search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Support for /sbin/netconfig under OpenSuse 11.1
[vpnc.git] / vpnc.c
blobd0fe685c0d4101f1694052a5df2a6b51519f736d
1 /* IPSec VPN client compatible with Cisco equipment.
2 Copyright (C) 2002 Geoffrey Keating
3 Copyright (C) 2003-2005 Maurice Massar
4 Copyright (C) 2004 Tomas Mraz
5 Copyright (C) 2004 Martin von Gagern
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 2 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program; if not, write to the Free Software
19 Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
20
21 $Id$
22 */
23
24 #define _GNU_SOURCE
25 #include <assert.h>
26 #include <unistd.h>
27 #include <sys/fcntl.h>
28 #include <stdio.h>
29 #include <errno.h>
30 #include <string.h>
31 #include <time.h>
32 #include <stdlib.h>
33 #include <sys/socket.h>
34 #include <netinet/in.h>
35 #include <netdb.h>
36 #include <arpa/inet.h>
37 #include <poll.h>
38 #include <sys/ioctl.h>
39 #include <sys/utsname.h>
40
41 #include <gcrypt.h>
42
43 #include "crypto.h"
44 #include "sysdep.h"
45 #include "config.h"
46 #include "isakmp-pkt.h"
47 #include "math_group.h"
48 #include "dh.h"
49 #include "vpnc.h"
50 #include "tunip.h"
51 #include "supp.h"
52
53 #if defined(__CYGWIN__)
54 GCRY_THREAD_OPTION_PTHREAD_IMPL;
55 #endif
56
57 #define ISAKMP_PORT (500)
58 #define ISAKMP_PORT_NATT (4500)
59
60 const unsigned char VID_XAUTH[] = { /* "draft-ietf-ipsra-isakmp-xauth-06.txt"/8 */
61 0x09, 0x00, 0x26, 0x89, 0xDF, 0xD6, 0xB7, 0x12
62 };
63 const unsigned char VID_DPD[] = { /* Dead Peer Detection, RFC 3706 */
64 0xAF, 0xCA, 0xD7, 0x13, 0x68, 0xA1, 0xF1, 0xC9,
65 0x6B, 0x86, 0x96, 0xFC, 0x77, 0x57, 0x01, 0x00
66 };
67 const unsigned char VID_UNITY[] = { /* "CISCO-UNITY"/14 + major + minor */
68 0x12, 0xF5, 0xF2, 0x8C, 0x45, 0x71, 0x68, 0xA9,
69 0x70, 0x2D, 0x9F, 0xE2, 0x74, 0xCC, 0x01, 0x00
70 };
71 const unsigned char VID_UNKNOWN[] = {
72 0x12, 0x6E, 0x1F, 0x57, 0x72, 0x91, 0x15, 0x3B,
73 0x20, 0x48, 0x5F, 0x7F, 0x15, 0x5B, 0x4B, 0xC8
74 };
75 const unsigned char VID_NATT_00[] = { /* "draft-ietf-ipsec-nat-t-ike-00" */
76 0x44, 0x85, 0x15, 0x2d, 0x18, 0xb6, 0xbb, 0xcd,
77 0x0b, 0xe8, 0xa8, 0x46, 0x95, 0x79, 0xdd, 0xcc
78 };
79 const unsigned char VID_NATT_01[] = { /* "draft-ietf-ipsec-nat-t-ike-01" */
80 0x16, 0xf6, 0xca, 0x16, 0xe4, 0xa4, 0x06, 0x6d,
81 0x83, 0x82, 0x1a, 0x0f, 0x0a, 0xea, 0xa8, 0x62
82 };
83 const unsigned char VID_NATT_02[] = { /* "draft-ietf-ipsec-nat-t-ike-02" */
84 0xcd, 0x60, 0x46, 0x43, 0x35, 0xdf, 0x21, 0xf8,
85 0x7c, 0xfd, 0xb2, 0xfc, 0x68, 0xb6, 0xa4, 0x48
86 };
87 const unsigned char VID_NATT_02N[] = { /* "draft-ietf-ipsec-nat-t-ike-02\n" */
88 0x90, 0xCB, 0x80, 0x91, 0x3E, 0xBB, 0x69, 0x6E,
89 0x08, 0x63, 0x81, 0xB5, 0xEC, 0x42, 0x7B, 0x1F
90 };
91 const unsigned char VID_NATT_03[] = { /* "draft-ietf-ipsec-nat-t-ike-03" */
92 0x7d, 0x94, 0x19, 0xa6, 0x53, 0x10, 0xca, 0x6f,
93 0x2c, 0x17, 0x9d, 0x92, 0x15, 0x52, 0x9d, 0x56
94 };
95 const unsigned char VID_NATT_RFC[] = { /* "RFC 3947" */
96 0x4A, 0x13, 0x1C, 0x81, 0x07, 0x03, 0x58, 0x45,
97 0x5C, 0x57, 0x28, 0xF2, 0x0E, 0x95, 0x45, 0x2F
98 };
99 const unsigned char VID_DWR[] = { /* DWR: Delete with reason */
100 0x2D, 0x79, 0x22, 0xC6, 0xB3, 0x01, 0xD9, 0xB0,
101 0xE1, 0x34, 0x27, 0x39, 0xE9, 0xCF, 0xBB, 0xD5
102 };
103 /* Cisco Unknown1:
104 *const unsigned char VID_CISCO_UNKNOWN_1[] = {
105 * 1f07f70eaa6514d3b0fa96542a500407
106 *};
107 */
108
109 const unsigned char VID_CISCO_FRAG[] = { /* "FRAGMENTATION" */
110 0x40, 0x48, 0xB7, 0xD5, 0x6E, 0xBC, 0xE8, 0x85,
111 0x25, 0xE7, 0xDE, 0x7F, 0x00, 0xD6, 0xC2, 0xD3,
112 0x80, 0x00, 0x00, 0x00
113 };
114 const unsigned char VID_NETSCREEN_15[] = { /* netscreen 15 */
115 0x16, 0x6f, 0x93, 0x2d, 0x55, 0xeb, 0x64, 0xd8,
116 0xe4, 0xdf, 0x4f, 0xd3, 0x7e, 0x23, 0x13, 0xf0,
117 0xd0, 0xfd, 0x84, 0x51, 0x00, 0x00, 0x00, 0x00,
118 0x00, 0x00, 0x00, 0x00
119 };
120 const unsigned char VID_HEARTBEAT_NOTIFY[] = { /* Heartbeat Notify */
121 0x48, 0x65, 0x61, 0x72, 0x74, 0x42, 0x65, 0x61,
122 0x74, 0x5f, 0x4e, 0x6f, 0x74, 0x69, 0x66, 0x79,
123 0x38, 0x6b, 0x01, 0x00
124 };
125 const unsigned char VID_NORTEL_CONT[] = { /* BNES: Bay Networks Enterprise Switch + version/id of some kind */
126 0x42, 0x4e, 0x45, 0x53, 0x00, 0x00, 0x00, 0x0a
127 };
128
129 const unsigned char FW_UNKNOWN_TYPEINFO[] = {
130 0x80, 0x01, 0x00, 0x01, 0x80, 0x02, 0x00, 0x01,
131 0x80, 0x03, 0x00, 0x02
132 };
133
134 struct vid_element {
135 const unsigned char* valueptr;
136 const uint16_t length;
137 const char* descr;
138 };
139
140 const struct vid_element vid_list[] = {
141 { VID_XAUTH, sizeof(VID_XAUTH), "Xauth" },
142 { VID_DPD, sizeof(VID_DPD), "DPD" },
143 { VID_UNITY, sizeof(VID_UNITY), "Cisco Unity" },
144 { VID_NATT_00, sizeof(VID_NATT_00), "Nat-T 00" },
145 { VID_NATT_01, sizeof(VID_NATT_01), "Nat-T 01" },
146 { VID_NATT_02, sizeof(VID_NATT_02), "Nat-T 02" },
147 { VID_NATT_02N, sizeof(VID_NATT_02N), "Nat-T 02N" },
148 { VID_NATT_03, sizeof(VID_NATT_03), "Nat-T 03" },
149 { VID_NATT_RFC, sizeof(VID_NATT_RFC), "Nat-T RFC" },
150 { VID_DWR, sizeof(VID_DWR), "Delete With Reason" },
151 { VID_CISCO_FRAG, sizeof(VID_CISCO_FRAG), "Cisco Fragmentation" },
152 { VID_NETSCREEN_15, sizeof(VID_NETSCREEN_15), "Netscreen 15" },
153 { VID_NORTEL_CONT, sizeof(VID_NORTEL_CONT), "Nortel Contivity" },
154 { VID_HEARTBEAT_NOTIFY, sizeof(VID_HEARTBEAT_NOTIFY), "Heartbeat Notify" },
155
156 { NULL, 0, NULL }
157 };
158
159 /* What are DWR-Code and DWR-Text ? */
160
161 static uint8_t r_packet[8192];
162 static ssize_t r_length;
163
164 void print_vid(const unsigned char *vid, uint16_t len) {
165
166 int vid_index = 0;
167
168 if (opt_debug < 2)
169 return;
170
171 while (vid_list[vid_index].length) {
172 if (len == vid_list[vid_index].length &&
173 memcmp(vid_list[vid_index].valueptr, vid, len) == 0) {
174 printf(" (%s)\n", vid_list[vid_index].descr);
175 return;
176 }
177 vid_index++;
178 }
179 printf(" (unknown)\n");
180 }
181
182 static __inline__ int min(int a, int b)
183 {
184 return (a < b) ? a : b;
185 }
186
187 static void addenv(const void *name, const char *value)
188 {
189 char *strbuf = NULL, *oldval;
190
191 oldval = getenv(name);
192 if (oldval != NULL) {
193 strbuf = xallocc(strlen(oldval) + 1 + strlen(value) + 1);
194 strcat(strbuf, oldval);
195 strcat(strbuf, " ");
196 strcat(strbuf, value);
197 }
198
199 setenv(name, strbuf ? strbuf : value, 1);
200
201 free(strbuf);
202 }
203
204 static void addenv_ipv4(const void *name, uint8_t * data)
205 {
206 addenv(name, inet_ntoa(*((struct in_addr *)data)));
207 }
208
209 static int make_socket(struct sa_block *s, uint16_t src_port, uint16_t dst_port)
210 {
211 int sock;
212 struct sockaddr_in name;
213 socklen_t len = sizeof(name);
214
215 /* create the socket */
216 sock = socket(PF_INET, SOCK_DGRAM, 0);
217 if (sock < 0)
218 error(1, errno, "making socket");
219
220 #ifdef FD_CLOEXEC
221 /* do not pass socket to vpnc-script, etc. */
222 fcntl(sock, F_SETFD, FD_CLOEXEC);
223 #endif
224
225 /* give the socket a name */
226 name.sin_family = AF_INET;
227 name.sin_addr = s->opt_src_ip;
228 name.sin_port = htons(src_port);
229 if (bind(sock, (struct sockaddr *)&name, sizeof(name)) < 0)
230 error(1, errno, "Error binding to source port. Try '--local-port 0'\nFailed to bind to %s:%d", inet_ntoa(s->opt_src_ip), src_port);
231
232 /* connect the socket */
233 name.sin_family = AF_INET;
234 name.sin_addr = s->dst;
235 name.sin_port = htons(dst_port);
236 if (connect(sock, (struct sockaddr *)&name, sizeof(name)) < 0)
237 error(1, errno, "connecting to port %d", ntohs(dst_port));
238
239 /* who am I */
240 if (getsockname(sock, (struct sockaddr *)&name, &len) < 0)
241 error(1, errno, "reading local address from socket %d", sock);
242 s->src = name.sin_addr;
243
244 return sock;
245 }
246
247 static void cleanup(struct sa_block *s) {
248 if (s->ike_fd != 0) {
249 close(s->ike_fd);
250 s->ike_fd = 0;
251 }
252 if (s->esp_fd != 0) {
253 close(s->esp_fd);
254 s->esp_fd = 0;
255 }
256 if (s->ike.resend_hash) {
257 free(s->ike.resend_hash);
258 s->ike.resend_hash = NULL;
259 }
260 if (s->ike.skeyid_d) {
261 free(s->ike.skeyid_d);
262 s->ike.skeyid_d = NULL;
263 }
264 if (s->ike.skeyid_a) {
265 free(s->ike.skeyid_a);
266 s->ike.skeyid_a = NULL;
267 }
268 if (s->ike.initial_iv) {
269 free(s->ike.initial_iv);
270 s->ike.initial_iv = NULL;
271 }
272 if (s->ike.current_iv) {
273 free(s->ike.current_iv);
274 s->ike.current_iv = NULL;
275 }
276 if (s->ike.key) {
277 free(s->ike.key);
278 s->ike.key = NULL;
279 }
280 if (s->ipsec.rx.key) {
281 free(s->ipsec.rx.key);
282 s->ipsec.rx.key = NULL;
283 }
284 if (s->ipsec.tx.key) {
285 free(s->ipsec.tx.key);
286 s->ipsec.tx.key = NULL;
287 }
288 if (s->ipsec.rx.cry_ctx) {
289 gcry_cipher_close(s->ipsec.rx.cry_ctx);
290 s->ipsec.rx.cry_ctx = NULL;
291 }
292 if (s->ipsec.tx.cry_ctx) {
293 gcry_cipher_close(s->ipsec.tx.cry_ctx);
294 s->ipsec.tx.cry_ctx = NULL;
295 }
296 }
297
298 static void init_sockaddr(struct in_addr *dst, const char *hostname)
299 {
300 struct hostent *hostinfo;
301
302 if (inet_aton(hostname, dst) == 0) {
303 hostinfo = gethostbyname(hostname);
304 if (hostinfo == NULL)
305 error(1, 0, "unknown host `%s'\n", hostname);
306 *dst = *(struct in_addr *)hostinfo->h_addr;
307 }
308 }
309
310 static void init_netaddr(struct in_addr *net, const char *string)
311 {
312 char *p;
313
314 if ((p = strchr(string, '/')) != NULL) {
315 char *host = xallocc(p - string + 1);
316 memcpy(host, string, p - string + 1);
317 host[p - string] = '\0';
318 init_sockaddr((struct in_addr *)net, host);
319 free(host);
320 if (strchr(p + 1, '.') != NULL)
321 init_sockaddr(net + 1, p + 1);
322 else {
323 int bits = atoi(p + 1);
324 unsigned long mask = (1 << bits) - 1;
325 memcpy((char *)(net + 1), (char *)&mask, 4);
326 }
327 } else {
328 memset((char *)net, 0, 8);
329 }
330 }
331
332 static void setup_tunnel(struct sa_block *s)
333 {
334 setenv("reason", "pre-init", 1);
335 system(config[CONFIG_SCRIPT]);
336
337 if (config[CONFIG_IF_NAME])
338 memcpy(s->tun_name, config[CONFIG_IF_NAME], strlen(config[CONFIG_IF_NAME]));
339
340 s->tun_fd = tun_open(s->tun_name, opt_if_mode);
341 DEBUG(2, printf("using interface %s\n", s->tun_name));
342 setenv("TUNDEV", s->tun_name, 1);
343
344 if (s->tun_fd == -1)
345 error(1, errno, "can't initialise tunnel interface");
346 #ifdef FD_CLOEXEC
347 /* do not pass socket to vpnc-script, etc. */
348 fcntl(s->tun_fd, F_SETFD, FD_CLOEXEC);
349 #endif
350
351 if (opt_if_mode == IF_MODE_TAP) {
352 if (tun_get_hwaddr(s->tun_fd, s->tun_name, s->tun_hwaddr) < 0) {
353 error(1, errno, "can't get tunnel HW address");
354 }
355 hex_dump("interface HW addr", s->tun_hwaddr, ETH_ALEN, NULL);
356 }
357 }
358
359 static void config_tunnel(struct sa_block *s)
360 {
361 setenv("VPNGATEWAY", inet_ntoa(s->dst), 1);
362 setenv("reason", "connect", 1);
363 system(config[CONFIG_SCRIPT]);
364 }
365
366 static void close_tunnel(struct sa_block *s)
367 {
368 setenv("reason", "disconnect", 1);
369 system(config[CONFIG_SCRIPT]);
370 tun_close(s->tun_fd, s->tun_name);
371 }
372
373 static int recv_ignore_dup(struct sa_block *s, void *recvbuf, size_t recvbufsize)
374 {
375 uint8_t *resend_check_hash;
376 int recvsize, hash_len;
377
378 recvsize = recv(s->ike_fd, recvbuf, recvbufsize, 0);
379 if (recvsize < 0)
380 error(1, errno, "receiving packet");
381 if ((unsigned int)recvsize > recvbufsize)
382 error(1, errno, "received packet too large for buffer");
383
384 /* skip (not only) NAT-T draft-0 keepalives */
385 if ( /* (s->ipsec.natt_active_mode == NATT_ACTIVE_DRAFT_OLD) && */
386 (recvsize == 1) && (*((u_char *)(recvbuf)) == 0xff))
387 {
388 if ((s->ipsec.natt_active_mode != NATT_ACTIVE_DRAFT_OLD))
389 {
390 DEBUG(2, printf("Received UDP NAT-Keepalive bug nat active mode incorrect: %d\n", s->ipsec.natt_active_mode));
391 }
392 return -1;
393 }
394
395 hash_len = gcry_md_get_algo_dlen(GCRY_MD_SHA1);
396 resend_check_hash = malloc(hash_len);
397 gcry_md_hash_buffer(GCRY_MD_SHA1, resend_check_hash, recvbuf, recvsize);
398 if (s->ike.resend_hash && memcmp(s->ike.resend_hash, resend_check_hash, hash_len) == 0) {
399 free(resend_check_hash);
400 /* FIXME: if we get a retransmission, we probably should do a retransmission too */
401 DEBUG(2, printf("Received duplicated packet, dropping it!\n"));
402 return -1;
403 }
404 if (!s->ike.resend_hash) {
405 s->ike.resend_hash = resend_check_hash;
406 } else {
407 memcpy(s->ike.resend_hash, resend_check_hash, hash_len);
408 free(resend_check_hash);
409 }
410
411 return recvsize;
412 }
413
414 /* Send TOSEND of size SENDSIZE to the socket. Then wait for a new packet,
415 resending TOSEND on timeout, and ignoring duplicate packets; the
416 new packet is put in RECVBUF of size RECVBUFSIZE and the actual size
417 of the new packet is returned. */
418
419 static ssize_t sendrecv(struct sa_block *s, void *recvbuf, size_t recvbufsize, void *tosend, size_t sendsize, int sendonly)
420 {
421 struct pollfd pfd;
422 int tries = 0;
423 int recvsize = -1;
424 time_t start = time(NULL);
425 time_t end = 0;
426 void *realtosend;
427
428 pfd.fd = s->ike_fd;
429 pfd.events = POLLIN;
430 tries = 0;
431
432 if ((s->ipsec.natt_active_mode == NATT_ACTIVE_RFC) && (tosend != NULL)) {
433 DEBUG(2, printf("NAT-T mode, adding non-esp marker\n"));
434 realtosend = xallocc(sendsize+4);
435 memmove((char*)realtosend+4, tosend, sendsize);
436 sendsize += 4;
437 } else {
438 realtosend = tosend;
439 }
440
441 for (;;) {
442 int pollresult;
443
444 if (realtosend != NULL)
445 if (write(s->ike_fd, realtosend, sendsize) != (int)sendsize)
446 error(1, errno, "can't send packet");
447 if (sendonly)
448 break;
449
450 do {
451 pollresult = poll(&pfd, 1, s->ike.timeout << tries);
452 } while (pollresult == -1 && errno == EINTR);
453
454 if (pollresult == -1)
455 error(1, errno, "can't poll socket");
456 if (pollresult != 0) {
457 recvsize = recv_ignore_dup(s, recvbuf, recvbufsize);
458 end = time(NULL);
459 if (recvsize != -1)
460 break;
461 continue;
462 }
463
464 if (tries > 2)
465 error(1, 0, "no response from target");
466 tries++;
467 }
468
469 if (realtosend != tosend)
470 free(realtosend);
471
472 if (sendonly)
473 return 0;
474
475 if ((s->ipsec.natt_active_mode == NATT_ACTIVE_RFC)&&(recvsize > 4)) {
476 recvsize -= 4; /* 4 bytes non-esp marker */
477 memmove(recvbuf, (char *)recvbuf+4, recvsize);
478 }
479
480 DEBUGTOP(3, printf("\n receiving: <========================\n"));
481
482 /* Wait at least 2s for a response or 4 times the time it took
483 * last time. */
484 if (start >= end)
485 s->ike.timeout = 2000;
486 else
487 s->ike.timeout = 4000 * (end - start);
488
489 return recvsize;
490 }
491
492 static int isakmp_crypt(struct sa_block *s, uint8_t * block, size_t blocklen, int enc)
493 {
494 unsigned char *new_iv, *iv = NULL;
495 int info_ex;
496 gcry_cipher_hd_t cry_ctx;
497
