/* * Show IKE algorithms for * - this connection (result from ike= string) * - newest SA */ void ike_alg_show_connection(const struct connection *c, const char *instance) { const struct state *st; if (c->alg_info_ike != NULL) { char buf[1024]; alg_info_ike_snprint(buf, sizeof(buf) - 1, c->alg_info_ike); whack_log(RC_COMMENT, "\"%s\"%s: IKE algorithms wanted: %s", c->name, instance, buf); alg_info_snprint_ike(buf, sizeof(buf), c->alg_info_ike); whack_log(RC_COMMENT, "\"%s\"%s: IKE algorithms found: %s", c->name, instance, buf); } st = state_with_serialno(c->newest_isakmp_sa); if (st != NULL) { struct esb_buf encbuf, prfbuf, integbuf, groupbuf; if (!st->st_ikev2) { /* IKEv1 */ whack_log(RC_COMMENT, "\"%s\"%s: IKE algorithm newest: %s_%03d-%s-%s", c->name, instance, enum_show_shortb(&oakley_enc_names, st->st_oakley.encrypt, &encbuf), /* st->st_oakley.encrypter->keydeflen, */ st->st_oakley.enckeylen, enum_show_shortb(&oakley_hash_names, st->st_oakley.prf_hash, &prfbuf), enum_show_shortb(&oakley_group_names, st->st_oakley.group->group, &groupbuf)); } else { /* IKEv2 */ whack_log(RC_COMMENT, "\"%s\"%s: IKEv2 algorithm newest: %s_%03d-%s-%s-%s", c->name, instance, enum_showb(&ikev2_trans_type_encr_names, st->st_oakley.encrypt, &encbuf), /* st->st_oakley.encrypter->keydeflen, */ st->st_oakley.enckeylen, enum_showb(&ikev2_trans_type_integ_names, st->st_oakley.integ_hash, &integbuf), enum_showb(&ikev2_trans_type_prf_names, st->st_oakley.prf_hash, &prfbuf), enum_show_shortb(&oakley_group_names, st->st_oakley.group->group, &groupbuf)); } } }
/* * Show registered IKE algorithms */ void ike_alg_show_status(void) { unsigned i; struct ike_alg *algo; whack_log(RC_COMMENT, "IKE algorithms supported:"); whack_log(RC_COMMENT, " "); /* spacer */ IKE_EALG_FOR_EACH(algo) { struct esb_buf v1namebuf, v2namebuf; passert(algo != NULL); passert(algo->algo_id != 0 || algo->algo_v2id != 0); whack_log(RC_COMMENT, "algorithm IKE encrypt: v1id=%d, v1name=%s, v2id=%d, v2name=%s, blocksize=%zu, keydeflen=%u", algo->algo_id, enum_showb(&oakley_enc_names, algo->algo_id, &v1namebuf), algo->algo_v2id, enum_showb(&ikev2_trans_type_encr_names, algo->algo_v2id, &v2namebuf), ((struct encrypt_desc *)algo)->enc_blocksize, ((struct encrypt_desc *)algo)->keydeflen); } IKE_HALG_FOR_EACH(algo) { /* * ??? we think that hash_integ_len is meaningless * (and 0) for IKE hashes */ pexpect(((struct hash_desc *)algo)->hash_integ_len == 0); whack_log(RC_COMMENT, "algorithm IKE hash: id=%d, name=%s, hashlen=%zu", algo->algo_id, enum_name(&oakley_hash_names, algo->algo_id), ((struct hash_desc *)algo)->hash_digest_len); } #define IKE_DH_ALG_FOR_EACH(idx) for ((idx) = 0; (idx) != oakley_group_size; (idx)++) IKE_DH_ALG_FOR_EACH(i) { const struct oakley_group_desc *gdesc = oakley_group + i; whack_log(RC_COMMENT, "algorithm IKE dh group: id=%d, name=%s, bits=%d", gdesc->group, enum_name(&oakley_group_names, gdesc->group), (int)gdesc->bytes * BITS_PER_BYTE); } whack_log(RC_COMMENT, " "); /* spacer */ }
