1 |
|
|
/* $OpenBSD: ike.c,v 1.81 2015/12/09 21:41:50 naddy Exp $ */ |
2 |
|
|
/* |
3 |
|
|
* Copyright (c) 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org> |
4 |
|
|
* |
5 |
|
|
* Permission to use, copy, modify, and distribute this software for any |
6 |
|
|
* purpose with or without fee is hereby granted, provided that the above |
7 |
|
|
* copyright notice and this permission notice appear in all copies. |
8 |
|
|
* |
9 |
|
|
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
10 |
|
|
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
11 |
|
|
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR |
12 |
|
|
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
13 |
|
|
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN |
14 |
|
|
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF |
15 |
|
|
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
16 |
|
|
*/ |
17 |
|
|
|
18 |
|
|
#include <sys/types.h> |
19 |
|
|
#include <sys/socket.h> |
20 |
|
|
#include <sys/stat.h> |
21 |
|
|
#include <sys/queue.h> |
22 |
|
|
#include <netinet/in.h> |
23 |
|
|
#include <netdb.h> |
24 |
|
|
#include <arpa/inet.h> |
25 |
|
|
|
26 |
|
|
#include <err.h> |
27 |
|
|
#include <fcntl.h> |
28 |
|
|
#include <stdio.h> |
29 |
|
|
#include <stdlib.h> |
30 |
|
|
#include <string.h> |
31 |
|
|
#include <unistd.h> |
32 |
|
|
#include <limits.h> |
33 |
|
|
|
34 |
|
|
#include "ipsecctl.h" |
35 |
|
|
|
36 |
|
|
static void ike_section_general(struct ipsec_rule *, FILE *); |
37 |
|
|
static void ike_section_peer(struct ipsec_rule *, FILE *); |
38 |
|
|
static void ike_section_ids(struct ipsec_rule *, FILE *); |
39 |
|
|
static void ike_section_ipsec(struct ipsec_rule *, FILE *); |
40 |
|
|
static int ike_section_p1(struct ipsec_rule *, FILE *); |
41 |
|
|
static int ike_section_p2(struct ipsec_rule *, FILE *); |
42 |
|
|
static void ike_section_p2ids(struct ipsec_rule *, FILE *); |
43 |
|
|
static int ike_connect(struct ipsec_rule *, FILE *); |
44 |
|
|
static int ike_gen_config(struct ipsec_rule *, FILE *); |
45 |
|
|
static int ike_delete_config(struct ipsec_rule *, FILE *); |
46 |
|
|
static void ike_setup_ids(struct ipsec_rule *); |
47 |
|
|
|
48 |
|
|
int ike_print_config(struct ipsec_rule *, int); |
49 |
|
|
int ike_ipsec_establish(int, struct ipsec_rule *, const char *); |
50 |
|
|
|
51 |
|
|
#define SET "C set " |
52 |
|
|
#define ADD "C add " |
53 |
|
|
#define DELETE "C rms " |
54 |
|
|
#define RMV "C rmv " |
55 |
|
|
|
56 |
|
|
#define CONF_DFLT_DYNAMIC_DPD_CHECK_INTERVAL 5 |
57 |
|
|
#define CONF_DFLT_DYNAMIC_CHECK_INTERVAL 30 |
58 |
|
|
|
59 |
|
|
char *ike_id_types[] = { |
60 |
|
|
"", "", "IPV4_ADDR", "IPV6_ADDR", "FQDN", "USER_FQDN" |
61 |
|
|
}; |
62 |
|
|
|
63 |
|
|
static void |
64 |
|
|
ike_section_general(struct ipsec_rule *r, FILE *fd) |
65 |
|
|
{ |
66 |
|
|
if (r->ikemode == IKE_DYNAMIC) { |
67 |
|
|
fprintf(fd, SET "[General]:Check-interval=%d force\n", |
68 |
|
|
CONF_DFLT_DYNAMIC_CHECK_INTERVAL); |
69 |
|
|
fprintf(fd, SET "[General]:DPD-check-interval=%d force\n", |
70 |
|
|
CONF_DFLT_DYNAMIC_DPD_CHECK_INTERVAL); |
71 |
|
|
} |
72 |
|
|
} |
73 |
|
|
|
74 |
|
|
static void |
75 |
|
|
ike_section_peer(struct ipsec_rule *r, FILE *fd) |
76 |
|
|
{ |
77 |
|
|
if (r->peer) |
78 |
|
|
fprintf(fd, SET "[Phase 1]:%s=%s force\n", r->peer->name, |
79 |
|
|
r->p1name); |
80 |
|
|
else |
81 |
|
|
fprintf(fd, SET "[Phase 1]:Default=%s force\n", r->p1name); |
82 |
|
|
fprintf(fd, SET "[%s]:Phase=1 force\n", r->p1name); |
83 |
|
|
if (r->peer) |
84 |
|
|
fprintf(fd, SET "[%s]:Address=%s force\n", r->p1name, |
85 |
|
|
r->peer->name); |
86 |
|
|
if (r->local) |
87 |
|
|
fprintf(fd, SET "[%s]:Local-address=%s force\n", r->p1name, |
88 |
|
|
r->local->name); |
89 |
|
|
if (r->ikeauth->type == IKE_AUTH_PSK) |
90 |
|
|
