search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
terminate config reading on EOT/Ctl-D instead of just on pipe close
[vpnc.git] / vpnc.c
blobb3518b659aa74c299a9077871daa746c97a2b100
1 /* IPSec VPN client compatible with Cisco equipment.
2 Copyright (C) 2002 Geoffrey Keating
3 Copyright (C) 2003-2005 Maurice Massar
4 Copyright (C) 2004 Tomas Mraz
5 Copyright (C) 2004 Martin von Gagern
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 2 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program; if not, write to the Free Software
19 Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
20
21 $Id$
22 */
23
24 #define _GNU_SOURCE
25 #include <assert.h>
26 #include <unistd.h>
27 #include <sys/fcntl.h>
28 #include <stdio.h>
29 #include <errno.h>
30 #include <string.h>
31 #include <time.h>
32 #include <stdlib.h>
33 #include <sys/socket.h>
34 #include <netinet/in.h>
35 #include <netdb.h>
36 #include <arpa/inet.h>
37 #include <poll.h>
38 #include <sys/ioctl.h>
39 #include <sys/utsname.h>
40
41 #include <gcrypt.h>
42
43 #include "crypto.h"
44 #include "sysdep.h"
45 #include "config.h"
46 #include "isakmp-pkt.h"
47 #include "math_group.h"
48 #include "dh.h"
49 #include "vpnc.h"
50 #include "tunip.h"
51 #include "supp.h"
52
53 #if defined(__CYGWIN__)
54 GCRY_THREAD_OPTION_PTHREAD_IMPL;
55 #endif
56
57 #define ISAKMP_PORT (500)
58 #define ISAKMP_PORT_NATT (4500)
59
60 const unsigned char VID_XAUTH[] = { /* "draft-ietf-ipsra-isakmp-xauth-06.txt"/8 */
61 0x09, 0x00, 0x26, 0x89, 0xDF, 0xD6, 0xB7, 0x12
62 };
63 const unsigned char VID_DPD[] = { /* Dead Peer Detection, RFC 3706 */
64 0xAF, 0xCA, 0xD7, 0x13, 0x68, 0xA1, 0xF1, 0xC9,
65 0x6B, 0x86, 0x96, 0xFC, 0x77, 0x57, 0x01, 0x00
66 };
67 const unsigned char VID_UNITY[] = { /* "CISCO-UNITY"/14 + major + minor */
68 0x12, 0xF5, 0xF2, 0x8C, 0x45, 0x71, 0x68, 0xA9,
69 0x70, 0x2D, 0x9F, 0xE2, 0x74, 0xCC, 0x01, 0x00
70 };
71 const unsigned char VID_UNKNOWN[] = {
72 0x12, 0x6E, 0x1F, 0x57, 0x72, 0x91, 0x15, 0x3B,
73 0x20, 0x48, 0x5F, 0x7F, 0x15, 0x5B, 0x4B, 0xC8
74 };
75 const unsigned char VID_NATT_00[] = { /* "draft-ietf-ipsec-nat-t-ike-00" */
76 0x44, 0x85, 0x15, 0x2d, 0x18, 0xb6, 0xbb, 0xcd,
77 0x0b, 0xe8, 0xa8, 0x46, 0x95, 0x79, 0xdd, 0xcc
78 };
79 const unsigned char VID_NATT_01[] = { /* "draft-ietf-ipsec-nat-t-ike-01" */
80 0x16, 0xf6, 0xca, 0x16, 0xe4, 0xa4, 0x06, 0x6d,
81 0x83, 0x82, 0x1a, 0x0f, 0x0a, 0xea, 0xa8, 0x62
82 };
83 const unsigned char VID_NATT_02[] = { /* "draft-ietf-ipsec-nat-t-ike-02" */
84 0xcd, 0x60, 0x46, 0x43, 0x35, 0xdf, 0x21, 0xf8,
85 0x7c, 0xfd, 0xb2, 0xfc, 0x68, 0xb6, 0xa4, 0x48
86 };
87 const unsigned char VID_NATT_02N[] = { /* "draft-ietf-ipsec-nat-t-ike-02\n" */
88 0x90, 0xCB, 0x80, 0x91, 0x3E, 0xBB, 0x69, 0x6E,
89 0x08, 0x63, 0x81, 0xB5, 0xEC, 0x42, 0x7B, 0x1F
90 };
91 const unsigned char VID_NATT_03[] = { /* "draft-ietf-ipsec-nat-t-ike-03" */
92 0x7d, 0x94, 0x19, 0xa6, 0x53, 0x10, 0xca, 0x6f,
93 0x2c, 0x17, 0x9d, 0x92, 0x15, 0x52, 0x9d, 0x56
94 };
95 const unsigned char VID_NATT_RFC[] = { /* "RFC 3947" */
96 0x4A, 0x13, 0x1C, 0x81, 0x07, 0x03, 0x58, 0x45,
97 0x5C, 0x57, 0x28, 0xF2, 0x0E, 0x95, 0x45, 0x2F
98 };
99 const unsigned char VID_DWR[] = { /* DWR: Delete with reason */
100 0x2D, 0x79, 0x22, 0xC6, 0xB3, 0x01, 0xD9, 0xB0,
101 0xE1, 0x34, 0x27, 0x39, 0xE9, 0xCF, 0xBB, 0xD5
102 };
103 /* Cisco Unknown1:
104 *const unsigned char VID_CISCO_UNKNOWN_1[] = {
105 * 1f07f70eaa6514d3b0fa96542a500407
106 *};
107 */
108
109 const unsigned char VID_CISCO_FRAG[] = { /* "FRAGMENTATION" */
110 0x40, 0x48, 0xB7, 0xD5, 0x6E, 0xBC, 0xE8, 0x85,
111 0x25, 0xE7, 0xDE, 0x7F, 0x00, 0xD6, 0xC2, 0xD3,
112 0x80, 0x00, 0x00, 0x00
113 };
114 const unsigned char VID_NETSCREEN_15[] = { /* netscreen 15 */
115 0x16, 0x6f, 0x93, 0x2d, 0x55, 0xeb, 0x64, 0xd8,
116 0xe4, 0xdf, 0x4f, 0xd3, 0x7e, 0x23, 0x13, 0xf0,
117 0xd0, 0xfd, 0x84, 0x51, 0x00, 0x00, 0x00, 0x00,
118 0x00, 0x00, 0x00, 0x00
119 };
120 const unsigned char VID_HEARTBEAT_NOTIFY[] = { /* Heartbeat Notify */
121 0x48, 0x65, 0x61, 0x72, 0x74, 0x42, 0x65, 0x61,
122 0x74, 0x5f, 0x4e, 0x6f, 0x74, 0x69, 0x66, 0x79,
123 0x38, 0x6b, 0x01, 0x00
124 };
125 const unsigned char VID_NORTEL_CONT[] = { /* BNES: Bay Networks Enterprise Switch + version/id of some kind */
126 0x42, 0x4e, 0x45, 0x53, 0x00, 0x00, 0x00, 0x0a
127 };
128
129 const unsigned char FW_UNKNOWN_TYPEINFO[] = {
130 0x80, 0x01, 0x00, 0x01, 0x80, 0x02, 0x00, 0x01,
131 0x80, 0x03, 0x00, 0x02
132 };
133
134 struct vid_element {
135 const unsigned char* valueptr;
136 const uint16_t length;
137 const char* descr;
138 };
139
140 const struct vid_element vid_list[] = {
141 { VID_XAUTH, sizeof(VID_XAUTH), "Xauth" },
142 { VID_DPD, sizeof(VID_DPD), "DPD" },
143 { VID_UNITY, sizeof(VID_UNITY), "Cisco Unity" },
144 { VID_NATT_00, sizeof(VID_NATT_00), "Nat-T 00" },
145 { VID_NATT_01, sizeof(VID_NATT_01), "Nat-T 01" },
146 { VID_NATT_02, sizeof(VID_NATT_02), "Nat-T 02" },
147 { VID_NATT_02N, sizeof(VID_NATT_02N), "Nat-T 02N" },
148 { VID_NATT_03, sizeof(VID_NATT_03), "Nat-T 03" },
149 { VID_NATT_RFC, sizeof(VID_NATT_RFC), "Nat-T RFC" },
150 { VID_DWR, sizeof(VID_DWR), "Delete With Reason" },
151 { VID_CISCO_FRAG, sizeof(VID_CISCO_FRAG), "Cisco Fragmentation" },
152 { VID_NETSCREEN_15, sizeof(VID_NETSCREEN_15), "Netscreen 15" },
153 { VID_NORTEL_CONT, sizeof(VID_NORTEL_CONT), "Nortel Contivity" },
154 { VID_HEARTBEAT_NOTIFY, sizeof(VID_HEARTBEAT_NOTIFY), "Heartbeat Notify" },
155
156 { NULL, 0, NULL }
157 };
158
159 /* What are DWR-Code and DWR-Text ? */
160
161 static uint8_t r_packet[8192];
162 static ssize_t r_length;
163
164 static struct sa_block *s_atexit_sa;
165
166 static void close_tunnel(struct sa_block *s);
167
168 void print_vid(const unsigned char *vid, uint16_t len) {
169
170 int vid_index = 0;
171
172 if (opt_debug < 2)
173 return;
174
175 while (vid_list[vid_index].length) {
176 if (len == vid_list[vid_index].length &&
177 memcmp(vid_list[vid_index].valueptr, vid, len) == 0) {
178 printf(" (%s)\n", vid_list[vid_index].descr);
179 return;
180 }
181 vid_index++;
182 }
183 printf(" (unknown)\n");
184 }
185
186 static __inline__ int min(int a, int b)
187 {
188 return (a < b) ? a : b;
189 }
190
191 static void addenv(const void *name, const char *value)
192 {
193 char *strbuf = NULL, *oldval;
194
195 oldval = getenv(name);
196 if (oldval != NULL) {
197 strbuf = xallocc(strlen(oldval) + 1 + strlen(value) + 1);
198 strcat(strbuf, oldval);
199 strcat(strbuf, " ");
200 strcat(strbuf, value);
201 }
202
203 setenv(name, strbuf ? strbuf : value, 1);
204
205 free(strbuf);
206 }
207
208 static void addenv_ipv4(const void *name, uint8_t * data)
209 {
210 addenv(name, inet_ntoa(*((struct in_addr *)data)));
211 }
212
213 static int make_socket(struct sa_block *s, uint16_t src_port, uint16_t dst_port)
214 {
215 int sock;
216 struct sockaddr_in name;
217 socklen_t len = sizeof(name);
218
219 /* create the socket */
220 sock = socket(PF_INET, SOCK_DGRAM, 0);
221 if (sock < 0)
222 error(1, errno, "making socket");
223
224 #ifdef FD_CLOEXEC
225 /* do not pass socket to vpnc-script, etc. */
226 fcntl(sock, F_SETFD, FD_CLOEXEC);
227 #endif
228
229 /* give the socket a name */
230 name.sin_family = AF_INET;
231 name.sin_addr = s->opt_src_ip;
232 name.sin_port = htons(src_port);
233 if (bind(sock, (struct sockaddr *)&name, sizeof(name)) < 0)
234 error(1, errno, "Error binding to source port. Try '--local-port 0'\nFailed to bind to %s:%d", inet_ntoa(s->opt_src_ip), src_port);
235
236 /* connect the socket */
237 name.sin_family = AF_INET;
238 name.sin_addr = s->dst;
239 name.sin_port = htons(dst_port);
240 if (connect(sock, (struct sockaddr *)&name, sizeof(name)) < 0)
241 error(1, errno, "connecting to port %d", ntohs(dst_port));
242
243 /* who am I */
244 if (getsockname(sock, (struct sockaddr *)&name, &len) < 0)
245 error(1, errno, "reading local address from socket %d", sock);
246 s->src = name.sin_addr;
247
248 return sock;
249 }
250
251 static void cleanup(struct sa_block *s) {
252 if (s->ike_fd != 0) {
253 close(s->ike_fd);
254 s->ike_fd = 0;
255 }
256 if (s->esp_fd != 0) {
257 close(s->esp_fd);
258 s->esp_fd = 0;
259 }
260 if (s->ike.resend_hash) {
261 free(s->ike.resend_hash);
262 s->ike.resend_hash = NULL;
263 }
264 if (s->ike.skeyid_d) {
265 free(s->ike.skeyid_d);
266 s->ike.skeyid_d = NULL;
267 }
268 if (s->ike.skeyid_a) {
269 free(s->ike.skeyid_a);
270 s->ike.skeyid_a = NULL;
271 }
272 if (s->ike.initial_iv) {
273 free(s->ike.initial_iv);
274 s->ike.initial_iv = NULL;
275 }
276 if (s->ike.current_iv) {
277 free(s->ike.current_iv);
278 s->ike.current_iv = NULL;
279 }
280 if (s->ike.key) {
281 free(s->ike.key);
282 s->ike.key = NULL;
283 }
284 if (s->ipsec.rx.key) {
285 free(s->ipsec.rx.key);
286 s->ipsec.rx.key = NULL;
287 }
288 if (s->ipsec.tx.key) {
289 free(s->ipsec.tx.key);
290 s->ipsec.tx.key = NULL;
291 }
292 if (s->ipsec.rx.cry_ctx) {
293 gcry_cipher_close(s->ipsec.rx.cry_ctx);
294 s->ipsec.rx.cry_ctx = NULL;
295 }
296 if (s->ipsec.tx.cry_ctx) {
297 gcry_cipher_close(s->ipsec.tx.cry_ctx);
298 s->ipsec.tx.cry_ctx = NULL;
299 }
300 }
301
302 static void init_sockaddr(struct in_addr *dst, const char *hostname)
303 {
304 struct hostent *hostinfo;
305
306 if (inet_aton(hostname, dst) == 0) {
307 hostinfo = gethostbyname(hostname);
308 if (hostinfo == NULL)
309 error(1, 0, "unknown host `%s'\n", hostname);
310 *dst = *(struct in_addr *)hostinfo->h_addr;
311 }
312 }
313
314 static void init_netaddr(struct in_addr *net, const char *string)
315 {
316 char *p;
317
318 if ((p = strchr(string, '/')) != NULL) {
319 char *host = xallocc(p - string + 1);
320 memcpy(host, string, p - string + 1);
321 host[p - string] = '\0';
322 init_sockaddr((struct in_addr *)net, host);
323 free(host);
324 if (strchr(p + 1, '.') != NULL)
325 init_sockaddr(net + 1, p + 1);
326 else {
327 int bits = atoi(p + 1);
328 unsigned long mask = (1 << bits) - 1;
329 memcpy((char *)(net + 1), (char *)&mask, 4);
330 }
331 } else {
332 memset((char *)net, 0, 8);
333 }
334 }
335
336 static void setup_tunnel(struct sa_block *s)
337 {
338 setenv("reason", "pre-init", 1);
339 system(config[CONFIG_SCRIPT]);
340
341 if (config[CONFIG_IF_NAME])
342 memcpy(s->tun_name, config[CONFIG_IF_NAME], strlen(config[CONFIG_IF_NAME]));
343
344 s->tun_fd = tun_open(s->tun_name, opt_if_mode);
345 DEBUG(2, printf("using interface %s\n", s->tun_name));
346 setenv("TUNDEV", s->tun_name, 1);
347
348 if (s->tun_fd == -1)
349 error(1, errno, "can't initialise tunnel interface");
350 #ifdef FD_CLOEXEC
351 /* do not pass socket to vpnc-script, etc. */
352 fcntl(s->tun_fd, F_SETFD, FD_CLOEXEC);
353 #endif
354
355 if (opt_if_mode == IF_MODE_TAP) {
356 if (tun_get_hwaddr(s->tun_fd, s->tun_name, s->tun_hwaddr) < 0) {
357 error(1, errno, "can't get tunnel HW address");
358 }
359 hex_dump("interface HW addr", s->tun_hwaddr, ETH_ALEN, NULL);
360 }
361
362 unsetenv("INTERNAL_IP4_MTU");
363 if (config[CONFIG_IF_MTU]) {
364 int mtu;
365
366 mtu = atoi(config[CONFIG_IF_MTU]);
367 if (mtu < 0 || mtu > 65535) {
368 DEBUG(1, printf("ignore MTU option. Use automatic detection\n"));
369 mtu = 0;
370 }
371 if (mtu > 0) {
372 char *strbuf;
373 asprintf(&strbuf, "%d", mtu);
374 setenv("INTERNAL_IP4_MTU", strbuf, 1);
375 free(strbuf);
376 }
377 }
378 }
379
380 static void atexit_close(void)
381 {
382 if (s_atexit_sa != NULL) {
383 close_tunnel(s_atexit_sa);
384 s_atexit_sa = NULL;
385 }
386 }
387
388 static void config_tunnel(struct sa_block *s)
389 {
390 setenv("VPNGATEWAY", inet_ntoa(s->dst), 1);
391 setenv("reason", "connect", 1);
392 system(config[CONFIG_SCRIPT]);
393 s_atexit_sa = s;
394 atexit(atexit_close);
395 }
396
397 static void close_tunnel(struct sa_block *s)
398 {
399 setenv("reason", "disconnect", 1);
400 system(config[CONFIG_SCRIPT]);
401 tun_close(s->tun_fd, s->tun_name);
402 }
403
404 static int recv_ignore_dup(struct sa_block *s, void *recvbuf, size_t recvbufsize)
405 {
406 uint8_t *resend_check_hash;
407 int recvsize, hash_len;
408
409 recvsize = recv(s->ike_fd, recvbuf, recvbufsize, 0);
410 if (recvsize < 0)
411 error(1, errno, "receiving packet");
412 if ((unsigned int)recvsize > recvbufsize)
413 error(1, errno, "received packet too large for buffer");
414
415 /* skip (not only) NAT-T draft-0 keepalives */
416 if ( /* (s->ipsec.natt_active_mode == NATT_ACTIVE_DRAFT_OLD) && */
417 (recvsize == 1) && (*((u_char *)(recvbuf)) == 0xff))
418 {
