it!
237 #ifdef TEST_INDECENT_PROPOSAL
238 static struct db_attr otpsk1024des3tiger[] = {
239 { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC },
240 { OAKLEY_HASH_ALGORITHM, OAKLEY_TIGER },
241 { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY },
242 { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1024 },
244 #endif /* TEST_INDECENT_PROPOSAL */
246 /* tables of transforms, in preference order (select based on AUTH) */
248 static struct db_trans oakley_trans_psk[] = {
249 #ifdef TEST_INDECENT_PROPOSAL
250 { KEY_IKE, AD(otpsk1024des3tiger) },
252 { KEY_IKE, AD(otpsk1536des3md5) },
253 { KEY_IKE, AD(otpsk1536des3sha) },
254 { KEY_IKE, AD(otpsk1024des3sha) },
255 { KEY_IKE, AD(otpsk1024des3md5) },
256 { KEY_IKE, AD(otpsk1536des3md5) },
257 { KEY_IKE, AD(otpsk1536des3sha) },
258 { KEY_IKE, AD(otpsk768des3sha) },
259 { KEY_IKE, AD(otpsk768des3md5) },
260 { KEY_IKE, AD(otpsk1024dessha) },
261 { KEY_IKE, AD(otpsk1024desmd5) },
262 { KEY_IKE, AD(otpsk1536desmd5) },
263 { KEY_IKE, AD(otpsk1536dessha) },
264 { KEY_IKE, AD(otpsk768dessha) },
265 { KEY_IKE, AD(otpsk768desmd5) },
268 static struct db_trans oakley_trans_rsasig[] = {
269 { KEY_IKE, AD(otrsasig1536des3md5) },
270 { KEY_IKE, AD(otrsasig1536des3sha) },
271 { KEY_IKE, AD(otrsasig1024des3sha) },
272 { KEY_IKE, AD(otrsasig1024des3md5) },
273 { KEY_IKE, AD(otrsasig1536des3md5) },
274 { KEY_IKE, AD(otrsasig1536des3sha) },
275 { KEY_IKE, AD(otrsasig768des3sha) },
276 { KEY_IKE, AD(otrsasig768des3md5) },
277 { KEY_IKE, AD(otrsasig1024dessha) },
278 { KEY_IKE, AD(otrsasig1024desmd5) },
279 { KEY_IKE, AD(otrsasig1536desmd5) },
280 { KEY_IKE, AD(otrsasig1536dessha) },
281 { KEY_IKE, AD(otrsasig768dessha) },
282 { KEY_IKE, AD(otrsasig768desmd5) },
285 /* In this table, either PSK or RSA sig is accepted.
286 * The order matters, but I don't know what would be best.
288 static struct db_trans oakley_trans_pskrsasig[] = {
289 #ifdef TEST_INDECENT_PROPOSAL
290 { KEY_IKE, AD(otpsk1024des3tiger) },
292 { KEY_IKE, AD(otrsasig1536des3md5) },
293 { KEY_IKE, AD(otpsk1536des3md5) },
294 { KEY_IKE, AD(otrsasig1536des3sha) },
295 { KEY_IKE, AD(otpsk1536des3sha) },
296 { KEY_IKE, AD(otrsasig1024des3sha) },
297 { KEY_IKE, AD(otpsk1024des3sha) },
298 { KEY_IKE, AD(otrsasig1024des3md5) },
299 { KEY_IKE, AD(otpsk1024des3md5) },
300 { KEY_IKE, AD(otrsasig1536des3md5) },
301 { KEY_IKE, AD(otpsk1536des3md5) },
302 { KEY_IKE, AD(otrsasig1536des3sha) },
303 { KEY_IKE, AD(otpsk1536des3sha) },
304 { KEY_IKE, AD(otrsasig768des3sha) },
305 { KEY_IKE, AD(otpsk768des3sha) },
306 { KEY_IKE, AD(otrsasig768des3md5) },
307 { KEY_IKE, AD(otpsk768des3md5) },
308 { KEY_IKE, AD(otrsasig1024dessha) },
309 { KEY_IKE, AD(otpsk1024dessha) },
310 { KEY_IKE, AD(otrsasig1024desmd5) },
311 { KEY_IKE, AD(otpsk1024desmd5) },
312 { KEY_IKE, AD(otrsasig1536desmd5) },
313 { KEY_IKE, AD(otpsk1536desmd5) },
314 { KEY_IKE, AD(otrsasig1536dessha) },
315 { KEY_IKE, AD(otpsk1536dessha) },
316 { KEY_IKE, AD(otrsasig768dessha) },
317 { KEY_IKE, AD(otpsk768dessha) },
318 { KEY_IKE, AD(otrsasig768desmd5) },
319 { KEY_IKE, AD(otpsk768desmd5) },
322 /* array of proposals to be conjoined (can only be one for Oakley) */
324 static struct db_prop oakley_pc_psk[] =
325 { { PROTO_ISAKMP, AD(oakley_trans_psk) } };
327 static struct db_prop oakley_pc_rsasig[] =
328 { { PROTO_ISAKMP, AD(oakley_trans_rsasig) } };
330 static struct db_prop oakley_pc_pskrsasig[] =
331 { { PROTO_ISAKMP, AD(oakley_trans_pskrsasig) } };
333 /* array of proposal conjuncts (can only be one) */
335 static struct db_prop_conj oakley_props_psk[] = { { AD(oakley_pc_psk) } };
337 static struct db_prop_conj oakley_props_rsasig[] = { { AD(oakley_pc_rsasig) } };
339 static struct db_prop_conj oakley_props_pskrsasig[] = { { AD(oakley_pc_pskrsasig) } };
341 /* the sadb entry, subscripted by POLICY_PSK and POLICY_RSASIG bits */
342 struct db_sa oakley_sadb[] = {
343 { AD_NULL }, /* none */
344 { AD(oakley_props_psk) }, /* POLICY_PSK */
345 { AD(oakley_props_rsasig) }, /* POLICY_RSASIG */
346 { AD(oakley_props_pskrsasig) }, /* POLICY_PSK + POLICY_RSASIG */
349 /**************** Oakley (aggressive mode) SA database ****************/
352 /* arrays of attributes for transforms, preshared key */
353 /* init_st_oakley depends upon the ordering within! */
354 struct db_attr otpsk768dessha_tr_am[] = {
355 { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_DES_CBC },
356 { OAKLEY_HASH_ALGORITHM, OAKLEY_SHA },
357 { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY },
358 { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP768 },
361 struct db_attr otpsk1024dessha_tr_am[] = {
362 { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_DES_CBC },
363 { OAKLEY_HASH_ALGORITHM, OAKLEY_SHA },
364 { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY },
365 { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1024 },
368 struct db_attr otpsk1536dessha_tr_am[] = {
369 { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_DES_CBC },
370 { OAKLEY_HASH_ALGORITHM, OAKLEY_SHA },
371 { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY },
372 { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1536 },
375 struct db_attr otpsk768desmd5_tr_am[] = {
376 { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_DES_CBC },
377 { OAKLEY_HASH_ALGORITHM, OAKLEY_MD5 },
378 { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY },
379 { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP768 },
382 struct db_attr otpsk1024desmd5_tr_am[] = {
383 { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_DES_CBC },
384 { OAKLEY_HASH_ALGORITHM, OAKLEY_MD5 },
385 { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY },
386 { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1024 },
389 struct db_attr otpsk1536desmd5_tr_am[] = {
390 { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_DES_CBC },
391 { OAKLEY_HASH_ALGORITHM, OAKLEY_MD5 },
392 { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY },
393 { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1536 },
396 struct db_attr otpsk768des3sha_tr_am[] = {
397 { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC },
398 { OAKLEY_HASH_ALGORITHM, OAKLEY_SHA },
399 { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY },
400 { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP768 },
403 struct db_attr otpsk1024des3sha_tr_am[] = {
404 { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC },
405 { OAKLEY_HASH_ALGORITHM, OAKLEY_SHA },
406 { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY },
407 { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1024 },
410 struct db_attr otpsk1536des3sha_tr_am[] = {
411 { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC },
412 { OAKLEY_HASH_ALGORITHM, OAKLEY_SHA },
413 { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY },
414 { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1536 },
417 struct db_attr otpsk768des3md5_tr_am[] = {
418 { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC },
419 { OAKLEY_HASH_ALGORITHM, OAKLEY_MD5 },
420 { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY },
421 { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP768 },
424 struct db_attr otpsk1024des3md5_tr_am[] = {
425 { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC },
426 { OAKLEY_HASH_ALGORITHM, OAKLEY_MD5 },
427 { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY },
428 { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1024 },
431 struct db_attr otpsk1536des3md5_tr_am[] = {
432 { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC },
433 { OAKLEY_HASH_ALGORITHM, OAKLEY_MD5 },
434 { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY },
435 { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1536 },
438 /* tables of transforms, (only one allowed for Aggressive Mode) */
439 static struct db_trans otpsk768des3sha_trans_am[] = {
440 { KEY_IKE, AD(otpsk768des3sha_tr_am) },
443 static struct db_trans otpsk1024des3sha_trans_am[] = {
444 { KEY_IKE, AD(otpsk1024des3sha_tr_am) },
447 static struct db_trans otpsk1536des3sha_trans_am[] = {
448 { KEY_IKE, AD(otpsk1536des3sha_tr_am) },
451 static struct db_trans otpsk768des3md5_trans_am[] = {
452 { KEY_IKE, AD(otpsk768des3md5_tr_am) },
455 static struct db_trans otpsk1024des3md5_trans_am[] = {
456 { KEY_IKE, AD(otpsk1024des3md5_tr_am) },
459 static struct db_trans otpsk1536des3md5_trans_am[] = {
460 { KEY_IKE, AD(otpsk1536des3md5_tr_am) },
463 static struct db_trans otpsk768dessha_trans_am[] = {
