1 /* $OpenBSD: ikev2.c,v 1.114 2014/07/09 12:05:01 markus Exp $ */ 2 3 /* 4 * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 #include <sys/param.h> 20 #include <sys/queue.h> 21 #include <sys/socket.h> 22 #include <sys/wait.h> 23 #include <sys/uio.h> 24 25 #include <netinet/in.h> 26 #include <netinet/ip_ipsp.h> 27 #include <arpa/inet.h> 28 29 #include <stdlib.h> 30 #include <stdio.h> 31 #include <unistd.h> 32 #include <string.h> 33 #include <getopt.h> 34 #include <signal.h> 35 #include <errno.h> 36 #include <err.h> 37 #include <pwd.h> 38 #include <event.h> 39 40 #include <openssl/sha.h> 41 #include <openssl/evp.h> 42 #include <openssl/x509.h> 43 44 #include "iked.h" 45 #include "ikev2.h" 46 #include "eap.h" 47 #include "dh.h" 48 49 int ikev2_dispatch_parent(int, struct privsep_proc *, struct imsg *); 50 int ikev2_dispatch_ikev1(int, struct privsep_proc *, struct imsg *); 51 int ikev2_dispatch_cert(int, struct privsep_proc *, struct imsg *); 52 53 struct iked_sa * 54 ikev2_getimsgdata(struct iked *, struct imsg *, struct iked_sahdr *, 55 u_int8_t *, u_int8_t **, size_t *); 56 57 void ikev2_recv(struct iked *, struct iked_message *); 58 int ikev2_ike_auth_recv(struct iked *, struct iked_sa *, 59 struct iked_message *); 60 int ikev2_ike_auth(struct iked *, struct iked_sa *); 61 62 void ikev2_init_recv(struct iked *, struct iked_message *, 63 struct ike_header *); 64 int ikev2_init_ike_sa_peer(struct iked *, struct iked_policy *, 65 struct iked_addr *); 66 int ikev2_init_ike_auth(struct iked *, struct iked_sa *); 67 int ikev2_init_auth(struct iked *, struct iked_message *); 68 int ikev2_init_done(struct iked *, struct iked_sa *); 69 70 void ikev2_resp_recv(struct iked *, struct iked_message *, 71 struct ike_header *); 72 int ikev2_resp_ike_sa_init(struct iked *, struct iked_message *); 73 int ikev2_resp_ike_auth(struct iked *, struct iked_sa *); 74 int ikev2_resp_ike_eap(struct iked *, struct iked_sa *, struct ibuf *); 75 76 int ikev2_send_create_child_sa(struct iked *, struct iked_sa *, 77 struct iked_spi *, u_int8_t); 78 int ikev2_ikesa_enable(struct iked *, struct iked_sa *, struct iked_sa *); 79 void ikev2_ikesa_delete(struct iked *, struct iked_sa *, int); 80 int ikev2_init_create_child_sa(struct iked *, struct iked_message *); 81 int ikev2_resp_create_child_sa(struct iked *, struct iked_message *); 82 void ikev2_ike_sa_rekey(struct iked *, void *); 83 void ikev2_ike_sa_timeout(struct iked *env, void *); 84 void ikev2_ike_sa_alive(struct iked *, void *); 85 86 int ikev2_sa_initiator(struct iked *, struct iked_sa *, 87 struct iked_sa *, struct iked_message *); 88 int ikev2_sa_responder(struct iked *, struct iked_sa *, struct iked_sa *, 89 struct iked_message *); 90 int ikev2_sa_initiator_dh(struct iked_sa *, struct iked_message *, u_int); 91 int ikev2_sa_responder_dh(struct iked_kex *, struct iked_proposals *, 92 struct iked_message *, u_int); 93 void ikev2_sa_cleanup_dh(struct iked_sa *); 94 int ikev2_sa_keys(struct iked *, struct iked_sa *, struct ibuf *); 95 int ikev2_sa_tag(struct iked_sa *, struct iked_id *); 96 int ikev2_set_sa_proposal(struct iked_sa *, struct iked_policy *, u_int); 97 98 int ikev2_childsa_negotiate(struct iked *, struct iked_sa *, 99 struct iked_kex *, struct iked_proposals *, int, int); 100 int ikev2_match_proposals(struct iked_proposal *, struct iked_proposal *, 101 struct iked_transform **); 102 int ikev2_valid_proposal(struct iked_proposal *, 103 struct iked_transform **, struct iked_transform **, int *); 104 105 ssize_t ikev2_add_proposals(struct iked *, struct iked_sa *, struct ibuf *, 106 struct iked_proposals *, u_int8_t, int, int); 107 ssize_t ikev2_add_cp(struct iked *, struct iked_sa *, struct ibuf *); 108 ssize_t ikev2_add_transform(struct ibuf *, 109 u_int8_t, u_int8_t, u_int16_t, u_int16_t); 110 ssize_t ikev2_add_ts(struct ibuf *, struct ikev2_payload **, ssize_t, 111 struct iked_sa *, int); 112 ssize_t ikev2_add_certreq(struct ibuf *, struct ikev2_payload **, ssize_t, 113 struct ibuf *, u_int8_t); 114 ssize_t ikev2_add_ipcompnotify(struct iked *, struct ibuf *, 115 struct ikev2_payload **, ssize_t, struct iked_sa *); 116 ssize_t ikev2_add_ts_payload(struct ibuf *, u_int, struct iked_sa *); 117 int ikev2_add_data(struct ibuf *, void *, size_t); 118 int ikev2_add_buf(struct ibuf *buf, struct ibuf *); 119 120 int ikev2_ipcomp_enable(struct iked *, struct iked_sa *); 121 void ikev2_ipcomp_csa_free(struct iked *, struct iked_childsa *); 122 123 int ikev2_cp_setaddr(struct iked *, struct iked_sa *); 124 int ikev2_cp_fixaddr(struct iked_sa *, struct iked_addr *, 125 struct iked_addr *); 126 127 static struct privsep_proc procs[] = { 128 { "parent", PROC_PARENT, ikev2_dispatch_parent }, 129 { "ikev1", PROC_IKEV1, ikev2_dispatch_ikev1 }, 130 { "certstore", PROC_CERT, ikev2_dispatch_cert } 131 }; 132 133 pid_t 134 ikev2(struct privsep *ps, struct privsep_proc *p) 135 { 136 return (proc_run(ps, p, procs, nitems(procs), NULL, NULL)); 137 } 138 139 int 140 ikev2_dispatch_parent(int fd, struct privsep_proc *p, struct imsg *imsg) 141 { 142 struct iked *env = p->p_env; 143 144 switch (imsg->hdr.type) { 145 case IMSG_CTL_RESET: 146 return (config_getreset(env, imsg)); 147 case IMSG_CTL_COUPLE: 148 case IMSG_CTL_DECOUPLE: 149 return (config_getcoupled(env, imsg->hdr.type)); 150 case IMSG_CTL_ACTIVE: 151 case IMSG_CTL_PASSIVE: 152 if (config_getmode(env, imsg->hdr.type) == -1) 153 return (0); /* ignore error */ 154 timer_set(env, &env->sc_inittmr, ikev2_init_ike_sa, 155 NULL); 156 timer_add(env, &env->sc_inittmr, IKED_INITIATOR_INITIAL); 157 return (0); 158 case IMSG_UDP_SOCKET: 159 return (config_getsocket(env, imsg, ikev2_msg_cb)); 160 case IMSG_PFKEY_SOCKET: 161 return (config_getpfkey(env, imsg)); 162 case IMSG_CFG_POLICY: 163 return (config_getpolicy(env, imsg)); 164 case IMSG_CFG_USER: 165 return (config_getuser(env, imsg)); 166 case IMSG_COMPILE: 167 return (config_getcompile(env, imsg)); 168 default: 169 break; 170 } 171 172 return (-1); 173 } 174 175 int 176 ikev2_dispatch_ikev1(int fd, struct privsep_proc *p, struct imsg *imsg) 177 { 178 struct iked *env = p->p_env; 179 struct iked_message msg; 180 u_int8_t *buf; 181 ssize_t len; 182 183 switch (imsg->hdr.type) { 184 case IMSG_IKE_MESSAGE: 185 log_debug("%s: message", __func__); 186 IMSG_SIZE_CHECK(imsg, &msg); 187 memcpy(&msg, imsg->data, sizeof(msg)); 188 189 len = IMSG_DATA_SIZE(imsg) - sizeof(msg); 190 buf = (u_int8_t *)imsg->data + sizeof(msg); 191 if (len <= 0 || (msg.msg_data = ibuf_new(buf, len)) == NULL) { 192 log_debug("%s: short message", __func__); 193 return (0); 194 } 195 196 log_debug("%s: message length %zd", __func__, len); 197 198 ikev2_recv(env, &msg); 199 ikev2_msg_cleanup(env, &msg); 200 return (0); 201 default: 202 break; 203 } 204 205 return (-1); 206 } 207 208 int 209 ikev2_dispatch_cert(int fd, struct privsep_proc *p, struct imsg *imsg) 210 { 211 struct iked *env = p->p_env; 212 struct iked_sahdr sh; 213 struct iked_sa *sa; 214 u_int8_t type; 215 u_int8_t *ptr; 216 size_t len; 217 struct iked_id *id = NULL; 218 int ignore = 0; 219 220 switch (imsg->hdr.type) { 221 case IMSG_CERTREQ: 222 IMSG_SIZE_CHECK(imsg, &type); 223 224 ptr = imsg->data; 225 memcpy(&type, ptr, sizeof(type)); 226 ptr += sizeof(type); 227 228 ibuf_release(env->sc_certreq); 229 env->sc_certreqtype = type; 230 env->sc_certreq = ibuf_new(ptr, 231 IMSG_DATA_SIZE(imsg) - sizeof(type)); 232 233 log_debug("%s: updated local CERTREQ type %s length %zu", 234 __func__, print_map(type, ikev2_cert_map), 235 ibuf_length(env->sc_certreq)); 236 237 break; 238 case IMSG_CERTVALID: 239 case IMSG_CERTINVALID: 240 memcpy(&sh, imsg->data, sizeof(sh)); 241 memcpy(&type, (u_int8_t *)imsg->data + sizeof(sh), 242 sizeof(type)); 243 244 /* Ignore invalid or unauthenticated SAs */ 245 if ((sa = sa_lookup(env, 246 sh.sh_ispi, sh.sh_rspi, sh.sh_initiator)) == NULL || 247 sa->sa_state < IKEV2_STATE_EAP) 248 break; 249 250 if (imsg->hdr.type == IMSG_CERTVALID) { 251 log_debug("%s: peer certificate is valid", __func__); 252 sa_stateflags(sa, IKED_REQ_CERTVALID); 253 sa_state(env, sa, IKEV2_STATE_VALID); 254 } else { 255 log_warnx("%s: peer certificate is invalid", __func__); 256 } 257 258 if (ikev2_ike_auth(env, sa) != 0) 259 log_debug("%s: failed to send ike auth", __func__); 260 break; 261 case IMSG_CERT: 262 if ((sa = ikev2_getimsgdata(env, imsg, 263 &sh, &type, &ptr, &len)) == NULL) { 264 log_debug("%s: invalid cert reply", __func__); 265 break; 266 } 267 268 /* 269 * Ignore the message if we already got a valid certificate. 270 * This might happen if the peer sent multiple CERTREQs. 271 */ 272 if (sa->sa_stateflags & IKED_REQ_CERT || 273 type == IKEV2_CERT_NONE) 274 ignore = 1; 275 276 log_debug("%s: cert type %s length %zu, %s", __func__, 277 print_map(type, ikev2_cert_map), len, 278 ignore ? "ignored" : "ok"); 279 280 if (ignore) 281 break; 282 283 if (sh.sh_initiator) 284 id = &sa->sa_icert; 285 else 286 id = &sa->sa_rcert; 287 288 id->id_type = type; 289 id->id_offset = 0; 290 ibuf_release(id->id_buf); 291 id->id_buf = NULL; 292 293 if (len <= 0 || (id->id_buf = ibuf_new(ptr, len)) == NULL) { 294 log_debug("%s: failed to get cert payload", 295 __func__); 296 break; 297 } 298 299 sa_stateflags(sa, IKED_REQ_CERT); 300 301 if (ikev2_ike_auth(env, sa) != 0) 302 log_debug("%s: failed to send ike auth", __func__); 303 break; 304 case IMSG_AUTH: 305 if ((sa = ikev2_getimsgdata(env, imsg, 306 &sh, &type, &ptr, &len)) == NULL) { 307 log_debug("%s: invalid auth reply", __func__); 308 break; 309 } 310 if (sa_stateok(sa, IKEV2_STATE_VALID)) { 311 log_warnx("%s: ignoring AUTH in state %s", __func__, 312 print_map(sa->sa_state, ikev2_state_map)); 313 break; 314 } 315 316 log_debug("%s: AUTH type %d len %zu", __func__, type, len); 317 318 id = &sa->sa_localauth; 319 id->id_type = type; 320 id->id_offset = 0; 321 ibuf_release(id->id_buf); 322 323 if (type != IKEV2_AUTH_NONE) { 324 if (len <= 0 || 325 (id->id_buf = ibuf_new(ptr, len)) == NULL) { 326 log_debug("%s: failed to get auth payload", 327 __func__); 328 break; 329 } 330 } 331 332 sa_stateflags(sa, IKED_REQ_AUTH); 333 /* Switch in case we already have certvalid or authvalid */ 334 sa_state(env, sa, IKEV2_STATE_VALID); 335 336 if (ikev2_ike_auth(env, sa) != 0) 337 log_debug("%s: failed to send ike auth", __func__); 338 break; 339 default: 340 return (-1); 341 } 342 343 return (0); 344 } 345 346 struct iked_sa * 347 ikev2_getimsgdata(struct iked *env, struct imsg *imsg, struct iked_sahdr *sh, 348 u_int8_t *type, u_int8_t **buf, size_t *size) 349 { 350 u_int8_t *ptr; 351 size_t len; 352 struct iked_sa *sa; 353 354 IMSG_SIZE_CHECK(imsg, sh); 355 356 ptr = imsg->data; 357 len = IMSG_DATA_SIZE(imsg) - sizeof(*sh) - sizeof(*type); 358 memcpy(sh, ptr, sizeof(*sh)); 359 memcpy(type, ptr + sizeof(*sh), sizeof(*type)); 360 361 sa = sa_lookup(env, sh->sh_ispi, sh->sh_rspi, sh->sh_initiator); 362 363 log_debug("%s: imsg %d rspi %s ispi %s initiator %d sa %s" 364 " type %d data length %zd", 365 __func__, imsg->hdr.type, 366 print_spi(sh->sh_rspi, 8), 367 print_spi(sh->sh_ispi, 8), 368 sh->sh_initiator, 369 sa == NULL ? "invalid" : "valid", *type, len); 370 371 if (sa == NULL) 372 return (NULL); 373 374 *buf = ptr + sizeof(*sh) + sizeof(*type); 375 *size = len; 376 377 return (sa); 378 } 379 380 void 381 ikev2_recv(struct iked *env, struct iked_message *msg) 382 { 383 struct ike_header *hdr; 384 struct iked_message *m; 385 struct iked_sa *sa; 386 u_int initiator, flag = 0; 387 388 hdr = ibuf_seek(msg->msg_data, msg->msg_offset, sizeof(*hdr)); 389 390 if (hdr == NULL || ibuf_size(msg->msg_data) < 391 (betoh32(hdr->ike_length) - msg->msg_offset)) 392 return; 393 394 initiator = (hdr->ike_flags & IKEV2_FLAG_INITIATOR) ? 0 : 1; 395 msg->msg_response = (hdr->ike_flags & IKEV2_FLAG_RESPONSE) ? 1 : 0; 396 msg->msg_sa = sa_lookup(env, 397 betoh64(hdr->ike_ispi), betoh64(hdr->ike_rspi), 398 initiator); 399 msg->msg_msgid = betoh32(hdr->ike_msgid); 400 if (policy_lookup(env, msg) != 0) 401 return; 402 403 log_info("%s: %s %s from %s %s to %s policy '%s' id %u, %ld bytes", 404 __func__, print_map(hdr->ike_exchange, ikev2_exchange_map), 405 msg->msg_response ? "response" : "request", 406 initiator ? "responder" : "initiator", 407 print_host((struct sockaddr *)&msg->msg_peer, NULL, 0), 408 print_host((struct sockaddr *)&msg->msg_local, NULL, 0), 409 msg->msg_policy->pol_name, msg->msg_msgid, 410 ibuf_length(msg->msg_data)); 411 log_debug("%s: ispi %s rspi %s", __func__, 412 print_spi(betoh64(hdr->ike_ispi), 8), 413 print_spi(betoh64(hdr->ike_rspi), 8)); 414 415 if ((sa = msg->msg_sa) == NULL) 416 goto done; 417 418 if (hdr->ike_exchange == IKEV2_EXCHANGE_CREATE_CHILD_SA) 419 flag = IKED_REQ_CHILDSA; 420 if (hdr->ike_exchange == IKEV2_EXCHANGE_INFORMATIONAL) 421 flag = IKED_REQ_INF; 422 423 if (msg->msg_response) { 424 if (msg->msg_msgid > sa->sa_reqid) 425 return; 426 if (hdr->ike_exchange != IKEV2_EXCHANGE_INFORMATIONAL && 427 !ikev2_msg_lookup(env, &sa->sa_requests, msg, hdr)) 428 return; 429 if (flag) { 430 if ((sa->sa_stateflags & flag) == 0) 431 return; 432 /* 433 * We have initiated this exchange, even if 434 * we are not the initiator of the IKE SA. 435 */ 436 initiator = 1; 437 } 438 /* 439 * There's no need to keep the request around anymore 440 */ 441 if ((m = ikev2_msg_lookup(env, &sa->sa_requests, msg, hdr))) 442 ikev2_msg_dispose(env, &sa->sa_requests, m); 443 } else { 444 if (msg->msg_msgid < sa->sa_msgid) 445 return; 446 if (flag) 447 initiator = 0; 448 /* 449 * See if we have responded to this request before 450 */ 451 if ((m = ikev2_msg_lookup(env, &sa->sa_responses, msg, hdr))) { 452 if (ikev2_msg_retransmit_response(env, sa, m)) { 453 log_warn("%s: failed to retransmit a " 454 "response", __func__); 455 sa_free(env, sa); 456 } 457 return; 458 } else if (sa->sa_msgid_set && msg->msg_msgid == sa->sa_msgid) { 459 /* 460 * Response is being worked on, most likely we're 461 * waiting for the CA process to get back to us 462 */ 463 return; 464 } 465 /* 466 * If it's a new request, make sure to update the peer's 467 * message ID and dispose of all previous responses. 468 * We need to set sa_msgid_set in order to distinguish between 469 * "last msgid was 0" and "msgid not set yet". 470 */ 471 sa->sa_msgid = msg->msg_msgid; 472 sa->sa_msgid_set = 1; 473 ikev2_msg_prevail(env, &sa->sa_responses, msg); 474 } 475 476 if (sa_address(sa, &sa->sa_peer, &msg->msg_peer, 477 sa->sa_hdr.sh_initiator) == -1 || 478 sa_address(sa, &sa->sa_local, &msg->msg_local, 479 sa->sa_hdr.sh_initiator) == -1) 480 return; 481 482 sa->sa_fd = msg->msg_fd; 483 484 log_debug("%s: updated SA to peer %s local %s", __func__, 485 print_host((struct sockaddr *)&sa->sa_peer.addr, NULL, 0), 486 print_host((struct sockaddr *)&sa->sa_local.addr, NULL, 0)); 487 488 done: 489 if (initiator) 490 ikev2_init_recv(env, msg, hdr); 491 else 492 ikev2_resp_recv(env, msg, hdr); 493 494 if (sa != NULL && sa->sa_state == IKEV2_STATE_CLOSED) { 495 log_debug("%s: closing SA", __func__); 496 sa_free(env, sa); 497 } 498 } 499 500 int 501 ikev2_ike_auth_recv(struct iked *env, struct iked_sa *sa, 502 struct iked_message *msg) 503 { 504 struct iked_id *id, *certid; 505 struct ibuf *authmsg; 506 struct iked_auth ikeauth; 507 struct iked_policy *policy = sa->sa_policy; 508 int ret = -1; 509 510 if (sa->sa_hdr.sh_initiator) { 511 id = &sa->sa_rid; 512 certid = &sa->sa_rcert; 513 } else { 514 id = &sa->sa_iid; 515 certid = &sa->sa_icert; 516 } 517 /* try to relookup the policy based on the peerid */ 518 if (msg->msg_id.id_type && !sa->sa_hdr.sh_initiator) { 519 struct iked_policy *old = sa->sa_policy; 520 521 sa->sa_policy = NULL; 522 if (policy_lookup(env, msg) == 0 && msg->msg_policy && 523 msg->msg_policy != old) { 524 log_debug("%s: policy switch %p/%s to %p/%s", 525 __func__, old, old->pol_name, 526 msg->msg_policy, msg->msg_policy->pol_name); 527 RB_REMOVE(iked_sapeers, &old->pol_sapeers, sa); 528 if (RB_INSERT(iked_sapeers, 529 &msg->msg_policy->pol_sapeers, sa)) { 530 /* failed, restore */ 531 log_debug("%s: conflicting sa", __func__); 532 RB_INSERT(iked_sapeers, &old->pol_sapeers, sa); 533 msg->msg_policy = old; 534 } else 535 policy_unref(env, old); 536 policy = sa->sa_policy = msg->msg_policy; 537 } else { 538 /* restore */ 539 msg->msg_policy = sa->sa_policy = old; 540 } 541 } 542 543 if (msg->msg_id.id_type) { 544 memcpy(id, &msg->msg_id, sizeof(*id)); 545 bzero(&msg->msg_id, sizeof(msg->msg_id)); 546 547 if (!sa->sa_hdr.sh_initiator) { 548 if ((authmsg = ikev2_msg_auth(env, sa, 549 !sa->sa_hdr.sh_initiator)) == NULL) { 550 log_debug("%s: failed to get response " 551 "auth data", __func__); 552 return (-1); 553 } 554 555 ca_setauth(env, sa, authmsg, PROC_CERT); 556 ibuf_release(authmsg); 557 } 558 } 559 560 if (msg->msg_cert.id_type) { 561 memcpy(certid, &msg->msg_cert, sizeof(*certid)); 562 bzero(&msg->msg_cert, sizeof(msg->msg_cert)); 563 564 ca_setcert(env, &sa->sa_hdr, 565 id, certid->id_type, 566 ibuf_data(certid->id_buf), 567 ibuf_length(certid->id_buf), PROC_CERT); 568 } 569 570 if (msg->msg_auth.id_type) { 571 memcpy(&ikeauth, &policy->pol_auth, sizeof(ikeauth)); 572 573 if (policy->pol_auth.auth_eap && sa->sa_eapmsk != NULL) { 574 /* 575 * The initiator EAP auth is a PSK derived 576 * from the EAP-specific MSK 577 */ 578 ikeauth.auth_method = IKEV2_AUTH_SHARED_KEY_MIC; 579 580 /* Copy session key as PSK */ 581 memcpy(ikeauth.auth_data, ibuf_data(sa->sa_eapmsk), 582 ibuf_size(sa->sa_eapmsk)); 583 ikeauth.auth_length = ibuf_size(sa->sa_eapmsk); 584 } 585 586 if (msg->msg_auth.id_type != ikeauth.auth_method) { 587 log_warnx("%s: unexpected auth method %s", __func__, 588 print_map(ikeauth.auth_method, ikev2_auth_map)); 589 return (-1); 590 } 591 592 if ((authmsg = ikev2_msg_auth(env, sa, 593 sa->sa_hdr.sh_initiator)) == NULL) { 594 log_debug("%s: failed to get auth data", __func__); 595 return (-1); 596 } 597 598 ret = ikev2_msg_authverify(env, sa, &ikeauth, 599 ibuf_data(msg->msg_auth.id_buf), 600 ibuf_length(msg->msg_auth.id_buf), 601 authmsg); 602 ibuf_release(authmsg); 603 604 if (ret != 0) { 605 log_debug("%s: ikev2_msg_authverify failed", __func__); 606 return (-1); 607 } 608 609 if (sa->sa_eapmsk != NULL) { 610 if ((authmsg = ikev2_msg_auth(env, sa, 611 !sa->sa_hdr.sh_initiator)) == NULL) { 612 log_debug("%s: failed to get auth data", 613 __func__); 614 return (-1); 615 } 616 617 /* XXX 2nd AUTH for EAP messages */ 618 ret = ikev2_msg_authsign(env, sa, &ikeauth, authmsg); 619 ibuf_release(authmsg); 620 621 if (ret != 0) { 622 /* XXX */ 623 return (-1); 624 } 625 626 /* ikev2_msg_authverify verified AUTH */ 627 sa_stateflags(sa, IKED_REQ_AUTHVALID); 628 sa_stateflags(sa, IKED_REQ_EAPVALID); 629 630 sa_state(env, sa, IKEV2_STATE_EAP_VALID); 631 } 632 } 633 634 if (!TAILQ_EMPTY(&msg->msg_proposals)) { 635 if (ikev2_sa_negotiate(&sa->sa_proposals, 636 &sa->sa_policy->pol_proposals, &msg->msg_proposals) != 0) { 637 log_debug("%s: no proposal chosen", __func__); 638 msg->msg_error = IKEV2_N_NO_PROPOSAL_CHOSEN; 639 return (-1); 640 } else 641 sa_stateflags(sa, IKED_REQ_SA); 642 } 643 return ikev2_ike_auth(env, sa); 644 } 645 646 int 647 ikev2_ike_auth(struct iked *env, struct iked_sa *sa) 648 { 649 if (sa->sa_hdr.sh_initiator) { 650 if (sa_stateok(sa, IKEV2_STATE_AUTH_SUCCESS)) 651 return (ikev2_init_done(env, sa)); 652 else 653 return (ikev2_init_ike_auth(env, sa)); 654 } 655 return (ikev2_resp_ike_auth(env, sa)); 656 } 657 658 void 659 ikev2_init_recv(struct iked *env, struct iked_message *msg, 660 struct ike_header *hdr) 661 { 662 struct iked_sa *sa; 663 in_port_t port; 664 struct iked_socket *sock; 665 666 if (ikev2_msg_valid_ike_sa(env, hdr, msg) == -1) { 667 log_debug("%s: unknown SA", __func__); 668 return; 669 } 670 sa = msg->msg_sa; 671 672 switch (hdr->ike_exchange) { 673 case IKEV2_EXCHANGE_IKE_SA_INIT: 674 /* Update the SPIs */ 675 if ((sa = sa_new(env, 676 betoh64(hdr->ike_ispi), betoh64(hdr->ike_rspi), 1, 677 NULL)) == NULL || sa != msg->msg_sa) { 678 log_debug("%s: invalid new SA", __func__); 679 if (sa) 680 sa_free(env, sa); 681 } 682 break; 683 case IKEV2_EXCHANGE_IKE_AUTH: 684 case IKEV2_EXCHANGE_CREATE_CHILD_SA: 685 if (ikev2_msg_valid_ike_sa(env, hdr, msg) == -1) 686 return; 687 break; 688 case IKEV2_EXCHANGE_INFORMATIONAL: 689 break; 690 default: 691 log_debug("%s: unsupported exchange: %s", __func__, 692 print_map(hdr->ike_exchange, ikev2_exchange_map)); 693 return; 694 } 695 696 if (ikev2_pld_parse(env, hdr, msg, msg->msg_offset) != 0) { 697 log_debug("%s: failed to parse message", __func__); 698 return; 699 } 700 701 if (!ikev2_msg_frompeer(msg)) 702 return; 703 704 if (sa->sa_udpencap && sa->sa_natt == 0 && 705 (sock = ikev2_msg_getsocket(env, 706 sa->sa_local.addr_af, 1)) != NULL) { 707 /* 708 * Update address information and use the NAT-T 709 * port and socket, if available. 