search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Print a warning if an illegal value is used for the spi but continue
[vpnc.git] / vpnc.c
bloba0c211bcd139593eaa58ef3c1c5d38efdf69ae3a
1 /* IPSec VPN client compatible with Cisco equipment.
2 Copyright (C) 2002 Geoffrey Keating
3 Copyright (C) 2003-2005 Maurice Massar
4 Copyright (C) 2004 Tomas Mraz
5 Copyright (C) 2004 Martin von Gagern
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 2 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program; if not, write to the Free Software
19 Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
20
21 $Id$
22 */
23
24 #define _GNU_SOURCE
25 #include <assert.h>
26 #include <unistd.h>
27 #include <sys/fcntl.h>
28 #include <stdio.h>
29 #include <errno.h>
30 #include <string.h>
31 #include <time.h>
32 #include <stdlib.h>
33 #include <sys/socket.h>
34 #include <netinet/in.h>
35 #include <netdb.h>
36 #include <arpa/inet.h>
37 #include <poll.h>
38 #include <sys/ioctl.h>
39 #include <sys/utsname.h>
40
41 #include <gcrypt.h>
42
43 #include "crypto.h"
44 #include "sysdep.h"
45 #include "config.h"
46 #include "isakmp-pkt.h"
47 #include "math_group.h"
48 #include "dh.h"
49 #include "vpnc.h"
50 #include "tunip.h"
51 #include "supp.h"
52
53 #if defined(__CYGWIN__)
54 GCRY_THREAD_OPTION_PTHREAD_IMPL;
55 #endif
56
57 #define ISAKMP_PORT (500)
58 #define ISAKMP_PORT_NATT (4500)
59
60 const unsigned char VID_XAUTH[] = { /* "draft-ietf-ipsra-isakmp-xauth-06.txt"/8 */
61 0x09, 0x00, 0x26, 0x89, 0xDF, 0xD6, 0xB7, 0x12
62 };
63 const unsigned char VID_DPD[] = { /* Dead Peer Detection, RFC 3706 */
64 0xAF, 0xCA, 0xD7, 0x13, 0x68, 0xA1, 0xF1, 0xC9,
65 0x6B, 0x86, 0x96, 0xFC, 0x77, 0x57, 0x01, 0x00
66 };
67 const unsigned char VID_UNITY[] = { /* "CISCO-UNITY"/14 + major + minor */
68 0x12, 0xF5, 0xF2, 0x8C, 0x45, 0x71, 0x68, 0xA9,
69 0x70, 0x2D, 0x9F, 0xE2, 0x74, 0xCC, 0x01, 0x00
70 };
71 const unsigned char VID_UNKNOWN[] = {
72 0x12, 0x6E, 0x1F, 0x57, 0x72, 0x91, 0x15, 0x3B,
73 0x20, 0x48, 0x5F, 0x7F, 0x15, 0x5B, 0x4B, 0xC8
74 };
75 const unsigned char VID_NATT_00[] = { /* "draft-ietf-ipsec-nat-t-ike-00" */
76 0x44, 0x85, 0x15, 0x2d, 0x18, 0xb6, 0xbb, 0xcd,
77 0x0b, 0xe8, 0xa8, 0x46, 0x95, 0x79, 0xdd, 0xcc
78 };
79 const unsigned char VID_NATT_01[] = { /* "draft-ietf-ipsec-nat-t-ike-01" */
80 0x16, 0xf6, 0xca, 0x16, 0xe4, 0xa4, 0x06, 0x6d,
81 0x83, 0x82, 0x1a, 0x0f, 0x0a, 0xea, 0xa8, 0x62
82 };
83 const unsigned char VID_NATT_02[] = { /* "draft-ietf-ipsec-nat-t-ike-02" */
84 0xcd, 0x60, 0x46, 0x43, 0x35, 0xdf, 0x21, 0xf8,
85 0x7c, 0xfd, 0xb2, 0xfc, 0x68, 0xb6, 0xa4, 0x48
86 };
87 const unsigned char VID_NATT_02N[] = { /* "draft-ietf-ipsec-nat-t-ike-02\n" */
88 0x90, 0xCB, 0x80, 0x91, 0x3E, 0xBB, 0x69, 0x6E,
89 0x08, 0x63, 0x81, 0xB5, 0xEC, 0x42, 0x7B, 0x1F
90 };
91 const unsigned char VID_NATT_03[] = { /* "draft-ietf-ipsec-nat-t-ike-03" */
92 0x7d, 0x94, 0x19, 0xa6, 0x53, 0x10, 0xca, 0x6f,
93 0x2c, 0x17, 0x9d, 0x92, 0x15, 0x52, 0x9d, 0x56
94 };
95 const unsigned char VID_NATT_RFC[] = { /* "RFC 3947" */
96 0x4A, 0x13, 0x1C, 0x81, 0x07, 0x03, 0x58, 0x45,
97 0x5C, 0x57, 0x28, 0xF2, 0x0E, 0x95, 0x45, 0x2F
98 };
99 const unsigned char VID_DWR[] = { /* DWR: Delete with reason */
100 0x2D, 0x79, 0x22, 0xC6, 0xB3, 0x01, 0xD9, 0xB0,
101 0xE1, 0x34, 0x27, 0x39, 0xE9, 0xCF, 0xBB, 0xD5
102 };
103 /* Cisco Unknown1:
104 *const unsigned char VID_CISCO_UNKNOWN_1[] = {
105 * 1f07f70eaa6514d3b0fa96542a500407
106 *};
107 */
108
109 const unsigned char VID_CISCO_FRAG[] = { /* "FRAGMENTATION" */
110 0x40, 0x48, 0xB7, 0xD5, 0x6E, 0xBC, 0xE8, 0x85,
111 0x25, 0xE7, 0xDE, 0x7F, 0x00, 0xD6, 0xC2, 0xD3,
112 0x80, 0x00, 0x00, 0x00
113 };
114 const unsigned char VID_NETSCREEN_15[] = { /* netscreen 15 */
115 0x16, 0x6f, 0x93, 0x2d, 0x55, 0xeb, 0x64, 0xd8,
116 0xe4, 0xdf, 0x4f, 0xd3, 0x7e, 0x23, 0x13, 0xf0,
117 0xd0, 0xfd, 0x84, 0x51, 0x00, 0x00, 0x00, 0x00,
118 0x00, 0x00, 0x00, 0x00
119 };
120 const unsigned char VID_HEARTBEAT_NOTIFY[] = { /* Heartbeat Notify */
121 0x48, 0x65, 0x61, 0x72, 0x74, 0x42, 0x65, 0x61,
122 0x74, 0x5f, 0x4e, 0x6f, 0x74, 0x69, 0x66, 0x79,
123 0x38, 0x6b, 0x01, 0x00
124 };
125 const unsigned char VID_NORTEL_CONT[] = { /* BNES: Bay Networks Enterprise Switch + version/id of some kind */
126 0x42, 0x4e, 0x45, 0x53, 0x00, 0x00, 0x00, 0x0a
127 };
128
129 const unsigned char FW_UNKNOWN_TYPEINFO[] = {
130 0x80, 0x01, 0x00, 0x01, 0x80, 0x02, 0x00, 0x01,
131 0x80, 0x03, 0x00, 0x02
132 };
133
134 struct vid_element {
135 const unsigned char* valueptr;
136 const uint16_t length;
137 const char* descr;
138 };
139
140 const struct vid_element vid_list[] = {
141 { VID_XAUTH, sizeof(VID_XAUTH), "Xauth" },
142 { VID_DPD, sizeof(VID_DPD), "DPD" },
143 { VID_UNITY, sizeof(VID_UNITY), "Cisco Unity" },
144 { VID_NATT_00, sizeof(VID_NATT_00), "Nat-T 00" },
145 { VID_NATT_01, sizeof(VID_NATT_01), "Nat-T 01" },
146 { VID_NATT_02, sizeof(VID_NATT_02), "Nat-T 02" },
147 { VID_NATT_02N, sizeof(VID_NATT_02N), "Nat-T 02N" },
148 { VID_NATT_03, sizeof(VID_NATT_03), "Nat-T 03" },
149 { VID_NATT_RFC, sizeof(VID_NATT_RFC), "Nat-T RFC" },
150 { VID_DWR, sizeof(VID_DWR), "Delete With Reason" },
151 { VID_CISCO_FRAG, sizeof(VID_CISCO_FRAG), "Cisco Fragmentation" },
152 { VID_NETSCREEN_15, sizeof(VID_NETSCREEN_15), "Netscreen 15" },
153 { VID_NORTEL_CONT, sizeof(VID_NORTEL_CONT), "Nortel Contivity" },
154 { VID_HEARTBEAT_NOTIFY, sizeof(VID_HEARTBEAT_NOTIFY), "Heartbeat Notify" },
155
156 { NULL, 0, NULL }
157 };
158
159 /* What are DWR-Code and DWR-Text ? */
160
161 static uint8_t r_packet[8192];
162 static ssize_t r_length;
163
164 static struct sa_block *s_atexit_sa;
165
166 static void close_tunnel(struct sa_block *s);
167
168 void print_vid(const unsigned char *vid, uint16_t len) {
169
170 int vid_index = 0;
171
172 if (opt_debug < 2)
173 return;
174
175 while (vid_list[vid_index].length) {
176 if (len == vid_list[vid_index].length &&
177 memcmp(vid_list[vid_index].valueptr, vid, len) == 0) {
178 printf(" (%s)\n", vid_list[vid_index].descr);
179 return;
180 }
181 vid_index++;
182 }
183 printf(" (unknown)\n");
184 }
185
186 static __inline__ int min(int a, int b)
187 {
188 return (a < b) ? a : b;
189 }
190
191 static void addenv(const void *name, const char *value)
192 {
193 char *strbuf = NULL, *oldval;
194
195 oldval = getenv(name);
196 if (oldval != NULL) {
197 strbuf = xallocc(strlen(oldval) + 1 + strlen(value) + 1);
198 strcat(strbuf, oldval);
199 strcat(strbuf, " ");
200 strcat(strbuf, value);
201 }
202
203 setenv(name, strbuf ? strbuf : value, 1);
204
205 free(strbuf);
206 }
207
208 static void addenv_ipv4(const void *name, uint8_t * data)
209 {
210 addenv(name, inet_ntoa(*((struct in_addr *)data)));
211 }
212
213 static int make_socket(struct sa_block *s, uint16_t src_port, uint16_t dst_port)
214 {
215 int sock;
216 struct sockaddr_in name;
217 socklen_t len = sizeof(name);
218
219 /* create the socket */
220 sock = socket(PF_INET, SOCK_DGRAM, 0);
221 if (sock < 0)
222 error(1, errno, "making socket");
223
224 #ifdef FD_CLOEXEC
225 /* do not pass socket to vpnc-script, etc. */
226 fcntl(sock, F_SETFD, FD_CLOEXEC);
227 #endif
228
229 /* give the socket a name */
230 name.sin_family = AF_INET;
231 name.sin_addr = s->opt_src_ip;
232 name.sin_port = htons(src_port);
233 if (bind(sock, (struct sockaddr *)&name, sizeof(name)) < 0)
234 error(1, errno, "Error binding to source port. Try '--local-port 0'\nFailed to bind to %s:%d", inet_ntoa(s->opt_src_ip), src_port);
235
236 /* connect the socket */
237 name.sin_family = AF_INET;
238 name.sin_addr = s->dst;
239 name.sin_port = htons(dst_port);
240 if (connect(sock, (struct sockaddr *)&name, sizeof(name)) < 0)
241 error(1, errno, "connecting to port %d", ntohs(dst_port));
242
243 /* who am I */
244 if (getsockname(sock, (struct sockaddr *)&name, &len) < 0)
245 error(1, errno, "reading local address from socket %d", sock);
246 s->src = name.sin_addr;
247
248 return sock;
249 }
250
251 static void cleanup(struct sa_block *s) {
252 if (s->ike_fd != 0) {
253 close(s->ike_fd);
254 s->ike_fd = 0;
255 }
256 if (s->esp_fd != 0) {
257 close(s->esp_fd);
258 s->esp_fd = 0;
259 }
260 if (s->ike.resend_hash) {
261 free(s->ike.resend_hash);
262 s->ike.resend_hash = NULL;
263 }
264 if (s->ike.skeyid_d) {
265 free(s->ike.skeyid_d);
266 s->ike.skeyid_d = NULL;
267 }
268 if (s->ike.skeyid_a) {
269 free(s->ike.skeyid_a);
270 s->ike.skeyid_a = NULL;
271 }
272 if (s->ike.initial_iv) {
273 free(s->ike.initial_iv);
274 s->ike.initial_iv = NULL;
275 }
276 if (s->ike.current_iv) {
277 free(s->ike.current_iv);
278 s->ike.current_iv = NULL;
279 }
280 if (s->ike.key) {
281 free(s->ike.key);
282 s->ike.key = NULL;
283 }
284 if (s->ipsec.rx.key) {
285 free(s->ipsec.rx.key);
286 s->ipsec.rx.key = NULL;
287 }
288 if (s->ipsec.tx.key) {
289 free(s->ipsec.tx.key);
290 s->ipsec.tx.key = NULL;
291 }
292 if (s->ipsec.rx.cry_ctx) {
293 gcry_cipher_close(s->ipsec.rx.cry_ctx);
294 s->ipsec.rx.cry_ctx = NULL;
295 }
296 if (s->ipsec.tx.cry_ctx) {
297 gcry_cipher_close(s->ipsec.tx.cry_ctx);
298 s->ipsec.tx.cry_ctx = NULL;
299 }
300 }
301
302 static void init_sockaddr(struct in_addr *dst, const char *hostname)
303 {
304 struct hostent *hostinfo;
305
306 if (inet_aton(hostname, dst) == 0) {
307 hostinfo = gethostbyname(hostname);
308 if (hostinfo == NULL)
309 error(1, 0, "unknown host `%s'\n", hostname);
310 *dst = *(struct in_addr *)hostinfo->h_addr;
311 }
312 }
313
314 static void init_netaddr(struct in_addr *net, const char *string)
315 {
316 char *p;
317
318 if ((p = strchr(string, '/')) != NULL) {
319 char *host = xallocc(p - string + 1);
320 memcpy(host, string, p - string + 1);
321 host[p - string] = '\0';
322 init_sockaddr((struct in_addr *)net, host);
323 free(host);
324 if (strchr(p + 1, '.') != NULL)
325 init_sockaddr(net + 1, p + 1);
326 else {
327 int bits = atoi(p + 1);
328 unsigned long mask = (1 << bits) - 1;
329 memcpy((char *)(net + 1), (char *)&mask, 4);
330 }
331 } else {
332 memset((char *)net, 0, 8);
333 }
334 }
335
336 static void setup_tunnel(struct sa_block *s)
337 {
338 setenv("reason", "pre-init", 1);
339 system(config[CONFIG_SCRIPT]);
340
341 if (config[CONFIG_IF_NAME])
342 memcpy(s->tun_name, config[CONFIG_IF_NAME], strlen(config[CONFIG_IF_NAME]));
343
344 s->tun_fd = tun_open(s->tun_name, opt_if_mode);
345 DEBUG(2, printf("using interface %s\n", s->tun_name));
346 setenv("TUNDEV", s->tun_name, 1);
347
348 if (s->tun_fd == -1)
349 error(1, errno, "can't initialise tunnel interface");
350 #ifdef FD_CLOEXEC
351 /* do not pass socket to vpnc-script, etc. */
352 fcntl(s->tun_fd, F_SETFD, FD_CLOEXEC);
353 #endif
354
355 if (opt_if_mode == IF_MODE_TAP) {
356 if (tun_get_hwaddr(s->tun_fd, s->tun_name, s->tun_hwaddr) < 0) {
357 error(1, errno, "can't get tunnel HW address");
358 }
359 hex_dump("interface HW addr", s->tun_hwaddr, ETH_ALEN, NULL);
360 }
361
362 unsetenv("INTERNAL_IP4_MTU");
363 if (config[CONFIG_IF_MTU]) {
364 int mtu;
365
366 mtu = atoi(config[CONFIG_IF_MTU]);
367 if (mtu < 0 || mtu > 65535) {
368 DEBUG(1, printf("ignore MTU option. Use automatic detection\n"));
369 mtu = 0;
370 }
371 if (mtu > 0) {
372 char *strbuf;
373 asprintf(&strbuf, "%d", mtu);
374 setenv("INTERNAL_IP4_MTU", strbuf, 1);
375 free(strbuf);
376 }
377 }
378 }
379
380 static void atexit_close(void)
381 {
382 if (s_atexit_sa != NULL) {
383 close_tunnel(s_atexit_sa);
384 s_atexit_sa = NULL;
385 }
386 }
387
388 static void config_tunnel(struct sa_block *s)
389 {
390 setenv("VPNGATEWAY", inet_ntoa(s->dst), 1);
391 setenv("reason", "connect", 1);
392 system(config[CONFIG_SCRIPT]);
393 s_atexit_sa = s;
394 atexit(atexit_close);
395 }
396
397 static void close_tunnel(struct sa_block *s)
398 {
399 setenv("reason", "disconnect", 1);
400 system(config[CONFIG_SCRIPT]);
401 tun_close(s->tun_fd, s->tun_name);
402 }
403
404 static int recv_ignore_dup(struct sa_block *s, void *recvbuf, size_t recvbufsize)
405 {
406 uint8_t *resend_check_hash;
407 int recvsize, hash_len;
408
409 recvsize = recv(s->ike_fd, recvbuf, recvbufsize, 0);
410 if (recvsize < 0)
411 error(1, errno, "receiving packet");
412 if ((unsigned int)recvsize > recvbufsize)
413 error(1, errno, "received packet too large for buffer");
414
415 /* skip (not only) NAT-T draft-0 keepalives */
416 if ( /* (s->ipsec.natt_active_mode == NATT_ACTIVE_DRAFT_OLD) && */
417 (recvsize == 1) && (*((u_char *)(recvbuf)) == 0xff))
418 {
