e63b18962cd63607e0294c5cb1bbe9a358aa93ad
[strongswan.git] / src / pluto / modecfg.c
1 /* Mode config related functions
2 * Copyright (C) 2001-2002 Colubris Networks
3 * Copyright (C) 2003 Sean Mathews - Nu Tech Software Solutions, inc.
4 * Copyright (C) 2003-2004 Xelerance Corporation
5 * Copyright (C) 2006-2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 *
17 * This code originally written by Colubris Networks, Inc.
18 * Extraction of patch and porting to 1.99 codebases by Xelerance Corporation
19 * Porting to 2.x by Sean Mathews
20 */
21
22 #include <stdio.h>
23 #include <stdlib.h>
24 #include <string.h>
25
26 #include <freeswan.h>
27
28 #include <library.h>
29 #include <attributes/attributes.h>
30 #include <crypto/prfs/prf.h>
31
32 #include "constants.h"
33 #include "defs.h"
34 #include "state.h"
35 #include "demux.h"
36 #include "timer.h"
37 #include "ipsec_doi.h"
38 #include "log.h"
39 #include "crypto.h"
40 #include "modecfg.h"
41 #include "whack.h"
42 #include "xauth.h"
43
44 #define MAX_XAUTH_TRIES 3
45 #define DNS_SERVER_MAX 2
46 #define NBNS_SERVER_MAX 2
47
48 #define SUPPORTED_ATTR_SET ( LELEM(INTERNAL_IP4_ADDRESS) \
49 | LELEM(INTERNAL_IP4_NETMASK) \
50 | LELEM(INTERNAL_IP4_DNS) \
51 | LELEM(INTERNAL_IP4_NBNS) \
52 | LELEM(APPLICATION_VERSION) \
53 | LELEM(INTERNAL_IP6_DNS) \
54 | LELEM(INTERNAL_IP6_NBNS) \
55 )
56
57 #define SUPPORTED_UNITY_ATTR_SET ( LELEM(UNITY_BANNER - UNITY_BASE) )
58
59 #define UNITY_BANNER_STR "Welcome to strongSwan - the Linux VPN Solution!\n"
60
61 /*
62 * Addresses assigned (usually via ModeCfg) to the Initiator
63 */
64 typedef struct internal_addr internal_addr_t;
65
66 struct internal_addr
67 {
68 lset_t attr_set;
69 lset_t xauth_attr_set;
70 lset_t unity_attr_set;
71
72 /* ModeCfg variables */
73 ip_address ipaddr;
74 ip_address dns[DNS_SERVER_MAX];
75 ip_address nbns[NBNS_SERVER_MAX];
76
77 char *unity_banner;
78
79 /* XAUTH variables */
80 u_int16_t xauth_type;
81 xauth_t xauth_secret;
82 bool xauth_status;
83 };
84
85 /**
86 * Initialize an internal_addr struct
87 */
88 static void init_internal_addr(internal_addr_t *ia)
89 {
90 int i;
91
92 ia->attr_set = LEMPTY;
93 ia->xauth_attr_set = LEMPTY;
94 ia->xauth_secret.user_name = chunk_empty;
95 ia->xauth_secret.user_password = chunk_empty;
96 ia->xauth_type = XAUTH_TYPE_GENERIC;
97 ia->xauth_status = XAUTH_STATUS_FAIL;
98 ia->unity_attr_set = LEMPTY;
99 ia->unity_banner = NULL;
100
101 anyaddr(AF_INET, &ia->ipaddr);
102
103 /* initialize DNS server information */
104 for (i = 0; i < DNS_SERVER_MAX; i++)
105 {
106 anyaddr(AF_INET, &ia->dns[i]);
107 }
108
109 /* initialize WINS server information */
110 for (i = 0; i < NBNS_SERVER_MAX; i++)
111 {
112 anyaddr(AF_INET, &ia->nbns[i]);
113 }
114 }
115
116 /**
117 * Get internal IP address for a connection
118 */
119 static void get_internal_addr(connection_t *c, host_t *requested_vip,
120 internal_addr_t *ia)
121 {
122 int i, dns_idx = 0, nbns_idx = 0;
123
124 if (isanyaddr(&c->spd.that.host_srcip))
125 {
126 if (c->spd.that.pool)
127 {
128 host_t *vip;
129
130 vip = lib->attributes->acquire_address(lib->attributes,
131 c->spd.that.pool, c->spd.that.id,
132 requested_vip);
133 if (vip)
134 {
135 chunk_t addr = vip->get_address(vip);
136
137 plog("assigning virtual IP %H to peer", vip);
138 initaddr(addr.ptr, addr.len, vip->get_family(vip), &ia->ipaddr);
139 vip->destroy(vip);
140 }
141 }
142 else
143 {
144 plog("no virtual IP found");
145 }
146 }
147 else
148 {
149 char srcip[ADDRTOT_BUF];
150
151 ia->ipaddr = c->spd.that.host_srcip;
152
153 addrtot(&ia->ipaddr, 0, srcip, sizeof(srcip));
154 plog("assigning virtual IP %s to peer", srcip);
155 }
156
157 if (!isanyaddr(&ia->ipaddr)) /* We got an IP address, send it */
158 {
159 c->spd.that.host_srcip = ia->ipaddr;
160 c->spd.that.client.addr = ia->ipaddr;
161 c->spd.that.client.maskbits = 32;
162 c->spd.that.has_client = TRUE;
163
164 ia->attr_set = LELEM(INTERNAL_IP4_ADDRESS)
165 | LELEM(INTERNAL_IP4_NETMASK);
166 }
167
168 /* assign DNS servers */
169 for (i = 1; i <= DNS_SERVER_MAX; i++)
170 {
171 char dns_key[16], *dns_str;
172
173 snprintf(dns_key, sizeof(dns_key), "pluto.dns%d", i);
174 dns_str = lib->settings->get_str(lib->settings, dns_key, NULL);
175 if (dns_str)
176 {
177 err_t ugh;
178 sa_family_t family = strchr(dns_str, ':') ? AF_INET6 : AF_INET;
179
180 ugh = ttoaddr(dns_str, 0, family, &ia->dns[dns_idx]);
181 if (ugh != NULL)
182 {
183 plog("error in DNS server address: %s", ugh);
184 continue;
185 }
186 plog("assigning DNS server %s to peer", dns_str);
187
188 /* differentiate between IP4 and IP6 in modecfg_build_msg() */
189 ia->attr_set |= LELEM(INTERNAL_IP4_DNS);
