search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
added vpnc.ps target (enscript ... vpnc.c)
[vpnc.git] / vpnc.c
blob98ab53e0d53b4eb1306a1a18cc008c31affcdd2b
1 /* IPSec VPN client compatible with Cisco equipment.
2 Copyright (C) 2002, 2003 Geoffrey Keating and Maurice Massar
3
4 This program is free software; you can redistribute it and/or modify
5 it under the terms of the GNU General Public License as published by
6 the Free Software Foundation; either version 2 of the License, or
7 (at your option) any later version.
8
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
13
14 You should have received a copy of the GNU General Public License
15 along with this program; if not, write to the Free Software
16 Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17 */
18
19 #define _GNU_SOURCE
20 #include <assert.h>
21 #include <unistd.h>
22 #include <sys/fcntl.h>
23 #include <stdio.h>
24 #include <errno.h>
25 #include <string.h>
26 #include <time.h>
27 #include <stdlib.h>
28 #include <sys/socket.h>
29 #include <netinet/in.h>
30 #include <netdb.h>
31 #include <arpa/inet.h>
32 #include <poll.h>
33 #include <net/if.h>
34 #include <sys/ioctl.h>
35 #include <sys/utsname.h>
36
37 #include <gcrypt.h>
38
39 #include "sysdep.h"
40 #include "config.h"
41 #include "isakmp-pkt.h"
42 #include "math_group.h"
43 #include "dh.h"
44 #include "vpnc.h"
45
46 struct sa_block {
47 uint8_t i_cookie[ISAKMP_COOKIE_LENGTH];
48 uint8_t r_cookie[ISAKMP_COOKIE_LENGTH];
49 uint8_t *key;
50 int keylen;
51 uint8_t *initial_iv;
52 uint8_t *skeyid_a;
53 uint8_t *skeyid_d;
54 int cry_algo, ivlen;
55 int md_algo, md_len;
56 uint8_t current_iv_msgid[4];
57 uint8_t *current_iv;
58 uint8_t our_address[4], our_netmask[4];
59 uint32_t tous_esp_spi, tothem_esp_spi;
60 uint8_t *kill_packet;
61 size_t kill_packet_size;
62 int do_pfs;
63 };
64
65 int tun_fd = -1;
66 char tun_name[IFNAMSIZ];
67
68 static int sockfd = -1;
69 static struct sockaddr *dest_addr;
70 static int timeout = 5000; /* 5 seconds */
71 static uint8_t *resend_hash = NULL;
72
73 static uint8_t r_packet[2048];
74 static ssize_t r_length;
75
76 extern void vpnc_doit(unsigned long tous_spi,
77 const unsigned char *tous_key,
78 struct sockaddr_in *tous_dest,
79 unsigned long tothem_spi,
80 const unsigned char *tothem_key,
81 struct sockaddr_in *tothem_dest,
82 int tun_fd, int md_algo, int cry_algo,
83 uint8_t * kill_packet_p, size_t kill_packet_size_p,
84 struct sockaddr *kill_dest_p, const char *pidfile);
85
86 enum supp_algo_key {
87 SUPP_ALGO_NAME,
88 SUPP_ALGO_MY_ID,
89 SUPP_ALGO_IKE_SA,
90 SUPP_ALGO_IPSEC_SA
91 };
92
93 enum algo_group {
94 SUPP_ALGO_DH_GROUP,
95 SUPP_ALGO_HASH,
96 SUPP_ALGO_CRYPT
97 };
98
99 supported_algo_t supp_dh_group[] = {
100 {"nopfs", 0, 0, 0, 0},
101 {"dh1", OAKLEY_GRP_1, IKE_GROUP_MODP_768, IKE_GROUP_MODP_768, 0},
102 {"dh2", OAKLEY_GRP_2, IKE_GROUP_MODP_1024, IKE_GROUP_MODP_1024, 0},
103 {"dh5", OAKLEY_GRP_5, IKE_GROUP_MODP_1536, IKE_GROUP_MODP_1536, 0},
104 /*{ "dh7", OAKLEY_GRP_7, IKE_GROUP_EC2N_163K, IKE_GROUP_EC2N_163K, 0 } note: code missing */
105 {NULL, 0, 0, 0, 0}
106 };
107
108 supported_algo_t supp_hash[] = {
109 {"md5", GCRY_MD_MD5, IKE_HASH_MD5, IPSEC_AUTH_HMAC_MD5, 0},
110 {"sha1", GCRY_MD_SHA1, IKE_HASH_SHA, IPSEC_AUTH_HMAC_SHA, 0},
111 {NULL, 0, 0, 0, 0}
112 };
113
114 supported_algo_t supp_crypt[] = {
115 /*note: working, but not recommended */
116 {"des", GCRY_CIPHER_DES, IKE_ENC_DES_CBC, ISAKMP_IPSEC_ESP_DES, 0},
117 {"3des", GCRY_CIPHER_3DES, IKE_ENC_3DES_CBC, ISAKMP_IPSEC_ESP_3DES, 0},
118 {"aes128", GCRY_CIPHER_AES128, IKE_ENC_AES_CBC, ISAKMP_IPSEC_ESP_AES, 128},
119 {"aes192", GCRY_CIPHER_AES192, IKE_ENC_AES_CBC, ISAKMP_IPSEC_ESP_AES, 192},
120 {"aes256", GCRY_CIPHER_AES256, IKE_ENC_AES_CBC, ISAKMP_IPSEC_ESP_AES, 256},
121 {NULL, 0, 0, 0, 0}
122 };
123
124 const supported_algo_t *get_algo(enum algo_group what, enum supp_algo_key key, int id,
125 const char *name, int keylen)
126 {
127 supported_algo_t *sa = NULL;
128 int i = 0, val = 0;
129 const char *valname = NULL;
130
131 assert(what <= SUPP_ALGO_CRYPT);
132 assert(key <= SUPP_ALGO_IPSEC_SA);
133
134 switch (what) {
135 case SUPP_ALGO_DH_GROUP:
136 sa = supp_dh_group;
137 break;
138 case SUPP_ALGO_HASH:
139 sa = supp_hash;
140 break;
141 case SUPP_ALGO_CRYPT:
142 sa = supp_crypt;
143 break;
144 }
145
146 for (i = 0; sa[i].name != NULL; i++) {
147 switch (key) {
148 case SUPP_ALGO_NAME:
149 valname = sa[i].name;
150 break;
151 case SUPP_ALGO_MY_ID:
152 val = sa[i].my_id;
153 break;
154 case SUPP_ALGO_IKE_SA:
155 val = sa[i].ike_sa_id;
156 break;
157 case SUPP_ALGO_IPSEC_SA:
158 val = sa[i].ipsec_sa_id;
159 break;
160 }
161 if ((key == SUPP_ALGO_NAME) ? !strcasecmp(name, valname) : (val == id))
162 if (keylen == sa[i].keylen)
163 return sa + i;
164 }
165
166 return NULL;
167 }
168
169 const supported_algo_t *get_dh_group_ike(void)
170 {
171 return get_algo(SUPP_ALGO_DH_GROUP, SUPP_ALGO_NAME, 0, config[CONFIG_IKE_DH], 0);
172 }
173 const supported_algo_t *get_dh_group_ipsec(int server_setting)
174 {
175 const char *pfs_setting = config[CONFIG_IPSEC_PFS];
176
177 if (!strcmp(config[CONFIG_IPSEC_PFS], "server")) {
178 /* treat server_setting == -1 (unknown) as 0 */
179 pfs_setting = (server_setting == 1) ? "dh2" : "nopfs";
180 }
181
182 return get_algo(SUPP_ALGO_DH_GROUP, SUPP_ALGO_NAME, 0, pfs_setting, 0);
183 }
184
185 static __inline__ int min(int a, int b)
186 {
187 return (a < b) ? a : b;
188 }
189
190 static void addenv(const void *name, const char *value)
191 {
192 char *strbuf = NULL, *oldval;
193
194 oldval = getenv(name);
195 if (oldval != NULL) {
196 strbuf = xallocc(strlen(oldval) + 1 + strlen(value) + 1);
197 strcat(strbuf, oldval);
198 strcat(strbuf, " ");
199 strcat(strbuf, value);
200 }
201
202 setenv(name, strbuf ? strbuf : value, 1);
203
204 if (strbuf)
205 free(strbuf);
206 }
207
208 static void addenv_ipv4(const void *name, uint8_t * data)
209 {
210 addenv(name, inet_ntoa(*((struct in_addr *)data)));
211 }
212
213 static int make_socket(uint16_t port)
214 {
215 int sock;
216 struct sockaddr_in name;
217
218 /* Create the socket. */
219 sock = socket(PF_INET, SOCK_DGRAM, 0);
220 if (sock < 0)
221 error(1, errno, "making socket");
222
223 /* Give the socket a name. */
224 name.sin_family = AF_INET;
225 name.sin_port = htons(port);
226 name.sin_addr.s_addr = htonl(INADDR_ANY);
227 if (bind(sock, (struct sockaddr *)&name, sizeof(name)) < 0)
228 error(1, errno, "binding to port %d", port);
229
230 return sock;
231 }
232
233 static struct sockaddr *init_sockaddr(const char *hostname, uint16_t port)
234 {
235 struct hostent *hostinfo;
236 struct sockaddr_in *result;
237
238 result = malloc(sizeof(struct sockaddr_in));
239 if (result == NULL)
240 error(1, errno, "out of memory");
241
242 result->sin_family = AF_INET;
243 result->sin_port = htons(port);
244 if (inet_aton(hostname, &result->sin_addr) == 0) {
245 hostinfo = gethostbyname(hostname);
246 if (hostinfo == NULL)
247 error(1, 0, "unknown host `%s'\n", hostname);
248 result->sin_addr = *(struct in_addr *)hostinfo->h_addr;
249 }
250 return (struct sockaddr *)result;
251 }
252
253 static void setup_tunnel(void)
254 {
255 if (config[CONFIG_IF_NAME])
256 memcpy(tun_name, config[CONFIG_IF_NAME], strlen(config[CONFIG_IF_NAME]));
257
258 tun_fd = tun_open(tun_name);
259 DEBUG(2, printf("using interface %s\n", tun_name));
260
261 if (tun_fd == -1)
262 error(1, errno, "can't initialise tunnel interface");
263 }
264
265 void config_tunnel(const char *dev)
266 {
267 setenv("TUNDEV", dev, 1);
268 setenv("VPNGATEWAY", inet_ntoa(((struct sockaddr_in *)dest_addr)->sin_addr), 1);
269
270 system(config[CONFIG_CONFIG_SCRIPT]);
271 }
272
273 static int recv_ignore_dup(void *recvbuf, size_t recvbufsize, uint8_t reply_extype)
274 {
275 uint8_t *resend_check_hash;
276 int recvsize, hash_len;
277 struct sockaddr_in recvaddr;
278 socklen_t recvaddr_size = sizeof(recvaddr);
279 char ntop_buf[32];
280
281 recvsize = recvfrom(sockfd, recvbuf, recvbufsize, 0,
282 (struct sockaddr *)&recvaddr, &recvaddr_size);
283 if (recvsize == -1)
284 error(1, errno, "receiving packet");
285 if (recvsize > 0) {
286 if (recvaddr_size != sizeof(recvaddr)
287 || recvaddr.sin_family != dest_addr->sa_family
288 || recvaddr.sin_port != ((struct sockaddr_in *)dest_addr)->sin_port
289 || memcmp(&recvaddr.sin_addr,
290 &((struct sockaddr_in *)dest_addr)->sin_addr,