464 { KEY_IKE, AD(otpsk768dessha_tr_am) },
467 static struct db_trans otpsk1024dessha_trans_am[] = {
468 { KEY_IKE, AD(otpsk1024dessha_tr_am) },
471 static struct db_trans otpsk1536dessha_trans_am[] = {
472 { KEY_IKE, AD(otpsk1536dessha_tr_am) },
475 static struct db_trans otpsk768desmd5_trans_am[] = {
476 { KEY_IKE, AD(otpsk768desmd5_tr_am) },
479 static struct db_trans otpsk1024desmd5_trans_am[] = {
480 { KEY_IKE, AD(otpsk1024desmd5_tr_am) },
483 static struct db_trans otpsk1536desmd5_trans_am[] = {
484 { KEY_IKE, AD(otpsk1536desmd5_tr_am) },
488 /* array of proposals to be conjoined (can only be one for Oakley) */
489 static struct db_prop otpsk768des3sha_pc_am[] =
490 { { PROTO_ISAKMP, AD(otpsk768des3sha_trans_am) } };
492 static struct db_prop otpsk1024des3sha_pc_am[] =
493 { { PROTO_ISAKMP, AD(otpsk1024des3sha_trans_am) } };
495 static struct db_prop otpsk1536des3sha_pc_am[] =
496 { { PROTO_ISAKMP, AD(otpsk1536des3sha_trans_am) } };
498 static struct db_prop otpsk768des3md5_pc_am[] =
499 { { PROTO_ISAKMP, AD(otpsk768des3md5_trans_am) } };
501 static struct db_prop otpsk1024des3md5_pc_am[] =
502 { { PROTO_ISAKMP, AD(otpsk1024des3md5_trans_am) } };
504 static struct db_prop otpsk1536des3md5_pc_am[] =
505 { { PROTO_ISAKMP, AD(otpsk1536des3md5_trans_am) } };
507 static struct db_prop otpsk768dessha_pc_am[] =
508 { { PROTO_ISAKMP, AD(otpsk768dessha_trans_am) } };
510 static struct db_prop otpsk1024dessha_pc_am[] =
511 { { PROTO_ISAKMP, AD(otpsk1024dessha_trans_am) } };
513 static struct db_prop otpsk1536dessha_pc_am[] =
514 { { PROTO_ISAKMP, AD(otpsk1536dessha_trans_am) } };
516 static struct db_prop otpsk768desmd5_pc_am[] =
517 { { PROTO_ISAKMP, AD(otpsk768desmd5_trans_am) } };
519 static struct db_prop otpsk1024desmd5_pc_am[] =
520 { { PROTO_ISAKMP, AD(otpsk1024desmd5_trans_am) } };
522 static struct db_prop otpsk1536desmd5_pc_am[] =
523 { { PROTO_ISAKMP, AD(otpsk1536desmd5_trans_am) } };
525 /* array of proposal conjuncts (can only be one) */
526 static struct db_prop_conj otpsk768des3sha_props_am[] = { { AD(otpsk768des3sha_pc_am) } };
528 static struct db_prop_conj otpsk1024des3sha_props_am[] = { { AD(otpsk1024des3sha_pc_am) } };
530 static struct db_prop_conj otpsk1536des3sha_props_am[] = { { AD(otpsk1536des3sha_pc_am) } };
532 static struct db_prop_conj otpsk768des3md5_props_am[] = { { AD(otpsk768des3md5_pc_am) } };
534 static struct db_prop_conj otpsk1024des3md5_props_am[] = { { AD(otpsk1024des3md5_pc_am) } };
536 static struct db_prop_conj otpsk1536des3md5_props_am[] = { { AD(otpsk1536des3md5_pc_am) } };
538 static struct db_prop_conj otpsk768dessha_props_am[] = { { AD(otpsk768dessha_pc_am) } };
540 static struct db_prop_conj otpsk1024dessha_props_am[] = { { AD(otpsk1024dessha_pc_am) } };
542 static struct db_prop_conj otpsk1536dessha_props_am[] = { { AD(otpsk1536dessha_pc_am) } };
544 static struct db_prop_conj otpsk768desmd5_props_am[] = { { AD(otpsk768desmd5_pc_am) } };
546 static struct db_prop_conj otpsk1024desmd5_props_am[] = { { AD(otpsk1024desmd5_pc_am) } };
548 static struct db_prop_conj otpsk1536desmd5_props_am[] = { { AD(otpsk1536desmd5_pc_am) } };
551 struct db_sa otpsk768des3sha_sadb_am = { AD(otpsk768des3sha_props_am) };
553 struct db_sa otpsk1024des3sha_sadb_am = { AD(otpsk1024des3sha_props_am) };
555 struct db_sa otpsk1536des3sha_sadb_am = { AD(otpsk1536des3sha_props_am) };
557 struct db_sa otpsk768des3md5_sadb_am = { AD(otpsk768des3md5_props_am) };
559 struct db_sa otpsk1024des3md5_sadb_am = { AD(otpsk1024des3md5_props_am) };
561 struct db_sa otpsk1536des3md5_sadb_am = { AD(otpsk1536des3md5_props_am) };
563 struct db_sa otpsk768dessha_sadb_am = { AD(otpsk768dessha_props_am) };
565 struct db_sa otpsk1024dessha_sadb_am = { AD(otpsk1024dessha_props_am) };
567 struct db_sa otpsk1536dessha_sadb_am = { AD(otpsk1536dessha_props_am) };
569 struct db_sa otpsk768desmd5_sadb_am = { AD(otpsk768desmd5_props_am) };
571 struct db_sa otpsk1024desmd5_sadb_am = { AD(otpsk1024desmd5_props_am) };
573 struct db_sa otpsk1536desmd5_sadb_am = { AD(otpsk1536desmd5_props_am) };
576 /**************** IPsec (quick mode) SA database ****************/
578 /* arrays of attributes for transforms */
580 static struct db_attr espmd5_attr[] = {
581 { AUTH_ALGORITHM, AUTH_ALGORITHM_HMAC_MD5 },
584 static struct db_attr espsha1_attr[] = {
585 { AUTH_ALGORITHM, AUTH_ALGORITHM_HMAC_SHA1 },
588 static struct db_attr ah_HMAC_MD5_attr[] = {
589 { AUTH_ALGORITHM, AUTH_ALGORITHM_HMAC_MD5 },
592 static struct db_attr ah_HMAC_SHA1_attr[] = {
593 { AUTH_ALGORITHM, AUTH_ALGORITHM_HMAC_SHA1 },
596 /* arrays of transforms, each in in preference order */
598 static struct db_trans espa_trans[] = {
599 { ESP_3DES, AD(espmd5_attr) },
600 { ESP_3DES, AD(espsha1_attr) },
601 { ESP_DES, AD(espmd5_attr) },
602 { ESP_DES, AD(espsha1_attr) },
605 static struct db_trans esp_trans[] = {
606 { ESP_3DES, AD_NULL },
607 { ESP_DES, AD_NULL },
610 #ifdef SUPPORT_ESP_NULL
611 static struct db_trans espnull_trans[] = {
612 { ESP_NULL, AD(espmd5_attr) },
613 { ESP_NULL, AD(espsha1_attr) },
615 #endif /* SUPPORT_ESP_NULL */
617 static struct db_trans ah_trans[] = {
618 { AH_MD5, AD(ah_HMAC_MD5_attr) },
619 { AH_SHA, AD(ah_HMAC_SHA1_attr) },
622 static struct db_trans ipcomp_trans[] = {
623 { IPCOMP_LZS, AD_NULL },
624 { IPCOMP_DEFLATE, AD_NULL },
627 /* arrays of proposals to be conjoined */
629 static struct db_prop ah_pc[] = {
630 { PROTO_IPSEC_AH, AD(ah_trans) },
633 #ifdef SUPPORT_ESP_NULL
634 static struct db_prop espnull_pc[] = {
635 { PROTO_IPSEC_ESP, AD(espnull_trans) },
637 #endif /* SUPPORT_ESP_NULL */
639 static struct db_prop esp_pc[] = {
640 { PROTO_IPSEC_ESP, AD(espa_trans) },
643 static struct db_prop ah_esp_pc[] = {
644 { PROTO_IPSEC_AH, AD(ah_trans) },
645 { PROTO_IPSEC_ESP, AD(esp_trans) },
648 static struct db_prop compress_pc[] = {
649 { PROTO_IPCOMP, AD(ipcomp_trans) },
652 static struct db_prop ah_compress_pc[] = {
653 { PROTO_IPSEC_AH, AD(ah_trans) },
654 { PROTO_IPCOMP, AD(ipcomp_trans) },
657 #ifdef SUPPORT_ESP_NULL
658 static struct db_prop espnull_compress_pc[] = {
659 { PROTO_IPSEC_ESP, AD(espnull_trans) },
660 { PROTO_IPCOMP, AD(ipcomp_trans) },
662 #endif /* SUPPORT_ESP_NULL */
664 static struct db_prop esp_compress_pc[] = {
665 { PROTO_IPSEC_ESP, AD(espa_trans) },
666 { PROTO_IPCOMP, AD(ipcomp_trans) },
669 static struct db_prop ah_esp_compress_pc[] = {
670 { PROTO_IPSEC_AH, AD(ah_trans) },
671 { PROTO_IPSEC_ESP, AD(esp_trans) },
672 { PROTO_IPCOMP, AD(ipcomp_trans) },
675 /* arrays of proposal alternatives (each element is a conjunction) */
677 static struct db_prop_conj ah_props[] = {
679 #ifdef SUPPORT_ESP_NULL
684 static struct db_prop_conj esp_props[] =
687 static struct db_prop_conj ah_esp_props[] =
688 { { AD(ah_esp_pc) } };
690 static struct db_prop_conj compress_props[] = {
694 static struct db_prop_conj ah_compress_props[] = {
695 { AD(ah_compress_pc) },
696 #ifdef SUPPORT_ESP_NULL
697 { AD(espnull_compress_pc) }
701 static struct db_prop_conj esp_compress_props[] =
702 { { AD(esp_compress_pc) } };
704 static struct db_prop_conj ah_esp_compress_props[] =
705 { { AD(ah_esp_compress_pc) } };
707 /* The IPsec sadb is subscripted by a bitset (subset of policy)
708 * with members from { POLICY_ENCRYPT, POLICY_AUTHENTICATE, POLICY_COMPRESS }
709 * shifted right by POLICY_IPSEC_SHIFT.
711 struct db_sa ipsec_sadb[1 << 3] = {
712 { AD_NULL }, /* none */
713 { AD(esp_props) }, /* POLICY_ENCRYPT */
714 { AD(ah_props) }, /* POLICY_AUTHENTICATE */
715 { AD(ah_esp_props) }, /* POLICY_ENCRYPT+POLICY_AUTHENTICATE */
716 { AD(compress_props) }, /* POLICY_COMPRESS */
717 { AD(esp_compress_props) }, /* POLICY_ENCRYPT+POLICY_COMPRESS */
718 { AD(ah_compress_props) }, /* POLICY_AUTHENTICATE+POLICY_COMPRESS */
719 { AD(ah_esp_compress_props) }, /* POLICY_ENCRYPT+POLICY_AUTHENTICATE+POLICY_COMPRESS */
725 /* output an attribute (within an SA) */
729 , struct_desc *attr_desc
730 , enum_names **attr_val_descs USED_BY_DEBUG
733 struct isakmp_attribute attr;
737 /* short value: use TV form */
738 attr.isaat_af_type = type | ISAKMP_ATTR_AF_TV;
740 if (!out_struct(&attr, attr_desc, pbs, NULL))
745 /* This is a real fudge! Since we rarely use long attributes
746 * and since this is the only place where we can cause an
747 * ISAKMP message length to be other than a multiple of 4 octets,
748 * we force the length of the value to be a multiple of 4 octets.
749 * Furthermore, we only handle values up to 4 octets in length.
750 * Voila: a fixed format!
