/* Get list of "local equivalent" realms. Meaning the list of realms * where [email protected] is considered the same user as [email protected] * If not specified, default to upper-case of local domain name */ struct conf_list *get_local_realms(void) { static struct conf_list *local_realms = NULL; if (local_realms) return local_realms; local_realms = conf_get_list("General", "Local-Realms"); if (local_realms == NULL) { struct conf_list_node *node; local_realms = malloc(sizeof *local_realms); if (local_realms == NULL) return NULL; local_realms->cnt = 0; TAILQ_INIT(&local_realms->fields); node = calloc(1, sizeof *node); if (node == NULL) return NULL; node->field = calloc(1, NFS4_MAX_DOMAIN_LEN); if (node->field == NULL) { free(node); return NULL; } nfs4_get_default_domain(NULL, node->field, NFS4_MAX_DOMAIN_LEN); toupper_str(node->field); TAILQ_INSERT_TAIL(&local_realms->fields, node, link); local_realms->cnt++; } return local_realms; }
int nfs4_init_name_mapping(char *conffile)
{
int ret = -ENOENT;
char *method;
int dflt = 0;
struct conf_list *nfs4_methods, *gss_methods;
/* XXX: need to be able to reload configurations... */
if (nfs4_plugins) /* already succesfully initialized */
return 0;
if (conffile)
conf_path = conffile;
else
conf_path = PATH_IDMAPDCONF;
conf_init();
default_domain = conf_get_str("General", "Domain");
if (default_domain == NULL) {
dflt = 1;
ret = domain_from_dns(&default_domain);
if (ret) {
IDMAP_LOG(1, ("libnfsidmap: Unable to determine "
"the NFSv4 domain; Using '%s' as the NFSv4 domain "
"which means UIDs will be mapped to the 'Nobody-User' "
"user defined in %s\n",
IDMAPD_DEFAULT_DOMAIN, PATH_IDMAPDCONF));
default_domain = IDMAPD_DEFAULT_DOMAIN;
}
}
IDMAP_LOG(1, ("libnfsidmap: using%s domain: %s\n",
(dflt ? " (default)" : ""), default_domain));
/* Get list of "local equivalent" realms. Meaning the list of realms
* where [email protected] is considered the same user as [email protected]
* If not specified, default to upper-case of local domain name */
local_realms = conf_get_list("General", "Local-Realms");
if (local_realms == NULL) {
struct conf_list_node *node;
local_realms = malloc(sizeof *local_realms);
if (local_realms == NULL)
return -ENOMEM;
local_realms->cnt = 0;
TAILQ_INIT(&local_realms->fields);
node = calloc(1, sizeof *node);
if (node == NULL)
return -ENOMEM;
node->field = strdup(get_default_domain());
if (node->field == NULL)
return -ENOMEM;
toupper_str(node->field);
TAILQ_INSERT_TAIL(&local_realms->fields, node, link);
local_realms->cnt++;
}
nfs4_methods = conf_get_list("Translation", "Method");
if (nfs4_methods) {
IDMAP_LOG(1, ("libnfsidmap: processing 'Method' list\n"));
if (load_plugins(nfs4_methods, &nfs4_plugins) == -1)
return -ENOENT;
} else {
struct conf_list list;
struct conf_list_node node;
TAILQ_INIT(&list.fields);
list.cnt = 1;
node.field = "nsswitch";
TAILQ_INSERT_TAIL (&list.fields, &node, link);
if (load_plugins(&list, &nfs4_plugins) == -1)
return -ENOENT;
}
gss_methods = conf_get_list("Translation", "GSS-Methods");
if (gss_methods) {
IDMAP_LOG(1, ("libnfsidmap: processing 'GSS-Methods' list\n"));
if (load_plugins(gss_methods, &gss_plugins) == -1)
goto out;
}
ret = 0;
out:
if (ret) {
if (nfs4_plugins)
unload_plugins(nfs4_plugins);
if (gss_plugins)
unload_plugins(gss_plugins);
nfs4_plugins = gss_plugins = NULL;
}
return ret ? -ENOENT: 0;
}
/*
* Call the configuration API.
* XXX Error handling! How to do multi-line transactions?
