diff options
-rw-r--r-- | sbin/isakmpd/ipsec.c | 202 |
1 files changed, 151 insertions, 51 deletions
diff --git a/sbin/isakmpd/ipsec.c b/sbin/isakmpd/ipsec.c index 84e099b8528..7c002b1175b 100644 --- a/sbin/isakmpd/ipsec.c +++ b/sbin/isakmpd/ipsec.c @@ -1,5 +1,5 @@ -/* $OpenBSD: ipsec.c,v 1.4 1998/12/21 01:02:24 niklas Exp $ */ -/* $EOM: ipsec.c,v 1.75 1998/12/15 09:11:57 niklas Exp $ */ +/* $OpenBSD: ipsec.c,v 1.5 1999/02/26 03:43:41 niklas Exp $ */ +/* $EOM: ipsec.c,v 1.82 1999/02/25 13:35:41 niklas Exp $ */ /* * Copyright (c) 1998 Niklas Hallqvist. All rights reserved. @@ -41,6 +41,8 @@ #include <stdlib.h> #include <string.h> +#include "sysdep.h" + #include "attribute.h" #include "conf.h" #include "constants.h" @@ -60,11 +62,13 @@ #include "message.h" #include "prf.h" #include "sa.h" -#include "sysdep.h" #include "timer.h" #include "transport.h" #include "util.h" +/* The replay window size used for all IPSec protocols if not overridden. */ +#define DEFAULT_REPLAY_WINDOW 16 + struct ipsec_decode_arg { struct message *msg; struct sa *sa; @@ -81,6 +85,7 @@ static void ipsec_free_sa_data (void *); static struct keystate *ipsec_get_keystate (struct message *); static u_int8_t *ipsec_get_spi (size_t *, u_int8_t, struct message *); static int ipsec_initiator (struct message *); +static void ipsec_proto_init (struct proto *, char *); static int ipsec_responder (struct message *); static void ipsec_setup_situation (u_int8_t *); static size_t ipsec_situation_size (void); @@ -109,6 +114,7 @@ static struct doi ipsec_doi = { ipsec_get_keystate, ipsec_get_spi, ipsec_is_attribute_incompatible, + ipsec_proto_init, ipsec_setup_situation, ipsec_situation_size, ipsec_spi_size, @@ -180,14 +186,28 @@ ipsec_finalize_exchange (struct message *msg) break; } - /* If a lifetime was negotiated setup the death timer. */ + /* If a lifetime was negotiated setup the expiration timers. */ if (isakmp_sa->seconds) { gettimeofday(&expiration, 0); + expiration.tv_sec += isakmp_sa->seconds * 9 / 10; + isakmp_sa->soft_death + = timer_add_event ("sa_soft_expire", + (void (*) (void *))sa_soft_expire, isakmp_sa, + &expiration); + if (!isakmp_sa->soft_death) + { + /* If we don't give up we might start leaking... */ + sa_delete (isakmp_sa, 1); + return; + } + + gettimeofday(&expiration, 0); expiration.tv_sec += isakmp_sa->seconds; - isakmp_sa->death = timer_add_event ("sa_rekey_p1", - (void (*) (void *))sa_rekey_p1, - isakmp_sa, &expiration); + isakmp_sa->death + = timer_add_event ("sa_hard_expire", + (void (*) (void *))sa_hard_expire, isakmp_sa, + &expiration); if (!isakmp_sa->death) { /* If we don't give up we might start leaking... */ @@ -270,7 +290,7 @@ ipsec_finalize_exchange (struct message *msg) isa->src_net, isa->src_mask, isa->dst_net, isa->dst_mask); - if (sysdep_ipsec_enable_spi (sa, initiator)) + if (sysdep_ipsec_enable_sa (sa, initiator)) /* XXX Tear down this exchange. */ return; } @@ -1150,118 +1170,140 @@ ipsec_keymat_length (struct proto *proto) } /* - * Out of a named section SECTION in the configuration file build an - * ISAKMP ID payload. Ths payload size should be stashed in SZ. - * The caller is responsible for freeing the payload. + * Out of a named section SECTION in the configuration file find out + * the network address and mask as well as the ID type. Put the info + * in the areas pointed to by ADDR, MASK and ID respectively. Return + * 0 on success and -1 on failure. */ -u_int8_t * -ipsec_build_id (char *section, size_t *sz) +int +ipsec_get_id (char *section, int *id, struct in_addr *addr, + struct in_addr *mask) { char *type, *address, *netmask; - struct in_addr addr, mask; - u_int8_t *p; - int id; type = conf_get_str (section, "ID-type"); if (!type) { - log_print ("ipsec_build_id: section %s has no ID-type", section); - return 0; + log_print ("ipsec_get_id: section %s has no \"ID-type\" tag", section); + return -1; } - *sz = ISAKMP_ID_SZ; - - id = constant_value (ipsec_id_cst, type); - switch (id) + *id = constant_value (ipsec_id_cst, type); + switch (*id) { case IPSEC_ID_IPV4_ADDR: address = conf_get_str (section, "Address"); if (!address) { - log_print ("ipsec_id_build: section %s has no \"Address\" tag", + log_print ("ipsec_get_id: section %s has no \"Address\" tag", section); - return 0; + return -1; } - if (!inet_aton (address, &addr)) + if (!inet_aton (address, addr)) { - log_print ("ipsec_id_build: invalid section %s address %s", section, + log_print ("ipsec_get_id: invalid address %s in section %s", section, address); - return 0; + return -1; } - - *sz += sizeof (in_addr_t); break; #ifdef notyet case IPSEC_ID_FQDN: - return 0; + return -1; case IPSEC_ID_USER_FQDN: - return 0; + return -1; #endif case IPSEC_ID_IPV4_ADDR_SUBNET: address = conf_get_str (section, "Network"); if (!address) { - log_print ("ipsec_id_build: section %s has no \"Network\" tag", + log_print ("ipsec_get_id: section %s has no \"Network\" tag", section); - return 0; + return -1; } - if (!inet_aton (address, &addr)) + if (!inet_aton (address, addr)) { - log_print ("ipsec_id_build: invalid section %s network %s", section, + log_print ("ipsec_get_id: invalid section %s network %s", section, address); - return 0; + return -1; } netmask = conf_get_str (section, "Netmask"); if (!netmask) { - log_print ("ipsec_id_build: section %s has no \"Netmask\" tag", + log_print ("ipsec_get_id: section %s has no \"Netmask\" tag", section); - return 0; + return -1; } - if (!inet_aton (netmask, &mask)) + if (!inet_aton (netmask, mask)) { log_print ("ipsec_id_build: invalid section %s network %s", section, netmask); - return 0; + return -1; } - - *sz += 2 * sizeof (in_addr_t); break; #ifdef notyet case IPSEC_ID_IPV6_ADDR: - return 0; + return -1; case IPSEC_ID_IPV6_ADDR_SUBNET: - return 0; + return -1; case IPSEC_ID_IPV4_RANGE: - return 0; + return -1; case IPSEC_ID_IPV6_RANGE: - return 0; + return -1; case IPSEC_ID_DER_ASN1_DN: - return 0; + return -1; case IPSEC_ID_DER_ASN1_GN: - return 0; + return -1; case IPSEC_ID_KEY_ID: - return 0; + return -1; #endif default: - log_print ("ipsec_build_id: unknown ID type \"%s\" in section %s", type, + log_print ("ipsec_get_id: unknown ID type \"%s\" in section %s", type, section); - return 0; + return -1; + } + + return 0; +} + +/* + * Out of a named section SECTION in the configuration file build an + * ISAKMP ID payload. Ths payload size should be stashed in SZ. + * The caller is responsible for freeing the payload. + */ +u_int8_t * +ipsec_build_id (char *section, size_t *sz) +{ + struct in_addr addr, mask; + u_int8_t *p; + int id; + + if (ipsec_get_id (section, &id, &addr, &mask)) + return 0; + + *sz = ISAKMP_ID_SZ; + switch (id) + { + case IPSEC_ID_IPV4_ADDR: + *sz += sizeof addr; + break; + case IPSEC_ID_IPV4_ADDR_SUBNET: + *sz += sizeof addr + sizeof mask; + break; } p = malloc (*sz); @@ -1287,3 +1329,61 @@ ipsec_build_id (char *section, size_t *sz) return p; } + +struct dst_spi_proto_arg { + in_addr_t dst; + u_int32_t spi; + u_int8_t proto; +}; + +static int +ipsec_sa_check (struct sa *sa, void *v_arg) +{ + struct dst_spi_proto_arg *arg = v_arg; + struct proto *proto; + struct sockaddr *dst, *src; + int dstlen, srclen; + int incoming; + + sa->transport->vtbl->get_dst (sa->transport, &dst, &dstlen); + if (((struct sockaddr_in *)dst)->sin_addr.s_addr == arg->dst) + incoming = 0; + else + { + sa->transport->vtbl->get_src (sa->transport, &src, &srclen); + if (((struct sockaddr_in *)src)->sin_addr.s_addr == arg->dst) + incoming = 1; + else + return 0; + } + + for (proto = TAILQ_FIRST (&sa->protos); proto; + proto = TAILQ_NEXT (proto, link)) + if (proto->proto == arg->proto + && memcmp (proto->spi[incoming], &arg->spi, sizeof arg->spi) == 0) + return 1; + return 0; +} + +struct sa * +ipsec_sa_lookup (in_addr_t dst, u_int32_t spi, u_int8_t proto) +{ + struct dst_spi_proto_arg arg = { dst, spi, proto }; + + return sa_find (ipsec_sa_check, &arg); +} + +/* + * IPSec-specific PROTO initializations. SECTION is only set if we are the + * initiator thus only usable there. + * XXX I want to fix this later. + */ +void +ipsec_proto_init (struct proto *proto, char *section) +{ + struct ipsec_proto *iproto = proto->data; + + if (proto->sa->phase == 2 && section) + iproto->replay_window + = conf_get_num (section, "ReplayWindow", DEFAULT_REPLAY_WINDOW); +} |