419 if ((s->ipsec.natt_active_mode != NATT_ACTIVE_DRAFT_OLD))
420 {
421 DEBUG(2, printf("Received UDP NAT-Keepalive bug nat active mode incorrect: %d\n", s->ipsec.natt_active_mode));
422 }
423 return -1;
424 }
425
426 hash_len = gcry_md_get_algo_dlen(GCRY_MD_SHA1);
427 resend_check_hash = malloc(hash_len);
428 gcry_md_hash_buffer(GCRY_MD_SHA1, resend_check_hash, recvbuf, recvsize);
429 if (s->ike.resend_hash && memcmp(s->ike.resend_hash, resend_check_hash, hash_len) == 0) {
430 free(resend_check_hash);
431 /* FIXME: if we get a retransmission, we probably should do a retransmission too */
432 DEBUG(2, printf("Received duplicated packet, dropping it!\n"));
433 return -1;
434 }
435 if (!s->ike.resend_hash) {
436 s->ike.resend_hash = resend_check_hash;
437 } else {
438 memcpy(s->ike.resend_hash, resend_check_hash, hash_len);
439 free(resend_check_hash);
440 }
441
442 return recvsize;
443 }
444
445 /* Send TOSEND of size SENDSIZE to the socket. Then wait for a new packet,
446 resending TOSEND on timeout, and ignoring duplicate packets; the
447 new packet is put in RECVBUF of size RECVBUFSIZE and the actual size
448 of the new packet is returned. */
449
450 static ssize_t sendrecv(struct sa_block *s, void *recvbuf, size_t recvbufsize, void *tosend, size_t sendsize, int sendonly)
451 {
452 struct pollfd pfd;
453 int tries = 0;
454 int recvsize = -1;
455 time_t start = time(NULL);
456 time_t end = 0;
457 void *realtosend;
458
459 pfd.fd = s->ike_fd;
460 pfd.events = POLLIN;
461 tries = 0;
462
463 if ((s->ipsec.natt_active_mode == NATT_ACTIVE_RFC) && (tosend != NULL)) {
464 DEBUG(2, printf("NAT-T mode, adding non-esp marker\n"));
465 realtosend = xallocc(sendsize+4);
466 memmove((char*)realtosend+4, tosend, sendsize);
467 sendsize += 4;
468 } else {
469 realtosend = tosend;
470 }
471
472 for (;;) {
473 int pollresult;
474
475 if (realtosend != NULL)
476 if (write(s->ike_fd, realtosend, sendsize) != (int)sendsize)
477 error(1, errno, "can't send packet");
478 if (sendonly)
479 break;
480
481 do {
482 pollresult = poll(&pfd, 1, s->ike.timeout << tries);
483 } while (pollresult == -1 && errno == EINTR);
484
485 if (pollresult == -1)
486 error(1, errno, "can't poll socket");
487 if (pollresult != 0) {
488 recvsize = recv_ignore_dup(s, recvbuf, recvbufsize);
489 end = time(NULL);
490 if (recvsize != -1)
491 break;
492 continue;
493 }
494
495 if (tries > 2)
496 error(1, 0, "no response from target");
497 tries++;
498 }
499
500 if (realtosend != tosend)
501 free(realtosend);
502
503 if (sendonly)
504 return 0;
505
506 if ((s->ipsec.natt_active_mode == NATT_ACTIVE_RFC)&&(recvsize > 4)) {
507 recvsize -= 4; /* 4 bytes non-esp marker */
508 memmove(recvbuf, (char *)recvbuf+4, recvsize);
509 }
510
511 DEBUGTOP(3, printf("\n receiving: <========================\n"));
512
513 /* Wait at least 2s for a response or 4 times the time it took
514 * last time. */
515 if (start >= end)
516 s->ike.timeout = 2000;
517 else
518 s->ike.timeout = 4000 * (end - start);
519
520 return recvsize;
521 }
522
523 static int isakmp_crypt(struct sa_block *s, uint8_t * block, size_t blocklen, int enc)
524 {
525 unsigned char *new_iv, *iv = NULL;
526 int info_ex;
527 gcry_cipher_hd_t cry_ctx;
528
529 if (blocklen < ISAKMP_PAYLOAD_O || ((blocklen - ISAKMP_PAYLOAD_O) % s->ike.ivlen != 0))
530 abort();
531
532 if (!enc && (memcmp(block + ISAKMP_I_COOKIE_O, s->ike.i_cookie, ISAKMP_COOKIE_LENGTH) != 0
533 || memcmp(block + ISAKMP_R_COOKIE_O, s->ike.r_cookie, ISAKMP_COOKIE_LENGTH) != 0)) {
534 DEBUG(2, printf("got packet with wrong cookies\n"));
535 return ISAKMP_N_INVALID_COOKIE;
536 }
537
538 info_ex = block[ISAKMP_EXCHANGE_TYPE_O] == ISAKMP_EXCHANGE_INFORMATIONAL;
539
540 if (memcmp(block + ISAKMP_MESSAGE_ID_O, s->ike.current_iv_msgid, 4) != 0) {
541 gcry_md_hd_t md_ctx;
542
543 gcry_md_open(&md_ctx, s->ike.md_algo, 0);
544 gcry_md_write(md_ctx, s->ike.initial_iv, s->ike.ivlen);
545 gcry_md_write(md_ctx, block + ISAKMP_MESSAGE_ID_O, 4);
546 gcry_md_final(md_ctx);
547 if (info_ex) {
548 iv = xallocc(s->ike.ivlen);
549 memcpy(iv, gcry_md_read(md_ctx, 0), s->ike.ivlen);
550 } else {
551 memcpy(s->ike.current_iv, gcry_md_read(md_ctx, 0), s->ike.ivlen);
552 memcpy(s->ike.current_iv_msgid, block + ISAKMP_MESSAGE_ID_O, 4);
553 }
554 gcry_md_close(md_ctx);
555 } else if (info_ex) {
556 abort();
557 }
558
559 if (!info_ex) {
560 iv = s->ike.current_iv;
561 }
562
563 new_iv = xallocc(s->ike.ivlen);
564 gcry_cipher_open(&cry_ctx, s->ike.cry_algo, GCRY_CIPHER_MODE_CBC, 0);
565 gcry_cipher_setkey(cry_ctx, s->ike.key, s->ike.keylen);
566 gcry_cipher_setiv(cry_ctx, iv, s->ike.ivlen);
567 if (!enc) {
568 memcpy(new_iv, block + blocklen - s->ike.ivlen, s->ike.ivlen);
569 gcry_cipher_decrypt(cry_ctx, block + ISAKMP_PAYLOAD_O, blocklen - ISAKMP_PAYLOAD_O,
570 NULL, 0);
571 if (!info_ex)
572 memcpy(s->ike.current_iv, new_iv, s->ike.ivlen);
573 } else {
574 gcry_cipher_encrypt(cry_ctx, block + ISAKMP_PAYLOAD_O, blocklen - ISAKMP_PAYLOAD_O,
575 NULL, 0);
576 if (!info_ex)
577 memcpy(s->ike.current_iv, block + blocklen - s->ike.ivlen, s->ike.ivlen);
578 }
579 gcry_cipher_close(cry_ctx);
580
581 free(new_iv);
582 if (info_ex)
583 free(iv);
584
585 return 0;
586 }
587
588 static uint16_t unpack_verify_phase2(struct sa_block *s, uint8_t * r_packet,
589 size_t r_length, struct isakmp_packet **r_p, const uint8_t * nonce, size_t nonce_size)
590 {
591 struct isakmp_packet *r;
592 int reject = 0;
593
594 *r_p = NULL;
595
596 /* Some users report "payload ... not padded..." errors. It seems that they
597 * are harmless, so ignore and fix the symptom
598 */
599 if (r_length < ISAKMP_PAYLOAD_O ||
600 ((r_length - ISAKMP_PAYLOAD_O) % s->ike.ivlen != 0)) {
601 DEBUG(2, printf("payload too short or not padded: len=%lld, min=%d (ivlen=%lld)\n",
602 (long long)r_length, ISAKMP_PAYLOAD_O, (long long)s->ike.ivlen));
603 hex_dump("Payload", r_packet, r_length, NULL);
604 if (r_length < ISAKMP_PAYLOAD_O ) {
605 return ISAKMP_N_UNEQUAL_PAYLOAD_LENGTHS;
606 }
607 r_length -= (r_length - ISAKMP_PAYLOAD_O) % s->ike.ivlen;
608 }
609
610 reject = isakmp_crypt(s, r_packet, r_length, 0);
611 if (reject != 0)
612 return reject;
613
614 s->ike.life.rx += r_length;
615
616 {
617 r = parse_isakmp_packet(r_packet, r_length, &reject);
618 if (reject != 0) {
619 if (r) free_isakmp_packet(r);
620 return reject;
621 }
622 }
623
624 /* Verify the basic stuff. */
625 if (r->flags != ISAKMP_FLAG_E) {
626 free_isakmp_packet(r);
627 return ISAKMP_N_INVALID_FLAGS;
628 }
629
630 {
631 size_t sz, spos;
632 gcry_md_hd_t hm;
633 unsigned char *expected_hash;
634 struct isakmp_payload *h = r->payload;
635
636 if (h == NULL || h->type != ISAKMP_PAYLOAD_HASH || h->u.hash.length != s->ike.md_len) {
637 free_isakmp_packet(r);
638 return ISAKMP_N_INVALID_HASH_INFORMATION;
639 }
640
641 spos = (ISAKMP_PAYLOAD_O + (r_packet[ISAKMP_PAYLOAD_O + 2] << 8)
642 + r_packet[ISAKMP_PAYLOAD_O + 3]);
643
644 /* Compute the real length based on the payload lengths. */
645 for (sz = spos; r_packet[sz] != 0; sz += r_packet[sz + 2] << 8 | r_packet[sz + 3]) ;
646 sz += r_packet[sz + 2] << 8 | r_packet[sz + 3];
647
648 gcry_md_open(&hm, s->ike.md_algo, GCRY_MD_FLAG_HMAC);
649 gcry_md_setkey(hm, s->ike.skeyid_a, s->ike.md_len);
650 gcry_md_write(hm, r_packet + ISAKMP_MESSAGE_ID_O, 4);
651 if (nonce)
652 gcry_md_write(hm, nonce, nonce_size);
653 gcry_md_write(hm, r_packet + spos, sz - spos);
654 gcry_md_final(hm);
655 expected_hash = gcry_md_read(hm, 0);
656
657 DEBUG(3,printf("hashlen: %lu\n", (unsigned long)s->ike.md_len));
658 DEBUG(3,printf("u.hash.length: %d\n", h->u.hash.length));
659 hex_dump("expected_hash", expected_hash, s->ike.md_len, NULL);
660 hex_dump("h->u.hash.data", h->u.hash.data, s->ike.md_len, NULL);
661
662 reject = 0;
663 if (memcmp(h->u.hash.data, expected_hash, s->ike.md_len) != 0)
664 reject = ISAKMP_N_AUTHENTICATION_FAILED;
665 gcry_md_close(hm);
666 #if 0
667 if (reject != 0) {
668 free_isakmp_packet(r);
669 return reject;
670 }
671 #endif
672 }
673 *r_p = r;
674 return 0;
675 }
676
677 static void
678 phase2_authpacket(struct sa_block *s, struct isakmp_payload *pl,
679 uint8_t exchange_type, uint32_t msgid,
680 uint8_t ** p_flat, size_t * p_size,
681 uint8_t * nonce_i, int ni_len, uint8_t * nonce_r, int nr_len)
682 {
683 struct isakmp_packet *p;
684 uint8_t *pl_flat;
685 size_t pl_size;
686 gcry_md_hd_t hm;
687 uint8_t msgid_sent[4];
688
689 /* Build up the packet. */
690 p = new_isakmp_packet();
691 memcpy(p->i_cookie, s->ike.i_cookie, ISAKMP_COOKIE_LENGTH);
692 memcpy(p->r_cookie, s->ike.r_cookie, ISAKMP_COOKIE_LENGTH);
693 p->flags = ISAKMP_FLAG_E;
694 p->isakmp_version = ISAKMP_VERSION;
695 p->exchange_type = exchange_type;
696 p->message_id = msgid;
697 p->payload = new_isakmp_payload(ISAKMP_PAYLOAD_HASH);
698 p->payload->next = pl;
699 p->payload->u.hash.length = s->ike.md_len;
700 p->payload->u.hash.data = xallocc(s->ike.md_len);
701
702 /* Set the MAC. */
703 gcry_md_open(&hm, s->ike.md_algo, GCRY_MD_FLAG_HMAC);
704 gcry_md_setkey(hm, s->ike.skeyid_a, s->ike.md_len);
705
706 if (pl == NULL) {
707 DEBUG(3, printf("authing NULL package!\n"));
708 gcry_md_write(hm, "" /* \0 */ , 1);
709 }
710
711 msgid_sent[0] = msgid >> 24;
712 msgid_sent[1] = msgid >> 16;
713 msgid_sent[2] = msgid >> 8;
714 msgid_sent[3] = msgid;
715 gcry_md_write(hm, msgid_sent, sizeof(msgid_sent));
716
717 if (nonce_i != NULL)
718 gcry_md_write(hm, nonce_i, ni_len);
719
720 if (nonce_r != NULL)
721 gcry_md_write(hm, nonce_r, nr_len);
722
723 if (pl != NULL) {
724 flatten_isakmp_payloads(pl, &pl_flat, &pl_size);
725 gcry_md_write(hm, pl_flat, pl_size);
726 memset(pl_flat, 0, pl_size);
727 free(pl_flat);
728 }
729
730 gcry_md_final(hm);
731 memcpy(p->payload->u.hash.data, gcry_md_read(hm, 0), s->ike.md_len);
732 gcry_md_close(hm);
733
734 flatten_isakmp_packet(p, p_flat, p_size, s->ike.ivlen);
735 free_isakmp_packet(p);
736 }
737
738 static void sendrecv_phase2(struct sa_block *s, struct isakmp_payload *pl,
739 uint8_t exchange_type, uint32_t msgid, int sendonly,
740 uint8_t * nonce_i, int ni_len, uint8_t * nonce_r, int nr_len)
741 {
742 uint8_t *p_flat;
743 size_t p_size;
744 ssize_t recvlen;
745
746 phase2_authpacket(s, pl, exchange_type, msgid, &p_flat, &p_size,
747 nonce_i, ni_len, nonce_r, nr_len);
748 isakmp_crypt(s, p_flat, p_size, 1);
749 s->ike.life.tx += p_size;
750
751 recvlen = sendrecv(s, r_packet, sizeof(r_packet), p_flat, p_size, sendonly);
752 if (sendonly == 0)
753 r_length = recvlen;
754
755 free(p_flat);
756 }
757
758 void keepalive_ike(struct sa_block *s)
759 {
760 uint32_t msgid;
761
762 gcry_create_nonce((uint8_t *) & msgid, sizeof(msgid));
763 sendrecv_phase2(s, NULL, ISAKMP_EXCHANGE_INFORMATIONAL, msgid, 1, 0, 0, 0, 0);
764 }
765
766 static void send_dpd(struct sa_block *s, int isack, uint32_t seqno)
767 {
768 struct isakmp_payload *pl;
769 uint32_t msgid;
770
771 pl = new_isakmp_payload(ISAKMP_PAYLOAD_N);
772 pl->u.n.doi = ISAKMP_DOI_IPSEC;
773 pl->u.n.protocol = ISAKMP_IPSEC_PROTO_ISAKMP;
774 pl->u.n.type = isack ? ISAKMP_N_R_U_THERE_ACK : ISAKMP_N_R_U_THERE;
775 pl->u.n.spi_length = 2 * ISAKMP_COOKIE_LENGTH;
776 pl->u.n.spi = xallocc(2 * ISAKMP_COOKIE_LENGTH);
777 memcpy(pl->u.n.spi + ISAKMP_COOKIE_LENGTH * 0, s->ike.i_cookie, ISAKMP_COOKIE_LENGTH);
778 memcpy(pl->u.n.spi + ISAKMP_COOKIE_LENGTH * 1, s->ike.r_cookie, ISAKMP_COOKIE_LENGTH);
779 pl->u.n.data_length = 4;
780 pl->u.n.data = xallocc(4);
781 *((uint32_t *) pl->u.n.data) = htonl(seqno);
782 gcry_create_nonce((uint8_t *) & msgid, sizeof(msgid));
783 /* 2007-09-06 JKU/ZID: Sonicwall drops non hashed r_u_there-requests */
784 sendrecv_phase2(s, pl, ISAKMP_EXCHANGE_INFORMATIONAL, msgid,
785 1 , NULL, 0, NULL, 0);
786 }
787
788 void dpd_ike(struct sa_block *s)
789 {
790 if (!s->ike.do_dpd)
791 return;
792
793 if (s->ike.dpd_seqno == s->ike.dpd_seqno_ack) {
794 /* Increase the sequence number, reset the attempts to 6, record
795 ** the current time and send a dpd request
796 */
797 s->ike.dpd_attempts = 6;
798 s->ike.dpd_sent = time(NULL);
799 s->ike.dpd_seqno++;
800 send_dpd(s, 0, s->ike.dpd_seqno);
801 } else {
802 /* Our last dpd request has not yet been acked. If it's been
803 ** less than 5 seconds since we sent it do nothing. Otherwise
804 ** decrement dpd_attempts. If dpd_attempts is 0 dpd fails and we
805 ** terminate otherwise we send it again with the same sequence
806 ** number and record current time.
