tech-net archive


Racoon patch for mode_cfg with rsasig authentication



Hi!

First of all thanks to christos@ for his latest NAT-T SA patches! I'm sure
my company will grant a donation to the NetBSD project, when everything is
finally up and running.

Now I was able to write a small patch for Racoon, which requests "IKE mode
config" in "rsasig" (certificates on both sides only) authentication mode,
provided "mode_cfg" was configured to "on".

Today I successfully tested it with a Lancom router, using the following
configuration:

---8<---
path include "/etc/racoon";
path certificate "/etc/racoon/certs";
path script "/etc/racoon/scripts";

remote "wpsd"
{
    remote_address 1.2.3.4;
    exchange_mode main,base;

    my_identifier asn1dn;
    certificate_type x509 "vpnclient15.crt" "vpnclient15.key";
    ca_type x509 "ca.crt";

    mode_cfg on;
    dpd_delay 20;
    nat_traversal on;
    lifetime time 8 hour;
    script "phase1-up.sh" phase1_up;
    script "phase1-down.sh" phase1_down;

    proposal {
        encryption_algorithm aes;
        hash_algorithm md5;
        authentication_method rsasig;
        dh_group 2;
    }
    proposal_check obey;
}

sainfo anonymous
{
    pfs_group 2;
    lifetime time 8 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}
---8<---


How do we handle modifications in ipsec-tools? Just commit them locally into
the repository? Or do we also send patches to the ipsec-tools sourceforge
project?

Somebody familiar with the racoon source (maybe manu@?) should check my
patches first, to make sure they are really ok.

The last four lines were not required for the Lancom, but for testing with
an "rsasig" NetBSD/racoon gateway, which didn't identify itself with an
XAUTH vendor-id in this mode (while the Lancom does).


Sorry for all the logs and questions over the last days. I learned a lot
about IPsec during this time. :)

-- 
Frank Wille
--- isakmp_cfg.c.orig	2016-03-09 14:17:12.000000000 +0100
+++ isakmp_cfg.c	2016-03-09 14:28:01.000000000 +0100
@@ -457,6 +457,7 @@
 		case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
 		case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I: 
 		case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I: 
+		case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
 			script_hook(iph1, SCRIPT_PHASE1_UP);
 			break;
 		default:
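Review bot: the new `case OAKLEY_ATTR_AUTH_METHOD_RSASIG:` joins the initiator-side XAUTH_*_I labels, but unlike those labels it is not side-specific, and the same label is added to the responder-side XAUTH_*_R switch at line 639. Confirm that each of the two functions is only reached on its own side (otherwise plain RSASIG would trigger SCRIPT_PHASE1_UP from both paths), and that the phase1_up hook is not already fired for non-XAUTH rsasig on the normal phase 1 completion path, since the script would then run twice. A one-line comment saying that plain rsasig with mode_cfg is now handled here would help the next reader.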
@@ -639,6 +640,7 @@
 		case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
 		case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R: 
 		case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: 
+		case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
 			script_hook(iph1, SCRIPT_PHASE1_UP);
 			break;
 		default:
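Review bot: same point as the initiator switch above: the responder switch now calls `script_hook(iph1, SCRIPT_PHASE1_UP)` for every plain RSASIG phase 1 that reaches this code, with no check on `iph1->rmconf->mode_cfg` like the one the isakmp.c hunk has. If this function can be entered for rsasig peers configured without mode_cfg, the script would fire from here as well as from the regular completion path; either guard the new case the same way or document why that cannot happen.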
--- isakmp_ident.c.orig	2016-03-09 12:42:03.000000000 +0100
+++ isakmp_ident.c	2016-03-09 12:46:49.000000000 +0100
@@ -172,6 +172,7 @@
 			plist = isakmp_plist_append(plist,
 			    vid_xauth, ISAKMP_NPTYPE_VID);
 
+	case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
 		if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL)
 			plog(LLV_ERROR, LOCATION, NULL,
 			     "Unity vendor ID generation failed\n");
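Review bot: the new label is placed in the middle of an existing case body, after the vid_xauth append and before the Unity vendor ID generation, so the XAUTH cases above fall through into it and RSASIG enters only the Unity part. That is presumably intended (RSASIG skips the XAUTH VID) but deserves a `/* FALLTHROUGH */` comment. More importantly, this is not conditioned on `iph1->rmconf->mode_cfg`, so every rsasig initiator exchange will now advertise the Unity vendor ID, including peers configured without mode_cfg; gating it the way the isakmp.c hunk does would keep wire behaviour unchanged for existing rsasig setups.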
--- isakmp.c.orig	2016-03-08 12:33:47.000000000 +0100
+++ isakmp.c	2016-03-09 15:49:41.000000000 +0100
@@ -890,6 +890,10 @@
 				/* XXX Don't process INITIAL_CONTACT */
 				iph1->rmconf->ini_contact = 0;
 				break;
+			case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
+				if (iph1->rmconf->mode_cfg)
+					error = isakmp_cfg_getconfig(iph1);
+				break;
 			default:
 				break;
 			}
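Review bot: `error = isakmp_cfg_getconfig(iph1);` stores the result, but nothing in the visible context checks it, and the function ends with `return 0;` in the next hunk, so a failed mode-config request would be treated as success. Return or at least log the error here. The XAUTH cases above also carry the "Don't process INITIAL_CONTACT" handling; a comment should state whether leaving that out of the RSASIG case is deliberate.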
@@ -945,6 +949,10 @@
 				break;
 			}
 		}
+		if ((iph1->rmconf->mode_cfg) &&
+		    !(iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH)) {
+			error = isakmp_cfg_getconfig(iph1);
+		}
 	}
 
 	return 0;
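Review bot: this second call site can invoke `isakmp_cfg_getconfig(iph1)` in the same phase 1 as the RSASIG case added at line 890 whenever mode_cfg is on and the peer sent no XAUTH vendor ID, unless that switch sits in a block this code cannot share; sending two config requests for one SA should be ruled out by a single guard (for example, skip this call when the switch path already issued the request). As above, `error` is assigned and then discarded by the unconditional `return 0;`.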

