IKEv1 daemon supports DNS and NBNS server assignment from database
[strongswan.git] / src / pluto / modecfg.c
1 /* Mode config related functions
2 * Copyright (C) 2001-2002 Colubris Networks
3 * Copyright (C) 2003 Sean Mathews - Nu Tech Software Solutions, inc.
4 * Copyright (C) 2003-2004 Xelerance Corporation
5 * Copyright (C) 2006-2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 *
17 * This code originally written by Colubris Networks, Inc.
18 * Extraction of patch and porting to 1.99 codebases by Xelerance Corporation
19 * Porting to 2.x by Sean Mathews
20 */
21
22 #include <stdio.h>
23 #include <stdlib.h>
24 #include <string.h>
25
26 #include <freeswan.h>
27
28 #include <library.h>
29 #include <attributes/attributes.h>
30 #include <crypto/prfs/prf.h>
31
32 #include "constants.h"
33 #include "defs.h"
34 #include "state.h"
35 #include "demux.h"
36 #include "timer.h"
37 #include "ipsec_doi.h"
38 #include "log.h"
39 #include "crypto.h"
40 #include "modecfg.h"
41 #include "whack.h"
42 #include "xauth.h"
43
44 #define MAX_XAUTH_TRIES 3
45 #define DNS_SERVER_MAX 2
46 #define NBNS_SERVER_MAX 2
47
48 #define SUPPORTED_ATTR_SET ( LELEM(INTERNAL_IP4_ADDRESS) \
49 | LELEM(INTERNAL_IP4_NETMASK) \
50 | LELEM(INTERNAL_IP4_DNS) \
51 | LELEM(INTERNAL_IP4_NBNS) \
52 | LELEM(APPLICATION_VERSION) \
53 | LELEM(INTERNAL_IP6_DNS) \
54 | LELEM(INTERNAL_IP6_NBNS) \
55 )
56
57 #define SUPPORTED_UNITY_ATTR_SET ( LELEM(UNITY_BANNER - UNITY_BASE) )
58
59 #define UNITY_BANNER_STR "Welcome to strongSwan - the Linux VPN Solution!\n"
60
61 /*
62 * Addresses assigned (usually via ModeCfg) to the Initiator
63 */
64 typedef struct internal_addr internal_addr_t;
65
66 struct internal_addr
67 {
68 lset_t attr_set;
69 lset_t xauth_attr_set;
70 lset_t unity_attr_set;
71
72 /* ModeCfg variables */
73 ip_address ipaddr;
74 ip_address dns[DNS_SERVER_MAX];
75 ip_address nbns[NBNS_SERVER_MAX];
76
77 char *unity_banner;
78
79 /* XAUTH variables */
80 u_int16_t xauth_type;
81 xauth_t xauth_secret;
82 bool xauth_status;
83 };
84
85 /**
86 * Initialize an internal_addr struct
87 */
88 static void init_internal_addr(internal_addr_t *ia)
89 {
90 int i;
91
92 ia->attr_set = LEMPTY;
93 ia->xauth_attr_set = LEMPTY;
94 ia->xauth_secret.user_name = chunk_empty;
95 ia->xauth_secret.user_password = chunk_empty;
96 ia->xauth_type = XAUTH_TYPE_GENERIC;
97 ia->xauth_status = XAUTH_STATUS_FAIL;
98 ia->unity_attr_set = LEMPTY;
99 ia->unity_banner = NULL;
100
101 anyaddr(AF_INET, &ia->ipaddr);
102
103 /* initialize DNS server information */
104 for (i = 0; i < DNS_SERVER_MAX; i++)
105 {
106 anyaddr(AF_INET, &ia->dns[i]);
107 }
108
109 /* initialize NBNS server information */
110 for (i = 0; i < NBNS_SERVER_MAX; i++)
111 {
112 anyaddr(AF_INET, &ia->nbns[i]);
113 }
114 }
115
116 /**
117 * Get internal IP address for a connection
118 */
119 static void get_internal_addr(connection_t *c, host_t *requested_vip,
120 internal_addr_t *ia)
121 {
122 int i, dns_idx = 0, nbns_idx = 0;
123 enumerator_t *enumerator;
124 configuration_attribute_type_t type;
125 chunk_t value;
126 host_t *vip = NULL;
127
128 if (isanyaddr(&c->spd.that.host_srcip))
129 {
130 if (c->spd.that.pool)
131 {
132 vip = lib->attributes->acquire_address(lib->attributes,
133 c->spd.that.pool, c->spd.that.id,
134 requested_vip);
135 if (vip)
136 {
137 chunk_t addr = vip->get_address(vip);
138
139 plog("assigning virtual IP %H to peer", vip);
140 initaddr(addr.ptr, addr.len, vip->get_family(vip), &ia->ipaddr);
141
142 }
143 }
144 else
145 {
146 plog("no virtual IP found");
147 }
148 }
149 else
150 {
151 ia->ipaddr = c->spd.that.host_srcip;
152 vip = host_create_from_sockaddr((sockaddr_t*)&ia->ipaddr);
153 plog("assigning virtual IP %H to peer", vip);
154 }
155
156 if (!isanyaddr(&ia->ipaddr)) /* We got an IP address, send it */
157 {
158 c->spd.that.host_srcip = ia->ipaddr;
159 c->spd.that.client.addr = ia->ipaddr;
160 c->spd.that.client.maskbits = 32;
161 c->spd.that.has_client = TRUE;
162
163 ia->attr_set = LELEM(INTERNAL_IP4_ADDRESS)
164 | LELEM(INTERNAL_IP4_NETMASK);
165 }
166
167 /* assign DNS servers from strongswan.conf */
168 for (i = 1; i <= DNS_SERVER_MAX; i++)
169 {
170 char dns_key[16], *dns_str;
171
172 snprintf(dns_key, sizeof(dns_key), "pluto.dns%d", i);