fprintf(fd, SET "[%s]:Authentication=%s force\n", r->p1name, |
91 |
|
|
r->ikeauth->string); |
92 |
|
|
} |
93 |
|
|
|
94 |
|
|
static void |
95 |
|
|
ike_section_ids(struct ipsec_rule *r, FILE *fd) |
96 |
|
|
{ |
97 |
|
|
char myname[HOST_NAME_MAX+1]; |
98 |
|
|
|
99 |
|
|
if (r->auth == NULL) |
100 |
|
|
return; |
101 |
|
|
|
102 |
|
|
if (r->ikemode == IKE_DYNAMIC && r->auth->srcid == NULL) { |
103 |
|
|
if (gethostname(myname, sizeof(myname)) == -1) |
104 |
|
|
err(1, "ike_section_ids: gethostname"); |
105 |
|
|
if ((r->auth->srcid = strdup(myname)) == NULL) |
106 |
|
|
err(1, "ike_section_ids: strdup"); |
107 |
|
|
r->auth->srcid_type = ID_FQDN; |
108 |
|
|
} |
109 |
|
|
if (r->auth->srcid) { |
110 |
|
|
fprintf(fd, SET "[%s]:ID=id-%s force\n", r->p1name, |
111 |
|
|
r->auth->srcid); |
112 |
|
|
fprintf(fd, SET "[id-%s]:ID-type=%s force\n", r->auth->srcid, |
113 |
|
|
ike_id_types[r->auth->srcid_type]); |
114 |
|
|
if (r->auth->srcid_type == ID_IPV4 || |
115 |
|
|
r->auth->srcid_type == ID_IPV6) |
116 |
|
|
fprintf(fd, SET "[id-%s]:Address=%s force\n", |
117 |
|
|
r->auth->srcid, r->auth->srcid); |
118 |
|
|
else |
119 |
|
|
fprintf(fd, SET "[id-%s]:Name=%s force\n", |
120 |
|
|
r->auth->srcid, r->auth->srcid); |
121 |
|
|
} |
122 |
|
|
if (r->auth->dstid) { |
123 |
|
|
fprintf(fd, SET "[%s]:Remote-ID=id-%s force\n", r->p1name, |
124 |
|
|
r->auth->dstid); |
125 |
|
|
fprintf(fd, SET "[id-%s]:ID-type=%s force\n", r->auth->dstid, |
126 |
|
|
ike_id_types[r->auth->dstid_type]); |
127 |
|
|
if (r->auth->dstid_type == ID_IPV4 || |
128 |
|
|
r->auth->dstid_type == ID_IPV6) |
129 |
|
|
fprintf(fd, SET "[id-%s]:Address=%s force\n", |
130 |
|
|
r->auth->dstid, r->auth->dstid); |
131 |
|
|
else |
132 |
|
|
fprintf(fd, SET "[id-%s]:Name=%s force\n", |
133 |
|
|
r->auth->dstid, r->auth->dstid); |
134 |
|
|
} |
135 |
|
|
} |
136 |
|
|
|
137 |
|
|
static void |
138 |
|
|
ike_section_ipsec(struct ipsec_rule *r, FILE *fd) |
139 |
|
|
{ |
140 |
|
|
fprintf(fd, SET "[%s]:Phase=2 force\n", r->p2name); |
141 |
|
|
fprintf(fd, SET "[%s]:ISAKMP-peer=%s force\n", r->p2name, r->p1name); |
142 |
|
|
fprintf(fd, SET "[%s]:Configuration=phase2-%s force\n", r->p2name, |
143 |
|
|
r->p2name); |
144 |
|
|
fprintf(fd, SET "[%s]:Local-ID=%s force\n", r->p2name, r->p2lid); |
145 |
|
|
if (r->p2nid) |
146 |
|
|
fprintf(fd, SET "[%s]:NAT-ID=%s force\n", r->p2name, r->p2nid); |
147 |
|
|
fprintf(fd, SET "[%s]:Remote-ID=%s force\n", r->p2name, r->p2rid); |
148 |
|
|
|
149 |
|
|
if (r->tag) |
150 |
|
|
fprintf(fd, SET "[%s]:PF-Tag=%s force\n", r->p2name, r->tag); |
151 |
|
|
} |
152 |
|
|
|
153 |
|
|
static int |
154 |
|
|
ike_section_p2(struct ipsec_rule *r, FILE *fd) |
155 |
|
|
{ |
156 |
|
|
char *exchange_type, *key_length, *transform, *p; |
157 |
|
|
char *enc_alg, *auth_alg, *group_desc, *encap; |
158 |
|
|
int needauth = 1; |
159 |
|
|
int num_print = 0; |
160 |
|
|
|
161 |
|
|
switch (r->p2ie) { |
162 |
|
|
case IKE_QM: |
163 |
|
|
exchange_type = "QUICK_MODE"; |
164 |
|
|
break; |
165 |
|
|
default: |
166 |
|
|
warnx("illegal phase 2 ike mode %d", r->p2ie); |
167 |
|
|
return (-1); |
168 |
|
|
} |
169 |
|
|
|
170 |
|
|
fprintf(fd, SET "[phase2-%s]:EXCHANGE_TYPE=%s force\n", r->p2name, |
171 |
|
|
exchange_type); |
172 |
|
|
fprintf(fd, SET "[phase2-%s]:Suites=phase2-suite-%s force\n", r->p2name, |
173 |
|
|
r->p2name); |
174 |
|
|
|
175 |
|
|
fprintf(fd, SET "[phase2-suite-%s]:Protocols=phase2-protocol-%s " |
176 |
|
|
"force\n", r->p2name, r->p2name); |
177 |
|
|
|
178 |
|
|
fprintf(fd, SET "[phase2-protocol-%s]:PROTOCOL_ID=", r->p2name); |
179 |
|
|
|
180 |
|
|
switch (r->satype) { |
181 |
|
|
case IPSEC_ESP: |
182 |
|
|
fprintf(fd, "IPSEC_ESP"); |
183 |
|
|
break; |
184 |
|
|
case IPSEC_AH: |
185 |
|
|
fprintf(fd, "IPSEC_AH"); |
186 |
|
|
break; |
187 |
|
|
default: |
188 |
|
|