753 u_int32_t nval = htonl(val);
755 attr.isaat_af_type = type | ISAKMP_ATTR_AF_TLV;
756 if (!out_struct(&attr, attr_desc, pbs, &val_pbs)
757 || !out_raw(&nval, sizeof(nval), &val_pbs, "long attribute value"))
759 close_output_pbs(&val_pbs);
762 enum_names *d = attr_val_descs[type];
765 DBG_log(" [%lu is %s]"
766 , val, enum_show(d, val)));
769 #define return_on(var, val) do { var=val;goto return_out; } while(0);
770 /* Output an SA, as described by a db_sa.
771 * This has the side-effect of allocating SPIs for us.
774 out_sa(pb_stream *outs
783 bool ah_spi_generated = FALSE
784 , esp_spi_generated = FALSE
785 , ipcomp_cpi_generated = FALSE;
786 #if !defined NO_KERNEL_ALG || !defined NO_IKE_ALG
787 struct db_context *db_ctx = NULL;
795 st->st_doi = sa.isasa_doi = ISAKMP_DOI_IPSEC; /* all we know */
796 if (!out_struct(&sa, &isakmp_sa_desc, outs, &sa_pbs))
797 return_on(ret, FALSE);
800 /* within SA: situation out */
801 st->st_situation = SIT_IDENTITY_ONLY;
802 if (!out_struct(&st->st_situation, &ipsec_sit_desc, &sa_pbs, NULL))
803 return_on(ret, FALSE);
805 /* within SA: Proposal Payloads
807 * Multiple Proposals with the same number are simultaneous
808 * (conjuncts) and must deal with different protocols (AH or ESP).
809 * Proposals with different numbers are alternatives (disjuncts),
810 * in preference order.
811 * Proposal numbers must be monotonic.
812 * See draft-ietf-ipsec-isakmp-09.txt 4.2
815 for (pcn = 0; pcn != sadb->prop_conj_cnt; pcn++)
817 struct db_prop_conj *pc = &sadb->prop_conjs[pcn];
820 for (pn = 0; pn != pc->prop_cnt; pn++)
822 struct db_prop *p = &pc->props[pn];
823 pb_stream proposal_pbs;
824 struct isakmp_proposal proposal;
825 struct_desc *trans_desc;
826 struct_desc *attr_desc;
827 enum_names **attr_val_descs;
830 /* Proposal header */
831 proposal.isap_np = pcn == sadb->prop_conj_cnt-1 && pn == pc->prop_cnt-1
832 ? ISAKMP_NEXT_NONE : ISAKMP_NEXT_P;
833 proposal.isap_proposal = pcn;
834 proposal.isap_protoid = p->protoid;
835 proposal.isap_spisize = oakley_mode ? 0
836 : p->protoid == PROTO_IPCOMP ? IPCOMP_CPI_SIZE
837 : IPSEC_DOI_SPI_SIZE;
838 #ifndef NO_KERNEL_ALG
840 * In quick mode ONLY, create proposal for
841 * runtime kernel algos
843 * replace ESP proposals
844 * with runtime created one
846 if (!oakley_mode && p->protoid==PROTO_IPSEC_ESP) {
847 DBG(DBG_CONTROL | DBG_CRYPT,
848 if (st->st_connection->alg_info_esp) {
849 static char buf[256]="";
850 alg_info_snprint(buf, sizeof (buf),
851 (struct alg_info *)st->st_connection->alg_info_esp);
855 db_ctx=kernel_alg_db_new(st->st_connection->alg_info_esp, st->st_policy);
856 p = db_prop_get(db_ctx);
858 if (!p || p->trans_cnt==0) {
859 loglog(RC_LOG_SERIOUS,
860 "empty IPSEC SA proposal to send "
861 "(no kernel algorithms for esp selection)");
862 return_on(ret, FALSE);
867 if (oakley_mode && p->protoid==PROTO_ISAKMP) {
868 DBG(DBG_CONTROL | DBG_CRYPT,
869 if (st->st_connection->alg_info_ike) {
870 static char buf[256]="";
871 alg_info_snprint(buf, sizeof (buf),
872 (struct alg_info *)st->st_connection->alg_info_ike);
877 db_ctx=ike_alg_db_new(st->st_connection->alg_info_ike,
879 p = db_prop_get(db_ctx);
880 if (!p || p->trans_cnt==0) {
881 loglog(RC_LOG_SERIOUS,
882 "empty ISAKMP SA proposal to send "
883 "(no algorithms for ike selection?)");
884 return_on(ret, FALSE);
888 proposal.isap_notrans = p->trans_cnt;
889 if (!out_struct(&proposal, &isakmp_proposal_desc, &sa_pbs, &proposal_pbs))
890 return_on(ret, FALSE);
892 /* Per-protocols stuff:
895 * Set attr_val_descs.
896 * If not oakley_mode, emit SPI.
897 * We allocate SPIs on demand.
898 * All ESPs in an SA will share a single SPI.
899 * All AHs in an SAwill share a single SPI.
900 * AHs' SPI will be distinct from ESPs'.
901 * This latter is needed because KLIPS doesn't
902 * use the protocol when looking up a (dest, protocol, spi).
903 * ??? If multiple ESPs are composed, how should their SPIs
907 ipsec_spi_t *spi_ptr = NULL;
913 passert(oakley_mode);
914 trans_desc = &isakmp_isakmp_transform_desc;
915 attr_desc = &isakmp_oakley_attribute_desc;
916 attr_val_descs = oakley_attr_val_descs;
920 passert(!oakley_mode);
921 trans_desc = &isakmp_ah_transform_desc;
922 attr_desc = &isakmp_ipsec_attribute_desc;
923 attr_val_descs = ipsec_attr_val_descs;
924 spi_ptr = &st->st_ah.our_spi;
925 spi_generated = &ah_spi_generated;
927 case PROTO_IPSEC_ESP:
928 passert(!oakley_mode);
929 trans_desc = &isakmp_esp_transform_desc;
930 attr_desc = &isakmp_ipsec_attribute_desc;
931 attr_val_descs = ipsec_attr_val_descs;
932 spi_ptr = &st->st_esp.our_spi;
933 spi_generated = &esp_spi_generated;
936 passert(!oakley_mode);
937 trans_desc = &isakmp_ipcomp_transform_desc;
938 attr_desc = &isakmp_ipsec_attribute_desc;
939 attr_val_descs = ipsec_attr_val_descs;
941 /* a CPI isn't quite the same as an SPI
942 * so we use specialized code to emit it.
944 if (!ipcomp_cpi_generated)
946 st->st_ipcomp.our_spi = get_my_cpi();
947 if (st->st_ipcomp.our_spi == 0)
948 return_on(ret, FALSE); /* problem generating CPI */
950 ipcomp_cpi_generated = TRUE;
952 /* CPI is stored in network low order end of an
953 * ipsec_spi_t. So we start a couple of bytes in.
955 if (!out_raw((u_char *)&st->st_ipcomp.our_spi
956 + IPSEC_DOI_SPI_SIZE - IPCOMP_CPI_SIZE
958 , &proposal_pbs, "CPI"))
959 return_on(ret, FALSE);
968 *spi_ptr = get_ipsec_spi(0);
969 *spi_generated = TRUE;
971 if (!out_raw((u_char *)spi_ptr, IPSEC_DOI_SPI_SIZE
972 , &proposal_pbs, "SPI"))
973 return_on(ret, FALSE);
977 /* within proposal: Transform Payloads */
978 for (tn = 0; tn != p->trans_cnt; tn++)
980 struct db_trans *t = &p->trans[tn];
982 struct isakmp_transform trans;
985 trans.isat_np = (tn == p->trans_cnt - 1)
986 ? ISAKMP_NEXT_NONE : ISAKMP_NEXT_T;
987 trans.isat_transnum = tn;
988 trans.isat_transid = t->transid;
989 if (!out_struct(&trans, trans_desc, &proposal_pbs, &trans_pbs))
990 return_on(ret, FALSE);
992 /* Within tranform: Attributes. */
994 /* For Phase 2 / Quick Mode, GROUP_DESCRIPTION is
995 * automatically generated because it must be the same
996 * in every transform. Except IPCOMP.
998 if (p->protoid != PROTO_IPCOMP
999 && st->st_pfs_group != NULL)
1001 passert(!oakley_mode);
1002 passert(st->st_pfs_group != &unset_group);
1003 out_attr(GROUP_DESCRIPTION, st->st_pfs_group->group
1004 , attr_desc, attr_val_descs
1008 /* automatically generate duration
1009 * and, for Phase 2 / Quick Mode, encapsulation.
1013 out_attr(OAKLEY_LIFE_TYPE, OAKLEY_LIFE_SECONDS
1014 , attr_desc, attr_val_descs
1016 out_attr(OAKLEY_LIFE_DURATION
1017 , st->st_connection->sa_ike_life_seconds
1018 , attr_desc, attr_val_descs
1023 /* RFC 2407 (IPSEC DOI) 4.5 specifies that
1024 * the default is "unspecified (host-dependent)".
1025 * This makes little sense, so we always specify it.
1027 * Unlike other IPSEC transforms, IPCOMP defaults
1028 * to Transport Mode, so we can exploit the default
1029 * (draft-shacham-ippcp-rfc2393bis-05.txt 4.1).
1031 if (p->protoid != PROTO_IPCOMP
1032 || st->st_policy & POLICY_TUNNEL)
1034 #ifdef NAT_TRAVERSAL
1035 #ifndef I_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT
1036 if ((st->nat_traversal & NAT_T_DETECTED) &&
1037 (!(st->st_policy & POLICY_TUNNEL))) {
1038 /* Inform user that we will not respect policy and only
1039 * propose Tunnel Mode
1041 loglog(RC_LOG_SERIOUS, "NAT-Traversal: "
1042 "Transport Mode not allowed due to security concerns -- "
1043 "using Tunnel mode");
1047 out_attr(ENCAPSULATION_MODE
1048 #ifdef NAT_TRAVERSAL
1049 #ifdef I_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT
1050 , NAT_T_ENCAPSULATION_MODE(st,st->st_policy)
1052 /* If NAT-T is detected, use UDP_TUNNEL as long as Transport
1053 * Mode has security concerns.
1055 * User has been informed of that
1057 , NAT_T_ENCAPSULATION_MODE(st,POLICY_TUNNEL)
1059 #else /* ! NAT_TRAVERSAL */
1060 , st->st_policy & POLICY_TUNNEL
1061 ? ENCAPSULATION_MODE_TUNNEL : ENCAPSULATION_MODE_TRANSPORT
1063 , attr_desc, attr_val_descs
1066 out_attr(SA_LIFE_TYPE, SA_LIFE_TYPE_SECONDS
1067 , attr_desc, attr_val_descs
1069 out_attr(SA_LIFE_DURATION
1070 , st->st_connection->sa_ipsec_life_seconds
1071 , attr_desc, attr_val_descs
1075 /* spit out attributes from table */
1076 for (an = 0; an != t->attr_cnt; an++)
1078 struct db_attr *a = &t->attrs[an];
1080 out_attr(a->type, a->val
1081 , attr_desc, attr_val_descs
1085 close_output_pbs(&trans_pbs);
1087 close_output_pbs(&proposal_pbs);
1089 /* end of a conjunction of proposals */
1091 close_output_pbs(&sa_pbs);
1096 #if !defined NO_KERNEL_ALG || !defined NO_IKE_ALG
1103 /* Handle long form of duration attribute.
