diff options
Diffstat (limited to 'src/pluto/ike_alg.c')
| -rw-r--r-- | src/pluto/ike_alg.c | 452 |
1 files changed, 0 insertions, 452 deletions
diff --git a/src/pluto/ike_alg.c b/src/pluto/ike_alg.c deleted file mode 100644 index 3061630e0..000000000 --- a/src/pluto/ike_alg.c +++ /dev/null @@ -1,452 +0,0 @@ -/* IKE modular algorithm handling interface - * Copyright (C) JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar> - * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include <stdio.h> -#include <string.h> -#include <stdlib.h> -#include <errno.h> -#include <sys/queue.h> - -#include <freeswan.h> - -#include <library.h> -#include <debug.h> -#include <credentials/keys/public_key.h> -#include <credentials/keys/private_key.h> -#include <crypto/hashers/hasher.h> -#include <crypto/crypters/crypter.h> -#include <crypto/prfs/prf.h> - -#include "constants.h" -#include "defs.h" -#include "crypto.h" -#include "state.h" -#include "packet.h" -#include "keys.h" -#include "log.h" -#include "whack.h" -#include "spdb.h" -#include "alg_info.h" -#include "ike_alg.h" -#include "db_ops.h" -#include "connections.h" -#include "kernel.h" - -#define return_on(var, val) do { var=val;goto return_out; } while(0); - -/** - * IKE algorithm list handling - registration and lookup - */ - -/* Modular IKE algorithm storage structure */ - -static struct ike_alg *ike_alg_base[IKE_ALG_MAX+1] = {NULL, NULL}; - -/** - * Return ike_algo object by {type, id} - */ -static struct ike_alg *ike_alg_find(u_int algo_type, u_int algo_id, - u_int keysize __attribute__((unused))) -{ - struct ike_alg *e = ike_alg_base[algo_type]; - - while (e != NULL && algo_id > e->algo_id) - { - e = e->algo_next; - } - return (e != NULL && e->algo_id == algo_id) ? e : NULL; -} - -/** - * "raw" ike_alg list adding function - */ -int ike_alg_add(struct ike_alg* a, const char *plugin_name) -{ - if (a->algo_type > IKE_ALG_MAX) - { - plog("ike_alg: Not added, invalid algorithm type"); - return -EINVAL; - } - - if (ike_alg_find(a->algo_type, a->algo_id, 0) != NULL) - { - plog("ike_alg: Not added, algorithm already exists"); - return -EEXIST; - } - - { - struct ike_alg **ep = &ike_alg_base[a->algo_type]; - struct ike_alg *e = *ep; - - while (e != NULL && a->algo_id > e->algo_id) - { - ep = &e->algo_next; - e = *ep; - } - *ep = a; - a->plugin_name = plugin_name; - a->algo_next = e; - return 0; - } -} - -/** - * Get IKE hash algorithm - */ -struct hash_desc *ike_alg_get_hasher(u_int alg) -{ - return (struct hash_desc *) ike_alg_find(IKE_ALG_HASH, alg, 0); -} - -/** - * Get IKE encryption algorithm - */ -struct encrypt_desc *ike_alg_get_crypter(u_int alg) -{ - return (struct encrypt_desc *) ike_alg_find(IKE_ALG_ENCRYPT, alg, 0); -} - -/** - * Get IKE dh group - */ -struct dh_desc *ike_alg_get_dh_group(u_int alg) -{ - return (struct dh_desc *) ike_alg_find(IKE_ALG_DH_GROUP, alg, 0); -} - -/** - * Get pfsgroup for this connection - */ -const struct dh_desc *ike_alg_pfsgroup(connection_t *c, lset_t policy) -{ - const struct dh_desc *ret = NULL; - - if ((policy & POLICY_PFS) && - c->alg_info_esp && c->alg_info_esp->esp_pfsgroup) - { - ret = ike_alg_get_dh_group(c->alg_info_esp->esp_pfsgroup); - } - return ret; -} - -/** - * Create an OAKLEY proposal based on alg_info and policy - */ -struct db_context *ike_alg_db_new(connection_t *c, lset_t policy) -{ - struct alg_info_ike *ai = c->alg_info_ike; - struct db_context *db_ctx = NULL; - struct ike_info *ike_info; - u_int ealg, halg, modp, eklen = 0; - int i; - - bool is_xauth_server = (policy & POLICY_XAUTH_SERVER) != LEMPTY; - - if (!ai) - { - whack_log(RC_LOG_SERIOUS, "no IKE algorithms " - "for this connection " - "(check ike algorithm string)"); - goto fail; - } - policy &= POLICY_ID_AUTH_MASK; - db_ctx = db_prop_new(PROTO_ISAKMP, 8, 8 * 5); - - /* for each group */ - ALG_INFO_IKE_FOREACH(ai, ike_info, i) - { - ealg = ike_info->ike_ealg; - halg = ike_info->ike_halg; - modp = ike_info->ike_modp; - eklen= ike_info->ike_eklen; - - if (!ike_alg_get_crypter(ealg)) - { - plog("ike alg: crypter %s not present", - enum_show(&oakley_enc_names, ealg)); - continue; - } - if (!ike_alg_get_hasher(halg)) - { - plog("ike alg: hasher %s not present", - enum_show(&oakley_hash_names, halg)); - continue; - } - if (!ike_alg_get_dh_group(modp)) - { - plog("ike alg: dh group %s not present", - enum_show(&oakley_group_names, modp)); - continue; - } - - if (policy & POLICY_PUBKEY) - { - int auth_method = 0, key_size = 0; - key_type_t key_type = KEY_ANY; - - if (c->spd.this.cert) - { - certificate_t *certificate = c->spd.this.cert->cert; - public_key_t *key = certificate->get_public_key(certificate); - - if (key == NULL) - { - plog("ike alg: unable to retrieve my public key"); - continue; - } - key_type = key->get_type(key); - key_size = key->get_keysize(key); - key->destroy(key); - } - else - { - private_key_t *key = get_private_key(c); - - if (key == NULL) - { - plog("ike alg: unable to retrieve my private key"); - continue; - } - key_type = key->get_type(key); - key_size = key->get_keysize(key); - } - switch (key_type) - { - case KEY_RSA: - auth_method = OAKLEY_RSA_SIG; - break; - case KEY_ECDSA: - switch (key_size) - { - case 256: - auth_method = OAKLEY_ECDSA_256; - break; - case 384: - auth_method = OAKLEY_ECDSA_384; - break; - case 521: - auth_method = OAKLEY_ECDSA_521; - break; - default: - continue; - } - break; - default: - continue; - } - db_trans_add(db_ctx, KEY_IKE); - db_attr_add_values(db_ctx, OAKLEY_ENCRYPTION_ALGORITHM, ealg); - db_attr_add_values(db_ctx, OAKLEY_HASH_ALGORITHM, halg); - if (eklen) - { - db_attr_add_values(db_ctx, OAKLEY_KEY_LENGTH, eklen); - } - db_attr_add_values(db_ctx, OAKLEY_AUTHENTICATION_METHOD, auth_method); - db_attr_add_values(db_ctx, OAKLEY_GROUP_DESCRIPTION, modp); - } - - if (policy & POLICY_PSK) - { - db_trans_add(db_ctx, KEY_IKE); - db_attr_add_values(db_ctx, OAKLEY_ENCRYPTION_ALGORITHM, ealg); - db_attr_add_values(db_ctx, OAKLEY_HASH_ALGORITHM, halg); - if (eklen) - { - db_attr_add_values(db_ctx, OAKLEY_KEY_LENGTH, eklen); - } - db_attr_add_values(db_ctx, OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY); - db_attr_add_values(db_ctx, OAKLEY_GROUP_DESCRIPTION, modp); - } - - if (policy & POLICY_XAUTH_RSASIG) - { - db_trans_add(db_ctx, KEY_IKE); - db_attr_add_values(db_ctx, OAKLEY_ENCRYPTION_ALGORITHM, ealg); - db_attr_add_values(db_ctx, OAKLEY_HASH_ALGORITHM, halg); - if (eklen) - { - db_attr_add_values(db_ctx, OAKLEY_KEY_LENGTH, eklen); - } - db_attr_add_values(db_ctx, OAKLEY_AUTHENTICATION_METHOD - , is_xauth_server ? XAUTHRespRSA : XAUTHInitRSA); - db_attr_add_values(db_ctx, OAKLEY_GROUP_DESCRIPTION, modp); - } - - if (policy & POLICY_XAUTH_PSK) - { - db_trans_add(db_ctx, KEY_IKE); - db_attr_add_values(db_ctx, OAKLEY_ENCRYPTION_ALGORITHM, ealg); - db_attr_add_values(db_ctx, OAKLEY_HASH_ALGORITHM, halg); - if (eklen) - { - db_attr_add_values(db_ctx, OAKLEY_KEY_LENGTH, eklen); - } - db_attr_add_values(db_ctx, OAKLEY_AUTHENTICATION_METHOD - , is_xauth_server ? XAUTHRespPreShared : XAUTHInitPreShared); - db_attr_add_values(db_ctx, OAKLEY_GROUP_DESCRIPTION, modp); - } - } -fail: - return db_ctx; -} - -/** - * Print the name of an algorithm plus the name of the plugin that registered it - */ -static void print_alg(char *buf, int *len, enum_names *alg_names, int alg_type, - const char *plugin_name) -{ - char alg_name[BUF_LEN]; - int alg_name_len; - - alg_name_len = sprintf(alg_name, " %s[%s]", enum_name(alg_names, alg_type), - plugin_name); - if (*len + alg_name_len > CRYPTO_MAX_ALG_LINE) - { - whack_log(RC_COMMENT, "%s", buf); - *len = sprintf(buf, " "); - } - sprintf(buf + *len, "%s", alg_name); - *len += alg_name_len; -} - -/** - * Show registered IKE algorithms - */ -void ike_alg_list(void) -{ - rng_quality_t quality; - enumerator_t *enumerator; - const char *plugin_name; - char buf[BUF_LEN]; - int len; - struct ike_alg *a; - - whack_log(RC_COMMENT, " "); - whack_log(RC_COMMENT, "List of registered IKEv1 Algorithms:"); - whack_log(RC_COMMENT, " "); - - len = sprintf(buf, " encryption:"); - for (a = ike_alg_base[IKE_ALG_ENCRYPT]; a != NULL; a = a->algo_next) - { - print_alg(buf, &len, &oakley_enc_names, a->algo_id, a->plugin_name); - } - whack_log(RC_COMMENT, "%s", buf); - - len = sprintf(buf, " integrity: "); - for (a = ike_alg_base[IKE_ALG_HASH]; a != NULL; a = a->algo_next) - { - print_alg(buf, &len, &oakley_hash_names, a->algo_id, a->plugin_name); - } - whack_log(RC_COMMENT, "%s", buf); - - len = sprintf(buf, " dh-group: "); - for (a = ike_alg_base[IKE_ALG_DH_GROUP]; a != NULL; a = a->algo_next) - { - print_alg(buf, &len, &oakley_group_names, a->algo_id, a->plugin_name); - } - whack_log(RC_COMMENT, "%s", buf); - - len = sprintf(buf, " random-gen:"); - enumerator = lib->crypto->create_rng_enumerator(lib->crypto); - while (enumerator->enumerate(enumerator, &quality, &plugin_name)) - { - len += sprintf(buf + len, " %N[%s]", rng_quality_names, quality, - plugin_name); - } - enumerator->destroy(enumerator); - whack_log(RC_COMMENT, "%s", buf); -} - -/** - * Show IKE algorithms for this connection (result from ike= string) - * and newest SA - */ -void ike_alg_show_connection(connection_t *c, const char *instance) -{ - struct state *st = state_with_serialno(c->newest_isakmp_sa); - - if (st) - { - if (st->st_oakley.encrypt == OAKLEY_3DES_CBC) - { - whack_log(RC_COMMENT, - "\"%s\"%s: IKE proposal: %s/%s/%s", - c->name, instance, - enum_show(&oakley_enc_names, st->st_oakley.encrypt), - enum_show(&oakley_hash_names, st->st_oakley.hash), - enum_show(&oakley_group_names, st->st_oakley.group->algo_id) - ); - } - else - { - whack_log(RC_COMMENT, - "\"%s\"%s: IKE proposal: %s_%u/%s/%s", - c->name, instance, - enum_show(&oakley_enc_names, st->st_oakley.encrypt), - st->st_oakley.enckeylen, - enum_show(&oakley_hash_names, st->st_oakley.hash), - enum_show(&oakley_group_names, st->st_oakley.group->algo_id) - ); - } - } -} - -/** - * ML: make F_STRICT logic consider enc,hash/auth,modp algorithms - */ -bool ike_alg_ok_final(u_int ealg, u_int key_len, u_int aalg, u_int group, - struct alg_info_ike *alg_info_ike) -{ - /* - * simple test to discard low key_len, will accept it only - * if specified in "esp" string - */ - bool ealg_insecure = (key_len < 128); - - if (ealg_insecure - || (alg_info_ike && alg_info_ike->alg_info_flags & ALG_INFO_F_STRICT)) - { - int i; - struct ike_info *ike_info; - - if (alg_info_ike) - { - ALG_INFO_IKE_FOREACH(alg_info_ike, ike_info, i) - { - if (ike_info->ike_ealg == ealg - && (ike_info->ike_eklen == 0 || key_len == 0 || ike_info->ike_eklen == key_len) - && ike_info->ike_halg == aalg - && ike_info->ike_modp == group) - { - if (ealg_insecure) - loglog(RC_LOG_SERIOUS, "You should NOT use insecure IKE algorithms (%s)!" - , enum_name(&oakley_enc_names, ealg)); - return TRUE; - } - } - } - plog("Oakley Transform [%s (%d), %s, %s] refused due to %s" - , enum_name(&oakley_enc_names, ealg), key_len - , enum_name(&oakley_hash_names, aalg) - , enum_name(&oakley_group_names, group) - , ealg_insecure ? - "insecure key_len and enc. alg. not listed in \"ike\" string" : "strict flag" - ); - return FALSE; - } - return TRUE; -} - |