/*
 * Send a DPD (dead peer detection) probe on behalf of a Phase 2 state.
 *
 * The probe itself travels on the ISAKMP SA, so the newest established
 * Phase 1 state of the same connection is looked up and handed to
 * dpd_outI() together with the connection's DPD delay and timeout.
 * When no established Phase 1 state exists the request is logged as a
 * serious error and nothing is sent.
 *
 * @param p2st Phase 2 state whose connection supplies the DPD parameters.
 */
void p2_dpd_outI1(struct state *p2st)
{
    struct connection *c = p2st->st_connection;
    time_t delay = c->dpd_delay;
    time_t timeout = c->dpd_timeout;
    /* the probe is carried by the related Phase 1 (ISAKMP) SA */
    struct state *p1st = find_phase1_state(c, ISAKMP_SA_ESTABLISHED_STATES);

    if (p1st == NULL) {
        loglog(RC_LOG_SERIOUS, "DPD Error: could not find newest phase 1 state");
        return;
    }

    dpd_outI(p1st, p2st, TRUE, delay, timeout);
}
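/**
 * Look up the host pair named by an IPsec policy query and fill in the
 * relative crypto strength, bandwidth class, per-protocol detail and the
 * credential that authenticated the peer.
 *
 * The query is first answered with the "no crypto" defaults; any failure to
 * find a connection or its Phase 1 / Phase 2 states returns with those
 * defaults still in place.
 *
 * @param ipcq IPsec policy query. query_local, query_remote and proto are
 *             read; the result fields are written. When the connection only
 *             matches in the reverse direction the two addresses are swapped
 *             so the caller sees the connection's own orientation.
 * @return void
 */
static void info_lookuphostpair(struct ipsec_policy_cmd_query *ipcq)
{
    struct connection *c;
    struct state *p1st, *p2st;

    /* default result: no crypto */
    ipcq->strength = IPSEC_PRIVACY_NONE;
    ipcq->bandwidth = IPSEC_QOS_WIRESPEED;
    ipcq->credential_count = 0;

#ifdef DEBUG
    {
        char sstr[ADDRTOT_BUF], dstr[ADDRTOT_BUF];

        addrtot(&ipcq->query_local, 0, sstr, sizeof(sstr));
        addrtot(&ipcq->query_remote, 0, dstr, sizeof(dstr));
        DBG_log("info request for %s -> %s", sstr, dstr);
    }
#endif

    /* okay, look up what connection handles this ip pair */
    c = find_connection_for_clients(NULL, &ipcq->query_local, &ipcq->query_remote, ipcq->proto);
    if (c == NULL) {
        /* try reversing it */
        c = find_connection_for_clients(NULL, &ipcq->query_remote, &ipcq->query_local, ipcq->proto);
        if (c != NULL) {
            ip_address tmp;

            /* If it is reversed, swap it */
            tmp = ipcq->query_local;
            ipcq->query_local = ipcq->query_remote;
            ipcq->query_remote = tmp;
        }
    }

    if (c == NULL) {
#ifdef DEBUG
        DBG_log("no connection found");
#endif
        return; /* no crypto */
    }

    if (c->newest_ipsec_sa == SOS_NOBODY) {
        ip_subnet us, them;

        DBG_log("connection %s found, no ipsec state, looking again", c->name);
        addrtosubnet(&ipcq->query_local, &us);
        addrtosubnet(&ipcq->query_remote, &them);
        c = find_client_connection(c, &us, &them, 0, 0, 0, 0);
        if (c == NULL) {
            return; /* no crypto */
        }
    }

    DBG_log("connection %s[%ld] with state %u"
            , c->name, c->instance_serial
            , (unsigned int)c->newest_ipsec_sa);

    if (c->newest_ipsec_sa == SOS_NOBODY) {
        return; /* no crypto */
    }

    /* we found a connection, try to lookup the state */
    p2st = state_with_serialno(c->newest_ipsec_sa);
    p1st = find_phase1_state(c, ISAKMP_SA_ESTABLISHED_STATES);

    if (p1st == NULL || p2st == NULL) {
        /* name the state that is actually missing; the old text named the
         * one that was present and called both of them "phase1" */
        DBG_log("connection %s[%ld] has missing states %s %s"
                , c->name, c->instance_serial
                , (p1st == NULL ? "phase1" : "")
                , (p2st == NULL ? "phase2" : ""));
        return; /* no crypto */
    }

    /* if we have AH present, then record minimal info */
    if (p2st->st_ah.present) {
        ipcq->strength = IPSEC_PRIVACY_INTEGRAL;
        /* the integrity algorithm belongs to the AH SA, not the ESP SA */
        ipcq->auth_detail = p2st->st_ah.attrs.transattrs.integ_hash;
    }

    if (p2st->st_esp.present) {
        /*
         * XXX-mcr Please do not shout at me about relative strengths
         * here. I'm not a cryptographer. I just diddle bits.
         */
        switch (p2st->st_esp.attrs.transattrs.encrypt) {
        case ESP_NULL:
            /* actually, do not change it if we set it from AH */
            break;

        case ESP_DES:
        case ESP_DES_IV64:
        case ESP_DES_IV32:
        case ESP_RC4:
            ipcq->strength = IPSEC_PRIVACY_ROT13;
            break;

        case ESP_RC5:
        case ESP_IDEA:
        case ESP_CAST:
        case ESP_BLOWFISH:
        case ESP_3DES:
            ipcq->strength = IPSEC_PRIVACY_PRIVATE;
            ipcq->bandwidth = IPSEC_QOS_VOIP;
            break;

        case ESP_3IDEA:
            ipcq->strength = IPSEC_PRIVACY_STRONG;
            ipcq->bandwidth = IPSEC_QOS_INTERACTIVE;
            break;

        case ESP_AES:
            ipcq->strength = IPSEC_PRIVACY_STRONG;
            ipcq->bandwidth = IPSEC_QOS_FTP;
            break;

        default:
            /* unknown transform: leave strength/bandwidth as already set */
            break;
        }
        ipcq->esp_detail = p2st->st_esp.attrs.transattrs.encrypt;
    }

    if (p2st->st_ipcomp.present) {
        /* the compression transform lives in the IPCOMP SA's attrs (its
         * encrypt slot carries the transform id), not in the ESP SA's */
        ipcq->comp_detail = p2st->st_ipcomp.attrs.transattrs.encrypt;
    }

    /* now! the credentials that were used */
    /* for the moment we only have 1 credential, the DNS name,
     * because the DNS servers do not return the chain of SIGs yet */
    if (!c->spd.this.key_from_DNS_on_demand) {
        /* the key didn't come from the DNS in some way,
         * so it must have been loaded locally. */
        ipcq->credential_count = 1;
        ipcq->credentials[0].ii_type = c->spd.this.id.kind;
        ipcq->credentials[0].ii_format = CERT_RAW_RSA;
    }

    /* NOTE(review): st_peer_pubkey is not guaranteed to be set for every
     * Phase 1 (presumably not when the peer was not authenticated with a
     * public key -- confirm against the authentication code). Whatever the
     * reason, do not dereference NULL; keep what the local-key branch above
     * recorded and stop here. */
    if (p1st->st_peer_pubkey == NULL) {
        DBG_log("connection %s[%ld] has no peer public key; credential detail omitted"
                , c->name, c->instance_serial);
        return;
    }

    ipcq->credential_count = 1;

    /* pull credentials out of gw_info */
    switch (p1st->st_peer_pubkey->dns_auth_level) {
    case DAL_UNSIGNED:
    case DAL_NOTSEC:
        /* these seem to be the same for this purpose */
        ipcq->credentials[0].ii_type = p1st->st_peer_pubkey->id.kind;
        /* the format is "none"; the old code assigned CERT_NONE to ii_type twice
         * and left ii_format unset */
        ipcq->credentials[0].ii_format = CERT_NONE;
        idtoa(&p1st->st_peer_pubkey->id
              , ipcq->credentials[0].ii_credential.ipsec_dns_signed.fqdn
              , sizeof(ipcq->credentials[0].ii_credential.ipsec_dns_signed.fqdn));
        break;

    case DAL_SIGNED:
        ipcq->credentials[0].ii_type = p1st->st_peer_pubkey->id.kind;
        ipcq->credentials[0].ii_format = CERT_DNS_SIGNED_KEY;
        idtoa(&p1st->st_peer_pubkey->id
              , ipcq->credentials[0].ii_credential.ipsec_dns_signed.fqdn
              , sizeof(ipcq->credentials[0].ii_credential.ipsec_dns_signed.fqdn));
        if (p1st->st_peer_pubkey->dns_sig != NULL) {
            char *sig = ipcq->credentials[0].ii_credential.ipsec_dns_signed.dns_sig;

            /* The query buffer comes from the caller and this function never
             * initialises dns_sig, so there is no trustworthy string to append
             * to: start from an empty string and copy at most sizeof-1 bytes,
             * which strncat then NUL-terminates. The old size expression was
             * sizeof(dst) - strlen(dst - 1), reading before the buffer. */
            sig[0] = '\0';
            strncat(sig, p1st->st_peer_pubkey->dns_sig
                    , sizeof(ipcq->credentials[0].ii_credential.ipsec_dns_signed.dns_sig) - 1);
        }
        break;

    case DAL_LOCAL:
        ipcq->credentials[0].ii_type = p1st->st_peer_pubkey->id.kind;
        ipcq->credentials[0].ii_format = CERT_RAW_RSA;
        idtoa(&p1st->st_peer_pubkey->id
              , ipcq->credentials[0].ii_credential.ipsec_raw_key.id_name
              , sizeof(ipcq->credentials[0].ii_credential.ipsec_raw_key.id_name));
        break;

    default:
        /* unknown DNS auth level: nothing further is known about the peer
         * credential; credentials[0] keeps whatever was recorded above */
        break;
    }
}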
so_serial_t replacing, enum crypto_importance importance #ifdef HAVE_LABELED_IPSEC , struct xfrm_user_sec_ctx_ike *uctx #endif ) { /* If there's already an ISAKMP SA established, use that and * go directly to Quick Mode. We are even willing to use one * that is still being negotiated, but only if we are the Initiator * (thus we can be sure that the IDs are not going to change; * other issues around intent might matter). * Note: there is no way to initiate with a Road Warrior. */ struct state *st = find_phase1_state(c, ISAKMP_SA_ESTABLISHED_STATES | PHASE1_INITIATOR_STATES); if (st == NULL) { initiator_function *initiator = pick_initiator(c, policy); if (initiator != NULL) { (void) initiator(whack_sock, c, NULL, policy, try, importance #ifdef HAVE_LABELED_IPSEC , uctx #endif ); } else { /* fizzle: whack_sock will be unused */ close_any(whack_sock); }