search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Stefan Seyfried <seife+obs@b1-systems.com>
[vpnc.git] / vpnc.c
blobd96dc9a584f2b3d8a4a3276746ba9def0410c0e1
1 /* IPSec VPN client compatible with Cisco equipment.
2 Copyright (C) 2002 Geoffrey Keating
3 Copyright (C) 2003-2005 Maurice Massar
4 Copyright (C) 2004 Tomas Mraz
5 Copyright (C) 2004 Martin von Gagern
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 2 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program; if not, write to the Free Software
19 Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
20
21 $Id$
22 */
23
24 #define _GNU_SOURCE
25 #include <assert.h>
26 #include <unistd.h>
27 #include <sys/fcntl.h>
28 #include <stdio.h>
29 #include <errno.h>
30 #include <string.h>
31 #include <time.h>
32 #include <stdlib.h>
33 #include <sys/socket.h>
34 #include <netinet/in.h>
35 #include <netdb.h>
36 #include <arpa/inet.h>
37 #include <poll.h>
38 #include <sys/ioctl.h>
39 #include <sys/utsname.h>
40
41 #include <gcrypt.h>
42
43 #include "crypto.h"
44 #include "sysdep.h"
45 #include "config.h"
46 #include "isakmp-pkt.h"
47 #include "math_group.h"
48 #include "dh.h"
49 #include "vpnc.h"
50 #include "tunip.h"
51 #include "supp.h"
52
53 #if defined(__CYGWIN__)
54 GCRY_THREAD_OPTION_PTHREAD_IMPL;
55 #endif
56
57 #define ISAKMP_PORT (500)
58 #define ISAKMP_PORT_NATT (4500)
59
60 const unsigned char VID_XAUTH[] = { /* "draft-ietf-ipsra-isakmp-xauth-06.txt"/8 */
61 0x09, 0x00, 0x26, 0x89, 0xDF, 0xD6, 0xB7, 0x12
62 };
63 const unsigned char VID_DPD[] = { /* Dead Peer Detection, RFC 3706 */
64 0xAF, 0xCA, 0xD7, 0x13, 0x68, 0xA1, 0xF1, 0xC9,
65 0x6B, 0x86, 0x96, 0xFC, 0x77, 0x57, 0x01, 0x00
66 };
67 const unsigned char VID_UNITY[] = { /* "CISCO-UNITY"/14 + major + minor */
68 0x12, 0xF5, 0xF2, 0x8C, 0x45, 0x71, 0x68, 0xA9,
69 0x70, 0x2D, 0x9F, 0xE2, 0x74, 0xCC, 0x01, 0x00
70 };
71 const unsigned char VID_UNKNOWN[] = {
72 0x12, 0x6E, 0x1F, 0x57, 0x72, 0x91, 0x15, 0x3B,
73 0x20, 0x48, 0x5F, 0x7F, 0x15, 0x5B, 0x4B, 0xC8
74 };
75 const unsigned char VID_NATT_00[] = { /* "draft-ietf-ipsec-nat-t-ike-00" */
76 0x44, 0x85, 0x15, 0x2d, 0x18, 0xb6, 0xbb, 0xcd,
77 0x0b, 0xe8, 0xa8, 0x46, 0x95, 0x79, 0xdd, 0xcc
78 };
79 const unsigned char VID_NATT_01[] = { /* "draft-ietf-ipsec-nat-t-ike-01" */
80 0x16, 0xf6, 0xca, 0x16, 0xe4, 0xa4, 0x06, 0x6d,
81 0x83, 0x82, 0x1a, 0x0f, 0x0a, 0xea, 0xa8, 0x62
82 };
83 const unsigned char VID_NATT_02[] = { /* "draft-ietf-ipsec-nat-t-ike-02" */
84 0xcd, 0x60, 0x46, 0x43, 0x35, 0xdf, 0x21, 0xf8,
85 0x7c, 0xfd, 0xb2, 0xfc, 0x68, 0xb6, 0xa4, 0x48
86 };
87 const unsigned char VID_NATT_02N[] = { /* "draft-ietf-ipsec-nat-t-ike-02\n" */
88 0x90, 0xCB, 0x80, 0x91, 0x3E, 0xBB, 0x69, 0x6E,
89 0x08, 0x63, 0x81, 0xB5, 0xEC, 0x42, 0x7B, 0x1F
90 };
91 const unsigned char VID_NATT_03[] = { /* "draft-ietf-ipsec-nat-t-ike-03" */
92 0x7d, 0x94, 0x19, 0xa6, 0x53, 0x10, 0xca, 0x6f,
93 0x2c, 0x17, 0x9d, 0x92, 0x15, 0x52, 0x9d, 0x56
94 };
95 const unsigned char VID_NATT_RFC[] = { /* "RFC 3947" */
96 0x4A, 0x13, 0x1C, 0x81, 0x07, 0x03, 0x58, 0x45,
97 0x5C, 0x57, 0x28, 0xF2, 0x0E, 0x95, 0x45, 0x2F
98 };
99 const unsigned char VID_DWR[] = { /* DWR: Delete with reason */
100 0x2D, 0x79, 0x22, 0xC6, 0xB3, 0x01, 0xD9, 0xB0,
101 0xE1, 0x34, 0x27, 0x39, 0xE9, 0xCF, 0xBB, 0xD5
102 };
103 /* Cisco Unknown1:
104 *const unsigned char VID_CISCO_UNKNOWN_1[] = {
105 * 1f07f70eaa6514d3b0fa96542a500407
106 *};
107 */
108
109 const unsigned char VID_CISCO_FRAG[] = { /* "FRAGMENTATION" */
110 0x40, 0x48, 0xB7, 0xD5, 0x6E, 0xBC, 0xE8, 0x85,
111 0x25, 0xE7, 0xDE, 0x7F, 0x00, 0xD6, 0xC2, 0xD3,
112 0x80, 0x00, 0x00, 0x00
113 };
114 const unsigned char VID_NETSCREEN_15[] = { /* netscreen 15 */
115 0x16, 0x6f, 0x93, 0x2d, 0x55, 0xeb, 0x64, 0xd8,
116 0xe4, 0xdf, 0x4f, 0xd3, 0x7e, 0x23, 0x13, 0xf0,
117 0xd0, 0xfd, 0x84, 0x51, 0x00, 0x00, 0x00, 0x00,
118 0x00, 0x00, 0x00, 0x00
119 };
120 const unsigned char VID_HEARTBEAT_NOTIFY[] = { /* Heartbeat Notify */
121 0x48, 0x65, 0x61, 0x72, 0x74, 0x42, 0x65, 0x61,
122 0x74, 0x5f, 0x4e, 0x6f, 0x74, 0x69, 0x66, 0x79,
123 0x38, 0x6b, 0x01, 0x00
124 };
125 const unsigned char VID_NORTEL_CONT[] = { /* BNES: Bay Networks Enterprise Switch + version/id of some kind */
126 0x42, 0x4e, 0x45, 0x53, 0x00, 0x00, 0x00, 0x0a
127 };
128
129 const unsigned char FW_UNKNOWN_TYPEINFO[] = {
130 0x80, 0x01, 0x00, 0x01, 0x80, 0x02, 0x00, 0x01,
131 0x80, 0x03, 0x00, 0x02
132 };
133
134 struct vid_element {
135 const unsigned char* valueptr;
136 const uint16_t length;
137 const char* descr;
138 };
139
140 const struct vid_element vid_list[] = {
141 { VID_XAUTH, sizeof(VID_XAUTH), "Xauth" },
142 { VID_DPD, sizeof(VID_DPD), "DPD" },
143 { VID_UNITY, sizeof(VID_UNITY), "Cisco Unity" },
144 { VID_NATT_00, sizeof(VID_NATT_00), "Nat-T 00" },
145 { VID_NATT_01, sizeof(VID_NATT_01), "Nat-T 01" },
146 { VID_NATT_02, sizeof(VID_NATT_02), "Nat-T 02" },
147 { VID_NATT_02N, sizeof(VID_NATT_02N), "Nat-T 02N" },
148 { VID_NATT_03, sizeof(VID_NATT_03), "Nat-T 03" },
149 { VID_NATT_RFC, sizeof(VID_NATT_RFC), "Nat-T RFC" },
150 { VID_DWR, sizeof(VID_DWR), "Delete With Reason" },
151 { VID_CISCO_FRAG, sizeof(VID_CISCO_FRAG), "Cisco Fragmentation" },
152 { VID_NETSCREEN_15, sizeof(VID_NETSCREEN_15), "Netscreen 15" },
153 { VID_NORTEL_CONT, sizeof(VID_NORTEL_CONT), "Nortel Contivity" },
154 { VID_HEARTBEAT_NOTIFY, sizeof(VID_HEARTBEAT_NOTIFY), "Heartbeat Notify" },
155
156 { NULL, 0, NULL }
157 };
158
159 /* What are DWR-Code and DWR-Text ? */
160
161 static uint8_t r_packet[8192];
162 static ssize_t r_length;
163
164 void print_vid(const unsigned char *vid, uint16_t len) {
165
166 int vid_index = 0;
167
168 if (opt_debug < 2)
169 return;
170
171 while (vid_list[vid_index].length) {
172 if (len == vid_list[vid_index].length &&
173 memcmp(vid_list[vid_index].valueptr, vid, len) == 0) {
174 printf(" (%s)\n", vid_list[vid_index].descr);
175 return;
176 }
177 vid_index++;
178 }
179 printf(" (unknown)\n");
180 }
181
182 static __inline__ int min(int a, int b)
183 {
184 return (a < b) ? a : b;
185 }
186
187 static void addenv(const void *name, const char *value)
188 {
189 char *strbuf = NULL, *oldval;
190
191 oldval = getenv(name);
192 if (oldval != NULL) {
193 strbuf = xallocc(strlen(oldval) + 1 + strlen(value) + 1);
194 strcat(strbuf, oldval);
195 strcat(strbuf, " ");
196 strcat(strbuf, value);
197 }
198
199 setenv(name, strbuf ? strbuf : value, 1);
200
201 free(strbuf);
202 }
203
204 static void addenv_ipv4(const void *name, uint8_t * data)
205 {
206 addenv(name, inet_ntoa(*((struct in_addr *)data)));
207 }
208
209 static int make_socket(struct sa_block *s, uint16_t src_port, uint16_t dst_port)
210 {
211 int sock;
212 struct sockaddr_in name;
213 socklen_t len = sizeof(name);
214
215 /* create the socket */
216 sock = socket(PF_INET, SOCK_DGRAM, 0);
217 if (sock < 0)
218 error(1, errno, "making socket");
219
220 #ifdef FD_CLOEXEC
221 /* do not pass socket to vpnc-script, etc. */
222 fcntl(sock, F_SETFD, FD_CLOEXEC);
223 #endif
224
225 /* give the socket a name */
226 name.sin_family = AF_INET;
227 name.sin_addr = s->opt_src_ip;
228 name.sin_port = htons(src_port);
229 if (bind(sock, (struct sockaddr *)&name, sizeof(name)) < 0)
230 error(1, errno, "Error binding to source port. Try '--local-port 0'\nFailed to bind to %s:%d", inet_ntoa(s->opt_src_ip), src_port);
231
232 /* connect the socket */
233 name.sin_family = AF_INET;
234 name.sin_addr = s->dst;
235 name.sin_port = htons(dst_port);
236 if (connect(sock, (struct sockaddr *)&name, sizeof(name)) < 0)
237 error(1, errno, "connecting to port %d", ntohs(dst_port));
238
239 /* who am I */
240 if (getsockname(sock, (struct sockaddr *)&name, &len) < 0)
241 error(1, errno, "reading local address from socket %d", sock);
242 s->src = name.sin_addr;
243
244 return sock;
245 }
246
247 static void cleanup(struct sa_block *s) {
248 if (s->ike_fd != 0) {
249 close(s->ike_fd);
250 s->ike_fd = 0;
251 }
252 if (s->esp_fd != 0) {
253 close(s->esp_fd);
254 s->esp_fd = 0;
255 }
256 if (s->ike.resend_hash) {
257 free(s->ike.resend_hash);
258 s->ike.resend_hash = NULL;
259 }
260 if (s->ike.skeyid_d) {
261 free(s->ike.skeyid_d);
262 s->ike.skeyid_d = NULL;
263 }
264 if (s->ike.skeyid_a) {
265 free(s->ike.skeyid_a);
266 s->ike.skeyid_a = NULL;
267 }
268 if (s->ike.initial_iv) {
269 free(s->ike.initial_iv);
270 s->ike.initial_iv = NULL;
271 }
272 if (s->ike.current_iv) {
273 free(s->ike.current_iv);
274 s->ike.current_iv = NULL;
275 }
276 if (s->ike.key) {
277 free(s->ike.key);
278 s->ike.key = NULL;
279 }
280 if (s->ipsec.rx.key) {
281 free(s->ipsec.rx.key);
282 s->ipsec.rx.key = NULL;
283 }
284 if (s->ipsec.tx.key) {
285 free(s->ipsec.tx.key);
286 s->ipsec.tx.key = NULL;
287 }
288 if (s->ipsec.rx.cry_ctx) {
289 gcry_cipher_close(s->ipsec.rx.cry_ctx);
290 s->ipsec.rx.cry_ctx = NULL;
291 }
292 if (s->ipsec.tx.cry_ctx) {
293 gcry_cipher_close(s->ipsec.tx.cry_ctx);
294 s->ipsec.tx.cry_ctx = NULL;
295 }
296 }
297
298 static void init_sockaddr(struct in_addr *dst, const char *hostname)
299 {
300 struct hostent *hostinfo;
301
302 if (inet_aton(hostname, dst) == 0) {
303 hostinfo = gethostbyname(hostname);
304 if (hostinfo == NULL)
305 error(1, 0, "unknown host `%s'\n", hostname);
306 *dst = *(struct in_addr *)hostinfo->h_addr;
307 }
308 }
309
310 static void init_netaddr(struct in_addr *net, const char *string)
311 {
312 char *p;
313
314 if ((p = strchr(string, '/')) != NULL) {
315 char *host = xallocc(p - string + 1);
316 memcpy(host, string, p - string + 1);
317 host[p - string] = '\0';
318 init_sockaddr((struct in_addr *)net, host);
319 free(host);
320 if (strchr(p + 1, '.') != NULL)
321 init_sockaddr(net + 1, p + 1);
322 else {
323 int bits = atoi(p + 1);
324 unsigned long mask = (1 << bits) - 1;
325 memcpy((char *)(net + 1), (char *)&mask, 4);
326 }
327 } else {
328 memset((char *)net, 0, 8);
329 }
330 }
331
332 static void setup_tunnel(struct sa_block *s)
333 {
334 setenv("reason", "pre-init", 1);
335 system(config[CONFIG_SCRIPT]);
336
337 if (config[CONFIG_IF_NAME])
338 memcpy(s->tun_name, config[CONFIG_IF_NAME], strlen(config[CONFIG_IF_NAME]));
339
340 s->tun_fd = tun_open(s->tun_name, opt_if_mode);
341 DEBUG(2, printf("using interface %s\n", s->tun_name));
342 setenv("TUNDEV", s->tun_name, 1);
343
344 if (s->tun_fd == -1)
345 error(1, errno, "can't initialise tunnel interface");
346 #ifdef FD_CLOEXEC
347 /* do not pass socket to vpnc-script, etc. */
348 fcntl(s->tun_fd, F_SETFD, FD_CLOEXEC);
349 #endif
350
351 if (opt_if_mode == IF_MODE_TAP) {
352 if (tun_get_hwaddr(s->tun_fd, s->tun_name, s->tun_hwaddr) < 0) {
353 error(1, errno, "can't get tunnel HW address");
354 }
355 hex_dump("interface HW addr", s->tun_hwaddr, ETH_ALEN, NULL);
356 }
357 }
358
359 static void config_tunnel(struct sa_block *s)
360 {
361 setenv("VPNGATEWAY", inet_ntoa(s->dst), 1);
362 setenv("reason", "connect", 1);
363 system(config[CONFIG_SCRIPT]);
364 }
365
366 static void close_tunnel(struct sa_block *s)
367 {
368 setenv("reason", "disconnect", 1);
369 system(config[CONFIG_SCRIPT]);
370 tun_close(s->tun_fd, s->tun_name);
371 }
372
373 static int recv_ignore_dup(struct sa_block *s, void *recvbuf, size_t recvbufsize)
374 {
375 uint8_t *resend_check_hash;
376 int recvsize, hash_len;
377
378 recvsize = recv(s->ike_fd, recvbuf, recvbufsize, 0);
379 if (recvsize < 0)
380 error(1, errno, "receiving packet");
381 if ((unsigned int)recvsize > recvbufsize)
382 error(1, errno, "received packet too large for buffer");
383
384 /* skip (not only) NAT-T draft-0 keepalives */
385 if ( /* (s->ipsec.natt_active_mode == NATT_ACTIVE_DRAFT_OLD) && */
386 (recvsize == 1) && (*((u_char *)(recvbuf)) == 0xff))
387 {
388 if ((s->ipsec.natt_active_mode != NATT_ACTIVE_DRAFT_OLD))
389 {
390 DEBUG(2, printf("Received UDP NAT-Keepalive bug nat active mode incorrect: %d\n", s->ipsec.natt_active_mode));
391 }
392 return -1;
393 }
394
395 hash_len = gcry_md_get_algo_dlen(GCRY_MD_SHA1);
396 resend_check_hash = malloc(hash_len);
397 gcry_md_hash_buffer(GCRY_MD_SHA1, resend_check_hash, recvbuf, recvsize);
398 if (s->ike.resend_hash && memcmp(s->ike.resend_hash, resend_check_hash, hash_len) == 0) {
399 free(resend_check_hash);
400 /* FIXME: if we get a retransmission, we probably should do a retransmission too */
401 DEBUG(2, printf("Received duplicated packet, dropping it!\n"));
402 return -1;
403 }
404 if (!s->ike.resend_hash) {
405 s->ike.resend_hash = resend_check_hash;
406 } else {
407 memcpy(s->ike.resend_hash, resend_check_hash, hash_len);
408 free(resend_check_hash);
409 }
410
411 return recvsize;
412 }
413
414 /* Send TOSEND of size SENDSIZE to the socket. Then wait for a new packet,
415 resending TOSEND on timeout, and ignoring duplicate packets; the
416 new packet is put in RECVBUF of size RECVBUFSIZE and the actual size
417 of the new packet is returned. */
418
419 static ssize_t sendrecv(struct sa_block *s, void *recvbuf, size_t recvbufsize, void *tosend, size_t sendsize, int sendonly)
420 {
421 struct pollfd pfd;
422 int tries = 0;
423 int recvsize = -1;
424 time_t start = time(NULL);
425 time_t end = 0;
426 void *realtosend;
427
428 pfd.fd = s->ike_fd;
429 pfd.events = POLLIN;
430 tries = 0;
431
432 if ((s->ipsec.natt_active_mode == NATT_ACTIVE_RFC) && (tosend != NULL)) {
433 DEBUG(2, printf("NAT-T mode, adding non-esp marker\n"));
434 realtosend = xallocc(sendsize+4);
435 memmove((char*)realtosend+4, tosend, sendsize);
436 sendsize += 4;
437 } else {
438 realtosend = tosend;
439 }
440
441 for (;;) {
442 int pollresult;
443
444 if (realtosend != NULL)
445 if (write(s->ike_fd, realtosend, sendsize) != (int)sendsize)
446 error(1, errno, "can't send packet");
447 if (sendonly)
448 break;
449
450 do {
451 pollresult = poll(&pfd, 1, s->ike.timeout << tries);
452 } while (pollresult == -1 && errno == EINTR);
453
454 if (pollresult == -1)
455 error(1, errno, "can't poll socket");
456 if (pollresult != 0) {
457 recvsize = recv_ignore_dup(s, recvbuf, recvbufsize);
458 end = time(NULL);
459 if (recvsize != -1)
460 break;
461 continue;
462 }
463
464 if (tries > 2)
465 error(1, 0, "no response from target");
466 tries++;
467 }
468
469 if (realtosend != tosend)
470 free(realtosend);
471
472 if (sendonly)
473 return 0;
474
475 if ((s->ipsec.natt_active_mode == NATT_ACTIVE_RFC)&&(recvsize > 4)) {
476 recvsize -= 4; /* 4 bytes non-esp marker */
477 memmove(recvbuf, (char *)recvbuf+4, recvsize);
478 }
479
480 DEBUGTOP(3, printf("\n receiving: <========================\n"));
481
482 /* Wait at least 2s for a response or 4 times the time it took
483 * last time. */
484 if (start >= end)
485 s->ike.timeout = 2000;
486 else
487 s->ike.timeout = 4000 * (end - start);
488
489 return recvsize;
490 }
491
492 static int isakmp_crypt(struct sa_block *s, uint8_t * block, size_t blocklen, int enc)
493 {
494 unsigned char *new_iv, *iv = NULL;
495 int info_ex;
496 gcry_cipher_hd_t cry_ctx;
497