190 dns_idx++;
191 }
192 }
193
194 /* assign WINS servers */
195 for (i = 1; i <= NBNS_SERVER_MAX; i++)
196 {
197 char nbns_key[16], *nbns_str;
198
199 snprintf(nbns_key, sizeof(nbns_key), "pluto.nbns%d", i);
200 nbns_str = lib->settings->get_str(lib->settings, nbns_key, NULL);
201 if (nbns_str)
202 {
203 err_t ugh;
204 sa_family_t family = strchr(nbns_str, ':') ? AF_INET6 : AF_INET;
205
206 ugh = ttoaddr(nbns_str, 0, family, &ia->nbns[nbns_idx]);
207 if (ugh != NULL)
208 {
209 plog("error in WINS server address: %s", ugh);
210 continue;
211 }
212 plog("assigning NBNS server %s to peer", nbns_str);
213
214 /* differentiate between IP4 and IP6 in modecfg_build_msg() */
215 ia->attr_set |= LELEM(INTERNAL_IP4_NBNS);
216 nbns_idx++;
217 }
218 }
219 }
220
221
222 /**
223 * Set srcip and client subnet to internal IP address
224 */
225 static bool set_internal_addr(connection_t *c, internal_addr_t *ia)
226 {
227 if (ia->attr_set & LELEM(INTERNAL_IP4_ADDRESS)
228 && !isanyaddr(&ia->ipaddr))
229 {
230 if (addrbytesptr(&c->spd.this.host_srcip, NULL) == 0
231 || isanyaddr(&c->spd.this.host_srcip)
232 || sameaddr(&c->spd.this.host_srcip, &ia->ipaddr))
233 {
234 char srcip[ADDRTOT_BUF];
235
236 addrtot(&ia->ipaddr, 0, srcip, sizeof(srcip));
237 plog("setting virtual IP source address to %s", srcip);
238 }
239 else
240 {
241 char old_srcip[ADDRTOT_BUF];
242 char new_srcip[ADDRTOT_BUF];
243
244 addrtot(&c->spd.this.host_srcip, 0, old_srcip, sizeof(old_srcip));
245 addrtot(&ia->ipaddr, 0, new_srcip, sizeof(new_srcip));
246 plog("replacing virtual IP source address %s by %s"
247 , old_srcip, new_srcip);
248 }
249
250 /* setting srcip */
251 c->spd.this.host_srcip = ia->ipaddr;
252
253 /* setting client subnet to srcip/32 */
254 addrtosubnet(&ia->ipaddr, &c->spd.this.client);
255 setportof(0, &c->spd.this.client.addr);
256 c->spd.this.has_client = TRUE;
257 return TRUE;
258 }
259 return FALSE;
260 }
261
262 /**
263 * Compute HASH of Mode Config.
264 */
265 static size_t modecfg_hash(u_char *dest, u_char *start, u_char *roof,
266 const struct state *st)
267 {
268 chunk_t msgid_chunk = chunk_from_thing(st->st_msgid);
269 chunk_t msg_chunk = { start, roof - start };
270 size_t prf_block_size;
271 pseudo_random_function_t prf_alg;
272 prf_t *prf;
273
274 prf_alg = oakley_to_prf(st->st_oakley.hash);
275 prf = lib->crypto->create_prf(lib->crypto, prf_alg);
276 prf->set_key(prf, st->st_skeyid_a);
277 prf->get_bytes(prf, msgid_chunk, NULL);
278 prf->get_bytes(prf, msg_chunk, dest);
279 prf_block_size = prf->get_block_size(prf);
280 prf->destroy(prf);
281
282 DBG(DBG_CRYPT,
283 DBG_log("ModeCfg HASH computed:");
284 DBG_dump("", dest, prf_block_size)
285 )
286 return prf_block_size;
287 }
288
289
290 /**
291 * Generate an IKE message containing ModeCfg information (eg: IP, DNS, WINS)
292 */
293 static stf_status modecfg_build_msg(struct state *st, pb_stream *rbody,
294 u_int16_t msg_type,
295 internal_addr_t *ia,
296 u_int16_t ap_id)
297 {
298 u_char *r_hash_start, *r_hashval;
299
300 START_HASH_PAYLOAD(*rbody, ISAKMP_NEXT_ATTR);
301
302 /* ATTR out */
303 {
304 struct isakmp_mode_attr attrh;
305 struct isakmp_attribute attr;
306 pb_stream strattr,attrval;
307 int attr_type, dns_attr_type, nbns_attr_type;
308 int dns_idx, nbns_idx;
309 bool dont_advance;
310 bool is_xauth_attr_set = ia->xauth_attr_set != LEMPTY;
311 bool is_unity_attr_set = ia->unity_attr_set != LEMPTY;
312 lset_t attr_set = ia->attr_set;
313
314 attrh.isama_np = ISAKMP_NEXT_NONE;
315 attrh.isama_type = msg_type;
316 attrh.isama_identifier = ap_id;
317
318 if (!out_struct(&attrh, &isakmp_attr_desc, rbody, &strattr))
319 {
320 return STF_INTERNAL_ERROR;
321 }
322 attr_type = 0;
323 dns_idx = 0;
324 nbns_idx = 0;
325
326 while (attr_set != LEMPTY || is_xauth_attr_set || is_unity_attr_set)
327 {
328 if (attr_set == LEMPTY)
329 {
330 if (is_xauth_attr_set)
331 {
332 attr_set = ia->xauth_attr_set;
333 attr_type = XAUTH_BASE;
334 is_xauth_attr_set = FALSE;
335 }
336 else
337 {
338 attr_set = ia->unity_attr_set;
339 attr_type = UNITY_BASE;
340 is_unity_attr_set = FALSE;
341 }
342 }
343
344 dont_advance = FALSE;
345
346 if (attr_set & 1)
347 {
348 const u_char *byte_ptr;
349 u_int len;
350
351 /* ISAKMP attr out */
352 if (attr_type == XAUTH_TYPE)
353 {
354 attr.isaat_af_type = attr_type | ISAKMP_ATTR_AF_TV;
355 attr.isaat_lv = ia->xauth_type;
356 }
357 else if (attr_type == XAUTH_STATUS)
358 {
359 attr.isaat_af_type = attr_type | ISAKMP_ATTR_AF_TV;
360 attr.isaat_lv = ia->xauth_status;
361 }
362 else if (attr_type == INTERNAL_IP4_DNS && !isanyaddr(&ia->dns[dns_idx]))
363 {
364 dns_attr_type = (addrtypeof(&ia->dns[dns_idx]) == AF_INET) ?