710 */ 711 port = htons(socket_getport( 712 (struct sockaddr *)&sock->sock_addr)); 713 sa->sa_local.addr_port = port; 714 sa->sa_peer.addr_port = port; 715 (void)socket_af((struct sockaddr *)&sa->sa_local.addr, port); 716 (void)socket_af((struct sockaddr *)&sa->sa_peer.addr, port); 717 718 msg->msg_fd = sa->sa_fd = sock->sock_fd; 719 msg->msg_sock = sock; 720 sa->sa_natt = 1; 721 722 log_debug("%s: NAT detected, updated SA to " 723 "peer %s local %s", __func__, 724 print_host((struct sockaddr *)&sa->sa_peer.addr, NULL, 0), 725 print_host((struct sockaddr *)&sa->sa_local.addr, NULL, 0)); 726 } 727 728 switch (hdr->ike_exchange) { 729 case IKEV2_EXCHANGE_IKE_SA_INIT: 730 (void)ikev2_init_auth(env, msg); 731 break; 732 case IKEV2_EXCHANGE_IKE_AUTH: 733 (void)ikev2_ike_auth_recv(env, sa, msg); 734 break; 735 case IKEV2_EXCHANGE_CREATE_CHILD_SA: 736 (void)ikev2_init_create_child_sa(env, msg); 737 break; 738 case IKEV2_EXCHANGE_INFORMATIONAL: 739 sa->sa_stateflags &= ~IKED_REQ_INF; 740 break; 741 default: 742 log_debug("%s: exchange %s not implemented", __func__, 743 print_map(hdr->ike_exchange, ikev2_exchange_map)); 744 break; 745 } 746 } 747 748 void 749 ikev2_init_ike_sa(struct iked *env, void *arg) 750 { 751 struct iked_policy *pol; 752 753 TAILQ_FOREACH(pol, &env->sc_policies, pol_entry) { 754 if ((pol->pol_flags & IKED_POLICY_ACTIVE) == 0) 755 continue; 756 if (sa_peer_lookup(pol, &pol->pol_peer.addr) != NULL) { 757 log_debug("%s: \"%s\" is already active", 758 __func__, pol->pol_name); 759 continue; 760 } 761 762 log_debug("%s: initiating \"%s\"", __func__, pol->pol_name); 763 764 if (ikev2_init_ike_sa_peer(env, pol, &pol->pol_peer)) 765 log_debug("%s: failed to initiate with peer %s", 766 __func__, 767 print_host((struct sockaddr *)&pol->pol_peer.addr, 768 NULL, 0)); 769 } 770 771 timer_set(env, &env->sc_inittmr, ikev2_init_ike_sa, NULL); 772 timer_add(env, &env->sc_inittmr, IKED_INITIATOR_INTERVAL); 773 } 774 775 int 776 ikev2_init_ike_sa_peer(struct iked *env, struct iked_policy *pol, 777 struct iked_addr *peer) 778 { 779 struct sockaddr_storage ss; 780 struct iked_message req; 781 struct ike_header *hdr; 782 struct ikev2_payload *pld; 783 struct ikev2_keyexchange *ke; 784 struct ikev2_notify *n; 785 struct iked_sa *sa; 786 struct ibuf *buf; 787 struct group *group; 788 u_int8_t *ptr; 789 ssize_t len; 790 int ret = -1; 791 struct iked_socket *sock; 792 in_port_t port; 793 794 if ((sock = ikev2_msg_getsocket(env, peer->addr_af, 0)) == NULL) 795 return (-1); 796 797 /* Create a new initiator SA */ 798 if ((sa = sa_new(env, 0, 0, 1, pol)) == NULL) 799 return (-1); 800 801 /* Pick peer's DH group if asked */ 802 /* XXX free old sa_dhgroup ? */ 803 sa->sa_dhgroup = pol->pol_peerdh; 804 805 if (ikev2_sa_initiator(env, sa, NULL, NULL) == -1) 806 goto done; 807 808 if (pol->pol_local.addr.ss_family == AF_UNSPEC) { 809 if (socket_getaddr(sock->sock_fd, &ss) == -1) 810 goto done; 811 } else 812 memcpy(&ss, &pol->pol_local.addr, pol->pol_local.addr.ss_len); 813 814 if ((buf = ikev2_msg_init(env, &req, &peer->addr, peer->addr.ss_len, 815 &ss, ss.ss_len, 0)) == NULL) 816 goto done; 817 818 /* Inherit the port from the 1st send socket */ 819 port = htons(socket_getport((struct sockaddr *)&sock->sock_addr)); 820 (void)socket_af((struct sockaddr *)&req.msg_local, port); 821 (void)socket_af((struct sockaddr *)&req.msg_peer, port); 822 823 req.msg_fd = sock->sock_fd; 824 req.msg_sa = sa; 825 req.msg_sock = sock; 826 req.msg_msgid = ikev2_msg_id(env, sa); 827 828 /* IKE header */ 829 if ((hdr = ikev2_add_header(buf, sa, req.msg_msgid, 830 IKEV2_PAYLOAD_SA, IKEV2_EXCHANGE_IKE_SA_INIT, 0)) == NULL) 831 goto done; 832 833 /* SA payload */ 834 if ((pld = ikev2_add_payload(buf)) == NULL) 835 goto done; 836 if ((len = ikev2_add_proposals(env, sa, buf, &pol->pol_proposals, 837 IKEV2_SAPROTO_IKE, sa->sa_hdr.sh_initiator, 0)) == -1) 838 goto done; 839 840 if (ikev2_next_payload(pld, len, IKEV2_PAYLOAD_KE) == -1) 841 goto done; 842 843 /* KE payload */ 844 if ((pld = ikev2_add_payload(buf)) == NULL) 845 goto done; 846 if ((ke = ibuf_advance(buf, sizeof(*ke))) == NULL) 847 goto done; 848 if ((group = sa->sa_dhgroup) == NULL) { 849 log_debug("%s: invalid dh", __func__); 850 goto done; 851 } 852 ke->kex_dhgroup = htobe16(group->id); 853 if (ikev2_add_buf(buf, sa->sa_dhiexchange) == -1) 854 goto done; 855 len = sizeof(*ke) + dh_getlen(group); 856 857 if (ikev2_next_payload(pld, len, IKEV2_PAYLOAD_NONCE) == -1) 858 goto done; 859 860 /* NONCE payload */ 861 if ((pld = ikev2_add_payload(buf)) == NULL) 862 goto done; 863 if (ikev2_add_buf(buf, sa->sa_inonce) == -1) 864 goto done; 865 len = ibuf_size(sa->sa_inonce); 866 867 if ((env->sc_opts & IKED_OPT_NONATT) == 0) { 868 if (ntohs(port) == IKED_NATT_PORT) { 869 /* Enforce NAT-T on the initiator side */ 870 log_debug("%s: enforcing NAT-T", __func__); 871 req.msg_natt = sa->sa_natt = 1; 872 } 873 874 if (ikev2_next_payload(pld, len, IKEV2_PAYLOAD_NOTIFY) == -1) 875 goto done; 876 877 /* NAT-T notify payloads */ 878 if ((pld = ikev2_add_payload(buf)) == NULL) 879 goto done; 880 if ((n = ibuf_advance(buf, sizeof(*n))) == NULL) 881 goto done; 882 n->n_type = htobe16(IKEV2_N_NAT_DETECTION_SOURCE_IP); 883 len = ikev2_nat_detection(env, &req, NULL, 0, 0); 884 if ((ptr = ibuf_advance(buf, len)) == NULL) 885 goto done; 886 if ((len = ikev2_nat_detection(env, &req, ptr, len, 887 betoh16(n->n_type))) == -1) 888 goto done; 889 len += sizeof(*n); 890 891 if (ikev2_next_payload(pld, len, IKEV2_PAYLOAD_NOTIFY) == -1) 892 goto done; 893 894 if ((pld = ikev2_add_payload(buf)) == NULL) 895 goto done; 896 if ((n = ibuf_advance(buf, sizeof(*n))) == NULL) 897 goto done; 898 n->n_type = htobe16(IKEV2_N_NAT_DETECTION_DESTINATION_IP); 899 len = ikev2_nat_detection(env, &req, NULL, 0, 0); 900 if ((ptr = ibuf_advance(buf, len)) == NULL) 901 goto done; 902 if ((len = ikev2_nat_detection(env, &req, ptr, len, 903 betoh16(n->n_type))) == -1) 904 goto done; 905 len += sizeof(*n); 906 } 907 908 if (ikev2_next_payload(pld, len, IKEV2_PAYLOAD_NONE) == -1) 909 goto done; 910 911 if (ikev2_set_header(hdr, ibuf_size(buf) - sizeof(*hdr)) == -1) 912 goto done; 913 914 (void)ikev2_pld_parse(env, hdr, &req, 0); 915 916 ibuf_release(sa->sa_1stmsg); 917 if ((sa->sa_1stmsg = ibuf_dup(buf)) == NULL) { 918 log_debug("%s: failed to copy 1st message", __func__); 919 goto done; 920 } 921 922 memcpy(&sa->sa_polpeer, &pol->pol_peer, sizeof(sa->sa_polpeer)); 923 if (RB_INSERT(iked_sapeers, &pol->pol_sapeers, sa)) { 924 log_debug("%s: conflicting sa", __func__); 925 goto done; 926 } 927 928 if ((ret = ikev2_msg_send(env, &req)) == 0) 929 sa_state(env, sa, IKEV2_STATE_SA_INIT); 930 931 done: 932 if (ret == -1) { 933 log_debug("%s: closing SA", __func__); 934 sa_free(env, sa); 935 } 936 ikev2_msg_cleanup(env, &req); 937 938 return (ret); 939 } 940 941 int 942 ikev2_init_auth(struct iked *env, struct iked_message *msg) 943 { 944 struct iked_sa *sa = msg->msg_sa; 945 struct ibuf *authmsg; 946 947 if (sa == NULL) 948 return (-1); 949 950 if (ikev2_sa_initiator(env, sa, NULL, msg) == -1) { 951 log_debug("%s: failed to get IKE keys", __func__); 952 return (-1); 953 } 954 955 if ((authmsg = ikev2_msg_auth(env, sa, 956 !sa->sa_hdr.sh_initiator)) == NULL) { 957 log_debug("%s: failed to get auth data", __func__); 958 return (-1); 959 } 960 961 if (ca_setauth(env, sa, authmsg, PROC_CERT) == -1) { 962 log_debug("%s: failed to get cert", __func__); 963 return (-1); 964 } 965 966 return (ikev2_init_ike_auth(env, sa)); 967 } 968 969 int 970 ikev2_init_ike_auth(struct iked *env, struct iked_sa *sa) 971 { 972 struct iked_policy *pol = sa->sa_policy; 973 struct ikev2_payload *pld; 974 struct ikev2_cert *cert; 975 struct ikev2_auth *auth; 976 struct iked_id *id, *certid; 977 struct ibuf *e = NULL; 978 u_int8_t firstpayload; 979 int ret = -1; 980 ssize_t len; 981 982 if (!sa_stateok(sa, IKEV2_STATE_SA_INIT)) 983 return (0); 984 985 if (!sa->sa_localauth.id_type) { 986 log_debug("%s: no local auth", __func__); 987 return (-1); 988 } 989 990 /* New encrypted message buffer */ 991 if ((e = ibuf_static()) == NULL) 992 goto done; 993 994 id = &sa->sa_iid; 995 certid = &sa->sa_icert; 996 997 /* ID payload */ 998 if ((pld = ikev2_add_payload(e)) == NULL) 999 goto done; 1000 firstpayload = IKEV2_PAYLOAD_IDi; 1001 if (ibuf_cat(e, id->id_buf) != 0) 1002 goto done; 1003 len = ibuf_size(id->id_buf); 1004 1005 /* CERT payload */ 1006 if ((sa->sa_stateinit & IKED_REQ_CERT) && 1007 (certid->id_type != IKEV2_CERT_NONE)) { 1008 if (ikev2_next_payload(pld, len, 1009 IKEV2_PAYLOAD_CERT) == -1) 1010 goto done; 1011 if ((pld = ikev2_add_payload(e)) == NULL) 1012 goto done; 1013 if ((cert = ibuf_advance(e, sizeof(*cert))) == NULL) 1014 goto done; 1015 cert->cert_type = certid->id_type; 1016 if (ibuf_cat(e, certid->id_buf) != 0) 1017 goto done; 1018 len = ibuf_size(certid->id_buf) + sizeof(*cert); 1019 1020 /* CERTREQ payload(s) */ 1021 if ((len = ikev2_add_certreq(e, &pld, 1022 len, env->sc_certreq, env->sc_certreqtype)) == -1) 1023 goto done; 1024 1025 if (env->sc_certreqtype != pol->pol_certreqtype && 1026 (len = ikev2_add_certreq(e, &pld, 1027 len, NULL, pol->pol_certreqtype)) == -1) 1028 goto done; 1029 } 1030 1031 if (ikev2_next_payload(pld, len, IKEV2_PAYLOAD_AUTH) == -1) 1032 goto done; 1033 1034 /* AUTH payload */ 1035 if ((pld = ikev2_add_payload(e)) == NULL) 1036 goto done; 1037 if ((auth = ibuf_advance(e, sizeof(*auth))) == NULL) 1038 goto done; 1039 auth->auth_method = sa->sa_localauth.id_type; 1040 if (ibuf_cat(e, sa->sa_localauth.id_buf) != 0) 1041 goto done; 1042 len = ibuf_size(sa->sa_localauth.id_buf) + sizeof(*auth); 1043 1044 /* CP payload */ 1045 if (sa->sa_cp) { 1046 if (ikev2_next_payload(pld, len, IKEV2_PAYLOAD_CP) == -1) 1047 goto done; 1048 1049 if ((pld = ikev2_add_payload(e)) == NULL) 1050 goto done; 1051 if ((len = ikev2_add_cp(env, sa, e)) == -1) 1052 goto done; 1053 } 1054 1055 /* compression */ 1056 if ((pol->pol_flags & IKED_POLICY_IPCOMP) && 1057 (len = ikev2_add_ipcompnotify(env, e, &pld, len, sa)) == -1) 1058 goto done; 1059 1060 if (ikev2_next_payload(pld, len, IKEV2_PAYLOAD_SA) == -1) 1061 goto done; 1062 1063 /* SA payload */ 1064 if ((pld = ikev2_add_payload(e)) == NULL) 1065 goto done; 1066 if ((len = ikev2_add_proposals(env, sa, e, &pol->pol_proposals, 0, 1067 sa->sa_hdr.sh_initiator, 0)) == -1) 1068 goto done; 1069 1070 if ((len = ikev2_add_ts(e, &pld, len, sa, 0)) == -1) 1071 goto done; 1072 1073 if (ikev2_next_payload(pld, len, IKEV2_PAYLOAD_NONE) == -1) 1074 goto done; 1075 1076 ret = ikev2_msg_send_encrypt(env, sa, &e, 1077 IKEV2_EXCHANGE_IKE_AUTH, firstpayload, 0); 1078 1079 done: 1080 ibuf_release(e); 1081 1082 return (ret); 1083 } 1084 1085 int 1086 ikev2_init_done(struct iked *env, struct iked_sa *sa) 1087 { 1088 int ret; 1089 1090 if (!sa_stateok(sa, IKEV2_STATE_VALID)) 1091 return (0); /* ignored */ 1092 1093 ret = ikev2_childsa_negotiate(env, sa, &sa->sa_kex, &sa->sa_proposals, 1094 sa->sa_hdr.sh_initiator, 0); 1095 if (ret == 0) 1096 ret = ikev2_childsa_enable(env, sa); 1097 if (ret == 0) { 1098 sa_state(env, sa, IKEV2_STATE_ESTABLISHED); 1099 timer_set(env, &sa->sa_timer, ikev2_ike_sa_alive, sa); 1100 timer_add(env, &sa->sa_timer, IKED_IKE_SA_ALIVE_TIMEOUT); 1101 timer_set(env, &sa->sa_rekey, ikev2_ike_sa_rekey, sa); 1102 if (sa->sa_policy->pol_rekey) 1103 timer_add(env, &sa->sa_rekey, sa->sa_policy->pol_rekey); 1104 } 1105 1106 if (ret) 1107 ikev2_childsa_delete(env, sa, 0, 0, NULL, 1); 1108 return (ret); 1109 } 1110 1111 int 1112 ikev2_policy2id(struct iked_static_id *polid, struct iked_id *id, int srcid) 1113 { 1114 struct ikev2_id hdr; 1115 struct iked_static_id localpid; 1116 char idstr[IKED_ID_SIZE]; 1117 struct in_addr in4; 1118 struct in6_addr in6; 1119 X509_NAME *name = NULL; 1120 u_int8_t *p; 1121 size_t len; 1122 1123 /* Fixup the local Id if not specified */ 1124 if (srcid && polid->id_type == 0) { 1125 polid = &localpid; 1126 bzero(polid, sizeof(*polid)); 1127 1128 /* Create a default local ID based on our FQDN */ 1129 polid->id_type = IKEV2_ID_FQDN; 1130 if (gethostname((char *)polid->id_data, 1131 sizeof(polid->id_data)) != 0) 1132 return (-1); 1133 polid->id_offset = 0; 1134 polid->id_length = 1135 strlen((char *)polid->id_data); /* excluding NUL */ 1136 } 1137 1138 if (!polid->id_length) 1139 return (-1); 1140 1141 /* Create an IKEv2 ID payload */ 1142 bzero(&hdr, sizeof(hdr)); 1143 hdr.id_type = id->id_type = polid->id_type; 1144 id->id_offset = sizeof(hdr); 1145 1146 if ((id->id_buf = ibuf_new(&hdr, sizeof(hdr))) == NULL) 1147 return (-1); 1148 1149 switch (id->id_type) { 1150 case IKEV2_ID_IPV4: 1151 if (inet_pton(AF_INET, (char *)polid->id_data, &in4) != 1 || 1152 ibuf_add(id->id_buf, &in4, sizeof(in4)) != 0) { 1153 ibuf_release(id->id_buf); 1154 return (-1); 1155 } 1156 break; 1157 case IKEV2_ID_IPV6: 1158 if (inet_pton(AF_INET6, (char *)polid->id_data, &in6) != 1 || 1159 ibuf_add(id->id_buf, &in6, sizeof(in6)) != 0) { 1160 ibuf_release(id->id_buf); 1161 return (-1); 1162 } 1163 break; 1164 case IKEV2_ID_ASN1_DN: 1165 /* policy has ID in string-format, convert to ASN1 */ 1166 if ((name = ca_x509_name_parse(polid->id_data)) == NULL || 1167 (len = i2d_X509_NAME(name, NULL)) < 0 || 1168 (p = ibuf_reserve(id->id_buf, len)) == NULL || 1169 (i2d_X509_NAME(name, &p)) < 0) { 1170 if (name) 1171 X509_NAME_free(name); 1172 ibuf_release(id->id_buf); 1173 return (-1); 1174 } 1175 X509_NAME_free(name); 1176 break; 1177 default: 1178 if (ibuf_add(id->id_buf, 1179 polid->id_data, polid->id_length) != 0) { 1180 ibuf_release(id->id_buf); 1181 return (-1); 1182 } 1183 break; 1184 } 1185 1186 if (ikev2_print_id(id, idstr, sizeof(idstr)) == -1) 1187 return (-1); 1188 1189 log_debug("%s: %s %s length %zu", __func__, 1190 srcid ? "srcid" : "dstid", 1191 idstr, ibuf_size(id->id_buf)); 1192 1193 return (0); 1194 } 1195 1196 struct ike_header * 1197 ikev2_add_header(struct ibuf *buf, struct iked_sa *sa, 1198 u_int32_t msgid, u_int8_t nextpayload, 1199 u_int8_t exchange, u_int8_t flags) 1200 { 1201 struct ike_header *hdr; 1202 1203 if ((hdr = ibuf_advance(buf, sizeof(*hdr))) == NULL) { 1204 log_debug("%s: failed to add header", __func__); 1205 return (NULL); 1206 } 1207 1208 hdr->ike_ispi = htobe64(sa->sa_hdr.sh_ispi); 1209 hdr->ike_rspi = htobe64(sa->sa_hdr.sh_rspi); 1210 hdr->ike_nextpayload = nextpayload; 1211 hdr->ike_version = IKEV2_VERSION; 1212 hdr->ike_exchange = exchange; 1213 hdr->ike_msgid = htobe32(msgid); 1214 hdr->ike_length = htobe32(sizeof(*hdr)); 1215 hdr->ike_flags = flags; 1216 1217 if (sa->sa_hdr.sh_initiator) 1218 hdr->ike_flags |= IKEV2_FLAG_INITIATOR; 1219 1220 return (hdr); 1221 } 1222 1223 int 1224 ikev2_set_header(struct ike_header *hdr, size_t length) 1225 { 1226 u_int32_t hdrlength = sizeof(*hdr) + length; 1227 1228 if (hdrlength > UINT32_MAX) { 1229 log_debug("%s: message too long", __func__); 1230 return (-1); 1231 } 1232 1233 hdr->ike_length = htobe32(sizeof(*hdr) + length); 1234 1235 return (0); 1236 } 1237 1238 struct ikev2_payload * 1239 ikev2_add_payload(struct ibuf *buf) 1240 { 1241 struct ikev2_payload *pld; 1242 1243 if ((pld = ibuf_advance(buf, sizeof(*pld))) == NULL) { 1244 log_debug("%s: failed to add payload", __func__); 1245 return (NULL); 1246 } 1247 1248 pld->pld_nextpayload = IKEV2_PAYLOAD_NONE; 1249 pld->pld_length = sizeof(*pld); 1250 1251 return (pld); 1252 } 1253 1254 ssize_t 1255 ikev2_add_ts_payload(struct ibuf *buf, u_int type, struct iked_sa *sa) 1256 { 1257 struct iked_policy *pol = sa->sa_policy; 1258 struct ikev2_tsp *tsp; 1259 struct ikev2_ts *ts; 1260 struct iked_flow *flow; 1261 struct iked_addr *addr; 1262 struct iked_addr pooladdr; 1263 u_int8_t *ptr; 1264 size_t len = 0; 1265 u_int32_t av[4], bv[4], mv[4]; 1266 struct sockaddr_in *in4; 1267 struct sockaddr_in6 *in6; 1268 1269 if ((tsp = ibuf_advance(buf, sizeof(*tsp))) == NULL) 1270 return (-1); 1271 tsp->tsp_count = pol->pol_nflows; 1272 len = sizeof(*tsp); 1273 1274 RB_FOREACH(flow, iked_flows, &pol->pol_flows) { 1275 if ((ts = ibuf_advance(buf, sizeof(*ts))) == NULL) 1276 return (-1); 1277 1278 if (type == IKEV2_PAYLOAD_TSi) { 1279 if (sa->sa_hdr.sh_initiator) 1280 addr = &flow->flow_src; 1281 else 1282 addr = &flow->flow_dst; 1283 } else if (type == IKEV2_PAYLOAD_TSr) { 1284 if (sa->sa_hdr.sh_initiator) 1285 addr = &flow->flow_dst; 1286 else 1287 addr = &flow->flow_src; 1288 } else 1289 return (-1); 1290 1291 /* patch remote address (if configured to 0.0.0.0) */ 1292 if ((type == IKEV2_PAYLOAD_TSi && !sa->sa_hdr.sh_initiator) || 1293 (type == IKEV2_PAYLOAD_TSr && sa->sa_hdr.sh_initiator)) { 1294 if (ikev2_cp_fixaddr(sa, addr, &pooladdr) != -1) 1295 addr = &pooladdr; 1296 } 1297 1298 ts->ts_protoid = flow->flow_ipproto; 1299 1300 if (addr->addr_port) { 1301 ts->ts_startport = addr->addr_port; 1302 ts->ts_endport = addr->addr_port; 1303 } else { 1304 ts->ts_startport = 0; 