subject:"iked\(8\)\: move CERTREQ handler out of parser"

Re: iked(8): move CERTREQ handler out of parser

2019-08-12 Thread Tobias Heider

One more update: I moved to ikev2_handle_certreq() calls somewhere else where
they fit better.

I'd be happy to get some feedback from different iked setups,
in my tests all seems to work as intended. In the best case you
won't notice any difference at all (only the CERTREQ handling will
happen a bit later in recv function).

Here is the diff:

Index: iked.h
===
RCS file: /mount/openbsd/cvs/src/sbin/iked/iked.h,v
retrieving revision 1.121
diff -u -p -u -r1.121 iked.h
--- iked.h  11 May 2019 16:30:23 -  1.121
+++ iked.h  12 Aug 2019 15:19:56 -
@@ -536,6 +536,10 @@ struct iked_message {
struct iked_id   msg_cert;
struct ibuf *msg_cookie;
 
+   uint8_t  msg_certreq_type;  /* CR Encoding*/
+   struct ibuf *msg_certreq_auth;  /* CR Authority */
+   struct ibuf *msg_certreq_ocsp;  /* CR OCSP values */
+
/* MOBIKE */
int  msg_update_sa_addresses;
struct ibuf *msg_cookie2;
Index: ikev2.c
===
RCS file: /mount/openbsd/cvs/src/sbin/iked/ikev2.c,v
retrieving revision 1.171
diff -u -p -u -r1.171 ikev2.c
--- ikev2.c 11 May 2019 16:30:23 -  1.171
+++ ikev2.c 12 Aug 2019 16:03:46 -
@@ -82,6 +82,8 @@ intikev2_send_error(struct iked *, str
struct iked_message *, uint8_t);
 int ikev2_send_init_error(struct iked *, struct iked_message *);
 
+int ikev2_handle_certreq(struct iked*, struct iked_message *);
+
 int ikev2_send_create_child_sa(struct iked *, struct iked_sa *,
struct iked_spi *, uint8_t);
 int ikev2_ikesa_enable(struct iked *, struct iked_sa *, struct iked_sa *);
@@ -874,6 +876,9 @@ ikev2_init_recv(struct iked *env, struct
"IKE_SA_INIT exchange", __func__);
break;
}
+   if (ikev2_handle_certreq(env, msg) != 0)
+   return;
+
(void)ikev2_init_auth(env, msg);
break;
case IKEV2_EXCHANGE_IKE_AUTH:
@@ -2384,6 +2389,9 @@ ikev2_resp_recv(struct iked *env, struct
sa->sa_policy->pol_auth.auth_eap)
sa_state(env, sa, IKEV2_STATE_EAP);
 
+   if (ikev2_handle_certreq(env, msg) != 0)
+   return;
+
if (ikev2_ike_auth_recv(env, sa, msg) != 0) {
log_debug("%s: failed to send auth response", __func__);
ikev2_send_error(env, sa, msg, hdr->ike_exchange);
@@ -2996,6 +3004,46 @@ ikev2_set_sa_proposal(struct iked_sa *sa
return (-1);
}
}
+   return (0);
+}
+
+int
+ikev2_handle_certreq(struct iked* env, struct iked_message *msg)
+{
+   struct iked_sa  *sa;
+
+   if ((sa = msg->msg_sa) == NULL)
+   return (-1);
+
+   if (msg->msg_certreq_type != IKEV2_CERT_NONE) {
+   /* Optional certreq for PSK */
+   if (sa->sa_hdr.sh_initiator)
+   sa->sa_stateinit |= IKED_REQ_CERT;
+   else
+   sa->sa_statevalid |= IKED_REQ_CERT;
+
+   ca_setreq(env, sa, &sa->sa_policy->pol_localid,
+   msg->msg_certreq_type,
+   ibuf_data(msg->msg_certreq_auth),
+   ibuf_length(msg->msg_certreq_auth),
+   PROC_CERT);
+   }
+
+   if (msg->msg_certreq_ocsp != NULL) {
+   ca_setreq(env, sa, &sa->sa_policy->pol_localid,
+   IKEV2_CERT_OCSP,
+   ibuf_data(msg->msg_certreq_auth),
+   ibuf_length(msg->msg_certreq_auth),
+   PROC_CERT);
+   }
+
+   /* Cleanup */
+   ibuf_release(msg->msg_certreq_auth);
+   msg->msg_certreq_auth = NULL;
+   ibuf_release(msg->msg_certreq_ocsp);
+   msg->msg_certreq_ocsp = NULL;
+   msg->msg_certreq_type = IKEV2_CERT_NONE;
+
return (0);
 }
 
