summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--sbin/isakmpd/pf_key_v2.c313
1 files changed, 235 insertions, 78 deletions
diff --git a/sbin/isakmpd/pf_key_v2.c b/sbin/isakmpd/pf_key_v2.c
index 44cdabf6bfb..6368c508c4a 100644
--- a/sbin/isakmpd/pf_key_v2.c
+++ b/sbin/isakmpd/pf_key_v2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_key_v2.c,v 1.54 2001/05/30 22:06:42 angelos Exp $ */
+/* $OpenBSD: pf_key_v2.c,v 1.55 2001/05/31 20:30:29 angelos Exp $ */
/* $EOM: pf_key_v2.c,v 1.79 2000/12/12 00:33:19 niklas Exp $ */
/*
@@ -66,6 +66,7 @@
#include "timer.h"
#include "transport.h"
#include "cert.h"
+#include "key.h"
#ifdef USE_KEYNOTE
#include "policy.h"
@@ -759,7 +760,7 @@ pf_key_v2_set_spi (struct sa *sa, struct proto *proto, int incoming,
int dstlen, srclen, keylen, hashlen, err;
struct pf_key_v2_msg *update = 0, *ret = 0;
struct ipsec_proto *iproto = proto->data;
-#if 0
+#if defined(SADB_CREDTYPE_NONE) || defined(SADB_AUTHTYPE_NONE)
struct sadb_cred *cred;
#endif
size_t len;
@@ -1216,8 +1217,13 @@ pf_key_v2_set_spi (struct sa *sa, struct proto *proto, int incoming,
free (sid);
}
-#if 0
- /* Setup credentials */
+#ifdef SADB_CREDTYPE_NONE
+ /*
+ * Send received credentials to the kernel. We don't bother with
+ * our credentials, since the process either knows them (if it specified
+ * them with setsockopt()), or has no business looking at them (e.g.,
+ * system wide certs).
+ */
if (isakmp_sa->recv_cert)
{
switch (isakmp_sa->recv_certtype)
@@ -1227,6 +1233,7 @@ pf_key_v2_set_spi (struct sa *sa, struct proto *proto, int incoming,
break;
case ISAKMP_CERTENC_KEYNOTE:
+#ifdef USE_KEYNOTE
len = strlen (isakmp_sa->recv_cert);
cred = calloc (PF_KEY_V2_ROUND (len) + sizeof *cred,
sizeof(u_int8_t));
@@ -1242,6 +1249,7 @@ pf_key_v2_set_spi (struct sa *sa, struct proto *proto, int incoming,
if (pf_key_v2_msg_add (update, (struct sadb_ext *)cred,
PF_KEY_V2_NODE_MALLOCED) == -1)
goto cleanup;
+#endif /* USE_KEYNOTE */
break;
case ISAKMP_CERTENC_X509_SIG:
@@ -1273,6 +1281,7 @@ pf_key_v2_set_spi (struct sa *sa, struct proto *proto, int incoming,
cred->sadb_cred_exttype = SADB_X_EXT_REMOTE_CREDENTIALS;
cred->sadb_cred_type = SADB_CREDTYPE_X509;
memcpy(cred + 1, data, len);
+ free (data);
if (pf_key_v2_msg_add (update, (struct sadb_ext *)cred,
PF_KEY_V2_NODE_MALLOCED) == -1)
@@ -1282,101 +1291,64 @@ pf_key_v2_set_spi (struct sa *sa, struct proto *proto, int incoming,
break;
}
}
-
- if (isakmp_sa->sent_cert)
- {
- switch (isakmp_sa->sent_certtype)
- {
- case ISAKMP_CERTENC_NONE:
- /* Nothing to be done */
- break;
-
- case ISAKMP_CERTENC_KEYNOTE:
- len = strlen (isakmp_sa->sent_cert);
- cred = calloc (PF_KEY_V2_ROUND (len) + sizeof *cred,
- sizeof (u_int8_t));
- if (!cred)
- goto cleanup;
-
- cred->sadb_cred_len = ((sizeof *cred) / PF_KEY_V2_CHUNK) +
- PF_KEY_V2_ROUND (len) / PF_KEY_V2_CHUNK;
