/* information about connections between hosts and clients * Copyright (C) 1998-2002 D. Hugh Redelmeier. * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the * Free Software Foundation; either version 2 of the License, or (at your * option) any later version. See . * * This program is distributed in the hope that it will be useful, but * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. */ #include #include #include #include #include #include #include #include #include #include #include #include /* missing from on old systems */ #include #include #include "kameipsec.h" #include #include #include #include "constants.h" #include "defs.h" #include "myid.h" #include "x509.h" #include "ca.h" #include "crl.h" #include "certs.h" #include "ac.h" #include "smartcard.h" #include "fetch.h" #include "connections.h" #include "foodgroups.h" #include "demux.h" #include "state.h" #include "timer.h" #include "ipsec_doi.h" /* needs demux.h and state.h */ #include "server.h" #include "kernel.h" #include "log.h" #include "keys.h" #include "adns.h" /* needs */ #include "dnskey.h" /* needs keys.h and adns.h */ #include "whack.h" #include "alg_info.h" #include "ike_alg.h" #include "kernel_alg.h" #include "nat_traversal.h" #include "virtual.h" #include "whack_attribute.h" #include "modecfg.h" static void flush_pending_by_connection(connection_t *c); /* forward */ static connection_t *connections = NULL; /* struct host_pair: a nexus of information about a pair of hosts. * A host is an IP address, UDP port pair. This is a debatable choice: * - should port be considered (no choice of port in standard)? * - should ID be considered (hard because not always known)? * - should IP address matter on our end (we don't know our end)? * Only oriented connections are registered. * Unoriented connections are kept on the unoriented_connections * linked list (using hp_next). For them, host_pair is NULL. */ struct host_pair { struct { ip_address addr; u_int16_t port; /* host order */ } me, him; bool initial_connection_sent; connection_t *connections; /* connections with this pair */ struct pending *pending; /* awaiting Keying Channel */ struct host_pair *next; }; static struct host_pair *host_pairs = NULL; static connection_t *unoriented_connections = NULL; /** * Check if an id was instantiated by assigning to it the current IP address */ bool his_id_was_instantiated(const connection_t *c) { if (c->kind != CK_INSTANCE) { return FALSE; } if (id_is_ipaddr(c->spd.that.id)) { identification_t *host; bool equal; host = identification_create_from_sockaddr((sockaddr_t*)&c->spd.that.host_addr); equal = host->equals(host, c->spd.that.id); host->destroy(host); return equal; } else { return TRUE; } } /** * Check to see that IDs of peers match */ bool same_peer_ids(const connection_t *c, const connection_t *d, identification_t *his_id) { return d->spd.this.id->equals(d->spd.this.id, c->spd.this.id) && d->spd.that.id->equals(d->spd.that.id, his_id ? his_id : c->spd.that.id); } static struct host_pair *find_host_pair(const ip_address *myaddr, u_int16_t myport, const ip_address *hisaddr, u_int16_t hisport) { struct host_pair *p, *prev; /* default hisaddr to an appropriate any */ if (hisaddr == NULL) hisaddr = aftoinfo(addrtypeof(myaddr))->any; if (nat_traversal_enabled) { /** * port is not relevant in host_pair. with nat_traversal we * always use pluto_port (500) */ myport = pluto_port; hisport = pluto_port; } for (prev = NULL, p = host_pairs; p != NULL; prev = p, p = p->next) { if (sameaddr(&p->me.addr, myaddr) && p->me.port == myport && sameaddr(&p->him.addr, hisaddr) && p->him.port == hisport) { if (prev) { prev->next = p->next; /* remove p from list */ p->next = host_pairs; /* and stick it on front */ host_pairs = p; } break; } } return p; } /* find head of list of connections with this pair of hosts */ static connection_t *find_host_pair_connections(const ip_address *myaddr, u_int16_t myport, const ip_address *hisaddr, u_int16_t hisport) { struct host_pair *hp = find_host_pair(myaddr, myport, hisaddr, hisport); if (nat_traversal_enabled && hp && hisaddr) { connection_t *c; for (c = hp->connections; c != NULL; c = c->hp_next) { if (c->spd.this.host_port == myport && c->spd.that.host_port == hisport) return c; } return NULL; } return hp == NULL? NULL : hp->connections; } static void connect_to_host_pair(connection_t *c) { if (oriented(*c)) { struct host_pair *hp; ip_address his_addr = (c->spd.that.allow_any) ? *aftoinfo(addrtypeof(&c->spd.that.host_addr))->any : c->spd.that.host_addr; hp = find_host_pair(&c->spd.this.host_addr, c->spd.this.host_port , &his_addr, c->spd.that.host_port); if (hp == NULL) { /* no suitable host_pair -- build one */ hp = malloc_thing(struct host_pair); hp->me.addr = c->spd.this.host_addr; hp->him.addr = his_addr; hp->me.port = nat_traversal_enabled ? pluto_port : c->spd.this.host_port; hp->him.port = nat_traversal_enabled ? pluto_port : c->spd.that.host_port; hp->initial_connection_sent = FALSE; hp->connections = NULL; hp->pending = NULL; hp->next = host_pairs; host_pairs = hp; } c->host_pair = hp; c->hp_next = hp->connections; hp->connections = c; } else { /* since this connection isn't oriented, we place it * in the unoriented_connections list instead. */ c->host_pair = NULL; c->hp_next = unoriented_connections; unoriented_connections = c; } } /* find a connection by name. * If strict, don't accept a CK_INSTANCE. * Move the winner (if any) to the front. * If none is found, and strict, a diagnostic is logged to whack. */ connection_t *con_by_name(const char *nm, bool strict) { connection_t *p, *prev; for (prev = NULL, p = connections; ; prev = p, p = p->ac_next) { if (p == NULL) { if (strict) whack_log(RC_UNKNOWN_NAME , "no connection named \"%s\"", nm); break; } if (streq(p->name, nm) && (!strict || p->kind != CK_INSTANCE)) { if (prev) { prev->ac_next = p->ac_next; /* remove p from list */ p->ac_next = connections; /* and stick it on front */ connections = p; } break; } } return p; } void release_connection(connection_t *c, bool relations) { if (c->kind == CK_INSTANCE) { /* This does everything we need. * Note that we will be called recursively by delete_connection, * but kind will be CK_GOING_AWAY. */ delete_connection(c, relations); } else { flush_pending_by_connection(c); delete_states_by_connection(c, relations); unroute_connection(c); } } /* Delete a connection */ #define list_rm(etype, enext, e, ehead) { \ etype **ep; \ for (ep = &(ehead); *ep != (e); ep = &(*ep)->enext) \ passert(*ep != NULL); /* we must not come up empty-handed */ \ *ep = (e)->enext; \ } void delete_connection(connection_t *c, bool relations) { modecfg_attribute_t *ca; connection_t *old_cur_connection; identification_t *client_id; old_cur_connection = cur_connection == c? NULL : cur_connection; #ifdef DEBUG lset_t old_cur_debugging = cur_debugging; #endif set_cur_connection(c); /* Must be careful to avoid circularity: * we mark c as going away so it won't get deleted recursively. */ passert(c->kind != CK_GOING_AWAY); if (c->kind == CK_INSTANCE) { plog("deleting connection \"%s\" instance with peer %s {isakmp=#%lu/ipsec=#%lu}" , c->name , ip_str(&c->spd.that.host_addr) , c->newest_isakmp_sa, c->newest_ipsec_sa); c->kind = CK_GOING_AWAY; } else { plog("deleting connection"); } release_connection(c, relations); /* won't delete c */ if (c->kind == CK_GROUP) { delete_group(c); } /* free up any logging resources */ perpeer_logfree(c); /* find and delete c from connections list */ list_rm(connection_t, ac_next, c, connections); cur_connection = old_cur_connection; /* find and delete c from the host pair list */ if (c->host_pair == NULL) { if (c->ikev1) { list_rm(connection_t, hp_next, c, unoriented_connections); } } else { struct host_pair *hp = c->host_pair; list_rm(connection_t, hp_next, c, hp->connections); c->host_pair = NULL; /* redundant, but safe */ /* if there are no more connections with this host_pair * and we haven't even made an initial contact, let's delete * this guy in case we were created by an attempted DOS attack. */ if (hp->connections == NULL && !hp->initial_connection_sent) { passert(hp->pending == NULL); /* ??? must deal with this! */ list_rm(struct host_pair, next, hp, host_pairs); free(hp); } } if (c->kind != CK_GOING_AWAY) { free(c->spd.that.virt); } client_id = (c->xauth_identity) ? c->xauth_identity : c->spd.that.id; /* release virtual IP address lease if any */ if (c->spd.that.modecfg && c->spd.that.pool && !c->spd.that.host_srcip->is_anyaddr(c->spd.that.host_srcip)) { hydra->attributes->release_address(hydra->attributes, c->spd.that.pool, c->spd.that.host_srcip, client_id); } /* release requested attributes if any */ if (c->requested) { c->requested->destroy_function(c->requested, (void*)modecfg_attribute_destroy); } /* release other attributes if any */ if (c->attributes) { while (c->attributes->remove_last(c->attributes, (void **)&ca) == SUCCESS) { hydra->attributes->release(hydra->attributes, ca->handler, client_id, ca->type, ca->value); modecfg_attribute_destroy(ca); } c->attributes->destroy(c->attributes); } if (c->kind != CK_GOING_AWAY) { whack_attr->del_pool(whack_attr, c->name); } /* free internal data */ #ifdef DEBUG cur_debugging = old_cur_debugging; #endif free(c->name); DESTROY_IF(c->xauth_identity); DESTROY_IF(c->spd.this.id); DESTROY_IF(c->spd.this.ca); DESTROY_IF(c->spd.this.groups); DESTROY_IF(c->spd.this.host_srcip); free(c->spd.this.updown); free(c->spd.this.pool); DESTROY_IF(c->spd.that.id); DESTROY_IF(c->spd.that.ca); DESTROY_IF(c->spd.that.groups); DESTROY_IF(c->spd.that.host_srcip); free(c->spd.that.updown); free(c->spd.that.pool); if (c->requested_ca) { c->requested_ca->destroy_offset(c->requested_ca, offsetof(identification_t, destroy)); } gw_delref(&c->gw_info); lock_certs_and_keys("delete_connection"); cert_release(c->spd.this.cert); scx_release(c->spd.this.sc); cert_release(c->spd.that.cert); scx_release(c->spd.that.sc); unlock_certs_and_keys("delete_connection"); alg_info_delref((struct alg_info **)&c->alg_info_esp); alg_info_delref((struct alg_info **)&c->alg_info_ike); free(c); } /* Delete connections with the specified name */ void delete_connections_by_name(const char *name, bool strict) { connection_t *c = con_by_name(name, strict); for (; c != NULL; c = con_by_name(name, FALSE)) delete_connection(c, FALSE); } void delete_every_connection(void) { while (connections) { delete_connection(connections, TRUE); } } void release_dead_interfaces(void) { struct host_pair *hp; for (hp = host_pairs; hp != NULL; hp = hp->next) { connection_t **pp , *p; for (pp = &hp->connections; (p = *pp) != NULL; ) { if (p->interface->change == IFN_DELETE) { /* this connection's interface is going away */ enum connection_kind k = p->kind; release_connection(p, TRUE); if (k <= CK_PERMANENT) { /* The connection should have survived release: * move it to the unoriented_connections list. */ passert(p == *pp); p->interface = NULL; *pp = p->hp_next; /* advance *pp */ p->host_pair = NULL; p->hp_next = unoriented_connections; unoriented_connections = p; } else { /* The connection should have vanished, * but the previous connection remains. */ passert(p != *pp); } } else { pp = &p->hp_next; /* advance pp */ } } } } /* adjust orientations of connections to reflect newly added interfaces */ void check_orientations(void) { /* try to orient all the unoriented connections */ { connection_t *c = unoriented_connections; unoriented_connections = NULL; while (c) { connection_t *nxt = c->hp_next; (void)orient(c); connect_to_host_pair(c); c = nxt; } } /* Check that no oriented connection has become double-oriented. * In other words, the far side must not match one of our new interfaces. */ { struct iface *i; for (i = interfaces; i != NULL; i = i->next) { if (i->change == IFN_ADD) { struct host_pair *hp; for (hp = host_pairs; hp != NULL; hp = hp->next) { if (sameaddr(&hp->him.addr, &i->addr) && hp->him.port == pluto_port) { /* bad news: the whole chain of connections * hanging off this host pair has both sides * matching an interface. * We'll get rid of them, using orient and * connect_to_host_pair. But we'll be lazy * and not ditch the host_pair itself (the * cost of leaving it is slight and cannot * be induced by a foe). */ connection_t *c = hp->connections; hp->connections = NULL; while (c) { connection_t *nxt = c->hp_next; c->interface = NULL; (void)orient(c); connect_to_host_pair(c); c = nxt; } } } } } } } static err_t default_end(struct end *e, ip_address *dflt_nexthop) { err_t ugh = NULL; int af = addrtypeof(&e->host_addr); if (af != AF_INET && af != AF_INET6) { return "unknown address family in default_end"; } /* default ID to IP (but only if not NO_IP -- WildCard) */ if (e->id->get_type(e->id) == ID_ANY && !isanyaddr(&e->host_addr)) { e->id->destroy(e->id); e->id = identification_create_from_sockaddr((sockaddr_t*)&e->host_addr); e->has_id_wildcards = FALSE; } /* default nexthop to other side */ if (isanyaddr(&e->host_nexthop)) { e->host_nexthop = *dflt_nexthop; } /* default client to subnet containing only self * XXX This may mean that the client's address family doesn't match * tunnel_addr_family. */ if (!e->has_client) { ugh = addrtosubnet(&e->host_addr, &e->client); } return ugh; } /* Format the topology of a connection end, leaving out defaults. * Largest