807 */
808 time_t now = time(NULL);
809 if (now < s->ike.dpd_sent + 5)
810 return;
811 if (--s->ike.dpd_attempts == 0) {
812 DEBUG(2, printf("dead peer detected, terminating\n"));
813 do_kill = -2;
814 return;
815 }
816 s->ike.dpd_sent = now;
817 send_dpd(s, 0, s->ike.dpd_seqno);
818 }
819 }
820
821 static void send_delete_ipsec(struct sa_block *s)
822 {
823 /* 2007-08-31 JKU/ZID: Sonicwall doesn't like the chained
824 * request but wants them split. Cisco does fine with it. */
825 DEBUGTOP(2, printf("S7.10 send ipsec termination message\n"));
826 {
827 struct isakmp_payload *d_ipsec;
828 uint8_t del_msgid;
829
830 gcry_create_nonce((uint8_t *) & del_msgid, sizeof(del_msgid));
831 d_ipsec = new_isakmp_payload(ISAKMP_PAYLOAD_D);
832 d_ipsec->u.d.doi = ISAKMP_DOI_IPSEC;
833 d_ipsec->u.d.protocol = ISAKMP_IPSEC_PROTO_IPSEC_ESP;
834 d_ipsec->u.d.spi_length = 4;
835 d_ipsec->u.d.num_spi = 2;
836 d_ipsec->u.d.spi = xallocc(2 * sizeof(uint8_t *));
837 d_ipsec->u.d.spi[0] = xallocc(d_ipsec->u.d.spi_length);
838 memcpy(d_ipsec->u.d.spi[0], &s->ipsec.rx.spi, 4);
839 d_ipsec->u.d.spi[1] = xallocc(d_ipsec->u.d.spi_length);
840 memcpy(d_ipsec->u.d.spi[1], &s->ipsec.tx.spi, 4);
841 sendrecv_phase2(s, d_ipsec, ISAKMP_EXCHANGE_INFORMATIONAL,
842 del_msgid, 1, NULL, 0, NULL, 0);
843 }
844 }
845
846 static void send_delete_isakmp(struct sa_block *s)
847 {
848 DEBUGTOP(2, printf("S7.11 send isakmp termination message\n"));
849 {
850 struct isakmp_payload *d_isakmp;
851 uint8_t del_msgid;
852
853 gcry_create_nonce((uint8_t *) & del_msgid, sizeof(del_msgid));
854 d_isakmp = new_isakmp_payload(ISAKMP_PAYLOAD_D);
855 d_isakmp->u.d.doi = ISAKMP_DOI_IPSEC;
856 d_isakmp->u.d.protocol = ISAKMP_IPSEC_PROTO_ISAKMP;
857 d_isakmp->u.d.spi_length = 2 * ISAKMP_COOKIE_LENGTH;
858 d_isakmp->u.d.num_spi = 1;
859 d_isakmp->u.d.spi = xallocc(1 * sizeof(uint8_t *));
860 d_isakmp->u.d.spi[0] = xallocc(2 * ISAKMP_COOKIE_LENGTH);
861 memcpy(d_isakmp->u.d.spi[0] + ISAKMP_COOKIE_LENGTH * 0, s->ike.i_cookie,
862 ISAKMP_COOKIE_LENGTH);
863 memcpy(d_isakmp->u.d.spi[0] + ISAKMP_COOKIE_LENGTH * 1, s->ike.r_cookie,
864 ISAKMP_COOKIE_LENGTH);
865 sendrecv_phase2(s, d_isakmp, ISAKMP_EXCHANGE_INFORMATIONAL,
866 del_msgid, 1, NULL, 0, NULL, 0);
867 }
868 }
869
870 static void phase2_fatal(struct sa_block *s, const char *msg, int id)
871 {
872 struct isakmp_payload *pl;
873 uint32_t msgid;
874
875 DEBUG(1, printf("\n\n---!!!!!!!!! entering phase2_fatal !!!!!!!!!---\n\n\n"));
876 gcry_create_nonce((uint8_t *) & msgid, sizeof(msgid));
877 pl = new_isakmp_payload(ISAKMP_PAYLOAD_N);
878 pl->u.n.doi = ISAKMP_DOI_IPSEC;
879 pl->u.n.protocol = ISAKMP_IPSEC_PROTO_ISAKMP;
880 pl->u.n.type = id;
881 sendrecv_phase2(s, pl, ISAKMP_EXCHANGE_INFORMATIONAL, msgid, 1, 0, 0, 0, 0);
882
883 send_delete_isakmp(s);
884
885 error(1, 0, msg, val_to_string(id, isakmp_notify_enum_array), id);
886 }
887
888 static uint8_t *gen_keymat(struct sa_block *s,
889 uint8_t protocol, uint32_t spi,
890 const uint8_t * dh_shared, size_t dh_size,
891 const uint8_t * ni_data, size_t ni_size, const uint8_t * nr_data, size_t nr_size)
892 {
893 gcry_md_hd_t hm;
894 uint8_t *block;
895 int i;
896 int blksz;
897 int cnt;
898
899 blksz = s->ipsec.md_len + s->ipsec.key_len;
900 cnt = (blksz + s->ike.md_len - 1) / s->ike.md_len;
901 block = xallocc(cnt * s->ike.md_len);
902 DEBUG(3, printf("generating %d bytes keymat (cnt=%d)\n", blksz, cnt));
903 if (cnt < 1)
904 abort();
905
906 for (i = 0; i < cnt; i++) {
907 gcry_md_open(&hm, s->ike.md_algo, GCRY_MD_FLAG_HMAC);
908 gcry_md_setkey(hm, s->ike.skeyid_d, s->ike.md_len);
909 if (i != 0)
910 gcry_md_write(hm, block + (i - 1) * s->ike.md_len, s->ike.md_len);
911 if (dh_shared != NULL)
912 gcry_md_write(hm, dh_shared, dh_size);
913 gcry_md_write(hm, &protocol, 1);
914 gcry_md_write(hm, (uint8_t *) & spi, sizeof(spi));
915 gcry_md_write(hm, ni_data, ni_size);
916 gcry_md_write(hm, nr_data, nr_size);
917 gcry_md_final(hm);
918 memcpy(block + i * s->ike.md_len, gcry_md_read(hm, 0), s->ike.md_len);
919 gcry_md_close(hm);
920 }
921 return block;
922 }
923
924 static int mask_to_masklen(struct in_addr mask)
925 {
926 int len;
927 uint32_t addr;
928
929 addr = ntohl(mask.s_addr);
930 for (len = 0; addr; addr <<= 1, len++)
931 ;
932 return len;
933 }
934
935 static int do_config_to_env(struct sa_block *s, struct isakmp_attribute *a)
936 {
937 int i;
938 int reject = 0;
939 int seen_address = 0;
940 char *strbuf, *strbuf2;
941
942 unsetenv("CISCO_BANNER");
943 unsetenv("CISCO_DEF_DOMAIN");
944 unsetenv("CISCO_SPLIT_DNS");
945 unsetenv("CISCO_SPLIT_INC");
946 unsetenv("CISCO_IPV6_SPLIT_INC");
947 unsetenv("INTERNAL_IP4_NBNS");
948 unsetenv("INTERNAL_IP4_DNS");
949 unsetenv("INTERNAL_IP4_NETMASK");
950 unsetenv("INTERNAL_IP4_ADDRESS");
951 unsetenv("INTERNAL_IP6_DNS");
952 unsetenv("INTERNAL_IP6_NETMASK");
953 unsetenv("INTERNAL_IP6_ADDRESS");
954
955 for (; a && reject == 0; a = a->next)
956 switch (a->type) {
957 case ISAKMP_MODECFG_ATTRIB_INTERNAL_IP4_ADDRESS:
958 if (a->af != isakmp_attr_lots || a->u.lots.length != 4)
959 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
960 else {
961 addenv_ipv4("INTERNAL_IP4_ADDRESS", a->u.lots.data);
962 memcpy(&s->our_address, a->u.lots.data, 4);
963 }
964 seen_address = 1;
965 break;
966
967 case ISAKMP_MODECFG_ATTRIB_INTERNAL_IP4_NETMASK:
968 if (a->af == isakmp_attr_lots && a->u.lots.length == 0) {
969 DEBUG(2, printf("ignoring zero length netmask\n"));
970 continue;
971 }
972 if (a->af != isakmp_attr_lots || a->u.lots.length != 4)
973 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
974 else {
975 uint32_t netaddr = s->our_address.s_addr & ((struct in_addr *)(a->u.lots.data))->s_addr;
976 addenv_ipv4("INTERNAL_IP4_NETMASK", a->u.lots.data);
977 asprintf(&strbuf, "%d", mask_to_masklen(*((struct in_addr *)a->u.lots.data)));
978 setenv("INTERNAL_IP4_NETMASKLEN", strbuf, 1);
979 free(strbuf);
980 addenv_ipv4("INTERNAL_IP4_NETADDR", (uint8_t *)&netaddr);
981 }
982 break;
983
984 case ISAKMP_MODECFG_ATTRIB_INTERNAL_IP4_DNS:
985 if (a->af != isakmp_attr_lots || a->u.lots.length != 4)
986 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
987 else
988 addenv_ipv4("INTERNAL_IP4_DNS", a->u.lots.data);
989 break;
990
991 case ISAKMP_MODECFG_ATTRIB_INTERNAL_IP4_NBNS:
992 if (a->af != isakmp_attr_lots || a->u.lots.length != 4)
993 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
994 else
995 addenv_ipv4("INTERNAL_IP4_NBNS", a->u.lots.data);
996 break;
997
998 case ISAKMP_MODECFG_ATTRIB_CISCO_DEF_DOMAIN:
999 if (a->af != isakmp_attr_lots) {
1000 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
1001 break;
1002 }
1003 strbuf = xallocc(a->u.lots.length + 1);
1004 memcpy(strbuf, a->u.lots.data, a->u.lots.length);
1005 addenv("CISCO_DEF_DOMAIN", strbuf);
1006 free(strbuf);
1007 break;
1008
1009 case ISAKMP_MODECFG_ATTRIB_CISCO_BANNER:
1010 if (a->af != isakmp_attr_lots) {
1011 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
1012 break;
1013 }
1014 strbuf = xallocc(a->u.lots.length + 1);
1015 memcpy(strbuf, a->u.lots.data, a->u.lots.length);
1016 addenv("CISCO_BANNER", strbuf);
1017 free(strbuf);
1018 DEBUG(1, printf("Banner: "));
1019 DEBUG(1, fwrite(a->u.lots.data, a->u.lots.length, 1, stdout));
1020 DEBUG(1, printf("\n"));
1021 break;
1022
1023 case ISAKMP_MODECFG_ATTRIB_APPLICATION_VERSION:
1024 DEBUG(2, printf("Remote Application Version: "));
1025 DEBUG(2, fwrite(a->u.lots.data, a->u.lots.length, 1, stdout));
1026 DEBUG(2, printf("\n"));
1027 break;
1028
1029 case ISAKMP_MODECFG_ATTRIB_CISCO_DO_PFS:
1030 if (a->af != isakmp_attr_16)
1031 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
1032 else {
1033 s->ipsec.do_pfs = a->u.attr_16;
1034 DEBUG(2, printf("got pfs setting: %d\n", s->ipsec.do_pfs));
1035 }
1036 break;
1037
1038 case ISAKMP_MODECFG_ATTRIB_CISCO_UDP_ENCAP_PORT:
1039 if (a->af != isakmp_attr_16)
1040 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
1041 else {
1042 s->ipsec.peer_udpencap_port = a->u.attr_16;
1043 DEBUG(2, printf("got peer udp encapsulation port: %hu\n", s->ipsec.peer_udpencap_port));
1044 }
1045 break;
1046
1047 case ISAKMP_MODECFG_ATTRIB_CISCO_SPLIT_INC:
1048 if (a->af != isakmp_attr_acl) {
1049 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
1050 break;
1051 }
1052
1053 DEBUG(2, printf("got %d acls for split include\n", a->u.acl.count));
1054 asprintf(&strbuf, "%d", a->u.acl.count);
1055 setenv("CISCO_SPLIT_INC", strbuf, 1);
1056 free(strbuf);
1057
1058 for (i = 0; i < a->u.acl.count; i++) {
1059 DEBUG(2, printf("acl %d: ", i));
1060 /* NOTE: inet_ntoa returns one static buffer */
1061
1062 asprintf(&strbuf, "CISCO_SPLIT_INC_%d_ADDR", i);
1063 asprintf(&strbuf2, "%s", inet_ntoa(a->u.acl.acl_ent[i].addr));
1064 DEBUG(2, printf("addr: %s/", strbuf2));
1065 setenv(strbuf, strbuf2, 1);
1066 free(strbuf); free(strbuf2);
1067
1068 asprintf(&strbuf, "CISCO_SPLIT_INC_%d_MASK", i);
1069 asprintf(&strbuf2, "%s", inet_ntoa(a->u.acl.acl_ent[i].mask));
1070 DEBUG(2, printf("%s ", strbuf2));
1071 setenv(strbuf, strbuf2, 1);
1072 free(strbuf); free(strbuf2);
1073
1074 /* this is just here because ip route does not accept netmasks */
1075 asprintf(&strbuf, "CISCO_SPLIT_INC_%d_MASKLEN", i);
1076 asprintf(&strbuf2, "%d", mask_to_masklen(a->u.acl.acl_ent[i].mask));
1077 DEBUG(2, printf("(%s), ", strbuf2));
1078 setenv(strbuf, strbuf2, 1);
1079 free(strbuf); free(strbuf2);
1080
1081 asprintf(&strbuf, "CISCO_SPLIT_INC_%d_PROTOCOL", i);
1082 asprintf(&strbuf2, "%hu", a->u.acl.acl_ent[i].protocol);
1083 DEBUG(2, printf("protocol: %s, ", strbuf2));
1084 setenv(strbuf, strbuf2, 1);
1085 free(strbuf); free(strbuf2);
1086
1087 asprintf(&strbuf, "CISCO_SPLIT_INC_%d_SPORT", i);
1088 asprintf(&strbuf2, "%hu", a->u.acl.acl_ent[i].sport);
1089 DEBUG(2, printf("sport: %s, ", strbuf2));
1090 setenv(strbuf, strbuf2, 1);
1091 free(strbuf); free(strbuf2);
1092
1093 asprintf(&strbuf, "CISCO_SPLIT_INC_%d_DPORT", i);
1094 asprintf(&strbuf2, "%hu", a->u.acl.acl_ent[i].dport);
1095 DEBUG(2, printf("dport: %s\n", strbuf2));
1096 setenv(strbuf, strbuf2, 1);
1097 free(strbuf); free(strbuf2);
1098 }
1099 break;
1100
1101 case ISAKMP_MODECFG_ATTRIB_CISCO_SPLIT_DNS:
1102 if (a->af != isakmp_attr_lots) {
1103 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
1104 break;
1105 }
1106 strbuf = xallocc(a->u.lots.length + 1);
1107 memcpy(strbuf, a->u.lots.data, a->u.lots.length);
1108 addenv("CISCO_SPLIT_DNS", strbuf);
1109 free(strbuf);
1110 DEBUG(2, printf("Split DNS: %s\n", a->u.lots.data));
1111 break;
1112
1113 case ISAKMP_MODECFG_ATTRIB_CISCO_SAVE_PW:
1114 DEBUG(2, printf("got save password setting: %d\n", a->u.attr_16));
1115 break;
1116
1117 default:
1118 DEBUG(2, printf("unknown attribute %d / 0x%X\n", a->type, a->type));
1119 break;
1120 }
1121
1122 if (reject == 0 && !seen_address)
1123 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
1124
1125 return reject;
1126 }
1127
1128 /* * */
1129
1130 static struct isakmp_attribute *make_transform_ike(int dh_group, int crypt, int hash, int keylen, int auth)
1131 {
1132 struct isakmp_attribute *a = NULL;
1133
1134 a = new_isakmp_attribute(IKE_ATTRIB_LIFE_DURATION, a);
1135 a->af = isakmp_attr_lots;
1136 a->u.lots.length = 4;
1137 a->u.lots.data = xallocc(a->u.lots.length);
1138 *((uint32_t *) a->u.lots.data) = htonl(2147483);
1139 a = new_isakmp_attribute_16(IKE_ATTRIB_LIFE_TYPE, IKE_LIFE_TYPE_SECONDS, a);
1140 a = new_isakmp_attribute_16(IKE_ATTRIB_AUTH_METHOD, auth, a);
1141 a = new_isakmp_attribute_16(IKE_ATTRIB_GROUP_DESC, dh_group, a);
1142 a = new_isakmp_attribute_16(IKE_ATTRIB_HASH, hash, a);
1143 a = new_isakmp_attribute_16(IKE_ATTRIB_ENC, crypt, a);
1144 if (keylen != 0)
1145 a = new_isakmp_attribute_16(IKE_ATTRIB_KEY_LENGTH, keylen, a);
1146 return a;
1147 }
1148
1149 static struct isakmp_payload *make_our_sa_ike(void)
1150 {
1151 struct isakmp_payload *r = new_isakmp_payload(ISAKMP_PAYLOAD_SA);
1152 struct isakmp_payload *t = NULL, *tn;
1153 struct isakmp_attribute *a;
1154 int dh_grp = get_dh_group_ike()->ike_sa_id;
1155 unsigned int auth, crypt, hash, keylen;
1156 int i;
1157
1158 r->u.sa.doi = ISAKMP_DOI_IPSEC;
1159 r->u.sa.situation = ISAKMP_IPSEC_SIT_IDENTITY_ONLY;
1160 r->u.sa.proposals = new_isakmp_payload(ISAKMP_PAYLOAD_P);
1161 r->u.sa.proposals->u.p.prot_id = ISAKMP_IPSEC_PROTO_ISAKMP;
1162 for (auth = 0; supp_auth[auth].name != NULL; auth++) {
1163 if (opt_auth_mode == AUTH_MODE_CERT) {
1164 if ((supp_auth[auth].ike_sa_id != IKE_AUTH_RSA_SIG) &&
1165 (supp_auth[auth].ike_sa_id != IKE_AUTH_DSS))
1166 continue;
1167 } else if (opt_auth_mode == AUTH_MODE_HYBRID) {
1168 if ((supp_auth[auth].ike_sa_id != IKE_AUTH_HybridInitRSA) &&
1169 (supp_auth[auth].ike_sa_id != IKE_AUTH_HybridInitDSS))
1170 continue;
1171 } else {
1172 if (supp_auth[auth].ike_sa_id == IKE_AUTH_HybridInitRSA ||
1173 supp_auth[auth].ike_sa_id == IKE_AUTH_HybridInitDSS ||
1174 supp_auth[auth].ike_sa_id == IKE_AUTH_RSA_SIG ||
1175 supp_auth[auth].ike_sa_id == IKE_AUTH_DSS)
1176 continue;
1177 }
1178 for (crypt = 0; supp_crypt[crypt].name != NULL; crypt++) {
1179 keylen = supp_crypt[crypt].keylen;
1180 for (hash = 0; supp_hash[hash].name != NULL; hash++) {
1181 tn = t;
1182 t = new_isakmp_payload(ISAKMP_PAYLOAD_T);
1183 t->u.t.id = ISAKMP_IPSEC_KEY_IKE;
1184 a = make_transform_ike(dh_grp, supp_crypt[crypt].ike_sa_id,
1185 supp_hash[hash].ike_sa_id, keylen, supp_auth[auth].ike_sa_id);
1186 t->u.t.attributes = a;
1187 t->next = tn;
1188 }
1189 }
1190 }
1191 for (i = 0, tn = t; tn; tn = tn->next)
1192 tn->u.t.number = i++;
1193 r->u.sa.proposals->u.p.transforms = t;
1194 return r;
1195 }
1196
1197 static void lifetime_ike_process(struct sa_block *s, struct isakmp_attribute *a)
1198 {
1199 uint32_t value;
1200
1201 assert(a != NULL);
1202 assert(a->type == IKE_ATTRIB_LIFE_TYPE);
1203 assert(a->af == isakmp_attr_16);
1204 assert(a->u.attr_16 == IKE_LIFE_TYPE_SECONDS || a->u.attr_16 == IKE_LIFE_TYPE_K);
1205 assert(a->next != NULL);
1206 assert(a->next->type == IKE_ATTRIB_LIFE_DURATION);
1207
1208 if (a->next->af == isakmp_attr_16)
1209 value = a->next->u.attr_16;
1210 else if (a->next->af == isakmp_attr_lots && a->next->u.lots.length == 4)
1211 value = ntohl(*((uint32_t *) a->next->u.lots.data));
1212 else {
1213 DEBUG(2, printf("got unknown ike lifetime attributes af %d len %d\n",
1214 a->next->af, a->next->u.lots.length));
1215 return;
1216 }
1217
1218 DEBUG(2, printf("got ike lifetime attributes: %d %s\n", value,