*/
static void
ui_config(char *cmd)
{
struct conf_list *vlist;
struct conf_list_node *vnode;
char subcmd[201], section[201], tag[201], value[201], tmp[201];
char *v, *nv;
int trans = 0, items, skip = 0, ret;
FILE *fp;
if (sscanf(cmd, "C %200s", subcmd) != 1)
goto fail;
if (strcasecmp(subcmd, "get") == 0) {
if (sscanf(cmd, "C %*s [%200[^]]]:%200s", section, tag) != 2)
goto fail;
v = conf_get_str(section, tag);
fp = ui_open_result();
if (fp) {
if (v)
fprintf(fp, "%s\n", v);
fclose(fp);
}
LOG_DBG((LOG_UI, 30, "ui_config: \"%s\"", cmd));
return;
}
trans = conf_begin();
if (strcasecmp(subcmd, "set") == 0) {
items = sscanf(cmd, "C %*s [%200[^]]]:%200[^=]=%200s %200s",
section, tag, value, tmp);
if (!(items == 3 || items == 4))
goto fail;
conf_set(trans, section, tag, value, items == 4 ? 1 : 0, 0);
if (strcasecmp(section, "Phase 2") == 0 &&
(strcasecmp(tag, "Connections") == 0 ||
strcasecmp(tag, "Passive-connections") == 0))
ui_conn_reinit();
} else if (strcasecmp(subcmd, "add") == 0) {
items = sscanf(cmd, "C %*s [%200[^]]]:%200[^=]=%200s %200s",
section, tag, value, tmp);
if (!(items == 3 || items == 4))
goto fail;
v = conf_get_str(section, tag);
if (!v)
conf_set(trans, section, tag, value, 1, 0);
else {
vlist = conf_get_list(section, tag);
if (vlist) {
for (vnode = TAILQ_FIRST(&vlist->fields);
vnode;
vnode = TAILQ_NEXT(vnode, link)) {
if (strcmp(vnode->field, value) == 0) {
skip = 1;
break;
}
}
conf_free_list(vlist);
}
/* Add the new value to the end of the 'v' list. */
if (skip == 0) {
if (asprintf(&nv,
v[strlen(v) - 1] == ',' ? "%s%s" : "%s,%s",
v, value) == -1) {
log_error("ui_config: malloc() failed");
if (trans)
conf_end(trans, 0);
return;
}
conf_set(trans, section, tag, nv, 1, 0);
free(nv);
}
}
if (strcasecmp(section, "Phase 2") == 0 &&
(strcasecmp(tag, "Connections") == 0 ||
strcasecmp(tag, "Passive-connections") == 0))
ui_conn_reinit();
} else if (strcasecmp(subcmd, "rmv") == 0) {
items = sscanf(cmd, "C %*s [%200[^]]]:%200[^=]=%200s %200s",
section, tag, value, tmp);
if (!(items == 3 || items == 4))
goto fail;
vlist = conf_get_list(section, tag);
if (vlist) {
nv = v = NULL;
for (vnode = TAILQ_FIRST(&vlist->fields);
vnode;
vnode = TAILQ_NEXT(vnode, link)) {
if (strcmp(vnode->field, value) == 0)
continue;
ret = v ?
asprintf(&nv, "%s,%s", v, vnode->field) :
asprintf(&nv, "%s", vnode->field);
free(v);
if (ret == -1) {
log_error("ui_config: malloc() failed");
if (trans)
conf_end(trans, 0);
return;
}
v = nv;
}
conf_free_list(vlist);
if (nv) {
conf_set(trans, section, tag, nv, 1, 0);
free(nv);
} else {
conf_remove(trans, section, tag);
}
}
if (strcasecmp(section, "Phase 2") == 0 &&
(strcasecmp(tag, "Connections") == 0 ||
strcasecmp(tag, "Passive-connections") == 0))
ui_conn_reinit();
} else if (strcasecmp(subcmd, "rm") == 0) {
if (sscanf(cmd, "C %*s [%200[^]]]:%200s", section, tag) != 2)
goto fail;
conf_remove(trans, section, tag);
} else if (strcasecmp(subcmd, "rms") == 0) {
if (sscanf(cmd, "C %*s [%200[^]]]", section) != 1)
goto fail;
conf_remove_section(trans, section);
} else
goto fail;
LOG_DBG((LOG_UI, 30, "ui_config: \"%s\"", cmd));
conf_end(trans, 1);
return;
fail:
if (trans)
conf_end(trans, 0);
log_print("ui_config: command \"%s\" malformed", cmd);
}
/*
* When we are "the server", this starts SET/ACK mode
* When we are "the client", this starts REQ/REPLY mode
*/
static int
cfg_initiator_send_ATTR(struct message *msg)
{
struct sa *isakmp_sa = msg->isakmp_sa;
struct ipsec_exch *ie = msg->exchange->data;
u_int8_t *hashp = 0, *attrp, *attr;
size_t attrlen, off;
char *id_string, *cfg_mode, *field;
struct sockaddr *sa;
#define CFG_ATTR_BIT_MAX ISAKMP_CFG_ATTR_FUTURE_MIN /* XXX */
bitstr_t bit_decl(attrbits, CFG_ATTR_BIT_MAX);
u_int16_t bit, length;
u_int32_t life;
if (msg->exchange->phase == 2) {
hashp = cfg_add_hash(msg);
if (!hashp)
return -1;
}
/* We initiated this exchange, check isakmp_sa for other side. */
if (isakmp_sa->initiator)
id_string = ipsec_id_string(isakmp_sa->id_r,
isakmp_sa->id_r_len);
else
id_string = ipsec_id_string(isakmp_sa->id_i,
isakmp_sa->id_i_len);
if (!id_string) {
log_print("cfg_initiator_send_ATTR: cannot parse ID");
goto fail;
}
/* Check for attribute list to send to the other side */
attrlen = 0;
bit_nclear(attrbits, 0, CFG_ATTR_BIT_MAX - 1);
cfg_mode = conf_get_str(id_string, "Mode");
if (!cfg_mode || strcmp(cfg_mode, "SET") == 0) {
/* SET/ACK mode */
ie->cfg_type = ISAKMP_CFG_SET;
LOG_DBG((LOG_NEGOTIATION, 10,
"cfg_initiator_send_ATTR: SET/ACK mode"));
#define ATTRFIND(STR,ATTR4,LEN4,ATTR6,LEN6) do \
{ \
if ((sa = conf_get_address (id_string, STR)) != NULL) \
switch (sa->sa_family) { \
case AF_INET: \
bit_set (attrbits, ATTR4); \
attrlen += ISAKMP_ATTR_SZ + LEN4; \
break; \
case AF_INET6: \
bit_set (attrbits, ATTR6); \
attrlen += ISAKMP_ATTR_SZ + LEN6; \
break; \
default: \
break; \
} \
free (sa); \
} while (0)
/*
* XXX We don't simultaneously support IPv4 and IPv6
* addresses.