498 if (blocklen < ISAKMP_PAYLOAD_O || ((blocklen - ISAKMP_PAYLOAD_O) % s->ike.ivlen != 0))
499 abort();
500
501 if (!enc && (memcmp(block + ISAKMP_I_COOKIE_O, s->ike.i_cookie, ISAKMP_COOKIE_LENGTH) != 0
502 || memcmp(block + ISAKMP_R_COOKIE_O, s->ike.r_cookie, ISAKMP_COOKIE_LENGTH) != 0)) {
503 DEBUG(2, printf("got packet with wrong cookies\n"));
504 return ISAKMP_N_INVALID_COOKIE;
505 }
506
507 info_ex = block[ISAKMP_EXCHANGE_TYPE_O] == ISAKMP_EXCHANGE_INFORMATIONAL;
508
509 if (memcmp(block + ISAKMP_MESSAGE_ID_O, s->ike.current_iv_msgid, 4) != 0) {
510 gcry_md_hd_t md_ctx;
511
512 gcry_md_open(&md_ctx, s->ike.md_algo, 0);
513 gcry_md_write(md_ctx, s->ike.initial_iv, s->ike.ivlen);
514 gcry_md_write(md_ctx, block + ISAKMP_MESSAGE_ID_O, 4);
515 gcry_md_final(md_ctx);
516 if (info_ex) {
517 iv = xallocc(s->ike.ivlen);
518 memcpy(iv, gcry_md_read(md_ctx, 0), s->ike.ivlen);
519 } else {
520 memcpy(s->ike.current_iv, gcry_md_read(md_ctx, 0), s->ike.ivlen);
521 memcpy(s->ike.current_iv_msgid, block + ISAKMP_MESSAGE_ID_O, 4);
522 }
523 gcry_md_close(md_ctx);
524 } else if (info_ex) {
525 abort();
526 }
527
528 if (!info_ex) {
529 iv = s->ike.current_iv;
530 }
531
532 new_iv = xallocc(s->ike.ivlen);
533 gcry_cipher_open(&cry_ctx, s->ike.cry_algo, GCRY_CIPHER_MODE_CBC, 0);
534 gcry_cipher_setkey(cry_ctx, s->ike.key, s->ike.keylen);
535 gcry_cipher_setiv(cry_ctx, iv, s->ike.ivlen);
536 if (!enc) {
537 memcpy(new_iv, block + blocklen - s->ike.ivlen, s->ike.ivlen);
538 gcry_cipher_decrypt(cry_ctx, block + ISAKMP_PAYLOAD_O, blocklen - ISAKMP_PAYLOAD_O,
539 NULL, 0);
540 if (!info_ex)
541 memcpy(s->ike.current_iv, new_iv, s->ike.ivlen);
542 } else {
543 gcry_cipher_encrypt(cry_ctx, block + ISAKMP_PAYLOAD_O, blocklen - ISAKMP_PAYLOAD_O,
544 NULL, 0);
545 if (!info_ex)
546 memcpy(s->ike.current_iv, block + blocklen - s->ike.ivlen, s->ike.ivlen);
547 }
548 gcry_cipher_close(cry_ctx);
549
550 free(new_iv);
551 if (info_ex)
552 free(iv);
553
554 return 0;
555 }
556
557 static uint16_t unpack_verify_phase2(struct sa_block *s, uint8_t * r_packet,
558 size_t r_length, struct isakmp_packet **r_p, const uint8_t * nonce, size_t nonce_size)
559 {
560 struct isakmp_packet *r;
561 int reject = 0;
562
563 *r_p = NULL;
564
565 /* Some users report "payload ... not padded..." errors. It seems that they
566 * are harmless, so ignore and fix the symptom
567 */
568 if (r_length < ISAKMP_PAYLOAD_O ||
569 ((r_length - ISAKMP_PAYLOAD_O) % s->ike.ivlen != 0)) {
570 DEBUG(2, printf("payload too short or not padded: len=%lld, min=%d (ivlen=%lld)\n",
571 (long long)r_length, ISAKMP_PAYLOAD_O, (long long)s->ike.ivlen));
572 hex_dump("Payload", r_packet, r_length, NULL);
573 if (r_length < ISAKMP_PAYLOAD_O ) {
574 return ISAKMP_N_UNEQUAL_PAYLOAD_LENGTHS;
575 }
576 r_length -= (r_length - ISAKMP_PAYLOAD_O) % s->ike.ivlen;
577 }
578
579 reject = isakmp_crypt(s, r_packet, r_length, 0);
580 if (reject != 0)
581 return reject;
582
583 s->ike.life.rx += r_length;
584
585 {
586 r = parse_isakmp_packet(r_packet, r_length, &reject);
587 if (reject != 0) {
588 if (r) free_isakmp_packet(r);
589 return reject;
590 }
591 }
592
593 /* Verify the basic stuff. */
594 if (r->flags != ISAKMP_FLAG_E) {
595 free_isakmp_packet(r);
596 return ISAKMP_N_INVALID_FLAGS;
597 }
598
599 {
600 size_t sz, spos;
601 gcry_md_hd_t hm;
602 unsigned char *expected_hash;
603 struct isakmp_payload *h = r->payload;
604
605 if (h == NULL || h->type != ISAKMP_PAYLOAD_HASH || h->u.hash.length != s->ike.md_len) {
606 free_isakmp_packet(r);
607 return ISAKMP_N_INVALID_HASH_INFORMATION;
608 }
609
610 spos = (ISAKMP_PAYLOAD_O + (r_packet[ISAKMP_PAYLOAD_O + 2] << 8)
611 + r_packet[ISAKMP_PAYLOAD_O + 3]);
612
613 /* Compute the real length based on the payload lengths. */
614 for (sz = spos; r_packet[sz] != 0; sz += r_packet[sz + 2] << 8 | r_packet[sz + 3]) ;
615 sz += r_packet[sz + 2] << 8 | r_packet[sz + 3];
616
617 gcry_md_open(&hm, s->ike.md_algo, GCRY_MD_FLAG_HMAC);
618 gcry_md_setkey(hm, s->ike.skeyid_a, s->ike.md_len);
619 gcry_md_write(hm, r_packet + ISAKMP_MESSAGE_ID_O, 4);
620 if (nonce)
621 gcry_md_write(hm, nonce, nonce_size);
622 gcry_md_write(hm, r_packet + spos, sz - spos);
623 gcry_md_final(hm);
624 expected_hash = gcry_md_read(hm, 0);
625
626 DEBUG(3,printf("hashlen: %lu\n", (unsigned long)s->ike.md_len));
627 DEBUG(3,printf("u.hash.length: %d\n", h->u.hash.length));
628 hex_dump("expected_hash", expected_hash, s->ike.md_len, NULL);
629 hex_dump("h->u.hash.data", h->u.hash.data, s->ike.md_len, NULL);
630
631 reject = 0;
632 if (memcmp(h->u.hash.data, expected_hash, s->ike.md_len) != 0)
633 reject = ISAKMP_N_AUTHENTICATION_FAILED;
634 gcry_md_close(hm);
635 #if 0
636 if (reject != 0) {
637 free_isakmp_packet(r);
638 return reject;
639 }
640 #endif
641 }
642 *r_p = r;
643 return 0;
644 }
645
646 static void
647 phase2_authpacket(struct sa_block *s, struct isakmp_payload *pl,
648 uint8_t exchange_type, uint32_t msgid,
649 uint8_t ** p_flat, size_t * p_size,
650 uint8_t * nonce_i, int ni_len, uint8_t * nonce_r, int nr_len)
651 {
652 struct isakmp_packet *p;
653 uint8_t *pl_flat;
654 size_t pl_size;
655 gcry_md_hd_t hm;
656 uint8_t msgid_sent[4];
657
658 /* Build up the packet. */
659 p = new_isakmp_packet();
660 memcpy(p->i_cookie, s->ike.i_cookie, ISAKMP_COOKIE_LENGTH);
661 memcpy(p->r_cookie, s->ike.r_cookie, ISAKMP_COOKIE_LENGTH);
662 p->flags = ISAKMP_FLAG_E;
663 p->isakmp_version = ISAKMP_VERSION;
664 p->exchange_type = exchange_type;
665 p->message_id = msgid;
666 p->payload = new_isakmp_payload(ISAKMP_PAYLOAD_HASH);
667 p->payload->next = pl;
668 p->payload->u.hash.length = s->ike.md_len;
669 p->payload->u.hash.data = xallocc(s->ike.md_len);
670
671 /* Set the MAC. */
672 gcry_md_open(&hm, s->ike.md_algo, GCRY_MD_FLAG_HMAC);
673 gcry_md_setkey(hm, s->ike.skeyid_a, s->ike.md_len);
674
675 if (pl == NULL) {
676 DEBUG(3, printf("authing NULL package!\n"));
677 gcry_md_write(hm, "" /* \0 */ , 1);
678 }
679
680 msgid_sent[0] = msgid >> 24;
681 msgid_sent[1] = msgid >> 16;
682 msgid_sent[2] = msgid >> 8;
683 msgid_sent[3] = msgid;
684 gcry_md_write(hm, msgid_sent, sizeof(msgid_sent));
685
686 if (nonce_i != NULL)
687 gcry_md_write(hm, nonce_i, ni_len);
688
689 if (nonce_r != NULL)
690 gcry_md_write(hm, nonce_r, nr_len);
691
692 if (pl != NULL) {
693 flatten_isakmp_payloads(pl, &pl_flat, &pl_size);
694 gcry_md_write(hm, pl_flat, pl_size);
695 memset(pl_flat, 0, pl_size);
696 free(pl_flat);
697 }
698
699 gcry_md_final(hm);
700 memcpy(p->payload->u.hash.data, gcry_md_read(hm, 0), s->ike.md_len);
701 gcry_md_close(hm);
702
703 flatten_isakmp_packet(p, p_flat, p_size, s->ike.ivlen);
704 free_isakmp_packet(p);
705 }
706
707 static void sendrecv_phase2(struct sa_block *s, struct isakmp_payload *pl,
708 uint8_t exchange_type, uint32_t msgid, int sendonly,
709 uint8_t * nonce_i, int ni_len, uint8_t * nonce_r, int nr_len)
710 {
711 uint8_t *p_flat;
712 size_t p_size;
713 ssize_t recvlen;
714
715 phase2_authpacket(s, pl, exchange_type, msgid, &p_flat, &p_size,
716 nonce_i, ni_len, nonce_r, nr_len);
717 isakmp_crypt(s, p_flat, p_size, 1);
718 s->ike.life.tx += p_size;
719
720 recvlen = sendrecv(s, r_packet, sizeof(r_packet), p_flat, p_size, sendonly);
721 if (sendonly == 0)
722 r_length = recvlen;
723
724 free(p_flat);
725 }
726
727 void keepalive_ike(struct sa_block *s)
728 {
729 uint32_t msgid;
730
731 gcry_create_nonce((uint8_t *) & msgid, sizeof(msgid));
732 sendrecv_phase2(s, NULL, ISAKMP_EXCHANGE_INFORMATIONAL, msgid, 1, 0, 0, 0, 0);
733 }
734
735 static void send_dpd(struct sa_block *s, int isack, uint32_t seqno)
736 {
737 struct isakmp_payload *pl;
738 uint32_t msgid;
739
740 pl = new_isakmp_payload(ISAKMP_PAYLOAD_N);
741 pl->u.n.doi = ISAKMP_DOI_IPSEC;
742 pl->u.n.protocol = ISAKMP_IPSEC_PROTO_ISAKMP;
743 pl->u.n.type = isack ? ISAKMP_N_R_U_THERE_ACK : ISAKMP_N_R_U_THERE;
744 pl->u.n.spi_length = 2 * ISAKMP_COOKIE_LENGTH;
745 pl->u.n.spi = xallocc(2 * ISAKMP_COOKIE_LENGTH);
746 memcpy(pl->u.n.spi + ISAKMP_COOKIE_LENGTH * 0, s->ike.i_cookie, ISAKMP_COOKIE_LENGTH);
747 memcpy(pl->u.n.spi + ISAKMP_COOKIE_LENGTH * 1, s->ike.r_cookie, ISAKMP_COOKIE_LENGTH);
748 pl->u.n.data_length = 4;
749 pl->u.n.data = xallocc(4);
750 *((uint32_t *) pl->u.n.data) = htonl(seqno);
751 gcry_create_nonce((uint8_t *) & msgid, sizeof(msgid));
752 /* 2007-09-06 JKU/ZID: Sonicwall drops non hashed r_u_there-requests */
753 sendrecv_phase2(s, pl, ISAKMP_EXCHANGE_INFORMATIONAL, msgid,
754 1 , NULL, 0, NULL, 0);
755 }
756
757 void dpd_ike(struct sa_block *s)
758 {
759 if (!s->ike.do_dpd)
760 return;
761
762 if (s->ike.dpd_seqno == s->ike.dpd_seqno_ack) {
763 /* Increase the sequence number, reset the attempts to 6, record
764 ** the current time and send a dpd request
765 */
766 s->ike.dpd_attempts = 6;
767 s->ike.dpd_sent = time(NULL);
768 s->ike.dpd_seqno++;
769 send_dpd(s, 0, s->ike.dpd_seqno);
770 } else {
771 /* Our last dpd request has not yet been acked. If it's been
772 ** less than 5 seconds since we sent it do nothing. Otherwise
773 ** decrement dpd_attempts. If dpd_attempts is 0 dpd fails and we
774 ** terminate otherwise we send it again with the same sequence
775 ** number and record current time.
776 */
777 time_t now = time(NULL);
778 if (now < s->ike.dpd_sent + 5)
779 return;
780 if (--s->ike.dpd_attempts == 0) {
781 DEBUG(2, printf("dead peer detected, terminating\n"));
782 do_kill = -2;
783 return;
784 }
785 s->ike.dpd_sent = now;
786 send_dpd(s, 0, s->ike.dpd_seqno);
787 }
788 }
789
790 static void send_delete_ipsec(struct sa_block *s)
791 {
792 /* 2007-08-31 JKU/ZID: Sonicwall doesn't like the chained
793 * request but wants them split. Cisco does fine with it. */
794 DEBUGTOP(2, printf("S7.10 send ipsec termination message\n"));
795 {
796 struct isakmp_payload *d_ipsec;
797 uint8_t del_msgid;
798
799 gcry_create_nonce((uint8_t *) & del_msgid, sizeof(del_msgid));
800 d_ipsec = new_isakmp_payload(ISAKMP_PAYLOAD_D);
801 d_ipsec->u.d.doi = ISAKMP_DOI_IPSEC;
802 d_ipsec->u.d.protocol = ISAKMP_IPSEC_PROTO_IPSEC_ESP;
803 d_ipsec->u.d.spi_length = 4;
804 d_ipsec->u.d.num_spi = 2;
805 d_ipsec->u.d.spi = xallocc(2 * sizeof(uint8_t *));
806 d_ipsec->u.d.spi[0] = xallocc(d_ipsec->u.d.spi_length);
807 memcpy(d_ipsec->u.d.spi[0], &s->ipsec.rx.spi, 4);
808 d_ipsec->u.d.spi[1] = xallocc(d_ipsec->u.d.spi_length);
809 memcpy(d_ipsec->u.d.spi[1], &s->ipsec.tx.spi, 4);
810 sendrecv_phase2(s, d_ipsec, ISAKMP_EXCHANGE_INFORMATIONAL,
811 del_msgid, 1, NULL, 0, NULL, 0);
812 }
813 }
814
815 static void send_delete_isakmp(struct sa_block *s)
816 {
817 DEBUGTOP(2, printf("S7.11 send isakmp termination message\n"));
818 {
819 struct isakmp_payload *d_isakmp;
820 uint8_t del_msgid;
821
822 gcry_create_nonce((uint8_t *) & del_msgid, sizeof(del_msgid));
823 d_isakmp = new_isakmp_payload(ISAKMP_PAYLOAD_D);
824 d_isakmp->u.d.doi = ISAKMP_DOI_IPSEC;
825 d_isakmp->u.d.protocol = ISAKMP_IPSEC_PROTO_ISAKMP;
826 d_isakmp->u.d.spi_length = 2 * ISAKMP_COOKIE_LENGTH;
827 d_isakmp->u.d.num_spi = 1;
828 d_isakmp->u.d.spi = xallocc(1 * sizeof(uint8_t *));
829 d_isakmp->u.d.spi[0] = xallocc(2 * ISAKMP_COOKIE_LENGTH);
830 memcpy(d_isakmp->u.d.spi[0] + ISAKMP_COOKIE_LENGTH * 0, s->ike.i_cookie,
831 ISAKMP_COOKIE_LENGTH);
832 memcpy(d_isakmp->u.d.spi[0] + ISAKMP_COOKIE_LENGTH * 1, s->ike.r_cookie,
833 ISAKMP_COOKIE_LENGTH);
834 sendrecv_phase2(s, d_isakmp, ISAKMP_EXCHANGE_INFORMATIONAL,
835 del_msgid, 1, NULL, 0, NULL, 0);
836 }
837 }
838
839 static void phase2_fatal(struct sa_block *s, const char *msg, int id)
840 {
841 struct isakmp_payload *pl;
842 uint32_t msgid;
843
844 DEBUG(1, printf("\n\n---!!!!!!!!! entering phase2_fatal !!!!!!!!!---\n\n\n"));
845 gcry_create_nonce((uint8_t *) & msgid, sizeof(msgid));
846 pl = new_isakmp_payload(ISAKMP_PAYLOAD_N);
847 pl->u.n.doi = ISAKMP_DOI_IPSEC;
848 pl->u.n.protocol = ISAKMP_IPSEC_PROTO_ISAKMP;
849 pl->u.n.type = id;
850 sendrecv_phase2(s, pl, ISAKMP_EXCHANGE_INFORMATIONAL, msgid, 1, 0, 0, 0, 0);
851
852 send_delete_isakmp(s);
853
854 error(1, 0, msg, val_to_string(id, isakmp_notify_enum_array), id);
855 }
856
857 static uint8_t *gen_keymat(struct sa_block *s,
858 uint8_t protocol, uint32_t spi,
859 const uint8_t * dh_shared, size_t dh_size,
860 const uint8_t * ni_data, size_t ni_size, const uint8_t * nr_data, size_t nr_size)
861 {
862 gcry_md_hd_t hm;
863 uint8_t *block;
864 int i;
865 int blksz;
866 int cnt;
867
868 blksz = s->ipsec.md_len + s->ipsec.key_len;
869 cnt = (blksz + s->ike.md_len - 1) / s->ike.md_len;
870 block = xallocc(cnt * s->ike.md_len);
871 DEBUG(3, printf("generating %d bytes keymat (cnt=%d)\n", blksz, cnt));
872 if (cnt < 1)
873 abort();
874
875 for (i = 0; i < cnt; i++) {
876 gcry_md_open(&hm, s->ike.md_algo, GCRY_MD_FLAG_HMAC);
877 gcry_md_setkey(hm, s->ike.skeyid_d, s->ike.md_len);
878 if (i != 0)
879 gcry_md_write(hm, block + (i - 1) * s->ike.md_len, s->ike.md_len);
880 if (dh_shared != NULL)
881 gcry_md_write(hm, dh_shared, dh_size);
882 gcry_md_write(hm, &protocol, 1);
883 gcry_md_write(hm, (uint8_t *) & spi, sizeof(spi));
884 gcry_md_write(hm, ni_data, ni_size);
885 gcry_md_write(hm, nr_data, nr_size);
886 gcry_md_final(hm);
887 memcpy(block + i * s->ike.md_len, gcry_md_read(hm, 0), s->ike.md_len);
888 gcry_md_close(hm);
889 }
890 return block;
891 }
892
893 static int mask_to_masklen(struct in_addr mask)
894 {
895 int len;
896 uint32_t addr;
897
898 addr = ntohl(mask.s_addr);
899 for (len = 0; addr; addr <<= 1, len++)
900 ;
901 return len;
902 }
903
904 static int do_config_to_env(struct sa_block *s, struct isakmp_attribute *a)
905 {
906 int i;
907 int reject = 0;
908 int seen_address = 0;
909 char *strbuf, *strbuf2;
910
911 unsetenv("CISCO_BANNER");
912 unsetenv("CISCO_DEF_DOMAIN");
913 unsetenv("CISCO_SPLIT_INC");
914 unsetenv("CISCO_IPV6_SPLIT_INC");
915 unsetenv("INTERNAL_IP4_NBNS");
916 unsetenv("INTERNAL_IP4_DNS");
917 unsetenv("INTERNAL_IP4_NETMASK");
918 unsetenv("INTERNAL_IP4_ADDRESS");
919 unsetenv("INTERNAL_IP6_DNS");
920 unsetenv("INTERNAL_IP6_NETMASK");
921 unsetenv("INTERNAL_IP6_ADDRESS");
922
923 for (; a && reject == 0; a = a->next)
924 switch (a->type) {
925 case ISAKMP_MODECFG_ATTRIB_INTERNAL_IP4_ADDRESS:
926 if (a->af != isakmp_attr_lots || a->u.lots.length != 4)
927 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
928 else {
929 addenv_ipv4("INTERNAL_IP4_ADDRESS", a->u.lots.data);
930 memcpy(&s->our_address, a->u.lots.data, 4);
931 }
932 seen_address = 1;
933 break;
934
935 case ISAKMP_MODECFG_ATTRIB_INTERNAL_IP4_NETMASK:
936 if (a->af == isakmp_attr_lots && a->u.lots.length == 0) {
937 DEBUG(2, printf("ignoring zero length netmask\n"));
938 continue;
939 }
940 if (a->af != isakmp_attr_lots || a->u.lots.length != 4)
941 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
942 else {
943 uint32_t netaddr = s->our_address.s_addr & ((struct in_addr *)(a->u.lots.data))->s_addr;
944 addenv_ipv4("INTERNAL_IP4_NETMASK", a->u.lots.data);
945 asprintf(&strbuf, "%d", mask_to_masklen(*((struct in_addr *)a->u.lots.data)));