173 dns_str = lib->settings->get_str(lib->settings, dns_key, NULL);
174 if (dns_str)
175 {
176 err_t ugh;
177 sa_family_t family = strchr(dns_str, ':') ? AF_INET6 : AF_INET;
178
179 ugh = ttoaddr(dns_str, 0, family, &ia->dns[dns_idx]);
180 if (ugh)
181 {
182 plog("error in DNS server address: %s", ugh);
183 continue;
184 }
185 plog("assigning DNS server %s to peer", dns_str);
186
187 /* differentiate between IP4 and IP6 in modecfg_build_msg() */
188 ia->attr_set |= LELEM(INTERNAL_IP4_DNS);
189 dns_idx++;
190 }
191 }
192
193 /* assign NBNS servers from strongswan.conf */
194 for (i = 1; i <= NBNS_SERVER_MAX; i++)
195 {
196 char nbns_key[16], *nbns_str;
197
198 snprintf(nbns_key, sizeof(nbns_key), "pluto.nbns%d", i);
199 nbns_str = lib->settings->get_str(lib->settings, nbns_key, NULL);
200 if (nbns_str)
201 {
202 err_t ugh;
203 sa_family_t family = strchr(nbns_str, ':') ? AF_INET6 : AF_INET;
204
205 ugh = ttoaddr(nbns_str, 0, family, &ia->nbns[nbns_idx]);
206 if (ugh)
207 {
208 plog("error in NBNS server address: %s", ugh);
209 continue;
210 }
211 plog("assigning NBNS server %s to peer", nbns_str);
212
213 /* differentiate between IP4 and IP6 in modecfg_build_msg() */
214 ia->attr_set |= LELEM(INTERNAL_IP4_NBNS);
215 nbns_idx++;
216 }
217 }
218
219 /* assign attributes from registered providers */
220 enumerator = lib->attributes->create_responder_enumerator(lib->attributes,
221 c->spd.that.id, vip);
222 while (enumerator->enumerate(enumerator, &type, &value))
223 {
224 err_t ugh;
225 host_t *server;
226 sa_family_t family = AF_INET;
227
228 switch (type)
229 {
230 case INTERNAL_IP6_DNS:
231 family = AF_INET6;
232 /* fallthrough */
233 case INTERNAL_IP4_DNS:
234 if (dns_idx >= DNS_SERVER_MAX)
235 {
236 plog("exceeded the maximum number of %d DNS servers",
237 DNS_SERVER_MAX);
238 break;
239 }
240 ugh = initaddr(value.ptr, value.len, family, &ia->dns[dns_idx]);
241 if (ugh)
242 {
243 plog("error in DNS server address: %s", ugh);
244 break;
245 }
246 server = host_create_from_chunk(family, value, 0);
247 plog("assigning DNS server %H to peer", server);
248 server->destroy(server);
249
250 /* differentiate between IP4 and IP6 in modecfg_build_msg() */
251 ia->attr_set |= LELEM(INTERNAL_IP4_DNS);
252 dns_idx++;
253 break;
254
255 case INTERNAL_IP6_NBNS:
256 family = AF_INET6;
257 /* fallthrough */
258 case INTERNAL_IP4_NBNS:
259 if (nbns_idx >= NBNS_SERVER_MAX)
260 {
261 plog("exceeded the maximum number of %d NBNS servers",
262 NBNS_SERVER_MAX);
263 break;
264 }
265 ugh = initaddr(value.ptr, value.len, family, &ia->nbns[nbns_idx]);
266 if (ugh)
267 {
268 plog("error in NBNS server address: %s", ugh);
269 break;
270 }
271 server = host_create_from_chunk(family, value, 0);
272 plog("assigning NBNS server %H to peer", server);
273 server->destroy(server);
274
275 /* differentiate between IP4 and IP6 in modecfg_build_msg() */
276 ia->attr_set |= LELEM(INTERNAL_IP4_NBNS);
277 nbns_idx++;
278 break;
279
280 default:
281 break;
282 }
283 }
284 enumerator->destroy(enumerator);
285 DESTROY_IF(vip);
286 }
287
288
289 /**
290 * Set srcip and client subnet to internal IP address
291 */
292 static bool set_internal_addr(connection_t *c, internal_addr_t *ia)
293 {
294 if (ia->attr_set & LELEM(INTERNAL_IP4_ADDRESS)
295 && !isanyaddr(&ia->ipaddr))
296 {
297 if (addrbytesptr(&c->spd.this.host_srcip, NULL) == 0
298 || isanyaddr(&c->spd.this.host_srcip)
299 || sameaddr(&c->spd.this.host_srcip, &ia->ipaddr))
300 {
301 char srcip[ADDRTOT_BUF];
302
303 addrtot(&ia->ipaddr, 0, srcip, sizeof(srcip));
304 plog("setting virtual IP source address to %s", srcip);
305 }
306 else
307 {
308 char old_srcip[ADDRTOT_BUF];
309 char new_srcip[ADDRTOT_BUF];
310
311 addrtot(&c->spd.this.host_srcip, 0, old_srcip, sizeof(old_srcip));
312 addrtot(&ia->ipaddr, 0, new_srcip, sizeof(new_srcip));
313 plog("replacing virtual IP source address %s by %s"
314 , old_srcip, new_srcip);
315 }
316
317 /* setting srcip */
318 c->spd.this.host_srcip = ia->ipaddr;
319
320 /* setting client subnet to srcip/32 */
321 addrtosubnet(&ia->ipaddr, &c->spd.this.client);
322 setportof(0, &c->spd.this.client.addr);
323 c->spd.this.has_client = TRUE;
324 return TRUE;
325 }
326 return FALSE;
327 }
328
329 /**
330 * Compute HASH of Mode Config.