365 INTERNAL_IP4_DNS : INTERNAL_IP6_DNS;
366 attr.isaat_af_type = dns_attr_type | ISAKMP_ATTR_AF_TLV;
367
368 }
369 else if (attr_type == INTERNAL_IP4_NBNS && !isanyaddr(&ia->nbns[nbns_idx]))
370 {
371 nbns_attr_type = (addrtypeof(&ia->nbns[nbns_idx]) == AF_INET) ?
372 INTERNAL_IP4_NBNS : INTERNAL_IP6_NBNS;
373 attr.isaat_af_type = nbns_attr_type | ISAKMP_ATTR_AF_TLV;
374
375 }
376 else
377 {
378 attr.isaat_af_type = attr_type | ISAKMP_ATTR_AF_TLV;
379 }
380 out_struct(&attr, &isakmp_modecfg_attribute_desc, &strattr, &attrval);
381
382 switch (attr_type)
383 {
384 case INTERNAL_IP4_ADDRESS:
385 if (!isanyaddr(&ia->ipaddr))
386 {
387 len = addrbytesptr(&ia->ipaddr, &byte_ptr);
388 out_raw(byte_ptr, len, &attrval, "IP4_addr");
389 }
390 break;
391 case INTERNAL_IP4_NETMASK:
392 {
393 u_int mask;
394 #if 0
395 char mask[4],bits[8]={0x00,0x80,0xc0,0xe0,0xf0,0xf8,0xfc,0xfe};
396 int t,m=st->st_connection->that.host_addr.maskbit;
397 for (t=0; t<4; t++)
398 {
399 if (m < 8)
400 mask[t] = bits[m];
401 else
402 mask[t] = 0xff;
403 m -= 8;
404 }
405 #endif
406 if (st->st_connection->spd.this.client.maskbits == 0)
407 {
408 mask = 0;
409 }
410 else
411 {
412 mask = 0xffffffff * 1;
413 out_raw(&mask, 4, &attrval, "IP4_mask");
414 }
415 }
416 break;
417 case INTERNAL_IP4_SUBNET:
418 {
419 char mask[4];
420 char bits[8] = {0x00,0x80,0xc0,0xe0,0xf0,0xf8,0xfc,0xfe};
421 int t;
422 int m = st->st_connection->spd.this.client.maskbits;
423
424 for (t = 0; t < 4; t++)
425 {
426 mask[t] = (m < 8) ? bits[m] : 0xff;
427 m -= 8;
428 if (m < 0)
429 {
430 m = 0;
431 }
432 }
433 len = addrbytesptr(&st->st_connection->spd.this.client.addr, &byte_ptr);
434 out_raw(byte_ptr, len, &attrval, "IP4_subnet");
435 out_raw(mask, sizeof(mask), &attrval, "IP4_submsk");
436 }
437 break;
438 case INTERNAL_IP4_DNS:
439 case INTERNAL_IP6_DNS:
440 if (!isanyaddr(&ia->dns[dns_idx]))
441 {
442 len = addrbytesptr(&ia->dns[dns_idx++], &byte_ptr);
443 out_raw(byte_ptr, len, &attrval, "IP_dns");
444 }
445 if (dns_idx < DNS_SERVER_MAX && !isanyaddr(&ia->dns[dns_idx]))
446 {
447 dont_advance = TRUE;
448 }
449 break;
450 case INTERNAL_IP4_NBNS:
451 case INTERNAL_IP6_NBNS:
452 if (!isanyaddr(&ia->nbns[nbns_idx]))
453 {
454 len = addrbytesptr(&ia->nbns[nbns_idx++], &byte_ptr);
455 out_raw(byte_ptr, len, &attrval, "IP_nbns");
456 }
457 if (nbns_idx < NBNS_SERVER_MAX && !isanyaddr(&ia->nbns[nbns_idx]))
458 {
459 dont_advance = TRUE;
460 }
461 break;
462 case XAUTH_TYPE:
463 break;
464 case XAUTH_USER_NAME:
465 if (ia->xauth_secret.user_name.ptr != NULL)
466 {
467 out_raw(ia->xauth_secret.user_name.ptr
468 , ia->xauth_secret.user_name.len
469 , &attrval, "xauth_user_name");
470 }
471 break;
472 case XAUTH_USER_PASSWORD:
473 if (ia->xauth_secret.user_password.ptr != NULL)
474 {
475 out_raw(ia->xauth_secret.user_password.ptr
476 , ia->xauth_secret.user_password.len
477 , &attrval, "xauth_user_password");
478 }
479 break;
480 case XAUTH_STATUS:
481 break;
482 case UNITY_BANNER:
483 if (ia->unity_banner != NULL)
484 {
485 out_raw(ia->unity_banner
486 , strlen(ia->unity_banner)
487 , &attrval, "UNITY_BANNER");
488 }
489 break;
490 default:
491 plog("attempt to send unsupported mode cfg attribute %s."