1219 (a->u.attr_16 == IKE_LIFE_TYPE_SECONDS) ? "seconds" : "kilobyte"));
1220
1221 if (a->u.attr_16 == IKE_LIFE_TYPE_SECONDS)
1222 s->ike.life.seconds = value;
1223 else
1224 s->ike.life.kbytes = value;
1225 }
1226
1227 static void lifetime_ipsec_process(struct sa_block *s, struct isakmp_attribute *a)
1228 {
1229 uint32_t value;
1230
1231 assert(a != NULL);
1232 assert(a->type == ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE);
1233 assert(a->af == isakmp_attr_16);
1234 assert(a->u.attr_16 == IPSEC_LIFE_SECONDS || a->u.attr_16 == IPSEC_LIFE_K);
1235 assert(a->next != NULL);
1236 assert(a->next->type == ISAKMP_IPSEC_ATTRIB_SA_LIFE_DURATION);
1237
1238 if (a->next->af == isakmp_attr_16)
1239 value = a->next->u.attr_16;
1240 else if (a->next->af == isakmp_attr_lots && a->next->u.lots.length == 4)
1241 value = ntohl(*((uint32_t *) a->next->u.lots.data));
1242 else
1243 assert(0);
1244
1245 DEBUG(2, printf("got ipsec lifetime attributes: %d %s\n", value,
1246 (a->u.attr_16 == IPSEC_LIFE_SECONDS) ? "seconds" : "kilobyte"));
1247
1248 if (a->u.attr_16 == IPSEC_LIFE_SECONDS)
1249 s->ipsec.life.seconds = value;
1250 else
1251 s->ipsec.life.kbytes = value;
1252
1253 /* FIXME: for notice-payloads: write a seperate function to handle them */
1254 /* bug: this may process lifetime-attributes of SAs twice but to no consequence */
1255 if (a->next->next != NULL && a->next->next->type == ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE)
1256 lifetime_ipsec_process(s, a->next->next);
1257 }
1258
1259 static void do_phase1_am_init(struct sa_block *s)
1260 {
1261
1262 s->ike.natd_type = 0;
1263 s->ike.natd_us = s->ike.natd_them = NULL;
1264 s->ike.sa_f = s->ike.idi_f = NULL;
1265
1266 DEBUGTOP(2, printf("S4.1 create_nonce\n"));
1267 gcry_create_nonce(s->ike.i_cookie, ISAKMP_COOKIE_LENGTH);
1268 s->ike.life.start = time(NULL);
1269 s->ipsec.do_pfs = -1;
1270 if (s->ike.i_cookie[0] == 0)
1271 s->ike.i_cookie[0] = 1;
1272 hex_dump("i_cookie", s->ike.i_cookie, ISAKMP_COOKIE_LENGTH, NULL);
1273 gcry_create_nonce(s->ike.i_nonce, sizeof(s->ike.i_nonce));
1274 hex_dump("i_nonce", s->ike.i_nonce, sizeof(s->ike.i_nonce), NULL);
1275 DEBUGTOP(2, printf("S4.2 dh setup\n"));
1276 /* Set up the Diffie-Hellman stuff. */
1277 {
1278 s->ike.dh_grp = group_get(get_dh_group_ike()->my_id);
1279 s->ike.dh_public = xallocc(dh_getlen(s->ike.dh_grp));
1280 dh_create_exchange(s->ike.dh_grp, s->ike.dh_public);
1281 hex_dump("dh_public", s->ike.dh_public, dh_getlen(s->ike.dh_grp), NULL);
1282 }
1283
1284 }
1285
1286 static void do_phase1_am_packet1(struct sa_block *s, const char *key_id)
1287 {
1288 DEBUGTOP(2, printf("S4.3 AM packet_1\n"));
1289 /* Create the first packet. */
1290 {
1291 struct isakmp_packet *p1;
1292 struct isakmp_payload *l;
1293 uint8_t *pkt;
1294 size_t pkt_len;
1295
1296 p1 = new_isakmp_packet();
1297 memcpy(p1->i_cookie, s->ike.i_cookie, ISAKMP_COOKIE_LENGTH);
1298 p1->isakmp_version = ISAKMP_VERSION;
1299 p1->exchange_type = ISAKMP_EXCHANGE_AGGRESSIVE;
1300 p1->payload = l = make_our_sa_ike();
1301 flatten_isakmp_payload(l, &s->ike.sa_f, &s->ike.sa_size);
1302 l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_KE, s->ike.dh_public, dh_getlen(s->ike.dh_grp));
1303 l->next->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_NONCE,
1304 s->ike.i_nonce, sizeof(s->ike.i_nonce));
1305 l = l->next->next;
1306 l->next = new_isakmp_payload(ISAKMP_PAYLOAD_ID);
1307 l = l->next;
1308 if (opt_vendor == VENDOR_CISCO)
1309 l->u.id.type = ISAKMP_IPSEC_ID_KEY_ID;
1310 else
1311 l->u.id.type = ISAKMP_IPSEC_ID_USER_FQDN;
1312 l->u.id.protocol = IPPROTO_UDP;
1313 l->u.id.port = ISAKMP_PORT; /* this must be 500, see rfc2407, 4.6.2 */
1314 l->u.id.length = strlen(key_id);
1315 l->u.id.data = xallocc(l->u.id.length);
1316 memcpy(l->u.id.data, key_id, strlen(key_id));
1317 flatten_isakmp_payload(l, &s->ike.idi_f, &s->ike.idi_size);
1318 l = l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID,
1319 VID_XAUTH, sizeof(VID_XAUTH));
1320 l = l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID,
1321 VID_UNITY, sizeof(VID_UNITY));
1322 if ((opt_natt_mode == NATT_NORMAL) || (opt_natt_mode == NATT_FORCE)) {
1323 l = l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID,
1324 VID_NATT_RFC, sizeof(VID_NATT_RFC));
1325 l = l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID,
1326 VID_NATT_03, sizeof(VID_NATT_03));
1327 l = l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID,
1328 VID_NATT_02N, sizeof(VID_NATT_02N));
1329 l = l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID,
1330 VID_NATT_02, sizeof(VID_NATT_02));
1331 l = l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID,
1332 VID_NATT_01, sizeof(VID_NATT_01));
1333 l = l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID,
1334 VID_NATT_00, sizeof(VID_NATT_00));
1335 }
1336 s->ike.dpd_idle = atoi(config[CONFIG_DPD_IDLE]);
1337 if (s->ike.dpd_idle != 0) {
1338 if (s->ike.dpd_idle < 10)
1339 s->ike.dpd_idle = 10;
1340 if (s->ike.dpd_idle > 86400)
1341 s->ike.dpd_idle = 86400;
1342 l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID,
1343 VID_DPD, sizeof(VID_DPD));
1344 }
1345 flatten_isakmp_packet(p1, &pkt, &pkt_len, 0);
1346 free_isakmp_packet(p1);
1347
1348 /* Now, send that packet and receive a new one. */
1349 r_length = sendrecv(s, r_packet, sizeof(r_packet), pkt, pkt_len, 0);
1350 free(pkt);
1351 }
1352 }
1353
1354 static void do_phase1_am_packet2(struct sa_block *s, const char *shared_key)
1355 {
1356 DEBUGTOP(2, printf("S4.4 AM_packet2\n"));
1357 /* Decode the recieved packet. */
1358 {
1359 int reject, ret;
1360 struct isakmp_packet *r;
1361 struct isakmp_payload *rp;
1362 struct isakmp_payload *nonce = NULL;
1363 struct isakmp_payload *ke = NULL;
1364 struct isakmp_payload *hash = NULL;
1365 struct isakmp_payload *sig = NULL;
1366 struct isakmp_payload *idp = NULL;
1367 int seen_sa = 0;
1368 uint8_t *psk_skeyid;
1369 uint8_t *skeyid;
1370 gcry_md_hd_t skeyid_ctx;
1371 uint8_t *dh_shared_secret;
1372 int seen_natd = 0, seen_natd_them = 0, seen_natd_us = 0;
1373 int natt_draft = -1;
1374 crypto_ctx *cctx;
1375 crypto_error *crerr = NULL;
1376
1377 cctx = crypto_ctx_new (&crerr);
1378 if (crerr)
1379 crypto_call_error(crerr);
1380
1381 reject = 0;
1382 r = parse_isakmp_packet(r_packet, r_length, &reject);
1383
1384 /* Verify the correctness of the recieved packet. */
1385 if (reject == 0 && memcmp(r->i_cookie, s->ike.i_cookie, ISAKMP_COOKIE_LENGTH) != 0)
1386 reject = ISAKMP_N_INVALID_COOKIE;
1387 if (reject == 0)
1388 memcpy(s->ike.r_cookie, r->r_cookie, ISAKMP_COOKIE_LENGTH);
1389 if (reject == 0 && r->exchange_type != ISAKMP_EXCHANGE_AGGRESSIVE)
1390 reject = ISAKMP_N_INVALID_EXCHANGE_TYPE;
1391 if (reject == 0 && r->flags != 0)
1392 reject = ISAKMP_N_INVALID_FLAGS;
1393 if (reject == 0 && r->message_id != 0)
1394 reject = ISAKMP_N_INVALID_MESSAGE_ID;
1395 if (reject != 0)
1396 error(1, 0, "response was invalid [1]: %s(%d)", val_to_string(reject, isakmp_notify_enum_array), reject);
1397 for (rp = r->payload; rp && reject == 0; rp = rp->next)
1398 switch (rp->type) {
1399 case ISAKMP_PAYLOAD_SA:
1400 if (reject == 0 && rp->u.sa.doi != ISAKMP_DOI_IPSEC)
1401 reject = ISAKMP_N_DOI_NOT_SUPPORTED;
1402 if (reject == 0 &&
1403 rp->u.sa.situation != ISAKMP_IPSEC_SIT_IDENTITY_ONLY)
1404 reject = ISAKMP_N_SITUATION_NOT_SUPPORTED;
1405 if (reject == 0 &&
1406 (rp->u.sa.proposals == NULL
1407 || rp->u.sa.proposals->next != NULL))
1408 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
1409 if (reject == 0 &&
1410 rp->u.sa.proposals->u.p.prot_id !=
1411 ISAKMP_IPSEC_PROTO_ISAKMP)
1412 reject = ISAKMP_N_INVALID_PROTOCOL_ID;
1413 if (reject == 0 && rp->u.sa.proposals->u.p.spi_size != 0)
1414 reject = ISAKMP_N_INVALID_SPI;
1415 if (reject == 0 &&
1416 (rp->u.sa.proposals->u.p.transforms == NULL
1417 || rp->u.sa.proposals->u.p.transforms->next !=
1418 NULL))
1419 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
1420 if (reject == 0 &&
1421 (rp->u.sa.proposals->u.p.transforms->u.t.id
1422 != ISAKMP_IPSEC_KEY_IKE))
1423 reject = ISAKMP_N_INVALID_TRANSFORM_ID;
1424 if (reject == 0) {
1425 struct isakmp_attribute *a
1426 =
1427 rp->u.sa.proposals->u.p.transforms->u.t.attributes;
1428 int seen_enc = 0, seen_hash = 0, seen_auth = 0;
1429 int seen_group = 0, seen_keylen = 0;
1430 for (; a && reject == 0; a = a->next)
1431 switch (a->type) {
1432 case IKE_ATTRIB_GROUP_DESC:
1433 if (a->af == isakmp_attr_16 &&
1434 a->u.attr_16 ==
1435 get_dh_group_ike()->ike_sa_id)
1436 seen_group = 1;
1437 else
1438 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
1439 break;
1440 case IKE_ATTRIB_AUTH_METHOD:
1441 if (a->af == isakmp_attr_16)
1442 seen_auth = a->u.attr_16;
1443 else
1444 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
1445 break;
1446 case IKE_ATTRIB_HASH:
1447 if (a->af == isakmp_attr_16)
1448 seen_hash = a->u.attr_16;
1449 else
1450 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
1451 break;
1452 case IKE_ATTRIB_ENC:
1453 if (a->af == isakmp_attr_16)
1454 seen_enc = a->u.attr_16;
1455 else
1456 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
1457 break;
1458 case IKE_ATTRIB_KEY_LENGTH:
1459 if (a->af == isakmp_attr_16)
1460 seen_keylen = a->u.attr_16;
1461 else
1462 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
1463 break;
1464 case IKE_ATTRIB_LIFE_TYPE:
1465 /* lifetime duration MUST follow lifetype attribute */
1466 if (a->next->type == IKE_ATTRIB_LIFE_DURATION) {
1467 lifetime_ike_process(s, a);
1468 } else
1469 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
1470 break;
1471 case IKE_ATTRIB_LIFE_DURATION:
1472 /* already processed above in IKE_ATTRIB_LIFE_TYPE: */
1473 break;
1474 default:
1475 DEBUG(1, printf
1476 ("unknown attribute %d, arborting..\n",
1477 a->type));
1478 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
1479 break;
1480 }
1481 if (!seen_group || !seen_auth || !seen_hash || !seen_enc)
1482 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
1483
1484 if (get_algo(SUPP_ALGO_AUTH, SUPP_ALGO_IKE_SA, seen_auth,
1485 NULL, 0) == NULL)
1486 reject = ISAKMP_N_NO_PROPOSAL_CHOSEN;
1487 if (get_algo(SUPP_ALGO_HASH, SUPP_ALGO_IKE_SA, seen_hash,
1488 NULL, 0) == NULL)
1489 reject = ISAKMP_N_NO_PROPOSAL_CHOSEN;
1490 if (get_algo(SUPP_ALGO_CRYPT, SUPP_ALGO_IKE_SA, seen_enc,
1491 NULL, seen_keylen) == NULL)
1492 reject = ISAKMP_N_NO_PROPOSAL_CHOSEN;
1493
1494 if (reject == 0) {
1495 seen_sa = 1;
1496 s->ike.auth_algo = seen_auth;
1497 s->ike.cry_algo =
1498 get_algo(SUPP_ALGO_CRYPT, SUPP_ALGO_IKE_SA,
1499 seen_enc, NULL, seen_keylen)->my_id;
1500 s->ike.md_algo =
1501 get_algo(SUPP_ALGO_HASH, SUPP_ALGO_IKE_SA,
1502 seen_hash, NULL, 0)->my_id;
1503 s->ike.md_len = gcry_md_get_algo_dlen(s->ike.md_algo);
1504 DEBUG(1, printf("IKE SA selected %s-%s-%s\n",
1505 get_algo(SUPP_ALGO_AUTH,
1506 SUPP_ALGO_IKE_SA, seen_auth,
1507 NULL, 0)->name,
1508 get_algo(SUPP_ALGO_CRYPT,
1509 SUPP_ALGO_IKE_SA, seen_enc,
1510 NULL, seen_keylen)->name,
1511 get_algo(SUPP_ALGO_HASH,
1512 SUPP_ALGO_IKE_SA, seen_hash,
1513 NULL, 0)->name));
1514 if (s->ike.cry_algo == GCRY_CIPHER_DES && !opt_1des) {
1515 error(1, 0, "peer selected (single) DES as \"encryption\" method.\n"
1516 "This algorithm is considered too weak today\n"
1517 "If your vpn concentrator admin still insists on using DES\n"
1518 "use the \"--enable-1des\" option.\n");
1519 }
1520 }
1521 }
1522 break;
1523
1524 case ISAKMP_PAYLOAD_ID:
1525 idp = rp;
1526 break;
1527 case ISAKMP_PAYLOAD_KE:
1528 ke = rp;
1529 break;
1530 case ISAKMP_PAYLOAD_NONCE:
1531 nonce = rp;
1532 break;
1533 case ISAKMP_PAYLOAD_HASH:
1534 hash = rp;
1535 break;
1536 case ISAKMP_PAYLOAD_CERT:
1537 if (rp->u.cert.encoding == ISAKMP_CERT_X509_SIG) {
1538 hex_dump("cert", rp->u.cert.data, rp->u.cert.length, NULL);
1539
1540 ret = crypto_push_cert(cctx,
1541 (const unsigned char *) rp->u.cert.data,
1542 rp->u.cert.length,
1543 &crerr);
1544 if (ret)
1545 crypto_call_error(crerr);
1546 }
1547 break;
1548 case ISAKMP_PAYLOAD_SIG:
1549 sig = rp;
1550 break;
1551 case ISAKMP_PAYLOAD_VID:
1552 if (rp->u.vid.length == sizeof(VID_XAUTH)
1553 && memcmp(rp->u.vid.data, VID_XAUTH,
1554 sizeof(VID_XAUTH)) == 0) {
1555 DEBUG(2, printf("peer is XAUTH capable (draft-ietf-ipsec-isakmp-xauth-06)\n"));
1556 } else if (rp->u.vid.length == sizeof(VID_NATT_RFC)
1557 && memcmp(rp->u.vid.data, VID_NATT_RFC,
1558 sizeof(VID_NATT_RFC)) == 0) {
1559 if (natt_draft < 1) natt_draft = 2;
1560 DEBUG(2, printf("peer is NAT-T capable (RFC 3947)\n"));
1561 } else if (rp->u.vid.length == sizeof(VID_NATT_03)
1562 && memcmp(rp->u.vid.data, VID_NATT_03,
1563 sizeof(VID_NATT_03)) == 0) {
1564 if (natt_draft < 1) natt_draft = 2;
1565 DEBUG(2, printf("peer is NAT-T capable (draft-03)\n"));
1566 } else if (rp->u.vid.length == sizeof(VID_NATT_02N)
1567 && memcmp(rp->u.vid.data, VID_NATT_02N,
1568 sizeof(VID_NATT_02N)) == 0) {
1569 if (natt_draft < 1) natt_draft = 2;
1570 DEBUG(2, printf("peer is NAT-T capable (draft-02)\\n\n")); /* sic! */
1571 } else if (rp->u.vid.length == sizeof(VID_NATT_02)
1572 && memcmp(rp->u.vid.data, VID_NATT_02,
1573 sizeof(VID_NATT_02)) == 0) {
1574 if (natt_draft < 1) natt_draft = 2;
1575 DEBUG(2, printf("peer is NAT-T capable (draft-02)\n"));
1576 } else if (rp->u.vid.length == sizeof(VID_NATT_01)
1577 && memcmp(rp->u.vid.data, VID_NATT_01,
1578 sizeof(VID_NATT_01)) == 0) {
1579 if (natt_draft < 1) natt_draft = 1;
1580 DEBUG(2, printf("peer is NAT-T capable (draft-01)\n"));
1581 } else if (rp->u.vid.length == sizeof(VID_NATT_00)
1582 && memcmp(rp->u.vid.data, VID_NATT_00,
1583 sizeof(VID_NATT_00)) == 0) {
1584 if (natt_draft < 0) natt_draft = 0;
1585 DEBUG(2, printf("peer is NAT-T capable (draft-00)\n"));
1586 } else if (rp->u.vid.length == sizeof(VID_DPD)
1587 && memcmp(rp->u.vid.data, VID_DPD,
1588 sizeof(VID_DPD)) == 0) {
1589 if (s->ike.dpd_idle != 0) {
1590 gcry_create_nonce(&s->ike.dpd_seqno, sizeof(s->ike.dpd_seqno));
1591 s->ike.dpd_seqno &= 0x7FFFFFFF;
1592 s->ike.dpd_seqno_ack = s->ike.dpd_seqno;
1593 s->ike.do_dpd = 1;
1594 DEBUG(2, printf("peer is DPD capable (RFC3706)\n"));
1595 } else {
1596 DEBUG(2, printf("ignoring that peer is DPD capable (RFC3706)\n"));
1597 }
1598 } else if (rp->u.vid.length == sizeof(VID_NETSCREEN_15)
1599 && memcmp(rp->u.vid.data, VID_NETSCREEN_15,
1600 sizeof(VID_NETSCREEN_15)) == 0) {
1601 DEBUG(2, printf("peer is using ScreenOS 5.3, 5.4 or 6.0\n"));
1602 } else if (rp->u.vid.length == sizeof(VID_HEARTBEAT_NOTIFY)