291 sizeof(struct in_addr)) != 0) {
292 error(0, 0, "got response from unknown host %s:%d",
293 inet_ntop(recvaddr.sin_family, &recvaddr.sin_addr,
294 ntop_buf, sizeof(ntop_buf)), ntohs(recvaddr.sin_port));
295 return -1;
296 }
297
298 hex_dump("exchange_type", ((uint8_t *) recvbuf) + ISAKMP_EXCHANGE_TYPE_O, UINT8);
299 if (reply_extype && (((uint8_t *) recvbuf)[ISAKMP_EXCHANGE_TYPE_O] != reply_extype)) {
300 DEBUG(2, printf("want extype %d, got %d, ignoring\n", reply_extype,
301 ((uint8_t *) recvbuf)[ISAKMP_EXCHANGE_TYPE_O]));
302 return -1;
303 }
304
305 hash_len = gcry_md_get_algo_dlen(GCRY_MD_SHA1);
306 resend_check_hash = malloc(hash_len);
307 gcry_md_hash_buffer(GCRY_MD_SHA1, resend_check_hash, recvbuf, recvsize);
308 if (resend_hash && memcmp(resend_hash, resend_check_hash, hash_len) == 0) {
309 free(resend_check_hash);
310 return -1;
311 }
312 if (!resend_hash) {
313 resend_hash = resend_check_hash;
314 } else {
315 memcpy(resend_hash, resend_check_hash, hash_len);
316 free(resend_check_hash);
317 }
318 }
319 return recvsize;
320 }
321
322 /* Send TOSEND of size SENDSIZE to the socket. Then wait for a new packet,
323 resending TOSEND on timeout, and ignoring duplicate packets; the
324 new packet is put in RECVBUF of size RECVBUFSIZE and the actual size
325 of the new packet is returned. */
326
327 static ssize_t
328 sendrecv(void *recvbuf, size_t recvbufsize, void *tosend, size_t sendsize, uint8_t reply_extype)
329 {
330 struct pollfd pfd;
331 int tries = 0;
332 int recvsize;
333 time_t start = time(NULL);
334 time_t end;
335
336 pfd.fd = sockfd;
337 pfd.events = POLLIN;
338 tries = 0;
339
340 for (;;) {
341 int pollresult;
342
343 if (tosend != NULL)
344 if (sendto(sockfd, tosend, sendsize, 0,
345 dest_addr, sizeof(struct sockaddr_in)) != (int)sendsize)
346 error(1, errno, "can't send packet");
347 do {
348 pollresult = poll(&pfd, 1, timeout << tries);
349 } while (pollresult == -1 && errno == EINTR);
350 if (pollresult == -1)
351 error(1, errno, "can't poll socket");
352 if (pollresult != 0) {
353 recvsize = recv_ignore_dup(recvbuf, recvbufsize, reply_extype);
354 end = time(NULL);
355 if (recvsize != -1)
356 break;
357 continue;
358 }
359 if (tries > 5)
360 error(1, 0, "no response from target");
361 tries++;
362 }
363
364 /* Wait at least 2s for a response or 4 times the time it took
365 * last time. */
366 if (start == end)
367 timeout = 2000;
368 else
369 timeout = 4000 * (end - start);
370
371 return recvsize;
372 }
373
374 void isakmp_crypt(struct sa_block *s, uint8_t * block, size_t blocklen, int enc)
375 {
376 unsigned char *new_iv;
377 gcry_cipher_hd_t cry_ctx;
378
379 if (blocklen < ISAKMP_PAYLOAD_O || ((blocklen - ISAKMP_PAYLOAD_O) % s->ivlen != 0))
380 abort();
381
382 if ((memcmp(block + ISAKMP_MESSAGE_ID_O, s->current_iv_msgid, 4) != 0) && (enc >= 0)) {
383 unsigned char *iv;
384 gcry_md_hd_t md_ctx;
385
386 gcry_md_open(&md_ctx, s->md_algo, 0);
387 gcry_md_write(md_ctx, s->initial_iv, s->ivlen);
388 gcry_md_write(md_ctx, block + ISAKMP_MESSAGE_ID_O, 4);
389 gcry_md_final(md_ctx);
390 iv = gcry_md_read(md_ctx, 0);
391 memcpy(s->current_iv, iv, s->ivlen);
392 memcpy(s->current_iv_msgid, block + ISAKMP_MESSAGE_ID_O, 4);
393 gcry_md_close(md_ctx);
394 }
395
396 new_iv = xallocc(s->ivlen);
397 gcry_cipher_open(&cry_ctx, s->cry_algo, GCRY_CIPHER_MODE_CBC, 0);
398 gcry_cipher_setkey(cry_ctx, s->key, s->keylen);
399 gcry_cipher_setiv(cry_ctx, s->current_iv, s->ivlen);
400 if (!enc) {
401 memcpy(new_iv, block + blocklen - s->ivlen, s->ivlen);
402 gcry_cipher_decrypt(cry_ctx, block + ISAKMP_PAYLOAD_O, blocklen - ISAKMP_PAYLOAD_O,
403 NULL, 0);
404 memcpy(s->current_iv, new_iv, s->ivlen);
405 } else { /* enc == -1 (no longer used) || enc == 1 */
406 gcry_cipher_encrypt(cry_ctx, block + ISAKMP_PAYLOAD_O, blocklen - ISAKMP_PAYLOAD_O,
407 NULL, 0);
408 if (enc > 0)
409 memcpy(s->current_iv, block + blocklen - s->ivlen, s->ivlen);
410 }
411 gcry_cipher_close(cry_ctx);
412
413 }
414
415 static uint16_t unpack_verify_phase2(struct sa_block *s,
416 uint8_t * r_packet,
417 size_t r_length, struct isakmp_packet **r_p, const uint8_t * nonce, size_t nonce_size)
418 {
419 struct isakmp_packet *r;
420 uint16_t reject = 0;
421
422 *r_p = NULL;
423
424 if (r_length < ISAKMP_PAYLOAD_O || ((r_length - ISAKMP_PAYLOAD_O) % s->ivlen != 0))
425 return ISAKMP_N_UNEQUAL_PAYLOAD_LENGTHS;
426
427 isakmp_crypt(s, r_packet, r_length, 0);
428
429 {
430 r = parse_isakmp_packet(r_packet, r_length, &reject);
431 if (reject != 0)
432 return reject;
433 }
434
435 /* Verify the basic stuff. */
436 if (memcmp(r->i_cookie, s->i_cookie, ISAKMP_COOKIE_LENGTH) != 0
437 || memcmp(r->r_cookie, s->r_cookie, ISAKMP_COOKIE_LENGTH) != 0)
438 return ISAKMP_N_INVALID_COOKIE;
439 if (r->flags != ISAKMP_FLAG_E)
440 return ISAKMP_N_INVALID_FLAGS;
441
442 {
443 size_t sz, spos;
444 gcry_md_hd_t hm;
445 unsigned char *expected_hash;
446 struct isakmp_payload *h = r->payload;
447
448 if (h == NULL || h->type != ISAKMP_PAYLOAD_HASH || h->u.hash.length != s->md_len)
449 return ISAKMP_N_INVALID_HASH_INFORMATION;
450
451 spos = (ISAKMP_PAYLOAD_O + (r_packet[ISAKMP_PAYLOAD_O + 2] << 8)
452 + r_packet[ISAKMP_PAYLOAD_O + 3]);
453
454 /* Compute the real length based on the payload lengths. */
455 for (sz = spos; r_packet[sz] != 0; sz += r_packet[sz + 2] << 8 | r_packet[sz + 3]) ;
456 sz += r_packet[sz + 2] << 8 | r_packet[sz + 3];
457
458 gcry_md_open(&hm, s->md_algo, GCRY_MD_FLAG_HMAC);
459 gcry_md_setkey(hm, s->skeyid_a, s->md_len);
460 gcry_md_write(hm, r_packet + ISAKMP_MESSAGE_ID_O, 4);
461 if (nonce)
462 gcry_md_write(hm, nonce, nonce_size);
463 gcry_md_write(hm, r_packet + spos, sz - spos);
464 gcry_md_final(hm);
465 expected_hash = gcry_md_read(hm, 0);
466
467 if (opt_debug >= 3) {
468 printf("hashlen: %d\n", s->md_len);
469 printf("u.hash.length: %d\n", h->u.hash.length);
470 hex_dump("expected_hash", expected_hash, s->md_len);
471 hex_dump("h->u.hash.data", h->u.hash.data, s->md_len);
472 }
473
474 reject = 0;
475 if (memcmp(h->u.hash.data, expected_hash, s->md_len) != 0)
476 reject = ISAKMP_N_AUTHENTICATION_FAILED;
477 gcry_md_close(hm);
478 #if 0
479 if (reject != 0)
480 return reject;
481 #endif
482 }
483 *r_p = r;
484 return 0;
485 }
486
487 static void
488 phase2_authpacket(struct sa_block *s, struct isakmp_payload *pl,
489 uint8_t exchange_type, uint32_t msgid,
490 uint8_t ** p_flat, size_t * p_size,
491 uint8_t * nonce_i, int ni_len, uint8_t * nonce_r, int nr_len)
492 {
493 struct isakmp_packet *p;
494 uint8_t *pl_flat;
495 size_t pl_size;
496 gcry_md_hd_t hm;
497 uint8_t msgid_sent[4];
498
499 /* Build up the packet. */
500 p = new_isakmp_packet();
501 memcpy(p->i_cookie, s->i_cookie, ISAKMP_COOKIE_LENGTH);
502 memcpy(p->r_cookie, s->r_cookie, ISAKMP_COOKIE_LENGTH);
503 p->flags = ISAKMP_FLAG_E;
504 p->isakmp_version = ISAKMP_VERSION;
505 p->exchange_type = exchange_type;
506 p->message_id = msgid;
507 p->payload = new_isakmp_payload(ISAKMP_PAYLOAD_HASH);
508 p->payload->next = pl;
509 p->payload->u.hash.length = s->md_len;
510 p->payload->u.hash.data = xallocc(s->md_len);
511
512 /* Set the MAC. */
513 gcry_md_open(&hm, s->md_algo, GCRY_MD_FLAG_HMAC);
514 gcry_md_setkey(hm, s->skeyid_a, s->md_len);
515
516 if (pl == NULL) {
517 DEBUG(3, printf("authing NULL package!\n"));
518 gcry_md_write(hm, "" /* \0 */ , 1);
519 }
520
521 msgid_sent[0] = msgid >> 24;
522 msgid_sent[1] = msgid >> 16;
523 msgid_sent[2] = msgid >> 8;
524 msgid_sent[3] = msgid;
525 gcry_md_write(hm, msgid_sent, sizeof(msgid_sent));
526
527 if (nonce_i != NULL)
528 gcry_md_write(hm, nonce_i, ni_len);
529
530 if (nonce_r != NULL)
531 gcry_md_write(hm, nonce_r, nr_len);
532
533 if (pl != NULL) {
534 flatten_isakmp_payload(pl, &pl_flat, &pl_size);
535 gcry_md_write(hm, pl_flat, pl_size);
536 memset(pl_flat, 0, pl_size);
537 free(pl_flat);
538 }
539
540 gcry_md_final(hm);
541 memcpy(p->payload->u.hash.data, gcry_md_read(hm, 0), s->md_len);
542 gcry_md_close(hm);
543
544 flatten_isakmp_packet(p, p_flat, p_size, s->ivlen);
545 free_isakmp_packet(p);
546 }
547
548 static void sendrecv_phase2(struct sa_block *s, struct isakmp_payload *pl,
549 uint8_t exchange_type, uint32_t msgid, int sendonly, uint8_t reply_extype,
550 uint8_t ** save_p_flat, size_t * save_p_size,
551 uint8_t * nonce_i, int ni_len, uint8_t * nonce_r, int nr_len)
552 {