419 if ((s->ipsec.natt_active_mode != NATT_ACTIVE_DRAFT_OLD))
420 {
421 DEBUG(2, printf("Received UDP NAT-Keepalive bug nat active mode incorrect: %d\n", s->ipsec.natt_active_mode));
422 }
423 return -1;
424 }
425
426 hash_len = gcry_md_get_algo_dlen(GCRY_MD_SHA1);
427 resend_check_hash = malloc(hash_len);
428 gcry_md_hash_buffer(GCRY_MD_SHA1, resend_check_hash, recvbuf, recvsize);
429 if (s->ike.resend_hash && memcmp(s->ike.resend_hash, resend_check_hash, hash_len) == 0) {
430 free(resend_check_hash);
431 /* FIXME: if we get a retransmission, we probably should do a retransmission too */
432 DEBUG(2, printf("Received duplicated packet, dropping it!\n"));
433 return -1;
434 }
435 if (!s->ike.resend_hash) {
436 s->ike.resend_hash = resend_check_hash;
437 } else {
438 memcpy(s->ike.resend_hash, resend_check_hash, hash_len);
439 free(resend_check_hash);
440 }
441
442 return recvsize;
443 }
444
445 /* Send TOSEND of size SENDSIZE to the socket. Then wait for a new packet,
446 resending TOSEND on timeout, and ignoring duplicate packets; the
447 new packet is put in RECVBUF of size RECVBUFSIZE and the actual size
448 of the new packet is returned. */
449
450 static ssize_t sendrecv(struct sa_block *s, void *recvbuf, size_t recvbufsize, void *tosend, size_t sendsize, int sendonly)
451 {
452 struct pollfd pfd;
453 int tries = 0;
454 int recvsize = -1;
455 time_t start = time(NULL);
456 time_t end = 0;
457 void *realtosend;
458
459 pfd.fd = s->ike_fd;
460 pfd.events = POLLIN;
461 tries = 0;
462
463 if ((s->ipsec.natt_active_mode == NATT_ACTIVE_RFC) && (tosend != NULL)) {
464 DEBUG(2, printf("NAT-T mode, adding non-esp marker\n"));
465 realtosend = xallocc(sendsize+4);
466 memmove((char*)realtosend+4, tosend, sendsize);
467 sendsize += 4;
468 } else {
469 realtosend = tosend;
470 }
471
472 for (;;) {
473 int pollresult;
474
475 if (realtosend != NULL)
476 if (write(s->ike_fd, realtosend, sendsize) != (int)sendsize)
477 error(1, errno, "can't send packet");
478 if (sendonly)
479 break;
480
481 do {
482 pollresult = poll(&pfd, 1, s->ike.timeout << tries);
483 } while (pollresult == -1 && errno == EINTR);
484
485 if (pollresult == -1)
486 error(1, errno, "can't poll socket");
487 if (pollresult != 0) {
488 recvsize = recv_ignore_dup(s, recvbuf, recvbufsize);
489 end = time(NULL);
490 if (recvsize != -1)
491 break;
492 continue;
493 }
494
495 if (tries > 2)
496 error(1, 0, "no response from target");
497 tries++;
498 }
499
500 if (realtosend != tosend)
501 free(realtosend);
502
503 if (sendonly)
504 return 0;
505
506 if ((s->ipsec.natt_active_mode == NATT_ACTIVE_RFC)&&(recvsize > 4)) {
507 recvsize -= 4; /* 4 bytes non-esp marker */
508 memmove(recvbuf, (char *)recvbuf+4, recvsize);
509 }
510
511 DEBUGTOP(3, printf("\n receiving: <========================\n"));
512
513 /* Wait at least 2s for a response or 4 times the time it took
514 * last time. */
515 if (start >= end)
516 s->ike.timeout = 2000;
517 else
518 s->ike.timeout = 4000 * (end - start);
519
520 return recvsize;
521 }
522
523 static int isakmp_crypt(struct sa_block *s, uint8_t * block, size_t blocklen, int enc)
524 {
525 unsigned char *new_iv, *iv = NULL;
526 int info_ex;
527 gcry_cipher_hd_t cry_ctx;
528
529 if (blocklen < ISAKMP_PAYLOAD_O || ((blocklen - ISAKMP_PAYLOAD_O) % s->ike.ivlen != 0))
530 abort();
531
532 if (!enc && (memcmp(block + ISAKMP_I_COOKIE_O, s->ike.i_cookie, ISAKMP_COOKIE_LENGTH) != 0
533 || memcmp(block + ISAKMP_R_COOKIE_O, s->ike.r_cookie, ISAKMP_COOKIE_LENGTH) != 0)) {
534 DEBUG(2, printf("got packet with wrong cookies\n"));
535 return ISAKMP_N_INVALID_COOKIE;
536 }
537
538 info_ex = block[ISAKMP_EXCHANGE_TYPE_O] == ISAKMP_EXCHANGE_INFORMATIONAL;
539
540 if (memcmp(block + ISAKMP_MESSAGE_ID_O, s->ike.current_iv_msgid, 4) != 0) {
541 gcry_md_hd_t md_ctx;
542
543 gcry_md_open(&md_ctx, s->ike.md_algo, 0);
544 gcry_md_write(md_ctx, s->ike.initial_iv, s->ike.ivlen);
545 gcry_md_write(md_ctx, block + ISAKMP_MESSAGE_ID_O, 4);
546 gcry_md_final(md_ctx);
547 if (info_ex) {
548 iv = xallocc(s->ike.ivlen);
549 memcpy(iv, gcry_md_read(md_ctx, 0), s->ike.ivlen);
550 } else {
551 memcpy(s->ike.current_iv, gcry_md_read(md_ctx, 0), s->ike.ivlen);
552 memcpy(s->ike.current_iv_msgid, block + ISAKMP_MESSAGE_ID_O, 4);
553 }
554 gcry_md_close(md_ctx);
555 } else if (info_ex) {
556 abort();
557 }
558
559 if (!info_ex) {
560 iv = s->ike.current_iv;
561 }
562
563 new_iv = xallocc(s->ike.ivlen);
564 gcry_cipher_open(&cry_ctx, s->ike.cry_algo, GCRY_CIPHER_MODE_CBC, 0);
565 gcry_cipher_setkey(cry_ctx, s->ike.key, s->ike.keylen);
566 gcry_cipher_setiv(cry_ctx, iv, s->ike.ivlen);
567 if (!enc) {
568 memcpy(new_iv, block + blocklen - s->ike.ivlen, s->ike.ivlen);
569 gcry_cipher_decrypt(cry_ctx, block + ISAKMP_PAYLOAD_O, blocklen - ISAKMP_PAYLOAD_O,
570 NULL, 0);
571 if (!info_ex)
572 memcpy(s->ike.current_iv, new_iv, s->ike.ivlen);
573 } else {
574 gcry_cipher_encrypt(cry_ctx, block + ISAKMP_PAYLOAD_O, blocklen - ISAKMP_PAYLOAD_O,
575 NULL, 0);
576 if (!info_ex)
577 memcpy(s->ike.current_iv, block + blocklen - s->ike.ivlen, s->ike.ivlen);
578 }
579 gcry_cipher_close(cry_ctx);
580
581 free(new_iv);
582 if (info_ex)
583 free(iv);
584
585 return 0;
586 }
587
588 static uint16_t unpack_verify_phase2(struct sa_block *s, uint8_t * r_packet,
589 size_t r_length, struct isakmp_packet **r_p, const uint8_t * nonce, size_t nonce_size)
590 {
591 struct isakmp_packet *r;
592 int reject = 0;
593
594 *r_p = NULL;
595
596 /* Some users report "payload ... not padded..." errors. It seems that they
597 * are harmless, so ignore and fix the symptom
598 */
599 if (r_length < ISAKMP_PAYLOAD_O ||
600 ((r_length - ISAKMP_PAYLOAD_O) % s->ike.ivlen != 0)) {
601 DEBUG(2, printf("payload too short or not padded: len=%lld, min=%d (ivlen=%lld)\n",
602 (long long)r_length, ISAKMP_PAYLOAD_O, (long long)s->ike.ivlen));
603 hex_dump("Payload", r_packet, r_length, NULL);
604 if (r_length < ISAKMP_PAYLOAD_O ) {
605 return ISAKMP_N_UNEQUAL_PAYLOAD_LENGTHS;
606 }
607 r_length -= (r_length - ISAKMP_PAYLOAD_O) % s->ike.ivlen;
608 }
609
610 reject = isakmp_crypt(s, r_packet, r_length, 0);
611 if (reject != 0)
612 return reject;
613
614 s->ike.life.rx += r_length;
615
616 {
617 r = parse_isakmp_packet(r_packet, r_length, &reject);
618 if (reject != 0) {
619 if (r) free_isakmp_packet(r);
620 return reject;
621 }
622 }
623
624 /* Verify the basic stuff. */
625 if (r->flags != ISAKMP_FLAG_E) {
626 free_isakmp_packet(r);
627 return ISAKMP_N_INVALID_FLAGS;
628 }
629
630 {
631 size_t sz, spos;
632 gcry_md_hd_t hm;
633 unsigned char *expected_hash;
634 struct isakmp_payload *h = r->payload;
635
636 if (h == NULL || h->type != ISAKMP_PAYLOAD_HASH || h->u.hash.length != s->ike.md_len) {
637 free_isakmp_packet(r);
638 return ISAKMP_N_INVALID_HASH_INFORMATION;
639 }
640
641 spos = (ISAKMP_PAYLOAD_O + (r_packet[ISAKMP_PAYLOAD_O + 2] << 8)
642 + r_packet[ISAKMP_PAYLOAD_O + 3]);
643
644 /* Compute the real length based on the payload lengths. */
645 for (sz = spos; r_packet[sz] != 0; sz += r_packet[sz + 2] << 8 | r_packet[sz + 3]) ;
646 sz += r_packet[sz + 2] << 8 | r_packet[sz + 3];
647
648 gcry_md_open(&hm, s->ike.md_algo, GCRY_MD_FLAG_HMAC);
649 gcry_md_setkey(hm, s->ike.skeyid_a, s->ike.md_len);
650 gcry_md_write(hm, r_packet + ISAKMP_MESSAGE_ID_O, 4);
651 if (nonce)
652 gcry_md_write(hm, nonce, nonce_size);
653 gcry_md_write(hm, r_packet + spos, sz - spos);
654 gcry_md_final(hm);
655 expected_hash = gcry_md_read(hm, 0);
656
657 DEBUG(3,printf("hashlen: %lu\n", (unsigned long)s->ike.md_len));
658 DEBUG(3,printf("u.hash.length: %d\n", h->u.hash.length));
659 hex_dump("expected_hash", expected_hash, s->ike.md_len, NULL);
660 hex_dump("h->u.hash.data", h->u.hash.data, s->ike.md_len, NULL);
661
662 reject = 0;
663 if (memcmp(h->u.hash.data, expected_hash, s->ike.md_len) != 0)
664 reject = ISAKMP_N_AUTHENTICATION_FAILED;
665 gcry_md_close(hm);
666 #if 0
667 if (reject != 0) {
668 free_isakmp_packet(r);
669 return reject;
670 }
671 #endif
672 }
673 *r_p = r;
674 return 0;
675 }
676
677 static void
678 phase2_authpacket(struct sa_block *s, struct isakmp_payload *pl,
679 uint8_t exchange_type, uint32_t msgid,
680 uint8_t ** p_flat, size_t * p_size,
681 uint8_t * nonce_i, int ni_len, uint8_t * nonce_r, int nr_len)
682 {
683 struct isakmp_packet *p;
684 uint8_t *pl_flat;
685 size_t pl_size;
686 gcry_md_hd_t hm;
687 uint8_t msgid_sent[4];
688
689 /* Build up the packet. */
690 p = new_isakmp_packet();
691 memcpy(p->i_cookie, s->ike.i_cookie, ISAKMP_COOKIE_LENGTH);
692 memcpy(p->r_cookie, s->ike.r_cookie, ISAKMP_COOKIE_LENGTH);
693 p->flags = ISAKMP_FLAG_E;
694 p->isakmp_version = ISAKMP_VERSION;
695 p->exchange_type = exchange_type;
696 p->message_id = msgid;
697 p->payload = new_isakmp_payload(ISAKMP_PAYLOAD_HASH);
698 p->payload->next = pl;
699 p->payload->u.hash.length = s->ike.md_len;
700 p->payload->u.hash.data = xallocc(s->ike.md_len);
701
702 /* Set the MAC. */
703 gcry_md_open(&hm, s->ike.md_algo, GCRY_MD_FLAG_HMAC);
704 gcry_md_setkey(hm, s->ike.skeyid_a, s->ike.md_len);
705
706 if (pl == NULL) {
707 DEBUG(3, printf("authing NULL package!\n"));
708 gcry_md_write(hm, "" /* \0 */ , 1);
709 }
710
711 msgid_sent[0] = msgid >> 24;
712 msgid_sent[1] = msgid >> 16;
713 msgid_sent[2] = msgid >> 8;
714 msgid_sent[3] = msgid;
715 gcry_md_write(hm, msgid_sent, sizeof(msgid_sent));
716
717 if (nonce_i != NULL)
718 gcry_md_write(hm, nonce_i, ni_len);
719
720 if (nonce_r != NULL)
721 gcry_md_write(hm, nonce_r, nr_len);
722
723 if (pl != NULL) {
724 flatten_isakmp_payloads(pl, &pl_flat, &pl_size);
725 gcry_md_write(hm, pl_flat, pl_size);
726 memset(pl_flat, 0, pl_size);
727 free(pl_flat);
728 }
729
730 gcry_md_final(hm);
731 memcpy(p->payload->u.hash.data, gcry_md_read(hm, 0), s->ike.md_len);
732 gcry_md_close(hm);
733
734 flatten_isakmp_packet(p, p_flat, p_size, s->ike.ivlen);
735 free_isakmp_packet(p);
736 }
737
738 static void sendrecv_phase2(struct sa_block *s, struct isakmp_payload *pl,
739 uint8_t exchange_type, uint32_t msgid, int sendonly,
740 uint8_t * nonce_i, int ni_len, uint8_t * nonce_r, int nr_len)
741 {
742 uint8_t *p_flat;
743 size_t p_size;
744 ssize_t recvlen;
745
746 phase2_authpacket(s, pl, exchange_type, msgid, &p_flat, &p_size,
747 nonce_i, ni_len, nonce_r, nr_len);
748 isakmp_crypt(s, p_flat, p_size, 1);
749 s->ike.life.tx += p_size;
750
751 recvlen = sendrecv(s, r_packet, sizeof(r_packet), p_flat, p_size, sendonly);
752 if (sendonly == 0)
753 r_length = recvlen;
754
755 free(p_flat);
756 }
757
758 void keepalive_ike(struct sa_block *s)
759 {
760 uint32_t msgid;
761
762 gcry_create_nonce((uint8_t *) & msgid, sizeof(msgid));
763 sendrecv_phase2(s, NULL, ISAKMP_EXCHANGE_INFORMATIONAL, msgid, 1, 0, 0, 0, 0);
764 }
765
766 static void send_dpd(struct sa_block *s, int isack, uint32_t seqno)
767 {
768 struct isakmp_payload *pl;
769 uint32_t msgid;
770
771 pl = new_isakmp_payload(ISAKMP_PAYLOAD_N);
772 pl->u.n.doi = ISAKMP_DOI_IPSEC;
773 pl->u.n.protocol = ISAKMP_IPSEC_PROTO_ISAKMP;
774 pl->u.n.type = isack ? ISAKMP_N_R_U_THERE_ACK : ISAKMP_N_R_U_THERE;
775 pl->u.n.spi_length = 2 * ISAKMP_COOKIE_LENGTH;
776 pl->u.n.spi = xallocc(2 * ISAKMP_COOKIE_LENGTH);
777 memcpy(pl->u.n.spi + ISAKMP_COOKIE_LENGTH * 0, s->ike.i_cookie, ISAKMP_COOKIE_LENGTH);
778 memcpy(pl->u.n.spi + ISAKMP_COOKIE_LENGTH * 1, s->ike.r_cookie, ISAKMP_COOKIE_LENGTH);
779 pl->u.n.data_length = 4;
780 pl->u.n.data = xallocc(4);
781 *((uint32_t *) pl->u.n.data) = htonl(seqno);
782 gcry_create_nonce((uint8_t *) & msgid, sizeof(msgid));
783 /* 2007-09-06 JKU/ZID: Sonicwall drops non hashed r_u_there-requests */
784 sendrecv_phase2(s, pl, ISAKMP_EXCHANGE_INFORMATIONAL, msgid,
785 1 , NULL, 0, NULL, 0);
786 }
787
788 void dpd_ike(struct sa_block *s)
789 {
790 if (!s->ike.do_dpd)
791 return;
792
793 if (s->ike.dpd_seqno == s->ike.dpd_seqno_ack) {
794 /* Increase the sequence number, reset the attempts to 6, record
795 ** the current time and send a dpd request
796 */
797 s->ike.dpd_attempts = 6;
798 s->ike.dpd_sent = time(NULL);
799 s->ike.dpd_seqno++;
800 send_dpd(s, 0, s->ike.dpd_seqno);
801 } else {
802 /* Our last dpd request has not yet been acked. If it's been
803 ** less than 5 seconds since we sent it do nothing. Otherwise
804 ** decrement dpd_attempts. If dpd_attempts is 0 dpd fails and we
805 ** terminate otherwise we send it again with the same sequence
806 ** number and record current time.