1104 * The code is can only handle values that can fit in unsigned long.
1105 * "Clamping" is probably an acceptable way to impose this limitation.
1108 decode_long_duration(pb_stream *pbs)
1112 /* ignore leading zeros */
1113 while (pbs_left(pbs) != 0 && *pbs->cur == '\0')
1116 if (pbs_left(pbs) > sizeof(val))
1118 /* "clamp" too large value to max representable value */
1119 val -= 1; /* portable way to get to maximum value */
1120 DBG(DBG_PARSING, DBG_log(" too large duration clamped to: %lu"
1121 , (unsigned long)val));
1126 while (pbs_left(pbs) != 0)
1127 val = (val << BITS_PER_BYTE) | *pbs->cur++;
1128 DBG(DBG_PARSING, DBG_log(" long duration: %lu", (unsigned long)val));
1133 /* Parse the body of an ISAKMP SA Payload (i.e. Phase 1 / Main Mode).
1134 * Various shortcuts are taken. In particular, the policy, such as
1135 * it is, is hardwired.
1137 * If r_sa is non-NULL, the body of an SA representing the selected
1138 * proposal is emitted.
1140 * If "selection" is true, the SA is supposed to represent the
1141 * single tranform that the peer has accepted.
1142 * ??? We only check that it is acceptable, not that it is one that we offered!
1144 * Only IPsec DOI is accepted (what is the ISAKMP DOI?).
1145 * Error response is rudimentary.
1147 * This routine is used by main_inI1_outR1() and main_inR1_outI2().
1150 parse_isakmp_sa_body(
1151 pb_stream *sa_pbs, /* body of input SA Payload */
1152 const struct isakmp_sa *sa, /* header of input SA Payload */
1153 pb_stream *r_sa_pbs, /* if non-NULL, where to emit winning SA */
1154 bool selection, /* if this SA is a selection, only one tranform can appear */
1155 struct state *st) /* current state object */
1158 struct connection *c = st->st_connection;
1160 u_int32_t ipsecdoisit;
1161 pb_stream proposal_pbs;
1162 struct isakmp_proposal proposal;
1163 unsigned no_trans_left;
1167 if (sa->isasa_doi != ISAKMP_DOI_IPSEC)
1169 loglog(RC_LOG_SERIOUS, "Unknown/unsupported DOI %s", enum_show(&doi_names, sa->isasa_doi));
1170 return DOI_NOT_SUPPORTED;
1174 if (!in_struct(&ipsecdoisit, &ipsec_sit_desc, sa_pbs, NULL))
1176 return SITUATION_NOT_SUPPORTED;
1179 if (ipsecdoisit != SIT_IDENTITY_ONLY)
1181 loglog(RC_LOG_SERIOUS, "unsupported IPsec DOI situation (%s)"
1182 , bitnamesof(sit_bit_names, ipsecdoisit));
1183 return SITUATION_NOT_SUPPORTED;
1186 /* The rules for ISAKMP SAs are scattered.
1187 * draft-ietf-ipsec-isakmp-oakley-07.txt section 5 says that there
1188 * can only be one SA, and it can have only one proposal in it.
1189 * There may well be multiple transforms.
1191 if (!in_struct(&proposal, &isakmp_proposal_desc, sa_pbs, &proposal_pbs))
1192 return PAYLOAD_MALFORMED;
1194 if (proposal.isap_np != ISAKMP_NEXT_NONE)
1196 loglog(RC_LOG_SERIOUS, "Proposal Payload must be alone in Oakley SA; found %s following Proposal"
1197 , enum_show(&payload_names, proposal.isap_np));
1198 return PAYLOAD_MALFORMED;
1201 if (proposal.isap_protoid != PROTO_ISAKMP)
1203 loglog(RC_LOG_SERIOUS, "unexpected Protocol ID (%s) found in Oakley Proposal"
1204 , enum_show(&protocol_names, proposal.isap_protoid));
1205 return INVALID_PROTOCOL_ID;
1208 /* Just what should we accept for the SPI field?
1209 * The RFC is sort of contradictory. We will ignore the SPI
1210 * as long as it is of the proper size.
1212 * From RFC2408 2.4 Identifying Security Associations:
1213 * During phase 1 negotiations, the initiator and responder cookies
1214 * determine the ISAKMP SA. Therefore, the SPI field in the Proposal
1215 * payload is redundant and MAY be set to 0 or it MAY contain the
1216 * transmitting entity's cookie.
1218 * From RFC2408 3.5 Proposal Payload:
1219 * o SPI Size (1 octet) - Length in octets of the SPI as defined by
1220 * the Protocol-Id. In the case of ISAKMP, the Initiator and
1221 * Responder cookie pair from the ISAKMP Header is the ISAKMP SPI,
1222 * therefore, the SPI Size is irrelevant and MAY be from zero (0) to
1223 * sixteen (16). If the SPI Size is non-zero, the content of the
1224 * SPI field MUST be ignored. If the SPI Size is not a multiple of
1225 * 4 octets it will have some impact on the SPI field and the
1226 * alignment of all payloads in the message. The Domain of
1227 * Interpretation (DOI) will dictate the SPI Size for other
1230 if (proposal.isap_spisize == 0)
1232 /* empty (0) SPI -- fine */
1234 else if (proposal.isap_spisize <= MAX_ISAKMP_SPI_SIZE)
1236 u_char junk_spi[MAX_ISAKMP_SPI_SIZE];
1238 if (!in_raw(junk_spi, proposal.isap_spisize, &proposal_pbs, "Oakley SPI"))
1239 return PAYLOAD_MALFORMED;
1243 loglog(RC_LOG_SERIOUS, "invalid SPI size (%u) in Oakley Proposal"
1244 , (unsigned)proposal.isap_spisize);
1248 if (selection && proposal.isap_notrans != 1)
1250 loglog(RC_LOG_SERIOUS, "a single Transform is required in a selecting Oakley Proposal; found %u"
1251 , (unsigned)proposal.isap_notrans);
1252 return BAD_PROPOSAL_SYNTAX;
1255 /* for each transform payload... */
1258 no_trans_left = proposal.isap_notrans;
1261 pb_stream trans_pbs;
1264 struct isakmp_transform trans;
1265 lset_t seen_attrs = 0
1266 , seen_durations = 0;
1267 u_int16_t life_type;
1268 struct oakley_trans_attrs ta;
1269 err_t ugh = NULL; /* set to diagnostic when problem detected */
1271 /* initialize only optional field in ta */
1272 ta.life_seconds = OAKLEY_ISAKMP_SA_LIFETIME_DEFAULT; /* When this SA expires (seconds) */
1274 if (no_trans_left == 0)
1276 loglog(RC_LOG_SERIOUS, "number of Transform Payloads disagrees with Oakley Proposal Payload");
1277 return BAD_PROPOSAL_SYNTAX;
1280 if (!in_struct(&trans, &isakmp_isakmp_transform_desc, &proposal_pbs, &trans_pbs))
1281 return BAD_PROPOSAL_SYNTAX;
1283 if (trans.isat_transnum <= last_transnum)
1285 /* picky, picky, picky */
1286 loglog(RC_LOG_SERIOUS, "Transform Numbers are not monotonically increasing"
1287 " in Oakley Proposal");
1288 return BAD_PROPOSAL_SYNTAX;
1290 last_transnum = trans.isat_transnum;
1292 if (trans.isat_transid != KEY_IKE)
1294 loglog(RC_LOG_SERIOUS, "expected KEY_IKE but found %s in Oakley Transform"
1295 , enum_show(&isakmp_transformid_names, trans.isat_transid));
1296 return INVALID_TRANSFORM_ID;
1299 attr_start = trans_pbs.cur;
1300 attr_len = pbs_left(&trans_pbs);
1302 /* process all the attributes that make up the transform */
1304 while (pbs_left(&trans_pbs) != 0)
1306 struct isakmp_attribute a;
1308 u_int32_t val; /* room for larger values */
1310 if (!in_struct(&a, &isakmp_oakley_attribute_desc, &trans_pbs, &attr_pbs))
1311 return BAD_PROPOSAL_SYNTAX;
1313 passert((a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK) < 32);
1315 if (seen_attrs & LELEM(a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK))
1317 loglog(RC_LOG_SERIOUS, "repeated %s attribute in Oakley Transform %u"
1318 , enum_show(&oakley_attr_names, a.isaat_af_type)
1319 , trans.isat_transnum);
1320 return BAD_PROPOSAL_SYNTAX;
1323 seen_attrs |= LELEM(a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK);
1329 enum_names *vdesc = oakley_attr_val_descs
1330 [a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK];
1334 const char *nm = enum_name(vdesc, val);
1337 DBG_log(" [%u is %s]", (unsigned)val, nm);
1341 switch (a.isaat_af_type)
1343 case OAKLEY_ENCRYPTION_ALGORITHM | ISAKMP_ATTR_AF_TV:
1345 if (ike_alg_enc_ok(val, 0, c->alg_info_ike, &ugh)) {
1346 /* if (ike_alg_enc_present(val)) { */
1348 ta.encrypter = crypto_get_encrypter(val);
1349 ta.enckeylen = ta.encrypter->keydeflen;
1354 case OAKLEY_DES_CBC:
1355 case OAKLEY_3DES_CBC:
1357 ta.encrypter = crypto_get_encrypter(val);
1360 ugh = builddiag("%s is not supported"
1361 , enum_show(&oakley_enc_names, val));
1365 case OAKLEY_HASH_ALGORITHM | ISAKMP_ATTR_AF_TV:
1367 if (ike_alg_hash_present(val)) {
1369 ta.hasher = crypto_get_hasher(val);
1378 ta.hasher = crypto_get_hasher(val);
1381 ugh = builddiag("%s is not supported"
1382 , enum_show(&oakley_hash_names, val));
1387 case OAKLEY_AUTHENTICATION_METHOD | ISAKMP_ATTR_AF_TV:
1389 /* check that authentication method is acceptable */
1390 lset_t iap = st->st_policy & POLICY_ID_AUTH_MASK;
1394 case OAKLEY_PRESHARED_KEY:
1395 #if FREESWAN_191 /* Can't see why we need to do this check */
1396 if ((iap & POLICY_PSK) == LEMPTY)
1398 ugh = "policy does not allow OAKLEY_PRESHARED_KEY authentication";
1404 /* check that we can find a preshared secret */
1405 struct connection *c = st->st_connection;
1407 if (get_preshared_secret(c) == NULL)
1412 idtoa(&c->this.id, mid, sizeof(mid));
1413 if (his_id_was_instantiated(c))
1414 strcpy(hid, "%any");
1416 idtoa(&c->that.id, hid, sizeof(hid));
1417 ugh = builddiag("Can't authenticate: no preshared key found for `%s' and `%s'"
1423 case OAKLEY_RSA_SIG:
1425 /* Accept if policy specifies RSASIG or is default */
1426 if ((iap & POLICY_RSASIG) == LEMPTY)
1428 ugh = "policy does not allow OAKLEY_RSA_SIG authentication";
1433 /* We'd like to check that we can find a public
1434 * key for him and a private key for us that is
1435 * suitable, but we don't yet have his
1436 * Id Payload, so it seems futile to try.
