/*
* Show IKE algorithms for
* - this connection (result from ike= string)
* - newest SA
*/
void ike_alg_show_connection(const struct connection *c, const char *instance)
{
const struct state *st;
if (c->alg_info_ike != NULL) {
char buf[1024];
alg_info_ike_snprint(buf, sizeof(buf) - 1,
c->alg_info_ike);
whack_log(RC_COMMENT,
"\"%s\"%s: IKE algorithms wanted: %s",
c->name,
instance,
buf);
alg_info_snprint_ike(buf, sizeof(buf), c->alg_info_ike);
whack_log(RC_COMMENT,
"\"%s\"%s: IKE algorithms found: %s",
c->name,
instance,
buf);
}
st = state_with_serialno(c->newest_isakmp_sa);
if (st != NULL) {
struct esb_buf encbuf, prfbuf, integbuf, groupbuf;
if (!st->st_ikev2) {
/* IKEv1 */
whack_log(RC_COMMENT,
"\"%s\"%s: IKE algorithm newest: %s_%03d-%s-%s",
c->name,
instance,
enum_show_shortb(&oakley_enc_names, st->st_oakley.encrypt, &encbuf),
/* st->st_oakley.encrypter->keydeflen, */
st->st_oakley.enckeylen,
enum_show_shortb(&oakley_hash_names, st->st_oakley.prf_hash, &prfbuf),
enum_show_shortb(&oakley_group_names, st->st_oakley.group->group, &groupbuf));
} else {
/* IKEv2 */
whack_log(RC_COMMENT,
"\"%s\"%s: IKEv2 algorithm newest: %s_%03d-%s-%s-%s",
c->name,
instance,
enum_showb(&ikev2_trans_type_encr_names, st->st_oakley.encrypt, &encbuf),
/* st->st_oakley.encrypter->keydeflen, */
st->st_oakley.enckeylen,
enum_showb(&ikev2_trans_type_integ_names, st->st_oakley.integ_hash, &integbuf),
enum_showb(&ikev2_trans_type_prf_names, st->st_oakley.prf_hash, &prfbuf),
enum_show_shortb(&oakley_group_names, st->st_oakley.group->group, &groupbuf));
}
}
}
/*
* Show registered IKE algorithms
*/
void ike_alg_show_status(void)
{
unsigned i;
struct ike_alg *algo;
whack_log(RC_COMMENT, "IKE algorithms supported:");
whack_log(RC_COMMENT, " "); /* spacer */
IKE_EALG_FOR_EACH(algo) {
struct esb_buf v1namebuf, v2namebuf;
passert(algo != NULL);
passert(algo->algo_id != 0 || algo->algo_v2id != 0);
whack_log(RC_COMMENT,
"algorithm IKE encrypt: v1id=%d, v1name=%s, v2id=%d, v2name=%s, blocksize=%zu, keydeflen=%u",
algo->algo_id,
enum_showb(&oakley_enc_names, algo->algo_id, &v1namebuf),
algo->algo_v2id,
enum_showb(&ikev2_trans_type_encr_names, algo->algo_v2id, &v2namebuf),
((struct encrypt_desc *)algo)->enc_blocksize,
((struct encrypt_desc *)algo)->keydeflen);
}
IKE_HALG_FOR_EACH(algo) {
/*
* ??? we think that hash_integ_len is meaningless
* (and 0) for IKE hashes
*/
pexpect(((struct hash_desc *)algo)->hash_integ_len == 0);
whack_log(RC_COMMENT,
"algorithm IKE hash: id=%d, name=%s, hashlen=%zu",
algo->algo_id,
enum_name(&oakley_hash_names, algo->algo_id),
((struct hash_desc *)algo)->hash_digest_len);
}
#define IKE_DH_ALG_FOR_EACH(idx) for ((idx) = 0; (idx) != oakley_group_size; (idx)++)
IKE_DH_ALG_FOR_EACH(i) {
const struct oakley_group_desc *gdesc = oakley_group + i;
whack_log(RC_COMMENT,
"algorithm IKE dh group: id=%d, name=%s, bits=%d",
gdesc->group,
enum_name(&oakley_group_names, gdesc->group),
(int)gdesc->bytes * BITS_PER_BYTE);
}
whack_log(RC_COMMENT, " "); /* spacer */
}
/* used by kernel_netlink.c and kernel_bsdkame.c */
int kernel_alg_add(int satype, int exttype, const struct sadb_alg *sadb_alg)
{
struct sadb_alg *alg_p, tmp_alg;
uint8_t alg_id = sadb_alg->sadb_alg_id;
if (DBGP(DBG_KERNEL|DBG_CRYPT)) {
const char *exttype_name =
exttype == SADB_EXT_SUPPORTED_AUTH ? "SADB_EXT_SUPPORTED_AUTH"
: exttype == SADB_EXT_SUPPORTED_ENCRYPT ? "SADB_EXT_SUPPORTED_ENCRYPT"
: "SADB_EXT_SUPPORTED_???";
struct esb_buf alg_name_buf;
/*
* XXX: The ALG_ID value found here comes from the
* Linux kernel (see libreswan/pfkeyv2.h) so using
* AH_TRANSFORMID_NAMES and ESP_TRANSFORMID_NAMES is
* only an approximation.