807 */
808 time_t now = time(NULL);
809 if (now < s->ike.dpd_sent + 5)
810 return;
811 if (--s->ike.dpd_attempts == 0) {
812 DEBUG(2, printf("dead peer detected, terminating\n"));
813 do_kill = -2;
814 return;
815 }
816 s->ike.dpd_sent = now;
817 send_dpd(s, 0, s->ike.dpd_seqno);
818 }
819 }
820
821 static void send_delete_ipsec(struct sa_block *s)
822 {
823 /* 2007-08-31 JKU/ZID: Sonicwall doesn't like the chained
824 * request but wants them split. Cisco does fine with it. */
825 DEBUGTOP(2, printf("S7.10 send ipsec termination message\n"));
826 {
827 struct isakmp_payload *d_ipsec;
828 uint8_t del_msgid;
829
830 gcry_create_nonce((uint8_t *) & del_msgid, sizeof(del_msgid));
831 d_ipsec = new_isakmp_payload(ISAKMP_PAYLOAD_D);
832 d_ipsec->u.d.doi = ISAKMP_DOI_IPSEC;
833 d_ipsec->u.d.protocol = ISAKMP_IPSEC_PROTO_IPSEC_ESP;
834 d_ipsec->u.d.spi_length = 4;
835 d_ipsec->u.d.num_spi = 2;
836 d_ipsec->u.d.spi = xallocc(2 * sizeof(uint8_t *));
837 d_ipsec->u.d.spi[0] = xallocc(d_ipsec->u.d.spi_length);
838 memcpy(d_ipsec->u.d.spi[0], &s->ipsec.rx.spi, 4);
839 d_ipsec->u.d.spi[1] = xallocc(d_ipsec->u.d.spi_length);
840 memcpy(d_ipsec->u.d.spi[1], &s->ipsec.tx.spi, 4);
841 sendrecv_phase2(s, d_ipsec, ISAKMP_EXCHANGE_INFORMATIONAL,
842 del_msgid, 1, NULL, 0, NULL, 0);
843 }
844 }
845
846 static void send_delete_isakmp(struct sa_block *s)
847 {
848 DEBUGTOP(2, printf("S7.11 send isakmp termination message\n"));
849 {
850 struct isakmp_payload *d_isakmp;
851 uint8_t del_msgid;
852
853 gcry_create_nonce((uint8_t *) & del_msgid, sizeof(del_msgid));
854 d_isakmp = new_isakmp_payload(ISAKMP_PAYLOAD_D);
855 d_isakmp->u.d.doi = ISAKMP_DOI_IPSEC;
856 d_isakmp->u.d.protocol = ISAKMP_IPSEC_PROTO_ISAKMP;
857 d_isakmp->u.d.spi_length = 2 * ISAKMP_COOKIE_LENGTH;
858 d_isakmp->u.d.num_spi = 1;
859 d_isakmp->u.d.spi = xallocc(1 * sizeof(uint8_t *));
860 d_isakmp->u.d.spi[0] = xallocc(2 * ISAKMP_COOKIE_LENGTH);
861 memcpy(d_isakmp->u.d.spi[0] + ISAKMP_COOKIE_LENGTH * 0, s->ike.i_cookie,
862 ISAKMP_COOKIE_LENGTH);
863 memcpy(d_isakmp->u.d.spi[0] + ISAKMP_COOKIE_LENGTH * 1, s->ike.r_cookie,
864 ISAKMP_COOKIE_LENGTH);
865 sendrecv_phase2(s, d_isakmp, ISAKMP_EXCHANGE_INFORMATIONAL,
866 del_msgid, 1, NULL, 0, NULL, 0);
867 }
868 }
869
870 static void phase2_fatal(struct sa_block *s, const char *msg, int id)
871 {
872 struct isakmp_payload *pl;
873 uint32_t msgid;
874
875 DEBUG(1, printf("\n\n---!!!!!!!!! entering phase2_fatal !!!!!!!!!---\n\n\n"));
876 gcry_create_nonce((uint8_t *) & msgid, sizeof(msgid));
877 pl = new_isakmp_payload(ISAKMP_PAYLOAD_N);
878 pl->u.n.doi = ISAKMP_DOI_IPSEC;
879 pl->u.n.protocol = ISAKMP_IPSEC_PROTO_ISAKMP;
880 pl->u.n.type = id;
881 sendrecv_phase2(s, pl, ISAKMP_EXCHANGE_INFORMATIONAL, msgid, 1, 0, 0, 0, 0);
882
883 send_delete_isakmp(s);
884
885 error(1, 0, msg, val_to_string(id, isakmp_notify_enum_array), id);
886 }
887
888 static uint8_t *gen_keymat(struct sa_block *s,
889 uint8_t protocol, uint32_t spi,
890 const uint8_t * dh_shared, size_t dh_size,
891 const uint8_t * ni_data, size_t ni_size, const uint8_t * nr_data, size_t nr_size)
892 {
893 gcry_md_hd_t hm;
894 uint8_t *block;
895 int i;
896 int blksz;
897 int cnt;
898
899 blksz = s->ipsec.md_len + s->ipsec.key_len;
900 cnt = (blksz + s->ike.md_len - 1) / s->ike.md_len;
901 block = xallocc(cnt * s->ike.md_len);
902 DEBUG(3, printf("generating %d bytes keymat (cnt=%d)\n", blksz, cnt));
903 if (cnt < 1)
904 abort();
905
906 for (i = 0; i < cnt; i++) {
907 gcry_md_open(&hm, s->ike.md_algo, GCRY_MD_FLAG_HMAC);
908 gcry_md_setkey(hm, s->ike.skeyid_d, s->ike.md_len);
909 if (i != 0)
910 gcry_md_write(hm, block + (i - 1) * s->ike.md_len, s->ike.md_len);
911 if (dh_shared != NULL)
912 gcry_md_write(hm, dh_shared, dh_size);
913 gcry_md_write(hm, &protocol, 1);
914 gcry_md_write(hm, (uint8_t *) & spi, sizeof(spi));
915 gcry_md_write(hm, ni_data, ni_size);
916 gcry_md_write(hm, nr_data, nr_size);
917 gcry_md_final(hm);
918 memcpy(block + i * s->ike.md_len, gcry_md_read(hm, 0), s->ike.md_len);
919 gcry_md_close(hm);
920 }
921 return block;
922 }
923
924 static int mask_to_masklen(struct in_addr mask)
925 {
926 int len;
927 uint32_t addr;
928
929 addr = ntohl(mask.s_addr);
930 for (len = 0; addr; addr <<= 1, len++)
931 ;
932 return len;
933 }
934
935 static int do_config_to_env(struct sa_block *s, struct isakmp_attribute *a)
936 {
937 int i;
938 int reject = 0;
939 int seen_address = 0;
940 char *strbuf, *strbuf2;
941
942 unsetenv("CISCO_BANNER");
943 unsetenv("CISCO_DEF_DOMAIN");
944 unsetenv("CISCO_SPLIT_DNS");
945 unsetenv("CISCO_SPLIT_INC");
946 unsetenv("CISCO_IPV6_SPLIT_INC");
947 unsetenv("INTERNAL_IP4_NBNS");
948 unsetenv("INTERNAL_IP4_DNS");
949 unsetenv("INTERNAL_IP4_NETMASK");
950 unsetenv("INTERNAL_IP4_ADDRESS");
951 unsetenv("INTERNAL_IP6_DNS");
952 unsetenv("INTERNAL_IP6_NETMASK");
953 unsetenv("INTERNAL_IP6_ADDRESS");
954
955 for (; a && reject == 0; a = a->next)
956 switch (a->type) {
957 case ISAKMP_MODECFG_ATTRIB_INTERNAL_IP4_ADDRESS:
958 if (a->af != isakmp_attr_lots || a->u.lots.length != 4)
959 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
960 else {
961 addenv_ipv4("INTERNAL_IP4_ADDRESS", a->u.lots.data);
962 memcpy(&s->our_address, a->u.lots.data, 4);
963 }
964 seen_address = 1;
965 break;
966
967 case ISAKMP_MODECFG_ATTRIB_INTERNAL_IP4_NETMASK:
968 if (a->af == isakmp_attr_lots && a->u.lots.length == 0) {
969 DEBUG(2, printf("ignoring zero length netmask\n"));
970 continue;
971 }
972 if (a->af != isakmp_attr_lots || a->u.lots.length != 4)
973 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
974 else {
975 uint32_t netaddr = s->our_address.s_addr & ((struct in_addr *)(a->u.lots.data))->s_addr;
976 addenv_ipv4("INTERNAL_IP4_NETMASK", a->u.lots.data);
977 asprintf(&strbuf, "%d", mask_to_masklen(*((struct in_addr *)a->u.lots.data)));
978 setenv("INTERNAL_IP4_NETMASKLEN", strbuf, 1);
979 free(strbuf);
980 addenv_ipv4("INTERNAL_IP4_NETADDR", (uint8_t *)&netaddr);
981 }
982 break;
983
984 case ISAKMP_MODECFG_ATTRIB_INTERNAL_IP4_DNS:
985 if (a->af != isakmp_attr_lots || a->u.lots.length != 4)
986 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
987 else
988 addenv_ipv4("INTERNAL_IP4_DNS", a->u.lots.data);
989 break;
990
991 case ISAKMP_MODECFG_ATTRIB_INTERNAL_IP4_NBNS:
992 if (a->af != isakmp_attr_lots || a->u.lots.length != 4)
993 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
994 else
995 addenv_ipv4("INTERNAL_IP4_NBNS", a->u.lots.data);
996 break;
997
998 case ISAKMP_MODECFG_ATTRIB_CISCO_DEF_DOMAIN:
999 if (a->af != isakmp_attr_lots) {
1000 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
1001 break;
1002 }
1003 strbuf = xallocc(a->u.lots.length + 1);
1004 memcpy(strbuf, a->u.lots.data, a->u.lots.length);
1005 addenv("CISCO_DEF_DOMAIN", strbuf);
1006 free(strbuf);
1007 break;
1008
1009 case ISAKMP_MODECFG_ATTRIB_CISCO_BANNER:
1010 if (a->af != isakmp_attr_lots) {
1011 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
1012 break;
1013 }
1014 strbuf = xallocc(a->u.lots.length + 1);
1015 memcpy(strbuf, a->u.lots.data, a->u.lots.length);
1016 addenv("CISCO_BANNER", strbuf);
1017 free(strbuf);
1018 DEBUG(1, printf("Banner: "));
1019 DEBUG(1, fwrite(a->u.lots.data, a->u.lots.length, 1, stdout));
1020 DEBUG(1, printf("\n"));
1021 break;
1022
1023 case ISAKMP_MODECFG_ATTRIB_APPLICATION_VERSION:
1024 DEBUG(2, printf("Remote Application Version: "));
1025 DEBUG(2, fwrite(a->u.lots.data, a->u.lots.length, 1, stdout));
1026 DEBUG(2, printf("\n"));
1027 break;
1028
1029 case ISAKMP_MODECFG_ATTRIB_CISCO_DO_PFS:
1030 if (a->af != isakmp_attr_16)
1031 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
1032 else {
1033 s->ipsec.do_pfs = a->u.attr_16;
1034 DEBUG(2, printf("got pfs setting: %d\n", s->ipsec.do_pfs));
1035 }
1036 break;
1037
1038 case ISAKMP_MODECFG_ATTRIB_CISCO_UDP_ENCAP_PORT:
1039 if (a->af != isakmp_attr_16)
1040 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
1041 else {
1042 s->ipsec.peer_udpencap_port = a->u.attr_16;
1043 DEBUG(2, printf("got peer udp encapsulation port: %hu\n", s->ipsec.peer_udpencap_port));
1044 }
1045 break;
1046
1047 case ISAKMP_MODECFG_ATTRIB_CISCO_SPLIT_INC:
1048 if (a->af != isakmp_attr_acl) {
1049 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
1050 break;
1051 }
1052
1053 DEBUG(2, printf("got %d acls for split include\n", a->u.acl.count));
1054 asprintf(&strbuf, "%d", a->u.acl.count);
1055 setenv("CISCO_SPLIT_INC", strbuf, 1);
1056 free(strbuf);
1057
1058 for (i = 0; i < a->u.acl.count; i++) {
1059 DEBUG(2, printf("acl %d: ", i));
1060 /* NOTE: inet_ntoa returns one static buffer */
1061
1062 asprintf(&strbuf, "CISCO_SPLIT_INC_%d_ADDR", i);
1063 asprintf(&strbuf2, "%s", inet_ntoa(a->u.acl.acl_ent[i].addr));
1064 DEBUG(2, printf("addr: %s/", strbuf2));
1065 setenv(strbuf, strbuf2, 1);
1066 free(strbuf); free(strbuf2);
1067
1068 asprintf(&strbuf, "CISCO_SPLIT_INC_%d_MASK", i);
1069 asprintf(&strbuf2, "%s", inet_ntoa(a->u.acl.acl_ent[i].mask));
1070 DEBUG(2, printf("%s ", strbuf2));
1071 setenv(strbuf, strbuf2, 1);
1072 free(strbuf); free(strbuf2);
1073
1074 /* this is just here because ip route does not accept netmasks */
1075 asprintf(&strbuf, "CISCO_SPLIT_INC_%d_MASKLEN", i);
1076 asprintf(&strbuf2, "%d", mask_to_masklen(a->u.acl.acl_ent[i].mask));
1077 DEBUG(2, printf("(%s), ", strbuf2));
1078 setenv(strbuf, strbuf2, 1);
1079 free(strbuf); free(strbuf2);
1080
1081 asprintf(&strbuf, "CISCO_SPLIT_INC_%d_PROTOCOL", i);
1082 asprintf(&strbuf2, "%hu", a->u.acl.acl_ent[i].protocol);
1083 DEBUG(2, printf("protocol: %s, ", strbuf2));
1084 setenv(strbuf, strbuf2, 1);
1085 free(strbuf); free(strbuf2);
1086
1087 asprintf(&strbuf, "CISCO_SPLIT_INC_%d_SPORT", i);
1088 asprintf(&strbuf2, "%hu", a->u.acl.acl_ent[i].sport);
1089 DEBUG(2, printf("sport: %s, ", strbuf2));
1090 setenv(strbuf, strbuf2, 1);
1091 free(strbuf); free(strbuf2);
1092
1093 asprintf(&strbuf, "CISCO_SPLIT_INC_%d_DPORT", i);
1094 asprintf(&strbuf2, "%hu", a->u.acl.acl_ent[i].dport);
1095 DEBUG(2, printf("dport: %s\n", strbuf2));
1096 setenv(strbuf, strbuf2, 1);
1097 free(strbuf); free(strbuf2);
1098 }
1099 break;
1100
1101 case ISAKMP_MODECFG_ATTRIB_CISCO_SPLIT_DNS:
1102 if (a->af != isakmp_attr_lots) {
1103 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
1104 break;
1105 }
1106 strbuf = xallocc(a->u.lots.length + 1);
1107 memcpy(strbuf, a->u.lots.data, a->u.lots.length);
1108 addenv("CISCO_SPLIT_DNS", strbuf);
1109 free(strbuf);
1110 DEBUG(2, printf("Split DNS: %s\n", a->u.lots.data));
1111 break;
1112
1113 case ISAKMP_MODECFG_ATTRIB_CISCO_SAVE_PW:
1114 DEBUG(2, printf("got save password setting: %d\n", a->u.attr_16));
1115 break;
1116
1117 default:
1118 DEBUG(2, printf("unknown attribute %d / 0x%X\n", a->type, a->type));
1119 break;
1120 }
1121
1122 if (reject == 0 && !seen_address)
1123 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
1124
1125 return reject;
1126 }
1127
1128 /* * */
1129
1130 static struct isakmp_attribute *make_transform_ike(int dh_group, int crypt, int hash, int keylen, int auth)
1131 {
1132 struct isakmp_attribute *a = NULL;
1133
1134 a = new_isakmp_attribute(IKE_ATTRIB_LIFE_DURATION, a);
1135 a->af = isakmp_attr_lots;
1136 a->u.lots.length = 4;
1137 a->u.lots.data = xallocc(a->u.lots.length);
1138 *((uint32_t *) a->u.lots.data) = htonl(2147483);
1139 a = new_isakmp_attribute_16(IKE_ATTRIB_LIFE_TYPE, IKE_LIFE_TYPE_SECONDS, a);
1140 a = new_isakmp_attribute_16(IKE_ATTRIB_AUTH_METHOD, auth, a);
1141 a = new_isakmp_attribute_16(IKE_ATTRIB_GROUP_DESC, dh_group, a);
1142 a = new_isakmp_attribute_16(IKE_ATTRIB_HASH, hash, a);
1143 a = new_isakmp_attribute_16(IKE_ATTRIB_ENC, crypt, a);
1144 if (keylen != 0)
1145 a = new_isakmp_attribute_16(IKE_ATTRIB_KEY_LENGTH, keylen, a);
1146 return a;
1147 }
1148
1149 static struct isakmp_payload *make_our_sa_ike(void)
1150 {
1151 struct isakmp_payload *r = new_isakmp_payload(ISAKMP_PAYLOAD_SA);
1152 struct isakmp_payload *t = NULL, *tn;
1153 struct isakmp_attribute *a;
1154 int dh_grp = get_dh_group_ike()->ike_sa_id;
1155 unsigned int auth, crypt, hash, keylen;
1156 int i;
1157
1158 r->u.sa.doi = ISAKMP_DOI_IPSEC;
1159 r->u.sa.situation = ISAKMP_IPSEC_SIT_IDENTITY_ONLY;
1160 r->u.sa.proposals = new_isakmp_payload(ISAKMP_PAYLOAD_P);
1161 r->u.sa.proposals->u.p.prot_id = ISAKMP_IPSEC_PROTO_ISAKMP;
1162 for (auth = 0; supp_auth[auth].name != NULL; auth++) {
1163 if (opt_auth_mode == AUTH_MODE_CERT) {
1164 if ((supp_auth[auth].ike_sa_id != IKE_AUTH_RSA_SIG) &&
1165 (supp_auth[auth].ike_sa_id != IKE_AUTH_DSS))
1166 continue;
1167 } else if (opt_auth_mode == AUTH_MODE_HYBRID) {
1168 if ((supp_auth[auth].ike_sa_id != IKE_AUTH_HybridInitRSA) &&
1169 (supp_auth[auth].ike_sa_id != IKE_AUTH_HybridInitDSS))
1170 continue;
1171 } else {
1172 if (supp_auth[auth].ike_sa_id == IKE_AUTH_HybridInitRSA ||
1173 supp_auth[auth].ike_sa_id == IKE_AUTH_HybridInitDSS ||
1174 supp_auth[auth].ike_sa_id == IKE_AUTH_RSA_SIG ||
1175 supp_auth[auth].ike_sa_id == IKE_AUTH_DSS)
1176 continue;
1177 }
1178 for (crypt = 0; supp_crypt[crypt].name != NULL; crypt++) {
1179 keylen = supp_crypt[crypt].keylen;
1180 for (hash = 0; supp_hash[hash].name != NULL; hash++) {
1181 tn = t;
1182 t = new_isakmp_payload(ISAKMP_PAYLOAD_T);
1183 t->u.t.id = ISAKMP_IPSEC_KEY_IKE;
1184 a = make_transform_ike(dh_grp, supp_crypt[crypt].ike_sa_id,
1185 supp_hash[hash].ike_sa_id, keylen, supp_auth[auth].ike_sa_id);
1186 t->u.t.attributes = a;
1187 t->next = tn;
1188 }
1189 }
1190 }
1191 for (i = 0, tn = t; tn; tn = tn->next)
1192 tn->u.t.number = i++;
1193 r->u.sa.proposals->u.p.transforms = t;
1194 return r;
1195 }
1196
1197 static void lifetime_ike_process(struct sa_block *s, struct isakmp_attribute *a)
1198 {
1199 uint32_t value;
1200
1201 assert(a != NULL);
1202 assert(a->type == IKE_ATTRIB_LIFE_TYPE);
1203 assert(a->af == isakmp_attr_16);
1204 assert(a->u.attr_16 == IKE_LIFE_TYPE_SECONDS || a->u.attr_16 == IKE_LIFE_TYPE_K);
1205 assert(a->next != NULL);
1206 assert(a->next->type == IKE_ATTRIB_LIFE_DURATION);
1207
1208 if (a->next->af == isakmp_attr_16)
1209 value = a->next->u.attr_16;
1210 else if (a->next->af == isakmp_attr_lots && a->next->u.lots.length == 4)
1211 value = ntohl(*((uint32_t *) a->next->u.lots.data));
1212 else {
1213 DEBUG(2, printf("got unknown ike lifetime attributes af %d len %d\n",
1214 a->next->af, a->next->u.lots.length));
1215 return;
1216 }
1217
1218 DEBUG(2, printf("got ike lifetime attributes: %d %s\n", value,