warnx("illegal satype %d", r->satype); |
189 |
|
|
return (-1); |
190 |
|
|
} |
191 |
|
|
fprintf(fd, " force\n"); |
192 |
|
|
|
193 |
|
|
key_length = NULL; |
194 |
|
|
enc_alg = NULL; |
195 |
|
|
if (r->p2xfs && r->p2xfs->encxf) { |
196 |
|
|
if (r->satype == IPSEC_ESP) { |
197 |
|
|
switch (r->p2xfs->encxf->id) { |
198 |
|
|
case ENCXF_3DES_CBC: |
199 |
|
|
enc_alg = "3DES"; |
200 |
|
|
break; |
201 |
|
|
case ENCXF_AES: |
202 |
|
|
enc_alg = "AES"; |
203 |
|
|
key_length = "128,128:256"; |
204 |
|
|
break; |
205 |
|
|
case ENCXF_AES_128: |
206 |
|
|
enc_alg = "AES"; |
207 |
|
|
key_length = "128,128:128"; |
208 |
|
|
break; |
209 |
|
|
case ENCXF_AES_192: |
210 |
|
|
enc_alg = "AES"; |
211 |
|
|
key_length = "192,192:192"; |
212 |
|
|
break; |
213 |
|
|
case ENCXF_AES_256: |
214 |
|
|
enc_alg = "AES"; |
215 |
|
|
key_length = "256,256:256"; |
216 |
|
|
break; |
217 |
|
|
case ENCXF_AESCTR: |
218 |
|
|
enc_alg = "AES_CTR"; |
219 |
|
|
key_length = "128,128:128"; |
220 |
|
|
break; |
221 |
|
|
case ENCXF_AES_128_CTR: |
222 |
|
|
enc_alg = "AES_CTR"; |
223 |
|
|
key_length = "128,128:128"; |
224 |
|
|
break; |
225 |
|
|
case ENCXF_AES_192_CTR: |
226 |
|
|
enc_alg = "AES_CTR"; |
227 |
|
|
key_length = "192,192:192"; |
228 |
|
|
break; |
229 |
|
|
case ENCXF_AES_256_CTR: |
230 |
|
|
enc_alg = "AES_CTR"; |
231 |
|
|
key_length = "256,256:256"; |
232 |
|
|
break; |
233 |
|
|
case ENCXF_AES_128_GCM: |
234 |
|
|
enc_alg = "AES_GCM_16"; |
235 |
|
|
key_length = "128,128:128"; |
236 |
|
|
needauth = 0; |
237 |
|
|
break; |
238 |
|
|
case ENCXF_AES_192_GCM: |
239 |
|
|
enc_alg = "AES_GCM_16"; |
240 |
|
|
key_length = "192,192:192"; |
241 |
|
|
needauth = 0; |
242 |
|
|
break; |
243 |
|
|
case ENCXF_AES_256_GCM: |
244 |
|
|
enc_alg = "AES_GCM_16"; |
245 |
|
|
key_length = "256,256:256"; |
246 |
|
|
needauth = 0; |
247 |
|
|
break; |
248 |
|
|
case ENCXF_AES_128_GMAC: |
249 |
|
|
enc_alg = "AES_GMAC"; |
250 |
|
|
key_length = "128,128:128"; |
251 |
|
|
needauth = 0; |
252 |
|
|
break; |
253 |
|
|
case ENCXF_AES_192_GMAC: |
254 |
|
|
enc_alg = "AES_GMAC"; |
255 |
|
|
key_length = "192,192:192"; |
256 |
|
|
needauth = 0; |
257 |
|
|
break; |
258 |
|
|
case ENCXF_AES_256_GMAC: |
259 |
|
|
enc_alg = "AES_GMAC"; |
260 |
|
|
key_length = "256,256:256"; |
261 |
|
|
needauth = 0; |
262 |
|
|
break; |
263 |
|
|
case ENCXF_BLOWFISH: |
264 |
|
|
enc_alg = "BLOWFISH"; |
265 |
|
|
key_length = "128,96:192"; |
266 |
|
|
break; |
267 |
|
|
case ENCXF_CAST128: |
268 |
|
|
enc_alg = "CAST"; |
269 |
|
|
break; |
270 |
|
|
case ENCXF_NULL: |
271 |
|
|
enc_alg = "NULL"; |
272 |
|
|
needauth = 0; |
273 |
|
|
break; |
274 |
|
|
default: |
275 |
|
|
warnx("illegal transform %s", |
276 |
|
|
r->p2xfs->encxf->name); |
277 |
|
|
return (-1); |
278 |
|
|
} |
279 |
|
|
} else { |
280 |
|
|
warnx("illegal transform %s", r->p2xfs->encxf->name); |
281 |
|
|
return (-1); |
282 |
|
|
} |
283 |
|
|
} else if (r->satype == IPSEC_ESP) { |
284 |
|
|
enc_alg = "AES"; |
285 |
|
|
key_length = "128,128:256"; |
286 |
|
|
} |
287 |
|
|
|
288 |
|
|
switch (r->tmode) { |
289 |
|
|
case IPSEC_TUNNEL: |
290 |
|
|
encap = "TUNNEL"; |
291 |
|
|
break; |
292 |
|
|
case IPSEC_TRANSPORT: |
293 |
|
|
encap = "TRANSPORT"; |
294 |
|
|
break; |
295 |
|
|
default: |
296 |
|
|
warnx("illegal encapsulation mode %d", r->tmode); |
297 |
|
|
return (-1); |
298 |
|
|
} |
299 |
|
|
|
300 |
|
|
auth_alg = NULL; |
301 |
|
|
if (r->p2xfs && r->p2xfs->authxf) { |
302 |
|
|
switch (r->p2xfs->authxf->id) { |
303 |
|
|
case AUTHXF_HMAC_MD5: |
304 |
|
|
auth_alg = "MD5"; |
305 |
|
|
break; |
306 |
|
|
case AUTHXF_HMAC_SHA1: |
307 |
|
|
auth_alg = "SHA"; |
308 |
|
|
break; |
309 |
|
|
case AUTHXF_HMAC_RIPEMD160: |
310 |
|
|
auth_alg = "RIPEMD"; |
311 |
|
|
break; |
312 |
|
|
case AUTHXF_HMAC_SHA2_256: |
313 |
|
|
auth_alg = "SHA2_256"; |
314 |
|