498 if (blocklen < ISAKMP_PAYLOAD_O || ((blocklen - ISAKMP_PAYLOAD_O) % s->ike.ivlen != 0))
499 abort();
500
501 if (!enc && (memcmp(block + ISAKMP_I_COOKIE_O, s->ike.i_cookie, ISAKMP_COOKIE_LENGTH) != 0
502 || memcmp(block + ISAKMP_R_COOKIE_O, s->ike.r_cookie, ISAKMP_COOKIE_LENGTH) != 0)) {
503 DEBUG(2, printf("got packet with wrong cookies\n"));
504 return ISAKMP_N_INVALID_COOKIE;
505 }
506
507 info_ex = block[ISAKMP_EXCHANGE_TYPE_O] == ISAKMP_EXCHANGE_INFORMATIONAL;
508
509 if (memcmp(block + ISAKMP_MESSAGE_ID_O, s->ike.current_iv_msgid, 4) != 0) {
510 gcry_md_hd_t md_ctx;
511
512 gcry_md_open(&md_ctx, s->ike.md_algo, 0);
513 gcry_md_write(md_ctx, s->ike.initial_iv, s->ike.ivlen);
514 gcry_md_write(md_ctx, block + ISAKMP_MESSAGE_ID_O, 4);
515 gcry_md_final(md_ctx);
516 if (info_ex) {
517 iv = xallocc(s->ike.ivlen);
518 memcpy(iv, gcry_md_read(md_ctx, 0), s->ike.ivlen);
519 } else {
520 memcpy(s->ike.current_iv, gcry_md_read(md_ctx, 0), s->ike.ivlen);
521 memcpy(s->ike.current_iv_msgid, block + ISAKMP_MESSAGE_ID_O, 4);
522 }
523 gcry_md_close(md_ctx);
524 } else if (info_ex) {
525 abort();
526 }
527
528 if (!info_ex) {
529 iv = s->ike.current_iv;
530 }
531
532 new_iv = xallocc(s->ike.ivlen);
533 gcry_cipher_open(&cry_ctx, s->ike.cry_algo, GCRY_CIPHER_MODE_CBC, 0);
534 gcry_cipher_setkey(cry_ctx, s->ike.key, s->ike.keylen);
535 gcry_cipher_setiv(cry_ctx, iv, s->ike.ivlen);
536 if (!enc) {
537 memcpy(new_iv, block + blocklen - s->ike.ivlen, s->ike.ivlen);
538 gcry_cipher_decrypt(cry_ctx, block + ISAKMP_PAYLOAD_O, blocklen - ISAKMP_PAYLOAD_O,
539 NULL, 0);
540 if (!info_ex)
541 memcpy(s->ike.current_iv, new_iv, s->ike.ivlen);
542 } else {
543 gcry_cipher_encrypt(cry_ctx, block + ISAKMP_PAYLOAD_O, blocklen - ISAKMP_PAYLOAD_O,
544 NULL, 0);
545 if (!info_ex)
546 memcpy(s->ike.current_iv, block + blocklen - s->ike.ivlen, s->ike.ivlen);
547 }
548 gcry_cipher_close(cry_ctx);
549
550 free(new_iv);
551 if (info_ex)
552 free(iv);
553
554 return 0;
555 }
556
557 static uint16_t unpack_verify_phase2(struct sa_block *s, uint8_t * r_packet,
558 size_t r_length, struct isakmp_packet **r_p, const uint8_t * nonce, size_t nonce_size)
559 {
560 struct isakmp_packet *r;
561 int reject = 0;
562
563 *r_p = NULL;
564
565 /* Some users report "payload ... not padded..." errors. It seems that they
566 * are harmless, so ignore and fix the symptom
567 */
568 if (r_length < ISAKMP_PAYLOAD_O ||
569 ((r_length - ISAKMP_PAYLOAD_O) % s->ike.ivlen != 0)) {
570 DEBUG(2, printf("payload too short or not padded: len=%lld, min=%d (ivlen=%lld)\n",
571 (long long)r_length, ISAKMP_PAYLOAD_O, (long long)s->ike.ivlen));
572 hex_dump("Payload", r_packet, r_length, NULL);
573 if (r_length < ISAKMP_PAYLOAD_O ) {
574 return ISAKMP_N_UNEQUAL_PAYLOAD_LENGTHS;
575 }
576 r_length -= (r_length - ISAKMP_PAYLOAD_O) % s->ike.ivlen;
577 }
578
579 reject = isakmp_crypt(s, r_packet, r_length, 0);
580 if (reject != 0)
581 return reject;
582
583 s->ike.life.rx += r_length;
584
585 {
586 r = parse_isakmp_packet(r_packet, r_length, &reject);
587 if (reject != 0) {
588 if (r) free_isakmp_packet(r);
589 return reject;
590 }
591 }
592
593 /* Verify the basic stuff. */
594 if (r->flags != ISAKMP_FLAG_E) {
595 free_isakmp_packet(r);
596 return ISAKMP_N_INVALID_FLAGS;
597 }
598
599 {
600 size_t sz, spos;
601 gcry_md_hd_t hm;
602 unsigned char *expected_hash;
603 struct isakmp_payload *h = r->payload;
604
605 if (h == NULL || h->type != ISAKMP_PAYLOAD_HASH || h->u.hash.length != s->ike.md_len) {
606 free_isakmp_packet(r);
607 return ISAKMP_N_INVALID_HASH_INFORMATION;
608 }
609
610 spos = (ISAKMP_PAYLOAD_O + (r_packet[ISAKMP_PAYLOAD_O + 2] << 8)
611 + r_packet[ISAKMP_PAYLOAD_O + 3]);
612
613 /* Compute the real length based on the payload lengths. */
614 for (sz = spos; r_packet[sz] != 0; sz += r_packet[sz + 2] << 8 | r_packet[sz + 3]) ;
615 sz += r_packet[sz + 2] << 8 | r_packet[sz + 3];
616
617 gcry_md_open(&hm, s->ike.md_algo, GCRY_MD_FLAG_HMAC);
618 gcry_md_setkey(hm, s->ike.skeyid_a, s->ike.md_len);
619 gcry_md_write(hm, r_packet + ISAKMP_MESSAGE_ID_O, 4);
620 if (nonce)
621 gcry_md_write(hm, nonce, nonce_size);
622 gcry_md_write(hm, r_packet + spos, sz - spos);
623 gcry_md_final(hm);
624 expected_hash = gcry_md_read(hm, 0);
625
626 DEBUG(3,printf("hashlen: %lu\n", (unsigned long)s->ike.md_len));
627 DEBUG(3,printf("u.hash.length: %d\n", h->u.hash.length));
628 hex_dump("expected_hash", expected_hash, s->ike.md_len, NULL);
629 hex_dump("h->u.hash.data", h->u.hash.data, s->ike.md_len, NULL);
630
631 reject = 0;
632 if (memcmp(h->u.hash.data, expected_hash, s->ike.md_len) != 0)
633 reject = ISAKMP_N_AUTHENTICATION_FAILED;
634 gcry_md_close(hm);
635 #if 0
636 if (reject != 0) {
637 free_isakmp_packet(r);
638 return reject;
639 }
640 #endif
641 }
642 *r_p = r;
643 return 0;
644 }
645
646 static void
647 phase2_authpacket(struct sa_block *s, struct isakmp_payload *pl,
648 uint8_t exchange_type, uint32_t msgid,
649 uint8_t ** p_flat, size_t * p_size,
650 uint8_t * nonce_i, int ni_len, uint8_t * nonce_r, int nr_len)
651 {
652 struct isakmp_packet *p;
653 uint8_t *pl_flat;
654 size_t pl_size;
655 gcry_md_hd_t hm;
656 uint8_t msgid_sent[4];
657
658 /* Build up the packet. */
659 p = new_isakmp_packet();
660 memcpy(p->i_cookie, s->ike.i_cookie, ISAKMP_COOKIE_LENGTH);
661 memcpy(p->r_cookie, s->ike.r_cookie, ISAKMP_COOKIE_LENGTH);
662 p->flags = ISAKMP_FLAG_E;
663 p->isakmp_version = ISAKMP_VERSION;
664 p->exchange_type = exchange_type;
665 p->message_id = msgid;
666 p->payload = new_isakmp_payload(ISAKMP_PAYLOAD_HASH);
667 p->payload->next = pl;
668 p->payload->u.hash.length = s->ike.md_len;
669 p->payload->u.hash.data = xallocc(s->ike.md_len);
670
671 /* Set the MAC. */
672 gcry_md_open(&hm, s->ike.md_algo, GCRY_MD_FLAG_HMAC);
673 gcry_md_setkey(hm, s->ike.skeyid_a, s->ike.md_len);
674
675 if (pl == NULL) {
676 DEBUG(3, printf("authing NULL package!\n"));
677 gcry_md_write(hm, "" /* \0 */ , 1);
678 }
679
680 msgid_sent[0] = msgid >> 24;
681 msgid_sent[1] = msgid >> 16;
682 msgid_sent[2] = msgid >> 8;
683 msgid_sent[3] = msgid;
684 gcry_md_write(hm, msgid_sent, sizeof(msgid_sent));
685
686 if (nonce_i != NULL)
687 gcry_md_write(hm, nonce_i, ni_len);
688
689 if (nonce_r != NULL)
690 gcry_md_write(hm, nonce_r, nr_len);
691
692 if (pl != NULL) {
693 flatten_isakmp_payloads(pl, &pl_flat, &pl_size);
694 gcry_md_write(hm, pl_flat, pl_size);
695 memset(pl_flat, 0, pl_size);
696 free(pl_flat);
697 }
698
699 gcry_md_final(hm);
700 memcpy(p->payload->u.hash.data, gcry_md_read(hm, 0), s->ike.md_len);
701 gcry_md_close(hm);
702
703 flatten_isakmp_packet(p, p_flat, p_size, s->ike.ivlen);
704 free_isakmp_packet(p);
705 }
706
707 static void sendrecv_phase2(struct sa_block *s, struct isakmp_payload *pl,
708 uint8_t exchange_type, uint32_t msgid, int sendonly,
709 uint8_t * nonce_i, int ni_len, uint8_t * nonce_r, int nr_len)
710 {
711 uint8_t *p_flat;
712 size_t p_size;
713 ssize_t recvlen;
714
715 phase2_authpacket(s, pl, exchange_type, msgid, &p_flat, &p_size,
716 nonce_i, ni_len, nonce_r, nr_len);
717 isakmp_crypt(s, p_flat, p_size, 1);
718 s->ike.life.tx += p_size;
719
720 recvlen = sendrecv(s, r_packet, sizeof(r_packet), p_flat, p_size, sendonly);
721 if (sendonly == 0)
722 r_length = recvlen;
723
724 free(p_flat);
725 }
726
727 void keepalive_ike(struct sa_block *s)
728 {
729 uint32_t msgid;
730
731 gcry_create_nonce((uint8_t *) & msgid, sizeof(msgid));
732 sendrecv_phase2(s, NULL, ISAKMP_EXCHANGE_INFORMATIONAL, msgid, 1, 0, 0, 0, 0);
733 }
734
735 static void send_dpd(struct sa_block *s, int isack, uint32_t seqno)
736 {
737 struct isakmp_payload *pl;
738 uint32_t msgid;
739
740 pl = new_isakmp_payload(ISAKMP_PAYLOAD_N);
741 pl->u.n.doi = ISAKMP_DOI_IPSEC;
742 pl->u.n.protocol = ISAKMP_IPSEC_PROTO_ISAKMP;
743 pl->u.n.type = isack ? ISAKMP_N_R_U_THERE_ACK : ISAKMP_N_R_U_THERE;
744 pl->u.n.spi_length = 2 * ISAKMP_COOKIE_LENGTH;
745 pl->u.n.spi = xallocc(2 * ISAKMP_COOKIE_LENGTH);
746 memcpy(pl->u.n.spi + ISAKMP_COOKIE_LENGTH * 0, s->ike.i_cookie, ISAKMP_COOKIE_LENGTH);
747 memcpy(pl->u.n.spi + ISAKMP_COOKIE_LENGTH * 1, s->ike.r_cookie, ISAKMP_COOKIE_LENGTH);
748 pl->u.n.data_length = 4;
749 pl->u.n.data = xallocc(4);
750 *((uint32_t *) pl->u.n.data) = htonl(seqno);
751 gcry_create_nonce((uint8_t *) & msgid, sizeof(msgid));
752 /* 2007-09-06 JKU/ZID: Sonicwall drops non hashed r_u_there-requests */
753 sendrecv_phase2(s, pl, ISAKMP_EXCHANGE_INFORMATIONAL, msgid,
754 1 , NULL, 0, NULL, 0);
755 }
756
757 void dpd_ike(struct sa_block *s)
758 {
759 if (!s->ike.do_dpd)
760 return;
761
762 if (s->ike.dpd_seqno == s->ike.dpd_seqno_ack) {
763 /* Increase the sequence number, reset the attempts to 6, record
764 ** the current time and send a dpd request
765 */
766 s->ike.dpd_attempts = 6;
767 s->ike.dpd_sent = time(NULL);
768 s->ike.dpd_seqno++;
769 send_dpd(s, 0, s->ike.dpd_seqno);
770 } else {
771 /* Our last dpd request has not yet been acked. If it's been
772 ** less than 5 seconds since we sent it do nothing. Otherwise
773 ** decrement dpd_attempts. If dpd_attempts is 0 dpd fails and we
774 ** terminate otherwise we send it again with the same sequence
775 ** number and record current time.
776 */
777 time_t now = time(NULL);
778 if (now < s->ike.dpd_sent + 5)
779 return;
780 if (--s->ike.dpd_attempts == 0) {
781 DEBUG(2, printf("dead peer detected, terminating\n"));
782 do_kill = -2;
783 return;
784 }
785 s->ike.dpd_sent = now;
786 send_dpd(s, 0, s->ike.dpd_seqno);
787 }
788 }
789
790 static void send_delete_ipsec(struct sa_block *s)
791 {
792 /* 2007-08-31 JKU/ZID: Sonicwall doesn't like the chained
793 * request but wants them split. Cisco does fine with it. */
794 DEBUGTOP(2, printf("S7.10 send ipsec termination message\n"));
795 {
796 struct isakmp_payload *d_ipsec;
797 uint8_t del_msgid;
798
799 gcry_create_nonce((uint8_t *) & del_msgid, sizeof(del_msgid));
800 d_ipsec = new_isakmp_payload(ISAKMP_PAYLOAD_D);
801 d_ipsec->u.d.doi = ISAKMP_DOI_IPSEC;
802 d_ipsec->u.d.protocol = ISAKMP_IPSEC_PROTO_IPSEC_ESP;
803 d_ipsec->u.d.spi_length = 4;
804 d_ipsec->u.d.num_spi = 2;
805 d_ipsec->u.d.spi = xallocc(2 * sizeof(uint8_t *));
806 d_ipsec->u.d.spi[0] = xallocc(d_ipsec->u.d.spi_length);
807 memcpy(d_ipsec->u.d.spi[0], &s->ipsec.rx.spi, 4);
808 d_ipsec->u.d.spi[1] = xallocc(d_ipsec->u.d.spi_length);
809 memcpy(d_ipsec->u.d.spi[1], &s->ipsec.tx.spi, 4);
810 sendrecv_phase2(s, d_ipsec, ISAKMP_EXCHANGE_INFORMATIONAL,
811 del_msgid, 1, NULL, 0, NULL, 0);
812 }
813 }
814
815 static void send_delete_isakmp(struct sa_block *s)
816 {
817 DEBUGTOP(2, printf("S7.11 send isakmp termination message\n"));
818 {
819 struct isakmp_payload *d_isakmp;
820 uint8_t del_msgid;
821
822 gcry_create_nonce((uint8_t *) & del_msgid, sizeof(del_msgid));
823 d_isakmp = new_isakmp_payload(ISAKMP_PAYLOAD_D);
824 d_isakmp->u.d.doi = ISAKMP_DOI_IPSEC;
825 d_isakmp->u.d.protocol = ISAKMP_IPSEC_PROTO_ISAKMP;
826 d_isakmp->u.d.spi_length = 2 * ISAKMP_COOKIE_LENGTH;
827 d_isakmp->u.d.num_spi = 1;
828 d_isakmp->u.d.spi = xallocc(1 * sizeof(uint8_t *));
829 d_isakmp->u.d.spi[0] = xallocc(2 * ISAKMP_COOKIE_LENGTH);
830 memcpy(d_isakmp->u.d.spi[0] + ISAKMP_COOKIE_LENGTH * 0, s->ike.i_cookie,
831 ISAKMP_COOKIE_LENGTH);
832 memcpy(d_isakmp->u.d.spi[0] + ISAKMP_COOKIE_LENGTH * 1, s->ike.r_cookie,
833 ISAKMP_COOKIE_LENGTH);
834 sendrecv_phase2(s, d_isakmp, ISAKMP_EXCHANGE_INFORMATIONAL,
835 del_msgid, 1, NULL, 0, NULL, 0);
836 }
837 }
838
839 static void phase2_fatal(struct sa_block *s, const char *msg, int id)
840 {
841 struct isakmp_payload *pl;
842 uint32_t msgid;
843
844 DEBUG(1, printf("\n\n---!!!!!!!!! entering phase2_fatal !!!!!!!!!---\n\n\n"));
845 gcry_create_nonce((uint8_t *) & msgid, sizeof(msgid));
846 pl = new_isakmp_payload(ISAKMP_PAYLOAD_N);
847 pl->u.n.doi = ISAKMP_DOI_IPSEC;
848 pl->u.n.protocol = ISAKMP_IPSEC_PROTO_ISAKMP;
849 pl->u.n.type = id;
850 sendrecv_phase2(s, pl, ISAKMP_EXCHANGE_INFORMATIONAL, msgid, 1, 0, 0, 0, 0);
851
852 send_delete_isakmp(s);
853
854 error(1, 0, msg, val_to_string(id, isakmp_notify_enum_array), id);
855 }
856
857 static uint8_t *gen_keymat(struct sa_block *s,
858 uint8_t protocol, uint32_t spi,
859 const uint8_t * dh_shared, size_t dh_size,
860 const uint8_t * ni_data, size_t ni_size, const uint8_t * nr_data, size_t nr_size)
861 {
862 gcry_md_hd_t hm;
863 uint8_t *block;
864 int i;
865 int blksz;
866 int cnt;
867
868 blksz = s->ipsec.md_len + s->ipsec.key_len;
869 cnt = (blksz + s->ike.md_len - 1) / s->ike.md_len;
870 block = xallocc(cnt * s->ike.md_len);
871 DEBUG(3, printf("generating %d bytes keymat (cnt=%d)\n", blksz, cnt));
872 if (cnt < 1)
873 abort();
874
875 for (i = 0; i < cnt; i++) {
876 gcry_md_open(&hm, s->ike.md_algo, GCRY_MD_FLAG_HMAC);
877 gcry_md_setkey(hm, s->ike.skeyid_d, s->ike.md_len);
878 if (i != 0)
879 gcry_md_write(hm, block + (i - 1) * s->ike.md_len, s->ike.md_len);
880 if (dh_shared != NULL)
881 gcry_md_write(hm, dh_shared, dh_size);
882 gcry_md_write(hm, &protocol, 1);
883 gcry_md_write(hm, (uint8_t *) & spi, sizeof(spi));
884 gcry_md_write(hm, ni_data, ni_size);
885 gcry_md_write(hm, nr_data, nr_size);
886 gcry_md_final(hm);
887 memcpy(block + i * s->ike.md_len, gcry_md_read(hm, 0), s->ike.md_len);
888 gcry_md_close(hm);
889 }
890 return block;
891 }
892
893 static int mask_to_masklen(struct in_addr mask)
894 {
895 int len;
896 uint32_t addr;
897
898 addr = ntohl(mask.s_addr);
899 for (len = 0; addr; addr <<= 1, len++)
900 ;
901 return len;
902 }
903
904 static int do_config_to_env(struct sa_block *s, struct isakmp_attribute *a)
905 {
906 int i;
907 int reject = 0;
908 int seen_address = 0;
909 char *strbuf, *strbuf2;
910
911 unsetenv("CISCO_BANNER");
912 unsetenv("CISCO_DEF_DOMAIN");
913 unsetenv("CISCO_SPLIT_INC");
914 unsetenv("INTERNAL_IP4_NBNS");
915 unsetenv("INTERNAL_IP4_DNS");
916 unsetenv("INTERNAL_IP4_NETMASK");
917 unsetenv("INTERNAL_IP4_ADDRESS");
918
919 for (; a && reject == 0; a = a->next)
920 switch (a->type) {
921 case ISAKMP_MODECFG_ATTRIB_INTERNAL_IP4_ADDRESS:
922 if (a->af != isakmp_attr_lots || a->u.lots.length != 4)
923 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
924 else {
925 addenv_ipv4("INTERNAL_IP4_ADDRESS", a->u.lots.data);
926 memcpy(&s->our_address, a->u.lots.data, 4);
927 }
928 seen_address = 1;
929 break;
930
931 case ISAKMP_MODECFG_ATTRIB_INTERNAL_IP4_NETMASK:
932 if (a->af == isakmp_attr_lots && a->u.lots.length == 0) {
933 DEBUG(2, printf("ignoring zero length netmask\n"));
934 continue;
935 }
936 if (a->af != isakmp_attr_lots || a->u.lots.length != 4)
937 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
938 else {
939 uint32_t netaddr = s->our_address.s_addr & ((struct in_addr *)(a->u.lots.data))->s_addr;
940 addenv_ipv4("INTERNAL_IP4_NETMASK", a->u.lots.data);
941 asprintf(&strbuf, "%d", mask_to_masklen(*((struct in_addr *)a->u.lots.data)));
942 setenv("INTERNAL_IP4_NETMASKLEN", strbuf, 1);