left end looks like: client === host : port [ host_id ] --- hop * Note: if that==NULL, skip nexthop * Returns strlen of formated result (length excludes NUL at end). */ size_t format_end(char *buf, size_t buf_len, const struct end *this, const struct end *that, bool is_left, lset_t policy) { char client[BUF_LEN]; const char *client_sep = ""; char protoport[sizeof(":255/65535")]; const char *host = NULL; char host_space[ADDRTOT_BUF]; char host_port[sizeof(":65535")]; char host_id[BUF_LEN + 2]; char hop[ADDRTOT_BUF]; const char *hop_sep = ""; const char *open_brackets = ""; const char *close_brackets = ""; if (isanyaddr(&this->host_addr)) { switch (policy & (POLICY_GROUP | POLICY_OPPO)) { case POLICY_GROUP: host = "%group"; break; case POLICY_OPPO: host = "%opportunistic"; break; case POLICY_GROUP | POLICY_OPPO: host = "%opportunisticgroup"; break; default: host = "%any"; break; } } client[0] = '\0'; if (is_virtual_end(this) && isanyaddr(&this->host_addr)) { host = "%virtual"; } /* [client===] */ if (this->has_client) { ip_address client_net, client_mask; networkof(&this->client, &client_net); maskof(&this->client, &client_mask); client_sep = "==="; /* {client_subnet_wildcard} */ if (this->has_client_wildcard) { open_brackets = "{"; close_brackets = "}"; } if (isanyaddr(&client_net) && isanyaddr(&client_mask) && (policy & (POLICY_GROUP | POLICY_OPPO))) { client_sep = ""; /* boring case */ } else if (subnetisnone(&this->client)) { strcpy(client, "?"); } else { subnettot(&this->client, 0, client, sizeof(client)); } } else if (this->modecfg && this->host_srcip->is_anyaddr(this->host_srcip)) { /* we are mode config client, or a server with a pool */ client_sep = "==="; client[0] = '%'; strcpy(client+1, this->pool ? this->pool : "modecfg"); } /* host */ if (host == NULL) { addrtot(&this->host_addr, 0, host_space, sizeof(host_space)); host = host_space; } host_port[0] = '\0'; if (this->host_port != IKE_UDP_PORT) { snprintf(host_port, sizeof(host_port), ":%u", this->host_port); } /* payload portocol and port */ protoport[0] = '\0'; if (this->has_port_wildcard) { snprintf(protoport, sizeof(protoport), ":%u/%%any", this->protocol); } else if (this->port || this->protocol) { snprintf(protoport, sizeof(protoport), ":%u/%u", this->protocol , this->port); } /* id */ snprintf(host_id, sizeof(host_id), "[%Y]", this->id); /* [---hop] */ hop[0] = '\0'; hop_sep = ""; if (that && !sameaddr(&this->host_nexthop, &that->host_addr)) { addrtot(&this->host_nexthop, 0, hop, sizeof(hop)); hop_sep = "---"; } if (is_left) { snprintf(buf, buf_len, "%s%s%s%s%s%s%s%s%s%s%s" , open_brackets, client, close_brackets, client_sep , this->allow_any? "%":"" , host, host_port, host_id, protoport , hop_sep, hop); } else { snprintf(buf, buf_len, "%s%s%s%s%s%s%s%s%s%s%s" , hop, hop_sep , this->allow_any? "%":"" , host, host_port, host_id, protoport, client_sep , open_brackets, client, close_brackets); } return strlen(buf); } /* format topology of a connection. * Two symmetric ends separated by ... */ #define CONNECTION_BUF (2 * (END_BUF - 1) + 4) static size_t format_connection(char *buf, size_t buf_len, const connection_t *c, struct spd_route *sr) { size_t w = format_end(buf, buf_len, &sr->this, &sr->that, TRUE, LEMPTY); w += snprintf(buf + w, buf_len - w, "..."); return w + format_end(buf + w, buf_len - w, &sr->that, &sr->this, FALSE, c->policy); } static void unshare_connection_strings(connection_t *c) { c->name = clone_str(c->name); if (c->xauth_identity) { c->xauth_identity = c->xauth_identity->clone(c->xauth_identity); } c->spd.this.id = c->spd.this.id->clone(c->spd.this.id); c->spd.this.pool = clone_str(c->spd.this.pool); c->spd.this.updown = clone_str(c->spd.this.updown); c->spd.this.host_srcip = c->spd.this.host_srcip->clone(c->spd.this.host_srcip); scx_share(c->spd.this.sc); cert_share(c->spd.this.cert); if (c->spd.this.ca) { c->spd.this.ca = c->spd.this.ca->clone(c->spd.this.ca); } if (c->spd.this.groups) { c->spd.this.groups = c->spd.this.groups->get_ref(c->spd.this.groups); } c->spd.that.id = c->spd.that.id->clone(c->spd.that.id); c->spd.that.pool = clone_str(c->spd.that.pool); c->spd.that.updown = clone_str(c->spd.that.updown); c->spd.that.host_srcip = c->spd.that.host_srcip->clone(c->spd.that.host_srcip); scx_share(c->spd.that.sc); cert_share(c->spd.that.cert); if (c->spd.that.ca) { c->spd.that.ca = c->spd.that.ca->clone(c->spd.that.ca); } if (c->spd.that.groups) { c->spd.that.groups = c->spd.that.groups->get_ref(c->spd.that.groups); } /* increment references to algo's */ alg_info_addref((struct alg_info *)c->alg_info_esp); alg_info_addref((struct alg_info *)c->alg_info_ike); } static void load_end_certificate(char *filename, struct end *dst) { time_t notBefore, notAfter; cert_t *cert = NULL; certificate_t *certificate; bool cached_cert = FALSE; /* initialize end certificate */ dst->cert = NULL; /* initialize smartcard info record */ dst->sc = NULL; if (filename) { if (scx_on_smartcard(filename)) { /* load cert from smartcard */ cert = scx_load_cert(filename, &dst->sc, &cached_cert); } else { /* load cert from file */ cert = load_host_cert(filename); } } if (cert) { certificate = cert->cert; if (dst->id->get_type(dst->id) == ID_ANY || !certificate->has_subject(certificate, dst->id)) { plog( " id '%Y' not confirmed by certificate, defaulting to '%Y'", dst->id, certificate->get_subject(certificate)); dst->id->destroy(dst->id); dst->id = certificate->get_subject(certificate); dst->id = dst->id->clone(dst->id); } if (cached_cert) { dst->cert = cert; } else { if (!certificate->get_validity(certificate, NULL, ¬Before, ¬After)) { plog("certificate is invalid (valid from %T to %T)", ¬Before, FALSE, ¬After, FALSE); cert_free(cert); return; } DBG(DBG_CONTROL, DBG_log("certificate is valid") ) add_public_key_from_cert(cert, notAfter, DAL_LOCAL); dst->cert = cert_add(cert); } certificate = dst->cert->cert; /* if no CA is defined, use issuer as default */ if (dst->ca == NULL && certificate->get_type(certificate) == CERT_X509) { identification_t *issuer; issuer = certificate->get_issuer(certificate); dst->ca = issuer->clone(issuer); } /* cache the certificate that was last retrieved from the smartcard */ if (dst->sc) { if (!dst->sc->last_cert || !certificate->equals(certificate, dst->sc->last_cert->cert)) { lock_certs_and_keys("load_end_certificates"); cert_release(dst->sc->last_cert); dst->sc->last_cert = dst->cert; cert_share(dst->cert); unlock_certs_and_keys("load_end_certificates"); } time(&dst->sc->last_load); } } scx_share(dst->sc); cert_share(dst->cert); } static bool extract_end(struct end *dst, const whack_end_t *src, const char *name, bool is_left) { bool same_ca = FALSE; dst->is_left = is_left; dst->id = identification_create_from_string(src->id); dst->ca = NULL; /* decode CA distinguished name, if any */ if (src->ca) { if streq(src->ca, "%same") { same_ca = TRUE; } else if (!streq(src->ca, "%any")) { dst->ca = identification_create_from_string(src->ca); if (dst->ca->get_type(dst->ca) != ID_DER_ASN1_DN) { plog("bad CA string '%s', ignored", src->ca); dst->ca->destroy(dst->ca); dst->ca = NULL; } } } /* load local end certificate and extract ID, if any */ load_end_certificate(src->cert, dst); /* does id has wildcards? */ dst->has_id_wildcards = dst->id->contains_wildcards(dst->id); /* decode group attributes, if any */ if (src->groups) { dst->groups = ietf_attributes_create_from_string(src->groups); } /* the rest is simple copying of corresponding fields */ dst->host_addr = src->host_addr; dst->host_nexthop = src->host_nexthop; dst->host_srcip = host_create_from_sockaddr((sockaddr_t*)&src->host_srcip); dst->has_natip = src->has_natip; dst->client = src->client; dst->protocol = src->protocol; dst->port = src->port; dst->has_port_wildcard = src->has_port_wildcard; dst->key_from_DNS_on_demand = src->key_from_DNS_on_demand; dst->has_client = src->has_client; dst->has_client_wildcard = src->has_client_wildcard; dst->modecfg = src->modecfg; dst->hostaccess = src->hostaccess; dst->allow_any = src->allow_any; dst->sendcert = src->sendcert; dst->updown = clone_str(src->updown); dst->host_port = src->host_port; /* if the sourceip netmask is zero a named pool exists */ if (src->sourceip_mask == 0) { dst->pool = clone_str(src->sourceip); } /* if host sourceip is defined but no client is present * behind the host then set client to sourceip/32 */ if (!dst->host_srcip->is_anyaddr(dst->host_srcip) && !dst->has_natip && !dst->has_client) { ip_address addr; err_t ugh; addr = *(ip_address*)dst->host_srcip->get_sockaddr(dst->host_srcip); ugh = addrtosubnet(&addr, &dst->client); if (ugh) { plog("could not assign host sourceip to client subnet"); } else { dst->has_client = TRUE; } } return same_ca; } static bool check_connection_end(const whack_end_t *this, const whack_end_t *that, const whack_message_t *wm) { if (wm->addr_family != addrtypeof(&this->host_addr) || wm->addr_family != addrtypeof(&this->host_nexthop) || (this->has_client? wm->tunnel_addr_family : wm->addr_family) != subnettypeof(&this->client) || subnettypeof(&this->client) != subnettypeof(&that->client)) { /* this should have been diagnosed by whack, so we need not be clear * !!! overloaded use of RC_CLASH */ loglog(RC_CLASH, "address family inconsistency in connection"); return FALSE; } if (isanyaddr(&that->host_addr)) { /* other side is wildcard: we must check if other conditions met */ if (isanyaddr(&this->host_addr)) { loglog(RC_ORIENT, "connection must specify host IP address for our side"); return FALSE; } } if (this->virt && (!isanyaddr(&this->host_addr) || this->has_client)) { loglog(RC_CLASH, "virtual IP must only be used with %%any and without client"); return FALSE; } return TRUE; /* happy */ } connection_t *find_connection_by_reqid(uint32_t reqid) { connection_t *c; reqid &= ~3; for (c = connections; c != NULL; c = c->ac_next) { if (c->spd.reqid == reqid) { return c; } } return NULL; } static uint32_t gen_reqid(void) { uint32_t start; static uint32_t reqid = IPSEC_MANUAL_REQID_MAX & ~3; start = reqid; do { reqid += 4; if (reqid == 0) { reqid = (IPSEC_MANUAL_REQID_MAX & ~3) + 4; } if (!find_connection_by_reqid(reqid)) { return reqid; } } while (reqid != start); exit_log("unable to allocate reqid"); return 0; /* never reached ... */ } void add_connection(const whack_message_t *wm) { if (con_by_name(wm->name, FALSE) != NULL) { loglog(RC_DUPNAME, "attempt to redefine connection \"%s\"", wm->name); } else if (wm->right.protocol != wm->left.protocol) { /* this should haven been diagnosed by whack * !!! overloaded use of RC_CLASH */ loglog(RC_CLASH, "the protocol must be the same for leftport and rightport"); } else if (check_connection_end(&wm->right, &wm->left, wm) && check_connection_end(&wm->left, &wm->right, wm)) { bool same_rightca, same_leftca; connection_t *c = malloc_thing(connection_t); zero(c); c->name = clone_str(wm->name); c->ikev1 = wm->ikev1; c->policy = wm->policy; if ((c->policy & POLICY_COMPRESS) && !can_do_IPcomp) { loglog(RC_COMMENT , "ignoring --compress in \"%s\" because kernel does not support IPCOMP" , c->name); } if (wm->esp) { DBG(DBG_CONTROL, DBG_log("from whack: got --esp=%s", wm->esp ? wm->esp: "NULL") ) c->alg_info_esp = alg_info_esp_create_from_str(wm->esp? wm->esp : ""); DBG(DBG_CRYPT|DBG_CONTROL, static char buf[BUF_LEN]=""; if (c->alg_info_esp) { alg_info_snprint(buf, sizeof(buf) ,(struct alg_info *)c->alg_info_esp); } DBG_log("esp proposal: %s", buf); ) if (c->alg_info_esp) { if (c->alg_info_esp->alg_info_cnt == 0) { loglog(RC_LOG_SERIOUS, "got 0 esp transforms"); } } else { loglog(RC_LOG_SERIOUS, "syntax error in esp string"); } } if (wm->ike) { DBG(DBG_CONTROL, DBG_log("from whack: got --ike=%s", wm->ike ? wm->ike: "NULL") ) c->alg_info_ike= alg_info_ike_create_from_str(wm->ike? wm->ike : ""); DBG(DBG_CRYPT|DBG_CONTROL, static char buf[BUF_LEN]=""; if (c->alg_info_ike) { alg_info_snprint(buf, sizeof(buf) , (struct alg_info *)c->alg_info_ike); } DBG_log("ike proposal: %s", buf); ) if (c->alg_info_ike) { if (c->alg_info_ike->alg_info_cnt == 0) { loglog(RC_LOG_SERIOUS, "got 0 ike transforms"); } } else { loglog(RC_LOG_SERIOUS, "syntax error in ike string"); } } if (wm->xauth_identity) { c->xauth_identity = identification_create_from_string(wm->xauth_identity); } c->sa_ike_life_seconds = wm->sa_ike_life_seconds; c->sa_ipsec_life_seconds = wm->sa_ipsec_life_seconds; c->sa_rekey_margin = wm->sa_rekey_margin; c->sa_rekey_fuzz = wm->sa_rekey_fuzz; c->sa_keying_tries = wm->sa_keying_tries; /* RFC 3706 DPD */ c->dpd_delay = wm->dpd_delay; c->dpd_timeout = wm->dpd_timeout; c->dpd_action = wm->dpd_action; c->addr_family = wm->addr_family; c->tunnel_addr_family = wm->tunnel_addr_family; c->requested_ca = NULL; same_leftca = extract_end(&c->spd.this, &wm->left, wm->name, TRUE); same_rightca = extract_end(&c->spd.that, &wm->right, wm->name, FALSE); if (same_rightca && c->spd.this.ca) { c->spd.that.ca = c->spd.this.ca->clone(c->spd.this.ca); } else if (same_leftca && c->spd.that.ca) { c->spd.this.ca = c->spd.that.ca->clone(c->spd.that.ca); } default_end(&c->spd.this, &c->spd.that.host_addr); default_end(&c->spd.that, &c->spd.this.host_addr); /* force any wildcard host IP address, any wildcard subnet * or any wildcard ID to that end */ if (isanyaddr(&c->spd.this.host_addr) || c->spd.this.has_client_wildcard || c->spd.this.has_port_wildcard || c->spd.this.has_id_wildcards || c->spd.this.allow_any) { struct end t = c->spd.this; c->spd.this = c->spd.that; c->spd.that = t; } c->spd.next = NULL; c->spd.reqid = wm->reqid ?: gen_reqid(); c->spd.mark_in.value = wm->mark_in.value; c->spd.mark_in.mask = wm->mark_in.mask; c->spd.mark_out.value = wm->mark_out.value; c->spd.mark_out.mask = wm->mark_out.mask; /* set internal fields */ c->instance_serial = 0; c->ac_next = connections; connections = c; c->interface = NULL; c->spd.routing = RT_UNROUTED; c->newest_isakmp_sa = SOS_NOBODY; c->newest_ipsec_sa = SOS_NOBODY; c->spd.eroute_owner = SOS_NOBODY; if (c->policy & POLICY_GROUP) { c->kind = CK_GROUP; add_group(c); } else if ((isanyaddr(&c->spd.that.host_addr) && !NEVER_NEGOTIATE(c->policy)) || c->spd.that.has_client_wildcard || c->spd.that.has_port_wildcard || c->spd.that.has_id_wildcards || c->spd.that.allow_any) { /* Opportunistic or Road Warrior or wildcard client subnet * or wildcard ID */ c->kind = CK_TEMPLATE; } else { c->kind = CK_PERMANENT; } set_policy_prio(c); /* must be after kind is set */ #ifdef DEBUG c->extra_debugging = wm->debugging; #endif c->gw_info = NULL; passert(!