946 setenv("INTERNAL_IP4_NETMASKLEN", strbuf, 1);
947 free(strbuf);
948 addenv_ipv4("INTERNAL_IP4_NETADDR", (uint8_t *)&netaddr);
949 }
950 break;
951
952 case ISAKMP_MODECFG_ATTRIB_INTERNAL_IP4_DNS:
953 if (a->af != isakmp_attr_lots || a->u.lots.length != 4)
954 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
955 else
956 addenv_ipv4("INTERNAL_IP4_DNS", a->u.lots.data);
957 break;
958
959 case ISAKMP_MODECFG_ATTRIB_INTERNAL_IP4_NBNS:
960 if (a->af != isakmp_attr_lots || a->u.lots.length != 4)
961 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
962 else
963 addenv_ipv4("INTERNAL_IP4_NBNS", a->u.lots.data);
964 break;
965
966 case ISAKMP_MODECFG_ATTRIB_CISCO_DEF_DOMAIN:
967 if (a->af != isakmp_attr_lots) {
968 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
969 break;
970 }
971 strbuf = xallocc(a->u.lots.length + 1);
972 memcpy(strbuf, a->u.lots.data, a->u.lots.length);
973 addenv("CISCO_DEF_DOMAIN", strbuf);
974 free(strbuf);
975 break;
976
977 case ISAKMP_MODECFG_ATTRIB_CISCO_BANNER:
978 if (a->af != isakmp_attr_lots) {
979 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
980 break;
981 }
982 strbuf = xallocc(a->u.lots.length + 1);
983 memcpy(strbuf, a->u.lots.data, a->u.lots.length);
984 addenv("CISCO_BANNER", strbuf);
985 free(strbuf);
986 DEBUG(1, printf("Banner: "));
987 DEBUG(1, fwrite(a->u.lots.data, a->u.lots.length, 1, stdout));
988 DEBUG(1, printf("\n"));
989 break;
990
991 case ISAKMP_MODECFG_ATTRIB_APPLICATION_VERSION:
992 DEBUG(2, printf("Remote Application Version: "));
993 DEBUG(2, fwrite(a->u.lots.data, a->u.lots.length, 1, stdout));
994 DEBUG(2, printf("\n"));
995 break;
996
997 case ISAKMP_MODECFG_ATTRIB_CISCO_DO_PFS:
998 if (a->af != isakmp_attr_16)
999 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
1000 else {
1001 s->ipsec.do_pfs = a->u.attr_16;
1002 DEBUG(2, printf("got pfs setting: %d\n", s->ipsec.do_pfs));
1003 }
1004 break;
1005
1006 case ISAKMP_MODECFG_ATTRIB_CISCO_UDP_ENCAP_PORT:
1007 if (a->af != isakmp_attr_16)
1008 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
1009 else {
1010 s->ipsec.peer_udpencap_port = a->u.attr_16;
1011 DEBUG(2, printf("got peer udp encapsulation port: %hu\n", s->ipsec.peer_udpencap_port));
1012 }
1013 break;
1014
1015 case ISAKMP_MODECFG_ATTRIB_CISCO_SPLIT_INC:
1016 if (a->af != isakmp_attr_acl) {
1017 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
1018 break;
1019 }
1020
1021 DEBUG(2, printf("got %d acls for split include\n", a->u.acl.count));
1022 asprintf(&strbuf, "%d", a->u.acl.count);
1023 setenv("CISCO_SPLIT_INC", strbuf, 1);
1024 free(strbuf);
1025
1026 for (i = 0; i < a->u.acl.count; i++) {
1027 DEBUG(2, printf("acl %d: ", i));
1028 /* NOTE: inet_ntoa returns one static buffer */
1029
1030 asprintf(&strbuf, "CISCO_SPLIT_INC_%d_ADDR", i);
1031 asprintf(&strbuf2, "%s", inet_ntoa(a->u.acl.acl_ent[i].addr));
1032 DEBUG(2, printf("addr: %s/", strbuf2));
1033 setenv(strbuf, strbuf2, 1);
1034 free(strbuf); free(strbuf2);
1035
1036 asprintf(&strbuf, "CISCO_SPLIT_INC_%d_MASK", i);
1037 asprintf(&strbuf2, "%s", inet_ntoa(a->u.acl.acl_ent[i].mask));
1038 DEBUG(2, printf("%s ", strbuf2));
1039 setenv(strbuf, strbuf2, 1);
1040 free(strbuf); free(strbuf2);
1041
1042 /* this is just here because ip route does not accept netmasks */
1043 asprintf(&strbuf, "CISCO_SPLIT_INC_%d_MASKLEN", i);
1044 asprintf(&strbuf2, "%d", mask_to_masklen(a->u.acl.acl_ent[i].mask));
1045 DEBUG(2, printf("(%s), ", strbuf2));
1046 setenv(strbuf, strbuf2, 1);
1047 free(strbuf); free(strbuf2);
1048
1049 asprintf(&strbuf, "CISCO_SPLIT_INC_%d_PROTOCOL", i);
1050 asprintf(&strbuf2, "%hu", a->u.acl.acl_ent[i].protocol);
1051 DEBUG(2, printf("protocol: %s, ", strbuf2));
1052 setenv(strbuf, strbuf2, 1);
1053 free(strbuf); free(strbuf2);
1054
1055 asprintf(&strbuf, "CISCO_SPLIT_INC_%d_SPORT", i);
1056 asprintf(&strbuf2, "%hu", a->u.acl.acl_ent[i].sport);
1057 DEBUG(2, printf("sport: %s, ", strbuf2));
1058 setenv(strbuf, strbuf2, 1);
1059 free(strbuf); free(strbuf2);
1060
1061 asprintf(&strbuf, "CISCO_SPLIT_INC_%d_DPORT", i);
1062 asprintf(&strbuf2, "%hu", a->u.acl.acl_ent[i].dport);
1063 DEBUG(2, printf("dport: %s\n", strbuf2));
1064 setenv(strbuf, strbuf2, 1);
1065 free(strbuf); free(strbuf2);
1066 }
1067 break;
1068
1069 case ISAKMP_MODECFG_ATTRIB_CISCO_SAVE_PW:
1070 DEBUG(2, printf("got save password setting: %d\n", a->u.attr_16));
1071 break;
1072
1073 default:
1074 DEBUG(2, printf("unknown attribute %d / 0x%X\n", a->type, a->type));
1075 break;
1076 }
1077
1078 if (reject == 0 && !seen_address)
1079 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
1080
1081 return reject;
1082 }
1083
1084 /* * */
1085
1086 static struct isakmp_attribute *make_transform_ike(int dh_group, int crypt, int hash, int keylen, int auth)
1087 {
1088 struct isakmp_attribute *a = NULL;
1089
1090 a = new_isakmp_attribute(IKE_ATTRIB_LIFE_DURATION, a);
1091 a->af = isakmp_attr_lots;
1092 a->u.lots.length = 4;
1093 a->u.lots.data = xallocc(a->u.lots.length);
1094 *((uint32_t *) a->u.lots.data) = htonl(2147483);
1095 a = new_isakmp_attribute_16(IKE_ATTRIB_LIFE_TYPE, IKE_LIFE_TYPE_SECONDS, a);
1096 a = new_isakmp_attribute_16(IKE_ATTRIB_AUTH_METHOD, auth, a);
1097 a = new_isakmp_attribute_16(IKE_ATTRIB_GROUP_DESC, dh_group, a);
1098 a = new_isakmp_attribute_16(IKE_ATTRIB_HASH, hash, a);
1099 a = new_isakmp_attribute_16(IKE_ATTRIB_ENC, crypt, a);
1100 if (keylen != 0)
1101 a = new_isakmp_attribute_16(IKE_ATTRIB_KEY_LENGTH, keylen, a);
1102 return a;
1103 }
1104
1105 static struct isakmp_payload *make_our_sa_ike(void)
1106 {
1107 struct isakmp_payload *r = new_isakmp_payload(ISAKMP_PAYLOAD_SA);
1108 struct isakmp_payload *t = NULL, *tn;
1109 struct isakmp_attribute *a;
1110 int dh_grp = get_dh_group_ike()->ike_sa_id;
1111 unsigned int auth, crypt, hash, keylen;
1112 int i;
1113
1114 r->u.sa.doi = ISAKMP_DOI_IPSEC;
1115 r->u.sa.situation = ISAKMP_IPSEC_SIT_IDENTITY_ONLY;
1116 r->u.sa.proposals = new_isakmp_payload(ISAKMP_PAYLOAD_P);
1117 r->u.sa.proposals->u.p.prot_id = ISAKMP_IPSEC_PROTO_ISAKMP;
1118 for (auth = 0; supp_auth[auth].name != NULL; auth++) {
1119 if (opt_auth_mode == AUTH_MODE_CERT) {
1120 if ((supp_auth[auth].ike_sa_id != IKE_AUTH_RSA_SIG) &&
1121 (supp_auth[auth].ike_sa_id != IKE_AUTH_DSS))
1122 continue;
1123 } else if (opt_auth_mode == AUTH_MODE_HYBRID) {
1124 if ((supp_auth[auth].ike_sa_id != IKE_AUTH_HybridInitRSA) &&
1125 (supp_auth[auth].ike_sa_id != IKE_AUTH_HybridInitDSS))
1126 continue;
1127 } else {
1128 if (supp_auth[auth].ike_sa_id == IKE_AUTH_HybridInitRSA ||
1129 supp_auth[auth].ike_sa_id == IKE_AUTH_HybridInitDSS ||
1130 supp_auth[auth].ike_sa_id == IKE_AUTH_RSA_SIG ||
1131 supp_auth[auth].ike_sa_id == IKE_AUTH_DSS)
1132 continue;
1133 }
1134 for (crypt = 0; supp_crypt[crypt].name != NULL; crypt++) {
1135 keylen = supp_crypt[crypt].keylen;
1136 for (hash = 0; supp_hash[hash].name != NULL; hash++) {
1137 tn = t;
1138 t = new_isakmp_payload(ISAKMP_PAYLOAD_T);
1139 t->u.t.id = ISAKMP_IPSEC_KEY_IKE;
1140 a = make_transform_ike(dh_grp, supp_crypt[crypt].ike_sa_id,
1141 supp_hash[hash].ike_sa_id, keylen, supp_auth[auth].ike_sa_id);
1142 t->u.t.attributes = a;
1143 t->next = tn;
1144 }
1145 }
1146 }
1147 for (i = 0, tn = t; tn; tn = tn->next)
1148 tn->u.t.number = i++;
1149 r->u.sa.proposals->u.p.transforms = t;
1150 return r;
1151 }
1152
1153 static void lifetime_ike_process(struct sa_block *s, struct isakmp_attribute *a)
1154 {
1155 uint32_t value;
1156
1157 assert(a != NULL);
1158 assert(a->type == IKE_ATTRIB_LIFE_TYPE);
1159 assert(a->af == isakmp_attr_16);
1160 assert(a->u.attr_16 == IKE_LIFE_TYPE_SECONDS || a->u.attr_16 == IKE_LIFE_TYPE_K);
1161 assert(a->next != NULL);
1162 assert(a->next->type == IKE_ATTRIB_LIFE_DURATION);
1163
1164 if (a->next->af == isakmp_attr_16)
1165 value = a->next->u.attr_16;
1166 else if (a->next->af == isakmp_attr_lots && a->next->u.lots.length == 4)
1167 value = ntohl(*((uint32_t *) a->next->u.lots.data));
1168 else {
1169 DEBUG(2, printf("got unknown ike lifetime attributes af %d len %d\n",
1170 a->next->af, a->next->u.lots.length));
1171 return;
1172 }
1173
1174 DEBUG(2, printf("got ike lifetime attributes: %d %s\n", value,
1175 (a->u.attr_16 == IKE_LIFE_TYPE_SECONDS) ? "seconds" : "kilobyte"));
1176
1177 if (a->u.attr_16 == IKE_LIFE_TYPE_SECONDS)
1178 s->ike.life.seconds = value;
1179 else
1180 s->ike.life.kbytes = value;
1181 }
1182
1183 static void lifetime_ipsec_process(struct sa_block *s, struct isakmp_attribute *a)
1184 {
1185 uint32_t value;
1186
1187 assert(a != NULL);
1188 assert(a->type == ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE);
1189 assert(a->af == isakmp_attr_16);
1190 assert(a->u.attr_16 == IPSEC_LIFE_SECONDS || a->u.attr_16 == IPSEC_LIFE_K);
1191 assert(a->next != NULL);
1192 assert(a->next->type == ISAKMP_IPSEC_ATTRIB_SA_LIFE_DURATION);
1193
1194 if (a->next->af == isakmp_attr_16)
1195 value = a->next->u.attr_16;
1196 else if (a->next->af == isakmp_attr_lots && a->next->u.lots.length == 4)
1197 value = ntohl(*((uint32_t *) a->next->u.lots.data));
1198 else
1199 assert(0);
1200
1201 DEBUG(2, printf("got ipsec lifetime attributes: %d %s\n", value,
1202 (a->u.attr_16 == IPSEC_LIFE_SECONDS) ? "seconds" : "kilobyte"));
1203
1204 if (a->u.attr_16 == IPSEC_LIFE_SECONDS)
1205 s->ipsec.life.seconds = value;
1206 else
1207 s->ipsec.life.kbytes = value;
1208
1209 /* FIXME: for notice-payloads: write a seperate function to handle them */
1210 /* bug: this may process lifetime-attributes of SAs twice but to no consequence */
1211 if (a->next->next != NULL && a->next->next->type == ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE)
1212 lifetime_ipsec_process(s, a->next->next);
1213 }
1214
1215 static void do_phase1_am_init(struct sa_block *s)
1216 {
1217
1218 s->ike.natd_type = 0;
1219 s->ike.natd_us = s->ike.natd_them = NULL;
1220 s->ike.sa_f = s->ike.idi_f = NULL;
1221
1222 DEBUGTOP(2, printf("S4.1 create_nonce\n"));
1223 gcry_create_nonce(s->ike.i_cookie, ISAKMP_COOKIE_LENGTH);
1224 s->ike.life.start = time(NULL);
1225 s->ipsec.do_pfs = -1;
1226 if (s->ike.i_cookie[0] == 0)
1227 s->ike.i_cookie[0] = 1;
1228 hex_dump("i_cookie", s->ike.i_cookie, ISAKMP_COOKIE_LENGTH, NULL);
1229 gcry_create_nonce(s->ike.i_nonce, sizeof(s->ike.i_nonce));
1230 hex_dump("i_nonce", s->ike.i_nonce, sizeof(s->ike.i_nonce), NULL);
1231 DEBUGTOP(2, printf("S4.2 dh setup\n"));
1232 /* Set up the Diffie-Hellman stuff. */
1233 {
1234 s->ike.dh_grp = group_get(get_dh_group_ike()->my_id);
1235 s->ike.dh_public = xallocc(dh_getlen(s->ike.dh_grp));
1236 dh_create_exchange(s->ike.dh_grp, s->ike.dh_public);
1237 hex_dump("dh_public", s->ike.dh_public, dh_getlen(s->ike.dh_grp), NULL);
1238 }
1239
1240 }
1241
1242 static void do_phase1_am_packet1(struct sa_block *s, const char *key_id)
1243 {
1244 DEBUGTOP(2, printf("S4.3 AM packet_1\n"));
1245 /* Create the first packet. */
1246 {
1247 struct isakmp_packet *p1;
1248 struct isakmp_payload *l;
1249 uint8_t *pkt;
1250 size_t pkt_len;
1251
1252 p1 = new_isakmp_packet();
1253 memcpy(p1->i_cookie, s->ike.i_cookie, ISAKMP_COOKIE_LENGTH);
1254 p1->isakmp_version = ISAKMP_VERSION;
1255 p1->exchange_type = ISAKMP_EXCHANGE_AGGRESSIVE;
1256 p1->payload = l = make_our_sa_ike();
1257 flatten_isakmp_payload(l, &s->ike.sa_f, &s->ike.sa_size);
1258 l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_KE, s->ike.dh_public, dh_getlen(s->ike.dh_grp));
1259 l->next->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_NONCE,
1260 s->ike.i_nonce, sizeof(s->ike.i_nonce));
1261 l = l->next->next;
1262 l->next = new_isakmp_payload(ISAKMP_PAYLOAD_ID);
1263 l = l->next;
1264 if (opt_vendor == VENDOR_CISCO)
1265 l->u.id.type = ISAKMP_IPSEC_ID_KEY_ID;
1266 else
1267 l->u.id.type = ISAKMP_IPSEC_ID_USER_FQDN;
1268 l->u.id.protocol = IPPROTO_UDP;
1269 l->u.id.port = ISAKMP_PORT; /* this must be 500, see rfc2407, 4.6.2 */
1270 l->u.id.length = strlen(key_id);
1271 l->u.id.data = xallocc(l->u.id.length);
1272 memcpy(l->u.id.data, key_id, strlen(key_id));
1273 flatten_isakmp_payload(l, &s->ike.idi_f, &s->ike.idi_size);
1274 l = l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID,
1275 VID_XAUTH, sizeof(VID_XAUTH));
1276 l = l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID,
1277 VID_UNITY, sizeof(VID_UNITY));
1278 if ((opt_natt_mode == NATT_NORMAL) || (opt_natt_mode == NATT_FORCE)) {
1279 l = l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID,
1280 VID_NATT_RFC, sizeof(VID_NATT_RFC));
1281 l = l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID,
1282 VID_NATT_03, sizeof(VID_NATT_03));
1283 l = l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID,
1284 VID_NATT_02N, sizeof(VID_NATT_02N));
1285 l = l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID,
1286 VID_NATT_02, sizeof(VID_NATT_02));
1287 l = l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID,
1288 VID_NATT_01, sizeof(VID_NATT_01));
1289 l = l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID,
1290 VID_NATT_00, sizeof(VID_NATT_00));
1291 }
1292 s->ike.dpd_idle = atoi(config[CONFIG_DPD_IDLE]);
1293 if (s->ike.dpd_idle != 0) {
1294 if (s->ike.dpd_idle < 10)
1295 s->ike.dpd_idle = 10;
1296 if (s->ike.dpd_idle > 86400)
1297 s->ike.dpd_idle = 86400;
1298 l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID,
1299 VID_DPD, sizeof(VID_DPD));
1300 }
1301 flatten_isakmp_packet(p1, &pkt, &pkt_len, 0);
1302 free_isakmp_packet(p1);
1303
1304 /* Now, send that packet and receive a new one. */
1305 r_length = sendrecv(s, r_packet, sizeof(r_packet), pkt, pkt_len, 0);
1306 free(pkt);
1307 }
1308 }
1309
1310 static void do_phase1_am_packet2(struct sa_block *s, const char *shared_key)
1311 {
1312 DEBUGTOP(2, printf("S4.4 AM_packet2\n"));
1313 /* Decode the recieved packet. */
1314 {
1315 int reject, ret;
1316 struct isakmp_packet *r;
1317 struct isakmp_payload *rp;
1318 struct isakmp_payload *nonce = NULL;
1319 struct isakmp_payload *ke = NULL;
1320 struct isakmp_payload *hash = NULL;
1321 struct isakmp_payload *sig = NULL;
1322 struct isakmp_payload *idp = NULL;
1323 int seen_sa = 0;
1324 uint8_t *psk_skeyid;
1325 uint8_t *skeyid;
1326 gcry_md_hd_t skeyid_ctx;
1327 uint8_t *dh_shared_secret;
1328 int seen_natd = 0, seen_natd_them = 0, seen_natd_us = 0;
1329 int natt_draft = -1;
1330 crypto_ctx *cctx;
1331 crypto_error *crerr = NULL;
1332
1333 cctx = crypto_ctx_new (&crerr);
1334 if (crerr)
1335 crypto_call_error(crerr);
1336
1337 reject = 0;
1338 r = parse_isakmp_packet(r_packet, r_length, &reject);
1339
1340 /* Verify the correctness of the recieved packet. */
1341 if (reject == 0 && memcmp(r->i_cookie, s->ike.i_cookie, ISAKMP_COOKIE_LENGTH) != 0)
1342 reject = ISAKMP_N_INVALID_COOKIE;
1343 if (reject == 0)
1344 memcpy(s->ike.r_cookie, r->r_cookie, ISAKMP_COOKIE_LENGTH);
1345 if (reject == 0 && r->exchange_type != ISAKMP_EXCHANGE_AGGRESSIVE)
1346 reject = ISAKMP_N_INVALID_EXCHANGE_TYPE;
1347 if (reject == 0 && r->flags != 0)