1305 ts->ts_endport = 0xffff; 1306 } 1307 1308 switch (addr->addr_af) { 1309 case AF_INET: 1310 ts->ts_type = IKEV2_TS_IPV4_ADDR_RANGE; 1311 ts->ts_length = htobe16(sizeof(*ts) + 8); 1312 1313 if ((ptr = ibuf_advance(buf, 8)) == NULL) 1314 return (-1); 1315 1316 in4 = (struct sockaddr_in *)&addr->addr; 1317 if (addr->addr_net) { 1318 /* Convert IPv4 network to address range */ 1319 mv[0] = prefixlen2mask(addr->addr_mask); 1320 av[0] = in4->sin_addr.s_addr & mv[0]; 1321 bv[0] = in4->sin_addr.s_addr | ~mv[0]; 1322 } else 1323 av[0] = bv[0] = in4->sin_addr.s_addr; 1324 1325 memcpy(ptr, &av[0], 4); 1326 memcpy(ptr + 4, &bv[0], 4); 1327 break; 1328 case AF_INET6: 1329 ts->ts_type = IKEV2_TS_IPV6_ADDR_RANGE; 1330 ts->ts_length = htobe16(sizeof(*ts) + 32); 1331 1332 if ((ptr = ibuf_advance(buf, 32)) == NULL) 1333 return (-1); 1334 1335 in6 = (struct sockaddr_in6 *)&addr->addr; 1336 1337 memcpy(&av, &in6->sin6_addr.s6_addr, 16); 1338 memcpy(&bv, &in6->sin6_addr.s6_addr, 16); 1339 if (addr->addr_net) { 1340 /* Convert IPv6 network to address range */ 1341 prefixlen2mask6(addr->addr_mask, mv); 1342 av[0] &= mv[0]; 1343 av[1] &= mv[1]; 1344 av[2] &= mv[2]; 1345 av[3] &= mv[3]; 1346 bv[0] |= ~mv[0]; 1347 bv[1] |= ~mv[1]; 1348 bv[2] |= ~mv[2]; 1349 bv[3] |= ~mv[3]; 1350 } 1351 1352 memcpy(ptr, &av, 16); 1353 memcpy(ptr + 16, &bv, 16); 1354 break; 1355 } 1356 1357 len += betoh16(ts->ts_length); 1358 } 1359 1360 return (len); 1361 } 1362 1363 ssize_t 1364 ikev2_add_ts(struct ibuf *e, struct ikev2_payload **pld, ssize_t len, 1365 struct iked_sa *sa, int reverse) 1366 { 1367 if (ikev2_next_payload(*pld, len, IKEV2_PAYLOAD_TSi) == -1) 1368 return (-1); 1369 1370 /* TSi payload */ 1371 if ((*pld = ikev2_add_payload(e)) == NULL) 1372 return (-1); 1373 if ((len = ikev2_add_ts_payload(e, reverse ? IKEV2_PAYLOAD_TSr : 1374 IKEV2_PAYLOAD_TSi, sa)) == -1) 1375 return (-1); 1376 1377 if (ikev2_next_payload(*pld, len, IKEV2_PAYLOAD_TSr) == -1) 1378 return (-1); 1379 1380 /* TSr payload */ 1381 if ((*pld = ikev2_add_payload(e)) == NULL) 1382 return (-1); 1383 if ((len = ikev2_add_ts_payload(e, reverse ? IKEV2_PAYLOAD_TSi : 1384 IKEV2_PAYLOAD_TSr, sa)) == -1) 1385 return (-1); 1386 1387 return (len); 1388 } 1389 1390 1391 ssize_t 1392 ikev2_add_certreq(struct ibuf *e, struct ikev2_payload **pld, ssize_t len, 1393 struct ibuf *certreq, u_int8_t type) 1394 { 1395 struct ikev2_cert *cert; 1396 1397 if (type == IKEV2_CERT_NONE) 1398 return (len); 1399 1400 if (ikev2_next_payload(*pld, len, IKEV2_PAYLOAD_CERTREQ) == -1) 1401 return (-1); 1402 1403 /* CERTREQ payload */ 1404 if ((*pld = ikev2_add_payload(e)) == NULL) 1405 return (-1); 1406 1407 if ((cert = ibuf_advance(e, sizeof(*cert))) == NULL) 1408 return (-1); 1409 1410 cert->cert_type = type; 1411 len = sizeof(*cert); 1412 1413 if (certreq != NULL && cert->cert_type == IKEV2_CERT_X509_CERT) { 1414 if (ikev2_add_buf(e, certreq) == -1) 1415 return (-1); 1416 len += ibuf_size(certreq); 1417 } 1418 1419 log_debug("%s: type %s length %zd", __func__, 1420 print_map(type, ikev2_cert_map), len); 1421 1422 return (len); 1423 } 1424 1425 ssize_t 1426 ikev2_add_ipcompnotify(struct iked *env, struct ibuf *e, 1427 struct ikev2_payload **pld, ssize_t len, struct iked_sa *sa) 1428 { 1429 struct iked_childsa csa; 1430 struct ikev2_notify *n; 1431 u_int8_t *ptr; 1432 u_int16_t cpi; 1433 u_int32_t spi; 1434 u_int8_t transform; 1435 1436 /* we only support deflate */ 1437 transform = IKEV2_IPCOMP_DEFLATE; 1438 1439 bzero(&csa, sizeof(csa)); 1440 csa.csa_saproto = IKEV2_SAPROTO_IPCOMP; 1441 csa.csa_ikesa = sa; 1442 csa.csa_local = &sa->sa_peer; 1443 csa.csa_peer = &sa->sa_local; 1444 1445 if (pfkey_sa_init(env->sc_pfkey, &csa, &spi) == -1) 1446 return (-1); 1447 /* 1448 * We get spi == 0 if the kernel does not support IPcomp, 1449 * so just return the length of the current payload. 1450 */ 1451 if (spi == 0) 1452 return (len); 1453 cpi = htobe16((u_int16_t)spi); 1454 if (*pld) 1455 if (ikev2_next_payload(*pld, len, IKEV2_PAYLOAD_NOTIFY) == -1) 1456 return (-1); 1457 if ((*pld = ikev2_add_payload(e)) == NULL) 1458 return (-1); 1459 len = sizeof(*n) + sizeof(cpi) + sizeof(transform); 1460 if ((ptr = ibuf_advance(e, len)) == NULL) 1461 return (-1); 1462 n = (struct ikev2_notify *)ptr; 1463 n->n_protoid = 0; 1464 n->n_spisize = 0; 1465 n->n_type = htobe16(IKEV2_N_IPCOMP_SUPPORTED); 1466 ptr += sizeof(*n); 1467 memcpy(ptr, &cpi, sizeof(cpi)); 1468 ptr += sizeof(cpi); 1469 memcpy(ptr, &transform, sizeof(transform)); 1470 1471 sa->sa_cpi_in = spi; /* already on host byte order */ 1472 log_debug("%s: sa_cpi_in 0x%04x", __func__, sa->sa_cpi_in); 1473 1474 return (len); 1475 } 1476 1477 int 1478 ikev2_next_payload(struct ikev2_payload *pld, size_t length, 1479 u_int8_t nextpayload) 1480 { 1481 size_t pldlength = sizeof(*pld) + length; 1482 1483 if (pldlength > UINT16_MAX) { 1484 log_debug("%s: payload too long", __func__); 1485 return (-1); 1486 } 1487 1488 log_debug("%s: length %zu nextpayload %s", 1489 __func__, pldlength, print_map(nextpayload, ikev2_payload_map)); 1490 1491 pld->pld_length = htobe16(pldlength); 1492 pld->pld_nextpayload = nextpayload; 1493 1494 return (0); 1495 } 1496 1497 ssize_t 1498 ikev2_nat_detection(struct iked *env, struct iked_message *msg, 1499 void *ptr, size_t len, u_int type) 1500 { 1501 EVP_MD_CTX ctx; 1502 struct ike_header *hdr; 1503 u_int8_t md[SHA_DIGEST_LENGTH]; 1504 u_int mdlen = sizeof(md); 1505 struct iked_sa *sa = msg->msg_sa; 1506 struct sockaddr_in *in4; 1507 struct sockaddr_in6 *in6; 1508 ssize_t ret = -1; 1509 struct sockaddr *src, *dst, *ss; 1510 u_int64_t rspi, ispi; 1511 struct ibuf *buf; 1512 int frompeer = 0; 1513 u_int32_t rnd; 1514 1515 if (ptr == NULL) 1516 return (mdlen); 1517 1518 if (ikev2_msg_frompeer(msg)) { 1519 buf = msg->msg_parent->msg_data; 1520 if ((hdr = ibuf_seek(buf, 0, sizeof(*hdr))) == NULL) 1521 return (-1); 1522 ispi = hdr->ike_ispi; 1523 rspi = hdr->ike_rspi; 1524 frompeer = 1; 1525 src = (struct sockaddr *)&msg->msg_peer; 1526 dst = (struct sockaddr *)&msg->msg_local; 1527 } else { 1528 ispi = htobe64(sa->sa_hdr.sh_ispi); 1529 rspi = htobe64(sa->sa_hdr.sh_rspi); 1530 frompeer = 0; 1531 src = (struct sockaddr *)&msg->msg_local; 1532 dst = (struct sockaddr *)&msg->msg_peer; 1533 } 1534 1535 EVP_MD_CTX_init(&ctx); 1536 EVP_DigestInit_ex(&ctx, EVP_sha1(), NULL); 1537 1538 switch (type) { 1539 case IKEV2_N_NAT_DETECTION_SOURCE_IP: 1540 log_debug("%s: %s source %s %s %s", __func__, 1541 frompeer ? "peer" : "local", 1542 print_spi(betoh64(ispi), 8), 1543 print_spi(betoh64(rspi), 8), 1544 print_host(src, NULL, 0)); 1545 ss = src; 1546 break; 1547 case IKEV2_N_NAT_DETECTION_DESTINATION_IP: 1548 log_debug("%s: %s destination %s %s %s", __func__, 1549 frompeer ? "peer" : "local", 1550 print_spi(betoh64(ispi), 8), 1551 print_spi(betoh64(rspi), 8), 1552 print_host(dst, NULL, 0)); 1553 ss = dst; 1554 break; 1555 default: 1556 goto done; 1557 } 1558 1559 EVP_DigestUpdate(&ctx, &ispi, sizeof(ispi)); 1560 EVP_DigestUpdate(&ctx, &rspi, sizeof(rspi)); 1561 1562 switch (ss->sa_family) { 1563 case AF_INET: 1564 in4 = (struct sockaddr_in *)ss; 1565 EVP_DigestUpdate(&ctx, &in4->sin_addr.s_addr, 1566 sizeof(in4->sin_addr.s_addr)); 1567 EVP_DigestUpdate(&ctx, &in4->sin_port, 1568 sizeof(in4->sin_port)); 1569 break; 1570 case AF_INET6: 1571 in6 = (struct sockaddr_in6 *)ss; 1572 EVP_DigestUpdate(&ctx, &in6->sin6_addr.s6_addr, 1573 sizeof(in6->sin6_addr.s6_addr)); 1574 EVP_DigestUpdate(&ctx, &in6->sin6_port, 1575 sizeof(in6->sin6_port)); 1576 break; 1577 default: 1578 goto done; 1579 } 1580 1581 if (env->sc_opts & IKED_OPT_NATT) { 1582 /* Enforce NAT-T/UDP-encapsulation by distorting the digest */ 1583 rnd = arc4random(); 1584 EVP_DigestUpdate(&ctx, &rnd, sizeof(rnd)); 1585 } 1586 1587 EVP_DigestFinal_ex(&ctx, md, &mdlen); 1588 1589 if (len < mdlen) 1590 goto done; 1591 1592 memcpy(ptr, md, mdlen); 1593 ret = mdlen; 1594 done: 1595 EVP_MD_CTX_cleanup(&ctx); 1596 1597 return (ret); 1598 } 1599 1600 ssize_t 1601 ikev2_add_cp(struct iked *env, struct iked_sa *sa, struct ibuf *buf) 1602 { 1603 struct iked_policy *pol = sa->sa_policy; 1604 struct ikev2_cp *cp; 1605 struct ikev2_cfg *cfg; 1606 struct iked_cfg *ikecfg; 1607 u_int i; 1608 u_int32_t mask4; 1609 size_t len; 1610 struct sockaddr_in *in4; 1611 struct sockaddr_in6 *in6; 1612 u_int8_t prefixlen; 1613 1614 if ((cp = ibuf_advance(buf, sizeof(*cp))) == NULL) 1615 return (-1); 1616 len = sizeof(*cp); 1617 1618 switch (sa->sa_cp) { 1619 case IKEV2_CP_REQUEST: 1620 cp->cp_type = IKEV2_CP_REPLY; 1621 break; 1622 case IKEV2_CP_REPLY: 1623 case IKEV2_CP_SET: 1624 case IKEV2_CP_ACK: 1625 /* Not yet supported */ 1626 return (-1); 1627 } 1628 1629 for (i = 0; i < pol->pol_ncfg; i++) { 1630 ikecfg = &pol->pol_cfg[i]; 1631 if (ikecfg->cfg_action != cp->cp_type) 1632 continue; 1633 1634 if ((cfg = ibuf_advance(buf, sizeof(*cfg))) == NULL) 1635 return (-1); 1636 1637 cfg->cfg_type = htobe16(ikecfg->cfg_type); 1638 len += sizeof(*cfg); 1639 1640 switch (ikecfg->cfg_type) { 1641 case IKEV2_CFG_INTERNAL_IP4_ADDRESS: 1642 case IKEV2_CFG_INTERNAL_IP4_NETMASK: 1643 case IKEV2_CFG_INTERNAL_IP4_DNS: 1644 case IKEV2_CFG_INTERNAL_IP4_NBNS: 1645 case IKEV2_CFG_INTERNAL_IP4_DHCP: 1646 case IKEV2_CFG_INTERNAL_IP4_SERVER: 1647 /* 4 bytes IPv4 address */ 1648 in4 = (ikecfg->cfg.address.addr_mask != 32 && 1649 (ikecfg->cfg_type == 1650 IKEV2_CFG_INTERNAL_IP4_ADDRESS) && 1651 sa->sa_addrpool && 1652 sa->sa_addrpool->addr_af == AF_INET) ? 1653 (struct sockaddr_in *)&sa->sa_addrpool->addr : 1654 (struct sockaddr_in *)&ikecfg->cfg.address.addr; 1655 cfg->cfg_length = htobe16(4); 1656 if (ibuf_add(buf, &in4->sin_addr.s_addr, 4) == -1) 1657 return (-1); 1658 len += 4; 1659 break; 1660 case IKEV2_CFG_INTERNAL_IP4_SUBNET: 1661 /* 4 bytes IPv4 address + 4 bytes IPv4 mask + */ 1662 in4 = (struct sockaddr_in *)&ikecfg->cfg.address.addr; 1663 mask4 = prefixlen2mask(ikecfg->cfg.address.addr_mask); 1664 cfg->cfg_length = htobe16(8); 1665 if (ibuf_add(buf, &in4->sin_addr.s_addr, 4) == -1) 1666 return (-1); 1667 if (ibuf_add(buf, &mask4, 4) == -1) 1668 return (-1); 1669 len += 8; 1670 break; 1671 case IKEV2_CFG_INTERNAL_IP6_DNS: 1672 case IKEV2_CFG_INTERNAL_IP6_NBNS: 1673 case IKEV2_CFG_INTERNAL_IP6_DHCP: 1674 case IKEV2_CFG_INTERNAL_IP6_SERVER: 1675 /* 16 bytes IPv6 address */ 1676 in6 = (struct sockaddr_in6 *)&ikecfg->cfg.address; 1677 cfg->cfg_length = htobe16(16); 1678 if (ibuf_add(buf, &in6->sin6_addr.s6_addr, 16) == -1) 1679 return (-1); 1680 len += 16; 1681 break; 1682 case IKEV2_CFG_INTERNAL_IP6_ADDRESS: 1683 case IKEV2_CFG_INTERNAL_IP6_SUBNET: 1684 /* 16 bytes IPv6 address + 1 byte prefix length */ 1685 in6 = (ikecfg->cfg.address.addr_mask != 128 && 1686 (ikecfg->cfg_type == 1687 IKEV2_CFG_INTERNAL_IP6_ADDRESS) && 1688 sa->sa_addrpool && 1689 sa->sa_addrpool->addr_af == AF_INET6) ? 1690 (struct sockaddr_in6 *)&sa->sa_addrpool->addr : 1691 (struct sockaddr_in6 *)&ikecfg->cfg.address.addr; 1692 cfg->cfg_length = htobe16(17); 1693 if (ibuf_add(buf, &in6->sin6_addr.s6_addr, 16) == -1) 1694 return (-1); 1695 if (ikecfg->cfg.address.addr_net) 1696 prefixlen = ikecfg->cfg.address.addr_mask; 1697 else 1698 prefixlen = 128; 1699 if (ibuf_add(buf, &prefixlen, 1) == -1) 1700 return (-1); 1701 len += 16 + 1; 1702 break; 1703 case IKEV2_CFG_APPLICATION_VERSION: 1704 /* Reply with an empty string (non-NUL terminated) */ 1705 cfg->cfg_length = 0; 1706 break; 1707 } 1708 } 1709 1710 return (len); 1711 } 1712 1713 ssize_t 1714 ikev2_add_proposals(struct iked *env, struct iked_sa *sa, struct ibuf *buf, 1715 struct iked_proposals *proposals, u_int8_t protoid, int initiator, 1716 int sendikespi) 1717 { 1718 struct ikev2_sa_proposal *sap; 1719 struct iked_transform *xform; 1720 struct iked_proposal *prop; 1721 struct iked_childsa csa; 1722 ssize_t length = 0, saplength, xflen; 1723 u_int64_t spi64; 1724 u_int32_t spi32, spi; 1725 u_int i; 1726 1727 TAILQ_FOREACH(prop, proposals, prop_entry) { 1728 if ((protoid && prop->prop_protoid != protoid) || 1729 (!protoid && prop->prop_protoid == IKEV2_SAPROTO_IKE)) 1730 continue; 1731 1732 if (protoid != IKEV2_SAPROTO_IKE && initiator) { 1733 bzero(&csa, sizeof(csa)); 1734 csa.csa_ikesa = sa; 1735 csa.csa_saproto = prop->prop_protoid; 1736 csa.csa_local = &sa->sa_peer; 1737 csa.csa_peer = &sa->sa_local; 1738 1739 if (pfkey_sa_init(env->sc_pfkey, &csa, &spi) == -1) 1740 return (-1); 1741 1742 prop->prop_localspi.spi = spi; 1743 prop->prop_localspi.spi_size = 4; 1744 prop->prop_localspi.spi_protoid = prop->prop_protoid; 1745 } 1746 1747 if ((sap = ibuf_advance(buf, sizeof(*sap))) == NULL) { 1748 log_debug("%s: failed to add proposal", __func__); 1749 return (-1); 1750 } 1751 1752 if (sendikespi) { 1753 /* Special case for IKE SA rekeying */ 1754 prop->prop_localspi.spi = initiator ? 1755 sa->sa_hdr.sh_ispi : sa->sa_hdr.sh_rspi; 1756 prop->prop_localspi.spi_size = 8; 1757 prop->prop_localspi.spi_protoid = IKEV2_SAPROTO_IKE; 1758 } 1759 1760 sap->sap_proposalnr = prop->prop_id; 1761 sap->sap_protoid = prop->prop_protoid; 1762 sap->sap_spisize = prop->prop_localspi.spi_size; 1763 sap->sap_transforms = prop->prop_nxforms; 1764 saplength = sizeof(*sap); 1765 1766 switch (prop->prop_localspi.spi_size) { 1767 case 4: 1768 spi32 = htobe32(prop->prop_localspi.spi); 1769 if (ibuf_add(buf, &spi32, sizeof(spi32)) != 0) 1770 return (-1); 1771 saplength += 4; 1772 break; 1773 case 8: 1774 spi64 = htobe64(prop->prop_localspi.spi); 1775 if (ibuf_add(buf, &spi64, sizeof(spi64)) != 0) 1776 return (-1); 1777 saplength += 8; 1778 break; 1779 default: 1780 break; 1781 } 1782 1783 for (i = 0; i < prop->prop_nxforms; i++) { 1784 xform = prop->prop_xforms + i; 1785 1786 if ((xflen = ikev2_add_transform(buf, 1787 i == prop->prop_nxforms - 1 ? 1788 IKEV2_XFORM_LAST : IKEV2_XFORM_MORE, 1789 xform->xform_type, xform->xform_id, 1790 xform->xform_length)) == -1) 1791 return (-1); 1792 1793 saplength += xflen; 1794 } 1795 1796 sap->sap_length = htobe16(saplength); 1797 length += saplength; 1798 } 1799 1800 log_debug("%s: length %zd", __func__, length); 1801 1802 return (length); 1803 } 1804 1805 ssize_t 1806 ikev2_add_transform(struct ibuf *buf, 1807 u_int8_t more, u_int8_t type, u_int16_t id, u_int16_t length) 1808 { 1809 struct ikev2_transform *xfrm; 1810 struct ikev2_attribute *attr; 1811 1812 if ((xfrm = ibuf_advance(buf, sizeof(*xfrm))) == NULL) { 1813 log_debug("%s: failed to add transform", __func__); 1814 return (-1); 1815 } 1816 xfrm->xfrm_more = more; 1817 xfrm->xfrm_type = type; 1818 xfrm->xfrm_id = htobe16(id); 1819 1820 if (length) { 1821 xfrm->xfrm_length = htobe16(sizeof(*xfrm) + sizeof(*attr)); 1822 1823 if ((attr = ibuf_advance(buf, sizeof(*attr))) == NULL) { 1824 log_debug("%s: failed to add attribute", __func__); 1825 return (-1); 1826 } 1827 attr->attr_type = htobe16(IKEV2_ATTRAF_TV | 1828 IKEV2_ATTRTYPE_KEY_LENGTH); 1829 attr->attr_length = htobe16(length); 1830 } else 1831 xfrm->xfrm_length = htobe16(sizeof(*xfrm)); 1832 1833 return (betoh16(xfrm->xfrm_length)); 1834 } 1835 1836 int 1837 ikev2_add_data(struct ibuf *buf, void *data, size_t length) 1838 { 1839 void *msgbuf; 1840 1841 if ((msgbuf = ibuf_advance(buf, length)) == NULL) { 1842 log_debug("%s: failed", __func__); 1843 return (-1); 1844 } 1845 memcpy(msgbuf, data, length); 1846 1847 return (0); 1848 } 1849 1850 int 1851 ikev2_add_buf(struct ibuf *buf, struct ibuf *data) 1852 { 1853 void *msgbuf; 1854 1855 if ((msgbuf = ibuf_advance(buf, ibuf_size(data))) == NULL) { 1856 log_debug("%s: failed", __func__); 1857 return (-1); 1858 } 1859 memcpy(msgbuf, ibuf_data(data), ibuf_size(data)); 1860 1861 return (0); 1862 } 1863 1864 void 1865 ikev2_resp_recv(struct iked *env, struct iked_message *msg, 1866 struct ike_header *hdr) 1867 { 1868 struct iked_sa *sa; 1869 1870 switch (hdr->ike_exchange) { 1871 case IKEV2_EXCHANGE_IKE_SA_INIT: 1872 if (msg->msg_sa != NULL) { 1873 log_debug("%s: SA already exists", __func__); 1874 return; 1875 } 1876 if ((msg->msg_sa = sa_new(env, 1877 betoh64(hdr->ike_ispi), betoh64(hdr->ike_rspi), 1878 0, msg->msg_policy)) == NULL) { 1879 log_debug("%s: failed to get new SA", __func__); 1880 return; 1881 } 1882 break; 1883 case IKEV2_EXCHANGE_IKE_AUTH: 1884 if (ikev2_msg_valid_ike_sa(env, hdr, msg) == -1) 1885 return; 1886 if (sa_stateok(msg->msg_sa, IKEV2_STATE_VALID)) { 1887 log_debug("%s: already authenticated", __func__); 1888 return; 1889 } 1890 break; 1891 case IKEV2_EXCHANGE_CREATE_CHILD_SA: 1892 if (ikev2_msg_valid_ike_sa(env, hdr, msg) == -1) 1893 return; 1894 break; 1895 case IKEV2_EXCHANGE_INFORMATIONAL: 1896 if (ikev2_msg_valid_ike_sa(env, hdr, msg) == -1) 1897 return; 1898 break; 1899 default: 1900 log_debug("%s: unsupported exchange: %s", __func__, 1901 print_map(hdr->ike_exchange, ikev2_exchange_map)); 1902 return; 1903 } 1904 1905 if (ikev2_pld_parse(env, hdr, msg, msg->msg_offset) != 0) { 1906 log_debug("%s: failed to parse message", __func__); 1907 return; 1908 } 1909 1910 if (!ikev2_msg_frompeer(msg)) 1911 return; 1912 1913 if ((sa = msg->msg_sa) == NULL) 1914 return; 1915 1916 if (msg->msg_natt && sa->sa_natt == 0) { 1917 log_debug("%s: NAT-T message received, updated SA", __func__); 1918 sa->sa_natt = 1; 1919 } 1920 1921 switch (hdr->ike_exchange) { 1922 case IKEV2_EXCHANGE_IKE_SA_INIT: 1923 if (ikev2_sa_responder(env, sa, NULL, msg) != 0) { 1924 log_debug("%s: failed to get IKE SA keys", __func__); 1925 sa_state(env, sa, IKEV2_STATE_CLOSED); 1926 return; 1927 } 1928 if (ikev2_resp_ike_sa_init(env, msg) != 0) { 1929 log_debug("%s: failed to send init response", __func__); 1930 sa_state(env, sa, IKEV2_STATE_CLOSED); 1931 return; 1932 } 1933 break; 1934 case IKEV2_EXCHANGE_IKE_AUTH: 1935 if (!sa_stateok(sa, IKEV2_STATE_SA_INIT)) { 1936 log_debug("%s: state mismatch", __func__); 1937 sa_state(env, sa, IKEV2_STATE_CLOSED); 1938 return; 1939 } 1940 1941 if (!sa_stateok(sa, IKEV2_STATE_AUTH_REQUEST) && 1942 sa->sa_policy->pol_auth.auth_eap) 1943 sa_state(env, sa, IKEV2_STATE_EAP); 1944 1945 if (ikev2_ike_auth_recv(env, sa, msg) != 0) { 1946 log_debug("%s: failed to send auth response", __func__); 1947 sa_state(env, sa, IKEV2_STATE_CLOSED); 1948 return; 1949 } 1950 break; 1951 case IKEV2_EXCHANGE_CREATE_CHILD_SA: 1952 (void)ikev2_resp_create_child_sa(env, msg); 1953 break; 1954 case IKEV2_EXCHANGE_INFORMATIONAL: 1955 if (!msg->msg_responded && !msg->msg_error) { 1956 (void)ikev2_send_ike_e(env, sa, NULL, 1957 IKEV2_PAYLOAD_NONE, IKEV2_EXCHANGE_INFORMATIONAL, 1958 1); 1959 msg->msg_responded = 1; 1960 } 1961 break; 1962 default: 1963 break; 1964 } 1965 } 1966 1967 int 1968 ikev2_resp_ike_sa_init(struct iked *env, struct iked_message *msg) 1969 { 1970 struct iked_message resp; 1971 struct ike_header *hdr; 1972 struct ikev2_payload *pld; 1973 struct ikev2_keyexchange *ke; 1974 struct ikev2_notify *n; 1975 struct iked_sa *sa = msg->msg_sa; 1976 struct ibuf *buf; 1977 struct group *group; 1978 u_int8_t *ptr; 1979 ssize_t len; 1980 int ret = -1; 1981 1982 if (sa->sa_hdr.sh_initiator) { 1983 log_debug("%s: called by initiator", __func__); 1984 return (-1); 1985 } 1986 1987 if ((buf = ikev2_msg_init(env, &resp, 1988 &msg->msg_peer, msg->msg_peerlen, 1989 &msg->msg_local, msg->msg_locallen, 1)) == NULL) 1990 goto done; 1991 1992 resp.msg_sa = sa; 1993 resp.msg_fd = msg->msg_fd; 1994 resp.msg_natt = msg->msg_natt; 1995 resp.msg_msgid = 0; 1996 1997 /* IKE header */ 1998 if ((hdr = ikev2_add_header(buf, sa, resp.msg_msgid, 1999 IKEV2_PAYLOAD_SA, IKEV2_EXCHANGE_IKE_SA_INIT, 2000 IKEV2_FLAG_RESPONSE)) == NULL) 2001 goto done; 2002 2003 /* SA payload */ 2004 if ((pld = ikev2_add_payload(buf)) == NULL) 2005 goto done; 2006 if ((len = ikev2_add_proposals(env, sa, buf, &sa->sa_proposals, 2007 IKEV2_SAPROTO_IKE, sa->sa_hdr.sh_initiator, 0)) == -1) 2008 goto done; 2009 2010 if (ikev2_next_payload(pld, len, IKEV2_PAYLOAD_KE) == -1) 2011 goto done; 2012 2013 /* KE payload */ 2014 if ((pld = ikev2_add_payload(buf)) == NULL) 2015 goto done; 2016 if ((ke = ibuf_advance(buf, sizeof(*ke))) == NULL) 2017 goto done; 2018 if ((group = sa->sa_dhgroup) == NULL) { 2019 log_debug("%s: invalid dh", __func__); 2020 goto done; 2021 } 2022 ke->kex_dhgroup = htobe16(group->id); 2023 if (ikev2_add_buf(buf, sa->sa_dhrexchange) == -1) 2024 goto done; 2025 len = sizeof(*ke) + dh_getlen(group); 2026 2027 if (ikev2_next_payload(pld, len, IKEV2_PAYLOAD_NONCE) == -1) 2028 goto done; 2029 2030 /* NONCE payload */ 2031 if ((pld = ikev2_add_payload(buf)) == NULL) 2032 goto done; 2033 if (ikev2_add_buf(buf, sa->sa_rnonce) == -1) 2034 goto done; 2035 len = ibuf_size(sa->sa_rnonce); 2036 2037 if ((env->sc_opts & IKED_OPT_NONATT) == 0 && 2038 msg->msg_local.ss_family != AF_UNSPEC) { 2039 if (ikev2_next_payload(pld, len, IKEV2_PAYLOAD_NOTIFY) == -1) 2040 goto done; 2041 2042 /* NAT-T notify payloads */ 2043 if ((pld = ikev2_add_payload(buf)) == NULL) 2044 goto done; 2045 if ((n = ibuf_advance(buf, sizeof(*n))) == NULL) 2046 goto done; 2047 n->n_type = htobe16(IKEV2_N_NAT_DETECTION_SOURCE_IP); 2048 len = ikev2_nat_detection(env, &resp, NULL, 0, 0); 2049 if ((ptr = ibuf_advance(buf, len)) == NULL) 2050 goto done; 2051 if ((len = ikev2_nat_detection(env, &resp, ptr, len, 2052 betoh16(n->n_type))) == -1) 2053 goto done; 2054 len += sizeof(*n); 2055 2056 if (ikev2_next_payload(pld, len, IKEV2_PAYLOAD_NOTIFY) == -1) 2057 goto done; 2058 2059 if ((pld = ikev2_add_payload(buf)) == NULL) 2060 goto done; 2061 if ((n = ibuf_advance(buf, sizeof(*n))) == NULL) 2062 goto done; 2063 n->n_type = htobe16(IKEV2_N_NAT_DETECTION_DESTINATION_IP); 2064 len = ikev2_nat_detection(env, &resp, NULL, 0, 0); 2065 if ((ptr = ibuf_advance(buf, len)) == NULL) 2066 goto done; 2067 if ((len = ikev2_nat_detection(env, &resp, ptr, len, 2068 betoh16(n->n_type))) == -1) 2069 goto done; 2070 len += sizeof(*n); 2071 } 2072 2073 if (sa->sa_statevalid & IKED_REQ_CERT) { 2074 /* CERTREQ payload(s) */ 2075 if ((len = ikev2_add_certreq(buf, &pld, 2076 len, env->sc_certreq, env->sc_certreqtype)) == -1) 2077 goto done; 2078 2079 if (env->sc_certreqtype != sa->sa_policy->pol_certreqtype && 2080 (len = ikev2_add_certreq(buf, &pld, 2081 len, NULL, sa->sa_policy->pol_certreqtype)) == -1) 2082 goto done; 2083 } 2084 2085 if (ikev2_next_payload(pld, len, IKEV2_PAYLOAD_NONE) == -1) 2086 goto done; 2087 2088 if (ikev2_set_header(hdr, ibuf_size(buf) - sizeof(*hdr)) == -1) 2089 goto done; 2090 2091 (void)ikev2_pld_parse(env, hdr, &resp, 0); 2092 2093 ibuf_release(sa->sa_2ndmsg); 2094 if ((sa->sa_2ndmsg = ibuf_dup(buf)) == NULL) { 2095 log_debug("%s: failed to copy 2nd message", __func__); 2096 goto done; 2097 } 2098 2099 resp.msg_sa = NULL; /* Don't save the response */ 2100 ret = ikev2_msg_send(env, &resp); 2101 2102 done: 2103 ikev2_msg_cleanup(env, &resp); 2104 2105 return (ret); 2106 } 2107 2108 int 2109 ikev2_resp_ike_auth(struct iked *env, struct iked_sa *sa) 2110 { 2111 struct ikev2_payload *pld; 2112 struct ikev2_notify *n; 2113 struct ikev2_cert *cert; 2114 struct ikev2_auth *auth; 2115 struct iked_id *id, *certid; 2116 struct ibuf *e = NULL; 2117 u_int8_t firstpayload; 2118 int ret = -1; 2119 ssize_t len; 2120 2121 if (sa == NULL) 2122 return (-1); 2123 2124 if (sa->sa_state == IKEV2_STATE_EAP) 2125 return (ikev2_resp_ike_eap(env, sa, NULL)); 2126 else if (!sa_stateok(sa, IKEV2_STATE_VALID)) 2127 return (0); /* ignore */ 2128 2129 if (ikev2_cp_setaddr(env, sa) < 0) 2130 return (-1); 2131 2132 if (ikev2_childsa_negotiate(env, sa, &sa->sa_kex, &sa->sa_proposals, 2133 sa->sa_hdr.sh_initiator, 0) < 0) 2134 return (-1); 2135 2136 /* New encrypted message buffer */ 2137 if ((e = ibuf_static()) == NULL) 2138 goto done; 2139 2140 if (!sa->sa_localauth.id_type) { 2141 /* Downgrade the state */ 2142 sa_state(env, sa, IKEV2_STATE_AUTH_SUCCESS); 2143 } 2144 2145 if (!sa_stateok(sa, IKEV2_STATE_VALID)) { 2146 /* Notify payload */ 2147 if ((pld = ikev2_add_payload(e)) == NULL) 2148 goto done; 2149 firstpayload = IKEV2_PAYLOAD_NOTIFY; 2150 2151 if ((n = ibuf_advance(e, sizeof(*n))) == NULL) 2152 goto done; 2153 n->n_protoid = IKEV2_SAPROTO_IKE; /* XXX ESP etc. */ 2154 n->n_spisize = 0; 2155 n->n_type = htobe16(IKEV2_N_AUTHENTICATION_FAILED); 2156 len = sizeof(*n); 2157 2158 goto send; 2159 } 2160 2161 if (sa->sa_hdr.sh_initiator) { 2162 id = &sa->sa_iid; 2163 certid = &sa->sa_icert; 2164 } else { 2165 id = &sa->sa_rid; 2166 certid = &sa->sa_rcert; 2167 } 2168 2169 if (sa->sa_state != IKEV2_STATE_EAP_VALID) { 2170 /* ID payload */ 2171 if ((pld = ikev2_add_payload(e)) == NULL) 2172 goto done; 2173 firstpayload = IKEV2_PAYLOAD_IDr; 2174 if (ibuf_cat(e, id->id_buf) != 0) 2175 goto done; 2176 len = ibuf_size(id->id_buf); 2177 2178 /* CERT payload */ 2179 if ((sa->sa_statevalid & IKED_REQ_CERT) && 2180 (certid->id_type != IKEV2_CERT_NONE)) { 2181 if (ikev2_next_payload(pld, len, 2182 IKEV2_PAYLOAD_CERT) == -1) 2183 goto done; 2184 2185 if ((pld = ikev2_add_payload(e)) == NULL) 2186 goto done; 2187 if ((cert = ibuf_advance(e, sizeof(*cert))) == NULL) 2188 goto done; 2189 cert->cert_type = certid->id_type; 2190 if (ibuf_cat(e, certid->id_buf) != 0) 2191 goto done; 2192 len = ibuf_size(certid->id_buf) + sizeof(*cert); 2193 } 2194 2195 if (ikev2_next_payload(pld, len, IKEV2_PAYLOAD_AUTH) == -1) 2196 goto done; 2197 } else 2198 firstpayload = IKEV2_PAYLOAD_AUTH; 2199 2200 /* AUTH payload */ 2201 if ((pld = ikev2_add_payload(e)) == NULL) 2202 goto done; 2203 if ((auth = ibuf_advance(e, sizeof(*auth))) == NULL) 2204 goto done; 2205 auth->auth_method = sa->sa_localauth.id_type; 2206 if (ibuf_cat(e, sa->sa_localauth.id_buf) != 0) 2207 goto done; 2208 len = ibuf_size(sa->sa_localauth.id_buf) + sizeof(*auth); 2209 2210 /* CP payload */ 2211 if (sa->sa_cp) { 2212 if (ikev2_next_payload(pld, len, IKEV2_PAYLOAD_CP) == -1) 2213 goto done; 2214 2215 if ((pld = ikev2_add_payload(e)) == NULL) 2216 goto done; 2217 if ((len = ikev2_add_cp(env, sa, e)) == -1) 2218 goto done; 2219 } 2220 2221 /* compression */ 2222 if (sa->sa_ipcomp && 2223 (len = ikev2_add_ipcompnotify(env, e, &pld, len, sa)) == -1) 2224 goto done; 2225 2226 if (ikev2_next_payload(pld, len, IKEV2_PAYLOAD_SA) == -1) 2227 goto done; 2228 2229 /* SA payload */ 2230 if ((pld = ikev2_add_payload(e)) == NULL) 2231 goto done; 2232 if ((len = ikev2_add_proposals(env, sa, e, &sa->sa_proposals, 0, 2233 sa->sa_hdr.sh_initiator, 0)) == -1) 2234 goto done; 2235 2236 if ((len = ikev2_add_ts(e, &pld, len, sa, 0)) == -1) 2237 goto done; 2238 2239 send: 2240 if (ikev2_next_payload(pld, len, IKEV2_PAYLOAD_NONE) == -1) 2241 goto done; 2242 2243 ret = ikev2_msg_send_encrypt(env, sa, &e, 2244 IKEV2_EXCHANGE_IKE_AUTH, firstpayload, 1); 2245 if (ret == 0) 2246 ret = ikev2_childsa_enable(env, sa); 2247 if (ret == 0) { 2248 sa_state(env, sa, IKEV2_STATE_ESTABLISHED); 2249 timer_set(env, &sa->sa_timer, ikev2_ike_sa_alive, sa); 2250 timer_add(env, &sa->sa_timer, IKED_IKE_SA_ALIVE_TIMEOUT); 2251 timer_set(env, &sa->sa_rekey, ikev2_ike_sa_rekey, sa); 2252 if (sa->sa_policy->pol_rekey) 2253 timer_add(env, &sa->sa_rekey, sa->sa_policy->pol_rekey); 2254 } 2255 2256 done: 2257 if (ret) 2258 ikev2_childsa_delete(env, sa, 0, 0, NULL, 1); 2259 ibuf_release(e); 2260 return (ret); 2261 } 2262 2263 int 2264 ikev2_resp_ike_eap(struct iked *env, struct iked_sa *sa, struct ibuf *eapmsg) 2265 { 2266 struct ikev2_payload *pld; 2267 struct ikev2_cert *cert; 2268 struct ikev2_auth *auth; 2269 struct iked_id *id, *certid; 2270 struct ibuf *e = NULL; 2271 u_int8_t firstpayload; 2272 int ret = -1; 2273 ssize_t len = 0; 2274 2275 if (!sa_stateok(sa, IKEV2_STATE_EAP)) 2276 return (0); 2277 2278 /* Responder only */ 2279 if (sa->sa_hdr.sh_initiator) 2280 return (-1); 2281 2282 /* New encrypted message buffer */ 2283 if ((e = ibuf_static()) == NULL) 2284 goto done; 2285 2286 id = &sa->sa_rid; 2287 certid = &sa->sa_rcert; 2288 2289 /* ID payload */ 2290 if ((pld = ikev2_add_payload(e)) == NULL) 2291 goto done; 2292 firstpayload = IKEV2_PAYLOAD_IDr; 2293 if (ibuf_cat(e, id->id_buf) != 0) 2294 goto done; 2295 len = ibuf_size(id->id_buf); 2296 2297 if ((sa->sa_statevalid & IKED_REQ_CERT) && 2298 (certid->id_type != IKEV2_CERT_NONE)) { 2299 if (ikev2_next_payload(pld, len, IKEV2_PAYLOAD_CERT) == -1) 2300 goto done; 2301 2302 /* CERT payload */ 2303 if ((pld = ikev2_add_payload(e)) == NULL) 2304 goto done; 2305 if ((cert = ibuf_advance(e, sizeof(*cert))) == NULL) 2306 goto done; 2307 cert->cert_type = certid->id_type; 2308 if (ibuf_cat(e, certid->id_buf) != 0) 2309 goto done; 2310 len = ibuf_size(certid->id_buf) + sizeof(*cert); 2311 } 2312 2313 if (ikev2_next_payload(pld, len, IKEV2_PAYLOAD_AUTH) == -1) 2314 goto done; 2315 2316 /* AUTH payload */ 2317 if ((pld = ikev2_add_payload(e)) == NULL) 2318 goto done; 2319 if ((auth = ibuf_advance(e, sizeof(*auth))) == NULL) 2320 goto done; 2321 auth->auth_method = sa->sa_localauth.id_type; 2322 if (ibuf_cat(e, sa->sa_localauth.id_buf) != 0) 2323 goto done; 2324 len = ibuf_size(sa->sa_localauth.id_buf) + sizeof(*auth); 2325 2326 if (ikev2_next_payload(pld, len, IKEV2_PAYLOAD_EAP) == -1) 2327 goto done; 2328 2329 /* EAP payload */ 2330 if ((pld = ikev2_add_payload(e)) == NULL) 2331 goto done; 2332 if ((len = eap_identity_request(e)) == -1) 2333 goto done; 2334 2335 if (ikev2_next_payload(pld, len, IKEV2_PAYLOAD_NONE) == -1) 2336 goto done; 2337 2338 ret = ikev2_msg_send_encrypt(env, sa, &e, 2339 IKEV2_EXCHANGE_IKE_AUTH, firstpayload, 1); 2340 2341 done: 2342 ibuf_release(e); 2343 2344 return (ret); 2345 } 2346 2347 int 2348 ikev2_send_ike_e(struct iked *env, struct iked_sa *sa, struct ibuf *buf, 2349 u_int8_t firstpayload, u_int8_t exchange, int response) 2350 { 2351 struct ikev2_payload *pld; 2352 struct ibuf *e = NULL; 2353 int ret = -1; 2354 2355 /* New encrypted message buffer */ 2356 if ((e = ibuf_static()) == NULL) 2357 goto done; 2358 2359 if ((pld = ikev2_add_payload(e)) == NULL) 2360 goto done; 2361 2362 if (buf) { 2363 if (ibuf_cat(e, buf) != 0) 2364 goto done; 2365 2366 if (ikev2_next_payload(pld, ibuf_size(buf), 2367 IKEV2_PAYLOAD_NONE) == -1) 2368 goto done; 2369 } 2370 2371 ret = ikev2_msg_send_encrypt(env, sa, &e, exchange, firstpayload, 2372 response); 2373 2374 done: 2375 ibuf_release(e); 2376 2377 return (ret); 2378 } 2379 2380 int 2381 ikev2_set_sa_proposal(struct iked_sa *sa, struct iked_policy *pol, 2382 u_int proto) 2383 { 2384 struct iked_proposal *prop, *copy; 2385 struct iked_transform *xform; 2386 u_int i; 2387 2388 /* create copy of the policy proposals */ 2389 config_free_proposals(&sa->sa_proposals, proto); 2390 TAILQ_FOREACH(prop, &pol->pol_proposals, prop_entry) { 2391 if (proto != 0 && prop->prop_protoid != proto) 2392 continue; 2393 if ((copy = config_add_proposal(&sa->sa_proposals, 2394 prop->prop_id, prop->prop_protoid)) == NULL) 2395 return (-1); 2396 for (i = 0; i < prop->prop_nxforms; i++) { 2397 xform = &prop->prop_xforms[i]; 2398 if (config_add_transform(copy, xform->xform_type, 2399 xform->xform_id, xform->xform_length, 2400 xform->xform_keylength) == NULL) 2401 return (-1); 2402 } 2403 } 2404 return (0); 2405 } 2406 2407 int 2408 ikev2_send_create_child_sa(struct iked *env, struct iked_sa *sa, 2409 struct iked_spi *rekey, u_int8_t protoid) 2410 { 2411 struct iked_policy *pol = sa->sa_policy; 2412 struct iked_childsa *csa = NULL, *csb = NULL; 2413 struct ikev2_notify *n; 2414 struct ikev2_payload *pld = NULL; 2415 struct ikev2_keyexchange *ke; 2416 struct group *group; 2417 struct ibuf *e = NULL, *nonce = NULL; 2418 u_int8_t *ptr; 2419 u_int8_t firstpayload; 2420 u_int32_t spi; 2421 ssize_t len = 0; 2422 int initiator, ret = -1; 2423 2424 if (rekey) 2425 log_debug("%s: rekeying %s spi %s", __func__, 2426 print_map(rekey->spi_protoid, ikev2_saproto_map), 2427 print_spi(rekey->spi, rekey->spi_size)); 2428 else 2429 log_debug("%s: creating new CHILD SAs", __func__); 2430 2431 /* XXX cannot initiate multiple concurrent CREATE_CHILD_SA exchanges */ 2432 if (sa->sa_stateflags & IKED_REQ_CHILDSA) { 2433 log_debug("%s: another CREATE_CHILD_SA exchange already active", 2434 __func__); 2435 return (-1); 2436 } 2437 2438 sa->sa_rekeyspi = 0; /* clear rekey spi */ 2439 initiator = sa->sa_hdr.sh_initiator ? 1 : 0; 2440 2441 if (rekey && 2442 ((csa = childsa_lookup(sa, rekey->spi, 2443 rekey->spi_protoid)) == NULL || 2444 (csb = csa->csa_peersa) == NULL)) { 2445 log_debug("%s: CHILD SA %s wasn't found", __func__, 2446 print_spi(rekey->spi, rekey->spi_size)); 2447 goto done; 2448 } 2449 2450 /* Generate new nonce */ 2451 if ((nonce = ibuf_random(IKED_NONCE_SIZE)) == NULL) 2452 goto done; 2453 2454 /* Update initiator nonce */ 2455 ibuf_release(sa->sa_inonce); 2456 sa->sa_inonce = nonce; 2457 2458 if ((e = ibuf_static()) == NULL) 2459 goto done; 2460 2461 /* compression */ 2462 if ((pol->pol_flags & IKED_POLICY_IPCOMP) && 2463 (len = ikev2_add_ipcompnotify(env, e, &pld, 0, sa)) == -1) 2464 goto done; 2465 2466 if (pld) { 2467 firstpayload = IKEV2_PAYLOAD_NOTIFY; 2468 if (ikev2_next_payload(pld, len, IKEV2_PAYLOAD_SA) == -1) 2469 goto done; 2470 } else 2471 firstpayload = IKEV2_PAYLOAD_SA; 2472 2473 /* SA payload */ 2474 if ((pld = ikev2_add_payload(e)) == NULL) 2475 goto done; 2476 2477 /* 2478 * We need to reset the sa_proposal. Otherwise it would be 2479 * left over from the IKE_AUTH exchange and would not contain 2480 * any DH groups (e.g. for ESP child SAs). 2481 */ 2482 if (ikev2_set_sa_proposal(sa, pol, protoid) < 0) { 2483 log_debug("%s: ikev2_set_sa_proposal failed", __func__); 2484 goto done; 2485 } 2486 2487 if ((len = ikev2_add_proposals(env, sa, e, &sa->sa_proposals, 2488 protoid, 1, 0)) == -1) 2489 goto done; 2490 2491 if (ikev2_next_payload(pld, len, IKEV2_PAYLOAD_NONCE) == -1) 2492 goto done; 2493 2494 /* NONCE payload */ 2495 if ((pld = ikev2_add_payload(e)) == NULL) 2496 goto done; 2497 if (ikev2_add_buf(e, nonce) == -1) 2498 goto done; 2499 len = ibuf_size(nonce); 2500 2501 if (config_findtransform(&pol->pol_proposals, IKEV2_XFORMTYPE_DH, 2502 protoid)) { 2503 log_debug("%s: enable PFS", __func__); 2504 ikev2_sa_cleanup_dh(sa); 2505 if (ikev2_sa_initiator_dh(sa, NULL, protoid) < 0) { 2506 log_debug("%s: failed to setup DH", __func__); 2507 goto done; 2508 } 2509 if (ikev2_next_payload(pld, len, IKEV2_PAYLOAD_KE) == -1) 2510 goto done; 2511 2512 /* KE payload */ 2513 if ((pld = ikev2_add_payload(e)) == NULL) 2514 goto done; 2515 if ((ke = ibuf_advance(e, sizeof(*ke))) == NULL) 2516 goto done; 2517 if ((group = sa->sa_dhgroup) == NULL) { 2518 log_debug("%s: invalid dh", __func__); 2519 goto done; 2520 } 2521 ke->kex_dhgroup = htobe16(group->id); 2522 if (ikev2_add_buf(e, sa->sa_dhiexchange) == -1) 2523 goto done; 2524 len = sizeof(*ke) + dh_getlen(group); 2525 } 2526 2527 if ((len = ikev2_add_ts(e, &pld, len, sa, !initiator)) == -1) 2528 goto done; 2529 2530 if (rekey) { 2531 if (ikev2_next_payload(pld, len, IKEV2_PAYLOAD_NOTIFY) == -1) 2532 goto done; 2533 2534 /* REKEY_SA notification */ 2535 if ((pld = ikev2_add_payload(e)) == NULL) 2536 goto done; 2537 if ((n = ibuf_advance(e, sizeof(*n))) == NULL) 2538 goto done; 2539 n->n_type = htobe16(IKEV2_N_REKEY_SA); 2540 n->n_protoid = rekey->spi_protoid; 2541 n->n_spisize = rekey->spi_size; 2542 if ((ptr = ibuf_advance(e, rekey->spi_size)) == NULL) 2543 goto done; 2544 len = rekey->spi_size; 2545 spi = htobe32((u_int32_t)csa->csa_peerspi); 2546 memcpy(ptr, &spi, rekey->spi_size); 2547 len += sizeof(*n); 2548 } 2549 2550 if (ikev2_next_payload(pld, len, IKEV2_PAYLOAD_NONE) == -1) 2551 goto done; 2552 2553 ret = ikev2_msg_send_encrypt(env, sa, &e, 2554 IKEV2_EXCHANGE_CREATE_CHILD_SA, firstpayload, 0); 2555 if (ret == 0) { 2556 if (rekey) { 2557 csa->csa_rekey = 1; 2558 csb->csa_rekey = 1; 2559 /* 2560 * Remember the peer spi of the rekeyed 2561 * SA for ikev2_init_create_child_sa(). 2562 */ 2563 sa->sa_rekeyspi = csa->csa_peerspi; 2564 } 2565 sa->sa_stateflags |= IKED_REQ_CHILDSA; 2566 } 2567 2568 done: 2569 ibuf_release(e); 2570 return (ret); 2571 } 2572 2573 void 2574 ikev2_ike_sa_rekey(struct iked *env, void *arg) 2575 { 2576 struct iked_sa *sa = arg; 2577 struct iked_sa *nsa = NULL; 2578 struct ikev2_payload *pld = NULL; 2579 struct ikev2_keyexchange *ke; 2580 struct group *group; 2581 struct ibuf *e = NULL, *nonce = NULL; 2582 ssize_t len = 0; 2583 int ret = -1; 2584 2585 log_debug("%s: called for IKE SA %p", __func__, sa); 2586 2587 if (sa->sa_stateflags & IKED_REQ_CHILDSA) { 2588 /* 2589 * We cannot initiate multiple concurrent CREATE_CHILD_SA 2590 * exchanges, so retry in one minute. 