|
break; |
315 |
|
|
case AUTHXF_HMAC_SHA2_384: |
316 |
|
|
auth_alg = "SHA2_384"; |
317 |
|
|
break; |
318 |
|
|
case AUTHXF_HMAC_SHA2_512: |
319 |
|
|
auth_alg = "SHA2_512"; |
320 |
|
|
break; |
321 |
|
|
default: |
322 |
|
|
warnx("illegal transform %s", r->p2xfs->authxf->name); |
323 |
|
|
return (-1); |
324 |
|
|
} |
325 |
|
|
} else if (needauth) |
326 |
|
|
auth_alg = "SHA2_256"; |
327 |
|
|
|
328 |
|
|
group_desc = NULL; |
329 |
|
|
if (r->p2xfs && r->p2xfs->groupxf) { |
330 |
|
|
switch (r->p2xfs->groupxf->id) { |
331 |
|
|
case GROUPXF_NONE: |
332 |
|
|
break; |
333 |
|
|
case GROUPXF_768: |
334 |
|
|
group_desc = "MODP_768"; |
335 |
|
|
break; |
336 |
|
|
case GROUPXF_1024: |
337 |
|
|
group_desc = "MODP_1024"; |
338 |
|
|
break; |
339 |
|
|
case GROUPXF_1536: |
340 |
|
|
group_desc = "MODP_1536"; |
341 |
|
|
break; |
342 |
|
|
case GROUPXF_2048: |
343 |
|
|
group_desc = "MODP_2048"; |
344 |
|
|
break; |
345 |
|
|
case GROUPXF_3072: |
346 |
|
|
group_desc = "MODP_3072"; |
347 |
|
|
break; |
348 |
|
|
case GROUPXF_4096: |
349 |
|
|
group_desc = "MODP_4096"; |
350 |
|
|
break; |
351 |
|
|
case GROUPXF_6144: |
352 |
|
|
group_desc = "MODP_6144"; |
353 |
|
|
break; |
354 |
|
|
case GROUPXF_8192: |
355 |
|
|
group_desc = "MODP_8192"; |
356 |
|
|
break; |
357 |
|
|
default: |
358 |
|
|
warnx("illegal group %s", r->p2xfs->groupxf->name); |
359 |
|
|
return (-1); |
360 |
|
|
} |
361 |
|
|
} else |
362 |
|
|
group_desc = "MODP_3072"; |
363 |
|
|
|
364 |
|
|
/* the transform name must not include "," */ |
365 |
|
|
if (key_length && (p = strchr(key_length, ',')) != NULL) |
366 |
|
|
num_print = p - key_length; |
367 |
|
|
/* |
368 |
|
|
* create a unique transform name, otherwise we cannot have |
369 |
|
|
* multiple transforms per p2name. |
370 |
|
|
*/ |
371 |
|
|
if (asprintf(&transform, "phase2-transform-%s-%s%.*s-%s-%s-%s", |
372 |
|
|
r->p2name, |
373 |
|
|
enc_alg ? enc_alg : "NONE", |
374 |
|
|
num_print, key_length ? key_length : "", |
375 |
|
|
auth_alg ? auth_alg : "NONE", |
376 |
|
|
group_desc ? group_desc : "NONE", |
377 |
|
|
encap) == -1) |
378 |
|
|
errx(1, "asprintf phase2-transform"); |
379 |
|
|
|
380 |
|
|
fprintf(fd, SET "[phase2-protocol-%s]:Transforms=%s force\n", |
381 |
|
|
r->p2name, transform); |
382 |
|
|
|
383 |
|
|
fprintf(fd, SET "[%s]:TRANSFORM_ID=%s force\n", transform, |
384 |
|
|
r->satype == IPSEC_AH ? auth_alg : enc_alg); |
385 |
|
|
if (key_length) |
386 |
|
|
fprintf(fd, SET "[%s]:KEY_LENGTH=%s force\n", transform, |
387 |
|
|
key_length); |
388 |
|
|
fprintf(fd, SET "[%s]:ENCAPSULATION_MODE=%s force\n", transform, encap); |
389 |
|
|
if (auth_alg) |
390 |
|
|
fprintf(fd, SET "[%s]:AUTHENTICATION_ALGORITHM=HMAC_%s force\n", |
391 |
|
|
transform, auth_alg); |
392 |
|
|
if (group_desc) |
393 |
|
|
fprintf(fd, SET "[%s]:GROUP_DESCRIPTION=%s force\n", transform, |
394 |
|
|
group_desc); |
395 |
|
|
|
396 |
|
|
if (r->p2life && r->p2life->lt_seconds != -1) { |
397 |
|
|
fprintf(fd, SET "[%s]:Life=%s-life force\n", |
398 |
|
|
transform, transform); |
399 |
|
|
fprintf(fd, SET "[%s-life]:LIFE_TYPE=SECONDS force\n", |
400 |
|
|
transform); |
401 |
|
|
fprintf(fd, SET "[%s-life]:LIFE_DURATION=%d force\n", |
402 |
|
|
transform, r->p2life->lt_seconds); |
403 |
|
|
} else |
404 |
|
|
fprintf(fd, SET "[%s]:Life=LIFE_QUICK_MODE force\n", |
405 |
|
|
transform); |
406 |
|
|
|
407 |
|
|
free(transform); |
408 |
|
|
return (0); |
409 |
|
|
} |
410 |
|
|
|
411 |
|
|
static int |
412 |
|
|
ike_section_p1(struct ipsec_rule *r, FILE *fd) |
413 |
|
|
{ |
414 |
|
|
char *exchange_type, *key_length, *transform, *p; |
415 |
|
|
char *enc_alg, *auth_alg, *group_desc, *auth_method; |
416 |
|
|
int num_print = 0; |
417 |
|
|
|
418 |
|
|
switch (r->p1ie) { |
419 |
|
|
case IKE_MM: |
420 |
|
|
exchange_type = "ID_PROT"; |
421 |
|
|