(wm->left.virt && wm->right.virt)); if (wm->left.virt || wm->right.virt) { passert(isanyaddr(&c->spd.that.host_addr)); c->spd.that.virt = create_virtual(c, wm->left.virt ? wm->left.virt : wm->right.virt); if (c->spd.that.virt) c->spd.that.has_client = TRUE; } (void)orient(c); /* if rightsourceip defines a subnet then create an in-memory pool */ if (whack_attr->add_pool(whack_attr, c->name, c->spd.this.is_left ? &wm->right : &wm->left)) { c->spd.that.pool = clone_str(c->name); c->spd.that.modecfg = TRUE; c->spd.that.has_client = FALSE; /* reset the host_srcip so that it gets assigned in modecfg */ DESTROY_IF(c->spd.that.host_srcip); c->spd.that.host_srcip = host_create_any(AF_INET); } if (c->ikev1) { connect_to_host_pair(c); } /* log all about this connection */ plog("added connection description \"%s\"", c->name); DBG(DBG_CONTROL, char topo[BUF_LEN]; (void) format_connection(topo, sizeof(topo), c, &c->spd); DBG_log("%s", topo); /* Make sure that address families can be correctly inferred * from printed ends. */ passert(c->addr_family == addrtypeof(&c->spd.this.host_addr) && c->addr_family == addrtypeof(&c->spd.this.host_nexthop) && (c->spd.this.has_client? c->tunnel_addr_family : c->addr_family) == subnettypeof(&c->spd.this.client) && c->addr_family == addrtypeof(&c->spd.that.host_addr) && c->addr_family == addrtypeof(&c->spd.that.host_nexthop) && (c->spd.that.has_client? c->tunnel_addr_family : c->addr_family) == subnettypeof(&c->spd.that.client)); DBG_log("ike_life: %lus; ipsec_life: %lus; rekey_margin: %lus;" " rekey_fuzz: %lu%%; keyingtries: %lu; policy: %s" , (unsigned long) c->sa_ike_life_seconds , (unsigned long) c->sa_ipsec_life_seconds , (unsigned long) c->sa_rekey_margin , (unsigned long) c->sa_rekey_fuzz , (unsigned long) c->sa_keying_tries , prettypolicy(c->policy)); ); } } /* Derive a template connection from a group connection and target. * Similar to instantiate(). Happens at whack --listen. * Returns name of new connection. May be NULL. * Caller is responsible for freeing. */ char *add_group_instance(connection_t *group, const ip_subnet *target) { char namebuf[100], targetbuf[SUBNETTOT_BUF]; connection_t *t; char *name = NULL; passert(group->kind == CK_GROUP); passert(oriented(*group)); /* manufacture a unique name for this template */ subnettot(target, 0, targetbuf, sizeof(targetbuf)); snprintf(namebuf, sizeof(namebuf), "%s#%s", group->name, targetbuf); if (con_by_name(namebuf, FALSE) != NULL) { loglog(RC_DUPNAME, "group name + target yields duplicate name \"%s\"" , namebuf); } else { t = clone_thing(*group); t->name = namebuf; unshare_connection_strings(t); name = clone_str(t->name); t->spd.that.client = *target; t->policy &= ~(POLICY_GROUP | POLICY_GROUTED); t->kind = isanyaddr(&t->spd.that.host_addr) && !NEVER_NEGOTIATE(t->policy) ? CK_TEMPLATE : CK_INSTANCE; /* reset log file info */ t->log_file_name = NULL; t->log_file = NULL; t->log_file_err = FALSE; t->spd.reqid = gen_reqid(); if (t->spd.that.virt) { DBG_log("virtual_ip not supported in group instance"); t->spd.that.virt = NULL; } /* add to connections list */ t->ac_next = connections; connections = t; /* same host_pair as parent: stick after parent on list */ group->hp_next = t; /* route if group is routed */ if (group->policy & POLICY_GROUTED) { if (!trap_connection(t)) whack_log(RC_ROUTE, "could not route"); } } return name; } /* an old target has disappeared for a group: delete instance */ void remove_group_instance(const connection_t *group USED_BY_DEBUG, const char *name) { passert(group->kind == CK_GROUP); passert(oriented(*group)); delete_connections_by_name(name, FALSE); } /* Common part of instantiating a Road Warrior or Opportunistic connection. * his_id can be used to carry over an ID discovered in Phase 1. * It must not disagree with the one in c, but if that is unspecified, * the new connection will use his_id. * If his_id is NULL, and c.that.id is uninstantiated (ID_ANY), the * new connection will continue to have an uninstantiated that.id. * Note: instantiation does not affect port numbers. * * Note that instantiate can only deal with a single SPD/eroute. */ static connection_t *instantiate(connection_t *c, const ip_address *him, u_int16_t his_port, identification_t *his_id) { connection_t *d; passert(c->kind == CK_TEMPLATE); passert(c->spd.next == NULL); c->instance_serial++; d = clone_thing(*c); d->spd.that.allow_any = FALSE; if (his_id) { d->spd.that.id = his_id; d->spd.that.has_id_wildcards = FALSE; } unshare_connection_strings(d); if (d->spd.this.groups) { d->spd.this.groups = d->spd.this.groups->get_ref(d->spd.this.groups); } if (d->spd.that.groups) { d->spd.that.groups = d->spd.that.groups->get_ref(d->spd.that.groups); } d->kind = CK_INSTANCE; passert(oriented(*d)); d->spd.that.host_addr = *him; setportof(htons(c->spd.that.port), &d->spd.that.host_addr); if (his_port) d->spd.that.host_port = his_port; default_end(&d->spd.that, &d->spd.this.host_addr); /* We cannot guess what our next_hop should be, but if it was * explicitly specified as 0.0.0.0, we set it to be him. * (whack will not allow nexthop to be elided in RW case.) */ default_end(&d->spd.this, &d->spd.that.host_addr); d->spd.next = NULL; d->spd.reqid = gen_reqid(); /* set internal fields */ d->ac_next = connections; connections = d; d->spd.routing = RT_UNROUTED; d->newest_isakmp_sa = SOS_NOBODY; d->newest_ipsec_sa = SOS_NOBODY; d->spd.eroute_owner = SOS_NOBODY; /* reset log file info */ d->log_file_name = NULL; d->log_file = NULL; d->log_file_err = FALSE; connect_to_host_pair(d); return d; if (sameaddr(&d->spd.that.host_addr, &d->spd.this.host_nexthop)) { d->spd.this.host_nexthop = *him; } } connection_t *rw_instantiate(connection_t *c, const ip_address *him, u_int16_t his_port, const ip_subnet *his_net, identification_t *his_id) { connection_t *d = instantiate(c, him, his_port, his_id); if (d && his_net && is_virtual_connection(c)) { d->spd.that.client = *his_net; d->spd.that.virt = NULL; if (subnetishost(his_net) && addrinsubnet(him, his_net)) d->spd.that.has_client = FALSE; } if (d->policy & POLICY_OPPO) { /* This must be before we know the client addresses. * Fill in one that is impossible. This prevents anyone else from * trying to use this connection to get to a particular client */ d->spd.that.client = *aftoinfo(subnettypeof(&d->spd.that.client))->none; } DBG(DBG_CONTROL , DBG_log("instantiated \"%s\" for %s" , d->name, ip_str(him))); return d; } connection_t *oppo_instantiate(connection_t *c, const ip_address *him, identification_t *his_id, struct gw_info *gw, const ip_address *our_client USED_BY_DEBUG, const ip_address *peer_client) { connection_t *d = instantiate(c, him, 0, his_id); passert(d->spd.next == NULL); /* fill in our client side */ if (d->spd.this.has_client) { /* there was a client in the abstract connection * so we demand that the required client is within that subnet. */ passert(addrinsubnet(our_client, &d->spd.this.client)); happy(addrtosubnet(our_client, &d->spd.this.client)); /* opportunistic connections do not use port selectors */ setportof(0, &d->spd.this.client.addr); } else { /* there was no client in the abstract connection * so we demand that the required client be the host */ passert(sameaddr(our_client, &d->spd.this.host_addr)); } /* fill in peer's client side. * If the client is the peer, excise the client from the connection. */ passert((d->policy & POLICY_OPPO) && addrinsubnet(peer_client, &d->spd.that.client)); happy(addrtosubnet(peer_client, &d->spd.that.client)); /* opportunistic connections do not use port selectors */ setportof(0, &d->spd.that.client.addr); if (sameaddr(peer_client, &d->spd.that.host_addr)) d->spd.that.has_client = FALSE; passert(d->gw_info == NULL); gw_addref(gw); d->gw_info = gw; /* Adjust routing if something is eclipsing c. * It must be a %hold for us (hard to passert this). * If there was another instance eclipsing, we'd be using it. */ if (c->spd.routing == RT_ROUTED_ECLIPSED) d->spd.routing = RT_ROUTED_PROSPECTIVE; /* Remember if the template is routed: * if so, this instance applies for initiation * even if it is created for responding. */ if (routed(c->spd.routing)) d->instance_initiation_ok = TRUE; DBG(DBG_CONTROL, char topo[BUF_LEN]; (void) format_connection(topo, sizeof(topo), d, &d->spd); DBG_log("instantiated \"%s\": %s", d->name, topo); ); return d; } /* priority formatting */ void fmt_policy_prio(policy_prio_t pp, char buf[POLICY_PRIO_BUF]) { if (pp == BOTTOM_PRIO) { snprintf(buf, POLICY_PRIO_BUF, "0"); } else { snprintf(buf, POLICY_PRIO_BUF, "%lu,%lu" , pp>>16, (pp & ~(~(policy_prio_t)0 << 16)) >> 8); } } /* Format any information needed to identify an instance of a connection. * Fills any needed information into buf which MUST be big enough. * Road Warrior: peer's IP address * Opportunistic: [" " myclient "==="] " ..." peer ["===" hisclient] '\0' */ static size_t fmt_client(const ip_subnet *client, const ip_address *gw, const char *prefix, char buf[ADDRTOT_BUF]) { if (subnetisaddr(client, gw)) { buf[0] = '\0'; /* compact denotation for "self" */ } else { char *ap; strcpy(buf, prefix); ap = buf + strlen(prefix); if (subnetisnone(client)) strcpy(ap, "?"); /* unknown */ else subnettot(client, 0, ap, SUBNETTOT_BUF); } return strlen(buf); } void fmt_conn_instance(const connection_t *c, char buf[CONN_INST_BUF]) { char *p = buf; *p = '\0'; if (c->kind == CK_INSTANCE) { if (c->instance_serial != 0) { snprintf(p, CONN_INST_BUF, "[%lu]", c->instance_serial); p += strlen(p); } if (c->policy & POLICY_OPPO) { size_t w = fmt_client(&c->spd.this.client, &c->spd.this.host_addr, " ", p); p += w; strcpy(p, w == 0? " ..." : "=== ..."); p += strlen(p); addrtot(&c->spd.that.host_addr, 0, p, ADDRTOT_BUF); p += strlen(p); (void) fmt_client(&c->spd.that.client, &c->spd.that.host_addr, "===", p); } else { *p++ = ' '; addrtot(&c->spd.that.host_addr, 0, p, ADDRTOT_BUF); # if (c->spd.that.host_port != pluto_port) { p += strlen(p); sprintf(p, ":%d", c->spd.that.host_port); } } } } /* Find an existing connection for a trapped outbound packet. * This is attempted before we bother with gateway discovery. * + this connection is routed or instance_of_routed_template * (i.e. approved for on-demand) * + this subnet contains our_client (or we are our_client) * + that subnet contains peer_client (or peer is peer_client) * + don't care about Phase 1 IDs (we don't know) * Note: result may still need to be instantiated. * The winner has the highest policy priority. * * If there are several with that priority, we give preference to * the first one that is an instance. * * See also build_outgoing_opportunistic_connection. */ connection_t *find_connection_for_clients(struct spd_route **srp, const ip_address *our_client, const ip_address *peer_client, int transport_proto) { connection_t *c = connections, *best = NULL; policy_prio_t best_prio = BOTTOM_PRIO; struct spd_route *sr; struct spd_route *best_sr = NULL; int our_port = ntohs(portof(our_client)); int peer_port = ntohs(portof(peer_client)); passert(!isanyaddr(our_client) && !isanyaddr(peer_client)); #ifdef DEBUG if (DBGP(DBG_CONTROL)) { char ocb[ADDRTOT_BUF], pcb[ADDRTOT_BUF]; addrtot(our_client, 0, ocb, sizeof(ocb)); addrtot(peer_client, 0, pcb, sizeof(pcb)); DBG_log("find_connection: " "looking for policy for connection: %s:%d/%d -> %s:%d/%d" , ocb, transport_proto, our_port, pcb, transport_proto, peer_port); } #endif /* DEBUG */ for (c = connections; c != NULL; c = c->ac_next) { if (c->kind == CK_GROUP) { continue; } for (sr = &c->spd; best!