1603 && memcmp(rp->u.vid.data, VID_HEARTBEAT_NOTIFY,
1604 sizeof(VID_HEARTBEAT_NOTIFY)) == 0) {
1605 DEBUG(2, printf("peer sent Heartbeat Notify payload\n"));
1606 } else {
1607 hex_dump("unknown ISAKMP_PAYLOAD_VID",
1608 rp->u.vid.data, rp->u.vid.length, NULL);
1609 }
1610 break;
1611 case ISAKMP_PAYLOAD_NAT_D_OLD:
1612 case ISAKMP_PAYLOAD_NAT_D:
1613 s->ike.natd_type = rp->type;
1614 DEBUG(2, printf("peer is using type %d%s for NAT-Discovery payloads\n",
1615 s->ike.natd_type, val_to_string(s->ike.natd_type, isakmp_payload_enum_array)));
1616 if (!seen_sa) {
1617 reject = ISAKMP_N_INVALID_PAYLOAD_TYPE;
1618 } else if (opt_natt_mode == NATT_NONE) {
1619 ;
1620 } else if (rp->u.natd.length != s->ike.md_len) {
1621 reject = ISAKMP_N_PAYLOAD_MALFORMED;
1622 } else if (seen_natd == 0) {
1623 gcry_md_hd_t hm;
1624 uint16_t n_dst_port = htons(s->ike.dst_port);
1625
1626 s->ike.natd_us = xallocc(s->ike.md_len);
1627 s->ike.natd_them = xallocc(s->ike.md_len);
1628 memcpy(s->ike.natd_us, rp->u.natd.data, s->ike.md_len);
1629 gcry_md_open(&hm, s->ike.md_algo, 0);
1630 gcry_md_write(hm, s->ike.i_cookie, ISAKMP_COOKIE_LENGTH);
1631 gcry_md_write(hm, s->ike.r_cookie, ISAKMP_COOKIE_LENGTH);
1632 gcry_md_write(hm, &s->dst, sizeof(struct in_addr));
1633 gcry_md_write(hm, &n_dst_port, sizeof(uint16_t));
1634 gcry_md_final(hm);
1635 memcpy(s->ike.natd_them, gcry_md_read(hm, 0), s->ike.md_len);
1636 gcry_md_close(hm);
1637 seen_natd = 1;
1638 } else {
1639 if (memcmp(s->ike.natd_them, rp->u.natd.data, s->ike.md_len) == 0)
1640 seen_natd_them = 1;
1641 }
1642 break;
1643 case ISAKMP_PAYLOAD_N:
1644 if (rp->u.n.type == ISAKMP_N_IPSEC_RESPONDER_LIFETIME) {
1645 if (rp->u.n.protocol == ISAKMP_IPSEC_PROTO_ISAKMP)
1646 lifetime_ike_process(s, rp->u.n.attributes);
1647 else if (rp->u.n.protocol == ISAKMP_IPSEC_PROTO_IPSEC_ESP)
1648 lifetime_ipsec_process(s, rp->u.n.attributes);
1649 else
1650 DEBUG(2, printf("got unknown lifetime notice, ignoring..\n"));
1651 } else {
1652 DEBUG(1, printf("rejecting ISAKMP_PAYLOAD_N, type is not lifetime\n"));
1653 reject = ISAKMP_N_INVALID_PAYLOAD_TYPE;
1654 }
1655 break;
1656 default:
1657 DEBUG(1, printf("rejecting invalid payload type %d\n", rp->type));
1658 reject = ISAKMP_N_INVALID_PAYLOAD_TYPE;
1659 break;
1660 }
1661
1662 if (reject == 0) {
1663 gcry_cipher_algo_info(s->ike.cry_algo, GCRYCTL_GET_BLKLEN, NULL, &(s->ike.ivlen));
1664 gcry_cipher_algo_info(s->ike.cry_algo, GCRYCTL_GET_KEYLEN, NULL, &(s->ike.keylen));
1665 }
1666
1667 if (reject == 0 && (ke == NULL || ke->u.ke.length != dh_getlen(s->ike.dh_grp)))
1668 reject = ISAKMP_N_INVALID_KEY_INFORMATION;
1669 if (reject == 0 && nonce == NULL)
1670 reject = ISAKMP_N_INVALID_HASH_INFORMATION;
1671 if (reject != 0)
1672 error(1, 0, "response was invalid [2]: %s(%d)", val_to_string(reject, isakmp_notify_enum_array), reject);
1673 if (reject == 0 && idp == NULL)
1674 reject = ISAKMP_N_INVALID_ID_INFORMATION;
1675
1676 /* Decide if signature or hash is expected (sig only if vpnc is initiator of hybrid-auth */
1677 if (reject == 0 && opt_auth_mode == AUTH_MODE_PSK && (hash == NULL || hash->u.hash.length != s->ike.md_len))
1678 reject = ISAKMP_N_INVALID_HASH_INFORMATION;
1679 if (reject == 0 && sig == NULL &&
1680 (opt_auth_mode == AUTH_MODE_CERT ||
1681 opt_auth_mode == AUTH_MODE_HYBRID))
1682 reject = ISAKMP_N_INVALID_SIGNATURE;
1683 if (reject != 0)
1684 error(1, 0, "response was invalid [3]: %s(%d)", val_to_string(reject, isakmp_notify_enum_array), reject);
1685
1686 /* Determine the shared secret. */
1687 dh_shared_secret = xallocc(dh_getlen(s->ike.dh_grp));
1688 dh_create_shared(s->ike.dh_grp, dh_shared_secret, ke->u.ke.data);
1689 hex_dump("dh_shared_secret", dh_shared_secret, dh_getlen(s->ike.dh_grp), NULL);
1690 /* Generate SKEYID. */
1691 {
1692 gcry_md_open(&skeyid_ctx, s->ike.md_algo, GCRY_MD_FLAG_HMAC);
1693 gcry_md_setkey(skeyid_ctx, shared_key, strlen(shared_key));
1694 gcry_md_write(skeyid_ctx, s->ike.i_nonce, sizeof(s->ike.i_nonce));
1695 gcry_md_write(skeyid_ctx, nonce->u.nonce.data, nonce->u.nonce.length);
1696 gcry_md_final(skeyid_ctx);
1697 psk_skeyid = xallocc(s->ike.md_len);
1698 memcpy(psk_skeyid, gcry_md_read(skeyid_ctx, 0), s->ike.md_len);
1699 if (opt_debug < 99)
1700 DEBUG(3, printf("(not dumping psk hash)\n"));
1701 else
1702 hex_dump("psk_skeyid", psk_skeyid, s->ike.md_len, NULL);
1703 free(psk_skeyid);
1704 gcry_md_close(skeyid_ctx);
1705 DEBUG(99, printf("shared-key: %s\n",shared_key));
1706
1707 /* SKEYID - psk only */
1708 if (s->ike.auth_algo == IKE_AUTH_PRESHARED ||
1709 s->ike.auth_algo == IKE_AUTH_XAUTHInitPreShared ||
1710 s->ike.auth_algo == IKE_AUTH_XAUTHRespPreShared) {
1711 gcry_md_open(&skeyid_ctx, s->ike.md_algo, GCRY_MD_FLAG_HMAC);
1712 gcry_md_setkey(skeyid_ctx, shared_key, strlen(shared_key));
1713 gcry_md_write(skeyid_ctx, s->ike.i_nonce, sizeof(s->ike.i_nonce));
1714 gcry_md_write(skeyid_ctx, nonce->u.nonce.data, nonce->u.nonce.length);
1715 gcry_md_final(skeyid_ctx);
1716 } else if (s->ike.auth_algo == IKE_AUTH_DSS ||
1717 s->ike.auth_algo == IKE_AUTH_RSA_SIG ||
1718 s->ike.auth_algo == IKE_AUTH_ECDSA_SIG ||
1719 s->ike.auth_algo == IKE_AUTH_HybridInitRSA ||
1720 s->ike.auth_algo == IKE_AUTH_HybridRespRSA ||
1721 s->ike.auth_algo == IKE_AUTH_HybridInitDSS ||
1722 s->ike.auth_algo == IKE_AUTH_HybridRespDSS ||
1723 s->ike.auth_algo == IKE_AUTH_XAUTHInitDSS ||
1724 s->ike.auth_algo == IKE_AUTH_XAUTHRespDSS ||
1725 s->ike.auth_algo == IKE_AUTH_XAUTHInitRSA ||
1726 s->ike.auth_algo == IKE_AUTH_XAUTHRespRSA) {
1727 unsigned char *key;
1728 int key_len;
1729 key_len = sizeof(s->ike.i_nonce) + nonce->u.nonce.length;
1730 key = xallocc(key_len);
1731 memcpy(key, s->ike.i_nonce, sizeof(s->ike.i_nonce));
1732 memcpy(key + sizeof(s->ike.i_nonce), nonce->u.nonce.data, nonce->u.nonce.length);
1733 gcry_md_open(&skeyid_ctx, s->ike.md_algo, GCRY_MD_FLAG_HMAC);
1734 gcry_md_setkey(skeyid_ctx, key, key_len);
1735 gcry_md_write(skeyid_ctx, dh_shared_secret, dh_getlen(s->ike.dh_grp));
1736 gcry_md_final(skeyid_ctx);
1737 } else
1738 error(1, 0, "SKEYID could not be computed: %s", "the selected authentication method is not supported");
1739 skeyid = gcry_md_read(skeyid_ctx, 0);
1740 hex_dump("skeyid", skeyid, s->ike.md_len, NULL);
1741 }
1742
1743 /* Verify the hash. */
1744 {
1745 gcry_md_hd_t hm;
1746 unsigned char *expected_hash, *rec_hash;
1747 uint8_t *idp_f;
1748 size_t idp_size;
1749 size_t decr_size = 0;
1750
1751 flatten_isakmp_payload(idp, &idp_f, &idp_size);
1752
1753 gcry_md_open(&hm, s->ike.md_algo, GCRY_MD_FLAG_HMAC);
1754 gcry_md_setkey(hm, skeyid, s->ike.md_len);
1755 gcry_md_write(hm, ke->u.ke.data, ke->u.ke.length);
1756 gcry_md_write(hm, s->ike.dh_public, dh_getlen(s->ike.dh_grp));
1757 gcry_md_write(hm, s->ike.r_cookie, ISAKMP_COOKIE_LENGTH);
1758 gcry_md_write(hm, s->ike.i_cookie, ISAKMP_COOKIE_LENGTH);
1759 gcry_md_write(hm, s->ike.sa_f + 4, s->ike.sa_size - 4);
1760 gcry_md_write(hm, idp_f + 4, idp_size - 4);
1761 gcry_md_final(hm);
1762 expected_hash = gcry_md_read(hm, 0);
1763 hex_dump("expected hash", expected_hash, s->ike.md_len, NULL);
1764
1765 if (opt_auth_mode == AUTH_MODE_PSK) {
1766 if (memcmp(expected_hash, hash->u.hash.data, s->ike.md_len) != 0)
1767 error(2, 0, "hash comparison failed: %s(%d)\ncheck group password!",
1768 val_to_string(ISAKMP_N_AUTHENTICATION_FAILED, isakmp_notify_enum_array),
1769 ISAKMP_N_AUTHENTICATION_FAILED);
1770 hex_dump("received hash", hash->u.hash.data, hash->u.hash.length, NULL);
1771 } else if (opt_auth_mode == AUTH_MODE_CERT ||
1772 opt_auth_mode == AUTH_MODE_HYBRID) {
1773 hex_dump("received signature", sig->u.sig.data, sig->u.sig.length, NULL);
1774
1775 ret = crypto_verify_chain(cctx,
1776 config[CONFIG_CA_FILE],
1777 config[CONFIG_CA_DIR],
1778 &crerr);
1779 if (ret)
1780 crypto_call_error(crerr);
1781
1782 /* Verify signature */
1783 rec_hash = crypto_decrypt_signature (cctx,
1784 sig->u.sig.data,
1785 sig->u.sig.length,
1786 &decr_size,
1787 CRYPTO_PAD_PKCS1,
1788 &crerr);
1789 if (!rec_hash)
1790 crypto_call_error(crerr);
1791
1792 if (decr_size != s->ike.md_len) {
1793 printf("Decrypted-Size: %zd\n",decr_size);
1794 hex_dump(" decr_hash", rec_hash, decr_size, NULL);
1795 hex_dump("expected hash", expected_hash, s->ike.md_len, NULL);
1796
1797 error(2, 0, "The hash-value, which was decrypted from the received signature, and the expected hash-value differ in size.\n");
1798 } else {
1799 if (memcmp(rec_hash, expected_hash, decr_size) != 0) {
1800 printf("Decrypted-Size: %zd\n",decr_size);
1801 hex_dump(" decr_hash", rec_hash, decr_size, NULL);
1802 hex_dump("expected hash", expected_hash, s->ike.md_len, NULL);
1803
1804 error(2, 0, "The hash-value, which was decrypted from the received signature, and the expected hash-value differ.\n");
1805 } else {
1806 DEBUG(3, printf("Signature MATCH!!\n"));
1807 }
1808 }
1809 /* END - Signature Verification */
1810
1811 free(rec_hash);
1812 }
1813
1814 gcry_md_close(hm);
1815
1816 gcry_md_open(&hm, s->ike.md_algo, GCRY_MD_FLAG_HMAC);
1817 gcry_md_setkey(hm, skeyid, s->ike.md_len);
1818 gcry_md_write(hm, s->ike.dh_public, dh_getlen(s->ike.dh_grp));
1819 gcry_md_write(hm, ke->u.ke.data, ke->u.ke.length);
1820 gcry_md_write(hm, s->ike.i_cookie, ISAKMP_COOKIE_LENGTH);
1821 gcry_md_write(hm, s->ike.r_cookie, ISAKMP_COOKIE_LENGTH);
1822 gcry_md_write(hm, s->ike.sa_f + 4, s->ike.sa_size - 4);
1823 gcry_md_write(hm, s->ike.idi_f + 4, s->ike.idi_size - 4);
1824 gcry_md_final(hm);
1825 s->ike.returned_hash = xallocc(s->ike.md_len);
1826 memcpy(s->ike.returned_hash, gcry_md_read(hm, 0), s->ike.md_len);
1827 gcry_md_close(hm);
1828 hex_dump("returned_hash", s->ike.returned_hash, s->ike.md_len, NULL);
1829
1830 /* PRESHARED_KEY_HASH */
1831 gcry_md_open(&hm, s->ike.md_algo, GCRY_MD_FLAG_HMAC);
1832 gcry_md_setkey(hm, skeyid, s->ike.md_len);
1833 gcry_md_write(hm, shared_key, strlen(shared_key));
1834 gcry_md_final(hm);
1835 s->ike.psk_hash = xallocc(s->ike.md_len);
1836 memcpy(s->ike.psk_hash, gcry_md_read(hm, 0), s->ike.md_len);
1837 gcry_md_close(hm);
1838 hex_dump("psk_hash", s->ike.psk_hash, s->ike.md_len, NULL);
1839 /* End PRESHARED_KEY_HASH */
1840
1841 free(s->ike.sa_f);
1842 free(s->ike.idi_f);
1843 free(idp_f);
1844 s->ike.sa_f = NULL;
1845 s->ike.idi_f = NULL;
1846 }
1847
1848 /* Determine all the SKEYID_x keys. */
1849 {
1850 gcry_md_hd_t hm;
1851 int i;
1852 static const unsigned char c012[3] = { 0, 1, 2 };
1853 unsigned char *skeyid_e;
1854 unsigned char *dh_shared_secret;
1855
1856 /* Determine the shared secret. */
1857 dh_shared_secret = xallocc(dh_getlen(s->ike.dh_grp));
1858 dh_create_shared(s->ike.dh_grp, dh_shared_secret, ke->u.ke.data);
1859 hex_dump("dh_shared_secret", dh_shared_secret, dh_getlen(s->ike.dh_grp), NULL);
1860
1861 gcry_md_open(&hm, s->ike.md_algo, GCRY_MD_FLAG_HMAC);
1862 gcry_md_setkey(hm, skeyid, s->ike.md_len);
1863 gcry_md_write(hm, dh_shared_secret, dh_getlen(s->ike.dh_grp));
1864 gcry_md_write(hm, s->ike.i_cookie, ISAKMP_COOKIE_LENGTH);
1865 gcry_md_write(hm, s->ike.r_cookie, ISAKMP_COOKIE_LENGTH);
1866 gcry_md_write(hm, c012 + 0, 1);
1867 gcry_md_final(hm);
1868 if (s->ike.skeyid_d) free(s->ike.skeyid_d);
1869 s->ike.skeyid_d = xallocc(s->ike.md_len);
1870 memcpy(s->ike.skeyid_d, gcry_md_read(hm, 0), s->ike.md_len);
1871 gcry_md_close(hm);
1872 hex_dump("skeyid_d", s->ike.skeyid_d, s->ike.md_len, NULL);
1873
1874 gcry_md_open(&hm, s->ike.md_algo, GCRY_MD_FLAG_HMAC);
1875 gcry_md_setkey(hm, skeyid, s->ike.md_len);
1876 gcry_md_write(hm, s->ike.skeyid_d, s->ike.md_len);
1877 gcry_md_write(hm, dh_shared_secret, dh_getlen(s->ike.dh_grp));
1878 gcry_md_write(hm, s->ike.i_cookie, ISAKMP_COOKIE_LENGTH);
1879 gcry_md_write(hm, s->ike.r_cookie, ISAKMP_COOKIE_LENGTH);
1880 gcry_md_write(hm, c012 + 1, 1);
1881 gcry_md_final(hm);
1882 if (s->ike.skeyid_a) free(s->ike.skeyid_a);
1883 s->ike.skeyid_a = xallocc(s->ike.md_len);
1884 memcpy(s->ike.skeyid_a, gcry_md_read(hm, 0), s->ike.md_len);
1885 gcry_md_close(hm);
1886 hex_dump("skeyid_a", s->ike.skeyid_a, s->ike.md_len, NULL);
1887
1888 gcry_md_open(&hm, s->ike.md_algo, GCRY_MD_FLAG_HMAC);
1889 gcry_md_setkey(hm, skeyid, s->ike.md_len);
1890 gcry_md_write(hm, s->ike.skeyid_a, s->ike.md_len);
1891 gcry_md_write(hm, dh_shared_secret, dh_getlen(s->ike.dh_grp));
1892 gcry_md_write(hm, s->ike.i_cookie, ISAKMP_COOKIE_LENGTH);
1893 gcry_md_write(hm, s->ike.r_cookie, ISAKMP_COOKIE_LENGTH);
1894 gcry_md_write(hm, c012 + 2, 1);
1895 gcry_md_final(hm);
1896 skeyid_e = xallocc(s->ike.md_len);
1897 memcpy(skeyid_e, gcry_md_read(hm, 0), s->ike.md_len);
1898 gcry_md_close(hm);
1899 hex_dump("skeyid_e", skeyid_e, s->ike.md_len, NULL);
1900
1901 memset(dh_shared_secret, 0, sizeof(dh_shared_secret));
1902 free(dh_shared_secret);
1903
1904 /* Determine the IKE encryption key. */
1905 if (s->ike.key) free(s->ike.key);
1906 s->ike.key = xallocc(s->ike.keylen);
1907
1908 if (s->ike.keylen > s->ike.md_len) {
1909 for (i = 0; i * s->ike.md_len < s->ike.keylen; i++) {
1910 gcry_md_open(&hm, s->ike.md_algo, GCRY_MD_FLAG_HMAC);
1911 gcry_md_setkey(hm, skeyid_e, s->ike.md_len);
1912 if (i == 0)
1913 gcry_md_write(hm, "" /* &'\0' */ , 1);
1914 else
1915 gcry_md_write(hm, s->ike.key + (i - 1) * s->ike.md_len,
1916 s->ike.md_len);
1917 gcry_md_final(hm);
1918 memcpy(s->ike.key + i * s->ike.md_len, gcry_md_read(hm, 0),
1919 min(s->ike.md_len, s->ike.keylen - i * s->ike.md_len));
1920 gcry_md_close(hm);
1921 }
1922 } else { /* keylen <= md_len */
1923 memcpy(s->ike.key, skeyid_e, s->ike.keylen);
1924 }
1925 hex_dump("enc-key", s->ike.key, s->ike.keylen, NULL);
1926
1927 memset(skeyid_e, 0, s->ike.md_len);
1928 free(skeyid_e);
1929 }
1930
1931 /* Determine the initial IV. */
1932 {
1933 gcry_md_hd_t hm;
1934
1935 assert(s->ike.ivlen <= s->ike.md_len);
1936 gcry_md_open(&hm, s->ike.md_algo, 0);
1937 gcry_md_write(hm, s->ike.dh_public, dh_getlen(s->ike.dh_grp));
1938 gcry_md_write(hm, ke->u.ke.data, ke->u.ke.length);
1939 gcry_md_final(hm);
1940 if (s->ike.current_iv) free(s->ike.current_iv);
1941 s->ike.current_iv = xallocc(s->ike.ivlen);
1942 memcpy(s->ike.current_iv, gcry_md_read(hm, 0), s->ike.ivlen);
1943 gcry_md_close(hm);
1944 hex_dump("current_iv", s->ike.current_iv, s->ike.ivlen, NULL);
1945 memset(s->ike.current_iv_msgid, 0, 4);
1946 }
1947
1948 gcry_md_close(skeyid_ctx);
1949 crypto_ctx_free(cctx);
1950 free(dh_shared_secret);
1951
1952 /* Determine presence of NAT */
1953 if (s->ike.natd_type != 0) {