2591 */ 2592 timer_add(env, &sa->sa_rekey, 60); 2593 return; 2594 } 2595 2596 if ((nsa = sa_new(env, 0, 0, 1, sa->sa_policy)) == NULL) { 2597 log_debug("%s: failed to get new SA", __func__); 2598 goto done; 2599 } 2600 2601 if (ikev2_sa_initiator(env, nsa, sa, NULL)) { 2602 log_debug("%s: failed to setup DH", __func__); 2603 goto done; 2604 } 2605 sa_state(env, nsa, IKEV2_STATE_AUTH_SUCCESS); 2606 nonce = nsa->sa_inonce; 2607 2608 if ((e = ibuf_static()) == NULL) 2609 goto done; 2610 2611 /* SA payload */ 2612 if ((pld = ikev2_add_payload(e)) == NULL) 2613 goto done; 2614 2615 /* just reuse the old IKE SA proposals */ 2616 if ((len = ikev2_add_proposals(env, nsa, e, &sa->sa_proposals, 2617 IKEV2_SAPROTO_IKE, 1, 1)) == -1) 2618 goto done; 2619 2620 if (ikev2_next_payload(pld, len, IKEV2_PAYLOAD_NONCE) == -1) 2621 goto done; 2622 2623 /* NONCE payload */ 2624 if ((pld = ikev2_add_payload(e)) == NULL) 2625 goto done; 2626 if (ikev2_add_buf(e, nonce) == -1) 2627 goto done; 2628 len = ibuf_size(nonce); 2629 2630 if (ikev2_next_payload(pld, len, IKEV2_PAYLOAD_KE) == -1) 2631 goto done; 2632 2633 /* KE payload */ 2634 if ((pld = ikev2_add_payload(e)) == NULL) 2635 goto done; 2636 if ((ke = ibuf_advance(e, sizeof(*ke))) == NULL) 2637 goto done; 2638 if ((group = nsa->sa_dhgroup) == NULL) { 2639 log_debug("%s: invalid dh", __func__); 2640 goto done; 2641 } 2642 ke->kex_dhgroup = htobe16(group->id); 2643 if (ikev2_add_buf(e, nsa->sa_dhiexchange) == -1) 2644 goto done; 2645 len = sizeof(*ke) + dh_getlen(group); 2646 2647 if (ikev2_next_payload(pld, len, IKEV2_PAYLOAD_NONE) == -1) 2648 goto done; 2649 2650 ret = ikev2_msg_send_encrypt(env, sa, &e, 2651 IKEV2_EXCHANGE_CREATE_CHILD_SA, IKEV2_PAYLOAD_SA, 0); 2652 if (ret == 0) { 2653 sa->sa_stateflags |= IKED_REQ_CHILDSA; 2654 sa->sa_next = nsa; 2655 nsa = NULL; 2656 } 2657 done: 2658 if (nsa) 2659 sa_free(env, nsa); 2660 ibuf_release(e); 2661 2662 if (ret == 0) 2663 log_debug("%s: create child SA sent", __func__); 2664 else 2665 log_debug("%s: could not send create child SA", __func__); 2666 /* XXX should we try again in case of ret != 0 ? */ 2667 } 2668 2669 int 2670 ikev2_init_create_child_sa(struct iked *env, struct iked_message *msg) 2671 { 2672 struct iked_childsa *csa = NULL; 2673 struct iked_proposal *prop; 2674 struct iked_sa *sa = msg->msg_sa; 2675 struct iked_sa *nsa; 2676 struct iked_spi *spi; 2677 struct ikev2_delete *del; 2678 struct ibuf *buf = NULL; 2679 u_int32_t spi32; 2680 int pfs = 0, ret = -1; 2681 2682 if (!ikev2_msg_frompeer(msg) || 2683 (sa->sa_stateflags & IKED_REQ_CHILDSA) == 0) 2684 return (0); 2685 2686 if (msg->msg_prop == NULL || 2687 TAILQ_EMPTY(&msg->msg_proposals)) { 2688 log_debug("%s: no proposal specified", __func__); 2689 return (-1); 2690 } 2691 2692 if (ikev2_sa_negotiate(&sa->sa_proposals, &sa->sa_proposals, 2693 &msg->msg_proposals) != 0) { 2694 log_debug("%s: no proposal chosen", __func__); 2695 return (-1); 2696 } 2697 2698 TAILQ_FOREACH(prop, &sa->sa_proposals, prop_entry) { 2699 if (prop->prop_protoid == msg->msg_prop->prop_protoid) 2700 break; 2701 } 2702 if (prop == NULL) { 2703 log_debug("%s: failed to find %s proposals", __func__, 2704 print_map(msg->msg_prop->prop_protoid, ikev2_saproto_map)); 2705 return (-1); 2706 } 2707 2708 /* IKE SA rekeying */ 2709 if (prop->prop_protoid == IKEV2_SAPROTO_IKE) { 2710 if (sa->sa_next == NULL) { 2711 log_debug("%s: missing IKE SA for rekeying", __func__); 2712 return (-1); 2713 } 2714 /* Update the responder SPI */ 2715 spi = &msg->msg_prop->prop_peerspi; 2716 if ((nsa = sa_new(env, sa->sa_next->sa_hdr.sh_ispi, 2717 spi->spi, 1, NULL)) == NULL || nsa != sa->sa_next) { 2718 log_debug("%s: invalid rekey SA", __func__); 2719 if (nsa) 2720 sa_free(env, nsa); 2721 sa_free(env, sa->sa_next); 2722 sa->sa_next = NULL; 2723 return (-1); 2724 } 2725 if (ikev2_sa_initiator(env, nsa, sa, msg) == -1) { 2726 log_debug("%s: failed to get IKE keys", __func__); 2727 return (-1); 2728 } 2729 sa->sa_stateflags &= ~IKED_REQ_CHILDSA; 2730 sa->sa_next = NULL; 2731 return (ikev2_ikesa_enable(env, sa, nsa)); 2732 } 2733 2734 /* Child SA rekeying */ 2735 if (sa->sa_rekeyspi && 2736 (csa = childsa_lookup(sa, sa->sa_rekeyspi, prop->prop_protoid)) 2737 != NULL) { 2738 log_debug("%s: rekeying CHILD SA old %s spi %s", __func__, 2739 print_spi(csa->csa_spi.spi, csa->csa_spi.spi_size), 2740 print_spi(prop->prop_peerspi.spi, 2741 prop->prop_peerspi.spi_size)); 2742 } 2743 2744 /* check KE payload for PFS */ 2745 if (ibuf_length(msg->msg_ke)) { 2746 log_debug("%s: using PFS", __func__); 2747 if (ikev2_sa_initiator_dh(sa, msg, prop->prop_protoid) < 0) { 2748 log_debug("%s: failed to setup DH", __func__); 2749 return (ret); 2750 } 2751 if (sa->sa_dhpeer == NULL) { 2752 log_debug("%s: no peer DH", __func__); 2753 return (ret); 2754 } 2755 pfs = 1; 2756 /* XXX check group against policy ? */ 2757 /* XXX should ikev2_sa_negotiate do this? */ 2758 } 2759 2760 /* Update responder's nonce */ 2761 if (!ibuf_length(msg->msg_nonce)) { 2762 log_debug("%s: responder didn't send nonce", __func__); 2763 return (-1); 2764 } 2765 ibuf_release(sa->sa_rnonce); 2766 sa->sa_rnonce = ibuf_dup(msg->msg_nonce); 2767 2768 if (ikev2_childsa_negotiate(env, sa, &sa->sa_kex, &sa->sa_proposals, 1, 2769 pfs)) { 2770 log_debug("%s: failed to get CHILD SAs", __func__); 2771 return (-1); 2772 } 2773 2774 if (csa) { 2775 /* Child SA rekeying */ 2776 2777 if ((buf = ibuf_static()) == NULL) 2778 goto done; 2779 2780 if ((del = ibuf_advance(buf, sizeof(*del))) == NULL) 2781 goto done; 2782 2783 del->del_protoid = prop->prop_protoid; 2784 del->del_spisize = sizeof(spi32); 2785 del->del_nspi = htobe16(1); 2786 2787 spi32 = htobe32(csa->csa_spi.spi); 2788 if (ibuf_add(buf, &spi32, sizeof(spi32))) 2789 goto done; 2790 2791 if (ikev2_send_ike_e(env, sa, buf, IKEV2_PAYLOAD_DELETE, 2792 IKEV2_EXCHANGE_INFORMATIONAL, 0)) 2793 goto done; 2794 2795 sa->sa_stateflags |= IKED_REQ_INF; 2796 } 2797 2798 ret = ikev2_childsa_enable(env, sa); 2799 2800 done: 2801 sa->sa_stateflags &= ~IKED_REQ_CHILDSA; 2802 2803 if (ret) 2804 ikev2_childsa_delete(env, sa, 0, 0, NULL, 1); 2805 ibuf_release(buf); 2806 return (ret); 2807 } 2808 2809 int 2810 ikev2_ikesa_enable(struct iked *env, struct iked_sa *sa, struct iked_sa *nsa) 2811 { 2812 struct iked_childsa *csa, *nextcsa; 2813 struct iked_flow *flow, *nextflow; 2814 struct iked_proposal *prop, *nextprop; 2815 int initiator; 2816 2817 log_debug("%s: IKE SA %p ispi %s rspi %s replaced" 2818 " by SA %p ispi %s rspi %s ", 2819 __func__, sa, 2820 print_spi(sa->sa_hdr.sh_ispi, 8), 2821 print_spi(sa->sa_hdr.sh_rspi, 8), 2822 nsa, 2823 print_spi(nsa->sa_hdr.sh_ispi, 8), 2824 print_spi(nsa->sa_hdr.sh_rspi, 8)); 2825 2826 /* 2827 * Transfer policy and address: 2828 * - Remember if we initiated the original IKE-SA because of our policy. 2829 * - Note that sa_address() will insert the new SA when we set sa_peer. 2830 */ 2831 initiator = !memcmp(&sa->sa_polpeer, &sa->sa_policy->pol_peer, 2832 sizeof(sa->sa_polpeer)); 2833 nsa->sa_policy = sa->sa_policy; 2834 RB_REMOVE(iked_sapeers, &sa->sa_policy->pol_sapeers, sa); 2835 sa->sa_policy = NULL; 2836 if (sa_address(nsa, &nsa->sa_peer, &sa->sa_peer.addr, 2837 initiator) == -1 || 2838 sa_address(nsa, &nsa->sa_local, &sa->sa_local.addr, 2839 initiator) == -1) { 2840 /* reinsert old SA :/ */ 2841 sa->sa_policy = nsa->sa_policy; 2842 if (RB_FIND(iked_sapeers, &nsa->sa_policy->pol_sapeers, nsa)) 2843 RB_REMOVE(iked_sapeers, &nsa->sa_policy->pol_sapeers, nsa); 2844 RB_INSERT(iked_sapeers, &sa->sa_policy->pol_sapeers, sa); 2845 nsa->sa_policy = NULL; 2846 return (-1); 2847 } 2848 2849 /* Transfer socket and NAT information */ 2850 nsa->sa_fd = sa->sa_fd; 2851 nsa->sa_natt = sa->sa_natt; 2852 nsa->sa_udpencap = sa->sa_udpencap; 2853 2854 /* Transfer all Child SAs and flows from the old IKE SA */ 2855 for (flow = TAILQ_FIRST(&sa->sa_flows); flow != NULL; 2856 flow = nextflow) { 2857 nextflow = TAILQ_NEXT(flow, flow_entry); 2858 TAILQ_REMOVE(&sa->sa_flows, flow, flow_entry); 2859 TAILQ_INSERT_TAIL(&nsa->sa_flows, flow, 2860 flow_entry); 2861 flow->flow_ikesa = nsa; 2862 flow->flow_local = &nsa->sa_local; 2863 flow->flow_peer = &nsa->sa_peer; 2864 } 2865 for (csa = TAILQ_FIRST(&sa->sa_childsas); csa != NULL; 2866 csa = nextcsa) { 2867 nextcsa = TAILQ_NEXT(csa, csa_entry); 2868 TAILQ_REMOVE(&sa->sa_childsas, csa, csa_entry); 2869 TAILQ_INSERT_TAIL(&nsa->sa_childsas, csa, 2870 csa_entry); 2871 csa->csa_ikesa = nsa; 2872 if (csa->csa_dir == IPSP_DIRECTION_IN) { 2873 csa->csa_local = &nsa->sa_peer; 2874 csa->csa_peer = &nsa->sa_local; 2875 } else { 2876 csa->csa_local = &nsa->sa_local; 2877 csa->csa_peer = &nsa->sa_peer; 2878 } 2879 } 2880 /* Transfer all non-IKE proposals */ 2881 for (prop = TAILQ_FIRST(&sa->sa_proposals); prop != NULL; 2882 prop = nextprop) { 2883 nextprop = TAILQ_NEXT(prop, prop_entry); 2884 if (prop->prop_protoid == IKEV2_SAPROTO_IKE) 2885 continue; 2886 TAILQ_REMOVE(&sa->sa_proposals, prop, prop_entry); 2887 TAILQ_INSERT_TAIL(&nsa->sa_proposals, prop, 2888 prop_entry); 2889 } 2890 2891 /* Preserve ID information */ 2892 if (sa->sa_hdr.sh_initiator == nsa->sa_hdr.sh_initiator) { 2893 nsa->sa_iid = sa->sa_iid; 2894 nsa->sa_rid = sa->sa_rid; 2895 } else { 2896 /* initiator and responder role swapped */ 2897 nsa->sa_iid = sa->sa_rid; 2898 nsa->sa_rid = sa->sa_iid; 2899 } 2900 /* duplicate the actual buffer */ 2901 nsa->sa_iid.id_buf = ibuf_dup(nsa->sa_iid.id_buf); 2902 nsa->sa_rid.id_buf = ibuf_dup(nsa->sa_rid.id_buf); 2903 2904 /* Transfer sa_addrpool address */ 2905 if (sa->sa_addrpool) { 2906 RB_REMOVE(iked_addrpool, &env->sc_addrpool, sa); 2907 nsa->sa_addrpool = sa->sa_addrpool; 2908 sa->sa_addrpool = NULL; 2909 RB_INSERT(iked_addrpool, &env->sc_addrpool, nsa); 2910 } 2911 2912 log_debug("%s: activating new IKE SA", __func__); 2913 sa_state(env, nsa, IKEV2_STATE_ESTABLISHED); 2914 timer_set(env, &nsa->sa_timer, ikev2_ike_sa_alive, nsa); 2915 timer_add(env, &nsa->sa_timer, IKED_IKE_SA_ALIVE_TIMEOUT); 2916 timer_set(env, &nsa->sa_rekey, ikev2_ike_sa_rekey, nsa); 2917 if (nsa->sa_policy->pol_rekey) 2918 timer_add(env, &nsa->sa_rekey, nsa->sa_policy->pol_rekey); 2919 nsa->sa_stateflags = nsa->sa_statevalid; /* XXX */ 2920 2921 /* unregister DPD keep alive timer & rekey first */ 2922 if (sa->sa_state == IKEV2_STATE_ESTABLISHED) { 2923 timer_del(env, &sa->sa_rekey); 2924 timer_del(env, &sa->sa_timer); 2925 } 2926 2927 ikev2_ikesa_delete(env, sa, nsa->sa_hdr.sh_initiator); 2928 return (0); 2929 } 2930 2931 void 2932 ikev2_ikesa_delete(struct iked *env, struct iked_sa *sa, int initiator) 2933 { 2934 struct ibuf *buf = NULL; 2935 struct ikev2_delete *del; 2936 2937 if (initiator) { 2938 /* Send PAYLOAD_DELETE */ 2939 if ((buf = ibuf_static()) == NULL) 2940 goto done; 2941 if ((del = ibuf_advance(buf, sizeof(*del))) == NULL) 2942 goto done; 2943 del->del_protoid = IKEV2_SAPROTO_IKE; 2944 del->del_spisize = 0; 2945 del->del_nspi = 0; 2946 if (ikev2_send_ike_e(env, sa, buf, IKEV2_PAYLOAD_DELETE, 2947 IKEV2_EXCHANGE_INFORMATIONAL, 0) == -1) 2948 goto done; 2949 log_debug("%s: sent delete, closing SA", __func__); 2950 done: 2951 ibuf_release(buf); 2952 sa_state(env, sa, IKEV2_STATE_CLOSED); 2953 } else { 2954 sa_state(env, sa, IKEV2_STATE_CLOSING); 2955 } 2956 2957 /* Remove IKE-SA after timeout, e.g. if we don't get a delete */ 2958 timer_set(env, &sa->sa_timer, ikev2_ike_sa_timeout, sa); 2959 timer_add(env, &sa->sa_timer, IKED_IKE_SA_DELETE_TIMEOUT); 2960 } 2961 2962 int 2963 ikev2_resp_create_child_sa(struct iked *env, struct iked_message *msg) 2964 { 2965 struct iked_childsa *csa; 2966 struct iked_proposal *prop; 2967 struct iked_proposals proposals; 2968 struct iked_kex *kex, *kextmp = NULL; 2969 struct iked_sa *nsa = NULL, *sa = msg->msg_sa; 2970 struct iked_spi *spi, *rekey = &msg->msg_rekey; 2971 struct ikev2_keyexchange *ke; 2972 struct ikev2_payload *pld = NULL; 2973 struct ibuf *e = NULL, *nonce = NULL; 2974 u_int8_t firstpayload; 2975 ssize_t len = 0; 2976 int initiator, protoid, rekeying = 1; 2977 int ret = -1; 2978 int pfs = 0; 2979 2980 initiator = sa->sa_hdr.sh_initiator ? 1 : 0; 2981 2982 if (!ikev2_msg_frompeer(msg) || msg->msg_prop == NULL) 2983 return (0); 2984 2985 TAILQ_INIT(&proposals); 2986 2987 if ((protoid = rekey->spi_protoid) == 0) { 2988 /* 2989 * If REKEY_SA notification is not present, then it's either 2990 * IKE SA rekeying or the client wants to create additional 2991 * CHILD SAs 2992 */ 2993 if (msg->msg_prop->prop_protoid == IKEV2_SAPROTO_IKE) { 2994 protoid = rekey->spi_protoid = IKEV2_SAPROTO_IKE; 2995 if (sa->sa_hdr.sh_initiator) 2996 rekey->spi = sa->sa_hdr.sh_rspi; 2997 else 2998 rekey->spi = sa->sa_hdr.sh_ispi; 2999 rekey->spi_size = 8; 3000 } else { 3001 protoid = msg->msg_prop->prop_protoid; 3002 rekeying = 0; 3003 } 3004 } 3005 3006 if (rekeying) 3007 log_debug("%s: rekey %s spi %s", __func__, 3008 print_map(rekey->spi_protoid, ikev2_saproto_map), 3009 print_spi(rekey->spi, rekey->spi_size)); 3010 else 3011 log_debug("%s: creating new %s SA", __func__, 3012 print_map(protoid, ikev2_saproto_map)); 3013 3014 if (protoid == IKEV2_SAPROTO_IKE) { 3015 /* IKE SA rekeying */ 3016 spi = &msg->msg_prop->prop_peerspi; 3017 3018 if ((nsa = sa_new(env, spi->spi, 0, 0, 3019 msg->msg_policy)) == NULL) { 3020 log_debug("%s: failed to get new SA", __func__); 3021 return (ret); 3022 } 3023 3024 if (ikev2_sa_responder(env, nsa, sa, msg)) { 3025 log_debug("%s: failed to get IKE SA keys", __func__); 3026 return (ret); 3027 } 3028 3029 sa_state(env, nsa, IKEV2_STATE_AUTH_SUCCESS); 3030 3031 nonce = nsa->sa_rnonce; 3032 kex = &nsa->sa_kex; 3033 } else { 3034 /* Child SA creating/rekeying */ 3035 3036 if ((kex = kextmp = calloc(1, sizeof(*kextmp))) == NULL) { 3037 log_debug("%s: calloc kex", __func__); 3038 goto fail; 3039 } 3040 3041 if (ikev2_sa_negotiate(&proposals, 3042 &sa->sa_policy->pol_proposals, &msg->msg_proposals) != 0) { 3043 log_debug("%s: no proposal chosen", __func__); 3044 goto fail; 3045 } 3046 3047 /* check KE payload for PFS */ 3048 if (ibuf_length(msg->msg_parent->msg_ke)) { 3049 log_debug("%s: using PFS", __func__); 3050 if (ikev2_sa_responder_dh(kex, &proposals, 3051 msg->msg_parent, protoid) < 0) { 3052 log_debug("%s: failed to setup DH", __func__); 3053 goto fail; 3054 } 3055 pfs = 1; 3056 /* XXX check group against policy ? */ 3057 } 3058 3059 /* Update peer SPI */ 3060 TAILQ_FOREACH(prop, &proposals, prop_entry) { 3061 if (prop->prop_protoid == protoid) 3062 break; 3063 } 3064 if (prop == NULL) { 3065 log_debug("%s: failed to find %s proposals", __func__, 3066 print_map(protoid, ikev2_saproto_map)); 3067 goto fail; 3068 } else 3069 prop->prop_peerspi = msg->msg_prop->prop_peerspi; 3070 3071 /* Set rekeying flags on Child SAs */ 3072 if (rekeying) { 3073 if ((csa = childsa_lookup(sa, rekey->spi, 3074 rekey->spi_protoid)) == NULL) { 3075 log_debug("%s: CHILD SA %s wasn't found", 3076 __func__, print_spi(rekey->spi, 3077 rekey->spi_size)); 3078 goto fail; 3079 } 3080 if (!csa->csa_loaded || !csa->csa_peersa || 3081 !csa->csa_peersa->csa_loaded) { 3082 log_debug("%s: SA is not loaded or no peer SA", 3083 __func__); 3084 goto fail; 3085 } 3086 csa->csa_rekey = 1; 3087 csa->csa_peersa->csa_rekey = 1; 3088 } 3089 3090 /* Update initiator's nonce */ 3091 if (!ibuf_length(msg->msg_nonce)) { 3092 log_debug("%s: initiator didn't send nonce", __func__); 3093 goto fail; 3094 } 3095 ibuf_release(kex->kex_inonce); 3096 kex->kex_inonce = ibuf_dup(msg->msg_nonce); 3097 3098 /* Generate new responder's nonce */ 3099 if ((nonce = ibuf_random(IKED_NONCE_SIZE)) == NULL) 3100 goto fail; 3101 3102 /* Update responder's nonce */ 3103 ibuf_release(kex->kex_rnonce); 3104 kex->kex_rnonce = nonce; 3105 3106 if (ikev2_childsa_negotiate(env, sa, kex, &proposals, 0, pfs)) { 3107 log_debug("%s: failed to get CHILD SAs", __func__); 3108 goto fail; 3109 } 3110 } 3111 3112 if ((e = ibuf_static()) == NULL) 3113 goto done; 3114 3115 /* compression (unless IKE rekeying) */ 3116 if (!nsa && sa->sa_ipcomp && 3117 (len = ikev2_add_ipcompnotify(env, e, &pld, 0, sa)) == -1) 3118 goto done; 3119 3120 if (pld) { 3121 firstpayload = IKEV2_PAYLOAD_NOTIFY; 3122 if (ikev2_next_payload(pld, len, IKEV2_PAYLOAD_SA) == -1) 3123 goto done; 3124 } else 3125 firstpayload = IKEV2_PAYLOAD_SA; 3126 3127 /* SA payload */ 3128 if ((pld = ikev2_add_payload(e)) == NULL) 3129 goto done; 3130 3131 if ((len = ikev2_add_proposals(env, nsa ? nsa : sa, e, 3132 nsa ? &nsa->sa_proposals : &proposals, 3133 protoid, 0, nsa ? 1 : 0)) == -1) 3134 goto done; 3135 3136 if (ikev2_next_payload(pld, len, IKEV2_PAYLOAD_NONCE) == -1) 3137 goto done; 3138 3139 /* NONCE payload */ 3140 if ((pld = ikev2_add_payload(e)) == NULL) 3141 goto done; 3142 if (ikev2_add_buf(e, nonce) == -1) 3143 goto done; 3144 len = ibuf_size(nonce); 3145 3146 if (protoid == IKEV2_SAPROTO_IKE || pfs) { 3147 3148 if (ikev2_next_payload(pld, len, IKEV2_PAYLOAD_KE) == -1) 3149 goto done; 3150 3151 /* KE payload */ 3152 if ((pld = ikev2_add_payload(e)) == NULL) 3153 goto done; 3154 if ((ke = ibuf_advance(e, sizeof(*ke))) == NULL) 3155 goto done; 3156 if (kex->kex_dhgroup == NULL) { 3157 log_debug("%s: invalid dh", __func__); 3158 goto done; 3159 } 3160 ke->kex_dhgroup = htobe16(kex->kex_dhgroup->id); 3161 if (ikev2_add_buf(e, kex->kex_dhrexchange) == -1) 3162 goto done; 3163 len = sizeof(*ke) + dh_getlen(kex->kex_dhgroup); 3164 } 3165 3166 if (protoid != IKEV2_SAPROTO_IKE) 3167 if ((len = ikev2_add_ts(e, &pld, len, sa, initiator)) == -1) 3168 goto done; 3169 3170 if (ikev2_next_payload(pld, len, IKEV2_PAYLOAD_NONE) == -1) 3171 goto done; 3172 3173 if ((ret = ikev2_msg_send_encrypt(env, sa, &e, 3174 IKEV2_EXCHANGE_CREATE_CHILD_SA, firstpayload, 1)) == -1) 3175 goto done; 3176 3177 if (protoid == IKEV2_SAPROTO_IKE) 3178 ret = ikev2_ikesa_enable(env, sa, nsa); 3179 else 3180 ret = ikev2_childsa_enable(env, sa); 3181 3182 done: 3183 if (ret && protoid != IKEV2_SAPROTO_IKE) 3184 ikev2_childsa_delete(env, sa, 0, 0, NULL, 1); 3185 ibuf_release(e); 3186 config_free_proposals(&proposals, 0); 3187 config_free_kex(kextmp); 3188 return (ret); 3189 3190 fail: 3191 config_free_proposals(&proposals, 0); 3192 config_free_kex(kextmp); 3193 return (-1); 3194 } 3195 3196 void 3197 ikev2_ike_sa_timeout(struct iked *env, void *arg) 3198 { 3199 struct iked_sa *sa = arg; 3200 3201 log_debug("%s: closing SA", __func__); 3202 sa_free(env, sa); 3203 } 3204 3205 void 3206 ikev2_ike_sa_alive(struct iked *env, void *arg) 3207 { 3208 struct iked_sa *sa = arg; 3209 struct iked_childsa *csa = NULL; 3210 struct timeval tv; 3211 u_int64_t last_used, diff; 3212 int foundin = 0, foundout = 0; 3213 3214 /* check for incoming traffic on any child SA */ 3215 TAILQ_FOREACH(csa, &sa->sa_childsas, csa_entry) { 3216 if (!csa->csa_loaded || 3217 csa->csa_saproto == IKEV2_SAPROTO_IPCOMP) 3218 continue; 3219 if (pfkey_sa_last_used(env->sc_pfkey, csa, &last_used) != 0) 3220 continue; 3221 gettimeofday(&tv, NULL); 3222 diff = (u_int32_t)(tv.tv_sec - last_used); 3223 log_debug("%s: %s CHILD SA spi %s last used %llu second(s) ago", 3224 __func__, 3225 csa->csa_dir == IPSP_DIRECTION_IN ? "incoming" : "outgoing", 3226 print_spi(csa->csa_spi.spi, csa->csa_spi.spi_size), diff); 3227 if (diff < IKED_IKE_SA_ALIVE_TIMEOUT) { 3228 if (csa->csa_dir == IPSP_DIRECTION_IN) { 3229 foundin = 1; 3230 break; 3231 } else { 3232 foundout = 1; 3233 } 3234 } 3235 } 3236 3237 /* send probe if any outging SA has been used, but no incoming SA */ 3238 if (!foundin && foundout) { 3239 log_debug("%s: sending alive check", __func__); 3240 ikev2_send_ike_e(env, sa, NULL, IKEV2_PAYLOAD_NONE, 3241 IKEV2_EXCHANGE_INFORMATIONAL, 0); 3242 sa->sa_stateflags |= IKED_REQ_INF; 3243 } 3244 3245 /* re-register */ 3246 timer_add(env, &sa->sa_timer, IKED_IKE_SA_ALIVE_TIMEOUT); 3247 } 3248 3249 int 3250 ikev2_send_informational(struct iked *env, struct iked_message *msg) 3251 { 3252 struct iked_message resp; 3253 struct ike_header *hdr; 3254 struct ikev2_payload *pld; 3255 struct ikev2_notify *n; 3256 struct iked_sa *sa = msg->msg_sa, sah; 3257 struct ibuf *buf, *e = NULL; 3258 int ret = -1; 3259 3260 if (msg->msg_error == 0) 3261 return (0); 3262 3263 if ((buf = ikev2_msg_init(env, &resp, 3264 &msg->msg_peer, msg->msg_peerlen, 3265 &msg->msg_local, msg->msg_locallen, 0)) == NULL) 3266 goto done; 3267 3268 /* New encrypted message buffer */ 3269 if ((e = ibuf_static()) == NULL) 3270 goto done; 3271 3272 /* NOTIFY payload */ 3273 if ((pld = ikev2_add_payload(e)) == NULL) 3274 goto done; 3275 3276 if ((n = ibuf_advance(e, sizeof(*n))) == NULL) 3277 goto done; 3278 n->n_protoid = IKEV2_SAPROTO_IKE; /* XXX ESP etc. */ 3279 n->n_spisize = 0; 3280 n->n_type = htobe16(msg->msg_error); 3281 3282 switch (msg->msg_error) { 3283 case IKEV2_N_INVALID_IKE_SPI: 3284 case IKEV2_N_NO_PROPOSAL_CHOSEN: 3285 break; 3286 default: 3287 log_debug("%s: unsupported notification %s", __func__, 3288 print_map(msg->msg_error, ikev2_n_map)); 3289 goto done; 3290 } 3291 3292 if (ikev2_next_payload(pld, sizeof(*n), IKEV2_PAYLOAD_NONE) == -1) 3293 goto done; 3294 3295 if (sa != NULL && msg->msg_e) { 3296 resp.msg_msgid = ikev2_msg_id(env, sa); 3297 3298 /* IKE header */ 3299 if ((hdr = ikev2_add_header(buf, sa, resp.msg_msgid, 3300 IKEV2_PAYLOAD_SK, IKEV2_EXCHANGE_INFORMATIONAL, 3301 0)) == NULL) 3302 goto done; 3303 3304 if ((pld = ikev2_add_payload(buf)) == NULL) 3305 goto done; 3306 3307 /* Encrypt message and add as an E payload */ 3308 if ((e = ikev2_msg_encrypt(env, sa, e)) == NULL) { 3309 log_debug("%s: encryption failed", __func__); 3310 goto done; 3311 } 3312 if (ibuf_cat(buf, e) != 0) 3313 goto done; 3314 if (ikev2_next_payload(pld, ibuf_size(e), 3315 IKEV2_PAYLOAD_NOTIFY) == -1) 3316 goto done; 3317 3318 if (ikev2_set_header(hdr, ibuf_size(buf) - sizeof(*hdr)) == -1) 3319 goto done; 3320 3321 /* Add integrity checksum (HMAC) */ 3322 if (ikev2_msg_integr(env, sa, buf) != 0) { 3323 log_debug("%s: integrity checksum failed", __func__); 3324 goto done; 3325 } 3326 } else { 3327 if ((hdr = ibuf_seek(msg->msg_data, 0, sizeof(*hdr))) == NULL) 3328 goto done; 3329 3330 bzero(&sah, sizeof(sah)); 3331 sah.sa_hdr.sh_rspi = betoh64(hdr->ike_rspi); 3332 sah.sa_hdr.sh_ispi = betoh64(hdr->ike_ispi); 3333 sah.sa_hdr.sh_initiator = 3334 hdr->ike_flags & IKEV2_FLAG_INITIATOR ? 