=c && sr; sr = sr->next) { if ((routed(sr->routing) || c->instance_initiation_ok) && addrinsubnet(our_client, &sr->this.client) && addrinsubnet(peer_client, &sr->that.client) && addrinsubnet(peer_client, &sr->that.client) && (!sr->this.protocol || transport_proto == sr->this.protocol) && (!sr->this.port || our_port == sr->this.port) && (!sr->that.port || peer_port == sr->that.port)) { char cib[CONN_INST_BUF]; char cib2[CONN_INST_BUF]; policy_prio_t prio = 8 * (c->prio + (c->kind == CK_INSTANCE)) + 2 * (sr->this.port == our_port) + 2 * (sr->that.port == peer_port) + (sr->this.protocol == transport_proto); #ifdef DEBUG if (DBGP(DBG_CONTROL|DBG_CONTROLMORE)) { char c_ocb[SUBNETTOT_BUF], c_pcb[SUBNETTOT_BUF]; subnettot(&c->spd.this.client, 0, c_ocb, sizeof(c_ocb)); subnettot(&c->spd.that.client, 0, c_pcb, sizeof(c_pcb)); DBG_log("find_connection: conn \"%s\"%s has compatible peers: %s->%s [pri: %ld]" , c->name , (fmt_conn_instance(c, cib), cib) , c_ocb, c_pcb, prio); } #endif /* DEBUG */ if (best == NULL) { best = c; best_sr = sr; best_prio = prio; } DBG(DBG_CONTROLMORE, DBG_log("find_connection: " "comparing best \"%s\"%s [pri:%ld]{%p} (child %s) to \"%s\"%s [pri:%ld]{%p} (child %s)" , best->name , (fmt_conn_instance(best, cib), cib) , best_prio , best , (best->policy_next ? best->policy_next->name : "none") , c->name , (fmt_conn_instance(c, cib2), cib2) , prio , c , (c->policy_next ? c->policy_next->name : "none"))); if (prio > best_prio) { best = c; best_sr = sr; best_prio = prio; } } } } if (best && NEVER_NEGOTIATE(best->policy)) { best = NULL; } if (srp && best) { *srp = best_sr; } #ifdef DEBUG if (DBGP(DBG_CONTROL)) { if (best) { char cib[CONN_INST_BUF]; DBG_log("find_connection: concluding with \"%s\"%s [pri:%ld]{%p} kind=%s" , best->name , (fmt_conn_instance(best, cib), cib) , best_prio , best , enum_name(&connection_kind_names, best->kind)); } else { DBG_log("find_connection: concluding with empty"); } } #endif /* DEBUG */ return best; } /* Find and instantiate a connection for an outgoing Opportunistic connection. * We've already discovered its gateway. * We look for a the connection such that: * + this is one of our interfaces * + this subnet contains our_client (or we are our_client) * (we will specialize the client). We prefer the smallest such subnet. * + that subnet contains peer_clent (we will specialize the client). * We prefer the smallest such subnet. * + is opportunistic * + that peer is NO_IP * + don't care about Phase 1 IDs (probably should be default) * We could look for a connection that already had the desired peer * (rather than NO_IP) specified, but it doesn't seem worth the * bother. * * We look for the routed policy applying to the narrowest subnets. * We only succeed if we find such a policy AND it is satisfactory. * * The body of the inner loop is a lot like that in * find_connection_for_clients. In this case, we know the gateways * that we need to instantiate an opportunistic connection. */ connection_t *build_outgoing_opportunistic_connection(struct gw_info *gw, const ip_address *our_client, const ip_address *peer_client) { struct iface *p; connection_t *best = NULL; struct spd_route *sr, *bestsr; char ocb[ADDRTOT_BUF], pcb[ADDRTOT_BUF]; addrtot(our_client, 0, ocb, sizeof(ocb)); addrtot(peer_client, 0, pcb, sizeof(pcb)); /* for each of our addresses... */ for (p = interfaces; p != NULL; p = p->next) { /* go through those connections with our address and NO_IP as hosts * We cannot know what port the peer would use, so we assume * that it is pluto_port (makes debugging easier). */ connection_t *c = find_host_pair_connections(&p->addr, pluto_port, (ip_address *)NULL, pluto_port); for (; c != NULL; c = c->hp_next) { DBG(DBG_OPPO, DBG_log("checking %s", c->name)); if (c->kind == CK_GROUP) { continue; } for (sr = &c->spd; best!=c && sr; sr = sr->next) { if (routed(sr->routing) && addrinsubnet(our_client, &sr->this.client) && addrinsubnet(peer_client, &sr->that.client)) { if (best == NULL) { best = c; break; } DBG(DBG_OPPO, DBG_log("comparing best %s to %s" , best->name, c->name)); for (bestsr = &best->spd; best!=c && bestsr; bestsr=bestsr->next) { if (!subnetinsubnet(&bestsr->this.client, &sr->this.client) || (samesubnet(&bestsr->this.client, &sr->this.client) && !subnetinsubnet(&bestsr->that.client , &sr->that.client))) { best = c; } } } } } } if (best == NULL || NEVER_NEGOTIATE(best->policy) || (best->policy & POLICY_OPPO) == LEMPTY || best->kind != CK_TEMPLATE) { return NULL; } else { chunk_t encoding = gw->gw_id->get_encoding(gw->gw_id); id_type_t type = gw->gw_id->get_type(gw->gw_id); ip_address ip_addr; initaddr(encoding.ptr, encoding.len, (type == ID_IPV4_ADDR) ? AF_INET : AF_INET6, &ip_addr); return oppo_instantiate(best, &ip_addr, NULL, gw, our_client, peer_client); } } bool orient(connection_t *c) { struct spd_route *sr; if (!oriented(*c)) { struct iface *p; for (sr = &c->spd; sr; sr = sr->next) { /* Note: this loop does not stop when it finds a match: * it continues checking to catch any ambiguity. */ for (p = interfaces; p != NULL; p = p->next) { if (p->ike_float) { continue; } for (;;) { /* check if this interface matches this end */ if (sameaddr(&sr->this.host_addr, &p->addr) && sr->this.host_port == pluto_port) { if (oriented(*c)) { if (c->interface == p) loglog(RC_LOG_SERIOUS , "both sides of \"%s\" are our interface %s!" , c->name, p->rname); else loglog(RC_LOG_SERIOUS, "two interfaces match \"%s\" (%s, %s)" , c->name, c->interface->rname, p->rname); c->interface = NULL; /* withdraw orientation */ return FALSE; } c->interface = p; } /* done with this interface if it doesn't match that end */ if (!(sameaddr(&sr->that.host_addr, &p->addr) && sr->that.host_port == pluto_port)) break; /* swap ends and try again. * It is a little tricky to see that this loop will stop. * Only continue if the far side matches. * If both sides match, there is an error-out. */ { struct end t = sr->this; sr->this = sr->that; sr->that = t; } } } } } return oriented(*c); } void initiate_connection(const char *name, int whackfd) { connection_t *c = con_by_name(name, TRUE); if (c && c->ikev1) { set_cur_connection(c); if (!oriented(*c)) { loglog(RC_ORIENT, "we have no ipsecN interface for either end of this connection"); } else if (NEVER_NEGOTIATE(c->policy)) { loglog(RC_INITSHUNT , "cannot initiate an authby=never connection"); } else if (c->kind != CK_PERMANENT && !c->spd.that.allow_any) { if (isanyaddr(&c->spd.that.host_addr)) loglog(RC_NOPEERIP, "cannot initiate connection without knowing peer IP address"); else loglog(RC_WILDCARD, "cannot initiate connection with ID wildcards"); } else { /* do we have to prompt for a PIN code? */ if (c->spd.this.sc && !c->spd.this.sc->valid && whackfd != NULL_FD) { scx_get_pin(c->spd.this.sc, whackfd); } if (c->spd.this.sc && !c->spd.this.sc->valid) { loglog(RC_NOVALIDPIN, "cannot initiate connection without valid PIN"); } else { if (c->spd.that.allow_any) { c = instantiate(c, &c->spd.that.host_addr, c->spd.that.host_port, c->spd.that.id); } /* We will only request an IPsec SA if policy isn't empty * (ignoring Main Mode items). * This is a fudge, but not yet important. * If we are to proceed asynchronously, whackfd will be NULL_FD. */ c->policy |= POLICY_UP; ipsecdoi_initiate(whackfd, c, c->policy, 1, SOS_NOBODY); whackfd = NULL_FD; /* protect from close */ } } reset_cur_connection(); } close_any(whackfd); } /* (Possibly) Opportunistic Initiation: * Knowing clients (single IP addresses), try to build an tunnel. * This may involve discovering a gateway and instantiating an * Opportunistic connection. Called when a packet is caught by * a %trap, or when whack --oppohere --oppothere is used. * It may turn out that an existing or non-opporunistic connnection * can handle the traffic. * * Most of the code will be restarted if an ADNS request is made * to discover the gateway. The only difference between the first * and second entry is whether gateways_from_dns is NULL or not. * initiate_opportunistic: initial entrypoint * continue_oppo: where we pickup when ADNS result arrives * initiate_opportunistic_body: main body shared by above routines * cannot_oppo: a helper function to log a diagnostic * This structure repeats a lot of code when the ADNS result arrives. * This seems like a waste, but anything learned the first time through * may no longer be true! * * After the first IKE message is sent, the regular state machinery * carries negotiation forward. */ enum find_oppo_step { fos_start, fos_myid_ip_txt, fos_myid_hostname_txt, fos_myid_ip_key, fos_myid_hostname_key, fos_our_client, fos_our_txt, #ifdef USE_KEYRR fos_our_key, #endif /* USE_KEYRR */ fos_his_client, fos_done }; #ifdef DEBUG static const char *const oppo_step_name[] = { "fos_start", "fos_myid_ip_txt", "fos_myid_hostname_txt", "fos_myid_ip_key", "fos_myid_hostname_key", "fos_our_client", "fos_our_txt", #ifdef USE_KEYRR "fos_our_key", #endif /* USE_KEYRR */ "fos_his_client", "fos_done" }; #endif /* DEBUG */ struct find_oppo_bundle { enum find_oppo_step step; err_t want; bool failure_ok; /* if true, continue_oppo should not die on DNS failure */ ip_address our_client; /* not pointer! */ ip_address peer_client; int transport_proto; bool held; policy_prio_t policy_prio; ipsec_spi_t failure_shunt; /* in host order! 0 for delete. */ int whackfd; }; struct find_oppo_continuation { struct adns_continuation ac; /* common prefix */ struct find_oppo_bundle b; }; static void cannot_oppo(connection_t *c, struct find_oppo_bundle *b, err_t ugh) { char pcb[ADDRTOT_BUF]; char ocb[ADDRTOT_BUF]; addrtot(&b->peer_client, 0, pcb, sizeof(pcb)); addrtot(&b->our_client, 0, ocb, sizeof(ocb)); DBG(DBG_DNS | DBG_OPPO, DBG_log("Can't Opportunistically initiate for %s to %s: %s" , ocb, pcb, ugh)); whack_log(RC_OPPOFAILURE , "Can't Opportunistically initiate for %s to %s: %s" , ocb, pcb, ugh); if (c && c->policy_next) { /* there is some policy that comes afterwards */ struct spd_route *shunt_spd; connection_t *nc = c->policy_next; struct state *st; passert(c->kind == CK_TEMPLATE); passert(c->policy_next->kind == CK_PERMANENT); DBG(DBG_OPPO, DBG_log("OE failed for %s to %s, but %s overrides shunt" , ocb, pcb, c->policy_next->name)); /* * okay, here we need add to the "next" policy, which is ought * to be an instance. * We will add another entry to the spd_route list for the specific * situation that we have. */ shunt_spd = clone_thing(nc->spd); shunt_spd->next = nc->spd.next; nc->spd.next = shunt_spd; happy(addrtosubnet(&b->peer_client, &shunt_spd->that.client)); if (sameaddr(&b->peer_client, &shunt_spd->that.host_addr)) shunt_spd->that.has_client = FALSE; /* * override the tunnel destination with the one from the secondaried * policy */ shunt_spd->that.host_addr = nc->spd.that.host_addr; /* now, lookup the state, and poke it up. */ st = state_with_serialno(nc->newest_ipsec_sa); /* XXX what to do if the IPSEC SA has died? */ passert(st != NULL); /* link the new connection instance to the state's list of * connections */ DBG(DBG_OPPO, DBG_log("installing state: %ld for %s to %s" , nc->newest_ipsec_sa , ocb, pcb)); #ifdef DEBUG if (DBGP(DBG_OPPO | DBG_CONTROLMORE)) { char state_buf[LOG_WIDTH]; char state_buf2[LOG_WIDTH]; time_t n = now(); fmt_state(FALSE, st, n , state_buf, sizeof(state_buf) , state_buf2, sizeof(state_buf2)); DBG_log("cannot_oppo, failure SA1: %s", state_buf); DBG_log("cannot_oppo, failure SA2: %s", state_buf2); } #endif /* DEBUG */ if (!route_and_eroute(c, shunt_spd, st)) { whack_log(RC_OPPOFAILURE , "failed to instantiate shunt policy %s for %s to %s" , c->name , ocb, pcb); } return; } } static void initiate_opportunistic_body(struct find_oppo_bundle *b , struct adns_continuation *ac, err_t ac_ugh); /* forward */ void initiate_opportunistic(const ip_address *our_client, const ip_address *peer_client, int transport_proto, bool held, int whackfd) { struct find_oppo_bundle b; b.want = (whackfd == NULL_FD ? "whack" : "acquire"); b.failure_ok = FALSE; b.our_client = *our_client; b.peer_client = *peer_client; b.transport_proto = transport_proto; b.held = held; b.policy_prio = BOTTOM_PRIO; b.failure_shunt = 0; b.whackfd = whackfd; b.step = fos_start; initiate_opportunistic_body(&b, NULL, NULL); } static void continue_oppo(struct adns_continuation *acr, err_t ugh) { struct find_oppo_continuation *cr = (void *)acr; /* inherit, damn you! */ connection_t *c; bool was_held = cr->b.held; int whackfd = cr->b.whackfd; /* note: cr->id has no resources; cr->sgw_id is ID_ANY: * neither need freeing. */ whack_log_fd = whackfd; #ifdef DEBUG /* if we're going to ignore the error, at least note it in debugging log */ if (cr->b.failure_ok && ugh) { DBG(DBG_CONTROL | DBG_DNS, { char ocb[ADDRTOT_BUF]; char pcb[ADDRTOT_BUF]; addrtot(&cr->b.our_client, 0, ocb, sizeof(ocb)); addrtot(&cr->b.peer_client, 0, pcb, sizeof(pcb)); DBG_log("continuing from failed DNS lookup for %s, %s to %s: %s" , cr->b.want, ocb, pcb, ugh); }); } #endif if (!cr->b.failure_ok && ugh) { c = find_connection_for_clients(NULL, &cr->b.our_client, &cr->b.peer_client , cr->b.transport_proto); cannot_oppo(c, &cr->b , builddiag("%s: %s", cr->b.want, ugh)); } else if (was_held && !cr->b.held) { /* was_held indicates we were started due to a %trap firing * (as opposed to a "whack --oppohere --oppothere"). * Since the %hold has gone, we can assume that somebody else * has beaten us to the punch. We can go home. But lets log it. */ char ocb[ADDRTOT_BUF]; char pcb[ADDRTOT_BUF]; addrtot(&cr->b.our_client, 0, ocb, sizeof(ocb)); addrtot(&cr->b.peer_client, 0, pcb, sizeof(pcb)); loglog(RC_COMMENT , "%%hold otherwise handled during DNS lookup for Opportunistic Initiation for %s to %s" , ocb, pcb); } else { initiate_opportunistic_body(&cr->b, &cr->ac, ugh); whackfd = NULL_FD; /* was handed off */ } whack_log_fd = NULL_FD; close_any(whackfd); } #ifdef USE_KEYRR static err_t