ikev1: Add fragmentation support for Windows peers
[strongswan.git] / src / libcharon / sa / ikev1 / tasks / isakmp_vendor.c
1 /*
2 * Copyright (C) 2012-2013 Tobias Brunner
3 * Copyright (C) 2009 Martin Willi
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 /*
18 * Copyright (C) 2012-2014 Volker RĂ¼melin
19 *
20 * Permission is hereby granted, free of charge, to any person obtaining a copy
21 * of this software and associated documentation files (the "Software"), to deal
22 * in the Software without restriction, including without limitation the rights
23 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
24 * copies of the Software, and to permit persons to whom the Software is
25 * furnished to do so, subject to the following conditions:
26 *
27 * The above copyright notice and this permission notice shall be included in
28 * all copies or substantial portions of the Software.
29 *
30 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
31 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
32 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
33 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
34 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
35 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
36 * THE SOFTWARE.
37 */
38
39 #include "isakmp_vendor.h"
40
41 #include <daemon.h>
42 #include <encoding/payloads/vendor_id_payload.h>
43
44 typedef struct private_isakmp_vendor_t private_isakmp_vendor_t;
45
46 /**
47 * Private data of an isakmp_vendor_t object.
48 */
49 struct private_isakmp_vendor_t {
50
51 /**
52 * Public isakmp_vendor_t interface.
53 */
54 isakmp_vendor_t public;
55
56 /**
57 * Associated IKE_SA
58 */
59 ike_sa_t *ike_sa;
60
61 /**
62 * Are we the inititator of this task
63 */
64 bool initiator;
65
66 /**
67 * Index of best nat traversal VID found
68 */
69 int best_natt_ext;
70
71 /**
72 * Number of times we have been invoked
73 */
74 int count;
75 };
76
77 /**
78 * IKEv1 Vendor ID database
79 */
80 static struct {
81 /* Description */
82 char *desc;
83 /* extension flag negotiated with vendor ID, if any */
84 ike_extension_t extension;
85 /* send yourself? */
86 bool send;
87 /* length of vendor ID string */
88 int len;
89 /* vendor ID string */
90 char *id;
91 } vendor_ids[] = {
92
93 /* strongSwan MD5("strongSwan") */
94 { "strongSwan", EXT_STRONGSWAN, FALSE, 16,
95 "\x88\x2f\xe5\x6d\x6f\xd2\x0d\xbc\x22\x51\x61\x3b\x2e\xbe\x5b\xeb"},
96
97 /* XAuth, MD5("draft-ietf-ipsra-isakmp-xauth-06.txt") */
98 { "XAuth", EXT_XAUTH, TRUE, 8,
99 "\x09\x00\x26\x89\xdf\xd6\xb7\x12"},
100
101 /* Dead peer detection, RFC 3706 */
102 { "DPD", EXT_DPD, TRUE, 16,
103 "\xaf\xca\xd7\x13\x68\xa1\xf1\xc9\x6b\x86\x96\xfc\x77\x57\x01\x00"},
104
105 { "Cisco Unity", EXT_CISCO_UNITY, FALSE, 16,
106 "\x12\xf5\xf2\x8c\x45\x71\x68\xa9\x70\x2d\x9f\xe2\x74\xcc\x01\x00"},
107
108 /* Proprietary IKE fragmentation extension. Capabilities are handled
109 * specially on receipt of this VID. Windows peers send this VID