1437 * We can assume that if he proposes it, he
1438 * thinks we've got it. If we proposed it,
1439 * perhaps we know what we're doing.
1448 ugh = builddiag("Pluto does not support %s authentication"
1449 , enum_show(&oakley_auth_names, val));
1455 case OAKLEY_GROUP_DESCRIPTION | ISAKMP_ATTR_AF_TV:
1456 ta.group = lookup_group(val);
1457 if (ta.group == NULL)
1459 ugh = "only OAKLEY_GROUP_MODP768, OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported";
1464 case OAKLEY_LIFE_TYPE | ISAKMP_ATTR_AF_TV:
1467 case OAKLEY_LIFE_SECONDS:
1468 case OAKLEY_LIFE_KILOBYTES:
1469 if (seen_durations & LELEM(val))
1471 loglog(RC_LOG_SERIOUS
1472 , "attribute OAKLEY_LIFE_TYPE value %s repeated"
1473 , enum_show(&oakley_lifetime_names, val));
1476 seen_durations |= LELEM(val);
1480 ugh = builddiag("unknown value %s"
1481 , enum_show(&oakley_lifetime_names, val));
1486 case OAKLEY_LIFE_DURATION | ISAKMP_ATTR_AF_TLV:
1487 val = decode_long_duration(&attr_pbs);
1489 case OAKLEY_LIFE_DURATION | ISAKMP_ATTR_AF_TV:
1490 if ((seen_attrs & LELEM(OAKLEY_LIFE_TYPE)) == 0)
1492 ugh = "OAKLEY_LIFE_DURATION attribute not preceded by OAKLEY_LIFE_TYPE attribute";
1495 seen_attrs &= ~(LELEM(OAKLEY_LIFE_DURATION) | LELEM(OAKLEY_LIFE_TYPE));
1499 case OAKLEY_LIFE_SECONDS:
1500 if (val > OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM)
1501 ugh = builddiag("peer requested %lu seconds"
1502 " which exceeds our limit %d seconds"
1504 , OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM);
1505 ta.life_seconds = val;
1507 case OAKLEY_LIFE_KILOBYTES:
1508 ta.life_kilobytes = val;
1516 case OAKLEY_KEY_LENGTH | ISAKMP_ATTR_AF_TV:
1517 if ((seen_attrs & LELEM(OAKLEY_ENCRYPTION_ALGORITHM)) == 0)
1519 ugh = "OAKLEY_KEY_LENGTH attribute not preceded by OAKLEY_ENCRYPTION_ALGORITHM attribute";
1522 if (ta.encrypter == NULL)
1524 ugh = "NULL encrypter with seen OAKLEY_ENCRYPTION_ALGORITHM";
1528 * check if this keylen is compatible with
1529 * specified alg_info_ike
1531 if (!ike_alg_enc_ok(ta.encrypt, val, c->alg_info_ike, &ugh)) {
1532 ugh = "peer proposed key_len not valid for encrypt algo setup specified";
1537 case OAKLEY_KEY_LENGTH | ISAKMP_ATTR_AF_TV:
1539 #if 0 /* not yet supported */
1540 case OAKLEY_GROUP_TYPE | ISAKMP_ATTR_AF_TV:
1541 case OAKLEY_PRF | ISAKMP_ATTR_AF_TV:
1542 case OAKLEY_FIELD_SIZE | ISAKMP_ATTR_AF_TV:
1544 case OAKLEY_GROUP_PRIME | ISAKMP_ATTR_AF_TV:
1545 case OAKLEY_GROUP_PRIME | ISAKMP_ATTR_AF_TLV:
1546 case OAKLEY_GROUP_GENERATOR_ONE | ISAKMP_ATTR_AF_TV:
1547 case OAKLEY_GROUP_GENERATOR_ONE | ISAKMP_ATTR_AF_TLV:
1548 case OAKLEY_GROUP_GENERATOR_TWO | ISAKMP_ATTR_AF_TV:
1549 case OAKLEY_GROUP_GENERATOR_TWO | ISAKMP_ATTR_AF_TLV:
1550 case OAKLEY_GROUP_CURVE_A | ISAKMP_ATTR_AF_TV:
1551 case OAKLEY_GROUP_CURVE_A | ISAKMP_ATTR_AF_TLV:
1552 case OAKLEY_GROUP_CURVE_B | ISAKMP_ATTR_AF_TV:
1553 case OAKLEY_GROUP_CURVE_B | ISAKMP_ATTR_AF_TLV:
1554 case OAKLEY_GROUP_ORDER | ISAKMP_ATTR_AF_TV:
1555 case OAKLEY_GROUP_ORDER | ISAKMP_ATTR_AF_TLV:
1558 ugh = "unsupported OAKLEY attribute";
1564 loglog(RC_LOG_SERIOUS, "%s. Attribute %s"
1565 , ugh, enum_show(&oakley_attr_names, a.isaat_af_type));
1572 /* a little more checking is in order */
1574 unsigned long missing
1576 & (LELEM(OAKLEY_ENCRYPTION_ALGORITHM)
1577 | LELEM(OAKLEY_HASH_ALGORITHM)
1578 | LELEM(OAKLEY_AUTHENTICATION_METHOD)
1579 | LELEM(OAKLEY_GROUP_DESCRIPTION));
1583 loglog(RC_LOG_SERIOUS, "missing mandatory attribute(s) %s in Oakley Transform %u"
1584 , bitnamesof(oakley_attr_bit_names, missing)
1585 , trans.isat_transnum);
1586 return BAD_PROPOSAL_SYNTAX;
1589 /* We must have liked this transform.
1590 * Lets finish early and leave.
1593 DBG(DBG_PARSING | DBG_CRYPT
1594 , DBG_log("Oakley Transform %u accepted", trans.isat_transnum));
1596 if (r_sa_pbs != NULL)
1598 struct isakmp_proposal r_proposal = proposal;
1599 pb_stream r_proposal_pbs;
1600 struct isakmp_transform r_trans = trans;
1601 pb_stream r_trans_pbs;
1604 if (!out_struct(&ipsecdoisit, &ipsec_sit_desc, r_sa_pbs, NULL))
1608 #ifdef EMIT_ISAKMP_SPI
1609 r_proposal.isap_spisize = COOKIE_SIZE;
1611 r_proposal.isap_spisize = 0;
1613 r_proposal.isap_notrans = 1;
1614 if (!out_struct(&r_proposal, &isakmp_proposal_desc, r_sa_pbs, &r_proposal_pbs))
1618 #ifdef EMIT_ISAKMP_SPI
1619 if (!out_raw(my_cookie, COOKIE_SIZE, &r_proposal_pbs, "SPI"))
1621 r_proposal.isap_spisize = COOKIE_SIZE;
1627 r_trans.isat_np = ISAKMP_NEXT_NONE;
1628 if (!out_struct(&r_trans, &isakmp_isakmp_transform_desc, &r_proposal_pbs, &r_trans_pbs))
1631 if (!out_raw(attr_start, attr_len, &r_trans_pbs, "attributes"))
1633 close_output_pbs(&r_trans_pbs);
1634 close_output_pbs(&r_proposal_pbs);
1635 close_output_pbs(r_sa_pbs);
1638 /* ??? If selection, we used to save the proposal in state.
1639 * We never used it. From proposal_pbs.start,
1640 * length pbs_room(&proposal_pbs)
1643 /* copy over the results */
1645 return NOTHING_WRONG;
1648 /* on to next transform */
1651 if (trans.isat_np == ISAKMP_NEXT_NONE)
1653 if (no_trans_left != 0)
1655 loglog(RC_LOG_SERIOUS, "number of Transform Payloads disagrees with Oakley Proposal Payload");
1656 return BAD_PROPOSAL_SYNTAX;
1660 if (trans.isat_np != ISAKMP_NEXT_T)
1662 loglog(RC_LOG_SERIOUS, "unexpected %s payload in Oakley Proposal"
1663 , enum_show(&payload_names, proposal.isap_np));
1664 return BAD_PROPOSAL_SYNTAX;
1667 loglog(RC_LOG_SERIOUS, "no acceptable Oakley Transform");
1668 return NO_PROPOSAL_CHOSEN;
1671 /* Initialize st_oakley field of state for use when initiating in
1674 * This should probably get more of its parameters, like what group to use,
1675 * from the connection specification, but it's not there yet.
1676 * This should ideally be done by passing them via whack.
1680 init_st_oakley(struct state *st, lset_t policy)
1682 struct oakley_trans_attrs ta;
1684 policy &= POLICY_ISAKMP_MASK;
1686 /* When this SA expires (seconds) */
1687 ta.life_seconds = st->st_connection->sa_ike_life_seconds;
1688 ta.life_kilobytes = 1000000;
1690 ta.encrypt = st->st_connection->algorithm_p1.cipher;
1691 ta.encrypter = crypto_get_encrypter(ta.encrypt);
1693 ta.hash = st->st_connection->algorithm_p1.hash ; /* OAKLEY_HASH_ALGORITHM */
1694 ta.hasher = crypto_get_hasher(ta.hash);
1696 if (policy&POLICY_PSK)
1697 ta.auth = OAKLEY_PRESHARED_KEY;
1698 else if (policy&POLICY_RSASIG)
1699 ta.auth = OAKLEY_RSA_SIG;
1703 ta.group = lookup_group(st->st_connection->algorithm_p1.dhg); /* OAKLEY_GROUP_DESCRIPTION */
1711 /* Parse the body of an IPsec SA Payload (i.e. Phase 2 / Quick Mode).
1713 * The main routine is parse_ipsec_sa_body; other functions defined
1714 * between here and there are just helpers.
1716 * Various shortcuts are taken. In particular, the policy, such as
1717 * it is, is hardwired.
1719 * If r_sa is non-NULL, the body of an SA representing the selected
1720 * proposal is emitted into it.
1722 * If "selection" is true, the SA is supposed to represent the
1723 * single tranform that the peer has accepted.
1724 * ??? We only check that it is acceptable, not that it is one that we offered!
1726 * Only IPsec DOI is accepted (what is the ISAKMP DOI?).
1727 * Error response is rudimentary.
1729 * Since all ISAKMP groups in all SA Payloads must match, st->st_pfs_group
1730 * holds this across multiple payloads.
1731 * &unset_group signifies not yet "set"; NULL signifies NONE.