1219 (a->u.attr_16 == IKE_LIFE_TYPE_SECONDS) ? "seconds" : "kilobyte"));
1220
1221 if (a->u.attr_16 == IKE_LIFE_TYPE_SECONDS)
1222 s->ike.life.seconds = value;
1223 else
1224 s->ike.life.kbytes = value;
1225 }
1226
1227 static void lifetime_ipsec_process(struct sa_block *s, struct isakmp_attribute *a)
1228 {
1229 uint32_t value;
1230
1231 assert(a != NULL);
1232 assert(a->type == ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE);
1233 assert(a->af == isakmp_attr_16);
1234 assert(a->u.attr_16 == IPSEC_LIFE_SECONDS || a->u.attr_16 == IPSEC_LIFE_K);
1235 assert(a->next != NULL);
1236 assert(a->next->type == ISAKMP_IPSEC_ATTRIB_SA_LIFE_DURATION);
1237
1238 if (a->next->af == isakmp_attr_16)
1239 value = a->next->u.attr_16;
1240 else if (a->next->af == isakmp_attr_lots && a->next->u.lots.length == 4)
1241 value = ntohl(*((uint32_t *) a->next->u.lots.data));
1242 else
1243 assert(0);
1244
1245 DEBUG(2, printf("got ipsec lifetime attributes: %d %s\n", value,
1246 (a->u.attr_16 == IPSEC_LIFE_SECONDS) ? "seconds" : "kilobyte"));
1247
1248 if (a->u.attr_16 == IPSEC_LIFE_SECONDS)
1249 s->ipsec.life.seconds = value;
1250 else
1251 s->ipsec.life.kbytes = value;
1252
1253 /* FIXME: for notice-payloads: write a seperate function to handle them */
1254 /* bug: this may process lifetime-attributes of SAs twice but to no consequence */
1255 if (a->next->next != NULL && a->next->next->type == ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE)
1256 lifetime_ipsec_process(s, a->next->next);
1257 }
1258
1259 static void do_phase1_am_init(struct sa_block *s)
1260 {
1261
1262 s->ike.natd_type = 0;
1263 s->ike.natd_us = s->ike.natd_them = NULL;
1264 s->ike.sa_f = s->ike.idi_f = NULL;
1265
1266 DEBUGTOP(2, printf("S4.1 create_nonce\n"));
1267 gcry_create_nonce(s->ike.i_cookie, ISAKMP_COOKIE_LENGTH);
1268 s->ike.life.start = time(NULL);
1269 s->ipsec.do_pfs = -1;
1270 if (s->ike.i_cookie[0] == 0)
1271 s->ike.i_cookie[0] = 1;
1272 hex_dump("i_cookie", s->ike.i_cookie, ISAKMP_COOKIE_LENGTH, NULL);
1273 gcry_create_nonce(s->ike.i_nonce, sizeof(s->ike.i_nonce));
1274 hex_dump("i_nonce", s->ike.i_nonce, sizeof(s->ike.i_nonce), NULL);
1275 DEBUGTOP(2, printf("S4.2 dh setup\n"));
1276 /* Set up the Diffie-Hellman stuff. */
1277 {
1278 s->ike.dh_grp = group_get(get_dh_group_ike()->my_id);
1279 s->ike.dh_public = xallocc(dh_getlen(s->ike.dh_grp));
1280 dh_create_exchange(s->ike.dh_grp, s->ike.dh_public);
1281 hex_dump("dh_public", s->ike.dh_public, dh_getlen(s->ike.dh_grp), NULL);
1282 }
1283
1284 }
1285
1286 static void do_phase1_am_packet1(struct sa_block *s, const char *key_id)
1287 {
1288 DEBUGTOP(2, printf("S4.3 AM packet_1\n"));
1289 /* Create the first packet. */
1290 {
1291 struct isakmp_packet *p1;
1292 struct isakmp_payload *l;
1293 uint8_t *pkt;
1294 size_t pkt_len;
1295
1296 p1 = new_isakmp_packet();
1297 memcpy(p1->i_cookie, s->ike.i_cookie, ISAKMP_COOKIE_LENGTH);
1298 p1->isakmp_version = ISAKMP_VERSION;
1299 p1->exchange_type = ISAKMP_EXCHANGE_AGGRESSIVE;
1300 p1->payload = l = make_our_sa_ike();
1301 flatten_isakmp_payload(l, &s->ike.sa_f, &s->ike.sa_size);
1302 l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_KE, s->ike.dh_public, dh_getlen(s->ike.dh_grp));
1303 l->next->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_NONCE,
1304 s->ike.i_nonce, sizeof(s->ike.i_nonce));
1305 l = l->next->next;
1306 l->next = new_isakmp_payload(ISAKMP_PAYLOAD_ID);
1307 l = l->next;
1308 if (opt_vendor == VENDOR_CISCO)
1309 l->u.id.type = ISAKMP_IPSEC_ID_KEY_ID;
1310 else
1311 l->u.id.type = ISAKMP_IPSEC_ID_USER_FQDN;
1312 l->u.id.protocol = IPPROTO_UDP;
1313 l->u.id.port = ISAKMP_PORT; /* this must be 500, see rfc2407, 4.6.2 */
1314 l->u.id.length = strlen(key_id);
1315 l->u.id.data = xallocc(l->u.id.length);
1316 memcpy(l->u.id.data, key_id, strlen(key_id));
1317 flatten_isakmp_payload(l, &s->ike.idi_f, &s->ike.idi_size);
1318 l = l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID,
1319 VID_XAUTH, sizeof(VID_XAUTH));
1320 l = l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID,
1321 VID_UNITY, sizeof(VID_UNITY));
1322 if ((opt_natt_mode == NATT_NORMAL) || (opt_natt_mode == NATT_FORCE)) {
1323 l = l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID,
1324 VID_NATT_RFC, sizeof(VID_NATT_RFC));
1325 l = l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID,
1326 VID_NATT_03, sizeof(VID_NATT_03));
1327 l = l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID,
1328 VID_NATT_02N, sizeof(VID_NATT_02N));
1329 l = l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID,
1330 VID_NATT_02, sizeof(VID_NATT_02));
1331 l = l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID,
1332 VID_NATT_01, sizeof(VID_NATT_01));
1333 l = l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID,
1334 VID_NATT_00, sizeof(VID_NATT_00));
1335 }
1336 s->ike.dpd_idle = atoi(config[CONFIG_DPD_IDLE]);
1337 if (s->ike.dpd_idle != 0) {
1338 if (s->ike.dpd_idle < 10)
1339 s->ike.dpd_idle = 10;
1340 if (s->ike.dpd_idle > 86400)
1341 s->ike.dpd_idle = 86400;
1342 l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID,
1343 VID_DPD, sizeof(VID_DPD));
1344 }
1345 flatten_isakmp_packet(p1, &pkt, &pkt_len, 0);
1346 free_isakmp_packet(p1);
1347
1348 /* Now, send that packet and receive a new one. */
1349 r_length = sendrecv(s, r_packet, sizeof(r_packet), pkt, pkt_len, 0);
1350 free(pkt);
1351 }
1352 }
1353
1354 static void do_phase1_am_packet2(struct sa_block *s, const char *shared_key)
1355 {
1356 DEBUGTOP(2, printf("S4.4 AM_packet2\n"));
1357 /* Decode the recieved packet. */
1358 {
1359 int reject, ret;
1360 struct isakmp_packet *r;
1361 struct isakmp_payload *rp;
1362 struct isakmp_payload *nonce = NULL;
1363 struct isakmp_payload *ke = NULL;
1364 struct isakmp_payload *hash = NULL;
1365 struct isakmp_payload *sig = NULL;
1366 struct isakmp_payload *idp = NULL;
1367 int seen_sa = 0;
1368 uint8_t *psk_skeyid;
1369 uint8_t *skeyid;
1370 gcry_md_hd_t skeyid_ctx;
1371 uint8_t *dh_shared_secret;
1372 int seen_natd = 0, seen_natd_them = 0, seen_natd_us = 0;
1373 int natt_draft = -1;
1374 crypto_ctx *cctx;
1375 crypto_error *crerr = NULL;
1376
1377 cctx = crypto_ctx_new (&crerr);
1378 if (crerr)
1379 crypto_call_error(crerr);
1380
1381 reject = 0;
1382 r = parse_isakmp_packet(r_packet, r_length, &reject);
1383
1384 /* Verify the correctness of the recieved packet. */
1385 if (reject == 0 && memcmp(r->i_cookie, s->ike.i_cookie, ISAKMP_COOKIE_LENGTH) != 0)
1386 reject = ISAKMP_N_INVALID_COOKIE;
1387 if (reject == 0)
1388 memcpy(s->ike.r_cookie, r->r_cookie, ISAKMP_COOKIE_LENGTH);
1389 if (reject == 0 && r->exchange_type != ISAKMP_EXCHANGE_AGGRESSIVE)
1390 reject = ISAKMP_N_INVALID_EXCHANGE_TYPE;
1391 if (reject == 0 && r->flags != 0)
1392 reject = ISAKMP_N_INVALID_FLAGS;
1393 if (reject == 0 && r->message_id != 0)
1394 reject = ISAKMP_N_INVALID_MESSAGE_ID;
1395 if (reject != 0)
1396 error(1, 0, "response was invalid [1]: %s(%d)", val_to_string(reject, isakmp_notify_enum_array), reject);
1397 for (rp = r->payload; rp && reject == 0; rp = rp->next)
1398 switch (rp->type) {
1399 case ISAKMP_PAYLOAD_SA:
1400 if (reject == 0 && rp->u.sa.doi != ISAKMP_DOI_IPSEC)
1401 reject = ISAKMP_N_DOI_NOT_SUPPORTED;
1402 if (reject == 0 &&
1403 rp->u.sa.situation != ISAKMP_IPSEC_SIT_IDENTITY_ONLY)
1404 reject = ISAKMP_N_SITUATION_NOT_SUPPORTED;
1405 if (reject == 0 &&
1406 (rp->u.sa.proposals == NULL
1407 || rp->u.sa.proposals->next != NULL))
1408 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
1409 if (reject == 0 &&
1410 rp->u.sa.proposals->u.p.prot_id !=
1411 ISAKMP_IPSEC_PROTO_ISAKMP)
1412 reject = ISAKMP_N_INVALID_PROTOCOL_ID;
1413 if (reject == 0 && rp->u.sa.proposals->u.p.spi_size != 0)
1414 reject = ISAKMP_N_INVALID_SPI;
1415 if (reject == 0 &&
1416 (rp->u.sa.proposals->u.p.transforms == NULL
1417 || rp->u.sa.proposals->u.p.transforms->next !=
1418 NULL))
1419 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
1420 if (reject == 0 &&
1421 (rp->u.sa.proposals->u.p.transforms->u.t.id
1422 != ISAKMP_IPSEC_KEY_IKE))
1423 reject = ISAKMP_N_INVALID_TRANSFORM_ID;
1424 if (reject == 0) {
1425 struct isakmp_attribute *a
1426 =
1427 rp->u.sa.proposals->u.p.transforms->u.t.attributes;
1428 int seen_enc = 0, seen_hash = 0, seen_auth = 0;
1429 int seen_group = 0, seen_keylen = 0;
1430 for (; a && reject == 0; a = a->next)
1431 switch (a->type) {
1432 case IKE_ATTRIB_GROUP_DESC:
1433 if (a->af == isakmp_attr_16 &&
1434 a->u.attr_16 ==
1435 get_dh_group_ike()->ike_sa_id)
1436 seen_group = 1;
1437 else
1438 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
1439 break;
1440 case IKE_ATTRIB_AUTH_METHOD:
1441 if (a->af == isakmp_attr_16)
1442 seen_auth = a->u.attr_16;
1443 else
1444 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
1445 break;
1446 case IKE_ATTRIB_HASH:
1447 if (a->af == isakmp_attr_16)
1448 seen_hash = a->u.attr_16;
1449 else
1450 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
1451 break;
1452 case IKE_ATTRIB_ENC:
1453 if (a->af == isakmp_attr_16)
1454 seen_enc = a->u.attr_16;
1455 else
1456 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
1457 break;
1458 case IKE_ATTRIB_KEY_LENGTH:
1459 if (a->af == isakmp_attr_16)
1460 seen_keylen = a->u.attr_16;
1461 else
1462 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
1463 break;
1464 case IKE_ATTRIB_LIFE_TYPE:
1465 /* lifetime duration MUST follow lifetype attribute */
1466 if (a->next->type == IKE_ATTRIB_LIFE_DURATION) {
1467 lifetime_ike_process(s, a);
1468 } else
1469 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
1470 break;
1471 case IKE_ATTRIB_LIFE_DURATION:
1472 /* already processed above in IKE_ATTRIB_LIFE_TYPE: */
1473 break;
1474 default:
1475 DEBUG(1, printf
1476 ("unknown attribute %d, arborting..\n",
1477 a->type));
1478 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
1479 break;
1480 }
1481 if (!seen_group || !seen_auth || !seen_hash || !seen_enc)
1482 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
1483
1484 if (get_algo(SUPP_ALGO_AUTH, SUPP_ALGO_IKE_SA, seen_auth,
1485 NULL, 0) == NULL)
1486 reject = ISAKMP_N_NO_PROPOSAL_CHOSEN;
1487 if (get_algo(SUPP_ALGO_HASH, SUPP_ALGO_IKE_SA, seen_hash,
1488 NULL, 0) == NULL)
1489 reject = ISAKMP_N_NO_PROPOSAL_CHOSEN;
1490 if (get_algo(SUPP_ALGO_CRYPT, SUPP_ALGO_IKE_SA, seen_enc,
1491 NULL, seen_keylen) == NULL)
1492 reject = ISAKMP_N_NO_PROPOSAL_CHOSEN;
1493
1494 if (reject == 0) {
1495 seen_sa = 1;
1496 s->ike.auth_algo = seen_auth;
1497 s->ike.cry_algo =
1498 get_algo(SUPP_ALGO_CRYPT, SUPP_ALGO_IKE_SA,
1499 seen_enc, NULL, seen_keylen)->my_id;
1500 s->ike.md_algo =
1501 get_algo(SUPP_ALGO_HASH, SUPP_ALGO_IKE_SA,
1502 seen_hash, NULL, 0)->my_id;
1503 s->ike.md_len = gcry_md_get_algo_dlen(s->ike.md_algo);
1504 DEBUG(1, printf("IKE SA selected %s-%s-%s\n",
1505 get_algo(SUPP_ALGO_AUTH,
1506 SUPP_ALGO_IKE_SA, seen_auth,
1507 NULL, 0)->name,
1508 get_algo(SUPP_ALGO_CRYPT,
1509 SUPP_ALGO_IKE_SA, seen_enc,
1510 NULL, seen_keylen)->name,
1511 get_algo(SUPP_ALGO_HASH,
1512 SUPP_ALGO_IKE_SA, seen_hash,
1513 NULL, 0)->name));
1514 if (s->ike.cry_algo == GCRY_CIPHER_DES && !opt_1des) {
1515 error(1, 0, "peer selected (single) DES as \"encryption\" method.\n"
1516 "This algorithm is considered too weak today\n"
1517 "If your vpn concentrator admin still insists on using DES\n"
1518 "use the \"--enable-1des\" option.\n");
1519 }
1520 }
1521 }
1522 break;
1523
1524 case ISAKMP_PAYLOAD_ID:
1525 idp = rp;
1526 break;
1527 case ISAKMP_PAYLOAD_KE:
1528 ke = rp;
1529 break;
1530 case ISAKMP_PAYLOAD_NONCE:
1531 nonce = rp;
1532 break;
1533 case ISAKMP_PAYLOAD_HASH:
1534 hash = rp;
1535 break;
1536 case ISAKMP_PAYLOAD_CERT:
1537 if (rp->u.cert.encoding == ISAKMP_CERT_X509_SIG) {
1538 hex_dump("cert", rp->u.cert.data, rp->u.cert.length, NULL);
1539
1540 ret = crypto_push_cert(cctx,
1541 (const unsigned char *) rp->u.cert.data,
1542 rp->u.cert.length,
1543 &crerr);
1544 if (ret)
1545 crypto_call_error(crerr);
1546 }
1547 break;
1548 case ISAKMP_PAYLOAD_SIG:
1549 sig = rp;
1550 break;
1551 case ISAKMP_PAYLOAD_VID:
1552 if (rp->u.vid.length == sizeof(VID_XAUTH)
1553 && memcmp(rp->u.vid.data, VID_XAUTH,
1554 sizeof(VID_XAUTH)) == 0) {
1555 DEBUG(2, printf("peer is XAUTH capable (draft-ietf-ipsec-isakmp-xauth-06)\n"));
1556 } else if (rp->u.vid.length == sizeof(VID_NATT_RFC)
1557 && memcmp(rp->u.vid.data, VID_NATT_RFC,
1558 sizeof(VID_NATT_RFC)) == 0) {
1559 if (natt_draft < 1) natt_draft = 2;
1560 DEBUG(2, printf("peer is NAT-T capable (RFC 3947)\n"));
1561 } else if (rp->u.vid.length == sizeof(VID_NATT_03)
1562 && memcmp(rp->u.vid.data, VID_NATT_03,
1563 sizeof(VID_NATT_03)) == 0) {
1564 if (natt_draft < 1) natt_draft = 2;
1565 DEBUG(2, printf("peer is NAT-T capable (draft-03)\n"));
1566 } else if (rp->u.vid.length == sizeof(VID_NATT_02N)
1567 && memcmp(rp->u.vid.data, VID_NATT_02N,
1568 sizeof(VID_NATT_02N)) == 0) {
1569 if (natt_draft < 1) natt_draft = 2;
1570 DEBUG(2, printf("peer is NAT-T capable (draft-02)\\n\n")); /* sic! */
1571 } else if (rp->u.vid.length == sizeof(VID_NATT_02)
1572 && memcmp(rp->u.vid.data, VID_NATT_02,
1573 sizeof(VID_NATT_02)) == 0) {
1574 if (natt_draft < 1) natt_draft = 2;
1575 DEBUG(2, printf("peer is NAT-T capable (draft-02)\n"));
1576 } else if (rp->u.vid.length == sizeof(VID_NATT_01)
1577 && memcmp(rp->u.vid.data, VID_NATT_01,
1578 sizeof(VID_NATT_01)) == 0) {
1579 if (natt_draft < 1) natt_draft = 1;
1580 DEBUG(2, printf("peer is NAT-T capable (draft-01)\n"));
1581 } else if (rp->u.vid.length == sizeof(VID_NATT_00)
1582 && memcmp(rp->u.vid.data, VID_NATT_00,
1583 sizeof(VID_NATT_00)) == 0) {
1584 if (natt_draft < 0) natt_draft = 0;
1585 DEBUG(2, printf("peer is NAT-T capable (draft-00)\n"));
1586 } else if (rp->u.vid.length == sizeof(VID_DPD)
1587 && memcmp(rp->u.vid.data, VID_DPD,
1588 sizeof(VID_DPD)) == 0) {
1589 if (s->ike.dpd_idle != 0) {
1590 gcry_create_nonce(&s->ike.dpd_seqno, sizeof(s->ike.dpd_seqno));
1591 s->ike.dpd_seqno &= 0x7FFFFFFF;
1592 s->ike.dpd_seqno_ack = s->ike.dpd_seqno;
1593 s->ike.do_dpd = 1;
1594 DEBUG(2, printf("peer is DPD capable (RFC3706)\n"));
1595 } else {
1596 DEBUG(2, printf("ignoring that peer is DPD capable (RFC3706)\n"));
1597 }
1598 } else if (rp->u.vid.length == sizeof(VID_NETSCREEN_15)
1599 && memcmp(rp->u.vid.data, VID_NETSCREEN_15,
1600 sizeof(VID_NETSCREEN_15)) == 0) {
1601 DEBUG(2, printf("peer is using ScreenOS 5.3, 5.4 or 6.0\n"));
1602 } else if (rp->u.vid.length == sizeof(VID_HEARTBEAT_NOTIFY)