*/
ATTRFIND("Address", ISAKMP_CFG_ATTR_INTERNAL_IP4_ADDRESS, 4,
ISAKMP_CFG_ATTR_INTERNAL_IP6_ADDRESS, 16);
ATTRFIND("Netmask", ISAKMP_CFG_ATTR_INTERNAL_IP4_NETMASK, 4,
ISAKMP_CFG_ATTR_INTERNAL_IP6_NETMASK, 16);
ATTRFIND("Nameserver", ISAKMP_CFG_ATTR_INTERNAL_IP4_DNS, 4,
ISAKMP_CFG_ATTR_INTERNAL_IP6_DNS, 16);
ATTRFIND("WINS-server", ISAKMP_CFG_ATTR_INTERNAL_IP4_NBNS, 4,
ISAKMP_CFG_ATTR_INTERNAL_IP6_NBNS, 16);
ATTRFIND("DHCP-server", ISAKMP_CFG_ATTR_INTERNAL_IP4_DHCP, 4,
ISAKMP_CFG_ATTR_INTERNAL_IP6_DHCP, 16);
#ifdef notyet
ATTRFIND("Network", ISAKMP_CFG_ATTR_INTERNAL_IP4_SUBNET, 8,
ISAKMP_CFG_ATTR_INTERNAL_IP6_SUBNET, 17);
#endif
#undef ATTRFIND
if (conf_get_str(id_string, "Lifetime")) {
bit_set(attrbits,
ISAKMP_CFG_ATTR_INTERNAL_ADDRESS_EXPIRY);
attrlen += ISAKMP_ATTR_SZ + 4;
}
} else {
struct conf_list *alist;
struct conf_list_node *anode;
ie->cfg_type = ISAKMP_CFG_REQUEST;
LOG_DBG((LOG_NEGOTIATION, 10,
"cfg_initiator_send_ATTR: REQ/REPLY mode"));
alist = conf_get_list(id_string, "Attributes");
if (alist) {
for (anode = TAILQ_FIRST(&alist->fields); anode;
anode = TAILQ_NEXT(anode, link)) {
if (strcasecmp(anode->field, "Address") == 0) {
bit_set(attrbits, ISAKMP_CFG_ATTR_INTERNAL_IP4_ADDRESS);
bit_set(attrbits, ISAKMP_CFG_ATTR_INTERNAL_IP6_ADDRESS);
attrlen += ISAKMP_ATTR_SZ * 2;
} else if (strcasecmp(anode->field, "Netmask")
== 0) {
bit_set(attrbits, ISAKMP_CFG_ATTR_INTERNAL_IP4_NETMASK);
bit_set(attrbits, ISAKMP_CFG_ATTR_INTERNAL_IP6_NETMASK);
attrlen += ISAKMP_ATTR_SZ * 2;
} else if (strcasecmp(anode->field,
"Nameserver") == 0) {
bit_set(attrbits, ISAKMP_CFG_ATTR_INTERNAL_IP4_DNS);
bit_set(attrbits, ISAKMP_CFG_ATTR_INTERNAL_IP6_DNS);
attrlen += ISAKMP_ATTR_SZ * 2;
} else if (strcasecmp(anode->field,
"WINS-server") == 0) {
bit_set(attrbits, ISAKMP_CFG_ATTR_INTERNAL_IP4_NBNS);
bit_set(attrbits, ISAKMP_CFG_ATTR_INTERNAL_IP6_NBNS);
attrlen += ISAKMP_ATTR_SZ * 2;
} else if (strcasecmp(anode->field,
"DHCP-server") == 0) {
bit_set(attrbits, ISAKMP_CFG_ATTR_INTERNAL_IP4_DHCP);
bit_set(attrbits, ISAKMP_CFG_ATTR_INTERNAL_IP6_DHCP);
attrlen += ISAKMP_ATTR_SZ * 2;
} else if (strcasecmp(anode->field,
"Lifetime") == 0) {
bit_set(attrbits, ISAKMP_CFG_ATTR_INTERNAL_ADDRESS_EXPIRY);
attrlen += ISAKMP_ATTR_SZ;
} else {
log_print("cfg_initiator_send_ATTR: "
"unknown attribute %.20s in "
"section [%s]", anode->field,
id_string);
}
}
conf_free_list(alist);
}
}
if (attrlen == 0) {
/* No data found. */
log_print("cfg_initiator_send_ATTR: no IKECFG attributes "
"found for [%s]", id_string);
/*
* We can continue, but this indicates a configuration error
* that the user probably will want to correct.