Index: ikev2_pld.c
===
RCS file: /mount/openbsd/cvs/src/sbin/iked/ikev2_pld.c,v
retrieving revision 1.71
diff -u -p -u -r1.71 ikev2_pld.c
--- ikev2_pld.c 11 May 2019 16:30:23 -  1.71
+++ ikev2_pld.c 12 Aug 2019 15:52:02 -
@@ -826,7 +826,6 @@ int
 ikev2_pld_certreq(struct iked *env, struct ikev2_payload *pld,
 struct iked_message *msg, size_t offset, size_t left)
 {
-   struct iked_sa  *sa = msg->msg_sa;
struct ikev2_certcert;
uint8_t *buf;
ssize_t  len;
@@ -847,27 +846,39 @@ ikev2_pld_certreq(struct iked *env, stru
if (!ikev2_msg_frompeer(msg))
return (0);
 
-   if (cert.cert_type == IKEV2_CERT_X509_CERT) {

Re: iked(8): move CERTREQ handler out of parser

2019-08-09 Thread Tobias Heider

Update because I forgot to add OCSP support which needs a bit of extra
treatment as it uses an additional CERTREQ payload.

Index: iked.h
===
RCS file: /mount/openbsd/cvs/src/sbin/iked/iked.h,v
retrieving revision 1.121
diff -u -p -u -r1.121 iked.h
--- iked.h  11 May 2019 16:30:23 -  1.121
+++ iked.h  9 Aug 2019 14:20:27 -
@@ -536,6 +536,10 @@ struct iked_message {
struct iked_id   msg_cert;
struct ibuf *msg_cookie;
 
+   uint8_t  msg_certreq_type;  /* CR Encoding*/
+   struct ibuf *msg_certreq_auth;  /* CR Authority */
+   struct ibuf *msg_certreq_ocsp;  /* CR OCSP values */
+
/* MOBIKE */
int  msg_update_sa_addresses;
struct ibuf *msg_cookie2;
Index: ikev2.c
===
RCS file: /mount/openbsd/cvs/src/sbin/iked/ikev2.c,v
retrieving revision 1.171
diff -u -p -u -r1.171 ikev2.c
--- ikev2.c 11 May 2019 16:30:23 -  1.171
+++ ikev2.c 9 Aug 2019 14:23:15 -
@@ -82,6 +82,8 @@ intikev2_send_error(struct iked *, str
struct iked_message *, uint8_t);
 int ikev2_send_init_error(struct iked *, struct iked_message *);
 
+int ikev2_handle_certreq(struct iked*, struct iked_message *);
+
 int ikev2_send_create_child_sa(struct iked *, struct iked_sa *,
struct iked_spi *, uint8_t);
 int ikev2_ikesa_enable(struct iked *, struct iked_sa *, struct iked_sa *);
@@ -608,6 +610,9 @@ ikev2_ike_auth_recv(struct iked *env, st
struct iked_policy  *policy = sa->sa_policy;
int  ret = -1;
 