1954 seen_natd_us = 0;
1955 /* this could be repeated for any known outbound interfaces */
1956 {
1957 gcry_md_hd_t hm;
1958 uint16_t n_src_port = htons(s->ike.src_port);
1959
1960 gcry_md_open(&hm, s->ike.md_algo, 0);
1961 gcry_md_write(hm, s->ike.i_cookie, ISAKMP_COOKIE_LENGTH);
1962 gcry_md_write(hm, s->ike.r_cookie, ISAKMP_COOKIE_LENGTH);
1963 gcry_md_write(hm, &s->src, sizeof(struct in_addr));
1964 gcry_md_write(hm, &n_src_port, sizeof(uint16_t));
1965 gcry_md_final(hm);
1966 if (memcmp(s->ike.natd_us, gcry_md_read(hm, 0), s->ike.md_len) == 0)
1967 seen_natd_us = 1;
1968 memcpy(s->ike.natd_us, gcry_md_read(hm, 0), s->ike.md_len);
1969 if (opt_natt_mode == NATT_FORCE) {
1970 /* force detection of "this end behind NAT" */
1971 /* by flipping a bit in the nat-detection-hash */
1972 s->ike.natd_us[0] ^= 1;
1973 seen_natd_us = 0;
1974 }
1975 gcry_md_close(hm);
1976 }
1977 /* if there is a NAT, change to port 4500 and select UDP encap */
1978 if (!seen_natd_us || !seen_natd_them) {
1979 DEBUG(1, printf("NAT status: this end behind NAT? %s -- remote end behind NAT? %s\n",
1980 seen_natd_us ? "no" : "YES", seen_natd_them ? "no" : "YES"));
1981 switch (s->ike.natd_type) {
1982 case ISAKMP_PAYLOAD_NAT_D:
1983 s->ipsec.encap_mode = IPSEC_ENCAP_UDP_TUNNEL;
1984 break;
1985 case ISAKMP_PAYLOAD_NAT_D_OLD:
1986 s->ipsec.encap_mode = IPSEC_ENCAP_UDP_TUNNEL_OLD;
1987 break;
1988 default:
1989 abort();
1990 }
1991 if (natt_draft >= 2) {
1992 s->ipsec.natt_active_mode = NATT_ACTIVE_RFC;
1993 close(s->ike_fd);
1994 if (s->ike.src_port == ISAKMP_PORT)
1995 s->ike.src_port = ISAKMP_PORT_NATT;
1996 s->ike_fd = make_socket(s, s->ike.src_port, s->ike.dst_port = ISAKMP_PORT_NATT);
1997 } else {
1998 s->ipsec.natt_active_mode = NATT_ACTIVE_DRAFT_OLD;
1999 }
2000 } else {
2001 DEBUG(1, printf("NAT status: NAT-T VID seen, no NAT device detected\n"));
2002 }
2003 } else {
2004 DEBUG(1, printf("NAT status: no NAT-T VID seen\n"));
2005 }
2006
2007 /* This seems to cause a duplicate free of some data when rekeying:
2008 * *** glibc detected *** vpnc-connect: free(): invalid pointer: 0x09d63ba5
2009 * See also: http://bugs.gentoo.org/show_bug.cgi?id=229003
2010 */
2011 #if 1
2012 free_isakmp_packet(r);
2013 #endif
2014
2015 }
2016 }
2017
2018 static void do_phase1_am_packet3(struct sa_block *s)
2019 {
2020 DEBUGTOP(2, printf("S4.5 AM_packet3\n"));
2021 /* Send final phase 1 packet. */
2022 {
2023 struct isakmp_packet *p2;
2024 uint8_t *p2kt;
2025 size_t p2kt_len;
2026 struct isakmp_payload *pl;
2027
2028 p2 = new_isakmp_packet();
2029 memcpy(p2->i_cookie, s->ike.i_cookie, ISAKMP_COOKIE_LENGTH);
2030 memcpy(p2->r_cookie, s->ike.r_cookie, ISAKMP_COOKIE_LENGTH);
2031 p2->flags = ISAKMP_FLAG_E;
2032 p2->isakmp_version = ISAKMP_VERSION;
2033 p2->exchange_type = ISAKMP_EXCHANGE_AGGRESSIVE;
2034 /* XXX CERT Add id(?), cert and sig here in case of cert auth */
2035 p2->payload = new_isakmp_data_payload(ISAKMP_PAYLOAD_HASH,
2036 s->ike.returned_hash, s->ike.md_len);
2037 p2->payload->next = pl = new_isakmp_payload(ISAKMP_PAYLOAD_N);
2038 pl->u.n.doi = ISAKMP_DOI_IPSEC;
2039 pl->u.n.protocol = ISAKMP_IPSEC_PROTO_ISAKMP;
2040 pl->u.n.type = ISAKMP_N_IPSEC_INITIAL_CONTACT;
2041 pl->u.n.spi_length = 2 * ISAKMP_COOKIE_LENGTH;
2042 pl->u.n.spi = xallocc(2 * ISAKMP_COOKIE_LENGTH);
2043 memcpy(pl->u.n.spi + ISAKMP_COOKIE_LENGTH * 0, s->ike.i_cookie, ISAKMP_COOKIE_LENGTH);
2044 memcpy(pl->u.n.spi + ISAKMP_COOKIE_LENGTH * 1, s->ike.r_cookie, ISAKMP_COOKIE_LENGTH);
2045
2046 /* send PSK-hash if hybrid authentication is negotiated */
2047 if (s->ike.auth_algo == IKE_AUTH_HybridInitRSA ||
2048 s->ike.auth_algo == IKE_AUTH_HybridInitDSS) {
2049 /* Notify - PRESHARED_KEY_HASH */
2050 pl = pl->next = new_isakmp_payload(ISAKMP_PAYLOAD_N);
2051 pl->u.n.doi = ISAKMP_DOI_IPSEC;
2052 pl->u.n.protocol = ISAKMP_IPSEC_PROTO_ISAKMP;
2053 /* Notify Message - Type: PRESHARED_KEY_HASH */
2054 pl->u.n.type = ISAKMP_N_CISCO_PRESHARED_KEY_HASH;
2055 pl->u.n.spi_length = 2 * ISAKMP_COOKIE_LENGTH;
2056 pl->u.n.spi = xallocc(2 * ISAKMP_COOKIE_LENGTH);
2057 memcpy(pl->u.n.spi + ISAKMP_COOKIE_LENGTH * 0,
2058 s->ike.i_cookie, ISAKMP_COOKIE_LENGTH);
2059 memcpy(pl->u.n.spi + ISAKMP_COOKIE_LENGTH * 1,
2060 s->ike.r_cookie, ISAKMP_COOKIE_LENGTH);
2061 pl->u.n.data_length = s->ike.md_len;
2062 pl->u.n.data = xallocc(pl->u.n.data_length);
2063 memcpy(pl->u.n.data, s->ike.psk_hash, pl->u.n.data_length);
2064 /* End Notify - PRESHARED_KEY_HASH */
2065 }
2066 pl = pl->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID,
2067 VID_UNKNOWN, sizeof(VID_UNKNOWN));
2068 pl = pl->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID,
2069 VID_UNITY, sizeof(VID_UNITY));
2070
2071 /* include NAT traversal discovery payloads */
2072 if (s->ike.natd_type != 0) {
2073 pl = pl->next = new_isakmp_data_payload(s->ike.natd_type,
2074 s->ike.natd_them, s->ike.md_len);
2075 pl->next = new_isakmp_data_payload(s->ike.natd_type,
2076 s->ike.natd_us, s->ike.md_len);
2077 free(s->ike.natd_us);
2078 free(s->ike.natd_them);
2079 s->ike.natd_us = NULL;
2080 s->ike.natd_them = NULL;
2081 }
2082
2083 flatten_isakmp_packet(p2, &p2kt, &p2kt_len, s->ike.ivlen);
2084 free_isakmp_packet(p2);
2085 isakmp_crypt(s, p2kt, p2kt_len, 1);
2086
2087 if (s->ike.initial_iv) free(s->ike.initial_iv);
2088 s->ike.initial_iv = xallocc(s->ike.ivlen);
2089 memcpy(s->ike.initial_iv, s->ike.current_iv, s->ike.ivlen);
2090 hex_dump("initial_iv", s->ike.initial_iv, s->ike.ivlen, NULL);
2091
2092 /* Now, send that packet and receive a new one. */
2093 r_length = sendrecv(s, r_packet, sizeof(r_packet), p2kt, p2kt_len, 0);
2094 free(p2kt);
2095 }
2096 }
2097
2098 static void do_phase1_am_cleanup(struct sa_block *s)
2099 {
2100 DEBUGTOP(2, printf("S4.6 cleanup\n"));
2101
2102 free(s->ike.psk_hash);
2103 s->ike.psk_hash = NULL;
2104 free(s->ike.dh_public);
2105 group_free(s->ike.dh_grp);
2106 free(s->ike.returned_hash);
2107 s->ike.returned_hash = NULL;
2108 }
2109
2110 static void do_phase1_am(const char *key_id, const char *shared_key, struct sa_block *s)
2111 {
2112 do_phase1_am_init(s);
2113 do_phase1_am_packet1(s, key_id);
2114 do_phase1_am_packet2(s, shared_key);
2115 do_phase1_am_packet3(s);
2116 do_phase1_am_cleanup(s);
2117 }
2118
2119 static int do_phase2_notice_check(struct sa_block *s, struct isakmp_packet **r_p,
2120 const uint8_t * nonce, size_t nonce_size)
2121 {
2122 int reject = 0;
2123 struct isakmp_packet *r;
2124
2125 while (1) {
2126 reject = unpack_verify_phase2(s, r_packet, r_length, r_p, nonce, nonce_size);
2127 if (reject == ISAKMP_N_INVALID_COOKIE) {
2128 r_length = sendrecv(s, r_packet, sizeof(r_packet), NULL, 0, 0);
2129 continue;
2130 }
2131 if (*r_p == NULL) {
2132 assert(reject != 0);
2133 return reject;
2134 }
2135 r = *r_p;
2136
2137 /* check for notices */
2138 if (r->exchange_type == ISAKMP_EXCHANGE_INFORMATIONAL &&
2139 r->payload->next != NULL) {
2140 if (r->payload->next->type == ISAKMP_PAYLOAD_N) {
2141 if (r->payload->next->u.n.type == ISAKMP_N_CISCO_LOAD_BALANCE) {
2142 /* load balancing notice ==> restart with new gw */
2143 if (r->payload->next->u.n.data_length != 4)
2144 error(1, 0, "malformed loadbalance target");
2145 s->dst = *(struct in_addr *)r->payload->next->u.n.data;
2146 s->ike.dst_port = ISAKMP_PORT;
2147 s->ipsec.encap_mode = IPSEC_ENCAP_TUNNEL;
2148 s->ipsec.natt_active_mode = NATT_ACTIVE_NONE;
2149 if (s->ike.src_port == ISAKMP_PORT_NATT)
2150 s->ike.src_port = ISAKMP_PORT;
2151 close(s->ike_fd);
2152 s->ike_fd = make_socket(s, s->ike.src_port, s->ike.dst_port);
2153 DEBUG(2, printf("got cisco loadbalancing notice, diverting to %s\n",
2154 inet_ntoa(s->dst)));
2155 return -1;
2156 } else if (r->payload->next->u.n.type == ISAKMP_N_IPSEC_RESPONDER_LIFETIME) {
2157 if (r->payload->next->u.n.protocol == ISAKMP_IPSEC_PROTO_ISAKMP)
2158 lifetime_ike_process(s, r->payload->next->u.n.attributes);
2159 else if (r->payload->next->u.n.protocol == ISAKMP_IPSEC_PROTO_IPSEC_ESP)
2160 lifetime_ipsec_process(s, r->payload->next->u.n.attributes);
2161 else
2162 DEBUG(2, printf("got unknown lifetime notice, ignoring..\n"));
2163 r_length = sendrecv(s, r_packet, sizeof(r_packet), NULL, 0, 0);
2164 continue;
2165 } else if (r->payload->next->u.n.type == ISAKMP_N_IPSEC_INITIAL_CONTACT) {
2166 /* why in hell do we get this?? */
2167 DEBUG(2, printf("got initial contact notice, ignoring..\n"));
2168 r_length = sendrecv(s, r_packet, sizeof(r_packet), NULL, 0, 0);
2169 continue;
2170 } else {
2171 /* whatever */
2172 printf("received notice of type %s(%d), giving up\n",
2173 val_to_string(r->payload->next->u.n.type, isakmp_notify_enum_array),
2174 r->payload->next->u.n.type);
2175 return reject;
2176 }
2177 }
2178 if (r->payload->next->type == ISAKMP_PAYLOAD_D) {
2179 /* delete notice ==> ignore */
2180 DEBUG(2, printf("got delete for old connection, ignoring..\n"));
2181 r_length = sendrecv(s, r_packet, sizeof(r_packet), NULL, 0, 0);
2182 continue;
2183 }
2184 }
2185
2186 break;
2187 }
2188 return reject;
2189 }
2190
2191 static int do_phase2_xauth(struct sa_block *s)
2192 {
2193 struct isakmp_packet *r = NULL;
2194 int loopcount;
2195 int reject;
2196 int passwd_used = 0;
2197
2198 DEBUGTOP(2, printf("S5.1 xauth_request\n"));
2199 /* This can go around for a while. */
2200 for (loopcount = 0;; loopcount++) {
2201 struct isakmp_payload *rp;
2202 struct isakmp_attribute *a, *ap, *reply_attr, *last_reply_attr;
2203 char ntop_buf[32];
2204 int seen_answer = 0;
2205
2206 DEBUGTOP(2, printf("S5.2 notice_check\n"));
2207
2208 /* recv and check for notices */
2209 if (r) free_isakmp_packet(r);
2210 r = NULL;
2211 reject = do_phase2_notice_check(s, &r, NULL, 0);
2212 if (reject == -1) {
2213 if (r) free_isakmp_packet(r);
2214 return 1;
2215 }
2216
2217 DEBUGTOP(2, printf("S5.3 type-is-xauth check\n"));
2218 /* Check the transaction type is OK. */
2219 if (reject == 0 && r->exchange_type != ISAKMP_EXCHANGE_MODECFG_TRANSACTION)
2220 reject = ISAKMP_N_INVALID_EXCHANGE_TYPE;
2221
2222 /* After the hash, expect an attribute block. */
2223 if (reject == 0
2224 && (r->payload->next == NULL
2225 || r->payload->next->next != NULL
2226 || r->payload->next->type != ISAKMP_PAYLOAD_MODECFG_ATTR))
2227 reject = ISAKMP_N_INVALID_PAYLOAD_TYPE;
2228
2229 if (reject == 0 && r->payload->next->u.modecfg.type == ISAKMP_MODECFG_CFG_SET) {
2230 /* OK, the server has finished requesting information, go for the final set/ack */
2231 break;
2232 }
2233
2234 if (reject == 0 && r->payload->next->u.modecfg.type != ISAKMP_MODECFG_CFG_REQUEST)
2235 reject = ISAKMP_N_INVALID_PAYLOAD_TYPE;
2236
2237 if (reject != 0)
2238 phase2_fatal(s, "expected xauth packet; rejected: %s(%d)", reject);
2239
2240 DEBUGTOP(2, printf("S5.4 xauth type check\n"));
2241 a = r->payload->next->u.modecfg.attributes;
2242 /* First, print any messages, and verify that we understand the
2243 * conversation. This looks for any place were input is
2244 * required - in these cases, we need to print the prompt
2245 * regardless of whether the user requested interactive mode
2246 * or not. */
2247 for (ap = a; ap && seen_answer == 0; ap = ap->next)
2248 if (ap->type == ISAKMP_XAUTH_06_ATTRIB_ANSWER
2249 || ap->type == ISAKMP_XAUTH_06_ATTRIB_NEXT_PIN
2250 /* || ap->type == ISAKMP_XAUTH_06_ATTRIB_PASSCODE */)
2251 seen_answer = 1;
2252
2253 for (ap = a; ap && reject == 0; ap = ap->next)
2254 switch (ap->type) {
2255 case ISAKMP_XAUTH_06_ATTRIB_TYPE:
2256 if (ap->af != isakmp_attr_16 || ap->u.attr_16 != 0)
2257 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
2258 break;
2259 case ISAKMP_XAUTH_06_ATTRIB_USER_NAME:
2260 case ISAKMP_XAUTH_06_ATTRIB_USER_PASSWORD:
2261 case ISAKMP_XAUTH_06_ATTRIB_PASSCODE:
2262 case ISAKMP_XAUTH_06_ATTRIB_DOMAIN:
2263 case ISAKMP_XAUTH_06_ATTRIB_ANSWER:
2264 case ISAKMP_XAUTH_06_ATTRIB_NEXT_PIN:
2265 case ISAKMP_XAUTH_ATTRIB_CISCOEXT_VENDOR:
2266 case ISAKMP_MODECFG_ATTRIB_CISCO_UNKNOWN_0X0015:
2267 break;
2268 case ISAKMP_XAUTH_06_ATTRIB_MESSAGE:
2269 if (opt_debug || seen_answer || config[CONFIG_XAUTH_INTERACTIVE]) {
2270 if (ap->af == isakmp_attr_16)
2271 printf("%c%c\n", ap->u.attr_16 >> 8, ap->u.attr_16);
2272 else
2273 printf("%.*s%s", ap->u.lots.length, ap->u.lots.data,
2274 ((ap->u.lots.data
2275 && ap->u.lots.data[ap->u.
2276 lots.length - 1] !=
2277 '\n')
2278 ? "\n" : ""));
2279 }
2280 break;
2281 default:
2282 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
2283 }
2284 if (reject != 0)
2285 phase2_fatal(s, "xauth packet unsupported: %s(%d)", reject);
2286
2287 DEBUGTOP(2, printf("S5.5 do xauth reply\n"));
2288 inet_ntop(AF_INET, &s->dst, ntop_buf, sizeof(ntop_buf));
2289
2290 /* Collect data from the user. */
2291 reply_attr = last_reply_attr = NULL;
2292 for (ap = a; ap && reject == 0; ap = ap->next) {
2293 struct isakmp_attribute *na = NULL;
2294
2295 switch (ap->type) {
2296 case ISAKMP_XAUTH_06_ATTRIB_TYPE:
2297 case ISAKMP_MODECFG_ATTRIB_CISCO_UNKNOWN_0X0015:
2298 {
2299 na = new_isakmp_attribute_16(ap->type, ap->u.attr_16, NULL);
2300 break;
2301 }
2302 case ISAKMP_XAUTH_06_ATTRIB_DOMAIN:
2303 na = new_isakmp_attribute(ap->type, NULL);
2304 if (!config[CONFIG_DOMAIN])
2305 error(1, 0,
2306 "server requested domain, but none set (use \"Domain ...\" in config or --domain");
2307 na->u.lots.length = strlen(config[CONFIG_DOMAIN]);
2308 na->u.lots.data = xallocc(na->u.lots.length);
2309 memcpy(na->u.lots.data, config[CONFIG_DOMAIN],
2310 na->u.lots.length);
2311 break;
2312 case ISAKMP_XAUTH_06_ATTRIB_USER_NAME:
2313 {
2314 na = new_isakmp_attribute(ap->type, NULL);
2315 na->u.lots.length = strlen(config[CONFIG_XAUTH_USERNAME]);
2316 na->u.lots.data = xallocc(na->u.lots.length);
2317 memcpy(na->u.lots.data, config[CONFIG_XAUTH_USERNAME],
2318 na->u.lots.length);
2319 break;
2320 }
2321 case ISAKMP_XAUTH_06_ATTRIB_ANSWER:
2322 case ISAKMP_XAUTH_06_ATTRIB_USER_PASSWORD:
2323 case ISAKMP_XAUTH_06_ATTRIB_PASSCODE:
2324 case ISAKMP_XAUTH_06_ATTRIB_NEXT_PIN:
2325 if (passwd_used && config[CONFIG_NON_INTERACTIVE]) {
2326 reject = ISAKMP_N_AUTHENTICATION_FAILED;
2327 phase2_fatal(s, "noninteractive can't reuse password", reject);
2328 error(2, 0, "authentication failed (requires interactive mode)");
2329 } else if (seen_answer || passwd_used || config[CONFIG_XAUTH_INTERACTIVE]) {
2330 char *pass, *prompt = NULL;
2331
2332 asprintf(&prompt, "%s for VPN %s@%s: ",
2333 (ap->type == ISAKMP_XAUTH_06_ATTRIB_ANSWER) ?
2334 "Answer" :
2335 (ap->type == ISAKMP_XAUTH_06_ATTRIB_USER_PASSWORD) ?