331 */
332 static size_t modecfg_hash(u_char *dest, u_char *start, u_char *roof,
333 const struct state *st)
334 {
335 chunk_t msgid_chunk = chunk_from_thing(st->st_msgid);
336 chunk_t msg_chunk = { start, roof - start };
337 size_t prf_block_size;
338 pseudo_random_function_t prf_alg;
339 prf_t *prf;
340
341 prf_alg = oakley_to_prf(st->st_oakley.hash);
342 prf = lib->crypto->create_prf(lib->crypto, prf_alg);
343 prf->set_key(prf, st->st_skeyid_a);
344 prf->get_bytes(prf, msgid_chunk, NULL);
345 prf->get_bytes(prf, msg_chunk, dest);
346 prf_block_size = prf->get_block_size(prf);
347 prf->destroy(prf);
348
349 DBG(DBG_CRYPT,
350 DBG_log("ModeCfg HASH computed:");
351 DBG_dump("", dest, prf_block_size)
352 )
353 return prf_block_size;
354 }
355
356
357 /**
358 * Generate an IKE message containing ModeCfg information (eg: IP, DNS, WINS)
359 */
360 static stf_status modecfg_build_msg(struct state *st, pb_stream *rbody,
361 u_int16_t msg_type,
362 internal_addr_t *ia,
363 u_int16_t ap_id)
364 {
365 u_char *r_hash_start, *r_hashval;
366
367 START_HASH_PAYLOAD(*rbody, ISAKMP_NEXT_ATTR);
368
369 /* ATTR out */
370 {
371 struct isakmp_mode_attr attrh;
372 struct isakmp_attribute attr;
373 pb_stream strattr,attrval;
374 int attr_type, dns_attr_type, nbns_attr_type;
375 int dns_idx, nbns_idx;
376 bool dont_advance;
377 bool is_xauth_attr_set = ia->xauth_attr_set != LEMPTY;
378 bool is_unity_attr_set = ia->unity_attr_set != LEMPTY;
379 lset_t attr_set = ia->attr_set;
380
381 attrh.isama_np = ISAKMP_NEXT_NONE;
382 attrh.isama_type = msg_type;
383 attrh.isama_identifier = ap_id;
384
385 if (!out_struct(&attrh, &isakmp_attr_desc, rbody, &strattr))
386 {
387 return STF_INTERNAL_ERROR;
388 }
389 attr_type = 0;
390 dns_idx = 0;
391 nbns_idx = 0;
392
393 while (attr_set != LEMPTY || is_xauth_attr_set || is_unity_attr_set)
394 {
395 if (attr_set == LEMPTY)
396 {
397 if (is_xauth_attr_set)
398 {
399 attr_set = ia->xauth_attr_set;
400 attr_type = XAUTH_BASE;
401 is_xauth_attr_set = FALSE;
402 }
403 else
404 {
405 attr_set = ia->unity_attr_set;
406 attr_type = UNITY_BASE;
407 is_unity_attr_set = FALSE;
408 }
409 }
410
411 dont_advance = FALSE;
412
413 if (attr_set & 1)
414 {
415 const u_char *byte_ptr;
416 u_int len;
417
418 /* ISAKMP attr out */
419 if (attr_type == XAUTH_TYPE)
420 {
421 attr.isaat_af_type = attr_type | ISAKMP_ATTR_AF_TV;
422 attr.isaat_lv = ia->xauth_type;
423 }
424 else if (attr_type == XAUTH_STATUS)
425 {
426 attr.isaat_af_type = attr_type | ISAKMP_ATTR_AF_TV;
427 attr.isaat_lv = ia->xauth_status;
428 }
429 else if (attr_type == INTERNAL_IP4_DNS && !isanyaddr(&ia->dns[dns_idx]))
430 {
431 dns_attr_type = (addrtypeof(&ia->dns[dns_idx]) == AF_INET) ?
432 INTERNAL_IP4_DNS : INTERNAL_IP6_DNS;
433 attr.isaat_af_type = dns_attr_type | ISAKMP_ATTR_AF_TLV;
434
435 }
436 else if (attr_type == INTERNAL_IP4_NBNS && !isanyaddr(&ia->nbns[nbns_idx]))
437 {
438 nbns_attr_type = (addrtypeof(&ia->nbns[nbns_idx]) == AF_INET) ?
439 INTERNAL_IP4_NBNS : INTERNAL_IP6_NBNS;
440 attr.isaat_af_type = nbns_attr_type | ISAKMP_ATTR_AF_TLV;
441
442 }
443 else
444 {
445 attr.isaat_af_type = attr_type | ISAKMP_ATTR_AF_TLV;
446 }
447 out_struct(&attr, &isakmp_modecfg_attribute_desc, &strattr, &attrval);
448
449 switch (attr_type)
450 {
451 case INTERNAL_IP4_ADDRESS:
452 if (!isanyaddr(&ia->ipaddr))
453 {
454 len = addrbytesptr(&ia->ipaddr, &byte_ptr);
455 out_raw(byte_ptr, len, &attrval, "IP4_addr");
456 }
457 break;
458 case INTERNAL_IP4_NETMASK:
459 {
460 u_int mask;
461 #if 0
462 char mask[4],bits[8]={0x00,0x80,0xc0,0xe0,0xf0,0xf8,0xfc,0xfe};
463 int t,m=st->st_connection->that.host_addr.maskbit;
464 for (t=0; t<4; t++)
465 {
466 if (m < 8)
467 mask[t] = bits[m];
468 else
469 mask[t] = 0xff;
470 m -= 8;
471 }
472 #endif
473 if (st->st_connection->spd.this.client.maskbits == 0)
474 {
475 mask = 0;
476 }
477 else
478 {
479 mask = 0xffffffff * 1;
480 out_raw(&mask, 4, &attrval, "IP4_mask");
481 }
482 }
483 break;
484 case INTERNAL_IP4_SUBNET:
485 {
486 char mask[4];
487 char bits[8] = {0x00,0x80,0xc0,0xe0,0xf0,0xf8,0xfc,0xfe};
488 int t;
489 int m = st->st_connection->spd.this.client.maskbits;
490
491 for (t = 0; t < 4; t++)
492 {
493 mask[t] = (m < 8) ? bits[m] : 0xff;
494 m -= 8;
495 if (m < 0)
496 {
497 m = 0;
498 }
499 }
500 len = addrbytesptr(&st->st_connection->spd.this.client.addr, &byte_ptr);
501 out_raw(byte_ptr, len, &attrval, "IP4_subnet");
502 out_raw(mask, sizeof(mask), &attrval, "IP4_submsk");
503 }
504 break;
505 case INTERNAL_IP4_DNS:
506 case INTERNAL_IP6_DNS:
507 if (!isanyaddr(&ia->dns[dns_idx]))
508 {
509 len = addrbytesptr(&ia->dns[dns_idx++], &byte_ptr);
510 out_raw(byte_ptr, len, &attrval, "IP_dns");
511 }
512 if (dns_idx < DNS_SERVER_MAX && !isanyaddr(&ia->dns[dns_idx]))
513 {
514 dont_advance = TRUE;
515 }
516 break;
517 case INTERNAL_IP4_NBNS:
518 case INTERNAL_IP6_NBNS:
519 if (!isanyaddr(&ia->nbns[nbns_idx]))
520 {
521 len = addrbytesptr(&ia->nbns[nbns_idx++], &byte_ptr);
522 out_raw(byte_ptr, len, &attrval, "IP_nbns");
523 }
524 if (nbns_idx < NBNS_SERVER_MAX && !isanyaddr(&ia->nbns[nbns_idx]))
525 {
526 dont_advance = TRUE;
527 }
528 break;
529 case XAUTH_TYPE:
530 break;
531 case XAUTH_USER_NAME:
532 if (ia->xauth_secret.user_name.ptr != NULL)
533 {
534 out_raw(ia->xauth_secret.user_name.ptr
535 , ia->xauth_secret.user_name.len
536 , &attrval, "xauth_user_name");
537 }
538 break;
539 case XAUTH_USER_PASSWORD:
540 if (ia->xauth_secret.user_password.ptr != NULL)
541 {
542 out_raw(ia->xauth_secret.user_password.ptr
543 , ia->xauth_secret.user_password.len
544 , &attrval, "xauth_user_password");
545 }
546 break;
547 case XAUTH_STATUS:
548 break;
549 case UNITY_BANNER:
550 if (ia->unity_banner != NULL)
551 {
552 out_raw(ia->unity_banner
553 , strlen(ia->unity_banner)
554 , &attrval, "UNITY_BANNER");
555 }
556 break;
557 default:
558 plog("attempt to send unsupported mode cfg attribute %s."
