diff options
Diffstat (limited to 'ipsec-tools/src/racoon/vendorid.c')
-rw-r--r-- | ipsec-tools/src/racoon/vendorid.c | 320 |
1 files changed, 320 insertions, 0 deletions
diff --git a/ipsec-tools/src/racoon/vendorid.c b/ipsec-tools/src/racoon/vendorid.c new file mode 100644 index 00000000..81297bdd --- /dev/null +++ b/ipsec-tools/src/racoon/vendorid.c @@ -0,0 +1,320 @@ +/* $NetBSD: vendorid.c,v 1.8 2009/09/01 12:22:09 tteras Exp $ */ + +/* Id: vendorid.c,v 1.10 2006/02/22 16:10:21 vanhu Exp */ + +/* + * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the project nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "config.h" + +#include <sys/types.h> +#include <sys/param.h> + +#include <stdlib.h> +#include <stdio.h> +#include <string.h> +#include <errno.h> +#include <ctype.h> + +#include "var.h" +#include "misc.h" +#include "vmbuf.h" +#include "plog.h" +#include "debug.h" + +#include "localconf.h" +#include "isakmp_var.h" +#include "isakmp.h" +#include "vendorid.h" +#include "crypto_openssl.h" +#include "handler.h" +#include "remoteconf.h" +#ifdef ENABLE_NATT +#include "nattraversal.h" +#endif +#ifdef ENABLE_HYBRID +#include <resolv.h> +#include "isakmp_xauth.h" +#include "isakmp_cfg.h" +#endif + +static struct vendor_id all_vendor_ids[] = { +{ VENDORID_IPSEC_TOOLS, "IPSec-Tools" }, +{ VENDORID_GSSAPI_LONG, "A GSS-API Authentication Method for IKE" }, +{ VENDORID_GSSAPI , "GSSAPI" }, +{ VENDORID_MS_NT5 , "MS NT5 ISAKMPOAKLEY" }, +{ VENDORID_NATT_00 , "draft-ietf-ipsec-nat-t-ike-00" }, +{ VENDORID_NATT_01 , "draft-ietf-ipsec-nat-t-ike-01" }, +{ VENDORID_NATT_02 , "draft-ietf-ipsec-nat-t-ike-02" }, +{ VENDORID_NATT_02_N , "draft-ietf-ipsec-nat-t-ike-02\n" }, +{ VENDORID_NATT_03 , "draft-ietf-ipsec-nat-t-ike-03" }, +{ VENDORID_NATT_04 , "draft-ietf-ipsec-nat-t-ike-04" }, +{ VENDORID_NATT_05 , "draft-ietf-ipsec-nat-t-ike-05" }, +{ VENDORID_NATT_06 , "draft-ietf-ipsec-nat-t-ike-06" }, +{ VENDORID_NATT_07 , "draft-ietf-ipsec-nat-t-ike-07" }, +{ VENDORID_NATT_08 , "draft-ietf-ipsec-nat-t-ike-08" }, +{ VENDORID_NATT_RFC , "RFC 3947" }, +{ VENDORID_XAUTH , "draft-ietf-ipsra-isakmp-xauth-06.txt" }, +{ VENDORID_UNITY , "CISCO-UNITY" }, +{ VENDORID_FRAG , "FRAGMENTATION" }, +/* Just a readable string for DPD ... */ +{ VENDORID_DPD , "DPD" }, +/* Other known Vendor IDs */ +{ VENDORID_KAME , "KAME/racoon" }, +}; + +#define NUMVENDORIDS (sizeof(all_vendor_ids)/sizeof(all_vendor_ids[0])) + +#define DPD_MAJOR_VERSION 0x01 +#define DPD_MINOR_VERSION 0x00 + +const char vendorid_dpd_hash[] = { + 0xAF, 0xCA, 0xD7, 0x13, + 0x68, 0xA1, 0xF1, 0xC9, + 0x6B, 0x86, 0x96, 0xFC, + 0x77, 0x57, DPD_MAJOR_VERSION, DPD_MINOR_VERSION +}; + + +static vchar_t *vendorid_fixup(int, vchar_t *t); + +static struct vendor_id * +lookup_vendor_id_by_id (int id) +{ + int i; + + for (i = 0; i < NUMVENDORIDS; i++) + if (all_vendor_ids[i].id == id) + return &all_vendor_ids[i]; + + return NULL; +} + +const char * +vid_string_by_id (int id) +{ + struct vendor_id *current; + + if (id == VENDORID_DPD) + return vendorid_dpd_hash; + + current = lookup_vendor_id_by_id(id); + + return current ? current->string : NULL; +} + +static struct vendor_id * +lookup_vendor_id_by_hash (const char *hash) +{ + int i; + unsigned char *h = (unsigned char *)hash; + + for (i = 0; i < NUMVENDORIDS; i++) + if (strncmp(all_vendor_ids[i].hash->v, hash, + all_vendor_ids[i].hash->l) == 0) + return &all_vendor_ids[i]; + + return NULL; +} + +void +compute_vendorids (void) +{ + int i; + vchar_t vid; + + for (i = 0; i < NUMVENDORIDS; i++) { + /* VENDORID_DPD is not a MD5 sum... */ + if(all_vendor_ids[i].id == VENDORID_DPD){ + all_vendor_ids[i].hash = vmalloc(sizeof(vendorid_dpd_hash)); + if (all_vendor_ids[i].hash == NULL) { + plog(LLV_ERROR, LOCATION, NULL, + "unable to get memory for VID hash\n"); + exit(1); /* this really shouldn't happen */ + } + memcpy(all_vendor_ids[i].hash->v, vendorid_dpd_hash, + sizeof(vendorid_dpd_hash)); + continue; + } + + vid.v = (char *) all_vendor_ids[i].string; + vid.l = strlen(vid.v); + + all_vendor_ids[i].hash = eay_md5_one(&vid); + if (all_vendor_ids[i].hash == NULL) + plog(LLV_ERROR, LOCATION, NULL, + "unable to hash vendor ID string\n"); + + /* Special cases */ + all_vendor_ids[i].hash = + vendorid_fixup(all_vendor_ids[i].id, + all_vendor_ids[i].hash); + } +} + +/* + * set hashed vendor id. + * hash function is always MD5. + */ +vchar_t * +set_vendorid(int vendorid) +{ + struct vendor_id *current; + vchar_t vid, *new; + + if (vendorid == VENDORID_UNKNOWN) { + /* + * The default unknown ID gets translated to + * KAME/racoon. + */ + vendorid = VENDORID_DEFAULT; + } + + current = lookup_vendor_id_by_id(vendorid); + if (current == NULL) { + plog(LLV_ERROR, LOCATION, NULL, + "invalid vendor ID index: %d\n", vendorid); + return (NULL); + } + + /* The rest of racoon expects a private copy + * of the VID that could be free'd after use. + * That's why we don't return the original pointer. */ + return vdup(current->hash); +} + +/* + * Check the vendor ID payload -- return the vendor ID index + * if we find a recognized one, or UNKNOWN if we don't. + * + * gen ... points to Vendor ID payload. + */ +static int +check_vendorid(struct isakmp_gen *gen) +{ + vchar_t vid, *vidhash; + int i, vidlen; + struct vendor_id *current; + + if (gen == NULL) + return (VENDORID_UNKNOWN); + + vidlen = ntohs(gen->len) - sizeof(*gen); + + current = lookup_vendor_id_by_hash((char *)(gen + 1)); + if (!current) + goto unknown; + + if (current->hash->l < vidlen) + plog(LLV_INFO, LOCATION, NULL, + "received broken Microsoft ID: %s\n", + current->string); + else + plog(LLV_INFO, LOCATION, NULL, + "received Vendor ID: %s\n", + current->string); + + return current->id; + +unknown: + plog(LLV_DEBUG, LOCATION, NULL, "received unknown Vendor ID\n"); + plogdump(LLV_DEBUG, (char *)(gen + 1), vidlen); + return (VENDORID_UNKNOWN); +} + +int +handle_vendorid(struct ph1handle *iph1, struct isakmp_gen *gen) +{ + int vid_numeric; + + vid_numeric = check_vendorid(gen); + if (vid_numeric == VENDORID_UNKNOWN) + return vid_numeric; + + iph1->vendorid_mask |= BIT(vid_numeric); + +#ifdef ENABLE_NATT + if (natt_vendorid(vid_numeric)) + natt_handle_vendorid(iph1, vid_numeric); +#endif +#ifdef ENABLE_HYBRID + switch (vid_numeric) { + case VENDORID_XAUTH: + iph1->mode_cfg->flags |= ISAKMP_CFG_VENDORID_XAUTH; + break; + case VENDORID_UNITY: + iph1->mode_cfg->flags |= ISAKMP_CFG_VENDORID_UNITY; + break; + default: + break; + } +#endif +#ifdef ENABLE_DPD + if (vid_numeric == VENDORID_DPD && + (iph1->rmconf == NULL || iph1->rmconf->dpd)) { + iph1->dpd_support = 1; + plog(LLV_DEBUG, LOCATION, NULL, "remote supports DPD\n"); + } +#endif + + return vid_numeric; +} + +static vchar_t * +vendorid_fixup(vendorid, vidhash) + int vendorid; + vchar_t *vidhash; +{ + switch(vendorid) { + case VENDORID_XAUTH: { /* The vendor Id is truncated */ + vchar_t *tmp; + + if ((tmp = vmalloc(8)) == NULL) { + plog(LLV_ERROR, LOCATION, NULL, + "unable to hash vendor ID string\n"); + return NULL; + } + + memcpy(tmp->v, vidhash->v, 8); + vfree(vidhash); + vidhash = tmp; + + break; + } + case VENDORID_UNITY: /* Two bytes tweak */ + vidhash->v[14] = 0x01; + vidhash->v[15] = 0x00; + break; + + default: + break; + } + + return vidhash; +} |