1
/* FreeS/WAN ISAKMP VendorID
1
/* Openswan ISAKMP VendorID Handling
2
2
* Copyright (C) 2002-2003 Mathieu Lafon - Arkoon Network Security
3
* Copyright (C) 2004 Xelerance Corporation
4
5
* This program is free software; you can redistribute it and/or modify it
5
6
* under the terms of the GNU General Public License as published by the
62
64
* cf49908791073fb46439790fdeb6aeed981101ab0000000500000300
67
* 1f07f70eaa6514d3b0fa96542a500300 (VPN 3000 version 3.0.0)
68
* 1f07f70eaa6514d3b0fa96542a500301 (VPN 3000 version 3.0.1)
69
* 1f07f70eaa6514d3b0fa96542a500305 (VPN 3000 version 3.0.5)
70
* 1f07f70eaa6514d3b0fa96542a500407 (VPN 3000 version 4.0.7)
71
* (Can you see the pattern?)
72
* afcad71368a1f1c96b8696fc77570100 (Non-RFC Dead Peer Detection ?)
65
73
* c32364b3b4f447eb17c488ab2a480a57
66
* 1f07f70eaa6514d3b0fa96542a500305
67
* 1f07f70eaa6514d3b0fa96542a500300
68
* 1f07f70eaa6514d3b0fa96542a500301 (VPN 3000 version 3.1 ??)
69
* afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection ?)
70
74
* 6d761ddc26aceca1b0ed11fabbb860c4
75
* 5946c258f99a1a57b03eb9d1759e0f24 (From a Cisco VPN 3k)
76
* ebbc5b00141d0c895e11bd395902d690 (From a Cisco VPN 3k)
72
78
* Microsoft L2TP (???):
73
79
* 47bbe7c993f1fc13b4e6d0db565c68e5010201010201010310382e312e3020284275696c6420313029000000
75
81
* 3025dbd21062b9e53dc441c6aab5293600000000
78
* If someone know what they mean, mail me.
81
#define MAX_LOG_VID_LEN 8
90
#define MAX_LOG_VID_LEN 32
83
92
#define VID_KEEP 0x0000
84
93
#define VID_MD5HASH 0x0001
88
97
#define VID_SUBSTRING_DUMPHEXA 0x0100
89
98
#define VID_SUBSTRING_DUMPASCII 0x0200
90
#define VID_SUBSTRING (VID_SUBSTRING_DUMPHEXA | VID_SUBSTRING_DUMPASCII)
99
#define VID_SUBSTRING_MATCH 0x0400
100
#define VID_SUBSTRING (VID_SUBSTRING_DUMPHEXA | VID_SUBSTRING_DUMPASCII | VID_SUBSTRING_MATCH)
92
102
struct vid_struct {
93
103
enum known_vendorid id;
155
165
DEC_MD5_VID(SSH_IPSEC_4_2_0,
156
166
"SSH Communications Security IPSEC Express version 4.2.0")
158
169
/* note: md5('CISCO-UNITY') = 12f5f28c457168a9702d9fe274cc02d4 */
159
170
{ VID_CISCO_UNITY, VID_KEEP, NULL, "Cisco-Unity",
160
171
"\x12\xf5\xf2\x8c\x45\x71\x68\xa9\x70\x2d\x9f\xe2\x74\xcc\x01\x00",
174
{ VID_CISCO3K, VID_KEEP | VID_SUBSTRING_MATCH,
175
NULL, "Cisco VPN 3000 Series" , "\x1f\x07\xf7\x0e\xaa\x65\x14\xd3\xb0\xfa\x96\x54\x2a\x50", 14},
164
178
* Timestep VID seen:
165
179
* - 54494d455354455020312053475720313532302033313520322e303145303133
191
208
DEC_MD5_VID(NATT_IETF_03, "draft-ietf-ipsec-nat-t-ike-03")
192
209
DEC_MD5_VID(NATT_RFC, "Testing NAT-T RFC")
211
DEC_MD5_VID(NATT_DRAFT_IETF_IPSEC_NAT_T_IKE,"draft-ietf-ipsec-nat-t-ike")
196
216
{ VID_MISC_XAUTH, VID_KEEP, NULL, "XAUTH",
197
217
"\x09\x00\x26\x89\xdf\xd6\xb7\x12", 8 },
207
227
{ VID_MISC_HEARTBEAT_NOTIFY, VID_STRING | VID_SUBSTRING_DUMPHEXA,
208
228
"HeartBeat_Notify", "HeartBeat Notify", NULL, 0 },
233
{ VID_MACOSX, VID_STRING|VID_SUBSTRING_DUMPHEXA, "Mac OSX 10.x",
234
"\x4d\xf3\x79\x28\xe9\xfc\x4f\xd1\xb3\x26\x21\x70\xd5\x15\xc6\x62", NULL, 0},
210
236
DEC_MD5_VID(MISC_FRAGMENTATION, "FRAGMENTATION")
237
DEC_MD5_VID(INITIAL_CONTACT, "Vid-Initial-Contact")
213
240
{ 0, 0, NULL, NULL, NULL, 0 }
238
269
unsigned const char *d = vid->data;
240
MD5Update(&ctx, d, strlen(vid->data));
241
MD5Final(vidm, &ctx);
271
osMD5Update(&ctx, d, strlen(vid->data));
272
osMD5Final(vidm, &ctx);
242
273
vid->vid_len = MD5_DIGEST_SIZE;
249
280
char *vidm = malloc(FSWAN_VID_SIZE);
253
MD5Update(&ctx, vid->data, strlen(vid->data));
254
MD5Final(hash, &ctx);
284
osMD5Update(&ctx, vid->data, strlen(vid->data));
285
osMD5Final(hash, &ctx);
257
288
#if FSWAN_VID_SIZE - 2 <= MD5_DIGEST_SIZE
284
315
_vid_struct_init = 1;
287
static void handle_known_vendorid (struct msg_digest *md UNUSED,
288
const char *vidstr, size_t len, struct vid_struct *vid)
320
* Handle Known VendorID's. This function parses what the remote peer
321
* sends us, and enables/disables features based on it. As we go along,
322
* we set vid_usefull =1 if we did something based on this VendorID. This
323
* supresses the 'Ignored VendorID ...' log message.
325
* @param md UNUSED - Deprecated
326
* @param vidstr VendorID String
327
* @param len Length of vidstr
328
* @param vid VendorID Struct (see vendor.h)
329
* @param st State Structure (Hopefully initialized)
332
static void handle_known_vendorid (struct msg_digest *md UNUSED
335
, struct vid_struct *vid
336
, struct state *st UNUSED)
290
338
char vid_dump[128];
291
339
int vid_usefull = 0;
294
342
switch (vid->id) {
295
343
#ifdef NAT_TRAVERSAL
297
* Use most recent supported NAT-Traversal method and ignore the
298
* other ones (implementations will send all supported methods but
299
* only one will be used)
345
* Use most recent supported NAT-Traversal method and ignore
346
* the other ones (implementations will send all supported
347
* methods but only one will be used)
301
349
* Note: most recent == higher id in vendor.h
313
361
case VID_NATT_IETF_03:
314
362
case VID_NATT_RFC:
316
if ((nat_traversal_support_port_floating) &&
317
(md->quirks.nat_traversal_vid < vid->id)) {
318
md->quirks.nat_traversal_vid = vid->id;
364
if(!nat_traversal_support_port_floating) {
320
365
loglog(RC_LOG_SERIOUS
321
, "received Vendor ID payload [%s] meth=%d, but already using method %d"
322
, vid->descr, vid->id, md->quirks.nat_traversal_vid);
366
, "received Vendor ID payload [%s] meth=%d, "
367
"but port floating is off"
368
, vid->descr, vid->id);
371
if (md->quirks.nat_traversal_vid < vid->id) {
372
loglog(RC_LOG_SERIOUS
373
, "received Vendor ID payload [%s] method set to=%d "
374
, vid->descr, vid->id);
375
md->quirks.nat_traversal_vid = vid->id;
378
loglog(RC_LOG_SERIOUS
379
, "received Vendor ID payload [%s] meth=%d, "
380
"but already using method %d"
381
, vid->descr, vid->id
382
, md->quirks.nat_traversal_vid);
390
/* Remote side would like to do DPD with us on this connection */
395
/* We only need these when dealing with XAUTH */
327
397
case VID_SSH_SENTINEL_1_4_1:
328
loglog(RC_LOG_SERIOUS, "SSH Sentinel 1.4.1 found, setting XAUTH_ACK quirk");
398
loglog(RC_LOG_SERIOUS
399
, "SSH Sentinel 1.4.1 found, setting XAUTH_ACK quirk");
329
400
md->quirks.xauth_ack_msgid = TRUE;
404
case VID_CISCO_UNITY:
405
md->quirks.modecfg_pull_mode= TRUE;
333
409
case VID_MISC_XAUTH:
367
444
vid_usefull ? "received" : "ignoring", vid_dump);
370
void handle_vendorid (struct msg_digest *md, const char *vid, size_t len)
449
* Handle VendorID's. This function parses what the remote peer
450
* sends us, calls handle_known_vendorid on each VID we received
452
* Known VendorID's are defined in vendor.h
454
* @param md Message Digest from remote peer
455
* @param vid String of VendorIDs
456
* @param len Length of vid
457
* @param vid VendorID Struct (see vendor.h)
458
* @param st State Structure (Hopefully initialized)
461
void handle_vendorid (struct msg_digest *md, const char *vid, size_t len, struct state *st)
372
463
struct vid_struct *pvid;
382
473
if (pvid->vid && vid && pvid->vid_len && len) {
383
474
if (pvid->vid_len == len) {
384
475
if (memcmp(pvid->vid, vid, len)==0) {
385
handle_known_vendorid(md, vid, len, pvid);
476
handle_known_vendorid(md, vid
389
else if ((pvid->vid_len < len) && (pvid->flags & VID_SUBSTRING)) {
481
else if ((pvid->vid_len < len)
482
&& (pvid->flags & VID_SUBSTRING)) {
390
483
if (memcmp(pvid->vid, vid, pvid->vid_len)==0) {
391
handle_known_vendorid(md, vid, len, pvid);
484
handle_known_vendorid(md, vid, len
406
500
log_vid[2*i] = _hexdig[(vid[i] >> 4) & 0xF];
407
501
log_vid[2*i+1] = _hexdig[vid[i] & 0xF];
409
loglog(RC_LOG_SERIOUS, "ignoring Vendor ID payload [%s%s]",
503
loglog(RC_LOG_SERIOUS, "ignoring unknown Vendor ID payload [%s%s]",
410
504
log_vid, (len>MAX_LOG_VID_LEN) ? "..." : "");
415
509
* Add a vendor id payload to the msg
512
* @param outs PB stream
513
* @param vid Int of VendorID to be sent (see vendor.h for the list)
514
* @return bool True if successful
417
516
bool out_vendorid (u_int8_t np, pb_stream *outs, unsigned int vid)
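Review bot: The new `VID_MACOSX` table entry appears to have its fields in the wrong slots. The other visible initializers (`VID_MISC_HEARTBEAT_NOTIFY`, `VID_MISC_XAUTH`) follow the order id, flags, data, descr, vid, vid_len, but here the name `"Mac OSX 10.x"` sits in the data slot and the 16 raw bytes sit in the descr slot, with vid left `NULL`/0. If `VID_STRING` derives the match value from data, as the HeartBeat entry suggests (the init code is not shown in this view), the entry would match on the ASCII name instead of the byte string, and `vid->descr` would reach the `%s` in the `loglog` calls as non-printable bytes. Assuming the bytes are the literal payload rather than input to be hashed, the entry should read `{ VID_MACOSX, VID_KEEP, NULL, "Mac OSX 10.x", "\x4d\xf3\x79\x28\xe9\xfc\x4f\xd1\xb3\x26\x21\x70\xd5\x15\xc6\x62", 16},`. Separately, the new doc comment on `handle_known_vendorid` describes `md` as "UNUSED - Deprecated" although the function still writes `md->quirks`, so that wording and the `UNUSED` marker on `md` should be dropped.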