559 , enum_show(&modecfg_attr_names, attr_type));
560 break;
561 }
562 close_output_pbs(&attrval);
563 }
564 if (!dont_advance)
565 {
566 attr_type++;
567 attr_set >>= 1;
568 }
569 }
570 close_message(&strattr);
571 }
572
573 modecfg_hash(r_hashval, r_hash_start, rbody->cur, st);
574 close_message(rbody);
575 encrypt_message(rbody, st);
576 return STF_OK;
577 }
578
579 /**
580 * Send ModeCfg message
581 */
582 static stf_status modecfg_send_msg(struct state *st, int isama_type,
583 internal_addr_t *ia)
584 {
585 pb_stream msg;
586 pb_stream rbody;
587 char buf[BUF_LEN];
588
589 /* set up attr */
590 init_pbs(&msg, buf, sizeof(buf), "ModeCfg msg buffer");
591
592 /* this is the beginning of a new exchange */
593 st->st_msgid = generate_msgid(st);
594 init_phase2_iv(st, &st->st_msgid);
595
596 /* HDR out */
597 {
598 struct isakmp_hdr hdr;
599
600 zero(&hdr); /* default to 0 */
601 hdr.isa_version = ISAKMP_MAJOR_VERSION << ISA_MAJ_SHIFT | ISAKMP_MINOR_VERSION;
602 hdr.isa_np = ISAKMP_NEXT_HASH;
603 hdr.isa_xchg = ISAKMP_XCHG_MODE_CFG;
604 hdr.isa_flags = ISAKMP_FLAG_ENCRYPTION;
605 memcpy(hdr.isa_icookie, st->st_icookie, COOKIE_SIZE);
606 memcpy(hdr.isa_rcookie, st->st_rcookie, COOKIE_SIZE);
607 hdr.isa_msgid = st->st_msgid;
608
609 if (!out_struct(&hdr, &isakmp_hdr_desc, &msg, &rbody))
610 {
611 return STF_INTERNAL_ERROR;
612 }
613 }
614
615 /* ATTR out */
616 modecfg_build_msg(st, &rbody
617 , isama_type
618 , ia
619 , 0 /* XXX isama_id */
620 );
621
622 free(st->st_tpacket.ptr);
623 st->st_tpacket = chunk_create(msg.start, pbs_offset(&msg));
624 st->st_tpacket = chunk_clone(st->st_tpacket);
625
626 /* Transmit */
627 send_packet(st, "ModeCfg msg");
628
629 if (st->st_event->ev_type != EVENT_RETRANSMIT)
630 {
631 delete_event(st);
632 event_schedule(EVENT_RETRANSMIT, EVENT_RETRANSMIT_DELAY_0, st);
633 }
634 return STF_OK;
635 }
636
637 /**
638 * Parse a ModeCfg attribute payload
639 */
640 static stf_status modecfg_parse_attributes(pb_stream *attrs, internal_addr_t *ia)
641 {
642 struct isakmp_attribute attr;
643 pb_stream strattr;
644 err_t ugh;
645 char buf[BUF_LEN];
646 int dns_idx = 0;
647 int nbns_idx = 0;
648
649 while (pbs_left(attrs) >= sizeof(struct isakmp_attribute))
650 {
651 u_int16_t attr_type;
652 u_int16_t attr_len;
653
654 if (!in_struct(&attr, &isakmp_modecfg_attribute_desc, attrs, &strattr))
655 {
656 return STF_FAIL;
657 }
658 attr_type = attr.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK;
659 attr_len = attr.isaat_lv;
660
661 switch (attr_type)
662 {
663 case INTERNAL_IP4_ADDRESS:
664 if (attr_len == 4)
665 {
666 ugh = initaddr((char *)(strattr.cur), 4, AF_INET, &ia->ipaddr);
667 if (ugh != NULL)
668 {
669 plog("received invalid virtual IPv4 address: %s", ugh);
670 }
671 }
672 ia->attr_set |= LELEM(attr_type);
673 break;
674 case INTERNAL_IP4_DNS:
675 if (attr_len == 4 && dns_idx < DNS_SERVER_MAX)
676 {
677 ugh = initaddr((char *)(strattr.cur), 4, AF_INET, &ia->dns[dns_idx]);
678 if (ugh != NULL)
679 {
680 plog("received invalid IPv4 DNS server address: %s", ugh);
681 }
682 else
683 {
684 addrtot(&ia->dns[dns_idx], 0, buf, BUF_LEN);
685 plog("received IPv4 DNS server address %s", buf);
686 dns_idx++;
687 }
688 }
689 ia->attr_set |= LELEM(attr_type);
690 break;
691 case INTERNAL_IP4_NBNS:
692 if (attr_len == 4 && nbns_idx < NBNS_SERVER_MAX)
693 {