492 , enum_show(&modecfg_attr_names, attr_type));
493 break;
494 }
495 close_output_pbs(&attrval);
496 }
497 if (!dont_advance)
498 {
499 attr_type++;
500 attr_set >>= 1;
501 }
502 }
503 close_message(&strattr);
504 }
505
506 modecfg_hash(r_hashval, r_hash_start, rbody->cur, st);
507 close_message(rbody);
508 encrypt_message(rbody, st);
509 return STF_OK;
510 }
511
512 /**
513 * Send ModeCfg message
514 */
515 static stf_status modecfg_send_msg(struct state *st, int isama_type,
516 internal_addr_t *ia)
517 {
518 pb_stream msg;
519 pb_stream rbody;
520 char buf[BUF_LEN];
521
522 /* set up attr */
523 init_pbs(&msg, buf, sizeof(buf), "ModeCfg msg buffer");
524
525 /* this is the beginning of a new exchange */
526 st->st_msgid = generate_msgid(st);
527 init_phase2_iv(st, &st->st_msgid);
528
529 /* HDR out */
530 {
531 struct isakmp_hdr hdr;
532
533 zero(&hdr); /* default to 0 */
534 hdr.isa_version = ISAKMP_MAJOR_VERSION << ISA_MAJ_SHIFT | ISAKMP_MINOR_VERSION;
535 hdr.isa_np = ISAKMP_NEXT_HASH;
536 hdr.isa_xchg = ISAKMP_XCHG_MODE_CFG;
537 hdr.isa_flags = ISAKMP_FLAG_ENCRYPTION;
538 memcpy(hdr.isa_icookie, st->st_icookie, COOKIE_SIZE);
539 memcpy(hdr.isa_rcookie, st->st_rcookie, COOKIE_SIZE);
540 hdr.isa_msgid = st->st_msgid;
541
542 if (!out_struct(&hdr, &isakmp_hdr_desc, &msg, &rbody))
543 {
544 return STF_INTERNAL_ERROR;
545 }
546 }
547
548 /* ATTR out */
549 modecfg_build_msg(st, &rbody
550 , isama_type
551 , ia
552 , 0 /* XXX isama_id */
553 );
554
555 free(st->st_tpacket.ptr);
556 st->st_tpacket = chunk_create(msg.start, pbs_offset(&msg));
557 st->st_tpacket = chunk_clone(st->st_tpacket);
558
559 /* Transmit */
560 send_packet(st, "ModeCfg msg");
561
562 if (st->st_event->ev_type != EVENT_RETRANSMIT)
563 {
564 delete_event(st);
565 event_schedule(EVENT_RETRANSMIT, EVENT_RETRANSMIT_DELAY_0, st);
566 }
567 return STF_OK;
568 }
569
570 /**
571 * Parse a ModeCfg attribute payload
572 */
573 static stf_status modecfg_parse_attributes(pb_stream *attrs, internal_addr_t *ia)
574 {
575 struct isakmp_attribute attr;
576 pb_stream strattr;
577 err_t ugh;
578 char buf[BUF_LEN];
579 int dns_idx = 0;
580 int nbns_idx = 0;
581
582 while (pbs_left(attrs) >= sizeof(struct isakmp_attribute))
583 {
584 u_int16_t attr_type;
585 u_int16_t attr_len;
586
587 if (!in_struct(&attr, &isakmp_modecfg_attribute_desc, attrs, &strattr))
588 {
589 return STF_FAIL;
590 }
591 attr_type = attr.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK;
592 attr_len = attr.isaat_lv;
593
594 switch (attr_type)
595 {
596 case INTERNAL_IP4_ADDRESS:
597 if (attr_len == 4)
598 {
599 ugh = initaddr((char *)(strattr.cur), 4, AF_INET, &ia->ipaddr);
600 if (ugh != NULL)
601 {
602 plog("received invalid virtual IPv4 address: %s", ugh);
603 }
604 }
605 ia->attr_set |= LELEM(attr_type);
606 break;
607 case INTERNAL_IP4_DNS:
608 if (attr_len == 4 && dns_idx < DNS_SERVER_MAX)
609 {
610 ugh = initaddr((char *)(strattr.cur), 4, AF_INET, &ia->dns[dns_idx]);
611 if (ugh != NULL)
612 {
613 plog("received invalid IPv4 DNS server address: %s", ugh);
614 }
615 else
616 {
617 addrtot(&ia->dns[dns_idx], 0, buf, BUF_LEN);
618 plog("received IPv4 DNS server address %s", buf);
619 dns_idx++;
620 }
621 }
622 ia->attr_set |= LELEM(attr_type);
623 break;
624 case INTERNAL_IP4_NBNS:
625 if (attr_len == 4 && nbns_idx < NBNS_SERVER_MAX)
626 {
627 ugh = initaddr((char *)(strattr.cur), 4, AF_INET, &ia->nbns[nbns_idx]);
628 if (ugh != NULL)
629 {
630 plog("received invalid IPv4 WINS server address: %s", ugh);
631 }
632 else
633 {
634 addrtot(&ia->nbns[nbns_idx], 0, buf, BUF_LEN);
635 plog("received IPv4 WINS server address %s", buf);
636 nbns_idx++;
637 }
638 }
639 ia->attr_set |= LELEM(attr_type);
640 break;
641 case INTERNAL_IP6_DNS:
642 if (attr_len == 16 && dns_idx < DNS_SERVER_MAX)
643 {
644 ugh = initaddr((char *)(strattr.cur), 16, AF_INET6, &ia->dns[dns_idx]);