check_key_recs(enum myid_state try_state, const connection_t *c, struct adns_continuation *ac) { /* Check if KEY lookup yielded good results. * Looking up based on our ID. Used if * client is ourself, or if TXT had no public key. * Note: if c is different this time, there is * a chance that we did the wrong query. * If so, treat as a kind of failure. */ enum myid_state old_myid_state = myid_state; private_key_t *private; err_t ugh = NULL; myid_state = try_state; if (old_myid_state != myid_state && old_myid_state == MYID_SPECIFIED) { ugh = "%myid was specified while we were guessing"; } else if ((private = get_private_key(c)) == NULL) { ugh = "we don't know our own RSA key"; } else if (!same_id(&ac->id, &c->spd.this.id)) { ugh = "our ID changed underfoot"; } else { /* Similar to code in RSA_check_signature * for checking the other side. */ pubkey_list_t *kr; ugh = "no KEY RR found for us"; for (kr = ac->keys_from_dns; kr != NULL; kr = kr->next) { ugh = "all our KEY RRs have the wrong public key"; if (kr->key->alg == PUBKEY_ALG_RSA && private->belongs_to(private, &kr->key->public_key)) { ugh = NULL; /* good! */ break; } } } if (ugh) { myid_state = old_myid_state; } return ugh; } #endif /* USE_KEYRR */ static err_t check_txt_recs(enum myid_state try_state, const connection_t *c, struct adns_continuation *ac) { /* Check if TXT lookup yielded good results. * Looking up based on our ID. Used if * client is ourself, or if TXT had no public key. * Note: if c is different this time, there is * a chance that we did the wrong query. * If so, treat as a kind of failure. */ enum myid_state old_myid_state = myid_state; private_key_t *private; err_t ugh = NULL; myid_state = try_state; if (old_myid_state != myid_state && old_myid_state == MYID_SPECIFIED) { ugh = "%myid was specified while we were guessing"; } else if ((private = get_private_key(c)) == NULL) { ugh = "we don't know our own RSA key"; } else if (!ac->id->equals(ac->id, c->spd.this.id)) { ugh = "our ID changed underfoot"; } else { /* Similar to code in RSA_check_signature * for checking the other side. */ struct gw_info *gwp; ugh = "no TXT RR found for us"; for (gwp = ac->gateways_from_dns; gwp != NULL; gwp = gwp->next) { public_key_t *pub_key = gwp->key->public_key; ugh = "all our TXT RRs have the wrong public key"; if (pub_key->get_type(pub_key) == KEY_RSA && private->belongs_to(private, pub_key)) { ugh = NULL; /* good! */ break; } } } if (ugh) { myid_state = old_myid_state; } return ugh; } /* note: gateways_from_dns must be NULL iff this is the first call */ static void initiate_opportunistic_body(struct find_oppo_bundle *b, struct adns_continuation *ac, err_t ac_ugh) { connection_t *c; struct spd_route *sr; /* What connection shall we use? * First try for one that explicitly handles the clients. */ DBG(DBG_CONTROL, { char ours[ADDRTOT_BUF]; char his[ADDRTOT_BUF]; int ourport; int hisport; addrtot(&b->our_client, 0, ours, sizeof(ours)); addrtot(&b->peer_client, 0, his, sizeof(his)); ourport = ntohs(portof(&b->our_client)); hisport = ntohs(portof(&b->peer_client)); DBG_log("initiate on demand from %s:%d to %s:%d proto=%d state: %s because: %s" , ours, ourport, his, hisport, b->transport_proto , oppo_step_name[b->step], b->want); }); if (isanyaddr(&b->our_client) || isanyaddr(&b->peer_client)) { cannot_oppo(NULL, b, "impossible IP address"); } else if ((c = find_connection_for_clients(&sr , &b->our_client , &b->peer_client , b->transport_proto)) == NULL) { /* No connection explicitly handles the clients and there * are no Opportunistic connections -- whine and give up. * The failure policy cannot be gotten from a connection; we pick %pass. */ cannot_oppo(NULL, b, "no routed Opportunistic template covers this pair"); } else if (c->kind != CK_TEMPLATE) { /* We've found a connection that can serve. * Do we have to initiate it? * Not if there is currently an IPSEC SA. * But if there is an IPSEC SA, then the kernel would not * have generated the acquire. So we assume that there isn't one. * This may be redundant if a non-opportunistic * negotiation is already being attempted. */ /* If we are to proceed asynchronously, b->whackfd will be NULL_FD. */ if(c->kind == CK_INSTANCE) { char cib[CONN_INST_BUF]; /* there is already an instance being negotiated, no nothing */ DBG(DBG_CONTROL, DBG_log("found existing instance \"%s\"%s, rekeying it" , c->name , (fmt_conn_instance(c, cib), cib))); /* XXX-mcr - return; */ } /* otherwise, there is some kind of static conn that can handle * this connection, so we initiate it */ if (b->held) { /* what should we do on failure? */ (void) assign_hold(c, sr, b->transport_proto, &b->our_client, &b->peer_client); } ipsecdoi_initiate(b->whackfd, c, c->policy, 1, SOS_NOBODY); b->whackfd = NULL_FD; /* protect from close */ } else { /* We are handling an opportunistic situation. * This involves several DNS lookup steps that require suspension. * Note: many facts might change while we're suspended. * Here be dragons. * * The first chunk of code handles the result of the previous * DNS query (if any). It also selects the kind of the next step. * The second chunk initiates the next DNS query (if any). */ enum find_oppo_step next_step = fos_myid_ip_txt; err_t ugh = ac_ugh; char mycredentialstr[BUF_LEN]; char cib[CONN_INST_BUF]; DBG(DBG_CONTROL, DBG_log("creating new instance from \"%s\"%s", c->name, (fmt_conn_instance(c, cib), cib))); snprintf(mycredentialstr, BUF_LEN, "%Y", sr->this.id); /* handle any DNS answer; select next step */ switch (b->step) { case fos_start: /* just starting out: select first query step */ next_step = fos_myid_ip_txt; break; case fos_myid_ip_txt: /* TXT for our default IP address as %myid */ ugh = check_txt_recs(MYID_IP, c, ac); if (ugh) { /* cannot use our IP as OE identitiy for initiation */ DBG(DBG_OPPO, DBG_log("can not use our IP (%Y:TXT) as identity: %s", myids[MYID_IP], ugh)); if (!logged_myid_ip_txt_warning) { loglog(RC_LOG_SERIOUS, "can not use our IP (%Y:TXT) as identity: %s", myids[MYID_IP], ugh); logged_myid_ip_txt_warning = TRUE; } next_step = fos_myid_hostname_txt; ugh = NULL; /* failure can be recovered from */ } else { /* we can use our IP as OE identity for initiation */ if (!logged_myid_ip_txt_warning) { loglog(RC_LOG_SERIOUS, "using our IP (%Y:TXT) as identity!", myids[MYID_IP]); logged_myid_ip_txt_warning = TRUE; } next_step = fos_our_client; } break; case fos_myid_hostname_txt: /* TXT for our hostname as %myid */ ugh = check_txt_recs(MYID_HOSTNAME, c, ac); if (ugh) { /* cannot use our hostname as OE identitiy for initiation */ DBG(DBG_OPPO, DBG_log("can not use our hostname (%Y:TXT) as identity: %s", myids[MYID_HOSTNAME], ugh)); if (!logged_myid_fqdn_txt_warning) { loglog(RC_LOG_SERIOUS, "can not use our hostname (%Y:TXT) as identity: %s", myids[MYID_HOSTNAME], ugh); logged_myid_fqdn_txt_warning = TRUE; } #ifdef USE_KEYRR next_step = fos_myid_ip_key; ugh = NULL; /* failure can be recovered from */ #endif } else { /* we can use our hostname as OE identity for initiation */ if (!logged_myid_fqdn_txt_warning) { loglog(RC_LOG_SERIOUS, "using our hostname (%Y:TXT) as identity!", myids[MYID_HOSTNAME]); logged_myid_fqdn_txt_warning = TRUE; } next_step = fos_our_client; } break; #ifdef USE_KEYRR case fos_myid_ip_key: /* KEY for our default IP address as %myid */ ugh = check_key_recs(MYID_IP, c, ac); if (ugh) { /* cannot use our IP as OE identitiy for initiation */ DBG(DBG_OPPO, DBG_log("can not use our IP (%Y:KEY) as identity: %s", myids[MYID_IP], ugh)); if (!logged_myid_ip_key_warning) { loglog(RC_LOG_SERIOUS, "can not use our IP (%Y:KEY) as identity: %s", myids[MYID_IP], ugh); logged_myid_ip_key_warning = TRUE; } next_step = fos_myid_hostname_key; ugh = NULL; /* failure can be recovered from */ } else { /* we can use our IP as OE identity for initiation */ if (!logged_myid_ip_key_warning) { loglog(RC_LOG_SERIOUS, "using our IP (%Y:KEY) as identity!", myids[MYID_IP]); logged_myid_ip_key_warning = TRUE; } next_step = fos_our_client; } break; case fos_myid_hostname_key: /* KEY for our hostname as %myid */ ugh = check_key_recs(MYID_HOSTNAME, c, ac); if (ugh) { /* cannot use our IP as OE identitiy for initiation */ DBG(DBG_OPPO, DBG_log("can not use our hostname (%Y:KEY) as identity: %s", myids[MYID_HOSTNAME], ugh)); if (!logged_myid_fqdn_key_warning) { loglog(RC_LOG_SERIOUS, "can not use our hostname (%Y:KEY) as identity: %s", myids[MYID_HOSTNAME], ugh); logged_myid_fqdn_key_warning = TRUE; } next_step = fos_myid_hostname_key; ugh = NULL; /* failure can be recovered from */ } else { /* we can use our IP as OE identity for initiation */ if (!logged_myid_fqdn_key_warning) { loglog(RC_LOG_SERIOUS, "using our hostname (%Y:KEY) as identity!", myids[MYID_HOSTNAME]); logged_myid_fqdn_key_warning = TRUE; } next_step = fos_our_client; } break; #endif case fos_our_client: /* TXT for our client */ { /* Our client is not us: we must check the TXT records. * Note: if c is different this time, there is * a chance that we did the wrong query. * If so, treat as a kind of failure. */ private_key_t *private = get_private_key(c); next_step = fos_his_client; /* normal situation */ if (private == NULL) { ugh = "we don't know our own RSA key"; } else if (sameaddr(&sr->this.host_addr, &b->our_client)) { /* this wasn't true when we started -- bail */ ugh = "our IP address changed underfoot"; } else if (!ac->sgw_id->equals(ac->sgw_id, sr->this.id)) { /* this wasn't true when we started -- bail */ ugh = "our ID changed underfoot"; } else { /* Similar to code in quick_inI1_outR1_tail * for checking the other side. */ struct gw_info *gwp; ugh = "no TXT RR for our client delegates us"; for (gwp = ac->gateways_from_dns; gwp != NULL; gwp = gwp->next) { ugh = "TXT RR for our client has wrong key"; /* If there is a key from the TXT record, * we count it as a win if we match the key. * If there was no key, we have a tentative win: * we need to check our KEY record to be sure. */ if (!gwp->gw_key_present) { /* Success, but the TXT had no key * so we must check our our own KEY records. */ next_step = fos_our_txt; ugh = NULL; /* good! */ break; } if (private->belongs_to(private, gwp->key->public_key)) { ugh = NULL; /* good! */ break; } } } } break; case fos_our_txt: /* TXT for us */ { /* Check if TXT lookup yielded good results. * Looking up based on our ID. Used if * client is ourself, or if TXT had no public key. * Note: if c is different this time, there is * a chance that we did the wrong query. * If so, treat as a kind of failure. */ private_key_t *private = get_private_key(c); next_step = fos_his_client; /* unless we decide to look for KEY RR */ if (private == NULL) { ugh = "we don't know our own RSA key"; } else if (!ac->id->equals(ac->id, c->spd.this.id)) { ugh = "our ID changed underfoot"; } else { /* Similar to code in RSA_check_signature * for checking the other side. */ struct gw_info *gwp; ugh = "no TXT RR for us"; for (gwp = ac->gateways_from_dns; gwp != NULL; gwp = gwp->next) { ugh = "TXT RR for us has wrong key"; if (gwp->gw_key_present && private->belongs_to(private, gwp->key->public_key)) { DBG(DBG_CONTROL, DBG_log("initiate on demand found TXT with right public key at: %s" , mycredentialstr)); ugh = NULL; break; } } #ifdef USE_KEYRR if (ugh) { /* if no TXT with right key, try KEY */ DBG(DBG_CONTROL, DBG_log("will try for KEY RR since initiate on demand found %s: %s" , ugh, mycredentialstr)); next_step = fos_our_key; ugh = NULL; } #endif } } break; #ifdef USE_KEYRR case fos_our_key: /* KEY for us */ { /* Check if KEY lookup yielded good results. * Looking up based on our ID. Used if * client is ourself, or if TXT had no public key. * Note: if c is different this time, there is * a chance that we did the wrong query. * If so, treat as a kind of failure. */ private_key_t *private = get_private_key(c); next_step = fos_his_client; /* always */ if (private == NULL) { ugh = "we don't know our own RSA key"; } else if (!same_id(&ac->id, &c->spd.this.id)) { ugh = "our ID changed underfoot"; } else { /* Similar to code in RSA_check_signature * for checking the other side. */ pubkey_list_t *kr; ugh = "no KEY RR found for us (and no good TXT RR)"; for (kr = ac->keys_from_dns; kr != NULL; kr = kr->next) { ugh = "all our KEY RRs have the wrong public key (and no good TXT RR)"; if (kr->key->alg == PUBKEY_ALG_RSA && private->belongs_to(private, kr->key->public_key)) { /* do this only once a day */ if (!logged_txt_warning) { loglog(RC_LOG_SERIOUS , "found KEY RR but not TXT RR for %s. See http://www.freeswan.org/err/txt-change.html." , mycredentialstr); logged_txt_warning = TRUE; } ugh = NULL; /* good! */ break; } } } } break; #endif /* USE_KEYRR */ case fos_his_client: /* TXT for his client */ { /* We've finished last DNS queries: TXT for his client. * Using the information, try to instantiate a connection * and start negotiating. * We now know the peer. The chosing of "c" ignored this, * so we will disregard its current value. * !!! We need to randomize the entry in gw that we choose. */ next_step = fos_done; /* no more queries */ c = build_outgoing_opportunistic_connection(ac->gateways_from_dns , &b->our_client , &b->peer_client); if (c == NULL) { /* We cannot seem to instantiate a suitable connection: * complain clearly. */ char ocb[ADDRTOT_BUF], pcb[ADDRTOT_BUF]; addrtot(&b->our_client, 0, ocb, sizeof(ocb)); addrtot(&b->peer_client, 0, pcb, sizeof(pcb)); loglog(RC_OPPOFAILURE, "no suitable connection for opportunism " "between %s and %s with %Y as peer", ocb, pcb, ac->gateways_from_dns->gw_id); } else { /* If we are to proceed asynchronously, b->whackfd will be NULL_FD. */ passert(c->kind == CK_INSTANCE); passert(c->gw_info != NULL); passert(HAS_IPSEC_POLICY(c->policy)); passert(LHAS(LELEM(RT_UNROUTED) | LELEM(RT_ROUTED_PROSPECTIVE), c->spd.routing)); if (b->held) { /* what should we do on failure? */ (void) assign_hold(c, &c->spd , b->transport_proto , &b->our_client, &b->peer_client); } c->gw_info->key->last_tried_time = now(); ipsecdoi_initiate(b->whackfd, c, c->policy, 1, SOS_NOBODY); b->whackfd = NULL_FD; /* protect from close */ } } break; default: bad_case(b->step); } /* the second chunk: initiate the next DNS query (if any) */ DBG(DBG_CONTROL, { char ours[ADDRTOT_BUF]; char his[ADDRTOT_BUF]; addrtot(&b->our_client, 0, ours, sizeof(ours)); addrtot(&b->peer_client, 0, his, sizeof(his)); DBG_log("initiate on demand from %s to %s new state: %s with ugh: %s" , ours, his, oppo_step_name[b->step], ugh ? ugh : "ok"); }); if (ugh) { b->policy_prio = c->prio; b->failure_shunt = shunt_policy_spi(c, FALSE); cannot_oppo(c, b, ugh); } else if (next_step == fos_done) { /* nothing to do */ } else { /* set up the next query */ struct find_oppo_continuation *cr = malloc_thing(struct find_oppo_continuation); identification_t *id; b->policy_prio = c->prio; b->failure_shunt = shunt_policy_spi(c, FALSE); cr->b = *b; /* copy; start hand off of whackfd */ cr->b.failure_ok = FALSE; cr->b.step = next_step; for (sr = &c->spd ; sr!