1348 reject = ISAKMP_N_INVALID_FLAGS;
1349 if (reject == 0 && r->message_id != 0)
1350 reject = ISAKMP_N_INVALID_MESSAGE_ID;
1351 if (reject != 0)
1352 error(1, 0, "response was invalid [1]: %s(%d)", val_to_string(reject, isakmp_notify_enum_array), reject);
1353 for (rp = r->payload; rp && reject == 0; rp = rp->next)
1354 switch (rp->type) {
1355 case ISAKMP_PAYLOAD_SA:
1356 if (reject == 0 && rp->u.sa.doi != ISAKMP_DOI_IPSEC)
1357 reject = ISAKMP_N_DOI_NOT_SUPPORTED;
1358 if (reject == 0 &&
1359 rp->u.sa.situation != ISAKMP_IPSEC_SIT_IDENTITY_ONLY)
1360 reject = ISAKMP_N_SITUATION_NOT_SUPPORTED;
1361 if (reject == 0 &&
1362 (rp->u.sa.proposals == NULL
1363 || rp->u.sa.proposals->next != NULL))
1364 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
1365 if (reject == 0 &&
1366 rp->u.sa.proposals->u.p.prot_id !=
1367 ISAKMP_IPSEC_PROTO_ISAKMP)
1368 reject = ISAKMP_N_INVALID_PROTOCOL_ID;
1369 if (reject == 0 && rp->u.sa.proposals->u.p.spi_size != 0)
1370 reject = ISAKMP_N_INVALID_SPI;
1371 if (reject == 0 &&
1372 (rp->u.sa.proposals->u.p.transforms == NULL
1373 || rp->u.sa.proposals->u.p.transforms->next !=
1374 NULL))
1375 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
1376 if (reject == 0 &&
1377 (rp->u.sa.proposals->u.p.transforms->u.t.id
1378 != ISAKMP_IPSEC_KEY_IKE))
1379 reject = ISAKMP_N_INVALID_TRANSFORM_ID;
1380 if (reject == 0) {
1381 struct isakmp_attribute *a
1382 =
1383 rp->u.sa.proposals->u.p.transforms->u.t.attributes;
1384 int seen_enc = 0, seen_hash = 0, seen_auth = 0;
1385 int seen_group = 0, seen_keylen = 0;
1386 for (; a && reject == 0; a = a->next)
1387 switch (a->type) {
1388 case IKE_ATTRIB_GROUP_DESC:
1389 if (a->af == isakmp_attr_16 &&
1390 a->u.attr_16 ==
1391 get_dh_group_ike()->ike_sa_id)
1392 seen_group = 1;
1393 else
1394 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
1395 break;
1396 case IKE_ATTRIB_AUTH_METHOD:
1397 if (a->af == isakmp_attr_16)
1398 seen_auth = a->u.attr_16;
1399 else
1400 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
1401 break;
1402 case IKE_ATTRIB_HASH:
1403 if (a->af == isakmp_attr_16)
1404 seen_hash = a->u.attr_16;
1405 else
1406 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
1407 break;
1408 case IKE_ATTRIB_ENC:
1409 if (a->af == isakmp_attr_16)
1410 seen_enc = a->u.attr_16;
1411 else
1412 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
1413 break;
1414 case IKE_ATTRIB_KEY_LENGTH:
1415 if (a->af == isakmp_attr_16)
1416 seen_keylen = a->u.attr_16;
1417 else
1418 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
1419 break;
1420 case IKE_ATTRIB_LIFE_TYPE:
1421 /* lifetime duration MUST follow lifetype attribute */
1422 if (a->next->type == IKE_ATTRIB_LIFE_DURATION) {
1423 lifetime_ike_process(s, a);
1424 } else
1425 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
1426 break;
1427 case IKE_ATTRIB_LIFE_DURATION:
1428 /* already processed above in IKE_ATTRIB_LIFE_TYPE: */
1429 break;
1430 default:
1431 DEBUG(1, printf
1432 ("unknown attribute %d, arborting..\n",
1433 a->type));
1434 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
1435 break;
1436 }
1437 if (!seen_group || !seen_auth || !seen_hash || !seen_enc)
1438 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
1439
1440 if (get_algo(SUPP_ALGO_AUTH, SUPP_ALGO_IKE_SA, seen_auth,
1441 NULL, 0) == NULL)
1442 reject = ISAKMP_N_NO_PROPOSAL_CHOSEN;
1443 if (get_algo(SUPP_ALGO_HASH, SUPP_ALGO_IKE_SA, seen_hash,
1444 NULL, 0) == NULL)
1445 reject = ISAKMP_N_NO_PROPOSAL_CHOSEN;
1446 if (get_algo(SUPP_ALGO_CRYPT, SUPP_ALGO_IKE_SA, seen_enc,
1447 NULL, seen_keylen) == NULL)
1448 reject = ISAKMP_N_NO_PROPOSAL_CHOSEN;
1449
1450 if (reject == 0) {
1451 seen_sa = 1;
1452 s->ike.auth_algo = seen_auth;
1453 s->ike.cry_algo =
1454 get_algo(SUPP_ALGO_CRYPT, SUPP_ALGO_IKE_SA,
1455 seen_enc, NULL, seen_keylen)->my_id;
1456 s->ike.md_algo =
1457 get_algo(SUPP_ALGO_HASH, SUPP_ALGO_IKE_SA,
1458 seen_hash, NULL, 0)->my_id;
1459 s->ike.md_len = gcry_md_get_algo_dlen(s->ike.md_algo);
1460 DEBUG(1, printf("IKE SA selected %s-%s-%s\n",
1461 get_algo(SUPP_ALGO_AUTH,
1462 SUPP_ALGO_IKE_SA, seen_auth,
1463 NULL, 0)->name,
1464 get_algo(SUPP_ALGO_CRYPT,
1465 SUPP_ALGO_IKE_SA, seen_enc,
1466 NULL, seen_keylen)->name,
1467 get_algo(SUPP_ALGO_HASH,
1468 SUPP_ALGO_IKE_SA, seen_hash,
1469 NULL, 0)->name));
1470 if (s->ike.cry_algo == GCRY_CIPHER_DES && !opt_1des) {
1471 error(1, 0, "peer selected (single) DES as \"encryption\" method.\n"
1472 "This algorithm is considered too weak today\n"
1473 "If your vpn concentrator admin still insists on using DES\n"
1474 "use the \"--enable-1des\" option.\n");
1475 }
1476 }
1477 }
1478 break;
1479
1480 case ISAKMP_PAYLOAD_ID:
1481 idp = rp;
1482 break;
1483 case ISAKMP_PAYLOAD_KE:
1484 ke = rp;
1485 break;
1486 case ISAKMP_PAYLOAD_NONCE:
1487 nonce = rp;
1488 break;
1489 case ISAKMP_PAYLOAD_HASH:
1490 hash = rp;
1491 break;
1492 case ISAKMP_PAYLOAD_CERT:
1493 if (rp->u.cert.encoding == ISAKMP_CERT_X509_SIG) {
1494 hex_dump("cert", rp->u.cert.data, rp->u.cert.length, NULL);
1495
1496 ret = crypto_push_cert(cctx,
1497 (const unsigned char *) rp->u.cert.data,
1498 rp->u.cert.length,
1499 &crerr);
1500 if (ret)
1501 crypto_call_error(crerr);
1502 }
1503 break;
1504 case ISAKMP_PAYLOAD_SIG:
1505 sig = rp;
1506 break;
1507 case ISAKMP_PAYLOAD_VID:
1508 if (rp->u.vid.length == sizeof(VID_XAUTH)
1509 && memcmp(rp->u.vid.data, VID_XAUTH,
1510 sizeof(VID_XAUTH)) == 0) {
1511 DEBUG(2, printf("peer is XAUTH capable (draft-ietf-ipsec-isakmp-xauth-06)\n"));
1512 } else if (rp->u.vid.length == sizeof(VID_NATT_RFC)
1513 && memcmp(rp->u.vid.data, VID_NATT_RFC,
1514 sizeof(VID_NATT_RFC)) == 0) {
1515 if (natt_draft < 1) natt_draft = 2;
1516 DEBUG(2, printf("peer is NAT-T capable (RFC 3947)\n"));
1517 } else if (rp->u.vid.length == sizeof(VID_NATT_03)
1518 && memcmp(rp->u.vid.data, VID_NATT_03,
1519 sizeof(VID_NATT_03)) == 0) {
1520 if (natt_draft < 1) natt_draft = 2;
1521 DEBUG(2, printf("peer is NAT-T capable (draft-03)\n"));
1522 } else if (rp->u.vid.length == sizeof(VID_NATT_02N)
1523 && memcmp(rp->u.vid.data, VID_NATT_02N,
1524 sizeof(VID_NATT_02N)) == 0) {
1525 if (natt_draft < 1) natt_draft = 2;
1526 DEBUG(2, printf("peer is NAT-T capable (draft-02)\\n\n")); /* sic! */
1527 } else if (rp->u.vid.length == sizeof(VID_NATT_02)
1528 && memcmp(rp->u.vid.data, VID_NATT_02,
1529 sizeof(VID_NATT_02)) == 0) {
1530 if (natt_draft < 1) natt_draft = 2;
1531 DEBUG(2, printf("peer is NAT-T capable (draft-02)\n"));
1532 } else if (rp->u.vid.length == sizeof(VID_NATT_01)
1533 && memcmp(rp->u.vid.data, VID_NATT_01,
1534 sizeof(VID_NATT_01)) == 0) {
1535 if (natt_draft < 1) natt_draft = 1;
1536 DEBUG(2, printf("peer is NAT-T capable (draft-01)\n"));
1537 } else if (rp->u.vid.length == sizeof(VID_NATT_00)
1538 && memcmp(rp->u.vid.data, VID_NATT_00,
1539 sizeof(VID_NATT_00)) == 0) {
1540 if (natt_draft < 0) natt_draft = 0;
1541 DEBUG(2, printf("peer is NAT-T capable (draft-00)\n"));
1542 } else if (rp->u.vid.length == sizeof(VID_DPD)
1543 && memcmp(rp->u.vid.data, VID_DPD,
1544 sizeof(VID_DPD)) == 0) {
1545 if (s->ike.dpd_idle != 0) {
1546 gcry_create_nonce(&s->ike.dpd_seqno, sizeof(s->ike.dpd_seqno));
1547 s->ike.dpd_seqno &= 0x7FFFFFFF;
1548 s->ike.dpd_seqno_ack = s->ike.dpd_seqno;
1549 s->ike.do_dpd = 1;
1550 DEBUG(2, printf("peer is DPD capable (RFC3706)\n"));
1551 } else {
1552 DEBUG(2, printf("ignoring that peer is DPD capable (RFC3706)\n"));
1553 }
1554 } else if (rp->u.vid.length == sizeof(VID_NETSCREEN_15)
1555 && memcmp(rp->u.vid.data, VID_NETSCREEN_15,
1556 sizeof(VID_NETSCREEN_15)) == 0) {
1557 DEBUG(2, printf("peer is using ScreenOS 5.3, 5.4 or 6.0\n"));
1558 } else if (rp->u.vid.length == sizeof(VID_HEARTBEAT_NOTIFY)
1559 && memcmp(rp->u.vid.data, VID_HEARTBEAT_NOTIFY,
1560 sizeof(VID_HEARTBEAT_NOTIFY)) == 0) {
1561 DEBUG(2, printf("peer sent Heartbeat Notify payload\n"));
1562 } else {
1563 hex_dump("unknown ISAKMP_PAYLOAD_VID",
1564 rp->u.vid.data, rp->u.vid.length, NULL);
1565 }
1566 break;
1567 case ISAKMP_PAYLOAD_NAT_D_OLD:
1568 case ISAKMP_PAYLOAD_NAT_D:
1569 s->ike.natd_type = rp->type;
1570 DEBUG(2, printf("peer is using type %d%s for NAT-Discovery payloads\n",
1571 s->ike.natd_type, val_to_string(s->ike.natd_type, isakmp_payload_enum_array)));
1572 if (!seen_sa) {
1573 reject = ISAKMP_N_INVALID_PAYLOAD_TYPE;
1574 } else if (opt_natt_mode == NATT_NONE) {
1575 ;
1576 } else if (rp->u.natd.length != s->ike.md_len) {
1577 reject = ISAKMP_N_PAYLOAD_MALFORMED;
1578 } else if (seen_natd == 0) {
1579 gcry_md_hd_t hm;
1580 uint16_t n_dst_port = htons(s->ike.dst_port);
1581
1582 s->ike.natd_us = xallocc(s->ike.md_len);
1583 s->ike.natd_them = xallocc(s->ike.md_len);
1584 memcpy(s->ike.natd_us, rp->u.natd.data, s->ike.md_len);
1585 gcry_md_open(&hm, s->ike.md_algo, 0);
1586 gcry_md_write(hm, s->ike.i_cookie, ISAKMP_COOKIE_LENGTH);
1587 gcry_md_write(hm, s->ike.r_cookie, ISAKMP_COOKIE_LENGTH);
1588 gcry_md_write(hm, &s->dst, sizeof(struct in_addr));
1589 gcry_md_write(hm, &n_dst_port, sizeof(uint16_t));
1590 gcry_md_final(hm);
1591 memcpy(s->ike.natd_them, gcry_md_read(hm, 0), s->ike.md_len);
1592 gcry_md_close(hm);
1593 seen_natd = 1;
1594 } else {
1595 if (memcmp(s->ike.natd_them, rp->u.natd.data, s->ike.md_len) == 0)
1596 seen_natd_them = 1;
1597 }
1598 break;
1599 case ISAKMP_PAYLOAD_N:
1600 if (rp->u.n.type == ISAKMP_N_IPSEC_RESPONDER_LIFETIME) {
1601 if (rp->u.n.protocol == ISAKMP_IPSEC_PROTO_ISAKMP)
1602 lifetime_ike_process(s, rp->u.n.attributes);
1603 else if (rp->u.n.protocol == ISAKMP_IPSEC_PROTO_IPSEC_ESP)
1604 lifetime_ipsec_process(s, rp->u.n.attributes);
1605 else
1606 DEBUG(2, printf("got unknown lifetime notice, ignoring..\n"));
1607 } else {
1608 DEBUG(1, printf("rejecting ISAKMP_PAYLOAD_N, type is not lifetime\n"));
1609 reject = ISAKMP_N_INVALID_PAYLOAD_TYPE;
1610 }
1611 break;
1612 default:
1613 DEBUG(1, printf("rejecting invalid payload type %d\n", rp->type));
1614 reject = ISAKMP_N_INVALID_PAYLOAD_TYPE;
1615 break;
1616 }
1617
1618 if (reject == 0) {
1619 gcry_cipher_algo_info(s->ike.cry_algo, GCRYCTL_GET_BLKLEN, NULL, &(s->ike.ivlen));
1620 gcry_cipher_algo_info(s->ike.cry_algo, GCRYCTL_GET_KEYLEN, NULL, &(s->ike.keylen));
1621 }
1622
1623 if (reject == 0 && (ke == NULL || ke->u.ke.length != dh_getlen(s->ike.dh_grp)))
1624 reject = ISAKMP_N_INVALID_KEY_INFORMATION;
1625 if (reject == 0 && nonce == NULL)
1626 reject = ISAKMP_N_INVALID_HASH_INFORMATION;
1627 if (reject != 0)
1628 error(1, 0, "response was invalid [2]: %s(%d)", val_to_string(reject, isakmp_notify_enum_array), reject);
1629 if (reject == 0 && idp == NULL)
1630 reject = ISAKMP_N_INVALID_ID_INFORMATION;
1631
1632 /* Decide if signature or hash is expected (sig only if vpnc is initiator of hybrid-auth */
1633 if (reject == 0 && opt_auth_mode == AUTH_MODE_PSK && (hash == NULL || hash->u.hash.length != s->ike.md_len))
1634 reject = ISAKMP_N_INVALID_HASH_INFORMATION;
1635 if (reject == 0 && sig == NULL &&
1636 (opt_auth_mode == AUTH_MODE_CERT ||
1637 opt_auth_mode == AUTH_MODE_HYBRID))
1638 reject = ISAKMP_N_INVALID_SIGNATURE;
1639 if (reject != 0)
1640 error(1, 0, "response was invalid [3]: %s(%d)", val_to_string(reject, isakmp_notify_enum_array), reject);
1641
1642 /* Determine the shared secret. */
1643 dh_shared_secret = xallocc(dh_getlen(s->ike.dh_grp));
1644 dh_create_shared(s->ike.dh_grp, dh_shared_secret, ke->u.ke.data);
1645 hex_dump("dh_shared_secret", dh_shared_secret, dh_getlen(s->ike.dh_grp), NULL);
1646 /* Generate SKEYID. */
1647 {
1648 gcry_md_open(&skeyid_ctx, s->ike.md_algo, GCRY_MD_FLAG_HMAC);
1649 gcry_md_setkey(skeyid_ctx, shared_key, strlen(shared_key));
1650 gcry_md_write(skeyid_ctx, s->ike.i_nonce, sizeof(s->ike.i_nonce));
1651 gcry_md_write(skeyid_ctx, nonce->u.nonce.data, nonce->u.nonce.length);
1652 gcry_md_final(skeyid_ctx);
1653 psk_skeyid = xallocc(s->ike.md_len);
1654 memcpy(psk_skeyid, gcry_md_read(skeyid_ctx, 0), s->ike.md_len);
1655 if (opt_debug < 99)
1656 DEBUG(3, printf("(not dumping psk hash)\n"));
1657 else
1658 hex_dump("psk_skeyid", psk_skeyid, s->ike.md_len, NULL);
1659 free(psk_skeyid);
1660 gcry_md_close(skeyid_ctx);
1661 DEBUG(99, printf("shared-key: %s\n",shared_key));
1662
1663 /* SKEYID - psk only */
1664 if (s->ike.auth_algo == IKE_AUTH_PRESHARED ||
1665 s->ike.auth_algo == IKE_AUTH_XAUTHInitPreShared ||
1666 s->ike.auth_algo == IKE_AUTH_XAUTHRespPreShared) {
1667 gcry_md_open(&skeyid_ctx, s->ike.md_algo, GCRY_MD_FLAG_HMAC);
1668 gcry_md_setkey(skeyid_ctx, shared_key, strlen(shared_key));
1669 gcry_md_write(skeyid_ctx, s->ike.i_nonce, sizeof(s->ike.i_nonce));
1670 gcry_md_write(skeyid_ctx, nonce->u.nonce.data, nonce->u.nonce.length);
1671 gcry_md_final(skeyid_ctx);
1672 } else if (s->ike.auth_algo == IKE_AUTH_DSS ||
1673 s->ike.auth_algo == IKE_AUTH_RSA_SIG ||
1674 s->ike.auth_algo == IKE_AUTH_ECDSA_SIG ||
1675 s->ike.auth_algo == IKE_AUTH_HybridInitRSA ||
1676 s->ike.auth_algo == IKE_AUTH_HybridRespRSA ||
1677 s->ike.auth_algo == IKE_AUTH_HybridInitDSS ||
1678 s->ike.auth_algo == IKE_AUTH_HybridRespDSS ||
1679 s->ike.auth_algo == IKE_AUTH_XAUTHInitDSS ||
1680 s->ike.auth_algo == IKE_AUTH_XAUTHRespDSS ||
1681 s->ike.auth_algo == IKE_AUTH_XAUTHInitRSA ||
1682 s->ike.auth_algo == IKE_AUTH_XAUTHRespRSA) {
1683 unsigned char *key;
1684 int key_len;
1685 key_len = sizeof(s->ike.i_nonce) + nonce->u.nonce.length;
1686 key = xallocc(key_len);
1687 memcpy(key, s->ike.i_nonce, sizeof(s->ike.i_nonce));
1688 memcpy(key + sizeof(s->ike.i_nonce), nonce->u.nonce.data, nonce->u.nonce.length);
1689 gcry_md_open(&skeyid_ctx, s->ike.md_algo, GCRY_MD_FLAG_HMAC);
1690 gcry_md_setkey(skeyid_ctx, key, key_len);
1691 gcry_md_write(skeyid_ctx, dh_shared_secret, dh_getlen(s->ike.dh_grp));
1692 gcry_md_final(skeyid_ctx);
1693 } else
1694 error(1, 0, "SKEYID could not be computed: %s", "the selected authentication method is not supported");
1695 skeyid = gcry_md_read(skeyid_ctx, 0);
1696 hex_dump("skeyid", skeyid, s->ike.md_len, NULL);
1697 }
1698
1699 /* Verify the hash. */
1700 {
1701 gcry_md_hd_t hm;
1702 unsigned char *expected_hash, *rec_hash;
1703 uint8_t *idp_f;
1704 size_t idp_size;
1705 size_t decr_size = 0;
1706
1707 flatten_isakmp_payload(idp, &idp_f, &idp_size);
1708
1709 gcry_md_open(&hm, s->ike.md_algo, GCRY_MD_FLAG_HMAC);
1710 gcry_md_setkey(hm, skeyid, s->ike.md_len);
1711 gcry_md_write(hm, ke->u.ke.data, ke->u.ke.length);
1712 gcry_md_write(hm, s->ike.dh_public, dh_getlen(s->ike.dh_grp));
1713 gcry_md_write(hm, s->ike.r_cookie, ISAKMP_COOKIE_LENGTH);
1714 gcry_md_write(hm, s->ike.i_cookie, ISAKMP_COOKIE_LENGTH);
1715 gcry_md_write(hm, s->ike.sa_f + 4, s->ike.sa_size - 4);
1716 gcry_md_write(hm, idp_f + 4, idp_size - 4);
1717 gcry_md_final(hm);
1718 expected_hash = gcry_md_read(hm, 0);
1719 hex_dump("expected hash", expected_hash, s->ike.md_len, NULL);
1720
1721 if (opt_auth_mode == AUTH_MODE_PSK) {
1722 if (memcmp(expected_hash, hash->u.hash.data, s->ike.md_len) != 0)