645 if (ugh != NULL)
646 {
647 plog("received invalid IPv6 DNS server address: %s", ugh);
648 }
649 else
650 {
651 addrtot(&ia->dns[dns_idx], 0, buf, BUF_LEN);
652 plog("received IPv6 DNS server address %s", buf);
653 dns_idx++;
654 }
655 }
656 ia->attr_set |= LELEM(attr_type);
657 break;
658 case INTERNAL_IP6_NBNS:
659 if (attr_len == 16 && nbns_idx < NBNS_SERVER_MAX)
660 {
661 ugh = initaddr((char *)(strattr.cur), 16, AF_INET6, &ia->nbns[nbns_idx]);
662 if (ugh != NULL)
663 {
664 plog("received invalid IPv6 WINS server address: %s", ugh);
665 }
666 else
667 {
668 addrtot(&ia->nbns[nbns_idx], 0, buf, BUF_LEN);
669 plog("received IPv6 WINS server address %s", buf);
670 nbns_idx++;
671 }
672 }
673 ia->attr_set |= LELEM(attr_type);
674 break;
675 case INTERNAL_IP4_NETMASK:
676 case INTERNAL_IP4_SUBNET:
677 case INTERNAL_ADDRESS_EXPIRY:
678 case INTERNAL_IP4_DHCP:
679 case INTERNAL_IP6_ADDRESS:
680 case INTERNAL_IP6_NETMASK:
681 case INTERNAL_IP6_DHCP:
682 case SUPPORTED_ATTRIBUTES:
683 case INTERNAL_IP6_SUBNET:
684 ia->attr_set |= LELEM(attr_type);
685 break;
686 case APPLICATION_VERSION:
687 if (attr_len > 0)
688 {
689 DBG(DBG_PARSING,
690 DBG_log(" '%.*s'", attr_len, strattr.cur)
691 )
692 }
693 ia->attr_set |= LELEM(attr_type);
694 break;
695 case XAUTH_TYPE:
696 ia->xauth_type = attr.isaat_lv;
697 ia->xauth_attr_set |= LELEM(attr_type - XAUTH_BASE);
698 break;
699 case XAUTH_USER_NAME:
700 ia->xauth_secret.user_name = chunk_create(strattr.cur, attr_len);
701 ia->xauth_attr_set |= LELEM(attr_type - XAUTH_BASE);
702 break;
703 case XAUTH_USER_PASSWORD:
704 ia->xauth_secret.user_password = chunk_create(strattr.cur, attr_len);
705 ia->xauth_attr_set |= LELEM(attr_type - XAUTH_BASE);
706 break;
707 case XAUTH_STATUS:
708 ia->xauth_status = attr.isaat_lv;
709 ia->xauth_attr_set |= LELEM(attr_type - XAUTH_BASE);
710 break;
711 case XAUTH_MESSAGE:
712 if (attr_len > 0)
713 {
714 DBG(DBG_PARSING,
715 DBG_log(" '%.*s'", attr_len, strattr.cur)
716 )
717 }
718 /* fall through to set attribute flag */
719 case XAUTH_PASSCODE:
720 case XAUTH_CHALLENGE:
721 case XAUTH_DOMAIN:
722 case XAUTH_NEXT_PIN:
723 case XAUTH_ANSWER:
724 ia->xauth_attr_set |= LELEM(attr_type - XAUTH_BASE);
725 break;
726 case UNITY_DDNS_HOSTNAME:
727 if (attr_len > 0)
728 {
729 DBG(DBG_PARSING,
730 DBG_log(" '%.*s'", attr_len, strattr.cur)
731 )
732 }
733 /* fall through to set attribute flag */
734 case UNITY_BANNER:
735 case UNITY_SAVE_PASSWD:
736 case UNITY_DEF_DOMAIN:
737 case UNITY_SPLITDNS_NAME:
738 case UNITY_SPLIT_INCLUDE:
739 case UNITY_NATT_PORT:
740 case UNITY_LOCAL_LAN:
741 case UNITY_PFS:
742 case UNITY_FW_TYPE:
743 case UNITY_BACKUP_SERVERS:
744 ia->unity_attr_set |= LELEM(attr_type - UNITY_BASE);
745 break;
746 default:
747 plog("unsupported ModeCfg attribute %s received."
748 , enum_show(&modecfg_attr_names, attr_type));
749 break;
750 }
751 }
752 return STF_OK;
753 }
754
755 /**
756 * Parse a ModeCfg message
757 */
758 static stf_status modecfg_parse_msg(struct msg_digest *md, int isama_type,
759 u_int16_t *isama_id, internal_addr_t *ia)
760 {
761 struct state *const st = md->st;
762 struct payload_digest *p;
763 stf_status stat;
764
765 st->st_msgid = md->hdr.isa_msgid;
766
767 CHECK_QUICK_HASH(md, modecfg_hash(hash_val
768 , hash_pbs->roof
769 , md->message_pbs.roof, st)
770 , "MODECFG-HASH", "ISAKMP_CFG_MSG");
771
772 /* process the ModeCfg payloads received */
773 for (p = md->chain[ISAKMP_NEXT_ATTR]; p != NULL; p = p->next)
774 {
775 internal_addr_t ia_candidate;
776
777 init_internal_addr(&ia_candidate);
778
779 if (p->payload.attribute.isama_type == isama_type)
780 {
781 *isama_id = p->payload.attribute.isama_identifier;
782
783 stat = modecfg_parse_attributes(&p->pbs, &ia_candidate);
784 if (stat == STF_OK)
785 {
786 /* return with a valid set of attributes */
787 *ia = ia_candidate;