=NULL && !sameaddr(&sr->this.host_addr, &b->our_client) ; sr = sr->next) ; if (sr == NULL) sr = &c->spd; /* If a %hold shunt has replaced the eroute for this template, * record this fact. */ if (b->held && sr->routing == RT_ROUTED_PROSPECTIVE && eclipsable(sr)) { sr->routing = RT_ROUTED_ECLIPSED; eclipse_count++; } /* Switch to issue next query. * A case may turn out to be unnecessary. If so, it falls * through to the next case. * Figuring out what %myid can stand for must be done before * our client credentials are looked up: we must know what * the client credentials may use to identify us. * On the other hand, our own credentials should be looked * up after our clients in case our credentials are not * needed at all. * XXX this is a wasted effort if we don't have credentials * BUT they are not needed. */ switch (next_step) { case fos_myid_ip_txt: if (c->spd.this.id->get_type(c->spd.this.id) == ID_MYID && myid_state != MYID_SPECIFIED) { cr->b.failure_ok = TRUE; cr->b.want = b->want = "TXT record for IP address as %myid"; ugh = start_adns_query(myids[MYID_IP], myids[MYID_IP], T_TXT, continue_oppo, &cr->ac); break; } cr->b.step = fos_myid_hostname_txt; /* fall through */ case fos_myid_hostname_txt: if (c->spd.this.id->get_type(c->spd.this.id) == ID_MYID && myid_state != MYID_SPECIFIED) { #ifdef USE_KEYRR cr->b.failure_ok = TRUE; #else cr->b.failure_ok = FALSE; #endif cr->b.want = b->want = "TXT record for hostname as %myid"; ugh = start_adns_query(myids[MYID_HOSTNAME], myids[MYID_HOSTNAME], T_TXT, continue_oppo, &cr->ac); break; } #ifdef USE_KEYRR cr->b.step = fos_myid_ip_key; /* fall through */ case fos_myid_ip_key: if (c->spd.this.id.kind == ID_MYID && myid_state != MYID_SPECIFIED) { cr->b.failure_ok = TRUE; cr->b.want = b->want = "KEY record for IP address as %myid (no good TXT)"; ugh = start_adns_query(myids[MYID_IP], NULL, /* security gateway meaningless */ T_KEY, continue_oppo, &cr->ac); break; } cr->b.step = fos_myid_hostname_key; /* fall through */ case fos_myid_hostname_key: if (c->spd.this.id.kind == ID_MYID && myid_state != MYID_SPECIFIED) { cr->b.failure_ok = FALSE; /* last attempt! */ cr->b.want = b->want = "KEY record for hostname as %myid (no good TXT)"; ugh = start_adns_query(myids[MYID_HOSTNAME], NULL, /* security gateway meaningless */ T_KEY, continue_oppo, &cr->ac); break; } #endif cr->b.step = fos_our_client; /* fall through */ case fos_our_client: /* TXT for our client */ if (!sameaddr(&c->spd.this.host_addr, &b->our_client)) { /* Check that at least one TXT(reverse(b->our_client)) is workable. * Note: {unshare|free}_id_content not needed for id: ephemeral. */ cr->b.want = b->want = "our client's TXT record"; id = identification_create_from_sockaddr((sockaddr_t*)&b->our_client); ugh = start_adns_query(id, c->spd.this.id, /* we are the security gateway */ T_TXT, continue_oppo, &cr->ac); id->destroy(id); break; } cr->b.step = fos_our_txt; /* fall through */ case fos_our_txt: /* TXT for us */ cr->b.failure_ok = b->failure_ok = TRUE; cr->b.want = b->want = "our TXT record"; ugh = start_adns_query(sr->this.id, sr->this.id, /* we are the security gateway */ T_TXT, continue_oppo, &cr->ac); break; #ifdef USE_KEYRR case fos_our_key: /* KEY for us */ cr->b.want = b->want = "our KEY record"; cr->b.failure_ok = b->failure_ok = FALSE; ugh = start_adns_query(sr->this.id, NULL, /* security gateway meaningless */ T_KEY, continue_oppo, &cr->ac); break; #endif /* USE_KEYRR */ case fos_his_client: /* TXT for his client */ /* note: {unshare|free}_id_content not needed for id: ephemeral */ cr->b.want = b->want = "target's TXT record"; cr->b.failure_ok = b->failure_ok = FALSE; id = identification_create_from_sockaddr((sockaddr_t*)&b->peer_client); ugh = start_adns_query(id, NULL, /* security gateway unconstrained */ T_TXT, continue_oppo, &cr->ac); id->destroy(id); break; default: bad_case(next_step); } if (ugh == NULL) b->whackfd = NULL_FD; /* complete hand-off */ else cannot_oppo(c, b, ugh); } } close_any(b->whackfd); } void terminate_connection(const char *nm) { /* Loop because more than one may match (master and instances) * But at least one is required (enforced by con_by_name). */ connection_t *c = con_by_name(nm, TRUE); if (c == NULL || !c->ikev1) return; do { connection_t *n = c->ac_next; /* grab this before c might disappear */ if (streq(c->name, nm) && c->kind >= CK_PERMANENT && !NEVER_NEGOTIATE(c->policy)) { set_cur_connection(c); plog("terminating SAs using this connection"); c->policy &= ~POLICY_UP; flush_pending_by_connection(c); delete_states_by_connection(c, FALSE); if (c->kind == CK_INSTANCE) delete_connection(c, FALSE); reset_cur_connection(); } c = n; } while (c); } /* an ISAKMP SA has been established. * Note the serial number, and release any connections with * the same peer ID but different peer IP address. */ bool uniqueIDs = FALSE; /* --uniqueids? */ void ISAKMP_SA_established(connection_t *c, so_serial_t serial) { c->newest_isakmp_sa = serial; /* the connection is now oriented so that we are able to determine * whether we are a mode config server with a virtual IP to send. */ if (!c->spd.that.host_srcip->is_anyaddr(c->spd.that.host_srcip) && !c->spd.that.has_natip) { c->spd.that.modecfg = TRUE; } if (uniqueIDs) { /* for all connections: if the same Phase 1 IDs are used * for a different IP address, unorient that connection. */ connection_t *d; for (d = connections; d != NULL; ) { connection_t *next = d->ac_next; /* might move underneath us */ if (d->kind >= CK_PERMANENT && c->spd.this.id->equals(c->spd.this.id, d->spd.this.id) && c->spd.that.id->equals(c->spd.that.id, d->spd.that.id) && !sameaddr(&c->spd.that.host_addr, &d->spd.that.host_addr)) { release_connection(d, FALSE); } d = next; } } } /* Find the connection to connection c's peer's client with the * largest value of .routing. All other things being equal, * preference is given to c. If none is routed, return NULL. * * If erop is non-null, set *erop to a connection sharing both * our client subnet and peer's client subnet with the largest value * of .routing. If none is erouted, set *erop to NULL. * * The return value is used to find other connections sharing a route. * *erop is used to find other connections sharing an eroute. */ connection_t *route_owner(connection_t *c, struct spd_route **srp, connection_t **erop, struct spd_route **esrp) { connection_t *d , *best_ro = c , *best_ero = c; struct spd_route *srd, *src; struct spd_route *best_sr, *best_esr; enum routing_t best_routing, best_erouting; passert(oriented(*c)); best_sr = NULL; best_esr = NULL; best_routing = c->spd.routing; best_erouting = best_routing; for (d = connections; d != NULL; d = d->ac_next) { for (srd = &d->spd; srd; srd = srd->next) { if (srd->routing == RT_UNROUTED) continue; for (src = &c->spd; src; src=src->next) { if (!samesubnet(&src->that.client, &srd->that.client)) { continue; } if (src->that.protocol != srd->that.protocol) { continue; } if (src->that.port != srd->that.port) { continue; } if (src->mark_out.value != srd->mark_out.value) { continue; } passert(oriented(*d)); if (srd->routing > best_routing) { best_ro = d; best_sr = srd; best_routing = srd->routing; } if (!samesubnet(&src->this.client, &srd->this.client)) { continue; } if (src->this.protocol != srd->this.protocol) { continue; } if (src->this.port != srd->this.port) { continue; } if (src->mark_in.value != srd->mark_in.value) { continue; } if (srd->routing > best_erouting) { best_ero = d; best_esr = srd; best_erouting = srd->routing; } } } } DBG(DBG_CONTROL, { char cib[CONN_INST_BUF]; err_t m = builddiag("route owner of \"%s\"%s %s:" , c->name , (fmt_conn_instance(c, cib), cib) , enum_name(&routing_story, c->spd.routing)); if (!routed(best_ro->spd.routing)) m = builddiag("%s NULL", m); else if (best_ro == c) m = builddiag("%s self", m); else m = builddiag("%s \"%s\"%s %s", m , best_ro->name , (fmt_conn_instance(best_ro, cib), cib) , enum_name(&routing_story, best_ro->spd.routing)); if (erop) { m = builddiag("%s; eroute owner:", m); if (!erouted(best_ero->spd.routing)) m = builddiag("%s NULL", m); else if (best_ero == c) m = builddiag("%s self", m); else m = builddiag("%s \"%s\"%s %s", m , best_ero->name , (fmt_conn_instance(best_ero, cib), cib) , enum_name(&routing_story, best_ero->spd.routing)); } DBG_log("%s", m); }); if (erop) { *erop = erouted(best_erouting)? best_ero : NULL; } if (srp) { *srp = best_sr; if (esrp) { *esrp = best_esr; } } return routed(best_routing)? best_ro : NULL; } /* Find a connection that owns the shunt eroute between subnets. * There ought to be only one. * This might get to be a bottleneck -- try hashing if it does. */ connection_t *shunt_owner(const ip_subnet *ours, const ip_subnet *his) { connection_t *c; struct spd_route *sr; for (c = connections; c != NULL; c = c->ac_next) { for (sr = &c->spd; sr; sr = sr->next) { if (shunt_erouted(sr->routing) && samesubnet(ours, &sr->this.client) && samesubnet(his, &sr->that.client)) return c; } } return NULL; } /* Find some connection with this pair of hosts. * We don't know enough to chose amongst those available. * ??? no longer usefully different from find_host_pair_connections */ connection_t *find_host_connection(const ip_address *me, u_int16_t my_port, const ip_address *him, u_int16_t his_port, lset_t policy) { connection_t *c = find_host_pair_connections(me, my_port, him, his_port); if (policy != LEMPTY) { lset_t auth_requested = policy & POLICY_ID_AUTH_MASK; /* if we have requirements for the policy, * choose the first matching connection. */ while (c) { if (c->policy & auth_requested) { break; } c = c->hp_next; } } return c; } /* given an up-until-now satisfactory connection, find the best connection * now that we just got the Phase 1 Id Payload from the peer. * * Comments in the code describe the (tricky!) matching criteria. * Although this routine could handle the initiator case, * it isn't currently called in this case. * If it were, it could "upgrade" an Opportunistic Connection * to a Road Warrior Connection if a suitable Peer ID were found. * * In RFC 2409 "The Internet Key Exchange (IKE)", * in 5.1 "IKE Phase 1 Authenticated With Signatures", describing Main * Mode: * * Initiator Responder * ----------- ----------- * HDR, SA --> * <-- HDR, SA * HDR, KE, Ni --> * <-- HDR, KE, Nr * HDR*, IDii, [ CERT, ] SIG_I --> * <-- HDR*, IDir, [ CERT, ] SIG_R * * In 5.4 "Phase 1 Authenticated With a Pre-Shared Key": * * HDR, SA --> * <-- HDR, SA * HDR, KE, Ni --> * <-- HDR, KE, Nr * HDR*, IDii, HASH_I --> * <-- HDR*, IDir, HASH_R * * refine_host_connection could be called in two case: * * - the Responder receives the IDii payload: * + [PSK] after using PSK to decode this message * + before sending its IDir payload * + before using its ID in HASH_R computation * + [DSig] before using its private key to sign SIG_R * + before using the Initiator's ID in HASH_I calculation * + [DSig] before using the Initiator's public key to check SIG_I * * - the Initiator receives the IDir payload: * + [PSK] after using PSK to encode previous message and decode this message * + after sending its IDii payload * + after using its ID in HASH_I computation * + [DSig] after using its private key to sign SIG_I * + before using the Responder's ID to compute HASH_R * + [DSig] before using Responder's public key to check SIG_R * * refine_host_connection can choose a different connection, as long as * nothing already used is changed. * * In the Initiator case, the particular connection might have been * specified by whatever provoked Pluto to initiate. For example: * whack --initiate connection-name * The advantages of