*/
const char *alg_name =
exttype == SADB_EXT_SUPPORTED_AUTH ? enum_showb(&ah_transformid_names, alg_id, &alg_name_buf)
: exttype == SADB_EXT_SUPPORTED_ENCRYPT ? enum_showb(&esp_transformid_names, alg_id, &alg_name_buf)
: "???";
const char *satype_name =
satype == SADB_SATYPE_ESP ? "SADB_SATYPE_ESP"
: satype == SADB_SATYPE_AH ? "SADB_SATYPE_AH"
: "SADB_SATYPE_???";
DBG_log("kernel_alg_add(): satype=%d(%s), exttype=%d(%s), alg_id=%d(%s), alg_ivlen=%d, alg_minbits=%d, alg_maxbits=%d",
satype, satype_name,
exttype, exttype_name,
alg_id, alg_name,
sadb_alg->sadb_alg_ivlen,
sadb_alg->sadb_alg_minbits,
sadb_alg->sadb_alg_maxbits);
}
alg_p = sadb_alg_ptr(satype, exttype, alg_id, TRUE);
if (alg_p == NULL) {
DBG(DBG_KERNEL,
DBG_log("kernel_alg_add(%d,%d,%d) fails because alg combo is invalid",
satype, exttype, alg_id));
return -1;
}
/* This logic "mimics" KLIPS: first algo implementation will be used */
if (alg_p->sadb_alg_id != 0) {
DBG(DBG_KERNEL,
DBG_log("kernel_alg_add(): discarding already setup satype=%d, exttype=%d, alg_id=%d",
satype, exttype,
alg_id);
);
/*
* Show registered IKE algorithms
*/
void ike_alg_show_status(void)
{
whack_log(RC_COMMENT, "IKE algorithms supported:");
whack_log(RC_COMMENT, " "); /* spacer */
for (const struct encrypt_desc **algp = next_ike_encrypt_desc(NULL);
algp != NULL;
algp = next_ike_encrypt_desc(algp)) {
struct esb_buf v1namebuf, v2namebuf;
const struct encrypt_desc *alg = (*algp);
passert(alg->common.ikev1_oakley_id != 0 || alg->common.ikev2_id != 0);
whack_log(RC_COMMENT,
"algorithm IKE encrypt: v1id=%d, v1name=%s, v2id=%d, v2name=%s, blocksize=%zu, keydeflen=%u",
alg->common.ikev1_oakley_id,
enum_showb(&oakley_enc_names, alg->common.ikev1_oakley_id, &v1namebuf),
alg->common.ikev2_id,
enum_showb(&ikev2_trans_type_encr_names, alg->common.ikev2_id, &v2namebuf),
alg->enc_blocksize,
alg->keydeflen);
}
for (const struct prf_desc **algp = next_ike_prf_desc(NULL);
algp != NULL;
algp = next_ike_prf_desc(algp)) {
const struct prf_desc *alg = (*algp);
whack_log(RC_COMMENT,
"algorithm IKE hash: id=%d, name=%s, hashlen=%zu",
alg->common.ikev1_oakley_id,
enum_name(&oakley_hash_names, alg->common.ikev1_oakley_id),
alg->prf_output_size);
}
const struct oakley_group_desc *gdesc;
for (gdesc = next_oakley_group(NULL);
gdesc != NULL;
gdesc = next_oakley_group(gdesc)) {
whack_log(RC_COMMENT,
"algorithm IKE dh group: id=%d, name=%s, bits=%d",
gdesc->group,
enum_name(&oakley_group_names, gdesc->group),
(int)gdesc->bytes * BITS_PER_BYTE);
}
whack_log(RC_COMMENT, " "); /* spacer */
}
/*
* Show registered IKE algorithms
*/
void ike_alg_show_status(void)
{
unsigned i;
struct ike_alg *algo;
whack_log(RC_COMMENT, "IKE algorithms supported:");
whack_log(RC_COMMENT, " "); /* spacer */
IKE_EALG_FOR_EACH(algo) {
static char v1namebuf[ENUM_SHOW_BUF_LEN];
static char v2namebuf[ENUM_SHOW_BUF_LEN];
passert(algo != NULL);
passert(algo->algo_id != 0 || algo->algo_v2id != 0);
whack_log(RC_COMMENT,
"algorithm IKE encrypt: v1id=%d, v1name=%s, v2id=%d, v2name=%s, blocksize=%d, keydeflen=%d",
algo->algo_id,
enum_showb(&oakley_enc_names, algo->algo_id, v1namebuf, sizeof(v1namebuf)),
algo->algo_v2id,
enum_showb(&ikev2_trans_type_encr_names, algo->algo_v2id, v2namebuf, sizeof(v2namebuf)),
(int)((struct encrypt_desc *)algo)->enc_blocksize,
((struct encrypt_desc *)algo)->keydeflen);
}
IKE_HALG_FOR_EACH(algo) {
whack_log(RC_COMMENT,