1733 * This routine is used by quick_inI1_outR1() and quick_inR1_outI2().
1736 static const struct ipsec_trans_attrs null_ipsec_trans_attrs = {
1737 0, /* transid (NULL, for now) */
1739 SA_LIFE_DURATION_DEFAULT, /* life_seconds */
1740 SA_LIFE_DURATION_K_DEFAULT, /* life_kilobytes */
1741 ENCAPSULATION_MODE_UNSPECIFIED, /* encapsulation */
1742 AUTH_ALGORITHM_NONE, /* auth */
1748 parse_ipsec_transform(struct isakmp_transform *trans
1749 , struct ipsec_trans_attrs *attrs
1750 , pb_stream *prop_pbs
1751 , pb_stream *trans_pbs
1752 , struct_desc *trans_desc
1753 , int previous_transnum /* or -1 if none */
1757 , struct state *st) /* current state object */
1759 lset_t seen_attrs = 0
1760 , seen_durations = 0;
1761 u_int16_t life_type;
1762 const struct oakley_group_desc *pfs_group = NULL;
1764 if (!in_struct(trans, trans_desc, prop_pbs, trans_pbs))
1767 if (trans->isat_transnum <= previous_transnum)
1769 loglog(RC_LOG_SERIOUS, "Transform Numbers in Proposal are not monotonically increasing");
1773 switch (trans->isat_np)
1778 loglog(RC_LOG_SERIOUS, "Proposal Payload has more Transforms than specified");
1782 case ISAKMP_NEXT_NONE:
1785 loglog(RC_LOG_SERIOUS, "Proposal Payload has fewer Transforms than specified");
1790 loglog(RC_LOG_SERIOUS, "expecting Transform Payload, but found %s in Proposal"
1791 , enum_show(&payload_names, trans->isat_np));
1795 *attrs = null_ipsec_trans_attrs;
1796 attrs->transid = trans->isat_transid;
1798 while (pbs_left(trans_pbs) != 0)
1800 struct isakmp_attribute a;
1803 u_int32_t val; /* room for larger value */
1804 bool ipcomp_inappropriate = is_ipcomp; /* will get reset if OK */
1806 if (!in_struct(&a, &isakmp_ipsec_attribute_desc, trans_pbs, &attr_pbs))
1809 passert((a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK) < 32);
1811 if (seen_attrs & LELEM(a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK))
1813 loglog(RC_LOG_SERIOUS, "repeated %s attribute in IPsec Transform %u"
1814 , enum_show(&ipsec_attr_names, a.isaat_af_type)
1815 , trans->isat_transnum);
1819 seen_attrs |= LELEM(a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK);
1823 vdesc = ipsec_attr_val_descs[a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK];
1826 if (enum_name(vdesc, val) == NULL)
1828 loglog(RC_LOG_SERIOUS, "invalid value %u for attribute %s in IPsec Transform"
1829 , (unsigned)val, enum_show(&ipsec_attr_names, a.isaat_af_type));
1833 , if ((a.isaat_af_type & ISAKMP_ATTR_AF_MASK) == ISAKMP_ATTR_AF_TV)
1834 DBG_log(" [%u is %s]"
1835 , (unsigned)val, enum_show(vdesc, val)));
1838 switch (a.isaat_af_type)
1840 case SA_LIFE_TYPE | ISAKMP_ATTR_AF_TV:
1841 ipcomp_inappropriate = FALSE;
1842 if (seen_durations & LELEM(val))
1844 loglog(RC_LOG_SERIOUS, "attribute SA_LIFE_TYPE value %s repeated in message"
1845 , enum_show(&sa_lifetime_names, val));
1848 seen_durations |= LELEM(val);
1851 case SA_LIFE_DURATION | ISAKMP_ATTR_AF_TLV:
1852 val = decode_long_duration(&attr_pbs);
1854 case SA_LIFE_DURATION | ISAKMP_ATTR_AF_TV:
1855 ipcomp_inappropriate = FALSE;
1856 if ((seen_attrs & LELEM(SA_LIFE_DURATION)) == 0)
1858 loglog(RC_LOG_SERIOUS, "SA_LIFE_DURATION IPsec attribute not preceded by SA_LIFE_TYPE attribute");
1861 seen_attrs &= ~(LELEM(SA_LIFE_DURATION) | LELEM(SA_LIFE_TYPE));
1865 case SA_LIFE_TYPE_SECONDS:
1866 /* silently limit duration to our maximum */
1867 attrs->life_seconds = val <= SA_LIFE_DURATION_MAXIMUM
1868 ? val : SA_LIFE_DURATION_MAXIMUM;
1870 case SA_LIFE_TYPE_KBYTES:
1871 attrs->life_kilobytes = val;
1877 case GROUP_DESCRIPTION | ISAKMP_ATTR_AF_TV:
1880 /* Accept reluctantly. Should not happen, according to
1881 * draft-shacham-ippcp-rfc2393bis-05.txt 4.1.
1883 ipcomp_inappropriate = FALSE;
1885 , "IPCA (IPcomp SA) contains GROUP_DESCRIPTION."
1886 " Ignoring inapproprate attribute.");
1888 pfs_group = lookup_group(val);
1889 if (pfs_group == NULL)
1891 loglog(RC_LOG_SERIOUS, "only OAKLEY_GROUP_MODP768, OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported for PFS");
1895 case ENCAPSULATION_MODE | ISAKMP_ATTR_AF_TV:
1896 ipcomp_inappropriate = FALSE;
1897 #ifdef NAT_TRAVERSAL
1899 case ENCAPSULATION_MODE_TUNNEL:
1900 case ENCAPSULATION_MODE_TRANSPORT:
1901 if (st->nat_traversal & NAT_T_DETECTED) {
1902 loglog(RC_LOG_SERIOUS,
1903 "%s must only be used if "
1904 "NAT-Traversal is not detected",
1905 enum_name(&enc_mode_names, val));
1907 * Accept it anyway because SSH-Sentinel does not
1908 * use UDP_TUNNEL or UDP_TRANSPORT for the diagnostic.
1910 * remove when SSH-Sentinel is fixed
1912 #ifdef I_DONT_CARE_OF_SSH_SENTINEL
1916 attrs->encapsulation = val;
1918 case ENCAPSULATION_MODE_UDP_TRANSPORT_DRAFTS:
1919 #ifndef I_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT
1920 loglog(RC_LOG_SERIOUS,
1921 "NAT-Traversal: Transport mode disabled due "
1922 "to security concerns");
1926 case ENCAPSULATION_MODE_UDP_TUNNEL_DRAFTS:
1927 if (st->nat_traversal & NAT_T_WITH_RFC_VALUES) {
1928 loglog(RC_LOG_SERIOUS,
1929 "%s must only be used with old IETF drafts",
1930 enum_name(&enc_mode_names, val));
1933 else if (st->nat_traversal & NAT_T_DETECTED) {
1934 attrs->encapsulation = val - ENCAPSULATION_MODE_UDP_TUNNEL_DRAFTS + ENCAPSULATION_MODE_TUNNEL;
1937 loglog(RC_LOG_SERIOUS,
1938 "%s must only be used if "
1939 "NAT-Traversal is detected",
1940 enum_name(&enc_mode_names, val));
1944 case ENCAPSULATION_MODE_UDP_TRANSPORT_RFC:
1945 #ifndef I_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT
1946 loglog(RC_LOG_SERIOUS,
1947 "NAT-Traversal: Transport mode disabled due "
1948 "to security concerns");
1952 case ENCAPSULATION_MODE_UDP_TUNNEL_RFC:
1953 if ((st->nat_traversal & NAT_T_DETECTED) &&
1954 (st->nat_traversal & NAT_T_WITH_RFC_VALUES)) {
1955 attrs->encapsulation = val - ENCAPSULATION_MODE_UDP_TUNNEL_RFC + ENCAPSULATION_MODE_TUNNEL;
1957 else if (st->nat_traversal & NAT_T_DETECTED) {
1958 loglog(RC_LOG_SERIOUS,
1959 "%s must only be used with NAT-T RFC",
1960 enum_name(&enc_mode_names, val));
1964 loglog(RC_LOG_SERIOUS,
1965 "%s must only be used if "
1966 "NAT-Traversal is detected",
1967 enum_name(&enc_mode_names, val));
1972 loglog(RC_LOG_SERIOUS,
1973 "unknown ENCAPSULATION_MODE %d in IPSec SA", val);
1978 attrs->encapsulation = val;
1981 case AUTH_ALGORITHM | ISAKMP_ATTR_AF_TV:
1984 case KEY_LENGTH | ISAKMP_ATTR_AF_TV:
1985 attrs->key_len = val;
1987 case KEY_ROUNDS | ISAKMP_ATTR_AF_TV:
1988 attrs->key_rounds = val;
1990 #if 0 /* not yet implemented */
1991 case COMPRESS_DICT_SIZE | ISAKMP_ATTR_AF_TV:
1993 case COMPRESS_PRIVATE_ALG | ISAKMP_ATTR_AF_TV:
1996 case SA_LIFE_DURATION | ISAKMP_ATTR_AF_TLV:
1998 case COMPRESS_PRIVATE_ALG | ISAKMP_ATTR_AF_TLV:
2002 loglog(RC_LOG_SERIOUS, "unsupported IPsec attribute %s"
2003 , enum_show(&ipsec_attr_names, a.isaat_af_type));
2006 if (ipcomp_inappropriate)
2008 loglog(RC_LOG_SERIOUS, "IPsec attribute %s inappropriate for IPCOMP"
2009 , enum_show(&ipsec_attr_names, a.isaat_af_type));
2014 /* Although an IPCOMP SA (IPCA) ought not to have a pfs_group,
2015 * if it does, demand that it be consistent.
2016 * See draft-shacham-ippcp-rfc2393bis-05.txt 4.1.
2018 if (!is_ipcomp || pfs_group != NULL)
2020 if (st->st_pfs_group == &unset_group)
2021 st->st_pfs_group = pfs_group;
2023 if (st->st_pfs_group != pfs_group)
2025 loglog(RC_LOG_SERIOUS, "GROUP_DESCRIPTION inconsistent with that of %s in IPsec SA"
2026 , selection? "the Proposal" : "a previous Transform");
2031 if ((seen_attrs & LELEM(SA_LIFE_DURATION)) != 0)
2033 loglog(RC_LOG_SERIOUS, "SA_LIFE_TYPE IPsec attribute not followed by SA_LIFE_DURATION attribute in message");
2037 if ((seen_attrs & LELEM(ENCAPSULATION_MODE)) == 0)
2041 /* draft-shacham-ippcp-rfc2393bis-05.txt 4.1:
2042 * "If the Encapsulation Mode is unspecified,
2043 * the default value of Transport Mode is assumed."
2044 * This contradicts/overrides the DOI (quuoted below).
2046 attrs->encapsulation = ENCAPSULATION_MODE_TRANSPORT;
2050 /* ??? Technically, RFC 2407 (IPSEC DOI) 4.5 specifies that
2051 * the default is "unspecified (host-dependent)".