switching connections when we're the Initiator seem * less important than the disadvantages, so after FreeS/WAN 1.9, we * don't do this. */ #define PRIO_NO_MATCH_FOUND 2048 connection_t *refine_host_connection(const struct state *st, identification_t *peer_id, identification_t *peer_ca) { connection_t *c = st->st_connection; connection_t *d; connection_t *best_found = NULL; u_int16_t auth = st->st_oakley.auth; lset_t auth_policy = POLICY_PSK; const chunk_t *psk = NULL; bool wcpip; /* wildcard Peer IP? */ int best_prio = PRIO_NO_MATCH_FOUND; int our_pathlen, peer_pathlen; if (c->spd.that.id->equals(c->spd.that.id, peer_id) && trusted_ca(peer_ca, c->spd.that.ca, &peer_pathlen) && peer_pathlen == 0 && match_requested_ca(c->requested_ca, c->spd.this.ca, &our_pathlen) && our_pathlen == 0) { DBG(DBG_CONTROL, DBG_log("current connection is a full match" " -- no need to look further"); ) return c; } switch (auth) { case OAKLEY_PRESHARED_KEY: auth_policy = POLICY_PSK; psk = get_preshared_secret(c); /* It should be virtually impossible to fail to find PSK: * we just used it to decode the current message! */ if (psk == NULL) { return NULL; /* cannot determine PSK! */ } break; case XAUTHInitPreShared: case XAUTHRespPreShared: auth_policy = POLICY_XAUTH_PSK; psk = get_preshared_secret(c); if (psk == NULL) { return NULL; /* cannot determine PSK! */ } break; case OAKLEY_RSA_SIG: case OAKLEY_ECDSA_256: case OAKLEY_ECDSA_384: case OAKLEY_ECDSA_521: auth_policy = POLICY_PUBKEY; break; case XAUTHInitRSA: case XAUTHRespRSA: auth_policy = POLICY_XAUTH_RSASIG; break; default: bad_case(auth); } /* The current connection won't do: search for one that will. * First search for one with the same pair of hosts. * If that fails, search for a suitable Road Warrior or Opportunistic * connection (i.e. wildcard peer IP). * We need to match: * - peer_id (slightly complicated by instantiation) * - if PSK auth, the key must not change (we used it to decode message) * - policy-as-used must be acceptable to new connection */ d = c->host_pair->connections; for (wcpip = FALSE; ; wcpip = TRUE) { for (; d != NULL; d = d->hp_next) { const char *match_name[] = {"no", "ok"}; id_match_t match_level = peer_id->matches(peer_id, d->spd.that.id); bool matching_id = match_level > ID_MATCH_NONE; bool matching_auth = (d->policy & auth_policy) != LEMPTY; bool matching_trust = trusted_ca(peer_ca , d->spd.that.ca, &peer_pathlen); bool matching_request = match_requested_ca(c->requested_ca , d->spd.this.ca, &our_pathlen); bool match = matching_id && matching_auth && matching_trust; int prio = (ID_MATCH_PERFECT) * !matching_request + ID_MATCH_PERFECT - match_level; prio = (X509_MAX_PATH_LEN + 1) * prio + peer_pathlen; prio = (X509_MAX_PATH_LEN + 1) * prio + our_pathlen; DBG(DBG_CONTROLMORE, DBG_log("%s: %s match (id: %s, auth: %s, trust: %s, request: %s, prio: %4d)" , d->name , match ? "full":" no" , match_name[matching_id] , match_name[matching_auth] , match_name[matching_trust] , match_name[matching_request] , match ? prio:PRIO_NO_MATCH_FOUND) ) /* do we have a match? */ if (!match) { continue; } /* ignore group connections */ if (d->policy & POLICY_GROUP) { continue; } if (c->spd.that.host_port != d->spd.that.host_port && d->kind == CK_INSTANCE) { continue; } switch (auth) { case OAKLEY_PRESHARED_KEY: case XAUTHInitPreShared: case XAUTHRespPreShared: /* secret must match the one we already used */ { const chunk_t *dpsk = get_preshared_secret(d); if (dpsk == NULL) { continue; /* no secret */ } if (psk != dpsk) { if (psk->len != dpsk->len || memcmp(psk->ptr, dpsk->ptr, psk->len) != 0) { continue; /* different secret */ } } } break; case OAKLEY_RSA_SIG: case OAKLEY_ECDSA_256: case OAKLEY_ECDSA_384: case OAKLEY_ECDSA_521: case XAUTHInitRSA: case XAUTHRespRSA: /* * We must at least be able to find our private key .*/ if (d->spd.this.sc == NULL /* no smartcard */ && get_private_key(d) == NULL) /* no private key */ { continue; } break; default: bad_case(auth); } /* d has passed all the tests. * We'll go with it if the Peer ID was an exact match. */ if (prio == 0) { return d; } /* We'll remember it as best_found in case an exact * match doesn't come along. */ if (prio < best_prio) { best_found = d; best_prio = prio; } } if (wcpip) return best_found; /* been around twice already */ /* Starting second time around. * We're willing to settle for a connection that needs Peer IP * instantiated: Road Warrior or Opportunistic. * Look on list of connections for host pair with wildcard Peer IP */ d = find_host_pair_connections(&c->spd.this.host_addr, c->spd.this.host_port , (ip_address *)NULL, c->spd.that.host_port); } } /** * With virtual addressing, we must not allow someone to use an already * used (by another id) addr/net. */ static bool is_virtual_net_used(const ip_subnet *peer_net, identification_t *peer_id) { connection_t *d; for (d = connections; d != NULL; d = d->ac_next) { switch (d->kind) { case CK_PERMANENT: case CK_INSTANCE: if ((subnetinsubnet(peer_net,&d->spd.that.client) || subnetinsubnet(&d->spd.that.client,peer_net)) && !d->spd.that.id->equals(d->spd.that.id, peer_id)) { char client[SUBNETTOT_BUF]; subnettot(peer_net, 0, client, sizeof(client)); plog("Virtual IP %s is already used by '%Y'", client, d->spd.that.id); plog("Your ID is '%Y'", peer_id); return TRUE; /* already used by another one */ } break; case CK_GOING_AWAY: default: break; } } return FALSE; /* you can safely use it */ } /* find_client_connection: given a connection suitable for ISAKMP * (i.e. the hosts match), find a one suitable for IPSEC * (i.e. with matching clients). * * If we don't find an exact match (not even our current connection), * we try for one that still needs instantiation. Try Road Warrior * abstract connections and the Opportunistic abstract connections. * This requires inverse instantiation: abstraction. * * After failing to find an exact match, we abstract the peer * to be NO_IP (the wildcard value). This enables matches with * Road Warrior and Opportunistic abstract connections. * * After failing that search, we also abstract the Phase 1 peer ID * if possible. If the peer's ID was the peer's IP address, we make * it NO_ID; instantiation will make it the peer's IP address again. * * If searching for a Road Warrior abstract connection fails, * and conditions are suitable, we search for the best Opportunistic * abstract connection. * * Note: in the end, both Phase 1 IDs must be preserved, after any * instantiation. They are the IDs that have been authenticated. */ #define PATH_WEIGHT 1 #define WILD_WEIGHT (X509_MAX_PATH_LEN+1) #define PRIO_WEIGHT (ID_MATCH_PERFECT+1) * WILD_WEIGHT /* fc_try: a helper function for find_client_connection */ static connection_t *fc_try(const connection_t *c, struct host_pair *hp, identification_t *peer_id, const ip_subnet *our_net, const ip_subnet *peer_net, const u_int8_t our_protocol, const u_int16_t our_port, const u_int8_t peer_protocol, const u_int16_t peer_port, identification_t *peer_ca, ietf_attributes_t *peer_attributes) { connection_t *d; connection_t *best = NULL; policy_prio_t best_prio = BOTTOM_PRIO; id_match_t match_level; int pathlen; const bool peer_net_is_host = subnetisaddr(peer_net, &c->spd.that.host_addr); for (d = hp->connections; d != NULL; d = d->hp_next) { struct spd_route *sr; if (d->policy & POLICY_GROUP) { continue; } match_level = c->spd.that.id->matches(c->spd.that.id, d->spd.that.id); if (!(c->spd.this.id->equals(c->spd.this.id, d->spd.this.id) && (match_level > ID_MATCH_NONE) && trusted_ca(peer_ca, d->spd.that.ca, &pathlen) && match_group_membership(peer_attributes, d->name, d->spd.that.groups))) { continue; } /* compare protocol and ports */ if (d->spd.this.protocol != our_protocol || d->spd.this.port != our_port || d->spd.that.protocol != peer_protocol || (d->spd.that.port != peer_port && !d->spd.that.has_port_wildcard)) { continue; } /* non-Opportunistic case: * our_client must match. * * So must peer_client, but the testing is complicated * by the fact that the peer might be a wildcard * and if so, the default value of that.client * won't match the default peer_net. The appropriate test: * * If d has a peer client, it must match peer_net. * If d has no peer client, peer_net must just have peer itself. */ for (sr = &d->spd; best != d && sr != NULL; sr = sr->next) { policy_prio_t prio; #ifdef DEBUG if (DBGP(DBG_CONTROLMORE)) { char s1[SUBNETTOT_BUF],d1[SUBNETTOT_BUF]; char s3[SUBNETTOT_BUF],d3[SUBNETTOT_BUF]; subnettot(our_net, 0, s1, sizeof(s1)); subnettot(peer_net, 0, d1, sizeof(d1)); subnettot(&sr->this.client, 0, s3, sizeof(s3)); subnettot(&sr->that.client, 0, d3, sizeof(d3)); DBG_log(" fc_try trying " "%s:%s:%d/%d -> %s:%d/%d vs %s:%s:%d/%d -> %s:%d/%d" , c->name, s1, c->spd.this.protocol, c->spd.this.port , d1, c->spd.that.protocol, c->spd.that.port , d->name, s3, sr->this.protocol, sr->this.port , d3, sr->that.protocol, sr->that.port); } #endif /* DEBUG */ if (!samesubnet(&sr->this.client, our_net)) { continue; } if (sr->that.has_client) { if (sr->that.has_client_wildcard) { if (!subnetinsubnet(peer_net, &sr->that.client)) { continue; } } else { if (!samesubnet(&sr->that.client, peer_net) && !is_virtual_connection(d)) { continue; } if (is_virtual_connection(d) && (!is_virtual_net_allowed(d, peer_net, &c->spd.that.host_addr) || is_virtual_net_used(peer_net, peer_id?peer_id:c->spd.that.id))) { continue; } } } else { host_t *vip = c->spd.that.host_srcip; if (!peer_net_is_host && !(sr->that.modecfg && c->spd.that.modecfg && subnetisaddr(peer_net, (ip_address*)vip->get_sockaddr(vip)))) { continue; } } /* We've run the gauntlet -- success: * We've got an exact match of subnets. * The connection is feasible, but we continue looking for the best. * The highest priority wins, implementing eroute-like rule. * - a routed connection is preferrred * - given that, the smallest number of ID wildcards are preferred * - given that, the shortest CA pathlength is preferred */ prio = PRIO_WEIGHT * routed(sr->routing) + WILD_WEIGHT * match_level + PATH_WEIGHT * (X509_MAX_PATH_LEN - pathlen) + 1; if (prio > best_prio) { best = d; best_prio = prio; } } } if (best && NEVER_NEGOTIATE(best->policy)) { best = NULL; } DBG(DBG_CONTROLMORE, DBG_log(" fc_try concluding with %s [%ld]" , (best ? best->name : "none"), best_prio) ) return best; } static connection_t *fc_try_oppo(const connection_t *c, struct host_pair *hp, const ip_subnet *our_net, const ip_subnet *peer_net, const u_int8_t our_protocol, const u_int16_t our_port, const u_int8_t peer_protocol, const u_int16_t peer_port, identification_t *peer_ca, ietf_attributes_t *peer_attributes) { connection_t *d; connection_t *best = NULL; policy_prio_t best_prio = BOTTOM_PRIO; id_match_t match_level; int pathlen; for (d = hp->connections; d != NULL; d = d->hp_next) { struct spd_route *sr; policy_prio_t prio; if (d->policy & POLICY_GROUP) { continue; } match_level = c->spd.that.id->matches(c->spd.that.id, c->spd.that.id); if (!(c->spd.this.id->equals(c->spd.this.id, d->spd.this.id) && (match_level > ID_MATCH_NONE) && trusted_ca(peer_ca, d->spd.that.ca, &pathlen) && match_group_membership(peer_attributes, d->name, d->spd.that.groups))) { continue; } /* compare protocol and ports */ if (d->spd.this.protocol != our_protocol || d->spd.this.port != our_port || d->spd.that.protocol != peer_protocol || (d->spd.that.port != peer_port && !d->spd.that.has_port_wildcard)) { continue; } /* Opportunistic case: * our_net must be inside d->spd.this.client * and peer_net must be inside d->spd.that.client * Note: this host_pair chain also has shunt * eroute conns (clear, drop), but they won't * be marked as opportunistic. */ for (sr = &d->spd; sr != NULL; sr = sr->next) { #ifdef DEBUG if (DBGP(DBG_CONTROLMORE)) { char s1[SUBNETTOT_BUF],d1[SUBNETTOT_BUF]; char s3[SUBNETTOT_BUF],d3[SUBNETTOT_BUF]; subnettot(our_net, 0, s1, sizeof(s1)); subnettot(peer_net, 0, d1, sizeof(d1)); subnettot(&sr->this.client, 0, s3, sizeof(s3)); subnettot(&sr->that.client, 0, d3, sizeof(d3)); DBG_log(" fc_try_oppo trying %s:%s -> %s vs %s:%s -> %s" , c->name, s1, d1, d->name, s3, d3); } #endif /* DEBUG */ if (!subnetinsubnet(our_net, &sr->this.client) || !subnetinsubnet(peer_net, &sr->that.client)) { continue; } /* The connection is feasible, but we continue looking for the best. * The highest priority wins, implementing eroute-like rule. * - our smallest client subnet is preferred (longest mask) * - given that, his smallest client subnet is preferred * - given that, a routed connection is preferrred * - given that, the smallest number of ID wildcards are preferred * - given that, the shortest CA pathlength is preferred */ prio = PRIO_WEIGHT * (d->prio + routed(sr->routing)) + WILD_WEIGHT * match_level + PATH_WEIGHT * (X509_MAX_PATH_LEN - pathlen); if (prio > best_prio) { best = d; best_prio = prio; } } } /* if the best wasn't opportunistic, we fail: it must be a shunt */ if (best && (NEVER_NEGOTIATE(best->policy) || (best->policy & POLICY_OPPO) == LEMPTY)) { best = NULL; } DBG(DBG_CONTROLMORE, DBG_log(" fc_try_oppo concluding with %s [%ld]" , (best ? best->name : "none"), best_prio) ) return best; } /* * get the peer's CA and group attributes */ void get_peer_ca_and_groups(connection_t *c, identification_t **peer_ca, ietf_attributes_t **peer_attributes) { struct