1603 && memcmp(rp->u.vid.data, VID_HEARTBEAT_NOTIFY,
1604 sizeof(VID_HEARTBEAT_NOTIFY)) == 0) {
1605 DEBUG(2, printf("peer sent Heartbeat Notify payload\n"));
1606 } else {
1607 hex_dump("unknown ISAKMP_PAYLOAD_VID",
1608 rp->u.vid.data, rp->u.vid.length, NULL);
1609 }
1610 break;
1611 case ISAKMP_PAYLOAD_NAT_D_OLD:
1612 case ISAKMP_PAYLOAD_NAT_D:
1613 s->ike.natd_type = rp->type;
1614 DEBUG(2, printf("peer is using type %d%s for NAT-Discovery payloads\n",
1615 s->ike.natd_type, val_to_string(s->ike.natd_type, isakmp_payload_enum_array)));
1616 if (!seen_sa) {
1617 reject = ISAKMP_N_INVALID_PAYLOAD_TYPE;
1618 } else if (opt_natt_mode == NATT_NONE) {
1619 ;
1620 } else if (rp->u.natd.length != s->ike.md_len) {
1621 reject = ISAKMP_N_PAYLOAD_MALFORMED;
1622 } else if (seen_natd == 0) {
1623 gcry_md_hd_t hm;
1624 uint16_t n_dst_port = htons(s->ike.dst_port);
1625
1626 s->ike.natd_us = xallocc(s->ike.md_len);
1627 s->ike.natd_them = xallocc(s->ike.md_len);
1628 memcpy(s->ike.natd_us, rp->u.natd.data, s->ike.md_len);
1629 gcry_md_open(&hm, s->ike.md_algo, 0);
1630 gcry_md_write(hm, s->ike.i_cookie, ISAKMP_COOKIE_LENGTH);
1631 gcry_md_write(hm, s->ike.r_cookie, ISAKMP_COOKIE_LENGTH);
1632 gcry_md_write(hm, &s->dst, sizeof(struct in_addr));
1633 gcry_md_write(hm, &n_dst_port, sizeof(uint16_t));
1634 gcry_md_final(hm);
1635 memcpy(s->ike.natd_them, gcry_md_read(hm, 0), s->ike.md_len);
1636 gcry_md_close(hm);
1637 seen_natd = 1;
1638 } else {
1639 if (memcmp(s->ike.natd_them, rp->u.natd.data, s->ike.md_len) == 0)
1640 seen_natd_them = 1;
1641 }
1642 break;
1643 case ISAKMP_PAYLOAD_N:
1644 if (rp->u.n.type == ISAKMP_N_IPSEC_RESPONDER_LIFETIME) {
1645 if (rp->u.n.protocol == ISAKMP_IPSEC_PROTO_ISAKMP)
1646 lifetime_ike_process(s, rp->u.n.attributes);
1647 else if (rp->u.n.protocol == ISAKMP_IPSEC_PROTO_IPSEC_ESP)
1648 lifetime_ipsec_process(s, rp->u.n.attributes);
1649 else
1650 DEBUG(2, printf("got unknown lifetime notice, ignoring..\n"));
1651 } else {
1652 DEBUG(1, printf("rejecting ISAKMP_PAYLOAD_N, type is not lifetime\n"));
1653 reject = ISAKMP_N_INVALID_PAYLOAD_TYPE;
1654 }
1655 break;
1656 default:
1657 DEBUG(1, printf("rejecting invalid payload type %d\n", rp->type));
1658 reject = ISAKMP_N_INVALID_PAYLOAD_TYPE;
1659 break;
1660 }
1661
1662 if (reject == 0) {
1663 gcry_cipher_algo_info(s->ike.cry_algo, GCRYCTL_GET_BLKLEN, NULL, &(s->ike.ivlen));
1664 gcry_cipher_algo_info(s->ike.cry_algo, GCRYCTL_GET_KEYLEN, NULL, &(s->ike.keylen));
1665 }
1666
1667 if (reject == 0 && (ke == NULL || ke->u.ke.length != dh_getlen(s->ike.dh_grp)))
1668 reject = ISAKMP_N_INVALID_KEY_INFORMATION;
1669 if (reject == 0 && nonce == NULL)
1670 reject = ISAKMP_N_INVALID_HASH_INFORMATION;
1671 if (reject != 0)
1672 error(1, 0, "response was invalid [2]: %s(%d)", val_to_string(reject, isakmp_notify_enum_array), reject);
1673 if (reject == 0 && idp == NULL)
1674 reject = ISAKMP_N_INVALID_ID_INFORMATION;
1675
1676 /* Decide if signature or hash is expected (sig only if vpnc is initiator of hybrid-auth */
1677 if (reject == 0 && opt_auth_mode == AUTH_MODE_PSK && (hash == NULL || hash->u.hash.length != s->ike.md_len))
1678 reject = ISAKMP_N_INVALID_HASH_INFORMATION;
1679 if (reject == 0 && sig == NULL &&
1680 (opt_auth_mode == AUTH_MODE_CERT ||
1681 opt_auth_mode == AUTH_MODE_HYBRID))
1682 reject = ISAKMP_N_INVALID_SIGNATURE;
1683 if (reject != 0)
1684 error(1, 0, "response was invalid [3]: %s(%d)", val_to_string(reject, isakmp_notify_enum_array), reject);
1685
1686 /* Determine the shared secret. */
1687 dh_shared_secret = xallocc(dh_getlen(s->ike.dh_grp));
1688 dh_create_shared(s->ike.dh_grp, dh_shared_secret, ke->u.ke.data);
1689 hex_dump("dh_shared_secret", dh_shared_secret, dh_getlen(s->ike.dh_grp), NULL);
1690 /* Generate SKEYID. */
1691 {
1692 gcry_md_open(&skeyid_ctx, s->ike.md_algo, GCRY_MD_FLAG_HMAC);
1693 gcry_md_setkey(skeyid_ctx, shared_key, strlen(shared_key));
1694 gcry_md_write(skeyid_ctx, s->ike.i_nonce, sizeof(s->ike.i_nonce));
1695 gcry_md_write(skeyid_ctx, nonce->u.nonce.data, nonce->u.nonce.length);
1696 gcry_md_final(skeyid_ctx);
1697 psk_skeyid = xallocc(s->ike.md_len);
1698 memcpy(psk_skeyid, gcry_md_read(skeyid_ctx, 0), s->ike.md_len);
1699 if (opt_debug < 99)
1700 DEBUG(3, printf("(not dumping psk hash)\n"));
1701 else
1702 hex_dump("psk_skeyid", psk_skeyid, s->ike.md_len, NULL);
1703 free(psk_skeyid);
1704 gcry_md_close(skeyid_ctx);
1705 DEBUG(99, printf("shared-key: %s\n",shared_key));
1706
1707 /* SKEYID - psk only */
1708 if (s->ike.auth_algo == IKE_AUTH_PRESHARED ||
1709 s->ike.auth_algo == IKE_AUTH_XAUTHInitPreShared ||
1710 s->ike.auth_algo == IKE_AUTH_XAUTHRespPreShared) {
1711 gcry_md_open(&skeyid_ctx, s->ike.md_algo, GCRY_MD_FLAG_HMAC);
1712 gcry_md_setkey(skeyid_ctx, shared_key, strlen(shared_key));
1713 gcry_md_write(skeyid_ctx, s->ike.i_nonce, sizeof(s->ike.i_nonce));
1714 gcry_md_write(skeyid_ctx, nonce->u.nonce.data, nonce->u.nonce.length);
1715 gcry_md_final(skeyid_ctx);
1716 } else if (s->ike.auth_algo == IKE_AUTH_DSS ||
1717 s->ike.auth_algo == IKE_AUTH_RSA_SIG ||
1718 s->ike.auth_algo == IKE_AUTH_ECDSA_SIG ||
1719 s->ike.auth_algo == IKE_AUTH_HybridInitRSA ||
1720 s->ike.auth_algo == IKE_AUTH_HybridRespRSA ||
1721 s->ike.auth_algo == IKE_AUTH_HybridInitDSS ||
1722 s->ike.auth_algo == IKE_AUTH_HybridRespDSS ||
1723 s->ike.auth_algo == IKE_AUTH_XAUTHInitDSS ||
1724 s->ike.auth_algo == IKE_AUTH_XAUTHRespDSS ||
1725 s->ike.auth_algo == IKE_AUTH_XAUTHInitRSA ||
1726 s->ike.auth_algo == IKE_AUTH_XAUTHRespRSA) {
1727 unsigned char *key;
1728 int key_len;
1729 key_len = sizeof(s->ike.i_nonce) + nonce->u.nonce.length;
1730 key = xallocc(key_len);
1731 memcpy(key, s->ike.i_nonce, sizeof(s->ike.i_nonce));
1732 memcpy(key + sizeof(s->ike.i_nonce), nonce->u.nonce.data, nonce->u.nonce.length);
1733 gcry_md_open(&skeyid_ctx, s->ike.md_algo, GCRY_MD_FLAG_HMAC);
1734 gcry_md_setkey(skeyid_ctx, key, key_len);
1735 gcry_md_write(skeyid_ctx, dh_shared_secret, dh_getlen(s->ike.dh_grp));
1736 gcry_md_final(skeyid_ctx);
1737 } else
1738 error(1, 0, "SKEYID could not be computed: %s", "the selected authentication method is not supported");
1739 skeyid = gcry_md_read(skeyid_ctx, 0);
1740 hex_dump("skeyid", skeyid, s->ike.md_len, NULL);
1741 }
1742
1743 /* Verify the hash. */
1744 {
1745 gcry_md_hd_t hm;
1746 unsigned char *expected_hash, *rec_hash;
1747 uint8_t *idp_f;
1748 size_t idp_size;
1749 size_t decr_size = 0;
1750
1751 flatten_isakmp_payload(idp, &idp_f, &idp_size);
1752
1753 gcry_md_open(&hm, s->ike.md_algo, GCRY_MD_FLAG_HMAC);
1754 gcry_md_setkey(hm, skeyid, s->ike.md_len);
1755 gcry_md_write(hm, ke->u.ke.data, ke->u.ke.length);
1756 gcry_md_write(hm, s->ike.dh_public, dh_getlen(s->ike.dh_grp));
1757 gcry_md_write(hm, s->ike.r_cookie, ISAKMP_COOKIE_LENGTH);
1758 gcry_md_write(hm, s->ike.i_cookie, ISAKMP_COOKIE_LENGTH);
1759 gcry_md_write(hm, s->ike.sa_f + 4, s->ike.sa_size - 4);
1760 gcry_md_write(hm, idp_f + 4, idp_size - 4);
1761 gcry_md_final(hm);
1762 expected_hash = gcry_md_read(hm, 0);
1763 hex_dump("expected hash", expected_hash, s->ike.md_len, NULL);
1764
1765 if (opt_auth_mode == AUTH_MODE_PSK) {
1766 if (memcmp(expected_hash, hash->u.hash.data, s->ike.md_len) != 0)
1767 error(2, 0, "hash comparison failed: %s(%d)\ncheck group password!",
1768 val_to_string(ISAKMP_N_AUTHENTICATION_FAILED, isakmp_notify_enum_array),
1769 ISAKMP_N_AUTHENTICATION_FAILED);
1770 hex_dump("received hash", hash->u.hash.data, hash->u.hash.length, NULL);
1771 } else if (opt_auth_mode == AUTH_MODE_CERT ||
1772 opt_auth_mode == AUTH_MODE_HYBRID) {
1773 hex_dump("received signature", sig->u.sig.data, sig->u.sig.length, NULL);
1774
1775 ret = crypto_verify_chain(cctx,
1776 config[CONFIG_CA_FILE],
1777 config[CONFIG_CA_DIR],
1778 &crerr);
1779 if (ret)
1780 crypto_call_error(crerr);
1781
1782 /* Verify signature */
1783 rec_hash = crypto_decrypt_signature (cctx,
1784 sig->u.sig.data,
1785 sig->u.sig.length,
1786 &decr_size,
1787 CRYPTO_PAD_PKCS1,
1788 &crerr);
1789 if (!rec_hash)
1790 crypto_call_error(crerr);
1791
1792 if (decr_size != s->ike.md_len) {
1793 printf("Decrypted-Size: %zd\n",decr_size);
1794 hex_dump(" decr_hash", rec_hash, decr_size, NULL);
1795 hex_dump("expected hash", expected_hash, s->ike.md_len, NULL);
1796
1797 error(2, 0, "The hash-value, which was decrypted from the received signature, and the expected hash-value differ in size.\n");
1798 } else {
1799 if (memcmp(rec_hash, expected_hash, decr_size) != 0) {
1800 printf("Decrypted-Size: %zd\n",decr_size);
1801 hex_dump(" decr_hash", rec_hash, decr_size, NULL);
1802 hex_dump("expected hash", expected_hash, s->ike.md_len, NULL);
1803
1804 error(2, 0, "The hash-value, which was decrypted from the received signature, and the expected hash-value differ.\n");
1805 } else {
1806 DEBUG(3, printf("Signature MATCH!!\n"));
1807 }
1808 }
1809 /* END - Signature Verification */
1810
1811 free(rec_hash);
1812 }
1813
1814 gcry_md_close(hm);
1815
1816 gcry_md_open(&hm, s->ike.md_algo, GCRY_MD_FLAG_HMAC);
1817 gcry_md_setkey(hm, skeyid, s->ike.md_len);
1818 gcry_md_write(hm, s->ike.dh_public, dh_getlen(s->ike.dh_grp));
1819 gcry_md_write(hm, ke->u.ke.data, ke->u.ke.length);
1820 gcry_md_write(hm, s->ike.i_cookie, ISAKMP_COOKIE_LENGTH);
1821 gcry_md_write(hm, s->ike.r_cookie, ISAKMP_COOKIE_LENGTH);
1822 gcry_md_write(hm, s->ike.sa_f + 4, s->ike.sa_size - 4);
1823 gcry_md_write(hm, s->ike.idi_f + 4, s->ike.idi_size - 4);
1824 gcry_md_final(hm);
1825 s->ike.returned_hash = xallocc(s->ike.md_len);
1826 memcpy(s->ike.returned_hash, gcry_md_read(hm, 0), s->ike.md_len);
1827 gcry_md_close(hm);
1828 hex_dump("returned_hash", s->ike.returned_hash, s->ike.md_len, NULL);
1829
1830 /* PRESHARED_KEY_HASH */
1831 gcry_md_open(&hm, s->ike.md_algo, GCRY_MD_FLAG_HMAC);
1832 gcry_md_setkey(hm, skeyid, s->ike.md_len);
1833 gcry_md_write(hm, shared_key, strlen(shared_key));
1834 gcry_md_final(hm);
1835 s->ike.psk_hash = xallocc(s->ike.md_len);
1836 memcpy(s->ike.psk_hash, gcry_md_read(hm, 0), s->ike.md_len);
1837 gcry_md_close(hm);
1838 hex_dump("psk_hash", s->ike.psk_hash, s->ike.md_len, NULL);
1839 /* End PRESHARED_KEY_HASH */
1840
1841 free(s->ike.sa_f);
1842 free(s->ike.idi_f);
1843 free(idp_f);
1844 s->ike.sa_f = NULL;
1845 s->ike.idi_f = NULL;
1846 }
1847
1848 /* Determine all the SKEYID_x keys. */
1849 {
1850 gcry_md_hd_t hm;
1851 int i;
1852 static const unsigned char c012[3] = { 0, 1, 2 };
1853 unsigned char *skeyid_e;
1854 unsigned char *dh_shared_secret;
1855
1856 /* Determine the shared secret. */
1857 dh_shared_secret = xallocc(dh_getlen(s->ike.dh_grp));
1858 dh_create_shared(s->ike.dh_grp, dh_shared_secret, ke->u.ke.data);
1859 hex_dump("dh_shared_secret", dh_shared_secret, dh_getlen(s->ike.dh_grp), NULL);
1860
1861 gcry_md_open(&hm, s->ike.md_algo, GCRY_MD_FLAG_HMAC);
1862 gcry_md_setkey(hm, skeyid, s->ike.md_len);
1863 gcry_md_write(hm, dh_shared_secret, dh_getlen(s->ike.dh_grp));
1864 gcry_md_write(hm, s->ike.i_cookie, ISAKMP_COOKIE_LENGTH);
1865 gcry_md_write(hm, s->ike.r_cookie, ISAKMP_COOKIE_LENGTH);
1866 gcry_md_write(hm, c012 + 0, 1);
1867 gcry_md_final(hm);
1868 if (s->ike.skeyid_d) free(s->ike.skeyid_d);
1869 s->ike.skeyid_d = xallocc(s->ike.md_len);
1870 memcpy(s->ike.skeyid_d, gcry_md_read(hm, 0), s->ike.md_len);
1871 gcry_md_close(hm);
1872 hex_dump("skeyid_d", s->ike.skeyid_d, s->ike.md_len, NULL);
1873
1874 gcry_md_open(&hm, s->ike.md_algo, GCRY_MD_FLAG_HMAC);
1875 gcry_md_setkey(hm, skeyid, s->ike.md_len);
1876 gcry_md_write(hm, s->ike.skeyid_d, s->ike.md_len);
1877 gcry_md_write(hm, dh_shared_secret, dh_getlen(s->ike.dh_grp));
1878 gcry_md_write(hm, s->ike.i_cookie, ISAKMP_COOKIE_LENGTH);
1879 gcry_md_write(hm, s->ike.r_cookie, ISAKMP_COOKIE_LENGTH);
1880 gcry_md_write(hm, c012 + 1, 1);
1881 gcry_md_final(hm);
1882 if (s->ike.skeyid_a) free(s->ike.skeyid_a);
1883 s->ike.skeyid_a = xallocc(s->ike.md_len);
1884 memcpy(s->ike.skeyid_a, gcry_md_read(hm, 0), s->ike.md_len);
1885 gcry_md_close(hm);
1886 hex_dump("skeyid_a", s->ike.skeyid_a, s->ike.md_len, NULL);
1887
1888 gcry_md_open(&hm, s->ike.md_algo, GCRY_MD_FLAG_HMAC);
1889 gcry_md_setkey(hm, skeyid, s->ike.md_len);
1890 gcry_md_write(hm, s->ike.skeyid_a, s->ike.md_len);
1891 gcry_md_write(hm, dh_shared_secret, dh_getlen(s->ike.dh_grp));
1892 gcry_md_write(hm, s->ike.i_cookie, ISAKMP_COOKIE_LENGTH);
1893 gcry_md_write(hm, s->ike.r_cookie, ISAKMP_COOKIE_LENGTH);
1894 gcry_md_write(hm, c012 + 2, 1);
1895 gcry_md_final(hm);
1896 skeyid_e = xallocc(s->ike.md_len);
1897 memcpy(skeyid_e, gcry_md_read(hm, 0), s->ike.md_len);
1898 gcry_md_close(hm);
1899 hex_dump("skeyid_e", skeyid_e, s->ike.md_len, NULL);
1900
1901 memset(dh_shared_secret, 0, sizeof(dh_shared_secret));
1902 free(dh_shared_secret);
1903
1904 /* Determine the IKE encryption key. */
1905 if (s->ike.key) free(s->ike.key);
1906 s->ike.key = xallocc(s->ike.keylen);
1907
1908 if (s->ike.keylen > s->ike.md_len) {
1909 for (i = 0; i * s->ike.md_len < s->ike.keylen; i++) {
1910 gcry_md_open(&hm, s->ike.md_algo, GCRY_MD_FLAG_HMAC);
1911 gcry_md_setkey(hm, skeyid_e, s->ike.md_len);
1912 if (i == 0)
1913 gcry_md_write(hm, "" /* &'\0' */ , 1);
1914 else
1915 gcry_md_write(hm, s->ike.key + (i - 1) * s->ike.md_len,
1916 s->ike.md_len);
1917 gcry_md_final(hm);
1918 memcpy(s->ike.key + i * s->ike.md_len, gcry_md_read(hm, 0),
1919 min(s->ike.md_len, s->ike.keylen - i * s->ike.md_len));
1920 gcry_md_close(hm);
1921 }
1922 } else { /* keylen <= md_len */
1923 memcpy(s->ike.key, skeyid_e, s->ike.keylen);
1924 }
1925 hex_dump("enc-key", s->ike.key, s->ike.keylen, NULL);
1926
1927 memset(skeyid_e, 0, s->ike.md_len);
1928 free(skeyid_e);
1929 }
1930
1931 /* Determine the initial IV. */
1932 {
1933 gcry_md_hd_t hm;
1934
1935 assert(s->ike.ivlen <= s->ike.md_len);
1936 gcry_md_open(&hm, s->ike.md_algo, 0);
1937 gcry_md_write(hm, s->ike.dh_public, dh_getlen(s->ike.dh_grp));
1938 gcry_md_write(hm, ke->u.ke.data, ke->u.ke.length);
1939 gcry_md_final(hm);
1940 if (s->ike.current_iv) free(s->ike.current_iv);
1941 s->ike.current_iv = xallocc(s->ike.ivlen);
1942 memcpy(s->ike.current_iv, gcry_md_read(hm, 0), s->ike.ivlen);
1943 gcry_md_close(hm);
1944 hex_dump("current_iv", s->ike.current_iv, s->ike.ivlen, NULL);
1945 memset(s->ike.current_iv_msgid, 0, 4);
1946 }
1947
1948 gcry_md_close(skeyid_ctx);
1949 crypto_ctx_free(cctx);
1950 free(dh_shared_secret);
1951
1952 /* Determine presence of NAT */
1953 if (s->ike.natd_type != 0) {