/* used by kernel_netlink.c and kernel_bsdkame.c */ int kernel_alg_add(int satype, int exttype, const struct sadb_alg *sadb_alg) { struct sadb_alg *alg_p, tmp_alg; uint8_t alg_id = sadb_alg->sadb_alg_id; if (DBGP(DBG_KERNEL|DBG_CRYPT)) { const char *exttype_name = exttype == SADB_EXT_SUPPORTED_AUTH ? "SADB_EXT_SUPPORTED_AUTH" : exttype == SADB_EXT_SUPPORTED_ENCRYPT ? "SADB_EXT_SUPPORTED_ENCRYPT" : "SADB_EXT_SUPPORTED_???"; struct esb_buf alg_name_buf; /* * XXX: The ALG_ID value found here comes from the * Linux kernel (see libreswan/pfkeyv2.h) so using * AH_TRANSFORMID_NAMES and ESP_TRANSFORMID_NAMES is * only an approximation. */ const char *alg_name = exttype == SADB_EXT_SUPPORTED_AUTH ? enum_showb(&ah_transformid_names, alg_id, &alg_name_buf) : exttype == SADB_EXT_SUPPORTED_ENCRYPT ? enum_showb(&esp_transformid_names, alg_id, &alg_name_buf) : "???"; const char *satype_name = satype == SADB_SATYPE_ESP ? "SADB_SATYPE_ESP" : satype == SADB_SATYPE_AH ? "SADB_SATYPE_AH" : "SADB_SATYPE_???"; DBG_log("kernel_alg_add(): satype=%d(%s), exttype=%d(%s), alg_id=%d(%s), alg_ivlen=%d, alg_minbits=%d, alg_maxbits=%d", satype, satype_name, exttype, exttype_name, alg_id, alg_name, sadb_alg->sadb_alg_ivlen, sadb_alg->sadb_alg_minbits, sadb_alg->sadb_alg_maxbits); } alg_p = sadb_alg_ptr(satype, exttype, alg_id, TRUE); if (alg_p == NULL) { DBG(DBG_KERNEL, DBG_log("kernel_alg_add(%d,%d,%d) fails because alg combo is invalid", satype, exttype, alg_id)); return -1; } /* This logic "mimics" KLIPS: first algo implementation will be used */ if (alg_p->sadb_alg_id != 0) { DBG(DBG_KERNEL, DBG_log("kernel_alg_add(): discarding already setup satype=%d, exttype=%d, alg_id=%d", satype, exttype, alg_id); );
/* * Show registered IKE algorithms */ void ike_alg_show_status(void) { whack_log(RC_COMMENT, "IKE algorithms supported:"); whack_log(RC_COMMENT, " "); /* spacer */ for (const struct encrypt_desc **algp = next_ike_encrypt_desc(NULL); algp != NULL; algp = next_ike_encrypt_desc(algp)) { struct esb_buf v1namebuf, v2namebuf; const struct encrypt_desc *alg = (*algp); passert(alg->common.ikev1_oakley_id != 0 || alg->common.ikev2_id != 0); whack_log(RC_COMMENT, "algorithm IKE encrypt: v1id=%d, v1name=%s, v2id=%d, v2name=%s, blocksize=%zu, keydeflen=%u", alg->common.ikev1_oakley_id, enum_showb(&oakley_enc_names, alg->common.ikev1_oakley_id, &v1namebuf), alg->common.ikev2_id, enum_showb(&ikev2_trans_type_encr_names, alg->common.ikev2_id, &v2namebuf), alg->enc_blocksize, alg->keydeflen); } for (const struct prf_desc **algp = next_ike_prf_desc(NULL); algp != NULL; algp = next_ike_prf_desc(algp)) { const struct prf_desc *alg = (*algp); whack_log(RC_COMMENT, "algorithm IKE hash: id=%d, name=%s, hashlen=%zu", alg->common.ikev1_oakley_id, enum_name(&oakley_hash_names, alg->common.ikev1_oakley_id), alg->prf_output_size); } const struct oakley_group_desc *gdesc; for (gdesc = next_oakley_group(NULL); gdesc != NULL; gdesc = next_oakley_group(gdesc)) { whack_log(RC_COMMENT, "algorithm IKE dh group: id=%d, name=%s, bits=%d", gdesc->group, enum_name(&oakley_group_names, gdesc->group), (int)gdesc->bytes * BITS_PER_BYTE); } whack_log(RC_COMMENT, " "); /* spacer */ }
/* * Show registered IKE algorithms */ void ike_alg_show_status(void) { unsigned i; struct ike_alg *algo; whack_log(RC_COMMENT, "IKE algorithms supported:"); whack_log(RC_COMMENT, " "); /* spacer */ IKE_EALG_FOR_EACH(algo) { static char v1namebuf[ENUM_SHOW_BUF_LEN]; static char v2namebuf[ENUM_SHOW_BUF_LEN]; passert(algo != NULL); passert(algo->algo_id != 0 || algo->algo_v2id != 0); whack_log(RC_COMMENT, "algorithm IKE encrypt: v1id=%d, v1name=%s, v2id=%d, v2name=%s, blocksize=%d, keydeflen=%d", algo->algo_id, enum_showb(&oakley_enc_names, algo->algo_id, v1namebuf, sizeof(v1namebuf)), algo->algo_v2id, enum_showb(&ikev2_trans_type_encr_names, algo->algo_v2id, v2namebuf, sizeof(v2namebuf)), (int)((struct encrypt_desc *)algo)->enc_blocksize, ((struct encrypt_desc *)algo)->keydeflen); } IKE_HALG_FOR_EACH(algo) { whack_log(RC_COMMENT, "algorithm IKE hash: id=%d, name=%s, hashsize=%d", algo->algo_id, enum_name(&oakley_hash_names, algo->algo_id), (int)((struct hash_desc *)algo)->hash_digest_len ); } #define IKE_DH_ALG_FOR_EACH(idx) for (idx = 0; idx != oakley_group_size; idx++) IKE_DH_ALG_FOR_EACH(i) { const struct oakley_group_desc *gdesc = oakley_group + i; whack_log(RC_COMMENT, "algorithm IKE dh group: id=%d, name=%s, bits=%d", gdesc->group, enum_name(&oakley_group_names, gdesc->group), (int)gdesc->bytes * BITS_PER_BYTE ); } whack_log(RC_COMMENT, " "); /* spacer */ }
/* * Show IKE algorithms for * - this connection (result from ike= string) * - newest SA */ void ike_alg_show_connection(struct connection *c, const char *instance) { struct state *st; if (c->alg_info_ike) { char buf[1024]; alg_info_snprint(buf, sizeof(buf) - 1, (struct alg_info *)c->alg_info_ike); whack_log(RC_COMMENT, "\"%s\"%s: IKE algorithms wanted: %s", c->name, instance, buf); alg_info_snprint_ike(buf, sizeof(buf), c->alg_info_ike); whack_log(RC_COMMENT, "\"%s\"%s: IKE algorithms found: %s", c->name, instance, buf); } st = state_with_serialno(c->newest_isakmp_sa); if (st != NULL) { static char encbuf[ENUM_SHOW_BUF_LEN]; static char prfbuf[ENUM_SHOW_BUF_LEN]; static char integbuf[ENUM_SHOW_BUF_LEN]; static char groupbuf[ENUM_SHOW_BUF_LEN]; if (!st->st_ikev2) { /* IKEv1 */ whack_log(RC_COMMENT, "\"%s\"%s: IKE algorithm newest: %s_%03d-%s-%s", c->name, instance, strip_prefix(enum_showb(&oakley_enc_names, st->st_oakley.encrypt, encbuf, sizeof(encbuf)), "OAKLEY_"), /* st->st_oakley.encrypter->keydeflen, */ st->st_oakley.enckeylen, strip_prefix(enum_showb(&oakley_hash_names, st->st_oakley.prf_hash, prfbuf, sizeof(prfbuf)), "OAKLEY_"), strip_prefix(enum_showb(&oakley_group_names, st->st_oakley.group->group, groupbuf, sizeof(groupbuf)), "OAKLEY_GROUP_")); } else { /* IKEv2 */ whack_log(RC_COMMENT, "\"%s\"%s: IKEv2 algorithm newest: %s_%03d-%s-%s-%s", c->name, instance, enum_showb(&ikev2_trans_type_encr_names, st->st_oakley.encrypt, encbuf, sizeof(encbuf)), /* st->st_oakley.encrypter->keydeflen, */ st->st_oakley.enckeylen, enum_showb(&ikev2_trans_type_integ_names, st->st_oakley.integ_hash, integbuf, sizeof(integbuf)), enum_showb(&ikev2_trans_type_prf_names, st->st_oakley.prf_hash, prfbuf, sizeof(prfbuf)), strip_prefix(enum_showb(&oakley_group_names, st->st_oakley.group->group, groupbuf, sizeof(groupbuf)), "OAKLEY_GROUP_")); } } }
const char *enum_show(enum_names *ed, unsigned long val) { static char buf[ENUM_SHOW_BUF_LEN]; /* only one! NON-RE-ENTRANT */ return enum_showb(ed, val, buf, sizeof(buf)); }
static void doi_log_cert_thinking(struct msg_digest *md UNUSED, u_int16_t auth, enum ike_cert_type certtype, enum certpolicy policy, bool gotcertrequest, bool send_cert) { DBG(DBG_CONTROL, DBG_log("thinking about whether to send my certificate:")); DBG(DBG_CONTROL, { char esb[ENUM_SHOW_BUF_LEN]; DBG_log(" I have RSA key: %s cert.type: %s ", enum_showb(&oakley_auth_names, auth, esb, sizeof(esb)), enum_show(&ike_cert_type_names, certtype)); }); DBG(DBG_CONTROL, DBG_log(" sendcert: %s and I did%s get a certificate request ", enum_show(&certpolicy_type_names, policy), gotcertrequest ? "" : " not")); DBG(DBG_CONTROL, DBG_log(" so %ssend cert.", send_cert ? "" : "do not ")); if (!send_cert) { if (auth == OAKLEY_PRESHARED_KEY) DBG(DBG_CONTROL, DBG_log("I did not send a certificate because digital signatures are not being used. (PSK)"));