+   if (ikev2_handle_certreq(env, msg) != 0)
+   return (-1);
+
if (sa->sa_hdr.sh_initiator) {
id = &sa->sa_rid;
certid = &sa->sa_rcert;
@@ -2996,6 +3001,52 @@ ikev2_set_sa_proposal(struct iked_sa *sa
return (-1);
}
}
+   return (0);
+}
+
+int
+ikev2_handle_certreq(struct iked* env, struct iked_message *msg)
+{
+   struct iked_sa  *sa;
+
+   if (msg->msg_certreq_type == IKEV2_CERT_NONE)
+   return (0);
+
+   if ((sa = msg->msg_sa) == NULL)
+   return (-1);
+
+   if (msg->msg_certreq_type != IKEV2_CERT_NONE) {
+   log_debug("%s: handling certreq with type %d.", __func__,
+   msg->msg_certreq_type);
+
+   /* Optional certreq for PSK */
+   if (sa->sa_hdr.sh_initiator)
+   sa->sa_stateinit |= IKED_REQ_CERT;
+   else
+   sa->sa_statevalid |= IKED_REQ_CERT;
+
+   ca_setreq(env, sa, &sa->sa_policy->pol_localid,
+   msg->msg_certreq_type,
+   ibuf_data(msg->msg_certreq_auth),
+   ibuf_length(msg->msg_certreq_auth),
+   PROC_CERT);
+   }
+
+   if (msg->msg_certreq_ocsp != NULL) {
+   ca_setreq(env, sa, &sa->sa_policy->pol_localid,
+   IKEV2_CERT_OCSP,
+   ibuf_data(msg->msg_certreq_auth),
+   ibuf_length(msg->msg_certreq_auth),
+   PROC_CERT);
+   }
+
+   /* Cleanup */
+   ibuf_release(msg->msg_certreq_auth);
+   msg->msg_certreq_auth = NULL;
+   ibuf_release(msg->msg_certreq_ocsp);
+   msg->msg_certreq_ocsp = NULL;
+   msg->msg_certreq_type = IKEV2_CERT_NONE;
+
return (0);
 }
 
Index: ikev2_pld.c
===
RCS file: /mount/openbsd/cvs/src/sbin/iked/ikev2_pld.c,v
retrieving revision 1.71
diff -u -p -u -r1.71 ikev2_pld.c
--- ikev2_pld.c 11 May 2019 16:30:23 -  1.71
+++ ikev2_pld.c 9 Aug 2019 14:24:15 -
@@ -826,7 +826,6 @@ int
 ikev2_pld_certreq(struct iked *env, struct ikev2_payload *pld,
 struct iked_message *msg, size_t offset, size_t left)
 {
-   struct iked_sa  *sa = msg->msg_sa;
struct ikev2_certcert;
uint8_t *buf;
ssize_t  len;
@@ -847,27 +846,39 @@ ikev2_pld_certreq(struct iked *env, stru
if (!ikev2_msg_frompeer(msg))
return (0);
 
-   if (cert.cert_type == IKEV2_CERT_X509_CERT) {
-   if (!len)
-   return (0);
-   if ((len % SHA_DIGEST_LENGTH) != 0) {
-   log_debug("%s: invalid certificate request", __func__);
-   return (-1);
-   }
+   /* The contents of the Certification Authority field are defined only
+* for X.509 certificates */
+   switch (cert.cert_type) {
+   case IKEV2_CERT_X509_CERT:
+   case IKEV2_CERT_HASHURL_X509:
+   case IKEV2_CERT_HASHURL_X509_BU

iked(8): move CERTREQ handler out of parser

2019-08-09 Thread Tobias Heider

Hi,

currently some parts of the iked(8) payload parser act on the SA structure
before the message was fully parsed and checked, which is obviously bad for
security.
The parser should store it's results in a temporary location
(e.G. in the iked_message struct) and apply changes only when the message
has passed all checks.

This diff moves the CERTREQ payload handling from the parser to the IKE_AUTH
exchange handler function where it belongs.

Ok?

Index: iked.h
===
RCS file: /mount/openbsd/cvs/src/sbin/iked/iked.h,v
retrieving revision 1.121
diff -u -p -u -r1.121 iked.h
--- iked.h  11 May 2019 16:30:23 -  1.121
+++ iked.h  9 Aug 2019 13:41:00 -
@@ -536,6 +536,9 @@ struct iked_message {
struct iked_id   msg_cert;
struct ibuf *msg_cookie;
 
+   uint8_t  msg_certreq_type;  /* CR Encoding*/
+   struct ibuf *msg_certreq_auth;  /* CR Authority */
+
/* MOBIKE */
int  msg_update_sa_addresses;
struct ibuf *msg_cookie2;
Index: ikev2.c
===
RCS file: /mount/openbsd/cvs/src/sbin/iked/ikev2.c,v
retrieving revision 1.171
diff -u -p -u -r1.171 ikev2.c
--- ikev2.c 11 May 2019 16:30:23 -  1.171
+++ ikev2.c 9 Aug 2019 13:59:53 -
@@ -82,6 +82,8 @@ intikev2_send_error(struct iked *, str
struct iked_message *, uint8_t);
 int ikev2_send_init_error(struct iked *, struct iked_message *);
 