- cred->sadb_cred_exttype = SADB_X_EXT_LOCAL_CREDENTIALS;
- cred->sadb_cred_type = SADB_CREDTYPE_KEYNOTE;
- memcpy(cred + 1, isakmp_sa->sent_cert, len);
-
- if (pf_key_v2_msg_add (update, (struct sadb_ext *)cred,
- PF_KEY_V2_NODE_MALLOCED) == -1)
- goto cleanup;
- break;
-
- case ISAKMP_CERTENC_X509_SIG:
- /* XXX */
- break;
- }
- }
#endif /* SADB_CREDTYPE_NONE */
-#if 0
- /* Setup authentication information */
+#ifdef SADB_AUTHTYPE_NONE
+ /* Tell the kernel what the peer used to authenticate, unless passphrase */
if (isakmp_sa->recv_key)
{
- len = strlen (isakmp_sa->recv_key);
- cred = calloc (PF_KEY_V2_ROUND(len) + sizeof *cred, sizeof (u_int8_t));
- if (!cred)
- goto cleanup;
-
- cred->sadb_cred_len = ((sizeof *cred) / PF_KEY_V2_CHUNK) +
- PF_KEY_V2_ROUND (len) / PF_KEY_V2_CHUNK;
- cred->sadb_cred_exttype = SADB_X_EXT_REMOTE_AUTH;
- memcpy(cred + 1, isakmp_sa->recv_key, len);
+ u_int8_t *data;
- switch (isakmp_sa->recv_certtype)
- {
- case ISAKMP_CERTENC_NONE:
- cred->sadb_cred_type = SADB_AUTHTYPE_PASSPHRASE;
- break;
- case ISAKMP_CERTENC_KEYNOTE:
- case ISAKMP_CERTENC_X509_SIG:
- cred->sadb_cred_type = SADB_AUTHTYPE_RSA;
- break;
- }
+ /*
+ * If it's a private key, we shouldn't pass it to the kernel for
+ * processes to see; successful authentication of Phase 1 implies
+ * that the process already knew the passphrase. On the other hand,
+ * we don't want to reveal to processes any system-wide passphrases
+ * used for authentication with remote systems. Same reason we don't
+ * send up the key (private or passphrase) we used to authenticate
+ * with the peer.
+ */
+ if (isakmp_sa->recv_keytype == ISAKMP_KEY_PASSPHRASE)
+ goto doneauth;
- if (pf_key_v2_msg_add (update, (struct sadb_ext *)cred,
- PF_KEY_V2_NODE_MALLOCED) == -1)
+ key_serialize (isakmp_sa->recv_keytype, ISAKMP_KEYTYPE_PUBLIC,
+ isakmp_sa->recv_key, &data, &len);
+ if (!data)
goto cleanup;
- }
- if (isakmp_sa->sent_key)
- {
- len = strlen (isakmp_sa->sent_key);
cred = calloc (PF_KEY_V2_ROUND(len) + sizeof *cred, sizeof (u_int8_t));
if (!cred)
- goto cleanup;
+ {
+ free (data);
+ goto cleanup;
+ }
cred->sadb_cred_len = ((sizeof *cred) / PF_KEY_V2_CHUNK) +
PF_KEY_V2_ROUND (len) / PF_KEY_V2_CHUNK;
- cred->sadb_cred_exttype = SADB_X_EXT_LOCAL_AUTH;
- memcpy(cred + 1, isakmp_sa->sent_key, len);
+ cred->sadb_cred_exttype = SADB_X_EXT_REMOTE_AUTH;
+ memcpy(cred + 1, data, len);
+ free (data);
- switch (isakmp_sa->sent_certtype)
+ switch (isakmp_sa->recv_keytype)
{
- case ISAKMP_CERTENC_NONE:
- cred->sadb_cred_type = SADB_AUTHTYPE_PASSPHRASE;
- break;
- case ISAKMP_CERTENC_KEYNOTE:
- case ISAKMP_CERTENC_X509_SIG:
+ case ISAKMP_KEY_RSA:
cred->sadb_cred_type = SADB_AUTHTYPE_RSA;
break;
+
+ default:
+ log_error ("pf_key_v2_set_spi: unknown received key type %d",
+ isakmp_sa->recv_keytype);
+ free (cred);