553 uint8_t *p_flat;
554 size_t p_size;
555
556 if ((save_p_flat == NULL) || (*save_p_flat == NULL)) {
557 phase2_authpacket(s, pl, exchange_type, msgid, &p_flat, &p_size,
558 nonce_i, ni_len, nonce_r, nr_len);
559 isakmp_crypt(s, p_flat, p_size, 1);
560 } else {
561 p_flat = *save_p_flat;
562 p_size = *save_p_size;
563 }
564
565 if (!sendonly)
566 r_length = sendrecv(r_packet, sizeof(r_packet), p_flat, p_size, reply_extype);
567 else {
568 if (sendto(sockfd, p_flat, p_size, 0,
569 dest_addr, sizeof(struct sockaddr_in)) != (int)p_size
570 && sendonly == 1)
571 error(1, errno, "can't send packet");
572 }
573 if (save_p_flat == NULL) {
574 free(p_flat);
575 } else {
576 *save_p_flat = p_flat;
577 *save_p_size = p_size;
578 }
579 }
580
581 static void phase2_fatal(struct sa_block *s, const char *msg, uint16_t id)
582 {
583 struct isakmp_payload *pl;
584 uint32_t msgid;
585
586 DEBUG(1, printf("\n\n---!!!!!!!!! entering phase2_fatal !!!!!!!!!---\n\n\n"));
587 gcry_randomize((uint8_t *) & msgid, sizeof(msgid), GCRY_WEAK_RANDOM);
588 pl = new_isakmp_payload(ISAKMP_PAYLOAD_N);
589 pl->u.n.doi = ISAKMP_DOI_IPSEC;
590 pl->u.n.protocol = ISAKMP_IPSEC_PROTO_ISAKMP;
591 pl->u.n.type = id;
592 sendrecv_phase2(s, pl, ISAKMP_EXCHANGE_INFORMATIONAL, msgid, 2, 0, 0, 0, 0, 0, 0, 0);
593
594 gcry_randomize((uint8_t *) & msgid, sizeof(msgid), GCRY_WEAK_RANDOM);
595 pl = new_isakmp_payload(ISAKMP_PAYLOAD_D);
596 pl->u.d.doi = ISAKMP_DOI_IPSEC;
597 pl->u.d.protocol = ISAKMP_IPSEC_PROTO_ISAKMP;
598 pl->u.d.spi_length = 2 * ISAKMP_COOKIE_LENGTH;
599 pl->u.d.num_spi = 1;
600 pl->u.d.spi = xallocc(1 * sizeof(uint8_t *));
601 pl->u.d.spi[0] = xallocc(2 * ISAKMP_COOKIE_LENGTH);
602 memcpy(pl->u.d.spi[0] + ISAKMP_COOKIE_LENGTH * 0, s->i_cookie, ISAKMP_COOKIE_LENGTH);
603 memcpy(pl->u.d.spi[0] + ISAKMP_COOKIE_LENGTH * 1, s->r_cookie, ISAKMP_COOKIE_LENGTH);
604 sendrecv_phase2(s, pl, ISAKMP_EXCHANGE_INFORMATIONAL, msgid, 2, 0, 0, 0, 0, 0, 0, 0);
605
606 error(1, 0, msg, isakmp_notify_to_error(id));
607 }
608
609 static uint8_t *gen_keymat(struct sa_block *s,
610 uint8_t protocol, uint32_t spi,
611 int md_algo, int crypt_algo,
612 const uint8_t * dh_shared, size_t dh_size,
613 const uint8_t * ni_data, size_t ni_size, const uint8_t * nr_data, size_t nr_size)
614 {
615 gcry_md_hd_t hm;
616 uint8_t *block;
617 int i;
618 int blksz;
619 int cnt;
620
621 int md_len = gcry_md_get_algo_dlen(md_algo);
622 int cry_len;
623
624 gcry_cipher_algo_info(crypt_algo, GCRYCTL_GET_KEYLEN, NULL, &cry_len);
625 blksz = md_len + cry_len;
626 cnt = (blksz + s->md_len - 1) / s->md_len;
627 block = xallocc(cnt * s->md_len);
628 DEBUG(3, printf("generating %d bytes keymat (cnt=%d)\n", blksz, cnt));
629 if (cnt < 1)
630 abort();
631
632 for (i = 0; i < cnt; i++) {
633 gcry_md_open(&hm, s->md_algo, GCRY_MD_FLAG_HMAC);
634 gcry_md_setkey(hm, s->skeyid_d, s->md_len);
635 if (i != 0)
636 gcry_md_write(hm, block + (i - 1) * s->md_len, s->md_len);
637 if (dh_shared != NULL)
638 gcry_md_write(hm, dh_shared, dh_size);
639 gcry_md_write(hm, &protocol, 1);
640 gcry_md_write(hm, (uint8_t *) & spi, sizeof(spi));
641 gcry_md_write(hm, ni_data, ni_size);
642 gcry_md_write(hm, nr_data, nr_size);
643 gcry_md_final(hm);
644 memcpy(block + i * s->md_len, gcry_md_read(hm, 0), s->md_len);
645 gcry_md_close(hm);
646 }
647 return block;
648 }
649
650 /* * */
651
652 struct isakmp_attribute *make_transform_ike(int dh_group, int crypt, int hash, int keylen)
653 {
654 struct isakmp_attribute *a = NULL;
655
656 a = new_isakmp_attribute(IKE_ATTRIB_LIFE_DURATION, a);
657 a->af = isakmp_attr_lots;
658 a->u.lots.length = 4;
659 a->u.lots.data = xallocc(a->u.lots.length);
660 *((uint32_t *) a->u.lots.data) = htonl(2147483);
661 a = new_isakmp_attribute_16(IKE_ATTRIB_LIFE_TYPE, IKE_LIFE_TYPE_SECONDS, a);
662 a = new_isakmp_attribute_16(IKE_ATTRIB_GROUP_DESC, dh_group, a);
663 a = new_isakmp_attribute_16(IKE_ATTRIB_AUTH_METHOD, XAUTH_AUTH_XAUTHInitPreShared, a);
664 a = new_isakmp_attribute_16(IKE_ATTRIB_HASH, hash, a);
665 a = new_isakmp_attribute_16(IKE_ATTRIB_ENC, crypt, a);
666 if (keylen != 0)
667 a = new_isakmp_attribute_16(IKE_ATTRIB_KEY_LENGTH, keylen, a);
668 return a;
669 }
670
671 struct isakmp_payload *make_our_sa_ike(void)
672 {
673 struct isakmp_payload *r = new_isakmp_payload(ISAKMP_PAYLOAD_SA);
674 struct isakmp_payload *t = NULL, *tn;
675 struct isakmp_attribute *a;
676 int dh_grp = get_dh_group_ike()->ike_sa_id;
677 unsigned int crypt, hash, keylen;
678 int i;
679
680 r->u.sa.doi = ISAKMP_DOI_IPSEC;
681 r->u.sa.situation = ISAKMP_IPSEC_SIT_IDENTITY_ONLY;
682 r->u.sa.proposals = new_isakmp_payload(ISAKMP_PAYLOAD_P);
683 r->u.sa.proposals->u.p.prot_id = ISAKMP_IPSEC_PROTO_ISAKMP;
684 for (crypt = 0; supp_crypt[crypt].name != NULL; crypt++) {
685 if ((supp_crypt[crypt].my_id == GCRY_CIPHER_DES) && (opt_1des == 0))
686 continue;
687 keylen = supp_crypt[crypt].keylen;
688 for (hash = 0; supp_hash[hash].name != NULL; hash++) {
689 tn = t;
690 t = new_isakmp_payload(ISAKMP_PAYLOAD_T);
691 t->u.t.id = ISAKMP_IPSEC_KEY_IKE;
692 a = make_transform_ike(dh_grp, supp_crypt[crypt].ike_sa_id,
693 supp_hash[hash].ike_sa_id, keylen);
694 t->u.t.attributes = a;
695 t->next = tn;
696 }
697 }
698 for (i = 0, tn = t; tn; tn = tn->next)
699 tn->u.t.number = i++;
700 r->u.sa.proposals->u.p.transforms = t;
701 return r;
702 }
703
704 void do_phase_1(const char *key_id, const char *shared_key, struct sa_block *d)
705 {
706 unsigned char i_nonce[20];
707 struct group *dh_grp;
708 unsigned char *dh_public;
709 unsigned char *returned_hash;
710 static const uint8_t xauth_vid[] = XAUTH_VENDOR_ID;
711 static const uint8_t unity_vid[] = UNITY_VENDOR_ID;
712 static const uint8_t unknown_vid[] = UNKNOWN_VENDOR_ID;
713 #if 0
714 static const uint8_t dpd_vid[] = UNITY_VENDOR_ID;
715 static const uint8_t my_vid[] = {
716 0x35, 0x53, 0x07, 0x6c, 0x4f, 0x65, 0x12, 0x68, 0x02, 0x82, 0xf2, 0x15,
717 0x8a, 0xa8, 0xa0, 0x9e
718 };
719 #endif
720
721 struct isakmp_packet *p1;
722
723 DEBUG(2, printf("S4.1\n"));
724 gcry_randomize(d->i_cookie, ISAKMP_COOKIE_LENGTH, GCRY_STRONG_RANDOM);
725 d->do_pfs = -1;
726 if (d->i_cookie[0] == 0)
727 d->i_cookie[0] = 1;
728 hex_dump("i_cookie", d->i_cookie, ISAKMP_COOKIE_LENGTH);
729 gcry_randomize(i_nonce, sizeof(i_nonce), GCRY_STRONG_RANDOM);
730 hex_dump("i_nonce", i_nonce, sizeof(i_nonce));
731 DEBUG(2, printf("S4.2\n"));
732 /* Set up the Diffie-Hellman stuff. */
733 {
734 dh_grp = group_get(get_dh_group_ike()->my_id);
735 dh_public = xallocc(dh_getlen(dh_grp));
736 dh_create_exchange(dh_grp, dh_public);
737 hex_dump("dh_public", dh_public, dh_getlen(dh_grp));
738 }
739
740 DEBUG(2, printf("S4.3\n"));
741 /* Create the first packet. */
742 {
743 struct isakmp_payload *l;
744 uint8_t *pkt;
745 size_t pkt_len;
746
747 p1 = new_isakmp_packet();
748 memcpy(p1->i_cookie, d->i_cookie, ISAKMP_COOKIE_LENGTH);
749 p1->isakmp_version = ISAKMP_VERSION;
750 p1->exchange_type = ISAKMP_EXCHANGE_AGGRESSIVE;
751 p1->payload = l = make_our_sa_ike();
752 l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_KE, dh_public, dh_getlen(dh_grp));
753 l->next->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_NONCE,
754 i_nonce, sizeof(i_nonce));
755 l = l->next->next;
756 l->next = new_isakmp_payload(ISAKMP_PAYLOAD_ID);
757 l = l->next;
758 l->u.id.type = ISAKMP_IPSEC_ID_KEY_ID;
759 l->u.id.protocol = IPPROTO_UDP;
760 l->u.id.port = 500; /*TODO: get local port */
761 l->u.id.length = strlen(key_id);
762 l->u.id.data = xallocc(l->u.id.length);
763 memcpy(l->u.id.data, key_id, strlen(key_id));
764 l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID, xauth_vid, sizeof(xauth_vid));
765 l->next->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID,
766 unity_vid, sizeof(unity_vid));
767 #if 0
768 l->next->next->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID,
769 dpd_vid, sizeof(dpd_vid));
770 #endif
771 flatten_isakmp_packet(p1, &pkt, &pkt_len, 0);
772
773 /* Now, send that packet and receive a new one. */
774 r_length = sendrecv(r_packet, sizeof(r_packet), pkt, pkt_len, 0);
775 free(pkt);
776 }
777 DEBUG(2, printf("S4.4\n"));
778 /* Decode the recieved packet. */
779 {
780 struct isakmp_packet *r;
781 uint16_t reject;
782 struct isakmp_payload *rp;
783 struct isakmp_payload *nonce = NULL;
784 struct isakmp_payload *ke = NULL;
785 struct isakmp_payload *hash = NULL;