1954 seen_natd_us = 0;
1955 /* this could be repeated for any known outbound interfaces */
1956 {
1957 gcry_md_hd_t hm;
1958 uint16_t n_src_port = htons(s->ike.src_port);
1959
1960 gcry_md_open(&hm, s->ike.md_algo, 0);
1961 gcry_md_write(hm, s->ike.i_cookie, ISAKMP_COOKIE_LENGTH);
1962 gcry_md_write(hm, s->ike.r_cookie, ISAKMP_COOKIE_LENGTH);
1963 gcry_md_write(hm, &s->src, sizeof(struct in_addr));
1964 gcry_md_write(hm, &n_src_port, sizeof(uint16_t));
1965 gcry_md_final(hm);
1966 if (memcmp(s->ike.natd_us, gcry_md_read(hm, 0), s->ike.md_len) == 0)
1967 seen_natd_us = 1;
1968 memcpy(s->ike.natd_us, gcry_md_read(hm, 0), s->ike.md_len);
1969 if (opt_natt_mode == NATT_FORCE) {
1970 /* force detection of "this end behind NAT" */
1971 /* by flipping a bit in the nat-detection-hash */
1972 s->ike.natd_us[0] ^= 1;
1973 seen_natd_us = 0;
1974 }
1975 gcry_md_close(hm);
1976 }
1977 /* if there is a NAT, change to port 4500 and select UDP encap */
1978 if (!seen_natd_us || !seen_natd_them) {
1979 DEBUG(1, printf("NAT status: this end behind NAT? %s -- remote end behind NAT? %s\n",
1980 seen_natd_us ? "no" : "YES", seen_natd_them ? "no" : "YES"));
1981 switch (s->ike.natd_type) {
1982 case ISAKMP_PAYLOAD_NAT_D:
1983 s->ipsec.encap_mode = IPSEC_ENCAP_UDP_TUNNEL;
1984 break;
1985 case ISAKMP_PAYLOAD_NAT_D_OLD:
1986 s->ipsec.encap_mode = IPSEC_ENCAP_UDP_TUNNEL_OLD;
1987 break;
1988 default:
1989 abort();
1990 }
1991 if (natt_draft >= 2) {
1992 s->ipsec.natt_active_mode = NATT_ACTIVE_RFC;
1993 close(s->ike_fd);
1994 if (s->ike.src_port == ISAKMP_PORT)
1995 s->ike.src_port = ISAKMP_PORT_NATT;
1996 s->ike_fd = make_socket(s, s->ike.src_port, s->ike.dst_port = ISAKMP_PORT_NATT);
1997 } else {
1998 s->ipsec.natt_active_mode = NATT_ACTIVE_DRAFT_OLD;
1999 }
2000 } else {
2001 DEBUG(1, printf("NAT status: NAT-T VID seen, no NAT device detected\n"));
2002 }
2003 } else {
2004 DEBUG(1, printf("NAT status: no NAT-T VID seen\n"));
2005 }
2006
2007 /* This seems to cause a duplicate free of some data when rekeying:
2008 * *** glibc detected *** vpnc-connect: free(): invalid pointer: 0x09d63ba5
2009 * See also: http://bugs.gentoo.org/show_bug.cgi?id=229003
2010 */
2011 #if 1
2012 free_isakmp_packet(r);
2013 #endif
2014
2015 }
2016 }
2017
2018 static void do_phase1_am_packet3(struct sa_block *s)
2019 {
2020 DEBUGTOP(2, printf("S4.5 AM_packet3\n"));
2021 /* Send final phase 1 packet. */
2022 {
2023 struct isakmp_packet *p2;
2024 uint8_t *p2kt;
2025 size_t p2kt_len;
2026 struct isakmp_payload *pl;
2027
2028 p2 = new_isakmp_packet();
2029 memcpy(p2->i_cookie, s->ike.i_cookie, ISAKMP_COOKIE_LENGTH);
2030 memcpy(p2->r_cookie, s->ike.r_cookie, ISAKMP_COOKIE_LENGTH);
2031 p2->flags = ISAKMP_FLAG_E;
2032 p2->isakmp_version = ISAKMP_VERSION;
2033 p2->exchange_type = ISAKMP_EXCHANGE_AGGRESSIVE;
2034 /* XXX CERT Add id(?), cert and sig here in case of cert auth */
2035 p2->payload = new_isakmp_data_payload(ISAKMP_PAYLOAD_HASH,
2036 s->ike.returned_hash, s->ike.md_len);
2037 p2->payload->next = pl = new_isakmp_payload(ISAKMP_PAYLOAD_N);
2038 pl->u.n.doi = ISAKMP_DOI_IPSEC;
2039 pl->u.n.protocol = ISAKMP_IPSEC_PROTO_ISAKMP;
2040 pl->u.n.type = ISAKMP_N_IPSEC_INITIAL_CONTACT;
2041 pl->u.n.spi_length = 2 * ISAKMP_COOKIE_LENGTH;
2042 pl->u.n.spi = xallocc(2 * ISAKMP_COOKIE_LENGTH);
2043 memcpy(pl->u.n.spi + ISAKMP_COOKIE_LENGTH * 0, s->ike.i_cookie, ISAKMP_COOKIE_LENGTH);
2044 memcpy(pl->u.n.spi + ISAKMP_COOKIE_LENGTH * 1, s->ike.r_cookie, ISAKMP_COOKIE_LENGTH);
2045
2046 /* send PSK-hash if hybrid authentication is negotiated */
2047 if (s->ike.auth_algo == IKE_AUTH_HybridInitRSA ||
2048 s->ike.auth_algo == IKE_AUTH_HybridInitDSS) {
2049 /* Notify - PRESHARED_KEY_HASH */
2050 pl = pl->next = new_isakmp_payload(ISAKMP_PAYLOAD_N);
2051 pl->u.n.doi = ISAKMP_DOI_IPSEC;
2052 pl->u.n.protocol = ISAKMP_IPSEC_PROTO_ISAKMP;
2053 /* Notify Message - Type: PRESHARED_KEY_HASH */
2054 pl->u.n.type = ISAKMP_N_CISCO_PRESHARED_KEY_HASH;
2055 pl->u.n.spi_length = 2 * ISAKMP_COOKIE_LENGTH;
2056 pl->u.n.spi = xallocc(2 * ISAKMP_COOKIE_LENGTH);
2057 memcpy(pl->u.n.spi + ISAKMP_COOKIE_LENGTH * 0,
2058 s->ike.i_cookie, ISAKMP_COOKIE_LENGTH);
2059 memcpy(pl->u.n.spi + ISAKMP_COOKIE_LENGTH * 1,
2060 s->ike.r_cookie, ISAKMP_COOKIE_LENGTH);
2061 pl->u.n.data_length = s->ike.md_len;
2062 pl->u.n.data = xallocc(pl->u.n.data_length);
2063 memcpy(pl->u.n.data, s->ike.psk_hash, pl->u.n.data_length);
2064 /* End Notify - PRESHARED_KEY_HASH */
2065 }
2066 pl = pl->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID,
2067 VID_UNKNOWN, sizeof(VID_UNKNOWN));
2068 pl = pl->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID,
2069 VID_UNITY, sizeof(VID_UNITY));
2070
2071 /* include NAT traversal discovery payloads */
2072 if (s->ike.natd_type != 0) {
2073 pl = pl->next = new_isakmp_data_payload(s->ike.natd_type,
2074 s->ike.natd_them, s->ike.md_len);
2075 pl->next = new_isakmp_data_payload(s->ike.natd_type,
2076 s->ike.natd_us, s->ike.md_len);
2077 free(s->ike.natd_us);
2078 free(s->ike.natd_them);
2079 s->ike.natd_us = NULL;
2080 s->ike.natd_them = NULL;
2081 }
2082
2083 flatten_isakmp_packet(p2, &p2kt, &p2kt_len, s->ike.ivlen);
2084 free_isakmp_packet(p2);
2085 isakmp_crypt(s, p2kt, p2kt_len, 1);
2086
2087 if (s->ike.initial_iv) free(s->ike.initial_iv);
2088 s->ike.initial_iv = xallocc(s->ike.ivlen);
2089 memcpy(s->ike.initial_iv, s->ike.current_iv, s->ike.ivlen);
2090 hex_dump("initial_iv", s->ike.initial_iv, s->ike.ivlen, NULL);
2091
2092 /* Now, send that packet and receive a new one. */
2093 r_length = sendrecv(s, r_packet, sizeof(r_packet), p2kt, p2kt_len, 0);
2094 free(p2kt);
2095 }
2096 }
2097
2098 static void do_phase1_am_cleanup(struct sa_block *s)
2099 {
2100 DEBUGTOP(2, printf("S4.6 cleanup\n"));
2101
2102 free(s->ike.psk_hash);
2103 s->ike.psk_hash = NULL;
2104 free(s->ike.dh_public);
2105 group_free(s->ike.dh_grp);
2106 free(s->ike.returned_hash);
2107 s->ike.returned_hash = NULL;
2108 }
2109
2110 static void do_phase1_am(const char *key_id, const char *shared_key, struct sa_block *s)
2111 {
2112 do_phase1_am_init(s);
2113 do_phase1_am_packet1(s, key_id);
2114 do_phase1_am_packet2(s, shared_key);
2115 do_phase1_am_packet3(s);
2116 do_phase1_am_cleanup(s);
2117 }
2118
2119 static int do_phase2_notice_check(struct sa_block *s, struct isakmp_packet **r_p,
2120 const uint8_t * nonce, size_t nonce_size)
2121 {
2122 int reject = 0;
2123 struct isakmp_packet *r;
2124
2125 while (1) {
2126 reject = unpack_verify_phase2(s, r_packet, r_length, r_p, nonce, nonce_size);
2127 if (reject == ISAKMP_N_INVALID_COOKIE) {
2128 r_length = sendrecv(s, r_packet, sizeof(r_packet), NULL, 0, 0);
2129 continue;
2130 }
2131 if (*r_p == NULL) {
2132 assert(reject != 0);
2133 return reject;
2134 }
2135 r = *r_p;
2136
2137 /* check for notices */
2138 if (r->exchange_type == ISAKMP_EXCHANGE_INFORMATIONAL &&
2139 r->payload->next != NULL) {
2140 if (r->payload->next->type == ISAKMP_PAYLOAD_N) {
2141 if (r->payload->next->u.n.type == ISAKMP_N_CISCO_LOAD_BALANCE) {
2142 /* load balancing notice ==> restart with new gw */
2143 if (r->payload->next->u.n.data_length != 4)
2144 error(1, 0, "malformed loadbalance target");
2145 s->dst = *(struct in_addr *)r->payload->next->u.n.data;
2146 s->ike.dst_port = ISAKMP_PORT;
2147 s->ipsec.encap_mode = IPSEC_ENCAP_TUNNEL;
2148 s->ipsec.natt_active_mode = NATT_ACTIVE_NONE;
2149 if (s->ike.src_port == ISAKMP_PORT_NATT)
2150 s->ike.src_port = ISAKMP_PORT;
2151 close(s->ike_fd);
2152 s->ike_fd = make_socket(s, s->ike.src_port, s->ike.dst_port);
2153 DEBUG(2, printf("got cisco loadbalancing notice, diverting to %s\n",
2154 inet_ntoa(s->dst)));
2155 return -1;
2156 } else if (r->payload->next->u.n.type == ISAKMP_N_IPSEC_RESPONDER_LIFETIME) {
2157 if (r->payload->next->u.n.protocol == ISAKMP_IPSEC_PROTO_ISAKMP)
2158 lifetime_ike_process(s, r->payload->next->u.n.attributes);
2159 else if (r->payload->next->u.n.protocol == ISAKMP_IPSEC_PROTO_IPSEC_ESP)
2160 lifetime_ipsec_process(s, r->payload->next->u.n.attributes);
2161 else
2162 DEBUG(2, printf("got unknown lifetime notice, ignoring..\n"));
2163 r_length = sendrecv(s, r_packet, sizeof(r_packet), NULL, 0, 0);
2164 continue;
2165 } else if (r->payload->next->u.n.type == ISAKMP_N_IPSEC_INITIAL_CONTACT) {
2166 /* why in hell do we get this?? */
2167 DEBUG(2, printf("got initial contact notice, ignoring..\n"));
2168 r_length = sendrecv(s, r_packet, sizeof(r_packet), NULL, 0, 0);
2169 continue;
2170 } else {
2171 /* whatever */
2172 printf("received notice of type %s(%d), giving up\n",
2173 val_to_string(r->payload->next->u.n.type, isakmp_notify_enum_array),
2174 r->payload->next->u.n.type);
2175 return reject;
2176 }
2177 }
2178 if (r->payload->next->type == ISAKMP_PAYLOAD_D) {
2179 /* delete notice ==> ignore */
2180 DEBUG(2, printf("got delete for old connection, ignoring..\n"));
2181 r_length = sendrecv(s, r_packet, sizeof(r_packet), NULL, 0, 0);
2182 continue;
2183 }
2184 }
2185
2186 break;
2187 }
2188 return reject;
2189 }
2190
2191 static int do_phase2_xauth(struct sa_block *s)
2192 {
2193 struct isakmp_packet *r = NULL;
2194 int loopcount;
2195 int reject;
2196 int passwd_used = 0;
2197
2198 DEBUGTOP(2, printf("S5.1 xauth_request\n"));
2199 /* This can go around for a while. */
2200 for (loopcount = 0;; loopcount++) {
2201 struct isakmp_payload *rp;
2202 struct isakmp_attribute *a, *ap, *reply_attr, *last_reply_attr;
2203 char ntop_buf[32];
2204 int seen_answer = 0;
2205
2206 DEBUGTOP(2, printf("S5.2 notice_check\n"));
2207
2208 /* recv and check for notices */
2209 if (r) free_isakmp_packet(r);
2210 r = NULL;
2211 reject = do_phase2_notice_check(s, &r, NULL, 0);
2212 if (reject == -1) {
2213 if (r) free_isakmp_packet(r);
2214 return 1;
2215 }
2216
2217 DEBUGTOP(2, printf("S5.3 type-is-xauth check\n"));
2218 /* Check the transaction type is OK. */
2219 if (reject == 0 && r->exchange_type != ISAKMP_EXCHANGE_MODECFG_TRANSACTION)
2220 reject = ISAKMP_N_INVALID_EXCHANGE_TYPE;
2221
2222 /* After the hash, expect an attribute block. */
2223 if (reject == 0
2224 && (r->payload->next == NULL
2225 || r->payload->next->next != NULL
2226 || r->payload->next->type != ISAKMP_PAYLOAD_MODECFG_ATTR))
2227 reject = ISAKMP_N_INVALID_PAYLOAD_TYPE;
2228
2229 if (reject == 0 && r->payload->next->u.modecfg.type == ISAKMP_MODECFG_CFG_SET) {
2230 /* OK, the server has finished requesting information, go for the final set/ack */
2231 break;
2232 }
2233
2234 if (reject == 0 && r->payload->next->u.modecfg.type != ISAKMP_MODECFG_CFG_REQUEST)
2235 reject = ISAKMP_N_INVALID_PAYLOAD_TYPE;
2236
2237 if (reject != 0)
2238 phase2_fatal(s, "expected xauth packet; rejected: %s(%d)", reject);
2239
2240 DEBUGTOP(2, printf("S5.4 xauth type check\n"));
2241 a = r->payload->next->u.modecfg.attributes;
2242 /* First, print any messages, and verify that we understand the
2243 * conversation. This looks for any place were input is
2244 * required - in these cases, we need to print the prompt
2245 * regardless of whether the user requested interactive mode
2246 * or not. */
2247 for (ap = a; ap && seen_answer == 0; ap = ap->next)
2248 if (ap->type == ISAKMP_XAUTH_06_ATTRIB_ANSWER
2249 || ap->type == ISAKMP_XAUTH_06_ATTRIB_NEXT_PIN
2250 /* || ap->type == ISAKMP_XAUTH_06_ATTRIB_PASSCODE */)
2251 seen_answer = 1;
2252
2253 for (ap = a; ap && reject == 0; ap = ap->next)
2254 switch (ap->type) {
2255 case ISAKMP_XAUTH_06_ATTRIB_TYPE:
2256 if (ap->af != isakmp_attr_16 || ap->u.attr_16 != 0)
2257 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
2258 break;
2259 case ISAKMP_XAUTH_06_ATTRIB_USER_NAME:
2260 case ISAKMP_XAUTH_06_ATTRIB_USER_PASSWORD:
2261 case ISAKMP_XAUTH_06_ATTRIB_PASSCODE:
2262 case ISAKMP_XAUTH_06_ATTRIB_DOMAIN:
2263 case ISAKMP_XAUTH_06_ATTRIB_ANSWER:
2264 case ISAKMP_XAUTH_06_ATTRIB_NEXT_PIN:
2265 case ISAKMP_XAUTH_ATTRIB_CISCOEXT_VENDOR:
2266 case ISAKMP_MODECFG_ATTRIB_CISCO_UNKNOWN_0X0015:
2267 break;
2268 case ISAKMP_XAUTH_06_ATTRIB_MESSAGE:
2269 if (opt_debug || seen_answer || config[CONFIG_XAUTH_INTERACTIVE]) {
2270 if (ap->af == isakmp_attr_16)
2271 printf("%c%c\n", ap->u.attr_16 >> 8, ap->u.attr_16);
2272 else
2273 printf("%.*s%s", ap->u.lots.length, ap->u.lots.data,
2274 ((ap->u.lots.data
2275 && ap->u.lots.data[ap->u.
2276 lots.length - 1] !=
2277 '\n')
2278 ? "\n" : ""));
2279 }
2280 break;
2281 default:
2282 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
2283 }
2284 if (reject != 0)
2285 phase2_fatal(s, "xauth packet unsupported: %s(%d)", reject);
2286
2287 DEBUGTOP(2, printf("S5.5 do xauth reply\n"));
2288 inet_ntop(AF_INET, &s->dst, ntop_buf, sizeof(ntop_buf));
2289
2290 /* Collect data from the user. */
2291 reply_attr = last_reply_attr = NULL;
2292 for (ap = a; ap && reject == 0; ap = ap->next) {
2293 struct isakmp_attribute *na = NULL;
2294
2295 switch (ap->type) {
2296 case ISAKMP_XAUTH_06_ATTRIB_TYPE:
2297 case ISAKMP_MODECFG_ATTRIB_CISCO_UNKNOWN_0X0015:
2298 {
2299 na = new_isakmp_attribute_16(ap->type, ap->u.attr_16, NULL);
2300 break;
2301 }
2302 case ISAKMP_XAUTH_06_ATTRIB_DOMAIN:
2303 na = new_isakmp_attribute(ap->type, NULL);
2304 if (!config[CONFIG_DOMAIN])
2305 error(1, 0,
2306 "server requested domain, but none set (use \"Domain ...\" in config or --domain");
2307 na->u.lots.length = strlen(config[CONFIG_DOMAIN]);
2308 na->u.lots.data = xallocc(na->u.lots.length);
2309 memcpy(na->u.lots.data, config[CONFIG_DOMAIN],
2310 na->u.lots.length);
2311 break;
2312 case ISAKMP_XAUTH_06_ATTRIB_USER_NAME:
2313 {
2314 na = new_isakmp_attribute(ap->type, NULL);
2315 na->u.lots.length = strlen(config[CONFIG_XAUTH_USERNAME]);
2316 na->u.lots.data = xallocc(na->u.lots.length);
2317 memcpy(na->u.lots.data, config[CONFIG_XAUTH_USERNAME],
2318 na->u.lots.length);
2319 break;
2320 }
2321 case ISAKMP_XAUTH_06_ATTRIB_ANSWER:
2322 case ISAKMP_XAUTH_06_ATTRIB_USER_PASSWORD:
2323 case ISAKMP_XAUTH_06_ATTRIB_PASSCODE:
2324 case ISAKMP_XAUTH_06_ATTRIB_NEXT_PIN:
2325 if (passwd_used && config[CONFIG_NON_INTERACTIVE]) {
2326 reject = ISAKMP_N_AUTHENTICATION_FAILED;
2327 phase2_fatal(s, "noninteractive can't reuse password", reject);
2328 error(2, 0, "authentication failed (requires interactive mode)");
2329 } else if (seen_answer || passwd_used || config[CONFIG_XAUTH_INTERACTIVE]) {
2330 char *pass, *prompt = NULL;
2331
2332 asprintf(&prompt, "%s for VPN %s@%s: ",
2333 (ap->type == ISAKMP_XAUTH_06_ATTRIB_ANSWER) ?
2334 "Answer" :
2335 (ap->type == ISAKMP_XAUTH_06_ATTRIB_USER_PASSWORD) ?