0 : 1; 3335 3336 resp.msg_msgid = ikev2_msg_id(env, &sah); 3337 3338 /* IKE header */ 3339 if ((hdr = ikev2_add_header(buf, &sah, resp.msg_msgid, 3340 IKEV2_PAYLOAD_NOTIFY, IKEV2_EXCHANGE_INFORMATIONAL, 3341 0)) == NULL) 3342 goto done; 3343 if (ibuf_cat(buf, e) != 0) 3344 goto done; 3345 if (ikev2_set_header(hdr, ibuf_size(buf) - sizeof(*hdr)) == -1) 3346 goto done; 3347 } 3348 3349 resp.msg_data = buf; 3350 resp.msg_fd = msg->msg_fd; 3351 TAILQ_INIT(&resp.msg_proposals); 3352 3353 ret = ikev2_msg_send(env, &resp); 3354 3355 done: 3356 ibuf_release(e); 3357 ikev2_msg_cleanup(env, &resp); 3358 3359 return (ret); 3360 } 3361 3362 ssize_t 3363 ikev2_psk(struct iked_sa *sa, u_int8_t *data, size_t length, 3364 u_int8_t **pskptr) 3365 { 3366 u_int8_t *psk; 3367 size_t psklen = -1; 3368 3369 if (hash_setkey(sa->sa_prf, data, length) == NULL) 3370 return (-1); 3371 3372 if ((psk = calloc(1, hash_keylength(sa->sa_prf))) == NULL) 3373 return (-1); 3374 3375 hash_init(sa->sa_prf); 3376 hash_update(sa->sa_prf, IKEV2_KEYPAD, strlen(IKEV2_KEYPAD)); 3377 hash_final(sa->sa_prf, psk, &psklen); 3378 3379 *pskptr = psk; 3380 return (psklen); 3381 } 3382 3383 int 3384 ikev2_match_proposals(struct iked_proposal *local, struct iked_proposal *peer, 3385 struct iked_transform **xforms) 3386 { 3387 struct iked_transform *tpeer, *tlocal; 3388 u_int i, j, type, score; 3389 u_int8_t protoid = peer->prop_protoid; 3390 3391 for (i = 0; i < peer->prop_nxforms; i++) { 3392 tpeer = peer->prop_xforms + i; 3393 for (j = 0; j < local->prop_nxforms; j++) { 3394 tlocal = local->prop_xforms + j; 3395 if (tpeer->xform_type != tlocal->xform_type || 3396 tpeer->xform_id != tlocal->xform_id || 3397 tpeer->xform_length != tlocal->xform_length) 3398 continue; 3399 if (tpeer->xform_type > IKEV2_XFORMTYPE_MAX) 3400 continue; 3401 type = tpeer->xform_type; 3402 3403 if (xforms[type] == NULL || tlocal->xform_score < 3404 xforms[type]->xform_score) { 3405 xforms[type] = tlocal; 3406 } else 3407 continue; 3408 3409 print_debug("%s: xform %d <-> %d (%d): %s %s " 3410 "(keylength %d <-> %d)", __func__, 3411 peer->prop_id, local->prop_id, tlocal->xform_score, 3412 print_map(type, ikev2_xformtype_map), 3413 print_map(tpeer->xform_id, tpeer->xform_map), 3414 tpeer->xform_keylength, tlocal->xform_keylength); 3415 if (tpeer->xform_length) 3416 print_debug(" %d", tpeer->xform_length); 3417 print_debug("\n"); 3418 } 3419 } 3420 3421 for (i = score = 0; i < IKEV2_XFORMTYPE_MAX; i++) { 3422 if (protoid == IKEV2_SAPROTO_IKE && xforms[i] == NULL && 3423 (i == IKEV2_XFORMTYPE_ENCR || i == IKEV2_XFORMTYPE_PRF || 3424 i == IKEV2_XFORMTYPE_INTEGR || i == IKEV2_XFORMTYPE_DH)) { 3425 score = 0; 3426 break; 3427 } else if (protoid == IKEV2_SAPROTO_AH && xforms[i] == NULL && 3428 (i == IKEV2_XFORMTYPE_INTEGR || i == IKEV2_XFORMTYPE_ESN)) { 3429 score = 0; 3430 break; 3431 } else if (protoid == IKEV2_SAPROTO_ESP && xforms[i] == NULL && 3432 (i == IKEV2_XFORMTYPE_ENCR || i == IKEV2_XFORMTYPE_ESN)) { 3433 score = 0; 3434 break; 3435 } else if (xforms[i] == NULL) 3436 continue; 3437 3438 score += xforms[i]->xform_score; 3439 } 3440 3441 return (score); 3442 } 3443 3444 int 3445 ikev2_sa_negotiate(struct iked_proposals *result, struct iked_proposals *local, 3446 struct iked_proposals *peer) 3447 { 3448 struct iked_proposal *ppeer = NULL, *plocal, *prop, vpeer, vlocal; 3449 struct iked_transform chosen[IKEV2_XFORMTYPE_MAX]; 3450 struct iked_transform *valid[IKEV2_XFORMTYPE_MAX]; 3451 struct iked_transform *match[IKEV2_XFORMTYPE_MAX]; 3452 u_int i, score, chosen_score = 0; 3453 u_int8_t protoid = 0; 3454 3455 bzero(valid, sizeof(valid)); 3456 bzero(&vlocal, sizeof(vlocal)); 3457 bzero(&vpeer, sizeof(vpeer)); 3458 3459 if (TAILQ_EMPTY(peer)) { 3460 log_debug("%s: peer did not send %s proposals", __func__, 3461 print_map(protoid, ikev2_saproto_map)); 3462 return (-1); 3463 } 3464 3465 TAILQ_FOREACH(plocal, local, prop_entry) { 3466 TAILQ_FOREACH(ppeer, peer, prop_entry) { 3467 if (ppeer->prop_protoid != plocal->prop_protoid) 3468 continue; 3469 bzero(match, sizeof(match)); 3470 score = ikev2_match_proposals(plocal, ppeer, match); 3471 log_debug("%s: score %d", __func__, score); 3472 if (score && (!chosen_score || score < chosen_score)) { 3473 chosen_score = score; 3474 for (i = 0; i < IKEV2_XFORMTYPE_MAX; i++) { 3475 if ((valid[i] = match[i])) 3476 memcpy(&chosen[i], match[i], 3477 sizeof(chosen[0])); 3478 } 3479 memcpy(&vpeer, ppeer, sizeof(vpeer)); 3480 memcpy(&vlocal, plocal, sizeof(vlocal)); 3481 } 3482 } 3483 if (chosen_score != 0) 3484 break; 3485 } 3486 3487 if (chosen_score == 0) 3488 return (-1); 3489 else if (result == NULL) 3490 return (0); 3491 3492 (void)config_free_proposals(result, vpeer.prop_protoid); 3493 prop = config_add_proposal(result, vpeer.prop_id, vpeer.prop_protoid); 3494 3495 if (vpeer.prop_localspi.spi_size) { 3496 prop->prop_localspi.spi_size = vpeer.prop_localspi.spi_size; 3497 prop->prop_peerspi = vpeer.prop_peerspi; 3498 } 3499 if (vlocal.prop_localspi.spi_size) { 3500 prop->prop_localspi.spi_size = vlocal.prop_localspi.spi_size; 3501 prop->prop_localspi.spi = vlocal.prop_localspi.spi; 3502 } 3503 3504 for (i = 0; i < IKEV2_XFORMTYPE_MAX; i++) { 3505 if (valid[i] == NULL) 3506 continue; 3507 print_debug("%s: score %d: %s %s", __func__, 3508 chosen[i].xform_score, print_map(i, ikev2_xformtype_map), 3509 print_map(chosen[i].xform_id, chosen[i].xform_map)); 3510 if (chosen[i].xform_length) 3511 print_debug(" %d", chosen[i].xform_length); 3512 print_debug("\n"); 3513 3514 if (config_add_transform(prop, chosen[i].xform_type, 3515 chosen[i].xform_id, chosen[i].xform_length, 3516 chosen[i].xform_keylength) == NULL) 3517 break; 3518 } 3519 3520 return (0); 3521 } 3522 3523 int 3524 ikev2_sa_initiator_dh(struct iked_sa *sa, struct iked_message *msg, u_int proto) 3525 { 3526 struct iked_policy *pol = sa->sa_policy; 3527 struct iked_transform *xform; 3528 3529 if (sa->sa_dhgroup == NULL) { 3530 if ((xform = config_findtransform(&pol->pol_proposals, 3531 IKEV2_XFORMTYPE_DH, proto)) == NULL) { 3532 log_debug("%s: did not find dh transform", __func__); 3533 return (-1); 3534 } 3535 if ((sa->sa_dhgroup = 3536 group_get(xform->xform_id)) == NULL) { 3537 log_debug("%s: invalid dh %d", __func__, 3538 xform->xform_id); 3539 return (-1); 3540 } 3541 } 3542 3543 if (!ibuf_length(sa->sa_dhiexchange)) { 3544 if ((sa->sa_dhiexchange = ibuf_new(NULL, 3545 dh_getlen(sa->sa_dhgroup))) == NULL) { 3546 log_debug("%s: failed to alloc dh exchange", __func__); 3547 return (-1); 3548 } 3549 if (dh_create_exchange(sa->sa_dhgroup, 3550 sa->sa_dhiexchange->buf) == -1) { 3551 log_debug("%s: failed to get dh exchange", __func__); 3552 return (-1); 3553 } 3554 } 3555 3556 /* Initial message */ 3557 if (msg == NULL) 3558 return (0); 3559 3560 if (!ibuf_length(sa->sa_dhrexchange)) { 3561 if (!ibuf_length(msg->msg_ke)) { 3562 log_debug("%s: invalid peer dh exchange", __func__); 3563 return (-1); 3564 } 3565 if ((ssize_t)ibuf_length(msg->msg_ke) != 3566 dh_getlen(sa->sa_dhgroup)) { 3567 log_debug("%s: invalid dh length, size %d", __func__, 3568 dh_getlen(sa->sa_dhgroup) * 8); 3569 return (-1); 3570 } 3571 if ((sa->sa_dhrexchange = ibuf_dup(msg->msg_ke)) == NULL) { 3572 log_debug("%s: failed to copy dh exchange", __func__); 3573 return (-1); 3574 } 3575 } 3576 3577 /* Set a pointer to the peer exchange */ 3578 sa->sa_dhpeer = sa->sa_dhrexchange; 3579 return (0); 3580 } 3581 3582 int 3583 ikev2_sa_initiator(struct iked *env, struct iked_sa *sa, 3584 struct iked_sa *osa, struct iked_message *msg) 3585 { 3586 struct iked_transform *xform; 3587 3588 if (ikev2_sa_initiator_dh(sa, msg, 0) < 0) 3589 return (-1); 3590 3591 if (!ibuf_length(sa->sa_inonce)) { 3592 if ((sa->sa_inonce = ibuf_random(IKED_NONCE_SIZE)) == NULL) { 3593 log_debug("%s: failed to get local nonce", __func__); 3594 return (-1); 3595 } 3596 } 3597 3598 /* Initial message */ 3599 if (msg == NULL) 3600 return (0); 3601 3602 if (!ibuf_length(sa->sa_rnonce)) { 3603 if (!ibuf_length(msg->msg_nonce)) { 3604 log_debug("%s: invalid peer nonce", __func__); 3605 return (-1); 3606 } 3607 if ((sa->sa_rnonce = ibuf_dup(msg->msg_nonce)) == NULL) { 3608 log_debug("%s: failed to get peer nonce", __func__); 3609 return (-1); 3610 } 3611 } 3612 3613 /* XXX we need a better way to get this */ 3614 if (ikev2_sa_negotiate(&sa->sa_proposals, 3615 &msg->msg_policy->pol_proposals, &msg->msg_proposals) != 0) { 3616 log_debug("%s: no proposal chosen", __func__); 3617 msg->msg_error = IKEV2_N_NO_PROPOSAL_CHOSEN; 3618 return (-1); 3619 } else if (sa_stateok(sa, IKEV2_STATE_SA_INIT)) 3620 sa_stateflags(sa, IKED_REQ_SA); 3621 3622 if (sa->sa_encr == NULL) { 3623 if ((xform = config_findtransform(&sa->sa_proposals, 3624 IKEV2_XFORMTYPE_ENCR, 0)) == NULL) { 3625 log_debug("%s: did not find encr transform", __func__); 3626 return (-1); 3627 } 3628 if ((sa->sa_encr = cipher_new(xform->xform_type, 3629 xform->xform_id, xform->xform_length)) == NULL) { 3630 log_debug("%s: failed to get encr", __func__); 3631 return (-1); 3632 } 3633 } 3634 3635 if (sa->sa_prf == NULL) { 3636 if ((xform = config_findtransform(&sa->sa_proposals, 3637 IKEV2_XFORMTYPE_PRF, 0)) == NULL) { 3638 log_debug("%s: did not find prf transform", __func__); 3639 return (-1); 3640 } 3641 if ((sa->sa_prf = 3642 hash_new(xform->xform_type, xform->xform_id)) == NULL) { 3643 log_debug("%s: failed to get prf", __func__); 3644 return (-1); 3645 } 3646 } 3647 3648 if (sa->sa_integr == NULL) { 3649 if ((xform = config_findtransform(&sa->sa_proposals, 3650 IKEV2_XFORMTYPE_INTEGR, 0)) == NULL) { 3651 log_debug("%s: did not find integr transform", 3652 __func__); 3653 return (-1); 3654 } 3655 if ((sa->sa_integr = 3656 hash_new(xform->xform_type, xform->xform_id)) == NULL) { 3657 log_debug("%s: failed to get integr", __func__); 3658 return (-1); 3659 } 3660 } 3661 3662 ibuf_release(sa->sa_2ndmsg); 3663 if ((sa->sa_2ndmsg = ibuf_dup(msg->msg_data)) == NULL) { 3664 log_debug("%s: failed to copy 2nd message", __func__); 3665 return (-1); 3666 } 3667 3668 return (ikev2_sa_keys(env, sa, osa ? osa->sa_key_d : NULL)); 3669 } 3670 3671 int 3672 ikev2_sa_responder_dh(struct iked_kex *kex, struct iked_proposals *proposals, 3673 struct iked_message *msg, u_int proto) 3674 { 3675 struct iked_transform *xform; 3676 3677 if (kex->kex_dhgroup == NULL) { 3678 if ((xform = config_findtransform(proposals, 3679 IKEV2_XFORMTYPE_DH, proto)) == NULL) { 3680 log_debug("%s: did not find dh transform", __func__); 3681 return (-1); 3682 } 3683 if ((kex->kex_dhgroup = 3684 group_get(xform->xform_id)) == NULL) { 3685 log_debug("%s: invalid dh %d", __func__, 3686 xform->xform_id); 3687 return (-1); 3688 } 3689 } 3690 3691 if (!ibuf_length(kex->kex_dhrexchange)) { 3692 if ((kex->kex_dhrexchange = ibuf_new(NULL, 3693 dh_getlen(kex->kex_dhgroup))) == NULL) { 3694 log_debug("%s: failed to alloc dh exchange", __func__); 3695 return (-1); 3696 } 3697 if (dh_create_exchange(kex->kex_dhgroup, 3698 kex->kex_dhrexchange->buf) == -1) { 3699 log_debug("%s: failed to get dh exchange", __func__); 3700 return (-1); 3701 } 3702 } 3703 3704 if (!ibuf_length(kex->kex_dhiexchange)) { 3705 if ((kex->kex_dhiexchange = ibuf_dup(msg->msg_ke)) == NULL || 3706 ((ssize_t)ibuf_length(kex->kex_dhiexchange) != 3707 dh_getlen(kex->kex_dhgroup))) { 3708 /* XXX send notification to peer */ 3709 log_debug("%s: invalid dh, size %d", __func__, 3710 dh_getlen(kex->kex_dhgroup) * 8); 3711 return (-1); 3712 } 3713 } 3714 3715 /* Set a pointer to the peer exchange */ 3716 kex->kex_dhpeer = kex->kex_dhiexchange; 3717 return (0); 3718 } 3719 int 3720 ikev2_sa_responder(struct iked *env, struct iked_sa *sa, struct iked_sa *osa, 3721 struct iked_message *msg) 3722 { 3723 struct iked_transform *xform; 3724 3725 sa_state(env, sa, IKEV2_STATE_SA_INIT); 3726 3727 ibuf_release(sa->sa_1stmsg); 3728 if ((sa->sa_1stmsg = ibuf_dup(msg->msg_data)) == NULL) { 3729 log_debug("%s: failed to copy 1st message", __func__); 3730 return (-1); 3731 } 3732 3733 if (!ibuf_length(sa->sa_rnonce) && 3734 (sa->sa_rnonce = ibuf_random(IKED_NONCE_SIZE)) == NULL) { 3735 log_debug("%s: failed to get local nonce", __func__); 3736 return (-1); 3737 } 3738 3739 if (!ibuf_length(sa->sa_inonce) && 3740 ((ibuf_length(msg->msg_nonce) < IKED_NONCE_MIN) || 3741 (sa->sa_inonce = ibuf_dup(msg->msg_nonce)) == NULL)) { 3742 log_debug("%s: failed to get peer nonce", __func__); 3743 return (-1); 3744 } 3745 3746 /* XXX we need a better way to get this */ 3747 if (ikev2_sa_negotiate(&sa->sa_proposals, 3748 &msg->msg_policy->pol_proposals, &msg->msg_proposals) != 0) { 3749 log_debug("%s: no proposal chosen", __func__); 3750 msg->msg_error = IKEV2_N_NO_PROPOSAL_CHOSEN; 3751 return (-1); 3752 } else if (sa_stateok(sa, IKEV2_STATE_SA_INIT)) 3753 sa_stateflags(sa, IKED_REQ_SA); 3754 3755 if (sa->sa_encr == NULL) { 3756 if ((xform = config_findtransform(&sa->sa_proposals, 3757 IKEV2_XFORMTYPE_ENCR, 0)) == NULL) { 3758 log_debug("%s: did not find encr transform", __func__); 3759 return (-1); 3760 } 3761 if ((sa->sa_encr = cipher_new(xform->xform_type, 3762 xform->xform_id, xform->xform_length)) == NULL) { 3763 log_debug("%s: failed to get encr", __func__); 3764 return (-1); 3765 } 3766 } 3767 3768 if (sa->sa_prf == NULL) { 3769 if ((xform = config_findtransform(&sa->sa_proposals, 3770 IKEV2_XFORMTYPE_PRF, 0)) == NULL) { 3771 log_debug("%s: did not find prf transform", __func__); 3772 return (-1); 3773 } 3774 if ((sa->sa_prf = 3775 hash_new(xform->xform_type, xform->xform_id)) == NULL) { 3776 log_debug("%s: failed to get prf", __func__); 3777 return (-1); 3778 } 3779 } 3780 3781 if (sa->sa_integr == NULL) { 3782 if ((xform = config_findtransform(&sa->sa_proposals, 3783 IKEV2_XFORMTYPE_INTEGR, 0)) == NULL) { 3784 log_debug("%s: did not find integr transform", 3785 __func__); 3786 return (-1); 3787 } 3788 if ((sa->sa_integr = 3789 hash_new(xform->xform_type, xform->xform_id)) == NULL) { 3790 log_debug("%s: failed to get integr", __func__); 3791 return (-1); 3792 } 3793 } 3794 3795 if (ikev2_sa_responder_dh(&sa->sa_kex, &sa->sa_proposals, msg, 0) < 0) 3796 return (-1); 3797 3798 return (ikev2_sa_keys(env, sa, osa ? osa->sa_key_d : NULL)); 3799 } 3800 3801 int 3802 ikev2_sa_keys(struct iked *env, struct iked_sa *sa, struct ibuf *key) 3803 { 3804 struct iked_hash *prf, *integr; 3805 struct iked_cipher *encr; 3806 struct group *group; 3807 struct ibuf *ninr, *dhsecret, *skeyseed, *s, *t; 3808 size_t nonceminlen, ilen, rlen, tmplen; 3809 u_int64_t ispi, rspi; 3810 int ret = -1; 3811 3812 ninr = dhsecret = skeyseed = s = t = NULL; 3813 3814 if ((encr = sa->sa_encr) == NULL || 3815 (prf = sa->sa_prf) == NULL || 3816 (integr = sa->sa_integr) == NULL || 3817 (group = sa->sa_dhgroup) == NULL) { 3818 log_debug("%s: failed to get key input data", __func__); 3819 return (-1); 3820 } 3821 3822 if (prf->hash_fixedkey) 3823 nonceminlen = prf->hash_fixedkey; 3824 else 3825 nonceminlen = IKED_NONCE_MIN; 3826 3827 /* Nonces need a minimal size and should have an even length */ 3828 if (ibuf_length(sa->sa_inonce) < nonceminlen || 3829 (ibuf_length(sa->sa_inonce) % 2) != 0 || 3830 ibuf_length(sa->sa_rnonce) < nonceminlen || 3831 (ibuf_length(sa->sa_rnonce) % 2) != 0) { 3832 log_debug("%s: invalid nonces", __func__); 3833 return (-1); 3834 } 3835 3836 if (prf->hash_fixedkey) { 3837 /* Half of the key bits must come from Ni, and half from Nr */ 3838 ilen = prf->hash_fixedkey / 2; 3839 rlen = prf->hash_fixedkey / 2; 3840 } else { 3841 /* Most PRF functions accept a variable-length key */ 3842 ilen = ibuf_length(sa->sa_inonce); 3843 rlen = ibuf_length(sa->sa_rnonce); 3844 } 3845 3846 /* 3847 * Depending on whether we're generating new keying material 3848 * or rekeying existing SA the algorithm is different. If the 3849 * "key" argument is not specified a concatenation of nonces 3850 * (Ni | Nr) is used as a PRF key, otherwise a "key" buffer 3851 * is used and PRF is performed on the concatenation of DH 3852 * exchange result and nonces (g^ir | Ni | Nr). See sections 3853 * 2.14 and 2.18 of RFC5996 for more information. 