786 struct isakmp_payload *idp = NULL;
787 int seen_xauth_vid = 0;
788 unsigned char *skeyid;
789 gcry_md_hd_t skeyid_ctx;
790
791 reject = 0;
792 r = parse_isakmp_packet(r_packet, r_length, &reject);
793
794 /* Verify the correctness of the recieved packet. */
795 if (reject == 0 && memcmp(r->i_cookie, d->i_cookie, ISAKMP_COOKIE_LENGTH) != 0)
796 reject = ISAKMP_N_INVALID_COOKIE;
797 if (reject == 0)
798 memcpy(d->r_cookie, r->r_cookie, ISAKMP_COOKIE_LENGTH);
799 if (reject == 0 && r->exchange_type != ISAKMP_EXCHANGE_AGGRESSIVE)
800 reject = ISAKMP_N_INVALID_EXCHANGE_TYPE;
801 if (reject == 0 && r->flags != 0)
802 reject = ISAKMP_N_INVALID_FLAGS;
803 if (reject == 0 && r->message_id != 0)
804 reject = ISAKMP_N_INVALID_MESSAGE_ID;
805 if (reject != 0)
806 error(1, 0, "response was invalid [1]: %s", isakmp_notify_to_error(reject));
807 for (rp = r->payload; rp && reject == 0; rp = rp->next)
808 switch (rp->type) {
809 case ISAKMP_PAYLOAD_SA:
810 if (reject == 0 && rp->u.sa.doi != ISAKMP_DOI_IPSEC)
811 reject = ISAKMP_N_DOI_NOT_SUPPORTED;
812 if (reject == 0 &&
813 rp->u.sa.situation != ISAKMP_IPSEC_SIT_IDENTITY_ONLY)
814 reject = ISAKMP_N_SITUATION_NOT_SUPPORTED;
815 if (reject == 0 &&
816 (rp->u.sa.proposals == NULL
817 || rp->u.sa.proposals->next != NULL))
818 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
819 if (reject == 0 &&
820 rp->u.sa.proposals->u.p.prot_id !=
821 ISAKMP_IPSEC_PROTO_ISAKMP)
822 reject = ISAKMP_N_INVALID_PROTOCOL_ID;
823 if (reject == 0 && rp->u.sa.proposals->u.p.spi_size != 0)
824 reject = ISAKMP_N_INVALID_SPI;
825 if (reject == 0 &&
826 (rp->u.sa.proposals->u.p.transforms == NULL
827 || rp->u.sa.proposals->u.p.transforms->next !=
828 NULL))
829 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
830 if (reject == 0 &&
831 (rp->u.sa.proposals->u.p.transforms->u.t.id
832 != ISAKMP_IPSEC_KEY_IKE))
833 reject = ISAKMP_N_INVALID_TRANSFORM_ID;
834 if (reject == 0) {
835 struct isakmp_attribute *a
836 =
837 rp->u.sa.proposals->u.p.transforms->u.t.attributes;
838 int seen_enc = 0, seen_hash = 0, seen_auth = 0;
839 int seen_group = 0, seen_keylen = 0;
840 for (; a && reject == 0; a = a->next)
841 switch (a->type) {
842 case IKE_ATTRIB_GROUP_DESC:
843 if (a->af == isakmp_attr_16 &&
844 a->u.attr_16 ==
845 get_dh_group_ike()->ike_sa_id)
846 seen_group = 1;
847 else
848 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
849 break;
850 case IKE_ATTRIB_AUTH_METHOD:
851 if (a->af == isakmp_attr_16 &&
852 a->u.attr_16 ==
853 XAUTH_AUTH_XAUTHInitPreShared)
854 seen_auth = 1;
855 else
856 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
857 break;
858 case IKE_ATTRIB_HASH:
859 if (a->af == isakmp_attr_16)
860 seen_hash = a->u.attr_16;
861 else
862 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
863 break;
864 case IKE_ATTRIB_ENC:
865 if (a->af == isakmp_attr_16)
866 seen_enc = a->u.attr_16;
867 else
868 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
869 break;
870 case IKE_ATTRIB_KEY_LENGTH:
871 if (a->af == isakmp_attr_16)
872 seen_keylen = a->u.attr_16;
873 else
874 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
875 break;
876 case IKE_ATTRIB_LIFE_TYPE:
877 case IKE_ATTRIB_LIFE_DURATION:
878 break;
879 default:
880 DEBUG(1, printf
881 ("unknown attribute %d, arborting..\n",
882 a->type));
883 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
884 break;
885 }
886 if (!seen_group || !seen_auth || !seen_hash || !seen_enc)
887 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
888
889 if (get_algo(SUPP_ALGO_HASH, SUPP_ALGO_IKE_SA, seen_hash,
890 NULL, 0) == NULL)
891 reject = ISAKMP_N_NO_PROPOSAL_CHOSEN;
892 if (get_algo(SUPP_ALGO_CRYPT, SUPP_ALGO_IKE_SA, seen_enc,
893 NULL, seen_keylen) == NULL)
894 reject = ISAKMP_N_NO_PROPOSAL_CHOSEN;
895
896 if (reject == 0) {
897 d->cry_algo =
898 get_algo(SUPP_ALGO_CRYPT, SUPP_ALGO_IKE_SA,
899 seen_enc, NULL, seen_keylen)->my_id;
900 d->md_algo =
901 get_algo(SUPP_ALGO_HASH, SUPP_ALGO_IKE_SA,
902 seen_hash, NULL, 0)->my_id;
903 DEBUG(1, printf("IKE SA selected %s-%s\n",
904 get_algo(SUPP_ALGO_CRYPT,
905 SUPP_ALGO_IKE_SA, seen_enc,
906 NULL, seen_keylen)->name,
907 get_algo(SUPP_ALGO_HASH,
908 SUPP_ALGO_IKE_SA, seen_hash,
909 NULL, 0)->name));
910 }
911 }
912 break;
913
914 case ISAKMP_PAYLOAD_ID:
915 idp = rp;
916 break;
917 case ISAKMP_PAYLOAD_KE:
918 ke = rp;
919 break;
920 case ISAKMP_PAYLOAD_NONCE:
921 nonce = rp;
922 break;
923 case ISAKMP_PAYLOAD_HASH:
924 hash = rp;
925 break;
926 case ISAKMP_PAYLOAD_VID:
927 if (rp->u.vid.length == sizeof(xauth_vid)
928 && memcmp(rp->u.vid.data, xauth_vid,
929 sizeof(xauth_vid)) == 0)
930 seen_xauth_vid = 1;
931 break;
932 default:
933 reject = ISAKMP_N_INVALID_PAYLOAD_TYPE;
934 break;
935 }
936
937 if (reject == 0) {
938 d->md_len = gcry_md_get_algo_dlen(d->md_algo);
939 gcry_cipher_algo_info(d->cry_algo, GCRYCTL_GET_BLKLEN, NULL, &(d->ivlen));
940 gcry_cipher_algo_info(d->cry_algo, GCRYCTL_GET_KEYLEN, NULL, &(d->keylen));
941 }
942
943 if (reject == 0 && (ke == NULL || ke->u.ke.length != dh_getlen(dh_grp)))
944 reject = ISAKMP_N_INVALID_KEY_INFORMATION;
945 if (reject == 0 && nonce == NULL)
946 reject = ISAKMP_N_INVALID_HASH_INFORMATION;
947 if (reject != 0)
948 error(1, 0, "response was invalid [2]: %s", isakmp_notify_to_error(reject));
949 if (reject == 0 && idp == NULL)
950 reject = ISAKMP_N_INVALID_ID_INFORMATION;
951 if (reject == 0 && (hash == NULL || hash->u.hash.length != d->md_len))
952 reject = ISAKMP_N_INVALID_HASH_INFORMATION;
953 if (reject != 0)
954 error(1, 0, "response was invalid [3]: %s", isakmp_notify_to_error(reject));
955
956 /* Generate SKEYID. */
957 {
958 gcry_md_open(&skeyid_ctx, d->md_algo, GCRY_MD_FLAG_HMAC);
959 gcry_md_setkey(skeyid_ctx, shared_key, strlen(shared_key));
960 gcry_md_write(skeyid_ctx, i_nonce, sizeof(i_nonce));
961 gcry_md_write(skeyid_ctx, nonce->u.nonce.data, nonce->u.nonce.length);
962 gcry_md_final(skeyid_ctx);
963 skeyid = gcry_md_read(skeyid_ctx, 0);
964 hex_dump("skeyid", skeyid, d->md_len);
965 }
966
967 /* Verify the hash. */
968 {
969 gcry_md_hd_t hm;
970 unsigned char *expected_hash;
971 uint8_t *sa_f, *idi_f, *idp_f;
972 size_t sa_size, idi_size, idp_size;
973 struct isakmp_payload *sa, *idi;
974
975 sa = p1->payload;
976 for (idi = sa; idi->type != ISAKMP_PAYLOAD_ID; idi = idi->next) ;
977 sa->next = NULL;
978 idi->next = NULL;
979 idp->next = NULL;
980 flatten_isakmp_payload(sa, &sa_f, &sa_size);
981 flatten_isakmp_payload(idi, &idi_f, &idi_size);
982 flatten_isakmp_payload(idp, &idp_f, &idp_size);
983
984 gcry_md_open(&hm, d->md_algo, GCRY_MD_FLAG_HMAC);
985 gcry_md_setkey(hm, skeyid, d->md_len);
986 gcry_md_write(hm, ke->u.ke.data, ke->u.ke.length);
987 gcry_md_write(hm, dh_public, dh_getlen(dh_grp));
988 gcry_md_write(hm, d->r_cookie, ISAKMP_COOKIE_LENGTH);
989 gcry_md_write(hm, d->i_cookie, ISAKMP_COOKIE_LENGTH);
990 gcry_md_write(hm, sa_f + 4, sa_size - 4);
991 gcry_md_write(hm, idp_f + 4, idp_size - 4);
992 gcry_md_final(hm);
993 expected_hash = gcry_md_read(hm, 0);
994
995 if (memcmp(expected_hash, hash->u.hash.data, d->md_len) != 0) {
996 error(1, 0, "hash comparison failed: %s\ncheck group password!",
997 isakmp_notify_to_error(ISAKMP_N_AUTHENTICATION_FAILED));
998 }
999 gcry_md_close(hm);
1000
1001 gcry_md_open(&hm, d->md_algo, GCRY_MD_FLAG_HMAC);
1002 gcry_md_setkey(hm, skeyid, d->md_len);
1003 gcry_md_write(hm, dh_public, dh_getlen(dh_grp));
1004 gcry_md_write(hm, ke->u.ke.data, ke->u.ke.length);
1005 gcry_md_write(hm, d->i_cookie, ISAKMP_COOKIE_LENGTH);
1006 gcry_md_write(hm, d->r_cookie, ISAKMP_COOKIE_LENGTH);
1007 gcry_md_write(hm, sa_f + 4, sa_size - 4);
1008 gcry_md_write(hm, idi_f + 4, idi_size - 4);
1009 gcry_md_final(hm);
1010 returned_hash = xallocc(d->md_len);
1011 memcpy(returned_hash, gcry_md_read(hm, 0), d->md_len);
1012 gcry_md_close(hm);
1013 hex_dump("returned_hash", returned_hash, d->md_len);
1014
1015 free(sa_f);
1016 free(idi);
1017 free(idp);
1018 }
1019
1020 /* Determine all the SKEYID_x keys. */
1021 {
1022 gcry_md_hd_t hm;
1023 int i;
1024 static const unsigned char c012[3] = { 0, 1, 2 };
1025 unsigned char *skeyid_e;
1026 unsigned char *dh_shared_secret;
1027
1028 /* Determine the shared secret. */
1029 dh_shared_secret = xallocc(dh_getlen(dh_grp));
1030 dh_create_shared(dh_grp, dh_shared_secret, ke->u.ke.data);
1031 hex_dump("dh_shared_secret", dh_shared_secret, dh_getlen(dh_grp));