2336 "Password" : "Passcode",
2337 config[CONFIG_XAUTH_USERNAME], ntop_buf);
2338 pass = getpass(prompt);
2339 free(prompt);
2340
2341 na = new_isakmp_attribute(ap->type, NULL);
2342 na->u.lots.length = strlen(pass);
2343 na->u.lots.data = xallocc(na->u.lots.length);
2344 memcpy(na->u.lots.data, pass, na->u.lots.length);
2345 memset(pass, 0, na->u.lots.length);
2346 } else {
2347 na = new_isakmp_attribute(ap->type, NULL);
2348 na->u.lots.length = strlen(config[CONFIG_XAUTH_PASSWORD]);
2349 na->u.lots.data = xallocc(na->u.lots.length);
2350 memcpy(na->u.lots.data, config[CONFIG_XAUTH_PASSWORD],
2351 na->u.lots.length);
2352 passwd_used = 1; /* Provide canned password at most once */
2353 }
2354 break;
2355 default:
2356 ;
2357 }
2358 if (na == NULL)
2359 continue;
2360 if (last_reply_attr != NULL) {
2361 last_reply_attr->next = na;
2362 last_reply_attr = na;
2363 } else {
2364 last_reply_attr = reply_attr = na;
2365 }
2366 }
2367
2368 /* Send the response. */
2369 rp = new_isakmp_payload(ISAKMP_PAYLOAD_MODECFG_ATTR);
2370 rp->u.modecfg.type = ISAKMP_MODECFG_CFG_REPLY;
2371 rp->u.modecfg.id = r->payload->next->u.modecfg.id;
2372 rp->u.modecfg.attributes = reply_attr;
2373 sendrecv_phase2(s, rp, ISAKMP_EXCHANGE_MODECFG_TRANSACTION,
2374 r->message_id, 0, 0, 0, 0, 0);
2375
2376 }
2377
2378 if ((opt_vendor == VENDOR_NETSCREEN) &&
2379 (r->payload->next->u.modecfg.type == ISAKMP_MODECFG_CFG_SET)) {
2380 struct isakmp_attribute *a = r->payload->next->u.modecfg.attributes;
2381
2382 DEBUGTOP(2, printf("S5.5.1 do netscreen modecfg extra\n"));
2383
2384 do_config_to_env(s, a);
2385
2386 for (; a; a = a->next)
2387 if(a->af == isakmp_attr_lots)
2388 a->u.lots.length = 0;
2389
2390 r->payload->next->u.modecfg.type = ISAKMP_MODECFG_CFG_ACK;
2391 sendrecv_phase2(s, r->payload->next,
2392 ISAKMP_EXCHANGE_MODECFG_TRANSACTION,
2393 r->message_id, 0, 0, 0, 0, 0);
2394
2395 reject = do_phase2_notice_check(s, &r, NULL, 0);
2396 if (reject == -1) {
2397 free_isakmp_packet(r);
2398 return 1;
2399 }
2400 }
2401
2402 DEBUGTOP(2, printf("S5.6 process xauth set\n"));
2403 {
2404 /* The final SET should have just one attribute. */
2405 struct isakmp_attribute *a = r->payload->next->u.modecfg.attributes;
2406 uint16_t set_result = 1;
2407
2408 if (a == NULL
2409 || a->type != ISAKMP_XAUTH_06_ATTRIB_STATUS
2410 || a->af != isakmp_attr_16 || a->next != NULL) {
2411 reject = ISAKMP_N_INVALID_PAYLOAD_TYPE;
2412 phase2_fatal(s, "xauth SET message rejected: %s(%d)", reject);
2413 } else {
2414 set_result = a->u.attr_16;
2415 }
2416
2417 /* ACK the SET. */
2418 DEBUGTOP(2, printf("S5.7 send xauth ack\n"));
2419 r->payload->next->u.modecfg.type = ISAKMP_MODECFG_CFG_ACK;
2420 sendrecv_phase2(s, r->payload->next, ISAKMP_EXCHANGE_MODECFG_TRANSACTION,
2421 r->message_id, 1, 0, 0, 0, 0);
2422 r->payload->next = NULL; /* this part is already free()d by sendrecv_phase2 */
2423 free_isakmp_packet(r); /* this frees the received set packet (header+hash) */
2424
2425 if (set_result == 0)
2426 error(2, 0, "authentication unsuccessful");
2427 }
2428 DEBUGTOP(2, printf("S5.8 xauth done\n"));
2429 return 0;
2430 }
2431
2432 static int do_phase2_config(struct sa_block *s)
2433 {
2434 struct isakmp_payload *rp;
2435 struct isakmp_attribute *a;
2436 struct isakmp_packet *r;
2437 struct utsname uts;
2438 uint32_t msgid;
2439 int reject;
2440
2441 uname(&uts);
2442
2443 gcry_create_nonce((uint8_t *) & msgid, sizeof(msgid));
2444 if (msgid == 0)
2445 msgid = 1;
2446
2447 rp = new_isakmp_payload(ISAKMP_PAYLOAD_MODECFG_ATTR);
2448 rp->u.modecfg.type = ISAKMP_MODECFG_CFG_REQUEST;
2449 rp->u.modecfg.id = 20;
2450 a = NULL;
2451
2452 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_APPLICATION_VERSION, a);
2453 a->u.lots.length = strlen(config[CONFIG_VERSION]);
2454 a->u.lots.data = xallocc(a->u.lots.length);
2455 memcpy(a->u.lots.data, config[CONFIG_VERSION], a->u.lots.length);
2456
2457 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_CISCO_DDNS_HOSTNAME, a);
2458 a->u.lots.length = strlen(uts.nodename);
2459 a->u.lots.data = xallocc(a->u.lots.length);
2460 memcpy(a->u.lots.data, uts.nodename, a->u.lots.length);
2461
2462 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_CISCO_SPLIT_DNS, a);
2463 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_CISCO_SPLIT_INC, a);
2464 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_CISCO_SAVE_PW, a);
2465
2466 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_CISCO_BANNER, a);
2467 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_CISCO_DO_PFS, a);
2468 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_CISCO_FW_TYPE, a);
2469 a->u.lots.length = sizeof(FW_UNKNOWN_TYPEINFO);
2470 a->u.lots.data = xallocc(a->u.lots.length);
2471 memcpy(a->u.lots.data, FW_UNKNOWN_TYPEINFO, a->u.lots.length);
2472 if (opt_natt_mode == NATT_CISCO_UDP)
2473 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_CISCO_UDP_ENCAP_PORT, a);
2474 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_CISCO_DEF_DOMAIN, a);
2475 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_INTERNAL_IP4_NBNS, a);
2476 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_INTERNAL_IP4_DNS, a);
2477 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_INTERNAL_IP4_NETMASK, a);
2478 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_INTERNAL_IP4_ADDRESS, a);
2479
2480 rp->u.modecfg.attributes = a;
2481 DEBUGTOP(2, printf("S6.1 phase2_config send modecfg\n"));
2482 sendrecv_phase2(s, rp, ISAKMP_EXCHANGE_MODECFG_TRANSACTION, msgid, 0, 0, 0, 0, 0);
2483
2484 DEBUGTOP(2, printf("S6.2 phase2_config receive modecfg\n"));
2485 /* recv and check for notices */
2486 reject = do_phase2_notice_check(s, &r, NULL, 0);
2487 if (reject == -1) {
2488 if (r) free_isakmp_packet(r);
2489 return 1;
2490 }
2491
2492 /* Check the transaction type & message ID are OK. */
2493 if (reject == 0 && r->message_id != msgid)
2494 reject = ISAKMP_N_INVALID_MESSAGE_ID;
2495 if (reject == 0 && r->exchange_type != ISAKMP_EXCHANGE_MODECFG_TRANSACTION)
2496 reject = ISAKMP_N_INVALID_EXCHANGE_TYPE;
2497
2498 /* After the hash, expect an attribute block. */
2499 if (reject == 0
2500 && (r->payload->next == NULL
2501 || r->payload->next->next != NULL
2502 || r->payload->next->type != ISAKMP_PAYLOAD_MODECFG_ATTR
2503 #if 0
2504 || r->payload->next->u.modecfg.id != 20
2505 #endif
2506 || r->payload->next->u.modecfg.type != ISAKMP_MODECFG_CFG_REPLY))
2507 reject = ISAKMP_N_PAYLOAD_MALFORMED;
2508
2509 if (reject != 0)
2510 phase2_fatal(s, "configuration response rejected: %s(%d)", reject);
2511
2512 if (reject == 0)
2513 reject = do_config_to_env(s, r->payload->next->u.modecfg.attributes);
2514
2515 if (reject != 0)
2516 phase2_fatal(s, "configuration response rejected: %s(%d)", reject);
2517
2518 DEBUG(1, printf("got address %s\n", getenv("INTERNAL_IP4_ADDRESS")));
2519 free_isakmp_packet(r);
2520 return 0;
2521 }
2522
2523 static struct isakmp_attribute *make_transform_ipsec(struct sa_block *s, int dh_group, int hash, int keylen)
2524 {
2525 struct isakmp_attribute *a = NULL;
2526
2527 a = new_isakmp_attribute(ISAKMP_IPSEC_ATTRIB_SA_LIFE_DURATION, a);
2528 a->af = isakmp_attr_lots;
2529 a->u.lots.length = 4;
2530 a->u.lots.data = xallocc(a->u.lots.length);
2531 *((uint32_t *) a->u.lots.data) = htonl(2147483);
2532 a = new_isakmp_attribute_16(ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE, IPSEC_LIFE_SECONDS, a);
2533
2534 if (dh_group)
2535 a = new_isakmp_attribute_16(ISAKMP_IPSEC_ATTRIB_GROUP_DESC, dh_group, a);
2536 a = new_isakmp_attribute_16(ISAKMP_IPSEC_ATTRIB_AUTH_ALG, hash, a);
2537 a = new_isakmp_attribute_16(ISAKMP_IPSEC_ATTRIB_ENCAP_MODE, s->ipsec.encap_mode, a);
2538 if (keylen != 0)
2539 a = new_isakmp_attribute_16(ISAKMP_IPSEC_ATTRIB_KEY_LENGTH, keylen, a);
2540
2541 return a;
2542 }
2543
2544 static struct isakmp_payload *make_our_sa_ipsec(struct sa_block *s)
2545 {
2546 struct isakmp_payload *r;
2547 struct isakmp_payload *p = NULL, *pn;
2548 struct isakmp_attribute *a;
2549 int dh_grp = get_dh_group_ipsec(s->ipsec.do_pfs)->ipsec_sa_id;
2550 unsigned int crypt, hash, keylen;
2551 int i;
2552
2553 r = new_isakmp_payload(ISAKMP_PAYLOAD_SA);
2554 r->u.sa.doi = ISAKMP_DOI_IPSEC;
2555 r->u.sa.situation = ISAKMP_IPSEC_SIT_IDENTITY_ONLY;
2556 for (crypt = 0; supp_crypt[crypt].name != NULL; crypt++) {
2557 keylen = supp_crypt[crypt].keylen;
2558 for (hash = 0; supp_hash[hash].name != NULL; hash++) {
2559 pn = p;
2560 p = new_isakmp_payload(ISAKMP_PAYLOAD_P);
2561 p->u.p.spi_size = 4;
2562 p->u.p.spi = xallocc(4);
2563 /* The sadb_sa_spi field is already in network order. */
2564 memcpy(p->u.p.spi, &s->ipsec.rx.spi, 4);
2565 p->u.p.prot_id = ISAKMP_IPSEC_PROTO_IPSEC_ESP;
2566 p->u.p.transforms = new_isakmp_payload(ISAKMP_PAYLOAD_T);
2567 p->u.p.transforms->u.t.id = supp_crypt[crypt].ipsec_sa_id;
2568 a = make_transform_ipsec(s, dh_grp, supp_hash[hash].ipsec_sa_id, keylen);
2569 p->u.p.transforms->u.t.attributes = a;
2570 p->next = pn;
2571 }
2572 }
2573 for (i = 0, pn = p; pn; pn = pn->next)
2574 pn->u.p.number = i++;
2575 r->u.sa.proposals = p;
2576 return r;
2577 }
2578
2579 static void do_phase2_qm(struct sa_block *s)
2580 {
2581 struct isakmp_payload *rp, *us, *ke = NULL, *them, *nonce_r = NULL;
2582 struct isakmp_packet *r;
2583 struct group *dh_grp = NULL;
2584 uint32_t msgid;
2585 int reject;
2586 uint8_t nonce_i[20], *dh_public = NULL;
2587
2588 DEBUGTOP(2, printf("S7.1 QM_packet1\n"));
2589 /* Set up the Diffie-Hellman stuff. */
2590 if (get_dh_group_ipsec(s->ipsec.do_pfs)->my_id) {
2591 dh_grp = group_get(get_dh_group_ipsec(s->ipsec.do_pfs)->my_id);
2592 DEBUG(3, printf("len = %d\n", dh_getlen(dh_grp)));
2593 dh_public = xallocc(dh_getlen(dh_grp));
2594 dh_create_exchange(dh_grp, dh_public);
2595 hex_dump("dh_public", dh_public, dh_getlen(dh_grp), NULL);
2596 }
2597
2598 gcry_create_nonce((uint8_t *) & s->ipsec.rx.spi, sizeof(s->ipsec.rx.spi));
2599 rp = make_our_sa_ipsec(s); /* FIXME: LEAK: allocated memory never freed */
2600 gcry_create_nonce((uint8_t *) nonce_i, sizeof(nonce_i));
2601 rp->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_NONCE, nonce_i, sizeof(nonce_i));
2602
2603 us = new_isakmp_payload(ISAKMP_PAYLOAD_ID);
2604 us->u.id.type = ISAKMP_IPSEC_ID_IPV4_ADDR;
2605 us->u.id.length = 4;
2606 us->u.id.data = xallocc(4);
2607 memcpy(us->u.id.data, &s->our_address, sizeof(struct in_addr));
2608 them = new_isakmp_payload(ISAKMP_PAYLOAD_ID);
2609 them->u.id.type = ISAKMP_IPSEC_ID_IPV4_ADDR_SUBNET;
2610 them->u.id.length = 8;
2611 them->u.id.data = xallocc(8);
2612 init_netaddr((struct in_addr *)them->u.id.data,
2613 config[CONFIG_IPSEC_TARGET_NETWORK]);
2614 us->next = them;
2615 s->ipsec.life.start = time(NULL);
2616
2617 if (!dh_grp) {
2618 rp->next->next = us;
2619 } else {
2620 rp->next->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_KE,
2621 dh_public, dh_getlen(dh_grp));
2622 rp->next->next->next = us;
2623 }
2624
2625 gcry_create_nonce((uint8_t *) & msgid, sizeof(msgid));
2626 if (msgid == 0)
2627 msgid = 1;
2628
2629 DEBUGTOP(2, printf("S7.2 QM_packet2 send_receive\n"));
2630 sendrecv_phase2(s, rp, ISAKMP_EXCHANGE_IKE_QUICK,
2631 msgid, 0, 0, 0, 0, 0);
2632
2633 DEBUGTOP(2, printf("S7.3 QM_packet2 validate type\n"));
2634 reject = do_phase2_notice_check(s, &r, nonce_i, sizeof(nonce_i)); /* FIXME: LEAK */
2635
2636 /* Check the transaction type & message ID are OK. */
2637 if (reject == 0 && r->message_id != msgid)
2638 reject = ISAKMP_N_INVALID_MESSAGE_ID;
2639
2640 if (reject == 0 && r->exchange_type != ISAKMP_EXCHANGE_IKE_QUICK)
2641 reject = ISAKMP_N_INVALID_EXCHANGE_TYPE;
2642
2643 /* The SA payload must be second. */
2644 if (reject == 0 && r->payload->next->type != ISAKMP_PAYLOAD_SA)
2645 reject = ISAKMP_N_INVALID_PAYLOAD_TYPE;
2646
2647 DEBUGTOP(2, printf("S7.5 QM_packet2 check reject offer\n"));
2648 if (reject != 0)
2649 phase2_fatal(s, "quick mode response rejected: %s(%d)\n"
2650 "this means the concentrator did not like what we had to offer.\n"
2651 "Possible reasons are:\n"
2652 " * concentrator configured to require a firewall\n"
2653 " this locks out even Cisco clients on any platform except windows\n"
2654 " which is an obvious security improvement. There is no workaround (yet).\n"
2655 " * concentrator configured to require IP compression\n"
2656 " this is not yet supported by vpnc.\n"
2657 " Note: the Cisco Concentrator Documentation recommends against using\n"
2658 " compression, except on low-bandwith (read: ISDN) links, because it\n"
2659 " uses much CPU-resources on the concentrator\n",
2660 reject);
2661
2662 DEBUGTOP(2, printf("S7.6 QM_packet2 check and process proposal\n"));
2663 for (rp = r->payload->next; rp && reject == 0; rp = rp->next)
2664 switch (rp->type) {
2665 case ISAKMP_PAYLOAD_SA:
2666 if (reject == 0 && rp->u.sa.doi != ISAKMP_DOI_IPSEC)
2667 reject = ISAKMP_N_DOI_NOT_SUPPORTED;
2668 if (reject == 0 && rp->u.sa.situation != ISAKMP_IPSEC_SIT_IDENTITY_ONLY)
2669 reject = ISAKMP_N_SITUATION_NOT_SUPPORTED;
2670 if (reject == 0 &&
2671 (rp->u.sa.proposals == NULL || rp->u.sa.proposals->next != NULL))
2672 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2673 if (reject == 0 &&
2674 rp->u.sa.proposals->u.p.prot_id != ISAKMP_IPSEC_PROTO_IPSEC_ESP)
2675 reject = ISAKMP_N_INVALID_PROTOCOL_ID;
2676 if (reject == 0 && rp->u.sa.proposals->u.p.spi_size != 4)
2677 reject = ISAKMP_N_INVALID_SPI;
2678 if (reject == 0 &&
2679 (rp->u.sa.proposals->u.p.transforms == NULL
2680 || rp->u.sa.proposals->u.p.transforms->next != NULL))
2681 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2682 if (reject == 0) {
2683 struct isakmp_attribute *a
2684 = rp->u.sa.proposals->u.p.transforms->u.t.attributes;
2685 int seen_enc = rp->u.sa.proposals->u.p.transforms->u.t.id;
2686 int seen_auth = 0, seen_encap = 0, seen_group = 0, seen_keylen = 0;
2687
2688 memcpy(&s->ipsec.tx.spi, rp->u.sa.proposals->u.p.spi, 4);
2689
2690 for (; a && reject == 0; a = a->next)
2691 switch (a->type) {
2692 case ISAKMP_IPSEC_ATTRIB_AUTH_ALG:
2693 if (a->af == isakmp_attr_16)
2694 seen_auth = a->u.attr_16;
2695 else
2696 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2697 break;
2698 case ISAKMP_IPSEC_ATTRIB_ENCAP_MODE:
2699 if (a->af == isakmp_attr_16 &&
2700 a->u.attr_16 == s->ipsec.encap_mode)
2701 seen_encap = 1;
2702 else
2703 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2704 break;
2705 case ISAKMP_IPSEC_ATTRIB_GROUP_DESC:
2706 if (dh_grp &&
2707 a->af == isakmp_attr_16 &&
2708 a->u.attr_16 ==
2709 get_dh_group_ipsec(s->ipsec.do_pfs)->ipsec_sa_id)
2710 seen_group = 1;
2711 else
2712 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2713 break;
2714 case ISAKMP_IPSEC_ATTRIB_KEY_LENGTH:
2715 if (a->af == isakmp_attr_16)
2716 seen_keylen = a->u.attr_16;
2717 else
2718 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2719 break;
2720 case ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE:
2721 /* lifetime duration MUST follow lifetype attribute */
2722 if (a->next->type == ISAKMP_IPSEC_ATTRIB_SA_LIFE_DURATION) {
2723 lifetime_ipsec_process(s, a);
2724 } else
2725 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2726 break;
2727 case ISAKMP_IPSEC_ATTRIB_SA_LIFE_DURATION:
2728 /* already processed above in ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE: */
2729 break;
2730 default:
2731 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
2732 break;
2733 }
2734 if (reject == 0 && (!seen_auth || !seen_encap ||
2735 (dh_grp && !seen_group)))
2736 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2737
2738 if (reject == 0
2739 && get_algo(SUPP_ALGO_HASH, SUPP_ALGO_IPSEC_SA, seen_auth,
2740 NULL, 0) == NULL)
2741 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2742 if (reject == 0
2743 && get_algo(SUPP_ALGO_CRYPT, SUPP_ALGO_IPSEC_SA, seen_enc,
2744 NULL, seen_keylen) == NULL)
2745 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2746
2747 if (reject == 0) {
2748 s->ipsec.cry_algo =
2749 get_algo(SUPP_ALGO_CRYPT, SUPP_ALGO_IPSEC_SA,
2750 seen_enc, NULL, seen_keylen)->my_id;
2751 s->ipsec.md_algo =
2752 get_algo(SUPP_ALGO_HASH, SUPP_ALGO_IPSEC_SA,
2753 seen_auth, NULL, 0)->my_id;
2754 if (s->ipsec.cry_algo) {
2755 gcry_cipher_algo_info(s->ipsec.cry_algo, GCRYCTL_GET_KEYLEN, NULL, &(s->ipsec.key_len));
2756 gcry_cipher_algo_info(s->ipsec.cry_algo, GCRYCTL_GET_BLKLEN, NULL, &(s->ipsec.blk_len));
2757 s->ipsec.iv_len = s->ipsec.blk_len;
2758 } else {
2759 s->ipsec.key_len = 0;
2760 s->ipsec.iv_len = 0;
2761 s->ipsec.blk_len = 8; /* seems to be this without encryption... */
2762 }
2763 s->ipsec.md_len = gcry_md_get_algo_dlen(s->ipsec.md_algo);
2764 DEBUG(1, printf("IPSEC SA selected %s-%s\n",
2765 get_algo(SUPP_ALGO_CRYPT,
2766 SUPP_ALGO_IPSEC_SA, seen_enc, NULL,
2767 seen_keylen)->name,
2768 get_algo(SUPP_ALGO_HASH, SUPP_ALGO_IPSEC_SA,
2769 seen_auth, NULL, 0)->name));
2770 if (s->ipsec.cry_algo == GCRY_CIPHER_DES && !opt_1des) {
2771 error(1, 0, "peer selected (single) DES as \"encrytion\" method.\n"
2772 "This algorithm is considered too weak today\n"
2773 "If your vpn concentrator admin still insists on using DES\n"
2774 "use the \"--enable-1des\" option.\n");
2775 } else if (s->ipsec.cry_algo == GCRY_CIPHER_NONE && !opt_no_encryption) {
2776 error(1, 0, "peer selected NULL as \"encrytion\" method.\n"
2777 "This is _no_ encryption at all.\n"
2778 "Your traffic is still protected against modification with %s\n"
2779 "If your vpn concentrator admin still insists on not using encryption\n"
2780 "use the \"--enable-no-encryption\" option.\n",
2781 get_algo(SUPP_ALGO_HASH, SUPP_ALGO_IPSEC_SA, seen_auth, NULL, 0)->name);
2782 }
2783 }
2784 }
2785 break;
2786
2787 case ISAKMP_PAYLOAD_N:
2788 if (reject == 0 && rp->u.n.type == ISAKMP_N_IPSEC_RESPONDER_LIFETIME) {
2789 if (rp->u.n.protocol == ISAKMP_IPSEC_PROTO_ISAKMP)
2790 lifetime_ike_process(s, rp->u.n.attributes);
2791 else if (rp->u.n.protocol == ISAKMP_IPSEC_PROTO_IPSEC_ESP)
2792 lifetime_ipsec_process(s, rp->u.n.attributes);
2793 else
2794 DEBUG(2, printf("got unknown lifetime notice, ignoring..\n"));
2795 }
2796 break;
2797 case ISAKMP_PAYLOAD_ID:
2798 /* FIXME: Parse payload ID and add route-env in case of ipv4_prefix */
2799 break;
2800 case ISAKMP_PAYLOAD_KE:
2801 ke = rp;
2802 break;
2803 case ISAKMP_PAYLOAD_NONCE:
2804 nonce_r = rp;
2805 break;
2806
2807 default:
2808 reject = ISAKMP_N_INVALID_PAYLOAD_TYPE;
2809 break;
2810 }
2811
2812 if (reject == 0 && nonce_r == NULL)
2813 reject = ISAKMP_N_INVALID_HASH_INFORMATION;
2814 if (reject == 0 && dh_grp && (ke == NULL || ke->u.ke.length != dh_getlen(dh_grp)))
2815 reject = ISAKMP_N_INVALID_KEY_INFORMATION;
2816 if (reject != 0)
2817 phase2_fatal(s, "quick mode response rejected [2]: %s(%d)", reject);
2818
2819 /* send final packet */
2820 sendrecv_phase2(s, NULL, ISAKMP_EXCHANGE_IKE_QUICK,
2821 msgid, 1, nonce_i, sizeof(nonce_i),
2822 nonce_r->u.nonce.data, nonce_r->u.nonce.length);
2823
2824 DEBUGTOP(2, printf("S7.7 QM_packet3 sent\n"));
2825
2826 DEBUGTOP(2, printf("S7.8 setup ipsec tunnel\n"));
2827 {
2828 unsigned char *dh_shared_secret = NULL;
2829
2830 if (dh_grp) {
2831 /* Determine the shared secret. */
2832 dh_shared_secret = xallocc(dh_getlen(dh_grp));
2833 dh_create_shared(dh_grp, dh_shared_secret, ke->u.ke.data);
2834 hex_dump("dh_shared_secret", dh_shared_secret, dh_getlen(dh_grp), NULL);
2835 }
2836
2837 s->ipsec.rx.key = gen_keymat(s, ISAKMP_IPSEC_PROTO_IPSEC_ESP, s->ipsec.rx.spi,
2838 dh_shared_secret, dh_grp ? dh_getlen(dh_grp) : 0,
2839 nonce_i, sizeof(nonce_i), nonce_r->u.nonce.data, nonce_r->u.nonce.length);
2840
2841 s->ipsec.tx.key = gen_keymat(s, ISAKMP_IPSEC_PROTO_IPSEC_ESP, s->ipsec.tx.spi,
2842 dh_shared_secret, dh_grp ? dh_getlen(dh_grp) : 0,
2843 nonce_i, sizeof(nonce_i), nonce_r->u.nonce.data, nonce_r->u.nonce.length);
2844
2845 if (dh_grp)
2846 group_free(dh_grp);
2847 free(dh_shared_secret);
2848 free_isakmp_packet(r);
2849
2850 if (s->esp_fd == 0) {
2851 if ((opt_natt_mode == NATT_CISCO_UDP) && s->ipsec.peer_udpencap_port) {
2852 s->esp_fd = make_socket(s, opt_udpencapport, s->ipsec.peer_udpencap_port);
2853 s->ipsec.encap_mode = IPSEC_ENCAP_UDP_TUNNEL;
2854 s->ipsec.natt_active_mode = NATT_ACTIVE_CISCO_UDP;
2855 } else if (s->ipsec.encap_mode != IPSEC_ENCAP_TUNNEL) {
2856 s->esp_fd = s->ike_fd;
2857 } else {
2858 #ifdef IP_HDRINCL
2859 int hincl = 1;
2860 #endif
2861
2862 s->esp_fd = socket(PF_INET, SOCK_RAW, IPPROTO_ESP);
2863 if (s->esp_fd == -1)
2864 error(1, errno, "Couldn't open socket of ESP. Maybe something registered ESP already.\nPlease try '--natt-mode force-natt' or disable whatever is using ESP.\nsocket(PF_INET, SOCK_RAW, IPPROTO_ESP)");
2865 #ifdef FD_CLOEXEC
2866 /* do not pass socket to vpnc-script, etc. */
2867 fcntl(s->esp_fd, F_SETFD, FD_CLOEXEC);
2868 #endif
2869 #ifdef IP_HDRINCL
2870 if (setsockopt(s->esp_fd, IPPROTO_IP, IP_HDRINCL, &hincl, sizeof(hincl)) == -1)
2871 error(1, errno, "setsockopt(esp_fd, IPPROTO_IP, IP_HDRINCL, 1)");
2872 #endif
2873 }
2874 }
2875
2876 s->ipsec.rx.seq_id = s->ipsec.tx.seq_id = 1;
2877 }
2878 free(dh_public);
2879 }
2880
2881 static int do_rekey(struct sa_block *s, struct isakmp_packet *r)
2882 {
2883 struct isakmp_payload *rp, *ke = NULL, *nonce_i = NULL;
2884 struct isakmp_attribute *a;
2885 int seen_enc;
2886 int seen_auth = 0, seen_encap = 0, seen_group = 0, seen_keylen = 0;
2887 int nonce_i_copy_len;
2888 struct group *dh_grp = NULL;
2889 uint8_t nonce_r[20], *dh_public = NULL, *nonce_i_copy = NULL;
2890 unsigned char *dh_shared_secret = NULL;
2891
2892 if (get_dh_group_ipsec(s->ipsec.do_pfs)->my_id) {
2893 dh_grp = group_get(get_dh_group_ipsec(s->ipsec.do_pfs)->my_id);
2894 DEBUG(3, printf("len = %d\n", dh_getlen(dh_grp)));
2895 dh_public = xallocc(dh_getlen(dh_grp));
2896 dh_create_exchange(dh_grp, dh_public);
2897 hex_dump("dh_public", dh_public, dh_getlen(dh_grp), NULL);
2898 }
2899
2900 rp = r->payload->next;
2901 /* rp->type == ISAKMP_PAYLOAD_SA, verified by caller */
2902
2903 if (rp->u.sa.doi != ISAKMP_DOI_IPSEC)
2904 return ISAKMP_N_DOI_NOT_SUPPORTED;
2905 if (rp->u.sa.situation != ISAKMP_IPSEC_SIT_IDENTITY_ONLY)
2906 return ISAKMP_N_SITUATION_NOT_SUPPORTED;
2907 if (rp->u.sa.proposals == NULL)
2908 return ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2909 if (rp->u.sa.proposals->u.p.prot_id != ISAKMP_IPSEC_PROTO_IPSEC_ESP)
2910 return ISAKMP_N_INVALID_PROTOCOL_ID;
2911 if (rp->u.sa.proposals->u.p.spi_size != 4)
2912 return ISAKMP_N_INVALID_SPI;
2913 if (rp->u.sa.proposals->u.p.transforms == NULL || rp->u.sa.proposals->u.p.transforms->next != NULL)
2914 return ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2915
2916 seen_enc = rp->u.sa.proposals->u.p.transforms->u.t.id;
2917
2918 memcpy(&s->ipsec.tx.spi, rp->u.sa.proposals->u.p.spi, 4);
2919
2920 for (a = rp->u.sa.proposals->u.p.transforms->u.t.attributes; a; a = a->next)
2921 switch (a->type) {
2922 case ISAKMP_IPSEC_ATTRIB_AUTH_ALG:
2923 if (a->af == isakmp_attr_16)
2924 seen_auth = a->u.attr_16;
2925 else
2926 return ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2927 break;
2928 case ISAKMP_IPSEC_ATTRIB_ENCAP_MODE:
2929 if (a->af == isakmp_attr_16 &&
2930 a->u.attr_16 == (
2931 (s->ipsec.natt_active_mode != NATT_ACTIVE_CISCO_UDP) ?