*/
free(id_string);
return 0;
}
attrlen += ISAKMP_ATTRIBUTE_SZ;
attrp = calloc(1, attrlen);
if (!attrp) {
log_error("cfg_initiator_send_ATTR: calloc (1, %lu) failed",
(unsigned long)attrlen);
goto fail;
}
if (message_add_payload(msg, ISAKMP_PAYLOAD_ATTRIBUTE, attrp, attrlen,
1)) {
free(attrp);
goto fail;
}
SET_ISAKMP_ATTRIBUTE_TYPE(attrp, ie->cfg_type);
getrandom((u_int8_t *) & ie->cfg_id, sizeof ie->cfg_id);
SET_ISAKMP_ATTRIBUTE_ID(attrp, ie->cfg_id);
off = ISAKMP_ATTRIBUTE_SZ;
/*
* Use the bitstring built previously to collect the right
* parameters for attrp.
*/
for (bit = 0; bit < CFG_ATTR_BIT_MAX; bit++)
if (bit_test(attrbits, bit)) {
attr = attrp + off;
SET_ISAKMP_ATTR_TYPE(attr, bit);
if (ie->cfg_type == ISAKMP_CFG_REQUEST) {
off += ISAKMP_ATTR_SZ;
continue;
}
/* All the other are similar, this is the odd one. */
if (bit == ISAKMP_CFG_ATTR_INTERNAL_ADDRESS_EXPIRY) {
life = conf_get_num(id_string, "Lifetime",
1200);
SET_ISAKMP_ATTR_LENGTH_VALUE(attr, 4);
encode_32(attr + ISAKMP_ATTR_VALUE_OFF, life);
off += ISAKMP_ATTR_SZ + 4;
continue;
}
switch (bit) {
case ISAKMP_CFG_ATTR_INTERNAL_IP4_ADDRESS:
case ISAKMP_CFG_ATTR_INTERNAL_IP4_NETMASK:
case ISAKMP_CFG_ATTR_INTERNAL_IP4_DNS:
case ISAKMP_CFG_ATTR_INTERNAL_IP4_DHCP:
case ISAKMP_CFG_ATTR_INTERNAL_IP4_NBNS:
length = 4;
break;
case ISAKMP_CFG_ATTR_INTERNAL_IP6_ADDRESS:
case ISAKMP_CFG_ATTR_INTERNAL_IP6_NETMASK:
case ISAKMP_CFG_ATTR_INTERNAL_IP6_DNS:
case ISAKMP_CFG_ATTR_INTERNAL_IP6_DHCP:
case ISAKMP_CFG_ATTR_INTERNAL_IP6_NBNS:
length = 16;
break;
default:
length = 0; /* Silence gcc. */
}
switch (bit) {
case ISAKMP_CFG_ATTR_INTERNAL_IP4_ADDRESS:
case ISAKMP_CFG_ATTR_INTERNAL_IP6_ADDRESS:
field = "Address";
break;
case ISAKMP_CFG_ATTR_INTERNAL_IP4_NETMASK:
case ISAKMP_CFG_ATTR_INTERNAL_IP6_NETMASK:
field = "Netmask";
break;
case ISAKMP_CFG_ATTR_INTERNAL_IP4_DNS:
case ISAKMP_CFG_ATTR_INTERNAL_IP6_DNS:
field = "Nameserver";
break;
case ISAKMP_CFG_ATTR_INTERNAL_IP4_DHCP:
case ISAKMP_CFG_ATTR_INTERNAL_IP6_DHCP:
field = "DHCP-server";
break;
case ISAKMP_CFG_ATTR_INTERNAL_IP4_NBNS:
case ISAKMP_CFG_ATTR_INTERNAL_IP6_NBNS:
field = "WINS-server";
break;
default:
field = 0; /* Silence gcc. */
}
sa = conf_get_address(id_string, field);
SET_ISAKMP_ATTR_LENGTH_VALUE(attr, length);
memcpy(attr + ISAKMP_ATTR_VALUE_OFF,
sockaddr_addrdata(sa), length);
free(sa);
off += ISAKMP_ATTR_SZ + length;
}
if (msg->exchange->phase == 2)
if (cfg_finalize_hash(msg, hashp, attrp, attrlen))
goto fail;
return 0;
fail:
free(id_string);
return -1;
}
/* Offer a set of transforms to the responder in the MSG message. */
int
ike_phase_1_initiator_send_SA (struct message *msg)
{
struct exchange *exchange = msg->exchange;
struct ipsec_exch *ie = exchange->data;