3854 */ 3855 3856 /* 3857 * Generate g^ir 3858 */ 3859 if ((dhsecret = ibuf_new(NULL, dh_getlen(group))) == NULL) { 3860 log_debug("%s: failed to alloc dh secret", __func__); 3861 goto done; 3862 } 3863 if (dh_create_shared(group, dhsecret->buf, 3864 sa->sa_dhpeer->buf) == -1) { 3865 log_debug("%s: failed to get dh secret" 3866 " group %d len %d secret %zu exchange %zu", __func__, 3867 group->id, dh_getlen(group), ibuf_length(dhsecret), 3868 ibuf_length(sa->sa_dhpeer)); 3869 goto done; 3870 } 3871 3872 if (!key) { 3873 /* 3874 * Set PRF key to generate SKEEYSEED = prf(Ni | Nr, g^ir) 3875 */ 3876 if ((ninr = ibuf_new(sa->sa_inonce->buf, ilen)) == NULL || 3877 ibuf_add(ninr, sa->sa_rnonce->buf, rlen) != 0) { 3878 log_debug("%s: failed to get nonce key buffer", 3879 __func__); 3880 goto done; 3881 } 3882 key = ninr; 3883 } else { 3884 /* 3885 * Set PRF key to generate SKEEYSEED = prf(key, g^ir | Ni | Nr) 3886 */ 3887 if (ibuf_add(dhsecret, sa->sa_inonce->buf, ilen) != 0 || 3888 ibuf_add(dhsecret, sa->sa_rnonce->buf, rlen) != 0) { 3889 log_debug("%s: failed to get nonce key buffer", 3890 __func__); 3891 goto done; 3892 } 3893 } 3894 3895 if ((hash_setkey(prf, key->buf, ibuf_length(key))) == NULL) { 3896 log_debug("%s: failed to set prf key", __func__); 3897 goto done; 3898 } 3899 3900 if ((skeyseed = ibuf_new(NULL, hash_length(prf))) == NULL) { 3901 log_debug("%s: failed to get SKEYSEED buffer", __func__); 3902 goto done; 3903 } 3904 3905 tmplen = 0; 3906 hash_init(prf); 3907 hash_update(prf, dhsecret->buf, ibuf_length(dhsecret)); 3908 hash_final(prf, skeyseed->buf, &tmplen); 3909 3910 log_debug("%s: SKEYSEED with %zu bytes", __func__, tmplen); 3911 print_hex(skeyseed->buf, 0, tmplen); 3912 3913 if (ibuf_setsize(skeyseed, tmplen) == -1) { 3914 log_debug("%s: failed to set keymaterial length", __func__); 3915 goto done; 3916 } 3917 3918 /* 3919 * Now generate the key material 3920 * 3921 * S = Ni | Nr | SPIi | SPIr 3922 */ 3923 3924 /* S = Ni | Nr | SPIi | SPIr */ 3925 ilen = ibuf_length(sa->sa_inonce); 3926 rlen = ibuf_length(sa->sa_rnonce); 3927 ispi = htobe64(sa->sa_hdr.sh_ispi); 3928 rspi = htobe64(sa->sa_hdr.sh_rspi); 3929 3930 if ((s = ibuf_new(sa->sa_inonce->buf, ilen)) == NULL || 3931 ibuf_add(s, sa->sa_rnonce->buf, rlen) != 0 || 3932 ibuf_add(s, &ispi, sizeof(ispi)) != 0 || 3933 ibuf_add(s, &rspi, sizeof(rspi)) != 0) { 3934 log_debug("%s: failed to set S buffer", __func__); 3935 goto done; 3936 } 3937 3938 log_debug("%s: S with %zu bytes", __func__, ibuf_length(s)); 3939 print_hex(s->buf, 0, ibuf_length(s)); 3940 3941 /* 3942 * Get the size of the key material we need and the number 3943 * of rounds we need to run the prf+ function. 3944 */ 3945 ilen = hash_length(prf) + /* SK_d */ 3946 hash_keylength(integr) + /* SK_ai */ 3947 hash_keylength(integr) + /* SK_ar */ 3948 cipher_keylength(encr) + /* SK_ei */ 3949 cipher_keylength(encr) + /* SK_er */ 3950 hash_keylength(prf) + /* SK_pi */ 3951 hash_keylength(prf); /* SK_pr */ 3952 3953 if ((t = ikev2_prfplus(prf, skeyseed, s, ilen)) == NULL) { 3954 log_debug("%s: failed to get IKE SA key material", __func__); 3955 goto done; 3956 } 3957 3958 /* ibuf_get() returns a new buffer from the next read offset */ 3959 if ((sa->sa_key_d = ibuf_get(t, hash_length(prf))) == NULL || 3960 (sa->sa_key_iauth = ibuf_get(t, hash_keylength(integr))) == NULL || 3961 (sa->sa_key_rauth = ibuf_get(t, hash_keylength(integr))) == NULL || 3962 (sa->sa_key_iencr = ibuf_get(t, cipher_keylength(encr))) == NULL || 3963 (sa->sa_key_rencr = ibuf_get(t, cipher_keylength(encr))) == NULL || 3964 (sa->sa_key_iprf = ibuf_get(t, hash_length(prf))) == NULL || 3965 (sa->sa_key_rprf = ibuf_get(t, hash_length(prf))) == NULL) { 3966 log_debug("%s: failed to get SA keys", __func__); 3967 goto done; 3968 } 3969 3970 log_debug("%s: SK_d with %zu bytes", __func__, 3971 ibuf_length(sa->sa_key_d)); 3972 print_hex(sa->sa_key_d->buf, 0, ibuf_length(sa->sa_key_d)); 3973 log_debug("%s: SK_ai with %zu bytes", __func__, 3974 ibuf_length(sa->sa_key_iauth)); 3975 print_hex(sa->sa_key_iauth->buf, 0, ibuf_length(sa->sa_key_iauth)); 3976 log_debug("%s: SK_ar with %zu bytes", __func__, 3977 ibuf_length(sa->sa_key_rauth)); 3978 print_hex(sa->sa_key_rauth->buf, 0, ibuf_length(sa->sa_key_rauth)); 3979 log_debug("%s: SK_ei with %zu bytes", __func__, 3980 ibuf_length(sa->sa_key_iencr)); 3981 print_hex(sa->sa_key_iencr->buf, 0, ibuf_length(sa->sa_key_iencr)); 3982 log_debug("%s: SK_er with %zu bytes", __func__, 3983 ibuf_length(sa->sa_key_rencr)); 3984 print_hex(sa->sa_key_rencr->buf, 0, ibuf_length(sa->sa_key_rencr)); 3985 log_debug("%s: SK_pi with %zu bytes", __func__, 3986 ibuf_length(sa->sa_key_iprf)); 3987 print_hex(sa->sa_key_iprf->buf, 0, ibuf_length(sa->sa_key_iprf)); 3988 log_debug("%s: SK_pr with %zu bytes", __func__, 3989 ibuf_length(sa->sa_key_rprf)); 3990 print_hex(sa->sa_key_rprf->buf, 0, ibuf_length(sa->sa_key_rprf)); 3991 3992 ret = 0; 3993 3994 done: 3995 ibuf_release(ninr); 3996 ibuf_release(dhsecret); 3997 ibuf_release(skeyseed); 3998 ibuf_release(s); 3999 ibuf_release(t); 4000 4001 return (ret); 4002 } 4003 4004 void 4005 ikev2_sa_cleanup_dh(struct iked_sa *sa) 4006 { 4007 ibuf_release(sa->sa_dhiexchange); 4008 ibuf_release(sa->sa_dhrexchange); 4009 group_free(sa->sa_dhgroup); 4010 sa->sa_dhiexchange = NULL; 4011 sa->sa_dhrexchange = NULL; 4012 sa->sa_dhgroup = NULL; 4013 } 4014 4015 struct ibuf * 4016 ikev2_prfplus(struct iked_hash *prf, struct ibuf *key, struct ibuf *seed, 4017 size_t keymatlen) 4018 { 4019 struct ibuf *t = NULL, *t1 = NULL, *t2 = NULL; 4020 size_t rlen, i, hashlen = 0; 4021 u_int8_t pad = 0; 4022 4023 /* 4024 * prf+ (K, S) = T1 | T2 | T3 | T4 | ... 4025 * 4026 * T1 = prf (K, S | 0x01) 4027 * T2 = prf (K, T1 | S | 0x02) 4028 * T3 = prf (K, T2 | S | 0x03) 4029 * T4 = prf (K, T3 | S | 0x04) 4030 */ 4031 4032 if ((hash_setkey(prf, ibuf_data(key), ibuf_size(key))) == NULL) { 4033 log_debug("%s: failed to set prf+ key", __func__); 4034 goto fail; 4035 } 4036 4037 if ((t = ibuf_new(NULL, 0)) == NULL) { 4038 log_debug("%s: failed to get T buffer", __func__); 4039 goto fail; 4040 } 4041 4042 rlen = roundup(keymatlen, hash_length(prf)) / hash_length(prf); 4043 if (rlen > 255) 4044 fatalx("ikev2_prfplus: key material too large"); 4045 4046 for (i = 0; i < rlen; i++) { 4047 if (t1 != NULL) { 4048 t2 = ibuf_new(t1->buf, ibuf_length(t1)); 4049 ibuf_release(t1); 4050 } else 4051 t2 = ibuf_new(NULL, 0); 4052 t1 = ibuf_new(NULL, hash_length(prf)); 4053 4054 ibuf_add(t2, seed->buf, ibuf_length(seed)); 4055 pad = i + 1; 4056 ibuf_add(t2, &pad, 1); 4057 4058 hash_init(prf); 4059 hash_update(prf, t2->buf, ibuf_length(t2)); 4060 hash_final(prf, t1->buf, &hashlen); 4061 4062 if (hashlen != hash_length(prf)) 4063 fatalx("ikev2_prfplus: hash length mismatch"); 4064 4065 ibuf_release(t2); 4066 ibuf_add(t, t1->buf, ibuf_length(t1)); 4067 4068 log_debug("%s: T%d with %zu bytes", __func__, 4069 pad, ibuf_length(t1)); 4070 print_hex(t1->buf, 0, ibuf_length(t1)); 4071 } 4072 4073 log_debug("%s: Tn with %zu bytes", __func__, ibuf_length(t)); 4074 print_hex(t->buf, 0, ibuf_length(t)); 4075 4076 ibuf_release(t1); 4077 4078 return (t); 4079 4080 fail: 4081 ibuf_release(t1); 4082 ibuf_release(t); 4083 4084 return (NULL); 4085 } 4086 4087 int 4088 ikev2_sa_tag(struct iked_sa *sa, struct iked_id *id) 4089 { 4090 char *format, *domain = NULL, *idrepl = NULL; 4091 char idstr[IKED_ID_SIZE]; 4092 int ret = -1; 4093 size_t len; 4094 4095 if (sa->sa_tag != NULL) 4096 free(sa->sa_tag); 4097 sa->sa_tag = NULL; 4098 format = sa->sa_policy->pol_tag; 4099 4100 len = IKED_TAG_SIZE; 4101 if ((sa->sa_tag = calloc(1, len)) == NULL) { 4102 log_debug("%s: calloc", __func__); 4103 goto fail; 4104 } 4105 if (strlcpy(sa->sa_tag, format, len) >= len) { 4106 log_debug("%s: tag too long", __func__); 4107 goto fail; 4108 } 4109 4110 if (ikev2_print_id(id, idstr, sizeof(idstr)) == -1) { 4111 log_debug("%s: invalid id", __func__); 4112 goto fail; 4113 } 4114 4115 /* ASN.1 DER IDs are too long, use the CN part instead */ 4116 if ((id->id_type == IKEV2_ID_ASN1_DN) && 4117 (idrepl = strstr(idstr, "CN=")) != NULL) { 4118 domain = strstr(idrepl, "emailAddress="); 4119 idrepl[strcspn(idrepl, "/")] = '\0'; 4120 } else 4121 idrepl = idstr; 4122 4123 if (strstr(format, "$id") != NULL) { 4124 if (expand_string(sa->sa_tag, len, "$id", idrepl) != 0) { 4125 log_debug("%s: failed to expand tag", __func__); 4126 goto fail; 4127 } 4128 } 4129 4130 if (strstr(format, "$name") != NULL) { 4131 if (expand_string(sa->sa_tag, len, "$name", 4132 sa->sa_policy->pol_name) != 0) { 4133 log_debug("%s: failed to expand tag", __func__); 4134 goto fail; 4135 } 4136 } 4137 4138 if (strstr(format, "$domain") != NULL) { 4139 if (id->id_type == IKEV2_ID_FQDN) 4140 domain = strchr(idrepl, '.'); 4141 else if (id->id_type == IKEV2_ID_UFQDN) 4142 domain = strchr(idrepl, '@'); 4143 else if (*idstr == '/' && domain != NULL) 4144 domain = strchr(domain, '@'); 4145 else 4146 domain = NULL; 4147 if (domain == NULL || strlen(domain) < 2) { 4148 log_debug("%s: no valid domain in ID %s", 4149 __func__, idstr); 4150 goto fail; 4151 } 4152 domain++; 4153 if (expand_string(sa->sa_tag, len, "$domain", domain) != 0) { 4154 log_debug("%s: failed to expand tag", __func__); 4155 goto fail; 4156 } 4157 } 4158 4159 log_debug("%s: %s (%zu)", __func__, sa->sa_tag, strlen(sa->sa_tag)); 4160 4161 ret = 0; 4162 fail: 4163 if (ret != 0) { 4164 free(sa->sa_tag); 4165 sa->sa_tag = NULL; 4166 } 4167 4168 return (ret); 4169 } 4170 4171 int 4172 ikev2_childsa_negotiate(struct iked *env, struct iked_sa *sa, 4173 struct iked_kex *kex, struct iked_proposals *proposals, int initiator, 4174 int pfs) 4175 { 4176 struct iked_proposal *prop; 4177 struct iked_transform *xform, *encrxf = NULL, *integrxf = NULL; 4178 struct iked_childsa *csa, *csb; 4179 struct iked_flow *flow, *saflow, *flowa, *flowb; 4180 struct ibuf *keymat = NULL, *seed = NULL, *dhsecret = NULL; 4181 struct group *group; 4182 u_int32_t spi = 0; 4183 u_int i; 4184 size_t ilen = 0; 4185 int esn, skip, ret = -1; 4186 4187 if (!sa_stateok(sa, IKEV2_STATE_VALID)) 4188 return (-1); 4189 4190 if (ikev2_sa_tag(sa, IKESA_DSTID(sa)) == -1) 4191 return (-1); 4192 4193 /* We need to determine the key material length first */ 4194 TAILQ_FOREACH(prop, proposals, prop_entry) { 4195 if (prop->prop_protoid == IKEV2_SAPROTO_IKE) 4196 continue; 4197 log_debug("%s: proposal %d", __func__, prop->prop_id); 4198 for (i = 0; i < prop->prop_nxforms; i++) { 4199 xform = prop->prop_xforms + i; 4200 xform->xform_keylength = 4201 keylength_xf(prop->prop_protoid, 4202 xform->xform_type, xform->xform_id); 4203 4204 switch (xform->xform_type) { 4205 case IKEV2_XFORMTYPE_ENCR: 4206 case IKEV2_XFORMTYPE_INTEGR: 4207 if (xform->xform_length) 4208 xform->xform_keylength = 4209 xform->xform_length; 4210 xform->xform_keylength += 4211 noncelength_xf(xform->xform_type, 4212 xform->xform_id); 4213 ilen += xform->xform_keylength / 8; 4214 break; 4215 } 4216 } 4217 } 4218 4219 /* double key material length for inbound/outbound */ 4220 ilen *= 2; 4221 4222 log_debug("%s: key material length %zu", __func__, ilen); 4223 4224 if ((seed = ibuf_new(NULL, 0)) == NULL) { 4225 log_debug("%s: failed to setup IKE SA key material", __func__); 4226 goto done; 4227 } 4228 if (pfs) { 4229 log_debug("%s: using PFS", __func__); 4230 if (kex->kex_dhpeer == NULL || ibuf_length(kex->kex_dhpeer) == 0 || 4231 (group = kex->kex_dhgroup) == NULL) { 4232 log_debug("%s: no dh group for pfs", __func__); 4233 goto done; 4234 } 4235 if ((dhsecret = ibuf_new(NULL, dh_getlen(group))) == NULL) { 4236 log_debug("%s: failed to alloc dh secret", __func__); 4237 goto done; 4238 } 4239 if (dh_create_shared(group, dhsecret->buf, 4240 kex->kex_dhpeer->buf) == -1) { 4241 log_debug("%s: failed to get dh secret" 4242 " group %d len %d secret %zu exchange %zu", __func__, 4243 group->id, dh_getlen(group), ibuf_length(dhsecret), 4244 ibuf_length(kex->kex_dhpeer)); 4245 goto done; 4246 } 4247 if (ibuf_cat(seed, dhsecret) != 0) { 4248 log_debug("%s: failed to set dh secret", __func__); 4249 goto done; 4250 } 4251 } 4252 if (ibuf_cat(seed, kex->kex_inonce) != 0 || 4253 ibuf_cat(seed, kex->kex_rnonce) != 0 || 4254 (keymat = ikev2_prfplus(sa->sa_prf, 4255 sa->sa_key_d, seed, ilen)) == NULL) { 4256 log_debug("%s: failed to get IKE SA key material", __func__); 4257 goto done; 4258 } 4259 4260 /* Create the new flows */ 4261 TAILQ_FOREACH(prop, proposals, prop_entry) { 4262 if (ikev2_valid_proposal(prop, NULL, NULL, NULL) != 0) 4263 continue; 4264 4265 RB_FOREACH(flow, iked_flows, &sa->sa_policy->pol_flows) { 4266 skip = 0; 4267 TAILQ_FOREACH(saflow, &sa->sa_flows, flow_entry) { 4268 if (IKED_ADDR_EQ(&saflow->flow_src, 4269 &flow->flow_src) && 4270 IKED_ADDR_EQ(&saflow->flow_dst, 4271 &flow->flow_dst) && 4272 saflow->flow_saproto == 4273 prop->prop_protoid) { 4274 skip = 1; 4275 break; 4276 } 4277 } 4278 if (skip) 4279 continue; 4280 4281 if ((flowa = calloc(1, sizeof(*flowa))) == NULL) { 4282 log_debug("%s: failed to get flow", __func__); 4283 goto done; 4284 } 4285 4286 memcpy(flowa, flow, sizeof(*flow)); 4287 flowa->flow_dir = IPSP_DIRECTION_OUT; 4288 flowa->flow_saproto = prop->prop_protoid; 4289 flowa->flow_local = &sa->sa_local; 4290 flowa->flow_peer = &sa->sa_peer; 4291 flowa->flow_ikesa = sa; 4292 ikev2_cp_fixaddr(sa, &flow->flow_dst, &flowa->flow_dst); 4293 4294 if ((flowb = calloc(1, sizeof(*flowb))) == NULL) { 4295 log_debug("%s: failed to get flow", __func__); 4296 flow_free(flowa); 4297 goto done; 4298 } 4299 4300 memcpy(flowb, flowa, sizeof(*flow)); 4301 4302 flowb->flow_dir = IPSP_DIRECTION_IN; 4303 memcpy(&flowb->flow_src, &flow->flow_dst, 4304 sizeof(flow->flow_dst)); 4305 memcpy(&flowb->flow_dst, &flow->flow_src, 4306 sizeof(flow->flow_src)); 4307 ikev2_cp_fixaddr(sa, &flow->flow_dst, &flowb->flow_src); 4308 4309 TAILQ_INSERT_TAIL(&sa->sa_flows, flowa, flow_entry); 4310 TAILQ_INSERT_TAIL(&sa->sa_flows, flowb, flow_entry); 4311 } 4312 } 4313 4314 /* create the CHILD SAs using the key material */ 4315 TAILQ_FOREACH(prop, proposals, prop_entry) { 4316 if (ikev2_valid_proposal(prop, &encrxf, &integrxf, &esn) != 0) 4317 continue; 4318 4319 spi = 0; 4320 4321 if ((csa = calloc(1, sizeof(*csa))) == NULL) { 4322 log_debug("%s: failed to get CHILD SA", __func__); 4323 goto done; 4324 } 4325 4326 csa->csa_saproto = prop->prop_protoid; 4327 csa->csa_ikesa = sa; 4328 csa->csa_spi.spi_protoid = prop->prop_protoid; 4329 csa->csa_esn = esn; 4330 4331 /* Set up responder's SPIs */ 4332 if (initiator) { 4333 csa->csa_dir = IPSP_DIRECTION_OUT; 4334 csa->csa_local = &sa->sa_local; 4335 csa->csa_peer = &sa->sa_peer; 4336 csa->csa_peerspi = prop->prop_localspi.spi; 4337 csa->csa_spi.spi = prop->prop_peerspi.spi; 4338 csa->csa_spi.spi_size = prop->prop_peerspi.spi_size; 4339 } else { 4340 csa->csa_dir = IPSP_DIRECTION_IN; 4341 csa->csa_local = &sa->sa_peer; 4342 csa->csa_peer = &sa->sa_local; 4343 4344 if ((ret = pfkey_sa_init(env->sc_pfkey, csa, 4345 &spi)) != 0) 4346 goto done; 4347 csa->csa_allocated = 1; 4348 4349 csa->csa_peerspi = prop->prop_peerspi.spi; 4350 csa->csa_spi.spi = prop->prop_localspi.spi = spi; 4351 csa->csa_spi.spi_size = 4; 4352 } 4353 4354 if (encrxf && (csa->csa_encrkey = ibuf_get(keymat, 4355 encrxf->xform_keylength / 8)) == NULL) { 4356 log_debug("%s: failed to get CHILD SA encryption key", 4357 __func__); 4358 childsa_free(csa); 4359 goto done; 4360 } 4361 if (integrxf && (csa->csa_integrkey = ibuf_get(keymat, 4362 integrxf->xform_keylength / 8)) == NULL) { 4363 log_debug("%s: failed to get CHILD SA integrity key", 4364 __func__); 4365 childsa_free(csa); 4366 goto done; 4367 } 4368 if (encrxf) 4369 csa->csa_encrid = encrxf->xform_id; 4370 if (integrxf) 4371 csa->csa_integrid = integrxf->xform_id; 4372 4373 if ((csb = calloc(1, sizeof(*csb))) == NULL) { 4374 log_debug("%s: failed to get CHILD SA", __func__); 4375 childsa_free(csa); 4376 goto done; 4377 } 4378 4379 memcpy(csb, csa, sizeof(*csb)); 4380 4381 /* Set up initiator's SPIs */ 4382 csb->csa_spi.spi = csa->csa_peerspi; 4383 csb->csa_peerspi = csa->csa_spi.spi; 4384 csb->csa_allocated = csa->csa_allocated ? 0 : 1; 4385 csb->csa_dir = csa->csa_dir == IPSP_DIRECTION_IN ? 4386 IPSP_DIRECTION_OUT : IPSP_DIRECTION_IN; 4387 csb->csa_local = csa->csa_peer; 4388 csb->csa_peer = csa->csa_local; 4389 4390 if (encrxf && (csb->csa_encrkey = ibuf_get(keymat, 4391 encrxf->xform_keylength / 8)) == NULL) { 4392 log_debug("%s: failed to get CHILD SA encryption key", 4393 __func__); 4394 childsa_free(csa); 4395 childsa_free(csb); 4396 goto done; 4397 } 4398 if (integrxf && (csb->csa_integrkey = ibuf_get(keymat, 4399 integrxf->xform_keylength / 8)) == NULL) { 4400 log_debug("%s: failed to get CHILD SA integrity key", 4401 __func__); 4402 childsa_free(csa); 4403 childsa_free(csb); 4404 goto done; 4405 } 4406 4407 TAILQ_INSERT_TAIL(&sa->sa_childsas, csa, csa_entry); 4408 TAILQ_INSERT_TAIL(&sa->sa_childsas, csb, csa_entry); 4409 4410 csa->csa_peersa = csb; 4411 csb->csa_peersa = csa; 4412 } 4413 4414 ret = 0; 4415 done: 4416 ibuf_release(dhsecret); 4417 ibuf_release(keymat); 4418 ibuf_release(seed); 4419 4420 return (ret); 4421 } 4422 4423 /* free a replaced IPCOMP SA */ 4424 void 4425 ikev2_ipcomp_csa_free(struct iked *env, struct iked_childsa *csa) 4426 { 4427 if (csa->csa_children) 4428 fatalx("ikev2_ipcomp_csa_free: has children"); 4429 if (csa->csa_ikesa) 4430 TAILQ_REMOVE(&csa->csa_ikesa->sa_childsas, csa, 4431 csa_entry); 4432 if (csa->csa_loaded) { 4433 log_debug("%s: csa %p loaded: calling pfkey_sa_delete", 4434 __func__, csa); 4435 pfkey_sa_delete(env->sc_pfkey, csa); 4436 RB_REMOVE(iked_activesas, &env->sc_activesas, csa); 4437 } 4438 childsa_free(csa); 4439 } 4440 4441 int 4442 ikev2_ipcomp_enable(struct iked *env, struct iked_sa *sa) 4443 { 4444 struct iked_childsa *other, *nother, *csa = NULL, *csb = NULL; 4445 struct iked_flow *flow, *flowa = NULL, *flowb = NULL; 4446 struct iked_flow *nflow, *oflow; 4447 4448 if ((csa = calloc(1, sizeof(*csa))) == NULL || 4449 (csb = calloc(1, sizeof(*csb))) == NULL || 4450 (flowa = calloc(1, sizeof(*flowa))) == NULL || 4451 (flowb = calloc(1, sizeof(*flowb))) == NULL) { 4452 free(csa); 4453 free(csb); 4454 free(flowa); 4455 free(flowb); 4456 return (-1); 4457 } 4458 4459 /* switch ESP SAs to transport mode */ 4460 TAILQ_FOREACH(other, &sa->sa_childsas, csa_entry) { 4461 if (!other->csa_rekey && !other->csa_loaded && 4462 other->csa_saproto == IKEV2_SAPROTO_ESP) { 4463 other->csa_transport = 1; 4464 if (other->csa_dir == IPSP_DIRECTION_OUT) { 4465 other->csa_parent = csa; 4466 csa->csa_children++; 4467 } else { 4468 other->csa_parent = csb; 4469 csb->csa_children++; 4470 } 4471 } 4472 } 4473 4474 /* install IPCOMP SAs */ 4475 csa->csa_ikesa = sa; 4476 csa->csa_saproto = IKEV2_SAPROTO_IPCOMP; 4477 csa->csa_spi.spi_size = 2; 4478 csa->csa_spi.spi = sa->sa_cpi_out; 4479 csa->csa_peerspi = sa->sa_cpi_in; 4480 csa->csa_dir = IPSP_DIRECTION_OUT; 4481 csa->csa_local = &sa->sa_local; 4482 csa->csa_peer = &sa->sa_peer; 4483 4484 memcpy(csb, csa, sizeof(*csb)); 4485 csb->csa_spi.spi = csa->csa_peerspi; 4486 csb->csa_peerspi = csa->csa_spi.spi; 4487 csb->csa_dir = IPSP_DIRECTION_IN; 4488 csb->csa_local = csa->csa_peer; 4489 csb->csa_peer = csa->csa_local; 4490 csb->csa_allocated = 1; 4491 4492 /* remove old replaced IPCOMP SAs */ 4493 TAILQ_FOREACH_SAFE(other, &sa->sa_childsas, csa_entry, nother) { 4494 if (other->csa_saproto != IKEV2_SAPROTO_IPCOMP || 4495 other->csa_children != 0) 4496 continue; 4497 if (other->csa_dir == csa->csa_dir && 4498 IKED_ADDR_EQ(other->csa_local, csa->csa_local) && 4499 IKED_ADDR_EQ(other->csa_peer, csa->csa_peer)) { 4500 log_debug("%s: csa %p replaces %p", 4501 __func__, csa, other); 4502 ikev2_ipcomp_csa_free(env, other); 4503 } else if (other->csa_dir == csb->csa_dir && 4504 IKED_ADDR_EQ(other->csa_local, csb->csa_local) && 4505 IKED_ADDR_EQ(other->csa_peer, csb->csa_peer)) { 4506 log_debug("%s: csa %p replaces %p", 4507 __func__, csb, other); 4508 ikev2_ipcomp_csa_free(env, other); 4509 } 4510 } 4511 4512 TAILQ_INSERT_TAIL(&sa->sa_childsas, csa, csa_entry); 4513 TAILQ_INSERT_TAIL(&sa->sa_childsas, csb, csa_entry); 4514 4515 csa->csa_peersa = csb; 4516 csb->csa_peersa = csa; 4517 4518 /* redirect flows to IPCOMP */ 4519 /* XXX expensive? should be merged into ikev2_childsa_negotiate() */ 4520 TAILQ_FOREACH_SAFE(flow, &sa->sa_flows, flow_entry, nflow) { 4521 if (flow->flow_loaded || 4522 flow->flow_saproto != IKEV2_SAPROTO_ESP) 4523 continue; 4524 TAILQ_FOREACH(oflow, &sa->sa_flows, flow_entry) 4525 if (IKED_ADDR_EQ(&oflow->flow_src, &flow->flow_src) && 4526 IKED_ADDR_EQ(&oflow->flow_dst, &flow->flow_dst) && 4527 oflow->flow_dir == flow->flow_dir && 4528 oflow->flow_saproto == IKEV2_SAPROTO_IPCOMP) 4529 break; 4530 if (oflow != NULL) { 4531 log_debug("%s: keeping oflow %p, indentical to flow %p", 4532 __func__, oflow, flow); 4533 TAILQ_REMOVE(&sa->sa_flows, flow, flow_entry); 4534 flow_free(flow); 4535 } else { 4536 log_debug("%s: flow %p saproto %d -> %d", __func__, 4537 flow, flow->flow_saproto, IKEV2_SAPROTO_IPCOMP); 4538 flow->flow_saproto = IKEV2_SAPROTO_IPCOMP; 4539 } 4540 } 4541 4542 /* setup ESP flows for gateways */ 4543 flowa->flow_dir = IPSP_DIRECTION_OUT; 4544 flowa->flow_saproto = IKEV2_SAPROTO_ESP; 4545 flowa->flow_local = &sa->sa_local; 4546 flowa->flow_peer = &sa->sa_peer; 4547 memcpy(&flowa->flow_src, &sa->sa_local, sizeof(sa->sa_local)); 4548 memcpy(&flowa->flow_dst, &sa->sa_peer, sizeof(sa->sa_peer)); 4549 socket_setport((struct sockaddr *)&flowa->flow_src.addr, 0); 4550 socket_setport((struct sockaddr *)&flowa->flow_dst.addr, 0); 4551 flowa->flow_src.addr_port = flowa->flow_dst.addr_port = 0; 4552 flowa->flow_src.addr_mask = flowa->flow_dst.addr_mask = 4553 (sa->sa_local.addr_af == AF_INET) ? 