694 ugh = initaddr((char *)(strattr.cur), 4, AF_INET, &ia->nbns[nbns_idx]);
695 if (ugh != NULL)
696 {
697 plog("received invalid IPv4 NBNS server address: %s", ugh);
698 }
699 else
700 {
701 addrtot(&ia->nbns[nbns_idx], 0, buf, BUF_LEN);
702 plog("received IPv4 NBNS server address %s", buf);
703 nbns_idx++;
704 }
705 }
706 ia->attr_set |= LELEM(attr_type);
707 break;
708 case INTERNAL_IP6_DNS:
709 if (attr_len == 16 && dns_idx < DNS_SERVER_MAX)
710 {
711 ugh = initaddr((char *)(strattr.cur), 16, AF_INET6, &ia->dns[dns_idx]);
712 if (ugh != NULL)
713 {
714 plog("received invalid IPv6 DNS server address: %s", ugh);
715 }
716 else
717 {
718 addrtot(&ia->dns[dns_idx], 0, buf, BUF_LEN);
719 plog("received IPv6 DNS server address %s", buf);
720 dns_idx++;
721 }
722 }
723 ia->attr_set |= LELEM(attr_type);
724 break;
725 case INTERNAL_IP6_NBNS:
726 if (attr_len == 16 && nbns_idx < NBNS_SERVER_MAX)
727 {
728 ugh = initaddr((char *)(strattr.cur), 16, AF_INET6, &ia->nbns[nbns_idx]);
729 if (ugh != NULL)
730 {
731 plog("received invalid IPv6 NBNS server address: %s", ugh);
732 }
733 else
734 {
735 addrtot(&ia->nbns[nbns_idx], 0, buf, BUF_LEN);
736 plog("received IPv6 NBNS server address %s", buf);
737 nbns_idx++;
738 }
739 }
740 ia->attr_set |= LELEM(attr_type);
741 break;
742 case INTERNAL_IP4_NETMASK:
743 case INTERNAL_IP4_SUBNET:
744 case INTERNAL_ADDRESS_EXPIRY:
745 case INTERNAL_IP4_DHCP:
746 case INTERNAL_IP6_ADDRESS:
747 case INTERNAL_IP6_NETMASK:
748 case INTERNAL_IP6_DHCP:
749 case SUPPORTED_ATTRIBUTES:
750 case INTERNAL_IP6_SUBNET:
751 ia->attr_set |= LELEM(attr_type);
752 break;
753 case APPLICATION_VERSION:
754 if (attr_len > 0)
755 {
756 DBG(DBG_PARSING,
757 DBG_log(" '%.*s'", attr_len, strattr.cur)
758 )
759 }
760 ia->attr_set |= LELEM(attr_type);
761 break;
762 case XAUTH_TYPE:
763 ia->xauth_type = attr.isaat_lv;
764 ia->xauth_attr_set |= LELEM(attr_type - XAUTH_BASE);
765 break;
766 case XAUTH_USER_NAME:
767 ia->xauth_secret.user_name = chunk_create(strattr.cur, attr_len);
768 ia->xauth_attr_set |= LELEM(attr_type - XAUTH_BASE);
769 break;
770 case XAUTH_USER_PASSWORD:
771 ia->xauth_secret.user_password = chunk_create(strattr.cur, attr_len);
772 ia->xauth_attr_set |= LELEM(attr_type - XAUTH_BASE);
773 break;
774 case XAUTH_STATUS:
775 ia->xauth_status = attr.isaat_lv;
776 ia->xauth_attr_set |= LELEM(attr_type - XAUTH_BASE);
777 break;
778 case XAUTH_MESSAGE:
779 if (attr_len > 0)
780 {
781 DBG(DBG_PARSING,
782 DBG_log(" '%.*s'", attr_len, strattr.cur)
783 )
784 }
785 /* fall through to set attribute flag */
786 case XAUTH_PASSCODE:
787 case XAUTH_CHALLENGE:
788 case XAUTH_DOMAIN:
789 case XAUTH_NEXT_PIN:
790 case XAUTH_ANSWER:
791 ia->xauth_attr_set |= LELEM(attr_type - XAUTH_BASE);
792 break;
793 case UNITY_DDNS_HOSTNAME:
794 if (attr_len > 0)
795 {
796 DBG(DBG_PARSING,
797 DBG_log(" '%.*s'", attr_len, strattr.cur)
798 )
799 }
800 /* fall through to set attribute flag */
801 case UNITY_BANNER:
802 case UNITY_SAVE_PASSWD:
803 case UNITY_DEF_DOMAIN:
804 case UNITY_SPLITDNS_NAME:
805 case UNITY_SPLIT_INCLUDE:
806 case UNITY_NATT_PORT:
807 case UNITY_LOCAL_LAN:
808 case UNITY_PFS:
809 case UNITY_FW_TYPE:
810 case UNITY_BACKUP_SERVERS:
811 ia->unity_attr_set |= LELEM(attr_type - UNITY_BASE);
812 break;
813 default:
814 plog("unsupported ModeCfg attribute %s received."