1723 error(2, 0, "hash comparison failed: %s(%d)\ncheck group password!",
1724 val_to_string(ISAKMP_N_AUTHENTICATION_FAILED, isakmp_notify_enum_array),
1725 ISAKMP_N_AUTHENTICATION_FAILED);
1726 hex_dump("received hash", hash->u.hash.data, hash->u.hash.length, NULL);
1727 } else if (opt_auth_mode == AUTH_MODE_CERT ||
1728 opt_auth_mode == AUTH_MODE_HYBRID) {
1729 hex_dump("received signature", sig->u.sig.data, sig->u.sig.length, NULL);
1730
1731 ret = crypto_verify_chain(cctx,
1732 config[CONFIG_CA_FILE],
1733 config[CONFIG_CA_DIR],
1734 &crerr);
1735 if (ret)
1736 crypto_call_error(crerr);
1737
1738 /* Verify signature */
1739 rec_hash = crypto_decrypt_signature (cctx,
1740 sig->u.sig.data,
1741 sig->u.sig.length,
1742 &decr_size,
1743 CRYPTO_PAD_PKCS1,
1744 &crerr);
1745 if (!rec_hash)
1746 crypto_call_error(crerr);
1747
1748 if (decr_size != s->ike.md_len) {
1749 printf("Decrypted-Size: %zd\n",decr_size);
1750 hex_dump(" decr_hash", rec_hash, decr_size, NULL);
1751 hex_dump("expected hash", expected_hash, s->ike.md_len, NULL);
1752
1753 error(2, 0, "The hash-value, which was decrypted from the received signature, and the expected hash-value differ in size.\n");
1754 } else {
1755 if (memcmp(rec_hash, expected_hash, decr_size) != 0) {
1756 printf("Decrypted-Size: %zd\n",decr_size);
1757 hex_dump(" decr_hash", rec_hash, decr_size, NULL);
1758 hex_dump("expected hash", expected_hash, s->ike.md_len, NULL);
1759
1760 error(2, 0, "The hash-value, which was decrypted from the received signature, and the expected hash-value differ.\n");
1761 } else {
1762 DEBUG(3, printf("Signature MATCH!!\n"));
1763 }
1764 }
1765 /* END - Signature Verification */
1766
1767 free(rec_hash);
1768 }
1769
1770 gcry_md_close(hm);
1771
1772 gcry_md_open(&hm, s->ike.md_algo, GCRY_MD_FLAG_HMAC);
1773 gcry_md_setkey(hm, skeyid, s->ike.md_len);
1774 gcry_md_write(hm, s->ike.dh_public, dh_getlen(s->ike.dh_grp));
1775 gcry_md_write(hm, ke->u.ke.data, ke->u.ke.length);
1776 gcry_md_write(hm, s->ike.i_cookie, ISAKMP_COOKIE_LENGTH);
1777 gcry_md_write(hm, s->ike.r_cookie, ISAKMP_COOKIE_LENGTH);
1778 gcry_md_write(hm, s->ike.sa_f + 4, s->ike.sa_size - 4);
1779 gcry_md_write(hm, s->ike.idi_f + 4, s->ike.idi_size - 4);
1780 gcry_md_final(hm);
1781 s->ike.returned_hash = xallocc(s->ike.md_len);
1782 memcpy(s->ike.returned_hash, gcry_md_read(hm, 0), s->ike.md_len);
1783 gcry_md_close(hm);
1784 hex_dump("returned_hash", s->ike.returned_hash, s->ike.md_len, NULL);
1785
1786 /* PRESHARED_KEY_HASH */
1787 gcry_md_open(&hm, s->ike.md_algo, GCRY_MD_FLAG_HMAC);
1788 gcry_md_setkey(hm, skeyid, s->ike.md_len);
1789 gcry_md_write(hm, shared_key, strlen(shared_key));
1790 gcry_md_final(hm);
1791 s->ike.psk_hash = xallocc(s->ike.md_len);
1792 memcpy(s->ike.psk_hash, gcry_md_read(hm, 0), s->ike.md_len);
1793 gcry_md_close(hm);
1794 hex_dump("psk_hash", s->ike.psk_hash, s->ike.md_len, NULL);
1795 /* End PRESHARED_KEY_HASH */
1796
1797 free(s->ike.sa_f);
1798 free(s->ike.idi_f);
1799 free(idp_f);
1800 s->ike.sa_f = NULL;
1801 s->ike.idi_f = NULL;
1802 }
1803
1804 /* Determine all the SKEYID_x keys. */
1805 {
1806 gcry_md_hd_t hm;
1807 int i;
1808 static const unsigned char c012[3] = { 0, 1, 2 };
1809 unsigned char *skeyid_e;
1810 unsigned char *dh_shared_secret;
1811
1812 /* Determine the shared secret. */
1813 dh_shared_secret = xallocc(dh_getlen(s->ike.dh_grp));
1814 dh_create_shared(s->ike.dh_grp, dh_shared_secret, ke->u.ke.data);
1815 hex_dump("dh_shared_secret", dh_shared_secret, dh_getlen(s->ike.dh_grp), NULL);
1816
1817 gcry_md_open(&hm, s->ike.md_algo, GCRY_MD_FLAG_HMAC);
1818 gcry_md_setkey(hm, skeyid, s->ike.md_len);
1819 gcry_md_write(hm, dh_shared_secret, dh_getlen(s->ike.dh_grp));
1820 gcry_md_write(hm, s->ike.i_cookie, ISAKMP_COOKIE_LENGTH);
1821 gcry_md_write(hm, s->ike.r_cookie, ISAKMP_COOKIE_LENGTH);
1822 gcry_md_write(hm, c012 + 0, 1);
1823 gcry_md_final(hm);
1824 if (s->ike.skeyid_d) free(s->ike.skeyid_d);
1825 s->ike.skeyid_d = xallocc(s->ike.md_len);
1826 memcpy(s->ike.skeyid_d, gcry_md_read(hm, 0), s->ike.md_len);
1827 gcry_md_close(hm);
1828 hex_dump("skeyid_d", s->ike.skeyid_d, s->ike.md_len, NULL);
1829
1830 gcry_md_open(&hm, s->ike.md_algo, GCRY_MD_FLAG_HMAC);
1831 gcry_md_setkey(hm, skeyid, s->ike.md_len);
1832 gcry_md_write(hm, s->ike.skeyid_d, s->ike.md_len);
1833 gcry_md_write(hm, dh_shared_secret, dh_getlen(s->ike.dh_grp));
1834 gcry_md_write(hm, s->ike.i_cookie, ISAKMP_COOKIE_LENGTH);
1835 gcry_md_write(hm, s->ike.r_cookie, ISAKMP_COOKIE_LENGTH);
1836 gcry_md_write(hm, c012 + 1, 1);
1837 gcry_md_final(hm);
1838 if (s->ike.skeyid_a) free(s->ike.skeyid_a);
1839 s->ike.skeyid_a = xallocc(s->ike.md_len);
1840 memcpy(s->ike.skeyid_a, gcry_md_read(hm, 0), s->ike.md_len);
1841 gcry_md_close(hm);
1842 hex_dump("skeyid_a", s->ike.skeyid_a, s->ike.md_len, NULL);
1843
1844 gcry_md_open(&hm, s->ike.md_algo, GCRY_MD_FLAG_HMAC);
1845 gcry_md_setkey(hm, skeyid, s->ike.md_len);
1846 gcry_md_write(hm, s->ike.skeyid_a, s->ike.md_len);
1847 gcry_md_write(hm, dh_shared_secret, dh_getlen(s->ike.dh_grp));
1848 gcry_md_write(hm, s->ike.i_cookie, ISAKMP_COOKIE_LENGTH);
1849 gcry_md_write(hm, s->ike.r_cookie, ISAKMP_COOKIE_LENGTH);
1850 gcry_md_write(hm, c012 + 2, 1);
1851 gcry_md_final(hm);
1852 skeyid_e = xallocc(s->ike.md_len);
1853 memcpy(skeyid_e, gcry_md_read(hm, 0), s->ike.md_len);
1854 gcry_md_close(hm);
1855 hex_dump("skeyid_e", skeyid_e, s->ike.md_len, NULL);
1856
1857 memset(dh_shared_secret, 0, sizeof(dh_shared_secret));
1858 free(dh_shared_secret);
1859
1860 /* Determine the IKE encryption key. */
1861 if (s->ike.key) free(s->ike.key);
1862 s->ike.key = xallocc(s->ike.keylen);
1863
1864 if (s->ike.keylen > s->ike.md_len) {
1865 for (i = 0; i * s->ike.md_len < s->ike.keylen; i++) {
1866 gcry_md_open(&hm, s->ike.md_algo, GCRY_MD_FLAG_HMAC);
1867 gcry_md_setkey(hm, skeyid_e, s->ike.md_len);
1868 if (i == 0)
1869 gcry_md_write(hm, "" /* &'\0' */ , 1);
1870 else
1871 gcry_md_write(hm, s->ike.key + (i - 1) * s->ike.md_len,
1872 s->ike.md_len);
1873 gcry_md_final(hm);
1874 memcpy(s->ike.key + i * s->ike.md_len, gcry_md_read(hm, 0),
1875 min(s->ike.md_len, s->ike.keylen - i * s->ike.md_len));
1876 gcry_md_close(hm);
1877 }
1878 } else { /* keylen <= md_len */
1879 memcpy(s->ike.key, skeyid_e, s->ike.keylen);
1880 }
1881 hex_dump("enc-key", s->ike.key, s->ike.keylen, NULL);
1882
1883 memset(skeyid_e, 0, s->ike.md_len);
1884 free(skeyid_e);
1885 }
1886
1887 /* Determine the initial IV. */
1888 {
1889 gcry_md_hd_t hm;
1890
1891 assert(s->ike.ivlen <= s->ike.md_len);
1892 gcry_md_open(&hm, s->ike.md_algo, 0);
1893 gcry_md_write(hm, s->ike.dh_public, dh_getlen(s->ike.dh_grp));
1894 gcry_md_write(hm, ke->u.ke.data, ke->u.ke.length);
1895 gcry_md_final(hm);
1896 if (s->ike.current_iv) free(s->ike.current_iv);
1897 s->ike.current_iv = xallocc(s->ike.ivlen);
1898 memcpy(s->ike.current_iv, gcry_md_read(hm, 0), s->ike.ivlen);
1899 gcry_md_close(hm);
1900 hex_dump("current_iv", s->ike.current_iv, s->ike.ivlen, NULL);
1901 memset(s->ike.current_iv_msgid, 0, 4);
1902 }
1903
1904 gcry_md_close(skeyid_ctx);
1905 crypto_ctx_free(cctx);
1906 free(dh_shared_secret);
1907
1908 /* Determine presence of NAT */
1909 if (s->ike.natd_type != 0) {
1910 seen_natd_us = 0;
1911 /* this could be repeated for any known outbound interfaces */
1912 {
1913 gcry_md_hd_t hm;
1914 uint16_t n_src_port = htons(s->ike.src_port);
1915
1916 gcry_md_open(&hm, s->ike.md_algo, 0);
1917 gcry_md_write(hm, s->ike.i_cookie, ISAKMP_COOKIE_LENGTH);
1918 gcry_md_write(hm, s->ike.r_cookie, ISAKMP_COOKIE_LENGTH);
1919 gcry_md_write(hm, &s->src, sizeof(struct in_addr));
1920 gcry_md_write(hm, &n_src_port, sizeof(uint16_t));
1921 gcry_md_final(hm);
1922 if (memcmp(s->ike.natd_us, gcry_md_read(hm, 0), s->ike.md_len) == 0)
1923 seen_natd_us = 1;
1924 memcpy(s->ike.natd_us, gcry_md_read(hm, 0), s->ike.md_len);
1925 if (opt_natt_mode == NATT_FORCE) {
1926 /* force detection of "this end behind NAT" */
1927 /* by flipping a bit in the nat-detection-hash */
1928 s->ike.natd_us[0] ^= 1;
1929 seen_natd_us = 0;
1930 }
1931 gcry_md_close(hm);
1932 }
1933 /* if there is a NAT, change to port 4500 and select UDP encap */
1934 if (!seen_natd_us || !seen_natd_them) {
1935 DEBUG(1, printf("NAT status: this end behind NAT? %s -- remote end behind NAT? %s\n",
1936 seen_natd_us ? "no" : "YES", seen_natd_them ? "no" : "YES"));
1937 switch (s->ike.natd_type) {
1938 case ISAKMP_PAYLOAD_NAT_D:
1939 s->ipsec.encap_mode = IPSEC_ENCAP_UDP_TUNNEL;
1940 break;
1941 case ISAKMP_PAYLOAD_NAT_D_OLD:
1942 s->ipsec.encap_mode = IPSEC_ENCAP_UDP_TUNNEL_OLD;
1943 break;
1944 default:
1945 abort();
1946 }
1947 if (natt_draft >= 2) {
1948 s->ipsec.natt_active_mode = NATT_ACTIVE_RFC;
1949 close(s->ike_fd);
1950 if (s->ike.src_port == ISAKMP_PORT)
1951 s->ike.src_port = ISAKMP_PORT_NATT;
1952 s->ike_fd = make_socket(s, s->ike.src_port, s->ike.dst_port = ISAKMP_PORT_NATT);
1953 } else {
1954 s->ipsec.natt_active_mode = NATT_ACTIVE_DRAFT_OLD;
1955 }
1956 } else {
1957 DEBUG(1, printf("NAT status: NAT-T VID seen, no NAT device detected\n"));
1958 }
1959 } else {
1960 DEBUG(1, printf("NAT status: no NAT-T VID seen\n"));
1961 }
1962
1963 /* This seems to cause a duplicate free of some data when rekeying:
1964 * *** glibc detected *** vpnc-connect: free(): invalid pointer: 0x09d63ba5
1965 * See also: http://bugs.gentoo.org/show_bug.cgi?id=229003
1966 */
1967 #if 1
1968 free_isakmp_packet(r);
1969 #endif
1970
1971 }
1972 }
1973
1974 static void do_phase1_am_packet3(struct sa_block *s)
1975 {
1976 DEBUGTOP(2, printf("S4.5 AM_packet3\n"));
1977 /* Send final phase 1 packet. */
1978 {
1979 struct isakmp_packet *p2;
1980 uint8_t *p2kt;
1981 size_t p2kt_len;
1982 struct isakmp_payload *pl;
1983
1984 p2 = new_isakmp_packet();
1985 memcpy(p2->i_cookie, s->ike.i_cookie, ISAKMP_COOKIE_LENGTH);
1986 memcpy(p2->r_cookie, s->ike.r_cookie, ISAKMP_COOKIE_LENGTH);
1987 p2->flags = ISAKMP_FLAG_E;
1988 p2->isakmp_version = ISAKMP_VERSION;
1989 p2->exchange_type = ISAKMP_EXCHANGE_AGGRESSIVE;
1990 /* XXX CERT Add id(?), cert and sig here in case of cert auth */
1991 p2->payload = new_isakmp_data_payload(ISAKMP_PAYLOAD_HASH,
1992 s->ike.returned_hash, s->ike.md_len);
1993 p2->payload->next = pl = new_isakmp_payload(ISAKMP_PAYLOAD_N);
1994 pl->u.n.doi = ISAKMP_DOI_IPSEC;
1995 pl->u.n.protocol = ISAKMP_IPSEC_PROTO_ISAKMP;
1996 pl->u.n.type = ISAKMP_N_IPSEC_INITIAL_CONTACT;
1997 pl->u.n.spi_length = 2 * ISAKMP_COOKIE_LENGTH;
1998 pl->u.n.spi = xallocc(2 * ISAKMP_COOKIE_LENGTH);
1999 memcpy(pl->u.n.spi + ISAKMP_COOKIE_LENGTH * 0, s->ike.i_cookie, ISAKMP_COOKIE_LENGTH);
2000 memcpy(pl->u.n.spi + ISAKMP_COOKIE_LENGTH * 1, s->ike.r_cookie, ISAKMP_COOKIE_LENGTH);
2001
2002 /* send PSK-hash if hybrid authentication is negotiated */
2003 if (s->ike.auth_algo == IKE_AUTH_HybridInitRSA ||
2004 s->ike.auth_algo == IKE_AUTH_HybridInitDSS) {
2005 /* Notify - PRESHARED_KEY_HASH */
2006 pl = pl->next = new_isakmp_payload(ISAKMP_PAYLOAD_N);
2007 pl->u.n.doi = ISAKMP_DOI_IPSEC;
2008 pl->u.n.protocol = ISAKMP_IPSEC_PROTO_ISAKMP;
2009 /* Notify Message - Type: PRESHARED_KEY_HASH */
2010 pl->u.n.type = ISAKMP_N_CISCO_PRESHARED_KEY_HASH;
2011 pl->u.n.spi_length = 2 * ISAKMP_COOKIE_LENGTH;
2012 pl->u.n.spi = xallocc(2 * ISAKMP_COOKIE_LENGTH);
2013 memcpy(pl->u.n.spi + ISAKMP_COOKIE_LENGTH * 0,
2014 s->ike.i_cookie, ISAKMP_COOKIE_LENGTH);
2015 memcpy(pl->u.n.spi + ISAKMP_COOKIE_LENGTH * 1,
2016 s->ike.r_cookie, ISAKMP_COOKIE_LENGTH);
2017 pl->u.n.data_length = s->ike.md_len;
2018 pl->u.n.data = xallocc(pl->u.n.data_length);
2019 memcpy(pl->u.n.data, s->ike.psk_hash, pl->u.n.data_length);
2020 /* End Notify - PRESHARED_KEY_HASH */
2021 }
2022 pl = pl->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID,
2023 VID_UNKNOWN, sizeof(VID_UNKNOWN));
2024 pl = pl->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID,
2025 VID_UNITY, sizeof(VID_UNITY));
2026
2027 /* include NAT traversal discovery payloads */
2028 if (s->ike.natd_type != 0) {
2029 pl = pl->next = new_isakmp_data_payload(s->ike.natd_type,
2030 s->ike.natd_them, s->ike.md_len);
2031 pl->next = new_isakmp_data_payload(s->ike.natd_type,
2032 s->ike.natd_us, s->ike.md_len);
2033 free(s->ike.natd_us);
2034 free(s->ike.natd_them);
2035 s->ike.natd_us = NULL;
2036 s->ike.natd_them = NULL;
2037 }
2038
2039 flatten_isakmp_packet(p2, &p2kt, &p2kt_len, s->ike.ivlen);
2040 free_isakmp_packet(p2);
2041 isakmp_crypt(s, p2kt, p2kt_len, 1);
2042
2043 if (s->ike.initial_iv) free(s->ike.initial_iv);
2044 s->ike.initial_iv = xallocc(s->ike.ivlen);
2045 memcpy(s->ike.initial_iv, s->ike.current_iv, s->ike.ivlen);
2046 hex_dump("initial_iv", s->ike.initial_iv, s->ike.ivlen, NULL);
2047
2048 /* Now, send that packet and receive a new one. */
2049 r_length = sendrecv(s, r_packet, sizeof(r_packet), p2kt, p2kt_len, 0);
2050 free(p2kt);
2051 }
2052 }
2053
2054 static void do_phase1_am_cleanup(struct sa_block *s)
2055 {
2056 DEBUGTOP(2, printf("S4.6 cleanup\n"));
2057
2058 free(s->ike.psk_hash);
2059 s->ike.psk_hash = NULL;
2060 free(s->ike.dh_public);
2061 group_free(s->ike.dh_grp);
2062 free(s->ike.returned_hash);
2063 s->ike.returned_hash = NULL;
2064 }
2065
2066 static void do_phase1_am(const char *key_id, const char *shared_key, struct sa_block *s)
2067 {
2068 do_phase1_am_init(s);
2069 do_phase1_am_packet1(s, key_id);
2070 do_phase1_am_packet2(s, shared_key);
2071 do_phase1_am_packet3(s);
2072 do_phase1_am_cleanup(s);
2073 }
2074
2075 static int do_phase2_notice_check(struct sa_block *s, struct isakmp_packet **r_p,
2076 const uint8_t * nonce, size_t nonce_size)
2077 {
2078 int reject = 0;
2079 struct isakmp_packet *r;
2080
2081 while (1) {
2082 reject = unpack_verify_phase2(s, r_packet, r_length, r_p, nonce, nonce_size);
2083 if (reject == ISAKMP_N_INVALID_COOKIE) {
2084 r_length = sendrecv(s, r_packet, sizeof(r_packet), NULL, 0, 0);
2085 continue;
2086 }
2087 if (*r_p == NULL) {
2088 assert(reject != 0);
2089 return reject;
2090 }
2091 r = *r_p;
2092
2093 /* check for notices */
2094 if (r->exchange_type == ISAKMP_EXCHANGE_INFORMATIONAL &&
2095 r->payload->next != NULL) {
2096 if (r->payload->next->type == ISAKMP_PAYLOAD_N) {
2097 if (r->payload->next->u.n.type == ISAKMP_N_CISCO_LOAD_BALANCE) {
2098 /* load balancing notice ==> restart with new gw */
2099 if (r->payload->next->u.n.data_length != 4)
2100 error(1, 0, "malformed loadbalance target");
2101 s->dst = *(struct in_addr *)r->payload->next->u.n.data;
2102 s->ike.dst_port = ISAKMP_PORT;
2103 s->ipsec.encap_mode = IPSEC_ENCAP_TUNNEL;
2104 s->ipsec.natt_active_mode = NATT_ACTIVE_NONE;
2105 if (s->ike.src_port == ISAKMP_PORT_NATT)
2106 s->ike.src_port = ISAKMP_PORT;
2107 close(s->ike_fd);
2108 s->ike_fd = make_socket(s, s->ike.src_port, s->ike.dst_port);
2109 DEBUG(2, printf("got cisco loadbalancing notice, diverting to %s\n",
2110 inet_ntoa(s->dst)));
2111 return -1;