32 : 128; 4554 flowa->flow_ikesa = sa; 4555 4556 /* skip if flow already exists */ 4557 TAILQ_FOREACH(flow, &sa->sa_flows, flow_entry) { 4558 if (IKED_ADDR_EQ(&flow->flow_src, &flowa->flow_src) && 4559 IKED_ADDR_EQ(&flow->flow_dst, &flowa->flow_dst) && 4560 flow->flow_dir == flowa->flow_dir && 4561 flow->flow_saproto == flowa->flow_saproto) { 4562 free(flowa); 4563 free(flowb); 4564 goto done; 4565 } 4566 } 4567 4568 memcpy(flowb, flowa, sizeof(*flowb)); 4569 flowb->flow_dir = IPSP_DIRECTION_IN; 4570 memcpy(&flowb->flow_dst, &flowa->flow_src, sizeof(flowa->flow_src)); 4571 memcpy(&flowb->flow_src, &flowa->flow_dst, sizeof(flowa->flow_dst)); 4572 4573 TAILQ_INSERT_TAIL(&sa->sa_flows, flowa, flow_entry); 4574 TAILQ_INSERT_TAIL(&sa->sa_flows, flowb, flow_entry); 4575 4576 done: 4577 /* make sure IPCOMP CPIs are not reused */ 4578 sa->sa_ipcomp = 0; 4579 sa->sa_cpi_in = sa->sa_cpi_out = 0; 4580 4581 return (0); 4582 } 4583 4584 int 4585 ikev2_childsa_enable(struct iked *env, struct iked_sa *sa) 4586 { 4587 struct iked_childsa *csa; 4588 struct iked_flow *flow, *oflow; 4589 4590 if (sa->sa_ipcomp && sa->sa_cpi_in && sa->sa_cpi_out && 4591 ikev2_ipcomp_enable(env, sa) == -1) 4592 return (-1); 4593 4594 TAILQ_FOREACH(csa, &sa->sa_childsas, csa_entry) { 4595 if (csa->csa_rekey || csa->csa_loaded) 4596 continue; 4597 4598 if (pfkey_sa_add(env->sc_pfkey, csa, NULL) != 0) { 4599 log_debug("%s: failed to load CHILD SA spi %s", 4600 __func__, print_spi(csa->csa_spi.spi, 4601 csa->csa_spi.spi_size)); 4602 return (-1); 4603 } 4604 4605 RB_INSERT(iked_activesas, &env->sc_activesas, csa); 4606 4607 log_debug("%s: loaded CHILD SA spi %s", __func__, 4608 print_spi(csa->csa_spi.spi, csa->csa_spi.spi_size)); 4609 } 4610 4611 TAILQ_FOREACH(flow, &sa->sa_flows, flow_entry) { 4612 if (flow->flow_loaded) 4613 continue; 4614 4615 if (pfkey_flow_add(env->sc_pfkey, flow) != 0) { 4616 log_debug("%s: failed to load flow", __func__); 4617 return (-1); 4618 } 4619 4620 if ((oflow = RB_FIND(iked_flows, &env->sc_activeflows, flow)) 4621 != NULL) { 4622 log_debug("%s: replaced old flow %p with %p", 4623 __func__, oflow, flow); 4624 oflow->flow_loaded = 0; 4625 RB_REMOVE(iked_flows, &env->sc_activeflows, oflow); 4626 } 4627 4628 RB_INSERT(iked_flows, &env->sc_activeflows, flow); 4629 4630 log_debug("%s: loaded flow %p", __func__, flow); 4631 } 4632 4633 return (0); 4634 } 4635 4636 int 4637 ikev2_childsa_delete(struct iked *env, struct iked_sa *sa, u_int8_t saproto, 4638 u_int64_t spi, u_int64_t *spiptr, int cleanup) 4639 { 4640 struct iked_childsa *csa, *nextcsa = NULL; 4641 u_int64_t peerspi = 0; 4642 int found = 0; 4643 4644 for (csa = TAILQ_FIRST(&sa->sa_childsas); csa != NULL; csa = nextcsa) { 4645 nextcsa = TAILQ_NEXT(csa, csa_entry); 4646 4647 if ((saproto && csa->csa_saproto != saproto) || 4648 (spi && (csa->csa_spi.spi != spi && 4649 csa->csa_peerspi != spi)) || 4650 (cleanup && csa->csa_loaded)) 4651 continue; 4652 4653 if (csa->csa_loaded) 4654 RB_REMOVE(iked_activesas, &env->sc_activesas, csa); 4655 4656 if (pfkey_sa_delete(env->sc_pfkey, csa) != 0) 4657 log_debug("%s: failed to delete CHILD SA spi %s", 4658 __func__, print_spi(csa->csa_spi.spi, 4659 csa->csa_spi.spi_size)); 4660 else 4661 log_debug("%s: deleted CHILD SA spi %s", __func__, 4662 print_spi(csa->csa_spi.spi, 4663 csa->csa_spi.spi_size)); 4664 found++; 4665 4666 if (spi && csa->csa_spi.spi == spi) 4667 peerspi = csa->csa_peerspi; 4668 4669 TAILQ_REMOVE(&sa->sa_childsas, csa, csa_entry); 4670 childsa_free(csa); 4671 } 4672 4673 if (spiptr) 4674 *spiptr = peerspi; 4675 4676 return (found ? 0 : -1); 4677 } 4678 4679 int 4680 ikev2_valid_proposal(struct iked_proposal *prop, 4681 struct iked_transform **exf, struct iked_transform **ixf, int *esn) 4682 { 4683 struct iked_transform *xform, *encrxf, *integrxf; 4684 u_int i, doesn = 0; 4685 4686 switch (prop->prop_protoid) { 4687 case IKEV2_SAPROTO_ESP: 4688 case IKEV2_SAPROTO_AH: 4689 break; 4690 default: 4691 return (-1); 4692 } 4693 4694 encrxf = integrxf = NULL; 4695 for (i = 0; i < prop->prop_nxforms; i++) { 4696 xform = prop->prop_xforms + i; 4697 if (xform->xform_type == IKEV2_XFORMTYPE_ENCR) 4698 encrxf = xform; 4699 else if (xform->xform_type == IKEV2_XFORMTYPE_INTEGR) 4700 integrxf = xform; 4701 else if (xform->xform_type == IKEV2_XFORMTYPE_ESN && 4702 xform->xform_id == IKEV2_XFORMESN_ESN) 4703 doesn = 1; 4704 } 4705 4706 if (prop->prop_protoid == IKEV2_SAPROTO_IKE) { 4707 if (encrxf == NULL || integrxf == NULL) 4708 return (-1); 4709 } else if (prop->prop_protoid == IKEV2_SAPROTO_AH) { 4710 if (integrxf == NULL) 4711 return (-1); 4712 } else if (prop->prop_protoid == IKEV2_SAPROTO_ESP) { 4713 if (encrxf == NULL) 4714 return (-1); 4715 } 4716 4717 if (exf) 4718 *exf = encrxf; 4719 if (ixf) 4720 *ixf = integrxf; 4721 if (esn) 4722 *esn = doesn; 4723 4724 return (0); 4725 } 4726 4727 /* return 0 if processed, -1 if busy */ 4728 int 4729 ikev2_acquire_sa(struct iked *env, struct iked_flow *acquire) 4730 { 4731 struct iked_flow *flow; 4732 struct iked_sa *sa; 4733 struct iked_policy pol, *p = NULL; 4734 4735 if (env->sc_passive) 4736 return (0); 4737 4738 /* First try to find an active flow with IKE SA */ 4739 flow = RB_FIND(iked_flows, &env->sc_activeflows, acquire); 4740 if (!flow) { 4741 /* Otherwise try to find a matching policy */ 4742 bzero(&pol, sizeof(pol)); 4743 pol.pol_af = acquire->flow_peer->addr_af; 4744 memcpy(&pol.pol_peer, acquire->flow_peer, 4745 sizeof(pol.pol_peer)); 4746 4747 RB_INIT(&pol.pol_flows); 4748 RB_INSERT(iked_flows, &pol.pol_flows, acquire); 4749 pol.pol_nflows = 1; 4750 4751 if ((p = policy_test(env, &pol)) == NULL) { 4752 log_warnx("%s: flow wasn't found", __func__); 4753 return (0); 4754 } 4755 4756 log_debug("%s: found matching policy '%s'", __func__, 4757 p->pol_name); 4758 4759 if (ikev2_init_ike_sa_peer(env, p, acquire->flow_peer) != 0) 4760 log_warnx("%s: failed to initiate a " 4761 "IKE_SA_INIT exchange", __func__); 4762 } else { 4763 log_debug("%s: found active flow", __func__); 4764 4765 if ((sa = flow->flow_ikesa) == NULL) { 4766 log_warnx("%s: flow without SA", __func__); 4767 return (0); 4768 } 4769 if (sa->sa_stateflags & IKED_REQ_CHILDSA) 4770 return (-1); /* busy, retry later */ 4771 if (ikev2_send_create_child_sa(env, sa, NULL, 4772 flow->flow_saproto) != 0) 4773 log_warnx("%s: failed to initiate a " 4774 "CREATE_CHILD_SA exchange", __func__); 4775 } 4776 return (0); 4777 } 4778 4779 void 4780 ikev2_disable_rekeying(struct iked *env, struct iked_sa *sa) 4781 { 4782 struct iked_childsa *csa; 4783 4784 TAILQ_FOREACH(csa, &sa->sa_childsas, csa_entry) { 4785 csa->csa_persistent = 1; 4786 csa->csa_rekey = 0; 4787 } 4788 4789 (void)ikev2_childsa_delete(env, sa, 0, 0, NULL, 1); 4790 } 4791 4792 /* return 0 if processed, -1 if busy */ 4793 int 4794 ikev2_rekey_sa(struct iked *env, struct iked_spi *rekey) 4795 { 4796 struct iked_childsa *csa, key; 4797 struct iked_sa *sa; 4798 4799 key.csa_spi = *rekey; 4800 csa = RB_FIND(iked_activesas, &env->sc_activesas, &key); 4801 if (!csa) 4802 return (0); 4803 4804 if (csa->csa_rekey) /* See if it's already taken care of */ 4805 return (0); 4806 if (csa->csa_saproto == IKEV2_SAPROTO_IPCOMP) /* no rekey */ 4807 return (0); 4808 if ((sa = csa->csa_ikesa) == NULL) { 4809 log_warnx("%s: SA %s doesn't have a parent SA", __func__, 4810 print_spi(rekey->spi, rekey->spi_size)); 4811 return (0); 4812 } 4813 if (!sa_stateok(sa, IKEV2_STATE_ESTABLISHED)) { 4814 log_warnx("%s: SA %s is not established", __func__, 4815 print_spi(rekey->spi, rekey->spi_size)); 4816 return (0); 4817 } 4818 if (sa->sa_stateflags & IKED_REQ_CHILDSA) 4819 return (-1); /* busy, retry later */ 4820 if (csa->csa_allocated) /* Peer SPI died first, get the local one */ 4821 rekey->spi = csa->csa_peerspi; 4822 if (ikev2_send_create_child_sa(env, sa, rekey, rekey->spi_protoid)) 4823 log_warnx("%s: failed to initiate a CREATE_CHILD_SA exchange", 4824 __func__); 4825 return (0); 4826 } 4827 4828 /* return 0 if processed, -1 if busy */ 4829 int 4830 ikev2_drop_sa(struct iked *env, struct iked_spi *drop) 4831 { 4832 struct ibuf *buf = NULL; 4833 struct iked_childsa *csa, key; 4834 struct iked_sa *sa; 4835 struct ikev2_delete *del; 4836 u_int32_t spi32; 4837 4838 key.csa_spi = *drop; 4839 csa = RB_FIND(iked_activesas, &env->sc_activesas, &key); 4840 if (!csa || csa->csa_rekey) 4841 return (0); 4842 4843 sa = csa->csa_ikesa; 4844 if (sa && (sa->sa_stateflags & IKED_REQ_CHILDSA)) 4845 return (-1); /* busy, retry later */ 4846 4847 RB_REMOVE(iked_activesas, &env->sc_activesas, csa); 4848 csa->csa_loaded = 0; 4849 csa->csa_rekey = 1; /* prevent re-loading */ 4850 if (sa == NULL) { 4851 log_debug("%s: failed to find a parent SA", __func__); 4852 return (0); 4853 } 4854 if (csa->csa_saproto == IKEV2_SAPROTO_IPCOMP) { 4855 /* matching Child SAs (e.g. ESP) should have expired by now */ 4856 if (csa->csa_children == 0) 4857 ikev2_ipcomp_csa_free(env, csa); 4858 return (0); 4859 } 4860 4861 if (csa->csa_allocated) 4862 spi32 = htobe32(csa->csa_spi.spi); 4863 else 4864 spi32 = htobe32(csa->csa_peerspi); 4865 4866 if (ikev2_childsa_delete(env, sa, csa->csa_saproto, 4867 csa->csa_peerspi, NULL, 0)) 4868 log_debug("%s: failed to delete CHILD SA %s", __func__, 4869 print_spi(csa->csa_peerspi, drop->spi_size)); 4870 4871 /* Send PAYLOAD_DELETE */ 4872 4873 if ((buf = ibuf_static()) == NULL) 4874 return (0); 4875 if ((del = ibuf_advance(buf, sizeof(*del))) == NULL) 4876 goto done; 4877 del->del_protoid = drop->spi_protoid; 4878 del->del_spisize = 4; 4879 del->del_nspi = htobe16(1); 4880 if (ibuf_add(buf, &spi32, sizeof(spi32))) 4881 goto done; 4882 4883 if (ikev2_send_ike_e(env, sa, buf, IKEV2_PAYLOAD_DELETE, 4884 IKEV2_EXCHANGE_INFORMATIONAL, 0) == -1) 4885 goto done; 4886 4887 sa->sa_stateflags |= IKED_REQ_INF; 4888 4889 /* Initiate Child SA creation */ 4890 if (ikev2_send_create_child_sa(env, sa, NULL, drop->spi_protoid)) 4891 log_warnx("%s: failed to initiate a CREATE_CHILD_SA exchange", 4892 __func__); 4893 4894 done: 4895 ibuf_release(buf); 4896 return (0); 4897 } 4898 4899 int 4900 ikev2_print_id(struct iked_id *id, char *idstr, size_t idstrlen) 4901 { 4902 u_int8_t buf[BUFSIZ], *ptr; 4903 struct sockaddr_in *s4; 4904 struct sockaddr_in6 *s6; 4905 char *str; 4906 ssize_t len; 4907 int i; 4908 const char *type; 4909 4910 bzero(buf, sizeof(buf)); 4911 bzero(idstr, idstrlen); 4912 4913 if (id->id_buf == NULL) 4914 return (-1); 4915 4916 len = ibuf_size(id->id_buf); 4917 ptr = ibuf_data(id->id_buf); 4918 4919 if (len <= id->id_offset) 4920 return (-1); 4921 4922 len -= id->id_offset; 4923 ptr += id->id_offset; 4924 4925 type = print_map(id->id_type, ikev2_id_map); 4926 4927 if (strlcpy(idstr, type, idstrlen) >= idstrlen || 4928 strlcat(idstr, "/", idstrlen) >= idstrlen) 4929 return (-1); 4930 4931 idstr += strlen(idstr); 4932 idstrlen -= strlen(idstr); 4933 4934 switch (id->id_type) { 4935 case IKEV2_ID_IPV4: 4936 s4 = (struct sockaddr_in *)buf; 4937 s4->sin_family = AF_INET; 4938 s4->sin_len = sizeof(*s4); 4939 memcpy(&s4->sin_addr.s_addr, ptr, len); 4940 4941 if (print_host((struct sockaddr *)s4, 4942 idstr, idstrlen) == NULL) 4943 return (-1); 4944 break; 4945 case IKEV2_ID_FQDN: 4946 case IKEV2_ID_UFQDN: 4947 if (len >= (ssize_t)sizeof(buf)) 4948 return (-1); 4949 4950 if ((str = get_string(ptr, len)) == NULL) 4951 return (-1); 4952 4953 if (strlcpy(idstr, str, idstrlen) >= idstrlen) { 4954 free(str); 4955 return (-1); 4956 } 4957 free(str); 4958 break; 4959 case IKEV2_ID_IPV6: 4960 s6 = (struct sockaddr_in6 *)buf; 4961 s6->sin6_family = AF_INET6; 4962 s6->sin6_len = sizeof(*s6); 4963 memcpy(&s6->sin6_addr, ptr, len); 4964 4965 if (print_host((struct sockaddr *)s6, 4966 idstr, idstrlen) == NULL) 4967 return (-1); 4968 break; 4969 case IKEV2_ID_ASN1_DN: 4970 if ((str = ca_asn1_name(ptr, len)) == NULL) 4971 return (-1); 4972 if (strlcpy(idstr, str, idstrlen) >= idstrlen) { 4973 free(str); 4974 return (-1); 4975 } 4976 free(str); 4977 break; 4978 default: 4979 /* XXX test */ 4980 for (i = 0; i < ((ssize_t)idstrlen - 1) && i < len; i++) 4981 snprintf(idstr + i, idstrlen - i, 4982 "%02x", ptr[i]); 4983 break; 4984 } 4985 4986 return (0); 4987 } 4988 4989 /* 4990 * If we have an IKEV2_CP_REQUEST for IKEV2_CFG_INTERNAL_IP4_ADDRESS and 4991 * if a network(pool) is configured, then select an address from that pool 4992 * and remember it in the sa_addrpool attribute. 4993 */ 4994 int 4995 ikev2_cp_setaddr(struct iked *env, struct iked_sa *sa) 4996 { 4997 struct iked_cfg *ikecfg = NULL; 4998 struct iked_policy *pol = sa->sa_policy; 4999 struct sockaddr_in *in4 = NULL, *cfg4 = NULL; 5000 struct sockaddr_in6 *in6 = NULL, *cfg6 = NULL; 5001 struct iked_sa key; 5002 struct iked_addr addr; 5003 u_int32_t mask, host, lower, upper, start; 5004 size_t i; 5005 5006 if (sa->sa_addrpool || pol->pol_ncfg == 0) 5007 return (0); 5008 /* check for an address pool config (address w/ prefixlen != 32) */ 5009 bzero(&addr, sizeof(addr)); 5010 for (i = 0; i < pol->pol_ncfg; i++) { 5011 ikecfg = &pol->pol_cfg[i]; 5012 if (ikecfg->cfg_type == IKEV2_CFG_INTERNAL_IP4_ADDRESS && 5013 ikecfg->cfg.address.addr_mask != 32) { 5014 addr.addr_af = AF_INET; 5015 break; 5016 } 5017 if (ikecfg->cfg_type == IKEV2_CFG_INTERNAL_IP6_ADDRESS && 5018 ikecfg->cfg.address.addr_mask != 128) { 5019 addr.addr_af = AF_INET6; 5020 break; 5021 } 5022 } 5023 if (i == pol->pol_ncfg) 5024 return (0); 5025 5026 /* 5027 * failure: pool configured, but not requested. 5028 * If we continue, we might end up with flows where 0.0.0.0 is NOT 5029 * replaced with an address from the pool with ikev2_cp_fixaddr(). 5030 */ 5031 if (sa->sa_cp != IKEV2_CP_REQUEST) { 5032 log_debug("%s: pool configured, but IKEV2_CP_REQUEST missing", 5033 __func__); 5034 return (-1); 5035 } 5036 5037 /* truncate prefixlen in the v6 case */ 5038 mask = prefixlen2mask(ikecfg->cfg.address.addr_mask); 5039 5040 switch (addr.addr_af) { 5041 case AF_INET: 5042 cfg4 = (struct sockaddr_in *)&ikecfg->cfg.address.addr; 5043 in4 = (struct sockaddr_in *)&addr.addr; 5044 in4->sin_family = AF_INET; 5045 in4->sin_len = sizeof(*in4); 5046 lower = ntohl(cfg4->sin_addr.s_addr & ~mask); 5047 break; 5048 case AF_INET6: 5049 cfg6 = (struct sockaddr_in6 *)&ikecfg->cfg.address.addr; 5050 in6 = (struct sockaddr_in6 *)&addr.addr; 5051 in6->sin6_family = AF_INET6; 5052 in6->sin6_len = sizeof(*in6); 5053 lower = cfg6->sin6_addr.s6_addr[3]; 5054 break; 5055 default: 5056 return (-1); 5057 } 5058 5059 if (lower == 0) 5060 lower = 1; 5061 /* Note that start, upper and host are in HOST byte order */ 5062 upper = ntohl(~mask); 5063 /* Randomly select start from [lower, upper-1] */ 5064 start = arc4random_uniform(upper - lower) + lower; 5065 5066 key.sa_addrpool = &addr; 5067 5068 for (host = start;;) { 5069 log_debug("%s: mask %x start %x lower %x host %x upper %x", 5070 __func__, mask, start, lower, host, upper); 5071 switch (addr.addr_af) { 5072 case AF_INET: 5073 in4->sin_addr.s_addr = 5074 (cfg4->sin_addr.s_addr & mask) | htonl(host); 5075 break; 5076 case AF_INET6: 5077 memcpy(in6, cfg6, sizeof(*in6)); 5078 in6->sin6_addr.s6_addr[3] = htonl(host); 5079 break; 5080 } 5081 if (!RB_FIND(iked_addrpool, &env->sc_addrpool, &key)) 5082 break; 5083 /* try next address */ 5084 host++; 5085 /* but skip broadcast and network address */ 5086 if (host >= upper || host < lower) 5087 host = lower; 5088 if (host == start) 5089 return (-1); /* exhausted */ 5090 } 5091 if (!key.sa_addrpool) 5092 return (-1); /* cannot happen? */ 5093 if ((sa->sa_addrpool = calloc(1, sizeof(addr))) == NULL) 5094 return (-1); 5095 memcpy(sa->sa_addrpool, &addr, sizeof(addr)); 5096 RB_INSERT(iked_addrpool, &env->sc_addrpool, sa); 5097 return (0); 5098 } 5099 5100 /* 5101 * if 'addr' is 'UNSPECIFIED' replace it with sa_addrpool from 5102 * the ip-pool and store the result in 'patched'. 5103 */ 5104 int 5105 ikev2_cp_fixaddr(struct iked_sa *sa, struct iked_addr *addr, 5106 struct iked_addr *patched) 5107 { 5108 struct sockaddr_in *in4; 5109 struct sockaddr_in6 *in6; 5110 5111 if (sa->sa_addrpool == NULL || 5112 sa->sa_addrpool->addr_af != addr->addr_af) 5113 return (-1); 5114 switch (addr->addr_af) { 5115 case AF_INET: 5116 in4 = (struct sockaddr_in *)&addr->addr; 5117 if (in4->sin_addr.s_addr) 5118 return (-1); 5119 break; 5120 case AF_INET6: 5121 in6 = (struct sockaddr_in6 *)&addr->addr; 5122 if (IN6_IS_ADDR_UNSPECIFIED(&in6->sin6_addr)) 5123 return (-1); 5124 break; 5125 } 5126 memcpy(patched, sa->sa_addrpool, sizeof(*patched)); 5127 return (0); 5128 } 5129