943 free(strbuf);
944 addenv_ipv4("INTERNAL_IP4_NETADDR", (uint8_t *)&netaddr);
945 }
946 break;
947
948 case ISAKMP_MODECFG_ATTRIB_INTERNAL_IP4_DNS:
949 if (a->af != isakmp_attr_lots || a->u.lots.length != 4)
950 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
951 else
952 addenv_ipv4("INTERNAL_IP4_DNS", a->u.lots.data);
953 break;
954
955 case ISAKMP_MODECFG_ATTRIB_INTERNAL_IP4_NBNS:
956 if (a->af != isakmp_attr_lots || a->u.lots.length != 4)
957 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
958 else
959 addenv_ipv4("INTERNAL_IP4_NBNS", a->u.lots.data);
960 break;
961
962 case ISAKMP_MODECFG_ATTRIB_CISCO_DEF_DOMAIN:
963 if (a->af != isakmp_attr_lots) {
964 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
965 break;
966 }
967 strbuf = xallocc(a->u.lots.length + 1);
968 memcpy(strbuf, a->u.lots.data, a->u.lots.length);
969 addenv("CISCO_DEF_DOMAIN", strbuf);
970 free(strbuf);
971 break;
972
973 case ISAKMP_MODECFG_ATTRIB_CISCO_BANNER:
974 if (a->af != isakmp_attr_lots) {
975 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
976 break;
977 }
978 strbuf = xallocc(a->u.lots.length + 1);
979 memcpy(strbuf, a->u.lots.data, a->u.lots.length);
980 addenv("CISCO_BANNER", strbuf);
981 free(strbuf);
982 DEBUG(1, printf("Banner: "));
983 DEBUG(1, fwrite(a->u.lots.data, a->u.lots.length, 1, stdout));
984 DEBUG(1, printf("\n"));
985 break;
986
987 case ISAKMP_MODECFG_ATTRIB_APPLICATION_VERSION:
988 DEBUG(2, printf("Remote Application Version: "));
989 DEBUG(2, fwrite(a->u.lots.data, a->u.lots.length, 1, stdout));
990 DEBUG(2, printf("\n"));
991 break;
992
993 case ISAKMP_MODECFG_ATTRIB_CISCO_DO_PFS:
994 if (a->af != isakmp_attr_16)
995 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
996 else {
997 s->ipsec.do_pfs = a->u.attr_16;
998 DEBUG(2, printf("got pfs setting: %d\n", s->ipsec.do_pfs));
999 }
1000 break;
1001
1002 case ISAKMP_MODECFG_ATTRIB_CISCO_UDP_ENCAP_PORT:
1003 if (a->af != isakmp_attr_16)
1004 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
1005 else {
1006 s->ipsec.peer_udpencap_port = a->u.attr_16;
1007 DEBUG(2, printf("got peer udp encapsulation port: %hu\n", s->ipsec.peer_udpencap_port));
1008 }
1009 break;
1010
1011 case ISAKMP_MODECFG_ATTRIB_CISCO_SPLIT_INC:
1012 if (a->af != isakmp_attr_acl) {
1013 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
1014 break;
1015 }
1016
1017 DEBUG(2, printf("got %d acls for split include\n", a->u.acl.count));
1018 asprintf(&strbuf, "%d", a->u.acl.count);
1019 setenv("CISCO_SPLIT_INC", strbuf, 1);
1020 free(strbuf);
1021
1022 for (i = 0; i < a->u.acl.count; i++) {
1023 DEBUG(2, printf("acl %d: ", i));
1024 /* NOTE: inet_ntoa returns one static buffer */
1025
1026 asprintf(&strbuf, "CISCO_SPLIT_INC_%d_ADDR", i);
1027 asprintf(&strbuf2, "%s", inet_ntoa(a->u.acl.acl_ent[i].addr));
1028 DEBUG(2, printf("addr: %s/", strbuf2));
1029 setenv(strbuf, strbuf2, 1);
1030 free(strbuf); free(strbuf2);
1031
1032 asprintf(&strbuf, "CISCO_SPLIT_INC_%d_MASK", i);
1033 asprintf(&strbuf2, "%s", inet_ntoa(a->u.acl.acl_ent[i].mask));
1034 DEBUG(2, printf("%s ", strbuf2));
1035 setenv(strbuf, strbuf2, 1);
1036 free(strbuf); free(strbuf2);
1037
1038 /* this is just here because ip route does not accept netmasks */
1039 asprintf(&strbuf, "CISCO_SPLIT_INC_%d_MASKLEN", i);
1040 asprintf(&strbuf2, "%d", mask_to_masklen(a->u.acl.acl_ent[i].mask));
1041 DEBUG(2, printf("(%s), ", strbuf2));
1042 setenv(strbuf, strbuf2, 1);
1043 free(strbuf); free(strbuf2);
1044
1045 asprintf(&strbuf, "CISCO_SPLIT_INC_%d_PROTOCOL", i);
1046 asprintf(&strbuf2, "%hu", a->u.acl.acl_ent[i].protocol);
1047 DEBUG(2, printf("protocol: %s, ", strbuf2));
1048 setenv(strbuf, strbuf2, 1);
1049 free(strbuf); free(strbuf2);
1050
1051 asprintf(&strbuf, "CISCO_SPLIT_INC_%d_SPORT", i);
1052 asprintf(&strbuf2, "%hu", a->u.acl.acl_ent[i].sport);
1053 DEBUG(2, printf("sport: %s, ", strbuf2));
1054 setenv(strbuf, strbuf2, 1);
1055 free(strbuf); free(strbuf2);
1056
1057 asprintf(&strbuf, "CISCO_SPLIT_INC_%d_DPORT", i);
1058 asprintf(&strbuf2, "%hu", a->u.acl.acl_ent[i].dport);
1059 DEBUG(2, printf("dport: %s\n", strbuf2));
1060 setenv(strbuf, strbuf2, 1);
1061 free(strbuf); free(strbuf2);
1062 }
1063 break;
1064
1065 case ISAKMP_MODECFG_ATTRIB_CISCO_SAVE_PW:
1066 DEBUG(2, printf("got save password setting: %d\n", a->u.attr_16));
1067 break;
1068
1069 default:
1070 DEBUG(2, printf("unknown attribute %d / 0x%X\n", a->type, a->type));
1071 break;
1072 }
1073
1074 if (reject == 0 && !seen_address)
1075 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
1076
1077 return reject;
1078 }
1079
1080 /* * */
1081
1082 static struct isakmp_attribute *make_transform_ike(int dh_group, int crypt, int hash, int keylen, int auth)
1083 {
1084 struct isakmp_attribute *a = NULL;
1085
1086 a = new_isakmp_attribute(IKE_ATTRIB_LIFE_DURATION, a);
1087 a->af = isakmp_attr_lots;
1088 a->u.lots.length = 4;
1089 a->u.lots.data = xallocc(a->u.lots.length);
1090 *((uint32_t *) a->u.lots.data) = htonl(2147483);
1091 a = new_isakmp_attribute_16(IKE_ATTRIB_LIFE_TYPE, IKE_LIFE_TYPE_SECONDS, a);
1092 a = new_isakmp_attribute_16(IKE_ATTRIB_AUTH_METHOD, auth, a);
1093 a = new_isakmp_attribute_16(IKE_ATTRIB_GROUP_DESC, dh_group, a);
1094 a = new_isakmp_attribute_16(IKE_ATTRIB_HASH, hash, a);
1095 a = new_isakmp_attribute_16(IKE_ATTRIB_ENC, crypt, a);
1096 if (keylen != 0)
1097 a = new_isakmp_attribute_16(IKE_ATTRIB_KEY_LENGTH, keylen, a);
1098 return a;
1099 }
1100
1101 static struct isakmp_payload *make_our_sa_ike(void)
1102 {
1103 struct isakmp_payload *r = new_isakmp_payload(ISAKMP_PAYLOAD_SA);
1104 struct isakmp_payload *t = NULL, *tn;
1105 struct isakmp_attribute *a;
1106 int dh_grp = get_dh_group_ike()->ike_sa_id;
1107 unsigned int auth, crypt, hash, keylen;
1108 int i;
1109
1110 r->u.sa.doi = ISAKMP_DOI_IPSEC;
1111 r->u.sa.situation = ISAKMP_IPSEC_SIT_IDENTITY_ONLY;
1112 r->u.sa.proposals = new_isakmp_payload(ISAKMP_PAYLOAD_P);
1113 r->u.sa.proposals->u.p.prot_id = ISAKMP_IPSEC_PROTO_ISAKMP;
1114 for (auth = 0; supp_auth[auth].name != NULL; auth++) {
1115 if (opt_auth_mode == AUTH_MODE_CERT) {
1116 if ((supp_auth[auth].ike_sa_id != IKE_AUTH_RSA_SIG) &&
1117 (supp_auth[auth].ike_sa_id != IKE_AUTH_DSS))
1118 continue;
1119 } else if (opt_auth_mode == AUTH_MODE_HYBRID) {
1120 if ((supp_auth[auth].ike_sa_id != IKE_AUTH_HybridInitRSA) &&
1121 (supp_auth[auth].ike_sa_id != IKE_AUTH_HybridInitDSS))
1122 continue;
1123 } else {
1124 if (supp_auth[auth].ike_sa_id == IKE_AUTH_HybridInitRSA ||
1125 supp_auth[auth].ike_sa_id == IKE_AUTH_HybridInitDSS ||
1126 supp_auth[auth].ike_sa_id == IKE_AUTH_RSA_SIG ||
1127 supp_auth[auth].ike_sa_id == IKE_AUTH_DSS)
1128 continue;
1129 }
1130 for (crypt = 0; supp_crypt[crypt].name != NULL; crypt++) {
1131 keylen = supp_crypt[crypt].keylen;
1132 for (hash = 0; supp_hash[hash].name != NULL; hash++) {
1133 tn = t;
1134 t = new_isakmp_payload(ISAKMP_PAYLOAD_T);
1135 t->u.t.id = ISAKMP_IPSEC_KEY_IKE;
1136 a = make_transform_ike(dh_grp, supp_crypt[crypt].ike_sa_id,
1137 supp_hash[hash].ike_sa_id, keylen, supp_auth[auth].ike_sa_id);
1138 t->u.t.attributes = a;
1139 t->next = tn;
1140 }
1141 }
1142 }
1143 for (i = 0, tn = t; tn; tn = tn->next)
1144 tn->u.t.number = i++;
1145 r->u.sa.proposals->u.p.transforms = t;
1146 return r;
1147 }
1148
1149 static void lifetime_ike_process(struct sa_block *s, struct isakmp_attribute *a)
1150 {
1151 uint32_t value;
1152
1153 assert(a != NULL);
1154 assert(a->type == IKE_ATTRIB_LIFE_TYPE);
1155 assert(a->af == isakmp_attr_16);
1156 assert(a->u.attr_16 == IKE_LIFE_TYPE_SECONDS || a->u.attr_16 == IKE_LIFE_TYPE_K);
1157 assert(a->next != NULL);
1158 assert(a->next->type == IKE_ATTRIB_LIFE_DURATION);
1159
1160 if (a->next->af == isakmp_attr_16)
1161 value = a->next->u.attr_16;
1162 else if (a->next->af == isakmp_attr_lots && a->next->u.lots.length == 4)
1163 value = ntohl(*((uint32_t *) a->next->u.lots.data));
1164 else
1165 assert(0);
1166
1167 DEBUG(2, printf("got ike lifetime attributes: %d %s\n", value,
1168 (a->u.attr_16 == IKE_LIFE_TYPE_SECONDS) ? "seconds" : "kilobyte"));
1169
1170 if (a->u.attr_16 == IKE_LIFE_TYPE_SECONDS)
1171 s->ike.life.seconds = value;
1172 else
1173 s->ike.life.kbytes = value;
1174 }
1175
1176 static void lifetime_ipsec_process(struct sa_block *s, struct isakmp_attribute *a)
1177 {
1178 uint32_t value;
1179
1180 assert(a != NULL);
1181 assert(a->type == ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE);
1182 assert(a->af == isakmp_attr_16);
1183 assert(a->u.attr_16 == IPSEC_LIFE_SECONDS || a->u.attr_16 == IPSEC_LIFE_K);
1184 assert(a->next != NULL);
1185 assert(a->next->type == ISAKMP_IPSEC_ATTRIB_SA_LIFE_DURATION);
1186
1187 if (a->next->af == isakmp_attr_16)
1188 value = a->next->u.attr_16;
1189 else if (a->next->af == isakmp_attr_lots && a->next->u.lots.length == 4)
1190 value = ntohl(*((uint32_t *) a->next->u.lots.data));
1191 else
1192 assert(0);
1193
1194 DEBUG(2, printf("got ipsec lifetime attributes: %d %s\n", value,
1195 (a->u.attr_16 == IPSEC_LIFE_SECONDS) ? "seconds" : "kilobyte"));
1196
1197 if (a->u.attr_16 == IPSEC_LIFE_SECONDS)
1198 s->ipsec.life.seconds = value;
1199 else
1200 s->ipsec.life.kbytes = value;
1201
1202 /* FIXME: for notice-payloads: write a seperate function to handle them */
1203 /* bug: this may process lifetime-attributes of SAs twice but to no consequence */
1204 if (a->next->next != NULL && a->next->next->type == ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE)
1205 lifetime_ipsec_process(s, a->next->next);
1206 }
1207
1208 static void do_phase1_am_init(struct sa_block *s)
1209 {
1210
1211 s->ike.natd_type = 0;
1212 s->ike.natd_us = s->ike.natd_them = NULL;
1213 s->ike.sa_f = s->ike.idi_f = NULL;
1214
1215 DEBUGTOP(2, printf("S4.1 create_nonce\n"));
1216 gcry_create_nonce(s->ike.i_cookie, ISAKMP_COOKIE_LENGTH);
1217 s->ike.life.start = time(NULL);
1218 s->ipsec.do_pfs = -1;
1219 if (s->ike.i_cookie[0] == 0)
1220 s->ike.i_cookie[0] = 1;
1221 hex_dump("i_cookie", s->ike.i_cookie, ISAKMP_COOKIE_LENGTH, NULL);
1222 gcry_create_nonce(s->ike.i_nonce, sizeof(s->ike.i_nonce));
1223 hex_dump("i_nonce", s->ike.i_nonce, sizeof(s->ike.i_nonce), NULL);
1224 DEBUGTOP(2, printf("S4.2 dh setup\n"));
1225 /* Set up the Diffie-Hellman stuff. */
1226 {
1227 s->ike.dh_grp = group_get(get_dh_group_ike()->my_id);
1228 s->ike.dh_public = xallocc(dh_getlen(s->ike.dh_grp));
1229 dh_create_exchange(s->ike.dh_grp, s->ike.dh_public);
1230 hex_dump("dh_public", s->ike.dh_public, dh_getlen(s->ike.dh_grp), NULL);
1231 }
1232
1233 }
1234
1235 static void do_phase1_am_packet1(struct sa_block *s, const char *key_id)
1236 {
1237 DEBUGTOP(2, printf("S4.3 AM packet_1\n"));
1238 /* Create the first packet. */
1239 {
1240 struct isakmp_packet *p1;
1241 struct isakmp_payload *l;
1242 uint8_t *pkt;
1243 size_t pkt_len;
1244
1245 p1 = new_isakmp_packet();
1246 memcpy(p1->i_cookie, s->ike.i_cookie, ISAKMP_COOKIE_LENGTH);
1247 p1->isakmp_version = ISAKMP_VERSION;
1248 p1->exchange_type = ISAKMP_EXCHANGE_AGGRESSIVE;
1249 p1->payload = l = make_our_sa_ike();
1250 flatten_isakmp_payload(l, &s->ike.sa_f, &s->ike.sa_size);
1251 l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_KE, s->ike.dh_public, dh_getlen(s->ike.dh_grp));
1252 l->next->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_NONCE,
1253 s->ike.i_nonce, sizeof(s->ike.i_nonce));
1254 l = l->next->next;
1255 l->next = new_isakmp_payload(ISAKMP_PAYLOAD_ID);
1256 l = l->next;
1257 if (opt_vendor == VENDOR_CISCO)
1258 l->u.id.type = ISAKMP_IPSEC_ID_KEY_ID;
1259 else
1260 l->u.id.type = ISAKMP_IPSEC_ID_USER_FQDN;
1261 l->u.id.protocol = IPPROTO_UDP;
1262 l->u.id.port = ISAKMP_PORT; /* this must be 500, see rfc2407, 4.6.2 */
1263 l->u.id.length = strlen(key_id);
1264 l->u.id.data = xallocc(l->u.id.length);
1265 memcpy(l->u.id.data, key_id, strlen(key_id));
1266 flatten_isakmp_payload(l, &s->ike.idi_f, &s->ike.idi_size);
1267 l = l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID,
1268 VID_XAUTH, sizeof(VID_XAUTH));
1269 l = l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID,
1270 VID_UNITY, sizeof(VID_UNITY));
1271 if ((opt_natt_mode == NATT_NORMAL) || (opt_natt_mode == NATT_FORCE)) {
1272 l = l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID,
1273 VID_NATT_RFC, sizeof(VID_NATT_RFC));
1274 l = l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID,
1275 VID_NATT_03, sizeof(VID_NATT_03));
1276 l = l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID,
1277 VID_NATT_02N, sizeof(VID_NATT_02N));
1278 l = l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID,
1279 VID_NATT_02, sizeof(VID_NATT_02));
1280 l = l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID,
1281 VID_NATT_01, sizeof(VID_NATT_01));
1282 l = l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID,
1283 VID_NATT_00, sizeof(VID_NATT_00));
1284 }
1285 s->ike.dpd_idle = atoi(config[CONFIG_DPD_IDLE]);
1286 if (s->ike.dpd_idle != 0) {
1287 if (s->ike.dpd_idle < 10)
1288 s->ike.dpd_idle = 10;
1289 if (s->ike.dpd_idle > 86400)
1290 s->ike.dpd_idle = 86400;
1291 l = l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID,
1292 VID_DPD, sizeof(VID_DPD));
1293 }
1294 flatten_isakmp_packet(p1, &pkt, &pkt_len, 0);
1295 free_isakmp_packet(p1);
1296
1297 /* Now, send that packet and receive a new one. */
1298 r_length = sendrecv(s, r_packet, sizeof(r_packet), pkt, pkt_len, 0);
1299 free(pkt);
1300 }
1301 }
1302
1303 static void do_phase1_am_packet2(struct sa_block *s, const char *shared_key)
1304 {
1305 DEBUGTOP(2, printf("S4.4 AM_packet2\n"));
1306 /* Decode the recieved packet. */
1307 {
1308 int reject, ret;
1309 struct isakmp_packet *r;
1310 struct isakmp_payload *rp;
1311 struct isakmp_payload *nonce = NULL;
1312 struct isakmp_payload *ke = NULL;
1313 struct isakmp_payload *hash = NULL;
1314 struct isakmp_payload *sig = NULL;
1315 struct isakmp_payload *idp = NULL;
1316 int seen_sa = 0, seen_xauth_vid = 0;
1317 uint8_t *psk_skeyid;
1318 uint8_t *skeyid;
1319 gcry_md_hd_t skeyid_ctx;
1320 uint8_t *dh_shared_secret;
1321 int seen_natt_vid = 0, seen_natd = 0, seen_natd_them = 0, seen_natd_us = 0;
1322 int natt_draft = -1;
1323 crypto_ctx *cctx;
1324 crypto_error *crerr = NULL;
1325
1326 cctx = crypto_ctx_new (&crerr);
1327 if (crerr)
1328 crypto_call_error(crerr);
1329
1330 reject = 0;
1331 r = parse_isakmp_packet(r_packet, r_length, &reject);
1332
1333 /* Verify the correctness of the recieved packet. */
1334 if (reject == 0 && memcmp(r->i_cookie, s->ike.i_cookie, ISAKMP_COOKIE_LENGTH) != 0)
1335 reject = ISAKMP_N_INVALID_COOKIE;
1336 if (reject == 0)
1337 memcpy(s->ike.r_cookie, r->r_cookie, ISAKMP_COOKIE_LENGTH);
1338 if (reject == 0 && r->exchange_type != ISAKMP_EXCHANGE_AGGRESSIVE)
1339 reject = ISAKMP_N_INVALID_EXCHANGE_TYPE;
1340 if (reject == 0 && r->flags != 0)
1341 reject = ISAKMP_N_INVALID_FLAGS;
1342 if (reject == 0 && r->message_id != 0)