+int ikev2_handle_certreq(struct iked*, struct iked_message *);
+
 int ikev2_send_create_child_sa(struct iked *, struct iked_sa *,
struct iked_spi *, uint8_t);
 int ikev2_ikesa_enable(struct iked *, struct iked_sa *, struct iked_sa *);
@@ -608,6 +610,9 @@ ikev2_ike_auth_recv(struct iked *env, st
struct iked_policy  *policy = sa->sa_policy;
int  ret = -1;
 
+   if (ikev2_handle_certreq(env, msg) != 0)
+   return (-1);
+
if (sa->sa_hdr.sh_initiator) {
id = &sa->sa_rid;
certid = &sa->sa_rcert;
@@ -2996,6 +3001,40 @@ ikev2_set_sa_proposal(struct iked_sa *sa
return (-1);
}
}
+   return (0);
+}
+
+int
+ikev2_handle_certreq(struct iked* env, struct iked_message *msg)
+{
+   struct iked_sa  *sa;
+
+   if (msg->msg_certreq_type == IKEV2_CERT_NONE)
+   return (0);
+
+   log_info("%s: handling certreq with type %d.", __func__,
+   msg->msg_certreq_type);
+
+   if ((sa = msg->msg_sa) == NULL)
+   return (-1);
+
+   /* Optional certreq for PSK */
+   if (sa->sa_hdr.sh_initiator)
+   sa->sa_stateinit |= IKED_REQ_CERT;
+   else
+   sa->sa_statevalid |= IKED_REQ_CERT;
+
+   ca_setreq(env, sa, &sa->sa_policy->pol_localid,
+   msg->msg_certreq_type,
+   ibuf_data(msg->msg_certreq_auth),
+   ibuf_length(msg->msg_certreq_auth),
+   PROC_CERT);
+
+   /* Cleanup */
+   ibuf_release(msg->msg_certreq_auth);
+   msg->msg_certreq_auth = NULL;
+   msg->msg_certreq_type = IKEV2_CERT_NONE;
+
return (0);
 }
 
Index: ikev2_pld.c
===
RCS file: /mount/openbsd/cvs/src/sbin/iked/ikev2_pld.c,v
retrieving revision 1.71
diff -u -p -u -r1.71 ikev2_pld.c
--- ikev2_pld.c 11 May 2019 16:30:23 -  1.71
+++ ikev2_pld.c 9 Aug 2019 13:44:07 -
@@ -826,7 +826,6 @@ int
 ikev2_pld_certreq(struct iked *env, struct ikev2_payload *pld,
 struct iked_message *msg, size_t offset, size_t left)
 {
-   struct iked_sa  *sa = msg->msg_sa;
struct ikev2_certcert;
uint8_t *buf;
ssize_t  len;
@@ -847,27 +846,30 @@ ikev2_pld_certreq(struct iked *env, stru
if (!ikev2_msg_frompeer(msg))
return (0);
 
-   if (cert.cert_type == IKEV2_CERT_X509_CERT) {
-   if (!len)
-   return (0);
-   if ((len % SHA_DIGEST_LENGTH) != 0) {
-   log_debug("%s: invalid certificate request", __func__);
-   return (-1);
-   }
+   /* The contents of the Certification Authority field are defined only
+* for X.509 certificates */
+   switch (cert.cert_type) {
+   case IKEV2_CERT_X509_CERT:
+   case IKEV2_CERT_HASHURL_X509:
+   case IKEV2_CERT_HASHURL_X509_BUNDLE:
+   if (len == 0)
+   return (0);
+   if ((len % SHA_DIGEST_LENGTH) != 0) {
+   log_debug("%s: invalid certificate request",
+   __func__);
+

Re: iked(8): move CERTREQ handler out of parser

Re: iked(8): move CERTREQ handler out of parser

iked(8): move CERTREQ handler out of parser

3 matches

Site Navigation

Mail list logo

Footer information