break; |
422 |
|
|
case IKE_AM: |
423 |
|
|
exchange_type = "AGGRESSIVE"; |
424 |
|
|
break; |
425 |
|
|
default: |
426 |
|
|
warnx("illegal phase 1 ike mode %d", r->p1ie); |
427 |
|
|
return (-1); |
428 |
|
|
} |
429 |
|
|
|
430 |
|
|
fprintf(fd, SET "[%s]:Configuration=phase1-%s force\n", r->p1name, |
431 |
|
|
r->p1name); |
432 |
|
|
fprintf(fd, SET "[phase1-%s]:EXCHANGE_TYPE=%s force\n", r->p1name, |
433 |
|
|
exchange_type); |
434 |
|
|
|
435 |
|
|
key_length = NULL; |
436 |
|
|
if (r->p1xfs && r->p1xfs->encxf) { |
437 |
|
|
switch (r->p1xfs->encxf->id) { |
438 |
|
|
case ENCXF_3DES_CBC: |
439 |
|
|
enc_alg = "3DES"; |
440 |
|
|
break; |
441 |
|
|
case ENCXF_AES: |
442 |
|
|
enc_alg = "AES"; |
443 |
|
|
key_length = "128,128:256"; |
444 |
|
|
break; |
445 |
|
|
case ENCXF_AES_128: |
446 |
|
|
enc_alg = "AES"; |
447 |
|
|
key_length = "128,128:128"; |
448 |
|
|
break; |
449 |
|
|
case ENCXF_AES_192: |
450 |
|
|
enc_alg = "AES"; |
451 |
|
|
key_length = "192,192:192"; |
452 |
|
|
break; |
453 |
|
|
case ENCXF_AES_256: |
454 |
|
|
enc_alg = "AES"; |
455 |
|
|
key_length = "256,256:256"; |
456 |
|
|
break; |
457 |
|
|
case ENCXF_BLOWFISH: |
458 |
|
|
enc_alg = "BLOWFISH"; |
459 |
|
|
key_length = "128,96:192"; |
460 |
|
|
break; |
461 |
|
|
case ENCXF_CAST128: |
462 |
|
|
enc_alg = "CAST"; |
463 |
|
|
break; |
464 |
|
|
default: |
465 |
|
|
warnx("illegal transform %s", r->p1xfs->encxf->name); |
466 |
|
|
return (-1); |
467 |
|
|
} |
468 |
|
|
} else { |
469 |
|
|
enc_alg = "AES"; |
470 |
|
|
key_length = "128,128:256"; |
471 |
|
|
} |
472 |
|
|
|
473 |
|
|
if (r->p1xfs && r->p1xfs->authxf) { |
474 |
|
|
switch (r->p1xfs->authxf->id) { |
475 |
|
|
case AUTHXF_HMAC_MD5: |
476 |
|
|
auth_alg = "MD5"; |
477 |
|
|
break; |
478 |
|
|
case AUTHXF_HMAC_SHA1: |
479 |
|
|
auth_alg = "SHA"; |
480 |
|
|
break; |
481 |
|
|
case AUTHXF_HMAC_SHA2_256: |
482 |
|
|
auth_alg = "SHA2_256"; |
483 |
|
|
break; |
484 |
|
|
case AUTHXF_HMAC_SHA2_384: |
485 |
|
|
auth_alg = "SHA2_384"; |
486 |
|
|
break; |
487 |
|
|
case AUTHXF_HMAC_SHA2_512: |
488 |
|
|
auth_alg = "SHA2_512"; |
489 |
|
|
break; |
490 |
|
|
default: |
491 |
|
|
warnx("illegal transform %s", r->p1xfs->authxf->name); |
492 |
|
|
return (-1); |
493 |
|
|
} |
494 |
|
|
} else |
495 |
|
|
auth_alg = "SHA"; |
496 |
|
|
|
497 |
|
|
if (r->p1xfs && r->p1xfs->groupxf) { |
498 |
|
|
switch (r->p1xfs->groupxf->id) { |
499 |
|
|
case GROUPXF_768: |
500 |
|
|
group_desc = "MODP_768"; |
501 |
|
|
break; |
502 |
|
|
case GROUPXF_1024: |
503 |
|
|
group_desc = "MODP_1024"; |
504 |
|
|
break; |
505 |
|
|
case GROUPXF_1536: |
506 |
|
|
group_desc = "MODP_1536"; |
507 |
|
|
break; |
508 |
|
|
case GROUPXF_2048: |
509 |
|
|
group_desc = "MODP_2048"; |
510 |
|
|
break; |
511 |
|
|
case GROUPXF_3072: |
512 |
|
|
group_desc = "MODP_3072"; |
513 |
|
|
break; |
514 |
|
|
case GROUPXF_4096: |
515 |
|
|
group_desc = "MODP_4096"; |
516 |
|
|
break; |
517 |
|
|
case GROUPXF_6144: |
518 |
|
|
group_desc = "MODP_6144"; |
519 |
|
|
break; |
520 |
|
|
case GROUPXF_8192: |
521 |
|
|
group_desc = "MODP_8192"; |
522 |
|
|
break; |
523 |
|
|
default: |
524 |
|
|
warnx("illegal group %s", r->p1xfs->groupxf->name); |
525 |
|
|
return (-1); |
526 |
|
|
}; |
527 |
|
|
} else |
528 |
|
|
group_desc = "MODP_3072"; |
529 |
|
|
|
530 |
|
|
switch (r->ikeauth->type) { |
531 |
|
|
case IKE_AUTH_PSK: |
532 |
|
|
auth_method = "PRE_SHARED"; |
533 |
|
|
break; |
534 |
|
|
case IKE_AUTH_RSA: |
535 |
|
|
auth_method = "RSA_SIG"; |
536 |
|
|
break; |
537 |
|
|
default: |
538 |
|
|
warnx("illegal authentication method %u", r->ikeauth->type); |
539 |
|
|
return (-1); |
540 |
|
|
} |
541 |
|
|
|
542 |
|
|
/* the transform name must not include "," */ |
543 |
|
|
if (key_length && (p = strchr(key_length, ',')) != NULL) |
544 |
|
|
num_print = p - key_length; |