2052 * This makes little sense, so we demand that it be specified.
2054 loglog(RC_LOG_SERIOUS, "IPsec Transform must specify ENCAPSULATION_MODE");
2059 /* ??? should check for key_len and/or key_rounds if required */
2066 struct isakmp_proposal r_proposal, /* proposal to emit */
2067 struct isakmp_transform r_trans, /* winning transformation within it */
2068 u_int8_t np, /* Next Payload for proposal */
2069 pb_stream *r_sa_pbs, /* SA PBS into which to emit */
2070 struct ipsec_proto_info *pi, /* info about this protocol instance */
2071 struct_desc *trans_desc, /* descriptor for this transformation */
2072 pb_stream *trans_pbs) /* PBS for incoming transform */
2074 pb_stream r_proposal_pbs;
2075 pb_stream r_trans_pbs;
2078 r_proposal.isap_np = np;
2079 r_proposal.isap_notrans = 1;
2080 if (!out_struct(&r_proposal, &isakmp_proposal_desc, r_sa_pbs, &r_proposal_pbs))
2083 /* allocate and emit our CPI/SPI */
2084 if (r_proposal.isap_protoid == PROTO_IPCOMP)
2086 /* CPI is stored in network low order end of an
2087 * ipsec_spi_t. So we start a couple of bytes in.
2088 * Note: we may fail to generate a satisfactory CPI,
2089 * but we'll ignore that.
2091 pi->our_spi = get_my_cpi();
2092 out_raw((u_char *) &pi->our_spi
2093 + IPSEC_DOI_SPI_SIZE - IPCOMP_CPI_SIZE
2095 , &r_proposal_pbs, "CPI");
2099 pi->our_spi = get_ipsec_spi(pi->attrs.spi);
2100 out_raw((u_char *) &pi->our_spi, IPSEC_DOI_SPI_SIZE
2101 , &r_proposal_pbs, "SPI");
2105 r_trans.isat_np = ISAKMP_NEXT_NONE;
2106 if (!out_struct(&r_trans, trans_desc, &r_proposal_pbs, &r_trans_pbs))
2109 /* Transform Attributes: pure echo */
2110 trans_pbs->cur = trans_pbs->start + sizeof(struct isakmp_transform);
2111 if (!out_raw(trans_pbs->cur, pbs_left(trans_pbs)
2112 , &r_trans_pbs, "attributes"))
2115 close_output_pbs(&r_trans_pbs);
2116 close_output_pbs(&r_proposal_pbs);
2120 parse_ipsec_sa_body(
2121 pb_stream *sa_pbs, /* body of input SA Payload */
2122 const struct isakmp_sa *sa, /* header of input SA Payload */
2123 pb_stream *r_sa_pbs, /* if non-NULL, where to emit body of winning SA */
2124 bool selection, /* if this SA is a selection, only one transform may appear */
2125 struct state *st) /* current state object */
2127 const struct connection *c = st->st_connection;
2128 u_int32_t ipsecdoisit;
2129 pb_stream next_proposal_pbs;
2131 struct isakmp_proposal next_proposal;
2132 ipsec_spi_t next_spi;
2134 bool next_full = TRUE;
2137 if (sa->isasa_doi != ISAKMP_DOI_IPSEC)
2139 loglog(RC_LOG_SERIOUS, "Unknown or unsupported DOI %s", enum_show(&doi_names, sa->isasa_doi));
2140 return DOI_NOT_SUPPORTED;
2144 if (!in_struct(&ipsecdoisit, &ipsec_sit_desc, sa_pbs, NULL))
2145 return SITUATION_NOT_SUPPORTED;
2147 if (ipsecdoisit != SIT_IDENTITY_ONLY)
2149 loglog(RC_LOG_SERIOUS, "unsupported IPsec DOI situation (%s)"
2150 , bitnamesof(sit_bit_names, ipsecdoisit));
2151 return SITUATION_NOT_SUPPORTED;
2154 /* The rules for IPsec SAs are scattered.
2155 * draft-ietf-ipsec-isakmp-09.txt section 4.2 gives some info.
2156 * There may be multiple proposals. Those with identical proposal
2157 * numbers must be considered as conjuncts. Those with different
2158 * numbers are disjuncts.
2159 * Each proposal may have several transforms, each considered
2161 * Each transform may have several attributes, all applying.
2163 * To handle the way proposals are combined, we need to do a
2167 if (!in_struct(&next_proposal, &isakmp_proposal_desc, sa_pbs, &next_proposal_pbs))
2168 return BAD_PROPOSAL_SYNTAX;
2170 /* for each conjunction of proposals... */
2173 int propno = next_proposal.isap_proposal;
2174 pb_stream ah_prop_pbs, esp_prop_pbs, ipcomp_prop_pbs;
2175 struct isakmp_proposal ah_proposal, esp_proposal, ipcomp_proposal;
2176 ipsec_spi_t ah_spi, esp_spi, ipcomp_cpi;
2177 bool ah_seen = FALSE, esp_seen = FALSE, ipcomp_seen = FALSE;
2178 u_int16_t well_known_cpi = 0;
2180 pb_stream ah_trans_pbs, esp_trans_pbs, ipcomp_trans_pbs;
2181 struct isakmp_transform ah_trans, esp_trans, ipcomp_trans;
2182 struct ipsec_trans_attrs ah_attrs, esp_attrs, ipcomp_attrs;
2184 /* for each proposal in the conjunction */
2187 if (next_proposal.isap_protoid == PROTO_IPCOMP)
2190 if (next_proposal.isap_spisize == IPSEC_DOI_SPI_SIZE)
2192 /* This code is to accommodate those peculiar
2193 * implementations that send a CPI in the bottom of an
2195 * See draft-shacham-ippcp-rfc2393bis-05.txt 4.1
2197 u_int8_t filler[IPSEC_DOI_SPI_SIZE - IPCOMP_CPI_SIZE];
2199 if (!in_raw(filler, sizeof(filler)
2200 , &next_proposal_pbs, "CPI filler")
2201 || !all_zero(filler, sizeof(filler)))
2204 else if (next_proposal.isap_spisize != IPCOMP_CPI_SIZE)
2206 loglog(RC_LOG_SERIOUS, "IPsec Proposal with improper CPI size (%u)"
2207 , next_proposal.isap_spisize);
2211 /* We store CPI in the low order of a network order
2212 * ipsec_spi_t. So we start a couple of bytes in.
2215 if (!in_raw((u_char *)&next_spi
2216 + IPSEC_DOI_SPI_SIZE - IPCOMP_CPI_SIZE
2217 , IPCOMP_CPI_SIZE, &next_proposal_pbs, "CPI"))
2220 /* If sanity ruled, CPIs would have to be such that
2221 * the SAID (the triple (CPI, IPCOM, destination IP))
2222 * would be unique, just like for SPIs. But there is a
2223 * perversion where CPIs can be well-known and consequently
2224 * the triple is not unique. We hide this fact from
2225 * ourselves by fudging the top 16 bits to make
2226 * the property true internally!
2228 switch (ntohl(next_spi))
2231 case IPCOMP_DEFLATE:
2232 well_known_cpi = ntohl(next_spi);
2233 next_spi = uniquify_his_cpi(next_spi, st);
2236 loglog(RC_LOG_SERIOUS
2237 , "IPsec Proposal contains well-known CPI that I cannot uniquify");
2242 if (ntohl(next_spi) < IPCOMP_FIRST_NEGOTIATED
2243 || ntohl(next_spi) > IPCOMP_LAST_NEGOTIATED)
2245 loglog(RC_LOG_SERIOUS, "IPsec Proposal contains CPI from non-negotiated range (0x%lx)"
2246 , (unsigned long) ntohl(next_spi));
2255 if (next_proposal.isap_spisize != IPSEC_DOI_SPI_SIZE)
2257 loglog(RC_LOG_SERIOUS, "IPsec Proposal with improper SPI size (%u)"
2258 , next_proposal.isap_spisize);
2262 if (!in_raw((u_char *)&next_spi, sizeof(next_spi), &next_proposal_pbs, "SPI"))
2265 /* SPI value 0 is invalid and values 1-255 are reserved to IANA.
2266 * RFC 2402 (ESP) 2.4, RFC 2406 (AH) 2.1
2269 if (ntohl(next_spi) < IPSEC_DOI_SPI_MIN)
2271 loglog(RC_LOG_SERIOUS, "IPsec Proposal contains invalid SPI (0x%lx)"
2272 , (unsigned long) ntohl(next_spi));
2277 if (next_proposal.isap_notrans == 0)
2279 loglog(RC_LOG_SERIOUS, "IPsec Proposal contains no Transforms");
2280 return BAD_PROPOSAL_SYNTAX;
2283 switch (next_proposal.isap_protoid)
2285 case PROTO_IPSEC_AH:
2288 loglog(RC_LOG_SERIOUS, "IPsec SA contains two simultaneous AH Proposals");
2289 return BAD_PROPOSAL_SYNTAX;
2292 ah_prop_pbs = next_proposal_pbs;
2293 ah_proposal = next_proposal;
2297 case PROTO_IPSEC_ESP:
2300 loglog(RC_LOG_SERIOUS, "IPsec SA contains two simultaneous ESP Proposals");
2301 return BAD_PROPOSAL_SYNTAX;
2304 esp_prop_pbs = next_proposal_pbs;
2305 esp_proposal = next_proposal;
2312 loglog(RC_LOG_SERIOUS, "IPsec SA contains two simultaneous IPCOMP Proposals");
2313 return BAD_PROPOSAL_SYNTAX;
2316 ipcomp_prop_pbs = next_proposal_pbs;
2317 ipcomp_proposal = next_proposal;
2318 ipcomp_cpi = next_spi;
2322 loglog(RC_LOG_SERIOUS, "unexpected Protocol ID (%s) in IPsec Proposal"
2323 , enum_show(&protocol_names, next_proposal.isap_protoid));
2324 return INVALID_PROTOCOL_ID;
2327 /* refill next_proposal */
2328 if (next_proposal.isap_np == ISAKMP_NEXT_NONE)
2333 else if (next_proposal.isap_np != ISAKMP_NEXT_P)
2335 loglog(RC_LOG_SERIOUS, "unexpected in Proposal: %s"
2336 , enum_show(&payload_names, next_proposal.isap_np));
2337 return BAD_PROPOSAL_SYNTAX;
2340 if (!in_struct(&next_proposal, &isakmp_proposal_desc, sa_pbs, &next_proposal_pbs))
2341 return BAD_PROPOSAL_SYNTAX;
2342 } while (next_proposal.isap_proposal == propno);
2344 /* Now that we have all conjuncts, we should try
2345 * the Cartesian product of eachs tranforms!
2346 * At the moment, we take short-cuts on account of
2347 * our rudimentary hard-wired policy.
2348 * For now, we find an acceptable AH (if any)
2349 * and then an acceptable ESP. The only interaction
2350 * is that the ESP acceptance can know whether there
2351 * was an acceptable AH and hence not require an AUTH.