2932 s->ipsec.encap_mode :
2933 IPSEC_ENCAP_TUNNEL /* cisco-udp claims to use encap tunnel... */
2934 ))
2935 seen_encap = 1;
2936 else
2937 return ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2938 break;
2939 case ISAKMP_IPSEC_ATTRIB_GROUP_DESC:
2940 if (dh_grp && a->af == isakmp_attr_16 &&
2941 a->u.attr_16 == get_dh_group_ipsec(s->ipsec.do_pfs)->ipsec_sa_id)
2942 seen_group = 1;
2943 else
2944 return ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2945 break;
2946 case ISAKMP_IPSEC_ATTRIB_KEY_LENGTH:
2947 if (a->af == isakmp_attr_16)
2948 seen_keylen = a->u.attr_16;
2949 else
2950 return ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2951 break;
2952 case ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE:
2953 /* lifetime duration MUST follow lifetype attribute */
2954 if (a->next->type == ISAKMP_IPSEC_ATTRIB_SA_LIFE_DURATION) {
2955 lifetime_ipsec_process(s, a);
2956 } else
2957 return ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2958 break;
2959 case ISAKMP_IPSEC_ATTRIB_SA_LIFE_DURATION:
2960 /* already processed above in ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE: */
2961 break;
2962 default:
2963 return ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
2964 break;
2965 }
2966 if (!seen_auth || !seen_encap || (dh_grp && !seen_group))
2967 return ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2968
2969 /* FIXME: Current code has a limitation that will cause problems if
2970 * different algorithms are negotiated during re-keying
2971 */
2972 if ((get_algo(SUPP_ALGO_HASH, SUPP_ALGO_IPSEC_SA, seen_auth, NULL, 0) == NULL) ||
2973 (get_algo(SUPP_ALGO_CRYPT, SUPP_ALGO_IPSEC_SA, seen_enc, NULL, seen_keylen) == NULL)) {
2974 printf("\nFIXME: vpnc doesn't support change of algorightms during rekeying\n");
2975 return ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2976 }
2977
2978 /* we don't want to change ciphers during rekeying */
2979 if (s->ipsec.cry_algo != get_algo(SUPP_ALGO_CRYPT, SUPP_ALGO_IPSEC_SA, seen_enc, NULL, seen_keylen)->my_id)
2980 return ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2981 if (s->ipsec.md_algo != get_algo(SUPP_ALGO_HASH, SUPP_ALGO_IPSEC_SA, seen_auth, NULL, 0)->my_id)
2982 return ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2983
2984 for (rp = rp->next; rp; rp = rp->next)
2985 switch (rp->type) {
2986 case ISAKMP_PAYLOAD_ID:
2987 /* FIXME: Parse payload ID and add route-env in case of ipv4_prefix */
2988 break;
2989 case ISAKMP_PAYLOAD_KE:
2990 ke = rp;
2991 break;
2992 case ISAKMP_PAYLOAD_NONCE:
2993 nonce_i = rp;
2994 break;
2995 default:
2996 return ISAKMP_N_INVALID_PAYLOAD_TYPE;
2997 break;
2998 }
2999
3000 if ((dh_grp && ke == NULL) || nonce_i == NULL)
3001 return ISAKMP_N_BAD_PROPOSAL_SYNTAX;
3002
3003 DEBUG(3, printf("everything fine so far...\n"));
3004 gcry_create_nonce((uint8_t *) nonce_r, sizeof(nonce_r));
3005 gcry_create_nonce((uint8_t *) & s->ipsec.rx.spi, sizeof(s->ipsec.rx.spi));
3006
3007 if (dh_grp) {
3008 /* Determine the shared secret. */
3009 dh_shared_secret = xallocc(dh_getlen(dh_grp));
3010 dh_create_shared(dh_grp, dh_shared_secret, ke->u.ke.data);
3011 hex_dump("dh_shared_secret", dh_shared_secret, dh_getlen(dh_grp), NULL);
3012 }
3013
3014 free(s->ipsec.rx.key);
3015 free(s->ipsec.tx.key);
3016
3017 s->ipsec.rx.key = gen_keymat(s, ISAKMP_IPSEC_PROTO_IPSEC_ESP, s->ipsec.rx.spi,
3018 dh_shared_secret, dh_grp ? dh_getlen(dh_grp) : 0,
3019 nonce_i->u.nonce.data, nonce_i->u.nonce.length, nonce_r, sizeof(nonce_r));
3020
3021 s->ipsec.tx.key = gen_keymat(s, ISAKMP_IPSEC_PROTO_IPSEC_ESP, s->ipsec.tx.spi,
3022 dh_shared_secret, dh_grp ? dh_getlen(dh_grp) : 0,
3023 nonce_i->u.nonce.data, nonce_i->u.nonce.length, nonce_r, sizeof(nonce_r));
3024
3025 s->ipsec.rx.key_cry = s->ipsec.rx.key;
3026 s->ipsec.rx.key_md = s->ipsec.rx.key + s->ipsec.key_len;
3027 s->ipsec.tx.key_cry = s->ipsec.tx.key;
3028 s->ipsec.tx.key_md = s->ipsec.tx.key + s->ipsec.key_len;
3029
3030 nonce_i_copy_len = nonce_i->u.nonce.length;
3031 nonce_i_copy = xallocc(nonce_i_copy_len);
3032 memcpy(nonce_i_copy, nonce_i->u.nonce.data, nonce_i_copy_len);
3033
3034 s->ipsec.rx.seq_id = s->ipsec.tx.seq_id = 1;
3035 s->ipsec.life.start = time(NULL);
3036 s->ipsec.life.tx = 0;
3037 s->ipsec.life.rx = 0;
3038
3039 if (s->ipsec.cry_algo) {
3040 gcry_cipher_setkey(s->ipsec.rx.cry_ctx, s->ipsec.rx.key_cry, s->ipsec.key_len);
3041 gcry_cipher_setkey(s->ipsec.tx.cry_ctx, s->ipsec.tx.key_cry, s->ipsec.key_len);
3042 }
3043
3044 /* use request as template and just exchange some values */
3045 /* this overwrites data in nonce_i, ke! */
3046 rp = r->payload->next;
3047 /* SA, change the SPI */
3048 memcpy(rp->u.sa.proposals->u.p.spi, &s->ipsec.rx.spi, 4);
3049
3050 for (rp = rp->next; rp; rp = rp->next)
3051 switch (rp->type) {
3052 case ISAKMP_PAYLOAD_ID:
3053 break;
3054 case ISAKMP_PAYLOAD_KE:
3055 memcpy(rp->u.ke.data, dh_public, dh_getlen(dh_grp));
3056 break;
3057 case ISAKMP_PAYLOAD_NONCE:
3058 memcpy(rp->u.nonce.data, nonce_r, sizeof(nonce_r));
3059 break;
3060 default:
3061 assert(0);
3062 break;
3063 }
3064
3065 sendrecv_phase2(s, r->payload->next, ISAKMP_EXCHANGE_IKE_QUICK,
3066 r->message_id, 0, nonce_i_copy, nonce_i_copy_len, 0,0);
3067 unpack_verify_phase2(s, r_packet, r_length, &r, NULL, 0);
3068 free(nonce_i_copy);
3069 /* don't care about answer ... */
3070
3071 return 0;
3072 }
3073
3074 void process_late_ike(struct sa_block *s, uint8_t *r_packet, ssize_t r_length)
3075 {
3076 int reject;
3077 struct isakmp_packet *r;
3078 struct isakmp_payload *rp;
3079
3080 DEBUG(2,printf("got late ike packet: %zd bytes\n", r_length));
3081 /* we should ignore resent packets here.
3082 * unpack_verify_phase2 will fail to decode them probably */
3083 reject = unpack_verify_phase2(s, r_packet, r_length, &r, NULL, 0);
3084
3085 /* just ignore broken stuff for now */
3086 if (reject != 0) {
3087 if (r) free_isakmp_packet(r);
3088 return;
3089 }
3090
3091 /* everything must be encrypted by now */
3092 if (r->payload == NULL || r->payload->type != ISAKMP_PAYLOAD_HASH) {
3093 free_isakmp_packet(r);
3094 return;
3095 }
3096
3097 /* empty packet? well, nothing to see here */
3098 if (r->payload->next == NULL) {
3099 free_isakmp_packet(r);
3100 return;
3101 }
3102
3103 /* do we get an SA proposal for rekeying? */
3104 if (r->exchange_type == ISAKMP_EXCHANGE_IKE_QUICK &&
3105 r->payload->next->type == ISAKMP_PAYLOAD_SA) {
3106 reject = do_rekey(s, r);
3107 DEBUG(3, printf("do_rekey returned: %d\n", reject));
3108 /* FIXME: LEAK but will create segfault for double free */
3109 /* free_isakmp_packet(r); */
3110 return;
3111 }
3112
3113 if (r->exchange_type == ISAKMP_EXCHANGE_INFORMATIONAL) {
3114 /* Search for notify payloads */
3115 for (rp = r->payload->next; rp; rp = rp->next) {
3116 if (rp->type != ISAKMP_PAYLOAD_N)
3117 continue;
3118 /* did we get a DPD request or ACK? */
3119 if (rp->u.n.protocol != ISAKMP_IPSEC_PROTO_ISAKMP) {
3120 DEBUG(2, printf("got non isakmp-notify, ignoring...\n"));
3121 continue;
3122 }
3123 if (rp->u.n.type == ISAKMP_N_R_U_THERE) {
3124 uint32_t seq;
3125 if (rp->u.n.data_length != 4) {
3126 DEBUG(2, printf("ignoring bad data length R-U-THERE request\n"));
3127 continue;
3128 }
3129 seq = ntohl(*((uint32_t *) rp->u.n.data));
3130 send_dpd(s, 1, seq);
3131 DEBUG(2, printf("got r-u-there request sent ack\n"));
3132 continue;
3133 } else if (rp->u.n.type == ISAKMP_N_R_U_THERE_ACK) {
3134 uint32_t seqack;
3135 if (rp->u.n.data_length != 4) {
3136 DEBUG(2, printf("ignoring bad data length R-U-THERE-ACK\n"));
3137 continue;
3138 }
3139 seqack = ntohl(*((uint32_t *) rp->u.n.data));
3140 if (seqack == s->ike.dpd_seqno) {
3141 s->ike.dpd_seqno_ack = seqack;
3142 } else {
3143 DEBUG(2, printf("ignoring r-u-there ack %u (expecting %u)\n", seqack, s->ike.dpd_seqno));
3144 continue;
3145 }
3146 DEBUG(2, printf("got r-u-there ack\n"));
3147 }
3148 }
3149 }
3150
3151 /* check if our isakmp sa gets deleted */
3152 for (rp = r->payload->next; rp; rp = rp->next) {
3153 /* search for delete payloads */
3154 if (rp->type != ISAKMP_PAYLOAD_D)
3155 continue;
3156 if (rp->u.d.protocol == ISAKMP_IPSEC_PROTO_IPSEC_ESP) {
3157 /* RFC2408, 5.15:
3158 * Process the Delete payload and take appropriate action, according
3159 * to local security policy. As described above, one appropriate
3160 * action SHOULD include cleaning up the local SA database.
3161 */
3162 /* FIXME: any cleanup needed??? */
3163
3164 if (rp->u.d.num_spi >= 1 && memcmp(rp->u.d.spi[0], &s->ipsec.tx.spi, 4) == 0) {
3165 free_isakmp_packet(r);
3166 do_phase2_qm(s);
3167 return;
3168 } else {
3169 DEBUG(2, printf("got isakmp delete with bogus spi (expected %d, received %d), ignoring...\n", s->ipsec.tx.spi, *(rp->u.d.spi[0]) ));
3170 continue;
3171 }
3172 }
3173 /* skip ipsec-esp delete */
3174 if (rp->u.d.protocol != ISAKMP_IPSEC_PROTO_ISAKMP) {
3175 DEBUG(2, printf("got non isakmp-delete, ignoring...\n"));
3176 continue;
3177 };
3178
3179 /*
3180 * RFC 2408, 3.15 Delete Payload
3181 * it is not stated that the SPI field of a delete
3182 * payload can be ignored, because it is given in
3183 * the headers, but I assume so. In other cases
3184 * RFC 2408 (notifications) states this.
3185 */
3186 do_kill = -1;
3187 DEBUG(2, printf("got isakmp-delete, terminating...\n"));
3188 free_isakmp_packet(r);
3189 return;
3190 }
3191
3192 free_isakmp_packet(r);
3193 return;
3194 }
3195
3196 int main(int argc, char **argv)
3197 {
3198 int do_load_balance;
3199 const uint8_t hex_test[] = { 0, 1, 2, 3 };
3200 struct sa_block oursa[1];
3201 struct sa_block *s = oursa;
3202
3203 test_pack_unpack();
3204 #if defined(__CYGWIN__)
3205 gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
3206 #endif
3207 gcry_check_version("1.1.90");
3208 gcry_control(GCRYCTL_INIT_SECMEM, 16384, 0);
3209 group_init();
3210
3211 memset(s, 0, sizeof(*s));
3212 s->ipsec.encap_mode = IPSEC_ENCAP_TUNNEL;
3213 s->ike.timeout = 1000; /* 1 second */
3214
3215 do_config(argc, argv);
3216
3217 DEBUG(1, printf("\nvpnc version " VERSION "\n"));
3218 hex_dump("hex_test", hex_test, sizeof(hex_test), NULL);
3219
3220 DEBUGTOP(2, printf("S1 init_sockaddr\n"));
3221 init_sockaddr(&s->dst, config[CONFIG_IPSEC_GATEWAY]);
3222 init_sockaddr(&s->opt_src_ip, config[CONFIG_LOCAL_ADDR]);
3223 DEBUGTOP(2, printf("S2 make_socket\n"));
3224 s->ike.src_port = atoi(config[CONFIG_LOCAL_PORT]);
3225 s->ike.dst_port = ISAKMP_PORT;
3226 s->ike_fd = make_socket(s, s->ike.src_port, s->ike.dst_port);
3227 DEBUGTOP(2, printf("S3 setup_tunnel\n"));
3228 setup_tunnel(s);
3229
3230 do_load_balance = 0;
3231 do {
3232 DEBUGTOP(2, printf("S4 do_phase1_am\n"));
3233 do_phase1_am(config[CONFIG_IPSEC_ID], config[CONFIG_IPSEC_SECRET], s);
3234 DEBUGTOP(2, printf("S5 do_phase2_xauth\n"));
3235 /* FIXME: Create and use a generic function in supp.[hc] */
3236 if (s->ike.auth_algo >= IKE_AUTH_HybridInitRSA)
3237 do_load_balance = do_phase2_xauth(s);
3238 DEBUGTOP(2, printf("S6 do_phase2_config\n"));
3239 if ((opt_vendor == VENDOR_CISCO) && (do_load_balance == 0))
3240 do_load_balance = do_phase2_config(s);
3241 } while (do_load_balance);
3242 DEBUGTOP(2, printf("S7 setup_link (phase 2 + main_loop)\n"));
3243 DEBUGTOP(2, printf("S7.0 run interface setup script\n"));
3244 config_tunnel(s);
3245 do_phase2_qm(s);
3246 DEBUGTOP(2, printf("S7.9 main loop (receive and transmit ipsec packets)\n"));
3247 vpnc_doit(s);
3248
3249 /* Tear down phase 2 and 1 tunnels */
3250 send_delete_ipsec(s);
3251 send_delete_isakmp(s);
3252
3253 /* Cleanup routing */
3254 DEBUGTOP(2, printf("S8 close_tunnel\n"));
3255 close_tunnel(s);
3256 s_atexit_sa = NULL;
3257
3258 /* Free resources */
3259 DEBUGTOP(2, printf("S9 cleanup\n"));
3260 cleanup(s);
3261
3262 return 0;
3263 }
client for cisco vpn concentrator