110 * without capabilities, but accept it with and without capabilities. */
111 { "FRAGMENTATION", EXT_IKE_FRAGMENTATION, FALSE, 20,
112 "\x40\x48\xb7\xd5\x6e\xbc\xe8\x85\x25\xe7\xde\x7f\x00\xd6\xc2\xd3\x80\x00\x00\x00"},
113
114 /* Windows peers send this VID and a version number */
115 { "MS NT5 ISAKMPOAKLEY", EXT_MS_WINDOWS, FALSE, 20,
116 "\x1e\x2b\x51\x69\x05\x99\x1c\x7d\x7c\x96\xfc\xbf\xb5\x87\xe4\x61\x00\x00\x00\x00"},
117
118 }, vendor_natt_ids[] = {
119
120 /* NAT-Traversal VIDs ordered by preference */
121
122 /* NAT-Traversal, MD5("RFC 3947") */
123 { "NAT-T (RFC 3947)", EXT_NATT, TRUE, 16,
124 "\x4a\x13\x1c\x81\x07\x03\x58\x45\x5c\x57\x28\xf2\x0e\x95\x45\x2f"},
125
126 { "draft-ietf-ipsec-nat-t-ike-03", EXT_NATT | EXT_NATT_DRAFT_02_03,
127 FALSE, 16,
128 "\x7d\x94\x19\xa6\x53\x10\xca\x6f\x2c\x17\x9d\x92\x15\x52\x9d\x56"},
129
130 { "draft-ietf-ipsec-nat-t-ike-02", EXT_NATT | EXT_NATT_DRAFT_02_03,
131 FALSE, 16,
132 "\xcd\x60\x46\x43\x35\xdf\x21\xf8\x7c\xfd\xb2\xfc\x68\xb6\xa4\x48"},
133
134 { "draft-ietf-ipsec-nat-t-ike-02\\n", EXT_NATT | EXT_NATT_DRAFT_02_03,
135 TRUE, 16,
136 "\x90\xcb\x80\x91\x3e\xbb\x69\x6e\x08\x63\x81\xb5\xec\x42\x7b\x1f"},
137
138 { "draft-ietf-ipsec-nat-t-ike-08", 0, FALSE, 16,
139 "\x8f\x8d\x83\x82\x6d\x24\x6b\x6f\xc7\xa8\xa6\xa4\x28\xc1\x1d\xe8"},
140
141 { "draft-ietf-ipsec-nat-t-ike-07", 0, FALSE, 16,
142 "\x43\x9b\x59\xf8\xba\x67\x6c\x4c\x77\x37\xae\x22\xea\xb8\xf5\x82"},
143
144 { "draft-ietf-ipsec-nat-t-ike-06", 0, FALSE, 16,
145 "\x4d\x1e\x0e\x13\x6d\xea\xfa\x34\xc4\xf3\xea\x9f\x02\xec\x72\x85"},
146
147 { "draft-ietf-ipsec-nat-t-ike-05", 0, FALSE, 16,
148 "\x80\xd0\xbb\x3d\xef\x54\x56\x5e\xe8\x46\x45\xd4\xc8\x5c\xe3\xee"},
149
150 { "draft-ietf-ipsec-nat-t-ike-04", 0, FALSE, 16,
151 "\x99\x09\xb6\x4e\xed\x93\x7c\x65\x73\xde\x52\xac\xe9\x52\xfa\x6b"},
152
153 { "draft-ietf-ipsec-nat-t-ike-00", 0, FALSE, 16,
154 "\x44\x85\x15\x2d\x18\xb6\xbb\xcd\x0b\xe8\xa8\x46\x95\x79\xdd\xcc"},
155
156 { "draft-ietf-ipsec-nat-t-ike", 0, FALSE, 16,
157 "\x4d\xf3\x79\x28\xe9\xfc\x4f\xd1\xb3\x26\x21\x70\xd5\x15\xc6\x62"},
158
159 { "draft-stenberg-ipsec-nat-traversal-02", 0, FALSE, 16,
160 "\x61\x05\xc4\x22\xe7\x68\x47\xe4\x3f\x96\x84\x80\x12\x92\xae\xcd"},
161
162 { "draft-stenberg-ipsec-nat-traversal-01", 0, FALSE, 16,
163 "\x27\xba\xb5\xdc\x01\xea\x07\x60\xea\x4e\x31\x90\xac\x27\xc0\xd0"},
164
165 };
166
167 /**
168 * According to racoon 0x80000000 seems to indicate support for fragmentation
169 * of Aggressive and Main mode messages. 0x40000000 seems to indicate support
170 * for fragmentation of base ISAKMP messages (Cisco adds that and thus sends
171 * 0xc0000000)
172 */
173 static const u_int32_t fragmentation_ike = 0x80000000;
174
175 static bool is_known_vid(chunk_t data, int i)
176 {
177 switch (vendor_ids[i].extension)
178 {
179 case EXT_IKE_FRAGMENTATION:
180 if (data.len >= 16 && memeq(data.ptr, vendor_ids[i].id, 16))
181 {