1343 reject = ISAKMP_N_INVALID_MESSAGE_ID;
1344 if (reject != 0)
1345 error(1, 0, "response was invalid [1]: %s(%d)", val_to_string(reject, isakmp_notify_enum_array), reject);
1346 for (rp = r->payload; rp && reject == 0; rp = rp->next)
1347 switch (rp->type) {
1348 case ISAKMP_PAYLOAD_SA:
1349 if (reject == 0 && rp->u.sa.doi != ISAKMP_DOI_IPSEC)
1350 reject = ISAKMP_N_DOI_NOT_SUPPORTED;
1351 if (reject == 0 &&
1352 rp->u.sa.situation != ISAKMP_IPSEC_SIT_IDENTITY_ONLY)
1353 reject = ISAKMP_N_SITUATION_NOT_SUPPORTED;
1354 if (reject == 0 &&
1355 (rp->u.sa.proposals == NULL
1356 || rp->u.sa.proposals->next != NULL))
1357 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
1358 if (reject == 0 &&
1359 rp->u.sa.proposals->u.p.prot_id !=
1360 ISAKMP_IPSEC_PROTO_ISAKMP)
1361 reject = ISAKMP_N_INVALID_PROTOCOL_ID;
1362 if (reject == 0 && rp->u.sa.proposals->u.p.spi_size != 0)
1363 reject = ISAKMP_N_INVALID_SPI;
1364 if (reject == 0 &&
1365 (rp->u.sa.proposals->u.p.transforms == NULL
1366 || rp->u.sa.proposals->u.p.transforms->next !=
1367 NULL))
1368 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
1369 if (reject == 0 &&
1370 (rp->u.sa.proposals->u.p.transforms->u.t.id
1371 != ISAKMP_IPSEC_KEY_IKE))
1372 reject = ISAKMP_N_INVALID_TRANSFORM_ID;
1373 if (reject == 0) {
1374 struct isakmp_attribute *a
1375 =
1376 rp->u.sa.proposals->u.p.transforms->u.t.attributes;
1377 int seen_enc = 0, seen_hash = 0, seen_auth = 0;
1378 int seen_group = 0, seen_keylen = 0;
1379 for (; a && reject == 0; a = a->next)
1380 switch (a->type) {
1381 case IKE_ATTRIB_GROUP_DESC:
1382 if (a->af == isakmp_attr_16 &&
1383 a->u.attr_16 ==
1384 get_dh_group_ike()->ike_sa_id)
1385 seen_group = 1;
1386 else
1387 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
1388 break;
1389 case IKE_ATTRIB_AUTH_METHOD:
1390 if (a->af == isakmp_attr_16)
1391 seen_auth = a->u.attr_16;
1392 else
1393 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
1394 break;
1395 case IKE_ATTRIB_HASH:
1396 if (a->af == isakmp_attr_16)
1397 seen_hash = a->u.attr_16;
1398 else
1399 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
1400 break;
1401 case IKE_ATTRIB_ENC:
1402 if (a->af == isakmp_attr_16)
1403 seen_enc = a->u.attr_16;
1404 else
1405 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
1406 break;
1407 case IKE_ATTRIB_KEY_LENGTH:
1408 if (a->af == isakmp_attr_16)
1409 seen_keylen = a->u.attr_16;
1410 else
1411 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
1412 break;
1413 case IKE_ATTRIB_LIFE_TYPE:
1414 /* lifetime duration MUST follow lifetype attribute */
1415 if (a->next->type == IKE_ATTRIB_LIFE_DURATION) {
1416 lifetime_ike_process(s, a);
1417 } else
1418 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
1419 break;
1420 case IKE_ATTRIB_LIFE_DURATION:
1421 /* already processed above in IKE_ATTRIB_LIFE_TYPE: */
1422 break;
1423 default:
1424 DEBUG(1, printf
1425 ("unknown attribute %d, arborting..\n",
1426 a->type));
1427 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
1428 break;
1429 }
1430 if (!seen_group || !seen_auth || !seen_hash || !seen_enc)
1431 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
1432
1433 if (get_algo(SUPP_ALGO_AUTH, SUPP_ALGO_IKE_SA, seen_auth,
1434 NULL, 0) == NULL)
1435 reject = ISAKMP_N_NO_PROPOSAL_CHOSEN;
1436 if (get_algo(SUPP_ALGO_HASH, SUPP_ALGO_IKE_SA, seen_hash,
1437 NULL, 0) == NULL)
1438 reject = ISAKMP_N_NO_PROPOSAL_CHOSEN;
1439 if (get_algo(SUPP_ALGO_CRYPT, SUPP_ALGO_IKE_SA, seen_enc,
1440 NULL, seen_keylen) == NULL)
1441 reject = ISAKMP_N_NO_PROPOSAL_CHOSEN;
1442
1443 if (reject == 0) {
1444 seen_sa = 1;
1445 s->ike.auth_algo = seen_auth;
1446 s->ike.cry_algo =
1447 get_algo(SUPP_ALGO_CRYPT, SUPP_ALGO_IKE_SA,
1448 seen_enc, NULL, seen_keylen)->my_id;
1449 s->ike.md_algo =
1450 get_algo(SUPP_ALGO_HASH, SUPP_ALGO_IKE_SA,
1451 seen_hash, NULL, 0)->my_id;
1452 s->ike.md_len = gcry_md_get_algo_dlen(s->ike.md_algo);
1453 DEBUG(1, printf("IKE SA selected %s-%s-%s\n",
1454 get_algo(SUPP_ALGO_AUTH,
1455 SUPP_ALGO_IKE_SA, seen_auth,
1456 NULL, 0)->name,
1457 get_algo(SUPP_ALGO_CRYPT,
1458 SUPP_ALGO_IKE_SA, seen_enc,
1459 NULL, seen_keylen)->name,
1460 get_algo(SUPP_ALGO_HASH,
1461 SUPP_ALGO_IKE_SA, seen_hash,
1462 NULL, 0)->name));
1463 if (s->ike.cry_algo == GCRY_CIPHER_DES && !opt_1des) {
1464 error(1, 0, "peer selected (single) DES as \"encryption\" method.\n"
1465 "This algorithm is considered too weak today\n"
1466 "If your vpn concentrator admin still insists on using DES\n"
1467 "use the \"--enable-1des\" option.\n");
1468 }
1469 }
1470 }
1471 break;
1472
1473 case ISAKMP_PAYLOAD_ID:
1474 idp = rp;
1475 break;
1476 case ISAKMP_PAYLOAD_KE:
1477 ke = rp;
1478 break;
1479 case ISAKMP_PAYLOAD_NONCE:
1480 nonce = rp;
1481 break;
1482 case ISAKMP_PAYLOAD_HASH:
1483 hash = rp;
1484 break;
1485 case ISAKMP_PAYLOAD_CERT:
1486 if (rp->u.cert.encoding == ISAKMP_CERT_X509_SIG) {
1487 hex_dump("cert", rp->u.cert.data, rp->u.cert.length, NULL);
1488
1489 ret = crypto_push_cert(cctx,
1490 (const unsigned char *) rp->u.cert.data,
1491 rp->u.cert.length,
1492 &crerr);
1493 if (ret)
1494 crypto_call_error(crerr);
1495 }
1496 break;
1497 case ISAKMP_PAYLOAD_SIG:
1498 sig = rp;
1499 break;
1500 case ISAKMP_PAYLOAD_VID:
1501 if (rp->u.vid.length == sizeof(VID_XAUTH)
1502 && memcmp(rp->u.vid.data, VID_XAUTH,
1503 sizeof(VID_XAUTH)) == 0) {
1504 seen_xauth_vid = 1;
1505 } else if (rp->u.vid.length == sizeof(VID_NATT_RFC)
1506 && memcmp(rp->u.vid.data, VID_NATT_RFC,
1507 sizeof(VID_NATT_RFC)) == 0) {
1508 seen_natt_vid = 1;
1509 if (natt_draft < 1) natt_draft = 2;
1510 DEBUG(2, printf("peer is NAT-T capable (RFC 3947)\n"));
1511 } else if (rp->u.vid.length == sizeof(VID_NATT_03)
1512 && memcmp(rp->u.vid.data, VID_NATT_03,
1513 sizeof(VID_NATT_03)) == 0) {
1514 seen_natt_vid = 1;
1515 if (natt_draft < 1) natt_draft = 2;
1516 DEBUG(2, printf("peer is NAT-T capable (draft-03)\n"));
1517 } else if (rp->u.vid.length == sizeof(VID_NATT_02N)
1518 && memcmp(rp->u.vid.data, VID_NATT_02N,
1519 sizeof(VID_NATT_02N)) == 0) {
1520 seen_natt_vid = 1;
1521 if (natt_draft < 1) natt_draft = 2;
1522 DEBUG(2, printf("peer is NAT-T capable (draft-02)\\n\n")); /* sic! */
1523 } else if (rp->u.vid.length == sizeof(VID_NATT_02)
1524 && memcmp(rp->u.vid.data, VID_NATT_02,
1525 sizeof(VID_NATT_02)) == 0) {
1526 seen_natt_vid = 1;
1527 if (natt_draft < 1) natt_draft = 2;
1528 DEBUG(2, printf("peer is NAT-T capable (draft-02)\n"));
1529 } else if (rp->u.vid.length == sizeof(VID_NATT_01)
1530 && memcmp(rp->u.vid.data, VID_NATT_01,
1531 sizeof(VID_NATT_01)) == 0) {
1532 seen_natt_vid = 1;
1533 if (natt_draft < 1) natt_draft = 1;
1534 DEBUG(2, printf("peer is NAT-T capable (draft-01)\n"));
1535 } else if (rp->u.vid.length == sizeof(VID_NATT_00)
1536 && memcmp(rp->u.vid.data, VID_NATT_00,
1537 sizeof(VID_NATT_00)) == 0) {
1538 seen_natt_vid = 1;
1539 if (natt_draft < 0) natt_draft = 0;
1540 DEBUG(2, printf("peer is NAT-T capable (draft-00)\n"));
1541 } else if (rp->u.vid.length == sizeof(VID_DPD)
1542 && memcmp(rp->u.vid.data, VID_DPD,
1543 sizeof(VID_DPD)) == 0) {
1544 if (s->ike.dpd_idle != 0) {
1545 gcry_create_nonce(&s->ike.dpd_seqno, sizeof(s->ike.dpd_seqno));
1546 s->ike.dpd_seqno &= 0x7FFFFFFF;
1547 s->ike.dpd_seqno_ack = s->ike.dpd_seqno;
1548 s->ike.do_dpd = 1;
1549 DEBUG(2, printf("peer is DPD capable (RFC3706)\n"));
1550 } else {
1551 DEBUG(2, printf("ignoring that peer is DPD capable (RFC3706)\n"));
1552 }
1553 } else if (rp->u.vid.length == sizeof(VID_NETSCREEN_15)
1554 && memcmp(rp->u.vid.data, VID_NETSCREEN_15,
1555 sizeof(VID_NETSCREEN_15)) == 0) {
1556 DEBUG(2, printf("peer is using ScreenOS 5.3, 5.4 or 6.0\n"));
1557 } else if (rp->u.vid.length == sizeof(VID_HEARTBEAT_NOTIFY)
1558 && memcmp(rp->u.vid.data, VID_HEARTBEAT_NOTIFY,
1559 sizeof(VID_HEARTBEAT_NOTIFY)) == 0) {
1560 DEBUG(2, printf("peer sent Heartbeat Notify payload\n"));
1561 } else {
1562 hex_dump("unknown ISAKMP_PAYLOAD_VID",
1563 rp->u.vid.data, rp->u.vid.length, NULL);
1564 }
1565 break;
1566 case ISAKMP_PAYLOAD_NAT_D_OLD:
1567 case ISAKMP_PAYLOAD_NAT_D:
1568 s->ike.natd_type = rp->type;
1569 DEBUG(2, printf("peer is using type %d%s for NAT-Discovery payloads\n",
1570 s->ike.natd_type, val_to_string(s->ike.natd_type, isakmp_payload_enum_array)));
1571 if (!seen_sa /*|| !seen_natt_vid*/) {
1572 reject = ISAKMP_N_INVALID_PAYLOAD_TYPE;
1573 } else if (opt_natt_mode == NATT_NONE) {
1574 ;
1575 } else if (rp->u.natd.length != s->ike.md_len) {
1576 reject = ISAKMP_N_PAYLOAD_MALFORMED;
1577 } else if (seen_natd == 0) {
1578 gcry_md_hd_t hm;
1579 uint16_t n_dst_port = htons(s->ike.dst_port);
1580
1581 s->ike.natd_us = xallocc(s->ike.md_len);
1582 s->ike.natd_them = xallocc(s->ike.md_len);
1583 memcpy(s->ike.natd_us, rp->u.natd.data, s->ike.md_len);
1584 gcry_md_open(&hm, s->ike.md_algo, 0);
1585 gcry_md_write(hm, s->ike.i_cookie, ISAKMP_COOKIE_LENGTH);
1586 gcry_md_write(hm, s->ike.r_cookie, ISAKMP_COOKIE_LENGTH);
1587 gcry_md_write(hm, &s->dst, sizeof(struct in_addr));
1588 gcry_md_write(hm, &n_dst_port, sizeof(uint16_t));
1589 gcry_md_final(hm);
1590 memcpy(s->ike.natd_them, gcry_md_read(hm, 0), s->ike.md_len);
1591 gcry_md_close(hm);
1592 seen_natd = 1;
1593 } else {
1594 if (memcmp(s->ike.natd_them, rp->u.natd.data, s->ike.md_len) == 0)
1595 seen_natd_them = 1;
1596 }
1597 break;
1598 default:
1599 DEBUG(1, printf("rejecting invalid payload type %d\n", rp->type));
1600 reject = ISAKMP_N_INVALID_PAYLOAD_TYPE;
1601 break;
1602 }
1603
1604 if (reject == 0) {
1605 gcry_cipher_algo_info(s->ike.cry_algo, GCRYCTL_GET_BLKLEN, NULL, &(s->ike.ivlen));
1606 gcry_cipher_algo_info(s->ike.cry_algo, GCRYCTL_GET_KEYLEN, NULL, &(s->ike.keylen));
1607 }
1608
1609 if (reject == 0 && (ke == NULL || ke->u.ke.length != dh_getlen(s->ike.dh_grp)))
1610 reject = ISAKMP_N_INVALID_KEY_INFORMATION;
1611 if (reject == 0 && nonce == NULL)
1612 reject = ISAKMP_N_INVALID_HASH_INFORMATION;
1613 if (reject != 0)
1614 error(1, 0, "response was invalid [2]: %s(%d)", val_to_string(reject, isakmp_notify_enum_array), reject);
1615 if (reject == 0 && idp == NULL)
1616 reject = ISAKMP_N_INVALID_ID_INFORMATION;
1617
1618 /* Decide if signature or hash is expected (sig only if vpnc is initiator of hybrid-auth */
1619 if (reject == 0 && opt_auth_mode == AUTH_MODE_PSK && (hash == NULL || hash->u.hash.length != s->ike.md_len))
1620 reject = ISAKMP_N_INVALID_HASH_INFORMATION;
1621 if (reject == 0 && sig == NULL &&
1622 (opt_auth_mode == AUTH_MODE_CERT ||
1623 opt_auth_mode == AUTH_MODE_HYBRID))
1624 reject = ISAKMP_N_INVALID_SIGNATURE;
1625 if (reject != 0)
1626 error(1, 0, "response was invalid [3]: %s(%d)", val_to_string(reject, isakmp_notify_enum_array), reject);
1627
1628 /* Determine the shared secret. */
1629 dh_shared_secret = xallocc(dh_getlen(s->ike.dh_grp));
1630 dh_create_shared(s->ike.dh_grp, dh_shared_secret, ke->u.ke.data);
1631 hex_dump("dh_shared_secret", dh_shared_secret, dh_getlen(s->ike.dh_grp), NULL);
1632 /* Generate SKEYID. */
1633 {
1634 gcry_md_open(&skeyid_ctx, s->ike.md_algo, GCRY_MD_FLAG_HMAC);
1635 gcry_md_setkey(skeyid_ctx, shared_key, strlen(shared_key));
1636 gcry_md_write(skeyid_ctx, s->ike.i_nonce, sizeof(s->ike.i_nonce));
1637 gcry_md_write(skeyid_ctx, nonce->u.nonce.data, nonce->u.nonce.length);
1638 gcry_md_final(skeyid_ctx);
1639 psk_skeyid = xallocc(s->ike.md_len);
1640 memcpy(psk_skeyid, gcry_md_read(skeyid_ctx, 0), s->ike.md_len);
1641 if (opt_debug < 99)
1642 DEBUG(3, printf("(not dumping psk hash)\n"));
1643 else
1644 hex_dump("psk_skeyid", psk_skeyid, s->ike.md_len, NULL);
1645 free(psk_skeyid);
1646 gcry_md_close(skeyid_ctx);
1647 DEBUG(99, printf("shared-key: %s\n",shared_key));
1648
1649 /* SKEYID - psk only */
1650 if (s->ike.auth_algo == IKE_AUTH_PRESHARED ||
1651 s->ike.auth_algo == IKE_AUTH_XAUTHInitPreShared ||
1652 s->ike.auth_algo == IKE_AUTH_XAUTHRespPreShared) {
1653 gcry_md_open(&skeyid_ctx, s->ike.md_algo, GCRY_MD_FLAG_HMAC);
1654 gcry_md_setkey(skeyid_ctx, shared_key, strlen(shared_key));
1655 gcry_md_write(skeyid_ctx, s->ike.i_nonce, sizeof(s->ike.i_nonce));
1656 gcry_md_write(skeyid_ctx, nonce->u.nonce.data, nonce->u.nonce.length);
1657 gcry_md_final(skeyid_ctx);
1658 } else if (s->ike.auth_algo == IKE_AUTH_DSS ||
1659 s->ike.auth_algo == IKE_AUTH_RSA_SIG ||
1660 s->ike.auth_algo == IKE_AUTH_ECDSA_SIG ||
1661 s->ike.auth_algo == IKE_AUTH_HybridInitRSA ||
1662 s->ike.auth_algo == IKE_AUTH_HybridRespRSA ||
1663 s->ike.auth_algo == IKE_AUTH_HybridInitDSS ||
1664 s->ike.auth_algo == IKE_AUTH_HybridRespDSS ||
1665 s->ike.auth_algo == IKE_AUTH_XAUTHInitDSS ||
1666 s->ike.auth_algo == IKE_AUTH_XAUTHRespDSS ||
1667 s->ike.auth_algo == IKE_AUTH_XAUTHInitRSA ||
1668 s->ike.auth_algo == IKE_AUTH_XAUTHRespRSA) {
1669 unsigned char *key;
1670 int key_len;
1671 key_len = sizeof(s->ike.i_nonce) + nonce->u.nonce.length;
1672 key = xallocc(key_len);
1673 memcpy(key, s->ike.i_nonce, sizeof(s->ike.i_nonce));
1674 memcpy(key + sizeof(s->ike.i_nonce), nonce->u.nonce.data, nonce->u.nonce.length);
1675 gcry_md_open(&skeyid_ctx, s->ike.md_algo, GCRY_MD_FLAG_HMAC);
1676 gcry_md_setkey(skeyid_ctx, key, key_len);
1677 gcry_md_write(skeyid_ctx, dh_shared_secret, dh_getlen(s->ike.dh_grp));
1678 gcry_md_final(skeyid_ctx);
1679 } else
1680 error(1, 0, "SKEYID could not be computed: %s", "the selected authentication method is not supported");
1681 skeyid = gcry_md_read(skeyid_ctx, 0);
1682 hex_dump("skeyid", skeyid, s->ike.md_len, NULL);
1683 }
1684
1685 /* Verify the hash. */
1686 {
1687 gcry_md_hd_t hm;
1688 unsigned char *expected_hash, *rec_hash;
1689 uint8_t *idp_f;
1690 size_t idp_size;
1691 size_t decr_size = 0;
1692
1693 flatten_isakmp_payload(idp, &idp_f, &idp_size);
1694
1695 gcry_md_open(&hm, s->ike.md_algo, GCRY_MD_FLAG_HMAC);
1696 gcry_md_setkey(hm, skeyid, s->ike.md_len);
1697 gcry_md_write(hm, ke->u.ke.data, ke->u.ke.length);
1698 gcry_md_write(hm, s->ike.dh_public, dh_getlen(s->ike.dh_grp));
1699 gcry_md_write(hm, s->ike.r_cookie, ISAKMP_COOKIE_LENGTH);
1700 gcry_md_write(hm, s->ike.i_cookie, ISAKMP_COOKIE_LENGTH);
1701 gcry_md_write(hm, s->ike.sa_f + 4, s->ike.sa_size - 4);
1702 gcry_md_write(hm, idp_f + 4, idp_size - 4);
1703 gcry_md_final(hm);
1704 expected_hash = gcry_md_read(hm, 0);
1705 hex_dump("expected hash", expected_hash, s->ike.md_len, NULL);
1706
1707 if (opt_auth_mode == AUTH_MODE_PSK) {
1708 if (memcmp(expected_hash, hash->u.hash.data, s->ike.md_len) != 0)
1709 error(2, 0, "hash comparison failed: %s(%d)\ncheck group password!",
1710 val_to_string(ISAKMP_N_AUTHENTICATION_FAILED, isakmp_notify_enum_array),
1711 ISAKMP_N_AUTHENTICATION_FAILED);
1712 hex_dump("received hash", hash->u.hash.data, hash->u.hash.length, NULL);
1713 } else if (opt_auth_mode == AUTH_MODE_CERT ||
1714 opt_auth_mode == AUTH_MODE_HYBRID) {
1715 hex_dump("received signature", sig->u.sig.data, sig->u.sig.length, NULL);
1716
1717 ret = crypto_verify_chain(cctx,