1032
1033 gcry_md_open(&hm, d->md_algo, GCRY_MD_FLAG_HMAC);
1034 gcry_md_setkey(hm, skeyid, d->md_len);
1035 gcry_md_write(hm, dh_shared_secret, dh_getlen(dh_grp));
1036 gcry_md_write(hm, d->i_cookie, ISAKMP_COOKIE_LENGTH);
1037 gcry_md_write(hm, d->r_cookie, ISAKMP_COOKIE_LENGTH);
1038 gcry_md_write(hm, c012 + 0, 1);
1039 gcry_md_final(hm);
1040 d->skeyid_d = xallocc(d->md_len);
1041 memcpy(d->skeyid_d, gcry_md_read(hm, 0), d->md_len);
1042 gcry_md_close(hm);
1043 hex_dump("skeyid_d", d->skeyid_d, d->md_len);
1044
1045 gcry_md_open(&hm, d->md_algo, GCRY_MD_FLAG_HMAC);
1046 gcry_md_setkey(hm, skeyid, d->md_len);
1047 gcry_md_write(hm, d->skeyid_d, d->md_len);
1048 gcry_md_write(hm, dh_shared_secret, dh_getlen(dh_grp));
1049 gcry_md_write(hm, d->i_cookie, ISAKMP_COOKIE_LENGTH);
1050 gcry_md_write(hm, d->r_cookie, ISAKMP_COOKIE_LENGTH);
1051 gcry_md_write(hm, c012 + 1, 1);
1052 gcry_md_final(hm);
1053 d->skeyid_a = xallocc(d->md_len);
1054 memcpy(d->skeyid_a, gcry_md_read(hm, 0), d->md_len);
1055 gcry_md_close(hm);
1056 hex_dump("skeyid_a", d->skeyid_a, d->md_len);
1057
1058 gcry_md_open(&hm, d->md_algo, GCRY_MD_FLAG_HMAC);
1059 gcry_md_setkey(hm, skeyid, d->md_len);
1060 gcry_md_write(hm, d->skeyid_a, d->md_len);
1061 gcry_md_write(hm, dh_shared_secret, dh_getlen(dh_grp));
1062 gcry_md_write(hm, d->i_cookie, ISAKMP_COOKIE_LENGTH);
1063 gcry_md_write(hm, d->r_cookie, ISAKMP_COOKIE_LENGTH);
1064 gcry_md_write(hm, c012 + 2, 1);
1065 gcry_md_final(hm);
1066 skeyid_e = xallocc(d->md_len);
1067 memcpy(skeyid_e, gcry_md_read(hm, 0), d->md_len);
1068 gcry_md_close(hm);
1069 hex_dump("skeyid_e", skeyid_e, d->md_len);
1070
1071 memset(dh_shared_secret, 0, sizeof(dh_shared_secret));
1072
1073 /* Determine the IKE encryption key. */
1074 d->key = xallocc(d->keylen);
1075
1076 if (d->keylen > d->md_len) {
1077 for (i = 0; i * d->md_len < d->keylen; i++) {
1078 gcry_md_open(&hm, d->md_algo, GCRY_MD_FLAG_HMAC);
1079 gcry_md_setkey(hm, skeyid_e, d->md_len);
1080 if (i == 0)
1081 gcry_md_write(hm, "" /* &'\0' */ , 1);
1082 else
1083 gcry_md_write(hm, d->key + (i - 1) * d->md_len,
1084 d->md_len);
1085 gcry_md_final(hm);
1086 memcpy(d->key + i * d->md_len, gcry_md_read(hm, 0),
1087 min(d->md_len, d->keylen - i * d->md_len));
1088 gcry_md_close(hm);
1089 }
1090 } else { /* keylen <= md_len */
1091 memcpy(d->key, skeyid_e, d->keylen);
1092 }
1093 hex_dump("enc-key", d->key, d->keylen);
1094
1095 memset(skeyid_e, 0, d->md_len);
1096 }
1097
1098 /* Determine the initial 3DES IV. */
1099 {
1100 gcry_md_hd_t hm;
1101
1102 assert(d->ivlen < d->md_len);
1103 gcry_md_open(&hm, d->md_algo, 0);
1104 gcry_md_write(hm, dh_public, dh_getlen(dh_grp));
1105 gcry_md_write(hm, ke->u.ke.data, ke->u.ke.length);
1106 gcry_md_final(hm);
1107 d->current_iv = xallocc(d->ivlen);
1108 memcpy(d->current_iv, gcry_md_read(hm, 0), d->ivlen);
1109 gcry_md_close(hm);
1110 hex_dump("current_iv", d->current_iv, d->ivlen);
1111 memset(d->current_iv_msgid, 0, 4);
1112 }
1113
1114 gcry_md_close(skeyid_ctx);
1115 }
1116
1117 DEBUG(2, printf("S4.5\n"));
1118 /* Send final phase 1 packet. */
1119 {
1120 struct isakmp_packet *p2;
1121 uint8_t *p2kt;
1122 size_t p2kt_len;
1123 struct isakmp_payload *pl;
1124
1125 p2 = new_isakmp_packet();
1126 memcpy(p2->i_cookie, d->i_cookie, ISAKMP_COOKIE_LENGTH);
1127 memcpy(p2->r_cookie, d->r_cookie, ISAKMP_COOKIE_LENGTH);
1128 p2->flags = ISAKMP_FLAG_E;
1129 p2->isakmp_version = ISAKMP_VERSION;
1130 p2->exchange_type = ISAKMP_EXCHANGE_AGGRESSIVE;
1131 p2->payload = new_isakmp_data_payload(ISAKMP_PAYLOAD_HASH,
1132 returned_hash, d->md_len);
1133 p2->payload->next = pl = new_isakmp_payload(ISAKMP_PAYLOAD_N);
1134 pl->u.n.doi = ISAKMP_DOI_IPSEC;
1135 pl->u.n.protocol = ISAKMP_IPSEC_PROTO_ISAKMP;
1136 pl->u.n.type = ISAKMP_N_IPSEC_INITIAL_CONTACT;
1137 pl->u.n.spi_length = 2 * ISAKMP_COOKIE_LENGTH;
1138 pl->u.n.spi = xallocc(2 * ISAKMP_COOKIE_LENGTH);
1139 memcpy(pl->u.n.spi + ISAKMP_COOKIE_LENGTH * 0, d->i_cookie, ISAKMP_COOKIE_LENGTH);
1140 memcpy(pl->u.n.spi + ISAKMP_COOKIE_LENGTH * 1, d->r_cookie, ISAKMP_COOKIE_LENGTH);
1141 pl->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID,
1142 unknown_vid, sizeof(unknown_vid));
1143 pl->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID,
1144 unity_vid, sizeof(unity_vid));
1145 flatten_isakmp_packet(p2, &p2kt, &p2kt_len, d->ivlen);
1146 free_isakmp_packet(p2);
1147 isakmp_crypt(d, p2kt, p2kt_len, 1);
1148
1149 d->initial_iv = xallocc(d->ivlen);
1150 memcpy(d->initial_iv, d->current_iv, d->ivlen);
1151 hex_dump("initial_iv", d->initial_iv, d->ivlen);
1152
1153 /* Now, send that packet and receive a new one. */
1154 r_length = sendrecv(r_packet, sizeof(r_packet), p2kt, p2kt_len, 0);
1155 free(p2kt);
1156 }
1157 DEBUG(2, printf("S4.6\n"));
1158
1159 free(returned_hash);
1160 }
1161
1162 static int do_phase_2_xauth(struct sa_block *s)
1163 {
1164 struct isakmp_packet *r;
1165 int loopcount;
1166
1167 DEBUG(2, printf("S5.1\n"));
1168 /* This can go around for a while. */
1169 for (loopcount = 0;; loopcount++) {
1170 uint16_t reject;
1171 struct isakmp_payload *rp;
1172 struct isakmp_attribute *a, *ap, *reply_attr;
1173 char ntop_buf[32];
1174 int seen_answer = 0;
1175
1176 DEBUG(2, printf("S5.2\n"));
1177 reject = unpack_verify_phase2(s, r_packet, r_length, &r, NULL, 0);
1178 if (reject == ISAKMP_N_PAYLOAD_MALFORMED) {
1179 r_length = sendrecv(r_packet, sizeof(r_packet), NULL, 0, 0);
1180 continue;
1181 }
1182
1183 /* check for notices */
1184 if (reject == 0 &&
1185 r->exchange_type == ISAKMP_EXCHANGE_INFORMATIONAL &&
1186 r->payload->next != NULL && r->payload->next->type == ISAKMP_PAYLOAD_N) {
1187 if (r->payload->next->u.n.type == ISAKMP_N_CISCO_LOAD_BALANCE) {
1188 /* load balancing notice ==> restart with new gw */
1189 if (r->payload->next->u.n.data_length != 4)
1190 error(1, 0, "malformed loadbalance target");
1191 memcpy(&((struct sockaddr_in *)dest_addr)->sin_addr,
1192 r->payload->next->u.n.data, 4);
1193 DEBUG(2, printf("got cisco loadbalancing notice, diverting to %s\n",
1194 inet_ntoa(((struct sockaddr_in *)dest_addr)->
1195 sin_addr)));
1196 return 1;
1197 }
1198 if (r->payload->next->u.n.type == ISAKMP_N_IPSEC_RESPONDER_LIFETIME) {
1199 /* responder liftime notice ==> ignore */
1200 DEBUG(2, printf("got responder liftime notice, ignoring..\n"));
1201 r_length = sendrecv(r_packet, sizeof(r_packet), NULL, 0, 0);
1202 continue;
1203 }
1204 }
1205
1206 DEBUG(2, printf("S5.3\n"));
1207 /* Check the transaction type is OK. */
1208 if (reject == 0 && r->exchange_type != ISAKMP_EXCHANGE_MODECFG_TRANSACTION)
1209 reject = ISAKMP_N_INVALID_EXCHANGE_TYPE;
1210
1211 /* After the hash, expect an attribute block. */
1212 if (reject == 0
1213 && (r->payload->next == NULL
1214 || r->payload->next->next != NULL
1215 || r->payload->next->type != ISAKMP_PAYLOAD_MODECFG_ATTR))
1216 reject = ISAKMP_N_INVALID_PAYLOAD_TYPE;
1217
1218 if (reject == 0 && r->payload->next->u.modecfg.type == ISAKMP_MODECFG_CFG_SET)
1219 break;
1220 if (reject == 0 && r->payload->next->u.modecfg.type != ISAKMP_MODECFG_CFG_REQUEST)
1221 reject = ISAKMP_N_INVALID_PAYLOAD_TYPE;
1222
1223 if (reject != 0)
1224 phase2_fatal(s, "expected xauth packet; rejected: %s", reject);
1225
1226 DEBUG(2, printf("S5.4\n"));
1227 a = r->payload->next->u.modecfg.attributes;
1228 /* First, print any messages, and verify that we understand the
1229 * conversation. */
1230 for (ap = a; ap && seen_answer == 0; ap = ap->next)
1231 if (ap->type == ISAKMP_XAUTH_ATTRIB_ANSWER)
1232 seen_answer = 1;
1233
1234 for (ap = a; ap && reject == 0; ap = ap->next)
1235 switch (ap->type) {
1236 case ISAKMP_XAUTH_ATTRIB_TYPE:
1237 if (ap->af != isakmp_attr_16 || ap->u.attr_16 != 0)
1238 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
1239 break;
1240 case ISAKMP_XAUTH_ATTRIB_USER_NAME:
1241 case ISAKMP_XAUTH_ATTRIB_USER_PASSWORD:
1242 case ISAKMP_XAUTH_ATTRIB_PASSCODE:
1243 case ISAKMP_XAUTH_ATTRIB_DOMAIN:
1244 case ISAKMP_XAUTH_ATTRIB_ANSWER:
1245 case ISAKMP_XAUTH_ATTRIB_CISCOEXT_VENDOR:
1246 break;
1247 case ISAKMP_XAUTH_ATTRIB_MESSAGE:
1248 if (opt_debug || seen_answer || config[CONFIG_XAUTH_INTERACTIVE]) {
1249 if (ap->af == isakmp_attr_16)
1250 printf("%c%c\n", ap->u.attr_16 >> 8, ap->u.attr_16);
1251 else
1252 printf("%.*s%s", ap->u.lots.length, ap->u.lots.data,
1253 ((ap->u.lots.data
1254 && ap->u.lots.data[ap->u.