815 , enum_show(&modecfg_attr_names, attr_type));
816 break;
817 }
818 }
819 return STF_OK;
820 }
821
822 /**
823 * Parse a ModeCfg message
824 */
825 static stf_status modecfg_parse_msg(struct msg_digest *md, int isama_type,
826 u_int16_t *isama_id, internal_addr_t *ia)
827 {
828 struct state *const st = md->st;
829 struct payload_digest *p;
830 stf_status stat;
831
832 st->st_msgid = md->hdr.isa_msgid;
833
834 CHECK_QUICK_HASH(md, modecfg_hash(hash_val
835 , hash_pbs->roof
836 , md->message_pbs.roof, st)
837 , "MODECFG-HASH", "ISAKMP_CFG_MSG");
838
839 /* process the ModeCfg payloads received */
840 for (p = md->chain[ISAKMP_NEXT_ATTR]; p != NULL; p = p->next)
841 {
842 internal_addr_t ia_candidate;
843
844 init_internal_addr(&ia_candidate);
845
846 if (p->payload.attribute.isama_type == isama_type)
847 {
848 *isama_id = p->payload.attribute.isama_identifier;
849
850 stat = modecfg_parse_attributes(&p->pbs, &ia_candidate);
851 if (stat == STF_OK)
852 {
853 /* return with a valid set of attributes */
854 *ia = ia_candidate;
855 return STF_OK;
856 }
857 }
858 else
859 {
860 plog("expected %s, got %s instead (ignored)"
861 , enum_name(&attr_msg_type_names, isama_type)
862 , enum_name(&attr_msg_type_names, p->payload.attribute.isama_type));
863
864 stat = modecfg_parse_attributes(&p->pbs, &ia_candidate);
865 }
866 if (stat != STF_OK)
867 {
868 return stat;
869 }
870 }
871 return STF_IGNORE;
872 }
873
874 /**
875 * Send ModeCfg request message from client to server in pull mode
876 */
877 stf_status modecfg_send_request(struct state *st)
878 {
879 connection_t *c = st->st_connection;
880 stf_status stat;
881 internal_addr_t ia;
882
883 init_internal_addr(&ia);
884
885 ia.attr_set = LELEM(INTERNAL_IP4_ADDRESS)
886 | LELEM(INTERNAL_IP4_NETMASK);
887 ia.ipaddr = c->spd.this.host_srcip;
888
889 plog("sending ModeCfg request");
890 st->st_state = STATE_MODE_CFG_I1;
891 stat = modecfg_send_msg(st, ISAKMP_CFG_REQUEST, &ia);
892 if (stat == STF_OK)
893 {
894 st->st_modecfg.started = TRUE;
895 }
896 return stat;
897 }
898
899 /* STATE_MODE_CFG_R0:
900 * HDR*, HASH, ATTR(REQ=IP) --> HDR*, HASH, ATTR(REPLY=IP)
901 *
902 * used in ModeCfg pull mode, on the server (responder)
903 */
904 stf_status modecfg_inR0(struct msg_digest *md)
905 {
906 struct state *const st = md->st;
907 u_int16_t isama_id;
908 internal_addr_t ia;
909 bool want_unity_banner;
910 stf_status stat, stat_build;
911 host_t *requested_vip;
912
913 stat = modecfg_parse_msg(md, ISAKMP_CFG_REQUEST, &isama_id, &ia);
914 if (stat != STF_OK)
915 {
916 return stat;
917 }
918
919 if (ia.attr_set & LELEM(INTERNAL_IP4_ADDRESS))
920 {
921 requested_vip = host_create_from_sockaddr((sockaddr_t*)&ia.ipaddr);
922 }
923 else
924 {
925 requested_vip = host_create_any(AF_INET);
926 }
927 plog("peer requested virtual IP %H", requested_vip);
928
929 want_unity_banner = (ia.unity_attr_set & LELEM(UNITY_BANNER - UNITY_BASE)) != LEMPTY;
930 init_internal_addr(&ia);
931 get_internal_addr(st->st_connection, requested_vip, &ia);
932 requested_vip->destroy(requested_vip);
933
934 if (want_unity_banner)
935 {
936 ia.unity_banner = UNITY_BANNER_STR;
937 ia.unity_attr_set |= LELEM(UNITY_BANNER - UNITY_BASE);
938 }
939
940 plog("sending ModeCfg reply");
941
942 stat_build = modecfg_build_msg(st, &md->rbody
943 , ISAKMP_CFG_REPLY
944 , &ia
945 , isama_id);
946 if (stat_build != STF_OK)
947 {
948 return stat_build;
949 }
950 st->st_msgid = 0;
951 return STF_OK;
952 }
953
954 /* STATE_MODE_CFG_I1:
955 * HDR*, HASH, ATTR(REPLY=IP)
956 *
957 * used in ModeCfg pull mode, on the client (initiator)
958 */
959 stf_status modecfg_inI1(struct msg_digest *md)
960 {
961 struct state *const st = md->st;
962 u_int16_t isama_id;
963 internal_addr_t ia;
964 stf_status stat;
965
966 plog("parsing ModeCfg reply");
967
968 stat = modecfg_parse_msg(md, ISAKMP_CFG_REPLY, &isama_id, &ia);
969 if (stat != STF_OK)
970 {
971 return stat;
972 }
973 st->st_modecfg.vars_set = set_internal_addr(st->st_connection, &ia);
974 st->st_msgid = 0;
975 return STF_OK;
976 }
977
978
979 /**
980 * Send ModeCfg set message from server to client in push mode
981 */
982 stf_status modecfg_send_set(struct state *st)
983 {
984 stf_status stat;
985 internal_addr_t ia;
986 host_t *vip;
987
988 init_internal_addr(&ia);
989 vip = host_create_any(AF_INET);
990 get_internal_addr(st->st_connection, vip, &ia);
991 vip->destroy(vip);
992
993 #ifdef CISCO_QUIRKS
994 ia.unity_banner = UNITY_BANNER_STR;
995 ia.unity_attr_set |= LELEM(UNITY_BANNER - UNITY_BASE);
996 #endif
997
998 plog("sending ModeCfg set");
999 st->st_state = STATE_MODE_CFG_R3;
1000 stat = modecfg_send_msg(st, ISAKMP_CFG_SET, &ia);
1001 if (stat == STF_OK)
1002 {
1003 st->st_modecfg.started = TRUE;
1004 }
1005 return stat;
1006 }
1007
1008 /* STATE_MODE_CFG_I0:
1009 * HDR*, HASH, ATTR(SET=IP) --> HDR*, HASH, ATTR(ACK,OK)
1010 *
1011 * used in ModeCfg push mode, on the client (initiator).