1718 config[CONFIG_CA_FILE],
1719 config[CONFIG_CA_DIR],
1720 &crerr);
1721 if (ret)
1722 crypto_call_error(crerr);
1723
1724 /* Verify signature */
1725 rec_hash = crypto_decrypt_signature (cctx,
1726 sig->u.sig.data,
1727 sig->u.sig.length,
1728 &decr_size,
1729 CRYPTO_PAD_PKCS1,
1730 &crerr);
1731 if (!rec_hash)
1732 crypto_call_error(crerr);
1733
1734 if (decr_size != s->ike.md_len) {
1735 printf("Decrypted-Size: %zd\n",decr_size);
1736 hex_dump(" decr_hash", rec_hash, decr_size, NULL);
1737 hex_dump("expected hash", expected_hash, s->ike.md_len, NULL);
1738
1739 error(2, 0, "The hash-value, which was decrypted from the received signature, and the expected hash-value differ in size.\n");
1740 } else {
1741 if (memcmp(rec_hash, expected_hash, decr_size) != 0) {
1742 printf("Decrypted-Size: %zd\n",decr_size);
1743 hex_dump(" decr_hash", rec_hash, decr_size, NULL);
1744 hex_dump("expected hash", expected_hash, s->ike.md_len, NULL);
1745
1746 error(2, 0, "The hash-value, which was decrypted from the received signature, and the expected hash-value differ.\n");
1747 } else {
1748 DEBUG(3, printf("Signature MATCH!!\n"));
1749 }
1750 }
1751 /* END - Signature Verification */
1752
1753 free(rec_hash);
1754 }
1755
1756 gcry_md_close(hm);
1757
1758 gcry_md_open(&hm, s->ike.md_algo, GCRY_MD_FLAG_HMAC);
1759 gcry_md_setkey(hm, skeyid, s->ike.md_len);
1760 gcry_md_write(hm, s->ike.dh_public, dh_getlen(s->ike.dh_grp));
1761 gcry_md_write(hm, ke->u.ke.data, ke->u.ke.length);
1762 gcry_md_write(hm, s->ike.i_cookie, ISAKMP_COOKIE_LENGTH);
1763 gcry_md_write(hm, s->ike.r_cookie, ISAKMP_COOKIE_LENGTH);
1764 gcry_md_write(hm, s->ike.sa_f + 4, s->ike.sa_size - 4);
1765 gcry_md_write(hm, s->ike.idi_f + 4, s->ike.idi_size - 4);
1766 gcry_md_final(hm);
1767 s->ike.returned_hash = xallocc(s->ike.md_len);
1768 memcpy(s->ike.returned_hash, gcry_md_read(hm, 0), s->ike.md_len);
1769 gcry_md_close(hm);
1770 hex_dump("returned_hash", s->ike.returned_hash, s->ike.md_len, NULL);
1771
1772 /* PRESHARED_KEY_HASH */
1773 gcry_md_open(&hm, s->ike.md_algo, GCRY_MD_FLAG_HMAC);
1774 gcry_md_setkey(hm, skeyid, s->ike.md_len);
1775 gcry_md_write(hm, shared_key, strlen(shared_key));
1776 gcry_md_final(hm);
1777 s->ike.psk_hash = xallocc(s->ike.md_len);
1778 memcpy(s->ike.psk_hash, gcry_md_read(hm, 0), s->ike.md_len);
1779 gcry_md_close(hm);
1780 hex_dump("psk_hash", s->ike.psk_hash, s->ike.md_len, NULL);
1781 /* End PRESHARED_KEY_HASH */
1782
1783 free(s->ike.sa_f);
1784 free(s->ike.idi_f);
1785 free(idp_f);
1786 s->ike.sa_f = NULL;
1787 s->ike.idi_f = NULL;
1788 }
1789
1790 /* Determine all the SKEYID_x keys. */
1791 {
1792 gcry_md_hd_t hm;
1793 int i;
1794 static const unsigned char c012[3] = { 0, 1, 2 };
1795 unsigned char *skeyid_e;
1796 unsigned char *dh_shared_secret;
1797
1798 /* Determine the shared secret. */
1799 dh_shared_secret = xallocc(dh_getlen(s->ike.dh_grp));
1800 dh_create_shared(s->ike.dh_grp, dh_shared_secret, ke->u.ke.data);
1801 hex_dump("dh_shared_secret", dh_shared_secret, dh_getlen(s->ike.dh_grp), NULL);
1802
1803 gcry_md_open(&hm, s->ike.md_algo, GCRY_MD_FLAG_HMAC);
1804 gcry_md_setkey(hm, skeyid, s->ike.md_len);
1805 gcry_md_write(hm, dh_shared_secret, dh_getlen(s->ike.dh_grp));
1806 gcry_md_write(hm, s->ike.i_cookie, ISAKMP_COOKIE_LENGTH);
1807 gcry_md_write(hm, s->ike.r_cookie, ISAKMP_COOKIE_LENGTH);
1808 gcry_md_write(hm, c012 + 0, 1);
1809 gcry_md_final(hm);
1810 if (s->ike.skeyid_d) free(s->ike.skeyid_d);
1811 s->ike.skeyid_d = xallocc(s->ike.md_len);
1812 memcpy(s->ike.skeyid_d, gcry_md_read(hm, 0), s->ike.md_len);
1813 gcry_md_close(hm);
1814 hex_dump("skeyid_d", s->ike.skeyid_d, s->ike.md_len, NULL);
1815
1816 gcry_md_open(&hm, s->ike.md_algo, GCRY_MD_FLAG_HMAC);
1817 gcry_md_setkey(hm, skeyid, s->ike.md_len);
1818 gcry_md_write(hm, s->ike.skeyid_d, s->ike.md_len);
1819 gcry_md_write(hm, dh_shared_secret, dh_getlen(s->ike.dh_grp));
1820 gcry_md_write(hm, s->ike.i_cookie, ISAKMP_COOKIE_LENGTH);
1821 gcry_md_write(hm, s->ike.r_cookie, ISAKMP_COOKIE_LENGTH);
1822 gcry_md_write(hm, c012 + 1, 1);
1823 gcry_md_final(hm);
1824 if (s->ike.skeyid_a) free(s->ike.skeyid_a);
1825 s->ike.skeyid_a = xallocc(s->ike.md_len);
1826 memcpy(s->ike.skeyid_a, gcry_md_read(hm, 0), s->ike.md_len);
1827 gcry_md_close(hm);
1828 hex_dump("skeyid_a", s->ike.skeyid_a, s->ike.md_len, NULL);
1829
1830 gcry_md_open(&hm, s->ike.md_algo, GCRY_MD_FLAG_HMAC);
1831 gcry_md_setkey(hm, skeyid, s->ike.md_len);
1832 gcry_md_write(hm, s->ike.skeyid_a, s->ike.md_len);
1833 gcry_md_write(hm, dh_shared_secret, dh_getlen(s->ike.dh_grp));
1834 gcry_md_write(hm, s->ike.i_cookie, ISAKMP_COOKIE_LENGTH);
1835 gcry_md_write(hm, s->ike.r_cookie, ISAKMP_COOKIE_LENGTH);
1836 gcry_md_write(hm, c012 + 2, 1);
1837 gcry_md_final(hm);
1838 skeyid_e = xallocc(s->ike.md_len);
1839 memcpy(skeyid_e, gcry_md_read(hm, 0), s->ike.md_len);
1840 gcry_md_close(hm);
1841 hex_dump("skeyid_e", skeyid_e, s->ike.md_len, NULL);
1842
1843 memset(dh_shared_secret, 0, sizeof(dh_shared_secret));
1844 free(dh_shared_secret);
1845
1846 /* Determine the IKE encryption key. */
1847 if (s->ike.key) free(s->ike.key);
1848 s->ike.key = xallocc(s->ike.keylen);
1849
1850 if (s->ike.keylen > s->ike.md_len) {
1851 for (i = 0; i * s->ike.md_len < s->ike.keylen; i++) {
1852 gcry_md_open(&hm, s->ike.md_algo, GCRY_MD_FLAG_HMAC);
1853 gcry_md_setkey(hm, skeyid_e, s->ike.md_len);
1854 if (i == 0)
1855 gcry_md_write(hm, "" /* &'\0' */ , 1);
1856 else
1857 gcry_md_write(hm, s->ike.key + (i - 1) * s->ike.md_len,
1858 s->ike.md_len);
1859 gcry_md_final(hm);
1860 memcpy(s->ike.key + i * s->ike.md_len, gcry_md_read(hm, 0),
1861 min(s->ike.md_len, s->ike.keylen - i * s->ike.md_len));
1862 gcry_md_close(hm);
1863 }
1864 } else { /* keylen <= md_len */
1865 memcpy(s->ike.key, skeyid_e, s->ike.keylen);
1866 }
1867 hex_dump("enc-key", s->ike.key, s->ike.keylen, NULL);
1868
1869 memset(skeyid_e, 0, s->ike.md_len);
1870 free(skeyid_e);
1871 }
1872
1873 /* Determine the initial IV. */
1874 {
1875 gcry_md_hd_t hm;
1876
1877 assert(s->ike.ivlen <= s->ike.md_len);
1878 gcry_md_open(&hm, s->ike.md_algo, 0);
1879 gcry_md_write(hm, s->ike.dh_public, dh_getlen(s->ike.dh_grp));
1880 gcry_md_write(hm, ke->u.ke.data, ke->u.ke.length);
1881 gcry_md_final(hm);
1882 if (s->ike.current_iv) free(s->ike.current_iv);
1883 s->ike.current_iv = xallocc(s->ike.ivlen);
1884 memcpy(s->ike.current_iv, gcry_md_read(hm, 0), s->ike.ivlen);
1885 gcry_md_close(hm);
1886 hex_dump("current_iv", s->ike.current_iv, s->ike.ivlen, NULL);
1887 memset(s->ike.current_iv_msgid, 0, 4);
1888 }
1889
1890 gcry_md_close(skeyid_ctx);
1891 crypto_ctx_free(cctx);
1892 free(dh_shared_secret);
1893
1894 /* Determine presence of NAT */
1895 if (s->ike.natd_type != 0) {
1896 seen_natd_us = 0;
1897 /* this could be repeated for any known outbound interfaces */
1898 {
1899 gcry_md_hd_t hm;
1900 uint16_t n_src_port = htons(s->ike.src_port);
1901
1902 gcry_md_open(&hm, s->ike.md_algo, 0);
1903 gcry_md_write(hm, s->ike.i_cookie, ISAKMP_COOKIE_LENGTH);
1904 gcry_md_write(hm, s->ike.r_cookie, ISAKMP_COOKIE_LENGTH);
1905 gcry_md_write(hm, &s->src, sizeof(struct in_addr));
1906 gcry_md_write(hm, &n_src_port, sizeof(uint16_t));
1907 gcry_md_final(hm);
1908 if (memcmp(s->ike.natd_us, gcry_md_read(hm, 0), s->ike.md_len) == 0)
1909 seen_natd_us = 1;
1910 memcpy(s->ike.natd_us, gcry_md_read(hm, 0), s->ike.md_len);
1911 if (opt_natt_mode == NATT_FORCE) {
1912 /* force detection of "this end behind NAT" */
1913 /* by flipping a bit in the nat-detection-hash */
1914 s->ike.natd_us[0] ^= 1;
1915 seen_natd_us = 0;
1916 }
1917 gcry_md_close(hm);
1918 }
1919 /* if there is a NAT, change to port 4500 and select UDP encap */
1920 if (!seen_natd_us || !seen_natd_them) {
1921 DEBUG(1, printf("NAT status: this end behind NAT? %s -- remote end behind NAT? %s\n",
1922 seen_natd_us ? "no" : "YES", seen_natd_them ? "no" : "YES"));
1923 switch (s->ike.natd_type) {
1924 case ISAKMP_PAYLOAD_NAT_D:
1925 s->ipsec.encap_mode = IPSEC_ENCAP_UDP_TUNNEL;
1926 break;
1927 case ISAKMP_PAYLOAD_NAT_D_OLD:
1928 s->ipsec.encap_mode = IPSEC_ENCAP_UDP_TUNNEL_OLD;
1929 break;
1930 default:
1931 abort();
1932 }
1933 if (natt_draft >= 2) {
1934 s->ipsec.natt_active_mode = NATT_ACTIVE_RFC;
1935 close(s->ike_fd);
1936 if (s->ike.src_port == ISAKMP_PORT)
1937 s->ike.src_port = ISAKMP_PORT_NATT;
1938 s->ike_fd = make_socket(s, s->ike.src_port, s->ike.dst_port = ISAKMP_PORT_NATT);
1939 } else {
1940 s->ipsec.natt_active_mode = NATT_ACTIVE_DRAFT_OLD;
1941 }
1942 } else {
1943 DEBUG(1, printf("NAT status: NAT-T VID seen, no NAT device detected\n"));
1944 }
1945 } else {
1946 DEBUG(1, printf("NAT status: no NAT-T VID seen\n"));
1947 }
1948
1949 /* This seems to cause a duplicate free of some data when rekeying:
1950 * *** glibc detected *** vpnc-connect: free(): invalid pointer: 0x09d63ba5
1951 * See also: http://bugs.gentoo.org/show_bug.cgi?id=229003
1952 */
1953 #if 1
1954 free_isakmp_packet(r);
1955 #endif
1956
1957 }
1958 }
1959
1960 static void do_phase1_am_packet3(struct sa_block *s)
1961 {
1962 DEBUGTOP(2, printf("S4.5 AM_packet3\n"));
1963 /* Send final phase 1 packet. */
1964 {
1965 struct isakmp_packet *p2;
1966 uint8_t *p2kt;
1967 size_t p2kt_len;
1968 struct isakmp_payload *pl;
1969
1970 p2 = new_isakmp_packet();
1971 memcpy(p2->i_cookie, s->ike.i_cookie, ISAKMP_COOKIE_LENGTH);
1972 memcpy(p2->r_cookie, s->ike.r_cookie, ISAKMP_COOKIE_LENGTH);
1973 p2->flags = ISAKMP_FLAG_E;
1974 p2->isakmp_version = ISAKMP_VERSION;
1975 p2->exchange_type = ISAKMP_EXCHANGE_AGGRESSIVE;
1976 /* XXX CERT Add id(?), cert and sig here in case of cert auth */
1977 p2->payload = new_isakmp_data_payload(ISAKMP_PAYLOAD_HASH,
1978 s->ike.returned_hash, s->ike.md_len);
1979 p2->payload->next = pl = new_isakmp_payload(ISAKMP_PAYLOAD_N);
1980 pl->u.n.doi = ISAKMP_DOI_IPSEC;
1981 pl->u.n.protocol = ISAKMP_IPSEC_PROTO_ISAKMP;
1982 pl->u.n.type = ISAKMP_N_IPSEC_INITIAL_CONTACT;
1983 pl->u.n.spi_length = 2 * ISAKMP_COOKIE_LENGTH;
1984 pl->u.n.spi = xallocc(2 * ISAKMP_COOKIE_LENGTH);
1985 memcpy(pl->u.n.spi + ISAKMP_COOKIE_LENGTH * 0, s->ike.i_cookie, ISAKMP_COOKIE_LENGTH);
1986 memcpy(pl->u.n.spi + ISAKMP_COOKIE_LENGTH * 1, s->ike.r_cookie, ISAKMP_COOKIE_LENGTH);
1987
1988 /* send PSK-hash if hybrid authentication is negotiated */
1989 if (s->ike.auth_algo == IKE_AUTH_HybridInitRSA ||
1990 s->ike.auth_algo == IKE_AUTH_HybridInitDSS) {
1991 /* Notify - PRESHARED_KEY_HASH */
1992 pl = pl->next = new_isakmp_payload(ISAKMP_PAYLOAD_N);
1993 pl->u.n.doi = ISAKMP_DOI_IPSEC;
1994 pl->u.n.protocol = ISAKMP_IPSEC_PROTO_ISAKMP;
1995 /* Notify Message - Type: PRESHARED_KEY_HASH */
1996 pl->u.n.type = ISAKMP_N_CISCO_PRESHARED_KEY_HASH;
1997 pl->u.n.spi_length = 2 * ISAKMP_COOKIE_LENGTH;
1998 pl->u.n.spi = xallocc(2 * ISAKMP_COOKIE_LENGTH);
1999 memcpy(pl->u.n.spi + ISAKMP_COOKIE_LENGTH * 0,
2000 s->ike.i_cookie, ISAKMP_COOKIE_LENGTH);
2001 memcpy(pl->u.n.spi + ISAKMP_COOKIE_LENGTH * 1,
2002 s->ike.r_cookie, ISAKMP_COOKIE_LENGTH);
2003 pl->u.n.data_length = s->ike.md_len;
2004 pl->u.n.data = xallocc(pl->u.n.data_length);
2005 memcpy(pl->u.n.data, s->ike.psk_hash, pl->u.n.data_length);
2006 /* End Notify - PRESHARED_KEY_HASH */
2007 }
2008 pl = pl->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID,
2009 VID_UNKNOWN, sizeof(VID_UNKNOWN));
2010 pl = pl->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID,
2011 VID_UNITY, sizeof(VID_UNITY));
2012
2013 /* include NAT traversal discovery payloads */
2014 if (s->ike.natd_type != 0) {
2015 pl = pl->next = new_isakmp_data_payload(s->ike.natd_type,
2016 s->ike.natd_them, s->ike.md_len);
2017 pl = pl->next = new_isakmp_data_payload(s->ike.natd_type,
2018 s->ike.natd_us, s->ike.md_len);
2019 free(s->ike.natd_us);
2020 free(s->ike.natd_them);
2021 s->ike.natd_us = NULL;
2022 s->ike.natd_them = NULL;
2023 }
2024
2025 flatten_isakmp_packet(p2, &p2kt, &p2kt_len, s->ike.ivlen);
2026 free_isakmp_packet(p2);
2027 isakmp_crypt(s, p2kt, p2kt_len, 1);
2028
2029 if (s->ike.initial_iv) free(s->ike.initial_iv);
2030 s->ike.initial_iv = xallocc(s->ike.ivlen);
2031 memcpy(s->ike.initial_iv, s->ike.current_iv, s->ike.ivlen);
2032 hex_dump("initial_iv", s->ike.initial_iv, s->ike.ivlen, NULL);
2033
2034 /* Now, send that packet and receive a new one. */
2035 r_length = sendrecv(s, r_packet, sizeof(r_packet), p2kt, p2kt_len, 0);
2036 free(p2kt);
2037 }
2038 }
2039
2040 static void do_phase1_am_cleanup(struct sa_block *s)
2041 {
2042 DEBUGTOP(2, printf("S4.6 cleanup\n"));
2043
2044 free(s->ike.psk_hash);
2045 s->ike.psk_hash = NULL;
2046 free(s->ike.dh_public);
2047 group_free(s->ike.dh_grp);
2048 free(s->ike.returned_hash);
2049 s->ike.returned_hash = NULL;
2050 }
2051
2052 static void do_phase1_am(const char *key_id, const char *shared_key, struct sa_block *s)
2053 {
2054 do_phase1_am_init(s);
2055 do_phase1_am_packet1(s, key_id);
2056 do_phase1_am_packet2(s, shared_key);
2057 do_phase1_am_packet3(s);
2058 do_phase1_am_cleanup(s);
2059 }
2060
2061 static int do_phase2_notice_check(struct sa_block *s, struct isakmp_packet **r_p,
2062 const uint8_t * nonce, size_t nonce_size)
2063 {
2064 int reject = 0;
2065 struct isakmp_packet *r;
2066
2067 while (1) {
2068 reject = unpack_verify_phase2(s, r_packet, r_length, r_p, nonce, nonce_size);
2069 if (reject == ISAKMP_N_INVALID_COOKIE) {
2070 r_length = sendrecv(s, r_packet, sizeof(r_packet), NULL, 0, 0);
2071 continue;
2072 }
2073 if (*r_p == NULL) {
2074 assert(reject != 0);
2075 return reject;
2076 }
2077 r = *r_p;
2078
2079 /* check for notices */
2080 if (r->exchange_type == ISAKMP_EXCHANGE_INFORMATIONAL &&
2081 r->payload->next != NULL) {
2082 if (r->payload->next->type == ISAKMP_PAYLOAD_N) {
2083 if (r->payload->next->u.n.type == ISAKMP_N_CISCO_LOAD_BALANCE) {
2084 /* load balancing notice ==> restart with new gw */
2085 if (r->payload->next->u.n.data_length != 4)
2086 error(1, 0, "malformed loadbalance target");
2087 s->dst = *(struct in_addr *)r->payload->next->u.n.data;
2088 s->ike.dst_port = ISAKMP_PORT;
2089 s->ipsec.encap_mode = IPSEC_ENCAP_TUNNEL;
2090 s->ipsec.natt_active_mode = NATT_ACTIVE_NONE;
2091 if (s->ike.src_port == ISAKMP_PORT_NATT)
2092 s->ike.src_port = ISAKMP_PORT;
2093 close(s->ike_fd);
2094 s->ike_fd = make_socket(s, s->ike.src_port, s->ike.dst_port);
2095 DEBUG(2, printf("got cisco loadbalancing notice, diverting to %s\n",
2096 inet_ntoa(s->dst)));
2097 return -1;
2098 } else if (r->payload->next->u.n.type == ISAKMP_N_IPSEC_RESPONDER_LIFETIME) {
2099 if (r->payload->next->u.n.protocol == ISAKMP_IPSEC_PROTO_ISAKMP)
2100 lifetime_ike_process(s, r->payload->next->u.n.attributes);
2101 else if (r->payload->next->u.n.protocol == ISAKMP_IPSEC_PROTO_IPSEC_ESP)
2102 lifetime_ipsec_process(s, r->payload->next->u.n.attributes);
2103 else
2104 DEBUG(2, printf("got unknown lifetime notice, ignoring..\n"));
2105 r_length = sendrecv(s, r_packet, sizeof(r_packet), NULL, 0, 0);