2336 "Password" : "Passcode",
2337 config[CONFIG_XAUTH_USERNAME], ntop_buf);
2338 pass = vpnc_getpass(prompt);
2339 free(prompt);
2340 if (pass == NULL)
2341 error(2, 0, "unable to get password");
2342
2343 na = new_isakmp_attribute(ap->type, NULL);
2344 na->u.lots.length = strlen(pass);
2345 na->u.lots.data = xallocc(na->u.lots.length);
2346 memcpy(na->u.lots.data, pass, na->u.lots.length);
2347 memset(pass, 0, na->u.lots.length);
2348 free(pass);
2349 } else {
2350 na = new_isakmp_attribute(ap->type, NULL);
2351 na->u.lots.length = strlen(config[CONFIG_XAUTH_PASSWORD]);
2352 na->u.lots.data = xallocc(na->u.lots.length);
2353 memcpy(na->u.lots.data, config[CONFIG_XAUTH_PASSWORD],
2354 na->u.lots.length);
2355 passwd_used = 1; /* Provide canned password at most once */
2356 }
2357 break;
2358 default:
2359 ;
2360 }
2361 if (na == NULL)
2362 continue;
2363 if (last_reply_attr != NULL) {
2364 last_reply_attr->next = na;
2365 last_reply_attr = na;
2366 } else {
2367 last_reply_attr = reply_attr = na;
2368 }
2369 }
2370
2371 /* Send the response. */
2372 rp = new_isakmp_payload(ISAKMP_PAYLOAD_MODECFG_ATTR);
2373 rp->u.modecfg.type = ISAKMP_MODECFG_CFG_REPLY;
2374 rp->u.modecfg.id = r->payload->next->u.modecfg.id;
2375 rp->u.modecfg.attributes = reply_attr;
2376 sendrecv_phase2(s, rp, ISAKMP_EXCHANGE_MODECFG_TRANSACTION,
2377 r->message_id, 0, 0, 0, 0, 0);
2378
2379 }
2380
2381 if ((opt_vendor == VENDOR_NETSCREEN) &&
2382 (r->payload->next->u.modecfg.type == ISAKMP_MODECFG_CFG_SET)) {
2383 struct isakmp_attribute *a = r->payload->next->u.modecfg.attributes;
2384
2385 DEBUGTOP(2, printf("S5.5.1 do netscreen modecfg extra\n"));
2386
2387 do_config_to_env(s, a);
2388
2389 for (; a; a = a->next)
2390 if(a->af == isakmp_attr_lots)
2391 a->u.lots.length = 0;
2392
2393 r->payload->next->u.modecfg.type = ISAKMP_MODECFG_CFG_ACK;
2394 sendrecv_phase2(s, r->payload->next,
2395 ISAKMP_EXCHANGE_MODECFG_TRANSACTION,
2396 r->message_id, 0, 0, 0, 0, 0);
2397
2398 reject = do_phase2_notice_check(s, &r, NULL, 0);
2399 if (reject == -1) {
2400 free_isakmp_packet(r);
2401 return 1;
2402 }
2403 }
2404
2405 DEBUGTOP(2, printf("S5.6 process xauth set\n"));
2406 {
2407 /* The final SET should have just one attribute. */
2408 struct isakmp_attribute *a = r->payload->next->u.modecfg.attributes;
2409 uint16_t set_result = 1;
2410
2411 if (a == NULL
2412 || a->type != ISAKMP_XAUTH_06_ATTRIB_STATUS
2413 || a->af != isakmp_attr_16 || a->next != NULL) {
2414 reject = ISAKMP_N_INVALID_PAYLOAD_TYPE;
2415 phase2_fatal(s, "xauth SET message rejected: %s(%d)", reject);
2416 } else {
2417 set_result = a->u.attr_16;
2418 }
2419
2420 /* ACK the SET. */
2421 DEBUGTOP(2, printf("S5.7 send xauth ack\n"));
2422 r->payload->next->u.modecfg.type = ISAKMP_MODECFG_CFG_ACK;
2423 sendrecv_phase2(s, r->payload->next, ISAKMP_EXCHANGE_MODECFG_TRANSACTION,
2424 r->message_id, 1, 0, 0, 0, 0);
2425 r->payload->next = NULL; /* this part is already free()d by sendrecv_phase2 */
2426 free_isakmp_packet(r); /* this frees the received set packet (header+hash) */
2427
2428 if (set_result == 0)
2429 error(2, 0, "authentication unsuccessful");
2430 }
2431 DEBUGTOP(2, printf("S5.8 xauth done\n"));
2432 return 0;
2433 }
2434
2435 static int do_phase2_config(struct sa_block *s)
2436 {
2437 struct isakmp_payload *rp;
2438 struct isakmp_attribute *a;
2439 struct isakmp_packet *r;
2440 struct utsname uts;
2441 uint32_t msgid;
2442 int reject;
2443
2444 uname(&uts);
2445
2446 gcry_create_nonce((uint8_t *) & msgid, sizeof(msgid));
2447 if (msgid == 0)
2448 msgid = 1;
2449
2450 rp = new_isakmp_payload(ISAKMP_PAYLOAD_MODECFG_ATTR);
2451 rp->u.modecfg.type = ISAKMP_MODECFG_CFG_REQUEST;
2452 rp->u.modecfg.id = 20;
2453 a = NULL;
2454
2455 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_APPLICATION_VERSION, a);
2456 a->u.lots.length = strlen(config[CONFIG_VERSION]);
2457 a->u.lots.data = xallocc(a->u.lots.length);
2458 memcpy(a->u.lots.data, config[CONFIG_VERSION], a->u.lots.length);
2459
2460 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_CISCO_DDNS_HOSTNAME, a);
2461 a->u.lots.length = strlen(uts.nodename);
2462 a->u.lots.data = xallocc(a->u.lots.length);
2463 memcpy(a->u.lots.data, uts.nodename, a->u.lots.length);
2464
2465 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_CISCO_SPLIT_DNS, a);
2466 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_CISCO_SPLIT_INC, a);
2467 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_CISCO_SAVE_PW, a);
2468
2469 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_CISCO_BANNER, a);
2470 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_CISCO_DO_PFS, a);
2471 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_CISCO_FW_TYPE, a);
2472 a->u.lots.length = sizeof(FW_UNKNOWN_TYPEINFO);
2473 a->u.lots.data = xallocc(a->u.lots.length);
2474 memcpy(a->u.lots.data, FW_UNKNOWN_TYPEINFO, a->u.lots.length);
2475 if (opt_natt_mode == NATT_CISCO_UDP)
2476 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_CISCO_UDP_ENCAP_PORT, a);
2477 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_CISCO_DEF_DOMAIN, a);
2478 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_INTERNAL_IP4_NBNS, a);
2479 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_INTERNAL_IP4_DNS, a);
2480 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_INTERNAL_IP4_NETMASK, a);
2481 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_INTERNAL_IP4_ADDRESS, a);
2482
2483 rp->u.modecfg.attributes = a;
2484 DEBUGTOP(2, printf("S6.1 phase2_config send modecfg\n"));
2485 sendrecv_phase2(s, rp, ISAKMP_EXCHANGE_MODECFG_TRANSACTION, msgid, 0, 0, 0, 0, 0);
2486
2487 DEBUGTOP(2, printf("S6.2 phase2_config receive modecfg\n"));
2488 /* recv and check for notices */
2489 reject = do_phase2_notice_check(s, &r, NULL, 0);
2490 if (reject == -1) {
2491 if (r) free_isakmp_packet(r);
2492 return 1;
2493 }
2494
2495 /* Check the transaction type & message ID are OK. */
2496 if (reject == 0 && r->message_id != msgid)
2497 reject = ISAKMP_N_INVALID_MESSAGE_ID;
2498 if (reject == 0 && r->exchange_type != ISAKMP_EXCHANGE_MODECFG_TRANSACTION)
2499 reject = ISAKMP_N_INVALID_EXCHANGE_TYPE;
2500
2501 /* After the hash, expect an attribute block. */
2502 if (reject == 0
2503 && (r->payload->next == NULL
2504 || r->payload->next->next != NULL
2505 || r->payload->next->type != ISAKMP_PAYLOAD_MODECFG_ATTR
2506 #if 0
2507 || r->payload->next->u.modecfg.id != 20
2508 #endif
2509 || r->payload->next->u.modecfg.type != ISAKMP_MODECFG_CFG_REPLY))
2510 reject = ISAKMP_N_PAYLOAD_MALFORMED;
2511
2512 if (reject != 0)
2513 phase2_fatal(s, "configuration response rejected: %s(%d)", reject);
2514
2515 if (reject == 0)
2516 reject = do_config_to_env(s, r->payload->next->u.modecfg.attributes);
2517
2518 if (reject != 0)
2519 phase2_fatal(s, "configuration response rejected: %s(%d)", reject);
2520
2521 DEBUG(1, printf("got address %s\n", getenv("INTERNAL_IP4_ADDRESS")));
2522 free_isakmp_packet(r);
2523 return 0;
2524 }
2525
2526 static struct isakmp_attribute *make_transform_ipsec(struct sa_block *s, int dh_group, int hash, int keylen)
2527 {
2528 struct isakmp_attribute *a = NULL;
2529
2530 a = new_isakmp_attribute(ISAKMP_IPSEC_ATTRIB_SA_LIFE_DURATION, a);
2531 a->af = isakmp_attr_lots;
2532 a->u.lots.length = 4;
2533 a->u.lots.data = xallocc(a->u.lots.length);
2534 *((uint32_t *) a->u.lots.data) = htonl(2147483);
2535 a = new_isakmp_attribute_16(ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE, IPSEC_LIFE_SECONDS, a);
2536
2537 if (dh_group)
2538 a = new_isakmp_attribute_16(ISAKMP_IPSEC_ATTRIB_GROUP_DESC, dh_group, a);
2539 a = new_isakmp_attribute_16(ISAKMP_IPSEC_ATTRIB_AUTH_ALG, hash, a);
2540 a = new_isakmp_attribute_16(ISAKMP_IPSEC_ATTRIB_ENCAP_MODE, s->ipsec.encap_mode, a);
2541 if (keylen != 0)
2542 a = new_isakmp_attribute_16(ISAKMP_IPSEC_ATTRIB_KEY_LENGTH, keylen, a);
2543
2544 return a;
2545 }
2546
2547 static struct isakmp_payload *make_our_sa_ipsec(struct sa_block *s)
2548 {
2549 struct isakmp_payload *r;
2550 struct isakmp_payload *p = NULL, *pn;
2551 struct isakmp_attribute *a;
2552 int dh_grp = get_dh_group_ipsec(s->ipsec.do_pfs)->ipsec_sa_id;
2553 unsigned int crypt, hash, keylen;
2554 int i;
2555
2556 r = new_isakmp_payload(ISAKMP_PAYLOAD_SA);
2557 r->u.sa.doi = ISAKMP_DOI_IPSEC;
2558 r->u.sa.situation = ISAKMP_IPSEC_SIT_IDENTITY_ONLY;
2559 for (crypt = 0; supp_crypt[crypt].name != NULL; crypt++) {
2560 keylen = supp_crypt[crypt].keylen;
2561 for (hash = 0; supp_hash[hash].name != NULL; hash++) {
2562 pn = p;
2563 p = new_isakmp_payload(ISAKMP_PAYLOAD_P);
2564 p->u.p.spi_size = 4;
2565 p->u.p.spi = xallocc(4);
2566 /* The sadb_sa_spi field is already in network order. */
2567 memcpy(p->u.p.spi, &s->ipsec.rx.spi, 4);
2568 p->u.p.prot_id = ISAKMP_IPSEC_PROTO_IPSEC_ESP;
2569 p->u.p.transforms = new_isakmp_payload(ISAKMP_PAYLOAD_T);
2570 p->u.p.transforms->u.t.id = supp_crypt[crypt].ipsec_sa_id;
2571 a = make_transform_ipsec(s, dh_grp, supp_hash[hash].ipsec_sa_id, keylen);
2572 p->u.p.transforms->u.t.attributes = a;
2573 p->next = pn;
2574 }
2575 }
2576 for (i = 0, pn = p; pn; pn = pn->next)
2577 pn->u.p.number = i++;
2578 r->u.sa.proposals = p;
2579 return r;
2580 }
2581
2582 static void do_phase2_qm(struct sa_block *s)
2583 {
2584 struct isakmp_payload *rp, *us, *ke = NULL, *them, *nonce_r = NULL;
2585 struct isakmp_packet *r;
2586 struct group *dh_grp = NULL;
2587 uint32_t msgid;
2588 int reject;
2589 uint8_t nonce_i[20], *dh_public = NULL;
2590
2591 DEBUGTOP(2, printf("S7.1 QM_packet1\n"));
2592 /* Set up the Diffie-Hellman stuff. */
2593 if (get_dh_group_ipsec(s->ipsec.do_pfs)->my_id) {
2594 dh_grp = group_get(get_dh_group_ipsec(s->ipsec.do_pfs)->my_id);
2595 DEBUG(3, printf("len = %d\n", dh_getlen(dh_grp)));
2596 dh_public = xallocc(dh_getlen(dh_grp));
2597 dh_create_exchange(dh_grp, dh_public);
2598 hex_dump("dh_public", dh_public, dh_getlen(dh_grp), NULL);
2599 }
2600
2601 gcry_create_nonce((uint8_t *) & s->ipsec.rx.spi, sizeof(s->ipsec.rx.spi));
2602 rp = make_our_sa_ipsec(s); /* FIXME: LEAK: allocated memory never freed */
2603 gcry_create_nonce((uint8_t *) nonce_i, sizeof(nonce_i));
2604 rp->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_NONCE, nonce_i, sizeof(nonce_i));
2605
2606 us = new_isakmp_payload(ISAKMP_PAYLOAD_ID);
2607 us->u.id.type = ISAKMP_IPSEC_ID_IPV4_ADDR;
2608 us->u.id.length = 4;
2609 us->u.id.data = xallocc(4);
2610 memcpy(us->u.id.data, &s->our_address, sizeof(struct in_addr));
2611 them = new_isakmp_payload(ISAKMP_PAYLOAD_ID);
2612 them->u.id.type = ISAKMP_IPSEC_ID_IPV4_ADDR_SUBNET;
2613 them->u.id.length = 8;
2614 them->u.id.data = xallocc(8);
2615 init_netaddr((struct in_addr *)them->u.id.data,
2616 config[CONFIG_IPSEC_TARGET_NETWORK]);
2617 us->next = them;
2618 s->ipsec.life.start = time(NULL);
2619
2620 if (!dh_grp) {
2621 rp->next->next = us;
2622 } else {
2623 rp->next->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_KE,
2624 dh_public, dh_getlen(dh_grp));
2625 rp->next->next->next = us;
2626 }
2627
2628 gcry_create_nonce((uint8_t *) & msgid, sizeof(msgid));
2629 if (msgid == 0)
2630 msgid = 1;
2631
2632 DEBUGTOP(2, printf("S7.2 QM_packet2 send_receive\n"));
2633 sendrecv_phase2(s, rp, ISAKMP_EXCHANGE_IKE_QUICK,
2634 msgid, 0, 0, 0, 0, 0);
2635
2636 DEBUGTOP(2, printf("S7.3 QM_packet2 validate type\n"));
2637 reject = do_phase2_notice_check(s, &r, nonce_i, sizeof(nonce_i)); /* FIXME: LEAK */
2638
2639 /* Check the transaction type & message ID are OK. */
2640 if (reject == 0 && r->message_id != msgid)
2641 reject = ISAKMP_N_INVALID_MESSAGE_ID;
2642
2643 if (reject == 0 && r->exchange_type != ISAKMP_EXCHANGE_IKE_QUICK)
2644 reject = ISAKMP_N_INVALID_EXCHANGE_TYPE;
2645
2646 /* The SA payload must be second. */
2647 if (reject == 0 && r->payload->next->type != ISAKMP_PAYLOAD_SA)
2648 reject = ISAKMP_N_INVALID_PAYLOAD_TYPE;
2649
2650 DEBUGTOP(2, printf("S7.5 QM_packet2 check reject offer\n"));
2651 if (reject != 0)
2652 phase2_fatal(s, "quick mode response rejected: %s(%d)\n"
2653 "this means the concentrator did not like what we had to offer.\n"
2654 "Possible reasons are:\n"
2655 " * concentrator configured to require a firewall\n"
2656 " this locks out even Cisco clients on any platform except windows\n"
2657 " which is an obvious security improvement. There is no workaround (yet).\n"
2658 " * concentrator configured to require IP compression\n"
2659 " this is not yet supported by vpnc.\n"
2660 " Note: the Cisco Concentrator Documentation recommends against using\n"
2661 " compression, except on low-bandwith (read: ISDN) links, because it\n"
2662 " uses much CPU-resources on the concentrator\n",
2663 reject);
2664
2665 DEBUGTOP(2, printf("S7.6 QM_packet2 check and process proposal\n"));
2666 for (rp = r->payload->next; rp && reject == 0; rp = rp->next)
2667 switch (rp->type) {
2668 case ISAKMP_PAYLOAD_SA:
2669 if (reject == 0 && rp->u.sa.doi != ISAKMP_DOI_IPSEC)
2670 reject = ISAKMP_N_DOI_NOT_SUPPORTED;
2671 if (reject == 0 && rp->u.sa.situation != ISAKMP_IPSEC_SIT_IDENTITY_ONLY)
2672 reject = ISAKMP_N_SITUATION_NOT_SUPPORTED;
2673 if (reject == 0 &&
2674 (rp->u.sa.proposals == NULL || rp->u.sa.proposals->next != NULL))
2675 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2676 if (reject == 0 &&
2677 rp->u.sa.proposals->u.p.prot_id != ISAKMP_IPSEC_PROTO_IPSEC_ESP)
2678 reject = ISAKMP_N_INVALID_PROTOCOL_ID;
2679 if (reject == 0 && rp->u.sa.proposals->u.p.spi_size != 4)
2680 reject = ISAKMP_N_INVALID_SPI;
2681 if (reject == 0 &&
2682 (rp->u.sa.proposals->u.p.transforms == NULL
2683 || rp->u.sa.proposals->u.p.transforms->next != NULL))
2684 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2685 if (reject == 0) {
2686 struct isakmp_attribute *a
2687 = rp->u.sa.proposals->u.p.transforms->u.t.attributes;
2688 int seen_enc = rp->u.sa.proposals->u.p.transforms->u.t.id;
2689 int seen_auth = 0, seen_encap = 0, seen_group = 0, seen_keylen = 0;
2690
2691 memcpy(&s->ipsec.tx.spi, rp->u.sa.proposals->u.p.spi, 4);
2692
2693 for (; a && reject == 0; a = a->next)
2694 switch (a->type) {
2695 case ISAKMP_IPSEC_ATTRIB_AUTH_ALG:
2696 if (a->af == isakmp_attr_16)
2697 seen_auth = a->u.attr_16;
2698 else
2699 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2700 break;
2701 case ISAKMP_IPSEC_ATTRIB_ENCAP_MODE:
2702 if (a->af == isakmp_attr_16 &&
2703 a->u.attr_16 == s->ipsec.encap_mode)
2704 seen_encap = 1;
2705 else
2706 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2707 break;
2708 case ISAKMP_IPSEC_ATTRIB_GROUP_DESC:
2709 if (dh_grp &&
2710 a->af == isakmp_attr_16 &&
2711 a->u.attr_16 ==
2712 get_dh_group_ipsec(s->ipsec.do_pfs)->ipsec_sa_id)
2713 seen_group = 1;
2714 else
2715 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2716 break;
2717 case ISAKMP_IPSEC_ATTRIB_KEY_LENGTH:
2718 if (a->af == isakmp_attr_16)
2719 seen_keylen = a->u.attr_16;
2720 else
2721 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2722 break;
2723 case ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE:
2724 /* lifetime duration MUST follow lifetype attribute */
2725 if (a->next->type == ISAKMP_IPSEC_ATTRIB_SA_LIFE_DURATION) {
2726 lifetime_ipsec_process(s, a);
2727 } else
2728 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2729 break;
2730 case ISAKMP_IPSEC_ATTRIB_SA_LIFE_DURATION:
2731 /* already processed above in ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE: */
2732 break;
2733 default:
2734 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
2735 break;
2736 }
2737 if (reject == 0 && (!seen_auth || !seen_encap ||
2738 (dh_grp && !seen_group)))
2739 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2740
2741 if (reject == 0
2742 && get_algo(SUPP_ALGO_HASH, SUPP_ALGO_IPSEC_SA, seen_auth,
2743 NULL, 0) == NULL)
2744 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2745 if (reject == 0
2746 && get_algo(SUPP_ALGO_CRYPT, SUPP_ALGO_IPSEC_SA, seen_enc,
2747 NULL, seen_keylen) == NULL)
2748 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2749
2750 if (reject == 0) {
2751 s->ipsec.cry_algo =
2752 get_algo(SUPP_ALGO_CRYPT, SUPP_ALGO_IPSEC_SA,
2753 seen_enc, NULL, seen_keylen)->my_id;
2754 s->ipsec.md_algo =
2755 get_algo(SUPP_ALGO_HASH, SUPP_ALGO_IPSEC_SA,
2756 seen_auth, NULL, 0)->my_id;
2757 if (s->ipsec.cry_algo) {
2758 gcry_cipher_algo_info(s->ipsec.cry_algo, GCRYCTL_GET_KEYLEN, NULL, &(s->ipsec.key_len));
2759 gcry_cipher_algo_info(s->ipsec.cry_algo, GCRYCTL_GET_BLKLEN, NULL, &(s->ipsec.blk_len));
2760 s->ipsec.iv_len = s->ipsec.blk_len;
2761 } else {
2762 s->ipsec.key_len = 0;
2763 s->ipsec.iv_len = 0;
2764 s->ipsec.blk_len = 8; /* seems to be this without encryption... */
2765 }
2766 s->ipsec.md_len = gcry_md_get_algo_dlen(s->ipsec.md_algo);
2767 DEBUG(1, printf("IPSEC SA selected %s-%s\n",
2768 get_algo(SUPP_ALGO_CRYPT,
2769 SUPP_ALGO_IPSEC_SA, seen_enc, NULL,
2770 seen_keylen)->name,
2771 get_algo(SUPP_ALGO_HASH, SUPP_ALGO_IPSEC_SA,
2772 seen_auth, NULL, 0)->name));
2773 if (s->ipsec.cry_algo == GCRY_CIPHER_DES && !opt_1des) {
2774 error(1, 0, "peer selected (single) DES as \"encrytion\" method.\n"
2775 "This algorithm is considered too weak today\n"
2776 "If your vpn concentrator admin still insists on using DES\n"
2777 "use the \"--enable-1des\" option.\n");
2778 } else if (s->ipsec.cry_algo == GCRY_CIPHER_NONE && !opt_no_encryption) {
2779 error(1, 0, "peer selected NULL as \"encrytion\" method.\n"
2780 "This is _no_ encryption at all.\n"
2781 "Your traffic is still protected against modification with %s\n"
2782 "If your vpn concentrator admin still insists on not using encryption\n"
2783 "use the \"--enable-no-encryption\" option.\n",
2784 get_algo(SUPP_ALGO_HASH, SUPP_ALGO_IPSEC_SA, seen_auth, NULL, 0)->name);
2785 }
2786 }
2787 }
2788 break;
2789
2790 case ISAKMP_PAYLOAD_N:
2791 if (reject == 0 && rp->u.n.type == ISAKMP_N_IPSEC_RESPONDER_LIFETIME) {
2792 if (rp->u.n.protocol == ISAKMP_IPSEC_PROTO_ISAKMP)
2793 lifetime_ike_process(s, rp->u.n.attributes);
2794 else if (rp->u.n.protocol == ISAKMP_IPSEC_PROTO_IPSEC_ESP)
2795 lifetime_ipsec_process(s, rp->u.n.attributes);
2796 else
2797 DEBUG(2, printf("got unknown lifetime notice, ignoring..\n"));
2798 }
2799 break;
2800 case ISAKMP_PAYLOAD_ID:
2801 /* FIXME: Parse payload ID and add route-env in case of ipv4_prefix */
2802 break;
2803 case ISAKMP_PAYLOAD_KE:
2804 ke = rp;
2805 break;
2806 case ISAKMP_PAYLOAD_NONCE:
2807 nonce_r = rp;
2808 break;
2809
2810 default:
2811 reject = ISAKMP_N_INVALID_PAYLOAD_TYPE;
2812 break;
2813 }
2814
2815 if (reject == 0 && nonce_r == NULL)
2816 reject = ISAKMP_N_INVALID_HASH_INFORMATION;
2817 if (reject == 0 && dh_grp && (ke == NULL || ke->u.ke.length != dh_getlen(dh_grp)))
2818 reject = ISAKMP_N_INVALID_KEY_INFORMATION;
2819 if (reject != 0)
2820 phase2_fatal(s, "quick mode response rejected [2]: %s(%d)", reject);
2821
2822 /* send final packet */
2823 sendrecv_phase2(s, NULL, ISAKMP_EXCHANGE_IKE_QUICK,
2824 msgid, 1, nonce_i, sizeof(nonce_i),
2825 nonce_r->u.nonce.data, nonce_r->u.nonce.length);
2826
2827 DEBUGTOP(2, printf("S7.7 QM_packet3 sent\n"));
2828
2829 DEBUGTOP(2, printf("S7.8 setup ipsec tunnel\n"));
2830 {
2831 unsigned char *dh_shared_secret = NULL;
2832
2833 if (dh_grp) {
2834 /* Determine the shared secret. */
2835 dh_shared_secret = xallocc(dh_getlen(dh_grp));
2836 dh_create_shared(dh_grp, dh_shared_secret, ke->u.ke.data);
2837 hex_dump("dh_shared_secret", dh_shared_secret, dh_getlen(dh_grp), NULL);
2838 }
2839
2840 s->ipsec.rx.key = gen_keymat(s, ISAKMP_IPSEC_PROTO_IPSEC_ESP, s->ipsec.rx.spi,
2841 dh_shared_secret, dh_grp ? dh_getlen(dh_grp) : 0,
2842 nonce_i, sizeof(nonce_i), nonce_r->u.nonce.data, nonce_r->u.nonce.length);
2843
2844 s->ipsec.tx.key = gen_keymat(s, ISAKMP_IPSEC_PROTO_IPSEC_ESP, s->ipsec.tx.spi,
2845 dh_shared_secret, dh_grp ? dh_getlen(dh_grp) : 0,
2846 nonce_i, sizeof(nonce_i), nonce_r->u.nonce.data, nonce_r->u.nonce.length);
2847
2848 if (dh_grp)
2849 group_free(dh_grp);
2850 free(dh_shared_secret);
2851 free_isakmp_packet(r);
2852
2853 if (s->esp_fd == 0) {
2854 if ((opt_natt_mode == NATT_CISCO_UDP) && s->ipsec.peer_udpencap_port) {
2855 s->esp_fd = make_socket(s, opt_udpencapport, s->ipsec.peer_udpencap_port);
2856 s->ipsec.encap_mode = IPSEC_ENCAP_UDP_TUNNEL;
2857 s->ipsec.natt_active_mode = NATT_ACTIVE_CISCO_UDP;
2858 } else if (s->ipsec.encap_mode != IPSEC_ENCAP_TUNNEL) {
2859 s->esp_fd = s->ike_fd;
2860 } else {
2861 #ifdef IP_HDRINCL
2862 int hincl = 1;
2863 #endif
2864
2865 s->esp_fd = socket(PF_INET, SOCK_RAW, IPPROTO_ESP);
2866 if (s->esp_fd == -1)
2867 error(1, errno, "Couldn't open socket of ESP. Maybe something registered ESP already.\nPlease try '--natt-mode force-natt' or disable whatever is using ESP.\nsocket(PF_INET, SOCK_RAW, IPPROTO_ESP)");
2868 #ifdef FD_CLOEXEC
2869 /* do not pass socket to vpnc-script, etc. */
2870 fcntl(s->esp_fd, F_SETFD, FD_CLOEXEC);
2871 #endif
2872 #ifdef IP_HDRINCL
2873 if (setsockopt(s->esp_fd, IPPROTO_IP, IP_HDRINCL, &hincl, sizeof(hincl)) == -1)
2874 error(1, errno, "setsockopt(esp_fd, IPPROTO_IP, IP_HDRINCL, 1)");
2875 #endif
2876 }
2877 }
2878
2879 s->ipsec.rx.seq_id = s->ipsec.tx.seq_id = 1;
2880 }
2881 free(dh_public);
2882 }
2883
2884 static int do_rekey(struct sa_block *s, struct isakmp_packet *r)
2885 {
2886 struct isakmp_payload *rp, *ke = NULL, *nonce_i = NULL;
2887 struct isakmp_attribute *a;
2888 int seen_enc;
2889 int seen_auth = 0, seen_encap = 0, seen_group = 0, seen_keylen = 0;
2890 int nonce_i_copy_len;
2891 struct group *dh_grp = NULL;
2892 uint8_t nonce_r[20], *dh_public = NULL, *nonce_i_copy = NULL;
2893 unsigned char *dh_shared_secret = NULL;
2894
2895 if (get_dh_group_ipsec(s->ipsec.do_pfs)->my_id) {
2896 dh_grp = group_get(get_dh_group_ipsec(s->ipsec.do_pfs)->my_id);
2897 DEBUG(3, printf("len = %d\n", dh_getlen(dh_grp)));
2898 dh_public = xallocc(dh_getlen(dh_grp));
2899 dh_create_exchange(dh_grp, dh_public);
2900 hex_dump("dh_public", dh_public, dh_getlen(dh_grp), NULL);
2901 }
2902
2903 rp = r->payload->next;
2904 /* rp->type == ISAKMP_PAYLOAD_SA, verified by caller */
2905
2906 if (rp->u.sa.doi != ISAKMP_DOI_IPSEC)
2907 return ISAKMP_N_DOI_NOT_SUPPORTED;
2908 if (rp->u.sa.situation != ISAKMP_IPSEC_SIT_IDENTITY_ONLY)
2909 return ISAKMP_N_SITUATION_NOT_SUPPORTED;
2910 if (rp->u.sa.proposals == NULL)
2911 return ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2912 if (rp->u.sa.proposals->u.p.prot_id != ISAKMP_IPSEC_PROTO_IPSEC_ESP)
2913 return ISAKMP_N_INVALID_PROTOCOL_ID;
2914 if (rp->u.sa.proposals->u.p.spi_size != 4)
2915 return ISAKMP_N_INVALID_SPI;
2916 if (rp->u.sa.proposals->u.p.transforms == NULL || rp->u.sa.proposals->u.p.transforms->next != NULL)
2917 return ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2918
2919 seen_enc = rp->u.sa.proposals->u.p.transforms->u.t.id;
2920
2921 memcpy(&s->ipsec.tx.spi, rp->u.sa.proposals->u.p.spi, 4);
2922
2923 for (a = rp->u.sa.proposals->u.p.transforms->u.t.attributes; a; a = a->next)
2924 switch (a->type) {
2925 case ISAKMP_IPSEC_ATTRIB_AUTH_ALG:
2926 if (a->af == isakmp_attr_16)
2927 seen_auth = a->u.attr_16;
2928 else
2929 return ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2930 break;
2931 case ISAKMP_IPSEC_ATTRIB_ENCAP_MODE:
2932 if (a->af == isakmp_attr_16 &&
2933 a->u.attr_16 == (
2934 (s->ipsec.natt_active_mode != NATT_ACTIVE_CISCO_UDP) ?