1012 */
1013 stf_status modecfg_inI0(struct msg_digest *md)
1014 {
1015 struct state *const st = md->st;
1016 u_int16_t isama_id;
1017 internal_addr_t ia;
1018 lset_t attr_set, unity_attr_set;
1019 stf_status stat, stat_build;
1020
1021 plog("parsing ModeCfg set");
1022
1023 stat = modecfg_parse_msg(md, ISAKMP_CFG_SET, &isama_id, &ia);
1024 if (stat != STF_OK)
1025 {
1026 return stat;
1027 }
1028 st->st_modecfg.vars_set = set_internal_addr(st->st_connection, &ia);
1029
1030 /* prepare ModeCfg ack which sends zero length attributes */
1031 attr_set = ia.attr_set;
1032 unity_attr_set = ia.unity_attr_set;
1033 init_internal_addr(&ia);
1034 ia.attr_set = attr_set & SUPPORTED_ATTR_SET;
1035 ia.unity_attr_set = unity_attr_set & SUPPORTED_UNITY_ATTR_SET;
1036
1037 plog("sending ModeCfg ack");
1038
1039 stat_build = modecfg_build_msg(st, &md->rbody
1040 , ISAKMP_CFG_ACK
1041 , &ia
1042 , isama_id);
1043 if (stat_build != STF_OK)
1044 {
1045 return stat_build;
1046 }
1047 st->st_msgid = 0;
1048 return STF_OK;
1049 }
1050
1051 /* STATE_MODE_CFG_R3:
1052 * HDR*, HASH, ATTR(ACK,OK)
1053 *
1054 * used in ModeCfg push mode, on the server (responder)
1055 */
1056 stf_status modecfg_inR3(struct msg_digest *md)
1057 {
1058 struct state *const st = md->st;
1059 u_int16_t isama_id;
1060 internal_addr_t ia;
1061 stf_status stat;
1062
1063 plog("parsing ModeCfg ack");
1064
1065 stat = modecfg_parse_msg(md, ISAKMP_CFG_ACK, &isama_id, &ia);
1066 if (stat != STF_OK)
1067 {
1068 return stat;
1069 }
1070 st->st_msgid = 0;
1071 return STF_OK;
1072 }
1073
1074 /**
1075 * Send XAUTH credentials request (username + password)
1076 */
1077 stf_status xauth_send_request(struct state *st)
1078 {
1079 stf_status stat;
1080 internal_addr_t ia;
1081
1082 init_internal_addr(&ia);
1083 ia.xauth_attr_set = LELEM(XAUTH_USER_NAME - XAUTH_BASE)
1084 | LELEM(XAUTH_USER_PASSWORD - XAUTH_BASE);
1085
1086 plog("sending XAUTH request");
1087 st->st_state = STATE_XAUTH_R1;
1088 stat = modecfg_send_msg(st, ISAKMP_CFG_REQUEST, &ia);
1089 if (stat == STF_OK)
1090 {
1091 st->st_xauth.started = TRUE;
1092 }
1093 return stat;
1094 }
1095
1096 /* STATE_XAUTH_I0:
1097 * HDR*, HASH, ATTR(REQ) --> HDR*, HASH, ATTR(REPLY=USERNAME/PASSWORD)
1098 *
1099 * used on the XAUTH client (initiator)
1100 */
1101 stf_status xauth_inI0(struct msg_digest *md)
1102 {
1103 struct state *const st = md->st;
1104 u_int16_t isama_id;
1105 internal_addr_t ia;
1106 stf_status stat, stat_build;
1107 bool xauth_type_present;
1108
1109 plog("parsing XAUTH request");
1110
1111 stat = modecfg_parse_msg(md, ISAKMP_CFG_REQUEST, &isama_id, &ia);
1112 if (stat != STF_OK)
1113 {
1114 return stat;
1115 }
1116
1117 /* check XAUTH attributes */
1118 xauth_type_present = (ia.xauth_attr_set & LELEM(XAUTH_TYPE - XAUTH_BASE)) != LEMPTY;
1119
1120 if (xauth_type_present && ia.xauth_type != XAUTH_TYPE_GENERIC)
1121 {
1122 plog("xauth type %s is not supported", enum_name(&xauth_type_names, ia.xauth_type));
1123 stat = STF_FAIL;
1124 }
1125 else if ((ia.xauth_attr_set & LELEM(XAUTH_USER_NAME - XAUTH_BASE)) == LEMPTY)
1126 {
1127 plog("user name attribute is missing in XAUTH request");
1128 stat = STF_FAIL;
1129 }
1130 else if ((ia.xauth_attr_set & LELEM(XAUTH_USER_PASSWORD - XAUTH_BASE)) == LEMPTY)
1131 {
1132 plog("user password attribute is missing in XAUTH request");
1133 stat = STF_FAIL;
1134 }
1135
1136 /* prepare XAUTH reply */
1137 init_internal_addr(&ia);
1138
1139 if (stat == STF_OK)
1140 {
1141 /* get user credentials using a plugin function */
1142 if (!xauth_module.get_secret(&ia.xauth_secret))
1143 {
1144 plog("xauth user credentials not found");
1145 stat = STF_FAIL;
1146 }
1147 }
1148 if (stat == STF_OK)
1149 {
1150 DBG(DBG_CONTROL,
1151 DBG_log("my xauth user name is '%.*s'"
1152 , ia.xauth_secret.user_name.len
1153 , ia.xauth_secret.user_name.ptr)
1154 )
1155 DBG(DBG_PRIVATE,
1156 DBG_log("my xauth user password is '%.*s'"
1157 , ia.xauth_secret.user_password.len
1158 , ia.xauth_secret.user_password.ptr)
1159 )
1160 ia.xauth_attr_set = LELEM(XAUTH_USER_NAME - XAUTH_BASE)
1161 | LELEM(XAUTH_USER_PASSWORD - XAUTH_BASE);
1162 if (xauth_type_present)
1163 {
1164 ia.xauth_attr_set |= LELEM(XAUTH_TYPE - XAUTH_BASE);
1165 }
1166 }
1167 else
1168 {
1169 ia.xauth_attr_set = LELEM(XAUTH_STATUS - XAUTH_BASE);
1170 ia.xauth_status = XAUTH_STATUS_FAIL;
1171 }
1172
1173 plog("sending XAUTH reply");
1174
1175 stat_build = modecfg_build_msg(st, &md->rbody
1176 , ISAKMP_CFG_REPLY
1177 , &ia
1178 , isama_id);
1179 if (stat_build != STF_OK)
1180 {
1181 return stat_build;
1182 }
1183 if (stat == STF_OK)
1184 {
1185 st->st_xauth.started = TRUE;
1186 st->st_msgid = 0;
1187 return STF_OK;
1188 }
1189 else
1190 {
1191 /* send XAUTH reply msg and then delete ISAKMP SA */
1192 free(st->st_tpacket.ptr);