788 return STF_OK;
789 }
790 }
791 else
792 {
793 plog("expected %s, got %s instead (ignored)"
794 , enum_name(&attr_msg_type_names, isama_type)
795 , enum_name(&attr_msg_type_names, p->payload.attribute.isama_type));
796
797 stat = modecfg_parse_attributes(&p->pbs, &ia_candidate);
798 }
799 if (stat != STF_OK)
800 {
801 return stat;
802 }
803 }
804 return STF_IGNORE;
805 }
806
807 /**
808 * Send ModeCfg request message from client to server in pull mode
809 */
810 stf_status modecfg_send_request(struct state *st)
811 {
812 connection_t *c = st->st_connection;
813 stf_status stat;
814 internal_addr_t ia;
815
816 init_internal_addr(&ia);
817
818 ia.attr_set = LELEM(INTERNAL_IP4_ADDRESS)
819 | LELEM(INTERNAL_IP4_NETMASK);
820 ia.ipaddr = c->spd.this.host_srcip;
821
822 plog("sending ModeCfg request");
823 st->st_state = STATE_MODE_CFG_I1;
824 stat = modecfg_send_msg(st, ISAKMP_CFG_REQUEST, &ia);
825 if (stat == STF_OK)
826 {
827 st->st_modecfg.started = TRUE;
828 }
829 return stat;
830 }
831
832 /* STATE_MODE_CFG_R0:
833 * HDR*, HASH, ATTR(REQ=IP) --> HDR*, HASH, ATTR(REPLY=IP)
834 *
835 * used in ModeCfg pull mode, on the server (responder)
836 */
837 stf_status modecfg_inR0(struct msg_digest *md)
838 {
839 struct state *const st = md->st;
840 u_int16_t isama_id;
841 internal_addr_t ia;
842 bool want_unity_banner;
843 stf_status stat, stat_build;
844 host_t *requested_vip;
845
846 stat = modecfg_parse_msg(md, ISAKMP_CFG_REQUEST, &isama_id, &ia);
847 if (stat != STF_OK)
848 {
849 return stat;
850 }
851
852 if (ia.attr_set & LELEM(INTERNAL_IP4_ADDRESS))
853 {
854 requested_vip = host_create_from_sockaddr((sockaddr_t*)&ia.ipaddr);
855 }
856 else
857 {
858 requested_vip = host_create_any(AF_INET);
859 }
860 plog("peer requested virtual IP %H", requested_vip);
861
862 want_unity_banner = (ia.unity_attr_set & LELEM(UNITY_BANNER - UNITY_BASE)) != LEMPTY;
863 init_internal_addr(&ia);
864 get_internal_addr(st->st_connection, requested_vip, &ia);
865 requested_vip->destroy(requested_vip);
866
867 if (want_unity_banner)
868 {
869 ia.unity_banner = UNITY_BANNER_STR;
870 ia.unity_attr_set |= LELEM(UNITY_BANNER - UNITY_BASE);
871 }
872
873 plog("sending ModeCfg reply");
874
875 stat_build = modecfg_build_msg(st, &md->rbody
876 , ISAKMP_CFG_REPLY
877 , &ia
878 , isama_id);
879 if (stat_build != STF_OK)
880 {
881 return stat_build;
882 }
883 st->st_msgid = 0;
884 return STF_OK;
885 }
886
887 /* STATE_MODE_CFG_I1:
888 * HDR*, HASH, ATTR(REPLY=IP)
889 *
890 * used in ModeCfg pull mode, on the client (initiator)
891 */
892 stf_status modecfg_inI1(struct msg_digest *md)
893 {
894 struct state *const st = md->st;
895 u_int16_t isama_id;
896 internal_addr_t ia;
897 stf_status stat;
898
899 plog("parsing ModeCfg reply");
900
901 stat = modecfg_parse_msg(md, ISAKMP_CFG_REPLY, &isama_id, &ia);
902 if (stat != STF_OK)
903 {
904 return stat;
905 }
906 st->st_modecfg.vars_set = set_internal_addr(st->st_connection, &ia);
907 st->st_msgid = 0;
908 return STF_OK;
909 }
910
911
912 /**
913 * Send ModeCfg set message from server to client in push mode
914 */
915 stf_status modecfg_send_set(struct state *st)
916 {
917 stf_status stat;
918 internal_addr_t ia;
919 host_t *vip;
920
921 init_internal_addr(&ia);
922 vip = host_create_any(AF_INET);
923 get_internal_addr(st->st_connection, vip, &ia);
924 vip->destroy(vip);
925
926 #ifdef CISCO_QUIRKS
927 ia.unity_banner = UNITY_BANNER_STR;
928 ia.unity_attr_set |= LELEM(UNITY_BANNER - UNITY_BASE);
929 #endif
930
931 plog("sending ModeCfg set");
932 st->st_state = STATE_MODE_CFG_R3;
933 stat = modecfg_send_msg(st, ISAKMP_CFG_SET, &ia);
934 if (stat == STF_OK)
935 {
936 st->st_modecfg.started = TRUE;
937 }
938 return stat;
939 }
940
941 /* STATE_MODE_CFG_I0:
942 * HDR*, HASH, ATTR(SET=IP) --> HDR*, HASH, ATTR(ACK,OK)
943 *
944 * used in ModeCfg push mode, on the client (initiator).