2935 s->ipsec.encap_mode :
2936 IPSEC_ENCAP_TUNNEL /* cisco-udp claims to use encap tunnel... */
2937 ))
2938 seen_encap = 1;
2939 else
2940 return ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2941 break;
2942 case ISAKMP_IPSEC_ATTRIB_GROUP_DESC:
2943 if (dh_grp && a->af == isakmp_attr_16 &&
2944 a->u.attr_16 == get_dh_group_ipsec(s->ipsec.do_pfs)->ipsec_sa_id)
2945 seen_group = 1;
2946 else
2947 return ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2948 break;
2949 case ISAKMP_IPSEC_ATTRIB_KEY_LENGTH:
2950 if (a->af == isakmp_attr_16)
2951 seen_keylen = a->u.attr_16;
2952 else
2953 return ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2954 break;
2955 case ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE:
2956 /* lifetime duration MUST follow lifetype attribute */
2957 if (a->next->type == ISAKMP_IPSEC_ATTRIB_SA_LIFE_DURATION) {
2958 lifetime_ipsec_process(s, a);
2959 } else
2960 return ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2961 break;
2962 case ISAKMP_IPSEC_ATTRIB_SA_LIFE_DURATION:
2963 /* already processed above in ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE: */
2964 break;
2965 default:
2966 return ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
2967 break;
2968 }
2969 if (!seen_auth || !seen_encap || (dh_grp && !seen_group))
2970 return ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2971
2972 /* FIXME: Current code has a limitation that will cause problems if
2973 * different algorithms are negotiated during re-keying
2974 */
2975 if ((get_algo(SUPP_ALGO_HASH, SUPP_ALGO_IPSEC_SA, seen_auth, NULL, 0) == NULL) ||
2976 (get_algo(SUPP_ALGO_CRYPT, SUPP_ALGO_IPSEC_SA, seen_enc, NULL, seen_keylen) == NULL)) {
2977 printf("\nFIXME: vpnc doesn't support change of algorightms during rekeying\n");
2978 return ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2979 }
2980
2981 /* we don't want to change ciphers during rekeying */
2982 if (s->ipsec.cry_algo != get_algo(SUPP_ALGO_CRYPT, SUPP_ALGO_IPSEC_SA, seen_enc, NULL, seen_keylen)->my_id)
2983 return ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2984 if (s->ipsec.md_algo != get_algo(SUPP_ALGO_HASH, SUPP_ALGO_IPSEC_SA, seen_auth, NULL, 0)->my_id)
2985 return ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2986
2987 for (rp = rp->next; rp; rp = rp->next)
2988 switch (rp->type) {
2989 case ISAKMP_PAYLOAD_ID:
2990 /* FIXME: Parse payload ID and add route-env in case of ipv4_prefix */
2991 break;
2992 case ISAKMP_PAYLOAD_KE:
2993 ke = rp;
2994 break;
2995 case ISAKMP_PAYLOAD_NONCE:
2996 nonce_i = rp;
2997 break;
2998 default:
2999 return ISAKMP_N_INVALID_PAYLOAD_TYPE;
3000 break;
3001 }
3002
3003 if ((dh_grp && ke == NULL) || nonce_i == NULL)
3004 return ISAKMP_N_BAD_PROPOSAL_SYNTAX;
3005
3006 DEBUG(3, printf("everything fine so far...\n"));
3007 gcry_create_nonce((uint8_t *) nonce_r, sizeof(nonce_r));
3008 gcry_create_nonce((uint8_t *) & s->ipsec.rx.spi, sizeof(s->ipsec.rx.spi));
3009
3010 if (dh_grp) {
3011 /* Determine the shared secret. */
3012 dh_shared_secret = xallocc(dh_getlen(dh_grp));
3013 dh_create_shared(dh_grp, dh_shared_secret, ke->u.ke.data);
3014 hex_dump("dh_shared_secret", dh_shared_secret, dh_getlen(dh_grp), NULL);
3015 }
3016
3017 free(s->ipsec.rx.key);
3018 free(s->ipsec.tx.key);
3019
3020 s->ipsec.rx.key = gen_keymat(s, ISAKMP_IPSEC_PROTO_IPSEC_ESP, s->ipsec.rx.spi,
3021 dh_shared_secret, dh_grp ? dh_getlen(dh_grp) : 0,
3022 nonce_i->u.nonce.data, nonce_i->u.nonce.length, nonce_r, sizeof(nonce_r));
3023
3024 s->ipsec.tx.key = gen_keymat(s, ISAKMP_IPSEC_PROTO_IPSEC_ESP, s->ipsec.tx.spi,
3025 dh_shared_secret, dh_grp ? dh_getlen(dh_grp) : 0,
3026 nonce_i->u.nonce.data, nonce_i->u.nonce.length, nonce_r, sizeof(nonce_r));
3027
3028 s->ipsec.rx.key_cry = s->ipsec.rx.key;
3029 s->ipsec.rx.key_md = s->ipsec.rx.key + s->ipsec.key_len;
3030 s->ipsec.tx.key_cry = s->ipsec.tx.key;
3031 s->ipsec.tx.key_md = s->ipsec.tx.key + s->ipsec.key_len;
3032
3033 nonce_i_copy_len = nonce_i->u.nonce.length;
3034 nonce_i_copy = xallocc(nonce_i_copy_len);
3035 memcpy(nonce_i_copy, nonce_i->u.nonce.data, nonce_i_copy_len);
3036
3037 s->ipsec.rx.seq_id = s->ipsec.tx.seq_id = 1;
3038 s->ipsec.life.start = time(NULL);
3039 s->ipsec.life.tx = 0;
3040 s->ipsec.life.rx = 0;
3041
3042 if (s->ipsec.cry_algo) {
3043 gcry_cipher_setkey(s->ipsec.rx.cry_ctx, s->ipsec.rx.key_cry, s->ipsec.key_len);
3044 gcry_cipher_setkey(s->ipsec.tx.cry_ctx, s->ipsec.tx.key_cry, s->ipsec.key_len);
3045 }
3046
3047 /* use request as template and just exchange some values */
3048 /* this overwrites data in nonce_i, ke! */
3049 rp = r->payload->next;
3050 /* SA, change the SPI */
3051 memcpy(rp->u.sa.proposals->u.p.spi, &s->ipsec.rx.spi, 4);
3052
3053 for (rp = rp->next; rp; rp = rp->next)
3054 switch (rp->type) {
3055 case ISAKMP_PAYLOAD_ID:
3056 break;
3057 case ISAKMP_PAYLOAD_KE:
3058 memcpy(rp->u.ke.data, dh_public, dh_getlen(dh_grp));
3059 break;
3060 case ISAKMP_PAYLOAD_NONCE:
3061 memcpy(rp->u.nonce.data, nonce_r, sizeof(nonce_r));
3062 break;
3063 default:
3064 assert(0);
3065 break;
3066 }
3067
3068 sendrecv_phase2(s, r->payload->next, ISAKMP_EXCHANGE_IKE_QUICK,
3069 r->message_id, 0, nonce_i_copy, nonce_i_copy_len, 0,0);
3070 unpack_verify_phase2(s, r_packet, r_length, &r, NULL, 0);
3071 free(nonce_i_copy);
3072 /* don't care about answer ... */
3073
3074 return 0;
3075 }
3076
3077 void process_late_ike(struct sa_block *s, uint8_t *r_packet, ssize_t r_length)
3078 {
3079 int reject;
3080 struct isakmp_packet *r;
3081 struct isakmp_payload *rp;
3082
3083 DEBUG(2,printf("got late ike packet: %zd bytes\n", r_length));
3084 /* we should ignore resent packets here.
3085 * unpack_verify_phase2 will fail to decode them probably */
3086 reject = unpack_verify_phase2(s, r_packet, r_length, &r, NULL, 0);
3087
3088 /* just ignore broken stuff for now */
3089 if (reject != 0) {
3090 if (r) free_isakmp_packet(r);
3091 return;
3092 }
3093
3094 /* everything must be encrypted by now */
3095 if (r->payload == NULL || r->payload->type != ISAKMP_PAYLOAD_HASH) {
3096 free_isakmp_packet(r);
3097 return;
3098 }
3099
3100 /* empty packet? well, nothing to see here */
3101 if (r->payload->next == NULL) {
3102 free_isakmp_packet(r);
3103 return;
3104 }
3105
3106 /* do we get an SA proposal for rekeying? */
3107 if (r->exchange_type == ISAKMP_EXCHANGE_IKE_QUICK &&
3108 r->payload->next->type == ISAKMP_PAYLOAD_SA) {
3109 reject = do_rekey(s, r);
3110 DEBUG(3, printf("do_rekey returned: %d\n", reject));
3111 /* FIXME: LEAK but will create segfault for double free */
3112 /* free_isakmp_packet(r); */
3113 return;
3114 }
3115
3116 if (r->exchange_type == ISAKMP_EXCHANGE_INFORMATIONAL) {
3117 /* Search for notify payloads */
3118 for (rp = r->payload->next; rp; rp = rp->next) {
3119 if (rp->type != ISAKMP_PAYLOAD_N)
3120 continue;
3121 /* did we get a DPD request or ACK? */
3122 if (rp->u.n.protocol != ISAKMP_IPSEC_PROTO_ISAKMP) {
3123 DEBUG(2, printf("got non isakmp-notify, ignoring...\n"));
3124 continue;
3125 }
3126 if (rp->u.n.type == ISAKMP_N_R_U_THERE) {
3127 uint32_t seq;
3128 if (rp->u.n.data_length != 4) {
3129 DEBUG(2, printf("ignoring bad data length R-U-THERE request\n"));
3130 continue;
3131 }
3132 seq = ntohl(*((uint32_t *) rp->u.n.data));
3133 send_dpd(s, 1, seq);
3134 DEBUG(2, printf("got r-u-there request sent ack\n"));
3135 continue;
3136 } else if (rp->u.n.type == ISAKMP_N_R_U_THERE_ACK) {
3137 uint32_t seqack;
3138 if (rp->u.n.data_length != 4) {
3139 DEBUG(2, printf("ignoring bad data length R-U-THERE-ACK\n"));
3140 continue;
3141 }
3142 seqack = ntohl(*((uint32_t *) rp->u.n.data));
3143 if (seqack == s->ike.dpd_seqno) {
3144 s->ike.dpd_seqno_ack = seqack;
3145 } else {
3146 DEBUG(2, printf("ignoring r-u-there ack %u (expecting %u)\n", seqack, s->ike.dpd_seqno));
3147 continue;
3148 }
3149 DEBUG(2, printf("got r-u-there ack\n"));
3150 }
3151 }
3152 }
3153
3154 /* check if our isakmp sa gets deleted */
3155 for (rp = r->payload->next; rp; rp = rp->next) {
3156 /* search for delete payloads */
3157 if (rp->type != ISAKMP_PAYLOAD_D)
3158 continue;
3159 if (rp->u.d.protocol == ISAKMP_IPSEC_PROTO_IPSEC_ESP) {
3160 /* RFC2408, 5.15:
3161 * Process the Delete payload and take appropriate action, according
3162 * to local security policy. As described above, one appropriate
3163 * action SHOULD include cleaning up the local SA database.
3164 */
3165 /* FIXME: any cleanup needed??? */
3166
3167 if (rp->u.d.num_spi >= 1 && memcmp(rp->u.d.spi[0], &s->ipsec.tx.spi, 4) == 0) {
3168 free_isakmp_packet(r);
3169 do_phase2_qm(s);
3170 return;
3171 } else {
3172 DEBUG(2, printf("got isakmp delete with bogus spi (expected %d, received %d), ignoring...\n", s->ipsec.tx.spi, *(rp->u.d.spi[0]) ));
3173 continue;
3174 }
3175 }
3176 /* skip ipsec-esp delete */
3177 if (rp->u.d.protocol != ISAKMP_IPSEC_PROTO_ISAKMP) {
3178 DEBUG(2, printf("got non isakmp-delete, ignoring...\n"));
3179 continue;
3180 };
3181
3182 /*
3183 * RFC 2408, 3.15 Delete Payload
3184 * it is not stated that the SPI field of a delete
3185 * payload can be ignored, because it is given in
3186 * the headers, but I assume so. In other cases
3187 * RFC 2408 (notifications) states this.
3188 */
3189 do_kill = -1;
3190 DEBUG(2, printf("got isakmp-delete, terminating...\n"));
3191 free_isakmp_packet(r);
3192 return;
3193 }
3194
3195 free_isakmp_packet(r);
3196 return;
3197 }
3198
3199 int main(int argc, char **argv)
3200 {
3201 int do_load_balance;
3202 const uint8_t hex_test[] = { 0, 1, 2, 3 };
3203 struct sa_block oursa[1];
3204 struct sa_block *s = oursa;
3205
3206 test_pack_unpack();
3207 #if defined(__CYGWIN__)
3208 gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
3209 #endif
3210 gcry_check_version("1.1.90");
3211 gcry_control(GCRYCTL_INIT_SECMEM, 16384, 0);
3212 group_init();
3213
3214 memset(s, 0, sizeof(*s));
3215 s->ipsec.encap_mode = IPSEC_ENCAP_TUNNEL;
3216 s->ike.timeout = 1000; /* 1 second */
3217
3218 do_config(argc, argv);
3219
3220 DEBUG(1, printf("\nvpnc version " VERSION "\n"));
3221 hex_dump("hex_test", hex_test, sizeof(hex_test), NULL);
3222
3223 DEBUGTOP(2, printf("S1 init_sockaddr\n"));
3224 init_sockaddr(&s->dst, config[CONFIG_IPSEC_GATEWAY]);
3225 init_sockaddr(&s->opt_src_ip, config[CONFIG_LOCAL_ADDR]);
3226 DEBUGTOP(2, printf("S2 make_socket\n"));
3227 s->ike.src_port = atoi(config[CONFIG_LOCAL_PORT]);
3228 s->ike.dst_port = ISAKMP_PORT;
3229 s->ike_fd = make_socket(s, s->ike.src_port, s->ike.dst_port);
3230 DEBUGTOP(2, printf("S3 setup_tunnel\n"));
3231 setup_tunnel(s);
3232
3233 do_load_balance = 0;
3234 do {
3235 DEBUGTOP(2, printf("S4 do_phase1_am\n"));
3236 do_phase1_am(config[CONFIG_IPSEC_ID], config[CONFIG_IPSEC_SECRET], s);
3237 DEBUGTOP(2, printf("S5 do_phase2_xauth\n"));
3238 /* FIXME: Create and use a generic function in supp.[hc] */
3239 if (s->ike.auth_algo >= IKE_AUTH_HybridInitRSA)
3240 do_load_balance = do_phase2_xauth(s);
3241 DEBUGTOP(2, printf("S6 do_phase2_config\n"));
3242 if ((opt_vendor == VENDOR_CISCO) && (do_load_balance == 0))
3243 do_load_balance = do_phase2_config(s);
3244 } while (do_load_balance);
3245 DEBUGTOP(2, printf("S7 setup_link (phase 2 + main_loop)\n"));
3246 DEBUGTOP(2, printf("S7.0 run interface setup script\n"));
3247 config_tunnel(s);
3248 do_phase2_qm(s);
3249 DEBUGTOP(2, printf("S7.9 main loop (receive and transmit ipsec packets)\n"));
3250 vpnc_doit(s);
3251
3252 /* Tear down phase 2 and 1 tunnels */
3253 send_delete_ipsec(s);
3254 send_delete_isakmp(s);
3255
3256 /* Cleanup routing */
3257 DEBUGTOP(2, printf("S8 close_tunnel\n"));
3258 close_tunnel(s);
3259 s_atexit_sa = NULL;
3260
3261 /* Free resources */
3262 DEBUGTOP(2, printf("S9 cleanup\n"));
3263 cleanup(s);
3264
3265 return 0;
3266 }
client for cisco vpn concentrator