182 switch (data.len)
183 {
184 case 16:
185 return TRUE;
186 case 20:
187 return untoh32(&data.ptr[16]) & fragmentation_ike;
188 }
189 }
190 break;
191 case EXT_MS_WINDOWS:
192 return data.len == 20 && memeq(data.ptr, vendor_ids[i].id, 16);
193 default:
194 return chunk_equals(data, chunk_create(vendor_ids[i].id,
195 vendor_ids[i].len));
196 }
197 return FALSE;
198 }
199
200 /**
201 * Add supported vendor ID payloads
202 */
203 static void build(private_isakmp_vendor_t *this, message_t *message)
204 {
205 vendor_id_payload_t *vid_payload;
206 bool strongswan, cisco_unity, fragmentation;
207 ike_cfg_t *ike_cfg;
208 int i;
209
210 strongswan = lib->settings->get_bool(lib->settings,
211 "%s.send_vendor_id", FALSE, lib->ns);
212 cisco_unity = lib->settings->get_bool(lib->settings,
213 "%s.cisco_unity", FALSE, lib->ns);
214 ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
215 fragmentation = ike_cfg->fragmentation(ike_cfg) != FRAGMENTATION_NO;
216 if (!this->initiator && fragmentation)
217 {
218 fragmentation = this->ike_sa->supports_extension(this->ike_sa,
219 EXT_IKE_FRAGMENTATION);
220 }
221 for (i = 0; i < countof(vendor_ids); i++)
222 {
223 if (vendor_ids[i].send ||
224 (vendor_ids[i].extension == EXT_STRONGSWAN && strongswan) ||
225 (vendor_ids[i].extension == EXT_CISCO_UNITY && cisco_unity) ||
226 (vendor_ids[i].extension == EXT_IKE_FRAGMENTATION && fragmentation))
227 {
228 DBG2(DBG_IKE, "sending %s vendor ID", vendor_ids[i].desc);
229 vid_payload = vendor_id_payload_create_data(PLV1_VENDOR_ID,
230 chunk_clone(chunk_create(vendor_ids[i].id, vendor_ids[i].len)));
231 message->add_payload(message, &vid_payload->payload_interface);
232 }
233 }
234 for (i = 0; i < countof(vendor_natt_ids); i++)
235 {
236 if ((this->initiator && vendor_natt_ids[i].send) ||
237 this->best_natt_ext == i)
238 {
239 DBG2(DBG_IKE, "sending %s vendor ID", vendor_natt_ids[i].desc);
240 vid_payload = vendor_id_payload_create_data(PLV1_VENDOR_ID,
241 chunk_clone(chunk_create(vendor_natt_ids[i].id,
242 vendor_natt_ids[i].len)));
243 message->add_payload(message, &vid_payload->payload_interface);
244 }
245 }
246 }
247
248 /**
249 * Process vendor ID payloads
250 */
251 static void process(private_isakmp_vendor_t *this, message_t *message)
252 {
253 enumerator_t *enumerator;
254 payload_t *payload;
255 int i;
256
257 enumerator = message->create_payload_enumerator(message);
258 while (enumerator->enumerate(enumerator, &payload))
259 {
260 if (payload->get_type(payload) == PLV1_VENDOR_ID)
261 {
262 vendor_id_payload_t *vid;
263 bool found = FALSE;
264 chunk_t data;
265
266 vid = (vendor_id_payload_t*)payload;
267 data = vid->get_data(vid);
268
269 for (i = 0; i < countof(vendor_ids); i++)
270 {
271 if (is_known_vid(data, i))
272 {
273 DBG1(DBG_IKE, "received %s vendor ID", vendor_ids[i].desc);
274 if (vendor_ids[i].extension)
275 {
276 this->ike_sa->enable_extension(this->ike_sa,
277 vendor_ids[i].extension);
278 }