545 |
|
|
/* create unique name for transform, see also ike_section_p2() */ |
546 |
|
|
if (asprintf(&transform, "phase1-transform-%s-%s-%s-%s%.*s-%s", |
547 |
|
|
r->p1name, auth_method, auth_alg, enc_alg, |
548 |
|
|
num_print, key_length ? key_length : "", |
549 |
|
|
group_desc) == -1) |
550 |
|
|
errx(1, "asprintf phase1-transform"); |
551 |
|
|
|
552 |
|
|
fprintf(fd, ADD "[phase1-%s]:Transforms=%s force\n", r->p1name, |
553 |
|
|
transform); |
554 |
|
|
fprintf(fd, SET "[%s]:AUTHENTICATION_METHOD=%s force\n", transform, |
555 |
|
|
auth_method); |
556 |
|
|
fprintf(fd, SET "[%s]:HASH_ALGORITHM=%s force\n", transform, auth_alg); |
557 |
|
|
fprintf(fd, SET "[%s]:ENCRYPTION_ALGORITHM=%s_CBC force\n", transform, |
558 |
|
|
enc_alg); |
559 |
|
|
if (key_length) |
560 |
|
|
fprintf(fd, SET "[%s]:KEY_LENGTH=%s force\n", transform, |
561 |
|
|
key_length); |
562 |
|
|
fprintf(fd, SET "[%s]:GROUP_DESCRIPTION=%s force\n", transform, |
563 |
|
|
group_desc); |
564 |
|
|
|
565 |
|
|
if (r->p1life && r->p1life->lt_seconds != -1) { |
566 |
|
|
fprintf(fd, SET "[%s]:Life=%s-life force\n", |
567 |
|
|
transform, transform); |
568 |
|
|
fprintf(fd, SET "[%s-life]:LIFE_TYPE=SECONDS force\n", |
569 |
|
|
transform); |
570 |
|
|
fprintf(fd, SET "[%s-life]:LIFE_DURATION=%d force\n", |
571 |
|
|
transform, r->p1life->lt_seconds); |
572 |
|
|
} else |
573 |
|
|
fprintf(fd, SET "[%s]:Life=LIFE_MAIN_MODE force\n", transform); |
574 |
|
|
|
575 |
|
|
free(transform); |
576 |
|
|
return (0); |
577 |
|
|
} |
578 |
|
|
|
579 |
|
|
static void |
580 |
|
|
ike_section_p2ids_net(struct ipsec_addr *iamask, sa_family_t af, char *name, |
581 |
|
|
char *p2xid, FILE *fd) |
582 |
|
|
{ |
583 |
|
|
char mask[NI_MAXHOST], *network, *p; |
584 |
|
|
struct sockaddr_storage sas; |
585 |
|
|
struct sockaddr *sa = (struct sockaddr *)&sas; |
586 |
|
|
|
587 |
|
|
bzero(&sas, sizeof(struct sockaddr_storage)); |
588 |
|
|
bzero(mask, sizeof(mask)); |
589 |
|
|
sa->sa_family = af; |
590 |
|
|
switch (af) { |
591 |
|
|
case AF_INET: |
592 |
|
|
sa->sa_len = sizeof(struct sockaddr_in); |
593 |
|
|
bcopy(&iamask->ipa, |
594 |
|
|
&((struct sockaddr_in *)(sa))->sin_addr, |
595 |
|
|
sizeof(struct in6_addr)); |
596 |
|
|
break; |
597 |
|
|
case AF_INET6: |
598 |
|
|
sa->sa_len = sizeof(struct sockaddr_in6); |
599 |
|
|
bcopy(&iamask->ipa, |
600 |
|
|
&((struct sockaddr_in6 *)(sa))->sin6_addr, |
601 |
|
|
sizeof(struct in6_addr)); |
602 |
|
|
break; |
603 |
|
|
} |
604 |
|
|
if (getnameinfo(sa, sa->sa_len, mask, sizeof(mask), NULL, 0, |
605 |
|
|
NI_NUMERICHOST)) |
606 |
|
|
errx(1, "could not get a numeric mask"); |
607 |
|
|
|
608 |
|
|
if ((network = strdup(name)) == NULL) |
609 |
|
|
err(1, "ike_section_p2ids: strdup"); |
610 |
|
|
if ((p = strrchr(network, '/')) != NULL) |
611 |
|
|
*p = '\0'; |
612 |
|
|
|
613 |
|
|
fprintf(fd, SET "[%s]:ID-type=IPV%d_ADDR_SUBNET force\n", |
614 |
|
|
p2xid, ((af == AF_INET) ? 4 : 6)); |
615 |
|
|
fprintf(fd, SET "[%s]:Network=%s force\n", p2xid, network); |
616 |
|
|
fprintf(fd, SET "[%s]:Netmask=%s force\n", p2xid, mask); |
617 |
|
|
|
618 |
|
|
free(network); |
619 |
|
|
} |
620 |
|
|
|
621 |
|
|
static void |
622 |
|
|
ike_section_p2ids(struct ipsec_rule *r, FILE *fd) |
623 |
|
|
{ |
624 |
|
|
char *p; |
625 |
|
|
struct ipsec_addr_wrap *src = r->src; |
626 |
|
|
struct ipsec_addr_wrap *dst = r->dst; |
627 |
|
|
|
628 |
|
|
if (src->netaddress) { |
629 |
|
|
ike_section_p2ids_net(&src->mask, src->af, src->name, |
630 |
|
|
r->p2lid, fd); |
631 |
|
|
} else { |
632 |
|
|
fprintf(fd, SET "[%s]:ID-type=IPV%d_ADDR force\n", |
633 |
|
|
r->p2lid, ((src->af == AF_INET) ? 4 : 6)); |
634 |
|
|
if ((p = strrchr(src->name, '/')) != NULL) |
635 |
|
|
*p = '\0'; |
636 |
|
|
fprintf(fd, SET "[%s]:Address=%s force\n", r->p2lid, |
637 |
|
|
src->name); |
638 |
|
|
} |