+ goto cleanup;
}
if (pf_key_v2_msg_add (update, (struct sadb_ext *)cred,
PF_KEY_V2_NODE_MALLOCED) == -1)
goto cleanup;
}
+ doneauth:
#endif /* SADB_AUTHTYPE_NONE */
- /* Send authentication information */
-
/* XXX Here can sensitivity extensions be setup. */
/* XXX IPv4 specific. */
@@ -2490,6 +2462,9 @@ pf_key_v2_acquire (struct pf_key_v2_msg *pmsg)
u_int16_t sport = 0, dport = 0;
u_int8_t tproto = 0;
char tmbuf[sizeof sport * 3 + 1];
+#if defined(SADB_CREDTYPE_NONE)
+ struct sadb_cred *cred, *sauth;
+#endif
msg = (struct sadb_msg *)TAILQ_FIRST (pmsg)->seg;
@@ -2579,6 +2554,13 @@ pf_key_v2_acquire (struct pf_key_v2_msg *pmsg)
sproto = ext->seg;
tproto = sproto->sadb_protocol_proto;
+#if defined(SADB_CREDTYPE_NONE)
+ cred = (struct sadb_cred *)pf_key_v2_find_ext (ret,
+ SADB_X_EXT_LOCAL_CREDENTIALS);
+
+ sauth = (struct sadb_cred *)pf_key_v2_find_ext (ret, SADB_X_EXT_LOCAL_AUTH);
+#endif
+
bzero (ssflow, sizeof ssflow);
bzero (sdflow, sizeof sdflow);
bzero (ssmask, sizeof ssmask);
@@ -3178,15 +3160,190 @@ pf_key_v2_acquire (struct pf_key_v2_msg *pmsg)
goto fail;
}
- /* XXX Default transform set should be settable */
+#if defined(SADB_CREDTYPE_NONE)
+ /* Store any credentials passed to us */
+ if (cred != NULL)
+ {
+ struct cert_handler *handler = NULL;
+ void *cert;
+ char num[10], *certprint;
+
+ /* Convert to bytes in-place */
+ cred->sadb_cred_len *= PF_KEY_V2_CHUNK;
+
+ if (cred->sadb_cred_len <= sizeof *cred)
+ {
+ log_error ("pf_key_v2_set_spi: zero-length credentials, "
+ "aborting SA acquisition");
+ conf_end (af, 0);
+ goto fail;
+ }
+
+ switch (cred->sadb_cred_type)
+ {
+ case SADB_CREDTYPE_X509:
+ sprintf (num, "%d", ISAKMP_CERTENC_X509_SIG);
+ handler = cert_get (ISAKMP_CERTENC_X509_SIG);
+ break;
+ case SADB_CREDTYPE_KEYNOTE:
+ sprintf (num, "%d", ISAKMP_CERTENC_KEYNOTE);
+ handler = cert_get (ISAKMP_CERTENC_KEYNOTE);
+ break;
+ default:
+ log_error ("pf_key_v2_set_spi: unknown credential type %d",
+ cred->sadb_cred_type);
+ conf_end (af, 0);
+ goto fail;
+ }
+
+ if (handler == NULL)
+ {
+ log_error ("pf_key_v2_set_spi: cert_get (%s) failed", num);
+ conf_end (af, 0);
+ goto fail;
+ }
+
+ /* Set the credential type as a number */
+ if (conf_set (af, peer, "Credential_type", num, 0, 0))
+ {
+ conf_end (af, 0);
+ goto fail;
+ }
+
+ /* Get the certificate */
+ cert = handler->cert_get ((u_int8_t *)(cred + 1),
+ cred->sadb_cred_len - sizeof *cred);
+
+ /* Now convert to printable format */
+ certprint = handler->cert_printable (cert);
+ handler->cert_free (cert);
+ if (certprint == NULL ||
+ conf_set (af, peer, "Credentials", certprint, 0, 0))
+ {
+ if (certprint)
+ free (certprint);
+ conf_end (af, 0);
+ goto fail;
+ }
+ free (certprint);
+ }
+#endif /* SADB_CREDTYPE_NONE */
+
/* Phase 1 configuration */
if (!conf_get_str (confname, "exchange_type"))
{
+#if defined(SADB_CREDTYPE_NONE)