2112 } else if (r->payload->next->u.n.type == ISAKMP_N_IPSEC_RESPONDER_LIFETIME) {
2113 if (r->payload->next->u.n.protocol == ISAKMP_IPSEC_PROTO_ISAKMP)
2114 lifetime_ike_process(s, r->payload->next->u.n.attributes);
2115 else if (r->payload->next->u.n.protocol == ISAKMP_IPSEC_PROTO_IPSEC_ESP)
2116 lifetime_ipsec_process(s, r->payload->next->u.n.attributes);
2117 else
2118 DEBUG(2, printf("got unknown lifetime notice, ignoring..\n"));
2119 r_length = sendrecv(s, r_packet, sizeof(r_packet), NULL, 0, 0);
2120 continue;
2121 } else if (r->payload->next->u.n.type == ISAKMP_N_IPSEC_INITIAL_CONTACT) {
2122 /* why in hell do we get this?? */
2123 DEBUG(2, printf("got initial contact notice, ignoring..\n"));
2124 r_length = sendrecv(s, r_packet, sizeof(r_packet), NULL, 0, 0);
2125 continue;
2126 } else {
2127 /* whatever */
2128 printf("received notice of type %s(%d), giving up\n",
2129 val_to_string(r->payload->next->u.n.type, isakmp_notify_enum_array),
2130 r->payload->next->u.n.type);
2131 return reject;
2132 }
2133 }
2134 if (r->payload->next->type == ISAKMP_PAYLOAD_D) {
2135 /* delete notice ==> ignore */
2136 DEBUG(2, printf("got delete for old connection, ignoring..\n"));
2137 r_length = sendrecv(s, r_packet, sizeof(r_packet), NULL, 0, 0);
2138 continue;
2139 }
2140 }
2141
2142 break;
2143 }
2144 return reject;
2145 }
2146
2147 static int do_phase2_xauth(struct sa_block *s)
2148 {
2149 struct isakmp_packet *r = NULL;
2150 int loopcount;
2151 int reject;
2152 int passwd_used = 0;
2153
2154 DEBUGTOP(2, printf("S5.1 xauth_request\n"));
2155 /* This can go around for a while. */
2156 for (loopcount = 0;; loopcount++) {
2157 struct isakmp_payload *rp;
2158 struct isakmp_attribute *a, *ap, *reply_attr, *last_reply_attr;
2159 char ntop_buf[32];
2160 int seen_answer = 0;
2161
2162 DEBUGTOP(2, printf("S5.2 notice_check\n"));
2163
2164 /* recv and check for notices */
2165 if (r) free_isakmp_packet(r);
2166 r = NULL;
2167 reject = do_phase2_notice_check(s, &r, NULL, 0);
2168 if (reject == -1) {
2169 if (r) free_isakmp_packet(r);
2170 return 1;
2171 }
2172
2173 DEBUGTOP(2, printf("S5.3 type-is-xauth check\n"));
2174 /* Check the transaction type is OK. */
2175 if (reject == 0 && r->exchange_type != ISAKMP_EXCHANGE_MODECFG_TRANSACTION)
2176 reject = ISAKMP_N_INVALID_EXCHANGE_TYPE;
2177
2178 /* After the hash, expect an attribute block. */
2179 if (reject == 0
2180 && (r->payload->next == NULL
2181 || r->payload->next->next != NULL
2182 || r->payload->next->type != ISAKMP_PAYLOAD_MODECFG_ATTR))
2183 reject = ISAKMP_N_INVALID_PAYLOAD_TYPE;
2184
2185 if (reject == 0 && r->payload->next->u.modecfg.type == ISAKMP_MODECFG_CFG_SET) {
2186 /* OK, the server has finished requesting information, go for the final set/ack */
2187 break;
2188 }
2189
2190 if (reject == 0 && r->payload->next->u.modecfg.type != ISAKMP_MODECFG_CFG_REQUEST)
2191 reject = ISAKMP_N_INVALID_PAYLOAD_TYPE;
2192
2193 if (reject != 0)
2194 phase2_fatal(s, "expected xauth packet; rejected: %s(%d)", reject);
2195
2196 DEBUGTOP(2, printf("S5.4 xauth type check\n"));
2197 a = r->payload->next->u.modecfg.attributes;
2198 /* First, print any messages, and verify that we understand the
2199 * conversation. This looks for any place were input is
2200 * required - in these cases, we need to print the prompt
2201 * regardless of whether the user requested interactive mode
2202 * or not. */
2203 for (ap = a; ap && seen_answer == 0; ap = ap->next)
2204 if (ap->type == ISAKMP_XAUTH_06_ATTRIB_ANSWER
2205 || ap->type == ISAKMP_XAUTH_06_ATTRIB_NEXT_PIN
2206 /* || ap->type == ISAKMP_XAUTH_06_ATTRIB_PASSCODE */)
2207 seen_answer = 1;
2208
2209 for (ap = a; ap && reject == 0; ap = ap->next)
2210 switch (ap->type) {
2211 case ISAKMP_XAUTH_06_ATTRIB_TYPE:
2212 if (ap->af != isakmp_attr_16 || ap->u.attr_16 != 0)
2213 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
2214 break;
2215 case ISAKMP_XAUTH_06_ATTRIB_USER_NAME:
2216 case ISAKMP_XAUTH_06_ATTRIB_USER_PASSWORD:
2217 case ISAKMP_XAUTH_06_ATTRIB_PASSCODE:
2218 case ISAKMP_XAUTH_06_ATTRIB_DOMAIN:
2219 case ISAKMP_XAUTH_06_ATTRIB_ANSWER:
2220 case ISAKMP_XAUTH_06_ATTRIB_NEXT_PIN:
2221 case ISAKMP_XAUTH_ATTRIB_CISCOEXT_VENDOR:
2222 break;
2223 case ISAKMP_XAUTH_06_ATTRIB_MESSAGE:
2224 if (opt_debug || seen_answer || config[CONFIG_XAUTH_INTERACTIVE]) {
2225 if (ap->af == isakmp_attr_16)
2226 printf("%c%c\n", ap->u.attr_16 >> 8, ap->u.attr_16);
2227 else
2228 printf("%.*s%s", ap->u.lots.length, ap->u.lots.data,
2229 ((ap->u.lots.data
2230 && ap->u.lots.data[ap->u.
2231 lots.length - 1] !=
2232 '\n')
2233 ? "\n" : ""));
2234 }
2235 break;
2236 default:
2237 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
2238 }
2239 if (reject != 0)
2240 phase2_fatal(s, "xauth packet unsupported: %s(%d)", reject);
2241
2242 DEBUGTOP(2, printf("S5.5 do xauth reply\n"));
2243 inet_ntop(AF_INET, &s->dst, ntop_buf, sizeof(ntop_buf));
2244
2245 /* Collect data from the user. */
2246 reply_attr = last_reply_attr = NULL;
2247 for (ap = a; ap && reject == 0; ap = ap->next) {
2248 struct isakmp_attribute *na = NULL;
2249
2250 switch (ap->type) {
2251 case ISAKMP_XAUTH_06_ATTRIB_TYPE:
2252 {
2253 na = new_isakmp_attribute_16(ap->type, ap->u.attr_16, NULL);
2254 break;
2255 }
2256 case ISAKMP_XAUTH_06_ATTRIB_DOMAIN:
2257 na = new_isakmp_attribute(ap->type, NULL);
2258 if (!config[CONFIG_DOMAIN])
2259 error(1, 0,
2260 "server requested domain, but none set (use \"Domain ...\" in config or --domain");
2261 na->u.lots.length = strlen(config[CONFIG_DOMAIN]);
2262 na->u.lots.data = xallocc(na->u.lots.length);
2263 memcpy(na->u.lots.data, config[CONFIG_DOMAIN],
2264 na->u.lots.length);
2265 break;
2266 case ISAKMP_XAUTH_06_ATTRIB_USER_NAME:
2267 {
2268 na = new_isakmp_attribute(ap->type, NULL);
2269 na->u.lots.length = strlen(config[CONFIG_XAUTH_USERNAME]);
2270 na->u.lots.data = xallocc(na->u.lots.length);
2271 memcpy(na->u.lots.data, config[CONFIG_XAUTH_USERNAME],
2272 na->u.lots.length);
2273 break;
2274 }
2275 case ISAKMP_XAUTH_06_ATTRIB_ANSWER:
2276 case ISAKMP_XAUTH_06_ATTRIB_USER_PASSWORD:
2277 case ISAKMP_XAUTH_06_ATTRIB_PASSCODE:
2278 case ISAKMP_XAUTH_06_ATTRIB_NEXT_PIN:
2279 if (passwd_used && config[CONFIG_NON_INTERACTIVE]) {
2280 reject = ISAKMP_N_AUTHENTICATION_FAILED;
2281 phase2_fatal(s, "noninteractive can't reuse password", reject);
2282 error(2, 0, "authentication failed (requires interactive mode)");
2283 } else if (seen_answer || passwd_used || config[CONFIG_XAUTH_INTERACTIVE]) {
2284 char *pass, *prompt = NULL;
2285
2286 asprintf(&prompt, "%s for VPN %s@%s: ",
2287 (ap->type == ISAKMP_XAUTH_06_ATTRIB_ANSWER) ?
2288 "Answer" :
2289 (ap->type == ISAKMP_XAUTH_06_ATTRIB_USER_PASSWORD) ?
2290 "Password" : "Passcode",
2291 config[CONFIG_XAUTH_USERNAME], ntop_buf);
2292 pass = getpass(prompt);
2293 free(prompt);
2294
2295 na = new_isakmp_attribute(ap->type, NULL);
2296 na->u.lots.length = strlen(pass);
2297 na->u.lots.data = xallocc(na->u.lots.length);
2298 memcpy(na->u.lots.data, pass, na->u.lots.length);
2299 memset(pass, 0, na->u.lots.length);
2300 } else {
2301 na = new_isakmp_attribute(ap->type, NULL);
2302 na->u.lots.length = strlen(config[CONFIG_XAUTH_PASSWORD]);
2303 na->u.lots.data = xallocc(na->u.lots.length);
2304 memcpy(na->u.lots.data, config[CONFIG_XAUTH_PASSWORD],
2305 na->u.lots.length);
2306 passwd_used = 1; /* Provide canned password at most once */
2307 }
2308 break;
2309 default:
2310 ;
2311 }
2312 if (na == NULL)
2313 continue;
2314 if (last_reply_attr != NULL) {
2315 last_reply_attr->next = na;
2316 last_reply_attr = na;
2317 } else {
2318 last_reply_attr = reply_attr = na;
2319 }
2320 }
2321
2322 /* Send the response. */
2323 rp = new_isakmp_payload(ISAKMP_PAYLOAD_MODECFG_ATTR);
2324 rp->u.modecfg.type = ISAKMP_MODECFG_CFG_REPLY;
2325 rp->u.modecfg.id = r->payload->next->u.modecfg.id;
2326 rp->u.modecfg.attributes = reply_attr;
2327 sendrecv_phase2(s, rp, ISAKMP_EXCHANGE_MODECFG_TRANSACTION,
2328 r->message_id, 0, 0, 0, 0, 0);
2329
2330 }
2331
2332 if ((opt_vendor == VENDOR_NETSCREEN) &&
2333 (r->payload->next->u.modecfg.type == ISAKMP_MODECFG_CFG_SET)) {
2334 struct isakmp_attribute *a = r->payload->next->u.modecfg.attributes;
2335
2336 DEBUGTOP(2, printf("S5.5.1 do netscreen modecfg extra\n"));
2337
2338 do_config_to_env(s, a);
2339
2340 for (; a; a = a->next)
2341 if(a->af == isakmp_attr_lots)
2342 a->u.lots.length = 0;
2343
2344 r->payload->next->u.modecfg.type = ISAKMP_MODECFG_CFG_ACK;
2345 sendrecv_phase2(s, r->payload->next,
2346 ISAKMP_EXCHANGE_MODECFG_TRANSACTION,
2347 r->message_id, 0, 0, 0, 0, 0);
2348
2349 reject = do_phase2_notice_check(s, &r, NULL, 0);
2350 if (reject == -1) {
2351 free_isakmp_packet(r);
2352 return 1;
2353 }
2354 }
2355
2356 DEBUGTOP(2, printf("S5.6 process xauth set\n"));
2357 {
2358 /* The final SET should have just one attribute. */
2359 struct isakmp_attribute *a = r->payload->next->u.modecfg.attributes;
2360 uint16_t set_result = 1;
2361
2362 if (a == NULL
2363 || a->type != ISAKMP_XAUTH_06_ATTRIB_STATUS
2364 || a->af != isakmp_attr_16 || a->next != NULL) {
2365 reject = ISAKMP_N_INVALID_PAYLOAD_TYPE;
2366 phase2_fatal(s, "xauth SET message rejected: %s(%d)", reject);
2367 } else {
2368 set_result = a->u.attr_16;
2369 }
2370
2371 /* ACK the SET. */
2372 DEBUGTOP(2, printf("S5.7 send xauth ack\n"));
2373 r->payload->next->u.modecfg.type = ISAKMP_MODECFG_CFG_ACK;
2374 sendrecv_phase2(s, r->payload->next, ISAKMP_EXCHANGE_MODECFG_TRANSACTION,
2375 r->message_id, 1, 0, 0, 0, 0);
2376 r->payload->next = NULL; /* this part is already free()d by sendrecv_phase2 */
2377 free_isakmp_packet(r); /* this frees the received set packet (header+hash) */
2378
2379 if (set_result == 0)
2380 error(2, 0, "authentication unsuccessful");
2381 }
2382 DEBUGTOP(2, printf("S5.8 xauth done\n"));
2383 return 0;
2384 }
2385
2386 static int do_phase2_config(struct sa_block *s)
2387 {
2388 struct isakmp_payload *rp;
2389 struct isakmp_attribute *a;
2390 struct isakmp_packet *r;
2391 struct utsname uts;
2392 uint32_t msgid;
2393 int reject;
2394
2395 uname(&uts);
2396
2397 gcry_create_nonce((uint8_t *) & msgid, sizeof(msgid));
2398 if (msgid == 0)
2399 msgid = 1;
2400
2401 rp = new_isakmp_payload(ISAKMP_PAYLOAD_MODECFG_ATTR);
2402 rp->u.modecfg.type = ISAKMP_MODECFG_CFG_REQUEST;
2403 rp->u.modecfg.id = 20;
2404 a = NULL;
2405
2406 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_APPLICATION_VERSION, a);
2407 a->u.lots.length = strlen(config[CONFIG_VERSION]);
2408 a->u.lots.data = xallocc(a->u.lots.length);
2409 memcpy(a->u.lots.data, config[CONFIG_VERSION], a->u.lots.length);
2410
2411 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_CISCO_DDNS_HOSTNAME, a);
2412 a->u.lots.length = strlen(uts.nodename);
2413 a->u.lots.data = xallocc(a->u.lots.length);
2414 memcpy(a->u.lots.data, uts.nodename, a->u.lots.length);
2415
2416 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_CISCO_SPLIT_INC, a);
2417 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_CISCO_SAVE_PW, a);
2418
2419 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_CISCO_BANNER, a);
2420 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_CISCO_DO_PFS, a);
2421 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_CISCO_FW_TYPE, a);
2422 a->u.lots.length = sizeof(FW_UNKNOWN_TYPEINFO);
2423 a->u.lots.data = xallocc(a->u.lots.length);
2424 memcpy(a->u.lots.data, FW_UNKNOWN_TYPEINFO, a->u.lots.length);
2425 if (opt_natt_mode == NATT_CISCO_UDP)
2426 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_CISCO_UDP_ENCAP_PORT, a);
2427 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_CISCO_DEF_DOMAIN, a);
2428 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_INTERNAL_IP4_NBNS, a);
2429 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_INTERNAL_IP4_DNS, a);
2430 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_INTERNAL_IP4_NETMASK, a);
2431 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_INTERNAL_IP4_ADDRESS, a);
2432
2433 rp->u.modecfg.attributes = a;
2434 DEBUGTOP(2, printf("S6.1 phase2_config send modecfg\n"));
2435 sendrecv_phase2(s, rp, ISAKMP_EXCHANGE_MODECFG_TRANSACTION, msgid, 0, 0, 0, 0, 0);
2436
2437 DEBUGTOP(2, printf("S6.2 phase2_config receive modecfg\n"));
2438 /* recv and check for notices */
2439 reject = do_phase2_notice_check(s, &r, NULL, 0);
2440 if (reject == -1) {
2441 if (r) free_isakmp_packet(r);
2442 return 1;
2443 }
2444
2445 /* Check the transaction type & message ID are OK. */
2446 if (reject == 0 && r->message_id != msgid)
2447 reject = ISAKMP_N_INVALID_MESSAGE_ID;
2448 if (reject == 0 && r->exchange_type != ISAKMP_EXCHANGE_MODECFG_TRANSACTION)
2449 reject = ISAKMP_N_INVALID_EXCHANGE_TYPE;
2450
2451 /* After the hash, expect an attribute block. */
2452 if (reject == 0
2453 && (r->payload->next == NULL
2454 || r->payload->next->next != NULL
2455 || r->payload->next->type != ISAKMP_PAYLOAD_MODECFG_ATTR
2456 #if 0
2457 || r->payload->next->u.modecfg.id != 20
2458 #endif
2459 || r->payload->next->u.modecfg.type != ISAKMP_MODECFG_CFG_REPLY))
2460 reject = ISAKMP_N_PAYLOAD_MALFORMED;
2461
2462 if (reject != 0)
2463 phase2_fatal(s, "configuration response rejected: %s(%d)", reject);
2464
2465 if (reject == 0)
2466 reject = do_config_to_env(s, r->payload->next->u.modecfg.attributes);
2467
2468 if (reject != 0)
2469 phase2_fatal(s, "configuration response rejected: %s(%d)", reject);
2470
2471 DEBUG(1, printf("got address %s\n", getenv("INTERNAL_IP4_ADDRESS")));
2472 free_isakmp_packet(r);
2473 return 0;
2474 }
2475
2476 static struct isakmp_attribute *make_transform_ipsec(struct sa_block *s, int dh_group, int hash, int keylen)
2477 {
2478 struct isakmp_attribute *a = NULL;
2479
2480 a = new_isakmp_attribute(ISAKMP_IPSEC_ATTRIB_SA_LIFE_DURATION, a);
2481 a->af = isakmp_attr_lots;
2482 a->u.lots.length = 4;
2483 a->u.lots.data = xallocc(a->u.lots.length);
2484 *((uint32_t *) a->u.lots.data) = htonl(2147483);
2485 a = new_isakmp_attribute_16(ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE, IPSEC_LIFE_SECONDS, a);
2486
2487 if (dh_group)
2488 a = new_isakmp_attribute_16(ISAKMP_IPSEC_ATTRIB_GROUP_DESC, dh_group, a);
2489 a = new_isakmp_attribute_16(ISAKMP_IPSEC_ATTRIB_AUTH_ALG, hash, a);
2490 a = new_isakmp_attribute_16(ISAKMP_IPSEC_ATTRIB_ENCAP_MODE, s->ipsec.encap_mode, a);
2491 if (keylen != 0)
2492 a = new_isakmp_attribute_16(ISAKMP_IPSEC_ATTRIB_KEY_LENGTH, keylen, a);
2493
2494 return a;
2495 }
2496
2497 static struct isakmp_payload *make_our_sa_ipsec(struct sa_block *s)
2498 {
2499 struct isakmp_payload *r;
2500 struct isakmp_payload *p = NULL, *pn;
2501 struct isakmp_attribute *a;
2502 int dh_grp = get_dh_group_ipsec(s->ipsec.do_pfs)->ipsec_sa_id;
2503 unsigned int crypt, hash, keylen;
2504 int i;
2505
2506 r = new_isakmp_payload(ISAKMP_PAYLOAD_SA);
2507 r->u.sa.doi = ISAKMP_DOI_IPSEC;
2508 r->u.sa.situation = ISAKMP_IPSEC_SIT_IDENTITY_ONLY;
2509 for (crypt = 0; supp_crypt[crypt].name != NULL; crypt++) {