u_int8_t *proposal = 0, *sa_buf = 0, *saved_nextp, *attr;
u_int8_t **transform = 0;
size_t transforms_len = 0, proposal_len, sa_len;
size_t *transform_len = 0;
struct conf_list *conf, *life_conf;
struct conf_list_node *xf, *life;
int i, value, update_nextp;
struct payload *p;
struct proto *proto;
int group_desc = -1, new_group_desc;
/* Get the list of transforms. */
conf = conf_get_list (exchange->policy, "Transforms");
if (!conf)
return -1;
transform = calloc (conf->cnt, sizeof *transform);
if (!transform)
{
log_error ("ike_phase_1_initiator_send_SA: calloc (%d, %lu) failed",
conf->cnt, (unsigned long)sizeof *transform);
goto bail_out;
}
transform_len = calloc (conf->cnt, sizeof *transform_len);
if (!transform_len)
{
log_error ("ike_phase_1_initiator_send_SA: calloc (%d, %lu) failed",
conf->cnt, (unsigned long)sizeof *transform_len);
goto bail_out;
}
for (xf = TAILQ_FIRST (&conf->fields), i = 0; i < conf->cnt;
i++, xf = TAILQ_NEXT (xf, link))
{
/* XXX The sizing needs to be dynamic. */
transform[i]
= malloc (ISAKMP_TRANSFORM_SA_ATTRS_OFF + 16 * ISAKMP_ATTR_VALUE_OFF);
if (!transform[i])
{
log_error ("ike_phase_1_initiator_send_SA: malloc (%d) failed",
ISAKMP_TRANSFORM_SA_ATTRS_OFF
+ 16 * ISAKMP_ATTR_VALUE_OFF);
goto bail_out;
}
SET_ISAKMP_TRANSFORM_NO (transform[i], i);
SET_ISAKMP_TRANSFORM_ID (transform[i], IPSEC_TRANSFORM_KEY_IKE);
SET_ISAKMP_TRANSFORM_RESERVED (transform[i], 0);
attr = transform[i] + ISAKMP_TRANSFORM_SA_ATTRS_OFF;
if (attribute_set_constant (xf->field, "ENCRYPTION_ALGORITHM",
ike_encrypt_cst,
IKE_ATTR_ENCRYPTION_ALGORITHM, &attr))
goto bail_out;
if (attribute_set_constant (xf->field, "HASH_ALGORITHM", ike_hash_cst,
IKE_ATTR_HASH_ALGORITHM, &attr))
goto bail_out;
if (attribute_set_constant (xf->field, "AUTHENTICATION_METHOD",
ike_auth_cst, IKE_ATTR_AUTHENTICATION_METHOD,
&attr))
goto bail_out;
if (attribute_set_constant (xf->field, "GROUP_DESCRIPTION",
ike_group_desc_cst,
IKE_ATTR_GROUP_DESCRIPTION, &attr))
{
/*
* If no group description exists, try looking for a user-defined
* one.
*/
if (attribute_set_constant (xf->field, "GROUP_TYPE", ike_group_cst,
IKE_ATTR_GROUP_TYPE, &attr))
goto bail_out;
#if 0
if (attribute_set_bignum (xf->field, "GROUP_PRIME",
IKE_ATTR_GROUP_PRIME, &attr))
goto bail_out;
if (attribute_set_bignum (xf->field, "GROUP_GENERATOR_2",
IKE_ATTR_GROUP_GENERATOR_2, &attr))
goto bail_out;
if (attribute_set_bignum (xf->field, "GROUP_GENERATOR_2",
IKE_ATTR_GROUP_GENERATOR_2, &attr))
goto bail_out;
if (attribute_set_bignum (xf->field, "GROUP_CURVE_A",
IKE_ATTR_GROUP_CURVE_A, &attr))
goto bail_out;
if (attribute_set_bignum (xf->field, "GROUP_CURVE_B",
IKE_ATTR_GROUP_CURVE_B, &attr))
goto bail_out;
#endif
}
/*
* Life durations are special, we should be able to specify
* several, one per type.