+ /* We may have been provided with authentication material */
+ if (sauth != NULL)
+ {
+ u_int8_t *authm;
+
+ /* Convert to bytes in-place */
+ sauth->sadb_cred_len *= PF_KEY_V2_CHUNK;
+
+ switch (sauth->sadb_cred_type)
+ {
+ case SADB_AUTHTYPE_PASSPHRASE:
+ if (conf_set (af, confname, "Transforms", "3DES-SHA", 0, 0))
+ {
+ conf_end (af, 0);
+ goto fail;
+ }
+
+ if (sauth->sadb_cred_len <= sizeof *sauth)
+ {
+ log_error ("pf_key_v2_set_spi: zero-length passphrase, "
+ "aborting SA acquisition");
+ conf_end (af, 0);
+ goto fail;
+ }
+
+ authm = malloc (sauth->sadb_cred_len - sizeof *sauth + 1);
+ if (authm == NULL)
+ {
+ log_error ("pf_key_v2_set_spi: malloc (%d) failed",
+ sauth->sadb_cred_len - sizeof *sauth + 1);
+ conf_end (af, 0);
+ goto fail;
+ }
+ memcpy (authm, sauth + 1,
+ sauth->sadb_cred_len - sizeof *sauth + 1);
+
+ /* Set the passphrase in the peer */
+ if (conf_set (af, peer, "Authentication", authm, 0, 0))
+ {
+ free (authm);
+ conf_end (af, 0);
+ goto fail;
+ }
+ free (authm);
+ break;
+
+ case SADB_AUTHTYPE_RSA:
+ if (conf_set (af, confname, "Transforms", "3DES-SHA-RSA_SIG",
+ 0, 0))
+ {
+ conf_end (af, 0);
+ goto fail;
+ }
+
+ if (sauth->sadb_cred_len <= sizeof *sauth)
+ {
+ log_error ("pf_key_v2_set_spi: zero-length RSA key, "
+ "aborting SA acquisition");
+ conf_end (af, 0);
+ goto fail;
+ }
+
+ authm = key_printable (ISAKMP_KEY_RSA,
+ ISAKMP_KEYTYPE_PRIVATE,
+ (u_int8_t *) sauth + 1,
+ sauth->sadb_cred_len - sizeof *sauth);
+ if (authm == NULL)
+ {
+ log_error ("pf_key_v2_set_spi: failed to convert "
+ "private key to printable format (size %d)",
+ sauth->sadb_cred_len - sizeof *sauth);
+ conf_end (af, 0);
+ goto fail;
+ }
+
+ /*
+ * Set the key in the peer. We don't use "Authentication"
+ * to avoid potential conflicts with file-based
+ * configurations that use public key authentication
+ * but still specify an "Authentication" tag (typically
+ * as a remnant of passphrase-based testing).
+ */
+ if (conf_set (af, peer, "PKAuthentication", authm, 0, 0))
+ {
+ free (authm);
+ conf_end (af, 0);
+ goto fail;
+ }
+ free (authm);
+ break;
+
+ default:
+ log_error ("pf_key_v2_set_spi: unknown authentication "
+ "material type %d received from kernel",
+ sauth->sadb_cred_type);
+ conf_end (af, 0);
+ goto fail;
+ }
+ }
+ else /* Fall through */
+#endif /* SADB_CREDTYPE_NONE */
+ /* XXX Default transform set should be settable */
+ if (conf_set (af, confname, "Transforms", "3DES-SHA-RSA_SIG", 0, 0))
+ {
+ conf_end (af, 0);
+ goto fail;
+ }
+
if (conf_set (af, confname, "Exchange_Type", "ID_PROT", 0, 0)
|| conf_set (af, confname, "DOI", "IPSEC", 0, 0)
- || conf_set (af, confname, "Refcount", "1", 0, 0)
- || conf_set (af, confname, "Transforms", "3DES-SHA-RSA_SIG", 0,
- 0))
+ || conf_set (af, confname, "Refcount", "1", 0, 0))
{
conf_end (af, 0);
goto fail;