2510 keylen = supp_crypt[crypt].keylen;
2511 for (hash = 0; supp_hash[hash].name != NULL; hash++) {
2512 pn = p;
2513 p = new_isakmp_payload(ISAKMP_PAYLOAD_P);
2514 p->u.p.spi_size = 4;
2515 p->u.p.spi = xallocc(4);
2516 /* The sadb_sa_spi field is already in network order. */
2517 memcpy(p->u.p.spi, &s->ipsec.rx.spi, 4);
2518 p->u.p.prot_id = ISAKMP_IPSEC_PROTO_IPSEC_ESP;
2519 p->u.p.transforms = new_isakmp_payload(ISAKMP_PAYLOAD_T);
2520 p->u.p.transforms->u.t.id = supp_crypt[crypt].ipsec_sa_id;
2521 a = make_transform_ipsec(s, dh_grp, supp_hash[hash].ipsec_sa_id, keylen);
2522 p->u.p.transforms->u.t.attributes = a;
2523 p->next = pn;
2524 }
2525 }
2526 for (i = 0, pn = p; pn; pn = pn->next)
2527 pn->u.p.number = i++;
2528 r->u.sa.proposals = p;
2529 return r;
2530 }
2531
2532 static void do_phase2_qm(struct sa_block *s)
2533 {
2534 struct isakmp_payload *rp, *us, *ke = NULL, *them, *nonce_r = NULL;
2535 struct isakmp_packet *r;
2536 struct group *dh_grp = NULL;
2537 uint32_t msgid;
2538 int reject;
2539 uint8_t nonce_i[20], *dh_public = NULL;
2540
2541 DEBUGTOP(2, printf("S7.1 QM_packet1\n"));
2542 /* Set up the Diffie-Hellman stuff. */
2543 if (get_dh_group_ipsec(s->ipsec.do_pfs)->my_id) {
2544 dh_grp = group_get(get_dh_group_ipsec(s->ipsec.do_pfs)->my_id);
2545 DEBUG(3, printf("len = %d\n", dh_getlen(dh_grp)));
2546 dh_public = xallocc(dh_getlen(dh_grp));
2547 dh_create_exchange(dh_grp, dh_public);
2548 hex_dump("dh_public", dh_public, dh_getlen(dh_grp), NULL);
2549 }
2550
2551 gcry_create_nonce((uint8_t *) & s->ipsec.rx.spi, sizeof(s->ipsec.rx.spi));
2552 rp = make_our_sa_ipsec(s); /* FIXME: LEAK: allocated memory never freed */
2553 gcry_create_nonce((uint8_t *) nonce_i, sizeof(nonce_i));
2554 rp->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_NONCE, nonce_i, sizeof(nonce_i));
2555
2556 us = new_isakmp_payload(ISAKMP_PAYLOAD_ID);
2557 us->u.id.type = ISAKMP_IPSEC_ID_IPV4_ADDR;
2558 us->u.id.length = 4;
2559 us->u.id.data = xallocc(4);
2560 memcpy(us->u.id.data, &s->our_address, sizeof(struct in_addr));
2561 them = new_isakmp_payload(ISAKMP_PAYLOAD_ID);
2562 them->u.id.type = ISAKMP_IPSEC_ID_IPV4_ADDR_SUBNET;
2563 them->u.id.length = 8;
2564 them->u.id.data = xallocc(8);
2565 init_netaddr((struct in_addr *)them->u.id.data,
2566 config[CONFIG_IPSEC_TARGET_NETWORK]);
2567 us->next = them;
2568 s->ipsec.life.start = time(NULL);
2569
2570 if (!dh_grp) {
2571 rp->next->next = us;
2572 } else {
2573 rp->next->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_KE,
2574 dh_public, dh_getlen(dh_grp));
2575 rp->next->next->next = us;
2576 }
2577
2578 gcry_create_nonce((uint8_t *) & msgid, sizeof(msgid));
2579 if (msgid == 0)
2580 msgid = 1;
2581
2582 DEBUGTOP(2, printf("S7.2 QM_packet2 send_receive\n"));
2583 sendrecv_phase2(s, rp, ISAKMP_EXCHANGE_IKE_QUICK,
2584 msgid, 0, 0, 0, 0, 0);
2585
2586 DEBUGTOP(2, printf("S7.3 QM_packet2 validate type\n"));
2587 reject = do_phase2_notice_check(s, &r, nonce_i, sizeof(nonce_i)); /* FIXME: LEAK */
2588
2589 /* Check the transaction type & message ID are OK. */
2590 if (reject == 0 && r->message_id != msgid)
2591 reject = ISAKMP_N_INVALID_MESSAGE_ID;
2592
2593 if (reject == 0 && r->exchange_type != ISAKMP_EXCHANGE_IKE_QUICK)
2594 reject = ISAKMP_N_INVALID_EXCHANGE_TYPE;
2595
2596 /* The SA payload must be second. */
2597 if (reject == 0 && r->payload->next->type != ISAKMP_PAYLOAD_SA)
2598 reject = ISAKMP_N_INVALID_PAYLOAD_TYPE;
2599
2600 DEBUGTOP(2, printf("S7.5 QM_packet2 check reject offer\n"));
2601 if (reject != 0)
2602 phase2_fatal(s, "quick mode response rejected: %s(%d)\n"
2603 "this means the concentrator did not like what we had to offer.\n"
2604 "Possible reasons are:\n"
2605 " * concentrator configured to require a firewall\n"
2606 " this locks out even Cisco clients on any platform except windows\n"
2607 " which is an obvious security improvement. There is no workaround (yet).\n"
2608 " * concentrator configured to require IP compression\n"
2609 " this is not yet supported by vpnc.\n"
2610 " Note: the Cisco Concentrator Documentation recommends against using\n"
2611 " compression, except on low-bandwith (read: ISDN) links, because it\n"
2612 " uses much CPU-resources on the concentrator\n",
2613 reject);
2614
2615 DEBUGTOP(2, printf("S7.6 QM_packet2 check and process proposal\n"));
2616 for (rp = r->payload->next; rp && reject == 0; rp = rp->next)
2617 switch (rp->type) {
2618 case ISAKMP_PAYLOAD_SA:
2619 if (reject == 0 && rp->u.sa.doi != ISAKMP_DOI_IPSEC)
2620 reject = ISAKMP_N_DOI_NOT_SUPPORTED;
2621 if (reject == 0 && rp->u.sa.situation != ISAKMP_IPSEC_SIT_IDENTITY_ONLY)
2622 reject = ISAKMP_N_SITUATION_NOT_SUPPORTED;
2623 if (reject == 0 &&
2624 (rp->u.sa.proposals == NULL || rp->u.sa.proposals->next != NULL))
2625 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2626 if (reject == 0 &&
2627 rp->u.sa.proposals->u.p.prot_id != ISAKMP_IPSEC_PROTO_IPSEC_ESP)
2628 reject = ISAKMP_N_INVALID_PROTOCOL_ID;
2629 if (reject == 0 && rp->u.sa.proposals->u.p.spi_size != 4)
2630 reject = ISAKMP_N_INVALID_SPI;
2631 if (reject == 0 &&
2632 (rp->u.sa.proposals->u.p.transforms == NULL
2633 || rp->u.sa.proposals->u.p.transforms->next != NULL))
2634 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2635 if (reject == 0) {
2636 struct isakmp_attribute *a
2637 = rp->u.sa.proposals->u.p.transforms->u.t.attributes;
2638 int seen_enc = rp->u.sa.proposals->u.p.transforms->u.t.id;
2639 int seen_auth = 0, seen_encap = 0, seen_group = 0, seen_keylen = 0;
2640
2641 memcpy(&s->ipsec.tx.spi, rp->u.sa.proposals->u.p.spi, 4);
2642
2643 for (; a && reject == 0; a = a->next)
2644 switch (a->type) {
2645 case ISAKMP_IPSEC_ATTRIB_AUTH_ALG:
2646 if (a->af == isakmp_attr_16)
2647 seen_auth = a->u.attr_16;
2648 else
2649 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2650 break;
2651 case ISAKMP_IPSEC_ATTRIB_ENCAP_MODE:
2652 if (a->af == isakmp_attr_16 &&
2653 a->u.attr_16 == s->ipsec.encap_mode)
2654 seen_encap = 1;
2655 else
2656 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2657 break;
2658 case ISAKMP_IPSEC_ATTRIB_GROUP_DESC:
2659 if (dh_grp &&
2660 a->af == isakmp_attr_16 &&
2661 a->u.attr_16 ==
2662 get_dh_group_ipsec(s->ipsec.do_pfs)->ipsec_sa_id)
2663 seen_group = 1;
2664 else
2665 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2666 break;
2667 case ISAKMP_IPSEC_ATTRIB_KEY_LENGTH:
2668 if (a->af == isakmp_attr_16)
2669 seen_keylen = a->u.attr_16;
2670 else
2671 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2672 break;
2673 case ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE:
2674 /* lifetime duration MUST follow lifetype attribute */
2675 if (a->next->type == ISAKMP_IPSEC_ATTRIB_SA_LIFE_DURATION) {
2676 lifetime_ipsec_process(s, a);
2677 } else
2678 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2679 break;
2680 case ISAKMP_IPSEC_ATTRIB_SA_LIFE_DURATION:
2681 /* already processed above in ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE: */
2682 break;
2683 default:
2684 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
2685 break;
2686 }
2687 if (reject == 0 && (!seen_auth || !seen_encap ||
2688 (dh_grp && !seen_group)))
2689 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2690
2691 if (reject == 0
2692 && get_algo(SUPP_ALGO_HASH, SUPP_ALGO_IPSEC_SA, seen_auth,
2693 NULL, 0) == NULL)
2694 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2695 if (reject == 0
2696 && get_algo(SUPP_ALGO_CRYPT, SUPP_ALGO_IPSEC_SA, seen_enc,
2697 NULL, seen_keylen) == NULL)
2698 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2699
2700 if (reject == 0) {
2701 s->ipsec.cry_algo =
2702 get_algo(SUPP_ALGO_CRYPT, SUPP_ALGO_IPSEC_SA,
2703 seen_enc, NULL, seen_keylen)->my_id;
2704 s->ipsec.md_algo =
2705 get_algo(SUPP_ALGO_HASH, SUPP_ALGO_IPSEC_SA,
2706 seen_auth, NULL, 0)->my_id;
2707 if (s->ipsec.cry_algo) {
2708 gcry_cipher_algo_info(s->ipsec.cry_algo, GCRYCTL_GET_KEYLEN, NULL, &(s->ipsec.key_len));
2709 gcry_cipher_algo_info(s->ipsec.cry_algo, GCRYCTL_GET_BLKLEN, NULL, &(s->ipsec.blk_len));
2710 s->ipsec.iv_len = s->ipsec.blk_len;
2711 } else {
2712 s->ipsec.key_len = 0;
2713 s->ipsec.iv_len = 0;
2714 s->ipsec.blk_len = 8; /* seems to be this without encryption... */
2715 }
2716 s->ipsec.md_len = gcry_md_get_algo_dlen(s->ipsec.md_algo);
2717 DEBUG(1, printf("IPSEC SA selected %s-%s\n",
2718 get_algo(SUPP_ALGO_CRYPT,
2719 SUPP_ALGO_IPSEC_SA, seen_enc, NULL,
2720 seen_keylen)->name,
2721 get_algo(SUPP_ALGO_HASH, SUPP_ALGO_IPSEC_SA,
2722 seen_auth, NULL, 0)->name));
2723 if (s->ipsec.cry_algo == GCRY_CIPHER_DES && !opt_1des) {
2724 error(1, 0, "peer selected (single) DES as \"encrytion\" method.\n"
2725 "This algorithm is considered to weak today\n"
2726 "If your vpn concentrator admin still insists on using DES\n"
2727 "use the \"--enable-1des\" option.\n");
2728 } else if (s->ipsec.cry_algo == GCRY_CIPHER_NONE && !opt_no_encryption) {
2729 error(1, 0, "peer selected NULL as \"encrytion\" method.\n"
2730 "This is _no_ encryption at all.\n"
2731 "Your traffic is still protected against modification with %s\n"
2732 "If your vpn concentrator admin still insists on not using encryption\n"
2733 "use the \"--enable-no-encryption\" option.\n",
2734 get_algo(SUPP_ALGO_HASH, SUPP_ALGO_IPSEC_SA, seen_auth, NULL, 0)->name);
2735 }
2736 }
2737 }
2738 break;
2739
2740 case ISAKMP_PAYLOAD_N:
2741 if (reject == 0 && rp->u.n.type == ISAKMP_N_IPSEC_RESPONDER_LIFETIME) {
2742 if (rp->u.n.protocol == ISAKMP_IPSEC_PROTO_ISAKMP)
2743 lifetime_ike_process(s, rp->u.n.attributes);
2744 else if (rp->u.n.protocol == ISAKMP_IPSEC_PROTO_IPSEC_ESP)
2745 lifetime_ipsec_process(s, rp->u.n.attributes);
2746 else
2747 DEBUG(2, printf("got unknown lifetime notice, ignoring..\n"));
2748 }
2749 break;
2750 case ISAKMP_PAYLOAD_ID:
2751 /* FIXME: Parse payload ID and add route-env in case of ipv4_prefix */
2752 break;
2753 case ISAKMP_PAYLOAD_KE:
2754 ke = rp;
2755 break;
2756 case ISAKMP_PAYLOAD_NONCE:
2757 nonce_r = rp;
2758 break;
2759
2760 default:
2761 reject = ISAKMP_N_INVALID_PAYLOAD_TYPE;
2762 break;
2763 }
2764
2765 if (reject == 0 && nonce_r == NULL)
2766 reject = ISAKMP_N_INVALID_HASH_INFORMATION;
2767 if (reject == 0 && dh_grp && (ke == NULL || ke->u.ke.length != dh_getlen(dh_grp)))
2768 reject = ISAKMP_N_INVALID_KEY_INFORMATION;
2769 if (reject != 0)
2770 phase2_fatal(s, "quick mode response rejected [2]: %s(%d)", reject);
2771
2772 /* send final packet */
2773 sendrecv_phase2(s, NULL, ISAKMP_EXCHANGE_IKE_QUICK,
2774 msgid, 1, nonce_i, sizeof(nonce_i),
2775 nonce_r->u.nonce.data, nonce_r->u.nonce.length);
2776
2777 DEBUGTOP(2, printf("S7.7 QM_packet3 sent\n"));
2778
2779 DEBUGTOP(2, printf("S7.8 setup ipsec tunnel\n"));
2780 {
2781 unsigned char *dh_shared_secret = NULL;
2782
2783 if (dh_grp) {
2784 /* Determine the shared secret. */
2785 dh_shared_secret = xallocc(dh_getlen(dh_grp));
2786 dh_create_shared(dh_grp, dh_shared_secret, ke->u.ke.data);
2787 hex_dump("dh_shared_secret", dh_shared_secret, dh_getlen(dh_grp), NULL);
2788 }
2789
2790 s->ipsec.rx.key = gen_keymat(s, ISAKMP_IPSEC_PROTO_IPSEC_ESP, s->ipsec.rx.spi,
2791 dh_shared_secret, dh_grp ? dh_getlen(dh_grp) : 0,
2792 nonce_i, sizeof(nonce_i), nonce_r->u.nonce.data, nonce_r->u.nonce.length);
2793
2794 s->ipsec.tx.key = gen_keymat(s, ISAKMP_IPSEC_PROTO_IPSEC_ESP, s->ipsec.tx.spi,
2795 dh_shared_secret, dh_grp ? dh_getlen(dh_grp) : 0,
2796 nonce_i, sizeof(nonce_i), nonce_r->u.nonce.data, nonce_r->u.nonce.length);
2797
2798 if (dh_grp)
2799 group_free(dh_grp);
2800 free(dh_shared_secret);
2801 free_isakmp_packet(r);
2802
2803 if (s->esp_fd == 0) {
2804 if ((opt_natt_mode == NATT_CISCO_UDP) && s->ipsec.peer_udpencap_port) {
2805 s->esp_fd = make_socket(s, opt_udpencapport, s->ipsec.peer_udpencap_port);
2806 s->ipsec.encap_mode = IPSEC_ENCAP_UDP_TUNNEL;
2807 s->ipsec.natt_active_mode = NATT_ACTIVE_CISCO_UDP;
2808 } else if (s->ipsec.encap_mode != IPSEC_ENCAP_TUNNEL) {
2809 s->esp_fd = s->ike_fd;
2810 } else {
2811 #ifdef IP_HDRINCL
2812 int hincl = 1;
2813 #endif
2814
2815 s->esp_fd = socket(PF_INET, SOCK_RAW, IPPROTO_ESP);
2816 if (s->esp_fd == -1) {
2817 close_tunnel(s);
2818 error(1, errno, "Couldn't open socket of ESP. Maybe something registered ESP already.\nPlease try '--natt-mode force-natt' or disable whatever is using ESP.\nsocket(PF_INET, SOCK_RAW, IPPROTO_ESP)");
2819 }
2820 #ifdef FD_CLOEXEC
2821 /* do not pass socket to vpnc-script, etc. */
2822 fcntl(s->esp_fd, F_SETFD, FD_CLOEXEC);
2823 #endif
2824 #ifdef IP_HDRINCL
2825 if (setsockopt(s->esp_fd, IPPROTO_IP, IP_HDRINCL, &hincl, sizeof(hincl)) == -1) {
2826 close_tunnel(s);
2827 error(1, errno, "setsockopt(esp_fd, IPPROTO_IP, IP_HDRINCL, 1)");
2828 }
2829 #endif
2830 }
2831 }
2832
2833 s->ipsec.rx.seq_id = s->ipsec.tx.seq_id = 1;
2834 }
2835 free(dh_public);
2836 }
2837
2838 static int do_rekey(struct sa_block *s, struct isakmp_packet *r)
2839 {
2840 struct isakmp_payload *rp, *ke = NULL, *nonce_i = NULL;
2841 struct isakmp_attribute *a;
2842 int seen_enc;
2843 int seen_auth = 0, seen_encap = 0, seen_group = 0, seen_keylen = 0;
2844 int nonce_i_copy_len;
2845 struct group *dh_grp = NULL;
2846 uint8_t nonce_r[20], *dh_public = NULL, *nonce_i_copy = NULL;
2847 unsigned char *dh_shared_secret = NULL;
2848
2849 if (get_dh_group_ipsec(s->ipsec.do_pfs)->my_id) {
2850 dh_grp = group_get(get_dh_group_ipsec(s->ipsec.do_pfs)->my_id);
2851 DEBUG(3, printf("len = %d\n", dh_getlen(dh_grp)));
2852 dh_public = xallocc(dh_getlen(dh_grp));
2853 dh_create_exchange(dh_grp, dh_public);
2854 hex_dump("dh_public", dh_public, dh_getlen(dh_grp), NULL);
2855 }
2856
2857 rp = r->payload->next;
2858 /* rp->type == ISAKMP_PAYLOAD_SA, verified by caller */
2859
2860 if (rp->u.sa.doi != ISAKMP_DOI_IPSEC)
2861 return ISAKMP_N_DOI_NOT_SUPPORTED;
2862 if (rp->u.sa.situation != ISAKMP_IPSEC_SIT_IDENTITY_ONLY)
2863 return ISAKMP_N_SITUATION_NOT_SUPPORTED;
2864 if (rp->u.sa.proposals == NULL)
2865 return ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2866 if (rp->u.sa.proposals->u.p.prot_id != ISAKMP_IPSEC_PROTO_IPSEC_ESP)
2867 return ISAKMP_N_INVALID_PROTOCOL_ID;
2868 if (rp->u.sa.proposals->u.p.spi_size != 4)
2869 return ISAKMP_N_INVALID_SPI;
2870 if (rp->u.sa.proposals->u.p.transforms == NULL || rp->u.sa.proposals->u.p.transforms->next != NULL)
2871 return ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2872
2873 seen_enc = rp->u.sa.proposals->u.p.transforms->u.t.id;
2874
2875 memcpy(&s->ipsec.tx.spi, rp->u.sa.proposals->u.p.spi, 4);
2876
2877 for (a = rp->u.sa.proposals->u.p.transforms->u.t.attributes; a; a = a->next)
2878 switch (a->type) {
2879 case ISAKMP_IPSEC_ATTRIB_AUTH_ALG:
2880 if (a->af == isakmp_attr_16)
2881 seen_auth = a->u.attr_16;
2882 else
2883 return ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2884 break;
2885 case ISAKMP_IPSEC_ATTRIB_ENCAP_MODE:
2886 if (a->af == isakmp_attr_16 &&
2887 a->u.attr_16 == (
2888 (s->ipsec.natt_active_mode != NATT_ACTIVE_CISCO_UDP) ?