*/
life_conf = conf_get_list (xf->field, "Life");
if (life_conf)
{
for (life = TAILQ_FIRST (&life_conf->fields); life;
life = TAILQ_NEXT (life, link))
{
attribute_set_constant (life->field, "LIFE_TYPE",
ike_duration_cst, IKE_ATTR_LIFE_TYPE,
&attr);
/* XXX Deals with 16 and 32 bit lifetimes only */
value = conf_get_num (life->field, "LIFE_DURATION", 0);
if (value)
{
if (value <= 0xffff)
attr = attribute_set_basic (attr, IKE_ATTR_LIFE_DURATION,
value);
else
{
value = htonl (value);
attr = attribute_set_var (attr, IKE_ATTR_LIFE_DURATION,
(u_int8_t *)&value,
sizeof value);
}
}
}
conf_free_list (life_conf);
}
attribute_set_constant (xf->field, "PRF", ike_prf_cst, IKE_ATTR_PRF,
&attr);
value = conf_get_num (xf->field, "KEY_LENGTH", 0);
if (value)
attr = attribute_set_basic (attr, IKE_ATTR_KEY_LENGTH, value);
value = conf_get_num (xf->field, "FIELD_SIZE", 0);
if (value)
attr = attribute_set_basic (attr, IKE_ATTR_FIELD_SIZE, value);
value = conf_get_num (xf->field, "GROUP_ORDER", 0);
if (value)
attr = attribute_set_basic (attr, IKE_ATTR_GROUP_ORDER, value);
/* Record the real transform size. */
transforms_len += transform_len[i] = attr - transform[i];
/* XXX I don't like exchange-specific stuff in here. */
if (exchange->type == ISAKMP_EXCH_AGGRESSIVE)
{
/*
* Make sure that if a group description is specified, it is
* specified for all transforms equally.
*/
attr = (u_int8_t *)conf_get_str (xf->field, "GROUP_DESCRIPTION");
new_group_desc
= attr ? constant_value (ike_group_desc_cst, (char *)attr) : 0;
if (group_desc == -1)
group_desc = new_group_desc;
else if (group_desc != new_group_desc)
{
log_print ("ike_phase_1_initiator_send_SA: "
"differing group descriptions in a proposal");
goto bail_out;
}
}
/* We need to check that we actually support our configuration. */
if (attribute_map (transform[i] + ISAKMP_TRANSFORM_SA_ATTRS_OFF,
transform_len[i] - ISAKMP_TRANSFORM_SA_ATTRS_OFF,
exchange->doi->is_attribute_incompatible, msg))
{
log_print ("ike_phase_1_initiator_send_SA: "
"section [%s] has unsupported attribute(s)",
xf->field);
goto bail_out;
}
}
/* XXX I don't like exchange-specific stuff in here. */
if (exchange->type == ISAKMP_EXCH_AGGRESSIVE)
ie->group = group_get (group_desc);
proposal_len = ISAKMP_PROP_SPI_OFF;
proposal = malloc (proposal_len);
if (!proposal)
{
log_error ("ike_phase_1_initiator_send_SA: malloc (%lu) failed",
(unsigned long)proposal_len);
goto bail_out;
}
SET_ISAKMP_PROP_NO (proposal, 1);
SET_ISAKMP_PROP_PROTO (proposal, ISAKMP_PROTO_ISAKMP);
SET_ISAKMP_PROP_SPI_SZ (proposal, 0);
SET_ISAKMP_PROP_NTRANSFORMS (proposal, conf->cnt);
/* XXX I would like to see this factored out. */
proto = calloc (1, sizeof *proto);
if (!proto)
{
log_error ("ike_phase_1_initiator_send_SA: calloc (1, %lu) failed",
(unsigned long)sizeof *proto);
goto bail_out;
}
proto->no = 1;
proto->proto = ISAKMP_PROTO_ISAKMP;
proto->sa = TAILQ_FIRST (&exchange->sa_list);
TAILQ_INSERT_TAIL (&TAILQ_FIRST (&exchange->sa_list)->protos, proto,
link);
sa_len = ISAKMP_SA_SIT_OFF + IPSEC_SIT_SIT_LEN;
sa_buf = malloc (sa_len);
if (!sa_buf)
{
log_error ("ike_phase_1_initiator_send_SA: malloc (%lu) failed",
(unsigned long)sa_len);
goto bail_out;
}
SET_ISAKMP_SA_DOI (sa_buf, IPSEC_DOI_IPSEC);
SET_IPSEC_SIT_SIT (sa_buf + ISAKMP_SA_SIT_OFF, IPSEC_SIT_IDENTITY_ONLY);
/*
* Add the payloads. As this is a SA, we need to recompute the
* lengths of the payloads containing others.