1255 lots.length - 1] !=
1256 '\n')
1257 ? "\n" : ""));
1258 }
1259 break;
1260 default:
1261 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
1262 }
1263 DEBUG(2, printf("S5.5\n"));
1264 if (reject != 0)
1265 phase2_fatal(s, "xauth packet unsupported: %s", reject);
1266
1267 inet_ntop(dest_addr->sa_family,
1268 &((struct sockaddr_in *)dest_addr)->sin_addr, ntop_buf, sizeof(ntop_buf));
1269
1270 /* Collect data from the user. */
1271 reply_attr = NULL;
1272 for (ap = a; ap && reject == 0; ap = ap->next)
1273 switch (ap->type) {
1274 case ISAKMP_XAUTH_ATTRIB_DOMAIN:
1275 {
1276 struct isakmp_attribute *na;
1277 na = new_isakmp_attribute(ap->type, reply_attr);
1278 reply_attr = na;
1279 na->u.lots.length = strlen(config[CONFIG_DOMAIN]);
1280 if (na->u.lots.length == 0)
1281 error(1, 0,
1282 "server requested domain, but none set (use \"Domain ...\" in config or --domain");
1283 na->u.lots.data = xallocc(na->u.lots.length);
1284 memcpy(na->u.lots.data, config[CONFIG_DOMAIN],
1285 na->u.lots.length);
1286 break;
1287 }
1288 case ISAKMP_XAUTH_ATTRIB_USER_NAME:
1289 {
1290 struct isakmp_attribute *na;
1291 na = new_isakmp_attribute(ap->type, reply_attr);
1292 reply_attr = na;
1293 na->u.lots.length = strlen(config[CONFIG_XAUTH_USERNAME]);
1294 na->u.lots.data = xallocc(na->u.lots.length);
1295 memcpy(na->u.lots.data, config[CONFIG_XAUTH_USERNAME],
1296 na->u.lots.length);
1297 break;
1298 }
1299 case ISAKMP_XAUTH_ATTRIB_ANSWER:
1300 case ISAKMP_XAUTH_ATTRIB_USER_PASSWORD:
1301 case ISAKMP_XAUTH_ATTRIB_PASSCODE:
1302 if (seen_answer || config[CONFIG_XAUTH_INTERACTIVE]) {
1303 char *pass, *prompt = NULL;
1304 struct isakmp_attribute *na;
1305
1306 asprintf(&prompt, "%s for VPN %s@%s: ",
1307 (ap->type == ISAKMP_XAUTH_ATTRIB_ANSWER) ?
1308 "Answer" :
1309 (ap->type == ISAKMP_XAUTH_ATTRIB_USER_PASSWORD) ?
1310 "Password" : "Passcode",
1311 config[CONFIG_XAUTH_USERNAME], ntop_buf);
1312 pass = getpass(prompt);
1313 free(prompt);
1314
1315 na = new_isakmp_attribute(ap->type, reply_attr);
1316 reply_attr = na;
1317 na->u.lots.length = strlen(pass);
1318 na->u.lots.data = xallocc(na->u.lots.length);
1319 memcpy(na->u.lots.data, pass, na->u.lots.length);
1320 memset(pass, 0, na->u.lots.length);
1321 } else {
1322 struct isakmp_attribute *na;
1323 na = new_isakmp_attribute(ap->type, reply_attr);
1324 reply_attr = na;
1325 na->u.lots.length = strlen(config[CONFIG_XAUTH_PASSWORD]);
1326 na->u.lots.data = xallocc(na->u.lots.length);
1327 memcpy(na->u.lots.data, config[CONFIG_XAUTH_PASSWORD],
1328 na->u.lots.length);
1329 }
1330 break;
1331 default:
1332 ;
1333 }
1334
1335 /* Send the response. */
1336 rp = new_isakmp_payload(ISAKMP_PAYLOAD_MODECFG_ATTR);
1337 rp->u.modecfg.type = ISAKMP_MODECFG_CFG_REPLY;
1338 rp->u.modecfg.id = r->payload->next->u.modecfg.id;
1339 rp->u.modecfg.attributes = reply_attr;
1340 sendrecv_phase2(s, rp, ISAKMP_EXCHANGE_MODECFG_TRANSACTION,
1341 r->message_id, 0, 0, 0, 0, 0, 0, 0, 0);
1342
1343 free_isakmp_packet(r);
1344 }
1345
1346 DEBUG(2, printf("S5.6\n"));
1347 {
1348 /* The final SET should have just one attribute. */
1349 uint16_t reject = 0;
1350 struct isakmp_attribute *a = r->payload->next->u.modecfg.attributes;
1351 uint16_t set_result;
1352
1353 if (a == NULL
1354 || a->type != ISAKMP_XAUTH_ATTRIB_STATUS
1355 || a->af != isakmp_attr_16 || a->next != NULL) {
1356 reject = ISAKMP_N_INVALID_PAYLOAD_TYPE;
1357 phase2_fatal(s, "xauth SET response rejected: %s", reject);
1358 }
1359 set_result = a->u.attr_16;
1360
1361 /* ACK the SET. */
1362 r->payload->next->u.modecfg.type = ISAKMP_MODECFG_CFG_ACK;
1363 sendrecv_phase2(s, r->payload->next, ISAKMP_EXCHANGE_MODECFG_TRANSACTION,
1364 r->message_id, 1, 0, 0, 0, 0, 0, 0, 0);
1365 r->payload->next = NULL;
1366 free_isakmp_packet(r);
1367
1368 if (set_result == 0)
1369 error(2, 0, "authentication unsuccessful");
1370 }
1371 DEBUG(2, printf("S5.7\n"));
1372 return 0;
1373 }
1374
1375 static void do_phase_2_config(struct sa_block *s)
1376 {
1377 struct isakmp_payload *rp;
1378 struct isakmp_attribute *a;
1379 struct isakmp_packet *r;
1380 struct utsname uts;
1381 uint32_t msgid;
1382 uint16_t reject;
1383 int seen_address = 0;
1384 char *strbuf;
1385
1386 uname(&uts);
1387
1388 gcry_randomize((uint8_t *) & msgid, sizeof(msgid), GCRY_WEAK_RANDOM);
1389 if (msgid == 0)
1390 msgid = 1;
1391
1392 rp = new_isakmp_payload(ISAKMP_PAYLOAD_MODECFG_ATTR);
1393 rp->u.modecfg.type = ISAKMP_MODECFG_CFG_REQUEST;
1394 rp->u.modecfg.id = 20;
1395 a = NULL;
1396
1397 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_APPLICATION_VERSION, a);
1398 a->u.lots.length = strlen(config[CONFIG_VERSION]);
1399 a->u.lots.data = xallocc(a->u.lots.length);
1400 memcpy(a->u.lots.data, config[CONFIG_VERSION], a->u.lots.length);
1401
1402 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_CISCO_DDNS_HOSTNAME, a);
1403 a->u.lots.length = strlen(uts.nodename);
1404 a->u.lots.data = xallocc(a->u.lots.length);
1405 memcpy(a->u.lots.data, uts.nodename, a->u.lots.length);
1406
1407 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_CISCO_BANNER, a);
1408 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_CISCO_DO_PFS, a);
1409 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_CISCO_DEF_DOMAIN, a);
1410 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_INTERNAL_IP4_NBNS, a);
1411 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_INTERNAL_IP4_DNS, a);
1412 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_INTERNAL_IP4_NETMASK, a);
1413 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_INTERNAL_IP4_ADDRESS, a);
1414
1415 rp->u.modecfg.attributes = a;
1416 sendrecv_phase2(s, rp, ISAKMP_EXCHANGE_MODECFG_TRANSACTION, msgid, 0, 0, 0, 0, 0, 0, 0, 0);
1417
1418 reject = unpack_verify_phase2(s, r_packet, r_length, &r, NULL, 0);
1419
1420 /* Check the transaction type & message ID are OK. */
1421 if (reject == 0 && r->message_id != msgid)
1422 reject = ISAKMP_N_INVALID_MESSAGE_ID;
1423 if (reject == 0 && r->exchange_type != ISAKMP_EXCHANGE_MODECFG_TRANSACTION)
1424 reject = ISAKMP_N_INVALID_EXCHANGE_TYPE;
1425
1426 /* After the hash, expect an attribute block. */
1427 if (reject == 0
1428 && (r->payload->next == NULL
1429 || r->payload->next->next != NULL
1430 || r->payload->next->type != ISAKMP_PAYLOAD_MODECFG_ATTR
1431 #if 0
1432 || r->payload->next->u.modecfg.id != 20
1433 #endif
1434 || r->payload->next->u.modecfg.type != ISAKMP_MODECFG_CFG_REPLY))
1435 reject = ISAKMP_N_PAYLOAD_MALFORMED;
1436
1437 if (reject != 0)
1438 phase2_fatal(s, "configuration response rejected: %s", reject);
1439
1440 unsetenv("CISCO_BANNER");
1441 unsetenv("CISCO_DEF_DOMAIN");
1442 unsetenv("INTERNAL_IP4_NBNS");
1443 unsetenv("INTERNAL_IP4_DNS");
1444 unsetenv("INTERNAL_IP4_NETMASK");
1445 unsetenv("INTERNAL_IP4_ADDRESS");
1446
1447 for (a = r->payload->next->u.modecfg.attributes; a && reject == 0; a = a->next)
1448 switch (a->type) {
1449 case ISAKMP_MODECFG_ATTRIB_INTERNAL_IP4_ADDRESS:
1450 if (a->af != isakmp_attr_lots || a->u.lots.length != 4)
1451 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
1452 else {
1453 addenv_ipv4("INTERNAL_IP4_ADDRESS", a->u.lots.data);
1454 memcpy(s->our_address, a->u.lots.data, 4);
1455 }
1456 seen_address = 1;
1457 break;
1458
1459 case ISAKMP_MODECFG_ATTRIB_INTERNAL_IP4_NETMASK:
1460 if (a->af == isakmp_attr_lots && a->u.lots.length == 0) {
1461 DEBUG(2, printf("ignoring zero length netmask\n"));
1462 continue;
1463 }
1464 if (a->af != isakmp_attr_lots || a->u.lots.length != 4)
1465 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
1466 else
1467 addenv_ipv4("INTERNAL_IP4_NETMASK", a->u.lots.data);
1468 break;
1469
1470 case ISAKMP_MODECFG_ATTRIB_INTERNAL_IP4_DNS:
1471 if (a->af != isakmp_attr_lots || a->u.lots.length != 4)
1472 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
1473 else
1474 addenv_ipv4("INTERNAL_IP4_DNS", a->u.lots.data);
1475 break;
1476
1477 case ISAKMP_MODECFG_ATTRIB_INTERNAL_IP4_NBNS:
1478 if (a->af != isakmp_attr_lots || a->u.lots.length != 4)
1479 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
1480 else
1481 addenv_ipv4("INTERNAL_IP4_NBNS", a->u.lots.data);
1482 break;
1483
1484 case ISAKMP_MODECFG_ATTRIB_CISCO_DEF_DOMAIN:
1485 if (a->af != isakmp_attr_lots) {
1486 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
