
user/3008: ISAKMP does not handle phase-1 defaults well

From: Mike Neuman <mcn(at)EnGarde.com>
Date: Sat Nov 30 2002 - 14:39:12 EST


>Number: 3008
>Category: user
>Synopsis: ISAKMP does not handle phase-1 defaults well
>Confidential: no
net
>Environment:

        System      : OpenBSD 3.2
        Architecture: OpenBSD.i386
        Machine     : i386

>Description:

ISAKMPD allows the user to specify a [Default-phase-1] configuration group, which allows the user to configure the transforms, lifetimes, etc. that are used for *incoming* ISAKMP requests. However, there is no mechanism for specifying defaults for *outgoing* ISAKMP requests. The only means is to create configuration blocks based upon the order in which the ISAKMP query was made (i.e. [Connection-0]) or, if you know the remote host name, per peer (i.e. [Peer-199.165.219.200]). In an IPsec transport environment there may be infinite connections, and the remote host will probably not be known in advance.

This limitation is acknowledged in the source by the author with an XXX comment.
>How-To-Repeat:

No repetition required: the software does not accept default outbound transforms for phase-1 IKE.
>Fix:

This patch creates a new configuration parameter (in the style of the others, such as 'default-phase-1-id' and 'default-phase-2-suites' in the General configuration block). Note that this patch applies the default-phase-1-configuration to both inbound and outbound queries, which seems to be the expected behaviour.

Note that the line numbers are slightly off for the pf_key_v2.c patch because the code also contains the all-0 sockaddr fix described in user/2996, and I've removed it from the patch for clarity.
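As an added illustration (not part of the report and not from isakmpd's shipped sample files) of how the proposed General tag would sit beside the mechanisms described above: the [Peer-...] block is what is needed today for every outbound peer known in advance, while the new tag covers outbound peers that are not. The peer address is the one quoted in the report, the transform and suite names are standard isakmpd names, and the tag spelling follows the conf.c hunk.

```ini
# Constructed isakmpd.conf fragment (example only, not from the report).
[General]
Default-phase-2-suites=     QM-ESP-3DES-SHA-PFS-SUITE
# Proposed by this patch: transforms offered for outbound phase-1
# negotiations when no matching [Peer-...] or [Connection-N] block exists.
Default-phase-1-transforms= 3DES-SHA-RSA_SIG

# Existing mechanism: governs *incoming* phase-1 requests only.
[Default-phase-1-configuration]
Transforms=                 3DES-SHA-RSA_SIG

# Existing mechanism for an outbound peer known in advance; without the
# patch one such block is required for every remote host.
[Peer-199.165.219.200]
Phase=                      1
Address=                    199.165.219.200
Configuration=              Default-phase-1-configuration
```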

Index: pf_key_v2.c

RCS file: /home/mcn/OS/obsd-cvs/src/sbin/isakmpd/pf_key_v2.c,v
retrieving revision 1.117
diff -r1.117 pf_key_v2.c
3898,3903c3915,3926
<         /* XXX Default transform set should be settable. */
<         if (conf_set (af, confname, "Transforms", "3DES-SHA-RSA_SIG", 0,
0))
<           {
<             conf_end (af, 0);
<             goto fail;
<           }
---

> if (conf_get_str ("General", "Default-Phase-1-Transforms"))
> {
> if (conf_set (af, confname, "Transforms",
> conf_get_str ("General", "Default-Phase-1-Transforms"), 0,
0))
> {
> if (conf_set (af, confname, "Transforms",
"3DES-SHA-RSA_SIG", 0,
 0))
> {
> conf_end (af, 0);
> goto fail;
> }
> }
> }
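Review bot: the replacement block drops the unconditional fallback for the case where the new tag is absent: the outer `if (conf_get_str ("General", "Default-Phase-1-Transforms"))` has no else branch, so a [General] section without the tag now leaves Transforms unset on the per-connection section, whereas the removed lines always set it to "3DES-SHA-RSA_SIG". Fetch the value once into a local (`dflt = conf_get_str (...)`) and pass `dflt ? dflt : "3DES-SHA-RSA_SIG"` to a single conf_set call, which also removes the duplicated lookup and the nested retry; and pick one spelling of the tag, since this hunk uses "Default-Phase-1-Transforms" while the conf.c hunk uses "Default-phase-1-transforms".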

Index: conf.c

RCS file: /home/mcn/OS/obsd-cvs/src/sbin/isakmpd/conf.c,v
retrieving revision 1.45
diff -r1.45 conf.c
493c493,497
< conf_set (tr, "Default-phase-1-configuration", "Transforms",
---

> dflt = conf_get_trans_str (tr, "General", "Default-phase-1-transforms");
> if (dflt)
> conf_set (tr, "Default-phase-1-configuration", "Transforms", dflt, 0,
1);
> else
> conf_set (tr, "Default-phase-1-configuration", "Transforms",
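Review bot: the new General tag is not documented anywhere in the patch; isakmpd.conf(5) describes the existing General tags the report names (default-phase-1-id, default-phase-2-suites) and should gain an entry for Default-phase-1-transforms stating that it overrides the built-in "3DES-SHA-RSA_SIG" default and, as the report notes, applies to both inbound and outbound phase-1 negotiations. Only the first line of the original conf_set call is replaced in the `else` branch here, so confirm that the retained continuation still passes the same `0, 1` override/is_default arguments used in the new `dflt` call above it.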

>Release-Note:
Received on Sun Dec 1 14:04:34 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:29:38 EDT