2106 continue;
2107 } else if (r->payload->next->u.n.type == ISAKMP_N_IPSEC_INITIAL_CONTACT) {
2108 /* why in hell do we get this?? */
2109 DEBUG(2, printf("got initial contact notice, ignoring..\n"));
2110 r_length = sendrecv(s, r_packet, sizeof(r_packet), NULL, 0, 0);
2111 continue;
2112 } else {
2113 /* whatever */
2114 printf("received notice of type %s(%d), giving up\n",
2115 val_to_string(r->payload->next->u.n.type, isakmp_notify_enum_array),
2116 r->payload->next->u.n.type);
2117 return reject;
2118 }
2119 }
2120 if (r->payload->next->type == ISAKMP_PAYLOAD_D) {
2121 /* delete notice ==> ignore */
2122 DEBUG(2, printf("got delete for old connection, ignoring..\n"));
2123 r_length = sendrecv(s, r_packet, sizeof(r_packet), NULL, 0, 0);
2124 continue;
2125 }
2126 }
2127
2128 break;
2129 }
2130 return reject;
2131 }
2132
2133 static int do_phase2_xauth(struct sa_block *s)
2134 {
2135 struct isakmp_packet *r = NULL;
2136 int loopcount;
2137 int reject;
2138 int passwd_used = 0;
2139
2140 DEBUGTOP(2, printf("S5.1 xauth_request\n"));
2141 /* This can go around for a while. */
2142 for (loopcount = 0;; loopcount++) {
2143 struct isakmp_payload *rp;
2144 struct isakmp_attribute *a, *ap, *reply_attr, *last_reply_attr;
2145 char ntop_buf[32];
2146 int seen_answer = 0;
2147
2148 DEBUGTOP(2, printf("S5.2 notice_check\n"));
2149
2150 /* recv and check for notices */
2151 if (r) free_isakmp_packet(r);
2152 r = NULL;
2153 reject = do_phase2_notice_check(s, &r, NULL, 0);
2154 if (reject == -1) {
2155 if (r) free_isakmp_packet(r);
2156 return 1;
2157 }
2158
2159 DEBUGTOP(2, printf("S5.3 type-is-xauth check\n"));
2160 /* Check the transaction type is OK. */
2161 if (reject == 0 && r->exchange_type != ISAKMP_EXCHANGE_MODECFG_TRANSACTION)
2162 reject = ISAKMP_N_INVALID_EXCHANGE_TYPE;
2163
2164 /* After the hash, expect an attribute block. */
2165 if (reject == 0
2166 && (r->payload->next == NULL
2167 || r->payload->next->next != NULL
2168 || r->payload->next->type != ISAKMP_PAYLOAD_MODECFG_ATTR))
2169 reject = ISAKMP_N_INVALID_PAYLOAD_TYPE;
2170
2171 if (reject == 0 && r->payload->next->u.modecfg.type == ISAKMP_MODECFG_CFG_SET) {
2172 /* OK, the server has finished requesting information, go for the final set/ack */
2173 break;
2174 }
2175
2176 if (reject == 0 && r->payload->next->u.modecfg.type != ISAKMP_MODECFG_CFG_REQUEST)
2177 reject = ISAKMP_N_INVALID_PAYLOAD_TYPE;
2178
2179 if (reject != 0)
2180 phase2_fatal(s, "expected xauth packet; rejected: %s(%d)", reject);
2181
2182 DEBUGTOP(2, printf("S5.4 xauth type check\n"));
2183 a = r->payload->next->u.modecfg.attributes;
2184 /* First, print any messages, and verify that we understand the
2185 * conversation. This looks for any place were input is
2186 * required - in these cases, we need to print the prompt
2187 * regardless of whether the user requested interactive mode
2188 * or not. */
2189 for (ap = a; ap && seen_answer == 0; ap = ap->next)
2190 if (ap->type == ISAKMP_XAUTH_06_ATTRIB_ANSWER
2191 || ap->type == ISAKMP_XAUTH_06_ATTRIB_NEXT_PIN
2192 /* || ap->type == ISAKMP_XAUTH_06_ATTRIB_PASSCODE */)
2193 seen_answer = 1;
2194
2195 for (ap = a; ap && reject == 0; ap = ap->next)
2196 switch (ap->type) {
2197 case ISAKMP_XAUTH_06_ATTRIB_TYPE:
2198 if (ap->af != isakmp_attr_16 || ap->u.attr_16 != 0)
2199 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
2200 break;
2201 case ISAKMP_XAUTH_06_ATTRIB_USER_NAME:
2202 case ISAKMP_XAUTH_06_ATTRIB_USER_PASSWORD:
2203 case ISAKMP_XAUTH_06_ATTRIB_PASSCODE:
2204 case ISAKMP_XAUTH_06_ATTRIB_DOMAIN:
2205 case ISAKMP_XAUTH_06_ATTRIB_ANSWER:
2206 case ISAKMP_XAUTH_06_ATTRIB_NEXT_PIN:
2207 case ISAKMP_XAUTH_ATTRIB_CISCOEXT_VENDOR:
2208 break;
2209 case ISAKMP_XAUTH_06_ATTRIB_MESSAGE:
2210 if (opt_debug || seen_answer || config[CONFIG_XAUTH_INTERACTIVE]) {
2211 if (ap->af == isakmp_attr_16)
2212 printf("%c%c\n", ap->u.attr_16 >> 8, ap->u.attr_16);
2213 else
2214 printf("%.*s%s", ap->u.lots.length, ap->u.lots.data,
2215 ((ap->u.lots.data
2216 && ap->u.lots.data[ap->u.
2217 lots.length - 1] !=
2218 '\n')
2219 ? "\n" : ""));
2220 }
2221 break;
2222 default:
2223 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
2224 }
2225 if (reject != 0)
2226 phase2_fatal(s, "xauth packet unsupported: %s(%d)", reject);
2227
2228 DEBUGTOP(2, printf("S5.5 do xauth reply\n"));
2229 inet_ntop(AF_INET, &s->dst, ntop_buf, sizeof(ntop_buf));
2230
2231 /* Collect data from the user. */
2232 reply_attr = last_reply_attr = NULL;
2233 for (ap = a; ap && reject == 0; ap = ap->next) {
2234 struct isakmp_attribute *na = NULL;
2235
2236 switch (ap->type) {
2237 case ISAKMP_XAUTH_06_ATTRIB_TYPE:
2238 {
2239 na = new_isakmp_attribute_16(ap->type, ap->u.attr_16, NULL);
2240 break;
2241 }
2242 case ISAKMP_XAUTH_06_ATTRIB_DOMAIN:
2243 na = new_isakmp_attribute(ap->type, NULL);
2244 if (!config[CONFIG_DOMAIN])
2245 error(1, 0,
2246 "server requested domain, but none set (use \"Domain ...\" in config or --domain");
2247 na->u.lots.length = strlen(config[CONFIG_DOMAIN]);
2248 na->u.lots.data = xallocc(na->u.lots.length);
2249 memcpy(na->u.lots.data, config[CONFIG_DOMAIN],
2250 na->u.lots.length);
2251 break;
2252 case ISAKMP_XAUTH_06_ATTRIB_USER_NAME:
2253 {
2254 na = new_isakmp_attribute(ap->type, NULL);
2255 na->u.lots.length = strlen(config[CONFIG_XAUTH_USERNAME]);
2256 na->u.lots.data = xallocc(na->u.lots.length);
2257 memcpy(na->u.lots.data, config[CONFIG_XAUTH_USERNAME],
2258 na->u.lots.length);
2259 break;
2260 }
2261 case ISAKMP_XAUTH_06_ATTRIB_ANSWER:
2262 case ISAKMP_XAUTH_06_ATTRIB_USER_PASSWORD:
2263 case ISAKMP_XAUTH_06_ATTRIB_PASSCODE:
2264 case ISAKMP_XAUTH_06_ATTRIB_NEXT_PIN:
2265 if (passwd_used && config[CONFIG_NON_INTERACTIVE]) {
2266 reject = ISAKMP_N_AUTHENTICATION_FAILED;
2267 phase2_fatal(s, "noninteractive can't reuse password", reject);
2268 error(2, 0, "authentication failed (requires interactive mode)");
2269 } else if (seen_answer || passwd_used || config[CONFIG_XAUTH_INTERACTIVE]) {
2270 char *pass, *prompt = NULL;
2271
2272 asprintf(&prompt, "%s for VPN %s@%s: ",
2273 (ap->type == ISAKMP_XAUTH_06_ATTRIB_ANSWER) ?
2274 "Answer" :
2275 (ap->type == ISAKMP_XAUTH_06_ATTRIB_USER_PASSWORD) ?
2276 "Password" : "Passcode",
2277 config[CONFIG_XAUTH_USERNAME], ntop_buf);
2278 pass = getpass(prompt);
2279 free(prompt);
2280
2281 na = new_isakmp_attribute(ap->type, NULL);
2282 na->u.lots.length = strlen(pass);
2283 na->u.lots.data = xallocc(na->u.lots.length);
2284 memcpy(na->u.lots.data, pass, na->u.lots.length);
2285 memset(pass, 0, na->u.lots.length);
2286 } else {
2287 na = new_isakmp_attribute(ap->type, NULL);
2288 na->u.lots.length = strlen(config[CONFIG_XAUTH_PASSWORD]);
2289 na->u.lots.data = xallocc(na->u.lots.length);
2290 memcpy(na->u.lots.data, config[CONFIG_XAUTH_PASSWORD],
2291 na->u.lots.length);
2292 passwd_used = 1; /* Provide canned password at most once */
2293 }
2294 break;
2295 default:
2296 ;
2297 }
2298 if (na == NULL)
2299 continue;
2300 if (last_reply_attr != NULL) {
2301 last_reply_attr->next = na;
2302 last_reply_attr = na;
2303 } else {
2304 last_reply_attr = reply_attr = na;
2305 }
2306 }
2307
2308 /* Send the response. */
2309 rp = new_isakmp_payload(ISAKMP_PAYLOAD_MODECFG_ATTR);
2310 rp->u.modecfg.type = ISAKMP_MODECFG_CFG_REPLY;
2311 rp->u.modecfg.id = r->payload->next->u.modecfg.id;
2312 rp->u.modecfg.attributes = reply_attr;
2313 sendrecv_phase2(s, rp, ISAKMP_EXCHANGE_MODECFG_TRANSACTION,
2314 r->message_id, 0, 0, 0, 0, 0);
2315
2316 }
2317
2318 if ((opt_vendor == VENDOR_NETSCREEN) &&
2319 (r->payload->next->u.modecfg.type == ISAKMP_MODECFG_CFG_SET)) {
2320 struct isakmp_attribute *a = r->payload->next->u.modecfg.attributes;
2321
2322 DEBUGTOP(2, printf("S5.5.1 do netscreen modecfg extra\n"));
2323
2324 do_config_to_env(s, a);
2325
2326 for (; a; a = a->next)
2327 if(a->af == isakmp_attr_lots)
2328 a->u.lots.length = 0;
2329
2330 r->payload->next->u.modecfg.type = ISAKMP_MODECFG_CFG_ACK;
2331 sendrecv_phase2(s, r->payload->next,
2332 ISAKMP_EXCHANGE_MODECFG_TRANSACTION,
2333 r->message_id, 0, 0, 0, 0, 0);
2334
2335 reject = do_phase2_notice_check(s, &r, NULL, 0);
2336 if (reject == -1) {
2337 free_isakmp_packet(r);
2338 return 1;
2339 }
2340 }
2341
2342 DEBUGTOP(2, printf("S5.6 process xauth set\n"));
2343 {
2344 /* The final SET should have just one attribute. */
2345 struct isakmp_attribute *a = r->payload->next->u.modecfg.attributes;
2346 uint16_t set_result = 1;
2347
2348 if (a == NULL
2349 || a->type != ISAKMP_XAUTH_06_ATTRIB_STATUS
2350 || a->af != isakmp_attr_16 || a->next != NULL) {
2351 reject = ISAKMP_N_INVALID_PAYLOAD_TYPE;
2352 phase2_fatal(s, "xauth SET message rejected: %s(%d)", reject);
2353 } else {
2354 set_result = a->u.attr_16;
2355 }
2356
2357 /* ACK the SET. */
2358 DEBUGTOP(2, printf("S5.7 send xauth ack\n"));
2359 r->payload->next->u.modecfg.type = ISAKMP_MODECFG_CFG_ACK;
2360 sendrecv_phase2(s, r->payload->next, ISAKMP_EXCHANGE_MODECFG_TRANSACTION,
2361 r->message_id, 1, 0, 0, 0, 0);
2362 r->payload->next = NULL; /* this part is already free()d by sendrecv_phase2 */
2363 free_isakmp_packet(r); /* this frees the received set packet (header+hash) */
2364
2365 if (set_result == 0)
2366 error(2, 0, "authentication unsuccessful");
2367 }
2368 DEBUGTOP(2, printf("S5.8 xauth done\n"));
2369 return 0;
2370 }
2371
2372 static int do_phase2_config(struct sa_block *s)
2373 {
2374 struct isakmp_payload *rp;
2375 struct isakmp_attribute *a;
2376 struct isakmp_packet *r;
2377 struct utsname uts;
2378 uint32_t msgid;
2379 int reject;
2380
2381 uname(&uts);
2382
2383 gcry_create_nonce((uint8_t *) & msgid, sizeof(msgid));
2384 if (msgid == 0)
2385 msgid = 1;
2386
2387 rp = new_isakmp_payload(ISAKMP_PAYLOAD_MODECFG_ATTR);
2388 rp->u.modecfg.type = ISAKMP_MODECFG_CFG_REQUEST;
2389 rp->u.modecfg.id = 20;
2390 a = NULL;
2391
2392 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_APPLICATION_VERSION, a);
2393 a->u.lots.length = strlen(config[CONFIG_VERSION]);
2394 a->u.lots.data = xallocc(a->u.lots.length);
2395 memcpy(a->u.lots.data, config[CONFIG_VERSION], a->u.lots.length);
2396
2397 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_CISCO_DDNS_HOSTNAME, a);
2398 a->u.lots.length = strlen(uts.nodename);
2399 a->u.lots.data = xallocc(a->u.lots.length);
2400 memcpy(a->u.lots.data, uts.nodename, a->u.lots.length);
2401
2402 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_CISCO_SPLIT_INC, a);
2403 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_CISCO_SAVE_PW, a);
2404
2405 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_CISCO_BANNER, a);
2406 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_CISCO_DO_PFS, a);
2407 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_CISCO_FW_TYPE, a);
2408 a->u.lots.length = sizeof(FW_UNKNOWN_TYPEINFO);
2409 a->u.lots.data = xallocc(a->u.lots.length);
2410 memcpy(a->u.lots.data, FW_UNKNOWN_TYPEINFO, a->u.lots.length);
2411 if (opt_natt_mode == NATT_CISCO_UDP)
2412 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_CISCO_UDP_ENCAP_PORT, a);
2413 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_CISCO_DEF_DOMAIN, a);
2414 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_INTERNAL_IP4_NBNS, a);
2415 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_INTERNAL_IP4_DNS, a);
2416 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_INTERNAL_IP4_NETMASK, a);
2417 a = new_isakmp_attribute(ISAKMP_MODECFG_ATTRIB_INTERNAL_IP4_ADDRESS, a);
2418
2419 rp->u.modecfg.attributes = a;
2420 DEBUGTOP(2, printf("S6.1 phase2_config send modecfg\n"));
2421 sendrecv_phase2(s, rp, ISAKMP_EXCHANGE_MODECFG_TRANSACTION, msgid, 0, 0, 0, 0, 0);
2422
2423 DEBUGTOP(2, printf("S6.2 phase2_config receive modecfg\n"));
2424 /* recv and check for notices */
2425 reject = do_phase2_notice_check(s, &r, NULL, 0);
2426 if (reject == -1) {
2427 if (r) free_isakmp_packet(r);
2428 return 1;
2429 }
2430
2431 /* Check the transaction type & message ID are OK. */
2432 if (reject == 0 && r->message_id != msgid)
2433 reject = ISAKMP_N_INVALID_MESSAGE_ID;
2434 if (reject == 0 && r->exchange_type != ISAKMP_EXCHANGE_MODECFG_TRANSACTION)
2435 reject = ISAKMP_N_INVALID_EXCHANGE_TYPE;
2436
2437 /* After the hash, expect an attribute block. */
2438 if (reject == 0
2439 && (r->payload->next == NULL
2440 || r->payload->next->next != NULL
2441 || r->payload->next->type != ISAKMP_PAYLOAD_MODECFG_ATTR
2442 #if 0
2443 || r->payload->next->u.modecfg.id != 20
2444 #endif
2445 || r->payload->next->u.modecfg.type != ISAKMP_MODECFG_CFG_REPLY))
2446 reject = ISAKMP_N_PAYLOAD_MALFORMED;
2447
2448 if (reject != 0)
2449 phase2_fatal(s, "configuration response rejected: %s(%d)", reject);
2450
2451 if (reject == 0)
2452 reject = do_config_to_env(s, r->payload->next->u.modecfg.attributes);
2453
2454 if (reject != 0)
2455 phase2_fatal(s, "configuration response rejected: %s(%d)", reject);
2456
2457 DEBUG(1, printf("got address %s\n", getenv("INTERNAL_IP4_ADDRESS")));
2458 free_isakmp_packet(r);
2459 return 0;
2460 }
2461
2462 static struct isakmp_attribute *make_transform_ipsec(struct sa_block *s, int dh_group, int hash, int keylen)
2463 {
2464 struct isakmp_attribute *a = NULL;
2465
2466 a = new_isakmp_attribute(ISAKMP_IPSEC_ATTRIB_SA_LIFE_DURATION, a);
2467 a->af = isakmp_attr_lots;
2468 a->u.lots.length = 4;
2469 a->u.lots.data = xallocc(a->u.lots.length);
2470 *((uint32_t *) a->u.lots.data) = htonl(2147483);
2471 a = new_isakmp_attribute_16(ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE, IPSEC_LIFE_SECONDS, a);
2472
2473 if (dh_group)
2474 a = new_isakmp_attribute_16(ISAKMP_IPSEC_ATTRIB_GROUP_DESC, dh_group, a);
2475 a = new_isakmp_attribute_16(ISAKMP_IPSEC_ATTRIB_AUTH_ALG, hash, a);
2476 a = new_isakmp_attribute_16(ISAKMP_IPSEC_ATTRIB_ENCAP_MODE, s->ipsec.encap_mode, a);
2477 if (keylen != 0)
2478 a = new_isakmp_attribute_16(ISAKMP_IPSEC_ATTRIB_KEY_LENGTH, keylen, a);
2479
2480 return a;
2481 }
2482
2483 static struct isakmp_payload *make_our_sa_ipsec(struct sa_block *s)
2484 {
2485 struct isakmp_payload *r = new_isakmp_payload(ISAKMP_PAYLOAD_SA);
2486 struct isakmp_payload *p = NULL, *pn;
2487 struct isakmp_attribute *a;
2488 int dh_grp = get_dh_group_ipsec(s->ipsec.do_pfs)->ipsec_sa_id;
2489 unsigned int crypt, hash, keylen;
2490 int i;
2491
2492 r = new_isakmp_payload(ISAKMP_PAYLOAD_SA);
2493 r->u.sa.doi = ISAKMP_DOI_IPSEC;
2494 r->u.sa.situation = ISAKMP_IPSEC_SIT_IDENTITY_ONLY;
2495 r->u.sa.proposals = new_isakmp_payload(ISAKMP_PAYLOAD_P);
2496 r->u.sa.proposals->u.p.spi_size = 4;
2497 r->u.sa.proposals->u.p.spi = xallocc(4);
2498 /* The sadb_sa_spi field is already in network order. */
2499 memcpy(r->u.sa.proposals->u.p.spi, &s->ipsec.rx.spi, 4);
2500 r->u.sa.proposals->u.p.prot_id = ISAKMP_IPSEC_PROTO_IPSEC_ESP;
2501 for (crypt = 0; supp_crypt[crypt].name != NULL; crypt++) {
2502 keylen = supp_crypt[crypt].keylen;