1487 break;
1488 }
1489 strbuf = xallocc(a->u.lots.length + 1);
1490 memcpy(strbuf, a->u.lots.data, a->u.lots.length);
1491 addenv("CISCO_DEF_DOMAIN", strbuf);
1492 free(strbuf);
1493 break;
1494
1495 case ISAKMP_MODECFG_ATTRIB_CISCO_BANNER:
1496 if (a->af != isakmp_attr_lots) {
1497 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
1498 break;
1499 }
1500 strbuf = xallocc(a->u.lots.length + 1);
1501 memcpy(strbuf, a->u.lots.data, a->u.lots.length);
1502 addenv("CISCO_BANNER", strbuf);
1503 free(strbuf);
1504 DEBUG(1, printf("Banner: "));
1505 DEBUG(1, fwrite(a->u.lots.data, a->u.lots.length, 1, stdout));
1506 DEBUG(1, printf("\n"));
1507 break;
1508
1509 case ISAKMP_MODECFG_ATTRIB_APPLICATION_VERSION:
1510 DEBUG(2, printf("Remote Application Version: "));
1511 DEBUG(2, fwrite(a->u.lots.data, a->u.lots.length, 1, stdout));
1512 DEBUG(2, printf("\n"));
1513 break;
1514
1515 case ISAKMP_MODECFG_ATTRIB_CISCO_DO_PFS:
1516 if (a->af != isakmp_attr_16)
1517 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
1518 else {
1519 s->do_pfs = a->u.attr_16;
1520 DEBUG(2, printf("got pfs setting: %d\n", s->do_pfs));
1521 }
1522 break;
1523
1524 default:
1525 DEBUG(2, printf("unknown attriube %d / 0x%X\n", a->type, a->type));
1526 break;
1527 }
1528
1529 if (reject == 0 && !seen_address)
1530 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
1531
1532 if (reject != 0)
1533 phase2_fatal(s, "configuration response rejected: %s", reject);
1534
1535 DEBUG(1, printf("got address %s\n", getenv("INTERNAL_IP4_ADDRESS")));
1536 }
1537
1538 struct isakmp_attribute *make_transform_ipsec(int dh_group, int hash, int keylen)
1539 {
1540 struct isakmp_attribute *a = NULL;
1541
1542 a = new_isakmp_attribute(ISAKMP_IPSEC_ATTRIB_SA_LIFE_DURATION, a);
1543 a->af = isakmp_attr_lots;
1544 a->u.lots.length = 4;
1545 a->u.lots.data = xallocc(a->u.lots.length);
1546 *((uint32_t *) a->u.lots.data) = htonl(2147483);
1547 a = new_isakmp_attribute_16(ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE, IPSEC_LIFE_SECONDS, a);
1548
1549 if (dh_group)
1550 a = new_isakmp_attribute_16(ISAKMP_IPSEC_ATTRIB_GROUP_DESC, dh_group, a);
1551 a = new_isakmp_attribute_16(ISAKMP_IPSEC_ATTRIB_AUTH_ALG, hash, a);
1552 a = new_isakmp_attribute_16(ISAKMP_IPSEC_ATTRIB_ENCAP_MODE, IPSEC_ENCAP_TUNNEL, a);
1553 if (keylen != 0)
1554 a = new_isakmp_attribute_16(ISAKMP_IPSEC_ATTRIB_KEY_LENGTH, keylen, a);
1555
1556 return a;
1557 }
1558
1559 struct isakmp_payload *make_our_sa_ipsec(struct sa_block *s)
1560 {
1561 struct isakmp_payload *r = new_isakmp_payload(ISAKMP_PAYLOAD_SA);
1562 struct isakmp_payload *p = NULL, *pn;
1563 struct isakmp_attribute *a;
1564 int dh_grp = get_dh_group_ipsec(s->do_pfs)->ipsec_sa_id;
1565 unsigned int crypt, hash, keylen;
1566 int i;
1567
1568 r = new_isakmp_payload(ISAKMP_PAYLOAD_SA);
1569 r->u.sa.doi = ISAKMP_DOI_IPSEC;
1570 r->u.sa.situation = ISAKMP_IPSEC_SIT_IDENTITY_ONLY;
1571 r->u.sa.proposals = new_isakmp_payload(ISAKMP_PAYLOAD_P);
1572 r->u.sa.proposals->u.p.spi_size = 4;
1573 r->u.sa.proposals->u.p.spi = xallocc(4);
1574 /* The sadb_sa_spi field is already in network order. */
1575 memcpy(r->u.sa.proposals->u.p.spi, &s->tous_esp_spi, 4);
1576 r->u.sa.proposals->u.p.prot_id = ISAKMP_IPSEC_PROTO_IPSEC_ESP;
1577 for (crypt = 0; supp_crypt[crypt].name != NULL; crypt++) {
1578 if ((supp_crypt[crypt].my_id == GCRY_CIPHER_DES) && (opt_1des == 0))
1579 continue;
1580 keylen = supp_crypt[crypt].keylen;
1581 for (hash = 0; supp_hash[hash].name != NULL; hash++) {
1582 pn = p;
1583 p = new_isakmp_payload(ISAKMP_PAYLOAD_P);
1584 p->u.p.spi_size = 4;
1585 p->u.p.spi = xallocc(4);
1586 /* The sadb_sa_spi field is already in network order. */
1587 memcpy(p->u.p.spi, &s->tous_esp_spi, 4);
1588 p->u.p.prot_id = ISAKMP_IPSEC_PROTO_IPSEC_ESP;
1589 p->u.p.transforms = new_isakmp_payload(ISAKMP_PAYLOAD_T);
1590 p->u.p.transforms->u.t.id = supp_crypt[crypt].ipsec_sa_id;
1591 a = make_transform_ipsec(dh_grp, supp_hash[hash].ipsec_sa_id, keylen);
1592 p->u.p.transforms->u.t.attributes = a;
1593 p->next = pn;
1594 }
1595 }
1596 for (i = 0, pn = p; pn; pn = pn->next)
1597 pn->u.p.number = i++;
1598 r->u.sa.proposals = p;
1599 return r;
1600 }
1601
1602 static void setup_link(struct sa_block *s)
1603 {
1604 struct isakmp_payload *rp, *us, *ke = NULL, *them, *nonce_r = NULL;
1605 struct isakmp_packet *r;
1606 struct group *dh_grp = NULL;
1607 uint32_t msgid;
1608 uint16_t reject;
1609 uint8_t *p_flat = NULL, *realiv = NULL, realiv_msgid[4];
1610 size_t p_size = 0;
1611 uint8_t nonce[20], *dh_public = NULL;
1612 int ipsec_cry_algo = 0, ipsec_hash_algo = 0, i;
1613
1614 DEBUG(2, printf("S7.1\n"));
1615 /* Set up the Diffie-Hellman stuff. */
1616 if (get_dh_group_ipsec(s->do_pfs)->my_id) {
1617 dh_grp = group_get(get_dh_group_ipsec(s->do_pfs)->my_id);
1618 DEBUG(3, printf("len = %d\n", dh_getlen(dh_grp)));
1619 dh_public = xallocc(dh_getlen(dh_grp));
1620 dh_create_exchange(dh_grp, dh_public);
1621 hex_dump("dh_public", dh_public, dh_getlen(dh_grp));
1622 }
1623
1624 gcry_randomize((uint8_t *) & s->tous_esp_spi, sizeof(s->tous_esp_spi), GCRY_WEAK_RANDOM);
1625 rp = make_our_sa_ipsec(s);
1626 gcry_randomize((uint8_t *) nonce, sizeof(nonce), GCRY_WEAK_RANDOM);
1627 rp->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_NONCE, nonce, sizeof(nonce));
1628
1629 us = new_isakmp_payload(ISAKMP_PAYLOAD_ID);
1630 us->u.id.type = ISAKMP_IPSEC_ID_IPV4_ADDR;
1631 us->u.id.length = 4;
1632 us->u.id.data = xallocc(4);
1633 memcpy(us->u.id.data, s->our_address, sizeof(struct in_addr));
1634 them = new_isakmp_payload(ISAKMP_PAYLOAD_ID);
1635 them->u.id.type = ISAKMP_IPSEC_ID_IPV4_ADDR_SUBNET;
1636 them->u.id.length = 8;
1637 them->u.id.data = xallocc(8);
1638 memset(them->u.id.data, 0, 8);
1639 us->next = them;
1640
1641 if (!dh_grp) {
1642 rp->next->next = us;
1643 } else {
1644 rp->next->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_KE,
1645 dh_public, dh_getlen(dh_grp));
1646 rp->next->next->next = us;
1647 }
1648
1649 gcry_randomize((uint8_t *) & msgid, sizeof(&msgid), GCRY_WEAK_RANDOM);
1650 if (msgid == 0)
1651 msgid = 1;
1652
1653 DEBUG(2, printf("S7.2\n"));
1654 for (i = 0; i < 4; i++) {
1655 sendrecv_phase2(s, rp, ISAKMP_EXCHANGE_IKE_QUICK,
1656 msgid, 0, 0, &p_flat, &p_size, 0, 0, 0, 0);
1657
1658 if (realiv == NULL) {
1659 realiv = xallocc(s->ivlen);
1660 memcpy(realiv, s->current_iv, s->ivlen);
1661 memcpy(realiv_msgid, s->current_iv_msgid, 4);
1662 }
1663
1664 DEBUG(2, printf("S7.3\n"));
1665 reject = unpack_verify_phase2(s, r_packet, r_length, &r, nonce, sizeof(nonce));
1666
1667 DEBUG(2, printf("S7.4\n"));
1668 if (((reject == 0) || (reject == ISAKMP_N_AUTHENTICATION_FAILED))
1669 && r->exchange_type == ISAKMP_EXCHANGE_INFORMATIONAL) {
1670 /* handle notifie responder-lifetime (ignore) */
1671 /* (broken hash => ignore AUTHENTICATION_FAILED) */
1672 if (reject == 0 && r->payload->next->type != ISAKMP_PAYLOAD_N)
1673 reject = ISAKMP_N_INVALID_PAYLOAD_TYPE;
1674
1675 if (reject == 0
1676 && r->payload->next->u.n.type ==
1677 ISAKMP_N_IPSEC_RESPONDER_LIFETIME) {
1678 DEBUG(2, printf("ignoring responder-lifetime notify\n"));
1679 memcpy(s->current_iv, realiv, s->ivlen);
1680 memcpy(s->current_iv_msgid, realiv_msgid, 4);
1681 continue;
1682 }
1683 }
1684
1685 /* Check the transaction type & message ID are OK. */
1686 if (reject == 0 && r->message_id != msgid)
1687 reject = ISAKMP_N_INVALID_MESSAGE_ID;
1688
1689 if (reject == 0 && r->exchange_type != ISAKMP_EXCHANGE_IKE_QUICK)
1690 reject = ISAKMP_N_INVALID_EXCHANGE_TYPE;
1691
1692 /* The SA payload must be second. */
1693 if (reject == 0 && r->payload->next->type != ISAKMP_PAYLOAD_SA)
1694 reject = ISAKMP_N_INVALID_PAYLOAD_TYPE;
1695
1696 if (p_flat)
1697 free(p_flat);
1698 if (realiv)
1699 free(realiv);
1700 break;
1701 }
1702
1703 DEBUG(2, printf("S7.5\n"));
1704 if (reject != 0)
1705 phase2_fatal(s, "quick mode response rejected: %s\ncheck pfs setting", reject);
1706
1707 DEBUG(2, printf("S7.6\n"));
1708 for (rp = r->payload->next; rp && reject == 0; rp = rp->next)
1709 switch (rp->type) {
1710 case ISAKMP_PAYLOAD_SA:
1711 if (reject == 0 && rp->u.sa.doi != ISAKMP_DOI_IPSEC)
1712 reject = ISAKMP_N_DOI_NOT_SUPPORTED;
1713 if (reject == 0 && rp->u.sa.situation != ISAKMP_IPSEC_SIT_IDENTITY_ONLY)