2889 s->ipsec.encap_mode :
2890 IPSEC_ENCAP_TUNNEL /* cisco-udp claims to use encap tunnel... */
2891 ))
2892 seen_encap = 1;
2893 else
2894 return ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2895 break;
2896 case ISAKMP_IPSEC_ATTRIB_GROUP_DESC:
2897 if (dh_grp && a->af == isakmp_attr_16 &&
2898 a->u.attr_16 == get_dh_group_ipsec(s->ipsec.do_pfs)->ipsec_sa_id)
2899 seen_group = 1;
2900 else
2901 return ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2902 break;
2903 case ISAKMP_IPSEC_ATTRIB_KEY_LENGTH:
2904 if (a->af == isakmp_attr_16)
2905 seen_keylen = a->u.attr_16;
2906 else
2907 return ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2908 break;
2909 case ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE:
2910 /* lifetime duration MUST follow lifetype attribute */
2911 if (a->next->type == ISAKMP_IPSEC_ATTRIB_SA_LIFE_DURATION) {
2912 lifetime_ipsec_process(s, a);
2913 } else
2914 return ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2915 break;
2916 case ISAKMP_IPSEC_ATTRIB_SA_LIFE_DURATION:
2917 /* already processed above in ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE: */
2918 break;
2919 default:
2920 return ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
2921 break;
2922 }
2923 if (!seen_auth || !seen_encap || (dh_grp && !seen_group))
2924 return ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2925
2926 /* FIXME: Current code has a limitation that will cause problems if
2927 * different algorithms are negotiated during re-keying
2928 */
2929 if ((get_algo(SUPP_ALGO_HASH, SUPP_ALGO_IPSEC_SA, seen_auth, NULL, 0) == NULL) ||
2930 (get_algo(SUPP_ALGO_CRYPT, SUPP_ALGO_IPSEC_SA, seen_enc, NULL, seen_keylen) == NULL)) {
2931 printf("\nFIXME: vpnc doesn't support change of algorightms during rekeying\n");
2932 return ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2933 }
2934
2935 /* we don't want to change ciphers during rekeying */
2936 if (s->ipsec.cry_algo != get_algo(SUPP_ALGO_CRYPT, SUPP_ALGO_IPSEC_SA, seen_enc, NULL, seen_keylen)->my_id)
2937 return ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2938 if (s->ipsec.md_algo != get_algo(SUPP_ALGO_HASH, SUPP_ALGO_IPSEC_SA, seen_auth, NULL, 0)->my_id)
2939 return ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2940
2941 for (rp = rp->next; rp; rp = rp->next)
2942 switch (rp->type) {
2943 case ISAKMP_PAYLOAD_ID:
2944 /* FIXME: Parse payload ID and add route-env in case of ipv4_prefix */
2945 break;
2946 case ISAKMP_PAYLOAD_KE:
2947 ke = rp;
2948 break;
2949 case ISAKMP_PAYLOAD_NONCE:
2950 nonce_i = rp;
2951 break;
2952 default:
2953 return ISAKMP_N_INVALID_PAYLOAD_TYPE;
2954 break;
2955 }
2956
2957 if ((dh_grp && ke == NULL) || nonce_i == NULL)
2958 return ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2959
2960 DEBUG(3, printf("everything fine so far...\n"));
2961 gcry_create_nonce((uint8_t *) nonce_r, sizeof(nonce_r));
2962 gcry_create_nonce((uint8_t *) & s->ipsec.rx.spi, sizeof(s->ipsec.rx.spi));
2963
2964 if (dh_grp) {
2965 /* Determine the shared secret. */
2966 dh_shared_secret = xallocc(dh_getlen(dh_grp));
2967 dh_create_shared(dh_grp, dh_shared_secret, ke->u.ke.data);
2968 hex_dump("dh_shared_secret", dh_shared_secret, dh_getlen(dh_grp), NULL);
2969 }
2970
2971 free(s->ipsec.rx.key);
2972 free(s->ipsec.tx.key);
2973
2974 s->ipsec.rx.key = gen_keymat(s, ISAKMP_IPSEC_PROTO_IPSEC_ESP, s->ipsec.rx.spi,
2975 dh_shared_secret, dh_grp ? dh_getlen(dh_grp) : 0,
2976 nonce_i->u.nonce.data, nonce_i->u.nonce.length, nonce_r, sizeof(nonce_r));
2977
2978 s->ipsec.tx.key = gen_keymat(s, ISAKMP_IPSEC_PROTO_IPSEC_ESP, s->ipsec.tx.spi,
2979 dh_shared_secret, dh_grp ? dh_getlen(dh_grp) : 0,
2980 nonce_i->u.nonce.data, nonce_i->u.nonce.length, nonce_r, sizeof(nonce_r));
2981
2982 s->ipsec.rx.key_cry = s->ipsec.rx.key;
2983 s->ipsec.rx.key_md = s->ipsec.rx.key + s->ipsec.key_len;
2984 s->ipsec.tx.key_cry = s->ipsec.tx.key;
2985 s->ipsec.tx.key_md = s->ipsec.tx.key + s->ipsec.key_len;
2986
2987 nonce_i_copy_len = nonce_i->u.nonce.length;
2988 nonce_i_copy = xallocc(nonce_i_copy_len);
2989 memcpy(nonce_i_copy, nonce_i->u.nonce.data, nonce_i_copy_len);
2990
2991 s->ipsec.rx.seq_id = s->ipsec.tx.seq_id = 1;
2992 s->ipsec.life.start = time(NULL);
2993 s->ipsec.life.tx = 0;
2994 s->ipsec.life.rx = 0;
2995
2996 if (s->ipsec.cry_algo) {
2997 gcry_cipher_setkey(s->ipsec.rx.cry_ctx, s->ipsec.rx.key_cry, s->ipsec.key_len);
2998 gcry_cipher_setkey(s->ipsec.tx.cry_ctx, s->ipsec.tx.key_cry, s->ipsec.key_len);
2999 }
3000
3001 /* use request as template and just exchange some values */
3002 /* this overwrites data in nonce_i, ke! */
3003 rp = r->payload->next;
3004 /* SA, change the SPI */
3005 memcpy(rp->u.sa.proposals->u.p.spi, &s->ipsec.rx.spi, 4);
3006
3007 for (rp = rp->next; rp; rp = rp->next)
3008 switch (rp->type) {
3009 case ISAKMP_PAYLOAD_ID:
3010 break;
3011 case ISAKMP_PAYLOAD_KE:
3012 memcpy(rp->u.ke.data, dh_public, dh_getlen(dh_grp));
3013 break;
3014 case ISAKMP_PAYLOAD_NONCE:
3015 memcpy(rp->u.nonce.data, nonce_r, sizeof(nonce_r));
3016 break;
3017 default:
3018 assert(0);
3019 break;
3020 }
3021
3022 sendrecv_phase2(s, r->payload->next, ISAKMP_EXCHANGE_IKE_QUICK,
3023 r->message_id, 0, nonce_i_copy, nonce_i_copy_len, 0,0);
3024 unpack_verify_phase2(s, r_packet, r_length, &r, NULL, 0);
3025 free(nonce_i_copy);
3026 /* don't care about answer ... */
3027
3028 return 0;
3029 }
3030
3031 void process_late_ike(struct sa_block *s, uint8_t *r_packet, ssize_t r_length)
3032 {
3033 int reject;
3034 struct isakmp_packet *r;
3035 struct isakmp_payload *rp;
3036
3037 DEBUG(2,printf("got late ike packet: %zd bytes\n", r_length));
3038 /* we should ignore resent packets here.
3039 * unpack_verify_phase2 will fail to decode them probably */
3040 reject = unpack_verify_phase2(s, r_packet, r_length, &r, NULL, 0);
3041
3042 /* just ignore broken stuff for now */
3043 if (reject != 0) {
3044 if (r) free_isakmp_packet(r);
3045 return;
3046 }
3047
3048 /* everything must be encrypted by now */
3049 if (r->payload == NULL || r->payload->type != ISAKMP_PAYLOAD_HASH) {
3050 free_isakmp_packet(r);
3051 return;
3052 }
3053
3054 /* empty packet? well, nothing to see here */
3055 if (r->payload->next == NULL) {
3056 free_isakmp_packet(r);
3057 return;
3058 }
3059
3060 /* do we get an SA proposal for rekeying? */
3061 if (r->exchange_type == ISAKMP_EXCHANGE_IKE_QUICK &&
3062 r->payload->next->type == ISAKMP_PAYLOAD_SA) {
3063 reject = do_rekey(s, r);
3064 DEBUG(3, printf("do_rekey returned: %d\n", reject));
3065 /* FIXME: LEAK but will create segfault for double free */
3066 /* free_isakmp_packet(r); */
3067 return;
3068 }
3069
3070 if (r->exchange_type == ISAKMP_EXCHANGE_INFORMATIONAL) {
3071 /* Search for notify payloads */
3072 for (rp = r->payload->next; rp; rp = rp->next) {
3073 if (rp->type != ISAKMP_PAYLOAD_N)
3074 continue;
3075 /* did we get a DPD request or ACK? */
3076 if (rp->u.n.protocol != ISAKMP_IPSEC_PROTO_ISAKMP) {
3077 DEBUG(2, printf("got non isakmp-notify, ignoring...\n"));
3078 continue;
3079 }
3080 if (rp->u.n.type == ISAKMP_N_R_U_THERE) {
3081 uint32_t seq;
3082 if (rp->u.n.data_length != 4) {
3083 DEBUG(2, printf("ignoring bad data length R-U-THERE request\n"));
3084 continue;
3085 }
3086 seq = ntohl(*((uint32_t *) rp->u.n.data));
3087 send_dpd(s, 1, seq);
3088 DEBUG(2, printf("got r-u-there request sent ack\n"));
3089 continue;
3090 } else if (rp->u.n.type == ISAKMP_N_R_U_THERE_ACK) {
3091 uint32_t seqack;
3092 if (rp->u.n.data_length != 4) {
3093 DEBUG(2, printf("ignoring bad data length R-U-THERE-ACK\n"));
3094 continue;
3095 }
3096 seqack = ntohl(*((uint32_t *) rp->u.n.data));
3097 if (seqack == s->ike.dpd_seqno) {
3098 s->ike.dpd_seqno_ack = seqack;
3099 } else {
3100 DEBUG(2, printf("ignoring r-u-there ack %u (expecting %u)\n", seqack, s->ike.dpd_seqno));
3101 continue;
3102 }
3103 DEBUG(2, printf("got r-u-there ack\n"));
3104 }
3105 }
3106 }
3107
3108 /* check if our isakmp sa gets deleted */
3109 for (rp = r->payload->next; rp; rp = rp->next) {
3110 /* search for delete payloads */
3111 if (rp->type != ISAKMP_PAYLOAD_D)
3112 continue;
3113 if (rp->u.d.protocol == ISAKMP_IPSEC_PROTO_IPSEC_ESP) {
3114 /* RFC2408, 5.15:
3115 * Process the Delete payload and take appropriate action, according
3116 * to local security policy. As described above, one appropriate
3117 * action SHOULD include cleaning up the local SA database.
3118 */
3119 /* FIXME: any cleanup needed??? */
3120
3121 if (rp->u.d.num_spi >= 1 && memcmp(rp->u.d.spi[0], &s->ipsec.tx.spi, 4) == 0) {
3122 free_isakmp_packet(r);
3123 do_phase2_qm(s);
3124 return;
3125 } else {
3126 DEBUG(2, printf("got isakmp delete with bogus spi (expected %d, received %d), ignoring...\n", s->ipsec.tx.spi, *(rp->u.d.spi[0]) ));
3127 continue;
3128 }
3129 }
3130 /* skip ipsec-esp delete */
3131 if (rp->u.d.protocol != ISAKMP_IPSEC_PROTO_ISAKMP) {
3132 DEBUG(2, printf("got non isakmp-delete, ignoring...\n"));
3133 continue;
3134 };
3135
3136 /*
3137 * RFC 2408, 3.15 Delete Payload
3138 * it is not stated that the SPI field of a delete
3139 * payload can be ignored, because it is given in
3140 * the headers, but I assume so. In other cases
3141 * RFC 2408 (notifications) states this.
3142 */
3143 do_kill = -1;
3144 DEBUG(2, printf("got isakmp-delete, terminating...\n"));
3145 free_isakmp_packet(r);
3146 return;
3147 }
3148
3149 free_isakmp_packet(r);
3150 return;
3151 }
3152
3153 int main(int argc, char **argv)
3154 {
3155 int do_load_balance;
3156 const uint8_t hex_test[] = { 0, 1, 2, 3 };
3157 struct sa_block oursa[1];
3158 struct sa_block *s = oursa;
3159
3160 test_pack_unpack();
3161 #if defined(__CYGWIN__)
3162 gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
3163 #endif
3164 gcry_check_version("1.1.90");
3165 gcry_control(GCRYCTL_INIT_SECMEM, 16384, 0);
3166 group_init();
3167
3168 memset(s, 0, sizeof(*s));
3169 s->ipsec.encap_mode = IPSEC_ENCAP_TUNNEL;
3170 s->ike.timeout = 1000; /* 1 second */
3171
3172 do_config(argc, argv);
3173
3174 DEBUG(1, printf("\nvpnc version " VERSION "\n"));
3175 hex_dump("hex_test", hex_test, sizeof(hex_test), NULL);
3176
3177 DEBUGTOP(2, printf("S1 init_sockaddr\n"));
3178 init_sockaddr(&s->dst, config[CONFIG_IPSEC_GATEWAY]);
3179 init_sockaddr(&s->opt_src_ip, config[CONFIG_LOCAL_ADDR]);
3180 DEBUGTOP(2, printf("S2 make_socket\n"));
3181 s->ike.src_port = atoi(config[CONFIG_LOCAL_PORT]);
3182 s->ike.dst_port = ISAKMP_PORT;
3183 s->ike_fd = make_socket(s, s->ike.src_port, s->ike.dst_port);
3184 DEBUGTOP(2, printf("S3 setup_tunnel\n"));
3185 setup_tunnel(s);
3186
3187 do_load_balance = 0;
3188 do {
3189 DEBUGTOP(2, printf("S4 do_phase1_am\n"));
3190 do_phase1_am(config[CONFIG_IPSEC_ID], config[CONFIG_IPSEC_SECRET], s);
3191 DEBUGTOP(2, printf("S5 do_phase2_xauth\n"));
3192 /* FIXME: Create and use a generic function in supp.[hc] */
3193 if (s->ike.auth_algo >= IKE_AUTH_HybridInitRSA)
3194 do_load_balance = do_phase2_xauth(s);
3195 DEBUGTOP(2, printf("S6 do_phase2_config\n"));
3196 if ((opt_vendor == VENDOR_CISCO) && (do_load_balance == 0))
3197 do_load_balance = do_phase2_config(s);
3198 } while (do_load_balance);
3199 DEBUGTOP(2, printf("S7 setup_link (phase 2 + main_loop)\n"));
3200 DEBUGTOP(2, printf("S7.0 run interface setup script\n"));
3201 config_tunnel(s);
3202 do_phase2_qm(s);
3203 DEBUGTOP(2, printf("S7.9 main loop (receive and transmit ipsec packets)\n"));
3204 vpnc_doit(s);
3205
3206 /* Tear down phase 2 and 1 tunnels */
3207 send_delete_ipsec(s);
3208 send_delete_isakmp(s);
3209
3210 /* Cleanup routing */
3211 DEBUGTOP(2, printf("S8 close_tunnel\n"));
3212 close_tunnel(s);
3213
3214 /* Free resources */
3215 DEBUGTOP(2, printf("S9 cleanup\n"));
3216 cleanup(s);
3217
3218 return 0;
3219 }
client for cisco vpn concentrator