639 |
|
|
|
640 |
|
|
if (src->srcnat && src->srcnat->netaddress) { |
641 |
|
|
ike_section_p2ids_net(&src->srcnat->mask, src->af, src->srcnat->name, |
642 |
|
|
r->p2nid, fd); |
643 |
|
|
} else if (src->srcnat) { |
644 |
|
|
fprintf(fd, SET "[%s]:ID-type=IPV%d_ADDR force\n", |
645 |
|
|
r->p2nid, ((src->af == AF_INET) ? 4 : 6)); |
646 |
|
|
if ((p = strrchr(src->srcnat->name, '/')) != NULL) |
647 |
|
|
*p = '\0'; |
648 |
|
|
fprintf(fd, SET "[%s]:Address=%s force\n", r->p2nid, |
649 |
|
|
src->srcnat->name); |
650 |
|
|
} |
651 |
|
|
|
652 |
|
|
if (dst->netaddress) { |
653 |
|
|
ike_section_p2ids_net(&dst->mask, dst->af, dst->name, |
654 |
|
|
r->p2rid, fd); |
655 |
|
|
} else { |
656 |
|
|
fprintf(fd, SET "[%s]:ID-type=IPV%d_ADDR force\n", |
657 |
|
|
r->p2rid, ((dst->af == AF_INET) ? 4 : 6)); |
658 |
|
|
if ((p = strrchr(dst->name, '/')) != NULL) |
659 |
|
|
*p = '\0'; |
660 |
|
|
fprintf(fd, SET "[%s]:Address=%s force\n", r->p2rid, |
661 |
|
|
dst->name); |
662 |
|
|
} |
663 |
|
|
if (r->proto) { |
664 |
|
|
fprintf(fd, SET "[%s]:Protocol=%d force\n", |
665 |
|
|
r->p2lid, r->proto); |
666 |
|
|
fprintf(fd, SET "[%s]:Protocol=%d force\n", |
667 |
|
|
r->p2rid, r->proto); |
668 |
|
|
} |
669 |
|
|
if (r->sport) |
670 |
|
|
fprintf(fd, SET "[%s]:Port=%d force\n", r->p2lid, |
671 |
|
|
ntohs(r->sport)); |
672 |
|
|
if (r->dport) |
673 |
|
|
fprintf(fd, SET "[%s]:Port=%d force\n", r->p2rid, |
674 |
|
|
ntohs(r->dport)); |
675 |
|
|
} |
676 |
|
|
|
677 |
|
|
static int |
678 |
|
|
ike_connect(struct ipsec_rule *r, FILE *fd) |
679 |
|
|
{ |
680 |
|
|
switch (r->ikemode) { |
681 |
|
|
case IKE_ACTIVE: |
682 |
|
|
case IKE_DYNAMIC: |
683 |
|
|
fprintf(fd, ADD "[Phase 2]:Connections=%s\n", r->p2name); |
684 |
|
|
break; |
685 |
|
|
case IKE_PASSIVE: |
686 |
|
|
fprintf(fd, ADD "[Phase 2]:Passive-Connections=%s\n", |
687 |
|
|
r->p2name); |
688 |
|
|
break; |
689 |
|
|
default: |
690 |
|
|
return (-1); |
691 |
|
|
} |
692 |
|
|
return (0); |
693 |
|
|
} |
694 |
|
|
|
695 |
|
|
static int |
696 |
|
|
ike_gen_config(struct ipsec_rule *r, FILE *fd) |
697 |
|
|
{ |
698 |
|
|
ike_setup_ids(r); |
699 |
|
|
ike_section_general(r, fd); |
700 |
|
|
ike_section_peer(r, fd); |
701 |
|
|
if (ike_section_p1(r, fd) == -1) { |
702 |
|
|
return (-1); |
703 |
|
|
} |
704 |
|
|
ike_section_ids(r, fd); |
705 |
|
|
ike_section_ipsec(r, fd); |
706 |
|
|
if (ike_section_p2(r, fd) == -1) { |
707 |
|
|
return (-1); |
708 |
|
|
} |
709 |
|
|
ike_section_p2ids(r, fd); |
710 |
|
|
|
711 |
|
|
if (ike_connect(r, fd) == -1) |
712 |
|
|
return (-1); |
713 |
|
|
return (0); |
714 |
|
|
} |
715 |
|
|
|
716 |
|
|
static int |
717 |
|
|
ike_delete_config(struct ipsec_rule *r, FILE *fd) |
718 |
|
|
{ |
719 |
|
|
ike_setup_ids(r); |
720 |
|
|
#if 0 |
721 |
|
|
switch (r->ikemode) { |
722 |
|
|
case IKE_ACTIVE: |
723 |
|
|
case IKE_DYNAMIC: |
724 |
|
|
fprintf(fd, "t %s\n", r->p2name); |
725 |
|
|
break; |
726 |
|
|
case IKE_PASSIVE: |
727 |
|
|
fprintf(fd, DELETE "[Phase 2]\n"); |
728 |
|
|
fprintf(fd, "t %s\n", r->p2name); |
729 |
|
|
break; |
730 |
|
|
default: |
731 |
|
|
return (-1); |
732 |
|
|
} |
733 |
|
|
|
734 |
|
|
if (r->peer) { |
735 |
|
|
fprintf(fd, DELETE "[%s]\n", r->p1name); |
736 |
|
|
fprintf(fd, DELETE "[phase1-%s]\n", r->p1name); |
737 |
|
|
} |
738 |
|
|
if (r->auth) { |
739 |
|
|
if (r->auth->srcid) |
740 |
|
|
fprintf(fd, DELETE "[%s-ID]\n", r->auth->srcid); |
741 |
|
|
if (r->auth->dstid) |
742 |
|
|
fprintf(fd, DELETE "[%s-ID]\n", r->auth->dstid); |
743 |
|
|
} |
744 |
|
|
fprintf(fd, DELETE "[%s]\n", r->p2name); |
745 |
|
|
fprintf(fd, DELETE "[phase2-%s]\n", r->p2name); |
746 |
|
|
fprintf(fd, DELETE "[%s]\n", r->p2lid); |
747 |
|
|
fprintf(fd, DELETE "[%s]\n", r->p2rid); |
748 |
|
|
#else |
749 |
|
|
fprintf(fd, "t %s\n", r->p2name); |
750 |
|
|
switch (r->ikemode) { |
