diff options
author | Angelos D. Keromytis <angelos@cvs.openbsd.org> | 2001-05-30 16:46:34 +0000 |
---|---|---|
committer | Angelos D. Keromytis <angelos@cvs.openbsd.org> | 2001-05-30 16:46:34 +0000 |
commit | 66a88f7238ceb92814a18f27ba8d7f3645d31b3f (patch) | |
tree | 5f76dc3eba255ddcdc4b5769e53e21d8c9b56472 | |
parent | 50f3fbdf915413c2ea9948d7c9dd8e15deb3bb5c (diff) |
MBOX->FQDN, begining of passing some credentials to the kernel.
-rw-r--r-- | sbin/isakmpd/pf_key_v2.c | 194 |
1 files changed, 183 insertions, 11 deletions
diff --git a/sbin/isakmpd/pf_key_v2.c b/sbin/isakmpd/pf_key_v2.c index bb9b8ed22b8..7b250eba586 100644 --- a/sbin/isakmpd/pf_key_v2.c +++ b/sbin/isakmpd/pf_key_v2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf_key_v2.c,v 1.51 2001/05/05 00:55:13 angelos Exp $ */ +/* $OpenBSD: pf_key_v2.c,v 1.52 2001/05/30 16:46:33 angelos Exp $ */ /* $EOM: pf_key_v2.c,v 1.79 2000/12/12 00:33:19 niklas Exp $ */ /* @@ -65,6 +65,11 @@ #include "sa.h" #include "timer.h" #include "transport.h" +#include "cert.h" + +#ifdef USE_KEYNOTE +#include "policy.h" +#endif #define IN6_IS_ADDR_FULL(a) \ ((*(u_int32_t *)(void *)(&(a)->s6_addr[0]) == 0xffff) \ @@ -754,6 +759,9 @@ pf_key_v2_set_spi (struct sa *sa, struct proto *proto, int incoming, int dstlen, srclen, keylen, hashlen, err; struct pf_key_v2_msg *update = 0, *ret = 0; struct ipsec_proto *iproto = proto->data; +#ifdef SADB_CREDTYPE_NONE + struct sadb_cred *cred; +#endif size_t len; #ifdef KAME struct sadb_x_sa2 ssa2; @@ -1124,17 +1132,18 @@ pf_key_v2_set_spi (struct sa *sa, struct proto *proto, int incoming, memcpy (sid + 1, isakmp_sa->id_i + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, len - 1); - sid->sadb_ident_type = SADB_IDENTTYPE_MBOX; + sid->sadb_ident_type = SADB_IDENTTYPE_USERFQDN; break; - case IPSEC_ID_KEY_ID: case IPSEC_ID_IPV4_ADDR: + case IPSEC_ID_IPV6_ADDR: + /* XXX CONNECTION/PREFIX ? */ case IPSEC_ID_IPV4_RANGE: case IPSEC_ID_IPV4_ADDR_SUBNET: - case IPSEC_ID_IPV6_ADDR: case IPSEC_ID_IPV6_RANGE: case IPSEC_ID_IPV6_ADDR_SUBNET: /* XXX PREFIX */ + case IPSEC_ID_KEY_ID: case IPSEC_ID_DER_ASN1_DN: /* XXX FQDN ? */ default: @@ -1179,17 +1188,18 @@ pf_key_v2_set_spi (struct sa *sa, struct proto *proto, int incoming, memcpy (sid + 1, isakmp_sa->id_r + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, len - 1); - sid->sadb_ident_type = SADB_IDENTTYPE_MBOX; + sid->sadb_ident_type = SADB_IDENTTYPE_USERFQDN; break; - case IPSEC_ID_KEY_ID: case IPSEC_ID_IPV4_ADDR: + case IPSEC_ID_IPV6_ADDR: + /* XXX CONNECTION/PREFIX */ case IPSEC_ID_IPV4_RANGE: case IPSEC_ID_IPV4_ADDR_SUBNET: - case IPSEC_ID_IPV6_ADDR: case IPSEC_ID_IPV6_RANGE: case IPSEC_ID_IPV6_ADDR_SUBNET: /* XXX PREFIX */ + case IPSEC_ID_KEY_ID: case IPSEC_ID_DER_ASN1_DN: /* XXX FQDN ? */ default: @@ -1206,7 +1216,169 @@ pf_key_v2_set_spi (struct sa *sa, struct proto *proto, int incoming, free (sid); } - /* XXX Setup credentials */ + printf("%p %p %p %p\n",isakmp_sa->recv_cert, isakmp_sa->sent_cert, + isakmp_sa->sent_key, isakmp_sa->recv_key); + +#ifdef SADB_CREDTYPE_NONE + /* Setup credentials */ + if (isakmp_sa->recv_cert) + { + switch (isakmp_sa->recv_certtype) + { + case ISAKMP_CERTENC_NONE: + /* Nothing to be done */ + break; + + case ISAKMP_CERTENC_KEYNOTE: + len = strlen (isakmp_sa->recv_cert); + cred = calloc (PF_KEY_V2_ROUND (len) + sizeof *cred, + sizeof(u_int8_t)); + if (!cred) + goto cleanup; + + cred->sadb_cred_len = ((sizeof *cred) / PF_KEY_V2_CHUNK) + + PF_KEY_V2_ROUND (len) / PF_KEY_V2_CHUNK; + cred->sadb_cred_exttype = SADB_X_EXT_REMOTE_CREDENTIALS; + cred->sadb_cred_type = SADB_CREDTYPE_KEYNOTE; + memcpy(cred + 1, isakmp_sa->recv_cert, len); + + if (pf_key_v2_msg_add (update, (struct sadb_ext *)cred, + PF_KEY_V2_NODE_MALLOCED) == -1) + goto cleanup; + break; + + case ISAKMP_CERTENC_X509_SIG: +#ifdef USE_X509 + { + u_int8_t *data; + u_int32_t datalen; + struct cert_handler *handler; + + /* We do it this way to avoid weird includes */ + handler = cert_get (ISAKMP_CERTENC_X509_SIG); + if (!handler) + break; + handler->cert_serialize (isakmp_sa->recv_cert, &data, &datalen); + if (!data) + break; + + len = datalen; + cred = calloc (PF_KEY_V2_ROUND (len) + sizeof *cred, + sizeof(u_int8_t)); + if (!cred) + { + free (data); + goto cleanup; + } + + cred->sadb_cred_len = ((sizeof *cred) / PF_KEY_V2_CHUNK) + + PF_KEY_V2_ROUND (len) / PF_KEY_V2_CHUNK; + cred->sadb_cred_exttype = SADB_X_EXT_REMOTE_CREDENTIALS; + cred->sadb_cred_type = SADB_CREDTYPE_X509; + memcpy(cred + 1, data, len); + + if (pf_key_v2_msg_add (update, (struct sadb_ext *)cred, + PF_KEY_V2_NODE_MALLOCED) == -1) + goto cleanup; + } +#endif /* USE_X509 */ + break; + } + } + + if (isakmp_sa->sent_cert) + { + switch (isakmp_sa->sent_certtype) + { + case ISAKMP_CERTENC_NONE: + /* Nothing to be done */ + break; + + case ISAKMP_CERTENC_KEYNOTE: + len = strlen (isakmp_sa->sent_cert); + cred = calloc (PF_KEY_V2_ROUND (len) + sizeof *cred, + sizeof (u_int8_t)); + if (!cred) + goto cleanup; + + cred->sadb_cred_len = ((sizeof *cred) / PF_KEY_V2_CHUNK) + + PF_KEY_V2_ROUND (len) / PF_KEY_V2_CHUNK; + cred->sadb_cred_exttype = SADB_X_EXT_LOCAL_CREDENTIALS; + cred->sadb_cred_type = SADB_CREDTYPE_KEYNOTE; + memcpy(cred + 1, isakmp_sa->sent_cert, len); + + if (pf_key_v2_msg_add (update, (struct sadb_ext *)cred, + PF_KEY_V2_NODE_MALLOCED) == -1) + goto cleanup; + break; + + case