945 */
946 stf_status modecfg_inI0(struct msg_digest *md)
947 {
948 struct state *const st = md->st;
949 u_int16_t isama_id;
950 internal_addr_t ia;
951 lset_t attr_set, unity_attr_set;
952 stf_status stat, stat_build;
953
954 plog("parsing ModeCfg set");
955
956 stat = modecfg_parse_msg(md, ISAKMP_CFG_SET, &isama_id, &ia);
957 if (stat != STF_OK)
958 {
959 return stat;
960 }
961 st->st_modecfg.vars_set = set_internal_addr(st->st_connection, &ia);
962
963 /* prepare ModeCfg ack which sends zero length attributes */
964 attr_set = ia.attr_set;
965 unity_attr_set = ia.unity_attr_set;
966 init_internal_addr(&ia);
967 ia.attr_set = attr_set & SUPPORTED_ATTR_SET;
968 ia.unity_attr_set = unity_attr_set & SUPPORTED_UNITY_ATTR_SET;
969
970 plog("sending ModeCfg ack");
971
972 stat_build = modecfg_build_msg(st, &md->rbody
973 , ISAKMP_CFG_ACK
974 , &ia
975 , isama_id);
976 if (stat_build != STF_OK)
977 {
978 return stat_build;
979 }
980 st->st_msgid = 0;
981 return STF_OK;
982 }
983
984 /* STATE_MODE_CFG_R3:
985 * HDR*, HASH, ATTR(ACK,OK)
986 *
987 * used in ModeCfg push mode, on the server (responder)
988 */
989 stf_status modecfg_inR3(struct msg_digest *md)
990 {
991 struct state *const st = md->st;
992 u_int16_t isama_id;
993 internal_addr_t ia;
994 stf_status stat;
995
996 plog("parsing ModeCfg ack");
997
998 stat = modecfg_parse_msg(md, ISAKMP_CFG_ACK, &isama_id, &ia);
999 if (stat != STF_OK)
1000 {
1001 return stat;
1002 }
1003 st->st_msgid = 0;
1004 return STF_OK;
1005 }
1006
1007 /**
1008 * Send XAUTH credentials request (username + password)
1009 */
1010 stf_status xauth_send_request(struct state *st)
1011 {
1012 stf_status stat;
1013 internal_addr_t ia;
1014
1015 init_internal_addr(&ia);
1016 ia.xauth_attr_set = LELEM(XAUTH_USER_NAME - XAUTH_BASE)
1017 | LELEM(XAUTH_USER_PASSWORD - XAUTH_BASE);
1018
1019 plog("sending XAUTH request");
1020 st->st_state = STATE_XAUTH_R1;
1021 stat = modecfg_send_msg(st, ISAKMP_CFG_REQUEST, &ia);
1022 if (stat == STF_OK)
1023 {
1024 st->st_xauth.started = TRUE;
1025 }
1026 return stat;
1027 }
1028
1029 /* STATE_XAUTH_I0:
1030 * HDR*, HASH, ATTR(REQ) --> HDR*, HASH, ATTR(REPLY=USERNAME/PASSWORD)
1031 *
1032 * used on the XAUTH client (initiator)
1033 */
1034 stf_status xauth_inI0(struct msg_digest *md)
1035 {
1036 struct state *const st = md->st;
1037 u_int16_t isama_id;
1038 internal_addr_t ia;
1039 stf_status stat, stat_build;
1040 bool xauth_type_present;
1041
1042 plog("parsing XAUTH request");
1043
1044 stat = modecfg_parse_msg(md, ISAKMP_CFG_REQUEST, &isama_id, &ia);
1045 if (stat != STF_OK)
1046 {
1047 return stat;
1048 }
1049
1050 /* check XAUTH attributes */
1051 xauth_type_present = (ia.xauth_attr_set & LELEM(XAUTH_TYPE - XAUTH_BASE)) != LEMPTY;
1052
1053 if (xauth_type_present && ia.xauth_type != XAUTH_TYPE_GENERIC)
1054 {
1055 plog("xauth type %s is not supported", enum_name(&xauth_type_names, ia.xauth_type));
1056 stat = STF_FAIL;
1057 }
1058 else if ((ia.xauth_attr_set & LELEM(XAUTH_USER_NAME - XAUTH_BASE)) == LEMPTY)
1059 {
1060 plog("user name attribute is missing in XAUTH request");
1061 stat = STF_FAIL;
1062 }
1063 else if ((ia.xauth_attr_set & LELEM(XAUTH_USER_PASSWORD - XAUTH_BASE)) == LEMPTY)
1064 {
1065 plog("user password attribute is missing in XAUTH request");
1066 stat = STF_FAIL;
1067 }
1068
1069 /* prepare XAUTH reply */
1070 init_internal_addr(&ia);
1071
1072 if (stat == STF_OK)
1073 {
1074 /* get user credentials using a plugin function */
1075 if (!xauth_module.get_secret(&ia.xauth_secret))
1076 {
1077 plog("xauth user credentials not found");
1078 stat = STF_FAIL;
1079 }
1080 }
1081 if (stat == STF_OK)
1082 {
1083 DBG(DBG_CONTROL,
1084 DBG_log("my xauth user name is '%.*s'"
1085 , ia.xauth_secret.user_name.len
1086 , ia.xauth_secret.user_name.ptr)
1087 )
1088 DBG(DBG_PRIVATE,
1089 DBG_log("my xauth user password is '%.*s'"
1090 , ia.xauth_secret.user_password.len
1091 , ia.xauth_secret.user_password.ptr)
1092 )
1093 ia.xauth_attr_set = LELEM(XAUTH_USER_NAME - XAUTH_BASE)
1094 | LELEM(XAUTH_USER_PASSWORD - XAUTH_BASE);
1095 if (xauth_type_present)
1096 {
1097 ia.xauth_attr_set |= LELEM(XAUTH_TYPE - XAUTH_BASE);
1098 }
1099 }
1100 else
1101 {
1102 ia.xauth_attr_set = LELEM(XAUTH_STATUS - XAUTH_BASE);
1103 ia.xauth_status = XAUTH_STATUS_FAIL;
1104 }
1105
1106 plog("sending XAUTH reply");
1107
1108 stat_build = modecfg_build_msg(st, &md->rbody
1109 , ISAKMP_CFG_REPLY
1110 , &ia
1111 , isama_id);
1112 if (stat_build != STF_OK)
1113 {
1114 return stat_build;
1115 }
1116 if (stat == STF_OK)
1117 {
1118 st->st_xauth.started = TRUE;
1119 st->st_msgid = 0;
1120 return STF_OK;
1121 }
1122 else
1123 {
1124 /* send XAUTH reply msg and then delete ISAKMP SA */
1125 free(st->st_tpacket.ptr);