state *p1st; *peer_ca = NULL; *peer_attributes = NULL; p1st = find_phase1_state(c, ISAKMP_SA_ESTABLISHED_STATES); if (p1st && p1st->st_peer_pubkey && p1st->st_peer_pubkey->issuer) { certificate_t *cert; cert = ac_get_cert(p1st->st_peer_pubkey->issuer, p1st->st_peer_pubkey->serial); if (cert && ac_verify_cert(cert, strict_crl_policy)) { ac_t *ac = (ac_t*)cert; *peer_attributes = ac->get_groups(ac); } else { DBG(DBG_CONTROL, DBG_log("no valid attribute cert found") ) } *peer_ca = p1st->st_peer_pubkey->issuer; } } connection_t *find_client_connection(connection_t *c, const ip_subnet *our_net, const ip_subnet *peer_net, const u_int8_t our_protocol, const u_int16_t our_port, const u_int8_t peer_protocol, const u_int16_t peer_port) { connection_t *d; struct spd_route *sr; ietf_attributes_t *peer_attributes = NULL; identification_t *peer_ca; get_peer_ca_and_groups(c, &peer_ca, &peer_attributes); #ifdef DEBUG if (DBGP(DBG_CONTROLMORE)) { char s1[SUBNETTOT_BUF],d1[SUBNETTOT_BUF]; subnettot(our_net, 0, s1, sizeof(s1)); subnettot(peer_net, 0, d1, sizeof(d1)); DBG_log("find_client_connection starting with %s" , (c ? c->name : "(none)")); DBG_log(" looking for %s:%d/%d -> %s:%d/%d" , s1, our_protocol, our_port , d1, peer_protocol, peer_port); } #endif /* DEBUG */ /* give priority to current connection * but even greater priority to a routed concrete connection */ { connection_t *unrouted = NULL; int srnum = -1; for (sr = &c->spd; unrouted == NULL && sr != NULL; sr = sr->next) { srnum++; #ifdef DEBUG if (DBGP(DBG_CONTROLMORE)) { char s2[SUBNETTOT_BUF],d2[SUBNETTOT_BUF]; subnettot(&sr->this.client, 0, s2, sizeof(s2)); subnettot(&sr->that.client, 0, d2, sizeof(d2)); DBG_log(" concrete checking against sr#%d %s -> %s" , srnum, s2, d2); } #endif /* DEBUG */ if (samesubnet(&sr->this.client, our_net) && samesubnet(&sr->that.client, peer_net) && sr->this.protocol == our_protocol && sr->this.port == our_port && sr->that.protocol == peer_protocol && sr->that.port == peer_port && match_group_membership(peer_attributes, c->name, sr->that.groups)) { passert(oriented(*c)); if (routed(sr->routing)) { DESTROY_IF(peer_attributes); return c; } unrouted = c; } } /* exact match? */ d = fc_try(c, c->host_pair, NULL, our_net, peer_net , our_protocol, our_port, peer_protocol, peer_port , peer_ca, peer_attributes); DBG(DBG_CONTROLMORE, DBG_log(" fc_try %s gives %s" , c->name , (d ? d->name : "none")) ) if (d == NULL) { d = unrouted; } } if (d == NULL) { /* look for an abstract connection to match */ struct spd_route *sr; struct host_pair *hp = NULL; for (sr = &c->spd; hp==NULL && sr != NULL; sr = sr->next) { hp = find_host_pair(&sr->this.host_addr , sr->this.host_port , NULL , sr->that.host_port); #ifdef DEBUG if (DBGP(DBG_CONTROLMORE)) { char s2[SUBNETTOT_BUF],d2[SUBNETTOT_BUF]; subnettot(&sr->this.client, 0, s2, sizeof(s2)); subnettot(&sr->that.client, 0, d2, sizeof(d2)); DBG_log(" checking hostpair %s -> %s is %s" , s2, d2 , (hp ? "found" : "not found")); } #endif /* DEBUG */ } if (hp) { /* RW match with actual peer_id or abstract peer_id? */ d = fc_try(c, hp, NULL, our_net, peer_net , our_protocol, our_port, peer_protocol, peer_port , peer_ca, peer_attributes); if (d == NULL && subnetishost(our_net) && subnetishost(peer_net)) { /* Opportunistic match? * Always use abstract peer_id. * Note that later instantiation will result in the same peer_id. */ d = fc_try_oppo(c, hp, our_net, peer_net , our_protocol, our_port, peer_protocol, peer_port , peer_ca, peer_attributes); } } } DBG(DBG_CONTROLMORE, DBG_log(" concluding with d = %s" , (d ? d->name : "none")) ) DESTROY_IF(peer_attributes); return d; } int connection_compare(const connection_t *ca, const connection_t *cb) { int ret; /* DBG_log("comparing %s to %s", ca->name, cb->name); */ ret = strcasecmp(ca->name, cb->name); if (ret) { return ret; } ret = ca->kind - cb->kind; /* note: enum connection_kind behaves like int */ if (ret) { return ret; } /* same name, and same type */ switch (ca->kind) { case CK_INSTANCE: return ca->instance_serial < cb->instance_serial ? -1 : ca->instance_serial > cb->instance_serial ? 1 : 0; default: return ca->prio < cb->prio ? -1 : ca->prio > cb->prio ? 1 : 0; } } static int connection_compare_qsort(const void *a, const void *b) { return connection_compare(*(const connection_t *const *)a , *(const connection_t *const *)b); } void show_connections_status(bool all, const char *name) { connection_t *c; int count, i; connection_t **array; /* make an array of connections, and sort it */ count = 0; for (c = connections; c != NULL; c = c->ac_next) { if (c->ikev1 && (name == NULL || streq(c->name, name))) count++; } array = malloc(sizeof(connection_t *)*count); count=0; for (c = connections; c != NULL; c = c->ac_next) { if (c->ikev1 && (name == NULL || streq(c->name, name))) array[count++]=c; } /* sort it! */ qsort(array, count, sizeof(connection_t *), connection_compare_qsort); for (i = 0; i < count; i++) { const char *ifn; char instance[1 + 10 + 1]; char prio[POLICY_PRIO_BUF]; c = array[i]; ifn = oriented(*c)? c->interface->rname : ""; instance[0] = '\0'; if (c->kind == CK_INSTANCE && c->instance_serial != 0) snprintf(instance, sizeof(instance), "[%lu]", c->instance_serial); /* show topology */ { char topo[BUF_LEN]; struct spd_route *sr = &c->spd; int num=0; while (sr) { (void) format_connection(topo, sizeof(topo), c, sr); whack_log(RC_COMMENT, "\"%s\"%s: %s; %s; eroute owner: #%lu" , c->name, instance, topo , enum_name(&routing_story, sr->routing) , sr->eroute_owner); sr = sr->next; num++; } } if (all) { /* show CAs if defined */ if (c->spd.this.ca && c->spd.that.ca) { whack_log(RC_COMMENT, "\"%s\"%s: CAs: \"%Y\"...\"%Y\"", c->name, instance, c->spd.this.ca, c->spd.that.ca); } else if (c->spd.this.ca) { whack_log(RC_COMMENT, "\"%s\"%s: CAs: \"%Y\"...%%any", c->name, instance, c->spd.this.ca); } else if (c->spd.that.ca) { whack_log(RC_COMMENT, "\"%s\"%s: CAs: %%any...\"%Y\"", c->name, instance, c->spd.that.ca); } /* show group attributes if defined */ if (c->spd.that.groups) { whack_log(RC_COMMENT, "\"%s\"%s: groups: %s" , c->name , instance , c->spd.that.groups->get_string(c->spd.that.groups)); } whack_log(RC_COMMENT , "\"%s\"%s: ike_life: %lus; ipsec_life: %lus;" " rekey_margin: %lus; rekey_fuzz: %lu%%; keyingtries: %lu" , c->name , instance , (unsigned long) c->sa_ike_life_seconds , (unsigned long) c->sa_ipsec_life_seconds , (unsigned long) c->sa_rekey_margin , (unsigned long) c->sa_rekey_fuzz , (unsigned long) c->sa_keying_tries); /* show DPD parameters if defined */ if (c->dpd_action != DPD_ACTION_NONE) whack_log(RC_COMMENT , "\"%s\"%s: dpd_action: %N;" " dpd_delay: %lus; dpd_timeout: %lus;" , c->name , instance , dpd_action_names, c->dpd_action , (unsigned long) c->dpd_delay , (unsigned long) c->dpd_timeout); if (c->policy_next) { whack_log(RC_COMMENT , "\"%s\"%s: policy_next: %s" , c->name, instance, c->policy_next->name); } /* Note: we display key_from_DNS_on_demand as if policy [lr]KOD */ fmt_policy_prio(c->prio, prio); whack_log(RC_COMMENT , "\"%s\"%s: policy: %s%s%s; prio: %s; interface: %s; " , c->name , instance , prettypolicy(c->policy) , c->spd.this.key_from_DNS_on_demand? "+lKOD" : "" , c->spd.that.key_from_DNS_on_demand? "+rKOD" : "" , prio , ifn); } whack_log(RC_COMMENT , "\"%s\"%s: newest ISAKMP SA: #%ld; newest IPsec SA: #%ld; " , c->name , instance , c->newest_isakmp_sa , c->newest_ipsec_sa); if (all) { ike_alg_show_connection(c, instance); kernel_alg_show_connection(c, instance); } } if (count > 0) whack_log(RC_COMMENT, BLANK_FORMAT); /* spacer */ free(array); } /* struct pending, the structure representing Quick Mode * negotiations delayed until a Keying Channel has been negotiated. * Essentially, a pending call to quick_outI1. */ struct pending { int whack_sock; struct state *isakmp_sa; connection_t *connection; lset_t policy; unsigned long try; so_serial_t replacing; struct pending *next; }; /* queue a Quick Mode negotiation pending completion of a suitable Main Mode */ void add_pending(int whack_sock, struct state *isakmp_sa, connection_t *c, lset_t policy, unsigned long try, so_serial_t replacing) { bool already_queued = FALSE; struct pending *p = c->host_pair->pending; while (p) { if (streq(c->name, p->connection->name)) { already_queued = TRUE; break; } p = p->next; } DBG(DBG_CONTROL, DBG_log("Queuing pending Quick Mode with %s \"%s\"%s" , ip_str(&c->spd.that.host_addr) , c->name , already_queued? " already done" : "") ) if (already_queued) return; p = malloc_thing(struct pending); p->whack_sock = whack_sock; p->isakmp_sa = isakmp_sa; p->connection = c; p->policy = policy; p->try = try; p->replacing = replacing; p->next = c->host_pair->pending; c->host_pair->pending = p; } /* Release all the whacks awaiting the completion of this state. * This is accomplished by closing all the whack socket file descriptors. * We go to a lot of trouble to tell each whack, but to not tell it twice. */ void release_pending_whacks(struct state *st, err_t story) { struct pending *p; struct stat stst; if (st->st_whack_sock == NULL_FD || fstat(st->st_whack_sock, &stst) != 0) zero(&stst); /* resulting st_dev/st_ino ought to be distinct */ release_whack(st); for (p = st->st_connection->host_pair->pending; p != NULL; p = p->next) { if (p->isakmp_sa == st && p->whack_sock != NULL_FD) { struct stat pst; if (fstat(p->whack_sock, &pst) == 0 && (stst.st_dev != pst.st_dev || stst.st_ino != pst.st_ino)) { passert(whack_log_fd == NULL_FD); whack_log_fd = p->whack_sock; whack_log(RC_COMMENT , "%s for ISAKMP SA, but releasing whack for pending IPSEC SA" , story); whack_log_fd = NULL_FD; } close(p->whack_sock); p->whack_sock = NULL_FD; } } } static void delete_pending(struct pending **pp) { struct pending *p = *pp; *pp = p->next; if (p->connection) { connection_discard(p->connection); } close_any(p->whack_sock); free(p); } void unpend(struct state *st) { struct pending **pp , *p; for (pp = &st->st_connection->host_pair->pending; (p = *pp) != NULL; ) { if (p->isakmp_sa == st) { DBG(DBG_CONTROL, DBG_log("unqueuing pending Quick Mode with %s \"%s\"" , ip_str(&p->connection->spd.that.host_addr) , p->connection->name)); (void) quick_outI1(p->whack_sock, st, p->connection, p->policy , p->try, p->replacing); p->whack_sock = NULL_FD; /* ownership transferred */ p->connection = NULL; /* ownership transferred */ delete_pending(pp); } else { pp = &p->next; } } } /* a Main Mode negotiation has been replaced; update any pending */ void update_pending(struct state *os, struct state *ns) { struct pending *p; for (p = os->st_connection->host_pair->pending; p != NULL; p = p->next) { if (p->isakmp_sa == os) p->isakmp_sa = ns; if (p->connection->spd.this.host_port != ns->st_connection->spd.this.host_port) { p->connection->spd.this.host_port = ns->st_connection->spd.this.host_port; p->connection->spd.that.host_port = ns->st_connection->spd.that.host_port; } } } /* a Main Mode negotiation has failed; discard any pending */ void flush_pending_by_state(struct state *st) { struct host_pair *hp = st->st_connection->host_pair; if (hp) { struct pending **pp , *p; for (pp = &hp->pending; (p = *pp) != NULL; ) { if (p->isakmp_sa == st) delete_pending(pp); else pp = &p->next; } } } /* a connection has been deleted; discard any related pending */ static void flush_pending_by_connection(connection_t *c) { if (c->host_pair) { struct pending **pp , *p; for (pp = &c->host_pair->pending; (p = *pp) != NULL; ) { if (p->connection == c) { p->connection = NULL; /* prevent delete_pending from releasing */ delete_pending(pp); } else { pp = &p->next; } } } } void show_pending_phase2(const struct host_pair *hp, const struct state *st) { const struct pending *p; for (p = hp->pending; p != NULL; p = p->next) { if (p->isakmp_sa == st) { /* connection-name state-number [replacing state-number] */ char cip[CONN_INST_BUF]; fmt_conn_instance(p->connection, cip); whack_log(RC_COMMENT, "#%lu: pending Phase 2 for \"%s\"%s replacing #%lu" , p->isakmp_sa->st_serialno , p->connection->name , cip , p->replacing); } } } /* Delete a connection if it is an instance and it is no longer in use. * We must be careful to avoid circularity: * we don't touch it if it is CK_GOING_AWAY. */ void connection_discard(connection_t *c) { if (c->kind == CK_INSTANCE) { /* see if it is being used by a pending */ struct pending *p; for (p = c->host_pair->pending; p != NULL; p = p->next) if (p->connection == c) return; /* in use, so we're done */ if (!states_use_connection(c)) delete_connection(c, FALSE); } } /* A template connection's eroute can be eclipsed by * either a %hold or an eroute for an instance iff * the template is a /32 -> /32. This requires some special casing. */ long eclipse_count = 0; connection_t *eclipsed(connection_t *c, struct spd_route **esrp) { connection_t *ue; struct spd_route *sr1 = &c->spd; ue = NULL; while (sr1 && ue) { for (ue = connections; ue != NULL; ue = ue->ac_next) { struct spd_route *srue = &ue->spd; while (srue && srue->routing == RT_ROUTED_ECLIPSED && !(samesubnet(&sr1->this.client, &srue->this.client) && samesubnet(&sr1->that.client, &srue->that.client))) { srue = srue->next; } if (srue && srue->routing == RT_ROUTED_ECLIPSED) { *esrp = srue; break; } } } return ue; } /* * Local Variables: * c-basic-offset:4 * c-style: pluto * End: */