751 |
|
|
case IKE_ACTIVE: |
752 |
|
|
case IKE_DYNAMIC: |
753 |
|
|
fprintf(fd, RMV "[Phase 2]:Connections=%s\n", r->p2name); |
754 |
|
|
break; |
755 |
|
|
case IKE_PASSIVE: |
756 |
|
|
fprintf(fd, RMV "[Phase 2]:Passive-Connections=%s\n", |
757 |
|
|
r->p2name); |
758 |
|
|
break; |
759 |
|
|
default: |
760 |
|
|
return (-1); |
761 |
|
|
} |
762 |
|
|
fprintf(fd, DELETE "[%s]\n", r->p2name); |
763 |
|
|
fprintf(fd, DELETE "[phase2-%s]\n", r->p2name); |
764 |
|
|
#endif |
765 |
|
|
|
766 |
|
|
return (0); |
767 |
|
|
} |
768 |
|
|
|
769 |
|
|
static void |
770 |
|
|
ike_setup_ids(struct ipsec_rule *r) |
771 |
|
|
{ |
772 |
|
|
char sproto[10], ssport[10], sdport[10]; |
773 |
|
|
|
774 |
|
|
/* phase 1 name is peer and local address */ |
775 |
|
|
if (r->peer) { |
776 |
|
|
if (r->local) { |
777 |
|
|
/* peer-dstaddr-local-srcaddr */ |
778 |
|
|
if (asprintf(&r->p1name, "peer-%s-local-%s", |
779 |
|
|
r->peer->name, r->local->name) == -1) |
780 |
|
|
err(1, "ike_setup_ids"); |
781 |
|
|
} else |
782 |
|
|
/* peer-dstaddr */ |
783 |
|
|
if (asprintf(&r->p1name, "peer-%s", |
784 |
|
|
r->peer->name) == -1) |
785 |
|
|
err(1, "ike_setup_ids"); |
786 |
|
|
} else |
787 |
|
|
if ((r->p1name = strdup("peer-default")) == NULL) |
788 |
|
|
err(1, "ike_setup_ids"); |
789 |
|
|
|
790 |
|
|
/* Phase 2 name is from and to network, protocol, port*/ |
791 |
|
|
sproto[0] = ssport[0] = sdport[0] = 0; |
792 |
|
|
if (r->proto) |
793 |
|
|
snprintf(sproto, sizeof sproto, "=%u", r->proto); |
794 |
|
|
if (r->sport) |
795 |
|
|
snprintf(ssport, sizeof ssport, ":%u", ntohs(r->sport)); |
796 |
|
|
if (r->dport) |
797 |
|
|
snprintf(sdport, sizeof sdport, ":%u", ntohs(r->dport)); |
798 |
|
|
/* from-network/masklen=proto:port */ |
799 |
|
|
if (asprintf(&r->p2lid, "from-%s%s%s", r->src->name, sproto, ssport) |
800 |
|
|
== -1) |
801 |
|
|
err(1, "ike_setup_ids"); |
802 |
|
|
/* to-network/masklen=proto:port */ |
803 |
|
|
if (asprintf(&r->p2rid, "to-%s%s%s", r->dst->name, sproto, sdport) |
804 |
|
|
== -1) |
805 |
|
|
err(1, "ike_setup_ids"); |
806 |
|
|
/* from-network/masklen=proto:port-to-network/masklen=proto:port */ |
807 |
|
|
if (asprintf(&r->p2name, "%s-%s", r->p2lid , r->p2rid) == -1) |
808 |
|
|
err(1, "ike_setup_ids"); |
809 |
|
|
/* nat-network/masklen=proto:port */ |
810 |
|
|
if (r->src->srcnat && r->src->srcnat->name) { |
811 |
|
|
if (asprintf(&r->p2nid, "nat-%s%s%s", r->src->srcnat->name, sproto, |
812 |
|
|
ssport) == -1) |
813 |
|
|
err(1, "ike_setup_ids"); |
814 |
|
|
} |
815 |
|
|
} |
816 |
|
|
|
817 |
|
|
int |
818 |
|
|
ike_print_config(struct ipsec_rule *r, int opts) |
819 |
|
|
{ |
820 |
|
|
if (opts & IPSECCTL_OPT_DELETE) |
821 |
|
|
return (ike_delete_config(r, stdout)); |
822 |
|
|
else |
823 |
|
|
return (ike_gen_config(r, stdout)); |
824 |
|
|
} |
825 |
|
|
|
826 |
|
|
int |
827 |
|
|
ike_ipsec_establish(int action, struct ipsec_rule *r, const char *fifo) |
828 |
|
|
{ |
829 |
|
|
struct stat sb; |
830 |
|
|
FILE *fdp; |
831 |
|
|
int fd, ret = 0; |
832 |
|
|
|
833 |
|
|
if ((fd = open(fifo, O_WRONLY)) == -1) |
834 |
|
|
err(1, "ike_ipsec_establish: open(%s)", fifo); |
835 |
|
|
if (fstat(fd, &sb) == -1) |
836 |
|
|
err(1, "ike_ipsec_establish: fstat(%s)", fifo); |
837 |
|
|
if (!S_ISFIFO(sb.st_mode)) |
838 |
|
|
errx(1, "ike_ipsec_establish: %s not a fifo", fifo); |
839 |
|
|
if ((fdp = fdopen(fd, "w")) == NULL) |
840 |
|
|
err(1, "ike_ipsec_establish: fdopen(%s)", fifo); |
841 |
|
|
|
842 |
|
|
switch (action) { |
843 |
|
|
case ACTION_ADD: |
844 |
|
|
ret = ike_gen_config(r, fdp); |
845 |
|
|
break; |
846 |
|
|
case ACTION_DELETE: |
847 |
|
|
ret = ike_delete_config(r, fdp); |
848 |
|
|
break; |
849 |
|
|
default: |
850 |
|
|
ret = -1; |
851 |
|
|
} |
852 |
|
|
|
853 |
|
|
fclose(fdp); |
854 |
|
|
return (ret); |
855 |
|
|
} |