1193 st->st_tpacket = chunk_create(md->reply.start, pbs_offset(&md->reply));
1194 st->st_tpacket = chunk_clone(st->st_tpacket);
1195 send_packet(st, "XAUTH reply msg");
1196 delete_state(st);
1197 return STF_IGNORE;
1198 }
1199 }
1200
1201 /* STATE_XAUTH_R1:
1202 * HDR*, HASH, ATTR(REPLY=USERNAME/PASSWORD) --> HDR*, HASH, ATTR(STATUS)
1203 *
1204 * used on the XAUTH server (responder)
1205 */
1206 stf_status xauth_inR1(struct msg_digest *md)
1207 {
1208 struct state *const st = md->st;
1209 u_int16_t isama_id;
1210 internal_addr_t ia;
1211 stf_status stat, stat_build;
1212
1213 plog("parsing XAUTH reply");
1214
1215 stat = modecfg_parse_msg(md, ISAKMP_CFG_REPLY, &isama_id, &ia);
1216 if (stat != STF_OK)
1217 {
1218 return stat;
1219 }
1220
1221 /* did the client return an XAUTH FAIL status? */
1222 if ((ia.xauth_attr_set & LELEM(XAUTH_STATUS - XAUTH_BASE)) != LEMPTY)
1223 {
1224 plog("received FAIL status in XAUTH reply");
1225
1226 /* client is not able to do XAUTH, delete ISAKMP SA */
1227 delete_state(st);
1228 return STF_IGNORE;
1229 }
1230
1231 /* check XAUTH reply */
1232 if ((ia.xauth_attr_set & LELEM(XAUTH_USER_NAME - XAUTH_BASE)) == LEMPTY)
1233 {
1234 plog("user name attribute is missing in XAUTH reply");
1235 st->st_xauth.status = FALSE;
1236 }
1237 else if ((ia.xauth_attr_set & LELEM(XAUTH_USER_PASSWORD - XAUTH_BASE)) == LEMPTY)
1238 {
1239 plog("user password attribute is missing in XAUTH reply");
1240 st->st_xauth.status = FALSE;
1241 }
1242 else
1243 {
1244 xauth_peer_t peer;
1245
1246 peer.conn_name = st->st_connection->name;
1247 addrtot(&md->sender, 0, peer.ip_address, sizeof(peer.ip_address));
1248 snprintf(peer.id, sizeof(peer.id), "%Y",
1249 md->st->st_connection->spd.that.id);
1250
1251 DBG(DBG_CONTROL,
1252 DBG_log("peer xauth user name is '%.*s'"
1253 , ia.xauth_secret.user_name.len
1254 , ia.xauth_secret.user_name.ptr)
1255 )
1256 DBG(DBG_PRIVATE,
1257 DBG_log("peer xauth user password is '%.*s'"
1258 , ia.xauth_secret.user_password.len
1259 , ia.xauth_secret.user_password.ptr)
1260 )
1261 /* verify the user credentials using a plugin function */
1262 st->st_xauth.status = xauth_module.verify_secret(&peer, &ia.xauth_secret);
1263 plog("extended authentication %s", st->st_xauth.status? "was successful":"failed");
1264 }
1265
1266 /* prepare XAUTH set which sends the authentication status */
1267 init_internal_addr(&ia);
1268 ia.xauth_attr_set = LELEM(XAUTH_STATUS - XAUTH_BASE);
1269 ia.xauth_status = (st->st_xauth.status)? XAUTH_STATUS_OK : XAUTH_STATUS_FAIL;
1270
1271 plog("sending XAUTH status:");
1272
1273 stat_build = modecfg_send_msg(st, ISAKMP_CFG_SET, &ia);
1274 if (stat_build != STF_OK)
1275 {
1276 return stat_build;
1277 }
1278 return STF_OK;
1279 }
1280
1281 /* STATE_XAUTH_I1:
1282 * HDR*, HASH, ATTR(STATUS) --> HDR*, HASH, ATTR(ACK)
1283 *
1284 * used on the XAUTH client (initiator)
1285 */
1286 stf_status xauth_inI1(struct msg_digest *md)
1287 {
1288 struct state *const st = md->st;
1289 u_int16_t isama_id;
1290 internal_addr_t ia;
1291 stf_status stat, stat_build;
1292
1293 plog("parsing XAUTH status");
1294 stat = modecfg_parse_msg(md, ISAKMP_CFG_SET, &isama_id, &ia);
1295 if (stat != STF_OK)
1296 {
1297 /* notification payload - not exactly the right choice, but okay */
1298 md->note = ISAKMP_ATTRIBUTES_NOT_SUPPORTED;
1299 return stat;
1300 }
1301
1302 st->st_xauth.status = ia.xauth_status;
1303 plog("extended authentication %s", st->st_xauth.status? "was successful":"failed");
1304
1305 plog("sending XAUTH ack");
1306 init_internal_addr(&ia);
1307 stat_build = modecfg_build_msg(st, &md->rbody
1308 , ISAKMP_CFG_ACK
1309 , &ia
1310 , isama_id);
1311 if (stat_build != STF_OK)
1312 {
1313 return stat_build;
1314 }
1315 if (st->st_xauth.status)
1316 {
1317 st->st_msgid = 0;
1318 return STF_OK;
1319 }
1320 else
1321 {
1322 /* send XAUTH ack msg and then delete ISAKMP SA */
1323 free(st->st_tpacket.ptr);
1324 st->st_tpacket = chunk_create(md->reply.start, pbs_offset(&md->reply));
1325 st->st_tpacket = chunk_clone(st->st_tpacket);
1326 send_packet(st, "XAUTH ack msg");
1327 delete_state(st);
1328 return STF_IGNORE;
1329 }
1330 }
1331
1332 /* STATE_XAUTH_R2:
1333 * HDR*, ATTR(STATUS), HASH --> Done
1334 *
1335 * used on the XAUTH server (responder)
1336 */
1337 stf_status xauth_inR2(struct msg_digest *md)
1338 {
1339 struct state *const st = md->st;
1340 u_int16_t isama_id;
1341 internal_addr_t ia;
1342 stf_status stat;
1343
1344 plog("parsing XAUTH ack");
1345
1346 stat = modecfg_parse_msg(md, ISAKMP_CFG_ACK, &isama_id, &ia);
1347 if (stat != STF_OK)
1348 {
1349 return stat;
1350 }
1351 st->st_msgid = 0;
1352 if (st->st_xauth.status)
1353 {
1354 return STF_OK;
1355 }
1356 else
1357 {
1358 delete_state(st);
1359 return STF_IGNORE;
1360 }
1361 }