1714 reject = ISAKMP_N_SITUATION_NOT_SUPPORTED;
1715 if (reject == 0 &&
1716 (rp->u.sa.proposals == NULL || rp->u.sa.proposals->next != NULL))
1717 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
1718 if (reject == 0 &&
1719 rp->u.sa.proposals->u.p.prot_id != ISAKMP_IPSEC_PROTO_IPSEC_ESP)
1720 reject = ISAKMP_N_INVALID_PROTOCOL_ID;
1721 if (reject == 0 && rp->u.sa.proposals->u.p.spi_size != 4)
1722 reject = ISAKMP_N_INVALID_SPI;
1723 if (reject == 0 &&
1724 (rp->u.sa.proposals->u.p.transforms == NULL
1725 || rp->u.sa.proposals->u.p.transforms->next != NULL))
1726 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
1727 if (reject == 0) {
1728 struct isakmp_attribute *a
1729 = rp->u.sa.proposals->u.p.transforms->u.t.attributes;
1730 int seen_enc = rp->u.sa.proposals->u.p.transforms->u.t.id;
1731 int seen_auth = 0, seen_encap = 0, seen_group = 0, seen_keylen = 0;
1732
1733 memcpy(&s->tothem_esp_spi, rp->u.sa.proposals->u.p.spi, 4);
1734
1735 for (; a && reject == 0; a = a->next)
1736 switch (a->type) {
1737 case ISAKMP_IPSEC_ATTRIB_AUTH_ALG:
1738 if (a->af == isakmp_attr_16)
1739 seen_auth = a->u.attr_16;
1740 else
1741 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
1742 break;
1743 case ISAKMP_IPSEC_ATTRIB_ENCAP_MODE:
1744 if (a->af == isakmp_attr_16 &&
1745 a->u.attr_16 == IPSEC_ENCAP_TUNNEL)
1746 seen_encap = 1;
1747 else
1748 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
1749 break;
1750 case ISAKMP_IPSEC_ATTRIB_GROUP_DESC:
1751 if (dh_grp &&
1752 a->af == isakmp_attr_16 &&
1753 a->u.attr_16 ==
1754 get_dh_group_ipsec(s->do_pfs)->ipsec_sa_id)
1755 seen_group = 1;
1756 else
1757 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
1758 break;
1759 case ISAKMP_IPSEC_ATTRIB_KEY_LENGTH:
1760 if (a->af == isakmp_attr_16)
1761 seen_keylen = a->u.attr_16;
1762 else
1763 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
1764 break;
1765 case ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE:
1766 case ISAKMP_IPSEC_ATTRIB_SA_LIFE_DURATION:
1767 break;
1768 default:
1769 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
1770 break;
1771 }
1772 if (reject == 0 && (!seen_auth || !seen_encap ||
1773 (dh_grp && !seen_group)))
1774 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
1775
1776 if (reject == 0
1777 && get_algo(SUPP_ALGO_HASH, SUPP_ALGO_IPSEC_SA, seen_auth,
1778 NULL, 0) == NULL)
1779 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
1780 if (reject == 0
1781 && get_algo(SUPP_ALGO_CRYPT, SUPP_ALGO_IPSEC_SA, seen_enc,
1782 NULL, seen_keylen) == NULL)
1783 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
1784
1785 if (reject == 0) {
1786 ipsec_cry_algo =
1787 get_algo(SUPP_ALGO_CRYPT, SUPP_ALGO_IPSEC_SA,
1788 seen_enc, NULL, seen_keylen)->my_id;
1789 ipsec_hash_algo =
1790 get_algo(SUPP_ALGO_HASH, SUPP_ALGO_IPSEC_SA,
1791 seen_auth, NULL, 0)->my_id;
1792 DEBUG(1, printf("IPSEC SA selected %s-%s\n",
1793 get_algo(SUPP_ALGO_CRYPT,
1794 SUPP_ALGO_IPSEC_SA, seen_enc, NULL,
1795 seen_keylen)->name,
1796 get_algo(SUPP_ALGO_HASH, SUPP_ALGO_IPSEC_SA,
1797 seen_auth, NULL, 0)->name));
1798 }
1799 }
1800 break;
1801
1802 case ISAKMP_PAYLOAD_N:
1803 break;
1804 case ISAKMP_PAYLOAD_ID:
1805 break;
1806 case ISAKMP_PAYLOAD_KE:
1807 ke = rp;
1808 break;
1809 case ISAKMP_PAYLOAD_NONCE:
1810 nonce_r = rp;
1811 break;
1812
1813 default:
1814 reject = ISAKMP_N_INVALID_PAYLOAD_TYPE;
1815 break;
1816 }
1817
1818 if (reject == 0 && nonce_r == NULL)
1819 reject = ISAKMP_N_INVALID_HASH_INFORMATION;
1820 if (reject == 0 && dh_grp && (ke == NULL || ke->u.ke.length != dh_getlen(dh_grp)))
1821 reject = ISAKMP_N_INVALID_KEY_INFORMATION;
1822 if (reject != 0)
1823 phase2_fatal(s, "quick mode response rejected [2]: %s", reject);
1824
1825 /* send final packet */
1826 sendrecv_phase2(s, NULL, ISAKMP_EXCHANGE_IKE_QUICK,
1827 msgid, 1, 0, 0, 0, nonce, sizeof(nonce),
1828 nonce_r->u.nonce.data, nonce_r->u.nonce.length);
1829
1830 DEBUG(2, printf("S7.7\n"));
1831 /* Create the delete payload, now that we have all the information. */
1832 {
1833 struct isakmp_payload *d_isakmp, *d_ipsec;
1834 uint32_t del_msgid;
1835
1836 gcry_randomize((uint8_t *) & del_msgid, sizeof(del_msgid), GCRY_WEAK_RANDOM);
1837 d_isakmp = new_isakmp_payload(ISAKMP_PAYLOAD_D);
1838 d_isakmp->u.d.doi = ISAKMP_DOI_IPSEC;
1839 d_isakmp->u.d.protocol = ISAKMP_IPSEC_PROTO_ISAKMP;
1840 d_isakmp->u.d.spi_length = 2 * ISAKMP_COOKIE_LENGTH;
1841 d_isakmp->u.d.num_spi = 1;
1842 d_isakmp->u.d.spi = xallocc(1 * sizeof(uint8_t *));
1843 d_isakmp->u.d.spi[0] = xallocc(2 * ISAKMP_COOKIE_LENGTH);
1844 memcpy(d_isakmp->u.d.spi[0] + ISAKMP_COOKIE_LENGTH * 0, s->i_cookie,
1845 ISAKMP_COOKIE_LENGTH);
1846 memcpy(d_isakmp->u.d.spi[0] + ISAKMP_COOKIE_LENGTH * 1, s->r_cookie,
1847 ISAKMP_COOKIE_LENGTH);
1848 d_ipsec = new_isakmp_payload(ISAKMP_PAYLOAD_D);
1849 d_ipsec->next = d_isakmp;
1850 d_ipsec->u.d.doi = ISAKMP_DOI_IPSEC;
1851 d_ipsec->u.d.protocol = ISAKMP_IPSEC_PROTO_IPSEC_ESP;
1852 d_ipsec->u.d.spi_length = 4;
1853 d_ipsec->u.d.num_spi = 2;
1854 d_ipsec->u.d.spi = xallocc(2 * sizeof(uint8_t *));
1855 d_ipsec->u.d.spi[0] = xallocc(d_ipsec->u.d.spi_length);
1856 memcpy(d_ipsec->u.d.spi[0], &s->tous_esp_spi, 4);
1857 d_ipsec->u.d.spi[1] = xallocc(d_ipsec->u.d.spi_length);
1858 memcpy(d_ipsec->u.d.spi[1], &s->tothem_esp_spi, 4);
1859 phase2_authpacket(s, d_ipsec, ISAKMP_EXCHANGE_INFORMATIONAL,
1860 del_msgid, &s->kill_packet, &s->kill_packet_size,
1861 nonce, sizeof(nonce), nonce_r->u.nonce.data, nonce_r->u.nonce.length);
1862 isakmp_crypt(s, s->kill_packet, s->kill_packet_size, 1);
1863 }
1864 DEBUG(2, printf("S7.8\n"));
1865
1866 /* Set up the interface here so it's ready when our acknowledgement
1867 * arrives. */
1868 config_tunnel(tun_name);
1869 DEBUG(2, printf("S7.9\n"));
1870 {
1871 uint8_t *tous_keys, *tothem_keys;
1872 struct sockaddr_in tothem_dest;
1873 unsigned char *dh_shared_secret = NULL;
1874
1875 if (dh_grp) {
1876 /* Determine the shared secret. */
1877 dh_shared_secret = xallocc(dh_getlen(dh_grp));
1878 dh_create_shared(dh_grp, dh_shared_secret, ke->u.ke.data);
1879 hex_dump("dh_shared_secret", dh_shared_secret, dh_getlen(dh_grp));
1880 }
1881 tous_keys = gen_keymat(s, ISAKMP_IPSEC_PROTO_IPSEC_ESP, s->tous_esp_spi,
1882 ipsec_hash_algo, ipsec_cry_algo,
1883 dh_shared_secret, dh_grp ? dh_getlen(dh_grp) : 0,
1884 nonce, sizeof(nonce), nonce_r->u.nonce.data, nonce_r->u.nonce.length);
1885 memset(&tothem_dest, 0, sizeof(tothem_dest));
1886 tothem_dest.sin_family = AF_INET;
1887 memcpy(&tothem_dest.sin_addr, s->our_address, 4);
1888 tothem_keys = gen_keymat(s, ISAKMP_IPSEC_PROTO_IPSEC_ESP, s->tothem_esp_spi,
1889 ipsec_hash_algo, ipsec_cry_algo,
1890 dh_shared_secret, dh_grp ? dh_getlen(dh_grp) : 0,
1891 nonce, sizeof(nonce), nonce_r->u.nonce.data, nonce_r->u.nonce.length);
1892 DEBUG(2, printf("S7.10\n"));
1893 vpnc_doit(s->tous_esp_spi, tous_keys, &tothem_dest,
1894 s->tothem_esp_spi, tothem_keys, (struct sockaddr_in *)dest_addr,
1895 tun_fd, ipsec_hash_algo, ipsec_cry_algo,
1896 s->kill_packet, s->kill_packet_size, dest_addr, config[CONFIG_PID_FILE]);
1897 }
1898 }
1899
1900 int main(int argc, char **argv)
1901 {
1902 struct sa_block oursa;
1903 int do_load_balance;
1904 const uint8_t hex_test[] = { 0, 1, 2, 3 };
1905
1906 test_pack_unpack();
1907 gcry_check_version("1.1.90");
1908 gcry_control(GCRYCTL_INIT_SECMEM, 16384, 0);
1909 group_init();
1910
1911 do_config(argc, argv);
1912
1913 hex_dump("hex_test", hex_test, sizeof(hex_test));
1914
1915 DEBUG(1, printf("vpnc version " VERSION "\n"));
1916 DEBUG(2, printf("S1\n"));
1917 dest_addr = init_sockaddr(config[CONFIG_IPSEC_GATEWAY], 500);
1918 DEBUG(2, printf("S2\n"));
1919 sockfd = make_socket(atoi(config[CONFIG_LOCAL_PORT]));
1920 DEBUG(2, printf("S3\n"));
1921 setup_tunnel();
1922
1923 do {
1924 DEBUG(2, printf("S4\n"));
1925 memset(&oursa, '\0', sizeof(oursa));
1926 do_phase_1(config[CONFIG_IPSEC_ID], config[CONFIG_IPSEC_SECRET], &oursa);
1927 DEBUG(2, printf("S5\n"));
1928 do_load_balance = do_phase_2_xauth(&oursa);
1929 } while (do_load_balance);
1930 DEBUG(2, printf("S6\n"));
1931 do_phase_2_config(&oursa);
1932 DEBUG(2, printf("S7\n"));
1933 setup_link(&oursa);
1934
1935 return 0;
1936 }
client for cisco vpn concentrator