*/
if (message_add_payload (msg, ISAKMP_PAYLOAD_SA, sa_buf, sa_len, 1))
goto bail_out;
SET_ISAKMP_GEN_LENGTH (sa_buf,
sa_len + proposal_len + transforms_len);
sa_buf = 0;
saved_nextp = msg->nextp;
if (message_add_payload (msg, ISAKMP_PAYLOAD_PROPOSAL, proposal,
proposal_len, 0))
goto bail_out;
SET_ISAKMP_GEN_LENGTH (proposal, proposal_len + transforms_len);
proposal = 0;
update_nextp = 0;
for (i = 0; i < conf->cnt; i++)
{
if (message_add_payload (msg, ISAKMP_PAYLOAD_TRANSFORM, transform[i],
transform_len[i], update_nextp))
goto bail_out;
update_nextp = 1;
transform[i] = 0;
}
msg->nextp = saved_nextp;
/* Save SA payload body in ie->sa_i_b, length ie->sa_i_b_len. */
ie->sa_i_b_len = sa_len + proposal_len + transforms_len - ISAKMP_GEN_SZ;
ie->sa_i_b = malloc (ie->sa_i_b_len);
if (!ie->sa_i_b)
{
log_error ("ike_phase_1_initiator_send_SA: malloc (%lu) failed",
(unsigned long)ie->sa_i_b_len);
goto bail_out;
}
memcpy (ie->sa_i_b,
TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_SA])->p + ISAKMP_GEN_SZ,
sa_len - ISAKMP_GEN_SZ);
memcpy (ie->sa_i_b + sa_len - ISAKMP_GEN_SZ,
TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_PROPOSAL])->p,
proposal_len);
transforms_len = 0;
for (i = 0, p = TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_TRANSFORM]);
i < conf->cnt; i++, p = TAILQ_NEXT (p, link))
{
memcpy (ie->sa_i_b + sa_len + proposal_len + transforms_len
- ISAKMP_GEN_SZ,
p->p, transform_len[i]);
transforms_len += transform_len[i];
}
conf_free_list (conf);
free (transform);
free (transform_len);
return 0;
bail_out:
if (sa_buf)
free (sa_buf);
if (proposal)
free (proposal);
if (transform)
{
for (i = 0; i < conf->cnt; i++)
if (transform[i])
free (transform[i]);
free (transform);
}
if (transform_len)
free (transform_len);
conf_free_list (conf);
return -1;
}
/*
* Look at the attribute of type TYPE, located at VALUE for LEN bytes forward.
* The VVS argument holds a validation state kept across invocations.
* If the attribute is unacceptable to use, return non-zero, otherwise zero.
*/
static int
attribute_unacceptable (u_int16_t type, u_int8_t *value, u_int16_t len,
void *vvs)
{
struct validation_state *vs = vvs;
struct conf_list *life_conf;
struct conf_list_node *xf = vs->xf, *life;
char *tag = constant_lookup (ike_attr_cst, type);
char *str;
struct constant_map *map;
struct attr_node *node;
int rv;
if (!tag)
{
LOG_DBG ((LOG_NEGOTIATION, 60,
"attribute_unacceptable: attribute type %d not known", type));
return 1;
}
switch (type)
{
case IKE_ATTR_ENCRYPTION_ALGORITHM:
case IKE_ATTR_HASH_ALGORITHM:
case IKE_ATTR_AUTHENTICATION_METHOD:
case IKE_ATTR_GROUP_DESCRIPTION:
case IKE_ATTR_GROUP_TYPE:
case IKE_ATTR_PRF:
str = conf_get_str (xf->field, tag);
if (!str)
{
/* This attribute does not exist in this policy. */
LOG_DBG ((LOG_NEGOTIATION, 70,
"attribute_unacceptable: attr %s does not exist in %s",
tag, xf->field));
return 1;
}
map = constant_link_lookup (ike_attr_cst, type);
if (!map)
return 1;
if ((constant_value (map, str) == decode_16 (value)) ||
(!strcmp (str, "ANY")))
{
/* Mark this attribute as seen. */
node = malloc (sizeof *node);
if (!node)
{
log_error ("attribute_unacceptable: malloc (%lu) failed",
(unsigned long)sizeof *node);
return 1;
}
node->type = type;
LIST_INSERT_HEAD (&vs->attrs, node, link);
return 0;
}
LOG_DBG ((LOG_NEGOTIATION, 30,
"attribute_unacceptable: %s: got '%s', expected '%s'", tag,
constant_name (map, decode_16 (value)), str));
return 1;
case IKE_ATTR_GROUP_PRIME:
case IKE_ATTR_GROUP_GENERATOR_1:
case IKE_ATTR_GROUP_GENERATOR_2:
case IKE_ATTR_GROUP_CURVE_A:
case IKE_ATTR_GROUP_CURVE_B:
/* XXX Bignums not handled yet. */
return 1;
case IKE_ATTR_LIFE_TYPE:
case IKE_ATTR_LIFE_DURATION:
life_conf = conf_get_list (xf->field, "Life");
if (life_conf && !strcmp (conf_get_str (xf->field, "Life"), "ANY"))
return 0;
rv = 1;
if (!life_conf)
{
/* Life attributes given, but not in our policy. */
LOG_DBG ((LOG_NEGOTIATION, 70, "attribute_unacceptable: "
"received unexpected life attribute"));
return 1;
}
/*
* Each lifetime type must match, otherwise we turn the proposal down.