2503 for (hash = 0; supp_hash[hash].name != NULL; hash++) {
2504 pn = p;
2505 p = new_isakmp_payload(ISAKMP_PAYLOAD_P);
2506 p->u.p.spi_size = 4;
2507 p->u.p.spi = xallocc(4);
2508 /* The sadb_sa_spi field is already in network order. */
2509 memcpy(p->u.p.spi, &s->ipsec.rx.spi, 4);
2510 p->u.p.prot_id = ISAKMP_IPSEC_PROTO_IPSEC_ESP;
2511 p->u.p.transforms = new_isakmp_payload(ISAKMP_PAYLOAD_T);
2512 p->u.p.transforms->u.t.id = supp_crypt[crypt].ipsec_sa_id;
2513 a = make_transform_ipsec(s, dh_grp, supp_hash[hash].ipsec_sa_id, keylen);
2514 p->u.p.transforms->u.t.attributes = a;
2515 p->next = pn;
2516 }
2517 }
2518 for (i = 0, pn = p; pn; pn = pn->next)
2519 pn->u.p.number = i++;
2520 r->u.sa.proposals = p;
2521 return r;
2522 }
2523
2524 static void do_phase2_qm(struct sa_block *s)
2525 {
2526 struct isakmp_payload *rp, *us, *ke = NULL, *them, *nonce_r = NULL;
2527 struct isakmp_packet *r;
2528 struct group *dh_grp = NULL;
2529 uint32_t msgid;
2530 int reject;
2531 uint8_t nonce_i[20], *dh_public = NULL;
2532
2533 DEBUGTOP(2, printf("S7.1 QM_packet1\n"));
2534 /* Set up the Diffie-Hellman stuff. */
2535 if (get_dh_group_ipsec(s->ipsec.do_pfs)->my_id) {
2536 dh_grp = group_get(get_dh_group_ipsec(s->ipsec.do_pfs)->my_id);
2537 DEBUG(3, printf("len = %d\n", dh_getlen(dh_grp)));
2538 dh_public = xallocc(dh_getlen(dh_grp));
2539 dh_create_exchange(dh_grp, dh_public);
2540 hex_dump("dh_public", dh_public, dh_getlen(dh_grp), NULL);
2541 }
2542
2543 gcry_create_nonce((uint8_t *) & s->ipsec.rx.spi, sizeof(s->ipsec.rx.spi));
2544 rp = make_our_sa_ipsec(s); /* FIXME: LEAK: allocated memory never freed */
2545 gcry_create_nonce((uint8_t *) nonce_i, sizeof(nonce_i));
2546 rp->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_NONCE, nonce_i, sizeof(nonce_i));
2547
2548 us = new_isakmp_payload(ISAKMP_PAYLOAD_ID);
2549 us->u.id.type = ISAKMP_IPSEC_ID_IPV4_ADDR;
2550 us->u.id.length = 4;
2551 us->u.id.data = xallocc(4);
2552 memcpy(us->u.id.data, &s->our_address, sizeof(struct in_addr));
2553 them = new_isakmp_payload(ISAKMP_PAYLOAD_ID);
2554 them->u.id.type = ISAKMP_IPSEC_ID_IPV4_ADDR_SUBNET;
2555 them->u.id.length = 8;
2556 them->u.id.data = xallocc(8);
2557 init_netaddr((struct in_addr *)them->u.id.data,
2558 config[CONFIG_IPSEC_TARGET_NETWORK]);
2559 us->next = them;
2560 s->ipsec.life.start = time(NULL);
2561
2562 if (!dh_grp) {
2563 rp->next->next = us;
2564 } else {
2565 rp->next->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_KE,
2566 dh_public, dh_getlen(dh_grp));
2567 rp->next->next->next = us;
2568 }
2569
2570 gcry_create_nonce((uint8_t *) & msgid, sizeof(msgid));
2571 if (msgid == 0)
2572 msgid = 1;
2573
2574 DEBUGTOP(2, printf("S7.2 QM_packet2 send_receive\n"));
2575 sendrecv_phase2(s, rp, ISAKMP_EXCHANGE_IKE_QUICK,
2576 msgid, 0, 0, 0, 0, 0);
2577
2578 DEBUGTOP(2, printf("S7.3 QM_packet2 validate type\n"));
2579 reject = do_phase2_notice_check(s, &r, nonce_i, sizeof(nonce_i)); /* FIXME: LEAK */
2580
2581 /* Check the transaction type & message ID are OK. */
2582 if (reject == 0 && r->message_id != msgid)
2583 reject = ISAKMP_N_INVALID_MESSAGE_ID;
2584
2585 if (reject == 0 && r->exchange_type != ISAKMP_EXCHANGE_IKE_QUICK)
2586 reject = ISAKMP_N_INVALID_EXCHANGE_TYPE;
2587
2588 /* The SA payload must be second. */
2589 if (reject == 0 && r->payload->next->type != ISAKMP_PAYLOAD_SA)
2590 reject = ISAKMP_N_INVALID_PAYLOAD_TYPE;
2591
2592 DEBUGTOP(2, printf("S7.5 QM_packet2 check reject offer\n"));
2593 if (reject != 0)
2594 phase2_fatal(s, "quick mode response rejected: %s(%d)\n"
2595 "this means the concentrator did not like what we had to offer.\n"
2596 "Possible reasons are:\n"
2597 " * concentrator configured to require a firewall\n"
2598 " this locks out even Cisco clients on any platform except windows\n"
2599 " which is an obvious security improvement. There is no workaround (yet).\n"
2600 " * concentrator configured to require IP compression\n"
2601 " this is not yet supported by vpnc.\n"
2602 " Note: the Cisco Concentrator Documentation recommends against using\n"
2603 " compression, except on low-bandwith (read: ISDN) links, because it\n"
2604 " uses much CPU-resources on the concentrator\n",
2605 reject);
2606
2607 DEBUGTOP(2, printf("S7.6 QM_packet2 check and process proposal\n"));
2608 for (rp = r->payload->next; rp && reject == 0; rp = rp->next)
2609 switch (rp->type) {
2610 case ISAKMP_PAYLOAD_SA:
2611 if (reject == 0 && rp->u.sa.doi != ISAKMP_DOI_IPSEC)
2612 reject = ISAKMP_N_DOI_NOT_SUPPORTED;
2613 if (reject == 0 && rp->u.sa.situation != ISAKMP_IPSEC_SIT_IDENTITY_ONLY)
2614 reject = ISAKMP_N_SITUATION_NOT_SUPPORTED;
2615 if (reject == 0 &&
2616 (rp->u.sa.proposals == NULL || rp->u.sa.proposals->next != NULL))
2617 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2618 if (reject == 0 &&
2619 rp->u.sa.proposals->u.p.prot_id != ISAKMP_IPSEC_PROTO_IPSEC_ESP)
2620 reject = ISAKMP_N_INVALID_PROTOCOL_ID;
2621 if (reject == 0 && rp->u.sa.proposals->u.p.spi_size != 4)
2622 reject = ISAKMP_N_INVALID_SPI;
2623 if (reject == 0 &&
2624 (rp->u.sa.proposals->u.p.transforms == NULL
2625 || rp->u.sa.proposals->u.p.transforms->next != NULL))
2626 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2627 if (reject == 0) {
2628 struct isakmp_attribute *a
2629 = rp->u.sa.proposals->u.p.transforms->u.t.attributes;
2630 int seen_enc = rp->u.sa.proposals->u.p.transforms->u.t.id;
2631 int seen_auth = 0, seen_encap = 0, seen_group = 0, seen_keylen = 0;
2632
2633 memcpy(&s->ipsec.tx.spi, rp->u.sa.proposals->u.p.spi, 4);
2634
2635 for (; a && reject == 0; a = a->next)
2636 switch (a->type) {
2637 case ISAKMP_IPSEC_ATTRIB_AUTH_ALG:
2638 if (a->af == isakmp_attr_16)
2639 seen_auth = a->u.attr_16;
2640 else
2641 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2642 break;
2643 case ISAKMP_IPSEC_ATTRIB_ENCAP_MODE:
2644 if (a->af == isakmp_attr_16 &&
2645 a->u.attr_16 == s->ipsec.encap_mode)
2646 seen_encap = 1;
2647 else
2648 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2649 break;
2650 case ISAKMP_IPSEC_ATTRIB_GROUP_DESC:
2651 if (dh_grp &&
2652 a->af == isakmp_attr_16 &&
2653 a->u.attr_16 ==
2654 get_dh_group_ipsec(s->ipsec.do_pfs)->ipsec_sa_id)
2655 seen_group = 1;
2656 else
2657 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2658 break;
2659 case ISAKMP_IPSEC_ATTRIB_KEY_LENGTH:
2660 if (a->af == isakmp_attr_16)
2661 seen_keylen = a->u.attr_16;
2662 else
2663 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2664 break;
2665 case ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE:
2666 /* lifetime duration MUST follow lifetype attribute */
2667 if (a->next->type == ISAKMP_IPSEC_ATTRIB_SA_LIFE_DURATION) {
2668 lifetime_ipsec_process(s, a);
2669 } else
2670 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2671 break;
2672 case ISAKMP_IPSEC_ATTRIB_SA_LIFE_DURATION:
2673 /* already processed above in ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE: */
2674 break;
2675 default:
2676 reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
2677 break;
2678 }
2679 if (reject == 0 && (!seen_auth || !seen_encap ||
2680 (dh_grp && !seen_group)))
2681 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2682
2683 if (reject == 0
2684 && get_algo(SUPP_ALGO_HASH, SUPP_ALGO_IPSEC_SA, seen_auth,
2685 NULL, 0) == NULL)
2686 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2687 if (reject == 0
2688 && get_algo(SUPP_ALGO_CRYPT, SUPP_ALGO_IPSEC_SA, seen_enc,
2689 NULL, seen_keylen) == NULL)
2690 reject = ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2691
2692 if (reject == 0) {
2693 s->ipsec.cry_algo =
2694 get_algo(SUPP_ALGO_CRYPT, SUPP_ALGO_IPSEC_SA,
2695 seen_enc, NULL, seen_keylen)->my_id;
2696 s->ipsec.md_algo =
2697 get_algo(SUPP_ALGO_HASH, SUPP_ALGO_IPSEC_SA,
2698 seen_auth, NULL, 0)->my_id;
2699 if (s->ipsec.cry_algo) {
2700 gcry_cipher_algo_info(s->ipsec.cry_algo, GCRYCTL_GET_KEYLEN, NULL, &(s->ipsec.key_len));
2701 gcry_cipher_algo_info(s->ipsec.cry_algo, GCRYCTL_GET_BLKLEN, NULL, &(s->ipsec.blk_len));
2702 s->ipsec.iv_len = s->ipsec.blk_len;
2703 } else {
2704 s->ipsec.key_len = 0;
2705 s->ipsec.iv_len = 0;
2706 s->ipsec.blk_len = 8; /* seems to be this without encryption... */
2707 }
2708 s->ipsec.md_len = gcry_md_get_algo_dlen(s->ipsec.md_algo);
2709 DEBUG(1, printf("IPSEC SA selected %s-%s\n",
2710 get_algo(SUPP_ALGO_CRYPT,
2711 SUPP_ALGO_IPSEC_SA, seen_enc, NULL,
2712 seen_keylen)->name,
2713 get_algo(SUPP_ALGO_HASH, SUPP_ALGO_IPSEC_SA,
2714 seen_auth, NULL, 0)->name));
2715 if (s->ipsec.cry_algo == GCRY_CIPHER_DES && !opt_1des) {
2716 error(1, 0, "peer selected (single) DES as \"encrytion\" method.\n"
2717 "This algorithm is considered to weak today\n"
2718 "If your vpn concentrator admin still insists on using DES\n"
2719 "use the \"--enable-1des\" option.\n");
2720 } else if (s->ipsec.cry_algo == GCRY_CIPHER_NONE && !opt_no_encryption) {
2721 error(1, 0, "peer selected NULL as \"encrytion\" method.\n"
2722 "This is _no_ encryption at all.\n"
2723 "Your traffic is still protected against modification with %s\n"
2724 "If your vpn concentrator admin still insists on not using encryption\n"
2725 "use the \"--enable-no-encryption\" option.\n",
2726 get_algo(SUPP_ALGO_HASH, SUPP_ALGO_IPSEC_SA, seen_auth, NULL, 0)->name);
2727 }
2728 }
2729 }
2730 break;
2731
2732 case ISAKMP_PAYLOAD_N:
2733 if (reject == 0 && rp->u.n.type == ISAKMP_N_IPSEC_RESPONDER_LIFETIME) {
2734 if (rp->u.n.protocol == ISAKMP_IPSEC_PROTO_ISAKMP)
2735 lifetime_ike_process(s, rp->u.n.attributes);
2736 else if (rp->u.n.protocol == ISAKMP_IPSEC_PROTO_IPSEC_ESP)
2737 lifetime_ipsec_process(s, rp->u.n.attributes);
2738 else
2739 DEBUG(2, printf("got unknown lifetime notice, ignoring..\n"));
2740 }
2741 break;
2742 case ISAKMP_PAYLOAD_ID:
2743 /* FIXME: Parse payload ID and add route-env in case of ipv4_prefix */
2744 break;
2745 case ISAKMP_PAYLOAD_KE:
2746 ke = rp;
2747 break;
2748 case ISAKMP_PAYLOAD_NONCE:
2749 nonce_r = rp;
2750 break;
2751
2752 default:
2753 reject = ISAKMP_N_INVALID_PAYLOAD_TYPE;
2754 break;
2755 }
2756
2757 if (reject == 0 && nonce_r == NULL)
2758 reject = ISAKMP_N_INVALID_HASH_INFORMATION;
2759 if (reject == 0 && dh_grp && (ke == NULL || ke->u.ke.length != dh_getlen(dh_grp)))
2760 reject = ISAKMP_N_INVALID_KEY_INFORMATION;
2761 if (reject != 0)
2762 phase2_fatal(s, "quick mode response rejected [2]: %s(%d)", reject);
2763
2764 /* send final packet */
2765 sendrecv_phase2(s, NULL, ISAKMP_EXCHANGE_IKE_QUICK,
2766 msgid, 1, nonce_i, sizeof(nonce_i),
2767 nonce_r->u.nonce.data, nonce_r->u.nonce.length);
2768
2769 DEBUGTOP(2, printf("S7.7 QM_packet3 sent\n"));
2770
2771 DEBUGTOP(2, printf("S7.8 setup ipsec tunnel\n"));
2772 {
2773 unsigned char *dh_shared_secret = NULL;
2774
2775 if (dh_grp) {
2776 /* Determine the shared secret. */
2777 dh_shared_secret = xallocc(dh_getlen(dh_grp));
2778 dh_create_shared(dh_grp, dh_shared_secret, ke->u.ke.data);
2779 hex_dump("dh_shared_secret", dh_shared_secret, dh_getlen(dh_grp), NULL);
2780 }
2781
2782 s->ipsec.rx.key = gen_keymat(s, ISAKMP_IPSEC_PROTO_IPSEC_ESP, s->ipsec.rx.spi,
2783 dh_shared_secret, dh_grp ? dh_getlen(dh_grp) : 0,
2784 nonce_i, sizeof(nonce_i), nonce_r->u.nonce.data, nonce_r->u.nonce.length);
2785
2786 s->ipsec.tx.key = gen_keymat(s, ISAKMP_IPSEC_PROTO_IPSEC_ESP, s->ipsec.tx.spi,
2787 dh_shared_secret, dh_grp ? dh_getlen(dh_grp) : 0,
2788 nonce_i, sizeof(nonce_i), nonce_r->u.nonce.data, nonce_r->u.nonce.length);
2789
2790 if (dh_grp)
2791 group_free(dh_grp);
2792 free(dh_shared_secret);
2793 free_isakmp_packet(r);
2794
2795 if (s->esp_fd == 0) {
2796 if ((opt_natt_mode == NATT_CISCO_UDP) && s->ipsec.peer_udpencap_port) {
2797 s->esp_fd = make_socket(s, opt_udpencapport, s->ipsec.peer_udpencap_port);
2798 s->ipsec.encap_mode = IPSEC_ENCAP_UDP_TUNNEL;
2799 s->ipsec.natt_active_mode = NATT_ACTIVE_CISCO_UDP;
2800 } else if (s->ipsec.encap_mode != IPSEC_ENCAP_TUNNEL) {
2801 s->esp_fd = s->ike_fd;
2802 } else {
2803 #ifdef IP_HDRINCL
2804 int hincl = 1;
2805 #endif
2806
2807 s->esp_fd = socket(PF_INET, SOCK_RAW, IPPROTO_ESP);
2808 if (s->esp_fd == -1) {
2809 close_tunnel(s);
2810 error(1, errno, "Couldn't open socket of ESP. Maybe something registered ESP already.\nPlease try '--natt-mode force-natt' or disable whatever is using ESP.\nsocket(PF_INET, SOCK_RAW, IPPROTO_ESP)");
2811 }
2812 #ifdef FD_CLOEXEC
2813 /* do not pass socket to vpnc-script, etc. */
2814 fcntl(s->esp_fd, F_SETFD, FD_CLOEXEC);
2815 #endif
2816 #ifdef IP_HDRINCL
2817 if (setsockopt(s->esp_fd, IPPROTO_IP, IP_HDRINCL, &hincl, sizeof(hincl)) == -1) {
2818 close_tunnel(s);
2819 error(1, errno, "setsockopt(esp_fd, IPPROTO_IP, IP_HDRINCL, 1)");
2820 }
2821 #endif
2822 }
2823 }
2824
2825 s->ipsec.rx.seq_id = s->ipsec.tx.seq_id = 1;
2826 }
2827 free(dh_public);
2828 }
2829
2830 static int do_rekey(struct sa_block *s, struct isakmp_packet *r)
2831 {
2832 struct isakmp_payload *rp, *ke = NULL, *nonce_i = NULL;
2833 struct isakmp_attribute *a;
2834 int seen_enc;
2835 int seen_auth = 0, seen_encap = 0, seen_group = 0, seen_keylen = 0;
2836 int nonce_i_copy_len;
2837 struct group *dh_grp = NULL;
2838 uint8_t nonce_r[20], *dh_public = NULL, *nonce_i_copy = NULL;
2839 unsigned char *dh_shared_secret = NULL;
2840
2841 if (get_dh_group_ipsec(s->ipsec.do_pfs)->my_id) {
2842 dh_grp = group_get(get_dh_group_ipsec(s->ipsec.do_pfs)->my_id);
2843 DEBUG(3, printf("len = %d\n", dh_getlen(dh_grp)));
2844 dh_public = xallocc(dh_getlen(dh_grp));
2845 dh_create_exchange(dh_grp, dh_public);
2846 hex_dump("dh_public", dh_public, dh_getlen(dh_grp), NULL);
2847 }
2848
2849 rp = r->payload->next;
2850 /* rp->type == ISAKMP_PAYLOAD_SA, verified by caller */
2851
2852 if (rp->u.sa.doi != ISAKMP_DOI_IPSEC)
2853 return ISAKMP_N_DOI_NOT_SUPPORTED;
2854 if (rp->u.sa.situation != ISAKMP_IPSEC_SIT_IDENTITY_ONLY)
2855 return ISAKMP_N_SITUATION_NOT_SUPPORTED;
2856 if (rp->u.sa.proposals == NULL)
2857 return ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2858 if (rp->u.sa.proposals->u.p.prot_id != ISAKMP_IPSEC_PROTO_IPSEC_ESP)
2859 return ISAKMP_N_INVALID_PROTOCOL_ID;
2860 if (rp->u.sa.proposals->u.p.spi_size != 4)
2861 return ISAKMP_N_INVALID_SPI;
2862 if (rp->u.sa.proposals->u.p.transforms == NULL || rp->u.sa.proposals->u.p.transforms->next != NULL)
2863 return ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2864
2865 seen_enc = rp->u.sa.proposals->u.p.transforms->u.t.id;
2866
2867 memcpy(&s->ipsec.tx.spi, rp->u.sa.proposals->u.p.spi, 4);
2868
2869 for (a = rp->u.sa.proposals->u.p.transforms->u.t.attributes; a; a = a->next)
2870 switch (a->type) {
2871 case ISAKMP_IPSEC_ATTRIB_AUTH_ALG:
2872 if (a->af == isakmp_attr_16)
2873 seen_auth = a->u.attr_16;
2874 else
2875 return ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2876 break;
2877 case ISAKMP_IPSEC_ATTRIB_ENCAP_MODE:
2878 if (a->af == isakmp_attr_16 &&
2879 a->u.attr_16 == (
2880 (s->ipsec.natt_active_mode != NATT_ACTIVE_CISCO_UDP) ?