2356 int previous_transnum = -1;
2359 for (tn = 0; tn != ah_proposal.isap_notrans; tn++)
2362 bool ok_auth = FALSE;
2364 if (!parse_ipsec_transform(&ah_trans
2368 , &isakmp_ah_transform_desc
2371 , tn == ah_proposal.isap_notrans - 1
2374 return BAD_PROPOSAL_SYNTAX;
2376 previous_transnum = ah_trans.isat_transnum;
2378 /* we must understand ah_attrs.transid
2379 * COMBINED with ah_attrs.auth.
2380 * See draft-ietf-ipsec-ipsec-doi-08.txt 4.4.3
2381 * The following combinations are legal,
2382 * but we don't implement all of them:
2383 * It seems as if each auth algorithm
2384 * only applies to one ah transid.
2385 * AH_MD5, AUTH_ALGORITHM_HMAC_MD5
2386 * AH_MD5, AUTH_ALGORITHM_KPDK (unimplemented)
2387 * AH_SHA, AUTH_ALGORITHM_HMAC_SHA1
2388 * AH_DES, AUTH_ALGORITHM_DES_MAC (unimplemented)
2390 switch (ah_attrs.auth)
2392 case AUTH_ALGORITHM_NONE:
2393 loglog(RC_LOG_SERIOUS, "AUTH_ALGORITHM attribute missing in AH Transform");
2394 return BAD_PROPOSAL_SYNTAX;
2396 case AUTH_ALGORITHM_HMAC_MD5:
2399 case AUTH_ALGORITHM_KPDK:
2400 ok_transid = AH_MD5;
2403 case AUTH_ALGORITHM_HMAC_SHA1:
2405 ok_transid = AH_SHA;
2408 case AUTH_ALGORITHM_DES_MAC:
2409 ok_transid = AH_DES;
2412 if (ah_attrs.transid != ok_transid)
2414 loglog(RC_LOG_SERIOUS, "%s attribute inappropriate in %s Transform"
2415 , enum_name(&auth_alg_names, ah_attrs.auth)
2416 , enum_show(&ah_transformid_names, ah_attrs.transid));
2417 return BAD_PROPOSAL_SYNTAX;
2421 DBG(DBG_CONTROL | DBG_CRYPT
2422 , DBG_log("%s attribute unsupported"
2423 " in %s Transform from %s"
2424 , enum_name(&auth_alg_names, ah_attrs.auth)
2425 , enum_show(&ah_transformid_names, ah_attrs.transid)
2426 , ip_str(&c->that.host_addr)));
2427 continue; /* try another */
2429 break; /* we seem to be happy */
2431 if (tn == ah_proposal.isap_notrans)
2432 continue; /* we didn't find a nice one */
2433 ah_attrs.spi = ah_spi;
2438 int previous_transnum = -1;
2441 for (tn = 0; tn != esp_proposal.isap_notrans; tn++)
2443 if (!parse_ipsec_transform(&esp_trans
2447 , &isakmp_esp_transform_desc
2450 , tn == esp_proposal.isap_notrans - 1
2453 return BAD_PROPOSAL_SYNTAX;
2455 previous_transnum = esp_trans.isat_transnum;
2457 #ifndef NO_KERNEL_ALG
2458 if (!kernel_alg_esp_enc_ok(esp_attrs.transid, esp_attrs.key_len,
2461 switch (esp_attrs.transid)
2464 #ifdef NO_KERNEL_ALG /* strictly use runtime information */
2469 #ifdef SUPPORT_ESP_NULL /* should be about as secure as AH-only */
2471 if (esp_attrs.auth == AUTH_ALGORITHM_NONE)
2473 loglog(RC_LOG_SERIOUS, "ESP_NULL requires auth algorithm");
2474 return BAD_PROPOSAL_SYNTAX;
2476 if (st->st_policy & POLICY_ENCRYPT)
2478 DBG(DBG_CONTROL | DBG_CRYPT
2479 , DBG_log("ESP_NULL Transform Proposal from %s"
2480 " does not satisfy POLICY_ENCRYPT"
2481 , ip_str(&c->that.host_addr)));
2482 continue; /* try another */
2488 DBG(DBG_CONTROL | DBG_CRYPT
2489 , DBG_log("unsupported ESP Transform %s from %s"
2490 , enum_show(&esp_transformid_names, esp_attrs.transid)
2491 , ip_str(&c->that.host_addr)));
2492 continue; /* try another */
2494 #ifndef NO_KERNEL_ALG
2495 if (!kernel_alg_esp_auth_ok(esp_attrs.auth, c->alg_info_esp))
2497 switch (esp_attrs.auth)
2499 case AUTH_ALGORITHM_NONE:
2502 DBG(DBG_CONTROL | DBG_CRYPT
2503 , DBG_log("ESP from %s must either have AUTH or be combined with AH"
2504 , ip_str(&c->that.host_addr)));
2505 continue; /* try another */
2508 #ifdef NO_KERNEL_ALG /* strictly use runtime information */
2509 case AUTH_ALGORITHM_HMAC_MD5:
2510 case AUTH_ALGORITHM_HMAC_SHA1:
2514 DBG(DBG_CONTROL | DBG_CRYPT
2515 , DBG_log("unsupported ESP auth alg %s from %s"
2516 , enum_show(&auth_alg_names, esp_attrs.auth)
2517 , ip_str(&c->that.host_addr)));
2518 continue; /* try another */
2521 if (ah_seen && ah_attrs.encapsulation != esp_attrs.encapsulation)
2523 /* ??? This should be an error, but is it? */
2524 DBG(DBG_CONTROL | DBG_CRYPT
2525 , DBG_log("AH and ESP transforms disagree about encapsulation; TUNNEL presumed"));
2528 break; /* we seem to be happy */
2530 if (tn == esp_proposal.isap_notrans)
2531 continue; /* we didn't find a nice one */
2532 esp_attrs.spi = esp_spi;
2534 else if (st->st_policy & POLICY_ENCRYPT)
2536 DBG(DBG_CONTROL | DBG_CRYPT
2537 , DBG_log("policy for \"%s\" requires encryption but ESP not in Proposal from %s"
2538 , c->name, ip_str(&c->that.host_addr)));
2539 continue; /* we needed encryption, but didn't find ESP */
2541 else if ((st->st_policy & POLICY_AUTHENTICATE) && !ah_seen)
2543 DBG(DBG_CONTROL | DBG_CRYPT
2544 , DBG_log("policy for \"%s\" requires authentication"
2545 " but none in Proposal from %s"
2546 , c->name, ip_str(&c->that.host_addr)));
2547 continue; /* we need authentication, but we found neither ESP nor AH */
2552 int previous_transnum = -1;
2555 /**** FUDGE TO PREVENT UNREQUESTED IPCOMP:
2556 **** NEEDED BECAUSE OUR IPCOMP IS EXPERIMENTAL (UNSTABLE).
2558 if (!(st->st_policy & POLICY_COMPRESS))
2560 log("compression proposed by %s, but policy for \"%s\" forbids it"
2561 , ip_str(&c->that.host_addr), c->name);
2562 continue; /* unwanted compression proposal */
2567 log("compression proposed by %s, but KLIPS is not configured with IPCOMP"
2568 , ip_str(&c->that.host_addr));
2572 if (well_known_cpi != 0 && !ah_seen && !esp_seen)
2574 log("illegal proposal: bare IPCOMP used with well-known CPI");
2575 return BAD_PROPOSAL_SYNTAX;
2578 for (tn = 0; tn != ipcomp_proposal.isap_notrans; tn++)
2580 if (!parse_ipsec_transform(&ipcomp_trans
2584 , &isakmp_ipcomp_transform_desc
2587 , tn == ipcomp_proposal.isap_notrans - 1
2590 return BAD_PROPOSAL_SYNTAX;
2592 previous_transnum = ipcomp_trans.isat_transnum;
2594 if (well_known_cpi != 0 && ipcomp_attrs.transid != well_known_cpi)
2596 log("illegal proposal: IPCOMP well-known CPI disagrees with transform");
2597 return BAD_PROPOSAL_SYNTAX;
2600 switch (ipcomp_attrs.transid)
2603 log("using lzs compression");
2606 case IPCOMP_DEFLATE:
2607 log("using deflate compression");
2611 DBG(DBG_CONTROL | DBG_CRYPT
2612 , DBG_log("unsupported IPCOMP Transform %s from %s"
2613 , enum_show(&ipcomp_transformid_names, ipcomp_attrs.transid)
2614 , ip_str(&c->that.host_addr)));
2615 continue; /* try another */
2618 if (ah_seen && ah_attrs.encapsulation != ipcomp_attrs.encapsulation)
2620 /* ??? This should be an error, but is it? */
2621 DBG(DBG_CONTROL | DBG_CRYPT
2622 , DBG_log("AH and IPCOMP transforms disagree about encapsulation; TUNNEL presumed"));
2623 } else if (esp_seen && esp_attrs.encapsulation != ipcomp_attrs.encapsulation)
2625 /* ??? This should be an error, but is it? */
2626 DBG(DBG_CONTROL | DBG_CRYPT
2627 , DBG_log("ESP and IPCOMP transforms disagree about encapsulation; TUNNEL presumed"));
2630 break; /* we seem to be happy */
2632 if (tn == ipcomp_proposal.isap_notrans)
2633 continue; /* we didn't find a nice one */
2634 ipcomp_attrs.spi = ipcomp_cpi;
2637 /* Eureka: we liked what we saw -- accept it. */
2639 if (r_sa_pbs != NULL)
2641 /* emit what we've accepted */
2644 if (!out_struct(&ipsecdoisit, &ipsec_sit_desc, r_sa_pbs, NULL))
2649 echo_proposal(ah_proposal
2651 , esp_seen || ipcomp_seen? ISAKMP_NEXT_P : ISAKMP_NEXT_NONE
2654 , &isakmp_ah_transform_desc
2659 echo_proposal(esp_proposal
2661 , ipcomp_seen? ISAKMP_NEXT_P : ISAKMP_NEXT_NONE
2664 , &isakmp_esp_transform_desc
2667 /* IPCOMP proposal */
2669 echo_proposal(ipcomp_proposal
2674 , &isakmp_ipcomp_transform_desc
2675 , &ipcomp_trans_pbs);
2677 close_output_pbs(r_sa_pbs);
2680 /* save decoded version of winning SA in state */
2682 st->st_ah.present = ah_seen;
2684 st->st_ah.attrs = ah_attrs;
2686 st->st_esp.present = esp_seen;
2688 st->st_esp.attrs = esp_attrs;
2690 st->st_ipcomp.present = ipcomp_seen;
2692 st->st_ipcomp.attrs = ipcomp_attrs;
2694 return NOTHING_WRONG;
2697 loglog(RC_LOG_SERIOUS, "no acceptable Proposal in IPsec SA");
2698 return NO_PROPOSAL_CHOSEN;