* In order to do this we need to find the specific section of our
* policy's "Life" list and match its duration
*/
switch (type)
{
case IKE_ATTR_LIFE_TYPE:
for (life = TAILQ_FIRST (&life_conf->fields); life;
life = TAILQ_NEXT (life, link))
{
str = conf_get_str (life->field, "LIFE_TYPE");
if (!str)
{
LOG_DBG ((LOG_NEGOTIATION, 70, "attribute_unacceptable: "
"section [%s] has no LIFE_TYPE", life->field));
continue;
}
/*
* If this is the type we are looking at, save a pointer
* to this section in vs->life.
*/
if (constant_value (ike_duration_cst, str) == decode_16 (value))
{
vs->life = strdup (life->field);
rv = 0;
goto bail_out;
}
}
LOG_DBG ((LOG_NEGOTIATION, 70,
"attribute_unacceptable: unrecognized LIFE_TYPE %d",
decode_16 (value)));
vs->life = 0;
break;
case IKE_ATTR_LIFE_DURATION:
if (!vs->life)
{
LOG_DBG ((LOG_NEGOTIATION, 70, "attribute_unacceptable: "
"LIFE_DURATION without LIFE_TYPE"));
rv = 1;
goto bail_out;
}
str = conf_get_str (vs->life, "LIFE_DURATION");
if (str)
{
if (!strcmp (str, "ANY"))
rv = 0;
else
rv = !conf_match_num (vs->life, "LIFE_DURATION",
len == 4 ? decode_32 (value) :
decode_16 (value));
}
else
{
LOG_DBG ((LOG_NEGOTIATION, 70, "attribute_unacceptable: "
"section [%s] has no LIFE_DURATION", vs->life));
rv = 1;
}
free (vs->life);
vs->life = 0;
break;
}
bail_out:
conf_free_list (life_conf);
return rv;
case IKE_ATTR_KEY_LENGTH:
case IKE_ATTR_FIELD_SIZE:
case IKE_ATTR_GROUP_ORDER:
if (conf_match_num (xf->field, tag, decode_16 (value)))
{
/* Mark this attribute as seen. */
node = malloc (sizeof *node);
if (!node)
{
log_error ("attribute_unacceptable: malloc (%lu) failed",
(unsigned long)sizeof *node);
return 1;
}
node->type = type;
LIST_INSERT_HEAD (&vs->attrs, node, link);
return 0;
}
return 1;
}
return 1;
}
/* Validate a proposal inside SA according to EXCHANGE's policy. */
static int
ike_phase_1_validate_prop (struct exchange *exchange, struct sa *sa,
struct sa *isakmp_sa)
{
struct conf_list *conf, *tags;
struct conf_list_node *xf, *tag;
struct proto *proto;
struct validation_state vs;
struct attr_node *node, *next_node;
/* Get the list of transforms. */
conf = conf_get_list (exchange->policy, "Transforms");
if (!conf)
return 0;
for (xf = TAILQ_FIRST (&conf->fields); xf; xf = TAILQ_NEXT (xf, link))
{
for (proto = TAILQ_FIRST (&sa->protos); proto;
proto = TAILQ_NEXT (proto, link))
{
/* Mark all attributes in our policy as unseen. */
LIST_INIT (&vs.attrs);
vs.xf = xf;
vs.life = 0;
if (attribute_map (proto->chosen->p + ISAKMP_TRANSFORM_SA_ATTRS_OFF,
GET_ISAKMP_GEN_LENGTH (proto->chosen->p)
- ISAKMP_TRANSFORM_SA_ATTRS_OFF,
attribute_unacceptable, &vs))
goto try_next;
/* Sweep over unseen tags in this section. */
tags = conf_get_tag_list (xf->field);
if (tags)
{
for (tag = TAILQ_FIRST (&tags->fields); tag;
tag = TAILQ_NEXT (tag, link))
/*
* XXX Should we care about attributes we have, they do not
* provide?
*/
for (node = LIST_FIRST (&vs.attrs); node;
node = next_node)
{
next_node = LIST_NEXT (node, link);
if (node->type
== constant_value (ike_attr_cst, tag->field))
{
LIST_REMOVE (node, link);
free (node);
}
}
conf_free_list (tags);
}
/* Are there leftover tags in this section? */
node = LIST_FIRST (&vs.attrs);
if (node)
goto try_next;
}
/* All protocols were OK, we succeeded. */
LOG_DBG ((LOG_NEGOTIATION, 20, "ike_phase_1_validate_prop: success"));
conf_free_list (conf);
if (vs.life)
free (vs.life);
return 1;
try_next:
/* Are there leftover tags in this section? */
node = LIST_FIRST (&vs.attrs);
while (node)
{
LIST_REMOVE (node, link);
free (node);
node = LIST_FIRST (&vs.attrs);
}
if (vs.life)
free (vs.life);
}
LOG_DBG ((LOG_NEGOTIATION, 20, "ike_phase_1_validate_prop: failure"));
conf_free_list (conf);
return 0;
}