2881 s->ipsec.encap_mode :
2882 IPSEC_ENCAP_TUNNEL /* cisco-udp claims to use encap tunnel... */
2883 ))
2884 seen_encap = 1;
2885 else
2886 return ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2887 break;
2888 case ISAKMP_IPSEC_ATTRIB_GROUP_DESC:
2889 if (dh_grp && a->af == isakmp_attr_16 &&
2890 a->u.attr_16 == get_dh_group_ipsec(s->ipsec.do_pfs)->ipsec_sa_id)
2891 seen_group = 1;
2892 else
2893 return ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2894 break;
2895 case ISAKMP_IPSEC_ATTRIB_KEY_LENGTH:
2896 if (a->af == isakmp_attr_16)
2897 seen_keylen = a->u.attr_16;
2898 else
2899 return ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2900 break;
2901 case ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE:
2902 /* lifetime duration MUST follow lifetype attribute */
2903 if (a->next->type == ISAKMP_IPSEC_ATTRIB_SA_LIFE_DURATION) {
2904 lifetime_ipsec_process(s, a);
2905 } else
2906 return ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2907 break;
2908 case ISAKMP_IPSEC_ATTRIB_SA_LIFE_DURATION:
2909 /* already processed above in ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE: */
2910 break;
2911 default:
2912 return ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
2913 break;
2914 }
2915 if (!seen_auth || !seen_encap || (dh_grp && !seen_group))
2916 return ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2917
2918 /* FIXME: Current code has a limitation that will cause problems if
2919 * different algorithms are negotiated during re-keying
2920 */
2921 if ((get_algo(SUPP_ALGO_HASH, SUPP_ALGO_IPSEC_SA, seen_auth, NULL, 0) == NULL) ||
2922 (get_algo(SUPP_ALGO_CRYPT, SUPP_ALGO_IPSEC_SA, seen_enc, NULL, seen_keylen) == NULL)) {
2923 printf("\nFIXME: vpnc doesn't support change of algorightms during rekeying\n");
2924 return ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2925 }
2926
2927 /* we don't want to change ciphers during rekeying */
2928 if (s->ipsec.cry_algo != get_algo(SUPP_ALGO_CRYPT, SUPP_ALGO_IPSEC_SA, seen_enc, NULL, seen_keylen)->my_id)
2929 return ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2930 if (s->ipsec.md_algo != get_algo(SUPP_ALGO_HASH, SUPP_ALGO_IPSEC_SA, seen_auth, NULL, 0)->my_id)
2931 return ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2932
2933 for (rp = rp->next; rp; rp = rp->next)
2934 switch (rp->type) {
2935 case ISAKMP_PAYLOAD_ID:
2936 /* FIXME: Parse payload ID and add route-env in case of ipv4_prefix */
2937 break;
2938 case ISAKMP_PAYLOAD_KE:
2939 ke = rp;
2940 break;
2941 case ISAKMP_PAYLOAD_NONCE:
2942 nonce_i = rp;
2943 break;
2944 default:
2945 return ISAKMP_N_INVALID_PAYLOAD_TYPE;
2946 break;
2947 }
2948
2949 if ((dh_grp && ke == NULL) || nonce_i == NULL)
2950 return ISAKMP_N_BAD_PROPOSAL_SYNTAX;
2951
2952 DEBUG(3, printf("everything fine so far...\n"));
2953 gcry_create_nonce((uint8_t *) nonce_r, sizeof(nonce_r));
2954 gcry_create_nonce((uint8_t *) & s->ipsec.rx.spi, sizeof(s->ipsec.rx.spi));
2955
2956 if (dh_grp) {
2957 /* Determine the shared secret. */
2958 dh_shared_secret = xallocc(dh_getlen(dh_grp));
2959 dh_create_shared(dh_grp, dh_shared_secret, ke->u.ke.data);
2960 hex_dump("dh_shared_secret", dh_shared_secret, dh_getlen(dh_grp), NULL);
2961 }
2962
2963 free(s->ipsec.rx.key);
2964 free(s->ipsec.tx.key);
2965
2966 s->ipsec.rx.key = gen_keymat(s, ISAKMP_IPSEC_PROTO_IPSEC_ESP, s->ipsec.rx.spi,
2967 dh_shared_secret, dh_grp ? dh_getlen(dh_grp) : 0,
2968 nonce_i->u.nonce.data, nonce_i->u.nonce.length, nonce_r, sizeof(nonce_r));
2969
2970 s->ipsec.tx.key = gen_keymat(s, ISAKMP_IPSEC_PROTO_IPSEC_ESP, s->ipsec.tx.spi,
2971 dh_shared_secret, dh_grp ? dh_getlen(dh_grp) : 0,
2972 nonce_i->u.nonce.data, nonce_i->u.nonce.length, nonce_r, sizeof(nonce_r));
2973
2974 s->ipsec.rx.key_cry = s->ipsec.rx.key;
2975 s->ipsec.rx.key_md = s->ipsec.rx.key + s->ipsec.key_len;
2976 s->ipsec.tx.key_cry = s->ipsec.tx.key;
2977 s->ipsec.tx.key_md = s->ipsec.tx.key + s->ipsec.key_len;
2978
2979 nonce_i_copy_len = nonce_i->u.nonce.length;
2980 nonce_i_copy = xallocc(nonce_i_copy_len);
2981 memcpy(nonce_i_copy, nonce_i->u.nonce.data, nonce_i_copy_len);
2982
2983 s->ipsec.rx.seq_id = s->ipsec.tx.seq_id = 1;
2984 s->ipsec.life.start = time(NULL);
2985 s->ipsec.life.tx = 0;
2986 s->ipsec.life.rx = 0;
2987
2988 if (s->ipsec.cry_algo) {
2989 gcry_cipher_setkey(s->ipsec.rx.cry_ctx, s->ipsec.rx.key_cry, s->ipsec.key_len);
2990 gcry_cipher_setkey(s->ipsec.tx.cry_ctx, s->ipsec.tx.key_cry, s->ipsec.key_len);
2991 }
2992
2993 /* use request as template and just exchange some values */
2994 /* this overwrites data in nonce_i, ke! */
2995 rp = r->payload->next;
2996 /* SA, change the SPI */
2997 memcpy(rp->u.sa.proposals->u.p.spi, &s->ipsec.rx.spi, 4);
2998
2999 for (rp = rp->next; rp; rp = rp->next)
3000 switch (rp->type) {
3001 case ISAKMP_PAYLOAD_ID:
3002 break;
3003 case ISAKMP_PAYLOAD_KE:
3004 memcpy(rp->u.ke.data, dh_public, dh_getlen(dh_grp));
3005 break;
3006 case ISAKMP_PAYLOAD_NONCE:
3007 memcpy(rp->u.nonce.data, nonce_r, sizeof(nonce_r));
3008 break;
3009 default:
3010 assert(0);
3011 break;
3012 }
3013
3014 sendrecv_phase2(s, r->payload->next, ISAKMP_EXCHANGE_IKE_QUICK,
3015 r->message_id, 0, nonce_i_copy, nonce_i_copy_len, 0,0);
3016 unpack_verify_phase2(s, r_packet, r_length, &r, NULL, 0);
3017 free(nonce_i_copy);
3018 /* don't care about answer ... */
3019
3020 return 0;
3021 }
3022
3023 void process_late_ike(struct sa_block *s, uint8_t *r_packet, ssize_t r_length)
3024 {
3025 int reject;
3026 struct isakmp_packet *r;
3027 struct isakmp_payload *rp;
3028
3029 DEBUG(2,printf("got late ike packet: %zd bytes\n", r_length));
3030 /* we should ignore resent packets here.
3031 * unpack_verify_phase2 will fail to decode them probably */
3032 reject = unpack_verify_phase2(s, r_packet, r_length, &r, NULL, 0);
3033
3034 /* just ignore broken stuff for now */
3035 if (reject != 0) {
3036 if (r) free_isakmp_packet(r);
3037 return;
3038 }
3039
3040 /* everything must be encrypted by now */
3041 if (r->payload == NULL || r->payload->type != ISAKMP_PAYLOAD_HASH) {
3042 free_isakmp_packet(r);
3043 return;
3044 }
3045
3046 /* empty packet? well, nothing to see here */
3047 if (r->payload->next == NULL) {
3048 free_isakmp_packet(r);
3049 return;
3050 }
3051
3052 /* do we get an SA proposal for rekeying? */
3053 if (r->exchange_type == ISAKMP_EXCHANGE_IKE_QUICK &&
3054 r->payload->next->type == ISAKMP_PAYLOAD_SA) {
3055 reject = do_rekey(s, r);
3056 DEBUG(3, printf("do_rekey returned: %d\n", reject));
3057 /* FIXME: LEAK but will create segfault for double free */
3058 /* free_isakmp_packet(r); */
3059 return;
3060 }
3061
3062 if (r->exchange_type == ISAKMP_EXCHANGE_INFORMATIONAL) {
3063 /* Search for notify payloads */
3064 for (rp = r->payload->next; rp; rp = rp->next) {
3065 if (rp->type != ISAKMP_PAYLOAD_N)
3066 continue;
3067 /* did we get a DPD request or ACK? */
3068 if (rp->u.n.protocol != ISAKMP_IPSEC_PROTO_ISAKMP) {
3069 DEBUG(2, printf("got non isakmp-notify, ignoring...\n"));
3070 continue;
3071 }
3072 if (rp->u.n.type == ISAKMP_N_R_U_THERE) {
3073 uint32_t seq;
3074 if (rp->u.n.data_length != 4) {
3075 DEBUG(2, printf("ignoring bad data length R-U-THERE request\n"));
3076 continue;
3077 }
3078 seq = ntohl(*((uint32_t *) rp->u.n.data));
3079 send_dpd(s, 1, seq);
3080 DEBUG(2, printf("got r-u-there request sent ack\n"));
3081 continue;
3082 } else if (rp->u.n.type == ISAKMP_N_R_U_THERE_ACK) {
3083 uint32_t seqack;
3084 if (rp->u.n.data_length != 4) {
3085 DEBUG(2, printf("ignoring bad data length R-U-THERE-ACK\n"));
3086 continue;
3087 }
3088 seqack = ntohl(*((uint32_t *) rp->u.n.data));
3089 if (seqack == s->ike.dpd_seqno) {
3090 s->ike.dpd_seqno_ack = seqack;
3091 } else {
3092 DEBUG(2, printf("ignoring r-u-there ack %u (expecting %u)\n", seqack, s->ike.dpd_seqno));
3093 continue;
3094 }
3095 DEBUG(2, printf("got r-u-there ack\n"));
3096 }
3097 }
3098 }
3099
3100 /* check if our isakmp sa gets deleted */
3101 for (rp = r->payload->next; rp; rp = rp->next) {
3102 /* search for delete payloads */
3103 if (rp->type != ISAKMP_PAYLOAD_D)
3104 continue;
3105 if (rp->u.d.protocol == ISAKMP_IPSEC_PROTO_IPSEC_ESP) {
3106 /* RFC2408, 5.15:
3107 * Process the Delete payload and take appropriate action, according
3108 * to local security policy. As described above, one appropriate
3109 * action SHOULD include cleaning up the local SA database.
3110 */
3111 /* FIXME: any cleanup needed??? */
3112
3113 if (rp->u.d.num_spi >= 1 && memcmp(rp->u.d.spi[0], &s->ipsec.tx.spi, 4) == 0) {
3114 free_isakmp_packet(r);
3115 do_phase2_qm(s);
3116 return;
3117 } else {
3118 DEBUG(2, printf("got isakmp delete with bogus spi (expected %d, received %d), ignoring...\n", s->ipsec.tx.spi, *(rp->u.d.spi[0]) ));
3119 continue;
3120 }
3121 }
3122 /* skip ipsec-esp delete */
3123 if (rp->u.d.protocol != ISAKMP_IPSEC_PROTO_ISAKMP) {
3124 DEBUG(2, printf("got non isakmp-delete, ignoring...\n"));
3125 continue;
3126 };
3127
3128 /*
3129 * RFC 2408, 3.15 Delete Payload
3130 * it is not stated that the SPI field of a delete
3131 * payload can be ignored, because it is given in
3132 * the headers, but I assume so. In other cases
3133 * RFC 2408 (notifications) states this.
3134 */
3135 do_kill = -1;
3136 DEBUG(2, printf("got isakmp-delete, terminating...\n"));
3137 free_isakmp_packet(r);
3138 return;
3139 }
3140
3141 free_isakmp_packet(r);
3142 return;
3143 }
3144
3145 int main(int argc, char **argv)
3146 {
3147 int do_load_balance;
3148 const uint8_t hex_test[] = { 0, 1, 2, 3 };
3149 struct sa_block oursa[1];
3150 struct sa_block *s = oursa;
3151
3152 test_pack_unpack();
3153 #if defined(__CYGWIN__)
3154 gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
3155 #endif
3156 gcry_check_version("1.1.90");
3157 gcry_control(GCRYCTL_INIT_SECMEM, 16384, 0);
3158 group_init();
3159
3160 memset(s, 0, sizeof(*s));
3161 s->ipsec.encap_mode = IPSEC_ENCAP_TUNNEL;
3162 s->ike.timeout = 1000; /* 1 second */
3163
3164 do_config(argc, argv);
3165
3166 DEBUG(1, printf("\nvpnc version " VERSION "\n"));
3167 hex_dump("hex_test", hex_test, sizeof(hex_test), NULL);
3168
3169 DEBUGTOP(2, printf("S1 init_sockaddr\n"));
3170 init_sockaddr(&s->dst, config[CONFIG_IPSEC_GATEWAY]);
3171 init_sockaddr(&s->opt_src_ip, config[CONFIG_LOCAL_ADDR]);
3172 DEBUGTOP(2, printf("S2 make_socket\n"));
3173 s->ike.src_port = atoi(config[CONFIG_LOCAL_PORT]);
3174 s->ike.dst_port = ISAKMP_PORT;
3175 s->ike_fd = make_socket(s, s->ike.src_port, s->ike.dst_port);
3176 DEBUGTOP(2, printf("S3 setup_tunnel\n"));
3177 setup_tunnel(s);
3178
3179 do_load_balance = 0;
3180 do {
3181 DEBUGTOP(2, printf("S4 do_phase1_am\n"));
3182 do_phase1_am(config[CONFIG_IPSEC_ID], config[CONFIG_IPSEC_SECRET], s);
3183 DEBUGTOP(2, printf("S5 do_phase2_xauth\n"));
3184 /* FIXME: Create and use a generic function in supp.[hc] */
3185 if (s->ike.auth_algo >= IKE_AUTH_HybridInitRSA)
3186 do_load_balance = do_phase2_xauth(s);
3187 DEBUGTOP(2, printf("S6 do_phase2_config\n"));
3188 if ((opt_vendor == VENDOR_CISCO) && (do_load_balance == 0))
3189 do_load_balance = do_phase2_config(s);
3190 } while (do_load_balance);
3191 DEBUGTOP(2, printf("S7 setup_link (phase 2 + main_loop)\n"));
3192 DEBUGTOP(2, printf("S7.0 run interface setup script\n"));
3193 config_tunnel(s);
3194 do_phase2_qm(s);
3195 DEBUGTOP(2, printf("S7.9 main loop (receive and transmit ipsec packets)\n"));
3196 vpnc_doit(s);
3197
3198 /* Tear down phase 2 and 1 tunnels */
3199 send_delete_ipsec(s);
3200 send_delete_isakmp(s);
3201
3202 /* Cleanup routing */
3203 DEBUGTOP(2, printf("S8 close_tunnel\n"));
3204 close_tunnel(s);
3205
3206 /* Free resources */
3207 DEBUGTOP(2, printf("S9 cleanup\n"));
3208 cleanup(s);
3209
3210 return 0;
3211 }
client for cisco vpn concentrator