279 found = TRUE;
280 break;
281 }
282 }
283 if (!found)
284 {
285 for (i = 0; i < countof(vendor_natt_ids); i++)
286 {
287 if (chunk_equals(data, chunk_create(vendor_natt_ids[i].id,
288 vendor_natt_ids[i].len)))
289 {
290 DBG1(DBG_IKE, "received %s vendor ID",
291 vendor_natt_ids[i].desc);
292 if (vendor_natt_ids[i].extension &&
293 (i < this->best_natt_ext || this->best_natt_ext < 0))
294 {
295 this->best_natt_ext = i;
296 }
297 found = TRUE;
298 break;
299 }
300 }
301 }
302 if (!found)
303 {
304 DBG1(DBG_ENC, "received unknown vendor ID: %#B", &data);
305 }
306 }
307 }
308 enumerator->destroy(enumerator);
309
310 if (this->best_natt_ext >= 0)
311 {
312 this->ike_sa->enable_extension(this->ike_sa,
313 vendor_natt_ids[this->best_natt_ext].extension);
314 }
315 }
316
317 METHOD(task_t, build_i, status_t,
318 private_isakmp_vendor_t *this, message_t *message)
319 {
320 if (this->count++ == 0)
321 {
322 build(this, message);
323 }
324 if (message->get_exchange_type(message) == AGGRESSIVE && this->count > 1)
325 {
326 return SUCCESS;
327 }
328 return NEED_MORE;
329 }
330
331 METHOD(task_t, process_r, status_t,
332 private_isakmp_vendor_t *this, message_t *message)
333 {
334 this->count++;
335 process(this, message);
336 if (message->get_exchange_type(message) == AGGRESSIVE && this->count > 1)
337 {
338 return SUCCESS;
339 }
340 return NEED_MORE;
341 }
342
343 METHOD(task_t, build_r, status_t,
344 private_isakmp_vendor_t *this, message_t *message)
345 {
346 if (this->count == 1)
347 {
348 build(this, message);
349 }
350 if (message->get_exchange_type(message) == ID_PROT && this->count > 2)
351 {
352 return SUCCESS;
353 }
354 return NEED_MORE;
355 }
356
357 METHOD(task_t, process_i, status_t,
358 private_isakmp_vendor_t *this, message_t *message)
359 {
360 process(this, message);
361 if (message->get_exchange_type(message) == ID_PROT && this->count > 2)
362 {
363 return SUCCESS;
364 }
365 return NEED_MORE;
366 }
367
368 METHOD(task_t, migrate, void,
369 private_isakmp_vendor_t *this, ike_sa_t *ike_sa)
370 {
371 this->ike_sa = ike_sa;
372 this->count = 0;
373 }
374
375 METHOD(task_t, get_type, task_type_t,
376 private_isakmp_vendor_t *this)
377 {
378 return TASK_ISAKMP_VENDOR;
379 }
380
381 METHOD(task_t, destroy, void,
382 private_isakmp_vendor_t *this)
383 {
384 free(this);
385 }
386
387 /**
388 * See header
389 */
390 isakmp_vendor_t *isakmp_vendor_create(ike_sa_t *ike_sa, bool initiator)
391 {
392 private_isakmp_vendor_t *this;
393
394 INIT(this,
395 .public = {
396 .task = {
397 .migrate = _migrate,
398 .get_type = _get_type,
399 .destroy = _destroy,
400 },
401 },
402 .initiator = initiator,
403 .ike_sa = ike_sa,
404 .best_natt_ext = -1,
405 );
406
407 if (initiator)
408 {
409 this->public.task.build = _build_i;
410 this->public.task.process = _process_i;
411 }
412 else
413 {
414 this->public.task.build = _build_r;
415 this->public.task.process = _process_r;
416 }
417
418 return &this->public;
419 }