"algorithm IKE hash: id=%d, name=%s, hashsize=%d",
algo->algo_id,
enum_name(&oakley_hash_names, algo->algo_id),
(int)((struct hash_desc *)algo)->hash_digest_len
);
}
#define IKE_DH_ALG_FOR_EACH(idx) for (idx = 0; idx != oakley_group_size; idx++)
IKE_DH_ALG_FOR_EACH(i) {
const struct oakley_group_desc *gdesc = oakley_group + i;
whack_log(RC_COMMENT,
"algorithm IKE dh group: id=%d, name=%s, bits=%d",
gdesc->group,
enum_name(&oakley_group_names, gdesc->group),
(int)gdesc->bytes * BITS_PER_BYTE
);
}
whack_log(RC_COMMENT, " "); /* spacer */
}
/*
* Show IKE algorithms for
* - this connection (result from ike= string)
* - newest SA
*/
void ike_alg_show_connection(struct connection *c, const char *instance)
{
struct state *st;
if (c->alg_info_ike) {
char buf[1024];
alg_info_snprint(buf, sizeof(buf) - 1,
(struct alg_info *)c->alg_info_ike);
whack_log(RC_COMMENT,
"\"%s\"%s: IKE algorithms wanted: %s",
c->name,
instance,
buf);
alg_info_snprint_ike(buf, sizeof(buf), c->alg_info_ike);
whack_log(RC_COMMENT,
"\"%s\"%s: IKE algorithms found: %s",
c->name,
instance,
buf);
}
st = state_with_serialno(c->newest_isakmp_sa);
if (st != NULL) {
static char encbuf[ENUM_SHOW_BUF_LEN];
static char prfbuf[ENUM_SHOW_BUF_LEN];
static char integbuf[ENUM_SHOW_BUF_LEN];
static char groupbuf[ENUM_SHOW_BUF_LEN];
if (!st->st_ikev2) { /* IKEv1 */
whack_log(RC_COMMENT,
"\"%s\"%s: IKE algorithm newest: %s_%03d-%s-%s",
c->name,
instance,
strip_prefix(enum_showb(&oakley_enc_names, st->st_oakley.encrypt, encbuf, sizeof(encbuf)), "OAKLEY_"),
/* st->st_oakley.encrypter->keydeflen, */
st->st_oakley.enckeylen,
strip_prefix(enum_showb(&oakley_hash_names, st->st_oakley.prf_hash, prfbuf, sizeof(prfbuf)), "OAKLEY_"),
strip_prefix(enum_showb(&oakley_group_names, st->st_oakley.group->group, groupbuf, sizeof(groupbuf)), "OAKLEY_GROUP_"));
} else { /* IKEv2 */
whack_log(RC_COMMENT,
"\"%s\"%s: IKEv2 algorithm newest: %s_%03d-%s-%s-%s",
c->name,
instance,
enum_showb(&ikev2_trans_type_encr_names, st->st_oakley.encrypt, encbuf, sizeof(encbuf)),
/* st->st_oakley.encrypter->keydeflen, */
st->st_oakley.enckeylen,
enum_showb(&ikev2_trans_type_integ_names, st->st_oakley.integ_hash, integbuf, sizeof(integbuf)),
enum_showb(&ikev2_trans_type_prf_names, st->st_oakley.prf_hash, prfbuf, sizeof(prfbuf)),
strip_prefix(enum_showb(&oakley_group_names, st->st_oakley.group->group, groupbuf, sizeof(groupbuf)), "OAKLEY_GROUP_"));
}
}
}
const char *enum_show(enum_names *ed, unsigned long val)
{
static char buf[ENUM_SHOW_BUF_LEN]; /* only one! NON-RE-ENTRANT */
return enum_showb(ed, val, buf, sizeof(buf));
}
static void doi_log_cert_thinking(struct msg_digest *md UNUSED,
u_int16_t auth,
enum ike_cert_type certtype,
enum certpolicy policy,
bool gotcertrequest,
bool send_cert)
{
DBG(DBG_CONTROL,
DBG_log("thinking about whether to send my certificate:"));
DBG(DBG_CONTROL, {
char esb[ENUM_SHOW_BUF_LEN];
DBG_log(" I have RSA key: %s cert.type: %s ",
enum_showb(&oakley_auth_names, auth, esb, sizeof(esb)),
enum_show(&ike_cert_type_names, certtype));
});
DBG(DBG_CONTROL,
DBG_log(" sendcert: %s and I did%s get a certificate request ",
enum_show(&certpolicy_type_names, policy),
gotcertrequest ? "" : " not"));
DBG(DBG_CONTROL,
DBG_log(" so %ssend cert.", send_cert ? "" : "do not "));
if (!send_cert) {
if (auth == OAKLEY_PRESHARED_KEY)
DBG(DBG_CONTROL,
DBG_log("I did not send a certificate because digital signatures are not being used. (PSK)"));