ISAKMP_CERTENC_X509_SIG: + /* XXX */ + break; + } + } +#endif /* SADB_CREDTYPE_NONE */ + +#ifdef SADB_AUTHTYPE_NONE + /* Setup authentication information */ + if (isakmp_sa->recv_key) + { + len = strlen (isakmp_sa->recv_key); + cred = calloc (PF_KEY_V2_ROUND(len) + sizeof *cred, sizeof (u_int8_t)); + if (!cred) + goto cleanup; + + cred->sadb_cred_len = ((sizeof *cred) / PF_KEY_V2_CHUNK) + + PF_KEY_V2_ROUND (len) / PF_KEY_V2_CHUNK; + cred->sadb_cred_exttype = SADB_X_EXT_REMOTE_AUTH; + memcpy(cred + 1, isakmp_sa->recv_key, len); + + switch (isakmp_sa->recv_certtype) + { + case ISAKMP_CERTENC_NONE: + cred->sadb_cred_type = SADB_AUTHTYPE_PASSPHRASE; + break; + case ISAKMP_CERTENC_KEYNOTE: + case ISAKMP_CERTENC_X509_SIG: + cred->sadb_cred_type = SADB_AUTHTYPE_RSA; + break; + } + + if (pf_key_v2_msg_add (update, (struct sadb_ext *)cred, + PF_KEY_V2_NODE_MALLOCED) == -1) + goto cleanup; + } + + if (isakmp_sa->sent_key) + { + len = strlen (isakmp_sa->sent_key); + cred = calloc (PF_KEY_V2_ROUND(len) + sizeof *cred, sizeof (u_int8_t)); + if (!cred) + goto cleanup; + + cred->sadb_cred_len = ((sizeof *cred) / PF_KEY_V2_CHUNK) + + PF_KEY_V2_ROUND (len) / PF_KEY_V2_CHUNK; + cred->sadb_cred_exttype = SADB_X_EXT_LOCAL_AUTH; + memcpy(cred + 1, isakmp_sa->sent_key, len); + + switch (isakmp_sa->sent_certtype) + { + case ISAKMP_CERTENC_NONE: + cred->sadb_cred_type = SADB_AUTHTYPE_PASSPHRASE; + break; + case ISAKMP_CERTENC_KEYNOTE: + case ISAKMP_CERTENC_X509_SIG: + cred->sadb_cred_type = SADB_AUTHTYPE_RSA; + break; + } + + if (pf_key_v2_msg_add (update, (struct sadb_ext *)cred, + PF_KEY_V2_NODE_MALLOCED) == -1) + goto cleanup; + } +#endif /* SADB_AUTHTYPE_NONE */ + + /* Send authentication information */ /* XXX Here can sensitivity extensions be setup. */ @@ -1735,7 +1907,7 @@ pf_key_v2_convert_id (u_int8_t *id, int idlen, int *reslen, int *idtype) *reslen = idlen - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ; memcpy (res, id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, *reslen); - *idtype = SADB_IDENTTYPE_MBOX; + *idtype = SADB_IDENTTYPE_USERFQDN; return res; case IPSEC_ID_IPV4_ADDR: @@ -2554,7 +2726,7 @@ pf_key_v2_acquire (struct pf_key_v2_msg *pmsg) prefstring = "FQDN"; /* Fall through */ - case SADB_IDENTTYPE_MBOX: + case SADB_IDENTTYPE_USERFQDN: slen = (srcident->sadb_ident_len * sizeof (u_int64_t)) - sizeof (struct sadb_ident); if (!prefstring) @@ -2660,7 +2832,7 @@ pf_key_v2_acquire (struct pf_key_v2_msg *pmsg) prefstring = "FQDN"; /* Fall through */ - case SADB_IDENTTYPE_MBOX: + case SADB_IDENTTYPE_USERFQDN: slen = (dstident->sadb_ident_len * sizeof (u_int64_t)) - sizeof (struct sadb_ident); if (!prefstring) |