1126 st->st_tpacket = chunk_create(md->reply.start, pbs_offset(&md->reply));
1127 st->st_tpacket = chunk_clone(st->st_tpacket);
1128 send_packet(st, "XAUTH reply msg");
1129 delete_state(st);
1130 return STF_IGNORE;
1131 }
1132 }
1133
1134 /* STATE_XAUTH_R1:
1135 * HDR*, HASH, ATTR(REPLY=USERNAME/PASSWORD) --> HDR*, HASH, ATTR(STATUS)
1136 *
1137 * used on the XAUTH server (responder)
1138 */
1139 stf_status xauth_inR1(struct msg_digest *md)
1140 {
1141 struct state *const st = md->st;
1142 u_int16_t isama_id;
1143 internal_addr_t ia;
1144 stf_status stat, stat_build;
1145
1146 plog("parsing XAUTH reply");
1147
1148 stat = modecfg_parse_msg(md, ISAKMP_CFG_REPLY, &isama_id, &ia);
1149 if (stat != STF_OK)
1150 {
1151 return stat;
1152 }
1153
1154 /* did the client return an XAUTH FAIL status? */
1155 if ((ia.xauth_attr_set & LELEM(XAUTH_STATUS - XAUTH_BASE)) != LEMPTY)
1156 {
1157 plog("received FAIL status in XAUTH reply");
1158
1159 /* client is not able to do XAUTH, delete ISAKMP SA */
1160 delete_state(st);
1161 return STF_IGNORE;
1162 }
1163
1164 /* check XAUTH reply */
1165 if ((ia.xauth_attr_set & LELEM(XAUTH_USER_NAME - XAUTH_BASE)) == LEMPTY)
1166 {
1167 plog("user name attribute is missing in XAUTH reply");
1168 st->st_xauth.status = FALSE;
1169 }
1170 else if ((ia.xauth_attr_set & LELEM(XAUTH_USER_PASSWORD - XAUTH_BASE)) == LEMPTY)
1171 {
1172 plog("user password attribute is missing in XAUTH reply");
1173 st->st_xauth.status = FALSE;
1174 }
1175 else
1176 {
1177 xauth_peer_t peer;
1178
1179 peer.conn_name = st->st_connection->name;
1180 addrtot(&md->sender, 0, peer.ip_address, sizeof(peer.ip_address));
1181 snprintf(peer.id, sizeof(peer.id), "%Y",
1182 md->st->st_connection->spd.that.id);
1183
1184 DBG(DBG_CONTROL,
1185 DBG_log("peer xauth user name is '%.*s'"
1186 , ia.xauth_secret.user_name.len
1187 , ia.xauth_secret.user_name.ptr)
1188 )
1189 DBG(DBG_PRIVATE,
1190 DBG_log("peer xauth user password is '%.*s'"
1191 , ia.xauth_secret.user_password.len
1192 , ia.xauth_secret.user_password.ptr)
1193 )
1194 /* verify the user credentials using a plugin function */
1195 st->st_xauth.status = xauth_module.verify_secret(&peer, &ia.xauth_secret);
1196 plog("extended authentication %s", st->st_xauth.status? "was successful":"failed");
1197 }
1198
1199 /* prepare XAUTH set which sends the authentication status */
1200 init_internal_addr(&ia);
1201 ia.xauth_attr_set = LELEM(XAUTH_STATUS - XAUTH_BASE);
1202 ia.xauth_status = (st->st_xauth.status)? XAUTH_STATUS_OK : XAUTH_STATUS_FAIL;
1203
1204 plog("sending XAUTH status:");
1205
1206 stat_build = modecfg_send_msg(st, ISAKMP_CFG_SET, &ia);
1207 if (stat_build != STF_OK)
1208 {
1209 return stat_build;
1210 }
1211 return STF_OK;
1212 }
1213
1214 /* STATE_XAUTH_I1:
1215 * HDR*, HASH, ATTR(STATUS) --> HDR*, HASH, ATTR(ACK)
1216 *
1217 * used on the XAUTH client (initiator)
1218 */
1219 stf_status xauth_inI1(struct msg_digest *md)
1220 {
1221 struct state *const st = md->st;
1222 u_int16_t isama_id;
1223 internal_addr_t ia;
1224 stf_status stat, stat_build;
1225
1226 plog("parsing XAUTH status");
1227 stat = modecfg_parse_msg(md, ISAKMP_CFG_SET, &isama_id, &ia);
1228 if (stat != STF_OK)
1229 {
1230 /* notification payload - not exactly the right choice, but okay */
1231 md->note = ISAKMP_ATTRIBUTES_NOT_SUPPORTED;
1232 return stat;
1233 }
1234
1235 st->st_xauth.status = ia.xauth_status;
1236 plog("extended authentication %s", st->st_xauth.status? "was successful":"failed");
1237
1238 plog("sending XAUTH ack");
1239 init_internal_addr(&ia);
1240 stat_build = modecfg_build_msg(st, &md->rbody
1241 , ISAKMP_CFG_ACK
1242 , &ia
1243 , isama_id);
1244 if (stat_build != STF_OK)
1245 {
1246 return stat_build;
1247 }
1248 if (st->st_xauth.status)
1249 {
1250 st->st_msgid = 0;
1251 return STF_OK;
1252 }
1253 else
1254 {
1255 /* send XAUTH ack msg and then delete ISAKMP SA */
1256 free(st->st_tpacket.ptr);
1257 st->st_tpacket = chunk_create(md->reply.start, pbs_offset(&md->reply));
1258 st->st_tpacket = chunk_clone(st->st_tpacket);
1259 send_packet(st, "XAUTH ack msg");
1260 delete_state(st);
1261 return STF_IGNORE;
1262 }
1263 }
1264
1265 /* STATE_XAUTH_R2:
1266 * HDR*, ATTR(STATUS), HASH --> Done
1267 *
1268 * used on the XAUTH server (responder)
1269 */
1270 stf_status xauth_inR2(struct msg_digest *md)
1271 {
1272 struct state *const st = md->st;
1273 u_int16_t isama_id;
1274 internal_addr_t ia;
1275 stf_status stat;
1276
1277 plog("parsing XAUTH ack");
1278
1279 stat = modecfg_parse_msg(md, ISAKMP_CFG_ACK, &isama_id, &ia);
1280 if (stat != STF_OK)
1281 {
1282 return stat;
1283 }
1284 st->st_msgid = 0;
1285 if (st->st_xauth.status)
1286 {
1287 return STF_OK;
1288 }
1289 else
1290 {
1291 delete_state(st);
1292 return STF_IGNORE;
1293 }
1294 }