Check keys length regarding proposal_check level

2006-12-05 13:38:40 +00:00 · 2006-12-05 13:38:40 +00:00 · 3db7f7800e
commit 3db7f7800e
parent bd9764c5df
4 changed files with 46 additions and 19 deletions
--- a/crypto/dist/ipsec-tools/ChangeLog
+++ b/crypto/dist/ipsec-tools/ChangeLog
@ -1,3 +1,9 @@
+2006-12-05  Yvan Vanhullebus  <vanhu@netasq.com>
+	* src/racoon/proposal.[ch]: Check keys length regarding
+	  pcheck_level in cmpsatrns().
+	* src/racoon/racoon.conf.5: updated man page about what is
+	  impacted by proposal_check level.
+
 2006-11-12  Matthew Grooms <mgrooms@shrew.net>
 	* src/racoon/sainfo.c: fix anonymous sainfo selection.

--- a/crypto/dist/ipsec-tools/src/racoon/proposal.c
+++ b/crypto/dist/ipsec-tools/src/racoon/proposal.c
@ -1,6 +1,6 @@
-/*	$NetBSD: proposal.c,v 1.11 2006/10/09 06:32:59 manu Exp $	*/
+/*	$NetBSD: proposal.c,v 1.12 2006/12/05 13:38:40 vanhu Exp $	*/

-/* $Id: proposal.c,v 1.11 2006/10/09 06:32:59 manu Exp $ */
+/* $Id: proposal.c,v 1.12 2006/12/05 13:38:40 vanhu Exp $ */

 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -427,7 +427,7 @@ cmpsaprop_alloc(ph1, pp1, pp2, side)

 		for (tr1 = pr1->head; tr1; tr1 = tr1->next) {
 			for (tr2 = pr2->head; tr2; tr2 = tr2->next) {
-				if (cmpsatrns(pr1->proto_id, tr1, tr2) == 0)
+				if (cmpsatrns(pr1->proto_id, tr1, tr2, ph1->rmconf->pcheck_level) == 0)
 					goto found;
 			}
 		}
@ -529,9 +529,10 @@ cmpsaprop(pp1, pp2)
 * tr2: my satrns
 */
 int
-cmpsatrns(proto_id, tr1, tr2)
+cmpsatrns(proto_id, tr1, tr2, check_level)
 	int proto_id;
 	const struct satrns *tr1, *tr2;
+	int check_level;
 {
 	if (tr1->trns_id != tr2->trns_id) {
 		plog(LLV_WARNING, LOCATION, NULL,
@ -551,16 +552,34 @@ cmpsatrns(proto_id, tr1, tr2)
 		return 1;
 	}

-	/* XXX
-	 * At this moment for interoperability, the responder obey
-	 * the initiator.  It should be defined a notify message.
+	/* Check key length regarding checkmode
+	 * XXX Shall we send some kind of notify message when key length rejected ?
 	 */
-	if (tr1->encklen > tr2->encklen) {
+	switch(check_level){
+	case PROP_CHECK_OBEY:
+		return 0;
+		break;
+
+	case PROP_CHECK_STRICT:
+		/* FALLTHROUGH */
+	case PROP_CHECK_CLAIM:
+		if (tr1->encklen < tr2->encklen) {
 		plog(LLV_WARNING, LOCATION, NULL,
-			"less key length proposed, "
-			"mine:%d peer:%d.  Use initiaotr's one.\n",
+				 "low key length proposed, "
+				 "mine:%d peer:%d.\n",
 			tr2->encklen, tr1->encklen);
-		/* FALLTHRU */
+			return 1;
+		}
+		break;
+	case PROP_CHECK_EXACT:
+		if (tr1->encklen != tr2->encklen) {
+			plog(LLV_WARNING, LOCATION, NULL,
+				 "key length mismatched, "
+				 "mine:%d peer:%d.\n",
+				 tr2->encklen, tr1->encklen);
+			return 1;
+		}
+		break;
 	}

 	return 0;
--- a/crypto/dist/ipsec-tools/src/racoon/proposal.h
+++ b/crypto/dist/ipsec-tools/src/racoon/proposal.h
@ -1,4 +1,4 @@
-/*	$NetBSD: proposal.h,v 1.4 2006/09/09 16:22:10 manu Exp $	*/
+/*	$NetBSD: proposal.h,v 1.5 2006/12/05 13:38:40 vanhu Exp $	*/

 /* Id: proposal.h,v 1.5 2004/06/11 16:00:17 ludvigm Exp */

@ -192,7 +192,7 @@ extern void inssatrns __P((struct saproto *, struct satrns *));
 extern struct saprop *cmpsaprop_alloc __P((struct ph1handle *,
 	const struct saprop *, const struct saprop *, int));
 extern int cmpsaprop __P((const struct saprop *, const struct saprop *));
-extern int cmpsatrns __P((int, const struct satrns *, const struct satrns *));
+extern int cmpsatrns __P((int, const struct satrns *, const struct satrns *, int));
 extern int set_satrnsbysainfo __P((struct saproto *, struct sainfo *));
 extern struct saprop *aproppair2saprop __P((struct prop_pair *));
 extern void free_proppair __P((struct prop_pair **));
--- a/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5
+++ b/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5
@ -1,4 +1,4 @@
-.\"	$NetBSD: racoon.conf.5,v 1.32 2006/10/06 12:02:27 manu Exp $
+.\"	$NetBSD: racoon.conf.5,v 1.33 2006/12/05 13:38:40 vanhu Exp $
 .\"
 .\"	Id: racoon.conf.5,v 1.54 2006/08/22 18:17:17 manubsd Exp
 .\"
@ -667,7 +667,7 @@ The default value is
 It is useful for a server.
 .\"
 .It Ic proposal_check Ar level ;
-specifies the action of lifetime length and PFS of the phase 2
+specifies the action of lifetime length, key length and PFS of the phase 2
 selection on the responder side, and the action of lifetime check in
 phase 1.
 The default level is
@ -679,14 +679,16 @@ is:
 .It Ic obey
 the responder will obey the initiator anytime.
 .It Ic strict
-If the responder's length is longer than the initiator's one, the
+If the responder's lifetime length is longer than the initiator's one,
+or if responder's key length is shorter than the initiator's one, the
 responder uses the initiator's one.
 Otherwise it rejects the proposal.
 If PFS is not required by the responder, the responder will obey the proposal.
 If PFS is required by both sides and if the responder's group is not equal to
 the initiator's one, then the responder will reject the proposal.
 .It Ic claim
-If the responder's length is longer than the initiator's one, the
+If the responder's length is longer than the initiator's one,
+or if responder's key length is shorter than the initiator's one, the
 responder will use the initiator's one.
 If the responder's length is
 shorter than the initiator's one, the responder uses its own length
@ -695,8 +697,8 @@ case of lifetime (phase 2 only).
 For PFS, this directive behaves the same as
 .Ic strict .
 .It Ic exact
-If the initiator's length is not equal to the responder's one, the
-responder will reject the proposal.
+If the initiator's lifetime or key length is not equal to the responder's one,
+the responder will reject the proposal.
 If PFS is required by both sides and if the responder's group is not equal to
 the initiator's one, then the responder will reject the proposal.
 .El